The target payloads in cmsg conversions may not have the alignment
required by the host. Using the get_user and put_user functions is
the easiest way to handle this and also do the byte-swapping we
require.

(Note that prior to this commit target_to_host_cmsg was incorrectly
using __put_user() rather than __get_user() for the SCM_CREDENTIALS
conversion, which meant it wasn't getting the benefit of the
misalignment handling.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

The previous code for handling payload length when converting
cmsg structures from host to target had a number of problems:
 * we required the msg->msg_controllen to declare the buffer
   to have enough space for final trailing padding (we were
   checking against CMSG_SPACE), whereas the kernel does not
   require this, and common userspace code assumes this. (In
   particular, glibc's "try to talk to nscd" code that it will
   run on startup will receive a cmsg with a 4 byte payload and
   only allocate 4 bytes for it, which was causing us to do
   the wrong thing on architectures that need 8-alignment.)
 * we weren't correctly handling the fact that the SO_TIMESTAMP
   payload may be larger for the target than the host
 * we weren't marking the messages with MSG_CTRUNC when we did
   need to truncate a message that wasn't truncated by the host,
   but were instead logging a QEMU message; since truncation is
   always the result of a guest giving us an insufficiently
   sized buffer, we should report it to the guest as the kernel
   does and don't log anything

Rewrite the parts of the function that deal with length to
fix these issues, and add a comment in target_to_host_cmsg
to explain why the overflow logging it does is a QEMU bug,
not a guest issue.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

TARGET_ELF_PAGESTART is required to use abi_ulong to correctly handle
addresses for different target bits width.
This patch fixes a problem when running a 64-bit user mode application
on 32-bit host machines.
Signed-off-by: NYongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

We store all struct types in an array of static size without ever
checking whether we overrun it. Of course some day someone (like me
in another, ancient ALSA enabling patch set) will run into the limit
without realizing it.

So let's make the allocation dynamic. We already know the number of
structs that we want to allocate, so we only need to pass the variable
into the respective piece of code.

Also, to ensure we don't accidently overwrite random memory, add some
asserts to sanity check whether a thunk is actually part of our array.
Signed-off-by: NAlexander Graf <agraf@suse.de>
Signed-off-by: NRiku Voipio <riku.voipio@linaro.org>

# gpg: Signature made Fri Jun 12 13:57:20 2015 BST using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/net-pull-request:
  qmp/hmp: add rocker device support
  rocker: bring link up/down on PHY enable/disable
  rocker: update tests using hw-derived interface names
  rocker: Add support for phys name
  iohandler: Change return type of qemu_set_fd_handler to "void"
  event-notifier: Always return 0 for posix implementation
  xen_backend: Remove unused error handling of qemu_set_fd_handler
  oss: Remove unused error handling of qemu_set_fd_handler
  alsaaudio: Remove unused error handling of qemu_set_fd_handler
  main-loop: Drop qemu_set_fd_handler2
  Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler
  tap: Drop tap_can_send
  net/socket: Drop net_socket_can_send
  netmap: Drop netmap_can_send
  l2tpv3: Drop l2tpv3_can_send
  stubs: Add qemu_set_fd_handler
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

sh4 linux-user cpu and hwcap
misc optimizations and cleanup
convert r2d to new MMIO accessor style

# gpg: Signature made Fri Jun 12 11:28:43 2015 BST using RSA key ID 1DDD8C9B
# gpg: Good signature from "Aurelien Jarno <aurelien@aurel32.net>"
# gpg:                 aka "Aurelien Jarno <aurelien@jarno.fr>"
# gpg:                 aka "Aurelien Jarno <aurel32@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 8C9B

* remotes/aurel/tags/pull-sh4-next-20150612:
  target-sh4: remove dead code
  target-sh4: factorize fmov implementation
  target-sh4: split out Q and M from of SR and optimize div1
  target-sh4: optimize negc using add2 and sub2
  target-sh4: optimize subc using sub2
  target-sh4: optimize addc using add2
  target-sh4: Split out T from SR
  target-sh4: use bit number for SR constants
  sh4/r2d: convert to new MMIO accessor style
  linux-user: Add HWCAP for SH4
  linux-user: Default sh4 to sh7785
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Add QMP/HMP support for rocker devices.  This is mostly for debugging purposes
to see inside the device's tables and port configurations.  Some examples:

(qemu) info rocker sw1
name: sw1
id: 0x0000013512005452
ports: 4

(qemu) info rocker-ports sw1
            ena/    speed/ auto
      port  link    duplex neg?
     sw1.1  up     10G  FD  No
     sw1.2  up     10G  FD  No
     sw1.3  !ena   10G  FD  No
     sw1.4  !ena   10G  FD  No

(qemu) info rocker-of-dpa-flows sw1
prio tbl hits key(mask) --> actions
2    60       pport 1 vlan 1 LLDP src 00:02:00:00:02:00 dst 01:80:c2:00:00:0e
2    60       pport 1 vlan 1 ARP src 00:02:00:00:02:00 dst 00:02:00:00:03:00
2    60       pport 2 vlan 2 IPv6 src 00:02:00:00:03:00 dst 33:33:ff:00:00:02 proto 58
3    50       vlan 2 dst 33:33:ff:00:00:02 --> write group 0x32000001 goto tbl 60
2    60       pport 2 vlan 2 IPv6 src 00:02:00:00:03:00 dst 33:33:ff:00:03:00 proto 58
3    50  1    vlan 2 dst 33:33:ff:00:03:00 --> write group 0x32000001 goto tbl 60
2    60       pport 2 vlan 2 ARP src 00:02:00:00:03:00 dst 00:02:00:00:02:00
3    50  2    vlan 2 dst 00:02:00:00:02:00 --> write group 0x02000001 goto tbl 60
2    60  1    pport 2 vlan 2 IP src 00:02:00:00:03:00 dst 00:02:00:00:02:00 proto 1
3    50  2    vlan 1 dst 00:02:00:00:03:00 --> write group 0x01000002 goto tbl 60
2    60  1    pport 1 vlan 1 IP src 00:02:00:00:02:00 dst 00:02:00:00:03:00 proto 1
2    60       pport 1 vlan 1 IPv6 src 00:02:00:00:02:00 dst 33:33:ff:00:00:01 proto 58
3    50       vlan 1 dst 33:33:ff:00:00:01 --> write group 0x31000000 goto tbl 60
2    60       pport 1 vlan 1 IPv6 src 00:02:00:00:02:00 dst 33:33:ff:00:02:00 proto 58
3    50  1    vlan 1 dst 33:33:ff:00:02:00 --> write group 0x31000000 goto tbl 60
1    60  173  pport 2 vlan 2 LLDP src <any> dst 01:80:c2:00:00:0e --> write group 0x02000000
1    60  6    pport 2 vlan 2 IPv6 src <any> dst <any> --> write group 0x02000000
1    60  174  pport 1 vlan 1 LLDP src <any> dst 01:80:c2:00:00:0e --> write group 0x01000000
1    60  174  pport 2 vlan 2 IP src <any> dst <any> --> write group 0x02000000
1    60  6    pport 1 vlan 1 IPv6 src <any> dst <any> --> write group 0x01000000
1    60  181  pport 2 vlan 2 ARP src <any> dst <any> --> write group 0x02000000
1    10  715  pport 2 --> apply new vlan 2 goto tbl 20
1    60  177  pport 1 vlan 1 ARP src <any> dst <any> --> write group 0x01000000
1    60  174  pport 1 vlan 1 IP src <any> dst <any> --> write group 0x01000000
1    10  717  pport 1 --> apply new vlan 1 goto tbl 20
1    0   1432 pport 0(0xffff) --> goto tbl 10

(qemu) info rocker-of-dpa-groups sw1
id (decode) --> buckets
0x32000001 (type L2 multicast vlan 2 index 1) --> groups [0x02000001,0x02000000]
0x02000001 (type L2 interface vlan 2 pport 1) --> pop vlan out pport 1
0x01000002 (type L2 interface vlan 1 pport 2) --> pop vlan out pport 2
0x02000000 (type L2 interface vlan 2 pport 0) --> pop vlan out pport 0
0x01000000 (type L2 interface vlan 1 pport 0) --> pop vlan out pport 0
0x31000000 (type L2 multicast vlan 1 index 0) --> groups [0x01000002,0x01000000]

[Added "query-" prefixes to rocker.json commands as suggested by Eric
Blake <eblake@redhat.com>.
--Stefan]
Signed-off-by: NScott Feldman <sfeldma@gmail.com>
Signed-off-by: NJiri Pirko <jiri@resnulli.us>
Message-id: 1433985681-56138-5-git-send-email-sfeldma@gmail.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

When the OS driver enables/disables the port, go ahead and set the port's
link status to up/down in response to the change.  This more closely
emulates real hardware when the PHY for the port is brought up/down
and the PHY negotiates carrier (link status) with link partner.  In
the case of qemu, the virtual rocker device can't really do link
negotiation with the link partner as that requires signally over a
physical medium (the wire), so just pretend the negotiation was
successful and bring the link up when the port is enabled.
Signed-off-by: NScott Feldman <sfeldma@gmail.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1433985681-56138-4-git-send-email-sfeldma@gmail.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

With previous patch to support phy name attribute for each port, the OS
can name port interfaces using the hw-derived name.  So update rocker
tests to use the new hw-derived interface names.
Signed-off-by: NScott Feldman <sfeldma@gmail.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Message-id: 1433985681-56138-3-git-send-email-sfeldma@gmail.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Add ROCKER_TLV_CMD_PORT_SETTINGS_PHYS_NAME to port settings. This attribute
exports the port name to the guest OS allowing it to name interfaces with
sensible defaults.

Mostly done by Scott for phys_id support; adapted to phys_name by David.
Signed-off-by: NScott Feldman <sfeldma@gmail.com>
Signed-off-by: NDavid Ahern <dsahern@gmail.com>
Message-id: 1433985681-56138-2-git-send-email-sfeldma@gmail.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-14-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

qemu_set_fd_handler cannot fail, let's always return 0.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-13-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The function cannot fail, so the check is superfluous.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-12-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The function cannot fail, so the check is superfluous.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-11-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

The function cannot fail, so the check is superfluous.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-10-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

All users are converted to qemu_set_fd_handler now, drop
qemu_set_fd_handler2 and IOHandlerRecord.fd_read_poll.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-9-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Done with following Coccinelle semantic patch, plus manual cosmetic changes in
net/*.c.

    @@
    expression E1, E2, E3, E4;
    @@
    -   qemu_set_fd_handler2(E1, NULL, E2, E3, E4);
    +   qemu_set_fd_handler(E1, E2, E3, E4);
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-8-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This callback is called by main loop before polling s->fd, if it returns
false, the fd will not be polled in this iteration.

This is redundant with checks inside read callback. After this patch,
the data will be sent to peer when it arrives. If the device can't
receive, it will be queued to incoming_queue, and when the device status
changes, this queue will be flushed.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-7-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This callback is called by main loop before polling s->fd, if it returns
false, the fd will not be polled in this iteration.

This is redundant with checks inside read callback. After this patch,
the data will be sent to peer when it arrives. If the device can't
receive, it will be queued to incoming_queue, and when the device status
changes, this queue will be flushed.

If the peer is not ready, disable the read poll until send completes.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-6-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This callback is called by main loop before polling s->fd, if it returns
false, the fd will not be polled in this iteration.

This is redundant with checks inside read callback. After this patch,
the data will be copied from s->fd to s->iov when it arrives. If the
device can't receive, it will be queued to incoming_queue, and when the
device status changes, this queue will be flushed.

Also remove the qemu_can_send_packet() check in netmap_send. If it's
true, we are good; if it's false, the qemu_sendv_packet_async would
return 0 and read poll will be disabled until netmap_send_completed is
called.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-5-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

This callback is called by main loop before polling s->fd, if it returns
false, the fd will not be polled in this iteration.

This is redundant with checks inside read callback. After this patch,
the data will be copied from s->fd to s->msgvec when it arrives. If the
device can't receive, it will be queued to incoming_queue, and when the
device status changes, this queue will be flushed.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-4-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Some qemu_set_fd_handler2 stub callers will be converted to
call qemu_set_fd_handler, add this stub for them before making the
change.
Signed-off-by: NFam Zheng <famz@redhat.com>
Message-id: 1433400324-7358-2-git-send-email-famz@redhat.com
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

MIPS patches 2015-06-12

Changes:
* improve dp8393x network card and rc4030 chipset emulation
* support misaligned R6 and MSA memory accesses
* support MIPS eXtended and Large Physical Addressing
* add Config5.FRE bit and ERETNC instruction (Config5.LLB)
* support ememsize on MALTA

# gpg: Signature made Fri Jun 12 09:38:11 2015 BST using RSA key ID 0B29DA6B
# gpg: Good signature from "Leon Alrae <leon.alrae@imgtec.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 DA6B

* remotes/lalrae/tags/mips-20150612: (29 commits)
  target-mips: enable XPA and LPA features
  target-mips: remove misleading comments in translate_init.c
  target-mips: add MTHC0 and MFHC0 instructions
  target-mips: add CP0.PageGrain.ELPA support
  target-mips: support Page Frame Number Extension field
  target-mips: extend selected CP0 registers to 64-bits in MIPS32
  target-mips: correct MFC0 for CP0.EntryLo in MIPS64
  net/dp8393x: fix hardware reset
  net/dp8393x: correctly reset in_use field
  net/dp8393x: add load/save support
  net/dp8393x: add PROM to store MAC address
  net/dp8393x: QOM'ify
  net/dp8393x: use dp8393x_ prefix for all functions
  net/dp8393x: do not use old_mmio accesses
  net/dp8393x: always calculate proper checksums
  dma/rc4030: convert to QOM
  dma/rc4030: use trace events instead of custom logging
  dma/rc4030: document register at offset 0x210
  dma/rc4030: do not use old_mmio accesses
  dma/rc4030: use AddressSpace and address_space_rw in users
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

migration/next for 20150612

# gpg: Signature made Fri Jun 12 05:56:21 2015 BST using RSA key ID 5872D723
# gpg: Good signature from "Juan Quintela <quintela@redhat.com>"
# gpg:                 aka "Juan Quintela <quintela@trasno.org>"

* remotes/juanquintela/tags/migration/20150612: (21 commits)
  Remove unneeded memset
  Rename RDMA structures to make destination clear
  Teach analyze-migration.py about section footers
  Add a protective section footer
  Disable section footers on older machine types
  Merge section header writing
  Move loadvm_handlers into MigrationIncomingState
  Move copy out of qemu_peek_buffer
  Create MigrationIncomingState
  qemu_ram_foreach_block: pass up error value, and down the ramblock name
  Split header writing out of qemu_savevm_state_begin
  Add qemu_get_counted_string to read a string prefixed by a count byte
  migration: Use normal VMStateDescriptions for Subsections
  migration: create savevm_state
  migration: Remove duplicated assignment of SETUP status
  rdma: Fix qemu crash when IPv6 address is used for migration
  arch_init: Clean up the duplicate variable 'len' defining in ram_load()
  migration: reduce include files
  migration: Add myself to the copyright list of both files
  migration: move savevm.c inside migration/
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Splitting Q and M out of SR, it's possible to optimize div1 by using
TCG code instead of an helper.

At the same time removed the now unused gen_copy_bit_i32 function.
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

In preparation for more efficient setting of this field.
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Use the bit number for SR constants instead of using a bit mask. This
make possible to also use the constants for shifts.
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

The documentation is clear to use 16-bit accesses for all registers.
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Only exposing FPU and LLSC as the only features
supported by the translator.
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Signed-off-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Enable XPA in MIPS32R5-generic and LPA in MIPS64R6-generic.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

PABITS are not hardcoded to 36 bits and we do not model 59 PABITS (which is
the architectural limit) in QEMU.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

Implement MTHC0 and MFHC0 instructions. In MIPS32 they are used to access
upper word of extended to 64-bits CP0 registers.

In MIPS64, when CP0 destination register specified is the EntryLo0 or
EntryLo1, bits 1:0 of the GPR appear at bits 31:30 of EntryLo0 or
EntryLo1. This is to compensate for RI and XI, which were shifted to bits
63:62 by MTC0 to EntryLo0 or EntryLo1. Therefore creating separate
functions for EntryLo0 and EntryLo1.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

CP0.PageGrain.ELPA enables support for large physical addresses. This field
is encoded as follows:
0: Large physical address support is disabled.
1: Large physical address support is enabled.

If this bit is a 1, the following changes occur to coprocessor 0 registers:
- The PFNX field of the EntryLo0 and EntryLo1 registers is writable and
  concatenated with the PFN field to form the full page frame number.
- Access to optional COP0 registers with PA extension, LLAddr, TagLo is
  defined.

P5600 can operate in 32-bit or 40-bit Physical Address Mode. Therefore if
XPA is disabled (CP0.PageGrain.ELPA = 0) then assume 32-bit Address Mode.
In MIPS64 assume 36 as default PABITS (when CP0.PageGrain.ELPA = 0).

env->PABITS value is constant and indicates maximum PABITS available on
a core, whereas env->PAMask is calculated from env->PABITS and is also
affected by CP0.PageGrain.ELPA.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>

Update tlb->PFN to contain PFN concatenated with PFNX. PFNX is 0 if large
physical address is not supported.
Signed-off-by: NLeon Alrae <leon.alrae@imgtec.com>
Reviewed-by: NAurelien Jarno <aurelien@aurel32.net>