Re: [Qemu-devel] [PATCH COLO-Frame v15 00/38] COarse-grain LOck-stepping(COLO) Virtual Machines for Non-stop Service (FT)

[Hailiang Zhang]

On 2016/2/27 0:36, Dr. David Alan Gilbert wrote:

* Dr. David Alan Gilbert (dgilb...@redhat.com) wrote:

* zhanghailiang (zhang.zhanghaili...@huawei.com) wrote:

From: root 

This is the 15th version of COLO (Still only support periodic checkpoint).

Here is only COLO frame part, you can get the whole codes from github:
https://github.com/coloft/qemu/commits/colo-v2.6-periodic-mode

There are little changes for this series except the network releated part.


I was looking at the time the guest is paused during COLO and
was surprised to find one of the larger chunks was the time to reset
the guest before loading each checkpoint;  I've traced it part way, the
biggest contributors for my test VM seem to be:

   3.8ms  pcibus_reset: VGA
   1.8ms  pcibus_reset: virtio-net-pci
   1.5ms  pcibus_reset: virtio-blk-pci
   1.5ms  qemu_devices_reset: piix4_reset
   1.1ms  pcibus_reset: piix3-ide
   1.1ms  pcibus_reset: virtio-rng-pci

I've not looked deeper yet, but some of these are very silly;
I'm running with -nographic so why it's taking 3.8ms to reset VGA is
going to be interesting.
Also, my only block device is the virtio-blk, so while I understand the
standard PC machine has the IDE controller, why it takes it over a ms
to reset an unused device.


OK, so I've dug a bit deeper, and it appears that it's the changes in
PCI bars that actually take the time;  every time we do a reset we
reset all the BARs, this causes it to do a pci_update_mappings and
end up doing a memory_region_del_subregion.
Then we load the config space of the PCI device as we do the vmstate_load,
and this recreates all the mappings again.

I'm not sure what the fix is, but that sounds like it would
speed up the checkpoints usefully if we can avoid the map/remap when
they're the same.



Interesting, and thanks for your report.

We already known qemu_system_reset() is a time-consuming function, we shouldn't
call it here, but if we didn't do that, there will be a bug, which we have
reported before in the previous COLO series, the bellow is the copy of the 
related
patch comment:

COLO VMstate: Load VM state into qsb before restore it

We should not destroy the state of secondary until we receive the whole
state from the primary, in case the primary fails in the middle of sending
the state, so, here we cache the device state in Secondary before restore 
it.

Besides, we should call qemu_system_reset() before load VM state,
which can ensure the data is intact.
Note: If we discard qemu_system_reset(), there will be some odd error,
For exmple, qemu in slave side crashes and reports:

KVM: entry failed, hardware error 0x7
EAX= EBX=e000 ECX=9578 EDX=434f
ESI=fc10 EDI=434f EBP= ESP=1fca
EIP=9594 EFL=00010246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0040 0400  9300
CS =f000 000f  9b00
SS =434f 000434f0  9300
DS =434f 000434f0  9300
FS =   9300
GS =   9300
LDT=   8200
TR =   8b00
GDT= 0002dcc8 0047
IDT=  
CR0=0010 CR2= CR3= CR4=
DR0= DR1= DR2= 
DR3=
DR6=0ff0 DR7=0400
EFER=
Code=c0 74 0f 66 b9 78 95 00 00 66 31 d2 66 31 c0 e9 47 e0 fb 90  90 fa 
fc 66 c3 66 53 66 89 c3
ERROR: invalid runstate transition: 'internal-error' -> 'colo'

The reason is, some of the device state will be ignored when saving device 
state to slave,
if the corresponding data is in its initial value, such as 0.
But the device state in slave maybe in initialized value, after a loop of 
checkpoint,
there will be inconsistent for the value of device state.
This will happen when the PVM reboot or SVM run ahead of PVM in the startup 
process.
Signed-off-by: zhanghailiang 
Signed-off-by: Yang Hongyang 
Signed-off-by: Gonglei 
Reviewed-by: Dr. David Alan Gilbert 

[Qemu-devel] QCow2 compression

[mgreger]

Hello, I am hoping someone here can help me. I am implementing QCow2 support 
for a PC emulator project and have a couple questions regarding compression I 
haven't been able to figure out on my own.

First some background:
I am using the information I found at 
https://people.gnome.org/~markmc/qcow-image-format.html and I have implemented 
working support for QCow2 images as described there except for snapshots, 
encryption, and compression. Of these, only compression is of immediate use to 
me.

I have some QCow2 images all using 16-bit clusters created using qemu-img 2.1.2 
(the version bundled with Debian stable). According to the documentation I 
linked, 8 bits of an L2 table entry following the copy flag should say how many 
512 byte sectors a compressed cluster takes up and the remaining bits are the 
actual offset of the cluster within the file. I have for example a compressed 
cluster with an L2 entry value of 4A C0 00 00 00 3D 97 50. This would lead me 
to believe the cluster starts at offset 0x3D9750 and has a length of 0x2B 
512-byte sectors (or 0x2B times 0x200 = 0x5600). Added to the offset this would 
give an end for the cluster at offset 0x3DED50. However, it is clear from 
looking at the image that the compressed cluster extends further, the data 
ending at 0x3DEDD5 and being followed by some zero padding until 0x3DEDF0 where 
the file ends. How can I know the data extends beyond the length I calculated? 
Did I misunderstand the documentation somewhere? Why does the file end here 
versus a cluster aligned offset?

A final question: I noticed that compressed clusters typically have a reference 
count higher than one, yet there are no snapshots present in the image. I 
suspect the count is incremented for each compressed cluster that exists even 
partially within a normal sized cluster region of the file, but I can find no 
documentation to this effect and am merely speculating. Am I correct?

If it is the wrong place to ask these questions, I would appreciate it if 
anyone could direct me to a more appropriate venue. Thank you for taking the 
time to read this and tanks in advance for any assistance.

Re: [Qemu-devel] [PATCH v2 0/6] external backup api

[Fam Zheng]

On Fri, 02/26 23:40, Denis V. Lunev wrote:
> On 02/26/2016 10:55 PM, Paolo Bonzini wrote:
> >
> >On 19/02/2016 09:51, Markus Armbruster wrote:
> >>>Is it an abuse to "Get LBA Status" to return dirty information? Because in 
> >>>SCSI
> >>>the command reports "mapped", "allocated" and "anchored" statuses. Does 
> >>>that
> >>>mean NBD will use a different status set?
> >>Perhaps some conceptual gymnastics can get us to standard semantics.
> >>
> >>Incremental backup wants to copy out an image's "dirty" blocks.
> >>
> >>We can view this as a bitmap telling us which of the image's blocks are
> >>dirty.
> >>
> >>An alternative view would be base image + dirty delta image.  In the the
> >>dirty delta, exactly the dirty blocks are allocated.  The delta image
> >>may be conceptual.
> >I see a problem here. On one hand I agree that the "GET LBA STATUS" is
> >a natural extension to the NBD protocol.
> >
> >On the other hand, the Get LBA Status command in SCSI reflects the
> >state over the whole chain, not only the top element.  It is the
> >equivalent of bdrv_get_block_status_above(bs, NULL, ...), rather than
> >bdrv_get_block_status(bs, ...).  My understanding is that the dirty
> >block information would require the latter, especially in the
> >"conceptual delta image" model that Markus describes above.
> >
> >Having NBD implement subtly different semantics compared to SCSI is a
> >bad idea in my opinion.
> >
> >Of course if we call it "READ DIRTY BLOCKS" that would work, but I
> >don't think such a command would be something that it makes sense to
> >have in the general purpose NBD spec, so you would need a mechanism
> >for vendor-specific extensions.
> >
> >Paolo
> >
> In general, the idea to bind DIRTY BITMAP to GET STATUS command is not that
> bad. First of all, NBD has no relation to the SCSI at all thus we are not
> bound to the SCSI protocol. This is good thing.
> 
> Next, it is generally good to query state of the data block before reading
> to reduce amount of transfers over the network. This is useful even for a
> full backup operation to avoid zero block transfers.
> 
> Thus, if we have created special NBD share, we can provide STATUS bitmap
> in the way we want, f.e. with the proposed semantics. This will not be a
> violation of the protocol.

Paolo described what I was trying to say, but way clearer then what I said. :)
And I agree a dedicated bitmap status seems better here.

Fam

Re: [Qemu-devel] [PATCH 1/1] arm: virt: change GPIO trigger interrupt to pulse

[Shannon Zhao]

On 2016/2/26 23:42, Peter Maydell wrote:
> On 26 February 2016 at 15:28, Wei Huang  wrote:
>>
>>
>> On 02/26/2016 09:06 AM, Peter Maydell wrote:
>>> On 26 February 2016 at 14:54, Shannon Zhao  wrote:
 On 2016/2/26 20:53, Peter Maydell wrote:
> I don't understand why a 500ms pulse is better than a short one.
>
 Oh, I just pick a value which seems like a real latency for pressing a
 button. What's your suggestion?
>>>
>>> I would prefer to avoid the pain of having a timer whose state
>>> needs to be migrated. It's unclear to me why a 500ms pulse
>>> will solve anything that an instantaneous pulse does not,
>>> so I'd like to better understand the problem first.
>>
>> The problem we found with pulse was: only the last state change in GPIO
>> is received by guest VM. In other words, with 0(L)->1(H)->0(L) or
>> 1(H)->0(L)->1(0), PL061 only sees the last state (0 and 1). I guess this
>> is because QEMU is non-preemptive. The solution is to have the following
>> steps:
>>   * qemu_set_irq(gpio_in, 1)
>>   * yeild to guest VM
>>   * qemu_set_irq(gpio_in, 0)
>>
>> Is there any way to do so in QEMU without using timer?
> 
> You have no guarantee that the guest VM will necessarily
> make any progress even with a 500ms pulse length, 
Yeah, if the guest is very busy! But it's true in the real world like
that we press a GPIO_KEY button, but guest is too busy that it can't
react to this then the guest can't shutdown.

> so I don't
> think increasing the length of the pulse is going to solidly
> fix this.
> 
This is not simply increasing the length. It just makes the guest not
blocked after the first qemu_set_irq so that the guest can detect the
button is pressed(i.e. get the value 1). Then after any time, call the
second qemu_set_irq then guest can detect the button is released.

You must be aware that here the purpose of qemu_set_irq is only to set
the value of gpio pin not directly set the interrupt controller. As for
injecting the interrupt, it's what the PL061 device does which detects
the pin value changed.

And for GPIO_KEY, it must detect 1 and 0 then it realizes it as a valid
input.

Have a look at the below function in drivers/input/keyboard/gpio_keys.c.

static void gpio_keys_gpio_report_event(struct gpio_button_data *bdata)
{
const struct gpio_keys_button *button = bdata->button;
struct input_dev *input = bdata->input;
unsigned int type = button->type ?: EV_KEY;
int state = (gpio_get_value_cansleep(button->gpio) ? 1 : 0) ^
button->active_low;

if (type == EV_ABS) {
if (state)
input_event(input, type, button->code, button->value);
} else {
input_event(input, type, button->code, !!state);
}
input_sync(input);
}


> As usual with any kind of interrupt you either need to
> trigger on an edge (and latch the trigger in the interrupt
> controller until the guest picks it up), or trigger on a
> level, and keep the level high until the guest acknowledges
> by writing back to the original device to tell it to drop
> the level.
> 
As said, here we only want change the some pin value and want guest to
get the value. The interrupt is triggered by PL061 device which just
notifies the guest that pin value is changed, please read.

Thanks,
-- 
Shannon

[Qemu-devel] [PATCH 2/4] bcm2835_aux: add emulation of BCM2835 AUX (aka UART1) block

[Andrew Baumann]

Signed-off-by: Andrew Baumann 
---
 hw/arm/bcm2835_peripherals.c |  18 +++
 hw/char/Makefile.objs|   1 +
 hw/char/bcm2835_aux.c| 241 +++
 include/hw/arm/bcm2835_peripherals.h |   2 +
 include/hw/char/bcm2835_aux.h|  31 +
 5 files changed, 293 insertions(+)
 create mode 100644 hw/char/bcm2835_aux.c
 create mode 100644 include/hw/char/bcm2835_aux.h

diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 6ce9cd1..103a330 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -48,6 +48,11 @@ static void bcm2835_peripherals_init(Object *obj)
 object_property_add_child(obj, "uart0", OBJECT(s->uart0), NULL);
 qdev_set_parent_bus(DEVICE(s->uart0), sysbus_get_default());
 
+/* AUX / UART1 */
+object_initialize(>aux, sizeof(s->aux), TYPE_BCM2835_AUX);
+object_property_add_child(obj, "aux", OBJECT(>aux), NULL);
+qdev_set_parent_bus(DEVICE(>aux), sysbus_get_default());
+
 /* Mailboxes */
 object_initialize(>mboxes, sizeof(s->mboxes), TYPE_BCM2835_MBOX);
 object_property_add_child(obj, "mbox", OBJECT(>mboxes), NULL);
@@ -131,6 +136,19 @@ static void bcm2835_peripherals_realize(DeviceState *dev, 
Error **errp)
 qdev_get_gpio_in_named(DEVICE(>ic), BCM2835_IC_GPU_IRQ,
INTERRUPT_UART));
 
+/* AUX / UART1 */
+object_property_set_bool(OBJECT(>aux), true, "realized", );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
+memory_region_add_subregion(>peri_mr, UART1_OFFSET,
+sysbus_mmio_get_region(SYS_BUS_DEVICE(>aux), 0));
+sysbus_connect_irq(SYS_BUS_DEVICE(>aux), 0,
+qdev_get_gpio_in_named(DEVICE(>ic), BCM2835_IC_GPU_IRQ,
+   INTERRUPT_AUX));
+
 /* Mailboxes */
 object_property_set_bool(OBJECT(>mboxes), true, "realized", );
 if (err) {
diff --git a/hw/char/Makefile.objs b/hw/char/Makefile.objs
index 5931cc8..69a553c 100644
--- a/hw/char/Makefile.objs
+++ b/hw/char/Makefile.objs
@@ -16,6 +16,7 @@ obj-$(CONFIG_SH4) += sh_serial.o
 obj-$(CONFIG_PSERIES) += spapr_vty.o
 obj-$(CONFIG_DIGIC) += digic-uart.o
 obj-$(CONFIG_STM32F2XX_USART) += stm32f2xx_usart.o
+obj-$(CONFIG_RASPI) += bcm2835_aux.o
 
 common-obj-$(CONFIG_ETRAXFS) += etraxfs_ser.o
 common-obj-$(CONFIG_ISA_DEBUG) += debugcon.o
diff --git a/hw/char/bcm2835_aux.c b/hw/char/bcm2835_aux.c
new file mode 100644
index 000..c2f71e5
--- /dev/null
+++ b/hw/char/bcm2835_aux.c
@@ -0,0 +1,241 @@
+/*
+ * BCM2835 (Raspberry Pi / Pi 2) Aux block (mini UART and SPI).
+ * Copyright (c) 2015, Microsoft
+ * Written by Andrew Baumann
+ * Based on pl011.c, copyright terms below:
+ *
+ * Arm PrimeCell PL011 UART
+ *
+ * Copyright (c) 2006 CodeSourcery.
+ * Written by Paul Brook
+ *
+ * This code is licensed under the GPL.
+ */
+
+#include "qemu/osdep.h"
+#include "hw/char/bcm2835_aux.h"
+
+#define AUX_ENABLES 0x4
+#define AUX_MU_IO_REG   0x40
+#define AUX_MU_IER_REG  0x44
+#define AUX_MU_IIR_REG  0x48
+#define AUX_MU_LSR_REG  0x54
+#define AUX_MU_STAT_REG 0x64
+
+static void bcm2835_aux_update(BCM2835AuxState *s)
+{
+bool status = (s->rx_int_enable && s->read_count != 0) || s->tx_int_enable;
+qemu_set_irq(s->irq, status);
+}
+
+static uint64_t bcm2835_aux_read(void *opaque, hwaddr offset, unsigned size)
+{
+BCM2835AuxState *s = opaque;
+uint32_t c, res;
+
+switch (offset) {
+case AUX_ENABLES:
+return 1; /* mini UART enabled */
+
+case AUX_MU_IO_REG:
+c = s->read_fifo[s->read_pos];
+if (s->read_count > 0) {
+s->read_count--;
+if (++s->read_pos == 8) {
+s->read_pos = 0;
+}
+}
+if (s->chr) {
+qemu_chr_accept_input(s->chr);
+}
+bcm2835_aux_update(s);
+return c;
+
+case AUX_MU_IER_REG:
+res = 0;
+if (s->rx_int_enable) {
+res |= 0x2;
+}
+if (s->tx_int_enable) {
+res |= 0x1;
+}
+return res;
+
+case AUX_MU_IIR_REG:
+res = 0xc0;
+if (s->tx_int_enable) {
+res |= 0x1;
+} else if (s->rx_int_enable && s->read_count != 0) {
+res |= 0x2;
+}
+return res;
+
+case AUX_MU_LSR_REG:
+res = 0x60; /* tx idle, empty */
+if (s->read_count != 0) {
+res |= 0x1;
+}
+return res;
+
+case AUX_MU_STAT_REG:
+res = 0x302; /* space in the output buffer, empty tx fifo */
+if (s->read_count > 0) {
+res |= 0x1; /* data in input buffer */
+assert(s->read_count < 8);
+res |= ((uint32_t)s->read_count) << 16; /* rx fifo fill level */
+}
+return res;
+
+default:
+qemu_log_mask(LOG_GUEST_ERROR, "%s: Bad offset %"HWADDR_PRIx"\n",
+  __func__, 

[Qemu-devel] [PATCH 1/4] bcm2835_peripherals: enable sdhci pending-insert quirk for raspberry pi

[Andrew Baumann]

Signed-off-by: Andrew Baumann 
---
 hw/arm/bcm2835_peripherals.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 6d66fa0..6ce9cd1 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -171,6 +171,13 @@ static void bcm2835_peripherals_realize(DeviceState *dev, 
Error **errp)
 return;
 }
 
+object_property_set_bool(OBJECT(>sdhci), true, "pending-insert-quirk",
+ );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
 object_property_set_bool(OBJECT(>sdhci), true, "realized", );
 if (err) {
 error_propagate(errp, err);
-- 
2.5.3

[Qemu-devel] [PATCH 4/4] bcm2835_property: implement framebuffer control/configuration properties

[Andrew Baumann]

The property channel driver now interfaces with the framebuffer device
to query and set framebuffer parameters. As a result of this, the "get
ARM RAM size" query now correctly returns the video RAM base address
(not total RAM size), and the ram-size property is no longer relevant
here.

Signed-off-by: Andrew Baumann 
---
 hw/arm/bcm2835_peripherals.c   |   8 +--
 hw/misc/bcm2835_property.c | 139 -
 include/hw/misc/bcm2835_property.h |   5 +-
 3 files changed, 143 insertions(+), 9 deletions(-)

diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index eff4fa2..c2b812a 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -78,6 +78,8 @@ static void bcm2835_peripherals_init(Object *obj)
   "board-rev", _abort);
 qdev_set_parent_bus(DEVICE(>property), sysbus_get_default());
 
+object_property_add_const_link(OBJECT(>property), "fb",
+   OBJECT(>fb), _abort);
 object_property_add_const_link(OBJECT(>property), "dma-mr",
OBJECT(>gpu_bus_mr), _abort);
 
@@ -199,12 +201,6 @@ static void bcm2835_peripherals_realize(DeviceState *dev, 
Error **errp)
qdev_get_gpio_in(DEVICE(>mboxes), MBOX_CHAN_FB));
 
 /* Property channel */
-object_property_set_int(OBJECT(>property), ram_size, "ram-size", );
-if (err) {
-error_propagate(errp, err);
-return;
-}
-
 object_property_set_bool(OBJECT(>property), true, "realized", );
 if (err) {
 error_propagate(errp, err);
diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c
index 581922a..8bffad9 100644
--- a/hw/misc/bcm2835_property.c
+++ b/hw/misc/bcm2835_property.c
@@ -17,6 +17,11 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState 
*s, uint32_t value)
 uint32_t tot_len;
 size_t resplen;
 uint32_t tmp;
+int n;
+uint32_t offset, length, color;
+uint32_t xres, yres, xoffset, yoffset, bpp, pixo, alpha;
+uint32_t *newxres = NULL, *newyres = NULL, *newxoffset = NULL,
+*newyoffset = NULL, *newbpp = NULL, *newpixo = NULL, *newalpha = NULL;
 
 value &= ~0xf;
 
@@ -60,7 +65,14 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState 
*s, uint32_t value)
 /* base */
 stl_phys(>dma_as, value + 12, 0);
 /* size */
-stl_phys(>dma_as, value + 16, s->ram_size);
+stl_phys(>dma_as, value + 16, s->fbdev->vcram_base);
+resplen = 8;
+break;
+case 0x00010006: /* Get VC memory */
+/* base */
+stl_phys(>dma_as, value + 12, s->fbdev->vcram_base);
+/* size */
+stl_phys(>dma_as, value + 16, s->fbdev->vcram_size);
 resplen = 8;
 break;
 case 0x00028001: /* Set power state */
@@ -122,6 +134,114 @@ static void 
bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value)
 resplen = 8;
 break;
 
+/* Frame buffer */
+
+case 0x00040001: /* Allocate buffer */
+stl_phys(>dma_as, value + 12, s->fbdev->base);
+stl_phys(>dma_as, value + 16, s->fbdev->size);
+resplen = 8;
+break;
+case 0x00048001: /* Release buffer */
+resplen = 0;
+break;
+case 0x00040002: /* Blank screen */
+resplen = 4;
+break;
+case 0x00040003: /* Get display width/height */
+case 0x00040004:
+stl_phys(>dma_as, value + 12, s->fbdev->xres);
+stl_phys(>dma_as, value + 16, s->fbdev->yres);
+resplen = 8;
+break;
+case 0x00044003: /* Test display width/height */
+case 0x00044004:
+resplen = 8;
+break;
+case 0x00048003: /* Set display width/height */
+case 0x00048004:
+xres = ldl_phys(>dma_as, value + 12);
+newxres = 
+yres = ldl_phys(>dma_as, value + 16);
+newyres = 
+resplen = 8;
+break;
+case 0x00040005: /* Get depth */
+stl_phys(>dma_as, value + 12, s->fbdev->bpp);
+resplen = 4;
+break;
+case 0x00044005: /* Test depth */
+resplen = 4;
+break;
+case 0x00048005: /* Set depth */
+bpp = ldl_phys(>dma_as, value + 12);
+newbpp = 
+resplen = 4;
+break;
+case 0x00040006: /* Get pixel order */
+stl_phys(>dma_as, value + 12, s->fbdev->pixo);
+resplen = 4;
+break;
+case 0x00044006: /* Test pixel order */
+resplen = 4;
+break;
+case 0x00048006: /* Set pixel order */
+pixo = ldl_phys(>dma_as, value + 12);
+newpixo = 
+resplen = 4;
+  

[Qemu-devel] [PATCH 0/4] Raspberry Pi framebuffer and Windows support

[Andrew Baumann]

This patch series adds support for the AUX (second UART) and
framebuffer devices on Raspberry Pi 2, and enables booting Windows on
this device. As with the previous series, it is heavily based on the
original (out of tree) work of Gregory Estrade, Stefan Weil and others
to support Raspberry Pi 1.

After this series, it is possible to boot Windows by following the
instructions at https://github.com/0xabu/qemu/wiki. There's also
documentation for booting Linux on that page, but note that you can't
load bcm2709-rpi-2-b.dtb because the DMA controller is not included.

I plan to add DMA, USB, and reamining timers / system devices in
future patch series, along with support for pi1 (bcm2835). In the
meantime, the complete code is available at https://github.com/0xabu/qemu

Cheers,
Andrew

Andrew Baumann (4):
  bcm2835_peripherals: enable sdhci pending-insert quirk for raspberry
pi
  bcm2835_aux: add emulation of BCM2835 AUX (aka UART1) block
  bcm2835_fb: add framebuffer device for Raspberry Pi
  bcm2835_property: implement framebuffer control/configuration
properties

 hw/arm/bcm2835_peripherals.c |  63 +-
 hw/arm/bcm2836.c |   2 +
 hw/arm/raspi.c   |  12 +-
 hw/char/Makefile.objs|   1 +
 hw/char/bcm2835_aux.c| 241 
 hw/display/Makefile.objs |   1 +
 hw/display/bcm2835_fb.c  | 421 +++
 hw/misc/bcm2835_property.c   | 139 +++-
 include/hw/arm/bcm2835_peripherals.h |   4 +
 include/hw/char/bcm2835_aux.h|  31 +++
 include/hw/display/bcm2835_fb.h  |  47 
 include/hw/misc/bcm2835_property.h   |   5 +-
 12 files changed, 954 insertions(+), 13 deletions(-)
 create mode 100644 hw/char/bcm2835_aux.c
 create mode 100644 hw/display/bcm2835_fb.c
 create mode 100644 include/hw/char/bcm2835_aux.h
 create mode 100644 include/hw/display/bcm2835_fb.h

-- 
2.5.3

[Qemu-devel] [PATCH 3/4] bcm2835_fb: add framebuffer device for Raspberry Pi

[Andrew Baumann]

The framebuffer occupies the upper portion of memory (64MiB by
default), but it can only be controlled/configured via a system
mailbox or property channel (to be added by a subsequent patch).

Signed-off-by: Andrew Baumann 
---
 hw/arm/bcm2835_peripherals.c |  38 +++-
 hw/arm/bcm2836.c |   2 +
 hw/arm/raspi.c   |  12 +-
 hw/display/Makefile.objs |   1 +
 hw/display/bcm2835_fb.c  | 421 +++
 include/hw/arm/bcm2835_peripherals.h |   2 +
 include/hw/display/bcm2835_fb.h  |  47 
 7 files changed, 515 insertions(+), 8 deletions(-)
 create mode 100644 hw/display/bcm2835_fb.c
 create mode 100644 include/hw/display/bcm2835_fb.h

diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 103a330..eff4fa2 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -61,6 +61,16 @@ static void bcm2835_peripherals_init(Object *obj)
 object_property_add_const_link(OBJECT(>mboxes), "mbox-mr",
OBJECT(>mbox_mr), _abort);
 
+/* Framebuffer */
+object_initialize(>fb, sizeof(s->fb), TYPE_BCM2835_FB);
+object_property_add_child(obj, "fb", OBJECT(>fb), NULL);
+object_property_add_alias(obj, "vcram-size", OBJECT(>fb), "vcram-size",
+  _abort);
+qdev_set_parent_bus(DEVICE(>fb), sysbus_get_default());
+
+object_property_add_const_link(OBJECT(>fb), "dma-mr",
+   OBJECT(>gpu_bus_mr), _abort);
+
 /* Property channel */
 object_initialize(>property, sizeof(s->property), 
TYPE_BCM2835_PROPERTY);
 object_property_add_child(obj, "property", OBJECT(>property), NULL);
@@ -83,7 +93,7 @@ static void bcm2835_peripherals_realize(DeviceState *dev, 
Error **errp)
 Object *obj;
 MemoryRegion *ram;
 Error *err = NULL;
-uint32_t ram_size;
+uint32_t ram_size, vcram_size;
 int n;
 
 obj = object_property_get_link(OBJECT(dev), "ram", );
@@ -162,6 +172,32 @@ static void bcm2835_peripherals_realize(DeviceState *dev, 
Error **errp)
 qdev_get_gpio_in_named(DEVICE(>ic), BCM2835_IC_ARM_IRQ,
INTERRUPT_ARM_MAILBOX));
 
+/* Framebuffer */
+vcram_size = (uint32_t)object_property_get_int(OBJECT(s), "vcram-size",
+   );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
+object_property_set_int(OBJECT(>fb), ram_size - vcram_size,
+"vcram-base", );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
+object_property_set_bool(OBJECT(>fb), true, "realized", );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
+memory_region_add_subregion(>mbox_mr, MBOX_CHAN_FB << 
MBOX_AS_CHAN_SHIFT,
+sysbus_mmio_get_region(SYS_BUS_DEVICE(>fb), 0));
+sysbus_connect_irq(SYS_BUS_DEVICE(>fb), 0,
+   qdev_get_gpio_in(DEVICE(>mboxes), MBOX_CHAN_FB));
+
 /* Property channel */
 object_property_set_int(OBJECT(>property), ram_size, "ram-size", );
 if (err) {
diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index 0321439..89a6b35 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -42,6 +42,8 @@ static void bcm2836_init(Object *obj)
   _abort);
 object_property_add_alias(obj, "board-rev", OBJECT(>peripherals),
   "board-rev", _abort);
+object_property_add_alias(obj, "vcram-size", OBJECT(>peripherals),
+  "vcram-size", _abort);
 qdev_set_parent_bus(DEVICE(>peripherals), sysbus_get_default());
 }
 
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index 6582279..83fe809 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -113,6 +113,7 @@ static void setup_boot(MachineState *machine, int version, 
size_t ram_size)
 static void raspi2_init(MachineState *machine)
 {
 RasPiState *s = g_new0(RasPiState, 1);
+uint32_t vcram_size;
 DriveInfo *di;
 BlockBackend *blk;
 BusState *bus;
@@ -149,7 +150,9 @@ static void raspi2_init(MachineState *machine)
 qdev_prop_set_drive(carddev, "drive", blk, _fatal);
 object_property_set_bool(OBJECT(carddev), true, "realized", _fatal);
 
-setup_boot(machine, 2, machine->ram_size);
+vcram_size = object_property_get_int(OBJECT(>soc), "vcram-size",
+ _abort);
+setup_boot(machine, 2, machine->ram_size - vcram_size);
 }
 
 static void raspi2_machine_init(MachineClass *mc)
@@ -161,11 +164,6 @@ static void raspi2_machine_init(MachineClass *mc)
 mc->no_floppy = 1;
 mc->no_cdrom = 1;
 mc->max_cpus = BCM2836_NCPUS;
-
-/* XXX: Temporary restriction in RAM size from the full 1GB. Since
- * we do not yet support the framebuffer / GPU, we need to limit
- * RAM usable by the OS to 

Re: [Qemu-devel] [PATCH] i8257: fix Terminal Count status

[John Snow]

On 02/25/2016 07:45 AM, Hervé Poussineau wrote:
> When a DMA transfer is done (ie all bytes have been transfered), the 
> corresponding
> Terminal Count bit must be set in the status register.
> This bit is already cleared in i8257_read_cont and i8257_write_cont when 
> required.
> 
> This fixes (at least) floppy transfer in IBM 40p firmware, which checks in DMA
> controller if everything went fine.
> 
> Signed-off-by: Hervé Poussineau 
> ---
>  hw/dma/i8257.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/hw/dma/i8257.c b/hw/dma/i8257.c
> index 5a52707..6078893 100644
> --- a/hw/dma/i8257.c
> +++ b/hw/dma/i8257.c
> @@ -342,6 +342,10 @@ static void i8257_channel_run(I8257State *d, int ichan)
>   r->now[COUNT], (r->base[COUNT] + 1) << ncont);
>  r->now[COUNT] = n;
>  ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
> +if (n == (r->base[COUNT] + 1) << ncont) {
> +ldebug("transfer done\n");
> +d->status |= (1 << ichan);
> +}
>  }
>  
>  static void i8257_dma_run(void *opaque)
> 

As best as I can tell from the i8257 data sheet I found this seems to be
correct, assuming the size calculation is correct (looks right, based on
that existing ldebug print.)

Reviewed-by: John Snow 

[Qemu-devel] Migration design planning

[John Snow]

Hi Juan;
We need your assistance in reviewing two competing designs for migrating
some block data so we can move forward with the feature.

First, some background:

What: Block Dirty Bitmaps. They are simple primitives that keep track of
which clusters have been written to since the last incremental backup.

Why: They are in-ram primitives that do not get migrated as-is alongside
block data, they need to be migrated specially. We want to migrate them
so that the "incremental backup" feature is available after a migration.

How: There are two competing designs, see below.


Design Option #1: Live Migration

Just like block data and ram, we make an initial pass over the data and
then continue to re-transmit data as necessary when block data becomes
dirtied again.

This is a simple, bog-standard approach that mimics pretty closely how
other systems are migrated.

The series is here from November:
https://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg02717.html

Most of the block-specific stuff has been reviewed, but it never got any
reviews by the migration maintainers. It's reasonably rotted by this
point, but it probably would not be a herculean effort to revive it.


Design Option #2: "Postcopy" Migration

https://lists.nongnu.org/archive/html/qemu-devel/2016-02/msg02793.html

The concept here is that incremental backup data can be treated simply
as best-effort; if it is lost, it's not a big deal. We can reconstitute
the data or simply start a new incremental backup sync point with a full
backup.

The idea then is that instead of the incremental live migration, we just
wait to copy the bitmap until after the pivot and send it all at once.
This is faster and a bit more efficient, and will scale pretty nicely to
even quite large bitmaps.



What I'd like from you: a broad acknowledgment of whether or not you
feel the Postcopy solution here is tenable, so we know which solution to
pursue. If we can get an ACK to one or the other method, we can
exhaustively review it from our end before handing it back to you for a
comprehensive migration review. We would like to see this feature hit
2.6 if possible as the designs have been on-list for quite some time.

Thanks,
--John Snow

Re: [Qemu-devel] [PATCH 1/2] sd.c: Handle NULL block backend in sd_get_inserted()

[Alistair Francis]

On Fri, Feb 26, 2016 at 5:24 AM, Peter Maydell  wrote:
> The sd.c SD card emulation code can be in a state where the
> SDState BlockBackend pointer is NULL; this is treated as
> "card not present". Add a missing check to sd_get_inserted()
> so that we don't segfault in this situation.
>
> (This could be provoked by the guest writing to the SDHCI
> register to do a reset on a xilinx-zynq-a9 board; it will
> also happen at startup when sdhci implements its DeviceClass
> reset method.)
>
> Signed-off-by: Peter Maydell 

Reviewed-by: Alistair Francis 

Thanks,

Alistair

> ---
>  hw/sd/sd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index edb6b32..00c320d 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -449,7 +449,7 @@ static void sd_reset(DeviceState *dev)
>
>  static bool sd_get_inserted(SDState *sd)
>  {
> -return blk_is_inserted(sd->blk);
> +return sd->blk && blk_is_inserted(sd->blk);
>  }
>
>  static bool sd_get_readonly(SDState *sd)
> --
> 1.9.1
>
>

Re: [Qemu-devel] [PATCH v4 RFC 00/17] qcow2: persistent dirty bitmaps

[John Snow]

Do you have this mirrored in a git repo so I can browse it more
effectively? I can't figure out what all the prerequisite patches are,
so it will be convenient to just have a repo in that case for the RFC.

On 02/17/2016 10:28 AM, Vladimir Sementsov-Ogievskiy wrote:
> This series add persistent dirty bitmaps feature to qcow2.
> Specification is in docs/spec/qcow2.txt (not merged yet, see
> [PATCH v10] spec: add qcow2 bitmaps extension specification)
> 
> This series are based on Fam's
> [PATCH v2 00/13] Dirty bitmap changes for migration/persistence work
> (meta bitmaps not used, and only hbitmap_deserialize_finish from
> serialization)
> 
> This also needs some preparation patches, most of them are in my
> bitmap-migration series. I've not listed them here to keep things
> simpler, this is RFC any way.
> 
> v4:
> 
> Previous version was posted more than five months ago, so I will not
> carefully list all changes.
> 
> What should be noted:
>  - some changes are made to sutisfy last version of specification
>- removed staff, related to possibility of saving bitmaps for one
>  disk in the other qcow2.
>  - to make bitmap store/load zero-copy, I've moved load/store code to
>HBitmap - this is new patch 01.
>so, bdrv_dirty_bitmap_serialize_part and friends are not needed,
>only hbitmap_deserialize_finish, to repair bitmap consistency after
>loading its last level.
>  - two patches added about AUTO and EXTRA_DATA_COMPATIBLE flags
>  - some fixes made after John's comments on v3
> 
> Vladimir Sementsov-Ogievskiy (17):
>   hbitmap: load/store
>   qcow2: Bitmaps extension: structs and consts
>   qcow2-dirty-bitmap: read dirty bitmap directory
>   qcow2-dirty-bitmap: add qcow2_bitmap_load()
>   qcow2-dirty-bitmap: add qcow2_bitmap_store()
>   qcow2: add dirty bitmaps extension
>   qcow2-dirty-bitmap: add qcow2_bitmap_load_check()
>   block: store persistent dirty bitmaps
>   block: add bdrv_load_dirty_bitmap()
>   qcow2-dirty-bitmap: add autoclear bit
>   qemu: command line option for dirty bitmaps
>   qcow2-dirty-bitmap: add IN_USE flag
>   qcow2-dirty-bitmaps: disallow stroing bitmap to other bs
>   iotests: add VM.test_launcn()
>   iotests: test internal persistent dirty bitmap
>   qcow2-dirty-bitmap: add AUTO flag
>   qcow2-dirty-bitmap: add EXTRA_DATA_COMPATIBLE flag
> 
>  block.c   |   3 +
>  block/Makefile.objs   |   2 +-
>  block/dirty-bitmap.c  | 101 +
>  block/qcow2-dirty-bitmap.c| 839 
> ++
>  block/qcow2.c | 105 +-
>  block/qcow2.h |  59 +++
>  blockdev.c|  36 ++
>  include/block/block_int.h |   9 +
>  include/block/dirty-bitmap.h  |  21 ++
>  include/qemu/hbitmap.h|  12 +
>  include/sysemu/blockdev.h |   1 +
>  include/sysemu/sysemu.h   |   1 +
>  qemu-options.hx   |  35 ++
>  tests/qemu-iotests/160| 112 ++
>  tests/qemu-iotests/160.out|  21 ++
>  tests/qemu-iotests/group  |   1 +
>  tests/qemu-iotests/iotests.py |  25 ++
>  util/hbitmap.c| 182 +
>  vl.c  |  78 
>  19 files changed, 1640 insertions(+), 3 deletions(-)
>  create mode 100644 block/qcow2-dirty-bitmap.c
>  create mode 100755 tests/qemu-iotests/160
>  create mode 100644 tests/qemu-iotests/160.out
> 

Re: [Qemu-devel] [PATCH v2 0/6] external backup api

[John Snow]

On 02/26/2016 03:03 PM, Paolo Bonzini wrote:
> 
> 
> On 26/02/2016 20:55, Paolo Bonzini wrote:
>>
>>
>> On 19/02/2016 09:51, Markus Armbruster wrote:
 Is it an abuse to "Get LBA Status" to return dirty information? Because in 
 SCSI
 the command reports "mapped", "allocated" and "anchored" statuses. Does 
 that
 mean NBD will use a different status set?
>>>
>>> Perhaps some conceptual gymnastics can get us to standard semantics.
>>>
>>> Incremental backup wants to copy out an image's "dirty" blocks.
>>>
>>> We can view this as a bitmap telling us which of the image's blocks are
>>> dirty.
>>>
>>> An alternative view would be base image + dirty delta image.  In the the
>>> dirty delta, exactly the dirty blocks are allocated.  The delta image
>>> may be conceptual.
>>
>> I see a problem here. On one hand I agree that the "GET LBA STATUS" is
>> a natural extension to the NBD protocol.
>>
>> On the other hand, the Get LBA Status command in SCSI reflects the
>> state over the whole chain, not only the top element.  It is the
>> equivalent of bdrv_get_block_status_above(bs, NULL, ...), rather than
>> bdrv_get_block_status(bs, ...).  My understanding is that the dirty
>> block information would require the latter, especially in the
>> "conceptual delta image" model that Markus describes above.
>>

This is unfortunate.

>> Having NBD implement subtly different semantics compared to SCSI is a
>> bad idea in my opinion.
>>
>> Of course if we call it "READ DIRTY BLOCKS" that would work, but I
>> don't think such a command would be something that it makes sense to
>> have in the general purpose NBD spec, so you would need a mechanism
>> for vendor-specific extensions.
> 
> Trying to be constructive: shall we instead have a simple mini-protocol
> with commands like "read bitmap slice", "clear bitmap slice", "query
> next 0 bit", "query next 1 bit"?
> 
> Not necessarily QMP, just a little socket thing.  It could be JSON or
> ASCII or binary.  It sucks to implement a new protocol, but perhaps it
> could be something compatible with VMware or Parallels.
> 
> Sorry if this has already been proposed, I'm late to the game and I only
> read this subthread.
> 
> Paolo
> 

The solution I proposed prior to the LBA status idea (which I did like,
pending its suitability which looks... compromised, now. sigh.) was a
simple binary protocol.

Something akin to this:

{ "execute": "dirty-bitmap-export",
  "arguments": {
"node": "drive0",
"bitmap": "bitmap0",
"uri": "tcp:127.0.0.1:31337"
  }
}

We'll open up a socket to the URI provided, and push data akin to the
following:

Bytes 0-3: "QBMP" (Qemu Bit Map Protocol)
Bytes 4-11: number of dirty bits (As a lazy checksum)
Bytes 12-19: granularity of bits
Bytes 20+: raw bitmap data
EOF

A simple, non-glorious format that just gets the data out there. Then
the client has the info it needs to poll dirty blocks as necessary.


The other suggestion is to literally fetch the bitmap over NBD. How
would this work -- would the export just be sized to the number of bytes
of the bitmap data, and the client queries it?

I can't help but feel like this is slightly hacky, but I can't think of
any truly solid reasons against it either.

--js

Re: [Qemu-devel] [PATCH v2 0/6] external backup api

[Denis V. Lunev]

On 02/26/2016 10:55 PM, Paolo Bonzini wrote:


On 19/02/2016 09:51, Markus Armbruster wrote:

Is it an abuse to "Get LBA Status" to return dirty information? Because in SCSI
the command reports "mapped", "allocated" and "anchored" statuses. Does that
mean NBD will use a different status set?

Perhaps some conceptual gymnastics can get us to standard semantics.

Incremental backup wants to copy out an image's "dirty" blocks.

We can view this as a bitmap telling us which of the image's blocks are
dirty.

An alternative view would be base image + dirty delta image.  In the the
dirty delta, exactly the dirty blocks are allocated.  The delta image
may be conceptual.

I see a problem here. On one hand I agree that the "GET LBA STATUS" is
a natural extension to the NBD protocol.

On the other hand, the Get LBA Status command in SCSI reflects the
state over the whole chain, not only the top element.  It is the
equivalent of bdrv_get_block_status_above(bs, NULL, ...), rather than
bdrv_get_block_status(bs, ...).  My understanding is that the dirty
block information would require the latter, especially in the
"conceptual delta image" model that Markus describes above.

Having NBD implement subtly different semantics compared to SCSI is a
bad idea in my opinion.

Of course if we call it "READ DIRTY BLOCKS" that would work, but I
don't think such a command would be something that it makes sense to
have in the general purpose NBD spec, so you would need a mechanism
for vendor-specific extensions.

Paolo


In general, the idea to bind DIRTY BITMAP to GET STATUS command is not that
bad. First of all, NBD has no relation to the SCSI at all thus we are not
bound to the SCSI protocol. This is good thing.

Next, it is generally good to query state of the data block before reading
to reduce amount of transfers over the network. This is useful even for a
full backup operation to avoid zero block transfers.

Thus, if we have created special NBD share, we can provide STATUS bitmap
in the way we want, f.e. with the proposed semantics. This will not be a
violation of the protocol.

Den

[Qemu-devel] [PATCH 1/3] block/qapi: Factor out bdrv_query_blk_stats()

[Kevin Wolf]

The new functions handles the data that is taken from the BlockBackend.

Signed-off-by: Kevin Wolf 
---
 block/qapi.c | 131 +++
 1 file changed, 68 insertions(+), 63 deletions(-)

diff --git a/block/qapi.c b/block/qapi.c
index db2d3fb..c04f1d8 100644
--- a/block/qapi.c
+++ b/block/qapi.c
@@ -355,6 +355,73 @@ static void bdrv_query_info(BlockBackend *blk, BlockInfo 
**p_info,
 qapi_free_BlockInfo(info);
 }
 
+static void bdrv_query_blk_stats(BlockStats *s, BlockBackend *blk)
+{
+BlockAcctStats *stats = blk_get_stats(blk);
+BlockAcctTimedStats *ts = NULL;
+
+s->stats->rd_bytes = stats->nr_bytes[BLOCK_ACCT_READ];
+s->stats->wr_bytes = stats->nr_bytes[BLOCK_ACCT_WRITE];
+s->stats->rd_operations = stats->nr_ops[BLOCK_ACCT_READ];
+s->stats->wr_operations = stats->nr_ops[BLOCK_ACCT_WRITE];
+
+s->stats->failed_rd_operations = stats->failed_ops[BLOCK_ACCT_READ];
+s->stats->failed_wr_operations = stats->failed_ops[BLOCK_ACCT_WRITE];
+s->stats->failed_flush_operations = stats->failed_ops[BLOCK_ACCT_FLUSH];
+
+s->stats->invalid_rd_operations = stats->invalid_ops[BLOCK_ACCT_READ];
+s->stats->invalid_wr_operations = stats->invalid_ops[BLOCK_ACCT_WRITE];
+s->stats->invalid_flush_operations =
+stats->invalid_ops[BLOCK_ACCT_FLUSH];
+
+s->stats->rd_merged = stats->merged[BLOCK_ACCT_READ];
+s->stats->wr_merged = stats->merged[BLOCK_ACCT_WRITE];
+s->stats->flush_operations = stats->nr_ops[BLOCK_ACCT_FLUSH];
+s->stats->wr_total_time_ns = stats->total_time_ns[BLOCK_ACCT_WRITE];
+s->stats->rd_total_time_ns = stats->total_time_ns[BLOCK_ACCT_READ];
+s->stats->flush_total_time_ns = stats->total_time_ns[BLOCK_ACCT_FLUSH];
+
+s->stats->has_idle_time_ns = stats->last_access_time_ns > 0;
+if (s->stats->has_idle_time_ns) {
+s->stats->idle_time_ns = block_acct_idle_time_ns(stats);
+}
+
+s->stats->account_invalid = stats->account_invalid;
+s->stats->account_failed = stats->account_failed;
+
+while ((ts = block_acct_interval_next(stats, ts))) {
+BlockDeviceTimedStatsList *timed_stats =
+g_malloc0(sizeof(*timed_stats));
+BlockDeviceTimedStats *dev_stats = g_malloc0(sizeof(*dev_stats));
+timed_stats->next = s->stats->timed_stats;
+timed_stats->value = dev_stats;
+s->stats->timed_stats = timed_stats;
+
+TimedAverage *rd = >latency[BLOCK_ACCT_READ];
+TimedAverage *wr = >latency[BLOCK_ACCT_WRITE];
+TimedAverage *fl = >latency[BLOCK_ACCT_FLUSH];
+
+dev_stats->interval_length = ts->interval_length;
+
+dev_stats->min_rd_latency_ns = timed_average_min(rd);
+dev_stats->max_rd_latency_ns = timed_average_max(rd);
+dev_stats->avg_rd_latency_ns = timed_average_avg(rd);
+
+dev_stats->min_wr_latency_ns = timed_average_min(wr);
+dev_stats->max_wr_latency_ns = timed_average_max(wr);
+dev_stats->avg_wr_latency_ns = timed_average_avg(wr);
+
+dev_stats->min_flush_latency_ns = timed_average_min(fl);
+dev_stats->max_flush_latency_ns = timed_average_max(fl);
+dev_stats->avg_flush_latency_ns = timed_average_avg(fl);
+
+dev_stats->avg_rd_queue_depth =
+block_acct_queue_depth(ts, BLOCK_ACCT_READ);
+dev_stats->avg_wr_queue_depth =
+block_acct_queue_depth(ts, BLOCK_ACCT_WRITE);
+}
+}
+
 static BlockStats *bdrv_query_stats(const BlockDriverState *bs,
 bool query_backing)
 {
@@ -374,69 +441,7 @@ static BlockStats *bdrv_query_stats(const BlockDriverState 
*bs,
 
 s->stats = g_malloc0(sizeof(*s->stats));
 if (bs->blk) {
-BlockAcctStats *stats = blk_get_stats(bs->blk);
-BlockAcctTimedStats *ts = NULL;
-
-s->stats->rd_bytes = stats->nr_bytes[BLOCK_ACCT_READ];
-s->stats->wr_bytes = stats->nr_bytes[BLOCK_ACCT_WRITE];
-s->stats->rd_operations = stats->nr_ops[BLOCK_ACCT_READ];
-s->stats->wr_operations = stats->nr_ops[BLOCK_ACCT_WRITE];
-
-s->stats->failed_rd_operations = stats->failed_ops[BLOCK_ACCT_READ];
-s->stats->failed_wr_operations = stats->failed_ops[BLOCK_ACCT_WRITE];
-s->stats->failed_flush_operations = 
stats->failed_ops[BLOCK_ACCT_FLUSH];
-
-s->stats->invalid_rd_operations = stats->invalid_ops[BLOCK_ACCT_READ];
-s->stats->invalid_wr_operations = stats->invalid_ops[BLOCK_ACCT_WRITE];
-s->stats->invalid_flush_operations =
-stats->invalid_ops[BLOCK_ACCT_FLUSH];
-
-s->stats->rd_merged = stats->merged[BLOCK_ACCT_READ];
-s->stats->wr_merged = stats->merged[BLOCK_ACCT_WRITE];
-s->stats->flush_operations = stats->nr_ops[BLOCK_ACCT_FLUSH];
-s->stats->wr_total_time_ns = stats->total_time_ns[BLOCK_ACCT_WRITE];
-s->stats->rd_total_time_ns = stats->total_time_ns[BLOCK_ACCT_READ];
-

[Qemu-devel] [PATCH 3/3] block/qapi: Include empty drives in query-blockstats

[Kevin Wolf]

Since commit 5ec18f8c, query-blockstats didn't return the statistics of
drives without media any more because such drives have only a BB now,
but not a BDS any more.

This patch fixes the regression so that query-blockstats iterates over
BBs by default and empty drives are displayed again.

Signed-off-by: Kevin Wolf 
---
 block/qapi.c | 48 +---
 1 file changed, 33 insertions(+), 15 deletions(-)

diff --git a/block/qapi.c b/block/qapi.c
index 31ae879..6a4869a 100644
--- a/block/qapi.c
+++ b/block/qapi.c
@@ -355,7 +355,8 @@ static void bdrv_query_info(BlockBackend *blk, BlockInfo 
**p_info,
 qapi_free_BlockInfo(info);
 }
 
-static BlockStats *bdrv_query_stats(const BlockDriverState *bs,
+static BlockStats *bdrv_query_stats(BlockBackend *blk,
+const BlockDriverState *bs,
 bool query_backing);
 
 static void bdrv_query_blk_stats(BlockStats *s, BlockBackend *blk)
@@ -363,6 +364,9 @@ static void bdrv_query_blk_stats(BlockStats *s, 
BlockBackend *blk)
 BlockAcctStats *stats = blk_get_stats(blk);
 BlockAcctTimedStats *ts = NULL;
 
+s->has_device = true;
+s->device = g_strdup(blk_name(blk));
+
 s->stats->rd_bytes = stats->nr_bytes[BLOCK_ACCT_READ];
 s->stats->wr_bytes = stats->nr_bytes[BLOCK_ACCT_WRITE];
 s->stats->rd_operations = stats->nr_ops[BLOCK_ACCT_READ];
@@ -428,11 +432,6 @@ static void bdrv_query_blk_stats(BlockStats *s, 
BlockBackend *blk)
 static void bdrv_query_bds_stats(BlockStats *s, const BlockDriverState *bs,
  bool query_backing)
 {
-if (bdrv_get_device_name(bs)[0]) {
-s->has_device = true;
-s->device = g_strdup(bdrv_get_device_name(bs));
-}
-
 if (bdrv_get_node_name(bs)[0]) {
 s->has_node_name = true;
 s->node_name = g_strdup(bdrv_get_node_name(bs));
@@ -442,17 +441,18 @@ static void bdrv_query_bds_stats(BlockStats *s, const 
BlockDriverState *bs,
 
 if (bs->file) {
 s->has_parent = true;
-s->parent = bdrv_query_stats(bs->file->bs, query_backing);
+s->parent = bdrv_query_stats(NULL, bs->file->bs, query_backing);
 }
 
 if (query_backing && bs->backing) {
 s->has_backing = true;
-s->backing = bdrv_query_stats(bs->backing->bs, query_backing);
+s->backing = bdrv_query_stats(NULL, bs->backing->bs, query_backing);
 }
 
 }
 
-static BlockStats *bdrv_query_stats(const BlockDriverState *bs,
+static BlockStats *bdrv_query_stats(BlockBackend *blk,
+const BlockDriverState *bs,
 bool query_backing)
 {
 BlockStats *s;
@@ -460,10 +460,12 @@ static BlockStats *bdrv_query_stats(const 
BlockDriverState *bs,
 s = g_malloc0(sizeof(*s));
 s->stats = g_malloc0(sizeof(*s->stats));
 
-if (bs->blk) {
-bdrv_query_blk_stats(s, bs->blk);
+if (blk) {
+bdrv_query_blk_stats(s, blk);
+}
+if (bs) {
+bdrv_query_bds_stats(s, bs, query_backing);
 }
-bdrv_query_bds_stats(s, bs, query_backing);
 
 return s;
 }
@@ -491,22 +493,38 @@ BlockInfoList *qmp_query_block(Error **errp)
 return head;
 }
 
+static bool next_query_bds(BlockBackend **blk, BlockDriverState **bs,
+   bool query_nodes)
+{
+if (query_nodes) {
+*bs = bdrv_next_node(*bs);
+return !!*bs;
+}
+
+*blk = blk_next(*blk);
+*bs = *blk ? blk_bs(*blk) : NULL;
+
+return !!*blk;
+}
+
 BlockStatsList *qmp_query_blockstats(bool has_query_nodes,
  bool query_nodes,
  Error **errp)
 {
 BlockStatsList *head = NULL, **p_next = 
+BlockBackend *blk = NULL;
 BlockDriverState *bs = NULL;
 
 /* Just to be safe if query_nodes is not always initialized */
 query_nodes = has_query_nodes && query_nodes;
 
-while ((bs = query_nodes ? bdrv_next_node(bs) : bdrv_next(bs))) {
+while (next_query_bds(, , query_nodes)) {
 BlockStatsList *info = g_malloc0(sizeof(*info));
-AioContext *ctx = bdrv_get_aio_context(bs);
+AioContext *ctx = blk ? blk_get_aio_context(blk)
+  : bdrv_get_aio_context(bs);
 
 aio_context_acquire(ctx);
-info->value = bdrv_query_stats(bs, !query_nodes);
+info->value = bdrv_query_stats(blk, bs, !query_nodes);
 aio_context_release(ctx);
 
 *p_next = info;
-- 
1.8.3.1

[Qemu-devel] [PATCH 0/3] block/qapi: Include empty drives in query-blockstats

[Kevin Wolf]

This series fixes a regression introduced by recent blockdev work. As a nice
side effect, it gets rid of at least one user of bs->blk.

Kevin Wolf (3):
  block/qapi: Factor out bdrv_query_blk_stats()
  block/qapi: Factor out bdrv_query_bds_stats()
  block/qapi: Include empty drives in query-blockstats

 block/qapi.c | 178 +++
 1 file changed, 105 insertions(+), 73 deletions(-)

-- 
1.8.3.1

[Qemu-devel] [PATCH 2/3] block/qapi: Factor out bdrv_query_bds_stats()

[Kevin Wolf]

The new functions handles the data that is taken from the
BlockDriverState.

Signed-off-by: Kevin Wolf 
---
 block/qapi.c | 31 ---
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/block/qapi.c b/block/qapi.c
index c04f1d8..31ae879 100644
--- a/block/qapi.c
+++ b/block/qapi.c
@@ -355,6 +355,9 @@ static void bdrv_query_info(BlockBackend *blk, BlockInfo 
**p_info,
 qapi_free_BlockInfo(info);
 }
 
+static BlockStats *bdrv_query_stats(const BlockDriverState *bs,
+bool query_backing);
+
 static void bdrv_query_blk_stats(BlockStats *s, BlockBackend *blk)
 {
 BlockAcctStats *stats = blk_get_stats(blk);
@@ -422,13 +425,9 @@ static void bdrv_query_blk_stats(BlockStats *s, 
BlockBackend *blk)
 }
 }
 
-static BlockStats *bdrv_query_stats(const BlockDriverState *bs,
-bool query_backing)
+static void bdrv_query_bds_stats(BlockStats *s, const BlockDriverState *bs,
+ bool query_backing)
 {
-BlockStats *s;
-
-s = g_malloc0(sizeof(*s));
-
 if (bdrv_get_device_name(bs)[0]) {
 s->has_device = true;
 s->device = g_strdup(bdrv_get_device_name(bs));
@@ -439,11 +438,6 @@ static BlockStats *bdrv_query_stats(const BlockDriverState 
*bs,
 s->node_name = g_strdup(bdrv_get_node_name(bs));
 }
 
-s->stats = g_malloc0(sizeof(*s->stats));
-if (bs->blk) {
-bdrv_query_blk_stats(s, bs->blk);
-}
-
 s->stats->wr_highest_offset = bs->wr_highest_offset;
 
 if (bs->file) {
@@ -456,6 +450,21 @@ static BlockStats *bdrv_query_stats(const BlockDriverState 
*bs,
 s->backing = bdrv_query_stats(bs->backing->bs, query_backing);
 }
 
+}
+
+static BlockStats *bdrv_query_stats(const BlockDriverState *bs,
+bool query_backing)
+{
+BlockStats *s;
+
+s = g_malloc0(sizeof(*s));
+s->stats = g_malloc0(sizeof(*s->stats));
+
+if (bs->blk) {
+bdrv_query_blk_stats(s, bs->blk);
+}
+bdrv_query_bds_stats(s, bs, query_backing);
+
 return s;
 }
 
-- 
1.8.3.1

Re: [Qemu-devel] [PATCH v2 0/6] external backup api

[Denis V. Lunev]

On 02/26/2016 11:03 PM, Paolo Bonzini wrote:


On 26/02/2016 20:55, Paolo Bonzini wrote:


On 19/02/2016 09:51, Markus Armbruster wrote:

Is it an abuse to "Get LBA Status" to return dirty information? Because in SCSI
the command reports "mapped", "allocated" and "anchored" statuses. Does that
mean NBD will use a different status set?

Perhaps some conceptual gymnastics can get us to standard semantics.

Incremental backup wants to copy out an image's "dirty" blocks.

We can view this as a bitmap telling us which of the image's blocks are
dirty.

An alternative view would be base image + dirty delta image.  In the the
dirty delta, exactly the dirty blocks are allocated.  The delta image
may be conceptual.

I see a problem here. On one hand I agree that the "GET LBA STATUS" is
a natural extension to the NBD protocol.

On the other hand, the Get LBA Status command in SCSI reflects the
state over the whole chain, not only the top element.  It is the
equivalent of bdrv_get_block_status_above(bs, NULL, ...), rather than
bdrv_get_block_status(bs, ...).  My understanding is that the dirty
block information would require the latter, especially in the
"conceptual delta image" model that Markus describes above.

Having NBD implement subtly different semantics compared to SCSI is a
bad idea in my opinion.

Of course if we call it "READ DIRTY BLOCKS" that would work, but I
don't think such a command would be something that it makes sense to
have in the general purpose NBD spec, so you would need a mechanism
for vendor-specific extensions.

Trying to be constructive: shall we instead have a simple mini-protocol
with commands like "read bitmap slice", "clear bitmap slice", "query
next 0 bit", "query next 1 bit"?

Not necessarily QMP, just a little socket thing.  It could be JSON or
ASCII or binary.  It sucks to implement a new protocol, but perhaps it
could be something compatible with VMware or Parallels.

Sorry if this has already been proposed, I'm late to the game and I only
read this subthread.

Paolo

there was a proposal in the thread to export bitmap itself as NBD
block device. We have also discuss to transfer entire bitmap over
QMP but this idea is not that good according to Eric/Markus.

Den

Re: [Qemu-devel] [PATCH v7 5/9] qemu-log: new option -dfilter to limit output

[Richard Henderson]

On 02/22/2016 07:59 AM, Alex Bennée wrote:
> +qemu_set_dfilter_ranges("0x1000+0x100");
> +
> +g_assert_false(qemu_log_in_addr_range(0xfff));
> +g_assert(qemu_log_in_addr_range(0x1000));
> +g_assert(qemu_log_in_addr_range(0x1100));

This is exactly what I was talking about wrt off-by-one error in my first
review -- 0x100 bytes, including 0x1000, finishes at 0x10ff.

This third test should fail.


r~

Re: [Qemu-devel] [PATCH v7 8/9] qemu-log: support simple pid substitution for logs

[Richard Henderson]

On 02/22/2016 07:59 AM, Alex Bennée wrote:
> When debugging stuff that occurs over several forks it would be useful
> not to keep overwriting the one logfile you've set-up. This allows a
> simple %d to be included once in the logfile parameter which is
> substituted with getpid().
> 
> As the test cases involve checking user output they need
> g_test_trap_subprocess() support. As a result they are currently skipped
> on Travis builds due to the older glib involved.
> 
> Signed-off-by: Alex Bennée 
> Reviewed-by: Leandro Dorileo 
> Reviewed-by: Aurelien Jarno 
> 
> ---
> v5
>   - add another r-b
> v7
>   - simpler error check as suggested by Eric Blake
>   - don't g_error, just error_report (so we don't crash from monitor)
>   - add some unit tests
> ---
>  tests/test-logging.c | 39 +++
>  util/log.c   | 22 --
>  2 files changed, 59 insertions(+), 2 deletions(-)


Reviewed-by: Richard Henderson 


r~

Re: [Qemu-devel] [PATCH v7 7/9] target-arm: dfilter support for in_asm

[Richard Henderson]

On 02/22/2016 07:59 AM, Alex Bennée wrote:
> Each individual architecture needs to use the qemu_log_in_addr_range()
> feature for enabling in_asm output as it is part of the frontend.
> 
> Signed-off-by: Alex Bennée 
> Reviewed-by: Aurelien Jarno 
> 
> ---
> v5
>   - no longer wrapping tcg_gen_insn_start (was tcg_gen_debug)
>   - reword to handle only in_asm
>   - added r-b tag
> ---
>  target-arm/translate-a64.c | 3 ++-
>  target-arm/translate.c | 3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)


Reviewed-by: Richard Henderson 


r~

Re: [Qemu-devel] [PATCH v7 1/9] tcg: pass down TranslationBlock to tcg_code_gen

[Richard Henderson]

On 02/22/2016 07:59 AM, Alex Bennée wrote:
> My later debugging patches need access to the origin PC which is held in
> the TranslationBlock structure. Pass down the whole structure as it also
> holds the information about the code start point.
> 
> Signed-off-by: Alex Bennée 
> 
> ---
> v1
>  - checkpatch fixes
> v5
>  - much simplified due to changes since last posting
> v6
>  - remove needless tweaking of gen_code_buf in tb_gen_code
> ---
>  tcg/tcg.c   | 6 +++---
>  tcg/tcg.h   | 2 +-
>  translate-all.c | 2 +-
>  3 files changed, 5 insertions(+), 5 deletions(-)

Reviewed-by: Richard Henderson  


r~

[Qemu-devel] [Bug 1550503] [NEW] target-arm/helper.c:5493: bad test ?

[dcb]

Public bug reported:

[qemu/target-arm/helper.c:5493]: (style) Expression '(X & 0x1f) !=
0xf80f' is always true.

Source code is

(env->uncached_cpsr & CPSR_M) != CPSR_USER &&

but

./qemu/target-arm/cpu.h:#define CPSR_M (0x1fU)

./qemu/target-arm/cpu.h:#define CPSR_USER (CPSR_NZCV | CPSR_Q | CPSR_GE)

** Affects: qemu
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1550503

Title:
  target-arm/helper.c:5493: bad test ?

Status in QEMU:
  New

Bug description:
  [qemu/target-arm/helper.c:5493]: (style) Expression '(X & 0x1f) !=
  0xf80f' is always true.

  Source code is

  (env->uncached_cpsr & CPSR_M) != CPSR_USER &&

  but

  ./qemu/target-arm/cpu.h:#define CPSR_M (0x1fU)

  ./qemu/target-arm/cpu.h:#define CPSR_USER (CPSR_NZCV | CPSR_Q |
  CPSR_GE)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1550503/+subscriptions

Re: [Qemu-devel] [PATCH v2 4/8] target-arm: Add more fields to the data abort syndrome generator

[Sergey Fedorov]

On 25.02.2016 20:41, Peter Maydell wrote:

On 19 February 2016 at 20:04, Edgar E. Iglesias
 wrote:

From: "Edgar E. Iglesias" 

Add the following flags to the data abort syndrome generator:
* isv - Instruction syndrome valid
* sas - Syndrome access size
* sse - Syndrome sign extend
* srt - Syndrome register transfer
* sf  - Sixty-Four bit register width
* ar  - Acquire/Release

These flags are not yet used, so this patch has no functional change.

Signed-off-by: Edgar E. Iglesias 
---
  target-arm/internals.h | 20 ++--
  target-arm/op_helper.c |  8 ++--
  2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/target-arm/internals.h b/target-arm/internals.h
index 34e2688..4e9d9f5 100644
--- a/target-arm/internals.h
+++ b/target-arm/internals.h
@@ -383,13 +383,29 @@ static inline uint32_t syn_insn_abort(int same_el, int 
ea, int s1ptw, int fsc)
  | (ea << 9) | (s1ptw << 7) | fsc;
  }

-static inline uint32_t syn_data_abort(int same_el, int ea, int cm, int s1ptw,
+static inline uint32_t syn_data_abort(int same_el, int isv,
+  int sas, int sse, int srt,
+  int sf, int ar,
+  int ea, int cm, int s1ptw,
int wnr, int fsc,
bool is_16bit)

Everywhere we call this (both now and once the full patchset has
been applied) isv is a constant (either 0 or 1). I think it might
be cleaner to define both a syn_data_abort_with_isv() and a
syn_data_abort_no_isv(). Then the no_isv version doesn't need all
the arguments that are zeroes.


Alternatively, we could define a function similar to 
LSInstructionSyndrome from ARMv8 ARM pseudocode, but which will pack the 
instruction syndrome from its components into a value of ISS<24:14>.


Best regards,
Sergey

Re: [Qemu-devel] [PATCH v2 0/6] external backup api

[Paolo Bonzini]

On 26/02/2016 20:55, Paolo Bonzini wrote:
> 
> 
> On 19/02/2016 09:51, Markus Armbruster wrote:
>>> Is it an abuse to "Get LBA Status" to return dirty information? Because in 
>>> SCSI
>>> the command reports "mapped", "allocated" and "anchored" statuses. Does that
>>> mean NBD will use a different status set?
>>
>> Perhaps some conceptual gymnastics can get us to standard semantics.
>>
>> Incremental backup wants to copy out an image's "dirty" blocks.
>>
>> We can view this as a bitmap telling us which of the image's blocks are
>> dirty.
>>
>> An alternative view would be base image + dirty delta image.  In the the
>> dirty delta, exactly the dirty blocks are allocated.  The delta image
>> may be conceptual.
> 
> I see a problem here. On one hand I agree that the "GET LBA STATUS" is
> a natural extension to the NBD protocol.
> 
> On the other hand, the Get LBA Status command in SCSI reflects the
> state over the whole chain, not only the top element.  It is the
> equivalent of bdrv_get_block_status_above(bs, NULL, ...), rather than
> bdrv_get_block_status(bs, ...).  My understanding is that the dirty
> block information would require the latter, especially in the
> "conceptual delta image" model that Markus describes above.
> 
> Having NBD implement subtly different semantics compared to SCSI is a
> bad idea in my opinion.
> 
> Of course if we call it "READ DIRTY BLOCKS" that would work, but I
> don't think such a command would be something that it makes sense to
> have in the general purpose NBD spec, so you would need a mechanism
> for vendor-specific extensions.

Trying to be constructive: shall we instead have a simple mini-protocol
with commands like "read bitmap slice", "clear bitmap slice", "query
next 0 bit", "query next 1 bit"?

Not necessarily QMP, just a little socket thing.  It could be JSON or
ASCII or binary.  It sucks to implement a new protocol, but perhaps it
could be something compatible with VMware or Parallels.

Sorry if this has already been proposed, I'm late to the game and I only
read this subthread.

Paolo

Re: [Qemu-devel] [PATCH v2 0/6] external backup api

[Paolo Bonzini]

On 19/02/2016 09:51, Markus Armbruster wrote:
>> Is it an abuse to "Get LBA Status" to return dirty information? Because in 
>> SCSI
>> the command reports "mapped", "allocated" and "anchored" statuses. Does that
>> mean NBD will use a different status set?
> 
> Perhaps some conceptual gymnastics can get us to standard semantics.
> 
> Incremental backup wants to copy out an image's "dirty" blocks.
> 
> We can view this as a bitmap telling us which of the image's blocks are
> dirty.
> 
> An alternative view would be base image + dirty delta image.  In the the
> dirty delta, exactly the dirty blocks are allocated.  The delta image
> may be conceptual.

I see a problem here. On one hand I agree that the "GET LBA STATUS" is
a natural extension to the NBD protocol.

On the other hand, the Get LBA Status command in SCSI reflects the
state over the whole chain, not only the top element.  It is the
equivalent of bdrv_get_block_status_above(bs, NULL, ...), rather than
bdrv_get_block_status(bs, ...).  My understanding is that the dirty
block information would require the latter, especially in the
"conceptual delta image" model that Markus describes above.

Having NBD implement subtly different semantics compared to SCSI is a
bad idea in my opinion.

Of course if we call it "READ DIRTY BLOCKS" that would work, but I
don't think such a command would be something that it makes sense to
have in the general purpose NBD spec, so you would need a mechanism
for vendor-specific extensions.

Paolo

> Now, consider the dirty delta *without* its backing image.  You can find
> its allocated blocks with Get LBA Status.  As usual, you can read even
> unallocated blocks, see SBC3 table 9.
> 
> If we NBD-export exactly that, we can use standard semantics, can't we?

Re: [Qemu-devel] [PATCH] Qemu/KVM: Remove x2apic feature from CPU model when kernel_irqchip is off

[Eduardo Habkost]

On Thu, Feb 25, 2016 at 11:15:12PM +0800, Lan Tianyu wrote:
> x2apic feature is in the kvm_default_props and automatically added to all
> CPU models when KVM is enabled. But userspace devices don't support x2apic
> which can't be enabled without the in-kernel irqchip. It will trigger
> warning of "host doesn't support requested feature: CPUID.01H:ECX.x2apic
> [bit 21]" when kernel_irqchip is off. This patch is to fix it via removing
> x2apic feature when kernel_irqchip is off.
> 
> Signed-off-by: Lan Tianyu 
> ---
>  target-i386/cpu.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/target-i386/cpu.c b/target-i386/cpu.c
> index c78f824..298fb62 100644
> --- a/target-i386/cpu.c
> +++ b/target-i386/cpu.c
> @@ -2125,6 +2125,10 @@ static void x86_cpu_load_def(X86CPU *cpu, 
> X86CPUDefinition *def, Error **errp)
>  
>  /* Special cases not set in the X86CPUDefinition structs: */
>  if (kvm_enabled()) {
> +if (!kvm_irqchip_in_kernel()) {
> +x86_cpu_change_kvm_default("x2apic", "off");

This should be NULL instead of "off". Otherwise, the warning will
be disabled if using "-cpu ...,+x2apic".

> +}
> +

This function runs multiple times (once for each VCPU being
created). Should be harmless, though. Eventually we could move
the whole kvm_default_props logic outside cpu.c, to a KVM-x86
accel class or to common PC initialization code.


>  x86_cpu_apply_props(cpu, kvm_default_props);
>  }
>  
> -- 
> 1.9.3
> 

-- 
Eduardo

Re: [Qemu-devel] [Qemu-arm] help on how to emulate rasbperry pi 2

[Andrew Baumann]

> From: John Snow [mailto:js...@redhat.com]
> Sent: Friday, 26 February 2016 9:53 AM
> 
> On 02/26/2016 12:23 PM, Andrew Baumann wrote:
> >> From: John Snow [mailto:js...@redhat.com]
> >> Sent: Friday, 26 February 2016 9:13 AM
[...]
> >> Andrew, you might want to update the examples on that wiki: it looks
> >> like with recent changes that "-sd" was temporarily insufficient for
> >> getting a proper instance running.
> >>
> >> Maybe you should also add some examples that use the -drive/-device
> >> combo that we canonically support in addition to the sugared -sd/-hda.
> >>
> >> Mats: for now, try grabbing the latest qemu master, it fixed a bug with
> >> -sd. :)
> >
> > Yes, John's right, please try now and this bug should be fixed.
> >
> > There was a regression in qemu-master for about a week, fixed by:
> > https://lists.nongnu.org/archive/html/qemu-devel/2016-
> 02/msg05733.html
> >
> > John, AFAIK there was no way to have working SD without this patch (the
> code to hook up the block device didn't exist), so I don't think there's much
> point updating the wiki.
> >
> > Cheers,
> > Andrew
> >
> 
> `-drive if=none,id=sd0,file=etc.img,format=raw
>  -device sd-card,drive=sd0,bus=sd-bus`
> 
> doesn't work?

No, that doesn't work, but don't ask me why. After commenting out the new code 
in raspi.c, I get:

./qemu-system-arm.exe -M raspi2 -bios e:/raspi/th2_10556_uefi.img -drive 
if=none,id=sd0,file=e:/raspi/th2_10556_pi2.vhd,format=raw -device 
sd-card,drive=sd0,bus=sd-bus
E:\qemu\build64\arm-softmmu\qemu-system-arm.exe: Device with id 'sd0' already 
exists

Changing the id to sd1 proceeds, but results in an unbootable system (looks 
like there is no card in the device). I don't know what creates sd0. In fact, I 
tried putting the new code back, so -sd works, but the invocation you gave me 
above still fails the same way.

> The code to "hook up the block device" was added to the board init, but
> that's for if=SD devices as added by -sd. the -drive/-device combo
> should work anyway, because you are explicitly hooking it up via -device.
> 
> I guess the QOMification of SD is new, but usually we recommend/prefer
> scripts and clients to use the explicit drive/device syntax above
> instead of the -sd or -hda syntactic sugar. Real actual people can still
> use -sd/-hd -- but they're prone to breakage as you've seen.

Thanks for the explainer. As you can see, I haven't been able to grok the 
-drive -device syntax yet :)

Andrew

Re: [Qemu-devel] [RFC PATCH v0 2/6] spapr: CPU core device

[Michael Roth]

Quoting Bharata B Rao (2016-02-25 10:22:38)
> Add sPAPR specific CPU core device that is based on generic CPU core device.
> Creating this core device will result in creation of all the CPU thread
> devices that are part of this core.
> 
> Signed-off-by: Bharata B Rao 
> ---
>  hw/ppc/Makefile.objs|   1 +
>  hw/ppc/spapr_cpu_core.c | 210 
> 
>  include/hw/ppc/spapr_cpu_core.h |  32 ++
>  3 files changed, 243 insertions(+)
>  create mode 100644 hw/ppc/spapr_cpu_core.c
>  create mode 100644 include/hw/ppc/spapr_cpu_core.h
> 
> diff --git a/hw/ppc/Makefile.objs b/hw/ppc/Makefile.objs
> index c1ffc77..5cc6608 100644
> --- a/hw/ppc/Makefile.objs
> +++ b/hw/ppc/Makefile.objs
> @@ -4,6 +4,7 @@ obj-y += ppc.o ppc_booke.o
>  obj-$(CONFIG_PSERIES) += spapr.o spapr_vio.o spapr_events.o
>  obj-$(CONFIG_PSERIES) += spapr_hcall.o spapr_iommu.o spapr_rtas.o
>  obj-$(CONFIG_PSERIES) += spapr_pci.o spapr_rtc.o spapr_drc.o spapr_rng.o
> +obj-$(CONFIG_PSERIES) += spapr_cpu_core.o
>  ifeq ($(CONFIG_PCI)$(CONFIG_PSERIES)$(CONFIG_LINUX), yyy)
>  obj-y += spapr_pci_vfio.o
>  endif
> diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
> new file mode 100644
> index 000..c44eb61
> --- /dev/null
> +++ b/hw/ppc/spapr_cpu_core.c
> @@ -0,0 +1,210 @@
> +/*
> + * sPAPR CPU core device, acts as container of CPU thread devices.
> + *
> + * Copyright (C) 2016 Bharata B Rao 
> + *
> + * This work is licensed under the terms of the GNU GPL, version 2 or later.
> + * See the COPYING file in the top-level directory.
> + */
> +#include "hw/cpu/core.h"
> +#include "hw/ppc/spapr_cpu_core.h"
> +#include "hw/ppc/spapr.h"
> +#include "hw/boards.h"
> +#include "qemu/error-report.h"
> +#include "qapi/visitor.h"
> +#include 
> +
> +static int spapr_cpu_core_realize_child(Object *child, void *opaque)
> +{
> +Error **errp = opaque;
> +
> +object_property_set_bool(child, true, "realized", errp);
> +if (*errp) {
> +return 1;
> +}
> +return 0;
> +}
> +
> +static void spapr_cpu_core_realize(DeviceState *dev, Error **errp)
> +{
> +sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
> +sPAPRMachineState *spapr = SPAPR_MACHINE(qdev_get_machine());
> +Error *local_err = NULL;
> +
> +if (!core->nr_threads) {
> +error_setg(errp, "nr_threads property can't be 0");
> +return;
> +}
> +
> +if (!core->cpu_model) {
> +error_setg(errp, "cpu_model property isn't set");
> +return;
> +}
> +
> +/*
> + * TODO: If slot isn't specified, plug this core into
> + * an existing empty slot.
> + */
> +if (!core->slot) {
> +error_setg(errp, "slot property isn't set");
> +return;
> +}
> +
> +object_property_set_link(OBJECT(spapr), OBJECT(core), core->slot,
> + _err);
> +if (local_err) {
> +error_propagate(errp, local_err);
> +return;
> +}
> +
> +object_child_foreach(OBJECT(dev), spapr_cpu_core_realize_child, errp);
> +}
> +
> +/*
> + * This creates the CPU threads for a given @core.
> + *
> + * In order to create the threads, we need two inputs - number of
> + * threads and the cpu_model. These are set as core object's properties.
> + * When both of them become available/set, this routine will be called from
> + * either property's set handler to create the threads.
> + *
> + * TODO: Dependence of threads creation on two properties is resulting
> + * in this not-so-clean way of creating threads from either of the
> + * property setters based on the order in which they get set. Check if
> + * this can be handled in a better manner.
> + */
> +static void spapr_cpu_core_create_threads(sPAPRCPUCore *core, Error **errp)
> +{
> +int i;
> +
> +for (i = 0; i < core->nr_threads; i++) {
> +char id[32];
> +char type[32];
> +
> +snprintf(type, sizeof(type), "%s-%s", core->cpu_model,
> + TYPE_POWERPC_CPU);
> +object_initialize(>threads[i], sizeof(core->threads[i]), type);
> +
> +snprintf(id, sizeof(id), "thread[%d]", i);
> +object_property_add_child(OBJECT(core), id, 
> OBJECT(>threads[i]),
> +  errp);
> +}
> +}
> +
> +static char *spapr_cpu_core_prop_get_slot(Object *obj, Error **errp)
> +{
> +sPAPRCPUCore *core = SPAPR_CPU_CORE(obj);
> +
> +return core->slot;
> +}
> +
> +static void spapr_cpu_core_prop_set_slot(Object *obj, const char *val,
> +  Error **errp)
> +{
> +sPAPRCPUCore *core = SPAPR_CPU_CORE(obj);
> +
> +core->slot = g_strdup(val);
> +}
> +
> +static char *spapr_cpu_core_prop_get_cpu_model(Object *obj, Error **errp)
> +{
> +sPAPRCPUCore *core = SPAPR_CPU_CORE(obj);
> +
> +return core->cpu_model;
> +}
> +
> +static void spapr_cpu_core_prop_set_cpu_model(Object *obj, const char *val,
> + 

Re: [Qemu-devel] [PATCH v3 0/2] virtio-balloon: improve balloon statistics

[Denis V. Lunev]

On 02/24/2016 06:39 PM, Michael S. Tsirkin wrote:

On Wed, Feb 24, 2016 at 06:33:38PM +0300, Denis V. Lunev wrote:

On 02/24/2016 05:34 PM, Michael S. Tsirkin wrote:

On Wed, Feb 24, 2016 at 10:50:46AM +0300, Denis V. Lunev wrote:

New counter from the Linux kernel +

It is in AKPM's linux-next kernel but I will revert it there if
the suggested interface extension is not submitted
to the Virtio ABI committee soon.



can you pls pinpoint the contact and procedure then.

https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=virtio


done with comment submission.

Can we proceed with this version if you do not like v2?

Den

Re: [Qemu-devel] [Qemu-arm] help on how to emulate rasbperry pi 2

[John Snow]

On 02/26/2016 12:23 PM, Andrew Baumann wrote:
>> From: John Snow [mailto:js...@redhat.com]
>> Sent: Friday, 26 February 2016 9:13 AM
>>
>> On 02/26/2016 04:30 AM, Mats Malmberg wrote:
>>> Hello, thank you for your quick response!
>>>
>>> It helped me to get a little bit further, but unfortunately the problem
>> persists.
>>> I now get some output from the kernel startup, but I think that it is unable
>> to find the provided sd-card image.
>>>
>>> Here's what I've tried (the most successful setup):
>>> 1. download and deflate jessie/jessie-lite image (I tried both distros)
>>> 2. mount the boot partition and copy the following files to host:
>> kernel7.img, kernel.img and bcm2709-rpi-2-b.dtb
>>> 3. mount the rootfs partition. Open the file /etc/ld.so.preload and
>> comment out the line /usr/lib/arm-linux-gnueabihf/libarmmem.so (which is
>> the only line present in the file.)
>>> 4. execute the command
>>> qemu-system-arm -M raspi2  -kernel kernel7.img -sd 2016-02-09-raspbian-
>> jessie.img -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200
>> dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" -dtb bcm2709-rpi-2-b.dtb -
>> serial stdio
>>>
>>> the resulting terminal printout :
>>>
>>> WARNING: Image format was not specified for '2016-02-09-raspbian-
>> jessie.img' and probing guessed raw.
>>>  Automatically detecting the format is dangerous for raw images, 
>>> write
>> operations on block 0 will be restricted.
>>>  Specify the 'raw' format explicitly to remove the restrictions.
>>> Warning: Orphaned drive without device: id=sd0,file=2016-02-09-raspbian-
>> jessie.img,if=sd,bus=0,unit=0
>>> VNC server running on '127.0.0.1;5900'
>>> Uncompressing Linux... done, booting the kernel.
>>> ...
>>> lots of kernel output
>>> ...
>>> [6.306894] sdhci-pltfm: SDHCI platform and OF driver helper
>>> [6.335521] ledtrig-cpu: registered to indicate activity on CPUs
>>> [6.338465] hidraw: raw HID events driver (C) Jiri Kosina
>>> [6.341004] usbcore: registered new interface driver usbhid
>>> [6.341768] usbhid: USB HID core driver
>>> [6.346873] Initializing XFRM netlink socket
>>> [6.348012] NET: Registered protocol family 17
>>> [6.350974] Key type dns_resolver registered
>>> [6.352810] Registering SWP/SWPB emulation handler
>>> [6.360245] registered taskstats version 1
>>> [6.374999] vc-sm: Videocore shared memory driver
>>> [6.397370] uart-pl011 3f201000.uart: no DMA platform data
>>> [6.428165] VFS: Cannot open root device "mmcblk0p2" or unknown-
>> block(0,0): error -6
>>> [6.429208] Please append a correct "root=" boot option; here are the
>> available partitions:
>>> [6.430848] 01004096 ram0  (driver?)
>>> [6.431718] 01014096 ram1  (driver?)
>>> [6.432348] 01024096 ram2  (driver?)
>>> [6.433101] 01034096 ram3  (driver?)
>>> [6.434627] 01044096 ram4  (driver?)
>>> [6.435317] 01054096 ram5  (driver?)
>>> [6.435995] 01064096 ram6  (driver?)
>>> [6.436749] 01074096 ram7  (driver?)
>>> [6.437507] 01084096 ram8  (driver?)
>>> [6.438159] 01094096 ram9  (driver?)
>>> [6.438853] 010a4096 ram10  (driver?)
>>> [6.439562] 010b4096 ram11  (driver?)
>>> [6.440193] 010c4096 ram12  (driver?)
>>> [6.440815] 010d4096 ram13  (driver?)
>>> [6.441439] 010e4096 ram14  (driver?)
>>> [6.442065] 010f4096 ram15  (driver?)
>>> [6.443003] Kernel panic - not syncing: VFS: Unable to mount root fs on
>> unknown-block(0,0)
>>> [6.444949] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.1.17-v7+ #838
>>> [6.445837] Hardware name: BCM2709
>>> [6.448200] [<800180c0>] (unwind_backtrace) from [<80013b88>]
>> (show_stack+0x20/0x24)
>>> [6.449477] [<80013b88>] (show_stack) from [<80555028>]
>> (dump_stack+0x80/0x98)
>>> [6.450490] [<80555028>] (dump_stack) from [<80551540>]
>> (panic+0xa4/0x204)
>>> [6.451641] [<80551540>] (panic) from [<80777384>]
>> (mount_block_root+0x1a8/0x260)
>>> [6.452802] [<80777384>] (mount_block_root) from [<80777614>]
>> (mount_root+0xec/0x110)
>>> [6.453878] [<80777614>] (mount_root) from [<80a0>]
>> (prepare_namespace+0x168/0x1c8)
>>> [6.454982] [<80a0>] (prepare_namespace) from [<80776f90>]
>> (kernel_init_freeable+0x270/0x2bc)
>>> [6.456243] [<80776f90>] (kernel_init_freeable) from [<80550968>]
>> (kernel_init+0x18/0xfc)
>>> [6.457378] [<80550968>] (kernel_init) from [<8000f858>]
>> (ret_from_fork+0x14/0x3c)
>>> [6.459706] ---[ end Kernel panic - not syncing: VFS: Unable to mount 
>>> root
>> fs on unknown-block(0,0)
>>>
>>> I know that in some of my previous attempts (before I contacted you
>> guys), I was able to get similar result. At that time an mmcblk device was
>> listed among the available partitions, but the kernel was unable to mount 

Re: [Qemu-devel] [PATCH 2/2] sdhci: Implement DeviceClass reset

[Andrew Baumann]

> From: Peter Maydell [mailto:peter.mayd...@linaro.org]
> Sent: Friday, 26 February 2016 5:24 AM
> 
> The sdhci device was missing a DeviceClass reset method;
> implement it. Poweron reset looks the same as reset commanded
> by the guest via the device registers, apart from modelling of
> the rpi 'pending insert interrupt on powerup' quirk.
> 
> Signed-off-by: Peter Maydell 
> ---
>  hw/sd/sdhci.c | 21 +
>  1 file changed, 17 insertions(+), 4 deletions(-)
> 
> diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> index e087c17..d28b587 100644
> --- a/hw/sd/sdhci.c
> +++ b/hw/sd/sdhci.c
> @@ -207,6 +207,21 @@ static void sdhci_reset(SDHCIState *s)
>  s->pending_insert_state = false;
>  }
> 
> +static void sdhci_poweron_reset(DeviceState *dev)
> +{
> +/* QOM (ie power-on) reset. This is identical to reset
> + * commanded via device register apart from handling of the
> + * 'pending insert on powerup' quirk.
> + */
> +SDHCIState *s = (SDHCIState *)dev;
> +
> +sdhci_reset(s);
> +
> +if (s->pending_insert_quirk) {
> +s->pending_insert_state = true;
> +}
> +}
> +
>  static void sdhci_data_transfer(void *opaque);
> 
>  static void sdhci_send_command(SDHCIState *s)
> @@ -1290,6 +1305,7 @@ static void sdhci_pci_class_init(ObjectClass *klass,
> void *data)
>  set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
>  dc->vmsd = _vmstate;
>  dc->props = sdhci_pci_properties;
> +dc->reset = sdhci_poweron_reset;
>  }
> 
>  static const TypeInfo sdhci_pci_info = {
> @@ -1332,10 +1348,6 @@ static void sdhci_sysbus_realize(DeviceState *dev,
> Error ** errp)
>  memory_region_init_io(>iomem, OBJECT(s), _mmio_ops, s,
> "sdhci",
>  SDHC_REGISTERS_MAP_SIZE);
>  sysbus_init_mmio(sbd, >iomem);
> -
> -if (s->pending_insert_quirk) {
> -s->pending_insert_state = true;
> -}
>  }
> 
>  static void sdhci_sysbus_class_init(ObjectClass *klass, void *data)
> @@ -1345,6 +1357,7 @@ static void sdhci_sysbus_class_init(ObjectClass
> *klass, void *data)
>  dc->vmsd = _vmstate;
>  dc->props = sdhci_sysbus_properties;
>  dc->realize = sdhci_sysbus_realize;
> +dc->reset = sdhci_poweron_reset;
>  }
> 
>  static const TypeInfo sdhci_sysbus_info = {

Not tested, but the handling of the Pi quirk looks good to me, and it's trivial.

Reviewed-by: Andrew Baumann 

BTW, now that you've done this, we could unify sdhci_pci_properties and 
sdhci_sysbus_properties. Let me know if you'd like a patch for that.

Cheers,
Andrew

Re: [Qemu-devel] [PATCH v4 03/16] register: Add Memory API glue

[Alex Bennée]

Alistair Francis  writes:

> From: Peter Crosthwaite 
>
> Add memory io handlers that glue the register API to the memory API.
> Just translation functions at this stage. Although it does allow for
> devices to be created without all-in-one mmio r/w handlers.
>
> Signed-off-by: Peter Crosthwaite 
> Signed-off-by: Alistair Francis 
> ---
>
>  hw/core/register.c| 48 
>  include/hw/register.h | 31 +++
>  2 files changed, 79 insertions(+)
>
> diff --git a/hw/core/register.c b/hw/core/register.c
> index 7e47df5..9cd50c8 100644
> --- a/hw/core/register.c
> +++ b/hw/core/register.c
> @@ -150,3 +150,51 @@ void register_reset(RegisterInfo *reg)
>
>  register_write_val(reg, reg->access->reset);
>  }
> +
> +static inline void register_write_memory(void *opaque, hwaddr addr,
> + uint64_t value, unsigned size, bool 
> be)
> +{
> +RegisterInfo *reg = opaque;
> +uint64_t we = ~0;
> +int shift = 0;
> +
> +if (reg->data_size != size) {
> +we = (size == 8) ? ~0ull : (1ull << size * 8) - 1;
> +shift = 8 * (be ? reg->data_size - size - addr : addr);
> +}

What happens if the user writes too large a value at once to the
register? I haven't attempted to decode the shift magic going on here
but perhaps the handling would be clearer if there was a:

if (size > reg->data_size) {
   ..deal with it..
} else if (size < data_size ) {
  ..do other magic..
}

> +
> +assert(size + addr <= reg->data_size);

Why are we asserting expected input conditions after we've done stuff?

> +register_write(reg, value << shift, we << shift);
> +}
> +
> +void register_write_memory_be(void *opaque, hwaddr addr, uint64_t value,
> +  unsigned size)
> +{
> +register_write_memory(opaque, addr, value, size, true);
> +}
> +
> +
> +void register_write_memory_le(void *opaque, hwaddr addr, uint64_t value,
> +  unsigned size)
> +{
> +register_write_memory(opaque, addr, value, size, false);
> +}
> +
> +static inline uint64_t register_read_memory(void *opaque, hwaddr addr,
> +unsigned size, bool be)
> +{
> +RegisterInfo *reg = opaque;
> +int shift = 8 * (be ? reg->data_size - size - addr : addr);
> +

Well we never have to deal with an over/undersized read? I suspect the
magic above might not correctly represent some hardware when presented
with such a thing on the bus.

> +return register_read(reg) >> shift;
> +}
> +
> +uint64_t register_read_memory_be(void *opaque, hwaddr addr, unsigned size)
> +{
> +return register_read_memory(opaque, addr, size, true);
> +}
> +
> +uint64_t register_read_memory_le(void *opaque, hwaddr addr, unsigned size)
> +{
> +return register_read_memory(opaque, addr, size, false);
> +}
> diff --git a/include/hw/register.h b/include/hw/register.h
> index 444239c..9aa9cfc 100644
> --- a/include/hw/register.h
> +++ b/include/hw/register.h
> @@ -69,9 +69,14 @@ struct RegisterAccessInfo {
>   * @prefix: String prefix for log and debug messages
>   *
>   * @opaque: Opaque data for the register
> + *
> + * @mem: optional Memory region for the register
>   */
>
>  struct RegisterInfo {
> +/*  */
> +MemoryRegion mem;
> +

This seems unconnected with adding the helpers. Should it come with the
original definition or when it actually gets used?

>  /*  */
>  void *data;
>  int data_size;
> @@ -108,4 +113,30 @@ uint64_t register_read(RegisterInfo *reg);
>
>  void register_reset(RegisterInfo *reg);
>
> +/**
> + * Memory API MMIO write handler that will write to a Register API register.
> + *  _be for big endian variant and _le for little endian.
> + * @opaque: RegisterInfo to write to
> + * @addr: Address to write
> + * @value: Value to write
> + * @size: Number of bytes to write
> + */
> +
> +void register_write_memory_be(void *opaque, hwaddr addr, uint64_t value,
> +  unsigned size);
> +void register_write_memory_le(void *opaque, hwaddr addr, uint64_t value,
> +  unsigned size);
> +
> +/**
> + * Memory API MMIO read handler that will read from a Register API register.
> + *  _be for big endian variant and _le for little endian.
> + * @opaque: RegisterInfo to read from
> + * @addr: Address to read
> + * @size: Number of bytes to read
> + * returns: Value read from register
> + */
> +
> +uint64_t register_read_memory_be(void *opaque, hwaddr addr, unsigned size);
> +uint64_t register_read_memory_le(void *opaque, hwaddr addr, unsigned size);
> +
>  #endif


--
Alex Bennée

Re: [Qemu-devel] [Qemu-arm] help on how to emulate rasbperry pi 2

[Andrew Baumann]

> From: John Snow [mailto:js...@redhat.com]
> Sent: Friday, 26 February 2016 9:13 AM
> 
> On 02/26/2016 04:30 AM, Mats Malmberg wrote:
> > Hello, thank you for your quick response!
> >
> > It helped me to get a little bit further, but unfortunately the problem
> persists.
> > I now get some output from the kernel startup, but I think that it is unable
> to find the provided sd-card image.
> >
> > Here's what I've tried (the most successful setup):
> > 1. download and deflate jessie/jessie-lite image (I tried both distros)
> > 2. mount the boot partition and copy the following files to host:
> kernel7.img, kernel.img and bcm2709-rpi-2-b.dtb
> > 3. mount the rootfs partition. Open the file /etc/ld.so.preload and
> comment out the line /usr/lib/arm-linux-gnueabihf/libarmmem.so (which is
> the only line present in the file.)
> > 4. execute the command
> > qemu-system-arm -M raspi2  -kernel kernel7.img -sd 2016-02-09-raspbian-
> jessie.img -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200
> dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" -dtb bcm2709-rpi-2-b.dtb -
> serial stdio
> >
> > the resulting terminal printout :
> >
> > WARNING: Image format was not specified for '2016-02-09-raspbian-
> jessie.img' and probing guessed raw.
> >  Automatically detecting the format is dangerous for raw images, 
> > write
> operations on block 0 will be restricted.
> >  Specify the 'raw' format explicitly to remove the restrictions.
> > Warning: Orphaned drive without device: id=sd0,file=2016-02-09-raspbian-
> jessie.img,if=sd,bus=0,unit=0
> > VNC server running on '127.0.0.1;5900'
> > Uncompressing Linux... done, booting the kernel.
> > ...
> > lots of kernel output
> > ...
> > [6.306894] sdhci-pltfm: SDHCI platform and OF driver helper
> > [6.335521] ledtrig-cpu: registered to indicate activity on CPUs
> > [6.338465] hidraw: raw HID events driver (C) Jiri Kosina
> > [6.341004] usbcore: registered new interface driver usbhid
> > [6.341768] usbhid: USB HID core driver
> > [6.346873] Initializing XFRM netlink socket
> > [6.348012] NET: Registered protocol family 17
> > [6.350974] Key type dns_resolver registered
> > [6.352810] Registering SWP/SWPB emulation handler
> > [6.360245] registered taskstats version 1
> > [6.374999] vc-sm: Videocore shared memory driver
> > [6.397370] uart-pl011 3f201000.uart: no DMA platform data
> > [6.428165] VFS: Cannot open root device "mmcblk0p2" or unknown-
> block(0,0): error -6
> > [6.429208] Please append a correct "root=" boot option; here are the
> available partitions:
> > [6.430848] 01004096 ram0  (driver?)
> > [6.431718] 01014096 ram1  (driver?)
> > [6.432348] 01024096 ram2  (driver?)
> > [6.433101] 01034096 ram3  (driver?)
> > [6.434627] 01044096 ram4  (driver?)
> > [6.435317] 01054096 ram5  (driver?)
> > [6.435995] 01064096 ram6  (driver?)
> > [6.436749] 01074096 ram7  (driver?)
> > [6.437507] 01084096 ram8  (driver?)
> > [6.438159] 01094096 ram9  (driver?)
> > [6.438853] 010a4096 ram10  (driver?)
> > [6.439562] 010b4096 ram11  (driver?)
> > [6.440193] 010c4096 ram12  (driver?)
> > [6.440815] 010d4096 ram13  (driver?)
> > [6.441439] 010e4096 ram14  (driver?)
> > [6.442065] 010f4096 ram15  (driver?)
> > [6.443003] Kernel panic - not syncing: VFS: Unable to mount root fs on
> unknown-block(0,0)
> > [6.444949] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.1.17-v7+ #838
> > [6.445837] Hardware name: BCM2709
> > [6.448200] [<800180c0>] (unwind_backtrace) from [<80013b88>]
> (show_stack+0x20/0x24)
> > [6.449477] [<80013b88>] (show_stack) from [<80555028>]
> (dump_stack+0x80/0x98)
> > [6.450490] [<80555028>] (dump_stack) from [<80551540>]
> (panic+0xa4/0x204)
> > [6.451641] [<80551540>] (panic) from [<80777384>]
> (mount_block_root+0x1a8/0x260)
> > [6.452802] [<80777384>] (mount_block_root) from [<80777614>]
> (mount_root+0xec/0x110)
> > [6.453878] [<80777614>] (mount_root) from [<80a0>]
> (prepare_namespace+0x168/0x1c8)
> > [6.454982] [<80a0>] (prepare_namespace) from [<80776f90>]
> (kernel_init_freeable+0x270/0x2bc)
> > [6.456243] [<80776f90>] (kernel_init_freeable) from [<80550968>]
> (kernel_init+0x18/0xfc)
> > [6.457378] [<80550968>] (kernel_init) from [<8000f858>]
> (ret_from_fork+0x14/0x3c)
> > [6.459706] ---[ end Kernel panic - not syncing: VFS: Unable to mount 
> > root
> fs on unknown-block(0,0)
> >
> > I know that in some of my previous attempts (before I contacted you
> guys), I was able to get similar result. At that time an mmcblk device was
> listed among the available partitions, but the kernel was unable to mount it.
> >
> > I'm having problem to identify the cause (since as I mentioned 

Re: [Qemu-devel] [Qemu-arm] help on how to emulate rasbperry pi 2

[John Snow]

On 02/26/2016 04:30 AM, Mats Malmberg wrote:
> Hello, thank you for your quick response!
> 
> It helped me to get a little bit further, but unfortunately the problem 
> persists. 
> I now get some output from the kernel startup, but I think that it is unable 
> to find the provided sd-card image.
> 
> Here's what I've tried (the most successful setup):
> 1. download and deflate jessie/jessie-lite image (I tried both distros)
> 2. mount the boot partition and copy the following files to host: 
> kernel7.img, kernel.img and bcm2709-rpi-2-b.dtb
> 3. mount the rootfs partition. Open the file /etc/ld.so.preload and comment 
> out the line /usr/lib/arm-linux-gnueabihf/libarmmem.so (which is the only 
> line present in the file.)
> 4. execute the command 
> qemu-system-arm -M raspi2  -kernel kernel7.img -sd 
> 2016-02-09-raspbian-jessie.img -append "rw earlyprintk loglevel=8 
> console=ttyAMA0,115200 dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" -dtb 
> bcm2709-rpi-2-b.dtb -serial stdio
> 
> the resulting terminal printout : 
> 
> WARNING: Image format was not specified for '2016-02-09-raspbian-jessie.img' 
> and probing guessed raw.
>  Automatically detecting the format is dangerous for raw images, 
> write operations on block 0 will be restricted.
>  Specify the 'raw' format explicitly to remove the restrictions.
> Warning: Orphaned drive without device: 
> id=sd0,file=2016-02-09-raspbian-jessie.img,if=sd,bus=0,unit=0
> VNC server running on '127.0.0.1;5900'
> Uncompressing Linux... done, booting the kernel.
> ...
> lots of kernel output
> ...
> [6.306894] sdhci-pltfm: SDHCI platform and OF driver helper
> [6.335521] ledtrig-cpu: registered to indicate activity on CPUs
> [6.338465] hidraw: raw HID events driver (C) Jiri Kosina
> [6.341004] usbcore: registered new interface driver usbhid
> [6.341768] usbhid: USB HID core driver
> [6.346873] Initializing XFRM netlink socket
> [6.348012] NET: Registered protocol family 17
> [6.350974] Key type dns_resolver registered
> [6.352810] Registering SWP/SWPB emulation handler
> [6.360245] registered taskstats version 1
> [6.374999] vc-sm: Videocore shared memory driver
> [6.397370] uart-pl011 3f201000.uart: no DMA platform data
> [6.428165] VFS: Cannot open root device "mmcblk0p2" or 
> unknown-block(0,0): error -6
> [6.429208] Please append a correct "root=" boot option; here are the 
> available partitions:
> [6.430848] 01004096 ram0  (driver?)
> [6.431718] 01014096 ram1  (driver?)
> [6.432348] 01024096 ram2  (driver?)
> [6.433101] 01034096 ram3  (driver?)
> [6.434627] 01044096 ram4  (driver?)
> [6.435317] 01054096 ram5  (driver?)
> [6.435995] 01064096 ram6  (driver?)
> [6.436749] 01074096 ram7  (driver?)
> [6.437507] 01084096 ram8  (driver?)
> [6.438159] 01094096 ram9  (driver?)
> [6.438853] 010a4096 ram10  (driver?)
> [6.439562] 010b4096 ram11  (driver?)
> [6.440193] 010c4096 ram12  (driver?)
> [6.440815] 010d4096 ram13  (driver?)
> [6.441439] 010e4096 ram14  (driver?)
> [6.442065] 010f4096 ram15  (driver?)
> [6.443003] Kernel panic - not syncing: VFS: Unable to mount root fs on 
> unknown-block(0,0)
> [6.444949] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.1.17-v7+ #838
> [6.445837] Hardware name: BCM2709
> [6.448200] [<800180c0>] (unwind_backtrace) from [<80013b88>] 
> (show_stack+0x20/0x24)
> [6.449477] [<80013b88>] (show_stack) from [<80555028>] 
> (dump_stack+0x80/0x98)
> [6.450490] [<80555028>] (dump_stack) from [<80551540>] (panic+0xa4/0x204)
> [6.451641] [<80551540>] (panic) from [<80777384>] 
> (mount_block_root+0x1a8/0x260)
> [6.452802] [<80777384>] (mount_block_root) from [<80777614>] 
> (mount_root+0xec/0x110)
> [6.453878] [<80777614>] (mount_root) from [<80a0>] 
> (prepare_namespace+0x168/0x1c8)
> [6.454982] [<80a0>] (prepare_namespace) from [<80776f90>] 
> (kernel_init_freeable+0x270/0x2bc)
> [6.456243] [<80776f90>] (kernel_init_freeable) from [<80550968>] 
> (kernel_init+0x18/0xfc)
> [6.457378] [<80550968>] (kernel_init) from [<8000f858>] 
> (ret_from_fork+0x14/0x3c)
> [6.459706] ---[ end Kernel panic - not syncing: VFS: Unable to mount root 
> fs on unknown-block(0,0)
> 
> I know that in some of my previous attempts (before I contacted you guys), I 
> was able to get similar result. At that time an mmcblk device was listed 
> among the available partitions, but the kernel was unable to mount it.
> 
> I'm having problem to identify the cause (since as I mentioned earlier this 
> is not really my domain).
> I've also tried (without any positive results)
> - mark the boot partition as bootable with fdisk (does not seem to make any 
> difference)
> - use kernel.img instead of 

Re: [Qemu-devel] [PATCH v4 02/16] register: Add Register API

[Alex Bennée]

Alistair Francis  writes:

> This API provides some encapsulation of registers and factors our some
> common functionality to common code. Bits of device state (usually MMIO
> registers), often have all sorts of access restrictions and semantics
> associated with them. This API allow you to define what those
> restrictions are on a bit-by-bit basis.
>
> Helper functions are then used to access the register which observe the
> semantics defined by the RegisterAccessInfo struct.
>
> Some features:
> Bits can be marked as read_only (ro field)
> Bits can be marked as write-1-clear (w1c field)
> Bits can be marked as reserved (rsvd field)
> Reset values can be defined (reset)
> Bits can throw guest errors when written certain values (ge0, ge1)
> Bits can throw unimp errors when written certain values (ui0, ui1)
> Bits can be marked clear on read (cor)
> Pre and post action callbacks can be added to read and write ops
> Verbose debugging info can be enabled/disabled
>
> Useful for defining device register spaces in a data driven way. Cuts
> down on a lot of the verbosity and repetition in the switch-case blocks
> in the standard foo_mmio_read/write functions.
>
> Also useful for automated generation of device models from hardware
> design sources.
>
> Signed-off-by: Peter Crosthwaite 
> Signed-off-by: Alistair Francis 
> ---
> V4:
>  - Rebase
>  - Remove the guest error masking
>  - Simplify the unimplemented masking
>  - Use the reserved value in the write calculations
>  - Remove read_lite and write_lite
>  - General fixes to asserts and log printing
> V3:
>  - Address some comments from Fred
>
>  hw/core/Makefile.objs |   1 +
>  hw/core/register.c| 152 
> ++
>  include/hw/register.h | 111 
>  3 files changed, 264 insertions(+)
>  create mode 100644 hw/core/register.c
>  create mode 100644 include/hw/register.h
>
> diff --git a/hw/core/Makefile.objs b/hw/core/Makefile.objs
> index abb3560..bf95db5 100644
> --- a/hw/core/Makefile.objs
> +++ b/hw/core/Makefile.objs
> @@ -14,4 +14,5 @@ common-obj-$(CONFIG_SOFTMMU) += machine.o
>  common-obj-$(CONFIG_SOFTMMU) += null-machine.o
>  common-obj-$(CONFIG_SOFTMMU) += loader.o
>  common-obj-$(CONFIG_SOFTMMU) += qdev-properties-system.o
> +common-obj-$(CONFIG_SOFTMMU) += register.o
>  common-obj-$(CONFIG_PLATFORM_BUS) += platform-bus.o
> diff --git a/hw/core/register.c b/hw/core/register.c
> new file mode 100644
> index 000..7e47df5
> --- /dev/null
> +++ b/hw/core/register.c
> @@ -0,0 +1,152 @@
> +/*
> + * Register Definition API
> + *
> + * Copyright (c) 2013 Xilinx Inc.
> + * Copyright (c) 2013 Peter Crosthwaite 
> + *
> + * This work is licensed under the terms of the GNU GPL, version 2.  See
> + * the COPYING file in the top-level directory.
> + */
> +
> +#include "hw/register.h"
> +#include "hw/qdev.h"
> +#include "qemu/log.h"
> +
> +static inline void register_write_log(int mask, RegisterInfo *reg, int dir,
> +  uint64_t val, const char *msg,
> +  const char *reason)
> +{
> +qemu_log_mask(mask, "%s:%s bits %#" PRIx64 " %s write of %d%s%s\n",
> +  reg->prefix, reg->access->name, val, msg, dir,
> +  reason ? ": " : "", reason ? reason : "");
> +}

This seems unused, I guess the compiler ignores unused inlines through :-/

> +
> +static inline void register_write_val(RegisterInfo *reg, uint64_t val)
> +{
> +g_assert(reg->data);
> +
> +switch (reg->data_size) {
> +case 1:
> +*(uint8_t *)reg->data = val;
> +break;
> +case 2:
> +*(uint16_t *)reg->data = val;
> +break;
> +case 4:
> +*(uint32_t *)reg->data = val;
> +break;
> +case 8:
> +*(uint64_t *)reg->data = val;
> +break;
> +default:
> +g_assert_not_reached();
> +}
> +}
> +
> +static inline uint64_t register_read_val(RegisterInfo *reg)
> +{
> +switch (reg->data_size) {
> +case 1:
> +return *(uint8_t *)reg->data;
> +case 2:
> +return *(uint16_t *)reg->data;
> +case 4:
> +return *(uint32_t *)reg->data;
> +case 8:
> +return *(uint64_t *)reg->data;
> +default:
> +g_assert_not_reached();
> +}
> +return 0; /* unreachable */
> +}
> +
> +void register_write(RegisterInfo *reg, uint64_t val, uint64_t we)
> +{
> +uint64_t old_val, new_val, test, no_w_mask;
> +const RegisterAccessInfo *ac;
> +
> +assert(reg);
> +
> +ac = reg->access;
> +
> +if (!ac || !ac->name) {
> +qemu_log_mask(LOG_GUEST_ERROR, "%s: write to undefined device state "
> +  "(written value: %#" PRIx64 ")\n", reg->prefix, val);
> +return;
> +}
> +
> +old_val = reg->data ? register_read_val(reg) : ac->reset;
> +
> +   

Re: [Qemu-devel] [PATCH v4 01/16] memory: Allow subregions to not be printed by info mtree

[Peter Maydell]

On 26 February 2016 at 16:51, Alex Bennée  wrote:
> I think this needlessly complicates the memory region code and I'm not
> sure what is too be gained for the register code. The only usage of the
> code is inside a loop in register_init_block32. In each case the region
> has the same set of ops. Why isn't a single region being created with an
> indirect handler which can dispatch to the individual register handling
> code?
>
> While its true some drivers create individual IO regions by an large
> most are creating a block with a common handler.

Yeah, I have to say I'm not really convinced about having one MR
per register -- the MR code was never intended to be used that way,
and it seems like a good way to find nasty performance or memory
usage surprises.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v4 01/16] memory: Allow subregions to not be printed by info mtree

[Alex Bennée]

Alistair Francis  writes:

> Add a function called memory_region_add_subregion_no_print() that
> creates memory subregions that won't be printed when running
> the 'info mtree' command.
>
> Signed-off-by: Alistair Francis 
> Reviewed-by: KONRAD Frederic 
> ---
>
>  include/exec/memory.h | 17 +
>  memory.c  | 10 +-
>  2 files changed, 26 insertions(+), 1 deletion(-)
>
> diff --git a/include/exec/memory.h b/include/exec/memory.h
> index c92734a..25353df 100644
> --- a/include/exec/memory.h
> +++ b/include/exec/memory.h
> @@ -186,6 +186,7 @@ struct MemoryRegion {
>  bool skip_dump;
>  bool enabled;
>  bool warning_printed; /* For reservations */
> +bool do_not_print;
>  uint8_t vga_logging_count;
>  MemoryRegion *alias;
>  hwaddr alias_offset;
> @@ -954,6 +955,22 @@ void memory_region_del_eventfd(MemoryRegion *mr,
>  void memory_region_add_subregion(MemoryRegion *mr,
>   hwaddr offset,
>   MemoryRegion *subregion);
> +
> +/**
> + * memory_region_add_subregion_no_print: Add a subregion to a container.
> + *
> + * The same functionality as memory_region_add_subregion except that any
> + * memory regions added by this function are not printed by 'info mtree'.
> + *
> + * @mr: the region to contain the new subregion; must be a container
> + *  initialized with memory_region_init().
> + * @offset: the offset relative to @mr where @subregion is added.
> + * @subregion: the subregion to be added.
> + */
> +void memory_region_add_subregion_no_print(MemoryRegion *mr,
> +  hwaddr offset,
> +  MemoryRegion *subregion);
> +

I think this needlessly complicates the memory region code and I'm not
sure what is too be gained for the register code. The only usage of the
code is inside a loop in register_init_block32. In each case the region
has the same set of ops. Why isn't a single region being created with an
indirect handler which can dispatch to the individual register handling
code?

While its true some drivers create individual IO regions by an large
most are creating a block with a common handler.

>  /**
>   * memory_region_add_subregion_overlap: Add a subregion to a container
>   *  with overlap.
> diff --git a/memory.c b/memory.c
> index 09041ed..228a8a7 100644
> --- a/memory.c
> +++ b/memory.c
> @@ -1829,6 +1829,14 @@ void memory_region_add_subregion(MemoryRegion *mr,
>  memory_region_add_subregion_common(mr, offset, subregion);
>  }
>
> +void memory_region_add_subregion_no_print(MemoryRegion *mr,
> +  hwaddr offset,
> +  MemoryRegion *subregion)
> +{
> +memory_region_add_subregion(mr, offset, subregion);
> +subregion->do_not_print = true;
> +}
> +
>  void memory_region_add_subregion_overlap(MemoryRegion *mr,
>   hwaddr offset,
>   MemoryRegion *subregion,
> @@ -2219,7 +2227,7 @@ static void mtree_print_mr(fprintf_function mon_printf, 
> void *f,
>  const MemoryRegion *submr;
>  unsigned int i;
>
> -if (!mr) {
> +if (!mr || mr->do_not_print) {
>  return;
>  }


--
Alex Bennée

Re: [Qemu-devel] [PATCH 1/2] hw/mips: add initial Cluster Power Controller support

[Peter Maydell]

On 26 February 2016 at 16:19, Leon Alrae  wrote:
> Cluster Power Controller (CPC) is responsible for power management in
> multiprocessing system. It provides registers to control the power and the
> clock frequency of the individual elements in the system.
>
> This patch implements only three registers that are used to control the
> power state of each VP on a single core:
> * VP Run is a write-only register used to set each VP to the run state
> * VP Stop is a write-only register used to set each VP to the suspend state
> * VP Running is a read-only register indicating the run state of each VP
>
> Signed-off-by: Leon Alrae 
> ---
>  default-configs/mips-softmmu.mak |   1 +
>  default-configs/mips64-softmmu.mak   |   1 +
>  default-configs/mips64el-softmmu.mak |   1 +
>  default-configs/mipsel-softmmu.mak   |   1 +

A separate thing, but maybe it would be worth having a mips-softmmu-common.mak
that all the mips*-softmmu.mak include to avoid having to repeat CONFIG defines
in four places like this.

> +static void mips_cpc_init(Object *obj)
> +{
> +SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
> +MIPSCPCState *s = MIPS_CPC(obj);
> +
> +memory_region_init_io(>mr, OBJECT(s), _ops, s, "mips-cpc",
> +  CPC_ADDRSPACE_SZ);
> +sysbus_init_mmio(sbd, >mr);
> +}
> +
> +static const TypeInfo mips_cpc_info = {
> +.name  = TYPE_MIPS_CPC,
> +.parent= TYPE_SYS_BUS_DEVICE,
> +.instance_size = sizeof(MIPSCPCState),
> +.instance_init = mips_cpc_init,
> +};

I suspect you need a reset method.

> +
> +static void mips_cpc_register_types(void)
> +{
> +type_register_static(_cpc_info);
> +}
> +
> +type_init(mips_cpc_register_types)

> +typedef struct MIPSCPCState {
> +SysBusDevice parent_obj;
> +
> +MemoryRegion mr;
> +uint64_t vp_running; /* Indicates which VP's are in the run state */

This is state, so you need a VMState structure to migrate it correctly.

> +} MIPSCPCState;
> +
> +#endif /* MIPS_CPC_H */
> --
> 2.1.0

thanks
-- PMM

Re: [Qemu-devel] [PULL 00/20] target-arm queue

[Peter Maydell]

On 26 February 2016 at 15:20, Peter Maydell <peter.mayd...@linaro.org> wrote:
> The following changes since commit 4d1e324b2241017c92d816ec3af51a14685dbf62:
>
>   Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160226' into 
> staging (2016-02-26 12:54:22 +)
>
> are available in the git repository at:
>
>
>   git://git.linaro.org/people/pmaydell/qemu-arm.git 
> tags/pull-target-arm-20160226
>
> for you to fetch changes up to e20d84c1407d43d5a2e2ac95dbb46db3b0af8f9f:
>
>   target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF 
> (2016-02-26 15:09:42 +)
>
> 
> target-arm queue:
>  * Clean up handling of bad mode switches writing to CPSR, and implement
>the ARMv8 requirement that they set PSTATE.IL
>  * Implement MDCR_EL3.TPM and MDCR_EL2.TPM traps on perf monitor
>register accesses
>  * Don't implement stellaris-pl061-only registers on generic-pl061
>  * Fix SD card handling for raspi
>  * Add missing include files to MAINTAINERS
>  * Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW
>  * Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF

Applied, thanks.

-- PMM

Re: [Qemu-devel] [PATCH COLO-Frame v15 00/38] COarse-grain LOck-stepping(COLO) Virtual Machines for Non-stop Service (FT)

[Dr. David Alan Gilbert]

* Dr. David Alan Gilbert (dgilb...@redhat.com) wrote:
> * zhanghailiang (zhang.zhanghaili...@huawei.com) wrote:
> > From: root 
> > 
> > This is the 15th version of COLO (Still only support periodic checkpoint).
> > 
> > Here is only COLO frame part, you can get the whole codes from github:
> > https://github.com/coloft/qemu/commits/colo-v2.6-periodic-mode
> > 
> > There are little changes for this series except the network releated part.
> 
> I was looking at the time the guest is paused during COLO and
> was surprised to find one of the larger chunks was the time to reset
> the guest before loading each checkpoint;  I've traced it part way, the
> biggest contributors for my test VM seem to be:
> 
>   3.8ms  pcibus_reset: VGA
>   1.8ms  pcibus_reset: virtio-net-pci
>   1.5ms  pcibus_reset: virtio-blk-pci
>   1.5ms  qemu_devices_reset: piix4_reset
>   1.1ms  pcibus_reset: piix3-ide
>   1.1ms  pcibus_reset: virtio-rng-pci
> 
> I've not looked deeper yet, but some of these are very silly;
> I'm running with -nographic so why it's taking 3.8ms to reset VGA is 
> going to be interesting.
> Also, my only block device is the virtio-blk, so while I understand the
> standard PC machine has the IDE controller, why it takes it over a ms
> to reset an unused device.

OK, so I've dug a bit deeper, and it appears that it's the changes in
PCI bars that actually take the time;  every time we do a reset we
reset all the BARs, this causes it to do a pci_update_mappings and
end up doing a memory_region_del_subregion.
Then we load the config space of the PCI device as we do the vmstate_load,
and this recreates all the mappings again.

I'm not sure what the fix is, but that sounds like it would
speed up the checkpoints usefully if we can avoid the map/remap when
they're the same.

Dave

> 
> I guess reset is normally off anyones radar since it's outside
> the time anyone cares about, but I guess perhaps the guys trying
> to make qemu start really quickly would be interested.
> 
> Dave
> 
> > 
> > Patch status:
> > Unreviewed: patch 21,27,28,29,33,38
> > Updated: patch 31,34,35,37
> > 
> > TODO:
> > 1. Checkpoint based on proxy in qemu
> > 2. The capability of continuous FT
> > 3. Optimize the VM's downtime during checkpoint
> > 
> > v15:
> >  - Go on the shutdown process if encounter error while sending shutdown
> >message to SVM. (patch 24)
> >  - Rename qemu_need_skip_netfilter to qemu_netfilter_can_skip and Remove
> >some useless comment. (patch 31, Jason)
> >  - Call object_new_with_props() directly to add filter in
> >colo_add_buffer_filter. (patch 34, Jason)
> >  - Re-implement colo_set_filter_status() based on COLOBufferFilters
> >list. (patch 35)
> >  - Re-implement colo_flush_filter_packets() based on COLOBufferFilters
> >list. (patch 37) 
> > v14:
> >  - Re-implement the network processing based on netfilter (Jason Wang)
> >  - Rename 'COLOCommand' to 'COLOMessage'. (Markus's suggestion)
> >  - Split two new patches (patch 27/28) from patch 29
> >  - Fix some other comments from Dave and Markus.
> > 
> > v13:
> >  - Refactor colo_*_cmd helper functions to use 'Error **errp' parameter
> >   instead of return value to indicate success or failure. (patch 10)
> >  - Remove the optional error message for COLO_EXIT event. (patch 25)
> >  - Use semaphore to notify colo/colo incoming loop that failover work is
> >finished. (patch 26)
> >  - Move COLO shutdown related codes to colo.c file. (patch 28)
> >  - Fix memory leak bug for colo incoming loop. (new patch 31)
> >  - Re-use some existed helper functions to realize the process of
> >saving/loading ram and device. (patch 32)
> >  - Fix some other comments from Dave and Markus.
> > 
> > zhanghailiang (38):
> >   configure: Add parameter for configure to enable/disable COLO support
> >   migration: Introduce capability 'x-colo' to migration
> >   COLO: migrate colo related info to secondary node
> >   migration: Integrate COLO checkpoint process into migration
> >   migration: Integrate COLO checkpoint process into loadvm
> >   COLO/migration: Create a new communication path from destination to
> > source
> >   COLO: Implement colo checkpoint protocol
> >   COLO: Add a new RunState RUN_STATE_COLO
> >   QEMUSizedBuffer: Introduce two help functions for qsb
> >   COLO: Save PVM state to secondary side when do checkpoint
> >   COLO: Load PVM's dirty pages into SVM's RAM cache temporarily
> >   ram/COLO: Record the dirty pages that SVM received
> >   COLO: Load VMState into qsb before restore it
> >   COLO: Flush PVM's cached RAM into SVM's memory
> >   COLO: Add checkpoint-delay parameter for migrate-set-parameters
> >   COLO: synchronize PVM's state to SVM periodically
> >   COLO failover: Introduce a new command to trigger a failover
> >   COLO failover: Introduce state to record failover process
> >   COLO: Implement failover work for Primary VM
> >   COLO: Implement failover work for Secondary VM
> >   qmp event: 

Re: [Qemu-devel] [RFC PATCH v0 5/6] qmp, spapr: Show hot-plugged/pluggable CPU slots in the Machine

[Thomas Huth]

On 25.02.2016 17:22, Bharata B Rao wrote:
> Implement query cpu-slots that provides information about hot-plugged
> as well as hot-pluggable CPU slots that the machine supports.
> 
> TODO: As Eric suggested use enum for type instead of str.
> TODO: @hotplug-granularity probably isn't required.
> 
> Signed-off-by: Bharata B Rao 
> ---
>  hw/core/machine.c   |  19 +
>  hw/ppc/spapr.c  | 112 
> 
>  include/hw/boards.h |   4 ++
>  qapi-schema.json|  85 +++
>  qmp-commands.hx |  47 ++
>  5 files changed, 267 insertions(+)
> 
> diff --git a/hw/core/machine.c b/hw/core/machine.c
> index 6d1a0d8..3055ef8 100644
> --- a/hw/core/machine.c
> +++ b/hw/core/machine.c
> @@ -17,6 +17,25 @@
>  #include "hw/sysbus.h"
>  #include "sysemu/sysemu.h"
>  #include "qemu/error-report.h"
> +#include "qmp-commands.h"
> +
> +/*
> + * QMP: query-cpu-slots
> + *
> + * TODO: Ascertain if this is the right place to for this arch-neutral 
> routine.
> + */
> +CPUSlotInfoList *qmp_query_cpu_slots(Error **errp)
> +{
> +MachineState *ms = MACHINE(qdev_get_machine());
> +MachineClass *mc = MACHINE_GET_CLASS(ms);
> +
> +if (!mc->cpu_slots) {
> +error_setg(errp, QERR_UNSUPPORTED);
> +return NULL;
> +}
> +
> +return mc->cpu_slots(ms);
> +}
>  
>  static char *machine_get_accel(Object *obj, Error **errp)
>  {
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index 780cd00..b76ed85 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -2453,6 +2453,117 @@ static unsigned spapr_cpu_index_to_socket_id(unsigned 
> cpu_index)
>  return cpu_index / smp_threads / smp_cores;
>  }
>  
> +static int spapr_cpuinfo_list(Object *obj, void *opaque)
> +{
> +MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
> +CPUInfoList ***prev = opaque;
> +
> +if (object_dynamic_cast(obj, TYPE_CPU)) {
> +CPUInfoList *elem = g_new0(CPUInfoList, 1);
> +CPUInfo *s = g_new0(CPUInfo, 1);
> +CPUState *cpu = CPU(obj);
> +PowerPCCPU *pcpu = POWERPC_CPU(cpu);
> +
> +s->arch_id = ppc_get_vcpu_dt_id(pcpu);
> +s->type = g_strdup(object_get_typename(obj));
> +s->thread = cpu->cpu_index;
> +s->has_thread = true;
> +s->core = cpu->cpu_index / smp_threads;
> +s->has_core = true;
> +if (mc->cpu_index_to_socket_id) {
> +s->socket = mc->cpu_index_to_socket_id(cpu->cpu_index);
> +} else {
> +s->socket = cpu->cpu_index / smp_threads / smp_cores;
> +}
> +s->has_socket = true;
> +s->node = cpu->numa_node;
> +s->has_node = true;
> +s->qom_path = object_get_canonical_path(obj);
> +s->has_qom_path = true;
> +
> +elem->value = s;
> +elem->next = NULL;
> +**prev = elem;
> +*prev = >next;
> +}
> +object_child_foreach(obj, spapr_cpuinfo_list, opaque);
> +return 0;
> +}
> +
> +static CPUSlotInfoList *spapr_cpu_slots(MachineState *machine)
> +{
> +CPUSlotInfoList *head = NULL;
> +CPUSlotInfoList **prev = 
> +Object *root_container;
> +ObjectProperty *prop;
> +ObjectPropertyIterator iter;
> +
> +/*
> + * TODO: There surely must be a better/easier way to walk all
> + * the link properties of an object ?
> + */
> +root_container = container_get(object_get_root(), "/machine");
> +object_property_iter_init(, root_container);
> +
> +while ((prop = object_property_iter_next())) {
> +Object *obj;
> +DeviceState *dev;
> +CPUSlotInfoList *elem;
> +CPUSlotInfo *s;
> +CPUInfoList *cpu_head = NULL;
> +CPUInfoList **cpu_prev = _head;
> +sPAPRCPUCore *core;
> +
> +if (!strstart(prop->type, "link<", NULL)) {
> +continue;
> +}
> +
> +if (!strstart(prop->name, SPAPR_MACHINE_CPU_CORE_PROP, NULL)) {
> +continue;
> +}
> +
> +elem = g_new0(CPUSlotInfoList, 1);
> +s = g_new0(CPUSlotInfo, 1);
> +
> +obj = object_property_get_link(root_container, prop->name, NULL);
> +if (obj) {
> +/* Slot populated */
> +dev = DEVICE(obj);
> +core = SPAPR_CPU_CORE(obj);
> +
> +if (dev->id) {
> +s->has_id = true;
> +s->id = g_strdup(dev->id);
> +}
> +s->realized = object_property_get_bool(obj, "realized", NULL);
> +s->nr_cpus = core->nr_threads;
> +s->has_nr_cpus = true;
> +s->qom_path = object_get_canonical_path(obj);
> +s->has_qom_path = true;
> +if (s->realized) {
> +spapr_cpuinfo_list(obj, _prev);
> +}
> +s->has_cpus = true;
> +} else {
> +/* Slot empty */
> +s->has_id = false;
> +

Re: [Qemu-devel] [PATCH v3 1/2] generic-loader: Add a generic loader

[Peter Maydell]

On 19 February 2016 at 20:40, Alistair Francis
 wrote:
> Add a generic loader to QEMU which can be used to load images or set
> memory values.

I'm not inherently opposed to this (it seems like a nice way
to deal with the desire to load arbitrary images), but it feels
a bit half-baked at the moment. More detailed comments below.

> This only supports ARM architectures at the moment.

This doesn't sound very generic :-)

> Signed-off-by: Alistair Francis 
> ---
> V3:
>  - Pass the ram_size to load_image_targphys()
> V2:
>  - Add maintainers entry
>  - Perform bounds checking
>  - Register and unregister the reset in the realise/unrealise
> Changes since RFC:
>  - Add BE support
>
>  MAINTAINERS  |   6 ++
>  default-configs/arm-softmmu.mak  |   1 +
>  hw/misc/Makefile.objs|   2 +
>  hw/misc/generic-loader.c | 143 
> +++
>  include/hw/misc/generic-loader.h |  50 ++
>  5 files changed, 202 insertions(+)
>  create mode 100644 hw/misc/generic-loader.c
>  create mode 100644 include/hw/misc/generic-loader.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 9adeda3..7dae3dd 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -963,6 +963,12 @@ F: hw/acpi/nvdimm.c
>  F: hw/mem/nvdimm.c
>  F: include/hw/mem/nvdimm.h
>
> +Generic Loader
> +M: Alistair Francis 
> +S: Maintained
> +F: hw/misc/generic-loader.c
> +F: include/hw/misc/generic-loader.h
> +
>  Subsystems
>  --
>  Audio
> diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
> index a9f82a1..b246b75 100644
> --- a/default-configs/arm-softmmu.mak
> +++ b/default-configs/arm-softmmu.mak
> @@ -110,3 +110,4 @@ CONFIG_IOH3420=y
>  CONFIG_I82801B11=y
>  CONFIG_ACPI=y
>  CONFIG_SMBIOS=y
> +CONFIG_LOADER=y
> diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
> index ea6cd3c..9f05dcf 100644
> --- a/hw/misc/Makefile.objs
> +++ b/hw/misc/Makefile.objs
> @@ -46,3 +46,5 @@ obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
>  obj-$(CONFIG_PVPANIC) += pvpanic.o
>  obj-$(CONFIG_EDU) += edu.o
>  obj-$(CONFIG_HYPERV_TESTDEV) += hyperv_testdev.o
> +
> +obj-$(CONFIG_LOADER) += generic-loader.o
> diff --git a/hw/misc/generic-loader.c b/hw/misc/generic-loader.c
> new file mode 100644
> index 000..20f07a8
> --- /dev/null
> +++ b/hw/misc/generic-loader.c
> @@ -0,0 +1,143 @@
> +/*
> + * Generic Loader
> + *
> + * Copyright (C) 2014 Li Guang
> + * Copyright (C) 2016 Xilinx Inc.
> + * Written by Li Guang 
> + *
> + * This program is free software; you can redistribute it and/or modify it
> + * under the terms of the GNU General Public License as published by the
> + * Free Software Foundation; either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful, but 
> WITHOUT
> + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
> + * for more details.
> + */
> +
> +#include "qemu/osdep.h"
> +#include "hw/sysbus.h"
> +#include "sysemu/dma.h"
> +#include "hw/loader.h"
> +#include "hw/misc/generic-loader.h"
> +
> +#define CPU_NONE 0xFF

This is a mine waiting to be triggered if we ever raise
MAX_CPUMASK_BITS and allow 256 CPUs.

> +
> +static void generic_loader_reset(void *opaque)
> +{
> +GenericLoaderState *s = GENERIC_LOADER(opaque);
> +
> +if (s->cpu) {
> +CPUClass *cc = CPU_GET_CLASS(s->cpu);
> +cpu_reset(s->cpu);
> +cc->set_pc(s->cpu, s->addr);

Why is a loader device messing with the CPU state (especially
unconditionally) ?

> +}
> +
> +if (s->data_len) {
> +assert(s->data_len < sizeof(s->data));
> +dma_memory_write((s->cpu ? s->cpu : first_cpu)->as, s->addr, 
> >data,
> + s->data_len);

Writing directly to cpu->as is not very generic. In particular,
how should this interact with TrustZone, where you might want to
write the image to the Secure address space?

> +}
> +}
> +
> +static void generic_loader_realize(DeviceState *dev, Error **errp)
> +{
> +GenericLoaderState *s = GENERIC_LOADER(dev);
> +hwaddr entry;
> +int big_endian;
> +int size = 0;
> +
> +qemu_register_reset(generic_loader_reset, dev);
> +
> +if (s->cpu_nr != CPU_NONE) {
> +CPUState *cs = first_cpu;
> +int cpu_num = 0;
> +
> +CPU_FOREACH(cs) {
> +if (cpu_num == s->cpu_nr) {
> +s->cpu = cs;
> +break;
> +} else if (!CPU_NEXT(cs)) {
> +error_setg(errp, "Specified boot CPU#%d is nonexistent",
> +   s->cpu_nr);
> +return;
> +} else {
> +cpu_num++;
> +}
> +}

This appears to be reimplementing 

[Qemu-devel] [PATCH 1/2] hw/mips: add initial Cluster Power Controller support

[Leon Alrae]

Cluster Power Controller (CPC) is responsible for power management in
multiprocessing system. It provides registers to control the power and the
clock frequency of the individual elements in the system.

This patch implements only three registers that are used to control the
power state of each VP on a single core:
* VP Run is a write-only register used to set each VP to the run state
* VP Stop is a write-only register used to set each VP to the suspend state
* VP Running is a read-only register indicating the run state of each VP

Signed-off-by: Leon Alrae 
---
 default-configs/mips-softmmu.mak |   1 +
 default-configs/mips64-softmmu.mak   |   1 +
 default-configs/mips64el-softmmu.mak |   1 +
 default-configs/mipsel-softmmu.mak   |   1 +
 hw/misc/Makefile.objs|   1 +
 hw/misc/mips_cpc.c   | 124 +++
 include/hw/misc/mips_cpc.h   |  45 +
 7 files changed, 174 insertions(+)
 create mode 100644 hw/misc/mips_cpc.c
 create mode 100644 include/hw/misc/mips_cpc.h

diff --git a/default-configs/mips-softmmu.mak b/default-configs/mips-softmmu.mak
index a784644..8a9482e 100644
--- a/default-configs/mips-softmmu.mak
+++ b/default-configs/mips-softmmu.mak
@@ -31,3 +31,4 @@ CONFIG_MC146818RTC=y
 CONFIG_ISA_TESTDEV=y
 CONFIG_EMPTY_SLOT=y
 CONFIG_MIPS_GIC=y
+CONFIG_MIPS_CPC=y
diff --git a/default-configs/mips64-softmmu.mak 
b/default-configs/mips64-softmmu.mak
index 957508d..27ca662 100644
--- a/default-configs/mips64-softmmu.mak
+++ b/default-configs/mips64-softmmu.mak
@@ -37,3 +37,4 @@ CONFIG_MC146818RTC=y
 CONFIG_ISA_TESTDEV=y
 CONFIG_EMPTY_SLOT=y
 CONFIG_MIPS_GIC=y
+CONFIG_MIPS_CPC=y
diff --git a/default-configs/mips64el-softmmu.mak 
b/default-configs/mips64el-softmmu.mak
index 6c1065f..7dfc4cb 100644
--- a/default-configs/mips64el-softmmu.mak
+++ b/default-configs/mips64el-softmmu.mak
@@ -40,3 +40,4 @@ CONFIG_VT82C686=y
 CONFIG_ISA_TESTDEV=y
 CONFIG_EMPTY_SLOT=y
 CONFIG_MIPS_GIC=y
+CONFIG_MIPS_CPC=y
diff --git a/default-configs/mipsel-softmmu.mak 
b/default-configs/mipsel-softmmu.mak
index 4633b0b..e02599d 100644
--- a/default-configs/mipsel-softmmu.mak
+++ b/default-configs/mipsel-softmmu.mak
@@ -31,3 +31,4 @@ CONFIG_MC146818RTC=y
 CONFIG_ISA_TESTDEV=y
 CONFIG_EMPTY_SLOT=y
 CONFIG_MIPS_GIC=y
+CONFIG_MIPS_CPC=y
diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index 7bb14ed..46b3e71 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -43,6 +43,7 @@ obj-$(CONFIG_ZYNQ) += zynq_slcr.o
 obj-$(CONFIG_ZYNQ) += zynq-xadc.o
 obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
 obj-$(CONFIG_MIPS_GIC) += mips_gcr.o
+obj-$(CONFIG_MIPS_CPC) += mips_cpc.o
 
 obj-$(CONFIG_PVPANIC) += pvpanic.o
 obj-$(CONFIG_EDU) += edu.o
diff --git a/hw/misc/mips_cpc.c b/hw/misc/mips_cpc.c
new file mode 100644
index 000..3ea55fb
--- /dev/null
+++ b/hw/misc/mips_cpc.c
@@ -0,0 +1,124 @@
+/*
+ * Cluster Power Controller emulation
+ *
+ * Copyright (c) 2016 Imagination Technologies
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "hw/sysbus.h"
+
+#include "hw/misc/mips_cpc.h"
+
+#define CPC_VP_PER_CORE_MAX 4
+#define CPC_VP_RUN_MASK ((1 << CPC_VP_PER_CORE_MAX) - 1)
+
+static void cpc_run_vp(MIPSCPCState *cpc, uint64_t vp_run)
+{
+CPUState *cs = first_cpu;
+
+CPU_FOREACH(cs) {
+uint64_t i = 1ULL << cs->cpu_index;
+if (i & vp_run & ~cpc->vp_running) {
+cpu_interrupt(cs, CPU_INTERRUPT_WAKE);
+cpc->vp_running |= i;
+}
+}
+}
+
+static void cpc_stop_vp(MIPSCPCState *cpc, uint64_t vp_stop)
+{
+CPUState *cs = first_cpu;
+
+CPU_FOREACH(cs) {
+uint64_t i = 1ULL << cs->cpu_index;
+if (i & vp_stop & cpc->vp_running) {
+cs->halted = 1;
+cpu_reset_interrupt(cs, CPU_INTERRUPT_WAKE);
+cpc->vp_running &= ~i;
+}
+}
+}
+
+static void cpc_write(void *opaque, hwaddr offset, uint64_t data,
+  unsigned size)
+{
+MIPSCPCState *s = opaque;
+
+switch (offset) {
+case CPC_CL_BASE_OFS + CPC_VP_RUN_OFS:
+case CPC_CO_BASE_OFS + CPC_VP_RUN_OFS:
+cpc_run_vp(s, data & CPC_VP_RUN_MASK);
+break;
+case CPC_CL_BASE_OFS + CPC_VP_STOP_OFS:
+case CPC_CO_BASE_OFS + CPC_VP_STOP_OFS:
+

[Qemu-devel] [PATCH 2/2] hw/mips_malta: add CPC to the Malta board

[Leon Alrae]

On Malta, after reset, only VP0 on Core0 starts the execution. Other VPs
are halted until VP0 powers them up using Cluster Power Controller.

Signed-off-by: Leon Alrae 
---
 hw/mips/mips_malta.c | 30 ++
 1 file changed, 30 insertions(+)

diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
index 1fb17fb..34cc4cb 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
@@ -57,6 +57,7 @@
 #include "exec/semihost.h"
 #include "hw/misc/mips_gcr.h"
 #include "hw/intc/mips_gic.h"
+#include "hw/misc/mips_cpc.h"
 
 //#define DEBUG_BOARD_INIT
 
@@ -97,6 +98,7 @@ typedef struct {
 
 MIPSGCRState gcr;
 MIPSGICState gic;
+MIPSCPCState cpc;
 qemu_irq *i8259;
 } MaltaState;
 
@@ -617,6 +619,19 @@ static void gic_init(MaltaState *s, Error **err)
 sysbus_mmio_map(gicbusdev, 0, gicbase);
 }
 
+static void cpc_init(MaltaState *s, Error **err)
+{
+object_initialize(>cpc, sizeof(s->cpc), TYPE_MIPS_CPC);
+qdev_set_parent_bus(DEVICE(>cpc), sysbus_get_default());
+
+object_property_set_bool(OBJECT(>cpc), true, "realized", err);
+if (*err != NULL) {
+return;
+}
+
+sysbus_mmio_map(SYS_BUS_DEVICE(>cpc), 0, CPC_BASE_ADDR);
+}
+
 /* Network support */
 static void network_init(PCIBus *pci_bus)
 {
@@ -937,6 +952,7 @@ static void malta_mips_config(MIPSCPU *cpu)
 static void main_cpu_reset(void *opaque)
 {
 MIPSCPU *cpu = opaque;
+CPUState *cs = CPU(cpu);
 CPUMIPSState *env = >env;
 
 cpu_reset(CPU(cpu));
@@ -954,6 +970,15 @@ static void main_cpu_reset(void *opaque)
 /* Start running from the bootloader we wrote to end of RAM */
 env->active_tc.PC = 0x4000 + loaderparams.ram_low_size;
 }
+
+/* At reset only VP0 on Core0 will start executing the code, other
+   VPs are halted until VP0 powers them up through Cluster Power
+   Controller. */
+if ((env->CP0_Config5 & (1 << CP0C5_VP)) &&
+(env->CP0_Config3 & (1 << CP0C3_CMGCR)) &&
+(cs->cpu_index != 0)) {
+cs->halted = 1;
+}
 }
 
 static
@@ -1200,6 +1225,11 @@ void mips_malta_init(MachineState *machine)
 error_report("%s", error_get_pretty(err));
 exit(1);
 }
+cpc_init(s, );
+if (err != NULL) {
+error_report("%s", error_get_pretty(err));
+exit(1);
+}
 }
 
 /*
-- 
2.1.0

[Qemu-devel] [PATCH 0/2] hw/mips: implement Cluster Power Controller

[Leon Alrae]

This minimal CPC support is one of the elements required to allow R6 Linux to
bring up Virtual Processors on Malta board. This patch applies on top of
Yongbok's GIC/GCR patchset which still requires updating/fixing (that
probably will also affect CPC, in particular when we come up with a wrapper
for the CPU, GIC, GCR, etc.). Hopefully this will get sorted out soon so
we could include these functionalities in 2.6 release.

Next step can be extending the feature to support multi-core. Also,
these features will be handy for testing MIPS with MTTCG which is
something I hope to start in near future.

Thanks,
Leon

Leon Alrae (2):
  hw/mips: add initial Cluster Power Controller support
  hw/mips_malta: add CPC to the Malta board

 default-configs/mips-softmmu.mak |   1 +
 default-configs/mips64-softmmu.mak   |   1 +
 default-configs/mips64el-softmmu.mak |   1 +
 default-configs/mipsel-softmmu.mak   |   1 +
 hw/mips/mips_malta.c |  30 +
 hw/misc/Makefile.objs|   1 +
 hw/misc/mips_cpc.c   | 124 +++
 include/hw/misc/mips_cpc.h   |  45 +
 8 files changed, 204 insertions(+)
 create mode 100644 hw/misc/mips_cpc.c
 create mode 100644 include/hw/misc/mips_cpc.h

-- 
2.1.0

Re: [Qemu-devel] [PATCH v4 00/16] data-driven device registers

[Alex Bennée]

Alistair Francis  writes:

> This patch series is based on Peter C's original register API. His
> original cover letter is below.

In the next revision you'll need to add the osdep includes that
currently break this when applied to origin/master.

See:

https://travis-ci.org/stsquad/qemu/builds/112038657

>
> I have added a new function memory_region_add_subregion_no_print() which
> stops memory regions from being printed by 'info mtree'. This is used to
> avoid evey register being printed when running 'info mtree'.
>
> NOTE: That info qom-tree will still print all of these registers.
>
> Future work: Allow support for memory attributes.
>
> V4:
>  - Rebase and fix build issue
>  - Simplify the register write logic
>  - Other small fixes suggested by Alex Bennee
> V3:
>  - Small changes reported by Fred
> V2:
>  - Rebase
>  - Fix up IOU SLCR connections
>  - Add the memory_region_add_subregion_no_print() function and use it
>for the registers
> Changes since RFC:
>  - Connect the ZynqMP IOU SLCR device
>  - Rebase
>
> Original cover letter From Peter:
> Hi All. This is a new scheme I've come up with handling device registers in a
> data driven way. My motivation for this is to factor out a lot of the access
> checking that seems to be replicated in every device. See P1 commit message 
> for
> further discussion.
>
> P1 is the main patch, adds the register definition functionality
> P2-3,6 add helpers that glue the register API to the Memory API
> P4 Defines a set of macros that minimise register and field definitions
> P5 is QOMfication
> P7 is a trivial
> P10-13 Work up to GPIO support
> P8,9,14 add new devices (the Xilinx Zynq devcfg & ZynqMP SLCR) that use this
> scheme.
> P15: Connect the ZynqMP SLCR device
>
> This Zynq devcfg device was particularly finnicky with per-bit restrictions.
> I'm also looking for a higher-than-usual modelling fidelity
> on the register space, with semantics defined for random reserved bits
> in-between otherwise consistent fields.
>
> Here's an example of the qemu_log output for the devcfg device. This is 
> produced
> by now generic sharable code:
>
> /machine/unattached/device[44]:Addr 0x08:CFG: write of value 0508
> /machine/unattached/device[44]:Addr 0x80:MCTRL: write of value 00800010
> /machine/unattached/device[44]:Addr 0x10:INT_MASK: write of value 
> /machine/unattached/device[44]:Addr :CTRL: write of value 0c00607f
>
> And an example of a rogue guest banging on a bad bit:
>
> /machine/unattached/device[44]:Addr 0x14:STATUS bits 0x01 may not be \
>   written to 1
>
> A future feature I am interested in is implementing TCG optimisation of
> side-effectless registers. The register API allows clear definition of
> what registers have txn side effects and which ones don't. You could even
> go a step further and translate such side-effectless accesses based on the
> data pointer for the register.
>
>
> Alistair Francis (3):
>   memory: Allow subregions to not be printed by info mtree
>   register: Add Register API
>   xlnx-zynqmp: Connect the ZynqMP IOU SLCR
>
> Peter Crosthwaite (13):
>   register: Add Memory API glue
>   register: Add support for decoding information
>   register: Define REG and FIELD macros
>   register: QOMify
>   register: Add block initialise helper
>   bitops: Add ONES macro
>   dma: Add Xilinx Zynq devcfg device model
>   xilinx_zynq: add devcfg to machine model
>   qdev: Define qdev_get_gpio_out
>   qdev: Add qdev_pass_all_gpios API
>   irq: Add opaque setter routine
>   register: Add GPIO API
>   misc: Introduce ZynqMP IOU SLCR
>
>  default-configs/arm-softmmu.mak|   1 +
>  hw/arm/xilinx_zynq.c   |   8 +
>  hw/arm/xlnx-zynqmp.c   |  13 ++
>  hw/core/Makefile.objs  |   1 +
>  hw/core/irq.c  |   5 +
>  hw/core/qdev.c |  21 ++
>  hw/core/register.c | 348 +
>  hw/dma/Makefile.objs   |   1 +
>  hw/dma/xlnx-zynq-devcfg.c  | 393 
> +
>  hw/misc/Makefile.objs  |   1 +
>  hw/misc/xlnx-zynqmp-iou-slcr.c | 113 ++
>  include/exec/memory.h  |  17 ++
>  include/hw/arm/xlnx-zynqmp.h   |   2 +
>  include/hw/dma/xlnx-zynq-devcfg.h  |  62 ++
>  include/hw/irq.h   |   2 +
>  include/hw/misc/xlnx-zynqmp-iou-slcr.h |  47 
>  include/hw/qdev-core.h |   3 +
>  include/hw/register.h  | 260 ++
>  include/qemu/bitops.h  |   2 +
>  memory.c   |  10 +-
>  20 files changed, 1309 insertions(+), 1 deletion(-)
>  create mode 100644 hw/core/register.c
>  create mode 100644 hw/dma/xlnx-zynq-devcfg.c
>  create mode 100644 

Re: [Qemu-devel] [RFC 00/11] Current MTTCG kvm-unit-test patches

[Alex Bennée]

Andrew Jones  writes:

> On Fri, Feb 26, 2016 at 02:54:33PM +, Alex Bennée wrote:
>>
>> Andrew Jones  writes:
>>
>> > On Fri, Feb 26, 2016 at 01:15:22PM +, Alex Bennée wrote:
>> >> Hi,
>> >>
>> >> Some of these patches have been posted before and previous patches
>> >> have already been accepted upstream so I'm tagging this as a new RFC
>> >> series.
>> >>
>> >> This is a series of tests built around kvm-unit-tests but built with
>> >> the express purpose of stressing the TCG, in particular MTTCG builds.
>> >>
>> >> Changes from previous appearances:
>> >>
>> >>  * Separated locking and barrier tests
>> >>  * Included Drew's IPI patches (used in tcg-test)
>> >>  * New TCG chaining test
>> >>
>> >> The new barrier tests really only fails when running on MTTCG builds on
>> >> a weak backend. Many thanks to Will Deacon for helping me get a
>> >> working test case at the last Connect.
>> >>
>> >> I'm mainly posting these for reference for others testing MTTCG as
>> >> I've still got to check I've addressed any outstanding review
>> >> comments. However there has been enough code churn some of the
>> >> comments may no longer be relevant.
>> >>
>> >> The TCG tests are also useful as benchmarks for comparing the cost of
>> >> having chained basic blocks versus exiting the loop every time. The
>> >> pathological case is the computed jumps test as all the addresses are
>> >> within a PAGE_SIZE boundary the tb_jump_cache has no effect meaning a
>> >> full look up each time.
>> >>
>> >> Alex Bennée (8):
>> >>   config/config-arm-common: build-up tests-common target
>> >>   lib: add isaac prng library from CCAN
>> >>   arm/run: set indentation defaults for emacs
>> >>   arm/run: allow aarch64 to start arm binaries
>> >>   arm/tlbflush-test: Add TLB torture test
>> >>   arm/locking-tests: add comprehensive locking test
>> >>   arm/barrier-litmus-tests: add some litmus tests
>> >>   arm/tcg-test: some basic TCG exercising tests
>> >>
>> >> Andrew Jones (3):
>> >>   arm/arm64: irq enable/disable
>> >>   arm/arm64: Add initial gic support
>> >>   arm/arm64: Add IPI test
>> >
>> > I've actually updated these patches a bit, and started extending the
>> > series to also work with a v3 gic. I'll pick that back up and get it
>> > posted for you (hopefully next week). Or I'll at least update my
>> > arm/ipi-test branch with the changes I've made for gicv2...
>>
>> Cool.
>>
>> One thing I noticed was a slight disparity between the number of IPI
>> IRQs sent and the number received. However I'm assuming this could well
>> be without any explicit synchronisation a second IPI can get swallowed
>> up if the first hasn't been acknowledged yet.
>
> Hmm, this version of the test only sends/receives a single IPI, so
> it should always be one/one. Or, are you watching the interrupts
> somewhere else, and seeing more generated?

Sorry I should have been clear. In my tcg-test with the "irq" modifier
which sends an IRQ to every CPU every n-iterations.

>> Is there any sane/safe way for gic_send_sgi to know if the IRQ was
>> pending when it flips the bit?
>
> The new version wraps the acking in an if (iar != GICC_INT_SPURIOUS)
> condition (I ripped that off of Marc's assembler version). That may
> "fix" things for you, but then the question is why do you see spurious
> interrupts? I'll add code that counts spurious interrupts too.

Not spurious, less received than sent. I'll double check the code and
make sure I count them up right.

>
> Thanks,
> drew


--
Alex Bennée

Re: [Qemu-devel] [PULL v3 0/6] migration pull

[Peter Maydell]

On 26 February 2016 at 15:17, Amit Shah  wrote:
> The following changes since commit 0c6940d086f39bbf725d96104abe46da87429cb6:
>
>   build: [bsd-user] Rename "syscall.h" to "target_syscall.h" in target 
> directories (2016-02-25 16:41:08 +)
>
> are available in the git repository at:
>
>   https://git.kernel.org/pub/scm/virt/qemu/amit/migration.git 
> tags/migration-for-2.6-5
>
> for you to fetch changes up to ea6a55bcc0d144ac5086cebf7f84afa7071afe90:
>
>   migration (postcopy): move bdrv_invalidate_cache_all of of coroutine 
> context (2016-02-26 20:40:08 +0530)
>
> 
> migration pull
>  - fix a qcow2 assert
>  - fix for older distros (CentOS 5)
>  - documentation for vmstate flags
>  - minor code rearrangement

Applied, thanks.

-- PMM

Re: [Qemu-devel] [PATCH v3 2/2] docs: Add a generic loader explanation document

[Peter Maydell]

On 19 February 2016 at 20:40, Alistair Francis
 wrote:
> Signed-off-by: Alistair Francis 
> ---
>
>  docs/generic-loader.txt | 21 +
>  1 file changed, 21 insertions(+)
>  create mode 100644 docs/generic-loader.txt
>
> diff --git a/docs/generic-loader.txt b/docs/generic-loader.txt
> new file mode 100644
> index 000..69e262d
> --- /dev/null
> +++ b/docs/generic-loader.txt
> @@ -0,0 +1,21 @@
> +Copyright (c) 2016 Xilinx Inc.
> +
> +This work is licensed under the terms of the GNU GPL, version 2 or later.  
> See
> +the COPYING file in the top-level directory.
> +
> +
> +This loader allows the user to load multiple images or values into QEMU at 
> startup.

This is a bit confusing, because it's not entirely clear what
"this" is referring to. Something with a heading and then a
paragraph starting "The 'loader' device allows ..." might be
better.

> +
> +Loading Memory Values
> +---
> +Memory values can be loaded like this:
> +-device loader,addr=0xfd1a0104,data=0x800e,data-len=4

What values are permitted for data-len ? What endianness is
the data stored as? What address space is the data written to?
Is 'cpu=N' valid here as it is for the image loader syntax below?

> +
> +Loading Images
> +---
> +Images can be loaded like this:
> +-device loader,file=./images/boot.elf,cpu=0
> +
> +The limiation for arch is based off settting the ELF_ARCH macro.

I don't understand this sentence (also it has two typos in it :-))


> +
> +At the moment only the ARM arhitectures are supported

"architectures". Why is there an architecture limitation? Missing
full stop.

Straightforward documentation of all possible options, followed
by examples, is probably a better way to structure this than
trying to describe it only by example.

thanks
-- PMM

Re: [Qemu-devel] [RFC PATCH v0 5/6] qmp, spapr: Show hot-plugged/pluggable CPU slots in the Machine

[Eric Blake]

On 02/25/2016 09:22 AM, Bharata B Rao wrote:
> Implement query cpu-slots that provides information about hot-plugged
> as well as hot-pluggable CPU slots that the machine supports.
> 
> TODO: As Eric suggested use enum for type instead of str.
> TODO: @hotplug-granularity probably isn't required.

I guess this is still marked TODO because the series is still RFC?

> 
> Signed-off-by: Bharata B Rao 
> ---

> +++ b/qapi-schema.json
> @@ -4083,3 +4083,88 @@
>  ##
>  { 'enum': 'ReplayMode',
>'data': [ 'none', 'record', 'play' ] }
> +
> +##
> +# @CPUInfo:
> +#
> +# Information about CPUs
> +#
> +# @arch-id: Arch-specific ID for the CPU.
> +#
> +# @type: QOM type of the CPU.
> +#
> +# @thread: Thread ID of the CPU.
> +#
> +# @core: Core ID of the CPU.
> +#
> +# @socket: Socket ID of the CPU.
> +#
> +# @node: NUMA node to which the CPU belongs.

Please add the '#optional' tag to the fields which are not always present.

> +#
> +# @qom-path: QOM path of the CPU object
> +#
> +# Since: 2.6
> +##
> +
> +{ 'struct': 'CPUInfo',
> +  'data': { 'arch-id': 'int',
> +'type': 'str',

The TODO in the commit message mentions that this should be converted to
an enum.

> +'*thread': 'int',
> +'*core': 'int',
> +'*socket' : 'int',
> +'*node' : 'int',
> +'*qom-path': 'str'
> +  }

But looking better than the previous round.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

[Qemu-devel] [PULL 09/20] target-arm: In v8, make illegal AArch32 mode changes set PSTATE.IL

[Peter Maydell]

In v8, the illegal mode changes which are UNPREDICTABLE in v7 are
given architected behaviour:
 * the mode field is unchanged
 * PSTATE.IL is set (so any subsequent instructions will UNDEF)
 * any other CPSR fields are written to as normal

This is pretty much the same behaviour we picked for our
UNPREDICTABLE handling, with the exception that for v8 we
need to set the IL bit.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-10-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 5926b15..ff5f895 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5325,11 +5325,20 @@ void cpsr_write(CPUARMState *env, uint32_t val, 
uint32_t mask,
 (env->uncached_cpsr & CPSR_M) != CPSR_USER &&
 ((env->uncached_cpsr ^ val) & mask & CPSR_M)) {
 if (bad_mode_switch(env, val & CPSR_M)) {
-/* Attempt to switch to an invalid mode: this is UNPREDICTABLE.
- * We choose to ignore the attempt and leave the CPSR M field
- * untouched.
+/* Attempt to switch to an invalid mode: this is UNPREDICTABLE in
+ * v7, and has defined behaviour in v8:
+ *  + leave CPSR.M untouched
+ *  + allow changes to the other CPSR fields
+ *  + set PSTATE.IL
+ * For user changes via the GDB stub, we don't set PSTATE.IL,
+ * as this would be unnecessarily harsh for a user error.
  */
 mask &= ~CPSR_M;
+if (write_type != CPSRWriteByGDBStub &&
+arm_feature(env, ARM_FEATURE_V8)) {
+mask |= CPSR_IL;
+val |= CPSR_IL;
+}
 } else {
 switch_mode(env, val & CPSR_M);
 }
-- 
1.9.1

Re: [Qemu-devel] [PATCH 1/1] arm: virt: change GPIO trigger interrupt to pulse

[Peter Maydell]

On 26 February 2016 at 15:28, Wei Huang  wrote:
>
>
> On 02/26/2016 09:06 AM, Peter Maydell wrote:
>> On 26 February 2016 at 14:54, Shannon Zhao  wrote:
>>> On 2016/2/26 20:53, Peter Maydell wrote:
 I don't understand why a 500ms pulse is better than a short one.

>>> Oh, I just pick a value which seems like a real latency for pressing a
>>> button. What's your suggestion?
>>
>> I would prefer to avoid the pain of having a timer whose state
>> needs to be migrated. It's unclear to me why a 500ms pulse
>> will solve anything that an instantaneous pulse does not,
>> so I'd like to better understand the problem first.
>
> The problem we found with pulse was: only the last state change in GPIO
> is received by guest VM. In other words, with 0(L)->1(H)->0(L) or
> 1(H)->0(L)->1(0), PL061 only sees the last state (0 and 1). I guess this
> is because QEMU is non-preemptive. The solution is to have the following
> steps:
>   * qemu_set_irq(gpio_in, 1)
>   * yeild to guest VM
>   * qemu_set_irq(gpio_in, 0)
>
> Is there any way to do so in QEMU without using timer?

You have no guarantee that the guest VM will necessarily
make any progress even with a 500ms pulse length, so I don't
think increasing the length of the pulse is going to solidly
fix this.

As usual with any kind of interrupt you either need to
trigger on an edge (and latch the trigger in the interrupt
controller until the guest picks it up), or trigger on a
level, and keep the level high until the guest acknowledges
by writing back to the original device to tell it to drop
the level.

thanks
-- PMM

Re: [Qemu-devel] [PULL 0/6] migration pull

[Denis V. Lunev]

On 02/26/2016 06:14 PM, Amit Shah wrote:

On (Fri) 26 Feb 2016 [17:58:34], Denis V. Lunev wrote:

On 02/26/2016 04:15 PM, Amit Shah wrote:

On (Fri) 26 Feb 2016 [12:23:01], Peter Maydell wrote:

Hi. I'm afraid this causes make check to fail:

Oops, I should've caught that.


   /i386/ahci/flush/migrate:
   /i386/ahci/migrate/sanity:
   /i386/ahci/migrate/dma/simple:
   /i386/ahci/migrate/dma/halted:
   /i386/ahci/migrate/ncq/simple:
   /i386/ahci/migrate/ncq/halted:
Broken pipe
FAIL
GTester: last random seed: R02S34da744548f394684dbb7b6d11e14043
(pid=56820)

(failure seen on ppc64be, x86-64 linux, aarch64, but not aarch32 or OSX).

AHCI tests are failing due to Denis's patches.  I'm checking why.

Amit

oops. Interesting :(

Right - use-after-free; this on top of your patch fixes it.


diff --git a/migration/migration.c b/migration/migration.c
index f82fdf6..0129d9f 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -366,9 +366,8 @@ static void process_incoming_migration_bh(void *opaque)
   */
  migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
MIGRATION_STATUS_COMPLETED);
-migration_incoming_state_destroy();
-
  qemu_bh_delete(mis->bh);
+migration_incoming_state_destroy();
  }
  
  static void process_incoming_migration_co(void *opaque)



Amit

sorry :( last minute changes are bad...

Re: [Qemu-devel] [RFC 00/11] Current MTTCG kvm-unit-test patches

[Andrew Jones]

On Fri, Feb 26, 2016 at 02:54:33PM +, Alex Bennée wrote:
> 
> Andrew Jones  writes:
> 
> > On Fri, Feb 26, 2016 at 01:15:22PM +, Alex Bennée wrote:
> >> Hi,
> >>
> >> Some of these patches have been posted before and previous patches
> >> have already been accepted upstream so I'm tagging this as a new RFC
> >> series.
> >>
> >> This is a series of tests built around kvm-unit-tests but built with
> >> the express purpose of stressing the TCG, in particular MTTCG builds.
> >>
> >> Changes from previous appearances:
> >>
> >>  * Separated locking and barrier tests
> >>  * Included Drew's IPI patches (used in tcg-test)
> >>  * New TCG chaining test
> >>
> >> The new barrier tests really only fails when running on MTTCG builds on
> >> a weak backend. Many thanks to Will Deacon for helping me get a
> >> working test case at the last Connect.
> >>
> >> I'm mainly posting these for reference for others testing MTTCG as
> >> I've still got to check I've addressed any outstanding review
> >> comments. However there has been enough code churn some of the
> >> comments may no longer be relevant.
> >>
> >> The TCG tests are also useful as benchmarks for comparing the cost of
> >> having chained basic blocks versus exiting the loop every time. The
> >> pathological case is the computed jumps test as all the addresses are
> >> within a PAGE_SIZE boundary the tb_jump_cache has no effect meaning a
> >> full look up each time.
> >>
> >> Alex Bennée (8):
> >>   config/config-arm-common: build-up tests-common target
> >>   lib: add isaac prng library from CCAN
> >>   arm/run: set indentation defaults for emacs
> >>   arm/run: allow aarch64 to start arm binaries
> >>   arm/tlbflush-test: Add TLB torture test
> >>   arm/locking-tests: add comprehensive locking test
> >>   arm/barrier-litmus-tests: add some litmus tests
> >>   arm/tcg-test: some basic TCG exercising tests
> >>
> >> Andrew Jones (3):
> >>   arm/arm64: irq enable/disable
> >>   arm/arm64: Add initial gic support
> >>   arm/arm64: Add IPI test
> >
> > I've actually updated these patches a bit, and started extending the
> > series to also work with a v3 gic. I'll pick that back up and get it
> > posted for you (hopefully next week). Or I'll at least update my
> > arm/ipi-test branch with the changes I've made for gicv2...
> 
> Cool.
> 
> One thing I noticed was a slight disparity between the number of IPI
> IRQs sent and the number received. However I'm assuming this could well
> be without any explicit synchronisation a second IPI can get swallowed
> up if the first hasn't been acknowledged yet.

Hmm, this version of the test only sends/receives a single IPI, so
it should always be one/one. Or, are you watching the interrupts
somewhere else, and seeing more generated?

> 
> Is there any sane/safe way for gic_send_sgi to know if the IRQ was
> pending when it flips the bit?

The new version wraps the acking in an if (iar != GICC_INT_SPURIOUS)
condition (I ripped that off of Marc's assembler version). That may
"fix" things for you, but then the question is why do you see spurious
interrupts? I'll add code that counts spurious interrupts too.

Thanks,
drew

[Qemu-devel] [PULL 18/20] sdhci: add quirk property for card insert interrupt status on Raspberry Pi

[Peter Maydell]

From: Andrew Baumann 

This quirk is a workaround for the following hardware behaviour, on
which UEFI (specifically, the bootloader for Windows on Pi2) depends:

1. at boot with an SD card present, the interrupt status/enable
   registers are initially zero
2. upon enabling it in the interrupt enable register, the card insert
   bit in the interrupt status register is immediately set
3. after a subsequent controller reset, the card insert interrupt does
   not fire, even if enabled in the interrupt enable register

Signed-off-by: Andrew Baumann 
Message-id: 1456436130-7048-3-git-send-email-andrew.baum...@microsoft.com
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 hw/sd/sdhci.c | 38 +-
 include/hw/sd/sdhci.h |  2 ++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index f175b30..e087c17 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -204,6 +204,7 @@ static void sdhci_reset(SDHCIState *s)
 
 s->data_count = 0;
 s->stopped_state = sdhc_not_stopped;
+s->pending_insert_state = false;
 }
 
 static void sdhci_data_transfer(void *opaque);
@@ -1095,6 +1096,13 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, 
unsigned size)
 } else {
 s->norintsts &= ~SDHC_NIS_ERR;
 }
+/* Quirk for Raspberry Pi: pending card insert interrupt
+ * appears when first enabled after power on */
+if ((s->norintstsen & SDHC_NISEN_INSERT) && s->pending_insert_state) {
+assert(s->pending_insert_quirk);
+s->norintsts |= SDHC_NIS_INSERT;
+s->pending_insert_state = false;
+}
 sdhci_update_irq(s);
 break;
 case SDHC_NORINTSIGEN:
@@ -1181,6 +1189,24 @@ static void sdhci_uninitfn(SDHCIState *s)
 s->fifo_buffer = NULL;
 }
 
+static bool sdhci_pending_insert_vmstate_needed(void *opaque)
+{
+SDHCIState *s = opaque;
+
+return s->pending_insert_state;
+}
+
+static const VMStateDescription sdhci_pending_insert_vmstate = {
+.name = "sdhci/pending-insert",
+.version_id = 1,
+.minimum_version_id = 1,
+.needed = sdhci_pending_insert_vmstate_needed,
+.fields = (VMStateField[]) {
+VMSTATE_BOOL(pending_insert_state, SDHCIState),
+VMSTATE_END_OF_LIST()
+},
+};
+
 const VMStateDescription sdhci_vmstate = {
 .name = "sdhci",
 .version_id = 1,
@@ -1215,7 +1241,11 @@ const VMStateDescription sdhci_vmstate = {
 VMSTATE_TIMER_PTR(insert_timer, SDHCIState),
 VMSTATE_TIMER_PTR(transfer_timer, SDHCIState),
 VMSTATE_END_OF_LIST()
-}
+},
+.subsections = (const VMStateDescription*[]) {
+_pending_insert_vmstate,
+NULL
+},
 };
 
 /* Capabilities registers provide information on supported features of this
@@ -1273,6 +1303,8 @@ static Property sdhci_sysbus_properties[] = {
 DEFINE_PROP_UINT32("capareg", SDHCIState, capareg,
 SDHC_CAPAB_REG_DEFAULT),
 DEFINE_PROP_UINT32("maxcurr", SDHCIState, maxcurr, 0),
+DEFINE_PROP_BOOL("pending-insert-quirk", SDHCIState, pending_insert_quirk,
+ false),
 DEFINE_PROP_END_OF_LIST(),
 };
 
@@ -1300,6 +1332,10 @@ static void sdhci_sysbus_realize(DeviceState *dev, Error 
** errp)
 memory_region_init_io(>iomem, OBJECT(s), _mmio_ops, s, "sdhci",
 SDHC_REGISTERS_MAP_SIZE);
 sysbus_init_mmio(sbd, >iomem);
+
+if (s->pending_insert_quirk) {
+s->pending_insert_state = true;
+}
 }
 
 static void sdhci_sysbus_class_init(ObjectClass *klass, void *data)
diff --git a/include/hw/sd/sdhci.h b/include/hw/sd/sdhci.h
index 4816516..0f0c3f1 100644
--- a/include/hw/sd/sdhci.h
+++ b/include/hw/sd/sdhci.h
@@ -76,6 +76,8 @@ typedef struct SDHCIState {
 uint32_t buf_maxsz;
 uint16_t data_count;   /* current element in FIFO buffer */
 uint8_t  stopped_state;/* Current SDHC state */
+bool pending_insert_quirk;/* Quirk for Raspberry Pi card insert int */
+bool pending_insert_state;
 /* Buffer Data Port Register - virtual access point to R and W buffers */
 /* Software Reset Register - always reads as 0 */
 /* Force Event Auto CMD12 Error Interrupt Reg - write only */
-- 
1.9.1

[Qemu-devel] [PULL 17/20] sdhci: Revert "add optional quirk property to disable card insertion/removal interrupts"

[Peter Maydell]

From: Andrew Baumann 

This reverts commit 723697551a7e926abe7d3c7f2966012b8075143d.

This change was poorly tested on my part. It squelched card insertion
interrupts on reset, but that was not necessary because sdhci_reset()
clears all the registers (via the call to memset), so the subsequent
sdhci_insert_eject_cb() call never sees the card insert interrupt
enabled. However, not calling the insert_eject_cb results in prnsts
remaining 0, when it actually needs to be updated to indicate card
presence and R/O status.

Signed-off-by: Andrew Baumann 
Message-id: 1456436130-7048-2-git-send-email-andrew.baum...@microsoft.com
Signed-off-by: Peter Maydell 
---
 hw/sd/sdhci.c | 9 +++--
 include/hw/sd/sdhci.h | 1 -
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 73e7c87..f175b30 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -198,11 +198,9 @@ static void sdhci_reset(SDHCIState *s)
  * initialization */
 memset(>sdmasysad, 0, (uintptr_t)>capareg - 
(uintptr_t)>sdmasysad);
 
-if (!s->noeject_quirk) {
-/* Reset other state based on current card insertion/readonly status */
-sdhci_set_inserted(dev, sdbus_get_inserted(>sdbus));
-sdhci_set_readonly(dev, sdbus_get_readonly(>sdbus));
-}
+/* Reset other state based on current card insertion/readonly status */
+sdhci_set_inserted(dev, sdbus_get_inserted(>sdbus));
+sdhci_set_readonly(dev, sdbus_get_readonly(>sdbus));
 
 s->data_count = 0;
 s->stopped_state = sdhc_not_stopped;
@@ -1275,7 +1273,6 @@ static Property sdhci_sysbus_properties[] = {
 DEFINE_PROP_UINT32("capareg", SDHCIState, capareg,
 SDHC_CAPAB_REG_DEFAULT),
 DEFINE_PROP_UINT32("maxcurr", SDHCIState, maxcurr, 0),
-DEFINE_PROP_BOOL("noeject-quirk", SDHCIState, noeject_quirk, false),
 DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/include/hw/sd/sdhci.h b/include/hw/sd/sdhci.h
index 607a83e..4816516 100644
--- a/include/hw/sd/sdhci.h
+++ b/include/hw/sd/sdhci.h
@@ -76,7 +76,6 @@ typedef struct SDHCIState {
 uint32_t buf_maxsz;
 uint16_t data_count;   /* current element in FIFO buffer */
 uint8_t  stopped_state;/* Current SDHC state */
-bool noeject_quirk;/* Quirk to disable card insert/remove interrupts */
 /* Buffer Data Port Register - virtual access point to R and W buffers */
 /* Software Reset Register - always reads as 0 */
 /* Force Event Auto CMD12 Error Interrupt Reg - write only */
-- 
1.9.1

[Qemu-devel] [PATCH 1/1] icount: possible options are on or off

[Pranith Kumar]

Signed-off-by: Pranith Kumar 
---
 cpus.c  | 4 ++--
 qemu-options.hx | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cpus.c b/cpus.c
index 9592163..bc774e2 100644
--- a/cpus.c
+++ b/cpus.c
@@ -630,7 +630,7 @@ void configure_icount(QemuOpts *opts, Error **errp)
 icount_align_option = qemu_opt_get_bool(opts, "align", false);
 
 if (icount_align_option && !icount_sleep) {
-error_setg(errp, "align=on and sleep=no are incompatible");
+error_setg(errp, "align=on and sleep=off are incompatible");
 }
 if (strcmp(option, "auto") != 0) {
 errno = 0;
@@ -643,7 +643,7 @@ void configure_icount(QemuOpts *opts, Error **errp)
 } else if (icount_align_option) {
 error_setg(errp, "shift=auto and align=on are incompatible");
 } else if (!icount_sleep) {
-error_setg(errp, "shift=auto and sleep=no are incompatible");
+error_setg(errp, "shift=auto and sleep=off are incompatible");
 }
 
 use_icount = 2;
diff --git a/qemu-options.hx b/qemu-options.hx
index 599db94..b7a6e65 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3275,7 +3275,7 @@ re-inject them.
 ETEXI
 
 DEF("icount", HAS_ARG, QEMU_OPTION_icount, \
-"-icount 
[shift=N|auto][,align=on|off][,sleep=no,rr=record|replay,rrfile=]\n" \
+"-icount 
[shift=N|auto][,align=on|off][,sleep=on|off,rr=record|replay,rrfile=]\n"
 \
 "enable virtual instruction counter with 2^N clock ticks 
per\n" \
 "instruction, enable aligning the host and virtual 
clocks\n" \
 "or disable real time cpu sleeping\n", QEMU_ARCH_ALL)
@@ -3288,8 +3288,8 @@ then the virtual cpu speed will be automatically adjusted 
to keep virtual
 time within a few seconds of real time.
 
 When the virtual cpu is sleeping, the virtual time will advance at default
-speed unless @option{sleep=no} is specified.
-With @option{sleep=no}, the virtual time will jump to the next timer deadline
+speed unless @option{sleep=on|off} is specified.
+With @option{sleep=off}, the virtual time will jump to the next timer deadline
 instantly whenever the virtual cpu goes to sleep mode and will not advance
 if no timer is enabled. This behavior give deterministic execution times from
 the guest point of view.
-- 
2.7.1

[Qemu-devel] [PATCH] icount: possible options for sleep are on or off

[Pranith Kumar]

icount sleep takes on or off as options. A few places mention sleep=no
which is not accepted. This patch corrects them.

Signed-off-by: Pranith Kumar 
---
 cpus.c  | 4 ++--
 qemu-options.hx | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cpus.c b/cpus.c
index 9592163..bc774e2 100644
--- a/cpus.c
+++ b/cpus.c
@@ -630,7 +630,7 @@ void configure_icount(QemuOpts *opts, Error **errp)
 icount_align_option = qemu_opt_get_bool(opts, "align", false);
 
 if (icount_align_option && !icount_sleep) {
-error_setg(errp, "align=on and sleep=no are incompatible");
+error_setg(errp, "align=on and sleep=off are incompatible");
 }
 if (strcmp(option, "auto") != 0) {
 errno = 0;
@@ -643,7 +643,7 @@ void configure_icount(QemuOpts *opts, Error **errp)
 } else if (icount_align_option) {
 error_setg(errp, "shift=auto and align=on are incompatible");
 } else if (!icount_sleep) {
-error_setg(errp, "shift=auto and sleep=no are incompatible");
+error_setg(errp, "shift=auto and sleep=off are incompatible");
 }
 
 use_icount = 2;
diff --git a/qemu-options.hx b/qemu-options.hx
index 599db94..b7a6e65 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3275,7 +3275,7 @@ re-inject them.
 ETEXI
 
 DEF("icount", HAS_ARG, QEMU_OPTION_icount, \
-"-icount 
[shift=N|auto][,align=on|off][,sleep=no,rr=record|replay,rrfile=]\n" \
+"-icount 
[shift=N|auto][,align=on|off][,sleep=on|off,rr=record|replay,rrfile=]\n"
 \
 "enable virtual instruction counter with 2^N clock ticks 
per\n" \
 "instruction, enable aligning the host and virtual 
clocks\n" \
 "or disable real time cpu sleeping\n", QEMU_ARCH_ALL)
@@ -3288,8 +3288,8 @@ then the virtual cpu speed will be automatically adjusted 
to keep virtual
 time within a few seconds of real time.
 
 When the virtual cpu is sleeping, the virtual time will advance at default
-speed unless @option{sleep=no} is specified.
-With @option{sleep=no}, the virtual time will jump to the next timer deadline
+speed unless @option{sleep=on|off} is specified.
+With @option{sleep=off}, the virtual time will jump to the next timer deadline
 instantly whenever the virtual cpu goes to sleep mode and will not advance
 if no timer is enabled. This behavior give deterministic execution times from
 the guest point of view.
-- 
2.7.1

[Qemu-devel] [PULL 00/20] target-arm queue

[Peter Maydell]

The following changes since commit 4d1e324b2241017c92d816ec3af51a14685dbf62:

  Merge remote-tracking branch 'remotes/lalrae/tags/mips-20160226' into staging 
(2016-02-26 12:54:22 +)

are available in the git repository at:


  git://git.linaro.org/people/pmaydell/qemu-arm.git 
tags/pull-target-arm-20160226

for you to fetch changes up to e20d84c1407d43d5a2e2ac95dbb46db3b0af8f9f:

  target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF 
(2016-02-26 15:09:42 +)


target-arm queue:
 * Clean up handling of bad mode switches writing to CPSR, and implement
   the ARMv8 requirement that they set PSTATE.IL
 * Implement MDCR_EL3.TPM and MDCR_EL2.TPM traps on perf monitor
   register accesses
 * Don't implement stellaris-pl061-only registers on generic-pl061
 * Fix SD card handling for raspi
 * Add missing include files to MAINTAINERS
 * Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW
 * Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF


Andrew Baumann (3):
  raspi: fix SD card with recent sdhci changes
  sdhci: Revert "add optional quirk property to disable card 
insertion/removal interrupts"
  sdhci: add quirk property for card insert interrupt status on Raspberry Pi

Edgar E. Iglesias (1):
  target-arm: Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW

Peter Maydell (14):
  target-arm: Give CPSR setting on 32-bit exception return its own helper
  target-arm: Add write_type argument to cpsr_write()
  target-arm: Raw CPSR writes should skip checks and bank switching
  linux-user: Use restrictive mask when calling cpsr_write()
  target-arm: In cpsr_write() ignore mode switches from User mode
  target-arm: Add comment about not implementing NSACR.RFR
  target-arm: Add Hyp mode checks to bad_mode_switch()
  target-arm: Forbid mode switch to Mon from Secure EL1
  target-arm: In v8, make illegal AArch32 mode changes set PSTATE.IL
  target-arm: Make mode switches from Hyp via CPS and MRS illegal
  target-arm: Make Monitor->NS PL1 mode changes illegal if HCR.TGE is 1
  target-arm: Fix handling of SDCR for 32-bit code
  target-arm: Implement MDCR_EL3.TPM and MDCR_EL2.TPM traps
  target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF

Thomas Huth (1):
  MAINTAINERS: Add some missing ARM related header files

Wei Huang (1):
  ARM: PL061: Checking register r/w accesses to reserved area

 MAINTAINERS  |   4 +
 hw/arm/bcm2835_peripherals.c |   7 ++
 hw/arm/bcm2836.c |   7 ++
 hw/arm/raspi.c   |  16 +++
 hw/gpio/pl061.c  |  30 --
 hw/sd/sdhci.c|  47 ++--
 include/hw/sd/sdhci.h|   3 +-
 linux-user/arm/nwfpe/fpa11.h |   2 +-
 linux-user/main.c|   7 +-
 linux-user/signal.c  |   4 +-
 target-arm/cpu-qom.h |   1 +
 target-arm/cpu.h |  17 ++-
 target-arm/gdbstub.c |   2 +-
 target-arm/helper.c  | 250 +--
 target-arm/helper.h  |   1 +
 target-arm/kvm32.c   |   2 +-
 target-arm/kvm64.c   |   3 +-
 target-arm/machine.c |   4 +-
 target-arm/op_helper.c   |  15 ++-
 target-arm/translate.c   |   6 +-
 20 files changed, 359 insertions(+), 69 deletions(-)

[Qemu-devel] [PULL 20/20] target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF

[Peter Maydell]

The v8 ARM ARM defines that unused spaces in the ID_AA64* system
register ranges are Reserved and must RAZ, rather than being UNDEF.
Implement this.

In particular, ARM v8.2 adds a new feature register ID_AA64MMFR2,
and newer versions of the Linux kernel will attempt to read this,
which causes them not to boot up on versions of QEMU missing this fix.

Since the encoding .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6
is actually defined in ARMv8 (as ID_MMFR4), we give it an entry in
the ARMCPU struct so CPUs can override it, though since none do
this too will just RAZ.

Cc: qemu-sta...@nongnu.org
Reported-by: Ard Biesheuvel 
Signed-off-by: Peter Maydell 
Message-id: 1455890863-11203-1-git-send-email-peter.mayd...@linaro.org
Reviewed-by: Alex Bennée 
Tested-by: Alex Bennée 
---
 target-arm/cpu-qom.h |   1 +
 target-arm/helper.c  | 128 ---
 2 files changed, 122 insertions(+), 7 deletions(-)

diff --git a/target-arm/cpu-qom.h b/target-arm/cpu-qom.h
index 1cc4502..1061c08 100644
--- a/target-arm/cpu-qom.h
+++ b/target-arm/cpu-qom.h
@@ -155,6 +155,7 @@ typedef struct ARMCPU {
 uint32_t id_mmfr1;
 uint32_t id_mmfr2;
 uint32_t id_mmfr3;
+uint32_t id_mmfr4;
 uint32_t id_isar0;
 uint32_t id_isar1;
 uint32_t id_isar2;
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 2b43cdc..18c8296 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -4316,12 +4316,14 @@ void register_cp_regs_for_features(ARMCPU *cpu)
   .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5,
   .access = PL1_R, .type = ARM_CP_CONST,
   .resetvalue = cpu->id_isar5 },
-/* 6..7 are as yet unallocated and must RAZ */
-{ .name = "ID_ISAR6", .cp = 15, .crn = 0, .crm = 2,
-  .opc1 = 0, .opc2 = 6, .access = PL1_R, .type = ARM_CP_CONST,
-  .resetvalue = 0 },
-{ .name = "ID_ISAR7", .cp = 15, .crn = 0, .crm = 2,
-  .opc1 = 0, .opc2 = 7, .access = PL1_R, .type = ARM_CP_CONST,
+{ .name = "ID_MMFR4", .state = ARM_CP_STATE_BOTH,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6,
+  .access = PL1_R, .type = ARM_CP_CONST,
+  .resetvalue = cpu->id_mmfr4 },
+/* 7 is as yet unallocated and must RAZ */
+{ .name = "ID_ISAR7_RESERVED", .state = ARM_CP_STATE_BOTH,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 7,
+  .access = PL1_R, .type = ARM_CP_CONST,
   .resetvalue = 0 },
 REGINFO_SENTINEL
 };
@@ -4375,7 +4377,11 @@ void register_cp_regs_for_features(ARMCPU *cpu)
 define_arm_cp_regs(cpu, not_v7_cp_reginfo);
 }
 if (arm_feature(env, ARM_FEATURE_V8)) {
-/* AArch64 ID registers, which all have impdef reset values */
+/* AArch64 ID registers, which all have impdef reset values.
+ * Note that within the ID register ranges the unused slots
+ * must all RAZ, not UNDEF; future architecture versions may
+ * define new registers here.
+ */
 ARMCPRegInfo v8_idregs[] = {
 { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0,
@@ -4385,6 +4391,30 @@ void register_cp_regs_for_features(ARMCPU *cpu)
   .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1,
   .access = PL1_R, .type = ARM_CP_CONST,
   .resetvalue = cpu->id_aa64pfr1},
+{ .name = "ID_AA64PFR2_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 2,
+  .access = PL1_R, .type = ARM_CP_CONST,
+  .resetvalue = 0 },
+{ .name = "ID_AA64PFR3_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 3,
+  .access = PL1_R, .type = ARM_CP_CONST,
+  .resetvalue = 0 },
+{ .name = "ID_AA64PFR4_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 4,
+  .access = PL1_R, .type = ARM_CP_CONST,
+  .resetvalue = 0 },
+{ .name = "ID_AA64PFR5_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 5,
+  .access = PL1_R, .type = ARM_CP_CONST,
+  .resetvalue = 0 },
+{ .name = "ID_AA64PFR6_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 6,
+  .access = PL1_R, .type = ARM_CP_CONST,
+  .resetvalue = 0 },
+{ .name = "ID_AA64PFR7_EL1_RESERVED", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 7,
+  .access = PL1_R, 

[Qemu-devel] [PULL 07/20] target-arm: Add Hyp mode checks to bad_mode_switch()

[Peter Maydell]

We don't actually support Hyp mode yet, but add the correct
checks for it to the bad_mode_switch() function for completeness.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-8-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 57cc879..c43d66f 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5218,6 +5218,9 @@ static int bad_mode_switch(CPUARMState *env, int mode)
  * allows FIQ mode to be Secure-only. (In v8 this doesn't exist.)
  */
 return 0;
+case ARM_CPU_MODE_HYP:
+return !arm_feature(env, ARM_FEATURE_EL2)
+|| arm_current_el(env) < 2 || arm_is_secure(env);
 case ARM_CPU_MODE_MON:
 return !arm_is_secure(env);
 default:
-- 
1.9.1

Re: [Qemu-devel] [PATCH 1/1] arm: virt: change GPIO trigger interrupt to pulse

[Wei Huang]

On 02/26/2016 09:06 AM, Peter Maydell wrote:
> On 26 February 2016 at 14:54, Shannon Zhao  wrote:
>> On 2016/2/26 20:53, Peter Maydell wrote:
>>> I don't understand why a 500ms pulse is better than a short one.
>>>
>> Oh, I just pick a value which seems like a real latency for pressing a
>> button. What's your suggestion?
> 
> I would prefer to avoid the pain of having a timer whose state
> needs to be migrated. It's unclear to me why a 500ms pulse
> will solve anything that an instantaneous pulse does not,
> so I'd like to better understand the problem first.

The problem we found with pulse was: only the last state change in GPIO
is received by guest VM. In other words, with 0(L)->1(H)->0(L) or
1(H)->0(L)->1(0), PL061 only sees the last state (0 and 1). I guess this
is because QEMU is non-preemptive. The solution is to have the following
steps:
  * qemu_set_irq(gpio_in, 1)
  * yeild to guest VM
  * qemu_set_irq(gpio_in, 0)

Is there any way to do so in QEMU without using timer?

> 
> thanks
> -- PMM
> 

[Qemu-devel] [PULL 4/6] migration/vmstate: document VMStateFlags

[Amit Shah]

From: Sascha Silbe 

The VMState API is rather sparsely documented. Start by describing the
meaning of all VMStateFlags.

Reviewed-by: Amit Shah 
Reviewed-by: Juan Quintela 
Signed-off-by: Sascha Silbe 
Message-Id: <1456474693-11662-1-git-send-email-si...@linux.vnet.ibm.com>
Signed-off-by: Amit Shah 
---
 include/migration/vmstate.h | 100 +++-
 1 file changed, 90 insertions(+), 10 deletions(-)

diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 7246f29..84ee355 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -88,21 +88,101 @@ struct VMStateInfo {
 };
 
 enum VMStateFlags {
+/* Ignored */
 VMS_SINGLE   = 0x001,
+
+/* The struct member at opaque + VMStateField.offset is a pointer
+ * to the actual field (e.g. struct a { uint8_t *b;
+ * }). Dereference the pointer before using it as basis for
+ * further pointer arithmetic (see e.g. VMS_ARRAY). Does not
+ * affect the meaning of VMStateField.num_offset or
+ * VMStateField.size_offset; see VMS_VARRAY* and VMS_VBUFFER for
+ * those. */
 VMS_POINTER  = 0x002,
+
+/* The field is an array of fixed size. VMStateField.num contains
+ * the number of entries in the array. The size of each entry is
+ * given by VMStateField.size and / or opaque +
+ * VMStateField.size_offset; see VMS_VBUFFER and
+ * VMS_MULTIPLY. Each array entry will be processed individually
+ * (VMStateField.info.get()/put() if VMS_STRUCT is not set,
+ * recursion into VMStateField.vmsd if VMS_STRUCT is set). May not
+ * be combined with VMS_VARRAY*. */
 VMS_ARRAY= 0x004,
+
+/* The field is itself a struct, containing one or more
+ * fields. Recurse into VMStateField.vmsd. Most useful in
+ * combination with VMS_ARRAY / VMS_VARRAY*, recursing into each
+ * array entry. */
 VMS_STRUCT   = 0x008,
-VMS_VARRAY_INT32 = 0x010,  /* Array with size in int32_t field*/
-VMS_BUFFER   = 0x020,  /* static sized buffer */
+
+/* The field is an array of variable size. The int32_t at opaque +
+ * VMStateField.num_offset contains the number of entries in the
+ * array. See the VMS_ARRAY description regarding array handling
+ * in general. May not be combined with VMS_ARRAY or any other
+ * VMS_VARRAY*. */
+VMS_VARRAY_INT32 = 0x010,
+
+/* Ignored */
+VMS_BUFFER   = 0x020,
+
+/* The field is a (fixed-size or variable-size) array of pointers
+ * (e.g. struct a { uint8_t *b[]; }). Dereference each array entry
+ * before using it. Note: Does not imply any one of VMS_ARRAY /
+ * VMS_VARRAY*; these need to be set explicitly. */
 VMS_ARRAY_OF_POINTER = 0x040,
-VMS_VARRAY_UINT16= 0x080,  /* Array with size in uint16_t field */
-VMS_VBUFFER  = 0x100,  /* Buffer with size in int32_t field */
-VMS_MULTIPLY = 0x200,  /* multiply "size" field by field_size */
-VMS_VARRAY_UINT8 = 0x400,  /* Array with size in uint8_t field*/
-VMS_VARRAY_UINT32= 0x800,  /* Array with size in uint32_t field*/
-VMS_MUST_EXIST   = 0x1000, /* Field must exist in input */
-VMS_ALLOC= 0x2000, /* Alloc a buffer on the destination */
-VMS_MULTIPLY_ELEMENTS = 0x4000, /* multiply varray size by field->num */
+
+/* The field is an array of variable size. The uint16_t at opaque
+ * + VMStateField.num_offset (subject to VMS_MULTIPLY_ELEMENTS)
+ * contains the number of entries in the array. See the VMS_ARRAY
+ * description regarding array handling in general. May not be
+ * combined with VMS_ARRAY or any other VMS_VARRAY*. */
+VMS_VARRAY_UINT16= 0x080,
+
+/* The size of the individual entries (a single array entry if
+ * VMS_ARRAY or any of VMS_VARRAY* are set, or the field itself if
+ * neither is set) is variable (i.e. not known at compile-time),
+ * but the same for all entries. Use the int32_t at opaque +
+ * VMStateField.size_offset (subject to VMS_MULTIPLY) to determine
+ * the size of each (and every) entry. */
+VMS_VBUFFER  = 0x100,
+
+/* Multiply the entry size given by the int32_t at opaque +
+ * VMStateField.size_offset (see VMS_VBUFFER description) with
+ * VMStateField.size to determine the number of bytes to be
+ * allocated. Only valid in combination with VMS_VBUFFER. */
+VMS_MULTIPLY = 0x200,
+
+/* The field is an array of variable size. The uint8_t at opaque +
+ * VMStateField.num_offset (subject to VMS_MULTIPLY_ELEMENTS)
+ * contains the number of entries in the array. See the VMS_ARRAY
+ * description regarding array handling in general. May not be
+ * combined with VMS_ARRAY or any other VMS_VARRAY*. */
+VMS_VARRAY_UINT8 = 

[Qemu-devel] [PULL 19/20] target-arm: Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW

[Peter Maydell]

From: "Edgar E. Iglesias" 

Mark CNTHP_TVAL_EL2 as ARM_CP_NO_RAW due to the register not
having any underlying state. This fixes an issue with booting
KVM enabled kernels when EL2 is on.

Signed-off-by: Edgar E. Iglesias 
Message-id: 1456490739-19343-1-git-send-email-edgar.igles...@gmail.com
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 target-arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index ef3f1ce..2b43cdc 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -3672,7 +3672,7 @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
   .writefn = gt_hyp_cval_write, .raw_writefn = raw_write },
 { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
   .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0,
-  .type = ARM_CP_IO, .access = PL2_RW,
+  .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
   .resetfn = gt_hyp_timer_reset,
   .readfn = gt_hyp_tval_read, .writefn = gt_hyp_tval_write },
 { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH,
-- 
1.9.1

[Qemu-devel] [PULL 6/6] migration (postcopy): move bdrv_invalidate_cache_all of of coroutine context

[Amit Shah]

From: "Denis V. Lunev" 

There is a possibility to hit an assert in qcow2_get_specific_info that
s->qcow_version is undefined. This happens when VM in starting from
suspended state, i.e. it processes incoming migration, and in the same
time 'info block' is called.

The problem is that qcow2_invalidate_cache() closes the image and
memset()s BDRVQcowState in the middle.

The patch moves processing of bdrv_invalidate_cache_all out of
coroutine context for postcopy migration to avoid that. This function
is called with the following stack:
  process_incoming_migration_co
  qemu_loadvm_state
  qemu_loadvm_state_main
  loadvm_process_command
  loadvm_postcopy_handle_run

Signed-off-by: Denis V. Lunev 
Tested-by: Dr. David Alan Gilbert 
Reviewed-by: Fam Zheng 
CC: Paolo Bonzini 
CC: Juan Quintela 
CC: Amit Shah 
Message-Id: <1456304019-10507-3-git-send-email-...@openvz.org>
Signed-off-by: Amit Shah 
---
 migration/savevm.c | 29 +++--
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index 02e8487..b459156 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1495,17 +1495,10 @@ static int 
loadvm_postcopy_handle_listen(MigrationIncomingState *mis)
 return 0;
 }
 
-/* After all discards we can start running and asking for pages */
-static int loadvm_postcopy_handle_run(MigrationIncomingState *mis)
+static void loadvm_postcopy_handle_run_bh(void *opaque)
 {
-PostcopyState ps = postcopy_state_set(POSTCOPY_INCOMING_RUNNING);
 Error *local_err = NULL;
-
-trace_loadvm_postcopy_handle_run();
-if (ps != POSTCOPY_INCOMING_LISTENING) {
-error_report("CMD_POSTCOPY_RUN in wrong postcopy state (%d)", ps);
-return -1;
-}
+MigrationIncomingState *mis = opaque;
 
 /* TODO we should move all of this lot into postcopy_ram.c or a shared code
  * in migration.c
@@ -1518,7 +1511,6 @@ static int 
loadvm_postcopy_handle_run(MigrationIncomingState *mis)
 bdrv_invalidate_cache_all(_err);
 if (local_err) {
 error_report_err(local_err);
-return -1;
 }
 
 trace_loadvm_postcopy_handle_run_cpu_sync();
@@ -1534,6 +1526,23 @@ static int 
loadvm_postcopy_handle_run(MigrationIncomingState *mis)
 runstate_set(RUN_STATE_PAUSED);
 }
 
+qemu_bh_delete(mis->bh);
+}
+
+/* After all discards we can start running and asking for pages */
+static int loadvm_postcopy_handle_run(MigrationIncomingState *mis)
+{
+PostcopyState ps = postcopy_state_set(POSTCOPY_INCOMING_RUNNING);
+
+trace_loadvm_postcopy_handle_run();
+if (ps != POSTCOPY_INCOMING_LISTENING) {
+error_report("CMD_POSTCOPY_RUN in wrong postcopy state (%d)", ps);
+return -1;
+}
+
+mis->bh = qemu_bh_new(loadvm_postcopy_handle_run_bh, NULL);
+qemu_bh_schedule(mis->bh);
+
 /* We need to finish reading the stream from the package
  * and also stop reading anything more from the stream that loaded the
  * package (since it's now being read by the listener thread).
-- 
2.5.0

[Qemu-devel] [PULL 14/20] ARM: PL061: Checking register r/w accesses to reserved area

[Peter Maydell]

From: Wei Huang 

pl061.c emulates two GPIO devices, ARM PL061 and TI Stellaris, which
share the same read/write functions (pl061_read and pl061_write).
However PL061 and Stellaris have different GPIO register definitions
and pl061_read()/pl061_write() doesn't check it. This patch enforces
checking on offset, preventing R/W into the reserved memory area.

Signed-off-by: Wei Huang 
Message-id: 1455814580-17699-1-git-send-email-...@redhat.com
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 hw/gpio/pl061.c | 30 ++
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/hw/gpio/pl061.c b/hw/gpio/pl061.c
index 5ece8b0..29dc7fc 100644
--- a/hw/gpio/pl061.c
+++ b/hw/gpio/pl061.c
@@ -60,6 +60,7 @@ typedef struct PL061State {
 qemu_irq irq;
 qemu_irq out[8];
 const unsigned char *id;
+uint32_t rsvd_start; /* reserved area: [rsvd_start, 0xfcc] */
 } PL061State;
 
 static const VMStateDescription vmstate_pl061 = {
@@ -152,12 +153,15 @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
 {
 PL061State *s = (PL061State *)opaque;
 
-if (offset >= 0xfd0 && offset < 0x1000) {
-return s->id[(offset - 0xfd0) >> 2];
-}
 if (offset < 0x400) {
 return s->data & (offset >> 2);
 }
+if (offset >= s->rsvd_start && offset <= 0xfcc) {
+goto err_out;
+}
+if (offset >= 0xfd0 && offset < 0x1000) {
+return s->id[(offset - 0xfd0) >> 2];
+}
 switch (offset) {
 case 0x400: /* Direction */
 return s->dir;
@@ -198,10 +202,12 @@ static uint64_t pl061_read(void *opaque, hwaddr offset,
 case 0x528: /* Analog mode select */
 return s->amsel;
 default:
-qemu_log_mask(LOG_GUEST_ERROR,
-  "pl061_read: Bad offset %x\n", (int)offset);
-return 0;
+break;
 }
+err_out:
+qemu_log_mask(LOG_GUEST_ERROR,
+  "pl061_read: Bad offset %x\n", (int)offset);
+return 0;
 }
 
 static void pl061_write(void *opaque, hwaddr offset,
@@ -216,6 +222,9 @@ static void pl061_write(void *opaque, hwaddr offset,
 pl061_update(s);
 return;
 }
+if (offset >= s->rsvd_start) {
+goto err_out;
+}
 switch (offset) {
 case 0x400: /* Direction */
 s->dir = value & 0xff;
@@ -274,10 +283,13 @@ static void pl061_write(void *opaque, hwaddr offset,
 s->amsel = value & 0xff;
 break;
 default:
-qemu_log_mask(LOG_GUEST_ERROR,
-  "pl061_write: Bad offset %x\n", (int)offset);
+goto err_out;
 }
 pl061_update(s);
+return;
+err_out:
+qemu_log_mask(LOG_GUEST_ERROR,
+  "pl061_write: Bad offset %x\n", (int)offset);
 }
 
 static void pl061_reset(DeviceState *dev)
@@ -347,6 +359,7 @@ static void pl061_luminary_init(Object *obj)
 PL061State *s = PL061(obj);
 
 s->id = pl061_id_luminary;
+s->rsvd_start = 0x52c;
 }
 
 static void pl061_init(Object *obj)
@@ -354,6 +367,7 @@ static void pl061_init(Object *obj)
 PL061State *s = PL061(obj);
 
 s->id = pl061_id;
+s->rsvd_start = 0x424;
 }
 
 static void pl061_class_init(ObjectClass *klass, void *data)
-- 
1.9.1

[Qemu-devel] [PULL 16/20] MAINTAINERS: Add some missing ARM related header files

[Peter Maydell]

From: Thomas Huth 

Some header files in the include/hw/arm/ directory can be assigned
to entries in the MAINTAINERS file.

Signed-off-by: Thomas Huth 
Message-id: 1456399324-24259-1-git-send-email-th...@redhat.com
Signed-off-by: Peter Maydell 
---
 MAINTAINERS | 4 
 1 file changed, 4 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 606d9c0..ec8a037 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -363,6 +363,7 @@ M: Dmitry Solodkiy 
 L: qemu-...@nongnu.org
 S: Maintained
 F: hw/*/exynos*
+F: include/hw/arm/exynos4210.h
 
 Calxeda Highbank
 M: Rob Herring 
@@ -390,6 +391,7 @@ L: qemu-...@nongnu.org
 S: Odd fixes
 F: hw/*/imx*
 F: hw/arm/kzm.c
+F: include/hw/arm/fsl-imx31.h
 
 Integrator CP
 M: Peter Maydell 
@@ -432,6 +434,7 @@ F: hw/arm/spitz.c
 F: hw/arm/tosa.c
 F: hw/arm/z2.c
 F: hw/*/pxa2xx*
+F: include/hw/arm/pxa.h
 
 Stellaris
 M: Peter Maydell 
@@ -768,6 +771,7 @@ OMAP
 M: Peter Maydell 
 S: Maintained
 F: hw/*/omap*
+F: include/hw/arm/omap.h
 
 IPack
 M: Alberto Garcia 
-- 
1.9.1

[Qemu-devel] [PULL 3/6] MAINTAINERS: Add docs/migration.txt to the "Migration" section

[Amit Shah]

From: Thomas Huth 

Signed-off-by: Thomas Huth 
Reviewed-by: Amit Shah 
Message-Id: <1456393669-20678-1-git-send-email-th...@redhat.com>
Signed-off-by: Amit Shah 
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 606d9c0..5fafa81 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1241,6 +1241,7 @@ F: include/migration/
 F: migration/
 F: scripts/vmstate-static-checker.py
 F: tests/vmstate-static-checker-data/
+F: docs/migration.txt
 
 Seccomp
 M: Eduardo Otubo 
-- 
2.5.0

[Qemu-devel] [PULL 11/20] target-arm: Make Monitor->NS PL1 mode changes illegal if HCR.TGE is 1

[Peter Maydell]

If HCR.TGE is 1 then mode changes via CPS and MSR from Monitor to
NonSecure PL1 modes are illegal mode changes. Implement this check
in bad_mode_switch().

(We don't currently implement HCR.TGE, but this is the only missing
check from the v8 ARM ARM G1.9.3 and so it's worth adding now; the
rest of the HCR.TGE checks can be added later as necessary.)

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-12-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 24ea48e..3d7fda1 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5216,6 +5216,7 @@ static int bad_mode_switch(CPUARMState *env, int mode, 
CPSRWriteType write_type)
 
 switch (mode) {
 case ARM_CPU_MODE_USR:
+return 0;
 case ARM_CPU_MODE_SYS:
 case ARM_CPU_MODE_SVC:
 case ARM_CPU_MODE_ABT:
@@ -5225,6 +5226,15 @@ static int bad_mode_switch(CPUARMState *env, int mode, 
CPSRWriteType write_type)
 /* Note that we don't implement the IMPDEF NSACR.RFR which in v7
  * allows FIQ mode to be Secure-only. (In v8 this doesn't exist.)
  */
+/* If HCR.TGE is set then changes from Monitor to NS PL1 via MSR
+ * and CPS are treated as illegal mode changes.
+ */
+if (write_type == CPSRWriteByInstr &&
+(env->cp15.hcr_el2 & HCR_TGE) &&
+(env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON &&
+!arm_is_secure_below_el3(env)) {
+return 1;
+}
 return 0;
 case ARM_CPU_MODE_HYP:
 return !arm_feature(env, ARM_FEATURE_EL2)
-- 
1.9.1

[Qemu-devel] [PULL 05/20] target-arm: In cpsr_write() ignore mode switches from User mode

[Peter Maydell]

The only case where we can attempt a cpsr_write() mode switch from
User is from the gdbstub; all other cases are handled in the
calling code (notably translate.c). Architecturally attempts to
alter the mode bits from user mode are simply ignored (and not
treated as a bad mode switch, which in v8 sets CPSR.IL). Make
mode switches from User ignored in cpsr_write() as well, for
consistency.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-6-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index c491cd8..b2d2440 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5316,6 +5316,7 @@ void cpsr_write(CPUARMState *env, uint32_t val, uint32_t 
mask,
 env->daif |= val & CPSR_AIF & mask;
 
 if (write_type != CPSRWriteRaw &&
+(env->uncached_cpsr & CPSR_M) != CPSR_USER &&
 ((env->uncached_cpsr ^ val) & mask & CPSR_M)) {
 if (bad_mode_switch(env, val & CPSR_M)) {
 /* Attempt to switch to an invalid mode: this is UNPREDICTABLE.
-- 
1.9.1

[Qemu-devel] [PULL 15/20] raspi: fix SD card with recent sdhci changes

[Peter Maydell]

From: Andrew Baumann 

Recent changes to sdhci broke SD on raspi. This change mirrors
the logic to create the SD card device at the board level.

Signed-off-by: Andrew Baumann 
Message-id: 1456351128-5560-1-git-send-email-andrew.baum...@microsoft.com
Reviewed-by: Peter Maydell 
Signed-off-by: Peter Maydell 
---
 hw/arm/bcm2835_peripherals.c |  7 +++
 hw/arm/bcm2836.c |  7 +++
 hw/arm/raspi.c   | 16 
 3 files changed, 30 insertions(+)

diff --git a/hw/arm/bcm2835_peripherals.c b/hw/arm/bcm2835_peripherals.c
index 72467fd..6d66fa0 100644
--- a/hw/arm/bcm2835_peripherals.c
+++ b/hw/arm/bcm2835_peripherals.c
@@ -182,6 +182,13 @@ static void bcm2835_peripherals_realize(DeviceState *dev, 
Error **errp)
 sysbus_connect_irq(SYS_BUS_DEVICE(>sdhci), 0,
 qdev_get_gpio_in_named(DEVICE(>ic), BCM2835_IC_GPU_IRQ,
INTERRUPT_ARASANSDIO));
+object_property_add_alias(OBJECT(s), "sd-bus", OBJECT(>sdhci), "sd-bus",
+  );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
 }
 
 static void bcm2835_peripherals_class_init(ObjectClass *oc, void *data)
diff --git a/hw/arm/bcm2836.c b/hw/arm/bcm2836.c
index 15c7622..0321439 100644
--- a/hw/arm/bcm2836.c
+++ b/hw/arm/bcm2836.c
@@ -73,6 +73,13 @@ static void bcm2836_realize(DeviceState *dev, Error **errp)
 return;
 }
 
+object_property_add_alias(OBJECT(s), "sd-bus", OBJECT(>peripherals),
+  "sd-bus", );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
 sysbus_mmio_map_overlap(SYS_BUS_DEVICE(>peripherals), 0,
 BCM2836_PERI_BASE, 1);
 
diff --git a/hw/arm/raspi.c b/hw/arm/raspi.c
index 48d014c..6582279 100644
--- a/hw/arm/raspi.c
+++ b/hw/arm/raspi.c
@@ -113,6 +113,10 @@ static void setup_boot(MachineState *machine, int version, 
size_t ram_size)
 static void raspi2_init(MachineState *machine)
 {
 RasPiState *s = g_new0(RasPiState, 1);
+DriveInfo *di;
+BlockBackend *blk;
+BusState *bus;
+DeviceState *carddev;
 
 object_initialize(>soc, sizeof(s->soc), TYPE_BCM2836);
 object_property_add_child(OBJECT(machine), "soc", OBJECT(>soc),
@@ -133,6 +137,18 @@ static void raspi2_init(MachineState *machine)
 _abort);
 object_property_set_bool(OBJECT(>soc), true, "realized", _abort);
 
+/* Create and plug in the SD cards */
+di = drive_get_next(IF_SD);
+blk = di ? blk_by_legacy_dinfo(di) : NULL;
+bus = qdev_get_child_bus(DEVICE(>soc), "sd-bus");
+if (bus == NULL) {
+error_report("No SD bus found in SOC object");
+exit(1);
+}
+carddev = qdev_create(bus, TYPE_SD_CARD);
+qdev_prop_set_drive(carddev, "drive", blk, _fatal);
+object_property_set_bool(OBJECT(carddev), true, "realized", _fatal);
+
 setup_boot(machine, 2, machine->ram_size);
 }
 
-- 
1.9.1

Re: [Qemu-devel] [PULL 0/6] migration pull

[Amit Shah]

On (Fri) 26 Feb 2016 [17:58:34], Denis V. Lunev wrote:
> On 02/26/2016 04:15 PM, Amit Shah wrote:
> >On (Fri) 26 Feb 2016 [12:23:01], Peter Maydell wrote:

> >>Hi. I'm afraid this causes make check to fail:
> >Oops, I should've caught that.
> >
> >>   /i386/ahci/flush/migrate:
> >>   /i386/ahci/migrate/sanity:
> >>   /i386/ahci/migrate/dma/simple:
> >>   /i386/ahci/migrate/dma/halted:
> >>   /i386/ahci/migrate/ncq/simple:
> >>   /i386/ahci/migrate/ncq/halted:
> >>Broken pipe
> >>FAIL
> >>GTester: last random seed: R02S34da744548f394684dbb7b6d11e14043
> >>(pid=56820)
> >>
> >>(failure seen on ppc64be, x86-64 linux, aarch64, but not aarch32 or OSX).
> >AHCI tests are failing due to Denis's patches.  I'm checking why.
> >
> > Amit
> oops. Interesting :(

Right - use-after-free; this on top of your patch fixes it.


diff --git a/migration/migration.c b/migration/migration.c
index f82fdf6..0129d9f 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -366,9 +366,8 @@ static void process_incoming_migration_bh(void *opaque)
  */
 migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
   MIGRATION_STATUS_COMPLETED);
-migration_incoming_state_destroy();
-
 qemu_bh_delete(mis->bh);
+migration_incoming_state_destroy();
 }
 
 static void process_incoming_migration_co(void *opaque)


Amit

[Qemu-devel] [PULL 04/20] linux-user: Use restrictive mask when calling cpsr_write()

[Peter Maydell]

When linux-user code is calling cpsr_write(), use a restrictive
mask to ensure we are limiting the set of CPSR bits we update.
In particular, don't allow the mode bits to be changed.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-5-git-send-email-peter.mayd...@linaro.org
---
 linux-user/main.c   | 3 ++-
 linux-user/signal.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/linux-user/main.c b/linux-user/main.c
index 072eee8..700724e 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -4446,7 +4446,8 @@ int main(int argc, char **argv, char **envp)
 #elif defined(TARGET_ARM)
 {
 int i;
-cpsr_write(env, regs->uregs[16], 0x, CPSRWriteByInstr);
+cpsr_write(env, regs->uregs[16], CPSR_USER | CPSR_EXEC,
+   CPSRWriteByInstr);
 for(i = 0; i < 16; i++) {
 env->regs[i] = regs->uregs[i];
 }
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 82f81c7..962111c 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1611,7 +1611,7 @@ setup_return(CPUARMState *env, struct target_sigaction 
*ka,
env->regs[13] = frame_addr;
env->regs[14] = retcode;
env->regs[15] = handler & (thumb ? ~1 : ~3);
-cpsr_write(env, cpsr, 0x, CPSRWriteByInstr);
+cpsr_write(env, cpsr, CPSR_IT | CPSR_T, CPSRWriteByInstr);
 }
 
 static abi_ulong *setup_sigframe_v2_vfp(abi_ulong *regspace, CPUARMState *env)
-- 
1.9.1

[Qemu-devel] [PULL 02/20] target-arm: Add write_type argument to cpsr_write()

[Peter Maydell]

Add an argument to cpsr_write() to indicate what kind of CPSR
write is being requested, since the exact behaviour should
differ for the different cases.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-3-git-send-email-peter.mayd...@linaro.org
---
 linux-user/arm/nwfpe/fpa11.h |  2 +-
 linux-user/main.c|  6 +++---
 linux-user/signal.c  |  4 ++--
 target-arm/cpu.h | 13 +++--
 target-arm/gdbstub.c |  2 +-
 target-arm/helper.c  |  3 ++-
 target-arm/kvm32.c   |  2 +-
 target-arm/kvm64.c   |  2 +-
 target-arm/machine.c |  2 +-
 target-arm/op_helper.c   |  6 +++---
 10 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/linux-user/arm/nwfpe/fpa11.h b/linux-user/arm/nwfpe/fpa11.h
index 7e114ee..0b07284 100644
--- a/linux-user/arm/nwfpe/fpa11.h
+++ b/linux-user/arm/nwfpe/fpa11.h
@@ -105,7 +105,7 @@ static inline void writeRegister(unsigned int x, unsigned 
int y)
 
 static inline void writeConditionCodes(unsigned int x)
 {
-cpsr_write(user_registers,x,CPSR_NZCV);
+cpsr_write(user_registers, x, CPSR_NZCV, CPSRWriteByInstr);
 }
 
 #define ARM_REG_PC 15
diff --git a/linux-user/main.c b/linux-user/main.c
index 2a692e0..072eee8 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -513,7 +513,7 @@ static void arm_kernel_cmpxchg64_helper(CPUARMState *env)
 env->regs[0] = -1;
 cpsr &= ~CPSR_C;
 }
-cpsr_write(env, cpsr, CPSR_C);
+cpsr_write(env, cpsr, CPSR_C, CPSRWriteByInstr);
 end_exclusive();
 return;
 
@@ -562,7 +562,7 @@ do_kernel_trap(CPUARMState *env)
 env->regs[0] = -1;
 cpsr &= ~CPSR_C;
 }
-cpsr_write(env, cpsr, CPSR_C);
+cpsr_write(env, cpsr, CPSR_C, CPSRWriteByInstr);
 end_exclusive();
 break;
 case 0x0fe0: /* __kernel_get_tls */
@@ -4446,7 +4446,7 @@ int main(int argc, char **argv, char **envp)
 #elif defined(TARGET_ARM)
 {
 int i;
-cpsr_write(env, regs->uregs[16], 0x);
+cpsr_write(env, regs->uregs[16], 0x, CPSRWriteByInstr);
 for(i = 0; i < 16; i++) {
 env->regs[i] = regs->uregs[i];
 }
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 327c032..82f81c7 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1611,7 +1611,7 @@ setup_return(CPUARMState *env, struct target_sigaction 
*ka,
env->regs[13] = frame_addr;
env->regs[14] = retcode;
env->regs[15] = handler & (thumb ? ~1 : ~3);
-   cpsr_write(env, cpsr, 0x);
+cpsr_write(env, cpsr, 0x, CPSRWriteByInstr);
 }
 
 static abi_ulong *setup_sigframe_v2_vfp(abi_ulong *regspace, CPUARMState *env)
@@ -1843,7 +1843,7 @@ restore_sigcontext(CPUARMState *env, struct 
target_sigcontext *sc)
 __get_user(env->regs[15], >arm_pc);
 #ifdef TARGET_CONFIG_CPU_32
 __get_user(cpsr, >arm_cpsr);
-cpsr_write(env, cpsr, CPSR_USER | CPSR_EXEC);
+cpsr_write(env, cpsr, CPSR_USER | CPSR_EXEC, CPSRWriteByInstr);
 #endif
 
err |= !valid_user_regs(env);
diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 3cbda73..87720d4 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -718,8 +718,17 @@ static inline void pstate_write(CPUARMState *env, uint32_t 
val)
 
 /* Return the current CPSR value.  */
 uint32_t cpsr_read(CPUARMState *env);
-/* Set the CPSR.  Note that some bits of mask must be all-set or all-clear.  */
-void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask);
+
+typedef enum CPSRWriteType {
+CPSRWriteByInstr = 0, /* from guest MSR or CPS */
+CPSRWriteExceptionReturn = 1, /* from guest exception return insn */
+CPSRWriteRaw = 2, /* trust values, do not switch reg banks */
+CPSRWriteByGDBStub = 3,   /* from the GDB stub */
+} CPSRWriteType;
+
+/* Set the CPSR.  Note that some bits of mask must be all-set or all-clear.*/
+void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask,
+CPSRWriteType write_type);
 
 /* Return the current xPSR value.  */
 static inline uint32_t xpsr_read(CPUARMState *env)
diff --git a/target-arm/gdbstub.c b/target-arm/gdbstub.c
index 08b91a4..3ba9aad 100644
--- a/target-arm/gdbstub.c
+++ b/target-arm/gdbstub.c
@@ -94,7 +94,7 @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t 
*mem_buf, int n)
 return 4;
 case 25:
 /* CPSR */
-cpsr_write(env, tmp, 0x);
+cpsr_write(env, tmp, 0x, CPSRWriteByGDBStub);
 return 4;
 }
 /* Unknown register.  */
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 5a0447b..014bb80 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5233,7 +5233,8 @@ uint32_t cpsr_read(CPUARMState *env)
 | (env->GE << 16) | (env->daif & CPSR_AIF);
 }
 
-void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)

[Qemu-devel] [PULL 08/20] target-arm: Forbid mode switch to Mon from Secure EL1

[Peter Maydell]

In v8 trying to switch mode to Mon from Secure EL1 is an
illegal mode switch. (In v7 this is impossible as all secure
modes except User are at EL3.) We can handle this case by
making a switch to Mon valid only if the current EL is 3,
which then gives the correct answer whether EL3 is AArch32
or AArch64.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-9-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index c43d66f..5926b15 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5222,7 +5222,7 @@ static int bad_mode_switch(CPUARMState *env, int mode)
 return !arm_feature(env, ARM_FEATURE_EL2)
 || arm_current_el(env) < 2 || arm_is_secure(env);
 case ARM_CPU_MODE_MON:
-return !arm_is_secure(env);
+return arm_current_el(env) < 3;
 default:
 return 1;
 }
-- 
1.9.1

[Qemu-devel] [PULL 06/20] target-arm: Add comment about not implementing NSACR.RFR

[Peter Maydell]

QEMU doesn't implement the NSACR.RFR bit, which is a permitted
IMPDEF in choice in ARMv7 and the only permitted choice in ARMv8.
Add a comment to bad_mode_switch() to note that this is why
FIQ is always a valid mode regardless of the CPU's Secure state.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-7-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index b2d2440..57cc879 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5214,6 +5214,9 @@ static int bad_mode_switch(CPUARMState *env, int mode)
 case ARM_CPU_MODE_UND:
 case ARM_CPU_MODE_IRQ:
 case ARM_CPU_MODE_FIQ:
+/* Note that we don't implement the IMPDEF NSACR.RFR which in v7
+ * allows FIQ mode to be Secure-only. (In v8 this doesn't exist.)
+ */
 return 0;
 case ARM_CPU_MODE_MON:
 return !arm_is_secure(env);
-- 
1.9.1

[Qemu-devel] [PULL 10/20] target-arm: Make mode switches from Hyp via CPS and MRS illegal

[Peter Maydell]

Mode switches from Hyp to any other mode via the CPS and MRS
instructions are illegal mode switches (though obviously switching
via exception return is valid).  Add this check to bad_mode_switch().

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-11-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index ff5f895..24ea48e 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5200,12 +5200,20 @@ void arm_cp_reset_ignore(CPUARMState *env, const 
ARMCPRegInfo *opaque)
 /* Helper coprocessor reset function for do-nothing-on-reset registers */
 }
 
-static int bad_mode_switch(CPUARMState *env, int mode)
+static int bad_mode_switch(CPUARMState *env, int mode, CPSRWriteType 
write_type)
 {
 /* Return true if it is not valid for us to switch to
  * this CPU mode (ie all the UNPREDICTABLE cases in
  * the ARM ARM CPSRWriteByInstr pseudocode).
  */
+
+/* Changes to or from Hyp via MSR and CPS are illegal. */
+if (write_type == CPSRWriteByInstr &&
+((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_HYP ||
+ mode == ARM_CPU_MODE_HYP)) {
+return 1;
+}
+
 switch (mode) {
 case ARM_CPU_MODE_USR:
 case ARM_CPU_MODE_SYS:
@@ -5324,7 +5332,7 @@ void cpsr_write(CPUARMState *env, uint32_t val, uint32_t 
mask,
 if (write_type != CPSRWriteRaw &&
 (env->uncached_cpsr & CPSR_M) != CPSR_USER &&
 ((env->uncached_cpsr ^ val) & mask & CPSR_M)) {
-if (bad_mode_switch(env, val & CPSR_M)) {
+if (bad_mode_switch(env, val & CPSR_M, write_type)) {
 /* Attempt to switch to an invalid mode: this is UNPREDICTABLE in
  * v7, and has defined behaviour in v8:
  *  + leave CPSR.M untouched
-- 
1.9.1

[Qemu-devel] [PULL 13/20] target-arm: Implement MDCR_EL3.TPM and MDCR_EL2.TPM traps

[Peter Maydell]

Implement the performance monitor register traps controlled
by MDCR_EL3.TPM and MDCR_EL2.TPM. Most of the performance
registers already have an access function to deal with the
user-enable bit, and the TPM checks can be added there. We
also need a new access function which only implements the
TPM checks for use by the few not-EL0-accessible registers
and by PMUSERENR_EL0 (which is always EL0-readable).

Signed-off-by: Peter Maydell 
Message-id: 1455892784-11328-3-git-send-email-peter.mayd...@linaro.org
Reviewed-by: Sergey Fedorov 
Acked-by: Alistair Francis 
---
 target-arm/helper.c | 43 ---
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index e9b89e6..ef3f1ce 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -439,6 +439,24 @@ static CPAccessResult access_tda(CPUARMState *env, const 
ARMCPRegInfo *ri,
 return CP_ACCESS_OK;
 }
 
+/* Check for traps to performance monitor registers, which are controlled
+ * by MDCR_EL2.TPM for EL2 and MDCR_EL3.TPM for EL3.
+ */
+static CPAccessResult access_tpm(CPUARMState *env, const ARMCPRegInfo *ri,
+ bool isread)
+{
+int el = arm_current_el(env);
+
+if (el < 2 && (env->cp15.mdcr_el2 & MDCR_TPM)
+&& !arm_is_secure_below_el3(env)) {
+return CP_ACCESS_TRAP_EL2;
+}
+if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
+return CP_ACCESS_TRAP_EL3;
+}
+return CP_ACCESS_OK;
+}
+
 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t 
value)
 {
 ARMCPU *cpu = arm_env_get_cpu(env);
@@ -774,11 +792,22 @@ static CPAccessResult pmreg_access(CPUARMState *env, 
const ARMCPRegInfo *ri,
bool isread)
 {
 /* Performance monitor registers user accessibility is controlled
- * by PMUSERENR.
+ * by PMUSERENR. MDCR_EL2.TPM and MDCR_EL3.TPM allow configurable
+ * trapping to EL2 or EL3 for other accesses.
  */
-if (arm_current_el(env) == 0 && !env->cp15.c9_pmuserenr) {
+int el = arm_current_el(env);
+
+if (el == 0 && !env->cp15.c9_pmuserenr) {
 return CP_ACCESS_TRAP;
 }
+if (el < 2 && (env->cp15.mdcr_el2 & MDCR_TPM)
+&& !arm_is_secure_below_el3(env)) {
+return CP_ACCESS_TRAP_EL2;
+}
+if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TPM)) {
+return CP_ACCESS_TRAP_EL3;
+}
+
 return CP_ACCESS_OK;
 }
 
@@ -1101,28 +1130,28 @@ static const ARMCPRegInfo v7_cp_reginfo[] = {
   .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
   .accessfn = pmreg_access },
 { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0,
-  .access = PL0_R | PL1_RW,
+  .access = PL0_R | PL1_RW, .accessfn = access_tpm,
   .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
   .resetvalue = 0,
   .writefn = pmuserenr_write, .raw_writefn = raw_write },
 { .name = "PMUSERENR_EL0", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 14, .opc2 = 0,
-  .access = PL0_R | PL1_RW, .type = ARM_CP_ALIAS,
+  .access = PL0_R | PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
   .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
   .resetvalue = 0,
   .writefn = pmuserenr_write, .raw_writefn = raw_write },
 { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 
1,
-  .access = PL1_RW,
+  .access = PL1_RW, .accessfn = access_tpm,
   .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
   .resetvalue = 0,
   .writefn = pmintenset_write, .raw_writefn = raw_write },
 { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 
2,
-  .access = PL1_RW, .type = ARM_CP_ALIAS,
+  .access = PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
   .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
   .writefn = pmintenclr_write, },
 { .name = "PMINTENCLR_EL1", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 0, .crn = 9, .crm = 14, .opc2 = 2,
-  .access = PL1_RW, .type = ARM_CP_ALIAS,
+  .access = PL1_RW, .accessfn = access_tpm, .type = ARM_CP_ALIAS,
   .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
   .writefn = pmintenclr_write },
 { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
-- 
1.9.1

[Qemu-devel] [PATCH] icount: possible options for sleep are on or off

[Pranith Kumar]

icount sleep takes on or off as options. A few places mention sleep=no
which is not accepted. This patch corrects them.

Signed-off-by: Pranith Kumar 
---
 cpus.c  | 4 ++--
 qemu-options.hx | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cpus.c b/cpus.c
index 9592163..bc774e2 100644
--- a/cpus.c
+++ b/cpus.c
@@ -630,7 +630,7 @@ void configure_icount(QemuOpts *opts, Error **errp)
 icount_align_option = qemu_opt_get_bool(opts, "align", false);
 
 if (icount_align_option && !icount_sleep) {
-error_setg(errp, "align=on and sleep=no are incompatible");
+error_setg(errp, "align=on and sleep=off are incompatible");
 }
 if (strcmp(option, "auto") != 0) {
 errno = 0;
@@ -643,7 +643,7 @@ void configure_icount(QemuOpts *opts, Error **errp)
 } else if (icount_align_option) {
 error_setg(errp, "shift=auto and align=on are incompatible");
 } else if (!icount_sleep) {
-error_setg(errp, "shift=auto and sleep=no are incompatible");
+error_setg(errp, "shift=auto and sleep=off are incompatible");
 }
 
 use_icount = 2;
diff --git a/qemu-options.hx b/qemu-options.hx
index 599db94..bbe0e51 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3275,7 +3275,7 @@ re-inject them.
 ETEXI
 
 DEF("icount", HAS_ARG, QEMU_OPTION_icount, \
-"-icount 
[shift=N|auto][,align=on|off][,sleep=no,rr=record|replay,rrfile=]\n" \
+"-icount 
[shift=N|auto][,align=on|off][,sleep=on|off,rr=record|replay,rrfile=]\n"
 \
 "enable virtual instruction counter with 2^N clock ticks 
per\n" \
 "instruction, enable aligning the host and virtual 
clocks\n" \
 "or disable real time cpu sleeping\n", QEMU_ARCH_ALL)
@@ -3288,8 +3288,8 @@ then the virtual cpu speed will be automatically adjusted 
to keep virtual
 time within a few seconds of real time.
 
 When the virtual cpu is sleeping, the virtual time will advance at default
-speed unless @option{sleep=no} is specified.
-With @option{sleep=no}, the virtual time will jump to the next timer deadline
+speed unless @option{sleep=on|off} is specified.
+With @option{sleep=on|off}, the virtual time will jump to the next timer 
deadline
 instantly whenever the virtual cpu goes to sleep mode and will not advance
 if no timer is enabled. This behavior give deterministic execution times from
 the guest point of view.
-- 
2.7.1

[Qemu-devel] [PULL 12/20] target-arm: Fix handling of SDCR for 32-bit code

[Peter Maydell]

Fix two issues with our implementation of the SDCR:
 * it is only present from ARMv8 onwards
 * it does not contain several of the trap bits present in its 64-bit
   counterpart the MDCR_EL3

Put the register description in the right place so that it does not
get enabled for ARMv7 and earlier, and give it a write function so that
we can mask out the bits which should not be allowed to have an effect
if EL3 is 32-bit.

Signed-off-by: Peter Maydell 
Message-id: 1455892784-11328-2-git-send-email-peter.mayd...@linaro.org
Reviewed-by: Sergey Fedorov 
Acked-by: Alistair Francis 
---
 target-arm/cpu.h|  4 
 target-arm/helper.c | 23 +++
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 87720d4..744f052 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -598,6 +598,7 @@ void pmccntr_sync(CPUARMState *env);
 #define MDCR_EDAD (1U << 20)
 #define MDCR_SPME (1U << 17)
 #define MDCR_SDD  (1U << 16)
+#define MDCR_SPD  (3U << 14)
 #define MDCR_TDRA (1U << 11)
 #define MDCR_TDOSA(1U << 10)
 #define MDCR_TDA  (1U << 9)
@@ -606,6 +607,9 @@ void pmccntr_sync(CPUARMState *env);
 #define MDCR_TPM  (1U << 6)
 #define MDCR_TPMCR(1U << 5)
 
+/* Not all of the MDCR_EL3 bits are present in the 32-bit SDCR */
+#define SDCR_VALID_MASK (MDCR_EPMAD | MDCR_EDAD | MDCR_SPME | MDCR_SPD)
+
 #define CPSR_M (0x1fU)
 #define CPSR_T (1U << 5)
 #define CPSR_F (1U << 6)
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 3d7fda1..e9b89e6 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -3037,6 +3037,12 @@ static CPAccessResult fpexc32_access(CPUARMState *env, 
const ARMCPRegInfo *ri,
 return CP_ACCESS_OK;
 }
 
+static void sdcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+   uint64_t value)
+{
+env->cp15.mdcr_el3 = value & SDCR_VALID_MASK;
+}
+
 static const ARMCPRegInfo v8_cp_reginfo[] = {
 /* Minimal set of EL0-visible registers. This will need to be expanded
  * significantly for system emulation of AArch64 CPUs.
@@ -3331,6 +3337,15 @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
   .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 3, .opc2 = 3,
   .access = PL2_RW,
   .fieldoffset = offsetof(CPUARMState, banked_spsr[BANK_FIQ]) },
+{ .name = "MDCR_EL3", .state = ARM_CP_STATE_AA64,
+  .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 3, .opc2 = 1,
+  .resetvalue = 0,
+  .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el3) },
+{ .name = "SDCR", .type = ARM_CP_ALIAS,
+  .cp = 15, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 1,
+  .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
+  .writefn = sdcr_write,
+  .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
 REGINFO_SENTINEL
 };
 
@@ -3688,14 +3703,6 @@ static const ARMCPRegInfo el3_cp_reginfo[] = {
   .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
   .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),
   .writefn = scr_write },
-{ .name = "MDCR_EL3", .state = ARM_CP_STATE_AA64,
-  .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 3, .opc2 = 1,
-  .resetvalue = 0,
-  .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.mdcr_el3) },
-{ .name = "SDCR", .type = ARM_CP_ALIAS,
-  .cp = 15, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 1,
-  .access = PL1_RW, .accessfn = access_trap_aa32s_el1,
-  .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
 { .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,
   .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,
   .access = PL3_RW, .resetvalue = 0,
-- 
1.9.1

Re: [Qemu-devel] [RFC PATCH v0 3/6] spapr: Represent boot CPUs as spapr-cpu-core devices

[Igor Mammedov]

On Thu, 25 Feb 2016 21:52:39 +0530
Bharata B Rao  wrote:

> Initialize boot CPUs as spapr-cpu-core devices and create links from
> machine object to these core devices. These links can be considered
> as CPU slots in which core devices will get hot-plugged. spapr-cpu-core
> device's slot property indicates the slot where it is plugged. Information
> about all the CPU slots can be obtained by walking these links.
> 
> Signed-off-by: Bharata B Rao 
> ---
>  hw/ppc/spapr.c | 65 
> +++---
>  include/hw/ppc/spapr.h |  3 +++
>  2 files changed, 60 insertions(+), 8 deletions(-)
> 
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index e214a34..1f0d232 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -64,6 +64,7 @@
>  
>  #include "hw/compat.h"
>  #include "qemu-common.h"
> +#include "hw/ppc/spapr_cpu_core.h"
>  
>  #include 
>  
> @@ -1720,6 +1721,21 @@ static void spapr_validate_node_memory(MachineState 
> *machine, Error **errp)
>  }
>  }
>  
> +/*
> + * Check to see if core is being hot-plugged into an already populated slot.
> + */
> +static void spapr_cpu_core_allow_set_link(Object *obj, const char *name,
> +  Object *val, Error **errp)
> +{
> +Object *core = object_property_get_link(qdev_get_machine(), name, NULL);
> +
> +if (core) {
> +char *path = object_get_canonical_path(core);
> +error_setg(errp, "Slot %s already populated with %s", name, path);
> +g_free(path);
> +}
> +}
> +
>  /* pSeries LPAR / sPAPR hardware init */
>  static void ppc_spapr_init(MachineState *machine)
>  {
> @@ -1728,7 +1744,6 @@ static void ppc_spapr_init(MachineState *machine)
>  const char *kernel_filename = machine->kernel_filename;
>  const char *kernel_cmdline = machine->kernel_cmdline;
>  const char *initrd_filename = machine->initrd_filename;
> -PowerPCCPU *cpu;
>  PCIHostState *phb;
>  int i;
>  MemoryRegion *sysmem = get_system_memory();
> @@ -1742,6 +1757,8 @@ static void ppc_spapr_init(MachineState *machine)
>  long load_limit, fw_size;
>  bool kernel_le = false;
>  char *filename;
> +int spapr_cores = smp_cpus / smp_threads;
> +int spapr_max_cores = max_cpus / smp_threads;
>  
>  msi_supported = true;
>  
> @@ -1800,13 +1817,38 @@ static void ppc_spapr_init(MachineState *machine)
>  if (machine->cpu_model == NULL) {
>  machine->cpu_model = kvm_enabled() ? "host" : "POWER7";
>  }
> -for (i = 0; i < smp_cpus; i++) {
> -cpu = cpu_ppc_init(machine->cpu_model);
> -if (cpu == NULL) {
> -error_report("Unable to find PowerPC CPU definition");
> -exit(1);
> +
> +spapr->cores = g_malloc0(spapr_max_cores * sizeof(Object));
souldn't it be sizeof(Object *) 

> +
> +for (i = 0; i < spapr_max_cores; i++) {
> +Object *spapr_cpu_core  = object_new(TYPE_SPAPR_CPU_CORE);
you allocate spapr_max_cores cores but set links to only to spapr_cores only,
it looks like all spapr_cpu_core objects are leaked for range 
spapr_cores..spapr_max_cores


> +char name[32];
> +
> +object_property_set_str(spapr_cpu_core, machine->cpu_model, 
> "cpu_model",
> +_fatal);
> +object_property_set_int(spapr_cpu_core, smp_threads, "nr_threads",
> +_fatal);
> +/*
> + * Create links from machine objects to all possible cores.
> + */
> +snprintf(name, sizeof(name), "%s[%d]", SPAPR_MACHINE_CPU_CORE_PROP, 
> i);
> +object_property_add_link(OBJECT(spapr), name, TYPE_SPAPR_CPU_CORE,
> + (Object **)>cores[i],
> + spapr_cpu_core_allow_set_link, 0,
> + _fatal);
> +
> +/*
> + * Set the link from machine object to core object for all
> + * boot time CPUs specified with -smp and realize them.
> + * For rest of the hotpluggable cores this is happens from
> + * the core hotplug/realization path.
> + */
> +if (i < spapr_cores) {
> +object_property_set_str(spapr_cpu_core, name,
> +SPAPR_CPU_CORE_SLOT_PROP, _fatal);
> +object_property_set_bool(spapr_cpu_core, true, "realized",
> + _fatal);
>  }
> -spapr_cpu_init(spapr, cpu, _fatal);
>  }
>  
>  if (kvm_enabled()) {
> @@ -2209,6 +2251,7 @@ static void spapr_machine_device_plug(HotplugHandler 
> *hotplug_dev,
>DeviceState *dev, Error **errp)
>  {
>  sPAPRMachineClass *smc = SPAPR_MACHINE_GET_CLASS(qdev_get_machine());
> +sPAPRMachineState *ms = SPAPR_MACHINE(hotplug_dev);
>  
>  if (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM)) {
>  int node;
> @@ -2245,6 

[Qemu-devel] [PULL 03/20] target-arm: Raw CPSR writes should skip checks and bank switching

[Peter Maydell]

Raw CPSR writes should skip the architectural checks for whether
we're allowed to set the A or F bits and should also not do
the switching of register banks if the mode changes. Handle
this inside cpsr_write(), which allows us to drop the "manually
set the mode bits to avoid the bank switch" code from all the
callsites which are using CPSRWriteRaw.

This fixes a bug in 32-bit KVM handling where we had forgotten
the "manually set the mode bits" part and could thus potentially
trash the register state if the mode from the last exit to userspace
differed from the mode on this exit.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-4-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.c| 5 +++--
 target-arm/kvm64.c | 1 -
 target-arm/machine.c   | 2 --
 target-arm/op_helper.c | 5 -
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 014bb80..c491cd8 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -5268,7 +5268,7 @@ void cpsr_write(CPUARMState *env, uint32_t val, uint32_t 
mask,
  * In a V8 implementation, it is permitted for privileged software to
  * change the CPSR A/F bits regardless of the SCR.AW/FW bits.
  */
-if (!arm_feature(env, ARM_FEATURE_V8) &&
+if (write_type != CPSRWriteRaw && !arm_feature(env, ARM_FEATURE_V8) &&
 arm_feature(env, ARM_FEATURE_EL3) &&
 !arm_feature(env, ARM_FEATURE_EL2) &&
 !arm_is_secure(env)) {
@@ -5315,7 +5315,8 @@ void cpsr_write(CPUARMState *env, uint32_t val, uint32_t 
mask,
 env->daif &= ~(CPSR_AIF & mask);
 env->daif |= val & CPSR_AIF & mask;
 
-if ((env->uncached_cpsr ^ val) & mask & CPSR_M) {
+if (write_type != CPSRWriteRaw &&
+((env->uncached_cpsr ^ val) & mask & CPSR_M)) {
 if (bad_mode_switch(env, val & CPSR_M)) {
 /* Attempt to switch to an invalid mode: this is UNPREDICTABLE.
  * We choose to ignore the attempt and leave the CPSR M field
diff --git a/target-arm/kvm64.c b/target-arm/kvm64.c
index 08c2c81..e8527bf 100644
--- a/target-arm/kvm64.c
+++ b/target-arm/kvm64.c
@@ -722,7 +722,6 @@ int kvm_arch_get_registers(CPUState *cs)
 if (is_a64(env)) {
 pstate_write(env, val);
 } else {
-env->uncached_cpsr = val & CPSR_M;
 cpsr_write(env, val, 0x, CPSRWriteRaw);
 }
 
diff --git a/target-arm/machine.c b/target-arm/machine.c
index 0fc7df0..03a73d9 100644
--- a/target-arm/machine.c
+++ b/target-arm/machine.c
@@ -173,8 +173,6 @@ static int get_cpsr(QEMUFile *f, void *opaque, size_t size)
 return 0;
 }
 
-/* Avoid mode switch when restoring CPSR */
-env->uncached_cpsr = val & CPSR_M;
 cpsr_write(env, val, 0x, CPSRWriteRaw);
 return 0;
 }
diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 543d33a..4881e34 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -779,7 +779,10 @@ void HELPER(exception_return)(CPUARMState *env)
 
 if (!return_to_aa64) {
 env->aarch64 = 0;
-env->uncached_cpsr = spsr & CPSR_M;
+/* We do a raw CPSR write because aarch64_sync_64_to_32()
+ * will sort the register banks out for us, and we've already
+ * caught all the bad-mode cases in el_from_spsr().
+ */
 cpsr_write(env, spsr, ~0, CPSRWriteRaw);
 if (!arm_singlestep_active(env)) {
 env->uncached_cpsr &= ~PSTATE_SS;
-- 
1.9.1

[Qemu-devel] [PATCH v3 27/27] migration: remove qemu_get_fd method from QEMUFile

[Daniel P. Berrange]

Now that there is a set_blocking callback in QEMUFileOps,
and all users needing non-blocking support have been
converted to QIOChannel, there is no longer any codepath
requiring the qemu_get_fd() method for QEMUFile. Remove it
to avoid further code being introduced with an expectation
of direct file handle access.

Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Daniel P. Berrange 
---
 include/migration/qemu-file.h |  1 -
 migration/qemu-file.c | 14 --
 2 files changed, 15 deletions(-)

diff --git a/include/migration/qemu-file.h b/include/migration/qemu-file.h
index 36af5f4..2409a98 100644
--- a/include/migration/qemu-file.h
+++ b/include/migration/qemu-file.h
@@ -103,7 +103,6 @@ typedef int (QEMUFileShutdownFunc)(void *opaque, bool rd, 
bool wr);
 typedef struct QEMUFileOps {
 QEMUFileGetBufferFunc *get_buffer;
 QEMUFileCloseFunc *close;
-QEMUFileGetFD *get_fd;
 QEMUFileSetBlocking *set_blocking;
 QEMUFileWritevBufferFunc *writev_buffer;
 QEMURetPathFunc *get_return_path;
diff --git a/migration/qemu-file.c b/migration/qemu-file.c
index 6790040..8aea1c7 100644
--- a/migration/qemu-file.c
+++ b/migration/qemu-file.c
@@ -268,14 +268,6 @@ static ssize_t qemu_fill_buffer(QEMUFile *f)
 return len;
 }
 
-int qemu_get_fd(QEMUFile *f)
-{
-if (f->ops->get_fd) {
-return f->ops->get_fd(f->opaque);
-}
-return -1;
-}
-
 void qemu_update_position(QEMUFile *f, size_t size)
 {
 f->pos += size;
@@ -688,11 +680,5 @@ void qemu_file_set_blocking(QEMUFile *f, bool block)
 {
 if (f->ops->set_blocking) {
 f->ops->set_blocking(f->opaque, block);
-} else {
-if (block) {
-qemu_set_block(qemu_get_fd(f));
-} else {
-qemu_set_nonblock(qemu_get_fd(f));
-}
 }
 }
-- 
2.5.0

[Qemu-devel] [PULL 01/20] target-arm: Give CPSR setting on 32-bit exception return its own helper

[Peter Maydell]

The rules for setting the CPSR on a 32-bit exception return are
subtly different from those for setting the CPSR via an instruction
like MSR or CPS. (In particular, in Hyp mode changing the mode bits
is not valid via MSR or CPS.) Split the exception-return case into
its own helper for setting CPSR, so we can eventually handle them
differently in the helper function.

Signed-off-by: Peter Maydell 
Reviewed-by: Sergey Fedorov 
Message-id: 146977-3644-2-git-send-email-peter.mayd...@linaro.org
---
 target-arm/helper.h| 1 +
 target-arm/op_helper.c | 6 ++
 target-arm/translate.c | 6 +++---
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/target-arm/helper.h b/target-arm/helper.h
index c98e9ce..ea13202 100644
--- a/target-arm/helper.h
+++ b/target-arm/helper.h
@@ -57,6 +57,7 @@ DEF_HELPER_2(pre_smc, void, env, i32)
 DEF_HELPER_1(check_breakpoints, void, env)
 
 DEF_HELPER_3(cpsr_write, void, env, i32, i32)
+DEF_HELPER_2(cpsr_write_eret, void, env, i32)
 DEF_HELPER_1(cpsr_read, i32, env)
 
 DEF_HELPER_3(v7m_msr, void, env, i32, i32)
diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 538887c..e3ddd5a 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -425,6 +425,12 @@ void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, 
uint32_t mask)
 cpsr_write(env, val, mask);
 }
 
+/* Write the CPSR for a 32-bit exception return */
+void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
+{
+cpsr_write(env, val, CPSR_ERET_MASK);
+}
+
 /* Access to user mode registers from privileged modes.  */
 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
 {
diff --git a/target-arm/translate.c b/target-arm/translate.c
index e69145d..413f7de 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4094,7 +4094,7 @@ static void gen_exception_return(DisasContext *s, 
TCGv_i32 pc)
 TCGv_i32 tmp;
 store_reg(s, 15, pc);
 tmp = load_cpu_field(spsr);
-gen_set_cpsr(tmp, CPSR_ERET_MASK);
+gen_helper_cpsr_write_eret(cpu_env, tmp);
 tcg_temp_free_i32(tmp);
 s->is_jmp = DISAS_JUMP;
 }
@@ -4102,7 +4102,7 @@ static void gen_exception_return(DisasContext *s, 
TCGv_i32 pc)
 /* Generate a v6 exception return.  Marks both values as dead.  */
 static void gen_rfe(DisasContext *s, TCGv_i32 pc, TCGv_i32 cpsr)
 {
-gen_set_cpsr(cpsr, CPSR_ERET_MASK);
+gen_helper_cpsr_write_eret(cpu_env, cpsr);
 tcg_temp_free_i32(cpsr);
 store_reg(s, 15, pc);
 s->is_jmp = DISAS_JUMP;
@@ -9094,7 +9094,7 @@ static void disas_arm_insn(DisasContext *s, unsigned int 
insn)
 if (exc_return) {
 /* Restore CPSR from SPSR.  */
 tmp = load_cpu_field(spsr);
-gen_set_cpsr(tmp, CPSR_ERET_MASK);
+gen_helper_cpsr_write_eret(cpu_env, tmp);
 tcg_temp_free_i32(tmp);
 s->is_jmp = DISAS_JUMP;
 }
-- 
1.9.1

[Qemu-devel] [PULL 1/6] migration: reorder code to make it symmetric

[Amit Shah]

From: Wei Yang 

In qemu_savevm_state_complete_precopy(), it iterates on each device to add
a json object and transfer related status to destination, while the order
of the last two steps could be refined.

Current order:

json_start_object()
save_section_header()
vmstate_save()
json_end_object()
save_section_footer()

After the change:

json_start_object()
save_section_header()
vmstate_save()
save_section_footer()
json_end_object()

This patch reorder the code to to make it symmetric. No functional change.

Signed-off-by: Wei Yang 
Reviewed-by: Amit Shah 
Message-Id: <1454626230-16334-1-git-send-email-richard.weiy...@gmail.com>
Signed-off-by: Amit Shah 
---
 migration/savevm.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index 94f2894..02e8487 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -1088,12 +1088,11 @@ void qemu_savevm_state_complete_precopy(QEMUFile *f, 
bool iterable_only)
 json_prop_int(vmdesc, "instance_id", se->instance_id);
 
 save_section_header(f, se, QEMU_VM_SECTION_FULL);
-
 vmstate_save(f, se, vmdesc);
-
-json_end_object(vmdesc);
 trace_savevm_section_end(se->idstr, se->section_id, 0);
 save_section_footer(f, se);
+
+json_end_object(vmdesc);
 }
 
 if (!in_postcopy) {
-- 
2.5.0

[Qemu-devel] [PATCH v3 26/27] migration: remove support for non-iovec based write handlers

[Daniel P. Berrange]

All the remaining QEMUFile implementations provide an iovec
based write handler, so the put_buffer callback can be removed
to simplify the code.

Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Daniel P. Berrange 
---
 include/migration/qemu-file.h |  9 -
 migration/qemu-file.c | 36 
 migration/savevm.c|  8 
 3 files changed, 8 insertions(+), 45 deletions(-)

diff --git a/include/migration/qemu-file.h b/include/migration/qemu-file.h
index 43eba9b..36af5f4 100644
--- a/include/migration/qemu-file.h
+++ b/include/migration/qemu-file.h
@@ -28,14 +28,6 @@
 #include "io/channel.h"
 
 
-/* This function writes a chunk of data to a file at the given position.
- * The pos argument can be ignored if the file is only being used for
- * streaming.  The handler must write all of the data or return a negative
- * errno value.
- */
-typedef ssize_t (QEMUFilePutBufferFunc)(void *opaque, const uint8_t *buf,
-int64_t pos, size_t size);
-
 /* Read a chunk of data from a file at the given position.  The pos argument
  * can be ignored if the file is only be used for streaming.  The number of
  * bytes actually read should be returned.
@@ -109,7 +101,6 @@ typedef QEMUFile *(QEMURetPathFunc)(void *opaque);
 typedef int (QEMUFileShutdownFunc)(void *opaque, bool rd, bool wr);
 
 typedef struct QEMUFileOps {
-QEMUFilePutBufferFunc *put_buffer;
 QEMUFileGetBufferFunc *get_buffer;
 QEMUFileCloseFunc *close;
 QEMUFileGetFD *get_fd;
diff --git a/migration/qemu-file.c b/migration/qemu-file.c
index cf743d1..6790040 100644
--- a/migration/qemu-file.c
+++ b/migration/qemu-file.c
@@ -129,7 +129,7 @@ void qemu_file_set_error(QEMUFile *f, int ret)
 
 bool qemu_file_is_writable(QEMUFile *f)
 {
-return f->ops->writev_buffer || f->ops->put_buffer;
+return f->ops->writev_buffer;
 }
 
 /**
@@ -148,16 +148,9 @@ void qemu_fflush(QEMUFile *f)
 return;
 }
 
-if (f->ops->writev_buffer) {
-if (f->iovcnt > 0) {
-expect = iov_size(f->iov, f->iovcnt);
-ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, f->pos);
-}
-} else {
-if (f->buf_index > 0) {
-expect = f->buf_index;
-ret = f->ops->put_buffer(f->opaque, f->buf, f->pos, f->buf_index);
-}
+if (f->iovcnt > 0) {
+expect = iov_size(f->iov, f->iovcnt);
+ret = f->ops->writev_buffer(f->opaque, f->iov, f->iovcnt, f->pos);
 }
 
 if (ret >= 0) {
@@ -337,11 +330,6 @@ static void add_to_iovec(QEMUFile *f, const uint8_t *buf, 
size_t size)
 
 void qemu_put_buffer_async(QEMUFile *f, const uint8_t *buf, size_t size)
 {
-if (!f->ops->writev_buffer) {
-qemu_put_buffer(f, buf, size);
-return;
-}
-
 if (f->last_error) {
 return;
 }
@@ -365,9 +353,7 @@ void qemu_put_buffer(QEMUFile *f, const uint8_t *buf, 
size_t size)
 }
 memcpy(f->buf + f->buf_index, buf, l);
 f->bytes_xfer += l;
-if (f->ops->writev_buffer) {
-add_to_iovec(f, f->buf + f->buf_index, l);
-}
+add_to_iovec(f, f->buf + f->buf_index, l);
 f->buf_index += l;
 if (f->buf_index == IO_BUF_SIZE) {
 qemu_fflush(f);
@@ -388,9 +374,7 @@ void qemu_put_byte(QEMUFile *f, int v)
 
 f->buf[f->buf_index] = v;
 f->bytes_xfer++;
-if (f->ops->writev_buffer) {
-add_to_iovec(f, f->buf + f->buf_index, 1);
-}
+add_to_iovec(f, f->buf + f->buf_index, 1);
 f->buf_index++;
 if (f->buf_index == IO_BUF_SIZE) {
 qemu_fflush(f);
@@ -554,12 +538,8 @@ int64_t qemu_ftell_fast(QEMUFile *f)
 int64_t ret = f->pos;
 int i;
 
-if (f->ops->writev_buffer) {
-for (i = 0; i < f->iovcnt; i++) {
-ret += f->iov[i].iov_len;
-}
-} else {
-ret += f->buf_index;
+for (i = 0; i < f->iovcnt; i++) {
+ret += f->iov[i].iov_len;
 }
 
 return ret;
diff --git a/migration/savevm.c b/migration/savevm.c
index 8b8ffe8..b609a6b 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -160,13 +160,6 @@ static ssize_t block_writev_buffer(void *opaque, struct 
iovec *iov, int iovcnt,
 return qiov.size;
 }
 
-static ssize_t block_put_buffer(void *opaque, const uint8_t *buf,
-int64_t pos, size_t size)
-{
-bdrv_save_vmstate(opaque, buf, pos, size);
-return size;
-}
-
 static ssize_t block_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
 size_t size)
 {
@@ -184,7 +177,6 @@ static const QEMUFileOps bdrv_read_ops = {
 };
 
 static const QEMUFileOps bdrv_write_ops = {
-.put_buffer = block_put_buffer,
 .writev_buffer  = block_writev_buffer,
 .close  = bdrv_fclose
 };
-- 
2.5.0

[Qemu-devel] [PULL 5/6] migration (ordinary): move bdrv_invalidate_cache_all of of coroutine context

[Amit Shah]

From: "Denis V. Lunev" 

There is a possibility to hit an assert in qcow2_get_specific_info that
s->qcow_version is undefined. This happens when VM in starting from
suspended state, i.e. it processes incoming migration, and in the same
time 'info block' is called.

The problem is that qcow2_invalidate_cache() closes the image and
memset()s BDRVQcowState in the middle.

The patch moves processing of bdrv_invalidate_cache_all out of
coroutine context for standard migration to avoid that.

Signed-off-by: Denis V. Lunev 
Reviewed-by: Fam Zheng 
CC: Paolo Bonzini 
CC: Juan Quintela 
CC: Amit Shah 
Message-Id: <1456304019-10507-2-git-send-email-...@openvz.org>

[Amit: Fix a use-after-free bug]

Signed-off-by: Amit Shah 
---
 include/migration/migration.h |  2 +
 migration/migration.c | 89 ---
 2 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/include/migration/migration.h b/include/migration/migration.h
index 85b6026..ac2c12c 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -104,6 +104,8 @@ struct MigrationIncomingState {
 QemuMutex rp_mutex;/* We send replies from multiple threads */
 void *postcopy_tmp_page;
 
+QEMUBH *bh;
+
 int state;
 /* See savevm.c */
 LoadStateEntry_Head loadvm_handlers;
diff --git a/migration/migration.c b/migration/migration.c
index fc5e50b..0129d9f 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -323,10 +323,56 @@ void qemu_start_incoming_migration(const char *uri, Error 
**errp)
 }
 }
 
+static void process_incoming_migration_bh(void *opaque)
+{
+Error *local_err = NULL;
+MigrationIncomingState *mis = opaque;
+
+/* Make sure all file formats flush their mutable metadata */
+bdrv_invalidate_cache_all(_err);
+if (local_err) {
+migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
+  MIGRATION_STATUS_FAILED);
+error_report_err(local_err);
+migrate_decompress_threads_join();
+exit(EXIT_FAILURE);
+}
+
+/*
+ * This must happen after all error conditions are dealt with and
+ * we're sure the VM is going to be running on this host.
+ */
+qemu_announce_self();
+
+/* If global state section was not received or we are in running
+   state, we need to obey autostart. Any other state is set with
+   runstate_set. */
+
+if (!global_state_received() ||
+global_state_get_runstate() == RUN_STATE_RUNNING) {
+if (autostart) {
+vm_start();
+} else {
+runstate_set(RUN_STATE_PAUSED);
+}
+} else {
+runstate_set(global_state_get_runstate());
+}
+migrate_decompress_threads_join();
+/*
+ * This must happen after any state changes since as soon as an external
+ * observer sees this event they might start to prod at the VM assuming
+ * it's ready to use.
+ */
+migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
+  MIGRATION_STATUS_COMPLETED);
+qemu_bh_delete(mis->bh);
+migration_incoming_state_destroy();
+}
+
 static void process_incoming_migration_co(void *opaque)
 {
 QEMUFile *f = opaque;
-Error *local_err = NULL;
 MigrationIncomingState *mis;
 PostcopyState ps;
 int ret;
@@ -369,45 +415,8 @@ static void process_incoming_migration_co(void *opaque)
 exit(EXIT_FAILURE);
 }
 
-/* Make sure all file formats flush their mutable metadata */
-bdrv_invalidate_cache_all(_err);
-if (local_err) {
-migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
-  MIGRATION_STATUS_FAILED);
-error_report_err(local_err);
-migrate_decompress_threads_join();
-exit(EXIT_FAILURE);
-}
-
-/*
- * This must happen after all error conditions are dealt with and
- * we're sure the VM is going to be running on this host.
- */
-qemu_announce_self();
-
-/* If global state section was not received or we are in running
-   state, we need to obey autostart. Any other state is set with
-   runstate_set. */
-
-if (!global_state_received() ||
-global_state_get_runstate() == RUN_STATE_RUNNING) {
-if (autostart) {
-vm_start();
-} else {
-runstate_set(RUN_STATE_PAUSED);
-}
-} else {
-runstate_set(global_state_get_runstate());
-}
-migrate_decompress_threads_join();
-/*
- * This must happen after any state changes since as soon as an external
- * observer sees this event they might start to prod at the VM assuming
- * it's ready to use.
- */
-migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
-  MIGRATION_STATUS_COMPLETED);
-migration_incoming_state_destroy();
+mis->bh = 

[Qemu-devel] [PULL 2/6] migration/postcopy-ram: Guard use of sys/eventfd.h with CONFIG_EVENTFD

[Amit Shah]

From: Matthew Fortune 

sys/eventfd.h was being guarded only by a check for linux but does
not exist on older distributions like CentOS 5. Move the include
into the code that uses it and add an appropriate guard.

Signed-off-by: Matthew Fortune 
Reviewed-by: Juan Quintela 
Message-Id: <6d39441bf12ef246a7abce6654b023536bb85...@hhmail02.hh.imgtec.org>
Signed-off-by: Amit Shah 
---
 migration/postcopy-ram.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/migration/postcopy-ram.c b/migration/postcopy-ram.c
index 254c629..fbd0064 100644
--- a/migration/postcopy-ram.c
+++ b/migration/postcopy-ram.c
@@ -52,14 +52,14 @@ struct PostcopyDiscardState {
 #if defined(__linux__)
 
 #include 
-#include 
 #include 
 #include 
 #include 
 #include  /* for __u64 */
 #endif
 
-#if defined(__linux__) && defined(__NR_userfaultfd)
+#if defined(__linux__) && defined(__NR_userfaultfd) && defined(CONFIG_EVENTFD)
+#include 
 #include 
 
 static bool ufd_version_check(int ufd)
-- 
2.5.0

[Qemu-devel] [PATCH v3 10/27] migration: convert post-copy to use QIOChannelBuffer

[Daniel P. Berrange]

The post-copy code does some I/O to/from an intermediate
in-memory buffer rather than direct to the underlying
I/O channel. Switch this code to use QIOChannelBuffer
instead of QEMUSizedBuffer.

Signed-off-by: Daniel P. Berrange 
---
 docs/migration.txt  |  4 ++--
 include/sysemu/sysemu.h |  2 +-
 migration/migration.c   | 15 +++
 migration/savevm.c  | 47 ---
 4 files changed, 26 insertions(+), 42 deletions(-)

diff --git a/docs/migration.txt b/docs/migration.txt
index fda8d61..11703de 100644
--- a/docs/migration.txt
+++ b/docs/migration.txt
@@ -403,8 +403,8 @@ listen thread: --- page -- page -- page 
-- page -- page --
 
 On receipt of CMD_PACKAGED (1)
All the data associated with the package - the ( ... ) section in the
-diagram - is read into memory (into a QEMUSizedBuffer), and the main thread
-recurses into qemu_loadvm_state_main to process the contents of the package (2)
+diagram - is read into memory, and the main thread recurses into
+qemu_loadvm_state_main to process the contents of the package (2)
 which contains commands (3,6) and devices (4...)
 
 On receipt of 'postcopy listen' - 3 -(i.e. the 1st command in the package)
diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index 3bb8897..ea488de 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -120,7 +120,7 @@ void qemu_savevm_command_send(QEMUFile *f, enum qemu_vm_cmd 
command,
   uint16_t len, uint8_t *data);
 void qemu_savevm_send_ping(QEMUFile *f, uint32_t value);
 void qemu_savevm_send_open_return_path(QEMUFile *f);
-int qemu_savevm_send_packaged(QEMUFile *f, const QEMUSizedBuffer *qsb);
+int qemu_savevm_send_packaged(QEMUFile *f, const uint8_t *buf, size_t len);
 void qemu_savevm_send_postcopy_advise(QEMUFile *f);
 void qemu_savevm_send_postcopy_listen(QEMUFile *f);
 void qemu_savevm_send_postcopy_run(QEMUFile *f);
diff --git a/migration/migration.c b/migration/migration.c
index 08720bc..c645443 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -34,6 +34,7 @@
 #include "qom/cpu.h"
 #include "exec/memory.h"
 #include "exec/address-spaces.h"
+#include "io/channel-buffer.h"
 
 #define MAX_THROTTLE  (32 << 20)  /* Migration transfer speed throttling */
 
@@ -1436,7 +1437,8 @@ static int 
await_return_path_close_on_source(MigrationState *ms)
 static int postcopy_start(MigrationState *ms, bool *old_vm_running)
 {
 int ret;
-const QEMUSizedBuffer *qsb;
+QIOChannelBuffer *bioc;
+QEMUFile *fb;
 int64_t time_at_stop = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
 migrate_set_state(>state, MIGRATION_STATUS_ACTIVE,
   MIGRATION_STATUS_POSTCOPY_ACTIVE);
@@ -1495,11 +1497,9 @@ static int postcopy_start(MigrationState *ms, bool 
*old_vm_running)
  * So we wrap the device state up in a package with a length at the start;
  * to do this we use a qemu_buf to hold the whole of the device state.
  */
-QEMUFile *fb = qemu_bufopen("w", NULL);
-if (!fb) {
-error_report("Failed to create buffered file");
-goto fail;
-}
+bioc = qio_channel_buffer_new(4096);
+fb = qemu_fopen_channel_output(QIO_CHANNEL(bioc));
+object_unref(OBJECT(bioc));
 
 /*
  * Make sure the receiver can get incoming pages before we send the rest
@@ -1513,10 +1513,9 @@ static int postcopy_start(MigrationState *ms, bool 
*old_vm_running)
 qemu_savevm_send_postcopy_run(fb);
 
 /* <><> end of stuff going into the package */
-qsb = qemu_buf_get(fb);
 
 /* Now send that blob */
-if (qemu_savevm_send_packaged(ms->to_dst_file, qsb)) {
+if (qemu_savevm_send_packaged(ms->to_dst_file, bioc->data, bioc->usage)) {
 goto fail_closefb;
 }
 qemu_fclose(fb);
diff --git a/migration/savevm.c b/migration/savevm.c
index 94f2894..d2652fb 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -50,6 +50,7 @@
 #include "qemu/iov.h"
 #include "block/snapshot.h"
 #include "block/qapi.h"
+#include "io/channel-buffer.h"
 
 
 #ifndef ETH_P_RARP
@@ -760,10 +761,8 @@ void qemu_savevm_send_open_return_path(QEMUFile *f)
  *0 on success
  *-ve on error
  */
-int qemu_savevm_send_packaged(QEMUFile *f, const QEMUSizedBuffer *qsb)
+int qemu_savevm_send_packaged(QEMUFile *f, const uint8_t *buf, size_t len)
 {
-size_t cur_iov;
-size_t len = qsb_get_length(qsb);
 uint32_t tmp;
 
 if (len > MAX_VM_CMD_PACKAGED_SIZE) {
@@ -777,18 +776,7 @@ int qemu_savevm_send_packaged(QEMUFile *f, const 
QEMUSizedBuffer *qsb)
 trace_qemu_savevm_send_packaged();
 qemu_savevm_command_send(f, MIG_CMD_PACKAGED, 4, (uint8_t *));
 
-/* all the data follows (concatinating the iov's) */
-for (cur_iov = 0; cur_iov < qsb->n_iov; cur_iov++) {
-/* The iov entries are partially filled */
-size_t towrite = MIN(qsb->iov[cur_iov].iov_len, len);
-len -= towrite;
-
-if 

[Qemu-devel] [PULL v3 0/6] migration pull

[Amit Shah]

The following changes since commit 0c6940d086f39bbf725d96104abe46da87429cb6:

  build: [bsd-user] Rename "syscall.h" to "target_syscall.h" in target 
directories (2016-02-25 16:41:08 +)

are available in the git repository at:

  https://git.kernel.org/pub/scm/virt/qemu/amit/migration.git 
tags/migration-for-2.6-5

for you to fetch changes up to ea6a55bcc0d144ac5086cebf7f84afa7071afe90:

  migration (postcopy): move bdrv_invalidate_cache_all of of coroutine context 
(2016-02-26 20:40:08 +0530)


migration pull
 - fix a qcow2 assert
 - fix for older distros (CentOS 5)
 - documentation for vmstate flags
 - minor code rearrangement



Denis V. Lunev (2):
  migration (ordinary): move bdrv_invalidate_cache_all of of coroutine
context
  migration (postcopy): move bdrv_invalidate_cache_all of of coroutine
context

Matthew Fortune (1):
  migration/postcopy-ram: Guard use of sys/eventfd.h with CONFIG_EVENTFD

Sascha Silbe (1):
  migration/vmstate: document VMStateFlags

Thomas Huth (1):
  MAINTAINERS: Add docs/migration.txt to the "Migration" section

Wei Yang (1):
  migration: reorder code to make it symmetric

 MAINTAINERS   |   1 +
 include/migration/migration.h |   2 +
 include/migration/vmstate.h   | 100 +-
 migration/migration.c |  89 -
 migration/postcopy-ram.c  |   4 +-
 migration/savevm.c|  34 --
 6 files changed, 165 insertions(+), 65 deletions(-)

-- 
2.5.0

[Qemu-devel] [PATCH v3 20/27] migration: delete QEMUFile sockets implementation

[Daniel P. Berrange]

Now that the tcp, unix and fd migration backends have converted
to use the QIOChannel based QEMUFile, there is no user remaining
for the sockets based QEMUFile impl and it can be deleted.

Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Daniel P. Berrange 
---
 include/migration/qemu-file.h |   2 -
 migration/Makefile.objs   |   2 +-
 migration/qemu-file-unix.c| 325 --
 3 files changed, 1 insertion(+), 328 deletions(-)
 delete mode 100644 migration/qemu-file-unix.c

diff --git a/include/migration/qemu-file.h b/include/migration/qemu-file.h
index edaf598..ba5fe08 100644
--- a/include/migration/qemu-file.h
+++ b/include/migration/qemu-file.h
@@ -128,8 +128,6 @@ typedef struct QEMUFileHooks {
 
 QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps *ops);
 QEMUFile *qemu_fopen(const char *filename, const char *mode);
-QEMUFile *qemu_fdopen(int fd, const char *mode);
-QEMUFile *qemu_fopen_socket(int fd, const char *mode);
 QEMUFile *qemu_fopen_channel_input(QIOChannel *ioc);
 QEMUFile *qemu_fopen_channel_output(QIOChannel *ioc);
 QEMUFile *qemu_popen_cmd(const char *command, const char *mode);
diff --git a/migration/Makefile.objs b/migration/Makefile.objs
index 3e5a57c..2f9bf12 100644
--- a/migration/Makefile.objs
+++ b/migration/Makefile.objs
@@ -1,6 +1,6 @@
 common-obj-y += migration.o socket.o fd.o exec.o
 common-obj-y += vmstate.o
-common-obj-y += qemu-file.o qemu-file-unix.o qemu-file-stdio.o
+common-obj-y += qemu-file.o qemu-file-stdio.o
 common-obj-y += qemu-file-channel.o
 common-obj-y += xbzrle.o postcopy-ram.o
 
diff --git a/migration/qemu-file-unix.c b/migration/qemu-file-unix.c
deleted file mode 100644
index 61b059b..000
--- a/migration/qemu-file-unix.c
+++ /dev/null
@@ -1,325 +0,0 @@
-/*
- * QEMU System Emulator
- *
- * Copyright (c) 2003-2008 Fabrice Bellard
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to 
deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-#include "qemu/osdep.h"
-#include "qemu-common.h"
-#include "qemu/error-report.h"
-#include "qemu/iov.h"
-#include "qemu/sockets.h"
-#include "qemu/coroutine.h"
-#include "migration/qemu-file.h"
-#include "migration/qemu-file-internal.h"
-
-typedef struct QEMUFileSocket {
-int fd;
-QEMUFile *file;
-} QEMUFileSocket;
-
-static ssize_t socket_writev_buffer(void *opaque, struct iovec *iov, int 
iovcnt,
-int64_t pos)
-{
-QEMUFileSocket *s = opaque;
-ssize_t len;
-ssize_t size = iov_size(iov, iovcnt);
-ssize_t offset = 0;
-int err;
-
-while (size > 0) {
-len = iov_send(s->fd, iov, iovcnt, offset, size);
-
-if (len > 0) {
-size -= len;
-offset += len;
-}
-
-if (size > 0) {
-err = socket_error();
-
-if (err != EAGAIN && err != EWOULDBLOCK) {
-error_report("socket_writev_buffer: Got err=%d for (%zu/%zu)",
- err, (size_t)size, (size_t)len);
-/*
- * If I've already sent some but only just got the error, I
- * could return the amount validly sent so far and wait for the
- * next call to report the error, but I'd rather flag the error
- * immediately.
- */
-return -err;
-}
-
-/* Emulate blocking */
-GPollFD pfd;
-
-pfd.fd = s->fd;
-pfd.events = G_IO_OUT | G_IO_ERR;
-pfd.revents = 0;
-TFR(err = g_poll(, 1, -1 /* no timeout */));
-/* Errors other than EINTR intentionally ignored */
-}
- }
-
-return offset;
-}
-
-static int socket_get_fd(void *opaque)
-{
-QEMUFileSocket *s = opaque;
-
-return s->fd;
-}
-
-static ssize_t socket_get_buffer(void *opaque, uint8_t *buf, int64_t pos,
- size_t size)
-{
-QEMUFileSocket *s = 

[Qemu-devel] [PATCH v3 09/27] migration: add reporting of errors for outgoing migration

[Daniel P. Berrange]

Currently if an app initiates an outgoing migration, it
may or may not, get an error reported back on failure. If
the error occurs synchronously to the 'migrate' command
execution, the client app will see the error message. This
is the case for DNS lookup failures. If the error occurs
asynchronously to the monitor command though, the error
will be thrown away and the client left guessing about
what went wrong. This is the case for failure to connect
to the TCP server (eg due to wrong port, or firewall
rules, or other similar errors).

In the future we'll be adding more scope for errors to
happen asynchronously with the TLS protocol handshake.
TLS errors are hard to diagnose even when they are well
reported, so discarding errors entirely will make it
impossible to debug TLS connection problems.

Management apps which do migration are already using
'query-migrate' / 'info migrate' to check up on progress
of background migration operations and to see their end
status. This is a fine place to also include the error
message when things go wrong.

This patch thus adds an 'error-desc' field to the
MigrationInfo struct, which will be populated when
the 'status' is set to 'failed':

(qemu) migrate -d tcp:localhost:9001
(qemu) info migrate
capabilities: xbzrle: off rdma-pin-all: off auto-converge: off zero-blocks: off 
compress: off events: off x-postcopy-ram: off
Migration status: failed
total time: 0 milliseconds
error description: Error connecting to socket: Connection refused

In the HMP, when doing non-detached migration, it is
also possible to display this error message directly
to the app.

(qemu) migrate tcp:localhost:9001
Error connecting to socket: Connection refused

Signed-off-by: Daniel P. Berrange 
---
 hmp.c |  8 
 include/migration/migration.h |  5 -
 include/qapi/error.h  |  2 +-
 migration/migration.c | 12 +---
 migration/rdma.c  | 10 +++---
 migration/tcp.c   |  2 +-
 migration/unix.c  |  2 +-
 qapi-schema.json  |  5 -
 trace-events  |  2 +-
 util/error.c  |  2 +-
 10 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/hmp.c b/hmp.c
index 5b6084a..a239e1e 100644
--- a/hmp.c
+++ b/hmp.c
@@ -34,6 +34,7 @@
 #include "ui/console.h"
 #include "block/qapi.h"
 #include "qemu-io.h"
+#include "qemu/error-report.h"
 
 #ifdef CONFIG_SPICE
 #include 
@@ -239,6 +240,10 @@ void hmp_info_migrate(Monitor *mon, const QDict *qdict)
info->x_cpu_throttle_percentage);
 }
 
+if (info->has_error_desc) {
+monitor_printf(mon, "error description: %s\n", info->error_desc);
+}
+
 qapi_free_MigrationInfo(info);
 qapi_free_MigrationCapabilityStatusList(caps);
 }
@@ -1532,6 +1537,9 @@ static void hmp_migrate_status_cb(void *opaque)
 if (status->is_block_migration) {
 monitor_printf(status->mon, "\n");
 }
+if (info->has_error_desc) {
+error_report("%s", info->error_desc);
+}
 monitor_resume(status->mon);
 timer_del(status->timer);
 g_free(status);
diff --git a/include/migration/migration.h b/include/migration/migration.h
index 35db68a..5d44b07 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -169,6 +169,9 @@ struct MigrationState
 QSIMPLEQ_HEAD(src_page_requests, MigrationSrcPageRequest) 
src_page_requests;
 /* The RAMBlock used in the last src_page_request */
 RAMBlock *last_req_rb;
+
+/* The last error that occurred */
+Error *error;
 };
 
 void migrate_set_state(int *state, int old_state, int new_state);
@@ -205,7 +208,7 @@ void rdma_start_outgoing_migration(void *opaque, const char 
*host_port, Error **
 
 void rdma_start_incoming_migration(const char *host_port, Error **errp);
 
-void migrate_fd_error(MigrationState *s);
+void migrate_fd_error(MigrationState *s, const Error *error);
 
 void migrate_fd_connect(MigrationState *s);
 
diff --git a/include/qapi/error.h b/include/qapi/error.h
index 02e9dd2..c7e2869 100644
--- a/include/qapi/error.h
+++ b/include/qapi/error.h
@@ -139,7 +139,7 @@ typedef enum ErrorClass {
 /*
  * Get @err's human-readable error message.
  */
-const char *error_get_pretty(Error *err);
+const char *error_get_pretty(const Error *err);
 
 /*
  * Get @err's error class.
diff --git a/migration/migration.c b/migration/migration.c
index 76a4aac..08720bc 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -681,6 +681,10 @@ MigrationInfo *qmp_query_migrate(Error **errp)
 break;
 case MIGRATION_STATUS_FAILED:
 info->has_status = true;
+if (s->error) {
+info->has_error_desc = true;
+info->error_desc = g_strdup(error_get_pretty(s->error));
+}
 break;
 case MIGRATION_STATUS_CANCELLED:
 info->has_status = true;
@@ -853,12 +857,14 @@ static void 

[Qemu-devel] [PATCH v3 25/27] migration: add support for encrypting data with TLS

[Daniel P. Berrange]

This extends the migration_set_incoming_channel and
migration_set_outgoing_channel methods so that they
will automatically wrap the QIOChannel in a
QIOChannelTLS instance if TLS credentials are configured
in the migration parameters.

This allows TLS to work for tcp, unix, fd and exec
migration protocols. It does not (currently) work for
RDMA since it does not use these APIs, but it is
unlikely that TLS would be desired with RDMA anyway
since it would degrade the performance to that seen
with TCP defeating the purpose of using RDMA.

On the target host, QEMU would be launched with a set
of TLS credentials for a server endpoint

 $ qemu-system-x86_64 -monitor stdio -incoming defer \
-object 
tls-creds-x509,dir=/home/berrange/security/qemutls,endpoint=server,id=tls0 \
...other args...

To enable incoming TLS migration 2 monitor commands are
then used

  (qemu) migrate_set_str_parameter tls-creds tls0
  (qemu) migrate_incoming tcp:myhostname:9000

On the source host, QEMU is launched in a similar
manner but using client endpoint credentials

 $ qemu-system-x86_64 -monitor stdio \
-object 
tls-creds-x509,dir=/home/berrange/security/qemutls,endpoint=client,id=tls0 \
...other args...

To enable outgoing TLS migration 2 monitor commands are
then used

  (qemu) migrate_set_str_parameter tls-creds tls0
  (qemu) migrate tcp:otherhostname:9000

Thanks to earlier improvements to error reporting,
TLS errors can be seen 'info migrate' when doing a
detached migration. For example:

  (qemu) info migrate
  capabilities: xbzrle: off rdma-pin-all: off auto-converge: off zero-blocks: 
off compress: off events: off x-postcopy-ram: off
  Migration status: failed
  total time: 0 milliseconds
  error description: TLS handshake failed: The TLS connection was non-properly 
terminated.

Or

  (qemu) info migrate
  capabilities: xbzrle: off rdma-pin-all: off auto-converge: off zero-blocks: 
off compress: off events: off x-postcopy-ram: off
  Migration status: failed
  total time: 0 milliseconds
  error description: Certificate does not match the hostname localhost

Signed-off-by: Daniel P. Berrange 
---
 include/migration/migration.h |  12 +++-
 migration/Makefile.objs   |   1 +
 migration/exec.c  |   2 +-
 migration/fd.c|   2 +-
 migration/migration.c |  40 +--
 migration/socket.c|  34 +++--
 migration/tls.c   | 160 ++
 trace-events  |  12 +++-
 8 files changed, 246 insertions(+), 17 deletions(-)
 create mode 100644 migration/tls.c

diff --git a/include/migration/migration.h b/include/migration/migration.h
index 999a5ee..6310ff4 100644
--- a/include/migration/migration.h
+++ b/include/migration/migration.h
@@ -186,8 +186,18 @@ void qemu_start_incoming_migration(const char *uri, Error 
**errp);
 void migration_set_incoming_channel(MigrationState *s,
 QIOChannel *ioc);
 
+void migration_tls_set_incoming_channel(MigrationState *s,
+QIOChannel *ioc,
+Error **errp);
+
 void migration_set_outgoing_channel(MigrationState *s,
-QIOChannel *ioc);
+QIOChannel *ioc,
+const char *hostname);
+
+void migration_tls_set_outgoing_channel(MigrationState *s,
+QIOChannel *ioc,
+const char *hostname,
+Error **errp);
 
 uint64_t migrate_max_downtime(void);
 
diff --git a/migration/Makefile.objs b/migration/Makefile.objs
index 7b9051c..e68b54d 100644
--- a/migration/Makefile.objs
+++ b/migration/Makefile.objs
@@ -1,4 +1,5 @@
 common-obj-y += migration.o socket.o fd.o exec.o
+common-obj-y += tls.o
 common-obj-y += vmstate.o
 common-obj-y += qemu-file.o
 common-obj-y += qemu-file-channel.o
diff --git a/migration/exec.c b/migration/exec.c
index 4f439b4..a5debc6 100644
--- a/migration/exec.c
+++ b/migration/exec.c
@@ -36,7 +36,7 @@ void exec_start_outgoing_migration(MigrationState *s, const 
char *command, Error
 return;
 }
 
-migration_set_outgoing_channel(s, ioc);
+migration_set_outgoing_channel(s, ioc, NULL);
 object_unref(OBJECT(ioc));
 }
 
diff --git a/migration/fd.c b/migration/fd.c
index 1a7fd43..e089bf4 100644
--- a/migration/fd.c
+++ b/migration/fd.c
@@ -36,7 +36,7 @@ void fd_start_outgoing_migration(MigrationState *s, const 
char *fdname, Error **
 return;
 }
 
-migration_set_outgoing_channel(s, ioc);
+migration_set_outgoing_channel(s, ioc, NULL);
 object_unref(OBJECT(ioc));
 }
 
diff --git a/migration/migration.c b/migration/migration.c
index c7bc1c7..84393c0 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -35,6 +35,7 @@
 #include "exec/memory.h"
 #include "exec/address-spaces.h"

[Qemu-devel] [PATCH v3 17/27] migration: convert savevm to use QIOChannel for writing to files

[Daniel P. Berrange]

Convert the exec savevm code to use QIOChannel and QEMUFileChannel,
instead of the stdio APIs.

Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Daniel P. Berrange 
---
 migration/savevm.c   |  8 +---
 tests/Makefile   |  4 ++--
 tests/test-vmstate.c | 11 ++-
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index d2652fb..8b8ffe8 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -51,6 +51,7 @@
 #include "block/snapshot.h"
 #include "block/qapi.h"
 #include "io/channel-buffer.h"
+#include "io/channel-file.h"
 
 
 #ifndef ETH_P_RARP
@@ -2024,6 +2025,7 @@ void hmp_savevm(Monitor *mon, const QDict *qdict)
 void qmp_xen_save_devices_state(const char *filename, Error **errp)
 {
 QEMUFile *f;
+QIOChannelFile *ioc;
 int saved_vm_running;
 int ret;
 
@@ -2031,11 +2033,11 @@ void qmp_xen_save_devices_state(const char *filename, 
Error **errp)
 vm_stop(RUN_STATE_SAVE_VM);
 global_state_store_running();
 
-f = qemu_fopen(filename, "wb");
-if (!f) {
-error_setg_file_open(errp, errno, filename);
+ioc = qio_channel_file_new_path(filename, O_WRONLY | O_CREAT, 0660, errp);
+if (!ioc) {
 goto the_end;
 }
+f = qemu_fopen_channel_output(QIO_CHANNEL(ioc));
 ret = qemu_save_device_state(f);
 qemu_fclose(f);
 if (ret < 0) {
diff --git a/tests/Makefile b/tests/Makefile
index 13f1c84..98f3b1c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -425,8 +425,8 @@ tests/test-qdev-global-props$(EXESUF): 
tests/test-qdev-global-props.o \
$(test-qapi-obj-y)
 tests/test-vmstate$(EXESUF): tests/test-vmstate.o \
migration/vmstate.o migration/qemu-file.o \
-migration/qemu-file-unix.o qjson.o \
-   $(test-qom-obj-y)
+migration/qemu-file-channel.o qjson.o \
+   $(test-io-obj-y)
 tests/test-timed-average$(EXESUF): tests/test-timed-average.o qemu-timer.o \
$(test-util-obj-y)
 tests/test-base64$(EXESUF): tests/test-base64.o \
diff --git a/tests/test-vmstate.c b/tests/test-vmstate.c
index f337cf6..d19b16a 100644
--- a/tests/test-vmstate.c
+++ b/tests/test-vmstate.c
@@ -29,6 +29,7 @@
 #include "migration/migration.h"
 #include "migration/vmstate.h"
 #include "qemu/coroutine.h"
+#include "io/channel-file.h"
 
 static char temp_file[] = "/tmp/vmst.test.XX";
 static int temp_fd;
@@ -49,11 +50,17 @@ void yield_until_fd_readable(int fd)
 static QEMUFile *open_test_file(bool write)
 {
 int fd = dup(temp_fd);
+QIOChannel *ioc;
 lseek(fd, 0, SEEK_SET);
 if (write) {
 g_assert_cmpint(ftruncate(fd, 0), ==, 0);
 }
-return qemu_fdopen(fd, write ? "wb" : "rb");
+ioc = QIO_CHANNEL(qio_channel_file_new_fd(fd));
+if (write) {
+return qemu_fopen_channel_output(ioc);
+} else {
+return qemu_fopen_channel_input(ioc);
+}
 }
 
 #define SUCCESS(val) \
@@ -469,6 +476,8 @@ int main(int argc, char **argv)
 {
 temp_fd = mkstemp(temp_file);
 
+module_call_init(MODULE_INIT_QOM);
+
 g_test_init(, , NULL);
 g_test_add_func("/vmstate/simple/primitive", test_simple_primitive);
 g_test_add_func("/vmstate/versioned/load/v1", test_load_v1);
-- 
2.5.0

[Qemu-devel] [PATCH v3 24/27] migration: define 'tls-creds' and 'tls-hostname' migration parameters

[Daniel P. Berrange]

Define two new migration parameters to be used with TLS encryption.
The 'tls-creds' parameter provides the ID of an instance of the
'tls-creds' object type, or rather a subclass such as 'tls-creds-x509'.
Providing these credentials will enable use of TLS on the migration
data stream.

If using x509 certificates, together with a migration URI that does
not include a hostname, the 'tls-hostname' parameter provides the
hostname to use when verifying the server's x509 certificate. This
allows TLS to be used in combination with fd: and exec: protocols
where a TCP connection is established by a 3rd party outside of
QEMU.

For the HMP this sadly requires adding a new monitor command
'migration_set_str_parameter', since the existing command
'migration_set_parameter' is fixed to take integer values.

The QMP monitor is fine, since it has the more flexible
'migration_set_parameters' which takes the dict of params
of arbitrary types per the QAPI schema.

Signed-off-by: Daniel P. Berrange 
---
 hmp-commands.hx   | 15 +
 hmp.c | 48 ++
 hmp.h |  1 +
 migration/migration.c | 14 +
 qapi-schema.json  | 58 ---
 5 files changed, 133 insertions(+), 3 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 664d794..883ef90 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1022,6 +1022,21 @@ Set the parameter @var{parameter} for migration.
 ETEXI
 
 {
+.name   = "migrate_set_str_parameter",
+.args_type  = "parameter:s,value:s",
+.params = "parameter value",
+.help   = "Set the parameter for migration",
+.mhandler.cmd = hmp_migrate_set_str_parameter,
+.command_completion = migrate_set_parameter_completion,
+},
+
+STEXI
+@item migrate_set_str_parameter @var{parameter} @var{value}
+@findex migrate_set_str_parameter
+Set the parameter @var{parameter} for migration.
+ETEXI
+
+{
 .name   = "migrate_start_postcopy",
 .args_type  = "",
 .params = "",
diff --git a/hmp.c b/hmp.c
index a239e1e..c27c280 100644
--- a/hmp.c
+++ b/hmp.c
@@ -290,6 +290,12 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict 
*qdict)
 monitor_printf(mon, " %s: %" PRId64,
 
MigrationParameter_lookup[MIGRATION_PARAMETER_X_CPU_THROTTLE_INCREMENT],
 params->x_cpu_throttle_increment);
+monitor_printf(mon, " %s: '%s'",
+MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_CREDS],
+params->tls_creds ? : "");
+monitor_printf(mon, " %s: '%s'",
+MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_HOSTNAME],
+params->tls_hostname ? : "");
 monitor_printf(mon, "\n");
 }
 
@@ -1272,6 +1278,48 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict 
*qdict)
has_decompress_threads, value,
has_x_cpu_throttle_initial, value,
has_x_cpu_throttle_increment, value,
+   false, NULL,
+   false, NULL,
+   );
+break;
+}
+}
+
+if (i == MIGRATION_PARAMETER__MAX) {
+error_setg(, QERR_INVALID_PARAMETER, param);
+}
+
+if (err) {
+error_report_err(err);
+}
+}
+
+void hmp_migrate_set_str_parameter(Monitor *mon, const QDict *qdict)
+{
+const char *param = qdict_get_str(qdict, "parameter");
+const char *valuestr = qdict_get_str(qdict, "value");
+Error *err = NULL;
+bool has_tls_creds = false;
+bool has_tls_hostname = false;
+int i;
+
+for (i = 0; i < MIGRATION_PARAMETER__MAX; i++) {
+if (strcmp(param, MigrationParameter_lookup[i]) == 0) {
+switch (i) {
+case MIGRATION_PARAMETER_TLS_CREDS:
+has_tls_creds = true;
+break;
+case MIGRATION_PARAMETER_TLS_HOSTNAME:
+has_tls_hostname = true;
+break;
+}
+qmp_migrate_set_parameters(false, 0,
+   false, 0,
+   false, 0,
+   false, 0,
+   false, 0,
+   has_tls_creds, valuestr,
+   has_tls_hostname, valuestr,
);
 break;
 }
diff --git a/hmp.h b/hmp.h
index 093d65f..74873b4 100644
--- a/hmp.h
+++ b/hmp.h
@@ -67,6 +67,7 @@ void hmp_migrate_set_downtime(Monitor *mon, const QDict 
*qdict);
 void hmp_migrate_set_speed(Monitor *mon, const QDict *qdict);
 void hmp_migrate_set_capability(Monitor *mon, const QDict *qdict);
 void 

[Qemu-devel] [PATCH v3 07/27] migration: introduce a new QEMUFile impl based on QIOChannel

[Daniel P. Berrange]

Introduce a new QEMUFile implementation that is based on
the QIOChannel objects. This impl is different from existing
impls in that there is no file descriptor that can be made
available, as some channels may be based on higher level
protocols such as TLS.

Although the QIOChannel based implementation can trivially
provide a bi-directional stream, initially we have separate
functions for opening input & output directions to fit with
the expectation of the current QEMUFile interface.

Signed-off-by: Daniel P. Berrange 
---
 include/migration/qemu-file.h |   4 +
 migration/Makefile.objs   |   1 +
 migration/qemu-file-channel.c | 204 ++
 3 files changed, 209 insertions(+)
 create mode 100644 migration/qemu-file-channel.c

diff --git a/include/migration/qemu-file.h b/include/migration/qemu-file.h
index 2dea81f..0329ccc 100644
--- a/include/migration/qemu-file.h
+++ b/include/migration/qemu-file.h
@@ -23,7 +23,9 @@
  */
 #ifndef QEMU_FILE_H
 #define QEMU_FILE_H 1
+#include "qemu-common.h"
 #include "exec/cpu-common.h"
+#include "io/channel.h"
 
 
 /* This function writes a chunk of data to a file at the given position.
@@ -135,6 +137,8 @@ QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps 
*ops);
 QEMUFile *qemu_fopen(const char *filename, const char *mode);
 QEMUFile *qemu_fdopen(int fd, const char *mode);
 QEMUFile *qemu_fopen_socket(int fd, const char *mode);
+QEMUFile *qemu_fopen_channel_input(QIOChannel *ioc);
+QEMUFile *qemu_fopen_channel_output(QIOChannel *ioc);
 QEMUFile *qemu_popen_cmd(const char *command, const char *mode);
 QEMUFile *qemu_bufopen(const char *mode, QEMUSizedBuffer *input);
 void qemu_file_set_hooks(QEMUFile *f, const QEMUFileHooks *hooks);
diff --git a/migration/Makefile.objs b/migration/Makefile.objs
index 0cac6d7..b357e2f 100644
--- a/migration/Makefile.objs
+++ b/migration/Makefile.objs
@@ -1,6 +1,7 @@
 common-obj-y += migration.o tcp.o
 common-obj-y += vmstate.o
 common-obj-y += qemu-file.o qemu-file-buf.o qemu-file-unix.o qemu-file-stdio.o
+common-obj-y += qemu-file-channel.o
 common-obj-y += xbzrle.o postcopy-ram.o
 
 common-obj-$(CONFIG_RDMA) += rdma.o
diff --git a/migration/qemu-file-channel.c b/migration/qemu-file-channel.c
new file mode 100644
index 000..10990e8
--- /dev/null
+++ b/migration/qemu-file-channel.c
@@ -0,0 +1,204 @@
+/*
+ * QEMUFile backend for QIOChannel objects
+ *
+ * Copyright (c) 2015-2016 Red Hat, Inc
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "migration/qemu-file.h"
+#include "io/channel-socket.h"
+#include "qemu/iov.h"
+
+
+/**
+ * @skip: number of bytes to advance head of @iov
+ * @iov: pointer to iov array, updated on success
+ * @iovcnt: number of elements in @iov, updated on success
+ * @oldiov: pointer single element to hold old info from @iov
+ *
+ * This will update @iov so that its head is advanced
+ * by @skip bytes. To do this, zero or more complete
+ * elements of @iov will be skipped over. The new head
+ * of @iov will then have its base & len updated to
+ * skip the remaining number of bytes. @oldiov will
+ * hold the original data from the new head of @iov.
+ */
+static void channel_skip_iov(size_t skip,
+ struct iovec **iov,
+ int *iovcnt,
+ struct iovec *oldiov)
+{
+ssize_t done = 0;
+size_t i;
+for (i = 0; i < *iovcnt; i++) {
+if ((*iov)[i].iov_len <= skip) {
+done += (*iov)[i].iov_len;
+skip -= (*iov)[i].iov_len;
+} else {
+done += skip;
+oldiov->iov_base = (*iov)[i].iov_base;
+oldiov->iov_len = (*iov)[i].iov_len;
+(*iov)[i].iov_len -= skip;
+(*iov)[i].iov_base += skip;
+*iov = *iov + i;
+*iovcnt = *iovcnt - i;
+break;
+}
+}
+}
+
+static ssize_t 

[Qemu-devel] [PATCH v3 19/27] migration: delete QEMUSizedBuffer struct

[Daniel P. Berrange]

Now that we don't have have a buffer based QemuFile
implementation, the QEMUSizedBuffer code is also
unused and can be deleted. A simpler buffer class
also exists in util/buffer.c which other code can
used as needed.

Reviewed-by: Dr. David Alan Gilbert 
Signed-off-by: Daniel P. Berrange 
---
 include/migration/qemu-file.h |  16 --
 include/qemu/typedefs.h   |   1 -
 migration/Makefile.objs   |   2 +-
 migration/qemu-file-buf.c | 368 --
 4 files changed, 1 insertion(+), 386 deletions(-)
 delete mode 100644 migration/qemu-file-buf.c

diff --git a/include/migration/qemu-file.h b/include/migration/qemu-file.h
index 6618d19..edaf598 100644
--- a/include/migration/qemu-file.h
+++ b/include/migration/qemu-file.h
@@ -126,13 +126,6 @@ typedef struct QEMUFileHooks {
 QEMURamSaveFunc *save_page;
 } QEMUFileHooks;
 
-struct QEMUSizedBuffer {
-struct iovec *iov;
-size_t n_iov;
-size_t size; /* total allocated size in all iov's */
-size_t used; /* number of used bytes */
-};
-
 QEMUFile *qemu_fopen_ops(void *opaque, const QEMUFileOps *ops);
 QEMUFile *qemu_fopen(const char *filename, const char *mode);
 QEMUFile *qemu_fdopen(int fd, const char *mode);
@@ -155,15 +148,6 @@ void qemu_put_buffer_async(QEMUFile *f, const uint8_t 
*buf, size_t size);
 bool qemu_file_mode_is_not_valid(const char *mode);
 bool qemu_file_is_writable(QEMUFile *f);
 
-QEMUSizedBuffer *qsb_create(const uint8_t *buffer, size_t len);
-void qsb_free(QEMUSizedBuffer *);
-size_t qsb_set_length(QEMUSizedBuffer *qsb, size_t length);
-size_t qsb_get_length(const QEMUSizedBuffer *qsb);
-ssize_t qsb_get_buffer(const QEMUSizedBuffer *, off_t start, size_t count,
-   uint8_t *buf);
-ssize_t qsb_write_at(QEMUSizedBuffer *qsb, const uint8_t *buf,
- off_t pos, size_t count);
-
 
 static inline void qemu_put_ubyte(QEMUFile *f, unsigned int v)
 {
diff --git a/include/qemu/typedefs.h b/include/qemu/typedefs.h
index 6ed91b4..c42dea5 100644
--- a/include/qemu/typedefs.h
+++ b/include/qemu/typedefs.h
@@ -78,7 +78,6 @@ typedef struct QemuOpt QemuOpt;
 typedef struct QemuOpts QemuOpts;
 typedef struct QemuOptsList QemuOptsList;
 typedef struct QEMUSGList QEMUSGList;
-typedef struct QEMUSizedBuffer QEMUSizedBuffer;
 typedef struct QEMUTimer QEMUTimer;
 typedef struct QEMUTimerListGroup QEMUTimerListGroup;
 typedef struct QObject QObject;
diff --git a/migration/Makefile.objs b/migration/Makefile.objs
index 86dd050..3e5a57c 100644
--- a/migration/Makefile.objs
+++ b/migration/Makefile.objs
@@ -1,6 +1,6 @@
 common-obj-y += migration.o socket.o fd.o exec.o
 common-obj-y += vmstate.o
-common-obj-y += qemu-file.o qemu-file-buf.o qemu-file-unix.o qemu-file-stdio.o
+common-obj-y += qemu-file.o qemu-file-unix.o qemu-file-stdio.o
 common-obj-y += qemu-file-channel.o
 common-obj-y += xbzrle.o postcopy-ram.o
 
diff --git a/migration/qemu-file-buf.c b/migration/qemu-file-buf.c
deleted file mode 100644
index 668ab35..000
--- a/migration/qemu-file-buf.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
- * QEMU System Emulator
- *
- * Copyright (c) 2003-2008 Fabrice Bellard
- * Copyright (c) 2014 IBM Corp.
- *
- * Authors:
- *  Stefan Berger 
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to 
deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-#include "qemu/osdep.h"
-#include "qemu-common.h"
-#include "qemu/error-report.h"
-#include "qemu/iov.h"
-#include "qemu/sockets.h"
-#include "qemu/coroutine.h"
-#include "migration/migration.h"
-#include "migration/qemu-file.h"
-#include "migration/qemu-file-internal.h"
-#include "trace.h"
-
-#define QSB_CHUNK_SIZE  (1 << 10)
-#define QSB_MAX_CHUNK_SIZE  (16 * QSB_CHUNK_SIZE)
-
-/**
- * Create a QEMUSizedBuffer
- * This type of buffer uses scatter-gather lists internally and
- * can grow to any size. Any data array in the scatter-gather list
- * can hold different amount of bytes.
- *
- *