get_page_addr_code() reads a code tlb entry, but interprets it as an
iotlb entry.  This works by accident since the low bits of a RAM code
tlb entry are clear, and match a RAM iotlb entry.  This accident is
about to unhappen, so fix the code to use an iotlb entry (using the
code entry with TLB_MMIO may fail if the page is a watchpoint).
Signed-off-by: NAvi Kivity <avi@redhat.com>

A step towards eliminating io indices.
Signed-off-by: NAvi Kivity <avi@redhat.com>

We'd like to store the section index in the iotlb, so we can't
adjust it before returning.  Return an unadjusted section and
instead introduce section_addr(), which does the adjustment later.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Xilinx zynq-7000 machine model. Also includes device model for the zynq-specific
system level control register (SLCR) module.
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Acked-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Device model for cadence gem ethernet controller.
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NJohn Linn <john.linn@xilinx.com>
Acked-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Implemented cadence Triple Timer Counter (TCC)
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NJohn Linn <john.linn@xilinx.com>
Acked-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Implemented cadence UART serial controller
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NJohn Linn <john.linn@xilinx.com>
Acked-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Use the -dtb argument for passing is a custom dtb rather than the old
hardcoded "mb.dtb"
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

defined macros for the addresses of the peripherals in machine model
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

This belongs in the machine specific reset function
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

factored out the copy-pasted common boot code from the two microblaze platforms
into a dedicated microblaze bootloader (microblaze_boot.o).
Signed-off-by: NPeter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

* 's390-for-upstream' of git://repo.or.cz/qemu/agraf:
  Move helpers.h to helper.h
  s390: Rework kernel loading: supports elf and newer kernels

Provides a file naming scheme consistent with other targets.
Signed-off-by: NLluís Vilanova <vilanova@ac.upc.edu>
Signed-off-by: NAlexander Graf <agraf@suse.de>

This reworks the image loading on s390.

Newer kernels will not always have a 0dd0 (basr 13,0) at address 0x10000.
We must not rely on specific code at certain  addresses. This check was
introduced to warn users that tried to load vmlinux, since ELF loading
was not supported. Lets wire that up. If elf loading fails, we assume
that this is a standard kernel image and load that via load_image_targphys.
This patch also changes all other users of load_image to
load_image_targphys to be consistent. (the elf loader registers the kernel
as rom).
Signed-off-by: NChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: NAlexander Graf <agraf@suse.de>

Commit e58ac72b6a0 ("ioport: change portio_list not to use
memory_region_set_offset()") started using aliases of I/O memory
regions.  Since the IORange used for the I/O was contained in the
target region, the alias information (specifically, the offset
into the region) was lost.  This broke -vga std.

Fix by allocating an independent object to hold the IORange and
also the new offset.

Note that I/O memory regions were conceptually broken wrt aliases
in a different way: an alias can cause the same region to appear
twice in an address space, but we had just one IORange to service it.
This patch fixes that problem as well, since we can now have multiple
IORange/MemoryRegion associations.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Previously all callers had a containing object with a destructor that
could be used to trigger cleanup of the IORange objects (typically
just freeing the containing object), but a forthcoming memory API
change doesn't fit this pattern.  Rather than setting up a new global
table, extend the ioport system to support destructors.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The TCG targets i386 and tci needed a change of the function
prototype for w64.

This change is currently not needed here, but it can be applied
to avoid code differences.

Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

The TCG targets i386 and tci needed a change of the function
prototype for w64.

This change is currently not needed for the other TCG targets,
but it can be applied to avoid code differences.

Cc: Blue Swirl <blauwirbel@gmail.com>
Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Aurelien Jarno <aurelien@aurel32.net>
Cc: Alexander Graf <agraf@suse.de>
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

flush_icache_range takes two address parameters which must be large
enough to address any address of the host.

For hosts with sizeof(unsigned long) == sizeof(void *), this patch
changes nothing. All currently supported hosts fall into this category.

For w64 hosts, sizeof(unsigned long) is 4 while sizeof(void *) is 8,
so the use of tcg_target_ulong is needed for i386 and tci (the tcg
targets which work with w64).
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

This change makes tcg_target_ulong available in tcg-target.h.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

ram_addr_t must be large enough to address any address of the host.

For hosts with sizeof(unsigned long) == sizeof(void *), this patch
changes nothing. All currently supported hosts fall into this category.

For w64 hosts, sizeof(unsigned long) is 4 while sizeof(void *) is 8,
so the use of uintptr_t is needed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'upstream' of git://qemu.weilnetz.de/qemu:
  Move definition of HOST_LONG_BITS to qemu-common.h
  target-xtensa: Clean includes
  target-unicore32: Clean includes
  target-sh4: Clean includes
  target-s390x: Clean includes
  target-ppc: Clean includes
  target-mips: Clean includes
  target-microblaze: Clean includes
  target-m68k: Clean includes
  target-lm32: Clean includes
  target-i386: Clean includes
  target-cris: Clean includes
  target-arm: Clean includes
  target-alpha: Clean includes
  Remove macro HOST_LONG_SIZE

This was a breakage of 3741715c.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Acked-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

* 'arm-devs.for-upstream' of git://git.linaro.org/people/pmaydell/qemu-arm:
  hw/arm11mpcore: Fix broken realview_mpcore/arm11mpcore_priv properties
  arm: add device tree support
  arm: make sure that number of irqs can be represented in GICD_TYPER.
  arm: clean up GIC constants

* 'xtensa' of git://jcmvbkbc.spb.ru/dumb/qemu-xtensa:
  target-xtensa: add breakpoint tests
  target-xtensa: add DEBUG_SECTION to overlay tool
  target-xtensa: add DBREAK data breakpoints
  exec: let cpu_watchpoint_insert accept larger watchpoints
  exec: fix check_watchpoint exiting cpu_loop
  exec: add missing breaks to the watch_mem_write
  target-xtensa: add ICOUNT SR and debug exception
  target-xtensa: implement instruction breakpoints
  target-xtensa: add DEBUGCAUSE SR and configuration
  target-xtensa: fetch 3rd opcode byte only when needed
  target-xtensa: implement info tlb monitor command
  target-xtensa: define TLB_TEMPLATE for MMU-less cores

Fix confusion in the Property arrays for the "arm11mpcore_priv"
(per-CPU devices for the ARM11MPcore CPU) and "realview_mpcore"
(realview-eb board specific device encapsulating CPU and some
extra interrupt controllers) -- the num-irq property was defined
on the wrong device and the mpcore_rirq_properties were defined
as offsets in the wrong structure. The effect was that the
realview-eb-mpcore machine would abort on startup trying to
allocate an insane amount of memory. (This bug was introduced in
the QOM conversion in commit 999e12bb.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

If compiled with CONFIG_FDT, allow user to specify a device tree file using
the -dtb argument.  If the machine supports it then the dtb will be loaded
into memory and passed to the kernel on boot.
Signed-off-by: NJeremy Kerr <jeremy.kerr@canonical.com>
Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>
[Peter Maydell: Use machine opt rather than global to pass dtb filename]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

We currently assume that the number of interrupts (ITLinesNumber in
the architecture reference manual) is divisible by 32, since we
present it to the guest when it reads GICD_TYPER (in gic_dist_readb())
as (N / 32) - 1.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

Interrupts numbers 0-31 are private to the processor interface, 32-1019 are
general interrupts.  Add GIC_INTERNAL and substitute everywhere.
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
[Peter Maydell: converted some tabs to spaces]
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

* qemu-kvm/memory/urgent:
  kvm: fix unaligned slots

* qemu-kvm/memory/core: (30 commits)
  memory: allow phys_map tree paths to terminate early
  memory: unify PhysPageEntry::node and ::leaf
  memory: change phys_page_set() to set multiple pages
  memory: switch phys_page_set() to a recursive implementation
  memory: replace phys_page_find_alloc() with phys_page_set()
  memory: simplify multipage/subpage registration
  memory: give phys_page_find() its own tree search loop
  memory: make phys_page_find() return a MemoryRegionSection
  memory: move tlb flush to MemoryListener commit callback
  memory: unify the two branches of cpu_register_physical_memory_log()
  memory: fix RAM subpages in newly initialized pages
  memory: compress phys_map node pointers to 16 bits
  memory: store MemoryRegionSection pointers in phys_map
  memory: unify phys_map last level with intermediate levels
  memory: remove first level of l1_phys_map
  memory: change memory registration to rebuild the memory map on each change
  memory: support stateless memory listeners
  memory: split memory listener for the two address spaces
  xen: ignore I/O memory regions
  memory: allow MemoryListeners to observe a specific address space
  ...

* qemu-kvm/uq/master:
  pc-bios: update kvmvapic.bin
  kvmvapic: Use optionrom helpers
  optionsrom: Reserve space for checksum
  kvmvapic: Simplify mp/up_set_tpr
  kvmvapic: Introduce TPR access optimization for Windows guests
  kvmvapic: Add option ROM
  target-i386: Add infrastructure for reporting TPR MMIO accesses
  Allow to use pause_all_vcpus from VCPU context
  Process pending work while waiting for initial kick-off in TCG mode
  Remove useless casts from cpu iterators
  kvm: Set cpu_single_env only once
  kvm: Synchronize cpu state in kvm_arch_stop_on_emulation_error()

kvm_set_phys_mem() may be passed sections that are not aligned to a page
boundary.  The current code simply brute-forces the alignment which leads
to an inconsistency and an abort().

Fix by aligning the start and the end of the section correctly, discarding
and unaligned head or tail.

This was triggered by a guest sizing a 64-bit BAR that is smaller than a page
with PCI_COMMAND_MEMORY enabled and the upper dword clear.
Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NAvi Kivity <avi@redhat.com>

* kwolf/for-anthony: (27 commits)
  qemu-img: fix segment fault when the image format is qed
  qemu-io: fix segment fault when the image format is qed
  qemu-tool: revert cpu_get_clock() abort(3)
  qemu-iotests: Test rebase with short backing file
  qemu-iotests: 026: Reduce output changes for cache=none qcow2
  qemu-iotests: Filter out DOS line endings
  test: add image streaming tests
  qemu-iotests: add iotests Python module
  qemu-iotests: export TEST_DIR for non-bash tests
  QMP: Add qmp command for blockdev-group-snapshot-sync
  qapi: Introduce blockdev-group-snapshot-sync command
  qcow2: Reject too large header extensions
  qcow2: Fix offset in qcow2_read_extensions
  block: drop aio_multiwrite in BlockDriver
  block: remove unused fields in BlockDriverState
  qcow2: Fix build with DEBUG_EXT enabled
  ide: fail I/O to empty disk
  fdc: DIR (Digital Input Register) should return status of current drive...
  fdc: fix seek command, which shouldn't check tracks
  fdc: check if media rate is correct before doing any transfer
  ...

* spice/spice.v49:
  qxl: properly handle upright and non-shared surfaces
  Error out when tls-channel option is used without TLS
  spice: use error_report to report errors
  qxl: add optinal 64bit vram bar
  qxl: make qxl_render_update async
  qxl: introduce QXLCookie
  qxl: remove flipped
  qxl: require spice >= 0.8.2
  qxl: drop qxl_spice_update_area_async definition
  sdl: remove NULL check, g_malloc0 can't fail
  qxl: fix spice+sdl no cursor regression

* kraxel/usb.39: (21 commits)
  usb: Resolve warnings about unassigned bus on usb device creation
  usb-redir: Return USB_RET_NAK when we've no data for an interrupt endpoint
  usb-redir: Limit return values returned by iso packets
  usb-redir: Let the usb-host know about our device filtering
  usb-redir: Always clear device state on filter reject
  usb-redir: Fix printing of device version
  ehci: drop old stuff
  usb-ehci: Handle ISO packets failing with an error other then NAK
  libcacard: fix reported ATR length
  usb-ccid: advertise SELF_POWERED
  libcacard: link with glib for g_strndup
  usb-desc: fix user trigerrable segfaults (!config)
  usb-ehci: sanity-check iso xfers
  usb: add tracepoint for usb packet state changes.
  usb-xhci: enable packet queuing
  usb-uhci: implement packet queuing
  usb-uhci: process uhci_handle_td return code via switch.
  usb-uhci: add UHCIQueue
  usb-uhci: cleanup UHCIAsync allocation & initialization.
  usb-ehci: fix reset
  ...

[root@f15 qemu]# qemu-img info /home/zwu/work/misc/rh6.img
image: /home/zwu/work/misc/rh6.img
file format: qed
virtual size: 4.0G (4294967296 bytes)
disk size: 1.2G
cluster_size: 65536
Segmentation fault (core dumped)

Today when i were fixing another issue, i found this issue; After simple
investigation, i found that the required clock vm_clock is not created
for qemu tool.
Signed-off-by: NZhi Yong Wu <wuzhy@linux.vnet.ibm.com>
Reviewed-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>