This reverts commit a53ae8e9.

The patch being reverted introduced a low-priority memory region
covering all 64 bit pci address space.  This exposed the following bugs
elsewhere in the code:
 1. Some memory regions have INT64_MAX size, where the
    intent was all 64 bit address space.
    This results in a sub-page region, should be UINT64_MAX.
 2. page table rendering in exec.c ignores physical address bits
    above TARGET_PHYS_ADDR_SPACE_BITS.
    Access outside this range (e.g. from device DMA, or gdb stub)
    ends up with a wrong region.  Registering a region outside this
    range leads to page table corruption.
 3. Some regions overlap PCI hole and have same priority.
    This only works as long as no device uses the overlapping address.

It doesn't look like we can resolve all issues in time for 1.7.
Let's fix the bugs first and apply afterwards for 1.8.
Signed-off-by: NMarcel Apfelbaum <marcel.a@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

rom_add_blob never fails, and neither does rom_add_blob_fixed,
so there's no need to return value from it.

In fact, rom_add_blob_fixed was erroneously returning -1 unconditionally
which made the only system that checked the return value -M bamboo fail
to start.

Drop the return value and drop checks from ppc440_bamboo to
fix this failure.
Reported-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

The following commit introduced a migration incompatibility:

commit 568f0690
Author: David Gibson <david@gibson.dropbear.id.au>
Date:   Thu Jun 6 18:48:49 2013 +1000

    pci: Replace pci_find_domain() with more general pci_root_bus_path()

The issue is that i440fx savevm idstr went from 0000:00:00.0/I440FX to
0000:00.0/I440FX. Unfortunately we are stuck with the breakage for
1.6 machine types.

Add a compat property to maintain the busted idstr for the 1.6 machine
types, but revert to the old style format for 1.7+, and <= 1.5.

Tested with migration from qemu 1.5, qemu 1.6, and qemu.git.

Cc: qemu-stable@nongnu.org
Signed-off-by: NCole Robinson <crobinso@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

[Assigning a multicast MAC address to a NIC leads to confusing behavior.
Reject multicast MAC addresses so users are alerted to their error
straight away.

The "net/eth.h" in6_addr rename prevents a name collision with
<netinet/in.h> on Linux.
-- Stefan]
Signed-off-by: NDmitry V. Krivenok <krivenok.dmitry@gmail.com>
Reviewed-by: Amos Kong <kongjianjun@gmail.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Replace the legacy cpu_to_32wu() with stl_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-10-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy cpu_to_be64wu() with stq_be_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-9-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy cpu_to_be32wu() with stl_be_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-8-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy cpu_to_be16wu() with stw_be_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-7-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy be32_to_cpupu() with ldl_be_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-6-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy le32_to_cpupu() with ldl_le_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-5-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy le16_to_cpupu() with lduw_le_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-4-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy cpu_to_le32wu() with stl_le_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-3-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Replace the legacy cpu_to_le16wu() with stw_le_p().
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 1383669517-25598-2-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Turn PCMCIACardState into a device.
Move callbacks to new PCMCIACardClass.

Derive TYPE_MICRODRIVE from TYPE_PCMCIA_CARD.
Replace ide_init2_with_non_qdev_drives().
Signed-off-by: NOthmar Pasteka <pasteka@kabsi.at>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Signed-off-by: NAndreas Färber <afaerber@suse.de>

Relocate to alongside the other object_property_add_* helpers while at it.
Signed-off-by: NAndreas Färber <afaerber@suse.de>

The qdev_free() function name is misleading since all the function does
is unlink the device from its parent.  The device is not necessarily
freed.

The device will be freed when its QObject refcount reaches zero.  It is
usual for the parent (bus) to hold the final reference but there are
cases where something else holds a reference so "free" is a misleading
name.

Call object_unparent(obj) directly instead of having a qdev wrapper
function.
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Move state struct, type constant and cast macro to a new header.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Move state struct, type constant and cast macro to a new header.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Inspired by a9scu.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <andreas.faerber@web.de>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <andreas.faerber@web.de>

Prepares for QOM realize.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <andreas.faerber@web.de>

Prepares for QOM realize.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <andreas.faerber@web.de>

Rename NCPU to GIC_NCPU and move GICState away from gic_internal.h.
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Commit 9b8c6924 (since reverted) broke the ability to boot the kernel
as the value returned by unassigned_mem_read returned non-zero and left
the kernel looping forever waiting for it to change (see
integrator_led_set in the kernel code).

Relying on a varying implementation detail is incorrect anyway so this
introduces a basic stub of a memory region for the debug/LED section
on the integrator board.
Signed-off-by: NAlex Bennée <alex@bennee.com>
Message-id: 1382451366-9539-1-git-send-email-alex.bennee@linaro.org
[PMM: removed three unused fields from struct IntegratorDebugState]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

This helper function behaves similarly to co_sleep_ns(), but the
sleeping coroutine will be resumed when using qemu_aio_wait().
Signed-off-by: NMORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Tested-by: NLiu Yuan <namei.unix@gmail.com>
Reviewed-by: NLiu Yuan <namei.unix@gmail.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The block layer generally keeps the size of an image cached in
bs->total_sectors so that it doesn't have to perform expensive
operations to get the size whenever it needs it.

This doesn't work however when using a backend that can change its size
without qemu being aware of it, i.e. passthrough of removable media like
CD-ROMs or floppy disks. For this reason, the caching is disabled when a
removable device is used.

It is obvious that checking whether the _guest_ device has removable
media isn't the right thing to do when we want to know whether the size
of the host backend can change. To make things worse, non-top-level
BlockDriverStates never have any device attached, which makes qemu
assume they are removable, so drv->bdrv_getlength() is always called on
the protocol layer. In the case of raw-posix, this causes unnecessary
lseek() system calls, which turned out to be rather expensive.

This patch completely changes the logic and disables bs->total_sectors
caching only for certain block driver types, for which a size change is
expected: host_cdrom and host_floppy on POSIX, host_device on win32; also
the raw format in case it sits on top of one of these protocols, but in
the common case the nested bdrv_getlength() call on the protocol driver
will use the cache again and avoid an expensive drv->bdrv_getlength()
call.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>

Instead of relying on cpu_model, obtain the device tree node label
per CPU. Use DeviceClass::fw_name as source.

Whenever DeviceClass::fw_name is unknown, default to "PowerPC,UNKNOWN".

As a consequence, spapr_fixup_cpu_dt() can operate on each CPU's fw_name,
obsoleting sPAPREnvironment::cpu_model, and spapr_create_fdt_skel() can
drop its cpu_model argument.
Signed-off-by: NPrerna Saxena <prerna@linux.vnet.ibm.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This patch add support for dumping guest memory using dump-guest-memory
monitor command.

Before patch:

(qemu) dump-guest-memory testcrash
this feature or command is not currently supported
(qemu)

After patch:

(qemu) dump-guest-memory testcrash
(qemu)

crash was able to read the file

crash> bt
PID: 0      TASK: c000000000c0d0d0  CPU: 0   COMMAND: "swapper/0"

 R0:  0000000028000084    R1:  c000000000cafa50    R2:  c000000000cb05b0
 R3:  0000000000000000    R4:  c000000000bc4cb0    R5:  0000000000000000
 R6:  001efe93b8000000    R7:  0000000000000000    R8:  0000000000000000
 R9:  b000000000001032    R10: 0000000000000001    R11: 0001eb2117e00d55
....
...

NOTE: Currently crash tools doesn't look at ELF notes in the dump on ppc64.
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This implements H_XIRR_X hypercall in addition to H_XIRR as
it is mandatory for PAPR+ and there is no way for the guest to
detect whether it is supported or not so just add it.

As the Partition Adjunct Option is not supported at the moment,
the CPPR parameter of the hypercall is ignored.
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Recent (host) kernels support emulating the PAPR defined "XICS" interrupt
controller system within KVM.  This patch allows qemu to initialize and
configure the in-kernel XICS, and keep its state in sync with qemu's XICS
state as necessary.

This should give considerable performance improvements.  e.g. on a simple
IPI ping-pong test between hardware threads, using qemu XICS gives us
around 5,000 irqs/second, whereas the in-kernel XICS gives us around
70,000 irqs/s on the same hardware configuration.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
[Mike Qiu <qiudayu@linux.vnet.ibm.com>: fixed mistype which caused ics_set_kvm_state() to fail]
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This adds a cpu_setup callback to the XICS device class (as XICS-KVM
will do it different), xics_cpu_setup() will call it if it is set.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The upcoming XICS-KVM support will use bits of emulated XICS code.
So this introduces new level of hierarchy - "xics-common" class. Both
emulated XICS and XICS-KVM will inherit from it and override class
callbacks when required.

The new "xics-common" class implements:
1. replaces static "nr_irqs" and "nr_servers" properties with
the dynamic ones and adds callbacks to be executed when properties
are set.
2. xics_cpu_setup() callback renamed to xics_common_cpu_setup() as
it is a common part for both XICS'es
3. xics_reset() renamed to xics_common_reset() for the same reason.

The emulated XICS changes:
1. the part of xics_realize() which creates ICPs is moved to
the "nr_servers" property callback as realize() is too late to
create/initialize devices and instance_init() is too early to create
devices as the number of child devices comes via the "nr_servers"
property.
2. added ics_initfn() which does a little part of what xics_realize() did.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NAlexander Graf <agraf@suse.de>

The upcoming support of in-kernel XICS will redefine migration callbacks
for both ICS and ICP so classes and callback pointers are added.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>

On the real hardware, RTAS is called in real mode and therefore
top 4 bits of the address passed in the call are ignored.
So does the patch.

This converts h_rtas() to use existing rtas_ld() handlers.

This fixed rtas_ld()/rtas_st() to ignore top 4 bits.
Signed-off-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: NAlexander Graf <agraf@suse.de>

These let a user anticipate the deadline of a timer, atomically with
other sites that call the function.  This helps avoiding complicated
lock hierarchies.
Reviewed-by: NAlex Bligh <alex@alex.org.uk>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

After disabling the QemuClock, we should make sure that no QemuTimers
are still in flight. To implement that with light overhead, we resort
to QemuEvent. The caller of disabling will wait on QemuEvent of each
timerlist.

Note, qemu_clock_enable(foo,false) can _not_ be called from timer's cb.
Also, the callers of qemu_clock_enable() should be protected by the BQL.
Signed-off-by: NLiu Ping Fan <pingfank@linux.vnet.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This emulates Win32 manual-reset events using futexes or conditional
variables.  Typical ways to use them are with multi-producer,
single-consumer data structures, to test for a complex condition whose
elements come from different threads:

    for (;;) {
        qemu_event_reset(ev);
        ... test complex condition ...
        if (condition is true) {
            break;
        }
        qemu_event_wait(ev);
    }

Or more efficiently (but with some duplication):

    ... evaluate condition ...
    while (!condition) {
        qemu_event_reset(ev);
        ... evaluate condition ...
        if (!condition) {
            qemu_event_wait(ev);
            ... evaluate condition ...
        }
    }

QemuEvent provides a very fast userspace path in the common case when
no other thread is waiting, or the event is not changing state.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

QEMU_CLOCK_VIRTUAL may be read outside BQL. This will make its
foundation, i.e. cpu_clock_offset exposed to race condition.
Using private lock to protect it.

After this patch, reading QEMU_CLOCK_VIRTUAL is thread safe
unless use_icount is true, in which case the existing callers
still rely on the BQL.

Lock rule: private lock innermost, ie BQL->"this lock"
Signed-off-by: NLiu Ping Fan <pingfank@linux.vnet.ibm.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>