Following on from the previous commit, we can also do the same with
with legacy OBIO interrupts in pci_pbmA_map_irq().
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

This enables us to remove the static array mapping in the ISA IRQ
handler (and the embedded reference to the APB device) by formalising
the interrupt wiring via the qdev GPIO API.

For more clarity we replace the APB OBIO interrupt numbers with constants
designating the interrupt source, and rename isa_irq_handler() to
ebus_isa_irq_handler().
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

Since the previous commit the only remaining use of the qdev busA property is
to configure the PCI bridge in front of the onboard ebus devices differently
to allow early OpenBIOS serial console access.

Instead we can now manually update the PCI configuration for bridge A in
pci_pbm_reset() and thus completely remove the busA property from the
PBMPCIBridge state.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>

After the previous refactoring it is now possible to use separate functions
to improve the clarity of the interrupt paths.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>

By making the special_base and mem_base values qdev properties, we can move
the remaining parts of pci_apb_init() into the pbm init() and realize()
functions.

This finally allows us to instantiate the APB directly using standard qdev
create/init functions in sun4u.c.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

This enables us to remove these parameters from pci_apb_init().
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>

This is a first step towards removing pci_apb_init() completely.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>

Use DeviceClass rather than SysBusDeviceClass in pbm_host_class_init() and
adjust pci_pbm_init_device() accordingly.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

This belongs in the PCI-ISA bridge rather than at the machine level.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>

This is initialisation that should really take place in the ebus realize
function. As part of this we also rework the ebus IRQ mapping so that
instead of having to pass in the array of pbm_irqs, we obtain a reference
to them by looking up the APB device during ebus realize.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

Since the EBus is effectively a PCI-ISA bridge then the underlying ISA bus
should be contained within the PCI bridge itself.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

The main change here is to introduce the proper TYPE_EBUS/EBUS QOM macros
and remove the use of DO_UPCAST.

Alongside this there are some a couple of minor cosmetic changes and a rename
of pci_ebus_realize() to ebus_realize() since the ebus device is always what
is effectively a PCI-ISA bridge.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

This also includes the related IOMMUState typedef and defines.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: NArtyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>

This code is preventing the MMU debug code from displaying virtual
mappings of IO devices (anything that is not located in the RAM).

Before this patch, Qemu would output 0xffffffffffffffff (-1) as the
physical address corresponding to an IO device virtual address.

With this patch the intended physical address is displayed.
Signed-off-by: NJean-Christophe Dubois <jcd@tribudubois.net>
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

nbd patches for 2018-01-08

- Eric Blake: 0/2 Optimize sparse reads over NBD
- Murilo Opsfelder Araujo: block/nbd: fix segmentation fault when .desc is not null-terminated

# gpg: Signature made Mon 08 Jan 2018 15:21:19 GMT
# gpg:                using RSA key 0xA7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>"
# gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
# gpg:                 aka "[jpeg image of size 6874]"
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2018-01-08:
  block/nbd: fix segmentation fault when .desc is not null-terminated
  nbd/server: Optimize final chunk of sparse read
  nbd/server: Implement sparse reads atop structured reply
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

- Aneesh no longer listed in MAINTAINERS,
- deprecation of the handle backend,
- improved error reporting, especially when the local backend fails to
  open the VirtFS root,
- virtio-9p-test to behave more like a real virtio guest driver: set
  DRIVER_OK when ready to use the device and process the used ring
  for completed requests,
- cosmetic fixes (mostly coding style related).

# gpg: Signature made Mon 08 Jan 2018 10:19:18 GMT
# gpg:                using RSA key 0x71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg:                 aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg:                 aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3  4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
  MAINTAINERS: Drop Aneesh as 9pfs maintainer
  9pfs: deprecate handle backend
  fsdev: improve error handling of backend init
  fsdev: improve error handling of backend opts parsing
  tests: virtio-9p: set DRIVER_OK before using the device
  tests: virtio-9p: fix ISR dependence
  9pfs: make pdu_marshal() and pdu_unmarshal() static functions
  9pfs: fix error path in pdu_submit()
  9pfs: fix type in *_parse_opts declarations
  9pfs: handle: fix type definition
  9pfs: fix some type definitions
  fsdev: fix some type definitions
  9pfs: fix XattrOperations typedef
  virtio-9p: move unrealize/realize after virtio_9p_transport definition
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

# gpg: Signature made Thu 04 Jan 2018 16:37:32 GMT
# gpg:                using RSA key 0xF30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier/tags/m68k-for-2.12-pull-request:
  target/m68k: fix m68k_cpu_dump_state()
  target/m68k: add the Interrupt Stack Pointer
  target/m68k: add andi/ori/eori to SR/CCR
  target/m68k: add 680x0 "move to SR" instruction
  target/m68k: move CCR/SR functions
  target/m68k: implement fsave/frestore
  target/m68k: add reset
  target/m68k: add cpush/cinv
  target/m68k: softmmu cleanup
  target/m68k: add move16
  target/m68k: add chk and chk2
  target/m68k: manage 680x0 stack frames
  target/m68k: add CPU_LOG_INT trace
  target/m68k: use insn_pc to generate instruction fault address
  linux-user, m68k: correctly manage SR in context
  target/m68k: fix gen_get_ccr()
  target-m68k: sync CC_OP before gen_jmp_tb()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

# gpg: Signature made Tue 02 Jan 2018 13:51:26 GMT
# gpg:                using RSA key 0xDAE8E10975969CE5
# gpg: Good signature from "Marc-André Lureau <marcandre.lureau@redhat.com>"
# gpg:                 aka "Marc-André Lureau <marcandre.lureau@gmail.com>"
# Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 9CE5

* remotes/elmarco/tags/dump-pull-request:
  dump-guest-memory.py: fix "You can't do that without a process to debug"
  dump: fix note_name_equal()
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

In commit c97d6d2c we accidentally added code to configure
that uses '==' for string equality testing. This is a bashism --
the portable way to write this is '='.

This fixes the "Unexpected operator error" complaint produced
if the system /bin/sh is dash.

Fixes: c97d6d2cReported-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 1515431442-23795-1-git-send-email-peter.maydell@linaro.org

Queued TCG patches

# gpg: Signature made Fri 29 Dec 2017 20:44:06 GMT
# gpg:                using RSA key 0x64DF38E8AF7E215F
# gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>"
# Primary key fingerprint: 7A48 1E78 868B 4DB6 A85A  05C0 64DF 38E8 AF7E 215F

* remotes/rth/tags/pull-tcg-20171229:
  tcg: add cs_base and flags to -d exec output
  tcg: Allow 6 arguments to TCG helpers
  tcg: Add tcg_signed_cond
  tcg: Generalize TCGOp parameters
  tcg: Dynamically allocate TCGOps
  tcg: Remove TCGV_UNUSED* and TCGV_IS_UNUSED*
  target/moxie: Fix tlb_fill
  target/*helper: don't check retaddr before calling cpu_restore_state
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

The find_desc_by_name() from util/qemu-option.c relies on the .name not being
NULL to call strcmp(). This check becomes unsafe when the list is not
NULL-terminated, which is the case of nbd_runtime_opts in block/nbd.c, and can
result in segmentation fault when strcmp() tries to access an invalid memory:

    #0 0x00007fff8c75f7d4 in __strcmp_power9 () from /lib64/libc.so.6
    #1 0x00000000102d3ec8 in find_desc_by_name (desc=0x1036d6f0, name=0x28e46670 "server.path") at util/qemu-option.c:166
    #2 0x00000000102d93e0 in qemu_opts_absorb_qdict (opts=0x28e47a80, qdict=0x28e469a0, errp=0x7fffec247c98) at util/qemu-option.c:1026
    #3 0x000000001012a2e4 in nbd_open (bs=0x28e42290, options=0x28e469a0, flags=24578, errp=0x7fffec247d80) at block/nbd.c:406
    #4 0x00000000100144e8 in bdrv_open_driver (bs=0x28e42290, drv=0x1036e070 <bdrv_nbd_unix>, node_name=0x0, options=0x28e469a0, open_flags=24578, errp=0x7fffec247f50) at block.c:1135
    #5 0x0000000010015b04 in bdrv_open_common (bs=0x28e42290, file=0x0, options=0x28e469a0, errp=0x7fffec247f50) at block.c:1395

>From gdb, the desc[i].name was not NULL and resulted in strcmp() accessing an
invalid memory:

    >>> p desc[5]
    $8 = {
      name = 0x1037f098 "R27A",
      type = 1561964883,
      help = 0xc0bbb23e <error: Cannot access memory at address 0xc0bbb23e>,
      def_value_str = 0x2 <error: Cannot access memory at address 0x2>
    }
    >>> p desc[6]
    $9 = {
      name = 0x103dac78 <__gcov0.do_qemu_init_bdrv_nbd_init> "\001",
      type = 272101528,
      help = 0x29ec0b754403e31f <error: Cannot access memory at address 0x29ec0b754403e31f>,
      def_value_str = 0x81f343b9 <error: Cannot access memory at address 0x81f343b9>
    }

This patch fixes the segmentation fault in strcmp() by adding a NULL element at
the end of nbd_runtime_opts.desc list, which is the common practice to most of
other structs like runtime_opts in block/null.c. Thus, the desc[i].name != NULL
check becomes safe because it will not evaluate to true when .desc list reached
its end.
Reported-by: NR. Nageswara Sastry <nasastry@in.ibm.com>
Buglink: https://bugs.launchpad.net/qemu/+bug/1727259Signed-off-by: NMurilo Opsfelder Araujo <muriloo@linux.vnet.ibm.com>
Message-Id: <20180105133241.14141-2-muriloo@linux.vnet.ibm.com>
CC: qemu-stable@nongnu.org
Fixes: 7ccc44fdSigned-off-by: NEric Blake <eblake@redhat.com>

If we are careful to handle 0-length read requests correctly,
we can optimize our sparse read to send the NBD_REPLY_FLAG_DONE
bit on our last OFFSET_DATA or OFFSET_HOLE chunk rather than
needing a separate chunk.
Signed-off-by: NEric Blake <eblake@redhat.com>
Message-Id: <20171107030912.23930-3-eblake@redhat.com>
Reviewed-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

The reason that NBD added structured reply in the first place was
to allow for efficient reads of sparse files, by allowing the
reply to include chunks to quickly communicate holes to the client
without sending lots of zeroes over the wire.  Time to implement
this in the server; our client can already read such data.

We can only skip holes insofar as the block layer can query them;
and only if the client is okay with a fragmented request (if a
client requests NBD_CMD_FLAG_DF and the entire read is a hole, we
could technically return a single NBD_REPLY_TYPE_OFFSET_HOLE, but
that's a fringe case not worth catering to here).  Sadly, the
control flow is a bit wonkier than I would have preferred, but
it was minimally invasive to have a split in the action between
a fragmented read (handled directly where we recognize
NBD_CMD_READ with the right conditions, and sending multiple
chunks) vs. a single read (handled at the end of nbd_trip, for
both simple and structured replies, when we know there is only
one thing being read).  Likewise, I didn't make any effort to
optimize the final chunk of a fragmented read to set the
NBD_REPLY_FLAG_DONE, but unconditionally send that as a separate
NBD_REPLY_TYPE_NONE.
Signed-off-by: NEric Blake <eblake@redhat.com>
Message-Id: <20171107030912.23930-2-eblake@redhat.com>
Reviewed-by: NVladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>

Block layer patches

# gpg: Signature made Fri 22 Dec 2017 14:09:01 GMT
# gpg:                using RSA key 0x7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream: (35 commits)
  block: Keep nodes drained between reopen_queue/multiple
  commit: Simplify reopen of base
  test-bdrv-drain: Test graph changes in drained section
  block: Allow graph changes in subtree drained section
  test-bdrv-drain: Recursive draining with multiple parents
  test-bdrv-drain: Test behaviour in coroutine context
  test-bdrv-drain: Tests for bdrv_subtree_drain
  block: Add bdrv_subtree_drained_begin/end()
  block: Don't notify parents in drain call chain
  test-bdrv-drain: Test nested drain sections
  block: Nested drain_end must still call callbacks
  block: Don't block_job_pause_all() in bdrv_drain_all()
  test-bdrv-drain: Test drain vs. block jobs
  blockjob: Pause job on draining any job BDS
  test-bdrv-drain: Test bs->quiesce_counter
  test-bdrv-drain: Test callback for bdrv_drain
  block: Make bdrv_drain() driver callbacks non-recursive
  block: Assert drain_all is only called from main AioContext
  block: Remove unused bdrv_requests_pending
  block: Mention -drive cyls/heads/secs/trans/serial/addr in deprecation chapter
  ...
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Initial support for the HVF accelerator

# gpg: Signature made Sat 23 Dec 2017 07:51:18 GMT
# gpg:                using RSA key 0xBFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream-hvf:
  i386: hvf: cleanup x86_gen.h
  i386: hvf: remove VM_PANIC from "in"
  i386: hvf: remove addr_t
  i386: hvf: simplify flag handling
  i386: hvf: abort on decoding error
  i386: hvf: remove ZERO_INIT macro
  i386: hvf: remove more dead emulator code
  i386: hvf: unify register enums between HVF and the rest
  i386: hvf: header cleanup
  i386: hvf: move all hvf files in the same directory
  i386: hvf: inject General Protection Fault when vmexit through vmcall
  i386: hvf: refactor event injection code for hvf
  i386: hvf: implement vga dirty page tracking
  i386: refactor KVM cpuid code so that it applies to hvf as well
  i386: hvf: implement hvf_get_supported_cpuid
  i386: hvf: use new helper functions for put/get xsave
  i386: hvf: fix licensing issues; isolate task handling code (GPL v2-only)
  i386: hvf: add code base from Google's QEMU repository
  apic: add function to apic that will be used by hvf
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Aneesh has been working on other topics for some time now. Let's reflect
that in the MAINTAINERS file, so that people stop Cc'ing him.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Acked-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This backend raise some concerns:

- doesn't support symlinks
- fails +100 tests in the PJD POSIX file system test suite [1]
- requires the QEMU process to run with the CAP_DAC_READ_SEARCH
  capability, which isn't recommended for security reasons

This backend should not be used and wil be removed. The 'local'
backend is the recommended alternative.

[1] https://www.tuxera.com/community/posix-test-suite/Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NDaniel P. Berrange <berrange@redhat.com>
Reviewed-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

This patch changes some error messages in the backend init code and
convert backends to propagate QEMU Error objects instead of calling
error_report().

One notable improvement is that the local backend now provides a more
detailed error report when it fails to open the shared directory.
Signed-off-by: NGreg Kurz <groug@kaod.org>

This patch changes some error messages in the backend opts parsing
code and convert backends to propagate QEMU Error objects instead
of calling error_report().
Signed-off-by: NGreg Kurz <groug@kaod.org>

Signed-off-by: NGreg Kurz <groug@kaod.org>

Like other virtio tests, use the used ring APIs instead of assuming ISR
being set means the request has completed.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>

They're only used by the 9p core code.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NEric Blake <eblake@redhat.com>

If we receive an unsupported request id, we first decide to
return -ENOTSUPP to the client, but since the request id
causes is_read_only_op() to return false, we change the
error to be -EROFS if the fsdev is read-only. This doesn't
make sense since we don't know what the client asked for.

This patch ensures that -EROFS can only be returned if the
request id is supported.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NEric Blake <eblake@redhat.com>

To comply with the QEMU coding style.
Signed-off-by: NGreg Kurz <groug@kaod.org>
Reviewed-by: NEric Blake <eblake@redhat.com>

To comply with the QEMU coding style.
Signed-off-by: NGreg Kurz <groug@kaod.org>

To comply with the QEMU coding style.
Signed-off-by: NGreg Kurz <groug@kaod.org>

To comply with the QEMU coding style.
Signed-off-by: NGreg Kurz <groug@kaod.org>

To comply with the QEMU coding style.
Signed-off-by: NGreg Kurz <groug@kaod.org>

And drop the now useless forward declaration of virtio_9p_transport.
Signed-off-by: NGreg Kurz <groug@kaod.org>