[Qemu-devel] [PATCH] xhci: properties cleanup

2017-02-20 Thread Gerd Hoffmann
Split xhci properties into common and nec specific.

Move the backward compat flags to nec, so the new qemu-xhci
device doesn't carry on the compatibility stuff.

Move the msi/msix switches too and just enable msix for qemu-xhci.

Also move the intrs and slots properties.  Wasn't a great idea to
make them configurable in the first place, nobody needs this.

Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-xhci.c | 29 ++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 28dd2f2..f0af852 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -635,6 +635,11 @@ static bool xhci_get_flag(XHCIState *xhci, enum xhci_flags 
bit)
 return xhci->flags & (1 << bit);
 }
 
+static void xhci_set_flag(XHCIState *xhci, enum xhci_flags bit)
+{
+xhci->flags |= (1 << bit);
+}
+
 static uint64_t xhci_mfindex_get(XHCIState *xhci)
 {
 int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
@@ -3839,17 +3844,21 @@ static const VMStateDescription vmstate_xhci = {
 }
 };
 
-static Property xhci_properties[] = {
+static Property nec_xhci_properties[] = {
 DEFINE_PROP_ON_OFF_AUTO("msi", XHCIState, msi, ON_OFF_AUTO_AUTO),
 DEFINE_PROP_ON_OFF_AUTO("msix", XHCIState, msix, ON_OFF_AUTO_AUTO),
 DEFINE_PROP_BIT("superspeed-ports-first",
 XHCIState, flags, XHCI_FLAG_SS_FIRST, true),
 DEFINE_PROP_BIT("force-pcie-endcap", XHCIState, flags,
 XHCI_FLAG_FORCE_PCIE_ENDCAP, false),
-DEFINE_PROP_BIT("streams", XHCIState, flags,
-XHCI_FLAG_ENABLE_STREAMS, true),
 DEFINE_PROP_UINT32("intrs", XHCIState, numintrs, MAXINTRS),
 DEFINE_PROP_UINT32("slots", XHCIState, numslots, MAXSLOTS),
+DEFINE_PROP_END_OF_LIST(),
+};
+
+static Property xhci_properties[] = {
+DEFINE_PROP_BIT("streams", XHCIState, flags,
+XHCI_FLAG_ENABLE_STREAMS, true),
 DEFINE_PROP_UINT32("p2",XHCIState, numports_2, 4),
 DEFINE_PROP_UINT32("p3",XHCIState, numports_3, 4),
 DEFINE_PROP_END_OF_LIST(),
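Review bot: "intrs" and "slots" stay user-settable properties on nec-usb-xhci although the commit message says nobody needs them; if they are kept only so existing command lines keep working, say so in a comment next to them in nec_xhci_properties, otherwise drop them here too. Note also that "streams" is the one flag bit that moves to the common list while superspeed-ports-first and force-pcie-endcap become nec-only; that split is deliberate but deserves a sentence in the commit message.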
@@ -3881,7 +3890,9 @@ static const TypeInfo xhci_info = {
 static void nec_xhci_class_init(ObjectClass *klass, void *data)
 {
 PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+DeviceClass *dc = DEVICE_CLASS(klass);
 
+dc->props   = nec_xhci_properties;
 k->vendor_id= PCI_VENDOR_ID_NEC;
 k->device_id= PCI_DEVICE_ID_NEC_UPD720200;
 k->revision = 0x03;
@@ -3902,10 +3913,22 @@ static void qemu_xhci_class_init(ObjectClass *klass, 
void *data)
 k->revision = 0x01;
 }
 
+static void qemu_xhci_instance_init(Object *obj)
+{
+XHCIState *xhci = XHCI(obj);
+
+xhci->msi  = ON_OFF_AUTO_OFF;
+xhci->msix = ON_OFF_AUTO_AUTO;
+xhci->numintrs = MAXINTRS;
+xhci->numslots = MAXSLOTS;
+xhci_set_flag(xhci, XHCI_FLAG_SS_FIRST);
+}
+
 static const TypeInfo qemu_xhci_info = {
 .name  = TYPE_QEMU_XHCI,
 .parent= TYPE_XHCI,
 .class_init= qemu_xhci_class_init,
+.instance_init = qemu_xhci_instance_init,
 };
 
 static void xhci_register_types(void)
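Review bot: the commit message says msix is enabled for qemu-xhci, but qemu_xhci_instance_init sets `xhci->msix = ON_OFF_AUTO_AUTO`, which leaves the decision to realize time; either use ON_OFF_AUTO_ON or reword the message to say msi is disabled and msix left on auto. Hard-coding numintrs/numslots in instance_init is fine here since qemu-xhci no longer exposes those as properties and instance_init runs before property parsing.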
-- 
1.8.3.1




Re: [Qemu-devel] [PATCH] spice-char: fix segfault in char_spice_finalize

2017-02-20 Thread Marc-André Lureau
Hi

On Tue, Feb 21, 2017 at 7:38 AM Li Qiang  wrote:

> In 'qemu_chr_open_spice_vmc' if the 'psubtype' is NULL, it will
> call 'char_spice_finalize'. But as the SpiceChardev is not inserted
> in the 'spice_chars' list, the 'QLIST_REMOVE' will cause a segfault.
> Add a detect to avoid it.
>

> Signed-off-by: Li Qiang 
> ---
>  spice-qemu-char.c | 5 -
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/spice-qemu-char.c b/spice-qemu-char.c
> index 6f46f46..15dbf9c 100644
> --- a/spice-qemu-char.c
> +++ b/spice-qemu-char.c
> @@ -215,7 +215,10 @@ static void char_spice_finalize(Object *obj)
>  SpiceChardev *s = SPICE_CHARDEV(obj);
>
>  vmc_unregister_interface(s);
> -QLIST_REMOVE(s, next);
> +
> +if (spice_chars.lh_first) {
> +QLIST_REMOVE(s, next);
> +}
>
>
The condition you added is unrelated. It should rather be "if
(s->next.le_prev)". (there is a similar test in block.c)

 g_free((char *)s->sin.subtype);
>  #if SPICE_SERVER_VERSION >= 0x000c02
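Review bot: the new guard tests whether the global list has any member, not whether this chardev was linked into it; with another SpiceChardev present, `spice_chars.lh_first` is non-NULL and `QLIST_REMOVE(s, next)` still runs on the never-inserted `s`, whose `next.le_prev` is NULL, so the segfault remains. Test the element's own link state instead, `if (s->next.le_prev)`, as suggested above, so finalize is safe regardless of how far qemu_chr_open_spice_vmc got before failing.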
> --
> 1.8.3.1
>
>
> --
Marc-André Lureau


Re: [Qemu-devel] [PATCH RFC v3 04/15] vfio: ccw: basic implementation for vfio_ccw driver

2017-02-20 Thread Dong Jia Shi
* Dong Jia Shi  [2017-02-21 15:36:23 +0800]:

[...]
> > > +static int vfio_ccw_sch_probe(struct subchannel *sch)
> > > +{
> > > + struct pmcw *pmcw = >schib.pmcw;
> > > + struct vfio_ccw_private *private;
> > > + int ret;
> > > +
> > > + if (pmcw->qf) {
> > > + dev_warn(>dev, "vfio: ccw: do not support QDIO: %s\n",
> > 
> > s/do/does/
> > 
> Ok.
> 
> > > +  dev_name(>dev));
> > > + return -ENOTTY;
> > 
> > Is -ENOTTY the right return code here? -EINVAL?
> > 
> Ok. Thinking about it again, -EINVAL makes more sense. It's like:
> "hey, I know it's an I/O subchannel, but not the kind we support".
> 
Or -ENOTSUPP ?
> > > + }
> > > +
[...]

-- 
Dong Jia




Re: [Qemu-devel] [PATCH RFC v3 04/15] vfio: ccw: basic implementation for vfio_ccw driver

2017-02-20 Thread Dong Jia Shi
* Cornelia Huck  [2017-02-20 19:31:13 +0100]:

> On Fri, 17 Feb 2017 09:29:28 +0100
> Dong Jia Shi  wrote:
> 
> > To make vfio support subchannel devices, we need a css driver for
> > the vfio subchannels. This patch adds a basic vfio-ccw subchannel
> > driver for this purpose.
> > 
> > To enable VFIO for vfio-ccw, enable S390_CCW_IOMMU config option
> > and configure VFIO as required.
> > 
> > Signed-off-by: Dong Jia Shi 
> > Acked-by: Pierre Morel 
> > ---
> >  arch/s390/Kconfig   |  10 ++
> >  arch/s390/include/asm/isc.h |   1 +
> >  drivers/iommu/Kconfig   |   8 ++
> >  drivers/s390/cio/Makefile   |   3 +
> >  drivers/s390/cio/vfio_ccw_drv.c | 262 
> > 
> >  drivers/s390/cio/vfio_ccw_private.h |  25 
> >  6 files changed, 309 insertions(+)
> >  create mode 100644 drivers/s390/cio/vfio_ccw_drv.c
> >  create mode 100644 drivers/s390/cio/vfio_ccw_private.h
> > 
> > diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
> > index c6722112..b920df8 100644
> > --- a/arch/s390/Kconfig
> > +++ b/arch/s390/Kconfig
> > @@ -670,6 +670,16 @@ config EADM_SCH
> >   To compile this driver as a module, choose M here: the
> >   module will be called eadm_sch.
> > 
> > +config VFIO_CCW
> > +   def_tristate n
> > +   prompt "Support for VFIO-CCW subchannels"
> > +   depends on S390_CCW_IOMMU && VFIO
> > +   help
> > + This driver allows usage of VFIO-CCW subchannels.
> 
> Hm...
> 
> "This driver allows usage of I/O subchannels via VFIO-CCW."
> 
> ?
> 
This is better. Will change.

> > +
> > + To compile this driver as a module, choose M here: the
> > + module will be called vfio_ccw.
> > +
> >  endmenu
> > 
> >  menu "Dump support"
> > diff --git a/arch/s390/include/asm/isc.h b/arch/s390/include/asm/isc.h
> > index 68d7d68..8a0b721 100644
> > --- a/arch/s390/include/asm/isc.h
> > +++ b/arch/s390/include/asm/isc.h
> > @@ -16,6 +16,7 @@
> >  #define CONSOLE_ISC 1  /* console I/O subchannel */
> >  #define EADM_SCH_ISC 4 /* EADM subchannels */
> >  #define CHSC_SCH_ISC 7 /* CHSC subchannels */
> > +#define VFIO_CCW_ISC IO_SCH_ISC/* VFIO-CCW I/O subchannels */
> 
> This is OK for now, I guess; but do we want to have the isc
> configurable in the long run? I.e., if a host wants to run its own I/O
> devices at a different priority than the devices it passes to a guest?
> 
I think we can keep this as the default value, and provide a driver
param to customize the ISC value in the future once we need this. Should I
put this on my LATER list, or do it in the next version?

> >  /* Adapter interrupts. */
> >  #define QDIO_AIRQ_ISC IO_SCH_ISC   /* I/O subchannel in qdio mode */
> >  #define PCI_ISC 2  /* PCI I/O subchannels */
> 
> (...)
> 
> > diff --git a/drivers/s390/cio/vfio_ccw_drv.c 
> > b/drivers/s390/cio/vfio_ccw_drv.c
> > new file mode 100644
> > index 000..b068207
> > --- /dev/null
> > +++ b/drivers/s390/cio/vfio_ccw_drv.c
> > @@ -0,0 +1,262 @@
> > +/*
> > + * VFIO based Physical Subchannel device driver
> > + *
> > + * Copyright IBM Corp. 2017
> > + *
> > + * Author(s): Dong Jia Shi 
> > + *Xiao Feng Ren 
> > + */
> > +
> > +#include 
> > +#include 
> > +#include 
> > +#include 
> > +
> > +#include 
> > +
> > +#include "vfio_ccw_private.h"
> > +
> > +/*
> > + * Helpers
> > + */
> > +static int vfio_ccw_sch_quiesce(struct subchannel *sch)
> > +{
> > +   struct vfio_ccw_private *private = dev_get_drvdata(>dev);
> > +   DECLARE_COMPLETION_ONSTACK(completion);
> > +   int iretry, ret = 0;
> > +
> > +   spin_lock_irq(sch->lock);
> > +   if (!sch->schib.pmcw.ena)
> > +   goto out_unlock;
> > +   ret = cio_disable_subchannel(sch);
> > +   if (ret != -EBUSY)
> > +   goto out_unlock;
> > +
> > +   do {
> > +   iretry = 255;
> > +
> > +   ret = cio_cancel_halt_clear(sch, );
> > +   while (ret == -EBUSY) {
> > +   /*
> > +* Flushing all I/O and wait the
> 
> "Flush all I/O and wait for..."
> 
Ok.

> > +* cancel/halt/clear completion.
> > +*/
> > +   private->completion = 
> > +   spin_unlock_irq(sch->lock);
> > +
> > +   wait_for_completion();
> 
> What happens for cancel? It won't generate an interrupt.
> 
Right! How about using:
wait_for_completion_timeout(, 3*HZ);

(I stole '3*HZ' from ccw_device_kill_io.)

> > +
> > +   spin_lock_irq(sch->lock);
> > +   private->completion = NULL;
> > +   ret = cio_cancel_halt_clear(sch, );
> > +   };
> > +
> > +   ret = cio_disable_subchannel(sch);
> > +   } while (ret == -EBUSY);
> > +
> > 
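Review bot: the closing brace of the inner `while (ret == -EBUSY)` loop carries a stray semicolon (`};`); drop it. The cancel question raised above also matters for correctness here: if the cancel path produces no interrupt, `wait_for_completion()` blocks quiesce forever with `private->completion` pointing at a stack object, so the timeout variant proposed in the reply is needed, and after a timeout the pointer must still be cleared under `sch->lock` before the function returns, as the visible lines already do on the normal path.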

Re: [Qemu-devel] [PATCH v2 00/16] Postcopy: Hugepage support

2017-02-20 Thread Alexey Perevalov

Hello David,

On Tue, Feb 14, 2017 at 07:34:26PM +, Dr. David Alan Gilbert wrote:
> * Alexey Perevalov (a.pereva...@samsung.com) wrote:
> > Hi David,
> > 
> > Thank you, now it's clear.
> > 
> > On Mon, Feb 13, 2017 at 06:16:02PM +, Dr. David Alan Gilbert wrote:
> > > * Alexey Perevalov (a.pereva...@samsung.com) wrote:
> > > >  Hello David!
> > > 
> > > Hi Alexey,
> > > 
> > > > I have checked your series with 1G hugepage, but only in 1 Gbit/sec
> > > > network environment.
> > > 
> > > Can you show the qemu command line you're using?  I'm just trying
> > > to make sure I understand where your hugepages are; running 1G hostpages
> > > across a 1Gbit/sec network for postcopy would be pretty poor - it would 
> > > take
> > > ~10 seconds to transfer the page.
> > 
> > sure
> > -hda ./Ubuntu.img -name PAU,debug-threads=on -boot d -net nic -net user
> > -m 1024 -localtime -nographic -enable-kvm -incoming tcp:0: -object
> > memory-backend-file,id=mem,size=1G,mem-path=/dev/hugepages -mem-prealloc
> > -numa node,memdev=mem -trace events=/tmp/events -chardev
> > socket,id=charmonitor,path=/var/lib/migrate-vm-monitor.sock,server,nowait
> > -mon chardev=charmonitor,id=monitor,mode=control
> 
> OK, it's a pretty unusual setup - a 1G page guest with 1G of guest RAM.
> 
> > > 
> > > > I started Ubuntu just with console interface and gave to it only 1G of
> > > > RAM, inside Ubuntu I started stress command
> > > 
> > > > (stress --cpu 4 --io 4 --vm 4 --vm-bytes 25600 &)
> > > > in such environment precopy live migration was impossible, it never
> > > > finished, in this case it infinitely sends pages (it looks like
> > > > dpkg scenario).
> > > > 
> > > > Also I modified stress utility
> > > > http://people.seas.harvard.edu/~apw/stress/stress-1.0.4.tar.gz
> > > > because it wrote into memory every time the same value `Z`. My
> > > > modified version writes a new incremented value on every allocation.
> > > 
> > > I use google's stressapptest normally; although remember to turn
> > > off the bit where it pauses.
> > 
> > I decided to use it too
> > stressapptest -s 300 -M 256 -m 8 -W
> > 
> > > 
> > > > I'm using Arcangeli's kernel only at the destination.
> > > > 
> > > > I got controversial results. Downtime for 1G hugepage is close to 2Mb
> > > > hugepage and it took around 7 ms (in 2Mb hugepage scenario downtime was
> > > > around 8 ms).
> > > > I made that opinion by query-migrate.
> > > > {"return": {"status": "completed", "setup-time": 6, "downtime": 6, 
> > > > "total-time": 9668, "ram": {"total": 1091379200, "postcopy-requests": 
> > > > 1, "dirty-sync-count": 2, "remaining": 0, "mbps": 879.786851, 
> > > > "transferred": 1063007296, "duplicate": 7449, "dirty-pages-rate": 0, 
> > > > "skipped": 0, "normal-bytes": 1060868096, "normal": 259001}}}
> > > > 
> > > > Documentation says about downtime field - measurement unit is ms.
> > > 
> > > The downtime measurement field is pretty meaningless for postcopy; it's 
> > > only
> > > the time from stopping the VM until the point where we tell the 
> > > destination it
> > > can start running.  Meaningful measurements are only from inside the guest
> > > really, or the place latencies.
> > >
> > 
> > Maybe improve it by receiving such information from destination?
> > I wish to do that.
> > > > So I traced it (I added additional trace into postcopy_place_page
> > > > trace_postcopy_place_page_start(host, from, pagesize); )
> > > > 
> > > > postcopy_ram_fault_thread_request Request for HVA=7f6dc000 
> > > > rb=/objects/mem offset=0
> > > > postcopy_place_page_start host=0x7f6dc000 from=0x7f6d7000, 
> > > > pagesize=4000
> > > > postcopy_place_page_start host=0x7f6e0e80 from=0x55b665969619, 
> > > > pagesize=1000
> > > > postcopy_place_page_start host=0x7f6e0e801000 from=0x55b6659684e8, 
> > > > pagesize=1000
> > > > several pages with 4Kb step ...
> > > > postcopy_place_page_start host=0x7f6e0e817000 from=0x55b6659694f0, 
> > > > pagesize=1000
> > > > 
> > > > 4K pages, started from 0x7f6e0e80 address it's
> > > > vga.ram, /rom@etc/acpi/tables etc.
> > > > 
> > > > Frankly saying, right now, I don't have any ideas why hugepage wasn't
> > > > resent. Maybe my expectation of it is wrong as well as understanding )
> > > 
> > > That's pretty much what I expect to see - before you get into postcopy
> > > mode everything is sent as individual 4k pages (in order); once we're
> > > in postcopy mode we send each page no more than once.  So your
> > > huge page comes across once - and there it is.
> > > 
> > > > stress utility also duplicated for me value into appropriate file:
> > > > sec_since_epoch.microsec:value
> > > > 1487003192.728493:22
> > > > 1487003197.335362:23
> > > > *1487003213.367260:24*
> > > > *1487003238.480379:25*
> > > > 1487003243.315299:26
> > > > 1487003250.775721:27
> > > > 1487003255.473792:28
> > > > 
> > > > It means rewriting 256Mb of memory per byte took around 5 sec, but at
> > > > the moment of 

[Qemu-devel] [PULL 09/11] usb-ccid: better bulk_out error handling

2017-02-20 Thread Gerd Hoffmann
Add err goto label where we can jump to from all error conditions.
STALL request on all errors.  Reset position on all errors.

Normal request processing is not in an else branch any more, so this code
is reindented; there are no code changes in that part of the code
though.

Signed-off-by: Gerd Hoffmann 
Reviewed-by: Marc-André Lureau 
Message-id: 1487250819-23764-2-git-send-email-kra...@redhat.com
---
 hw/usb/dev-smartcard-reader.c | 116 ++
 1 file changed, 61 insertions(+), 55 deletions(-)

diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 1325ea1..badcfcb 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -1001,8 +1001,7 @@ static void ccid_handle_bulk_out(USBCCIDState *s, 
USBPacket *p)
 CCID_Header *ccid_header;
 
 if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) {
-p->status = USB_RET_STALL;
-return;
+goto err;
 }
 ccid_header = (CCID_Header *)s->bulk_out_data;
 usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size);
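Review bot: replacing `p->status = USB_RET_STALL; return;` with `goto err` changes behaviour for the oversize case: per the commit message the err path also resets `s->bulk_out_pos`, whereas before the position was left untouched after the stall. That is the right call (a stale partial message should not survive a packet that would overflow BULK_OUT_DATA_SIZE), but it is a guest-visible change and the commit message should say so explicitly. Good that the check still runs before `usb_packet_copy` touches the buffer.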
@@ -1017,64 +1016,71 @@ static void ccid_handle_bulk_out(USBCCIDState *s, 
USBPacket *p)
 DPRINTF(s, 1,
 "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n",
 __func__);
-} else {
-DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
-ccid_header->bMessageType,
-ccid_message_type_to_str(ccid_header->bMessageType));
-switch (ccid_header->bMessageType) {
-case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus:
-ccid_write_slot_status(s, ccid_header);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn:
-DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__,
+goto err;
+}
+
+DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
+ccid_header->bMessageType,
+ccid_message_type_to_str(ccid_header->bMessageType));
+switch (ccid_header->bMessageType) {
+case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus:
+ccid_write_slot_status(s, ccid_header);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn:
+DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__,
 ((CCID_IccPowerOn *)(ccid_header))->bPowerSelect);
-s->powered = true;
-if (!ccid_card_inserted(s)) {
-ccid_report_error_failed(s, ERROR_ICC_MUTE);
-}
-/* atr is written regardless of error. */
-ccid_write_data_block_atr(s, ccid_header);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff:
-ccid_reset_error_status(s);
-s->powered = false;
-ccid_write_slot_status(s, ccid_header);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock:
-ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters:
-ccid_reset_error_status(s);
-ccid_set_parameters(s, ccid_header);
-ccid_write_parameters(s, ccid_header);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters:
-ccid_reset_error_status(s);
-ccid_reset_parameters(s);
-ccid_write_parameters(s, ccid_header);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters:
-ccid_reset_error_status(s);
-ccid_write_parameters(s, ccid_header);
-break;
-case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical:
-ccid_report_error_failed(s, 0);
-ccid_write_slot_status(s, ccid_header);
-break;
-default:
-DPRINTF(s, 1,
+s->powered = true;
+if (!ccid_card_inserted(s)) {
+ccid_report_error_failed(s, ERROR_ICC_MUTE);
+}
+/* atr is written regardless of error. */
+ccid_write_data_block_atr(s, ccid_header);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff:
+ccid_reset_error_status(s);
+s->powered = false;
+ccid_write_slot_status(s, ccid_header);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock:
+ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters:
+ccid_reset_error_status(s);
+ccid_set_parameters(s, ccid_header);
+ccid_write_parameters(s, ccid_header);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters:
+ccid_reset_error_status(s);
+ccid_reset_parameters(s);
+ccid_write_parameters(s, ccid_header);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters:
+ccid_reset_error_status(s);
+ccid_write_parameters(s, ccid_header);
+break;
+case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical:
+

[Qemu-devel] [PULL 05/11] xhci: drop ER_FULL_HACK workaround

2017-02-20 Thread Gerd Hoffmann
The nec/renesas driver problems have finally been debugged and root
caused, see commit "7da76e1 xhci: fix event queue IRQ handling".

It's pretty clear now that
 (a) The whole "driver can't handle ring full" story is most likely
 wrong.
 (b) The ER_FULL_HACK workaround based on the false assumption doesn't do
 much.  It avoids the driver crashing (without commit 7da76e1), but
 it doesn't make usb work.
 (c) With 7da76e1 applied it doesn't trigger any more.

So, let's kill it.  Or, to be exact, let's almost kill it.  Some data
fields are kept unused in the state struct, for live migration backward
compatibility.

Signed-off-by: Gerd Hoffmann 
Message-id: 1486382139-30630-2-git-send-email-kra...@redhat.com
---
 hw/usb/hcd-xhci.c | 117 +-
 1 file changed, 11 insertions(+), 106 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index f3f9579..cfb5f74 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -49,9 +49,6 @@
 
 /* Very pessimistic, let's hope it's enough for all cases */
 #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
-/* Do not deliver ER Full events. NEC's driver does some things not bound
- * to the specs when it gets them */
-#define ER_FULL_HACK
 
 #define TRB_LINK_LIMIT  4
 #define COMMAND_LIMIT   256
@@ -433,12 +430,14 @@ typedef struct XHCIInterrupter {
 uint32_t erdp_low;
 uint32_t erdp_high;
 
-bool msix_used, er_pcs, er_full;
+bool msix_used, er_pcs;
 
 dma_addr_t er_start;
 uint32_t er_size;
 unsigned int er_ep_idx;
 
+/* kept for live migration compat only */
+bool er_full_unused;
 XHCIEvent ev_buffer[EV_QUEUE];
 unsigned int ev_buffer_put;
 unsigned int ev_buffer_get;
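Review bot: the "kept for live migration compat only" comment covers only er_full_unused, but ev_buffer, ev_buffer_put and ev_buffer_get are equally dead once xhci_events_update is removed later in this patch; move the comment above the whole group (or give those fields the same _unused suffix) so nobody starts using them again, and consider retiring the EV_QUEUE-sized storage behind a vmstate subsection in a follow-up.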
@@ -828,7 +827,7 @@ static void xhci_intr_raise(XHCIState *xhci, int v)
 
 static inline int xhci_running(XHCIState *xhci)
 {
-return !(xhci->usbsts & USBSTS_HCH) && !xhci->intr[0].er_full;
+return !(xhci->usbsts & USBSTS_HCH);
 }
 
 static void xhci_die(XHCIState *xhci)
@@ -867,74 +866,6 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent 
*event, int v)
 }
 }
 
-static void xhci_events_update(XHCIState *xhci, int v)
-{
-XHCIInterrupter *intr = >intr[v];
-dma_addr_t erdp;
-unsigned int dp_idx;
-bool do_irq = 0;
-
-if (xhci->usbsts & USBSTS_HCH) {
-return;
-}
-
-erdp = xhci_addr64(intr->erdp_low, intr->erdp_high);
-if (erdp < intr->er_start ||
-erdp >= (intr->er_start + TRB_SIZE*intr->er_size)) {
-DPRINTF("xhci: ERDP out of bounds: "DMA_ADDR_FMT"\n", erdp);
-DPRINTF("xhci: ER[%d] at "DMA_ADDR_FMT" len %d\n",
-v, intr->er_start, intr->er_size);
-xhci_die(xhci);
-return;
-}
-dp_idx = (erdp - intr->er_start) / TRB_SIZE;
-assert(dp_idx < intr->er_size);
-
-/* NEC didn't read section 4.9.4 of the spec (v1.0 p139 top Note) and thus
- * deadlocks when the ER is full. Hack it by holding off events until
- * the driver decides to free at least half of the ring */
-if (intr->er_full) {
-int er_free = dp_idx - intr->er_ep_idx;
-if (er_free <= 0) {
-er_free += intr->er_size;
-}
-if (er_free < (intr->er_size/2)) {
-DPRINTF("xhci_events_update(): event ring still "
-"more than half full (hack)\n");
-return;
-}
-}
-
-while (intr->ev_buffer_put != intr->ev_buffer_get) {
-assert(intr->er_full);
-if (((intr->er_ep_idx+1) % intr->er_size) == dp_idx) {
-DPRINTF("xhci_events_update(): event ring full again\n");
-#ifndef ER_FULL_HACK
-XHCIEvent full = {ER_HOST_CONTROLLER, CC_EVENT_RING_FULL_ERROR};
-xhci_write_event(xhci, , v);
-#endif
-do_irq = 1;
-break;
-}
-XHCIEvent *event = >ev_buffer[intr->ev_buffer_get];
-xhci_write_event(xhci, event, v);
-intr->ev_buffer_get++;
-do_irq = 1;
-if (intr->ev_buffer_get == EV_QUEUE) {
-intr->ev_buffer_get = 0;
-}
-}
-
-if (do_irq) {
-xhci_intr_raise(xhci, v);
-}
-
-if (intr->er_full && intr->ev_buffer_put == intr->ev_buffer_get) {
-DPRINTF("xhci_events_update(): event ring no longer full\n");
-intr->er_full = 0;
-}
-}
-
 static void xhci_event(XHCIState *xhci, XHCIEvent *event, int v)
 {
 XHCIInterrupter *intr;
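Review bot: xhci_events_update was also where the guest-supplied ERDP was bounds-checked against the event ring (`erdp < intr->er_start || erdp >= intr->er_start + TRB_SIZE*intr->er_size` leading to xhci_die, followed by the `dp_idx < intr->er_size` assert). With the function deleted, please confirm the remaining xhci_write_event / xhci_event path performs an equivalent range check before ERDP is used to compute a ring index; that validation is independent of the NEC hack and should not disappear with it.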
@@ -947,19 +878,6 @@ static void xhci_event(XHCIState *xhci, XHCIEvent *event, 
int v)
 }
 intr = >intr[v];
 
-if (intr->er_full) {
-DPRINTF("xhci_event(): ER full, queueing\n");
-if (((intr->ev_buffer_put+1) % EV_QUEUE) == intr->ev_buffer_get) {
-DPRINTF("xhci: event queue full, dropping event!\n");
-return;
-}
-intr->ev_buffer[intr->ev_buffer_put++] = *event;
-if (intr->ev_buffer_put == EV_QUEUE) {
-intr->ev_buffer_put = 0;
-}
-   

[Qemu-devel] [PULL 06/11] xhci: add qemu xhci controller

2017-02-20 Thread Gerd Hoffmann
Turn existing TYPE_XHCI into an abstract base class.
Create two child classes, TYPE_NEC_XHCI (same name as old xhci
controller) and TYPE_QEMU_XHCI (using an ID from our namespace).

Signed-off-by: Gerd Hoffmann 
Reviewed-by: Marcel Apfelbaum 
Message-id: 1486382139-30630-3-git-send-email-kra...@redhat.com
---
 docs/specs/pci-ids.txt |  1 +
 hw/usb/hcd-xhci.c  | 40 
 include/hw/pci/pci.h   |  1 +
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/docs/specs/pci-ids.txt b/docs/specs/pci-ids.txt
index 16fdb0c..95adee0 100644
--- a/docs/specs/pci-ids.txt
+++ b/docs/specs/pci-ids.txt
@@ -61,6 +61,7 @@ PCI devices (other than virtio):
 1b36:0009  PCI Expander Bridge (-device pxb)
 1b36:000a  PCI-PCI bridge (multiseat)
 1b36:000b  PCIe Expander Bridge (-device pxb-pcie)
+1b36:000d  PCI xhci usb host adapter
 
 All these devices are documented in docs/specs.
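Review bot: the new entry reads "PCI xhci usb host adapter" while the controller is registered as a PCI Express device (`k->is_express = 1` in the hcd-xhci.c hunk of this patch); "PCIe xhci usb host adapter" would match the pxb-pcie wording above it. Unrelated to this patch but visible from the pci.h hunk: 1b36:000c (PCI_DEVICE_ID_REDHAT_PCIE_RP) is missing from this table and could be added in a follow-up.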
 
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index cfb5f74..c534b43 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -489,7 +489,9 @@ struct XHCIState {
 XHCIRing cmd_ring;
 };
 
-#define TYPE_XHCI "nec-usb-xhci"
+#define TYPE_XHCI "base-xhci"
+#define TYPE_NEC_XHCI "nec-usb-xhci"
+#define TYPE_QEMU_XHCI "qemu-xhci"
 
 #define XHCI(obj) \
 OBJECT_CHECK(XHCIState, (obj), TYPE_XHCI)
@@ -3881,10 +3883,7 @@ static void xhci_class_init(ObjectClass *klass, void 
*data)
 set_bit(DEVICE_CATEGORY_USB, dc->categories);
 k->realize  = usb_xhci_realize;
 k->exit = usb_xhci_exit;
-k->vendor_id= PCI_VENDOR_ID_NEC;
-k->device_id= PCI_DEVICE_ID_NEC_UPD720200;
 k->class_id = PCI_CLASS_SERIAL_USB;
-k->revision = 0x03;
 k->is_express   = 1;
 }
 
@@ -3893,11 +3892,44 @@ static const TypeInfo xhci_info = {
 .parent= TYPE_PCI_DEVICE,
 .instance_size = sizeof(XHCIState),
 .class_init= xhci_class_init,
+.abstract  = true,
+};
+
+static void nec_xhci_class_init(ObjectClass *klass, void *data)
+{
+PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+
+k->vendor_id= PCI_VENDOR_ID_NEC;
+k->device_id= PCI_DEVICE_ID_NEC_UPD720200;
+k->revision = 0x03;
+}
+
+static const TypeInfo nec_xhci_info = {
+.name  = TYPE_NEC_XHCI,
+.parent= TYPE_XHCI,
+.class_init= nec_xhci_class_init,
+};
+
+static void qemu_xhci_class_init(ObjectClass *klass, void *data)
+{
+PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+
+k->vendor_id= PCI_VENDOR_ID_REDHAT;
+k->device_id= PCI_DEVICE_ID_REDHAT_XHCI;
+k->revision = 0x01;
+}
+
+static const TypeInfo qemu_xhci_info = {
+.name  = TYPE_QEMU_XHCI,
+.parent= TYPE_XHCI,
+.class_init= qemu_xhci_class_init,
 };
 
 static void xhci_register_types(void)
 {
 type_register_static(_info);
+type_register_static(_xhci_info);
+type_register_static(_xhci_info);
 }
 
 type_init(xhci_register_types)
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index cbc1fdf..05ef14b 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -97,6 +97,7 @@
 #define PCI_DEVICE_ID_REDHAT_BRIDGE_SEAT 0x000a
 #define PCI_DEVICE_ID_REDHAT_PXB_PCIE0x000b
 #define PCI_DEVICE_ID_REDHAT_PCIE_RP 0x000c
+#define PCI_DEVICE_ID_REDHAT_XHCI0x000d
 #define PCI_DEVICE_ID_REDHAT_QXL 0x0100
 
 #define FMT_PCIBUS  PRIx64
-- 
1.8.3.1




[Qemu-devel] [PULL 07/11] xhci: fix nec vendor quirk handling

2017-02-20 Thread Gerd Hoffmann
Only the TYPE_NEC_XHCI controller will have the nec vendor quirks.

Signed-off-by: Gerd Hoffmann 
Message-id: 1486382139-30630-4-git-send-email-kra...@redhat.com
---
 hw/usb/hcd-xhci.c | 44 +---
 1 file changed, 29 insertions(+), 15 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index c534b43..4ac67ae 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -487,6 +487,8 @@ struct XHCIState {
 XHCIInterrupter intr[MAXINTRS];
 
 XHCIRing cmd_ring;
+
+bool nec_quirks;
 };
 
 #define TYPE_XHCI "base-xhci"
@@ -2745,20 +2747,26 @@ static void xhci_process_commands(XHCIState *xhci)
 xhci_via_challenge(xhci, trb.parameter);
 break;
 case CR_VENDOR_NEC_FIRMWARE_REVISION:
-event.type = 48; /* NEC reply */
-event.length = 0x3025;
+if (xhci->nec_quirks) {
+event.type = 48; /* NEC reply */
+event.length = 0x3025;
+} else {
+event.ccode = CC_TRB_ERROR;
+}
 break;
 case CR_VENDOR_NEC_CHALLENGE_RESPONSE:
-{
-uint32_t chi = trb.parameter >> 32;
-uint32_t clo = trb.parameter;
-uint32_t val = xhci_nec_challenge(chi, clo);
-event.length = val & 0x;
-event.epid = val >> 16;
-slotid = val >> 24;
-event.type = 48; /* NEC reply */
-}
-break;
+if (xhci->nec_quirks) {
+uint32_t chi = trb.parameter >> 32;
+uint32_t clo = trb.parameter;
+uint32_t val = xhci_nec_challenge(chi, clo);
+event.length = val & 0x;
+event.epid = val >> 16;
+slotid = val >> 24;
+event.type = 48; /* NEC reply */
+} else {
+event.ccode = CC_TRB_ERROR;
+}
+break;
 default:
 trace_usb_xhci_unimplemented("command", type);
 event.ccode = CC_TRB_ERROR;
@@ -3265,9 +3273,12 @@ static void xhci_runtime_write(void *ptr, hwaddr reg,
 intr->erstsz = val & 0x;
 break;
 case 0x10: /* ERSTBA low */
-/* XXX NEC driver bug: it doesn't align this to 64 bytes
-intr->erstba_low = val & 0xffc0; */
-intr->erstba_low = val & 0xfff0;
+if (xhci->nec_quirks) {
+/* NEC driver bug: it doesn't align this to 64 bytes */
+intr->erstba_low = val & 0xfff0;
+} else {
+intr->erstba_low = val & 0xffc0;
+}
 break;
 case 0x14: /* ERSTBA high */
 intr->erstba_high = val;
@@ -3562,6 +3573,9 @@ static void usb_xhci_realize(struct PCIDevice *dev, Error 
**errp)
 dev->config[PCI_CACHE_LINE_SIZE] = 0x10;
 dev->config[0x60] = 0x30; /* release number */
 
+if (strcmp(object_get_typename(OBJECT(dev)), TYPE_NEC_XHCI) == 0) {
+xhci->nec_quirks = true;
+}
 if (xhci->numintrs > MAXINTRS) {
 xhci->numintrs = MAXINTRS;
 }
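Review bot: selecting the quirks with `strcmp(object_get_typename(OBJECT(dev)), TYPE_NEC_XHCI) == 0` ties behaviour to the exact type name, so any subtype derived from nec-usb-xhci would silently lose the quirks; a class-level flag set in nec_xhci_class_init, or object_dynamic_cast() against TYPE_NEC_XHCI, is the usual QOM way. Defaulting the quirks off is the right direction: on qemu-xhci the two NEC vendor commands now fail with CC_TRB_ERROR and ERSTBA keeps the stricter 64-byte alignment mask instead of the relaxed one the NEC driver needs.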
-- 
1.8.3.1




[Qemu-devel] [PULL 01/11] usb: ehci: fix memory leak in ehci

2017-02-20 Thread Gerd Hoffmann
From: Li Qiang 

In usb_ehci_init function, it initializes 's->ipacket', but there
is no corresponding function to free this. As the ehci can be hotplug
and unplug, this will leak host memory.  In order to make the
hierarchy clean, we should add an ehci pci finalize function, then call
the clean function in ehci device.

Signed-off-by: Li Qiang 
Message-id: 589a85b8.3c2b9d0a.b8e6.1...@mx.google.com
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ehci-pci.c | 9 +
 hw/usb/hcd-ehci.c | 5 +
 hw/usb/hcd-ehci.h | 1 +
 3 files changed, 15 insertions(+)

diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c
index 5657705..6dedcb8 100644
--- a/hw/usb/hcd-ehci-pci.c
+++ b/hw/usb/hcd-ehci-pci.c
@@ -89,6 +89,14 @@ static void usb_ehci_pci_init(Object *obj)
 usb_ehci_init(s, DEVICE(obj));
 }
 
+static void usb_ehci_pci_finalize(Object *obj)
+{
+EHCIPCIState *i = PCI_EHCI(obj);
+EHCIState *s = >ehci;
+
+usb_ehci_finalize(s);
+}
+
 static void usb_ehci_pci_exit(PCIDevice *dev)
 {
 EHCIPCIState *i = PCI_EHCI(dev);
@@ -159,6 +167,7 @@ static const TypeInfo ehci_pci_type_info = {
 .parent = TYPE_PCI_DEVICE,
 .instance_size = sizeof(EHCIPCIState),
 .instance_init = usb_ehci_pci_init,
+.instance_finalize = usb_ehci_pci_finalize,
 .abstract = true,
 .class_init = ehci_class_init,
 };
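Review bot: only the PCI wrapper gains an instance_finalize here (the diffstat touches hcd-ehci-pci.c alone); any other wrapper that calls usb_ehci_init() needs a matching usb_ehci_finalize() call or it keeps the same leak. Pairing the cleanup with instance_init via instance_finalize rather than with realize/exit is correct since s->ipacket is set up in usb_ehci_init; a one-line comment saying so would stop it being moved into usb_ehci_pci_exit later.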
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 7622a3a..50ef817 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2545,6 +2545,11 @@ void usb_ehci_init(EHCIState *s, DeviceState *dev)
 >mem_ports);
 }
 
+void usb_ehci_finalize(EHCIState *s)
+{
+usb_packet_cleanup(>ipacket);
+}
+
 /*
  * vim: expandtab ts=4
  */
diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index 3fd7038..938d8aa 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -323,6 +323,7 @@ struct EHCIState {
 extern const VMStateDescription vmstate_ehci;
 
 void usb_ehci_init(EHCIState *s, DeviceState *dev);
+void usb_ehci_finalize(EHCIState *s);
 void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp);
 void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp);
 void ehci_reset(void *opaque);
-- 
1.8.3.1




[Qemu-devel] [PULL 11/11] usb-ccid: add check message size checks

2017-02-20 Thread Gerd Hoffmann
Check message size too when figuring whether we should expect more data.
Fix debug message to show useful data, p->iov.size is fixed anyway if we
land there, print how much we got meanwhile instead.

Also check announced message size against actual message size.  That
is a more general fix for CVE-2017-5898 than commit "c7dfbf3 usb: ccid:
check ccid apdu length".

Signed-off-by: Gerd Hoffmann 
Reviewed-by: Marc-André Lureau 
Message-id: 1487250819-23764-4-git-send-email-kra...@redhat.com
---
 hw/usb/dev-smartcard-reader.c | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 1acc1fb..7cd4ed0 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -1011,12 +1011,19 @@ static void ccid_handle_bulk_out(USBCCIDState *s, 
USBPacket *p)
 }
 
 ccid_header = (CCID_Header *)s->bulk_out_data;
-if (p->iov.size == CCID_MAX_PACKET_SIZE) {
+if ((s->bulk_out_pos - 10 < ccid_header->dwLength) &&
+(p->iov.size == CCID_MAX_PACKET_SIZE)) {
 DPRINTF(s, D_VERBOSE,
-"usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
-p->iov.size, ccid_header->dwLength);
+"usb-ccid: bulk_in: expecting more packets (%d/%d)\n",
+s->bulk_out_pos - 10, ccid_header->dwLength);
 return;
 }
+if (s->bulk_out_pos - 10 != ccid_header->dwLength) {
+DPRINTF(s, 1,
+"usb-ccid: bulk_in: message size mismatch (got %d, expected 
%d)\n",
+s->bulk_out_pos - 10, ccid_header->dwLength);
+goto err;
+}
 
 DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
 ccid_header->bMessageType,
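Review bot: both DPRINTF calls print s->bulk_out_pos - 10 and ccid_header->dwLength with %d although dwLength is the CCID header's unsigned 32-bit length field (and bulk_out_pos should be the same width); %u is the matching specifier, and the old %zd at least matched the width of p->iov.size. The message text also says bulk_in inside the bulk-out handler. On the logic: the added `!= dwLength` rejection is what makes the announced length trustworthy for everything that parses bulk_out_data afterwards, which is why it closes CVE-2017-5898 more generally than the APDU-length check in c7dfbf3. Note that the `- 10` subtractions are only safe because the preceding patch (10/11, further down this page) now rejects buffers shorter than the 10-byte header before this code runs; that ordering dependency deserves a comment here so a later reorder does not reintroduce an underflow.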
-- 
1.8.3.1




[Qemu-devel] [PULL 08/11] xhci: drop via vendor command handling

2017-02-20 Thread Gerd Hoffmann
Seems pretty pointless, we don't emulate a via xhci controller.

Signed-off-by: Gerd Hoffmann 
Message-id: 1486382139-30630-5-git-send-email-kra...@redhat.com
---
 hw/usb/hcd-xhci.c | 31 ---
 1 file changed, 31 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 4ac67ae..28dd2f2 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -198,7 +198,6 @@ typedef enum TRBType {
 ER_DEVICE_NOTIFICATION,
 ER_MFINDEX_WRAP,
 /* vendor specific bits */
-CR_VENDOR_VIA_CHALLENGE_RESPONSE = 48,
 CR_VENDOR_NEC_FIRMWARE_REVISION  = 49,
 CR_VENDOR_NEC_CHALLENGE_RESPONSE = 50,
 } TRBType;
@@ -554,7 +553,6 @@ static const char *TRBType_names[] = {
 [ER_HOST_CONTROLLER]   = "ER_HOST_CONTROLLER",
 [ER_DEVICE_NOTIFICATION]   = "ER_DEVICE_NOTIFICATION",
 [ER_MFINDEX_WRAP]  = "ER_MFINDEX_WRAP",
-[CR_VENDOR_VIA_CHALLENGE_RESPONSE] = "CR_VENDOR_VIA_CHALLENGE_RESPONSE",
 [CR_VENDOR_NEC_FIRMWARE_REVISION]  = "CR_VENDOR_NEC_FIRMWARE_REVISION",
 [CR_VENDOR_NEC_CHALLENGE_RESPONSE] = "CR_VENDOR_NEC_CHALLENGE_RESPONSE",
 };
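Review bot: dropping the [CR_VENDOR_VIA_CHALLENGE_RESPONSE] entry leaves a NULL slot at index 48 in this designated-initializer table while the NEC entries at 49 and 50 stay; whatever helper maps a TRB type to its name must tolerate a NULL element in the middle of the array, not only an index past the end, otherwise a guest queuing a type-48 command hands a NULL string to a trace or debug print.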
@@ -2622,32 +2620,6 @@ static uint32_t xhci_nec_challenge(uint32_t hi, uint32_t 
lo)
 return ~val;
 }
 
-static void xhci_via_challenge(XHCIState *xhci, uint64_t addr)
-{
-PCIDevice *pci_dev = PCI_DEVICE(xhci);
-uint32_t buf[8];
-uint32_t obuf[8];
-dma_addr_t paddr = xhci_mask64(addr);
-
-pci_dma_read(pci_dev, paddr, , 32);
-
-memcpy(obuf, buf, sizeof(obuf));
-
-if ((buf[0] & 0xff) == 2) {
-obuf[0] = 0x49932000 + 0x54dc200 * buf[2] + 0x7429b578 * buf[3];
-obuf[0] |=  (buf[2] * buf[3]) & 0xff;
-obuf[1] = 0x0132bb37 + 0xe89 * buf[2] + 0xf09 * buf[3];
-obuf[2] = 0x0066c2e9 + 0x2091 * buf[2] + 0x19bd * buf[3];
-obuf[3] = 0xd5281342 + 0x2cc9691 * buf[2] + 0x2367662 * buf[3];
-obuf[4] = 0x0123c75c + 0x1595 * buf[2] + 0x19ec * buf[3];
-obuf[5] = 0x00f695de + 0x26fd * buf[2] + 0x3e9 * buf[3];
-obuf[6] = obuf[2] ^ obuf[3] ^ 0x29472956;
-obuf[7] = obuf[2] ^ obuf[3] ^ 0x65866593;
-}
-
-pci_dma_write(pci_dev, paddr, , 32);
-}
-
 static void xhci_process_commands(XHCIState *xhci)
 {
 XHCITRB trb;
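Review bot: the commit message undersells this as a cleanup; it is also a hardening change worth naming as such. xhci_via_challenge performed a 32-byte pci_dma_read and pci_dma_write at a guest-supplied trb.parameter address with only xhci_mask64 applied, so any guest could drive that DMA round-trip by queuing a type-48 command on the command ring. After the removal the type is no longer matched in xhci_process_commands and is treated like any other unrecognised command, which is the right outcome for a vendor quirk no emulated controller model advertised.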
@@ -2743,9 +2715,6 @@ static void xhci_process_commands(XHCIState *xhci)
 case CR_GET_PORT_BANDWIDTH:
 event.ccode = xhci_get_port_bandwidth(xhci, trb.parameter);
 break;
-case CR_VENDOR_VIA_CHALLENGE_RESPONSE:
-xhci_via_challenge(xhci, trb.parameter);
-break;
 case CR_VENDOR_NEC_FIRMWARE_REVISION:
 if (xhci->nec_quirks) {
 event.type = 48; /* NEC reply */
-- 
1.8.3.1




[Qemu-devel] [PULL 00/11] usb patch queue

2017-02-20 Thread Gerd Hoffmann
  Hi,

Here is the usb patch queue, bringing the usual share of bugfixes.
Also a generic xhci device variant (qemu-xhci).

please pull,
  Gerd

The following changes since commit 56f9e46b841c7be478ca038d8d4085d776ab4b0d:

  Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-02-20' into 
staging (2017-02-20 17:42:47 +)

are available in the git repository at:


  git://git.kraxel.org/qemu tags/pull-usb-20170221-1

for you to fetch changes up to 31fba485a348f8e2699d7c3dd15e1819ad2c:

  usb-ccid: add check message size checks (2017-02-21 08:11:43 +0100)


xhci: add qemu-xhci device, some followup cleanups.
ccid: better sanity checking.
ehci: fix memory leak
ohci: bugfixes.


Gerd Hoffmann (8):
  xhci: apply limits to loops
  xhci: drop ER_FULL_HACK workaround
  xhci: add qemu xhci controller
  xhci: fix nec vendor quirk handling
  xhci: drop via vendor command handling
  usb-ccid: better bulk_out error handling
  usb-ccid: move header size check
  usb-ccid: add check message size checks

Li Qiang (3):
  usb: ehci: fix memory leak in ehci
  usb: ohci: fix error return code in servicing iso td
  usb: ohci: limit the number of link eds

 docs/specs/pci-ids.txt|   1 +
 hw/usb/dev-smartcard-reader.c | 140 +---
 hw/usb/hcd-ehci-pci.c |   9 ++
 hw/usb/hcd-ehci.c |   5 +
 hw/usb/hcd-ehci.h |   1 +
 hw/usb/hcd-ohci.c |  11 +-
 hw/usb/hcd-xhci.c | 247 +++---
 hw/usb/trace-events   |   1 +
 include/hw/pci/pci.h  |   1 +
 9 files changed, 193 insertions(+), 223 deletions(-)



[Qemu-devel] [PULL 10/11] usb-ccid: move header size check

2017-02-20 Thread Gerd Hoffmann
Move up header size check, so we can use header fields in sanity checks
(in followup patches).  Also reword the debug message.

Signed-off-by: Gerd Hoffmann 
Reviewed-by: Marc-André Lureau 
Message-id: 1487250819-23764-3-git-send-email-kra...@redhat.com
---
 hw/usb/dev-smartcard-reader.c | 13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index badcfcb..1acc1fb 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -1003,21 +1003,20 @@ static void ccid_handle_bulk_out(USBCCIDState *s, 
USBPacket *p)
 if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) {
 goto err;
 }
-ccid_header = (CCID_Header *)s->bulk_out_data;
 usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size);
 s->bulk_out_pos += p->iov.size;
+if (s->bulk_out_pos < 10) {
+DPRINTF(s, 1, "%s: header incomplete\n", __func__);
+goto err;
+}
+
+ccid_header = (CCID_Header *)s->bulk_out_data;
 if (p->iov.size == CCID_MAX_PACKET_SIZE) {
 DPRINTF(s, D_VERBOSE,
 "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
 p->iov.size, ccid_header->dwLength);
 return;
 }
-if (s->bulk_out_pos < 10) {
-DPRINTF(s, 1,
-"%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n",
-__func__);
-goto err;
-}
 
 DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
 ccid_header->bMessageType,
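Review bot: moving the `s->bulk_out_pos < 10` test ahead of the early return is behaviour-preserving, and the commit message could say so: a packet of CCID_MAX_PACKET_SIZE bytes always leaves bulk_out_pos at or above 10, so the old ordering never reached the header check from that path either. What actually changes is that ccid_header is now only dereferenced once a full 10-byte header is buffered, which is what lets the follow-up patch use dwLength in the "expecting more" condition. Minor: the remaining debug message still says bulk_in in the bulk-out handler.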
-- 
1.8.3.1
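As an added example (not QEMU code, and not part of either patch), here is the reassembly logic that PULL 10/11 and PULL 11/11 together establish, modelled on a small constructed buffer: the header must be complete before dwLength is read, a full-size packet only defers when the header says more is due, and the announced length must equal what actually arrived. The header and packet sizes are the patches' values; BULK_OUT_DATA_SIZE, the ccid_reasm_t state and the feed_* helpers are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the usb-ccid bulk-out reassembly path. Header and
 * packet sizes are the patches' values; BULK_OUT_DATA_SIZE is hypothetical. */
#define CCID_HDR_SIZE        10
#define CCID_MAX_PACKET_SIZE 64
#define BULK_OUT_DATA_SIZE   4096

typedef enum {
    CCID_ERROR     = -1,   /* malformed stream: drop what was buffered */
    CCID_NEED_MORE = 0,    /* header announces more bytes than received */
    CCID_COMPLETE  = 1,    /* exactly one whole message is buffered */
} ccid_status_t;

typedef struct {
    uint8_t  data[BULK_OUT_DATA_SIZE];
    uint32_t pos;          /* bytes buffered so far (bulk_out_pos) */
} ccid_reasm_t;

/* dwLength occupies bytes 1..4 of the CCID header, little-endian. */
static uint32_t ccid_hdr_length(const uint8_t *hdr)
{
    return (uint32_t)hdr[1] | ((uint32_t)hdr[2] << 8) |
           ((uint32_t)hdr[3] << 16) | ((uint32_t)hdr[4] << 24);
}

static void ccid_put_header(uint8_t *hdr, uint8_t type, uint32_t dwLength)
{
    memset(hdr, 0, CCID_HDR_SIZE);
    hdr[0] = type;
    hdr[1] = (uint8_t)dwLength;
    hdr[2] = (uint8_t)(dwLength >> 8);
    hdr[3] = (uint8_t)(dwLength >> 16);
    hdr[4] = (uint8_t)(dwLength >> 24);
}

/* Feed one bulk-out USB packet. Checks run in the order the two patches
 * establish: capacity, header complete, expecting more, announced == actual. */
static ccid_status_t ccid_bulk_out(ccid_reasm_t *s, const uint8_t *pkt, size_t len)
{
    uint32_t dwLength, payload;

    if (len + s->pos > BULK_OUT_DATA_SIZE) {
        s->pos = 0;
        return CCID_ERROR;
    }
    memcpy(s->data + s->pos, pkt, len);
    s->pos += (uint32_t)len;

    /* Never read a header field before the whole header is in (PULL 10/11). */
    if (s->pos < CCID_HDR_SIZE) {
        s->pos = 0;
        return CCID_ERROR;
    }
    dwLength = ccid_hdr_length(s->data);
    payload  = s->pos - CCID_HDR_SIZE;   /* cannot underflow: pos >= 10 */

    /* Defer only if more is due AND this packet was full-size; a short packet
     * terminates the USB transfer, so nothing more will come (PULL 11/11). */
    if (payload < dwLength && len == CCID_MAX_PACKET_SIZE) {
        return CCID_NEED_MORE;
    }
    /* Announced and actual sizes must agree, so a lying dwLength never steers
     * whatever parses the buffer next (the CVE-2017-5898 class of bug). */
    if (payload != dwLength) {
        s->pos = 0;
        return CCID_ERROR;
    }
    s->pos = 0;            /* message consumed; ready for the next one */
    return CCID_COMPLETE;
}

/* Constructed input: one packet whose header announces `announced` payload
 * bytes but actually carries `actual` (at most 54, so the packet is <= 64). */
static int feed_one_packet(uint32_t announced, size_t actual)
{
    ccid_reasm_t s = { .pos = 0 };
    uint8_t pkt[CCID_HDR_SIZE + 54];
    ccid_put_header(pkt, 0x6f /* PC_to_RDR_XfrBlock */, announced);
    memset(pkt + CCID_HDR_SIZE, 0xaa, actual);
    return ccid_bulk_out(&s, pkt, CCID_HDR_SIZE + actual);
}

/* Constructed input: a 100-byte payload split into one full 64-byte packet
 * (header + 54 bytes) followed by the remaining 46 bytes. */
static int feed_two_packets(void)
{
    ccid_reasm_t s = { .pos = 0 };
    uint8_t first[CCID_MAX_PACKET_SIZE], rest[46];
    ccid_put_header(first, 0x6f, 100);
    memset(first + CCID_HDR_SIZE, 0xbb, sizeof(first) - CCID_HDR_SIZE);
    memset(rest, 0xbb, sizeof(rest));
    if (ccid_bulk_out(&s, first, sizeof(first)) != CCID_NEED_MORE) {
        return CCID_ERROR;
    }
    return ccid_bulk_out(&s, rest, sizeof(rest));
}
```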




[Qemu-devel] [PULL 02/11] usb: ohci: fix error return code in servicing iso td

2017-02-20 Thread Gerd Hoffmann
From: Li Qiang 

It should return 1 if an error occurs when reading iso td.
This will avoid an infinite loop issue in ohci_service_ed_list.

Signed-off-by: Li Qiang 
Message-id: 5899ac3e.1033240a.944d5.9...@mx.google.com
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ohci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index c82a92f..2cba3e3 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -725,7 +725,7 @@ static int ohci_service_iso_td(OHCIState *ohci, struct 
ohci_ed *ed,
 if (ohci_read_iso_td(ohci, addr, _td)) {
 trace_usb_ohci_iso_td_read_failed(addr);
 ohci_die(ohci);
-return 0;
+return 1;
 }
 
 starting_frame = OHCI_BM(iso_td.flags, TD_SF);
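Review bot: returning 1 after ohci_die() follows the convention the commit message describes (a nonzero return stops ohci_service_ed_list), but in isolation the change reads as "report an error" rather than "stop servicing the list", so a short comment at the return, or a named constant, would keep the next reader from reverting it. It is also worth checking any other ohci_die() exit in this file that still returns 0, since each one leaves the ED list loop spinning on a controller that is already dead.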
-- 
1.8.3.1




[Qemu-devel] [PULL 04/11] xhci: apply limits to loops

2017-02-20 Thread Gerd Hoffmann
Limits should be big enough that a normal guest should not hit them.
Add a tracepoint to log them, just in case.  Also, while at it,
log the existing link trb limit too.

Reported-by: 李强 
Signed-off-by: Gerd Hoffmann 
Message-id: 1486383669-6421-1-git-send-email-kra...@redhat.com
---
 hw/usb/hcd-xhci.c   | 15 ++-
 hw/usb/trace-events |  1 +
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 54b3901..f3f9579 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
 #define ER_FULL_HACK
 
 #define TRB_LINK_LIMIT  4
+#define COMMAND_LIMIT   256
+#define TRANSFER_LIMIT  256
 
 #define LEN_CAP 0x40
 #define LEN_OPER(0x400 + 0x10 * MAXPORTS)
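Review bot: COMMAND_LIMIT and TRANSFER_LIMIT are bare magic numbers next to TRB_LINK_LIMIT; a comment giving the reasoning for 256 (why it is comfortably above what a real guest queues per kick) would help whoever has to tune them later, and the commit message's "big enough" claim belongs in the code where the numbers live.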
@@ -1032,6 +1034,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing 
*ring, XHCITRB *trb,
 return type;
 } else {
 if (++link_cnt > TRB_LINK_LIMIT) {
+trace_usb_xhci_enforced_limit("trb-link");
 return 0;
 }
 ring->dequeue = xhci_mask64(trb->parameter);
@@ -2150,6 +2153,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, 
unsigned int streamid)
 XHCIRing *ring;
 USBEndpoint *ep = NULL;
 uint64_t mfindex;
+unsigned int count = 0;
 int length;
 int i;
 
@@ -2262,6 +2266,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, 
unsigned int streamid)
 epctx->retry = xfer;
 break;
 }
+if (count++ > TRANSFER_LIMIT) {
+trace_usb_xhci_enforced_limit("transfers");
+break;
+}
 }
 epctx->kick_active--;
 
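Review bot: `count++ > TRANSFER_LIMIT` compares before incrementing and starts at 0, so the break fires only after the 258th transfer has been handled; `++count > TRANSFER_LIMIT` would make the constant mean what it says, and the same applies to the COMMAND_LIMIT check below. Also note what the break leaves behind: kick_active is decremented and whatever is still on the ring stays queued, so a well-behaved guest that exceeds the bound sees those transfers deferred to the next kick rather than dropped. That is fine against a hostile guest, but the commit message should say so.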
@@ -2734,7 +2742,7 @@ static void xhci_process_commands(XHCIState *xhci)
 TRBType type;
 XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS};
 dma_addr_t addr;
-unsigned int i, slotid = 0;
+unsigned int i, slotid = 0, count = 0;
 
 DPRINTF("xhci_process_commands()\n");
 if (!xhci_running(xhci)) {
@@ -2848,6 +2856,11 @@ static void xhci_process_commands(XHCIState *xhci)
 }
 event.slotid = slotid;
 xhci_event(xhci, , 0);
+
+if (count++ > COMMAND_LIMIT) {
+trace_usb_xhci_enforced_limit("commands");
+return;
+}
 }
 }
 
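Review bot: the early return leaves the remaining commands on the ring unprocessed, and nothing in this hunk re-arms processing, so if the guest does not ring the command doorbell again they sit there until it does. If that is intended (more than 256 commands queued at once is treated as suspicious), state it in the commit message; otherwise a deferred re-kick would be friendlier to a guest that is merely busy. On the positive side, the trace point fires with a fixed string, which makes usb_xhci_enforced_limit a cheap host-side signal that a guest is driving the controller into its loop bounds.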
diff --git a/hw/usb/trace-events b/hw/usb/trace-events
index fdd1d29..0c323d4 100644
--- a/hw/usb/trace-events
+++ b/hw/usb/trace-events
@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p"
 usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d"
 usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d"
 usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)"
+usb_xhci_enforced_limit(const char *item) "%s"
 
 # hw/usb/desc.c
 usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret 
%d"
-- 
1.8.3.1




[Qemu-devel] [PULL 03/11] usb: ohci: limit the number of link eds

2017-02-20 Thread Gerd Hoffmann
From: Li Qiang 

The guest may build an infinite loop with link eds. This patch
limits the number of linked eds to avoid this.

Signed-off-by: Li Qiang 
Message-id: 5899a02e.45ca240a.6c373.9...@mx.google.com
Signed-off-by: Gerd Hoffmann 
---
 hw/usb/hcd-ohci.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index 2cba3e3..21c93e0 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -42,6 +42,8 @@
 
 #define OHCI_MAX_PORTS 15
 
+#define ED_LINK_LIMIT 4
+
 static int64_t usb_frame_time;
 static int64_t usb_bit_time;
 
@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t 
head, int completion)
 uint32_t next_ed;
 uint32_t cur;
 int active;
-
+uint32_t link_cnt = 0;
 active = 0;
 
 if (head == 0)
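Review bot: the blank line separating the local declarations from `active = 0;` was removed instead of `uint32_t link_cnt = 0;` simply being appended to the declaration block; keep the separator (style only).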
@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, 
uint32_t head, int completion)
 
 next_ed = ed.next & OHCI_DPTR_MASK;
 
+if (++link_cnt > ED_LINK_LIMIT) {
+ohci_die(ohci);
+return 0;
+}
+
 if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
 uint32_t addr;
 /* Cancel pending packets for ED that have been paused.  */
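Review bot: ED_LINK_LIMIT of 4 bounds the length of the whole ED list, not just the presence of a cycle: link_cnt increments for every ED visited from head, so a guest with five or more endpoint descriptors legitimately chained on one control or bulk list hits ohci_die() on normal traffic. If the aim is only to break a self-referencing list, either raise the limit well above the number of endpoints a guest can reasonably have, or detect the cycle directly (stop when next_ed returns to head, or track visited addresses), and name the chosen reasoning in the commit message.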
-- 
1.8.3.1
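As an added example (not QEMU code, and not part of either patch), a constructed model of what the ohci ED-link limit above and the xhci loop limits in PULL 04/11 do: walk a guest-built list of descriptors with a bounded counter so that a self-referencing list terminates, and see what the bound costs a legitimate but longer list. The simulated guest memory, the sim_* types, run_scenario and run_bad_link are assumptions made for this example; ED_LINK_LIMIT and the `++link_cnt > limit` and `count++ > limit` forms are the patches' own.

```c
#include <stdint.h>

/* Constructed model of an OHCI endpoint-descriptor (ED) list in guest memory:
 * `next` is the index of the next ED and 0 ends the list (the real driver
 * masks a guest physical address with OHCI_DPTR_MASK instead). */
#define SIM_GUEST_EDS 16
#define ED_LINK_LIMIT  4              /* the patch's value */

typedef struct {
    uint32_t next;
    uint32_t serviced;                /* how often the walker touched this ED */
} sim_ed_t;

typedef struct {
    sim_ed_t eds[SIM_GUEST_EDS];      /* "guest memory"; slot 0 is the null link */
    int died;                         /* set when the walker gives up (ohci_die) */
} sim_guest_t;

/* Walk the list from `head`, servicing each ED, with the patch's bound
 * (++link_cnt > limit aborts). Returns EDs serviced, or -1 on abort. */
static int walk_ed_list(sim_guest_t *g, uint32_t head, uint32_t limit)
{
    uint32_t cur = head, link_cnt = 0;
    int serviced = 0;

    while (cur != 0) {
        sim_ed_t *ed;
        if (cur >= SIM_GUEST_EDS) {   /* link points outside guest RAM */
            g->died = 1;
            return -1;
        }
        ed = &g->eds[cur];
        if (++link_cnt > limit) {     /* cycle, or a chain longer than allowed */
            g->died = 1;
            return -1;
        }
        ed->serviced++;
        serviced++;
        cur = ed->next;               /* guest-controlled: never trusted to end */
    }
    return serviced;
}

/* Build the chain 1 -> 2 -> ... -> n -> 0, or close it into a cycle by
 * pointing the last ED back at the first. */
static void build_chain(sim_guest_t *g, uint32_t n, int cyclic)
{
    uint32_t i;
    for (i = 0; i < SIM_GUEST_EDS; i++) {
        g->eds[i].next = 0;
        g->eds[i].serviced = 0;
    }
    g->died = 0;
    for (i = 1; i <= n; i++) {
        g->eds[i].next = (i < n) ? i + 1 : (cyclic ? 1u : 0u);
    }
}

/* Constructed scenario: a chain of n EDs (cyclic or not) walked with `limit`;
 * returns the walker's result so the trade-off of the bound can be checked. */
static int run_scenario(uint32_t n, int cyclic, uint32_t limit)
{
    sim_guest_t g;
    build_chain(&g, n, cyclic);
    return walk_ed_list(&g, 1, limit);
}

/* A link that leaves guest RAM is refused before anything dereferences it. */
static int run_bad_link(void)
{
    sim_guest_t g;
    build_chain(&g, 2, 0);
    g.eds[2].next = 0xdead;
    return walk_ed_list(&g, 1, ED_LINK_LIMIT);
}

/* Loop-body executions before the bound fires, for the two spellings used on
 * this page: `count++ > limit` (xhci) versus `++count > limit` (ohci). */
static int bodies_before_break(unsigned int limit, int post_increment)
{
    unsigned int count = 0;
    int bodies = 0;
    for (;;) {
        bodies++;
        if (post_increment ? (count++ > limit) : (++count > limit)) {
            return bodies;
        }
    }
}
```

With the patch's limit of 4 a cycle of two EDs is stopped, but so is an honest chain of five, which is the trade-off the counter-based bound makes.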




Re: [Qemu-devel] [PATCH v8 0/8] Add support for VM Generation ID

2017-02-20 Thread Gerd Hoffmann
  Hi,

> Gerd - are you planning to backport this series to the stable branch?

Yes.  Unless we'll have a 1.11 release next week, which I doubt ;)

cheers,
  Gerd




Re: [Qemu-devel] [PULL 0/2] QAPI patches for 2017-02-20

2017-02-20 Thread Zhang Chen

Hi~ Markus.

This patch set has been reviewed for a long time, can you pick it up?

[PATCH V7 0/2] Add new qmp commands to suppurt Xen COLO

Thanks

Zhang Chen


On 02/20/2017 09:33 PM, Markus Armbruster wrote:

The following changes since commit d514cfd763b271b4e97a9fc6adaabc8fd50084ab:

   Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging 
(2017-02-20 09:53:59 +)

are available in the git repository at:

   git://repo.or.cz/qemu/armbru.git tags/pull-qapi-2017-02-20

for you to fetch changes up to fea346f569d4132296f7c26367374fcace80e096:

   Makefile: Put VERSION info into version.texi rather than using -D 
(2017-02-20 14:11:07 +0100)


QAPI patches for 2017-02-20


Marc-André Lureau (1):
   qapi2texi: replace quotation by bold section name

Peter Maydell (1):
   Makefile: Put VERSION info into version.texi rather than using -D

  .gitignore |  1 +
  Makefile   | 17 ++---
  docs/qemu-ga-ref.texi  |  2 ++
  docs/qemu-qmp-ref.texi |  2 ++
  scripts/qapi2texi.py   | 10 --
  5 files changed, 19 insertions(+), 13 deletions(-)



--
Thanks
Zhang Chen






[Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd

2017-02-20 Thread jazeltq
From: tianqing 

Rbd can do readv and writev directly, so we do not need to transform
iov to buf or vice versa any more.

Signed-off-by: tianqing 
---
 block/rbd.c | 80 ++---
 1 file changed, 56 insertions(+), 24 deletions(-)

diff --git a/block/rbd.c b/block/rbd.c
index a57b3e3..22e8e69 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -62,6 +62,13 @@
 #define RBD_MAX_SNAP_NAME_SIZE 128
 #define RBD_MAX_SNAPS 100
 
+/* The LIBRBD_SUPPORTS_IOVEC is defined in librbd.h */
+#ifdef LIBRBD_SUPPORTS_IOVEC
+#define LIBRBD_USE_IOVEC 1
+#else
+#define LIBRBD_USE_IOVEC 0
+#endif
+
 typedef enum {
 RBD_AIO_READ,
 RBD_AIO_WRITE,
@@ -310,6 +317,17 @@ static int qemu_rbd_set_conf(rados_t cluster, const char 
*conf,
 return ret;
 }
 
+static void qemu_rbd_memset(RADOSCB *rcb, int64_t offs)
+{
+if (LIBRBD_USE_IOVEC) {
+RBDAIOCB *acb = rcb->acb;
+iov_memset(acb->qiov->iov, acb->qiov->niov, offs, 0,
+   acb->qiov->size - offs);
+} else {
+memset(rcb->buf + offs, 0, rcb->size - offs);
+}
+}
+
 static int qemu_rbd_create(const char *filename, QemuOpts *opts, Error **errp)
 {
 Error *local_err = NULL;
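Review bot: qemu_rbd_memset is only meaningful for reads, where acb->qiov is non-NULL; rbd_start_aio only asserts `!qiov || qiov->size == size`, so the discard and flush paths carry a NULL qiov and the iovec branch here would dereference it if the completion path ever called this for those commands. An assert(acb->qiov) or a comment stating the function is for reads only would make that contract explicit. Also `offs` is declared int64_t while acb->qiov->size is a size_t; using one unsigned type for the offset avoids a mixed-sign comparison.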
@@ -426,11 +444,11 @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
 }
 } else {
 if (r < 0) {
-memset(rcb->buf, 0, rcb->size);
+qemu_rbd_memset(rcb, 0);
 acb->ret = r;
 acb->error = 1;
 } else if (r < rcb->size) {
-memset(rcb->buf + r, 0, rcb->size - r);
+qemu_rbd_memset(rcb, r);
 if (!acb->error) {
 acb->ret = rcb->size;
 }
@@ -441,10 +459,13 @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
 
 g_free(rcb);
 
-if (acb->cmd == RBD_AIO_READ) {
-qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
+if (!LIBRBD_USE_IOVEC) {
+if (acb->cmd == RBD_AIO_READ) {
+qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
+}
+qemu_vfree(acb->bounce);
 }
-qemu_vfree(acb->bounce);
+
 acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
 
 qemu_aio_unref(acb);
@@ -655,7 +676,6 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 RBDAIOCB *acb;
 RADOSCB *rcb = NULL;
 rbd_completion_t c;
-char *buf;
 int r;
 
 BDRVRBDState *s = bs->opaque;
@@ -664,27 +684,29 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 acb->cmd = cmd;
 acb->qiov = qiov;
 assert(!qiov || qiov->size == size);
-if (cmd == RBD_AIO_DISCARD || cmd == RBD_AIO_FLUSH) {
-acb->bounce = NULL;
-} else {
-acb->bounce = qemu_try_blockalign(bs, qiov->size);
-if (acb->bounce == NULL) {
-goto failed;
+
+rcb = g_new(RADOSCB, 1);
+
+if (!LIBRBD_USE_IOVEC) {
+if (cmd == RBD_AIO_DISCARD || cmd == RBD_AIO_FLUSH) {
+acb->bounce = NULL;
+} else {
+acb->bounce = qemu_try_blockalign(bs, qiov->size);
+if (acb->bounce == NULL) {
+goto failed;
+}
 }
+if (cmd == RBD_AIO_WRITE) {
+qemu_iovec_to_buf(acb->qiov, 0, acb->bounce, qiov->size);
+}
+rcb->buf = acb->bounce;
 }
+
 acb->ret = 0;
 acb->error = 0;
 acb->s = s;
 
-if (cmd == RBD_AIO_WRITE) {
-qemu_iovec_to_buf(acb->qiov, 0, acb->bounce, qiov->size);
-}
-
-buf = acb->bounce;
-
-rcb = g_new(RADOSCB, 1);
 rcb->acb = acb;
-rcb->buf = buf;
 rcb->s = acb->s;
 rcb->size = size;
 r = rbd_aio_create_completion(rcb, (rbd_callback_t) rbd_finish_aiocb, );
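Review bot: in the LIBRBD_USE_IOVEC build neither rcb->buf nor acb->bounce is ever assigned (rcb comes from g_new, not g_new0), and both are now only touched behind `!LIBRBD_USE_IOVEC` checks; that is correct today but fragile, so set `rcb->buf = NULL` and `acb->bounce = NULL` unconditionally (or allocate rcb with g_new0) so a future unguarded use fails loudly instead of reading uninitialised memory. Moving `rcb = g_new(RADOSCB, 1)` above the bounce allocation is fine for the `goto failed` path, but it makes the `RADOSCB *rcb = NULL` initialiser at the top of the function dead.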
@@ -694,10 +716,18 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 
 switch (cmd) {
 case RBD_AIO_WRITE:
-r = rbd_aio_write(s->image, off, size, buf, c);
+#ifdef LIBRBD_SUPPORTS_IOVEC
+r = rbd_aio_writev(s->image, qiov->iov, qiov->niov, off, c);
+#else
+r = rbd_aio_write(s->image, off, size, rcb->buf, c);
+#endif
 break;
 case RBD_AIO_READ:
-r = rbd_aio_read(s->image, off, size, buf, c);
+#ifdef LIBRBD_SUPPORTS_IOVEC
+r = rbd_aio_readv(s->image, qiov->iov, qiov->niov, off, c);
+#else
+r = rbd_aio_read(s->image, off, size, rcb->buf, c);
+#endif
 break;
 case RBD_AIO_DISCARD:
 r = rbd_aio_discard_wrapper(s->image, off, size, c);
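Review bot: the dispatch uses `#ifdef LIBRBD_SUPPORTS_IOVEC` while the rest of the patch tests `if (LIBRBD_USE_IOVEC)`; that is unavoidable here because rbd_aio_readv and rbd_aio_writev do not exist as symbols in older librbd (as the v5 review on this page noted), so a one-line comment saying why these two sites must stay preprocessor-guarded would stop someone "cleaning them up" into a link failure.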
@@ -712,14 +742,16 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 if (r < 0) {
 goto failed_completion;
 }
-
 return >common;
 
 failed_completion:
 rbd_aio_release(c);
 failed:
 g_free(rcb);
-qemu_vfree(acb->bounce);
+if (!LIBRBD_USE_IOVEC) {
+qemu_vfree(acb->bounce);
+}
+
 qemu_aio_unref(acb);
 return NULL;
 }
-- 
2.10.2




[Qemu-devel] [PATCH] memory: make ram device read/write endian sensitive

2017-02-20 Thread Yongji Xie
At the moment the ram device's memory regions are NATIVE_ENDIAN. This does
not work on PPC64 because the VFIO PCI device is little endian but PPC64
always defines the static macro TARGET_WORDS_BIGENDIAN.

This fixes endianness for the ram device the same way as it is done
for the VFIO region in commit 6758008e2c4e79fb6bd04fe8e7a41665fa583965.

Signed-off-by: Yongji Xie 
---
 memory.c |   14 +++---
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/memory.c b/memory.c
index 6c58373..1ccb99f 100644
--- a/memory.c
+++ b/memory.c
@@ -1139,13 +1139,13 @@ static uint64_t memory_region_ram_device_read(void 
*opaque,
 data = *(uint8_t *)(mr->ram_block->host + addr);
 break;
 case 2:
-data = *(uint16_t *)(mr->ram_block->host + addr);
+data = le16_to_cpu(*(uint16_t *)(mr->ram_block->host + addr));
 break;
 case 4:
-data = *(uint32_t *)(mr->ram_block->host + addr);
+data = le32_to_cpu(*(uint32_t *)(mr->ram_block->host + addr));
 break;
 case 8:
-data = *(uint64_t *)(mr->ram_block->host + addr);
+data = le64_to_cpu(*(uint64_t *)(mr->ram_block->host + addr));
 break;
 }
 
@@ -1166,13 +1166,13 @@ static void memory_region_ram_device_write(void 
*opaque, hwaddr addr,
 *(uint8_t *)(mr->ram_block->host + addr) = (uint8_t)data;
 break;
 case 2:
-*(uint16_t *)(mr->ram_block->host + addr) = (uint16_t)data;
+*(uint16_t *)(mr->ram_block->host + addr) = 
cpu_to_le16((uint16_t)data);
 break;
 case 4:
-*(uint32_t *)(mr->ram_block->host + addr) = (uint32_t)data;
+*(uint32_t *)(mr->ram_block->host + addr) = 
cpu_to_le32((uint32_t)data);
 break;
 case 8:
-*(uint64_t *)(mr->ram_block->host + addr) = data;
+*(uint64_t *)(mr->ram_block->host + addr) = cpu_to_le64(data);
 break;
 }
 }
@@ -1180,7 +1180,7 @@ static void memory_region_ram_device_write(void *opaque, 
hwaddr addr,
 static const MemoryRegionOps ram_device_mem_ops = {
 .read = memory_region_ram_device_read,
 .write = memory_region_ram_device_write,
-.endianness = DEVICE_NATIVE_ENDIAN,
+.endianness = DEVICE_LITTLE_ENDIAN,
 .valid = {
 .min_access_size = 1,
 .max_access_size = 8,
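Review bot: this fixes every ram device region to little-endian, not only the VFIO-backed regions the commit message cites: the accessors now swap with le16/32/64_to_cpu and cpu_to_le16/32/64 and the ops declare DEVICE_LITTLE_ENDIAN, which is consistent for a PCI BAR exported by VFIO but rules out any memory_region_init_ram_device_ptr user that backs a big-endian device. Either state in the commit message that all current users are little-endian (PCI) devices, or let the caller choose the endianness of the region. The 1-byte case correctly stays a plain access.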
-- 
1.7.1




Re: [Qemu-devel] [PATCH] vfio/pci-quirks.c: Disable stolen memory for igd VFIO

2017-02-20 Thread Zhang, Xiong Y
> On Mon, 20 Feb 2017 19:42:54 +0800
> Xiong Zhang  wrote:
> 
> > From: XiongZhang 
> >
> > If IGD isn't assigned at 00:02.0 in UPT and the host bios enables stolen
> > memory, seabios won't reserve stolen memory in E820 for the guest. Then
> > both the Intel graphic driver and others in the guest could use stolen
> > memory, which will generate a system hang. So we should disable stolen
> > memory in this case.
> 
> Wasn't the intent of UPT mode that it removed all of the BIOS and
> chipset dependencies of IGD such that it could be assigned as just
> another PCI device?  Does this mean that the drivers fail to meet that
> promise by evaluating the size and location of stolen memory as
> programmed on the physical device even in UPT mode?
[Zhang, Xiong Y] The intent of UPT mode is correct. The driver also evaluates
the size and location of stolen memory correctly.
The current problem is: when IGD isn't at 00:02.0, seabios doesn't create a memory
region and reserve the memory resource in E820 for stolen memory.
So the guest OS may assign the stolen memory MMIO to other devices; when the IGD driver
accesses stolen memory, it accesses the wrong device and causes a system error.
If the guest OS doesn't assign the stolen memory MMIO to other devices, then there
isn't a gpa to hpa translation for stolen memory, and the guest IGD driver couldn't
access it.
> 
> I'm a little confused by the use of the term "others" here and in the
> comment below.  Can you be more specific what other software beyond the
> graphics driver is evaluating the size or location of stolen memory?
> 
> > Bugzilla:https://bugs.freedesktop.org/show_bug.cgi?id=99028
> >  https://bugs.freedesktop.org/show_bug.cgi?id=99025
> >
> > Signed-off-by: Xiong Zhang 
> > Tested-by: Terrence Xu 
> > ---
> >  hw/vfio/pci-quirks.c | 63
> ++--
> >  1 file changed, 36 insertions(+), 27 deletions(-)
> >
> > diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
> > index 1e97bc4..015d0c2 100644
> > --- a/hw/vfio/pci-quirks.c
> > +++ b/hw/vfio/pci-quirks.c
> > @@ -1364,14 +1364,43 @@ static void
> vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
> >  uint32_t gmch;
> >  uint16_t cmd_orig, cmd;
> >
> > +/* This must be an Intel VGA device. */
> > +if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
> > +!vfio_is_vga(vdev) || nr != 4) {
> > +return;
> > +}
> > +
> >  /*
> > - * This must be an Intel VGA device at address 00:02.0 for us to even
> > - * consider enabling legacy mode.  The vBIOS has dependencies on
> the
> > - * PCI bus address.
> > + * IGD is not a standard, they like to change their specs often.  We
> > + * only attempt to support back to SandBridge and we hope that
> newer
> > + * devices maintain compatibility with generation 8.
> >   */
> > -if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
> > -!vfio_is_vga(vdev) || nr != 4 ||
> > ->pdev !=
> pci_find_device(pci_device_root_bus(>pdev),
> > +gen = igd_gen(vdev);
> > +if (gen != 6 && gen != 8) {
> > +error_report("IGD device %s is unsupported in legacy mode, "
> > + "try SandyBridge or newer",
> vdev->vbasedev.name);
> 
> This is a little bit misleading now since this is no longer exclusively
> a legacy mode path, a user trying to use UPT mode might disregard this
> as noise.  Perhaps...
> 
> error_report("IGD device %s is unsupported by IGD quirks, "
>  "try SandyBridge or newer", vdev->vbasedev.name);
> 
[Zhang, Xiong Y] yes, I will follow it.
> 
> > +return;
> > +}
> > +/*
> > + * If this isn't at address 00:02.0, bios won't reserv stolen
> 
> s/reserv/reserve/
> 
> > + * memory in E820, then others could use stolen memory. If guest
> > + * graphic driver still use stolen memory, system maybe hang.
> > + * so we set stolen memory size to 0 and guest graphic driver won't
> > + * use stolen memory.
> 
> Based on my understanding of the bug, I might suggest:
> 
>   Regardless of running in UPT or legacy mode, the guest graphics
>   driver may attempt to use stolen memory, however only legacy mode has
>   BIOS support for reserving stolen memory in the guest VM.  Emulate
>   the GMCH register in all cases and zero out the stolen memory size
>   here.  Legacy mode may request allocation and re-write this below.
> 
[Zhang, Xiong Y] yes, as you comment, things become clearer. I will
follow it. Thanks a lot.
> > + */
> > +gmch = vfio_pci_read_config(>pdev, IGD_GMCH, 4);
> > +gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
> > +
> > +/* GMCH is read-only, emulated */
> > +pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
> > +pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
> > +pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
> > +
> > +/*
> > + * This must be at 

[Qemu-devel] Recall: [PATCH] vfio/pci-quirks.c: Disable stolen memory for igd VFIO

2017-02-20 Thread Zhang, Xiong Y
Zhang, Xiong Y would like to recall the message, "[Qemu-devel] [PATCH] 
vfio/pci-quirks.c: Disable stolen memory for igd VFIO".


Re: [Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd

2017-02-20 Thread Jeff Cody
On Tue, Feb 21, 2017 at 11:43:36AM +0800, jaze...@gmail.com wrote:
> From: tianqing 
> 
> Rbd can do readv and writev directly, so wo do not need to transform
> iov to buf or vice versa any more.
> 
> Signed-off-by: tianqing 
> ---
>  block/rbd.c | 79 
> ++---
>  1 file changed, 54 insertions(+), 25 deletions(-)
> 


[...]

>  case RBD_AIO_WRITE:
> -r = rbd_aio_write(s->image, off, size, buf, c);
> +if(!LIBRBD_USE_IOVEC)
> +r = rbd_aio_write(s->image, off, size, rcb->buf, c);
> +else
> +r = rbd_aio_writev(s->image, qiov->iov, qiov->niov, off, c);
>  break;
>  case RBD_AIO_READ:
> -r = rbd_aio_read(s->image, off, size, buf, c);
> +if(!LIBRBD_USE_IOVEC)
> +r = rbd_aio_read(s->image, off, size, rcb->buf, c);
> +else
> +r = rbd_aio_readv(s->image, qiov->iov, qiov->niov, off, c);

These will need to stay #ifdef's since they are new symbols.

>  break;
>  case RBD_AIO_DISCARD:
>  r = rbd_aio_discard_wrapper(s->image, off, size, c);
> @@ -712,14 +740,15 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
>  if (r < 0) {
>  goto failed_completion;
>  }
> -
>  return >common;
>  
>  failed_completion:
>  rbd_aio_release(c);
>  failed:
>  g_free(rcb);
> -qemu_vfree(acb->bounce);
> +if(!LIBRBD_USE_IOVEC)
> +qemu_vfree(acb->bounce);
> +
>  qemu_aio_unref(acb);
>  return NULL;
>  }
> -- 
> 2.10.2
>

(Also code formatting as pointed out by patchew)



Re: [Qemu-devel] [PATCH] vfio/pci-quirks.c: Disable stolen memory for igd VFIO

2017-02-20 Thread Zhang, Xiong Y
> 
> On Mon, 20 Feb 2017 19:42:54 +0800
> Xiong Zhang  wrote:
> 
> > From: XiongZhang 
> >
> > If IGD isn't assigned at 00:02.0 in UPT and the host bios enables stolen
> > memory, seabios won't reserve stolen memory in E820 for the guest. Then
> > both the Intel graphic driver and others in the guest could use stolen
> > memory, which will generate a system hang. So we should disable stolen
> > memory in this case.
> 
> Wasn't the intent of UPT mode that it removed all of the BIOS and
> chipset dependencies of IGD such that it could be assigned as just
> another PCI device?  Does this mean that the drivers fail to meet that
> promise by evaluating the size and location of stolen memory as
> programmed on the physical device even in UPT mode?
[Zhang, Xiong Y] The intent of UPT mode is correct. The driver also evaluates
the size and location of stolen memory correctly.
The current problem is: when IGD isn't at 00:02.0, seabios doesn't create a memory
region and reserve the memory resource in E820 for stolen memory.
So the guest OS may assign the stolen memory MMIO to other devices; when the IGD driver
accesses stolen memory, it accesses the wrong device and causes a system error.
If the guest OS doesn't assign the stolen memory MMIO to other devices, then there
isn't a gpa to hpa translation for stolen memory, and the guest IGD driver couldn't
access it.
> 
> I'm a little confused by the use of the term "others" here and in the
> comment below.  Can you be more specific what other software beyond the
> graphics driver is evaluating the size or location of stolen memory?
> 
> > Bugzilla:https://bugs.freedesktop.org/show_bug.cgi?id=99028
> >  https://bugs.freedesktop.org/show_bug.cgi?id=99025
> >
> > Signed-off-by: Xiong Zhang 
> > Tested-by: Terrence Xu 
> > ---
> >  hw/vfio/pci-quirks.c | 63
> ++--
> >  1 file changed, 36 insertions(+), 27 deletions(-)
> >
> > diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
> > index 1e97bc4..015d0c2 100644
> > --- a/hw/vfio/pci-quirks.c
> > +++ b/hw/vfio/pci-quirks.c
> > @@ -1364,14 +1364,43 @@ static void
> vfio_probe_igd_bar4_quirk(VFIOPCIDevice *vdev, int nr)
> >  uint32_t gmch;
> >  uint16_t cmd_orig, cmd;
> >
> > +/* This must be an Intel VGA device. */
> > +if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
> > +!vfio_is_vga(vdev) || nr != 4) {
> > +return;
> > +}
> > +
> >  /*
> > - * This must be an Intel VGA device at address 00:02.0 for us to even
> > - * consider enabling legacy mode.  The vBIOS has dependencies on
> the
> > - * PCI bus address.
> > + * IGD is not a standard, they like to change their specs often.  We
> > + * only attempt to support back to SandBridge and we hope that
> newer
> > + * devices maintain compatibility with generation 8.
> >   */
> > -if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
> > -!vfio_is_vga(vdev) || nr != 4 ||
> > ->pdev !=
> pci_find_device(pci_device_root_bus(>pdev),
> > +gen = igd_gen(vdev);
> > +if (gen != 6 && gen != 8) {
> > +error_report("IGD device %s is unsupported in legacy mode, "
> > + "try SandyBridge or newer",
> vdev->vbasedev.name);
> 
> This is a little bit misleading now since this is no longer exclusively
> a legacy mode path, a user trying to use UPT mode might disregard this
> as noise.  Perhaps...
> 
> error_report("IGD device %s is unsupported by IGD quirks, "
>  "try SandyBridge or newer", vdev->vbasedev.name);
> 
> 
> > +return;
> > +}
> > +/*
> > + * If this isn't at address 00:02.0, bios won't reserv stolen
> 
> s/reserv/reserve/
> 
> > + * memory in E820, then others could use stolen memory. If guest
> > + * graphic driver still use stolen memory, system maybe hang.
> > + * so we set stolen memory size to 0 and guest graphic driver won't
> > + * use stolen memory.
> 
> Based on my understanding of the bug, I might suggest:
> 
>   Regardless of running in UPT or legacy mode, the guest graphics
>   driver may attempt to use stolen memory, however only legacy mode has
>   BIOS support for reserving stolen memory in the guest VM.  Emulate
>   the GMCH register in all cases and zero out the stolen memory size
>   here.  Legacy mode may request allocation and re-write this below.
> 
> > + */
> > +gmch = vfio_pci_read_config(>pdev, IGD_GMCH, 4);
> > +gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
> > +
> > +/* GMCH is read-only, emulated */
> > +pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
> > +pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
> > +pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
> > +
> > +/*
> > + * This must be at address 00:02.0 for us to even onsider enabling
> > + * legacy mode.  The vBIOS has dependencies on the PCI bus address.
> > +   

Re: [Qemu-devel] [PATCH v1 01/10] target/ppc: support for 32-bit carry and overflow

2017-02-20 Thread Nikunj A Dadhania
Richard Henderson  writes:

> On 02/20/2017 09:11 PM, Nikunj A Dadhania wrote:
>> +#ifndef TARGET_PPC64
>>  static inline target_ulong cpu_read_xer(CPUPPCState *env)
>>  {
>>  return env->xer | (env->so << XER_SO) | (env->ov << XER_OV) | (env->ca 
>> << XER_CA);
>>  }
>> +#else
>> +static inline target_ulong cpu_read_xer(CPUPPCState *env)
>> +{
>> +return env->xer | (env->so << XER_SO) |
>> +(env->ov << XER_OV) | (env->ca << XER_CA) |
>> +(env->ov32 << XER_OV32) | (env->ca32 << XER_CA32);
>> +}
>> +#endif
>>
>> +#ifndef TARGET_PPC64
>>  static inline void cpu_write_xer(CPUPPCState *env, target_ulong xer)
>>  {
>>  env->so = (xer >> XER_SO) & 1;
>> @@ -2355,6 +2371,20 @@ static inline void cpu_write_xer(CPUPPCState *env, 
>> target_ulong xer)
>>  env->ca = (xer >> XER_CA) & 1;
>>  env->xer = xer & ~((1u << XER_SO) | (1u << XER_OV) | (1u << XER_CA));
>>  }
>> +#else
>> +static inline void cpu_write_xer(CPUPPCState *env, target_ulong xer)
>> +{
>> +env->so = (xer >> XER_SO) & 1;
>> +env->ov = (xer >> XER_OV) & 1;
>> +env->ca = (xer >> XER_CA) & 1;
>> +env->ov32 = (xer >> XER_OV32) & 1;
>> +env->ca32 = (xer >> XER_CA32) & 1;
>> +env->xer = xer & ~((1ul << XER_SO) |
>> +   (1ul << XER_OV) | (1ul << XER_CA) |
>> +   (1ul << XER_OV32) | (1ul << XER_CA32));
>> +}
>> +#endif
>
> You should probably move both of these out of line now (perhaps cpu.c).

Sure.


> You probably don't want to set ov32/ca32 unless the cpu is power9.  I assume 
> that if you attempt to set these bits for power8 they are 
> read-as-zero/write-ignore?

Sure, will make it CPU specific.

>> @@ -3715,6 +3719,12 @@ static void gen_read_xer(TCGv dst)
>>  tcg_gen_or_tl(t0, t0, t1);
>>  tcg_gen_or_tl(dst, dst, t2);
>>  tcg_gen_or_tl(dst, dst, t0);
>> +#ifdef TARGET_PPC64
>> +tcg_gen_shli_tl(t0, cpu_ov32, XER_OV32);
>> +tcg_gen_or_tl(dst, dst, t0);
>> +tcg_gen_shli_tl(t0, cpu_ca32, XER_CA32);
>> +tcg_gen_or_tl(dst, dst, t0);
>> +#endif
>>  tcg_temp_free(t0);
>>  tcg_temp_free(t1);
>>  tcg_temp_free(t2);
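
Review bot: this #ifdef TARGET_PPC64 guard is a compile-time test on target width, so every 64-bit model built into the binary (POWER7/8 included) will expose OV32/CA32 through mfxer. If those bits are to read as zero on pre-ISA-3.0 CPUs, the translator needs a per-CPU check at translation time here, not just the target-width guard.
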
>> @@ -3727,9 +3737,14 @@ static void gen_write_xer(TCGv src)
>>  tcg_gen_shri_tl(cpu_so, src, XER_SO);
>>  tcg_gen_shri_tl(cpu_ov, src, XER_OV);
>>  tcg_gen_shri_tl(cpu_ca, src, XER_CA);
>> +tcg_gen_shri_tl(cpu_ov32, src, XER_OV32);
>> +tcg_gen_shri_tl(cpu_ca32, src, XER_CA32);
>>  tcg_gen_andi_tl(cpu_so, cpu_so, 1);
>>  tcg_gen_andi_tl(cpu_ov, cpu_ov, 1);
>>  tcg_gen_andi_tl(cpu_ca, cpu_ca, 1);
>> +tcg_gen_andi_tl(cpu_ov32, cpu_ov32, 1);
>> +tcg_gen_andi_tl(cpu_ca32, cpu_ca32, 1);
>> +
>>  }
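
Review bot: the write side uses cpu_ov32/cpu_ca32 without the #ifdef TARGET_PPC64 that wraps the same globals in gen_read_xer(); if those TCGv globals are only declared for 64-bit targets this will not build for ppc32, so mirror the guard. The blank line added before the closing brace should go too.
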
>
> Watch the blank lines.  No ifdef here on the write side?

Right, will add.

Regards
Nikunj
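
As an added illustration of the semantics this patch implements (this is not code from the patch or from QEMU): a self-contained C model of the XER read/write split and of how CA/OV and the ISA 3.0 CA32/OV32 bits fall out of one 64-bit add. The bit positions are assumed from ISA 3.0 and QEMU's cpu.h (SO=31, OV=30, CA=29, OV32=19, CA32=18); XerState and its has_32bit_flags switch are this example's own stand-ins for CPUPPCState and a per-CPU check, and the read-as-zero/write-ignore behaviour on older CPUs that Richard asks about is assumed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* XER bit numbers counted from the least significant bit, as QEMU's
 * cpu.h does (assumed from ISA 3.0: SO=31, OV=30, CA=29, OV32=19, CA32=18). */
#define XER_SO   31
#define XER_OV   30
#define XER_CA   29
#define XER_OV32 19
#define XER_CA32 18

typedef struct {
    uint64_t xer;            /* residual bits, flag bits masked out */
    int so, ov, ca, ov32, ca32;
    bool has_32bit_flags;    /* ISA 3.0 (POWER9) CPU: OV32/CA32 architected */
} XerState;

/* Mirror of cpu_write_xer(): split the flags out, keep the rest in xer.
 * On CPUs without the 32-bit flags those two bits are write-ignored. */
static void xer_write(XerState *s, uint64_t xer)
{
    uint64_t mask = (1ull << XER_SO) | (1ull << XER_OV) | (1ull << XER_CA) |
                    (1ull << XER_OV32) | (1ull << XER_CA32);

    s->so = (xer >> XER_SO) & 1;
    s->ov = (xer >> XER_OV) & 1;
    s->ca = (xer >> XER_CA) & 1;
    s->ov32 = s->has_32bit_flags ? (xer >> XER_OV32) & 1 : 0;
    s->ca32 = s->has_32bit_flags ? (xer >> XER_CA32) & 1 : 0;
    s->xer = xer & ~mask;
}

/* Mirror of cpu_read_xer(): reassemble the architected value; the 32-bit
 * flags read as zero on CPUs that do not have them. */
static uint64_t xer_read(const XerState *s)
{
    uint64_t v = s->xer | ((uint64_t)s->so << XER_SO) |
                 ((uint64_t)s->ov << XER_OV) | ((uint64_t)s->ca << XER_CA);

    if (s->has_32bit_flags) {
        v |= ((uint64_t)s->ov32 << XER_OV32) | ((uint64_t)s->ca32 << XER_CA32);
    }
    return v;
}

/* 64-bit add updating all four flags the way an addo./addco. would:
 * CA/OV from the full 64-bit result, CA32/OV32 from the low 32 bits. */
static uint64_t add_set_flags(XerState *s, uint64_t a, uint64_t b)
{
    uint64_t r = a + b;
    uint32_t a32 = (uint32_t)a, b32 = (uint32_t)b, r32 = (uint32_t)r;

    s->ca = r < a;                                  /* carry out of bit 63 */
    s->ca32 = r32 < a32;                            /* carry out of bit 31 */
    s->ov = (int64_t)((a ^ r) & (b ^ r)) < 0;       /* same-sign inputs, other-sign result */
    s->ov32 = (int32_t)((a32 ^ r32) & (b32 ^ r32)) < 0;
    s->so |= s->ov;                                 /* SO is sticky */
    if (!s->has_32bit_flags) {
        s->ov32 = s->ca32 = 0;
    }
    return r;
}

/* Run one add on a fresh state and return the XER image it produces. */
static uint64_t flags_after_add(bool power9, uint64_t a, uint64_t b)
{
    XerState s = {0};
    s.has_32bit_flags = power9;
    add_set_flags(&s, a, b);
    return xer_read(&s);
}

/* Write a raw XER value and read it back (what a guest mtxer/mfxer pair sees). */
static uint64_t xer_roundtrip(bool power9, uint64_t v)
{
    XerState s = {0};
    s.has_32bit_flags = power9;
    xer_write(&s, v);
    return xer_read(&s);
}

int main(void)
{
    printf("0xFFFFFFFF + 1 on an ISA 3.0 CPU: XER=%#llx\n",
           (unsigned long long)flags_after_add(true, 0xFFFFFFFFull, 1));
    printf("0x7FFFFFFF + 1 on an ISA 3.0 CPU: XER=%#llx\n",
           (unsigned long long)flags_after_add(true, 0x7FFFFFFFull, 1));
    return 0;
}
```

The two cases in main() are the ones that matter for 32-bit code on a 64-bit core: 0xFFFFFFFF + 1 carries out of bit 31 (CA32) but not out of bit 63, and 0x7FFFFFFF + 1 overflows as a 32-bit signed add (OV32) while the 64-bit flags stay clear.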




Re: [Qemu-devel] [QEMU-PPC] [PATCH V3 04/10] target/ppc/POWER9: Direct all instr and data storage interrupts to the hypv

2017-02-20 Thread Balbir Singh
On Mon, Feb 20, 2017 at 03:04:32PM +1100, Suraj Jitindar Singh wrote:
> The vpm0 bit was removed from the LPCR in POWER9, this bit controlled
> whether ISI and DSI interrupts were directed to the hypervisor or the
> partition. These interrupts now go to the hypervisor irrespective, thus
> it is no longer necessary to check the vpm0 bit in the LPCR.
> 
> Signed-off-by: Suraj Jitindar Singh 
> Reviewed-by: David Gibson 
> ---

Acked-by: Balbir Singh 



Re: [Qemu-devel] [PATCH] mttcg: Set jmp_env to handle exit from tb_gen_code

2017-02-20 Thread Pranith Kumar
On Mon, Feb 20, 2017 at 7:35 PM, Alex Bennée  wrote:
>
> Pranith Kumar  writes:
>
>> Alex Bennée writes:
>>
>>> Pranith Kumar  writes:
>>>
 tb_gen_code() can exit execution using cpu_loop_exit() when it cannot
 allocate new tb's. To handle this, we need to properly set the jmp_env
 pointer ahead of calling tb_gen_code().

 CC:Alex Bennée 
 CC: Richard Henderson 
 Signed-off-by: Pranith Kumar 
 ---
  cpu-exec.c | 23 +++
  1 file changed, 11 insertions(+), 12 deletions(-)

 diff --git a/cpu-exec.c b/cpu-exec.c
 index 97d79612d9..4b70988b24 100644
 --- a/cpu-exec.c
 +++ b/cpu-exec.c
 @@ -236,23 +236,22 @@ static void cpu_exec_step(CPUState *cpu)

  cpu_get_tb_cpu_state(env, , _base, );
  tb_lock();
 -tb = tb_gen_code(cpu, pc, cs_base, flags,
 - 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
 -tb->orig_tb = NULL;
 -tb_unlock();
 -
 -cc->cpu_exec_enter(cpu);
 -
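
Review bot: the hunk deletes tb_unlock() and cc->cpu_exec_enter(cpu) without showing where they move to, so a reader cannot see the lock state on the longjmp path: if tb_gen_code() leaves via cpu_loop_exit() while tb_lock() is held, the landing site has to reset it (and, once mmap_lock() is taken first as discussed in this thread, that one too if the callee does not drop it). Please state in the commit message which locks are held when jmp_env is entered and who releases each of them on the error path.
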
>>>
>>> It occurs to me we are also diverging in our locking pattern from
>>> tb_find which takes mmap_lock first. This is a NOP for system emulation
>>> but needed for user-emulation (for which we can do cpu_exec_step but not
>>> cpu_exec_nocache).
>>
>> Right. So we have to take the mmap_lock() before calling
>> tb_gen_code(). However, this lock is released in the error path before 
>> calling
>> cpu_loop_exit() if allocation of a new tb fails. The following is what I have
>> after merging with the previous EXCP_ATOMIC handling patch.
>
> Hmm we are a start/end_exclusive() though so what could we be racing
> against that also wants the mmap_lock()? Could it be held by anything at
> this point as every user needs to be woken up?
>

No, I don't think any other thread holds the mmap/tb lock at this
point. However, we still need to take this lock since the functions we
are calling expect us to hold it and assert otherwise.


-- 
Pranith
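
To make the lock-unwinding concern in this thread concrete, here is an added, stand-alone C sketch (not QEMU code; the function names are deliberately borrowed stand-ins) of the pattern the patch describes: set jmp_env before calling the routine that may longjmp out, and have the landing pad reset whatever lock the callee did not release. The depth counters, the assumption that the callee drops mmap_lock but not tb_lock on its error path, and a tb_lock_reset() modelled on QEMU's helper of that name are this example's own.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Lock stand-ins: depth counters make it visible whether a non-local
 * exit left anything held. */
static int mmap_lock_depth, tb_lock_depth;
static void mmap_lock(void)   { mmap_lock_depth++; }
static void mmap_unlock(void) { mmap_lock_depth--; }
static void tb_lock(void)     { tb_lock_depth++; }
static void tb_unlock(void)   { tb_lock_depth--; }
/* Like QEMU's tb_lock_reset(): drop tb_lock if this thread holds it. */
static void tb_lock_reset(void) { if (tb_lock_depth > 0) tb_unlock(); }
static int locks_held(void) { return mmap_lock_depth + tb_lock_depth; }

/* Stand-in for CPUState::jmp_env and cpu_loop_exit(). */
static jmp_buf *jmp_env;
static void cpu_loop_exit(void) { longjmp(*jmp_env, 1); }

/* Stand-in for tb_gen_code(): called with mmap_lock and tb_lock held.
 * When the code buffer is full it drops mmap_lock itself (assumed here,
 * as the thread describes for the real error path) but not tb_lock,
 * then unwinds to jmp_env instead of returning. */
static int tb_gen_code(bool buffer_full)
{
    if (buffer_full) {
        mmap_unlock();
        cpu_loop_exit();          /* never returns */
    }
    return 42;                    /* "the TB" */
}

/* cpu_exec_step()-style caller. jmp_env is set *before* tb_gen_code()
 * can unwind, and the landing pad releases what the callee left held.
 * Returns the TB id, or -1 if generation bailed out; in both cases no
 * lock remains held on return. */
static int cpu_exec_step(bool buffer_full)
{
    jmp_buf env;
    volatile int tb = -1;         /* must survive the longjmp */

    jmp_env = &env;
    if (setjmp(env) == 0) {
        mmap_lock();
        tb_lock();
        tb = tb_gen_code(buffer_full);
        tb_unlock();
        mmap_unlock();
    } else {
        /* Arrived via cpu_loop_exit(): mmap_lock was already released
         * by the callee; tb_lock was not, so reset it here. */
        tb_lock_reset();
    }
    jmp_env = NULL;
    return tb;
}

int main(void)
{
    int tb = cpu_exec_step(false);
    printf("normal exit: tb=%d locks held=%d\n", tb, locks_held());
    tb = cpu_exec_step(true);
    printf("bail-out: tb=%d locks held=%d\n", tb, locks_held());
    return 0;
}
```

If the else branch is removed, the second run leaves tb_lock_depth at 1: exactly the leaked lock that would deadlock the next thread to take it. Which side releases which lock is a contract that belongs in the commit message.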



Re: [Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd

2017-02-20 Thread no-reply
Hi,

This series failed build test on s390x host. Please find the details below.

Type: series
Subject: [Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd
Message-id: 20170221034336.10097-1-jaze...@gmail.com

=== TEST SCRIPT BEGIN ===
#!/bin/bash
# Testing script will be invoked under the git checkout with
# HEAD pointing to a commit that has the patches applied on top of "base"
# branch
set -e
echo "=== ENV ==="
env
echo "=== PACKAGES ==="
rpm -qa
echo "=== TEST BEGIN ==="
CC=$HOME/bin/cc
INSTALL=$PWD/install
BUILD=/var/tmp/patchew-qemu-build
echo -n "Using CC: "
realpath $CC
test -e $BUILD && rm -rf $BUILD
mkdir -p $BUILD $INSTALL
SRC=$PWD
cd $BUILD
$SRC/configure --cc=$CC --prefix=$INSTALL
make -j4
make check -j4
make install
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 * [new tag] patchew/20170221034336.10097-1-jaze...@gmail.com -> 
patchew/20170221034336.10097-1-jaze...@gmail.com
Switched to a new branch 'test'
dc83903 RBD: Add support readv,writev for rbd

=== OUTPUT BEGIN ===
=== ENV ===
XDG_SESSION_ID=29861
SHELL=/bin/sh
USER=fam
PATCHEW=/home/fam/patchew/patchew-cli -s http://patchew.org --nodebug
PATH=/usr/bin:/bin
PWD=/var/tmp/patchew-tester-tmp-855u0v7j/src
LANG=en_US.UTF-8
HOME=/home/fam
SHLVL=2
LOGNAME=fam
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1012/bus
XDG_RUNTIME_DIR=/run/user/1012
_=/usr/bin/env
=== PACKAGES ===
gpg-pubkey-873529b8-54e386ff
xz-libs-5.2.2-2.fc24.s390x
libacl-2.2.52-11.fc24.s390x
libxshmfence-1.2-3.fc24.s390x
cdparanoia-libs-10.2-21.fc24.s390x
ustr-1.0.4-21.fc24.s390x
giflib-4.1.6-15.fc24.s390x
libusb-0.1.5-7.fc24.s390x
trousers-lib-0.3.13-6.fc24.s390x
readline-devel-6.3-8.fc24.s390x
python-srpm-macros-3-10.fc25.noarch
ncurses-base-6.0-6.20160709.fc25.noarch
gmp-6.1.1-1.fc25.s390x
chkconfig-1.8-1.fc25.s390x
libidn-1.33-1.fc25.s390x
file-5.28-4.fc25.s390x
slang-2.3.0-7.fc25.s390x
avahi-libs-0.6.32-4.fc25.s390x
libsemanage-2.5-8.fc25.s390x
perl-Unicode-Normalize-1.25-365.fc25.s390x
perl-libnet-3.10-1.fc25.noarch
perl-Thread-Queue-3.11-1.fc25.noarch
perl-podlators-4.09-1.fc25.noarch
jasper-libs-1.900.13-1.fc25.s390x
graphite2-1.3.6-1.fc25.s390x
libblkid-2.28.2-1.fc25.s390x
pkgconfig-0.29.1-1.fc25.s390x
dbus-python-1.2.4-2.fc25.s390x
alsa-lib-1.1.1-2.fc25.s390x
libgnome-keyring-3.12.0-7.fc25.s390x
yum-metadata-parser-1.1.4-17.fc25.s390x
python3-3.5.2-4.fc25.s390x
python3-slip-dbus-0.6.4-4.fc25.noarch
python2-cssselect-0.9.2-1.fc25.noarch
python-backports-1.0-8.fc25.s390x
python-magic-5.28-4.fc25.noarch
python-pycparser-2.14-7.fc25.noarch
python-fedora-0.8.0-2.fc25.noarch
createrepo_c-libs-0.10.0-6.fc25.s390x
initscripts-9.69-1.fc25.s390x
plymouth-scripts-0.9.3-0.6.20160620git0e65b86c.fc25.s390x
cronie-1.5.1-2.fc25.s390x
python2-librepo-1.7.18-3.fc25.s390x
wget-1.18-2.fc25.s390x
python3-dnf-plugins-core-0.1.21-4.fc25.noarch
at-spi2-core-2.22.0-1.fc25.s390x
libXv-1.0.11-1.fc25.s390x
dhcp-client-4.3.5-1.fc25.s390x
python2-dnf-plugins-core-0.1.21-4.fc25.noarch
parted-3.2-21.fc25.s390x
python2-ndg_httpsclient-0.4.0-4.fc25.noarch
bash-completion-2.4-1.fc25.noarch
btrfs-progs-4.6.1-1.fc25.s390x
texinfo-6.1-3.fc25.s390x
perl-Filter-1.55-366.fc25.s390x
flex-2.6.0-3.fc25.s390x
libgcc-6.3.1-1.fc25.s390x
glib2-2.50.2-1.fc25.s390x
dbus-libs-1.11.8-1.fc25.s390x
libgomp-6.3.1-1.fc25.s390x
colord-libs-1.3.4-1.fc25.s390x
perl-Encode-2.88-5.fc25.s390x
gstreamer1-1.10.2-1.fc25.s390x
cracklib-2.9.6-4.fc25.s390x
rpm-build-libs-4.13.0-6.fc25.s390x
libobjc-6.3.1-1.fc25.s390x
pcre-devel-8.40-1.fc25.s390x
mariadb-config-10.1.20-1.fc25.s390x
gcc-6.3.1-1.fc25.s390x
mesa-libGL-13.0.3-1.fc25.s390x
python3-dnf-plugin-system-upgrade-0.7.1-4.fc25.noarch
bind-libs-9.10.4-4.P5.fc25.s390x
python-osbs-client-0.33-3.fc25.noarch
NetworkManager-1.4.4-3.fc25.s390x
audit-2.7.1-1.fc25.s390x
glibc-static-2.24-4.fc25.s390x
perl-Pod-Simple-3.35-1.fc25.noarch
gdb-7.12-36.fc25.s390x
python2-simplejson-3.10.0-1.fc25.s390x
python3-sssdconfig-1.14.2-2.fc25.noarch
texlive-lib-2016-30.20160520.fc25.s390x
boost-random-1.60.0-10.fc25.s390x
brltty-5.4-2.fc25.s390x
libref_array-0.1.5-29.fc25.s390x
librados2-10.2.4-2.fc25.s390x
gnutls-dane-3.5.8-1.fc25.s390x
systemtap-client-3.1-0.20160725git91bfb36.fc25.s390x
libXrender-devel-0.9.10-1.fc25.s390x
libXi-devel-1.7.8-2.fc25.s390x
texlive-pdftex-doc-svn41149-30.fc25.noarch
tcp_wrappers-7.6-83.fc25.s390x
javapackages-tools-4.7.0-6.1.fc25.noarch
texlive-kpathsea-bin-svn40473-30.20160520.fc25.s390x
texlive-url-svn32528.3.4-30.fc25.noarch
texlive-latex-fonts-svn2.0-30.fc25.noarch
texlive-mptopdf-bin-svn18674.0-30.20160520.fc25.noarch
texlive-underscore-svn18261.0-30.fc25.noarch
texlive-subfig-svn15878.1.3-30.fc25.noarch
texlive-dvipdfmx-def-svn40328-30.fc25.noarch
texlive-plain-svn40274-30.fc25.noarch
texlive-texlive-scripts-svn41433-30.fc25.noarch
texlive-fancyref-svn15878.0.9c-30.fc25.noarch
texlive-csquotes-svn39538-30.fc25.noarch
texlive-pxfonts-svn15878.0-30.fc25.noarch

Re: [Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd

2017-02-20 Thread no-reply
Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Subject: [Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd
Message-id: 20170221034336.10097-1-jaze...@gmail.com

=== TEST SCRIPT BEGIN ===
#!/bin/bash

BASE=base
n=1
total=$(git log --oneline $BASE.. | wc -l)
failed=0

# Useful git options
git config --local diff.renamelimit 0
git config --local diff.renames True

commits="$(git log --format=%H --reverse $BASE..)"
for c in $commits; do
echo "Checking PATCH $n/$total: $(git log -n 1 --format=%s $c)..."
if ! git show $c --format=email | ./scripts/checkpatch.pl --mailback -; then
failed=1
echo
fi
n=$((n+1))
done

exit $failed
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 * [new tag] patchew/20170221034336.10097-1-jaze...@gmail.com -> 
patchew/20170221034336.10097-1-jaze...@gmail.com
Switched to a new branch 'test'
dc83903 RBD: Add support readv,writev for rbd

=== OUTPUT BEGIN ===
Checking PATCH 1/1: RBD: Add support readv,writev for rbd...
ERROR: space required before the open brace '{'
#36: FILE: block/rbd.c:322:
+if(LIBRBD_USE_IOVEC){

ERROR: space required before the open parenthesis '('
#36: FILE: block/rbd.c:322:
+if(LIBRBD_USE_IOVEC){

ERROR: trailing whitespace
#69: FILE: block/rbd.c:461:
+ $

ERROR: suspect code indent for conditional statements (4, 9)
#70: FILE: block/rbd.c:462:
+if(!LIBRBD_USE_IOVEC){
+ if (acb->cmd == RBD_AIO_READ) {

ERROR: space required before the open brace '{'
#70: FILE: block/rbd.c:462:
+if(!LIBRBD_USE_IOVEC){

ERROR: space required before the open parenthesis '('
#70: FILE: block/rbd.c:462:
+if(!LIBRBD_USE_IOVEC){

ERROR: suspect code indent for conditional statements (9, 13)
#71: FILE: block/rbd.c:463:
+ if (acb->cmd == RBD_AIO_READ) {
+ qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);

ERROR: space required before the open brace '{'
#102: FILE: block/rbd.c:690:
+if(!LIBRBD_USE_IOVEC){

ERROR: space required before the open parenthesis '('
#102: FILE: block/rbd.c:690:
+if(!LIBRBD_USE_IOVEC){

ERROR: space required before the open parenthesis '('
#138: FILE: block/rbd.c:719:
+if(!LIBRBD_USE_IOVEC)

ERROR: braces {} are necessary for all arms of this statement
#138: FILE: block/rbd.c:719:
+if(!LIBRBD_USE_IOVEC)
[...]
+else
[...]

ERROR: space required before the open parenthesis '('
#145: FILE: block/rbd.c:725:
+if(!LIBRBD_USE_IOVEC)

ERROR: braces {} are necessary for all arms of this statement
#145: FILE: block/rbd.c:725:
+if(!LIBRBD_USE_IOVEC)
[...]
+else
[...]

ERROR: space required before the open parenthesis '('
#164: FILE: block/rbd.c:749:
+if(!LIBRBD_USE_IOVEC)

ERROR: braces {} are necessary for all arms of this statement
#164: FILE: block/rbd.c:749:
+if(!LIBRBD_USE_IOVEC)
[...]

total: 15 errors, 0 warnings, 146 lines checked

Your patch has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

=== OUTPUT END ===

Test command exited with code: 1


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-de...@freelists.org

[Qemu-devel] [RFC v6] RBD: Add support readv,writev for rbd

2017-02-20 Thread jazeltq
From: tianqing 

Rbd can do readv and writev directly, so we do not need to transform
iov to buf or vice versa any more.

Signed-off-by: tianqing 
---
 block/rbd.c | 79 ++---
 1 file changed, 54 insertions(+), 25 deletions(-)

diff --git a/block/rbd.c b/block/rbd.c
index a57b3e3..5373680 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -62,6 +62,13 @@
 #define RBD_MAX_SNAP_NAME_SIZE 128
 #define RBD_MAX_SNAPS 100
 
+/* The LIBRBD_SUPPORTS_IOVEC is defined in librbd.h */
+#ifdef LIBRBD_SUPPORTS_IOVEC
+#define LIBRBD_USE_IOVEC 1
+#else
+#define LIBRBD_USE_IOVEC 0
+#endif
+
 typedef enum {
 RBD_AIO_READ,
 RBD_AIO_WRITE,
@@ -310,6 +317,17 @@ static int qemu_rbd_set_conf(rados_t cluster, const char 
*conf,
 return ret;
 }
 
+static void qemu_rbd_memset(RADOSCB *rcb, int64_t offs)
+{
+if(LIBRBD_USE_IOVEC){
+RBDAIOCB *acb = rcb->acb;
+iov_memset(acb->qiov->iov, acb->qiov->niov, offs, 0,
+   acb->qiov->size - offs);
+} else {
+memset(rcb->buf + offs, 0, rcb->size - offs);
+}
+}
+
 static int qemu_rbd_create(const char *filename, QemuOpts *opts, Error **errp)
 {
 Error *local_err = NULL;
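
Review bot: `if(LIBRBD_USE_IOVEC){` needs the spacing checkpatch asks for (`if (LIBRBD_USE_IOVEC) {`), as do the later copies. Because LIBRBD_USE_IOVEC is a compile-time 0/1 rather than an #ifdef, both branches are compiled in both builds, which keeps them honest but also means `rcb->buf` and `rcb->size` must remain valid members in the iovec build. The two branches zero different lengths (`acb->qiov->size - offs` versus `rcb->size - offs`); they agree only because rbd_start_aio() asserts qiov->size == size, which is worth a one-line comment here.
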
@@ -426,11 +444,11 @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
 }
 } else {
 if (r < 0) {
-memset(rcb->buf, 0, rcb->size);
+qemu_rbd_memset(rcb, 0);
 acb->ret = r;
 acb->error = 1;
 } else if (r < rcb->size) {
-memset(rcb->buf + r, 0, rcb->size - r);
+qemu_rbd_memset(rcb, r);
 if (!acb->error) {
 acb->ret = rcb->size;
 }
@@ -440,11 +458,14 @@ static void qemu_rbd_complete_aio(RADOSCB *rcb)
 }
 
 g_free(rcb);
-
-if (acb->cmd == RBD_AIO_READ) {
-qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
+ 
+if(!LIBRBD_USE_IOVEC){
+ if (acb->cmd == RBD_AIO_READ) {
+ qemu_iovec_from_buf(acb->qiov, 0, acb->bounce, acb->qiov->size);
+ }
+ qemu_vfree(acb->bounce);
 }
-qemu_vfree(acb->bounce);
+
 acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
 
 qemu_aio_unref(acb);
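
Review bot: the added blank line carries trailing whitespace and the block under `if(!LIBRBD_USE_IOVEC){` is indented with a single space plus tabs instead of QEMU's four spaces (checkpatch reports both); please reindent. The logic itself is right: in the iovec build the data is already in the guest's qiov, so neither the copy-back nor the bounce free applies.
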
@@ -655,7 +676,6 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 RBDAIOCB *acb;
 RADOSCB *rcb = NULL;
 rbd_completion_t c;
-char *buf;
 int r;
 
 BDRVRBDState *s = bs->opaque;
@@ -664,27 +684,29 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 acb->cmd = cmd;
 acb->qiov = qiov;
 assert(!qiov || qiov->size == size);
-if (cmd == RBD_AIO_DISCARD || cmd == RBD_AIO_FLUSH) {
-acb->bounce = NULL;
-} else {
-acb->bounce = qemu_try_blockalign(bs, qiov->size);
-if (acb->bounce == NULL) {
-goto failed;
+
+rcb = g_new(RADOSCB, 1);
+
+if(!LIBRBD_USE_IOVEC){
+if (cmd == RBD_AIO_DISCARD || cmd == RBD_AIO_FLUSH) {
+acb->bounce = NULL;
+} else {
+acb->bounce = qemu_try_blockalign(bs, qiov->size);
+if (acb->bounce == NULL) {
+goto failed;
+}
 }
+if (cmd == RBD_AIO_WRITE) {
+qemu_iovec_to_buf(acb->qiov, 0, acb->bounce, qiov->size);
+}
+rcb->buf = acb->bounce;
 }
+
 acb->ret = 0;
 acb->error = 0;
 acb->s = s;
 
-if (cmd == RBD_AIO_WRITE) {
-qemu_iovec_to_buf(acb->qiov, 0, acb->bounce, qiov->size);
-}
-
-buf = acb->bounce;
-
-rcb = g_new(RADOSCB, 1);
 rcb->acb = acb;
-rcb->buf = buf;
 rcb->s = acb->s;
 rcb->size = size;
 r = rbd_aio_create_completion(rcb, (rbd_callback_t) rbd_finish_aiocb, );
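
Review bot: `rcb = g_new(RADOSCB, 1)` does not zero the struct, and on the iovec path `rcb->buf` is never assigned, so the callback structure carries an indeterminate pointer; use g_new0() or set `rcb->buf = NULL` in that branch. Moving the allocation ahead of the bounce-buffer setup is otherwise an improvement: `goto failed` from the qemu_try_blockalign() failure now frees a real rcb instead of NULL.
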
@@ -694,10 +716,16 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 
 switch (cmd) {
 case RBD_AIO_WRITE:
-r = rbd_aio_write(s->image, off, size, buf, c);
+if(!LIBRBD_USE_IOVEC)
+r = rbd_aio_write(s->image, off, size, rcb->buf, c);
+else
+r = rbd_aio_writev(s->image, qiov->iov, qiov->niov, off, c);
 break;
 case RBD_AIO_READ:
-r = rbd_aio_read(s->image, off, size, buf, c);
+if(!LIBRBD_USE_IOVEC)
+r = rbd_aio_read(s->image, off, size, rcb->buf, c);
+else
+r = rbd_aio_readv(s->image, qiov->iov, qiov->niov, off, c);
 break;
 case RBD_AIO_DISCARD:
 r = rbd_aio_discard_wrapper(s->image, off, size, c);
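
Review bot: both `if(!LIBRBD_USE_IOVEC) ... else ...` arms need braces and a space after `if` (checkpatch flags all four). A short comment that qiov is guaranteed non-NULL for READ and WRITE (the assert at the top of rbd_start_aio() covers it) would help, since rbd_aio_readv()/rbd_aio_writev() dereference qiov->iov without a check.
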
@@ -712,14 +740,15 @@ static BlockAIOCB *rbd_start_aio(BlockDriverState *bs,
 if (r < 0) {
 goto failed_completion;
 }
-
 return >common;
 
 failed_completion:
 rbd_aio_release(c);
 failed:
 g_free(rcb);
-qemu_vfree(acb->bounce);
+if(!LIBRBD_USE_IOVEC)
+qemu_vfree(acb->bounce);
+
 qemu_aio_unref(acb);
 return NULL;
 }
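
Review bot: same brace and spacing issue on `if(!LIBRBD_USE_IOVEC) qemu_vfree(acb->bounce);`. In the !iovec build `failed:` can be reached from the bounce allocation failure with acb->bounce == NULL, which qemu_vfree() tolerates, so the cleanup stays correct. The whitespace-only change before the return is unrelated churn and could be dropped.

</grinsert_placeholder_never_used>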
-- 
2.10.2
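
Added example (not part of the patch or of QEMU): the zero-fill-on-short-read behaviour qemu_rbd_memset() implements for the iovec path, written out as a self-contained C routine with the same contract as iov_memset() plus the completion logic around it, so the security reason for it is visible: every byte the backend did not write must be zeroed before the scatter/gather list is handed back to the guest, or stale buffer contents leak. The two 8-byte segments and the 0xAA "stale" fill are constructed test input.

```c
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>

/* Zero `bytes` bytes of a scatter/gather list starting at byte `offset`,
 * crossing segment boundaries; returns how many bytes were zeroed (fewer
 * than `bytes` only if the list is too short). Same contract as QEMU's
 * iov_memset(iov, iov_cnt, offset, 0, bytes), reimplemented here. */
static size_t sg_zero(const struct iovec *iov, unsigned iov_cnt,
                      size_t offset, size_t bytes)
{
    size_t done = 0;

    for (unsigned i = 0; i < iov_cnt && done < bytes; i++) {
        if (offset >= iov[i].iov_len) {
            offset -= iov[i].iov_len;   /* segment lies entirely before offset */
            continue;
        }
        size_t n = iov[i].iov_len - offset;
        if (n > bytes - done) {
            n = bytes - done;
        }
        memset((char *)iov[i].iov_base + offset, 0, n);
        done += n;
        offset = 0;                     /* later segments start at their base */
    }
    return done;
}

/* Read completion: `r` is the backend's byte count (or a negative errno)
 * for a `size`-byte request. Whatever the backend did not write is
 * zeroed so stale buffer contents never reach the guest. Returns 0 or r. */
static int complete_read(const struct iovec *iov, unsigned iov_cnt,
                         size_t size, long r)
{
    if (r < 0) {
        sg_zero(iov, iov_cnt, 0, size);         /* error: hand back all zeros */
        return (int)r;
    }
    if ((size_t)r < size) {
        sg_zero(iov, iov_cnt, (size_t)r, size - (size_t)r);   /* short read */
    }
    return 0;
}

/* Constructed input: two 8-byte segments prefilled with 0xAA ("stale"
 * data); the backend reports `r`. Returns the number of bytes left
 * untouched by the zeroing, which must equal the bytes the backend
 * claims to have written (and 0 on error). */
static int untouched_bytes_after_read(long r)
{
    unsigned char seg0[8], seg1[8];
    struct iovec iov[2] = { { seg0, sizeof seg0 }, { seg1, sizeof seg1 } };
    int untouched = 0;

    memset(seg0, 0xAA, sizeof seg0);
    memset(seg1, 0xAA, sizeof seg1);
    complete_read(iov, 2, sizeof seg0 + sizeof seg1, r);
    for (size_t i = 0; i < sizeof seg0; i++) {
        untouched += seg0[i] != 0;
    }
    for (size_t i = 0; i < sizeof seg1; i++) {
        untouched += seg1[i] != 0;
    }
    return untouched;
}
```

The r = 11 case is the one that exercises the segment crossing: the first segment is left alone and zeroing starts three bytes into the second. A bounce-buffer implementation gets this for free with one memset(); the iovec path has to walk the list, which is why the patch needs iov_memset() rather than memset().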




[Qemu-devel] [PATCH] spice-char: fix segfault in char_spice_finalize

2017-02-20 Thread Li Qiang
In 'qemu_chr_open_spice_vmc' if the 'psubtype' is NULL, it will
call 'char_spice_finalize'. But as the SpiceChardev is not inserted
in the 'spice_chars' list, the 'QLIST_REMOVE' will cause a segfault.
Add a check to avoid it.

Signed-off-by: Li Qiang 
---
 spice-qemu-char.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/spice-qemu-char.c b/spice-qemu-char.c
index 6f46f46..15dbf9c 100644
--- a/spice-qemu-char.c
+++ b/spice-qemu-char.c
@@ -215,7 +215,10 @@ static void char_spice_finalize(Object *obj)
 SpiceChardev *s = SPICE_CHARDEV(obj);
 
 vmc_unregister_interface(s);
-QLIST_REMOVE(s, next);
+
+if (spice_chars.lh_first) {
+QLIST_REMOVE(s, next);
+}
 
 g_free((char *)s->sin.subtype);
 #if SPICE_SERVER_VERSION >= 0x000c02
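
Review bot: the guard tests whether the global list is non-empty, not whether `s` is on it. If any other spice chardev exists when qemu_chr_open_spice_vmc() fails on a NULL psubtype, `spice_chars.lh_first` is non-NULL and QLIST_REMOVE(s, next) still writes through the never-initialised `le_prev` of this object. Check the element itself instead, for example `if (s->next.le_prev)` before removing, or record whether the insert happened.
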
-- 
1.8.3.1
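
Added example, not from the patch or from QEMU: a miniature of the BSD-style QLIST macros with a per-element "is it linked" check, to show why testing the list head is not the same as testing whether this element is on the list. The macro bodies follow the shape of qemu/queue.h but are this example's own; the Chardev type and the scenario are constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Miniature of the BSD-style QLIST macros in QEMU's qemu/queue.h.
 * QLIST_REMOVE writes through elm->field.le_prev unconditionally, so an
 * element that was never inserted (le_prev == NULL on a zero-initialised
 * object) makes it dereference NULL. */
#define QLIST_HEAD(name, type) struct name { struct type *lh_first; }
#define QLIST_ENTRY(type) struct { struct type *le_next; struct type **le_prev; }

#define QLIST_INSERT_HEAD(head, elm, field) do {                        \
    if (((elm)->field.le_next = (head)->lh_first) != NULL) {            \
        (head)->lh_first->field.le_prev = &(elm)->field.le_next;        \
    }                                                                   \
    (head)->lh_first = (elm);                                           \
    (elm)->field.le_prev = &(head)->lh_first;                           \
} while (0)

#define QLIST_REMOVE(elm, field) do {                                   \
    if ((elm)->field.le_next != NULL) {                                 \
        (elm)->field.le_next->field.le_prev = (elm)->field.le_prev;     \
    }                                                                   \
    *(elm)->field.le_prev = (elm)->field.le_next;                       \
} while (0)

/* The check a finalizer actually needs: is *this* element linked? */
#define QLIST_IS_INSERTED(elm, field) ((elm)->field.le_prev != NULL)

/* Remove only if linked, and leave the element unlinked afterwards so a
 * second removal is harmless too. */
#define QLIST_SAFE_REMOVE(elm, field) do {                              \
    if (QLIST_IS_INSERTED(elm, field)) {                                \
        QLIST_REMOVE(elm, field);                                       \
        (elm)->field.le_next = NULL;                                    \
        (elm)->field.le_prev = NULL;                                    \
    }                                                                   \
} while (0)

typedef struct Chardev {
    int id;
    QLIST_ENTRY(Chardev) next;
} Chardev;

static QLIST_HEAD(, Chardev) chardevs = { NULL };

static int list_len(void)
{
    int n = 0;
    for (Chardev *c = chardevs.lh_first; c; c = c->next.le_next) {
        n++;
    }
    return n;
}

/* True when a guard of the form `if (list.lh_first)` would let
 * QLIST_REMOVE run on an element that is not on the list. */
static bool head_guard_is_unsafe(const Chardev *s)
{
    return chardevs.lh_first != NULL && !QLIST_IS_INSERTED(s, next);
}

/* Scenario: one chardev registered, a second whose open failed before
 * registration (left zero-initialised). Returns a small bitmask:
 * bit 0 = the head guard would have let the orphan crash,
 * bit 1 = list not empty after removing both,
 * bit 2 = `a` still reports itself inserted after removal. */
static int scenario(void)
{
    Chardev a = { .id = 1 }, orphan = { .id = 2 };
    int result = 0;

    chardevs.lh_first = NULL;
    QLIST_INSERT_HEAD(&chardevs, &a, next);

    result |= head_guard_is_unsafe(&orphan) ? 1 : 0;
    QLIST_SAFE_REMOVE(&orphan, next);   /* no-op: never inserted */
    QLIST_SAFE_REMOVE(&a, next);        /* unlinks a */
    result |= list_len() != 0 ? 2 : 0;
    result |= QLIST_IS_INSERTED(&a, next) ? 4 : 0;
    return result;
}

/* The case the patch does fix: with an empty list the head guard is safe. */
static bool empty_list_guard_ok(void)
{
    Chardev orphan = { .id = 3 };

    chardevs.lh_first = NULL;
    return !head_guard_is_unsafe(&orphan);
}
```

scenario() returning 1 is the point: only the "orphan with a populated list" bit is set, i.e. the head check passes exactly when the unsafe removal would happen, while the per-element check removes nothing it should not and leaves the list consistent.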




Re: [Qemu-devel] [PATCH] target/ppc: Fix serious bug in HPTE writeback

2017-02-20 Thread David Gibson
On Tue, Feb 21, 2017 at 01:52:11PM +1100, David Gibson wrote:
> ppc_hash64_store_hpte() is used to update HPTEs in the hashed page table
> (HPT) for 64-bit machines.  This is used when the (emulated) CPU needs to
> update the referenced (R) or changed (C) bits in the HPTE.
> 
> Some time ago this was converted to take an HPTE index, instead of a
> raw offset to the HPTE within the HPT (similar functions for 32-bit still
> take an offset).  In the process a serious bug was introduced: we're
> still using the index parameter as though it was an offset, failing to
> multiply by the size of an HPTE, so it will update bits in the wrong part
> of the HPT.  This can corrupt the guest's HPT, causing crashes or data
> loss.
> 
> AFAICT the reason we haven't noticed this error earlier is that for 64-bit
> machines we've been testing almost exclusively with Linux guests.  Linux
> on ppc does not make use of the hardware R & C bits, so this writeback
> will never be triggered.  It also occurs only on TCG, not KVM, guests.
> 
> Signed-off-by: David Gibson 

Self NACK.  Sorry.  In my panic, I managed to miss the multiply a few
lines above.  There isn't actually a bug here, just some confusing
variable naming.

> ---
>  target/ppc/mmu-hash64.c | 11 +++
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
> index bb78fb5..dc3b5f7 100644
> --- a/target/ppc/mmu-hash64.c
> +++ b/target/ppc/mmu-hash64.c
> @@ -894,12 +894,15 @@ void ppc_hash64_store_hpte(PowerPCCPU *cpu,
>  
>  pte_index *= HASH_PTE_SIZE_64;
>  if (env->external_htab) {
> -stq_p(env->external_htab + pte_index, pte0);
> -stq_p(env->external_htab + pte_index + HASH_PTE_SIZE_64 / 2, pte1);
> +stq_p(env->external_htab + pte_index * HASH_PTE_SIZE_64, pte0);
> +stq_p(env->external_htab + pte_index * HASH_PTE_SIZE_64
> +  + HASH_PTE_SIZE_64 / 2, pte1);
>  } else {
> -stq_phys(CPU(cpu)->as, env->htab_base + pte_index, pte0);
>  stq_phys(CPU(cpu)->as,
> - env->htab_base + pte_index + HASH_PTE_SIZE_64 / 2, pte1);
> + env->htab_base + pte_index * HASH_PTE_SIZE_64, pte0);
> +stq_phys(CPU(cpu)->as,
> + env->htab_base + pte_index * HASH_PTE_SIZE_64
> + + HASH_PTE_SIZE_64 / 2, pte1);
>  }
>  }
>  

-- 
David Gibson| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you.  NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson


signature.asc
Description: PGP signature


Re: [Qemu-devel] [PATCH 1/3] net/colo: fix memory double free error

2017-02-20 Thread Hailiang Zhang

On 2017/2/21 10:25, Zhang Chen wrote:



On 02/20/2017 04:01 PM, zhanghailiang wrote:

The 'primary_list' and 'secondary_list' members of struct Connection
are not allocated dynamically through g_queue_new(), but we free them by using
g_queue_free(), which will lead to a double-free bug.

Signed-off-by: zhanghailiang 
---
   net/colo.c | 2 --
   1 file changed, 2 deletions(-)

diff --git a/net/colo.c b/net/colo.c
index 6a6eacd..7d5c423 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
   Connection *conn = opaque;

   g_queue_foreach(>primary_list, packet_destroy, NULL);
-g_queue_free(>primary_list);
   g_queue_foreach(>secondary_list, packet_destroy, NULL);
-g_queue_free(>secondary_list);

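Review bot: dropping g_queue_free() alone trades the double free for a leak: g_queue_foreach() destroys the packets, but the GList nodes owned by the embedded GQueue are never released. g_queue_clear() on primary_list and secondary_list frees those nodes without freeing the queue struct that lives inside Connection, which is what an embedded queue needs here.
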

I think we need use g_queue_clear () here.



Ha, you are right, my original modification will introduce memory leak.
Will fix in next version.


void
g_queue_clear (GQueue *queue);
Removes all the elements in queue . If queue elements contain
dynamically-allocated memory, they should be freed first.

Thanks
Zhang Chen


   g_slice_free(Connection, conn);
   }








Re: [Qemu-devel] Fix build break during configuration on musl-libc based Linux systems.

2017-02-20 Thread Eric Blake
On 02/19/2017 01:02 AM, Chad Joan wrote:
> development work.  There are no user accounts, just root.  I have tried to
> avoid putting any personal information on it.  If I am on it, then I'm
> editing files in /etc or installing system-wide software.  I'm realizing
> that I might have to change this a bit due to the WIP nature of the
> hardened-musl profile: ultimately I *am* doing development work on it, and
> that kind of snuck up on me.  If I give myself a user account, then
> authoring patches with git (and using send-email) becomes somewhat more
> practical (putting smtp login information onto the machine still bugs me).

You don't have to store your SMTP passwords; git is smart enough to ask
you interactively if you (intentionally) omit the passwords from
.gitconfig.  But I agree that even storing your SMTP address and
username in configs can be a bit hairier than you want on some boxes.

> Still, I can't imagine I'm the only person who runs into this kind of thing
> and wants to write quick patches on an impersonal machine.

There's always the option to float the patches back to a personal
machine before posting to the list (yes, it requires more work on your
end, but if it serves as a nice manual wall between your internal and
external machines, it may well be worth the discipline).

> 
> 
>> [...]
>>
>> But nothing requires you to set up a certificate to submit a patch.  I'm
>> not sure which piece of the documentation got you steered in that
>> direction, but gpg signing of patches is only required of maintainers,
>> not contributors (or maybe you're hinting at the extra effort required
>> to set up gmail as a valid 'git send-email' target, to which I have no
>> experience, but which starts to leave the realm of qemu-specific
>> instructions into something where it would be better to link to a good
>> git setup tutorial, if one exists).
>>
>>
> I think this is just language ambiguity and confirmation bias doing their
> thing.  Usually when I read "you have to sign this" in an OSS context, I
> think of cryptographic signing.  I haven't encountered the requirement for
> non-cryptographic signing before.  Language is arbitrary and we all have
> different experiences and backgrounds.

Is it sufficient to just give the example of 'git commit -s' being the
trick to automatically adding the necessary Signed-off-by: line?  (Of
course, automating the process like that, without actually reading
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/SubmittingPatches?id=f6f94e2ab1b33f0082ac22d71f66385a60d8157f#n297
to understand what it means and that you actually comply, is risky)

> 
> This is one of the reasons why I suggest a simple example: it would be both
> very concise and unambiguous.  If there are no signing steps in the example
> then you don't even need to spend words telling the reader that
> cryptographic signing is unnecessary.  It'll be implied.
> 
> Thankfully, this is a separate concern from the 'git send-email' thing.

'git send-email -s' can also add Signed-off-by: lines, if you didn't add
them earlier (but only if you use send-email, rather than attachments) :)

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature


Re: [Qemu-devel] Fix build break during configuration on musl-libc based Linux systems.

2017-02-20 Thread Eric Blake
On 02/17/2017 11:15 AM, Peter Maydell wrote:
> The kernel docs have a longer list of mail clients with
> notes about suitability:
> https://kernel.org/doc/html/latest/process/email-clients.html
> but the set of "just works" clients is very small.

Currently fails with 403 Forbidden

You don't have permission to access
/doc/html/latest/process/email-clients.html on this server.

Hopefully it's transient?

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature


[Qemu-devel] [PATCH] target/ppc: Fix serious bug in HPTE writeback

2017-02-20 Thread David Gibson
ppc_hash64_store_hpte() is used to update HPTEs in the hashed page table
(HPT) for 64-bit machines.  This is used when the (emulated) CPU needs to
update the referenced (R) or changed (C) bits in the HPTE.

Some time ago this was converted to take an HPTE index, instead of a
raw offset to the HPTE within the HPT (similar functions for 32-bit still
take an offset).  In the process a serious bug was introduced: we're
still using the index parameter as though it was an offset, failing to
multiply by the size of an HPTE, so it will update bits in the wrong part
of the HPT.  This can corrupt the guest's HPT, causing crashes or data
loss.

AFAICT the reason we haven't noticed this error earlier is that for 64-bit
machines we've been testing almost exclusively with Linux guests.  Linux
on ppc does not make use of the hardware R & C bits, so this writeback
will never be triggered.  It also occurs only on TCG, not KVM, guests.

Signed-off-by: David Gibson 
---
 target/ppc/mmu-hash64.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/target/ppc/mmu-hash64.c b/target/ppc/mmu-hash64.c
index bb78fb5..dc3b5f7 100644
--- a/target/ppc/mmu-hash64.c
+++ b/target/ppc/mmu-hash64.c
@@ -894,12 +894,15 @@ void ppc_hash64_store_hpte(PowerPCCPU *cpu,
 
 pte_index *= HASH_PTE_SIZE_64;
 if (env->external_htab) {
-stq_p(env->external_htab + pte_index, pte0);
-stq_p(env->external_htab + pte_index + HASH_PTE_SIZE_64 / 2, pte1);
+stq_p(env->external_htab + pte_index * HASH_PTE_SIZE_64, pte0);
+stq_p(env->external_htab + pte_index * HASH_PTE_SIZE_64
+  + HASH_PTE_SIZE_64 / 2, pte1);
 } else {
-stq_phys(CPU(cpu)->as, env->htab_base + pte_index, pte0);
 stq_phys(CPU(cpu)->as,
- env->htab_base + pte_index + HASH_PTE_SIZE_64 / 2, pte1);
+ env->htab_base + pte_index * HASH_PTE_SIZE_64, pte0);
+stq_phys(CPU(cpu)->as,
+ env->htab_base + pte_index * HASH_PTE_SIZE_64
+ + HASH_PTE_SIZE_64 / 2, pte1);
 }
 }
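
Review bot: the context line `pte_index *= HASH_PTE_SIZE_64;` at the top of this hunk already turns the index into a byte offset, so the added `pte_index * HASH_PTE_SIZE_64` scales it a second time and would aim each store HASH_PTE_SIZE_64 times too far into the table. As the self-NACK in the reply earlier on this page says, there is no bug to fix; what would help is renaming the variable after the multiply (an `offset` local, say) so the index/offset double meaning does not trip the next reader.
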
 
-- 
2.9.3




[Qemu-devel] [PATCH] net/colo-compare: Fix memory free error

2017-02-20 Thread Zhang Chen
We use g_queue_init() to init s->conn_list, so we should use g_queue_clear()
instead of g_queue_free().

Signed-off-by: Zhang Chen 
---
 net/colo-compare.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/colo-compare.c b/net/colo-compare.c
index 162fd6a..cf8c4c9 100644
--- a/net/colo-compare.c
+++ b/net/colo-compare.c
@@ -715,7 +715,7 @@ static void colo_compare_finalize(Object *obj)
 qemu_chr_fe_deinit(>chr_sec_in);
 qemu_chr_fe_deinit(>chr_out);
 
-g_queue_free(>conn_list);
+g_queue_clear(>conn_list);
 
 if (qemu_thread_is_self(>thread)) {
 /* compare connection */
-- 
2.7.4






Re: [Qemu-devel] [PATCH 05/14] libqtest: Clean up qmp_response() a bit

2017-02-20 Thread Eric Blake
On 02/17/2017 02:38 PM, Markus Armbruster wrote:
> Use qobject_to_qdict() instead of a type cast.
> 
> Signed-off-by: Markus Armbruster 
> ---
>  tests/libqtest.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Happens to be the same (because of our struct layout), but agree that
the conversion function is safer if we ever change struct layout.

Reviewed-by: Eric Blake 


-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature


[Qemu-devel] [PATCH v4 8/8] nbd: Implement NBD_INFO_BLOCK_SIZE on client

2017-02-20 Thread Eric Blake
The upstream NBD Protocol has defined a new extension to allow
the server to advertise block sizes to the client, as well as
a way for the client to inform the server whether it intends to
obey block sizes.

When using the block layer as the client, we will obey block
sizes; but when used as 'qemu-nbd -c' to hand off to the
kernel nbd module as the client, we are still waiting for the
kernel to implement a way for us to learn if it will honor
block sizes (perhaps by an addition to sysfs, rather than an
ioctl), as well as any way to tell the kernel what additional
block sizes to obey (NBD_SET_BLKSIZE appears to be accurate
for the minimum size, but preferred and maximum sizes would
probably be new ioctl()s), so until then, we need to make our
request for block sizes conditional.

When using ioctl(NBD_SET_BLKSIZE) to hand off to the kernel,
use the minimum block size as the sector size if it is larger
than 512, which also has the nice effect of cooperating with
(non-qemu) servers that don't do read-modify-write when
exposing a block device with 4k sectors; it might also allow
us to visit a file larger than 2T on a 32-bit kernel.

Signed-off-by: Eric Blake 

---
v4: new patch
---
 include/block/nbd.h |  6 
 block/nbd-client.c  |  4 +++
 block/nbd.c | 14 +++--
 nbd/client.c| 86 -
 qemu-nbd.c  |  2 +-
 5 files changed, 94 insertions(+), 18 deletions(-)

diff --git a/include/block/nbd.h b/include/block/nbd.h
index c84e022..ae8cc12 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -143,8 +143,14 @@ enum {

 /* Details collected by NBD_OPT_EXPORT_NAME and NBD_OPT_GO */
 struct NBDExportInfo {
+/* Set by client before nbd_receive_negotiate() */
+bool request_sizes;
+/* Set by server results during nbd_receive_negotiate() */
 uint64_t size;
 uint16_t flags;
+uint32_t min_block;
+uint32_t opt_block;
+uint32_t max_block;
 };
 typedef struct NBDExportInfo NBDExportInfo;

diff --git a/block/nbd-client.c b/block/nbd-client.c
index 32d7c90..7dfe4ec 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -404,6 +404,7 @@ int nbd_client_init(BlockDriverState *bs,
 logout("session init %s\n", export);
 qio_channel_set_blocking(QIO_CHANNEL(sioc), true, NULL);

+client->info.request_sizes = true;
 ret = nbd_receive_negotiate(QIO_CHANNEL(sioc), export,
 tlscreds, hostname,
 >ioc, >info, errp);
@@ -418,6 +419,9 @@ int nbd_client_init(BlockDriverState *bs,
 if (client->info.flags & NBD_FLAG_SEND_WRITE_ZEROES) {
 bs->supported_zero_flags |= BDRV_REQ_MAY_UNMAP;
 }
+if (client->info.min_block > bs->bl.request_alignment) {
+bs->bl.request_alignment = client->info.min_block;
+}

 qemu_co_mutex_init(>send_mutex);
 qemu_co_queue_init(>free_sema);
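
Review bot: `client->info.min_block` comes straight from the server and becomes bs->bl.request_alignment with no check that it is non-zero, a power of two, or no larger than the max_block the same server advertised; a hostile or buggy server can hand the block layer an alignment it cannot honour. Validate the three sizes where they are received in nbd_receive_negotiate() (reject the export or fall back to the defaults) before they reach bs->bl.
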
diff --git a/block/nbd.c b/block/nbd.c
index c43fa35..3afd475 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -465,9 +465,17 @@ static int nbd_co_flush(BlockDriverState *bs)

 static void nbd_refresh_limits(BlockDriverState *bs, Error **errp)
 {
-bs->bl.max_pdiscard = NBD_MAX_BUFFER_SIZE;
-bs->bl.max_pwrite_zeroes = NBD_MAX_BUFFER_SIZE;
-bs->bl.max_transfer = NBD_MAX_BUFFER_SIZE;
+NBDClientSession *s = nbd_get_client_session(bs);
+uint32_t max = MIN_NON_ZERO(NBD_MAX_BUFFER_SIZE, s->info.max_block);
+
+bs->bl.max_pdiscard = max;
+bs->bl.max_pwrite_zeroes = max;
+bs->bl.max_transfer = max;
+
+if (s->info.opt_block &&
+s->info.opt_block > bs->bl.opt_transfer) {
+bs->bl.opt_transfer = s->info.opt_block;
+}
 }

 static void nbd_close(BlockDriverState *bs)
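
Review bot: `max` can end up smaller than `bs->bl.request_alignment` (set from min_block in nbd-client.c) if the server advertises max_block < min_block, and nothing checks that max_block is a multiple of min_block. Either validate in the negotiate path or clamp here so max_transfer/max_pdiscard/max_pwrite_zeroes are never below the alignment.
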
diff --git a/nbd/client.c b/nbd/client.c
index b408945..9f62a02 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -399,11 +399,17 @@ static int nbd_opt_go(QIOChannel *ioc, const char 
*wantname,
 info->flags = 0;

 TRACE("Attempting NBD_OPT_GO for export '%s'", wantname);
-buf = g_malloc(2 + 4 + len + 1);
-stw_be_p(buf, 0); /* No requests, live with whatever server sends */
-stl_be_p(buf + 2, len);
-memcpy(buf + 6, wantname, len);
-if (nbd_send_option_request(ioc, NBD_OPT_GO, len + 6, buf, errp) < 0) {
+/* At most one request, everything else up to server */
+buf = g_malloc(2 + 2 * info->request_sizes + 4 + len);
+stw_be_p(buf, info->request_sizes);
+if (info->request_sizes) {
+stw_be_p(buf + 2, NBD_INFO_BLOCK_SIZE);
+}
+stl_be_p(buf + 2 + 2 * info->request_sizes, len);
+memcpy(buf + 2 + 2 * info->request_sizes + 4, wantname, len);
+if (nbd_send_option_request(ioc, NBD_OPT_GO,
+2 + 2 * info->request_sizes + 4 + len, buf,
+errp) < 0) {
 return -1;
 }
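Review bot: `buf` is leaked: it is g_malloc'd at the top of this hunk, not freed on the `return -1` path, and no g_free() is visible after the send either. Free it as soon as nbd_send_option_request() returns and check the result afterwards. Using the bool `info->request_sizes` in three separate size expressions (allocation, offsets, length argument) is easy to get out of sync; compute `uint32_t hdr = 2 + 2 * info->request_sizes;` once and use it everywhere.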

@@ -435,8 +441,9 @@ static int nbd_opt_go(QIOChannel *ioc, const char *wantname,
 return 1;
 }
 if (reply.type != 

[Qemu-devel] [PATCH v4 7/8] nbd: Implement NBD_INFO_BLOCK_SIZE on server

2017-02-20 Thread Eric Blake
The upstream NBD Protocol has defined a new extension to allow
the server to advertise block sizes to the client, as well as
a way for the client to inform the server that it intends to
obey block sizes.

Thanks to a recent fix (commit df7b97ff), our real minimum
transfer size is always 1 (the block layer takes care of
read-modify-write on our behalf), but we're still more efficient
if we advertise 512 when the client supports it, as follows:
- OPT_INFO, but no NBD_INFO_BLOCK_SIZE: advertise 512, then
fail with NBD_REP_ERR_BLOCK_SIZE_REQD; client is free to try
something else since we don't disconnect
- OPT_INFO with NBD_INFO_BLOCK_SIZE: advertise 512
- OPT_GO, but no NBD_INFO_BLOCK_SIZE: advertise 1
- OPT_GO with NBD_INFO_BLOCK_SIZE: advertise 512

We can also advertise the optimum block size (presumably the
cluster size, when exporting a qcow2 file), and our absolute
maximum transfer size of 32M, to help newer clients avoid
EINVAL failures or abrupt disconnects on oversize requests.

We do not reject clients for using the older NBD_OPT_EXPORT_NAME;
we are no worse off for those clients than we used to be.

Signed-off-by: Eric Blake 

---
v4: new patch
---
 nbd/server.c | 47 +++
 1 file changed, 43 insertions(+), 4 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 3b1a4a5..d63e5d3 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -409,6 +409,8 @@ static int nbd_negotiate_handle_info(NBDClient *client, 
uint32_t length,
 uint16_t request;
 uint32_t namelen;
 bool sendname = false;
+bool blocksize = false;
+uint32_t sizes[3];
 char buf[sizeof(uint64_t) + sizeof(uint16_t)];
 const char *msg;

@@ -444,11 +446,16 @@ static int nbd_negotiate_handle_info(NBDClient *client, 
uint32_t length,
 length -= sizeof(request);
 TRACE("Client requested info %d (%s)", request,
   nbd_info_lookup(request));
-/* For now, we only care about NBD_INFO_NAME; everything else
- * is either a request we don't know or something we send
- * regardless of request. */
-if (request == NBD_INFO_NAME) {
+/* We care about NBD_INFO_NAME and NBD_INFO_BLOCK_SIZE;
+ * everything else is either a request we don't know or
+ * something we send regardless of request */
+switch (request) {
+case NBD_INFO_NAME:
 sendname = true;
+break;
+case NBD_INFO_BLOCK_SIZE:
+blocksize = true;
+break;
 }
 }

@@ -499,6 +506,27 @@ static int nbd_negotiate_handle_info(NBDClient *client, 
uint32_t length,
 }
 }

+/* Send NBD_INFO_BLOCK_SIZE always, but tweak the minimum size
+ * according to whether the client requested it, and according to
+ * whether this is OPT_INFO or OPT_GO. */
+/* minimum - 1 for back-compat, or 512 if client is new enough.
+ * TODO: consult blk_bs(blk)->request_align? */
+sizes[0] = (opt == NBD_OPT_INFO || blocksize) ? BDRV_SECTOR_SIZE : 1;
+/* preferred - At least 4096, but larger as appropriate. */
+sizes[1] = MAX(blk_get_opt_transfer(exp->blk), 4096);
+/* maximum - At most 32M, but smaller as appropriate. */
+sizes[2] = MIN(blk_get_max_transfer(exp->blk), NBD_MAX_BUFFER_SIZE);
+TRACE("advertising minimum 0x%" PRIx32 ", preferred 0x%" PRIx32
+  ", maximum 0x%" PRIx32, sizes[0], sizes[1], sizes[2]);
+cpu_to_be32s([0]);
+cpu_to_be32s([1]);
+cpu_to_be32s([2]);
+rc = nbd_negotiate_send_info(client, opt, NBD_INFO_BLOCK_SIZE,
+ sizeof(sizes), sizes);
+if (rc < 0) {
+return rc;
+}
+
 /* Send NBD_INFO_EXPORT always */
 TRACE("advertising size %" PRIu64 " and flags %" PRIx16,
   exp->size, exp->nbdflags | myflags);
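Review bot: the three sizes are computed independently and nothing keeps them consistent with each other: sizes[1] = MAX(blk_get_opt_transfer(), 4096) can exceed sizes[2] = MIN(blk_get_max_transfer(), NBD_MAX_BUFFER_SIZE) when the backend reports a large optimum and a small maximum, and nothing guarantees the optimum is a multiple of the 512-byte minimum for every driver. Clamp sizes[1] to sizes[2] and round it to a multiple of sizes[0] before sending, or drop the preferred value when it cannot be made consistent. The `sizes[0] = ... : 1` branch also deserves a comment pointing at the commit message's justification (the block layer's read-modify-write), since a reader of server.c alone will wonder why a minimum of 1 is safe.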
@@ -510,6 +538,17 @@ static int nbd_negotiate_handle_info(NBDClient *client, 
uint32_t length,
 return rc;
 }

+/* If the client is just asking for NBD_OPT_INFO, but forgot to
+ * request block sizes, return an error.
+ * TODO: consult blk_bs(blk)->request_align, and only error if it
+ * is not 1? */
+if (opt == NBD_OPT_INFO && !blocksize) {
+return nbd_negotiate_send_rep_err(client->ioc,
+  NBD_REP_ERR_BLOCK_SIZE_REQD, opt,
+  "request NBD_INFO_BLOCK_SIZE to "
+  "use this export");
+}
+
 /* Final reply */
 rc = nbd_negotiate_send_rep(client->ioc, NBD_REP_ACK, opt);
 if (rc < 0) {
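Review bot: returning nbd_negotiate_send_rep_err() here sends NBD_REP_ERR_BLOCK_SIZE_REQD after all the NBD_REP_INFO replies have already gone out; that ordering is intentional (the client gets the info and can retry with NBD_INFO_BLOCK_SIZE, as the commit message says), but it looks like a bug when read in isolation, so state in the comment that info followed by an error is the expected sequence for NBD_OPT_INFO. The TODO about request_align is worth resolving before merge: an export whose real alignment is 1 does not need to force the error at all.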
-- 
2.9.3




[Qemu-devel] [PATCH v4 4/8] nbd: Expose and debug more NBD constants

2017-02-20 Thread Eric Blake
The NBD protocol has several constants defined in various extensions
that we are about to implement.  Expose them to the code, along with
an easy way to map various constants to strings during diagnostic
messages.

Doing this points out a debug message in server.c that got
parameters mixed up.

Signed-off-by: Eric Blake 

---
v4: new patch
---
 include/block/nbd.h | 34 +++---
 nbd/nbd-internal.h  |  9 +++
 nbd/client.c| 56 ---
 nbd/common.c| 69 +
 nbd/server.c| 17 +++--
 5 files changed, 145 insertions(+), 40 deletions(-)

diff --git a/include/block/nbd.h b/include/block/nbd.h
index 8cc9cbe..c84e022 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2016 Red Hat, Inc.
+ *  Copyright (C) 2016-2017 Red Hat, Inc.
  *  Copyright (C) 2005  Anthony Liguori 
  *
  *  Network Block Device
@@ -83,18 +83,36 @@ typedef struct NBDReply NBDReply;
 #define NBD_FLAG_C_FIXED_NEWSTYLE (1 << 0) /* Fixed newstyle protocol. */
 #define NBD_FLAG_C_NO_ZEROES  (1 << 1) /* End handshake without zeroes. */

-/* Reply types. */
+/* Option requests. */
+#define NBD_OPT_EXPORT_NAME (1)
+#define NBD_OPT_ABORT   (2)
+#define NBD_OPT_LIST(3)
+/* #define NBD_OPT_PEEK_EXPORT  (4) not in use */
+#define NBD_OPT_STARTTLS(5)
+#define NBD_OPT_INFO(6)
+#define NBD_OPT_GO  (7)
+
+/* Option reply types. */
 #define NBD_REP_ERR(value) ((UINT32_C(1) << 31) | (value))

 #define NBD_REP_ACK (1) /* Data sending finished. */
 #define NBD_REP_SERVER  (2) /* Export description. */
+#define NBD_REP_INFO(3) /* NBD_OPT_INFO/GO. */

-#define NBD_REP_ERR_UNSUP   NBD_REP_ERR(1)  /* Unknown option */
-#define NBD_REP_ERR_POLICY  NBD_REP_ERR(2)  /* Server denied */
-#define NBD_REP_ERR_INVALID NBD_REP_ERR(3)  /* Invalid length */
-#define NBD_REP_ERR_PLATFORMNBD_REP_ERR(4)  /* Not compiled in */
-#define NBD_REP_ERR_TLS_REQDNBD_REP_ERR(5)  /* TLS required */
-#define NBD_REP_ERR_SHUTDOWNNBD_REP_ERR(7)  /* Server shutting down */
+#define NBD_REP_ERR_UNSUP   NBD_REP_ERR(1)  /* Unknown option */
+#define NBD_REP_ERR_POLICY  NBD_REP_ERR(2)  /* Server denied */
+#define NBD_REP_ERR_INVALID NBD_REP_ERR(3)  /* Invalid length */
+#define NBD_REP_ERR_PLATFORMNBD_REP_ERR(4)  /* Not compiled in */
+#define NBD_REP_ERR_TLS_REQDNBD_REP_ERR(5)  /* TLS required */
+#define NBD_REP_ERR_UNKNOWN NBD_REP_ERR(6)  /* Export unknown */
+#define NBD_REP_ERR_SHUTDOWNNBD_REP_ERR(7)  /* Server shutting down */
+#define NBD_REP_ERR_BLOCK_SIZE_REQD NBD_REP_ERR(8)  /* Need INFO_BLOCK_SIZE */
+
+/* Info types, used during NBD_REP_INFO */
+#define NBD_INFO_EXPORT 0
+#define NBD_INFO_NAME   1
+#define NBD_INFO_DESCRIPTION2
+#define NBD_INFO_BLOCK_SIZE 3

 /* Request flags, sent from client to server during transmission phase */
 #define NBD_CMD_FLAG_FUA(1 << 0) /* 'force unit access' during write */
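Review bot: the new NBD_INFO_* values are bare literals while the NBD_OPT_* and NBD_REP_* values beside them are parenthesized; keep one style, e.g. `#define NBD_INFO_BLOCK_SIZE (3)`. A one-line comment that NBD_INFO_* are 16-bit info types (compared against a uint16_t read off the wire in nbd_info_lookup()) while NBD_OPT_* and NBD_REP_* are 32-bit would save readers a trip to the spec.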
diff --git a/nbd/nbd-internal.h b/nbd/nbd-internal.h
index f43d990..aa5b2fd 100644
--- a/nbd/nbd-internal.h
+++ b/nbd/nbd-internal.h
@@ -76,12 +76,6 @@
 #define NBD_SET_TIMEOUT _IO(0xab, 9)
 #define NBD_SET_FLAGS   _IO(0xab, 10)

-#define NBD_OPT_EXPORT_NAME (1)
-#define NBD_OPT_ABORT   (2)
-#define NBD_OPT_LIST(3)
-#define NBD_OPT_PEEK_EXPORT (4)
-#define NBD_OPT_STARTTLS(5)
-
 /* NBD errors are based on errno numbers, so there is a 1:1 mapping,
  * but only a limited set of errno values is specified in the protocol.
  * Everything else is squashed to EINVAL.
@@ -122,5 +116,8 @@ struct NBDTLSHandshakeData {

 void nbd_tls_handshake(QIOTask *task,
void *opaque);
+const char *nbd_opt_lookup(uint32_t opt);
+const char *nbd_rep_lookup(uint32_t rep);
+const char *nbd_info_lookup(uint16_t info);

 #endif
diff --git a/nbd/client.c b/nbd/client.c
index 69f0e09..f96539b 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2016 Red Hat, Inc.
+ *  Copyright (C) 2016-2017 Red Hat, Inc.
  *  Copyright (C) 2005  Anthony Liguori 
  *
  *  Network Block Device Client Side
@@ -130,7 +130,8 @@ static int nbd_send_option_request(QIOChannel *ioc, 
uint32_t opt,
 if (len == -1) {
 req.length = len = strlen(data);
 }
-TRACE("Sending option request %" PRIu32", len %" PRIu32, opt, len);
+TRACE("Sending option request %" PRIu32" (%s), len %" PRIu32, opt,
+  nbd_opt_lookup(opt), len);

 stq_be_p(, NBD_OPTS_MAGIC);
 stl_be_p(, opt);
@@ -180,8 +181,10 @@ static int nbd_receive_option_reply(QIOChannel *ioc, 
uint32_t opt,
 be32_to_cpus(>type);
 be32_to_cpus(>length);

-

[Qemu-devel] [PATCH v4 2/8] nbd: Create struct for tracking export info

2017-02-20 Thread Eric Blake
The NBD Protocol is introducing some additional information
about exports, such as minimum request size and alignment, as
well as an advertised maximum request size.  It will be easier
to feed this information back to the block layer if we gather
all the information into a struct, rather than adding yet more
pointer parameters during negotiation.

Signed-off-by: Eric Blake 

---
v4: rebase to master
v3: new patch
---
 block/nbd-client.h  |  3 +--
 include/block/nbd.h | 15 +++
 block/nbd-client.c  | 18 --
 block/nbd.c |  2 +-
 nbd/client.c| 47 +--
 qemu-nbd.c  | 10 --
 6 files changed, 50 insertions(+), 45 deletions(-)

diff --git a/block/nbd-client.h b/block/nbd-client.h
index f8d6006..098b65c 100644
--- a/block/nbd-client.h
+++ b/block/nbd-client.h
@@ -20,8 +20,7 @@
 typedef struct NBDClientSession {
 QIOChannelSocket *sioc; /* The master data channel */
 QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) */
-uint16_t nbdflags;
-off_t size;
+NBDExportInfo info;

 CoMutex send_mutex;
 CoQueue free_sema;
diff --git a/include/block/nbd.h b/include/block/nbd.h
index 3e373f0..8cc9cbe 100644
--- a/include/block/nbd.h
+++ b/include/block/nbd.h
@@ -123,16 +123,23 @@ enum {
  * aren't overflowing some other buffer. */
 #define NBD_MAX_NAME_SIZE 256

+/* Details collected by NBD_OPT_EXPORT_NAME and NBD_OPT_GO */
+struct NBDExportInfo {
+uint64_t size;
+uint16_t flags;
+};
+typedef struct NBDExportInfo NBDExportInfo;
+
 ssize_t nbd_wr_syncv(QIOChannel *ioc,
  struct iovec *iov,
  size_t niov,
  size_t length,
  bool do_read);
-int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags,
+int nbd_receive_negotiate(QIOChannel *ioc, const char *name,
   QCryptoTLSCreds *tlscreds, const char *hostname,
-  QIOChannel **outioc,
-  off_t *size, Error **errp);
-int nbd_init(int fd, QIOChannelSocket *sioc, uint16_t flags, off_t size);
+  QIOChannel **outioc, NBDExportInfo *info,
+  Error **errp);
+int nbd_init(int fd, QIOChannelSocket *sioc, NBDExportInfo *info);
 ssize_t nbd_send_request(QIOChannel *ioc, NBDRequest *request);
 ssize_t nbd_receive_reply(QIOChannel *ioc, NBDReply *reply);
 int nbd_client(int fd);
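Review bot: nbd_init() only consumes the negotiated size and flags, so its parameter is better declared `const NBDExportInfo *info` so that the read-only direction is visible in the prototype. Note also that `size` is now uint64_t where the old out-parameter at `off_t *size` was signed; any caller that still stores it in an off_t needs an overflow check, and a comment on the field saying it is the unsigned wire value would help.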
diff --git a/block/nbd-client.c b/block/nbd-client.c
index 06f1532..32d7c90 100644
--- a/block/nbd-client.c
+++ b/block/nbd-client.c
@@ -258,7 +258,7 @@ int nbd_client_co_pwritev(BlockDriverState *bs, uint64_t 
offset,
 ssize_t ret;

 if (flags & BDRV_REQ_FUA) {
-assert(client->nbdflags & NBD_FLAG_SEND_FUA);
+assert(client->info.flags & NBD_FLAG_SEND_FUA);
 request.flags |= NBD_CMD_FLAG_FUA;
 }

@@ -287,12 +287,12 @@ int nbd_client_co_pwrite_zeroes(BlockDriverState *bs, 
int64_t offset,
 };
 NBDReply reply;

-if (!(client->nbdflags & NBD_FLAG_SEND_WRITE_ZEROES)) {
+if (!(client->info.flags & NBD_FLAG_SEND_WRITE_ZEROES)) {
 return -ENOTSUP;
 }

 if (flags & BDRV_REQ_FUA) {
-assert(client->nbdflags & NBD_FLAG_SEND_FUA);
+assert(client->info.flags & NBD_FLAG_SEND_FUA);
 request.flags |= NBD_CMD_FLAG_FUA;
 }
 if (!(flags & BDRV_REQ_MAY_UNMAP)) {
@@ -317,7 +317,7 @@ int nbd_client_co_flush(BlockDriverState *bs)
 NBDReply reply;
 ssize_t ret;

-if (!(client->nbdflags & NBD_FLAG_SEND_FLUSH)) {
+if (!(client->info.flags & NBD_FLAG_SEND_FLUSH)) {
 return 0;
 }

@@ -346,7 +346,7 @@ int nbd_client_co_pdiscard(BlockDriverState *bs, int64_t 
offset, int count)
 NBDReply reply;
 ssize_t ret;

-if (!(client->nbdflags & NBD_FLAG_SEND_TRIM)) {
+if (!(client->info.flags & NBD_FLAG_SEND_TRIM)) {
 return 0;
 }

@@ -405,19 +405,17 @@ int nbd_client_init(BlockDriverState *bs,
 qio_channel_set_blocking(QIO_CHANNEL(sioc), true, NULL);

 ret = nbd_receive_negotiate(QIO_CHANNEL(sioc), export,
->nbdflags,
 tlscreds, hostname,
->ioc,
->size, errp);
+>ioc, >info, errp);
 if (ret < 0) {
 logout("Failed to negotiate with the NBD server\n");
 return ret;
 }
-if (client->nbdflags & NBD_FLAG_SEND_FUA) {
+if (client->info.flags & NBD_FLAG_SEND_FUA) {
 bs->supported_write_flags = BDRV_REQ_FUA;
 bs->supported_zero_flags |= BDRV_REQ_FUA;
 }
-if (client->nbdflags & NBD_FLAG_SEND_WRITE_ZEROES) {
+if (client->info.flags & NBD_FLAG_SEND_WRITE_ZEROES) {
 bs->supported_zero_flags |= BDRV_REQ_MAY_UNMAP;
 }

diff --git a/block/nbd.c b/block/nbd.c
index 35f24be..c43fa35 100644
--- 

[Qemu-devel] [PATCH v4 1/8] nbd/client: fix drop_sync [CVE-2017-2630]

2017-02-20 Thread Eric Blake
From: Vladimir Sementsov-Ogievskiy 

Comparison symbol is misused. It may lead to memory corruption.
Introduced in commit 7d3123e.

Signed-off-by: Vladimir Sementsov-Ogievskiy 
Message-Id: <20170203154757.36140-6-vsement...@virtuozzo.com>
[eblake: add CVE details]
Signed-off-by: Eric Blake 
---
 nbd/client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nbd/client.c b/nbd/client.c
index ffb0743..0d16cd1 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
 char small[1024];
 char *buffer;

-buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
+buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
 while (size > 0) {
 ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
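Review bot: the corrected comparison is right: `sizeof(small) > size` now selects the 1024-byte stack buffer only when the whole request fits in it, and the heap path gets MIN(65536, size) bytes, which read_sync() never exceeds. `>=` would additionally let an exactly 1024-byte drop use the stack buffer. Either way the fix deserves a regression test that feeds a length between 1025 and 65536 through drop_sync(), since that is the range the old `<` sent into the undersized stack buffer.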

-- 
2.9.3




[Qemu-devel] [PATCH v4 3/8] block: Add blk_get_opt_transfer()

2017-02-20 Thread Eric Blake
The NBD protocol would like to advertise the optimal I/O
size to the client; but it would be a layering violation to
peek into blk_bs(blk)->bl, when we only have a BB.

This copies the existing blk_get_max_transfer() in reading
a value from the top BDS; where that value was picked via
bdrv_refresh_limits() to reflect the overall constraints of
the entire BDS chain.

Signed-off-by: Eric Blake 

---
v4: retitle, as part of rebasing to byte limits
v3: new patch
---
 include/sysemu/block-backend.h |  1 +
 block/block-backend.c  | 12 
 2 files changed, 13 insertions(+)

diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
index 6444e41..882480a 100644
--- a/include/sysemu/block-backend.h
+++ b/include/sysemu/block-backend.h
@@ -174,6 +174,7 @@ void blk_lock_medium(BlockBackend *blk, bool locked);
 void blk_eject(BlockBackend *blk, bool eject_flag);
 int blk_get_flags(BlockBackend *blk);
 uint32_t blk_get_max_transfer(BlockBackend *blk);
+uint32_t blk_get_opt_transfer(BlockBackend *blk);
 int blk_get_max_iov(BlockBackend *blk);
 void blk_set_guest_block_size(BlockBackend *blk, int align);
 void *blk_try_blockalign(BlockBackend *blk, size_t size);
diff --git a/block/block-backend.c b/block/block-backend.c
index efbf398..4d91ff8 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -1426,6 +1426,18 @@ uint32_t blk_get_max_transfer(BlockBackend *blk)
 return MIN_NON_ZERO(max, INT_MAX);
 }

+/* Returns the optimum transfer length, in bytes; may be 0 if no optimum */
+uint32_t blk_get_opt_transfer(BlockBackend *blk)
+{
+BlockDriverState *bs = blk_bs(blk);
+
+if (bs) {
+return bs->bl.opt_transfer;
+} else {
+return 0;
+}
+}
+
 int blk_get_max_iov(BlockBackend *blk)
 {
 return blk->root->bs->bl.max_iov;
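Review bot: the NULL check on blk_bs(blk) is good and the "may be 0 if no optimum" comment documents the contract clearly; QEMU style would usually write the body as `return bs ? bs->bl.opt_transfer : 0;`. Note that blk_get_max_iov() immediately below dereferences blk->root->bs without any check, so the getters are not uniform in how they treat a BlockBackend without a BDS; worth aligning in a follow-up.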
-- 
2.9.3




[Qemu-devel] [PATCH v4 6/8] nbd: Implement NBD_OPT_GO on client

2017-02-20 Thread Eric Blake
NBD_OPT_EXPORT_NAME is lousy: per the NBD protocol, any failure
requires the server to close the connection rather than report an
error to us.  Therefore, upstream NBD recently added NBD_OPT_GO as
the improved version of the option that does what we want [1]: it
reports sane errors on failures, and on success provides at least
as much info as NBD_OPT_EXPORT_NAME.

[1] https://github.com/NetworkBlockDevice/nbd/blob/extension-info/doc/proto.md

This is a first cut at use of the information types.  Note that we
do not need to use NBD_OPT_INFO, and that use of NBD_OPT_GO means
we no longer have to use NBD_OPT_LIST to learn whether a server
requires TLS (this requires servers that gracefully handle unknown
NBD_OPT; many servers prior to qemu 2.5 were buggy, but I have patched
qemu, upstream nbd, and nbdkit in the meantime, in part because of
interoperability testing with this patch).  We still fall back to
NBD_OPT_LIST when NBD_OPT_GO is not supported on the server, as it
is still one last chance for a nicer error message.  Later patches
will use further info, like NBD_INFO_BLOCK_SIZE.

Signed-off-by: Eric Blake 

---
v4: NBD protocol changes, again
v3: revamp to match latest version of NBD protocol
---
 nbd/nbd-internal.h |   3 ++
 nbd/client.c   | 130 -
 2 files changed, 131 insertions(+), 2 deletions(-)

diff --git a/nbd/nbd-internal.h b/nbd/nbd-internal.h
index aa5b2fd..96c204b 100644
--- a/nbd/nbd-internal.h
+++ b/nbd/nbd-internal.h
@@ -56,8 +56,11 @@
  * https://github.com/yoe/nbd/blob/master/doc/proto.md
  */

+/* Size of all NBD_OPT_*, without payload */
 #define NBD_REQUEST_SIZE(4 + 2 + 2 + 8 + 8 + 4)
+/* Size of all NBD_REP_* sent in answer to most NBD_OPT_*, without payload */
 #define NBD_REPLY_SIZE  (4 + 4 + 8)
+
 #define NBD_REQUEST_MAGIC   0x25609513
 #define NBD_REPLY_MAGIC 0x67446698
 #define NBD_OPTS_MAGIC  0x49484156454F5054LL
diff --git a/nbd/client.c b/nbd/client.c
index f96539b..b408945 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -380,6 +380,118 @@ static int nbd_receive_list(QIOChannel *ioc, const char 
*want, bool *match,
 }


+/* Returns -1 if NBD_OPT_GO proves the export @wantname cannot be
+ * used, 0 if NBD_OPT_GO is unsupported (fall back to NBD_OPT_LIST and
+ * NBD_OPT_EXPORT_NAME in that case), and > 0 if the export is good to
+ * go (with @info populated). */
+static int nbd_opt_go(QIOChannel *ioc, const char *wantname,
+  NBDExportInfo *info, Error **errp)
+{
+nbd_opt_reply reply;
+uint32_t len = strlen(wantname);
+uint16_t type;
+int error;
+char *buf;
+
+/* The protocol requires that the server send NBD_INFO_EXPORT with
+ * a non-zero flags (at least NBD_FLAG_HAS_FLAGS must be set); so
+ * flags still 0 is a witness of a broken server. */
+info->flags = 0;
+
+TRACE("Attempting NBD_OPT_GO for export '%s'", wantname);
+buf = g_malloc(2 + 4 + len + 1);
+stw_be_p(buf, 0); /* No requests, live with whatever server sends */
+stl_be_p(buf + 2, len);
+memcpy(buf + 6, wantname, len);
+if (nbd_send_option_request(ioc, NBD_OPT_GO, len + 6, buf, errp) < 0) {
+return -1;
+}
+
+TRACE("Reading export info");
+while (1) {
+if (nbd_receive_option_reply(ioc, NBD_OPT_GO, , errp) < 0) {
+return -1;
+}
+error = nbd_handle_reply_err(ioc, , errp);
+if (error <= 0) {
+return error;
+}
+len = reply.length;
+
+if (reply.type == NBD_REP_ACK) {
+/* Server is done sending info and moved into transmission
+   phase, but make sure it sent flags */
+if (len) {
+error_setg(errp, "server sent invalid NBD_REP_ACK");
+nbd_send_opt_abort(ioc);
+return -1;
+}
+if (!info->flags) {
+error_setg(errp, "broken server omitted NBD_INFO_EXPORT");
+nbd_send_opt_abort(ioc);
+return -1;
+}
+TRACE("export is good to go");
+return 1;
+}
+if (reply.type != NBD_REP_INFO) {
+error_setg(errp, "unexpected reply type %" PRIx32 ", expected %x",
+   reply.type, NBD_REP_INFO);
+nbd_send_opt_abort(ioc);
+return -1;
+}
+if (len < sizeof(type)) {
+error_setg(errp, "NBD_REP_INFO length %" PRIu32 " is too short",
+   len);
+nbd_send_opt_abort(ioc);
+return -1;
+}
+if (read_sync(ioc, , sizeof(type)) != sizeof(type)) {
+error_setg(errp, "failed to read info type");
+nbd_send_opt_abort(ioc);
+return -1;
+}
+len -= sizeof(type);
+be16_to_cpus();
+switch (type) {
+case NBD_INFO_EXPORT:
+if (len != sizeof(info->size) + 
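Review bot: `buf` from `g_malloc(2 + 4 + len + 1)` is never freed: the `return -1` after nbd_send_option_request() leaks it, and no g_free() appears anywhere in the visible function. Free it immediately after the send, before checking the result. The `+ 1` in the allocation also has no matching write of a terminating byte, so either drop it or terminate the name if something downstream expects a C string.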

[Qemu-devel] [PATCH v4 5/8] nbd: Implement NBD_OPT_GO on server

2017-02-20 Thread Eric Blake
NBD_OPT_EXPORT_NAME is lousy: per the NBD protocol, any failure
requires us to close the connection rather than report an error.
Therefore, upstream NBD recently added NBD_OPT_GO as the improved
version of the option that does what we want [1], along with
NBD_OPT_INFO that returns the same information but does not
transition to transmission phase.

[1] https://github.com/NetworkBlockDevice/nbd/blob/extension-info/doc/proto.md

This is a first cut at the information types, and only passes the
same information already available through NBD_OPT_LIST and
NBD_OPT_EXPORT_NAME; items like NBD_INFO_BLOCK_SIZE (and thus any
use of NBD_REP_ERR_BLOCK_SIZE_REQD) are intentionally left for
later patches.

Signed-off-by: Eric Blake 

---
v4: revamp to another round of NBD protocol changes
v3: revamp to match latest version of NBD protocol
---
 nbd/server.c | 208 +++
 1 file changed, 195 insertions(+), 13 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 767ca0f..3b1a4a5 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -209,6 +209,7 @@ static int nbd_negotiate_send_rep_len(QIOChannel *ioc, 
uint32_t type,
 TRACE("Reply opt=%" PRIx32 " (%s), type=%" PRIx32 " (%s), len=%" PRIu32,
   opt, nbd_opt_lookup(opt), type, nbd_rep_lookup(type), len);

+assert(len < NBD_MAX_BUFFER_SIZE);
 magic = cpu_to_be64(NBD_REP_MAGIC);
 if (nbd_negotiate_write(ioc, , sizeof(magic)) != sizeof(magic)) {
 LOG("write failed (rep magic)");
@@ -331,6 +332,8 @@ static int nbd_negotiate_handle_list(NBDClient *client, 
uint32_t length)
 return nbd_negotiate_send_rep(client->ioc, NBD_REP_ACK, NBD_OPT_LIST);
 }

+/* Send a reply to NBD_OPT_EXPORT_NAME.
+ * Return -errno on error, 0 on success. */
 static int nbd_negotiate_handle_export_name(NBDClient *client, uint32_t length)
 {
 int rc = -EINVAL;
@@ -365,6 +368,171 @@ fail:
 return rc;
 }

+/* Send a single NBD_REP_INFO, with a buffer @buf of @length bytes.
+ * The buffer does NOT include the info type prefix.
+ * Return -errno on error, 0 if ready to send more. */
+static int nbd_negotiate_send_info(NBDClient *client, uint32_t opt,
+   uint16_t info, uint32_t length, void *buf)
+{
+int rc;
+
+TRACE("Sending NBD_REP_INFO type %" PRIu16 " (%s) with remaining length %"
+  PRIu32, info, nbd_info_lookup(info), length);
+rc = nbd_negotiate_send_rep_len(client->ioc, NBD_REP_INFO, opt,
+sizeof(info) + length);
+if (rc < 0) {
+return rc;
+}
+cpu_to_be16s();
+if (nbd_negotiate_write(client->ioc, , sizeof(info)) !=
+sizeof(info)) {
+LOG("write failed");
+return -EIO;
+}
+if (nbd_negotiate_write(client->ioc, buf, length) != length) {
+LOG("write failed");
+return -EIO;
+}
+return 0;
+}
+
+/* Handle NBD_OPT_INFO and NBD_OPT_GO.
+ * Return -errno on error, 0 if ready for next option, and 1 to move
+ * into transmission phase.  */
+static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length,
+ uint32_t opt, uint16_t myflags)
+{
+int rc;
+char name[NBD_MAX_NAME_SIZE + 1];
+NBDExport *exp;
+uint16_t requests;
+uint16_t request;
+uint32_t namelen;
+bool sendname = false;
+char buf[sizeof(uint64_t) + sizeof(uint16_t)];
+const char *msg;
+
+/* Client sends:
+2 bytes: N, number of requests (can be 0)
+N * 2 bytes: N requests
+4 bytes: L, name length (can be 0)
+L bytes: export name
+*/
+if (length < sizeof(requests) + sizeof(namelen)) {
+msg = "overall request too short";
+goto invalid;
+}
+if (nbd_negotiate_read(client->ioc, , sizeof(requests)) !=
+sizeof(requests)) {
+LOG("read failed");
+return -EIO;
+}
+be16_to_cpus();
+length -= sizeof(requests);
+TRACE("Client requested %d items of info", requests);
+if (requests > (length - sizeof(namelen)) / sizeof(request)) {
+msg = "too many requests for overall length";
+goto invalid;
+}
+while (requests--) {
+if (nbd_negotiate_read(client->ioc, , sizeof(request)) !=
+sizeof(request)) {
+LOG("read failed");
+return -EIO;
+}
+be16_to_cpus();
+length -= sizeof(request);
+TRACE("Client requested info %d (%s)", request,
+  nbd_info_lookup(request));
+/* For now, we only care about NBD_INFO_NAME; everything else
+ * is either a request we don't know or something we send
+ * regardless of request. */
+if (request == NBD_INFO_NAME) {
+sendname = true;
+}
+}
+
+if (nbd_negotiate_read(client->ioc, , sizeof(namelen)) !=
+sizeof(namelen)) {
+LOG("read failed");
+return -EIO;
+}
+be32_to_cpus();
+length 
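
The option payload layout described in the patch 5/8 comment (N, N two-byte requests, L, then the L-byte export name) and the NBD_INFO_BLOCK_SIZE selection rules in the patch 7/8 description, as an added stand-alone example in C. This is not QEMU's code: the function and type names (nbd_build_info_payload, nbd_parse_info_payload, nbd_block_sizes, NbdInfoRequest) are this example's own, and the opt_transfer/max_transfer parameters stand in for blk_get_opt_transfer()/blk_get_max_transfer(). It shows the checks a server needs before trusting a client-supplied request count and name length, so that a malformed payload is rejected instead of read past.

```c
/* Added example, not QEMU code: the NBD_OPT_INFO / NBD_OPT_GO payload
 * ("N, N two-byte requests, L, L-byte name", patch 5/8) and the
 * NBD_INFO_BLOCK_SIZE selection rules (patch 7/8) as stand-alone
 * functions.  Constants mirror include/block/nbd.h; names are ours. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NBD_OPT_INFO        6
#define NBD_OPT_GO          7
#define NBD_INFO_NAME       1
#define NBD_INFO_BLOCK_SIZE 3
#define NBD_MAX_NAME_SIZE   256
#define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
#define BDRV_SECTOR_SIZE    512

static void put_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }
static void put_be32(uint8_t *p, uint32_t v) { put_be16(p, v >> 16); put_be16(p + 2, v); }
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get_be32(const uint8_t *p) { return (uint32_t)get_be16(p) << 16 | get_be16(p + 2); }

/* Client side: encode the option payload into out.  Returns the payload
 * length, or -1 if the name is too long or the buffer too small. */
long nbd_build_info_payload(uint8_t *out, size_t cap, const uint16_t *reqs,
                            uint16_t nreqs, const char *name)
{
    size_t len = strlen(name);
    size_t need = 2 + 2 * (size_t)nreqs + 4 + len;
    uint16_t i;

    if (len > NBD_MAX_NAME_SIZE || need > cap) {
        return -1;
    }
    put_be16(out, nreqs);
    for (i = 0; i < nreqs; i++) {
        put_be16(out + 2 + 2 * i, reqs[i]);
    }
    put_be32(out + 2 + 2 * nreqs, (uint32_t)len);
    memcpy(out + 2 + 2 * nreqs + 4, name, len);
    return (long)need;
}

typedef struct {
    bool sendname;   /* client asked for NBD_INFO_NAME */
    bool blocksize;  /* client asked for NBD_INFO_BLOCK_SIZE */
    char name[NBD_MAX_NAME_SIZE + 1];
} NbdInfoRequest;

/* Server side: parse a payload of exactly length bytes, checking every
 * count against the bytes actually present before trusting it.
 * Returns 0 on success, -1 if the payload is malformed. */
int nbd_parse_info_payload(const uint8_t *buf, uint32_t length,
                           NbdInfoRequest *req)
{
    uint16_t nreqs, i;
    uint32_t namelen;

    memset(req, 0, sizeof(*req));
    if (length < 2 + 4) {
        return -1;  /* overall request too short */
    }
    nreqs = get_be16(buf);
    buf += 2;
    length -= 2;
    if (nreqs > (length - 4) / 2) {
        return -1;  /* too many requests for overall length */
    }
    for (i = 0; i < nreqs; i++, buf += 2, length -= 2) {
        switch (get_be16(buf)) {
        case NBD_INFO_NAME:
            req->sendname = true;
            break;
        case NBD_INFO_BLOCK_SIZE:
            req->blocksize = true;
            break;
        default:
            break;  /* unknown info types are ignored */
        }
    }
    namelen = get_be32(buf);
    buf += 4;
    length -= 4;
    if (namelen != length || namelen > NBD_MAX_NAME_SIZE) {
        return -1;  /* name must fill exactly the remainder and fit */
    }
    memcpy(req->name, buf, namelen);
    req->name[namelen] = '\0';
    return 0;
}

/* Server side: minimum / preferred / maximum for NBD_INFO_BLOCK_SIZE.
 * opt_transfer and max_transfer stand in for the block-backend getters;
 * this example (an assumption, not QEMU's rule) treats max_transfer 0
 * as "no limit known" and falls back to NBD_MAX_BUFFER_SIZE. */
void nbd_block_sizes(uint32_t opt, bool blocksize, uint32_t opt_transfer,
                     uint32_t max_transfer, uint32_t sizes[3])
{
    sizes[0] = (opt == NBD_OPT_INFO || blocksize) ? BDRV_SECTOR_SIZE : 1;
    sizes[1] = opt_transfer > 4096 ? opt_transfer : 4096;
    sizes[2] = (max_transfer && max_transfer < NBD_MAX_BUFFER_SIZE)
               ? max_transfer : NBD_MAX_BUFFER_SIZE;
}
```

The parser mirrors the two checks from the server hunk (overall length, then request count against the remaining bytes) and adds a third that the name length must consume exactly what is left, which is what keeps a client from declaring a 4 GiB name inside a 14-byte option.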

[Qemu-devel] [PATCH v4 0/8] Implement NBD_OPT_GO, block size advertisement

2017-02-20 Thread Eric Blake
A bit later than I planned, but still in time for soft freeze if
we like it. The NBD protocol has a proposed extension that fixes
several shortcomings with NBD_OPT_EXPORT_NAME (namely, no error
reporting, no way for the server to advertise block sizes to the
client):
https://github.com/NetworkBlockDevice/nbd/blob/extension-info/doc/proto.md

This sort of overlaps with the work Vladimir is proposing for
implementing NBD_CMD_BLOCK_STATUS (in fact, I included his CVE
fix because it was my bug that introduced the hole), but an initial
version of my work has been on the list a lot longer; where it was
posted as v3 of a larger series (see patches 37-44):
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg03526.html

Difference since v3 (if it is even worth comparing):

001/8:[down] 'nbd/client: fix drop_sync [CVE-2017-2630]'
002/8:[0034] [FC] 'nbd: Create struct for tracking export info'
003/8:[down] 'block: Add blk_get_opt_transfer()'
004/8:[down] 'nbd: Expose and debug more NBD constants'
005/8:[0187] [FC] 'nbd: Implement NBD_OPT_GO on server'
006/8:[0030] [FC] 'nbd: Implement NBD_OPT_GO on client'
007/8:[down] 'nbd: Implement NBD_INFO_BLOCK_SIZE on server'
008/8:[down] 'nbd: Implement NBD_INFO_BLOCK_SIZE on client'

I built this on top of my blkdebug enhancements for testing
purposes; I did not test this one without that but the two
series should be relatively orthogonal:
https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg03042.html

Also available as a tag at this location:
git fetch git://repo.or.cz/qemu/ericb.git nbd-go-v4

Eric Blake (7):
  nbd: Create struct for tracking export info
  block: Add blk_get_opt_transfer()
  nbd: Expose and debug more NBD constants
  nbd: Implement NBD_OPT_GO on server
  nbd: Implement NBD_OPT_GO on client
  nbd: Implement NBD_INFO_BLOCK_SIZE on server
  nbd: Implement NBD_INFO_BLOCK_SIZE on client

Vladimir Sementsov-Ogievskiy (1):
  nbd/client: fix drop_sync [CVE-2017-2630]

 block/nbd-client.h |   3 +-
 include/block/nbd.h|  55 ++--
 include/sysemu/block-backend.h |   1 +
 nbd/nbd-internal.h |  12 +-
 block/block-backend.c  |  12 ++
 block/nbd-client.c |  22 +--
 block/nbd.c|  16 ++-
 nbd/client.c   | 299 ++---
 nbd/common.c   |  69 ++
 nbd/server.c   | 264 +---
 qemu-nbd.c |  10 +-
 11 files changed, 656 insertions(+), 107 deletions(-)

-- 
2.9.3




Re: [Qemu-devel] [PATCH 1/3] net/colo: fix memory double free error

2017-02-20 Thread Zhang Chen



On 02/20/2017 04:01 PM, zhanghailiang wrote:

The 'primary_list' and 'secondary_list' members of struct Connection
are not allocated dynamically through g_queue_new(), but we free them by using
g_queue_free(), which will lead to a double-free bug.

Signed-off-by: zhanghailiang 
---
  net/colo.c | 2 --
  1 file changed, 2 deletions(-)

diff --git a/net/colo.c b/net/colo.c
index 6a6eacd..7d5c423 100644
--- a/net/colo.c
+++ b/net/colo.c
@@ -147,9 +147,7 @@ void connection_destroy(void *opaque)
  Connection *conn = opaque;
  
  g_queue_foreach(>primary_list, packet_destroy, NULL);

-g_queue_free(>primary_list);
  g_queue_foreach(>secondary_list, packet_destroy, NULL);
-g_queue_free(>secondary_list);
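Review bot: dropping g_queue_free() removes the double free, but g_queue_foreach() with packet_destroy only frees each packet's data; the GList nodes the embedded queues own are left allocated and then lost when the Connection is g_slice_free'd. Add `g_queue_clear(&conn->primary_list);` (and the same for secondary_list) after each foreach so the nodes are released without freeing the embedded GQueue struct itself.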


I think we need to use g_queue_clear() here.

void
g_queue_clear (GQueue *queue);
Removes all the elements in queue . If queue elements contain 
dynamically-allocated memory, they should be freed first.


Thanks
Zhang Chen


  g_slice_free(Connection, conn);
  }
  


--
Thanks
Zhang Chen






Re: [Qemu-devel] [PATCH Risu v2 7/9] Add PPC64 in risu build system

2017-02-20 Thread joserz
On Sat, Feb 18, 2017 at 10:41:41PM +, Peter Maydell wrote:
> On 6 November 2016 at 17:15, Jose Ricardo Ziviani
>  wrote:
> > Recognizes PPC64 as a valid architecture and setup the environment
> > variables to compile code for that.
> >
> > Signed-off-by: Jose Ricardo Ziviani 
> > ---
> >  configure | 8 +++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/configure b/configure
> > index 748b48a..f81bdb5 100755
> > --- a/configure
> > +++ b/configure
> > @@ -22,6 +22,12 @@ guess_arch() {
> >  ARCH="arm"
> >  elif check_define __aarch64__ ; then
> >  ARCH="aarch64"
> > +elif check_define __powerpc64__ ; then
> > +if check_define __BIG_ENDIAN__; then
> > +ARCH="ppc64"
> > +else
> > +ARCH="ppc64le"
> > +fi
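Review bot: the big-endian branch sets ARCH="ppc64" but, as the reply below notes, there is no risu_ppc64.c for the build to pick up, so a BE host now fails to build where it previously fell through to an unsupported-architecture error. Either keep only the ppc64le branch until BE sources exist, or add the `__BIG_ENDIAN__` check together with the file that makes it work.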
> 
> Does the BE ppc64 risu build work for you? I tried
> installing the cross-compiler, but the build fails
> because there's no risu_ppc64.c. (ppc64le works fine.)
> If we don't support the big-endian variant yet maybe
> we should drop it from the configure file.

I want it to work too, but I focused the efforts on LE only and never tested
it at all. I have a small patchset to send to you. I'll make an effort to fix BE
as well; it's worth it.

Thanks Peter!

> 
> thanks
> -- PMM
> 




[Qemu-devel] [Bug 1653384] Re: Assertion failed with USB pass through with XHCI controller

2017-02-20 Thread Bug Watch Updater
** Changed in: qemu (Debian)
   Status: Unknown => Confirmed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1653384

Title:
  Assertion failed with USB pass through with XHCI controller

Status in QEMU:
  Fix Committed
Status in qemu package in Debian:
  Confirmed

Bug description:
  Starting qemu 2.8.0 with XHCI controller and host device passed
  through results in an assertion failure:

  qemu-system-x86_64: hw/usb/core.c:623: usb_packet_cleanup: Assertion
  `!usb_packet_is_inflight(p)' failed.

  Can be reproduced with the following command (passing through a Lenovo
  keyboard):

  qemu-system-x86_64 -usb -device nec-usb-xhci,id=usb -device usb-host,vendorid=0x04b3,productid=0x3025,id=hostdev0,bus=usb.0,port=1

  If nec-usb-xhci is changed to usb-ehci, qemu tries to boot without
  assertion failures.

  
  Can be reproduced with the latest master (commit dbe2b65) and v2.8.0.

  Bisected the issue to following commit:
  first bad commit: [94b037f2a451b3dc855f9f2c346e5049a361bd55] xhci: use linked list for transfers

  
  Backtrace from commit dbe2b65:

  #0  0x7f2eb4657227 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:55
  resultvar = 0
  pid = 3453
  selftid = 3453
  #1  0x7f2eb465867a in __GI_abort () at abort.c:89
  save_stage = 2
  act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, 
sa_mask = {__val = {140734740550528, 93876690035339, 
140734740550624, 48833659808, 0, 0, 0, 21474836480, 
140734740550792, 139838573009553, 140734740550560, 139838573043008, 
139838573024160, 9387665872, 139838702616576, 
139838573024160}}, sa_flags = 1528954938, 
sa_restorer = 0x55615b2202c0 <__PRETTY_FUNCTION__.38612>}
  sigs = {__val = {32, 0 }}
  #2  0x7f2eb46502cd in __assert_fail_base (fmt=0x7f2eb47893a0 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", 
  assertion=assertion@entry=0x55615b22003a "!usb_packet_is_inflight(p)", 
file=file@entry=0x55615b21fdf0 "hw/usb/core.c", line=line@entry=619, 
  function=function@entry=0x55615b2202c0 <__PRETTY_FUNCTION__.38612> 
"usb_packet_cleanup") at assert.c:92
  str = 0x55615cfdf510 ""
  total = 4096
  #3  0x7f2eb4650382 in __GI___assert_fail (assertion=0x55615b22003a 
"!usb_packet_is_inflight(p)", file=0x55615b21fdf0 "hw/usb/core.c", 
  line=619, function=0x55615b2202c0 <__PRETTY_FUNCTION__.38612> 
"usb_packet_cleanup") at assert.c:101
  No locals.
  #4  0x55615afc385e in usb_packet_cleanup ()
  No symbol table info available.
  #5  0x55615afda555 in xhci_ep_free_xfer ()
  No symbol table info available.
  #6  0x55615afdc156 in xhci_kick_epctx ()
  No symbol table info available.
  #7  0x55615afda099 in xhci_ep_kick_timer ()
  No symbol table info available.
  #8  0x55615b08ceee in timerlist_run_timers ()
  No symbol table info available.
  #9  0x55615b08cf36 in qemu_clock_run_timers ()
  No symbol table info available.
  #10 0x55615b08d2df in qemu_clock_run_all_timers ()
  No symbol table info available.
  #11 0x55615b08be40 in main_loop_wait ()
  No symbol table info available.
  #12 0x55615ae3870f in main_loop ()
  No symbol table info available.
  #13 0x55615ae4027b in main ()

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1653384/+subscriptions



[Qemu-devel] why does it hit this error after putting windows-virtio-drivers into win7x64ultimate.iso using WAIK, when booting from the iso?

2017-02-20 Thread xiucai
Hi,

BTW, I have also posted the question at 
http://stackoverflow.com/questions/42336175/why-meet-this-winload-exe-error-after-put-virtio-dirver-into-win7x64ultimate-iso.

My aim is to build the windows-virtio-drivers into win7x64ultimate.iso, so it can 
be used directly on qemu-kvm with the virtio bus, especially for block devices and 
network interfaces.


But it hits this error when booting from the modified iso.



Here is my makeiso.win7x64.ps1:
# TODO: simplify logics
# By Bob
# define variables
$WAIKPEToolsPath="C:\Program Files\Windows AIK\Tools\PETools"
$WIMInstallPath="C:\simple\install.wim"
$WIMBootPath="C:\simple\boot.wim"
$WindowsVirtIODriversPath="C:\simple\windows-virtio-drivers"
$ImageInstallMountPath="C:\simple\mnt\install"
$ImageBootMountPath="C:\simple\mnt\boot"
cd $WAIKPEToolsPath
pwd
# then modify install.wim
dism /get-wiminfo /wimfile:$WIMInstallPath
# TODO: get $n from this output
$n=4
while($n -ne 0) {
    $newdir=$ImageInstallMountPath+$n
    mkdir $newdir
    dism /mount-wim /wimfile:$WIMInstallPath /index:$n /mountdir:$newdir
    dism /image:$newdir /get-drivers
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\Balloon\w7\amd64\balloon.inf
    <#
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\NetKVM\w7\amd64\netkvm.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\pvpanic\w7\amd64\pvpanic.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\qemupciserial\qemupciserial.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\qxl\w7\amd64\qxl.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\vioinput\w7\amd64\vioinput.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\viorng\w7\amd64\viorng.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\vioscsi\w7\amd64\vioscsi.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\vioserial\w7\amd64\vioser.inf
    #>
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\viostor\w7\amd64\viostor.inf
    dism /image:$newdir /get-drivers
    dism /unmount-wim /mountdir:$newdir /commit
    # rmdir $newdir -Recurse -Force -Confirm:$false
    $n--
}
# then modify boot.wim
dism /get-wiminfo /wimfile:$WIMBootPath
# TODO: get $n from this output
$n=2
while($n -ne 0) {
    $newdir=$ImageBootMountPath+$n
    mkdir $newdir
    dism /mount-wim /wimfile:$WIMBootPath /index:$n /mountdir:$newdir
    dism /image:$newdir /get-drivers
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\Balloon\w7\amd64\balloon.inf
    <#
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\NetKVM\w7\amd64\netkvm.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\pvpanic\w7\amd64\pvpanic.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\qemupciserial\qemupciserial.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\qxl\w7\amd64\qxl.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\vioinput\w7\amd64\vioinput.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\viorng\w7\amd64\viorng.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\vioscsi\w7\amd64\vioscsi.inf
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\vioserial\w7\amd64\vioser.inf
    #>
    dism /image:$newdir /add-driver /driver:$WindowsVirtIODriversPath\viostor\w7\amd64\viostor.inf
    dism /image:$newdir /get-drivers
    dism /unmount-wim /mountdir:$newdir /commit
    # rmdir $newdir -Recurse -Force -Confirm:$false
    $n--
}
# end






Regards!
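
The same driver-injection procedure as an added worked example (my own code, not from the post above or from the virtio-win project): it reads the image indexes from "dism /Get-WimInfo" instead of hard-coding $n, and it aborts and discards the mount when any dism step fails, so a half-serviced image is never committed back into the WIM. Paths mirror the post's layout; dism.exe being on PATH and the driver .inf locations are assumptions.

```powershell
# Added example, not from the original post or the virtio-win project.
# Same job as makeiso.win7x64.ps1 (inject virtio drivers into each image of a
# WIM with dism.exe), with two changes: the image indexes are read from
# "dism /Get-WimInfo" instead of hard-coding $n, and a mount whose servicing
# step fails is unmounted with /Discard instead of being committed half-done.
# Paths follow the post's layout; the dism.exe location is an assumption.

$Dism       = "dism.exe"                            # assumption: on PATH
$WimFile    = "C:\simple\install.wim"
$MountRoot  = "C:\simple\mnt\install"
$DriverRoot = "C:\simple\windows-virtio-drivers"
$Drivers    = @(
    "$DriverRoot\viostor\w7\amd64\viostor.inf",     # virtio-blk, needed to boot
    "$DriverRoot\NetKVM\w7\amd64\netkvm.inf"        # virtio-net
)

function Invoke-Dism([string[]]$DismArgs) {
    # Run dism.exe and turn a non-zero exit code into a terminating error,
    # so a failed /Add-Driver is never followed by /Commit.
    & $Dism @DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($DismArgs -join ' ') exited with $LASTEXITCODE"
    }
}

function Get-WimIndexes([string]$Wim) {
    # /Get-WimInfo prints one "Index : N" line per image in the WIM.
    $lines = & $Dism /Get-WimInfo /WimFile:$Wim
    if ($LASTEXITCODE -ne 0) { throw "Get-WimInfo failed with $LASTEXITCODE" }
    foreach ($line in $lines) {
        if ($line -match '^\s*Index\s*:\s*(\d+)\s*$') { [int]$Matches[1] }
    }
}

foreach ($index in Get-WimIndexes $WimFile) {
    $mount = Join-Path $MountRoot "$index"
    New-Item -ItemType Directory -Force -Path $mount | Out-Null
    Invoke-Dism @("/Mount-Wim", "/WimFile:$WimFile", "/Index:$index", "/MountDir:$mount")
    try {
        foreach ($inf in $Drivers) {
            # Deliberately no /ForceUnsigned: 64-bit Windows 7 enforces
            # kernel-mode code signing, so an unsigned driver that dism
            # accepted would still be refused when the image boots.
            Invoke-Dism @("/Image:$mount", "/Add-Driver", "/Driver:$inf")
        }
        Invoke-Dism @("/Image:$mount", "/Get-Drivers")
        Invoke-Dism @("/Unmount-Wim", "/MountDir:$mount", "/Commit")
    } catch {
        Write-Warning "image index ${index}: $_ ; discarding the mount"
        & $Dism /Unmount-Wim /MountDir:$mount /Discard | Out-Null
        throw
    }
}
```

Run it from an elevated PowerShell session, since dism.exe needs administrator rights to mount a WIM; the same loop services boot.wim by pointing $WimFile and $MountRoot at the boot image paths from the post.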

Re: [Qemu-devel] [PATCH v8 4/8] ACPI: Add Virtual Machine Generation ID support

2017-02-20 Thread Michael S. Tsirkin
On Mon, Feb 20, 2017 at 09:55:40PM +0100, Laszlo Ersek wrote:
> On 02/20/17 21:45, Eric Blake wrote:
> > On 02/20/2017 02:19 PM, Dr. David Alan Gilbert wrote:
> >> * Eric Blake (ebl...@redhat.com) wrote:
> >>> On 02/20/2017 04:23 AM, Dr. David Alan Gilbert wrote:
> >>>> * Laszlo Ersek (ler...@redhat.com) wrote:
> >>>>> CC Dave
> >>>>
> >>>> This isn't an area I really understand; but if I'm
> >>>> reading this right then
> >>>>   vmgenid is stored in fw_cfg?
> >>>>   fw_cfg isn't migrated
> >>>>
> >>>> So why should any changes to it get migrated, except if it's already
> >>>> been read by the guest (and if the guest reads it again afterwards what's
> >>>> it expected to read?)
> >>>
> >>> Why are we expecting it to change on migration?  You want a new value
> >>
> >> I'm not; I was asking why a change made prior to migration would be
> >> preserved across migration.
> > 
> > Okay, so you're asking what happens if the source requests the vmgenid
> > device, and sets an id, but the destination of the migration does not
> > request anything
> 
> This should never happen, as it means different QEMU command lines on
> source vs. target hosts. (Different as in "incorrectly different".)
> 
> Dave writes, "a change made prior to migration". Change made to what?
> 
> - the GUID cannot be changed via the monitor once QEMU has been started.
> We dropped the monitor command for that, due to lack of a good use case,
> and due to lifecycle complexities. We have figured out a way to make it
> safe, but until there's a really convincing use case, we shouldn't add
> that complexity.

True but we might in the future, and it seems prudent to make
migration stream future-proof for that.

> - the address of the GUID is changed (the firmware programs it from
> "zero" to an actual address, in a writeable fw_cfg file), and that piece
> of info is explicitly migrated, as part of the vmgenid device's vmsd.
> 
> Thanks
> Laszlo
> 
> 
> > - how does the guest on the destination see the same id
> > as was in place on the source at the time migration started.
> > 
> >>
> >>
> >>> when you load state from disk (you don't know how many times the same
> >>> state has been loaded previously, so each load is effectively forking
> >>> the VM and you want a different value), but for a single live migration,
> >>> you aren't forking the VM and don't need a new generation ID.
> >>>
> >>> I guess it all boils down to what command line you're using: if libvirt
> >>> is driving a live migration, it will request the same UUID in the
> >>> command line of the destination as what is on the source; while if
> >>> libvirt is loading from a [managed]save to restore state from a file, it
> >>> will either request a new UUID directly or request auto to let qemu
> >>> generate the new id.
> >>
> >> Hmm now I've lost it a bit; I thought we would preserve the value
> >> transmitted from the source, not the value on the command line of the 
> >> destination.
> > 
> > I guess I'm trying to figure out whether libvirt MUST read the current
> > id and explicitly tell the destination of migration to reuse that id, or
> > if libvirt can omit the id on migration and everything just works
> > because the id was migrated from the source.
> > 



[Qemu-devel] [Bug 1653384] Re: Assertion failed with USB pass through with XHCI controller

2017-02-20 Thread Alistair Phipps
** Bug watch added: Debian Bug tracker #855659
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855659

** Also affects: qemu (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855659
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1653384

Title:
  Assertion failed with USB pass through with XHCI controller

Status in QEMU:
  Fix Committed
Status in qemu package in Debian:
  Unknown

Bug description:
  Starting qemu 2.8.0 with XHCI controller and host device passed
  through results in an assertion failure:

  qemu-system-x86_64: hw/usb/core.c:623: usb_packet_cleanup: Assertion
  `!usb_packet_is_inflight(p)' failed.

  Can be reproduced with the following command (passing through a Lenovo
  keyboard):

  qemu-system-x86_64 -usb  -device nec-usb-xhci,id=usb -device usb-
  host,vendorid=0x04b3,productid=0x3025,id=hostdev0,bus=usb.0,port=1

  If nec-usb-xhci is changed to usb-ehci, qemu tries to boot without
  assertion failures.

  
  Can be reproduced with the latest master (commit dbe2b65) and v2.8.0.

  Bisected the issue to following commit:
  first bad commit: [94b037f2a451b3dc855f9f2c346e5049a361bd55] xhci: use linked 
list for transfers

  
  Backtrace from commit dbe2b65:

  #0  0x7f2eb4657227 in __GI_raise (sig=sig@entry=6) at 
../sysdeps/unix/sysv/linux/raise.c:55
  resultvar = 0
  pid = 3453
  selftid = 3453
  #1  0x7f2eb465867a in __GI_abort () at abort.c:89
  save_stage = 2
  act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, 
sa_mask = {__val = {140734740550528, 93876690035339, 
140734740550624, 48833659808, 0, 0, 0, 21474836480, 
140734740550792, 139838573009553, 140734740550560, 139838573043008, 
139838573024160, 9387665872, 139838702616576, 
139838573024160}}, sa_flags = 1528954938, 
sa_restorer = 0x55615b2202c0 <__PRETTY_FUNCTION__.38612>}
  sigs = {__val = {32, 0 }}
  #2  0x7f2eb46502cd in __assert_fail_base (fmt=0x7f2eb47893a0 "%s%s%s:%u: 
%s%sAssertion `%s' failed.\n%n", 
  assertion=assertion@entry=0x55615b22003a "!usb_packet_is_inflight(p)", 
file=file@entry=0x55615b21fdf0 "hw/usb/core.c", line=line@entry=619, 
  function=function@entry=0x55615b2202c0 <__PRETTY_FUNCTION__.38612> 
"usb_packet_cleanup") at assert.c:92
  str = 0x55615cfdf510 ""
  total = 4096
  #3  0x7f2eb4650382 in __GI___assert_fail (assertion=0x55615b22003a 
"!usb_packet_is_inflight(p)", file=0x55615b21fdf0 "hw/usb/core.c", 
  line=619, function=0x55615b2202c0 <__PRETTY_FUNCTION__.38612> 
"usb_packet_cleanup") at assert.c:101
  No locals.
  #4  0x55615afc385e in usb_packet_cleanup ()
  No symbol table info available.
  #5  0x55615afda555 in xhci_ep_free_xfer ()
  No symbol table info available.
  #6  0x55615afdc156 in xhci_kick_epctx ()
  No symbol table info available.
  #7  0x55615afda099 in xhci_ep_kick_timer ()
  No symbol table info available.
  #8  0x55615b08ceee in timerlist_run_timers ()
  No symbol table info available.
  #9  0x55615b08cf36 in qemu_clock_run_timers ()
  No symbol table info available.
  #10 0x55615b08d2df in qemu_clock_run_all_timers ()
  No symbol table info available.
  #11 0x55615b08be40 in main_loop_wait ()
  No symbol table info available.
  #12 0x55615ae3870f in main_loop ()
  No symbol table info available.
  #13 0x55615ae4027b in main ()

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1653384/+subscriptions



Re: [Qemu-devel] [PATCH] mttcg: Set jmp_env to handle exit from tb_gen_code

2017-02-20 Thread Alex Bennée

Pranith Kumar  writes:

> Alex Bennée writes:
>
>> Pranith Kumar  writes:
>>
>>> tb_gen_code() can exit execution using cpu_exit_loop() when it cannot
>>> allocate new tb's. To handle this, we need to properly set the jmp_env
>>> pointer ahead of calling tb_gen_code().
>>>
> >>> CC: Alex Bennée 
>>> CC: Richard Henderson 
>>> Signed-off-by: Pranith Kumar 
>>> ---
>>>  cpu-exec.c | 23 +++
>>>  1 file changed, 11 insertions(+), 12 deletions(-)
>>>
>>> diff --git a/cpu-exec.c b/cpu-exec.c
>>> index 97d79612d9..4b70988b24 100644
>>> --- a/cpu-exec.c
>>> +++ b/cpu-exec.c
>>> @@ -236,23 +236,22 @@ static void cpu_exec_step(CPUState *cpu)
>>>
>>>  cpu_get_tb_cpu_state(env, , _base, );
>>>  tb_lock();
>>> -tb = tb_gen_code(cpu, pc, cs_base, flags,
>>> - 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
>>> -tb->orig_tb = NULL;
>>> -tb_unlock();
>>> -
>>> -cc->cpu_exec_enter(cpu);
>>> -
>>
>> It occurs to me we are also diverging in our locking pattern from
>> tb_find which takes mmap_lock first. This is a NOP for system emulation
>> but needed for user-emulation (for which we can do cpu_exec_step but not
>> cpu_exec_nocache).
>
> Right. So we have to take the mmap_lock() before calling
> tb_gen_code(). However, this lock is released in the error path before calling
> cpu_loop_exit() if allocation of a new tb fails. The following is what I have
> after merging with the previous EXCP_ATOMIC handling patch.

Hmm, we are in a start/end_exclusive() though, so what could we be racing
against that also wants the mmap_lock()? Could it be held by anything at
this point, as every user needs to be woken up?

>
> diff --git a/cpu-exec.c b/cpu-exec.c
> index a8e04bffbf..2bb3ba3672 100644
> --- a/cpu-exec.c
> +++ b/cpu-exec.c
> @@ -228,6 +228,7 @@ static void cpu_exec_nocache(CPUState *cpu, int 
> max_cycles,
>
>  static void cpu_exec_step(CPUState *cpu)
>  {
> +CPUClass *cc = CPU_GET_CLASS(cpu);
>  CPUArchState *env = (CPUArchState *)cpu->env_ptr;
>  TranslationBlock *tb;
>  target_ulong cs_base, pc;
> @@ -235,16 +236,24 @@ static void cpu_exec_step(CPUState *cpu)
>
>  cpu_get_tb_cpu_state(env, , _base, );
>  tb_lock();
> -tb = tb_gen_code(cpu, pc, cs_base, flags,
> - 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
> -tb->orig_tb = NULL;
> -tb_unlock();
> -/* execute the generated code */
> -trace_exec_tb_nocache(tb, pc);
> -cpu_tb_exec(cpu, tb);
> -tb_lock();
> -tb_phys_invalidate(tb, -1);
> -tb_free(tb);
> +if (sigsetjmp(cpu->jmp_env, 0) == 0) {
> +mmap_lock();
> +tb = tb_gen_code(cpu, pc, cs_base, flags,
> + 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
> +tb->orig_tb = NULL;
> +mmap_unlock();
> +tb_unlock();
> +
> +cc->cpu_exec_enter(cpu);
> +/* execute the generated code */
> +trace_exec_tb_nocache(tb, pc);
> +cpu_tb_exec(cpu, tb);
> +cc->cpu_exec_exit(cpu);
> +
> +tb_lock();
> +tb_phys_invalidate(tb, -1);
> +tb_free(tb);
> +}
>  tb_unlock();
>  }
>
> diff --git a/cpus.c b/cpus.c
> index 77bba08f9a..b39408b4b1 100644
> --- a/cpus.c
> +++ b/cpus.c
> @@ -1347,6 +1347,11 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg)
>  if (r == EXCP_DEBUG) {
>  cpu_handle_guest_debug(cpu);
>  break;
> +} else if (r == EXCP_ATOMIC) {
> +qemu_mutex_unlock_iothread();
> +cpu_exec_step_atomic(cpu);
> +qemu_mutex_lock_iothread();
> +break;
>  }
>  } else if (cpu->stop) {
>  if (cpu->unplug) {
> @@ -1457,6 +1462,10 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
>   */
>  g_assert(cpu->halted);
>  break;
> +case EXCP_ATOMIC:
> +qemu_mutex_unlock_iothread();
> +cpu_exec_step_atomic(cpu);
> +qemu_mutex_lock_iothread();
>  default:
>  /* Ignore everything else? */
>  break;


--
Alex Bennée



[Qemu-devel] [PATCH V2] migration: expose qemu_announce_self() via qmp

2017-02-20 Thread Germano Veit Michel
qemu_announce_self() is triggered by qemu at the end of migrations
to update the network regarding the path to the guest l2addr.

However, it is also useful when there is a network change such as
an active bond slave swap. Essentially, it's the same as a migration
from a network perspective - the guest moves to a different point
in the network topology.

This exposes the function via QMP.

Signed-off-by: Germano Veit Michel 
---
 include/migration/vmstate.h |  5 +
 migration/savevm.c  | 30 +++---
 qapi-schema.json| 18 ++
 3 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 63e7b02..a08715c 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -1042,6 +1042,11 @@ int64_t self_announce_delay(int round)
 return 50 + (SELF_ANNOUNCE_ROUNDS - round - 1) * 100;
 }

+struct AnnounceRound {
+QEMUTimer *timer;
+int count;
+};
+
 void dump_vmstate_json_to_file(FILE *out_fp);

 #endif
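
Review bot: struct AnnounceRound is only ever touched by qemu_announce_self() and qemu_announce_self_once() in migration/savevm.c, so it does not belong in the public include/migration/vmstate.h; define it next to its users in savevm.c, as a typedef in the usual CamelCase style, and keep this header untouched.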
diff --git a/migration/savevm.c b/migration/savevm.c
index 5ecd264..44e196b 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -118,29 +118,37 @@ static void qemu_announce_self_iter(NICState
*nic, void *opaque)
 qemu_send_packet_raw(qemu_get_queue(nic), buf, len);
 }

-
 static void qemu_announce_self_once(void *opaque)
 {
-static int count = SELF_ANNOUNCE_ROUNDS;
-QEMUTimer *timer = *(QEMUTimer **)opaque;
+struct AnnounceRound *round = opaque;

 qemu_foreach_nic(qemu_announce_self_iter, NULL);

-if (--count) {
+round->count--;
+if (round->count) {
 /* delay 50ms, 150ms, 250ms, ... */
-timer_mod(timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
-  self_announce_delay(count));
+timer_mod(round->timer, qemu_clock_get_ms(QEMU_CLOCK_REALTIME) +
+  self_announce_delay(round->count));
 } else {
-timer_del(timer);
-timer_free(timer);
+timer_del(round->timer);
+timer_free(round->timer);
+g_free(round);
 }
 }

 void qemu_announce_self(void)
 {
-static QEMUTimer *timer;
-timer = timer_new_ms(QEMU_CLOCK_REALTIME, qemu_announce_self_once, );
-qemu_announce_self_once();
+struct AnnounceRound *round = g_malloc(sizeof(struct AnnounceRound));
+if (!round)
+return;
+round->count = SELF_ANNOUNCE_ROUNDS;
+round->timer = timer_new_ms(QEMU_CLOCK_REALTIME,
qemu_announce_self_once, round);
+qemu_announce_self_once(round);
+}
+
+void qmp_announce_self(Error **errp)
+{
+qemu_announce_self();
 }

 /***/
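
Review bot: the `if (!round) return;` after g_malloc() in qemu_announce_self() is dead code, and it also lacks the braces QEMU's coding style requires: g_malloc() aborts on allocation failure and never returns NULL, so drop the check (g_new0(struct AnnounceRound, 1) would give you a zeroed struct in one call). Separately, the mail client has re-wrapped this hunk, at the header line ending in `*nic, void *opaque)` and at the timer_new_ms() call split before `qemu_announce_self_once, round);`, so the patch as posted will not apply with git am; please resend with line wrapping disabled.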
diff --git a/qapi-schema.json b/qapi-schema.json
index baa0d26..0d9bffd 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -6080,3 +6080,21 @@
 #
 ##
 { 'command': 'query-hotpluggable-cpus', 'returns': ['HotpluggableCPU'] }
+
+##
+# @announce-self:
+#
+# Trigger generation of broadcast RARP frames to update network switches.
+# This can be useful when network bonds fail-over the active slave.
+#
+# Arguments: None.
+#
+# Example:
+#
+# -> { "execute": "announce-self" }
+# <- { "return": {} }
+#
+# Since: 2.9
+##
+{ 'command': 'announce-self' }
+
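
Review bot: the final `+` line adds a trailing blank line at the end of qapi-schema.json, which git flags as "new blank line at EOF"; drop it. The `# Arguments: None.` line is also unusual for this file, where commands without arguments simply omit any argument section, so consider removing it to match the surrounding entries.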
-- 
2.9.3



Re: [Qemu-devel] [PULL 0/8] target-mips queue

2017-02-20 Thread Yongbok Kim
Ok. I will fix the warning and isolate the file for mips64el only as it is
only used for that.

Regards,
Yongbok

On 20/02/2017 20:47, no-re...@patchew.org wrote:
> Hi,
> 
> This series failed build test on s390x host. Please find the details below.
> 
> Subject: [Qemu-devel] [PULL 0/8] target-mips queue
> Message-id: 1487622662-62984-1-git-send-email-yongbok@imgtec.com
> Type: series
> 
> === TEST SCRIPT BEGIN ===
> #!/bin/bash
> # Testing script will be invoked under the git checkout with
> # HEAD pointing to a commit that has the patches applied on top of "base"
> # branch
> set -e
> echo "=== ENV ==="
> env
> echo "=== PACKAGES ==="
> rpm -qa
> echo "=== TEST BEGIN ==="
> CC=$HOME/bin/cc
> INSTALL=$PWD/install
> BUILD=/var/tmp/patchew-qemu-build
> echo -n "Using CC: "
> realpath $CC
> test -e $BUILD && rm -rf $BUILD
> mkdir -p $BUILD $INSTALL
> SRC=$PWD
> cd $BUILD
> $SRC/configure --cc=$CC --prefix=$INSTALL
> make -j4
> make check -j4
> make install
> === TEST SCRIPT END ===
> 
> Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
> From https://github.com/patchew-project/qemu
>  - [tag update]  
> patchew/1487067971-10443-1-git-send-email-arm...@redhat.com -> 
> patchew/1487067971-10443-1-git-send-email-arm...@redhat.com
>  - [tag update]  
> patchew/1487585521-19445-1-git-send-email-nik...@linux.vnet.ibm.com -> 
> patchew/1487585521-19445-1-git-send-email-nik...@linux.vnet.ibm.com
>  - [tag update]  patchew/1487614915-18710-1-git-send-email-...@openvz.org 
> -> patchew/1487614915-18710-1-git-send-email-...@openvz.org
>  * [new tag] 
> patchew/1487622662-62984-1-git-send-email-yongbok@imgtec.com -> 
> patchew/1487622662-62984-1-git-send-email-yongbok@imgtec.com
>  - [tag update]  patchew/20170220165204.1980-1-stefa...@redhat.com -> 
> patchew/20170220165204.1980-1-stefa...@redhat.com
> Switched to a new branch 'test'
> 0645df1 hw/mips: MIPS Boston board support
> 04f5bec hw: xilinx-pcie: Add support for Xilinx AXI PCIe Controller
> 6c3d656 loader: Support Flattened Image Trees (FIT images)
> 9275ec8 dtc: Update requirement to v1.4.2
> aa8e11a target-mips: Provide function to test if a CPU supports an ISA
> 0ea1cba hw/mips_gic: Update pin state on mask changes
> e84e2ee hw/mips_gictimer: provide API for retrieving frequency
> 65bddf5 hw/mips_cmgcr: allow GCR base to be moved
> 
> === OUTPUT BEGIN ===
> === ENV ===
> XDG_SESSION_ID=28414
> SHELL=/bin/sh
> USER=fam
> PATCHEW=/home/fam/patchew/patchew-cli -s http://patchew.org --nodebug
> PATH=/usr/bin:/bin
> PWD=/var/tmp/patchew-tester-tmp-i2k78q7z/src
> LANG=en_US.UTF-8
> HOME=/home/fam
> SHLVL=2
> LOGNAME=fam
> DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1012/bus
> XDG_RUNTIME_DIR=/run/user/1012
> _=/usr/bin/env
> === PACKAGES ===
> gpg-pubkey-873529b8-54e386ff
> xz-libs-5.2.2-2.fc24.s390x
> libacl-2.2.52-11.fc24.s390x
> libxshmfence-1.2-3.fc24.s390x
> cdparanoia-libs-10.2-21.fc24.s390x
> ustr-1.0.4-21.fc24.s390x
> giflib-4.1.6-15.fc24.s390x
> libusb-0.1.5-7.fc24.s390x
> trousers-lib-0.3.13-6.fc24.s390x
> readline-devel-6.3-8.fc24.s390x
> python-srpm-macros-3-10.fc25.noarch
> ncurses-base-6.0-6.20160709.fc25.noarch
> gmp-6.1.1-1.fc25.s390x
> chkconfig-1.8-1.fc25.s390x
> libidn-1.33-1.fc25.s390x
> file-5.28-4.fc25.s390x
> slang-2.3.0-7.fc25.s390x
> avahi-libs-0.6.32-4.fc25.s390x
> libsemanage-2.5-8.fc25.s390x
> perl-Unicode-Normalize-1.25-365.fc25.s390x
> perl-libnet-3.10-1.fc25.noarch
> perl-Thread-Queue-3.11-1.fc25.noarch
> perl-podlators-4.09-1.fc25.noarch
> jasper-libs-1.900.13-1.fc25.s390x
> graphite2-1.3.6-1.fc25.s390x
> libblkid-2.28.2-1.fc25.s390x
> pkgconfig-0.29.1-1.fc25.s390x
> dbus-python-1.2.4-2.fc25.s390x
> alsa-lib-1.1.1-2.fc25.s390x
> libgnome-keyring-3.12.0-7.fc25.s390x
> yum-metadata-parser-1.1.4-17.fc25.s390x
> python3-3.5.2-4.fc25.s390x
> python3-slip-dbus-0.6.4-4.fc25.noarch
> python2-cssselect-0.9.2-1.fc25.noarch
> python-backports-1.0-8.fc25.s390x
> python-magic-5.28-4.fc25.noarch
> python-pycparser-2.14-7.fc25.noarch
> python-fedora-0.8.0-2.fc25.noarch
> createrepo_c-libs-0.10.0-6.fc25.s390x
> initscripts-9.69-1.fc25.s390x
> plymouth-scripts-0.9.3-0.6.20160620git0e65b86c.fc25.s390x
> cronie-1.5.1-2.fc25.s390x
> python2-librepo-1.7.18-3.fc25.s390x
> wget-1.18-2.fc25.s390x
> python3-dnf-plugins-core-0.1.21-4.fc25.noarch
> at-spi2-core-2.22.0-1.fc25.s390x
> libXv-1.0.11-1.fc25.s390x
> dhcp-client-4.3.5-1.fc25.s390x
> python2-dnf-plugins-core-0.1.21-4.fc25.noarch
> parted-3.2-21.fc25.s390x
> python2-ndg_httpsclient-0.4.0-4.fc25.noarch
> bash-completion-2.4-1.fc25.noarch
> btrfs-progs-4.6.1-1.fc25.s390x
> texinfo-6.1-3.fc25.s390x
> perl-Filter-1.55-366.fc25.s390x
> flex-2.6.0-3.fc25.s390x
> libgcc-6.3.1-1.fc25.s390x
> glib2-2.50.2-1.fc25.s390x
> dbus-libs-1.11.8-1.fc25.s390x
> libgomp-6.3.1-1.fc25.s390x
> colord-libs-1.3.4-1.fc25.s390x
> perl-Encode-2.88-5.fc25.s390x
> gstreamer1-1.10.2-1.fc25.s390x
> cracklib-2.9.6-4.fc25.s390x
> rpm-build-libs-4.13.0-6.fc25.s390x
> libobjc-6.3.1-1.fc25.s390x
> 

Re: [Qemu-devel] [PATCH] mttcg: Set jmp_env to handle exit from tb_gen_code

2017-02-20 Thread Pranith Kumar

Alex Bennée writes:

> Pranith Kumar  writes:
>
>> tb_gen_code() can exit execution using cpu_exit_loop() when it cannot
>> allocate new tb's. To handle this, we need to properly set the jmp_env
>> pointer ahead of calling tb_gen_code().
>>
>> CC: Alex Bennée 
>> CC: Richard Henderson 
>> Signed-off-by: Pranith Kumar 
>> ---
>>  cpu-exec.c | 23 +++
>>  1 file changed, 11 insertions(+), 12 deletions(-)
>>
>> diff --git a/cpu-exec.c b/cpu-exec.c
>> index 97d79612d9..4b70988b24 100644
>> --- a/cpu-exec.c
>> +++ b/cpu-exec.c
>> @@ -236,23 +236,22 @@ static void cpu_exec_step(CPUState *cpu)
>>
>>  cpu_get_tb_cpu_state(env, , _base, );
>>  tb_lock();
>> -tb = tb_gen_code(cpu, pc, cs_base, flags,
>> - 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
>> -tb->orig_tb = NULL;
>> -tb_unlock();
>> -
>> -cc->cpu_exec_enter(cpu);
>> -
>
> It occurs to me we are also diverging in our locking pattern from
> tb_find which takes mmap_lock first. This is a NOP for system emulation
> but needed for user-emulation (for which we can do cpu_exec_step but not
> cpu_exec_nocache).

Right. So we have to take the mmap_lock() before calling
tb_gen_code(). However, this lock is released in the error path before calling
cpu_loop_exit() if allocation of a new tb fails. The following is what I have
after merging with the previous EXCP_ATOMIC handling patch.

diff --git a/cpu-exec.c b/cpu-exec.c
index a8e04bffbf..2bb3ba3672 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -228,6 +228,7 @@ static void cpu_exec_nocache(CPUState *cpu, int max_cycles,
 
 static void cpu_exec_step(CPUState *cpu)
 {
+CPUClass *cc = CPU_GET_CLASS(cpu);
 CPUArchState *env = (CPUArchState *)cpu->env_ptr;
 TranslationBlock *tb;
 target_ulong cs_base, pc;
@@ -235,16 +236,24 @@ static void cpu_exec_step(CPUState *cpu)
 
 cpu_get_tb_cpu_state(env, , _base, );
 tb_lock();
-tb = tb_gen_code(cpu, pc, cs_base, flags,
- 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
-tb->orig_tb = NULL;
-tb_unlock();
-/* execute the generated code */
-trace_exec_tb_nocache(tb, pc);
-cpu_tb_exec(cpu, tb);
-tb_lock();
-tb_phys_invalidate(tb, -1);
-tb_free(tb);
+if (sigsetjmp(cpu->jmp_env, 0) == 0) {
+mmap_lock();
+tb = tb_gen_code(cpu, pc, cs_base, flags,
+ 1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
+tb->orig_tb = NULL;
+mmap_unlock();
+tb_unlock();
+
+cc->cpu_exec_enter(cpu);
+/* execute the generated code */
+trace_exec_tb_nocache(tb, pc);
+cpu_tb_exec(cpu, tb);
+cc->cpu_exec_exit(cpu);
+
+tb_lock();
+tb_phys_invalidate(tb, -1);
+tb_free(tb);
+}
 tb_unlock();
 }
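
Review bot: the sigsetjmp() guard in cpu_exec_step() now also wraps cpu_tb_exec(): if the generated code raises an exception and longjmps back through cpu->jmp_env, control resumes at the `if` with a non-zero value and skips cc->cpu_exec_exit(), tb_phys_invalidate() and tb_free(), so the CF_NOCACHE TB leaks and cpu_exec_enter/exit become unbalanced. Either narrow the guard to the tb_gen_code() call, or add a second block on the non-zero path that releases `tb` when it was allocated. The trailing tb_unlock() after the block also runs on the longjmp path; that is only correct if tb_gen_code() leaves tb_lock held when it bails out, which deserves a comment or a tb_lock_reset() instead of relying on it.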
 
diff --git a/cpus.c b/cpus.c
index 77bba08f9a..b39408b4b1 100644
--- a/cpus.c
+++ b/cpus.c
@@ -1347,6 +1347,11 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg)
 if (r == EXCP_DEBUG) {
 cpu_handle_guest_debug(cpu);
 break;
+} else if (r == EXCP_ATOMIC) {
+qemu_mutex_unlock_iothread();
+cpu_exec_step_atomic(cpu);
+qemu_mutex_lock_iothread();
+break;
 }
 } else if (cpu->stop) {
 if (cpu->unplug) {
@@ -1457,6 +1462,10 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
  */
 g_assert(cpu->halted);
 break;
+case EXCP_ATOMIC:
+qemu_mutex_unlock_iothread();
+cpu_exec_step_atomic(cpu);
+qemu_mutex_lock_iothread();
 default:
 /* Ignore everything else? */
 break;
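
Review bot: `case EXCP_ATOMIC:` falls through into `default:` after qemu_mutex_lock_iothread(); it only behaves because default: is a bare break. Add an explicit `break;` at the end of the new case so it does not silently pick up whatever is put into default: later.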


--
Pranith



Re: [Qemu-devel] [PATCH 2/3] qapi: flatten GuestPanicInformation union

2017-02-20 Thread Denis V. Lunev
On 02/20/2017 08:48 PM, Eric Blake wrote:
> On 02/20/2017 12:21 PM, Denis V. Lunev wrote:
>> From: Anton Nefedov 
>>
>> Signed-off-by: Anton Nefedov 
>> Signed-off-by: Denis V. Lunev 
>> CC: Paolo Bonzini 
>> CC: Eric Blake 
>> ---
>>  qapi-schema.json  | 12 
>>  target/i386/cpu.c | 15 ++-
>>  vl.c  | 12 ++--
>>  3 files changed, 24 insertions(+), 15 deletions(-)
>>
>> diff --git a/qapi-schema.json b/qapi-schema.json
>> index e9a6364..b142e15 100644
>> --- a/qapi-schema.json
>> +++ b/qapi-schema.json
>> @@ -5872,6 +5872,16 @@
>>'data': [ 'pause', 'poweroff' ] }
>>  
>>  ##
>> +# @GuestPanicInformationType:
>> +#
>> +# An enumeration of the guest panic information types
>> +#
>> +# Since: 2.9
>> +##
>> +{ 'enum': 'GuestPanicInformationType',
>> +  'data': [ 'hyper-v'] }
> Perhaps 'hyperv' is better? It's the difference between
> GUEST_PANIC_INFORMATION_TYPE_HYPER_V and
> GUEST_PANIC_INFORMATION_TYPE_HYPERV. But that's bikeshedding, so no need
> to change it.
>
> Must go into 2.9, so we aren't baking in bad API.
>
> Reviewed-by: Eric Blake 
>
We can use plain 'hv', like all command line options controlling
HyperV features.

Roman, Evgeniy, do you have any opinion on that?

Den



Re: [Qemu-devel] [Resend RFC PATCH 1/4] VFIO: Set eventfd for IOMMU fault event via new vfio cmd

2017-02-20 Thread Alex Williamson
On Mon, 20 Feb 2017 09:28:04 +0800
Lan Tianyu  wrote:

> This patch is to assign an event fd to VFIO IOMMU type1 driver
> in order to get notification when IOMMU driver reports fault event.
> 
> Signed-off-by: Lan Tianyu 
> ---
>  hw/vfio/common.c  | 37 +
>  include/hw/vfio/vfio-common.h |  3 +++
>  linux-headers/linux/vfio.h| 13 +
>  3 files changed, 53 insertions(+)
> 
> diff --git a/hw/vfio/common.c b/hw/vfio/common.c
> index 6b33b9f..628b424 100644
> --- a/hw/vfio/common.c
> +++ b/hw/vfio/common.c
> @@ -33,6 +33,7 @@
>  #include "qemu/error-report.h"
>  #include "qemu/range.h"
>  #include "sysemu/kvm.h"
> +#include "sysemu/sysemu.h"
>  #include "trace.h"
>  #include "qapi/error.h"
>  
> @@ -294,6 +295,34 @@ static bool 
> vfio_listener_skipped_section(MemoryRegionSection *section)
> section->offset_within_address_space & (1ULL << 63);
>  }
>  
> +static void vfio_iommu_fault(void *opaque)
> +{
> +}
> +
> +static int vfio_set_iommu_fault_notifier(struct VFIOContainer *container)
> +{
> +struct vfio_iommu_type1_set_fault_eventfd eventfd;
> +int ret;
> +
> +ret = event_notifier_init(>fault_notifier, 0);
> +if (ret < 0) {
> +error_report("vfio: Failed to init notifier for IOMMU fault event");
> +return ret;
> +}
> +
> +eventfd.fd = event_notifier_get_fd(>fault_notifier);
> +eventfd.argsz = sizeof(eventfd);
> +
> +ret = ioctl(container->fd, VFIO_IOMMU_SET_FAULT_EVENTFD, );
> +if (ret < 0) {
> +error_report("vfio: Failed to set notifier for IOMMU fault event");
> +return ret;
> +}
> +
> +qemu_set_fd_handler(eventfd.fd, vfio_iommu_fault, NULL, container);
> +return 0;
> +}
> +
>  /* Called with rcu_read_lock held.  */
>  static bool vfio_get_vaddr(IOMMUTLBEntry *iotlb, void **vaddr,
> bool *read_only)
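
Review bot: vfio_set_iommu_fault_notifier() leaks the EventNotifier when the ioctl fails: event_notifier_init() has already succeeded a few lines up, so the error path needs event_notifier_cleanup(&container->fault_notifier) before returning. In the same function, `eventfd.flags` is never initialised (only .fd and .argsz are set on the stack struct), so whatever the kernel does with a non-zero flags value will happen at random; zero the struct first. And vfio_iommu_fault() is empty: nothing ever reads the eventfd, so once the kernel signals it the fd stays readable and the main loop will call the handler back-to-back; at minimum it needs event_notifier_test_and_clear() on the notifier.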
> @@ -1103,6 +1132,14 @@ static int vfio_connect_container(VFIOGroup *group, 
> AddressSpace *as,
>  goto listener_release_exit;
>  }
>  
> +if (memory_region_is_iommu(container->space->as->root)) {
> +if (vfio_set_iommu_fault_notifier(container)) {
> +error_setg_errno(errp, -ret,
> +"Fail to set IOMMU fault notifier");
> +goto listener_release_exit;
> +}
> +}


Backwards compatibility needs to be supported, we can't invent a
feature and impose it on all users.  We can either opportunistically
enable it and be silent about it when it's not there, or we can add a
feature flag and complain and fail if the user requests the feature and
it's not available or errors.

> +
>  container->initialized = true;
>  
>  QLIST_INIT(>group_list);
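
Review bot: `ret` is never assigned from vfio_set_iommu_fault_notifier() in this hunk, so error_setg_errno(errp, -ret, ...) reports a stale value from earlier in vfio_connect_container(); write `ret = vfio_set_iommu_fault_notifier(container); if (ret) { ... }`, and have the callee return -errno rather than the raw -1 from ioctl() so the message is meaningful. The handler registered here also needs a matching qemu_set_fd_handler(fd, NULL, NULL, NULL) and event_notifier_cleanup() when the container is released, which this hunk does not show.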
> diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h
> index c582de1..1b594c6 100644
> --- a/include/hw/vfio/vfio-common.h
> +++ b/include/hw/vfio/vfio-common.h
> @@ -26,6 +26,7 @@
>  #include "exec/memory.h"
>  #include "qemu/queue.h"
>  #include "qemu/notify.h"
> +#include "qemu/event_notifier.h"
>  #ifdef CONFIG_LINUX
>  #include 
>  #endif
> @@ -81,6 +82,8 @@ typedef struct VFIOContainer {
>  unsigned iommu_type;
>  int error;
>  bool initialized;
> +EventNotifier fault_notifier;
> +
>  /*
>   * This assumes the host IOMMU can support only a single
>   * contiguous IOVA window.  We may need to generalize that in
> diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
> index 759b850..ca890ee 100644
> --- a/linux-headers/linux/vfio.h
> +++ b/linux-headers/linux/vfio.h
> @@ -537,6 +537,19 @@ struct vfio_iommu_type1_dma_unmap {
>  #define VFIO_IOMMU_ENABLE_IO(VFIO_TYPE, VFIO_BASE + 15)
>  #define VFIO_IOMMU_DISABLE   _IO(VFIO_TYPE, VFIO_BASE + 16)
>  
> +/*
> + * VFIO_IOMMU_SET_FAULT_EVENT_FD _IO(VFIO_TYPE, VFIO_BASE + 17)
> + * 
> + * Receive eventfd from userspace to notify fault event from IOMMU.
> + */
> +struct vfio_iommu_type1_set_fault_eventfd {
> + __u32   argsz;
> + __u32   flags;
> + __u32   fd;
> +};
> +
> +#define VFIO_IOMMU_SET_FAULT_EVENTFD _IO(VFIO_TYPE, VFIO_BASE + 17)
> +
>  /*  Additional API for SPAPR TCE (Server POWERPC) IOMMU  */
>  
>  /*
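Review bot: the block comment names the ioctl `VFIO_IOMMU_SET_FAULT_EVENT_FD` while the define right below it is `VFIO_IOMMU_SET_FAULT_EVENTFD`; make the two match. `fd` is declared `__u32`, but the existing VFIO ABI passes eventfds as signed 32-bit values with -1 meaning "disable" (see `VFIO_IRQ_SET_DATA_EVENTFD`), so `__s32 fd` would keep the new ioctl consistent with that convention. Also, `linux-headers/` is regenerated from a kernel tree by `scripts/update-linux-headers.sh`, so this hunk should become a separate header-sync patch once the kernel side is merged rather than a hand edit.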




Re: [Qemu-devel] [Resend RFC PATCH 3/4] Intel iommu: Add Intel IOMMU fault event callback

2017-02-20 Thread Alex Williamson
On Mon, 20 Feb 2017 09:28:06 +0800
Lan Tianyu  wrote:

> This patch is to deal with fault event reported from IOMMU driver.
> 
> Signed-off-by: Lan Tianyu 
> ---
>  hw/i386/intel_iommu.c | 25 +
>  1 file changed, 25 insertions(+)
> 
> diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
> index 9b1ba1b..79507d2 100644
> --- a/hw/i386/intel_iommu.c
> +++ b/hw/i386/intel_iommu.c
> @@ -2286,6 +2286,30 @@ static void vtd_iommu_notify_flag_changed(MemoryRegion 
> *iommu,
>  }
>  }
>  
> +static void vtd_iommu_notify_fault_event(MemoryRegion *iommu,
> + IOMMUFaultInfo *info)
> +{
> +VTDAddressSpace *vtd_as = container_of(iommu, VTDAddressSpace, iommu);
> +IntelIOMMUState *s = vtd_as->iommu_state;
> +bool is_fpd_set = false;
> +uint8_t bus_num = pci_bus_num(vtd_as->bus);
> +uint8_t devfn = vtd_as->devfn;
> +VTDContextEntry ce;
> +
> +/* Replace source id with device's vbdf */
> +info->sid = vtd_make_source_id(bus_num, devfn);
> +
> +if (!vtd_dev_to_context_entry(s, bus_num, devfn, )) {
> +is_fpd_set = ce.lo & VTD_CONTEXT_ENTRY_FPD;
> +if (is_fpd_set) {
> +trace_vtd_fault_disabled();
> +} else {
> +vtd_report_dmar_fault(s, info->sid, info->addr,
> +  info->fault_reason, info->is_write);

Convenient that the error structure exactly matches the function
parameters here.  Is fault_reason going to be standardized across all
IOMMU vendors?  If not, how does QEMU know whether the type1 container
is backed by VT-d, AMD-Vi, ARM SMMU, etc?

> +}
> +}
> +}
> +
>  static const VMStateDescription vtd_vmstate = {
>  .name = "iommu-intel",
>  .version_id = 1,
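Review bot: when `vtd_dev_to_context_entry()` fails, the fault is dropped silently; nothing is traced or reported, although a DMA fault from a device whose context entry is missing or invalid is exactly the condition a guest driver would want to see. At minimum add a trace point on that path. The local `is_fpd_set` is only used inside the success branch, so its `= false` initialisation does nothing; `if (ce.lo & VTD_CONTEXT_ENTRY_FPD)` reads cleaner.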
> @@ -2816,6 +2840,7 @@ static void vtd_init(IntelIOMMUState *s)
>  
>  s->iommu_ops.translate = vtd_iommu_translate;
>  s->iommu_ops.notify_flag_changed = vtd_iommu_notify_flag_changed;
> +s->iommu_ops.notify_fault_event = vtd_iommu_notify_fault_event;
>  s->iommu_ops.replay = vtd_iommu_replay;
>  s->root = 0;
>  s->root_extended = false;




Re: [Qemu-devel] [Resend RFC PATCH 4/4] VFIO: Read IOMMU fault info from kernel space when get fault event

2017-02-20 Thread Alex Williamson
On Mon, 20 Feb 2017 09:28:07 +0800
Lan Tianyu  wrote:

> This patch is to implement fault event handler with new vfio cmd to
> get fault info and notify vIOMMU device model.
> 
> Signed-off-by: Lan Tianyu 
> ---
>  hw/vfio/common.c   | 51 
> ++
>  linux-headers/linux/vfio.h | 22 
>  2 files changed, 73 insertions(+)
> 
> diff --git a/hw/vfio/common.c b/hw/vfio/common.c
> index 628b424..4f76e26 100644
> --- a/hw/vfio/common.c
> +++ b/hw/vfio/common.c
> @@ -297,6 +297,57 @@ static bool 
> vfio_listener_skipped_section(MemoryRegionSection *section)
>  
>  static void vfio_iommu_fault(void *opaque)
>  {
> +VFIOContainer *container = opaque;
> +struct vfio_iommu_type1_get_fault_info *info;
> +struct vfio_iommu_fault_info *fault_info;
> +MemoryRegion *mr = container->space->as->root;
> +int count = 0, i, ret;
> +IOMMUFaultInfo tmp;
> +
> +if (!event_notifier_test_and_clear(>fault_notifier)) {
> +return;
> +}
> +
> +info = g_malloc0(sizeof(*info));
> +if (!info) {
> +error_report("vfio: Fail to allocate memory");
> +return;
> +}
> +
> +info->argsz = sizeof(*info);
> +
> +ret = ioctl(container->fd, VFIO_IOMMU_GET_FAULT_INFO, info);
> +if (ret && ret != -ENOSPC) {
> +error_report("vfio: Can't get fault info");
> +goto err_exit;
> +}
> +
> +count = info->count;
> +if (count <= 0) {
> +goto err_exit;
> +}
> +
> +info = g_realloc(info, sizeof(*info) + count * sizeof(*fault_info));
> +info->argsz = sizeof(*info) + count * sizeof(*fault_info);
> +fault_info = info->fault_info;
> +
> +ret = ioctl(container->fd, VFIO_IOMMU_GET_FAULT_INFO, info);
> +if (ret) {
> +error_report("vfio: Can't get fault info");
> +goto err_exit;
> +}
> +
> +for (i = 0; i < info->count; i++) {
> +tmp.addr = fault_info[i].addr;
> +tmp.sid = fault_info[i].sid;
> +tmp.fault_reason = fault_info[i].fault_reason;
> +tmp.is_write = fault_info[i].is_write;
> +
> +memory_region_iommu_fault_notify(mr, );
> +}

Are there service requirements for handling these faults?  Can the
device wait indefinitely?  Can userspace handling of such faults meet
the device service requirements?  Is userspace handling sufficient for
the device's performance needs?  Do we get one eventfd per fault entry?
How do we know if the faults have overflowed?  Would an overflow be
fatal or would there be a retry mechanism?

> +
> +err_exit:
> +g_free(info);
>  }
>  
>  static int vfio_set_iommu_fault_notifier(struct VFIOContainer *container)
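Review bot: `ioctl()` reports failure as -1 with the reason in `errno`, it never returns `-ENOSPC`, so the `ret && ret != -ENOSPC` test after the first (size-probing) call is true for every failure; a kernel that answers the probe with ENOSPC makes the handler bail out each time and no fault is ever read. Test `ret < 0 && errno != ENOSPC` (and the same for the second call). The `if (!info)` after `g_malloc0()` is dead code, since glib aborts on allocation failure and QEMU relies on that. Finally, `count` is stale by the time of the second call: if more faults arrived in between, the second `ioctl()` presumably fails with ENOSPC again and the whole batch is thrown away under a generic "Can't get fault info", so either loop until the buffer fits or accept a partial read and re-arm.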
> diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
> index ca890ee..8b172f5 100644
> --- a/linux-headers/linux/vfio.h
> +++ b/linux-headers/linux/vfio.h
> @@ -550,6 +550,28 @@ struct vfio_iommu_type1_set_fault_eventfd {
>  
>  #define VFIO_IOMMU_SET_FAULT_EVENTFD _IO(VFIO_TYPE, VFIO_BASE + 17)
>  
> +/*
> + * VFIO_IOMMU_GET_FAULT_INFO _IO(VFIO_TYPE, VFIO_BASE + 18)
> + *
> + * Return IOMMU fault info to userspace.
> + */
> +
> +struct vfio_iommu_fault_info {
> + __u64   addr;
> + __u16   sid;
> + __u8fault_reason;
> + __u8is_write:1;
> +};
> +
> +struct vfio_iommu_type1_get_fault_info {
> + __u32   argsz;
> + __u32   flags;
> + __u32   count;
> + struct vfio_iommu_fault_info fault_info[];
> +};
> +
> +#define VFIO_IOMMU_GET_FAULT_INFO_IO(VFIO_TYPE, VFIO_BASE + 18)
> +
>  /*  Additional API for SPAPR TCE (Server POWERPC) IOMMU  */
>  
>  /*
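Review bot: `struct vfio_iommu_fault_info` has 4 bytes of implicit tail padding (8 + 2 + 1 + 1 bytes rounded up to the 8-byte alignment of `addr`), and `is_write` is a bitfield in a uapi struct; unnamed padding and bitfields make the layout compiler-dependent, and the padding bytes reach userspace uninitialised unless the kernel zeroes each entry explicitly. Carry `is_write` as a bit in a `__u32` flags word and add an explicit reserved field so the size is fixed, the way `struct vfio_iommu_type1_get_fault_info` already does with `flags`.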




Re: [Qemu-devel] [PATCH v4 3/5] slirp: Common lhost/fhost union

2017-02-20 Thread Philippe Mathieu-Daudé

On 02/20/2017 03:50 PM, Dr. David Alan Gilbert (git) wrote:

From: "Dr. David Alan Gilbert" 

The socket structure has a pair of unions for lhost and fhost
addresses; the unions are identical so split them out into
a separate union declaration.

Signed-off-by: Dr. David Alan Gilbert 


Reviewed-by: Philippe Mathieu-Daudé 


---
 slirp/socket.h | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/slirp/socket.h b/slirp/socket.h
index 8feed2a..c1be77e 100644
--- a/slirp/socket.h
+++ b/slirp/socket.h
@@ -15,6 +15,12 @@
  * Our socket structure
  */

+union slirp_sockaddr {
+struct sockaddr_storage ss;
+struct sockaddr_in sin;
+struct sockaddr_in6 sin6;
+};
+
 struct socket {
   struct socket *so_next,*so_prev;  /* For a linked list of sockets */

@@ -31,22 +37,14 @@ struct socket {
   struct tcpiphdr *so_ti; /* Pointer to the original ti within
* so_mconn, for non-blocking connections */
   int so_urgc;
-  union {   /* foreign host */
-  struct sockaddr_storage ss;
-  struct sockaddr_in sin;
-  struct sockaddr_in6 sin6;
-  } fhost;
+  union slirp_sockaddr fhost;  /* Foreign host */
 #define so_faddr fhost.sin.sin_addr
 #define so_fport fhost.sin.sin_port
 #define so_faddr6 fhost.sin6.sin6_addr
 #define so_fport6 fhost.sin6.sin6_port
 #define so_ffamily fhost.ss.ss_family

-  union {   /* local host */
-  struct sockaddr_storage ss;
-  struct sockaddr_in sin;
-  struct sockaddr_in6 sin6;
-  } lhost;
+  union slirp_sockaddr lhost;  /* Local host */
 #define so_laddr lhost.sin.sin_addr
 #define so_lport lhost.sin.sin_port
 #define so_laddr6 lhost.sin6.sin6_addr





Re: [Qemu-devel] [PATCH v8 4/8] ACPI: Add Virtual Machine Generation ID support

2017-02-20 Thread Laszlo Ersek
On 02/20/17 21:19, Dr. David Alan Gilbert wrote:
> * Eric Blake (ebl...@redhat.com) wrote:
>> On 02/20/2017 04:23 AM, Dr. David Alan Gilbert wrote:
>>> * Laszlo Ersek (ler...@redhat.com) wrote:
>>>> CC Dave
>>>
>>> This isn't an area I really understand; but if I'm
>>> reading this right then 
>>>vmgenid is stored in fw_cfg?
>>>fw_cfg isn't migrated
>>>
>>> So why should any changes to it get migrated, except if it's already
>>> been read by the guest (and if the guest reads it again afterwards what's
>>> it expected to read?)
>>
>> Why are we expecting it to change on migration?  You want a new value
> 
> I'm not; I was asking why a change made prior to migration would be
> preserved across migration.
> 
> 
>> when you load state from disk (you don't know how many times the same
>> state has been loaded previously, so each load is effectively forking
>> the VM and you want a different value), but for a single live migration,
>> you aren't forking the VM and don't need a new generation ID.
>>
>> I guess it all boils down to what command line you're using: if libvirt
>> is driving a live migration, it will request the same UUID in the
>> command line of the destination as what is on the source; while if
>> libvirt is loading from a [managed]save to restore state from a file, it
>> will either request a new UUID directly or request auto to let qemu
>> generate the new id.
> 
> Hmm now I've lost it a bit; I thought we would preserve the value
> transmitted from the source, not the value on the command line of the 
> destination.

There are two relevant pieces of data here.

(a) the GUID in guest RAM
(b) the guest-phys address of the GUID, written back by the guest fw to
a guest-writeable fw_cfg file, to be dereferenced by QEMU, for updating
the GUID in guest RAM

For both live migration and restoring saved state from disk, (b) doesn't
change. It is also not exposed on the QEMU command line. (It is
configured by the guest firmware during initial boot.)

(a) is taken from the QEMU command line. It can be "auto" (and then QEMU
generates a random GUID), or a specific GUID string. This GUID is always
written to guest RAM (assuming (b) has been configured) in the vmgenid
device's post_load callback. However, whether the new GUID should be
different from the one already present in guest RAM is a separate question.

- For restoring state from disk, a different GUID (either generated by
libvirt, or by QEMU due to "auto") makes sense.

- For live migration, it makes sense for libvirt to pass in the same
GUID on the target host as was used on the source host. The guest RAM
update, and the ACPI interrupt (SCI), will occur on the target host, but
the GUID won't change effectively. (The VMGENID spec explicitly permits
spurious notifications, i.e., an SCI with no change to the GUID in RAM.)

Thanks
Laszlo




Re: [Qemu-devel] [PATCH v8 4/8] ACPI: Add Virtual Machine Generation ID support

2017-02-20 Thread Laszlo Ersek
On 02/20/17 21:45, Eric Blake wrote:
> On 02/20/2017 02:19 PM, Dr. David Alan Gilbert wrote:
>> * Eric Blake (ebl...@redhat.com) wrote:
>>> On 02/20/2017 04:23 AM, Dr. David Alan Gilbert wrote:
>>>> * Laszlo Ersek (ler...@redhat.com) wrote:
>>>>> CC Dave
>>>>
>>>> This isn't an area I really understand; but if I'm
>>>> reading this right then 
>>>>    vmgenid is stored in fw_cfg?
>>>>    fw_cfg isn't migrated
>>>>
>>>> So why should any changes to it get migrated, except if it's already
>>>> been read by the guest (and if the guest reads it again afterwards what's
>>>> it expected to read?)
>>>
>>> Why are we expecting it to change on migration?  You want a new value
>>
>> I'm not; I was asking why a change made prior to migration would be
>> preserved across migration.
> 
> Okay, so you're asking what happens if the source requests the vmgenid
> device, and sets an id, but the destination of the migration does not
> request anything

This should never happen, as it means different QEMU command lines on
source vs. target hosts. (Different as in "incorrectly different".)

Dave writes, "a change made prior to migration". Change made to what?

- the GUID cannot be changed via the monitor once QEMU has been started.
We dropped the monitor command for that, due to lack of a good use case,
and due to lifecycle complexities. We have figured out a way to make it
safe, but until there's a really convincing use case, we shouldn't add
that complexity.

- the address of the GUID is changed (the firmware programs it from
"zero" to an actual address, in a writeable fw_cfg file), and that piece
of info is explicitly migrated, as part of the vmgenid device's vmsd.

Thanks
Laszlo


> - how does the guest on the destination see the same id
> as was in place on the source at the time migration started.
> 
>>
>>
>>> when you load state from disk (you don't know how many times the same
>>> state has been loaded previously, so each load is effectively forking
>>> the VM and you want a different value), but for a single live migration,
>>> you aren't forking the VM and don't need a new generation ID.
>>>
>>> I guess it all boils down to what command line you're using: if libvirt
>>> is driving a live migration, it will request the same UUID in the
>>> command line of the destination as what is on the source; while if
>>> libvirt is loading from a [managed]save to restore state from a file, it
>>> will either request a new UUID directly or request auto to let qemu
>>> generate the new id.
>>
>> Hmm now I've lost it a bit; I thought we would preserve the value
>> transmitted from the source, not the value on the command line of the 
>> destination.
> 
> I guess I'm trying to figure out whether libvirt MUST read the current
> id and explicitly tell the destination of migration to reuse that id, or
> if libvirt can omit the id on migration and everything just works
> because the id was migrated from the source.
> 




[Qemu-devel] [PATCH V2 4/4] hw/virtio: fix Power Management Control Register for PCI Express virtio devices

2017-02-20 Thread Marcel Apfelbaum
Make Power Management State flag writable to conform
with the PCI Express spec.

Signed-off-by: Marcel Apfelbaum 
---
 hw/virtio/virtio-pci.c | 11 +++
 hw/virtio/virtio-pci.h |  4 
 include/hw/compat.h|  4 
 include/hw/pci/pcie.h  |  2 ++
 4 files changed, 21 insertions(+)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 1fb0a03..fb86e58 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1812,6 +1812,7 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error 
**errp)
 
 pos = pci_add_capability(pci_dev, PCI_CAP_ID_PM, 0, PCI_PM_SIZEOF);
 assert(pos > 0);
+pci_dev->exp.pm_cap = pos;
 
 /*
  * Indicates that this function complies with revision 1.2 of the
@@ -1829,6 +1830,12 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error 
**errp)
 pcie_cap_lnkctl_init(pci_dev);
 }
 
+if (proxy->flags & VIRTIO_PCI_FLAG_INIT_PM) {
+/* Init Power Management Control Register */
+pci_set_word(pci_dev->wmask + pos + PCI_PM_CTRL,
+ PCI_PM_CTRL_STATE_MASK);
+}
+
 if (proxy->flags & VIRTIO_PCI_FLAG_ATS) {
 pcie_ats_init(pci_dev, 256);
 }
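Review bot: `pci_set_word(pci_dev->wmask + pos + PCI_PM_CTRL, PCI_PM_CTRL_STATE_MASK)` overwrites the whole write mask word for PMCSR, clearing any bit another init step may already have made writable there, whereas the sibling `pcie_cap_lnkctl_init()` from 3/4 ORs its bits in with a test-and-set helper. `pci_word_test_and_set_mask()` does the same here and is the right width for this 16-bit register.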
@@ -1873,6 +1880,8 @@ static void virtio_pci_reset(DeviceState *qdev)
 if (pci_is_express(dev)) {
 pcie_cap_deverr_reset(dev);
 pcie_cap_lnkctl_reset(dev);
+
+pci_set_word(dev->config + dev->exp.pm_cap + PCI_PM_CTRL, 0);
 }
 }
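Review bot: the reset path zeroes the entire PMCSR register with `pci_set_word(..., 0)` rather than just the PowerState field it made writable, and it runs for every express device regardless of `VIRTIO_PCI_FLAG_INIT_PM`. `pci_word_test_and_clear_mask(dev->config + dev->exp.pm_cap + PCI_PM_CTRL, PCI_PM_CTRL_STATE_MASK)` limits the reset to what this patch owns and mirrors `pcie_cap_lnkctl_reset()`.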
 
@@ -1898,6 +1907,8 @@ static Property virtio_pci_properties[] = {
 VIRTIO_PCI_FLAG_INIT_DEVERR_BIT, true),
 DEFINE_PROP_BIT("x-pcie-lnkctl-init", VirtIOPCIProxy, flags,
 VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT, true),
+DEFINE_PROP_BIT("x-pcie-pm-init", VirtIOPCIProxy, flags,
+VIRTIO_PCI_FLAG_INIT_PM_BIT, true),
 DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/hw/virtio/virtio-pci.h b/hw/virtio/virtio-pci.h
index 9b5dd5a..b095dfc 100644
--- a/hw/virtio/virtio-pci.h
+++ b/hw/virtio/virtio-pci.h
@@ -75,6 +75,7 @@ enum {
 VIRTIO_PCI_FLAG_ATS_BIT,
 VIRTIO_PCI_FLAG_INIT_DEVERR_BIT,
 VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT,
+VIRTIO_PCI_FLAG_INIT_PM_BIT,
 };
 
 /* Need to activate work-arounds for buggy guests at vmstate load. */
@@ -108,6 +109,9 @@ enum {
 /* Init Link Control register */
 #define VIRTIO_PCI_FLAG_INIT_LNKCTL (1 << VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT)
 
+/* Init Power Management */
+#define VIRTIO_PCI_FLAG_INIT_PM (1 << VIRTIO_PCI_FLAG_INIT_PM_BIT)
+
 typedef struct {
 MSIMessage msg;
 int virq;
diff --git a/include/hw/compat.h b/include/hw/compat.h
index 0931aa5..90606f9 100644
--- a/include/hw/compat.h
+++ b/include/hw/compat.h
@@ -30,6 +30,10 @@
 .driver   = "virtio-pci",\
 .property = "x-pcie-lnkctl-init",\
 .value= "off",\
+},{\
+.driver   = "virtio-pci",\
+.property = "x-pcie-pm-init",\
+.value= "off",\
 },
 
 #define HW_COMPAT_2_7 \
diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h
index 11c6247..3d8f24b 100644
--- a/include/hw/pci/pcie.h
+++ b/include/hw/pci/pcie.h
@@ -63,6 +63,8 @@ typedef enum {
 struct PCIExpressDevice {
 /* Offset of express capability in config space */
 uint8_t exp_cap;
+/* Offset of Power Management capability in config space */
+uint8_t pm_cap;
 
 /* SLOT */
 bool hpev_notified; /* Logical AND of conditions for hot plug event.
-- 
2.5.5




Re: [Qemu-devel] [PATCH v8 4/8] ACPI: Add Virtual Machine Generation ID support

2017-02-20 Thread Eric Blake
On 02/20/2017 02:19 PM, Dr. David Alan Gilbert wrote:
> * Eric Blake (ebl...@redhat.com) wrote:
>> On 02/20/2017 04:23 AM, Dr. David Alan Gilbert wrote:
>>> * Laszlo Ersek (ler...@redhat.com) wrote:
>>>> CC Dave
>>>
>>> This isn't an area I really understand; but if I'm
>>> reading this right then 
>>>vmgenid is stored in fw_cfg?
>>>fw_cfg isn't migrated
>>>
>>> So why should any changes to it get migrated, except if it's already
>>> been read by the guest (and if the guest reads it again afterwards what's
>>> it expected to read?)
>>
>> Why are we expecting it to change on migration?  You want a new value
> 
> I'm not; I was asking why a change made prior to migration would be
> preserved across migration.

Okay, so you're asking what happens if the source requests the vmgenid
device, and sets an id, but the destination of the migration does not
request anything - how does the guest on the destination see the same id
as was in place on the source at the time migration started.

> 
> 
>> when you load state from disk (you don't know how many times the same
>> state has been loaded previously, so each load is effectively forking
>> the VM and you want a different value), but for a single live migration,
>> you aren't forking the VM and don't need a new generation ID.
>>
>> I guess it all boils down to what command line you're using: if libvirt
>> is driving a live migration, it will request the same UUID in the
>> command line of the destination as what is on the source; while if
>> libvirt is loading from a [managed]save to restore state from a file, it
>> will either request a new UUID directly or request auto to let qemu
>> generate the new id.
> 
> Hmm now I've lost it a bit; I thought we would preserve the value
> transmitted from the source, not the value on the command line of the 
> destination.

I guess I'm trying to figure out whether libvirt MUST read the current
id and explicitly tell the destination of migration to reuse that id, or
if libvirt can omit the id on migration and everything just works
because the id was migrated from the source.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





[Qemu-devel] [PATCH V2 2/4] hw/virtio: fix error enabling flags in Device Control register

2017-02-20 Thread Marcel Apfelbaum
When the virtio devices are PCI Express, make error-enabling flags
writable to respect the PCIe spec.

Signed-off-by: Marcel Apfelbaum 
---
 hw/virtio/virtio-pci.c | 12 
 hw/virtio/virtio-pci.h |  4 
 include/hw/compat.h|  4 
 3 files changed, 20 insertions(+)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 5ce42af..9e2bca6 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1819,6 +1819,11 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error 
**errp)
  */
 pci_set_word(pci_dev->config + pos + PCI_PM_PMC, 0x3);
 
+if (proxy->flags & VIRTIO_PCI_FLAG_INIT_DEVERR) {
+/* Init error enabling flags */
+pcie_cap_deverr_init(pci_dev);
+}
+
 if (proxy->flags & VIRTIO_PCI_FLAG_ATS) {
 pcie_ats_init(pci_dev, 256);
 }
@@ -1849,6 +1854,7 @@ static void virtio_pci_reset(DeviceState *qdev)
 {
 VirtIOPCIProxy *proxy = VIRTIO_PCI(qdev);
 VirtioBusState *bus = VIRTIO_BUS(>bus);
+PCIDevice *dev = PCI_DEVICE(qdev);
 int i;
 
 virtio_pci_stop_ioeventfd(proxy);
@@ -1858,6 +1864,10 @@ static void virtio_pci_reset(DeviceState *qdev)
 for (i = 0; i < VIRTIO_QUEUE_MAX; i++) {
 proxy->vqs[i].enabled = 0;
 }
+
+if (pci_is_express(dev)) {
+pcie_cap_deverr_reset(dev);
+}
 }
 
 static Property virtio_pci_properties[] = {
@@ -1878,6 +1888,8 @@ static Property virtio_pci_properties[] = {
  ignore_backend_features, false),
 DEFINE_PROP_BIT("ats", VirtIOPCIProxy, flags,
 VIRTIO_PCI_FLAG_ATS_BIT, false),
+DEFINE_PROP_BIT("x-pcie-deverr-init", VirtIOPCIProxy, flags,
+VIRTIO_PCI_FLAG_INIT_DEVERR_BIT, true),
 DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/hw/virtio/virtio-pci.h b/hw/virtio/virtio-pci.h
index d00064c..120661d 100644
--- a/hw/virtio/virtio-pci.h
+++ b/hw/virtio/virtio-pci.h
@@ -73,6 +73,7 @@ enum {
 VIRTIO_PCI_FLAG_DISABLE_PCIE_BIT,
 VIRTIO_PCI_FLAG_PAGE_PER_VQ_BIT,
 VIRTIO_PCI_FLAG_ATS_BIT,
+VIRTIO_PCI_FLAG_INIT_DEVERR_BIT,
 };
 
 /* Need to activate work-arounds for buggy guests at vmstate load. */
@@ -100,6 +101,9 @@ enum {
 /* address space translation service */
 #define VIRTIO_PCI_FLAG_ATS (1 << VIRTIO_PCI_FLAG_ATS_BIT)
 
+/* Init error enabling flags */
+#define VIRTIO_PCI_FLAG_INIT_DEVERR (1 << VIRTIO_PCI_FLAG_INIT_DEVERR_BIT)
+
 typedef struct {
 MSIMessage msg;
 int virq;
diff --git a/include/hw/compat.h b/include/hw/compat.h
index ce3bfe3..c98776a 100644
--- a/include/hw/compat.h
+++ b/include/hw/compat.h
@@ -22,6 +22,10 @@
 .driver   = TYPE_PCI_DEVICE,\
 .property = "x-pcie-extcap-init",\
 .value= "off",\
+},{\
+.driver   = "virtio-pci",\
+.property = "x-pcie-deverr-init",\
+.value= "off",\
 },
 
 #define HW_COMPAT_2_7 \
-- 
2.5.5




[Qemu-devel] [PATCH V2 3/4] hw/virtio: fix Link Control Register for PCI Express virtio devices

2017-02-20 Thread Marcel Apfelbaum
Make several Link Control Register flags writable to conform
with the PCI Express spec.

Signed-off-by: Marcel Apfelbaum 
---
 hw/pci/pcie.c  | 14 ++
 hw/virtio/virtio-pci.c |  8 
 hw/virtio/virtio-pci.h |  4 
 include/hw/compat.h|  4 
 include/hw/pci/pcie.h  |  3 +++
 5 files changed, 33 insertions(+)

diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index 2526e3a..1804163 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -223,6 +223,20 @@ void pcie_cap_deverr_reset(PCIDevice *dev)
  PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE);
 }
 
+void pcie_cap_lnkctl_init(PCIDevice *dev)
+{
+uint32_t pos = dev->exp.exp_cap;
+pci_long_test_and_set_mask(dev->wmask + pos + PCI_EXP_LNKCTL,
+   PCI_EXP_LNKCTL_CCC | PCI_EXP_LNKCTL_ES);
+}
+
+void pcie_cap_lnkctl_reset(PCIDevice *dev)
+{
+uint8_t *lnkctl = dev->config + dev->exp.exp_cap + PCI_EXP_LNKCTL;
+pci_long_test_and_clear_mask(lnkctl,
+ PCI_EXP_LNKCTL_CCC | PCI_EXP_LNKCTL_ES);
+}
+
 static void hotplug_event_update_event_status(PCIDevice *dev)
 {
 uint32_t pos = dev->exp.exp_cap;
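Review bot: Link Control is a 16-bit register, so the `pci_long_test_and_set_mask()` / `pci_long_test_and_clear_mask()` calls here span into Link Status at `PCI_EXP_LNKCTL + 2`; with both mask bits in the low half this is harmless today, but `pci_word_test_and_set_mask()` and `pci_word_test_and_clear_mask()` say what is meant and cannot silently overlap the neighbouring register if the mask grows. A one-line comment that the device only latches Common Clock Configuration and Extended Synch (no behaviour is attached to them) would also help the next reader.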
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 9e2bca6..1fb0a03 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1824,6 +1824,11 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error 
**errp)
 pcie_cap_deverr_init(pci_dev);
 }
 
+if (proxy->flags & VIRTIO_PCI_FLAG_INIT_LNKCTL) {
+/* Init Link Control Register */
+pcie_cap_lnkctl_init(pci_dev);
+}
+
 if (proxy->flags & VIRTIO_PCI_FLAG_ATS) {
 pcie_ats_init(pci_dev, 256);
 }
@@ -1867,6 +1872,7 @@ static void virtio_pci_reset(DeviceState *qdev)
 
 if (pci_is_express(dev)) {
 pcie_cap_deverr_reset(dev);
+pcie_cap_lnkctl_reset(dev);
 }
 }
 
@@ -1890,6 +1896,8 @@ static Property virtio_pci_properties[] = {
 VIRTIO_PCI_FLAG_ATS_BIT, false),
 DEFINE_PROP_BIT("x-pcie-deverr-init", VirtIOPCIProxy, flags,
 VIRTIO_PCI_FLAG_INIT_DEVERR_BIT, true),
+DEFINE_PROP_BIT("x-pcie-lnkctl-init", VirtIOPCIProxy, flags,
+VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT, true),
 DEFINE_PROP_END_OF_LIST(),
 };
 
diff --git a/hw/virtio/virtio-pci.h b/hw/virtio/virtio-pci.h
index 120661d..9b5dd5a 100644
--- a/hw/virtio/virtio-pci.h
+++ b/hw/virtio/virtio-pci.h
@@ -74,6 +74,7 @@ enum {
 VIRTIO_PCI_FLAG_PAGE_PER_VQ_BIT,
 VIRTIO_PCI_FLAG_ATS_BIT,
 VIRTIO_PCI_FLAG_INIT_DEVERR_BIT,
+VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT,
 };
 
 /* Need to activate work-arounds for buggy guests at vmstate load. */
@@ -104,6 +105,9 @@ enum {
 /* Init error enabling flags */
 #define VIRTIO_PCI_FLAG_INIT_DEVERR (1 << VIRTIO_PCI_FLAG_INIT_DEVERR_BIT)
 
+/* Init Link Control register */
+#define VIRTIO_PCI_FLAG_INIT_LNKCTL (1 << VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT)
+
 typedef struct {
 MSIMessage msg;
 int virq;
diff --git a/include/hw/compat.h b/include/hw/compat.h
index c98776a..0931aa5 100644
--- a/include/hw/compat.h
+++ b/include/hw/compat.h
@@ -26,6 +26,10 @@
 .driver   = "virtio-pci",\
 .property = "x-pcie-deverr-init",\
 .value= "off",\
+},{\
+.driver   = "virtio-pci",\
+.property = "x-pcie-lnkctl-init",\
+.value= "off",\
 },
 
 #define HW_COMPAT_2_7 \
diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h
index 163c519..11c6247 100644
--- a/include/hw/pci/pcie.h
+++ b/include/hw/pci/pcie.h
@@ -96,6 +96,9 @@ uint8_t pcie_cap_flags_get_vector(PCIDevice *dev);
 void pcie_cap_deverr_init(PCIDevice *dev);
 void pcie_cap_deverr_reset(PCIDevice *dev);
 
+void pcie_cap_lnkctl_init(PCIDevice *dev);
+void pcie_cap_lnkctl_reset(PCIDevice *dev);
+
 void pcie_cap_slot_init(PCIDevice *dev, uint16_t slot);
 void pcie_cap_slot_reset(PCIDevice *dev);
 void pcie_cap_slot_write_config(PCIDevice *dev,
-- 
2.5.5




Re: [Qemu-devel] [PULL 0/8] target-mips queue

2017-02-20 Thread no-reply
Hi,

This series failed build test on s390x host. Please find the details below.

Subject: [Qemu-devel] [PULL 0/8] target-mips queue
Message-id: 1487622662-62984-1-git-send-email-yongbok@imgtec.com
Type: series

=== TEST SCRIPT BEGIN ===
#!/bin/bash
# Testing script will be invoked under the git checkout with
# HEAD pointing to a commit that has the patches applied on top of "base"
# branch
set -e
echo "=== ENV ==="
env
echo "=== PACKAGES ==="
rpm -qa
echo "=== TEST BEGIN ==="
CC=$HOME/bin/cc
INSTALL=$PWD/install
BUILD=/var/tmp/patchew-qemu-build
echo -n "Using CC: "
realpath $CC
test -e $BUILD && rm -rf $BUILD
mkdir -p $BUILD $INSTALL
SRC=$PWD
cd $BUILD
$SRC/configure --cc=$CC --prefix=$INSTALL
make -j4
make check -j4
make install
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 - [tag update]  
patchew/1487067971-10443-1-git-send-email-arm...@redhat.com -> 
patchew/1487067971-10443-1-git-send-email-arm...@redhat.com
 - [tag update]  
patchew/1487585521-19445-1-git-send-email-nik...@linux.vnet.ibm.com -> 
patchew/1487585521-19445-1-git-send-email-nik...@linux.vnet.ibm.com
 - [tag update]  patchew/1487614915-18710-1-git-send-email-...@openvz.org 
-> patchew/1487614915-18710-1-git-send-email-...@openvz.org
 * [new tag] 
patchew/1487622662-62984-1-git-send-email-yongbok@imgtec.com -> 
patchew/1487622662-62984-1-git-send-email-yongbok@imgtec.com
 - [tag update]  patchew/20170220165204.1980-1-stefa...@redhat.com -> 
patchew/20170220165204.1980-1-stefa...@redhat.com
Switched to a new branch 'test'
0645df1 hw/mips: MIPS Boston board support
04f5bec hw: xilinx-pcie: Add support for Xilinx AXI PCIe Controller
6c3d656 loader: Support Flattened Image Trees (FIT images)
9275ec8 dtc: Update requirement to v1.4.2
aa8e11a target-mips: Provide function to test if a CPU supports an ISA
0ea1cba hw/mips_gic: Update pin state on mask changes
e84e2ee hw/mips_gictimer: provide API for retrieving frequency
65bddf5 hw/mips_cmgcr: allow GCR base to be moved

=== OUTPUT BEGIN ===
=== ENV ===
XDG_SESSION_ID=28414
SHELL=/bin/sh
USER=fam
PATCHEW=/home/fam/patchew/patchew-cli -s http://patchew.org --nodebug
PATH=/usr/bin:/bin
PWD=/var/tmp/patchew-tester-tmp-i2k78q7z/src
LANG=en_US.UTF-8
HOME=/home/fam
SHLVL=2
LOGNAME=fam
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1012/bus
XDG_RUNTIME_DIR=/run/user/1012
_=/usr/bin/env
=== PACKAGES ===
gpg-pubkey-873529b8-54e386ff
xz-libs-5.2.2-2.fc24.s390x
libacl-2.2.52-11.fc24.s390x
libxshmfence-1.2-3.fc24.s390x
cdparanoia-libs-10.2-21.fc24.s390x
ustr-1.0.4-21.fc24.s390x
giflib-4.1.6-15.fc24.s390x
libusb-0.1.5-7.fc24.s390x
trousers-lib-0.3.13-6.fc24.s390x
readline-devel-6.3-8.fc24.s390x
python-srpm-macros-3-10.fc25.noarch
ncurses-base-6.0-6.20160709.fc25.noarch
gmp-6.1.1-1.fc25.s390x
chkconfig-1.8-1.fc25.s390x
libidn-1.33-1.fc25.s390x
file-5.28-4.fc25.s390x
slang-2.3.0-7.fc25.s390x
avahi-libs-0.6.32-4.fc25.s390x
libsemanage-2.5-8.fc25.s390x
perl-Unicode-Normalize-1.25-365.fc25.s390x
perl-libnet-3.10-1.fc25.noarch
perl-Thread-Queue-3.11-1.fc25.noarch
perl-podlators-4.09-1.fc25.noarch
jasper-libs-1.900.13-1.fc25.s390x
graphite2-1.3.6-1.fc25.s390x
libblkid-2.28.2-1.fc25.s390x
pkgconfig-0.29.1-1.fc25.s390x
dbus-python-1.2.4-2.fc25.s390x
alsa-lib-1.1.1-2.fc25.s390x
libgnome-keyring-3.12.0-7.fc25.s390x
yum-metadata-parser-1.1.4-17.fc25.s390x
python3-3.5.2-4.fc25.s390x
python3-slip-dbus-0.6.4-4.fc25.noarch
python2-cssselect-0.9.2-1.fc25.noarch
python-backports-1.0-8.fc25.s390x
python-magic-5.28-4.fc25.noarch
python-pycparser-2.14-7.fc25.noarch
python-fedora-0.8.0-2.fc25.noarch
createrepo_c-libs-0.10.0-6.fc25.s390x
initscripts-9.69-1.fc25.s390x
plymouth-scripts-0.9.3-0.6.20160620git0e65b86c.fc25.s390x
cronie-1.5.1-2.fc25.s390x
python2-librepo-1.7.18-3.fc25.s390x
wget-1.18-2.fc25.s390x
python3-dnf-plugins-core-0.1.21-4.fc25.noarch
at-spi2-core-2.22.0-1.fc25.s390x
libXv-1.0.11-1.fc25.s390x
dhcp-client-4.3.5-1.fc25.s390x
python2-dnf-plugins-core-0.1.21-4.fc25.noarch
parted-3.2-21.fc25.s390x
python2-ndg_httpsclient-0.4.0-4.fc25.noarch
bash-completion-2.4-1.fc25.noarch
btrfs-progs-4.6.1-1.fc25.s390x
texinfo-6.1-3.fc25.s390x
perl-Filter-1.55-366.fc25.s390x
flex-2.6.0-3.fc25.s390x
libgcc-6.3.1-1.fc25.s390x
glib2-2.50.2-1.fc25.s390x
dbus-libs-1.11.8-1.fc25.s390x
libgomp-6.3.1-1.fc25.s390x
colord-libs-1.3.4-1.fc25.s390x
perl-Encode-2.88-5.fc25.s390x
gstreamer1-1.10.2-1.fc25.s390x
cracklib-2.9.6-4.fc25.s390x
rpm-build-libs-4.13.0-6.fc25.s390x
libobjc-6.3.1-1.fc25.s390x
pcre-devel-8.40-1.fc25.s390x
mariadb-config-10.1.20-1.fc25.s390x
gcc-6.3.1-1.fc25.s390x
mesa-libGL-13.0.3-1.fc25.s390x
python3-dnf-plugin-system-upgrade-0.7.1-4.fc25.noarch
bind-libs-9.10.4-4.P5.fc25.s390x
python-osbs-client-0.33-3.fc25.noarch
NetworkManager-1.4.4-3.fc25.s390x
audit-2.7.1-1.fc25.s390x
glibc-static-2.24-4.fc25.s390x
perl-Pod-Simple-3.35-1.fc25.noarch
gdb-7.12-36.fc25.s390x
python2-simplejson-3.10.0-1.fc25.s390x

[Qemu-devel] [PATCH V2 1/4] hw/pcie: fix Extended Configuration Space for devices with no Extended Capabilities

2017-02-20 Thread Marcel Apfelbaum
Absence of any Extended Capabilities is required to be
indicated by an Extended Capability header with a Capability ID of
h, a Capability Version of 0h, and a Next Capability Offset of 000h.

Instead of inserting a 'NULL' capability it is simpler to mark the start
of the Extended Configuration Space as read-only to achieve the same
behaviour.

Signed-off-by: Marcel Apfelbaum 
---
 hw/pci/pci.c | 2 ++
 hw/pci/pcie.c| 6 ++
 include/hw/compat.h  | 4 
 include/hw/pci/pci.h | 2 ++
 4 files changed, 14 insertions(+)

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index a563555..4d2c0e1 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -64,6 +64,8 @@ static Property pci_props[] = {
 QEMU_PCI_CAP_SERR_BITNR, true),
 DEFINE_PROP_BIT("x-pcie-lnksta-dllla", PCIDevice, cap_present,
 QEMU_PCIE_LNKSTA_DLLLA_BITNR, true),
+DEFINE_PROP_BIT("x-pcie-extcap-init", PCIDevice, cap_present,
+QEMU_PCIE_EXTCAP_INIT_BITNR, true),
 DEFINE_PROP_END_OF_LIST()
 };
 
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index cbd4bb4..2526e3a 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -109,6 +109,12 @@ int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t 
type, uint8_t port)
  PCI_EXP_DEVCAP2_EFF | PCI_EXP_DEVCAP2_EETLPP);
 
 pci_set_word(dev->wmask + pos + PCI_EXP_DEVCTL2, PCI_EXP_DEVCTL2_EETLPPB);
+
+if (dev->cap_present & QEMU_PCIE_EXTCAP_INIT) {
+/* read-only to behave like a 'NULL' Extended Capability Header */
+pci_set_long(dev->wmask + PCI_CONFIG_SPACE_SIZE, 0);
+}
+
 return pos;
 }
 
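Review bot: clearing wmask at PCI_CONFIG_SPACE_SIZE only yields the 'NULL' header (ID 0, version 0, next 0) if the config bytes at that offset are already zero; the hunk relies on that implicitly, so state it in the comment. Also, because this runs inside pcie_cap_init(), a device that later places a real extended capability at offset PCI_CONFIG_SPACE_SIZE must re-establish its own write mask; a sentence in the commit message would stop device authors from inheriting a read-only header by accident.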
diff --git a/include/hw/compat.h b/include/hw/compat.h
index b7db438..ce3bfe3 100644
--- a/include/hw/compat.h
+++ b/include/hw/compat.h
@@ -18,6 +18,10 @@
 .driver   = "pci-bridge",\
 .property = "shpc",\
 .value= "on",\
+},{\
+.driver   = TYPE_PCI_DEVICE,\
+.property = "x-pcie-extcap-init",\
+.value= "off",\
 },
 
 #define HW_COMPAT_2_7 \
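Review bot: the entry lands in the compat block just above HW_COMPAT_2_7, so it applies to 2.8 and older machine types and keeps their guest-visible config space (and migration streams) unchanged; the commit message says nothing about the compat property even though the cover letter credits it to review feedback, so please add a line explaining why older machine types keep the writable header.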
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index cbc1fdf..ded978c 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -182,6 +182,8 @@ enum {
 /* Link active status in endpoint capability is always set */
 #define QEMU_PCIE_LNKSTA_DLLLA_BITNR 8
 QEMU_PCIE_LNKSTA_DLLLA = (1 << QEMU_PCIE_LNKSTA_DLLLA_BITNR),
+#define QEMU_PCIE_EXTCAP_INIT_BITNR 9
+QEMU_PCIE_EXTCAP_INIT = (1 << QEMU_PCIE_EXTCAP_INIT_BITNR),
 };
 
 #define TYPE_PCI_DEVICE "pci-device"
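Review bot: QEMU_PCIE_EXTCAP_INIT lacks the one-line comment its neighbour QEMU_PCIE_LNKSTA_DLLLA carries; add something like "/* Extended Configuration Space starts with a read-only NULL capability header */" so the bit's purpose is visible from the header alone.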
-- 
2.5.5




[Qemu-devel] [PATCH v2] vl: disable default cdrom when using explicitly scsi-hd

2017-02-20 Thread Hervé Poussineau
In commit af6bf1328ef90fae617857c02697e0174b84d596 (May 2011),
ide-hd, ide-cd and scsi-cd have been added to disable default cdrom,
"or else you can't put one on secondary master without -nodefaults".

Make it the same for scsi-hd, so you can put one on scsi-id 2 without
using -nodefaults.
scsi-hd has probably been forgotten, as it has been added in the
preceding commit (b443ae67130d32ad06b06fc9aa6d04d05ccd93ce).

Affected users are the ones using a machine with SCSI devices who start QEMU
with -device scsi-hd but without -device scsi-cd or -cdrom.
In that case, the default cdrom device will disappear instead of being empty.

Signed-off-by: Hervé Poussineau 
---
 vl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vl.c b/vl.c
index 27d9829..4af95b3 100644
--- a/vl.c
+++ b/vl.c
@@ -226,6 +226,7 @@ static struct {
 { .driver = "ide-hd",   .flag = _cdrom },
 { .driver = "ide-drive",.flag = _cdrom },
 { .driver = "scsi-cd",  .flag = _cdrom },
+{ .driver = "scsi-hd",  .flag = _cdrom },
 { .driver = "virtio-serial-pci",.flag = _virtcon   },
 { .driver = "virtio-serial",.flag = _virtcon   },
 { .driver = "VGA",  .flag = _vga   },
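Review bot: this is a user-visible behaviour change: a command line that passes -device scsi-hd and relied on the implicit empty CD-ROM drive silently loses that drive after this patch. The commit message says so, but it also deserves a changelog entry, since nothing in the table itself hints that scsi-hd now suppresses the default cdrom the same way ide-hd does.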
-- 
2.1.4




[Qemu-devel] [PATCH V2 0/4] hw/virtio: fix several PCI Express compliance issues

2017-02-20 Thread Marcel Apfelbaum
v1 -> v2:
  - Added compat properties (Michael S. Tsirkin)
  - Rebased on latest master
  - Regarding the patch 1/4, we don't need to init the PCI "standard"
    config capabilities to 0 since they are "protected" by the Capabilities
    List bit (bit 4) to indicate that the Capabilities Pointer is located
    at offset 34h.

Fix a few issues found while running WHQL tests:

 - Assertion 1F27399E-30B9-44BC-8908-D6E6F3836212: FAILED. Enhanced
   Capability Header register of the PCI Express Enhanced Capabilities
   Absent Indicator table must be read-only.

   Solved in patch 1/4

 - Assertion 47C39833-84AD-44EA-9723-0695202ADDEA: FAILED. Bit 0
   (Correctable Error Reporting Enable) in the Device Control register
   (offset 8h) in the PCI Express Capability table must be read-writable.
 - Assertion 5CBA2A63-A48E-4443-85FA-A7DCD8EA47BC: FAILED. Bit 1 (Non-Fatal
   Error Reporting Enable) in the Device Control register (offset 8h) in the
   PCI Express Capability table must be read-writable.
 - Assertion 0AB06F7C-59CB-4F9A-8363-B51B1ACAB54F: FAILED. Bit 2 (Fatal
   Error Reporting Enable) in the Device Control register (offset 8h) in the
   PCI Express Capability table must be read-writable.
 - Assertion E3834E4A-A7BD-410C-9A61-FA91770D2A71: FAILED. Bit 3 (Unsupported
   Request Reporting Enable) in the Device Control register (offset 8h) in the
   PCI Express Capability table must be read-writable.

   Solved in patch 2/4

 - Assertion 1587DC0B-FE59-494E-85B5-C2A59D0CC098: FAILED. Bit 6 (Common
   Clock Configuration) in the Link Control register (offset 10h) in the PCI
   Express Capability table must be read-writable.
 - Assertion 13DD25A3-07E4-4477-BE0F-2273BBB32174: FAILED. Bit 7 (Extended
   Synch) in the Link Control register (offset 10h) in the PCI Express
   Capability table must be read-writable.

   Solved in patch 3/4

 - AM Assertion 06779BD9-0C35-4CA1-9EB3-96E7DA9A74F8: FAILED. Bit range 1:0
   (PowerState) in the Power Management Control/Status register (offset 4h)
   in the Power Management Capability table is 0h. It must be 3h after a
   supported D3 transition.

Thanks,
Marcel

Marcel Apfelbaum (4):
  hw/pcie: fix Extended Configuration Space for devices with no Extended
Capabilities
  hw/virtio: fix error enabling flags in Device Control register
  hw/virtio: fix Link Control Register for PCI Express virtio devices
  hw/virtio: fix Power Management Control Register for PCI Express
virtio devices

 hw/pci/pci.c   |  2 ++
 hw/pci/pcie.c  | 20 
 hw/virtio/virtio-pci.c | 31 +++
 hw/virtio/virtio-pci.h | 12 
 include/hw/compat.h| 16 
 include/hw/pci/pci.h   |  2 ++
 include/hw/pci/pcie.h  |  5 +
 7 files changed, 88 insertions(+)

-- 
2.5.5




[Qemu-devel] [PULL 7/8] hw: xilinx-pcie: Add support for Xilinx AXI PCIe Controller

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

Add support for emulating the Xilinx AXI Root Port Bridge for PCI
Express as described by Xilinx' PG055 document. This is a PCIe
controller that can be used with certain series of Xilinx FPGAs, and is
used on the MIPS Boston board which will make use of this code.

Signed-off-by: Paul Burton 
[yongbok@imgtec.com:
  removed returning on !level,
  updated IRQ connection with GPIO logic,
  moved xilinx_pcie_init() to boston.c
  replaced stw_le_p() with pci_set_word()
  and other cosmetic changes]
Signed-off-by: Yongbok Kim 
---
 hw/pci-host/Makefile.objs |   1 +
 hw/pci-host/xilinx-pcie.c | 328 ++
 include/hw/pci-host/xilinx-pcie.h |  68 
 3 files changed, 397 insertions(+)
 create mode 100644 hw/pci-host/xilinx-pcie.c
 create mode 100644 include/hw/pci-host/xilinx-pcie.h

diff --git a/hw/pci-host/Makefile.objs b/hw/pci-host/Makefile.objs
index 45f1f0e..9c7909c 100644
--- a/hw/pci-host/Makefile.objs
+++ b/hw/pci-host/Makefile.objs
@@ -16,3 +16,4 @@ common-obj-$(CONFIG_FULONG) += bonito.o
 common-obj-$(CONFIG_PCI_PIIX) += piix.o
 common-obj-$(CONFIG_PCI_Q35) += q35.o
 common-obj-$(CONFIG_PCI_GENERIC) += gpex.o
+common-obj-$(CONFIG_PCI_XILINX) += xilinx-pcie.o
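Review bot: CONFIG_PCI_XILINX is referenced here but not set by this patch; it is only switched on in default-configs/mips64el-softmmu.mak by the Boston board patch (8/8), so between the two commits the controller is compiled nowhere. That is fine for a series, but mention the dependency in the commit message so a bisect landing here isn't mistaken for a build regression.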
diff --git a/hw/pci-host/xilinx-pcie.c b/hw/pci-host/xilinx-pcie.c
new file mode 100644
index 000..8b71e2d
--- /dev/null
+++ b/hw/pci-host/xilinx-pcie.c
@@ -0,0 +1,328 @@
+/*
+ * Xilinx PCIe host controller emulation.
+ *
+ * Copyright (c) 2016 Imagination Technologies
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "hw/pci/pci_bridge.h"
+#include "hw/pci-host/xilinx-pcie.h"
+
+enum root_cfg_reg {
+/* Interrupt Decode Register */
+ROOTCFG_INTDEC  = 0x138,
+
+/* Interrupt Mask Register */
+ROOTCFG_INTMASK = 0x13c,
+/* INTx Interrupt Received */
+#define ROOTCFG_INTMASK_INTX(1 << 16)
+/* MSI Interrupt Received */
+#define ROOTCFG_INTMASK_MSI (1 << 17)
+
+/* PHY Status/Control Register */
+ROOTCFG_PSCR= 0x144,
+/* Link Up */
+#define ROOTCFG_PSCR_LINK_UP(1 << 11)
+
+/* Root Port Status/Control Register */
+ROOTCFG_RPSCR   = 0x148,
+/* Bridge Enable */
+#define ROOTCFG_RPSCR_BRIDGEEN  (1 << 0)
+/* Interrupt FIFO Not Empty */
+#define ROOTCFG_RPSCR_INTNEMPTY (1 << 18)
+/* Interrupt FIFO Overflow */
+#define ROOTCFG_RPSCR_INTOVF(1 << 19)
+
+/* Root Port Interrupt FIFO Read Register 1 */
+ROOTCFG_RPIFR1  = 0x158,
+#define ROOTCFG_RPIFR1_INT_LANE_SHIFT   27
+#define ROOTCFG_RPIFR1_INT_ASSERT_SHIFT 29
+#define ROOTCFG_RPIFR1_INT_VALID_SHIFT  31
+/* Root Port Interrupt FIFO Read Register 2 */
+ROOTCFG_RPIFR2  = 0x15c,
+};
+
+static void xilinx_pcie_update_intr(XilinxPCIEHost *s,
+uint32_t set, uint32_t clear)
+{
+int level;
+
+s->intr |= set;
+s->intr &= ~clear;
+
+if (s->intr_fifo_r != s->intr_fifo_w) {
+s->intr |= ROOTCFG_INTMASK_INTX;
+}
+
+level = !!(s->intr & s->intr_mask);
+qemu_set_irq(s->irq, level);
+}
+
+static void xilinx_pcie_queue_intr(XilinxPCIEHost *s,
+   uint32_t fifo_reg1, uint32_t fifo_reg2)
+{
+XilinxPCIEInt *intr;
+unsigned int new_w;
+
+new_w = (s->intr_fifo_w + 1) % ARRAY_SIZE(s->intr_fifo);
+if (new_w == s->intr_fifo_r) {
+s->rpscr |= ROOTCFG_RPSCR_INTOVF;
+return;
+}
+
+intr = >intr_fifo[s->intr_fifo_w];
+s->intr_fifo_w = new_w;
+
+intr->fifo_reg1 = fifo_reg1;
+intr->fifo_reg2 = fifo_reg2;
+
+xilinx_pcie_update_intr(s, ROOTCFG_INTMASK_INTX, 0);
+}
+
+static void xilinx_pcie_set_irq(void *opaque, int irq_num, int level)
+{
+XilinxPCIEHost *s = XILINX_PCIE_HOST(opaque);
+
+xilinx_pcie_queue_intr(s,
+   (irq_num << ROOTCFG_RPIFR1_INT_LANE_SHIFT) |
+   (level << ROOTCFG_RPIFR1_INT_ASSERT_SHIFT) |
+   (1 << ROOTCFG_RPIFR1_INT_VALID_SHIFT),
+   0);
+}
+
+static void xilinx_pcie_host_realize(DeviceState *dev, Error **errp)
+{
+PCIHostState *pci = PCI_HOST_BRIDGE(dev);
+XilinxPCIEHost *s = XILINX_PCIE_HOST(dev);
+SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
+
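Review bot: in xilinx_pcie_queue_intr() the write index is advanced (s->intr_fifo_w = new_w) before fifo_reg1/fifo_reg2 of the new entry are stored; fill the entry first and publish the index afterwards so the FIFO is never observably non-empty with a half-written entry. On overflow the function sets ROOTCFG_RPSCR_INTOVF and returns without calling xilinx_pcie_update_intr(), so the guest only learns of dropped interrupts by polling RPSCR; confirm against PG055 whether the overflow condition should also raise the line. Finally, the #define constants nested inside enum root_cfg_reg compile but read oddly; hoisting them above the enum keeps the register-offset enum and the bit-field macros apart.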

[Qemu-devel] [PULL 3/8] hw/mips_gic: Update pin state on mask changes

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

If the GIC interrupt mask is changed by a write to the smask (set mask)
or rmask (reset mask) registers, we need to re-evaluate the state of the
pins/IRQs fed to the CPU. Without doing so we risk leaving a pin high
despite the interrupt that led to that state being masked, or losing
interrupts if an already pending interrupt is unmasked.

Signed-off-by: Paul Burton 
Reviewed-by: Leon Alrae 
Signed-off-by: Yongbok Kim 
---
 hw/intc/mips_gic.c | 56 ++
 1 file changed, 31 insertions(+), 25 deletions(-)

diff --git a/hw/intc/mips_gic.c b/hw/intc/mips_gic.c
index 6e25773..15e6e40 100644
--- a/hw/intc/mips_gic.c
+++ b/hw/intc/mips_gic.c
@@ -20,31 +20,29 @@
 #include "kvm_mips.h"
 #include "hw/intc/mips_gic.h"
 
-static void mips_gic_set_vp_irq(MIPSGICState *gic, int vp, int pin, int level)
+static void mips_gic_set_vp_irq(MIPSGICState *gic, int vp, int pin)
 {
-int ored_level = level;
+int ored_level = 0;
 int i;
 
 /* ORing pending registers sharing same pin */
-if (!ored_level) {
-for (i = 0; i < gic->num_irq; i++) {
-if ((gic->irq_state[i].map_pin & GIC_MAP_MSK) == pin &&
-gic->irq_state[i].map_vp == vp &&
-gic->irq_state[i].enabled) {
-ored_level |= gic->irq_state[i].pending;
-}
-if (ored_level) {
-/* no need to iterate all interrupts */
-break;
-}
+for (i = 0; i < gic->num_irq; i++) {
+if ((gic->irq_state[i].map_pin & GIC_MAP_MSK) == pin &&
+gic->irq_state[i].map_vp == vp &&
+gic->irq_state[i].enabled) {
+ored_level |= gic->irq_state[i].pending;
 }
-if (((gic->vps[vp].compare_map & GIC_MAP_MSK) == pin) &&
-(gic->vps[vp].mask & GIC_VP_MASK_CMP_MSK)) {
-/* ORing with local pending register (count/compare) */
-ored_level |= (gic->vps[vp].pend & GIC_VP_MASK_CMP_MSK) >>
-  GIC_VP_MASK_CMP_SHF;
+if (ored_level) {
+/* no need to iterate all interrupts */
+break;
 }
 }
+if (((gic->vps[vp].compare_map & GIC_MAP_MSK) == pin) &&
+(gic->vps[vp].mask & GIC_VP_MASK_CMP_MSK)) {
+/* ORing with local pending register (count/compare) */
+ored_level |= (gic->vps[vp].pend & GIC_VP_MASK_CMP_MSK) >>
+  GIC_VP_MASK_CMP_SHF;
+}
 if (kvm_enabled())  {
 kvm_mips_set_ipi_interrupt(mips_env_get_cpu(gic->vps[vp].env),
pin + GIC_CPU_PIN_OFFSET,
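Review bot: mips_gic_set_vp_irq() now always rescans all gic->num_irq sources to recompute the pin, and the mask-write paths further down call it once per bit of the written word, so a single 32-bit smask/rmask write costs up to 32 * num_irq iterations. Acceptable for now, but either say so in a comment or deduplicate by (vp, pin) before recomputing.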
@@ -55,21 +53,27 @@ static void mips_gic_set_vp_irq(MIPSGICState *gic, int vp, 
int pin, int level)
 }
 }
 
-static void gic_set_irq(void *opaque, int n_IRQ, int level)
+static void gic_update_pin_for_irq(MIPSGICState *gic, int n_IRQ)
 {
-MIPSGICState *gic = (MIPSGICState *) opaque;
 int vp = gic->irq_state[n_IRQ].map_vp;
 int pin = gic->irq_state[n_IRQ].map_pin & GIC_MAP_MSK;
 
+if (vp < 0 || vp >= gic->num_vps) {
+return;
+}
+mips_gic_set_vp_irq(gic, vp, pin);
+}
+
+static void gic_set_irq(void *opaque, int n_IRQ, int level)
+{
+MIPSGICState *gic = (MIPSGICState *) opaque;
+
 gic->irq_state[n_IRQ].pending = (uint8_t) level;
 if (!gic->irq_state[n_IRQ].enabled) {
 /* GIC interrupt source disabled */
 return;
 }
-if (vp < 0 || vp >= gic->num_vps) {
-return;
-}
-mips_gic_set_vp_irq(gic, vp, pin, level);
+gic_update_pin_for_irq(gic, n_IRQ);
 }
 
 #define OFFSET_CHECK(c) \
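Review bot: gic_update_pin_for_irq() silently returns when map_vp is out of range, which is the right guard for a source that was never mapped, while gic_set_irq() still latches the pending level for such a source; that matches the old behaviour, but a comment saying "pending is recorded even for unmapped or disabled sources and re-evaluated when they are mapped or enabled" would explain why the early return is safe.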
@@ -209,7 +213,7 @@ static void gic_timer_store_vp_compare(MIPSGICState *gic, 
uint32_t vp_index,
 gic->vps[vp_index].pend &= ~(1 << GIC_LOCAL_INT_COMPARE);
 if (gic->vps[vp_index].compare_map & GIC_MAP_TO_PIN_MSK) {
 uint32_t pin = (gic->vps[vp_index].compare_map & GIC_MAP_MSK);
-mips_gic_set_vp_irq(gic, vp_index, pin, 0);
+mips_gic_set_vp_irq(gic, vp_index, pin);
 }
 mips_gictimer_store_vp_compare(gic->gic_timer, vp_index, compare);
 }
@@ -286,6 +290,7 @@ static void gic_write(void *opaque, hwaddr addr, uint64_t 
data, unsigned size)
 OFFSET_CHECK((base + size * 8) <= gic->num_irq);
 for (i = 0; i < size * 8; i++) {
 gic->irq_state[base + i].enabled &= !((data >> i) & 1);
+gic_update_pin_for_irq(gic, base + i);
 }
 break;
 case GIC_SH_WEDGE_OFS:
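Review bot: gic_update_pin_for_irq() is invoked for every one of the size * 8 sources, including those whose bit in data is clear and whose enable state therefore did not change; gating the call on `(data >> i) & 1` avoids a full num_irq scan for untouched sources.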
@@ -305,6 +310,7 @@ static void gic_write(void *opaque, hwaddr addr, uint64_t 
data, unsigned size)
 OFFSET_CHECK((base + size * 8) <= gic->num_irq);
 for (i = 0; i < size * 8; i++) {
 gic->irq_state[base + i].enabled |= (data >> i) & 1;
+gic_update_pin_for_irq(gic, base + i);
 }
 break;
 case GIC_SH_MAP0_PIN_OFS 
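Review bot: same pattern as the rmask case above: the update runs for all size * 8 sources regardless of whether data actually set their enable bit; restricting it to `if ((data >> i) & 1)` keeps the cost proportional to the bits that changed.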

[Qemu-devel] [PULL 8/8] hw/mips: MIPS Boston board support

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

Introduce support for emulating the MIPS Boston development board. The
Boston board is built around an FPGA & 3 PCIe controllers, one of which
is connected to an Intel EG20T Platform Controller Hub. It is used
during the development & debug of new CPUs and the software intended to
run on them, and is essentially the successor to the older MIPS Malta
board.

This patch does not implement the EG20T, instead connecting an already
supported ICH-9 AHCI controller. Whilst this isn't accurate it's enough
for typical stock Boston software (eg. Linux kernels) to work with hard
disks given that both the ICH-9 & EG20T implement the AHCI
specification.

Boston boards typically boot kernels in the FIT image format, and this
patch will treat kernels provided to QEMU as such. When loading a kernel
directly, the board code will generate minimal firmware much as the
Malta board code does. This firmware will set up the CM, CPC & GIC
register base addresses then set argument registers & jump to the kernel
entry point. Alternatively, bootloader code may be loaded using the bios
argument in which case no firmware will be generated & execution will
proceed from the start of the boot code at the default MIPS boot
exception vector (offset 0x1fc0 into (c)kseg1).

Currently real Boston boards are always used with FPGA bitfiles that
include a Global Interrupt Controller (GIC), so the interrupt
configuration is only defined for such cases. Therefore the board will
only allow use of CPUs which implement the CPS components, including the
GIC, and will otherwise exit with a message.

Signed-off-by: Paul Burton 
Reviewed-by: Yongbok Kim 
[yongbok@imgtec.com:
  isolated boston machine support for mips64el.
  updated for recent Chardev changes.
  ignore missing bios/kernel for qtest.]
Signed-off-by: Yongbok Kim 
---
 configure|   2 +-
 default-configs/mips64el-softmmu.mak |   2 +
 hw/mips/Makefile.objs|   1 +
 hw/mips/boston.c | 576 +++
 4 files changed, 580 insertions(+), 1 deletion(-)
 create mode 100644 hw/mips/boston.c

diff --git a/configure b/configure
index 4b68861..8e8f18d 100755
--- a/configure
+++ b/configure
@@ -3378,7 +3378,7 @@ fi
 fdt_required=no
 for target in $target_list; do
   case $target in
-aarch64*-softmmu|arm*-softmmu|ppc*-softmmu|microblaze*-softmmu)
+
aarch64*-softmmu|arm*-softmmu|ppc*-softmmu|microblaze*-softmmu|mips64el-softmmu)
   fdt_required=yes
 ;;
   esac
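Review bot: only mips64el-softmmu is added to the fdt_required list, which matches the default-configs change for the little-endian target; if Boston is ever enabled for mips64-softmmu this pattern must be extended in the same commit, because the board code includes sysemu/device_tree.h and libfdt unconditionally.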
diff --git a/default-configs/mips64el-softmmu.mak 
b/default-configs/mips64el-softmmu.mak
index 485e218..cc5f3b3 100644
--- a/default-configs/mips64el-softmmu.mak
+++ b/default-configs/mips64el-softmmu.mak
@@ -10,3 +10,5 @@ CONFIG_JAZZ=y
 CONFIG_G364FB=y
 CONFIG_JAZZ_LED=y
 CONFIG_VT82C686=y
+CONFIG_MIPS_BOSTON=y
+CONFIG_PCI_XILINX=y
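Review bot: CONFIG_PCI_XILINX=y is the only thing that pulls hw/pci-host/xilinx-pcie.o into the build, and nothing expresses that CONFIG_MIPS_BOSTON depends on it; a config with the board enabled but the controller disabled compiles and then fails at link time. A comment tying the two lines together would help until a real dependency mechanism exists.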
diff --git a/hw/mips/Makefile.objs b/hw/mips/Makefile.objs
index 9352a1c..48cd2ef 100644
--- a/hw/mips/Makefile.objs
+++ b/hw/mips/Makefile.objs
@@ -4,3 +4,4 @@ obj-$(CONFIG_JAZZ) += mips_jazz.o
 obj-$(CONFIG_FULONG) += mips_fulong2e.o
 obj-y += gt64xxx_pci.o
 obj-$(CONFIG_MIPS_CPS) += cps.o
+obj-$(CONFIG_MIPS_BOSTON) += boston.o
diff --git a/hw/mips/boston.c b/hw/mips/boston.c
new file mode 100644
index 000..560c8b4
--- /dev/null
+++ b/hw/mips/boston.c
@@ -0,0 +1,576 @@
+/*
+ * MIPS Boston development board emulation.
+ *
+ * Copyright (c) 2016 Imagination Technologies
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "qemu-common.h"
+
+#include "exec/address-spaces.h"
+#include "hw/boards.h"
+#include "hw/char/serial.h"
+#include "hw/hw.h"
+#include "hw/ide/pci.h"
+#include "hw/ide/ahci.h"
+#include "hw/loader.h"
+#include "hw/loader-fit.h"
+#include "hw/mips/cps.h"
+#include "hw/mips/cpudevs.h"
+#include "hw/pci-host/xilinx-pcie.h"
+#include "qapi/error.h"
+#include "qemu/cutils.h"
+#include "qemu/error-report.h"
+#include "qemu/log.h"
+#include "sysemu/char.h"
+#include "sysemu/device_tree.h"
+#include "sysemu/sysemu.h"
+#include "sysemu/qtest.h"
+
+#include 
+
+#define TYPE_MIPS_BOSTON "mips-boston"
+#define BOSTON(obj) OBJECT_CHECK(BostonState, (obj), TYPE_MIPS_BOSTON)
+
+typedef struct {
+SysBusDevice parent_obj;
+
+

[Qemu-devel] [PULL 1/8] hw/mips_cmgcr: allow GCR base to be moved

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

Support moving the GCR base address & updating the CPU's CP0 CMGCRBase
register appropriately. This is required if a platform needs to move its
GCRs away from other memory, as the MIPS Boston development board does
to avoid its flash memory.

Signed-off-by: Paul Burton 
Reviewed-by: Leon Alrae 
Signed-off-by: Yongbok Kim 
---
 hw/misc/mips_cmgcr.c | 17 +
 include/hw/misc/mips_cmgcr.h |  3 +++
 2 files changed, 20 insertions(+)

diff --git a/hw/misc/mips_cmgcr.c b/hw/misc/mips_cmgcr.c
index b3ba166..a1edb53 100644
--- a/hw/misc/mips_cmgcr.c
+++ b/hw/misc/mips_cmgcr.c
@@ -29,6 +29,20 @@ static inline bool is_gic_connected(MIPSGCRState *s)
 return s->gic_mr != NULL;
 }
 
+static inline void update_gcr_base(MIPSGCRState *gcr, uint64_t val)
+{
+CPUState *cpu;
+MIPSCPU *mips_cpu;
+
+gcr->gcr_base = val & GCR_BASE_GCRBASE_MSK;
+memory_region_set_address(>iomem, gcr->gcr_base);
+
+CPU_FOREACH(cpu) {
+mips_cpu = MIPS_CPU(cpu);
+mips_cpu->env.CP0_CMGCRBase = gcr->gcr_base >> 4;
+}
+}
+
 static inline void update_cpc_base(MIPSGCRState *gcr, uint64_t val)
 {
 if (is_cpc_connected(gcr)) {
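Review bot: update_gcr_base() accepts any guest-written value masked by GCR_BASE_GCRBASE_MSK and immediately calls memory_region_set_address() from inside the region's own write handler, with no check that the new window avoids RAM, the GIC or the CPC regions. Real hardware lets software relocate the block too, so refusing is probably wrong, but a comment that overlap is the guest's responsibility and that the move takes effect for subsequent accesses only would preempt the question. The CPU_FOREACH loop with an unconditional MIPS_CPU() cast also assumes a MIPS-only machine, which holds here but is worth stating.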
@@ -117,6 +131,9 @@ static void gcr_write(void *opaque, hwaddr addr, uint64_t 
data, unsigned size)
 MIPSGCRVPState *other_vps = >vps[current_vps->other];
 
 switch (addr) {
+case GCR_BASE_OFS:
+update_gcr_base(gcr, data);
+break;
 case GCR_GIC_BASE_OFS:
 update_gic_base(gcr, data);
 break;
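Review bot: the write side now handles GCR_BASE_OFS, but the corresponding read is not in the diff; confirm gcr_read() returns the masked gcr->gcr_base so software reads back exactly the value CP0_CMGCRBase was derived from, otherwise a relocate-then-verify sequence in firmware will fail.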
diff --git a/include/hw/misc/mips_cmgcr.h b/include/hw/misc/mips_cmgcr.h
index a209d91..c9dfcb4 100644
--- a/include/hw/misc/mips_cmgcr.h
+++ b/include/hw/misc/mips_cmgcr.h
@@ -41,6 +41,9 @@
 #define GCR_L2_CONFIG_BYPASS_SHF20
 #define GCR_L2_CONFIG_BYPASS_MSK((0x1ULL) << GCR_L2_CONFIG_BYPASS_SHF)
 
+/* GCR_BASE register fields */
+#define GCR_BASE_GCRBASE_MSK 0x8000ULL
+
 /* GCR_GIC_BASE register fields */
 #define GCR_GIC_BASE_GICEN_MSK   1
 #define GCR_GIC_BASE_GICBASE_MSK 0xFFFEULL
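Review bot: GCR_BASE_GCRBASE_MSK is consumed as `gcr->gcr_base >> 4` to form CP0_CMGCRBase, so the mask should keep bit 15 and everything above it (the GCR block is 32 KiB aligned) and clear the low bits; the literal as rendered here reads 0x8000ULL, which is bit 15 alone, so double-check that the intended value survived. A comment naming the CM register field (GCR_BASE.GCRBASE) beside the define would also help.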
-- 
2.7.4




[Qemu-devel] [PULL 0/8] target-mips queue

2017-02-20 Thread Yongbok Kim
Hi,

This is pull-req for target-mips.

Regards,
Yongbok

The following changes since commit 56f9e46b841c7be478ca038d8d4085d776ab4b0d:

  Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-02-20' into 
staging (2017-02-20 17:42:47 +)

are available in the git repository at:

  git://github.com/yongbok/upstream-qemu.git tags/mips-20170220

for you to fetch changes up to 0a1fdcc94338ea12f7deba71e795c01989152752:

  hw/mips: MIPS Boston board support (2017-02-20 19:37:28 +)


MIPS patches 2017-02-20

Changes:
* Add MIPS Boston board support



Paul Burton (8):
  hw/mips_cmgcr: allow GCR base to be moved
  hw/mips_gictimer: provide API for retrieving frequency
  hw/mips_gic: Update pin state on mask changes
  target-mips: Provide function to test if a CPU supports an ISA
  dtc: Update requirement to v1.4.2
  loader: Support Flattened Image Trees (FIT images)
  hw: xilinx-pcie: Add support for Xilinx AXI PCIe Controller
  hw/mips: MIPS Boston board support

 configure|   8 +-
 default-configs/mips64el-softmmu.mak |   2 +
 dtc  |   2 +-
 hw/core/Makefile.objs|   1 +
 hw/core/loader-fit.c | 325 
 hw/core/loader.c |   7 +-
 hw/intc/mips_gic.c   |  56 ++--
 hw/mips/Makefile.objs|   1 +
 hw/mips/boston.c | 576 +++
 hw/misc/mips_cmgcr.c |  17 ++
 hw/pci-host/Makefile.objs|   1 +
 hw/pci-host/xilinx-pcie.c| 328 
 hw/timer/mips_gictimer.c |   5 +
 include/hw/loader-fit.h  |  41 +++
 include/hw/loader.h  |   6 +
 include/hw/misc/mips_cmgcr.h |   3 +
 include/hw/pci-host/xilinx-pcie.h|  68 +
 include/hw/timer/mips_gictimer.h |   1 +
 target/mips/cpu.h|   1 +
 target/mips/translate.c  |  10 +
 20 files changed, 1423 insertions(+), 36 deletions(-)
 create mode 100644 hw/core/loader-fit.c
 create mode 100644 hw/mips/boston.c
 create mode 100644 hw/pci-host/xilinx-pcie.c
 create mode 100644 include/hw/loader-fit.h
 create mode 100644 include/hw/pci-host/xilinx-pcie.h

-- 
2.7.4




[Qemu-devel] [PULL 6/8] loader: Support Flattened Image Trees (FIT images)

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

Introduce support for loading Flattened Image Trees, as used by modern
U-Boot. FIT images are essentially flattened device tree files which
contain binary images such as kernels, FDTs or ramdisks along with one
or more configuration nodes describing boot configurations.

The MIPS Boston board typically boots kernels in the form of FIT images,
and will make use of this code.

Signed-off-by: Paul Burton 
[yongbok@imgtec.com: fixed potential memory leaks]
Signed-off-by: Yongbok Kim 
---
 hw/core/Makefile.objs   |   1 +
 hw/core/loader-fit.c| 325 
 hw/core/loader.c|   7 +-
 include/hw/loader-fit.h |  41 ++
 include/hw/loader.h |   6 +
 5 files changed, 374 insertions(+), 6 deletions(-)
 create mode 100644 hw/core/loader-fit.c
 create mode 100644 include/hw/loader-fit.h

diff --git a/hw/core/Makefile.objs b/hw/core/Makefile.objs
index 7f8c9dc..ff59512 100644
--- a/hw/core/Makefile.objs
+++ b/hw/core/Makefile.objs
@@ -13,6 +13,7 @@ common-obj-$(CONFIG_PTIMER) += ptimer.o
 common-obj-$(CONFIG_SOFTMMU) += sysbus.o
 common-obj-$(CONFIG_SOFTMMU) += machine.o
 common-obj-$(CONFIG_SOFTMMU) += loader.o
+common-obj-$(CONFIG_SOFTMMU) += loader-fit.o
 common-obj-$(CONFIG_SOFTMMU) += qdev-properties-system.o
 common-obj-$(CONFIG_SOFTMMU) += register.o
 common-obj-$(CONFIG_SOFTMMU) += or-irq.o
diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
new file mode 100644
index 000..4ddd35e
--- /dev/null
+++ b/hw/core/loader-fit.c
@@ -0,0 +1,325 @@
+/*
+ * Flattened Image Tree loader.
+ *
+ * Copyright (c) 2016 Imagination Technologies
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see .
+ */
+
+#include "qemu/osdep.h"
+#include "exec/address-spaces.h"
+#include "exec/memory.h"
+#include "hw/loader.h"
+#include "hw/loader-fit.h"
+#include "qemu/cutils.h"
+#include "qemu/error-report.h"
+#include "sysemu/device_tree.h"
+#include "sysemu/sysemu.h"
+
+#include 
+#include 
+
+#define FIT_LOADER_MAX_PATH (128)
+
+static const void *fit_load_image_alloc(const void *itb, const char *name,
+int *poff, size_t *psz)
+{
+const void *data;
+const char *comp;
+void *uncomp_data;
+char path[FIT_LOADER_MAX_PATH];
+int off, sz;
+ssize_t uncomp_len;
+
+snprintf(path, sizeof(path), "/images/%s", name);
+
+off = fdt_path_offset(itb, path);
+if (off < 0) {
+return NULL;
+}
+if (poff) {
+*poff = off;
+}
+
+data = fdt_getprop(itb, off, "data", );
+if (!data) {
+return NULL;
+}
+
+comp = fdt_getprop(itb, off, "compression", NULL);
+if (!comp || !strcmp(comp, "none")) {
+if (psz) {
+*psz = sz;
+}
+uncomp_data = g_malloc(sz);
+memmove(uncomp_data, data, sz);
+return uncomp_data;
+}
+
+if (!strcmp(comp, "gzip")) {
+uncomp_len = UBOOT_MAX_GUNZIP_BYTES;
+uncomp_data = g_malloc(uncomp_len);
+
+uncomp_len = gunzip(uncomp_data, uncomp_len, (void *) data, sz);
+if (uncomp_len < 0) {
+error_printf("unable to decompress %s image\n", name);
+g_free(uncomp_data);
+return NULL;
+}
+
+data = g_realloc(uncomp_data, uncomp_len);
+if (psz) {
+*psz = uncomp_len;
+}
+return data;
+}
+
+error_printf("unknown compression '%s'\n", comp);
+return NULL;
+}
+
+static int fit_image_addr(const void *itb, int img, const char *name,
+  hwaddr *addr)
+{
+const void *prop;
+int len;
+
+prop = fdt_getprop(itb, img, name, );
+if (!prop) {
+return -ENOENT;
+}
+
+switch (len) {
+case 4:
+*addr = fdt32_to_cpu(*(fdt32_t *)prop);
+return 0;
+case 8:
+*addr = fdt64_to_cpu(*(fdt64_t *)prop);
+return 0;
+default:
+error_printf("invalid %s address length %d\n", name, len);
+return -EINVAL;
+}
+}
+
+static int fit_load_kernel(const struct fit_loader *ldr, const void *itb,
+   int cfg, void *opaque, hwaddr *pend)
+{
+const char *name;
+const void *data;
+const void *load_data;
+hwaddr load_addr, entry_addr;
+int img_off, err;
+
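Review bot: fit_image_addr() reads the 8-byte case through a fdt64_t pointer, but FDT property data is only guaranteed 4-byte aligned, so this is an unaligned 64-bit load on strict hosts; copy the bytes out with memcpy (or use ldq_be_p) before converting. In fit_load_image_alloc(), the snprintf into the 128-byte path buffer truncates silently for long image names and then looks up a different node; check the return value against sizeof(path) and fail. The gzip branch allocates UBOOT_MAX_GUNZIP_BYTES up front and shrinks with g_realloc, which is fine, while the "none" branch uses sz straight from the tree; fdt_getprop() already bounds it by the blob, so a comment saying so would make the absence of a further check obviously intentional.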

[Qemu-devel] [PULL 5/8] dtc: Update requirement to v1.4.2

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

In order to obtain fdt_first_subnode & fdt_next_subnode symbols from
libfdt for use by a later patch, bump the requirement for dtc to v1.4.2
& the submodule to that same version.

Signed-off-by: Paul Burton 
Reviewed-by: Yongbok Kim 
Signed-off-by: Yongbok Kim 
---
 configure | 6 +++---
 dtc   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 1c9655e..4b68861 100755
--- a/configure
+++ b/configure
@@ -3396,11 +3396,11 @@ fi
 if test "$fdt" != "no" ; then
   fdt_libs="-lfdt"
   # explicitly check for libfdt_env.h as it is missing in some stable installs
-  # and test for required functions to make sure we are on a version >= 1.4.0
+  # and test for required functions to make sure we are on a version >= 1.4.2
   cat > $TMPC << EOF
 #include 
 #include 
-int main(void) { fdt_get_property_by_offset(0, 0, 0); return 0; }
+int main(void) { fdt_first_subnode(0, 0); return 0; }
 EOF
   if compile_prog "" "$fdt_libs" ; then
 # system DTC is good - use it
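Review bot: the probe program only needs to compile and link, and compile_prog tests exactly that, so calling fdt_first_subnode(0, 0) with a NULL blob is fine; say in the comment that this is a link-time symbol check, otherwise someone may "fix" the obviously invalid arguments or wonder why the program is never run.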
@@ -3418,7 +3418,7 @@ EOF
 fdt_libs="-L\$(BUILD_DIR)/dtc/libfdt $fdt_libs"
   elif test "$fdt" = "yes" ; then
 # have neither and want - prompt for system/submodule install
-error_exit "DTC (libfdt) version >= 1.4.0 not present. Your options:" \
+error_exit "DTC (libfdt) version >= 1.4.2 not present. Your options:" \
 "  (1) Preferred: Install the DTC (libfdt) devel package" \
 "  (2) Fetch the DTC submodule, using:" \
 "  git submodule update --init dtc"
diff --git a/dtc b/dtc
index 65cc4d2..ec02b34 16
--- a/dtc
+++ b/dtc
@@ -1 +1 @@
-Subproject commit 65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf
+Subproject commit ec02b34c05be04f249ffaaca4b666f5246877dea
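Review bot: the commit message says the submodule moves to v1.4.2, but the hunk only shows the raw hash ec02b34c05be04f249ffaaca4b666f5246877dea; adding the tag name beside it in the message (or `git describe` output) lets a reviewer confirm the pointer matches the tag without cloning the submodule.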
-- 
2.7.4




[Qemu-devel] [PULL 4/8] target-mips: Provide function to test if a CPU supports an ISA

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

Provide a new cpu_supports_isa function which allows callers to
determine whether a CPU supports one of the ISA_ flags, by testing
whether the associated struct mips_def_t sets the ISA flags in its
insn_flags field.

An example use of this is to allow boards which generate bootloader code
to determine the properties of the CPU that will be used, for example
whether the CPU is 64 bit or which architecture revision it implements.

Signed-off-by: Paul Burton 
Reviewed-by: Leon Alrae 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Yongbok Kim 
---
 target/mips/cpu.h   |  1 +
 target/mips/translate.c | 10 ++
 2 files changed, 11 insertions(+)

diff --git a/target/mips/cpu.h b/target/mips/cpu.h
index e1c78f5..4a4747a 100644
--- a/target/mips/cpu.h
+++ b/target/mips/cpu.h
@@ -815,6 +815,7 @@ int cpu_mips_signal_handler(int host_signum, void *pinfo, 
void *puc);
 
 #define cpu_init(cpu_model) CPU(cpu_mips_init(cpu_model))
 bool cpu_supports_cps_smp(const char *cpu_model);
+bool cpu_supports_isa(const char *cpu_model, unsigned int isa);
 void cpu_set_exception_base(int vp_index, target_ulong address);
 
 /* TODO QOM'ify CPU reset and remove */
diff --git a/target/mips/translate.c b/target/mips/translate.c
index 7f8ecf4..8b4a072 100644
--- a/target/mips/translate.c
+++ b/target/mips/translate.c
@@ -20233,6 +20233,16 @@ bool cpu_supports_cps_smp(const char *cpu_model)
 return (def->CP0_Config3 & (1 << CP0C3_CMGCR)) != 0;
 }
 
+bool cpu_supports_isa(const char *cpu_model, unsigned int isa)
+{
+const mips_def_t *def = cpu_mips_find_by_name(cpu_model);
+if (!def) {
+return false;
+}
+
+return (def->insn_flags & isa) != 0;
+}
+
 void cpu_set_exception_base(int vp_index, target_ulong address)
 {
 MIPSCPU *vp = MIPS_CPU(qemu_get_cpu(vp_index));
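Review bot: `(def->insn_flags & isa) != 0` gives "any bit set" semantics, so a caller passing a combination of ISA_ flags gets true when the CPU implements any one of them rather than all; either document that contract next to the prototype or use `(def->insn_flags & isa) == isa` if "supports every requested ISA" is what callers expect.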
-- 
2.7.4




[Qemu-devel] [PULL 2/8] hw/mips_gictimer: provide API for retrieving frequency

2017-02-20 Thread Yongbok Kim
From: Paul Burton 

Provide a new function mips_gictimer_get_freq() which returns the
frequency at which a GIC timer will count. This will be useful for
boards which perform setup based upon this frequency.

Signed-off-by: Paul Burton 
Reviewed-by: Leon Alrae 
Reviewed-by: Philippe Mathieu-Daudé 
Signed-off-by: Yongbok Kim 
---
 hw/timer/mips_gictimer.c | 5 +
 include/hw/timer/mips_gictimer.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/hw/timer/mips_gictimer.c b/hw/timer/mips_gictimer.c
index 3698889..f5c5806 100644
--- a/hw/timer/mips_gictimer.c
+++ b/hw/timer/mips_gictimer.c
@@ -14,6 +14,11 @@
 
 #define TIMER_PERIOD 10 /* 10 ns period for 100 Mhz frequency */
 
+uint32_t mips_gictimer_get_freq(MIPSGICTimerState *gic)
+{
+return NANOSECONDS_PER_SECOND / TIMER_PERIOD;
+}
+
 static void gic_vptimer_update(MIPSGICTimerState *gictimer,
uint32_t vp_index, uint64_t now)
 {
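Review bot: `gic` is unused in `mips_gictimer_get_freq()` and the value is derived from the compile-time `TIMER_PERIOD`, so every instance reports the same frequency; if that is intended, say so in a comment, and guard the division with `QEMU_BUILD_BUG_ON(NANOSECONDS_PER_SECOND % TIMER_PERIOD != 0)` so a later period change cannot silently truncate the result.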
diff --git a/include/hw/timer/mips_gictimer.h b/include/hw/timer/mips_gictimer.h
index c8bc5d2..c7ca6c8 100644
--- a/include/hw/timer/mips_gictimer.h
+++ b/include/hw/timer/mips_gictimer.h
@@ -31,6 +31,7 @@ struct MIPSGICTimerState {
 MIPSGICTimerCB *cb;
 };
 
+uint32_t mips_gictimer_get_freq(MIPSGICTimerState *gic);
 uint32_t mips_gictimer_get_sh_count(MIPSGICTimerState *gic);
 void mips_gictimer_store_sh_count(MIPSGICTimerState *gic, uint64_t count);
 uint32_t mips_gictimer_get_vp_compare(MIPSGICTimerState *gictimer,
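Review bot: the new prototype carries no unit; a `/* in Hz */` next to the declaration would save readers a trip to the .c file to find out what the uint32_t means.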
-- 
2.7.4




Re: [Qemu-devel] [PATCH v8 4/8] ACPI: Add Virtual Machine Generation ID support

2017-02-20 Thread Dr. David Alan Gilbert
* Eric Blake (ebl...@redhat.com) wrote:
> On 02/20/2017 04:23 AM, Dr. David Alan Gilbert wrote:
> > * Laszlo Ersek (ler...@redhat.com) wrote:
> >> CC Dave
> > 
> > This isn't an area I really understand; but if I'm
> > reading this right then 
> >vmgenid is stored in fw_cfg?
> >fw_cfg isn't migrated
> > 
> > So why should any changes to it get migrated, except if it's already
> > been read by the guest (and if the guest reads it again afterwards what's
> > it expected to read?)
> 
> Why are we expecting it to change on migration?  You want a new value

I'm not; I was asking why a change made prior to migration would be
preserved across migration.


> when you load state from disk (you don't know how many times the same
> state has been loaded previously, so each load is effectively forking
> the VM and you want a different value), but for a single live migration,
> you aren't forking the VM and don't need a new generation ID.
> 
> I guess it all boils down to what command line you're using: if libvirt
> is driving a live migration, it will request the same UUID in the
> command line of the destination as what is on the source; while if
> libvirt is loading from a [managed]save to restore state from a file, it
> will either request a new UUID directly or request auto to let qemu
> generate the new id.

Hmm now I've lost it a bit; I thought we would preserve the value
transmitted from the source, not the value on the command line of the 
destination.

Dave

> 
> -- 
> Eric Blake   eblake redhat com+1-919-301-3266
> Libvirt virtualization library http://libvirt.org
> 



--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK



Re: [Qemu-devel] [PATCH 23/24] util/cutils: Change qemu_strtosz*() from int64_t to uint64_t

2017-02-20 Thread Dr. David Alan Gilbert
* Markus Armbruster (arm...@redhat.com) wrote:
> This will permit its use in parse_option_size().
> 
> Cc: Dr. David Alan Gilbert 
> Cc: Eduardo Habkost  (maintainer:X86)
> Cc: Kevin Wolf  (supporter:Block layer core)
> Cc: Max Reitz  (supporter:Block layer core)
> Cc: qemu-bl...@nongnu.org (open list:Block layer core)
> Signed-off-by: Markus Armbruster 
> ---
>  hmp.c |  5 +++--
>  hw/misc/ivshmem.c |  2 +-
>  include/qemu/cutils.h |  6 +++---
>  monitor.c |  4 ++--
>  qapi/opts-visitor.c   |  6 ++
>  qemu-img.c|  5 -
>  qemu-io-cmds.c|  5 -
>  target/i386/cpu.c |  4 ++--
>  tests/test-cutils.c   | 40 
>  util/cutils.c | 14 +-
>  10 files changed, 50 insertions(+), 41 deletions(-)
> 
> diff --git a/hmp.c b/hmp.c
> index 9846fa4..5b9e461 100644
> --- a/hmp.c
> +++ b/hmp.c
> @@ -1338,7 +1338,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const 
> QDict *qdict)
>  {
>  const char *param = qdict_get_str(qdict, "parameter");
>  const char *valuestr = qdict_get_str(qdict, "value");
> -int64_t valuebw = 0;
> +uint64_t valuebw = 0;
>  long valueint = 0;
>  Error *err = NULL;
>  bool use_int_value = false;
> @@ -1379,7 +1379,8 @@ void hmp_migrate_set_parameter(Monitor *mon, const 
> QDict *qdict)
>  case MIGRATION_PARAMETER_MAX_BANDWIDTH:
>  p.has_max_bandwidth = true;
>  ret = qemu_strtosz_mebi(valuestr, NULL, );
> -if (ret < 0 || (size_t)valuebw != valuebw) {
> +if (ret < 0 || valuebw > INT64_MAX
> +|| (size_t)valuebw != valuebw) {

We should probably just turn all of the parameters into size_t's - although
that's more work and there's some int64_t's in qemu_file for no good reason.

>  error_setg(, "Invalid size %s", valuestr);
>  goto cleanup;
>  }
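Review bot: in `if (ret < 0 || valuebw > INT64_MAX || (size_t)valuebw != valuebw)` the two range guards overlap: on LP64 hosts the `size_t` comparison can never fail once `valuebw` is a uint64_t, so only `valuebw > INT64_MAX` does anything there; a short comment saying which destination type each guard protects (the signed QAPI parameter vs. a 32-bit host's size_t) would stop the second one from being removed as dead code later.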
> diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
> index 3dc04f4..ba0cc22 100644
> --- a/hw/misc/ivshmem.c
> +++ b/hw/misc/ivshmem.c
> @@ -1268,7 +1268,7 @@ static void ivshmem_realize(PCIDevice *dev, Error 
> **errp)
>  s->legacy_size = 4 << 20; /* 4 MB default */
>  } else {
>  int ret;
> -int64_t size;
> +uint64_t size;
>  
>  ret = qemu_strtosz_mebi(s->sizearg, NULL, );
>  if (ret < 0 || (size_t)size != size || !is_power_of_2(size)) {
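Review bot: with `size` now uint64_t, `(size_t)size != size` is a no-op on 64-bit hosts and only guards 32-bit builds; keep it, but comment it as a 32-bit-host guard so the next reader does not mistake it for a leftover from the signed version.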
> diff --git a/include/qemu/cutils.h b/include/qemu/cutils.h
> index c91649b..476d274 100644
> --- a/include/qemu/cutils.h
> +++ b/include/qemu/cutils.h
> @@ -139,9 +139,9 @@ int parse_uint(const char *s, unsigned long long *value, 
> char **endptr,
> int base);
>  int parse_uint_full(const char *s, unsigned long long *value, int base);
>  
> -int qemu_strtosz(const char *nptr, char **end, int64_t *result);
> -int qemu_strtosz_mebi(const char *nptr, char **end, int64_t *result);
> -int qemu_strtosz_metric(const char *nptr, char **end, int64_t *result);
> +int qemu_strtosz(const char *nptr, char **end, uint64_t *result);
> +int qemu_strtosz_mebi(const char *nptr, char **end, uint64_t *result);
> +int qemu_strtosz_metric(const char *nptr, char **end, uint64_t *result);
>  
>  #define K_BYTE (1ULL << 10)
>  #define M_BYTE (1ULL << 20)
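Review bot: the out-parameter becomes `uint64_t *result` here but nothing in the header says that `*result` receives the full unsigned magnitude and that callers must still range-check against their own destination type, which is exactly what hmp.c and monitor.c now do by hand; one sentence above the three prototypes would make that contract explicit.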
> diff --git a/monitor.c b/monitor.c
> index 85b1b61..1008ced 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -2774,7 +2774,7 @@ static QDict *monitor_parse_arguments(Monitor *mon,
>  case 'o':
>  {
>  int ret;
> -int64_t val;
> +uint64_t val;
>  char *end;
>  
>  while (qemu_isspace(*p)) {
> @@ -2787,7 +2787,7 @@ static QDict *monitor_parse_arguments(Monitor *mon,
>  }
>  }
>  ret = qemu_strtosz_mebi(p, , );
> -if (ret < 0) {
> +if (ret < 0 || val > INT64_MAX) {
>  monitor_printf(mon, "invalid size\n");
>  goto fail;
>  }
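Review bot: `if (ret < 0 || val > INT64_MAX)` reports both a parse failure and an out-of-range value as "invalid size"; a separate message for the `val > INT64_MAX` case (e.g. "size too large") would tell users which of the two they hit.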
> diff --git a/qapi/opts-visitor.c b/qapi/opts-visitor.c
> index aac2e09..a0a7c0e 100644
> --- a/qapi/opts-visitor.c
> +++ b/qapi/opts-visitor.c
> @@ -481,7 +481,6 @@ opts_type_size(Visitor *v, const char *name, uint64_t 
> *obj, Error **errp)
>  {
>  OptsVisitor *ov = to_ov(v);
>  const QemuOpt *opt;
> -int64_t val;
>  int err;
>  
>  opt = lookup_scalar(ov, name, errp);
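Review bot: dropping the local `val` means the parser will store straight through the caller's `obj` pointer; that is only safe if `qemu_strtosz()` guarantees it leaves `*result` untouched on error, otherwise a failed parse leaves a partially written value in the visitor's output. Confirm that guarantee, or keep the local and copy it to `*obj` only on success.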
> @@ -489,14 +488,13 @@ opts_type_size(Visitor *v, const char *name, uint64_t 
> *obj, Error **errp)
>  return;
>  }
>  
> -err = qemu_strtosz(opt->str ? opt->str : "", NULL, );
> +err = qemu_strtosz(opt->str ? opt->str : "", NULL, obj);
>  if (err < 0) {
>  error_setg(errp, QERR_INVALID_PARAMETER_VALUE, opt->name,
> -   "a size value 
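The series changes qemu_strtosz*() to return an error code separately from an unsigned result and then bounds-checks that result against the type it will be stored in. As an added example that is not QEMU's qemu_strtosz() and not part of this thread, here is the same shape in stand-alone C: a size parser with a reduced suffix set (an assumption for the example; base 10 only, B/K/M/G/T) that rejects signs and multiplier overflow, followed by the two range guards the hmp.c hunk applies after parsing. `parse_size`, `size_status`, `size_value`, `fits_int64` and `fits_size_t` are names chosen for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Example parser (not QEMU's): returns 0 and stores the value on success,
 * -EINVAL for malformed input and -ERANGE on overflow.  Negative numbers are
 * rejected up front, matching the convention the series describes.  When no
 * suffix is present, default_unit is applied (assumption for the example).
 */
static int parse_size(const char *s, uint64_t default_unit, uint64_t *out)
{
    const char *p = s;
    char *end;
    unsigned long long v;
    uint64_t mul = default_unit;

    if (!s || *s == '\0') {
        return -EINVAL;
    }
    while (isspace((unsigned char)*p)) {
        p++;
    }
    /* strtoull would silently accept '-' and wrap; a size has no sign. */
    if (*p == '-' || *p == '+' || !isdigit((unsigned char)*p)) {
        return -EINVAL;
    }

    errno = 0;
    v = strtoull(p, &end, 10);
    if (errno == ERANGE) {
        return -ERANGE;          /* digits alone exceed 64 bits */
    }
    if (end == p) {
        return -EINVAL;
    }

    switch (tolower((unsigned char)*end)) {
    case '\0': break;
    case 'b': mul = 1;          end++; break;
    case 'k': mul = 1ULL << 10; end++; break;
    case 'm': mul = 1ULL << 20; end++; break;
    case 'g': mul = 1ULL << 30; end++; break;
    case 't': mul = 1ULL << 40; end++; break;
    default:  return -EINVAL;   /* unknown suffix or embedded blank */
    }
    if (*end != '\0') {
        return -EINVAL;          /* trailing junk after the suffix */
    }

    /* Check the multiplication before it wraps, not after. */
    if (mul != 0 && v > UINT64_MAX / mul) {
        return -ERANGE;
    }
    *out = (uint64_t)v * mul;
    return 0;
}

/* The two guards the hmp.c hunk applies: destination is a signed 64-bit
 * field, and (on 32-bit hosts) a size_t. */
static bool fits_int64(uint64_t v)  { return v <= (uint64_t)INT64_MAX; }
static bool fits_size_t(uint64_t v) { return (size_t)v == v; }

/* Wrappers that expose status and value separately for callers. */
static int size_status(const char *s, uint64_t default_unit)
{
    uint64_t v;
    return parse_size(s, default_unit, &v);
}

static uint64_t size_value(const char *s, uint64_t default_unit)
{
    uint64_t v = 0;
    return parse_size(s, default_unit, &v) == 0 ? v : 0;
}
```

The overflow check multiplies only after proving `v <= UINT64_MAX / mul`; doing the multiplication first and comparing afterwards is the classic mistake, since unsigned wrap-around is silent. Keeping the error code separate from the value is what lets the caller distinguish "unparseable" from "parsed but too large for this field".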

Re: [Qemu-devel] [PATCH] vfio/pci-quirks.c: Disable stolen memory for igd VFIO

2017-02-20 Thread Alex Williamson
On Mon, 20 Feb 2017 19:42:54 +0800
Xiong Zhang  wrote:

> From: XiongZhang 
> 
> If IGD isn't assigned at 00:02.0 in UPT and the host bios enables stolen
> memory, seabios won't reserve stolen memory in E820 for the guest. Then
> both the Intel graphic driver and others in the guest could use stolen
> memory, and this will generate a system hang. So we should disable stolen
> memory in this case.

Wasn't the intent of UPT mode that it removed all of the BIOS and
chipset dependencies of IGD such that it could be assigned as just
another PCI device?  Does this mean that the drivers fail to meet that
promise by evaluating the size and location of stolen memory as
programmed on the physical device even in UPT mode?

I'm a little confused by the use of the term "others" here and in the
comment below.  Can you be more specific what other software beyond the
graphics driver is evaluating the size or location of stolen memory?
 
> Bugzilla:https://bugs.freedesktop.org/show_bug.cgi?id=99028
>  https://bugs.freedesktop.org/show_bug.cgi?id=99025
> 
> Signed-off-by: Xiong Zhang 
> Tested-by: Terrence Xu 
> ---
>  hw/vfio/pci-quirks.c | 63 
> ++--
>  1 file changed, 36 insertions(+), 27 deletions(-)
> 
> diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
> index 1e97bc4..015d0c2 100644
> --- a/hw/vfio/pci-quirks.c
> +++ b/hw/vfio/pci-quirks.c
> @@ -1364,14 +1364,43 @@ static void vfio_probe_igd_bar4_quirk(VFIOPCIDevice 
> *vdev, int nr)
>  uint32_t gmch;
>  uint16_t cmd_orig, cmd;
>  
> +/* This must be an Intel VGA device. */
> +if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
> +!vfio_is_vga(vdev) || nr != 4) {
> +return;
> +}
> +
>  /*
> - * This must be an Intel VGA device at address 00:02.0 for us to even
> - * consider enabling legacy mode.  The vBIOS has dependencies on the
> - * PCI bus address.
> + * IGD is not a standard, they like to change their specs often.  We
> + * only attempt to support back to SandBridge and we hope that newer
> + * devices maintain compatibility with generation 8.
>   */
> -if (!vfio_pci_is(vdev, PCI_VENDOR_ID_INTEL, PCI_ANY_ID) ||
> -!vfio_is_vga(vdev) || nr != 4 ||
> ->pdev != pci_find_device(pci_device_root_bus(>pdev),
> +gen = igd_gen(vdev);
> +if (gen != 6 && gen != 8) {
> +error_report("IGD device %s is unsupported in legacy mode, "
> + "try SandyBridge or newer", vdev->vbasedev.name);

This is a little bit misleading now since this is no longer exclusively
a legacy mode path, a user trying to use UPT mode might disregard this
as noise.  Perhaps...

error_report("IGD device %s is unsupported by IGD quirks, "
 "try SandyBridge or newer", vdev->vbasedev.name);


> +return;
> +}
> +/*
> + * If this isn't at address 00:02.0, bios won't reserv stolen

s/reserv/reserve/

> + * memory in E820, then others could use stolen memory. If guest
> + * graphic driver still use stolen memory, system maybe hang.
> + * so we set stolen memory size to 0 and guest graphic driver won't
> + * use stolen memory.

Based on my understanding of the bug, I might suggest:

  Regardless of running in UPT or legacy mode, the guest graphics
  driver may attempt to use stolen memory, however only legacy mode has
  BIOS support for reserving stolen memory in the guest VM.  Emulate
  the GMCH register in all cases and zero out the stolen memory size
  here.  Legacy mode may request allocation and re-write this below.

> + */
> +gmch = vfio_pci_read_config(>pdev, IGD_GMCH, 4);
> +gmch &= ~((gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8));
> +
> +/* GMCH is read-only, emulated */
> +pci_set_long(vdev->pdev.config + IGD_GMCH, gmch);
> +pci_set_long(vdev->pdev.wmask + IGD_GMCH, 0);
> +pci_set_long(vdev->emulated_config_bits + IGD_GMCH, ~0);
> +
> +/*
> + * This must be at address 00:02.0 for us to even onsider enabling
> + * legacy mode.  The vBIOS has dependencies on the PCI bus address.
> + */
> +if (>pdev != pci_find_device(pci_device_root_bus(>pdev),
> 0, PCI_DEVFN(0x2, 0))) {
>  return;
>  }
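Review bot: the GMCH masking and the three `pci_set_long()` calls now run before the 00:02.0 address check, so every Intel VGA device that passes the `igd_gen()` test gets a read-only emulated GMCH with the stolen size zeroed, including UPT-mode assignments that previously left the register untouched; that is the stated intent, but the commit message should spell out that this is a behaviour change for existing UPT users. Also s/onsider/consider/ in the moved comment ("to even onsider enabling").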
> @@ -1391,18 +1420,6 @@ static void vfio_probe_igd_bar4_quirk(VFIOPCIDevice 
> *vdev, int nr)
>  }
>  
>  /*
> - * IGD is not a standard, they like to change their specs often.  We
> - * only attempt to support back to SandBridge and we hope that newer
> - * devices maintain compatibility with generation 8.
> - */
> -gen = igd_gen(vdev);
> -if (gen != 6 && gen != 8) {
> -error_report("IGD device %s is unsupported in legacy mode, "
> - "try SandyBridge or newer", vdev->vbasedev.name);
> -return;
> -}
> -
> -/*
>   * Most of 
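The hunk above turns GMCH into an emulated, read-only register whose stolen-memory field is forced to zero, so a guest driver cannot learn a stolen-memory range that the guest BIOS never reserved. As an added example that is not QEMU's code (QEMU's `pci_set_long`, `vfio_pci_read_config`, `VFIOPCIDevice` and the real `IGD_GMCH` offset are not reproduced; `GMCH_OFF`, `CFG_SPACE_SIZE` and the `emu_cfg` struct are assumptions for this example), here is the same config/wmask/emulated-bits pattern in stand-alone C, with the mask arithmetic taken from the hunk and a guest write that is correctly ignored:

```c
#include <stdint.h>
#include <string.h>

/* Assumptions for the example: a 256-byte config space and a made-up
 * register offset standing in for IGD_GMCH. */
#define CFG_SPACE_SIZE 256
#define GMCH_OFF       0x50

struct emu_cfg {
    uint8_t config[CFG_SPACE_SIZE];   /* value the guest sees for emulated bits */
    uint8_t wmask[CFG_SPACE_SIZE];    /* bits a guest write is allowed to change */
    uint8_t emulated[CFG_SPACE_SIZE]; /* 1 = served from config[], 0 = from hardware */
};

static uint32_t get_long(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void set_long(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/* Stolen-memory size field exactly as the hunk masks it:
 * 5 bits at bit 3 before gen 8, 8 bits at bit 8 from gen 8 on. */
static uint32_t gmch_stolen_mask(int gen)
{
    return (uint32_t)(gen < 8 ? 0x1f : 0xff) << (gen < 8 ? 3 : 8);
}

static uint32_t gmch_clear_stolen(uint32_t gmch, int gen)
{
    return gmch & ~gmch_stolen_mask(gen);
}

/* Mirror of the three pci_set_long() calls in the hunk: publish the masked
 * value, forbid guest writes, and mark every bit as emulated. */
static void install_gmch_quirk(struct emu_cfg *c, uint32_t hw_gmch, int gen)
{
    set_long(&c->config[GMCH_OFF], gmch_clear_stolen(hw_gmch, gen));
    set_long(&c->wmask[GMCH_OFF], 0);
    set_long(&c->emulated[GMCH_OFF], ~0u);
}

/* Guest config-space write: only bits set in wmask take effect. */
static void guest_write_long(struct emu_cfg *c, unsigned off, uint32_t val)
{
    uint32_t old = get_long(&c->config[off]);
    uint32_t wm = get_long(&c->wmask[off]);
    set_long(&c->config[off], (old & ~wm) | (val & wm));
}

/* Guest read: emulated bits come from config[], the rest from the hardware
 * value (passed in here instead of being read from a real device). */
static uint32_t guest_read_long(const struct emu_cfg *c, unsigned off,
                                uint32_t hw_val)
{
    uint32_t em = get_long(&c->emulated[off]);
    return (get_long(&c->config[off]) & em) | (hw_val & ~em);
}

/* Scenario: a gen-6 device whose hardware GMCH advertises a non-zero stolen
 * size (0x1f9 is a constructed value); the guest then tries to write all
 * ones back.  Returns what the guest reads afterwards. */
static uint32_t demo_gen6_guest_cannot_restore_stolen(void)
{
    struct emu_cfg c;
    memset(&c, 0, sizeof(c));
    install_gmch_quirk(&c, 0x1f9, 6);            /* stolen field = 0x1f */
    guest_write_long(&c, GMCH_OFF, 0xffffffff);  /* ignored: wmask is 0 */
    return guest_read_long(&c, GMCH_OFF, 0x1f9); /* hardware still says 0x1f9 */
}
```

The three arrays carry the whole policy: `emulated` decides whether the guest ever sees the hardware value, `wmask` decides whether a guest write can change anything, and `config` holds the value the guest is allowed to see. With all GMCH bits emulated and `wmask` zero, neither a read nor a write can recover the real stolen-memory size.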

Re: [Qemu-devel] [PATCH v1 10/10] target/ppc: add mcrxrx instruction

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:12 PM, Nikunj A Dadhania wrote:

mcrxrx: Move to CR from XER Extended

Signed-off-by: Nikunj A Dadhania 
---
 target/ppc/translate.c | 23 +++
 1 file changed, 23 insertions(+)


Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [PATCH v8 4/8] ACPI: Add Virtual Machine Generation ID support

2017-02-20 Thread Eric Blake
On 02/20/2017 04:23 AM, Dr. David Alan Gilbert wrote:
> * Laszlo Ersek (ler...@redhat.com) wrote:
>> CC Dave
> 
> This isn't an area I really understand; but if I'm
> reading this right then 
>vmgenid is stored in fw_cfg?
>fw_cfg isn't migrated
> 
> So why should any changes to it get migrated, except if it's already
> been read by the guest (and if the guest reads it again afterwards what's
> it expected to read?)

Why are we expecting it to change on migration?  You want a new value
when you load state from disk (you don't know how many times the same
state has been loaded previously, so each load is effectively forking
the VM and you want a different value), but for a single live migration,
you aren't forking the VM and don't need a new generation ID.

I guess it all boils down to what command line you're using: if libvirt
is driving a live migration, it will request the same UUID in the
command line of the destination as what is on the source; while if
libvirt is loading from a [managed]save to restore state from a file, it
will either request a new UUID directly or request auto to let qemu
generate the new id.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH v1 09/10] target/ppc: add ov32 flag in divide operations

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:12 PM, Nikunj A Dadhania wrote:

Add helper_div_compute_ov() in the int_helper for updating the overflow
flags.

For Divide Word:
SO, OV, and OV32 bits reflect overflow of the 32-bit result

For Divide DoubleWord:
SO, OV, and OV32 bits reflect overflow of the 64-bit result

Signed-off-by: Nikunj A Dadhania 
---
 target/ppc/int_helper.c | 49 -
 target/ppc/translate.c  |  6 --
 2 files changed, 20 insertions(+), 35 deletions(-)


Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [PATCH v1 08/10] target/ppc: add ov32 flag for multiply low insns

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:11 PM, Nikunj A Dadhania wrote:

For Multiply Word:
SO, OV, and OV32 bits reflect overflow of the 32-bit result

For Multiply DoubleWord:
SO, OV, and OV32 bits reflect overflow of the 64-bit result

Signed-off-by: Nikunj A Dadhania 
---
 target/ppc/translate.c | 2 ++
 1 file changed, 2 inser


Reviewed-by: Richard Henderson 


r~



Re: [Qemu-devel] [PATCH v1 06/10] target/ppc: use tcg ops for neg instruction

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:11 PM, Nikunj A Dadhania wrote:

 static void gen_neg(DisasContext *ctx)
 {
-gen_op_arith_neg(ctx, 0);
+tcg_gen_neg_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
 }



NACK.  You're forgetting "neg.".


r~



Re: [Qemu-devel] [PATCH v1 07/10] target/ppc: update ov/ov32 for nego

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:11 PM, Nikunj A Dadhania wrote:

For 64-bit mode if the register RA contains 0x8000___, OV
and OV32 are set to 1.

For 32-bit mode if the register RA contains 0x8000_, OV and OV32 are
set to 1.

Use the tcg-ops for negation (neg_tl) and drop gen_op_arith_neg() as
nego was the last user.

Signed-off-by: Nikunj A Dadhania 
---
 target/ppc/translate.c | 23 ++-
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 9fa3b5a..0168e1c 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -1473,14 +1473,6 @@ static void gen_subfic(DisasContext *ctx)
 }

 /* neg neg. nego nego. */
-static inline void gen_op_arith_neg(DisasContext *ctx, bool compute_ov)
-{
-TCGv zero = tcg_const_tl(0);
-gen_op_arith_subf(ctx, cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)],
-  zero, 0, 0, compute_ov, Rc(ctx->opcode));
-tcg_temp_free(zero);
-}
-
 static void gen_neg(DisasContext *ctx)
 {
 tcg_gen_neg_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
@@ -1488,7 +1480,20 @@ static void gen_neg(DisasContext *ctx)

 static void gen_nego(DisasContext *ctx)
 {
-gen_op_arith_neg(ctx, 1);
+TCGv t0 = tcg_temp_new();
+TCGv zero = tcg_const_tl(0);
+
+if (NARROW_MODE(ctx)) {
+tcg_gen_xori_tl(t0, cpu_gpr[rA(ctx->opcode)], INT32_MIN);
+} else {
+tcg_gen_xori_tl(t0, cpu_gpr[rA(ctx->opcode)], (target_ulong)INT64_MIN);
+}
+
+tcg_gen_setcond_tl(TCG_COND_EQ, cpu_ov, t0, zero);
+tcg_gen_mov_tl(cpu_ov32, cpu_ov);
+tcg_gen_neg_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
+tcg_temp_free(t0);
+tcg_temp_free(zero);
 }
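Review bot: the `xori` into `t0` followed by `setcond` against a fresh `zero` temp can be a single `tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_ov, cpu_gpr[rA(ctx->opcode)], ...)` against the constant, dropping both temps. Separately, in the `NARROW_MODE` branch `INT32_MIN` is widened to a 64-bit constant, so the test only succeeds when the upper 32 bits of RA match that widening; if narrow-mode registers are not guaranteed to be kept in that form, compare the low 32 bits explicitly.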


Again, you're forgetting "nego.".  Don't try to simplify from gen_op_arith_subf 
by hand.



r~



Re: [Qemu-devel] [PATCH] vl: disable default cdrom when using explicitly scsi-hd

2017-02-20 Thread John Snow


On 02/19/2017 08:00 PM, Markus Armbruster wrote:
> Hervé Poussineau  writes:
> 
>> Hi,
>>
>> Le 09/01/2017 à 14:48, Paolo Bonzini a écrit :
>>>
>>>
>>> On 09/01/2017 13:49, Markus Armbruster wrote:
 Hervé Poussineau  writes:

> 'ide-hd', 'ide-cd' and 'scsi-cd' devices already disable default cdrom.
> Make it the same for 'scsi-hd'.
>
> That way, we can add/replace the device on lun=2 without using 
> -nodefaults.

 Yes, but it might upset existing usage that relies on the default
 CD-ROM.  In my opinion, making your needs explicit is better than
 relying on defaults, but that doesn't mean we can change the defaults
 unthinkingly.  Definitely not qemu-trivial.

 Opinions on the change?
>>>
>>> The original rationale for the change was "ide-hd has to suppress the
>>> default CD-ROM, or else you can't put one on secondary master without
>>> -nodefaults" but the same applies for scsi-hd vs. lun=1.
>>>
>>> So I'm not sure, but I lean towards accepting the patch.
>>>
>>> Paolo
>>
>> Paolo, Markus, so what is the conclusion?
>> Accepting the patch, or refusing it?
> 
> Suggest to repost with the commit message updated to mention the
> backwards incompatibility, and why you think it's okay.
> cc: John Snow , cc: qemu-bl...@nongnu.org
> 

I don't have a lot of history with the SCSI devices, so I'd be pretty
much relying exclusively on a statement on what breaks with the change,
and why that breakage would be justified.

No strong feelings for/against right now and am likely to just defer to
Paolo, who was leaning towards accepting it.

--js



Re: [Qemu-devel] [PATCH v1 04/10] target/ppc: compute ca32 for arithmetic substract

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:11 PM, Nikunj A Dadhania wrote:

For 64-bit mode use the compute ca32 routine. While for 32-bit mode, CA
and CA32 will have same value.

Signed-off-by: Nikunj A Dadhania 
---
 target/ppc/translate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index 77045be..dd413de 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -1389,6 +1389,7 @@ static inline void gen_op_arith_subf(DisasContext *ctx, 
TCGv ret, TCGv arg1,
 tcg_temp_free(t1);
 tcg_gen_shri_tl(cpu_ca, cpu_ca, 32);/* extract bit 32 */
 tcg_gen_andi_tl(cpu_ca, cpu_ca, 1);
+tcg_gen_mov_tl(cpu_ca32, cpu_ca);
 } else {
 if (add_ca) {
 TCGv zero, inv1 = tcg_temp_new();
@@ -1402,6 +1403,7 @@ static inline void gen_op_arith_subf(DisasContext *ctx, 
TCGv ret, TCGv arg1,
 tcg_gen_setcond_tl(TCG_COND_GEU, cpu_ca, arg2, arg1);
 tcg_gen_sub_tl(t0, arg2, arg1);
 }
+gen_op_arith_compute_ca32(ctx, arg1, arg2, add_ca, 1);
 }


Ah, I see what you wanted with the previous patch.  However, you won't want to 
put this here when you fix ca32 computation as I described, because for the 
add_ca case you'll want to pass in inv1 as arg1 so that you don't have to 
re-invert it.



r~




Re: [Qemu-devel] [PATCH 22/24] util/cutils: Return qemu_strtosz*() error and value separately

2017-02-20 Thread Dr. David Alan Gilbert
* Markus Armbruster (arm...@redhat.com) wrote:
> This makes qemu_strtosz(), qemu_strtosz_mebi() and
> qemu_strtosz_metric() similar to qemu_strtoi64(), except negative
> values are rejected.
> 
> Cc: Dr. David Alan Gilbert 
> Cc: Eduardo Habkost  (maintainer:X86)
> Cc: Kevin Wolf  (supporter:Block layer core)
> Cc: Max Reitz  (supporter:Block layer core)
> Cc: qemu-bl...@nongnu.org (open list:Block layer core)
> Signed-off-by: Markus Armbruster 

Reviewed-by: Dr. David Alan Gilbert 

> ---
>  hmp.c |   6 +--
>  hw/misc/ivshmem.c |   7 ++-
>  include/qemu/cutils.h |   6 +--
>  monitor.c |   5 ++-
>  qapi/opts-visitor.c   |   5 ++-
>  qemu-img.c|  10 +++--
>  qemu-io-cmds.c|  10 +++--
>  target/i386/cpu.c |   5 ++-
>  tests/test-cutils.c   | 120 
> ++
>  util/cutils.c |  22 -
>  10 files changed, 119 insertions(+), 77 deletions(-)
> 
> diff --git a/hmp.c b/hmp.c
> index 0eb5b6d..9846fa4 100644
> --- a/hmp.c
> +++ b/hmp.c
> @@ -1342,7 +1342,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const 
> QDict *qdict)
>  long valueint = 0;
>  Error *err = NULL;
>  bool use_int_value = false;
> -int i;
> +int i, ret;
>  
>  for (i = 0; i < MIGRATION_PARAMETER__MAX; i++) {
>  if (strcmp(param, MigrationParameter_lookup[i]) == 0) {
> @@ -1378,8 +1378,8 @@ void hmp_migrate_set_parameter(Monitor *mon, const 
> QDict *qdict)
>  break;
>  case MIGRATION_PARAMETER_MAX_BANDWIDTH:
>  p.has_max_bandwidth = true;
> -valuebw = qemu_strtosz_mebi(valuestr, NULL);
> -if (valuebw < 0 || (size_t)valuebw != valuebw) {
> +ret = qemu_strtosz_mebi(valuestr, NULL, );
> +if (ret < 0 || (size_t)valuebw != valuebw) {
>  error_setg(, "Invalid size %s", valuestr);
>  goto cleanup;
>  }
> diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
> index f00cd75..3dc04f4 100644
> --- a/hw/misc/ivshmem.c
> +++ b/hw/misc/ivshmem.c
> @@ -1267,8 +1267,11 @@ static void ivshmem_realize(PCIDevice *dev, Error 
> **errp)
>  if (s->sizearg == NULL) {
>  s->legacy_size = 4 << 20; /* 4 MB default */
>  } else {
> -int64_t size = qemu_strtosz_mebi(s->sizearg, NULL);
> -if (size < 0 || (size_t)size != size || !is_power_of_2(size)) {
> +int ret;
> +int64_t size;
> +
> +ret = qemu_strtosz_mebi(s->sizearg, NULL, );
> +if (ret < 0 || (size_t)size != size || !is_power_of_2(size)) {
>  error_setg(errp, "Invalid size %s", s->sizearg);
>  return;
>  }
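Review bot: the `ret < 0` parse failure, the size_t truncation and `!is_power_of_2(size)` all report the same "Invalid size %s"; now that the parser's error is available separately in `ret`, consider distinct messages so a user who typed a valid but non-power-of-two size is told that rather than "invalid".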
> diff --git a/include/qemu/cutils.h b/include/qemu/cutils.h
> index 4184851..c91649b 100644
> --- a/include/qemu/cutils.h
> +++ b/include/qemu/cutils.h
> @@ -139,9 +139,9 @@ int parse_uint(const char *s, unsigned long long *value, 
> char **endptr,
> int base);
>  int parse_uint_full(const char *s, unsigned long long *value, int base);
>  
> -int64_t qemu_strtosz(const char *nptr, char **end);
> -int64_t qemu_strtosz_mebi(const char *nptr, char **end);
> -int64_t qemu_strtosz_metric(const char *nptr, char **end);
> +int qemu_strtosz(const char *nptr, char **end, int64_t *result);
> +int qemu_strtosz_mebi(const char *nptr, char **end, int64_t *result);
> +int qemu_strtosz_metric(const char *nptr, char **end, int64_t *result);
>  
>  #define K_BYTE (1ULL << 10)
>  #define M_BYTE (1ULL << 20)
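Review bot: the prototypes change from returning the value to returning an `int` plus `int64_t *result`, but the header still does not say what the int means; the commit message says "similar to qemu_strtoi64()", so put that one sentence (0 on success, negative on failure, negative values rejected) next to the declarations where callers will actually see it.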
> diff --git a/monitor.c b/monitor.c
> index 1f8c031..85b1b61 100644
> --- a/monitor.c
> +++ b/monitor.c
> @@ -2773,6 +2773,7 @@ static QDict *monitor_parse_arguments(Monitor *mon,
>  break;
>  case 'o':
>  {
> +int ret;
>  int64_t val;
>  char *end;
>  
> @@ -2785,8 +2786,8 @@ static QDict *monitor_parse_arguments(Monitor *mon,
>  break;
>  }
>  }
> -val = qemu_strtosz_mebi(p, );
> -if (val < 0) {
> +ret = qemu_strtosz_mebi(p, , );
> +if (ret < 0) {
>  monitor_printf(mon, "invalid size\n");
>  goto fail;
>  }
> diff --git a/qapi/opts-visitor.c b/qapi/opts-visitor.c
> index 911a0ee..aac2e09 100644
> --- a/qapi/opts-visitor.c
> +++ b/qapi/opts-visitor.c
> @@ -482,14 +482,15 @@ opts_type_size(Visitor *v, const char *name, uint64_t 
> *obj, Error **errp)
>  OptsVisitor *ov = to_ov(v);
>  const QemuOpt *opt;
>  int64_t val;
> +int err;
>  
>  opt = lookup_scalar(ov, name, errp);
>  if (!opt) {
>  return;
>  }
>  
> -val = qemu_strtosz(opt->str ? opt->str : "", NULL);
> -if (val < 0) {
> +err = 

Re: [Qemu-devel] [PATCH 3/3] qmp-events: fix GUEST_PANICKED description formatting

2017-02-20 Thread Eric Blake
On 02/20/2017 12:21 PM, Denis V. Lunev wrote:
> From: Anton Nefedov 
> 
> Signed-off-by: Anton Nefedov 
> Signed-off-by: Denis V. Lunev 
> CC: Paolo Bonzini 
> CC: Eric Blake 
> ---
>  qapi/event.json | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Eric Blake 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH] qmp-events: fix GUEST_PANICKED description formatting

2017-02-20 Thread Eric Blake
On 02/20/2017 12:12 PM, Denis V. Lunev wrote:

>> But for 2.9, we only need to change the union.  Eric, can you do that
>> for us since my QAPI-fu is limited?
>>
>> Paolo
>>
> give me 5 minutes, I have patches for that, received them today.

Yep, I've reviewed those patches.  Thanks for the fast followup.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH 2/3] qapi: flatten GuestPanicInformation union

2017-02-20 Thread Eric Blake
On 02/20/2017 12:21 PM, Denis V. Lunev wrote:
> From: Anton Nefedov 
> 
> Signed-off-by: Anton Nefedov 
> Signed-off-by: Denis V. Lunev 
> CC: Paolo Bonzini 
> CC: Eric Blake 
> ---
>  qapi-schema.json  | 12 
>  target/i386/cpu.c | 15 ++-
>  vl.c  | 12 ++--
>  3 files changed, 24 insertions(+), 15 deletions(-)
> 
> diff --git a/qapi-schema.json b/qapi-schema.json
> index e9a6364..b142e15 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -5872,6 +5872,16 @@
>'data': [ 'pause', 'poweroff' ] }
>  
>  ##
> +# @GuestPanicInformationType:
> +#
> +# An enumeration of the guest panic information types
> +#
> +# Since: 2.9
> +##
> +{ 'enum': 'GuestPanicInformationType',
> +  'data': [ 'hyper-v'] }
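Review bot: `'data': [ 'hyper-v'] }` is missing the space before `]` that the schema uses elsewhere (compare `'data': [ 'pause', 'poweroff' ] }` a few lines above); also the enum's doc comment should say it is the discriminator of the flattened GuestPanicInformation union, so readers know why a single-member enum exists.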

Perhaps 'hyperv' is better? It's the difference between
GUEST_PANIC_INFORMATION_TYPE_HYPER_V and
GUEST_PANIC_INFORMATION_TYPE_HYPERV. But that's bikeshedding, so no need
to change it.

Must go into 2.9, so we aren't baking in bad API.

Reviewed-by: Eric Blake 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH v1 05/10] target/ppc: update overflow flags for add/sub

2017-02-20 Thread Richard Henderson

On 02/20/2017 09:11 PM, Nikunj A Dadhania wrote:

 tcg_temp_free(t0);
+tcg_gen_extract_tl(cpu_ov32, cpu_ov, 31, 1);
+tcg_gen_extract_tl(cpu_ov, cpu_ov, 63, 1);
 if (NARROW_MODE(ctx)) {
-tcg_gen_ext32s_tl(cpu_ov, cpu_ov);
+tcg_gen_mov_tl(cpu_ov, cpu_ov32);
 }
-tcg_gen_shri_tl(cpu_ov, cpu_ov, TARGET_LONG_BITS - 1);


Don't compute ov32 only to overwrite it again.  Move the ov32 extraction into 
an else of NARROW_MODE.



r~



Re: [Qemu-devel] [PATCH 1/3] i386/cpu: release GuestPanicInformation memory

2017-02-20 Thread Eric Blake
On 02/20/2017 12:21 PM, Denis V. Lunev wrote:
> From: Anton Nefedov 
> 
> Do not make some foreign function do it.
> 
> Signed-off-by: Anton Nefedov 
> Signed-off-by: Denis V. Lunev 
> CC: Paolo Bonzini 
> CC: Eric Blake 
> ---
>  kvm-all.c |  5 -
>  vl.c  | 22 +-
>  2 files changed, 13 insertions(+), 14 deletions(-)
> 

> +++ b/vl.c
> @@ -1682,6 +1682,15 @@ void qemu_system_reset(bool report)
>  void qemu_system_guest_panicked(GuestPanicInformation *info)
>  {
>  qemu_log_mask(LOG_GUEST_ERROR, "Guest crashed\n");
> +if (info && info->type == GUEST_PANIC_INFORMATION_KIND_HYPER_V) {
> +qemu_log_mask(LOG_GUEST_ERROR, "HV crash parameters: (%#"PRIx64
> +  " %#"PRIx64" %#"PRIx64" %#"PRIx64" %#"PRIx64")\n",
> +  info->u.hyper_v.data->arg1,
> +  info->u.hyper_v.data->arg2,
> +  info->u.hyper_v.data->arg3,
> +  info->u.hyper_v.data->arg4,
> +  info->u.hyper_v.data->arg5);
> +}

Why are we hoisting this code earlier in the function (which changes the
log order, if I'm reading correctly)...

>  
>  if (current_cpu) {
>  current_cpu->crash_occurred = true;
> @@ -1694,19 +1703,6 @@ void qemu_system_guest_panicked(GuestPanicInformation 
> *info)
> !!info, info, _abort);
>  qemu_system_shutdown_request();
>  }
> -
> -if (info) {
> -if (info->type == GUEST_PANIC_INFORMATION_KIND_HYPER_V) {
> -qemu_log_mask(LOG_GUEST_ERROR, "HV crash parameters: (%#"PRIx64
> -  " %#"PRIx64" %#"PRIx64" %#"PRIx64" %#"PRIx64")\n",
> -  info->u.hyper_v.data->arg1,
> -  info->u.hyper_v.data->arg2,
> -  info->u.hyper_v.data->arg3,
> -  info->u.hyper_v.data->arg4,
> -  info->u.hyper_v.data->arg5);
> -}
> -qapi_free_GuestPanicInformation(info);
> -}
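Review bot: removing `qapi_free_GuestPanicInformation(info)` here hands ownership back to the caller, which is what the commit message asks for, but nothing in this hunk shows the caller side; check that every path that builds a GuestPanicInformation now frees it (the `kvm-all.c` change is in the diffstat but not quoted), otherwise the free that was removed here becomes a leak rather than a cleanup.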

...instead of just cleaning up this code in place?

But the rest of the patch looks fine.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org





Re: [Qemu-devel] [PATCH] qemu-options: explain disk I/O throttling options

2017-02-20 Thread Eric Blake
On 02/20/2017 10:52 AM, Stefan Hajnoczi wrote:
> The disk I/O throttling options have been listed for a long time but
> never explained on the QEMU man page.
> 
> Suggested-by: Nini Gu 
> Cc: Alberto Garcia 
> Signed-off-by: Stefan Hajnoczi 
> ---
>  qemu-options.hx | 25 +
>  1 file changed, 25 insertions(+)
> 
> diff --git a/qemu-options.hx b/qemu-options.hx
> index 5633d39..b2254cc 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -587,6 +587,31 @@ file sectors into the image file.
>  conversion of plain zero writes by the OS to driver specific optimized
>  zero write commands. You may even choose "unmap" if @var{discard} is set
>  to "unmap" to allow a zero write to be converted to an UNMAP operation.
> +@item bps=@var{b},bps_rd=@var{r},bps_wr=@var{w}
> +Specify bandwidth throttling limits in bytes per second, either for all 
> request
> +types or for reads or writes only.  Values must be larger than the maximum
> +request size to avoid timeouts or hangs in the guest.  At minimum use 2 MB/s

s/At minimum/At a minimum,/

With that tweak,
Reviewed-by: Eric Blake 

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org




