Signed-off-by: NIgor Mammedov <imammedo@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Signed integer overflow in C is undefined behaviour, and the compiler
is at liberty to assume it can never happen and optimize accordingly.
In particular, the subtractions in hpet_time_after() and hpet_time_after64()
were causing OSX clang to optimize the code such that it was prone to
hangs and complaints about the main loop stalling (presumably because
we were spending all our time trying to service very high frequency
HPET timer callbacks). The clang sanitizer confirms the UB:

hw/timer/hpet.c:119:26: runtime error: signed integer overflow: -2146967296 - 2147003978 cannot be represented in type 'int'

Fix this by doing the subtraction as an unsigned operation and then
converting to signed for the comparison.
Reported-by: NAaron Elkins <threcius@yahoo.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Message-id: 1447080991-24995-1-git-send-email-peter.maydell@linaro.org

hpet defines a clock period in femtoseconds but
then converts it to nanoseconds to use the internal
timers.

We can define the period in nanoseconds and use it
directly, this allows to remove muldiv64().

We only need to convert the period to femtoseconds
to put it in internal hpet capability register.
Signed-off-by: NLaurent Vivier <lvivier@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: NEric Blake <eblake@redhat.com>
Reviewed-by: NLuiz Capitulino <lcapitulino@redhat.com>

We create optional sections with this patch.  But we already have
optional subsections.  Instead of having two mechanism that do the
same, we can just generalize it.

For subsections we just change:

- Add a needed function to VMStateDescription
- Remove VMStateSubsection (after removal of the needed function
  it is just a VMStateDescription)
- Adjust the whole tree, moving the needed function to the corresponding
  VMStateDescription
Signed-off-by: NJuan Quintela <quintela@redhat.com>

Switch all the uses of ld/st*_phys to address_space_ld/st*,
except for those cases where the address space is the CPU's
(ie cs->as). This was done with the following script which
generates a Coccinelle patch.

A few over-80-columns lines in the result were rewrapped by
hand where Coccinelle failed to do the wrapping automatically,
as well as one location where it didn't put a line-continuation
'\' when wrapping lines on a change made to a match inside
a macro definition.

===begin===
#!/bin/sh -e
# Usage:
# ./ldst-phys.spatch.sh > ldst-phys.spatch
# spatch -sp_file ldst-phys.spatch -dir . | sed -e '/^+/s/\t/        /g' > out.patch
# patch -p1 < out.patch

for FN in ub uw_le uw_be l_le l_be q_le q_be uw l q; do
cat <<EOF
@ cpu_matches_ld_${FN} @
expression E1,E2;
identifier as;
@@

ld${FN}_phys(E1->as,E2)

@ other_matches_ld_${FN} depends on !cpu_matches_ld_${FN} @
expression E1,E2;
@@

-ld${FN}_phys(E1,E2)
+address_space_ld${FN}(E1,E2, MEMTXATTRS_UNSPECIFIED, NULL)

EOF

done

for FN in b w_le w_be l_le l_be q_le q_be w l q; do
cat <<EOF
@ cpu_matches_st_${FN} @
expression E1,E2,E3;
identifier as;
@@

st${FN}_phys(E1->as,E2,E3)

@ other_matches_st_${FN} depends on !cpu_matches_st_${FN} @
expression E1,E2,E3;
@@

-st${FN}_phys(E1,E2,E3)
+address_space_st${FN}(E1,E2,E3, MEMTXATTRS_UNSPECIFIED, NULL)

EOF

done
===endit===
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: NAlex Bennée <alex.bennee@linaro.org>

Old users of VMSTATE_TIMER* are mechanically changed to VMSTATE_TIMER_PTR
variants.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>

After previous Peter patch, they are redundant.  This way we don't
assign them except when needed.  Once there, there were lots of case
where the ".fields" indentation was wrong:

     .fields = (VMStateField []) {
and
     .fields =      (VMStateField []) {

Change all the combinations to:

     .fields = (VMStateField[]){

The biggest problem (appart from aesthetics) was that checkpatch complained
when we copy&pasted the code from one place to another.
Signed-off-by: NJuan Quintela <quintela@redhat.com>
Acked-by: NAlexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: NAnthony Liguori <anthony@codemonkey.ws>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NDr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: NJuan Quintela <quintela@redhat.com>

A HPET timer can be started when HPET is not yet
enabled. This will not generate an interrupt
to the guest, but causes problems when HPET is later
enabled.

A timer that is created and expires at least once before
HPET is enabled will have an initialized comparator based
on a hpet_offset of 0 (uninitialized). When HPET is
enabled, hpet_set_timer() is called a second time, which
modifies the timer expiry to a time based on the
difference between current ticks (measured with the
newly initialized hpet_offset) and the timer's
comparator (which was generated before hpet_offset was
initialized). This results in a long period of no HPET
timer ticks.

When this occurs with a CentOS 5.x guest, the guest
may not receive timer interrupts during its narrow
timer check window and panic on boot.
Signed-off-by: NMatt Lupfer <mlupfer@ddn.com>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>

Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@xilinx.com>

device_add plugs devices into suitable bus.  For "real" buses, that
actually connects the device.  For sysbus, the connections need to be
made separately, and device_add can't do that.  The device would be
left unconnected, and could not possibly work.

Quite a few, but not all sysbus devices already set
cannot_instantiate_with_device_add_yet in their class init function.

Set it in their abstract base's class init function
sysbus_device_class_init(), and remove the now redundant assignments
from device class init functions.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NMarcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

In an ideal world, machines can be built by wiring devices together
with configuration, not code.  Unfortunately, that's not the world we
live in right now.  We still have quite a few devices that need to be
wired up by code.  If you try to device_add such a device, it'll fail
in sometimes mysterious ways.  If you're lucky, you get an
unmysterious immediate crash.

To protect users from such badness, DeviceClass member no_user used to
make device models unavailable with -device / device_add, but that
regressed in commit 18b6dade.  The device model is still omitted from
help, but is available anyway.

Attempts to fix the regression have been rejected with the argument
that the purpose of no_user isn't clear, and it's prone to misuse.

This commit clarifies no_user's purpose.  Anthony suggested to rename
it cannot_instantiate_with_device_add_yet_due_to_internal_bugs, which
I shorten somewhat to keep checkpatch happy.  While there, make it
bool.

Every use of cannot_instantiate_with_device_add_yet gets a FIXME
comment asking for rationale.  The next few commits will clean them
all up, either by providing a rationale, or by getting rid of the use.

With that done, the regression fix is hopefully acceptable.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NMarcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: NAndreas Färber <afaerber@suse.de>

make hpet_find inline so we don't need
to build hpet.c to check if hpet is enabled.

Fixes link error with CONFIG_HPET off.

Cc: qemu-stable@nongnu.org
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Owning to some different hardware design, piix and q35 need
different compat. So making them diverge.

On q35, IRQ2/8 can be reserved for hpet timer 0/1. And pin 16~23
can be assigned to hpet as guest chooses. So we introduce intcap
property to do that.

Consider the compat and piix/q35, we finally have the following
value for intcap: For piix, hpet's intcap is hard coded as IRQ2.
For pc-q35-1.7 and earlier, we use IRQ2 for compat reason. Otherwise
IRQ2, IRQ8, and IRQ16~23 are allowed.
Signed-off-by: NLiu Ping Fan <pingfank@linux.vnet.ibm.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

According to hpet spec, hpet irq is high active. But according to
ICH spec, there is inversion before the input of ioapic. So the OS
will expect low active on this IRQ line. (On bare metal, if OS driver
claims high active on this line, spurious irq is generated)

We fold the emulation of this inversion inside the hpet logic.
Signed-off-by: NLiu Ping Fan <pingfank@linux.vnet.ibm.com>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Add API to find HPET using QOM.
Reviewed-by: NGerd Hoffmann <kraxel@redhat.com>
Tested-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NIgor Mammedov <imammedo@redhat.com>
Tested-by: NIgor Mammedov <imammedo@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

This is an autogenerated patch using scripts/switch-timer-api.

Switch the entire code base to using the new timer API.

Note this patch may introduce some line length issues.
Signed-off-by: NAlex Bligh <alex@alex.org.uk>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

Signed-off-by: NHu Tao <hutao@cn.fujitsu.com>
[AF: Avoided SYS_BUS_DEVICE() in loop]
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Introduce type constant, avoid FROM_SYSBUS().
Signed-off-by: NHu Tao <hutao@cn.fujitsu.com>
[AF: Renamed parent field and renamed variable]
Signed-off-by: NAndreas Färber <afaerber@suse.de>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This patch tackles all files that are compiled once, moving
them to subdirectories of hw/.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Many of these should be cleaned up with proper qdev-/QOM-ification.
Right now there are many catch-all headers in include/hw/ARCH depending
on cpu.h, and this makes it necessary to compile these files per-target.
However, fixing this does not belong in these patches.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Done with this script:

cd hw
for i in `find . -name '*.h' | sed 's/^..//'`; do
  echo '\,^#.*include.*["<]'$i'[">], s,'$i',hw/&,'
done | sed -i -f - `find . -type f`

This is so that paths remain valid as files are moved.

Instead, files in hw/dataplane are referenced with the relative path.
We know they are not going to move to include/, and they are the only
include files that are in subdirectories _and_ move.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Replace by SYS_BUS_DEVICE() QOM cast macro using a scripted conversion.
Avoids the old macro creeping into new code.

Resolve a Coding Style warning in openpic code.
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Cc: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Since 39bffca2 (qdev: register all
types natively through QEMU Object Model), TypeInfo as used in
the common, non-iterative pattern is no longer amended with information
and should therefore be const.

Fix the documented QOM examples:

 sed -i 's/static TypeInfo/static const TypeInfo/g' include/qom/object.h

Since frequently the wrong examples are being copied by contributors of
new devices, fix all types in the tree:

 sed -i 's/^static TypeInfo/static const TypeInfo/g' */*.c
 sed -i 's/^static TypeInfo/static const TypeInfo/g' */*/*.c

This also avoids to piggy-back these changes onto real functional
changes or other refactorings.
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

target_phys_addr_t is unwieldly, violates the C standard (_t suffixes are
reserved) and its purpose doesn't match the name (most target_phys_addr_t
addresses are not target specific).  Replace it with a finger-friendly,
standards conformant hwaddr.

Outstanding patchsets can be fixed up with the command

  git rebase -i --exec 'find -name "*.[ch]"
                        | xargs s/target_phys_addr_t/hwaddr/g' origin
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

When the HPET enters legacy mode, the IRQ output of the PIT is
suppressed and replaced by the HPET timer 0. But the current code to
emulate this was broken in many ways. It reset the PIT state after
re-enabling, it worked against a stale static PIT structure, and it did
not properly saved/restored the IRQ output mask in the PIT vmstate.

This patch solves the PIT IRQ control in a different way. On x86, it
both redirects the PIT IRQ to the HPET, just like the RTC. But it also
keeps the control line from the HPET to the PIT. This allows to disable
the PIT QEMU timer when it is not needed. The PIT's view on the control
line state is now saved in the same format that qemu-kvm is already
using.

Note that, in contrast to the suppressed RTC IRQ line, we do not need to
save/restore the PIT line state in the HPET. As we trigger a PIT IRQ
update via the control line, the line state is reconstructed on mode
switch.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Move the public interface of the PIT into its own header file and update
all users.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

In legacy mode, the HPET suppresses the RTC interrupt delivery via IRQ
8 but keeps track of the RTC output level and applies it when legacy
mode is turned off again. This value has to be preserved across save/
restore as it cannot be reconstructed otherwise.

To document that a raised rtc_irq_level won't survive a vmload without
a hpet/rtc_irq_level subsection, add an explicit clearing to the reset
handler.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Replace device_init() with generalized type_init().

While at it, unify naming convention: type_init([$prefix_]register_types)
Also, type_init() is a function, so add preceding blank line where
necessary and don't put a semicolon after the closing brace.
Signed-off-by: NAndreas Färber <afaerber@suse.de>
Cc: Anthony Liguori <anthony@codemonkey.ws>
Cc: malc <av1474@comtv.ru>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This was done in a mostly automated fashion.  I did it in three steps and then
rebased it into a single step which avoids repeatedly touching every file in
the tree.

The first step was a sed-based addition of the parent type to the subclass
registration functions.

The second step was another sed-based removal of subclass registration functions
while also adding virtual functions from the base class into a class_init
function as appropriate.

Finally, a python script was used to convert the DeviceInfo structures and
qdev_register_subclass functions to TypeInfo structures, class_init functions,
and type_register_static calls.

We are almost fully converted to QOM after this commit.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This converts three devices because apic and ioapic are subclasses of sysbus.
Converting subclasses independently of their base class is prohibitively hard.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NAvi Kivity <avi@redhat.com>

Signed-off-by: NAvi Kivity <avi@redhat.com>

hpet_timer timer callback rearms itself based on difference between
current HPET tick counter and comparator value. Difference calculated by
the hpet_calculate_diff function is limited to non-negative values.

cur_tick is calculated via hpet_get_ticks that uses qemu_get_clock_ns(vm_clock).

With -icount enabled vm_clock doesn't advance during qemu_run_timers
loop thus once difference is zero, qemu_run_timers loops forever
handling hpet_timer.

Limit hpet_calculate_diff results to positive only values to avoid that
infinite loop.

This fixes the following qemu-system-x86_64 hang when it reaches
timer_irq_works() in the linux bootup:

[    0.000000] Fast TSC calibration using PIT
[    0.000000] Detected 1000.054 MHz processor.
[    0.000031] Calibrating delay loop (skipped), value calculated using timer frequency.. 2000.10 BogoMIPS (lpj=10000540)
[    0.000404] pid_max: default: 32768 minimum: 301
[    0.001138] Mount-cache hash table entries: 256
[    0.003883] Initializing cgroup subsys ns
[    0.004035] Initializing cgroup subsys cpuacct
[    0.004280] Initializing cgroup subsys freezer
[    0.004790] Performance Events: AMD PMU driver.
[    0.004985] ... version:                0
[    0.005134] ... bit width:              48
[    0.005285] ... generic registers:      4
[    0.005437] ... value mask:             0000ffffffffffff
[    0.005625] ... max period:             00007fffffffffff
[    0.005807] ... fixed-purpose events:   0
[    0.005957] ... event mask:             000000000000000f
[    0.006275] SMP alternatives: switching to UP code
Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>