With this patch applied USB drivers can enable pipelining per endpoint.
With pipelining enabled the usb core will continue submitting packets
even when there are still async transfers in flight instead of passing
them on one by one.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

This can happen today in case the ->complete() callback queues up the
next packet.  Also we'll support pipelining soon, which allows to have
multiple packets per queue in flight (aka ASYNC) state.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

We already have USB_RET_NAK, but that means that a device does not want
to send/receive right now. But with host / network redirection we can
actually have a transaction fail due to some io error, rather then ie
the device just not having any data atm.

This patch adds a new error code named USB_RET_IOERROR for this, and uses
it were appropriate.

Notes:
-Currently all usb-controllers handle this the same as NODEV, but that
 may change in the future, OHCI could indicate a CRC error instead for example.
-This patch does not touch hw/usb-musb.c, that is because the code in there
 handles STALL and NAK specially and has a if status < 0 generic catch all
 for all other errors
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

All error statuses except for NAK are handled in a switch case, move the
handling of NAK into the same switch case.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The nakcnt code in ehci_execute_complete() marked transactions as finished
when a packet completed with a result of USB_RET_NAK, but USB_RET_NAK
means that the device cannot receive / send data at that time and that
the transaction should be retried later, which is also what the usb-uhci
and usb-ohci code does.

Note that there already was some special code in place to handle this
for interrupt endpoints in the form of doing a return from
ehci_execute_complete() when reload == 0, but that for bulk transactions
this was not handled correctly (where as for example the usb-ccid device does
return USB_RET_NAK for bulk packets).

Besides that the code in ehci_execute_complete() decrement nakcnt by 1
on a packet result of USB_RET_NAK, but
-since the transaction got marked as finished,
 nakcnt would never be decremented again
-there is no code checking for nakcnt becoming 0
-there is no use in re-trying the transaction within the same usb frame /
 usb-ehci frame-timer call, since the status of emulated devices won't change
 as long as the usb-ehci frame-timer is running
So we should simply set the nakcnt to 0 when we get a USB_RET_NAK, thus
claiming that we've tried reload times (or as many times as possible if
reload is 0).

Besides the code in ehci_execute_complete() handling USB_RET_NAK there
was also code handling it in ehci_state_executing(), which calls
ehci_execute_complete(), and then does its own handling on top of the handling
in ehci_execute_complete(), this code would decrement nakcnt *again* (if not
already 0), or restore the reload value (which was never changed) on success.

Since the double decrement was wrong to begin with, and is no longer needed
now that we set nakcnt directly to 0 on USB_RET_NAK, and the restore of reload
is not needed either, this patch simply removes all nakcnt handling from
ehci_state_executing().
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

This patch removes 2 bits of dead nakcnt code:

1) usb_ehci_execute calls ehci_qh_do_overlay which does:
nakcnt = reload;
and then has a block of code which is conditional on:
if (reload && !nakcnt) {
which ofcourse is never true now as nakcnt == reload.

2) ehci_state_fetchqh does:
nakcnt = reload;
but before nakcnt is ever used ehci_state_fetchqh is always followed
by a ehci_qh_do_overlay call which also does:
nakcnt = reload;
So doing this from ehci_state_fetchqh is redundant.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

cerr should only be decremented on errors which cause XactErr to be set, and
when that happens the failing transaction should be retried until cerr reaches
0 and only then should USBSTS_ERRINT be set (and inactive cleared and
USBSTS_INT set if requested).

Since we don't have any hardware level errors (and in case of redirection
the real hardware has already retried), re-trying makes no sense, so
immediately set cerr to 0 on errors which set XactErr.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

As clearly stated in the 2.3.2 of the EHCI spec, any time USBERRINT get
sets then if the td has its IOC bit set USBINT should be set as well.

This means that for any status except for USB_RET_NAK we should set
USBINT if the IOC bit is set.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The purpose of the IAAD bit / the doorbell is to make the ehci controller
forget about cached qhs, this is mainly used when cancelling transactions,
the qh is unlinked from the async schedule and then the doorbell gets rung,
once the doorbell is acked by the controller the hcd knows that the qh is
no longer in use and that it can do something else with the memory, such
as re-use it for a new qh! But we keep our struct representing this qh around
for circa 250 ms. This allows for a (mightily large) race window where the
following could happen:
-hcd submits a qh at address 0xdeadbeef
-our ehci code sees the qh, sends a request to a usb-device, gets a result
 of USB_RET_ASYNC, sets the async_state of the qh to EHCI_ASYNC_INFLIGHT
-hcd unlinks the qh at address 0xdeadbeef
-hcd rings the doorbell, wait for us to ack it
-hcd re-uses the qh at address 0xdeadbeef
-our ehci code sees the qh, looks in the async_queue, sees there already is
 a qh at address 0xdeadbeef there with async_state of EHCI_ASYNC_INFLIGHT,
 does nothing
-the *original* (which the hcd thinks it has cancelled) transaction finishes
-our ehci code sees the qh on yet another pass through the async list,
 looks in the async_queue, sees there already is a qh at address 0xdeadbeef
 there with async_state of EHCI_ASYNC_COMPLETED, and finished the transaction
 with the results of the *original* transaction.

Not good (tm), this patch fixes this race by removing all qhs which have not
been seen during the last cycle through the async list immidiately when the
doorbell is rung.

Note this patch does not fix any actually observed problem, but upon
reading of the EHCI spec it became apparent to me that the above race could
happen and the usb-ehci behavior from before this patch is not good.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Before this patch USB 2 devices with interrupt endpoints were not working
properly. The problem is that to avoid loops we stop processing as soon
as we encounter a queue-head (qh) we've already seen since qhs can be linked
in a circular fashion, this is tracked by the seen flag in our qh struct.

The resetting of the seen flag is done from ehci_queues_rip_unused which
before this patch was only called when executing the statemachine for the
async schedule.

But packets for interrupt endpoints are part of the periodic schedule! So what
would happen is that when there were no ctrl or bulk packets for a USB 2
device with an interrupt endpoint, the async schedule would become non
active, then ehci_queues_rip_unused would no longer get called and when
processing the qhs for the interrupt endpoints from the periodic schedule
their seen bit would still be 1 and they would be skipped.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

qhs can be part of both the async and the periodic schedule, as is shown
in later patches in this series it is useful to keep track of the qhs on
a per schedule basis.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Before this patch the T-bit was not checked in 2 places, while it should be.

Once we properly check the T-bit everywhere we no longer need the weird
entry < 0x1000 and entry > 0x1000 checks, so this patch removes them.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Since we don't use usb_desc.c we need to do this ourselves. This fixes
iso transfers no longer working for USB 2 devices due to the ep->type
check in ehci.c
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

* 's390-for-upstream' of git://repo.or.cz/qemu/agraf:
  Move helpers.h to helper.h
  s390: Rework kernel loading: supports elf and newer kernels

Provides a file naming scheme consistent with other targets.
Signed-off-by: NLluís Vilanova <vilanova@ac.upc.edu>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This reworks the image loading on s390.

Newer kernels will not always have a 0dd0 (basr 13,0) at address 0x10000.
We must not rely on specific code at certain  addresses. This check was
introduced to warn users that tried to load vmlinux, since ELF loading
was not supported. Lets wire that up. If elf loading fails, we assume
that this is a standard kernel image and load that via load_image_targphys.
This patch also changes all other users of load_image to
load_image_targphys to be consistent. (the elf loader registers the kernel
as rom).
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Commit e58ac72b6a0 ("ioport: change portio_list not to use
memory_region_set_offset()") started using aliases of I/O memory
regions.  Since the IORange used for the I/O was contained in the
target region, the alias information (specifically, the offset
into the region) was lost.  This broke -vga std.

Fix by allocating an independent object to hold the IORange and
also the new offset.

Note that I/O memory regions were conceptually broken wrt aliases
in a different way: an alias can cause the same region to appear
twice in an address space, but we had just one IORange to service it.
This patch fixes that problem as well, since we can now have multiple
IORange/MemoryRegion associations.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Previously all callers had a containing object with a destructor that
could be used to trigger cleanup of the IORange objects (typically
just freeing the containing object), but a forthcoming memory API
change doesn't fit this pattern.  Rather than setting up a new global
table, extend the ioport system to support destructors.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The TCG targets i386 and tci needed a change of the function
prototype for w64.

This change is currently not needed here, but it can be applied
to avoid code differences.

Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The TCG targets i386 and tci needed a change of the function
prototype for w64.

This change is currently not needed for the other TCG targets,
but it can be applied to avoid code differences.

Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

flush_icache_range takes two address parameters which must be large
enough to address any address of the host.

For hosts with sizeof(unsigned long) == sizeof(void *), this patch
changes nothing. All currently supported hosts fall into this category.

For w64 hosts, sizeof(unsigned long) is 4 while sizeof(void *) is 8,
so the use of tcg_target_ulong is needed for i386 and tci (the tcg
targets which work with w64).
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This change makes tcg_target_ulong available in tcg-target.h.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

ram_addr_t must be large enough to address any address of the host.

For hosts with sizeof(unsigned long) == sizeof(void *), this patch
changes nothing. All currently supported hosts fall into this category.

For w64 hosts, sizeof(unsigned long) is 4 while sizeof(void *) is 8,
so the use of uintptr_t is needed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'upstream' of git://qemu.weilnetz.de/qemu:
  Move definition of HOST_LONG_BITS to qemu-common.h
  target-xtensa: Clean includes
  target-unicore32: Clean includes
  target-sh4: Clean includes
  target-s390x: Clean includes
  target-ppc: Clean includes
  target-mips: Clean includes
  target-microblaze: Clean includes
  target-m68k: Clean includes
  target-lm32: Clean includes
  target-i386: Clean includes
  target-cris: Clean includes
  target-arm: Clean includes
  target-alpha: Clean includes
  Remove macro HOST_LONG_SIZE

This was a breakage of 3741715c.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Acked-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'arm-devs.for-upstream' of git://git.linaro.org/people/pmaydell/qemu-arm:
  hw/arm11mpcore: Fix broken realview_mpcore/arm11mpcore_priv properties
  arm: add device tree support
  arm: make sure that number of irqs can be represented in GICD_TYPER.
  arm: clean up GIC constants

* 'xtensa' of git://jcmvbkbc.spb.ru/dumb/qemu-xtensa:
  target-xtensa: add breakpoint tests
  target-xtensa: add DEBUG_SECTION to overlay tool
  target-xtensa: add DBREAK data breakpoints
  exec: let cpu_watchpoint_insert accept larger watchpoints
  exec: fix check_watchpoint exiting cpu_loop
  exec: add missing breaks to the watch_mem_write
  target-xtensa: add ICOUNT SR and debug exception
  target-xtensa: implement instruction breakpoints
  target-xtensa: add DEBUGCAUSE SR and configuration
  target-xtensa: fetch 3rd opcode byte only when needed
  target-xtensa: implement info tlb monitor command
  target-xtensa: define TLB_TEMPLATE for MMU-less cores

Fix confusion in the Property arrays for the "arm11mpcore_priv"
(per-CPU devices for the ARM11MPcore CPU) and "realview_mpcore"
(realview-eb board specific device encapsulating CPU and some
extra interrupt controllers) -- the num-irq property was defined
on the wrong device and the mpcore_rirq_properties were defined
as offsets in the wrong structure. The effect was that the
realview-eb-mpcore machine would abort on startup trying to
allocate an insane amount of memory. (This bug was introduced in
the QOM conversion in commit 999e12bb.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

If compiled with CONFIG_FDT, allow user to specify a device tree file using
the -dtb argument.  If the machine supports it then the dtb will be loaded
into memory and passed to the kernel on boot.
Signed-off-by: NJeremy Kerr <jeremy.kerr@canonical.com>
Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>
[Peter Maydell: Use machine opt rather than global to pass dtb filename]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

We currently assume that the number of interrupts (ITLinesNumber in
the architecture reference manual) is divisible by 32, since we
present it to the guest when it reads GICD_TYPER (in gic_dist_readb())
as (N / 32) - 1.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Interrupts numbers 0-31 are private to the processor interface, 32-1019 are
general interrupts.  Add GIC_INTERNAL and substitute everywhere.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
[Peter Maydell: converted some tabs to spaces]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

* qemu-kvm/memory/urgent:
  kvm: fix unaligned slots

* qemu-kvm/memory/core: (30 commits)
  memory: allow phys_map tree paths to terminate early
  memory: unify PhysPageEntry::node and ::leaf
  memory: change phys_page_set() to set multiple pages
  memory: switch phys_page_set() to a recursive implementation
  memory: replace phys_page_find_alloc() with phys_page_set()
  memory: simplify multipage/subpage registration
  memory: give phys_page_find() its own tree search loop
  memory: make phys_page_find() return a MemoryRegionSection
  memory: move tlb flush to MemoryListener commit callback
  memory: unify the two branches of cpu_register_physical_memory_log()
  memory: fix RAM subpages in newly initialized pages
  memory: compress phys_map node pointers to 16 bits
  memory: store MemoryRegionSection pointers in phys_map
  memory: unify phys_map last level with intermediate levels
  memory: remove first level of l1_phys_map
  memory: change memory registration to rebuild the memory map on each change
  memory: support stateless memory listeners
  memory: split memory listener for the two address spaces
  xen: ignore I/O memory regions
  memory: allow MemoryListeners to observe a specific address space
  ...

* qemu-kvm/uq/master:
  pc-bios: update kvmvapic.bin
  kvmvapic: Use optionrom helpers
  optionsrom: Reserve space for checksum
  kvmvapic: Simplify mp/up_set_tpr
  kvmvapic: Introduce TPR access optimization for Windows guests
  kvmvapic: Add option ROM
  target-i386: Add infrastructure for reporting TPR MMIO accesses
  Allow to use pause_all_vcpus from VCPU context
  Process pending work while waiting for initial kick-off in TCG mode
  Remove useless casts from cpu iterators
  kvm: Set cpu_single_env only once
  kvm: Synchronize cpu state in kvm_arch_stop_on_emulation_error()

kvm_set_phys_mem() may be passed sections that are not aligned to a page
boundary.  The current code simply brute-forces the alignment which leads
to an inconsistency and an abort().

Fix by aligning the start and the end of the section correctly, discarding
and unaligned head or tail.

This was triggered by a guest sizing a 64-bit BAR that is smaller than a page
with PCI_COMMAND_MEMORY enabled and the upper dword clear.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NAvi Kivity <avi@redhat.com>