Re: [Qemu-devel] [RFC PATCH v6 00/20] replay additions

2018-02-20 Thread Pavel Dovgalyuk
> From: Ciro Santilli [mailto:ciro.santi...@gmail.com]
> On Tue, Feb 20, 2018 at 9:46 AM, Pavel Dovgalyuk  wrote:
> >
> > Updated the branch on github.
> > You may try it.
> 
> At 8a482834780a131e7747c1c3c1931379ed0beedc ARM initrd record runs,
> but replay is getting stuck at:
> 
> [   12.120424] scsi host0: sym-2.2.3
> 
> Neighboring lines on record:
> 
> [   11.346357] sym53c8xx :00:0c.0: enabling device (0100 -> 0103)
> [   11.536683] sym0: <895a> rev 0x0 at pci :00:0c.0 irq 66
> [   11.731679] sym0: No NVRAM, ID 7, Fast-40, LVD, parity checking
> [   11.930599] sym0: SCSI BUS has been reset.
> [   12.120424] scsi host0: sym-2.2.3
> [   15.451809] scsi 0:0:2:0: CD-ROMQEMU QEMU CD-ROM 2.5+ PQ: 0 ANSI: 5
> [   15.847227] scsi target0:0:2: tagged command queuing enabled, command queue depth 16.
> [   16.256585] scsi target0:0:2: Beginning Domain Validation
> [   16.482189] scsi target0:0:2: Domain Validation skipping write tests
> [   16.699445] scsi target0:0:2: Ending Domain Validation
> 
> My QEMU command:
> 
> time ./buildroot/output.arm~/host/usr/bin/qemu-system-arm -M versatilepb \
>   -append 'root=/dev/sda nokaslr norandmaps printk.devkmsg=on printk.time=y - lkmc_eval="/rand_check.out;wget -S google.com;/poweroff.out;"' \
>   -kernel ./buildroot/output.arm~/images/zImage \
>   -dtb ./buildroot/output.arm~/images/versatile-pb.dtb \
>   -nographic \
>   -initrd ./buildroot/output.arm~/images/rootfs.cpio \
>   -netdev user,id=net1 \
>   -device rtl8139,netdev=net1 \
>   -object filter-replay,id=replay,netdev=net1
> 
> What is your full QEMU command?

I used your previous command and encountered a kernel panic in the guest.
What is the rootfs.cpio file? Is it the renamed rootfs.ext2 from your images.zip?

> Also I think the patch to fix qemu-img was not included in the branch.

Forgot about it. Now it should be ok.


Pavel Dovgalyuk




Re: [Qemu-devel] Moving seabios-hppa git submodule to use a qemu.org mirror

2018-02-20 Thread Jeff Cody
On Tue, Feb 20, 2018 at 06:43:22PM +, Peter Maydell wrote:
> I just noticed that we seem to have acquired another git
> submodule that isn't pointing to a qemu.org git url:
> 
> [submodule "roms/seabios-hppa"]
> path = roms/seabios-hppa
> url = git://github.com/hdeller/seabios-hppa.git
> 
> Jeff, could we set up so we can mirror this repo on qemu.org?
> Then we can send a patch to update the .gitmodules to point to it.
> 

Yes, of course... Although Paolo has suggested making it a branch of the
existing SeaBIOS repo instead.  But I can go ahead and get the clone set up,
in case we go that route.

> (There's also a patchset on list that wants to add a
> submodule for git://github.com/zbalaton/u-boot-sam460ex
> but I don't know if that will go in or not yet. Should
> we insist that we set up the mirror first for new
> submodules, or allow them in and fix things up after?
> By default we're doing the latter at the moment; the
> former seems cleaner but makes it more painful for
> contributors to get things added which need new
> submodules.)
> 

My thought: while not as clean, I think it makes sense in general to allow a
patchset in first, and then switch it over later.  If we require a mirror on
qemu.org first, then we could end up creating mirrors that are never used,
if patches are rejected for some other reason and the submodule goes unused.
By doing the mirror later, the patchset goes through normal review and the
submodule is committed, and so we know for sure at that point we want the
mirror.


-Jeff



[Qemu-devel] intel-iommu and vhost: Do we need 'device-iotlb' and 'ats'?

2018-02-20 Thread Jintack Lim
Hi,

I'm using vhost with the virtual intel-iommu, and this page[1] shows
the QEMU command line example.

qemu-system-x86_64 -M q35,accel=kvm,kernel-irqchip=split -m 2G \
   -device intel-iommu,intremap=on,device-iotlb=on \
   -device ioh3420,id=pcie.1,chassis=1 \
   -device virtio-net-pci,bus=pcie.1,netdev=net0,disable-legacy=on,disable-modern=off,iommu_platform=on,ats=on \
   -netdev tap,id=net0,vhostforce \
   $IMAGE_PATH

I wonder what the impact of using the device-iotlb and ats options is, as
they are described as necessary.

In my understanding, vhost in the kernel only looks at
VIRTIO_F_IOMMU_PLATFORM, and when it is set, vhost uses a
device-iotlb. In addition, vhost and QEMU communicate using vhost_msg
basically to cache mappings correctly in the vhost, so I wonder what's
the role of ats in this case.

A related question is that if we use SMMU emulation[2] on ARM without
those options, does vhost cache mappings as if it has a device-iotlb?
(I guess this is the case.)

I'm pretty new to QEMU code, so I might be missing something. Can
somebody shed some light on it?

[1] https://wiki.qemu.org/Features/VT-d
[2] http://lists.nongnu.org/archive/html/qemu-devel/2018-02/msg04736.html

Thanks,
Jintack




Re: [Qemu-devel] [RFC PATCH qemu] qmp: Add qom-list-properties to list QOM object properties

2018-02-20 Thread Alexey Kardashevskiy
On 19/01/18 16:09, Alexey Kardashevskiy wrote:
> There is already 'device-list-properties' which does most of the job,
> however it does not handle everything returned by qom-list-types such
> as machines as they inherit directly from TYPE_OBJECT and not TYPE_DEVICE.
> 
> This adds a new qom-list-properties command which prints properties
> of a specific class and its instance. It is pretty much a simplified copy
> of the device-list-properties handler.
> 
> Since it creates an object instance, device properties should appear
> in the output as they are copied to QOM properties at the instance_init
> hook.
> 
> Signed-off-by: Alexey Kardashevskiy 


So is it ack or nack for the patch? Whose area is this? Thanks,



> ---
> 
> I am missing the point of make_device_property_info().
> qmp_device_list_properties() creates the instance which copies everything
> to QOM properties hashtable and commenting out the do{}while() in
> make_device_property_info() does not seem to change a thing, what case
> am I missing here?
> 
> 
> ---
>  qapi-schema.json | 29 +
>  qmp.c| 52 
>  2 files changed, 81 insertions(+)
> 
> diff --git a/qapi-schema.json b/qapi-schema.json
> index 5c06745..9d73501 100644
> --- a/qapi-schema.json
> +++ b/qapi-schema.json
> @@ -1455,6 +1455,35 @@
>'returns': [ 'DevicePropertyInfo' ] }
>  
>  ##
> +# @QOMPropertyInfo:
> +#
> +# Information about object properties.
> +#
> +# @name: the name of the property
> +# @type: the typename of the property
> +# @description: if specified, the description of the property.
> +#
> +# Since: 2.12
> +##
> +{ 'struct': 'QOMPropertyInfo',
> +  'data': { 'name': 'str', 'type': 'str', '*description': 'str' } }
> +
> +##
> +# @qom-list-properties:
> +#
> +# List properties associated with a QOM object.
> +#
> +# @typename: the type name of an object
> +#
> +# Returns: a list of QOMPropertyInfo describing object properties
> +#
> +# Since: 2.12
> +##
> +{ 'command': 'qom-list-properties',
> +  'data': { 'typename': 'str'},
> +  'returns': [ 'QOMPropertyInfo' ] }
> +
> +##
>  # @xen-set-global-dirty-log:
>  #
>  # Enable or disable the global dirty log mode.
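Review bot: the doc comment for @qom-list-properties should say that the command instantiates @typename to collect its properties and therefore rejects abstract types; the qmp.c side of this patch returns an error for them and a caller reading only the schema has no way to learn that. Minor: `'data': { 'typename': 'str'},` is missing the space before `}` that the surrounding definitions use.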
> diff --git a/qmp.c b/qmp.c
> index 52cfd2d..20cb662 100644
> --- a/qmp.c
> +++ b/qmp.c
> @@ -574,6 +574,58 @@ DevicePropertyInfoList *qmp_device_list_properties(const 
> char *typename,
>  return prop_list;
>  }
>  
> +QOMPropertyInfoList *qmp_qom_list_properties(const char *typename,
> + Error **errp)
> +{
> +ObjectClass *klass;
> +Object *obj;
> +ObjectProperty *prop;
> +ObjectPropertyIterator iter;
> +QOMPropertyInfoList *prop_list = NULL;
> +
> +klass = object_class_by_name(typename);
> +if (klass == NULL) {
> +error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
> +  "Class '%s' not found", typename);
> +return NULL;
> +}
> +
> +klass = object_class_dynamic_cast(klass, TYPE_OBJECT);
> +if (klass == NULL) {
> +error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "typename", 
> TYPE_OBJECT);
> +return NULL;
> +}
> +
> +if (object_class_is_abstract(klass)) {
> +error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "typename",
> +   "non-abstract class");
> +return NULL;
> +}
> +
> +obj = object_new(typename);
> +
> +object_property_iter_init(, obj);
> +while ((prop = object_property_iter_next())) {
> +QOMPropertyInfo *info;
> +QOMPropertyInfoList *entry;
> +
> +info = g_malloc0(sizeof(*info));
> +info->name = g_strdup(prop->name);
> +info->type = g_strdup(prop->type);
> +info->has_description = !!prop->description;
> +info->description = g_strdup(prop->description);
> +
> +entry = g_malloc0(sizeof(*entry));
> +entry->value = info;
> +entry->next = prop_list;
> +prop_list = entry;
> +}
> +
> +object_unref(obj);
> +
> +return prop_list;
> +}
> +
>  CpuDefinitionInfoList *qmp_query_cpu_definitions(Error **errp)
>  {
>  return arch_query_cpu_definitions(errp);
> 
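Review bot: the `object_class_dynamic_cast(klass, TYPE_OBJECT)` check can never fail, since every class returned by object_class_by_name() derives from TYPE_OBJECT, so that branch and its error are dead code (it looks carried over from the TYPE_DEVICE check in qmp_device_list_properties) and should be dropped. More importantly, object_new(typename) on an arbitrary non-abstract type runs that type's instance_init, which for some types has effects beyond the temporary object; the commit message should say why that is acceptable for a query command, or the command should restrict which types it will instantiate. Minor: entries are prepended, so the list comes out in reverse iteration order.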


-- 
Alexey



[Qemu-devel] [PATCH] virtio-gpu-3d: add support for second capability set (v2)

2018-02-20 Thread Dave Airlie
From: Dave Airlie 

Due to a kernel bug we can never increase the size of capability
set 1, so introduce a new capability set in parallel, old userspace
will continue to use the old set, new userspace will start using
the new one when it detects a fixed kernel.

v2: don't use a define from virglrenderer, just probe it.

Signed-off-by: Dave Airlie 
---
 hw/display/virtio-gpu-3d.c  | 5 +
 hw/display/virtio-gpu.c | 7 ++-
 include/standard-headers/linux/virtio_gpu.h | 1 +
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 7db84efe89..c601b43810 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -362,6 +362,11 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
 virgl_renderer_get_cap_set(resp.capset_id,
_max_version,
_max_size);
+} else if (info.capset_index == 1) {
+resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL2;
+virgl_renderer_get_cap_set(resp.capset_id,
+   _max_version,
+   _max_size);
 } else {
 resp.capset_max_version = 0;
 resp.capset_max_size = 0;
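Review bot: the new `info.capset_index == 1` branch does not check that a second capset was actually advertised (realize only sets num_capsets to 2 when the VIRGL2 probe reports a version above 0), so a guest asking for index 1 on a renderer without VIRGL2 gets capset_id VIRTIO_GPU_CAPSET_VIRGL2 with version 0 instead of the zeroed reply of the else branch. Gate the branch on `g->virtio_config.num_capsets > 1`, or fall through to the else branch when the probe returns 0. The two branches are otherwise identical apart from the id; a small index-to-id lookup would remove the duplication.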
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 6658f6c6a6..1418db1b88 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1212,10 +1212,15 @@ static void virtio_gpu_device_realize(DeviceState 
*qdev, Error **errp)
 g->req_state[0].height = g->conf.yres;
 
 if (virtio_gpu_virgl_enabled(g->conf)) {
+uint32_t capset2_max_ver, capset2_max_size;
 /* use larger control queue in 3d mode */
 g->ctrl_vq   = virtio_add_queue(vdev, 256, virtio_gpu_handle_ctrl_cb);
 g->cursor_vq = virtio_add_queue(vdev, 16, virtio_gpu_handle_cursor_cb);
-g->virtio_config.num_capsets = 1;
+
+virgl_renderer_get_cap_set(VIRTIO_GPU_CAPSET_VIRGL2,
+   _max_ver,
+   _max_size);
+g->virtio_config.num_capsets = capset2_max_ver > 0 ? 2 : 1;
 } else {
 g->ctrl_vq   = virtio_add_queue(vdev, 64, virtio_gpu_handle_ctrl_cb);
 g->cursor_vq = virtio_add_queue(vdev, 16, virtio_gpu_handle_cursor_cb);
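Review bot: the hunk calls virgl_renderer_get_cap_set() at realize time, and nothing in the hunk shows that the renderer has been initialised by then; add a comment stating why probing is safe at this point (or what the call returns before initialisation), since the v2 note in the commit message only says the define was replaced by a probe. Also `capset2_max_size` is written but never read; if it exists only to satisfy the function's signature, say so in a comment, and move the new declaration below the existing `/* use larger control queue in 3d mode */` comment so that comment stays attached to the queue setup it describes.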
diff --git a/include/standard-headers/linux/virtio_gpu.h 
b/include/standard-headers/linux/virtio_gpu.h
index c1c8f0751d..52a830dcf8 100644
--- a/include/standard-headers/linux/virtio_gpu.h
+++ b/include/standard-headers/linux/virtio_gpu.h
@@ -260,6 +260,7 @@ struct virtio_gpu_cmd_submit {
 };
 
 #define VIRTIO_GPU_CAPSET_VIRGL 1
+#define VIRTIO_GPU_CAPSET_VIRGL2 2
 
 /* VIRTIO_GPU_CMD_GET_CAPSET_INFO */
 struct virtio_gpu_get_capset_info {
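Review bot: include/standard-headers/linux/virtio_gpu.h is a copy of the kernel UAPI header maintained by scripts/update-linux-headers.sh, so adding VIRTIO_GPU_CAPSET_VIRGL2 by hand will be overwritten by the next header sync; the define should land in the kernel header first and be imported with the usual header-update commit, or the commit message should note that this is a temporary placeholder until then.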
-- 
2.14.3




Re: [Qemu-devel] Call for GSoC & Outreachy 2018 mentors & project ideas

2018-02-20 Thread Alistair Francis
On Tue, Feb 20, 2018 at 3:13 AM, Paolo Bonzini  wrote:
> On 20/02/2018 11:36, Stefan Hajnoczi wrote:
>> === Multi-CPU cluster support for GDB server in QEMU ===
>>
>> There are many examples in modern computing where multiple CPU
>> clusters are grouped together in a single SoC. This is common in the
>> ARM world especially. There are numerous examples such as ARM's
>> big.LITTLE implementations and Xilinx's 4xA53s and 2xR5s on the ZynqMP
>> SoC. The goal of this task is to add support to the GDB server to
>> allow users to debug across these clusters.
>>
>> This is another step towards single binary QEMU as well.
>>
>>  Detailed description of the project.
>>
>> Xilinx has an out of tree implementation that can be used as a
>> starting point. Work will need to be done on top of this to prepare it
>> for upstream submission and to ensure the implementation is more
>> generic.
>>
>> This will mostly involve extending GDB server to tell GDB about
>> different architectures and then allow the user to swap between them.
>>
>> The Xilinx implementation can be seen here:
>> https://github.com/Xilinx/qemu/blob/master/gdbstub.c
>> There have been some steps in preparing the work to go upstream, which
>> can be seen here:
>> https://github.com/Xilinx/qemu/tree/mainline/alistair/gdb
>
> I agree this is interesting.  Another related idea is to resume the
> multi-arch work that Peter Crosthwaite was working on before he left Xilinx.

That would be great! But it seems a little open ended for this type of
thing. Someone doing that will need to touch a large amount of QEMU
code.

Alistair

>
> Paolo
>



Re: [Qemu-devel] [PATCH] hw/acpi-build: build SRAT memory affinity structures for NVDIMM

2018-02-20 Thread Dan Williams
On Tue, Feb 20, 2018 at 6:10 AM, Igor Mammedov  wrote:
> On Sat, 17 Feb 2018 14:31:35 +0800
> Haozhong Zhang  wrote:
>
>> ACPI 6.2A Table 5-129 "SPA Range Structure" requires that the proximity
>> domain of an NVDIMM SPA range match the corresponding entry in the
>> SRAT table.
>>
>> The address ranges of vNVDIMM in QEMU are allocated from the
>> hot-pluggable address space, which is entirely covered by one SRAT
>> memory affinity structure. However, users can set the vNVDIMM
>> proximity domain in NFIT SPA range structure by the 'node' property of
>> '-device nvdimm' to a value different than the one in the above SRAT
>> memory affinity structure.
>>
>> In order to solve such a proximity domain mismatch, this patch builds one
>> SRAT memory affinity structure for each NVDIMM device with the
>> proximity domain used in NFIT. The remaining hot-pluggable address
>> space is covered by one or multiple SRAT memory affinity structures
>> with the proximity domain of the last node as before.
>>
>> Signed-off-by: Haozhong Zhang 
> If we consider a hotpluggable system, a correctly implemented OS should
> be able to pull the proximity from Device::_PXM and override any value from SRAT.
> Do we really have a problem here (anything that breaks if we would use _PXM)?
> Maybe we should add _PXM object to nvdimm device nodes instead of massaging 
> SRAT?

Unfortunately _PXM is an awkward fit. Currently the proximity domain
is attached to the SPA range structure. The SPA range may be
associated with multiple DIMM devices and those individual NVDIMMs may
have conflicting _PXM properties. Even if that was unified across
DIMMs it is ambiguous whether a DIMM-device _PXM would relate to the
device's control interface, or the assembled persistent memory SPA
range.



[Qemu-devel] [PATCH] configure: fix sanitizers' test program to mend ASan detection

2018-02-20 Thread Emilio G. Cota
Commit 218bb57 ("build-sys: check static linking of UBSAN", 2018-02-13)
adds a small test program to check whether ubsan works even when
configuring with --static. This added program is used to
detect all sanitizers, which breaks ASan's detection since the
compilation fails with -fsanitize=address, at least with gcc 5.4.0
and 7.2.0:

  qemu-conf.c: In function ‘main’:
  qemu-conf.c:3:20: error: integer overflow in expression [-Werror=overflow]
 return INT32_MIN / -1;
  ^
  cc1: all warnings being treated as errors

Fix it by:

- Changing the test program to one that incurs undefined behaviour that isn't
  detected at compile-time, even with -fsanitize=address.

- To be extra safe (since compilers might evolve and eventually figure out
  the UB at compile-time), use this newly-added test only when checking
  for UBSan; use the skeleton otherwise.

Signed-off-by: Emilio G. Cota 
---
 configure | 20 
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/configure b/configure
index 913e148..56f647f 100755
--- a/configure
+++ b/configure
@@ -5306,13 +5306,13 @@ fi
 ##
 # checks for sanitizers
 
-# we could use a simple skeleton for flags checks, but this also
-# detect the static linking issue of ubsan, see also:
+# Use this program to detect the static linking issue of ubsan; see
 # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84285
 cat > $TMPC << EOF
-#include 
-int main(void) {
-  return INT32_MIN / -1;
+int main(int argc, char **argv) {
+  int k = 0x7fff;
+  k += argc;
+  return 0;
 }
 EOF
 
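Review bot: as the hunk reads, `int k = 0x7fff; k += argc;` cannot overflow a 32-bit int, so the program does not contain the undefined behaviour the commit message relies on and -fsanitize=undefined has nothing to instrument; the constant must be INT_MAX (0x7fffffff) for `k += argc` to overflow. Writing it as `INT_MAX` from <limits.h>, with a comment that the overflow is deliberate, would make the intent survive future edits; note that the `#include` line was removed from the new program, so the include would have to come back for that.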
@@ -5322,12 +5322,16 @@ have_asan_iface_h=no
 have_asan_iface_fiber=no
 
 if test "$sanitizers" = "yes" ; then
+  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=undefined" ""; then
+have_ubsan=yes
+  fi
+
+  # Use the skeleton for all other sanitizer checks
+  write_c_skeleton
+
   if compile_prog "$CPU_CFLAGS -Werror -fsanitize=address" ""; then
   have_asan=yes
   fi
-  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=undefined" ""; then
-  have_ubsan=yes
-  fi
 
   if check_include "sanitizer/asan_interface.h" ; then
   have_asan_iface_h=yes
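Review bot: the UBSan probe depends on the compiler not diagnosing the overflow at compile time, and because `-Werror` is passed, a compiler that starts to do so would silently leave `have_ubsan` unset with no indication in the configure output; consider printing the ubsan result in the feature summary so such a regression is visible, and extend the comment above `write_c_skeleton` to say that the order matters: the overflow program must be consumed by the ubsan check before the skeleton overwrites $TMPC.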
-- 
2.7.4




Re: [Qemu-devel] [PATCH v2 5/8] net: Remove the deprecated way of dumping network packets

2018-02-20 Thread Thomas Huth
On 20.02.2018 23:35, Eric Blake wrote:
> On 02/20/2018 11:40 AM, Thomas Huth wrote:
>> "-net dump" has been marked as deprecated since QEMU v2.10, since it
>> only works with the deprecated 'vlan' parameter (or hubs). Network
>> dumping should be done with "-object filter-dump" nowadays instead.
>> Since nobody complained so far about the deprecation message, let's
>> finally get rid of "-net dump" now.
>>
>> Reviewed-by: Paolo Bonzini 
>> Reviewed-by: Eric Blake 
>> Signed-off-by: Thomas Huth 
>> ---
> 
>> +++ b/qapi/net.json
>> @@ -39,8 +39,10 @@
>>   #
>>   # Add a network backend.
>>   #
>> -# @type: the type of network backend.  Current valid values are
>> 'user', 'tap',
>> -#    'vde', 'socket', 'dump' and 'bridge'
>> +# @type: the type of network backend. Possible values in version
>> +#    2.11: 'user', 'tap', 'vde', 'socket', 'hubport', 'bridge',
>> +#  'dump', 'l2tpv3', 'netmap', 'vhost-user'
>> +#    2.12: 'dump' dropped
>>   #
> 
> That's a bit fuzzy, especially since the command has been around since
> 0.14.  It might be easier to word it as:
> 
> @type: the type of network backend. Possible values are listed in
> NetClientDriver.

That's a really good idea to avoid that we have to maintain the list
multiple times...

> Then defer the actual listing by version...
> 
>> @@ -468,7 +453,7 @@
>>   # Since: 2.7
>>   ##
>>   { 'enum': 'NetClientDriver',
>> -  'data': [ 'none', 'nic', 'user', 'tap', 'l2tpv3', 'socket', 'vde',
>> 'dump',
>> +  'data': [ 'none', 'nic', 'user', 'tap', 'l2tpv3', 'socket', 'vde',
>>   'bridge', 'hubport', 'netmap', 'vhost-user' ] }
> 
> ...to here

... but 'none' and 'nic' are not valid for netdev_add. Well, I guess I
can simply write something like "Possible values are listed in
NetClientDriver (excluding 'none' and 'nic')". I'll send a v3 with that.

 Thomas


PS: By the way, now that you've mentioned this, I think "dump" was also
not valid for netdev_add, so the comment was even wrong there.



Re: [Qemu-devel] [PATCH v2 8/8] qemu-doc: Make "-net" less prominent

2018-02-20 Thread Thomas Huth
On 20.02.2018 19:37, Paolo Bonzini wrote:
> On 20/02/2018 18:40, Thomas Huth wrote:
>> "-net" is clearly a legacy option. Yet we still use it in almost all
>> examples in the qemu documentation, and many other spots in the network
>> chapter. We should make it less prominent that users are not lured into
>> using it so often anymore. So instead of starting the network chapter with
>> "-net nic" and documenting "-net " below "-netdev "
>> everywhere, all the "-net" related documentation is now moved to the end
>> of the chapter. And the examples are changed to use the "--device" and
>> "--netdev" options instead of "-net nic -net ".
> 
> Do we want to change them to "-nic" instead?  The proof is in the
> pudding, they say, :) and "-nic" is way easier to learn than "-device
> -netdev".

While -nic is easier to use than -netdev, I don't think that we should
put the focus in our main qemu-doc on -nic instead of -netdev. -nic is a
convenience option, while -netdev is the "architected" way to configure
network devices. We first should document how to do it "right", and
teach the user to properly distinguish between emulated guest hardware and
host network backend (with the old -net command, a lot of people seemed
to have mixed that up IIRC), and then finally explain -nic on top of it.

> And maybe we *should* go the extra mile and deprecate "-net" altogether.
>  The only case where the newer syntax is a bit more uncomfortable is for
> "-net nic -net nic -net tap|user", which however does work with "-nic
> hubport -nic hubport -netdev tap|user,id=x -netdev hubport,netdev=x".

I'd be glad to add such a deprecation patch to this series - I just
thought it might have been too early so far, but if you feel confident
that we can mark it as deprecated, I can spin a v3 with such a patch on
top...

 Thomas



Re: [Qemu-devel] [RFC PATCH v6 00/20] replay additions

2018-02-20 Thread Ciro Santilli
On Tue, Feb 20, 2018 at 9:46 AM, Pavel Dovgalyuk  wrote:
>> From: Ciro Santilli [mailto:ciro.santi...@gmail.com]
>> On Mon, Feb 19, 2018 at 8:02 AM, Pavel Dovgalyuk  wrote:
>> >> From: Pavel Dovgalyuk [mailto:dovga...@ispras.ru]
>> >> > From: Peter Maydell [mailto:peter.mayd...@linaro.org]
>> >> > On 13 February 2018 at 10:26, Pavel Dovgalyuk  
>> >> > wrote:
>> >> > > Then I added SCSI adapter with the option –device lsi,id=scsi0 and 
>> >> > > QEMU
>> >> > > failed with the following error:
>> >> > >
>> >> > > qemu: fatal: IO on conditional branch instruction
>> >> >
>> >> > > Seems that your kernel is incompatible with QEMU, whose ARM emulation is not
>> >> > > good enough.
>> >> >
>> >> > It seems fairly unlikely to me that the Linux driver for this
>> >> > SCSI adaptor is using weirdo self-modifying code of the kind
>> >> > that would trip up that cpu_abort(). I would suggest a bit
>> >> > more investigation into what's actually happening...
>> >>
>> >> Peter, I bisected this bug and figured out the following.
>> >>
>> >> icount in ARM was broken by the following commit: 
>> >> 9b990ee5a3cc6aa38f81266fb0c6ef37a36c45b9
>> >> tcg: Add CPUState cflags_next_tb
>> >> This commit breaks execution of Ciro's kernel with enabled icount.
>> >> I haven't yet figured out why this happens.
>> >
>> > The problem is in the following code.
>> > As far, as I can understand, original version recompiles the TB and
>> > continues the execution as it goes.
>> >
>> > But the modified version sets cflags for the next compilation.
>> > And these are the flags for the old TB which should replace the original 
>> > one.
>> > TCG tries to use cflags for the new TB (which starts after the interrupted 
>> > one)
>> > and fails, because these flags are inappropriate.
>> > That is why icount execution fails.
>> >
>> > New version also does not include recompilation of the old block, which is 
>> > wrong too.
>> >
>>
>> Awesome! Can you push it to a branch, and give the full qemu command
>> line so I can test it?
>
> Updated the branch on github.
> You may try it.
>

Thanks,

At 8a482834780a131e7747c1c3c1931379ed0beedc ARM initrd record runs,
but replay is getting stuck at:

[   12.120424] scsi host0: sym-2.2.3

Neighboring lines on record:

[   11.346357] sym53c8xx :00:0c.0: enabling device (0100 -> 0103)
[   11.536683] sym0: <895a> rev 0x0 at pci :00:0c.0 irq 66
[   11.731679] sym0: No NVRAM, ID 7, Fast-40, LVD, parity checking
[   11.930599] sym0: SCSI BUS has been reset.
[   12.120424] scsi host0: sym-2.2.3
[   15.451809] scsi 0:0:2:0: CD-ROMQEMU QEMU CD-ROM 2.5+ PQ: 0 ANSI: 5
[   15.847227] scsi target0:0:2: tagged command queuing enabled, command queue depth 16.
[   16.256585] scsi target0:0:2: Beginning Domain Validation
[   16.482189] scsi target0:0:2: Domain Validation skipping write tests
[   16.699445] scsi target0:0:2: Ending Domain Validation

My QEMU command:

time ./buildroot/output.arm~/host/usr/bin/qemu-system-arm -M versatilepb \
  -append 'root=/dev/sda nokaslr norandmaps printk.devkmsg=on printk.time=y - lkmc_eval="/rand_check.out;wget -S google.com;/poweroff.out;"' \
  -kernel ./buildroot/output.arm~/images/zImage \
  -dtb ./buildroot/output.arm~/images/versatile-pb.dtb \
  -nographic \
  -initrd ./buildroot/output.arm~/images/rootfs.cpio \
  -netdev user,id=net1 \
  -device rtl8139,netdev=net1 \
  -object filter-replay,id=replay,netdev=net1

What is your full QEMU command?

Also I think the patch to fix qemu-img was not included in the branch.

> Pavel Dovgalyuk
>



Re: [Qemu-devel] [PATCH] Fix ast2500 protection register emulation

2018-02-20 Thread Andrew Jeffery
On Tue, 20 Feb 2018, at 23:56, Hugo Landau wrote:
> Some register blocks of the ast2500 are protected by protection key
> registers which require the right magic value to be written to those
> registers to allow those registers to be mutated.
> 
> Register manuals indicate that writing the correct magic value to these
> registers should cause subsequent reads from those values to return 1,
> and writing any other value should cause subsequent reads to return 0.
> 
> Previously, qemu implemented these registers incorrectly: the registers
> were handled as simple memory, meaning that writing some value x to a
> protection key register would result in subsequent reads from that
> register returning the same value x. The protection was implemented by
> ensuring that the current value of that register equaled the magic
> value.
> 
> This modifies qemu to have the correct behaviour: attempts to write to an
> ast2500 protection register result in a transition to 1 or 0 depending
> on whether the written value is the correct magic. The protection logic
> is updated to ensure that the value of the register is nonzero.
> 
> This bug caused deadlocks with u-boot HEAD: when u-boot is done with a
> protectable register block, it attempts to lock it by writing the
> bitwise inverse of the correct magic value, and then spinning forever
> until the register reads as zero. Since qemu implemented writes to these
> registers as ordinary memory writes, writing the inverse of the magic
> value resulted in subsequent reads returning that value, leading to
> u-boot spinning forever.
> 
> Signed-off-by: Hugo Landau 

Acked-by: Andrew Jeffery 

> ---
>  hw/misc/aspeed_scu.c  | 6 +-
>  hw/misc/aspeed_sdmc.c | 8 +++-
>  2 files changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
> index 74537ce975..5e6d5744ee 100644
> --- a/hw/misc/aspeed_scu.c
> +++ b/hw/misc/aspeed_scu.c
> @@ -191,7 +191,7 @@ static void aspeed_scu_write(void *opaque, hwaddr 
> offset, uint64_t data,
>  }
>  
>  if (reg > PROT_KEY && reg < CPU2_BASE_SEG1 &&
> -s->regs[PROT_KEY] != ASPEED_SCU_PROT_KEY) {
> +!s->regs[PROT_KEY]) {
>  qemu_log_mask(LOG_GUEST_ERROR, "%s: SCU is locked!\n", 
> __func__);
>  return;
>  }
> @@ -199,6 +199,10 @@ static void aspeed_scu_write(void *opaque, hwaddr 
> offset, uint64_t data,
>  trace_aspeed_scu_write(offset, size, data);
>  
>  switch (reg) {
> +case PROT_KEY:
> +s->regs[reg] = (data == ASPEED_SCU_PROT_KEY) ? 1 : 0;
> +return;
> +
>  case FREQ_CNTR_EVAL:
>  case VGA_SCRATCH1 ... VGA_SCRATCH8:
>  case RNG_DATA:
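Review bot: with PROT_KEY now latching 1 or 0 instead of the written value, the stored representation of "unlocked" has changed; please check that the reset value of s->regs[PROT_KEY] (if it was seeded with ASPEED_SCU_PROT_KEY) and any saved state from older QEMU are still interpreted correctly, since the lock check in the previous hunk now only tests for non-zero. A short comment at `case PROT_KEY:` noting that the register reads back as 1/0 per the register manual would also help the next reader.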
> diff --git a/hw/misc/aspeed_sdmc.c b/hw/misc/aspeed_sdmc.c
> index f0b3053fae..265171ee42 100644
> --- a/hw/misc/aspeed_sdmc.c
> +++ b/hw/misc/aspeed_sdmc.c
> @@ -110,7 +110,12 @@ static void aspeed_sdmc_write(void *opaque, hwaddr 
> addr, uint64_t data,
>  return;
>  }
>  
> -if (addr != R_PROT && s->regs[R_PROT] != PROT_KEY_UNLOCK) {
> +if (addr == R_PROT) {
> +  s->regs[addr] = (data == PROT_KEY_UNLOCK) ? 1 : 0;
> +  return;
> +}
> +
> +if (!s->regs[R_PROT]) {
>  qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", 
> __func__);
>  return;
>  }
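Review bot: the body of the new `if (addr == R_PROT)` block is indented with two spaces whereas the file (and QEMU coding style) uses four; checkpatch will flag `s->regs[addr] = (data == PROT_KEY_UNLOCK) ? 1 : 0;` and the `return;` below it.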
> @@ -123,6 +128,7 @@ static void aspeed_sdmc_write(void *opaque, hwaddr 
> addr, uint64_t data,
>  data &= ~ASPEED_SDMC_READONLY_MASK;
>  break;
>  case AST2500_A0_SILICON_REV:
> +case AST2500_A1_SILICON_REV:
>  data &= ~ASPEED_SDMC_AST2500_READONLY_MASK;
>  break;
>  default:
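Review bot: adding `case AST2500_A1_SILICON_REV:` to the read-only mask switch is unrelated to the protection-key fix described in the commit message and is not mentioned there; split it into its own patch, or at least describe it in the message, since it changes which register bits are writable on A1 silicon.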
> -- 
> 2.15.0
> 
> 
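As an added illustration of the behaviour the commit message describes (not code from the patch or from QEMU): a small C model of a key-protected register block with the old plain-memory semantics beside the patched 1/0 latch, driven through the u-boot lock sequence with a bounded spin so the old behaviour shows up as a timeout instead of a hang. The magic value and the names below are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed magic for the example; the real key constant lives in QEMU. */
#define PROT_KEY_MAGIC 0x1688A8A8u

/* Minimal model of a protected register block: one key register and one
 * register that may only be written while the block is unlocked. */
typedef struct {
    uint32_t prot_key;   /* value a read of the key register returns */
    uint32_t data;       /* a protected register */
    bool     fixed;      /* true: semantics after the patch, false: before */
} prot_block;

static void key_write(prot_block *b, uint32_t val)
{
    if (b->fixed) {
        /* Patched: the register latches only whether the magic was written */
        b->prot_key = (val == PROT_KEY_MAGIC) ? 1 : 0;
    } else {
        /* Old: treated as plain memory, the written value is stored as-is */
        b->prot_key = val;
    }
}

static bool is_unlocked(const prot_block *b)
{
    /* Old check compared against the magic; the patch tests for non-zero */
    return b->fixed ? b->prot_key != 0 : b->prot_key == PROT_KEY_MAGIC;
}

/* Returns true if the write was accepted, false if the block was locked
 * (QEMU logs a LOG_GUEST_ERROR and drops the write in that case). */
static bool data_write(prot_block *b, uint32_t val)
{
    if (!is_unlocked(b)) {
        return false;
    }
    b->data = val;
    return true;
}

/* The u-boot lock sequence from the commit message: write the bitwise
 * inverse of the magic, then spin until the key register reads zero.
 * The spin is bounded so the old behaviour shows up as -1 (timeout)
 * instead of a hang; otherwise returns the number of polls taken. */
static int uboot_lock_sequence(prot_block *b, int max_polls)
{
    key_write(b, ~PROT_KEY_MAGIC);
    for (int i = 1; i <= max_polls; i++) {
        if (b->prot_key == 0) {
            return i;
        }
    }
    return -1;
}

/* Polls the lock sequence needs on a freshly unlocked block. */
static int lock_polls(bool fixed)
{
    prot_block b = { .prot_key = 0, .data = 0, .fixed = fixed };
    key_write(&b, PROT_KEY_MAGIC);
    return uboot_lock_sequence(&b, 1000);
}

/* Unlock, write, lock round trip; true when each step behaves as the
 * register manual describes. */
static bool round_trip(bool fixed)
{
    prot_block b = { .prot_key = 0, .data = 0, .fixed = fixed };

    if (data_write(&b, 0xAA)) {
        return false;                 /* must be locked at reset */
    }
    key_write(&b, PROT_KEY_MAGIC);
    if (!data_write(&b, 0xAA) || b.data != 0xAA) {
        return false;                 /* unlocked: write must land */
    }
    if (fixed && b.prot_key != 1) {
        return false;                 /* manual: key reads back as 1 */
    }
    return uboot_lock_sequence(&b, 1000) > 0;
}

int main(void)
{
    printf("before fix: %s\n", round_trip(false) ? "ok" : "u-boot spins forever");
    printf("after fix:  %s\n", round_trip(true) ? "ok" : "FAIL");
    return 0;
}
```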



[Qemu-devel] [PATCH v4 5/5] usb-mtp: Advertise SendObjectInfo for write support

2018-02-20 Thread Bandan Das
This patch implements a dummy ObjectInfo structure so that
it's easy to typecast the incoming data. If the metadata is
valid, write_pending is set. Also, the incoming filename
is utf-16, so, instead of depending on external libraries, just
implement a simple function to get the filename

Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 132 ++-
 1 file changed, 130 insertions(+), 2 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 9b51708614..086296f415 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -47,6 +47,7 @@ enum mtp_code {
 CMD_GET_OBJECT_INFO= 0x1008,
 CMD_GET_OBJECT = 0x1009,
 CMD_DELETE_OBJECT  = 0x100b,
+CMD_SEND_OBJECT_INFO   = 0x100c,
 CMD_SEND_OBJECT= 0x100d,
 CMD_GET_PARTIAL_OBJECT = 0x101b,
 CMD_GET_OBJECT_PROPS_SUPPORTED = 0x9801,
@@ -67,8 +68,10 @@ enum mtp_code {
 RES_STORE_FULL = 0x200c,
 RES_STORE_READ_ONLY= 0x200e,
 RES_PARTIAL_DELETE = 0x2012,
+RES_STORE_NOT_AVAILABLE= 0x2013,
 RES_SPEC_BY_FORMAT_UNSUPPORTED = 0x2014,
 RES_INVALID_OBJECTINFO = 0x2015,
+RES_DESTINATION_UNSUPPORTED= 0x2020,
 RES_INVALID_PARENT_OBJECT  = 0x201a,
 RES_INVALID_PARAMETER  = 0x201d,
 RES_SESSION_ALREADY_OPEN   = 0x201e,
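Review bot: RES_DESTINATION_UNSUPPORTED (0x2020) is inserted between 0x2015 and 0x201a, breaking the numeric ordering of the enum; move it below `RES_SESSION_ALREADY_OPEN = 0x201e,` so the list stays sorted.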
@@ -196,6 +199,34 @@ struct MTPState {
 } dataset;
 };
 
+/*
+ * ObjectInfo dataset received from initiator
+ * Fields we don't care about are ignored
+ */
+typedef struct {
+uint32_t storage_id; /*unused*/
+uint16_t format;
+uint16_t protection_status; /*unused*/
+uint32_t size;
+uint16_t thumb_format; /*unused*/
+uint32_t thumb_comp_sz; /*unused*/
+uint32_t thumb_pix_width; /*unused*/
+uint32_t thumb_pix_height; /*unused*/
+uint32_t image_pix_width; /*unused*/
+uint32_t image_pix_height; /*unused*/
+uint32_t image_bit_depth; /*unused*/
+uint32_t parent; /*unused*/
+uint16_t assoc_type;
+uint32_t assoc_desc;
+uint32_t seq_no; /*unused*/
+uint8_t length; /*part of filename field*/
+uint16_t filename[0];
+char date_created[0]; /*unused*/
+char date_modified[0]; /*unused*/
+char keywords[0]; /*unused*/
+/* string and other data follows */
+} QEMU_PACKED ObjectInfo;
+
 #define TYPE_USB_MTP "usb-mtp"
 #define USB_MTP(obj) OBJECT_CHECK(MTPState, (obj), TYPE_USB_MTP)
 
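Review bot: the ObjectInfo struct declares four zero-length arrays (filename, date_created, date_modified, keywords) at the same offset; only `filename` can meaningfully be addressed through the struct, so the other three are misleading and should go, with a comment that the remaining strings follow the variable-length filename. More importantly, because this struct is typecast directly over initiator-supplied data, the `length` byte (UTF-16 units) has to be checked against the number of bytes actually received before `filename` is read, and the name has to be validated (terminator present, no path separators) before it is used as a file name; the commit message says write_pending is set only "if the metadata is valid", so those checks should be spelled out in the code.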
@@ -437,7 +468,6 @@ static MTPObject *usb_mtp_add_child(MTPState *s, MTPObject 
*o,
 return child;
 }
 
-#ifdef CONFIG_INOTIFY1
 static MTPObject *usb_mtp_object_lookup_name(MTPObject *parent,
  char *name, int len)
 {
@@ -452,6 +482,7 @@ static MTPObject *usb_mtp_object_lookup_name(MTPObject 
*parent,
 return NULL;
 }
 
+#ifdef CONFIG_INOTIFY1
 static MTPObject *usb_mtp_object_lookup_wd(MTPState *s, int wd)
 {
 MTPObject *iter;
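Review bot: moving usb_mtp_object_lookup_name() out of the CONFIG_INOTIFY1 region is needed so the new SendObjectInfo path can use it in builds without inotify, but the commit message does not mention it; add a sentence there.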
@@ -815,6 +846,7 @@ static MTPData *usb_mtp_get_device_info(MTPState *s, 
MTPControl *c)
 CMD_GET_OBJECT_HANDLES,
 CMD_GET_OBJECT_INFO,
 CMD_DELETE_OBJECT,
+CMD_SEND_OBJECT_INFO,
 CMD_SEND_OBJECT,
 CMD_GET_OBJECT,
 CMD_GET_PARTIAL_OBJECT,
@@ -1243,7 +1275,7 @@ static void usb_mtp_object_delete(MTPState *s, uint32_t 
handle,
 static void usb_mtp_command(MTPState *s, MTPControl *c)
 {
 MTPData *data_in = NULL;
-MTPObject *o;
+MTPObject *o = NULL;
 uint32_t nres = 0, res0 = 0;
 
 /* sanity checks */
@@ -1390,6 +1422,37 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 nres = 1;
 res0 = data_in->length;
 break;
+case CMD_SEND_OBJECT_INFO:
+/* First parameter points to storage id or is 0 */
+if (c->argv[0] && (c->argv[0] != QEMU_STORAGE_ID)) {
+usb_mtp_queue_result(s, RES_STORE_NOT_AVAILABLE, c->trans,
+ 0, 0, 0, 0);
+} else if (c->argv[1] && !c->argv[0]) {
+/* If second parameter is specified, first must also be specified 
*/
+usb_mtp_queue_result(s, RES_DESTINATION_UNSUPPORTED, c->trans,
+ 0, 0, 0, 0);
+} else {
+uint32_t handle = c->argv[1];
+if (handle == 0x || handle == 0) {
+/* root object */
+o = QTAILQ_FIRST(>objects);
+} else {
+o = usb_mtp_object_lookup(s, handle);
+}
+if (o == NULL) {
+usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE, c->trans,
+ 0, 0, 0, 0);
+}
+if (o->format != FMT_ASSOCIATION) {
+usb_mtp_queue_result(s, RES_INVALID_PARENT_OBJECT, c->trans,
+ 0, 0, 0, 0);
+}
+}
+if (o) {
+s->dataset.parent_handle = o->handle;
+   
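Review bot: when the handle lookup fails, RES_INVALID_OBJECT_HANDLE is queued but execution falls through to `if (o->format != FMT_ASSOCIATION)` and dereferences the NULL pointer; when the format check fails, a result is queued and the following `if (o)` still records the parent handle, and any later queue_result for this transaction will hit the `assert(s->result == NULL)` in usb_mtp_queue_result. Return (or break) right after each error is queued, or chain these as else-if branches the way the storage-id checks above are written.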

[Qemu-devel] [PATCH v4 3/5] usb-mtp: Support delete of mtp objects

2018-02-20 Thread Bandan Das
Write of existing objects by the initiator is achieved by
making a temporary buffer with the new changes, deleting the
old file and then writing a new file with the same name.

Also, add a "readonly" property which needs to be set to false
for deletion to work.

Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 123 +++
 1 file changed, 123 insertions(+)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 63f8f3b90b..5ef77f3e9f 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -46,6 +46,7 @@ enum mtp_code {
 CMD_GET_OBJECT_HANDLES = 0x1007,
 CMD_GET_OBJECT_INFO= 0x1008,
 CMD_GET_OBJECT = 0x1009,
+CMD_DELETE_OBJECT  = 0x100b,
 CMD_GET_PARTIAL_OBJECT = 0x101b,
 CMD_GET_OBJECT_PROPS_SUPPORTED = 0x9801,
 CMD_GET_OBJECT_PROP_DESC   = 0x9802,
@@ -62,6 +63,8 @@ enum mtp_code {
 RES_INVALID_STORAGE_ID = 0x2008,
 RES_INVALID_OBJECT_HANDLE  = 0x2009,
 RES_INVALID_OBJECT_FORMAT_CODE = 0x200b,
+RES_STORE_READ_ONLY= 0x200e,
+RES_PARTIAL_DELETE = 0x2012,
 RES_SPEC_BY_FORMAT_UNSUPPORTED = 0x2014,
 RES_INVALID_PARENT_OBJECT  = 0x201a,
 RES_INVALID_PARAMETER  = 0x201d,
@@ -172,6 +175,7 @@ struct MTPState {
 MTPControl   *result;
 uint32_t session;
 uint32_t next_handle;
+bool readonly;
 
 QTAILQ_HEAD(, MTPObject) objects;
 #ifdef CONFIG_INOTIFY1
@@ -799,6 +803,7 @@ static MTPData *usb_mtp_get_device_info(MTPState *s, 
MTPControl *c)
 CMD_GET_NUM_OBJECTS,
 CMD_GET_OBJECT_HANDLES,
 CMD_GET_OBJECT_INFO,
+CMD_DELETE_OBJECT,
 CMD_GET_OBJECT,
 CMD_GET_PARTIAL_OBJECT,
 CMD_GET_OBJECT_PROPS_SUPPORTED,
@@ -1113,6 +1118,116 @@ static MTPData *usb_mtp_get_object_prop_value(MTPState 
*s, MTPControl *c,
 return d;
 }
 
+/* Return correct return code for a delete event */
+enum {
+ALL_DELETE,
+PARTIAL_DELETE,
+READ_ONLY,
+};
+
+/* Assumes that children, if any, have been already freed */
+static void usb_mtp_object_free_one(MTPState *s, MTPObject *o)
+{
+#ifndef CONFIG_INOTIFY1
+assert(o->nchildren == 0);
+QTAILQ_REMOVE(>objects, o, next);
+g_free(o->name);
+g_free(o->path);
+g_free(o);
+#endif
+}
+
+static int usb_mtp_deletefn(MTPState *s, MTPObject *o, uint32_t trans)
+{
+MTPObject *iter, *iter2;
+bool partial_delete = false;
+bool success = false;
+
+/*
+ * TODO: Add support for Protection Status
+ */
+
+QLIST_FOREACH(iter, >children, list) {
+if (iter->format == FMT_ASSOCIATION) {
+QLIST_FOREACH(iter2, >children, list) {
+usb_mtp_deletefn(s, iter2, trans);
+}
+}
+}
+
+if (o->format == FMT_UNDEFINED_OBJECT) {
+if (remove(o->path)) {
+partial_delete = true;
+} else {
+usb_mtp_object_free_one(s, o);
+success = true;
+}
+}
+
+if (o->format == FMT_ASSOCIATION) {
+if (rmdir(o->path)) {
+partial_delete = true;
+} else {
+usb_mtp_object_free_one(s, o);
+success = true;
+}
+}
+
+if (success && partial_delete) {
+return PARTIAL_DELETE;
+}
+if (!success && partial_delete) {
+return READ_ONLY;
+}
+return ALL_DELETE;
+}
+
+static void usb_mtp_object_delete(MTPState *s, uint32_t handle,
+  uint32_t format_code, uint32_t trans)
+{
+MTPObject *o;
+int ret;
+
+/* Return error if store is read-only */
+if (!FLAG_SET(s, MTP_FLAG_WRITABLE)) {
+usb_mtp_queue_result(s, RES_STORE_READ_ONLY,
+ trans, 0, 0, 0, 0);
+return;
+}
+
+if (format_code != 0) {
+usb_mtp_queue_result(s, RES_SPEC_BY_FORMAT_UNSUPPORTED,
+ trans, 0, 0, 0, 0);
+return;
+}
+
+if (handle == 0xFFF) {
+o = QTAILQ_FIRST(>objects);
+} else {
+o = usb_mtp_object_lookup(s, handle);
+}
+if (o == NULL) {
+usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE,
+ trans, 0, 0, 0, 0);
+return;
+}
+
+ret = usb_mtp_deletefn(s, o, trans);
+if (ret == PARTIAL_DELETE) {
+usb_mtp_queue_result(s, RES_PARTIAL_DELETE,
+ trans, 0, 0, 0, 0);
+return;
+} else if (ret == READ_ONLY) {
+usb_mtp_queue_result(s, RES_STORE_READ_ONLY, trans,
+ 0, 0, 0, 0);
+return;
+} else {
+usb_mtp_queue_result(s, RES_OK, trans,
+ 0, 0, 0, 0);
+return;
+}
+}
+
 static void usb_mtp_command(MTPState *s, MTPControl *c)
 {
 MTPData *data_in = NULL;
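Review bot: usb_mtp_deletefn() never deletes the object's direct children: the loop only recurses into the children of subdirectory children (iter2), so files directly under o and the subdirectories iter themselves are left in place, rmdir(o->path) then fails on a non-empty directory, and because one call sets either success or partial_delete but never both, that failure is reported as RES_STORE_READ_ONLY while RES_PARTIAL_DELETE is unreachable (the recursive call's return value is also discarded). Suggest iterating o->children with QLIST_FOREACH_SAFE, calling usb_mtp_deletefn() on every child (the callee may free the element, so plain QLIST_FOREACH is unsafe there), propagating the child results, and mapping errno (EACCES/EROFS vs. ENOTEMPTY/EBUSY) instead of assuming read-only. Two smaller points: usb_mtp_object_free_one() unlinks o from s->objects but not from its parent's children list or nchildren count, and the root-object check compares the handle with 0xFFF while the MTP all-objects sentinel is 0xFFFFFFFF.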
@@ -1239,6 +1354,9 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 

[Qemu-devel] [PATCH v4 0/5] Initial write support for MTP objects

2018-02-20 Thread Bandan Das
v4:
  4/5: Remove getumask and set default permissions to 0644
  5/5: Remove usb_mtp_object_lookup_name out of #ifdef CONFIG_INOTIFY1
  Test compilation on freebsd

v3:
  3/5: Add a property that sets r/w to on/off (default:off)
   Restructure ifdefs
  4/5: Sort the response codes
  5/5: Use actual names for fields in the dataset
   Copy uint16_t to wchar_t and use wcstombs to get char type
   for filename
v2:
  3/5: Set mtp store flag to read only
  4/5: Fix compiler warnings and change default file permissions
  5/5: Fix file permissions

These patches implement write support for Qemu's MTP
emulation. Simple tests such as delete/move/edit/copy work ok.
Current issues/TODO:

 - File transfers > 4GB have not been tested and will probably not work
 - Some (or most) MTP clients don't advertise hidden files and folders (names
 that start with a .) even though iiuc Qemu MTP does advertise these files.
 This can confuse certain applications such as text editors or git.
 - Also related, file editors typically run fsync when saving. Depending on
 the MTP client, it may choose not to implement it (such as simple-mtpfs that 
 runs on top of fuse).
 - Needs more testing :)


Bandan Das (5):
  usb-mtp: Add one more argument when building results
  usb-mtp: print parent path in IN_IGNORED trace fn
  usb-mtp: Support delete of mtp objects
  usb-mtp: Introduce write support for MTP objects
  usb-mtp: Advertise SendObjectInfo for write support

 hw/usb/dev-mtp.c | 462 +++
 1 file changed, 432 insertions(+), 30 deletions(-)

-- 
2.14.3




[Qemu-devel] [PATCH v4 1/5] usb-mtp: Add one more argument when building results

2018-02-20 Thread Bandan Das
The response to a SendObjectInfo consists of the storageid,
parent object handle and the handle reserved for the new
incoming object

Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 50 +++---
 1 file changed, 27 insertions(+), 23 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 94c2e94f10..b55aa8205e 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -765,7 +765,8 @@ static void usb_mtp_add_time(MTPData *data, time_t time)
 /* --- */
 
 static void usb_mtp_queue_result(MTPState *s, uint16_t code, uint32_t trans,
- int argc, uint32_t arg0, uint32_t arg1)
+ int argc, uint32_t arg0, uint32_t arg1,
+ uint32_t arg2)
 {
 MTPControl *c = g_new0(MTPControl, 1);
 
@@ -778,6 +779,9 @@ static void usb_mtp_queue_result(MTPState *s, uint16_t 
code, uint32_t trans,
 if (argc > 1) {
 c->argv[1] = arg1;
 }
+if (argc > 2) {
+c->argv[2] = arg2;
+}
 
 assert(s->result == NULL);
 s->result = c;
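Review bot: argc is still unbounded, so a caller passing argc > 3 would silently drop arguments. An assert(argc <= 3) here (or an array parameter plus count) keeps the three-parameter SendObjectInfo response from quietly truncating as callers are added.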
@@ -1119,7 +1123,7 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 /* sanity checks */
 if (c->code >= CMD_CLOSE_SESSION && s->session == 0) {
 usb_mtp_queue_result(s, RES_SESSION_NOT_OPEN,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 
@@ -1131,12 +1135,12 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 case CMD_OPEN_SESSION:
 if (s->session) {
 usb_mtp_queue_result(s, RES_SESSION_ALREADY_OPEN,
- c->trans, 1, s->session, 0);
+ c->trans, 1, s->session, 0, 0);
 return;
 }
 if (c->argv[0] == 0) {
 usb_mtp_queue_result(s, RES_INVALID_PARAMETER,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 trace_usb_mtp_op_open_session(s->dev.addr);
@@ -1165,7 +1169,7 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 if (c->argv[0] != QEMU_STORAGE_ID &&
 c->argv[0] != 0x) {
 usb_mtp_queue_result(s, RES_INVALID_STORAGE_ID,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 data_in = usb_mtp_get_storage_info(s, c);
@@ -1175,12 +1179,12 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 if (c->argv[0] != QEMU_STORAGE_ID &&
 c->argv[0] != 0x) {
 usb_mtp_queue_result(s, RES_INVALID_STORAGE_ID,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 if (c->argv[1] != 0x) {
 usb_mtp_queue_result(s, RES_SPEC_BY_FORMAT_UNSUPPORTED,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 if (c->argv[2] == 0x ||
@@ -1191,12 +1195,12 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 }
 if (o == NULL) {
 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 if (o->format != FMT_ASSOCIATION) {
 usb_mtp_queue_result(s, RES_INVALID_PARENT_OBJECT,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 usb_mtp_object_readdir(s, o);
@@ -1212,7 +1216,7 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 o = usb_mtp_object_lookup(s, c->argv[0]);
 if (o == NULL) {
 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 data_in = usb_mtp_get_object_info(s, c, o);
@@ -1221,18 +1225,18 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 o = usb_mtp_object_lookup(s, c->argv[0]);
 if (o == NULL) {
 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 if (o->format == FMT_ASSOCIATION) {
 usb_mtp_queue_result(s, RES_INVALID_OBJECT_HANDLE,
- c->trans, 0, 0, 0);
+ c->trans, 0, 0, 0, 0);
 return;
 }
 data_in = usb_mtp_get_object(s, c, o);
 if (data_in == NULL) {
 

[Qemu-devel] [PATCH v4 4/5] usb-mtp: Introduce write support for MTP objects

2018-02-20 Thread Bandan Das
Allow write operations on behalf of the initiator. The
precursor to write is the sending of the write metadata
that consists of the ObjectInfo dataset. This patch introduces
a flag that is set when the responder is ready to receive
write data based on a previous SendObjectInfo operation by
the initiator (The SendObjectInfo implementation is in a
later patch)

Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 152 ++-
 1 file changed, 150 insertions(+), 2 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 5ef77f3e9f..9b51708614 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -47,6 +47,7 @@ enum mtp_code {
 CMD_GET_OBJECT_INFO= 0x1008,
 CMD_GET_OBJECT = 0x1009,
 CMD_DELETE_OBJECT  = 0x100b,
+CMD_SEND_OBJECT= 0x100d,
 CMD_GET_PARTIAL_OBJECT = 0x101b,
 CMD_GET_OBJECT_PROPS_SUPPORTED = 0x9801,
 CMD_GET_OBJECT_PROP_DESC   = 0x9802,
@@ -63,9 +64,11 @@ enum mtp_code {
 RES_INVALID_STORAGE_ID = 0x2008,
 RES_INVALID_OBJECT_HANDLE  = 0x2009,
 RES_INVALID_OBJECT_FORMAT_CODE = 0x200b,
+RES_STORE_FULL = 0x200c,
 RES_STORE_READ_ONLY= 0x200e,
 RES_PARTIAL_DELETE = 0x2012,
 RES_SPEC_BY_FORMAT_UNSUPPORTED = 0x2014,
+RES_INVALID_OBJECTINFO = 0x2015,
 RES_INVALID_PARENT_OBJECT  = 0x201a,
 RES_INVALID_PARAMETER  = 0x201d,
 RES_SESSION_ALREADY_OPEN   = 0x201e,
@@ -183,6 +186,14 @@ struct MTPState {
 int  inotifyfd;
 QTAILQ_HEAD(events, MTPMonEntry) events;
 #endif
+/* Responder is expecting a write operation */
+bool write_pending;
+struct {
+uint32_t parent_handle;
+uint16_t format;
+uint32_t size;
+char *filename;
+} dataset;
 };
 
 #define TYPE_USB_MTP "usb-mtp"
@@ -804,6 +815,7 @@ static MTPData *usb_mtp_get_device_info(MTPState *s, 
MTPControl *c)
 CMD_GET_OBJECT_HANDLES,
 CMD_GET_OBJECT_INFO,
 CMD_DELETE_OBJECT,
+CMD_SEND_OBJECT,
 CMD_GET_OBJECT,
 CMD_GET_PARTIAL_OBJECT,
 CMD_GET_OBJECT_PROPS_SUPPORTED,
@@ -1378,6 +1390,14 @@ static void usb_mtp_command(MTPState *s, MTPControl *c)
 nres = 1;
 res0 = data_in->length;
 break;
+case CMD_SEND_OBJECT:
+if (!s->write_pending) {
+usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO,
+ c->trans, 0, 0, 0, 0);
+return;
+}
+s->data_out = usb_mtp_data_alloc(c);
+return;
 case CMD_GET_OBJECT_PROPS_SUPPORTED:
 if (c->argv[0] != FMT_UNDEFINED_OBJECT &&
 c->argv[0] != FMT_ASSOCIATION) {
@@ -1472,12 +1492,126 @@ static void usb_mtp_cancel_packet(USBDevice *dev, 
USBPacket *p)
 fprintf(stderr, "%s\n", __func__);
 }
 
+static void usb_mtp_write_data(MTPState *s)
+{
+MTPData *d = s->data_out;
+MTPObject *parent =
+usb_mtp_object_lookup(s, s->dataset.parent_handle);
+char *path = NULL;
+int rc = -1;
+mode_t mask = 0644;
+
+assert(d != NULL);
+
+if (parent == NULL || !s->write_pending) {
+usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, d->trans,
+ 0, 0, 0, 0);
+return;
+}
+
+if (s->dataset.filename) {
+path = g_strdup_printf("%s/%s", parent->path, s->dataset.filename);
+if (s->dataset.format == FMT_ASSOCIATION) {
+d->fd = mkdir(path, mask);
+goto free;
+}
+if (s->dataset.size < d->length) {
+usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+goto done;
+}
+d->fd = open(path, O_CREAT | O_WRONLY, mask);
+if (d->fd == -1) {
+usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+goto done;
+}
+
+/*
+ * Return success if initiator sent 0 sized data
+ */
+if (!s->dataset.size) {
+goto success;
+}
+
+rc = write(d->fd, d->data, s->dataset.size);
+if (rc == -1) {
+usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+goto done;
+}
+if (rc != s->dataset.size) {
+usb_mtp_queue_result(s, RES_INCOMPLETE_TRANSFER, d->trans,
+ 0, 0, 0, 0);
+goto done;
+}
+}
+
+success:
+usb_mtp_queue_result(s, RES_OK, d->trans,
+ 0, 0, 0, 0);
+
+done:
+/*
+ * The write dataset is kept around and freed only
+ * on success or if another write request comes in
+ */
+if (d->fd != -1) {
+close(d->fd);
+}
+free:
+g_free(s->dataset.filename);
+g_free(path);
+
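Review bot: the path is built as parent->path + "/" + s->dataset.filename with a filename taken straight from the initiator's ObjectInfo dataset, so a name containing '/' or '..' components creates or overwrites files outside the exported directory; reject names containing '/' or equal to "." or ".." before g_strdup_printf(), and open with O_NOFOLLOW plus O_EXCL or O_TRUNC (O_CREAT | O_WRONLY alone leaves stale tail bytes when a larger existing file is overwritten). The size check is one-sided: dataset.size < d->length is rejected, but when dataset.size > d->length the write(d->fd, d->data, s->dataset.size) reads past the received buffer; write at most d->length bytes or reject the mismatch. For FMT_ASSOCIATION the mkdir() return value is stored in d->fd and the goto free skips queueing any result, so the initiator gets no response for a directory create (and d->fd is 0 on success); queue RES_OK or an error there and keep the mkdir result out of fd. Finally, a single write() may be short, so loop until dataset.size bytes are written before reporting RES_INCOMPLETE_TRANSFER, and rename mask to mode since 0644 is the file mode.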

[Qemu-devel] [PATCH v4 2/5] usb-mtp: print parent path in IN_IGNORED trace fn

2018-02-20 Thread Bandan Das
Fix a possible null dereference when deleting a folder and
its contents. An ignored event might be received for its contents
after the parent folder is deleted which will return a null object.

Signed-off-by: Bandan Das 
---
 hw/usb/dev-mtp.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index b55aa8205e..63f8f3b90b 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -540,9 +540,8 @@ static void inotify_watchfn(void *arg)
 break;
 
 case IN_IGNORED:
-o = usb_mtp_object_lookup_name(parent, event->name, 
event->len);
-trace_usb_mtp_inotify_event(s->dev.addr, o->path,
-  event->mask, "Obj ignored");
+trace_usb_mtp_inotify_event(s->dev.addr, parent->path,
+  event->mask, "Obj parent dir ignored");
 break;
 
 default:
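Review bot: the trace now dereferences parent->path unconditionally; if the watch-descriptor lookup that produced parent can return NULL the way the name lookup did (for example when the parent directory itself has just been deleted), this moves the NULL dereference rather than removing it. Guard with `if (parent)` or state in the commit message why parent is always valid at this point.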
-- 
2.14.3




Re: [Qemu-devel] [PATCH v2 5/8] net: Remove the deprecated way of dumping network packets

2018-02-20 Thread Eric Blake

On 02/20/2018 11:40 AM, Thomas Huth wrote:

"-net dump" has been marked as deprecated since QEMU v2.10, since it
only works with the deprecated 'vlan' parameter (or hubs). Network
dumping should be done with "-object filter-dump" nowadays instead.
Since nobody complained so far about the deprecation message, let's
finally get rid of "-net dump" now.

Reviewed-by: Paolo Bonzini 
Reviewed-by: Eric Blake 
Signed-off-by: Thomas Huth 
---



+++ b/qapi/net.json
@@ -39,8 +39,10 @@
  #
  # Add a network backend.
  #
-# @type: the type of network backend.  Current valid values are 'user', 'tap',
-#'vde', 'socket', 'dump' and 'bridge'
+# @type: the type of network backend. Possible values in version
+#2.11: 'user', 'tap', 'vde', 'socket', 'hubport', 'bridge',
+#  'dump', 'l2tpv3', 'netmap', 'vhost-user'
+#2.12: 'dump' dropped
  #


That's a bit fuzzy, especially since the command has been around since 
0.14.  It might be easier to word it as:


@type: the type of network backend. Possible values are listed in 
NetClientDriver.


Then defer the actual listing by version...


@@ -468,7 +453,7 @@
  # Since: 2.7
  ##
  { 'enum': 'NetClientDriver',
-  'data': [ 'none', 'nic', 'user', 'tap', 'l2tpv3', 'socket', 'vde', 'dump',
+  'data': [ 'none', 'nic', 'user', 'tap', 'l2tpv3', 'socket', 'vde',
  'bridge', 'hubport', 'netmap', 'vhost-user' ] }
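Review bot: removing 'dump' from NetClientDriver is a QMP-visible schema change (query-qmp-schema no longer lists it and netdev_add with type=dump becomes an invalid enum value), whereas the commit message only describes the -net command-line side; spell out the QMP effect and point to the deprecation entry so management clients know what to expect.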


...to here (although this type only mentions 2.7 as its starting point). 
 (Hmm, I should see if it is worth reviving my attempted patches to 
properly QAPI-fy netdev_add into using a proper schema description - 
when I last proposed it, we ditched it at the last minute because of 
minor incompatibilities in parsing between a QAPI parse and the manual 
parse).


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] [PATCH v2 2/8] net: List available netdevs with "-netdev help"

2018-02-20 Thread Eric Blake

On 02/20/2018 11:40 AM, Thomas Huth wrote:

Other options like "-chardev" or "-device" feature a nice help text
with the available devices when being called with "help" or "?".
Since it is quite useful, especially if you want to see which network
backends have been compiled into the QEMU binary, let's provide such
a help text for "-netdev", too.

Reviewed-by: Paolo Bonzini 
Signed-off-by: Thomas Huth 
---
  net/net.c | 37 -
  1 file changed, 36 insertions(+), 1 deletion(-)



Reviewed-by: Eric Blake 

--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



[Qemu-devel] [PATCH 0/2] qcow2: minor compression improvements

2018-02-20 Thread Eric Blake
I noticed these while reviewing Berto's proposed change to the
qcow2 spec on how compression works.

Eric Blake (2):
  qcow2: Prefer byte-based calls into bs->file
  qcow2: Avoid memory over-allocation on compressed images

 block/qcow2-cluster.c  | 17 +
 block/qcow2-refcount.c |  6 +++---
 block/qcow2.c  |  2 +-
 3 files changed, 9 insertions(+), 16 deletions(-)

-- 
2.14.3




[Qemu-devel] [PATCH 1/2] qcow2: Prefer byte-based calls into bs->file

2018-02-20 Thread Eric Blake
We had only three sector-based stragglers left; convert them to use
our preferred byte-based accesses.

Signed-off-by: Eric Blake 
---
 block/qcow2-cluster.c  | 5 ++---
 block/qcow2-refcount.c | 6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index e406b0f3b9e..85be7d5e340 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1615,13 +1615,12 @@ int qcow2_decompress_cluster(BlockDriverState *bs, 
uint64_t cluster_offset)
 }

 BLKDBG_EVENT(bs->file, BLKDBG_READ_COMPRESSED);
-ret = bdrv_read(bs->file, coffset >> 9, s->cluster_data,
-nb_csectors);
+ret = bdrv_pread(bs->file, coffset, s->cluster_data, csize);
 if (ret < 0) {
 return ret;
 }
 if (decompress_buffer(s->cluster_cache, s->cluster_size,
-  s->cluster_data + sector_offset, csize) < 0) {
+  s->cluster_data, csize) < 0) {
 return -EIO;
 }
 s->cluster_cache_offset = coffset;
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index d46b69d7f34..3fefeb3dc50 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -2310,8 +2310,8 @@ write_refblocks:
 on_disk_refblock = (void *)((char *) *refcount_table +
 refblock_index * s->cluster_size);

-ret = bdrv_write(bs->file, refblock_offset / BDRV_SECTOR_SIZE,
- on_disk_refblock, s->cluster_sectors);
+ret = bdrv_pwrite(bs->file, refblock_offset,
+ on_disk_refblock, s->cluster_size);
 if (ret < 0) {
 fprintf(stderr, "ERROR writing refblock: %s\n", strerror(-ret));
 goto fail;
@@ -2533,7 +2533,7 @@ fail:
  * - 0 if writing to this offset will not affect the mentioned metadata
  * - a positive QCow2MetadataOverlap value indicating one overlapping section
  * - a negative value (-errno) indicating an error while performing a check,
- *   e.g. when bdrv_read failed on QCOW2_OL_INACTIVE_L2
+ *   e.g. when bdrv_pread failed on QCOW2_OL_INACTIVE_L2
  */
 int qcow2_check_metadata_overlap(BlockDriverState *bs, int ign, int64_t offset,
  int64_t size)
-- 
2.14.3




[Qemu-devel] [PATCH 2/2] qcow2: Avoid memory over-allocation on compressed images

2018-02-20 Thread Eric Blake
When reading a compressed image, we were allocating s->cluster_data
to 32*cluster_size + 512 (possibly over 64 megabytes, for an image
with 2M clusters).  Let's check out the history:

Back when qcow2 was first written, we used s->cluster_data for
everything, including copy_sectors() and encryption, where we want
to operate on more than one cluster at once.  Obviously, at that
point, the buffer had to be aligned for other users, even though
compression itself doesn't require any alignment.

But commit 1b9f1491 (v1.1!) changed things to allocate parallel
buffers on demand rather than sharing a single buffer, for encryption
and COW, leaving compression as the final client of s->cluster_data.
That use was still preserved, because if a single compressed cluster
is read more than once, we reuse the cache instead of decompressing
it a second time (I'm not sure how often this optimization actually
fires, or if it penalizes us from being able to decompress multiple
clusters in parallel even though we can now decrypt clusters in
parallel; the XXX comment in qcow2_co_preadv for
QCOW2_CLUSTER_COMPRESSED is telling).

Much later, in commit de82815d (v2.2), we noticed that a 64M
allocation is prone to failure, so we switched over to a graceful
memory allocation error message.  But note that elsewhere in the
code, we do g_malloc(2 * cluster_size) without ever checking for
failure.

Then even later, in 3e4c7052 (2.11), we realized that allocating
a large buffer up front for every qcow2 image is expensive, and
switched to lazy allocation only for images that actually had
compressed clusters.  But in the process, we never even bothered
to check whether what we were allocating still made sense in its
new context!

So, it's time to cut back on the waste.  A compressed cluster
will NEVER occupy more than an uncompressed cluster (okay, gzip
DOES document that because the compression stream adds metadata,
and because of the pigeonhole principle, there are worst case
scenarios where attempts to compress will actually inflate an
image - but in those cases, we would just write the cluster
uncompressed instead of inflating it).  And as that is a smaller
amount of memory, we can get by with the simpler g_malloc.

Signed-off-by: Eric Blake 
---
 block/qcow2-cluster.c | 12 +++-
 block/qcow2.c |  2 +-
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 85be7d5e340..8c4b26ceaf2 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1603,15 +1603,9 @@ int qcow2_decompress_cluster(BlockDriverState *bs, 
uint64_t cluster_offset)
  * are freed in .bdrv_close().
  */
 if (!s->cluster_data) {
-/* one more sector for decompressed data alignment */
-s->cluster_data = qemu_try_blockalign(bs->file->bs,
-QCOW_MAX_CRYPT_CLUSTERS * s->cluster_size + 512);
-if (!s->cluster_data) {
-return -ENOMEM;
-}
-}
-if (!s->cluster_cache) {
-s->cluster_cache = g_malloc(s->cluster_size);
+assert(!s->cluster_cache);
+s->cluster_data = g_try_malloc(s->cluster_size);
+s->cluster_cache = g_try_malloc(s->cluster_size);
 }

 BLKDBG_EVENT(bs->file, BLKDBG_READ_COMPRESSED);
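Review bot: shrinking s->cluster_data to cluster_size removes the headroom the old 32-cluster + 512 allocation gave, while bdrv_pread(bs->file, coffset, s->cluster_data, csize) still trusts csize, which is derived from the sector-count bits of the L2 entry the image controls and is not bounded to cluster_size anywhere in this function (the thread itself notes that qcow2_decompress_cluster() does not validate it). A crafted image can therefore make the read overrun the new buffer; reject csize larger than the allocation before the read, or keep the allocation large enough for the largest csize the descriptor can encode. Also, both g_try_malloc() results are now used without a NULL check, so the graceful -ENOMEM path that de82815d added becomes a NULL dereference; either check them or use g_malloc() as the commit message says.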
diff --git a/block/qcow2.c b/block/qcow2.c
index 288b5299d80..6ad3436e0e5 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2103,7 +2103,7 @@ static void qcow2_close(BlockDriverState *bs)
 g_free(s->image_backing_format);

 g_free(s->cluster_cache);
-qemu_vfree(s->cluster_data);
+g_free(s->cluster_data);
 qcow2_refcount_close(bs);
 qcow2_free_snapshots(bs);
 }
-- 
2.14.3




Re: [Qemu-devel] [PATCH v2] specs/qcow2: Fix documentation of the compressed cluster descriptor

2018-02-20 Thread Eric Blake

On 02/20/2018 04:03 PM, Eric Blake wrote:

boundary. Technically, it might be possible, but qemu does NOT do that 
(again, looking at qcow2_alloc_bytes() - we loop if free_in_cluster < 
size) - so we may want to be explicit about this point to prevent 
OTHER implementations from creating a compressed cluster that crosses 
host cluster boundaries (right now, I can't see 
qcow2_decompress_cluster() validating it, though - YIKES).


Aha, I see where I went wrong.



That said, a simple patch to try this:





triggers failures in iotests 122:

--- /home/eblake/qemu/tests/qemu-iotests/122.out    2017-10-06 
13:45:25.559279136 -0500
+++ /home/eblake/qemu/tests/qemu-iotests/122.out.bad    2018-02-20 
15:54:29.890221575 -0600

@@ -117,8 +117,8 @@
  convert -c -S 0:
  read 3145728/3145728 bytes at offset 0
  3 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-read 63963136/63963136 bytes at offset 3145728
-61 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qcow2: Marking image as corrupt: Compressed cluster at 0x5ffd2 crosses 
host cluster boundary; further corruption events will be suppressed

+read failed: Input/output error
  [{ "start": 0, "length": 67108864, "depth": 0, "zero": false, "data": 
true}]


so it looks like I'm reading qcow2_alloc_bytes() wrong and that we CAN 
have a compressed cluster that crosses host cluster boundaries?


We DO allow crossing sector boundaries, IF the newly allocated cluster 
is contiguous to the cluster that has the unused tail that we are 
starting in.  Good, because that's less wasteful of the image (suppose 
every compressed cluster got 49% reduction in size - since each one 
requires 51% of a cluster, not allowing cluster crossing would require a 
full cluster each, rather than the expected ~49% reduction in overall 
image size if we are good at contiguous allocations).



So if I may suggest:

    x+1 - 61:    Number of additional 512-byte sectors used for the
 compressed data, beyond the sector containing the
 offset in the previous field.  These sectors must fit
 within the same host cluster.


This sentence needs tweaking to match reality, given that my simple 
patch to flag cross-sector hosts triggered (or I need to figure out what 
was wrong with my patch).


So change that sentence to:  As needed, these additional sectors may 
reside in the next contiguous host cluster.





  Note that the compressed
 data does not necessarily occupy all of the bytes in
 the final sector; rather, decompression stops when it
 has produced a cluster of data.  Another compressed
 cluster may map to the tail of the final sector used
 by this compressed cluster.





--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [Qemu-devel] Moving seabios-hppa git submodule to use a qemu.org mirror

2018-02-20 Thread BALATON Zoltan

On Tue, 20 Feb 2018, Paolo Bonzini wrote:

I don't mind either way and don't expect to change this u-boot source
too much in the future so if you just copy it to the qemu repo without
mirroring my repo that's fine as well. (If any change will be needed I
can submit patches for it like for other QEMU parts but this should not
be needed too frequently as this firmware is not developed any further
by upstream so only changes may be bugfixes from QEMU contributors.) But
I can't do that myself so I need help with that. All I could do is to
provide my own repo and refer to that for all else I need your help.


Out of curiosity, why is it not upstream?


See this thread:
http://lists.nongnu.org/archive/html/qemu-devel/2018-02/msg05221.html
(and those that it refers to; this seems to be everyone's first question, 
maybe I should add a FAQ in the commit message :-) )


I don't know the details but I guess the hardware vendor who created this 
fork never bothered to upstream their changes and then u-boot has changed 
so it's now not even simple to do so any more so this u-boot variant is at 
a dead end and only needed for this board because guests running on it 
(some of which are closed source thus cannot be changed) use the services 
provided by this u-boot version.


Regards,
BALATON Zoltan



Re: [Qemu-devel] [PATCH v2] specs/qcow2: Fix documentation of the compressed cluster descriptor

2018-02-20 Thread Eric Blake

On 02/20/2018 01:40 PM, Eric Blake wrote:

On 02/20/2018 11:01 AM, Alberto Garcia wrote:

tl:dr; I think we need a v3 with even more clarification.





I'm also making an additional observation: Due to the pigeonhole 
principle and the fact that the compression stream adds metadata, we 
KNOW that there are some (rare) cases where attempting to compress data 
will actually result in an INCREASE in size ('man gzip' backs up this 
claim, calling out a worst case -0.015% compression ratio, or 15 bytes 
added for every 1000 bytes of input, on uncompressible data).  So 
presumably, we should state that a cluster can only be written in 
compressed form IF it occupies less space than the uncompressed cluster 
(we could also allow a compressed form that occupies the same length as 
the uncompressed cluster, but that's a waste of CPU cycles).


Once we have that restriction stated, then it becomes obvious that a 
compressed cluster should never REQUIRE using more than one host cluster 
(and this is backed up by qcow2_alloc_bytes() asserting that size <= 
s->cluster_size).  Where things get interesting, though, is whether we 
PERMIT a compressed cluster to overlap a host cluster boundary. 
Technically, it might be possible, but qemu does NOT do that (again, 
looking at qcow2_alloc_bytes() - we loop if free_in_cluster < size) - so 
we may want to be explicit about this point to prevent OTHER 
implementations from creating a compressed cluster that crosses host 
cluster boundaries (right now, I can't see qcow2_decompress_cluster() 
validating it, though - YIKES).


That said, a simple patch to try this:

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 8c4b26ceaf2..85b5dbd9c16 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -1598,6 +1598,15 @@ int qcow2_decompress_cluster(BlockDriverState 
*bs, uint64_t cluster_offset)

 sector_offset = coffset & 511;
 csize = nb_csectors * 512 - sector_offset;

+/* We never write a compressed cluster that crosses host
+ * cluster boundaries; reject images that do that.  */
+if (csize + (coffset % s->cluster_size) > s->cluster_size) {
+qcow2_signal_corruption(bs, true, coffset, csize,
+"Compressed cluster at %#" PRIx64
+" crosses host cluster boundary", 
coffset);

+return -EIO;
+}
+
 /* Allocate buffers on first decompress operation, most images are
  * uncompressed and the memory overhead can be avoided.  The 
buffers

  * are freed in .bdrv_close().

triggers failures in iotests 122:

--- /home/eblake/qemu/tests/qemu-iotests/122.out	2017-10-06 
13:45:25.559279136 -0500
+++ /home/eblake/qemu/tests/qemu-iotests/122.out.bad	2018-02-20 
15:54:29.890221575 -0600

@@ -117,8 +117,8 @@
 convert -c -S 0:
 read 3145728/3145728 bytes at offset 0
 3 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-read 63963136/63963136 bytes at offset 3145728
-61 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qcow2: Marking image as corrupt: Compressed cluster at 0x5ffd2 crosses 
host cluster boundary; further corruption events will be suppressed

+read failed: Input/output error
 [{ "start": 0, "length": 67108864, "depth": 0, "zero": false, "data": 
true}]


so it looks like I'm reading qcow2_alloc_bytes() wrong and that we CAN 
have a compressed cluster that crosses host cluster boundaries?




So if I may suggest:

    x+1 - 61:    Number of additional 512-byte sectors used for the
     compressed data, beyond the sector containing the
     offset in the previous field.  These sectors must fit
     within the same host cluster.


This sentence needs tweaking to match reality, given that my simple 
patch to flag cross-sector hosts triggered (or I need to figure out what 
was wrong with my patch).



  Note that the compressed
     data does not necessarily occupy all of the bytes in
     the final sector; rather, decompression stops when it
     has produced a cluster of data.  Another compressed
     cluster may map to the tail of the final sector used
     by this compressed cluster.



--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
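To make the arithmetic in this thread concrete (the boundary check in the patch above, and the descriptor layout discussed later in the thread), here is an added example written for this page; it is not qemu code. It encodes and decodes the compressed cluster descriptor with the same csize_shift/csize_mask derivation that block/qcow2.c uses, so the sector count starts at bit x with x = 62 - (cluster_bits - 8), and applies the patch's host-cluster test to the 0x5ffd2 offset from the 122.out diff. The two compressed lengths (40 and 100 bytes) are made up, and the function names are the example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout as block/qcow2.c derives it from cluster_bits; the x in the
 * spec heading is csize_shift, so the sector count occupies bits x..61. */
#define QCOW_OFLAG_COMPRESSED (1ULL << 62)
#define SECTOR_BITS 9
#define SECTOR_SIZE (1ULL << SECTOR_BITS)

typedef struct {
    uint64_t cluster_size;
    unsigned csize_shift;          /* first bit of "sectors minus one" */
    uint64_t csize_mask;           /* width of that field */
    uint64_t cluster_offset_mask;  /* host offset: bits 0..csize_shift-1 */
} Qcow2Geom;

static bool qcow2_geom_init(Qcow2Geom *g, unsigned cluster_bits)
{
    if (cluster_bits < 9 || cluster_bits > 21) {   /* 512 B .. 2 MiB */
        return false;
    }
    g->cluster_size = 1ULL << cluster_bits;
    g->csize_shift = 62 - (cluster_bits - 8);
    g->csize_mask = (1ULL << (cluster_bits - 8)) - 1;
    g->cluster_offset_mask = (1ULL << g->csize_shift) - 1;
    return true;
}

/* Writer side, same arithmetic as qcow2_alloc_compressed_cluster_offset().
 * Returns 0 (never a valid compressed entry) when a value does not fit. */
uint64_t qcow2_compressed_entry(unsigned cluster_bits, uint64_t coffset,
                                uint64_t csize)
{
    Qcow2Geom g;
    if (!qcow2_geom_init(&g, cluster_bits) || csize == 0 ||
        csize >= g.cluster_size || coffset > g.cluster_offset_mask) {
        return 0;
    }
    /* sectors touched beyond the one containing coffset */
    uint64_t nb_csectors = ((coffset + csize - 1) >> SECTOR_BITS) -
                           (coffset >> SECTOR_BITS);
    if (nb_csectors > g.csize_mask) {
        return 0;
    }
    return QCOW_OFLAG_COMPRESSED | (nb_csectors << g.csize_shift) | coffset;
}

/* Reader side, same arithmetic as qcow2_decompress_cluster(): *csize is what
 * the reader consumes, from coffset to the end of the last counted sector. */
bool qcow2_compressed_decode(unsigned cluster_bits, uint64_t entry,
                             uint64_t *coffset, uint64_t *csize)
{
    Qcow2Geom g;
    if (!qcow2_geom_init(&g, cluster_bits) ||
        !(entry & QCOW_OFLAG_COMPRESSED)) {
        return false;
    }
    uint64_t off = entry & g.cluster_offset_mask;
    uint64_t nb_csectors = ((entry >> g.csize_shift) & g.csize_mask) + 1;
    *coffset = off;
    *csize = nb_csectors * SECTOR_SIZE - (off & (SECTOR_SIZE - 1));
    return true;
}

/* Bytes a reader would consume for 'entry', or 0 if it is not compressed. */
uint64_t qcow2_entry_csize(unsigned cluster_bits, uint64_t entry)
{
    uint64_t off, len;
    return qcow2_compressed_decode(cluster_bits, entry, &off, &len) ? len : 0;
}

/* The boundary test from the patch in this thread:
 * csize + (coffset % cluster_size) > cluster_size. */
bool qcow2_entry_crosses_host_cluster(unsigned cluster_bits, uint64_t entry)
{
    Qcow2Geom g;
    uint64_t off, len;
    if (!qcow2_geom_init(&g, cluster_bits) ||
        !qcow2_compressed_decode(cluster_bits, entry, &off, &len)) {
        return false;
    }
    return len + (off & (g.cluster_size - 1)) > g.cluster_size;
}

int main(void)
{
    /* Constructed inputs: offset from the 122.out diff, 64 KiB clusters. */
    const uint64_t lens[] = { 40, 100 };
    for (int i = 0; i < 2; i++) {
        uint64_t e = qcow2_compressed_entry(16, 0x5ffd2, lens[i]);
        printf("%3" PRIu64 " bytes at 0x5ffd2: entry %#" PRIx64
               ", reader consumes %" PRIu64 " bytes, crosses cluster: %s\n",
               lens[i], e, qcow2_entry_csize(16, e),
               qcow2_entry_crosses_host_cluster(16, e) ? "yes" : "no");
    }
    return 0;
}
```

With 64 KiB clusters, 40 bytes at 0x5ffd2 stay in the cluster's last sector (the reader consumes 46 bytes and the test is quiet), while 100 bytes need one more sector, which is the first sector of the next host cluster, and the test fires exactly as in the 122.out diff.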



Re: [Qemu-devel] Moving seabios-hppa git submodule to use a qemu.org mirror

2018-02-20 Thread Paolo Bonzini
On 20/02/2018 19:43, Peter Maydell wrote:
> I just noticed that we seem to have acquired another git
> submodule that isn't pointing to a qemu.org git url:
> 
> [submodule "roms/seabios-hppa"]
> path = roms/seabios-hppa
> url = git://github.com/hdeller/seabios-hppa.git
> 
> Jeff, could we set up so we can mirror this repo on qemu.org?
> Then we can send a patch to update the .gitmodules to point to it.

This is a fork of SeaBIOS, perhaps we should add "branch = hppa" and
pull it into the existing SeaBIOS repo of qemu.git.

However, I am worried that any bugfixes are never going to be applied to
the HPPA version.  How much forked is the fork?

Paolo



Re: [Qemu-devel] Moving seabios-hppa git submodule to use a qemu.org mirror

2018-02-20 Thread Paolo Bonzini
On 20/02/2018 22:41, BALATON Zoltan wrote:
> On Tue, 20 Feb 2018, Peter Maydell wrote:
>> I just noticed that we seem to have acquired another git
>> submodule that isn't pointing to a qemu.org git url:
>>
>> [submodule "roms/seabios-hppa"]
>>    path = roms/seabios-hppa
>>    url = git://github.com/hdeller/seabios-hppa.git
> 
> And there's also
> 
> [submodule "roms/qemu-palcode"]
>     path = roms/qemu-palcode
>     url = git://github.com/rth7680/qemu-palcode.git
> 
> if that matters.

That already exists at https://github.com/qemu/qemu-palcode, it's just
not pointed to by .gitmodules.

> I don't mind either way and don't expect to change this u-boot source
> too much in the future so if you just copy it to the qemu repo without
> mirroring my repo that's fine as well. (If any change will be needed I
> can submit patches for it like for other QEMU parts but this should not
> be needed too frequently as this firmware is not developed any further
> by upstream so only changes may be bugfixes from QEMU contributors.) But
> I can't do that myself so I need help with that. All I could do is to
> provide my own repo and refer to that for all else I need your help.

Out of curiosity, why is it not upstream?

Paolo



Re: [Qemu-devel] [PATCH 2/2] pc-bios: Added u-boot-sam460 firmware binary

2018-02-20 Thread BALATON Zoltan

On Tue, 20 Feb 2018, Daniel P. Berrangé wrote:

On Tue, Feb 20, 2018 at 06:57:43PM +0100, BALATON Zoltan wrote:

Signed-off-by: BALATON Zoltan 
---
 Makefile   |   2 +-
 pc-bios/u-boot-sam460-20100605.bin | Bin 0 -> 524288 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100755 pc-bios/u-boot-sam460-20100605.bin

diff --git a/Makefile b/Makefile
index 6434d6c..b0c16b3 100644
--- a/Makefile
+++ b/Makefile
@@ -661,7 +661,7 @@ multiboot.bin linuxboot.bin linuxboot_dma.bin kvmvapic.bin \
 s390-ccw.img s390-netboot.img \
 spapr-rtas.bin slof.bin skiboot.lid \
 palcode-clipper \
-u-boot.e500 \
+u-boot.e500 u-boot-sam460-20100605.bin \
 qemu_vga.ndrv \
 hppa-firmware.img
 else
diff --git a/pc-bios/u-boot-sam460-20100605.bin 
b/pc-bios/u-boot-sam460-20100605.bin
new file mode 100755
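Review bot: the commit message is empty apart from the Signed-off-by, and for a 512 KiB opaque binary that is all reviewers and distributors have to go on: state which submodule commit and which configuration (the Sam460ex_config mentioned later in this thread) produced pc-bios/u-boot-sam460-20100605.bin and how it was built, so the blob can be regenerated and compared against what is committed. The file is also added with `create mode 100755`; a firmware image is data, not an executable, and should be committed as 100644.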


IIUC, you also need to provide glue in roms/Makefile to build the
u-boot-sam460-20100605.bin from the submodule content. Presumably
you can largely copy what's done for u-boot.e500 there.


Yes, it seems we can do the same (except stripping the result) and build 
the Sam460ex_config from the appropriate source that should generate the 
binary (but I'm not sure about the cross compiler setup in that Makefile, 
my cross compiler is called powerpc-elf-gcc and after briefly looking at 
it I'm not sure it will be found by that make magic).


Once the patch to add the sources is cleared I can send a v2 of this with 
the roms/Makefile changes to also add a new target for this binary.


Regards,
BALATON Zoltan


Re: [Qemu-devel] [Qemu-block] Limiting coroutine stack usage

2018-02-20 Thread Paolo Bonzini
On 20/02/2018 18:04, Peter Lieven wrote:
> Hi,
> 
> I remember we discussed a long time ago to limit the stack usage of all
> functions that are executed in a coroutine
> context to a very low value to be able to safely limit the coroutine
> stack size as well.

IIRC the only issue was that hw/ide/atapi.c has mutual recursion between
ide_atapi_cmd_reply_end -> ide_transfer_start -> ahci_start_transfer ->
ide_atapi_cmd_reply_end.

But perhaps it's not an issue, somebody needs to audit the code.

> I checked through all functions in block/, migration/ and nbd/ and there
> are only very few larger or unbound stack
> allocations that can easily be fixed.

Yeah, the really large allocations are very few and mostly have to do
with networking (https://wiki.qemu.org/BiteSizedTasks#Large_frames).
Unfortunately the link to the original list has died together with the
gmane archives.

Paolo




Re: [Qemu-devel] Moving seabios-hppa git submodule to use a qemu.org mirror

2018-02-20 Thread BALATON Zoltan

On Tue, 20 Feb 2018, Peter Maydell wrote:

I just noticed that we seem to have acquired another git
submodule that isn't pointing to a qemu.org git url:

[submodule "roms/seabios-hppa"]
   path = roms/seabios-hppa
   url = git://github.com/hdeller/seabios-hppa.git


And there's also

[submodule "roms/qemu-palcode"]
path = roms/qemu-palcode
url = git://github.com/rth7680/qemu-palcode.git

if that matters.


Jeff, could we set up so we can mirror this repo on qemu.org?
Then we can send a patch to update the .gitmodules to point to it.

(There's also a patchset on list that wants to add a
submodule for git://github.com/zbalaton/u-boot-sam460ex
but I don't know if that will go in or not yet. Should


I think the patches that add the board are queued in the PPC tree and may 
be in next pull request (unless they have to be dropped for some reason) 
so it would be nice if this firmware could go in with that as well for the 
board to be usable without getting the firmware binary separately.



we insist that we set up the mirror first for new
submodules, or allow them in and fix things up after?
By default we're doing the latter at the moment; the
former seems cleaner but makes it more painful for
contributors to get things added which need new
submodules.)


I don't mind either way and don't expect to change this u-boot source too 
much in the future so if you just copy it to the qemu repo without 
mirroring my repo that's fine as well. (If any change will be needed I can 
submit patches for it like for other QEMU parts but this should not be 
needed too frequently as this firmware is not developed any further by 
upstream so only changes may be bugfixes from QEMU contributors.) But I 
can't do that myself so I need help with that. All I could do is to 
provide my own repo and refer to that for all else I need your help.


Thank you,
BALATON Zoltan



Re: [Qemu-devel] [PULL 4/5] usb-mtp: Introduce write support for MTP objects

2018-02-20 Thread Bandan Das
Eric Blake  writes:

> On 02/20/2018 09:28 AM, Gerd Hoffmann wrote:
>> From: Bandan Das 
>>
>> Allow write operations on behalf of the initiator. The
>> precursor to write is the sending of the write metadata
>> that consists of the ObjectInfo dataset. This patch introduces
>> a flag that is set when the responder is ready to receive
>> write data based on a previous SendObjectInfo operation by
>> the initiator (The SendObjectInfo implementation is in a
>> later patch)
>>
>> Signed-off-by: Bandan Das 
>> Message-id: 20180215231129.14710-5-...@redhat.com
>> Signed-off-by: Gerd Hoffmann 
>> ---
>>   hw/usb/dev-mtp.c | 159 
>> ++-
>>   1 file changed, 157 insertions(+), 2 deletions(-)
>>
>
>> @@ -1472,12 +1492,133 @@ static void usb_mtp_cancel_packet(USBDevice *dev, 
>> USBPacket *p)
>>   fprintf(stderr, "%s\n", __func__);
>>   }
>>   +mode_t getumask(void)
>> +{
>> +mode_t mask = umask(0);
>> +umask(mask);
>> +return mask;
>> +}
>
> This is dangerous.  'man getumask' on my Fedora machine states:

Thanks for the pointer, Eric. Indeed, this doesn't look right.
I am inclined to just set the default
permission of created files to 0644 for the mtp share
and not implement a thread safe getumask.

Bandan

> CONFORMING TO
>This is a vaporware GNU extension.
>
> NOTES
>This  function is documented in the glibc manual, but, as at
> glibc ver‐
>sion 2.24, it is not implemented on Linux.  (See umask(2) for a
> thread-
>safe method of discovering a process's umask.)
>
>
> and 'man 2 umask' concurs:
>
>It  is  impossible to use umask() to fetch a process's umask
> without at
>the same time changing it.  A second call  to  umask()  would
> then  be
>needed  to restore the umask.  The nonatomicity of these two
> steps pro‐
>vides the potential for races in multithreaded programs.
>
> It is ONLY safe to grab umask() prior to spawning threads, cache that
> value, and refer to the cache at all later points.



[Qemu-devel] [PATCH] fpu/softfloat: use hardware sqrt if we can (EXPERIMENT!)

2018-02-20 Thread Alex Bennée
This is an attempt to save some of the cost of sqrt by using the
inbuilt support of the host hardware. The idea is assuming we start
with a valid input we can use the hardware. If any tininess issues
occur this will trip an FPU exception, where:

  - we turn off cpu->use_host_fpu
  - mask the FPU exceptions
  - return to what we were doing

Once we return we should pick up the fact that there was something
weird about the operation and fall-back to the pure software
implementation.

You could imagine this being extended for code generation but instead
of returning to the code we could exit and re-generate the TB but this
time with pure software helpers rather than any support from the
hardware.

This is a sort of fix-it-up after the fact approach because reading
the FP state is an expensive operation for everything so let's only
worry about exceptions when they trip...

Signed-off-by: Alex Bennée 
---
 cpus.c| 28 
 fpu/softfloat.c   | 40 +++-
 include/fpu/softfloat-types.h |  2 ++
 include/fpu/softfloat.h   |  4 
 include/qom/cpu.h |  1 +
 linux-user/main.c |  8 
 linux-user/signal.c   | 16 
 target/arm/cpu.c  |  4 
 8 files changed, 98 insertions(+), 5 deletions(-)

diff --git a/cpus.c b/cpus.c
index f298b659f4..e435f6737b 100644
--- a/cpus.c
+++ b/cpus.c
@@ -23,6 +23,7 @@
  */
 
 #include "qemu/osdep.h"
+#include 
 #include "qemu/config-file.h"
 #include "cpu.h"
 #include "monitor/monitor.h"
@@ -1078,10 +1079,36 @@ static void qemu_init_sigbus(void)
 
 prctl(PR_MCE_KILL, PR_MCE_KILL_SET, PR_MCE_KILL_EARLY, 0, 0);
 }
+
+static void sigfpu_handler(int n, siginfo_t *siginfo, void *ctx)
+{
+fprintf(stderr, "%s: got %d, %p/%p\n", __func__, n, siginfo, ctx);
+
+/* Called asynchronously in VCPU thread.  */
+g_assert(current_cpu);
+}
+
+static void qemu_init_sigfpu(void)
+{
+struct sigaction action;
+
+memset(, 0, sizeof(action));
+action.sa_flags = SA_SIGINFO;
+action.sa_sigaction = sigfpu_handler;
+sigaction(SIGBUS, , NULL);
+
+feenableexcept(FE_INVALID   |
+   FE_OVERFLOW  |
+   FE_UNDERFLOW |
+   FE_INEXACT);
+}
 #else /* !CONFIG_LINUX */
 static void qemu_init_sigbus(void)
 {
 }
+static void qemu_init_sigfpu(void)
+{
+}
 #endif /* !CONFIG_LINUX */
 
 static QemuMutex qemu_global_mutex;
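Review bot: qemu_init_sigfpu() installs sigfpu_handler with `sigaction(SIGBUS, ...)` rather than SIGFPE, so it neither catches the trap that feenableexcept() enables nor leaves alone the SIGBUS handler that qemu_init_sigbus() set up just above for MCE handling. The handler itself only prints and asserts: it never clears cpu->use_host_fpu or masks the exception as the commit message describes, so returning from it re-executes the faulting instruction and traps again, and fprintf() is not async-signal-safe in any case. Trapping on FE_INEXACT also means every inexact result produced by the thread that enabled it, not only the sqrt under test, raises the signal.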
@@ -1827,6 +1854,7 @@ static void qemu_tcg_init_vcpu(CPUState *cpu)
 if (!tcg_region_inited) {
 tcg_region_inited = 1;
 tcg_region_init();
+qemu_init_sigfpu();
 }
 
 if (qemu_tcg_mttcg_enabled() || !single_tcg_cpu_thread) {
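Review bot: qemu_init_sigfpu() runs here on whichever thread calls qemu_tcg_init_vcpu(), i.e. the thread creating the vCPU, not the vCPU thread. feenableexcept() changes only the calling thread's FP environment (threads created afterwards inherit it), so the thread that sets up TCG starts trapping on its own FP operations, where `g_assert(current_cpu)` in the handler will fire. If the experiment is kept, enable the exceptions from the vCPU thread's entry function instead.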
diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index e7fb0d357a..ec9355af7a 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -1905,10 +1905,12 @@ float64 float64_scalbn(float64 a, int n, float_status 
*status)
  * bits to ensure we get a correctly rounded result.
  *
  * This does mean however the calculation is slower than before,
- * especially for 64 bit floats.
+ * especially for 64 bit floats. However the caller can only do checks
+ * if they actually want to off-load to the library.
  */
 
-static FloatParts sqrt_float(FloatParts a, float_status *s, const FloatFmt *p)
+static FloatParts sqrt_float(FloatParts a, float_status *s,
+ const FloatFmt *p, bool check_only)
 {
 uint64_t a_frac, r_frac, s_frac;
 int bit, last_bit;
@@ -1928,6 +1930,10 @@ static FloatParts sqrt_float(FloatParts a, float_status 
*s, const FloatFmt *p)
 return a;  /* sqrt(+inf) = +inf */
 }
 
+if (check_only) {
+return a;
+}
+
 assert(a.cls == float_class_normal);
 
 /* We need two overflow bits at the top. Adding room for that is a
@@ -1973,21 +1979,45 @@ static FloatParts sqrt_float(FloatParts a, float_status 
*s, const FloatFmt *p)
 float16 __attribute__((flatten)) float16_sqrt(float16 a, float_status *status)
 {
 FloatParts pa = float16_unpack_canonical(a, status);
-FloatParts pr = sqrt_float(pa, status, _params);
+FloatParts pr = sqrt_float(pa, status, _params, false);
 return float16_round_pack_canonical(pr, status);
 }
 
 float32 __attribute__((flatten)) float32_sqrt(float32 a, float_status *status)
 {
 FloatParts pa = float32_unpack_canonical(a, status);
-FloatParts pr = sqrt_float(pa, status, _params);
+FloatParts pr;
+
+if (status->use_host_fpu && *status->use_host_fpu) {
+pr = sqrt_float(pa, status, _params, true);
+if (pr.cls == float_class_normal) {
+float32 r = __builtin_sqrt(a);
+if (*status->use_host_fpu) {
+return r;
+}
+}
+}
+
+pr = sqrt_float(pa, status, _params, false);
 return float32_round_pack_canonical(pr, status);
 }
 
 float64 __attribute__((flatten)) float64_sqrt(float64 a, float_status 
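Review bot: `float32 r = __builtin_sqrt(a);` in float32_sqrt() treats `a` as a number, but float32 in qemu's default build is a uint32_t holding the IEEE bit pattern, so this takes the double-precision square root of the integer encoding and truncates the double back to an integer; it does not compute sqrt of the value the guest sees. The bits have to be reinterpreted as a host float (memcpy into a float), the root taken with sqrtf() so there is exactly one rounding in single precision, and the result bits packed back. The host rounding mode is also never synchronised with status->float_rounding_mode, and on the host path the inexact/underflow flags the software implementation would have set in status->float_exception_flags are lost. Finally, `if (*status->use_host_fpu) return r;` relies on the signal handler clearing that flag, which the handler added in cpus.c does not do.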

Re: [Qemu-devel] [PULL 4/5] usb-mtp: Introduce write support for MTP objects

2018-02-20 Thread Eric Blake

On 02/20/2018 09:28 AM, Gerd Hoffmann wrote:

From: Bandan Das 

Allow write operations on behalf of the initiator. The
precursor to write is the sending of the write metadata
that consists of the ObjectInfo dataset. This patch introduces
a flag that is set when the responder is ready to receive
write data based on a previous SendObjectInfo operation by
the initiator (The SendObjectInfo implementation is in a
later patch)

Signed-off-by: Bandan Das 
Message-id: 20180215231129.14710-5-...@redhat.com
Signed-off-by: Gerd Hoffmann 
---
  hw/usb/dev-mtp.c | 159 ++-
  1 file changed, 157 insertions(+), 2 deletions(-)




@@ -1472,12 +1492,133 @@ static void usb_mtp_cancel_packet(USBDevice *dev, 
USBPacket *p)
  fprintf(stderr, "%s\n", __func__);
  }
  
+mode_t getumask(void)

+{
+mode_t mask = umask(0);
+umask(mask);
+return mask;
+}
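Review bot: `getumask` is defined with external linkage and no header declaration, so it should be `static` (it also shadows the `getumask` the glibc manual documents). More importantly, between `umask(0)` and the restoring `umask(mask)` the process-wide mask is 0: any other thread that calls open(), mkdir() or similar in that window creates its file without the umask applied, and a second thread racing through this same function reads back 0 and restores 0. Read the mask once before any thread is started and cache it, or do without it and pass explicit modes as Bandan suggests.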


This is dangerous.  'man getumask' on my Fedora machine states:

CONFORMING TO
   This is a vaporware GNU extension.

NOTES
   This  function is documented in the glibc manual, but, as at 
glibc ver‐
   sion 2.24, it is not implemented on Linux.  (See umask(2) for a 
thread-

   safe method of discovering a process's umask.)


and 'man 2 umask' concurs:

   It  is  impossible to use umask() to fetch a process's umask 
without at
   the same time changing it.  A second call  to  umask()  would 
then  be
   needed  to restore the umask.  The nonatomicity of these two 
steps pro‐

   vides the potential for races in multithreaded programs.

It is ONLY safe to grab umask() prior to spawning threads, cache that 
value, and refer to the cache at all later points.


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
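The pattern Eric describes (query the umask once while the process is still single-threaded, then consult the cached value) as an added example in C; this is written for this page and is not part of the usb-mtp patch, and the mtp_ names are the example's own.

```c
#include <stdbool.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Filled once, from the main thread, before any other thread exists. */
static mode_t cached_umask;
static bool umask_cached;

/* umask(2) can only read the mask by replacing it, so this is the same
 * non-atomic umask(0)/umask(mask) pair as the patch's getumask().  It is
 * safe only because it runs while the process is single-threaded; after
 * that nothing may call umask() again.  Returns the cached mask. */
mode_t mtp_umask_init(void)
{
    cached_umask = umask(0);
    (void)umask(cached_umask);
    umask_cached = true;
    return cached_umask;
}

bool mtp_umask_is_cached(void)
{
    return umask_cached;
}

/* Pure helper: the permission bits a file created with 'requested'
 * ends up with under 'mask'. */
mode_t mtp_mode_under_umask(mode_t requested, mode_t mask)
{
    return requested & ~mask & 07777;
}

/* Mode to report or apply for a new object.  Consults only the cache, so
 * calling it from any thread never widens another thread's file modes. */
mode_t mtp_create_mode(mode_t requested)
{
    if (!umask_cached) {
        /* Programming error: init should have run before threads started.
         * Read it now rather than guess, accepting the race this once. */
        mtp_umask_init();
    }
    return mtp_mode_under_umask(requested, cached_umask);
}
```

Call mtp_umask_init() from main() before the first thread is created; every later caller gets the value from the cache and the process umask is never touched again.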



Re: [Qemu-devel] [PATCH 0/2] Firmware blob and git submodule for Sam460ex

2018-02-20 Thread Emilio G. Cota
On Tue, Feb 20, 2018 at 18:31:17 +, Peter Maydell wrote:
> On 20 February 2018 at 18:10, BALATON Zoltan  wrote:
> > I've created a git repo for the Sam460ex u-boot sources and this adds
> > that as a submodule and a separate patch to add the binary built from
> > these sources. Feel free to keep this as two patches, squash them into
> > one patch or take the git repo and commit the content under the QEMU
> > repo and use that as a submodule as you see fit (or let me know if any
> > changes are needed for these patches).
> >
> > BALATON Zoltan (2):
> >   roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)
> >   pc-bios: Added u-boot-sam460 firmware binary
> 
> We already have a submodule for u-boot. Is it not possible to
> build this bios blob from those upstream u-boot sources?

This is discussed in the following thread:
  Re: [Qemu-ppc] [PATCH v3 2/2] ppc: Add aCube Sam460ex board
  http://lists.gnu.org/archive/html/qemu-ppc/2018-02/msg00268.html

Emilio



[Qemu-devel] [PATCH v8] ui/cocoa.m: Add ability for user to specify mouse ungrab key

2018-02-20 Thread John Arbuckle
Currently the ungrab keys for the Cocoa and GTK interface are Control-Alt-g.
This combination may not be very fun for the user to have to enter, so we
now enable the user to specify their own key(s) as the ungrab key(s). The
list of keys that can be used is found in the file qapi/ui.json under QKeyCode.
The max number of keys that can be used is three.

Syntax: -display cocoa,hotkey-grab=

Example usage:  -display cocoa,hotkey-grab=home
-display cocoa,hotkey-grab=shift-ctrl
-display cocoa,hotkey-grab=ctrl-x
-display cocoa,hotkey-grab=pgup-pgdn
-display cocoa,hotkey-grab=kp_5-kp_6
-display cocoa,hotkey-grab=kp_4-kp_5-kp_6
-display cocoa,hotkey-grab=ctrl-alt

Signed-off-by: John Arbuckle 
---
v8 changes:
- Added a queue that keeps track of keys and their order for sending to the guest.
- Removed send_key_if_delayed()
- Before if the user had 1-2-3 as the ungrab keys, and this happened:
down: 1
down: 2
down: 3
down: 4

What the guest would see is 'down 4' only.

Now this is what happens:

If user entered:
down: 1
down: 2
down: 3
down: 4

Guest would see:
down: 1
down: 2
down: 3
down: 4

v7 changes:
- Prevent ungrab keys from being seen by guest.

v6 changes:
- changed ungrab command-line option to -display cocoa,hotkey-grab
- Removed NSMutableSet code
- Implemented C version of Set datatype

v5 changes:
- Removed ungrab detection code from keydown event in handleEvent.
- Removed console_ungrab_sequence_length().
- Removed ability to always use the default ctrl-alt-g ungrab key sequence.
- Added ability to actually send keys to the guest that might overlap ungrab keys.
Example for -ungrab ctrl-alt:
down(ctrl)
down(alt)
up(ctrl)
up(alt)
..ungrab activates..

down(ctrl)
down(alt)
down(f1)
up(ctrl)
up(alt)
up(f1)
..no ungrab activates..

v4 changes:
- Removed initialization code for key_value_array.
- Added void keyword to console_ungrab_key_sequence(),
  and console_ungrab_key_string() functions.

v3 changes:
- Added the ability for any "sendkey supported" key to be used.
- Added ability for one to three key sequences to be used.

v2 changes:
- Removed the "int i" code from the for loops. 

 include/ui/console.h |  36 
 qemu-options.hx  |   1 +
 ui/cocoa.m   |  93 ++---
 ui/console.c | 227 +++
 vl.c |  17 
 5 files changed, 362 insertions(+), 12 deletions(-)

diff --git a/include/ui/console.h b/include/ui/console.h
index 12fef80923..9d604bac92 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
@@ -508,4 +508,40 @@ static inline void early_gtk_display_init(int opengl)
 /* egl-headless.c */
 void egl_headless_init(void);
 
+/* console.c */
+/* max number of keys that can be used as the ungrab keys */
+#define MAX_UNGRAB_KEYS 3
+void set_ungrab_seq(const char *new_seq);
+int *console_ungrab_key_sequence(void);
+const char *console_ungrab_key_string(void);
+void use_default_ungrab_keys(void);
+void init_ungrab_keys(void);
+
+/* Set datatype related code */
+typedef struct Set_struct {
+int size;   /* The size of the array */
+int *array; /* The array used to store the set's values */
+} Set;
+
+Set *new_set(int max_size);
+void add_number(Set *the_set, int the_number);
+void remove_number(Set *the_set, int the_number);
+bool contains_number(Set *the_set, int the_number);
+void clear_set(Set *the_set);
+bool are_sets_equal(Set *set1, Set *set2);
+
+/* Code to handle sending keys to the guest */
+
+/* The queue is implemented as a linked list */
+struct Node {
+int value;
+void *next;
+};
+
+typedef struct Node Node;
+
+void add_key_to_queue(int keycode);
+void clear_key_queue(void);
+void send_queued_keys(DisplayChangeListener *dcl);
+
 #endif
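Review bot: `struct Node { int value; void *next; }` should declare `next` as `struct Node *` so traversals need no casts and the compiler can type-check them. The header also exports very generic names (`Set`, `Node`, `new_set`, `add_number`, `remove_number`, `contains_number`, `clear_set`) into every file that includes ui/console.h; prefix them or keep the set and queue private to console.c, since only the ungrab code uses them. Nothing here documents ownership either: who frees the `Set` returned by new_set() and the nodes queued by add_key_to_queue(), and whether set_ungrab_seq() rejects a sequence longer than MAX_UNGRAB_KEYS.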
diff --git a/qemu-options.hx b/qemu-options.hx
index 5050a49a5e..4a613e4e9c 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1243,6 +1243,7 @@ DEF("display", HAS_ARG, QEMU_OPTION_display,
 "[,window_close=on|off][,gl=on|off]\n"
 "-display gtk[,grab_on_hover=on|off][,gl=on|off]|\n"
 "-display vnc=[,]\n"
+"-display cocoa[hotkey-grab=]\n"
 "-display curses\n"
 "-display none"
 "select display type\n"
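Review bot: the new usage line for cocoa is missing the comma before `hotkey-grab=`; the `gtk[,grab_on_hover=on|off]` line just above and the commit message's own `-display cocoa,hotkey-grab=` syntax both use one, and as written the line documents a spelling the option parser will not accept. Write it as `cocoa[,hotkey-grab=` followed by the key list.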
diff --git a/ui/cocoa.m b/ui/cocoa.m
index 51db47cd71..c507f0d642 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -106,6 +106,8 @@
 bool stretch_video;
 NSTextField *pauseLabel;
 NSArray * supportedImageFileTypes;
+Set *key_set, *ungrab_set;
+int ungrab_sequence_length;
 
 // Mac to QKeyCode conversion
 const int mac_to_qkeycode_map[] = {
@@ -489,8 +491,6 @@ - (void) switchSurface:(DisplaySurface *)surface
 [[fullScreenWindow contentView] setFrame:[[NSScreen mainScreen] 
frame]];
 [normalWindow setFrame:NSMakeRect([normalWindow frame].origin.x, 
[normalWindow frame].origin.y - h + oldh, w, h + [normalWindow 
frame].size.height - oldh) 

Re: [Qemu-devel] [PATCH v2] specs/qcow2: Fix documentation of the compressed cluster descriptor

2018-02-20 Thread Eric Blake

On 02/20/2018 11:01 AM, Alberto Garcia wrote:

tl;dr: I think we need a v3 with even more clarification.



The documentation claims that the cluster descriptor contains the
number of sectors used to store the compressed data, but what it
actually contains is the number of sectors *minus one*.

That can be easily seen in qcow2_decompress_cluster(), that adds one
to the value stored in that field:

   nb_csectors = ((cluster_offset >> s->csize_shift) & s->csize_mask) + 1;


This is misleading.  It says how we take what is in the qcow2 file on 
reading in order to decompress, but still doesn't show how we generated 
that number.  Let's also compare it as well to what we WRITE into the 
qcow2 file:


nb_csectors = ((cluster_offset + compressed_size - 1) >> 9) -
  (cluster_offset >> 9);

I'm also making an additional observation: Due to the pigeonhole 
principle and the fact that the compression stream adds metadata, we 
KNOW that there are some (rare) cases where attempting to compress data 
will actually result in an INCREASE in size ('man gzip' backs up this 
claim, calling out a worst case -0.015% compression ratio, or 15 bytes 
added for every 1000 bytes of input, on uncompressible data).  So 
presumably, we should state that a cluster can only be written in 
compressed form IF it occupies less space than the uncompressed cluster 
(we could also allow a compressed form that occupies the same length as 
the uncompressed cluster, but that's a waste of CPU cycles).


Once we have that restriction stated, then it becomes obvious that a 
compressed cluster should never REQUIRE using more than one host cluster 
(and this is backed up by qcow2_alloc_bytes() asserting that size <= 
s->cluster_size).  Where things get interesting, though, is whether we 
PERMIT a compressed cluster to overlap a host cluster boundary. 
Technically, it might be possible, but qemu does NOT do that (again, 
looking at qcow2_alloc_bytes() - we loop if free_in_cluster < size) - so 
we may want to be explicit about this point to prevent OTHER 
implementations from creating a compressed cluster that crosses host 
cluster boundaries (right now, I can't see qcow2_decompress_cluster() 
validating it, though - YIKES).




In addition to that this patch clarifies where the actual compressed
data is located.

Although the size of the data is specified in sectors, the offset is
not necessarily aligned to a sector boundary, so the actual data goes
from the specified offset until the end of the last sector, leaving
the initial bytes of the first sector (if any) unused.

Signed-off-by: Alberto Garcia 
---

v2: I realized that the documentation is not completely clear about
 the exact location and size of the compressed data, so I updated
 the patch to clarify this.

---
  docs/interop/qcow2.txt | 12 ++--
  1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt
index d7fdb1fee3..dc2b9cefb2 100644
--- a/docs/interop/qcow2.txt
+++ b/docs/interop/qcow2.txt
@@ -427,9 +427,17 @@ Standard Cluster Descriptor:
  Compressed Clusters Descriptor (x = 62 - (cluster_bits - 8)):
  


I'm looking at how this works for different cluster sizes.  If we have 
512-byte clusters, x is 61, and we DON'T have the 'number sectors' field 
at all!  But that still makes sense, provided that all consecutive host 
sectors used to hold a compressed guest cluster lie within a single host 
cluster.  If we ever allowed a compressed cluster to spill across two 
host clusters, it would cause mayhem in trying to track refcounts and 
other things.  So you can have two 512-byte guest clusters that manage 
to compress into the same host cluster, but must never have a single 
guest cluster that spills over a host cluster boundary.


For all other cluster sizes, the value of x leaves us exactly 
log2(cluster_size / 512) bits for the 'number sectors' field.  For 
example, with 64k clusters, x is 54, leaving 7 bits (64k/512 == 128, and 
2^7 covers the number of sectors in a 64k host cluster).  Whether all of 
these sectors should lie within the same host cluster should be stated 
(as I argued above, this is how qemu does it, so it SHOULD be part of 
the spec to prevent refcount and other confusion if some other 
implementation created images violating that).



  Bit  0 -  x:Host cluster offset. This is usually _not_ aligned to a
-cluster boundary!
+cluster or sector boundary!
  
-   x+1 - 61:Compressed size of the images in sectors of 512 bytes

+   x+1 - 61:Number of 512-byte sectors used for the compressed data,
+minus one (that is, a value of n here means n+1 sectors).
+
+The actual compressed data is located at the end of this
+region, from the offset indicated in the previous field
+until the end of the last sector.
+
+ 
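Review bot: the new wording for the sector count still does not say whether the counted sectors may extend into the next host cluster; the iotest 122 failure earlier in this thread shows that qemu's qcow2_alloc_bytes() does produce compressed clusters that continue into the physically following cluster, so the spec should state that explicitly (and require that cluster to be allocated and refcounted) rather than leave other implementations to guess. The bit ranges are also off by one relative to the heading's own definition: with x = 62 - (cluster_bits - 8), x equals the code's csize_shift, and `(cluster_offset >> s->csize_shift) & s->csize_mask` takes cluster_bits - 8 bits starting at bit x, so the count occupies bits x - 61 and the host offset bits 0 - x-1, not "0 - x" and "x+1 - 61".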

[Qemu-devel] [PATCH v1 1/3] s390x/sclp: proper support of larger send and receive masks

2018-02-20 Thread Claudio Imbrenda
The architecture allows the guests to ask for masks up to 1021 bytes in
length. Part was fixed in 67915de9f0383ccf4ab8c42dd02aa18dcd79b411
("s390x/event-facility: variable-length event masks"), but some issues
were still remaining, in particular regarding the handling of selective
reads.

This patch fixes the handling of selective reads, whose size will now
match the length of the event mask, as per architecture.

The default behaviour is to be compliant with the architecture, but when
using older machine models the old behaviour is selected, in order to
be able to migrate toward older versions.

Fixes: 67915de9f0383ccf4a ("s390x/event-facility: variable-length event masks")
Signed-off-by: Claudio Imbrenda 
---
 hw/s390x/event-facility.c  | 90 +++---
 hw/s390x/s390-virtio-ccw.c |  8 -
 2 files changed, 84 insertions(+), 14 deletions(-)

diff --git a/hw/s390x/event-facility.c b/hw/s390x/event-facility.c
index 155a694..2414614 100644
--- a/hw/s390x/event-facility.c
+++ b/hw/s390x/event-facility.c
@@ -31,6 +31,14 @@ struct SCLPEventFacility {
 SCLPEventsBus sbus;
 /* guest' receive mask */
 unsigned int receive_mask;
+/*
+ * when false, we keep the same broken, backwards compatible behaviour as
+ * before; when true, we implement the architecture correctly. Needed for
+ * migration toward older versions.
+ */
+bool allow_all_mask_sizes;
+/* length of the receive mask */
+uint16_t mask_length;
 };
 
 /* return true if any child has event pending set */
@@ -220,6 +228,17 @@ static uint16_t handle_sccb_read_events(SCLPEventFacility 
*ef, SCCB *sccb,
 return rc;
 }
 
+/* copy up to dst_len bytes and fill the rest of dst with zeroes */
+static void copy_mask(uint8_t *dst, uint8_t *src, uint16_t dst_len,
+  uint16_t src_len)
+{
+int i;
+
+for (i = 0; i < dst_len; i++) {
+dst[i] = i < src_len ? src[i] : 0;
+}
+}
+
 static void read_event_data(SCLPEventFacility *ef, SCCB *sccb)
 {
 unsigned int sclp_active_selection_mask;
@@ -240,7 +259,9 @@ static void read_event_data(SCLPEventFacility *ef, SCCB 
*sccb)
 sclp_active_selection_mask = sclp_cp_receive_mask;
 break;
 case SCLP_SELECTIVE_READ:
-sclp_active_selection_mask = be32_to_cpu(red->mask);
+copy_mask((uint8_t *)_active_selection_mask, (uint8_t 
*)>mask,
+  sizeof(sclp_active_selection_mask), ef->mask_length);
+sclp_active_selection_mask = be32_to_cpu(sclp_active_selection_mask);
 if (!sclp_cp_receive_mask ||
 (sclp_active_selection_mask & ~sclp_cp_receive_mask)) {
 sccb->h.response_code =
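Review bot: ef->mask_length is guest-controlled (write_event_mask() stores whatever length the guest sent, up to SCLP_EVENT_MASK_LEN_MAX), so it deserves a comment at this call that the copy cannot overrun only because copy_mask() stops at dst_len = sizeof(sclp_active_selection_mask); the bound lives in the callee and is not visible here. Two things are not covered: nothing compares the SCCB's own length (sccb->h.length) with the number of mask bytes read from red->mask, which starts to matter as soon as the selection mask grows past 4 bytes; and nothing in the hunks shown initialises ef->mask_length, so a SELECTIVE_READ issued before the first WriteEventMask now yields an all-zero selection mask where the old code used the 4 bytes the guest supplied.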
@@ -259,24 +280,14 @@ out:
 return;
 }
 
-/* copy up to dst_len bytes and fill the rest of dst with zeroes */
-static void copy_mask(uint8_t *dst, uint8_t *src, uint16_t dst_len,
-  uint16_t src_len)
-{
-int i;
-
-for (i = 0; i < dst_len; i++) {
-dst[i] = i < src_len ? src[i] : 0;
-}
-}
-
 static void write_event_mask(SCLPEventFacility *ef, SCCB *sccb)
 {
 WriteEventMask *we_mask = (WriteEventMask *) sccb;
 uint16_t mask_length = be16_to_cpu(we_mask->mask_length);
 uint32_t tmp_mask;
 
-if (!mask_length || (mask_length > SCLP_EVENT_MASK_LEN_MAX)) {
+if (!mask_length || (mask_length > SCLP_EVENT_MASK_LEN_MAX) ||
+((mask_length != 4) && !ef->allow_all_mask_sizes)) {
 sccb->h.response_code = cpu_to_be16(SCLP_RC_INVALID_MASK_LENGTH);
 goto out;
 }
@@ -301,6 +312,7 @@ static void write_event_mask(SCLPEventFacility *ef, SCCB 
*sccb)
   mask_length, sizeof(tmp_mask));
 
 sccb->h.response_code = cpu_to_be16(SCLP_RC_NORMAL_COMPLETION);
+ef->mask_length = mask_length;
 
 out:
 return;
@@ -356,6 +368,34 @@ static void command_handler(SCLPEventFacility *ef, SCCB 
*sccb, uint64_t code)
 }
 }
 
+static bool vmstate_event_facility_mask_length_needed(void *opaque)
+{
+SCLPEventFacility *ef = opaque;
+
+return ef->allow_all_mask_sizes;
+}
+
+static int vmstate_event_facility_mask_length_pre_load(void *opaque)
+{
+SCLPEventFacility *ef = opaque;
+
+ef->allow_all_mask_sizes = false;
+return 0;
+}
+
+static const VMStateDescription vmstate_event_facility_mask_length = {
+.name = "vmstate-event-facility/mask_length",
+.version_id = 0,
+.minimum_version_id = 0,
+.needed = vmstate_event_facility_mask_length_needed,
+.pre_load = vmstate_event_facility_mask_length_pre_load,
+.fields = (VMStateField[]) {
+VMSTATE_BOOL(allow_all_mask_sizes, SCLPEventFacility),
+VMSTATE_UINT16(mask_length, SCLPEventFacility),
+VMSTATE_END_OF_LIST()
+ }
+};
+
 static const VMStateDescription vmstate_event_facility = {
 .name = "vmstate-event-facility",
 .version_id = 0,
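Review bot: vmstate_event_facility_mask_length_pre_load() resets allow_all_mask_sizes but not mask_length, and the subsection is only sent when allow_all_mask_sizes is true. When the source lacks the subsection, mask_length keeps whatever value the destination device had, while read_event_data()'s SCLP_SELECTIVE_READ path uses ef->mask_length unconditionally; set ef->mask_length = 4 in pre_load as well, so a guest migrated from an older QEMU keeps the 4-byte selective read it had before.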
@@ -363,15 +403,39 @@ static const VMStateDescription vmstate_event_facility = {
 .fields = 

[Qemu-devel] [PATCH v1 2/3] s390x/sclp: clean up sclp masks

2018-02-20 Thread Claudio Imbrenda
Clean up SCLP masks: introduce an sccb_mask_t to be used for SCLP event
masks instead of just unsigned int or uint32_t. This will allow later
to extend the mask with more ease.

Signed-off-by: Claudio Imbrenda 
---
 hw/char/sclpconsole-lm.c  |  4 ++--
 hw/char/sclpconsole.c |  4 ++--
 hw/s390x/event-facility.c | 18 +-
 hw/s390x/sclpcpu.c|  4 ++--
 hw/s390x/sclpquiesce.c|  4 ++--
 include/hw/s390x/event-facility.h | 22 +-
 6 files changed, 30 insertions(+), 26 deletions(-)

diff --git a/hw/char/sclpconsole-lm.c b/hw/char/sclpconsole-lm.c
index c500bda..cc4d70a 100644
--- a/hw/char/sclpconsole-lm.c
+++ b/hw/char/sclpconsole-lm.c
@@ -102,12 +102,12 @@ static bool can_handle_event(uint8_t type)
 return type == SCLP_EVENT_MESSAGE || type == SCLP_EVENT_PMSGCMD;
 }
 
-static unsigned int send_mask(void)
+static sccb_mask_t send_mask(void)
 {
 return SCLP_EVENT_MASK_OP_CMD | SCLP_EVENT_MASK_PMSGCMD;
 }
 
-static unsigned int receive_mask(void)
+static sccb_mask_t receive_mask(void)
 {
 return SCLP_EVENT_MASK_MSG | SCLP_EVENT_MASK_PMSGCMD;
 }
diff --git a/hw/char/sclpconsole.c b/hw/char/sclpconsole.c
index d0265df..ec9db13 100644
--- a/hw/char/sclpconsole.c
+++ b/hw/char/sclpconsole.c
@@ -83,12 +83,12 @@ static bool can_handle_event(uint8_t type)
 return type == SCLP_EVENT_ASCII_CONSOLE_DATA;
 }
 
-static unsigned int send_mask(void)
+static sccb_mask_t send_mask(void)
 {
 return SCLP_EVENT_MASK_MSG_ASCII;
 }
 
-static unsigned int receive_mask(void)
+static sccb_mask_t receive_mask(void)
 {
 return SCLP_EVENT_MASK_MSG_ASCII;
 }
diff --git a/hw/s390x/event-facility.c b/hw/s390x/event-facility.c
index 2414614..f6f28fd 100644
--- a/hw/s390x/event-facility.c
+++ b/hw/s390x/event-facility.c
@@ -30,7 +30,7 @@ struct SCLPEventFacility {
 SysBusDevice parent_obj;
 SCLPEventsBus sbus;
 /* guest' receive mask */
-unsigned int receive_mask;
+sccb_mask_t receive_mask;
 /*
  * when false, we keep the same broken, backwards compatible behaviour as
  * before; when true, we implement the architecture correctly. Needed for
@@ -60,9 +60,9 @@ static bool event_pending(SCLPEventFacility *ef)
 return false;
 }
 
-static unsigned int get_host_send_mask(SCLPEventFacility *ef)
+static sccb_mask_t get_host_send_mask(SCLPEventFacility *ef)
 {
-unsigned int mask;
+sccb_mask_t mask;
 BusChild *kid;
 SCLPEventClass *child;
 
@@ -76,9 +76,9 @@ static unsigned int get_host_send_mask(SCLPEventFacility *ef)
 return mask;
 }
 
-static unsigned int get_host_receive_mask(SCLPEventFacility *ef)
+static sccb_mask_t get_host_receive_mask(SCLPEventFacility *ef)
 {
-unsigned int mask;
+sccb_mask_t mask;
 BusChild *kid;
 SCLPEventClass *child;
 
@@ -188,7 +188,7 @@ out:
 }
 
 static uint16_t handle_sccb_read_events(SCLPEventFacility *ef, SCCB *sccb,
-unsigned int mask)
+sccb_mask_t mask)
 {
 uint16_t rc;
 int slen;
@@ -241,8 +241,8 @@ static void copy_mask(uint8_t *dst, uint8_t *src, uint16_t 
dst_len,
 
 static void read_event_data(SCLPEventFacility *ef, SCCB *sccb)
 {
-unsigned int sclp_active_selection_mask;
-unsigned int sclp_cp_receive_mask;
+sccb_mask_t sclp_active_selection_mask = 0;
+sccb_mask_t sclp_cp_receive_mask;
 
 ReadEventData *red = (ReadEventData *) sccb;
 
@@ -284,7 +284,7 @@ static void write_event_mask(SCLPEventFacility *ef, SCCB 
*sccb)
 {
 WriteEventMask *we_mask = (WriteEventMask *) sccb;
 uint16_t mask_length = be16_to_cpu(we_mask->mask_length);
-uint32_t tmp_mask;
+sccb_mask_t tmp_mask = 0;
 
 if (!mask_length || (mask_length > SCLP_EVENT_MASK_LEN_MAX) ||
 ((mask_length != 4) && !ef->allow_all_mask_sizes)) {
diff --git a/hw/s390x/sclpcpu.c b/hw/s390x/sclpcpu.c
index 3ee890b..50c021b 100644
--- a/hw/s390x/sclpcpu.c
+++ b/hw/s390x/sclpcpu.c
@@ -37,12 +37,12 @@ void raise_irq_cpu_hotplug(void)
 sclp_service_interrupt(0);
 }
 
-static unsigned int send_mask(void)
+static sccb_mask_t send_mask(void)
 {
 return SCLP_EVENT_MASK_CONFIG_MGT_DATA;
 }
 
-static unsigned int receive_mask(void)
+static sccb_mask_t receive_mask(void)
 {
 return 0;
 }
diff --git a/hw/s390x/sclpquiesce.c b/hw/s390x/sclpquiesce.c
index 0241643..1c8f5c9 100644
--- a/hw/s390x/sclpquiesce.c
+++ b/hw/s390x/sclpquiesce.c
@@ -28,12 +28,12 @@ static bool can_handle_event(uint8_t type)
 return type == SCLP_EVENT_SIGNAL_QUIESCE;
 }
 
-static unsigned int send_mask(void)
+static sccb_mask_t send_mask(void)
 {
 return SCLP_EVENT_MASK_SIGNAL_QUIESCE;
 }
 
-static unsigned int receive_mask(void)
+static sccb_mask_t receive_mask(void)
 {
 return 0;
 }
diff --git a/include/hw/s390x/event-facility.h 
b/include/hw/s390x/event-facility.h
index 5119b9b..0a8b47a 100644
--- a/include/hw/s390x/event-facility.h
+++ 

[Qemu-devel] Moving seabios-hppa git submodule to use a qemu.org mirror

2018-02-20 Thread Peter Maydell
I just noticed that we seem to have acquired another git
submodule that isn't pointing to a qemu.org git url:

[submodule "roms/seabios-hppa"]
path = roms/seabios-hppa
url = git://github.com/hdeller/seabios-hppa.git

Jeff, could we set up so we can mirror this repo on qemu.org?
Then we can send a patch to update the .gitmodules to point to it.

(There's also a patchset on list that wants to add a
submodule for git://github.com/zbalaton/u-boot-sam460ex
but I don't know if that will go in or not yet. Should
we insist that we set up the mirror first for new
submodules, or allow them in and fix things up after?
By default we're doing the latter at the moment; the
former seems cleaner but makes it more painful for
contributors to get things added which need new
submodules.)

thanks
-- PMM



[Qemu-devel] [PATCHv2 11/11] macio: remove macio_init() function

2018-02-20 Thread Mark Cave-Ayland
Move the remaining comment into macio.c for reference, then remove the
macio_init() function and instantiate the macio devices for both Old World
and New World machines via qdev_init_nofail() directly.

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/macio.c | 11 +++
 hw/ppc/mac_newworld.c |  4 +---
 hw/ppc/mac_oldworld.c |  4 +---
 3 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index f71ed61819..af1bd46b4b 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -33,6 +33,9 @@
 #include "hw/misc/macio/macio.h"
 #include "hw/intc/heathrow_pic.h"
 
+/* Note: this code is strongly inspirated from the corresponding code
+ * in PearPC */
+
 /*
  * The mac-io has two interfaces to the ESCC. One is called "escc-legacy",
  * while the other one is the normal, current ESCC interface.
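Review bot: since the comment is being relocated anyway, fix the typo in `+/* Note: this code is strongly inspirated from the corresponding code`: it should read "strongly inspired by".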
@@ -442,11 +445,3 @@ static void macio_register_types(void)
 }
 
 type_init(macio_register_types)
-
-void macio_init(PCIDevice *d,
-MemoryRegion *pic_mem)
-{
-/* Note: this code is strongly inspirated from the corresponding code
-   in PearPC */
-qdev_init_nofail(DEVICE(d));
-}
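Review bot: the prototype of macio_init() is not touched by this diffstat (only hw/misc/macio/macio.c, hw/ppc/mac_newworld.c and hw/ppc/mac_oldworld.c are listed). If it is declared in a header such as hw/ppc/mac.h, that declaration should be dropped in the same patch so no dangling prototype is left behind for a function that no longer exists.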
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index c7960ab67a..a749e2565d 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -160,7 +160,6 @@ static void ppc_core99_init(MachineState *machine)
 MacIONVRAMState *nvr;
 int bios_size, ndrv_size;
 uint8_t *ndrv_file;
-MemoryRegion *pic_mem;
 int ppc_boot_device;
 DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
 void *fw_cfg;
@@ -337,7 +336,6 @@ static void ppc_core99_init(MachineState *machine)
 qdev_prop_set_uint32(pic_dev, "model", OPENPIC_MODEL_KEYLARGO);
 qdev_init_nofail(pic_dev);
 s = SYS_BUS_DEVICE(pic_dev);
-pic_mem = s->mmio[0].memory;
 k = 0;
 for (i = 0; i < smp_cpus; i++) {
 for (j = 0; j < OPENPIC_OUTPUT_NB; j++) {
@@ -381,7 +379,7 @@ static void ppc_core99_init(MachineState *machine)
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
 object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
  _abort);
-macio_init(PCI_DEVICE(macio), pic_mem);
+qdev_init_nofail(dev);
 
 /* We only emulate 2 out of 3 IDE controllers for now */
 ide_drive_get(hd, ARRAY_SIZE(hd));
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 3ac5b19073..935493c966 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -96,7 +96,6 @@ static void ppc_heathrow_init(MachineState *machine)
 OldWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
 DeviceState *dev, *pic_dev;
-SysBusDevice *sbd;
 BusState *adb_bus;
 int bios_size, ndrv_size;
 uint8_t *ndrv_file;
@@ -283,8 +282,7 @@ static void ppc_heathrow_init(MachineState *machine)
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
 object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
  _abort);
-sbd = SYS_BUS_DEVICE(pic_dev);
-macio_init(PCI_DEVICE(macio), sysbus_mmio_get_region(sbd, 0));
+qdev_init_nofail(dev);
 
 macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
 "ide[0]"));
-- 
2.11.0




Re: [Qemu-devel] [PATCHv2 01/11] macio: embed DBDMA device directly within macio

2018-02-20 Thread Philippe Mathieu-Daudé
On 02/20/2018 03:41 PM, Mark Cave-Ayland wrote:
> The current recommendation is to embed subdevices directly within their container
> device, so do this for the DBDMA device.
> 
> Signed-off-by: Mark Cave-Ayland 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  hw/misc/macio/macio.c | 13 +++--
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
> index 024f8557ab..7174135c8b 100644
> --- a/hw/misc/macio/macio.c
> +++ b/hw/misc/macio/macio.c
> @@ -42,7 +42,7 @@ typedef struct MacIOState
>  
>  MemoryRegion bar;
>  CUDAState cuda;
> -DBDMAState *dbdma;
> +DBDMAState dbdma;
>  MemoryRegion *pic_mem;
>  MemoryRegion *escc_mem;
>  uint64_t frequency;
> @@ -129,12 +129,12 @@ static void macio_common_realize(PCIDevice *d, Error 
> **errp)
>  SysBusDevice *sysbus_dev;
>  Error *err = NULL;
>  
> -object_property_set_bool(OBJECT(s->dbdma), true, "realized", );
> +object_property_set_bool(OBJECT(>dbdma), true, "realized", );
>  if (err) {
>  error_propagate(errp, err);
>  return;
>  }
> -sysbus_dev = SYS_BUS_DEVICE(s->dbdma);
> +sysbus_dev = SYS_BUS_DEVICE(>dbdma);
>  memory_region_add_subregion(>bar, 0x08000,
>  sysbus_mmio_get_region(sysbus_dev, 0));
>  
> @@ -161,7 +161,7 @@ static void macio_realize_ide(MacIOState *s, 
> MACIOIDEState *ide,
>  sysbus_connect_irq(sysbus_dev, 0, irq0);
>  sysbus_connect_irq(sysbus_dev, 1, irq1);
>  qdev_prop_set_uint32(DEVICE(ide), "channel", dmaid);
> -object_property_set_link(OBJECT(ide), OBJECT(s->dbdma), "dbdma", errp);
> +object_property_set_link(OBJECT(ide), OBJECT(>dbdma), "dbdma", errp);
>  macio_ide_register_dma(ide);
>  
>  object_property_set_bool(OBJECT(ide), true, "realized", errp);
> @@ -344,8 +344,9 @@ static void macio_instance_init(Object *obj)
>  qdev_set_parent_bus(DEVICE(>cuda), sysbus_get_default());
>  object_property_add_child(obj, "cuda", OBJECT(>cuda), NULL);
>  
> -s->dbdma = MAC_DBDMA(object_new(TYPE_MAC_DBDMA));
> -object_property_add_child(obj, "dbdma", OBJECT(s->dbdma), NULL);
> +object_initialize(>dbdma, sizeof(s->dbdma), TYPE_MAC_DBDMA);
> +qdev_set_parent_bus(DEVICE(>dbdma), sysbus_get_default());
> +object_property_add_child(obj, "dbdma", OBJECT(>dbdma), NULL);
>  }
>  
>  static const VMStateDescription vmstate_macio_oldworld = {
> 



[Qemu-devel] [PATCHv2 10/11] macio: move setting of CUDA timebase frequency to macio_common_realize()

2018-02-20 Thread Mark Cave-Ayland
This removes the last of the functionality from macio_init() in preparation
for its subsequent removal.

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/macio.c | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index e5288f1084..f71ed61819 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -101,6 +101,8 @@ static void macio_common_realize(PCIDevice *d, Error **errp)
 memory_region_add_subregion(>bar, 0x08000,
 sysbus_mmio_get_region(sysbus_dev, 0));
 
+qdev_prop_set_uint64(DEVICE(>cuda), "timebase-frequency",
+ s->frequency);
 object_property_set_bool(OBJECT(>cuda), true, "realized", );
 if (err) {
 error_propagate(errp, err);
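Review bot: reading s->frequency inside macio_common_realize() relies on the board having set the "frequency" property before realize. Both callers do so today (qdev_prop_set_uint64(dev, "frequency", tbfreq) precedes the qdev_init_nofail(dev) introduced in 11/11), but nothing documents that ordering now that macio_init() no longer sits between the two; a short comment above the new qdev_prop_set_uint64(DEVICE(&s->cuda), ...) call stating that "frequency" must be set before the device is realized would help the next reader.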
@@ -444,12 +446,7 @@ type_init(macio_register_types)
 void macio_init(PCIDevice *d,
 MemoryRegion *pic_mem)
 {
-MacIOState *macio_state = MACIO(d);
-
 /* Note: this code is strongly inspirated from the corresponding code
in PearPC */
-qdev_prop_set_uint64(DEVICE(_state->cuda), "timebase-frequency",
- macio_state->frequency);
-
 qdev_init_nofail(DEVICE(d));
 }
-- 
2.11.0




[Qemu-devel] [PATCH v1 3/3] s390x/sclp: extend SCLP event masks to 64 bits

2018-02-20 Thread Claudio Imbrenda
Extend the SCLP event masks to 64 bits. This will make us future-proof
against future extensions of the architecture.

Notice that using any of the new bits results in a state that cannot be
migrated to an older version.

Signed-off-by: Claudio Imbrenda 
---
 hw/s390x/event-facility.c | 43 +--
 include/hw/s390x/event-facility.h |  2 +-
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/hw/s390x/event-facility.c b/hw/s390x/event-facility.c
index f6f28fd..e71302a 100644
--- a/hw/s390x/event-facility.c
+++ b/hw/s390x/event-facility.c
@@ -30,7 +30,10 @@ struct SCLPEventFacility {
 SysBusDevice parent_obj;
 SCLPEventsBus sbus;
 /* guest' receive mask */
-sccb_mask_t receive_mask;
+union {
+uint32_t receive_mask_compat32;
+sccb_mask_t receive_mask;
+};
 /*
  * when false, we keep the same broken, backwards compatible behaviour as
  * before; when true, we implement the architecture correctly. Needed for
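Review bot: the anonymous union makes receive_mask_compat32 alias whichever 32-bit half of receive_mask lives at offset 0, which is the low half on little-endian hosts and the high half on big-endian hosts. The vmstate hunk below migrates receive_mask_compat32 as the legacy 32-bit field, so the meaning of that field in the migration stream would depend on host byte order, and a big-endian host (a real s390x) would save a different half of the mask than a little-endian TCG host. Suggest dropping the union, keeping an explicit uint32_t compat field, and filling it from receive_mask in a pre_save hook (with the reverse in post_load) using an explicit, deliberately chosen shift.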
@@ -261,7 +264,7 @@ static void read_event_data(SCLPEventFacility *ef, SCCB 
*sccb)
 case SCLP_SELECTIVE_READ:
 copy_mask((uint8_t *)_active_selection_mask, (uint8_t 
*)>mask,
   sizeof(sclp_active_selection_mask), ef->mask_length);
-sclp_active_selection_mask = be32_to_cpu(sclp_active_selection_mask);
+sclp_active_selection_mask = be64_to_cpu(sclp_active_selection_mask);
 if (!sclp_cp_receive_mask ||
 (sclp_active_selection_mask & ~sclp_cp_receive_mask)) {
 sccb->h.response_code =
@@ -301,13 +304,13 @@ static void write_event_mask(SCLPEventFacility *ef, SCCB 
*sccb)
 /* keep track of the guest's capability masks */
 copy_mask((uint8_t *)_mask, WEM_CP_RECEIVE_MASK(we_mask, mask_length),
   sizeof(tmp_mask), mask_length);
-ef->receive_mask = be32_to_cpu(tmp_mask);
+ef->receive_mask = be64_to_cpu(tmp_mask);
 
 /* return the SCLP's capability masks to the guest */
-tmp_mask = cpu_to_be32(get_host_receive_mask(ef));
+tmp_mask = cpu_to_be64(get_host_receive_mask(ef));
 copy_mask(WEM_RECEIVE_MASK(we_mask, mask_length), (uint8_t *)_mask,
   mask_length, sizeof(tmp_mask));
-tmp_mask = cpu_to_be32(get_host_send_mask(ef));
+tmp_mask = cpu_to_be64(get_host_send_mask(ef));
 copy_mask(WEM_SEND_MASK(we_mask, mask_length), (uint8_t *)_mask,
   mask_length, sizeof(tmp_mask));
 
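Review bot: after this change the legacy 4-byte guest mask is copied into the start of the 8-byte tmp_mask (assuming copy_mask() fills dst from its first byte, as its use with sizeof(tmp_mask) and mask_length suggests) and then converted with be64_to_cpu(), so the bits the guest set end up in the upper 32 bits of receive_mask; symmetrically, cpu_to_be64() followed by a 4-byte copy_mask() hands the guest only the upper 32 bits of get_host_receive_mask() and get_host_send_mask(). The SCLP_EVENT_MASK_* constants returned by the devices' send_mask()/receive_mask() hooks (sclpconsole.c, sclpcpu.c, sclpquiesce.c in 2/3) are not touched by this diffstat (event-facility.h changes only the typedef), so unless they are redefined elsewhere in the upper half the guest selection mask and the host capability masks no longer line up. Either shift the existing constants by 32 when sccb_mask_t grows, or define them relative to the width of sccb_mask_t so the change is automatic.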
@@ -368,6 +371,21 @@ static void command_handler(SCLPEventFacility *ef, SCCB 
*sccb, uint64_t code)
 }
 }
 
+static bool vmstate_event_facility_mask64_needed(void *opaque)
+{
+SCLPEventFacility *ef = opaque;
+
+return (ef->receive_mask & 0x) != 0;
+}
+
+static int vmstate_event_facility_mask64_pre_load(void *opaque)
+{
+SCLPEventFacility *ef = opaque;
+
+ef->receive_mask &= ~0xULL;
+return 0;
+}
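Review bot: as posted, the constants in `+return (ef->receive_mask & 0x) != 0;` and `+ef->receive_mask &= ~0xULL;` are incomplete and will not compile; please resend with the mask of the non-legacy half spelled out. Separately, a subsection's .pre_load runs only when that subsection is present in the stream, immediately before VMSTATE_UINT64(receive_mask) overwrites the whole field, so the clear has no effect; if the intent is to clear the non-legacy half when an old stream lacks the subsection, that has to happen in the parent vmstate_event_facility's pre_load or post_load. The mask_length subsection's pre_load from 1/3 has the same problem.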
+
 static bool vmstate_event_facility_mask_length_needed(void *opaque)
 {
 SCLPEventFacility *ef = opaque;
@@ -383,6 +401,18 @@ static int 
vmstate_event_facility_mask_length_pre_load(void *opaque)
 return 0;
 }
 
+static const VMStateDescription vmstate_event_facility_mask64 = {
+.name = "vmstate-event-facility/mask64",
+.version_id = 0,
+.minimum_version_id = 0,
+.needed = vmstate_event_facility_mask64_needed,
+.pre_load = vmstate_event_facility_mask64_pre_load,
+.fields = (VMStateField[]) {
+VMSTATE_UINT64(receive_mask, SCLPEventFacility),
+VMSTATE_END_OF_LIST()
+ }
+};
+
 static const VMStateDescription vmstate_event_facility_mask_length = {
 .name = "vmstate-event-facility/mask_length",
 .version_id = 0,
@@ -401,10 +431,11 @@ static const VMStateDescription vmstate_event_facility = {
 .version_id = 0,
 .minimum_version_id = 0,
 .fields = (VMStateField[]) {
-VMSTATE_UINT32(receive_mask, SCLPEventFacility),
+VMSTATE_UINT32(receive_mask_compat32, SCLPEventFacility),
 VMSTATE_END_OF_LIST()
  },
 .subsections = (const VMStateDescription * []) {
+_event_facility_mask64,
 _event_facility_mask_length,
 NULL
  }
diff --git a/include/hw/s390x/event-facility.h 
b/include/hw/s390x/event-facility.h
index 0a8b47a..e40c85f 100644
--- a/include/hw/s390x/event-facility.h
+++ b/include/hw/s390x/event-facility.h
@@ -73,7 +73,7 @@ typedef struct WriteEventMask {
 #define WEM_RECEIVE_MASK(wem, mask_len) ((wem)->masks + 2 * (mask_len))
 #define WEM_SEND_MASK(wem, mask_len) ((wem)->masks + 3 * (mask_len))
 
-typedef uint32_t sccb_mask_t;
+typedef uint64_t sccb_mask_t;
 
 typedef struct EventBufferHeader {
 uint16_t length;
-- 
2.7.4




[Qemu-devel] [PATCHv2 04/11] heathrow: convert to trace-events

2018-02-20 Thread Mark Cave-Ayland
Signed-off-by: Mark Cave-Ayland 
---
 hw/intc/heathrow_pic.c | 32 +++-
 hw/intc/trace-events   |  5 +
 2 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 7bf44e0d86..5fd2b33a12 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -26,16 +26,7 @@
 #include "hw/hw.h"
 #include "hw/ppc/mac.h"
 #include "hw/intc/heathrow_pic.h"
-
-/* debug PIC */
-//#define DEBUG_PIC
-
-#ifdef DEBUG_PIC
-#define PIC_DPRINTF(fmt, ...)   \
-do { printf("PIC: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define PIC_DPRINTF(fmt, ...)
-#endif
+#include "trace.h"
 
 static inline int heathrow_check_irq(HeathrowPICState *pic)
 {
@@ -61,7 +52,7 @@ static void heathrow_write(void *opaque, hwaddr addr,
 unsigned int n;
 
 n = ((addr & 0xfff) - 0x10) >> 4;
-PIC_DPRINTF("writel: " TARGET_FMT_plx " %u: %08x\n", addr, n, value);
+trace_heathrow_write(addr, n, value);
 if (n >= 2)
 return;
 pic = >pics[n];
@@ -109,7 +100,7 @@ static uint64_t heathrow_read(void *opaque, hwaddr addr,
 break;
 }
 }
-PIC_DPRINTF("readl: " TARGET_FMT_plx " %u: %08x\n", addr, n, value);
+trace_heathrow_read(addr, n, value);
 return value;
 }
 
@@ -124,24 +115,23 @@ static void heathrow_set_irq(void *opaque, int num, int 
level)
 HeathrowState *s = opaque;
 HeathrowPICState *pic;
 unsigned int irq_bit;
+int last_level;
 
-#if defined(DEBUG)
-{
-static int last_level[64];
-if (last_level[num] != level) {
-PIC_DPRINTF("set_irq: num=0x%02x level=%d\n", num, level);
-last_level[num] = level;
-}
-}
-#endif
 pic = >pics[1 - (num >> 5)];
 irq_bit = 1 << (num & 0x1f);
+last_level = (pic->levels & irq_bit) ? 1 : 0;
+
 if (level) {
 pic->events |= irq_bit & ~pic->level_triggered;
 pic->levels |= irq_bit;
 } else {
 pic->levels &= ~irq_bit;
 }
+
+if (last_level != level) {
+trace_heathrow_set_irq(num, level);
+}
+
 heathrow_update_irq(s);
 }
 
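Review bot: `last_level` is normalised to 0/1 from pic->levels, but `level` is compared to it unchanged in `+if (last_level != level) {`; qemu_set_irq() callers may pass any non-zero int, so a line that stays asserted (say 1 followed by 2) would be traced as a change. Normalise with `level = !!level;` at the top of the function, or compare against `!!level`. The previous code only tracked changes under DEBUG, so the new bookkeeping now runs on every set_irq call; that is fine, but this patch currently has no description at all and should say so.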
diff --git a/hw/intc/trace-events b/hw/intc/trace-events
index 4092d2825e..55e8c2570c 100644
--- a/hw/intc/trace-events
+++ b/hw/intc/trace-events
@@ -186,3 +186,8 @@ nvic_complete_irq(int irq, bool secure) "NVIC complete IRQ 
%d (secure %d)"
 nvic_set_irq_level(int irq, int level) "NVIC external irq %d level set to %d"
 nvic_sysreg_read(uint64_t addr, uint32_t value, unsigned size) "NVIC sysreg 
read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 nvic_sysreg_write(uint64_t addr, uint32_t value, unsigned size) "NVIC sysreg 
write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
+
+# hw/intc/heathrow_pic.c
+heathrow_write(uint64_t addr, unsigned int n, uint64_t value) "0x%"PRIx64" %u: 
0x%"PRIx64
+heathrow_read(uint64_t addr, unsigned int n, uint64_t value) "0x%"PRIx64" %u: 
0x%"PRIx64
+heathrow_set_irq(int num, int level) "set_irq: num=0x%02x level=%d"
-- 
2.11.0




[Qemu-devel] [PATCHv2 09/11] mac_newworld: use object link to pass OpenPIC object to macio

2018-02-20 Thread Mark Cave-Ayland
Also switch macio_newworld_realize() over to use it rather than using the pic_mem
memory region directly.

Now that both Old World and New World macio devices no longer make use of the
pic_mem memory region directly, we can remove it.

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/macio.c | 14 +-
 hw/ppc/mac_newworld.c | 20 +++-
 include/hw/misc/macio/macio.h |  4 +++-
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index d4c1d190c4..e5288f1084 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -279,10 +279,10 @@ static void macio_newworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_connect_irq(sysbus_dev, 0, ns->irqs[cur_irq++]);
 sysbus_connect_irq(sysbus_dev, 1, ns->irqs[cur_irq++]);
 
-if (s->pic_mem) {
-/* OpenPIC */
-memory_region_add_subregion(>bar, 0x4, s->pic_mem);
-}
+/* OpenPIC */
+sysbus_dev = SYS_BUS_DEVICE(ns->pic);
+memory_region_add_subregion(>bar, 0x4,
+sysbus_mmio_get_region(sysbus_dev, 0));
 
 /* IDE buses */
 for (i = 0; i < ARRAY_SIZE(ns->ide); i++) {
@@ -311,6 +311,11 @@ static void macio_newworld_init(Object *obj)
 
 qdev_init_gpio_out(DEVICE(obj), ns->irqs, ARRAY_SIZE(ns->irqs));
 
+object_property_add_link(obj, "pic", TYPE_OPENPIC,
+ (Object **) >pic,
+ qdev_prop_allow_set_link_before_realize,
+ 0, NULL);
+
 for (i = 0; i < 2; i++) {
 macio_init_ide(s, >ide[i], sizeof(ns->ide[i]), i);
 }
@@ -441,7 +446,6 @@ void macio_init(PCIDevice *d,
 {
 MacIOState *macio_state = MACIO(d);
 
-macio_state->pic_mem = pic_mem;
 /* Note: this code is strongly inspirated from the corresponding code
in PearPC */
 qdev_prop_set_uint64(DEVICE(_state->cuda), "timebase-frequency",
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 396216954e..c7960ab67a 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -154,7 +154,7 @@ static void ppc_core99_init(MachineState *machine)
 hwaddr kernel_base, initrd_base, cmdline_base = 0;
 long kernel_size, initrd_size;
 PCIBus *pci_bus;
-PCIDevice *macio;
+NewWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
 BusState *adb_bus;
 MacIONVRAMState *nvr;
@@ -166,7 +166,7 @@ static void ppc_core99_init(MachineState *machine)
 void *fw_cfg;
 int machine_arch;
 SysBusDevice *s;
-DeviceState *dev;
+DeviceState *dev, *pic_dev;
 int *token = g_new(int, 1);
 hwaddr nvram_addr = 0xFFF04000;
 uint64_t tbfreq;
@@ -333,10 +333,10 @@ static void ppc_core99_init(MachineState *machine)
 
 pic = g_new0(qemu_irq, 64);
 
-dev = qdev_create(NULL, TYPE_OPENPIC);
-qdev_prop_set_uint32(dev, "model", OPENPIC_MODEL_KEYLARGO);
-qdev_init_nofail(dev);
-s = SYS_BUS_DEVICE(dev);
+pic_dev = qdev_create(NULL, TYPE_OPENPIC);
+qdev_prop_set_uint32(pic_dev, "model", OPENPIC_MODEL_KEYLARGO);
+qdev_init_nofail(pic_dev);
+s = SYS_BUS_DEVICE(pic_dev);
 pic_mem = s->mmio[0].memory;
 k = 0;
 for (i = 0; i < smp_cpus; i++) {
@@ -346,7 +346,7 @@ static void ppc_core99_init(MachineState *machine)
 }
 
 for (i = 0; i < 64; i++) {
-pic[i] = qdev_get_gpio_in(dev, i);
+pic[i] = qdev_get_gpio_in(pic_dev, i);
 }
 
 if (PPC_INPUT(env) == PPC_FLAGS_INPUT_970) {
@@ -369,7 +369,7 @@ static void ppc_core99_init(MachineState *machine)
 }
 
 /* MacIO */
-macio = pci_create(pci_bus, -1, TYPE_NEWWORLD_MACIO);
+macio = NEWWORLD_MACIO(pci_create(pci_bus, -1, TYPE_NEWWORLD_MACIO));
 dev = DEVICE(macio);
 qdev_connect_gpio_out(dev, 0, pic[0x19]); /* CUDA */
 qdev_connect_gpio_out(dev, 1, pic[0x24]); /* ESCC-B */
@@ -379,7 +379,9 @@ static void ppc_core99_init(MachineState *machine)
 qdev_connect_gpio_out(dev, 5, pic[0x0e]); /* IDE */
 qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE DMA */
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
-macio_init(macio, pic_mem);
+object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
+ _abort);
+macio_init(PCI_DEVICE(macio), pic_mem);
 
 /* We only emulate 2 out of 3 IDE controllers for now */
 ide_drive_get(hd, ARRAY_SIZE(hd));
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index 843c114c07..4528282b36 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -29,6 +29,7 @@
 #include "hw/intc/heathrow_pic.h"
 #include "hw/misc/macio/cuda.h"
 #include "hw/ppc/mac_dbdma.h"
+#include "hw/ppc/openpic.h"
 
 #define TYPE_MACIO "macio"
 #define MACIO(obj) OBJECT_CHECK(MacIOState, (obj), TYPE_MACIO)
@@ -42,7 +43,6 @@ typedef struct MacIOState {
 CUDAState cuda;
 DBDMAState dbdma;
 ESCCState escc;

[Qemu-devel] [PATCHv2 03/11] heathrow: QOMify heathrow PIC

2018-02-20 Thread Mark Cave-Ayland
Signed-off-by: Mark Cave-Ayland 
---
 hw/intc/heathrow_pic.c | 126 +++--
 include/hw/intc/heathrow_pic.h |  49 
 2 files changed, 119 insertions(+), 56 deletions(-)
 create mode 100644 include/hw/intc/heathrow_pic.h

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 171f5ed814..7bf44e0d86 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -25,6 +25,7 @@
 #include "qemu/osdep.h"
 #include "hw/hw.h"
 #include "hw/ppc/mac.h"
+#include "hw/intc/heathrow_pic.h"
 
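Review bot: this patch carries no description, only a Signed-off-by. A QOMification that renames every function, introduces HeathrowState/HeathrowPICState and a new header, and keeps the vmstate name "heathrow_pic" at version 1 (presumably on purpose, for migration compatibility) deserves a few lines stating the new type name, the compatibility intent, and how the board now instantiates and wires the PIC, since the hunk showing that is cut off here.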
 /* debug PIC */
 //#define DEBUG_PIC
@@ -36,39 +37,27 @@
 #define PIC_DPRINTF(fmt, ...)
 #endif
 
-typedef struct HeathrowPIC {
-uint32_t events;
-uint32_t mask;
-uint32_t levels;
-uint32_t level_triggered;
-} HeathrowPIC;
-
-typedef struct HeathrowPICS {
-MemoryRegion mem;
-HeathrowPIC pics[2];
-qemu_irq *irqs;
-} HeathrowPICS;
-
-static inline int check_irq(HeathrowPIC *pic)
+static inline int heathrow_check_irq(HeathrowPICState *pic)
 {
 return (pic->events | (pic->levels & pic->level_triggered)) & pic->mask;
 }
 
 /* update the CPU irq state */
-static void heathrow_pic_update(HeathrowPICS *s)
+static void heathrow_update_irq(HeathrowState *s)
 {
-if (check_irq(>pics[0]) || check_irq(>pics[1])) {
+if (heathrow_check_irq(>pics[0]) ||
+heathrow_check_irq(>pics[1])) {
 qemu_irq_raise(s->irqs[0]);
 } else {
 qemu_irq_lower(s->irqs[0]);
 }
 }
 
-static void pic_write(void *opaque, hwaddr addr,
-  uint64_t value, unsigned size)
+static void heathrow_write(void *opaque, hwaddr addr,
+   uint64_t value, unsigned size)
 {
-HeathrowPICS *s = opaque;
-HeathrowPIC *pic;
+HeathrowState *s = opaque;
+HeathrowPICState *pic;
 unsigned int n;
 
 n = ((addr & 0xfff) - 0x10) >> 4;
@@ -79,24 +68,24 @@ static void pic_write(void *opaque, hwaddr addr,
 switch(addr & 0xf) {
 case 0x04:
 pic->mask = value;
-heathrow_pic_update(s);
+heathrow_update_irq(s);
 break;
 case 0x08:
 /* do not reset level triggered IRQs */
 value &= ~pic->level_triggered;
 pic->events &= ~value;
-heathrow_pic_update(s);
+heathrow_update_irq(s);
 break;
 default:
 break;
 }
 }
 
-static uint64_t pic_read(void *opaque, hwaddr addr,
- unsigned size)
+static uint64_t heathrow_read(void *opaque, hwaddr addr,
+  unsigned size)
 {
-HeathrowPICS *s = opaque;
-HeathrowPIC *pic;
+HeathrowState *s = opaque;
+HeathrowPICState *pic;
 unsigned int n;
 uint32_t value;
 
@@ -124,16 +113,16 @@ static uint64_t pic_read(void *opaque, hwaddr addr,
 return value;
 }
 
-static const MemoryRegionOps heathrow_pic_ops = {
-.read = pic_read,
-.write = pic_write,
+static const MemoryRegionOps heathrow_ops = {
+.read = heathrow_read,
+.write = heathrow_write,
 .endianness = DEVICE_LITTLE_ENDIAN,
 };
 
-static void heathrow_pic_set_irq(void *opaque, int num, int level)
+static void heathrow_set_irq(void *opaque, int num, int level)
 {
-HeathrowPICS *s = opaque;
-HeathrowPIC *pic;
+HeathrowState *s = opaque;
+HeathrowPICState *pic;
 unsigned int irq_bit;
 
 #if defined(DEBUG)
@@ -153,7 +142,7 @@ static void heathrow_pic_set_irq(void *opaque, int num, int 
level)
 } else {
 pic->levels &= ~irq_bit;
 }
-heathrow_pic_update(s);
+heathrow_update_irq(s);
 }
 
 static const VMStateDescription vmstate_heathrow_pic_one = {
@@ -161,54 +150,79 @@ static const VMStateDescription vmstate_heathrow_pic_one 
= {
 .version_id = 0,
 .minimum_version_id = 0,
 .fields = (VMStateField[]) {
-VMSTATE_UINT32(events, HeathrowPIC),
-VMSTATE_UINT32(mask, HeathrowPIC),
-VMSTATE_UINT32(levels, HeathrowPIC),
-VMSTATE_UINT32(level_triggered, HeathrowPIC),
+VMSTATE_UINT32(events, HeathrowPICState),
+VMSTATE_UINT32(mask, HeathrowPICState),
+VMSTATE_UINT32(levels, HeathrowPICState),
+VMSTATE_UINT32(level_triggered, HeathrowPICState),
 VMSTATE_END_OF_LIST()
 }
 };
 
-static const VMStateDescription vmstate_heathrow_pic = {
+static const VMStateDescription vmstate_heathrow = {
 .name = "heathrow_pic",
 .version_id = 1,
 .minimum_version_id = 1,
 .fields = (VMStateField[]) {
-VMSTATE_STRUCT_ARRAY(pics, HeathrowPICS, 2, 1,
- vmstate_heathrow_pic_one, HeathrowPIC),
+VMSTATE_STRUCT_ARRAY(pics, HeathrowState, 2, 1,
+ vmstate_heathrow_pic_one, HeathrowPICState),
 VMSTATE_END_OF_LIST()
 }
 };
 
-static void heathrow_pic_reset_one(HeathrowPIC *s)
+static void heathrow_reset(DeviceState *d)
 {
-memset(s, '\0', sizeof(HeathrowPIC));
+HeathrowState *s = HEATHROW(d);

[Qemu-devel] [PATCH v1 0/3] s390x/sclp: 64 bit event masks

2018-02-20 Thread Claudio Imbrenda
Until 67915de9f0383ccf4a ("s390x/event-facility: variable-length event masks")
we only supported 32bit sclp event masks, even though the architecture
allows the guests to set up sclp event masks up to 1021 bytes in length.
With that patch the behaviour was almost compliant, but some issues were
still remaining, in particular regarding the handling of selective reads
and migration.

This patchset fixes migration and the handling of selective reads, and
puts in place the support for 64-bit sclp event masks internally.

A new property of the sclp-event device switches between the 32bit masks
and the compliant behaviour. The property is bound to the machine
version, so older machines keep the old broken behaviour, allowing for
migration, but the default is the compliant implementation.

Fixes: 67915de9f0383ccf4a ("s390x/event-facility: variable-length event masks")

Claudio Imbrenda (3):
  s390x/sclp: proper support of larger send and receive masks
  s390x/sclp: clean up sclp masks
  s390x/sclp: extend SCLP event masks to 64 bits

 hw/char/sclpconsole-lm.c  |   4 +-
 hw/char/sclpconsole.c |   4 +-
 hw/s390x/event-facility.c | 147 +++---
 hw/s390x/s390-virtio-ccw.c|   8 ++-
 hw/s390x/sclpcpu.c|   4 +-
 hw/s390x/sclpquiesce.c|   4 +-
 include/hw/s390x/event-facility.h |  22 +++---
 7 files changed, 149 insertions(+), 44 deletions(-)

-- 
2.7.4




[Qemu-devel] [PATCHv2 07/11] mac_oldworld: use object link to pass heathrow PIC object to macio

2018-02-20 Thread Mark Cave-Ayland
Also switch macio_oldworld_realize() over to use it rather than using the pic_mem
memory region directly.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
---
 hw/misc/macio/macio.c | 14 ++
 hw/ppc/mac_oldworld.c |  8 +---
 include/hw/misc/macio/macio.h |  2 ++
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 4e502ede2e..d4c1d190c4 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -31,6 +31,7 @@
 #include "hw/ppc/mac_dbdma.h"
 #include "hw/char/escc.h"
 #include "hw/misc/macio/macio.h"
+#include "hw/intc/heathrow_pic.h"
 
 /*
  * The mac-io has two interfaces to the ESCC. One is called "escc-legacy",
@@ -167,10 +168,10 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_mmio_get_region(sysbus_dev, 0));
 pmac_format_nvram_partition(>nvram, os->nvram.size);
 
-if (s->pic_mem) {
-/* Heathrow PIC */
-memory_region_add_subregion(>bar, 0x0, s->pic_mem);
-}
+/* Heathrow PIC */
+sysbus_dev = SYS_BUS_DEVICE(os->pic);
+memory_region_add_subregion(>bar, 0x0,
+sysbus_mmio_get_region(sysbus_dev, 0));
 
 /* IDE buses */
 for (i = 0; i < ARRAY_SIZE(os->ide); i++) {
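Review bot: replacing the `if (s->pic_mem)` guard with an unconditional `+sysbus_dev = SYS_BUS_DEVICE(os->pic);` means a board that realizes the macio without setting the "pic" link now dereferences a NULL pointer in sysbus_mmio_get_region() instead of simply omitting the PIC region. Add a check at the top of realize that reports via error_setg(errp, ...) and returns when os->pic is NULL; the same applies to the macio_newworld_realize() hunk in 09/11, which does the same with ns->pic.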
@@ -208,6 +209,11 @@ static void macio_oldworld_init(Object *obj)
 
 qdev_init_gpio_out(DEVICE(obj), os->irqs, ARRAY_SIZE(os->irqs));
 
+object_property_add_link(obj, "pic", TYPE_HEATHROW,
+ (Object **) >pic,
+ qdev_prop_allow_set_link_before_realize,
+ 0, NULL);
+
 object_initialize(>nvram, sizeof(os->nvram), TYPE_MACIO_NVRAM);
 dev = DEVICE(>nvram);
 qdev_prop_set_uint32(dev, "size", 0x2000);
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 5903ff47d3..3ac5b19073 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -93,7 +93,7 @@ static void ppc_heathrow_init(MachineState *machine)
 uint32_t kernel_base, initrd_base, cmdline_base = 0;
 int32_t kernel_size, initrd_size;
 PCIBus *pci_bus;
-PCIDevice *macio;
+OldWorldMacIOState *macio;
 MACIOIDEState *macio_ide;
 DeviceState *dev, *pic_dev;
 SysBusDevice *sbd;
@@ -271,7 +271,7 @@ static void ppc_heathrow_init(MachineState *machine)
 ide_drive_get(hd, ARRAY_SIZE(hd));
 
 /* MacIO */
-macio = pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO);
+macio = OLDWORLD_MACIO(pci_create(pci_bus, -1, TYPE_OLDWORLD_MACIO));
 dev = DEVICE(macio);
 qdev_connect_gpio_out(dev, 0, pic[0x12]); /* CUDA */
 qdev_connect_gpio_out(dev, 1, pic[0x10]); /* ESCC-B */
@@ -281,8 +281,10 @@ static void ppc_heathrow_init(MachineState *machine)
 qdev_connect_gpio_out(dev, 5, pic[0x0E]); /* IDE-1 */
 qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE-1 DMA */
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
+object_property_set_link(OBJECT(macio), OBJECT(pic_dev), "pic",
+ _abort);
 sbd = SYS_BUS_DEVICE(pic_dev);
-macio_init(macio, sysbus_mmio_get_region(sbd, 0));
+macio_init(PCI_DEVICE(macio), sysbus_mmio_get_region(sbd, 0));
 
 macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
 "ide[0]"));
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
index e1e249f898..843c114c07 100644
--- a/include/hw/misc/macio/macio.h
+++ b/include/hw/misc/macio/macio.h
@@ -26,6 +26,7 @@
 #ifndef MACIO_H
 #define MACIO_H
 
+#include "hw/intc/heathrow_pic.h"
 #include "hw/misc/macio/cuda.h"
 #include "hw/ppc/mac_dbdma.h"
 
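Review bot: the new #include "hw/intc/heathrow_pic.h" pulls the whole PIC header into every file that includes macio.h, while this header only needs the pointer type for the HeathrowState *pic member added in the next hunk; a forward declaration of HeathrowState would do here, with the real include moved into macio.c where TYPE_HEATHROW is referenced.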
@@ -54,6 +55,7 @@ typedef struct OldWorldMacIOState {
 MacIOState parent_obj;
 /*< public >*/
 
+HeathrowState *pic;
 qemu_irq irqs[7];
 
 MacIONVRAMState nvram;
-- 
2.11.0




[Qemu-devel] [PATCHv2 06/11] macio: move macio related structures and defines into separate macio.h file

2018-02-20 Thread Mark Cave-Ayland
Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
---
 hw/misc/macio/macio.c | 43 +
 hw/ppc/mac.h  |  3 --
 hw/ppc/mac_newworld.c |  1 +
 hw/ppc/mac_oldworld.c |  1 +
 include/hw/misc/macio/macio.h | 75 +++
 5 files changed, 78 insertions(+), 45 deletions(-)
 create mode 100644 include/hw/misc/macio/macio.h

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 1c10d8a1d7..4e502ede2e 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -30,48 +30,7 @@
 #include "hw/pci/pci.h"
 #include "hw/ppc/mac_dbdma.h"
 #include "hw/char/escc.h"
-
-#define TYPE_MACIO "macio"
-#define MACIO(obj) OBJECT_CHECK(MacIOState, (obj), TYPE_MACIO)
-
-typedef struct MacIOState
-{
-/*< private >*/
-PCIDevice parent;
-/*< public >*/
-
-MemoryRegion bar;
-CUDAState cuda;
-DBDMAState dbdma;
-ESCCState escc;
-MemoryRegion *pic_mem;
-uint64_t frequency;
-} MacIOState;
-
-#define OLDWORLD_MACIO(obj) \
-OBJECT_CHECK(OldWorldMacIOState, (obj), TYPE_OLDWORLD_MACIO)
-
-typedef struct OldWorldMacIOState {
-/*< private >*/
-MacIOState parent_obj;
-/*< public >*/
-
-qemu_irq irqs[7];
-
-MacIONVRAMState nvram;
-MACIOIDEState ide[2];
-} OldWorldMacIOState;
-
-#define NEWWORLD_MACIO(obj) \
-OBJECT_CHECK(NewWorldMacIOState, (obj), TYPE_NEWWORLD_MACIO)
-
-typedef struct NewWorldMacIOState {
-/*< private >*/
-MacIOState parent_obj;
-/*< public >*/
-qemu_irq irqs[7];
-MACIOIDEState ide[2];
-} NewWorldMacIOState;
+#include "hw/misc/macio/macio.h"
 
 /*
  * The mac-io has two interfaces to the ESCC. One is called "escc-legacy",
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 5b5fffdff3..a02f797598 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -47,9 +47,6 @@
 
 
 /* MacIO */
-#define TYPE_OLDWORLD_MACIO "macio-oldworld"
-#define TYPE_NEWWORLD_MACIO "macio-newworld"
-
 #define TYPE_MACIO_IDE "macio-ide"
 #define MACIO_IDE(obj) OBJECT_CHECK(MACIOIDEState, (obj), TYPE_MACIO_IDE)
 
diff --git a/hw/ppc/mac_newworld.c b/hw/ppc/mac_newworld.c
index 5e82158759..396216954e 100644
--- a/hw/ppc/mac_newworld.c
+++ b/hw/ppc/mac_newworld.c
@@ -60,6 +60,7 @@
 #include "hw/boards.h"
 #include "hw/nvram/fw_cfg.h"
 #include "hw/char/escc.h"
+#include "hw/misc/macio/macio.h"
 #include "hw/ppc/openpic.h"
 #include "hw/ide.h"
 #include "hw/loader.h"
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 06a61220cb..5903ff47d3 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -37,6 +37,7 @@
 #include "hw/boards.h"
 #include "hw/nvram/fw_cfg.h"
 #include "hw/char/escc.h"
+#include "hw/misc/macio/macio.h"
 #include "hw/ide.h"
 #include "hw/loader.h"
 #include "elf.h"
diff --git a/include/hw/misc/macio/macio.h b/include/hw/misc/macio/macio.h
new file mode 100644
index 00..e1e249f898
--- /dev/null
+++ b/include/hw/misc/macio/macio.h
@@ -0,0 +1,75 @@
+/*
+ * PowerMac MacIO device emulation
+ *
+ * Copyright (c) 2005-2007 Fabrice Bellard
+ * Copyright (c) 2007 Jocelyn Mayer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef MACIO_H
+#define MACIO_H
+
+#include "hw/misc/macio/cuda.h"
+#include "hw/ppc/mac_dbdma.h"
+
+#define TYPE_MACIO "macio"
+#define MACIO(obj) OBJECT_CHECK(MacIOState, (obj), TYPE_MACIO)
+
+typedef struct MacIOState {
+/*< private >*/
+PCIDevice parent;
+/*< public >*/
+
+MemoryRegion bar;
+CUDAState cuda;
+DBDMAState dbdma;
+ESCCState escc;
+MemoryRegion *pic_mem;
+uint64_t frequency;
+} MacIOState;
+
+#define TYPE_OLDWORLD_MACIO "macio-oldworld"
+#define OLDWORLD_MACIO(obj) \
+OBJECT_CHECK(OldWorldMacIOState, (obj), TYPE_OLDWORLD_MACIO)
+
+typedef struct OldWorldMacIOState {
+/*< private >*/
+MacIOState parent_obj;
+/*< public >*/
+
+qemu_irq irqs[7];
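Review bot: the new header is not self-contained: MacIOState uses PCIDevice and ESCCState, and the OldWorld struct being moved in from macio.c uses MacIONVRAMState and MACIOIDEState, but the only includes are hw/misc/macio/cuda.h and hw/ppc/mac_dbdma.h, so it compiles only when the including file has already pulled in hw/pci/pci.h, hw/char/escc.h and hw/ppc/mac.h (which is why macio.c above includes it last). Add those includes here so the header does not depend on include order.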

[Qemu-devel] [PATCHv2 05/11] heathrow: change heathrow_pic_init() to return the heathrow device

2018-02-20 Thread Mark Cave-Ayland
This enables the device to be made available during the setup of the Old World
machine. In order to pass back the previous set of IRQs we temporarily introduce
a new pic_irqs parameter until it can be removed.

An additional benefit of this change is that it is also possible to remove the
pic_mem pointer used for macio by accessing the memory region via sysbus.

Signed-off-by: Mark Cave-Ayland 
Reviewed-by: David Gibson 
---
 hw/intc/heathrow_pic.c | 10 ++
 hw/ppc/mac.h   |  4 ++--
 hw/ppc/mac_oldworld.c  |  9 +
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/hw/intc/heathrow_pic.c b/hw/intc/heathrow_pic.c
index 5fd2b33a12..393fdd7326 100644
--- a/hw/intc/heathrow_pic.c
+++ b/hw/intc/heathrow_pic.c
@@ -170,13 +170,15 @@ static void heathrow_reset(DeviceState *d)
 static void heathrow_init(Object *obj)
 {
 HeathrowState *s = HEATHROW(obj);
+SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 
 memory_region_init_io(>mem, OBJECT(s), _ops, s,
   "heathrow-pic", 0x1000);
+sysbus_init_mmio(sbd, >mem);
 }
 
-qemu_irq *heathrow_pic_init(MemoryRegion **pmem,
-int nb_cpus, qemu_irq **irqs)
+DeviceState *heathrow_pic_init(int nb_cpus, qemu_irq **irqs,
+   qemu_irq **pic_irqs)
 {
 DeviceState *d;
 HeathrowState *s;
@@ -188,9 +190,9 @@ qemu_irq *heathrow_pic_init(MemoryRegion **pmem,
 /* only 1 CPU */
 s->irqs = irqs[0];
 
-*pmem = >mem;
+*pic_irqs = qemu_allocate_irqs(heathrow_set_irq, s, HEATHROW_NUM_IRQS);
 
-return qemu_allocate_irqs(heathrow_set_irq, s, HEATHROW_NUM_IRQS);
+return d;
 }
 
 static void heathrow_class_init(ObjectClass *oc, void *data)
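Review bot: *pic_irqs is written unconditionally, so passing NULL crashes here; since the commit message presents the parameter as temporary, add an assert(pic_irqs) at the top of heathrow_pic_init() or state in the mac.h prototype that it is a mandatory output parameter.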
diff --git a/hw/ppc/mac.h b/hw/ppc/mac.h
index 261b519aa5..5b5fffdff3 100644
--- a/hw/ppc/mac.h
+++ b/hw/ppc/mac.h
@@ -79,8 +79,8 @@ void macio_init(PCIDevice *dev,
 MemoryRegion *pic_mem);
 
 /* Heathrow PIC */
-qemu_irq *heathrow_pic_init(MemoryRegion **pmem,
-int nb_cpus, qemu_irq **irqs);
+DeviceState *heathrow_pic_init(int nb_cpus, qemu_irq **irqs,
+   qemu_irq **pic_irqs);
 
 /* Grackle PCI */
 #define TYPE_GRACKLE_PCI_HOST_BRIDGE "grackle-pcihost"
diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
index 4401ce5af2..06a61220cb 100644
--- a/hw/ppc/mac_oldworld.c
+++ b/hw/ppc/mac_oldworld.c
@@ -94,11 +94,11 @@ static void ppc_heathrow_init(MachineState *machine)
 PCIBus *pci_bus;
 PCIDevice *macio;
 MACIOIDEState *macio_ide;
-DeviceState *dev;
+DeviceState *dev, *pic_dev;
+SysBusDevice *sbd;
 BusState *adb_bus;
 int bios_size, ndrv_size;
 uint8_t *ndrv_file;
-MemoryRegion *pic_mem;
 uint16_t ppc_boot_device;
 DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
 void *fw_cfg;
@@ -257,7 +257,7 @@ static void ppc_heathrow_init(MachineState *machine)
 error_report("Only 6xx bus is supported on heathrow machine");
 exit(1);
 }
-pic = heathrow_pic_init(_mem, 1, heathrow_irqs);
+pic_dev = heathrow_pic_init(1, heathrow_irqs, );
 pci_bus = pci_grackle_init(0xfec0, pic,
get_system_memory(),
get_system_io());
@@ -280,7 +280,8 @@ static void ppc_heathrow_init(MachineState *machine)
 qdev_connect_gpio_out(dev, 5, pic[0x0E]); /* IDE-1 */
 qdev_connect_gpio_out(dev, 6, pic[0x03]); /* IDE-1 DMA */
 qdev_prop_set_uint64(dev, "frequency", tbfreq);
-macio_init(macio, pic_mem);
+sbd = SYS_BUS_DEVICE(pic_dev);
+macio_init(macio, sysbus_mmio_get_region(sbd, 0));
 
 macio_ide = MACIO_IDE(object_resolve_path_component(OBJECT(macio),
 "ide[0]"));
-- 
2.11.0




[Qemu-devel] [PATCHv2 08/11] openpic: move OpenPIC state and related definitions to openpic.h

2018-02-20 Thread Mark Cave-Ayland
This is to facilitate access to OpenPICState when wiring up the PIC to the macio
controller.

Signed-off-by: Mark Cave-Ayland 
---
 hw/intc/openpic.c| 157 --
 include/hw/ppc/openpic.h | 160 ++-
 2 files changed, 159 insertions(+), 158 deletions(-)

diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
index 9159a06f07..811cee9b26 100644
--- a/hw/intc/openpic.c
+++ b/hw/intc/openpic.c
@@ -63,10 +63,6 @@ static int get_current_cpu(void);
 } \
 } while (0)
 
-#define MAX_CPU 32
-#define MAX_MSI 8
-#define VID 0x03 /* MPIC version ID */
-
 /* OpenPIC capability flags */
 #define OPENPIC_FLAG_IDR_CRIT (1 << 0)
 #define OPENPIC_FLAG_ILR  (2 << 0)
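Review bot: MAX_CPU, MAX_MSI and VID are very generic names to export from include/hw/ppc/openpic.h, and once board code includes that header to reach OpenPICState they can clash with other definitions; give them an OPENPIC_ prefix as part of the move, and keep the definition ahead of OPENPIC_CPU_REG_SIZE, which still expands MAX_CPU in the context line below.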
@@ -85,35 +81,6 @@ static int get_current_cpu(void);
 #define OPENPIC_CPU_REG_START0x2
 #define OPENPIC_CPU_REG_SIZE 0x100 + ((MAX_CPU - 1) * 0x1000)
 
-/* Raven */
-#define RAVEN_MAX_CPU  2
-#define RAVEN_MAX_EXT 48
-#define RAVEN_MAX_IRQ 64
-#define RAVEN_MAX_TMR  OPENPIC_MAX_TMR
-#define RAVEN_MAX_IPI  OPENPIC_MAX_IPI
-
-/* KeyLargo */
-#define KEYLARGO_MAX_CPU  4
-#define KEYLARGO_MAX_EXT  64
-#define KEYLARGO_MAX_IPI  4
-#define KEYLARGO_MAX_IRQ  (64 + KEYLARGO_MAX_IPI)
-#define KEYLARGO_MAX_TMR  0
-#define KEYLARGO_IPI_IRQ  (KEYLARGO_MAX_EXT) /* First IPI IRQ */
-/* Timers don't exist but this makes the code happy... */
-#define KEYLARGO_TMR_IRQ  (KEYLARGO_IPI_IRQ + KEYLARGO_MAX_IPI)
-
-/* Interrupt definitions */
-#define RAVEN_FE_IRQ (RAVEN_MAX_EXT) /* Internal functional IRQ */
-#define RAVEN_ERR_IRQ(RAVEN_MAX_EXT + 1) /* Error IRQ */
-#define RAVEN_TMR_IRQ(RAVEN_MAX_EXT + 2) /* First timer IRQ */
-#define RAVEN_IPI_IRQ(RAVEN_TMR_IRQ + RAVEN_MAX_TMR) /* First IPI IRQ */
-/* First doorbell IRQ */
-#define RAVEN_DBL_IRQ(RAVEN_IPI_IRQ + (RAVEN_MAX_CPU * RAVEN_MAX_IPI))
-
-typedef struct FslMpicInfo {
-int max_ext;
-} FslMpicInfo;
-
 static FslMpicInfo fsl_mpic_20 = {
 .max_ext = 12,
 };
@@ -211,55 +178,6 @@ static void openpic_cpu_write_internal(void *opaque, 
hwaddr addr,
uint32_t val, int idx);
 static void openpic_reset(DeviceState *d);
 
-typedef enum IRQType {
-IRQ_TYPE_NORMAL = 0,
-IRQ_TYPE_FSLINT,/* FSL internal interrupt -- level only */
-IRQ_TYPE_FSLSPECIAL,/* FSL timer/IPI interrupt, edge, no polarity */
-} IRQType;
-
-/* Round up to the nearest 64 IRQs so that the queue length
- * won't change when moving between 32 and 64 bit hosts.
- */
-#define IRQQUEUE_SIZE_BITS ((OPENPIC_MAX_IRQ + 63) & ~63)
-
-typedef struct IRQQueue {
-unsigned long *queue;
-int32_t queue_size; /* Only used for VMSTATE_BITMAP */
-int next;
-int priority;
-} IRQQueue;
-
-typedef struct IRQSource {
-uint32_t ivpr;  /* IRQ vector/priority register */
-uint32_t idr;   /* IRQ destination register */
-uint32_t destmask; /* bitmap of CPU destinations */
-int last_cpu;
-int output; /* IRQ level, e.g. OPENPIC_OUTPUT_INT */
-int pending;/* TRUE if IRQ is pending */
-IRQType type;
-bool level:1;   /* level-triggered */
-bool nomask:1;  /* critical interrupts ignore mask on some FSL MPICs */
-} IRQSource;
-
-#define IVPR_MASK_SHIFT   31
-#define IVPR_MASK_MASK(1U << IVPR_MASK_SHIFT)
-#define IVPR_ACTIVITY_SHIFT   30
-#define IVPR_ACTIVITY_MASK(1U << IVPR_ACTIVITY_SHIFT)
-#define IVPR_MODE_SHIFT   29
-#define IVPR_MODE_MASK(1U << IVPR_MODE_SHIFT)
-#define IVPR_POLARITY_SHIFT   23
-#define IVPR_POLARITY_MASK(1U << IVPR_POLARITY_SHIFT)
-#define IVPR_SENSE_SHIFT  22
-#define IVPR_SENSE_MASK   (1U << IVPR_SENSE_SHIFT)
-
-#define IVPR_PRIORITY_MASK (0xFU << 16)
-#define IVPR_PRIORITY(_ivprr_) ((int)(((_ivprr_) & IVPR_PRIORITY_MASK) >> 16))
-#define IVPR_VECTOR(opp, _ivprr_) ((_ivprr_) & (opp)->vector_mask)
-
-/* IDR[EP/CI] are only for FSL MPIC prior to v4.0 */
-#define IDR_EP  0x8000  /* external pin */
-#define IDR_CI  0x4000  /* critical interrupt */
-
 /* Convert between openpic clock ticks and nanosecs.  In the hardware the clock
frequency is driven by board inputs to the PIC which the PIC would then
divide by 4 or 8.  For now hard code to 25MZ.
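Review bot: IRQType, IRQQueue and IRQSource, together with IDR_EP and IDR_CI, are likewise unprefixed names that every includer of openpic.h will now see; if they must travel with OpenPICState, prefix them (OpenPICIRQSource and so on), otherwise keep these internals in openpic.c and export only what the macio wiring needs.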
@@ -275,81 +193,6 @@ static inline uint64_t ticks_to_ns(uint64_t ticks)
 return ticks * OPENPIC_TIMER_NS_PER_TICK;
 }
 
-typedef struct OpenPICTimer {
-uint32_t tccr;  /* Global timer current count register */
-uint32_t tbcr;  /* Global timer base count register */
-int   n_IRQ;
-bool  qemu_timer_active; /* Is the qemu_timer is running? 
*/
-struct QEMUTimer *qemu_timer;
-struct OpenPICState  *opp;  /* Device timer is part of. */
-/* The QEMU_CLOCK_VIRTUAL time (in ns) corresponding to the last
-   current_count written or read, only defined if 

[Qemu-devel] [PATCHv2 00/11] macio: remove legacy macio_init() function

2018-02-20 Thread Mark Cave-Ayland
This patchset eliminates the legacy macio_init() function used to setup the
ESCC and PIC memory regions and instead allows the macio device to be
instantiated directly via qdev, wiring up the ESCC internally using sysbus MMIO
memory regions and the PIC via QOM object links.

The biggest surprise in this patchset was the need to QOMify the heathrow
device which apparently up until now has never required any of these new-fangled
APIs from the last decade such as qdev and QOM.

There's still some follow-up work to do with the PCI host bridge wiring but it
seems to me that this is a good preparation step.

Signed-off-by: Mark Cave-Ayland 

v2:
- Rebase onto master
- Add R-B tags from David
- Rework patch 4 ("heathrow: convert to trace-events") as suggested by David


Mark Cave-Ayland (11):
  macio: embed DBDMA device directly within macio
  macio: move ESCC device within the macio device
  heathrow: QOMify heathrow PIC
  heathrow: convert to trace-events
  heathrow: change heathrow_pic_init() to return the heathrow device
  macio: move macio related structures and defines into separate macio.h
file
  mac_oldworld: use object link to pass heathrow PIC object to macio
  openpic: move OpenPIC state and related definitions to openpic.h
  mac_newworld: use object link to pass OpenPIC object to macio
  macio: move setting of CUDA timebase frequency to
macio_common_realize()
  macio: remove macio_init() function

 hw/intc/heathrow_pic.c | 166 +
 hw/intc/openpic.c  | 157 --
 hw/intc/trace-events   |   5 ++
 hw/misc/macio/macio.c  | 150 +
 hw/ppc/mac.h   |  10 +--
 hw/ppc/mac_newworld.c  |  56 +-
 hw/ppc/mac_oldworld.c  |  50 +
 include/hw/intc/heathrow_pic.h |  49 
 include/hw/misc/macio/macio.h  |  79 
 include/hw/ppc/openpic.h   | 160 ++-
 10 files changed, 486 insertions(+), 396 deletions(-)
 create mode 100644 include/hw/intc/heathrow_pic.h
 create mode 100644 include/hw/misc/macio/macio.h

-- 
2.11.0




[Qemu-devel] [PATCHv2 01/11] macio: embed DBDMA device directly within macio

2018-02-20 Thread Mark Cave-Ayland
The current recommendation is to embed subdevices directly within their container
device, so do this for the DBDMA device.

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/macio.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 024f8557ab..7174135c8b 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -42,7 +42,7 @@ typedef struct MacIOState
 
 MemoryRegion bar;
 CUDAState cuda;
-DBDMAState *dbdma;
+DBDMAState dbdma;
 MemoryRegion *pic_mem;
 MemoryRegion *escc_mem;
 uint64_t frequency;
@@ -129,12 +129,12 @@ static void macio_common_realize(PCIDevice *d, Error 
**errp)
 SysBusDevice *sysbus_dev;
 Error *err = NULL;
 
-object_property_set_bool(OBJECT(s->dbdma), true, "realized", );
+object_property_set_bool(OBJECT(>dbdma), true, "realized", );
 if (err) {
 error_propagate(errp, err);
 return;
 }
-sysbus_dev = SYS_BUS_DEVICE(s->dbdma);
+sysbus_dev = SYS_BUS_DEVICE(>dbdma);
 memory_region_add_subregion(>bar, 0x08000,
 sysbus_mmio_get_region(sysbus_dev, 0));
 
@@ -161,7 +161,7 @@ static void macio_realize_ide(MacIOState *s, MACIOIDEState 
*ide,
 sysbus_connect_irq(sysbus_dev, 0, irq0);
 sysbus_connect_irq(sysbus_dev, 1, irq1);
 qdev_prop_set_uint32(DEVICE(ide), "channel", dmaid);
-object_property_set_link(OBJECT(ide), OBJECT(s->dbdma), "dbdma", errp);
+object_property_set_link(OBJECT(ide), OBJECT(>dbdma), "dbdma", errp);
 macio_ide_register_dma(ide);
 
 object_property_set_bool(OBJECT(ide), true, "realized", errp);
@@ -344,8 +344,9 @@ static void macio_instance_init(Object *obj)
 qdev_set_parent_bus(DEVICE(>cuda), sysbus_get_default());
 object_property_add_child(obj, "cuda", OBJECT(>cuda), NULL);
 
-s->dbdma = MAC_DBDMA(object_new(TYPE_MAC_DBDMA));
-object_property_add_child(obj, "dbdma", OBJECT(s->dbdma), NULL);
+object_initialize(>dbdma, sizeof(s->dbdma), TYPE_MAC_DBDMA);
+qdev_set_parent_bus(DEVICE(>dbdma), sysbus_get_default());
+object_property_add_child(obj, "dbdma", OBJECT(>dbdma), NULL);
 }
 
 static const VMStateDescription vmstate_macio_oldworld = {
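Review bot: after object_initialize(&s->dbdma, ...) the embedded object holds its initial reference, and object_property_add_child() takes a second one, so the child now carries two references with nothing dropping the first; add object_unref(OBJECT(&s->dbdma)) after object_property_add_child() so that the parent's child property owns the only reference, and check that the cuda child a few lines up follows the same convention.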
-- 
2.11.0




[Qemu-devel] [PATCHv2 02/11] macio: move ESCC device within the macio device

2018-02-20 Thread Mark Cave-Ayland
Now that the ESCC device is instantiated directly via qdev, move it to within
the macio device and wire up the IRQs and memory regions using the sysbus API.

This makes it possible to remove the now-obsolete escc_mem parameter of the macio_init()
function.

(Note this patch also contains small touch-ups to the formatting in
macio_escc_legacy_setup() and ppc_heathrow_init() in order to keep checkpatch
happy)

Signed-off-by: Mark Cave-Ayland 
---
 hw/misc/macio/macio.c | 60 ---
 hw/ppc/mac.h  |  3 +--
 hw/ppc/mac_newworld.c | 37 ---
 hw/ppc/mac_oldworld.c | 38 +---
 4 files changed, 63 insertions(+), 75 deletions(-)

diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
index 7174135c8b..1c10d8a1d7 100644
--- a/hw/misc/macio/macio.c
+++ b/hw/misc/macio/macio.c
@@ -43,8 +43,8 @@ typedef struct MacIOState
 MemoryRegion bar;
 CUDAState cuda;
 DBDMAState dbdma;
+ESCCState escc;
 MemoryRegion *pic_mem;
-MemoryRegion *escc_mem;
 uint64_t frequency;
 } MacIOState;
 
@@ -56,7 +56,7 @@ typedef struct OldWorldMacIOState {
 MacIOState parent_obj;
 /*< public >*/
 
-qemu_irq irqs[5];
+qemu_irq irqs[7];
 
 MacIONVRAMState nvram;
 MACIOIDEState ide[2];
@@ -69,7 +69,7 @@ typedef struct NewWorldMacIOState {
 /*< private >*/
 MacIOState parent_obj;
 /*< public >*/
-qemu_irq irqs[5];
+qemu_irq irqs[7];
 MACIOIDEState ide[2];
 } NewWorldMacIOState;
 
@@ -84,10 +84,12 @@ typedef struct NewWorldMacIOState {
  *
  * Reference: 
ftp://ftp.software.ibm.com/rs6000/technology/spec/chrp/inwork/CHRP_IORef_1.0.pdf
  */
-static void macio_escc_legacy_setup(MacIOState *macio_state)
+static void macio_escc_legacy_setup(MacIOState *s)
 {
+ESCCState *escc = ESCC(>escc);
+SysBusDevice *sbd = SYS_BUS_DEVICE(escc);
 MemoryRegion *escc_legacy = g_new(MemoryRegion, 1);
-MemoryRegion *bar = _state->bar;
+MemoryRegion *bar = >bar;
 int i;
 static const int maps[] = {
 0x00, 0x00, /* Command B */
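Review bot: ESCCState *escc = ESCC(&s->escc) is a runtime type check on a member whose static type is already ESCCState, so it can never fail and only costs a QOM cast; SysBusDevice *sbd = SYS_BUS_DEVICE(&s->escc) is enough, here and in macio_bar_setup() in the next hunk.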
@@ -102,25 +104,26 @@ static void macio_escc_legacy_setup(MacIOState 
*macio_state)
 0xb0, 0xb0, /* Detect AB */
 };
 
-memory_region_init(escc_legacy, OBJECT(macio_state), "escc-legacy", 256);
+memory_region_init(escc_legacy, OBJECT(s), "escc-legacy", 256);
 for (i = 0; i < ARRAY_SIZE(maps); i += 2) {
 MemoryRegion *port = g_new(MemoryRegion, 1);
-memory_region_init_alias(port, OBJECT(macio_state), "escc-legacy-port",
- macio_state->escc_mem, maps[i+1], 0x2);
+memory_region_init_alias(port, OBJECT(s), "escc-legacy-port",
+ sysbus_mmio_get_region(sbd, 0),
+ maps[i + 1], 0x2);
 memory_region_add_subregion(escc_legacy, maps[i], port);
 }
 
 memory_region_add_subregion(bar, 0x12000, escc_legacy);
 }
 
-static void macio_bar_setup(MacIOState *macio_state)
+static void macio_bar_setup(MacIOState *s)
 {
-MemoryRegion *bar = _state->bar;
+ESCCState *escc = ESCC(>escc);
+SysBusDevice *sbd = SYS_BUS_DEVICE(escc);
+MemoryRegion *bar = >bar;
 
-if (macio_state->escc_mem) {
-memory_region_add_subregion(bar, 0x13000, macio_state->escc_mem);
-macio_escc_legacy_setup(macio_state);
-}
+memory_region_add_subregion(bar, 0x13000, sysbus_mmio_get_region(sbd, 0));
+macio_escc_legacy_setup(s);
 }
 
 static void macio_common_realize(PCIDevice *d, Error **errp)
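Review bot: dropping the if (macio_state->escc_mem) guard makes the ESCC mapping at 0x13000 and the legacy aliases at 0x12000 unconditional, which is right now that the ESCC is embedded; while touching this, the escc_legacy region and the per-port MemoryRegions still come from g_new() and are never freed, and since this series embeds everything else in MacIOState they could become members too.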
@@ -147,6 +150,12 @@ static void macio_common_realize(PCIDevice *d, Error 
**errp)
 memory_region_add_subregion(>bar, 0x16000,
 sysbus_mmio_get_region(sysbus_dev, 0));
 
+object_property_set_bool(OBJECT(>escc), true, "realized", );
+if (err) {
+error_propagate(errp, err);
+return;
+}
+
 macio_bar_setup(s);
 pci_register_bar(d, 0, PCI_BASE_ADDRESS_SPACE_MEMORY, >bar);
 }
@@ -185,6 +194,10 @@ static void macio_oldworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_dev = SYS_BUS_DEVICE(>cuda);
 sysbus_connect_irq(sysbus_dev, 0, os->irqs[cur_irq++]);
 
+sysbus_dev = SYS_BUS_DEVICE(>escc);
+sysbus_connect_irq(sysbus_dev, 0, os->irqs[cur_irq++]);
+sysbus_connect_irq(sysbus_dev, 1, os->irqs[cur_irq++]);
+
 object_property_set_bool(OBJECT(>nvram), true, "realized", );
 if (err) {
 error_propagate(errp, err);
@@ -297,6 +310,10 @@ static void macio_newworld_realize(PCIDevice *d, Error 
**errp)
 sysbus_dev = SYS_BUS_DEVICE(>cuda);
 sysbus_connect_irq(sysbus_dev, 0, ns->irqs[cur_irq++]);
 
+sysbus_dev = SYS_BUS_DEVICE(>escc);
+sysbus_connect_irq(sysbus_dev, 0, ns->irqs[cur_irq++]);
+sysbus_connect_irq(sysbus_dev, 1, ns->irqs[cur_irq++]);
+
 if (s->pic_mem) {
 /* OpenPIC */
 memory_region_add_subregion(>bar, 0x4, s->pic_mem);
@@ -347,6 

Re: [Qemu-devel] [PATCH v2 7/8] net: Add a new convenience option "--nic" to configure default/on-board NICs

2018-02-20 Thread Paolo Bonzini
On 20/02/2018 18:40, Thomas Huth wrote:
> The legacy "-net" option can be quite confusing for the users since most
> people do not expect to get a "vlan" hub between their emulated guest
> hardware and the host backend. But so far, we are also not able to get
> rid of "-net" completely, since it is the only way to configure on-board
> NICs that can not be instantiated via "-device" yet. It's also a little
> bit shorter to type "-net nic -net tap" instead of "-device xyz,netdev=n1
> -netdev tap,id=n1".
> 
> So what we need is a new convenience option that is shorter to type than
> the full -device + -netdev stuff, and which can be used to configure the
> on-board NICs that can not be handled via -device yet. Thus this patch now
> provides such a new option "--nic": It adds an entry in the nd_table to
> configure a on-board / default NIC, creates a host backend and connects
> the two directly, without a confusing "vlan" hub inbetween.
> 
> Signed-off-by: Thomas Huth 

Yay!

Reviewed-by: Paolo Bonzini 

Paolo

> ---
>  include/sysemu/sysemu.h |  1 +
>  net/net.c   | 78 
> +
>  qemu-options.hx | 40 +
>  vl.c|  7 +
>  4 files changed, 120 insertions(+), 6 deletions(-)
> 
> diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
> index 77bb3da..66f0761 100644
> --- a/include/sysemu/sysemu.h
> +++ b/include/sysemu/sysemu.h
> @@ -197,6 +197,7 @@ extern QemuOptsList bdrv_runtime_opts;
>  extern QemuOptsList qemu_chardev_opts;
>  extern QemuOptsList qemu_device_opts;
>  extern QemuOptsList qemu_netdev_opts;
> +extern QemuOptsList qemu_nic_opts;
>  extern QemuOptsList qemu_net_opts;
>  extern QemuOptsList qemu_global_opts;
>  extern QemuOptsList qemu_mon_opts;
> diff --git a/net/net.c b/net/net.c
> index 2d05808..0bab269 100644
> --- a/net/net.c
> +++ b/net/net.c
> @@ -1462,6 +1462,67 @@ static int net_init_netdev(void *dummy, QemuOpts 
> *opts, Error **errp)
>  return net_client_init(opts, true, errp);
>  }
>  
> +/* For the convenience "--nic" parameter */
> +static int net_param_nic(void *dummy, QemuOpts *opts, Error **errp)
> +{
> +char *mac, *nd_id;
> +int idx, ret;
> +NICInfo *ni;
> +const char *type;
> +
> +type = qemu_opt_get(opts, "type");
> +if (type && g_str_equal(type, "none")) {
> +return 0;/* Nothing to do, default_net is cleared in vl.c */
> +}
> +
> +idx = nic_get_free_idx();
> +if (idx == -1 || nb_nics >= MAX_NICS) {
> +error_setg(errp, "no more on-board/default NIC slots available");
> +return -1;
> +}
> +
> +if (!type) {
> +qemu_opt_set(opts, "type", "user", _abort);
> +}
> +
> +ni = _table[idx];
> +memset(ni, 0, sizeof(*ni));
> +ni->model = qemu_opt_get_del(opts, "model");
> +
> +/* Create an ID if the user did not specify one */
> +nd_id = g_strdup(qemu_opts_id(opts));
> +if (!nd_id) {
> +nd_id = g_strdup_printf("__org.qemu.nic%i\n", idx);
> +qemu_opts_set_id(opts, nd_id);
> +}
> +
> +/* Handle MAC address */
> +mac = qemu_opt_get_del(opts, "mac");
> +if (mac) {
> +ret = net_parse_macaddr(ni->macaddr.a, mac);
> +g_free(mac);
> +if (ret) {
> +error_setg(errp, "invalid syntax for ethernet address");
> +return -1;
> +}
> +if (is_multicast_ether_addr(ni->macaddr.a)) {
> +error_setg(errp, "NIC cannot have multicast MAC address");
> +return -1;
> +}
> +}
> +qemu_macaddr_default_if_unset(>macaddr);
> +
> +ret = net_client_init(opts, true, errp);
> +if (ret == 0) {
> +ni->netdev = qemu_find_netdev(nd_id);
> +ni->used = true;
> +nb_nics++;
> +}
> +
> +g_free(nd_id);
> +return ret;
> +}
> +
>  int net_init_clients(Error **errp)
>  {
>  net_change_state_entry =
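Review bot: nd_id = g_strdup_printf("__org.qemu.nic%i\n", idx) embeds a stray newline in the generated ID, so the id registered with qemu_opts_set_id() ends in "\n" and the later qemu_find_netdev(nd_id) lookup only works because both sides carry the same mangled string; drop the "\n". Also, the two MAC-address error returns after ni->model = qemu_opt_get_del(opts, "model") leave the allocated model string in an nd_table slot that is still marked unused, so it leaks and should be g_free()d on those paths.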
> @@ -1474,6 +1535,10 @@ int net_init_clients(Error **errp)
>  return -1;
>  }
>  
> +if (qemu_opts_foreach(qemu_find_opts("nic"), net_param_nic, NULL, errp)) 
> {
> +return -1;
> +}
> +
>  if (qemu_opts_foreach(qemu_find_opts("net"), net_init_client, NULL, 
> errp)) {
>  return -1;
>  }
> @@ -1549,6 +1614,19 @@ QemuOptsList qemu_netdev_opts = {
>  },
>  };
>  
> +QemuOptsList qemu_nic_opts = {
> +.name = "nic",
> +.implied_opt_name = "type",
> +.head = QTAILQ_HEAD_INITIALIZER(qemu_nic_opts.head),
> +.desc = {
> +/*
> + * no elements => accept any params
> + * validation will happen later
> + */
> +{ /* end of list */ }
> +},
> +};
> +
>  QemuOptsList qemu_net_opts = {
>  .name = "net",
>  .implied_opt_name = "type",
> diff --git a/qemu-options.hx b/qemu-options.hx
> index a9249b6..399905e 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -2004,13 +2004,34 @@ DEF("netdev", 

Re: [Qemu-devel] [PATCH v2 8/8] qemu-doc: Make "-net" less prominent

2018-02-20 Thread Paolo Bonzini
On 20/02/2018 18:40, Thomas Huth wrote:
> "-net" is clearly a legacy option. Yet we still use it in almost all
> examples in the qemu documentation, and many other spots in the network
> chapter. We should make it less prominent so that users are not lured into
> using it so often anymore. So instead of starting the network chapter with
> "-net nic" and documenting "-net " below "-netdev "
> everywhere, all the "-net" related documentation is now moved to the end
> of the chapter. And the examples are changed to use the "--device" and
> "--netdev" options instead of "-net nic -net ".

Do we want to change them to "-nic" instead?  The proof is in the
pudding, they say, :) and "-nic" is way easier to learn than "-device
-netdev".

And maybe we *should* go the extra mile and deprecate "-net" altogether.
 The only case where the newer syntax is a bit more uncomfortable is for
"-net nic -net nic -net tap|user", which however does work with "-nic
hubport -nic hubport -netdev tap|user,id=x -netdev hubport,netdev=x".

For now I suggest dropping this patch.

Paolo



Re: [Qemu-devel] [PATCH 0/2] Firmware blob and git submodule for Sam460ex

2018-02-20 Thread Peter Maydell
On 20 February 2018 at 18:10, BALATON Zoltan  wrote:
> I've created a git repo for the Sam460ex u-boot sources and this adds
> that as a submodule and a separate patch to add the binary built from
> these sources. Feel free to keep this as two patches, squash them into
> one patch or take the git repo and commit the content under the QEMU
> repo and use that as a submodule as you see fit (or let me know if any
> changes are needed for these patches).
>
> BALATON Zoltan (2):
>   roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)
>   pc-bios: Added u-boot-sam460 firmware binary

We already have a submodule for u-boot. Is it not possible to
build this bios blob from those upstream u-boot sources?

thanks
-- PMM



Re: [Qemu-devel] [PATCH 2/2] pc-bios: Added u-boot-sam460 firmware binary

2018-02-20 Thread Daniel P . Berrangé
On Tue, Feb 20, 2018 at 06:57:43PM +0100, BALATON Zoltan wrote:
> Signed-off-by: BALATON Zoltan 
> ---
>  Makefile   |   2 +-
>  pc-bios/u-boot-sam460-20100605.bin | Bin 0 -> 524288 bytes
>  2 files changed, 1 insertion(+), 1 deletion(-)
>  create mode 100755 pc-bios/u-boot-sam460-20100605.bin
> 
> diff --git a/Makefile b/Makefile
> index 6434d6c..b0c16b3 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -661,7 +661,7 @@ multiboot.bin linuxboot.bin linuxboot_dma.bin 
> kvmvapic.bin \
>  s390-ccw.img s390-netboot.img \
>  spapr-rtas.bin slof.bin skiboot.lid \
>  palcode-clipper \
> -u-boot.e500 \
> +u-boot.e500 u-boot-sam460-20100605.bin \
>  qemu_vga.ndrv \
>  hppa-firmware.img
>  else
> diff --git a/pc-bios/u-boot-sam460-20100605.bin 
> b/pc-bios/u-boot-sam460-20100605.bin
> new file mode 100755

IIUC, you also need to provide glue in roms/Makefile to build the
u-boot-sam460-20100605.bin from the submodule content. Presumably
you can largely copy what's done for u-boot.e500 there.

Regards,
Daniel
-- 
|: https://berrange.com  -o-  https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org  -o-  https://fstop138.berrange.com :|
|: https://entangle-photo.org  -o-  https://www.instagram.com/dberrange :|



Re: [Qemu-devel] [PATCH 10/19] include/hw/or-irq.h: Add missing include guard

2018-02-20 Thread Philippe Mathieu-Daudé
On 02/20/2018 03:03 PM, Peter Maydell wrote:
> The or-irq.h header file is missing the customary guard against
> multiple inclusion, which means compilation fails if it gets
> included twice. Fix the omission.
> 
> Signed-off-by: Peter Maydell 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  include/hw/or-irq.h | 5 +
>  1 file changed, 5 insertions(+)
> 
> diff --git a/include/hw/or-irq.h b/include/hw/or-irq.h
> index fd900fcf19..3f6fc1b58a 100644
> --- a/include/hw/or-irq.h
> +++ b/include/hw/or-irq.h
> @@ -22,6 +22,9 @@
>   * THE SOFTWARE.
>   */
>  
> +#ifndef HW_OR_IRQ_H
> +#define HW_OR_IRQ_H
> +
>  #include "hw/irq.h"
>  #include "hw/sysbus.h"
>  #include "qom/object.h"
> @@ -41,3 +44,5 @@ struct OrIRQState {
>  bool levels[MAX_OR_LINES];
>  uint16_t num_lines;
>  };
> +
> +#endif
> 



Re: [Qemu-devel] [Qemu-arm] [PATCH 11/19] qdev: Add new qdev_init_gpio_in_named_with_opaque()

2018-02-20 Thread Philippe Mathieu-Daudé
On 02/20/2018 03:03 PM, Peter Maydell wrote:
> The function qdev_init_gpio_in_named() passes the DeviceState pointer
> as the opaque data pointor for the irq handler function.  Usually
> this is what you want, but in some cases it would be helpful to use
> some other data pointer.
> 
> Add a new function qdev_init_gpio_in_named_with_opaque() which allows
> the caller to specify the data pointer they want.
> 
> Signed-off-by: Peter Maydell 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  include/hw/qdev-core.h | 30 --
>  hw/core/qdev.c |  8 +---
>  2 files changed, 33 insertions(+), 5 deletions(-)
> 
> diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
> index fc9d617a76..9453588160 100644
> --- a/include/hw/qdev-core.h
> +++ b/include/hw/qdev-core.h
> @@ -311,10 +311,36 @@ BusState *qdev_get_child_bus(DeviceState *dev, const 
> char *name);
>  /* GPIO inputs also double as IRQ sinks.  */
>  void qdev_init_gpio_in(DeviceState *dev, qemu_irq_handler handler, int n);
>  void qdev_init_gpio_out(DeviceState *dev, qemu_irq *pins, int n);
> -void qdev_init_gpio_in_named(DeviceState *dev, qemu_irq_handler handler,
> - const char *name, int n);
>  void qdev_init_gpio_out_named(DeviceState *dev, qemu_irq *pins,
>const char *name, int n);
> +/**
> + * qdev_init_gpio_in_named_with_opaque: create an array of input GPIO lines
> + *   for the specified device
> + *
> + * @dev: Device to create input GPIOs for
> + * @handler: Function to call when GPIO line value is set
> + * @opaque: Opaque data pointer to pass to @handler
> + * @name: Name of the GPIO input (must be unique for this device)
> + * @n: Number of GPIO lines in this input set
> + */
> +void qdev_init_gpio_in_named_with_opaque(DeviceState *dev,
> + qemu_irq_handler handler,
> + void *opaque,
> + const char *name, int n);
> +
> +/**
> + * qdev_init_gpio_in_named: create an array of input GPIO lines
> + *   for the specified device
> + *
> + * Like qdev_init_gpio_in_named_with_opaque(), but the opaque pointer
> + * passed to the handler is @dev (which is the most commonly desired 
> behaviour).
> + */
> +static inline void qdev_init_gpio_in_named(DeviceState *dev,
> +   qemu_irq_handler handler,
> +   const char *name, int n)
> +{
> +qdev_init_gpio_in_named_with_opaque(dev, handler, dev, name, n);
> +}
>  
>  void qdev_pass_gpios(DeviceState *dev, DeviceState *container,
>   const char *name);
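Review bot: the kernel-doc for qdev_init_gpio_in_named_with_opaque() does not state the lifetime requirement on @opaque; the irqs created by qemu_extend_irqs() keep the pointer and hand it to @handler on every line change, so the comment should say that @opaque must remain valid for as long as the device's GPIO lines do (for the existing function this was implicit because the pointer was @dev itself). A style point in the same hunk: the new `/**` block follows the `qdev_init_gpio_out_named()` declaration with no blank line between them, unlike the rest of this header.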
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index 7ed1f431f0..f3754ee606 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -385,15 +385,17 @@ static NamedGPIOList 
> *qdev_get_named_gpio_list(DeviceState *dev,
>  return ngl;
>  }
>  
> -void qdev_init_gpio_in_named(DeviceState *dev, qemu_irq_handler handler,
> - const char *name, int n)
> +void qdev_init_gpio_in_named_with_opaque(DeviceState *dev,
> + qemu_irq_handler handler,
> + void *opaque,
> + const char *name, int n)
>  {
>  int i;
>  NamedGPIOList *gpio_list = qdev_get_named_gpio_list(dev, name);
>  
>  assert(gpio_list->num_out == 0 || !name);
>  gpio_list->in = qemu_extend_irqs(gpio_list->in, gpio_list->num_in, 
> handler,
> - dev, n);
> + opaque, n);
>  
>  if (!name) {
>  name = "unnamed-gpio-in";
> 



Re: [Qemu-devel] [Qemu-arm] [PATCH 09/19] hw/misc/unimp: Move struct to header file

2018-02-20 Thread Philippe Mathieu-Daudé
On 02/20/2018 03:03 PM, Peter Maydell wrote:
> Move the definition of the struct for the unimplemented-device
> from unimp.c to unimp.h, so that users can embed the struct
> in their own device structs if they prefer.
> 
> Signed-off-by: Peter Maydell 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  include/hw/misc/unimp.h | 10 ++
>  hw/misc/unimp.c | 10 --
>  2 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/include/hw/misc/unimp.h b/include/hw/misc/unimp.h
> index 52e068ec3e..2a291ca42d 100644
> --- a/include/hw/misc/unimp.h
> +++ b/include/hw/misc/unimp.h
> @@ -12,6 +12,16 @@
>  
>  #define TYPE_UNIMPLEMENTED_DEVICE "unimplemented-device"
>  
> +#define UNIMPLEMENTED_DEVICE(obj) \
> +OBJECT_CHECK(UnimplementedDeviceState, (obj), TYPE_UNIMPLEMENTED_DEVICE)
> +
> +typedef struct {
> +SysBusDevice parent_obj;
> +MemoryRegion iomem;
> +char *name;
> +uint64_t size;
> +} UnimplementedDeviceState;
> +
>  /**
>   * create_unimplemented_device: create and map a dummy device
>   * @name: name of the device for debug logging
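Review bot: the struct moved into the header is an anonymous `typedef struct { ... } UnimplementedDeviceState;`. Now that other devices are meant to embed it, a named tag (`typedef struct UnimplementedDeviceState { ... } UnimplementedDeviceState;`) would let headers that only hold a pointer forward-declare it instead of pulling in unimp.h and, through it, sysbus.h. Fields `name` and `size` would also benefit from a one-line comment each now that they are public rather than private to unimp.c.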
> diff --git a/hw/misc/unimp.c b/hw/misc/unimp.c
> index bcbb585888..1c0ba2f0a7 100644
> --- a/hw/misc/unimp.c
> +++ b/hw/misc/unimp.c
> @@ -18,16 +18,6 @@
>  #include "qemu/log.h"
>  #include "qapi/error.h"
>  
> -#define UNIMPLEMENTED_DEVICE(obj) \
> -OBJECT_CHECK(UnimplementedDeviceState, (obj), TYPE_UNIMPLEMENTED_DEVICE)
> -
> -typedef struct {
> -SysBusDevice parent_obj;
> -MemoryRegion iomem;
> -char *name;
> -uint64_t size;
> -} UnimplementedDeviceState;
> -
>  static uint64_t unimp_read(void *opaque, hwaddr offset, unsigned size)
>  {
>  UnimplementedDeviceState *s = UNIMPLEMENTED_DEVICE(opaque);
> 



[Qemu-devel] [PATCH 1/2] roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)

2018-02-20 Thread BALATON Zoltan
Signed-off-by: BALATON Zoltan 
---
 .gitmodules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitmodules b/.gitmodules
index 7a8282d..b76fb45 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -43,3 +43,6 @@
 [submodule "roms/seabios-hppa"]
path = roms/seabios-hppa
url = git://github.com/hdeller/seabios-hppa.git
+[submodule "roms/u-boot-sam460ex"]
+   path = roms/u-boot-sam460ex
+   url = git://github.com/zbalaton/u-boot-sam460ex
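Review bot: the new submodule URL uses the git:// transport, which provides no transport authentication, so the firmware source tree is fetched over a channel that anyone on the path can tamper with; the superproject pins a commit hash, but the initial clone and any branch-based update trust whatever the server sends. Use `https://github.com/zbalaton/u-boot-sam460ex` instead. The neighbouring seabios-hppa entry has the same weakness, but a new entry should not copy it. Also, the submodule is named `roms/u-boot-sam460ex` while the subject line says u-boot-sam460; pick one spelling and use it in both.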
-- 
2.7.6




[Qemu-devel] [PATCH 0/2] Firmware blob and git submodule for Sam460ex

2018-02-20 Thread BALATON Zoltan
I've created a git repo for the Sam460ex u-boot sources and this adds
that as a submodule and a separate patch to add the binary built from
these sources. Feel free to keep this as two patches, squash them into
one patch or take the git repo and commit the content under the QEMU
repo and use that as a submodule as you see fit (or let me know if any
changes are needed for these patches).

BALATON Zoltan (2):
  roms: Added git submodule for u-boot-sam460 (firmware for sam460ex)
  pc-bios: Added u-boot-sam460 firmware binary

 .gitmodules|   3 +++
 Makefile   |   2 +-
 pc-bios/u-boot-sam460-20100605.bin | Bin 0 -> 524288 bytes
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100755 pc-bios/u-boot-sam460-20100605.bin

-- 
2.7.6




[Qemu-devel] [PATCH 19/19] mps2-an505: New board model: MPS2 with AN505 Cortex-M33 FPGA image

2018-02-20 Thread Peter Maydell
Define a new board model for the MPS2 with an AN505 FPGA image
containing a Cortex-M33. Since the FPGA images for TrustZone
cores (AN505, and the similar AN519 for Cortex-M23) have a
significantly different layout of devices to the non-TrustZone
images, we use a new source file rather than shoehorning them
into the existing mps2.c.

Signed-off-by: Peter Maydell 
---
 hw/arm/Makefile.objs |   1 +
 hw/arm/mps2-tz.c | 504 +++
 2 files changed, 505 insertions(+)
 create mode 100644 hw/arm/mps2-tz.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index 79cd30bb92..232258160a 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -19,5 +19,6 @@ obj-$(CONFIG_FSL_IMX31) += fsl-imx31.o kzm.o
 obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
 obj-$(CONFIG_ASPEED_SOC) += aspeed_soc.o aspeed.o
 obj-$(CONFIG_MPS2) += mps2.o
+obj-$(CONFIG_MPS2) += mps2-tz.o
 obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
 obj-$(CONFIG_IOTKIT) += iotkit.o
diff --git a/hw/arm/mps2-tz.c b/hw/arm/mps2-tz.c
new file mode 100644
index 00..ff414c649c
--- /dev/null
+++ b/hw/arm/mps2-tz.c
@@ -0,0 +1,504 @@
+/*
+ * ARM V2M MPS2 board emulation, trustzone aware FPGA images
+ *
+ * Copyright (c) 2017 Linaro Limited
+ * Written by Peter Maydell
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 or
+ *  (at your option) any later version.
+ */
+
+/* The MPS2 and MPS2+ dev boards are FPGA based (the 2+ has a bigger
+ * FPGA but is otherwise the same as the 2). Since the CPU itself
+ * and most of the devices are in the FPGA, the details of the board
+ * as seen by the guest depend significantly on the FPGA image.
+ * This source file covers the following FPGA images, for TrustZone cores:
+ *  "mps2-an505" -- Cortex-M33 as documented in ARM Application Note AN505
+ *
+ * Links to the TRM for the board itself and to the various Application
+ * Notes which document the FPGA images can be found here:
+ * 
https://developer.arm.com/products/system-design/development-boards/fpga-prototyping-boards/mps2
+ *
+ * Board TRM:
+ * 
http://infocenter.arm.com/help/topic/com.arm.doc.100112_0200_06_en/versatile_express_cortex_m_prototyping_systems_v2m_mps2_and_v2m_mps2plus_technical_reference_100112_0200_06_en.pdf
+ * Application Note AN505:
+ * http://infocenter.arm.com/help/topic/com.arm.doc.dai0505b/index.html
+ *
+ * The AN505 defers to the Cortex-M33 processor ARMv8M IoT Kit FVP User Guide
+ * (ARM ECM0601256) for the details of some of the device layout:
+ *   
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ecm0601256/index.html
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "hw/arm/arm.h"
+#include "hw/arm/armv7m.h"
+#include "hw/or-irq.h"
+#include "hw/boards.h"
+#include "exec/address-spaces.h"
+#include "sysemu/sysemu.h"
+#include "hw/misc/unimp.h"
+#include "hw/char/cmsdk-apb-uart.h"
+#include "hw/timer/cmsdk-apb-timer.h"
+#include "hw/misc/mps2-scc.h"
+#include "hw/misc/mps2-fpgaio.h"
+#include "hw/arm/iotkit.h"
+#include "hw/devices.h"
+#include "net/net.h"
+#include "hw/core/split-irq.h"
+
+typedef enum MPS2TZFPGAType {
+FPGA_AN505,
+} MPS2TZFPGAType;
+
+typedef struct {
+MachineClass parent;
+MPS2TZFPGAType fpga_type;
+const char *cpu_model;
+uint32_t scc_id;
+} MPS2TZMachineClass;
+
+typedef struct {
+MachineState parent;
+
+IoTKit iotkit;
+MemoryRegion psram;
+MemoryRegion ssram1;
+MemoryRegion ssram1_m;
+MemoryRegion ssram23;
+MPS2SCC scc;
+MPS2FPGAIO fpgaio;
+TZPPC ppc[5];
+UnimplementedDeviceState ssram_mpc[3];
+UnimplementedDeviceState spi[5];
+UnimplementedDeviceState i2c[4];
+UnimplementedDeviceState i2s_audio;
+UnimplementedDeviceState gpio[5];
+UnimplementedDeviceState dma[4];
+UnimplementedDeviceState gfx;
+CMSDKAPBUART uart[5];
+SplitIRQ sec_resp_splitter;
+qemu_or_irq uart_irq_orgate;
+} MPS2TZMachineState;
+
+#define TYPE_MPS2TZ_MACHINE "mps2tz"
+#define TYPE_MPS2TZ_AN505_MACHINE MACHINE_TYPE_NAME("mps2-an505")
+
+#define MPS2TZ_MACHINE(obj) \
+OBJECT_CHECK(MPS2TZMachineState, obj, TYPE_MPS2TZ_MACHINE)
+#define MPS2TZ_MACHINE_GET_CLASS(obj) \
+OBJECT_GET_CLASS(MPS2TZMachineClass, obj, TYPE_MPS2TZ_MACHINE)
+#define MPS2TZ_MACHINE_CLASS(klass) \
+OBJECT_CLASS_CHECK(MPS2TZMachineClass, klass, TYPE_MPS2TZ_MACHINE)
+
+/* Main SYSCLK frequency in Hz */
+#define SYSCLK_FRQ 2000
+
+/* Initialize the auxiliary RAM region @mr and map it into
+ * the memory map at @base.
+ */
+static void make_ram(MemoryRegion *mr, const char *name,
+ hwaddr base, hwaddr size)
+{
+memory_region_init_ram(mr, NULL, name, size, _fatal);
+memory_region_add_subregion(get_system_memory(), base, mr);
+}
+
+/* Create an alias of an entire original MemoryRegion @orig
+ * located 
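Review bot: MPS2TZMachineState declares `TZPPC ppc[5]` but the include list in this file never pulls in hw/misc/tz-ppc.h; it compiles only because hw/arm/iotkit.h happens to include it, so add the direct include rather than relying on a transitive one. Two smaller points in the same hunk: the copyright line says 2017 while the other new files in this series say 2018, and `SYSCLK_FRQ` is defined as 2000 directly under a comment reading "Main SYSCLK frequency in Hz"; if a 20 MHz clock was intended, check the literal.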

[Qemu-devel] [PATCH 18/19] hw/arm/iotkit: Model Arm IOT Kit

2018-02-20 Thread Peter Maydell
Model the Arm IoT Kit documented in
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ecm0601256/index.html

The Arm IoT Kit is a subsystem which includes a CPU and some devices,
and is intended to be extended by adding extra devices to form a
complete system.  It is used in the MPS2 board's AN505 image for the
Cortex-M33.

Signed-off-by: Peter Maydell 
---
 hw/arm/Makefile.objs|   1 +
 include/hw/arm/iotkit.h | 109 
 hw/arm/iotkit.c | 598 
 default-configs/arm-softmmu.mak |   1 +
 4 files changed, 709 insertions(+)
 create mode 100644 include/hw/arm/iotkit.h
 create mode 100644 hw/arm/iotkit.c

diff --git a/hw/arm/Makefile.objs b/hw/arm/Makefile.objs
index 1c896bafb4..79cd30bb92 100644
--- a/hw/arm/Makefile.objs
+++ b/hw/arm/Makefile.objs
@@ -20,3 +20,4 @@ obj-$(CONFIG_FSL_IMX6) += fsl-imx6.o sabrelite.o
 obj-$(CONFIG_ASPEED_SOC) += aspeed_soc.o aspeed.o
 obj-$(CONFIG_MPS2) += mps2.o
 obj-$(CONFIG_MSF2) += msf2-soc.o msf2-som.o
+obj-$(CONFIG_IOTKIT) += iotkit.o
diff --git a/include/hw/arm/iotkit.h b/include/hw/arm/iotkit.h
new file mode 100644
index 00..c6129d926b
--- /dev/null
+++ b/include/hw/arm/iotkit.h
@@ -0,0 +1,109 @@
+/*
+ * ARM IoT Kit
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+/* This is a model of the Arm IoT Kit which is documented in
+ * 
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ecm0601256/index.html
+ * It contains:
+ *  a Cortex-M33
+ *  the IDAU
+ *  some timers and watchdogs
+ *  two peripheral protection controllers
+ *  a memory protection controller
+ *  a security controller
+ *  a bus fabric which arranges that some parts of the address
+ *  space are secure and non-secure aliases of each other
+ *
+ * QEMU interface:
+ *  + QOM property "memory" is a MemoryRegion containing the devices provided
+ *by the board model.
+ *  + QOM property "MAINCLK" is the frequency of the main system clock
+ *  + QOM property "EXP_NUMIRQ" sets the number of expansion interrupts
+ *  + Named GPIO inputs "EXP_IRQ" 0..n are the expansion interrupts, which
+ *are wired to the NVIC lines 32 .. n+32
+ * Controlling up to 4 AHB expansion PPBs which a system using the IoTKit
+ * might provide:
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_nonsec[0..15]
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_ap[0..15]
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_irq_enable
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_irq_clear
+ *  + named GPIO inputs apb_ppcexp{0,1,2,3}_irq_status
+ * Controlling each of the 4 expansion AHB PPCs which a system using the IoTKit
+ * might provide:
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_nonsec[0..15]
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_ap[0..15]
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_irq_enable
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_irq_clear
+ *  + named GPIO inputs ahb_ppcexp{0,1,2,3}_irq_status
+ */
+
+#ifndef IOTKIT_H
+#define IOTKIT_H
+
+#include "hw/sysbus.h"
+#include "hw/arm/armv7m.h"
+#include "hw/misc/iotkit-secctl.h"
+#include "hw/misc/tz-ppc.h"
+#include "hw/timer/cmsdk-apb-timer.h"
+#include "hw/misc/unimp.h"
+#include "hw/or-irq.h"
+#include "hw/core/split-irq.h"
+
+#define TYPE_IOTKIT "iotkit"
+#define IOTKIT(obj) OBJECT_CHECK(IoTKit, (obj), TYPE_IOTKIT)
+
+/* We have an IRQ splitter and an OR gate input for each external PPC
+ * and the 2 internal PPCs
+ */
+#define NUM_EXTERNAL_PPCS (IOTS_NUM_AHB_EXP_PPC + IOTS_NUM_APB_EXP_PPC)
+#define NUM_PPCS (NUM_EXTERNAL_PPCS + 2)
+
+typedef struct IoTKit {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+ARMv7MState armv7m;
+IoTKitSecCtl secctl;
+TZPPC apb_ppc0;
+TZPPC apb_ppc1;
+CMSDKAPBTIMER timer0;
+CMSDKAPBTIMER timer1;
+qemu_or_irq ppc_irq_orgate;
+SplitIRQ sec_resp_splitter;
+SplitIRQ ppc_irq_splitter[NUM_PPCS];
+
+UnimplementedDeviceState dualtimer;
+UnimplementedDeviceState s32ktimer;
+
+MemoryRegion container;
+MemoryRegion alias1;
+MemoryRegion alias2;
+MemoryRegion alias3;
+MemoryRegion sram0;
+
+qemu_irq *exp_irqs;
+qemu_irq ppc0_irq;
+qemu_irq ppc1_irq;
+qemu_irq sec_resp_cfg;
+qemu_irq sec_resp_cfg_in;
+qemu_irq nsc_cfg_in;
+
+qemu_irq irq_status_in[NUM_EXTERNAL_PPCS];
+
+uint32_t nsccfg;
+
+/* Properties */
+MemoryRegion *board_memory;
+uint32_t exp_numirq;
+uint32_t mainclk_frq;
+} IoTKit;
+
+#endif
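Review bot: in the header comment, the line "Controlling up to 4 AHB expansion PPBs which a system using the IoTKit might provide" introduces the apb_ppcexp{0,1,2,3}_* GPIO lines, so it should read "APB expansion PPCs"; the paragraph that follows already says "expansion AHB PPCs" for the ahb_ppcexp lines, and "PPB" is a different thing on M-profile (the Private Peripheral Bus). Also worth a sentence in the "QEMU interface" list: EXP_NUMIRQ must be set before realize since it sizes the `exp_irqs` array and the NVIC wiring.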
diff --git a/hw/arm/iotkit.c b/hw/arm/iotkit.c
new file mode 100644
index 00..c5f0a5b98a
--- /dev/null
+++ b/hw/arm/iotkit.c
@@ -0,0 +1,598 @@
+/*
+ * Arm IoT Kit
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This program is free software; you 

[Qemu-devel] [PATCH 03/19] hw/arm/armv7m: Honour CPU's address space for image loads

2018-02-20 Thread Peter Maydell
Instead of loading guest images to the system address space, use the
CPU's address space.  This is important if we're trying to load the
file to memory or via an alias memory region that is provided by an
SoC object and thus not mapped into the system address space.

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
---
 hw/arm/armv7m.c | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
index 56770a7048..facc536b07 100644
--- a/hw/arm/armv7m.c
+++ b/hw/arm/armv7m.c
@@ -270,6 +270,9 @@ void armv7m_load_kernel(ARMCPU *cpu, const char 
*kernel_filename, int mem_size)
 uint64_t entry;
 uint64_t lowaddr;
 int big_endian;
+AddressSpace *as;
+int asidx;
+CPUState *cs = CPU(cpu);
 
 #ifdef TARGET_WORDS_BIGENDIAN
 big_endian = 1;
@@ -282,11 +285,19 @@ void armv7m_load_kernel(ARMCPU *cpu, const char 
*kernel_filename, int mem_size)
 exit(1);
 }
 
+if (arm_feature(>env, ARM_FEATURE_EL3)) {
+asidx = ARMASIdx_S;
+} else {
+asidx = ARMASIdx_NS;
+}
+as = cpu_get_address_space(cs, asidx);
+
 if (kernel_filename) {
-image_size = load_elf(kernel_filename, NULL, NULL, , ,
-  NULL, big_endian, EM_ARM, 1, 0);
+image_size = load_elf_as(kernel_filename, NULL, NULL, , ,
+ NULL, big_endian, EM_ARM, 1, 0, as);
 if (image_size < 0) {
-image_size = load_image_targphys(kernel_filename, 0, mem_size);
+image_size = load_image_targphys_as(kernel_filename, 0,
+mem_size, as);
 lowaddr = 0;
 }
 if (image_size < 0) {
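Review bot: the address-space choice here keys only on ARM_FEATURE_EL3 and has no counterpart to the `info->secure_boot` test that arm_boot_address_space() applies in the hw/arm/boot.c patch. That is defensible for M-profile, where a CPU with the Security Extension resets into Secure state, but a short comment saying so would save the next reader from asking whether this should be checking ARM_FEATURE_M_SECURITY (which is what target/arm/cpu.c keys the IDAU link on in the IDAU patch) and whether M_SECURITY implies EL3 at this point.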
-- 
2.16.1




[Qemu-devel] [PATCH 15/19] hw/misc/iotkit-secctl: Arm IoT Kit security controller initial skeleton

2018-02-20 Thread Peter Maydell
The Arm IoT Kit includes a "security controller" which is largely a
collection of registers for controlling the PPCs and other bits of
glue in the system.  This commit provides the initial skeleton of the
device, implementing just the ID registers, and a couple of read-only
read-as-zero registers.

Signed-off-by: Peter Maydell 
---
 hw/misc/Makefile.objs   |   1 +
 include/hw/misc/iotkit-secctl.h |  39 
 hw/misc/iotkit-secctl.c | 450 
 default-configs/arm-softmmu.mak |   1 +
 hw/misc/trace-events|   7 +
 5 files changed, 498 insertions(+)
 create mode 100644 include/hw/misc/iotkit-secctl.h
 create mode 100644 hw/misc/iotkit-secctl.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index dcf413d730..00e834d0f0 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -62,6 +62,7 @@ obj-$(CONFIG_MPS2_FPGAIO) += mps2-fpgaio.o
 obj-$(CONFIG_MPS2_SCC) += mps2-scc.o
 
 obj-$(CONFIG_TZ_PPC) += tz-ppc.o
+obj-$(CONFIG_IOTKIT_SECCTL) += iotkit-secctl.o
 
 obj-$(CONFIG_PVPANIC) += pvpanic.o
 obj-$(CONFIG_HYPERV_TESTDEV) += hyperv_testdev.o
diff --git a/include/hw/misc/iotkit-secctl.h b/include/hw/misc/iotkit-secctl.h
new file mode 100644
index 00..872f652f8d
--- /dev/null
+++ b/include/hw/misc/iotkit-secctl.h
@@ -0,0 +1,39 @@
+/*
+ * ARM IoT Kit security controller
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+/* This is a model of the security controller which is part of the
+ * Arm IoT Kit and documented in
+ * 
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ecm0601256/index.html
+ *
+ * QEMU interface:
+ *  + sysbus MMIO region 0 is the "secure privilege control block" registers
+ *  + sysbus MMIO region 1 is the "non-secure privilege control block" 
registers
+ */
+
+#ifndef IOTKIT_SECCTL_H
+#define IOTKIT_SECCTL_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_IOTKIT_SECCTL "iotkit-secctl"
+#define IOTKIT_SECCTL(obj) OBJECT_CHECK(IoTKitSecCtl, (obj), 
TYPE_IOTKIT_SECCTL)
+
+typedef struct IoTKitSecCtl {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+
+MemoryRegion s_regs;
+MemoryRegion ns_regs;
+} IoTKitSecCtl;
+
+#endif
diff --git a/hw/misc/iotkit-secctl.c b/hw/misc/iotkit-secctl.c
new file mode 100644
index 00..5da52e4706
--- /dev/null
+++ b/hw/misc/iotkit-secctl.c
@@ -0,0 +1,450 @@
+/*
+ * Arm IoT Kit security controller
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "trace.h"
+#include "hw/sysbus.h"
+#include "hw/registerfields.h"
+#include "hw/misc/iotkit-secctl.h"
+
+/* Registers in the secure privilege control block */
+REG32(SECRESPCFG, 0x10)
+REG32(NSCCFG, 0x14)
+REG32(SECMPCINTSTATUS, 0x1c)
+REG32(SECPPCINTSTAT, 0x20)
+REG32(SECPPCINTCLR, 0x24)
+REG32(SECPPCINTEN, 0x28)
+REG32(SECMSCINTSTAT, 0x30)
+REG32(SECMSCINTCLR, 0x34)
+REG32(SECMSCINTEN, 0x38)
+REG32(BRGINTSTAT, 0x40)
+REG32(BRGINTCLR, 0x44)
+REG32(BRGINTEN, 0x48)
+REG32(AHBNSPPC0, 0x50)
+REG32(AHBNSPPCEXP0, 0x60)
+REG32(AHBNSPPCEXP1, 0x64)
+REG32(AHBNSPPCEXP2, 0x68)
+REG32(AHBNSPPCEXP3, 0x6c)
+REG32(APBNSPPC0, 0x70)
+REG32(APBNSPPC1, 0x74)
+REG32(APBNSPPCEXP0, 0x80)
+REG32(APBNSPPCEXP1, 0x84)
+REG32(APBNSPPCEXP2, 0x88)
+REG32(APBNSPPCEXP3, 0x8c)
+REG32(AHBSPPPC0, 0x90)
+REG32(AHBSPPPCEXP0, 0xa0)
+REG32(AHBSPPPCEXP1, 0xa4)
+REG32(AHBSPPPCEXP2, 0xa8)
+REG32(AHBSPPPCEXP3, 0xac)
+REG32(APBSPPPC0, 0xb0)
+REG32(APBSPPPC1, 0xb4)
+REG32(APBSPPPCEXP0, 0xc0)
+REG32(APBSPPPCEXP1, 0xc4)
+REG32(APBSPPPCEXP2, 0xc8)
+REG32(APBSPPPCEXP3, 0xcc)
+REG32(NSMSCEXP, 0xd0)
+REG32(PID4, 0xfd0)
+REG32(PID5, 0xfd4)
+REG32(PID6, 0xfd8)
+REG32(PID7, 0xfdc)
+REG32(PID0, 0xfe0)
+REG32(PID1, 0xfe4)
+REG32(PID2, 0xfe8)
+REG32(PID3, 0xfec)
+REG32(CID0, 0xff0)
+REG32(CID1, 0xff4)
+REG32(CID2, 0xff8)
+REG32(CID3, 0xffc)
+
+/* Registers in the non-secure privilege control block */
+REG32(AHBNSPPPC0, 0x90)
+REG32(AHBNSPPPCEXP0, 0xa0)
+REG32(AHBNSPPPCEXP1, 0xa4)
+REG32(AHBNSPPPCEXP2, 0xa8)
+REG32(AHBNSPPPCEXP3, 0xac)
+REG32(APBNSPPPC0, 0xb0)
+REG32(APBNSPPPC1, 0xb4)
+REG32(APBNSPPPCEXP0, 0xc0)
+REG32(APBNSPPPCEXP1, 0xc4)
+REG32(APBNSPPPCEXP2, 0xc8)
+REG32(APBNSPPPCEXP3, 0xcc)
+/* PID and CID registers are also present in the NS block */
+
+static const uint8_t iotkit_secctl_s_idregs[] = {
+0x04, 0x00, 0x00, 0x00,
+0x52, 0xb8, 0x0b, 0x00,
+0x0d, 0xf0, 0x05, 0xb1,
+};
+
+static const uint8_t iotkit_secctl_ns_idregs[] = {
+0x04, 0x00, 0x00, 0x00,
+0x53, 0xb8, 0x0b, 0x00,
+0x0d, 
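Review bot: `iotkit_secctl_s_idregs` and `iotkit_secctl_ns_idregs` are bare byte arrays with no comment; say that the 12 entries are the PID4..PID7, PID0..PID3, CID0..CID3 values in the register order declared above (0xfd0..0xffc), that the two blocks deliberately differ in the PID0 byte (0x52 for the secure block, 0x53 for the non-secure one), and which document the values were taken from. Without that a future reader is likely to "fix" the difference.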

[Qemu-devel] [PATCH 02/19] hw/arm/boot: Honour CPU's address space for image loads

2018-02-20 Thread Peter Maydell
Instead of loading kernels, device trees, and the like to
the system address space, use the CPU's address space. This
is important if we're trying to load the file to memory or
via an alias memory region that is provided by an SoC
object and thus not mapped into the system address space.

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
---
Function name changed to arm_boot_address_space()
rather than arm_boot_addressspace(), following irc
conversation...
---
 hw/arm/boot.c | 119 +-
 1 file changed, 76 insertions(+), 43 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index 05108bc42f..6d0c92ab88 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -36,6 +36,25 @@
 #define ARM64_TEXT_OFFSET_OFFSET8
 #define ARM64_MAGIC_OFFSET  56
 
+static AddressSpace *arm_boot_address_space(ARMCPU *cpu,
+const struct arm_boot_info *info)
+{
+/* Return the address space to use for bootloader reads and writes.
+ * We prefer the secure address space if the CPU has it and we're
+ * going to boot the guest into it.
+ */
+int asidx;
+CPUState *cs = CPU(cpu);
+
+if (arm_feature(>env, ARM_FEATURE_EL3) && info->secure_boot) {
+asidx = ARMASIdx_S;
+} else {
+asidx = ARMASIdx_NS;
+}
+
+return cpu_get_address_space(cs, asidx);
+}
+
 typedef enum {
 FIXUP_NONE = 0, /* do nothing */
 FIXUP_TERMINATOR,   /* end of insns */
@@ -125,7 +144,8 @@ static const ARMInsnFixup smpboot[] = {
 };
 
 static void write_bootloader(const char *name, hwaddr addr,
- const ARMInsnFixup *insns, uint32_t *fixupcontext)
+ const ARMInsnFixup *insns, uint32_t *fixupcontext,
+ AddressSpace *as)
 {
 /* Fix up the specified bootloader fragment and write it into
  * guest memory using rom_add_blob_fixed(). fixupcontext is
@@ -164,7 +184,7 @@ static void write_bootloader(const char *name, hwaddr addr,
 code[i] = tswap32(insn);
 }
 
-rom_add_blob_fixed(name, code, len * sizeof(uint32_t), addr);
+rom_add_blob_fixed_as(name, code, len * sizeof(uint32_t), addr, as);
 
 g_free(code);
 }
@@ -173,6 +193,7 @@ static void default_write_secondary(ARMCPU *cpu,
 const struct arm_boot_info *info)
 {
 uint32_t fixupcontext[FIXUP_MAX];
+AddressSpace *as = arm_boot_address_space(cpu, info);
 
 fixupcontext[FIXUP_GIC_CPU_IF] = info->gic_cpu_if_addr;
 fixupcontext[FIXUP_BOOTREG] = info->smp_bootreg_addr;
@@ -183,13 +204,14 @@ static void default_write_secondary(ARMCPU *cpu,
 }
 
 write_bootloader("smpboot", info->smp_loader_start,
- smpboot, fixupcontext);
+ smpboot, fixupcontext, as);
 }
 
 void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
 const struct arm_boot_info *info,
 hwaddr mvbar_addr)
 {
+AddressSpace *as = arm_boot_address_space(cpu, info);
 int n;
 uint32_t mvbar_blob[] = {
 /* mvbar_addr: secure monitor vectors
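Review bot: arm_write_secure_board_setup_dummy_smc() now writes its blobs through arm_boot_address_space(), which returns the Non-secure address space unless both ARM_FEATURE_EL3 and `info->secure_boot` hold. The blobs being written are the secure monitor vectors and the board-setup code that runs at MVBAR, so a caller that reaches this function with `secure_boot` unset would place them in NS memory where the secure monitor cannot find them. Either assert `info->secure_boot` at the top of this function or document it as a precondition in the header.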
@@ -227,22 +249,23 @@ void arm_write_secure_board_setup_dummy_smc(ARMCPU *cpu,
 for (n = 0; n < ARRAY_SIZE(mvbar_blob); n++) {
 mvbar_blob[n] = tswap32(mvbar_blob[n]);
 }
-rom_add_blob_fixed("board-setup-mvbar", mvbar_blob, sizeof(mvbar_blob),
-   mvbar_addr);
+rom_add_blob_fixed_as("board-setup-mvbar", mvbar_blob, sizeof(mvbar_blob),
+  mvbar_addr, as);
 
 for (n = 0; n < ARRAY_SIZE(board_setup_blob); n++) {
 board_setup_blob[n] = tswap32(board_setup_blob[n]);
 }
-rom_add_blob_fixed("board-setup", board_setup_blob,
-   sizeof(board_setup_blob), info->board_setup_addr);
+rom_add_blob_fixed_as("board-setup", board_setup_blob,
+  sizeof(board_setup_blob), info->board_setup_addr, 
as);
 }
 
 static void default_reset_secondary(ARMCPU *cpu,
 const struct arm_boot_info *info)
 {
+AddressSpace *as = arm_boot_address_space(cpu, info);
 CPUState *cs = CPU(cpu);
 
-address_space_stl_notdirty(_space_memory, info->smp_bootreg_addr,
+address_space_stl_notdirty(as, info->smp_bootreg_addr,
0, MEMTXATTRS_UNSPECIFIED, NULL);
 cpu_set_pc(cs, info->smp_loader_start);
 }
@@ -253,12 +276,12 @@ static inline bool have_dtb(const struct arm_boot_info 
*info)
 }
 
 #define WRITE_WORD(p, value) do { \
-address_space_stl_notdirty(_space_memory, p, value, \
+address_space_stl_notdirty(as, p, value, \
MEMTXATTRS_UNSPECIFIED, NULL);  \
 p += 4;   \
 } while (0)
 
-static void set_kernel_args(const struct arm_boot_info *info)
+static void 
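Review bot: WRITE_WORD now expands to `address_space_stl_notdirty(as, p, value, ...)` but `as` is not a macro parameter, so every use site must happen to have a local named `as` in scope; a site without one fails with an unhelpful compile error, and a site with a differently typed `as` is picked up silently. Either make it explicit (`WRITE_WORD(as, p, value)`) or put a comment on the macro stating the requirement.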

[Qemu-devel] [PATCH 04/19] target/arm: Define an IDAU interface

2018-02-20 Thread Peter Maydell
In v8M, the Implementation Defined Attribution Unit (IDAU) is
a small piece of hardware typically implemented in the SoC
which provides board or SoC specific security attribution
information for each address that the CPU performs MPU/SAU
checks on. For QEMU, we model this with a QOM interface which
is implemented by the board or SoC object and connected to
the CPU using a link property.

This commit defines the new interface class, adds the link
property to the CPU object, and makes the SAU checking
code call the IDAU interface if one is present.

Signed-off-by: Peter Maydell 
---
An example of an object that implements the IDAU can be
found in the later patch "hw/arm/iotkit: Model Arm IOT Kit".
---
 target/arm/cpu.h|  3 +++
 target/arm/idau.h   | 61 +
 target/arm/cpu.c| 15 +
 target/arm/helper.c | 28 +---
 4 files changed, 104 insertions(+), 3 deletions(-)
 create mode 100644 target/arm/idau.h

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index de62df091c..dc45b740c5 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -685,6 +685,9 @@ struct ARMCPU {
 /* MemoryRegion to use for secure physical accesses */
 MemoryRegion *secure_memory;
 
+/* For v8M, pointer to the IDAU interface provided by board/SoC */
+Object *idau;
+
 /* 'compatible' string for this CPU for Linux device trees */
 const char *dtb_compatible;
 
diff --git a/target/arm/idau.h b/target/arm/idau.h
new file mode 100644
index 00..cac27b95fa
--- /dev/null
+++ b/target/arm/idau.h
@@ -0,0 +1,61 @@
+/*
+ * QEMU ARM CPU -- interface for the Arm v8M IDAU
+ *
+ * Copyright (c) 2018 Linaro Ltd
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see
+ * 
+ *
+ * In the v8M architecture, the IDAU is a small piece of hardware
+ * typically implemented in the SoC which provides board or SoC
+ * specific security attribution information for each address that
+ * the CPU performs MPU/SAU checks on. For QEMU, we model this with a
+ * QOM interface which is implemented by the board or SoC object and
+ * connected to the CPU using a link property.
+ */
+
+#ifndef TARGET_ARM_IDAU_H
+#define TARGET_ARM_IDAU_H
+
+#include "qom/object.h"
+
+#define TYPE_IDAU_INTERFACE "idau-interface"
+#define IDAU_INTERFACE(obj) \
+INTERFACE_CHECK(IDAUInterface, (obj), TYPE_IDAU_INTERFACE)
+#define IDAU_INTERFACE_CLASS(class) \
+OBJECT_CLASS_CHECK(IDAUInterfaceClass, (class), TYPE_IDAU_INTERFACE)
+#define IDAU_INTERFACE_GET_CLASS(obj) \
+OBJECT_GET_CLASS(IDAUInterfaceClass, (obj), TYPE_IDAU_INTERFACE)
+
+typedef struct IDAUInterface {
+Object parent;
+} IDAUInterface;
+
+#define IREGION_NOTVALID -1
+
+typedef struct IDAUInterfaceClass {
+InterfaceClass parent;
+
+/* Check the specified address and return the IDAU security information
+ * for it by filling in iregion, exempt, ns and nsc:
+ *  iregion: IDAU region number, or IREGION_NOTVALID if not valid
+ *  exempt: true if address is exempt from security attribution
+ *  ns: true if the address is NonSecure
+ *  nsc: true if the address is NonSecure-callable
+ */
+void (*check)(IDAUInterface *ii, uint32_t address, int *iregion,
+  bool *exempt, bool *ns, bool *nsc);
+} IDAUInterfaceClass;
+
+#endif
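Review bot: the comment on the `check` callback documents the four outputs but not how they combine with the SAU result; the commit message says the SAU checking code "calls the IDAU interface if one is present", so an IDAU implementer cannot tell from this header whether returning `ns = true` for an address the SAU marks Secure relaxes it (it must not, under the v8M rule that the stricter of the two units wins) or whether `exempt` short-circuits the SAU lookup entirely. A sentence on each would make the contract explicit. Also note in the comment that `address` is a 32-bit physical address because this is M-profile only.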
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index d796085be9..99d00c3ac9 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -19,6 +19,7 @@
  */
 
 #include "qemu/osdep.h"
+#include "target/arm/idau.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"
 #include "cpu.h"
@@ -687,6 +688,13 @@ static void arm_cpu_post_init(Object *obj)
 }
 }
 
+if (arm_feature(>env, ARM_FEATURE_M_SECURITY)) {
+object_property_add_link(obj, "idau", TYPE_IDAU_INTERFACE, >idau,
+ qdev_prop_allow_set_link_before_realize,
+ OBJ_PROP_LINK_UNREF_ON_RELEASE,
+ _abort);
+}
+
 qdev_property_add_static(DEVICE(obj), _cpu_cfgend_property,
  _abort);
 }
@@ -1820,11 +1828,18 @@ static const TypeInfo arm_cpu_type_info = {
 .class_init = arm_cpu_class_init,
 };
 
+static const TypeInfo idau_interface_type_info = {
+.name = TYPE_IDAU_INTERFACE,
+.parent = 
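The attribution flow this patch hooks the IDAU into, as an added example written for this page rather than QEMU's own code: a toy `check` callback in the shape of `IDAUInterfaceClass::check` (without the interface pointer argument), a small SAU lookup, and the merge of the two results where the stricter attribute wins. The address map is invented for the example (bit 28 of the address selects the Non-secure alias, one window at 0x00FF0000-0x00FFFFFF is Non-secure-callable), the SAU programming is constructed, and treating everything from 0xE0000000 upward as exempt is a simplification of the architectural exemption list; none of this is the IoT Kit's layout.

```c
/* Toy model of ARMv8-M security attribution: IDAU callback, SAU lookup and
 * the merge of the two. Constructed example; the address map is invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IREGION_NOTVALID -1

enum SecAttr { ATTR_S = 0, ATTR_NSC = 1, ATTR_NS = 2, ATTR_EXEMPT = 3 };

typedef struct {
    uint32_t base;
    uint32_t limit;   /* inclusive */
    bool nsc;         /* region is Secure, Non-secure-callable */
} SAURegion;

typedef struct {
    bool enable;      /* SAU_CTRL.ENABLE */
    bool allns;       /* SAU_CTRL.ALLNS, consulted only while disabled */
    const SAURegion *regions;
    size_t nregions;
} SAUState;

/* Hypothetical IDAU in the shape of IDAUInterfaceClass::check: bit 28 set
 * means the Non-secure alias, and one constructed window is NSC so that
 * Non-secure code can reach Secure gateway veneers. */
static void toy_idau_check(uint32_t address, int *iregion, bool *exempt,
                           bool *ns, bool *nsc)
{
    *iregion = (address >> 28) & 0xf;     /* one IDAU region per 256 MiB */
    *exempt = false;
    *ns = (address & 0x10000000u) != 0;
    *nsc = !*ns && address >= 0x00FF0000u && address <= 0x00FFFFFFu;
}

/* SAU lookup: disabled SAU -> ALLNS decides; enabled SAU -> no hit is
 * Secure, one hit gives that region's attribute, overlapping hits are
 * treated as Secure with no valid region number. */
static void sau_lookup(const SAUState *sau, uint32_t address,
                       bool *ns, bool *nsc, int *sregion)
{
    int hits = 0;

    *ns = false;
    *nsc = false;
    *sregion = -1;
    if (!sau->enable) {
        *ns = sau->allns;
        return;
    }
    for (size_t i = 0; i < sau->nregions; i++) {
        const SAURegion *r = &sau->regions[i];
        if (address < r->base || address > r->limit) {
            continue;
        }
        if (++hits > 1) {                 /* overlap: Secure, region invalid */
            *ns = false;
            *nsc = false;
            *sregion = -1;
            return;
        }
        *sregion = (int)i;
        if (r->nsc) {
            *nsc = true;
        } else {
            *ns = true;
        }
    }
}

/* Combine the two units. The IDAU may turn an SAU NS result into NSC or S
 * and an SAU NSC result into S, but can never relax what the SAU decided. */
static enum SecAttr v8m_attribute(const SAUState *sau, uint32_t address)
{
    int iregion, sregion;
    bool idau_exempt, idau_ns, idau_nsc, ns, nsc;

    toy_idau_check(address, &iregion, &idau_exempt, &idau_ns, &idau_nsc);
    if (idau_exempt || address >= 0xE0000000u) {   /* simplified exemption */
        return ATTR_EXEMPT;
    }
    sau_lookup(sau, address, &ns, &nsc, &sregion);
    if (!idau_ns && (ns || (!idau_nsc && nsc))) {
        ns = false;
        nsc = idau_nsc;
    }
    return ns ? ATTR_NS : (nsc ? ATTR_NSC : ATTR_S);
}

/* Constructed SAU programming: region 2 deliberately overlaps region 0. */
static const SAURegion example_regions[] = {
    { 0x10000000u, 0x1FFFFFFFu, false },  /* NS alias of code/SRAM */
    { 0x00F00000u, 0x00FFFFFFu, false },  /* SAU says NS; IDAU may tighten */
    { 0x18000000u, 0x18FFFFFFu, true  },  /* overlaps region 0 */
};
static const SAUState example_sau = { true, false, example_regions, 3 };
static const SAUState disabled_allns_sau = { false, true, NULL, 0 };

enum SecAttr classify_example(uint32_t address)
{
    return v8m_attribute(&example_sau, address);
}

enum SecAttr classify_allns(uint32_t address)
{
    return v8m_attribute(&disabled_allns_sau, address);
}

int main(void)
{
    static const char *names[] = { "S", "NSC", "NS", "EXEMPT" };
    const uint32_t probes[] = { 0x00000000u, 0x00F00000u, 0x00FF0010u,
                                0x10001000u, 0x18000000u, 0x30000000u,
                                0xE000ED00u };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("0x%08x -> %s\n", probes[i], names[classify_example(probes[i])]);
    }
    return 0;
}
```

Walking the probes through `classify_example` shows each merge case: 0x00F00000 is NS to the SAU but the IDAU marks it Secure, so the result is S; 0x00FF0010 is NS to the SAU and NSC to the IDAU, so the result is NSC; 0x18000000 hits two SAU regions and collapses to S even though the IDAU calls it NS; 0x30000000 is NS to the IDAU but matches no SAU region, so the SAU's default of Secure stands.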

[Qemu-devel] [PATCH 16/19] hw/misc/iotkit-secctl: Add handling for PPCs

2018-02-20 Thread Peter Maydell
The IoTKit Security Controller includes various registers
that expose to software the controls for the Peripheral
Protection Controllers in the system. Implement these.

Signed-off-by: Peter Maydell 
---
 include/hw/misc/iotkit-secctl.h |  64 +-
 hw/misc/iotkit-secctl.c | 270 +---
 2 files changed, 315 insertions(+), 19 deletions(-)

diff --git a/include/hw/misc/iotkit-secctl.h b/include/hw/misc/iotkit-secctl.h
index 872f652f8d..ea3d62967f 100644
--- a/include/hw/misc/iotkit-secctl.h
+++ b/include/hw/misc/iotkit-secctl.h
@@ -16,6 +16,28 @@
  * QEMU interface:
  *  + sysbus MMIO region 0 is the "secure privilege control block" registers
  *  + sysbus MMIO region 1 is the "non-secure privilege control block" 
registers
+ *  + named GPIO output "sec_resp_cfg" indicating whether blocked accesses
+ *should RAZ/WI or bus error
+ * Controlling the 2 APB PPCs in the IoTKit:
+ *  + named GPIO outputs apb_ppc0_nonsec[0..2] and apb_ppc1_nonsec
+ *  + named GPIO outputs apb_ppc0_ap[0..2] and apb_ppc1_ap
+ *  + named GPIO outputs apb_ppc{0,1}_irq_enable
+ *  + named GPIO outputs apb_ppc{0,1}_irq_clear
+ *  + named GPIO inputs apb_ppc{0,1}_irq_status
+ * Controlling each of the 4 expansion APB PPCs which a system using the IoTKit
+ * might provide:
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_nonsec[0..15]
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_ap[0..15]
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_irq_enable
+ *  + named GPIO outputs apb_ppcexp{0,1,2,3}_irq_clear
+ *  + named GPIO inputs apb_ppcexp{0,1,2,3}_irq_status
+ * Controlling each of the 4 expansion AHB PPCs which a system using the IoTKit
+ * might provide:
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_nonsec[0..15]
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_ap[0..15]
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_irq_enable
+ *  + named GPIO outputs ahb_ppcexp{0,1,2,3}_irq_clear
+ *  + named GPIO inputs ahb_ppcexp{0,1,2,3}_irq_status
  */
 
 #ifndef IOTKIT_SECCTL_H
@@ -26,14 +48,52 @@
 #define TYPE_IOTKIT_SECCTL "iotkit-secctl"
 #define IOTKIT_SECCTL(obj) OBJECT_CHECK(IoTKitSecCtl, (obj), 
TYPE_IOTKIT_SECCTL)
 
-typedef struct IoTKitSecCtl {
+#define IOTS_APB_PPC0_NUM_PORTS 3
+#define IOTS_APB_PPC1_NUM_PORTS 1
+#define IOTS_PPC_NUM_PORTS 16
+#define IOTS_NUM_APB_PPC 2
+#define IOTS_NUM_APB_EXP_PPC 4
+#define IOTS_NUM_AHB_EXP_PPC 4
+
+typedef struct IoTKitSecCtl IoTKitSecCtl;
+
+/* State and IRQ lines relating to a PPC. For the
+ * PPCs in the IoTKit not all the IRQ lines are used.
+ */
+typedef struct IoTKitSecCtlPPC {
+qemu_irq nonsec[IOTS_PPC_NUM_PORTS];
+qemu_irq ap[IOTS_PPC_NUM_PORTS];
+qemu_irq irq_enable;
+qemu_irq irq_clear;
+
+uint32_t ns;
+uint32_t sp;
+uint32_t nsp;
+
+/* Number of ports actually present */
+int numports;
+/* Offset of this PPC's interrupt bits in SECPPCINTSTAT */
+int irq_bit_offset;
+IoTKitSecCtl *parent;
+} IoTKitSecCtlPPC;
+
+struct IoTKitSecCtl {
 /*< private >*/
 SysBusDevice parent_obj;
 
 /*< public >*/
+qemu_irq sec_resp_cfg;
 
 MemoryRegion s_regs;
 MemoryRegion ns_regs;
-} IoTKitSecCtl;
+
+uint32_t secppcintstat;
+uint32_t secppcinten;
+uint32_t secrespcfg;
+
+IoTKitSecCtlPPC apb[IOTS_NUM_APB_PPC];
+IoTKitSecCtlPPC apbexp[IOTS_NUM_APB_EXP_PPC];
+IoTKitSecCtlPPC ahbexp[IOTS_NUM_APB_EXP_PPC];
+};
 
 #endif
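Review bot: The `ahbexp` array in `struct IoTKitSecCtl` is sized with the wrong constant: `IoTKitSecCtlPPC ahbexp[IOTS_NUM_APB_EXP_PPC];` should be `ahbexp[IOTS_NUM_AHB_EXP_PPC]`. Both constants are defined as 4 in this hunk so nothing breaks today, but foreach_ppc() in hw/misc/iotkit-secctl.c iterates `ahbexp` with IOTS_NUM_AHB_EXP_PPC, so if either constant is ever changed independently the loop would run past the end of the array.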
diff --git a/hw/misc/iotkit-secctl.c b/hw/misc/iotkit-secctl.c
index 5da52e4706..7e1ca184ab 100644
--- a/hw/misc/iotkit-secctl.c
+++ b/hw/misc/iotkit-secctl.c
@@ -92,12 +92,41 @@ static const uint8_t iotkit_secctl_ns_idregs[] = {
 0x0d, 0xf0, 0x05, 0xb1,
 };
 
+/* The register sets for the various PPCs (AHB internal, APB internal,
+ * AHB expansion, APB expansion) are all set up so that they are
+ * in 16-aligned blocks so offsets 0xN0, 0xN4, 0xN8, 0xNC are PPCs
+ * 0, 1, 2, 3 of that type, so we can convert a register address offset
+ * into an an index into a PPC array easily.
+ */
+static inline int offset_to_ppc_idx(uint32_t offset)
+{
+return extract32(offset, 2, 2);
+}
+
+typedef void PerPPCFunction(IoTKitSecCtlPPC *ppc);
+
+static void foreach_ppc(IoTKitSecCtl *s, PerPPCFunction *fn)
+{
+int i;
+
+for (i = 0; i < IOTS_NUM_APB_PPC; i++) {
+fn(>apb[i]);
+}
+for (i = 0; i < IOTS_NUM_APB_EXP_PPC; i++) {
+fn(>apbexp[i]);
+}
+for (i = 0; i < IOTS_NUM_AHB_EXP_PPC; i++) {
+fn(>ahbexp[i]);
+}
+}
+
 static MemTxResult iotkit_secctl_s_read(void *opaque, hwaddr addr,
 uint64_t *pdata,
 unsigned size, MemTxAttrs attrs)
 {
 uint64_t r;
 uint32_t offset = addr & ~0x3;
+IoTKitSecCtl *s = IOTKIT_SECCTL(opaque);
 
 switch (offset) {
 case A_AHBNSPPC0:
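Review bot: Typo in the new comment above offset_to_ppc_idx(): "into an an index". It would also be worth stating in that comment that extract32(offset, 2, 2) yields 0..3, so the helper may only be used to index the four-entry `apbexp[]` and `ahbexp[]` arrays; the two-entry `apb[]` array must not be indexed through it, otherwise an unexpected register offset becomes an out-of-bounds read of device state.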
@@ -105,34 +134,52 @@ static MemTxResult iotkit_secctl_s_read(void *opaque, 
hwaddr addr,
 r = 0;
 break;
 case 

[Qemu-devel] [PATCH 06/19] target/arm: Define init-svtor property for the reset secure VTOR value

2018-02-20 Thread Peter Maydell
The Cortex-M33 allows the system to specify the reset value of the
secure Vector Table Offset Register (VTOR) by asserting config
signals. In particular, guest images for the MPS2 AN505 board rely
on the MPS2's initial VTOR being correct for that board.
Implement a QEMU property so board and SoC code can set the reset
value to the correct value.

Signed-off-by: Peter Maydell 
---
 * This patch doesn't try to change the handling of the load itself;
   strictly speaking for real hardware the load of initial PC and
   SP should honour the secure/nonsecure attributes and check
   SAU settings and bus fault responses, as with other vector
   table loads. That is a change for a different patch, if ever.
 * The M33 and MPS2 are actually more flexible than "constant value
   set when the board is created" -- the MPS2 has a register in
   the FPGA which can be used to define the VTOR to use on the
   next (soft) reset, since the M33 samples its config signals
   on every reset. That would be pretty fiddly to implement in
   QEMU (which doesn't even really have a well-defined concept
   of reset which is not a powercycle) so I'm not going to
   implement it unless we run into guest code that needs it.
---
 target/arm/cpu.h |  3 +++
 target/arm/cpu.c | 18 ++
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index dc45b740c5..c286169630 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -722,6 +722,9 @@ struct ARMCPU {
  */
 uint32_t psci_conduit;
 
+/* For v8M, initial value of the Secure VTOR */
+uint32_t init_svtor;
+
 /* [QEMU_]KVM_ARM_TARGET_* constant for this CPU, or
  * QEMU_KVM_ARM_TARGET_NONE if the kernel doesn't support this CPU type.
  */
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 99d00c3ac9..34b5a4a00b 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -186,6 +186,7 @@ static void arm_cpu_reset(CPUState *s)
 uint32_t initial_msp; /* Loaded from 0x0 */
 uint32_t initial_pc; /* Loaded from 0x4 */
 uint8_t *rom;
+uint32_t vecbase;
 
 if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
 env->v7m.secure = true;
@@ -213,8 +214,11 @@ static void arm_cpu_reset(CPUState *s)
 /* Unlike A/R profile, M profile defines the reset LR value */
 env->regs[14] = 0x;
 
-/* Load the initial SP and PC from the vector table at address 0 */
-rom = rom_ptr(0);
+env->v7m.vecbase[M_REG_S] = cpu->init_svtor;
+
+/* Load the initial SP and PC from offset 0 and 4 in the vector table 
*/
+vecbase = env->v7m.vecbase[env->v7m.secure];
+rom = rom_ptr(vecbase);
 if (rom) {
 /* Address zero is covered by ROM which hasn't yet been
  * copied into physical memory.
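Review bot: The comment "Address zero is covered by ROM which hasn't yet been copied into physical memory" is now stale, since the load has moved from address 0 to `rom_ptr(vecbase)` and `vecbase` is the Secure VTOR reset value rather than zero. Suggest rewording it to refer to the vector table at vecbase so that the comment matches the `rom = rom_ptr(vecbase);` line above it.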
@@ -227,8 +231,8 @@ static void arm_cpu_reset(CPUState *s)
  * it got copied into memory. In the latter case, rom_ptr
  * will return a NULL pointer and we should use ldl_phys instead.
  */
-initial_msp = ldl_phys(s->as, 0);
-initial_pc = ldl_phys(s->as, 4);
+initial_msp = ldl_phys(s->as, vecbase);
+initial_pc = ldl_phys(s->as, vecbase + 4);
 }
 
 env->regs[13] = initial_msp & 0xFFFC;
@@ -623,6 +627,10 @@ static Property arm_cpu_pmsav7_dregion_property =
pmsav7_dregion,
qdev_prop_uint32, uint32_t);
 
+/* M profile: initial value of the Secure VTOR */
+static Property arm_cpu_initsvtor_property =
+DEFINE_PROP_UINT32("init-svtor", ARMCPU, init_svtor, 0);
+
 static void arm_cpu_post_init(Object *obj)
 {
 ARMCPU *cpu = ARM_CPU(obj);
@@ -693,6 +701,8 @@ static void arm_cpu_post_init(Object *obj)
  qdev_prop_allow_set_link_before_realize,
  OBJ_PROP_LINK_UNREF_ON_RELEASE,
  _abort);
+qdev_property_add_static(DEVICE(obj), _cpu_initsvtor_property,
+ _abort);
 }
 
 qdev_property_add_static(DEVICE(obj), _cpu_cfgend_property,
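Review bot: The new `qdev_property_add_static(DEVICE(obj), _cpu_initsvtor_property, ...)` call sits inside the ARM_FEATURE_M_SECURITY block (the context lines are the tail of the "idau" link registration, followed by that block's closing brace), so "init-svtor" exists only on CPUs with the Security Extension. That is reasonable for a Secure VTOR value, but it should be documented next to the property, and any container that forwards "init-svtor" to the CPU must check with object_property_find() before setting it, or realize will fail for v7M CPU types.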
-- 
2.16.1




[Qemu-devel] [PATCH 14/19] hw/misc/tz-ppc: Model TrustZone peripheral protection controller

2018-02-20 Thread Peter Maydell
Add a model of the TrustZone peripheral protection controller (PPC),
which is used to gate transactions to non-TZ-aware peripherals so
that secure software can configure them to not be accessible to
non-secure software.

Signed-off-by: Peter Maydell 
---
 hw/misc/Makefile.objs   |   2 +
 include/hw/misc/tz-ppc.h| 101 ++
 hw/misc/tz-ppc.c| 302 
 default-configs/arm-softmmu.mak |   2 +
 hw/misc/trace-events|  11 ++
 5 files changed, 418 insertions(+)
 create mode 100644 include/hw/misc/tz-ppc.h
 create mode 100644 hw/misc/tz-ppc.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index 31f83dcfe7..dcf413d730 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -61,6 +61,8 @@ obj-$(CONFIG_MIPS_ITU) += mips_itu.o
 obj-$(CONFIG_MPS2_FPGAIO) += mps2-fpgaio.o
 obj-$(CONFIG_MPS2_SCC) += mps2-scc.o
 
+obj-$(CONFIG_TZ_PPC) += tz-ppc.o
+
 obj-$(CONFIG_PVPANIC) += pvpanic.o
 obj-$(CONFIG_HYPERV_TESTDEV) += hyperv_testdev.o
 obj-$(CONFIG_AUX) += auxbus.o
diff --git a/include/hw/misc/tz-ppc.h b/include/hw/misc/tz-ppc.h
new file mode 100644
index 00..fc8b806e4d
--- /dev/null
+++ b/include/hw/misc/tz-ppc.h
@@ -0,0 +1,101 @@
+/*
+ * ARM TrustZone peripheral protection controller emulation
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 or
+ * (at your option) any later version.
+ */
+
+/* This is a model of the TrustZone peripheral protection controller (PPC).
+ * It is documented in the ARM CoreLink SIE-200 System IP for Embedded TRM
+ * (DDI 0571G):
+ * https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g
+ *
+ * The PPC sits in front of peripherals and allows secure software to
+ * configure it to either pass through or reject transactions.
+ * Rejected transactions may be configured to either be aborted, or to
+ * behave as RAZ/WI. An interrupt can be signalled for a rejected transaction.
+ *
+ * The PPC has no register interface -- it is configured purely by a
+ * collection of input signals from other hardware in the system. Typically
+ * they are either hardwired or exposed in an ad-hoc register interface by
+ * the SoC that uses the PPC.
+ *
+ * This QEMU model can be used to model either the AHB5 or APB4 TZ PPC,
+ * since the only difference between them is that the AHB version has a
+ * "default" port which has no security checks applied. In QEMU the default
+ * port can be emulated simply by wiring its downstream devices directly
+ * into the parent address space, since the PPC does not need to intercept
+ * transactions there.
+ *
+ * In the hardware, selection of which downstream port to use is done by
+ * the user's decode logic asserting one of the hsel[] signals. In QEMU,
+ * we provide 16 MMIO regions, one per port, and the user maps these into
+ * the desired addresses to implement the address decode.
+ *
+ * QEMU interface:
+ * + sysbus MMIO regions 0..15: MemoryRegions defining the upstream end
+ *   of each of the 16 ports of the PPC
+ * + Property "port[0..15]": MemoryRegion defining the downstream device(s)
+ *   for each of the 16 ports of the PPC
+ * + Named GPIO inputs "cfg_nonsec[0..15]": set to 1 if the port should be
+ *   accessible to NonSecure transactions
+ * + Named GPIO inputs "cfg_ap[0..15]": set to 1 if the port should be
+ *   accessible to non-privileged transactions
+ * + Named GPIO input "cfg_sec_resp": set to 1 if a rejected transaction should
+ *   result in a transaction error, or 0 for the transaction to RAZ/WI
+ * + Named GPIO input "irq_enable": set to 1 to enable interrupts
+ * + Named GPIO input "irq_clear": set to 1 to clear a pending interrupt
+ * + Named GPIO output "irq": set for a transaction-failed interrupt
+ * + Property "NONSEC_MASK": if a bit is set in this mask then accesses to
+ *   the associated port do not have the TZ security check performed. (This
+ *   corresponds to the hardware allowing this to be set as a Verilog
+ *   parameter.)
+ */
+
+#ifndef TZ_PPC_H
+#define TZ_PPC_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_TZ_PPC "tz-ppc"
+#define TZ_PPC(obj) OBJECT_CHECK(TZPPC, (obj), TYPE_TZ_PPC)
+
+#define TZ_NUM_PORTS 16
+
+typedef struct TZPPC TZPPC;
+
+typedef struct TZPPCPort {
+TZPPC *ppc;
+MemoryRegion upstream;
+AddressSpace downstream_as;
+MemoryRegion *downstream;
+} TZPPCPort;
+
+struct TZPPC {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+
+/* State: these just track the values of our input signals */
+bool cfg_nonsec[TZ_NUM_PORTS];
+bool cfg_ap[TZ_NUM_PORTS];
+bool cfg_sec_resp;
+bool irq_enable;
+bool irq_clear;
+/* State: are we asserting irq ? */
+bool irq_status;
+
+qemu_irq irq;
+
+/* Properties */
+uint32_t nonsec_mask;
+
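Review bot: Property naming in the interface comment is inconsistent: `Property "NONSEC_MASK"` is upper-case with an underscore while the other properties and GPIO names are lower-case (`port[0..15]`, `cfg_nonsec`, `cfg_sec_resp`); QEMU property names are conventionally lower-case with hyphens, so "nonsec-mask" would match `uint32_t nonsec_mask;` in the struct and the rest of this header. The comment should also state the reset value of `cfg_sec_resp` and of the cfg_nonsec/cfg_ap inputs, since those decide whether a rejected transaction is a bus error or a silent RAZ/WI, and whether a port is reachable from NonSecure at all, before secure software has configured anything.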

[Qemu-devel] [PATCH 07/19] armv7m: Forward init-svtor property to CPU object

2018-02-20 Thread Peter Maydell
Create an "init-svtor" property on the armv7m container
object which we can forward to the CPU object.

Signed-off-by: Peter Maydell 
---
 include/hw/arm/armv7m.h | 2 ++
 hw/arm/armv7m.c | 6 ++
 2 files changed, 8 insertions(+)

diff --git a/include/hw/arm/armv7m.h b/include/hw/arm/armv7m.h
index 5c3f406ccc..78308d1484 100644
--- a/include/hw/arm/armv7m.h
+++ b/include/hw/arm/armv7m.h
@@ -42,6 +42,7 @@ typedef struct {
  *   that CPU accesses see. (The NVIC, bitbanding and other CPU-internal
  *   devices will be automatically layered on top of this view.)
  * + Property "idau": IDAU interface (forwarded to CPU object)
+ * + Property "init-svtor": secure VTOR reset value (forwarded to CPU object)
  */
 typedef struct ARMv7MState {
 /*< private >*/
@@ -61,6 +62,7 @@ typedef struct ARMv7MState {
 /* MemoryRegion the board provides to us (with its devices, RAM, etc) */
 MemoryRegion *board_memory;
 Object *idau;
+uint32_t init_svtor;
 } ARMv7MState;
 
 #endif
diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
index 189066812c..149aa07cd5 100644
--- a/hw/arm/armv7m.c
+++ b/hw/arm/armv7m.c
@@ -168,6 +168,11 @@ static void armv7m_realize(DeviceState *dev, Error **errp)
 error_propagate(errp, err);
 return;
 }
+object_property_set_uint(OBJECT(s->cpu), s->init_svtor, "init-svtor", 
);
+if (err != NULL) {
+error_propagate(errp, err);
+return;
+}
 object_property_set_bool(OBJECT(s->cpu), true, "realized", );
 if (err != NULL) {
 error_propagate(errp, err);
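Review bot: The `object_property_set_uint(OBJECT(s->cpu), s->init_svtor, "init-svtor", ...)` call is unconditional, but the CPU registers "init-svtor" only when ARM_FEATURE_M_SECURITY is set (it is added inside that block in the target/arm/cpu.c hunk of patch 06), so for a v7M CPU type such as cortex-m3 this returns a "property not found" error and armv7m_realize() fails. Either guard it with `if (object_property_find(OBJECT(s->cpu), "init-svtor", NULL))` or register the property on all M-profile CPUs.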
@@ -224,6 +229,7 @@ static Property armv7m_properties[] = {
 DEFINE_PROP_LINK("memory", ARMv7MState, board_memory, TYPE_MEMORY_REGION,
  MemoryRegion *),
 DEFINE_PROP_LINK("idau", ARMv7MState, idau, TYPE_IDAU_INTERFACE, Object *),
+DEFINE_PROP_UINT32("init-svtor", ARMv7MState, init_svtor, 0),
 DEFINE_PROP_END_OF_LIST(),
 };
 

[Qemu-devel] [PATCH 01/19] loader: Add new load_ramdisk_as()

2018-02-20 Thread Peter Maydell
Add a function load_ramdisk_as() which behaves like the existing
load_ramdisk() but allows the caller to specify the AddressSpace
to use. This matches the pattern we have already for various
other loader functions.

Signed-off-by: Peter Maydell 
Reviewed-by: Philippe Mathieu-Daudé 
---
 include/hw/loader.h | 12 +++-
 hw/core/loader.c|  8 +++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/include/hw/loader.h b/include/hw/loader.h
index 5edbe02b1c..2504cc2259 100644
--- a/include/hw/loader.h
+++ b/include/hw/loader.h
@@ -162,16 +162,26 @@ int load_uimage(const char *filename, hwaddr *ep,
 void *translate_opaque);
 
 /**
- * load_ramdisk:
+ * load_ramdisk_as:
  * @filename: Path to the ramdisk image
  * @addr: Memory address to load the ramdisk to
  * @max_sz: Maximum allowed ramdisk size (for non-u-boot ramdisks)
+ * @as: The AddressSpace to load the ELF to. The value of address_space_memory
+ *  is used if nothing is supplied here.
  *
  * Load a ramdisk image with U-Boot header to the specified memory
  * address.
  *
  * Returns the size of the loaded image on success, -1 otherwise.
  */
+int load_ramdisk_as(const char *filename, hwaddr addr, uint64_t max_sz,
+AddressSpace *as);
+
+/**
+ * load_ramdisk:
+ * Same as load_ramdisk_as(), but doesn't allow the caller to specify
+ * an AddressSpace.
+ */
 int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz);
 
 ssize_t gunzip(void *dst, size_t dstlen, uint8_t *src, size_t srclen);
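Review bot: The new `@as` documentation reads "The AddressSpace to load the ELF to", which looks copied from the load_elf_as() comment; this function loads a ramdisk, so it should say "to load the ramdisk to". The "load_ramdisk:" entry below could also say that passing no AddressSpace means address_space_memory is used, so the two descriptions stay consistent.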
diff --git a/hw/core/loader.c b/hw/core/loader.c
index 91669d65aa..2b9e7394a1 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -729,9 +729,15 @@ int load_uimage_as(const char *filename, hwaddr *ep, 
hwaddr *loadaddr,
 
 /* Load a ramdisk.  */
 int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz)
+{
+return load_ramdisk_as(filename, addr, max_sz, NULL);
+}
+
+int load_ramdisk_as(const char *filename, hwaddr addr, uint64_t max_sz,
+AddressSpace *as)
 {
 return load_uboot_image(filename, NULL, , NULL, IH_TYPE_RAMDISK,
-NULL, NULL, NULL);
+NULL, NULL, as);
 }
 
 /* Load a gzip-compressed kernel to a dynamically allocated buffer. */

[Qemu-devel] [PATCH 17/19] hw/misc/iotkit-secctl: Add remaining simple registers

2018-02-20 Thread Peter Maydell
Add remaining easy registers to iotkit-secctl:
 * NSCCFG just routes its two bits out to external GPIO lines
 * BRGINSTAT/BRGINTCLR/BRGINTEN can be dummies, because QEMU's
   bus fabric can never report errors

Signed-off-by: Peter Maydell 
---
 include/hw/misc/iotkit-secctl.h |  4 
 hw/misc/iotkit-secctl.c | 32 ++--
 2 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/include/hw/misc/iotkit-secctl.h b/include/hw/misc/iotkit-secctl.h
index ea3d62967f..faad0c9190 100644
--- a/include/hw/misc/iotkit-secctl.h
+++ b/include/hw/misc/iotkit-secctl.h
@@ -18,6 +18,7 @@
  *  + sysbus MMIO region 1 is the "non-secure privilege control block" 
registers
  *  + named GPIO output "sec_resp_cfg" indicating whether blocked accesses
  *should RAZ/WI or bus error
+ *  + named GPIO output "nsc_cfg" whose value tracks the NSCCFG register value
  * Controlling the 2 APB PPCs in the IoTKit:
  *  + named GPIO outputs apb_ppc0_nonsec[0..2] and apb_ppc1_nonsec
  *  + named GPIO outputs apb_ppc0_ap[0..2] and apb_ppc1_ap
@@ -83,6 +84,7 @@ struct IoTKitSecCtl {
 
 /*< public >*/
 qemu_irq sec_resp_cfg;
+qemu_irq nsc_cfg_irq;
 
 MemoryRegion s_regs;
 MemoryRegion ns_regs;
@@ -90,6 +92,8 @@ struct IoTKitSecCtl {
 uint32_t secppcintstat;
 uint32_t secppcinten;
 uint32_t secrespcfg;
+uint32_t nsccfg;
+uint32_t brginten;
 
 IoTKitSecCtlPPC apb[IOTS_NUM_APB_PPC];
 IoTKitSecCtlPPC apbexp[IOTS_NUM_APB_EXP_PPC];
diff --git a/hw/misc/iotkit-secctl.c b/hw/misc/iotkit-secctl.c
index 7e1ca184ab..2cefa0ec15 100644
--- a/hw/misc/iotkit-secctl.c
+++ b/hw/misc/iotkit-secctl.c
@@ -136,12 +136,24 @@ static MemTxResult iotkit_secctl_s_read(void *opaque, 
hwaddr addr,
 case A_SECRESPCFG:
 r = s->secrespcfg;
 break;
+case A_NSCCFG:
+r = s->nsccfg;
+break;
 case A_SECPPCINTSTAT:
 r = s->secppcintstat;
 break;
 case A_SECPPCINTEN:
 r = s->secppcinten;
 break;
+case A_BRGINTSTAT:
+/* QEMU's bus fabric can never report errors as it doesn't buffer
+ * writes, so we never report bridge interrupts.
+ */
+r = 0;
+break;
+case A_BRGINTEN:
+r = s->brginten;
+break;
 case A_AHBNSPPCEXP0:
 case A_AHBNSPPCEXP1:
 case A_AHBNSPPCEXP2:
@@ -174,12 +186,9 @@ static MemTxResult iotkit_secctl_s_read(void *opaque, 
hwaddr addr,
 case A_APBSPPPCEXP3:
 r = s->apbexp[offset_to_ppc_idx(offset)].sp;
 break;
-case A_NSCCFG:
 case A_SECMPCINTSTATUS:
 case A_SECMSCINTSTAT:
 case A_SECMSCINTEN:
-case A_BRGINTSTAT:
-case A_BRGINTEN:
 case A_NSMSCEXP:
 qemu_log_mask(LOG_UNIMP,
   "IoTKit SecCtl S block read: "
@@ -299,6 +308,10 @@ static MemTxResult iotkit_secctl_s_write(void *opaque, 
hwaddr addr,
 }
 
 switch (offset) {
+case A_NSCCFG:
+s->nsccfg = value & 3;
+qemu_set_irq(s->nsc_cfg_irq, s->nsccfg);
+break;
 case A_SECRESPCFG:
 value &= 1;
 s->secrespcfg = value;
@@ -312,6 +325,11 @@ static MemTxResult iotkit_secctl_s_write(void *opaque, 
hwaddr addr,
 s->secppcinten = value & 0x00f000f3;
 foreach_ppc(s, iotkit_secctl_ppc_update_irq_enable);
 break;
+case A_BRGINTCLR:
+break;
+case A_BRGINTEN:
+s->brginten = value & 0x;
+break;
 case A_AHBNSPPCEXP0:
 case A_AHBNSPPCEXP1:
 case A_AHBNSPPCEXP2:
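Review bot: The `case A_BRGINTCLR: break;` write handler silently discards the value; that is consistent with BRGINTSTAT always reading as 0, but a one-line comment here (like the one on the read side explaining that QEMU's bus fabric never reports errors) would save the next reader a trip to iotkit_secctl_s_read() to confirm it is intentional rather than unimplemented.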
@@ -350,11 +368,8 @@ static MemTxResult iotkit_secctl_s_write(void *opaque, 
hwaddr addr,
 ppc = >apbexp[offset_to_ppc_idx(offset)];
 iotkit_secctl_ppc_sp_write(ppc, value);
 break;
-case A_NSCCFG:
 case A_SECMSCINTCLR:
 case A_SECMSCINTEN:
-case A_BRGINTCLR:
-case A_BRGINTEN:
 qemu_log_mask(LOG_UNIMP,
   "IoTKit SecCtl S block write: "
   "unimplemented offset 0x%x\n", offset);
@@ -553,6 +568,8 @@ static void iotkit_secctl_reset(DeviceState *dev)
 s->secppcintstat = 0;
 s->secppcinten = 0;
 s->secrespcfg = 0;
+s->nsccfg = 0;
+s->brginten = 0;
 
 foreach_ppc(s, iotkit_secctl_reset_ppc);
 }
@@ -623,6 +640,7 @@ static void iotkit_secctl_init(Object *obj)
 }
 
 qdev_init_gpio_out_named(dev, >sec_resp_cfg, "sec_resp_cfg", 1);
+qdev_init_gpio_out_named(dev, >nsc_cfg_irq, "nsc_cfg", 1);
 
 memory_region_init_io(>s_regs, obj, _secctl_s_ops,
   s, "iotkit-secctl-s-regs", 0x1000);
@@ -652,6 +670,8 @@ static const VMStateDescription iotkit_secctl_vmstate = {
 VMSTATE_UINT32(secppcintstat, IoTKitSecCtl),
 VMSTATE_UINT32(secppcinten, IoTKitSecCtl),
 VMSTATE_UINT32(secrespcfg, IoTKitSecCtl),
+VMSTATE_UINT32(nsccfg, IoTKitSecCtl),
+VMSTATE_UINT32(brginten, IoTKitSecCtl),
 VMSTATE_STRUCT_ARRAY(apb, IoTKitSecCtl, 
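Review bot: Adding `nsccfg` and `brginten` to iotkit_secctl_vmstate changes the migration stream layout; the version_id is not visible in this hunk, so please confirm the device has not shipped in a release yet (in which case no bump is needed) or bump version_id/minimum_version_id accordingly.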

[Qemu-devel] [PATCH 12/19] hw/core/split-irq: Device that splits IRQ lines

2018-02-20 Thread Peter Maydell
In some board or SoC models it is necessary to split a qemu_irq line
so that one input can feed multiple outputs.  We currently have
qemu_irq_split() for this, but that has several deficiencies:
 * it can only handle splitting a line into two
 * it unavoidably leaks memory, so it can't be used
   in a device that can be deleted

Implement a qdev device that encapsulates splitting of IRQs, with a
configurable number of outputs.  (This is in some ways the inverse of
the TYPE_OR_IRQ device.)

Signed-off-by: Peter Maydell 
---
 hw/core/Makefile.objs   |  1 +
 include/hw/core/split-irq.h | 57 +
 include/hw/irq.h|  4 +-
 hw/core/split-irq.c | 89 +
 4 files changed, 150 insertions(+), 1 deletion(-)
 create mode 100644 include/hw/core/split-irq.h
 create mode 100644 hw/core/split-irq.c

diff --git a/hw/core/Makefile.objs b/hw/core/Makefile.objs
index 1240728c87..eb88ca979e 100644
--- a/hw/core/Makefile.objs
+++ b/hw/core/Makefile.objs
@@ -18,6 +18,7 @@ common-obj-$(CONFIG_FITLOADER) += loader-fit.o
 common-obj-$(CONFIG_SOFTMMU) += qdev-properties-system.o
 common-obj-$(CONFIG_SOFTMMU) += register.o
 common-obj-$(CONFIG_SOFTMMU) += or-irq.o
+common-obj-$(CONFIG_SOFTMMU) += split-irq.o
 common-obj-$(CONFIG_PLATFORM_BUS) += platform-bus.o
 
 obj-$(CONFIG_SOFTMMU) += generic-loader.o
diff --git a/include/hw/core/split-irq.h b/include/hw/core/split-irq.h
new file mode 100644
index 00..bb87157c5a
--- /dev/null
+++ b/include/hw/core/split-irq.h
@@ -0,0 +1,57 @@
+/*
+ * IRQ splitter device.
+ *
+ * Copyright (c) 2018 Linaro Limited.
+ * Written by Peter Maydell
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/* This is a simple device which has one GPIO input line and multiple
+ * GPIO output lines. Any change on the input line is forwarded to all
+ * of the outputs.
+ *
+ * QEMU interface:
+ *  + one unnamed GPIO input: the input line
+ *  + N unnamed GPIO outputs: the output lines
+ *  + QOM property "num-lines": sets the number of output lines
+ */
+#ifndef HW_SPLIT_IRQ_H
+#define HW_SPLIT_IRQ_H
+
+#include "hw/irq.h"
+#include "hw/sysbus.h"
+#include "qom/object.h"
+
+#define TYPE_SPLIT_IRQ "split-irq"
+
+#define MAX_SPLIT_LINES 16
+
+typedef struct SplitIRQ SplitIRQ;
+
+#define SPLIT_IRQ(obj) OBJECT_CHECK(SplitIRQ, (obj), TYPE_SPLIT_IRQ)
+
+struct SplitIRQ {
+DeviceState parent_obj;
+
+qemu_irq out_irq[MAX_SPLIT_LINES];
+uint16_t num_lines;
+};
+
+#endif
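Review bot: The header documents the "num-lines" property but not its valid range; since `out_irq[MAX_SPLIT_LINES]` is a fixed 16-entry array and `num_lines` is a uint16_t, the comment should state that values above MAX_SPLIT_LINES (and 0) are rejected at realize time, and the realize function in split-irq.c must actually enforce that bound before the outputs are created.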
diff --git a/include/hw/irq.h b/include/hw/irq.h
index 4c4c2eaf9a..7a40e3ed26 100644
--- a/include/hw/irq.h
+++ b/include/hw/irq.h
@@ -50,7 +50,9 @@ void qemu_free_irq(qemu_irq irq);
 /* Returns a new IRQ with opposite polarity.  */
 qemu_irq qemu_irq_invert(qemu_irq irq);
 
-/* Returns a new IRQ which feeds into both the passed IRQs */
+/* Returns a new IRQ which feeds into both the passed IRQs.
+ * It's probably better to use the TYPE_SPLIT_IRQ device instead.
+ */
 qemu_irq qemu_irq_split(qemu_irq irq1, qemu_irq irq2);
 
 /* Returns a new IRQ set which connects 1:1 to another IRQ set, which
diff --git a/hw/core/split-irq.c b/hw/core/split-irq.c
new file mode 100644
index 00..7e64cd4969
--- /dev/null
+++ b/hw/core/split-irq.c
@@ -0,0 +1,89 @@
+/*
+ * IRQ splitter device.
+ *
+ * Copyright (c) 2018 Linaro Limited.
+ * Written by Peter Maydell
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to 
deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * 

[Qemu-devel] [PATCH 09/19] hw/misc/unimp: Move struct to header file

2018-02-20 Thread Peter Maydell
Move the definition of the struct for the unimplemented-device
from unimp.c to unimp.h, so that users can embed the struct
in their own device structs if they prefer.

Signed-off-by: Peter Maydell 
---
 include/hw/misc/unimp.h | 10 ++
 hw/misc/unimp.c | 10 --
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/include/hw/misc/unimp.h b/include/hw/misc/unimp.h
index 52e068ec3e..2a291ca42d 100644
--- a/include/hw/misc/unimp.h
+++ b/include/hw/misc/unimp.h
@@ -12,6 +12,16 @@
 
 #define TYPE_UNIMPLEMENTED_DEVICE "unimplemented-device"
 
+#define UNIMPLEMENTED_DEVICE(obj) \
+OBJECT_CHECK(UnimplementedDeviceState, (obj), TYPE_UNIMPLEMENTED_DEVICE)
+
+typedef struct {
+SysBusDevice parent_obj;
+MemoryRegion iomem;
+char *name;
+uint64_t size;
+} UnimplementedDeviceState;
+
 /**
  * create_unimplemented_device: create and map a dummy device
  * @name: name of the device for debug logging
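Review bot: Now that `UnimplementedDeviceState` embeds `SysBusDevice` and `MemoryRegion`, include/hw/misc/unimp.h must include "hw/sysbus.h" itself rather than relying on whoever included it first; the hunk context does not show the header's include list, so please check that it is there.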
diff --git a/hw/misc/unimp.c b/hw/misc/unimp.c
index bcbb585888..1c0ba2f0a7 100644
--- a/hw/misc/unimp.c
+++ b/hw/misc/unimp.c
@@ -18,16 +18,6 @@
 #include "qemu/log.h"
 #include "qapi/error.h"
 
-#define UNIMPLEMENTED_DEVICE(obj) \
-OBJECT_CHECK(UnimplementedDeviceState, (obj), TYPE_UNIMPLEMENTED_DEVICE)
-
-typedef struct {
-SysBusDevice parent_obj;
-MemoryRegion iomem;
-char *name;
-uint64_t size;
-} UnimplementedDeviceState;
-
 static uint64_t unimp_read(void *opaque, hwaddr offset, unsigned size)
 {
 UnimplementedDeviceState *s = UNIMPLEMENTED_DEVICE(opaque);

[Qemu-devel] [PATCH 05/19] armv7m: Forward idau property to CPU object

2018-02-20 Thread Peter Maydell
Create an "idau" property on the armv7m container object which
we can forward to the CPU object. Annoyingly, we can't use
object_property_add_alias() because the CPU object we want to
forward to doesn't exist until the armv7m container is realized.

Signed-off-by: Peter Maydell 
---
 include/hw/arm/armv7m.h | 3 +++
 hw/arm/armv7m.c | 7 +++
 2 files changed, 10 insertions(+)

diff --git a/include/hw/arm/armv7m.h b/include/hw/arm/armv7m.h
index 35ab757264..5c3f406ccc 100644
--- a/include/hw/arm/armv7m.h
+++ b/include/hw/arm/armv7m.h
@@ -12,6 +12,7 @@
 
 #include "hw/sysbus.h"
 #include "hw/intc/armv7m_nvic.h"
+#include "target/arm/idau.h"
 
 #define TYPE_BITBAND "ARM,bitband-memory"
 #define BITBAND(obj) OBJECT_CHECK(BitBandState, (obj), TYPE_BITBAND)
@@ -40,6 +41,7 @@ typedef struct {
  * + Property "memory": MemoryRegion defining the physical address space
  *   that CPU accesses see. (The NVIC, bitbanding and other CPU-internal
  *   devices will be automatically layered on top of this view.)
+ * + Property "idau": IDAU interface (forwarded to CPU object)
  */
 typedef struct ARMv7MState {
 /*< private >*/
@@ -58,6 +60,7 @@ typedef struct ARMv7MState {
 char *cpu_type;
 /* MemoryRegion the board provides to us (with its devices, RAM, etc) */
 MemoryRegion *board_memory;
+Object *idau;
 } ARMv7MState;
 
 #endif
diff --git a/hw/arm/armv7m.c b/hw/arm/armv7m.c
index facc536b07..189066812c 100644
--- a/hw/arm/armv7m.c
+++ b/hw/arm/armv7m.c
@@ -19,6 +19,7 @@
 #include "sysemu/qtest.h"
 #include "qemu/error-report.h"
 #include "exec/address-spaces.h"
+#include "target/arm/idau.h"
 
 /* Bitbanded IO.  Each word corresponds to a single bit.  */
 
@@ -162,6 +163,11 @@ static void armv7m_realize(DeviceState *dev, Error **errp)
 
 object_property_set_link(OBJECT(s->cpu), OBJECT(>container), "memory",
  _abort);
+object_property_set_link(OBJECT(s->cpu), s->idau, "idau", );
+if (err != NULL) {
+error_propagate(errp, err);
+return;
+}
 object_property_set_bool(OBJECT(s->cpu), true, "realized", );
 if (err != NULL) {
 error_propagate(errp, err);
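Review bot: The `object_property_set_link(OBJECT(s->cpu), s->idau, "idau", ...)` call is unconditional, but the CPU's "idau" link property is registered only under `if (arm_feature(..., ARM_FEATURE_M_SECURITY))` (see the arm_cpu_post_init() hunk earlier on this page), so realizing an armv7m container with a non-Security-Extension CPU type will fail with a "property not found" error. Guard with `if (object_property_find(OBJECT(s->cpu), "idau", NULL))` before setting the link.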
@@ -217,6 +223,7 @@ static Property armv7m_properties[] = {
 DEFINE_PROP_STRING("cpu-type", ARMv7MState, cpu_type),
 DEFINE_PROP_LINK("memory", ARMv7MState, board_memory, TYPE_MEMORY_REGION,
  MemoryRegion *),
+DEFINE_PROP_LINK("idau", ARMv7MState, idau, TYPE_IDAU_INTERFACE, Object *),
 DEFINE_PROP_END_OF_LIST(),
 };
 

[Qemu-devel] [PATCH 08/19] target/arm: Add Cortex-M33

2018-02-20 Thread Peter Maydell
Add a Cortex-M33 definition. The M33 is an M profile CPU
which implements the ARM v8M architecture, including the
M profile Security Extension.

Signed-off-by: Peter Maydell 
---
 target/arm/cpu.c | 31 +++
 1 file changed, 31 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index 34b5a4a00b..897003a186 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -1205,6 +1205,35 @@ static void cortex_m4_initfn(Object *obj)
 cpu->id_isar5 = 0x;
 }
 
+static void cortex_m33_initfn(Object *obj)
+{
+ARMCPU *cpu = ARM_CPU(obj);
+
+set_feature(>env, ARM_FEATURE_V8);
+set_feature(>env, ARM_FEATURE_M);
+set_feature(>env, ARM_FEATURE_M_SECURITY);
+set_feature(>env, ARM_FEATURE_THUMB_DSP);
+cpu->midr = 0x410fd213; /* r0p3 */
+cpu->pmsav7_dregion = 16;
+cpu->sau_sregion = 8;
+cpu->id_pfr0 = 0x0030;
+cpu->id_pfr1 = 0x0210;
+cpu->id_dfr0 = 0x0020;
+cpu->id_afr0 = 0x;
+cpu->id_mmfr0 = 0x00101F40;
+cpu->id_mmfr1 = 0x;
+cpu->id_mmfr2 = 0x0100;
+cpu->id_mmfr3 = 0x;
+cpu->id_isar0 = 0x01101110;
+cpu->id_isar1 = 0x02212000;
+cpu->id_isar2 = 0x20232232;
+cpu->id_isar3 = 0x0131;
+cpu->id_isar4 = 0x01310132;
+cpu->id_isar5 = 0x;
+cpu->clidr = 0x;
+cpu->ctr = 0x8000c000;
+}
+
 static void arm_v7m_class_init(ObjectClass *oc, void *data)
 {
 CPUClass *cc = CPU_CLASS(oc);
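Review bot: `cpu->pmsav7_dregion = 16;` and `cpu->sau_sregion = 8;` deserve a comment: on the Cortex-M33 the MPU region count and SAU region count are implementation configuration options, so these values model one particular configuration (presumably the one the AN505 board in this series uses) rather than a fixed property of the core. The same applies to the feature list, which sets no FPU feature; the M33 FPU is optional, so a note that this models the no-FPU configuration would help.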
@@ -1696,6 +1725,8 @@ static const ARMCPUInfo arm_cpus[] = {
  .class_init = arm_v7m_class_init },
 { .name = "cortex-m4",   .initfn = cortex_m4_initfn,
  .class_init = arm_v7m_class_init },
+{ .name = "cortex-m33",  .initfn = cortex_m33_initfn,
+ .class_init = arm_v7m_class_init },
 { .name = "cortex-r5",   .initfn = cortex_r5_initfn },
 { .name = "cortex-a7",   .initfn = cortex_a7_initfn },
 { .name = "cortex-a8",   .initfn = cortex_a8_initfn },

[Qemu-devel] [PATCH 00/19] Add Cortex-M33 and mps2-an505 board model

2018-02-20 Thread Peter Maydell
This patchset enables the Cortex-M33 v8M CPU type and adds a board model
for it: the AN505 FPGA image for the MPS2+ devboard. The AN505 uses and
extends the "IoT Kit", which is a reference subsystem that includes the
CPU and some devices, and is intended to be extended further to build
a complete device. Both the IoT Kit and the FPGA use devices documented
in the ARM CoreLink SIE-200 System IP for Embedded TRM.

Useful documents (these are also linked in comments in the relevant
source files):

Board TRM:
 
http://infocenter.arm.com/help/topic/com.arm.doc.100112_0200_06_en/versatile_express_cortex_m_prototyping_systems_v2m_mps2_and_v2m_mps2plus_technical_reference_100112_0200_06_en.pdf
Application Note AN505 (documenting the FPGA image):
 http://infocenter.arm.com/help/topic/com.arm.doc.dai0505b/index.html
ARMv8M IoT Kit FVP User Guide (ARM ECM0601256):
 
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ecm0601256/index.html
ARM CoreLink SIE-200 System IP for Embedded TRM (DDI 0571G):
https://developer.arm.com/products/architecture/m-profile/docs/ddi0571/g

The most complicated thing here is the various kinds of security
controller in the system, so here's a summary of them which will
hopefully make the patchset easier to navigate:

 * Secure Attribution Unit (SAU) -- this is part of the CPU. Rather like
   the MPU, it provides registers that the guest can use to specify the
   security attributes for memory regions. The QEMU implementation is
   already in master. If the SAU says 'no' then a SecureFault exception
   is taken.
 * Implementation Defined Attribution Unit (IDAU) -- an implementation
   defined mechanism for an SoC to specify security attributes for memory.
   In Cortex-M33 hardware, the CPU puts the address of each memory access
   out on a special set of signal lines, and the SoC then has to respond
   with its attribute information for that address. Typically this is set
   up to be simple combinatorial logic; for this board, for instance, the
   IDAU reports the inverse of address bit 28 as the NS attribute, creating
   a series of 256MB regions NS/S/NS/S... over the whole address space.
   If the IDAU attributes are more restrictive than the SAU then the IDAU
   overrides the SAU settings. Again, transgressions get a SecureFault.
   In QEMU we define a QOM interface for the IDAU which can then be
   implemented by the SoC or board class. In this series patch 4 has
   the interface definition and the CPU use of it; patch 18 has the
   SoC implementation of its end.
 * The Peripheral Protection Controller (PPC) is part of the interconnect
   fabric outside the CPU. It sits in front of non-TrustZone aware devices
   and can configurably block attempts to access them from the wrong
   security state or privilege mode. Blocked transactions can be configured
   to either cause a bus error, or to be RAZ/WI. The PPC has no register
   interface of its own, but is configured by setting signal lines into it.
   It's one of the devices in the SIE-200 TRM.
 * The Memory Protection Controller (MPC) is similar in purpose to the PPC
   but specifically for sitting in front of RAM. It allows more granular
   configuration of protection so that one RAM can be split between Secure
   and Nonsecure. The IoTKit and FPGA should have MPCs, but I have not
   implemented them in this patchset (it seemed big enough as it is :-))
   It's also documented in the SIE-200 TRM.
 * The Master Security Controller (MSC) sits in front of the transaction
   master interface of a non-trustzone-aware device that can initiate
   memory transactions (DMA controllers, for instance). It allows
   transactions made by the device to be configurably blocked, so that a
   DMA controller can be given to the non-secure world but prevented from
   making accesses to secure-only memory. Like the PPC, it has no register
   interface and is configured using signal lines. It's documented in the
   SIE-200 TRM. I haven't implemented the MSC in this patchset.
 * The IoT Kit security controller is an ad-hoc collection of registers
   that let the guest configure various bits of the IoT Kit subsystem.
   It includes registers that control both the 2 PPCs in the IoT Kit and
   the 5 PPCs in the FPGA, and also registers to control the MSCs. The
   QEMU implementation is in patches 15-17 (and used in subsequent patches).

Patch series structure:

Patches 1..3 make the Arm -kernel loading code honour the CPU's
AddressSpace -- this is necessary for this board because most of the
devices and RAM don't live in address_space_system(). They've already
been on-list and reviewed; included here to make the series
self-contained.

Patches 4 and 5 are the CPU end of the IDAU.

Patches 6 and 7 allow the board/SoC code to specify the reset value of
the secure Vector Table Offset Register. This is configurable for
Cortex-M33 hardware, and on this board it's not zero.

Patch 8 adds the CPU definition for the Cortex-M33, since we now have
all the 
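
The SAU/IDAU combination rule described in the cover letter above, worked through as an added example. This is not code from the patch series or from QEMU; it is a stand-alone model written for this page rather than anything that touches QEMU's CPU state. It models the AN505 IDAU as the letter describes it (NS attribute is the inverse of address bit 28), looks the address up in an SAU using the architectural rules (SAU disabled: everything Secure unless ALLNS is set; SAU enabled: Secure outside every region and where regions overlap, otherwise the matching region's attribute), and lets the more restrictive of the two results win with Secure above Non-secure-callable above Non-secure. The sample SAU programming and the probe addresses are constructed for the example; IDAU exemption handling and the resulting SecureFault are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Attributes ordered least to most restrictive, so "more restrictive wins"
 * is a plain comparison: NS < NSC (Secure, non-secure callable) < S. */
enum sec_attr { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 };

/* One SAU region covering base..limit inclusive (v8M uses 32-byte granules). */
struct sau_region {
    uint32_t base;
    uint32_t limit;
    bool enabled;
    bool nsc;           /* region is Secure but callable from Non-secure */
};

#define SAU_NREGIONS 8  /* sau_sregion = 8 in the cortex_m33_initfn above */

struct sau {
    bool enable;        /* SAU_CTRL.ENABLE */
    bool allns;         /* SAU_CTRL.ALLNS, consulted only when ENABLE == 0 */
    struct sau_region region[SAU_NREGIONS];
};

/* AN505 IDAU: NS is the inverse of address bit 28, giving alternating
 * 256MB NS/S/NS/S slabs across the 4GB address space. */
static enum sec_attr idau_an505(uint32_t addr)
{
    bool ns = !((addr >> 28) & 1u);
    return ns ? ATTR_NS : ATTR_S;
}

/* Architectural SAU lookup: outside every region, or inside more than one
 * region, the result is Secure; inside exactly one region it is that
 * region's attribute. */
static enum sec_attr sau_lookup(const struct sau *sau, uint32_t addr)
{
    if (!sau->enable) {
        return sau->allns ? ATTR_NS : ATTR_S;
    }
    int hits = 0;
    enum sec_attr attr = ATTR_S;
    for (int i = 0; i < SAU_NREGIONS; i++) {
        const struct sau_region *r = &sau->region[i];
        if (!r->enabled || addr < r->base || addr > r->limit) {
            continue;
        }
        hits++;
        attr = r->nsc ? ATTR_NSC : ATTR_NS;
    }
    return hits == 1 ? attr : ATTR_S;
}

/* Combined result: the IDAU may only tighten what the SAU says, never relax it. */
static enum sec_attr security_lookup(const struct sau *sau, uint32_t addr)
{
    enum sec_attr s = sau_lookup(sau, addr);
    enum sec_attr i = idau_an505(addr);
    return i > s ? i : s;
}

/* Constructed sample SAU programming; not taken from any real firmware. */
static struct sau sample_sau(void)
{
    struct sau sau = { .enable = true, .allns = false };
    /* Non-secure code and data, inside the IDAU's first NS slab. */
    sau.region[0] = (struct sau_region){ 0x00000000u, 0x000FFFFFu, true, false };
    /* Secure gateway veneers, callable from the Non-secure world. */
    sau.region[1] = (struct sau_region){ 0x00100000u, 0x00101FFFu, true, true };
    /* Misprogrammed: NS in the SAU, but bit 28 is set so the IDAU says S. */
    sau.region[2] = (struct sau_region){ 0x10000000u, 0x100FFFFFu, true, false };
    return sau;
}

/* Probe an address against the sample SAU plus the AN505 IDAU. */
static int lookup_sample(uint32_t addr)
{
    struct sau sau = sample_sau();
    return (int)security_lookup(&sau, addr);
}

/* Same probe with the SAU left at reset (ENABLE=0, ALLNS=0). */
static int lookup_sau_disabled(uint32_t addr)
{
    struct sau sau = { .enable = false, .allns = false };
    return (int)security_lookup(&sau, addr);
}

int main(void)
{
    static const char *name[] = { "NS", "NSC", "S" };
    const uint32_t probes[] = { 0x00001000u, 0x00100010u, 0x10001000u,
                                0x20000000u, 0x30000000u };
    struct sau sau = sample_sau();

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("0x%08x: SAU=%-3s IDAU=%-3s -> %s\n", probes[i],
               name[sau_lookup(&sau, probes[i])], name[idau_an505(probes[i])],
               name[security_lookup(&sau, probes[i])]);
    }
    return 0;
}
```

The third probe is the case the cover letter warns about: the SAU region says Non-secure, but the IDAU reports Secure for any address with bit 28 set, so the access is treated as Secure and, on real hardware, a Non-secure access there would take a SecureFault. With the SAU disabled the first probe is Secure as well, which is why the IDAU alone cannot open memory to the Non-secure world.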

[Qemu-devel] [PATCH 11/19] qdev: Add new qdev_init_gpio_in_named_with_opaque()

2018-02-20 Thread Peter Maydell
The function qdev_init_gpio_in_named() passes the DeviceState pointer
as the opaque data pointer for the irq handler function.  Usually
this is what you want, but in some cases it would be helpful to use
some other data pointer.

Add a new function qdev_init_gpio_in_named_with_opaque() which allows
the caller to specify the data pointer they want.

Signed-off-by: Peter Maydell 
---
 include/hw/qdev-core.h | 30 --
 hw/core/qdev.c |  8 +---
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
index fc9d617a76..9453588160 100644
--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
@@ -311,10 +311,36 @@ BusState *qdev_get_child_bus(DeviceState *dev, const char 
*name);
 /* GPIO inputs also double as IRQ sinks.  */
 void qdev_init_gpio_in(DeviceState *dev, qemu_irq_handler handler, int n);
 void qdev_init_gpio_out(DeviceState *dev, qemu_irq *pins, int n);
-void qdev_init_gpio_in_named(DeviceState *dev, qemu_irq_handler handler,
- const char *name, int n);
 void qdev_init_gpio_out_named(DeviceState *dev, qemu_irq *pins,
   const char *name, int n);
+/**
+ * qdev_init_gpio_in_named_with_opaque: create an array of input GPIO lines
+ *   for the specified device
+ *
+ * @dev: Device to create input GPIOs for
+ * @handler: Function to call when GPIO line value is set
+ * @opaque: Opaque data pointer to pass to @handler
+ * @name: Name of the GPIO input (must be unique for this device)
+ * @n: Number of GPIO lines in this input set
+ */
+void qdev_init_gpio_in_named_with_opaque(DeviceState *dev,
+ qemu_irq_handler handler,
+ void *opaque,
+ const char *name, int n);
+
+/**
+ * qdev_init_gpio_in_named: create an array of input GPIO lines
+ *   for the specified device
+ *
+ * Like qdev_init_gpio_in_named_with_opaque(), but the opaque pointer
+ * passed to the handler is @dev (which is the most commonly desired 
behaviour).
+ */
+static inline void qdev_init_gpio_in_named(DeviceState *dev,
+   qemu_irq_handler handler,
+   const char *name, int n)
+{
+qdev_init_gpio_in_named_with_opaque(dev, handler, dev, name, n);
+}
 
 void qdev_pass_gpios(DeviceState *dev, DeviceState *container,
  const char *name);
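Review bot: the kernel-doc block for qdev_init_gpio_in_named_with_opaque() should state the lifetime requirement on @opaque: qemu_extend_irqs() stores the pointer in every qemu_irq it creates and it is dereferenced on each later qemu_set_irq(), so the caller must keep it valid for as long as the device can be signalled (with the old @dev default this held automatically). A line such as "@opaque must remain valid for the lifetime of @dev" next to the `@opaque:` entry would save the next caller a use-after-free.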
diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 7ed1f431f0..f3754ee606 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -385,15 +385,17 @@ static NamedGPIOList 
*qdev_get_named_gpio_list(DeviceState *dev,
 return ngl;
 }
 
-void qdev_init_gpio_in_named(DeviceState *dev, qemu_irq_handler handler,
- const char *name, int n)
+void qdev_init_gpio_in_named_with_opaque(DeviceState *dev,
+ qemu_irq_handler handler,
+ void *opaque,
+ const char *name, int n)
 {
 int i;
 NamedGPIOList *gpio_list = qdev_get_named_gpio_list(dev, name);
 
 assert(gpio_list->num_out == 0 || !name);
 gpio_list->in = qemu_extend_irqs(gpio_list->in, gpio_list->num_in, handler,
- dev, n);
+ opaque, n);
 
 if (!name) {
 name = "unnamed-gpio-in";
-- 
2.16.1




[Qemu-devel] [PATCH 13/19] hw/misc/mps2-fpgaio: FPGA control block for MPS2 AN505

2018-02-20 Thread Peter Maydell
The MPS2 AN505 FPGA image includes a "FPGA control block"
which is a small set of registers handling LEDs, buttons
and some counters.

Signed-off-by: Peter Maydell 
---
 hw/misc/Makefile.objs   |   1 +
 include/hw/misc/mps2-fpgaio.h   |  43 ++
 hw/misc/mps2-fpgaio.c   | 176 
 default-configs/arm-softmmu.mak |   1 +
 hw/misc/trace-events|   6 ++
 5 files changed, 227 insertions(+)
 create mode 100644 include/hw/misc/mps2-fpgaio.h
 create mode 100644 hw/misc/mps2-fpgaio.c

diff --git a/hw/misc/Makefile.objs b/hw/misc/Makefile.objs
index f33b37a8e5..31f83dcfe7 100644
--- a/hw/misc/Makefile.objs
+++ b/hw/misc/Makefile.objs
@@ -58,6 +58,7 @@ obj-$(CONFIG_STM32F2XX_SYSCFG) += stm32f2xx_syscfg.o
 obj-$(CONFIG_MIPS_CPS) += mips_cmgcr.o
 obj-$(CONFIG_MIPS_CPS) += mips_cpc.o
 obj-$(CONFIG_MIPS_ITU) += mips_itu.o
+obj-$(CONFIG_MPS2_FPGAIO) += mps2-fpgaio.o
 obj-$(CONFIG_MPS2_SCC) += mps2-scc.o
 
 obj-$(CONFIG_PVPANIC) += pvpanic.o
diff --git a/include/hw/misc/mps2-fpgaio.h b/include/hw/misc/mps2-fpgaio.h
new file mode 100644
index 00..eedf17ebc6
--- /dev/null
+++ b/include/hw/misc/mps2-fpgaio.h
@@ -0,0 +1,43 @@
+/*
+ * ARM MPS2 FPGAIO emulation
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 or
+ *  (at your option) any later version.
+ */
+
+/* This is a model of the FPGAIO register block in the AN505
+ * FPGA image for the MPS2 dev board; it is documented in the
+ * application note:
+ * http://infocenter.arm.com/help/topic/com.arm.doc.dai0505b/index.html
+ *
+ * QEMU interface:
+ *  + sysbus MMIO region 0: the register bank
+ */
+
+#ifndef MPS2_FPGAIO_H
+#define MPS2_FPGAIO_H
+
+#include "hw/sysbus.h"
+
+#define TYPE_MPS2_FPGAIO "mps2-fpgaio"
+#define MPS2_FPGAIO(obj) OBJECT_CHECK(MPS2FPGAIO, (obj), TYPE_MPS2_FPGAIO)
+
+typedef struct {
+/*< private >*/
+SysBusDevice parent_obj;
+
+/*< public >*/
+MemoryRegion iomem;
+
+uint32_t led0;
+uint32_t prescale;
+uint32_t misc;
+
+uint32_t prescale_clk;
+} MPS2FPGAIO;
+
+#endif
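Review bot: the "QEMU interface" comment lists only sysbus MMIO region 0, but the struct carries prescale_clk, which none of the register handlers in this patch touch and which reads like a board-set property (the prescaler input clock rate). If that is what it is, list it in the interface comment with its unit, and if it is not a property yet it should not sit in the public struct ahead of the code that uses it.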
diff --git a/hw/misc/mps2-fpgaio.c b/hw/misc/mps2-fpgaio.c
new file mode 100644
index 00..7394a057d8
--- /dev/null
+++ b/hw/misc/mps2-fpgaio.c
@@ -0,0 +1,176 @@
+/*
+ * ARM MPS2 AN505 FPGAIO emulation
+ *
+ * Copyright (c) 2018 Linaro Limited
+ * Written by Peter Maydell
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 or
+ *  (at your option) any later version.
+ */
+
+/* This is a model of the "FPGA system control and I/O" block found
+ * in the AN505 FPGA image for the MPS2 devboard.
+ * It is documented in AN505:
+ * http://infocenter.arm.com/help/topic/com.arm.doc.dai0505b/index.html
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/log.h"
+#include "qapi/error.h"
+#include "trace.h"
+#include "hw/sysbus.h"
+#include "hw/registerfields.h"
+#include "hw/misc/mps2-fpgaio.h"
+
+REG32(LED0, 0)
+REG32(BUTTON, 8)
+REG32(CLK1HZ, 0x10)
+REG32(CLK100HZ, 0x14)
+REG32(COUNTER, 0x18)
+REG32(PRESCALE, 0x1c)
+REG32(PSCNTR, 0x20)
+REG32(MISC, 0x4c)
+
+static uint64_t mps2_fpgaio_read(void *opaque, hwaddr offset, unsigned size)
+{
+MPS2FPGAIO *s = MPS2_FPGAIO(opaque);
+uint64_t r;
+
+switch (offset) {
+case A_LED0:
+r = s->led0;
+break;
+case A_BUTTON:
+/* User-pressable board buttons. We don't model that, so just return
+ * zeroes.
+ */
+r = 0;
+break;
+case A_PRESCALE:
+r = s->prescale;
+break;
+case A_MISC:
+r = s->misc;
+break;
+case A_CLK1HZ:
+case A_CLK100HZ:
+case A_COUNTER:
+case A_PSCNTR:
+/* These are all upcounters of various frequencies. */
+qemu_log_mask(LOG_UNIMP, "MPS2 FPGAIO: counters unimplemented\n");
+r = 0;
+break;
+default:
+qemu_log_mask(LOG_GUEST_ERROR,
+  "MPS2 FPGAIO read: bad offset %x\n", (int) offset);
+r = 0;
+break;
+}
+
+trace_mps2_fpgaio_read(offset, r, size);
+return r;
+}
+
+static void mps2_fpgaio_write(void *opaque, hwaddr offset, uint64_t value,
+  unsigned size)
+{
+MPS2FPGAIO *s = MPS2_FPGAIO(opaque);
+
+trace_mps2_fpgaio_write(offset, value, size);
+
+switch (offset) {
+case A_LED0:
+/* LED bits [1:0] control board LEDs. We don't currently have
+ * a mechanism for displaying this graphically, so use a trace event.
+ */
+trace_mps2_fpgaio_leds(value & 0x02 ? '*' : '.',
+   value & 0x01 ? '*' : '.');
+s->led0 = value & 0x3;
+break;
+case A_PRESCALE:
+s->prescale = value;
+break;
+case A_MISC:
+/* 
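Review bot: the reads of A_CLK1HZ, A_CLK100HZ, A_COUNTER and A_PSCNTR log LOG_UNIMP on every access; firmware that spins on CLK100HZ for delay loops will emit a log line per iteration at guest speed. Either log once (a bool in MPS2FPGAIO) or derive the counters from QEMU_CLOCK_VIRTUAL, which is straightforward now that PRESCALE is already stored. The bad-offset path returning 0 under LOG_GUEST_ERROR is fine.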

[Qemu-devel] [PATCH 10/19] include/hw/or-irq.h: Add missing include guard

2018-02-20 Thread Peter Maydell
The or-irq.h header file is missing the customary guard against
multiple inclusion, which means compilation fails if it gets
included twice. Fix the omission.

Signed-off-by: Peter Maydell 
---
 include/hw/or-irq.h | 5 +
 1 file changed, 5 insertions(+)

diff --git a/include/hw/or-irq.h b/include/hw/or-irq.h
index fd900fcf19..3f6fc1b58a 100644
--- a/include/hw/or-irq.h
+++ b/include/hw/or-irq.h
@@ -22,6 +22,9 @@
  * THE SOFTWARE.
  */
 
+#ifndef HW_OR_IRQ_H
+#define HW_OR_IRQ_H
+
 #include "hw/irq.h"
 #include "hw/sysbus.h"
 #include "qom/object.h"
@@ -41,3 +44,5 @@ struct OrIRQState {
 bool levels[MAX_OR_LINES];
 uint16_t num_lines;
 };
+
+#endif
-- 
2.16.1




Re: [Qemu-devel] [PATCH] block/iscsi: cancel libiscsi task when ABORT TASK TMF completes

2018-02-20 Thread Stefan Hajnoczi
On Tue, Feb 20, 2018 at 3:12 PM, Peter Lieven  wrote:
> Am 15.02.2018 um 18:27 schrieb Stefan Hajnoczi:
>>
>> On Thu, Feb 15, 2018 at 03:24:54PM +0100, Peter Lieven wrote:
>>>
>>> Am 15.02.2018 um 12:15 schrieb Stefan Hajnoczi:

 The libiscsi iscsi_task_mgmt_async() API documentation says:

 abort_task will also cancel the scsi task. The callback for the scsi
 task will be invoked with SCSI_STATUS_CANCELLED

 The libiscsi implementation does not fulfil this promise.  The task's
 callback is not invoked and its struct iscsi_pdu remains in the internal
 list (effectively leaked).
>>>
>>> If that contract is fixed in libiscsi, will the Qemu iSCSI driver still
>>> work?
>>
>> In
>>
>> +/* If the command callback hasn't been called yet, drop the task */
>> +if (!acb->bh) {
>>
>> and
>>
>> +if (status == SCSI_STATUS_CANCELLED) {
>> +if (!acb->bh) {
>>
>> we're mindful of the fact that the callback may have been invoked by
>> libiscsi already.  There is no risk of double-completion.
>
>
> Hi Stefan,
>
> thanks for the clarification. I am fine with this change. I will check with
> Ronnie for the
> libiscsi fix.

Great, then this patch can go via Paolo's SCSI tree.

Stefan



Re: [Qemu-devel] [PATCH 2/5] tests: more thorough test of ds1338

2018-02-20 Thread Michael Davidsaver
On 02/18/2018 11:39 PM, Thomas Huth wrote:
> On 19.02.2018 05:03, Michael Davidsaver wrote:
>> Test current time and set+get round trip.
>>
>> The set+get test is repeated 4 times.  These cases are
>> spread across a single day in an attempt to trigger some potential
>> issues regardless of the timezone of the machine running the tests.
>>
>> Signed-off-by: Michael Davidsaver 
>> ---
>>  tests/Makefile.include  |   2 +
>>  tests/ds-rtc-i2c-test.c | 193 
>> 
>>  2 files changed, 195 insertions(+)
>>  create mode 100644 tests/ds-rtc-i2c-test.c
> [...]
>>  tests/q35-test$(EXESUF): tests/q35-test.o $(libqos-pc-obj-y)
>> diff --git a/tests/ds-rtc-i2c-test.c b/tests/ds-rtc-i2c-test.c
>> new file mode 100644
>> index 00..464eb08558
>> --- /dev/null
>> +++ b/tests/ds-rtc-i2c-test.c
>> @@ -0,0 +1,193 @@
>> +/* Testing of Dallas/Maxim I2C bus RTC devices
>> + *
>> + * Copyright (c) 2017 Michael Davidsaver
>> + *
>> + * This work is licensed under the terms of the GNU GPL, version 2.  See
>> + * the LICENSE file in the top-level directory.
>> + */
>> +#include 
>> +
>> +#include "qemu/osdep.h"
>> +#include "qemu/bcd.h"
>> +#include "qemu/cutils.h"
>> +#include "qemu/timer.h"
>> +#include "libqtest.h"
>> +#include "libqos/libqos.h"
>> +#include "libqos/i2c.h"
>> +
>> +#define IMX25_I2C_0_BASE 0x43F8
>> +#define DS1338_ADDR 0x68
>> +
>> +static I2CAdapter *i2c;
>> +static uint8_t addr;
>> +static bool use_century;
>> +
>> +static
>> +time_t rtc_gettime(void)
>> +{
>> +struct tm parts;
>> +uint8_t buf[7];
>> +
>> +buf[0] = 0;
>> +i2c_send(i2c, addr, buf, 1);
>> +i2c_recv(i2c, addr, buf, 7);
>> +
>> +parts.tm_sec = from_bcd(buf[0]);
>> +parts.tm_min = from_bcd(buf[1]);
>> +if (buf[2] & 0x40) {
>> +/* 12 hour */
>> +/* HOUR register is 1-12. */
>> +parts.tm_hour = from_bcd(buf[2] & 0x1f);
>> +g_assert_cmpuint(parts.tm_hour, >=, 1);
>> +g_assert_cmpuint(parts.tm_hour, <=, 12);
>> +parts.tm_hour %= 12u; /* wrap 12 -> 0 */
>> +if (buf[2] & 0x20) {
>> +parts.tm_hour += 12u;
>> +}
>> +} else {
>> +/* 24 hour */
>> +parts.tm_hour = from_bcd(buf[2] & 0x3f);
>> +}
>> +parts.tm_wday = from_bcd(buf[3]);
>> +parts.tm_mday = from_bcd(buf[4]);
>> +parts.tm_mon =  from_bcd((buf[5] & 0x1f) - 1u);
>> +parts.tm_year = from_bcd(buf[6]);
>> +if (!use_century || (buf[5] & 0x80)) {
>> +parts.tm_year += 100u;
>> +}
>> +
>> +return mktimegm();
>> +}
>> +
>> +/* read back and compare with current system time */
>> +static
>> +void test_rtc_current(void)
>> +{
>> +uint8_t buf;
>> +time_t expected, actual;
>> +
>> +/* magic address to zero RTC time offset
>> + * as tests may be run in any order
>> + */
>> +buf = 0xff;
>> +i2c_send(i2c, addr, , 1);
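Review bot: the month decode in rtc_gettime() subtracts before the BCD conversion: `from_bcd((buf[5] & 0x1f) - 1u)` turns October (0x10) into from_bcd(0x0f) = 15 rather than 9. November (0x11, as in all four test vectors) decodes correctly only because 0x11 - 1 = 0x10 happens to be valid BCD, so the tests cannot catch it. It should be `from_bcd(buf[5] & 0x1f) - 1u`, and a vector with a month of 0x10 would keep this covered.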
> 
> That magic (together with patch 1/5) is IMHO a little bit ugly. I've hit
> the same problem with the m48t59 test recently, and I solved it by
> moving the qtest_start() and qtest_end() calls from the main() function
> into the single tests instead, so that each test starts with a clean state:
> 
> https://git.qemu.org/?p=qemu.git;a=commitdiff;h=9c29830c90d82f27f
> 
> Could you maybe try whether that approach works for your test cases
> here, too? Then you could do this without the "0xff" hack here...

You're right, this looks clearer.  I'll try this approach.

>> +
>> +actual = time(NULL);
>> +/* new second may start here */
>> +expected = rtc_gettime();
>> +g_assert_cmpuint(expected, <=, actual + 1);
>> +g_assert_cmpuint(expected, >=, actual);
>> +}
>> +
>> +
>> +static uint8_t test_time_24_12am[8] = {
>> +0, /* address */
>> +/* Wed, 22 Nov 2017 00:30:53 + */
>> +0x53,
>> +0x30,
>> +0x00, /* 12 AM in 24 hour mode */
>> +0x03, /* monday is our day 1 */
>> +0x22,
>> +0x11 | 0x80,
>> +0x17,
>> +};
>> +
>> +static uint8_t test_time_24_6am[8] = {
>> +0, /* address */
>> +/* Wed, 22 Nov 2017 06:30:53 + */
>> +0x53,
>> +0x30,
>> +0x06, /* 6 AM in 24 hour mode */
>> +0x03, /* monday is our day 1 */
>> +0x22,
>> +0x11 | 0x80,
>> +0x17,
>> +};
>> +
>> +static uint8_t test_time_24_12pm[8] = {
>> +0, /* address */
>> +/* Wed, 22 Nov 2017 12:30:53 + */
>> +0x53,
>> +0x30,
>> +0x12, /* 12 PM in 24 hour mode */
>> +0x03, /* monday is our day 1 */
>> +0x22,
>> +0x11 | 0x80,
>> +0x17,
>> +};
>> +
>> +static uint8_t test_time_24_6pm[8] = {
>> +0, /* address */
>> +/* Wed, 22 Nov 2017 18:30:53 + */
>> +0x53,
>> +0x30,
>> +0x18, /* 6 PM in 24 hour mode */
>> +0x03, /* monday is our day 1 */
>> +0x22,
>> +0x11 | 0x80,
>> +0x17,
>> +};
>> +
>> +/* write in and read back known time */
>> +static
>> +void test_rtc_set(const void *raw)
>> +{
>> +const uint8_t *testtime 
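Review bot: in test_rtc_current() the variable named `expected` holds the value read back from the device and `actual` holds time(NULL), which is the reference; swap the names so the g_assert_cmpuint failure messages read the right way round. The tolerance itself matches the order of the two reads (host first, RTC second, so the RTC may be at most one second ahead).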

[Qemu-devel] [PATCH v2 8/8] qemu-doc: Make "-net" less prominent

2018-02-20 Thread Thomas Huth
"-net" is clearly a legacy option. Yet we still use it in almost all
examples in the qemu documentation, and many other spots in the network
chapter. We should make it less prominent so that users are not lured into
using it so often anymore. So instead of starting the network chapter with
"-net nic" and documenting "-net " below "-netdev "
everywhere, all the "-net" related documentation is now moved to the end
of the chapter. And the examples are changed to use the "--device" and
"--netdev" options instead of "-net nic -net ".

Signed-off-by: Thomas Huth 
---
 qemu-options.hx | 176 +++-
 1 file changed, 86 insertions(+), 90 deletions(-)

diff --git a/qemu-options.hx b/qemu-options.hx
index 399905e..ff5da07 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2048,41 +2048,18 @@ DEF("net", HAS_ARG, QEMU_OPTION_net,
 "old way to initialize a host network interface\n"
 "(use the -netdev option if possible instead)\n", 
QEMU_ARCH_ALL)
 STEXI
-@item -net 
nic[,vlan=@var{n}][,netdev=@var{nd}][,macaddr=@var{mac}][,model=@var{type}] 
[,name=@var{name}][,addr=@var{addr}][,vectors=@var{v}]
-@findex -net
-Configure or create an on-board (or machine default) Network Interface Card
-(NIC) and connect it either to VLAN @var{n} (@var{n} = 0 is the default), or
-to the netdev @var{nd}. The NIC is an e1000 by default on the PC
-target. Optionally, the MAC address can be changed to @var{mac}, the
-device address set to @var{addr} (PCI cards only),
-and a @var{name} can be assigned for use in monitor commands.
-Optionally, for PCI cards, you can specify the number @var{v} of MSI-X vectors
-that the card should have; this option currently only affects virtio cards; set
-@var{v} = 0 to disable MSI-X. If no @option{-net} option is specified, a single
-NIC is created.  QEMU can emulate several different models of network card.
-Valid values for @var{type} are
-@code{virtio}, @code{i82551}, @code{i82557b}, @code{i82559er},
-@code{ne2k_pci}, @code{ne2k_isa}, @code{pcnet}, @code{rtl8139},
-@code{e1000}, @code{smc91c111}, @code{lance} and @code{mcf_fec}.
-Not all devices are supported on all targets.  Use @code{-net nic,model=help}
-for a list of available devices for your target.
-
-@item -netdev user,id=@var{id}[,@var{option}][,@var{option}][,...]
-@findex -netdev
-@item -net user[,@var{option}][,@var{option}][,...]
-Use the user mode network stack which requires no administrator
+@item --netdev user,id=@var{id}[,@var{option}][,@var{option}][,...]
+@findex --netdev
+Configure user mode host network backend which requires no administrator
 privilege to run. Valid options are:
 
 @table @option
-@item vlan=@var{n}
-Connect user mode stack to VLAN @var{n} (@var{n} = 0 is the default).
-
 @item id=@var{id}
-@itemx name=@var{name}
 Assign symbolic name for use in monitor commands.
 
-@option{ipv4} and @option{ipv6} specify that either IPv4 or IPv6 must
-be enabled.  If neither is specified both protocols are enabled.
+@item ipv4=on|off and ipv6=on|off
+Specify that either IPv4 or IPv6 must be enabled. If neither is specified
+both protocols are enabled.
 
 @item net=@var{addr}[/@var{mask}]
 Set IP network address the guest will see. Optionally specify the netmask,
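Review bot: `@item ipv4=on|off and ipv6=on|off` folds two options into one texinfo item; use `@item ipv4=on|off` followed by `@itemx ipv6=on|off` so each gets its own table entry. Also, the rewritten text and examples switch to the double-dash spelling (`--netdev`, `--device`) while the DEF() header just above and the rest of qemu-options.hx use `-netdev`/`-device`; QEMU accepts both, but the documentation should settle on one spelling.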
@@ -2134,7 +2111,7 @@ can not be resolved.
 
 Example:
 @example
-qemu -net user,dnssearch=mgmt.example.org,dnssearch=example.org [...]
+qemu-system-i386 --device e1000,netdev=n1 --netdev 
user,id=n1,dnssearch=mgmt.example.org,dnssearch=example.org [...]
 @end example
 
 @item tftp=@var{dir}
@@ -2150,7 +2127,8 @@ a guest from a local directory.
 
 Example (using pxelinux):
 @example
-qemu-system-i386 -hda linux.img -boot n -net 
user,tftp=/path/to/tftp/files,bootfile=/pxelinux.0
+qemu-system-i386 --hda linux.img --boot n --device e1000,netdev=n1 \
+--netdev user,id=n1,tftp=/path/to/tftp/files,bootfile=/pxelinux.0
 @end example
 
 @item smb=@var{dir}[,smbserver=@var{addr}]
@@ -2185,7 +2163,7 @@ screen 0, use the following:
 
 @example
 # on the host
-qemu-system-i386 -net user,hostfwd=tcp:127.0.0.1:6001-:6000 [...]
+qemu-system-i386 --device virtio-net-pci,netdev=n1 --netdev 
user,id=n1,hostfwd=tcp:127.0.0.1:6001-:6000 [...]
 # this host xterm should open in the guest X11 server
 xterm -display :1
 @end example
@@ -2195,7 +2173,7 @@ the guest, use the following:
 
 @example
 # on the host
-qemu-system-i386 -net user,hostfwd=tcp::-:23 [...]
+qemu-system-i386 --device e1000,netdev=n1 --netdev 
user,id=n1,hostfwd=tcp::-:23 [...]
 telnet localhost 
 @end example
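
Review bot: the telnet example `hostfwd=tcp::-:23` (host port elided in this rendering) gives no host address, so the forwarded port is bound on every host interface, not just loopback. Since the X11 example just above already shows the `127.0.0.1` form, use it here as well, or say explicitly that an empty hostaddr binds to all interfaces, so that a reader copying the example does not expose the guest's telnet port to the network.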
 
@@ -2214,7 +2192,7 @@ lifetime, like in the following example:
 @example
 # open 10.10.1.1:4321 on bootup, connect 10.0.2.100:1234 to it whenever
 # the guest accesses it
-qemu -net user,guestfwd=tcp:10.0.2.100:1234-tcp:10.10.1.1:4321 [...]
+qemu-system-i386 --device e1000,netdev=n1 --netdev 
user,id=n1,guestfwd=tcp:10.0.2.100:1234-tcp:10.10.1.1:4321 [...]
 @end example
 
 Or you can execute a 

[Qemu-devel] [PATCH v2 4/8] net: Make net_client_init() static

2018-02-20 Thread Thomas Huth
The function is only used within net.c, so there's no need for this to
be a global function.

While we're at it, also remove the unused prototype compute_mcast_idx()
(the function has been removed in commit d9caeb09b107e91122d10ba4a08a).

Reviewed-by: Paolo Bonzini 
Signed-off-by: Thomas Huth 
---
 include/net/net.h | 2 --
 net/net.c | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/net/net.h b/include/net/net.h
index bdd4d9f..cd1708c 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -204,7 +204,6 @@ extern const char *host_net_devices[];
 extern const char *legacy_tftp_prefix;
 extern const char *legacy_bootp_filename;
 
-int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp);
 int net_client_parse(QemuOptsList *opts_list, const char *str);
 int net_init_clients(Error **errp);
 void net_check_clients(void);
@@ -228,7 +227,6 @@ void qdev_set_nic_properties(DeviceState *dev, NICInfo *nd);
 #define POLYNOMIAL_LE 0xedb88320
 uint32_t net_crc32(const uint8_t *p, int len);
 uint32_t net_crc32_le(const uint8_t *p, int len);
-unsigned compute_mcast_idx(const uint8_t *ep);
 
 #define vmstate_offset_macaddr(_state, _field)   \
 vmstate_offset_array(_state, _field.a, uint8_t,\
diff --git a/net/net.c b/net/net.c
index cf07e15..dd80f1b 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1119,7 +1119,7 @@ static void show_netdevs(void)
 }
 }
 
-int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
+static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
 {
 void *object = NULL;
 Error *err = NULL;
-- 
1.8.3.1




[Qemu-devel] [PATCH v2 5/8] net: Remove the deprecated way of dumping network packets

2018-02-20 Thread Thomas Huth
"-net dump" has been marked as deprecated since QEMU v2.10, since it
only works with the deprecated 'vlan' parameter (or hubs). Network
dumping should be done with "-object filter-dump" nowadays instead.
Since nobody complained so far about the deprecation message, let's
finally get rid of "-net dump" now.

Reviewed-by: Paolo Bonzini 
Reviewed-by: Eric Blake 
Signed-off-by: Thomas Huth 
---
 net/dump.c  | 102 ++--
 net/net.c   |   9 +
 qapi/net.json   |  29 
 qemu-doc.texi   |   6 
 qemu-options.hx |   8 -
 5 files changed, 9 insertions(+), 145 deletions(-)

diff --git a/net/dump.c b/net/dump.c
index 15df9a4..f16c354 100644
--- a/net/dump.c
+++ b/net/dump.c
@@ -109,7 +109,7 @@ static int net_dump_state_init(DumpState *s, const char 
*filename,
 
 fd = open(filename, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, 0644);
 if (fd < 0) {
-error_setg_errno(errp, errno, "-net dump: can't open %s", filename);
+error_setg_errno(errp, errno, "net dump: can't open %s", filename);
 return -1;
 }
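
Review bot: with the `-net dump` path gone, the message `net dump: can't open %s` no longer names anything the user typed. `filter-dump: can't open %s` would point at the only remaining way to reach net_dump_state_init(); the same applies to the write error in the next hunk.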
 
@@ -122,7 +122,7 @@ static int net_dump_state_init(DumpState *s, const char 
*filename,
 hdr.linktype = 1;
 
 if (write(fd, , sizeof(hdr)) < sizeof(hdr)) {
-error_setg_errno(errp, errno, "-net dump write error");
+error_setg_errno(errp, errno, "net dump write error");
 close(fd);
 return -1;
 }
@@ -136,104 +136,6 @@ static int net_dump_state_init(DumpState *s, const char 
*filename,
 return 0;
 }
 
-/* Dumping via VLAN netclient */
-
-struct DumpNetClient {
-NetClientState nc;
-DumpState ds;
-};
-typedef struct DumpNetClient DumpNetClient;
-
-static ssize_t dumpclient_receive(NetClientState *nc, const uint8_t *buf,
-  size_t size)
-{
-DumpNetClient *dc = DO_UPCAST(DumpNetClient, nc, nc);
-struct iovec iov = {
-.iov_base = (void *)buf,
-.iov_len = size
-};
-
-return dump_receive_iov(>ds, , 1);
-}
-
-static ssize_t dumpclient_receive_iov(NetClientState *nc,
-  const struct iovec *iov, int cnt)
-{
-DumpNetClient *dc = DO_UPCAST(DumpNetClient, nc, nc);
-
-return dump_receive_iov(>ds, iov, cnt);
-}
-
-static void dumpclient_cleanup(NetClientState *nc)
-{
-DumpNetClient *dc = DO_UPCAST(DumpNetClient, nc, nc);
-
-dump_cleanup(>ds);
-}
-
-static NetClientInfo net_dump_info = {
-.type = NET_CLIENT_DRIVER_DUMP,
-.size = sizeof(DumpNetClient),
-.receive = dumpclient_receive,
-.receive_iov = dumpclient_receive_iov,
-.cleanup = dumpclient_cleanup,
-};
-
-int net_init_dump(const Netdev *netdev, const char *name,
-  NetClientState *peer, Error **errp)
-{
-int len, rc;
-const char *file;
-char def_file[128];
-const NetdevDumpOptions *dump;
-NetClientState *nc;
-DumpNetClient *dnc;
-
-assert(netdev->type == NET_CLIENT_DRIVER_DUMP);
-dump = >u.dump;
-
-assert(peer);
-
-error_report("'-net dump' is deprecated. "
- "Please use '-object filter-dump' instead.");
-
-if (dump->has_file) {
-file = dump->file;
-} else {
-int id;
-int ret;
-
-ret = net_hub_id_for_client(peer, );
-assert(ret == 0); /* peer must be on a hub */
-
-snprintf(def_file, sizeof(def_file), "qemu-vlan%d.pcap", id);
-file = def_file;
-}
-
-if (dump->has_len) {
-if (dump->len > INT_MAX) {
-error_setg(errp, "invalid length: %"PRIu64, dump->len);
-return -1;
-}
-len = dump->len;
-} else {
-len = 65536;
-}
-
-nc = qemu_new_net_client(_dump_info, peer, "dump", name);
-snprintf(nc->info_str, sizeof(nc->info_str),
- "dump to %s (len=%d)", file, len);
-
-dnc = DO_UPCAST(DumpNetClient, nc, nc);
-rc = net_dump_state_init(>ds, file, len, errp);
-if (rc) {
-qemu_del_net_client(nc);
-}
-return rc;
-}
-
-/* Dumping via filter */
-
 #define TYPE_FILTER_DUMP "filter-dump"
 
 #define FILTER_DUMP(obj) \
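Review bot: the diffstat lists no header, so if net/clients.h still declares net_init_dump() that prototype is left dangling and should be dropped in this patch. Likewise, once `dump` leaves the NetClientDriver enum in qapi/net.json, any remaining reference to NET_CLIENT_DRIVER_DUMP outside the two files touched here will fail to build, so a tree-wide grep before merging is worthwhile.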
diff --git a/net/net.c b/net/net.c
index dd80f1b..cbd553d 100644
--- a/net/net.c
+++ b/net/net.c
@@ -63,7 +63,6 @@ static QTAILQ_HEAD(, NetClientState) net_clients;
 const char *host_net_devices[] = {
 "tap",
 "socket",
-"dump",
 #ifdef CONFIG_NET_BRIDGE
 "bridge",
 #endif
@@ -967,7 +966,6 @@ static int (* const 
net_client_init_fun[NET_CLIENT_DRIVER__MAX])(
 #ifdef CONFIG_NETMAP
 [NET_CLIENT_DRIVER_NETMAP]= net_init_netmap,
 #endif
-[NET_CLIENT_DRIVER_DUMP]  = net_init_dump,
 #ifdef CONFIG_NET_BRIDGE
 [NET_CLIENT_DRIVER_BRIDGE]= net_init_bridge,
 #endif
@@ -993,8 +991,7 @@ static int net_client_init1(const void *object, bool 
is_netdev, Error **errp)
 netdev = object;
 name = netdev->id;
 
-if (netdev->type 

[Qemu-devel] [PATCH v2 7/8] net: Add a new convenience option "--nic" to configure default/on-board NICs

2018-02-20 Thread Thomas Huth
The legacy "-net" option can be quite confusing for the users since most
people do not expect to get a "vlan" hub between their emulated guest
hardware and the host backend. But so far, we are also not able to get
rid of "-net" completely, since it is the only way to configure on-board
NICs that cannot be instantiated via "-device" yet. It's also a little
bit shorter to type "-net nic -net tap" instead of "-device xyz,netdev=n1
-netdev tap,id=n1".

So what we need is a new convenience option that is shorter to type than
the full -device + -netdev stuff, and which can be used to configure the
on-board NICs that can not be handled via -device yet. Thus this patch now
provides such a new option "--nic": It adds an entry in the nd_table to
configure an on-board / default NIC, creates a host backend and connects
the two directly, without a confusing "vlan" hub in between.

Signed-off-by: Thomas Huth 
---
 include/sysemu/sysemu.h |  1 +
 net/net.c   | 78 +
 qemu-options.hx | 40 +
 vl.c|  7 +
 4 files changed, 120 insertions(+), 6 deletions(-)

diff --git a/include/sysemu/sysemu.h b/include/sysemu/sysemu.h
index 77bb3da..66f0761 100644
--- a/include/sysemu/sysemu.h
+++ b/include/sysemu/sysemu.h
@@ -197,6 +197,7 @@ extern QemuOptsList bdrv_runtime_opts;
 extern QemuOptsList qemu_chardev_opts;
 extern QemuOptsList qemu_device_opts;
 extern QemuOptsList qemu_netdev_opts;
+extern QemuOptsList qemu_nic_opts;
 extern QemuOptsList qemu_net_opts;
 extern QemuOptsList qemu_global_opts;
 extern QemuOptsList qemu_mon_opts;
diff --git a/net/net.c b/net/net.c
index 2d05808..0bab269 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1462,6 +1462,67 @@ static int net_init_netdev(void *dummy, QemuOpts *opts, 
Error **errp)
 return net_client_init(opts, true, errp);
 }
 
+/* For the convenience "--nic" parameter */
+static int net_param_nic(void *dummy, QemuOpts *opts, Error **errp)
+{
+char *mac, *nd_id;
+int idx, ret;
+NICInfo *ni;
+const char *type;
+
+type = qemu_opt_get(opts, "type");
+if (type && g_str_equal(type, "none")) {
+return 0;/* Nothing to do, default_net is cleared in vl.c */
+}
+
+idx = nic_get_free_idx();
+if (idx == -1 || nb_nics >= MAX_NICS) {
+error_setg(errp, "no more on-board/default NIC slots available");
+return -1;
+}
+
+if (!type) {
+qemu_opt_set(opts, "type", "user", _abort);
+}
+
+ni = _table[idx];
+memset(ni, 0, sizeof(*ni));
+ni->model = qemu_opt_get_del(opts, "model");
+
+/* Create an ID if the user did not specify one */
+nd_id = g_strdup(qemu_opts_id(opts));
+if (!nd_id) {
+nd_id = g_strdup_printf("__org.qemu.nic%i\n", idx);
+qemu_opts_set_id(opts, nd_id);
+}
+
+/* Handle MAC address */
+mac = qemu_opt_get_del(opts, "mac");
+if (mac) {
+ret = net_parse_macaddr(ni->macaddr.a, mac);
+g_free(mac);
+if (ret) {
+error_setg(errp, "invalid syntax for ethernet address");
+return -1;
+}
+if (is_multicast_ether_addr(ni->macaddr.a)) {
+error_setg(errp, "NIC cannot have multicast MAC address");
+return -1;
+}
+}
+qemu_macaddr_default_if_unset(>macaddr);
+
+ret = net_client_init(opts, true, errp);
+if (ret == 0) {
+ni->netdev = qemu_find_netdev(nd_id);
+ni->used = true;
+nb_nics++;
+}
+
+g_free(nd_id);
+return ret;
+}
+
 int net_init_clients(Error **errp)
 {
 net_change_state_entry =
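Review bot: the generated ID in `nd_id = g_strdup_printf("__org.qemu.nic%i\n", idx);` carries a trailing newline, so every auto-named NIC gets an ID like "__org.qemu.nic0\n" that qemu_find_netdev(nd_id) later has to match byte for byte and that users would have to reproduce on the command line; drop the "\n". In the same branch qemu_opts_set_id(opts, nd_id) hands the string over to the QemuOpts, yet the function still does g_free(nd_id) before returning, leaving opts->id dangling; pass a copy with `qemu_opts_set_id(opts, g_strdup(nd_id));` or skip the free on that path. Minor: on the error returns after `ni->model = qemu_opt_get_del(opts, "model");` the model string is never freed and the half-initialised nd_table slot is left behind with used == false, which is fine for the lookup but leaks the allocation.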
@@ -1474,6 +1535,10 @@ int net_init_clients(Error **errp)
 return -1;
 }
 
+if (qemu_opts_foreach(qemu_find_opts("nic"), net_param_nic, NULL, errp)) {
+return -1;
+}
+
 if (qemu_opts_foreach(qemu_find_opts("net"), net_init_client, NULL, errp)) 
{
 return -1;
 }
@@ -1549,6 +1614,19 @@ QemuOptsList qemu_netdev_opts = {
 },
 };
 
+QemuOptsList qemu_nic_opts = {
+.name = "nic",
+.implied_opt_name = "type",
+.head = QTAILQ_HEAD_INITIALIZER(qemu_nic_opts.head),
+.desc = {
+/*
+ * no elements => accept any params
+ * validation will happen later
+ */
+{ /* end of list */ }
+},
+};
+
 QemuOptsList qemu_net_opts = {
 .name = "net",
 .implied_opt_name = "type",
diff --git a/qemu-options.hx b/qemu-options.hx
index a9249b6..399905e 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2004,13 +2004,34 @@ DEF("netdev", HAS_ARG, QEMU_OPTION_netdev,
 #endif
 "-netdev hubport,id=str,hubid=n[,netdev=nd]\n"
 "configure a hub port on QEMU VLAN 'n'\n", QEMU_ARCH_ALL)
+DEF("nic", HAS_ARG, QEMU_OPTION_nic,
+"--nic [tap|bridge|"
+#ifdef CONFIG_SLIRP
+"user|"
+#endif
+#ifdef __linux__
+"l2tpv3|"
+#endif
+#ifdef CONFIG_VDE
+"vde|"
+#endif
+#ifdef CONFIG_NETMAP
+"netmap|"
+#endif

[Qemu-devel] [PATCH v2 1/8] net: Move error reporting from net_init_client/netdev to the calling site

2018-02-20 Thread Thomas Huth
It looks strange that net_init_client() and net_init_netdev() both
take an "Error **errp" parameter, but then do the error reporting
with "error_report_err(local_err)" on their own. Let's move the
error reporting to the calling site instead to simplify this code
a little bit.

Reviewed-by: Eric Blake 
Reviewed-by: Paolo Bonzini 
Signed-off-by: Thomas Huth 
---
 include/net/net.h |  2 +-
 net/net.c | 29 +
 vl.c  |  3 ++-
 3 files changed, 8 insertions(+), 26 deletions(-)

diff --git a/include/net/net.h b/include/net/net.h
index 3fc48e4..bdd4d9f 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -206,7 +206,7 @@ extern const char *legacy_bootp_filename;
 
 int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp);
 int net_client_parse(QemuOptsList *opts_list, const char *str);
-int net_init_clients(void);
+int net_init_clients(Error **errp);
 void net_check_clients(void);
 void net_cleanup(void);
 void hmp_host_net_add(Monitor *mon, const QDict *qdict);
diff --git a/net/net.c b/net/net.c
index 7d42925..e213a61 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1520,46 +1520,27 @@ void net_check_clients(void)
 
 static int net_init_client(void *dummy, QemuOpts *opts, Error **errp)
 {
-Error *local_err = NULL;
-
-net_client_init(opts, false, _err);
-if (local_err) {
-error_report_err(local_err);
-return -1;
-}
-
-return 0;
+return net_client_init(opts, false, errp);
 }
 
 static int net_init_netdev(void *dummy, QemuOpts *opts, Error **errp)
 {
-Error *local_err = NULL;
-int ret;
-
-ret = net_client_init(opts, true, _err);
-if (local_err) {
-error_report_err(local_err);
-return -1;
-}
-
-return ret;
+return net_client_init(opts, true, errp);
 }
 
-int net_init_clients(void)
+int net_init_clients(Error **errp)
 {
-QemuOptsList *net = qemu_find_opts("net");
-
 net_change_state_entry =
 qemu_add_vm_change_state_handler(net_vm_change_state_handler, NULL);
 
 QTAILQ_INIT(_clients);
 
 if (qemu_opts_foreach(qemu_find_opts("netdev"),
-  net_init_netdev, NULL, NULL)) {
+  net_init_netdev, NULL, errp)) {
 return -1;
 }
 
-if (qemu_opts_foreach(net, net_init_client, NULL, NULL)) {
+if (qemu_opts_foreach(qemu_find_opts("net"), net_init_client, NULL, errp)) 
{
 return -1;
 }
 
diff --git a/vl.c b/vl.c
index 9e7235d..698b681 100644
--- a/vl.c
+++ b/vl.c
@@ -4476,7 +4476,8 @@ int main(int argc, char **argv, char **envp)
 
 colo_info_init();
 
-if (net_init_clients() < 0) {
+if (net_init_clients() < 0) {
+error_report_err(err);
 exit(1);
 }
 
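Review bot: the `+` line shows `net_init_clients()` called without an argument, while the include/net/net.h hunk changes the prototype to `int net_init_clients(Error **errp);`, so presumably `&err` belongs here and was lost somewhere between editor and mail. Independently of that, error_report_err(err) dereferences its argument unconditionally, so this call site now depends on every -1 return from net_init_clients() having filled err; today both -1 paths go through qemu_opts_foreach(), which propagates the callback's error, but any future early `return -1;` without error_setg() would turn into a NULL dereference on this line rather than a message, so a short comment on that contract at the net_init_clients() definition would be worthwhile.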
-- 
1.8.3.1




[Qemu-devel] [PATCH v2 6/8] net: Remove the deprecated 'host_net_add' and 'host_net_remove' HMP commands

2018-02-20 Thread Thomas Huth
They are deprecated since QEMU v2.10, and so far nobody complained that
these commands are still necessary for any reason - and since you can use
'netdev_add' and 'netdev_remove' instead, there also should not be any
real reason. Since they are also standing in the way for the upcoming
'vlan' clean-up, it's now time to remove them.

Reviewed-by: Paolo Bonzini 
Signed-off-by: Thomas Huth 
---
 hmp-commands.hx  | 30 --
 hmp.h|  3 --
 monitor.c| 61 
 net/net.c| 94 
 qemu-doc.texi| 10 --
 tests/test-hmp.c |  2 --
 6 files changed, 200 deletions(-)

diff --git a/hmp-commands.hx b/hmp-commands.hx
index d26eb41..964eb51 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1291,36 +1291,6 @@ Inject PCIe AER error
 ETEXI
 
 {
-.name   = "host_net_add",
-.args_type  = "device:s,opts:s?",
-.params = "tap|user|socket|vde|netmap|bridge|vhost-user|dump 
[options]",
-.help   = "add host VLAN client (deprecated, use netdev_add 
instead)",
-.cmd= hmp_host_net_add,
-.command_completion = host_net_add_completion,
-},
-
-STEXI
-@item host_net_add
-@findex host_net_add
-Add host VLAN client. Deprecated, please use @code{netdev_add} instead.
-ETEXI
-
-{
-.name   = "host_net_remove",
-.args_type  = "vlan_id:i,device:s",
-.params = "vlan_id name",
-.help   = "remove host VLAN client (deprecated, use netdev_del 
instead)",
-.cmd= hmp_host_net_remove,
-.command_completion = host_net_remove_completion,
-},
-
-STEXI
-@item host_net_remove
-@findex host_net_remove
-Remove host VLAN client. Deprecated, please use @code{netdev_del} instead.
-ETEXI
-
-{
 .name   = "netdev_add",
 .args_type  = "netdev:O",
 .params = 
"[user|tap|socket|vde|bridge|hubport|netmap|vhost-user],id=str[,prop=value][,...]",
diff --git a/hmp.h b/hmp.h
index 1143db4..b897338 100644
--- a/hmp.h
+++ b/hmp.h
@@ -132,9 +132,6 @@ void migrate_set_capability_completion(ReadLineState *rs, 
int nb_args,
const char *str);
 void migrate_set_parameter_completion(ReadLineState *rs, int nb_args,
   const char *str);
-void host_net_add_completion(ReadLineState *rs, int nb_args, const char *str);
-void host_net_remove_completion(ReadLineState *rs, int nb_args,
-const char *str);
 void delvm_completion(ReadLineState *rs, int nb_args, const char *str);
 void loadvm_completion(ReadLineState *rs, int nb_args, const char *str);
 void hmp_rocker(Monitor *mon, const QDict *qdict);
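Review bot: the prototypes for the removed commands are not all gone: this patch touches hmp.h, monitor.c and net/net.c, but include/net/net.h is absent from the diffstat, and patch 1/8 shows `void hmp_host_net_add(Monitor *mon, const QDict *qdict);` as context in that header. With the implementations deleted from net/net.c the declaration (and the matching hmp_host_net_remove one next to it) becomes dead; remove them here as well so no stale prototype survives the clean-up.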
diff --git a/monitor.c b/monitor.c
index 373bb8d..a4f1f28 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3574,67 +3574,6 @@ void migrate_set_parameter_completion(ReadLineState *rs, 
int nb_args,
 }
 }
 
-void host_net_add_completion(ReadLineState *rs, int nb_args, const char *str)
-{
-int i;
-size_t len;
-if (nb_args != 2) {
-return;
-}
-len = strlen(str);
-readline_set_completion_index(rs, len);
-for (i = 0; host_net_devices[i]; i++) {
-if (!strncmp(host_net_devices[i], str, len)) {
-readline_add_completion(rs, host_net_devices[i]);
-}
-}
-}
-
-void host_net_remove_completion(ReadLineState *rs, int nb_args, const char 
*str)
-{
-NetClientState *ncs[MAX_QUEUE_NUM];
-int count, i, len;
-
-len = strlen(str);
-readline_set_completion_index(rs, len);
-if (nb_args == 2) {
-count = qemu_find_net_clients_except(NULL, ncs,
- NET_CLIENT_DRIVER_NONE,
- MAX_QUEUE_NUM);
-for (i = 0; i < MIN(count, MAX_QUEUE_NUM); i++) {
-int id;
-char name[16];
-
-if (net_hub_id_for_client(ncs[i], )) {
-continue;
-}
-snprintf(name, sizeof(name), "%d", id);
-if (!strncmp(str, name, len)) {
-readline_add_completion(rs, name);
-}
-}
-return;
-} else if (nb_args == 3) {
-count = qemu_find_net_clients_except(NULL, ncs,
- NET_CLIENT_DRIVER_NIC,
- MAX_QUEUE_NUM);
-for (i = 0; i < MIN(count, MAX_QUEUE_NUM); i++) {
-int id;
-const char *name;
-
-if (ncs[i]->info->type == NET_CLIENT_DRIVER_HUBPORT ||
-net_hub_id_for_client(ncs[i], )) {
-continue;
-}
-name = ncs[i]->name;
-if (!strncmp(str, name, len)) {
-readline_add_completion(rs, name);
-}
-}
-return;
-}
-}
-
 static void vm_completion(ReadLineState 

[Qemu-devel] [PATCH v2 3/8] net: Only show vhost-user in the help text if CONFIG_POSIX is defined

2018-02-20 Thread Thomas Huth
According to net/Makefile.objs we only link in the vhost-user code
if CONFIG_POSIX has been set. So the help screen should also only
show this information if CONFIG_POSIX has been defined.

Reviewed-by: Paolo Bonzini 
Signed-off-by: Thomas Huth 
---
 qemu-options.hx | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/qemu-options.hx b/qemu-options.hx
index 8ccd5dc..9ae49a0 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1998,8 +1998,10 @@ DEF("netdev", HAS_ARG, QEMU_OPTION_netdev,
 "VALE port (created on the fly) called 'name' ('nmname' is 
name of the \n"
 "netmap device, defaults to '/dev/netmap')\n"
 #endif
+#ifdef CONFIG_POSIX
 "-netdev vhost-user,id=str,chardev=dev[,vhostforce=on|off]\n"
 "configure a vhost-user network, backed by a chardev 
'dev'\n"
+#endif
 "-netdev hubport,id=str,hubid=n[,netdev=nd]\n"
 "configure a hub port on QEMU VLAN 'n'\n", QEMU_ARCH_ALL)
 DEF("net", HAS_ARG, QEMU_OPTION_net,
-- 
1.8.3.1




[Qemu-devel] [PATCH v2 2/8] net: List available netdevs with "-netdev help"

2018-02-20 Thread Thomas Huth
Other options like "-chardev" or "-device" feature a nice help text
with the available devices when being called with "help" or "?".
Since it is quite useful, especially if you want to see which network
backends have been compiled into the QEMU binary, let's provide such
a help text for "-netdev", too.

Reviewed-by: Paolo Bonzini 
Signed-off-by: Thomas Huth 
---
 net/net.c | 37 -
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/net/net.c b/net/net.c
index e213a61..cf07e15 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1086,6 +1086,38 @@ static int net_client_init1(const void *object, bool 
is_netdev, Error **errp)
 return 0;
 }
 
+static void show_netdevs(void)
+{
+int idx;
+const char *available_netdevs[] = {
+"socket",
+"hubport",
+"tap",
+#ifdef CONFIG_SLIRP
+"user",
+#endif
+#ifdef CONFIG_L2TPV3
+"l2tpv3",
+#endif
+#ifdef CONFIG_VDE
+"vde",
+#endif
+#ifdef CONFIG_NET_BRIDGE
+"bridge",
+#endif
+#ifdef CONFIG_NETMAP
+"netmap",
+#endif
+#ifdef CONFIG_POSIX
+"vhost-user",
+#endif
+};
+
+printf("Available netdev backend types:\n");
+for (idx = 0; idx < ARRAY_SIZE(available_netdevs); idx++) {
+puts(available_netdevs[idx]);
+}
+}
 
 int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp)
 {
@@ -1094,7 +1126,10 @@ int net_client_init(QemuOpts *opts, bool is_netdev, 
Error **errp)
 int ret = -1;
 Visitor *v = opts_visitor_new(opts);
 
-{
+if (is_netdev && is_help_option(qemu_opt_get(opts, "type"))) {
+show_netdevs();
+exit(0);
+} else {
 /* Parse convenience option format ip6-net=fec0::0[/64] */
 const char *ip6_net = qemu_opt_get(opts, "ipv6-net");
 
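Review bot: `is_help_option(qemu_opt_get(opts, "type"))` crashes when no type was given: qemu_opt_get() returns NULL for a missing key and is_help_option() runs strcmp() on its argument, so a plain `-netdev id=n1` (previously rejected later with a proper "type is missing" error from the visitor) would now segfault before reaching that check. Fetch the value once and guard it, e.g. `const char *type = qemu_opt_get(opts, "type");` followed by `if (is_netdev && type && is_help_option(type)) {`. The hand-written list in show_netdevs() from the previous hunk also has to be kept in sync with the backends that are actually compiled in; a comment next to it pointing at the place where backends are registered would make that less likely to rot.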
-- 
1.8.3.1




[Qemu-devel] [PATCH v2 0/8] Improvements and clean-ups related to -net

2018-02-20 Thread Thomas Huth
"-net" is a legacy option that often causes confusion and
misconfigurations for the users, since most people are not aware
of the underlying "vlan" (i.e. hub) concept that is used for this
parameter. The preferred way of configuring your network stack is
to use "--netdev" instead, which gives you a clean 1:1 connection
between your emulated guest hardware and the host network backend.

However, there are two reasons why we could not completely deprecate
"-net" yet:

1) Convenience:
In some cases, it's more convenient to use "-net" instead of "--netdev",
e.g. if you just want to have a "tap" network connection, it's faster
to type "-net nic -net tap" instead of "--device e1000,netdev=n1
--netdev tap,id=n1".

2) On-board NICs:
Currently the "-net nic" parameter is the only way to configure on-board
NICs on certain (embedded) machines via the nd_table[] array.

So beside some generic clean-ups and removal of code that has been
marked as deprecated since QEMU 2.10 already, this patch series
introduces a new parameter "--nic" (in patch 7/8) which should be able to
replace "-net" in the long run completely: This new convenience parameter
can be used to configure the default/on-board guest HW together with a
host network backend in a very compact way. To configure a tap backend
for the default NIC, you just have to type "--nic tap" here for example.

The last patch finally makes "-net" less prominent in our qemu docs,
e.g. by replacing the examples that contain "-net" with "--netdev".

Note that "-net" itself is not marked as deprecated yet - I think we
should rather do that after one or two QEMU releases with "--nic" so
that we have enough time to test / get used to the new parameter first.
Or we should likely even keep the "-net" around for a couple of years
since there are a lot of scripts and tools out there that still use
this legacy parameter...

v2:
- Renamed "-n" to "--nic" (suggested by Paolo)
- Improved the QAPI comment about the removal of 'dump' (suggested by Eric)
- exit(0) instead of exit(1) after showing the "-netdev help" (Eric)
- Improved the documentation for hubport a little bit (suggested by Paolo)

Thomas Huth (8):
  net: Move error reporting from net_init_client/netdev to the calling
site
  net: List available netdevs with "-netdev help"
  net: Only show vhost-user in the help text if CONFIG_POSIX is defined
  net: Make net_client_init() static
  net: Remove the deprecated way of dumping network packets
  net: Remove the deprecated 'host_net_add' and 'host_net_remove' HMP
commands
  net: Add a new convenience option "--nic" to configure
default/on-board NICs
  qemu-doc: Make "-net" less prominent

 hmp-commands.hx |  30 --
 hmp.h   |   3 -
 include/net/net.h   |   4 +-
 include/sysemu/sysemu.h |   1 +
 monitor.c   |  61 
 net/dump.c  | 102 +
 net/net.c   | 239 +++-
 qapi/net.json   |  29 ++
 qemu-doc.texi   |  16 
 qemu-options.hx | 224 -
 tests/test-hmp.c|   2 -
 vl.c|  10 +-
 12 files changed, 256 insertions(+), 465 deletions(-)

-- 
1.8.3.1




[Qemu-devel] [PATCH v5 1/4] linux-user: Move CPU type name selection to a function

2018-02-20 Thread Laurent Vivier
Instead of a sequence of "#if ... #endif" move the
selection to a function in linux-user/*/target_elf.h

We can't add them in linux-user/*/target_cpu.h
because we will need to include "elf.h" to
use ELF flags with eflags, and including
"elf.h" in "target_cpu.h" introduces some
conflicts in elfload.c

Suggested-by: Richard Henderson 
Signed-off-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
Reviewed-by: Philippe Mathieu-Daudé 
---

Notes:
v5: some architectures like sparc32plus are
32bit architectures using 64bit processors.
We need to select the CPU according to the
TARGET_ABI ("sparc" path to target_elf.h)
and the TARGET_ARCH ("sparc64").
(Reported by Peter Maydell)
v3: change "#if ... #endif" structure for ppc
v2: new patch in the series

 linux-user/aarch64/target_elf.h| 14 +
 linux-user/alpha/target_elf.h  | 14 +
 linux-user/arm/target_elf.h| 14 +
 linux-user/cris/target_elf.h   | 14 +
 linux-user/hppa/target_elf.h   | 14 +
 linux-user/i386/target_elf.h   | 14 +
 linux-user/m68k/target_elf.h   | 14 +
 linux-user/main.c  | 41 ++
 linux-user/microblaze/target_elf.h | 14 +
 linux-user/mips/target_elf.h   | 14 +
 linux-user/mips64/target_elf.h | 14 +
 linux-user/nios2/target_elf.h  | 14 +
 linux-user/openrisc/target_elf.h   | 14 +
 linux-user/ppc/target_elf.h| 18 +
 linux-user/s390x/target_elf.h  | 14 +
 linux-user/sh4/target_elf.h| 14 +
 linux-user/sparc/target_elf.h  | 18 +
 linux-user/sparc64/target_elf.h| 14 +
 linux-user/tilegx/target_elf.h | 14 +
 linux-user/unicore32/target_elf.h  | 14 +
 linux-user/x86_64/target_elf.h | 14 +
 21 files changed, 290 insertions(+), 39 deletions(-)
 create mode 100644 linux-user/aarch64/target_elf.h
 create mode 100644 linux-user/alpha/target_elf.h
 create mode 100644 linux-user/arm/target_elf.h
 create mode 100644 linux-user/cris/target_elf.h
 create mode 100644 linux-user/hppa/target_elf.h
 create mode 100644 linux-user/i386/target_elf.h
 create mode 100644 linux-user/m68k/target_elf.h
 create mode 100644 linux-user/microblaze/target_elf.h
 create mode 100644 linux-user/mips/target_elf.h
 create mode 100644 linux-user/mips64/target_elf.h
 create mode 100644 linux-user/nios2/target_elf.h
 create mode 100644 linux-user/openrisc/target_elf.h
 create mode 100644 linux-user/ppc/target_elf.h
 create mode 100644 linux-user/s390x/target_elf.h
 create mode 100644 linux-user/sh4/target_elf.h
 create mode 100644 linux-user/sparc/target_elf.h
 create mode 100644 linux-user/sparc64/target_elf.h
 create mode 100644 linux-user/tilegx/target_elf.h
 create mode 100644 linux-user/unicore32/target_elf.h
 create mode 100644 linux-user/x86_64/target_elf.h

diff --git a/linux-user/aarch64/target_elf.h b/linux-user/aarch64/target_elf.h
new file mode 100644
index 00..a7eb962fba
--- /dev/null
+++ b/linux-user/aarch64/target_elf.h
@@ -0,0 +1,14 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation, or (at your option) any
+ * later version. See the COPYING file in the top-level directory.
+ */
+
+#ifndef AARCH64_TARGET_ELF_H
+#define AARCH64_TARGET_ELF_H
+static inline const char *cpu_get_model(uint32_t eflags)
+{
+return "any";
+}
+#endif
diff --git a/linux-user/alpha/target_elf.h b/linux-user/alpha/target_elf.h
new file mode 100644
index 00..344e9f4d39
--- /dev/null
+++ b/linux-user/alpha/target_elf.h
@@ -0,0 +1,14 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation, or (at your option) any
+ * later version. See the COPYING file in the top-level directory.
+ */
+
+#ifndef ALPHA_TARGET_ELF_H
+#define ALPHA_TARGET_ELF_H
+static inline const char *cpu_get_model(uint32_t eflags)
+{
+return "any";
+}
+#endif
diff --git a/linux-user/arm/target_elf.h b/linux-user/arm/target_elf.h
new file mode 100644
index 00..58ff6a0986
--- /dev/null
+++ b/linux-user/arm/target_elf.h
@@ -0,0 +1,14 @@
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation, or (at your option) any
+ * later version. See the COPYING file in the top-level directory.
+ */
+

[Qemu-devel] [PATCH v5 2/4] linux-user: introduce functions to detect CPU type

2018-02-20 Thread Laurent Vivier
From: YunQiang Su 

Add a function to return ELF e_flags and use it
to select the CPU model.

Signed-off-by: YunQiang Su 
[lv: split the patch and some cleanup in get_elf_eflags()]
Signed-off-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
---

Notes:
v4: add YunQiang Su's Signed-off-by
v2: call cpu_get_model() with the result of get_elf_eflags()

 linux-user/elfload.c | 35 +++
 linux-user/main.c| 20 ++--
 linux-user/qemu.h|  1 +
 3 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 8bb9a2c3e8..0208022445 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -2396,6 +2396,41 @@ give_up:
 g_free(syms);
 }
 
+uint32_t get_elf_eflags(int fd)
+{
+struct elfhdr ehdr;
+off_t offset;
+int ret;
+
+/* Read ELF header */
+offset = lseek(fd, 0, SEEK_SET);
+if (offset == (off_t) -1) {
+return 0;
+}
+ret = read(fd, , sizeof(ehdr));
+if (ret < sizeof(ehdr)) {
+return 0;
+}
+offset = lseek(fd, offset, SEEK_SET);
+if (offset == (off_t) -1) {
+return 0;
+}
+
+/* Check ELF signature */
+if (!elf_check_ident()) {
+return 0;
+}
+
+/* check header */
+bswap_ehdr();
+if (!elf_check_ehdr()) {
+return 0;
+}
+
+/* return architecture id */
+return ehdr.e_flags;
+}
+
 int load_elf_binary(struct linux_binprm *bprm, struct image_info *info)
 {
 struct image_info interp_info;
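Review bot: the check `if (ret < sizeof(ehdr))` after read() compares an int with a size_t, so a failed read (ret == -1) is converted to SIZE_MAX, the test passes, and the function goes on to bswap_ehdr() and elf_check_ehdr() an uninitialised header; test `ret < 0 || ret != sizeof(ehdr)` (or cast to ssize_t) first. The save/restore around the read is also a no-op: `offset = lseek(fd, 0, SEEK_SET);` always yields 0 on success, so the later `offset = lseek(fd, offset, SEEK_SET);` merely rewinds to the start again instead of restoring the caller's position; use SEEK_CUR to capture the original offset if restoring is the intent, or drop the second lseek if callers rely on the fd being rewound anyway. Note too that the early `return 0;` paths leave the fd at whatever position the read reached, so the restore is skipped exactly when it would matter.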
diff --git a/linux-user/main.c b/linux-user/main.c
index 24ecef3607..bab5bbcfb1 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -4344,8 +4344,17 @@ int main(int argc, char **argv, char **envp)
 
 init_qemu_uname_release();
 
+execfd = qemu_getauxval(AT_EXECFD);
+if (execfd == 0) {
+execfd = open(filename, O_RDONLY);
+if (execfd < 0) {
+printf("Error while loading %s: %s\n", filename, strerror(errno));
+_exit(EXIT_FAILURE);
+}
+}
+
 if (cpu_model == NULL) {
-cpu_model = cpu_get_model(0);
+cpu_model = cpu_get_model(get_elf_eflags(execfd));
 }
 tcg_exec_init(0);
 /* NOTE: we need to init the CPU at this stage to get
@@ -4438,15 +4447,6 @@ int main(int argc, char **argv, char **envp)
 cpu->opaque = ts;
 task_settid(ts);
 
-execfd = qemu_getauxval(AT_EXECFD);
-if (execfd == 0) {
-execfd = open(filename, O_RDONLY);
-if (execfd < 0) {
-printf("Error while loading %s: %s\n", filename, strerror(errno));
-_exit(EXIT_FAILURE);
-}
-}
-
 ret = loader_exec(execfd, filename, target_argv, target_environ, regs,
 info, );
 if (ret != 0) {
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 4edd7d0c08..47ca71159c 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -188,6 +188,7 @@ int loader_exec(int fdexec, const char *filename, char 
**argv, char **envp,
  struct target_pt_regs * regs, struct image_info *infop,
  struct linux_binprm *);
 
+uint32_t get_elf_eflags(int fd);
 int load_elf_binary(struct linux_binprm *bprm, struct image_info *info);
 int load_flt_binary(struct linux_binprm *bprm, struct image_info *info);
 
-- 
2.14.3




[Qemu-devel] [PATCH v5 3/4] linux-user, m68k: select CPU according to ELF header values

2018-02-20 Thread Laurent Vivier
M680x0 doesn't support the same set of instructions
as ColdFire, so we can't use "any" CPU type to execute
m68020 instructions.
We select CPU type ("m68040" or "any" for ColdFire)
according to the ELF header. If we can't, we
use by default the value used until now: "any".

Signed-off-by: Laurent Vivier 
Reviewed-by: Richard Henderson 
---

Notes:
v3: check for EF_M68K_M68000
add EF_M68K_* flags in elf.h
set 680x0 default CPU to m68040
v2: call cpu_get_model() with the result of get_elf_eflags()

 include/elf.h| 28 
 linux-user/m68k/target_elf.h |  6 ++
 2 files changed, 34 insertions(+)

diff --git a/include/elf.h b/include/elf.h
index e8a515ce3d..ca9a419043 100644
--- a/include/elf.h
+++ b/include/elf.h
@@ -537,6 +537,34 @@ typedef struct {
 #define HWCAP_S390_HIGH_GPRS512
 #define HWCAP_S390_TE   1024
 
+/* M68K specific definitions. */
+/* We use the top 24 bits to encode information about the
+   architecture variant.  */
+#define EF_M68K_CPU320x0081
+#define EF_M68K_M68000   0x0100
+#define EF_M68K_CFV4E0x8000
+#define EF_M68K_FIDO 0x0200
+#define EF_M68K_ARCH_MASK   \
+  (EF_M68K_M68000 | EF_M68K_CPU32 | EF_M68K_CFV4E | EF_M68K_FIDO)
+
+/* We use the bottom 8 bits to encode information about the
+   coldfire variant.  If we use any of these bits, the top 24 bits are
+   either 0 or EF_M68K_CFV4E.  */
+#define EF_M68K_CF_ISA_MASK 0x0F  /* Which ISA */
+#define EF_M68K_CF_ISA_A_NODIV  0x01  /* ISA A except for div */
+#define EF_M68K_CF_ISA_A0x02
+#define EF_M68K_CF_ISA_A_PLUS   0x03
+#define EF_M68K_CF_ISA_B_NOUSP  0x04  /* ISA_B except for USP */
+#define EF_M68K_CF_ISA_B0x05
+#define EF_M68K_CF_ISA_C0x06
+#define EF_M68K_CF_ISA_C_NODIV  0x07  /* ISA C except for div */
+#define EF_M68K_CF_MAC_MASK 0x30
+#define EF_M68K_CF_MAC  0x10  /* MAC */
+#define EF_M68K_CF_EMAC 0x20  /* EMAC */
+#define EF_M68K_CF_EMAC_B   0x30  /* EMAC_B */
+#define EF_M68K_CF_FLOAT0x40  /* Has float insns */
+#define EF_M68K_CF_MASK 0xFF
+
 /*
  * 68k ELF relocation types
  */
diff --git a/linux-user/m68k/target_elf.h b/linux-user/m68k/target_elf.h
index df375ad5d3..998fe0fe2f 100644
--- a/linux-user/m68k/target_elf.h
+++ b/linux-user/m68k/target_elf.h
@@ -9,6 +9,12 @@
 #define M68K_TARGET_ELF_H
 static inline const char *cpu_get_model(uint32_t eflags)
 {
+if (eflags == 0 || (eflags & EF_M68K_M68000)) {
+/* 680x0 */
+return "m68040";
+}
+
+/* Coldfire */
 return "any";
 }
 #endif
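Review bot: the commit message says that when the header cannot be read we fall back to the value used until now, "any", but the code does the opposite: get_elf_eflags() from patch 2/4 returns 0 on every failure path, and `if (eflags == 0 || (eflags & EF_M68K_M68000))` maps that 0 to "m68040". Treating e_flags == 0 as a plain 680x0 binary may well be intended (it matches the "set 680x0 default CPU to m68040" note above), but then the message should say so, or the read failure should be distinguished from a genuine zero e_flags so that "any" really is the fallback.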
-- 
2.14.3




[Qemu-devel] [PATCH v5 0/4] linux-user: select CPU type according ELF header values

2018-02-20 Thread Laurent Vivier
This idea has been suggested to me before by Philippe
Mathieu-Daudé, and recently YunQiang Su has proposed a
patch to manage the MIPS r6 case.

Based on this, this series tries to clean up the original
patch, and introduces the use for m68k architecture and
port the patch from YunQiang Su.

v5: Use EF_MIPS_ARCH mask to read MIPS architecture flags
-> removed Richard's R-b because of this change
Some architectures like sparc32plus are
32bit architectures using 64bit processors.
We need to select the CPU according to the
TARGET_ABI ("sparc" path to target_elf.h)
and the TARGET_ARCH ("sparc64").
(Reported by Peter Maydell)
v4: Add YunQiang Su's S-o-b
I don't use cpu type as suggested by Igor because
his latest series "generalize parsing of cpu_model (part 4)" v3
doesn't seem to need this anymore (use of parse_cpu_model())
v3: fix code indent problem reported by patchew
remove useless "!= 0"
check for EF_M68K_M68000
add EF_M68K_* flags in elf.h
set 680x0 default CPU to m68040
change "#if ... #endif" structure for ppc
v2: move cpu_model selection to linux-user/*/target_elf.h
provide eflags to cpu_get_model() instead of fd
(and modify other patches accordingly)

Laurent Vivier (2):
  linux-user: Move CPU type name selection to a function
  linux-user,m68k: select CPU according to ELF header values

YunQiang Su (2):
  linux-user: introduce functions to detect CPU type
  linux-user: MIPS set cpu to r6 CPU if binary is R6

 include/elf.h  | 35 ++
 linux-user/aarch64/target_elf.h| 14 +
 linux-user/alpha/target_elf.h  | 14 +
 linux-user/arm/target_elf.h| 14 +
 linux-user/cris/target_elf.h   | 14 +
 linux-user/elfload.c   | 35 ++
 linux-user/hppa/target_elf.h   | 14 +
 linux-user/i386/target_elf.h   | 14 +
 linux-user/m68k/target_elf.h   | 20 +
 linux-user/main.c  | 59 +++---
 linux-user/microblaze/target_elf.h | 14 +
 linux-user/mips/target_elf.h   | 17 +++
 linux-user/mips64/target_elf.h | 17 +++
 linux-user/nios2/target_elf.h  | 14 +
 linux-user/openrisc/target_elf.h   | 14 +
 linux-user/ppc/target_elf.h| 18 
 linux-user/qemu.h  |  1 +
 linux-user/s390x/target_elf.h  | 14 +
 linux-user/sh4/target_elf.h| 14 +
 linux-user/sparc/target_elf.h  | 18 
 linux-user/sparc64/target_elf.h| 14 +
 linux-user/tilegx/target_elf.h | 14 +
 linux-user/unicore32/target_elf.h  | 14 +
 linux-user/x86_64/target_elf.h | 14 +
 24 files changed, 382 insertions(+), 48 deletions(-)
 create mode 100644 linux-user/aarch64/target_elf.h
 create mode 100644 linux-user/alpha/target_elf.h
 create mode 100644 linux-user/arm/target_elf.h
 create mode 100644 linux-user/cris/target_elf.h
 create mode 100644 linux-user/hppa/target_elf.h
 create mode 100644 linux-user/i386/target_elf.h
 create mode 100644 linux-user/m68k/target_elf.h
 create mode 100644 linux-user/microblaze/target_elf.h
 create mode 100644 linux-user/mips/target_elf.h
 create mode 100644 linux-user/mips64/target_elf.h
 create mode 100644 linux-user/nios2/target_elf.h
 create mode 100644 linux-user/openrisc/target_elf.h
 create mode 100644 linux-user/ppc/target_elf.h
 create mode 100644 linux-user/s390x/target_elf.h
 create mode 100644 linux-user/sh4/target_elf.h
 create mode 100644 linux-user/sparc/target_elf.h
 create mode 100644 linux-user/sparc64/target_elf.h
 create mode 100644 linux-user/tilegx/target_elf.h
 create mode 100644 linux-user/unicore32/target_elf.h
 create mode 100644 linux-user/x86_64/target_elf.h

-- 
2.14.3




[Qemu-devel] [PATCH v5 4/4] linux-user: MIPS set cpu to r6 CPU if binary is R6

2018-02-20 Thread Laurent Vivier
From: YunQiang Su 

So here we need to detect the version of binaries and set
cpu_model for it.

Signed-off-by: YunQiang Su 
[lv: original patch modified to move code into cpu_get_model()]
Signed-off-by: Laurent Vivier 
---

Notes:
v5: Use EF_MIPS_ARCH mask to read MIPS architecture flags
-> removed Richard's R-b because of this change
v4: add YunQiang Su's Signed-off-by
v3: fix code indent problem reported by patchew
remove useless "!= 0"
v2: call cpu_get_model() with the result of get_elf_eflags()

 include/elf.h  | 7 +++
 linux-user/mips/target_elf.h   | 3 +++
 linux-user/mips64/target_elf.h | 3 +++
 3 files changed, 13 insertions(+)

diff --git a/include/elf.h b/include/elf.h
index ca9a419043..943ee21171 100644
--- a/include/elf.h
+++ b/include/elf.h
@@ -33,6 +33,9 @@ typedef int64_t  Elf64_Sxword;
 
 /* Flags in the e_flags field of the header */
 /* MIPS architecture level. */
+#define EF_MIPS_ARCH0xf000
+
+/* Legal values for MIPS architecture level.  */
 #define EF_MIPS_ARCH_1 0x  /* -mips1 code.  */
 #define EF_MIPS_ARCH_2 0x1000  /* -mips2 code.  */
 #define EF_MIPS_ARCH_3 0x2000  /* -mips3 code.  */
@@ -40,6 +43,10 @@ typedef int64_t  Elf64_Sxword;
 #define EF_MIPS_ARCH_5 0x4000  /* -mips5 code.  */
 #define EF_MIPS_ARCH_320x5000  /* MIPS32 code.  */
 #define EF_MIPS_ARCH_640x6000  /* MIPS64 code.  */
+#define EF_MIPS_ARCH_32R2   0x7000  /* MIPS32r2 code.  */
+#define EF_MIPS_ARCH_64R2   0x8000  /* MIPS64r2 code.  */
+#define EF_MIPS_ARCH_32R6   0x9000  /* MIPS32r6 code.  */
+#define EF_MIPS_ARCH_64R6   0xa000  /* MIPS64r6 code.  */
 
 /* The ABI of a file. */
 #define EF_MIPS_ABI_O320x1000  /* O32 ABI.  */
diff --git a/linux-user/mips/target_elf.h b/linux-user/mips/target_elf.h
index bed0b43259..fa5d30bf99 100644
--- a/linux-user/mips/target_elf.h
+++ b/linux-user/mips/target_elf.h
@@ -9,6 +9,9 @@
 #define MIPS_TARGET_ELF_H
 static inline const char *cpu_get_model(uint32_t eflags)
 {
+if ((eflags & EF_MIPS_ARCH) == EF_MIPS_ARCH_32R6) {
+return "mips32r6-generic";
+}
 return "24Kf";
 }
 #endif
diff --git a/linux-user/mips64/target_elf.h b/linux-user/mips64/target_elf.h
index 5b6f4692e0..ec55d8542a 100644
--- a/linux-user/mips64/target_elf.h
+++ b/linux-user/mips64/target_elf.h
@@ -9,6 +9,9 @@
 #define MIPS64_TARGET_ELF_H
 static inline const char *cpu_get_model(uint32_t eflags)
 {
+if ((eflags & EF_MIPS_ARCH) == EF_MIPS_ARCH_64R6) {
+return "I6400";
+}
 return "5KEf";
 }
 #endif
-- 
2.14.3



