This patch removes 2 bits of dead nakcnt code:

1) usb_ehci_execute calls ehci_qh_do_overlay which does:
nakcnt = reload;
and then has a block of code which is conditional on:
if (reload && !nakcnt) {
which ofcourse is never true now as nakcnt == reload.

2) ehci_state_fetchqh does:
nakcnt = reload;
but before nakcnt is ever used ehci_state_fetchqh is always followed
by a ehci_qh_do_overlay call which also does:
nakcnt = reload;
So doing this from ehci_state_fetchqh is redundant.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

cerr should only be decremented on errors which cause XactErr to be set, and
when that happens the failing transaction should be retried until cerr reaches
0 and only then should USBSTS_ERRINT be set (and inactive cleared and
USBSTS_INT set if requested).

Since we don't have any hardware level errors (and in case of redirection
the real hardware has already retried), re-trying makes no sense, so
immediately set cerr to 0 on errors which set XactErr.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

As clearly stated in the 2.3.2 of the EHCI spec, any time USBERRINT get
sets then if the td has its IOC bit set USBINT should be set as well.

This means that for any status except for USB_RET_NAK we should set
USBINT if the IOC bit is set.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The purpose of the IAAD bit / the doorbell is to make the ehci controller
forget about cached qhs, this is mainly used when cancelling transactions,
the qh is unlinked from the async schedule and then the doorbell gets rung,
once the doorbell is acked by the controller the hcd knows that the qh is
no longer in use and that it can do something else with the memory, such
as re-use it for a new qh! But we keep our struct representing this qh around
for circa 250 ms. This allows for a (mightily large) race window where the
following could happen:
-hcd submits a qh at address 0xdeadbeef
-our ehci code sees the qh, sends a request to a usb-device, gets a result
 of USB_RET_ASYNC, sets the async_state of the qh to EHCI_ASYNC_INFLIGHT
-hcd unlinks the qh at address 0xdeadbeef
-hcd rings the doorbell, wait for us to ack it
-hcd re-uses the qh at address 0xdeadbeef
-our ehci code sees the qh, looks in the async_queue, sees there already is
 a qh at address 0xdeadbeef there with async_state of EHCI_ASYNC_INFLIGHT,
 does nothing
-the *original* (which the hcd thinks it has cancelled) transaction finishes
-our ehci code sees the qh on yet another pass through the async list,
 looks in the async_queue, sees there already is a qh at address 0xdeadbeef
 there with async_state of EHCI_ASYNC_COMPLETED, and finished the transaction
 with the results of the *original* transaction.

Not good (tm), this patch fixes this race by removing all qhs which have not
been seen during the last cycle through the async list immidiately when the
doorbell is rung.

Note this patch does not fix any actually observed problem, but upon
reading of the EHCI spec it became apparent to me that the above race could
happen and the usb-ehci behavior from before this patch is not good.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Before this patch USB 2 devices with interrupt endpoints were not working
properly. The problem is that to avoid loops we stop processing as soon
as we encounter a queue-head (qh) we've already seen since qhs can be linked
in a circular fashion, this is tracked by the seen flag in our qh struct.

The resetting of the seen flag is done from ehci_queues_rip_unused which
before this patch was only called when executing the statemachine for the
async schedule.

But packets for interrupt endpoints are part of the periodic schedule! So what
would happen is that when there were no ctrl or bulk packets for a USB 2
device with an interrupt endpoint, the async schedule would become non
active, then ehci_queues_rip_unused would no longer get called and when
processing the qhs for the interrupt endpoints from the periodic schedule
their seen bit would still be 1 and they would be skipped.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

qhs can be part of both the async and the periodic schedule, as is shown
in later patches in this series it is useful to keep track of the qhs on
a per schedule basis.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Before this patch the T-bit was not checked in 2 places, while it should be.

Once we properly check the T-bit everywhere we no longer need the weird
entry < 0x1000 and entry > 0x1000 checks, so this patch removes them.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Since we don't use usb_desc.c we need to do this ourselves. This fixes
iso transfers no longer working for USB 2 devices due to the ep->type
check in ehci.c
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

* 's390-for-upstream' of git://repo.or.cz/qemu/agraf:
  Move helpers.h to helper.h
  s390: Rework kernel loading: supports elf and newer kernels

Provides a file naming scheme consistent with other targets.
Signed-off-by: NLluís Vilanova <vilanova@ac.upc.edu>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This reworks the image loading on s390.

Newer kernels will not always have a 0dd0 (basr 13,0) at address 0x10000.
We must not rely on specific code at certain  addresses. This check was
introduced to warn users that tried to load vmlinux, since ELF loading
was not supported. Lets wire that up. If elf loading fails, we assume
that this is a standard kernel image and load that via load_image_targphys.
This patch also changes all other users of load_image to
load_image_targphys to be consistent. (the elf loader registers the kernel
as rom).
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Commit e58ac72b6a0 ("ioport: change portio_list not to use
memory_region_set_offset()") started using aliases of I/O memory
regions.  Since the IORange used for the I/O was contained in the
target region, the alias information (specifically, the offset
into the region) was lost.  This broke -vga std.

Fix by allocating an independent object to hold the IORange and
also the new offset.

Note that I/O memory regions were conceptually broken wrt aliases
in a different way: an alias can cause the same region to appear
twice in an address space, but we had just one IORange to service it.
This patch fixes that problem as well, since we can now have multiple
IORange/MemoryRegion associations.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Previously all callers had a containing object with a destructor that
could be used to trigger cleanup of the IORange objects (typically
just freeing the containing object), but a forthcoming memory API
change doesn't fit this pattern.  Rather than setting up a new global
table, extend the ioport system to support destructors.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The TCG targets i386 and tci needed a change of the function
prototype for w64.

This change is currently not needed here, but it can be applied
to avoid code differences.

Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The TCG targets i386 and tci needed a change of the function
prototype for w64.

This change is currently not needed for the other TCG targets,
but it can be applied to avoid code differences.

Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

flush_icache_range takes two address parameters which must be large
enough to address any address of the host.

For hosts with sizeof(unsigned long) == sizeof(void *), this patch
changes nothing. All currently supported hosts fall into this category.

For w64 hosts, sizeof(unsigned long) is 4 while sizeof(void *) is 8,
so the use of tcg_target_ulong is needed for i386 and tci (the tcg
targets which work with w64).
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This change makes tcg_target_ulong available in tcg-target.h.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

ram_addr_t must be large enough to address any address of the host.

For hosts with sizeof(unsigned long) == sizeof(void *), this patch
changes nothing. All currently supported hosts fall into this category.

For w64 hosts, sizeof(unsigned long) is 4 while sizeof(void *) is 8,
so the use of uintptr_t is needed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'upstream' of git://qemu.weilnetz.de/qemu:
  Move definition of HOST_LONG_BITS to qemu-common.h
  target-xtensa: Clean includes
  target-unicore32: Clean includes
  target-sh4: Clean includes
  target-s390x: Clean includes
  target-ppc: Clean includes
  target-mips: Clean includes
  target-microblaze: Clean includes
  target-m68k: Clean includes
  target-lm32: Clean includes
  target-i386: Clean includes
  target-cris: Clean includes
  target-arm: Clean includes
  target-alpha: Clean includes
  Remove macro HOST_LONG_SIZE

This was a breakage of 3741715c.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Acked-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'arm-devs.for-upstream' of git://git.linaro.org/people/pmaydell/qemu-arm:
  hw/arm11mpcore: Fix broken realview_mpcore/arm11mpcore_priv properties
  arm: add device tree support
  arm: make sure that number of irqs can be represented in GICD_TYPER.
  arm: clean up GIC constants

* 'xtensa' of git://jcmvbkbc.spb.ru/dumb/qemu-xtensa:
  target-xtensa: add breakpoint tests
  target-xtensa: add DEBUG_SECTION to overlay tool
  target-xtensa: add DBREAK data breakpoints
  exec: let cpu_watchpoint_insert accept larger watchpoints
  exec: fix check_watchpoint exiting cpu_loop
  exec: add missing breaks to the watch_mem_write
  target-xtensa: add ICOUNT SR and debug exception
  target-xtensa: implement instruction breakpoints
  target-xtensa: add DEBUGCAUSE SR and configuration
  target-xtensa: fetch 3rd opcode byte only when needed
  target-xtensa: implement info tlb monitor command
  target-xtensa: define TLB_TEMPLATE for MMU-less cores

Fix confusion in the Property arrays for the "arm11mpcore_priv"
(per-CPU devices for the ARM11MPcore CPU) and "realview_mpcore"
(realview-eb board specific device encapsulating CPU and some
extra interrupt controllers) -- the num-irq property was defined
on the wrong device and the mpcore_rirq_properties were defined
as offsets in the wrong structure. The effect was that the
realview-eb-mpcore machine would abort on startup trying to
allocate an insane amount of memory. (This bug was introduced in
the QOM conversion in commit 999e12bb.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

If compiled with CONFIG_FDT, allow user to specify a device tree file using
the -dtb argument.  If the machine supports it then the dtb will be loaded
into memory and passed to the kernel on boot.
Signed-off-by: NJeremy Kerr <jeremy.kerr@canonical.com>
Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>
[Peter Maydell: Use machine opt rather than global to pass dtb filename]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

We currently assume that the number of interrupts (ITLinesNumber in
the architecture reference manual) is divisible by 32, since we
present it to the guest when it reads GICD_TYPER (in gic_dist_readb())
as (N / 32) - 1.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Interrupts numbers 0-31 are private to the processor interface, 32-1019 are
general interrupts.  Add GIC_INTERNAL and substitute everywhere.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
[Peter Maydell: converted some tabs to spaces]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

* qemu-kvm/memory/urgent:
  kvm: fix unaligned slots

* qemu-kvm/memory/core: (30 commits)
  memory: allow phys_map tree paths to terminate early
  memory: unify PhysPageEntry::node and ::leaf
  memory: change phys_page_set() to set multiple pages
  memory: switch phys_page_set() to a recursive implementation
  memory: replace phys_page_find_alloc() with phys_page_set()
  memory: simplify multipage/subpage registration
  memory: give phys_page_find() its own tree search loop
  memory: make phys_page_find() return a MemoryRegionSection
  memory: move tlb flush to MemoryListener commit callback
  memory: unify the two branches of cpu_register_physical_memory_log()
  memory: fix RAM subpages in newly initialized pages
  memory: compress phys_map node pointers to 16 bits
  memory: store MemoryRegionSection pointers in phys_map
  memory: unify phys_map last level with intermediate levels
  memory: remove first level of l1_phys_map
  memory: change memory registration to rebuild the memory map on each change
  memory: support stateless memory listeners
  memory: split memory listener for the two address spaces
  xen: ignore I/O memory regions
  memory: allow MemoryListeners to observe a specific address space
  ...

* qemu-kvm/uq/master:
  pc-bios: update kvmvapic.bin
  kvmvapic: Use optionrom helpers
  optionsrom: Reserve space for checksum
  kvmvapic: Simplify mp/up_set_tpr
  kvmvapic: Introduce TPR access optimization for Windows guests
  kvmvapic: Add option ROM
  target-i386: Add infrastructure for reporting TPR MMIO accesses
  Allow to use pause_all_vcpus from VCPU context
  Process pending work while waiting for initial kick-off in TCG mode
  Remove useless casts from cpu iterators
  kvm: Set cpu_single_env only once
  kvm: Synchronize cpu state in kvm_arch_stop_on_emulation_error()

kvm_set_phys_mem() may be passed sections that are not aligned to a page
boundary.  The current code simply brute-forces the alignment which leads
to an inconsistency and an abort().

Fix by aligning the start and the end of the section correctly, discarding
and unaligned head or tail.

This was triggered by a guest sizing a 64-bit BAR that is smaller than a page
with PCI_COMMAND_MEMORY enabled and the upper dword clear.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NAvi Kivity <avi@redhat.com>

* kwolf/for-anthony: (27 commits)
  qemu-img: fix segment fault when the image format is qed
  qemu-io: fix segment fault when the image format is qed
  qemu-tool: revert cpu_get_clock() abort(3)
  qemu-iotests: Test rebase with short backing file
  qemu-iotests: 026: Reduce output changes for cache=none qcow2
  qemu-iotests: Filter out DOS line endings
  test: add image streaming tests
  qemu-iotests: add iotests Python module
  qemu-iotests: export TEST_DIR for non-bash tests
  QMP: Add qmp command for blockdev-group-snapshot-sync
  qapi: Introduce blockdev-group-snapshot-sync command
  qcow2: Reject too large header extensions
  qcow2: Fix offset in qcow2_read_extensions
  block: drop aio_multiwrite in BlockDriver
  block: remove unused fields in BlockDriverState
  qcow2: Fix build with DEBUG_EXT enabled
  ide: fail I/O to empty disk
  fdc: DIR (Digital Input Register) should return status of current drive...
  fdc: fix seek command, which shouldn't check tracks
  fdc: check if media rate is correct before doing any transfer
  ...

* spice/spice.v49:
  qxl: properly handle upright and non-shared surfaces
  Error out when tls-channel option is used without TLS
  spice: use error_report to report errors
  qxl: add optinal 64bit vram bar
  qxl: make qxl_render_update async
  qxl: introduce QXLCookie
  qxl: remove flipped
  qxl: require spice >= 0.8.2
  qxl: drop qxl_spice_update_area_async definition
  sdl: remove NULL check, g_malloc0 can't fail
  qxl: fix spice+sdl no cursor regression

* kraxel/usb.39: (21 commits)
  usb: Resolve warnings about unassigned bus on usb device creation
  usb-redir: Return USB_RET_NAK when we've no data for an interrupt endpoint
  usb-redir: Limit return values returned by iso packets
  usb-redir: Let the usb-host know about our device filtering
  usb-redir: Always clear device state on filter reject
  usb-redir: Fix printing of device version
  ehci: drop old stuff
  usb-ehci: Handle ISO packets failing with an error other then NAK
  libcacard: fix reported ATR length
  usb-ccid: advertise SELF_POWERED
  libcacard: link with glib for g_strndup
  usb-desc: fix user trigerrable segfaults (!config)
  usb-ehci: sanity-check iso xfers
  usb: add tracepoint for usb packet state changes.
  usb-xhci: enable packet queuing
  usb-uhci: implement packet queuing
  usb-uhci: process uhci_handle_td return code via switch.
  usb-uhci: add UHCIQueue
  usb-uhci: cleanup UHCIAsync allocation & initialization.
  usb-ehci: fix reset
  ...

[root@f15 qemu]# qemu-img info /home/zwu/work/misc/rh6.img
image: /home/zwu/work/misc/rh6.img
file format: qed
virtual size: 4.0G (4294967296 bytes)
disk size: 1.2G
cluster_size: 65536
Segmentation fault (core dumped)

Today when i were fixing another issue, i found this issue; After simple
investigation, i found that the required clock vm_clock is not created
for qemu tool.
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

[root@f15 qemu]# qemu-io -c info /home/zwu/work/misc/rh6.img
format name: qed
cluster size: 64 KiB
vm state offset: 0.000000 bytes
Segmentation fault (core dumped)

This reason is same as the former patch
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Despite the fact that the qemu-tool environment has no guest running and
vm_clock therefore does not make sense, there is code that gets the
vm_clock time even in qemu-tool.  Therefore, revert the abort(3) call
and just return 0 like we used to.  This unbreaks qemu-img/qemu-io with
QED and Kevin has also expressed interest in this for qcow2.
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This tests that qemu-img rebase doesn't assume that the backing file has
the same size as the image, but considers that it can be smaller.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>