[Spice-commits] Branch 'kvm' - 1436 commits - .gitignore .gitmodules CODING_STYLE HACKING MAINTAINERS Makefile Makefile.objs Makefile.target QMP/README QMP/qmp-events.txt QMP/qmp-shell QMP/qmp.py QMP/vm-info VERSION alpha-dis.c arch_init.c arch_init.h arm-dis.c arm-semi.c audio/alsaaudio.c audio/audio.c audio/audio.h audio/audio_int.h audio/audio_pt_int.c audio/audio_template.h audio/dsoundaudio.c audio/esdaudio.c audio/fmodaudio.c audio/mixeng.c audio/mixeng.h audio/mixeng_template.h audio/noaudio.c audio/ossaudio.c audio/paaudio.c audio/spiceaudio.c audio/winwaveaudio.c balloon.c block-migration.c block.c block.h block/blkdebug.c block/blkverify.c block/cow.c block/nbd.c block/qcow.c block/qcow2-cache.c block/qcow2-cluster.c block/qcow2-refcount.c block/qcow2-snapshot.c block/qcow2.c block/qcow2.h block/qed-check.c block/qed-cluster.c block/qed-gencb.c block/qed-l2-cache.c block/qed-table.c block/qed.c block/qed.h block/raw-posix.c block/raw-win32.c block/raw.c block/rbd.c block/r bd_types.h block/sheepdog.c block/vdi.c block/vmdk.c block/vpc.c block/vvfat.c block_int.h blockdev.c blockdev.h bsd-user/bsdload.c bsd-user/elfload.c bsd-user/main.c bsd-user/qemu.h bswap.h buffered_file.c cache-utils.c cache-utils.h check-qjson.c cmd.h configure console.c console.h cpu-all.h cpu-common.h cpu-exec.c cpus.c cpus.h create_config cris-dis.c cutils.c darwin-user/machload.c darwin-user/qemu.h default-configs/arm-softmmu.mak default-configs/cris-softmmu.mak default-configs/i386-softmmu.mak default-configs/m68k-softmmu.mak default-configs/microblaze-softmmu.mak default-configs/mips-softmmu.mak default-configs/mips64-softmmu.mak default-configs/mips64el-softmmu.mak default-configs/mipsel-softmmu.mak default-configs/pci.mak default-configs/ppc-softmmu.mak default-configs/ppc64-softmmu.mak default-configs/ppcemb-softmmu.mak default-configs/s390x-softmmu.mak default-configs/sh4-softmmu.mak default-configs/sh4eb-softmmu.mak default-configs/sparc-softmmu.mak default-con figs/sparc64-softmmu.mak default-configs/x86_64-softmmu.mak dis-asm.h disas.c disas.h docs/blkverify.txt docs/bootindex.txt docs/migration.txt docs/qdev-device-use.txt docs/specs docs/tracing.txt dyngen-exec.h elf.h envlist.h exec-all.h exec.c feature_to_c.sh fpu/softfloat-native.c fpu/softfloat-native.h fpu/softfloat-specialize.h fpu/softfloat.c fpu/softfloat.h fsdev/qemu-fsdev.c fsdev/qemu-fsdev.h gdbstub.c gdbstub.h hmp-commands.hx hw/acpi.c hw/acpi_piix4.c hw/apb_pci.c hw/apic.c hw/arm_gic.c hw/arm_sysctl.c hw/arm_timer.c hw/armv7m.c hw/audiodev.h hw/axis_dev88.c hw/bonito.c hw/bt-sdp.c hw/cirrus_vga.c hw/cirrus_vga_rop.h hw/cirrus_vga_rop2.h hw/cs4231.c hw/cs4231a.c hw/cuda.c hw/dec_pci.c hw/device-assignment.c hw/device-assignment.h hw/device-hotplug.c hw/dp8393x.c hw/ds1225y.c hw/e1000.c hw/ecc.c hw/eccmemctl.c hw/eepro100.c hw/elf_ops.h hw/empty_slot.c hw/escc.c hw/esp.c hw/esp.h hw/etraxfs_dma.c hw/etraxfs_eth.c hw/etraxfs_pic.c hw/etraxfs_ser.c hw/etraxfs_timer.c h w/fdc.c hw/file-op-9p.h hw/flash.h hw/fmopl.c hw/fw_cfg.c hw/fw_cfg.h hw/g364fb.c hw/grackle_pci.c hw/grlib.h hw/grlib_apbuart.c hw/grlib_gptimer.c hw/grlib_irqmp.c hw/gt64xxx.c hw/gumstix.c hw/gus.c hw/hda-audio.c hw/heathrow_pic.c hw/hpet.c hw/hw.h hw/i8259.c hw/ide hw/ide.h hw/integratorcp.c hw/intel-hda-defs.h hw/intel-hda.c hw/intel-hda.h hw/ioapic.c hw/ioapic.h hw/ioh3420.c hw/ioh3420.h hw/ipf.c hw/isa-bus.c hw/isa.h hw/isa_mmio.c hw/ivshmem.c hw/jazz_led.c hw/lan9118.c hw/lance.c hw/leon3.c hw/loader.c hw/loader.h hw/lsi53c895a.c hw/m48t59.c hw/mac_dbdma.c hw/mac_nvram.c hw/mainstone.c hw/marvell_88w8618_audio.c hw/mc146818rtc.c hw/mcf5206.c hw/mcf5208.c hw/mcf_fec.c hw/mcf_intc.c hw/mcf_uart.c hw/mips.h hw/mips_fulong2e.c hw/mips_jazz.c hw/mips_malta.c hw/mips_mipssim.c hw/mips_r4k.c hw/mips_timer.c hw/mipsnet.c hw/mpcore.c hw/msi.c hw/msi.h hw/msix.c hw/msix.h hw/mst_fpga.c hw/multiboot.c hw/musicpal.c hw/ne2000-isa.c hw/ne2000.c hw/nseries.c hw/omap.h hw/omap1.c hw /omap2.c hw/omap_dma.c hw/omap_dss.c hw/omap_gpio.c hw/omap_gpmc.c hw/omap_i2c.c hw/omap_intc.c hw/omap_l4.c hw/omap_lcdc.c hw/omap_mmc.c hw/omap_sdrc.c hw/omap_sx1.c hw/omap_uart.c hw/onenand.c hw/openpic.c hw/palm.c hw/parallel.c hw/pc.c hw/pc.h hw/pc_piix.c hw/pci-hotplug.c hw/pci-stub.c hw/pci.c hw/pci.h hw/pci_bridge.c hw/pci_bridge.h hw/pci_host.c hw/pci_host.h hw/pci_ids.h hw/pci_internals.h hw/pcie.c hw/pcie.h hw/pcie_aer.c hw/pcie_aer.h hw/pcie_host.c hw/pcie_port.c hw/pcie_port.h hw/pcie_regs.h hw/pckbd.c hw/pcnet-pci.c hw/pcnet.c hw/pcnet.h hw/pflash_cfi01.c hw/pflash_cfi02.c hw/piix4.c hw/piix_pci.c hw/pl011.c hw/pl022.c hw/pl031.c hw/pl050.c hw/pl061.c hw/pl080.c hw/pl110.c hw/pl181.c hw/pl190.c hw/ppc.c hw/ppc.h hw/ppc405_boards.c hw/ppc405_uc.c hw/ppc440.c hw/ppc4xx_devs.c hw/ppc4xx_pci.c hw/ppc_mac.h hw/ppc_newworld.c hw/ppc_oldworld.c hw/ppc_prep.c hw/ppce500_mpc8544ds.c hw/ppce500_pci.c hw/prep_pci.c hw/pxa.h hw/pxa2xx.c hw/pxa2xx_dma.c hw/pxa2xx_gpio.c hw/ pxa2xx_keypad.c hw/pxa2xx_lcd.c hw/pxa2xx_mmci.c hw/pxa2xx_pcmcia.c hw/pxa2xx_pic.c hw/pxa2xx_timer.c hw/qdev.c hw/qdev.h hw/qxl-logger.c hw/qxl-render.c hw/qxl.c hw/qxl.h hw/r2d.c hw/rc4030.c hw/realview.c hw/realview_gic.c hw/rtl8139.c hw/s390-virtio-bus.c hw/s390-virtio-bus.h hw/s390-virtio.c hw/sb16.c hw/sbi.c hw/scsi-bus.c hw/scsi-defs.h hw/scsi-disk.c hw/scsi-generic.c hw/scsi.h hw/sd.c hw/serial.c hw/sh7750.c hw/sh_intc.c hw/sh_pci.c hw/sh_pci.h hw/sh_serial.c hw/sh_timer.c hw/sharpsl.h hw/slavio_intctl.c hw/slavio_misc.c hw/slavio_timer.c hw/sm501.c hw/smc91c111.c hw/soc_dma.c hw/sparc32_dma.c hw/spitz.c hw/ssi-sd.c hw/stellaris.c hw/stellaris_enet.c hw/sun4c_intctl.c hw/sun4m.c hw/sun4m_iommu.c hw/sun4u.c hw/syborg_fb.c hw/syborg_interrupt.c hw/syborg_keyboard.c hw/syborg_pointer.c hw/syborg_rtc.c hw/syborg_serial.c hw/syborg_timer.c hw/syborg_virtio.c hw/sysbus.c hw/sysbus.h hw/tc6393xb.c hw/tc6393xb_template.h hw/tcx.c hw/testdev.c hw/tosa.c hw/tusb6010.c hw/unin_ pci.c hw/usb-bt.c hw/usb-bus.c hw/usb-desc.c hw/usb-desc.h hw/usb-hid.c hw/usb-hub.c hw/usb-msd.c hw/usb-musb.c hw/usb-net.c hw/usb-ohci.c hw/usb-serial.c hw/usb-uhci.c hw/usb-wacom.c hw/usb.c hw/usb.h hw/versatile_pci.c hw/versatilepb.c hw/vga-isa-mm.c hw/vga-pci.c hw/vga.c hw/vga_int.h hw/vhost.c hw/vhost.h hw/vhost_net.c hw/vhost_net.h hw/virtex_ml507.c hw/virtio-9p-debug.c hw/virtio-9p-debug.h hw/virtio-9p-local.c hw/virtio-9p-posix-acl.c hw/virtio-9p-xattr-user.c hw/virtio-9p-xattr.c hw/virtio-9p-xattr.h hw/virtio-9p.c hw/virtio-9p.h hw/virtio-balloon.c hw/virtio-blk.c hw/virtio-console.c hw/virtio-net.c hw/virtio-net.h hw/virtio-pci.c hw/virtio-serial-bus.c hw/virtio-serial.h hw/virtio.c hw/virtio.h hw/vmmouse.c hw/vmware_vga.c hw/watchdog.h hw/wdt_i6300esb.c hw/wdt_ib700.c hw/wm8750.c hw/xen_backend.h hw/xen_disk.c hw/xilinx_ethlite.c hw/xilinx_intc.c hw/xilinx_timer.c hw/xilinx_uartlite.c hw/xio3130_downstream.c hw/xio3130_downstream.h hw/xio3130_upstream.c hw/xio313 0_upstream.h hw/zaurus.c hxtool ioport.c ioport.h iorange.h json-parser.c kvm-all.c kvm-stub.c kvm-tpr-opt.c kvm.h kvm/doxygen.conf kvm/kvm_stat kvm/libkvm kvm/scripts linux-user/arm linux-user/elfload.c linux-user/flatload.c linux-user/ioctls.h linux-user/linuxload.c linux-user/m68k-sim.c linux-user/main.c linux-user/mips linux-user/mmap.c linux-user/ppc linux-user/qemu.h linux-user/signal.c linux-user/strace.c linux-user/strace.list linux-user/syscall.c linux-user/syscall_defs.h linux-user/syscall_types.h linux-user/target_flat.h m68k-dis.c m68k-semi.c microblaze-dis.c migration.c migration.h mips-dis.c monitor.c monitor.h nbd.c nbd.h net.c net.h net/socket.c net/tap-aix.c net/tap-bsd.c net/tap-haiku.c net/tap-linux.c net/tap-linux.h net/tap-solaris.c net/tap-win32.c net/tap.c net/tap.h os-posix.c os-win32.c osdep.c osdep.h oslib-posix.c oslib-win32.c path.c pc-bios/README pc-bios/bios.bin pc-bios/gpxe-eepro100-80861229.rom pc-bios/keymaps pc-bios/openbios-ppc pc-bios/open bios-sparc32 pc-bios/openbios-sparc64 pc-bios/optionrom pc-bios/vgabios-cirrus.bin pc-bios/vgabios-qxl.bin pc-bios/vgabios-stdvga.bin pc-bios/vgabios-vmware.bin pc-bios/vgabios.bin pc-bios/video.x pflib.c pflib.h posix-aio-compat.c qemu-binfmt-conf.sh qemu-char.c qemu-char.h qemu-common.h qemu-config.c qemu-config.h qemu-doc.texi qemu-error.h qemu-img-cmds.hx qemu-img.c qemu-img.texi qemu-io.c qemu-kvm-helper.c qemu-kvm-x86.c qemu-kvm.c qemu-kvm.h qemu-lock.h qemu-malloc.c qemu-monitor.hx qemu-nbd.c qemu-option.c qemu-options.hx qemu-os-posix.h qemu-os-win32.h qemu-tech.texi qemu-timer-common.c qemu-timer.c qemu-timer.h qemu-tool.c qemu_socket.h qerror.c qerror.h qjson.c qjson.h qmp-commands.hx range.h roms/seabios roms/vgabios rules.mak rwhandler.c rwhandler.h savevm.c scripts/checkpatch.pl scripts/create_config scripts/feature_to_c.sh scripts/hxtool scripts/make_device_config.sh scripts/qemu-binfmt-conf.sh scripts/signrom.sh scripts/simpletrace.py scripts/texi2pod.pl scrip ts/tracetool sh4-dis.c simpletrace.c simpletrace.h slirp/bootp.c slirp/ip_input.c slirp/misc.c slirp/slirp.c slirp/slirp.h slirp/slirp_config.h slirp/tftp.c spice-qemu-char.c sysemu.h target-alpha/helper.c target-alpha/op_helper.c target-arm/cpu.h target-arm/helper.c target-arm/helpers.h target-arm/neon_helper.c target-arm/op_helper.c target-arm/translate.c target-cris/cpu.h target-cris/exec.h target-cris/helper.c target-cris/mmu.c target-cris/op_helper.c target-cris/translate.c target-cris/translate_v10.c target-i386/cpu.h target-i386/cpuid.c target-i386/fake-exec.c target-i386/helper.c target-i386/kvm.c target-i386/kvm_x86.h target-i386/machine.c target-i386/op_helper.c target-i386/translate.c target-m68k/cpu.h target-m68k/helper.c target-m68k/translate.c target-microblaze/cpu.h target-microblaze/exec.h target-microblaze/helper.h target-microblaze/op_helper.c target-microblaze/translate.c target-mips/cpu.h target-mips/exec.h target-mips/helper.h target-mips/op_helper.c tar get-mips/translate.c target-mips/translate_init.c target-ppc/cpu.h target-ppc/exec.h target-ppc/helper.c target-ppc/kvm.c target-ppc/kvm_ppc.h target-ppc/op_helper.c target-ppc/translate.c target-ppc/translate_init.c target-s390x/cpu.h target-s390x/kvm.c target-s390x/translate.c target-sh4/cpu.h target-sh4/helper.c target-sh4/helper.h target-sh4/op_helper.c target-sh4/translate.c target-sparc/cpu.h target-sparc/helper.c target-sparc/helper.h target-sparc/op_helper.c target-sparc/translate.c tcg/README tcg/arm tcg/ia64 tcg/mips tcg/tcg-op.h tcg/tcg-opc.h tcg/tcg.c tcg/tcg.h tests/Makefile tests/cris tests/hello-i386.c tests/runcom.c tests/test-i386.c tests/test_path.c texi2pod.pl trace-events ui/cocoa.m ui/curses.c ui/curses_keys.h ui/d3des.h ui/qemu-spice.h ui/sdl.c ui/spice-core.c ui/spice-display.c ui/spice-display.h ui/spice-input.c ui/vnc-auth-sasl.c ui/vnc-enc-tight.c ui/vnc-jobs-async.c ui/vnc.c ui/vnc.h ui/x_keymap.h usb-bsd.c usb-linux.c version.rc vl.c

Gerd Hoffmann kraxel at kemper.freedesktop.org
Fri Jun 17 08:47:02 PDT 2011


 .gitignore                             |    6 
 .gitmodules                            |    2 
 CODING_STYLE                           |    6 
 HACKING                                |  125 +
 MAINTAINERS                            |  553 +++++-
 Makefile                               |  109 -
 Makefile.objs                          |   85 
 Makefile.target                        |   84 
 QMP/README                             |    9 
 QMP/qmp-events.txt                     |   66 
 QMP/qmp-shell                          |  254 ++
 QMP/qmp.py                             |  157 +
 QMP/vm-info                            |   33 
 VERSION                                |    2 
 alpha-dis.c                            |    3 
 arch_init.c                            |   85 
 arch_init.h                            |    1 
 arm-dis.c                              |   38 
 arm-semi.c                             |   79 
 audio/alsaaudio.c                      |   63 
 audio/audio.c                          |   38 
 audio/audio.h                          |    8 
 audio/audio_int.h                      |   11 
 audio/audio_pt_int.c                   |    3 
 audio/audio_template.h                 |    4 
 audio/dsoundaudio.c                    |    4 
 audio/esdaudio.c                       |    3 
 audio/fmodaudio.c                      |    4 
 audio/mixeng.c                         |   25 
 audio/mixeng.h                         |    4 
 audio/mixeng_template.h                |   39 
 audio/noaudio.c                        |    5 
 audio/ossaudio.c                       |   23 
 audio/paaudio.c                        |   44 
 audio/spiceaudio.c                     |  345 +++
 audio/winwaveaudio.c                   |    3 
 balloon.c                              |    2 
 block-migration.c                      |   95 +
 block.c                                |  378 +++-
 block.h                                |   16 
 block/blkdebug.c                       |    8 
 block/blkverify.c                      |  383 ++++
 block/cow.c                            |    4 
 block/nbd.c                            |   64 
 block/qcow.c                           |    5 
 block/qcow2-cache.c                    |  314 +++
 block/qcow2-cluster.c                  |  337 ++-
 block/qcow2-refcount.c                 |  276 +--
 block/qcow2-snapshot.c                 |   41 
 block/qcow2.c                          |  696 ++++---
 block/qcow2.h                          |   42 
 block/qed-check.c                      |  210 ++
 block/qed-cluster.c                    |  154 +
 block/qed-gencb.c                      |   32 
 block/qed-l2-cache.c                   |  173 +
 block/qed-table.c                      |  319 +++
 block/qed.c                            | 1365 +++++++++++++++
 block/qed.h                            |  301 +++
 block/raw-posix.c                      |  153 +
 block/raw-win32.c                      |   11 
 block/raw.c                            |  140 -
 block/rbd.c                            | 1059 ++++++++++++
 block/rbd_types.h                      |   71 
 block/sheepdog.c                       |   27 
 block/vdi.c                            |    9 
 block/vmdk.c                           |    5 
 block/vpc.c                            |   70 
 block/vvfat.c                          |   30 
 block_int.h                            |   22 
 blockdev.c                             |  371 +++-
 blockdev.h                             |   32 
 bsd-user/bsdload.c                     |    2 
 bsd-user/elfload.c                     |   37 
 bsd-user/main.c                        |    6 
 bsd-user/qemu.h                        |    3 
 bswap.h                                |   15 
 buffered_file.c                        |    9 
 cache-utils.c                          |    2 
 cache-utils.h                          |    2 
 check-qjson.c                          |    4 
 cmd.h                                  |   36 
 configure                              |  815 ++++++---
 console.c                              |   87 
 console.h                              |    4 
 cpu-all.h                              |   18 
 cpu-common.h                           |   15 
 cpu-exec.c                             |   12 
 cpus.c                                 |  169 +
 cpus.h                                 |    3 
 create_config                          |  103 -
 cris-dis.c                             |   13 
 cutils.c                               |  145 +
 darwin-user/machload.c                 |    2 
 darwin-user/qemu.h                     |    4 
 default-configs/arm-softmmu.mak        |    4 
 default-configs/cris-softmmu.mak       |    1 
 default-configs/i386-softmmu.mak       |    7 
 default-configs/m68k-softmmu.mak       |    2 
 default-configs/microblaze-softmmu.mak |    1 
 default-configs/mips-softmmu.mak       |    6 
 default-configs/mips64-softmmu.mak     |    6 
 default-configs/mips64el-softmmu.mak   |    6 
 default-configs/mipsel-softmmu.mak     |    6 
 default-configs/pci.mak                |   16 
 default-configs/ppc-softmmu.mak        |    8 
 default-configs/ppc64-softmmu.mak      |    8 
 default-configs/ppcemb-softmmu.mak     |    8 
 default-configs/s390x-softmmu.mak      |    1 
 default-configs/sh4-softmmu.mak        |    4 
 default-configs/sh4eb-softmmu.mak      |    4 
 default-configs/sparc-softmmu.mak      |    2 
 default-configs/sparc64-softmmu.mak    |    5 
 default-configs/x86_64-softmmu.mak     |    7 
 dev/null                               |binary
 dis-asm.h                              |   96 -
 disas.c                                |   17 
 disas.h                                |    3 
 docs/blkverify.txt                     |   69 
 docs/bootindex.txt                     |   43 
 docs/migration.txt                     |   56 
 docs/qdev-device-use.txt               |   21 
 docs/specs/acpi_pci_hotplug.txt        |   37 
 docs/specs/qed_spec.txt                |  130 +
 docs/tracing.txt                       |  189 ++
 dyngen-exec.h                          |   23 
 elf.h                                  |   19 
 envlist.h                              |   14 
 exec-all.h                             |   12 
 exec.c                                 |  216 ++
 feature_to_c.sh                        |   76 
 fpu/softfloat-native.c                 |    6 
 fpu/softfloat-native.h                 |    6 
 fpu/softfloat-specialize.h             |  436 +++-
 fpu/softfloat.c                        |  240 ++
 fpu/softfloat.h                        |   64 
 fsdev/qemu-fsdev.c                     |   57 
 fsdev/qemu-fsdev.h                     |    4 
 gdbstub.c                              |    7 
 gdbstub.h                              |    3 
 hmp-commands.hx                        | 1382 +++++++++++++++
 hw/acpi.c                              |   28 
 hw/acpi_piix4.c                        |  162 +
 hw/apb_pci.c                           |   65 
 hw/apic.c                              |   74 
 hw/arm_gic.c                           |    3 
 hw/arm_sysctl.c                        |   20 
 hw/arm_timer.c                         |    5 
 hw/armv7m.c                            |    2 
 hw/audiodev.h                          |    3 
 hw/axis_dev88.c                        |    6 
 hw/bonito.c                            |   19 
 hw/bt-sdp.c                            |   20 
 hw/cirrus_vga.c                        |  222 --
 hw/cirrus_vga_rop.h                    |   38 
 hw/cirrus_vga_rop2.h                   |   12 
 hw/cs4231.c                            |   23 
 hw/cs4231a.c                           |    1 
 hw/cuda.c                              |    3 
 hw/dec_pci.c                           |   52 
 hw/device-assignment.c                 |  697 +++++--
 hw/device-assignment.h                 |   20 
 hw/device-hotplug.c                    |    5 
 hw/dp8393x.c                           |    3 
 hw/ds1225y.c                           |    6 
 hw/e1000.c                             |   58 
 hw/ecc.c                               |   27 
 hw/eccmemctl.c                         |   52 
 hw/eepro100.c                          |   60 
 hw/elf_ops.h                           |    5 
 hw/empty_slot.c                        |    3 
 hw/escc.c                              |   11 
 hw/esp.c                               |   56 
 hw/esp.h                               |    3 
 hw/etraxfs_dma.c                       |    2 
 hw/etraxfs_eth.c                       |    3 
 hw/etraxfs_pic.c                       |    3 
 hw/etraxfs_ser.c                       |    3 
 hw/etraxfs_timer.c                     |    7 
 hw/fdc.c                               |   18 
 hw/file-op-9p.h                        |   44 
 hw/flash.h                             |    3 
 hw/fmopl.c                             |    6 
 hw/fw_cfg.c                            |   36 
 hw/fw_cfg.h                            |    4 
 hw/g364fb.c                            |    3 
 hw/grackle_pci.c                       |    6 
 hw/grlib.h                             |  126 +
 hw/grlib_apbuart.c                     |  187 ++
 hw/grlib_gptimer.c                     |  395 ++++
 hw/grlib_irqmp.c                       |  376 ++++
 hw/gt64xxx.c                           |  125 -
 hw/gumstix.c                           |    4 
 hw/gus.c                               |    4 
 hw/hda-audio.c                         |  926 ++++++++++
 hw/heathrow_pic.c                      |    5 
 hw/hpet.c                              |    3 
 hw/hw.h                                |   67 
 hw/i8259.c                             |    2 
 hw/ide.h                               |    2 
 hw/ide/ahci.c                          | 1152 +++++++++++++
 hw/ide/ahci.h                          |  333 +++
 hw/ide/cmd646.c                        |   26 
 hw/ide/core.c                          | 1232 ++++++-------
 hw/ide/ich.c                           |  148 +
 hw/ide/internal.h                      |   79 
 hw/ide/isa.c                           |    5 
 hw/ide/macio.c                         |    3 
 hw/ide/mmio.c                          |    6 
 hw/ide/pci.c                           |  378 +++-
 hw/ide/pci.h                           |   37 
 hw/ide/piix.c                          |   44 
 hw/ide/qdev.c                          |   22 
 hw/ide/via.c                           |   44 
 hw/integratorcp.c                      |    9 
 hw/intel-hda-defs.h                    |  717 ++++++++
 hw/intel-hda.c                         | 1308 ++++++++++++++
 hw/intel-hda.h                         |   62 
 hw/ioapic.c                            |  224 +-
 hw/ioapic.h                            |   20 
 hw/ioh3420.c                           |  246 ++
 hw/ioh3420.h                           |   10 
 hw/ipf.c                               |    6 
 hw/isa-bus.c                           |   53 
 hw/isa.h                               |    6 
 hw/isa_mmio.c                          |  100 -
 hw/ivshmem.c                           |   13 
 hw/jazz_led.c                          |    3 
 hw/lan9118.c                           |    7 
 hw/lance.c                             |   18 
 hw/leon3.c                             |  217 ++
 hw/loader.c                            |   37 
 hw/loader.h                            |    8 
 hw/lsi53c895a.c                        |   22 
 hw/m48t59.c                            |   15 
 hw/mac_dbdma.c                         |    6 
 hw/mac_nvram.c                         |    3 
 hw/mainstone.c                         |    3 
 hw/marvell_88w8618_audio.c             |    3 
 hw/mc146818rtc.c                       |   16 
 hw/mcf5206.c                           |    3 
 hw/mcf5208.c                           |    6 
 hw/mcf_fec.c                           |    3 
 hw/mcf_intc.c                          |    3 
 hw/mcf_uart.c                          |    3 
 hw/mips.h                              |    4 
 hw/mips_fulong2e.c                     |   23 
 hw/mips_jazz.c                         |   41 
 hw/mips_malta.c                        |   53 
 hw/mips_mipssim.c                      |    6 
 hw/mips_r4k.c                          |   12 
 hw/mips_timer.c                        |   44 
 hw/mipsnet.c                           |    2 
 hw/mpcore.c                            |    3 
 hw/msi.c                               |  344 +++
 hw/msi.h                               |   41 
 hw/msix.c                              |  237 +-
 hw/msix.h                              |    4 
 hw/mst_fpga.c                          |    2 
 hw/multiboot.c                         |   13 
 hw/musicpal.c                          |   24 
 hw/ne2000-isa.c                        |    3 
 hw/ne2000.c                            |    5 
 hw/nseries.c                           |    4 
 hw/omap.h                              |    9 
 hw/omap1.c                             |   59 
 hw/omap2.c                             |   10 
 hw/omap_dma.c                          |    4 
 hw/omap_dss.c                          |    2 
 hw/omap_gpio.c                         |    2 
 hw/omap_gpmc.c                         |    2 
 hw/omap_i2c.c                          |    7 
 hw/omap_intc.c                         |    4 
 hw/omap_l4.c                           |    5 
 hw/omap_lcdc.c                         |    2 
 hw/omap_mmc.c                          |    7 
 hw/omap_sdrc.c                         |    2 
 hw/omap_sx1.c                          |   15 
 hw/omap_uart.c                         |   14 
 hw/onenand.c                           |    3 
 hw/openpic.c                           |   31 
 hw/palm.c                              |   18 
 hw/parallel.c                          |    8 
 hw/pc.c                                |  162 +
 hw/pc.h                                |    6 
 hw/pc_piix.c                           |   55 
 hw/pci-hotplug.c                       |   27 
 hw/pci-stub.c                          |   50 
 hw/pci.c                               |  825 +++++----
 hw/pci.h                               |  204 +-
 hw/pci_bridge.c                        |  275 +++
 hw/pci_bridge.h                        |   66 
 hw/pci_host.c                          |  103 -
 hw/pci_host.h                          |    6 
 hw/pci_ids.h                           |    3 
 hw/pci_internals.h                     |   47 
 hw/pcie.c                              |  544 ++++++
 hw/pcie.h                              |  132 +
 hw/pcie_aer.c                          | 1031 +++++++++++
 hw/pcie_aer.h                          |  106 +
 hw/pcie_host.c                         |    3 
 hw/pcie_port.c                         |  124 +
 hw/pcie_port.h                         |   51 
 hw/pcie_regs.h                         |  156 +
 hw/pckbd.c                             |   23 
 hw/pcnet-pci.c                         |  346 +++
 hw/pcnet.c                             |  316 ---
 hw/pcnet.h                             |    3 
 hw/pflash_cfi01.c                      |    6 
 hw/pflash_cfi02.c                      |    4 
 hw/piix4.c                             |    1 
 hw/piix_pci.c                          |    8 
 hw/pl011.c                             |    3 
 hw/pl022.c                             |    3 
 hw/pl031.c                             |   28 
 hw/pl050.c                             |   38 
 hw/pl061.c                             |    3 
 hw/pl080.c                             |   61 
 hw/pl110.c                             |   47 
 hw/pl181.c                             |   11 
 hw/pl190.c                             |   41 
 hw/ppc.c                               |   27 
 hw/ppc.h                               |    4 
 hw/ppc405_boards.c                     |   34 
 hw/ppc405_uc.c                         |   44 
 hw/ppc440.c                            |    2 
 hw/ppc4xx_devs.c                       |    2 
 hw/ppc4xx_pci.c                        |   19 
 hw/ppc_mac.h                           |    1 
 hw/ppc_newworld.c                      |   52 
 hw/ppc_oldworld.c                      |  115 -
 hw/ppc_prep.c                          |   53 
 hw/ppce500_mpc8544ds.c                 |   15 
 hw/ppce500_pci.c                       |    9 
 hw/prep_pci.c                          |    3 
 hw/pxa.h                               |   10 
 hw/pxa2xx.c                            |   46 
 hw/pxa2xx_dma.c                        |    2 
 hw/pxa2xx_gpio.c                       |  150 -
 hw/pxa2xx_keypad.c                     |    2 
 hw/pxa2xx_lcd.c                        |    6 
 hw/pxa2xx_mmci.c                       |    2 
 hw/pxa2xx_pcmcia.c                     |    6 
 hw/pxa2xx_pic.c                        |    2 
 hw/pxa2xx_timer.c                      |    2 
 hw/qdev.c                              |  162 +
 hw/qdev.h                              |   38 
 hw/qxl-logger.c                        |  248 ++
 hw/qxl-render.c                        |  226 ++
 hw/qxl.c                               | 1531 +++++++++++++++++
 hw/qxl.h                               |  108 +
 hw/r2d.c                               |   34 
 hw/rc4030.c                            |   11 
 hw/realview.c                          |    3 
 hw/realview_gic.c                      |    3 
 hw/rtl8139.c                           |   47 
 hw/s390-virtio-bus.c                   |    8 
 hw/s390-virtio-bus.h                   |   19 
 hw/s390-virtio.c                       |    1 
 hw/sb16.c                              |    4 
 hw/sbi.c                               |    3 
 hw/scsi-bus.c                          |   46 
 hw/scsi-defs.h                         |   21 
 hw/scsi-disk.c                         |  456 +++--
 hw/scsi-generic.c                      |   49 
 hw/scsi.h                              |   15 
 hw/sd.c                                |   10 
 hw/serial.c                            |   33 
 hw/sh7750.c                            |   28 
 hw/sh_intc.c                           |    3 
 hw/sh_pci.c                            |  106 -
 hw/sh_pci.h                            |    9 
 hw/sh_serial.c                         |   62 
 hw/sh_timer.c                          |    3 
 hw/sharpsl.h                           |    7 
 hw/slavio_intctl.c                     |   51 
 hw/slavio_misc.c                       |   75 
 hw/slavio_timer.c                      |   52 
 hw/sm501.c                             |   61 
 hw/smc91c111.c                         |   33 
 hw/soc_dma.c                           |    5 
 hw/sparc32_dma.c                       |   84 
 hw/spitz.c                             |  351 ++-
 hw/ssi-sd.c                            |    7 
 hw/stellaris.c                         |   12 
 hw/stellaris_enet.c                    |    3 
 hw/sun4c_intctl.c                      |    3 
 hw/sun4m.c                             |   57 
 hw/sun4m_iommu.c                       |   36 
 hw/sun4u.c                             |    6 
 hw/syborg_fb.c                         |    3 
 hw/syborg_interrupt.c                  |    3 
 hw/syborg_keyboard.c                   |    3 
 hw/syborg_pointer.c                    |    3 
 hw/syborg_rtc.c                        |    3 
 hw/syborg_serial.c                     |    3 
 hw/syborg_timer.c                      |    3 
 hw/syborg_virtio.c                     |   11 
 hw/sysbus.c                            |   33 
 hw/sysbus.h                            |    9 
 hw/tc6393xb.c                          |    2 
 hw/tc6393xb_template.h                 |    2 
 hw/tcx.c                               |    5 
 hw/testdev.c                           |   19 
 hw/tosa.c                              |   35 
 hw/tusb6010.c                          |    2 
 hw/unin_pci.c                          |   26 
 hw/usb-bt.c                            |  525 ++---
 hw/usb-bus.c                           |  104 +
 hw/usb-desc.c                          |  406 ++++
 hw/usb-desc.h                          |   92 +
 hw/usb-hid.c                           |  808 ++++-----
 hw/usb-hub.c                           |  275 +--
 hw/usb-msd.c                           |  276 +--
 hw/usb-musb.c                          |   44 
 hw/usb-net.c                           |  531 ++----
 hw/usb-ohci.c                          |  100 -
 hw/usb-serial.c                        |  236 --
 hw/usb-uhci.c                          |   98 -
 hw/usb-wacom.c                         |  227 --
 hw/usb.c                               |   34 
 hw/usb.h                               |   59 
 hw/versatile_pci.c                     |   21 
 hw/versatilepb.c                       |   27 
 hw/vga-isa-mm.c                        |    6 
 hw/vga-pci.c                           |   45 
 hw/vga.c                               |   35 
 hw/vga_int.h                           |    4 
 hw/vhost.c                             |   68 
 hw/vhost.h                             |    4 
 hw/vhost_net.c                         |   50 
 hw/vhost_net.h                         |    3 
 hw/virtex_ml507.c                      |  276 +++
 hw/virtio-9p-debug.c                   |  193 +-
 hw/virtio-9p-debug.h                   |    1 
 hw/virtio-9p-local.c                   |  147 +
 hw/virtio-9p-posix-acl.c               |  140 +
 hw/virtio-9p-xattr-user.c              |  109 +
 hw/virtio-9p-xattr.c                   |  159 +
 hw/virtio-9p-xattr.h                   |  102 +
 hw/virtio-9p.c                         | 1973 +++++++++++++++++++---
 hw/virtio-9p.h                         |  261 ++
 hw/virtio-balloon.c                    |   12 
 hw/virtio-blk.c                        |   77 
 hw/virtio-console.c                    |   38 
 hw/virtio-net.c                        |  313 ++-
 hw/virtio-net.h                        |   14 
 hw/virtio-pci.c                        |  329 +++
 hw/virtio-serial-bus.c                 |  136 +
 hw/virtio-serial.h                     |   24 
 hw/virtio.c                            |  123 +
 hw/virtio.h                            |   14 
 hw/vmmouse.c                           |   31 
 hw/vmware_vga.c                        |   95 -
 hw/watchdog.h                          |    8 
 hw/wdt_i6300esb.c                      |   43 
 hw/wdt_ib700.c                         |   22 
 hw/wm8750.c                            |    5 
 hw/xen_backend.h                       |    2 
 hw/xen_disk.c                          |   29 
 hw/xilinx_ethlite.c                    |    2 
 hw/xilinx_intc.c                       |    2 
 hw/xilinx_timer.c                      |    3 
 hw/xilinx_uartlite.c                   |    3 
 hw/xio3130_downstream.c                |  211 ++
 hw/xio3130_downstream.h                |   11 
 hw/xio3130_upstream.c                  |  186 ++
 hw/xio3130_upstream.h                  |   10 
 hw/zaurus.c                            |  115 -
 hxtool                                 |  102 -
 ioport.c                               |   71 
 ioport.h                               |    2 
 iorange.h                              |   30 
 json-parser.c                          |    3 
 kvm-all.c                              |  353 ++--
 kvm-stub.c                             |   52 
 kvm-tpr-opt.c                          |   10 
 kvm.h                                  |   51 
 kvm/doxygen.conf                       | 1252 --------------
 kvm/kvm_stat                           |  313 +++
 kvm/libkvm/libkvm-x86.c                |   39 
 kvm/libkvm/libkvm.h                    |   30 
 kvm/scripts/make-release               |   22 
 linux-user/arm/nwfpe/fpa11.h           |    6 
 linux-user/arm/nwfpe/fpa11_cprt.c      |   14 
 linux-user/arm/nwfpe/fpopcode.h        |    4 
 linux-user/elfload.c                   |   79 
 linux-user/flatload.c                  |   41 
 linux-user/ioctls.h                    |    6 
 linux-user/linuxload.c                 |    2 
 linux-user/m68k-sim.c                  |    6 
 linux-user/main.c                      |   60 
 linux-user/mips/syscall_nr.h           |   38 
 linux-user/mmap.c                      |    6 
 linux-user/ppc/syscall_nr.h            |   30 
 linux-user/qemu.h                      |   18 
 linux-user/signal.c                    |  197 +-
 linux-user/strace.c                    |    6 
 linux-user/strace.list                 |    6 
 linux-user/syscall.c                   |  366 +++-
 linux-user/syscall_defs.h              |    4 
 linux-user/syscall_types.h             |   16 
 linux-user/target_flat.h               |   10 
 m68k-dis.c                             |    2 
 m68k-semi.c                            |    2 
 microblaze-dis.c                       |    2 
 migration.c                            |   44 
 migration.h                            |    5 
 mips-dis.c                             |    2 
 monitor.c                              | 1105 ++++++++++--
 monitor.h                              |   11 
 nbd.c                                  |  149 +
 nbd.h                                  |    7 
 net.c                                  |   69 
 net.h                                  |    5 
 net/socket.c                           |   53 
 net/tap-aix.c                          |    9 
 net/tap-bsd.c                          |   21 
 net/tap-haiku.c                        |   61 
 net/tap-linux.c                        |   42 
 net/tap-linux.h                        |    8 
 net/tap-solaris.c                      |    9 
 net/tap-win32.c                        |   14 
 net/tap.c                              |   62 
 net/tap.h                              |    4 
 os-posix.c                             |   53 
 os-win32.c                             |   30 
 osdep.c                                |  261 --
 osdep.h                                |   46 
 oslib-posix.c                          |  161 +
 oslib-win32.c                          |  121 +
 path.c                                 |   28 
 pc-bios/README                         |    8 
 pc-bios/bios.bin                       |binary
 pc-bios/keymaps/bepo                   |  333 +++
 pc-bios/openbios-ppc                   |binary
 pc-bios/openbios-sparc32               |binary
 pc-bios/openbios-sparc64               |binary
 pc-bios/optionrom/Makefile             |    2 
 pc-bios/optionrom/signrom.sh           |   46 
 pc-bios/optionrom/vapic.S              |   15 
 pc-bios/vgabios-cirrus.bin             |binary
 pc-bios/vgabios-qxl.bin                |binary
 pc-bios/vgabios-stdvga.bin             |binary
 pc-bios/vgabios-vmware.bin             |binary
 pc-bios/vgabios.bin                    |binary
 pflib.c                                |  213 ++
 pflib.h                                |   20 
 posix-aio-compat.c                     |    8 
 qemu-binfmt-conf.sh                    |   62 
 qemu-char.c                            |  138 +
 qemu-char.h                            |   12 
 qemu-common.h                          |   97 -
 qemu-config.c                          |  129 +
 qemu-config.h                          |    1 
 qemu-doc.texi                          |  103 +
 qemu-error.h                           |    9 
 qemu-img-cmds.hx                       |    4 
 qemu-img.c                             |  467 ++---
 qemu-img.texi                          |   45 
 qemu-io.c                              |  154 +
 qemu-kvm-helper.c                      |   35 
 qemu-kvm-x86.c                         | 1266 ++++----------
 qemu-kvm.c                             |  495 +----
 qemu-kvm.h                             |  217 --
 qemu-lock.h                            |   10 
 qemu-malloc.c                          |   25 
 qemu-monitor.hx                        | 2549 ----------------------------
 qemu-nbd.c                             |   19 
 qemu-option.c                          |   13 
 qemu-options.hx                        |  130 +
 qemu-os-posix.h                        |   15 
 qemu-os-win32.h                        |   11 
 qemu-tech.texi                         |    4 
 qemu-timer-common.c                    |   63 
 qemu-timer.c                           |  162 -
 qemu-timer.h                           |   50 
 qemu-tool.c                            |    8 
 qemu_socket.h                          |    1 
 qerror.c                               |   10 
 qerror.h                               |    8 
 qjson.c                                |   55 
 qjson.h                                |    8 
 qmp-commands.hx                        | 1776 ++++++++++++++++++++
 range.h                                |   29 
 roms/seabios                           |    2 
 roms/vgabios                           |    2 
 rules.mak                              |   17 
 rwhandler.c                            |    4 
 rwhandler.h                            |    2 
 savevm.c                               |  171 +
 scripts/checkpatch.pl                  | 2910 +++++++++++++++++++++++++++++++++
 scripts/create_config                  |  103 +
 scripts/feature_to_c.sh                |   78 
 scripts/hxtool                         |  102 +
 scripts/make_device_config.sh          |   28 
 scripts/qemu-binfmt-conf.sh            |   66 
 scripts/signrom.sh                     |   45 
 scripts/simpletrace.py                 |   93 +
 scripts/texi2pod.pl                    |  477 +++++
 scripts/tracetool                      |  629 +++++++
 sh4-dis.c                              |   16 
 simpletrace.c                          |  255 ++
 simpletrace.h                          |   40 
 slirp/bootp.c                          |   34 
 slirp/ip_input.c                       |    2 
 slirp/misc.c                           |   42 
 slirp/slirp.c                          |    3 
 slirp/slirp.h                          |   22 
 slirp/slirp_config.h                   |    6 
 slirp/tftp.c                           |    4 
 spice-qemu-char.c                      |  190 ++
 sysemu.h                               |   36 
 target-alpha/helper.c                  |    3 
 target-alpha/op_helper.c               |    2 
 target-arm/cpu.h                       |   77 
 target-arm/helper.c                    |  169 +
 target-arm/helpers.h                   |   19 
 target-arm/neon_helper.c               |  225 ++
 target-arm/op_helper.c                 |   63 
 target-arm/translate.c                 |  725 +++++---
 target-cris/cpu.h                      |    7 
 target-cris/exec.h                     |    4 
 target-cris/helper.c                   |   10 
 target-cris/mmu.c                      |    4 
 target-cris/op_helper.c                |    4 
 target-cris/translate.c                |  104 -
 target-cris/translate_v10.c            |   15 
 target-i386/cpu.h                      |   34 
 target-i386/cpuid.c                    |   85 
 target-i386/fake-exec.c                |   12 
 target-i386/helper.c                   |  116 +
 target-i386/kvm.c                      | 1000 ++++++++---
 target-i386/kvm_x86.h                  |   25 
 target-i386/machine.c                  |   26 
 target-i386/op_helper.c                |    4 
 target-i386/translate.c                |   34 
 target-m68k/cpu.h                      |    3 
 target-m68k/helper.c                   |    8 
 target-m68k/translate.c                |    3 
 target-microblaze/cpu.h                |    9 
 target-microblaze/exec.h               |    4 
 target-microblaze/helper.h             |   19 
 target-microblaze/op_helper.c          |  289 ++-
 target-microblaze/translate.c          |  492 ++++-
 target-mips/cpu.h                      |   11 
 target-mips/exec.h                     |   18 
 target-mips/helper.h                   |    8 
 target-mips/op_helper.c                |   56 
 target-mips/translate.c                |   69 
 target-mips/translate_init.c           |    2 
 target-ppc/cpu.h                       |   12 
 target-ppc/exec.h                      |    3 
 target-ppc/helper.c                    |  132 -
 target-ppc/kvm.c                       |   49 
 target-ppc/kvm_ppc.h                   |   13 
 target-ppc/op_helper.c                 |  407 ++--
 target-ppc/translate.c                 |   59 
 target-ppc/translate_init.c            |    8 
 target-s390x/cpu.h                     |    6 
 target-s390x/kvm.c                     |    8 
 target-s390x/translate.c               |    5 
 target-sh4/cpu.h                       |   68 
 target-sh4/helper.c                    |  232 ++
 target-sh4/helper.h                    |    3 
 target-sh4/op_helper.c                 |  249 ++
 target-sh4/translate.c                 |  164 +
 target-sparc/cpu.h                     |   50 
 target-sparc/helper.c                  |  121 -
 target-sparc/helper.h                  |    3 
 target-sparc/op_helper.c               |  296 ++-
 target-sparc/translate.c               |   36 
 tcg/README                             |   24 
 tcg/arm/tcg-target.c                   |   72 
 tcg/ia64/tcg-target.c                  |   18 
 tcg/mips/tcg-target.c                  |    6 
 tcg/tcg-op.h                           |   68 
 tcg/tcg-opc.h                          |    6 
 tcg/tcg.c                              |    8 
 tcg/tcg.h                              |    3 
 tests/Makefile                         |  122 -
 tests/cris/check_abs.c                 |    5 
 tests/cris/check_addc.c                |    3 
 tests/cris/check_addcm.c               |    6 
 tests/cris/check_bound.c               |    9 
 tests/cris/check_ftag.c                |   12 
 tests/cris/check_int64.c               |    6 
 tests/cris/check_lz.c                  |    2 
 tests/cris/check_swap.c                |    4 
 tests/cris/crisutils.h                 |   20 
 tests/cris/sys.h                       |    4 
 tests/hello-i386.c                     |    4 
 tests/runcom.c                         |   11 
 tests/test-i386.c                      |    5 
 tests/test_path.c                      |   13 
 texi2pod.pl                            |  477 -----
 trace-events                           |  256 ++
 ui/cocoa.m                             |    6 
 ui/curses.c                            |    9 
 ui/curses_keys.h                       |    1 
 ui/d3des.h                             |    8 
 ui/qemu-spice.h                        |   57 
 ui/sdl.c                               |   14 
 ui/spice-core.c                        |  672 +++++++
 ui/spice-display.c                     |  412 ++++
 ui/spice-display.h                     |   68 
 ui/spice-input.c                       |  217 ++
 ui/vnc-auth-sasl.c                     |   14 
 ui/vnc-enc-tight.c                     |   20 
 ui/vnc-jobs-async.c                    |    4 
 ui/vnc.c                               |   93 -
 ui/vnc.h                               |    1 
 ui/x_keymap.h                          |    4 
 usb-bsd.c                              |   71 
 usb-linux.c                            |   75 
 version.rc                             |   28 
 vl.c                                   |  437 +++-
 716 files changed, 55164 insertions(+), 19070 deletions(-)

New commits:
commit 671d89d6411655bb4f8058ce6eb86bb0bb8ec978
Merge: 080b695... ac7a1d0...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Feb 13 16:56:08 2011 +0200

    Merge branch 'upstream-merge' into next
    
    * upstream-merge: (55 commits)
      microblaze: Handle singlestepping over direct jmps
      target-arm: implement vsli.64, vsri.64
      target-arm: fix VSHLL Neon instruction.
      [PATCH] [MIPS] Clear softfpu exception state for round, trunc, ceil and floor
      target-arm: Fix 32 bit signed saturating narrow
      target-arm: Fix VQMOVUN Neon instruction.
      linux-user: fix for loopmount ioctl
      linux-user: fix build errors for mmap2-only ports
      user: speed up init_paths a bit
      linux-user: implement sched_{g,s}etaffinity
      linux-user/FLAT: allow targets to override FLAT processing
      linux-user/FLAT: fix auto-stack sizing
      linux-user: decode MAP_{UNINITIALIZED,EXECUTABLE} in strace
      linux-user: add ppoll syscall support
      linux-user/elfload: add FDPIC support
      linux-user: fix sizeof handling for getsockopt
      linux-user: Fix possible realloc memory leak
      linux-user: Add support for -version option
      cris, microblaze: use cpu_has_work
      x86: Fix MCA broadcast parameters for TCG case
      ...
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

commit ac7a1d055d8407c26bf00a0fe41a57aa90e4352c
Merge: a90c0e6... 6c5f738...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Feb 13 16:54:50 2011 +0200

    Merge commit '6c5f738daec123020d32543fe90a6633a4f6643e' into upstream-merge
    
    * commit '6c5f738daec123020d32543fe90a6633a4f6643e': (44 commits)
      microblaze: Handle singlestepping over direct jmps
      target-arm: implement vsli.64, vsri.64
      target-arm: fix VSHLL Neon instruction.
      [PATCH] [MIPS] Clear softfpu exception state for round, trunc, ceil and floor
      target-arm: Fix 32 bit signed saturating narrow
      target-arm: Fix VQMOVUN Neon instruction.
      linux-user: fix for loopmount ioctl
      linux-user: fix build errors for mmap2-only ports
      user: speed up init_paths a bit
      linux-user: implement sched_{g,s}etaffinity
      linux-user/FLAT: allow targets to override FLAT processing
      linux-user/FLAT: fix auto-stack sizing
      linux-user: decode MAP_{UNINITIALIZED,EXECUTABLE} in strace
      linux-user: add ppoll syscall support
      linux-user/elfload: add FDPIC support
      linux-user: fix sizeof handling for getsockopt
      linux-user: Fix possible realloc memory leak
      linux-user: Add support for -version option
      cris, microblaze: use cpu_has_work
      x86: Fix MCA broadcast parameters for TCG case
      ...
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

commit a90c0e680d83d4e8f34f46566cd559c72c4ef2b6
Merge: 2d24961... 1f5e71a...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Feb 13 16:51:51 2011 +0200

    Merge commit '1f5e71a8e6b24dce74b156472ff9253b9bd33a11' into upstream-merge
    
    * commit '1f5e71a8e6b24dce74b156472ff9253b9bd33a11':
      ioapic: Style & magics cleanup
    
    Conflicts:
    	hw/ioapic.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc hw/ioapic.c
index 5c8b835,569327d..8fab34f
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@@ -41,23 -37,50 +41,51 @@@
  #define DPRINTF(fmt, ...)
  #endif
  
 +#define IOAPIC_DEFAULT_BASE_ADDRESS  0xfec00000
  #define MAX_IOAPICS                     1
  
- #define IOAPIC_LVT_MASKED               (1 << 16)
- #define IOAPIC_LVT_REMOTE_IRR           (1 << 14)
+ #define IOAPIC_VERSION                  0x11
  
- #define IOAPIC_TRIGGER_EDGE		0
- #define IOAPIC_TRIGGER_LEVEL		1
+ #define IOAPIC_LVT_DEST_SHIFT           56
+ #define IOAPIC_LVT_MASKED_SHIFT         16
+ #define IOAPIC_LVT_TRIGGER_MODE_SHIFT   15
+ #define IOAPIC_LVT_REMOTE_IRR_SHIFT     14
+ #define IOAPIC_LVT_POLARITY_SHIFT       13
+ #define IOAPIC_LVT_DELIV_STATUS_SHIFT   12
+ #define IOAPIC_LVT_DEST_MODE_SHIFT      11
+ #define IOAPIC_LVT_DELIV_MODE_SHIFT     8
+ 
+ #define IOAPIC_LVT_MASKED               (1 << IOAPIC_LVT_MASKED_SHIFT)
+ #define IOAPIC_LVT_REMOTE_IRR           (1 << IOAPIC_LVT_REMOTE_IRR_SHIFT)
+ 
+ #define IOAPIC_TRIGGER_EDGE             0
+ #define IOAPIC_TRIGGER_LEVEL            1
  
  /*io{apic,sapic} delivery mode*/
- #define IOAPIC_DM_FIXED			0x0
- #define IOAPIC_DM_LOWEST_PRIORITY	0x1
- #define IOAPIC_DM_PMI			0x2
- #define IOAPIC_DM_NMI			0x4
- #define IOAPIC_DM_INIT			0x5
- #define IOAPIC_DM_SIPI			0x5
- #define IOAPIC_DM_EXTINT		0x7
+ #define IOAPIC_DM_FIXED                 0x0
+ #define IOAPIC_DM_LOWEST_PRIORITY       0x1
+ #define IOAPIC_DM_PMI                   0x2
+ #define IOAPIC_DM_NMI                   0x4
+ #define IOAPIC_DM_INIT                  0x5
+ #define IOAPIC_DM_SIPI                  0x6
+ #define IOAPIC_DM_EXTINT                0x7
+ #define IOAPIC_DM_MASK                  0x7
+ 
+ #define IOAPIC_VECTOR_MASK              0xff
+ 
+ #define IOAPIC_IOREGSEL                 0x00
+ #define IOAPIC_IOWIN                    0x10
+ 
+ #define IOAPIC_REG_ID                   0x00
+ #define IOAPIC_REG_VER                  0x01
+ #define IOAPIC_REG_ARB                  0x02
+ #define IOAPIC_REG_REDTBL_BASE          0x10
+ #define IOAPIC_ID                       0x00
+ 
+ #define IOAPIC_ID_SHIFT                 24
+ #define IOAPIC_ID_MASK                  0xf
+ 
+ #define IOAPIC_VER_ENTRIES_SHIFT        16
  
  typedef struct IOAPICState IOAPICState;
  
@@@ -65,8 -88,6 +93,7 @@@ struct IOAPICState 
      SysBusDevice busdev;
      uint8_t id;
      uint8_t ioregsel;
 +    uint64_t base_address;
- 
      uint32_t irr;
      uint64_t ioredtbl[IOAPIC_NUM_PINS];
  };
@@@ -120,11 -142,10 +148,10 @@@ static void ioapic_set_irq(void *opaque
       * to GSI 2.  GSI maps to ioapic 1-1.  This is not
       * the cleanest way of doing it but it should work. */
  
-     DPRINTF("%s: %s vec %x\n", __func__, level? "raise" : "lower", vector);
+     DPRINTF("%s: %s vec %x\n", __func__, level ? "raise" : "lower", vector);
 -    if (vector == 0) {
 +    if (vector == 0 && irq0override) {
          vector = 2;
      }
- 
      if (vector >= 0 && vector < IOAPIC_NUM_PINS) {
          uint32_t mask = 1 << vector;
          uint64_t entry = s->ioredtbl[vector];
@@@ -322,12 -284,10 +357,12 @@@ static const VMStateDescription vmstate
      .post_load = ioapic_post_load,
      .minimum_version_id = 1,
      .minimum_version_id_old = 1,
 +    .pre_load = ioapic_pre_load,
 +    .pre_save = ioapic_pre_save,
-     .fields      = (VMStateField []) {
+     .fields = (VMStateField[]) {
          VMSTATE_UINT8(id, IOAPICState),
          VMSTATE_UINT8(ioregsel, IOAPICState),
 -        VMSTATE_UNUSED_V(2, 8), /* to account for qemu-kvm's v2 format */
 +        VMSTATE_UINT64_V(base_address, IOAPICState, 2),
          VMSTATE_UINT32_V(irr, IOAPICState, 2),
          VMSTATE_UINT64_ARRAY(ioredtbl, IOAPICState, IOAPIC_NUM_PINS),
          VMSTATE_END_OF_LIST()
@@@ -343,13 -302,9 +378,14 @@@ static void ioapic_reset(DeviceState *d
      s->id = 0;
      s->ioregsel = 0;
      s->irr = 0;
-     for(i = 0; i < IOAPIC_NUM_PINS; i++)
-         s->ioredtbl[i] = 1 << 16; /* mask LVT */
+     for (i = 0; i < IOAPIC_NUM_PINS; i++) {
+         s->ioredtbl[i] = 1 << IOAPIC_LVT_MASKED_SHIFT;
+     }
 +#ifdef KVM_CAP_IRQCHIP
 +    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
 +        kvm_kernel_ioapic_load_from_user(s);
 +    }
 +#endif
  }
  
  static CPUReadMemoryFunc * const ioapic_mem_read[3] = {
commit 2d24961d3bba8ac38c38af27816f462d5deb2d51
Merge: 53d6be9... 5dce499...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Feb 13 16:48:24 2011 +0200

    Merge commit '5dce499948e4a4abe62f010baf4a7ed3d49e53cb' into upstream-merge
    
    * commit '5dce499948e4a4abe62f010baf4a7ed3d49e53cb':
      ioapic: Add support for qemu-kvm's vmstate v2
    
    Conflicts:
    	hw/ioapic.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

commit 53d6be977096cbeb9f3941437e1c36a6d47b3ed3
Merge: e806014... 35a74c5...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Feb 13 16:47:59 2011 +0200

    Merge commit '35a74c5c5941b474d8b985237e1bde0b8cd2a20f' into upstream-merge
    
    * commit '35a74c5c5941b474d8b985237e1bde0b8cd2a20f':
      ioapic: Save/restore irr
    
    Conflicts:
    	hw/ioapic.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc hw/ioapic.c
index afdf9b5,8c46c1d..7027b3e
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@@ -304,20 -235,19 +304,26 @@@ static int ioapic_post_load(void *opaqu
  {
      IOAPICState *s = opaque;
  
+     if (version_id == 1) {
+         /* set sane value */
+         s->irr = 0;
+     }
++
 +    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
 +        kvm_kernel_ioapic_load_from_user(s);
 +    }
++
      return 0;
  }
  
  static const VMStateDescription vmstate_ioapic = {
      .name = "ioapic",
      .version_id = 2,
+     .post_load = ioapic_post_load,
      .minimum_version_id = 1,
      .minimum_version_id_old = 1,
 +    .pre_load = ioapic_pre_load,
-     .post_load = ioapic_post_load,
 +    .pre_save = ioapic_pre_save,
      .fields      = (VMStateField []) {
          VMSTATE_UINT8(id, IOAPICState),
          VMSTATE_UINT8(ioregsel, IOAPICState),
commit e80601494369f8b3f542185d75139a77d0e66853
Merge: 080b695... 0280b57...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Feb 13 16:46:53 2011 +0200

    Merge commit '0280b571c1a153f8926612d8c8d7359242d596f5' into upstream-merge
    
    * commit '0280b571c1a153f8926612d8c8d7359242d596f5':
      ioapic: Implement EOI handling for level-triggered IRQs
      vnc: qemu can die if the client is disconnected while updating screen
      virtio-serial: Make sure virtqueue is ready before discarding data
      ui/sdl: Fix handling of caps lock and num lock keys
      Unify alarm deadline computation
      Correct alarm deadline computation
      use nanoseconds everywhere for timeout computation
      savevm: fix corruption in vmstate_subsection_load().
    
    Conflicts:
    	hw/ioapic.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc hw/ioapic.c
index aeb3653,8bc31f7..afdf9b5
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@@ -23,8 -23,7 +23,9 @@@
  #include "hw.h"
  #include "pc.h"
  #include "apic.h"
 +#include "sysemu.h"
 +#include "apic.h"
+ #include "ioapic.h"
  #include "qemu-timer.h"
  #include "host-utils.h"
  #include "sysbus.h"
@@@ -40,8 -37,10 +41,11 @@@
  #define DPRINTF(fmt, ...)
  #endif
  
 +#define IOAPIC_DEFAULT_BASE_ADDRESS  0xfec00000
- #define IOAPIC_LVT_MASKED 		(1<<16)
+ #define MAX_IOAPICS                     1
+ 
+ #define IOAPIC_LVT_MASKED               (1 << 16)
+ #define IOAPIC_LVT_REMOTE_IRR           (1 << 14)
  
  #define IOAPIC_TRIGGER_EDGE		0
  #define IOAPIC_TRIGGER_LEVEL		1
commit 080b695d7ce5d21f9db7f4ad87f1d1f5bcf37660
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Feb 9 13:46:48 2011 +0200

    Close all block drivers on quit
    
    Following 2bc93fed76c89f7adaa0e5bb3, close all block drivers on quit.
    Fixes qcow2 data loss after quit due to qcowcache being volatile.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/qemu-kvm.c b/qemu-kvm.c
index 4974179..49cd683 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1606,6 +1606,7 @@ int kvm_main_loop(void)
         }
     }
 
+    bdrv_close_all();
     pause_all_threads();
     pthread_mutex_unlock(&qemu_mutex);
 
commit 6c5f738daec123020d32543fe90a6633a4f6643e
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Thu Feb 10 00:46:09 2011 +0100

    microblaze: Handle singlestepping over direct jmps
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 2207431..fdb2b40 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -1715,9 +1715,13 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
     t_sync_flags(dc);
 
     if (unlikely(env->singlestep_enabled)) {
-        t_gen_raise_exception(dc, EXCP_DEBUG);
-        if (dc->is_jmp == DISAS_NEXT)
+        TCGv_i32 tmp = tcg_const_i32(EXCP_DEBUG);
+
+        if (dc->is_jmp != DISAS_JUMP) {
             tcg_gen_movi_tl(cpu_SR[SR_PC], npc);
+        }
+        gen_helper_raise_exception(tmp);
+        tcg_temp_free_i32(tmp);
     } else {
         switch(dc->is_jmp) {
             case DISAS_NEXT:
commit 1c0de9fa509c48aeeb6ef2465307d603abc9ee4e
Merge: 923e650... 898b1be...
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Feb 9 19:53:36 2011 +0100

    Merge branch 'linux-user-for-upstream' of git://gitorious.org/qemu-maemo/qemu
    
    * 'linux-user-for-upstream' of git://gitorious.org/qemu-maemo/qemu:
      linux-user: fix for loopmount ioctl
      linux-user: fix build errors for mmap2-only ports
      user: speed up init_paths a bit
      linux-user: implement sched_{g,s}etaffinity
      linux-user/FLAT: allow targets to override FLAT processing
      linux-user/FLAT: fix auto-stack sizing
      linux-user: decode MAP_{UNINITIALIZED,EXECUTABLE} in strace
      linux-user: add ppoll syscall support
      linux-user/elfload: add FDPIC support
      linux-user: fix sizeof handling for getsockopt
      linux-user: Fix possible realloc memory leak
      linux-user: Add support for -version option

commit 923e65097d2101a78f716f7932f4291315d88bbf
Author: Christophe Lyon <christophe.lyon at st.com>
Date:   Tue Feb 8 18:39:02 2011 +0100

    target-arm: implement vsli.64, vsri.64
    
    Signed-off-by: Christophe Lyon <christophe.lyon at st.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index ef3f369..3087a5d 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4698,7 +4698,19 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                             tcg_gen_add_i64(cpu_V0, cpu_V0, cpu_V1);
                         } else if (op == 4 || (op == 5 && u)) {
                             /* Insert */
-                            cpu_abort(env, "VS[LR]I.64 not implemented");
+                            neon_load_reg64(cpu_V1, rd + pass);
+                            uint64_t mask;
+                            if (shift < -63 || shift > 63) {
+                                mask = 0;
+                            } else {
+                                if (op == 4) {
+                                    mask = 0xffffffffffffffffull >> -shift;
+                                } else {
+                                    mask = 0xffffffffffffffffull << shift;
+                                }
+                            }
+                            tcg_gen_andi_i64(cpu_V1, cpu_V1, ~mask);
+                            tcg_gen_or_i64(cpu_V0, cpu_V0, cpu_V1);
                         }
                         neon_store_reg64(cpu_V0, rd + pass);
                     } else { /* size < 3 */
commit acdf01effa1851780a731ca5ffeab79a474a6335
Author: Christophe Lyon <christophe.lyon at st.com>
Date:   Wed Feb 9 13:19:15 2011 +0100

    target-arm: fix VSHLL Neon instruction.
    
    Fix bit mask used when widening the result of shift on narrow input.
    
    Signed-off-by: Christophe Lyon <christophe.lyon at st.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 89c916d..ef3f369 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4880,16 +4880,28 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                         /* The shift is less than the width of the source
                            type, so we can just shift the whole register.  */
                         tcg_gen_shli_i64(cpu_V0, cpu_V0, shift);
+                        /* Widen the result of shift: we need to clear
+                         * the potential overflow bits resulting from
+                         * left bits of the narrow input appearing as
+                         * right bits of left the neighbour narrow
+                         * input.  */
                         if (size < 2 || !u) {
                             uint64_t imm64;
                             if (size == 0) {
                                 imm = (0xffu >> (8 - shift));
                                 imm |= imm << 16;
-                            } else {
+                            } else if (size == 1) {
                                 imm = 0xffff >> (16 - shift);
+                            } else {
+                                /* size == 2 */
+                                imm = 0xffffffff >> (32 - shift);
+                            }
+                            if (size < 2) {
+                                imm64 = imm | (((uint64_t)imm) << 32);
+                            } else {
+                                imm64 = imm;
                             }
-                            imm64 = imm | (((uint64_t)imm) << 32);
-                            tcg_gen_andi_i64(cpu_V0, cpu_V0, imm64);
+                            tcg_gen_andi_i64(cpu_V0, cpu_V0, ~imm64);
                         }
                     }
                     neon_store_reg64(cpu_V0, rd + pass);
commit efd410373a4551911f3928bb2ccdf28792b294bf
Author: Chris Dearman <chris at mips.com>
Date:   Tue Feb 8 19:03:30 2011 -0800

    [PATCH] [MIPS] Clear softfpu exception state for round, trunc, ceil and floor
    
    MIPS FPU instructions should start with a clean softfpu status. This
    is done for the arithmetic operations and cvt instructions, but not
    for round, trunc, ceil and floor.
    
    Signed-off-by: Chris Dearman <chris at mips.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index 669faf1..bd16ce3 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -2282,6 +2282,7 @@ uint64_t helper_float_roundl_d(uint64_t fdt0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_nearest_even, &env->active_fpu.fp_status);
     dt2 = float64_to_int64(fdt0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2295,6 +2296,7 @@ uint64_t helper_float_roundl_s(uint32_t fst0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_nearest_even, &env->active_fpu.fp_status);
     dt2 = float32_to_int64(fst0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2308,6 +2310,7 @@ uint32_t helper_float_roundw_d(uint64_t fdt0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_nearest_even, &env->active_fpu.fp_status);
     wt2 = float64_to_int32(fdt0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2321,6 +2324,7 @@ uint32_t helper_float_roundw_s(uint32_t fst0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_nearest_even, &env->active_fpu.fp_status);
     wt2 = float32_to_int32(fst0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2334,6 +2338,7 @@ uint64_t helper_float_truncl_d(uint64_t fdt0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     dt2 = float64_to_int64_round_to_zero(fdt0, &env->active_fpu.fp_status);
     update_fcr31();
     if (GET_FP_CAUSE(env->active_fpu.fcr31) & (FP_OVERFLOW | FP_INVALID))
@@ -2345,6 +2350,7 @@ uint64_t helper_float_truncl_s(uint32_t fst0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     dt2 = float32_to_int64_round_to_zero(fst0, &env->active_fpu.fp_status);
     update_fcr31();
     if (GET_FP_CAUSE(env->active_fpu.fcr31) & (FP_OVERFLOW | FP_INVALID))
@@ -2356,6 +2362,7 @@ uint32_t helper_float_truncw_d(uint64_t fdt0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     wt2 = float64_to_int32_round_to_zero(fdt0, &env->active_fpu.fp_status);
     update_fcr31();
     if (GET_FP_CAUSE(env->active_fpu.fcr31) & (FP_OVERFLOW | FP_INVALID))
@@ -2367,6 +2374,7 @@ uint32_t helper_float_truncw_s(uint32_t fst0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     wt2 = float32_to_int32_round_to_zero(fst0, &env->active_fpu.fp_status);
     update_fcr31();
     if (GET_FP_CAUSE(env->active_fpu.fcr31) & (FP_OVERFLOW | FP_INVALID))
@@ -2378,6 +2386,7 @@ uint64_t helper_float_ceill_d(uint64_t fdt0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_up, &env->active_fpu.fp_status);
     dt2 = float64_to_int64(fdt0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2391,6 +2400,7 @@ uint64_t helper_float_ceill_s(uint32_t fst0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_up, &env->active_fpu.fp_status);
     dt2 = float32_to_int64(fst0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2404,6 +2414,7 @@ uint32_t helper_float_ceilw_d(uint64_t fdt0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_up, &env->active_fpu.fp_status);
     wt2 = float64_to_int32(fdt0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2417,6 +2428,7 @@ uint32_t helper_float_ceilw_s(uint32_t fst0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_up, &env->active_fpu.fp_status);
     wt2 = float32_to_int32(fst0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2430,6 +2442,7 @@ uint64_t helper_float_floorl_d(uint64_t fdt0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_down, &env->active_fpu.fp_status);
     dt2 = float64_to_int64(fdt0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2443,6 +2456,7 @@ uint64_t helper_float_floorl_s(uint32_t fst0)
 {
     uint64_t dt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_down, &env->active_fpu.fp_status);
     dt2 = float32_to_int64(fst0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2456,6 +2470,7 @@ uint32_t helper_float_floorw_d(uint64_t fdt0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_down, &env->active_fpu.fp_status);
     wt2 = float64_to_int32(fdt0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
@@ -2469,6 +2484,7 @@ uint32_t helper_float_floorw_s(uint32_t fst0)
 {
     uint32_t wt2;
 
+    set_float_exception_flags(0, &env->active_fpu.fp_status);
     set_float_rounding_mode(float_round_down, &env->active_fpu.fp_status);
     wt2 = float32_to_int32(fst0, &env->active_fpu.fp_status);
     RESTORE_ROUNDING_MODE;
commit cc2212c2f851291929becc3f4fd153d05ca4c54a
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Feb 9 15:42:33 2011 +0000

    target-arm: Fix 32 bit signed saturating narrow
    
    The returned value when doing saturating signed 64->32 bit
    conversion of a negative number was incorrect due to a missing cast.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index a7cf383..61890dd 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -1209,7 +1209,7 @@ uint32_t HELPER(neon_narrow_sat_s32)(CPUState *env, uint64_t x)
 {
     if ((int64_t)x != (int32_t)x) {
         SET_QC();
-        return (x >> 63) ^ 0x7fffffff;
+        return ((int64_t)x >> 63) ^ 0x7fffffff;
     }
     return x;
 }
commit af1bbf30c407cb194599a4e1724c38c7bf1d94b3
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Wed Feb 9 15:42:32 2011 +0000

    target-arm: Fix VQMOVUN Neon instruction.
    
    VQMOVUN does a signed-to-unsigned saturating conversion. This is
    different from both the signed-to-signed and unsigned-to-unsigned
    conversions already implemented, so we need a new set of helper
    functions (neon_unarrow_sat*).
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helpers.h b/target-arm/helpers.h
index 8a2564e..4d0de00 100644
--- a/target-arm/helpers.h
+++ b/target-arm/helpers.h
@@ -299,10 +299,13 @@ DEF_HELPER_3(neon_qrdmulh_s32, i32, env, i32, i32)
 
 DEF_HELPER_1(neon_narrow_u8, i32, i64)
 DEF_HELPER_1(neon_narrow_u16, i32, i64)
+DEF_HELPER_2(neon_unarrow_sat8, i32, env, i64)
 DEF_HELPER_2(neon_narrow_sat_u8, i32, env, i64)
 DEF_HELPER_2(neon_narrow_sat_s8, i32, env, i64)
+DEF_HELPER_2(neon_unarrow_sat16, i32, env, i64)
 DEF_HELPER_2(neon_narrow_sat_u16, i32, env, i64)
 DEF_HELPER_2(neon_narrow_sat_s16, i32, env, i64)
+DEF_HELPER_2(neon_unarrow_sat32, i32, env, i64)
 DEF_HELPER_2(neon_narrow_sat_u32, i32, env, i64)
 DEF_HELPER_2(neon_narrow_sat_s32, i32, env, i64)
 DEF_HELPER_1(neon_narrow_high_u8, i32, i64)
diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index 268af33..a7cf383 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -1053,6 +1053,33 @@ uint32_t HELPER(neon_narrow_round_high_u16)(uint64_t x)
     return ((x >> 16) & 0xffff) | ((x >> 32) & 0xffff0000);
 }
 
+uint32_t HELPER(neon_unarrow_sat8)(CPUState *env, uint64_t x)
+{
+    uint16_t s;
+    uint8_t d;
+    uint32_t res = 0;
+#define SAT8(n) \
+    s = x >> n; \
+    if (s & 0x8000) { \
+        SET_QC(); \
+    } else { \
+        if (s > 0xff) { \
+            d = 0xff; \
+            SET_QC(); \
+        } else  { \
+            d = s; \
+        } \
+        res |= (uint32_t)d << (n / 2); \
+    }
+
+    SAT8(0);
+    SAT8(16);
+    SAT8(32);
+    SAT8(48);
+#undef SAT8
+    return res;
+}
+
 uint32_t HELPER(neon_narrow_sat_u8)(CPUState *env, uint64_t x)
 {
     uint16_t s;
@@ -1099,6 +1126,29 @@ uint32_t HELPER(neon_narrow_sat_s8)(CPUState *env, uint64_t x)
     return res;
 }
 
+uint32_t HELPER(neon_unarrow_sat16)(CPUState *env, uint64_t x)
+{
+    uint32_t high;
+    uint32_t low;
+    low = x;
+    if (low & 0x80000000) {
+        low = 0;
+        SET_QC();
+    } else if (low > 0xffff) {
+        low = 0xffff;
+        SET_QC();
+    }
+    high = x >> 32;
+    if (high & 0x80000000) {
+        high = 0;
+        SET_QC();
+    } else if (high > 0xffff) {
+        high = 0xffff;
+        SET_QC();
+    }
+    return low | (high << 16);
+}
+
 uint32_t HELPER(neon_narrow_sat_u16)(CPUState *env, uint64_t x)
 {
     uint32_t high;
@@ -1133,6 +1183,19 @@ uint32_t HELPER(neon_narrow_sat_s16)(CPUState *env, uint64_t x)
     return (uint16_t)low | (high << 16);
 }
 
+uint32_t HELPER(neon_unarrow_sat32)(CPUState *env, uint64_t x)
+{
+    if (x & 0x8000000000000000ull) {
+        SET_QC();
+        return 0;
+    }
+    if (x > 0xffffffffu) {
+        SET_QC();
+        return 0xffffffffu;
+    }
+    return x;
+}
+
 uint32_t HELPER(neon_narrow_sat_u32)(CPUState *env, uint64_t x)
 {
     if (x > 0xffffffffu) {
diff --git a/target-arm/translate.c b/target-arm/translate.c
index e4649e6..89c916d 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4065,6 +4065,16 @@ static inline void gen_neon_narrow_satu(int size, TCGv dest, TCGv_i64 src)
     }
 }
 
+static inline void gen_neon_unarrow_sats(int size, TCGv dest, TCGv_i64 src)
+{
+    switch (size) {
+    case 0: gen_helper_neon_unarrow_sat8(dest, cpu_env, src); break;
+    case 1: gen_helper_neon_unarrow_sat16(dest, cpu_env, src); break;
+    case 2: gen_helper_neon_unarrow_sat32(dest, cpu_env, src); break;
+    default: abort();
+    }
+}
+
 static inline void gen_neon_shift_narrow(int size, TCGv var, TCGv shift,
                                          int q, int u)
 {
@@ -5461,12 +5471,18 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                     for (pass = 0; pass < 2; pass++) {
                         neon_load_reg64(cpu_V0, rm + pass);
                         tmp = new_tmp();
-                        if (op == 36 && q == 0) {
-                            gen_neon_narrow(size, tmp, cpu_V0);
-                        } else if (q) {
-                            gen_neon_narrow_satu(size, tmp, cpu_V0);
-                        } else {
-                            gen_neon_narrow_sats(size, tmp, cpu_V0);
+                        if (op == 36) {
+                            if (q) { /* VQMOVUN */
+                                gen_neon_unarrow_sats(size, tmp, cpu_V0);
+                            } else { /* VMOVN */
+                                gen_neon_narrow(size, tmp, cpu_V0);
+                            }
+                        } else { /* VQMOVN */
+                            if (q) {
+                                gen_neon_narrow_satu(size, tmp, cpu_V0);
+                            } else {
+                                gen_neon_narrow_sats(size, tmp, cpu_V0);
+                            }
                         }
                         if (pass == 0) {
                             tmp2 = tmp;
commit 898b1bebf97e5f973624a4e513da45dffefdb9b7
Author: Martin Mohring <martin.mohring at 5edatasoft.com>
Date:   Tue Feb 8 14:48:56 2011 +0200

    linux-user: fix for loopmount ioctl
    
    In case a chrooted build uses XEN or KVM, a looped mount needs to be done to setup the chroot.
    The ioctl for loop mount works correctly for arm, mips, ppc32 and sh4, so its now activated.
    
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index acff781..526aaa2 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -312,10 +312,8 @@
   IOCTL(LOOP_CLR_FD, 0, TYPE_INT)
   IOCTL(LOOP_SET_STATUS, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info)))
   IOCTL(LOOP_GET_STATUS, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info)))
-#if 0 /* These have some problems - not fully tested */
   IOCTL(LOOP_SET_STATUS64, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info64)))
   IOCTL(LOOP_GET_STATUS64, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info64)))
-#endif
   IOCTL(LOOP_CHANGE_FD, 0, TYPE_INT)
 
   IOCTL(MTIOCTOP, IOC_W, MK_PTR(MK_STRUCT(STRUCT_mtop)))
commit 8d9016c0919bab1fdf3a36c0f72d012924bb7efd
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:57 2011 -0500

    linux-user: fix build errors for mmap2-only ports
    
    The current print_mmap func is only enabled when the target supports the
    mmap syscall, but both mmap and mmap2 syscalls use it.  This leads to a
    build failure when the target supports mmap2 but not mmap.
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/strace.c b/linux-user/strace.c
index a8786bb..1836666 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -1203,7 +1203,7 @@ print_utimensat(const struct syscallname *name,
 }
 #endif
 
-#ifdef TARGET_NR_mmap
+#if defined(TARGET_NR_mmap) || defined(TARGET_NR_mmap2)
 static void
 print_mmap(const struct syscallname *name,
     abi_long arg0, abi_long arg1, abi_long arg2,
commit 2296f194dfde4c0a54f249d3fdb8c8ca21dc611b
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:56 2011 -0500

    user: speed up init_paths a bit
    
    The current init_paths code will attempt to opendir() every single file it
    finds.  This can obviously generated a huge number of syscalls with even a
    moderately small sysroot that will fail.  Since the readdir() call provides
    the file type in the struct itself, use it.  On my system, this prevents
    over 1000 syscalls from being made at every invocation of a target binary,
    and I only have a C library installed.
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/path.c b/path.c
index 0d2bf14..ef3f277 100644
--- a/path.c
+++ b/path.c
@@ -38,7 +38,8 @@ static int strneq(const char *s1, unsigned int n, const char *s2)
     return s2[i] == 0;
 }
 
-static struct pathelem *add_entry(struct pathelem *root, const char *name);
+static struct pathelem *add_entry(struct pathelem *root, const char *name,
+                                  unsigned char type);
 
 static struct pathelem *new_entry(const char *root,
                                   struct pathelem *parent,
@@ -56,6 +57,15 @@ static struct pathelem *new_entry(const char *root,
 
 #define streq(a,b) (strcmp((a), (b)) == 0)
 
+/* Not all systems provide this feature */
+#if defined(DT_DIR) && defined(DT_UNKNOWN)
+# define dirent_type(dirent) ((dirent)->d_type)
+# define is_dir_maybe(type)  ((type) == DT_DIR || (type) == DT_UNKNOWN)
+#else
+# define dirent_type(dirent) (1)
+# define is_dir_maybe(type)  (type)
+#endif
+
 static struct pathelem *add_dir_maybe(struct pathelem *path)
 {
     DIR *dir;
@@ -65,7 +75,7 @@ static struct pathelem *add_dir_maybe(struct pathelem *path)
 
         while ((dirent = readdir(dir)) != NULL) {
             if (!streq(dirent->d_name,".") && !streq(dirent->d_name,"..")){
-                path = add_entry(path, dirent->d_name);
+                path = add_entry(path, dirent->d_name, dirent_type(dirent));
             }
         }
         closedir(dir);
@@ -73,16 +83,22 @@ static struct pathelem *add_dir_maybe(struct pathelem *path)
     return path;
 }
 
-static struct pathelem *add_entry(struct pathelem *root, const char *name)
+static struct pathelem *add_entry(struct pathelem *root, const char *name,
+                                  unsigned char type)
 {
+    struct pathelem **e;
+
     root->num_entries++;
 
     root = realloc(root, sizeof(*root)
                    + sizeof(root->entries[0])*root->num_entries);
+    e = &root->entries[root->num_entries-1];
+
+    *e = new_entry(root->pathname, root, name);
+    if (is_dir_maybe(type)) {
+        *e = add_dir_maybe(*e);
+    }
 
-    root->entries[root->num_entries-1] = new_entry(root->pathname, root, name);
-    root->entries[root->num_entries-1]
-        = add_dir_maybe(root->entries[root->num_entries-1]);
     return root;
 }
 
commit 737de1d1357b13f162b26ca0b775eb375594833a
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:55 2011 -0500

    linux-user: implement sched_{g,s}etaffinity
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index bb6ef43..4412a9b 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -235,6 +235,12 @@ _syscall6(int,sys_futex,int *,uaddr,int,op,int,val,
           const struct timespec *,timeout,int *,uaddr2,int,val3)
 #endif
 #endif
+#define __NR_sys_sched_getaffinity __NR_sched_getaffinity
+_syscall3(int, sys_sched_getaffinity, pid_t, pid, unsigned int, len,
+          unsigned long *, user_mask_ptr);
+#define __NR_sys_sched_setaffinity __NR_sched_setaffinity
+_syscall3(int, sys_sched_setaffinity, pid_t, pid, unsigned int, len,
+          unsigned long *, user_mask_ptr);
 
 static bitmask_transtbl fcntl_flags_tbl[] = {
   { TARGET_O_ACCMODE,   TARGET_O_WRONLY,    O_ACCMODE,   O_WRONLY,    },
@@ -6354,6 +6360,67 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
            return value. */
         ret = -TARGET_ENOTDIR;
         break;
+    case TARGET_NR_sched_getaffinity:
+        {
+            unsigned int mask_size;
+            unsigned long *mask;
+
+            /*
+             * sched_getaffinity needs multiples of ulong, so need to take
+             * care of mismatches between target ulong and host ulong sizes.
+             */
+            if (arg2 & (sizeof(abi_ulong) - 1)) {
+                ret = -TARGET_EINVAL;
+                break;
+            }
+            mask_size = (arg2 + (sizeof(*mask) - 1)) & ~(sizeof(*mask) - 1);
+
+            mask = alloca(mask_size);
+            ret = get_errno(sys_sched_getaffinity(arg1, mask_size, mask));
+
+            if (!is_error(ret)) {
+                if (arg2 > ret) {
+                    /* Zero out any extra space kernel didn't fill */
+                    unsigned long zero = arg2 - ret;
+                    p = alloca(zero);
+                    memset(p, 0, zero);
+                    if (copy_to_user(arg3 + zero, p, zero)) {
+                        goto efault;
+                    }
+                    arg2 = ret;
+                }
+                if (copy_to_user(arg3, mask, arg2)) {
+                    goto efault;
+                }
+                ret = arg2;
+            }
+        }
+        break;
+    case TARGET_NR_sched_setaffinity:
+        {
+            unsigned int mask_size;
+            unsigned long *mask;
+
+            /*
+             * sched_setaffinity needs multiples of ulong, so need to take
+             * care of mismatches between target ulong and host ulong sizes.
+             */
+            if (arg2 & (sizeof(abi_ulong) - 1)) {
+                ret = -TARGET_EINVAL;
+                break;
+            }
+            mask_size = (arg2 + (sizeof(*mask) - 1)) & ~(sizeof(*mask) - 1);
+
+            mask = alloca(mask_size);
+            if (!lock_user_struct(VERIFY_READ, p, arg3, 1)) {
+                goto efault;
+            }
+            memcpy(mask, p, arg2);
+            unlock_user_struct(p, arg2, 0);
+
+            ret = get_errno(sys_sched_setaffinity(arg1, mask_size, mask));
+        }
+        break;
     case TARGET_NR_sched_setparam:
         {
             struct sched_param *target_schp;
commit c3109ba1b109f84929abbfe0462d910d5aa8617c
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:54 2011 -0500

    linux-user/FLAT: allow targets to override FLAT processing
    
    This brings flatload.c more in line with the current Linux FLAT loader
    which allows targets to handle various FLAT aspects in their own way.
    For the common behavior, the new functions get stubbed out.
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/Makefile.target b/Makefile.target
index b0ba95f..48e6c00 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -107,7 +107,7 @@ ifdef CONFIG_LINUX_USER
 
 $(call set-vpath, $(SRC_PATH)/linux-user:$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR))
 
-QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user -I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR)
+QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) -I$(SRC_PATH)/linux-user
 obj-y = main.o syscall.o strace.o mmap.o signal.o thunk.o \
       elfload.o linuxload.o uaccess.o gdbstub.o cpu-uname.o \
       qemu-malloc.o $(oslib-obj-y)
diff --git a/linux-user/flatload.c b/linux-user/flatload.c
index d8b4476..cd7af7c 100644
--- a/linux-user/flatload.c
+++ b/linux-user/flatload.c
@@ -41,6 +41,8 @@
 
 #include "qemu.h"
 #include "flat.h"
+#define ntohl(x) be32_to_cpu(x)
+#include <target_flat.h>
 
 //#define DEBUG
 
@@ -50,14 +52,6 @@
 #define	DBG_FLT(...)
 #endif
 
-#define flat_reloc_valid(reloc, size)             ((reloc) <= (size))
-#define flat_old_ram_flag(flag)                   (flag)
-#ifdef TARGET_WORDS_BIGENDIAN
-#define flat_get_relocate_addr(relval)            (relval)
-#else
-#define flat_get_relocate_addr(relval)            bswap32(relval)
-#endif
-
 #define RELOC_FAILED 0xff00ff01		/* Relocation incorrect somewhere */
 #define UNLOADED_LIB 0x7ff000ff		/* Placeholder for unused library */
 
@@ -78,8 +72,6 @@ static int load_flat_shared_library(int id, struct lib_info *p);
 
 struct linux_binprm;
 
-#define ntohl(x) be32_to_cpu(x)
-
 /****************************************************************************/
 /*
  * create_flat_tables() parses the env- and arg-strings in new user
@@ -625,6 +617,7 @@ static int load_flat_file(struct linux_binprm * bprm,
      * __start to address 4 so that is okay).
      */
     if (rev > OLD_FLAT_VERSION) {
+        abi_ulong persistent = 0;
         for (i = 0; i < relocs; i++) {
             abi_ulong addr, relval;
 
@@ -633,6 +626,9 @@ static int load_flat_file(struct linux_binprm * bprm,
                relocated first).  */
             if (get_user_ual(relval, reloc + i * sizeof(abi_ulong)))
                 return -EFAULT;
+            relval = ntohl(relval);
+            if (flat_set_persistent(relval, &persistent))
+                continue;
             addr = flat_get_relocate_addr(relval);
             rp = calc_reloc(addr, libinfo, id, 1);
             if (rp == RELOC_FAILED)
@@ -641,22 +637,20 @@ static int load_flat_file(struct linux_binprm * bprm,
             /* Get the pointer's value.  */
             if (get_user_ual(addr, rp))
                 return -EFAULT;
+            addr = flat_get_addr_from_rp(rp, relval, flags, &persistent);
             if (addr != 0) {
                 /*
                  * Do the relocation.  PIC relocs in the data section are
                  * already in target order
                  */
-
-#ifndef TARGET_WORDS_BIGENDIAN
                 if ((flags & FLAT_FLAG_GOTPIC) == 0)
-                    addr = bswap32(addr);
-#endif
+                    addr = ntohl(addr);
                 addr = calc_reloc(addr, libinfo, id, 0);
                 if (addr == RELOC_FAILED)
                     return -ENOEXEC;
 
                 /* Write back the relocated pointer.  */
-                if (put_user_ual(addr, rp))
+                if (flat_put_addr_at_rp(rp, addr, relval))
                     return -EFAULT;
             }
         }
@@ -782,7 +776,8 @@ int load_flt_binary(struct linux_binprm * bprm, struct target_pt_regs * regs,
     stack_len *= sizeof(abi_ulong);
     if ((sp + stack_len) & 15)
         sp -= 16 - ((sp + stack_len) & 15);
-    sp = loader_build_argptr(bprm->envc, bprm->argc, sp, p, 1);
+    sp = loader_build_argptr(bprm->envc, bprm->argc, sp, p,
+                             flat_argvp_envp_on_stack());
 
     /* Fake some return addresses to ensure the call chain will
      * initialise library in order for us.  We are required to call
diff --git a/linux-user/target_flat.h b/linux-user/target_flat.h
new file mode 100644
index 0000000..0ba6bdd
--- /dev/null
+++ b/linux-user/target_flat.h
@@ -0,0 +1,10 @@
+/* If your arch needs to do custom stuff, create your own target_flat.h
+ * header file in linux-user/<your arch>/
+ */
+#define flat_argvp_envp_on_stack()                           1
+#define flat_reloc_valid(reloc, size)                        ((reloc) <= (size))
+#define flat_old_ram_flag(flag)                              (flag)
+#define flat_get_relocate_addr(relval)                       (relval)
+#define flat_get_addr_from_rp(rp, relval, flags, persistent) (rp)
+#define flat_set_persistent(relval, persistent)              (*persistent)
+#define flat_put_addr_at_rp(rp, addr, relval)                put_user_ual(addr, rp)
commit 82a39595f7c70aecfb4649ae5a125147b62131f8
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:53 2011 -0500

    linux-user/FLAT: fix auto-stack sizing
    
    The current auto-stack sizing works like it does on a NOMMU system; the
    problem is that this only works if the envp/argv arrays are fairly slim.
    On a desktop system, this is rarely the case, and can easily blow past
    the stack and into data/text regions as the default stack for FLAT progs
    is a mere 4KiB.  So rather than rely on the NOMMU calculation (which is
    only there because NOMMU can't easily allocate gobs of contiguous mem),
    calc the full space actually needed and let the MMU host make space.
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/flatload.c b/linux-user/flatload.c
index 8f9f4a5..d8b4476 100644
--- a/linux-user/flatload.c
+++ b/linux-user/flatload.c
@@ -733,8 +733,15 @@ int load_flt_binary(struct linux_binprm * bprm, struct target_pt_regs * regs,
      * pedantic and include space for the argv/envp array as it may have
      * a lot of entries.
      */
-#define TOP_OF_ARGS (TARGET_PAGE_SIZE * MAX_ARG_PAGES - sizeof(void *))
-    stack_len = TOP_OF_ARGS - bprm->p;             /* the strings */
+    stack_len = 0;
+    for (i = 0; i < bprm->argc; ++i) {
+        /* the argv strings */
+        stack_len += strlen(bprm->argv[i]);
+    }
+    for (i = 0; i < bprm->envc; ++i) {
+        /* the envp strings */
+        stack_len += strlen(bprm->envp[i]);
+    }
     stack_len += (bprm->argc + 1) * 4; /* the argv array */
     stack_len += (bprm->envc + 1) * 4; /* the envp array */
 
commit 906c1b8ec8ed8987662e2697af20b9ca19c659b5
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:52 2011 -0500

    linux-user: decode MAP_{UNINITIALIZED,EXECUTABLE} in strace
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/strace.c b/linux-user/strace.c
index bf9a0d9..a8786bb 100644
--- a/linux-user/strace.c
+++ b/linux-user/strace.c
@@ -398,6 +398,7 @@ UNUSED static struct flags mmap_flags[] = {
     FLAG_TARGET(MAP_DENYWRITE),
     FLAG_TARGET(MAP_FIXED),
     FLAG_TARGET(MAP_GROWSDOWN),
+    FLAG_TARGET(MAP_EXECUTABLE),
 #ifdef MAP_LOCKED
     FLAG_TARGET(MAP_LOCKED),
 #endif
@@ -408,6 +409,9 @@ UNUSED static struct flags mmap_flags[] = {
 #ifdef MAP_POPULATE
     FLAG_TARGET(MAP_POPULATE),
 #endif
+#ifdef TARGET_MAP_UNINITIALIZED
+    FLAG_TARGET(MAP_UNINITIALIZED),
+#endif
     FLAG_END,
 };
 
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index d02a9bf..4742ac0 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -999,6 +999,7 @@ struct target_winsize {
 #define TARGET_MAP_NORESERVE	0x4000		/* don't check for reservations */
 #define TARGET_MAP_POPULATE	0x8000		/* populate (prefault) pagetables */
 #define TARGET_MAP_NONBLOCK	0x10000		/* do not block on IO */
+#define TARGET_MAP_UNINITIALIZED 0x4000000	/* for anonymous mmap, memory could be uninitialized */
 #endif
 
 #if (defined(TARGET_I386) && defined(TARGET_ABI32)) || defined(TARGET_ARM) || defined(TARGET_CRIS)
commit d8035d4cfce42e0268e39e109d5abf01d9f25259
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:51 2011 -0500

    linux-user: add ppoll syscall support
    
    Some architectures (like Blackfin) only implement ppoll (and skip poll).
    So add support for it using existing poll code.
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 6116ab5..bb6ef43 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -529,6 +529,15 @@ static int sys_inotify_init1(int flags)
 #undef TARGET_NR_inotify_rm_watch
 #endif /* CONFIG_INOTIFY  */
 
+#if defined(TARGET_NR_ppoll)
+#ifndef __NR_ppoll
+# define __NR_ppoll -1
+#endif
+#define __NR_sys_ppoll __NR_ppoll
+_syscall5(int, sys_ppoll, struct pollfd *, fds, nfds_t, nfds,
+          struct timespec *, timeout, const __sigset_t *, sigmask,
+          size_t, sigsetsize)
+#endif
 
 extern int personality(int);
 extern int flock(int, int);
@@ -6230,8 +6239,13 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
         ret = do_select(arg1, arg2, arg3, arg4, arg5);
         break;
 #endif
-#ifdef TARGET_NR_poll
+#if defined(TARGET_NR_poll) || defined(TARGET_NR_ppoll)
+# ifdef TARGET_NR_poll
     case TARGET_NR_poll:
+# endif
+# ifdef TARGET_NR_ppoll
+    case TARGET_NR_ppoll:
+# endif
         {
             struct target_pollfd *target_pfd;
             unsigned int nfds = arg2;
@@ -6242,12 +6256,51 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             target_pfd = lock_user(VERIFY_WRITE, arg1, sizeof(struct target_pollfd) * nfds, 1);
             if (!target_pfd)
                 goto efault;
+
             pfd = alloca(sizeof(struct pollfd) * nfds);
             for(i = 0; i < nfds; i++) {
                 pfd[i].fd = tswap32(target_pfd[i].fd);
                 pfd[i].events = tswap16(target_pfd[i].events);
             }
-            ret = get_errno(poll(pfd, nfds, timeout));
+
+# ifdef TARGET_NR_ppoll
+            if (num == TARGET_NR_ppoll) {
+                struct timespec _timeout_ts, *timeout_ts = &_timeout_ts;
+                target_sigset_t *target_set;
+                sigset_t _set, *set = &_set;
+
+                if (arg3) {
+                    if (target_to_host_timespec(timeout_ts, arg3)) {
+                        unlock_user(target_pfd, arg1, 0);
+                        goto efault;
+                    }
+                } else {
+                    timeout_ts = NULL;
+                }
+
+                if (arg4) {
+                    target_set = lock_user(VERIFY_READ, arg4, sizeof(target_sigset_t), 1);
+                    if (!target_set) {
+                        unlock_user(target_pfd, arg1, 0);
+                        goto efault;
+                    }
+                    target_to_host_sigset(set, target_set);
+                } else {
+                    set = NULL;
+                }
+
+                ret = get_errno(sys_ppoll(pfd, nfds, timeout_ts, set, _NSIG/8));
+
+                if (!is_error(ret) && arg3) {
+                    host_to_target_timespec(arg3, timeout_ts);
+                }
+                if (arg4) {
+                    unlock_user(target_set, arg4, 0);
+                }
+            } else
+# endif
+                ret = get_errno(poll(pfd, nfds, timeout));
+
             if (!is_error(ret)) {
                 for(i = 0; i < nfds; i++) {
                     target_pfd[i].revents = tswap16(pfd[i].revents);
commit 1af02e83c00fe269fbbaeaccc7c0b914ad277d18
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:50 2011 -0500

    linux-user/elfload: add FDPIC support
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/elf.h b/elf.h
index 7067c90..d2f24f4 100644
--- a/elf.h
+++ b/elf.h
@@ -1191,6 +1191,25 @@ typedef struct elf64_note {
   Elf64_Word n_type;	/* Content type */
 } Elf64_Nhdr;
 
+
+/* This data structure represents a PT_LOAD segment.  */
+struct elf32_fdpic_loadseg {
+  /* Core address to which the segment is mapped.  */
+  Elf32_Addr addr;
+  /* VMA recorded in the program header.  */
+  Elf32_Addr p_vaddr;
+  /* Size of this segment in memory.  */
+  Elf32_Word p_memsz;
+};
+struct elf32_fdpic_loadmap {
+  /* Protocol version number, must be zero.  */
+  Elf32_Half version;
+  /* Number of segments in this map.  */
+  Elf32_Half nsegs;
+  /* The actual memory map.  */
+  struct elf32_fdpic_loadseg segs[/*nsegs*/];
+};
+
 #ifdef ELF_CLASS
 #if ELF_CLASS == ELFCLASS32
 
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 08c44d8..2de83e4 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -1075,6 +1075,33 @@ static void zero_bss(abi_ulong elf_bss, abi_ulong last_bss, int prot)
     }
 }
 
+#ifdef CONFIG_USE_FDPIC
+static abi_ulong loader_build_fdpic_loadmap(struct image_info *info, abi_ulong sp)
+{
+    uint16_t n;
+    struct elf32_fdpic_loadseg *loadsegs = info->loadsegs;
+
+    /* elf32_fdpic_loadseg */
+    n = info->nsegs;
+    while (n--) {
+        sp -= 12;
+        put_user_u32(loadsegs[n].addr, sp+0);
+        put_user_u32(loadsegs[n].p_vaddr, sp+4);
+        put_user_u32(loadsegs[n].p_memsz, sp+8);
+    }
+
+    /* elf32_fdpic_loadmap */
+    sp -= 4;
+    put_user_u16(0, sp+0); /* version */
+    put_user_u16(info->nsegs, sp+2); /* nsegs */
+
+    info->personality = PER_LINUX_FDPIC;
+    info->loadmap_addr = sp;
+
+    return sp;
+}
+#endif
+
 static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
                                    struct elfhdr *exec,
                                    struct image_info *info,
@@ -1087,6 +1114,21 @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
     const int n = sizeof(elf_addr_t);
 
     sp = p;
+
+#ifdef CONFIG_USE_FDPIC
+    /* Needs to be before we load the env/argc/... */
+    if (elf_is_fdpic(exec)) {
+        /* Need 4 byte alignment for these structs */
+        sp &= ~3;
+        sp = loader_build_fdpic_loadmap(info, sp);
+        info->other_info = interp_info;
+        if (interp_info) {
+            interp_info->other_info = info;
+            sp = loader_build_fdpic_loadmap(interp_info, sp);
+        }
+    }
+#endif
+
     u_platform = 0;
     k_platform = ELF_PLATFORM;
     if (k_platform) {
@@ -1197,6 +1239,11 @@ static void load_elf_image(const char *image_name, int image_fd,
     }
     bswap_phdr(phdr, ehdr->e_phnum);
 
+#ifdef CONFIG_USE_FDPIC
+    info->nsegs = 0;
+    info->pt_dynamic_addr = 0;
+#endif
+
     /* Find the maximum size of the image and allocate an appropriate
        amount of memory to handle that.  */
     loaddr = -1, hiaddr = 0;
@@ -1210,6 +1257,9 @@ static void load_elf_image(const char *image_name, int image_fd,
             if (a > hiaddr) {
                 hiaddr = a;
             }
+#ifdef CONFIG_USE_FDPIC
+            ++info->nsegs;
+#endif
         }
     }
 
@@ -1290,6 +1340,27 @@ static void load_elf_image(const char *image_name, int image_fd,
     }
     load_bias = load_addr - loaddr;
 
+#ifdef CONFIG_USE_FDPIC
+    {
+        struct elf32_fdpic_loadseg *loadsegs = info->loadsegs =
+            qemu_malloc(sizeof(*loadsegs) * info->nsegs);
+
+        for (i = 0; i < ehdr->e_phnum; ++i) {
+            switch (phdr[i].p_type) {
+            case PT_DYNAMIC:
+                info->pt_dynamic_addr = phdr[i].p_vaddr + load_bias;
+                break;
+            case PT_LOAD:
+                loadsegs->addr = phdr[i].p_vaddr + load_bias;
+                loadsegs->p_vaddr = phdr[i].p_vaddr;
+                loadsegs->p_memsz = phdr[i].p_memsz;
+                ++loadsegs;
+                break;
+            }
+        }
+    }
+#endif
+
     info->load_bias = load_bias;
     info->load_addr = load_addr;
     info->entry = ehdr->e_entry + load_bias;
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 32de241..250814d 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -51,6 +51,13 @@ struct image_info {
         abi_ulong       arg_start;
         abi_ulong       arg_end;
 	int		personality;
+#ifdef CONFIG_USE_FDPIC
+        abi_ulong       loadmap_addr;
+        uint16_t        nsegs;
+        void           *loadsegs;
+        abi_ulong       pt_dynamic_addr;
+        struct image_info *other_info;
+#endif
 };
 
 #ifdef TARGET_I386
commit 73160d952922157f16946e8ebb4419072de4c657
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Mon Feb 7 01:05:49 2011 -0500

    linux-user: fix sizeof handling for getsockopt
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 499c4d7..6116ab5 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1448,7 +1448,7 @@ static abi_long do_getsockopt(int sockfd, int level, int optname,
             return -TARGET_EFAULT;
         if (len < 0)
             return -TARGET_EINVAL;
-        lv = sizeof(int);
+        lv = sizeof(lv);
         ret = get_errno(getsockopt(sockfd, level, optname, &val, &lv));
         if (ret < 0)
             return ret;
@@ -1485,7 +1485,7 @@ static abi_long do_getsockopt(int sockfd, int level, int optname,
                 return -TARGET_EFAULT;
             if (len < 0)
                 return -TARGET_EINVAL;
-            lv = sizeof(int);
+            lv = sizeof(lv);
             ret = get_errno(getsockopt(sockfd, level, optname, &val, &lv));
             if (ret < 0)
                 return ret;
commit 8d79de6e42947a4a11ad7c7bb87e8f745a4f8321
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Jan 17 21:36:06 2011 +0100

    linux-user: Fix possible realloc memory leak
    
    Extract from "man realloc":
    "If realloc() fails the original block is left untouched;
    it is not freed or moved."
    
    Fix a possible memory leak (reported by cppcheck).
    
    Cc: Riku Voipio <riku.voipio at iki.fi>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 33d776d..08c44d8 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -1481,7 +1481,7 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
     struct elf_shdr *shdr;
     char *strings;
     struct syminfo *s;
-    struct elf_sym *syms;
+    struct elf_sym *syms, *new_syms;
 
     shnum = hdr->e_shnum;
     i = shnum * sizeof(struct elf_shdr);
@@ -1550,12 +1550,14 @@ static void load_symbols(struct elfhdr *hdr, int fd, abi_ulong load_bias)
        that we threw away.  Whether or not this has any effect on the
        memory allocation depends on the malloc implementation and how
        many symbols we managed to discard.  */
-    syms = realloc(syms, nsyms * sizeof(*syms));
-    if (syms == NULL) {
+    new_syms = realloc(syms, nsyms * sizeof(*syms));
+    if (new_syms == NULL) {
         free(s);
+        free(syms);
         free(strings);
         return;
     }
+    syms = new_syms;
 
     qsort(syms, nsyms, sizeof(*syms), symcmp);
 
commit 6672b0b22a8ab92ad3a07889c2220a7568a3da30
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 20 03:28:02 2011 +0000

    linux-user: Add support for -version option
    
    Add support to the linux-user qemu for the -version command line
    option, bringing it into line with the system emulation qemu.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/main.c b/linux-user/main.c
index 0d627d6..e651bfd 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -2624,14 +2624,21 @@ void cpu_loop (CPUState *env)
 }
 #endif /* TARGET_ALPHA */
 
+static void version(void)
+{
+    printf("qemu-" TARGET_ARCH " version " QEMU_VERSION QEMU_PKGVERSION
+           ", Copyright (c) 2003-2008 Fabrice Bellard\n");
+}
+
 static void usage(void)
 {
-    printf("qemu-" TARGET_ARCH " version " QEMU_VERSION QEMU_PKGVERSION ", Copyright (c) 2003-2008 Fabrice Bellard\n"
-           "usage: qemu-" TARGET_ARCH " [options] program [arguments...]\n"
+    version();
+    printf("usage: qemu-" TARGET_ARCH " [options] program [arguments...]\n"
            "Linux CPU emulator (compiled for %s emulation)\n"
            "\n"
            "Standard options:\n"
            "-h                print this help\n"
+           "-version          display version information and exit\n"
            "-g port           wait gdb connection to port\n"
            "-L path           set the elf interpreter prefix (default=%s)\n"
            "-s size           set the stack size in bytes (default=%ld)\n"
@@ -2886,8 +2893,10 @@ int main(int argc, char **argv, char **envp)
             singlestep = 1;
         } else if (!strcmp(r, "strace")) {
             do_strace = 1;
-        } else
-        {
+        } else if (!strcmp(r, "version")) {
+            version();
+            exit(0);
+        } else {
             usage();
         }
     }
commit c0c1dc992584b8ccbae0e8f8b09124b76662633b
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Feb 8 18:18:19 2011 +0100

    cris, microblaze: use cpu_has_work
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/exec.h b/target-cris/exec.h
index 93ce768..34c0132 100644
--- a/target-cris/exec.h
+++ b/target-cris/exec.h
@@ -37,9 +37,7 @@ static inline int cpu_halted(CPUState *env) {
 	if (!env->halted)
 		return 0;
 
-	/* IRQ, NMI and GURU execeptions wakes us up.  */
-	if (env->interrupt_request
-	    & (CPU_INTERRUPT_HARD | CPU_INTERRUPT_NMI)) {
+	if (cpu_has_work(env)) {
 		env->halted = 0;
 		return 0;
 	}
diff --git a/target-microblaze/exec.h b/target-microblaze/exec.h
index 87b2494..ab19828 100644
--- a/target-microblaze/exec.h
+++ b/target-microblaze/exec.h
@@ -36,9 +36,7 @@ static inline int cpu_halted(CPUState *env) {
 	if (!env->halted)
 		return 0;
 
-	/* IRQ, NMI and GURU execeptions wakes us up.  */
-	if (env->interrupt_request
-	    & (CPU_INTERRUPT_HARD | CPU_INTERRUPT_NMI)) {
+	if (cpu_has_work(env)) {
 		env->halted = 0;
 		return 0;
 	}
commit 29057492871e63caeab8ee7cdf1062c0270f19d8
Author: Jan Kiszka <jan.kiszka at web.de>
Date:   Fri Feb 4 13:47:25 2011 -0200

    x86: Fix MCA broadcast parameters for TCG case
    
    When broadcasting MCEs, we need to set MCIP and RIPV in mcg_status like
    it is done for KVM. Use the symbolic constants at this chance.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-i386/helper.c b/target-i386/helper.c
index 1217452..f0c546d 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -1147,8 +1147,8 @@ void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
                 if (cenv == env) {
                     continue;
                 }
-
-                qemu_inject_x86_mce(env, 1, 0xa000000000000000, 0, 0, 0);
+                qemu_inject_x86_mce(env, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
+                                    MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0);
             }
         }
     }
commit f26e5a54f0554798a2e6f7a074b809b13635d007
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Feb 4 22:01:32 2011 +0100

    qemu-timer: Fix compilation of new timer code for w32, w64
    
    qemu_next_alarm_deadline() is needed by MinGW, too.
    
    Cc: Paolo Bonzini <pbonzini at redhat.com>
    Cc: Anthony Liguori <aliguori at us.ibm.com>
    Acked-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-timer.c b/qemu-timer.c
index 658f637..b0db780 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -708,8 +708,6 @@ int64_t qemu_next_deadline(void)
     return delta;
 }
 
-#ifndef _WIN32
-
 static int64_t qemu_next_alarm_deadline(void)
 {
     int64_t delta;
@@ -922,6 +920,8 @@ static void dynticks_rearm_timer(struct qemu_alarm_timer *t)
 
 #endif /* defined(__linux__) */
 
+#if !defined(_WIN32)
+
 static int unix_start_timer(struct qemu_alarm_timer *t)
 {
     struct sigaction act;
commit 8591675f44929a9e4b5d3a5fd702a4b6d41c7903
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Jan 26 12:12:35 2011 -0200

    block: enable in_use flag
    
    Set block device in use during block migration, disallow drive_del and
    bdrv_truncate for in use devices.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block-migration.c b/block-migration.c
index 323e1e2..8218bac 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -301,6 +301,7 @@ static void init_blk_migration_it(void *opaque, BlockDriverState *bs)
         bmds->shared_base = block_mig_state.shared_base;
         alloc_aio_bitmap(bmds);
         drive_get_ref(drive_get_by_blockdev(bs));
+        bdrv_set_in_use(bs, 1);
 
         block_mig_state.total_sector_sum += sectors;
 
@@ -539,6 +540,7 @@ static void blk_mig_cleanup(Monitor *mon)
 
     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
+        bdrv_set_in_use(bmds->bs, 0);
         drive_put_ref(drive_get_by_blockdev(bmds->bs));
         qemu_free(bmds->aio_bitmap);
         qemu_free(bmds);
diff --git a/block.c b/block.c
index ee9edfc..b476479 100644
--- a/block.c
+++ b/block.c
@@ -1132,6 +1132,8 @@ int bdrv_truncate(BlockDriverState *bs, int64_t offset)
         return -ENOTSUP;
     if (bs->read_only)
         return -EACCES;
+    if (bdrv_in_use(bs))
+        return -EBUSY;
     ret = drv->bdrv_truncate(bs, offset);
     if (ret == 0) {
         ret = refresh_total_sectors(bs, offset >> BDRV_SECTOR_BITS);
diff --git a/blockdev.c b/blockdev.c
index f2a00bd..ecfadc1 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -726,6 +726,10 @@ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
         qerror_report(QERR_DEVICE_NOT_FOUND, id);
         return -1;
     }
+    if (bdrv_in_use(bs)) {
+        qerror_report(QERR_DEVICE_IN_USE, id);
+        return -1;
+    }
 
     /* quiesce block driver; prevent further io */
     qemu_aio_flush();
commit db593f2565dc12442d6bac9e8eaefa027dfcada9
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Jan 26 12:12:34 2011 -0200

    Add flag to indicate external users to block device
    
    Certain operations such as drive_del or resize cannot be performed
    while external users (eg. block migration) reference the block device.
    
    Add a flag to indicate that.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index 998df1b..ee9edfc 100644
--- a/block.c
+++ b/block.c
@@ -2774,6 +2774,17 @@ int64_t bdrv_get_dirty_count(BlockDriverState *bs)
     return bs->dirty_count;
 }
 
+void bdrv_set_in_use(BlockDriverState *bs, int in_use)
+{
+    assert(bs->in_use != in_use);
+    bs->in_use = in_use;
+}
+
+int bdrv_in_use(BlockDriverState *bs)
+{
+    return bs->in_use;
+}
+
 int bdrv_img_create(const char *filename, const char *fmt,
                     const char *base_filename, const char *base_fmt,
                     char *options, uint64_t img_size, int flags)
diff --git a/block.h b/block.h
index 239f729..19f4768 100644
--- a/block.h
+++ b/block.h
@@ -241,6 +241,8 @@ void bdrv_reset_dirty(BlockDriverState *bs, int64_t cur_sector,
                       int nr_sectors);
 int64_t bdrv_get_dirty_count(BlockDriverState *bs);
 
+void bdrv_set_in_use(BlockDriverState *bs, int in_use);
+int bdrv_in_use(BlockDriverState *bs);
 
 typedef enum {
     BLKDBG_L1_UPDATE,
diff --git a/block_int.h b/block_int.h
index 6ebdc3e..545ad11 100644
--- a/block_int.h
+++ b/block_int.h
@@ -199,6 +199,7 @@ struct BlockDriverState {
     char device_name[32];
     unsigned long *dirty_bitmap;
     int64_t dirty_count;
+    int in_use; /* users other than guest access, eg. block migration */
     QTAILQ_ENTRY(BlockDriverState) list;
     void *private;
 };
commit f48905d44f670cd83227b3a8d06ae1406f0c771c
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Jan 26 12:12:33 2011 -0200

    block-migration: add reference to target DriveInfo
    
    So that ejection of attached device by guest does not free data
    in use by block migration instance.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    CC: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block-migration.c b/block-migration.c
index 483ca7b..323e1e2 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -19,6 +19,7 @@
 #include "monitor.h"
 #include "block-migration.h"
 #include "migration.h"
+#include "blockdev.h"
 #include <assert.h>
 
 #define BLOCK_SIZE (BDRV_SECTORS_PER_DIRTY_CHUNK << BDRV_SECTOR_BITS)
@@ -299,6 +300,7 @@ static void init_blk_migration_it(void *opaque, BlockDriverState *bs)
         bmds->completed_sectors = 0;
         bmds->shared_base = block_mig_state.shared_base;
         alloc_aio_bitmap(bmds);
+        drive_get_ref(drive_get_by_blockdev(bs));
 
         block_mig_state.total_sector_sum += sectors;
 
@@ -537,6 +539,7 @@ static void blk_mig_cleanup(Monitor *mon)
 
     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
+        drive_put_ref(drive_get_by_blockdev(bmds->bs));
         qemu_free(bmds->aio_bitmap);
         qemu_free(bmds);
     }
commit 84fb392526479d54602a3830326d50d44657f630
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Jan 26 12:12:32 2011 -0200

    blockdev: add refcount to DriveInfo
    
    The host part of a block device can be deleted with in progress
    block migration.
    
    To fix this, add a reference count to DriveInfo, freeing resources
    on last reference.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    CC: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 1c56da0..f2a00bd 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -71,7 +71,7 @@ void blockdev_auto_del(BlockDriverState *bs)
     DriveInfo *dinfo = drive_get_by_blockdev(bs);
 
     if (dinfo && dinfo->auto_del) {
-        drive_uninit(dinfo);
+        drive_put_ref(dinfo);
     }
 }
 
@@ -178,7 +178,7 @@ static void bdrv_format_print(void *opaque, const char *name)
     error_printf(" %s", name);
 }
 
-void drive_uninit(DriveInfo *dinfo)
+static void drive_uninit(DriveInfo *dinfo)
 {
     qemu_opts_del(dinfo->opts);
     bdrv_delete(dinfo->bdrv);
@@ -186,6 +186,19 @@ void drive_uninit(DriveInfo *dinfo)
     qemu_free(dinfo);
 }
 
+void drive_put_ref(DriveInfo *dinfo)
+{
+    assert(dinfo->refcount);
+    if (--dinfo->refcount == 0) {
+        drive_uninit(dinfo);
+    }
+}
+
+void drive_get_ref(DriveInfo *dinfo)
+{
+    dinfo->refcount++;
+}
+
 static int parse_block_error_action(const char *buf, int is_read)
 {
     if (!strcmp(buf, "ignore")) {
@@ -453,6 +466,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi)
     dinfo->bus = bus_id;
     dinfo->unit = unit_id;
     dinfo->opts = opts;
+    dinfo->refcount = 1;
     if (serial)
         strncpy(dinfo->serial, serial, sizeof(dinfo->serial) - 1);
     QTAILQ_INSERT_TAIL(&drives, dinfo, next);
diff --git a/blockdev.h b/blockdev.h
index 84e462a..2c9e780 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -36,13 +36,15 @@ struct DriveInfo {
     QemuOpts *opts;
     char serial[BLOCK_SERIAL_STRLEN + 1];
     QTAILQ_ENTRY(DriveInfo) next;
+    int refcount;
 };
 
 DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
 DriveInfo *drive_get_by_index(BlockInterfaceType type, int index);
 int drive_get_max_bus(BlockInterfaceType type);
 DriveInfo *drive_get_next(BlockInterfaceType type);
-void drive_uninit(DriveInfo *dinfo);
+void drive_get_ref(DriveInfo *dinfo);
+void drive_put_ref(DriveInfo *dinfo);
 DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
 
 QemuOpts *drive_def(const char *optstr);
diff --git a/hw/pci-hotplug.c b/hw/pci-hotplug.c
index b6dcbda..478fe9b 100644
--- a/hw/pci-hotplug.c
+++ b/hw/pci-hotplug.c
@@ -147,7 +147,7 @@ void drive_hot_add(Monitor *mon, const QDict *qdict)
 
 err:
     if (dinfo)
-        drive_uninit(dinfo);
+        drive_put_ref(dinfo);
     return;
 }
 
commit 8f794c557c4b51c7a957d47ef6a2230114bb9e79
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Jan 26 12:12:31 2011 -0200

    block-migration: actually disable dirty tracking on cleanup
    
    Call to set_dirty_tracking() is misplaced.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block-migration.c b/block-migration.c
index c9d3e81..483ca7b 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -533,6 +533,8 @@ static void blk_mig_cleanup(Monitor *mon)
     BlkMigDevState *bmds;
     BlkMigBlock *blk;
 
+    set_dirty_tracking(0);
+
     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
         qemu_free(bmds->aio_bitmap);
@@ -545,8 +547,6 @@ static void blk_mig_cleanup(Monitor *mon)
         qemu_free(blk);
     }
 
-    set_dirty_tracking(0);
-
     monitor_printf(mon, "\n");
 }
 
commit 2c4b9d0ea42c27ec2112e437a0fa954afe73bd23
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Feb 1 15:51:31 2011 +0100

    ahci: make number of ports runtime determined
    
    Different AHCI controllers have a different number of ports, so the core
    shouldn't care about the amount of ports available.
    
    This patch makes the number of ports available to the AHCI core runtime
    configurable, allowing us to have multiple different AHCI implementations
    with different amounts of ports.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 105dd53..98bdf70 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -145,7 +145,7 @@ static void ahci_check_irq(AHCIState *s)
 
     DPRINTF(-1, "check irq %#x\n", s->control_regs.irqstatus);
 
-    for (i = 0; i < SATA_PORTS; i++) {
+    for (i = 0; i < s->ports; i++) {
         AHCIPortRegs *pr = &s->dev[i].port_regs;
         if (pr->irq_stat & pr->irq_mask) {
             s->control_regs.irqstatus |= (1 << i);
@@ -303,7 +303,8 @@ static uint32_t ahci_mem_readl(void *ptr, target_phys_addr_t addr)
 
         DPRINTF(-1, "(addr 0x%08X), val 0x%08X\n", (unsigned) addr, val);
     } else if ((addr >= AHCI_PORT_REGS_START_ADDR) &&
-               (addr < AHCI_PORT_REGS_END_ADDR)) {
+               (addr < (AHCI_PORT_REGS_START_ADDR +
+                (s->ports * AHCI_PORT_ADDR_OFFSET_LEN)))) {
         val = ahci_port_read(s, (addr - AHCI_PORT_REGS_START_ADDR) >> 7,
                              addr & AHCI_PORT_ADDR_OFFSET_MASK);
     }
@@ -355,7 +356,8 @@ static void ahci_mem_writel(void *ptr, target_phys_addr_t addr, uint32_t val)
                 DPRINTF(-1, "write to unknown register 0x%x\n", (unsigned)addr);
         }
     } else if ((addr >= AHCI_PORT_REGS_START_ADDR) &&
-               (addr < AHCI_PORT_REGS_END_ADDR)) {
+               (addr < (AHCI_PORT_REGS_START_ADDR +
+                (s->ports * AHCI_PORT_ADDR_OFFSET_LEN)))) {
         ahci_port_write(s, (addr - AHCI_PORT_REGS_START_ADDR) >> 7,
                         addr & AHCI_PORT_ADDR_OFFSET_MASK, val);
     }
@@ -378,16 +380,16 @@ static void ahci_reg_init(AHCIState *s)
 {
     int i;
 
-    s->control_regs.cap = (SATA_PORTS - 1) |
+    s->control_regs.cap = (s->ports - 1) |
                           (AHCI_NUM_COMMAND_SLOTS << 8) |
                           (AHCI_SUPPORTED_SPEED_GEN1 << AHCI_SUPPORTED_SPEED) |
                           HOST_CAP_NCQ | HOST_CAP_AHCI;
 
-    s->control_regs.impl = (1 << SATA_PORTS) - 1;
+    s->control_regs.impl = (1 << s->ports) - 1;
 
     s->control_regs.version = AHCI_VERSION_1_0;
 
-    for (i = 0; i < SATA_PORTS; i++) {
+    for (i = 0; i < s->ports; i++) {
         s->dev[i].port_state = STATE_RUN;
     }
 }
@@ -1096,17 +1098,19 @@ static const IDEDMAOps ahci_dma_ops = {
     .reset = ahci_dma_reset,
 };
 
-void ahci_init(AHCIState *s, DeviceState *qdev)
+void ahci_init(AHCIState *s, DeviceState *qdev, int ports)
 {
     qemu_irq *irqs;
     int i;
 
+    s->ports = ports;
+    s->dev = qemu_mallocz(sizeof(AHCIDevice) * ports);
     ahci_reg_init(s);
     s->mem = cpu_register_io_memory(ahci_readfn, ahci_writefn, s,
                                     DEVICE_LITTLE_ENDIAN);
-    irqs = qemu_allocate_irqs(ahci_irq_set, s, SATA_PORTS);
+    irqs = qemu_allocate_irqs(ahci_irq_set, s, s->ports);
 
-    for (i = 0; i < SATA_PORTS; i++) {
+    for (i = 0; i < s->ports; i++) {
         AHCIDevice *ad = &s->dev[i];
 
         ide_bus_new(&ad->port, qdev, i);
@@ -1120,6 +1124,11 @@ void ahci_init(AHCIState *s, DeviceState *qdev)
     }
 }
 
+void ahci_uninit(AHCIState *s)
+{
+    qemu_free(s->dev);
+}
+
 void ahci_pci_map(PCIDevice *pci_dev, int region_num,
         pcibus_t addr, pcibus_t size, int type)
 {
@@ -1137,7 +1146,7 @@ void ahci_reset(void *opaque)
     d->ahci.control_regs.irqstatus = 0;
     d->ahci.control_regs.ghc = 0;
 
-    for (i = 0; i < SATA_PORTS; i++) {
+    for (i = 0; i < d->ahci.ports; i++) {
         ahci_reset_port(&d->ahci, i);
     }
 }
diff --git a/hw/ide/ahci.h b/hw/ide/ahci.h
index b2786d1..a4560c4 100644
--- a/hw/ide/ahci.h
+++ b/hw/ide/ahci.h
@@ -188,11 +188,9 @@
 #define AHCI_GENERIC_HOST_CONTROL_REGS_MAX_ADDR 0x20
                                             /* Shouldn't this be 0x2c? */
 
-#define SATA_PORTS                         4
-
 #define AHCI_PORT_REGS_START_ADDR          0x100
-#define AHCI_PORT_REGS_END_ADDR (AHCI_PORT_REGS_START_ADDR + SATA_PORTS * 0x80)
 #define AHCI_PORT_ADDR_OFFSET_MASK         0x7f
+#define AHCI_PORT_ADDR_OFFSET_LEN          0x80
 
 #define AHCI_NUM_COMMAND_SLOTS             31
 #define AHCI_SUPPORTED_SPEED               20
@@ -289,9 +287,10 @@ struct AHCIDevice {
 };
 
 typedef struct AHCIState {
-    AHCIDevice dev[SATA_PORTS];
+    AHCIDevice *dev;
     AHCIControlRegs control_regs;
     int mem;
+    int ports;
     qemu_irq irq;
 } AHCIState;
 
@@ -323,7 +322,8 @@ typedef struct NCQFrame {
     uint8_t reserved10;
 } __attribute__ ((packed)) NCQFrame;
 
-void ahci_init(AHCIState *s, DeviceState *qdev);
+void ahci_init(AHCIState *s, DeviceState *qdev, int ports);
+void ahci_uninit(AHCIState *s);
 
 void ahci_pci_map(PCIDevice *pci_dev, int region_num,
         pcibus_t addr, pcibus_t size, int type);
diff --git a/hw/ide/ich.c b/hw/ide/ich.c
index 70cb766..f242d7a 100644
--- a/hw/ide/ich.c
+++ b/hw/ide/ich.c
@@ -100,7 +100,7 @@ static int pci_ich9_ahci_init(PCIDevice *dev)
 
     msi_init(dev, 0x50, 1, true, false);
 
-    ahci_init(&d->ahci, &dev->qdev);
+    ahci_init(&d->ahci, &dev->qdev, 6);
     d->ahci.irq = d->card.irq[0];
 
     return 0;
@@ -116,6 +116,7 @@ static int pci_ich9_uninit(PCIDevice *dev)
     }
 
     qemu_unregister_reset(ahci_reset, d);
+    ahci_uninit(&d->ahci);
 
     return 0;
 }
commit 760c3e44d3a1d8a7e9d22f0429b1805d1c688178
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Feb 1 15:51:30 2011 +0100

    ahci: Implement HBA reset
    
    The ahci code was missing its soft reset functionality. This wasn't really an
    issue for Linux guests, but Windows gets confused when the controller doesn't
    reset when it tells it so.
    
    Using this patch I can now successfully boot Windows 7 from AHCI using AHCI
    enabled SeaBIOS.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index e6ac77c..105dd53 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -335,7 +335,7 @@ static void ahci_mem_writel(void *ptr, target_phys_addr_t addr, uint32_t val)
             case HOST_CTL: /* R/W */
                 if (val & HOST_CTL_RESET) {
                     DPRINTF(-1, "HBA Reset\n");
-                    /* FIXME reset? */
+                    ahci_reset(container_of(s, AHCIPCIState, ahci));
                 } else {
                     s->control_regs.ghc = (val & 0x3) | HOST_CTL_AHCI_EN;
                     ahci_check_irq(s);
@@ -1134,6 +1134,9 @@ void ahci_reset(void *opaque)
     struct AHCIPCIState *d = opaque;
     int i;
 
+    d->ahci.control_regs.irqstatus = 0;
+    d->ahci.control_regs.ghc = 0;
+
     for (i = 0; i < SATA_PORTS; i++) {
         ahci_reset_port(&d->ahci, i);
     }
commit 87e62065bb5e0e544e45e6935e3ac2b053fe446e
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Feb 1 15:51:29 2011 +0100

    ahci: send init d2h fis on fis enable
    
    The drive sends a d2h init fis on initialization. Usually, the guest doesn't
    receive fises yet at that point though, so the delivery is deferred.
    
    Let's reflect that by sending the init fis on fis receive enablement.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 6822046..e6ac77c 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -47,6 +47,7 @@ static void check_cmd(AHCIState *s, int port);
 static int handle_cmd(AHCIState *s,int port,int slot);
 static void ahci_reset_port(AHCIState *s, int port);
 static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis);
+static void ahci_init_d2h(AHCIDevice *ad);
 
 static uint32_t  ahci_port_read(AHCIState *s, int port, int offset)
 {
@@ -230,6 +231,16 @@ static void  ahci_port_write(AHCIState *s, int port, int offset, uint32_t val)
                 pr->cmd |= PORT_CMD_FIS_ON;
             }
 
+            /* XXX usually the FIS would be pending on the bus here and
+                   issuing deferred until the OS enables FIS receival.
+                   Instead, we only submit it once - which works in most
+                   cases, but is a hack. */
+            if ((pr->cmd & PORT_CMD_FIS_ON) &&
+                !s->dev[port].init_d2h_sent) {
+                ahci_init_d2h(&s->dev[port]);
+                s->dev[port].init_d2h_sent = 1;
+            }
+
             check_cmd(s, port);
             break;
         case PORT_TFDATA:
@@ -462,12 +473,29 @@ static void ahci_check_cmd_bh(void *opaque)
     check_cmd(ad->hba, ad->port_no);
 }
 
+static void ahci_init_d2h(AHCIDevice *ad)
+{
+    uint8_t init_fis[0x20];
+    IDEState *ide_state = &ad->port.ifs[0];
+
+    memset(init_fis, 0, sizeof(init_fis));
+
+    init_fis[4] = 1;
+    init_fis[12] = 1;
+
+    if (ide_state->drive_kind == IDE_CD) {
+        init_fis[5] = ide_state->lcyl;
+        init_fis[6] = ide_state->hcyl;
+    }
+
+    ahci_write_fis_d2h(ad, init_fis);
+}
+
 static void ahci_reset_port(AHCIState *s, int port)
 {
     AHCIDevice *d = &s->dev[port];
     AHCIPortRegs *pr = &d->port_regs;
     IDEState *ide_state = &d->port.ifs[0];
-    uint8_t init_fis[0x20];
     int i;
 
     DPRINTF(port, "reset port\n");
@@ -482,6 +510,7 @@ static void ahci_reset_port(AHCIState *s, int port)
     pr->scr_err = 0;
     pr->scr_act = 0;
     d->busy_slot = -1;
+    d->init_d2h_sent = 0;
 
     ide_state = &s->dev[port].port.ifs[0];
     if (!ide_state->bs) {
@@ -504,7 +533,6 @@ static void ahci_reset_port(AHCIState *s, int port)
         ncq_tfs->used = 0;
     }
 
-    memset(init_fis, 0, sizeof(init_fis));
     s->dev[port].port_state = STATE_RUN;
     if (!ide_state->bs) {
         s->dev[port].port_regs.sig = 0;
@@ -514,8 +542,6 @@ static void ahci_reset_port(AHCIState *s, int port)
         ide_state->lcyl = 0x14;
         ide_state->hcyl = 0xeb;
         DPRINTF(port, "set lcyl = %d\n", ide_state->lcyl);
-        init_fis[5] = ide_state->lcyl;
-        init_fis[6] = ide_state->hcyl;
         ide_state->status = SEEK_STAT | WRERR_STAT | READY_STAT;
     } else {
         s->dev[port].port_regs.sig = SATA_SIGNATURE_DISK;
@@ -523,9 +549,7 @@ static void ahci_reset_port(AHCIState *s, int port)
     }
 
     ide_state->error = 1;
-    init_fis[4] = 1;
-    init_fis[12] = 1;
-    ahci_write_fis_d2h(d, init_fis);
+    ahci_init_d2h(d);
 }
 
 static void debug_print_fis(uint8_t *fis, int cmd_len)
diff --git a/hw/ide/ahci.h b/hw/ide/ahci.h
index d65b5e3..b2786d1 100644
--- a/hw/ide/ahci.h
+++ b/hw/ide/ahci.h
@@ -282,6 +282,7 @@ struct AHCIDevice {
     int dma_status;
     int done_atapi_packet;
     int busy_slot;
+    int init_d2h_sent;
     BlockDriverCompletionFunc *dma_cb;
     AHCICmdHdr *cur_cmd;
     NCQTransferState ncq_tfs[AHCI_MAX_CMDS];
commit 7fb6577b130c615e42e1ccf8dad69c27c3eef085
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Feb 1 15:51:28 2011 +0100

    ahci: split ICH and AHCI even more
    
    Sebastian's patch already did a pretty good job at splitting up ICH-9
    AHCI code and the AHCI core. We need some more though. Copyright was missing,
    the lspci dump belongs to ICH-9, we don't need the AHCI core to have its
    own qdev device duplicate.
    
    So let's split them a bit more in this patch, making things easier to
    read an understand.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 28412d0..6822046 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -19,47 +19,6 @@
  * You should have received a copy of the GNU Lesser General Public
  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  *
- *
- * lspci dump of a ICH-9 real device in IDE mode (hopefully close enough):
- *
- * 00:1f.2 SATA controller [0106]: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA AHCI Controller [8086:2922] (rev 02) (prog-if 01 [AHCI 1.0])
- *         Subsystem: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA AHCI Controller [8086:2922]
- *         Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
- *         Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
- *         Latency: 0
- *         Interrupt: pin B routed to IRQ 222
- *         Region 0: I/O ports at d000 [size=8]
- *         Region 1: I/O ports at cc00 [size=4]
- *         Region 2: I/O ports at c880 [size=8]
- *         Region 3: I/O ports at c800 [size=4]
- *         Region 4: I/O ports at c480 [size=32]
- *         Region 5: Memory at febf9000 (32-bit, non-prefetchable) [size=2K]
- *         Capabilities: [80] Message Signalled Interrupts: Mask- 64bit- Count=1/16 Enable+
- *                 Address: fee0f00c  Data: 41d9
- *         Capabilities: [70] Power Management version 3
- *                 Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot+,D3cold-)
- *                 Status: D0 PME-Enable- DSel=0 DScale=0 PME-
- *         Capabilities: [a8] SATA HBA <?>
- *         Capabilities: [b0] Vendor Specific Information <?>
- *         Kernel driver in use: ahci
- *         Kernel modules: ahci
- * 00: 86 80 22 29 07 04 b0 02 02 01 06 01 00 00 00 00
- * 10: 01 d0 00 00 01 cc 00 00 81 c8 00 00 01 c8 00 00
- * 20: 81 c4 00 00 00 90 bf fe 00 00 00 00 86 80 22 29
- * 30: 00 00 00 00 80 00 00 00 00 00 00 00 0f 02 00 00
- * 40: 00 80 00 80 00 00 00 00 00 00 00 00 00 00 00 00
- * 50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- * 60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- * 70: 01 a8 03 40 08 00 00 00 00 00 00 00 00 00 00 00
- * 80: 05 70 09 00 0c f0 e0 fe d9 41 00 00 00 00 00 00
- * 90: 40 00 0f 82 93 01 00 00 00 00 00 00 00 00 00 00
- * a0: ac 00 00 00 0a 00 12 00 12 b0 10 00 48 00 00 00
- * b0: 09 00 06 20 00 00 00 00 00 00 00 00 00 00 00 00
- * c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- * d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- * e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- * f0: 00 00 00 00 00 00 00 00 86 0f 02 00 00 00 00 00
- *
  */
 
 #include <hw/hw.h>
@@ -1155,72 +1114,3 @@ void ahci_reset(void *opaque)
         ahci_reset_port(&d->ahci, i);
     }
 }
-
-static int pci_ahci_init(PCIDevice *dev)
-{
-    struct AHCIPCIState *d;
-    d = DO_UPCAST(struct AHCIPCIState, card, dev);
-
-    pci_config_set_vendor_id(d->card.config, PCI_VENDOR_ID_INTEL);
-    pci_config_set_device_id(d->card.config, PCI_DEVICE_ID_INTEL_82801IR);
-
-    pci_config_set_class(d->card.config, PCI_CLASS_STORAGE_SATA);
-    pci_config_set_revision(d->card.config, 0x02);
-    pci_config_set_prog_interface(d->card.config, AHCI_PROGMODE_MAJOR_REV_1);
-
-    d->card.config[PCI_CACHE_LINE_SIZE] = 0x08;  /* Cache line size */
-    d->card.config[PCI_LATENCY_TIMER]   = 0x00;  /* Latency timer */
-    pci_config_set_interrupt_pin(d->card.config, 1);
-
-    /* XXX Software should program this register */
-    d->card.config[0x90]   = 1 << 6; /* Address Map Register - AHCI mode */
-
-    qemu_register_reset(ahci_reset, d);
-
-    /* XXX BAR size should be 1k, but that breaks, so bump it to 4k for now */
-    pci_register_bar(&d->card, 5, 0x1000, PCI_BASE_ADDRESS_SPACE_MEMORY,
-                     ahci_pci_map);
-
-    msi_init(dev, 0x50, 1, true, false);
-
-    ahci_init(&d->ahci, &dev->qdev);
-    d->ahci.irq = d->card.irq[0];
-
-    return 0;
-}
-
-static int pci_ahci_uninit(PCIDevice *dev)
-{
-    struct AHCIPCIState *d;
-    d = DO_UPCAST(struct AHCIPCIState, card, dev);
-
-    if (msi_enabled(dev)) {
-        msi_uninit(dev);
-    }
-
-    qemu_unregister_reset(ahci_reset, d);
-
-    return 0;
-}
-
-static void pci_ahci_write_config(PCIDevice *pci, uint32_t addr,
-                                  uint32_t val, int len)
-{
-    pci_default_write_config(pci, addr, val, len);
-    msi_write_config(pci, addr, val, len);
-}
-
-static PCIDeviceInfo ahci_info = {
-    .qdev.name  = "ahci",
-    .qdev.size  = sizeof(AHCIPCIState),
-    .init       = pci_ahci_init,
-    .exit       = pci_ahci_uninit,
-    .config_write = pci_ahci_write_config,
-};
-
-static void ahci_pci_register_devices(void)
-{
-    pci_qdev_register(&ahci_info);
-}
-
-device_init(ahci_pci_register_devices)
diff --git a/hw/ide/ich.c b/hw/ide/ich.c
index 9868b73..70cb766 100644
--- a/hw/ide/ich.c
+++ b/hw/ide/ich.c
@@ -1,3 +1,65 @@
+/*
+ * QEMU ICH Emulation
+ *
+ * Copyright (c) 2010 Sebastian Herbszt <herbszt at gmx.de>
+ * Copyright (c) 2010 Alexander Graf <agraf at suse.de>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * lspci dump of a ICH-9 real device
+ *
+ * 00:1f.2 SATA controller [0106]: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA AHCI Controller [8086:2922] (rev 02) (prog-if 01 [AHCI 1.0])
+ *         Subsystem: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA AHCI Controller [8086:2922]
+ *         Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
+ *         Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
+ *         Latency: 0
+ *         Interrupt: pin B routed to IRQ 222
+ *         Region 0: I/O ports at d000 [size=8]
+ *         Region 1: I/O ports at cc00 [size=4]
+ *         Region 2: I/O ports at c880 [size=8]
+ *         Region 3: I/O ports at c800 [size=4]
+ *         Region 4: I/O ports at c480 [size=32]
+ *         Region 5: Memory at febf9000 (32-bit, non-prefetchable) [size=2K]
+ *         Capabilities: [80] Message Signalled Interrupts: Mask- 64bit- Count=1/16 Enable+
+ *                 Address: fee0f00c  Data: 41d9
+ *         Capabilities: [70] Power Management version 3
+ *                 Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot+,D3cold-)
+ *                 Status: D0 PME-Enable- DSel=0 DScale=0 PME-
+ *         Capabilities: [a8] SATA HBA <?>
+ *         Capabilities: [b0] Vendor Specific Information <?>
+ *         Kernel driver in use: ahci
+ *         Kernel modules: ahci
+ * 00: 86 80 22 29 07 04 b0 02 02 01 06 01 00 00 00 00
+ * 10: 01 d0 00 00 01 cc 00 00 81 c8 00 00 01 c8 00 00
+ * 20: 81 c4 00 00 00 90 bf fe 00 00 00 00 86 80 22 29
+ * 30: 00 00 00 00 80 00 00 00 00 00 00 00 0f 02 00 00
+ * 40: 00 80 00 80 00 00 00 00 00 00 00 00 00 00 00 00
+ * 50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * 60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * 70: 01 a8 03 40 08 00 00 00 00 00 00 00 00 00 00 00
+ * 80: 05 70 09 00 0c f0 e0 fe d9 41 00 00 00 00 00 00
+ * 90: 40 00 0f 82 93 01 00 00 00 00 00 00 00 00 00 00
+ * a0: ac 00 00 00 0a 00 12 00 12 b0 10 00 48 00 00 00
+ * b0: 09 00 06 20 00 00 00 00 00 00 00 00 00 00 00 00
+ * c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * f0: 00 00 00 00 00 00 00 00 86 0f 02 00 00 00 00 00
+ *
+ */
+
 #include <hw/hw.h>
 #include <hw/msi.h>
 #include <hw/pc.h>
@@ -11,7 +73,7 @@
 #include <hw/ide/pci.h>
 #include <hw/ide/ahci.h>
 
-static int pci_ich9_ahci_initfn(PCIDevice *dev)
+static int pci_ich9_ahci_init(PCIDevice *dev)
 {
     struct AHCIPCIState *d;
     d = DO_UPCAST(struct AHCIPCIState, card, dev);
@@ -44,11 +106,35 @@ static int pci_ich9_ahci_initfn(PCIDevice *dev)
     return 0;
 }
 
+static int pci_ich9_uninit(PCIDevice *dev)
+{
+    struct AHCIPCIState *d;
+    d = DO_UPCAST(struct AHCIPCIState, card, dev);
+
+    if (msi_enabled(dev)) {
+        msi_uninit(dev);
+    }
+
+    qemu_unregister_reset(ahci_reset, d);
+
+    return 0;
+}
+
+static void pci_ich9_write_config(PCIDevice *pci, uint32_t addr,
+                                  uint32_t val, int len)
+{
+    pci_default_write_config(pci, addr, val, len);
+    msi_write_config(pci, addr, val, len);
+}
+
 static PCIDeviceInfo ich_ahci_info[] = {
     {
         .qdev.name    = "ich9-ahci",
+        .qdev.alias   = "ahci",
         .qdev.size    = sizeof(AHCIPCIState),
-        .init         = pci_ich9_ahci_initfn,
+        .init         = pci_ich9_ahci_init,
+        .exit         = pci_ich9_uninit,
+        .config_write = pci_ich9_write_config,
     },{
         /* end of list */
     }
commit f83a40dcd7c38aef8cb4aa93e1f6f0e21c750992
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Feb 1 15:51:27 2011 +0100

    ahci: add license header in ahci.h
    
    Due to popular request, this patch adds a license header to ahci.h
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.h b/hw/ide/ahci.h
index 63ef785..d65b5e3 100644
--- a/hw/ide/ahci.h
+++ b/hw/ide/ahci.h
@@ -1,3 +1,26 @@
+/*
+ * QEMU AHCI Emulation
+ *
+ * Copyright (c) 2010 qiaochong at loongson.cn
+ * Copyright (c) 2010 Roland Elek <elek.roland at gmail.com>
+ * Copyright (c) 2010 Sebastian Herbszt <herbszt at gmx.de>
+ * Copyright (c) 2010 Alexander Graf <agraf at suse.de>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
 #ifndef HW_IDE_AHCI_H
 #define HW_IDE_AHCI_H
 
commit 03c7a6a8e7122b9c12a532577046094a69593116
Author: Sebastian Herbszt <herbszt at gmx.de>
Date:   Tue Feb 1 15:51:26 2011 +0100

    ahci: split ICH9 from core
    
    There are multiple ahci devices out there. The currently implemented ich-9
    is only one of the many. So let's split that one out into a separate file
    to stress the difference.
    
    Signed-off-by: Sebastian Herbszt <herbszt at gmx.de>
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index f1c7bfe..353b1a8 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -244,6 +244,7 @@ hw-obj-$(CONFIG_IDE_CMD646) += ide/cmd646.o
 hw-obj-$(CONFIG_IDE_MACIO) += ide/macio.o
 hw-obj-$(CONFIG_IDE_VIA) += ide/via.o
 hw-obj-$(CONFIG_AHCI) += ide/ahci.o
+hw-obj-$(CONFIG_AHCI) += ide/ich.o
 
 # SCSI layer
 hw-obj-$(CONFIG_LSI_SCSI_PCI) += lsi53c895a.o
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 671b4df..28412d0 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -72,6 +72,7 @@
 #include "cpu-common.h"
 #include "internal.h"
 #include <hw/ide/pci.h>
+#include <hw/ide/ahci.h>
 
 /* #define DEBUG_AHCI */
 
@@ -83,304 +84,6 @@ do { fprintf(stderr, "ahci: %s: [%d] ", __FUNCTION__, port); \
 #define DPRINTF(port, fmt, ...) do {} while(0)
 #endif
 
-#define AHCI_PCI_BAR              5
-#define AHCI_MAX_PORTS            32
-#define AHCI_MAX_SG               168 /* hardware max is 64K */
-#define AHCI_DMA_BOUNDARY         0xffffffff
-#define AHCI_USE_CLUSTERING       0
-#define AHCI_MAX_CMDS             32
-#define AHCI_CMD_SZ               32
-#define AHCI_CMD_SLOT_SZ          (AHCI_MAX_CMDS * AHCI_CMD_SZ)
-#define AHCI_RX_FIS_SZ            256
-#define AHCI_CMD_TBL_CDB          0x40
-#define AHCI_CMD_TBL_HDR_SZ       0x80
-#define AHCI_CMD_TBL_SZ           (AHCI_CMD_TBL_HDR_SZ + (AHCI_MAX_SG * 16))
-#define AHCI_CMD_TBL_AR_SZ        (AHCI_CMD_TBL_SZ * AHCI_MAX_CMDS)
-#define AHCI_PORT_PRIV_DMA_SZ     (AHCI_CMD_SLOT_SZ + AHCI_CMD_TBL_AR_SZ + \
-                                   AHCI_RX_FIS_SZ)
-
-#define AHCI_IRQ_ON_SG            (1 << 31)
-#define AHCI_CMD_ATAPI            (1 << 5)
-#define AHCI_CMD_WRITE            (1 << 6)
-#define AHCI_CMD_PREFETCH         (1 << 7)
-#define AHCI_CMD_RESET            (1 << 8)
-#define AHCI_CMD_CLR_BUSY         (1 << 10)
-
-#define RX_FIS_D2H_REG            0x40 /* offset of D2H Register FIS data */
-#define RX_FIS_SDB                0x58 /* offset of SDB FIS data */
-#define RX_FIS_UNK                0x60 /* offset of Unknown FIS data */
-
-/* global controller registers */
-#define HOST_CAP                  0x00 /* host capabilities */
-#define HOST_CTL                  0x04 /* global host control */
-#define HOST_IRQ_STAT             0x08 /* interrupt status */
-#define HOST_PORTS_IMPL           0x0c /* bitmap of implemented ports */
-#define HOST_VERSION              0x10 /* AHCI spec. version compliancy */
-
-/* HOST_CTL bits */
-#define HOST_CTL_RESET            (1 << 0)  /* reset controller; self-clear */
-#define HOST_CTL_IRQ_EN           (1 << 1)  /* global IRQ enable */
-#define HOST_CTL_AHCI_EN          (1 << 31) /* AHCI enabled */
-
-/* HOST_CAP bits */
-#define HOST_CAP_SSC              (1 << 14) /* Slumber capable */
-#define HOST_CAP_AHCI             (1 << 18) /* AHCI only */
-#define HOST_CAP_CLO              (1 << 24) /* Command List Override support */
-#define HOST_CAP_SSS              (1 << 27) /* Staggered Spin-up */
-#define HOST_CAP_NCQ              (1 << 30) /* Native Command Queueing */
-#define HOST_CAP_64               (1 << 31) /* PCI DAC (64-bit DMA) support */
-
-/* registers for each SATA port */
-#define PORT_LST_ADDR             0x00 /* command list DMA addr */
-#define PORT_LST_ADDR_HI          0x04 /* command list DMA addr hi */
-#define PORT_FIS_ADDR             0x08 /* FIS rx buf addr */
-#define PORT_FIS_ADDR_HI          0x0c /* FIS rx buf addr hi */
-#define PORT_IRQ_STAT             0x10 /* interrupt status */
-#define PORT_IRQ_MASK             0x14 /* interrupt enable/disable mask */
-#define PORT_CMD                  0x18 /* port command */
-#define PORT_TFDATA               0x20 /* taskfile data */
-#define PORT_SIG                  0x24 /* device TF signature */
-#define PORT_SCR_STAT             0x28 /* SATA phy register: SStatus */
-#define PORT_SCR_CTL              0x2c /* SATA phy register: SControl */
-#define PORT_SCR_ERR              0x30 /* SATA phy register: SError */
-#define PORT_SCR_ACT              0x34 /* SATA phy register: SActive */
-#define PORT_CMD_ISSUE            0x38 /* command issue */
-#define PORT_RESERVED             0x3c /* reserved */
-
-/* PORT_IRQ_{STAT,MASK} bits */
-#define PORT_IRQ_COLD_PRES        (1 << 31) /* cold presence detect */
-#define PORT_IRQ_TF_ERR           (1 << 30) /* task file error */
-#define PORT_IRQ_HBUS_ERR         (1 << 29) /* host bus fatal error */
-#define PORT_IRQ_HBUS_DATA_ERR    (1 << 28) /* host bus data error */
-#define PORT_IRQ_IF_ERR           (1 << 27) /* interface fatal error */
-#define PORT_IRQ_IF_NONFATAL      (1 << 26) /* interface non-fatal error */
-#define PORT_IRQ_OVERFLOW         (1 << 24) /* xfer exhausted available S/G */
-#define PORT_IRQ_BAD_PMP          (1 << 23) /* incorrect port multiplier */
-
-#define PORT_IRQ_PHYRDY           (1 << 22) /* PhyRdy changed */
-#define PORT_IRQ_DEV_ILCK         (1 << 7) /* device interlock */
-#define PORT_IRQ_CONNECT          (1 << 6) /* port connect change status */
-#define PORT_IRQ_SG_DONE          (1 << 5) /* descriptor processed */
-#define PORT_IRQ_UNK_FIS          (1 << 4) /* unknown FIS rx'd */
-#define PORT_IRQ_SDB_FIS          (1 << 3) /* Set Device Bits FIS rx'd */
-#define PORT_IRQ_DMAS_FIS         (1 << 2) /* DMA Setup FIS rx'd */
-#define PORT_IRQ_PIOS_FIS         (1 << 1) /* PIO Setup FIS rx'd */
-#define PORT_IRQ_D2H_REG_FIS      (1 << 0) /* D2H Register FIS rx'd */
-
-#define PORT_IRQ_FREEZE           (PORT_IRQ_HBUS_ERR | PORT_IRQ_IF_ERR |   \
-                                   PORT_IRQ_CONNECT | PORT_IRQ_PHYRDY |    \
-                                   PORT_IRQ_UNK_FIS)
-#define PORT_IRQ_ERROR            (PORT_IRQ_FREEZE | PORT_IRQ_TF_ERR |     \
-                                   PORT_IRQ_HBUS_DATA_ERR)
-#define DEF_PORT_IRQ              (PORT_IRQ_ERROR | PORT_IRQ_SG_DONE |     \
-                                   PORT_IRQ_SDB_FIS | PORT_IRQ_DMAS_FIS |  \
-                                   PORT_IRQ_PIOS_FIS | PORT_IRQ_D2H_REG_FIS)
-
-/* PORT_CMD bits */
-#define PORT_CMD_ATAPI            (1 << 24) /* Device is ATAPI */
-#define PORT_CMD_LIST_ON          (1 << 15) /* cmd list DMA engine running */
-#define PORT_CMD_FIS_ON           (1 << 14) /* FIS DMA engine running */
-#define PORT_CMD_FIS_RX           (1 << 4) /* Enable FIS receive DMA engine */
-#define PORT_CMD_CLO              (1 << 3) /* Command list override */
-#define PORT_CMD_POWER_ON         (1 << 2) /* Power up device */
-#define PORT_CMD_SPIN_UP          (1 << 1) /* Spin up device */
-#define PORT_CMD_START            (1 << 0) /* Enable port DMA engine */
-
-#define PORT_CMD_ICC_MASK         (0xf << 28) /* i/f ICC state mask */
-#define PORT_CMD_ICC_ACTIVE       (0x1 << 28) /* Put i/f in active state */
-#define PORT_CMD_ICC_PARTIAL      (0x2 << 28) /* Put i/f in partial state */
-#define PORT_CMD_ICC_SLUMBER      (0x6 << 28) /* Put i/f in slumber state */
-
-#define PORT_IRQ_STAT_DHRS        (1 << 0) /* Device to Host Register FIS */
-#define PORT_IRQ_STAT_PSS         (1 << 1) /* PIO Setup FIS */
-#define PORT_IRQ_STAT_DSS         (1 << 2) /* DMA Setup FIS */
-#define PORT_IRQ_STAT_SDBS        (1 << 3) /* Set Device Bits */
-#define PORT_IRQ_STAT_UFS         (1 << 4) /* Unknown FIS */
-#define PORT_IRQ_STAT_DPS         (1 << 5) /* Descriptor Processed */
-#define PORT_IRQ_STAT_PCS         (1 << 6) /* Port Connect Change Status */
-#define PORT_IRQ_STAT_DMPS        (1 << 7) /* Device Mechanical Presence
-                                              Status */
-#define PORT_IRQ_STAT_PRCS        (1 << 22) /* File Ready Status */
-#define PORT_IRQ_STAT_IPMS        (1 << 23) /* Incorrect Port Multiplier
-                                               Status */
-#define PORT_IRQ_STAT_OFS         (1 << 24) /* Overflow Status */
-#define PORT_IRQ_STAT_INFS        (1 << 26) /* Interface Non-Fatal Error
-                                               Status */
-#define PORT_IRQ_STAT_IFS         (1 << 27) /* Interface Fatal Error */
-#define PORT_IRQ_STAT_HBDS        (1 << 28) /* Host Bus Data Error Status */
-#define PORT_IRQ_STAT_HBFS        (1 << 29) /* Host Bus Fatal Error Status */
-#define PORT_IRQ_STAT_TFES        (1 << 30) /* Task File Error Status */
-#define PORT_IRQ_STAT_CPDS        (1 << 31) /* Code Port Detect Status */
-
-/* ap->flags bits */
-#define AHCI_FLAG_NO_NCQ                  (1 << 24)
-#define AHCI_FLAG_IGN_IRQ_IF_ERR          (1 << 25) /* ignore IRQ_IF_ERR */
-#define AHCI_FLAG_HONOR_PI                (1 << 26) /* honor PORTS_IMPL */
-#define AHCI_FLAG_IGN_SERR_INTERNAL       (1 << 27) /* ignore SERR_INTERNAL */
-#define AHCI_FLAG_32BIT_ONLY              (1 << 28) /* force 32bit */
-
-#define ATA_SRST                          (1 << 2)  /* software reset */
-
-#define STATE_RUN                         0
-#define STATE_RESET                       1
-
-#define SATA_SCR_SSTATUS_DET_NODEV        0x0
-#define SATA_SCR_SSTATUS_DET_DEV_PRESENT_PHY_UP 0x3
-
-#define SATA_SCR_SSTATUS_SPD_NODEV        0x00
-#define SATA_SCR_SSTATUS_SPD_GEN1         0x10
-
-#define SATA_SCR_SSTATUS_IPM_NODEV        0x000
-#define SATA_SCR_SSTATUS_IPM_ACTIVE       0X100
-
-#define AHCI_SCR_SCTL_DET                 0xf
-
-#define SATA_FIS_TYPE_REGISTER_H2D        0x27
-#define SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER 0x80
-
-#define AHCI_CMD_HDR_CMD_FIS_LEN           0x1f
-#define AHCI_CMD_HDR_PRDT_LEN              16
-
-#define SATA_SIGNATURE_CDROM               0xeb140000
-#define SATA_SIGNATURE_DISK                0x00000101
-
-#define AHCI_GENERIC_HOST_CONTROL_REGS_MAX_ADDR 0x20
-                                            /* Shouldn't this be 0x2c? */
-
-#define SATA_PORTS                         4
-
-#define AHCI_PORT_REGS_START_ADDR          0x100
-#define AHCI_PORT_REGS_END_ADDR (AHCI_PORT_REGS_START_ADDR + SATA_PORTS * 0x80)
-#define AHCI_PORT_ADDR_OFFSET_MASK         0x7f
-
-#define AHCI_NUM_COMMAND_SLOTS             31
-#define AHCI_SUPPORTED_SPEED               20
-#define AHCI_SUPPORTED_SPEED_GEN1          1
-#define AHCI_VERSION_1_0                   0x10000
-
-#define AHCI_PROGMODE_MAJOR_REV_1          1
-
-#define AHCI_COMMAND_TABLE_ACMD            0x40
-
-#define IDE_FEATURE_DMA                    1
-
-#define READ_FPDMA_QUEUED                  0x60
-#define WRITE_FPDMA_QUEUED                 0x61
-
-#define RES_FIS_DSFIS                      0x00
-#define RES_FIS_PSFIS                      0x20
-#define RES_FIS_RFIS                       0x40
-#define RES_FIS_SDBFIS                     0x58
-#define RES_FIS_UFIS                       0x60
-
-typedef struct AHCIControlRegs {
-    uint32_t    cap;
-    uint32_t    ghc;
-    uint32_t    irqstatus;
-    uint32_t    impl;
-    uint32_t    version;
-} AHCIControlRegs;
-
-typedef struct AHCIPortRegs {
-    uint32_t    lst_addr;
-    uint32_t    lst_addr_hi;
-    uint32_t    fis_addr;
-    uint32_t    fis_addr_hi;
-    uint32_t    irq_stat;
-    uint32_t    irq_mask;
-    uint32_t    cmd;
-    uint32_t    unused0;
-    uint32_t    tfdata;
-    uint32_t    sig;
-    uint32_t    scr_stat;
-    uint32_t    scr_ctl;
-    uint32_t    scr_err;
-    uint32_t    scr_act;
-    uint32_t    cmd_issue;
-    uint32_t    reserved;
-} AHCIPortRegs;
-
-typedef struct AHCICmdHdr {
-    uint32_t    opts;
-    uint32_t    status;
-    uint64_t    tbl_addr;
-    uint32_t    reserved[4];
-} __attribute__ ((packed)) AHCICmdHdr;
-
-typedef struct AHCI_SG {
-    uint64_t    addr;
-    uint32_t    reserved;
-    uint32_t    flags_size;
-} __attribute__ ((packed)) AHCI_SG;
-
-typedef struct AHCIDevice AHCIDevice;
-
-typedef struct NCQTransferState {
-    AHCIDevice *drive;
-    BlockDriverAIOCB *aiocb;
-    QEMUSGList sglist;
-    int is_read;
-    uint16_t sector_count;
-    uint64_t lba;
-    uint8_t tag;
-    int slot;
-    int used;
-} NCQTransferState;
-
-struct AHCIDevice {
-    IDEDMA dma;
-    IDEBus port;
-    int port_no;
-    uint32_t port_state;
-    uint32_t finished;
-    AHCIPortRegs port_regs;
-    struct AHCIState *hba;
-    QEMUBH *check_bh;
-    uint8_t *lst;
-    uint8_t *res_fis;
-    int dma_status;
-    int done_atapi_packet;
-    int busy_slot;
-    BlockDriverCompletionFunc *dma_cb;
-    AHCICmdHdr *cur_cmd;
-    NCQTransferState ncq_tfs[AHCI_MAX_CMDS];
-};
-
-typedef struct AHCIState {
-    AHCIDevice dev[SATA_PORTS];
-    AHCIControlRegs control_regs;
-    int mem;
-    qemu_irq irq;
-} AHCIState;
-
-typedef struct AHCIPCIState {
-    PCIDevice card;
-    AHCIState ahci;
-} AHCIPCIState;
-
-typedef struct NCQFrame {
-    uint8_t fis_type;
-    uint8_t c;
-    uint8_t command;
-    uint8_t sector_count_low;
-    uint8_t lba0;
-    uint8_t lba1;
-    uint8_t lba2;
-    uint8_t fua;
-    uint8_t lba3;
-    uint8_t lba4;
-    uint8_t lba5;
-    uint8_t sector_count_high;
-    uint8_t tag;
-    uint8_t reserved5;
-    uint8_t reserved6;
-    uint8_t control;
-    uint8_t reserved7;
-    uint8_t reserved8;
-    uint8_t reserved9;
-    uint8_t reserved10;
-} __attribute__ ((packed)) NCQFrame;
-
 static void check_cmd(AHCIState *s, int port);
 static int handle_cmd(AHCIState *s,int port,int slot);
 static void ahci_reset_port(AHCIState *s, int port);
@@ -1410,7 +1113,7 @@ static const IDEDMAOps ahci_dma_ops = {
     .reset = ahci_dma_reset,
 };
 
-static void ahci_init(AHCIState *s, DeviceState *qdev)
+void ahci_init(AHCIState *s, DeviceState *qdev)
 {
     qemu_irq *irqs;
     int i;
@@ -1434,7 +1137,7 @@ static void ahci_init(AHCIState *s, DeviceState *qdev)
     }
 }
 
-static void ahci_pci_map(PCIDevice *pci_dev, int region_num,
+void ahci_pci_map(PCIDevice *pci_dev, int region_num,
         pcibus_t addr, pcibus_t size, int type)
 {
     struct AHCIPCIState *d = (struct AHCIPCIState *)pci_dev;
@@ -1443,7 +1146,7 @@ static void ahci_pci_map(PCIDevice *pci_dev, int region_num,
     cpu_register_physical_memory(addr, size, s->mem);
 }
 
-static void ahci_reset(void *opaque)
+void ahci_reset(void *opaque)
 {
     struct AHCIPCIState *d = opaque;
     int i;
diff --git a/hw/ide/ahci.h b/hw/ide/ahci.h
new file mode 100644
index 0000000..63ef785
--- /dev/null
+++ b/hw/ide/ahci.h
@@ -0,0 +1,309 @@
+#ifndef HW_IDE_AHCI_H
+#define HW_IDE_AHCI_H
+
+#define AHCI_PCI_BAR              5
+#define AHCI_MAX_PORTS            32
+#define AHCI_MAX_SG               168 /* hardware max is 64K */
+#define AHCI_DMA_BOUNDARY         0xffffffff
+#define AHCI_USE_CLUSTERING       0
+#define AHCI_MAX_CMDS             32
+#define AHCI_CMD_SZ               32
+#define AHCI_CMD_SLOT_SZ          (AHCI_MAX_CMDS * AHCI_CMD_SZ)
+#define AHCI_RX_FIS_SZ            256
+#define AHCI_CMD_TBL_CDB          0x40
+#define AHCI_CMD_TBL_HDR_SZ       0x80
+#define AHCI_CMD_TBL_SZ           (AHCI_CMD_TBL_HDR_SZ + (AHCI_MAX_SG * 16))
+#define AHCI_CMD_TBL_AR_SZ        (AHCI_CMD_TBL_SZ * AHCI_MAX_CMDS)
+#define AHCI_PORT_PRIV_DMA_SZ     (AHCI_CMD_SLOT_SZ + AHCI_CMD_TBL_AR_SZ + \
+                                   AHCI_RX_FIS_SZ)
+
+#define AHCI_IRQ_ON_SG            (1 << 31)
+#define AHCI_CMD_ATAPI            (1 << 5)
+#define AHCI_CMD_WRITE            (1 << 6)
+#define AHCI_CMD_PREFETCH         (1 << 7)
+#define AHCI_CMD_RESET            (1 << 8)
+#define AHCI_CMD_CLR_BUSY         (1 << 10)
+
+#define RX_FIS_D2H_REG            0x40 /* offset of D2H Register FIS data */
+#define RX_FIS_SDB                0x58 /* offset of SDB FIS data */
+#define RX_FIS_UNK                0x60 /* offset of Unknown FIS data */
+
+/* global controller registers */
+#define HOST_CAP                  0x00 /* host capabilities */
+#define HOST_CTL                  0x04 /* global host control */
+#define HOST_IRQ_STAT             0x08 /* interrupt status */
+#define HOST_PORTS_IMPL           0x0c /* bitmap of implemented ports */
+#define HOST_VERSION              0x10 /* AHCI spec. version compliancy */
+
+/* HOST_CTL bits */
+#define HOST_CTL_RESET            (1 << 0)  /* reset controller; self-clear */
+#define HOST_CTL_IRQ_EN           (1 << 1)  /* global IRQ enable */
+#define HOST_CTL_AHCI_EN          (1 << 31) /* AHCI enabled */
+
+/* HOST_CAP bits */
+#define HOST_CAP_SSC              (1 << 14) /* Slumber capable */
+#define HOST_CAP_AHCI             (1 << 18) /* AHCI only */
+#define HOST_CAP_CLO              (1 << 24) /* Command List Override support */
+#define HOST_CAP_SSS              (1 << 27) /* Staggered Spin-up */
+#define HOST_CAP_NCQ              (1 << 30) /* Native Command Queueing */
+#define HOST_CAP_64               (1 << 31) /* PCI DAC (64-bit DMA) support */
+
+/* registers for each SATA port */
+#define PORT_LST_ADDR             0x00 /* command list DMA addr */
+#define PORT_LST_ADDR_HI          0x04 /* command list DMA addr hi */
+#define PORT_FIS_ADDR             0x08 /* FIS rx buf addr */
+#define PORT_FIS_ADDR_HI          0x0c /* FIS rx buf addr hi */
+#define PORT_IRQ_STAT             0x10 /* interrupt status */
+#define PORT_IRQ_MASK             0x14 /* interrupt enable/disable mask */
+#define PORT_CMD                  0x18 /* port command */
+#define PORT_TFDATA               0x20 /* taskfile data */
+#define PORT_SIG                  0x24 /* device TF signature */
+#define PORT_SCR_STAT             0x28 /* SATA phy register: SStatus */
+#define PORT_SCR_CTL              0x2c /* SATA phy register: SControl */
+#define PORT_SCR_ERR              0x30 /* SATA phy register: SError */
+#define PORT_SCR_ACT              0x34 /* SATA phy register: SActive */
+#define PORT_CMD_ISSUE            0x38 /* command issue */
+#define PORT_RESERVED             0x3c /* reserved */
+
+/* PORT_IRQ_{STAT,MASK} bits */
+#define PORT_IRQ_COLD_PRES        (1 << 31) /* cold presence detect */
+#define PORT_IRQ_TF_ERR           (1 << 30) /* task file error */
+#define PORT_IRQ_HBUS_ERR         (1 << 29) /* host bus fatal error */
+#define PORT_IRQ_HBUS_DATA_ERR    (1 << 28) /* host bus data error */
+#define PORT_IRQ_IF_ERR           (1 << 27) /* interface fatal error */
+#define PORT_IRQ_IF_NONFATAL      (1 << 26) /* interface non-fatal error */
+#define PORT_IRQ_OVERFLOW         (1 << 24) /* xfer exhausted available S/G */
+#define PORT_IRQ_BAD_PMP          (1 << 23) /* incorrect port multiplier */
+
+#define PORT_IRQ_PHYRDY           (1 << 22) /* PhyRdy changed */
+#define PORT_IRQ_DEV_ILCK         (1 << 7) /* device interlock */
+#define PORT_IRQ_CONNECT          (1 << 6) /* port connect change status */
+#define PORT_IRQ_SG_DONE          (1 << 5) /* descriptor processed */
+#define PORT_IRQ_UNK_FIS          (1 << 4) /* unknown FIS rx'd */
+#define PORT_IRQ_SDB_FIS          (1 << 3) /* Set Device Bits FIS rx'd */
+#define PORT_IRQ_DMAS_FIS         (1 << 2) /* DMA Setup FIS rx'd */
+#define PORT_IRQ_PIOS_FIS         (1 << 1) /* PIO Setup FIS rx'd */
+#define PORT_IRQ_D2H_REG_FIS      (1 << 0) /* D2H Register FIS rx'd */
+
+#define PORT_IRQ_FREEZE           (PORT_IRQ_HBUS_ERR | PORT_IRQ_IF_ERR |   \
+                                   PORT_IRQ_CONNECT | PORT_IRQ_PHYRDY |    \
+                                   PORT_IRQ_UNK_FIS)
+#define PORT_IRQ_ERROR            (PORT_IRQ_FREEZE | PORT_IRQ_TF_ERR |     \
+                                   PORT_IRQ_HBUS_DATA_ERR)
+#define DEF_PORT_IRQ              (PORT_IRQ_ERROR | PORT_IRQ_SG_DONE |     \
+                                   PORT_IRQ_SDB_FIS | PORT_IRQ_DMAS_FIS |  \
+                                   PORT_IRQ_PIOS_FIS | PORT_IRQ_D2H_REG_FIS)
+
+/* PORT_CMD bits */
+#define PORT_CMD_ATAPI            (1 << 24) /* Device is ATAPI */
+#define PORT_CMD_LIST_ON          (1 << 15) /* cmd list DMA engine running */
+#define PORT_CMD_FIS_ON           (1 << 14) /* FIS DMA engine running */
+#define PORT_CMD_FIS_RX           (1 << 4) /* Enable FIS receive DMA engine */
+#define PORT_CMD_CLO              (1 << 3) /* Command list override */
+#define PORT_CMD_POWER_ON         (1 << 2) /* Power up device */
+#define PORT_CMD_SPIN_UP          (1 << 1) /* Spin up device */
+#define PORT_CMD_START            (1 << 0) /* Enable port DMA engine */
+
+#define PORT_CMD_ICC_MASK         (0xf << 28) /* i/f ICC state mask */
+#define PORT_CMD_ICC_ACTIVE       (0x1 << 28) /* Put i/f in active state */
+#define PORT_CMD_ICC_PARTIAL      (0x2 << 28) /* Put i/f in partial state */
+#define PORT_CMD_ICC_SLUMBER      (0x6 << 28) /* Put i/f in slumber state */
+
+#define PORT_IRQ_STAT_DHRS        (1 << 0) /* Device to Host Register FIS */
+#define PORT_IRQ_STAT_PSS         (1 << 1) /* PIO Setup FIS */
+#define PORT_IRQ_STAT_DSS         (1 << 2) /* DMA Setup FIS */
+#define PORT_IRQ_STAT_SDBS        (1 << 3) /* Set Device Bits */
+#define PORT_IRQ_STAT_UFS         (1 << 4) /* Unknown FIS */
+#define PORT_IRQ_STAT_DPS         (1 << 5) /* Descriptor Processed */
+#define PORT_IRQ_STAT_PCS         (1 << 6) /* Port Connect Change Status */
+#define PORT_IRQ_STAT_DMPS        (1 << 7) /* Device Mechanical Presence
+                                              Status */
+#define PORT_IRQ_STAT_PRCS        (1 << 22) /* File Ready Status */
+#define PORT_IRQ_STAT_IPMS        (1 << 23) /* Incorrect Port Multiplier
+                                               Status */
+#define PORT_IRQ_STAT_OFS         (1 << 24) /* Overflow Status */
+#define PORT_IRQ_STAT_INFS        (1 << 26) /* Interface Non-Fatal Error
+                                               Status */
+#define PORT_IRQ_STAT_IFS         (1 << 27) /* Interface Fatal Error */
+#define PORT_IRQ_STAT_HBDS        (1 << 28) /* Host Bus Data Error Status */
+#define PORT_IRQ_STAT_HBFS        (1 << 29) /* Host Bus Fatal Error Status */
+#define PORT_IRQ_STAT_TFES        (1 << 30) /* Task File Error Status */
+#define PORT_IRQ_STAT_CPDS        (1 << 31) /* Code Port Detect Status */
+
+/* ap->flags bits */
+#define AHCI_FLAG_NO_NCQ                  (1 << 24)
+#define AHCI_FLAG_IGN_IRQ_IF_ERR          (1 << 25) /* ignore IRQ_IF_ERR */
+#define AHCI_FLAG_HONOR_PI                (1 << 26) /* honor PORTS_IMPL */
+#define AHCI_FLAG_IGN_SERR_INTERNAL       (1 << 27) /* ignore SERR_INTERNAL */
+#define AHCI_FLAG_32BIT_ONLY              (1 << 28) /* force 32bit */
+
+#define ATA_SRST                          (1 << 2)  /* software reset */
+
+#define STATE_RUN                         0
+#define STATE_RESET                       1
+
+#define SATA_SCR_SSTATUS_DET_NODEV        0x0
+#define SATA_SCR_SSTATUS_DET_DEV_PRESENT_PHY_UP 0x3
+
+#define SATA_SCR_SSTATUS_SPD_NODEV        0x00
+#define SATA_SCR_SSTATUS_SPD_GEN1         0x10
+
+#define SATA_SCR_SSTATUS_IPM_NODEV        0x000
+#define SATA_SCR_SSTATUS_IPM_ACTIVE       0X100
+
+#define AHCI_SCR_SCTL_DET                 0xf
+
+#define SATA_FIS_TYPE_REGISTER_H2D        0x27
+#define SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER 0x80
+
+#define AHCI_CMD_HDR_CMD_FIS_LEN           0x1f
+#define AHCI_CMD_HDR_PRDT_LEN              16
+
+#define SATA_SIGNATURE_CDROM               0xeb140000
+#define SATA_SIGNATURE_DISK                0x00000101
+
+#define AHCI_GENERIC_HOST_CONTROL_REGS_MAX_ADDR 0x20
+                                            /* Shouldn't this be 0x2c? */
+
+#define SATA_PORTS                         4
+
+#define AHCI_PORT_REGS_START_ADDR          0x100
+#define AHCI_PORT_REGS_END_ADDR (AHCI_PORT_REGS_START_ADDR + SATA_PORTS * 0x80)
+#define AHCI_PORT_ADDR_OFFSET_MASK         0x7f
+
+#define AHCI_NUM_COMMAND_SLOTS             31
+#define AHCI_SUPPORTED_SPEED               20
+#define AHCI_SUPPORTED_SPEED_GEN1          1
+#define AHCI_VERSION_1_0                   0x10000
+
+#define AHCI_PROGMODE_MAJOR_REV_1          1
+
+#define AHCI_COMMAND_TABLE_ACMD            0x40
+
+#define IDE_FEATURE_DMA                    1
+
+#define READ_FPDMA_QUEUED                  0x60
+#define WRITE_FPDMA_QUEUED                 0x61
+
+#define RES_FIS_DSFIS                      0x00
+#define RES_FIS_PSFIS                      0x20
+#define RES_FIS_RFIS                       0x40
+#define RES_FIS_SDBFIS                     0x58
+#define RES_FIS_UFIS                       0x60
+
+typedef struct AHCIControlRegs {
+    uint32_t    cap;
+    uint32_t    ghc;
+    uint32_t    irqstatus;
+    uint32_t    impl;
+    uint32_t    version;
+} AHCIControlRegs;
+
+typedef struct AHCIPortRegs {
+    uint32_t    lst_addr;
+    uint32_t    lst_addr_hi;
+    uint32_t    fis_addr;
+    uint32_t    fis_addr_hi;
+    uint32_t    irq_stat;
+    uint32_t    irq_mask;
+    uint32_t    cmd;
+    uint32_t    unused0;
+    uint32_t    tfdata;
+    uint32_t    sig;
+    uint32_t    scr_stat;
+    uint32_t    scr_ctl;
+    uint32_t    scr_err;
+    uint32_t    scr_act;
+    uint32_t    cmd_issue;
+    uint32_t    reserved;
+} AHCIPortRegs;
+
+typedef struct AHCICmdHdr {
+    uint32_t    opts;
+    uint32_t    status;
+    uint64_t    tbl_addr;
+    uint32_t    reserved[4];
+} __attribute__ ((packed)) AHCICmdHdr;
+
+typedef struct AHCI_SG {
+    uint64_t    addr;
+    uint32_t    reserved;
+    uint32_t    flags_size;
+} __attribute__ ((packed)) AHCI_SG;
+
+typedef struct AHCIDevice AHCIDevice;
+
+typedef struct NCQTransferState {
+    AHCIDevice *drive;
+    BlockDriverAIOCB *aiocb;
+    QEMUSGList sglist;
+    int is_read;
+    uint16_t sector_count;
+    uint64_t lba;
+    uint8_t tag;
+    int slot;
+    int used;
+} NCQTransferState;
+
+struct AHCIDevice {
+    IDEDMA dma;
+    IDEBus port;
+    int port_no;
+    uint32_t port_state;
+    uint32_t finished;
+    AHCIPortRegs port_regs;
+    struct AHCIState *hba;
+    QEMUBH *check_bh;
+    uint8_t *lst;
+    uint8_t *res_fis;
+    int dma_status;
+    int done_atapi_packet;
+    int busy_slot;
+    BlockDriverCompletionFunc *dma_cb;
+    AHCICmdHdr *cur_cmd;
+    NCQTransferState ncq_tfs[AHCI_MAX_CMDS];
+};
+
+typedef struct AHCIState {
+    AHCIDevice dev[SATA_PORTS];
+    AHCIControlRegs control_regs;
+    int mem;
+    qemu_irq irq;
+} AHCIState;
+
+typedef struct AHCIPCIState {
+    PCIDevice card;
+    AHCIState ahci;
+} AHCIPCIState;
+
+typedef struct NCQFrame {
+    uint8_t fis_type;
+    uint8_t c;
+    uint8_t command;
+    uint8_t sector_count_low;
+    uint8_t lba0;
+    uint8_t lba1;
+    uint8_t lba2;
+    uint8_t fua;
+    uint8_t lba3;
+    uint8_t lba4;
+    uint8_t lba5;
+    uint8_t sector_count_high;
+    uint8_t tag;
+    uint8_t reserved5;
+    uint8_t reserved6;
+    uint8_t control;
+    uint8_t reserved7;
+    uint8_t reserved8;
+    uint8_t reserved9;
+    uint8_t reserved10;
+} __attribute__ ((packed)) NCQFrame;
+
+void ahci_init(AHCIState *s, DeviceState *qdev);
+
+void ahci_pci_map(PCIDevice *pci_dev, int region_num,
+        pcibus_t addr, pcibus_t size, int type);
+
+void ahci_reset(void *opaque);
+
+#endif /* HW_IDE_AHCI_H */
diff --git a/hw/ide/ich.c b/hw/ide/ich.c
new file mode 100644
index 0000000..9868b73
--- /dev/null
+++ b/hw/ide/ich.c
@@ -0,0 +1,61 @@
+#include <hw/hw.h>
+#include <hw/msi.h>
+#include <hw/pc.h>
+#include <hw/pci.h>
+#include <hw/isa.h>
+#include "block.h"
+#include "block_int.h"
+#include "sysemu.h"
+#include "dma.h"
+
+#include <hw/ide/pci.h>
+#include <hw/ide/ahci.h>
+
+static int pci_ich9_ahci_initfn(PCIDevice *dev)
+{
+    struct AHCIPCIState *d;
+    d = DO_UPCAST(struct AHCIPCIState, card, dev);
+
+    pci_config_set_vendor_id(d->card.config, PCI_VENDOR_ID_INTEL);
+    pci_config_set_device_id(d->card.config, PCI_DEVICE_ID_INTEL_82801IR);
+
+    pci_config_set_class(d->card.config, PCI_CLASS_STORAGE_SATA);
+    pci_config_set_revision(d->card.config, 0x02);
+    pci_config_set_prog_interface(d->card.config, AHCI_PROGMODE_MAJOR_REV_1);
+
+    d->card.config[PCI_CACHE_LINE_SIZE] = 0x08;  /* Cache line size */
+    d->card.config[PCI_LATENCY_TIMER]   = 0x00;  /* Latency timer */
+    pci_config_set_interrupt_pin(d->card.config, 1);
+
+    /* XXX Software should program this register */
+    d->card.config[0x90]   = 1 << 6; /* Address Map Register - AHCI mode */
+
+    qemu_register_reset(ahci_reset, d);
+
+    /* XXX BAR size should be 1k, but that breaks, so bump it to 4k for now */
+    pci_register_bar(&d->card, 5, 0x1000, PCI_BASE_ADDRESS_SPACE_MEMORY,
+                     ahci_pci_map);
+
+    msi_init(dev, 0x50, 1, true, false);
+
+    ahci_init(&d->ahci, &dev->qdev);
+    d->ahci.irq = d->card.irq[0];
+
+    return 0;
+}
+
+static PCIDeviceInfo ich_ahci_info[] = {
+    {
+        .qdev.name    = "ich9-ahci",
+        .qdev.size    = sizeof(AHCIPCIState),
+        .init         = pci_ich9_ahci_initfn,
+    },{
+        /* end of list */
+    }
+};
+
+static void ich_ahci_register(void)
+{
+    pci_qdev_register_many(ich_ahci_info);
+}
+device_init(ich_ahci_register);
commit 4f3669ea5bd73ade0dce5f1155cb9ad9788fd54c
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Feb 4 21:01:16 2011 +0100

    block/vdi: Fix wrong size in conditionally used memset, memcmp
    
    Error report from cppcheck:
    block/vdi.c:122: error: Using sizeof for array given as function argument returns the size of pointer.
    block/vdi.c:128: error: Using sizeof for array given as function argument returns the size of pointer.
    
    Fix both by setting the correct size.
    
    The buggy code is only used when QEMU is build without uuid support.
    The bug is not critical, so there is no urgent need to apply it to
    old versions of QEMU.
    
    Cc: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/vdi.c b/block/vdi.c
index ab8f70f..116b25b 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -119,13 +119,13 @@ void uuid_unparse(const uuid_t uu, char *out);
 #if !defined(CONFIG_UUID)
 void uuid_generate(uuid_t out)
 {
-    memset(out, 0, sizeof(out));
+    memset(out, 0, sizeof(uuid_t));
 }
 
 int uuid_is_null(const uuid_t uu)
 {
     uuid_t null_uuid = { 0 };
-    return memcmp(uu, null_uuid, sizeof(uu)) == 0;
+    return memcmp(uu, null_uuid, sizeof(uuid_t)) == 0;
 }
 
 void uuid_unparse(const uuid_t uu, char *out)
commit 42af9c30ea9a963ce604ac96230fde2f987634db
Author: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
Date:   Mon Feb 7 16:04:04 2011 +0900

    Documentation: add Sheepdog disk images
    
    Signed-off-by: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 22a8663..86e017c 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -407,6 +407,7 @@ snapshots.
 * host_drives::               Using host drives
 * disk_images_fat_images::    Virtual FAT disk images
 * disk_images_nbd::           NBD access
+* disk_images_sheepdog::      Sheepdog disk images
 @end menu
 
 @node disk_images_quickstart
@@ -630,6 +631,57 @@ qemu -cdrom nbd:localhost:exportname=debian-500-ppc-netinst
 qemu -cdrom nbd:localhost:exportname=openSUSE-11.1-ppc-netinst
 @end example
 
+ at node disk_images_sheepdog
+ at subsection Sheepdog disk images
+
+Sheepdog is a distributed storage system for QEMU.  It provides highly
+available block level storage volumes that can be attached to
+QEMU-based virtual machines.
+
+You can create a Sheepdog disk image with the command:
+ at example
+qemu-img create sheepdog:@var{image} @var{size}
+ at end example
+where @var{image} is the Sheepdog image name and @var{size} is its
+size.
+
+To import the existing @var{filename} to Sheepdog, you can use a
+convert command.
+ at example
+qemu-img convert @var{filename} sheepdog:@var{image}
+ at end example
+
+You can boot from the Sheepdog disk image with the command:
+ at example
+qemu sheepdog:@var{image}
+ at end example
+
+You can also create a snapshot of the Sheepdog image like qcow2.
+ at example
+qemu-img snapshot -c @var{tag} sheepdog:@var{image}
+ at end example
+where @var{tag} is a tag name of the newly created snapshot.
+
+To boot from the Sheepdog snapshot, specify the tag name of the
+snapshot.
+ at example
+qemu sheepdog:@var{image}:@var{tag}
+ at end example
+
+You can create a cloned image from the existing snapshot.
+ at example
+qemu-img create -b sheepdog:@var{base}:@var{tag} sheepdog:@var{image}
+ at end example
+where @var{base} is a image name of the source snapshot and @var{tag}
+is its tag name.
+
+If the Sheepdog daemon doesn't run on the local host, you need to
+specify one of the Sheepdog servers to connect to.
+ at example
+qemu-img create sheepdog:@var{hostname}:@var{port}:@var{image} @var{size}
+qemu sheepdog:@var{hostname}:@var{port}:@var{image}
+ at end example
+
 @node pcsys_network
 @section Network emulation
 
commit e1a7107f2d92af646ec37b74d074dc150e688559
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Jan 27 16:46:01 2011 +0100

    qcow2: Really use cache=unsafe for image creation
    
    For cache=unsafe we also need to set BDRV_O_CACHE_WB, otherwise we have some
    strange unsafe writethrough mode.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index dbe4fdd..a1773e4 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -975,7 +975,8 @@ static int qcow2_create2(const char *filename, int64_t total_size,
      */
     BlockDriver* drv = bdrv_find_format("qcow2");
     assert(drv != NULL);
-    ret = bdrv_open(bs, filename, BDRV_O_RDWR | BDRV_O_NO_FLUSH, drv);
+    ret = bdrv_open(bs, filename,
+        BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH, drv);
     if (ret < 0) {
         goto out;
     }
commit ad36ce8ba95a756ef558579c6e9ecedfae4dfd0b
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Feb 5 13:18:20 2011 +0000

    checkpatch.pl: don't complain about old lines with tabs
    
    Don't complain when the patch includes lines with tabs
    only in the hunk's untouched context.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index 4fa06c0..075b614 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -1495,7 +1495,7 @@ sub process {
 		next if ($realfile !~ /\.(h|c|pl)$/);
 
 # in QEMU, no tabs are allowed
-		if ($rawline =~ /\t/) {
+		if ($rawline =~ /^\+.*\t/) {
 			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
 			ERROR("code indent should never use tabs\n" . $herevet);
 			$rpt_cleaners = 1;
commit a2fdc8907bee6eb572fea992be7126e1b616d5bf
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 3 19:43:25 2011 +0000

    target-arm: Fix decoding of Thumb preload and hint space
    
    Refine the decoding of the Thumb preload and hint space, so we
    UNDEF on the patterns that are supposed to UNDEF rather than NOP.
    We also move the tests for this space earlier, so we don't emit
    harmless but unnecessary address generation code for preload
    hints (which by their nature are likely to be in hot code paths).
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index a8f1ffe..e4649e6 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -8306,6 +8306,42 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                 goto illegal_op;
             break;
         }
+        op = ((insn >> 21) & 3) | ((insn >> 22) & 4);
+        if (rs == 15) {
+            if (!(insn & (1 << 20))) {
+                goto illegal_op;
+            }
+            if (op != 2) {
+                /* Byte or halfword load space with dest == r15 : memory hints.
+                 * Catch them early so we don't emit pointless addressing code.
+                 * This space is a mix of:
+                 *  PLD/PLDW/PLI,  which we implement as NOPs (note that unlike
+                 *     the ARM encodings, PLDW space doesn't UNDEF for non-v7MP
+                 *     cores)
+                 *  unallocated hints, which must be treated as NOPs
+                 *  UNPREDICTABLE space, which we NOP or UNDEF depending on
+                 *     which is easiest for the decoding logic
+                 *  Some space which must UNDEF
+                 */
+                int op1 = (insn >> 23) & 3;
+                int op2 = (insn >> 6) & 0x3f;
+                if (op & 2) {
+                    goto illegal_op;
+                }
+                if (rn == 15) {
+                    /* UNPREDICTABLE or unallocated hint */
+                    return 0;
+                }
+                if (op1 & 1) {
+                    return 0; /* PLD* or unallocated hint */
+                }
+                if ((op2 == 0) || ((op2 & 0x3c) == 0x30)) {
+                    return 0; /* PLD* or unallocated hint */
+                }
+                /* UNDEF space, or an UNPREDICTABLE */
+                return 1;
+            }
+        }
         user = IS_USER(s);
         if (rn == 15) {
             addr = new_tmp();
@@ -8324,9 +8360,8 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                 imm = insn & 0xfff;
                 tcg_gen_addi_i32(addr, addr, imm);
             } else {
-                op = (insn >> 8) & 7;
                 imm = insn & 0xff;
-                switch (op) {
+                switch ((insn >> 8) & 7) {
                 case 0: case 8: /* Shifted Register.  */
                     shift = (insn >> 4) & 0xf;
                     if (shift > 3)
@@ -8363,32 +8398,23 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                 }
             }
         }
-        op = ((insn >> 21) & 3) | ((insn >> 22) & 4);
         if (insn & (1 << 20)) {
             /* Load.  */
-            if (rs == 15 && op != 2) {
-                if (op & 2)
-                    goto illegal_op;
-                /* Memory hint.  Implemented as NOP.  */
+            switch (op) {
+            case 0: tmp = gen_ld8u(addr, user); break;
+            case 4: tmp = gen_ld8s(addr, user); break;
+            case 1: tmp = gen_ld16u(addr, user); break;
+            case 5: tmp = gen_ld16s(addr, user); break;
+            case 2: tmp = gen_ld32(addr, user); break;
+            default: goto illegal_op;
+            }
+            if (rs == 15) {
+                gen_bx(s, tmp);
             } else {
-                switch (op) {
-                case 0: tmp = gen_ld8u(addr, user); break;
-                case 4: tmp = gen_ld8s(addr, user); break;
-                case 1: tmp = gen_ld16u(addr, user); break;
-                case 5: tmp = gen_ld16s(addr, user); break;
-                case 2: tmp = gen_ld32(addr, user); break;
-                default: goto illegal_op;
-                }
-                if (rs == 15) {
-                    gen_bx(s, tmp);
-                } else {
-                    store_reg(s, rs, tmp);
-                }
+                store_reg(s, rs, tmp);
             }
         } else {
             /* Store.  */
-            if (rs == 15)
-                goto illegal_op;
             tmp = load_reg(s, rs);
             switch (op) {
             case 0: gen_st8(tmp, addr, user); break;
commit 3d185e5dd4967b7d03772d806ee566ed09d67485
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 3 19:43:24 2011 +0000

    target-arm: Fix decoding of preload and memory hint space
    
    Correct the decoding of the ARM preload and memory hint space,
    by adding decoding of PLI, PLDW and the v7MP unallocated hint
    space. This commit also corrects a slightly overexuberant
    decoding of PLD(register) which was not checking that bit 4
    was one.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 5149543..a8f1ffe 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -6100,9 +6100,31 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                 goto illegal_op;
             return;
         }
-        if ((insn & 0x0d70f000) == 0x0550f000)
-            return; /* PLD */
-        else if ((insn & 0x0ffffdff) == 0x01010000) {
+        if (((insn & 0x0f30f000) == 0x0510f000) ||
+            ((insn & 0x0f30f010) == 0x0710f000)) {
+            if ((insn & (1 << 22)) == 0) {
+                /* PLDW; v7MP */
+                if (!arm_feature(env, ARM_FEATURE_V7MP)) {
+                    goto illegal_op;
+                }
+            }
+            /* Otherwise PLD; v5TE+ */
+            return;
+        }
+        if (((insn & 0x0f70f000) == 0x0450f000) ||
+            ((insn & 0x0f70f010) == 0x0650f000)) {
+            ARCH(7);
+            return; /* PLI; V7 */
+        }
+        if (((insn & 0x0f700000) == 0x04100000) ||
+            ((insn & 0x0f700010) == 0x06100000)) {
+            if (!arm_feature(env, ARM_FEATURE_V7MP)) {
+                goto illegal_op;
+            }
+            return; /* v7MP: Unallocated memory hint: must NOP */
+        }
+
+        if ((insn & 0x0ffffdff) == 0x01010000) {
             ARCH(6);
             /* setend */
             if (insn & (1 << 9)) {
commit 607b4b0876bd3b1f33786ecc010ca2723de57270
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 3 19:43:23 2011 +0000

    target-arm: Clean up handling of MPIDR
    
    The ARM cp15 register 0,c0,c0,5 is standardised in the v7 architecture
    as the MPIDR. Clean up its implementation to remove A9 specific handling.
    
    This commit includes fixing an error in the value returned for the
    MPIDR on A9, where we were erroneously claiming a cluster ID of 9.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 3cf9181..d46defc 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1608,12 +1608,28 @@ uint32_t HELPER(get_cp15)(CPUState *env, uint32_t insn)
                     return 0;
                 case 3: /* TLB type register.  */
                     return 0; /* No lockable TLB entries.  */
-                case 5: /* CPU ID */
-                    if (ARM_CPUID(env) == ARM_CPUID_CORTEXA9) {
-                        return env->cpu_index | 0x80000900;
-                    } else {
-                        return env->cpu_index;
+                case 5: /* MPIDR */
+                    /* The MPIDR was standardised in v7; prior to
+                     * this it was implemented only in the 11MPCore.
+                     * For all other pre-v7 cores it does not exist.
+                     */
+                    if (arm_feature(env, ARM_FEATURE_V7) ||
+                        ARM_CPUID(env) == ARM_CPUID_ARM11MPCORE) {
+                        int mpidr = env->cpu_index;
+                        /* We don't support setting cluster ID ([8..11])
+                         * so these bits always RAZ.
+                         */
+                        if (arm_feature(env, ARM_FEATURE_V7MP)) {
+                            mpidr |= (1 << 31);
+                            /* Cores which are uniprocessor (non-coherent)
+                             * but still implement the MP extensions set
+                             * bit 30. (For instance, A9UP.) However we do
+                             * not currently model any of those cores.
+                             */
+                        }
+                        return mpidr;
                     }
+                    /* otherwise fall through to the unimplemented-reg case */
                 default:
                     goto bad_reg;
                 }
commit e1bbf44636a7435be0582f56aa0947d5186d6009
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 3 19:43:22 2011 +0000

    target-arm: Add CPU feature flag for v7MP
    
    Add a CPU feature flag for v7MP (the multiprocessing extensions); some
    instructions exist only for v7MP and not for the base v7 architecture.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 5bcd53a..0d96325 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -362,7 +362,8 @@ enum arm_features {
     ARM_FEATURE_DIV,
     ARM_FEATURE_M, /* Microcontroller profile.  */
     ARM_FEATURE_OMAPCP, /* OMAP specific CP15 ops handling.  */
-    ARM_FEATURE_THUMB2EE
+    ARM_FEATURE_THUMB2EE,
+    ARM_FEATURE_V7MP    /* v7 Multiprocessing Extensions */
 };
 
 static inline int arm_feature(CPUARMState *env, int feature)
diff --git a/target-arm/helper.c b/target-arm/helper.c
index b562767..3cf9181 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -123,6 +123,11 @@ static void cpu_reset_model_id(CPUARMState *env, uint32_t id)
         set_feature(env, ARM_FEATURE_VFP_FP16);
         set_feature(env, ARM_FEATURE_NEON);
         set_feature(env, ARM_FEATURE_THUMB2EE);
+        /* Note that A9 supports the MP extensions even for
+         * A9UP and single-core A9MP (which are both different
+         * and valid configurations; we don't model A9UP).
+         */
+        set_feature(env, ARM_FEATURE_V7MP);
         env->vfp.xregs[ARM_VFP_FPSID] = 0x41034000; /* Guess */
         env->vfp.xregs[ARM_VFP_MVFR0] = 0x11110222;
         env->vfp.xregs[ARM_VFP_MVFR1] = 0x01111111;
@@ -152,6 +157,7 @@ static void cpu_reset_model_id(CPUARMState *env, uint32_t id)
         set_feature(env, ARM_FEATURE_NEON);
         set_feature(env, ARM_FEATURE_THUMB2EE);
         set_feature(env, ARM_FEATURE_DIV);
+        set_feature(env, ARM_FEATURE_V7MP);
         break;
     case ARM_CPUID_TI915T:
     case ARM_CPUID_TI925T:
commit 4fef930af8d7fab4b6c777fa4c6e2b902359262a
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Feb 2 17:34:34 2011 +0200

    do not pass NULL to strdup.
    
    Also use qemu_strdup() instead of strdup() in bootindex code.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/vl.c b/vl.c
index 655617f..ed2cdfa 100644
--- a/vl.c
+++ b/vl.c
@@ -738,7 +738,7 @@ void add_boot_device_path(int32_t bootindex, DeviceState *dev,
 
     node = qemu_mallocz(sizeof(FWBootEntry));
     node->bootindex = bootindex;
-    node->suffix = strdup(suffix);
+    node->suffix = suffix ? qemu_strdup(suffix) : NULL;
     node->dev = dev;
 
     QTAILQ_FOREACH(i, &fw_boot_order, link) {
@@ -785,7 +785,7 @@ char *get_boot_devices_list(uint32_t *size)
         } else if (devpath) {
             bootpath = devpath;
         } else {
-            bootpath = strdup(i->suffix);
+            bootpath = qemu_strdup(i->suffix);
             assert(bootpath);
         }
 
commit 72902672dc2ed6281cdb205259c1d52ecf01f6b2
Author: Christophe Lyon <christophe.lyon at st.com>
Date:   Fri Feb 4 15:17:51 2011 +0100

    Set the right overflow bit for neon 32 and 64 bit saturating add/sub.
    
    Signed-off-by: Christophe Lyon <christophe.lyon at st.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helpers.h b/target-arm/helpers.h
index b88ebae..8a2564e 100644
--- a/target-arm/helpers.h
+++ b/target-arm/helpers.h
@@ -137,10 +137,6 @@ DEF_HELPER_2(rsqrte_f32, f32, f32, env)
 DEF_HELPER_2(recpe_u32, i32, i32, env)
 DEF_HELPER_2(rsqrte_u32, i32, i32, env)
 DEF_HELPER_4(neon_tbl, i32, i32, i32, i32, i32)
-DEF_HELPER_2(neon_add_saturate_u64, i64, i64, i64)
-DEF_HELPER_2(neon_add_saturate_s64, i64, i64, i64)
-DEF_HELPER_2(neon_sub_saturate_u64, i64, i64, i64)
-DEF_HELPER_2(neon_sub_saturate_s64, i64, i64, i64)
 
 DEF_HELPER_2(add_cc, i32, i32, i32)
 DEF_HELPER_2(adc_cc, i32, i32, i32)
@@ -160,10 +156,18 @@ DEF_HELPER_3(neon_qadd_u8, i32, env, i32, i32)
 DEF_HELPER_3(neon_qadd_s8, i32, env, i32, i32)
 DEF_HELPER_3(neon_qadd_u16, i32, env, i32, i32)
 DEF_HELPER_3(neon_qadd_s16, i32, env, i32, i32)
+DEF_HELPER_3(neon_qadd_u32, i32, env, i32, i32)
+DEF_HELPER_3(neon_qadd_s32, i32, env, i32, i32)
 DEF_HELPER_3(neon_qsub_u8, i32, env, i32, i32)
 DEF_HELPER_3(neon_qsub_s8, i32, env, i32, i32)
 DEF_HELPER_3(neon_qsub_u16, i32, env, i32, i32)
 DEF_HELPER_3(neon_qsub_s16, i32, env, i32, i32)
+DEF_HELPER_3(neon_qsub_u32, i32, env, i32, i32)
+DEF_HELPER_3(neon_qsub_s32, i32, env, i32, i32)
+DEF_HELPER_3(neon_qadd_u64, i64, env, i64, i64)
+DEF_HELPER_3(neon_qadd_s64, i64, env, i64, i64)
+DEF_HELPER_3(neon_qsub_u64, i64, env, i64, i64)
+DEF_HELPER_3(neon_qsub_s64, i64, env, i64, i64)
 
 DEF_HELPER_2(neon_hadd_s8, i32, i32, i32)
 DEF_HELPER_2(neon_hadd_u8, i32, i32, i32)
diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index fead152..268af33 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -198,6 +198,28 @@ NEON_VOP_ENV(qadd_u16, neon_u16, 2)
 #undef NEON_FN
 #undef NEON_USAT
 
+uint32_t HELPER(neon_qadd_u32)(CPUState *env, uint32_t a, uint32_t b)
+{
+    uint32_t res = a + b;
+    if (res < a) {
+        SET_QC();
+        res = ~0;
+    }
+    return res;
+}
+
+uint64_t HELPER(neon_qadd_u64)(CPUState *env, uint64_t src1, uint64_t src2)
+{
+    uint64_t res;
+
+    res = src1 + src2;
+    if (res < src1) {
+        SET_QC();
+        res = ~(uint64_t)0;
+    }
+    return res;
+}
+
 #define NEON_SSAT(dest, src1, src2, type) do { \
     int32_t tmp = (uint32_t)src1 + (uint32_t)src2; \
     if (tmp != (type)tmp) { \
@@ -218,6 +240,28 @@ NEON_VOP_ENV(qadd_s16, neon_s16, 2)
 #undef NEON_FN
 #undef NEON_SSAT
 
+uint32_t HELPER(neon_qadd_s32)(CPUState *env, uint32_t a, uint32_t b)
+{
+    uint32_t res = a + b;
+    if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
+        SET_QC();
+        res = ~(((int32_t)a >> 31) ^ SIGNBIT);
+    }
+    return res;
+}
+
+uint64_t HELPER(neon_qadd_s64)(CPUState *env, uint64_t src1, uint64_t src2)
+{
+    uint64_t res;
+
+    res = src1 + src2;
+    if (((res ^ src1) & SIGNBIT64) && !((src1 ^ src2) & SIGNBIT64)) {
+        SET_QC();
+        res = ((int64_t)src1 >> 63) ^ ~SIGNBIT64;
+    }
+    return res;
+}
+
 #define NEON_USAT(dest, src1, src2, type) do { \
     uint32_t tmp = (uint32_t)src1 - (uint32_t)src2; \
     if (tmp != (type)tmp) { \
@@ -234,6 +278,29 @@ NEON_VOP_ENV(qsub_u16, neon_u16, 2)
 #undef NEON_FN
 #undef NEON_USAT
 
+uint32_t HELPER(neon_qsub_u32)(CPUState *env, uint32_t a, uint32_t b)
+{
+    uint32_t res = a - b;
+    if (res > a) {
+        SET_QC();
+        res = 0;
+    }
+    return res;
+}
+
+uint64_t HELPER(neon_qsub_u64)(CPUState *env, uint64_t src1, uint64_t src2)
+{
+    uint64_t res;
+
+    if (src1 < src2) {
+        SET_QC();
+        res = 0;
+    } else {
+        res = src1 - src2;
+    }
+    return res;
+}
+
 #define NEON_SSAT(dest, src1, src2, type) do { \
     int32_t tmp = (uint32_t)src1 - (uint32_t)src2; \
     if (tmp != (type)tmp) { \
@@ -254,6 +321,28 @@ NEON_VOP_ENV(qsub_s16, neon_s16, 2)
 #undef NEON_FN
 #undef NEON_SSAT
 
+uint32_t HELPER(neon_qsub_s32)(CPUState *env, uint32_t a, uint32_t b)
+{
+    uint32_t res = a - b;
+    if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
+        SET_QC();
+        res = ~(((int32_t)a >> 31) ^ SIGNBIT);
+    }
+    return res;
+}
+
+uint64_t HELPER(neon_qsub_s64)(CPUState *env, uint64_t src1, uint64_t src2)
+{
+    uint64_t res;
+
+    res = src1 - src2;
+    if (((res ^ src1) & SIGNBIT64) && ((src1 ^ src2) & SIGNBIT64)) {
+        SET_QC();
+        res = ((int64_t)src1 >> 63) ^ ~SIGNBIT64;
+    }
+    return res;
+}
+
 #define NEON_FN(dest, src1, src2) dest = (src1 + src2) >> 1
 NEON_VOP(hadd_s8, neon_s8, 4)
 NEON_VOP(hadd_u8, neon_u8, 4)
diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 43baa63..3de2610 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -424,52 +424,3 @@ uint32_t HELPER(ror_cc)(uint32_t x, uint32_t i)
         return ((uint32_t)x >> shift) | (x << (32 - shift));
     }
 }
-
-uint64_t HELPER(neon_add_saturate_s64)(uint64_t src1, uint64_t src2)
-{
-    uint64_t res;
-
-    res = src1 + src2;
-    if (((res ^ src1) & SIGNBIT64) && !((src1 ^ src2) & SIGNBIT64)) {
-        env->QF = 1;
-        res = ((int64_t)src1 >> 63) ^ ~SIGNBIT64;
-    }
-    return res;
-}
-
-uint64_t HELPER(neon_add_saturate_u64)(uint64_t src1, uint64_t src2)
-{
-    uint64_t res;
-
-    res = src1 + src2;
-    if (res < src1) {
-        env->QF = 1;
-        res = ~(uint64_t)0;
-    }
-    return res;
-}
-
-uint64_t HELPER(neon_sub_saturate_s64)(uint64_t src1, uint64_t src2)
-{
-    uint64_t res;
-
-    res = src1 - src2;
-    if (((res ^ src1) & SIGNBIT64) && ((src1 ^ src2) & SIGNBIT64)) {
-        env->QF = 1;
-        res = ((int64_t)src1 >> 63) ^ ~SIGNBIT64;
-    }
-    return res;
-}
-
-uint64_t HELPER(neon_sub_saturate_u64)(uint64_t src1, uint64_t src2)
-{
-    uint64_t res;
-
-    if (src1 < src2) {
-        env->QF = 1;
-        res = 0;
-    } else {
-        res = src1 - src2;
-    }
-    return res;
-}
diff --git a/target-arm/translate.c b/target-arm/translate.c
index 92d0ef0..5149543 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -3539,12 +3539,6 @@ static inline void gen_neon_rsb(int size, TCGv t0, TCGv t1)
 #define gen_helper_neon_pmin_s32  gen_helper_neon_min_s32
 #define gen_helper_neon_pmin_u32  gen_helper_neon_min_u32
 
-/* FIXME: This is wrong.  They set the wrong overflow bit.  */
-#define gen_helper_neon_qadd_s32(a, e, b, c) gen_helper_add_saturate(a, b, c)
-#define gen_helper_neon_qadd_u32(a, e, b, c) gen_helper_add_usaturate(a, b, c)
-#define gen_helper_neon_qsub_s32(a, e, b, c) gen_helper_sub_saturate(a, b, c)
-#define gen_helper_neon_qsub_u32(a, e, b, c) gen_helper_sub_usaturate(a, b, c)
-
 #define GEN_NEON_INTEGER_OP_ENV(name) do { \
     switch ((size << 1) | u) { \
     case 0: \
@@ -4233,16 +4227,20 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                 switch (op) {
                 case 1: /* VQADD */
                     if (u) {
-                        gen_helper_neon_add_saturate_u64(CPU_V001);
+                        gen_helper_neon_qadd_u64(cpu_V0, cpu_env,
+                                                 cpu_V0, cpu_V1);
                     } else {
-                        gen_helper_neon_add_saturate_s64(CPU_V001);
+                        gen_helper_neon_qadd_s64(cpu_V0, cpu_env,
+                                                 cpu_V0, cpu_V1);
                     }
                     break;
                 case 5: /* VQSUB */
                     if (u) {
-                        gen_helper_neon_sub_saturate_u64(CPU_V001);
+                        gen_helper_neon_qsub_u64(cpu_V0, cpu_env,
+                                                 cpu_V0, cpu_V1);
                     } else {
-                        gen_helper_neon_sub_saturate_s64(CPU_V001);
+                        gen_helper_neon_qsub_s64(cpu_V0, cpu_env,
+                                                 cpu_V0, cpu_V1);
                     }
                     break;
                 case 8: /* VSHL */
commit 5371cb81405a35ca4c1f6ab23f93a4f7260ffa53
Author: Christophe Lyon <christophe.lyon at st.com>
Date:   Tue Jan 25 18:18:08 2011 +0100

    target-arm: Fix Neon vsra instructions.
    
    This patch fixes the errors reported by my tests in VSRA.
    
    Signed-off-by: Christophe Lyon <christophe.lyon at st.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index d95133f..92d0ef0 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4686,7 +4686,7 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                         }
                         if (op == 1 || op == 3) {
                             /* Accumulate.  */
-                            neon_load_reg64(cpu_V0, rd + pass);
+                            neon_load_reg64(cpu_V1, rd + pass);
                             tcg_gen_add_i64(cpu_V0, cpu_V0, cpu_V1);
                         } else if (op == 4 || (op == 5 && u)) {
                             /* Insert */
@@ -4750,7 +4750,7 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                         if (op == 1 || op == 3) {
                             /* Accumulate.  */
                             tmp2 = neon_load_reg(rd, pass);
-                            gen_neon_add(size, tmp2, tmp);
+                            gen_neon_add(size, tmp, tmp2);
                             dead_tmp(tmp2);
                         } else if (op == 4 || (op == 5 && u)) {
                             /* Insert */
commit 7026259f79ffc85ceaaaeee32df518ea96863ee4
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Feb 4 20:19:33 2011 +0100

    target-sh4: fix negc
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 35573be..58e9b8f 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -960,9 +960,9 @@ static void _decode_opc(DisasContext * ctx)
             tcg_gen_andi_i32(t1, cpu_sr, SR_T);
             tcg_gen_sub_i32(REG(B11_8), t0, t1);
             tcg_gen_andi_i32(cpu_sr, cpu_sr, ~SR_T);
-            tcg_gen_setcond_i32(TCG_COND_GE, t1, REG(B11_8), t0);
+            tcg_gen_setcondi_i32(TCG_COND_GTU, t1, t0, 0);
             tcg_gen_or_i32(cpu_sr, cpu_sr, t1);
-            tcg_gen_setcondi_i32(TCG_COND_GE, t1, t0, 0);
+            tcg_gen_setcond_i32(TCG_COND_GTU, t1, REG(B11_8), t0);
             tcg_gen_or_i32(cpu_sr, cpu_sr, t1);
             tcg_temp_free(t0);
             tcg_temp_free(t1);
commit 1f5e71a8e6b24dce74b156472ff9253b9bd33a11
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Thu Feb 3 22:54:14 2011 +0100

    ioapic: Style & magics cleanup
    
    Fix a few style issues and convert magic numbers into prober symbolic
    constants, also fixing the wrong but unused IOAPIC_DM_SIPI value.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/ioapic.c b/hw/ioapic.c
index fb3d173..569327d 100644
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@ -39,20 +39,48 @@
 
 #define MAX_IOAPICS                     1
 
-#define IOAPIC_LVT_MASKED               (1 << 16)
-#define IOAPIC_LVT_REMOTE_IRR           (1 << 14)
+#define IOAPIC_VERSION                  0x11
 
-#define IOAPIC_TRIGGER_EDGE		0
-#define IOAPIC_TRIGGER_LEVEL		1
+#define IOAPIC_LVT_DEST_SHIFT           56
+#define IOAPIC_LVT_MASKED_SHIFT         16
+#define IOAPIC_LVT_TRIGGER_MODE_SHIFT   15
+#define IOAPIC_LVT_REMOTE_IRR_SHIFT     14
+#define IOAPIC_LVT_POLARITY_SHIFT       13
+#define IOAPIC_LVT_DELIV_STATUS_SHIFT   12
+#define IOAPIC_LVT_DEST_MODE_SHIFT      11
+#define IOAPIC_LVT_DELIV_MODE_SHIFT     8
+
+#define IOAPIC_LVT_MASKED               (1 << IOAPIC_LVT_MASKED_SHIFT)
+#define IOAPIC_LVT_REMOTE_IRR           (1 << IOAPIC_LVT_REMOTE_IRR_SHIFT)
+
+#define IOAPIC_TRIGGER_EDGE             0
+#define IOAPIC_TRIGGER_LEVEL            1
 
 /*io{apic,sapic} delivery mode*/
-#define IOAPIC_DM_FIXED			0x0
-#define IOAPIC_DM_LOWEST_PRIORITY	0x1
-#define IOAPIC_DM_PMI			0x2
-#define IOAPIC_DM_NMI			0x4
-#define IOAPIC_DM_INIT			0x5
-#define IOAPIC_DM_SIPI			0x5
-#define IOAPIC_DM_EXTINT		0x7
+#define IOAPIC_DM_FIXED                 0x0
+#define IOAPIC_DM_LOWEST_PRIORITY       0x1
+#define IOAPIC_DM_PMI                   0x2
+#define IOAPIC_DM_NMI                   0x4
+#define IOAPIC_DM_INIT                  0x5
+#define IOAPIC_DM_SIPI                  0x6
+#define IOAPIC_DM_EXTINT                0x7
+#define IOAPIC_DM_MASK                  0x7
+
+#define IOAPIC_VECTOR_MASK              0xff
+
+#define IOAPIC_IOREGSEL                 0x00
+#define IOAPIC_IOWIN                    0x10
+
+#define IOAPIC_REG_ID                   0x00
+#define IOAPIC_REG_VER                  0x01
+#define IOAPIC_REG_ARB                  0x02
+#define IOAPIC_REG_REDTBL_BASE          0x10
+#define IOAPIC_ID                       0x00
+
+#define IOAPIC_ID_SHIFT                 24
+#define IOAPIC_ID_MASK                  0xf
+
+#define IOAPIC_VER_ENTRIES_SHIFT        16
 
 typedef struct IOAPICState IOAPICState;
 
@@ -60,7 +88,6 @@ struct IOAPICState {
     SysBusDevice busdev;
     uint8_t id;
     uint8_t ioregsel;
-
     uint32_t irr;
     uint64_t ioredtbl[IOAPIC_NUM_PINS];
 };
@@ -84,21 +111,22 @@ static void ioapic_service(IOAPICState *s)
         if (s->irr & mask) {
             entry = s->ioredtbl[i];
             if (!(entry & IOAPIC_LVT_MASKED)) {
-                trig_mode = ((entry >> 15) & 1);
-                dest = entry >> 56;
-                dest_mode = (entry >> 11) & 1;
-                delivery_mode = (entry >> 8) & 7;
-                polarity = (entry >> 13) & 1;
+                trig_mode = ((entry >> IOAPIC_LVT_TRIGGER_MODE_SHIFT) & 1);
+                dest = entry >> IOAPIC_LVT_DEST_SHIFT;
+                dest_mode = (entry >> IOAPIC_LVT_DEST_MODE_SHIFT) & 1;
+                delivery_mode =
+                    (entry >> IOAPIC_LVT_DELIV_MODE_SHIFT) & IOAPIC_DM_MASK;
+                polarity = (entry >> IOAPIC_LVT_POLARITY_SHIFT) & 1;
                 if (trig_mode == IOAPIC_TRIGGER_EDGE) {
                     s->irr &= ~mask;
                 } else {
                     s->ioredtbl[i] |= IOAPIC_LVT_REMOTE_IRR;
                 }
-                if (delivery_mode == IOAPIC_DM_EXTINT)
+                if (delivery_mode == IOAPIC_DM_EXTINT) {
                     vector = pic_read_irq(isa_pic);
-                else
-                    vector = entry & 0xff;
-
+                } else {
+                    vector = entry & IOAPIC_VECTOR_MASK;
+                }
                 apic_deliver_irq(dest, dest_mode, delivery_mode,
                                  vector, polarity, trig_mode);
             }
@@ -114,15 +142,16 @@ static void ioapic_set_irq(void *opaque, int vector, int level)
      * to GSI 2.  GSI maps to ioapic 1-1.  This is not
      * the cleanest way of doing it but it should work. */
 
-    DPRINTF("%s: %s vec %x\n", __func__, level? "raise" : "lower", vector);
-    if (vector == 0)
+    DPRINTF("%s: %s vec %x\n", __func__, level ? "raise" : "lower", vector);
+    if (vector == 0) {
         vector = 2;
-
+    }
     if (vector >= 0 && vector < IOAPIC_NUM_PINS) {
         uint32_t mask = 1 << vector;
         uint64_t entry = s->ioredtbl[vector];
 
-        if ((entry >> 15) & 1) {
+        if (((entry >> IOAPIC_LVT_TRIGGER_MODE_SHIFT) & 1) ==
+            IOAPIC_TRIGGER_LEVEL) {
             /* level triggered */
             if (level) {
                 s->irr |= mask;
@@ -153,7 +182,8 @@ void ioapic_eoi_broadcast(int vector)
         }
         for (n = 0; n < IOAPIC_NUM_PINS; n++) {
             entry = s->ioredtbl[n];
-            if ((entry & IOAPIC_LVT_REMOTE_IRR) && (entry & 0xff) == vector) {
+            if ((entry & IOAPIC_LVT_REMOTE_IRR)
+                && (entry & IOAPIC_VECTOR_MASK) == vector) {
                 s->ioredtbl[n] = entry & ~IOAPIC_LVT_REMOTE_IRR;
                 if (!(entry & IOAPIC_LVT_MASKED) && (s->irr & (1 << n))) {
                     ioapic_service(s);
@@ -169,65 +199,71 @@ static uint32_t ioapic_mem_readl(void *opaque, target_phys_addr_t addr)
     int index;
     uint32_t val = 0;
 
-    addr &= 0xff;
-    if (addr == 0x00) {
+    switch (addr & 0xff) {
+    case IOAPIC_IOREGSEL:
         val = s->ioregsel;
-    } else if (addr == 0x10) {
+        break;
+    case IOAPIC_IOWIN:
         switch (s->ioregsel) {
-            case 0x00:
-                val = s->id << 24;
-                break;
-            case 0x01:
-                val = 0x11 | ((IOAPIC_NUM_PINS - 1) << 16); /* version 0x11 */
-                break;
-            case 0x02:
-                val = 0;
-                break;
-            default:
-                index = (s->ioregsel - 0x10) >> 1;
-                if (index >= 0 && index < IOAPIC_NUM_PINS) {
-                    if (s->ioregsel & 1)
-                        val = s->ioredtbl[index] >> 32;
-                    else
-                        val = s->ioredtbl[index] & 0xffffffff;
+        case IOAPIC_REG_ID:
+            val = s->id << IOAPIC_ID_SHIFT;
+            break;
+        case IOAPIC_REG_VER:
+            val = IOAPIC_VERSION |
+                ((IOAPIC_NUM_PINS - 1) << IOAPIC_VER_ENTRIES_SHIFT);
+            break;
+        case IOAPIC_REG_ARB:
+            val = 0;
+            break;
+        default:
+            index = (s->ioregsel - IOAPIC_REG_REDTBL_BASE) >> 1;
+            if (index >= 0 && index < IOAPIC_NUM_PINS) {
+                if (s->ioregsel & 1) {
+                    val = s->ioredtbl[index] >> 32;
+                } else {
+                    val = s->ioredtbl[index] & 0xffffffff;
                 }
+            }
         }
         DPRINTF("read: %08x = %08x\n", s->ioregsel, val);
+        break;
     }
     return val;
 }
 
-static void ioapic_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
+static void
+ioapic_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
     IOAPICState *s = opaque;
     int index;
 
-    addr &= 0xff;
-    if (addr == 0x00)  {
+    switch (addr & 0xff) {
+    case IOAPIC_IOREGSEL:
         s->ioregsel = val;
-        return;
-    } else if (addr == 0x10) {
+        break;
+    case IOAPIC_IOWIN:
         DPRINTF("write: %08x = %08x\n", s->ioregsel, val);
         switch (s->ioregsel) {
-            case 0x00:
-                s->id = (val >> 24) & 0xff;
-                return;
-            case 0x01:
-            case 0x02:
-                return;
-            default:
-                index = (s->ioregsel - 0x10) >> 1;
-                if (index >= 0 && index < IOAPIC_NUM_PINS) {
-                    if (s->ioregsel & 1) {
-                        s->ioredtbl[index] &= 0xffffffff;
-                        s->ioredtbl[index] |= (uint64_t)val << 32;
-                    } else {
-                        s->ioredtbl[index] &= ~0xffffffffULL;
-                        s->ioredtbl[index] |= val;
-                    }
-                    ioapic_service(s);
+        case IOAPIC_REG_ID:
+            s->id = (val >> IOAPIC_ID_SHIFT) & IOAPIC_ID_MASK;
+            break;
+        case IOAPIC_REG_VER:
+        case IOAPIC_REG_ARB:
+            break;
+        default:
+            index = (s->ioregsel - IOAPIC_REG_REDTBL_BASE) >> 1;
+            if (index >= 0 && index < IOAPIC_NUM_PINS) {
+                if (s->ioregsel & 1) {
+                    s->ioredtbl[index] &= 0xffffffff;
+                    s->ioredtbl[index] |= (uint64_t)val << 32;
+                } else {
+                    s->ioredtbl[index] &= ~0xffffffffULL;
+                    s->ioredtbl[index] |= val;
                 }
+                ioapic_service(s);
+            }
         }
+        break;
     }
 }
 
@@ -248,7 +284,7 @@ static const VMStateDescription vmstate_ioapic = {
     .post_load = ioapic_post_load,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
-    .fields      = (VMStateField []) {
+    .fields = (VMStateField[]) {
         VMSTATE_UINT8(id, IOAPICState),
         VMSTATE_UINT8(ioregsel, IOAPICState),
         VMSTATE_UNUSED_V(2, 8), /* to account for qemu-kvm's v2 format */
@@ -266,8 +302,9 @@ static void ioapic_reset(DeviceState *d)
     s->id = 0;
     s->ioregsel = 0;
     s->irr = 0;
-    for(i = 0; i < IOAPIC_NUM_PINS; i++)
-        s->ioredtbl[i] = 1 << 16; /* mask LVT */
+    for (i = 0; i < IOAPIC_NUM_PINS; i++) {
+        s->ioredtbl[i] = 1 << IOAPIC_LVT_MASKED_SHIFT;
+    }
 }
 
 static CPUReadMemoryFunc * const ioapic_mem_read[3] = {
commit 5dce499948e4a4abe62f010baf4a7ed3d49e53cb
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Thu Feb 3 22:54:13 2011 +0100

    ioapic: Add support for qemu-kvm's vmstate v2
    
    qemu-kvm carries the IOAPIC base address in its v2 vmstate. We only
    support the default base address so far, and saving even that in the
    device state was rejected.
    
    Add a padding field to be able to read qemu-kvm's old state, but
    increase our version to 3, indicating that we are not saving a valid
    address. This also gives downstream the chance to change to stop
    evaluating the base_address and move to v3 as well.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/ioapic.c b/hw/ioapic.c
index 8c46c1d..fb3d173 100644
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@ -244,13 +244,14 @@ static int ioapic_post_load(void *opaque, int version_id)
 
 static const VMStateDescription vmstate_ioapic = {
     .name = "ioapic",
-    .version_id = 2,
+    .version_id = 3,
     .post_load = ioapic_post_load,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
     .fields      = (VMStateField []) {
         VMSTATE_UINT8(id, IOAPICState),
         VMSTATE_UINT8(ioregsel, IOAPICState),
+        VMSTATE_UNUSED_V(2, 8), /* to account for qemu-kvm's v2 format */
         VMSTATE_UINT32_V(irr, IOAPICState, 2),
         VMSTATE_UINT64_ARRAY(ioredtbl, IOAPICState, IOAPIC_NUM_PINS),
         VMSTATE_END_OF_LIST()
commit 35a74c5c5941b474d8b985237e1bde0b8cd2a20f
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Thu Feb 3 22:54:12 2011 +0100

    ioapic: Save/restore irr
    
    This is a guest modifiable state that must be saved/restored properly.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/ioapic.c b/hw/ioapic.c
index 8bc31f7..8c46c1d 100644
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@ -231,14 +231,27 @@ static void ioapic_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t va
     }
 }
 
+static int ioapic_post_load(void *opaque, int version_id)
+{
+    IOAPICState *s = opaque;
+
+    if (version_id == 1) {
+        /* set sane value */
+        s->irr = 0;
+    }
+    return 0;
+}
+
 static const VMStateDescription vmstate_ioapic = {
     .name = "ioapic",
-    .version_id = 1,
+    .version_id = 2,
+    .post_load = ioapic_post_load,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
     .fields      = (VMStateField []) {
         VMSTATE_UINT8(id, IOAPICState),
         VMSTATE_UINT8(ioregsel, IOAPICState),
+        VMSTATE_UINT32_V(irr, IOAPICState, 2),
         VMSTATE_UINT64_ARRAY(ioredtbl, IOAPICState, IOAPIC_NUM_PINS),
         VMSTATE_END_OF_LIST()
     }
commit 0280b571c1a153f8926612d8c8d7359242d596f5
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Thu Feb 3 22:54:11 2011 +0100

    ioapic: Implement EOI handling for level-triggered IRQs
    
    Add the missing EOI broadcast from local APIC to the IOAPICs on
    completion of level-triggered IRQs. This ensures that a still asserted
    IRQ source properly re-triggers an APIC IRQ.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/apic.c b/hw/apic.c
index ff581f0..2f8376a 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -18,6 +18,7 @@
  */
 #include "hw.h"
 #include "apic.h"
+#include "ioapic.h"
 #include "qemu-timer.h"
 #include "host-utils.h"
 #include "sysbus.h"
@@ -57,7 +58,8 @@
 
 #define ESR_ILLEGAL_ADDRESS (1 << 7)
 
-#define APIC_SV_ENABLE (1 << 8)
+#define APIC_SV_DIRECTED_IO             (1<<12)
+#define APIC_SV_ENABLE                  (1<<8)
 
 #define MAX_APICS 255
 #define MAX_APIC_WORDS 8
@@ -420,8 +422,9 @@ static void apic_eoi(APICState *s)
     if (isrv < 0)
         return;
     reset_bit(s->isr, isrv);
-    /* XXX: send the EOI packet to the APIC bus to allow the I/O APIC to
-            set the remote IRR bit for level triggered interrupts. */
+    if (!(s->spurious_vec & APIC_SV_DIRECTED_IO) && get_bit(s->tmr, isrv)) {
+        ioapic_eoi_broadcast(isrv);
+    }
     apic_update_irq(s);
 }
 
diff --git a/hw/ioapic.c b/hw/ioapic.c
index 2109568..8bc31f7 100644
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@ -23,6 +23,7 @@
 #include "hw.h"
 #include "pc.h"
 #include "apic.h"
+#include "ioapic.h"
 #include "qemu-timer.h"
 #include "host-utils.h"
 #include "sysbus.h"
@@ -36,7 +37,10 @@
 #define DPRINTF(fmt, ...)
 #endif
 
-#define IOAPIC_LVT_MASKED 		(1<<16)
+#define MAX_IOAPICS                     1
+
+#define IOAPIC_LVT_MASKED               (1 << 16)
+#define IOAPIC_LVT_REMOTE_IRR           (1 << 14)
 
 #define IOAPIC_TRIGGER_EDGE		0
 #define IOAPIC_TRIGGER_LEVEL		1
@@ -61,6 +65,8 @@ struct IOAPICState {
     uint64_t ioredtbl[IOAPIC_NUM_PINS];
 };
 
+static IOAPICState *ioapics[MAX_IOAPICS];
+
 static void ioapic_service(IOAPICState *s)
 {
     uint8_t i;
@@ -83,8 +89,11 @@ static void ioapic_service(IOAPICState *s)
                 dest_mode = (entry >> 11) & 1;
                 delivery_mode = (entry >> 8) & 7;
                 polarity = (entry >> 13) & 1;
-                if (trig_mode == IOAPIC_TRIGGER_EDGE)
+                if (trig_mode == IOAPIC_TRIGGER_EDGE) {
                     s->irr &= ~mask;
+                } else {
+                    s->ioredtbl[i] |= IOAPIC_LVT_REMOTE_IRR;
+                }
                 if (delivery_mode == IOAPIC_DM_EXTINT)
                     vector = pic_read_irq(isa_pic);
                 else
@@ -131,6 +140,29 @@ static void ioapic_set_irq(void *opaque, int vector, int level)
     }
 }
 
+void ioapic_eoi_broadcast(int vector)
+{
+    IOAPICState *s;
+    uint64_t entry;
+    int i, n;
+
+    for (i = 0; i < MAX_IOAPICS; i++) {
+        s = ioapics[i];
+        if (!s) {
+            continue;
+        }
+        for (n = 0; n < IOAPIC_NUM_PINS; n++) {
+            entry = s->ioredtbl[n];
+            if ((entry & IOAPIC_LVT_REMOTE_IRR) && (entry & 0xff) == vector) {
+                s->ioredtbl[n] = entry & ~IOAPIC_LVT_REMOTE_IRR;
+                if (!(entry & IOAPIC_LVT_MASKED) && (s->irr & (1 << n))) {
+                    ioapic_service(s);
+                }
+            }
+        }
+    }
+}
+
 static uint32_t ioapic_mem_readl(void *opaque, target_phys_addr_t addr)
 {
     IOAPICState *s = opaque;
@@ -240,6 +272,11 @@ static int ioapic_init1(SysBusDevice *dev)
 {
     IOAPICState *s = FROM_SYSBUS(IOAPICState, dev);
     int io_memory;
+    static int ioapic_no;
+
+    if (ioapic_no >= MAX_IOAPICS) {
+        return -1;
+    }
 
     io_memory = cpu_register_io_memory(ioapic_mem_read,
                                        ioapic_mem_write, s,
@@ -248,6 +285,8 @@ static int ioapic_init1(SysBusDevice *dev)
 
     qdev_init_gpio_in(&dev->qdev, ioapic_set_irq, IOAPIC_NUM_PINS);
 
+    ioapics[ioapic_no++] = s;
+
     return 0;
 }
 
diff --git a/hw/ioapic.h b/hw/ioapic.h
new file mode 100644
index 0000000..cb2642a
--- /dev/null
+++ b/hw/ioapic.h
@@ -0,0 +1,20 @@
+/*
+ *  ioapic.c IOAPIC emulation logic
+ *
+ *  Copyright (c) 2011 Jan Kiszka, Siemens AG
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+void ioapic_eoi_broadcast(int vector);
commit 73eb4c04e9e8ea7f6eb83694cb0c43e38d882a7c
Author: Corentin Chary <corentincj at iksaif.net>
Date:   Fri Feb 4 09:05:53 2011 +0100

    vnc: qemu can die if the client is disconnected while updating screen
    
    agraf reported that qemu_mutex_destroy(vs->output_mutex) while failing
    in vnc_disconnect_finish().
    
    It's because vnc_worker_thread_loop() tries to unlock the mutex while
    not locked. The unlocking call doesn't fail (pthread bug ?), but
    the destroy call does.
    
    Signed-off-by: Corentin Chary <corentincj at iksaif.net>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/ui/vnc-jobs-async.c b/ui/vnc-jobs-async.c
index 6e9cf08..0b5d750 100644
--- a/ui/vnc-jobs-async.c
+++ b/ui/vnc-jobs-async.c
@@ -227,6 +227,10 @@ static int vnc_worker_thread_loop(VncJobQueue *queue)
 
         if (job->vs->csock == -1) {
             vnc_unlock_display(job->vs->vd);
+            /* output mutex must be locked before going to
+             * disconnected:
+             */
+            vnc_lock_output(job->vs);
             goto disconnected;
         }
 
commit 7185f9315bcf90e99b123370cf4d19b8c20afbd5
Author: Amit Shah <amit.shah at redhat.com>
Date:   Fri Feb 4 14:24:18 2011 +0530

    virtio-serial: Make sure virtqueue is ready before discarding data
    
    This can happen if a port gets unplugged before guest has chance to
    initialise vqs.
    
    Reported-by: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Amit Shah <amit.shah at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 09e22aa..e05ab5e 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -117,6 +117,9 @@ static void discard_vq_data(VirtQueue *vq, VirtIODevice *vdev)
 {
     VirtQueueElement elem;
 
+    if (!virtio_queue_ready(vq)) {
+        return;
+    }
     while (virtqueue_pop(vq, &elem)) {
         virtqueue_push(vq, &elem, 0);
     }
commit 4e79bcbb96d3c189e50adbdac7b1e28d834ba43e
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Feb 3 22:35:07 2011 +0100

    ui/sdl: Fix handling of caps lock and num lock keys
    
    Starting with SDL version 1.2.14, caps lock and num lock keys
    will send a SDL_KEYUP when SDL_DISABLE_LOCK_KEYS=1 is set in
    the environment.
    
    The new code sets the environment unconditionally
    (it won't harm old versions which do not know it).
    
    The workaround for SDL_KEYUP is only compiled with old SDL versions.
    
    A similar patch without handling of old SDL versions was already
    published by Benjamin Drung for Ubuntu.
    
    Cc: Anthony Liguori <aliguori at us.ibm.com>
    Cc: Kevin Wolf <kwolf at redhat.com>
    Cc: Benjamin Drung <benjamin.drung at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/ui/sdl.c b/ui/sdl.c
index a1458ce..47ac49c 100644
--- a/ui/sdl.c
+++ b/ui/sdl.c
@@ -388,12 +388,16 @@ static void sdl_process_key(SDL_KeyboardEvent *ev)
         else
             modifiers_state[keycode] = 1;
         break;
+#define QEMU_SDL_VERSION ((SDL_MAJOR_VERSION << 8) + SDL_MINOR_VERSION)
+#if QEMU_SDL_VERSION < 0x102 || QEMU_SDL_VERSION == 0x102 && SDL_PATCHLEVEL < 14
+        /* SDL versions before 1.2.14 don't support key up for caps/num lock. */
     case 0x45: /* num lock */
     case 0x3a: /* caps lock */
         /* SDL does not send the key up event, so we generate it */
         kbd_put_keycode(keycode);
         kbd_put_keycode(keycode | SCANCODE_UP);
         return;
+#endif
     }
 
     /* now send the key code */
@@ -831,6 +835,10 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
         setenv("SDL_VIDEO_ALLOW_SCREENSAVER", "1", 0);
     }
 
+    /* Enable normal up/down events for Caps-Lock and Num-Lock keys.
+     * This requires SDL >= 1.2.14. */
+    setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
+
     flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
     if (SDL_Init (flags)) {
         fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
commit 4c3d45eb694de3e0bda10841a06ba98be4d569b1
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 3 14:49:01 2011 +0100

    Unify alarm deadline computation
    
    This patch shows how using the correct formula for
    qemu_next_deadline_dyntick can simplify the code of
    host_alarm_handler and eliminate useless duplication.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-timer.c b/qemu-timer.c
index 69e71d7..658f637 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -635,6 +635,8 @@ void qemu_run_all_timers(void)
     qemu_run_timers(host_clock);
 }
 
+static int64_t qemu_next_alarm_deadline(void);
+
 #ifdef _WIN32
 static void CALLBACK host_alarm_handler(UINT uTimerID, UINT uMsg,
                                         DWORD_PTR dwUser, DWORD_PTR dw1,
@@ -677,14 +679,7 @@ static void host_alarm_handler(int host_signum)
     }
 #endif
     if (alarm_has_dynticks(t) ||
-        (!use_icount &&
-            qemu_timer_expired(active_timers[QEMU_CLOCK_VIRTUAL],
-                               qemu_get_clock(vm_clock))) ||
-        qemu_timer_expired(active_timers[QEMU_CLOCK_REALTIME],
-                           qemu_get_clock(rt_clock)) ||
-        qemu_timer_expired(active_timers[QEMU_CLOCK_HOST],
-                           qemu_get_clock(host_clock))) {
-
+        qemu_next_alarm_deadline () <= 0) {
         t->expired = alarm_has_dynticks(t);
         t->pending = 1;
         qemu_notify_event();
@@ -715,11 +710,7 @@ int64_t qemu_next_deadline(void)
 
 #ifndef _WIN32
 
-#if defined(__linux__)
-
-#define RTC_FREQ 1024
-
-static uint64_t qemu_next_deadline_dyntick(void)
+static int64_t qemu_next_alarm_deadline(void)
 {
     int64_t delta;
     int64_t rtdelta;
@@ -743,12 +734,13 @@ static uint64_t qemu_next_deadline_dyntick(void)
             delta = rtdelta;
     }
 
-    if (delta < MIN_TIMER_REARM_NS)
-        delta = MIN_TIMER_REARM_NS;
-
     return delta;
 }
 
+#if defined(__linux__)
+
+#define RTC_FREQ 1024
+
 static void enable_sigio_timer(int fd)
 {
     struct sigaction act;
@@ -903,7 +895,9 @@ static void dynticks_rearm_timer(struct qemu_alarm_timer *t)
         !active_timers[QEMU_CLOCK_HOST])
         return;
 
-    nearest_delta_ns = qemu_next_deadline_dyntick();
+    nearest_delta_ns = qemu_next_alarm_deadline();
+    if (nearest_delta_ns < MIN_TIMER_REARM_NS)
+        nearest_delta_ns = MIN_TIMER_REARM_NS;
 
     /* check whether a timer is already running */
     if (timer_gettime(host_timer, &timeout)) {
commit 6ad0a1ed21ecd187dbe3239eb45c3598672af6a8
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 3 14:49:00 2011 +0100

    Correct alarm deadline computation
    
    When the QEMU_CLOCK_HOST clock was added, computation of its
    deadline was added to qemu_next_deadline, which is correct but
    incomplete.
    
    I noticed this by reading the very convoluted rules whereby
    qemu_next_deadline_dyntick is computed, which miss QEMU_CLOCK_HOST
    when use_icount is true.  This patch inlines qemu_next_deadline
    into qemu_next_deadline_dyntick, and then corrects the logic to skip
    only QEMU_CLOCK_VIRTUAL when use_icount is true.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Cc: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-timer.c b/qemu-timer.c
index bda072f..69e71d7 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -724,11 +724,18 @@ static uint64_t qemu_next_deadline_dyntick(void)
     int64_t delta;
     int64_t rtdelta;
 
-    if (use_icount)
+    if (!use_icount && active_timers[QEMU_CLOCK_VIRTUAL]) {
+        delta = active_timers[QEMU_CLOCK_VIRTUAL]->expire_time -
+                     qemu_get_clock(vm_clock);
+    } else {
         delta = INT32_MAX;
-    else
-        delta = qemu_next_deadline();
-
+    }
+    if (active_timers[QEMU_CLOCK_HOST]) {
+        int64_t hdelta = active_timers[QEMU_CLOCK_HOST]->expire_time -
+                 qemu_get_clock_ns(host_clock);
+        if (hdelta < delta)
+            delta = hdelta;
+    }
     if (active_timers[QEMU_CLOCK_REALTIME]) {
         rtdelta = (active_timers[QEMU_CLOCK_REALTIME]->expire_time * 1000000 -
                  qemu_get_clock_ns(rt_clock));
commit 9c13246ac13a87e05b5e6e7158e715dfa65fc7aa
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 3 14:48:59 2011 +0100

    use nanoseconds everywhere for timeout computation
    
    Suggested by Aurelien Jarno.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-timer.c b/qemu-timer.c
index db1ec49..bda072f 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -197,8 +197,8 @@ static void qemu_rearm_alarm_timer(struct qemu_alarm_timer *t)
     t->rearm(t);
 }
 
-/* TODO: MIN_TIMER_REARM_US should be optimized */
-#define MIN_TIMER_REARM_US 250
+/* TODO: MIN_TIMER_REARM_NS should be optimized */
+#define MIN_TIMER_REARM_NS 250000
 
 #ifdef _WIN32
 
@@ -698,11 +698,11 @@ int64_t qemu_next_deadline(void)
 
     if (active_timers[QEMU_CLOCK_VIRTUAL]) {
         delta = active_timers[QEMU_CLOCK_VIRTUAL]->expire_time -
-                     qemu_get_clock(vm_clock);
+                     qemu_get_clock_ns(vm_clock);
     }
     if (active_timers[QEMU_CLOCK_HOST]) {
         int64_t hdelta = active_timers[QEMU_CLOCK_HOST]->expire_time -
-                 qemu_get_clock(host_clock);
+                 qemu_get_clock_ns(host_clock);
         if (hdelta < delta)
             delta = hdelta;
     }
@@ -727,17 +727,17 @@ static uint64_t qemu_next_deadline_dyntick(void)
     if (use_icount)
         delta = INT32_MAX;
     else
-        delta = (qemu_next_deadline() + 999) / 1000;
+        delta = qemu_next_deadline();
 
     if (active_timers[QEMU_CLOCK_REALTIME]) {
-        rtdelta = (active_timers[QEMU_CLOCK_REALTIME]->expire_time -
-                 qemu_get_clock(rt_clock))*1000;
+        rtdelta = (active_timers[QEMU_CLOCK_REALTIME]->expire_time * 1000000 -
+                 qemu_get_clock_ns(rt_clock));
         if (rtdelta < delta)
             delta = rtdelta;
     }
 
-    if (delta < MIN_TIMER_REARM_US)
-        delta = MIN_TIMER_REARM_US;
+    if (delta < MIN_TIMER_REARM_NS)
+        delta = MIN_TIMER_REARM_NS;
 
     return delta;
 }
@@ -887,8 +887,8 @@ static void dynticks_rearm_timer(struct qemu_alarm_timer *t)
 {
     timer_t host_timer = (timer_t)(long)t->priv;
     struct itimerspec timeout;
-    int64_t nearest_delta_us = INT64_MAX;
-    int64_t current_us;
+    int64_t nearest_delta_ns = INT64_MAX;
+    int64_t current_ns;
 
     assert(alarm_has_dynticks(t));
     if (!active_timers[QEMU_CLOCK_REALTIME] &&
@@ -896,7 +896,7 @@ static void dynticks_rearm_timer(struct qemu_alarm_timer *t)
         !active_timers[QEMU_CLOCK_HOST])
         return;
 
-    nearest_delta_us = qemu_next_deadline_dyntick();
+    nearest_delta_ns = qemu_next_deadline_dyntick();
 
     /* check whether a timer is already running */
     if (timer_gettime(host_timer, &timeout)) {
@@ -904,14 +904,14 @@ static void dynticks_rearm_timer(struct qemu_alarm_timer *t)
         fprintf(stderr, "Internal timer error: aborting\n");
         exit(1);
     }
-    current_us = timeout.it_value.tv_sec * 1000000 + timeout.it_value.tv_nsec/1000;
-    if (current_us && current_us <= nearest_delta_us)
+    current_ns = timeout.it_value.tv_sec * 1000000000LL + timeout.it_value.tv_nsec;
+    if (current_ns && current_ns <= nearest_delta_ns)
         return;
 
     timeout.it_interval.tv_sec = 0;
     timeout.it_interval.tv_nsec = 0; /* 0 for one-shot timer */
-    timeout.it_value.tv_sec =  nearest_delta_us / 1000000;
-    timeout.it_value.tv_nsec = (nearest_delta_us % 1000000) * 1000;
+    timeout.it_value.tv_sec =  nearest_delta_ns / 1000000000;
+    timeout.it_value.tv_nsec = nearest_delta_ns % 1000000000;
     if (timer_settime(host_timer, 0 /* RELATIVE */, &timeout, NULL)) {
         perror("settime");
         fprintf(stderr, "Internal timer error: aborting\n");
commit eb60260de0b050a5e8ab725e84d377d0b44c43ae
Author: Yoshiaki Tamura <tamura.yoshiaki at lab.ntt.co.jp>
Date:   Thu Feb 3 13:34:08 2011 +0900

    savevm: fix corruption in vmstate_subsection_load().
    
    Although it's rare to happen in live migration, when the head of a
    byte stream contains 0x05 which is the marker of subsection, the
    loader gets corrupted because vmstate_subsection_load() continues even
    the device doesn't require it.  This patch adds a checker whether
    subsection is needed, and skips following routines if not needed.
    
    Signed-off-by: Yoshiaki Tamura <tamura.yoshiaki at lab.ntt.co.jp>
    Acked-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/savevm.c b/savevm.c
index 4453217..6d83b0f 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1638,6 +1638,12 @@ static const VMStateDescription *vmstate_get_subsection(const VMStateSubsection
 static int vmstate_subsection_load(QEMUFile *f, const VMStateDescription *vmsd,
                                    void *opaque)
 {
+    const VMStateSubsection *sub = vmsd->subsections;
+
+    if (!sub || !sub->needed) {
+        return 0;
+    }
+
     while (qemu_peek_byte(f) == QEMU_VM_SUBSECTION) {
         char idstr[256];
         int ret;
@@ -1650,10 +1656,11 @@ static int vmstate_subsection_load(QEMUFile *f, const VMStateDescription *vmsd,
         idstr[len] = 0;
         version_id = qemu_get_be32(f);
 
-        sub_vmsd = vmstate_get_subsection(vmsd->subsections, idstr);
+        sub_vmsd = vmstate_get_subsection(sub, idstr);
         if (sub_vmsd == NULL) {
             return -ENOENT;
         }
+        assert(!sub_vmsd->subsections);
         ret = vmstate_load_state(f, sub_vmsd, opaque, version_id);
         if (ret) {
             return ret;
@@ -1677,6 +1684,7 @@ static void vmstate_subsection_save(QEMUFile *f, const VMStateDescription *vmsd,
             qemu_put_byte(f, len);
             qemu_put_buffer(f, (uint8_t *)vmsd->name, len);
             qemu_put_be32(f, vmsd->version_id);
+            assert(!vmsd->subsections);
             vmstate_save_state(f, vmsd, opaque);
         }
         sub++;
commit 3593e6b592067d4a9a0131deedbe2581a9763548
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Feb 3 06:57:46 2011 -0200

    qemu-kvm-x86: initialize has_msr_star/has_msr_hsave_pa
    
    Fixes 64-bit guest migration.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 2f1a090..4be5e32 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -509,6 +509,12 @@ int kvm_arch_qemu_create_context(void)
         kvm_set_shadow_pages(kvm_context, kvm_shadow_memory);
     }
 
+    /* initialize has_msr_star/has_msr_hsave_pa */
+    r = kvm_get_supported_msrs(kvm_state);
+    if (r < 0) {
+        return r;
+    }
+
     kvm_msr_list = kvm_get_msr_list();
     if (!kvm_msr_list) {
         return -1;
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 5e0865a..f389b85 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -472,7 +472,6 @@ void kvm_arch_reset_vcpu(CPUState *env)
     }
 }
 
-#ifdef OBSOLETE_KVM_IMPL
 
 static int kvm_get_supported_msrs(KVMState *s)
 {
@@ -521,6 +520,8 @@ static int kvm_get_supported_msrs(KVMState *s)
     return ret;
 }
 
+#ifdef OBSOLETE_KVM_IMPL
+
 int kvm_arch_init(KVMState *s)
 {
     uint64_t identity_base = 0xfffbc000;
commit 4d330984eea55b7c7005e63710597bf72f84f753
Merge: 6f32e3d... 825cc54...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 20:22:40 2011 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (177 commits)
      Open up the 0.15 development branch
      Update version for 0.14.0-rc0
      Update SeaBIOS to 0.6.1.2
      vhost: force vhost off for non-MSI guests
      tap: safe sndbuf default
      Add boot index documentation.
      Add bootindex handling into usb storage device.
      fix QemuOpts leak
      remove text_console_opts
      add set_echo implementation for text consoles
      create TextConsole together with the CharDeviceState
      add set_echo implementation for qemu_chr_stdio
      move atexit(term_exit) and O_NONBLOCK to qemu_chr_open_stdio
      add qemu_chr_set_echo
      remove broken code for tty
      vnc: Fix password expiration through 'change vnc ""' (v2)
      linux-user: avoid gcc array overrun warning for sparc
      hw/slavio_intctl.c: fix gcc warning about array bounds overrun
      SPARC: Fix Leon3 cache control
      blockdev: Fix drive_add for drives without media
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 825cc54385606bc5e471da985ff7d695da249a8f
Merge: 2d2339f... bfddb47...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 20:20:35 2011 -0200

    Merge commit 'bfddb47a343b4718e5768aa80bce8adead0f7fca' into upstream-merge
    
    * commit 'bfddb47a343b4718e5768aa80bce8adead0f7fca':
      Open up the 0.15 development branch
      Update version for 0.14.0-rc0
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 2d2339f995d7176dcb2de10d162aed323a1ffbf3
Merge: 16b0249... f487d62...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 20:18:11 2011 -0200

    Merge commit 'f487d6278f75f84378833b8c3a67443346d639dc' into upstream-merge
    
    * commit 'f487d6278f75f84378833b8c3a67443346d639dc': (140 commits)
      Update SeaBIOS to 0.6.1.2
      vhost: force vhost off for non-MSI guests
      tap: safe sndbuf default
      Add boot index documentation.
      Add bootindex handling into usb storage device.
      fix QemuOpts leak
      remove text_console_opts
      add set_echo implementation for text consoles
      create TextConsole together with the CharDeviceState
      add set_echo implementation for qemu_chr_stdio
      move atexit(term_exit) and O_NONBLOCK to qemu_chr_open_stdio
      add qemu_chr_set_echo
      remove broken code for tty
      vnc: Fix password expiration through 'change vnc ""' (v2)
      linux-user: avoid gcc array overrun warning for sparc
      hw/slavio_intctl.c: fix gcc warning about array bounds overrun
      SPARC: Fix Leon3 cache control
      blockdev: Fix drive_add for drives without media
      blockdev: Replace drive_add()'s fmt, ... by optstr parameter
      blockdev: Reject multiple definitions for the same drive
      ...
    
    Conflicts:
    	roms/seabios
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.objs
index c3b7604,f1c7bfe..c4b4883
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -17,10 -17,9 +17,10 @@@ block-obj-y = cutils.o cache-utils.o qe
  block-obj-y += nbd.o block.o aio.o aes.o qemu-config.o
  block-obj-$(CONFIG_POSIX) += posix-aio-compat.o
  block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 +block-obj-$(CONFIG_POSIX) += compatfd.o
  
  block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
- block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
+ block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o qcow2-cache.o
  block-nested-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
  block-nested-y += qed-check.o
  block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
diff --cc blockdev.c
index 82abfe5,1c56da0..c9e249e
--- a/blockdev.c
+++ b/blockdev.c
@@@ -17,10 -17,39 +17,41 @@@
  #include "hw/qdev.h"
  #include "block_int.h"
  
 +DriveInfo *extboot_drive = NULL;
 +
  static QTAILQ_HEAD(drivelist, DriveInfo) drives = QTAILQ_HEAD_INITIALIZER(drives);
  
+ static const char *const if_name[IF_COUNT] = {
+     [IF_NONE] = "none",
+     [IF_IDE] = "ide",
+     [IF_SCSI] = "scsi",
+     [IF_FLOPPY] = "floppy",
+     [IF_PFLASH] = "pflash",
+     [IF_MTD] = "mtd",
+     [IF_SD] = "sd",
+     [IF_VIRTIO] = "virtio",
+     [IF_XEN] = "xen",
+ };
+ 
+ static const int if_max_devs[IF_COUNT] = {
+     /*
+      * Do not change these numbers!  They govern how drive option
+      * index maps to unit and bus.  That mapping is ABI.
+      *
+      * All controllers used to imlement if=T drives need to support
+      * if_max_devs[T] units, for any T with if_max_devs[T] != 0.
+      * Otherwise, some index values map to "impossible" bus, unit
+      * values.
+      *
+      * For instance, if you change [IF_SCSI] to 255, -drive
+      * if=scsi,index=12 no longer means bus=1,unit=5, but
+      * bus=0,unit=12.  With an lsi53c895a controller (7 units max),
+      * the drive can't be set up.  Regression.
+      */
+     [IF_IDE] = 2,
+     [IF_SCSI] = 7,
+ };
+ 
  /*
   * We automatically delete the drive when a device using it gets
   * unplugged.  Questionable feature, but we can't just drop it.
diff --cc blockdev.h
index 7faa472,84e462a..c0ee199
--- a/blockdev.h
+++ b/blockdev.h
@@@ -53,7 -61,6 +61,8 @@@ int do_change_block(Monitor *mon, cons
                      const char *filename, const char *fmt);
  int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data);
  int do_snapshot_blkdev(Monitor *mon, const QDict *qdict, QObject **ret_data);
+ int do_block_resize(Monitor *mon, const QDict *qdict, QObject **ret_data);
  
 +extern DriveInfo *extboot_drive;
 +
  #endif
diff --cc hw/pc_piix.c
index 318745b,7b74473..ad45148
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@@ -34,10 -34,9 +34,11 @@@
  #include "kvm.h"
  #include "sysemu.h"
  #include "sysbus.h"
+ #include "arch_init.h"
  #include "blockdev.h"
  
 +qemu_irq *ioapic_irq_hack;
 +
  #define MAX_IDE_BUS 2
  
  static const int ide_iobase[MAX_IDE_BUS] = { 0x1f0, 0x170 };
diff --cc target-i386/kvm.c
index cb82899,05010bb..5e0865a
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -441,24 -437,10 +447,22 @@@ int kvm_arch_init_vcpu(CPUState *env
      return kvm_vcpu_ioctl(env, KVM_SET_CPUID2, &cpuid_data);
  }
  
 +static void kvm_clear_vapic(CPUState *env)
 +{
 +#ifdef KVM_SET_VAPIC_ADDR
 +    struct kvm_vapic_addr va = {
 +        .vapic_addr = 0,
 +    };
 +
 +    kvm_vcpu_ioctl(env, KVM_SET_VAPIC_ADDR, &va);
 +#endif
 +}
 +
  void kvm_arch_reset_vcpu(CPUState *env)
  {
 +    kvm_clear_vapic(env);
      env->exception_injected = -1;
      env->interrupt_injected = -1;
-     env->nmi_injected = 0;
-     env->nmi_pending = 0;
      env->xcr0 = 1;
      if (kvm_irqchip_in_kernel()) {
          env->mp_state = cpu_is_bsp(env) ? KVM_MP_STATE_RUNNABLE :
@@@ -569,11 -546,9 +570,11 @@@ int kvm_arch_init(KVMState *s
          return ret;
      }
  
-     return kvm_init_identity_map_page(s);
+     return 0;
  }
  
 +#endif
 +
  static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
  {
      lhs->selector = rhs->selector;
commit 16b0249ee000c083c359a419bad4b460a465b3b8
Merge: 774dce1... 94a8d39...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 19:29:32 2011 -0200

    Merge commit '94a8d39afd8ccfdbf578af04c3385fdb5f545af1' into upstream-merge
    
    * commit '94a8d39afd8ccfdbf578af04c3385fdb5f545af1':
      kvm: Consolidate must-have capability checks
    
    Conflicts:
    	kvm-all.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc kvm-all.c
index f7df264,3a1f63b..114c6b9
--- a/kvm-all.c
+++ b/kvm-all.c
@@@ -84,8 -80,12 +82,15 @@@ struct KVMStat
  
  static KVMState *kvm_state;
  
++
+ static const KVMCapabilityInfo kvm_required_capabilites[] = {
+     KVM_CAP_INFO(USER_MEMORY),
+     KVM_CAP_INFO(DESTROY_MEMORY_REGION_WORKS),
+     KVM_CAP_LAST_INFO
+ };
+ 
 +#endif
 +
  static KVMSlot *kvm_alloc_slot(KVMState *s)
  {
      int i;
@@@ -489,6 -479,18 +488,20 @@@ static int kvm_check_many_ioeventfds(vo
  #endif
  }
  
++#ifdef OBSOLETE_KVM_IMPL
+ static const KVMCapabilityInfo *
+ kvm_check_extension_list(KVMState *s, const KVMCapabilityInfo *list)
+ {
+     while (list->name) {
+         if (!kvm_check_extension(s, list->value)) {
+             return list;
+         }
+         list++;
+     }
+     return NULL;
+ }
++#endif
+ 
  static void kvm_set_phys_mem(target_phys_addr_t start_addr, ram_addr_t size,
                               ram_addr_t phys_offset)
  {
@@@ -875,11 -853,8 +872,10 @@@ void kvm_flush_coalesced_mmio_buffer(vo
              ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX;
          }
      }
- #endif
  }
  
 +#ifdef OBSOLETE_KVM_IMPL
 +
  static void do_kvm_cpu_synchronize_state(void *_env)
  {
      CPUState *env = _env;
diff --cc kvm.h
index 3f06cce,ca57517..f06676c
--- a/kvm.h
+++ b/kvm.h
@@@ -33,9 -30,16 +33,17 @@@ extern int kvm_allowed
  #define kvm_enabled() (0)
  #endif
  
 +#ifdef OBSOLETE_KVM_IMPL
  struct kvm_run;
  
+ typedef struct KVMCapabilityInfo {
+     const char *name;
+     int value;
+ } KVMCapabilityInfo;
+ 
+ #define KVM_CAP_INFO(CAP) { "KVM_CAP_" stringify(CAP), KVM_CAP_##CAP }
+ #define KVM_CAP_LAST_INFO { NULL, 0 }
+ 
  /* external API */
  
  int kvm_init(void);
@@@ -92,6 -94,8 +100,10 @@@ int kvm_vcpu_ioctl(CPUState *env, int t
  
  /* Arch specific hooks */
  
++#ifdef OBSOLETE_KVM_IMPL
+ extern const KVMCapabilityInfo kvm_arch_required_capabilities[];
++#endif
+ 
  int kvm_arch_post_run(CPUState *env, struct kvm_run *run);
  
  int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run);
diff --cc target-i386/kvm.c
index 8784de1,1db8227..cb82899
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -54,6 -54,13 +54,15 @@@
  #define BUS_MCEERR_AO 5
  #endif
  
++#ifdef OBSOLETE_KVM_IMPL
+ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
+     KVM_CAP_INFO(SET_TSS_ADDR),
+     KVM_CAP_INFO(EXT_CPUID),
+     KVM_CAP_INFO(MP_STATE),
+     KVM_CAP_LAST_INFO
+ };
++#endif
+ 
  static bool has_msr_star;
  static bool has_msr_hsave_pa;
  static int lm_capable_kernel;
commit 774dce1308b01518571795825e46d6f4104ee251
Merge: b131811... cad1e28...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 19:11:35 2011 -0200

    Merge commit 'cad1e2827b616487e3574300f2eaeea13a355197' into upstream-merge
    
    * commit 'cad1e2827b616487e3574300f2eaeea13a355197':
      kvm: Drop smp_cpus argument from init functions
      kvm: x86: Fix !CONFIG_KVM_PARA build
      kvm: x86: Reset paravirtual MSRs
    
    Conflicts:
    	kvm-all.c
    	kvm.h
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc kvm-all.c
index a334ae8,8053f92..f7df264
--- a/kvm-all.c
+++ b/kvm-all.c
@@@ -644,15 -636,7 +644,14 @@@ static CPUPhysMemoryClient kvm_cpu_phys
      .migration_log = kvm_client_migration_log,
  };
  
- 
 +void kvm_cpu_register_phys_memory_client(void)
 +{
 +    cpu_register_phys_memory_client(&kvm_cpu_phys_memory_client);
 +}
 +
 +#ifdef OBSOLETE_KVM_IMPL
 +
- int kvm_init(int smp_cpus)
+ int kvm_init(void)
  {
      static const char upgrade_note[] =
          "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
diff --cc kvm.h
index 45124ef,a971752..3f06cce
--- a/kvm.h
+++ b/kvm.h
@@@ -38,8 -34,7 +38,8 @@@ struct kvm_run
  
  /* external API */
  
- int kvm_init(int smp_cpus);
+ int kvm_init(void);
 +#endif /* OBSOLETE_KVM_IMPL */
  
  int kvm_has_sync_mmu(void);
  int kvm_has_vcpu_events(void);
diff --cc qemu-kvm.c
index 76731fe,0000000..4974179
mode 100644,000000..100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@@ -1,1783 -1,0 +1,1783 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <assert.h>
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "sysemu.h"
 +#include "qemu-common.h"
 +#include "console.h"
 +#include "block.h"
 +#include "compatfd.h"
 +#include "gdbstub.h"
 +#include "monitor.h"
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <sys/syscall.h>
 +#include <sys/mman.h>
 +#include <sys/ioctl.h>
 +#include "compatfd.h"
 +#include <sys/prctl.h>
 +
 +#define false 0
 +#define true 1
 +
 +#ifndef PR_MCE_KILL
 +#define PR_MCE_KILL 33
 +#endif
 +
 +#ifndef BUS_MCEERR_AR
 +#define BUS_MCEERR_AR 4
 +#endif
 +#ifndef BUS_MCEERR_AO
 +#define BUS_MCEERR_AO 5
 +#endif
 +
 +#define EXPECTED_KVM_API_VERSION 12
 +
 +#if EXPECTED_KVM_API_VERSION != KVM_API_VERSION
 +#error libkvm: userspace and kernel version mismatch
 +#endif
 +
 +int kvm_irqchip = 1;
 +int kvm_pit = 1;
 +int kvm_pit_reinject = 1;
 +int kvm_nested = 0;
 +
 +
 +KVMState *kvm_state;
 +kvm_context_t kvm_context;
 +
 +pthread_mutex_t qemu_mutex = PTHREAD_MUTEX_INITIALIZER;
 +pthread_cond_t qemu_vcpu_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_system_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_pause_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_work_cond = PTHREAD_COND_INITIALIZER;
 +__thread CPUState *current_env;
 +
 +static int qemu_system_ready;
 +
 +#define SIG_IPI (SIGRTMIN+4)
 +
 +pthread_t io_thread;
 +static int io_thread_sigfd = -1;
 +
 +static CPUState *kvm_debug_cpu_requested;
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +/* The list of ioperm_data */
 +static QLIST_HEAD(, ioperm_data) ioperm_head;
 +#endif
 +
 +#define ALIGN(x, y) (((x)+(y)-1) & ~((y)-1))
 +
 +int kvm_abi = EXPECTED_KVM_API_VERSION;
 +int kvm_page_size;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +static int kvm_debug(CPUState *env,
 +                     struct kvm_debug_exit_arch *arch_info)
 +{
 +    int handle = kvm_arch_debug(arch_info);
 +
 +    if (handle) {
 +        kvm_debug_cpu_requested = env;
 +        env->stopped = 1;
 +    }
 +    return handle;
 +}
 +#endif
 +
 +static int handle_unhandled(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: unhandled exit %" PRIx64 "\n", reason);
 +    return -EINVAL;
 +}
 +
 +#define VMX_INVALID_GUEST_STATE 0x80000021
 +
 +static int handle_failed_vmentry(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: vm entry failed with error 0x%" PRIx64 "\n\n", reason);
 +
 +    /* Perhaps we will need to check if this machine is intel since exit reason 0x21
 +       has a different interpretation on SVM */
 +    if (reason == VMX_INVALID_GUEST_STATE) {
 +        fprintf(stderr, "If you're runnning a guest on an Intel machine without\n");
 +        fprintf(stderr, "unrestricted mode support, the failure can be most likely\n");
 +        fprintf(stderr, "due to the guest entering an invalid state for Intel VT.\n");
 +        fprintf(stderr, "For example, the guest maybe running in big real mode\n");
 +        fprintf(stderr, "which is not supported on less recent Intel processors.\n\n");
 +    }
 +
 +    return -EINVAL;
 +}
 +
 +static inline void set_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] |= 1U << (gsi % 32);
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static inline void clear_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] &= ~(1U << (gsi % 32));
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static int kvm_create_context(void);
 +
- int kvm_init(int smp_cpus)
++int kvm_init(void)
 +{
 +    int fd;
 +    int r, gsi_count;
 +
 +
 +    fd = open("/dev/kvm", O_RDWR);
 +    if (fd == -1) {
 +        perror("open /dev/kvm");
 +        return -1;
 +    }
 +    r = ioctl(fd, KVM_GET_API_VERSION, 0);
 +    if (r == -1) {
 +        fprintf(stderr,
 +                "kvm kernel version too old: "
 +                "KVM_GET_API_VERSION ioctl not supported\n");
 +        goto out_close;
 +    }
 +    if (r < EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm kernel version too old: "
 +                "We expect API version %d or newer, but got "
 +                "version %d\n", EXPECTED_KVM_API_VERSION, r);
 +        goto out_close;
 +    }
 +    if (r > EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm userspace version too old\n");
 +        goto out_close;
 +    }
 +    kvm_abi = r;
 +    kvm_page_size = getpagesize();
 +    kvm_state = qemu_mallocz(sizeof(*kvm_state));
 +    kvm_context = &kvm_state->kvm_context;
 +
 +    kvm_state->fd = fd;
 +    kvm_state->vmfd = -1;
 +    kvm_context->opaque = cpu_single_env;
 +    kvm_context->dirty_pages_log_all = 0;
 +    kvm_context->no_irqchip_creation = 0;
 +    kvm_context->no_pit_creation = 0;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_INIT(&kvm_state->kvm_sw_breakpoints);
 +#endif
 +
 +    gsi_count = kvm_get_gsi_count(kvm_context);
 +    if (gsi_count > 0) {
 +        int gsi_bits, i;
 +
 +        /* Round up so we can search ints using ffs */
 +        gsi_bits = ALIGN(gsi_count, 32);
 +        kvm_context->used_gsi_bitmap = qemu_mallocz(gsi_bits / 8);
 +        kvm_context->max_gsi = gsi_bits;
 +
 +        /* Mark any over-allocated bits as already in use */
 +        for (i = gsi_count; i < gsi_bits; i++) {
 +            set_gsi(kvm_context, i);
 +        }
 +    }
 +
 +    kvm_cpu_register_phys_memory_client();
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    return kvm_create_context();
 +
 +  out_close:
 +    close(fd);
 +    return -1;
 +}
 +
 +static void kvm_finalize(KVMState *s)
 +{
 +    /* FIXME
 +       if (kvm->vcpu_fd[0] != -1)
 +           close(kvm->vcpu_fd[0]);
 +       if (kvm->vm_fd != -1)
 +           close(kvm->vm_fd);
 +     */
 +    close(s->fd);
 +    free(s);
 +}
 +
 +void kvm_disable_irqchip_creation(kvm_context_t kvm)
 +{
 +    kvm->no_irqchip_creation = 1;
 +}
 +
 +void kvm_disable_pit_creation(kvm_context_t kvm)
 +{
 +    kvm->no_pit_creation = 1;
 +}
 +
 +static void kvm_reset_vcpu(void *opaque)
 +{
 +    CPUState *env = opaque;
 +
 +    kvm_arch_cpu_reset(env);
 +}
 +
 +static void kvm_create_vcpu(CPUState *env, int id)
 +{
 +    long mmap_size;
 +    int r;
 +    KVMState *s = kvm_state;
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_CREATE_VCPU, id);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_create_vcpu: %m\n");
 +        fprintf(stderr, "Failed to create vCPU. Check the -smp parameter.\n");
 +        goto err;
 +    }
 +
 +    env->kvm_fd = r;
 +    env->kvm_state = kvm_state;
 +
 +    mmap_size = kvm_ioctl(kvm_state, KVM_GET_VCPU_MMAP_SIZE, 0);
 +    if (mmap_size < 0) {
 +        fprintf(stderr, "get vcpu mmap size: %m\n");
 +        goto err_fd;
 +    }
 +    env->kvm_run =
 +        mmap(NULL, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, env->kvm_fd,
 +             0);
 +    if (env->kvm_run == MAP_FAILED) {
 +        fprintf(stderr, "mmap vcpu area: %m\n");
 +        goto err_fd;
 +    }
 +
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    if (s->coalesced_mmio && !s->coalesced_mmio_ring)
 +        s->coalesced_mmio_ring = (void *) env->kvm_run +
 +               s->coalesced_mmio * PAGE_SIZE;
 +#endif
 +
 +    r = kvm_arch_init_vcpu(env);
 +    if (r == 0) {
 +        qemu_register_reset(kvm_reset_vcpu, env);
 +    }
 +
 +    return;
 +  err_fd:
 +    close(env->kvm_fd);
 +  err:
 +    /* We're no good with semi-broken states. */
 +    abort();
 +}
 +
 +static int kvm_set_boot_vcpu_id(kvm_context_t kvm, uint32_t id)
 +{
 +#ifdef KVM_CAP_SET_BOOT_CPU_ID
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_BOOT_CPU_ID);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_SET_BOOT_CPU_ID, id);
 +    }
 +    return -ENOSYS;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_create_vm(kvm_context_t kvm)
 +{
 +    int fd;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm->irq_routes = qemu_mallocz(sizeof(*kvm->irq_routes));
 +    kvm->nr_allocated_irq_routes = 0;
 +#endif
 +
 +    fd = kvm_ioctl(kvm_state, KVM_CREATE_VM, 0);
 +    if (fd < 0) {
 +        fprintf(stderr, "kvm_create_vm: %m\n");
 +        return -1;
 +    }
 +    kvm_state->vmfd = fd;
 +    return 0;
 +}
 +
 +static int kvm_create_default_phys_mem(kvm_context_t kvm,
 +                                       unsigned long phys_mem_bytes,
 +                                       void **vm_mem)
 +{
 +#ifdef KVM_CAP_USER_MEMORY
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_USER_MEMORY);
 +    if (r > 0)
 +        return 0;
 +    fprintf(stderr,
 +            "Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported\n");
 +#else
 +#error Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported
 +#endif
 +    return -1;
 +}
 +
 +void kvm_create_irqchip(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    kvm->irqchip_in_kernel = 0;
 +#ifdef KVM_CAP_IRQCHIP
 +    if (!kvm->no_irqchip_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_IRQCHIP);
 +        if (r > 0) {            /* kernel irqchip supported */
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_IRQCHIP);
 +            if (r >= 0) {
 +                kvm->irqchip_inject_ioctl = KVM_IRQ_LINE;
 +#if defined(KVM_CAP_IRQ_INJECT_STATUS) && defined(KVM_IRQ_LINE_STATUS)
 +                r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                              KVM_CAP_IRQ_INJECT_STATUS);
 +                if (r > 0) {
 +                    kvm->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
 +                }
 +#endif
 +                kvm->irqchip_in_kernel = 1;
 +            } else
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +        }
 +    }
 +#endif
 +    kvm_state->irqchip_in_kernel = kvm->irqchip_in_kernel;
 +}
 +
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes, void **vm_mem)
 +{
 +    int r, i;
 +
 +    r = kvm_create_vm(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +    r = kvm_arch_create(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++) {
 +        kvm_state->slots[i].slot = i;
 +    }
 +
 +    r = kvm_create_default_phys_mem(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_create_irqchip(kvm);
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status)
 +{
 +    struct kvm_irq_level event;
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    event.level = level;
 +    event.irq = irq;
 +    r = kvm_vm_ioctl(kvm_state, kvm->irqchip_inject_ioctl, &event);
 +    if (r < 0) {
 +        perror("kvm_set_irq_level");
 +    }
 +
 +    if (status) {
 +#ifdef KVM_CAP_IRQ_INJECT_STATUS
 +        *status =
 +            (kvm->irqchip_inject_ioctl == KVM_IRQ_LINE) ? 1 : event.status;
 +#else
 +        *status = 1;
 +#endif
 +    }
 +
 +    return 1;
 +}
 +
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_GET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_get_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_set_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +static int handle_debug(CPUState *env)
 +{
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    struct kvm_run *run = env->kvm_run;
 +
 +    return kvm_debug(env, &run->debug.arch);
 +#else
 +    return 0;
 +#endif
 +}
 +
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_REGS, regs);
 +}
 +
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 +}
 +
 +#ifdef KVM_CAP_MP_STATE
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +#endif
 +
 +static int handle_mmio(CPUState *env)
 +{
 +    unsigned long addr = env->kvm_run->mmio.phys_addr;
 +    struct kvm_run *kvm_run = env->kvm_run;
 +    void *data = kvm_run->mmio.data;
 +
 +    /* hack: Red Hat 7.1 generates these weird accesses. */
 +    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3) {
 +        return 0;
 +    }
 +
 +    cpu_physical_memory_rw(addr, data, kvm_run->mmio.len, kvm_run->mmio.is_write);
 +    return 0;
 +}
 +
 +int handle_io_window(kvm_context_t kvm)
 +{
 +    return 1;
 +}
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env)
 +{
 +    /* stop the current vcpu from going back to guest mode */
 +    env->stopped = 1;
 +
 +    qemu_system_reset_request();
 +    return 1;
 +}
 +
 +static inline void push_nmi(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    kvm_arch_push_nmi(kvm->opaque);
 +#endif                          /* KVM_CAP_USER_NMI */
 +}
 +
 +void post_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    kvm_arch_post_run(env, env->kvm_run);
 +    cpu_single_env = env;
 +}
 +
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    kvm_arch_pre_run(env, env->kvm_run);
 +
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +int kvm_is_ready_for_interrupt_injection(CPUState *env)
 +{
 +    return env->kvm_run->ready_for_interrupt_injection;
 +}
 +
 +int kvm_run(CPUState *env)
 +{
 +    int r;
 +    kvm_context_t kvm = &env->kvm_state->kvm_context;
 +    struct kvm_run *run = env->kvm_run;
 +    int fd = env->kvm_fd;
 +
 +  again:
 +    if (env->kvm_vcpu_dirty) {
 +        kvm_arch_load_regs(env, KVM_PUT_RUNTIME_STATE);
 +        env->kvm_vcpu_dirty = 0;
 +    }
 +    push_nmi(kvm);
 +#if !defined(__s390__)
 +    if (!kvm->irqchip_in_kernel) {
 +        run->request_interrupt_window = kvm_arch_try_push_interrupts(env);
 +    }
 +#endif
 +
 +    r = pre_kvm_run(kvm, env);
 +    if (r) {
 +        return r;
 +    }
 +    if (env->exit_request) {
 +        env->exit_request = 0;
 +        pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    }
 +    r = ioctl(fd, KVM_RUN, 0);
 +
 +    if (r == -1 && errno != EINTR && errno != EAGAIN) {
 +        r = -errno;
 +        post_kvm_run(kvm, env);
 +        fprintf(stderr, "kvm_run: %s\n", strerror(-r));
 +        return r;
 +    }
 +
 +    post_kvm_run(kvm, env);
 +
 +    kvm_flush_coalesced_mmio_buffer();
 +
 +#if !defined(__s390__)
 +    if (r == -1) {
 +        r = handle_io_window(kvm);
 +        goto more;
 +    }
 +#endif
 +    if (1) {
 +        switch (run->exit_reason) {
 +        case KVM_EXIT_UNKNOWN:
 +            r = handle_unhandled(run->hw.hardware_exit_reason);
 +            break;
 +        case KVM_EXIT_FAIL_ENTRY:
 +            r = handle_failed_vmentry(run->fail_entry.hardware_entry_failure_reason);
 +            break;
 +        case KVM_EXIT_EXCEPTION:
 +            fprintf(stderr, "exception %d (%x)\n", run->ex.exception,
 +                    run->ex.error_code);
 +            kvm_show_regs(env);
 +            kvm_show_code(env);
 +            abort();
 +            break;
 +        case KVM_EXIT_IO:
 +            r = kvm_handle_io(run->io.port,
 +                                (uint8_t *)run + run->io.data_offset,
 +                                run->io.direction,
 +                                run->io.size,
 +                                run->io.count);
 +            r = 0;
 +            break;
 +        case KVM_EXIT_DEBUG:
 +            r = handle_debug(env);
 +            break;
 +        case KVM_EXIT_MMIO:
 +            r = handle_mmio(env);
 +            break;
 +        case KVM_EXIT_HLT:
 +            r = kvm_arch_halt(env);
 +            break;
 +        case KVM_EXIT_IRQ_WINDOW_OPEN:
 +            break;
 +        case KVM_EXIT_SHUTDOWN:
 +            r = handle_shutdown(kvm, env);
 +            break;
 +#if defined(__s390__)
 +        case KVM_EXIT_S390_SIEIC:
 +            r = kvm_s390_handle_intercept(kvm, env, run);
 +            break;
 +        case KVM_EXIT_S390_RESET:
 +            r = kvm_s390_handle_reset(kvm, env, run);
 +            break;
 +#endif
 +	case KVM_EXIT_INTERNAL_ERROR:
 +            kvm_handle_internal_error(env, run);
 +            r = 1;
 +	    break;
 +        default:
 +            if (kvm_arch_run(env)) {
 +                fprintf(stderr, "unhandled vm exit: 0x%x\n", run->exit_reason);
 +                kvm_show_regs(env);
 +                abort();
 +            }
 +            break;
 +        }
 +    }
 +more:
 +    if (!r) {
 +        goto again;
 +    }
 +    return r;
 +}
 +
 +int kvm_inject_irq(CPUState *env, unsigned irq)
 +{
 +    struct kvm_interrupt intr;
 +
 +    intr.irq = irq;
 +    return kvm_vcpu_ioctl(env, KVM_INTERRUPT, &intr);
 +}
 +
 +int kvm_inject_nmi(CPUState *env)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    return kvm_vcpu_ioctl(env, KVM_NMI);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_init_coalesced_mmio(kvm_context_t kvm)
 +{
 +    int r = 0;
 +    kvm_state->coalesced_mmio = 0;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_COALESCED_MMIO);
 +    if (r > 0) {
 +        kvm_state->coalesced_mmio = r;
 +        return 0;
 +    }
 +#endif
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +
 +static int kvm_old_assign_irq(kvm_context_t kvm,
 +                              struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_IRQ, assigned_irq);
 +}
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    int ret;
 +
 +    ret = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_ASSIGN_DEV_IRQ);
 +    if (ret > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_DEV_IRQ, assigned_irq);
 +    }
 +
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_DEV_IRQ, assigned_irq);
 +}
 +#else
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +#endif
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject)
 +{
 +#ifdef KVM_CAP_REINJECT_CONTROL
 +    int r;
 +    struct kvm_reinject_control control;
 +
 +    control.pit_reinject = pit_reinject;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_REINJECT_CONTROL);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_REINJECT_CONTROL, &control);
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +int kvm_has_gsi_routing(void)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    r = kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#endif
 +    return r;
 +}
 +
 +int kvm_get_gsi_count(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    return kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_clear_gsi_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->nr = 0;
 +    return 0;
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing *z;
 +    struct kvm_irq_routing_entry *new;
 +    int n, size;
 +
 +    if (kvm->irq_routes->nr == kvm->nr_allocated_irq_routes) {
 +        n = kvm->nr_allocated_irq_routes * 2;
 +        if (n < 64) {
 +            n = 64;
 +        }
 +        size = sizeof(struct kvm_irq_routing);
 +        size += n * sizeof(*new);
 +        z = realloc(kvm->irq_routes, size);
 +        if (!z) {
 +            return -ENOMEM;
 +        }
 +        kvm->nr_allocated_irq_routes = n;
 +        kvm->irq_routes = z;
 +    }
 +    n = kvm->irq_routes->nr++;
 +    new = &kvm->irq_routes->entries[n];
 +    memset(new, 0, sizeof(*new));
 +    new->gsi = entry->gsi;
 +    new->type = entry->type;
 +    new->flags = entry->flags;
 +    new->u = entry->u;
 +
 +    set_gsi(kvm, entry->gsi);
 +
 +    return 0;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_add_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_add_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e, *p;
 +    int i, gsi, found = 0;
 +
 +    gsi = entry->gsi;
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type == entry->type && e->gsi == gsi) {
 +            switch (e->type) {
 +            case KVM_IRQ_ROUTING_IRQCHIP:{
 +                    if (e->u.irqchip.irqchip ==
 +                        entry->u.irqchip.irqchip
 +                        && e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            case KVM_IRQ_ROUTING_MSI:{
 +                    if (e->u.msi.address_lo ==
 +                        entry->u.msi.address_lo
 +                        && e->u.msi.address_hi ==
 +                        entry->u.msi.address_hi
 +                        && e->u.msi.data == entry->u.msi.data) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            default:
 +                break;
 +            }
 +            if (found) {
 +                /* If there are no other users of this GSI
 +                 * mark it available in the bitmap */
 +                for (i = 0; i < kvm->irq_routes->nr; i++) {
 +                    e = &kvm->irq_routes->entries[i];
 +                    if (e->gsi == gsi)
 +                        break;
 +                }
 +                if (i == kvm->irq_routes->nr) {
 +                    clear_gsi(kvm, gsi);
 +                }
 +
 +                return 0;
 +            }
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e;
 +    int i;
 +
 +    if (entry->gsi != newentry->gsi || entry->type != newentry->type) {
 +        return -EINVAL;
 +    }
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type != entry->type || e->gsi != entry->gsi) {
 +            continue;
 +        }
 +        switch (e->type) {
 +        case KVM_IRQ_ROUTING_IRQCHIP:
 +            if (e->u.irqchip.irqchip == entry->u.irqchip.irqchip &&
 +                e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                memcpy(&e->u.irqchip, &newentry->u.irqchip,
 +                       sizeof e->u.irqchip);
 +                return 0;
 +            }
 +            break;
 +        case KVM_IRQ_ROUTING_MSI:
 +            if (e->u.msi.address_lo == entry->u.msi.address_lo &&
 +                e->u.msi.address_hi == entry->u.msi.address_hi &&
 +                e->u.msi.data == entry->u.msi.data) {
 +                memcpy(&e->u.msi, &newentry->u.msi, sizeof e->u.msi);
 +                return 0;
 +            }
 +            break;
 +        default:
 +            break;
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_del_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_commit_irq_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->flags = 0;
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_GSI_ROUTING, kvm->irq_routes);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_get_irq_route_gsi(void)
 +{
 +    kvm_context_t kvm = kvm_context;
 +    int i, bit;
 +    uint32_t *buf = kvm->used_gsi_bitmap;
 +
 +    /* Return the lowest unused GSI in the bitmap */
 +    for (i = 0; i < kvm->max_gsi / 32; i++) {
 +        bit = ffs(~buf[i]);
 +        if (!bit) {
 +            continue;
 +        }
 +
 +        return bit - 1 + i * 32;
 +    }
 +
 +    return -ENOSPC;
 +}
 +
 +static void kvm_msix_routing_entry(struct kvm_irq_routing_entry *e,
 +                                   uint32_t gsi, uint32_t addr_lo,
 +                                   uint32_t addr_hi, uint32_t data)
 +
 +{
 +    e->gsi = gsi;
 +    e->type = KVM_IRQ_ROUTING_MSI;
 +    e->flags = 0;
 +    e->u.msi.address_lo = addr_lo;
 +    e->u.msi.address_hi = addr_hi;
 +    e->u.msi.data = data;
 +}
 +
 +int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_add_routing_entry(&e);
 +}
 +
 +int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_del_routing_entry(&e);
 +}
 +
 +int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
 +                    uint32_t old_addr_hi, uint32_t old_data,
 +                    uint32_t new_gsi, uint32_t new_addr_lo,
 +                    uint32_t new_addr_hi, uint32_t new_data)
 +{
 +    struct kvm_irq_routing_entry e1, e2;
 +
 +    kvm_msix_routing_entry(&e1, old_gsi, old_addr_lo, old_addr_hi, old_data);
 +    kvm_msix_routing_entry(&e2, new_gsi, new_addr_lo, new_addr_hi, new_data);
 +    return kvm_update_routing_entry(&e1, &e2);
 +}
 +
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_NR, msix_nr);
 +}
 +
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_ENTRY, entry);
 +}
 +#endif
 +
 +#if defined(KVM_CAP_IRQFD) && defined(CONFIG_EVENTFD)
 +
 +#include <sys/eventfd.h>
 +
 +static int _kvm_irqfd(kvm_context_t kvm, int fd, int gsi, int flags)
 +{
 +    struct kvm_irqfd data = {
 +        .fd = fd,
 +        .gsi = gsi,
 +        .flags = flags,
 +    };
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_IRQFD, &data);
 +}
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    int r;
 +    int fd;
 +
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_IRQFD))
 +        return -ENOENT;
 +
 +    fd = eventfd(0, 0);
 +    if (fd < 0) {
 +        return -errno;
 +    }
 +
 +    r = _kvm_irqfd(kvm, fd, gsi, 0);
 +    if (r < 0) {
 +        close(fd);
 +        return -errno;
 +    }
 +
 +    return fd;
 +}
 +
 +#else                           /* KVM_CAP_IRQFD */
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    return -ENOSYS;
 +}
 +
 +#endif                          /* KVM_CAP_IRQFD */
 +unsigned long kvm_get_thread_id(void)
 +{
 +    return syscall(SYS_gettid);
 +}
 +
 +static void qemu_cond_wait(pthread_cond_t *cond)
 +{
 +    CPUState *env = cpu_single_env;
 +
 +    pthread_cond_wait(cond, &qemu_mutex);
 +    cpu_single_env = env;
 +}
 +
 +static void sig_ipi_handler(int n)
 +{
 +}
 +
 +static void sigbus_reraise(void)
 +{
 +    sigset_t set;
 +    struct sigaction action;
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_handler = SIG_DFL;
 +    if (!sigaction(SIGBUS, &action, NULL)) {
 +        raise(SIGBUS);
 +        sigemptyset(&set);
 +        sigaddset(&set, SIGBUS);
 +        sigprocmask(SIG_UNBLOCK, &set, NULL);
 +    }
 +    perror("Failed to re-raise SIGBUS!\n");
 +    abort();
 +}
 +
 +static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
 +                           void *ctx)
 +{
 +    if (kvm_on_sigbus(siginfo->ssi_code, (void *)(intptr_t)siginfo->ssi_addr))
 +        sigbus_reraise();
 +}
 +
 +void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
 +{
 +    struct qemu_work_item wi;
 +
 +    if (env == current_env) {
 +        func(data);
 +        return;
 +    }
 +
 +    wi.func = func;
 +    wi.data = data;
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        env->kvm_cpu_state.queued_work_first = &wi;
 +    } else {
 +        env->kvm_cpu_state.queued_work_last->next = &wi;
 +    }
 +    env->kvm_cpu_state.queued_work_last = &wi;
 +    wi.next = NULL;
 +    wi.done = false;
 +
 +    pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    while (!wi.done) {
 +        qemu_cond_wait(&qemu_work_cond);
 +    }
 +}
 +
 +static void do_kvm_cpu_synchronize_state(void *_env)
 +{
 +    CPUState *env = _env;
 +
 +    if (!env->kvm_vcpu_dirty) {
 +        kvm_arch_save_regs(env);
 +        env->kvm_vcpu_dirty = 1;
 +    }
 +}
 +
 +void kvm_cpu_synchronize_state(CPUState *env)
 +{
 +    if (!env->kvm_vcpu_dirty) {
 +        on_vcpu(env, do_kvm_cpu_synchronize_state, env);
 +    }
 +}
 +
 +void kvm_cpu_synchronize_post_reset(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_RESET_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +void kvm_cpu_synchronize_post_init(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_FULL_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +static void inject_interrupt(void *data)
 +{
 +    cpu_interrupt(current_env, (long) data);
 +}
 +
 +void kvm_inject_interrupt(CPUState *env, int mask)
 +{
 +    on_vcpu(env, inject_interrupt, (void *) (long) mask);
 +}
 +
 +void kvm_update_interrupt_request(CPUState *env)
 +{
 +    int signal = 0;
 +
 +    if (env) {
 +        if (!current_env || !current_env->created) {
 +            signal = 1;
 +        }
 +        /*
 +         * Testing for created here is really redundant
 +         */
 +        if (current_env && current_env->created &&
 +            env != current_env && !env->kvm_cpu_state.signalled) {
 +            signal = 1;
 +        }
 +
 +        if (signal) {
 +            env->kvm_cpu_state.signalled = 1;
 +            if (env->kvm_cpu_state.thread) {
 +                pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +            }
 +        }
 +    }
 +}
 +
 +int kvm_cpu_exec(CPUState *env)
 +{
 +    int r;
 +
 +    r = kvm_run(env);
 +    if (r < 0) {
 +        printf("kvm_run returned %d\n", r);
 +        vm_stop(0);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_cpu_is_stopped(CPUState *env)
 +{
 +    return !vm_running || env->stopped;
 +}
 +
 +static void flush_queued_work(CPUState *env)
 +{
 +    struct qemu_work_item *wi;
 +
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        return;
 +    }
 +
 +    while ((wi = env->kvm_cpu_state.queued_work_first)) {
 +        env->kvm_cpu_state.queued_work_first = wi->next;
 +        wi->func(wi->data);
 +        wi->done = true;
 +    }
 +    env->kvm_cpu_state.queued_work_last = NULL;
 +    pthread_cond_broadcast(&qemu_work_cond);
 +}
 +
 +static void kvm_main_loop_wait(CPUState *env, int timeout)
 +{
 +    struct timespec ts;
 +    int r, e;
 +    siginfo_t siginfo;
 +    sigset_t waitset;
 +    sigset_t chkset;
 +
 +    ts.tv_sec = timeout / 1000;
 +    ts.tv_nsec = (timeout % 1000) * 1000000;
 +    sigemptyset(&waitset);
 +    sigaddset(&waitset, SIG_IPI);
 +    sigaddset(&waitset, SIGBUS);
 +
 +    do {
 +        pthread_mutex_unlock(&qemu_mutex);
 +
 +        r = sigtimedwait(&waitset, &siginfo, &ts);
 +        e = errno;
 +
 +        pthread_mutex_lock(&qemu_mutex);
 +
 +        if (r == -1 && !(e == EAGAIN || e == EINTR)) {
 +            printf("sigtimedwait: %s\n", strerror(e));
 +            exit(1);
 +        }
 +
 +        switch (r) {
 +        case SIGBUS:
 +            if (kvm_on_sigbus_vcpu(env, siginfo.si_code, siginfo.si_addr))
 +                sigbus_reraise();
 +            break;
 +        default:
 +            break;
 +        }
 +
 +        r = sigpending(&chkset);
 +        if (r == -1) {
 +            printf("sigpending: %s\n", strerror(e));
 +            exit(1);
 +        }
 +    } while (sigismember(&chkset, SIG_IPI) || sigismember(&chkset, SIGBUS));
 +
 +    cpu_single_env = env;
 +    flush_queued_work(env);
 +
 +    if (env->stop) {
 +        env->stop = 0;
 +        env->stopped = 1;
 +        pthread_cond_signal(&qemu_pause_cond);
 +    }
 +
 +    env->kvm_cpu_state.signalled = 0;
 +}
 +
 +static int all_threads_paused(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv->stop) {
 +            return 0;
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    return 1;
 +}
 +
 +static void pause_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv != cpu_single_env) {
 +            penv->stop = 1;
 +            pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        } else {
 +            penv->stop = 0;
 +            penv->stopped = 1;
 +            cpu_exit(penv);
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    while (!all_threads_paused()) {
 +        qemu_cond_wait(&qemu_pause_cond);
 +    }
 +}
 +
 +static void resume_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    assert(!cpu_single_env);
 +
 +    while (penv) {
 +        penv->stop = 0;
 +        penv->stopped = 0;
 +        pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +}
 +
 +static void kvm_vm_state_change_handler(void *context, int running, int reason)
 +{
 +    if (running) {
 +        resume_all_threads();
 +    } else {
 +        pause_all_threads();
 +    }
 +}
 +
 +static void setup_kernel_sigmask(CPUState *env)
 +{
 +    sigset_t set;
 +
 +    sigemptyset(&set);
 +    sigaddset(&set, SIGUSR2);
 +    sigaddset(&set, SIGIO);
 +    sigaddset(&set, SIGALRM);
 +    sigprocmask(SIG_BLOCK, &set, NULL);
 +
 +    sigprocmask(SIG_BLOCK, NULL, &set);
 +    sigdelset(&set, SIG_IPI);
 +    sigdelset(&set, SIGBUS);
 +
 +    kvm_set_signal_mask(env, &set);
 +}
 +
 +static void qemu_kvm_system_reset(void)
 +{
 +    pause_all_threads();
 +
 +    qemu_system_reset();
 +
 +    resume_all_threads();
 +}
 +
 +static void process_irqchip_events(CPUState *env)
 +{
 +    kvm_arch_process_irqchip_events(env);
 +    if (kvm_arch_has_work(env))
 +        env->halted = 0;
 +}
 +
 +static int kvm_main_loop_cpu(CPUState *env)
 +{
 +    while (1) {
 +        int run_cpu = !kvm_cpu_is_stopped(env);
 +        if (run_cpu && !kvm_irqchip_in_kernel()) {
 +            process_irqchip_events(env);
 +            run_cpu = !env->halted;
 +        }
 +        if (run_cpu) {
 +            kvm_cpu_exec(env);
 +            kvm_main_loop_wait(env, 0);
 +        } else {
 +            kvm_main_loop_wait(env, 1000);
 +        }
 +    }
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +static void *ap_main_loop(void *_env)
 +{
 +    CPUState *env = _env;
 +    sigset_t signals;
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    struct ioperm_data *data = NULL;
 +#endif
 +
 +    current_env = env;
 +    env->thread_id = kvm_get_thread_id();
 +    sigfillset(&signals);
 +    sigprocmask(SIG_BLOCK, &signals, NULL);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    /* do ioperm for io ports of assigned devices */
 +    QLIST_FOREACH(data, &ioperm_head, entries)
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +#endif
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = env;
 +
 +    kvm_create_vcpu(env, env->cpu_index);
 +    setup_kernel_sigmask(env);
 +
 +    /* signal VCPU creation */
 +    current_env->created = 1;
 +    pthread_cond_signal(&qemu_vcpu_cond);
 +
 +    /* and wait for machine initialization */
 +    while (!qemu_system_ready) {
 +        qemu_cond_wait(&qemu_system_cond);
 +    }
 +
 +    /* re-initialize cpu_single_env after re-acquiring qemu_mutex */
 +    cpu_single_env = env;
 +
 +    kvm_main_loop_cpu(env);
 +    return NULL;
 +}
 +
 +int kvm_init_vcpu(CPUState *env)
 +{
 +    pthread_create(&env->kvm_cpu_state.thread, NULL, ap_main_loop, env);
 +
 +    while (env->created == 0) {
 +        qemu_cond_wait(&qemu_vcpu_cond);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_vcpu_inited(CPUState *env)
 +{
 +    return env->created;
 +}
 +
 +#ifdef TARGET_I386
 +void kvm_hpet_disable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags |= KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +
 +void kvm_hpet_enable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags &= ~KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +#endif
 +
 +int kvm_init_ap(void)
 +{
 +    struct sigaction action;
 +
 +    qemu_add_vm_change_state_handler(kvm_vm_state_change_handler, NULL);
 +
 +    signal(SIG_IPI, sig_ipi_handler);
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_flags = SA_SIGINFO;
 +    action.sa_sigaction = (void (*)(int, siginfo_t*, void*))sigbus_handler;
 +    sigaction(SIGBUS, &action, NULL);
 +    prctl(PR_MCE_KILL, 1, 1, 0, 0);
 +    return 0;
 +}
 +
 +/* If we have signalfd, we mask out the signals we want to handle and then
 + * use signalfd to listen for them.  We rely on whatever the current signal
 + * handler is to dispatch the signals when we receive them.
 + */
 +
 +static void sigfd_handler(void *opaque)
 +{
 +    int fd = (unsigned long) opaque;
 +    struct qemu_signalfd_siginfo info;
 +    struct sigaction action;
 +    ssize_t len;
 +
 +    while (1) {
 +        do {
 +            len = read(fd, &info, sizeof(info));
 +        } while (len == -1 && errno == EINTR);
 +
 +        if (len == -1 && errno == EAGAIN) {
 +            break;
 +        }
 +
 +        if (len != sizeof(info)) {
 +            printf("read from sigfd returned %zd: %m\n", len);
 +            return;
 +        }
 +
 +        sigaction(info.ssi_signo, NULL, &action);
 +        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
 +            action.sa_sigaction(info.ssi_signo,
 +                                (siginfo_t *)&info, NULL);
 +        } else if (action.sa_handler) {
 +            action.sa_handler(info.ssi_signo);
 +        }
 +    }
 +}
 +
 +int kvm_main_loop(void)
 +{
 +    sigset_t mask;
 +    int sigfd;
 +
 +    io_thread = pthread_self();
 +    qemu_system_ready = 1;
 +
 +    sigemptyset(&mask);
 +    sigaddset(&mask, SIGIO);
 +    sigaddset(&mask, SIGALRM);
 +    sigaddset(&mask, SIGBUS);
 +    sigprocmask(SIG_BLOCK, &mask, NULL);
 +
 +    sigfd = qemu_signalfd(&mask);
 +    if (sigfd == -1) {
 +        fprintf(stderr, "failed to create signalfd\n");
 +        return -errno;
 +    }
 +
 +    fcntl(sigfd, F_SETFL, O_NONBLOCK);
 +
 +    qemu_set_fd_handler2(sigfd, NULL, sigfd_handler, NULL,
 +                         (void *)(unsigned long) sigfd);
 +
 +    pthread_cond_broadcast(&qemu_system_cond);
 +
 +    io_thread_sigfd = sigfd;
 +    cpu_single_env = NULL;
 +
 +    while (1) {
 +        main_loop_wait(0);
 +        if (qemu_shutdown_requested()) {
 +            monitor_protocol_event(QEVENT_SHUTDOWN, NULL);
 +            if (qemu_no_shutdown()) {
 +                vm_stop(0);
 +            } else {
 +                break;
 +            }
 +        } else if (qemu_powerdown_requested()) {
 +            monitor_protocol_event(QEVENT_POWERDOWN, NULL);
 +            qemu_irq_raise(qemu_system_powerdown);
 +        } else if (qemu_reset_requested()) {
 +            qemu_kvm_system_reset();
 +        } else if (kvm_debug_cpu_requested) {
 +            gdb_set_stop_cpu(kvm_debug_cpu_requested);
 +            vm_stop(EXCP_DEBUG);
 +            kvm_debug_cpu_requested = NULL;
 +        }
 +    }
 +
 +    pause_all_threads();
 +    pthread_mutex_unlock(&qemu_mutex);
 +
 +    return 0;
 +}
 +
 +#if !defined(TARGET_I386)
 +int kvm_arch_init_irq_routing(void)
 +{
 +    return 0;
 +}
 +#endif
 +
 +extern int no_hpet;
 +
 +static int kvm_create_context(void)
 +{
 +    static const char upgrade_note[] =
 +    "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
 +    "(see http://sourceforge.net/projects/kvm).\n";
 +
 +    int r;
 +
 +    if (!kvm_irqchip) {
 +        kvm_disable_irqchip_creation(kvm_context);
 +    }
 +    if (!kvm_pit) {
 +        kvm_disable_pit_creation(kvm_context);
 +    }
 +    if (kvm_create(kvm_context, 0, NULL) < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    r = kvm_arch_qemu_create_context();
 +    if (r < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    if (kvm_pit && !kvm_pit_reinject) {
 +        if (kvm_reinject_control(kvm_context, 0)) {
 +            fprintf(stderr, "failure to disable in-kernel PIT reinjection\n");
 +            return -1;
 +        }
 +    }
 +
 +    /* There was a nasty bug in < kvm-80 that prevents memory slots from being
 +     * destroyed properly.  Since we rely on this capability, refuse to work
 +     * with any kernel without this capability. */
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_DESTROY_MEMORY_REGION_WORKS)) {
 +        fprintf(stderr,
 +                "KVM kernel module broken (DESTROY_MEMORY_REGION).\n%s",
 +                upgrade_note);
 +        return -EINVAL;
 +    }
 +
 +    r = kvm_arch_init_irq_routing();
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_state->vcpu_events = 0;
 +#ifdef KVM_CAP_VCPU_EVENTS
 +    kvm_state->vcpu_events = kvm_check_extension(kvm_state, KVM_CAP_VCPU_EVENTS);
 +#endif
 +
 +    kvm_state->debugregs = 0;
 +#ifdef KVM_CAP_DEBUGREGS
 +    kvm_state->debugregs = kvm_check_extension(kvm_state, KVM_CAP_DEBUGREGS);
 +#endif
 +
 +    kvm_state->xsave = 0;
 +#ifdef KVM_CAP_XSAVE
 +    kvm_state->xsave = kvm_check_extension(kvm_state, KVM_CAP_XSAVE);
 +#endif
 +
 +    kvm_state->xcrs = 0;
 +#ifdef KVM_CAP_XCRS
 +    kvm_state->xcrs = kvm_check_extension(kvm_state, KVM_CAP_XCRS);
 +#endif
 +
 +    kvm_state->many_ioeventfds = kvm_check_many_ioeventfds();
 +
 +    kvm_init_ap();
 +    if (kvm_irqchip) {
 +        if (!qemu_kvm_has_gsi_routing()) {
 +            irq0override = 0;
 +#ifdef TARGET_I386
 +            /* if kernel can't do irq routing, interrupt source
 +             * override 0->2 can not be set up as required by hpet,
 +             * so disable hpet.
 +             */
 +            no_hpet = 1;
 +        } else if (!qemu_kvm_has_pit_state2()) {
 +            no_hpet = 1;
 +        }
 +#else
 +        }
 +#endif
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq(int irq, int level, int *status)
 +{
 +    return kvm_set_irq_level(kvm_context, irq, level, status);
 +}
 +
 +#endif
 +
 +static void kvm_mutex_unlock(void)
 +{
 +    assert(!cpu_single_env);
 +    pthread_mutex_unlock(&qemu_mutex);
 +}
 +
 +static void kvm_mutex_lock(void)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = NULL;
 +}
 +
 +void qemu_mutex_unlock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_unlock();
 +    }
 +}
 +
 +void qemu_mutex_lock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_lock();
 +    }
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_add_ioperm_data(struct ioperm_data *data)
 +{
 +    QLIST_INSERT_HEAD(&ioperm_head, data, entries);
 +}
 +
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
 +{
 +    struct ioperm_data *data;
 +
 +    data = QLIST_FIRST(&ioperm_head);
 +    while (data) {
 +        struct ioperm_data *next = QLIST_NEXT(data, entries);
 +
 +        if (data->start_port == start_port && data->num == num) {
 +            QLIST_REMOVE(data, entries);
 +            qemu_free(data);
 +        }
 +
 +        data = next;
 +    }
 +}
 +
 +void kvm_ioperm(CPUState *env, void *data)
 +{
 +    if (kvm_enabled() && qemu_system_ready) {
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +    }
 +}
 +
 +#endif
 +
 +int kvm_set_boot_cpu_id(uint32_t id)
 +{
 +    return kvm_set_boot_vcpu_id(kvm_context, id);
 +}
 +
diff --cc qemu-kvm.h
index db4e340,0000000..88cf276
mode 100644,000000..100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@@ -1,771 -1,0 +1,771 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#ifndef THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +#define THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +
 +#include "cpu.h"
 +
 +#include <signal.h>
 +#include <stdlib.h>
 +
 +#ifdef CONFIG_KVM
 +
 +#if defined(__s390__)
 +#include <asm/ptrace.h>
 +#endif
 +
 +#include <stdint.h>
 +
 +#ifndef __user
 +#define __user       /* temporary, until installed via make headers_install */
 +#endif
 +
 +#include <linux/kvm.h>
 +
 +#include <signal.h>
 +
 +/* FIXME: share this number with kvm */
 +/* FIXME: or dynamically alloc/realloc regions */
 +#ifdef __s390__
 +#define KVM_MAX_NUM_MEM_REGIONS 1u
 +#define MAX_VCPUS 64
 +#define LIBKVM_S390_ORIGIN (0UL)
 +#elif defined(__ia64__)
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 256
 +#else
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 16
 +#endif
 +
 +/* kvm abi verison variable */
 +extern int kvm_abi;
 +
 +/**
 + * \brief The KVM context
 + *
 + * The verbose KVM context
 + */
 +
 +struct kvm_context {
 +    void *opaque;
 +    /// is dirty pages logging enabled for all regions or not
 +    int dirty_pages_log_all;
 +    /// do not create in-kernel irqchip if set
 +    int no_irqchip_creation;
 +    /// in-kernel irqchip status
 +    int irqchip_in_kernel;
 +    /// ioctl to use to inject interrupts
 +    int irqchip_inject_ioctl;
 +    /// do not create in-kernel pit if set
 +    int no_pit_creation;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing *irq_routes;
 +    int nr_allocated_irq_routes;
 +#endif
 +    void *used_gsi_bitmap;
 +    int max_gsi;
 +};
 +
 +typedef struct kvm_context *kvm_context_t;
 +
 +#include "kvm.h"
 +int kvm_alloc_kernel_memory(kvm_context_t kvm, unsigned long memory,
 +                            void **vm_mem);
 +int kvm_alloc_userspace_memory(kvm_context_t kvm, unsigned long memory,
 +                               void **vm_mem);
 +
 +int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +                    void **vm_mem);
 +
 +int kvm_arch_run(CPUState *env);
 +
 +
 +void kvm_show_code(CPUState *env);
 +
 +int handle_halt(CPUState *env);
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env);
 +void post_kvm_run(kvm_context_t kvm, CPUState *env);
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env);
 +int handle_io_window(kvm_context_t kvm);
 +int try_push_interrupts(kvm_context_t kvm);
 +
 +#if defined(__x86_64__) || defined(__i386__)
 +struct kvm_x86_mce;
 +#endif
 +
 +/*!
 + * \brief Disable the in-kernel IRQCHIP creation
 + *
 + * In-kernel irqchip is enabled by default. If userspace irqchip is to be used,
 + * this should be called prior to kvm_create().
 + *
 + * \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_irqchip_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable the in-kernel PIT creation
 + *
 + * In-kernel pit is enabled by default. If userspace pit is to be used,
 + * this should be called prior to kvm_create().
 + *
 + *  \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_pit_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Create new virtual machine
 + *
 + * This creates a new virtual machine, maps physical RAM to it, and creates a
 + * virtual CPU for it.\n
 + * \n
 + * Memory gets mapped for addresses 0->0xA0000, 0xC0000->phys_mem_bytes
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_mem_bytes The amount of physical ram you want the VM to have
 + * \param phys_mem This pointer will be set to point to the memory that
 + * kvm_create allocates for physical RAM
 + * \return 0 on success
 + */
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +               void **phys_mem);
 +int kvm_create_vm(kvm_context_t kvm);
 +void kvm_create_irqchip(kvm_context_t kvm);
 +
 +/*!
 + * \brief Start the VCPU
 + *
 + * This starts the VCPU and virtualization is started.\n
 + * \n
 + * This function will not return until any of these conditions are met:
 + * - An IO/MMIO handler does not return "0"
 + * - An exception that neither the guest OS, nor KVM can handle occurs
 + *
 + * \note This function will call the callbacks registered in kvm_init()
 + * to emulate those functions
 + * \note If you at any point want to interrupt the VCPU, kvm_run() will
 + * listen to the EINTR signal. This allows you to simulate external interrupts
 + * and asyncronous IO.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be started
 + * \return 0 on success, but you really shouldn't expect this function to
 + * return except for when an error has occured, or when you have sent it
 + * an EINTR signal.
 + */
 +int kvm_run(CPUState *env);
 +
 +/*!
 + * \brief Check if a vcpu is ready for interrupt injection
 + *
 + * This checks if vcpu interrupts are not masked by mov ss or sti.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return boolean indicating interrupt injection readiness
 + */
 +int kvm_is_ready_for_interrupt_injection(CPUState *env);
 +
 +/*!
 + * \brief Read VCPU registers
 + *
 + * This gets the GP registers from the VCPU and outputs them
 + * into a kvm_regs structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPUs GP registers, you should call kvm_set_regs()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs);
 +
 +/*!
 + * \brief Write VCPU registers
 + *
 + * This sets the GP registers on the VCPU from a kvm_regs structure
 + *
 + * \note When this function returns, the regs pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs);
 +
 +#ifdef KVM_CAP_MP_STATE
 +/*!
 + *  * \brief Read VCPU MP state
 + *
 + */
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +
 +/*!
 + *  * \brief Write VCPU MP state
 + *
 + */
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +#endif
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Simulate an external vectored interrupt
 + *
 + * This allows you to simulate an external vectored interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param irq Vector number
 + * \return 0 on success
 + */
 +int kvm_inject_irq(CPUState *env, unsigned irq);
 +
 +
 +/*!
 + * \brief Setting the number of shadow pages to be allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages);
 +
 +/*!
 + * \brief Getting the number of shadow pages that are allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages);
 +
 +#endif
 +
 +/*!
 + * \brief Dump VCPU registers
 + *
 + * This dumps some of the information that KVM has about a virtual CPU, namely:
 + * - GP Registers
 + *
 + * A much more verbose version of this is available as kvm_dump_vcpu()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +void kvm_show_regs(CPUState *env);
 +
 +
 +void *kvm_create_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len, int log, int writable);
 +void kvm_destroy_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len);
 +
 +int kvm_is_containing_region(kvm_context_t kvm, unsigned long phys_start,
 +                             unsigned long size);
 +int kvm_register_phys_mem(kvm_context_t kvm, unsigned long phys_start,
 +                          void *userspace_addr, unsigned long len, int log);
 +int kvm_get_dirty_pages_range(kvm_context_t kvm, unsigned long phys_addr,
 +                              unsigned long end_addr, void *opaque,
 +                              int (*cb)(unsigned long start,
 +                                        unsigned long len, void *bitmap,
 +                                        void *opaque));
 +int kvm_register_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                uint32_t size);
 +int kvm_unregister_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                  uint32_t size);
 +
 +/*!
 + * \brief Get a bitmap of guest ram pages which are allocated to the guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_addr Memory slot phys addr
 + * \param bitmap Long aligned address of a big enough bitmap (one bit per page)
 + */
 +int kvm_get_mem_map(kvm_context_t kvm, unsigned long phys_addr, void *bitmap);
 +int kvm_get_mem_map_range(kvm_context_t kvm, unsigned long phys_addr,
 +                          unsigned long len, void *buf, void *opaque,
 +                          int (*cb)(unsigned long start,
 +                                    unsigned long len, void *bitmap,
 +                                    void *opaque));
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status);
 +
 +int kvm_dirty_pages_log_enable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                    uint64_t len);
 +int kvm_dirty_pages_log_disable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                     uint64_t len);
 +/*!
 + * \brief Enable dirty-pages-logging for all memory regions
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_enable_all(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable dirty-page-logging for some memory regions
 + *
 + * Disable dirty-pages-logging for those memory regions that were
 + * created with dirty-page-logging disabled.
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_reset(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_IRQCHIP
 +/*!
 + * \brief Dump in kernel IRQCHIP contents
 + *
 + * Dump one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC into a kvm_irqchip structure
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip The irq chip device to be dumped
 + */
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +/*!
 + * \brief Set in kernel IRQCHIP contents
 + *
 + * Write one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip THe irq chip device to be written
 + */
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel local APIC for vcpu
 + *
 + * Save the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +/*!
 + * \brief Set in kernel local APIC for vcpu
 + *
 + * Restore the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +#endif
 +
 +/*!
 + * \brief Simulate an NMI
 + *
 + * This allows you to simulate a non-maskable interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +int kvm_inject_nmi(CPUState *env);
 +
 +#endif
 +
 +/*!
 + * \brief Initialize coalesced MMIO
 + *
 + * Check for coalesced MMIO capability and store in context
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_init_coalesced_mmio(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_PIT
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel PIT of the virtual domain
 + *
 + * Save the PIT state.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +/*!
 + * \brief Set in kernel PIT of the virtual domain
 + *
 + * Restore the PIT state.
 + * Timer would be retriggerred after restored.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject);
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +/*!
 + * \brief Check for kvm support of kvm_pit_state2
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \return 0 on success
 + */
 +int kvm_has_pit_state2(kvm_context_t kvm);
 +
 +/*!
 + * \brief Set in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +/*!
 + * \brief Get in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +#endif
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_VAPIC
 +
 +int kvm_enable_vapic(CPUState *env, uint64_t vapic);
 +
 +#endif
 +
 +#if defined(__s390__)
 +int kvm_s390_initial_reset(kvm_context_t kvm, int slot);
 +int kvm_s390_interrupt(kvm_context_t kvm, int slot,
 +                       struct kvm_s390_interrupt *kvmint);
 +int kvm_s390_set_initial_psw(kvm_context_t kvm, int slot, psw_t psw);
 +int kvm_s390_store_status(kvm_context_t kvm, int slot, unsigned long addr);
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be assigned to a guest
 + *
 + * Used for PCI device assignment, this function notifies the host
 + * kernel about the assigning of the physical PCI device to a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev);
 +
 +/*!
 + * \brief Assign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function assigns IRQ numbers for
 + * an physical device and guest IRQ handling.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +/*!
 + * \brief Deassign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function deassigns IRQ numbers
 + * for an assigned device.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be deassigned from a guest
 + *
 + * Used for hot remove PCI device, this function notifies the host
 + * kernel about the deassigning of the physical PCI device from a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev);
 +#endif
 +
 +/*!
 + * \brief Determines the number of gsis that can be routed
 + *
 + * Returns the number of distinct gsis that can be routed by kvm.  This is
 + * also the number of distinct routes (if a gsi has two routes, than another
 + * gsi cannot be used...)
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_get_gsi_count(kvm_context_t kvm);
 +
 +/*!
 + * \brief Clears the temporary irq routing table
 + *
 + * Clears the temporary irq routing table.  Nothing is committed to the
 + * running VM.
 + *
 + */
 +int kvm_clear_gsi_routes(void);
 +
 +/*!
 + * \brief Adds an irq route to the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_irq_route(int gsi, int irqchip, int pin);
 +
 +/*!
 + * \brief Removes an irq route from the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_irq_route(int gsi, int irqchip, int pin);
 +
 +struct kvm_irq_routing_entry;
 +/*!
 + * \brief Adds a routing entry to the temporary irq routing table
 + *
 + * Adds a filled routing entry to the temporary irq routing table. Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Removes a routing from the temporary irq routing table
 + *
 + * Remove a routing to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Updates a routing in the temporary irq routing table
 + *
 + * Update a routing in the temporary irq routing table
 + * with a new value. entry type and GSI can not be changed.
 + * Nothing is committed to the running VM.
 + */
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry);
 +
 +
 +/*!
 + * \brief Create a file descriptor for injecting interrupts
 + *
 + * Creates an eventfd based file-descriptor that maps to a specific GSI
 + * in the guest.  eventfd compliant signaling (write() from userspace, or
 + * eventfd_signal() from kernelspace) will cause the GSI to inject
 + * itself into the guest at the next available window.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param gsi GSI to assign to this fd
 + * \param flags reserved, must be zero
 + */
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags);
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr);
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry);
 +#endif
 +
 +#else                           /* !CONFIG_KVM */
 +
 +typedef struct kvm_context *kvm_context_t;
 +typedef struct kvm_vcpu_context *kvm_vcpu_context_t;
 +
 +struct kvm_pit_state {
 +};
 +
 +#endif                          /* !CONFIG_KVM */
 +
 +
 +/*!
 + * \brief Create new KVM context
 + *
 + * This creates a new kvm_context. A KVM context is a small area of data that
 + * holds information about the KVM instance that gets created by this call.\n
 + * This should always be your first call to KVM.
 + *
 + * \param opaque Not used
 + * \return NULL on failure
 + */
- int kvm_init(int smp_cpus);
++int kvm_init(void);
 +
 +int kvm_main_loop(void);
 +int kvm_init_ap(void);
 +int kvm_vcpu_inited(CPUState *env);
 +void kvm_save_lapic(CPUState *env);
 +void kvm_load_lapic(CPUState *env);
 +
 +void kvm_hpet_enable_kpit(void);
 +void kvm_hpet_disable_kpit(void);
 +
 +int kvm_physical_memory_set_dirty_tracking(int enable);
 +
 +void on_vcpu(CPUState *env, void (*func)(void *data), void *data);
 +void qemu_kvm_call_with_env(void (*func)(void *), void *data, CPUState *env);
 +void qemu_kvm_cpuid_on_env(CPUState *env);
 +void kvm_inject_interrupt(CPUState *env, int mask);
 +void kvm_update_after_sipi(CPUState *env);
 +void kvm_update_interrupt_request(CPUState *env);
 +#ifndef CONFIG_USER_ONLY
 +void *kvm_cpu_create_phys_mem(target_phys_addr_t start_addr, unsigned long size,
 +                              int log, int writable);
 +
 +void kvm_cpu_destroy_phys_mem(target_phys_addr_t start_addr,
 +                              unsigned long size);
 +void kvm_qemu_log_memory(target_phys_addr_t start, target_phys_addr_t size,
 +                         int log);
 +#endif
 +int kvm_qemu_create_memory_alias(uint64_t phys_start, uint64_t len,
 +                                 uint64_t target_phys);
 +int kvm_qemu_destroy_memory_alias(uint64_t phys_start);
 +
 +int kvm_arch_qemu_create_context(void);
 +
 +void kvm_arch_save_regs(CPUState *env);
 +void kvm_arch_load_regs(CPUState *env, int level);
 +int kvm_arch_has_work(CPUState *env);
 +void kvm_arch_process_irqchip_events(CPUState *env);
 +int kvm_arch_try_push_interrupts(void *opaque);
 +void kvm_arch_push_nmi(void *opaque);
 +void kvm_arch_cpu_reset(CPUState *env);
 +int kvm_set_boot_cpu_id(uint32_t id);
 +
 +void qemu_kvm_aio_wait_start(void);
 +void qemu_kvm_aio_wait(void);
 +void qemu_kvm_aio_wait_end(void);
 +
 +void kvm_tpr_access_report(CPUState *env, uint64_t rip, int is_write);
 +
 +int kvm_arch_init_irq_routing(void);
 +
 +int kvm_mmio_read(void *opaque, uint64_t addr, uint8_t * data, int len);
 +int kvm_mmio_write(void *opaque, uint64_t addr, uint8_t * data, int len);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +struct ioperm_data;
 +
 +void kvm_ioperm(CPUState *env, void *data);
 +void kvm_add_ioperm_data(struct ioperm_data *data);
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num);
 +void kvm_arch_do_ioperm(void *_data);
 +#endif
 +
 +#define ALIGN(x, y)  (((x)+(y)-1) & ~((y)-1))
 +#define BITMAP_SIZE(m) (ALIGN(((m)>>TARGET_PAGE_BITS), HOST_LONG_BITS) / 8)
 +
 +#ifdef CONFIG_KVM
 +#include "qemu-queue.h"
 +
 +extern int kvm_irqchip;
 +extern int kvm_pit;
 +extern int kvm_pit_reinject;
 +extern int kvm_nested;
 +extern kvm_context_t kvm_context;
 +
 +struct ioperm_data {
 +    unsigned long start_port;
 +    unsigned long num;
 +    int turn_on;
 +    QLIST_ENTRY(ioperm_data) entries;
 +};
 +
 +void qemu_kvm_cpu_stop(CPUState *env);
 +int kvm_arch_halt(CPUState *env);
 +int handle_tpr_access(void *opaque, CPUState *env, uint64_t rip,
 +                      int is_write);
 +
 +#define qemu_kvm_has_gsi_routing() kvm_has_gsi_routing()
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() kvm_has_pit_state2(kvm_context)
 +#endif
 +#else
 +#define kvm_nested 0
 +#define qemu_kvm_has_gsi_routing() (0)
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() (0)
 +#endif
 +#define qemu_kvm_cpu_stop(env) do {} while(0)
 +#endif
 +
 +#ifdef CONFIG_KVM
 +
 +typedef struct KVMSlot {
 +    target_phys_addr_t start_addr;
 +    ram_addr_t memory_size;
 +    ram_addr_t phys_offset;
 +    int slot;
 +    int flags;
 +} KVMSlot;
 +
 +typedef struct kvm_dirty_log KVMDirtyLog;
 +
 +struct KVMState {
 +    KVMSlot slots[32];
 +    int fd;
 +    int vmfd;
 +    int coalesced_mmio;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
 +#endif
 +    int broken_set_mem_region;
 +    int migration_log;
 +    int vcpu_events;
 +    int robust_singlestep;
 +    int debugregs;
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_HEAD(, kvm_sw_breakpoint) kvm_sw_breakpoints;
 +#endif
 +    int irqchip_in_kernel;
 +    int pit_in_kernel;
 +    int xsave, xcrs;
 +    int many_ioeventfds;
 +
 +    struct kvm_context kvm_context;
 +};
 +
 +extern struct KVMState *kvm_state;
 +
 +int kvm_tpr_enable_vapic(CPUState *env);
 +
 +unsigned long kvm_get_thread_id(void);
 +int kvm_cpu_is_stopped(CPUState *env);
 +
 +#endif
 +
 +#endif
diff --cc vl.c
index 3b4cd60,33f844f..420a548
--- a/vl.c
+++ b/vl.c
@@@ -2897,19 -2836,15 +2897,19 @@@ int main(int argc, char **argv, char **
      }
  
      if (kvm_allowed) {
-         int ret = kvm_init(smp_cpus);
+         int ret = kvm_init();
          if (ret < 0) {
 -            if (!kvm_available()) {
 -                printf("KVM not supported for this target\n");
 -            } else {
 -                fprintf(stderr, "failed to initialize KVM: %s\n", strerror(-ret));
 +            if (kvm_allowed > 0) {
 +                if (!kvm_available()) {
 +                    printf("KVM not supported for this target\n");
 +                } else {
 +                    fprintf(stderr, "failed to initialize KVM: %s\n", strerror(-ret));
 +                }
 +                exit(1);
              }
 -            exit(1);
 +            fprintf(stderr, "Could not initialize KVM, will disable KVM support\n");
          }
 +        kvm_allowed = ret >= 0;
      }
  
      if (qemu_init_main_loop()) {
commit b13181147c92a61768ed7dd030830c35585456eb
Merge: 509573a... c3a3a7d...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 18:47:30 2011 -0200

    Merge commit 'c3a3a7d356c4df2fe145037172ae52cba5f545a5' into upstream-merge
    
    * commit 'c3a3a7d356c4df2fe145037172ae52cba5f545a5':
      kvm: x86: Refactor msr_star/hsave_pa setup and checks
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/kvm.c
index ff218df,454ddb1..4c30a98
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -479,13 -461,10 +481,12 @@@ void kvm_arch_reset_vcpu(CPUState *env
      }
  }
  
- int has_msr_star;
- int has_msr_hsave_pa;
++#ifdef OBSOLETE_KVM_IMPL
 +
- static void kvm_supported_msrs(CPUState *env)
+ static int kvm_get_supported_msrs(KVMState *s)
  {
      static int kvm_supported_msrs;
-     int ret;
+     int ret = 0;
  
      /* first time */
      if (kvm_supported_msrs == 0) {
commit 509573a62753ca2263aca029b82f24e3b4731826
Merge: 5347982... 1a5e9d2...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 18:35:42 2011 -0200

    Merge commit '1a5e9d2fafa5d31587e218cea462637bfad52b53' into upstream-merge
    
    * commit '1a5e9d2fafa5d31587e218cea462637bfad52b53':
      kvm: x86: Fix xcr0 reset mismerge
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 5347982c9243c789a7768ec52c35ff1de41858b4
Merge: 0620648... 3390e7f...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 18:27:32 2011 -0200

    Merge commit '3390e7f79784cbc75df408740cda4edbcf57ac58' into upstream-merge
    
    * commit '3390e7f79784cbc75df408740cda4edbcf57ac58':
      kvm: x86: Remove redundant mp_state initialization
      kvm: x86: Prepare kvm_get_mp_state for in-kernel irqchip
      kvm: x86: Align kvm_arch_put_registers code with comment
      x86: Optionally dump code bytes on cpu_dump_state
      kvm: Improve reporting of fatal errors
      kvm: Stop on all fatal exit reasons
      kvm: x86: Swallow KVM_EXIT_SET_TPR
      kvm: Fix coding style violations
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc kvm-all.c
index 7418372,41decde..a334ae8
--- a/kvm-all.c
+++ b/kvm-all.c
@@@ -640,19 -631,11 +639,19 @@@ static int kvm_client_migration_log(str
  }
  
  static CPUPhysMemoryClient kvm_cpu_phys_memory_client = {
- 	.set_memory = kvm_client_set_memory,
- 	.sync_dirty_bitmap = kvm_client_sync_dirty_bitmap,
- 	.migration_log = kvm_client_migration_log,
+     .set_memory = kvm_client_set_memory,
+     .sync_dirty_bitmap = kvm_client_sync_dirty_bitmap,
+     .migration_log = kvm_client_migration_log,
  };
  
 +
 +void kvm_cpu_register_phys_memory_client(void)
 +{
 +    cpu_register_phys_memory_client(&kvm_cpu_phys_memory_client);
 +}
 +
 +#ifdef OBSOLETE_KVM_IMPL
 +
  int kvm_init(int smp_cpus)
  {
      static const char upgrade_note[] =
diff --cc target-i386/kvm.c
index 28b13fc,07c75c0..3817dd1
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -324,17 -321,6 +324,11 @@@ int kvm_arch_init_vcpu(CPUState *env
      uint32_t signature[3];
  #endif
  
 +    r = _kvm_arch_init_vcpu(env);
 +    if (r < 0) {
 +        return r;
 +    }
 +
- #ifdef OBSOLETE_KVM_IMPL
- 
-     env->mp_state = KVM_MP_STATE_RUNNABLE;
- 
- #endif
- 
      env->cpuid_features &= kvm_arch_get_supported_cpuid(env, 1, 0, R_EDX);
  
      i = env->cpuid_ext_features & CPUID_EXT_HYPERVISOR;
@@@ -1228,9 -1196,11 +1222,12 @@@ static int kvm_get_mp_state(CPUState *e
          return ret;
      }
      env->mp_state = mp_state.mp_state;
+     if (kvm_irqchip_in_kernel()) {
+         env->halted = (mp_state.mp_state == KVM_MP_STATE_HALTED);
+     }
      return 0;
  }
 +#endif
  
  static int kvm_put_vcpu_events(CPUState *env, int level)
  {
commit 06206483986326dec6425fda889615ba10f5b78b
Merge: a508e1f... b9bec74...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 17:52:54 2011 -0200

    Merge commit 'b9bec74bcb16519a876ec21cd5277c526a9b512d' into upstream-merge
    
    * commit 'b9bec74bcb16519a876ec21cd5277c526a9b512d':
      kvm: x86: Fix a few coding style violations
      kvm: x86: Prevent sign extension of DR7 in guest debugging mode
      kvm: x86: Remove obsolete SS.RPL/DPL aligment
      kvm: x86: Fix DPL write back of segment registers
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/kvm.c
index c7c3499,fda07d2..28b13fc
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -605,8 -581,6 +608,8 @@@ int kvm_arch_init(KVMState *s, int smp_
      return kvm_init_identity_map_page(s);
  }
  
 +#endif
-                     
++
  static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
  {
      lhs->selector = rhs->selector;
@@@ -645,24 -619,23 +648,24 @@@ static void get_seg(SegmentCache *lhs, 
      lhs->selector = rhs->selector;
      lhs->base = rhs->base;
      lhs->limit = rhs->limit;
-     lhs->flags =
- 	(rhs->type << DESC_TYPE_SHIFT)
- 	| (rhs->present * DESC_P_MASK)
- 	| (rhs->dpl << DESC_DPL_SHIFT)
- 	| (rhs->db << DESC_B_SHIFT)
- 	| (rhs->s * DESC_S_MASK)
- 	| (rhs->l << DESC_L_SHIFT)
- 	| (rhs->g * DESC_G_MASK)
- 	| (rhs->avl * DESC_AVL_MASK);
+     lhs->flags = (rhs->type << DESC_TYPE_SHIFT) |
+                  (rhs->present * DESC_P_MASK) |
+                  (rhs->dpl << DESC_DPL_SHIFT) |
+                  (rhs->db << DESC_B_SHIFT) |
+                  (rhs->s * DESC_S_MASK) |
+                  (rhs->l << DESC_L_SHIFT) |
+                  (rhs->g * DESC_G_MASK) |
+                  (rhs->avl * DESC_AVL_MASK);
  }
  
 +
  static void kvm_getput_reg(__u64 *kvm_reg, target_ulong *qemu_reg, int set)
  {
-     if (set)
+     if (set) {
          *kvm_reg = *qemu_reg;
-     else
+     } else {
          *qemu_reg = *kvm_reg;
+     }
  }
  
  static int kvm_getput_regs(CPUState *env, int set)
commit a508e1f8868c3c9a7565b18b208e4296315c5a30
Merge: 920eafd... 7cc2cc3...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 17:43:06 2011 -0200

    Merge commit '7cc2cc3e2608b182f1e0fc7ecae6e3b1fa4f46e0' into upstream-merge
    
    * commit '7cc2cc3e2608b182f1e0fc7ecae6e3b1fa4f46e0':
      kvm: introduce kvm_inject_x86_mce_on
      kvm: kvm_mce_inj_* subroutines for templated error injections
      kvm: introduce kvm_mce_in_progress
      Add function for checking mca broadcast of CPU
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/kvm.c
index 1e41c44,9a4bf98..c7c3499
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -265,6 -263,23 +263,23 @@@ static void kvm_do_inject_x86_mce(void 
      }
  }
  
+ static void kvm_inject_x86_mce_on(CPUState *env, struct kvm_x86_mce *mce,
+                                   int flag)
+ {
+     struct kvm_x86_mce_data data = {
+         .env = env,
+         .mce = mce,
+         .abort_on_error = (flag & ABORT_ON_ERROR),
+     };
+ 
+     if (!env->mcg_cap) {
+         fprintf(stderr, "MCE support is not enabled!\n");
+         return;
+     }
+ 
 -    run_on_cpu(env, kvm_do_inject_x86_mce, &data);
++    on_vcpu(env, kvm_do_inject_x86_mce, &data);
+ }
+ 
  static void kvm_mce_broadcast_rest(CPUState *env);
  #endif
  
commit 920eafdc87e867a7da8af21b4512ca5372da60de
Merge: 99f4953... 31ce5e0...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 16:57:21 2011 -0200

    Merge commit '31ce5e0c49821d92fb30cce2f3055ef33613b287' into upstream-merge
    
    * commit '31ce5e0c49821d92fb30cce2f3055ef33613b287':
      Add "broadcast" option for mce command
      Clean up cpu_inject_x86_mce()
      kvm: convert kvm_ioctl(KVM_CHECK_EXTENSION) to kvm_check_extension()
      kvm: Enable user space NMI injection for kvm guest
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/kvm.c
index 272594d,8b868ad..1e41c44
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -288,10 -290,15 +290,15 @@@ void kvm_inject_x86_mce(CPUState *cenv
          return;
      }
  
+     if (flag & MCE_BROADCAST) {
+         kvm_mce_broadcast_rest(cenv);
+     }
+ 
 -    run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
 +    on_vcpu(cenv, kvm_do_inject_x86_mce, &data);
  #else
-     if (abort_on_error)
+     if (flag & ABORT_ON_ERROR) {
          abort();
+     }
  #endif
  }
  
commit 99f49536370b440c45c5b6e962b12b1ad95451ed
Merge: 6f32e3d... 225d02c...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Feb 2 16:46:27 2011 -0200

    Merge commit '225d02cd1a34d5d87e8acefbf8e244a5d12f5f8c' into upstream-merge
    
    * commit '225d02cd1a34d5d87e8acefbf8e244a5d12f5f8c':
      Avoid deadlock whith iothread and icount
      microblaze: cleanup helper_addkc
      microblaze: Improve subkc
      microblaze: Fix 3rd addkc arg when rd is r0
      microblaze: Improve addkc
      microblaze: Remove debug leftovers.
      microblaze: Reorganize for future patches
      ppc: Correct BookE tlb reads
      checkpatch: Fix bracing false positives on #else
    
    Conflicts:
    	qemu-timer.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc qemu-timer.c
index d29d2cd,db1ec49..c250706
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@@ -1079,9 -1075,17 +1075,18 @@@ void quit_timers(void
  
  int qemu_calculate_timeout(void)
  {
- #ifndef CONFIG_IOTHREAD
      int timeout;
  
 -#ifdef CONFIG_IOTHREAD
++#define QEMUKVM 1
++#if defined (CONFIG_IOTHREAD) || defined (QEMUKVM)
+     /* When using icount, making forward progress with qemu_icount when the
+        guest CPU is idle is critical. We only use the static io-thread timeout
+        for non icount runs.  */
+     if (!use_icount) {
+         return 1000;
+     }
+ #endif
+ 
      if (!vm_running)
          timeout = 5000;
      else {
commit bfddb47a343b4718e5768aa80bce8adead0f7fca
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Feb 2 08:39:28 2011 +0100

    Open up the 0.15 development branch
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/VERSION b/VERSION
index 0c123d0..d07c6d0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.13.90
+0.14.50
commit 0e192fae3c79e7d2830f8b1fa694cd8e128084cf
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Feb 1 16:59:46 2011 -0600

    Update version for 0.14.0-rc0
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/VERSION b/VERSION
index d82f77b..0c123d0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.13.50
+0.13.90
commit f487d6278f75f84378833b8c3a67443346d639dc
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Feb 1 16:57:00 2011 -0600

    Update SeaBIOS to 0.6.1.2
    
     - 06d0bdd Minor build fixes.
     - 33abfc0 Update version to 0.6.1.2.
     - 484dd56 fix virtio-blk failure after reboot
     - dd9c0d3 Update version to 0.6.1.1.
     - 50ecfa8 mark irq9 active high in DSDT
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/pc-bios/bios.bin b/pc-bios/bios.bin
index f79c342..e191908 100644
Binary files a/pc-bios/bios.bin and b/pc-bios/bios.bin differ
diff --git a/roms/seabios b/roms/seabios
index 0ff9051..06d0bdd 160000
--- a/roms/seabios
+++ b/roms/seabios
@@ -1 +1 @@
-Subproject commit 0ff9051f756ba739bc2edca77925191c3c6cbc2f
+Subproject commit 06d0bdd9e2e20377b3180e4986b14c8549b393e4
commit 5430a28fe452907c9e1b2097e073bc1ea4b29f39
Author: mst at redhat.com <mst at redhat.com>
Date:   Tue Feb 1 22:13:42 2011 +0200

    vhost: force vhost off for non-MSI guests
    
    When MSI is off, each interrupt needs to be bounced through the io
    thread when it's set/cleared, so vhost-net causes more context switches and
    higher CPU utilization than userspace virtio which handles networking in
    the same thread.
    
    We'll need to fix this by adding level irq support in kvm irqfd,
    for now disable vhost-net in these configurations.
    
    Added a vhostforce flag to force vhost-net back on.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/vhost.c b/hw/vhost.c
index 6082da2..38cc3b3 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -581,7 +581,7 @@ static void vhost_virtqueue_cleanup(struct vhost_dev *dev,
                               0, virtio_queue_get_desc_size(vdev, idx));
 }
 
-int vhost_dev_init(struct vhost_dev *hdev, int devfd)
+int vhost_dev_init(struct vhost_dev *hdev, int devfd, bool force)
 {
     uint64_t features;
     int r;
@@ -613,6 +613,7 @@ int vhost_dev_init(struct vhost_dev *hdev, int devfd)
     hdev->log_enabled = false;
     hdev->started = false;
     cpu_register_phys_memory_client(&hdev->client);
+    hdev->force = force;
     return 0;
 fail:
     r = -errno;
@@ -627,6 +628,13 @@ void vhost_dev_cleanup(struct vhost_dev *hdev)
     close(hdev->control);
 }
 
+bool vhost_dev_query(struct vhost_dev *hdev, VirtIODevice *vdev)
+{
+    return !vdev->binding->query_guest_notifiers ||
+        vdev->binding->query_guest_notifiers(vdev->binding_opaque) ||
+        hdev->force;
+}
+
 int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
 {
     int i, r;
diff --git a/hw/vhost.h b/hw/vhost.h
index 86dd834..c8c595a 100644
--- a/hw/vhost.h
+++ b/hw/vhost.h
@@ -38,10 +38,12 @@ struct vhost_dev {
     bool log_enabled;
     vhost_log_chunk_t *log;
     unsigned long long log_size;
+    bool force;
 };
 
-int vhost_dev_init(struct vhost_dev *hdev, int devfd);
+int vhost_dev_init(struct vhost_dev *hdev, int devfd, bool force);
 void vhost_dev_cleanup(struct vhost_dev *hdev);
+bool vhost_dev_query(struct vhost_dev *hdev, VirtIODevice *vdev);
 int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev);
 void vhost_dev_stop(struct vhost_dev *hdev, VirtIODevice *vdev);
 
diff --git a/hw/vhost_net.c b/hw/vhost_net.c
index c068be1..420e05f 100644
--- a/hw/vhost_net.c
+++ b/hw/vhost_net.c
@@ -81,7 +81,8 @@ static int vhost_net_get_fd(VLANClientState *backend)
     }
 }
 
-struct vhost_net *vhost_net_init(VLANClientState *backend, int devfd)
+struct vhost_net *vhost_net_init(VLANClientState *backend, int devfd,
+                                 bool force)
 {
     int r;
     struct vhost_net *net = qemu_malloc(sizeof *net);
@@ -98,7 +99,7 @@ struct vhost_net *vhost_net_init(VLANClientState *backend, int devfd)
         (1 << VHOST_NET_F_VIRTIO_NET_HDR);
     net->backend = r;
 
-    r = vhost_dev_init(&net->dev, devfd);
+    r = vhost_dev_init(&net->dev, devfd, force);
     if (r < 0) {
         goto fail;
     }
@@ -121,6 +122,11 @@ fail:
     return NULL;
 }
 
+bool vhost_net_query(VHostNetState *net, VirtIODevice *dev)
+{
+    return vhost_dev_query(&net->dev, dev);
+}
+
 int vhost_net_start(struct vhost_net *net,
                     VirtIODevice *dev)
 {
@@ -188,15 +194,21 @@ void vhost_net_cleanup(struct vhost_net *net)
     qemu_free(net);
 }
 #else
-struct vhost_net *vhost_net_init(VLANClientState *backend, int devfd)
+struct vhost_net *vhost_net_init(VLANClientState *backend, int devfd,
+                                 bool force)
+{
+    return NULL;
+}
+
+bool vhost_net_query(VHostNetState *net, VirtIODevice *dev)
 {
-	return NULL;
+    return false;
 }
 
 int vhost_net_start(struct vhost_net *net,
 		    VirtIODevice *dev)
 {
-	return -ENOSYS;
+    return -ENOSYS;
 }
 void vhost_net_stop(struct vhost_net *net,
 		    VirtIODevice *dev)
@@ -209,7 +221,7 @@ void vhost_net_cleanup(struct vhost_net *net)
 
 unsigned vhost_net_get_features(struct vhost_net *net, unsigned features)
 {
-	return features;
+    return features;
 }
 void vhost_net_ack_features(struct vhost_net *net, unsigned features)
 {
diff --git a/hw/vhost_net.h b/hw/vhost_net.h
index 6c18ff7..91e40b1 100644
--- a/hw/vhost_net.h
+++ b/hw/vhost_net.h
@@ -6,8 +6,9 @@
 struct vhost_net;
 typedef struct vhost_net VHostNetState;
 
-VHostNetState *vhost_net_init(VLANClientState *backend, int devfd);
+VHostNetState *vhost_net_init(VLANClientState *backend, int devfd, bool force);
 
+bool vhost_net_query(VHostNetState *net, VirtIODevice *dev);
 int vhost_net_start(VHostNetState *net, VirtIODevice *dev);
 void vhost_net_stop(VHostNetState *net, VirtIODevice *dev);
 
diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 161f114..671d952 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -119,7 +119,11 @@ static void virtio_net_vhost_status(VirtIONet *n, uint8_t status)
         return;
     }
     if (!n->vhost_started) {
-        int r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
+        int r;
+        if (!vhost_net_query(tap_get_vhost_net(n->nic->nc.peer), &n->vdev)) {
+            return;
+        }
+        r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
         if (r < 0) {
             error_report("unable to start vhost net: %d: "
                          "falling back on userspace virtio", -r);
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index d07ff97..3911b09 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -595,6 +595,12 @@ static int virtio_pci_set_guest_notifier(void *opaque, int n, bool assign)
     return 0;
 }
 
+static bool virtio_pci_query_guest_notifiers(void *opaque)
+{
+    VirtIOPCIProxy *proxy = opaque;
+    return msix_enabled(&proxy->pci_dev);
+}
+
 static int virtio_pci_set_guest_notifiers(void *opaque, bool assign)
 {
     VirtIOPCIProxy *proxy = opaque;
@@ -658,6 +664,7 @@ static const VirtIOBindings virtio_pci_bindings = {
     .save_queue = virtio_pci_save_queue,
     .load_queue = virtio_pci_load_queue,
     .get_features = virtio_pci_get_features,
+    .query_guest_notifiers = virtio_pci_query_guest_notifiers,
     .set_host_notifier = virtio_pci_set_host_notifier,
     .set_guest_notifiers = virtio_pci_set_guest_notifiers,
     .vmstate_change = virtio_pci_vmstate_change,
diff --git a/hw/virtio.h b/hw/virtio.h
index d8546d5..31d16e1 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -93,6 +93,7 @@ typedef struct {
     int (*load_config)(void * opaque, QEMUFile *f);
     int (*load_queue)(void * opaque, int n, QEMUFile *f);
     unsigned (*get_features)(void * opaque);
+    bool (*query_guest_notifiers)(void * opaque);
     int (*set_guest_notifiers)(void * opaque, bool assigned);
     int (*set_host_notifier)(void * opaque, int n, bool assigned);
     void (*vmstate_change)(void * opaque, bool running);
diff --git a/net/tap.c b/net/tap.c
index eada34a..b8cd252 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -491,8 +491,10 @@ int net_init_tap(QemuOpts *opts, Monitor *mon, const char *name, VLANState *vlan
         }
     }
 
-    if (qemu_opt_get_bool(opts, "vhost", !!qemu_opt_get(opts, "vhostfd"))) {
+    if (qemu_opt_get_bool(opts, "vhost", !!qemu_opt_get(opts, "vhostfd") ||
+                          qemu_opt_get_bool(opts, "vhostforce", false))) {
         int vhostfd, r;
+        bool force = qemu_opt_get_bool(opts, "vhostforce", false);
         if (qemu_opt_get(opts, "vhostfd")) {
             r = net_handle_fd_param(mon, qemu_opt_get(opts, "vhostfd"));
             if (r == -1) {
@@ -502,7 +504,7 @@ int net_init_tap(QemuOpts *opts, Monitor *mon, const char *name, VLANState *vlan
         } else {
             vhostfd = -1;
         }
-        s->vhost_net = vhost_net_init(&s->nc, vhostfd);
+        s->vhost_net = vhost_net_init(&s->nc, vhostfd, force);
         if (!s->vhost_net) {
             error_report("vhost-net requested but could not be initialized");
             return -1;
diff --git a/qemu-options.hx b/qemu-options.hx
index 598a1bd..945edf3 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1050,7 +1050,7 @@ DEF("net", HAS_ARG, QEMU_OPTION_net,
     "-net tap[,vlan=n][,name=str],ifname=name\n"
     "                connect the host TAP network interface to VLAN 'n'\n"
 #else
-    "-net tap[,vlan=n][,name=str][,fd=h][,ifname=name][,script=file][,downscript=dfile][,sndbuf=nbytes][,vnet_hdr=on|off][,vhost=on|off][,vhostfd=h]\n"
+    "-net tap[,vlan=n][,name=str][,fd=h][,ifname=name][,script=file][,downscript=dfile][,sndbuf=nbytes][,vnet_hdr=on|off][,vhost=on|off][,vhostfd=h][,vhostforce=on|off]\n"
     "                connect the host TAP network interface to VLAN 'n' and use the\n"
     "                network scripts 'file' (default=" DEFAULT_NETWORK_SCRIPT ")\n"
     "                and 'dfile' (default=" DEFAULT_NETWORK_DOWN_SCRIPT ")\n"
@@ -1061,6 +1061,8 @@ DEF("net", HAS_ARG, QEMU_OPTION_net,
     "                use vnet_hdr=off to avoid enabling the IFF_VNET_HDR tap flag\n"
     "                use vnet_hdr=on to make the lack of IFF_VNET_HDR support an error condition\n"
     "                use vhost=on to enable experimental in kernel accelerator\n"
+    "                    (only has effect for virtio guests which use MSIX)\n"
+    "                use vhostforce=on to force vhost on for non-MSIX virtio guests\n"
     "                use 'vhostfd=h' to connect to an already opened vhost net device\n"
 #endif
     "-net socket[,vlan=n][,name=str][,fd=h][,listen=[host]:port][,connect=host:port]\n"
commit f157ed202e51dc2492b201dc34ed28e89c973fb7
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Feb 1 14:25:40 2011 +0200

    tap: safe sndbuf default
    
    With current sndbuf default value, a blocked
    target guest can prevent another guest from
    transmitting any packets. While current
    sndbuf value (1M) is reported to help some
    UDP based workloads, the default should
    be safe (0).
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/net/tap-linux.c b/net/tap-linux.c
index f7aa904..ff8cad0 100644
--- a/net/tap-linux.c
+++ b/net/tap-linux.c
@@ -82,12 +82,17 @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr, int vnet_hdr_required
     return fd;
 }
 
-/* sndbuf should be set to a value lower than the tx queue
- * capacity of any destination network interface.
+/* sndbuf implements a kind of flow control for tap.
+ * Unfortunately when it's enabled, and packets are sent
+ * to other guests on the same host, the receiver
+ * can lock up the transmitter indefinitely.
+ *
+ * To avoid packet loss, sndbuf should be set to a value lower than the tx
+ * queue capacity of any destination network interface.
  * Ethernet NICs generally have txqueuelen=1000, so 1Mb is
- * a good default, given a 1500 byte MTU.
+ * a good value, given a 1500 byte MTU.
  */
-#define TAP_DEFAULT_SNDBUF 1024*1024
+#define TAP_DEFAULT_SNDBUF 0
 
 int tap_set_sndbuf(int fd, QemuOpts *opts)
 {
diff --git a/qemu-options.hx b/qemu-options.hx
index 939297a..598a1bd 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1057,7 +1057,7 @@ DEF("net", HAS_ARG, QEMU_OPTION_net,
     "                use '[down]script=no' to disable script execution\n"
     "                use 'fd=h' to connect to an already opened TAP interface\n"
     "                use 'sndbuf=nbytes' to limit the size of the send buffer (the\n"
-    "                default of 'sndbuf=1048576' can be disabled using 'sndbuf=0')\n"
+    "                default is disabled 'sndbuf=0' to enable flow control set 'sndbuf=1048576')\n"
     "                use vnet_hdr=off to avoid enabling the IFF_VNET_HDR tap flag\n"
     "                use vnet_hdr=on to make the lack of IFF_VNET_HDR support an error condition\n"
     "                use vhost=on to enable experimental in kernel accelerator\n"
commit 466b58648a7b2ba7edb280b585e0b0c26e3be31e
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Jan 30 12:29:19 2011 +0200

    Add boot index documentation.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/docs/bootindex.txt b/docs/bootindex.txt
new file mode 100644
index 0000000..16083b3
--- /dev/null
+++ b/docs/bootindex.txt
@@ -0,0 +1,43 @@
+= Bootindex propery =
+
+Block and net devices have bootindex property. This property is used to
+determine the order in which firmware will consider devices for booting
+the guest OS. If the bootindex property is not set for a device, it gets
+lowest boot priority. There is no particular order in which devices with
+unset bootindex property will be considered for booting, but they will
+still be bootable.
+
+== Example ==
+
+Lets assume we have QEMU machine with two NICs (virtio, e1000) and two
+disks (IDE, virtio):
+
+qemu -drive file=disk1.img,if=none,id=disk1
+     -device ide-drive,drive=disk1,bootindex=4
+     -drive file=disk2.img,if=none,id=disk2
+     -device virtio-blk-pci,drive=disk2,bootindex=3
+     -netdev type=user,id=net0 -device virtio-net-pci,netdev=net0,bootindex=2
+     -netdev type=user,id=net1 -device e1000,netdev=net1,bootindex=1
+
+Given the command above, firmware should try to boot from the e1000 NIC
+first.  If this fails, it should try the virtio NIC next, if this fails
+too, it should try the virtio disk, and then the IDE disk.
+
+== Limitations ==
+
+1. Some firmware has limitations on which devices can be considered for
+booting.  For instance, the PC BIOS boot specification allows only one
+disk to be bootable.  If boot from disk fails for some reason, the BIOS
+won't retry booting from other disk.  It still can try to boot from
+floppy or net, though.
+
+2. Sometimes, firmware cannot map the device path QEMU wants firmware to
+boot from to a boot method.  It doesn't happen for devices the firmware
+can natively boot from, but if firmware relies on an option ROM for
+booting, and the same option ROM is used for booting from more then one
+device, the firmware may not be able to ask the option ROM to boot from
+a particular device reliably.  For instance with PC BIOS, if a SCSI HBA
+has three bootable devices target1, target3, target5 connected to it,
+the option ROM will have a boot method for each of them, but it is not
+possible to map from boot method back to a specific target.  This is a
+shortcoming of PC BIOS boot specification.
commit cf8ce30d03339861a46c31aa44c11279c282f2b0
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Jan 30 12:29:18 2011 +0200

    Add bootindex handling into usb storage device.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 97d1e4a..76f5b02 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -532,6 +532,7 @@ static int usb_msd_initfn(USBDevice *dev)
         }
     }
 
+    add_boot_device_path(s->conf.bootindex, &dev->qdev, "/disk at 0,0");
     return 0;
 }
 
@@ -595,6 +596,7 @@ static USBDevice *usb_msd_init(const char *filename)
 static struct USBDeviceInfo msd_info = {
     .product_desc   = "QEMU USB MSD",
     .qdev.name      = "usb-storage",
+    .qdev.fw_name      = "storage",
     .qdev.size      = sizeof(MSDState),
     .usb_desc       = &desc,
     .init           = usb_msd_initfn,
commit 363f8cb9bcd308bd03d28e04ea5f5557dea5d5e8
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:54 2010 +0100

    fix QemuOpts leak
    
    Now that no backend's open function saves the passed QemuOpts, fix a leak
    in the qemu_chr_open backwards-compatible parser.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-char.c b/qemu-char.c
index bb0c32d..ee4f4ca 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2559,6 +2559,7 @@ CharDriverState *qemu_chr_open(const char *label, const char *filename, void (*i
     if (chr && qemu_opt_get_bool(opts, "mux", 0)) {
         monitor_init(chr, MONITOR_USE_READLINE);
     }
+    qemu_opts_del(opts);
     return chr;
 }
 
commit 44b37b933745a9005504427dec06f4066af9762e
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:53 2010 +0100

    remove text_console_opts
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/console.c b/console.c
index 60b80ee..57d6eb5 100644
--- a/console.c
+++ b/console.c
@@ -1437,7 +1437,6 @@ void console_color_init(DisplayState *ds)
 
 static int n_text_consoles;
 static CharDriverState *text_consoles[128];
-static QemuOpts *text_console_opts[128];
 
 static void text_console_set_echo(CharDriverState *chr, bool echo)
 {
@@ -1446,7 +1445,7 @@ static void text_console_set_echo(CharDriverState *chr, bool echo)
     s->echo = echo;
 }
 
-static void text_console_do_init(CharDriverState *chr, DisplayState *ds, QemuOpts *opts)
+static void text_console_do_init(CharDriverState *chr, DisplayState *ds)
 {
     TextConsole *s;
     static int color_inited;
@@ -1520,7 +1519,6 @@ CharDriverState *text_console_init(QemuOpts *opts)
         exit(1);
     }
     text_consoles[n_text_consoles] = chr;
-    text_console_opts[n_text_consoles] = opts;
     n_text_consoles++;
 
     width = qemu_opt_get_number(opts, "width", 0);
@@ -1555,9 +1553,7 @@ void text_consoles_set_display(DisplayState *ds)
     int i;
 
     for (i = 0; i < n_text_consoles; i++) {
-        text_console_do_init(text_consoles[i], ds, text_console_opts[i]);
-        qemu_opts_del(text_console_opts[i]);
-        text_console_opts[i] = NULL;
+        text_console_do_init(text_consoles[i], ds);
     }
 
     n_text_consoles = 0;
commit 4104833f51e9c2e7a3def0411e48159e77bf7906
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:52 2010 +0100

    add set_echo implementation for text consoles
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/console.c b/console.c
index 42c2ee3..60b80ee 100644
--- a/console.c
+++ b/console.c
@@ -137,6 +137,7 @@ struct TextConsole {
     TextAttributes t_attrib; /* currently active text attributes */
     TextCell *cells;
     int text_x[2], text_y[2], cursor_invalidate;
+    int echo;
 
     int update_x0;
     int update_y0;
@@ -1177,8 +1178,14 @@ void kbd_put_keysym(int keysym)
             *q++ = '\033';
             *q++ = '[';
             *q++ = keysym & 0xff;
+        } else if (s->echo && (keysym == '\r' || keysym == '\n')) {
+            console_puts(s->chr, (const uint8_t *) "\r", 1);
+            *q++ = '\n';
         } else {
-                *q++ = keysym;
+            *q++ = keysym;
+        }
+        if (s->echo) {
+            console_puts(s->chr, buf, q - buf);
         }
         if (s->chr->chr_read) {
             qemu_fifo_write(&s->out_fifo, buf, q - buf);
@@ -1432,6 +1439,13 @@ static int n_text_consoles;
 static CharDriverState *text_consoles[128];
 static QemuOpts *text_console_opts[128];
 
+static void text_console_set_echo(CharDriverState *chr, bool echo)
+{
+    TextConsole *s = chr->opaque;
+
+    s->echo = echo;
+}
+
 static void text_console_do_init(CharDriverState *chr, DisplayState *ds, QemuOpts *opts)
 {
     TextConsole *s;
@@ -1532,6 +1546,7 @@ CharDriverState *text_console_init(QemuOpts *opts)
     s->g_width = width;
     s->g_height = height;
     chr->opaque = s;
+    chr->chr_set_echo = text_console_set_echo;
     return chr;
 }
 
commit 491e114a953d746b5787e72516d052aef0b67bc4
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:51 2010 +0100

    create TextConsole together with the CharDeviceState
    
    A nicer solution would be to get rid of the opaque pointer and
    use containment, but it would also be a much bigger patch.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/console.c b/console.c
index c1728b1..42c2ee3 100644
--- a/console.c
+++ b/console.c
@@ -1435,35 +1435,13 @@ static QemuOpts *text_console_opts[128];
 static void text_console_do_init(CharDriverState *chr, DisplayState *ds, QemuOpts *opts)
 {
     TextConsole *s;
-    unsigned width;
-    unsigned height;
     static int color_inited;
 
-    width = qemu_opt_get_number(opts, "width", 0);
-    if (width == 0)
-        width = qemu_opt_get_number(opts, "cols", 0) * FONT_WIDTH;
-
-    height = qemu_opt_get_number(opts, "height", 0);
-    if (height == 0)
-        height = qemu_opt_get_number(opts, "rows", 0) * FONT_HEIGHT;
-
-    if (width == 0 || height == 0) {
-        s = new_console(ds, TEXT_CONSOLE);
-        width = ds_get_width(s->ds);
-        height = ds_get_height(s->ds);
-    } else {
-        s = new_console(ds, TEXT_CONSOLE_FIXED_SIZE);
-    }
+    s = chr->opaque;
 
-    if (!s) {
-        free(chr);
-        return;
-    }
-    chr->opaque = s;
     chr->chr_write = console_puts;
     chr->chr_send_event = console_send_event;
 
-    s->chr = chr;
     s->out_fifo.buf = s->out_fifo_buf;
     s->out_fifo.buf_size = sizeof(s->out_fifo_buf);
     s->kbd_timer = qemu_new_timer(rt_clock, kbd_send_chars, s);
@@ -1478,8 +1456,10 @@ static void text_console_do_init(CharDriverState *chr, DisplayState *ds, QemuOpt
     s->total_height = DEFAULT_BACKSCROLL;
     s->x = 0;
     s->y = 0;
-    s->g_width = width;
-    s->g_height = height;
+    if (s->console_type == TEXT_CONSOLE) {
+        s->g_width = ds_get_width(s->ds);
+        s->g_height = ds_get_height(s->ds);
+    }
 
     s->hw_invalidate = text_console_invalidate;
     s->hw_text_update = text_console_update;
@@ -1515,6 +1495,9 @@ static void text_console_do_init(CharDriverState *chr, DisplayState *ds, QemuOpt
 CharDriverState *text_console_init(QemuOpts *opts)
 {
     CharDriverState *chr;
+    TextConsole *s;
+    unsigned width;
+    unsigned height;
 
     chr = qemu_mallocz(sizeof(CharDriverState));
 
@@ -1526,6 +1509,29 @@ CharDriverState *text_console_init(QemuOpts *opts)
     text_console_opts[n_text_consoles] = opts;
     n_text_consoles++;
 
+    width = qemu_opt_get_number(opts, "width", 0);
+    if (width == 0)
+        width = qemu_opt_get_number(opts, "cols", 0) * FONT_WIDTH;
+
+    height = qemu_opt_get_number(opts, "height", 0);
+    if (height == 0)
+        height = qemu_opt_get_number(opts, "rows", 0) * FONT_HEIGHT;
+
+    if (width == 0 || height == 0) {
+        s = new_console(NULL, TEXT_CONSOLE);
+    } else {
+        s = new_console(NULL, TEXT_CONSOLE_FIXED_SIZE);
+    }
+
+    if (!s) {
+        free(chr);
+        return NULL;
+    }
+
+    s->chr = chr;
+    s->g_width = width;
+    s->g_height = height;
+    chr->opaque = s;
     return chr;
 }
 
commit bb002513a9bd2bff169c3d431a8f00c5b2e3aa99
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:50 2010 +0100

    add set_echo implementation for qemu_chr_stdio
    
    This also requires moving QemuOpts out of term_init.
    
    Clearing ISIG is independent of whether echo is enabled or disabled.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-char.c b/qemu-char.c
index a6ea516..bb0c32d 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -716,6 +716,7 @@ static void stdio_read(void *opaque)
 /* init terminal so that we can grab keys */
 static struct termios oldtty;
 static int old_fd0_flags;
+static bool stdio_allow_signal;
 
 static void term_exit(void)
 {
@@ -723,22 +724,24 @@ static void term_exit(void)
     fcntl(0, F_SETFL, old_fd0_flags);
 }
 
-static void term_init(QemuOpts *opts)
+static void qemu_chr_set_echo_stdio(CharDriverState *chr, bool echo)
 {
     struct termios tty;
 
     tty = oldtty;
-    tty.c_iflag &= ~(IGNBRK|BRKINT|PARMRK|ISTRIP
+    if (!echo) {
+        tty.c_iflag &= ~(IGNBRK|BRKINT|PARMRK|ISTRIP
                           |INLCR|IGNCR|ICRNL|IXON);
-    tty.c_oflag |= OPOST;
-    tty.c_lflag &= ~(ECHO|ECHONL|ICANON|IEXTEN);
+        tty.c_oflag |= OPOST;
+        tty.c_lflag &= ~(ECHO|ECHONL|ICANON|IEXTEN);
+        tty.c_cflag &= ~(CSIZE|PARENB);
+        tty.c_cflag |= CS8;
+        tty.c_cc[VMIN] = 1;
+        tty.c_cc[VTIME] = 0;
+    }
     /* if graphical mode, we allow Ctrl-C handling */
-    if (!qemu_opt_get_bool(opts, "signal", display_type != DT_NOGRAPHIC))
+    if (!stdio_allow_signal)
         tty.c_lflag &= ~ISIG;
-    tty.c_cflag &= ~(CSIZE|PARENB);
-    tty.c_cflag |= CS8;
-    tty.c_cc[VMIN] = 1;
-    tty.c_cc[VTIME] = 0;
 
     tcsetattr (0, TCSANOW, &tty);
 }
@@ -766,9 +769,12 @@ static CharDriverState *qemu_chr_open_stdio(QemuOpts *opts)
 
     chr = qemu_chr_open_fd(0, 1);
     chr->chr_close = qemu_chr_close_stdio;
+    chr->chr_set_echo = qemu_chr_set_echo_stdio;
     qemu_set_fd_handler2(0, stdio_read_poll, stdio_read, NULL, chr);
     stdio_nb_clients++;
-    term_init(opts);
+    stdio_allow_signal = qemu_opt_get_bool(opts, "signal",
+                                           display_type != DT_NOGRAPHIC);
+    qemu_chr_set_echo(chr, false);
 
     return chr;
 }
commit 0369364be871f9c4b4429a69ddcd2ba21be34ea3
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:49 2010 +0100

    move atexit(term_exit) and O_NONBLOCK to qemu_chr_open_stdio
    
    In the next patch, term_init will be changed to enable or disable
    echo at will.  Move extraneous stuff out of it.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-char.c b/qemu-char.c
index b95cfdc..a6ea516 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -716,7 +716,6 @@ static void stdio_read(void *opaque)
 /* init terminal so that we can grab keys */
 static struct termios oldtty;
 static int old_fd0_flags;
-static int term_atexit_done;
 
 static void term_exit(void)
 {
@@ -728,10 +727,7 @@ static void term_init(QemuOpts *opts)
 {
     struct termios tty;
 
-    tcgetattr (0, &tty);
-    oldtty = tty;
-    old_fd0_flags = fcntl(0, F_GETFL);
-
+    tty = oldtty;
     tty.c_iflag &= ~(IGNBRK|BRKINT|PARMRK|ISTRIP
                           |INLCR|IGNCR|ICRNL|IXON);
     tty.c_oflag |= OPOST;
@@ -745,11 +741,6 @@ static void term_init(QemuOpts *opts)
     tty.c_cc[VTIME] = 0;
 
     tcsetattr (0, TCSANOW, &tty);
-
-    if (!term_atexit_done++)
-        atexit(term_exit);
-
-    fcntl(0, F_SETFL, O_NONBLOCK);
 }
 
 static void qemu_chr_close_stdio(struct CharDriverState *chr)
@@ -766,6 +757,13 @@ static CharDriverState *qemu_chr_open_stdio(QemuOpts *opts)
 
     if (stdio_nb_clients >= STDIO_MAX_CLIENTS)
         return NULL;
+    if (stdio_nb_clients == 0) {
+        old_fd0_flags = fcntl(0, F_GETFL);
+        tcgetattr (0, &oldtty);
+        fcntl(0, F_SETFL, O_NONBLOCK);
+        atexit(term_exit);
+    }
+
     chr = qemu_chr_open_fd(0, 1);
     chr->chr_close = qemu_chr_close_stdio;
     qemu_set_fd_handler2(0, stdio_read_poll, stdio_read, NULL, chr);
commit c48855e1404e9b5857e07b7839f806fa98b4abdc
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:48 2010 +0100

    add qemu_chr_set_echo
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/monitor.c b/monitor.c
index 34c347c..7fc311d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -5175,6 +5175,7 @@ void monitor_init(CharDriverState *chr, int flags)
         /* Control mode requires special handlers */
         qemu_chr_add_handlers(chr, monitor_can_read, monitor_control_read,
                               monitor_control_event, mon);
+        qemu_chr_set_echo(chr, true);
     } else {
         qemu_chr_add_handlers(chr, monitor_can_read, monitor_read,
                               monitor_event, mon);
diff --git a/qemu-char.c b/qemu-char.c
index b570d60..b95cfdc 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2558,6 +2558,13 @@ CharDriverState *qemu_chr_open(const char *label, const char *filename, void (*i
     return chr;
 }
 
+void qemu_chr_set_echo(struct CharDriverState *chr, bool echo)
+{
+    if (chr->chr_set_echo) {
+        chr->chr_set_echo(chr, echo);
+    }
+}
+
 void qemu_chr_close(CharDriverState *chr)
 {
     QTAILQ_REMOVE(&chardevs, chr, next);
diff --git a/qemu-char.h b/qemu-char.h
index e6ee6c4..56d9954 100644
--- a/qemu-char.h
+++ b/qemu-char.h
@@ -64,6 +64,7 @@ struct CharDriverState {
     void (*chr_send_event)(struct CharDriverState *chr, int event);
     void (*chr_close)(struct CharDriverState *chr);
     void (*chr_accept_input)(struct CharDriverState *chr);
+    void (*chr_set_echo)(struct CharDriverState *chr, bool echo);
     void *opaque;
     QEMUBH *bh;
     char *label;
@@ -76,6 +77,7 @@ QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename);
 CharDriverState *qemu_chr_open_opts(QemuOpts *opts,
                                     void (*init)(struct CharDriverState *s));
 CharDriverState *qemu_chr_open(const char *label, const char *filename, void (*init)(struct CharDriverState *s));
+void qemu_chr_set_echo(struct CharDriverState *chr, bool echo);
 void qemu_chr_close(CharDriverState *chr);
 void qemu_chr_printf(CharDriverState *s, const char *fmt, ...)
     GCC_FMT_ATTR(2, 3);
commit d55dbc3acdaf92b42c7fd077c8b6c1392131c043
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 13:42:47 2010 +0100

    remove broken code for tty
    
    This code is taking the settings for a serial port and moving it to
    fd 0 when qemu exits.  This is likely just cut-and-paste, rip it.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-char.c b/qemu-char.c
index acc7130..b570d60 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -1013,9 +1013,6 @@ static void tty_serial_init(int fd, int speed,
            speed, parity, data_bits, stop_bits);
 #endif
     tcgetattr (fd, &tty);
-    if (!term_atexit_done) {
-        oldtty = tty;
-    }
 
 #define check_speed(val) if (speed <= val) { spd = B##val; break; }
     speed = speed * 10 / 11;
@@ -1187,11 +1184,6 @@ static int tty_serial_ioctl(CharDriverState *chr, int cmd, void *arg)
     return 0;
 }
 
-static void tty_exit(void)
-{
-    tcsetattr(0, TCSANOW, &oldtty);
-}
-
 static void qemu_chr_close_tty(CharDriverState *chr)
 {
     FDCharDriver *s = chr->opaque;
@@ -1226,8 +1218,6 @@ static CharDriverState *qemu_chr_open_tty(QemuOpts *opts)
     }
     chr->chr_ioctl = tty_serial_ioctl;
     chr->chr_close = qemu_chr_close_tty;
-    if (!term_atexit_done++)
-        atexit(tty_exit);
     return chr;
 }
 #else  /* ! __linux__ && ! __sun__ */
commit b3a98367eec7b2d87acca54ef5e4de3b0e0a7ed5
Merge: 9363ee3... c5999bf...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Feb 1 15:23:24 2011 -0600

    Merge remote branch 'qemu-kvm/uq/master' into staging
    
    aliguori: fix build with !defined(KVM_CAP_ASYNC_PF)
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --cc target-i386/kvm.c
index 7dfc357,8e8880a..05010bb
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -170,14 -160,15 +160,17 @@@ struct kvm_para_features 
  
  static int get_para_features(CPUState *env)
  {
-         int i, features = 0;
+     int i, features = 0;
  
-         for (i = 0; i < ARRAY_SIZE(para_features) - 1; i++) {
-                 if (kvm_check_extension(env->kvm_state, para_features[i].cap))
-                         features |= (1 << para_features[i].feature);
+     for (i = 0; i < ARRAY_SIZE(para_features) - 1; i++) {
+         if (kvm_check_extension(env->kvm_state, para_features[i].cap)) {
+             features |= (1 << para_features[i].feature);
          }
- 
-         return features;
+     }
++#ifdef KVM_CAP_ASYNC_PF
+     has_msr_async_pf_en = features & (1 << KVM_FEATURE_ASYNC_PF);
++#endif
+     return features;
  }
  #endif
  
commit 9363ee31ab53fc0fd39fbe5936d9c00a2f4e54a4
Merge: cfb41c8... cbcc633...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Feb 1 15:22:48 2011 -0600

    Merge remote branch 'spice/spice.v29.pull' into staging
    
    Conflicts:
    	trace-events

diff --cc trace-events
index c75a7a9,ed754f5..e6138ea
--- a/trace-events
+++ b/trace-events
@@@ -225,26 -225,8 +225,32 @@@ disable qed_aio_write_prefill(void *s, 
  disable qed_aio_write_postfill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
  disable qed_aio_write_main(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
  
 +# hw/grlib_gptimer.c
 +disable grlib_gptimer_enable(int id, uint32_t count) "timer:%d set count 0x%x and run"
 +disable grlib_gptimer_disabled(int id, uint32_t config) "timer:%d Timer disable config 0x%x"
 +disable grlib_gptimer_restart(int id, uint32_t reload) "timer:%d reload val: 0x%x"
 +disable grlib_gptimer_set_scaler(uint32_t scaler, uint32_t freq) "scaler:0x%x freq: 0x%x"
 +disable grlib_gptimer_hit(int id) "timer:%d HIT"
 +disable grlib_gptimer_readl(int id, const char *s, uint32_t val) "timer:%d %s 0x%x"
 +disable grlib_gptimer_writel(int id, const char *s, uint32_t val) "timer:%d %s 0x%x"
 +disable grlib_gptimer_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
 +
 +# hw/grlib_irqmp.c
 +disable grlib_irqmp_check_irqs(uint32_t pend, uint32_t force, uint32_t mask, uint32_t lvl1, uint32_t lvl2) "pend:0x%04x force:0x%04x mask:0x%04x lvl1:0x%04x lvl0:0x%04x\n"
 +disable grlib_irqmp_ack(int intno) "interrupt:%d"
 +disable grlib_irqmp_set_irq(int irq) "Raise CPU IRQ %d"
 +disable grlib_irqmp_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
 +
 +# hw/grlib_apbuart.c
 +disable grlib_apbuart_event(int event) "event:%d"
 +disable grlib_apbuart_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
 +
 +# hw/leon3.c
 +disable leon3_set_irq(int intno) "Set CPU IRQ %d"
 +disable leon3_reset_irq(int intno) "Reset CPU IRQ %d"
++
+ # spice-qemu-char.c
+ disable spice_vmc_write(ssize_t out, int len) "spice wrottn %lu of requested %zd"
+ disable spice_vmc_read(int bytes, int len) "spice read %lu of requested %zd"
+ disable spice_vmc_register_interface(void *scd) "spice vmc registered interface %p"
+ disable spice_vmc_unregister_interface(void *scd) "spice vmc unregistered interface %p"
commit cfb41c82ab9c468e599d3603ffcebeb81b6577ca
Merge: e54b7f5... ea87e95...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Feb 1 15:21:23 2011 -0600

    Merge remote branch 'spice/usb.5' into staging

commit e54b7f5256659dddaf6b5c021847859829d7ebd7
Merge: 1cd20f8... 37f95bf...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Feb 1 15:20:56 2011 -0600

    Merge remote branch 'amit/for-anthony' into staging

commit 1cd20f8bf0ecb9d1d1bd5e2ffab3b88835380c9b
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Jan 31 14:27:36 2011 -0600

    vnc: Fix password expiration through 'change vnc ""' (v2)
    
    commit 52c18be9e99dabe295321153fda7fce9f76647ac introduced a regression in the
    change vnc password command that changed the behavior of setting the VNC
    password to an empty string from disabling login to disabling authentication.
    
    This commit refactors the code to eliminate this overloaded semantics in
    vnc_display_password and instead introduces the vnc_display_disable_login.   The
    monitor implementation then determines the behavior of an empty or missing
    string.
    
    Recently, a set_password command was added that allows both the Spice and VNC
    password to be set.  This command has not shown up in a release yet so the
    behavior is not yet defined.
    
    This patch proposes that an empty password be treated as an empty password with
    no special handling.  For specifically disabling login, I believe a new command
    should be introduced instead of overloading semantics.
    
    I'm not sure how Spice handles this but I would recommend that we have Spice
    and VNC have consistent semantics here for the 0.14.0 release.
    
    Reported-by: Neil Wilson <neil at aldur.co.uk>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    ---
    v1 -> v2
     - Add a proper return to make sure that login is really disabled instead of
       relying on the VNC server to treat empty passwords specially

diff --git a/console.h b/console.h
index 3157330..f4e4741 100644
--- a/console.h
+++ b/console.h
@@ -369,6 +369,7 @@ void vnc_display_init(DisplayState *ds);
 void vnc_display_close(DisplayState *ds);
 int vnc_display_open(DisplayState *ds, const char *display);
 int vnc_display_password(DisplayState *ds, const char *password);
+int vnc_display_disable_login(DisplayState *ds);
 int vnc_display_pw_expire(DisplayState *ds, time_t expires);
 void do_info_vnc_print(Monitor *mon, const QObject *data);
 void do_info_vnc(Monitor *mon, QObject **ret_data);
diff --git a/monitor.c b/monitor.c
index c5f54f4..64e41e3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1018,6 +1018,14 @@ static int do_quit(Monitor *mon, const QDict *qdict, QObject **ret_data)
 
 static int change_vnc_password(const char *password)
 {
+    if (!password || !password[0]) {
+        if (vnc_display_disable_login(NULL)) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
     if (vnc_display_password(NULL, password) < 0) {
         qerror_report(QERR_SET_PASSWD_FAILED);
         return -1;
@@ -1117,6 +1125,8 @@ static int set_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
             qerror_report(QERR_INVALID_PARAMETER, "connected");
             return -1;
         }
+        /* Note that setting an empty password will not disable login through
+         * this interface. */
         rc = vnc_display_password(NULL, password);
         if (rc != 0) {
             qerror_report(QERR_SET_PASSWD_FAILED);
diff --git a/ui/vnc.c b/ui/vnc.c
index 495d6d6..8067b31 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2084,7 +2084,7 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
     unsigned char key[8];
     time_t now = time(NULL);
 
-    if (!vs->vd->password || !vs->vd->password[0]) {
+    if (!vs->vd->password) {
         VNC_DEBUG("No password configured on server");
         goto reject;
     }
@@ -2484,6 +2484,24 @@ void vnc_display_close(DisplayState *ds)
 #endif
 }
 
+int vnc_display_disable_login(DisplayState *ds)
+{
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
+
+    if (!vs) {
+        return -1;
+    }
+
+    if (vs->password) {
+        qemu_free(vs->password);
+    }
+
+    vs->password = NULL;
+    vs->auth = VNC_AUTH_VNC;
+
+    return 0;
+}
+
 int vnc_display_password(DisplayState *ds, const char *password)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
@@ -2492,19 +2510,18 @@ int vnc_display_password(DisplayState *ds, const char *password)
         return -1;
     }
 
+    if (!password) {
+        /* This is not the intention of this interface but err on the side
+           of being safe */
+        return vnc_display_disable_login(ds);
+    }
+
     if (vs->password) {
         qemu_free(vs->password);
         vs->password = NULL;
     }
-    if (password && password[0]) {
-        if (!(vs->password = qemu_strdup(password)))
-            return -1;
-        if (vs->auth == VNC_AUTH_NONE) {
-            vs->auth = VNC_AUTH_VNC;
-        }
-    } else {
-        vs->auth = VNC_AUTH_NONE;
-    }
+    vs->password = qemu_strdup(password);
+    vs->auth = VNC_AUTH_VNC;
 
     return 0;
 }
commit e321c34aa1d2560bea4d525af66417147467c515
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Feb 1 15:54:52 2011 +0000

    linux-user: avoid gcc array overrun warning for sparc
    
    Suppress a gcc array bounds overrun warning when filling in the SPARC
    signal frame by adjusting our definition of the structure so that the
    fp and callers_pc membes are part of the ins[] array rather than
    separate fields; since qemu has no need to access the fields individually
    there is no need to follow the kernel's structure field naming exactly.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 0664770..b01bd64 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1817,9 +1817,10 @@ struct target_sigcontext {
 /* A Sparc stack frame */
 struct sparc_stackf {
         abi_ulong locals[8];
-        abi_ulong ins[6];
-        struct sparc_stackf *fp;
-        abi_ulong callers_pc;
+        abi_ulong ins[8];
+        /* It's simpler to treat fp and callers_pc as elements of ins[]
+         * since we never need to access them ourselves.
+         */
         char *structptr;
         abi_ulong xargs[6];
         abi_ulong xxargs[1];
commit c84a88d8cb298b6757ad01a12a8bbba66cb6eaa2
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Jan 31 10:42:26 2011 +0000

    hw/slavio_intctl.c: fix gcc warning about array bounds overrun
    
    The Ubuntu 10.10 gcc for ARM complains that we might be overrunning
    the cpu_irqs[][] array: silence this by correcting the bounds on the
    loop. (In fact we would not have overrun the array because bit
    MAX_PILS in pil_pending and irl_out will always be 0.)
    
    Also add a comment about why the loop's lower bound is OK.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/slavio_intctl.c b/hw/slavio_intctl.c
index fd69354..a83e5b8 100644
--- a/hw/slavio_intctl.c
+++ b/hw/slavio_intctl.c
@@ -289,7 +289,12 @@ static void slavio_check_interrupts(SLAVIO_INTCTLState *s, int set_irqs)
         pil_pending |= (s->slaves[i].intreg_pending & CPU_SOFTIRQ_MASK) >> 16;
 
         if (set_irqs) {
-            for (j = MAX_PILS; j > 0; j--) {
+            /* Since there is not really an interrupt 0 (and pil_pending
+             * and irl_out bit zero are thus always zero) there is no need
+             * to do anything with cpu_irqs[i][0] and it is OK not to do
+             * the j=0 iteration of this loop.
+             */
+            for (j = MAX_PILS-1; j > 0; j--) {
                 if (pil_pending & (1 << j)) {
                     if (!(s->slaves[i].irl_out & (1 << j))) {
                         qemu_irq_raise(s->cpu_irqs[i][j]);
commit 60f356e86d66a4a22530ec7570f7582af602d200
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Mon Jan 31 11:36:54 2011 +0100

    SPARC: Fix Leon3 cache control
    
    The "leon3_cache_control_int" (op_helper.c) function is called within leon3.c
    which leads to segfault error with the global "env".
    
    Now cache control is a CPU feature and everything is handled in op_helper.c.
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/leon3.c b/hw/leon3.c
index 69d8f3b..919f49f 100644
--- a/hw/leon3.c
+++ b/hw/leon3.c
@@ -56,10 +56,9 @@ static void main_cpu_reset(void *opaque)
     env->npc    = s->entry + 4;
 }
 
-static void leon3_irq_ack(void *irq_manager, int intno)
+void leon3_irq_ack(void *irq_manager, int intno)
 {
     grlib_irqmp_ack((DeviceState *)irq_manager, intno);
-    leon3_cache_control_int();
 }
 
 static void leon3_set_pil_in(void *opaque, uint32_t pil_in)
@@ -130,7 +129,7 @@ static void leon3_generic_hw_init(ram_addr_t  ram_size,
     /* Allocate IRQ manager */
     grlib_irqmp_create(0x80000200, env, &cpu_irqs, MAX_PILS, &leon3_set_pil_in);
 
-    env->qemu_irq_ack = leon3_irq_ack;
+    env->qemu_irq_ack = leon3_irq_manager;
 
     /* Allocate RAM */
     if ((uint64_t)ram_size > (1UL << 30)) {
diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index 6f5990b..320530e 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -268,6 +268,8 @@ typedef struct sparc_def_t {
 #define CPU_FEATURE_GL           (1 << 13)
 #define CPU_FEATURE_TA0_SHUTDOWN (1 << 14) /* Shutdown on "ta 0x0" */
 #define CPU_FEATURE_ASR17        (1 << 15)
+#define CPU_FEATURE_CACHE_CTRL   (1 << 16)
+
 #ifndef TARGET_SPARC64
 #define CPU_DEFAULT_FEATURES (CPU_FEATURE_FLOAT | CPU_FEATURE_SWAP |  \
                               CPU_FEATURE_MUL | CPU_FEATURE_DIV |     \
@@ -476,12 +478,14 @@ void cpu_put_cwp64(CPUState *env1, int cwp);
 int cpu_cwp_inc(CPUState *env1, int cwp);
 int cpu_cwp_dec(CPUState *env1, int cwp);
 void cpu_set_cwp(CPUState *env1, int new_cwp);
-
-void leon3_cache_control_int(void);
+void leon3_irq_manager(void *irq_manager, int intno);
 
 /* sun4m.c, sun4u.c */
 void cpu_check_irqs(CPUSPARCState *env);
 
+/* leon3.c */
+void leon3_irq_ack(void *irq_manager, int intno);
+
 #if defined (TARGET_SPARC64)
 
 static inline int compare_masked(uint64_t x, uint64_t y, uint64_t mask)
diff --git a/target-sparc/helper.c b/target-sparc/helper.c
index 2f3d1e6..b2d4d70 100644
--- a/target-sparc/helper.c
+++ b/target-sparc/helper.c
@@ -1289,7 +1289,7 @@ static const sparc_def_t sparc_defs[] = {
         .mmu_trcr_mask = 0xffffffff,
         .nwindows = 8,
         .features = CPU_DEFAULT_FEATURES | CPU_FEATURE_TA0_SHUTDOWN |
-        CPU_FEATURE_ASR17,
+        CPU_FEATURE_ASR17 | CPU_FEATURE_CACHE_CTRL,
     },
 #endif
 };
diff --git a/target-sparc/op_helper.c b/target-sparc/op_helper.c
index d3e1b63..854f168 100644
--- a/target-sparc/op_helper.c
+++ b/target-sparc/op_helper.c
@@ -1653,7 +1653,7 @@ static void dump_asi(const char *txt, target_ulong addr, int asi, int size,
 
 /* Leon3 cache control */
 
-void leon3_cache_control_int(void)
+static void leon3_cache_control_int(void)
 {
     uint32_t state = 0;
 
@@ -1741,11 +1741,17 @@ static uint64_t leon3_cache_control_ld(target_ulong addr, int size)
         DPRINTF_CACHE_CONTROL("read unknown register %08x\n", addr);
         break;
     };
-    DPRINTF_CACHE_CONTROL("st addr:%08x, ret:%" PRIx64 ", size:%d\n",
+    DPRINTF_CACHE_CONTROL("ld addr:%08x, ret:0x%" PRIx64 ", size:%d\n",
                           addr, ret, size);
     return ret;
 }
 
+void leon3_irq_manager(void *irq_manager, int intno)
+{
+    leon3_irq_ack(irq_manager, intno);
+    leon3_cache_control_int();
+}
+
 uint64_t helper_ld_asi(target_ulong addr, int asi, int size, int sign)
 {
     uint64_t ret = 0;
@@ -1760,7 +1766,9 @@ uint64_t helper_ld_asi(target_ulong addr, int asi, int size, int sign)
         case 0x00:          /* Leon3 Cache Control */
         case 0x08:          /* Leon3 Instruction Cache config */
         case 0x0C:          /* Leon3 Date Cache config */
-            ret = leon3_cache_control_ld(addr, size);
+            if (env->def->features & CPU_FEATURE_CACHE_CTRL) {
+                ret = leon3_cache_control_ld(addr, size);
+            }
             break;
         case 0x01c00a00: /* MXCC control register */
             if (size == 8)
@@ -1994,7 +2002,9 @@ void helper_st_asi(target_ulong addr, uint64_t val, int asi, int size)
         case 0x00:          /* Leon3 Cache Control */
         case 0x08:          /* Leon3 Instruction Cache config */
         case 0x0C:          /* Leon3 Date Cache config */
-            leon3_cache_control_st(addr, val, size);
+            if (env->def->features & CPU_FEATURE_CACHE_CTRL) {
+                leon3_cache_control_st(addr, val, size);
+            }
             break;
 
         case 0x01c00000: /* MXCC stream data register 0 */
commit 2685d2961b51437d0c7bc71f4ed7c320f6cbd010
Merge: 319ae52... 4c90051...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Jan 31 12:07:17 2011 -0600

    Merge remote branch 'mst/for_anthony' into staging

commit 319ae529b8d55ea60b1036809aaab2130048d0e1
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:46 2011 +0100

    blockdev: Fix drive_add for drives without media
    
    Watch this:
    
        (qemu) drive_add 0 if=none
        (qemu) info block
        none0: type=hd removable=0 [not inserted]
        (qemu) drive_del none0
        Segmentation fault (core dumped)
    
    add_init_drive() is confused about drive_init()'s failure modes, and
    cleans up when it shouldn't.  This leaves the DriveInfo with member
    opts dangling.  drive_del attempts to free it, and dies.
    
    drive_init() behaves as follows:
    
    * If it created a drive with media, it returns its DriveInfo.
    
    * If it created a drive without media, it clears *fatal_error and
      returns NULL.
    
    * If it couldn't create a drive, it sets *fatal_error and returns
      NULL.
    
    Of its three callers:
    
    * drive_init_func() is correct.
    
    * usb_msd_init() assumes drive_init() failed when it returns NULL.
      This is correct only because it always passes option "file", and
      "drive without media" can't happen then.
    
    * add_init_drive() assumes drive_init() failed when it returns NULL.
      This is incorrect.
    
    Clean up drive_init() to return NULL on failure and only on failure.
    Drop its parameter fatal_error.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 4b2145c..1c56da0 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -203,7 +203,7 @@ static int parse_block_error_action(const char *buf, int is_read)
     }
 }
 
-DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
+DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi)
 {
     const char *buf;
     const char *file = NULL;
@@ -225,8 +225,6 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
     int snapshot = 0;
     int ret;
 
-    *fatal_error = 1;
-
     translation = BIOS_ATA_TRANSLATION_AUTO;
 
     if (default_to_scsi) {
@@ -499,8 +497,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
         abort();
     }
     if (!file || !*file) {
-        *fatal_error = 0;
-        return NULL;
+        return dinfo;
     }
     if (snapshot) {
         /* always use cache=unsafe with snapshot */
@@ -529,7 +526,6 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if (bdrv_key_required(dinfo->bdrv))
         autostart = 0;
-    *fatal_error = 0;
     return dinfo;
 }
 
diff --git a/blockdev.h b/blockdev.h
index e5d8c56..84e462a 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -48,7 +48,7 @@ DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
 QemuOpts *drive_def(const char *optstr);
 QemuOpts *drive_add(BlockInterfaceType type, int index, const char *file,
                     const char *optstr);
-DriveInfo *drive_init(QemuOpts *arg, int default_to_scsi, int *fatal_error);
+DriveInfo *drive_init(QemuOpts *arg, int default_to_scsi);
 
 /* device-hotplug */
 
diff --git a/hw/device-hotplug.c b/hw/device-hotplug.c
index 95a6372..8b2ed7a 100644
--- a/hw/device-hotplug.c
+++ b/hw/device-hotplug.c
@@ -29,7 +29,6 @@
 
 DriveInfo *add_init_drive(const char *optstr)
 {
-    int fatal_error;
     DriveInfo *dinfo;
     QemuOpts *opts;
 
@@ -37,7 +36,7 @@ DriveInfo *add_init_drive(const char *optstr)
     if (!opts)
         return NULL;
 
-    dinfo = drive_init(opts, current_machine->use_scsi, &fatal_error);
+    dinfo = drive_init(opts, current_machine->use_scsi);
     if (!dinfo) {
         qemu_opts_del(opts);
         return NULL;
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 11722c7..97d1e4a 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -542,7 +542,6 @@ static USBDevice *usb_msd_init(const char *filename)
     QemuOpts *opts;
     DriveInfo *dinfo;
     USBDevice *dev;
-    int fatal_error;
     const char *p1;
     char fmt[32];
 
@@ -572,7 +571,7 @@ static USBDevice *usb_msd_init(const char *filename)
     qemu_opt_set(opts, "if", "none");
 
     /* create host drive */
-    dinfo = drive_init(opts, 0, &fatal_error);
+    dinfo = drive_init(opts, 0);
     if (!dinfo) {
         qemu_opts_del(opts);
         return NULL;
diff --git a/vl.c b/vl.c
index f86724f..ce5708b 100644
--- a/vl.c
+++ b/vl.c
@@ -631,13 +631,8 @@ static int bt_parse(const char *opt)
 static int drive_init_func(QemuOpts *opts, void *opaque)
 {
     int *use_scsi = opaque;
-    int fatal_error = 0;
 
-    if (drive_init(opts, *use_scsi, &fatal_error) == NULL) {
-        if (fatal_error)
-            return 1;
-    }
-    return 0;
+    return drive_init(opts, *use_scsi) == NULL;
 }
 
 static int drive_enable_snapshot(QemuOpts *opts, void *opaque)
@@ -666,7 +661,7 @@ static void default_drive(int enable, int snapshot, int use_scsi,
     if (snapshot) {
         drive_enable_snapshot(opts, NULL);
     }
-    if (drive_init_func(opts, &use_scsi)) {
+    if (!drive_init(opts, use_scsi)) {
         exit(1);
     }
 }
commit 5645b0f4f2185437d8df03810ce9c102cc4c90db
Author: Markus Armbruster <armbru at redhat.com>
Date:   Mon Jan 31 11:50:09 2011 +0100

    blockdev: Replace drive_add()'s fmt, ... by optstr parameter
    
    Let the callers build the optstr.  Only one wants to.  All the others
    become simpler, because they don't have to worry about escaping '%'.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 3f7b560..4b2145c 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -93,17 +93,11 @@ QemuOpts *drive_def(const char *optstr)
 }
 
 QemuOpts *drive_add(BlockInterfaceType type, int index, const char *file,
-                    const char *fmt, ...)
+                    const char *optstr)
 {
-    va_list ap;
-    char optstr[1024];
     QemuOpts *opts;
     char buf[32];
 
-    va_start(ap, fmt);
-    vsnprintf(optstr, sizeof(optstr), fmt, ap);
-    va_end(ap);
-
     opts = drive_def(optstr);
     if (!opts) {
         return NULL;
diff --git a/blockdev.h b/blockdev.h
index 18278cc..e5d8c56 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -47,10 +47,7 @@ DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
 
 QemuOpts *drive_def(const char *optstr);
 QemuOpts *drive_add(BlockInterfaceType type, int index, const char *file,
-                    const char *fmt, ...) /*GCC_FMT_ATTR(4, 5)*/;
-    /* GCC_FMT_ATTR() commented out to avoid the (pretty useless)
-     * "zero-length gnu_printf format string" warning we insist to
-     * enable */
+                    const char *optstr);
 DriveInfo *drive_init(QemuOpts *arg, int default_to_scsi, int *fatal_error);
 
 /* device-hotplug */
diff --git a/vl.c b/vl.c
index 99f5bfe..f86724f 100644
--- a/vl.c
+++ b/vl.c
@@ -621,7 +621,6 @@ static int bt_parse(const char *opt)
 /***********************************************************/
 /* QEMU Block devices */
 
-/* Any % in the following strings must be escaped as %% */
 #define HD_OPTS "media=disk"
 #define CDROM_OPTS "media=cdrom"
 #define FD_OPTS ""
@@ -2050,17 +2049,21 @@ int main(int argc, char **argv, char **envp)
                 initrd_filename = optarg;
                 break;
             case QEMU_OPTION_hda:
-                if (cyls == 0)
-                    hda_opts = drive_add(IF_DEFAULT, 0, optarg, HD_OPTS);
-                else
-                    hda_opts = drive_add(IF_DEFAULT, 0, optarg, HD_OPTS
-			     ",cyls=%d,heads=%d,secs=%d%s",
-                             cyls, heads, secs,
-                             translation == BIOS_ATA_TRANSLATION_LBA ?
+                {
+                    char buf[256];
+                    if (cyls == 0)
+                        snprintf(buf, sizeof(buf), "%s", HD_OPTS);
+                    else
+                        snprintf(buf, sizeof(buf),
+                                 "%s,cyls=%d,heads=%d,secs=%d%s",
+                                 HD_OPTS , cyls, heads, secs,
+                                 translation == BIOS_ATA_TRANSLATION_LBA ?
                                  ",trans=lba" :
-                             translation == BIOS_ATA_TRANSLATION_NONE ?
+                                 translation == BIOS_ATA_TRANSLATION_NONE ?
                                  ",trans=none" : "");
-                 break;
+                    drive_add(IF_DEFAULT, 0, optarg, buf);
+                    break;
+                }
             case QEMU_OPTION_hdb:
             case QEMU_OPTION_hdc:
             case QEMU_OPTION_hdd:
commit 4e5d9b578f5d5ffbf7ef7e26abed23a0548a853a
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:45 2011 +0100

    blockdev: Reject multiple definitions for the same drive
    
    We silently ignore multiple definitions for the same drive:
    
        $ qemu-system-x86_64 -nodefaults -vnc :1 -S -monitor stdio -drive if=ide,index=1,file=tmp.qcow2 -drive if=ide,index=1,file=nonexistant
        QEMU 0.13.50 monitor - type 'help' for more information
        (qemu) info block
        ide0-hd1: type=hd removable=0 file=tmp.qcow2 backing_file=tmp.img ro=0 drv=qcow2 encrypted=0
    
    With if=none, this can become quite confusing:
    
        $ qemu-system-x86_64 -nodefaults -vnc :1 -S -monitor stdio -drive if=none,index=1,file=tmp.qcow2,id=eins -drive if=none,index=1,file=nonexistant,id=zwei -device ide-drive,drive=eins -device ide-drive,drive=zwei
        qemu-system-x86_64: -device ide-drive,drive=zwei: Property 'ide-drive.drive' can't find value 'zwei'
    
    The second -device fails, because it refers to drive zwei, which got
    silently ignored.
    
    Make multiple drive definitions fail cleanly.
    
    Unfortunately, there's code that relies on multiple drive definitions
    being silently ignored: main() merrily adds default drives even when
    the user already defined these drives.  Fix that up.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 01228f6..3f7b560 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -429,11 +429,12 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
     }
 
     /*
-     * ignore multiple definitions
+     * catch multiple definitions
      */
 
     if (drive_get(type, bus_id, unit_id) != NULL) {
-        *fatal_error = 0;
+        error_report("drive with bus=%d, unit=%d (index=%d) exists",
+                     bus_id, unit_id, index);
         return NULL;
     }
 
diff --git a/vl.c b/vl.c
index 5399e33..99f5bfe 100644
--- a/vl.c
+++ b/vl.c
@@ -649,6 +649,29 @@ static int drive_enable_snapshot(QemuOpts *opts, void *opaque)
     return 0;
 }
 
+static void default_drive(int enable, int snapshot, int use_scsi,
+                          BlockInterfaceType type, int index,
+                          const char *optstr)
+{
+    QemuOpts *opts;
+
+    if (type == IF_DEFAULT) {
+        type = use_scsi ? IF_SCSI : IF_IDE;
+    }
+
+    if (!enable || drive_get_by_index(type, index)) {
+        return;
+    }
+
+    opts = drive_add(type, index, NULL, optstr);
+    if (snapshot) {
+        drive_enable_snapshot(opts, NULL);
+    }
+    if (drive_init_func(opts, &use_scsi)) {
+        exit(1);
+    }
+}
+
 void qemu_register_boot_set(QEMUBootSetHandler *func, void *opaque)
 {
     boot_set_handler = func;
@@ -2893,27 +2916,19 @@ int main(int argc, char **argv, char **envp)
 
     blk_mig_init();
 
-    if (default_cdrom) {
-        /* we always create the cdrom drive, even if no disk is there */
-        drive_add(IF_DEFAULT, 2, NULL, CDROM_OPTS);
-    }
-
-    if (default_floppy) {
-        /* we always create at least one floppy */
-        drive_add(IF_FLOPPY, 0, NULL, FD_OPTS);
-    }
-
-    if (default_sdcard) {
-        /* we always create one sd slot, even if no card is in it */
-        drive_add(IF_SD, 0, NULL, SD_OPTS);
-    }
-
     /* open the virtual block devices */
     if (snapshot)
         qemu_opts_foreach(qemu_find_opts("drive"), drive_enable_snapshot, NULL, 0);
     if (qemu_opts_foreach(qemu_find_opts("drive"), drive_init_func, &machine->use_scsi, 1) != 0)
         exit(1);
 
+    default_drive(default_cdrom, snapshot, machine->use_scsi,
+                  IF_DEFAULT, 2, CDROM_OPTS);
+    default_drive(default_floppy, snapshot, machine->use_scsi,
+                  IF_FLOPPY, 0, FD_OPTS);
+    default_drive(default_sdcard, snapshot, machine->use_scsi,
+                  IF_SD, 0, SD_OPTS);
+
     register_savevm_live(NULL, "ram", 0, 4, NULL, ram_save_live, NULL,
                          ram_load, NULL);
 
commit f1bd51ac2b6e6ccd3d13dfd52c1c381a68bf261c
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:44 2011 +0100

    blockdev: New drive_get_by_index()
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index a42c5e4..01228f6 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -136,6 +136,13 @@ DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit)
     return NULL;
 }
 
+DriveInfo *drive_get_by_index(BlockInterfaceType type, int index)
+{
+    return drive_get(type,
+                     drive_index_to_bus_id(type, index),
+                     drive_index_to_unit_id(type, index));
+}
+
 int drive_get_max_bus(BlockInterfaceType type)
 {
     int max_bus;
diff --git a/blockdev.h b/blockdev.h
index 0c01e08..18278cc 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -39,6 +39,7 @@ struct DriveInfo {
 };
 
 DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
+DriveInfo *drive_get_by_index(BlockInterfaceType type, int index);
 int drive_get_max_bus(BlockInterfaceType type);
 DriveInfo *drive_get_next(BlockInterfaceType type);
 void drive_uninit(DriveInfo *dinfo);
commit 505a7fb1b1bfa732117d526a8d3a0f27741155d6
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:43 2011 +0100

    blockdev: Factor drive_index_to_{bus,unit}_id out of drive_init()
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 6d828f2..a42c5e4 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -75,6 +75,18 @@ void blockdev_auto_del(BlockDriverState *bs)
     }
 }
 
+static int drive_index_to_bus_id(BlockInterfaceType type, int index)
+{
+    int max_devs = if_max_devs[type];
+    return max_devs ? index / max_devs : 0;
+}
+
+static int drive_index_to_unit_id(BlockInterfaceType type, int index)
+{
+    int max_devs = if_max_devs[type];
+    return max_devs ? index % max_devs : index;
+}
+
 QemuOpts *drive_def(const char *optstr)
 {
     return qemu_opts_parse(qemu_find_opts("drive"), optstr, 0);
@@ -382,14 +394,8 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
             error_report("index cannot be used with bus and unit");
             return NULL;
         }
-        if (max_devs == 0)
-        {
-            unit_id = index;
-            bus_id = 0;
-        } else {
-            unit_id = index % max_devs;
-            bus_id = index / max_devs;
-        }
+        bus_id = drive_index_to_bus_id(type, index);
+        unit_id = drive_index_to_unit_id(type, index);
     }
 
     /* if user doesn't specify a unit_id,
commit 2292ddaeab3467c68efd9e07e17ca0c9fc510fdc
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:41 2011 +0100

    blockdev: Make drive_add() take explicit type, index parameters
    
    Before, type & index were hidden in printf-like fmt, ... parameters,
    which get expanded into an option string.  Rather inconvenient for
    uses later in this series.
    
    New IF_DEFAULT to ask for the machine's default interface.  Before,
    that was done by having no option "if" in the option string.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index fba53f9..6d828f2 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -75,20 +75,34 @@ void blockdev_auto_del(BlockDriverState *bs)
     }
 }
 
-QemuOpts *drive_add(const char *file, const char *fmt, ...)
+QemuOpts *drive_def(const char *optstr)
+{
+    return qemu_opts_parse(qemu_find_opts("drive"), optstr, 0);
+}
+
+QemuOpts *drive_add(BlockInterfaceType type, int index, const char *file,
+                    const char *fmt, ...)
 {
     va_list ap;
     char optstr[1024];
     QemuOpts *opts;
+    char buf[32];
 
     va_start(ap, fmt);
     vsnprintf(optstr, sizeof(optstr), fmt, ap);
     va_end(ap);
 
-    opts = qemu_opts_parse(qemu_find_opts("drive"), optstr, 0);
+    opts = drive_def(optstr);
     if (!opts) {
         return NULL;
     }
+    if (type != IF_DEFAULT) {
+        qemu_opt_set(opts, "if", if_name[type]);
+    }
+    if (index >= 0) {
+        snprintf(buf, sizeof(buf), "%d", index);
+        qemu_opt_set(opts, "index", buf);
+    }
     if (file)
         qemu_opt_set(opts, "file", file);
     return opts;
@@ -473,7 +487,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
         if (devaddr)
             qemu_opt_set(opts, "addr", devaddr);
         break;
-    case IF_COUNT:
+    default:
         abort();
     }
     if (!file || !*file) {
diff --git a/blockdev.h b/blockdev.h
index cf8fc01..0c01e08 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -19,6 +19,7 @@ void blockdev_auto_del(BlockDriverState *bs);
 #define BLOCK_SERIAL_STRLEN 20
 
 typedef enum {
+    IF_DEFAULT = -1,            /* for use with drive_add() only */
     IF_NONE,
     IF_IDE, IF_SCSI, IF_FLOPPY, IF_PFLASH, IF_MTD, IF_SD, IF_VIRTIO, IF_XEN,
     IF_COUNT
@@ -43,7 +44,12 @@ DriveInfo *drive_get_next(BlockInterfaceType type);
 void drive_uninit(DriveInfo *dinfo);
 DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
 
-QemuOpts *drive_add(const char *file, const char *fmt, ...) GCC_FMT_ATTR(2, 3);
+QemuOpts *drive_def(const char *optstr);
+QemuOpts *drive_add(BlockInterfaceType type, int index, const char *file,
+                    const char *fmt, ...) /*GCC_FMT_ATTR(4, 5)*/;
+    /* GCC_FMT_ATTR() commented out to avoid the (pretty useless)
+     * "zero-length gnu_printf format string" warning we insist to
+     * enable */
 DriveInfo *drive_init(QemuOpts *arg, int default_to_scsi, int *fatal_error);
 
 /* device-hotplug */
diff --git a/hw/device-hotplug.c b/hw/device-hotplug.c
index 9704e2f..95a6372 100644
--- a/hw/device-hotplug.c
+++ b/hw/device-hotplug.c
@@ -33,7 +33,7 @@ DriveInfo *add_init_drive(const char *optstr)
     DriveInfo *dinfo;
     QemuOpts *opts;
 
-    opts = drive_add(NULL, "%s", optstr);
+    opts = drive_def(optstr);
     if (!opts)
         return NULL;
 
diff --git a/vl.c b/vl.c
index 14255c4..5399e33 100644
--- a/vl.c
+++ b/vl.c
@@ -621,12 +621,13 @@ static int bt_parse(const char *opt)
 /***********************************************************/
 /* QEMU Block devices */
 
-#define HD_ALIAS "index=%d,media=disk"
-#define CDROM_ALIAS "index=2,media=cdrom"
-#define FD_ALIAS "index=%d,if=floppy"
-#define PFLASH_ALIAS "if=pflash"
-#define MTD_ALIAS "if=mtd"
-#define SD_ALIAS "index=0,if=sd"
+/* Any % in the following strings must be escaped as %% */
+#define HD_OPTS "media=disk"
+#define CDROM_OPTS "media=cdrom"
+#define FD_OPTS ""
+#define PFLASH_OPTS ""
+#define MTD_OPTS ""
+#define SD_OPTS ""
 
 static int drive_init_func(QemuOpts *opts, void *opaque)
 {
@@ -1987,7 +1988,7 @@ int main(int argc, char **argv, char **envp)
         if (optind >= argc)
             break;
         if (argv[optind][0] != '-') {
-	    hda_opts = drive_add(argv[optind++], HD_ALIAS, 0);
+	    hda_opts = drive_add(IF_DEFAULT, 0, argv[optind++], HD_OPTS);
         } else {
             const QEMUOption *popt;
 
@@ -2027,11 +2028,11 @@ int main(int argc, char **argv, char **envp)
                 break;
             case QEMU_OPTION_hda:
                 if (cyls == 0)
-                    hda_opts = drive_add(optarg, HD_ALIAS, 0);
+                    hda_opts = drive_add(IF_DEFAULT, 0, optarg, HD_OPTS);
                 else
-                    hda_opts = drive_add(optarg, HD_ALIAS
+                    hda_opts = drive_add(IF_DEFAULT, 0, optarg, HD_OPTS
 			     ",cyls=%d,heads=%d,secs=%d%s",
-                             0, cyls, heads, secs,
+                             cyls, heads, secs,
                              translation == BIOS_ATA_TRANSLATION_LBA ?
                                  ",trans=lba" :
                              translation == BIOS_ATA_TRANSLATION_NONE ?
@@ -2040,10 +2041,11 @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_hdb:
             case QEMU_OPTION_hdc:
             case QEMU_OPTION_hdd:
-                drive_add(optarg, HD_ALIAS, popt->index - QEMU_OPTION_hda);
+                drive_add(IF_DEFAULT, popt->index - QEMU_OPTION_hda, optarg,
+                          HD_OPTS);
                 break;
             case QEMU_OPTION_drive:
-                drive_add(NULL, "%s", optarg);
+                drive_def(optarg);
 	        break;
             case QEMU_OPTION_set:
                 if (qemu_set_option(optarg) != 0)
@@ -2054,13 +2056,13 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
 	        break;
             case QEMU_OPTION_mtdblock:
-                drive_add(optarg, MTD_ALIAS);
+                drive_add(IF_MTD, -1, optarg, MTD_OPTS);
                 break;
             case QEMU_OPTION_sd:
-                drive_add(optarg, SD_ALIAS);
+                drive_add(IF_SD, 0, optarg, SD_OPTS);
                 break;
             case QEMU_OPTION_pflash:
-                drive_add(optarg, PFLASH_ALIAS);
+                drive_add(IF_PFLASH, -1, optarg, PFLASH_OPTS);
                 break;
             case QEMU_OPTION_snapshot:
                 snapshot = 1;
@@ -2139,7 +2141,7 @@ int main(int argc, char **argv, char **envp)
                 kernel_cmdline = optarg;
                 break;
             case QEMU_OPTION_cdrom:
-                drive_add(optarg, CDROM_ALIAS);
+                drive_add(IF_DEFAULT, 2, optarg, CDROM_OPTS);
                 break;
             case QEMU_OPTION_boot:
                 {
@@ -2192,7 +2194,8 @@ int main(int argc, char **argv, char **envp)
                 break;
             case QEMU_OPTION_fda:
             case QEMU_OPTION_fdb:
-                drive_add(optarg, FD_ALIAS, popt->index - QEMU_OPTION_fda);
+                drive_add(IF_FLOPPY, popt->index - QEMU_OPTION_fda,
+                          optarg, FD_OPTS);
                 break;
             case QEMU_OPTION_no_fd_bootchk:
                 fd_bootchk = 0;
@@ -2892,17 +2895,17 @@ int main(int argc, char **argv, char **envp)
 
     if (default_cdrom) {
         /* we always create the cdrom drive, even if no disk is there */
-        drive_add(NULL, CDROM_ALIAS);
+        drive_add(IF_DEFAULT, 2, NULL, CDROM_OPTS);
     }
 
     if (default_floppy) {
         /* we always create at least one floppy */
-        drive_add(NULL, FD_ALIAS, 0);
+        drive_add(IF_FLOPPY, 0, NULL, FD_OPTS);
     }
 
     if (default_sdcard) {
         /* we always create one sd slot, even if no card is in it */
-        drive_add(NULL, SD_ALIAS);
+        drive_add(IF_SD, 0, NULL, SD_OPTS);
     }
 
     /* open the virtual block devices */
commit 27d6bf40edc346a61ade6d4c5d4f27f6b40acc81
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:40 2011 +0100

    blockdev: Fix regression in -drive if=scsi,index=N
    
    Before commit 622b520f, index=12 meant bus=1,unit=5.
    
    Since the commit, it means bus=0,unit=12.  The drive is created, but
    not the guest device.  That's because the controllers we use with
    if=scsi drives (lsi53c895a and esp) support only 7 units, and
    scsi_bus_legacy_handle_cmdline() ignores drives with unit numbers
    exceeding that limit.
    
    Changing the mapping of index to bus, unit is a regression.  Breaking
    -drive invocations that used to work just makes it worse.
    
    Revert the part of commit 622b520f that causes this, and clean up
    some.
    
    Note that the fix only affects if=scsi.  You can still put more than 7
    units on a SCSI bus with -device & friends.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 9c883ce..fba53f9 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -32,8 +32,22 @@ static const char *const if_name[IF_COUNT] = {
 };
 
 static const int if_max_devs[IF_COUNT] = {
-    [IF_IDE] = MAX_IDE_DEVS,
-    [IF_SCSI] = MAX_SCSI_DEVS,
+    /*
+     * Do not change these numbers!  They govern how drive option
+     * index maps to unit and bus.  That mapping is ABI.
+     *
+     * All controllers used to imlement if=T drives need to support
+     * if_max_devs[T] units, for any T with if_max_devs[T] != 0.
+     * Otherwise, some index values map to "impossible" bus, unit
+     * values.
+     *
+     * For instance, if you change [IF_SCSI] to 255, -drive
+     * if=scsi,index=12 no longer means bus=1,unit=5, but
+     * bus=0,unit=12.  With an lsi53c895a controller (7 units max),
+     * the drive can't be set up.  Regression.
+     */
+    [IF_IDE] = 2,
+    [IF_SCSI] = 7,
 };
 
 /*
diff --git a/blockdev.h b/blockdev.h
index 2cbbb87..cf8fc01 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -37,9 +37,6 @@ struct DriveInfo {
     QTAILQ_ENTRY(DriveInfo) next;
 };
 
-#define MAX_IDE_DEVS	2
-#define MAX_SCSI_DEVS	255
-
 DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
 int drive_get_max_bus(BlockInterfaceType type);
 DriveInfo *drive_get_next(BlockInterfaceType type);
diff --git a/hw/ide.h b/hw/ide.h
index 2b5ae7c..73fb550 100644
--- a/hw/ide.h
+++ b/hw/ide.h
@@ -4,6 +4,8 @@
 #include "isa.h"
 #include "pci.h"
 
+#define MAX_IDE_DEVS	2
+
 /* ide-isa.c */
 ISADevice *isa_ide_init(int iobase, int iobase2, int isairq,
                         DriveInfo *hd0, DriveInfo *hd1);
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 433171c..671b4df 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -70,7 +70,6 @@
 #include "monitor.h"
 #include "dma.h"
 #include "cpu-common.h"
-#include "blockdev.h"
 #include "internal.h"
 #include <hw/ide/pci.h>
 
diff --git a/hw/qdev.c b/hw/qdev.c
index 0c94fb2..c7fec44 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -29,7 +29,6 @@
 #include "qdev.h"
 #include "sysemu.h"
 #include "monitor.h"
-#include "blockdev.h"
 
 static int qdev_hotplug = 0;
 static bool qdev_hot_added = false;
diff --git a/hw/scsi.h b/hw/scsi.h
index 846fbba..d3b5d56 100644
--- a/hw/scsi.h
+++ b/hw/scsi.h
@@ -3,9 +3,10 @@
 
 #include "qdev.h"
 #include "block.h"
-#include "blockdev.h"
 #include "block_int.h"
 
+#define MAX_SCSI_DEVS	255
+
 #define SCSI_CMD_BUF_SIZE     16
 
 /* scsi-disk.c */
diff --git a/savevm.c b/savevm.c
index fcd8db4..4453217 100644
--- a/savevm.c
+++ b/savevm.c
@@ -78,7 +78,6 @@
 #include "sysemu.h"
 #include "qemu-timer.h"
 #include "qemu-char.h"
-#include "blockdev.h"
 #include "audio/audio.h"
 #include "migration.h"
 #include "qemu_socket.h"
commit 1960966d1b57628f730b66fe33cd2005846092e0
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:39 2011 +0100

    blockdev: Put BlockInterfaceType names and max_devs in tables
    
    Turns drive_init()'s lengthy conditional into a concise loop, and
    makes the data available elsewhere.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 699f312..9c883ce 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -19,6 +19,23 @@
 
 static QTAILQ_HEAD(drivelist, DriveInfo) drives = QTAILQ_HEAD_INITIALIZER(drives);
 
+static const char *const if_name[IF_COUNT] = {
+    [IF_NONE] = "none",
+    [IF_IDE] = "ide",
+    [IF_SCSI] = "scsi",
+    [IF_FLOPPY] = "floppy",
+    [IF_PFLASH] = "pflash",
+    [IF_MTD] = "mtd",
+    [IF_SD] = "sd",
+    [IF_VIRTIO] = "virtio",
+    [IF_XEN] = "xen",
+};
+
+static const int if_max_devs[IF_COUNT] = {
+    [IF_IDE] = MAX_IDE_DEVS,
+    [IF_SCSI] = MAX_SCSI_DEVS,
+};
+
 /*
  * We automatically delete the drive when a device using it gets
  * unplugged.  Questionable feature, but we can't just drop it.
@@ -173,11 +190,9 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if (default_to_scsi) {
         type = IF_SCSI;
-        max_devs = MAX_SCSI_DEVS;
         pstrcpy(devname, sizeof(devname), "scsi");
     } else {
         type = IF_IDE;
-        max_devs = MAX_IDE_DEVS;
         pstrcpy(devname, sizeof(devname), "ide");
     }
     media = MEDIA_DISK;
@@ -199,38 +214,14 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if ((buf = qemu_opt_get(opts, "if")) != NULL) {
         pstrcpy(devname, sizeof(devname), buf);
-        if (!strcmp(buf, "ide")) {
-	    type = IF_IDE;
-            max_devs = MAX_IDE_DEVS;
-        } else if (!strcmp(buf, "scsi")) {
-	    type = IF_SCSI;
-            max_devs = MAX_SCSI_DEVS;
-        } else if (!strcmp(buf, "floppy")) {
-	    type = IF_FLOPPY;
-            max_devs = 0;
-        } else if (!strcmp(buf, "pflash")) {
-	    type = IF_PFLASH;
-            max_devs = 0;
-	} else if (!strcmp(buf, "mtd")) {
-	    type = IF_MTD;
-            max_devs = 0;
-	} else if (!strcmp(buf, "sd")) {
-	    type = IF_SD;
-            max_devs = 0;
-        } else if (!strcmp(buf, "virtio")) {
-            type = IF_VIRTIO;
-            max_devs = 0;
-	} else if (!strcmp(buf, "xen")) {
-	    type = IF_XEN;
-            max_devs = 0;
-	} else if (!strcmp(buf, "none")) {
-	    type = IF_NONE;
-            max_devs = 0;
-	} else {
+        for (type = 0; type < IF_COUNT && strcmp(buf, if_name[type]); type++)
+            ;
+        if (type == IF_COUNT) {
             error_report("unsupported bus type '%s'", buf);
             return NULL;
 	}
     }
+    max_devs = if_max_devs[type];
 
     if (cyls || heads || secs) {
         if (cyls < 1 || (type == IF_IDE && cyls > 16383)) {
commit 904ebffee5a7e7d246039ad5826195fe51ccf769
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:38 2011 +0100

    blockdev: Move BlockInterfaceType from qemu-common.h to blockdev.h
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.h b/blockdev.h
index 3ed6634..2cbbb87 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -18,6 +18,12 @@ void blockdev_auto_del(BlockDriverState *bs);
 
 #define BLOCK_SERIAL_STRLEN 20
 
+typedef enum {
+    IF_NONE,
+    IF_IDE, IF_SCSI, IF_FLOPPY, IF_PFLASH, IF_MTD, IF_SD, IF_VIRTIO, IF_XEN,
+    IF_COUNT
+} BlockInterfaceType;
+
 struct DriveInfo {
     BlockDriverState *bdrv;
     char *id;
diff --git a/qemu-common.h b/qemu-common.h
index 79e1149..c7ff280 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -274,12 +274,6 @@ typedef struct VirtIODevice VirtIODevice;
 
 typedef uint64_t pcibus_t;
 
-typedef enum {
-    IF_NONE,
-    IF_IDE, IF_SCSI, IF_FLOPPY, IF_PFLASH, IF_MTD, IF_SD, IF_VIRTIO, IF_XEN,
-    IF_COUNT
-} BlockInterfaceType;
-
 void cpu_exec_init_all(unsigned long tb_size);
 
 /* CPU save/load.  */
commit 13839974d14701626a2f9dcc5f8cf65783d51c11
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:37 2011 +0100

    blockdev: New drive_get_next(), replacing qdev_init_bdrv()
    
    qdev_init_bdrv() doesn't belong into qdev.c; it's about drives, not
    qdevs.  Rename to drive_get_next, move to blockdev.c, drop the bogus
    DeviceState argument, and return DriveInfo instead of
    BlockDriverState.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index e48d33d..699f312 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -93,6 +93,16 @@ int drive_get_max_bus(BlockInterfaceType type)
     return max_bus;
 }
 
+/* Get a block device.  This should only be used for single-drive devices
+   (e.g. SD/Floppy/MTD).  Multi-disk devices (scsi/ide) should use the
+   appropriate bus.  */
+DriveInfo *drive_get_next(BlockInterfaceType type)
+{
+    static int next_block_unit[IF_COUNT];
+
+    return drive_get(type, 0, next_block_unit[type]++);
+}
+
 DriveInfo *drive_get_by_blockdev(BlockDriverState *bs)
 {
     DriveInfo *dinfo;
diff --git a/blockdev.h b/blockdev.h
index b8a88bf..3ed6634 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -36,6 +36,7 @@ struct DriveInfo {
 
 DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
 int drive_get_max_bus(BlockInterfaceType type);
+DriveInfo *drive_get_next(BlockInterfaceType type);
 void drive_uninit(DriveInfo *dinfo);
 DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
 
diff --git a/hw/pl181.c b/hw/pl181.c
index 3e5f92f..36d9d02 100644
--- a/hw/pl181.c
+++ b/hw/pl181.c
@@ -7,6 +7,7 @@
  * This code is licenced under the GPL.
  */
 
+#include "blockdev.h"
 #include "sysbus.h"
 #include "sd.h"
 
@@ -449,15 +450,15 @@ static int pl181_init(SysBusDevice *dev)
 {
     int iomemtype;
     pl181_state *s = FROM_SYSBUS(pl181_state, dev);
-    BlockDriverState *bd;
+    DriveInfo *dinfo;
 
     iomemtype = cpu_register_io_memory(pl181_readfn, pl181_writefn, s,
                                        DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq[0]);
     sysbus_init_irq(dev, &s->irq[1]);
-    bd = qdev_init_bdrv(&dev->qdev, IF_SD);
-    s->card = sd_init(bd, 0);
+    dinfo = drive_get_next(IF_SD);
+    s->card = sd_init(dinfo ? dinfo->bdrv : NULL, 0);
     qemu_register_reset(pl181_reset, s);
     pl181_reset(s);
     /* ??? Save/restore.  */
diff --git a/hw/qdev.c b/hw/qdev.c
index 5b8d374..0c94fb2 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -458,20 +458,6 @@ void qdev_set_nic_properties(DeviceState *dev, NICInfo *nd)
     }
 }
 
-static int next_block_unit[IF_COUNT];
-
-/* Get a block device.  This should only be used for single-drive devices
-   (e.g. SD/Floppy/MTD).  Multi-disk devices (scsi/ide) should use the
-   appropriate bus.  */
-BlockDriverState *qdev_init_bdrv(DeviceState *dev, BlockInterfaceType type)
-{
-    int unit = next_block_unit[type]++;
-    DriveInfo *dinfo;
-
-    dinfo = drive_get(type, 0, unit);
-    return dinfo ? dinfo->bdrv : NULL;
-}
-
 BusState *qdev_get_child_bus(DeviceState *dev, const char *name)
 {
     BusState *bus;
diff --git a/hw/qdev.h b/hw/qdev.h
index e520aaa..9808f85 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -137,8 +137,6 @@ bool qdev_machine_modified(void);
 qemu_irq qdev_get_gpio_in(DeviceState *dev, int n);
 void qdev_connect_gpio_out(DeviceState *dev, int n, qemu_irq pin);
 
-BlockDriverState *qdev_init_bdrv(DeviceState *dev, BlockInterfaceType type);
-
 BusState *qdev_get_child_bus(DeviceState *dev, const char *name);
 
 /*** Device API.  ***/
diff --git a/hw/ssi-sd.c b/hw/ssi-sd.c
index a1a63b2..fb4b649 100644
--- a/hw/ssi-sd.c
+++ b/hw/ssi-sd.c
@@ -7,6 +7,7 @@
  * This code is licenced under the GNU GPL v2.
  */
 
+#include "blockdev.h"
 #include "ssi.h"
 #include "sd.h"
 
@@ -231,11 +232,11 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
 static int ssi_sd_init(SSISlave *dev)
 {
     ssi_sd_state *s = FROM_SSI_SLAVE(ssi_sd_state, dev);
-    BlockDriverState *bs;
+    DriveInfo *dinfo;
 
     s->mode = SSI_SD_CMD;
-    bs = qdev_init_bdrv(&dev->qdev, IF_SD);
-    s->sd = sd_init(bs, 1);
+    dinfo = drive_get_next(IF_SD);
+    s->sd = sd_init(dinfo ? dinfo->bdrv : NULL, 1);
     register_savevm(&dev->qdev, "ssi_sd", -1, 1, ssi_sd_save, ssi_sd_load, s);
     return 0;
 }
commit 1869a65385e9d81f490b4203dd070cc49b7749c9
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Jan 29 08:19:15 2011 +0000

    qcow2-refcount: remove write-only variables
    
    Variables l2_modified and l2_size are not really used, remove them.
    Spotted by GCC 4.6.0:
      CC    block/qcow2-refcount.o
    /src/qemu/block/qcow2-refcount.c: In function 'qcow2_update_snapshot_refcount':
    /src/qemu/block/qcow2-refcount.c:708:37: error: variable 'l2_modified' set but not used [-Werror=unused-but-set-variable]
    /src/qemu/block/qcow2-refcount.c:708:9: error: variable 'l2_size' set but not used [-Werror=unused-but-set-variable]
    
    CC: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index e37e226..915d85a 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -705,7 +705,7 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
     BDRVQcowState *s = bs->opaque;
     uint64_t *l1_table, *l2_table, l2_offset, offset, l1_size2, l1_allocated;
     int64_t old_offset, old_l2_offset;
-    int l2_size, i, j, l1_modified, l2_modified, nb_csectors, refcount;
+    int i, j, l1_modified, nb_csectors, refcount;
     int ret;
 
     l2_table = NULL;
@@ -729,14 +729,12 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
         l1_allocated = 0;
     }
 
-    l2_size = s->l2_size * sizeof(uint64_t);
     l1_modified = 0;
     for(i = 0; i < l1_size; i++) {
         l2_offset = l1_table[i];
         if (l2_offset) {
             old_l2_offset = l2_offset;
             l2_offset &= ~QCOW_OFLAG_COPIED;
-            l2_modified = 0;
 
             ret = qcow2_cache_get(bs, s->l2_table_cache, l2_offset,
                 (void**) &l2_table);
@@ -788,7 +786,6 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
                                 s->refcount_block_cache);
                         }
                         l2_table[j] = cpu_to_be64(offset);
-                        l2_modified = 1;
                         qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
                     }
                 }
commit 31e1ea3ee7d05ab1aa134fe07a8f33b42417641f
Author: Markus Armbruster <armbru at redhat.com>
Date:   Fri Jan 28 11:21:36 2011 +0100

    scsi hotplug: Set DriveInfo member bus correctly
    
    drive_init() picks the first free bus and unit number, unless the user
    specifies them.
    
    This isn't a good fit for the drive_add monitor command, because there
    we specify the controller by PCI address instead of using bus number
    set by drive_init().
    
    scsi_hot_add() takes care to replace the unit number set by
    drive_init() by the real one, but it neglects to replace the bus
    number.  Thus, bus/unit in DriveInfo may be bogus.  Affects
    drive_get() and drive_get_max_bus().  I'm not aware of anything bad
    happening because of that; looks like by the time we're hot-plugging,
    the two functions aren't used anymore.  Fix it anyway.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/pci-hotplug.c b/hw/pci-hotplug.c
index 270a982..b6dcbda 100644
--- a/hw/pci-hotplug.c
+++ b/hw/pci-hotplug.c
@@ -90,6 +90,7 @@ static int scsi_hot_add(Monitor *mon, DeviceState *adapter,
      * specified).
      */
     dinfo->unit = qemu_opt_get_number(dinfo->opts, "unit", -1);
+    dinfo->bus = scsibus->busnr;
     scsidev = scsi_bus_legacy_add_drive(scsibus, dinfo->bdrv, dinfo->unit, false);
     if (!scsidev) {
         return -1;
commit 1b40bbd13a2d37dcd88763b84d01ec68bc96ff14
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Jan 28 15:57:39 2011 +0100

    raw-win32: Fix bdrv_flush return value
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/raw-win32.c b/block/raw-win32.c
index 06c9710..c204a80 100644
--- a/block/raw-win32.c
+++ b/block/raw-win32.c
@@ -153,7 +153,7 @@ static int raw_flush(BlockDriverState *bs)
     int ret;
 
     ret = FlushFileBuffers(s->hfile);
-    if (ret != 0) {
+    if (ret == 0) {
         return -EIO;
     }
 
commit 0d09c7970063ecdabdc2841ffa32e1cf3e032336
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Jan 28 17:11:59 2011 +0000

    qed: Images with backing file do not require QED_F_NEED_CHECK
    
    The consistency check on open is necessary in order to fix inconsistent
    table offsets left as a result of a crash mid-operation.  Images with a
    backing file actually flush before updating table offsets and are
    therefore guaranteed to be consistent.  Do not mark these images dirty.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qed.c b/block/qed.c
index a46f9ef..3273448 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -977,6 +977,19 @@ static void qed_aio_write_prefill(void *opaque, int ret)
 }
 
 /**
+ * Check if the QED_F_NEED_CHECK bit should be set during allocating write
+ */
+static bool qed_should_set_need_check(BDRVQEDState *s)
+{
+    /* The flush before L2 update path ensures consistency */
+    if (s->bs->backing_hd) {
+        return false;
+    }
+
+    return !(s->header.features & QED_F_NEED_CHECK);
+}
+
+/**
  * Write new data cluster
  *
  * @acb:        Write request
@@ -1001,15 +1014,12 @@ static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
     acb->cur_cluster = qed_alloc_clusters(s, acb->cur_nclusters);
     qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
 
-    /* Write new cluster if the image is already marked dirty */
-    if (s->header.features & QED_F_NEED_CHECK) {
+    if (qed_should_set_need_check(s)) {
+        s->header.features |= QED_F_NEED_CHECK;
+        qed_write_header(s, qed_aio_write_prefill, acb);
+    } else {
         qed_aio_write_prefill(acb, 0);
-        return;
     }
-
-    /* Mark the image dirty before writing the new cluster */
-    s->header.features |= QED_F_NEED_CHECK;
-    qed_write_header(s, qed_aio_write_prefill, acb);
 }
 
 /**
commit 5ea929e3d13622e5d06ca8795819f1590644cda2
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Jan 26 16:56:48 2011 +0100

    qcow2: Add bdrv_discard support
    
    This adds a bdrv_discard function to qcow2 that frees the discarded clusters.
    It does not yet pass the discard on to the underlying file system driver, but
    the space can be reused by future writes to the image.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 1c2003a..5fb8c66 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -888,3 +888,85 @@ int qcow2_decompress_cluster(BlockDriverState *bs, uint64_t cluster_offset)
     }
     return 0;
 }
+
+/*
+ * This discards as many clusters of nb_clusters as possible at once (i.e.
+ * all clusters in the same L2 table) and returns the number of discarded
+ * clusters.
+ */
+static int discard_single_l2(BlockDriverState *bs, uint64_t offset,
+    unsigned int nb_clusters)
+{
+    BDRVQcowState *s = bs->opaque;
+    uint64_t l2_offset, *l2_table;
+    int l2_index;
+    int ret;
+    int i;
+
+    ret = get_cluster_table(bs, offset, &l2_table, &l2_offset, &l2_index);
+    if (ret < 0) {
+        return ret;
+    }
+
+    /* Limit nb_clusters to one L2 table */
+    nb_clusters = MIN(nb_clusters, s->l2_size - l2_index);
+
+    for (i = 0; i < nb_clusters; i++) {
+        uint64_t old_offset;
+
+        old_offset = be64_to_cpu(l2_table[l2_index + i]);
+        old_offset &= ~QCOW_OFLAG_COPIED;
+
+        if (old_offset == 0) {
+            continue;
+        }
+
+        /* First remove L2 entries */
+        qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
+        l2_table[l2_index + i] = cpu_to_be64(0);
+
+        /* Then decrease the refcount */
+        qcow2_free_any_clusters(bs, old_offset, 1);
+    }
+
+    ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
+    if (ret < 0) {
+        return ret;
+    }
+
+    return nb_clusters;
+}
+
+int qcow2_discard_clusters(BlockDriverState *bs, uint64_t offset,
+    int nb_sectors)
+{
+    BDRVQcowState *s = bs->opaque;
+    uint64_t end_offset;
+    unsigned int nb_clusters;
+    int ret;
+
+    end_offset = offset + (nb_sectors << BDRV_SECTOR_BITS);
+
+    /* Round start up and end down */
+    offset = align_offset(offset, s->cluster_size);
+    end_offset &= ~(s->cluster_size - 1);
+
+    if (offset > end_offset) {
+        return 0;
+    }
+
+    nb_clusters = size_to_clusters(s, end_offset - offset);
+
+    /* Each L2 table is handled by its own loop iteration */
+    while (nb_clusters > 0) {
+        ret = discard_single_l2(bs, offset, nb_clusters);
+        if (ret < 0) {
+            return ret;
+        }
+
+        nb_clusters -= ret;
+        offset += (ret * s->cluster_size);
+    }
+
+    return 0;
+}
diff --git a/block/qcow2.c b/block/qcow2.c
index 49bf7b9..dbe4fdd 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1084,6 +1084,13 @@ static int qcow2_make_empty(BlockDriverState *bs)
     return 0;
 }
 
+static int qcow2_discard(BlockDriverState *bs, int64_t sector_num,
+    int nb_sectors)
+{
+    return qcow2_discard_clusters(bs, sector_num << BDRV_SECTOR_BITS,
+        nb_sectors);
+}
+
 static int qcow2_truncate(BlockDriverState *bs, int64_t offset)
 {
     BDRVQcowState *s = bs->opaque;
@@ -1349,6 +1356,7 @@ static BlockDriver bdrv_qcow2 = {
     .bdrv_aio_writev    = qcow2_aio_writev,
     .bdrv_aio_flush     = qcow2_aio_flush,
 
+    .bdrv_discard           = qcow2_discard,
     .bdrv_truncate          = qcow2_truncate,
     .bdrv_write_compressed  = qcow2_write_compressed,
 
diff --git a/block/qcow2.h b/block/qcow2.h
index 6d80120..a019831 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -209,6 +209,8 @@ uint64_t qcow2_alloc_compressed_cluster_offset(BlockDriverState *bs,
                                          int compressed_size);
 
 int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m);
+int qcow2_discard_clusters(BlockDriverState *bs, uint64_t offset,
+    int nb_sectors);
 
 /* qcow2-snapshot.c functions */
 int qcow2_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info);
commit a9c49a6b023fd3706002fd8d549c58f0343932f8
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Jan 26 16:56:34 2011 +0100

    qemu-io: Fix discard command
    
    qemu-io passed bytes where it's supposed to pass sectors, so discard requests
    were off.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/qemu-io.c b/qemu-io.c
index 5b24c5e..4470e49 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1465,7 +1465,7 @@ discard_f(int argc, char **argv)
 	}
 
 	gettimeofday(&t1, NULL);
-	ret = bdrv_discard(bs, offset, count);
+	ret = bdrv_discard(bs, offset >> BDRV_SECTOR_BITS, count >> BDRV_SECTOR_BITS);
 	gettimeofday(&t2, NULL);
 
 	if (ret < 0) {
commit b4447363469650fc98f67714336cb0baa6156a5e
Author: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
Date:   Fri Jan 28 01:33:10 2011 +0900

    sheepdog: support creating images on remote hosts
    
    This patch parses the input filename in sd_create(), and enables us
    specifying a target server to create sheepdog images.
    
    Signed-off-by: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/sheepdog.c b/block/sheepdog.c
index e62820a..a54e0de 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -1294,12 +1294,23 @@ static int do_sd_create(char *filename, int64_t vdi_size,
 static int sd_create(const char *filename, QEMUOptionParameter *options)
 {
     int ret;
-    uint32_t vid = 0;
+    uint32_t vid = 0, base_vid = 0;
     int64_t vdi_size = 0;
     char *backing_file = NULL;
+    BDRVSheepdogState s;
+    char vdi[SD_MAX_VDI_LEN], tag[SD_MAX_VDI_TAG_LEN];
+    uint32_t snapid;
 
     strstart(filename, "sheepdog:", (const char **)&filename);
 
+    memset(&s, 0, sizeof(s));
+    memset(vdi, 0, sizeof(vdi));
+    memset(tag, 0, sizeof(tag));
+    if (parse_vdiname(&s, filename, vdi, &snapid, tag) < 0) {
+        error_report("invalid filename\n");
+        return -EINVAL;
+    }
+
     while (options && options->name) {
         if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
             vdi_size = options->value.n;
@@ -1338,11 +1349,11 @@ static int sd_create(const char *filename, QEMUOptionParameter *options)
             return -EINVAL;
         }
 
-        vid = s->inode.vdi_id;
+        base_vid = s->inode.vdi_id;
         bdrv_delete(bs);
     }
 
-    return do_sd_create((char *)filename, vdi_size, vid, NULL, 0, NULL, NULL);
+    return do_sd_create((char *)vdi, vdi_size, base_vid, &vid, 0, s.addr, s.port);
 }
 
 static void sd_close(BlockDriverState *bs)
commit bf595021c765c8869cf2942874c419d7b73bbaf6
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Jan 27 11:25:03 2011 +0100

    Reorganize struct Qcow2Cache for better struct packing
    
    Move size after the two pointers in struct Qcow2Cache to get better
    packing of struct elements on 64 bit architectures.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c
index 8f2955b..3824739 100644
--- a/block/qcow2-cache.c
+++ b/block/qcow2-cache.c
@@ -35,9 +35,9 @@ typedef struct Qcow2CachedTable {
 } Qcow2CachedTable;
 
 struct Qcow2Cache {
-    int                     size;
     Qcow2CachedTable*       entries;
     struct Qcow2Cache*      depends;
+    int                     size;
     bool                    depends_on_flush;
     bool                    writethrough;
 };
commit fe6ceac86041ecdf7b99a3d57991941277fa7694
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Wed Jan 26 10:24:56 2011 +0000

    ahci: Fix cpu_physical_memory_unmap() argument ordering
    
    The len and is_write arguments to cpu_physical_memory_unmap() were
    swapped.  This patch changes calls to use the correct argument ordering.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 968fdce..433171c 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -513,12 +513,12 @@ static void map_page(uint8_t **ptr, uint64_t addr, uint32_t wanted)
     target_phys_addr_t len = wanted;
 
     if (*ptr) {
-        cpu_physical_memory_unmap(*ptr, 1, len, len);
+        cpu_physical_memory_unmap(*ptr, len, 1, len);
     }
 
     *ptr = cpu_physical_memory_map(addr, &len, 1);
     if (len < wanted) {
-        cpu_physical_memory_unmap(*ptr, 1, len, len);
+        cpu_physical_memory_unmap(*ptr, len, 1, len);
         *ptr = NULL;
     }
 }
@@ -956,7 +956,7 @@ static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis)
     ahci_trigger_irq(ad->hba, ad, PORT_IRQ_D2H_REG_FIS);
 
     if (cmd_mapped) {
-        cpu_physical_memory_unmap(cmd_fis, 0, cmd_len, cmd_len);
+        cpu_physical_memory_unmap(cmd_fis, cmd_len, 0, cmd_len);
     }
 }
 
@@ -1002,7 +1002,7 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
     }
 
 out:
-    cpu_physical_memory_unmap(prdt, 0, prdt_len, prdt_len);
+    cpu_physical_memory_unmap(prdt, prdt_len, 0, prdt_len);
     return r;
 }
 
@@ -1228,7 +1228,7 @@ static int handle_cmd(AHCIState *s, int port, int slot)
     }
 
 out:
-    cpu_physical_memory_unmap(cmd_fis, 1, cmd_len, cmd_len);
+    cpu_physical_memory_unmap(cmd_fis, cmd_len, 1, cmd_len);
 
     if (s->dev[port].port.ifs[0].status & (BUSY_STAT|DRQ_STAT)) {
         /* async command, complete later */
commit d7142456c4c0a8793a7888e00ef7fbf0553f9c66
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Wed Jan 26 11:54:58 2011 +0100

    Add documentation for STRTOSZ_DEFSUFFIX_ macros
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Acked-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-common.h b/qemu-common.h
index c351131..79e1149 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -153,6 +153,13 @@ int qemu_fls(int i);
 int qemu_fdatasync(int fd);
 int fcntl_setfl(int fd, int flag);
 
+/*
+ * strtosz() suffixes used to specify the default treatment of an
+ * argument passed to strtosz() without an explicit suffix.
+ * These should be defined using upper case characters in the range
+ * A-Z, as strtosz() will use qemu_toupper() on the given argument
+ * prior to comparison.
+ */
 #define STRTOSZ_DEFSUFFIX_TB	'T'
 #define STRTOSZ_DEFSUFFIX_GB	'G'
 #define STRTOSZ_DEFSUFFIX_MB	'M'
commit d0dcac833a767dade968a07aba4d116f162ebc72
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Jan 25 16:17:14 2011 +0000

    virtio-pci: Disable virtio-ioeventfd when !CONFIG_IOTHREAD
    
    It is not possible to use virtio-ioeventfd when building without an I/O
    thread.  We rely on a signal to kick us out of vcpu execution.  Timers
    and AIO use SIGALRM and SIGUSR2 respectively.  Unfortunately eventfd
    does not support O_ASYNC (SIGIO) so eventfd cannot be used in a signal
    driven manner.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 255b6fa..8f0e17c 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -449,10 +449,14 @@ int kvm_check_extension(KVMState *s, unsigned int extension)
 
 static int kvm_check_many_ioeventfds(void)
 {
-    /* Older kernels have a 6 device limit on the KVM io bus.  Find out so we
+    /* Userspace can use ioeventfd for io notification.  This requires a host
+     * that supports eventfd(2) and an I/O thread; since eventfd does not
+     * support SIGIO it cannot interrupt the vcpu.
+     *
+     * Older kernels have a 6 device limit on the KVM io bus.  Find out so we
      * can avoid creating too many ioeventfds.
      */
-#ifdef CONFIG_EVENTFD
+#if defined(CONFIG_EVENTFD) && defined(CONFIG_IOTHREAD)
     int ioeventfds[7];
     int i, ret = 0;
     for (i = 0; i < ARRAY_SIZE(ioeventfds); i++) {
commit e5051fc70807750f7a4798d2d83e159793c466d3
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Jan 24 13:32:51 2011 +0100

    virtio-blk: tell the guest about size changes
    
    Raise a config change interrupt when the size changed.  This allows
    virtio-blk guest drivers to read-read the information from the
    config space once it got the config chaged interrupt.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index 9f2a9c0..ffac5a4 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -514,6 +514,15 @@ static int virtio_blk_load(QEMUFile *f, void *opaque, int version_id)
     return 0;
 }
 
+static void virtio_blk_change_cb(void *opaque, int reason)
+{
+    VirtIOBlock *s = opaque;
+
+    if (reason & CHANGE_SIZE) {
+        virtio_notify_config(&s->vdev);
+    }
+}
+
 VirtIODevice *virtio_blk_init(DeviceState *dev, BlockConf *conf)
 {
     VirtIOBlock *s;
@@ -556,6 +565,7 @@ VirtIODevice *virtio_blk_init(DeviceState *dev, BlockConf *conf)
     register_savevm(dev, "virtio-blk", virtio_blk_id++, 2,
                     virtio_blk_save, virtio_blk_load, s);
     bdrv_set_removable(s->bs, 0);
+    bdrv_set_change_cb(s->bs, virtio_blk_change_cb, s);
     s->bs->buffer_alignment = conf->logical_block_size;
 
     add_boot_device_path(conf->bootindex, dev, "/disk at 0,0");
commit db97ee6a976bacbb0d18818e951cfc41b39269a7
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Jan 24 13:32:41 2011 +0100

    block: tell drivers about an image resize
    
    Extend the change_cb callback with a reason argument, and use it
    to tell drivers about size changes.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index 7ad3ddf..998df1b 100644
--- a/block.c
+++ b/block.c
@@ -645,7 +645,7 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
         /* call the change callback */
         bs->media_changed = 1;
         if (bs->change_cb)
-            bs->change_cb(bs->change_opaque);
+            bs->change_cb(bs->change_opaque, CHANGE_MEDIA);
     }
 
     return 0;
@@ -684,7 +684,7 @@ void bdrv_close(BlockDriverState *bs)
         /* call the change callback */
         bs->media_changed = 1;
         if (bs->change_cb)
-            bs->change_cb(bs->change_opaque);
+            bs->change_cb(bs->change_opaque, CHANGE_MEDIA);
     }
 }
 
@@ -1135,6 +1135,9 @@ int bdrv_truncate(BlockDriverState *bs, int64_t offset)
     ret = drv->bdrv_truncate(bs, offset);
     if (ret == 0) {
         ret = refresh_total_sectors(bs, offset >> BDRV_SECTOR_BITS);
+        if (bs->change_cb) {
+            bs->change_cb(bs->change_opaque, CHANGE_SIZE);
+        }
     }
     return ret;
 }
@@ -1366,7 +1369,8 @@ int bdrv_enable_write_cache(BlockDriverState *bs)
 
 /* XXX: no longer used */
 void bdrv_set_change_cb(BlockDriverState *bs,
-                        void (*change_cb)(void *opaque), void *opaque)
+                        void (*change_cb)(void *opaque, int reason),
+                        void *opaque)
 {
     bs->change_cb = change_cb;
     bs->change_opaque = opaque;
@@ -1411,7 +1415,7 @@ int bdrv_set_key(BlockDriverState *bs, const char *key)
         /* call the change callback now, we skipped it on open */
         bs->media_changed = 1;
         if (bs->change_cb)
-            bs->change_cb(bs->change_opaque);
+            bs->change_cb(bs->change_opaque, CHANGE_MEDIA);
     }
     return ret;
 }
diff --git a/block.h b/block.h
index f923add..239f729 100644
--- a/block.h
+++ b/block.h
@@ -182,7 +182,8 @@ int bdrv_is_locked(BlockDriverState *bs);
 void bdrv_set_locked(BlockDriverState *bs, int locked);
 int bdrv_eject(BlockDriverState *bs, int eject_flag);
 void bdrv_set_change_cb(BlockDriverState *bs,
-                        void (*change_cb)(void *opaque), void *opaque);
+                        void (*change_cb)(void *opaque, int reason),
+                        void *opaque);
 void bdrv_get_format(BlockDriverState *bs, char *buf, int buf_size);
 BlockDriverState *bdrv_find(const char *name);
 BlockDriverState *bdrv_next(BlockDriverState *bs);
diff --git a/block_int.h b/block_int.h
index 12663e8..6ebdc3e 100644
--- a/block_int.h
+++ b/block_int.h
@@ -153,7 +153,7 @@ struct BlockDriverState {
     int valid_key; /* if true, a valid encryption key has been set */
     int sg;        /* if true, the device is a /dev/sg* */
     /* event callback when inserting/removing */
-    void (*change_cb)(void *opaque);
+    void (*change_cb)(void *opaque, int reason);
     void *change_opaque;
 
     BlockDriver *drv; /* NULL means no media */
@@ -203,6 +203,9 @@ struct BlockDriverState {
     void *private;
 };
 
+#define CHANGE_MEDIA	0x01
+#define CHANGE_SIZE	0x02
+
 struct BlockDriverAIOCB {
     AIOPool *pool;
     BlockDriverState *bs;
diff --git a/hw/ide/core.c b/hw/ide/core.c
index e698c13..dd63664 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1584,11 +1584,15 @@ static void ide_cfata_metadata_write(IDEState *s)
 }
 
 /* called when the inserted state of the media has changed */
-static void cdrom_change_cb(void *opaque)
+static void cdrom_change_cb(void *opaque, int reason)
 {
     IDEState *s = opaque;
     uint64_t nb_sectors;
 
+    if (!(reason & CHANGE_MEDIA)) {
+        return;
+    }
+
     bdrv_get_geometry(s->bs, &nb_sectors);
     s->nb_sectors = nb_sectors;
 
diff --git a/hw/sd.c b/hw/sd.c
index 601545b..789ca84 100644
--- a/hw/sd.c
+++ b/hw/sd.c
@@ -422,9 +422,14 @@ static void sd_reset(SDState *sd, BlockDriverState *bdrv)
     sd->pwd_len = 0;
 }
 
-static void sd_cardchange(void *opaque)
+static void sd_cardchange(void *opaque, int reason)
 {
     SDState *sd = opaque;
+
+    if (!(reason & CHANGE_MEDIA)) {
+        return;
+    }
+
     qemu_set_irq(sd->inserted_cb, bdrv_is_inserted(sd->bdrv));
     if (bdrv_is_inserted(sd->bdrv)) {
         sd_reset(sd, sd->bdrv);
commit 6d4a2b3a47959f02e7f307f50396e70e8464f95e
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Jan 24 13:32:33 2011 +0100

    block: add block_resize monitor command
    
    Add a monitor command that allows resizing of block devices while
    qemu is running.  It uses the existing bdrv_truncate method already
    used by qemu-img to do it's work.  Compared to qemu-img the size
    parsing is very simplicistic, but I think having a properly numering
    object is more useful for non-humand monitor users than having
    the units and relative resize parsing.
    
    For SCSI devices the new size can be updated in Linux guests by
    doing the following shell command:
    
    	echo > /sys/class/scsi_device/0:0:0:0/device/rescan
    
    For ATA devices I don't know of a way to update the block device
    size in Linux system, and for virtio-blk the next two patches
    will provide an automatic update of the size when this command
    is issued on the host.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index f7f591f..e48d33d 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -705,3 +705,33 @@ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
 
     return 0;
 }
+
+/*
+ * XXX: replace the QERR_UNDEFINED_ERROR errors with real values once the
+ * existing QERR_ macro mess is cleaned up.  A good example for better
+ * error reports can be found in the qemu-img resize code.
+ */
+int do_block_resize(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *device = qdict_get_str(qdict, "device");
+    int64_t size = qdict_get_int(qdict, "size");
+    BlockDriverState *bs;
+
+    bs = bdrv_find(device);
+    if (!bs) {
+        qerror_report(QERR_DEVICE_NOT_FOUND, device);
+        return -1;
+    }
+
+    if (size < 0) {
+        qerror_report(QERR_UNDEFINED_ERROR);
+        return -1;
+    }
+
+    if (bdrv_truncate(bs, size)) {
+        qerror_report(QERR_UNDEFINED_ERROR);
+        return -1;
+    }
+
+    return 0;
+}
diff --git a/blockdev.h b/blockdev.h
index 4536b5c..b8a88bf 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -53,5 +53,6 @@ int do_change_block(Monitor *mon, const char *device,
                     const char *filename, const char *fmt);
 int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data);
 int do_snapshot_blkdev(Monitor *mon, const QDict *qdict, QObject **ret_data);
+int do_block_resize(Monitor *mon, const QDict *qdict, QObject **ret_data);
 
 #endif
diff --git a/hmp-commands.hx b/hmp-commands.hx
index 1cea572..8df4adf 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -53,6 +53,25 @@ Quit the emulator.
 ETEXI
 
     {
+        .name       = "block_resize",
+        .args_type  = "device:B,size:o",
+        .params     = "device size",
+        .help       = "resize a block image",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_block_resize,
+    },
+
+STEXI
+ at item block_resize
+ at findex block_resize
+Resize a block image while a guest is running.  Usually requires guest
+action to see the updated size.  Resize to a lower size is supported,
+but should be used with extreme caution.  Note that this command only
+resizes image files, it can not resize block devices like LVM volumes.
+ETEXI
+
+
+    {
         .name       = "eject",
         .args_type  = "force:-f,device:B",
         .params     = "[-f] device",
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 56c4d8b..9f79f5f 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -601,6 +601,34 @@ Example:
 -> { "execute": "netdev_del", "arguments": { "id": "netdev1" } }
 <- { "return": {} }
 
+
+EQMP
+
+    {
+        .name       = "block_resize",
+        .args_type  = "device:B,size:o",
+        .params     = "device size",
+        .help       = "resize a block image",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_block_resize,
+    },
+
+SQMP
+block_resize
+------------
+
+Resize a block image while a guest is running.
+
+Arguments:
+
+- "device": the device's ID, must be unique (json-string)
+- "size": new size
+
+Example:
+
+-> { "execute": "block_resize", "arguments": { "device": "scratch", "size": 1073741824 } }
+<- { "return": {} }
+
 EQMP
 
     {
commit 2be22ca5a8dd96c68ef0e90fd916aa6555ae915b
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Jan 24 16:33:31 2011 +0100

    strtosz(): Use suffix macros in switch() statement
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index 369a016..8d562b2 100644
--- a/cutils.c
+++ b/cutils.c
@@ -324,26 +324,26 @@ int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
         }
     }
     switch (qemu_toupper(d)) {
-    case 'B':
+    case STRTOSZ_DEFSUFFIX_B:
         mul = 1;
         if (mul_required) {
             goto fail;
         }
         break;
-    case 'K':
+    case STRTOSZ_DEFSUFFIX_KB:
         mul = 1 << 10;
         break;
     case 0:
         if (mul_required) {
             goto fail;
         }
-    case 'M':
+    case STRTOSZ_DEFSUFFIX_MB:
         mul = 1ULL << 20;
         break;
-    case 'G':
+    case STRTOSZ_DEFSUFFIX_GB:
         mul = 1ULL << 30;
         break;
-    case 'T':
+    case STRTOSZ_DEFSUFFIX_TB:
         mul = 1ULL << 40;
         break;
     default:
commit 7eb053494c76bb417f83b6e6784a5dbb27638dba
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Jan 24 16:33:30 2011 +0100

    strtosz(): Fix name confusion in use of modf()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index 78d35e2..369a016 100644
--- a/cutils.c
+++ b/cutils.c
@@ -304,8 +304,8 @@ int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
     if (isnan(val) || endptr == nptr || errno != 0) {
         goto fail;
     }
-    integral = modf(val, &fraction);
-    if (integral != 0) {
+    fraction = modf(val, &integral);
+    if (fraction != 0) {
         mul_required = 1;
     }
     /*
commit a2afc2c16339a85176696738e4c58ed4ff36f8b5
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Jan 24 16:33:29 2011 +0100

    strtosz() use qemu_toupper() to simplify switch statement
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index a067cf4..78d35e2 100644
--- a/cutils.c
+++ b/cutils.c
@@ -323,16 +323,14 @@ int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
             d = c;
         }
     }
-    switch (d) {
+    switch (qemu_toupper(d)) {
     case 'B':
-    case 'b':
         mul = 1;
         if (mul_required) {
             goto fail;
         }
         break;
     case 'K':
-    case 'k':
         mul = 1 << 10;
         break;
     case 0:
@@ -340,15 +338,12 @@ int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
             goto fail;
         }
     case 'M':
-    case 'm':
         mul = 1ULL << 20;
         break;
     case 'G':
-    case 'g':
         mul = 1ULL << 30;
         break;
     case 'T':
-    case 't':
         mul = 1ULL << 40;
         break;
     default:
commit f3bd362a1857c617a4154062cadd501fc52c4199
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Jan 24 16:33:28 2011 +0100

    strtosz(): use unsigned char and switch to qemu_isspace()
    
    isspace() behavior is undefined for signed char.
    
    Bug pointed out by Eric Blake, thanks!
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index 4d2e27c..a067cf4 100644
--- a/cutils.c
+++ b/cutils.c
@@ -294,7 +294,8 @@ int fcntl_setfl(int fd, int flag)
 int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
 {
     int64_t retval = -1;
-    char *endptr, c, d;
+    char *endptr;
+    unsigned char c, d;
     int mul_required = 0;
     double val, mul, integral, fraction;
 
@@ -314,7 +315,7 @@ int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
      */
     c = *endptr;
     d = c;
-    if (isspace(c) || c == '\0' || c == ',') {
+    if (qemu_isspace(c) || c == '\0' || c == ',') {
         c = 0;
         if (default_suffix) {
             d = default_suffix;
@@ -361,7 +362,7 @@ int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
      */
     if (c != 0) {
         endptr++;
-        if (!isspace(*endptr) && *endptr != ',' && *endptr != 0) {
+        if (!qemu_isspace(*endptr) && *endptr != ',' && *endptr != 0) {
             goto fail;
         }
     }
commit 45d1aa828f8c94b082a0aa2dbf76535594ee45df
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 30 13:10:10 2011 +0000

    Update OpenBIOS images to r1018
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/pc-bios/README b/pc-bios/README
index 4b019e0..3fc0944 100644
--- a/pc-bios/README
+++ b/pc-bios/README
@@ -11,7 +11,7 @@
   firmware implementation. The goal is to implement a 100% IEEE
   1275-1994 (referred to as Open Firmware) compliant firmware.
   The included image for PowerPC (for 32 and 64 bit PPC CPUs), Sparc32
-  and Sparc64 are built from OpenBIOS SVN revision 859.
+  and Sparc64 are built from OpenBIOS SVN revision 1018.
 
 - The PXE roms come from Rom-o-Matic gPXE 0.9.9 with BANNER_TIMEOUT=0
 
diff --git a/pc-bios/openbios-ppc b/pc-bios/openbios-ppc
index cb0af05..ee6f5ae 100644
Binary files a/pc-bios/openbios-ppc and b/pc-bios/openbios-ppc differ
diff --git a/pc-bios/openbios-sparc32 b/pc-bios/openbios-sparc32
index aaff1f0..b2dc5c5 100644
Binary files a/pc-bios/openbios-sparc32 and b/pc-bios/openbios-sparc32 differ
diff --git a/pc-bios/openbios-sparc64 b/pc-bios/openbios-sparc64
index a1b692e..70a223d 100644
Binary files a/pc-bios/openbios-sparc64 and b/pc-bios/openbios-sparc64 differ
commit 1b958498acaeee61f0db648b464c04f228f8aab6
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Jan 29 22:52:33 2011 +0000

    sdl: remove unused variable
    
    Variable rec is not used, remove it. Spotted by GCC 4.6.0:
      CC    ui/sdl.o
    /src/qemu/ui/sdl.c: In function 'sdl_setdata':
    /src/qemu/ui/sdl.c:90:14: error: variable 'rec' set but not used [-Werror=unused-but-set-variable]
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/ui/sdl.c b/ui/sdl.c
index f599d42..a1458ce 100644
--- a/ui/sdl.c
+++ b/ui/sdl.c
@@ -87,12 +87,6 @@ static void sdl_update(DisplayState *ds, int x, int y, int w, int h)
 
 static void sdl_setdata(DisplayState *ds)
 {
-    SDL_Rect rec;
-    rec.x = 0;
-    rec.y = 0;
-    rec.w = real_screen->w;
-    rec.h = real_screen->h;
-
     if (guest_screen != NULL) SDL_FreeSurface(guest_screen);
 
     guest_screen = SDL_CreateRGBSurfaceFrom(ds_get_data(ds), ds_get_width(ds), ds_get_height(ds),
commit 320fba2a1f384e17db150d74540a2cf005eb47b5
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Thu Jan 27 10:24:41 2011 +0100

    New trace-event backend: stderr
    
    This backend sends trace events to standard error output during the emulation.
    
    Also add a "--list-backends" option to tracetool, so configure script can
    display the list of available backends.
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 210670c..fcc5a71 100755
--- a/configure
+++ b/configure
@@ -907,7 +907,8 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --enable-trace-backend=B Trace backend nop simple ust dtrace"
+echo "  --enable-trace-backend=B Set trace backend"
+echo "                           Available backends:" $("$source_path"/scripts/tracetool --list-backends)
 echo "  --with-trace-file=NAME   Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo "  --disable-spice          disable spice"
diff --git a/docs/tracing.txt b/docs/tracing.txt
index 963c504..21183f9 100644
--- a/docs/tracing.txt
+++ b/docs/tracing.txt
@@ -133,6 +133,11 @@ source tree.  It may not be as powerful as platform-specific or third-party
 trace backends but it is portable.  This is the recommended trace backend
 unless you have specific needs for more advanced backends.
 
+=== Stderr ===
+
+The "stderr" backend sends trace events directly to standard error output
+during emulation.
+
 ==== Monitor commands ====
 
 * info trace
diff --git a/scripts/tracetool b/scripts/tracetool
index fce491c..e046683 100755
--- a/scripts/tracetool
+++ b/scripts/tracetool
@@ -13,12 +13,13 @@ set -f
 usage()
 {
     cat >&2 <<EOF
-usage: $0 [--nop | --simple | --ust] [-h | -c]
+usage: $0 [--nop | --simple | --stderr | --ust | --dtrace] [-h | -c]
 Generate tracing code for a file on stdin.
 
 Backends:
   --nop     Tracing disabled
   --simple  Simple built-in backend
+  --stderr  Stderr built-in backend
   --ust     LTTng User Space Tracing backend
   --dtrace  DTrace/SystemTAP backend
 
@@ -236,6 +237,56 @@ linetoc_end_simple()
 EOF
 }
 
+#STDERR
+linetoh_begin_stderr()
+{
+    cat <<EOF
+#include <stdio.h>
+EOF
+}
+
+linetoh_stderr()
+{
+    local name args argnames argc fmt
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1" ",")
+    argc=$(get_argc "$1")
+    fmt=$(get_fmt "$1")
+
+    if [ "$argc" -gt 0 ]; then
+        argnames=", $argnames"
+    fi
+
+    cat <<EOF
+static inline void trace_$name($args)
+{
+    fprintf(stderr, "$name $fmt\n" $argnames);
+}
+EOF
+}
+
+linetoh_end_stderr()
+{
+return
+}
+
+linetoc_begin_stderr()
+{
+return
+}
+
+linetoc_stderr()
+{
+return
+}
+
+linetoc_end_stderr()
+{
+return
+}
+#END OF STDERR
+
 # Clean up after UST headers which pollute the namespace
 ust_clean_namespace() {
     cat <<EOF
@@ -546,7 +597,7 @@ targetarch=
 until [ -z "$1" ]
 do
   case "$1" in
-    "--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
+    "--nop" | "--simple" | "--stderr" | "--ust" | "--dtrace") backend="${1#--}" ;;
 
     "--binary") shift ; binary="$1" ;;
     "--target-arch") shift ; targetarch="$1" ;;
@@ -557,6 +608,11 @@ do
 
     "--check-backend") exit 0 ;; # used by ./configure to test for backend
 
+    "--list-backends") # used by ./configure to list available backends
+          echo "nop simple stderr ust dtrace"
+          exit 0
+          ;;
+
     *)
       usage;;
   esac
commit 491e2a338fdf8310c84f6ebaed1683a871a0700e
Author: Hervé Poussineau <hpoussin at reactos.org>
Date:   Tue Jan 18 22:43:56 2011 +0100

    prep: Disable second IDE channel, as long as ISA IDE emulation doesn't support same irq for both channels
    
    Cc: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Hervé Poussineau <hpoussin at reactos.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index 6b22122..6c1499a 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -690,7 +690,7 @@ static void ppc_prep_init (ram_addr_t ram_size,
         hd[i] = drive_get(IF_IDE, i / MAX_IDE_DEVS, i % MAX_IDE_DEVS);
     }
 
-    for(i = 0; i < MAX_IDE_BUS; i++) {
+    for(i = 0; i < 1/*MAX_IDE_BUS*/; i++) {
         isa_ide_init(ide_iobase[i], ide_iobase2[i], ide_irq[i],
                      hd[2 * i],
 		     hd[2 * i + 1]);
commit 74145374bfc0b7b02415184606236f0390479deb
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Tue Jan 18 22:43:55 2011 +0100

    prep: Remove bogus BIOS size check
    
    r3480 added this check to account for the entry vector 0xfff00100 to be
    available for CPUs that need it. Today however, the NIP is not yet
    initialized at this point (zero), so the check always triggers.
    
    Moreover, BIOS size check is already done previously, so this part can
    be removed too.
    
    Cc: Alexander Graf <agraf at suse.de>
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Hervé Poussineau <hpoussin at reactos.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index 1492266..6b22122 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -600,9 +600,6 @@ static void ppc_prep_init (ram_addr_t ram_size,
     if (filename) {
         qemu_free(filename);
     }
-    if (env->nip < 0xFFF80000 && bios_size < 0x00100000) {
-        hw_error("PowerPC 601 / 620 / 970 need a 1MB BIOS\n");
-    }
 
     if (linux_boot) {
         kernel_base = KERNEL_LOAD_ADDR;
commit 51e08f3e4b8a3b6d27fde9a9e75c8fa32eaa72d0
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 25 11:55:15 2011 +0100

    mc146818rtc: update registers after a format change
    
    For some unknown reason, the MIPS kernel briefly changes the RTC to
    binary mode during boot, switch back to BCD mode and read the time. As
    the registers are updated only every second, they may still be in the
    old format when they are read.
    
    This patch forces a register update immediately after a format change
    (BCD/binary or 12/24H). This avoid long fsck during boot due to time
    wrap.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/mc146818rtc.c b/hw/mc146818rtc.c
index ec7c4ec..a1b0e31 100644
--- a/hw/mc146818rtc.c
+++ b/hw/mc146818rtc.c
@@ -247,7 +247,15 @@ static void cmos_ioport_write(void *opaque, uint32_t addr, uint32_t data)
                     rtc_set_time(s);
                 }
             }
-            s->cmos_data[RTC_REG_B] = data;
+            if (((s->cmos_data[RTC_REG_B] ^ data) & (REG_B_DM | REG_B_24H)) &&
+                !(data & REG_B_SET)) {
+                /* If the time format has changed and not in set mode,
+                   update the registers immediately. */
+                s->cmos_data[RTC_REG_B] = data;
+                rtc_copy_date(s);
+            } else {
+                s->cmos_data[RTC_REG_B] = data;
+            }
             rtc_timer_update(s, qemu_get_clock(rtc_clock));
             break;
         case RTC_REG_C:
commit c29cd656a8fad633fb9ca45b88ade9838d35fd5c
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 25 11:55:15 2011 +0100

    mc146818rtc: constantify
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/mc146818rtc.c b/hw/mc146818rtc.c
index 6466aff..ec7c4ec 100644
--- a/hw/mc146818rtc.c
+++ b/hw/mc146818rtc.c
@@ -72,6 +72,7 @@
 #define REG_B_UIE  0x10
 #define REG_B_SQWE 0x08
 #define REG_B_DM   0x04
+#define REG_B_24H  0x02
 
 #define REG_C_UF   0x10
 #define REG_C_IRQF 0x80
@@ -285,7 +286,7 @@ static void rtc_set_time(RTCState *s)
     tm->tm_sec = rtc_from_bcd(s, s->cmos_data[RTC_SECONDS]);
     tm->tm_min = rtc_from_bcd(s, s->cmos_data[RTC_MINUTES]);
     tm->tm_hour = rtc_from_bcd(s, s->cmos_data[RTC_HOURS] & 0x7f);
-    if (!(s->cmos_data[RTC_REG_B] & 0x02) &&
+    if (!(s->cmos_data[RTC_REG_B] & REG_B_24H) &&
         (s->cmos_data[RTC_HOURS] & 0x80)) {
         tm->tm_hour += 12;
     }
@@ -304,7 +305,7 @@ static void rtc_copy_date(RTCState *s)
 
     s->cmos_data[RTC_SECONDS] = rtc_to_bcd(s, tm->tm_sec);
     s->cmos_data[RTC_MINUTES] = rtc_to_bcd(s, tm->tm_min);
-    if (s->cmos_data[RTC_REG_B] & 0x02) {
+    if (s->cmos_data[RTC_REG_B] & REG_B_24H) {
         /* 24 hour format */
         s->cmos_data[RTC_HOURS] = rtc_to_bcd(s, tm->tm_hour);
     } else {
commit 46eece9d8969ac37bcdf0a3f056a9cceb20bc641
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Thu Jan 27 19:18:35 2011 +0000

    target-arm: Fix Neon VQ(R)DMULH.S16 instructions
    
    Correct an error in the implementation of the 16 bit
    forms of VQ(R)DMULH, bringing them into line with the
    32 bit implementation.
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index 20f3c16..fead152 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -880,8 +880,9 @@ uint32_t HELPER(neon_cnt_u8)(uint32_t x)
     if ((tmp ^ (tmp << 1)) & SIGNBIT) { \
         SET_QC(); \
         tmp = (tmp >> 31) ^ ~SIGNBIT; \
+    } else { \
+        tmp <<= 1; \
     } \
-    tmp <<= 1; \
     if (round) { \
         int32_t old = tmp; \
         tmp += 1 << 15; \
commit 92e3c2a39e95576dd215b063e493069c67ffaab8
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 25 11:55:14 2011 +0100

    virtio-blk: fix cross-endianness targets
    
    virtio-blk doesn't work on cross-endian configuration, as endianness is
    not handled correctly.
    
    This patch adds missing endianness conversions to make virtio-blk
    working. Tested on the following configurations:
    - i386 guest on x86_64 host
    - ppc guest on x86_64 host
    - i386 guest on mips host
    - ppc guest on mips host
    
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index f62ccd1..9f2a9c0 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -55,7 +55,7 @@ static void virtio_blk_req_complete(VirtIOBlockReq *req, int status)
 
     trace_virtio_blk_req_complete(req, status);
 
-    req->in->status = status;
+    stb_p(&req->in->status, status);
     virtqueue_push(s->vq, &req->elem, req->qiov.size + sizeof(*req->in));
     virtio_notify(&s->vdev, s->vq);
 
@@ -94,7 +94,7 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
     trace_virtio_blk_rw_complete(req, ret);
 
     if (ret) {
-        int is_read = !(req->out->type & VIRTIO_BLK_T_OUT);
+        int is_read = !(ldl_p(&req->out->type) & VIRTIO_BLK_T_OUT);
         if (virtio_blk_handle_rw_error(req, -ret, is_read))
             return;
     }
@@ -223,10 +223,10 @@ static void virtio_blk_handle_scsi(VirtIOBlockReq *req)
         status = VIRTIO_BLK_S_OK;
     }
 
-    req->scsi->errors = hdr.status;
-    req->scsi->residual = hdr.resid;
-    req->scsi->sense_len = hdr.sb_len_wr;
-    req->scsi->data_len = hdr.dxfer_len;
+    stl_p(&req->scsi->errors, hdr.status);
+    stl_p(&req->scsi->residual, hdr.resid);
+    stl_p(&req->scsi->sense_len, hdr.sb_len_wr);
+    stl_p(&req->scsi->data_len, hdr.dxfer_len);
 
     virtio_blk_req_complete(req, status);
 }
@@ -280,10 +280,13 @@ static void virtio_blk_handle_flush(VirtIOBlockReq *req, MultiReqBuffer *mrb)
 static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
 {
     BlockRequest *blkreq;
+    uint64_t sector;
 
-    trace_virtio_blk_handle_write(req, req->out->sector, req->qiov.size / 512);
+    sector = ldq_p(&req->out->sector);
 
-    if (req->out->sector & req->dev->sector_mask) {
+    trace_virtio_blk_handle_write(req, sector, req->qiov.size / 512);
+
+    if (sector & req->dev->sector_mask) {
         virtio_blk_rw_complete(req, -EIO);
         return;
     }
@@ -293,7 +296,7 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
     }
 
     blkreq = &mrb->blkreq[mrb->num_writes];
-    blkreq->sector = req->out->sector;
+    blkreq->sector = sector;
     blkreq->nb_sectors = req->qiov.size / BDRV_SECTOR_SIZE;
     blkreq->qiov = &req->qiov;
     blkreq->cb = virtio_blk_rw_complete;
@@ -306,13 +309,16 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
 static void virtio_blk_handle_read(VirtIOBlockReq *req)
 {
     BlockDriverAIOCB *acb;
+    uint64_t sector;
+
+    sector = ldq_p(&req->out->sector);
 
-    if (req->out->sector & req->dev->sector_mask) {
+    if (sector & req->dev->sector_mask) {
         virtio_blk_rw_complete(req, -EIO);
         return;
     }
 
-    acb = bdrv_aio_readv(req->dev->bs, req->out->sector, &req->qiov,
+    acb = bdrv_aio_readv(req->dev->bs, sector, &req->qiov,
                          req->qiov.size / BDRV_SECTOR_SIZE,
                          virtio_blk_rw_complete, req);
     if (!acb) {
@@ -323,6 +329,8 @@ static void virtio_blk_handle_read(VirtIOBlockReq *req)
 static void virtio_blk_handle_request(VirtIOBlockReq *req,
     MultiReqBuffer *mrb)
 {
+    uint32_t type;
+
     if (req->elem.out_num < 1 || req->elem.in_num < 1) {
         error_report("virtio-blk missing headers");
         exit(1);
@@ -337,17 +345,19 @@ static void virtio_blk_handle_request(VirtIOBlockReq *req,
     req->out = (void *)req->elem.out_sg[0].iov_base;
     req->in = (void *)req->elem.in_sg[req->elem.in_num - 1].iov_base;
 
-    if (req->out->type & VIRTIO_BLK_T_FLUSH) {
+    type = ldl_p(&req->out->type);
+
+    if (type & VIRTIO_BLK_T_FLUSH) {
         virtio_blk_handle_flush(req, mrb);
-    } else if (req->out->type & VIRTIO_BLK_T_SCSI_CMD) {
+    } else if (type & VIRTIO_BLK_T_SCSI_CMD) {
         virtio_blk_handle_scsi(req);
-    } else if (req->out->type & VIRTIO_BLK_T_GET_ID) {
+    } else if (type & VIRTIO_BLK_T_GET_ID) {
         VirtIOBlock *s = req->dev;
 
         memcpy(req->elem.in_sg[0].iov_base, s->sn,
                MIN(req->elem.in_sg[0].iov_len, sizeof(s->sn)));
         virtio_blk_req_complete(req, VIRTIO_BLK_S_OK);
-    } else if (req->out->type & VIRTIO_BLK_T_OUT) {
+    } else if (type & VIRTIO_BLK_T_OUT) {
         qemu_iovec_init_external(&req->qiov, &req->elem.out_sg[1],
                                  req->elem.out_num - 1);
         virtio_blk_handle_write(req, mrb);
commit 44b15bc5c65ab6b3103f508504e4adf8ee9902d7
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 25 11:55:14 2011 +0100

    virtio-net: fix cross-endianness support
    
    virtio-net used to work on cross-endianness configurations, but doesn't
    anymore with recent guest kernels, as the new features don't handle
    endianness correctly.
    
    This patch fixes wrong conversion, and add missing ones to make
    virtio-net working. Tested on the following configurations:
    - i386 guest on x86_64 host
    - ppc guest on x86_64 host
    - i386 guest on mips host
    - ppc guest on mips host
    
    Cc: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index ccb3e63..161f114 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -79,7 +79,7 @@ static void virtio_net_get_config(VirtIODevice *vdev, uint8_t *config)
     VirtIONet *n = to_virtio_net(vdev);
     struct virtio_net_config netcfg;
 
-    netcfg.status = n->status;
+    netcfg.status = lduw_p(&n->status);
     memcpy(netcfg.mac, n->mac, ETH_ALEN);
     memcpy(config, &netcfg, sizeof(netcfg));
 }
@@ -338,7 +338,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
     n->mac_table.multi_overflow = 0;
     memset(n->mac_table.macs, 0, MAC_TABLE_ENTRIES * ETH_ALEN);
 
-    mac_data.entries = ldl_le_p(elem->out_sg[1].iov_base);
+    mac_data.entries = ldl_p(elem->out_sg[1].iov_base);
 
     if (sizeof(mac_data.entries) +
         (mac_data.entries * ETH_ALEN) > elem->out_sg[1].iov_len)
@@ -354,7 +354,7 @@ static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
 
     n->mac_table.first_multi = n->mac_table.in_use;
 
-    mac_data.entries = ldl_le_p(elem->out_sg[2].iov_base);
+    mac_data.entries = ldl_p(elem->out_sg[2].iov_base);
 
     if (sizeof(mac_data.entries) +
         (mac_data.entries * ETH_ALEN) > elem->out_sg[2].iov_len)
@@ -384,7 +384,7 @@ static int virtio_net_handle_vlan_table(VirtIONet *n, uint8_t cmd,
         return VIRTIO_NET_ERR;
     }
 
-    vid = lduw_le_p(elem->out_sg[1].iov_base);
+    vid = lduw_p(elem->out_sg[1].iov_base);
 
     if (vid >= MAX_VLAN)
         return VIRTIO_NET_ERR;
@@ -673,8 +673,9 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
         virtqueue_fill(n->rx_vq, &elem, total, i++);
     }
 
-    if (mhdr)
-        mhdr->num_buffers = i;
+    if (mhdr) {
+        mhdr->num_buffers = lduw_p(&i);
+    }
 
     virtqueue_flush(n->rx_vq, i);
     virtio_notify(&n->vdev, n->rx_vq);
commit f53671c054ba0b5d5b10e2a7294786fa2f73479e
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 27 08:21:35 2011 +0100

    escc: fix interrupt flags
    
    Recent PowerPC kernel end up in kernel panic during boot in -nographic
    mode. In this mode the second serial port is used as the udbg console,
    and thus a few characters are sent on this port. This activates the
    tx interrupt flag, and later choke the Linux kernel, as it was not
    expecting such a flag to be set.
    
    The problem here comes from the fact that contrary to most devices the
    interrupt flags are only set if the interrupt is enabled. Quoting the
    datasheet: "If the corresponding IE bit is not set, the IP for that
    source of interrupt will never be set."
    
    This patch fixes that by enabling the interrupt flag only when the
    corresponding interrupt is enabled.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/escc.c b/hw/escc.c
index ba60636..f6fd919 100644
--- a/hw/escc.c
+++ b/hw/escc.c
@@ -369,14 +369,18 @@ static inline void set_txint(ChannelState *s)
     if (!s->rxint_under_svc) {
         s->txint_under_svc = 1;
         if (s->chn == chn_a) {
-            s->rregs[R_INTR] |= INTR_TXINTA;
+            if (s->wregs[W_INTR] & INTR_TXINT) {
+                s->rregs[R_INTR] |= INTR_TXINTA;
+            }
             if (s->wregs[W_MINTR] & MINTR_STATUSHI)
                 s->otherchn->rregs[R_IVEC] = IVEC_HITXINTA;
             else
                 s->otherchn->rregs[R_IVEC] = IVEC_LOTXINTA;
         } else {
             s->rregs[R_IVEC] = IVEC_TXINTB;
-            s->otherchn->rregs[R_INTR] |= INTR_TXINTB;
+            if (s->wregs[W_INTR] & INTR_TXINT) {
+                s->otherchn->rregs[R_INTR] |= INTR_TXINTB;
+            }
         }
     escc_update_irq(s);
     }
commit 0bb533374a110f22412d95e75768afb8212f8243
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Fri Jan 21 19:57:50 2011 +0300

    pxa2xx_gpio: switch to using qdev
    
    As noted by Markus Armbruster pxa2xx_gpio vmstate version bumped
    because of a change in the or .ilevel / .olevel arrays are saved,
    for convenience.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/gumstix.c b/hw/gumstix.c
index af8b464..ee63f63 100644
--- a/hw/gumstix.c
+++ b/hw/gumstix.c
@@ -78,7 +78,7 @@ static void connex_init(ram_addr_t ram_size,
 
     /* Interrupt line of NIC is connected to GPIO line 36 */
     smc91c111_init(&nd_table[0], 0x04000300,
-                    pxa2xx_gpio_in_get(cpu->gpio)[36]);
+                    qdev_get_gpio_in(cpu->gpio, 36));
 }
 
 static void verdex_init(ram_addr_t ram_size,
@@ -117,7 +117,7 @@ static void verdex_init(ram_addr_t ram_size,
 
     /* Interrupt line of NIC is connected to GPIO line 99 */
     smc91c111_init(&nd_table[0], 0x04000300,
-                    pxa2xx_gpio_in_get(cpu->gpio)[99]);
+                    qdev_get_gpio_in(cpu->gpio, 99));
 }
 
 static QEMUMachine connex_machine = {
diff --git a/hw/pxa.h b/hw/pxa.h
index 8d6a8c3..f73d33b 100644
--- a/hw/pxa.h
+++ b/hw/pxa.h
@@ -70,13 +70,9 @@ void pxa25x_timer_init(target_phys_addr_t base, qemu_irq *irqs);
 void pxa27x_timer_init(target_phys_addr_t base, qemu_irq *irqs, qemu_irq irq4);
 
 /* pxa2xx_gpio.c */
-typedef struct PXA2xxGPIOInfo PXA2xxGPIOInfo;
-PXA2xxGPIOInfo *pxa2xx_gpio_init(target_phys_addr_t base,
+DeviceState *pxa2xx_gpio_init(target_phys_addr_t base,
                 CPUState *env, qemu_irq *pic, int lines);
-qemu_irq *pxa2xx_gpio_in_get(PXA2xxGPIOInfo *s);
-void pxa2xx_gpio_out_set(PXA2xxGPIOInfo *s,
-                int line, qemu_irq handler);
-void pxa2xx_gpio_read_notifier(PXA2xxGPIOInfo *s, qemu_irq handler);
+void pxa2xx_gpio_read_notifier(DeviceState *dev, qemu_irq handler);
 
 /* pxa2xx_dma.c */
 typedef struct PXA2xxDMAState PXA2xxDMAState;
@@ -132,7 +128,7 @@ typedef struct {
     qemu_irq *pic;
     qemu_irq reset;
     PXA2xxDMAState *dma;
-    PXA2xxGPIOInfo *gpio;
+    DeviceState *gpio;
     PXA2xxLCDState *lcd;
     SSIBus **ssp;
     PXA2xxI2CState *i2c[2];
diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index 6e72a5c..d966846 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -2158,7 +2158,7 @@ PXA2xxState *pxa270_init(unsigned int sdram_size, const char *revision)
 
     /* GPIO1 resets the processor */
     /* The handler can be overridden by board-specific code */
-    pxa2xx_gpio_out_set(s->gpio, 1, s->reset);
+    qdev_connect_gpio_out(s->gpio, 1, s->reset);
     return s;
 }
 
@@ -2279,7 +2279,7 @@ PXA2xxState *pxa255_init(unsigned int sdram_size)
 
     /* GPIO1 resets the processor */
     /* The handler can be overridden by board-specific code */
-    pxa2xx_gpio_out_set(s->gpio, 1, s->reset);
+    qdev_connect_gpio_out(s->gpio, 1, s->reset);
     return s;
 }
 
diff --git a/hw/pxa2xx_gpio.c b/hw/pxa2xx_gpio.c
index 0d03446..789965d 100644
--- a/hw/pxa2xx_gpio.c
+++ b/hw/pxa2xx_gpio.c
@@ -8,15 +8,18 @@
  */
 
 #include "hw.h"
+#include "sysbus.h"
 #include "pxa.h"
 
 #define PXA2XX_GPIO_BANKS	4
 
+typedef struct PXA2xxGPIOInfo PXA2xxGPIOInfo;
 struct PXA2xxGPIOInfo {
-    qemu_irq *pic;
+    SysBusDevice busdev;
+    qemu_irq irq0, irq1, irqX;
     int lines;
+    int ncpu;
     CPUState *cpu_env;
-    qemu_irq *in;
 
     /* XXX: GNU C vectors are more suitable */
     uint32_t ilevel[PXA2XX_GPIO_BANKS];
@@ -66,19 +69,19 @@ static struct {
 static void pxa2xx_gpio_irq_update(PXA2xxGPIOInfo *s)
 {
     if (s->status[0] & (1 << 0))
-        qemu_irq_raise(s->pic[PXA2XX_PIC_GPIO_0]);
+        qemu_irq_raise(s->irq0);
     else
-        qemu_irq_lower(s->pic[PXA2XX_PIC_GPIO_0]);
+        qemu_irq_lower(s->irq0);
 
     if (s->status[0] & (1 << 1))
-        qemu_irq_raise(s->pic[PXA2XX_PIC_GPIO_1]);
+        qemu_irq_raise(s->irq1);
     else
-        qemu_irq_lower(s->pic[PXA2XX_PIC_GPIO_1]);
+        qemu_irq_lower(s->irq1);
 
     if ((s->status[0] & ~3) | s->status[1] | s->status[2] | s->status[3])
-        qemu_irq_raise(s->pic[PXA2XX_PIC_GPIO_X]);
+        qemu_irq_raise(s->irqX);
     else
-        qemu_irq_lower(s->pic[PXA2XX_PIC_GPIO_X]);
+        qemu_irq_lower(s->irqX);
 }
 
 /* Bitmap of pins used as standby and sleep wake-up sources.  */
@@ -249,96 +252,89 @@ static CPUWriteMemoryFunc * const pxa2xx_gpio_writefn[] = {
     pxa2xx_gpio_write
 };
 
-static void pxa2xx_gpio_save(QEMUFile *f, void *opaque)
-{
-    PXA2xxGPIOInfo *s = (PXA2xxGPIOInfo *) opaque;
-    int i;
-
-    qemu_put_be32(f, s->lines);
-
-    for (i = 0; i < PXA2XX_GPIO_BANKS; i ++) {
-        qemu_put_be32s(f, &s->ilevel[i]);
-        qemu_put_be32s(f, &s->olevel[i]);
-        qemu_put_be32s(f, &s->dir[i]);
-        qemu_put_be32s(f, &s->rising[i]);
-        qemu_put_be32s(f, &s->falling[i]);
-        qemu_put_be32s(f, &s->status[i]);
-        qemu_put_be32s(f, &s->gafr[i * 2 + 0]);
-        qemu_put_be32s(f, &s->gafr[i * 2 + 1]);
-
-        qemu_put_be32s(f, &s->prev_level[i]);
-    }
-}
-
-static int pxa2xx_gpio_load(QEMUFile *f, void *opaque, int version_id)
+DeviceState *pxa2xx_gpio_init(target_phys_addr_t base,
+                CPUState *env, qemu_irq *pic, int lines)
 {
-    PXA2xxGPIOInfo *s = (PXA2xxGPIOInfo *) opaque;
-    int i;
+    DeviceState *dev;
 
-    if (qemu_get_be32(f) != s->lines)
-        return -EINVAL;
+    dev = qdev_create(NULL, "pxa2xx-gpio");
+    qdev_prop_set_int32(dev, "lines", lines);
+    qdev_prop_set_int32(dev, "ncpu", env->cpu_index);
+    qdev_init_nofail(dev);
 
-    for (i = 0; i < PXA2XX_GPIO_BANKS; i ++) {
-        qemu_get_be32s(f, &s->ilevel[i]);
-        qemu_get_be32s(f, &s->olevel[i]);
-        qemu_get_be32s(f, &s->dir[i]);
-        qemu_get_be32s(f, &s->rising[i]);
-        qemu_get_be32s(f, &s->falling[i]);
-        qemu_get_be32s(f, &s->status[i]);
-        qemu_get_be32s(f, &s->gafr[i * 2 + 0]);
-        qemu_get_be32s(f, &s->gafr[i * 2 + 1]);
-
-        qemu_get_be32s(f, &s->prev_level[i]);
-    }
+    sysbus_mmio_map(sysbus_from_qdev(dev), 0, base);
+    sysbus_connect_irq(sysbus_from_qdev(dev), 0, pic[PXA2XX_PIC_GPIO_0]);
+    sysbus_connect_irq(sysbus_from_qdev(dev), 1, pic[PXA2XX_PIC_GPIO_1]);
+    sysbus_connect_irq(sysbus_from_qdev(dev), 2, pic[PXA2XX_PIC_GPIO_X]);
 
-    return 0;
+    return dev;
 }
 
-PXA2xxGPIOInfo *pxa2xx_gpio_init(target_phys_addr_t base,
-                CPUState *env, qemu_irq *pic, int lines)
+static int pxa2xx_gpio_initfn(SysBusDevice *dev)
 {
     int iomemtype;
     PXA2xxGPIOInfo *s;
 
-    s = (PXA2xxGPIOInfo *)
-            qemu_mallocz(sizeof(PXA2xxGPIOInfo));
-    memset(s, 0, sizeof(PXA2xxGPIOInfo));
-    s->pic = pic;
-    s->lines = lines;
-    s->cpu_env = env;
-    s->in = qemu_allocate_irqs(pxa2xx_gpio_set, s, lines);
+    s = FROM_SYSBUS(PXA2xxGPIOInfo, dev);
 
-    iomemtype = cpu_register_io_memory(pxa2xx_gpio_readfn,
-                    pxa2xx_gpio_writefn, s, DEVICE_NATIVE_ENDIAN);
-    cpu_register_physical_memory(base, 0x00001000, iomemtype);
+    s->cpu_env = qemu_get_cpu(s->ncpu);
 
-    register_savevm(NULL, "pxa2xx_gpio", 0, 0,
-                    pxa2xx_gpio_save, pxa2xx_gpio_load, s);
-
-    return s;
-}
+    qdev_init_gpio_in(&dev->qdev, pxa2xx_gpio_set, s->lines);
+    qdev_init_gpio_out(&dev->qdev, s->handler, s->lines);
 
-qemu_irq *pxa2xx_gpio_in_get(PXA2xxGPIOInfo *s)
-{
-    return s->in;
-}
+    iomemtype = cpu_register_io_memory(pxa2xx_gpio_readfn,
+                    pxa2xx_gpio_writefn, s, DEVICE_NATIVE_ENDIAN);
 
-void pxa2xx_gpio_out_set(PXA2xxGPIOInfo *s,
-                int line, qemu_irq handler)
-{
-    if (line >= s->lines) {
-        printf("%s: No GPIO pin %i\n", __FUNCTION__, line);
-        return;
-    }
+    sysbus_init_mmio(dev, 0x1000, iomemtype);
+    sysbus_init_irq(dev, &s->irq0);
+    sysbus_init_irq(dev, &s->irq1);
+    sysbus_init_irq(dev, &s->irqX);
 
-    s->handler[line] = handler;
+    return 0;
 }
 
 /*
  * Registers a callback to notify on GPLR reads.  This normally
  * shouldn't be needed but it is used for the hack on Spitz machines.
  */
-void pxa2xx_gpio_read_notifier(PXA2xxGPIOInfo *s, qemu_irq handler)
+void pxa2xx_gpio_read_notifier(DeviceState *dev, qemu_irq handler)
 {
+    PXA2xxGPIOInfo *s = FROM_SYSBUS(PXA2xxGPIOInfo, sysbus_from_qdev(dev));
     s->read_notify = handler;
 }
+
+static const VMStateDescription vmstate_pxa2xx_gpio_regs = {
+    .name = "pxa2xx-gpio",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_INT32(lines, PXA2xxGPIOInfo),
+        VMSTATE_UINT32_ARRAY(ilevel, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS),
+        VMSTATE_UINT32_ARRAY(olevel, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS),
+        VMSTATE_UINT32_ARRAY(dir, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS),
+        VMSTATE_UINT32_ARRAY(rising, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS),
+        VMSTATE_UINT32_ARRAY(falling, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS),
+        VMSTATE_UINT32_ARRAY(status, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS),
+        VMSTATE_UINT32_ARRAY(gafr, PXA2xxGPIOInfo, PXA2XX_GPIO_BANKS * 2),
+        VMSTATE_END_OF_LIST(),
+    },
+};
+
+static SysBusDeviceInfo pxa2xx_gpio_info = {
+    .init       = pxa2xx_gpio_initfn,
+    .qdev.name  = "pxa2xx-gpio",
+    .qdev.desc  = "PXA2xx GPIO controller",
+    .qdev.size  = sizeof(PXA2xxGPIOInfo),
+    .qdev.props = (Property []) {
+        DEFINE_PROP_INT32("lines", PXA2xxGPIOInfo, lines, 0),
+        DEFINE_PROP_INT32("ncpu", PXA2xxGPIOInfo, ncpu, 0),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void pxa2xx_gpio_register(void)
+{
+    sysbus_register_withprop(&pxa2xx_gpio_info);
+}
+device_init(pxa2xx_gpio_register);
diff --git a/hw/spitz.c b/hw/spitz.c
index e225931..5b1e42d 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -470,10 +470,10 @@ static void spitz_keyboard_register(PXA2xxState *cpu)
     s = FROM_SYSBUS(SpitzKeyboardState, sysbus_from_qdev(dev));
 
     for (i = 0; i < SPITZ_KEY_SENSE_NUM; i ++)
-        qdev_connect_gpio_out(dev, i, pxa2xx_gpio_in_get(cpu->gpio)[spitz_gpio_key_sense[i]]);
+        qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(cpu->gpio, spitz_gpio_key_sense[i]));
 
     for (i = 0; i < 5; i ++)
-        s->gpiomap[i] = pxa2xx_gpio_in_get(cpu->gpio)[spitz_gpiomap[i]];
+        s->gpiomap[i] = qdev_get_gpio_in(cpu->gpio, spitz_gpiomap[i]);
 
     if (!graphic_rotate)
         s->gpiomap[4] = qemu_irq_invert(s->gpiomap[4]);
@@ -482,7 +482,7 @@ static void spitz_keyboard_register(PXA2xxState *cpu)
         qemu_set_irq(s->gpiomap[i], 0);
 
     for (i = 0; i < SPITZ_KEY_STROBE_NUM; i ++)
-        pxa2xx_gpio_out_set(cpu->gpio, spitz_gpio_key_strobe[i],
+        qdev_connect_gpio_out(cpu->gpio, spitz_gpio_key_strobe[i],
                 qdev_get_gpio_in(dev, i));
 
     qemu_mod_timer(s->kbdtimer, qemu_get_clock(vm_clock));
@@ -685,7 +685,7 @@ static void spitz_ssp_attach(PXA2xxState *cpu)
     bus = qdev_get_child_bus(mux, "ssi1");
     dev = ssi_create_slave(bus, "ads7846");
     qdev_connect_gpio_out(dev, 0,
-                          pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_TP_INT]);
+                          qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_TP_INT));
 
     bus = qdev_get_child_bus(mux, "ssi2");
     max1111 = ssi_create_slave(bus, "max1111");
@@ -693,11 +693,11 @@ static void spitz_ssp_attach(PXA2xxState *cpu)
     max111x_set_input(max1111, MAX1111_BATT_TEMP, 0);
     max111x_set_input(max1111, MAX1111_ACIN_VOLT, SPITZ_CHARGEON_ACIN);
 
-    pxa2xx_gpio_out_set(cpu->gpio, SPITZ_GPIO_LCDCON_CS,
+    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_LCDCON_CS,
                         qdev_get_gpio_in(mux, 0));
-    pxa2xx_gpio_out_set(cpu->gpio, SPITZ_GPIO_ADS7846_CS,
+    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_ADS7846_CS,
                         qdev_get_gpio_in(mux, 1));
-    pxa2xx_gpio_out_set(cpu->gpio, SPITZ_GPIO_MAX1111_CS,
+    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_MAX1111_CS,
                         qdev_get_gpio_in(mux, 2));
 }
 
@@ -747,7 +747,7 @@ static void spitz_i2c_setup(PXA2xxState *cpu)
     wm = i2c_create_slave(bus, "wm8750", 0);
 
     spitz_wm8750_addr(wm, 0, 0);
-    pxa2xx_gpio_out_set(cpu->gpio, SPITZ_GPIO_WM,
+    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_WM,
                     qemu_allocate_irqs(spitz_wm8750_addr, wm, 1)[0]);
     /* .. and to the sound interface.  */
     cpu->i2s->opaque = wm;
@@ -840,7 +840,7 @@ static int spitz_hsync;
 static void spitz_lcd_hsync_handler(void *opaque, int line, int level)
 {
     PXA2xxState *cpu = (PXA2xxState *) opaque;
-    qemu_set_irq(pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_HSYNC], spitz_hsync);
+    qemu_set_irq(qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_HSYNC), spitz_hsync);
     spitz_hsync ^= 1;
 }
 
@@ -860,24 +860,24 @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
 
     /* MMC/SD host */
     pxa2xx_mmci_handlers(cpu->mmc,
-                    pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_SD_WP],
-                    pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_SD_DETECT]);
+                    qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_SD_WP),
+                    qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_SD_DETECT));
 
     /* Battery lock always closed */
-    qemu_irq_raise(pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_BAT_COVER]);
+    qemu_irq_raise(qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_BAT_COVER));
 
     /* Handle reset */
-    pxa2xx_gpio_out_set(cpu->gpio, SPITZ_GPIO_ON_RESET, cpu->reset);
+    qdev_connect_gpio_out(cpu->gpio, SPITZ_GPIO_ON_RESET, cpu->reset);
 
     /* PCMCIA signals: card's IRQ and Card-Detect */
     if (slots >= 1)
         pxa2xx_pcmcia_set_irq_cb(cpu->pcmcia[0],
-                        pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_CF1_IRQ],
-                        pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_CF1_CD]);
+                        qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_CF1_IRQ),
+                        qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_CF1_CD));
     if (slots >= 2)
         pxa2xx_pcmcia_set_irq_cb(cpu->pcmcia[1],
-                        pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_CF2_IRQ],
-                        pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_CF2_CD]);
+                        qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_CF2_IRQ),
+                        qdev_get_gpio_in(cpu->gpio, SPITZ_GPIO_CF2_CD));
 }
 
 /* Board init.  */
diff --git a/hw/tosa.c b/hw/tosa.c
index 18e3be5..0bfab16 100644
--- a/hw/tosa.c
+++ b/hw/tosa.c
@@ -95,18 +95,18 @@ static void tosa_gpio_setup(PXA2xxState *cpu,
     /* MMC/SD host */
     pxa2xx_mmci_handlers(cpu->mmc,
                     qdev_get_gpio_in(scp0, TOSA_GPIO_SD_WP),
-                    qemu_irq_invert(pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_nSD_DETECT]));
+                    qemu_irq_invert(qdev_get_gpio_in(cpu->gpio, TOSA_GPIO_nSD_DETECT)));
 
     /* Handle reset */
-    pxa2xx_gpio_out_set(cpu->gpio, TOSA_GPIO_ON_RESET, cpu->reset);
+    qdev_connect_gpio_out(cpu->gpio, TOSA_GPIO_ON_RESET, cpu->reset);
 
     /* PCMCIA signals: card's IRQ and Card-Detect */
     pxa2xx_pcmcia_set_irq_cb(cpu->pcmcia[0],
-                        pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_CF_IRQ],
-                        pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_CF_CD]);
+                        qdev_get_gpio_in(cpu->gpio, TOSA_GPIO_CF_IRQ),
+                        qdev_get_gpio_in(cpu->gpio, TOSA_GPIO_CF_CD));
 
     pxa2xx_pcmcia_set_irq_cb(cpu->pcmcia[1],
-                        pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_JC_CF_IRQ],
+                        qdev_get_gpio_in(cpu->gpio, TOSA_GPIO_JC_CF_IRQ),
                         NULL);
 
     qdev_connect_gpio_out(scp1, TOSA_GPIO_BT_LED, outsignals[0]);
@@ -220,7 +220,7 @@ static void tosa_init(ram_addr_t ram_size,
                     qemu_ram_alloc(NULL, "tosa.rom", TOSA_ROM) | IO_MEM_ROM);
 
     tmio = tc6393xb_init(0x10000000,
-            pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_TC6393XB_INT]);
+            qdev_get_gpio_in(cpu->gpio, TOSA_GPIO_TC6393XB_INT));
 
     scp0 = sysbus_create_simple("scoop", 0x08800000, NULL);
     scp1 = sysbus_create_simple("scoop", 0x14800040, NULL);
commit 7ef4227baae2cdd460bfe714393cb8e7e4cff354
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Fri Jan 21 19:56:10 2011 +0300

    spitz: make spitz-keyboard to use qdev infrastructure
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/spitz.c b/hw/spitz.c
index ad26049..e225931 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -219,11 +219,10 @@ static const int spitz_gpiomap[5] = {
     SPITZ_GPIO_AK_INT, SPITZ_GPIO_SYNC, SPITZ_GPIO_ON_KEY,
     SPITZ_GPIO_SWA, SPITZ_GPIO_SWB,
 };
-static int spitz_gpio_invert[5] = { 0, 0, 0, 0, 0, };
 
 typedef struct {
+    SysBusDevice busdev;
     qemu_irq sense[SPITZ_KEY_SENSE_NUM];
-    qemu_irq *strobe;
     qemu_irq gpiomap[5];
     int keymap[0x80];
     uint16_t keyrow[SPITZ_KEY_SENSE_NUM];
@@ -274,8 +273,7 @@ static void spitz_keyboard_keydown(SpitzKeyboardState *s, int keycode)
 
     /* Handle the additional keys */
     if ((spitz_keycode >> 4) == SPITZ_KEY_SENSE_NUM) {
-        qemu_set_irq(s->gpiomap[spitz_keycode & 0xf], (keycode < 0x80) ^
-                        spitz_gpio_invert[spitz_keycode & 0xf]);
+        qemu_set_irq(s->gpiomap[spitz_keycode & 0xf], (keycode < 0x80));
         return;
     }
 
@@ -293,8 +291,9 @@ static void spitz_keyboard_keydown(SpitzKeyboardState *s, int keycode)
 
 #define QUEUE_KEY(c)	s->fifo[(s->fifopos + s->fifolen ++) & 0xf] = c
 
-static void spitz_keyboard_handler(SpitzKeyboardState *s, int keycode)
+static void spitz_keyboard_handler(void *opaque, int keycode)
 {
+    SpitzKeyboardState *s = opaque;
     uint16_t code;
     int mapcode;
     switch (keycode) {
@@ -440,34 +439,15 @@ static void spitz_keyboard_pre_map(SpitzKeyboardState *s)
     s->imodifiers = 0;
     s->fifopos = 0;
     s->fifolen = 0;
-    s->kbdtimer = qemu_new_timer(vm_clock, spitz_keyboard_tick, s);
-    spitz_keyboard_tick(s);
 }
 
 #undef SHIFT
 #undef CTRL
 #undef FN
 
-static void spitz_keyboard_save(QEMUFile *f, void *opaque)
+static int spitz_keyboard_post_load(void *opaque, int version_id)
 {
     SpitzKeyboardState *s = (SpitzKeyboardState *) opaque;
-    int i;
-
-    qemu_put_be16s(f, &s->sense_state);
-    qemu_put_be16s(f, &s->strobe_state);
-    for (i = 0; i < 5; i ++)
-        qemu_put_byte(f, spitz_gpio_invert[i]);
-}
-
-static int spitz_keyboard_load(QEMUFile *f, void *opaque, int version_id)
-{
-    SpitzKeyboardState *s = (SpitzKeyboardState *) opaque;
-    int i;
-
-    qemu_get_be16s(f, &s->sense_state);
-    qemu_get_be16s(f, &s->strobe_state);
-    for (i = 0; i < 5; i ++)
-        spitz_gpio_invert[i] = qemu_get_byte(f);
 
     /* Release all pressed keys */
     memset(s->keyrow, 0, sizeof(s->keyrow));
@@ -482,36 +462,55 @@ static int spitz_keyboard_load(QEMUFile *f, void *opaque, int version_id)
 
 static void spitz_keyboard_register(PXA2xxState *cpu)
 {
-    int i, j;
+    int i;
+    DeviceState *dev;
     SpitzKeyboardState *s;
 
-    s = (SpitzKeyboardState *)
-            qemu_mallocz(sizeof(SpitzKeyboardState));
-    memset(s, 0, sizeof(SpitzKeyboardState));
-
-    for (i = 0; i < 0x80; i ++)
-        s->keymap[i] = -1;
-    for (i = 0; i < SPITZ_KEY_SENSE_NUM + 1; i ++)
-        for (j = 0; j < SPITZ_KEY_STROBE_NUM; j ++)
-            if (spitz_keymap[i][j] != -1)
-                s->keymap[spitz_keymap[i][j]] = (i << 4) | j;
+    dev = sysbus_create_simple("spitz-keyboard", -1, NULL);
+    s = FROM_SYSBUS(SpitzKeyboardState, sysbus_from_qdev(dev));
 
     for (i = 0; i < SPITZ_KEY_SENSE_NUM; i ++)
-        s->sense[i] = pxa2xx_gpio_in_get(cpu->gpio)[spitz_gpio_key_sense[i]];
+        qdev_connect_gpio_out(dev, i, pxa2xx_gpio_in_get(cpu->gpio)[spitz_gpio_key_sense[i]]);
 
     for (i = 0; i < 5; i ++)
         s->gpiomap[i] = pxa2xx_gpio_in_get(cpu->gpio)[spitz_gpiomap[i]];
 
-    s->strobe = qemu_allocate_irqs(spitz_keyboard_strobe, s,
-                    SPITZ_KEY_STROBE_NUM);
+    if (!graphic_rotate)
+        s->gpiomap[4] = qemu_irq_invert(s->gpiomap[4]);
+
+    for (i = 0; i < 5; i++)
+        qemu_set_irq(s->gpiomap[i], 0);
+
     for (i = 0; i < SPITZ_KEY_STROBE_NUM; i ++)
-        pxa2xx_gpio_out_set(cpu->gpio, spitz_gpio_key_strobe[i], s->strobe[i]);
+        pxa2xx_gpio_out_set(cpu->gpio, spitz_gpio_key_strobe[i],
+                qdev_get_gpio_in(dev, i));
+
+    qemu_mod_timer(s->kbdtimer, qemu_get_clock(vm_clock));
+
+    qemu_add_kbd_event_handler(spitz_keyboard_handler, s);
+}
+
+static int spitz_keyboard_init(SysBusDevice *dev)
+{
+    SpitzKeyboardState *s;
+    int i, j;
+
+    s = FROM_SYSBUS(SpitzKeyboardState, dev);
+
+    for (i = 0; i < 0x80; i ++)
+        s->keymap[i] = -1;
+    for (i = 0; i < SPITZ_KEY_SENSE_NUM + 1; i ++)
+        for (j = 0; j < SPITZ_KEY_STROBE_NUM; j ++)
+            if (spitz_keymap[i][j] != -1)
+                s->keymap[spitz_keymap[i][j]] = (i << 4) | j;
 
     spitz_keyboard_pre_map(s);
-    qemu_add_kbd_event_handler((QEMUPutKBDEvent *) spitz_keyboard_handler, s);
 
-    register_savevm(NULL, "spitz_keyboard", 0, 0,
-                    spitz_keyboard_save, spitz_keyboard_load, s);
+    s->kbdtimer = qemu_new_timer(vm_clock, spitz_keyboard_tick, s);
+    qdev_init_gpio_in(&dev->qdev, spitz_keyboard_strobe, SPITZ_KEY_STROBE_NUM);
+    qdev_init_gpio_out(&dev->qdev, s->sense, SPITZ_KEY_SENSE_NUM);
+
+    return 0;
 }
 
 /* LCD backlight controller */
@@ -879,18 +878,6 @@ static void spitz_gpio_setup(PXA2xxState *cpu, int slots)
         pxa2xx_pcmcia_set_irq_cb(cpu->pcmcia[1],
                         pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_CF2_IRQ],
                         pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_CF2_CD]);
-
-    /* Initialise the screen rotation related signals */
-    spitz_gpio_invert[3] = 0;	/* Always open */
-    if (graphic_rotate) {	/* Tablet mode */
-        spitz_gpio_invert[4] = 0;
-    } else {			/* Portrait mode */
-        spitz_gpio_invert[4] = 1;
-    }
-    qemu_set_irq(pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_SWA],
-                    spitz_gpio_invert[3]);
-    qemu_set_irq(pxa2xx_gpio_in_get(cpu->gpio)[SPITZ_GPIO_SWB],
-                    spitz_gpio_invert[4]);
 }
 
 /* Board init.  */
@@ -1027,6 +1014,11 @@ static void spitz_machine_init(void)
 
 machine_init(spitz_machine_init);
 
+static bool is_version_0(void *opaque, int version_id)
+{
+    return version_id == 0;
+}
+
 static VMStateDescription vmstate_sl_nand_info = {
     .name = "sl-nand",
     .version_id = 0,
@@ -1051,6 +1043,30 @@ static SysBusDeviceInfo sl_nand_info = {
     },
 };
 
+static VMStateDescription vmstate_spitz_kbd = {
+    .name = "spitz-keyboard",
+    .version_id = 1,
+    .minimum_version_id = 0,
+    .minimum_version_id_old = 0,
+    .post_load = spitz_keyboard_post_load,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT16(sense_state, SpitzKeyboardState),
+        VMSTATE_UINT16(strobe_state, SpitzKeyboardState),
+        VMSTATE_UNUSED_TEST(is_version_0, 5),
+        VMSTATE_END_OF_LIST(),
+    },
+};
+
+static SysBusDeviceInfo spitz_keyboard_info = {
+    .init = spitz_keyboard_init,
+    .qdev.name = "spitz-keyboard",
+    .qdev.size = sizeof(SpitzKeyboardState),
+    .qdev.vmsd = &vmstate_spitz_kbd,
+    .qdev.props = (Property []) {
+        DEFINE_PROP_END_OF_LIST(),
+    },
+};
+
 static const VMStateDescription vmstate_corgi_ssp_regs = {
     .name = "corgi-ssp",
     .version_id = 1,
@@ -1094,6 +1110,7 @@ static void spitz_register_devices(void)
 {
     ssi_register_slave(&corgi_ssp_info);
     ssi_register_slave(&spitz_lcdtg_info);
+    sysbus_register_withprop(&spitz_keyboard_info);
     sysbus_register_withprop(&sl_nand_info);
 }
 
commit 34f9f0b5802a6ff9ec0be00810f7910d3935df3e
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Fri Jan 21 13:12:11 2011 +0300

    spitz: make sl-nand emulation use qdev infrastructure
    
    Switch sl-nand emulation to use qdev and vmstate. Also drop ecc_get/_put
    functions as sl-nand was the only user of that code.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/ecc.c b/hw/ecc.c
index 2fbf167..a75408b 100644
--- a/hw/ecc.c
+++ b/hw/ecc.c
@@ -74,18 +74,15 @@ void ecc_reset(ECCState *s)
 }
 
 /* Save/restore */
-void ecc_put(QEMUFile *f, ECCState *s)
-{
-    qemu_put_8s(f, &s->cp);
-    qemu_put_be16s(f, &s->lp[0]);
-    qemu_put_be16s(f, &s->lp[1]);
-    qemu_put_be16s(f, &s->count);
-}
-
-void ecc_get(QEMUFile *f, ECCState *s)
-{
-    qemu_get_8s(f, &s->cp);
-    qemu_get_be16s(f, &s->lp[0]);
-    qemu_get_be16s(f, &s->lp[1]);
-    qemu_get_be16s(f, &s->count);
-}
+VMStateDescription vmstate_ecc_state = {
+    .name = "ecc-state",
+    .version_id = 0,
+    .minimum_version_id = 0,
+    .minimum_version_id_old = 0,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT8(cp, ECCState),
+        VMSTATE_UINT16_ARRAY(lp, ECCState, 2),
+        VMSTATE_UINT16(count, ECCState),
+        VMSTATE_END_OF_LIST(),
+    },
+};
diff --git a/hw/flash.h b/hw/flash.h
index a80205c..d7d103e 100644
--- a/hw/flash.h
+++ b/hw/flash.h
@@ -51,5 +51,4 @@ typedef struct {
 
 uint8_t ecc_digest(ECCState *s, uint8_t sample);
 void ecc_reset(ECCState *s);
-void ecc_put(QEMUFile *f, ECCState *s);
-void ecc_get(QEMUFile *f, ECCState *s);
+extern VMStateDescription vmstate_ecc_state;
diff --git a/hw/onenand.c b/hw/onenand.c
index d9cdcf2..71c1ab4 100644
--- a/hw/onenand.c
+++ b/hw/onenand.c
@@ -19,6 +19,7 @@
  */
 
 #include "qemu-common.h"
+#include "hw.h"
 #include "flash.h"
 #include "irq.h"
 #include "blockdev.h"
diff --git a/hw/spitz.c b/hw/spitz.c
index c7a1c60..ad26049 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -47,8 +47,11 @@
 #define FLASHCTL_NCE		(FLASHCTL_CE0 | FLASHCTL_CE1)
 
 typedef struct {
+    SysBusDevice busdev;
     NANDFlashState *nand;
     uint8_t ctl;
+    uint8_t manf_id;
+    uint8_t chip_id;
     ECCState ecc;
 } SLNANDState;
 
@@ -131,56 +134,53 @@ static void sl_writeb(void *opaque, target_phys_addr_t addr,
     }
 }
 
-static void sl_save(QEMUFile *f, void *opaque)
-{
-    SLNANDState *s = (SLNANDState *) opaque;
-
-    qemu_put_8s(f, &s->ctl);
-    ecc_put(f, &s->ecc);
-}
-
-static int sl_load(QEMUFile *f, void *opaque, int version_id)
-{
-    SLNANDState *s = (SLNANDState *) opaque;
-
-    qemu_get_8s(f, &s->ctl);
-    ecc_get(f, &s->ecc);
-
-    return 0;
-}
-
 enum {
     FLASH_128M,
     FLASH_1024M,
 };
 
+static CPUReadMemoryFunc * const sl_readfn[] = {
+    sl_readb,
+    sl_readb,
+    sl_readl,
+};
+static CPUWriteMemoryFunc * const sl_writefn[] = {
+    sl_writeb,
+    sl_writeb,
+    sl_writeb,
+};
+
 static void sl_flash_register(PXA2xxState *cpu, int size)
 {
+    DeviceState *dev;
+
+    dev = qdev_create(NULL, "sl-nand");
+
+    qdev_prop_set_uint8(dev, "manf_id", NAND_MFR_SAMSUNG);
+    if (size == FLASH_128M)
+        qdev_prop_set_uint8(dev, "chip_id", 0x73);
+    else if (size == FLASH_1024M)
+        qdev_prop_set_uint8(dev, "chip_id", 0xf1);
+
+    qdev_init_nofail(dev);
+    sysbus_mmio_map(sysbus_from_qdev(dev), 0, FLASH_BASE);
+}
+
+static int sl_nand_init(SysBusDevice *dev) {
     int iomemtype;
     SLNANDState *s;
-    CPUReadMemoryFunc * const sl_readfn[] = {
-        sl_readb,
-        sl_readb,
-        sl_readl,
-    };
-    CPUWriteMemoryFunc * const sl_writefn[] = {
-        sl_writeb,
-        sl_writeb,
-        sl_writeb,
-    };
-
-    s = (SLNANDState *) qemu_mallocz(sizeof(SLNANDState));
+
+    s = FROM_SYSBUS(SLNANDState, dev);
+
     s->ctl = 0;
-    if (size == FLASH_128M)
-        s->nand = nand_init(NAND_MFR_SAMSUNG, 0x73);
-    else if (size == FLASH_1024M)
-        s->nand = nand_init(NAND_MFR_SAMSUNG, 0xf1);
+    s->nand = nand_init(s->manf_id, s->chip_id);
 
     iomemtype = cpu_register_io_memory(sl_readfn,
                     sl_writefn, s, DEVICE_NATIVE_ENDIAN);
-    cpu_register_physical_memory(FLASH_BASE, 0x40, iomemtype);
 
-    register_savevm(NULL, "sl_flash", 0, 0, sl_save, sl_load, s);
+    sysbus_init_mmio(dev, 0x40, iomemtype);
+
+    return 0;
 }
 
 /* Spitz Keyboard */
@@ -1027,6 +1027,30 @@ static void spitz_machine_init(void)
 
 machine_init(spitz_machine_init);
 
+static VMStateDescription vmstate_sl_nand_info = {
+    .name = "sl-nand",
+    .version_id = 0,
+    .minimum_version_id = 0,
+    .minimum_version_id_old = 0,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT8(ctl, SLNANDState),
+        VMSTATE_STRUCT(ecc, SLNANDState, 0, vmstate_ecc_state, ECCState),
+        VMSTATE_END_OF_LIST(),
+    },
+};
+
+static SysBusDeviceInfo sl_nand_info = {
+    .init = sl_nand_init,
+    .qdev.name = "sl-nand",
+    .qdev.size = sizeof(SLNANDState),
+    .qdev.vmsd = &vmstate_sl_nand_info,
+    .qdev.props = (Property []) {
+        DEFINE_PROP_UINT8("manf_id", SLNANDState, manf_id, NAND_MFR_SAMSUNG),
+        DEFINE_PROP_UINT8("chip_id", SLNANDState, chip_id, 0xf1),
+        DEFINE_PROP_END_OF_LIST(),
+    },
+};
+
 static const VMStateDescription vmstate_corgi_ssp_regs = {
     .name = "corgi-ssp",
     .version_id = 1,
@@ -1070,6 +1094,7 @@ static void spitz_register_devices(void)
 {
     ssi_register_slave(&corgi_ssp_info);
     ssi_register_slave(&spitz_lcdtg_info);
+    sysbus_register_withprop(&sl_nand_info);
 }
 
 device_init(spitz_register_devices)
commit 43842120f482564ea2059a78ae6b8a93bb18c91d
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Thu Jan 20 18:52:28 2011 +0300

    Use vmstate to save/load spitz-lcdtg and corgi-ssp state
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/spitz.c b/hw/spitz.c
index 1e2f16b..c7a1c60 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -527,8 +527,8 @@ static void spitz_keyboard_register(PXA2xxState *cpu)
 
 typedef struct {
     SSISlave ssidev;
-    int bl_intensity;
-    int bl_power;
+    uint32_t bl_intensity;
+    uint32_t bl_power;
 } SpitzLCDTG;
 
 static void spitz_bl_update(SpitzLCDTG *s)
@@ -592,21 +592,6 @@ static uint32_t spitz_lcdtg_transfer(SSISlave *dev, uint32_t value)
     return 0;
 }
 
-static void spitz_lcdtg_save(QEMUFile *f, void *opaque)
-{
-    SpitzLCDTG *s = (SpitzLCDTG *)opaque;
-    qemu_put_be32(f, s->bl_intensity);
-    qemu_put_be32(f, s->bl_power);
-}
-
-static int spitz_lcdtg_load(QEMUFile *f, void *opaque, int version_id)
-{
-    SpitzLCDTG *s = (SpitzLCDTG *)opaque;
-    s->bl_intensity = qemu_get_be32(f);
-    s->bl_power = qemu_get_be32(f);
-    return 0;
-}
-
 static int spitz_lcdtg_init(SSISlave *dev)
 {
     SpitzLCDTG *s = FROM_SSI_SLAVE(SpitzLCDTG, dev);
@@ -615,8 +600,6 @@ static int spitz_lcdtg_init(SSISlave *dev)
     s->bl_power = 0;
     s->bl_intensity = 0x20;
 
-    register_savevm(&dev->qdev, "spitz-lcdtg", -1, 1,
-                    spitz_lcdtg_save, spitz_lcdtg_load, s);
     return 0;
 }
 
@@ -635,7 +618,7 @@ static DeviceState *max1111;
 typedef struct {
     SSISlave ssidev;
     SSIBus *bus[3];
-    int enable[3];
+    uint32_t enable[3];
 } CorgiSSPState;
 
 static uint32_t corgi_ssp_transfer(SSISlave *dev, uint32_t value)
@@ -677,30 +660,6 @@ static void spitz_adc_temp_on(void *opaque, int line, int level)
         max111x_set_input(max1111, MAX1111_BATT_TEMP, 0);
 }
 
-static void spitz_ssp_save(QEMUFile *f, void *opaque)
-{
-    CorgiSSPState *s = (CorgiSSPState *)opaque;
-    int i;
-
-    for (i = 0; i < 3; i++) {
-        qemu_put_be32(f, s->enable[i]);
-    }
-}
-
-static int spitz_ssp_load(QEMUFile *f, void *opaque, int version_id)
-{
-    CorgiSSPState *s = (CorgiSSPState *)opaque;
-    int i;
-
-    if (version_id != 1) {
-        return -EINVAL;
-    }
-    for (i = 0; i < 3; i++) {
-        s->enable[i] = qemu_get_be32(f);
-    }
-    return 0;
-}
-
 static int corgi_ssp_init(SSISlave *dev)
 {
     CorgiSSPState *s = FROM_SSI_SLAVE(CorgiSSPState, dev);
@@ -710,8 +669,6 @@ static int corgi_ssp_init(SSISlave *dev)
     s->bus[1] = ssi_create_bus(&dev->qdev, "ssi1");
     s->bus[2] = ssi_create_bus(&dev->qdev, "ssi2");
 
-    register_savevm(&dev->qdev, "spitz_ssp", -1, 1,
-                    spitz_ssp_save, spitz_ssp_load, s);
     return 0;
 }
 
@@ -1070,16 +1027,41 @@ static void spitz_machine_init(void)
 
 machine_init(spitz_machine_init);
 
+static const VMStateDescription vmstate_corgi_ssp_regs = {
+    .name = "corgi-ssp",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT32_ARRAY(enable, CorgiSSPState, 3),
+        VMSTATE_END_OF_LIST(),
+    }
+};
+
 static SSISlaveInfo corgi_ssp_info = {
     .qdev.name = "corgi-ssp",
     .qdev.size = sizeof(CorgiSSPState),
+    .qdev.vmsd = &vmstate_corgi_ssp_regs,
     .init = corgi_ssp_init,
     .transfer = corgi_ssp_transfer
 };
 
+static const VMStateDescription vmstate_spitz_lcdtg_regs = {
+    .name = "spitz-lcdtg",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT32(bl_intensity, SpitzLCDTG),
+        VMSTATE_UINT32(bl_power, SpitzLCDTG),
+        VMSTATE_END_OF_LIST(),
+    }
+};
+
 static SSISlaveInfo spitz_lcdtg_info = {
     .qdev.name = "spitz-lcdtg",
     .qdev.size = sizeof(SpitzLCDTG),
+    .qdev.vmsd = &vmstate_spitz_lcdtg_regs,
     .init = spitz_lcdtg_init,
     .transfer = spitz_lcdtg_transfer
 };
commit 383d01c663290e09d4529bf539ee9e91b75d2fec
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Thu Jan 20 18:52:27 2011 +0300

    SharpSL scoop device - convert to qdev
    
    Convert SharpSL scoop device to qdev, remove lots of supporting code, as
    lot of init and gpio related things can now be done automagically.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/sharpsl.h b/hw/sharpsl.h
index c5ccf79..0b3a774 100644
--- a/hw/sharpsl.h
+++ b/hw/sharpsl.h
@@ -10,13 +10,6 @@
     fprintf(stderr, "%s: " format, __FUNCTION__, ##__VA_ARGS__)
 
 /* zaurus.c */
-typedef struct ScoopInfo ScoopInfo;
-ScoopInfo *scoop_init(PXA2xxState *cpu,
-                int instance, target_phys_addr_t target_base);
-void scoop_gpio_set(void *opaque, int line, int level);
-qemu_irq *scoop_gpio_in_get(ScoopInfo *s);
-void scoop_gpio_out_set(ScoopInfo *s, int line,
-                qemu_irq handler);
 
 #define SL_PXA_PARAM_BASE	0xa0000a00
 void sl_bootparam_write(target_phys_addr_t ptr);
diff --git a/hw/spitz.c b/hw/spitz.c
index 092bb64..1e2f16b 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -23,6 +23,7 @@
 #include "audio/audio.h"
 #include "boards.h"
 #include "blockdev.h"
+#include "sysbus.h"
 
 #undef REG_FMT
 #define REG_FMT			"0x%02lx"
@@ -851,21 +852,21 @@ static void spitz_out_switch(void *opaque, int line, int level)
 #define SPITZ_SCP2_MIC_BIAS		9
 
 static void spitz_scoop_gpio_setup(PXA2xxState *cpu,
-                ScoopInfo *scp0, ScoopInfo *scp1)
+                DeviceState *scp0, DeviceState *scp1)
 {
     qemu_irq *outsignals = qemu_allocate_irqs(spitz_out_switch, cpu, 8);
 
-    scoop_gpio_out_set(scp0, SPITZ_SCP_CHRG_ON, outsignals[0]);
-    scoop_gpio_out_set(scp0, SPITZ_SCP_JK_B, outsignals[1]);
-    scoop_gpio_out_set(scp0, SPITZ_SCP_LED_GREEN, outsignals[2]);
-    scoop_gpio_out_set(scp0, SPITZ_SCP_LED_ORANGE, outsignals[3]);
+    qdev_connect_gpio_out(scp0, SPITZ_SCP_CHRG_ON, outsignals[0]);
+    qdev_connect_gpio_out(scp0, SPITZ_SCP_JK_B, outsignals[1]);
+    qdev_connect_gpio_out(scp0, SPITZ_SCP_LED_GREEN, outsignals[2]);
+    qdev_connect_gpio_out(scp0, SPITZ_SCP_LED_ORANGE, outsignals[3]);
 
     if (scp1) {
-        scoop_gpio_out_set(scp1, SPITZ_SCP2_BACKLIGHT_CONT, outsignals[4]);
-        scoop_gpio_out_set(scp1, SPITZ_SCP2_BACKLIGHT_ON, outsignals[5]);
+        qdev_connect_gpio_out(scp1, SPITZ_SCP2_BACKLIGHT_CONT, outsignals[4]);
+        qdev_connect_gpio_out(scp1, SPITZ_SCP2_BACKLIGHT_ON, outsignals[5]);
     }
 
-    scoop_gpio_out_set(scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
+    qdev_connect_gpio_out(scp0, SPITZ_SCP_ADC_TEMP_ON, outsignals[6]);
 }
 
 #define SPITZ_GPIO_HSYNC		22
@@ -952,7 +953,7 @@ static void spitz_common_init(ram_addr_t ram_size,
                 const char *cpu_model, enum spitz_model_e model, int arm_id)
 {
     PXA2xxState *cpu;
-    ScoopInfo *scp0, *scp1 = NULL;
+    DeviceState *scp0, *scp1 = NULL;
 
     if (!cpu_model)
         cpu_model = (model == terrier) ? "pxa270-c5" : "pxa270-c0";
@@ -970,9 +971,9 @@ static void spitz_common_init(ram_addr_t ram_size,
 
     spitz_ssp_attach(cpu);
 
-    scp0 = scoop_init(cpu, 0, 0x10800000);
+    scp0 = sysbus_create_simple("scoop", 0x10800000, NULL);
     if (model != akita) {
-	    scp1 = scoop_init(cpu, 1, 0x08800040);
+        scp1 = sysbus_create_simple("scoop", 0x08800040, NULL);
     }
 
     spitz_scoop_gpio_setup(cpu, scp0, scp1);
diff --git a/hw/tosa.c b/hw/tosa.c
index cc8ce6d..18e3be5 100644
--- a/hw/tosa.c
+++ b/hw/tosa.c
@@ -20,6 +20,7 @@
 #include "i2c.h"
 #include "ssi.h"
 #include "blockdev.h"
+#include "sysbus.h"
 
 #define TOSA_RAM    0x04000000
 #define TOSA_ROM	0x00800000
@@ -86,14 +87,14 @@ static void tosa_out_switch(void *opaque, int line, int level)
 
 
 static void tosa_gpio_setup(PXA2xxState *cpu,
-                ScoopInfo *scp0,
-                ScoopInfo *scp1,
+                DeviceState *scp0,
+                DeviceState *scp1,
                 TC6393xbState *tmio)
 {
     qemu_irq *outsignals = qemu_allocate_irqs(tosa_out_switch, cpu, 4);
     /* MMC/SD host */
     pxa2xx_mmci_handlers(cpu->mmc,
-                    scoop_gpio_in_get(scp0)[TOSA_GPIO_SD_WP],
+                    qdev_get_gpio_in(scp0, TOSA_GPIO_SD_WP),
                     qemu_irq_invert(pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_nSD_DETECT]));
 
     /* Handle reset */
@@ -108,12 +109,12 @@ static void tosa_gpio_setup(PXA2xxState *cpu,
                         pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_JC_CF_IRQ],
                         NULL);
 
-    scoop_gpio_out_set(scp1, TOSA_GPIO_BT_LED, outsignals[0]);
-    scoop_gpio_out_set(scp1, TOSA_GPIO_NOTE_LED, outsignals[1]);
-    scoop_gpio_out_set(scp1, TOSA_GPIO_CHRG_ERR_LED, outsignals[2]);
-    scoop_gpio_out_set(scp1, TOSA_GPIO_WLAN_LED, outsignals[3]);
+    qdev_connect_gpio_out(scp1, TOSA_GPIO_BT_LED, outsignals[0]);
+    qdev_connect_gpio_out(scp1, TOSA_GPIO_NOTE_LED, outsignals[1]);
+    qdev_connect_gpio_out(scp1, TOSA_GPIO_CHRG_ERR_LED, outsignals[2]);
+    qdev_connect_gpio_out(scp1, TOSA_GPIO_WLAN_LED, outsignals[3]);
 
-    scoop_gpio_out_set(scp1, TOSA_GPIO_TC6393XB_L3V_ON, tc6393xb_l3v_get(tmio));
+    qdev_connect_gpio_out(scp1, TOSA_GPIO_TC6393XB_L3V_ON, tc6393xb_l3v_get(tmio));
 }
 
 static uint32_t tosa_ssp_tansfer(SSISlave *dev, uint32_t value)
@@ -208,7 +209,7 @@ static void tosa_init(ram_addr_t ram_size,
 {
     PXA2xxState *cpu;
     TC6393xbState *tmio;
-    ScoopInfo *scp0, *scp1;
+    DeviceState *scp0, *scp1;
 
     if (!cpu_model)
         cpu_model = "pxa255";
@@ -221,8 +222,8 @@ static void tosa_init(ram_addr_t ram_size,
     tmio = tc6393xb_init(0x10000000,
             pxa2xx_gpio_in_get(cpu->gpio)[TOSA_GPIO_TC6393XB_INT]);
 
-    scp0 = scoop_init(cpu, 0, 0x08800000);
-    scp1 = scoop_init(cpu, 1, 0x14800040);
+    scp0 = sysbus_create_simple("scoop", 0x08800000, NULL);
+    scp1 = sysbus_create_simple("scoop", 0x14800040, NULL);
 
     tosa_gpio_setup(cpu, scp0, scp1, tmio);
 
diff --git a/hw/zaurus.c b/hw/zaurus.c
index 36be94a..fca11a5 100644
--- a/hw/zaurus.c
+++ b/hw/zaurus.c
@@ -18,15 +18,17 @@
 #include "hw.h"
 #include "pxa.h"
 #include "sharpsl.h"
+#include "sysbus.h"
 
 #undef REG_FMT
 #define REG_FMT			"0x%02lx"
 
 /* SCOOP devices */
 
+typedef struct ScoopInfo ScoopInfo;
 struct ScoopInfo {
+    SysBusDevice busdev;
     qemu_irq handler[16];
-    qemu_irq *in;
     uint16_t status;
     uint16_t power;
     uint32_t gpio_level;
@@ -153,7 +155,7 @@ static CPUWriteMemoryFunc * const scoop_writefn[] = {
     scoop_writeb,
 };
 
-void scoop_gpio_set(void *opaque, int line, int level)
+static void scoop_gpio_set(void *opaque, int line, int level)
 {
     ScoopInfo *s = (ScoopInfo *) opaque;
 
@@ -163,77 +165,66 @@ void scoop_gpio_set(void *opaque, int line, int level)
         s->gpio_level &= ~(1 << line);
 }
 
-qemu_irq *scoop_gpio_in_get(ScoopInfo *s)
+static int scoop_init(SysBusDevice *dev)
 {
-    return s->in;
-}
+    ScoopInfo *s = FROM_SYSBUS(ScoopInfo, dev);
+    int iomemtype;
 
-void scoop_gpio_out_set(ScoopInfo *s, int line,
-                qemu_irq handler) {
-    if (line >= 16) {
-        fprintf(stderr, "No GPIO pin %i\n", line);
-        exit(-1);
-    }
+    s->status = 0x02;
+    qdev_init_gpio_out(&s->busdev.qdev, s->handler, 16);
+    qdev_init_gpio_in(&s->busdev.qdev, scoop_gpio_set, 16);
+    iomemtype = cpu_register_io_memory(scoop_readfn,
+                    scoop_writefn, s, DEVICE_NATIVE_ENDIAN);
 
-    s->handler[line] = handler;
-}
+    sysbus_init_mmio(dev, 0x1000, iomemtype);
 
-static void scoop_save(QEMUFile *f, void *opaque)
-{
-    ScoopInfo *s = (ScoopInfo *) opaque;
-    qemu_put_be16s(f, &s->status);
-    qemu_put_be16s(f, &s->power);
-    qemu_put_be32s(f, &s->gpio_level);
-    qemu_put_be32s(f, &s->gpio_dir);
-    qemu_put_be32s(f, &s->prev_level);
-    qemu_put_be16s(f, &s->mcr);
-    qemu_put_be16s(f, &s->cdr);
-    qemu_put_be16s(f, &s->ccr);
-    qemu_put_be16s(f, &s->irr);
-    qemu_put_be16s(f, &s->imr);
-    qemu_put_be16s(f, &s->isr);
+    return 0;
 }
 
-static int scoop_load(QEMUFile *f, void *opaque, int version_id)
+static bool is_version_0 (void *opaque, int version_id)
 {
-    uint16_t dummy;
-    ScoopInfo *s = (ScoopInfo *) opaque;
-    qemu_get_be16s(f, &s->status);
-    qemu_get_be16s(f, &s->power);
-    qemu_get_be32s(f, &s->gpio_level);
-    qemu_get_be32s(f, &s->gpio_dir);
-    qemu_get_be32s(f, &s->prev_level);
-    qemu_get_be16s(f, &s->mcr);
-    qemu_get_be16s(f, &s->cdr);
-    qemu_get_be16s(f, &s->ccr);
-    qemu_get_be16s(f, &s->irr);
-    qemu_get_be16s(f, &s->imr);
-    qemu_get_be16s(f, &s->isr);
-    if (version_id < 1)
-	    qemu_get_be16s(f, &dummy);
-
-    return 0;
+    return version_id == 0;
 }
 
-ScoopInfo *scoop_init(PXA2xxState *cpu,
-		int instance,
-		target_phys_addr_t target_base) {
-    int iomemtype;
-    ScoopInfo *s;
 
-    s = (ScoopInfo *)
-            qemu_mallocz(sizeof(ScoopInfo));
-    memset(s, 0, sizeof(ScoopInfo));
+static const VMStateDescription vmstate_scoop_regs = {
+    .name = "scoop",
+    .version_id = 1,
+    .minimum_version_id = 0,
+    .minimum_version_id_old = 0,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT16(status, ScoopInfo),
+        VMSTATE_UINT16(power, ScoopInfo),
+        VMSTATE_UINT32(gpio_level, ScoopInfo),
+        VMSTATE_UINT32(gpio_dir, ScoopInfo),
+        VMSTATE_UINT32(prev_level, ScoopInfo),
+        VMSTATE_UINT16(mcr, ScoopInfo),
+        VMSTATE_UINT16(cdr, ScoopInfo),
+        VMSTATE_UINT16(ccr, ScoopInfo),
+        VMSTATE_UINT16(irr, ScoopInfo),
+        VMSTATE_UINT16(imr, ScoopInfo),
+        VMSTATE_UINT16(isr, ScoopInfo),
+        VMSTATE_UNUSED_TEST(is_version_0, 2),
+        VMSTATE_END_OF_LIST(),
+    },
+};
 
-    s->status = 0x02;
-    s->in = qemu_allocate_irqs(scoop_gpio_set, s, 16);
-    iomemtype = cpu_register_io_memory(scoop_readfn,
-                    scoop_writefn, s, DEVICE_NATIVE_ENDIAN);
-    cpu_register_physical_memory(target_base, 0x1000, iomemtype);
-    register_savevm(NULL, "scoop", instance, 1, scoop_save, scoop_load, s);
+static SysBusDeviceInfo scoop_sysbus_info = {
+    .init           = scoop_init,
+    .qdev.name      = "scoop",
+    .qdev.desc      = "Scoop2 Sharp custom ASIC",
+    .qdev.size      = sizeof(ScoopInfo),
+    .qdev.vmsd      = &vmstate_scoop_regs,
+    .qdev.props     = (Property[]) {
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
 
-    return s;
+static void scoop_register(void)
+{
+    sysbus_register_withprop(&scoop_sysbus_info);
 }
+device_init(scoop_register);
 
 /* Write the bootloader parameters memory area.  */
 
commit 4c90051801725d5bd12979a585a8da5f1eecd497
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Jan 27 12:49:04 2011 +0900

    pci: typo in pcibus_get_dev_path()
    
    This patch fixes typo in pcibus_get_dev_path().
    Without this patch, the result of pcibus_get_dev_path() isn't unique.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 712280a..d5bbba9 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2072,7 +2072,7 @@ static char *pcibus_get_dev_path(DeviceState *dev)
     for (t = d; t; t = t->bus->parent_dev) {
         p -= slot_len;
         s = snprintf(slot, sizeof slot, ":%02x.%x",
-                     PCI_SLOT(t->devfn), PCI_FUNC(d->devfn));
+                     PCI_SLOT(t->devfn), PCI_FUNC(t->devfn));
         assert(s == slot_len);
         memcpy(p, slot, slot_len);
     }
commit bb34007e86aa2a7902ee60e0f6fa2f0e4cccbffe
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Jan 26 15:55:07 2011 +0200

    pci: bridge control fixup
    
    PCI_BRIDGE_CTL_DISCARD_STATUS (bit 10 in bridge control register)
    is W1C so we should not make it writeable, otherwise the assert(!(wmask
    & w1cmask)) in pci_default_write_config() is hit
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Reported-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Tested-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pci.c b/hw/pci.c
index 044c4bd..712280a 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -641,7 +641,6 @@ static void pci_init_wmask_bridge(PCIDevice *d)
                  PCI_BRIDGE_CTL_FAST_BACK |
                  PCI_BRIDGE_CTL_DISCARD |
                  PCI_BRIDGE_CTL_SEC_DISCARD |
-                 PCI_BRIDGE_CTL_DISCARD_STATUS |
                  PCI_BRIDGE_CTL_DISCARD_SERR);
     /* Below does not do anything as we never set this bit, put here for
      * completeness. */
commit 0fad6efce5d3f18278b7239dece3c251b3e7c04d
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Jan 19 19:29:53 2011 +0000

    target-arm: Fix loading of scalar value for Neon multiply-by-scalar
    
    Fix the register and part of register we get the scalar from in
    the various "multiply vector by scalar" ops (VMUL by scalar
    and friends).
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 41cbb96..d95133f 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -3608,14 +3608,14 @@ static inline TCGv neon_get_scalar(int size, int reg)
 {
     TCGv tmp;
     if (size == 1) {
-        tmp = neon_load_reg(reg >> 1, reg & 1);
-    } else {
-        tmp = neon_load_reg(reg >> 2, (reg >> 1) & 1);
-        if (reg & 1) {
-            gen_neon_dup_low16(tmp);
-        } else {
+        tmp = neon_load_reg(reg & 7, reg >> 4);
+        if (reg & 8) {
             gen_neon_dup_high16(tmp);
+        } else {
+            gen_neon_dup_low16(tmp);
         }
+    } else {
+        tmp = neon_load_reg(reg & 15, reg >> 4);
     }
     return tmp;
 }
commit c6067f04c5bb40547f79b5c02b1cdef043b39c5f
Author: Christophe Lyon <christophe.lyon at st.com>
Date:   Wed Jan 19 15:37:58 2011 +0100

    target-arm: Fix garbage collection of temporaries in Neon emulation.
    
    Fix garbage collection of temporaries in Neon emulation.
    
    Signed-off-by: Christophe Lyon <christophe.lyon at st.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index f445c87..41cbb96 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4183,6 +4183,13 @@ static inline void gen_neon_mull(TCGv_i64 dest, TCGv a, TCGv b, int size, int u)
         break;
     default: abort();
     }
+
+    /* gen_helper_neon_mull_[su]{8|16} do not free their parameters.
+       Don't forget to clean them now.  */
+    if (size < 2) {
+      dead_tmp(a);
+      dead_tmp(b);
+    }
 }
 
 /* Translate a NEON data processing instruction.  Return nonzero if the
@@ -4847,7 +4854,7 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                 if (size == 3) {
                     tcg_temp_free_i64(tmp64);
                 } else {
-                    dead_tmp(tmp2);
+                    tcg_temp_free_i32(tmp2);
                 }
             } else if (op == 10) {
                 /* VSHLL */
@@ -5083,8 +5090,6 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                     case 8: case 9: case 10: case 11: case 12: case 13:
                         /* VMLAL, VQDMLAL, VMLSL, VQDMLSL, VMULL, VQDMULL */
                         gen_neon_mull(cpu_V0, tmp, tmp2, size, u);
-                        dead_tmp(tmp2);
-                        dead_tmp(tmp);
                         break;
                     case 14: /* Polynomial VMULL */
                         cpu_abort(env, "Polynomial VMULL not implemented");
@@ -5235,6 +5240,10 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                         return 1;
 
                     tmp2 = neon_get_scalar(size, rm);
+                    /* We need a copy of tmp2 because gen_neon_mull
+                     * deletes it during pass 0.  */
+                    tmp4 = new_tmp();
+                    tcg_gen_mov_i32(tmp4, tmp2);
                     tmp3 = neon_load_reg(rn, 1);
 
                     for (pass = 0; pass < 2; pass++) {
@@ -5242,9 +5251,9 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                             tmp = neon_load_reg(rn, 0);
                         } else {
                             tmp = tmp3;
+                            tmp2 = tmp4;
                         }
                         gen_neon_mull(cpu_V0, tmp, tmp2, size, u);
-                        dead_tmp(tmp);
                         if (op == 6 || op == 7) {
                             gen_neon_negl(cpu_V0, size);
                         }
@@ -5271,7 +5280,6 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                         neon_store_reg64(cpu_V0, rd + pass);
                     }
 
-                    dead_tmp(tmp2);
 
                     break;
                 default: /* 14 and 15 are RESERVED */
commit 40d3c433606530ee1bb46ce95a6ca1cf2ee9d9c7
Author: Christophe Lyon <christophe.lyon at st.com>
Date:   Wed Jan 19 17:10:52 2011 +0100

    Support saturation with shift=0.
    
    This patch fixes corner-case saturations, when the target range is
    zero. It merely removes the guard against (sh == 0), and makes:
    __ssat(0x87654321, 1) return 0xffffffff and set the saturation flag
    __usat(0x87654321, 0) return 0 and set the saturation flag
    
    Signed-off-by: Christophe Lyon <christophe.lyon at st.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index c60cd18..f445c87 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -6888,27 +6888,23 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                             tcg_gen_shli_i32(tmp, tmp, shift);
                         }
                         sh = (insn >> 16) & 0x1f;
-                        if (sh != 0) {
-                            tmp2 = tcg_const_i32(sh);
-                            if (insn & (1 << 22))
-                                gen_helper_usat(tmp, tmp, tmp2);
-                            else
-                                gen_helper_ssat(tmp, tmp, tmp2);
-                            tcg_temp_free_i32(tmp2);
-                        }
+                        tmp2 = tcg_const_i32(sh);
+                        if (insn & (1 << 22))
+                          gen_helper_usat(tmp, tmp, tmp2);
+                        else
+                          gen_helper_ssat(tmp, tmp, tmp2);
+                        tcg_temp_free_i32(tmp2);
                         store_reg(s, rd, tmp);
                     } else if ((insn & 0x00300fe0) == 0x00200f20) {
                         /* [us]sat16 */
                         tmp = load_reg(s, rm);
                         sh = (insn >> 16) & 0x1f;
-                        if (sh != 0) {
-                            tmp2 = tcg_const_i32(sh);
-                            if (insn & (1 << 22))
-                                gen_helper_usat16(tmp, tmp, tmp2);
-                            else
-                                gen_helper_ssat16(tmp, tmp, tmp2);
-                            tcg_temp_free_i32(tmp2);
-                        }
+                        tmp2 = tcg_const_i32(sh);
+                        if (insn & (1 << 22))
+                          gen_helper_usat16(tmp, tmp, tmp2);
+                        else
+                          gen_helper_ssat16(tmp, tmp, tmp2);
+                        tcg_temp_free_i32(tmp2);
                         store_reg(s, rd, tmp);
                     } else if ((insn & 0x00700fe0) == 0x00000fa0) {
                         /* Select bytes.  */
commit e3f114f761fd44db3b33f5d704da48392fce4ce8
Author: Alexandre Courbot <gnurou at gmail.com>
Date:   Wed Jan 26 11:57:53 2011 +0900

    target-sh4: update PTEH upon MMU exception
    
    Update the PTEH register to contain the VPN at which an MMU
    exception occured as specified by the SH4 reference.
    
    Signed-off-by: Alexandre Courbot <gnurou at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 785e9e5..d2038bd 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -453,6 +453,10 @@ int cpu_sh4_handle_mmu_fault(CPUState * env, target_ulong address, int rw,
 
     if (ret != MMU_OK) {
 	env->tea = address;
+	if (ret != MMU_DTLB_MULTIPLE && ret != MMU_ITLB_MULTIPLE) {
+	    env->pteh = (env->pteh & PTEH_ASID_MASK) |
+		    (address & PTEH_VPN_MASK);
+	}
 	switch (ret) {
 	case MMU_ITLB_MISS:
 	case MMU_DTLB_MISS_READ:
commit bc656a296885b8be7a27f49ae827298fd1b9d153
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 26 02:16:39 2011 +0100

    sh4: implement missing mmaped TLB read functions
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sh7750.c b/hw/sh7750.c
index f76f271..19d5bf8 100644
--- a/hw/sh7750.c
+++ b/hw/sh7750.c
@@ -625,6 +625,7 @@ static uint32_t invalid_read(void *opaque, target_phys_addr_t addr)
 
 static uint32_t sh7750_mmct_readl(void *opaque, target_phys_addr_t addr)
 {
+    SH7750State *s = opaque;
     uint32_t ret = 0;
 
     switch (MM_REGION_TYPE(addr)) {
@@ -633,19 +634,21 @@ static uint32_t sh7750_mmct_readl(void *opaque, target_phys_addr_t addr)
         /* do nothing */
 	break;
     case MM_ITLB_ADDR:
+        ret = cpu_sh4_read_mmaped_itlb_addr(s->cpu, addr);
+        break;
     case MM_ITLB_DATA:
-        /* XXXXX */
-        abort();
-	break;
+        ret = cpu_sh4_read_mmaped_itlb_data(s->cpu, addr);
+        break;
     case MM_OCACHE_ADDR:
     case MM_OCACHE_DATA:
         /* do nothing */
 	break;
     case MM_UTLB_ADDR:
+        ret = cpu_sh4_read_mmaped_utlb_addr(s->cpu, addr);
+        break;
     case MM_UTLB_DATA:
-        /* XXXXX */
-        abort();
-	break;
+        ret = cpu_sh4_read_mmaped_utlb_data(s->cpu, addr);
+        break;
     default:
         abort();
     }
diff --git a/target-sh4/cpu.h b/target-sh4/cpu.h
index 9eccb0c..789d188 100644
--- a/target-sh4/cpu.h
+++ b/target-sh4/cpu.h
@@ -201,12 +201,20 @@ void do_interrupt(CPUSH4State * env);
 void sh4_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #if !defined(CONFIG_USER_ONLY)
 void cpu_sh4_invalidate_tlb(CPUSH4State *s);
+uint32_t cpu_sh4_read_mmaped_itlb_addr(CPUSH4State *s,
+                                       target_phys_addr_t addr);
 void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
                                     uint32_t mem_value);
+uint32_t cpu_sh4_read_mmaped_itlb_data(CPUSH4State *s,
+                                       target_phys_addr_t addr);
 void cpu_sh4_write_mmaped_itlb_data(CPUSH4State *s, target_phys_addr_t addr,
                                     uint32_t mem_value);
+uint32_t cpu_sh4_read_mmaped_utlb_addr(CPUSH4State *s,
+                                       target_phys_addr_t addr);
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
                                     uint32_t mem_value);
+uint32_t cpu_sh4_read_mmaped_utlb_data(CPUSH4State *s,
+                                       target_phys_addr_t addr);
 void cpu_sh4_write_mmaped_utlb_data(CPUSH4State *s, target_phys_addr_t addr,
                                     uint32_t mem_value);
 #endif
diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 4cd42b5..785e9e5 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -567,6 +567,17 @@ void cpu_load_tlb(CPUSH4State * env)
     tlb_flush(s, 1);
 }
 
+uint32_t cpu_sh4_read_mmaped_itlb_addr(CPUSH4State *s,
+                                       target_phys_addr_t addr)
+{
+    int index = (addr & 0x00000300) >> 8;
+    tlb_t * entry = &s->itlb[index];
+
+    return (entry->vpn  << 10) |
+           (entry->v    <<  8) |
+           (entry->asid);
+}
+
 void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
 				    uint32_t mem_value)
 {
@@ -586,6 +597,29 @@ void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
     entry->v = v;
 }
 
+uint32_t cpu_sh4_read_mmaped_itlb_data(CPUSH4State *s,
+                                       target_phys_addr_t addr)
+{
+    int array = (addr & 0x00800000) >> 23;
+    int index = (addr & 0x00000300) >> 8;
+    tlb_t * entry = &s->itlb[index];
+
+    if (array == 0) {
+        /* ITLB Data Array 1 */
+        return (entry->ppn << 10) |
+               (entry->v   <<  8) |
+               (entry->pr  <<  5) |
+               ((entry->sz & 1) <<  6) |
+               ((entry->sz & 2) <<  4) |
+               (entry->c   <<  3) |
+               (entry->sh  <<  1);
+    } else {
+        /* ITLB Data Array 2 */
+        return (entry->tc << 1) |
+               (entry->sa);
+    }
+}
+
 void cpu_sh4_write_mmaped_itlb_data(CPUSH4State *s, target_phys_addr_t addr,
                                     uint32_t mem_value)
 {
@@ -614,6 +648,19 @@ void cpu_sh4_write_mmaped_itlb_data(CPUSH4State *s, target_phys_addr_t addr,
     }
 }
 
+uint32_t cpu_sh4_read_mmaped_utlb_addr(CPUSH4State *s,
+                                       target_phys_addr_t addr)
+{
+    int index = (addr & 0x00003f00) >> 8;
+    tlb_t * entry = &s->utlb[index];
+
+    increment_urc(s); /* per utlb access */
+
+    return (entry->vpn  << 10) |
+           (entry->v    <<  8) |
+           (entry->asid);
+}
+
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
 				    uint32_t mem_value)
 {
@@ -686,6 +733,33 @@ void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
     }
 }
 
+uint32_t cpu_sh4_read_mmaped_utlb_data(CPUSH4State *s,
+                                       target_phys_addr_t addr)
+{
+    int array = (addr & 0x00800000) >> 23;
+    int index = (addr & 0x00003f00) >> 8;
+    tlb_t * entry = &s->utlb[index];
+
+    increment_urc(s); /* per utlb access */
+
+    if (array == 0) {
+        /* ITLB Data Array 1 */
+        return (entry->ppn << 10) |
+               (entry->v   <<  8) |
+               (entry->pr  <<  5) |
+               ((entry->sz & 1) <<  6) |
+               ((entry->sz & 2) <<  4) |
+               (entry->c   <<  3) |
+               (entry->d   <<  2) |
+               (entry->sh  <<  1) |
+               (entry->wt);
+    } else {
+        /* ITLB Data Array 2 */
+        return (entry->tc << 1) |
+               (entry->sa);
+    }
+}
+
 void cpu_sh4_write_mmaped_utlb_data(CPUSH4State *s, target_phys_addr_t addr,
                                     uint32_t mem_value)
 {
commit 9f97309a70f12df5f9104f1fcc280bceac7ea27e
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 26 02:07:50 2011 +0100

    sh4: implement missing mmaped TLB write functions
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sh7750.c b/hw/sh7750.c
index 36b702f..f76f271 100644
--- a/hw/sh7750.c
+++ b/hw/sh7750.c
@@ -673,7 +673,7 @@ static void sh7750_mmct_writel(void *opaque, target_phys_addr_t addr,
         cpu_sh4_write_mmaped_itlb_addr(s->cpu, addr, mem_value);
         break;
     case MM_ITLB_DATA:
-        /* XXXXX */
+        cpu_sh4_write_mmaped_itlb_data(s->cpu, addr, mem_value);
         abort();
 	break;
     case MM_OCACHE_ADDR:
@@ -684,8 +684,7 @@ static void sh7750_mmct_writel(void *opaque, target_phys_addr_t addr,
         cpu_sh4_write_mmaped_utlb_addr(s->cpu, addr, mem_value);
 	break;
     case MM_UTLB_DATA:
-        /* XXXXX */
-        abort();
+        cpu_sh4_write_mmaped_utlb_data(s->cpu, addr, mem_value);
 	break;
     default:
         abort();
diff --git a/target-sh4/cpu.h b/target-sh4/cpu.h
index 95df6d2..9eccb0c 100644
--- a/target-sh4/cpu.h
+++ b/target-sh4/cpu.h
@@ -202,9 +202,13 @@ void sh4_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #if !defined(CONFIG_USER_ONLY)
 void cpu_sh4_invalidate_tlb(CPUSH4State *s);
 void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
-				    uint32_t mem_value);
+                                    uint32_t mem_value);
+void cpu_sh4_write_mmaped_itlb_data(CPUSH4State *s, target_phys_addr_t addr,
+                                    uint32_t mem_value);
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
-				    uint32_t mem_value);
+                                    uint32_t mem_value);
+void cpu_sh4_write_mmaped_utlb_data(CPUSH4State *s, target_phys_addr_t addr,
+                                    uint32_t mem_value);
 #endif
 
 int cpu_sh4_is_cached(CPUSH4State * env, target_ulong addr);
diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 19b309b..4cd42b5 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -574,7 +574,7 @@ void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
     uint8_t v = (uint8_t)((mem_value & 0x00000100) >> 8);
     uint8_t asid = (uint8_t)(mem_value & 0x000000ff);
 
-    int index = (addr & 0x00003f00) >> 8;
+    int index = (addr & 0x00000300) >> 8;
     tlb_t * entry = &s->itlb[index];
     if (entry->v) {
         /* Overwriting valid entry in itlb. */
@@ -586,6 +586,34 @@ void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
     entry->v = v;
 }
 
+void cpu_sh4_write_mmaped_itlb_data(CPUSH4State *s, target_phys_addr_t addr,
+                                    uint32_t mem_value)
+{
+    int array = (addr & 0x00800000) >> 23;
+    int index = (addr & 0x00000300) >> 8;
+    tlb_t * entry = &s->itlb[index];
+
+    if (array == 0) {
+        /* ITLB Data Array 1 */
+        if (entry->v) {
+            /* Overwriting valid entry in utlb. */
+            target_ulong address = entry->vpn << 10;
+            tlb_flush_page(s, address);
+        }
+        entry->ppn = (mem_value & 0x1ffffc00) >> 10;
+        entry->v   = (mem_value & 0x00000100) >> 8;
+        entry->sz  = (mem_value & 0x00000080) >> 6 |
+                     (mem_value & 0x00000010) >> 4;
+        entry->pr  = (mem_value & 0x00000040) >> 5;
+        entry->c   = (mem_value & 0x00000008) >> 3;
+        entry->sh  = (mem_value & 0x00000002) >> 1;
+    } else {
+        /* ITLB Data Array 2 */
+        entry->tc  = (mem_value & 0x00000008) >> 3;
+        entry->sa  = (mem_value & 0x00000007);
+    }
+}
+
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
 				    uint32_t mem_value)
 {
@@ -658,6 +686,38 @@ void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
     }
 }
 
+void cpu_sh4_write_mmaped_utlb_data(CPUSH4State *s, target_phys_addr_t addr,
+                                    uint32_t mem_value)
+{
+    int array = (addr & 0x00800000) >> 23;
+    int index = (addr & 0x00003f00) >> 8;
+    tlb_t * entry = &s->utlb[index];
+
+    increment_urc(s); /* per utlb access */
+
+    if (array == 0) {
+        /* UTLB Data Array 1 */
+        if (entry->v) {
+            /* Overwriting valid entry in utlb. */
+            target_ulong address = entry->vpn << 10;
+            tlb_flush_page(s, address);
+        }
+        entry->ppn = (mem_value & 0x1ffffc00) >> 10;
+        entry->v   = (mem_value & 0x00000100) >> 8;
+        entry->sz  = (mem_value & 0x00000080) >> 6 |
+                     (mem_value & 0x00000010) >> 4;
+        entry->pr  = (mem_value & 0x00000060) >> 5;
+        entry->c   = (mem_value & 0x00000008) >> 3;
+        entry->d   = (mem_value & 0x00000004) >> 2;
+        entry->sh  = (mem_value & 0x00000002) >> 1;
+        entry->wt  = (mem_value & 0x00000001);
+    } else {
+        /* UTLB Data Array 2 */
+        entry->tc = (mem_value & 0x00000008) >> 3;
+        entry->sa = (mem_value & 0x00000007);
+    }
+}
+
 int cpu_sh4_is_cached(CPUSH4State * env, target_ulong addr)
 {
     int n;
commit 7f0958161056ae4e4794dfeb30bc57e432d6e8e5
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Wed Jan 26 10:36:37 2011 +0100

    etrax: Dont decrease the granularity of timers
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/etraxfs_timer.c b/hw/etraxfs_timer.c
index ba1adbe..133741b 100644
--- a/hw/etraxfs_timer.c
+++ b/hw/etraxfs_timer.c
@@ -100,7 +100,6 @@ static uint32_t timer_readl (void *opaque, target_phys_addr_t addr)
     return r;
 }
 
-#define TIMER_SLOWDOWN 1
 static void update_ctrl(struct etrax_timer *t, int tnum)
 {
     unsigned int op;
@@ -142,9 +141,6 @@ static void update_ctrl(struct etrax_timer *t, int tnum)
     }
 
     D(printf ("freq_hz=%d div=%d\n", freq_hz, div));
-    div = div * TIMER_SLOWDOWN;
-    div /= 1000;
-    freq_hz /= 1000;
     ptimer_set_freq(timer, freq_hz);
     ptimer_set_limit(timer, div, 0);
 
commit 5a30b7f6f19d65c0e204bf4cabe1fb5600f3836c
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Tue Jan 25 19:47:06 2011 +0100

    cris: Replace tcg branch sequence with setcond
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index f4cc125..b4648a0 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -947,15 +947,8 @@ static void gen_tst_cc (DisasContext *dc, TCGv cc, int cond)
 		case CC_EQ:
 			if ((arith_opt || move_opt)
 			    && dc->cc_x_uptodate != (2 | X_FLAG)) {
-				/* If cc_result is zero, T0 should be 
-				   non-zero otherwise T0 should be zero.  */
-				int l1;
-				l1 = gen_new_label();
-				tcg_gen_movi_tl(cc, 0);
-				tcg_gen_brcondi_tl(TCG_COND_NE, cc_result, 
-						   0, l1);
-				tcg_gen_movi_tl(cc, 1);
-				gen_set_label(l1);
+				tcg_gen_setcond_tl(TCG_COND_EQ, cc,
+						   cc_result, tcg_const_tl(0));
 			}
 			else {
 				cris_evaluate_flags(dc);
commit bf1064b587321b1af02e444201215141bd049c97
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Jan 24 22:07:46 2011 +0100

    pulseaudio: tweak config
    
    Zap unused divisor field.
    Raise the buffer size default.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/paaudio.c b/audio/paaudio.c
index 75e3ea0..fb4510e 100644
--- a/audio/paaudio.c
+++ b/audio/paaudio.c
@@ -33,13 +33,11 @@ typedef struct {
 
 static struct {
     int samples;
-    int divisor;
     char *server;
     char *sink;
     char *source;
 } conf = {
-    .samples = 1024,
-    .divisor = 2,
+    .samples = 4096,
 };
 
 static void GCC_FMT_ATTR (2, 3) qpa_logerr (int err, const char *fmt, ...)
@@ -478,12 +476,6 @@ struct audio_option qpa_options[] = {
         .descr = "buffer size in samples"
     },
     {
-        .name  = "DIVISOR",
-        .tag   = AUD_OPT_INT,
-        .valp  = &conf.divisor,
-        .descr = "threshold divisor"
-    },
-    {
         .name  = "SERVER",
         .tag   = AUD_OPT_STR,
         .valp  = &conf.server,
commit e6d16fa439aeebd34e135edd3e29d4a2db6b1a33
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Jan 24 22:07:45 2011 +0100

    pulseaudio: setup buffer attrs
    
    Request reasonable buffer sizes from pulseaudio.  Without this
    pa_simple_write() can block quite long and lead to dropouts,
    especially with guests which use small audio ring buffers.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/paaudio.c b/audio/paaudio.c
index 858ca81..75e3ea0 100644
--- a/audio/paaudio.c
+++ b/audio/paaudio.c
@@ -289,6 +289,7 @@ static int qpa_init_out (HWVoiceOut *hw, struct audsettings *as)
 {
     int error;
     static pa_sample_spec ss;
+    static pa_buffer_attr ba;
     struct audsettings obt_as = *as;
     PAVoiceOut *pa = (PAVoiceOut *) hw;
 
@@ -296,6 +297,15 @@ static int qpa_init_out (HWVoiceOut *hw, struct audsettings *as)
     ss.channels = as->nchannels;
     ss.rate = as->freq;
 
+    /*
+     * qemu audio tick runs at 250 Hz (by default), so processing
+     * data chunks worth 4 ms of sound should be a good fit.
+     */
+    ba.tlength = pa_usec_to_bytes (4 * 1000, &ss);
+    ba.minreq = pa_usec_to_bytes (2 * 1000, &ss);
+    ba.maxlength = -1;
+    ba.prebuf = -1;
+
     obt_as.fmt = pa_to_audfmt (ss.format, &obt_as.endianness);
 
     pa->s = pa_simple_new (
@@ -306,7 +316,7 @@ static int qpa_init_out (HWVoiceOut *hw, struct audsettings *as)
         "pcm.playback",
         &ss,
         NULL,                   /* channel map */
-        NULL,                   /* buffering attributes */
+        &ba,                    /* buffering attributes */
         &error
         );
     if (!pa->s) {
commit 6315633b2535dc82dc1b3403f884b81e26b4c72c
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Jan 24 22:07:44 2011 +0100

    pulseaudio: process 1/4 buffer max at once
    
    Limit the size of data pieces processed by the pulseaudio worker
    threads.  Never ever process more than 1/4 of the buffer at once.
    
    Background: The buffer area currently processed by the pulseaudio thread
    is blocked, i.e. the main thread (or iothread) can't fill in more data
    there.  The buffer processing time is roughly real-time due to the
    pa_simple_write() call blocking when the output queue to the pulse
    server is full.  Thus processing big chunks at once means blocking
    a large part of the buffer for a long time.  This brings high latency
    and can lead to dropouts.
    
    When processing the buffer in smaller chunks the rpos handling becomes a
    problem though.  The thread reads hw->rpos without knowing whenever
    qpa_run_out has already seen the last (small) chunk processed and
    updated rpos accordingly.  There is no point in reading hw->rpos though,
    pa->rpos can be used instead.  We just need to take care to initialize
    pa->rpos before kicking the thread.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/paaudio.c b/audio/paaudio.c
index 9cf685d..858ca81 100644
--- a/audio/paaudio.c
+++ b/audio/paaudio.c
@@ -57,9 +57,6 @@ static void *qpa_thread_out (void *arg)
 {
     PAVoiceOut *pa = arg;
     HWVoiceOut *hw = &pa->hw;
-    int threshold;
-
-    threshold = conf.divisor ? hw->samples / conf.divisor : 0;
 
     if (audio_pt_lock (&pa->pt, AUDIO_FUNC)) {
         return NULL;
@@ -73,7 +70,7 @@ static void *qpa_thread_out (void *arg)
                 goto exit;
             }
 
-            if (pa->live > threshold) {
+            if (pa->live > 0) {
                 break;
             }
 
@@ -82,8 +79,8 @@ static void *qpa_thread_out (void *arg)
             }
         }
 
-        decr = to_mix = pa->live;
-        rpos = hw->rpos;
+        decr = to_mix = audio_MIN (pa->live, conf.samples >> 2);
+        rpos = pa->rpos;
 
         if (audio_pt_unlock (&pa->pt, AUDIO_FUNC)) {
             return NULL;
@@ -110,8 +107,8 @@ static void *qpa_thread_out (void *arg)
             return NULL;
         }
 
-        pa->live = 0;
         pa->rpos = rpos;
+        pa->live -= decr;
         pa->decr += decr;
     }
 
@@ -152,9 +149,6 @@ static void *qpa_thread_in (void *arg)
 {
     PAVoiceIn *pa = arg;
     HWVoiceIn *hw = &pa->hw;
-    int threshold;
-
-    threshold = conf.divisor ? hw->samples / conf.divisor : 0;
 
     if (audio_pt_lock (&pa->pt, AUDIO_FUNC)) {
         return NULL;
@@ -168,7 +162,7 @@ static void *qpa_thread_in (void *arg)
                 goto exit;
             }
 
-            if (pa->dead > threshold) {
+            if (pa->dead > 0) {
                 break;
             }
 
@@ -177,8 +171,8 @@ static void *qpa_thread_in (void *arg)
             }
         }
 
-        incr = to_grab = pa->dead;
-        wpos = hw->wpos;
+        incr = to_grab = audio_MIN (pa->dead, conf.samples >> 2);
+        wpos = pa->wpos;
 
         if (audio_pt_unlock (&pa->pt, AUDIO_FUNC)) {
             return NULL;
@@ -323,6 +317,7 @@ static int qpa_init_out (HWVoiceOut *hw, struct audsettings *as)
     audio_pcm_init_info (&hw->info, &obt_as);
     hw->samples = conf.samples;
     pa->pcm_buf = audio_calloc (AUDIO_FUNC, hw->samples, 1 << hw->info.shift);
+    pa->rpos = hw->rpos;
     if (!pa->pcm_buf) {
         dolog ("Could not allocate buffer (%d bytes)\n",
                hw->samples << hw->info.shift);
@@ -377,6 +372,7 @@ static int qpa_init_in (HWVoiceIn *hw, struct audsettings *as)
     audio_pcm_init_info (&hw->info, &obt_as);
     hw->samples = conf.samples;
     pa->pcm_buf = audio_calloc (AUDIO_FUNC, hw->samples, 1 << hw->info.shift);
+    pa->wpos = hw->wpos;
     if (!pa->pcm_buf) {
         dolog ("Could not allocate buffer (%d bytes)\n",
                hw->samples << hw->info.shift);
commit d00b261816872d3e48adca584fca80ca21985f3b
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Jan 21 19:53:55 2011 +0900

    monitor: use after free in do_wav_capture()
    
    use after free in do_wav_capture() on the error path.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/monitor.c b/monitor.c
index 0cda3da..c5f54f4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2509,8 +2509,9 @@ static void do_wav_capture(Monitor *mon, const QDict *qdict)
     nchannels = has_channels ? nchannels : 2;
 
     if (wav_start_capture (s, path, freq, bits, nchannels)) {
-        monitor_printf(mon, "Faied to add wave capture\n");
+        monitor_printf(mon, "Failed to add wave capture\n");
         qemu_free (s);
+        return;
     }
     QLIST_INSERT_HEAD (&capture_head, s, entries);
 }
commit 52108a1ff02263e10b20544b7637241b0920983d
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Jan 21 19:53:51 2011 +0900

    mips_fulong: remove bogus HAS_AUDIO
    
    remove bogus HAS_AUDIO according to 738012bec4c67e697e766edadab3f522c552a04d.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Huacai Chen <zltjiangshi at gmail.com>
    Cc: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index 07eb9ee..2783ed5 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -218,13 +218,11 @@ uint8_t eeprom_spd[0x80] = {
 };
 
 /* Audio support */
-#ifdef HAS_AUDIO
 static void audio_init (PCIBus *pci_bus)
 {
     vt82c686b_ac97_init(pci_bus, PCI_DEVFN(FULONG2E_VIA_SLOT, 5));
     vt82c686b_mc97_init(pci_bus, PCI_DEVFN(FULONG2E_VIA_SLOT, 6));
 }
-#endif
 
 /* Network support */
 static void network_init (void)
@@ -391,9 +389,7 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const char *boot_device,
     }
 
     /* Sound card */
-#ifdef HAS_AUDIO
     audio_init(pci_bus);
-#endif
     /* Network card */
     network_init();
 }
commit 0dfa5ef90d0b4eebaf810a897459a009e4b1cef2
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Jan 21 19:53:45 2011 +0900

    audio: consolidate audio_init()
    
    consolidate audio_init() and remove references to shoundhw.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Acked-by: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/arch_init.c b/arch_init.c
index e32e289..cc56f0f 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -461,7 +461,18 @@ void qemu_service_io(void)
 }
 
 #ifdef HAS_AUDIO
-struct soundhw soundhw[] = {
+struct soundhw {
+    const char *name;
+    const char *descr;
+    int enabled;
+    int isa;
+    union {
+        int (*init_isa) (qemu_irq *pic);
+        int (*init_pci) (PCIBus *bus);
+    } init;
+};
+
+static struct soundhw soundhw[] = {
 #ifdef HAS_AUDIO_CHOICE
 #if defined(TARGET_I386) || defined(TARGET_MIPS)
     {
@@ -610,10 +621,32 @@ void select_soundhw(const char *optarg)
         }
     }
 }
+
+void audio_init(qemu_irq *isa_pic, PCIBus *pci_bus)
+{
+    struct soundhw *c;
+
+    for (c = soundhw; c->name; ++c) {
+        if (c->enabled) {
+            if (c->isa) {
+                if (isa_pic) {
+                    c->init.init_isa(isa_pic);
+                }
+            } else {
+                if (pci_bus) {
+                    c->init.init_pci(pci_bus);
+                }
+            }
+        }
+    }
+}
 #else
 void select_soundhw(const char *optarg)
 {
 }
+void audio_init(qemu_irq *isa_pic, PCIBus *pci_bus)
+{
+}
 #endif
 
 int qemu_uuid_parse(const char *str, uint8_t *uuid)
diff --git a/arch_init.h b/arch_init.h
index 682890c..17c9164 100644
--- a/arch_init.h
+++ b/arch_init.h
@@ -27,6 +27,7 @@ void do_acpitable_option(const char *optarg);
 void do_smbios_option(const char *optarg);
 void cpudef_init(void);
 int audio_available(void);
+void audio_init(qemu_irq *isa_pic, PCIBus *pci_bus);
 int kvm_available(void);
 int xen_available(void);
 
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index a7caa3f..85eba5a 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -29,7 +29,7 @@
 #include "isa.h"
 #include "fdc.h"
 #include "sysemu.h"
-#include "audio/audio.h"
+#include "arch_init.h"
 #include "boards.h"
 #include "net.h"
 #include "esp.h"
@@ -90,26 +90,6 @@ static CPUWriteMemoryFunc * const dma_dummy_write[3] = {
     dma_dummy_writeb,
 };
 
-static void audio_init(qemu_irq *pic)
-{
-    struct soundhw *c;
-    int audio_enabled = 0;
-
-    for (c = soundhw; !audio_enabled && c->name; ++c) {
-        audio_enabled = c->enabled;
-    }
-
-    if (audio_enabled) {
-        for (c = soundhw; c->name; ++c) {
-            if (c->enabled) {
-                if (c->isa) {
-                    c->init.init_isa(pic);
-                }
-            }
-        }
-    }
-}
-
 #define MAGNUM_BIOS_SIZE_MAX 0x7e000
 #define MAGNUM_BIOS_SIZE (BIOS_SIZE < MAGNUM_BIOS_SIZE_MAX ? BIOS_SIZE : MAGNUM_BIOS_SIZE_MAX)
 
@@ -284,7 +264,7 @@ void mips_jazz_init (ram_addr_t ram_size,
 
     /* Sound card */
     /* FIXME: missing Jazz sound at 0x8000c000, rc4030[2] */
-    audio_init(i8259);
+    audio_init(i8259, NULL);
 
     /* NVRAM: Unprotected at 0x9000, Protected at 0xa000, Read only at 0xb000 */
     ds1225y_init(0x80009000, "nvram");
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 8755416..2d3f242 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -37,7 +37,7 @@
 #include "vmware_vga.h"
 #include "qemu-char.h"
 #include "sysemu.h"
-#include "audio/audio.h"
+#include "arch_init.h"
 #include "boards.h"
 #include "qemu-log.h"
 #include "mips-bios.h"
@@ -457,25 +457,6 @@ static MaltaFPGAState *malta_fpga_init(target_phys_addr_t base, qemu_irq uart_ir
     return s;
 }
 
-/* Audio support */
-static void audio_init (PCIBus *pci_bus)
-{
-    struct soundhw *c;
-    int audio_enabled = 0;
-
-    for (c = soundhw; !audio_enabled && c->name; ++c) {
-        audio_enabled = c->enabled;
-    }
-
-    if (audio_enabled) {
-        for (c = soundhw; c->name; ++c) {
-            if (c->enabled) {
-                c->init.init_pci(pci_bus);
-            }
-        }
-    }
-}
-
 /* Network support */
 static void network_init(void)
 {
@@ -967,7 +948,7 @@ void mips_malta_init (ram_addr_t ram_size,
     fdctrl_init_isa(fd);
 
     /* Sound card */
-    audio_init(pci_bus);
+    audio_init(NULL, pci_bus);
 
     /* Network card */
     network_init();
diff --git a/hw/pc.c b/hw/pc.c
index fface7d..4dfdc0b 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -829,23 +829,6 @@ static const int ne2000_irq[NE2000_NB_MAX] = { 9, 10, 11, 3, 4, 5 };
 static const int parallel_io[MAX_PARALLEL_PORTS] = { 0x378, 0x278, 0x3bc };
 static const int parallel_irq[MAX_PARALLEL_PORTS] = { 7, 7, 7 };
 
-void pc_audio_init (PCIBus *pci_bus, qemu_irq *pic)
-{
-    struct soundhw *c;
-
-    for (c = soundhw; c->name; ++c) {
-        if (c->enabled) {
-            if (c->isa) {
-                c->init.init_isa(pic);
-            } else {
-                if (pci_bus) {
-                    c->init.init_pci(pci_bus);
-                }
-            }
-        }
-    }
-}
-
 void pc_init_ne2k_isa(NICInfo *nd)
 {
     static int nb_ne2k = 0;
diff --git a/hw/pc.h b/hw/pc.h
index 6852790..a048768 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -100,9 +100,6 @@ void pc_basic_device_init(qemu_irq *isa_irq,
                           FDCtrl **floppy_controller,
                           ISADevice **rtc_state);
 void pc_init_ne2k_isa(NICInfo *nd);
-#ifdef HAS_AUDIO
-void pc_audio_init (PCIBus *pci_bus, qemu_irq *pic);
-#endif
 void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
                   const char *boot_device,
                   BusState *ide0, BusState *ide1,
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index f82508d..7b74473 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -34,6 +34,7 @@
 #include "kvm.h"
 #include "sysemu.h"
 #include "sysbus.h"
+#include "arch_init.h"
 #include "blockdev.h"
 
 #define MAX_IDE_BUS 2
@@ -148,7 +149,7 @@ static void pc_init1(ram_addr_t ram_size,
         }
     }
 
-    pc_audio_init(pci_enabled ? pci_bus : NULL, isa_irq);
+    audio_init(isa_irq, pci_enabled ? pci_bus : NULL);
 
     pc_cmos_init(below_4g_mem_size, above_4g_mem_size, boot_device,
                  idebus[0], idebus[1], floppy_controller, rtc_state);
diff --git a/sysemu.h b/sysemu.h
index 0c969f2..23ae17e 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -178,21 +178,6 @@ extern CharDriverState *parallel_hds[MAX_PARALLEL_PORTS];
 
 #define TFR(expr) do { if ((expr) != -1) break; } while (errno == EINTR)
 
-#ifdef HAS_AUDIO
-struct soundhw {
-    const char *name;
-    const char *descr;
-    int enabled;
-    int isa;
-    union {
-        int (*init_isa) (qemu_irq *pic);
-        int (*init_pci) (PCIBus *bus);
-    } init;
-};
-
-extern struct soundhw soundhw[];
-#endif
-
 void do_usb_add(Monitor *mon, const QDict *qdict);
 void do_usb_del(Monitor *mon, const QDict *qdict);
 void usb_info(Monitor *mon);
commit bec43cc3b61d025841d550800d3835986446061d
Author: Alexandre Courbot <gnurou at gmail.com>
Date:   Tue Jan 25 14:00:14 2011 +0900

    target-sh4: fix index of address read error exception
    
    Exception index of address read error should be 0x0e0.
    
    Signed-off-by: Alexandre Courbot <gnurou at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index bee0527..19b309b 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -479,7 +479,7 @@ int cpu_sh4_handle_mmu_fault(CPUState * env, target_ulong address, int rw,
 	    break;
 	case MMU_IADDR_ERROR:
 	case MMU_DADDR_ERROR_READ:
-	    env->exception_index = 0x0c0;
+	    env->exception_index = 0x0e0;
 	    break;
 	case MMU_DADDR_ERROR_WRITE:
 	    env->exception_index = 0x100;
commit e40a67beeda6aa6e735546e9f08f3db41e23592a
Author: Alexandre Courbot <gnurou at gmail.com>
Date:   Tue Jan 25 15:32:01 2011 +0900

    target-sh4: fix TLB invalidation code
    
    In cpu_sh4_invalidate_tlb, the UTLB was invalidated twice and the
    ITLB left unchaged, probably because of some unfortunate copy/paste.
    
    Signed-off-by: Alexandre Courbot <gnurou at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 45449ea..bee0527 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -559,8 +559,8 @@ void cpu_load_tlb(CPUSH4State * env)
         entry->v = 0;
     }
     /* ITLB */
-    for (i = 0; i < UTLB_SIZE; i++) {
-        tlb_t * entry = &s->utlb[i];
+    for (i = 0; i < ITLB_SIZE; i++) {
+        tlb_t * entry = &s->itlb[i];
         entry->v = 0;
     }
 
commit b22b7b729d2d617c49381843362bc3ef336d66ec
Merge: 4a2ba23... a5c062e...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Jan 24 15:16:56 2011 -0600

    Merge remote branch 'kwolf/for-anthony' into staging

commit 4a2ba232843ac4197c586c1f0f0adbb1eb02fe34
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Mon Jan 24 12:56:56 2011 +0100

    SPARC: Add asr17 register support
    
    This register is activated by CPU_FEATURE_ASR17 in the feature field.
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index 5c50d9e..6f5990b 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -267,6 +267,7 @@ typedef struct sparc_def_t {
 #define CPU_FEATURE_CMT          (1 << 12)
 #define CPU_FEATURE_GL           (1 << 13)
 #define CPU_FEATURE_TA0_SHUTDOWN (1 << 14) /* Shutdown on "ta 0x0" */
+#define CPU_FEATURE_ASR17        (1 << 15)
 #ifndef TARGET_SPARC64
 #define CPU_DEFAULT_FEATURES (CPU_FEATURE_FLOAT | CPU_FEATURE_SWAP |  \
                               CPU_FEATURE_MUL | CPU_FEATURE_DIV |     \
diff --git a/target-sparc/helper.c b/target-sparc/helper.c
index ec6ac27..2f3d1e6 100644
--- a/target-sparc/helper.c
+++ b/target-sparc/helper.c
@@ -1288,7 +1288,8 @@ static const sparc_def_t sparc_defs[] = {
         .mmu_sfsr_mask = 0xffffffff,
         .mmu_trcr_mask = 0xffffffff,
         .nwindows = 8,
-        .features = CPU_DEFAULT_FEATURES | CPU_FEATURE_TA0_SHUTDOWN,
+        .features = CPU_DEFAULT_FEATURES | CPU_FEATURE_TA0_SHUTDOWN |
+        CPU_FEATURE_ASR17,
     },
 #endif
 };
diff --git a/target-sparc/translate.c b/target-sparc/translate.c
index dff0f19..e26462e 100644
--- a/target-sparc/translate.c
+++ b/target-sparc/translate.c
@@ -2067,6 +2067,17 @@ static void disas_sparc_insn(DisasContext * dc)
                 case 0x10 ... 0x1f: /* implementation-dependent in the
                                        SPARCv8 manual, rdy on the
                                        microSPARC II */
+                    /* Read Asr17 */
+                    if (rs1 == 0x11 && dc->def->features & CPU_FEATURE_ASR17) {
+                        TCGv r_const;
+
+                        /* Read Asr17 for a Leon3 monoprocessor */
+                        r_const = tcg_const_tl((1 << 8)
+                                               | (dc->def->nwindows - 1));
+                        gen_movl_TN_reg(rd, r_const);
+                        tcg_temp_free(r_const);
+                        break;
+                    }
 #endif
                     gen_movl_TN_reg(rd, cpu_y);
                     break;
commit b04d98905400aeb7dd62ce938d7eecddf2816817
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Mon Jan 24 12:56:55 2011 +0100

    SPARC: Emulation of Leon3
    
    Leon3 is an open-source VHDL System-On-Chip, well known in space industry (more
    information on http://www.gaisler.com).
    
    Leon3 is made of multiple components available in the GrLib VHDL library.
    Three devices are implemented: uart, timers and IRQ manager.
    You can find code for these peripherals in the grlib_* files.
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.target b/Makefile.target
index cd2abde..b0ba95f 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -286,7 +286,10 @@ obj-sparc-y += cirrus_vga.o
 else
 obj-sparc-y = sun4m.o lance.o tcx.o sun4m_iommu.o slavio_intctl.o
 obj-sparc-y += slavio_timer.o slavio_misc.o sparc32_dma.o
-obj-sparc-y += cs4231.o eccmemctl.o sbi.o sun4c_intctl.o
+obj-sparc-y += cs4231.o eccmemctl.o sbi.o sun4c_intctl.o leon3.o
+
+# GRLIB
+obj-sparc-y += grlib_gptimer.o grlib_irqmp.o grlib_apbuart.o
 endif
 
 obj-arm-y = integratorcp.o versatilepb.o arm_pic.o arm_timer.o
diff --git a/hw/leon3.c b/hw/leon3.c
new file mode 100644
index 0000000..69d8f3b
--- /dev/null
+++ b/hw/leon3.c
@@ -0,0 +1,218 @@
+/*
+ * QEMU Leon3 System Emulator
+ *
+ * Copyright (c) 2010-2011 AdaCore
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#include "hw.h"
+#include "qemu-timer.h"
+#include "qemu-char.h"
+#include "sysemu.h"
+#include "boards.h"
+#include "loader.h"
+#include "elf.h"
+#include "trace.h"
+
+#include "grlib.h"
+
+/* Default system clock.  */
+#define CPU_CLK (40 * 1000 * 1000)
+
+#define PROM_FILENAME        "u-boot.bin"
+
+#define MAX_PILS 16
+
+typedef struct ResetData {
+    CPUState *env;
+    uint32_t  entry;            /* save kernel entry in case of reset */
+} ResetData;
+
+static void main_cpu_reset(void *opaque)
+{
+    ResetData *s   = (ResetData *)opaque;
+    CPUState  *env = s->env;
+
+    cpu_reset(env);
+
+    env->halted = 0;
+    env->pc     = s->entry;
+    env->npc    = s->entry + 4;
+}
+
+static void leon3_irq_ack(void *irq_manager, int intno)
+{
+    grlib_irqmp_ack((DeviceState *)irq_manager, intno);
+    leon3_cache_control_int();
+}
+
+static void leon3_set_pil_in(void *opaque, uint32_t pil_in)
+{
+    CPUState *env = (CPUState *)opaque;
+
+    assert(env != NULL);
+
+    env->pil_in = pil_in;
+
+    if (env->pil_in && (env->interrupt_index == 0 ||
+                        (env->interrupt_index & ~15) == TT_EXTINT)) {
+        unsigned int i;
+
+        for (i = 15; i > 0; i--) {
+            if (env->pil_in & (1 << i)) {
+                int old_interrupt = env->interrupt_index;
+
+                env->interrupt_index = TT_EXTINT | i;
+                if (old_interrupt != env->interrupt_index) {
+                    trace_leon3_set_irq(i);
+                    cpu_interrupt(env, CPU_INTERRUPT_HARD);
+                }
+                break;
+            }
+        }
+    } else if (!env->pil_in && (env->interrupt_index & ~15) == TT_EXTINT) {
+        trace_leon3_reset_irq(env->interrupt_index & 15);
+        env->interrupt_index = 0;
+        cpu_reset_interrupt(env, CPU_INTERRUPT_HARD);
+    }
+}
+
+static void leon3_generic_hw_init(ram_addr_t  ram_size,
+                                  const char *boot_device,
+                                  const char *kernel_filename,
+                                  const char *kernel_cmdline,
+                                  const char *initrd_filename,
+                                  const char *cpu_model)
+{
+    CPUState   *env;
+    ram_addr_t  ram_offset, prom_offset;
+    int         ret;
+    char       *filename;
+    qemu_irq   *cpu_irqs = NULL;
+    int         bios_size;
+    int         prom_size;
+    ResetData  *reset_info;
+
+    /* Init CPU */
+    if (!cpu_model) {
+        cpu_model = "LEON3";
+    }
+
+    env = cpu_init(cpu_model);
+    if (!env) {
+        fprintf(stderr, "qemu: Unable to find Sparc CPU definition\n");
+        exit(1);
+    }
+
+    cpu_sparc_set_id(env, 0);
+
+    /* Reset data */
+    reset_info        = qemu_mallocz(sizeof(ResetData));
+    reset_info->env   = env;
+    qemu_register_reset(main_cpu_reset, reset_info);
+
+    /* Allocate IRQ manager */
+    grlib_irqmp_create(0x80000200, env, &cpu_irqs, MAX_PILS, &leon3_set_pil_in);
+
+    env->qemu_irq_ack = leon3_irq_ack;
+
+    /* Allocate RAM */
+    if ((uint64_t)ram_size > (1UL << 30)) {
+        fprintf(stderr,
+                "qemu: Too much memory for this machine: %d, maximum 1G\n",
+                (unsigned int)(ram_size / (1024 * 1024)));
+        exit(1);
+    }
+
+    ram_offset = qemu_ram_alloc(NULL, "leon3.ram", ram_size);
+    cpu_register_physical_memory(0x40000000, ram_size, ram_offset | IO_MEM_RAM);
+
+    /* Allocate BIOS */
+    prom_size = 8 * 1024 * 1024; /* 8Mb */
+    prom_offset = qemu_ram_alloc(NULL, "Leon3.bios", prom_size);
+    cpu_register_physical_memory(0x00000000, prom_size,
+                                 prom_offset | IO_MEM_ROM);
+
+    /* Load boot prom */
+    if (bios_name == NULL) {
+        bios_name = PROM_FILENAME;
+    }
+    filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
+
+    bios_size = get_image_size(filename);
+
+    if (bios_size > prom_size) {
+        fprintf(stderr, "qemu: could not load prom '%s': file too big\n",
+                filename);
+        exit(1);
+    }
+
+    if (bios_size > 0) {
+        ret = load_image_targphys(filename, 0x00000000, bios_size);
+        if (ret < 0 || ret > prom_size) {
+            fprintf(stderr, "qemu: could not load prom '%s'\n", filename);
+            exit(1);
+        }
+    } else if (kernel_filename == NULL) {
+        fprintf(stderr, "Can't read bios image %s\n", filename);
+        exit(1);
+    }
+
+    /* Can directly load an application. */
+    if (kernel_filename != NULL) {
+        long     kernel_size;
+        uint64_t entry;
+
+        kernel_size = load_elf(kernel_filename, NULL, NULL, &entry, NULL, NULL,
+                               1 /* big endian */, ELF_MACHINE, 0);
+        if (kernel_size < 0) {
+            fprintf(stderr, "qemu: could not load kernel '%s'\n",
+                    kernel_filename);
+            exit(1);
+        }
+        if (bios_size <= 0) {
+            /* If there is no bios/monitor, start the application.  */
+            env->pc = entry;
+            env->npc = entry + 4;
+            reset_info->entry = entry;
+        }
+    }
+
+    /* Allocate timers */
+    grlib_gptimer_create(0x80000300, 2, CPU_CLK, cpu_irqs, 6);
+
+    /* Allocate uart */
+    if (serial_hds[0]) {
+        grlib_apbuart_create(0x80000100, serial_hds[0], cpu_irqs[3]);
+    }
+}
+
+QEMUMachine leon3_generic_machine = {
+    .name     = "leon3_generic",
+    .desc     = "Leon-3 generic",
+    .init     = leon3_generic_hw_init,
+    .use_scsi = 0,
+};
+
+static void leon3_machine_init(void)
+{
+    qemu_register_machine(&leon3_generic_machine);
+}
+
+machine_init(leon3_machine_init);
diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index 7225b2e..5c50d9e 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -252,20 +252,21 @@ typedef struct sparc_def_t {
     uint32_t maxtl;
 } sparc_def_t;
 
-#define CPU_FEATURE_FLOAT    (1 << 0)
-#define CPU_FEATURE_FLOAT128 (1 << 1)
-#define CPU_FEATURE_SWAP     (1 << 2)
-#define CPU_FEATURE_MUL      (1 << 3)
-#define CPU_FEATURE_DIV      (1 << 4)
-#define CPU_FEATURE_FLUSH    (1 << 5)
-#define CPU_FEATURE_FSQRT    (1 << 6)
-#define CPU_FEATURE_FMUL     (1 << 7)
-#define CPU_FEATURE_VIS1     (1 << 8)
-#define CPU_FEATURE_VIS2     (1 << 9)
-#define CPU_FEATURE_FSMULD   (1 << 10)
-#define CPU_FEATURE_HYPV     (1 << 11)
-#define CPU_FEATURE_CMT      (1 << 12)
-#define CPU_FEATURE_GL       (1 << 13)
+#define CPU_FEATURE_FLOAT        (1 << 0)
+#define CPU_FEATURE_FLOAT128     (1 << 1)
+#define CPU_FEATURE_SWAP         (1 << 2)
+#define CPU_FEATURE_MUL          (1 << 3)
+#define CPU_FEATURE_DIV          (1 << 4)
+#define CPU_FEATURE_FLUSH        (1 << 5)
+#define CPU_FEATURE_FSQRT        (1 << 6)
+#define CPU_FEATURE_FMUL         (1 << 7)
+#define CPU_FEATURE_VIS1         (1 << 8)
+#define CPU_FEATURE_VIS2         (1 << 9)
+#define CPU_FEATURE_FSMULD       (1 << 10)
+#define CPU_FEATURE_HYPV         (1 << 11)
+#define CPU_FEATURE_CMT          (1 << 12)
+#define CPU_FEATURE_GL           (1 << 13)
+#define CPU_FEATURE_TA0_SHUTDOWN (1 << 14) /* Shutdown on "ta 0x0" */
 #ifndef TARGET_SPARC64
 #define CPU_DEFAULT_FEATURES (CPU_FEATURE_FLOAT | CPU_FEATURE_SWAP |  \
                               CPU_FEATURE_MUL | CPU_FEATURE_DIV |     \
@@ -437,6 +438,12 @@ typedef struct CPUSPARCState {
 #define SOFTINT_REG_MASK (SOFTINT_STIMER|SOFTINT_INTRMASK|SOFTINT_TIMER)
 #endif
     sparc_def_t *def;
+
+    void *irq_manager;
+    void (*qemu_irq_ack) (void *irq_manager, int intno);
+
+    /* Leon3 cache control */
+    uint32_t cache_control;
 } CPUSPARCState;
 
 #ifndef NO_CPU_IO_DEFS
@@ -469,6 +476,8 @@ int cpu_cwp_inc(CPUState *env1, int cwp);
 int cpu_cwp_dec(CPUState *env1, int cwp);
 void cpu_set_cwp(CPUState *env1, int new_cwp);
 
+void leon3_cache_control_int(void);
+
 /* sun4m.c, sun4u.c */
 void cpu_check_irqs(CPUSPARCState *env);
 
diff --git a/target-sparc/helper.c b/target-sparc/helper.c
index 6b337ca..ec6ac27 100644
--- a/target-sparc/helper.c
+++ b/target-sparc/helper.c
@@ -770,6 +770,7 @@ void cpu_reset(CPUSPARCState *env)
     env->pc = 0;
     env->npc = env->pc + 4;
 #endif
+    env->cache_control = 0;
 }
 
 static int cpu_sparc_register(CPUSPARCState *env, const char *cpu_model)
@@ -1274,20 +1275,20 @@ static const sparc_def_t sparc_defs[] = {
         .mmu_sfsr_mask = 0xffffffff,
         .mmu_trcr_mask = 0xffffffff,
         .nwindows = 8,
-        .features = CPU_DEFAULT_FEATURES,
+        .features = CPU_DEFAULT_FEATURES | CPU_FEATURE_TA0_SHUTDOWN,
     },
     {
         .name = "LEON3",
         .iu_version = 0xf3000000,
         .fpu_version = 4 << 17, /* FPU version 4 (Meiko) */
         .mmu_version = 0xf3000000,
-        .mmu_bm = 0x00004000,
+        .mmu_bm = 0x00000000,
         .mmu_ctpr_mask = 0x007ffff0,
         .mmu_cxr_mask = 0x0000003f,
         .mmu_sfsr_mask = 0xffffffff,
         .mmu_trcr_mask = 0xffffffff,
         .nwindows = 8,
-        .features = CPU_DEFAULT_FEATURES,
+        .features = CPU_DEFAULT_FEATURES | CPU_FEATURE_TA0_SHUTDOWN,
     },
 #endif
 };
diff --git a/target-sparc/helper.h b/target-sparc/helper.h
index e6d82f9..12e8557 100644
--- a/target-sparc/helper.h
+++ b/target-sparc/helper.h
@@ -85,6 +85,7 @@ DEF_HELPER_0(fcmpeq_fcc2, void)
 DEF_HELPER_0(fcmpeq_fcc3, void)
 #endif
 DEF_HELPER_1(raise_exception, void, int)
+DEF_HELPER_0(shutdown, void)
 #define F_HELPER_0_0(name) DEF_HELPER_0(f ## name, void)
 #define F_HELPER_DQ_0_0(name)                   \
     F_HELPER_0_0(name ## d);                    \
diff --git a/target-sparc/op_helper.c b/target-sparc/op_helper.c
index b70970a..d3e1b63 100644
--- a/target-sparc/op_helper.c
+++ b/target-sparc/op_helper.c
@@ -1,6 +1,7 @@
 #include "exec.h"
 #include "host-utils.h"
 #include "helper.h"
+#include "sysemu.h"
 
 //#define DEBUG_MMU
 //#define DEBUG_MXCC
@@ -9,6 +10,7 @@
 //#define DEBUG_ASI
 //#define DEBUG_PCALL
 //#define DEBUG_PSTATE
+//#define DEBUG_CACHE_CONTROL
 
 #ifdef DEBUG_MMU
 #define DPRINTF_MMU(fmt, ...)                                   \
@@ -36,6 +38,13 @@
 #define DPRINTF_PSTATE(fmt, ...) do {} while (0)
 #endif
 
+#ifdef DEBUG_CACHE_CONTROL
+#define DPRINTF_CACHE_CONTROL(fmt, ...)                                   \
+    do { printf("CACHE_CONTROL: " fmt , ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF_CACHE_CONTROL(fmt, ...) do {} while (0)
+#endif
+
 #ifdef TARGET_SPARC64
 #ifndef TARGET_ABI32
 #define AM_CHECK(env1) ((env1)->pstate & PS_AM)
@@ -49,6 +58,27 @@
 #define QT0 (env->qt0)
 #define QT1 (env->qt1)
 
+/* Leon3 cache control */
+
+/* Cache control: emulate the behavior of cache control registers but without
+   any effect on the emulated */
+
+#define CACHE_STATE_MASK 0x3
+#define CACHE_DISABLED   0x0
+#define CACHE_FROZEN     0x1
+#define CACHE_ENABLED    0x3
+
+/* Cache Control register fields */
+
+#define CACHE_CTRL_IF (1 <<  4)  /* Instruction Cache Freeze on Interrupt */
+#define CACHE_CTRL_DF (1 <<  5)  /* Data Cache Freeze on Interrupt */
+#define CACHE_CTRL_DP (1 << 14)  /* Data cache flush pending */
+#define CACHE_CTRL_IP (1 << 15)  /* Instruction cache flush pending */
+#define CACHE_CTRL_IB (1 << 16)  /* Instruction burst fetch */
+#define CACHE_CTRL_FI (1 << 21)  /* Flush Instruction cache (Write only) */
+#define CACHE_CTRL_FD (1 << 22)  /* Flush Data cache (Write only) */
+#define CACHE_CTRL_DS (1 << 23)  /* Data cache snoop enable */
+
 #if defined(CONFIG_USER_ONLY) && defined(TARGET_SPARC64)
 static void do_unassigned_access(target_ulong addr, int is_write, int is_exec,
                           int is_asi, int size);
@@ -294,6 +324,13 @@ void HELPER(raise_exception)(int tt)
     raise_exception(tt);
 }
 
+void helper_shutdown(void)
+{
+#if !defined(CONFIG_USER_ONLY)
+    qemu_system_shutdown_request();
+#endif
+}
+
 void helper_check_align(target_ulong addr, uint32_t align)
 {
     if (addr & align) {
@@ -1612,6 +1649,103 @@ static void dump_asi(const char *txt, target_ulong addr, int asi, int size,
 
 #ifndef TARGET_SPARC64
 #ifndef CONFIG_USER_ONLY
+
+
+/* Leon3 cache control */
+
+void leon3_cache_control_int(void)
+{
+    uint32_t state = 0;
+
+    if (env->cache_control & CACHE_CTRL_IF) {
+        /* Instruction cache state */
+        state = env->cache_control & CACHE_STATE_MASK;
+        if (state == CACHE_ENABLED) {
+            state = CACHE_FROZEN;
+            DPRINTF_CACHE_CONTROL("Instruction cache: freeze\n");
+        }
+
+        env->cache_control &= ~CACHE_STATE_MASK;
+        env->cache_control |= state;
+    }
+
+    if (env->cache_control & CACHE_CTRL_DF) {
+        /* Data cache state */
+        state = (env->cache_control >> 2) & CACHE_STATE_MASK;
+        if (state == CACHE_ENABLED) {
+            state = CACHE_FROZEN;
+            DPRINTF_CACHE_CONTROL("Data cache: freeze\n");
+        }
+
+        env->cache_control &= ~(CACHE_STATE_MASK << 2);
+        env->cache_control |= (state << 2);
+    }
+}
+
+static void leon3_cache_control_st(target_ulong addr, uint64_t val, int size)
+{
+    DPRINTF_CACHE_CONTROL("st addr:%08x, val:%" PRIx64 ", size:%d\n",
+                          addr, val, size);
+
+    if (size != 4) {
+        DPRINTF_CACHE_CONTROL("32bits only\n");
+        return;
+    }
+
+    switch (addr) {
+    case 0x00:              /* Cache control */
+
+        /* These values must always be read as zeros */
+        val &= ~CACHE_CTRL_FD;
+        val &= ~CACHE_CTRL_FI;
+        val &= ~CACHE_CTRL_IB;
+        val &= ~CACHE_CTRL_IP;
+        val &= ~CACHE_CTRL_DP;
+
+        env->cache_control = val;
+        break;
+    case 0x04:              /* Instruction cache configuration */
+    case 0x08:              /* Data cache configuration */
+        /* Read Only */
+        break;
+    default:
+        DPRINTF_CACHE_CONTROL("write unknown register %08x\n", addr);
+        break;
+    };
+}
+
+static uint64_t leon3_cache_control_ld(target_ulong addr, int size)
+{
+    uint64_t ret = 0;
+
+    if (size != 4) {
+        DPRINTF_CACHE_CONTROL("32bits only\n");
+        return 0;
+    }
+
+    switch (addr) {
+    case 0x00:              /* Cache control */
+        ret = env->cache_control;
+        break;
+
+        /* Configuration registers are read and only always keep those
+           predefined values */
+
+    case 0x04:              /* Instruction cache configuration */
+        ret = 0x10220000;
+        break;
+    case 0x08:              /* Data cache configuration */
+        ret = 0x18220000;
+        break;
+    default:
+        DPRINTF_CACHE_CONTROL("read unknown register %08x\n", addr);
+        break;
+    };
+    DPRINTF_CACHE_CONTROL("st addr:%08x, ret:%" PRIx64 ", size:%d\n",
+                          addr, ret, size);
+    return ret;
+}
+
 uint64_t helper_ld_asi(target_ulong addr, int asi, int size, int sign)
 {
     uint64_t ret = 0;
@@ -1621,8 +1755,13 @@ uint64_t helper_ld_asi(target_ulong addr, int asi, int size, int sign)
 
     helper_check_align(addr, size - 1);
     switch (asi) {
-    case 2: /* SuperSparc MXCC registers */
+    case 2: /* SuperSparc MXCC registers and Leon3 cache control */
         switch (addr) {
+        case 0x00:          /* Leon3 Cache Control */
+        case 0x08:          /* Leon3 Instruction Cache config */
+        case 0x0C:          /* Leon3 Date Cache config */
+            ret = leon3_cache_control_ld(addr, size);
+            break;
         case 0x01c00a00: /* MXCC control register */
             if (size == 8)
                 ret = env->mxccregs[3];
@@ -1850,8 +1989,14 @@ void helper_st_asi(target_ulong addr, uint64_t val, int asi, int size)
 {
     helper_check_align(addr, size - 1);
     switch(asi) {
-    case 2: /* SuperSparc MXCC registers */
+    case 2: /* SuperSparc MXCC registers and Leon3 cache control */
         switch (addr) {
+        case 0x00:          /* Leon3 Cache Control */
+        case 0x08:          /* Leon3 Instruction Cache config */
+        case 0x0C:          /* Leon3 Date Cache config */
+            leon3_cache_control_st(addr, val, size);
+            break;
+
         case 0x01c00000: /* MXCC stream data register 0 */
             if (size == 8)
                 env->mxccdata[0] = val;
@@ -4177,6 +4322,13 @@ void do_interrupt(CPUState *env)
     env->pc = env->tbr;
     env->npc = env->pc + 4;
     env->exception_index = -1;
+
+#if !defined(CONFIG_USER_ONLY)
+    /* IRQ acknowledgment */
+    if ((intno & ~15) == TT_EXTINT && env->qemu_irq_ack != NULL) {
+        env->qemu_irq_ack(env->irq_manager, intno);
+    }
+#endif
 }
 #endif
 
diff --git a/target-sparc/translate.c b/target-sparc/translate.c
index 21c5675..dff0f19 100644
--- a/target-sparc/translate.c
+++ b/target-sparc/translate.c
@@ -1997,8 +1997,9 @@ static void disas_sparc_insn(DisasContext * dc)
                     } else
                         tcg_gen_mov_tl(cpu_dst, cpu_src1);
                 }
+
                 cond = GET_FIELD(insn, 3, 6);
-                if (cond == 0x8) {
+                if (cond == 0x8) { /* Trap Always */
                     save_state(dc, cpu_cond);
                     if ((dc->def->features & CPU_FEATURE_HYPV) &&
                         supervisor(dc))
@@ -2007,7 +2008,15 @@ static void disas_sparc_insn(DisasContext * dc)
                         tcg_gen_andi_tl(cpu_dst, cpu_dst, V8_TRAP_MASK);
                     tcg_gen_addi_tl(cpu_dst, cpu_dst, TT_TRAP);
                     tcg_gen_trunc_tl_i32(cpu_tmp32, cpu_dst);
-                    gen_helper_raise_exception(cpu_tmp32);
+
+                    if (rs2 == 0 &&
+                        dc->def->features & CPU_FEATURE_TA0_SHUTDOWN) {
+
+                        gen_helper_shutdown();
+
+                    } else {
+                        gen_helper_raise_exception(cpu_tmp32);
+                    }
                 } else if (cond != 0) {
                     TCGv r_cond = tcg_temp_new();
                     int l1;
diff --git a/trace-events b/trace-events
index 8e8573e..c75a7a9 100644
--- a/trace-events
+++ b/trace-events
@@ -244,3 +244,7 @@ disable grlib_irqmp_unknown_register(const char *op, uint64_t val) "%s unknown r
 # hw/grlib_apbuart.c
 disable grlib_apbuart_event(int event) "event:%d"
 disable grlib_apbuart_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
+
+# hw/leon3.c
+disable leon3_set_irq(int intno) "Set CPU IRQ %d"
+disable leon3_reset_irq(int intno) "Reset CPU IRQ %d"
commit 8b1e1320748f0aca2319ee272f106ca41a7580a2
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Mon Jan 24 12:56:54 2011 +0100

    SPARC: Emulation of GRLIB APB UART
    
    This device exposes one parameter:
     - chardev (ptr) : Pointer to a qemu character device
    
    Emulation of GrLib devices is base on the GRLIB IP Core User's Manual:
    http://www.gaisler.com/products/grlib/grip.pdf
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/grlib.h b/hw/grlib.h
index f92d6d3..fdf4b11 100644
--- a/hw/grlib.h
+++ b/hw/grlib.h
@@ -100,4 +100,27 @@ DeviceState *grlib_gptimer_create(target_phys_addr_t  base,
     return dev;
 }
 
+/* APB UART */
+
+static inline
+DeviceState *grlib_apbuart_create(target_phys_addr_t  base,
+                                  CharDriverState    *serial,
+                                  qemu_irq            irq)
+{
+    DeviceState *dev;
+
+    dev = qdev_create(NULL, "grlib,apbuart");
+    qdev_prop_set_chr(dev, "chrdev", serial);
+
+    if (qdev_init(dev)) {
+        return NULL;
+    }
+
+    sysbus_mmio_map(sysbus_from_qdev(dev), 0, base);
+
+    sysbus_connect_irq(sysbus_from_qdev(dev), 0, irq);
+
+    return dev;
+}
+
 #endif /* ! _GRLIB_H_ */
diff --git a/hw/grlib_apbuart.c b/hw/grlib_apbuart.c
new file mode 100644
index 0000000..101b150
--- /dev/null
+++ b/hw/grlib_apbuart.c
@@ -0,0 +1,187 @@
+/*
+ * QEMU GRLIB APB UART Emulator
+ *
+ * Copyright (c) 2010-2011 AdaCore
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "sysbus.h"
+#include "qemu-char.h"
+
+#include "trace.h"
+
+#define UART_REG_SIZE 20     /* Size of memory mapped registers */
+
+/* UART status register fields */
+#define UART_DATA_READY           (1 <<  0)
+#define UART_TRANSMIT_SHIFT_EMPTY (1 <<  1)
+#define UART_TRANSMIT_FIFO_EMPTY  (1 <<  2)
+#define UART_BREAK_RECEIVED       (1 <<  3)
+#define UART_OVERRUN              (1 <<  4)
+#define UART_PARITY_ERROR         (1 <<  5)
+#define UART_FRAMING_ERROR        (1 <<  6)
+#define UART_TRANSMIT_FIFO_HALF   (1 <<  7)
+#define UART_RECEIVE_FIFO_HALF    (1 <<  8)
+#define UART_TRANSMIT_FIFO_FULL   (1 <<  9)
+#define UART_RECEIVE_FIFO_FULL    (1 << 10)
+
+/* UART control register fields */
+#define UART_RECEIVE_ENABLE          (1 <<  0)
+#define UART_TRANSMIT_ENABLE         (1 <<  1)
+#define UART_RECEIVE_INTERRUPT       (1 <<  2)
+#define UART_TRANSMIT_INTERRUPT      (1 <<  3)
+#define UART_PARITY_SELECT           (1 <<  4)
+#define UART_PARITY_ENABLE           (1 <<  5)
+#define UART_FLOW_CONTROL            (1 <<  6)
+#define UART_LOOPBACK                (1 <<  7)
+#define UART_EXTERNAL_CLOCK          (1 <<  8)
+#define UART_RECEIVE_FIFO_INTERRUPT  (1 <<  9)
+#define UART_TRANSMIT_FIFO_INTERRUPT (1 << 10)
+#define UART_FIFO_DEBUG_MODE         (1 << 11)
+#define UART_OUTPUT_ENABLE           (1 << 12)
+#define UART_FIFO_AVAILABLE          (1 << 31)
+
+/* Memory mapped register offsets */
+#define DATA_OFFSET       0x00
+#define STATUS_OFFSET     0x04
+#define CONTROL_OFFSET    0x08
+#define SCALER_OFFSET     0x0C  /* not supported */
+#define FIFO_DEBUG_OFFSET 0x10  /* not supported */
+
+typedef struct UART {
+    SysBusDevice busdev;
+
+    qemu_irq irq;
+
+    CharDriverState *chr;
+
+    /* registers */
+    uint32_t receive;
+    uint32_t status;
+    uint32_t control;
+} UART;
+
+static int grlib_apbuart_can_receive(void *opaque)
+{
+    UART *uart = opaque;
+
+    return !!(uart->status & UART_DATA_READY);
+}
+
+static void grlib_apbuart_receive(void *opaque, const uint8_t *buf, int size)
+{
+    UART *uart = opaque;
+
+    uart->receive  = *buf;
+    uart->status  |= UART_DATA_READY;
+
+    if (uart->control & UART_RECEIVE_INTERRUPT) {
+        qemu_irq_pulse(uart->irq);
+    }
+}
+
+static void grlib_apbuart_event(void *opaque, int event)
+{
+    trace_grlib_apbuart_event(event);
+}
+
+static void
+grlib_apbuart_writel(void *opaque, target_phys_addr_t addr, uint32_t value)
+{
+    UART          *uart = opaque;
+    unsigned char  c    = 0;
+
+    addr &= 0xff;
+
+    /* Unit registers */
+    switch (addr) {
+    case DATA_OFFSET:
+        c = value & 0xFF;
+        qemu_chr_write(uart->chr, &c, 1);
+        return;
+
+    case STATUS_OFFSET:
+        /* Read Only */
+        return;
+
+    case CONTROL_OFFSET:
+        /* Not supported */
+        return;
+
+    case SCALER_OFFSET:
+        /* Not supported */
+        return;
+
+    default:
+        break;
+    }
+
+    trace_grlib_apbuart_unknown_register("write", addr);
+}
+
+static CPUReadMemoryFunc * const grlib_apbuart_read[] = {
+    NULL, NULL, NULL,
+};
+
+static CPUWriteMemoryFunc * const grlib_apbuart_write[] = {
+    NULL, NULL, grlib_apbuart_writel,
+};
+
+static int grlib_apbuart_init(SysBusDevice *dev)
+{
+    UART *uart      = FROM_SYSBUS(typeof(*uart), dev);
+    int   uart_regs = 0;
+
+    qemu_chr_add_handlers(uart->chr,
+                          grlib_apbuart_can_receive,
+                          grlib_apbuart_receive,
+                          grlib_apbuart_event,
+                          uart);
+
+    sysbus_init_irq(dev, &uart->irq);
+
+    uart_regs = cpu_register_io_memory(grlib_apbuart_read,
+                                       grlib_apbuart_write,
+                                       uart, DEVICE_NATIVE_ENDIAN);
+    if (uart_regs < 0) {
+        return -1;
+    }
+
+    sysbus_init_mmio(dev, UART_REG_SIZE, uart_regs);
+
+    return 0;
+}
+
+static SysBusDeviceInfo grlib_gptimer_info = {
+    .init       = grlib_apbuart_init,
+    .qdev.name  = "grlib,apbuart",
+    .qdev.size  = sizeof(UART),
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_CHR("chrdev", UART, chr),
+        DEFINE_PROP_END_OF_LIST()
+    }
+};
+
+static void grlib_gptimer_register(void)
+{
+    sysbus_register_withprop(&grlib_gptimer_info);
+}
+
+device_init(grlib_gptimer_register)
diff --git a/trace-events b/trace-events
index 832b561..8e8573e 100644
--- a/trace-events
+++ b/trace-events
@@ -240,3 +240,7 @@ disable grlib_irqmp_check_irqs(uint32_t pend, uint32_t force, uint32_t mask, uin
 disable grlib_irqmp_ack(int intno) "interrupt:%d"
 disable grlib_irqmp_set_irq(int irq) "Raise CPU IRQ %d"
 disable grlib_irqmp_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
+
+# hw/grlib_apbuart.c
+disable grlib_apbuart_event(int event) "event:%d"
+disable grlib_apbuart_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
commit 3f10bcbb647372f888a9e34f428eb6f0225c38ca
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Mon Jan 24 12:56:53 2011 +0100

    SPARC: Emulation of GRLIB IRQMP
    
    This device exposes two parameters:
     - set_pil_in        (ptr) : A function to set the pil_in of the SPARC CPU
     - set_pil_in_opaque (ptr) : Opaque argument of the set_pil_in function
    
    Emulation of GrLib devices is base on the GRLIB IP Core User's Manual:
    http://www.gaisler.com/products/grlib/grip.pdf
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/grlib.h b/hw/grlib.h
index 776acf9..f92d6d3 100644
--- a/hw/grlib.h
+++ b/hw/grlib.h
@@ -32,6 +32,44 @@
  * http://www.gaisler.com/products/grlib/grip.pdf
  */
 
+/* IRQMP */
+
+typedef void (*set_pil_in_fn) (void *opaque, uint32_t pil_in);
+
+void grlib_irqmp_set_irq(void *opaque, int irq, int level);
+
+void grlib_irqmp_ack(DeviceState *dev, int intno);
+
+static inline
+DeviceState *grlib_irqmp_create(target_phys_addr_t   base,
+                                CPUState            *env,
+                                qemu_irq           **cpu_irqs,
+                                uint32_t             nr_irqs,
+                                set_pil_in_fn        set_pil_in)
+{
+    DeviceState *dev;
+
+    assert(cpu_irqs != NULL);
+
+    dev = qdev_create(NULL, "grlib,irqmp");
+    qdev_prop_set_ptr(dev, "set_pil_in", set_pil_in);
+    qdev_prop_set_ptr(dev, "set_pil_in_opaque", env);
+
+    if (qdev_init(dev)) {
+        return NULL;
+    }
+
+    env->irq_manager = dev;
+
+    sysbus_mmio_map(sysbus_from_qdev(dev), 0, base);
+
+    *cpu_irqs = qemu_allocate_irqs(grlib_irqmp_set_irq,
+                                   dev,
+                                   nr_irqs);
+
+    return dev;
+}
+
 /* GPTimer */
 
 static inline
diff --git a/hw/grlib_irqmp.c b/hw/grlib_irqmp.c
new file mode 100644
index 0000000..f47c491
--- /dev/null
+++ b/hw/grlib_irqmp.c
@@ -0,0 +1,376 @@
+/*
+ * QEMU GRLIB IRQMP Emulator
+ *
+ * (Multiprocessor and extended interrupt not supported)
+ *
+ * Copyright (c) 2010-2011 AdaCore
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "sysbus.h"
+#include "cpu.h"
+
+#include "grlib.h"
+
+#include "trace.h"
+
+#define IRQMP_MAX_CPU 16
+#define IRQMP_REG_SIZE 256      /* Size of memory mapped registers */
+
+/* Memory mapped register offsets */
+#define LEVEL_OFFSET     0x00
+#define PENDING_OFFSET   0x04
+#define FORCE0_OFFSET    0x08
+#define CLEAR_OFFSET     0x0C
+#define MP_STATUS_OFFSET 0x10
+#define BROADCAST_OFFSET 0x14
+#define MASK_OFFSET      0x40
+#define FORCE_OFFSET     0x80
+#define EXTENDED_OFFSET  0xC0
+
+typedef struct IRQMPState IRQMPState;
+
+typedef struct IRQMP {
+    SysBusDevice busdev;
+
+    void *set_pil_in;
+    void *set_pil_in_opaque;
+
+    IRQMPState *state;
+} IRQMP;
+
+struct IRQMPState {
+    uint32_t level;
+    uint32_t pending;
+    uint32_t clear;
+    uint32_t broadcast;
+
+    uint32_t mask[IRQMP_MAX_CPU];
+    uint32_t force[IRQMP_MAX_CPU];
+    uint32_t extended[IRQMP_MAX_CPU];
+
+    IRQMP    *parent;
+};
+
+static void grlib_irqmp_check_irqs(IRQMPState *state)
+{
+    uint32_t      pend   = 0;
+    uint32_t      level0 = 0;
+    uint32_t      level1 = 0;
+    set_pil_in_fn set_pil_in;
+
+    assert(state != NULL);
+    assert(state->parent != NULL);
+
+    /* IRQ for CPU 0 (no SMP support) */
+    pend = (state->pending | state->force[0])
+        & state->mask[0];
+
+    level0 = pend & ~state->level;
+    level1 = pend &  state->level;
+
+    trace_grlib_irqmp_check_irqs(state->pending, state->force[0],
+                                 state->mask[0], level1, level0);
+
+    set_pil_in = (set_pil_in_fn)state->parent->set_pil_in;
+
+    /* Trigger level1 interrupt first and level0 if there is no level1 */
+    if (level1 != 0) {
+        set_pil_in(state->parent->set_pil_in_opaque, level1);
+    } else {
+        set_pil_in(state->parent->set_pil_in_opaque, level0);
+    }
+}
+
+void grlib_irqmp_ack(DeviceState *dev, int intno)
+{
+    SysBusDevice *sdev;
+    IRQMP        *irqmp;
+    IRQMPState   *state;
+    uint32_t      mask;
+
+    assert(dev != NULL);
+
+    sdev = sysbus_from_qdev(dev);
+    assert(sdev != NULL);
+
+    irqmp = FROM_SYSBUS(typeof(*irqmp), sdev);
+    assert(irqmp != NULL);
+
+    state = irqmp->state;
+    assert(state != NULL);
+
+    intno &= 15;
+    mask = 1 << intno;
+
+    trace_grlib_irqmp_ack(intno);
+
+    /* Clear registers */
+    state->pending  &= ~mask;
+    state->force[0] &= ~mask; /* Only CPU 0 (No SMP support) */
+
+    grlib_irqmp_check_irqs(state);
+}
+
+void grlib_irqmp_set_irq(void *opaque, int irq, int level)
+{
+    IRQMP      *irqmp;
+    IRQMPState *s;
+    int         i = 0;
+
+    assert(opaque != NULL);
+
+    irqmp = FROM_SYSBUS(typeof(*irqmp), sysbus_from_qdev(opaque));
+    assert(irqmp != NULL);
+
+    s = irqmp->state;
+    assert(s         != NULL);
+    assert(s->parent != NULL);
+
+
+    if (level) {
+        trace_grlib_irqmp_set_irq(irq);
+
+        if (s->broadcast & 1 << irq) {
+            /* Broadcasted IRQ */
+            for (i = 0; i < IRQMP_MAX_CPU; i++) {
+                s->force[i] |= 1 << irq;
+            }
+        } else {
+            s->pending |= 1 << irq;
+        }
+        grlib_irqmp_check_irqs(s);
+
+    }
+}
+
+static uint32_t grlib_irqmp_readl(void *opaque, target_phys_addr_t addr)
+{
+    IRQMP      *irqmp = opaque;
+    IRQMPState *state;
+
+    assert(irqmp != NULL);
+    state = irqmp->state;
+    assert(state != NULL);
+
+    addr &= 0xff;
+
+    /* global registers */
+    switch (addr) {
+    case LEVEL_OFFSET:
+        return state->level;
+
+    case PENDING_OFFSET:
+        return state->pending;
+
+    case FORCE0_OFFSET:
+        /* This register is an "alias" for the force register of CPU 0 */
+        return state->force[0];
+
+    case CLEAR_OFFSET:
+    case MP_STATUS_OFFSET:
+        /* Always read as 0 */
+        return 0;
+
+    case BROADCAST_OFFSET:
+        return state->broadcast;
+
+    default:
+        break;
+    }
+
+    /* mask registers */
+    if (addr >= MASK_OFFSET && addr < FORCE_OFFSET) {
+        int cpu = (addr - MASK_OFFSET) / 4;
+        assert(cpu >= 0 && cpu < IRQMP_MAX_CPU);
+
+        return state->mask[cpu];
+    }
+
+    /* force registers */
+    if (addr >= FORCE_OFFSET && addr < EXTENDED_OFFSET) {
+        int cpu = (addr - FORCE_OFFSET) / 4;
+        assert(cpu >= 0 && cpu < IRQMP_MAX_CPU);
+
+        return state->force[cpu];
+    }
+
+    /* extended (not supported) */
+    if (addr >= EXTENDED_OFFSET && addr < IRQMP_REG_SIZE) {
+        int cpu = (addr - EXTENDED_OFFSET) / 4;
+        assert(cpu >= 0 && cpu < IRQMP_MAX_CPU);
+
+        return state->extended[cpu];
+    }
+
+    trace_grlib_irqmp_unknown_register("read", addr);
+    return 0;
+}
+
+static void
+grlib_irqmp_writel(void *opaque, target_phys_addr_t addr, uint32_t value)
+{
+    IRQMP      *irqmp = opaque;
+    IRQMPState *state;
+
+    assert(irqmp != NULL);
+    state = irqmp->state;
+    assert(state != NULL);
+
+    addr &= 0xff;
+
+    /* global registers */
+    switch (addr) {
+    case LEVEL_OFFSET:
+        value &= 0xFFFF << 1; /* clean up the value */
+        state->level = value;
+        return;
+
+    case PENDING_OFFSET:
+        /* Read Only */
+        return;
+
+    case FORCE0_OFFSET:
+        /* This register is an "alias" for the force register of CPU 0 */
+
+        value &= 0xFFFE; /* clean up the value */
+        state->force[0] = value;
+        grlib_irqmp_check_irqs(irqmp->state);
+        return;
+
+    case CLEAR_OFFSET:
+        value &= ~1; /* clean up the value */
+        state->pending &= ~value;
+        return;
+
+    case MP_STATUS_OFFSET:
+        /* Read Only (no SMP support) */
+        return;
+
+    case BROADCAST_OFFSET:
+        value &= 0xFFFE; /* clean up the value */
+        state->broadcast = value;
+        return;
+
+    default:
+        break;
+    }
+
+    /* mask registers */
+    if (addr >= MASK_OFFSET && addr < FORCE_OFFSET) {
+        int cpu = (addr - MASK_OFFSET) / 4;
+        assert(cpu >= 0 && cpu < IRQMP_MAX_CPU);
+
+        value &= ~1; /* clean up the value */
+        state->mask[cpu] = value;
+        grlib_irqmp_check_irqs(irqmp->state);
+        return;
+    }
+
+    /* force registers */
+    if (addr >= FORCE_OFFSET && addr < EXTENDED_OFFSET) {
+        int cpu = (addr - FORCE_OFFSET) / 4;
+        assert(cpu >= 0 && cpu < IRQMP_MAX_CPU);
+
+        uint32_t force = value & 0xFFFE;
+        uint32_t clear = (value >> 16) & 0xFFFE;
+        uint32_t old   = state->force[cpu];
+
+        state->force[cpu] = (old | force) & ~clear;
+        grlib_irqmp_check_irqs(irqmp->state);
+        return;
+    }
+
+    /* extended (not supported) */
+    if (addr >= EXTENDED_OFFSET && addr < IRQMP_REG_SIZE) {
+        int cpu = (addr - EXTENDED_OFFSET) / 4;
+        assert(cpu >= 0 && cpu < IRQMP_MAX_CPU);
+
+        value &= 0xF; /* clean up the value */
+        state->extended[cpu] = value;
+        return;
+    }
+
+    trace_grlib_irqmp_unknown_register("write", addr);
+}
+
+static CPUReadMemoryFunc * const grlib_irqmp_read[] = {
+    NULL, NULL, &grlib_irqmp_readl,
+};
+
+static CPUWriteMemoryFunc * const grlib_irqmp_write[] = {
+    NULL, NULL, &grlib_irqmp_writel,
+};
+
+static void grlib_irqmp_reset(DeviceState *d)
+{
+    IRQMP *irqmp = container_of(d, IRQMP, busdev.qdev);
+    assert(irqmp        != NULL);
+    assert(irqmp->state != NULL);
+
+    memset(irqmp->state, 0, sizeof *irqmp->state);
+    irqmp->state->parent = irqmp;
+}
+
+static int grlib_irqmp_init(SysBusDevice *dev)
+{
+    IRQMP *irqmp = FROM_SYSBUS(typeof(*irqmp), dev);
+    int    irqmp_regs;
+
+    assert(irqmp != NULL);
+
+    /* Check parameters */
+    if (irqmp->set_pil_in == NULL) {
+        return -1;
+    }
+
+    irqmp_regs = cpu_register_io_memory(grlib_irqmp_read,
+                                        grlib_irqmp_write,
+                                        irqmp, DEVICE_NATIVE_ENDIAN);
+
+    irqmp->state = qemu_mallocz(sizeof *irqmp->state);
+
+    if (irqmp_regs < 0) {
+        return -1;
+    }
+
+    sysbus_init_mmio(dev, IRQMP_REG_SIZE, irqmp_regs);
+
+    return 0;
+}
+
+static SysBusDeviceInfo grlib_irqmp_info = {
+    .init = grlib_irqmp_init,
+    .qdev.name  = "grlib,irqmp",
+    .qdev.reset = grlib_irqmp_reset,
+    .qdev.size  = sizeof(IRQMP),
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_PTR("set_pil_in", IRQMP, set_pil_in),
+        DEFINE_PROP_PTR("set_pil_in_opaque", IRQMP, set_pil_in_opaque),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void grlib_irqmp_register(void)
+{
+    sysbus_register_withprop(&grlib_irqmp_info);
+}
+
+device_init(grlib_irqmp_register)
diff --git a/trace-events b/trace-events
index 3761fd1..832b561 100644
--- a/trace-events
+++ b/trace-events
@@ -234,3 +234,9 @@ disable grlib_gptimer_hit(int id) "timer:%d HIT"
 disable grlib_gptimer_readl(int id, const char *s, uint32_t val) "timer:%d %s 0x%x"
 disable grlib_gptimer_writel(int id, const char *s, uint32_t val) "timer:%d %s 0x%x"
 disable grlib_gptimer_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
+
+# hw/grlib_irqmp.c
+disable grlib_irqmp_check_irqs(uint32_t pend, uint32_t force, uint32_t mask, uint32_t lvl1, uint32_t lvl2) "pend:0x%04x force:0x%04x mask:0x%04x lvl1:0x%04x lvl0:0x%04x\n"
+disable grlib_irqmp_ack(int intno) "interrupt:%d"
+disable grlib_irqmp_set_irq(int irq) "Raise CPU IRQ %d"
+disable grlib_irqmp_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
commit 0f3a4a01ebafe93055069418c9d65cc7b1493b41
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Mon Jan 24 12:56:52 2011 +0100

    SPARC: Emulation of GRLIB GPTimer
    
    This device exposes three parameters:
     - frequency (uint32) : The system frequency
     - irq-line  (uint32) : IRQ line number for the first timer
                            (others use irq-line + 1, irq-line + 2...)
     - nr-timers (uint32) : Number of timers
    
    Emulation of GrLib devices is base on the GRLIB IP Core User's Manual:
    http://www.gaisler.com/products/grlib/grip.pdf
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/grlib.h b/hw/grlib.h
new file mode 100644
index 0000000..776acf9
--- /dev/null
+++ b/hw/grlib.h
@@ -0,0 +1,65 @@
+/*
+ * QEMU GRLIB Components
+ *
+ * Copyright (c) 2010-2011 AdaCore
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef _GRLIB_H_
+#define _GRLIB_H_
+
+#include "qdev.h"
+#include "sysbus.h"
+
+/* Emulation of GrLib device is base on the GRLIB IP Core User's Manual:
+ * http://www.gaisler.com/products/grlib/grip.pdf
+ */
+
+/* GPTimer */
+
+static inline
+DeviceState *grlib_gptimer_create(target_phys_addr_t  base,
+                                  uint32_t            nr_timers,
+                                  uint32_t            freq,
+                                  qemu_irq           *cpu_irqs,
+                                  int                 base_irq)
+{
+    DeviceState *dev;
+    int i;
+
+    dev = qdev_create(NULL, "grlib,gptimer");
+    qdev_prop_set_uint32(dev, "nr-timers", nr_timers);
+    qdev_prop_set_uint32(dev, "frequency", freq);
+    qdev_prop_set_uint32(dev, "irq-line", base_irq);
+
+    if (qdev_init(dev)) {
+        return NULL;
+    }
+
+    sysbus_mmio_map(sysbus_from_qdev(dev), 0, base);
+
+    for (i = 0; i < nr_timers; i++) {
+        sysbus_connect_irq(sysbus_from_qdev(dev), i, cpu_irqs[base_irq + i]);
+    }
+
+    return dev;
+}
+
+#endif /* ! _GRLIB_H_ */
diff --git a/hw/grlib_gptimer.c b/hw/grlib_gptimer.c
new file mode 100644
index 0000000..596a900
--- /dev/null
+++ b/hw/grlib_gptimer.c
@@ -0,0 +1,395 @@
+/*
+ * QEMU GRLIB GPTimer Emulator
+ *
+ * Copyright (c) 2010-2011 AdaCore
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "sysbus.h"
+#include "qemu-timer.h"
+
+#include "trace.h"
+
+#define UNIT_REG_SIZE    16     /* Size of memory mapped regs for the unit */
+#define GPTIMER_REG_SIZE 16     /* Size of memory mapped regs for a GPTimer */
+
+#define GPTIMER_MAX_TIMERS 8
+
+/* GPTimer Config register fields */
+#define GPTIMER_ENABLE      (1 << 0)
+#define GPTIMER_RESTART     (1 << 1)
+#define GPTIMER_LOAD        (1 << 2)
+#define GPTIMER_INT_ENABLE  (1 << 3)
+#define GPTIMER_INT_PENDING (1 << 4)
+#define GPTIMER_CHAIN       (1 << 5) /* Not supported */
+#define GPTIMER_DEBUG_HALT  (1 << 6) /* Not supported */
+
+/* Memory mapped register offsets */
+#define SCALER_OFFSET         0x00
+#define SCALER_RELOAD_OFFSET  0x04
+#define CONFIG_OFFSET         0x08
+#define COUNTER_OFFSET        0x00
+#define COUNTER_RELOAD_OFFSET 0x04
+#define TIMER_BASE            0x10
+
+typedef struct GPTimer     GPTimer;
+typedef struct GPTimerUnit GPTimerUnit;
+
+struct GPTimer {
+    QEMUBH *bh;
+    struct ptimer_state *ptimer;
+
+    qemu_irq     irq;
+    int          id;
+    GPTimerUnit *unit;
+
+    /* registers */
+    uint32_t counter;
+    uint32_t reload;
+    uint32_t config;
+};
+
+struct GPTimerUnit {
+    SysBusDevice  busdev;
+
+    uint32_t nr_timers;         /* Number of timers available */
+    uint32_t freq_hz;           /* System frequency */
+    uint32_t irq_line;          /* Base irq line */
+
+    GPTimer *timers;
+
+    /* registers */
+    uint32_t scaler;
+    uint32_t reload;
+    uint32_t config;
+};
+
+static void grlib_gptimer_enable(GPTimer *timer)
+{
+    assert(timer != NULL);
+
+
+    ptimer_stop(timer->ptimer);
+
+    if (!(timer->config & GPTIMER_ENABLE)) {
+        /* Timer disabled */
+        trace_grlib_gptimer_disabled(timer->id, timer->config);
+        return;
+    }
+
+    /* ptimer is triggered when the counter reach 0 but GPTimer is triggered at
+       underflow. Set count + 1 to simulate the GPTimer behavior. */
+
+    trace_grlib_gptimer_enable(timer->id, timer->counter + 1);
+
+    ptimer_set_count(timer->ptimer, timer->counter + 1);
+    ptimer_run(timer->ptimer, 1);
+}
+
+static void grlib_gptimer_restart(GPTimer *timer)
+{
+    assert(timer != NULL);
+
+    trace_grlib_gptimer_restart(timer->id, timer->reload);
+
+    timer->counter = timer->reload;
+    grlib_gptimer_enable(timer);
+}
+
+static void grlib_gptimer_set_scaler(GPTimerUnit *unit, uint32_t scaler)
+{
+    int i = 0;
+    uint32_t value = 0;
+
+    assert(unit != NULL);
+
+    if (scaler > 0) {
+        value = unit->freq_hz / (scaler + 1);
+    } else {
+        value = unit->freq_hz;
+    }
+
+    trace_grlib_gptimer_set_scaler(scaler, value);
+
+    for (i = 0; i < unit->nr_timers; i++) {
+        ptimer_set_freq(unit->timers[i].ptimer, value);
+    }
+}
+
+static void grlib_gptimer_hit(void *opaque)
+{
+    GPTimer *timer = opaque;
+    assert(timer != NULL);
+
+    trace_grlib_gptimer_hit(timer->id);
+
+    /* Timer expired */
+
+    if (timer->config & GPTIMER_INT_ENABLE) {
+        /* Set the pending bit (only unset by write in the config register) */
+        timer->config |= GPTIMER_INT_PENDING;
+        qemu_irq_pulse(timer->irq);
+    }
+
+    if (timer->config & GPTIMER_RESTART) {
+        grlib_gptimer_restart(timer);
+    }
+}
+
+static uint32_t grlib_gptimer_readl(void *opaque, target_phys_addr_t addr)
+{
+    GPTimerUnit        *unit  = opaque;
+    target_phys_addr_t  timer_addr;
+    int                 id;
+    uint32_t            value = 0;
+
+    addr &= 0xff;
+
+    /* Unit registers */
+    switch (addr) {
+    case SCALER_OFFSET:
+        trace_grlib_gptimer_readl(-1, "scaler:", unit->scaler);
+        return unit->scaler;
+
+    case SCALER_RELOAD_OFFSET:
+        trace_grlib_gptimer_readl(-1, "reload:", unit->reload);
+        return unit->reload;
+
+    case CONFIG_OFFSET:
+        trace_grlib_gptimer_readl(-1, "config:", unit->config);
+        return unit->config;
+
+    default:
+        break;
+    }
+
+    timer_addr = (addr % TIMER_BASE);
+    id         = (addr - TIMER_BASE) / TIMER_BASE;
+
+    if (id >= 0 && id < unit->nr_timers) {
+
+        /* GPTimer registers */
+        switch (timer_addr) {
+        case COUNTER_OFFSET:
+            value = ptimer_get_count(unit->timers[id].ptimer);
+            trace_grlib_gptimer_readl(id, "counter value:", value);
+            return value;
+
+        case COUNTER_RELOAD_OFFSET:
+            value = unit->timers[id].reload;
+            trace_grlib_gptimer_readl(id, "reload value:", value);
+            return value;
+
+        case CONFIG_OFFSET:
+            trace_grlib_gptimer_readl(id, "scaler value:",
+                                      unit->timers[id].config);
+            return unit->timers[id].config;
+
+        default:
+            break;
+        }
+
+    }
+
+    trace_grlib_gptimer_unknown_register("read", addr);
+    return 0;
+}
+
+static void
+grlib_gptimer_writel(void *opaque, target_phys_addr_t addr, uint32_t value)
+{
+    GPTimerUnit        *unit = opaque;
+    target_phys_addr_t  timer_addr;
+    int                 id;
+
+    addr &= 0xff;
+
+    /* Unit registers */
+    switch (addr) {
+    case SCALER_OFFSET:
+        value &= 0xFFFF; /* clean up the value */
+        unit->scaler = value;
+        trace_grlib_gptimer_writel(-1, "scaler:", unit->scaler);
+        return;
+
+    case SCALER_RELOAD_OFFSET:
+        value &= 0xFFFF; /* clean up the value */
+        unit->reload = value;
+        trace_grlib_gptimer_writel(-1, "reload:", unit->reload);
+        grlib_gptimer_set_scaler(unit, value);
+        return;
+
+    case CONFIG_OFFSET:
+        /* Read Only (disable timer freeze not supported) */
+        trace_grlib_gptimer_writel(-1, "config (Read Only):", 0);
+        return;
+
+    default:
+        break;
+    }
+
+    timer_addr = (addr % TIMER_BASE);
+    id         = (addr - TIMER_BASE) / TIMER_BASE;
+
+    if (id >= 0 && id < unit->nr_timers) {
+
+        /* GPTimer registers */
+        switch (timer_addr) {
+        case COUNTER_OFFSET:
+            trace_grlib_gptimer_writel(id, "counter:", value);
+            unit->timers[id].counter = value;
+            grlib_gptimer_enable(&unit->timers[id]);
+            return;
+
+        case COUNTER_RELOAD_OFFSET:
+            trace_grlib_gptimer_writel(id, "reload:", value);
+            unit->timers[id].reload = value;
+            return;
+
+        case CONFIG_OFFSET:
+            trace_grlib_gptimer_writel(id, "config:", value);
+
+            if (value & GPTIMER_INT_PENDING) {
+                /* clear pending bit */
+                value &= ~GPTIMER_INT_PENDING;
+            } else {
+                /* keep pending bit */
+                value |= unit->timers[id].config & GPTIMER_INT_PENDING;
+            }
+
+            unit->timers[id].config = value;
+
+            /* gptimer_restart calls gptimer_enable, so if "enable" and "load"
+               bits are present, we just have to call restart. */
+
+            if (value & GPTIMER_LOAD) {
+                grlib_gptimer_restart(&unit->timers[id]);
+            } else if (value & GPTIMER_ENABLE) {
+                grlib_gptimer_enable(&unit->timers[id]);
+            }
+
+            /* These fields must always be read as 0 */
+            value &= ~(GPTIMER_LOAD & GPTIMER_DEBUG_HALT);
+
+            unit->timers[id].config = value;
+            return;
+
+        default:
+            break;
+        }
+
+    }
+
+    trace_grlib_gptimer_unknown_register("write", addr);
+}
+
+static CPUReadMemoryFunc * const grlib_gptimer_read[] = {
+    NULL, NULL, grlib_gptimer_readl,
+};
+
+static CPUWriteMemoryFunc * const grlib_gptimer_write[] = {
+    NULL, NULL, grlib_gptimer_writel,
+};
+
+static void grlib_gptimer_reset(DeviceState *d)
+{
+    GPTimerUnit *unit = container_of(d, GPTimerUnit, busdev.qdev);
+    int          i    = 0;
+
+    assert(unit != NULL);
+
+    unit->scaler = 0;
+    unit->reload = 0;
+    unit->config = 0;
+
+    unit->config  = unit->nr_timers;
+    unit->config |= unit->irq_line << 3;
+    unit->config |= 1 << 8;     /* separate interrupt */
+    unit->config |= 1 << 9;     /* Disable timer freeze */
+
+
+    for (i = 0; i < unit->nr_timers; i++) {
+        GPTimer *timer = &unit->timers[i];
+
+        timer->counter = 0;
+        timer->reload = 0;
+        timer->config = 0;
+        ptimer_stop(timer->ptimer);
+        ptimer_set_count(timer->ptimer, 0);
+        ptimer_set_freq(timer->ptimer, unit->freq_hz);
+    }
+}
+
+static int grlib_gptimer_init(SysBusDevice *dev)
+{
+    GPTimerUnit  *unit = FROM_SYSBUS(typeof(*unit), dev);
+    unsigned int  i;
+    int           timer_regs;
+
+    assert(unit->nr_timers > 0);
+    assert(unit->nr_timers <= GPTIMER_MAX_TIMERS);
+
+    unit->timers = qemu_mallocz(sizeof unit->timers[0] * unit->nr_timers);
+
+    for (i = 0; i < unit->nr_timers; i++) {
+        GPTimer *timer = &unit->timers[i];
+
+        timer->unit   = unit;
+        timer->bh     = qemu_bh_new(grlib_gptimer_hit, timer);
+        timer->ptimer = ptimer_init(timer->bh);
+        timer->id     = i;
+
+        /* One IRQ line for each timer */
+        sysbus_init_irq(dev, &timer->irq);
+
+        ptimer_set_freq(timer->ptimer, unit->freq_hz);
+    }
+
+    timer_regs = cpu_register_io_memory(grlib_gptimer_read,
+                                        grlib_gptimer_write,
+                                        unit, DEVICE_NATIVE_ENDIAN);
+    if (timer_regs < 0) {
+        return -1;
+    }
+
+    sysbus_init_mmio(dev, UNIT_REG_SIZE + GPTIMER_REG_SIZE * unit->nr_timers,
+                     timer_regs);
+    return 0;
+}
+
+static SysBusDeviceInfo grlib_gptimer_info = {
+    .init       = grlib_gptimer_init,
+    .qdev.name  = "grlib,gptimer",
+    .qdev.reset = grlib_gptimer_reset,
+    .qdev.size  = sizeof(GPTimerUnit),
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT32("frequency", GPTimerUnit, freq_hz,   40000000),
+        DEFINE_PROP_UINT32("irq-line",  GPTimerUnit, irq_line,  8),
+        DEFINE_PROP_UINT32("nr-timers", GPTimerUnit, nr_timers, 2),
+        DEFINE_PROP_END_OF_LIST()
+    }
+};
+
+static void grlib_gptimer_register(void)
+{
+    sysbus_register_withprop(&grlib_gptimer_info);
+}
+
+device_init(grlib_gptimer_register)
diff --git a/trace-events b/trace-events
index 19cee6a..3761fd1 100644
--- a/trace-events
+++ b/trace-events
@@ -224,3 +224,13 @@ disable qed_aio_write_data(void *s, void *acb, int ret, uint64_t offset, size_t
 disable qed_aio_write_prefill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
 disable qed_aio_write_postfill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
 disable qed_aio_write_main(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
+
+# hw/grlib_gptimer.c
+disable grlib_gptimer_enable(int id, uint32_t count) "timer:%d set count 0x%x and run"
+disable grlib_gptimer_disabled(int id, uint32_t config) "timer:%d Timer disable config 0x%x"
+disable grlib_gptimer_restart(int id, uint32_t reload) "timer:%d reload val: 0x%x"
+disable grlib_gptimer_set_scaler(uint32_t scaler, uint32_t freq) "scaler:0x%x freq: 0x%x"
+disable grlib_gptimer_hit(int id) "timer:%d HIT"
+disable grlib_gptimer_readl(int id, const char *s, uint32_t val) "timer:%d %s 0x%x"
+disable grlib_gptimer_writel(int id, const char *s, uint32_t val) "timer:%d %s 0x%x"
+disable grlib_gptimer_unknown_register(const char *op, uint64_t val) "%s unknown register 0x%"PRIx64""
commit a5c062edd272a222179c2bbf54c539c992aefc93
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Jan 24 15:35:01 2011 +0000

    docs: Document scsi-disk and usb-storage removable parameter
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/docs/qdev-device-use.txt b/docs/qdev-device-use.txt
index f2f9b75..4bb2be8 100644
--- a/docs/qdev-device-use.txt
+++ b/docs/qdev-device-use.txt
@@ -80,7 +80,11 @@ The -device argument differs in detail for each kind of drive:
   This SCSI controller a single SCSI bus, named ID.0.  Put a disk on
   it:
 
-  -device scsi-disk,drive=DRIVE-ID,bus=ID.0,scsi-id=SCSI-ID
+  -device scsi-disk,drive=DRIVE-ID,bus=ID.0,scsi-id=SCSI-ID,removable=RMB
+
+  The (optional) removable parameter lets you override the SCSI INQUIRY
+  removable (RMB) bit for non CD-ROM devices.  It is ignored for CD-ROM devices
+  which are always removable.  RMB is "on" or "off".
 
 * if=floppy
 
@@ -116,7 +120,12 @@ For USB devices, the old way is actually different:
 Provides much less control than -drive's HOST-OPTS...  The new way
 fixes that:
 
-    -device usb-storage,drive=DRIVE-ID
+    -device usb-storage,drive=DRIVE-ID,removable=RMB
+
+The removable parameter gives control over the SCSI INQUIRY removable (RMB)
+bit.  USB thumbdrives usually set removable=on, while USB hard disks set
+removable=off.  See the if=scsi description above for details on the removable
+parameter, which applies only to scsi-disk devices and not to scsi-generic.
 
 === Character Devices ===
 
commit 6bb7b86722c6cc772f66cdc7923dec56e8458c29
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Jan 24 15:35:00 2011 +0000

    usb-msd: Propagate removable bit to SCSI device
    
    USB Mass Storage Devices sometimes have the RMB (removable) bit set in
    the SCSI INQUIRY response.  Thumbdrives tend to have the bit set whereas
    hard disks do not.
    
    Operating systems differentiate between removable devices and fixed
    devices.  Under Linux, the anaconda installer looks for removable
    devices.  Under Windows, only fixed devices may have more than one
    partition and AutoRun is also affected by the removable bit.
    
    For these reasons, allow USB Mass Storage Devices to override the
    removable bit:
    
    qemu -usb
         -drive if=none,file=test.img,cache=none,id=disk0
         -device usb-storage,drive=disk0,removable=on
    
    The default is off.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index ccdf8ff..11722c7 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -51,6 +51,7 @@ typedef struct {
     SCSIBus bus;
     BlockConf conf;
     SCSIDevice *scsi_dev;
+    uint32_t removable;
     int result;
     /* For async completion.  */
     USBPacket *packet;
@@ -515,7 +516,7 @@ static int usb_msd_initfn(USBDevice *dev)
 
     usb_desc_init(dev);
     scsi_bus_new(&s->bus, &s->dev.qdev, 0, 1, usb_msd_command_complete);
-    s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, bs, 0, false);
+    s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, bs, 0, !!s->removable);
     if (!s->scsi_dev) {
         return -1;
     }
@@ -607,6 +608,7 @@ static struct USBDeviceInfo msd_info = {
     .usbdevice_init = usb_msd_init,
     .qdev.props     = (Property[]) {
         DEFINE_BLOCK_PROPERTIES(MSDState, conf),
+        DEFINE_PROP_BIT("removable", MSDState, removable, 0, false),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
commit 2d1fd2613769d99e5fad1f57ab8466434e2079fd
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Jan 24 15:34:59 2011 +0000

    scsi: Allow scsi_bus_legacy_add_drive() to set removable bit
    
    scsi-disk devices may wish to override the removable bit.  Add support
    for a qdev property on SCSI devices.  This is will be used by usb-msd.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/pci-hotplug.c b/hw/pci-hotplug.c
index 716133c..270a982 100644
--- a/hw/pci-hotplug.c
+++ b/hw/pci-hotplug.c
@@ -90,7 +90,7 @@ static int scsi_hot_add(Monitor *mon, DeviceState *adapter,
      * specified).
      */
     dinfo->unit = qemu_opt_get_number(dinfo->opts, "unit", -1);
-    scsidev = scsi_bus_legacy_add_drive(scsibus, dinfo->bdrv, dinfo->unit);
+    scsidev = scsi_bus_legacy_add_drive(scsibus, dinfo->bdrv, dinfo->unit, false);
     if (!scsidev) {
         return -1;
     }
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 7febb86..ceeb4ec 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -87,7 +87,8 @@ void scsi_qdev_register(SCSIDeviceInfo *info)
 }
 
 /* handle legacy '-drive if=scsi,...' cmd line args */
-SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv, int unit)
+SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv,
+                                      int unit, bool removable)
 {
     const char *driver;
     DeviceState *dev;
@@ -95,6 +96,9 @@ SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv, int
     driver = bdrv_is_sg(bdrv) ? "scsi-generic" : "scsi-disk";
     dev = qdev_create(&bus->qbus, driver);
     qdev_prop_set_uint32(dev, "scsi-id", unit);
+    if (qdev_prop_exists(dev, "removable")) {
+        qdev_prop_set_bit(dev, "removable", removable);
+    }
     if (qdev_prop_set_drive(dev, "drive", bdrv) < 0) {
         qdev_free(dev);
         return NULL;
@@ -117,7 +121,7 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
             continue;
         }
         qemu_opts_loc_restore(dinfo->opts);
-        if (!scsi_bus_legacy_add_drive(bus, dinfo->bdrv, unit)) {
+        if (!scsi_bus_legacy_add_drive(bus, dinfo->bdrv, unit, false)) {
             res = -1;
             break;
         }
diff --git a/hw/scsi.h b/hw/scsi.h
index bf02adf..846fbba 100644
--- a/hw/scsi.h
+++ b/hw/scsi.h
@@ -94,7 +94,8 @@ static inline SCSIBus *scsi_bus_from_device(SCSIDevice *d)
     return DO_UPCAST(SCSIBus, qbus, d->qdev.parent_bus);
 }
 
-SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv, int unit);
+SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv,
+                                      int unit, bool removable);
 int scsi_bus_legacy_handle_cmdline(SCSIBus *bus);
 
 SCSIRequest *scsi_req_alloc(size_t size, SCSIDevice *d, uint32_t tag, uint32_t lun);
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 729d96c..ccdf8ff 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -515,7 +515,7 @@ static int usb_msd_initfn(USBDevice *dev)
 
     usb_desc_init(dev);
     scsi_bus_new(&s->bus, &s->dev.qdev, 0, 1, usb_msd_command_complete);
-    s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, bs, 0);
+    s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, bs, 0, false);
     if (!s->scsi_dev) {
         return -1;
     }
commit 419e691f8ef16635e73d814ef3ab825272208ba8
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Jan 24 15:34:58 2011 +0000

    scsi-disk: Allow overriding SCSI INQUIRY removable bit
    
    Provide the "removable" qdev property bit to override the SCSI INQUIRY
    removable (RMB) bit for non-CDROM devices.  This will be used by USB
    Mass Storage Devices, which sometimes have this guest-visible bit set
    and sometimes do not.  They therefore requires a means for user
    configuration.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 6cb317c..488eedd 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -72,6 +72,7 @@ struct SCSIDiskState
     /* The qemu block layer uses a fixed 512 byte sector size.
        This is the number of 512 byte blocks in a single scsi sector.  */
     int cluster_size;
+    uint32_t removable;
     uint64_t max_lba;
     QEMUBH *bh;
     char *version;
@@ -552,6 +553,7 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
         memcpy(&outbuf[16], "QEMU CD-ROM     ", 16);
     } else {
         outbuf[0] = 0;
+        outbuf[1] = s->removable ? 0x80 : 0;
         memcpy(&outbuf[16], "QEMU HARDDISK   ", 16);
     }
     memcpy(&outbuf[8], "QEMU    ", 8);
@@ -1295,6 +1297,7 @@ static SCSIDeviceInfo scsi_disk_info = {
         DEFINE_BLOCK_PROPERTIES(SCSIDiskState, qdev.conf),
         DEFINE_PROP_STRING("ver",  SCSIDiskState, version),
         DEFINE_PROP_STRING("serial",  SCSIDiskState, serial),
+        DEFINE_PROP_BIT("removable", SCSIDiskState, removable, 0, false),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
commit b835e919f022d768abdf00e8dc94f1a23fdcab15
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 17 19:29:34 2011 +0100

    target-mips: fix save_cpu_state() calls
    
    The rule is:
    - don't save PC if the exception is only triggered by softmmu.
    - save PC if the exception can be triggered by an helper.
    
    Fix a 64-bit kernel crash when loading modules.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-mips/translate.c b/target-mips/translate.c
index 187930e..0f93e2a 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -1066,7 +1066,7 @@ static void gen_ld (CPUState *env, DisasContext *ctx, uint32_t opc,
         opn = "ld";
         break;
     case OPC_LLD:
-        save_cpu_state(ctx, 0);
+        save_cpu_state(ctx, 1);
         op_ld_lld(t0, t0, ctx);
         gen_store_gpr(t0, rt);
         opn = "lld";
@@ -1086,7 +1086,7 @@ static void gen_ld (CPUState *env, DisasContext *ctx, uint32_t opc,
         opn = "ldr";
         break;
     case OPC_LDPC:
-        save_cpu_state(ctx, 1);
+        save_cpu_state(ctx, 0);
         tcg_gen_movi_tl(t1, pc_relative_pc(ctx));
         gen_op_addr_add(ctx, t0, t0, t1);
         op_ld_ld(t0, t0, ctx);
@@ -1095,7 +1095,7 @@ static void gen_ld (CPUState *env, DisasContext *ctx, uint32_t opc,
         break;
 #endif
     case OPC_LWPC:
-        save_cpu_state(ctx, 1);
+        save_cpu_state(ctx, 0);
         tcg_gen_movi_tl(t1, pc_relative_pc(ctx));
         gen_op_addr_add(ctx, t0, t0, t1);
         op_ld_lw(t0, t0, ctx);
@@ -1238,7 +1238,7 @@ static void gen_st_cond (DisasContext *ctx, uint32_t opc, int rt,
     switch (opc) {
 #if defined(TARGET_MIPS64)
     case OPC_SCD:
-        save_cpu_state(ctx, 0);
+        save_cpu_state(ctx, 1);
         op_st_scd(t1, t0, rt, ctx);
         opn = "scd";
         break;
@@ -9971,7 +9971,7 @@ static void gen_ldst_pair (DisasContext *ctx, uint32_t opc, int rd,
         opn = "lwp";
         break;
     case SWP:
-        save_cpu_state(ctx, 1);
+        save_cpu_state(ctx, 0);
         gen_load_gpr(t1, rd);
         op_st_sw(t1, t0, ctx);
         tcg_gen_movi_tl(t1, 4);
@@ -9992,7 +9992,7 @@ static void gen_ldst_pair (DisasContext *ctx, uint32_t opc, int rd,
         opn = "ldp";
         break;
     case SDP:
-        save_cpu_state(ctx, 1);
+        save_cpu_state(ctx, 0);
         gen_load_gpr(t1, rd);
         op_st_sd(t1, t0, ctx);
         tcg_gen_movi_tl(t1, 8);
commit ea87e95f8fda609fa665c2abd33c30ae65e6fae2
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 23 08:48:41 2011 +0000

    usb-bus: use snprintf
    
    Avoid this warning from OpenBSD linker:
      LINK  i386-softmmu/qemu
    ../usb-bus.o(.text+0x27c): In function `usb_get_fw_dev_path':
    /src/qemu/hw/usb-bus.c:294: warning: sprintf() is often misused,
    please use snprintf()
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index ac56fbc..abc7e61 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -298,20 +298,22 @@ static char *usb_get_fw_dev_path(DeviceState *qdev)
 {
     USBDevice *dev = DO_UPCAST(USBDevice, qdev, qdev);
     char *fw_path, *in;
-    int pos = 0;
+    ssize_t pos = 0, fw_len;
     long nr;
 
-    fw_path = qemu_malloc(32 + strlen(dev->port->path) * 6);
+    fw_len = 32 + strlen(dev->port->path) * 6;
+    fw_path = qemu_malloc(fw_len);
     in = dev->port->path;
-    while (true) {
+    while (fw_len - pos > 0) {
         nr = strtol(in, &in, 10);
         if (in[0] == '.') {
             /* some hub between root port and device */
-            pos += sprintf(fw_path + pos, "hub@%ld/", nr);
+            pos += snprintf(fw_path + pos, fw_len - pos, "hub@%ld/", nr);
             in++;
         } else {
             /* the device itself */
-            pos += sprintf(fw_path + pos, "%s@%ld", qdev_fw_name(qdev), nr);
+            pos += snprintf(fw_path + pos, fw_len - pos, "%s@%ld",
+                            qdev_fw_name(qdev), nr);
             break;
         }
     }
commit ee59e6b3bf2074774a0626bc3d5389f2b7bd05bd
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 10 14:40:30 2010 +0100

    usb hid: add migration support
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 168e67d..79b20df 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -65,7 +65,7 @@ typedef struct USBKeyboardState {
     uint16_t modifiers;
     uint8_t leds;
     uint8_t key[16];
-    int keys;
+    int32_t keys;
 } USBKeyboardState;
 
 typedef struct USBHIDState {
@@ -77,7 +77,7 @@ typedef struct USBHIDState {
     uint32_t head; /* index into circular queue */
     uint32_t n;
     int kind;
-    int protocol;
+    int32_t protocol;
     uint8_t idle;
     int64_t next_idle_clock;
     int changed;
@@ -895,12 +895,72 @@ void usb_hid_datain_cb(USBDevice *dev, void *opaque, void (*datain)(void *))
     s->datain = datain;
 }
 
+static int usb_hid_post_load(void *opaque, int version_id)
+{
+    USBHIDState *s = opaque;
+
+    if (s->idle) {
+        usb_hid_set_next_idle(s, qemu_get_clock(vm_clock));
+    }
+    return 0;
+}
+
+static const VMStateDescription vmstate_usb_ptr_queue = {
+    .name = "usb-ptr-queue",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_INT32(xdx, USBPointerEvent),
+        VMSTATE_INT32(ydy, USBPointerEvent),
+        VMSTATE_INT32(dz, USBPointerEvent),
+        VMSTATE_INT32(buttons_state, USBPointerEvent),
+        VMSTATE_END_OF_LIST()
+    }
+};
+static const VMStateDescription vmstate_usb_ptr = {
+    .name = "usb-ptr",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .post_load = usb_hid_post_load,
+    .fields = (VMStateField []) {
+        VMSTATE_USB_DEVICE(dev, USBHIDState),
+        VMSTATE_STRUCT_ARRAY(ptr.queue, USBHIDState, QUEUE_LENGTH, 0,
+                             vmstate_usb_ptr_queue, USBPointerEvent),
+        VMSTATE_UINT32(head, USBHIDState),
+        VMSTATE_UINT32(n, USBHIDState),
+        VMSTATE_INT32(protocol, USBHIDState),
+        VMSTATE_UINT8(idle, USBHIDState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_usb_kbd = {
+    .name = "usb-kbd",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .post_load = usb_hid_post_load,
+    .fields = (VMStateField []) {
+        VMSTATE_USB_DEVICE(dev, USBHIDState),
+        VMSTATE_UINT32_ARRAY(kbd.keycodes, USBHIDState, QUEUE_LENGTH),
+        VMSTATE_UINT32(head, USBHIDState),
+        VMSTATE_UINT32(n, USBHIDState),
+        VMSTATE_UINT16(kbd.modifiers, USBHIDState),
+        VMSTATE_UINT8(kbd.leds, USBHIDState),
+        VMSTATE_UINT8_ARRAY(kbd.key, USBHIDState, 16),
+        VMSTATE_INT32(kbd.keys, USBHIDState),
+        VMSTATE_INT32(protocol, USBHIDState),
+        VMSTATE_UINT8(idle, USBHIDState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static struct USBDeviceInfo hid_info[] = {
     {
         .product_desc   = "QEMU USB Tablet",
         .qdev.name      = "usb-tablet",
         .usbdevice_name = "tablet",
         .qdev.size      = sizeof(USBHIDState),
+        .qdev.vmsd      = &vmstate_usb_ptr,
         .usb_desc       = &desc_tablet,
         .init           = usb_tablet_initfn,
         .handle_packet  = usb_generic_handle_packet,
@@ -913,6 +973,7 @@ static struct USBDeviceInfo hid_info[] = {
         .qdev.name      = "usb-mouse",
         .usbdevice_name = "mouse",
         .qdev.size      = sizeof(USBHIDState),
+        .qdev.vmsd      = &vmstate_usb_ptr,
         .usb_desc       = &desc_mouse,
         .init           = usb_mouse_initfn,
         .handle_packet  = usb_generic_handle_packet,
@@ -925,6 +986,7 @@ static struct USBDeviceInfo hid_info[] = {
         .qdev.name      = "usb-kbd",
         .usbdevice_name = "keyboard",
         .qdev.size      = sizeof(USBHIDState),
+        .qdev.vmsd      = &vmstate_usb_kbd,
         .usb_desc       = &desc_keyboard,
         .init           = usb_keyboard_initfn,
         .handle_packet  = usb_generic_handle_packet,
commit d15500902adb79034ef40ee3a06bbc0a7e0d8b19
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 15 12:45:24 2010 +0100

    usb hub: add migration support
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 78698ca..3dd31ba 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -544,11 +544,35 @@ static int usb_hub_initfn(USBDevice *dev)
     return 0;
 }
 
+static const VMStateDescription vmstate_usb_hub_port = {
+    .name = "usb-hub-port",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT16(wPortStatus, USBHubPort),
+        VMSTATE_UINT16(wPortChange, USBHubPort),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_usb_hub = {
+    .name = "usb-hub",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_USB_DEVICE(dev, USBHubState),
+        VMSTATE_STRUCT_ARRAY(ports, USBHubState, NUM_PORTS, 0,
+                             vmstate_usb_hub_port, USBHubPort),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static struct USBDeviceInfo hub_info = {
     .product_desc   = "QEMU USB Hub",
     .qdev.name      = "usb-hub",
     .qdev.fw_name    = "hub",
     .qdev.size      = sizeof(USBHubState),
+    .qdev.vmsd      = &vmstate_usb_hub,
     .usb_desc       = &desc_hub,
     .init           = usb_hub_initfn,
     .handle_packet  = usb_hub_handle_packet,
commit c1ecb40a6124b80f1e346e38a1975e82da6507ca
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 10 14:20:46 2010 +0100

    usb core: add migration support
    
    Yes, seriously.  There is no migration support at all for usb devices.
    They loose state, especially the device address, and stop responding
    because of that.  Oops.
    
    Luckily there is so much broken usb hardware out there that the guest
    usually just kicks the device hard (via port reset and
    reinitialization), then continues without a hitch.  So we got away with
    that in a surprising high number of cases.
    
    The arrival of remote wakeup (which enables autosuspend support) changes
    that picture though.  The usb devices also forget that it they are
    supposed to wakeup, so they don't do that.  The host also doesn't notice
    the device stopped working in case it suspended the device and thus
    expects it waking up instead of polling it.  Result is that your mouse
    is dead.
    
    Lets start fixing that.  Add a vmstate struct for USBDevice.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/hw.h b/hw/hw.h
index dd993de..5e24329 100644
--- a/hw/hw.h
+++ b/hw/hw.h
@@ -587,6 +587,16 @@ extern const VMStateDescription vmstate_i2c_slave;
     .offset     = vmstate_offset_value(_state, _field, i2c_slave),   \
 }
 
+extern const VMStateDescription vmstate_usb_device;
+
+#define VMSTATE_USB_DEVICE(_field, _state) {                         \
+    .name       = (stringify(_field)),                               \
+    .size       = sizeof(USBDevice),                                 \
+    .vmsd       = &vmstate_usb_device,                               \
+    .flags      = VMS_STRUCT,                                        \
+    .offset     = vmstate_offset_value(_state, _field, USBDevice),   \
+}
+
 #define vmstate_offset_macaddr(_state, _field)                       \
     vmstate_offset_array(_state, _field.a, uint8_t,                \
                          sizeof(typeof_field(_state, _field)))
diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 6e2e5fd..ac56fbc 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -23,6 +23,22 @@ static struct BusInfo usb_bus_info = {
 static int next_usb_bus = 0;
 static QTAILQ_HEAD(, USBBus) busses = QTAILQ_HEAD_INITIALIZER(busses);
 
+const VMStateDescription vmstate_usb_device = {
+    .name = "USBDevice",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT8(addr, USBDevice),
+        VMSTATE_INT32(state, USBDevice),
+        VMSTATE_INT32(remote_wakeup, USBDevice),
+        VMSTATE_INT32(setup_state, USBDevice),
+        VMSTATE_INT32(setup_len, USBDevice),
+        VMSTATE_INT32(setup_index, USBDevice),
+        VMSTATE_UINT8_ARRAY(setup_buf, USBDevice, 8),
+        VMSTATE_END_OF_LIST(),
+    }
+};
+
 void usb_bus_new(USBBus *bus, DeviceState *host)
 {
     qbus_create_inplace(&bus->qbus, &usb_bus_info, host, NULL);
diff --git a/hw/usb.h b/hw/usb.h
index 5c1da3e..d3d755d 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -165,13 +165,13 @@ struct USBDevice {
     int auto_attach;
     int attached;
 
-    int state;
+    int32_t state;
     uint8_t setup_buf[8];
     uint8_t data_buf[1024];
-    int remote_wakeup;
-    int setup_state;
-    int setup_len;
-    int setup_index;
+    int32_t remote_wakeup;
+    int32_t setup_state;
+    int32_t setup_len;
+    int32_t setup_index;
 
     QLIST_HEAD(, USBDescString) strings;
     const USBDescDevice *device;
commit 9892088b52da05c3944e84982922fa984e048044
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 14 10:56:54 2011 +0100

    vnc: fix numlock+capslock tracking
    
    This patch makes the numlock+capslock tracking logic only look at
    keydown events.  Without this patch the vnc server will insert
    bogous capslock keypress in case it sees the following key sequence:
    
      shift down --- 'A' down --- shift up  --- 'A' up
                                             ^ here
    
    It doesn't hurt with a PS/2 keyboard, but it disturbs the USB Keyboard.
    And with the key event queue just added to the usb keyboard the guest
    will actually notice.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/vnc.c b/ui/vnc.c
index 495d6d6..0820d99 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1504,7 +1504,7 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
         break;
     }
 
-    if (vs->vd->lock_key_sync &&
+    if (down && vs->vd->lock_key_sync &&
         keycode_is_keypad(vs->vd->kbd_layout, keycode)) {
         /* If the numlock state needs to change then simulate an additional
            keypress before sending this one.  This will happen if the user
@@ -1523,7 +1523,7 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
         }
     }
 
-    if (vs->vd->lock_key_sync &&
+    if (down && vs->vd->lock_key_sync &&
         ((sym >= 'A' && sym <= 'Z') || (sym >= 'a' && sym <= 'z'))) {
         /* If the capslock state needs to change then simulate an additional
            keypress before sending this one.  This will happen if the user
commit 42292d4e51ac01eb28360d53127337fe275c39c5
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 14 09:23:22 2011 +0100

    usb hid: move head+n to common struct
    
    This patch moves the 'head' and 'n' fields from USBMouseState and
    USBKeyboardState to the common USBHIDState struct.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 5f1451b..168e67d 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -56,16 +56,12 @@ typedef struct USBPointerEvent {
 
 typedef struct USBMouseState {
     USBPointerEvent queue[QUEUE_LENGTH];
-    uint32_t head; /* index into circular queue */
-    uint32_t n;
     int mouse_grabbed;
     QEMUPutMouseEntry *eh_entry;
 } USBMouseState;
 
 typedef struct USBKeyboardState {
     uint32_t keycodes[QUEUE_LENGTH];
-    uint32_t head; /* index into circular queue */
-    uint32_t n;
     uint16_t modifiers;
     uint8_t leds;
     uint8_t key[16];
@@ -78,6 +74,8 @@ typedef struct USBHIDState {
         USBMouseState ptr;
         USBKeyboardState kbd;
     };
+    uint32_t head; /* index into circular queue */
+    uint32_t n;
     int kind;
     int protocol;
     uint8_t idle;
@@ -468,7 +466,7 @@ static void usb_pointer_event(void *opaque,
 {
     USBHIDState *hs = opaque;
     USBMouseState *s = &hs->ptr;
-    unsigned use_slot = (s->head + s->n - 1) & QUEUE_MASK;
+    unsigned use_slot = (hs->head + hs->n - 1) & QUEUE_MASK;
     unsigned previous_slot = (use_slot - 1) & QUEUE_MASK;
 
     /* We combine events where feasible to keep the queue small.  We shouldn't
@@ -476,15 +474,15 @@ static void usb_pointer_event(void *opaque,
      * that would change the location of the button state change.  When the
      * queue is empty, a second event is needed because we don't know if
      * the first event changed the button state.  */
-    if (s->n == QUEUE_LENGTH) {
+    if (hs->n == QUEUE_LENGTH) {
         /* Queue full.  Discard old button state, combine motion normally.  */
         s->queue[use_slot].buttons_state = buttons_state;
-    } else if (s->n < 2 ||
+    } else if (hs->n < 2 ||
                s->queue[use_slot].buttons_state != buttons_state ||
                s->queue[previous_slot].buttons_state != s->queue[use_slot].buttons_state) {
         /* Cannot or should not combine, so add an empty item to the queue.  */
         QUEUE_INCR(use_slot);
-        s->n++;
+        hs->n++;
         usb_pointer_event_clear(&s->queue[use_slot], buttons_state);
     }
     usb_pointer_event_combine(&s->queue[use_slot],
@@ -499,24 +497,25 @@ static void usb_keyboard_event(void *opaque, int keycode)
     USBKeyboardState *s = &hs->kbd;
     int slot;
 
-    if (s->n == QUEUE_LENGTH) {
+    if (hs->n == QUEUE_LENGTH) {
         fprintf(stderr, "usb-kbd: warning: key event queue full\n");
         return;
     }
-    slot = (s->head + s->n) & QUEUE_MASK; s->n++;
+    slot = (hs->head + hs->n) & QUEUE_MASK; hs->n++;
     s->keycodes[slot] = keycode;
     usb_hid_changed(hs);
 }
 
-static void usb_keyboard_process_keycode(USBKeyboardState *s)
+static void usb_keyboard_process_keycode(USBHIDState *hs)
 {
+    USBKeyboardState *s = &hs->kbd;
     uint8_t hid_code, key;
     int i, keycode, slot;
 
-    if (s->n == 0) {
+    if (hs->n == 0) {
         return;
     }
-    slot = s->head & QUEUE_MASK; QUEUE_INCR(s->head); s->n--;
+    slot = hs->head & QUEUE_MASK; QUEUE_INCR(hs->head); hs->n--;
     keycode = s->keycodes[slot];
 
     key = keycode & 0x7f;
@@ -590,7 +589,7 @@ static int usb_pointer_poll(USBHIDState *hs, uint8_t *buf, int len)
 
     /* When the buffer is empty, return the last event.  Relative
        movements will all be zero.  */
-    index = (s->n ? s->head : s->head - 1);
+    index = (hs->n ? hs->head : hs->head - 1);
     e = &s->queue[index & QUEUE_MASK];
 
     if (hs->kind == USB_MOUSE) {
@@ -613,12 +612,12 @@ static int usb_pointer_poll(USBHIDState *hs, uint8_t *buf, int len)
     if (e->buttons_state & MOUSE_EVENT_MBUTTON)
         b |= 0x04;
 
-    if (s->n &&
+    if (hs->n &&
         !e->dz &&
         (hs->kind == USB_TABLET || (!e->xdx && !e->ydy))) {
         /* that deals with this event */
-        QUEUE_INCR(s->head);
-        s->n--;
+        QUEUE_INCR(hs->head);
+        hs->n--;
     }
 
     /* Appears we have to invert the wheel direction */
@@ -664,7 +663,7 @@ static int usb_keyboard_poll(USBHIDState *hs, uint8_t *buf, int len)
     if (len < 2)
         return 0;
 
-    usb_keyboard_process_keycode(s);
+    usb_keyboard_process_keycode(hs);
 
     buf[0] = s->modifiers & 0xff;
     buf[1] = 0;
@@ -702,8 +701,8 @@ static void usb_mouse_handle_reset(USBDevice *dev)
     USBHIDState *s = (USBHIDState *)dev;
 
     memset(s->ptr.queue, 0, sizeof (s->ptr.queue));
-    s->ptr.head = 0;
-    s->ptr.n = 0;
+    s->head = 0;
+    s->n = 0;
     s->protocol = 1;
 }
 
@@ -713,8 +712,8 @@ static void usb_keyboard_handle_reset(USBDevice *dev)
 
     qemu_add_kbd_event_handler(usb_keyboard_event, s);
     memset(s->kbd.keycodes, 0, sizeof (s->kbd.keycodes));
-    s->kbd.head = 0;
-    s->kbd.n = 0;
+    s->head = 0;
+    s->n = 0;
     memset(s->kbd.key, 0, sizeof (s->kbd.key));
     s->kbd.keys = 0;
     s->protocol = 1;
@@ -822,12 +821,11 @@ static int usb_hid_handle_data(USBDevice *dev, USBPacket *p)
             usb_hid_set_next_idle(s, curtime);
             if (s->kind == USB_MOUSE || s->kind == USB_TABLET) {
                 ret = usb_pointer_poll(s, p->data, p->len);
-                s->changed = s->ptr.n > 0;
             }
             else if (s->kind == USB_KEYBOARD) {
                 ret = usb_keyboard_poll(s, p->data, p->len);
-                s->changed = s->kbd.n > 0;
             }
+            s->changed = s->n > 0;
         } else {
             goto fail;
         }
commit 5fae51a9c26c025b94f8d7c40f54b65049de7227
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 13 17:42:06 2011 +0100

    usb keyboard: add event event queue
    
    This patch adds a event queue to the usb keyboard.  This makes sure the
    guest will see all key events even if they come in bursts.  With this
    patch applied sending Ctrl-Alt-Del using vncviewer's F8 menu works.
    Also with autosuspend enabled the first keypress on a suspended keyboard
    takes a little longer to be delivered to the guest because the usb bus
    must be resumed first.  Without event queue this easily gets lost.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index ea49543..5f1451b 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -63,6 +63,9 @@ typedef struct USBMouseState {
 } USBMouseState;
 
 typedef struct USBKeyboardState {
+    uint32_t keycodes[QUEUE_LENGTH];
+    uint32_t head; /* index into circular queue */
+    uint32_t n;
     uint16_t modifiers;
     uint8_t leds;
     uint8_t key[16];
@@ -494,8 +497,27 @@ static void usb_keyboard_event(void *opaque, int keycode)
 {
     USBHIDState *hs = opaque;
     USBKeyboardState *s = &hs->kbd;
+    int slot;
+
+    if (s->n == QUEUE_LENGTH) {
+        fprintf(stderr, "usb-kbd: warning: key event queue full\n");
+        return;
+    }
+    slot = (s->head + s->n) & QUEUE_MASK; s->n++;
+    s->keycodes[slot] = keycode;
+    usb_hid_changed(hs);
+}
+
+static void usb_keyboard_process_keycode(USBKeyboardState *s)
+{
     uint8_t hid_code, key;
-    int i;
+    int i, keycode, slot;
+
+    if (s->n == 0) {
+        return;
+    }
+    slot = s->head & QUEUE_MASK; QUEUE_INCR(s->head); s->n--;
+    keycode = s->keycodes[slot];
 
     key = keycode & 0x7f;
     hid_code = usb_hid_usage_keys[key | ((s->modifiers >> 1) & (1 << 7))];
@@ -528,7 +550,6 @@ static void usb_keyboard_event(void *opaque, int keycode)
             if (s->key[i] == hid_code) {
                 s->key[i] = s->key[-- s->keys];
                 s->key[s->keys] = 0x00;
-                usb_hid_changed(hs);
                 break;
             }
         if (i < 0)
@@ -543,8 +564,6 @@ static void usb_keyboard_event(void *opaque, int keycode)
         } else
             return;
     }
-
-    usb_hid_changed(hs);
 }
 
 static inline int int_clamp(int val, int vmin, int vmax)
@@ -645,6 +664,8 @@ static int usb_keyboard_poll(USBHIDState *hs, uint8_t *buf, int len)
     if (len < 2)
         return 0;
 
+    usb_keyboard_process_keycode(s);
+
     buf[0] = s->modifiers & 0xff;
     buf[1] = 0;
     if (s->keys > 6)
@@ -680,7 +701,7 @@ static void usb_mouse_handle_reset(USBDevice *dev)
 {
     USBHIDState *s = (USBHIDState *)dev;
 
-    memset (s->ptr.queue, 0, sizeof (s->ptr.queue));
+    memset(s->ptr.queue, 0, sizeof (s->ptr.queue));
     s->ptr.head = 0;
     s->ptr.n = 0;
     s->protocol = 1;
@@ -691,6 +712,11 @@ static void usb_keyboard_handle_reset(USBDevice *dev)
     USBHIDState *s = (USBHIDState *)dev;
 
     qemu_add_kbd_event_handler(usb_keyboard_event, s);
+    memset(s->kbd.keycodes, 0, sizeof (s->kbd.keycodes));
+    s->kbd.head = 0;
+    s->kbd.n = 0;
+    memset(s->kbd.key, 0, sizeof (s->kbd.key));
+    s->kbd.keys = 0;
     s->protocol = 1;
 }
 
@@ -800,7 +826,7 @@ static int usb_hid_handle_data(USBDevice *dev, USBPacket *p)
             }
             else if (s->kind == USB_KEYBOARD) {
                 ret = usb_keyboard_poll(s, p->data, p->len);
-                s->changed = 0;
+                s->changed = s->kbd.n > 0;
             }
         } else {
             goto fail;
commit 13f8b97a57450534ccb7aaeb55095a668183fbee
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Wed Jan 12 13:19:20 2011 +0100

    add event queueing to USB HID
    
    The polling nature of the USB HID device makes it very hard to double
    click or drag while on a high-latency VNC connection.  This patch,
    based on work done in the Xen qemu-dm tree by Ian Jackson, fixes this
    bug by adding an event queue to the device.  The event queue associates
    each movement with the correct button state, and remembers all button
    presses and releases as well.
    
    Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
    Signed-off-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Gerd Hoffman <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 90a2b49..ea49543 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -45,9 +45,19 @@
 #define USB_TABLET    2
 #define USB_KEYBOARD  3
 
+typedef struct USBPointerEvent {
+    int32_t xdx, ydy; /* relative iff it's a mouse, otherwise absolute */
+    int32_t dz, buttons_state;
+} USBPointerEvent;
+
+#define QUEUE_LENGTH    16 /* should be enough for a triple-click */
+#define QUEUE_MASK      (QUEUE_LENGTH-1u)
+#define QUEUE_INCR(v)   ((v)++, (v) &= QUEUE_MASK)
+
 typedef struct USBMouseState {
-    int dx, dy, dz, buttons_state;
-    int x, y;
+    USBPointerEvent queue[QUEUE_LENGTH];
+    uint32_t head; /* index into circular queue */
+    uint32_t n;
     int mouse_grabbed;
     QEMUPutMouseEntry *eh_entry;
 } USBMouseState;
@@ -433,31 +443,50 @@ static void usb_hid_changed(USBHIDState *hs)
     usb_wakeup(&hs->dev);
 }
 
-static void usb_mouse_event(void *opaque,
-                            int dx1, int dy1, int dz1, int buttons_state)
-{
-    USBHIDState *hs = opaque;
-    USBMouseState *s = &hs->ptr;
-
-    s->dx += dx1;
-    s->dy += dy1;
-    s->dz += dz1;
-    s->buttons_state = buttons_state;
+static void usb_pointer_event_clear(USBPointerEvent *e, int buttons) {
+    e->xdx = e->ydy = e->dz = 0;
+    e->buttons_state = buttons;
+}
 
-    usb_hid_changed(hs);
+static void usb_pointer_event_combine(USBPointerEvent *e, int xyrel,
+                                      int x1, int y1, int z1) {
+    if (xyrel) {
+        e->xdx += x1;
+        e->ydy += y1;
+    } else {
+        e->xdx = x1;
+        e->ydy = y1;
+    }
+    e->dz += z1;
 }
 
-static void usb_tablet_event(void *opaque,
-			     int x, int y, int dz, int buttons_state)
+static void usb_pointer_event(void *opaque,
+                              int x1, int y1, int z1, int buttons_state)
 {
     USBHIDState *hs = opaque;
     USBMouseState *s = &hs->ptr;
-
-    s->x = x;
-    s->y = y;
-    s->dz += dz;
-    s->buttons_state = buttons_state;
-
+    unsigned use_slot = (s->head + s->n - 1) & QUEUE_MASK;
+    unsigned previous_slot = (use_slot - 1) & QUEUE_MASK;
+
+    /* We combine events where feasible to keep the queue small.  We shouldn't
+     * combine anything with the first event of a particular button state, as
+     * that would change the location of the button state change.  When the
+     * queue is empty, a second event is needed because we don't know if
+     * the first event changed the button state.  */
+    if (s->n == QUEUE_LENGTH) {
+        /* Queue full.  Discard old button state, combine motion normally.  */
+        s->queue[use_slot].buttons_state = buttons_state;
+    } else if (s->n < 2 ||
+               s->queue[use_slot].buttons_state != buttons_state ||
+               s->queue[previous_slot].buttons_state != s->queue[use_slot].buttons_state) {
+        /* Cannot or should not combine, so add an empty item to the queue.  */
+        QUEUE_INCR(use_slot);
+        s->n++;
+        usb_pointer_event_clear(&s->queue[use_slot], buttons_state);
+    }
+    usb_pointer_event_combine(&s->queue[use_slot],
+                              hs->kind == USB_MOUSE,
+                              x1, y1, z1);
     usb_hid_changed(hs);
 }
 
@@ -528,83 +557,91 @@ static inline int int_clamp(int val, int vmin, int vmax)
         return val;
 }
 
-static int usb_mouse_poll(USBHIDState *hs, uint8_t *buf, int len)
+static int usb_pointer_poll(USBHIDState *hs, uint8_t *buf, int len)
 {
     int dx, dy, dz, b, l;
+    int index;
     USBMouseState *s = &hs->ptr;
+    USBPointerEvent *e;
 
     if (!s->mouse_grabbed) {
         qemu_activate_mouse_event_handler(s->eh_entry);
-	s->mouse_grabbed = 1;
+        s->mouse_grabbed = 1;
     }
 
-    dx = int_clamp(s->dx, -127, 127);
-    dy = int_clamp(s->dy, -127, 127);
-    dz = int_clamp(s->dz, -127, 127);
-
-    s->dx -= dx;
-    s->dy -= dy;
-    s->dz -= dz;
+    /* When the buffer is empty, return the last event.  Relative
+       movements will all be zero.  */
+    index = (s->n ? s->head : s->head - 1);
+    e = &s->queue[index & QUEUE_MASK];
 
-    /* Appears we have to invert the wheel direction */
-    dz = 0 - dz;
+    if (hs->kind == USB_MOUSE) {
+        dx = int_clamp(e->xdx, -127, 127);
+        dy = int_clamp(e->ydy, -127, 127);
+        e->xdx -= dx;
+        e->ydy -= dy;
+    } else {
+        dx = e->xdx;
+        dy = e->ydy;
+    }
+    dz = int_clamp(e->dz, -127, 127);
+    e->dz -= dz;
 
     b = 0;
-    if (s->buttons_state & MOUSE_EVENT_LBUTTON)
+    if (e->buttons_state & MOUSE_EVENT_LBUTTON)
         b |= 0x01;
-    if (s->buttons_state & MOUSE_EVENT_RBUTTON)
+    if (e->buttons_state & MOUSE_EVENT_RBUTTON)
         b |= 0x02;
-    if (s->buttons_state & MOUSE_EVENT_MBUTTON)
+    if (e->buttons_state & MOUSE_EVENT_MBUTTON)
         b |= 0x04;
 
-    l = 0;
-    if (len > l)
-        buf[l ++] = b;
-    if (len > l)
-        buf[l ++] = dx;
-    if (len > l)
-        buf[l ++] = dy;
-    if (len > l)
-        buf[l ++] = dz;
-    return l;
-}
-
-static int usb_tablet_poll(USBHIDState *hs, uint8_t *buf, int len)
-{
-    int dz, b, l;
-    USBMouseState *s = &hs->ptr;
-
-    if (!s->mouse_grabbed) {
-        qemu_activate_mouse_event_handler(s->eh_entry);
-	s->mouse_grabbed = 1;
+    if (s->n &&
+        !e->dz &&
+        (hs->kind == USB_TABLET || (!e->xdx && !e->ydy))) {
+        /* that deals with this event */
+        QUEUE_INCR(s->head);
+        s->n--;
     }
 
-    dz = int_clamp(s->dz, -127, 127);
-    s->dz -= dz;
-
     /* Appears we have to invert the wheel direction */
     dz = 0 - dz;
-    b = 0;
-    if (s->buttons_state & MOUSE_EVENT_LBUTTON)
-        b |= 0x01;
-    if (s->buttons_state & MOUSE_EVENT_RBUTTON)
-        b |= 0x02;
-    if (s->buttons_state & MOUSE_EVENT_MBUTTON)
-        b |= 0x04;
+    l = 0;
+    switch (hs->kind) {
+    case USB_MOUSE:
+        if (len > l)
+            buf[l++] = b;
+        if (len > l)
+            buf[l++] = dx;
+        if (len > l)
+            buf[l++] = dy;
+        if (len > l)
+            buf[l++] = dz;
+        break;
 
-    buf[0] = b;
-    buf[1] = s->x & 0xff;
-    buf[2] = s->x >> 8;
-    buf[3] = s->y & 0xff;
-    buf[4] = s->y >> 8;
-    buf[5] = dz;
-    l = 6;
+    case USB_TABLET:
+        if (len > l)
+            buf[l++] = b;
+        if (len > l)
+            buf[l++] = dx & 0xff;
+        if (len > l)
+            buf[l++] = dx >> 8;
+        if (len > l)
+            buf[l++] = dy & 0xff;
+        if (len > l)
+            buf[l++] = dy >> 8;
+        if (len > l)
+            buf[l++] = dz;
+        break;
+
+    default:
+        abort();
+    }
 
     return l;
 }
 
-static int usb_keyboard_poll(USBKeyboardState *s, uint8_t *buf, int len)
+static int usb_keyboard_poll(USBHIDState *hs, uint8_t *buf, int len)
 {
+    USBKeyboardState *s = &hs->kbd;
     if (len < 2)
         return 0;
 
@@ -643,12 +680,9 @@ static void usb_mouse_handle_reset(USBDevice *dev)
 {
     USBHIDState *s = (USBHIDState *)dev;
 
-    s->ptr.dx = 0;
-    s->ptr.dy = 0;
-    s->ptr.dz = 0;
-    s->ptr.x = 0;
-    s->ptr.y = 0;
-    s->ptr.buttons_state = 0;
+    memset (s->ptr.queue, 0, sizeof (s->ptr.queue));
+    s->ptr.head = 0;
+    s->ptr.n = 0;
     s->protocol = 1;
 }
 
@@ -708,12 +742,10 @@ static int usb_hid_handle_control(USBDevice *dev, int request, int value,
         }
         break;
     case GET_REPORT:
-	if (s->kind == USB_MOUSE)
-            ret = usb_mouse_poll(s, data, length);
-	else if (s->kind == USB_TABLET)
-            ret = usb_tablet_poll(s, data, length);
+        if (s->kind == USB_MOUSE || s->kind == USB_TABLET)
+            ret = usb_pointer_poll(s, data, length);
         else if (s->kind == USB_KEYBOARD)
-            ret = usb_keyboard_poll(&s->kbd, data, length);
+            ret = usb_keyboard_poll(s, data, length);
         break;
     case SET_REPORT:
         if (s->kind == USB_KEYBOARD)
@@ -762,13 +794,14 @@ static int usb_hid_handle_data(USBDevice *dev, USBPacket *p)
             if (!s->changed && (!s->idle || s->next_idle_clock - curtime > 0))
                 return USB_RET_NAK;
             usb_hid_set_next_idle(s, curtime);
-            s->changed = 0;
-            if (s->kind == USB_MOUSE)
-                ret = usb_mouse_poll(s, p->data, p->len);
-            else if (s->kind == USB_TABLET)
-                ret = usb_tablet_poll(s, p->data, p->len);
-            else if (s->kind == USB_KEYBOARD)
-                ret = usb_keyboard_poll(&s->kbd, p->data, p->len);
+            if (s->kind == USB_MOUSE || s->kind == USB_TABLET) {
+                ret = usb_pointer_poll(s, p->data, p->len);
+                s->changed = s->ptr.n > 0;
+            }
+            else if (s->kind == USB_KEYBOARD) {
+                ret = usb_keyboard_poll(s, p->data, p->len);
+                s->changed = 0;
+            }
         } else {
             goto fail;
         }
@@ -803,13 +836,13 @@ static int usb_hid_initfn(USBDevice *dev, int kind)
     s->kind = kind;
 
     if (s->kind == USB_MOUSE) {
-        s->ptr.eh_entry = qemu_add_mouse_event_handler(usb_mouse_event, s,
+        s->ptr.eh_entry = qemu_add_mouse_event_handler(usb_pointer_event, s,
                                                        0, "QEMU USB Mouse");
     } else if (s->kind == USB_TABLET) {
-        s->ptr.eh_entry = qemu_add_mouse_event_handler(usb_tablet_event, s,
+        s->ptr.eh_entry = qemu_add_mouse_event_handler(usb_pointer_event, s,
                                                        1, "QEMU USB Tablet");
     }
-        
+
     /* Force poll routine to be run and grab input the first time.  */
     s->changed = 1;
     return 0;
commit 96df67d1c3928704cd76d0b2e76372ef18658e85
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Jan 24 09:32:20 2011 +0000

    block: Use backing format driver during image creation
    
    The backing format should be honored during image creation.  For some
    reason we currently use the image format to open the backing file.  This
    fails when the backing file has a different format than the image being
    created.  Keep the image and backing format drivers completely separate.
    
    Also print the backing filename if there is an error opening the backing
    file instead of the image filename.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Acked-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index ff2795b..7ad3ddf 100644
--- a/block.c
+++ b/block.c
@@ -2778,6 +2778,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
     QEMUOptionParameter *backing_fmt, *backing_file;
     BlockDriverState *bs = NULL;
     BlockDriver *drv, *proto_drv;
+    BlockDriver *backing_drv = NULL;
     int ret = 0;
 
     /* Find driver and parse its options */
@@ -2846,7 +2847,8 @@ int bdrv_img_create(const char *filename, const char *fmt,
 
     backing_fmt = get_option_parameter(param, BLOCK_OPT_BACKING_FMT);
     if (backing_fmt && backing_fmt->value.s) {
-        if (!bdrv_find_format(backing_fmt->value.s)) {
+        backing_drv = bdrv_find_format(backing_fmt->value.s);
+        if (!backing_drv) {
             error_report("Unknown backing file format '%s'",
                          backing_fmt->value.s);
             ret = -EINVAL;
@@ -2863,9 +2865,9 @@ int bdrv_img_create(const char *filename, const char *fmt,
 
             bs = bdrv_new("");
 
-            ret = bdrv_open(bs, backing_file->value.s, flags, drv);
+            ret = bdrv_open(bs, backing_file->value.s, flags, backing_drv);
             if (ret < 0) {
-                error_report("Could not open '%s'", filename);
+                error_report("Could not open '%s'", backing_file->value.s);
                 goto out;
             }
             bdrv_get_geometry(bs, &size);
commit 850ec1133bf0f78ff19402cfd5d77eea376599a9
Author: Markus Armbruster <armbru at redhat.com>
Date:   Mon Jan 17 19:31:29 2011 +0100

    blockdev: Fix drive_del not to crash when drive is not in use
    
    Watch this:
    
        (qemu) drive_add 0 if=none,file=tmp.img
        OK
        (qemu) info block
        none0: type=hd removable=0 file=tmp.img ro=0 drv=raw encrypted=0
        (qemu) drive_del none0
        Segmentation fault (core dumped)
    
    do_drive_del()'s code to clean up the pointer from a qdev using the
    drive back to the drive needs to check whether such a device exists.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 0621390..f7f591f 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -687,13 +687,15 @@ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
 
     /* clean up guest state from pointing to host resource by
      * finding and removing DeviceState "drive" property */
-    for (prop = bs->peer->info->props; prop && prop->name; prop++) {
-        if (prop->info->type == PROP_TYPE_DRIVE) {
-            ptr = qdev_get_prop_ptr(bs->peer, prop);
-            if ((*ptr) == bs) {
-                bdrv_detach(bs, bs->peer);
-                *ptr = NULL;
-                break;
+    if (bs->peer) {
+        for (prop = bs->peer->info->props; prop && prop->name; prop++) {
+            if (prop->info->type == PROP_TYPE_DRIVE) {
+                ptr = qdev_get_prop_ptr(bs->peer, prop);
+                if (*ptr == bs) {
+                    bdrv_detach(bs, bs->peer);
+                    *ptr = NULL;
+                    break;
+                }
             }
         }
     }
commit 807105a775323be9b45ef1e965c5aad85a5ec281
Author: Markus Armbruster <armbru at redhat.com>
Date:   Mon Jan 17 19:31:27 2011 +0100

    blockdev: Make drive_init() use error_report()
    
    This makes the errors point to the error location, and fixes drive_add
    to report errors in the monitor instead of stderr.
    
    While there, tweak a few error messages for consistency.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 28c051b..0621390 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -107,7 +107,7 @@ DriveInfo *drive_get_by_blockdev(BlockDriverState *bs)
 
 static void bdrv_format_print(void *opaque, const char *name)
 {
-    fprintf(stderr, " %s", name);
+    error_printf(" %s", name);
 }
 
 void drive_uninit(DriveInfo *dinfo)
@@ -129,8 +129,8 @@ static int parse_block_error_action(const char *buf, int is_read)
     } else if (!strcmp(buf, "report")) {
         return BLOCK_ERR_REPORT;
     } else {
-        fprintf(stderr, "qemu: '%s' invalid %s error action\n",
-            buf, is_read ? "read" : "write");
+        error_report("'%s' invalid %s error action",
+                     buf, is_read ? "read" : "write");
         return -1;
     }
 }
@@ -217,31 +217,30 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 	    type = IF_NONE;
             max_devs = 0;
 	} else {
-            fprintf(stderr, "qemu: unsupported bus type '%s'\n", buf);
+            error_report("unsupported bus type '%s'", buf);
             return NULL;
 	}
     }
 
     if (cyls || heads || secs) {
         if (cyls < 1 || (type == IF_IDE && cyls > 16383)) {
-            fprintf(stderr, "qemu: invalid physical cyls number\n");
+            error_report("invalid physical cyls number");
 	    return NULL;
 	}
         if (heads < 1 || (type == IF_IDE && heads > 16)) {
-            fprintf(stderr, "qemu: invalid physical heads number\n");
+            error_report("invalid physical heads number");
 	    return NULL;
 	}
         if (secs < 1 || (type == IF_IDE && secs > 63)) {
-            fprintf(stderr, "qemu: invalid physical secs number\n");
+            error_report("invalid physical secs number");
 	    return NULL;
 	}
     }
 
     if ((buf = qemu_opt_get(opts, "trans")) != NULL) {
         if (!cyls) {
-            fprintf(stderr,
-                    "qemu: '%s' trans must be used with cyls,heads and secs\n",
-                    buf);
+            error_report("'%s' trans must be used with cyls,heads and secs",
+                         buf);
             return NULL;
         }
         if (!strcmp(buf, "none"))
@@ -251,7 +250,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
         else if (!strcmp(buf, "auto"))
             translation = BIOS_ATA_TRANSLATION_AUTO;
 	else {
-            fprintf(stderr, "qemu: '%s' invalid translation type\n", buf);
+            error_report("'%s' invalid translation type", buf);
 	    return NULL;
 	}
     }
@@ -261,13 +260,12 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 	    media = MEDIA_DISK;
 	} else if (!strcmp(buf, "cdrom")) {
             if (cyls || secs || heads) {
-                fprintf(stderr,
-                        "qemu: '%s' invalid physical CHS format\n", buf);
+                error_report("'%s' invalid physical CHS format", buf);
 	        return NULL;
             }
 	    media = MEDIA_CDROM;
 	} else {
-	    fprintf(stderr, "qemu: '%s' invalid media\n", buf);
+	    error_report("'%s' invalid media", buf);
 	    return NULL;
 	}
     }
@@ -283,7 +281,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
         } else if (!strcmp(buf, "writethrough")) {
             /* this is the default */
         } else {
-           fprintf(stderr, "qemu: invalid cache option\n");
+           error_report("invalid cache option");
            return NULL;
         }
     }
@@ -295,7 +293,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
         } else if (!strcmp(buf, "threads")) {
             /* this is the default */
         } else {
-           fprintf(stderr, "qemu: invalid aio option\n");
+           error_report("invalid aio option");
            return NULL;
         }
     }
@@ -303,14 +301,14 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if ((buf = qemu_opt_get(opts, "format")) != NULL) {
        if (strcmp(buf, "?") == 0) {
-            fprintf(stderr, "qemu: Supported formats:");
-            bdrv_iterate_format(bdrv_format_print, NULL);
-            fprintf(stderr, "\n");
-	    return NULL;
+           error_printf("Supported formats:");
+           bdrv_iterate_format(bdrv_format_print, NULL);
+           error_printf("\n");
+           return NULL;
         }
         drv = bdrv_find_whitelisted_format(buf);
         if (!drv) {
-            fprintf(stderr, "qemu: '%s' invalid format\n", buf);
+            error_report("'%s' invalid format", buf);
             return NULL;
         }
     }
@@ -318,7 +316,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
     on_write_error = BLOCK_ERR_STOP_ENOSPC;
     if ((buf = qemu_opt_get(opts, "werror")) != NULL) {
         if (type != IF_IDE && type != IF_SCSI && type != IF_VIRTIO && type != IF_NONE) {
-            fprintf(stderr, "werror is not supported by this format\n");
+            error_report("werror is not supported by this bus type");
             return NULL;
         }
 
@@ -331,7 +329,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
     on_read_error = BLOCK_ERR_REPORT;
     if ((buf = qemu_opt_get(opts, "rerror")) != NULL) {
         if (type != IF_IDE && type != IF_VIRTIO && type != IF_SCSI && type != IF_NONE) {
-            fprintf(stderr, "rerror is not supported by this format\n");
+            error_report("rerror is not supported by this bus type");
             return NULL;
         }
 
@@ -343,7 +341,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if ((devaddr = qemu_opt_get(opts, "addr")) != NULL) {
         if (type != IF_VIRTIO) {
-            fprintf(stderr, "addr is not supported\n");
+            error_report("addr is not supported by this bus type");
             return NULL;
         }
     }
@@ -352,8 +350,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if (index != -1) {
         if (bus_id != 0 || unit_id != -1) {
-            fprintf(stderr,
-                    "qemu: index cannot be used with bus and unit\n");
+            error_report("index cannot be used with bus and unit");
             return NULL;
         }
         if (max_devs == 0)
@@ -384,8 +381,8 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
     /* check unit id */
 
     if (max_devs && unit_id >= max_devs) {
-        fprintf(stderr, "qemu: unit %d too big (max is %d)\n",
-                unit_id, max_devs - 1);
+        error_report("unit %d too big (max is %d)",
+                     unit_id, max_devs - 1);
         return NULL;
     }
 
@@ -479,7 +476,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
         ro = 1;
     } else if (ro == 1) {
         if (type != IF_SCSI && type != IF_VIRTIO && type != IF_FLOPPY && type != IF_NONE) {
-            fprintf(stderr, "qemu: readonly flag not supported for drive with this interface\n");
+            error_report("readonly not supported by this bus type");
             return NULL;
         }
     }
@@ -488,8 +485,8 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     ret = bdrv_open(dinfo->bdrv, file, bdrv_flags, drv);
     if (ret < 0) {
-        fprintf(stderr, "qemu: could not open disk image %s: %s\n",
-                        file, strerror(-ret));
+        error_report("could not open disk image %s: %s",
+                     file, strerror(-ret));
         return NULL;
     }
 
commit 483848540557aef6af08adbe3ef8201b961220d5
Author: Markus Armbruster <armbru at redhat.com>
Date:   Mon Jan 17 19:31:26 2011 +0100

    blockdev: Fix error message for invalid -drive CHS
    
    When cyls, heads or secs are out of range, the error message prints
    buf, which points to the value of option "if".  Bogus, may even be
    null.  Drop that.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 662f7a9..28c051b 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -224,15 +224,15 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     if (cyls || heads || secs) {
         if (cyls < 1 || (type == IF_IDE && cyls > 16383)) {
-            fprintf(stderr, "qemu: '%s' invalid physical cyls number\n", buf);
+            fprintf(stderr, "qemu: invalid physical cyls number\n");
 	    return NULL;
 	}
         if (heads < 1 || (type == IF_IDE && heads > 16)) {
-            fprintf(stderr, "qemu: '%s' invalid physical heads number\n", buf);
+            fprintf(stderr, "qemu: invalid physical heads number\n");
 	    return NULL;
 	}
         if (secs < 1 || (type == IF_IDE && secs > 63)) {
-            fprintf(stderr, "qemu: '%s' invalid physical secs number\n", buf);
+            fprintf(stderr, "qemu: invalid physical secs number\n");
 	    return NULL;
 	}
     }
commit 77358b59f6f3ef571fb2262f5f6216e179d07ecb
Author: Pierre Riteau <Pierre.Riteau at irisa.fr>
Date:   Fri Jan 21 12:42:30 2011 +0100

    Fix block migration when the device size is not a multiple of 1 MB
    
    b02bea3a85cc939f09aa674a3f1e4f36d418c007 added a check on the return
    value of bdrv_write and aborts migration when it fails. However, if the
    size of the block device to migrate is not a multiple of BLOCK_SIZE
    (currently 1 MB), the last bdrv_write will fail with -EIO.
    
    Fixed by calling bdrv_write with the correct size of the last block.
    
    Signed-off-by: Pierre Riteau <Pierre.Riteau at irisa.fr>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block-migration.c b/block-migration.c
index 60b9fc0..c9d3e81 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -638,8 +638,10 @@ static int block_load(QEMUFile *f, void *opaque, int version_id)
     int len, flags;
     char device_name[256];
     int64_t addr;
-    BlockDriverState *bs;
+    BlockDriverState *bs, *bs_prev = NULL;
     uint8_t *buf;
+    int64_t total_sectors = 0;
+    int nr_sectors;
 
     do {
         addr = qemu_get_be64(f);
@@ -661,10 +663,26 @@ static int block_load(QEMUFile *f, void *opaque, int version_id)
                 return -EINVAL;
             }
 
+            if (bs != bs_prev) {
+                bs_prev = bs;
+                total_sectors = bdrv_getlength(bs) >> BDRV_SECTOR_BITS;
+                if (total_sectors <= 0) {
+                    error_report("Error getting length of block device %s\n",
+                                 device_name);
+                    return -EINVAL;
+                }
+            }
+
+            if (total_sectors - addr < BDRV_SECTORS_PER_DIRTY_CHUNK) {
+                nr_sectors = total_sectors - addr;
+            } else {
+                nr_sectors = BDRV_SECTORS_PER_DIRTY_CHUNK;
+            }
+
             buf = qemu_malloc(BLOCK_SIZE);
 
             qemu_get_buffer(f, buf, BLOCK_SIZE);
-            ret = bdrv_write(bs, addr, buf, BDRV_SECTORS_PER_DIRTY_CHUNK);
+            ret = bdrv_write(bs, addr, buf, nr_sectors);
 
             qemu_free(buf);
             if (ret < 0) {
commit c743849bee7333c7ef256b7e12e34ed6f907064f
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Jan 14 22:44:33 2011 +0000

    qed: Refuse to create images on block devices
    
    QED relies on the underlying filesystem to extend the file and maintain
    its size.  Check that images are not created on a block device.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qed.c b/block/qed.c
index 085c4f2..a46f9ef 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -469,6 +469,12 @@ static int qed_create(const char *filename, uint32_t cluster_size,
         return ret;
     }
 
+    /* File must start empty and grow, check truncate is supported */
+    ret = bdrv_truncate(bs, 0);
+    if (ret < 0) {
+        goto out;
+    }
+
     if (backing_file) {
         header.features |= QED_F_BACKING_FILE;
         header.backing_filename_offset = sizeof(le_header);
commit e61846908efd5ea0916d157a82adabf0674a01b0
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Jan 17 15:35:28 2011 +0100

    Documentation: Add qemu-img check/rebase
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.texi b/qemu-img.texi
index 1b90ddb..ced64a4 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -59,6 +59,13 @@ lists all snapshots in the given image
 Command description:
 
 @table @option
+ at item check [-f @var{fmt}] @var{filename}
+
+Perform a consistency check on the disk image @var{filename}.
+
+Only the formats @code{qcow2}, @code{qed} and @code{vdi} support
+consistency checks.
+
 @item create [-f @var{fmt}] [-o @var{options}] @var{filename} [@var{size}]
 
 Create the new disk image @var{filename} of size @var{size} and format
@@ -107,6 +114,40 @@ they are displayed too.
 
 List, apply, create or delete snapshots in image @var{filename}.
 
+ at item rebase [-f @var{fmt}] [-u] -b @var{backing_file} [-F @var{backing_fmt}] @var{filename}
+
+Changes the backing file of an image. Only the formats @code{qcow2} and
+ at code{qed} support changing the backing file.
+
+The backing file is changed to @var{backing_file} and (if the image format of
+ at var{filename} supports this) the backing file format is changed to
+ at var{backing_fmt}.
+
+There are two different modes in which @code{rebase} can operate:
+ at table @option
+ at item Safe mode
+This is the default mode and performs a real rebase operation. The new backing
+file may differ from the old one and qemu-img rebase will take care of keeping
+the guest-visible content of @var{filename} unchanged.
+
+In order to achieve this, any clusters that differ between @var{backing_file}
+and the old backing file of @var{filename} are merged into @var{filename}
+before actually changing the backing file.
+
+Note that the safe mode is an expensive operation, comparable to converting
+an image. It only works if the old backing file still exists.
+
+ at item Unsafe mode
+qemu-img uses the unsafe mode if @code{-u} is specified. In this mode, only the
+backing file name and format of @var{filename} is changed without any checks
+on the file contents. The user must take care of specifying the correct new
+backing file, or the guest-visible content of the image will be corrupted.
+
+This mode is useful for renaming or moving the backing file to somewhere else.
+It can be used without an accessible old backing file, i.e. you can use it to
+fix an image whose backing file has already been moved/renamed.
+ at end table
+
 @item resize @var{filename} [+ | -]@var{size}
 
 Change the disk image as if it had been created with @var{size}.
commit 1635eecc413ed680013cf77e6994901cafe15590
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sat Jan 15 19:01:03 2011 +0100

    ide: Remove unneeded null pointer check
    
    With bm == NULL, other code in the same function would crash.
    
    This bug was reported by cppcheck:
    hw/ide/pci.c:280: error: Possible null pointer dereference: bm
    
    Cc: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index 987caff..35168cb 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -267,9 +267,7 @@ static void bmdma_irq(void *opaque, int n, int level)
         return;
     }
 
-    if (bm) {
-        bm->status |= BM_STATUS_INT;
-    }
+    bm->status |= BM_STATUS_INT;
 
     /* trigger the real irq */
     qemu_set_irq(bm->irq, level);
commit 3de0a2944bdb3047dce275560631834bcb4afe22
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Jan 14 15:55:38 2011 +0100

    qcow2: Batch flushes for COW
    
    qcow2 calls bdrv_flush() after performing COW in order to ensure that the
    L2 table change is never written before the copy is safe on disk. Now that the
    L2 table is cached, we can wait with flushing until we write out the next L2
    table.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c
index 5f1740b..8f2955b 100644
--- a/block/qcow2-cache.c
+++ b/block/qcow2-cache.c
@@ -38,6 +38,7 @@ struct Qcow2Cache {
     int                     size;
     Qcow2CachedTable*       entries;
     struct Qcow2Cache*      depends;
+    bool                    depends_on_flush;
     bool                    writethrough;
 };
 
@@ -85,13 +86,15 @@ static int qcow2_cache_flush_dependency(BlockDriverState *bs, Qcow2Cache *c)
     }
 
     c->depends = NULL;
+    c->depends_on_flush = false;
+
     return 0;
 }
 
 static int qcow2_cache_entry_flush(BlockDriverState *bs, Qcow2Cache *c, int i)
 {
     BDRVQcowState *s = bs->opaque;
-    int ret;
+    int ret = 0;
 
     if (!c->entries[i].dirty || !c->entries[i].offset) {
         return 0;
@@ -99,11 +102,17 @@ static int qcow2_cache_entry_flush(BlockDriverState *bs, Qcow2Cache *c, int i)
 
     if (c->depends) {
         ret = qcow2_cache_flush_dependency(bs, c);
-        if (ret < 0) {
-            return ret;
+    } else if (c->depends_on_flush) {
+        ret = bdrv_flush(bs->file);
+        if (ret >= 0) {
+            c->depends_on_flush = false;
         }
     }
 
+    if (ret < 0) {
+        return ret;
+    }
+
     if (c == s->refcount_block_cache) {
         BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_UPDATE_PART);
     } else if (c == s->l2_table_cache) {
@@ -167,6 +176,11 @@ int qcow2_cache_set_dependency(BlockDriverState *bs, Qcow2Cache *c,
     return 0;
 }
 
+void qcow2_cache_depends_on_flush(Qcow2Cache *c)
+{
+    c->depends_on_flush = true;
+}
+
 static int qcow2_cache_find_entry_to_replace(Qcow2Cache *c)
 {
     int i;
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 76e7e07..1c2003a 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -637,7 +637,7 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
      * handled.
      */
     if (cow) {
-        bdrv_flush(bs->file);
+        qcow2_cache_depends_on_flush(s->l2_table_cache);
     }
 
     qcow2_cache_set_dependency(bs, s->l2_table_cache, s->refcount_block_cache);
diff --git a/block/qcow2.h b/block/qcow2.h
index 11cbce3..6d80120 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -229,6 +229,7 @@ void qcow2_cache_entry_mark_dirty(Qcow2Cache *c, void *table);
 int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c);
 int qcow2_cache_set_dependency(BlockDriverState *bs, Qcow2Cache *c,
     Qcow2Cache *dependency);
+void qcow2_cache_depends_on_flush(Qcow2Cache *c);
 
 int qcow2_cache_get(BlockDriverState *bs, Qcow2Cache *c, uint64_t offset,
     void **table);
commit 29c1a7301af752de6721e031d31faa48887204bd
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Jan 10 17:17:28 2011 +0100

    qcow2: Use QcowCache
    
    Use the new functions of qcow2-cache.c for everything that works on refcount
    block and L2 tables.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c
index f7c4e2a..5f1740b 100644
--- a/block/qcow2-cache.c
+++ b/block/qcow2-cache.c
@@ -104,6 +104,12 @@ static int qcow2_cache_entry_flush(BlockDriverState *bs, Qcow2Cache *c, int i)
         }
     }
 
+    if (c == s->refcount_block_cache) {
+        BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_UPDATE_PART);
+    } else if (c == s->l2_table_cache) {
+        BLKDBG_EVENT(bs->file, BLKDBG_L2_UPDATE);
+    }
+
     ret = bdrv_pwrite(bs->file, c->entries[i].offset, c->entries[i].table,
         s->cluster_size);
     if (ret < 0) {
@@ -218,6 +224,10 @@ static int qcow2_cache_do_get(BlockDriverState *bs, Qcow2Cache *c,
 
     c->entries[i].offset = 0;
     if (read_from_disk) {
+        if (c == s->l2_table_cache) {
+            BLKDBG_EVENT(bs->file, BLKDBG_L2_LOAD);
+        }
+
         ret = bdrv_pread(bs->file, offset, c->entries[i].table, s->cluster_size);
         if (ret < 0) {
             return ret;
diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index c3ef550..76e7e07 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -67,7 +67,11 @@ int qcow2_grow_l1_table(BlockDriverState *bs, int min_size, bool exact_size)
         qemu_free(new_l1_table);
         return new_l1_table_offset;
     }
-    bdrv_flush(bs->file);
+
+    ret = qcow2_cache_flush(bs, s->refcount_block_cache);
+    if (ret < 0) {
+        return ret;
+    }
 
     BLKDBG_EVENT(bs->file, BLKDBG_L1_GROW_WRITE_TABLE);
     for(i = 0; i < s->l1_size; i++)
@@ -98,63 +102,6 @@ int qcow2_grow_l1_table(BlockDriverState *bs, int min_size, bool exact_size)
     return ret;
 }
 
-void qcow2_l2_cache_reset(BlockDriverState *bs)
-{
-    BDRVQcowState *s = bs->opaque;
-
-    memset(s->l2_cache, 0, s->l2_size * L2_CACHE_SIZE * sizeof(uint64_t));
-    memset(s->l2_cache_offsets, 0, L2_CACHE_SIZE * sizeof(uint64_t));
-    memset(s->l2_cache_counts, 0, L2_CACHE_SIZE * sizeof(uint32_t));
-}
-
-static inline int l2_cache_new_entry(BlockDriverState *bs)
-{
-    BDRVQcowState *s = bs->opaque;
-    uint32_t min_count;
-    int min_index, i;
-
-    /* find a new entry in the least used one */
-    min_index = 0;
-    min_count = 0xffffffff;
-    for(i = 0; i < L2_CACHE_SIZE; i++) {
-        if (s->l2_cache_counts[i] < min_count) {
-            min_count = s->l2_cache_counts[i];
-            min_index = i;
-        }
-    }
-    return min_index;
-}
-
-/*
- * seek_l2_table
- *
- * seek l2_offset in the l2_cache table
- * if not found, return NULL,
- * if found,
- *   increments the l2 cache hit count of the entry,
- *   if counter overflow, divide by two all counters
- *   return the pointer to the l2 cache entry
- *
- */
-
-static uint64_t *seek_l2_table(BDRVQcowState *s, uint64_t l2_offset)
-{
-    int i, j;
-
-    for(i = 0; i < L2_CACHE_SIZE; i++) {
-        if (l2_offset == s->l2_cache_offsets[i]) {
-            /* increment the hit count */
-            if (++s->l2_cache_counts[i] == 0xffffffff) {
-                for(j = 0; j < L2_CACHE_SIZE; j++) {
-                    s->l2_cache_counts[j] >>= 1;
-                }
-            }
-            return s->l2_cache + (i << s->l2_bits);
-        }
-    }
-    return NULL;
-}
-
 /*
  * l2_load
  *
@@ -169,33 +116,11 @@ static int l2_load(BlockDriverState *bs, uint64_t l2_offset,
     uint64_t **l2_table)
 {
     BDRVQcowState *s = bs->opaque;
-    int min_index;
     int ret;
 
-    /* seek if the table for the given offset is in the cache */
-
-    *l2_table = seek_l2_table(s, l2_offset);
-    if (*l2_table != NULL) {
-        return 0;
-    }
-
-    /* not found: load a new entry in the least used one */
-
-    min_index = l2_cache_new_entry(bs);
-    *l2_table = s->l2_cache + (min_index << s->l2_bits);
-
-    BLKDBG_EVENT(bs->file, BLKDBG_L2_LOAD);
-    ret = bdrv_pread(bs->file, l2_offset, *l2_table,
-        s->l2_size * sizeof(uint64_t));
-    if (ret < 0) {
-        qcow2_l2_cache_reset(bs);
-        return ret;
-    }
-
-    s->l2_cache_offsets[min_index] = l2_offset;
-    s->l2_cache_counts[min_index] = 1;
+    ret = qcow2_cache_get(bs, s->l2_table_cache, l2_offset, (void**) l2_table);
 
-    return 0;
+    return ret;
 }
 
 /*
@@ -238,7 +163,6 @@ static int write_l1_entry(BlockDriverState *bs, int l1_index)
 static int l2_allocate(BlockDriverState *bs, int l1_index, uint64_t **table)
 {
     BDRVQcowState *s = bs->opaque;
-    int min_index;
     uint64_t old_l2_offset;
     uint64_t *l2_table;
     int64_t l2_offset;
@@ -252,29 +176,48 @@ static int l2_allocate(BlockDriverState *bs, int l1_index, uint64_t **table)
     if (l2_offset < 0) {
         return l2_offset;
     }
-    bdrv_flush(bs->file);
+
+    ret = qcow2_cache_flush(bs, s->refcount_block_cache);
+    if (ret < 0) {
+        goto fail;
+    }
 
     /* allocate a new entry in the l2 cache */
 
-    min_index = l2_cache_new_entry(bs);
-    l2_table = s->l2_cache + (min_index << s->l2_bits);
+    ret = qcow2_cache_get_empty(bs, s->l2_table_cache, l2_offset, (void**) table);
+    if (ret < 0) {
+        return ret;
+    }
+
+    l2_table = *table;
 
     if (old_l2_offset == 0) {
         /* if there was no old l2 table, clear the new table */
         memset(l2_table, 0, s->l2_size * sizeof(uint64_t));
     } else {
+        uint64_t* old_table;
+
         /* if there was an old l2 table, read it from the disk */
         BLKDBG_EVENT(bs->file, BLKDBG_L2_ALLOC_COW_READ);
-        ret = bdrv_pread(bs->file, old_l2_offset, l2_table,
-            s->l2_size * sizeof(uint64_t));
+        ret = qcow2_cache_get(bs, s->l2_table_cache, old_l2_offset,
+            (void**) &old_table);
+        if (ret < 0) {
+            goto fail;
+        }
+
+        memcpy(l2_table, old_table, s->cluster_size);
+
+        ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &old_table);
         if (ret < 0) {
             goto fail;
         }
     }
+
     /* write the l2 table to the file */
     BLKDBG_EVENT(bs->file, BLKDBG_L2_ALLOC_WRITE);
-    ret = bdrv_pwrite_sync(bs->file, l2_offset, l2_table,
-        s->l2_size * sizeof(uint64_t));
+
+    qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
+    ret = qcow2_cache_flush(bs, s->l2_table_cache);
     if (ret < 0) {
         goto fail;
     }
@@ -286,17 +229,12 @@ static int l2_allocate(BlockDriverState *bs, int l1_index, uint64_t **table)
         goto fail;
     }
 
-    /* update the l2 cache entry */
-
-    s->l2_cache_offsets[min_index] = l2_offset;
-    s->l2_cache_counts[min_index] = 1;
-
     *table = l2_table;
     return 0;
 
 fail:
+    qcow2_cache_put(bs, s->l2_table_cache, (void**) table);
     s->l1_table[l1_index] = old_l2_offset;
-    qcow2_l2_cache_reset(bs);
     return ret;
 }
 
@@ -521,6 +459,8 @@ int qcow2_get_cluster_offset(BlockDriverState *bs, uint64_t offset,
                 &l2_table[l2_index], 0, QCOW_OFLAG_COPIED);
     }
 
+    qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
+
    nb_available = (c * s->cluster_sectors);
 out:
     if (nb_available > nb_needed)
@@ -575,6 +515,7 @@ static int get_cluster_table(BlockDriverState *bs, uint64_t offset,
             return ret;
         }
     } else {
+        /* FIXME Order */
         if (l2_offset)
             qcow2_free_clusters(bs, l2_offset, s->l2_size * sizeof(uint64_t));
         ret = l2_allocate(bs, l1_index, &l2_table);
@@ -632,6 +573,7 @@ uint64_t qcow2_alloc_compressed_cluster_offset(BlockDriverState *bs,
 
     cluster_offset = qcow2_alloc_bytes(bs, compressed_size);
     if (cluster_offset < 0) {
+        qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
         return 0;
     }
 
@@ -646,38 +588,14 @@ uint64_t qcow2_alloc_compressed_cluster_offset(BlockDriverState *bs,
     /* compressed clusters never have the copied flag */
 
     BLKDBG_EVENT(bs->file, BLKDBG_L2_UPDATE_COMPRESSED);
+    qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
     l2_table[l2_index] = cpu_to_be64(cluster_offset);
-    if (bdrv_pwrite_sync(bs->file,
-                    l2_offset + l2_index * sizeof(uint64_t),
-                    l2_table + l2_index,
-                    sizeof(uint64_t)) < 0)
-        return 0;
-
-    return cluster_offset;
-}
-
-/*
- * Write L2 table updates to disk, writing whole sectors to avoid a
- * read-modify-write in bdrv_pwrite
- */
-#define L2_ENTRIES_PER_SECTOR (512 / 8)
-static int write_l2_entries(BlockDriverState *bs, uint64_t *l2_table,
-    uint64_t l2_offset, int l2_index, int num)
-{
-    int l2_start_index = l2_index & ~(L1_ENTRIES_PER_SECTOR - 1);
-    int start_offset = (8 * l2_index) & ~511;
-    int end_offset = (8 * (l2_index + num) + 511) & ~511;
-    size_t len = end_offset - start_offset;
-    int ret;
-
-    BLKDBG_EVENT(bs->file, BLKDBG_L2_UPDATE);
-    ret = bdrv_pwrite(bs->file, l2_offset + start_offset,
-        &l2_table[l2_start_index], len);
+    ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
     if (ret < 0) {
-        return ret;
+        return 0;
     }
 
-    return 0;
+    return cluster_offset;
 }
 
 int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
@@ -686,6 +604,7 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
     int i, j = 0, l2_index, ret;
     uint64_t *old_cluster, start_sect, l2_offset, *l2_table;
     uint64_t cluster_offset = m->cluster_offset;
+    bool cow = false;
 
     if (m->nb_clusters == 0)
         return 0;
@@ -695,6 +614,7 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
     /* copy content of unmodified sectors */
     start_sect = (m->offset & ~(s->cluster_size - 1)) >> 9;
     if (m->n_start) {
+        cow = true;
         ret = copy_sectors(bs, start_sect, cluster_offset, 0, m->n_start);
         if (ret < 0)
             goto err;
@@ -702,17 +622,30 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
 
     if (m->nb_available & (s->cluster_sectors - 1)) {
         uint64_t end = m->nb_available & ~(uint64_t)(s->cluster_sectors - 1);
+        cow = true;
         ret = copy_sectors(bs, start_sect + end, cluster_offset + (end << 9),
                 m->nb_available - end, s->cluster_sectors);
         if (ret < 0)
             goto err;
     }
 
-    /* update L2 table */
+    /*
+     * Update L2 table.
+     *
+     * Before we update the L2 table to actually point to the new cluster, we
+     * need to be sure that the refcounts have been increased and COW was
+     * handled.
+     */
+    if (cow) {
+        bdrv_flush(bs->file);
+    }
+
+    qcow2_cache_set_dependency(bs, s->l2_table_cache, s->refcount_block_cache);
     ret = get_cluster_table(bs, m->offset, &l2_table, &l2_offset, &l2_index);
     if (ret < 0) {
         goto err;
     }
+    qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
 
     for (i = 0; i < m->nb_clusters; i++) {
         /* if two concurrent writes happen to the same unallocated cluster
@@ -728,16 +661,9 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
                     (i << s->cluster_bits)) | QCOW_OFLAG_COPIED);
      }
 
-    /*
-     * Before we update the L2 table to actually point to the new cluster, we
-     * need to be sure that the refcounts have been increased and COW was
-     * handled.
-     */
-    bdrv_flush(bs->file);
 
-    ret = write_l2_entries(bs, l2_table, l2_offset, l2_index, m->nb_clusters);
+    ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
     if (ret < 0) {
-        qcow2_l2_cache_reset(bs);
         goto err;
     }
 
@@ -746,7 +672,6 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
      * Also flush bs->file to get the right order for L2 and refcount update.
      */
     if (j != 0) {
-        bdrv_flush(bs->file);
         for (i = 0; i < j; i++) {
             qcow2_free_any_clusters(bs,
                 be64_to_cpu(old_cluster[i]) & ~QCOW_OFLAG_COPIED, 1);
@@ -868,7 +793,8 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
                 m->depends_on = old_alloc;
                 m->nb_clusters = 0;
                 *num = 0;
-                return 0;
+                ret = 0;
+                goto fail;
             }
         }
     }
@@ -884,7 +810,8 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
     cluster_offset = qcow2_alloc_clusters(bs, nb_clusters * s->cluster_size);
     if (cluster_offset < 0) {
         QLIST_REMOVE(m, next_in_flight);
-        return cluster_offset;
+        ret = cluster_offset;
+        goto fail;
     }
 
     /* save info needed for meta data update */
@@ -893,12 +820,21 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
     m->nb_clusters = nb_clusters;
 
 out:
+    ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
+    if (ret < 0) {
+        return ret;
+    }
+
     m->nb_available = MIN(nb_clusters << (s->cluster_bits - 9), n_end);
     m->cluster_offset = cluster_offset;
 
     *num = m->nb_available - n_start;
 
     return 0;
+
+fail:
+    qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
+    return ret;
 }
 
 static int decompress_buffer(uint8_t *out_buf, int out_buf_size,
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index a10453c..e37e226 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -32,27 +32,6 @@ static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
                             int addend);
 
 
-static int cache_refcount_updates = 0;
-
-static int write_refcount_block(BlockDriverState *bs)
-{
-    BDRVQcowState *s = bs->opaque;
-    size_t size = s->cluster_size;
-
-    if (s->refcount_block_cache_offset == 0) {
-        return 0;
-    }
-
-    BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_UPDATE);
-    if (bdrv_pwrite_sync(bs->file, s->refcount_block_cache_offset,
-            s->refcount_block_cache, size) < 0)
-    {
-        return -EIO;
-    }
-
-    return 0;
-}
-
 /*********************************************************/
 /* refcount handling */
 
@@ -61,7 +40,6 @@ int qcow2_refcount_init(BlockDriverState *bs)
     BDRVQcowState *s = bs->opaque;
     int ret, refcount_table_size2, i;
 
-    s->refcount_block_cache = qemu_malloc(s->cluster_size);
     refcount_table_size2 = s->refcount_table_size * sizeof(uint64_t);
     s->refcount_table = qemu_malloc(refcount_table_size2);
     if (s->refcount_table_size > 0) {
@@ -81,34 +59,22 @@ int qcow2_refcount_init(BlockDriverState *bs)
 void qcow2_refcount_close(BlockDriverState *bs)
 {
     BDRVQcowState *s = bs->opaque;
-    qemu_free(s->refcount_block_cache);
     qemu_free(s->refcount_table);
 }
 
 
 static int load_refcount_block(BlockDriverState *bs,
-                               int64_t refcount_block_offset)
+                               int64_t refcount_block_offset,
+                               void **refcount_block)
 {
     BDRVQcowState *s = bs->opaque;
     int ret;
 
-    if (cache_refcount_updates) {
-        ret = write_refcount_block(bs);
-        if (ret < 0) {
-            return ret;
-        }
-    }
-
     BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_LOAD);
-    ret = bdrv_pread(bs->file, refcount_block_offset, s->refcount_block_cache,
-                     s->cluster_size);
-    if (ret < 0) {
-        s->refcount_block_cache_offset = 0;
-        return ret;
-    }
+    ret = qcow2_cache_get(bs, s->refcount_block_cache, refcount_block_offset,
+        refcount_block);
 
-    s->refcount_block_cache_offset = refcount_block_offset;
-    return 0;
+    return ret;
 }
 
 /*
@@ -122,6 +88,8 @@ static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
     int refcount_table_index, block_index;
     int64_t refcount_block_offset;
     int ret;
+    uint16_t *refcount_block;
+    uint16_t refcount;
 
     refcount_table_index = cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT);
     if (refcount_table_index >= s->refcount_table_size)
@@ -129,16 +97,24 @@ static int get_refcount(BlockDriverState *bs, int64_t cluster_index)
     refcount_block_offset = s->refcount_table[refcount_table_index];
     if (!refcount_block_offset)
         return 0;
-    if (refcount_block_offset != s->refcount_block_cache_offset) {
-        /* better than nothing: return allocated if read error */
-        ret = load_refcount_block(bs, refcount_block_offset);
-        if (ret < 0) {
-            return ret;
-        }
+
+    ret = qcow2_cache_get(bs, s->refcount_block_cache, refcount_block_offset,
+        (void**) &refcount_block);
+    if (ret < 0) {
+        return ret;
     }
+
     block_index = cluster_index &
         ((1 << (s->cluster_bits - REFCOUNT_SHIFT)) - 1);
-    return be16_to_cpu(s->refcount_block_cache[block_index]);
+    refcount = be16_to_cpu(refcount_block[block_index]);
+
+    ret = qcow2_cache_put(bs, s->refcount_block_cache,
+        (void**) &refcount_block);
+    if (ret < 0) {
+        return ret;
+    }
+
+    return refcount;
 }
 
 /*
@@ -174,9 +150,10 @@ static int in_same_refcount_block(BDRVQcowState *s, uint64_t offset_a,
  * Loads a refcount block. If it doesn't exist yet, it is allocated first
  * (including growing the refcount table if needed).
  *
- * Returns the offset of the refcount block on success or -errno in error case
+ * Returns 0 on success or -errno in error case
  */
-static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
+static int alloc_refcount_block(BlockDriverState *bs,
+    int64_t cluster_index, uint16_t **refcount_block)
 {
     BDRVQcowState *s = bs->opaque;
     unsigned int refcount_table_index;
@@ -194,13 +171,8 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
 
         /* If it's already there, we're done */
         if (refcount_block_offset) {
-            if (refcount_block_offset != s->refcount_block_cache_offset) {
-                ret = load_refcount_block(bs, refcount_block_offset);
-                if (ret < 0) {
-                    return ret;
-                }
-            }
-            return refcount_block_offset;
+             return load_refcount_block(bs, refcount_block_offset,
+                 (void**) refcount_block);
         }
     }
 
@@ -226,12 +198,10 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
      *   refcount block into the cache
      */
 
-    if (cache_refcount_updates) {
-        ret = write_refcount_block(bs);
-        if (ret < 0) {
-            return ret;
-        }
-    }
+    *refcount_block = NULL;
+
+    /* We write to the refcount table, so we might depend on L2 tables */
+    qcow2_cache_flush(bs, s->l2_table_cache);
 
     /* Allocate the refcount block itself and mark it as used */
     int64_t new_block = alloc_clusters_noref(bs, s->cluster_size);
@@ -247,13 +217,18 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
 
     if (in_same_refcount_block(s, new_block, cluster_index << s->cluster_bits)) {
         /* Zero the new refcount block before updating it */
-        memset(s->refcount_block_cache, 0, s->cluster_size);
-        s->refcount_block_cache_offset = new_block;
+        ret = qcow2_cache_get_empty(bs, s->refcount_block_cache, new_block,
+            (void**) refcount_block);
+        if (ret < 0) {
+            goto fail_block;
+        }
+
+        memset(*refcount_block, 0, s->cluster_size);
 
         /* The block describes itself, need to update the cache */
         int block_index = (new_block >> s->cluster_bits) &
             ((1 << (s->cluster_bits - REFCOUNT_SHIFT)) - 1);
-        s->refcount_block_cache[block_index] = cpu_to_be16(1);
+        (*refcount_block)[block_index] = cpu_to_be16(1);
     } else {
         /* Described somewhere else. This can recurse at most twice before we
          * arrive at a block that describes itself. */
@@ -266,14 +241,19 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
 
         /* Initialize the new refcount block only after updating its refcount,
          * update_refcount uses the refcount cache itself */
-        memset(s->refcount_block_cache, 0, s->cluster_size);
-        s->refcount_block_cache_offset = new_block;
+        ret = qcow2_cache_get_empty(bs, s->refcount_block_cache, new_block,
+            (void**) refcount_block);
+        if (ret < 0) {
+            goto fail_block;
+        }
+
+        memset(*refcount_block, 0, s->cluster_size);
     }
 
     /* Now the new refcount block needs to be written to disk */
     BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_ALLOC_WRITE);
-    ret = bdrv_pwrite_sync(bs->file, new_block, s->refcount_block_cache,
-        s->cluster_size);
+    qcow2_cache_entry_mark_dirty(s->refcount_block_cache, *refcount_block);
+    ret = qcow2_cache_flush(bs, s->refcount_block_cache);
     if (ret < 0) {
         goto fail_block;
     }
@@ -290,7 +270,12 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
         }
 
         s->refcount_table[refcount_table_index] = new_block;
-        return new_block;
+        return 0;
+    }
+
+    ret = qcow2_cache_put(bs, s->refcount_block_cache, (void**) refcount_block);
+    if (ret < 0) {
+        goto fail_block;
     }
 
     /*
@@ -410,9 +395,9 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
     qcow2_free_clusters(bs, old_table_offset, old_table_size * sizeof(uint64_t));
     s->free_cluster_index = old_free_cluster_index;
 
-    ret = load_refcount_block(bs, new_block);
+    ret = load_refcount_block(bs, new_block, (void**) refcount_block);
     if (ret < 0) {
-        goto fail_block;
+        return ret;
     }
 
     return new_block;
@@ -420,41 +405,10 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
 fail_table:
     qemu_free(new_table);
 fail_block:
-    s->refcount_block_cache_offset = 0;
-    return ret;
-}
-
-#define REFCOUNTS_PER_SECTOR (512 >> REFCOUNT_SHIFT)
-static int write_refcount_block_entries(BlockDriverState *bs,
-    int64_t refcount_block_offset, int first_index, int last_index)
-{
-    BDRVQcowState *s = bs->opaque;
-    size_t size;
-    int ret;
-
-    if (cache_refcount_updates) {
-        return 0;
-    }
-
-    if (first_index < 0) {
-        return 0;
-    }
-
-    first_index &= ~(REFCOUNTS_PER_SECTOR - 1);
-    last_index = (last_index + REFCOUNTS_PER_SECTOR)
-        & ~(REFCOUNTS_PER_SECTOR - 1);
-
-    size = (last_index - first_index) << REFCOUNT_SHIFT;
-
-    BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_UPDATE_PART);
-    ret = bdrv_pwrite(bs->file,
-        refcount_block_offset + (first_index << REFCOUNT_SHIFT),
-        &s->refcount_block_cache[first_index], size);
-    if (ret < 0) {
-        return ret;
+    if (*refcount_block != NULL) {
+        qcow2_cache_put(bs, s->refcount_block_cache, (void**) refcount_block);
     }
-
-    return 0;
+    return ret;
 }
 
 /* XXX: cache several refcount block clusters ? */
@@ -463,9 +417,8 @@ static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
 {
     BDRVQcowState *s = bs->opaque;
     int64_t start, last, cluster_offset;
-    int64_t refcount_block_offset = 0;
-    int64_t table_index = -1, old_table_index;
-    int first_index = -1, last_index = -1;
+    uint16_t *refcount_block = NULL;
+    int64_t old_table_index = -1;
     int ret;
 
 #ifdef DEBUG_ALLOC2
@@ -478,6 +431,11 @@ static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
         return 0;
     }
 
+    if (addend < 0) {
+        qcow2_cache_set_dependency(bs, s->refcount_block_cache,
+            s->l2_table_cache);
+    }
+
     start = offset & ~(s->cluster_size - 1);
     last = (offset + length - 1) & ~(s->cluster_size - 1);
     for(cluster_offset = start; cluster_offset <= last;
@@ -485,42 +443,33 @@ static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
     {
         int block_index, refcount;
         int64_t cluster_index = cluster_offset >> s->cluster_bits;
-        int64_t new_block;
+        int64_t table_index =
+            cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT);
 
-        /* Only write refcount block to disk when we are done with it */
-        old_table_index = table_index;
-        table_index = cluster_index >> (s->cluster_bits - REFCOUNT_SHIFT);
-        if ((old_table_index >= 0) && (table_index != old_table_index)) {
+        /* Load the refcount block and allocate it if needed */
+        if (table_index != old_table_index) {
+            if (refcount_block) {
+                ret = qcow2_cache_put(bs, s->refcount_block_cache,
+                    (void**) &refcount_block);
+                if (ret < 0) {
+                    goto fail;
+                }
+            }
 
-            ret = write_refcount_block_entries(bs, refcount_block_offset,
-                first_index, last_index);
+            ret = alloc_refcount_block(bs, cluster_index, &refcount_block);
             if (ret < 0) {
-                return ret;
+                goto fail;
             }
-
-            first_index = -1;
-            last_index = -1;
         }
+        old_table_index = table_index;
 
-        /* Load the refcount block and allocate it if needed */
-        new_block = alloc_refcount_block(bs, cluster_index);
-        if (new_block < 0) {
-            ret = new_block;
-            goto fail;
-        }
-        refcount_block_offset = new_block;
+        qcow2_cache_entry_mark_dirty(s->refcount_block_cache, refcount_block);
 
         /* we can update the count and save it */
         block_index = cluster_index &
             ((1 << (s->cluster_bits - REFCOUNT_SHIFT)) - 1);
-        if (first_index == -1 || block_index < first_index) {
-            first_index = block_index;
-        }
-        if (block_index > last_index) {
-            last_index = block_index;
-        }
 
-        refcount = be16_to_cpu(s->refcount_block_cache[block_index]);
+        refcount = be16_to_cpu(refcount_block[block_index]);
         refcount += addend;
         if (refcount < 0 || refcount > 0xffff) {
             ret = -EINVAL;
@@ -529,17 +478,16 @@ static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,
         if (refcount == 0 && cluster_index < s->free_cluster_index) {
             s->free_cluster_index = cluster_index;
         }
-        s->refcount_block_cache[block_index] = cpu_to_be16(refcount);
+        refcount_block[block_index] = cpu_to_be16(refcount);
     }
 
     ret = 0;
 fail:
-
     /* Write last changed block to disk */
-    if (refcount_block_offset != 0) {
+    if (refcount_block) {
         int wret;
-        wret = write_refcount_block_entries(bs, refcount_block_offset,
-            first_index, last_index);
+        wret = qcow2_cache_put(bs, s->refcount_block_cache,
+            (void**) &refcount_block);
         if (wret < 0) {
             return ret < 0 ? ret : wret;
         }
@@ -758,9 +706,7 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
     uint64_t *l1_table, *l2_table, l2_offset, offset, l1_size2, l1_allocated;
     int64_t old_offset, old_l2_offset;
     int l2_size, i, j, l1_modified, l2_modified, nb_csectors, refcount;
-
-    qcow2_l2_cache_reset(bs);
-    cache_refcount_updates = 1;
+    int ret;
 
     l2_table = NULL;
     l1_table = NULL;
@@ -784,7 +730,6 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
     }
 
     l2_size = s->l2_size * sizeof(uint64_t);
-    l2_table = qemu_malloc(l2_size);
     l1_modified = 0;
     for(i = 0; i < l1_size; i++) {
         l2_offset = l1_table[i];
@@ -792,8 +737,13 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
             old_l2_offset = l2_offset;
             l2_offset &= ~QCOW_OFLAG_COPIED;
             l2_modified = 0;
-            if (bdrv_pread(bs->file, l2_offset, l2_table, l2_size) != l2_size)
+
+            ret = qcow2_cache_get(bs, s->l2_table_cache, l2_offset,
+                (void**) &l2_table);
+            if (ret < 0) {
                 goto fail;
+            }
+
             for(j = 0; j < s->l2_size; j++) {
                 offset = be64_to_cpu(l2_table[j]);
                 if (offset != 0) {
@@ -833,17 +783,23 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
                         offset |= QCOW_OFLAG_COPIED;
                     }
                     if (offset != old_offset) {
+                        if (addend > 0) {
+                            qcow2_cache_set_dependency(bs, s->l2_table_cache,
+                                s->refcount_block_cache);
+                        }
                         l2_table[j] = cpu_to_be64(offset);
                         l2_modified = 1;
+                        qcow2_cache_entry_mark_dirty(s->l2_table_cache, l2_table);
                     }
                 }
             }
-            if (l2_modified) {
-                if (bdrv_pwrite_sync(bs->file,
-                                l2_offset, l2_table, l2_size) < 0)
-                    goto fail;
+
+            ret = qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
+            if (ret < 0) {
+                goto fail;
             }
 
+
             if (addend != 0) {
                 refcount = update_cluster_refcount(bs, l2_offset >> s->cluster_bits, addend);
             } else {
@@ -871,16 +827,14 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
     }
     if (l1_allocated)
         qemu_free(l1_table);
-    qemu_free(l2_table);
-    cache_refcount_updates = 0;
-    write_refcount_block(bs);
     return 0;
  fail:
+    if (l2_table) {
+        qcow2_cache_put(bs, s->l2_table_cache, (void**) &l2_table);
+    }
+
     if (l1_allocated)
         qemu_free(l1_table);
-    qemu_free(l2_table);
-    cache_refcount_updates = 0;
-    write_refcount_block(bs);
     return -EIO;
 }
 
diff --git a/block/qcow2.c b/block/qcow2.c
index b6b094c..49bf7b9 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -143,6 +143,7 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     int len, i, ret = 0;
     QCowHeader header;
     uint64_t ext_end;
+    bool writethrough;
 
     ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
     if (ret < 0) {
@@ -217,8 +218,13 @@ static int qcow2_open(BlockDriverState *bs, int flags)
             be64_to_cpus(&s->l1_table[i]);
         }
     }
-    /* alloc L2 cache */
-    s->l2_cache = qemu_malloc(s->l2_size * L2_CACHE_SIZE * sizeof(uint64_t));
+
+    /* alloc L2 table/refcount block cache */
+    writethrough = ((flags & BDRV_O_CACHE_MASK) == 0);
+    s->l2_table_cache = qcow2_cache_create(bs, L2_CACHE_SIZE, writethrough);
+    s->refcount_block_cache = qcow2_cache_create(bs, REFCOUNT_CACHE_SIZE,
+        writethrough);
+
     s->cluster_cache = qemu_malloc(s->cluster_size);
     /* one more sector for decompressed data alignment */
     s->cluster_data = qemu_malloc(QCOW_MAX_CRYPT_CLUSTERS * s->cluster_size
@@ -270,7 +276,9 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     qcow2_free_snapshots(bs);
     qcow2_refcount_close(bs);
     qemu_free(s->l1_table);
-    qemu_free(s->l2_cache);
+    if (s->l2_table_cache) {
+        qcow2_cache_destroy(bs, s->l2_table_cache);
+    }
     qemu_free(s->cluster_cache);
     qemu_free(s->cluster_data);
     return ret;
@@ -719,7 +727,13 @@ static void qcow2_close(BlockDriverState *bs)
 {
     BDRVQcowState *s = bs->opaque;
     qemu_free(s->l1_table);
-    qemu_free(s->l2_cache);
+
+    qcow2_cache_flush(bs, s->l2_table_cache);
+    qcow2_cache_flush(bs, s->refcount_block_cache);
+
+    qcow2_cache_destroy(bs, s->l2_table_cache);
+    qcow2_cache_destroy(bs, s->refcount_block_cache);
+
     qemu_free(s->cluster_cache);
     qemu_free(s->cluster_data);
     qcow2_refcount_close(bs);
@@ -1179,6 +1193,19 @@ static int qcow2_write_compressed(BlockDriverState *bs, int64_t sector_num,
 
 static int qcow2_flush(BlockDriverState *bs)
 {
+    BDRVQcowState *s = bs->opaque;
+    int ret;
+
+    ret = qcow2_cache_flush(bs, s->l2_table_cache);
+    if (ret < 0) {
+        return ret;
+    }
+
+    ret = qcow2_cache_flush(bs, s->refcount_block_cache);
+    if (ret < 0) {
+        return ret;
+    }
+
     return bdrv_flush(bs->file);
 }
 
@@ -1186,6 +1213,19 @@ static BlockDriverAIOCB *qcow2_aio_flush(BlockDriverState *bs,
                                          BlockDriverCompletionFunc *cb,
                                          void *opaque)
 {
+    BDRVQcowState *s = bs->opaque;
+    int ret;
+
+    ret = qcow2_cache_flush(bs, s->l2_table_cache);
+    if (ret < 0) {
+        return NULL;
+    }
+
+    ret = qcow2_cache_flush(bs, s->refcount_block_cache);
+    if (ret < 0) {
+        return NULL;
+    }
+
     return bdrv_aio_flush(bs->file, cb, opaque);
 }
 
diff --git a/block/qcow2.h b/block/qcow2.h
index e5473e1..11cbce3 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -51,6 +51,9 @@
 
 #define L2_CACHE_SIZE 16
 
+/* Must be at least 4 to cover all cases of refcount table growth */
+#define REFCOUNT_CACHE_SIZE 4
+
 typedef struct QCowHeader {
     uint32_t magic;
     uint32_t version;
@@ -94,9 +97,10 @@ typedef struct BDRVQcowState {
     uint64_t cluster_offset_mask;
     uint64_t l1_table_offset;
     uint64_t *l1_table;
-    uint64_t *l2_cache;
-    uint64_t l2_cache_offsets[L2_CACHE_SIZE];
-    uint32_t l2_cache_counts[L2_CACHE_SIZE];
+
+    Qcow2Cache* l2_table_cache;
+    Qcow2Cache* refcount_block_cache;
+
     uint8_t *cluster_cache;
     uint8_t *cluster_data;
     uint64_t cluster_cache_offset;
@@ -105,8 +109,6 @@ typedef struct BDRVQcowState {
     uint64_t *refcount_table;
     uint64_t refcount_table_offset;
     uint32_t refcount_table_size;
-    uint64_t refcount_block_cache_offset;
-    uint16_t *refcount_block_cache;
     int64_t free_cluster_index;
     int64_t free_byte_offset;
 
commit cbcc6336ce9e5c048821b136649712e078c4d05f
Author: Alon Levy <alevy at redhat.com>
Date:   Wed Jan 19 10:49:50 2011 +0200

    spice: add chardev (v5)
    
    Adding a chardev backend for spice, where spice determines what
    to do with it based on the name attribute given during chardev creation.
    For usage by spice vdagent in conjunction with a properly named
    virtio-serial device, and future smartcard channel usage.
    
    Example usage:
     qemu -device virtio-serial -chardev spicevmc,name=vdagent,id=vdagent \
     -device virtserialport,chardev=vdagent,name=com.redhat.spice.0
    
    v4->v5:
     * add tracing events
     * fix missing comma
     * fix help string to show debug is optional
    
    v3->v4:
     * updated commit message
    
    v1->v3 changes: (v2 had a wrong commit message)
     * removed spice-qemu-char.h, folded into ui/qemu-spice.h
     * removed dead IOCTL code
     * removed comment
     * removed ifdef CONFIG_SPICE from qemu-config.c and qemu-options.hx help.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index fda366d..13f6b38 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -105,7 +105,7 @@ common-obj-$(CONFIG_BRLAPI) += baum.o
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
 common-obj-$(CONFIG_WIN32) += version.o
 
-common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o ui/spice-display.o
+common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o ui/spice-display.o spice-qemu-char.o
 
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
diff --git a/qemu-char.c b/qemu-char.c
index edc9ad6..acc7130 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -97,6 +97,7 @@
 #endif
 
 #include "qemu_socket.h"
+#include "ui/qemu-spice.h"
 
 #define READ_BUF_LEN 4096
 
@@ -2495,6 +2496,9 @@ static const struct {
     || defined(__FreeBSD_kernel__)
     { .name = "parport",   .open = qemu_chr_open_pp },
 #endif
+#ifdef CONFIG_SPICE
+    { .name = "spicevmc",     .open = qemu_chr_open_spice },
+#endif
 };
 
 CharDriverState *qemu_chr_open_opts(QemuOpts *opts,
diff --git a/qemu-config.c b/qemu-config.c
index 965fa46..323d3c2 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -146,6 +146,12 @@ static QemuOptsList qemu_chardev_opts = {
         },{
             .name = "signal",
             .type = QEMU_OPT_BOOL,
+        },{
+            .name = "name",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "debug",
+            .type = QEMU_OPT_NUMBER,
         },
         { /* end of list */ }
     },
diff --git a/qemu-options.hx b/qemu-options.hx
index 898561d..939297a 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1368,6 +1368,9 @@ DEF("chardev", HAS_ARG, QEMU_OPTION_chardev,
 #if defined(__linux__) || defined(__FreeBSD__) || defined(__DragonFly__)
     "-chardev parport,id=id,path=path[,mux=on|off]\n"
 #endif
+#if defined(CONFIG_SPICE)
+    "-chardev spicevmc,id=id,name=name[,debug=debug]\n"
+#endif
     , QEMU_ARCH_ALL
 )
 
@@ -1392,7 +1395,8 @@ Backend is one of:
 @option{stdio},
 @option{braille},
 @option{tty},
- at option{parport}.
+ at option{parport},
+ at option{spicevmc}.
 The specific backend will determine the applicable options.
 
 All devices must have an id, which can be any string up to 127 characters long.
@@ -1568,6 +1572,16 @@ Connect to a local parallel port.
 @option{path} specifies the path to the parallel port device. @option{path} is
 required.
 
+#if defined(CONFIG_SPICE)
+ at item -chardev spicevmc ,id=@var{id} ,debug=@var{debug}, name=@var{name}
+
+ at option{debug} debug level for spicevmc
+
+ at option{name} name of spice channel to connect to
+
+Connect to a spice virtual machine channel, such as vdiport.
+#endif
+
 @end table
 ETEXI
 
diff --git a/spice-qemu-char.c b/spice-qemu-char.c
new file mode 100644
index 0000000..517f337
--- /dev/null
+++ b/spice-qemu-char.c
@@ -0,0 +1,190 @@
+#include "config-host.h"
+#include "trace.h"
+#include "ui/qemu-spice.h"
+#include <spice.h>
+#include <spice-experimental.h>
+
+#include "osdep.h"
+
+#define dprintf(_scd, _level, _fmt, ...)                                \
+    do {                                                                \
+        static unsigned __dprintf_counter = 0;                          \
+        if (_scd->debug >= _level) {                                    \
+            fprintf(stderr, "scd: %3d: " _fmt, ++__dprintf_counter, ## __VA_ARGS__);\
+        }                                                               \
+    } while (0)
+
+#define VMC_MAX_HOST_WRITE    2048
+
+typedef struct SpiceCharDriver {
+    CharDriverState*      chr;
+    SpiceCharDeviceInstance     sin;
+    char                  *subtype;
+    bool                  active;
+    uint8_t               *buffer;
+    uint8_t               *datapos;
+    ssize_t               bufsize, datalen;
+    uint32_t              debug;
+} SpiceCharDriver;
+
+static int vmc_write(SpiceCharDeviceInstance *sin, const uint8_t *buf, int len)
+{
+    SpiceCharDriver *scd = container_of(sin, SpiceCharDriver, sin);
+    ssize_t out = 0;
+    ssize_t last_out;
+    uint8_t* p = (uint8_t*)buf;
+
+    while (len > 0) {
+        last_out = MIN(len, VMC_MAX_HOST_WRITE);
+        qemu_chr_read(scd->chr, p, last_out);
+        if (last_out > 0) {
+            out += last_out;
+            len -= last_out;
+            p += last_out;
+        } else {
+            break;
+        }
+    }
+
+    dprintf(scd, 3, "%s: %lu/%zd\n", __func__, out, len + out);
+    trace_spice_vmc_write(out, len + out);
+    return out;
+}
+
+static int vmc_read(SpiceCharDeviceInstance *sin, uint8_t *buf, int len)
+{
+    SpiceCharDriver *scd = container_of(sin, SpiceCharDriver, sin);
+    int bytes = MIN(len, scd->datalen);
+
+    dprintf(scd, 2, "%s: %p %d/%d/%zd\n", __func__, scd->datapos, len, bytes, scd->datalen);
+    if (bytes > 0) {
+        memcpy(buf, scd->datapos, bytes);
+        scd->datapos += bytes;
+        scd->datalen -= bytes;
+        assert(scd->datalen >= 0);
+        if (scd->datalen == 0) {
+            scd->datapos = 0;
+        }
+    }
+    trace_spice_vmc_read(bytes, len);
+    return bytes;
+}
+
+static SpiceCharDeviceInterface vmc_interface = {
+    .base.type          = SPICE_INTERFACE_CHAR_DEVICE,
+    .base.description   = "spice virtual channel char device",
+    .base.major_version = SPICE_INTERFACE_CHAR_DEVICE_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_CHAR_DEVICE_MINOR,
+    .write              = vmc_write,
+    .read               = vmc_read,
+};
+
+
+static void vmc_register_interface(SpiceCharDriver *scd)
+{
+    if (scd->active) {
+        return;
+    }
+    dprintf(scd, 1, "%s\n", __func__);
+    scd->sin.base.sif = &vmc_interface.base;
+    qemu_spice_add_interface(&scd->sin.base);
+    scd->active = true;
+    trace_spice_vmc_register_interface(scd);
+}
+
+static void vmc_unregister_interface(SpiceCharDriver *scd)
+{
+    if (!scd->active) {
+        return;
+    }
+    dprintf(scd, 1, "%s\n", __func__);
+    spice_server_remove_interface(&scd->sin.base);
+    scd->active = false;
+    trace_spice_vmc_unregister_interface(scd);
+}
+
+
+static int spice_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
+{
+    SpiceCharDriver *s = chr->opaque;
+
+    dprintf(s, 2, "%s: %d\n", __func__, len);
+    vmc_register_interface(s);
+    assert(s->datalen == 0);
+    if (s->bufsize < len) {
+        s->bufsize = len;
+        s->buffer = qemu_realloc(s->buffer, s->bufsize);
+    }
+    memcpy(s->buffer, buf, len);
+    s->datapos = s->buffer;
+    s->datalen = len;
+    spice_server_char_device_wakeup(&s->sin);
+    return len;
+}
+
+static void spice_chr_close(struct CharDriverState *chr)
+{
+    SpiceCharDriver *s = chr->opaque;
+
+    printf("%s\n", __func__);
+    vmc_unregister_interface(s);
+    qemu_free(s);
+}
+
+static void print_allowed_subtypes(void)
+{
+    const char** psubtype;
+    int i;
+
+    fprintf(stderr, "allowed names: ");
+    for(i=0, psubtype = spice_server_char_device_recognized_subtypes();
+        *psubtype != NULL; ++psubtype, ++i) {
+        if (i == 0) {
+            fprintf(stderr, "%s", *psubtype);
+        } else {
+            fprintf(stderr, ", %s", *psubtype);
+        }
+    }
+    fprintf(stderr, "\n");
+}
+
+CharDriverState *qemu_chr_open_spice(QemuOpts *opts)
+{
+    CharDriverState *chr;
+    SpiceCharDriver *s;
+    const char* name = qemu_opt_get(opts, "name");
+    uint32_t debug = qemu_opt_get_number(opts, "debug", 0);
+    const char** psubtype = spice_server_char_device_recognized_subtypes();
+    const char *subtype = NULL;
+
+    if (name == NULL) {
+        fprintf(stderr, "spice-qemu-char: missing name parameter\n");
+        print_allowed_subtypes();
+        return NULL;
+    }
+    for(;*psubtype != NULL; ++psubtype) {
+        if (strcmp(name, *psubtype) == 0) {
+            subtype = *psubtype;
+            break;
+        }
+    }
+    if (subtype == NULL) {
+        fprintf(stderr, "spice-qemu-char: unsupported name\n");
+        print_allowed_subtypes();
+        return NULL;
+    }
+
+    chr = qemu_mallocz(sizeof(CharDriverState));
+    s = qemu_mallocz(sizeof(SpiceCharDriver));
+    s->chr = chr;
+    s->debug = debug;
+    s->active = false;
+    s->sin.subtype = subtype;
+    chr->opaque = s;
+    chr->chr_write = spice_chr_write;
+    chr->chr_close = spice_chr_close;
+
+    qemu_chr_generic_open(chr);
+
+    return chr;
+}
diff --git a/trace-events b/trace-events
index 19cee6a..ed754f5 100644
--- a/trace-events
+++ b/trace-events
@@ -224,3 +224,9 @@ disable qed_aio_write_data(void *s, void *acb, int ret, uint64_t offset, size_t
 disable qed_aio_write_prefill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
 disable qed_aio_write_postfill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
 disable qed_aio_write_main(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
+
+# spice-qemu-char.c
+disable spice_vmc_write(ssize_t out, int len) "spice wrottn %lu of requested %zd"
+disable spice_vmc_read(int bytes, int len) "spice read %lu of requested %zd"
+disable spice_vmc_register_interface(void *scd) "spice vmc registered interface %p"
+disable spice_vmc_unregister_interface(void *scd) "spice vmc unregistered interface %p"
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 05dc50a..916e5dc 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -24,6 +24,7 @@
 
 #include "qemu-option.h"
 #include "qemu-config.h"
+#include "qemu-char.h"
 
 extern int using_spice;
 
@@ -41,6 +42,8 @@ int qemu_spice_migrate_info(const char *hostname, int port, int tls_port,
 void do_info_spice_print(Monitor *mon, const QObject *data);
 void do_info_spice(Monitor *mon, QObject **ret_data);
 
+CharDriverState *qemu_chr_open_spice(QemuOpts *opts);
+
 #else  /* CONFIG_SPICE */
 
 #define using_spice 0
commit 710fc4f5f1cbb6d2cebdc575def9f9dba4b0263f
Author: Jiri Denemark <Jiri.Denemark at gmail.com>
Date:   Mon Jan 24 13:20:29 2011 +0100

    configure: Fix spice probe
    
    Non-existent $pkgconfig instead of $pkg_config was used when configure
    probes for spice availability.
    
    Signed-off-by: Jiri Denemark <jdenemar at redhat.com>

diff --git a/configure b/configure
index 210670c..dc469b2 100755
--- a/configure
+++ b/configure
@@ -2207,9 +2207,9 @@ if test "$spice" != "no" ; then
 #include <spice.h>
 int main(void) { spice_server_new(); return 0; }
 EOF
-  spice_cflags=$($pkgconfig --cflags spice-protocol spice-server 2>/dev/null)
-  spice_libs=$($pkgconfig --libs spice-protocol spice-server 2>/dev/null)
-  if $pkgconfig --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \
+  spice_cflags=$($pkg_config --cflags spice-protocol spice-server 2>/dev/null)
+  spice_libs=$($pkg_config --libs spice-protocol spice-server 2>/dev/null)
+  if $pkg_config --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \
      compile_prog "$spice_cflags" "$spice_libs" ; then
     spice="yes"
     libs_softmmu="$libs_softmmu $spice_libs"
commit 17268d54be2e15b0d8ccfc4102bc48c84299b027
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 21 10:32:03 2011 +0100

    qxl: locking fix
    
    One spice worker call lacks the unlock/relock calls,
    which may lead to deadlocks, add them.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/qxl.c b/hw/qxl.c
index dcea65d..fe4212b 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -866,7 +866,9 @@ static void qxl_destroy_primary(PCIQXLDevice *d)
     dprint(d, 1, "%s\n", __FUNCTION__);
 
     d->mode = QXL_MODE_UNDEFINED;
+    qemu_mutex_unlock_iothread();
     d->ssd.worker->destroy_primary_surface(d->ssd.worker, 0);
+    qemu_mutex_lock_iothread();
 }
 
 static void qxl_set_mode(PCIQXLDevice *d, int modenr, int loadvm)
commit b67737a6cf71d1f029a692e5dc2dc26579299b97
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Jan 5 18:05:52 2011 +0100

    spice/qxl: zap spice 0.4 migration compatibility bits
    
    Live migration from and to spice 0.4 qxl devices isn't going to work.
    Rip out the bits which attempt to support that.  Zap the subsection
    logic which is obsolete now.  Bumb the version to make a clean cut.
    This should obviously go in before 0.14 is released.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/qxl.c b/hw/qxl.c
index bd71e58..dcea65d 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1418,43 +1418,10 @@ static int qxl_post_load(void *opaque, int version)
     }
     dprint(d, 1, "%s: done\n", __FUNCTION__);
 
-    /* spice 0.4 compatibility -- accept but ignore */
-    qemu_free(d->worker_data);
-    d->worker_data = NULL;
-    d->worker_data_size = 0;
-
     return 0;
 }
 
-#define QXL_SAVE_VERSION 20
-
-static bool qxl_test_worker_data(void *opaque, int version_id)
-{
-    PCIQXLDevice* d = opaque;
-
-    if (d->revision != 1) {
-        return false;
-    }
-    if (!d->worker_data_size) {
-        return false;
-    }
-    if (!d->worker_data) {
-        d->worker_data = qemu_malloc(d->worker_data_size);
-    }
-    return true;
-}
-
-static bool qxl_test_spice04(void *opaque, int version_id)
-{
-    PCIQXLDevice* d = opaque;
-    return d->revision == 1;
-}
-
-static bool qxl_test_spice06(void *opaque)
-{
-    PCIQXLDevice* d = opaque;
-    return d->revision > 1;
-}
+#define QXL_SAVE_VERSION 21
 
 static VMStateDescription qxl_memslot = {
     .name               = "qxl-memslot",
@@ -1486,24 +1453,6 @@ static VMStateDescription qxl_surface = {
     }
 };
 
-static VMStateDescription qxl_vmstate_spice06 = {
-    .name               = "qxl/spice06",
-    .version_id         = QXL_SAVE_VERSION,
-    .minimum_version_id = QXL_SAVE_VERSION,
-    .fields = (VMStateField []) {
-        VMSTATE_INT32_EQUAL(num_memslots, PCIQXLDevice),
-        VMSTATE_STRUCT_ARRAY(guest_slots, PCIQXLDevice, NUM_MEMSLOTS, 0,
-                             qxl_memslot, struct guest_slots),
-        VMSTATE_STRUCT(guest_primary.surface, PCIQXLDevice, 0,
-                       qxl_surface, QXLSurfaceCreate),
-        VMSTATE_INT32_EQUAL(num_surfaces, PCIQXLDevice),
-        VMSTATE_ARRAY(guest_surfaces.cmds, PCIQXLDevice, NUM_SURFACES, 0,
-                      vmstate_info_uint64, uint64_t),
-        VMSTATE_UINT64(guest_cursor, PCIQXLDevice),
-        VMSTATE_END_OF_LIST()
-    },
-};
-
 static VMStateDescription qxl_vmstate = {
     .name               = "qxl",
     .version_id         = QXL_SAVE_VERSION,
@@ -1519,25 +1468,17 @@ static VMStateDescription qxl_vmstate = {
         VMSTATE_UINT32(last_release_offset, PCIQXLDevice),
         VMSTATE_UINT32(mode, PCIQXLDevice),
         VMSTATE_UINT32(ssd.unique, PCIQXLDevice),
-
-        /* spice 0.4 sends/expects them */
-        VMSTATE_VBUFFER_UINT32(vga.vram_ptr, PCIQXLDevice, 0, qxl_test_spice04, 0,
-                               vga.vram_size),
-        VMSTATE_UINT32_TEST(worker_data_size, PCIQXLDevice, qxl_test_spice04),
-        VMSTATE_VBUFFER_UINT32(worker_data, PCIQXLDevice, 0, qxl_test_worker_data, 0,
-                               worker_data_size),
-
+        VMSTATE_INT32_EQUAL(num_memslots, PCIQXLDevice),
+        VMSTATE_STRUCT_ARRAY(guest_slots, PCIQXLDevice, NUM_MEMSLOTS, 0,
+                             qxl_memslot, struct guest_slots),
+        VMSTATE_STRUCT(guest_primary.surface, PCIQXLDevice, 0,
+                       qxl_surface, QXLSurfaceCreate),
+        VMSTATE_INT32_EQUAL(num_surfaces, PCIQXLDevice),
+        VMSTATE_ARRAY(guest_surfaces.cmds, PCIQXLDevice, NUM_SURFACES, 0,
+                      vmstate_info_uint64, uint64_t),
+        VMSTATE_UINT64(guest_cursor, PCIQXLDevice),
         VMSTATE_END_OF_LIST()
     },
-    .subsections = (VMStateSubsection[]) {
-        {
-            /* additional spice 0.6 state */
-            .vmsd   = &qxl_vmstate_spice06,
-            .needed = qxl_test_spice06,
-        },{
-            /* end of list */
-        },
-    },
 };
 
 static PCIDeviceInfo qxl_info_primary = {
diff --git a/hw/qxl.h b/hw/qxl.h
index 98e11ce..f6c450d 100644
--- a/hw/qxl.h
+++ b/hw/qxl.h
@@ -80,10 +80,6 @@ typedef struct PCIQXLDevice {
 
     /* io bar */
     uint32_t           io_base;
-
-    /* spice 0.4 loadvm compatibility */
-    void               *worker_data;
-    uint32_t           worker_data_size;
 } PCIQXLDevice;
 
 #define PANIC_ON(x) if ((x)) {                         \
commit 8d86e2bfe36ae8e03bf2ba0c8206b91e29ad292f
Author: Marc-André Lureau <marcandre.lureau at redhat.com>
Date:   Thu Jan 6 11:43:17 2011 +0100

    vnc/spice: fix "never" and "now" expire_time

diff --git a/monitor.c b/monitor.c
index 4c92d38..6aa1bb9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1136,9 +1136,9 @@ static int expire_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
     time_t when;
     int rc;
 
-    if (strcmp(whenstr, "now")) {
+    if (strcmp(whenstr, "now") == 0) {
         when = 0;
-    } else if (strcmp(whenstr, "never")) {
+    } else if (strcmp(whenstr, "never") == 0) {
         when = TIME_MAX;
     } else if (whenstr[0] == '+') {
         when = time(NULL) + strtoull(whenstr+1, NULL, 10);
commit 7ee3bf03984ada1ac7c7a4f27d8583a5718adadb
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Dec 13 21:30:37 2010 +0100

    spice: MAINTAINERS update

diff --git a/MAINTAINERS b/MAINTAINERS
index f20d390..ab48380 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -383,6 +383,14 @@ S: Odd Fixes
 F: gdbstub*
 F: gdb-xml/
 
+SPICE
+M: Gerd Hoffmann <kraxel at redhat.com>
+S: Supported
+F: ui/qemu-spice.h
+F: ui/spice-*.c
+F: audio/spiceaudio.c
+F: hw/qxl*
+
 Graphics
 M: Anthony Liguori <aliguori at us.ibm.com>
 S: Maintained
commit e866e23959b45325414ac84a21f31dea79867ee6
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Apr 23 13:28:21 2010 +0200

    spice/vnc: client migration.
    
    Handle spice client migration, i.e. inform a spice client connected
    about the new host and connection parameters, so it can move over the
    connection automatically.
    
    The monitor command has a not-yet used protocol argument simliar to
    set_password and expire_password commands.  This allows to add a simliar
    feature to vnc in the future.  Daniel Berrange plans to work on this.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 1cea572..4906d89 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -815,6 +815,23 @@ ETEXI
     },
 
 STEXI
+ at item client_migrate_info @var{protocol} @var{hostname} @var{port} @var{tls-port} @var{cert-subject}
+ at findex client_migrate_info
+Set the spice/vnc connection info for the migration target.  The spice/vnc
+server will ask the spice/vnc client to automatically reconnect using the
+new parameters (if specified) once the vm migration finished successfully.
+ETEXI
+
+    {
+        .name       = "client_migrate_info",
+        .args_type  = "protocol:s,hostname:s,port:i?,tls-port:i?,cert-subject:s?",
+        .params     = "protocol hostname port tls-port cert-subject",
+        .help       = "send migration info to spice/vnc client",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = client_migrate_info,
+    },
+
+STEXI
 @item snapshot_blkdev
 @findex snapshot_blkdev
 Snapshot device, using snapshot file as target if provided
diff --git a/monitor.c b/monitor.c
index d291158..4c92d38 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1173,6 +1173,33 @@ static int expire_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
     return -1;
 }
 
+static int client_migrate_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *protocol = qdict_get_str(qdict, "protocol");
+    const char *hostname = qdict_get_str(qdict, "hostname");
+    const char *subject  = qdict_get_try_str(qdict, "cert-subject");
+    int port             = qdict_get_try_int(qdict, "port", -1);
+    int tls_port         = qdict_get_try_int(qdict, "tls-port", -1);
+    int ret;
+
+    if (strcmp(protocol, "spice") == 0) {
+        if (!using_spice) {
+            qerror_report(QERR_DEVICE_NOT_ACTIVE, "spice");
+            return -1;
+        }
+
+        ret = qemu_spice_migrate_info(hostname, port, tls_port, subject);
+        if (ret != 0) {
+            qerror_report(QERR_UNDEFINED_ERROR);
+            return -1;
+        }
+        return 0;
+    }
+
+    qerror_report(QERR_INVALID_PARAMETER, "protocol");
+    return -1;
+}
+
 static int do_screen_dump(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
     vga_hw_screen_dump(qdict_get_str(qdict, "filename"));
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 56c4d8b..2ed8f44 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -503,6 +503,41 @@ EQMP
     },
 
 SQMP
+client_migrate_info
+------------------
+
+Set the spice/vnc connection info for the migration target.  The spice/vnc
+server will ask the spice/vnc client to automatically reconnect using the
+new parameters (if specified) once the vm migration finished successfully.
+
+Arguments:
+
+- "protocol":     protocol: "spice" or "vnc" (json-string)
+- "hostname":     migration target hostname (json-string)
+- "port":         spice/vnc tcp port for plaintext channels (json-int, optional)
+- "tls-port":     spice tcp port for tls-secured channels (json-int, optional)
+- "cert-subject": server certificate subject (json-string, optional)
+
+Example:
+
+-> { "execute": "client_migrate_info",
+     "arguments": { "protocol": "spice",
+                    "hostname": "virt42.lab.kraxel.org",
+                    "port": 1234 } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "client_migrate_info",
+        .args_type  = "protocol:s,hostname:s,port:i?,tls-port:i?,cert-subject:s?",
+        .params     = "protocol hostname port tls-port cert-subject",
+        .help       = "send migration info to spice/vnc client",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = client_migrate_info,
+    },
+
+SQMP
 migrate_set_speed
 -----------------
 
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 48239c3..05dc50a 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -35,6 +35,8 @@ int qemu_spice_add_interface(SpiceBaseInstance *sin);
 int qemu_spice_set_passwd(const char *passwd,
                           bool fail_if_connected, bool disconnect_if_connected);
 int qemu_spice_set_pw_expire(time_t expires);
+int qemu_spice_migrate_info(const char *hostname, int port, int tls_port,
+                            const char *subject);
 
 void do_info_spice_print(Monitor *mon, const QObject *data);
 void do_info_spice(Monitor *mon, QObject **ret_data);
@@ -44,6 +46,8 @@ void do_info_spice(Monitor *mon, QObject **ret_data);
 #define using_spice 0
 #define qemu_spice_set_passwd(_p, _f1, _f2) (-1)
 #define qemu_spice_set_pw_expire(_e) (-1)
+static inline int qemu_spice_migrate_info(const char *h, int p, int t, const char *s)
+{ return -1; }
 
 #endif /* CONFIG_SPICE */
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 27a1ced..1aa1a5e 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -30,11 +30,15 @@
 #include "qbool.h"
 #include "qstring.h"
 #include "qjson.h"
+#include "notify.h"
+#include "migration.h"
 #include "monitor.h"
+#include "hw/hw.h"
 
 /* core bits */
 
 static SpiceServer *spice_server;
+static Notifier migration_state;
 static const char *auth = "spice";
 static char *auth_passwd;
 static time_t auth_expires = TIME_MAX;
@@ -416,6 +420,24 @@ void do_info_spice(Monitor *mon, QObject **ret_data)
     *ret_data = QOBJECT(server);
 }
 
+static void migration_state_notifier(Notifier *notifier)
+{
+    int state = get_migration_state();
+
+    if (state == MIG_STATE_COMPLETED) {
+#if SPICE_SERVER_VERSION >= 0x000701 /* 0.7.1 */
+        spice_server_migrate_switch(spice_server);
+#endif
+    }
+}
+
+int qemu_spice_migrate_info(const char *hostname, int port, int tls_port,
+                            const char *subject)
+{
+    return spice_server_migrate_info(spice_server, hostname,
+                                     port, tls_port, subject);
+}
+
 static int add_channel(const char *name, const char *value, void *opaque)
 {
     int security = 0;
@@ -573,6 +595,9 @@ void qemu_spice_init(void)
     spice_server_init(spice_server, &core_interface);
     using_spice = 1;
 
+    migration_state.notify = migration_state_notifier;
+    add_migration_state_change_notifier(&migration_state);
+
     qemu_spice_input_init();
     qemu_spice_audio_init();
 
commit 99a0db9b8dd72ea20a2d4cd99fe91b08903ae857
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Dec 13 17:30:12 2010 +0100

    add migration state change notifiers
    
    This patch adds functions to register and unregister notifiers for
    migration state changes and a function to query the migration state.
    The notifier is called on every state change.  Once after establishing a
    new migration object (which is in active state then) and once when the
    state changes from active to completed, canceled or error.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/migration.c b/migration.c
index d593b1d..3612572 100644
--- a/migration.c
+++ b/migration.c
@@ -36,6 +36,9 @@ static int64_t max_throttle = (32 << 20);
 
 static MigrationState *current_migration;
 
+static NotifierList migration_state_notifiers =
+    NOTIFIER_LIST_INITIALIZER(migration_state_notifiers);
+
 int qemu_start_incoming_migration(const char *uri)
 {
     const char *p;
@@ -121,6 +124,7 @@ int do_migrate(Monitor *mon, const QDict *qdict, QObject **ret_data)
     }
 
     current_migration = s;
+    notifier_list_notify(&migration_state_notifiers);
     return 0;
 }
 
@@ -272,6 +276,7 @@ void migrate_fd_error(FdMigrationState *s)
 {
     DPRINTF("setting error state\n");
     s->state = MIG_STATE_ERROR;
+    notifier_list_notify(&migration_state_notifiers);
     migrate_fd_cleanup(s);
 }
 
@@ -329,6 +334,7 @@ ssize_t migrate_fd_put_buffer(void *opaque, const void *data, size_t size)
             monitor_resume(s->mon);
         }
         s->state = MIG_STATE_ERROR;
+        notifier_list_notify(&migration_state_notifiers);
     }
 
     return ret;
@@ -389,6 +395,7 @@ void migrate_fd_put_ready(void *opaque)
             state = MIG_STATE_ERROR;
         }
         s->state = state;
+        notifier_list_notify(&migration_state_notifiers);
     }
 }
 
@@ -408,6 +415,7 @@ void migrate_fd_cancel(MigrationState *mig_state)
     DPRINTF("cancelling migration\n");
 
     s->state = MIG_STATE_CANCELLED;
+    notifier_list_notify(&migration_state_notifiers);
     qemu_savevm_state_cancel(s->mon, s->file);
 
     migrate_fd_cleanup(s);
@@ -421,6 +429,7 @@ void migrate_fd_release(MigrationState *mig_state)
    
     if (s->state == MIG_STATE_ACTIVE) {
         s->state = MIG_STATE_CANCELLED;
+        notifier_list_notify(&migration_state_notifiers);
         migrate_fd_cleanup(s);
     }
     qemu_free(s);
@@ -452,3 +461,22 @@ int migrate_fd_close(void *opaque)
     qemu_set_fd_handler2(s->fd, NULL, NULL, NULL, NULL);
     return s->close(s);
 }
+
+void add_migration_state_change_notifier(Notifier *notify)
+{
+    notifier_list_add(&migration_state_notifiers, notify);
+}
+
+void remove_migration_state_change_notifier(Notifier *notify)
+{
+    notifier_list_remove(&migration_state_notifiers, notify);
+}
+
+int get_migration_state(void)
+{
+    if (current_migration) {
+        return migrate_fd_get_status(current_migration);
+    } else {
+        return MIG_STATE_ERROR;
+    }
+}
diff --git a/migration.h b/migration.h
index d13ed4f..2170792 100644
--- a/migration.h
+++ b/migration.h
@@ -16,6 +16,7 @@
 
 #include "qdict.h"
 #include "qemu-common.h"
+#include "notify.h"
 
 #define MIG_STATE_ERROR		-1
 #define MIG_STATE_COMPLETED	0
@@ -134,4 +135,8 @@ static inline FdMigrationState *migrate_to_fms(MigrationState *mig_state)
     return container_of(mig_state, FdMigrationState, mig_state);
 }
 
+void add_migration_state_change_notifier(Notifier *notify);
+void remove_migration_state_change_notifier(Notifier *notify);
+int get_migration_state(void);
+
 #endif
commit be7052c2a8f667f1dc42b06afcebb964ee0b03ff
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Jan 24 19:00:47 2011 +0900

    pci: memory leak of PCIDevice::rom_file
    
    PCIDevice::rom_file is leaked.
    PCIDevice::rom_file is allocated in pci_qdev_init(), but not freed anywhere.
    free it in qemu_unregister_device().
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index b8f5385..044c4bd 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -833,6 +833,7 @@ static int pci_unregister_device(DeviceState *dev)
 
     pci_unregister_io_regions(pci_dev);
     pci_del_option_rom(pci_dev);
+    qemu_free(pci_dev->romfile);
     do_pci_unregister_device(pci_dev);
     return 0;
 }
commit 493810940bfaad0fd5dd9bfb79cdc89519f89588
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Jan 10 17:15:10 2011 +0100

    qcow2: Add QcowCache
    
    This adds some new cache functions to qcow2 which can be used for caching
    refcount blocks and L2 tables. When used with cache=writethrough they work
    like the old caching code which is spread all over qcow2, so for this case we
    have merely a cleanup.
    
    The interesting case is with writeback caching (this includes cache=none) where
    data isn't written to disk immediately but only kept in cache initially. This
    leads to some form of metadata write batching which avoids the current "write
    to refcount block, flush, write to L2 table" pattern for each single request
    when a lot of cluster allocations happen. Instead, cache entries are only
    written out if its required to maintain the right order. In the pure cluster
    allocation case this means that all metadata updates for requests are done in
    memory initially and on sync, first the refcount blocks are written to disk,
    then fsync, then L2 tables.
    
    This improves performance of scenarios with lots of cluster allocations
    noticably (e.g. installation or after taking a snapshot).
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index fda366d..93406ff 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -19,7 +19,7 @@ block-obj-$(CONFIG_POSIX) += posix-aio-compat.o
 block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 
 block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
-block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
+block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o qcow2-cache.o
 block-nested-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
 block-nested-y += qed-check.o
 block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c
new file mode 100644
index 0000000..f7c4e2a
--- /dev/null
+++ b/block/qcow2-cache.c
@@ -0,0 +1,290 @@
+/*
+ * L2/refcount table cache for the QCOW2 format
+ *
+ * Copyright (c) 2010 Kevin Wolf <kwolf at redhat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "block_int.h"
+#include "qemu-common.h"
+#include "qcow2.h"
+
+typedef struct Qcow2CachedTable {
+    void*   table;
+    int64_t offset;
+    bool    dirty;
+    int     cache_hits;
+    int     ref;
+} Qcow2CachedTable;
+
+struct Qcow2Cache {
+    int                     size;
+    Qcow2CachedTable*       entries;
+    struct Qcow2Cache*      depends;
+    bool                    writethrough;
+};
+
+Qcow2Cache *qcow2_cache_create(BlockDriverState *bs, int num_tables,
+    bool writethrough)
+{
+    BDRVQcowState *s = bs->opaque;
+    Qcow2Cache *c;
+    int i;
+
+    c = qemu_mallocz(sizeof(*c));
+    c->size = num_tables;
+    c->entries = qemu_mallocz(sizeof(*c->entries) * num_tables);
+    c->writethrough = writethrough;
+
+    for (i = 0; i < c->size; i++) {
+        c->entries[i].table = qemu_blockalign(bs, s->cluster_size);
+    }
+
+    return c;
+}
+
+int qcow2_cache_destroy(BlockDriverState* bs, Qcow2Cache *c)
+{
+    int i;
+
+    for (i = 0; i < c->size; i++) {
+        assert(c->entries[i].ref == 0);
+        qemu_vfree(c->entries[i].table);
+    }
+
+    qemu_free(c->entries);
+    qemu_free(c);
+
+    return 0;
+}
+
+static int qcow2_cache_flush_dependency(BlockDriverState *bs, Qcow2Cache *c)
+{
+    int ret;
+
+    ret = qcow2_cache_flush(bs, c->depends);
+    if (ret < 0) {
+        return ret;
+    }
+
+    c->depends = NULL;
+    return 0;
+}
+
+static int qcow2_cache_entry_flush(BlockDriverState *bs, Qcow2Cache *c, int i)
+{
+    BDRVQcowState *s = bs->opaque;
+    int ret;
+
+    if (!c->entries[i].dirty || !c->entries[i].offset) {
+        return 0;
+    }
+
+    if (c->depends) {
+        ret = qcow2_cache_flush_dependency(bs, c);
+        if (ret < 0) {
+            return ret;
+        }
+    }
+
+    ret = bdrv_pwrite(bs->file, c->entries[i].offset, c->entries[i].table,
+        s->cluster_size);
+    if (ret < 0) {
+        return ret;
+    }
+
+    c->entries[i].dirty = false;
+
+    return 0;
+}
+
+int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c)
+{
+    int result = 0;
+    int ret;
+    int i;
+
+    for (i = 0; i < c->size; i++) {
+        ret = qcow2_cache_entry_flush(bs, c, i);
+        if (ret < 0 && result != -ENOSPC) {
+            result = ret;
+        }
+    }
+
+    if (result == 0) {
+        ret = bdrv_flush(bs->file);
+        if (ret < 0) {
+            result = ret;
+        }
+    }
+
+    return result;
+}
+
+int qcow2_cache_set_dependency(BlockDriverState *bs, Qcow2Cache *c,
+    Qcow2Cache *dependency)
+{
+    int ret;
+
+    if (dependency->depends) {
+        ret = qcow2_cache_flush_dependency(bs, dependency);
+        if (ret < 0) {
+            return ret;
+        }
+    }
+
+    if (c->depends && (c->depends != dependency)) {
+        ret = qcow2_cache_flush_dependency(bs, c);
+        if (ret < 0) {
+            return ret;
+        }
+    }
+
+    c->depends = dependency;
+    return 0;
+}
+
+static int qcow2_cache_find_entry_to_replace(Qcow2Cache *c)
+{
+    int i;
+    int min_count = INT_MAX;
+    int min_index = -1;
+
+
+    for (i = 0; i < c->size; i++) {
+        if (c->entries[i].ref) {
+            continue;
+        }
+
+        if (c->entries[i].cache_hits < min_count) {
+            min_index = i;
+            min_count = c->entries[i].cache_hits;
+        }
+
+        /* Give newer hits priority */
+        /* TODO Check how to optimize the replacement strategy */
+        c->entries[i].cache_hits /= 2;
+    }
+
+    if (min_index == -1) {
+        /* This can't happen in current synchronous code, but leave the check
+         * here as a reminder for whoever starts using AIO with the cache */
+        abort();
+    }
+    return min_index;
+}
+
+static int qcow2_cache_do_get(BlockDriverState *bs, Qcow2Cache *c,
+    uint64_t offset, void **table, bool read_from_disk)
+{
+    BDRVQcowState *s = bs->opaque;
+    int i;
+    int ret;
+
+    /* Check if the table is already cached */
+    for (i = 0; i < c->size; i++) {
+        if (c->entries[i].offset == offset) {
+            goto found;
+        }
+    }
+
+    /* If not, write a table back and replace it */
+    i = qcow2_cache_find_entry_to_replace(c);
+    if (i < 0) {
+        return i;
+    }
+
+    ret = qcow2_cache_entry_flush(bs, c, i);
+    if (ret < 0) {
+        return ret;
+    }
+
+    c->entries[i].offset = 0;
+    if (read_from_disk) {
+        ret = bdrv_pread(bs->file, offset, c->entries[i].table, s->cluster_size);
+        if (ret < 0) {
+            return ret;
+        }
+    }
+
+    /* Give the table some hits for the start so that it won't be replaced
+     * immediately. The number 32 is completely arbitrary. */
+    c->entries[i].cache_hits = 32;
+    c->entries[i].offset = offset;
+
+    /* And return the right table */
+found:
+    c->entries[i].cache_hits++;
+    c->entries[i].ref++;
+    *table = c->entries[i].table;
+    return 0;
+}
+
+int qcow2_cache_get(BlockDriverState *bs, Qcow2Cache *c, uint64_t offset,
+    void **table)
+{
+    return qcow2_cache_do_get(bs, c, offset, table, true);
+}
+
+int qcow2_cache_get_empty(BlockDriverState *bs, Qcow2Cache *c, uint64_t offset,
+    void **table)
+{
+    return qcow2_cache_do_get(bs, c, offset, table, false);
+}
+
+int qcow2_cache_put(BlockDriverState *bs, Qcow2Cache *c, void **table)
+{
+    int i;
+
+    for (i = 0; i < c->size; i++) {
+        if (c->entries[i].table == *table) {
+            goto found;
+        }
+    }
+    return -ENOENT;
+
+found:
+    c->entries[i].ref--;
+    *table = NULL;
+
+    assert(c->entries[i].ref >= 0);
+
+    if (c->writethrough) {
+        return qcow2_cache_entry_flush(bs, c, i);
+    } else {
+        return 0;
+    }
+}
+
+void qcow2_cache_entry_mark_dirty(Qcow2Cache *c, void *table)
+{
+    int i;
+
+    for (i = 0; i < c->size; i++) {
+        if (c->entries[i].table == table) {
+            goto found;
+        }
+    }
+    abort();
+
+found:
+    c->entries[i].dirty = true;
+}
+
diff --git a/block/qcow2.h b/block/qcow2.h
index 5217bea..e5473e1 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -78,6 +78,9 @@ typedef struct QCowSnapshot {
     uint64_t vm_clock_nsec;
 } QCowSnapshot;
 
+struct Qcow2Cache;
+typedef struct Qcow2Cache Qcow2Cache;
+
 typedef struct BDRVQcowState {
     int cluster_bits;
     int cluster_size;
@@ -215,4 +218,20 @@ int qcow2_snapshot_load_tmp(BlockDriverState *bs, const char *snapshot_name);
 void qcow2_free_snapshots(BlockDriverState *bs);
 int qcow2_read_snapshots(BlockDriverState *bs);
 
+/* qcow2-cache.c functions */
+Qcow2Cache *qcow2_cache_create(BlockDriverState *bs, int num_tables,
+    bool writethrough);
+int qcow2_cache_destroy(BlockDriverState* bs, Qcow2Cache *c);
+
+void qcow2_cache_entry_mark_dirty(Qcow2Cache *c, void *table);
+int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c);
+int qcow2_cache_set_dependency(BlockDriverState *bs, Qcow2Cache *c,
+    Qcow2Cache *dependency);
+
+int qcow2_cache_get(BlockDriverState *bs, Qcow2Cache *c, uint64_t offset,
+    void **table);
+int qcow2_cache_get_empty(BlockDriverState *bs, Qcow2Cache *c, uint64_t offset,
+    void **table);
+int qcow2_cache_put(BlockDriverState *bs, Qcow2Cache *c, void **table);
+
 #endif
commit c641483fbe0aa08cd7c0580d019dc2d5a7e71138
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Dec 20 13:46:09 2010 +0100

    ide: kill ide_dma_submit_check
    
    Merge ide_dma_submit_check into it's only caller.  Also use tail recursion
    using a goto instead of a real recursion - this avoid overflowing the
    stack in the pathological situation of an recurring error that is ignored.
    We'll still be busy looping in ide_dma_cb, but at least won't eat up
    all stack space after this.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 12b9c53..e698c13 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -321,14 +321,6 @@ static inline void ide_abort_command(IDEState *s)
     s->error = ABRT_ERR;
 }
 
-static inline void ide_dma_submit_check(IDEState *s,
-          BlockDriverCompletionFunc *dma_cb)
-{
-    if (s->bus->dma->aiocb)
-	return;
-    dma_cb(s, -1);
-}
-
 /* prepare data transfer and tell what to do after */
 static void ide_transfer_start(IDEState *s, uint8_t *buf, int size,
                                EndTransferFunc *end_transfer_func)
@@ -493,6 +485,7 @@ void ide_dma_cb(void *opaque, int ret)
     int n;
     int64_t sector_num;
 
+handle_rw_error:
     if (ret < 0) {
         int op = BM_STATUS_DMA_RETRY;
 
@@ -538,7 +531,11 @@ void ide_dma_cb(void *opaque, int ret)
         s->bus->dma->aiocb = dma_bdrv_write(s->bs, &s->sg, sector_num,
                                             ide_dma_cb, s);
     }
-    ide_dma_submit_check(s, ide_dma_cb);
+
+    if (!s->bus->dma->aiocb) {
+        ret = -1;
+        goto handle_rw_error;
+    }
     return;
 
 eot:
commit 596bb44dead047249c11df24b0e1ffaa514f4909
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Dec 20 13:45:58 2010 +0100

    ide: also reset io_buffer_index for writes
    
    Currenly the code only resets the io_buffer_index field for reads,
    but the code seems to expect this for all types of I/O.  I guess
    we simply don't hit large enough transfers that would require this
    often enough.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index e93dd46..12b9c53 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -521,8 +521,7 @@ void ide_dma_cb(void *opaque, int ret)
 
     /* launch next transfer */
     n = s->nsector;
-    if (s->is_read)
-        s->io_buffer_index = 0;
+    s->io_buffer_index = 0;
     s->io_buffer_size = n * 512;
     if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->is_read) == 0)
         goto eot;
commit cd369c4634e58a99fb82f076e6117bfdf0012b8e
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Dec 20 13:45:48 2010 +0100

    ide: factor dma handling helpers
    
    Factor the DMA I/O path that is duplicated between read and write
    commands, into common helpers using the s->is_read flag added for
    the macio ATA controller.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 9496e99..e93dd46 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -487,16 +487,18 @@ static int ide_handle_rw_error(IDEState *s, int error, int op)
     return 1;
 }
 
-void ide_read_dma_cb(void *opaque, int ret)
+void ide_dma_cb(void *opaque, int ret)
 {
     IDEState *s = opaque;
     int n;
     int64_t sector_num;
 
     if (ret < 0) {
-        if (ide_handle_rw_error(s, -ret,
-            BM_STATUS_DMA_RETRY | BM_STATUS_RETRY_READ))
-        {
+        int op = BM_STATUS_DMA_RETRY;
+
+        if (s->is_read)
+            op |= BM_STATUS_RETRY_READ;
+        if (ide_handle_rw_error(s, -ret, op)) {
             return;
         }
     }
@@ -504,7 +506,7 @@ void ide_read_dma_cb(void *opaque, int ret)
     n = s->io_buffer_size >> 9;
     sector_num = ide_get_sector(s);
     if (n > 0) {
-        dma_buf_commit(s, 1);
+        dma_buf_commit(s, s->is_read);
         sector_num += n;
         ide_set_sector(s, sector_num);
         s->nsector -= n;
@@ -514,32 +516,44 @@ void ide_read_dma_cb(void *opaque, int ret)
     if (s->nsector == 0) {
         s->status = READY_STAT | SEEK_STAT;
         ide_set_irq(s->bus);
-    eot:
-        s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
-        ide_set_inactive(s);
-        return;
+        goto eot;
     }
 
     /* launch next transfer */
     n = s->nsector;
-    s->io_buffer_index = 0;
+    if (s->is_read)
+        s->io_buffer_index = 0;
     s->io_buffer_size = n * 512;
-    if (s->bus->dma->ops->prepare_buf(s->bus->dma, 1) == 0)
+    if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->is_read) == 0)
         goto eot;
+
 #ifdef DEBUG_AIO
-    printf("aio_read: sector_num=%" PRId64 " n=%d\n", sector_num, n);
+    printf("ide_dma_cb: sector_num=%" PRId64 " n=%d, is_read=%d\n",
+           sector_num, n, s->is_read);
 #endif
-    s->bus->dma->aiocb = dma_bdrv_read(s->bs, &s->sg, sector_num, ide_read_dma_cb, s);
-    ide_dma_submit_check(s, ide_read_dma_cb);
+
+    if (s->is_read) {
+        s->bus->dma->aiocb = dma_bdrv_read(s->bs, &s->sg, sector_num,
+                                           ide_dma_cb, s);
+    } else {
+        s->bus->dma->aiocb = dma_bdrv_write(s->bs, &s->sg, sector_num,
+                                            ide_dma_cb, s);
+    }
+    ide_dma_submit_check(s, ide_dma_cb);
+    return;
+
+eot:
+   s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
+   ide_set_inactive(s);
 }
 
-static void ide_sector_read_dma(IDEState *s)
+static void ide_sector_start_dma(IDEState *s, int is_read)
 {
     s->status = READY_STAT | SEEK_STAT | DRQ_STAT | BUSY_STAT;
     s->io_buffer_index = 0;
     s->io_buffer_size = 0;
-    s->is_read = 1;
-    s->bus->dma->ops->start_dma(s->bus->dma, s, ide_read_dma_cb);
+    s->is_read = is_read;
+    s->bus->dma->ops->start_dma(s->bus->dma, s, ide_dma_cb);
 }
 
 static void ide_sector_write_timer_cb(void *opaque)
@@ -594,57 +608,6 @@ void ide_sector_write(IDEState *s)
     }
 }
 
-void ide_write_dma_cb(void *opaque, int ret)
-{
-    IDEState *s = opaque;
-    int n;
-    int64_t sector_num;
-
-    if (ret < 0) {
-        if (ide_handle_rw_error(s, -ret,  BM_STATUS_DMA_RETRY))
-            return;
-    }
-
-    n = s->io_buffer_size >> 9;
-    sector_num = ide_get_sector(s);
-    if (n > 0) {
-        dma_buf_commit(s, 0);
-        sector_num += n;
-        ide_set_sector(s, sector_num);
-        s->nsector -= n;
-    }
-
-    /* end of transfer ? */
-    if (s->nsector == 0) {
-        s->status = READY_STAT | SEEK_STAT;
-        ide_set_irq(s->bus);
-    eot:
-        s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
-        ide_set_inactive(s);
-        return;
-    }
-
-    n = s->nsector;
-    s->io_buffer_size = n * 512;
-    /* launch next transfer */
-    if (s->bus->dma->ops->prepare_buf(s->bus->dma, 0) == 0)
-        goto eot;
-#ifdef DEBUG_AIO
-    printf("aio_write: sector_num=%" PRId64 " n=%d\n", sector_num, n);
-#endif
-    s->bus->dma->aiocb = dma_bdrv_write(s->bs, &s->sg, sector_num, ide_write_dma_cb, s);
-    ide_dma_submit_check(s, ide_write_dma_cb);
-}
-
-static void ide_sector_write_dma(IDEState *s)
-{
-    s->status = READY_STAT | SEEK_STAT | DRQ_STAT | BUSY_STAT;
-    s->io_buffer_index = 0;
-    s->io_buffer_size = 0;
-    s->is_read = 0;
-    s->bus->dma->ops->start_dma(s->bus->dma, s, ide_write_dma_cb);
-}
-
 void ide_atapi_cmd_ok(IDEState *s)
 {
     s->error = 0;
@@ -1858,7 +1821,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
         if (!s->bs)
             goto abort_cmd;
 	ide_cmd_lba48_transform(s, lba48);
-        ide_sector_read_dma(s);
+        ide_sector_start_dma(s, 1);
         break;
 	case WIN_WRITEDMA_EXT:
 	lba48 = 1;
@@ -1867,7 +1830,7 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
         if (!s->bs)
             goto abort_cmd;
 	ide_cmd_lba48_transform(s, lba48);
-        ide_sector_write_dma(s);
+        ide_sector_start_dma(s, 0);
         s->media_changed = 1;
         break;
     case WIN_READ_NATIVE_MAX_EXT:
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 697c3b4..d533fb6 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -439,7 +439,6 @@ struct IDEState {
     uint32_t mdata_size;
     uint8_t *mdata_storage;
     int media_changed;
-    /* for pmac */
     int is_read;
     /* SMART */
     uint8_t smart_enabled;
@@ -560,8 +559,7 @@ void ide_init2_with_non_qdev_drives(IDEBus *bus, DriveInfo *hd0,
 void ide_init_ioport(IDEBus *bus, int iobase, int iobase2);
 
 void ide_exec_cmd(IDEBus *bus, uint32_t val);
-void ide_read_dma_cb(void *opaque, int ret);
-void ide_write_dma_cb(void *opaque, int ret);
+void ide_dma_cb(void *opaque, int ret);
 void ide_sector_write(IDEState *s);
 void ide_sector_read(IDEState *s);
 void ide_flush_cache(IDEState *s);
diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index 510b2de..987caff 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -178,14 +178,9 @@ static void bmdma_restart_dma(BMDMAState *bm, int is_read)
     s->io_buffer_index = 0;
     s->io_buffer_size = 0;
     s->nsector = bm->nsector;
+    s->is_read = is_read;
     bm->cur_addr = bm->addr;
-
-    if (is_read) {
-        bm->dma_cb = ide_read_dma_cb;
-    } else {
-        bm->dma_cb = ide_write_dma_cb;
-    }
-
+    bm->dma_cb = ide_dma_cb;
     bmdma_start_dma(&bm->dma, s, bm->dma_cb);
 }
 
commit 8b6b2afcf85dd5ff33075e93a2e30fbea34c5a55
Author: Pierre Riteau <Pierre.Riteau at irisa.fr>
Date:   Wed Jan 12 14:41:00 2011 +0100

    Avoid divide by zero when there is no block device to migrate
    
    When block migration is requested and no read-write block device is
    present, a divide by zero exception is triggered because
    total_sector_sum equals zero.
    
    Signed-off-by: Pierre Riteau <Pierre.Riteau at irisa.fr>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block-migration.c b/block-migration.c
index 1475325..60b9fc0 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -350,7 +350,12 @@ static int blk_mig_save_bulked_block(Monitor *mon, QEMUFile *f)
         }
     }
 
-    progress = completed_sector_sum * 100 / block_mig_state.total_sector_sum;
+    if (block_mig_state.total_sector_sum != 0) {
+        progress = completed_sector_sum * 100 /
+                   block_mig_state.total_sector_sum;
+    } else {
+        progress = 100;
+    }
     if (progress != block_mig_state.prev_progress) {
         block_mig_state.prev_progress = progress;
         qemu_put_be64(f, (progress << BDRV_SECTOR_BITS)
commit 70b4f4bb05ff5e6812c6593eeefbd19bd61b517d
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Wed Jan 5 11:41:02 2011 +0100

    Make strtosz() return int64_t instead of ssize_t
    
    strtosz() needs to return a 64 bit type even on 32 bit
    architectures. Otherwise qemu-img will fail to create disk
    images >= 2GB
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index 7984bc1..4d2e27c 100644
--- a/cutils.c
+++ b/cutils.c
@@ -291,9 +291,9 @@ int fcntl_setfl(int fd, int flag)
  * value must be terminated by whitespace, ',' or '\0'. Return -1 on
  * error.
  */
-ssize_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
+int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
 {
-    ssize_t retval = -1;
+    int64_t retval = -1;
     char *endptr, c, d;
     int mul_required = 0;
     double val, mul, integral, fraction;
@@ -365,7 +365,7 @@ ssize_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
             goto fail;
         }
     }
-    if ((val * mul >= ~(size_t)0) || val < 0) {
+    if ((val * mul >= INT64_MAX) || val < 0) {
         goto fail;
     }
     retval = val * mul;
@@ -378,7 +378,7 @@ fail:
     return retval;
 }
 
-ssize_t strtosz(const char *nptr, char **end)
+int64_t strtosz(const char *nptr, char **end)
 {
     return strtosz_suffix(nptr, end, STRTOSZ_DEFSUFFIX_MB);
 }
diff --git a/monitor.c b/monitor.c
index d291158..0cda3da 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4162,7 +4162,7 @@ static const mon_cmd_t *monitor_parse_command(Monitor *mon,
             break;
         case 'o':
             {
-                ssize_t val;
+                int64_t val;
                 char *end;
 
                 while (qemu_isspace(*p)) {
diff --git a/qemu-common.h b/qemu-common.h
index c766b99..c351131 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -158,8 +158,8 @@ int fcntl_setfl(int fd, int flag);
 #define STRTOSZ_DEFSUFFIX_MB	'M'
 #define STRTOSZ_DEFSUFFIX_KB	'K'
 #define STRTOSZ_DEFSUFFIX_B	'B'
-ssize_t strtosz(const char *nptr, char **end);
-ssize_t strtosz_suffix(const char *nptr, char **end, const char default_suffix);
+int64_t strtosz(const char *nptr, char **end);
+int64_t strtosz_suffix(const char *nptr, char **end, const char default_suffix);
 
 /* path.c */
 void init_paths(const char *prefix);
diff --git a/qemu-img.c b/qemu-img.c
index 1e65ea8..4a37358 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -320,7 +320,7 @@ static int img_create(int argc, char **argv)
 
     /* Get image size, if specified */
     if (optind < argc) {
-        ssize_t sval;
+        int64_t sval;
         sval = strtosz_suffix(argv[optind++], NULL, STRTOSZ_DEFSUFFIX_B);
         if (sval < 0) {
             error_report("Invalid image size specified! You may use k, M, G or "
diff --git a/vl.c b/vl.c
index 0292184..14255c4 100644
--- a/vl.c
+++ b/vl.c
@@ -804,7 +804,7 @@ static void numa_add(const char *optarg)
         if (get_param_value(option, 128, "mem", optarg) == 0) {
             node_mem[nodenr] = 0;
         } else {
-            ssize_t sval;
+            int64_t sval;
             sval = strtosz(option, NULL);
             if (sval < 0) {
                 fprintf(stderr, "qemu: invalid numa mem size: %s\n", optarg);
@@ -2245,7 +2245,7 @@ int main(int argc, char **argv, char **envp)
                 exit(0);
                 break;
             case QEMU_OPTION_m: {
-                ssize_t value;
+                int64_t value;
 
                 value = strtosz(optarg, NULL);
                 if (value < 0) {
commit c90f1b3297943f2f142d8114bef1092f9ac9acef
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Jan 6 17:02:23 2011 +0100

    do_snapshot_blkdev() error on missing snapshot_file argument
    
    Current code does not support snapshot internally to the running
    image. Error in case no snapshot_file is specified.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index d7add36..662f7a9 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -526,6 +526,12 @@ int do_snapshot_blkdev(Monitor *mon, const QDict *qdict, QObject **ret_data)
     int ret = 0;
     int flags;
 
+    if (!filename) {
+        qerror_report(QERR_MISSING_PARAMETER, "snapshot_file");
+        ret = -1;
+        goto out;
+    }
+
     bs = bdrv_find(device);
     if (!bs) {
         qerror_report(QERR_DEVICE_NOT_FOUND, device);
commit 710da702beb0dc4aeeab1b9e712cd9473b083a89
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Jan 10 12:33:02 2011 +0100

    qemu-img snapshot: Use writeback caching
    
    None of the other qemu-img subcommands uses writethrough, and there's no reason
    why snapshot should be special.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/qemu-img.c b/qemu-img.c
index afd9ed2..1e65ea8 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1068,7 +1068,7 @@ static int img_snapshot(int argc, char **argv)
     int action = 0;
     qemu_timeval tv;
 
-    bdrv_oflags = BDRV_O_RDWR;
+    bdrv_oflags = BDRV_O_FLAGS | BDRV_O_RDWR;
     /* Parse commandline parameters */
     for(;;) {
         c = getopt(argc, argv, "la:c:d:h");
commit 653df36bbe58e20258610bc74c5940c456b31084
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sat Jan 1 21:50:34 2011 +0100

    qcow2: fix unaligned access
    
    cpu_to_be64w() is called with an obviously non-aligned pointer. Use
    cpu_to_be64wu() instead. It fixes unaligned accesses errors on IA64
    hosts.
    
    Cc: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 6928c63..c3ef550 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -81,7 +81,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, int min_size, bool exact_size)
     /* set new table */
     BLKDBG_EVENT(bs->file, BLKDBG_L1_GROW_ACTIVATE_TABLE);
     cpu_to_be32w((uint32_t*)data, new_l1_size);
-    cpu_to_be64w((uint64_t*)(data + 4), new_l1_table_offset);
+    cpu_to_be64wu((uint64_t*)(data + 4), new_l1_table_offset);
     ret = bdrv_pwrite_sync(bs->file, offsetof(QCowHeader, l1_size), data,sizeof(data));
     if (ret < 0) {
         goto fail;
commit 0bfe006c5380c5f8a485a55ded3329fbbc224396
Author: Kevin Wolf <mail at kevin-wolf.de>
Date:   Tue Jan 4 14:03:30 2011 +0100

    multiboot: Fix upper memory size in multiboot info
    
    The upper memory size field should exclude the first MB of RAM.
    
    Signed-off-by: Kevin Wolf <mail at kevin-wolf.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/multiboot.c b/hw/multiboot.c
index 7cc3055..0d2bfb4 100644
--- a/hw/multiboot.c
+++ b/hw/multiboot.c
@@ -306,7 +306,7 @@ int load_multiboot(void *fw_cfg,
                                 | MULTIBOOT_FLAGS_MODULES
                                 | MULTIBOOT_FLAGS_MMAP);
     stl_p(bootinfo + MBI_MEM_LOWER,   640);
-    stl_p(bootinfo + MBI_MEM_UPPER,   ram_size / 1024);
+    stl_p(bootinfo + MBI_MEM_UPPER,   (ram_size / 1024) - 1024);
     stl_p(bootinfo + MBI_BOOT_DEVICE, 0x8001ffff); /* XXX: use the -boot switch? */
     stl_p(bootinfo + MBI_MMAP_ADDR,   ADDR_E820_MAP);
 
commit 64b85a8f2359ca3a995499afaf3c87d8e036e030
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 23 16:21:20 2011 +0000

    Delete useless 'extern' qualifiers for functions
    
    'extern' qualifier is useless for function declarations. Delete
    them.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cache-utils.h b/cache-utils.h
index b45fde4..0b65907 100644
--- a/cache-utils.h
+++ b/cache-utils.h
@@ -9,7 +9,7 @@ struct qemu_cache_conf {
 
 extern struct qemu_cache_conf qemu_cache_conf;
 
-extern void qemu_cache_utils_init(char **envp);
+void qemu_cache_utils_init(char **envp);
 
 /* mildly adjusted code from tcg-dyngen.c */
 static inline void flush_icache_range(unsigned long start, unsigned long stop)
diff --git a/cmd.h b/cmd.h
index cbe9549..b763b19 100644
--- a/cmd.h
+++ b/cmd.h
@@ -38,33 +38,33 @@ typedef struct cmdinfo {
 extern cmdinfo_t	*cmdtab;
 extern int		ncmds;
 
-extern void		help_init(void);
-extern void		quit_init(void);
+void help_init(void);
+void quit_init(void);
 
 typedef int (*argsfunc_t)(int index);
 typedef int (*checkfunc_t)(const cmdinfo_t *ci);
 
-extern void		add_command(const cmdinfo_t *ci);
-extern void		add_user_command(char *optarg);
-extern void		add_args_command(argsfunc_t af);
-extern void		add_check_command(checkfunc_t cf);
+void add_command(const cmdinfo_t *ci);
+void add_user_command(char *optarg);
+void add_args_command(argsfunc_t af);
+void add_check_command(checkfunc_t cf);
 
-extern const cmdinfo_t	*find_command(const char *cmd);
+const cmdinfo_t *find_command(const char *cmd);
 
-extern void		command_loop(void);
-extern int		command_usage(const cmdinfo_t *ci);
-extern int		command(const cmdinfo_t *ci, int argc, char **argv);
+void command_loop(void);
+int command_usage(const cmdinfo_t *ci);
+int command(const cmdinfo_t *ci, int argc, char **argv);
 
 /* from input.h */
-extern char	**breakline(char *input, int *count);
-extern void	doneline(char *input, char **vec);
-extern char	*fetchline(void);
+char **breakline(char *input, int *count);
+void doneline(char *input, char **vec);
+char *fetchline(void);
 
-extern long long cvtnum(char *s);
-extern void	cvtstr(double value, char *str, size_t sz);
+long long cvtnum(char *s);
+void cvtstr(double value, char *str, size_t sz);
 
-extern struct timeval tsub(struct timeval t1, struct timeval t2);
-extern double	tdiv(double value, struct timeval tv);
+struct timeval tsub(struct timeval t1, struct timeval t2);
+double tdiv(double value, struct timeval tv);
 
 enum {
 	DEFAULT_TIME		= 0x0,
@@ -72,7 +72,7 @@ enum {
 	VERBOSE_FIXED_TIME	= 0x2
 };
 
-extern void	timestr(struct timeval *tv, char *str, size_t sz, int flags);
+void timestr(struct timeval *tv, char *str, size_t sz, int flags);
 
 extern char *progname;
 
diff --git a/dis-asm.h b/dis-asm.h
index 356459c..296537a 100644
--- a/dis-asm.h
+++ b/dis-asm.h
@@ -362,48 +362,48 @@ typedef struct disassemble_info {
    target address.  Return number of bytes processed.  */
 typedef int (*disassembler_ftype) (bfd_vma, disassemble_info *);
 
-extern int print_insn_big_mips		(bfd_vma, disassemble_info*);
-extern int print_insn_little_mips	(bfd_vma, disassemble_info*);
-extern int print_insn_i386		(bfd_vma, disassemble_info*);
-extern int print_insn_m68k		(bfd_vma, disassemble_info*);
-extern int print_insn_z8001		(bfd_vma, disassemble_info*);
-extern int print_insn_z8002		(bfd_vma, disassemble_info*);
-extern int print_insn_h8300		(bfd_vma, disassemble_info*);
-extern int print_insn_h8300h		(bfd_vma, disassemble_info*);
-extern int print_insn_h8300s		(bfd_vma, disassemble_info*);
-extern int print_insn_h8500		(bfd_vma, disassemble_info*);
-extern int print_insn_alpha		(bfd_vma, disassemble_info*);
-extern disassembler_ftype arc_get_disassembler (int, int);
-extern int print_insn_arm		(bfd_vma, disassemble_info*);
-extern int print_insn_sparc		(bfd_vma, disassemble_info*);
-extern int print_insn_big_a29k		(bfd_vma, disassemble_info*);
-extern int print_insn_little_a29k	(bfd_vma, disassemble_info*);
-extern int print_insn_i960		(bfd_vma, disassemble_info*);
-extern int print_insn_sh		(bfd_vma, disassemble_info*);
-extern int print_insn_shl		(bfd_vma, disassemble_info*);
-extern int print_insn_hppa		(bfd_vma, disassemble_info*);
-extern int print_insn_m32r		(bfd_vma, disassemble_info*);
-extern int print_insn_m88k		(bfd_vma, disassemble_info*);
-extern int print_insn_mn10200		(bfd_vma, disassemble_info*);
-extern int print_insn_mn10300		(bfd_vma, disassemble_info*);
-extern int print_insn_ns32k		(bfd_vma, disassemble_info*);
-extern int print_insn_big_powerpc	(bfd_vma, disassemble_info*);
-extern int print_insn_little_powerpc	(bfd_vma, disassemble_info*);
-extern int print_insn_rs6000		(bfd_vma, disassemble_info*);
-extern int print_insn_w65		(bfd_vma, disassemble_info*);
-extern int print_insn_d10v		(bfd_vma, disassemble_info*);
-extern int print_insn_v850		(bfd_vma, disassemble_info*);
-extern int print_insn_tic30		(bfd_vma, disassemble_info*);
-extern int print_insn_ppc		(bfd_vma, disassemble_info*);
-extern int print_insn_s390		(bfd_vma, disassemble_info*);
-extern int print_insn_crisv32           (bfd_vma, disassemble_info*);
-extern int print_insn_crisv10           (bfd_vma, disassemble_info*);
-extern int print_insn_microblaze        (bfd_vma, disassemble_info*);
-extern int print_insn_ia64              (bfd_vma, disassemble_info*);
+int print_insn_big_mips         (bfd_vma, disassemble_info*);
+int print_insn_little_mips      (bfd_vma, disassemble_info*);
+int print_insn_i386             (bfd_vma, disassemble_info*);
+int print_insn_m68k             (bfd_vma, disassemble_info*);
+int print_insn_z8001            (bfd_vma, disassemble_info*);
+int print_insn_z8002            (bfd_vma, disassemble_info*);
+int print_insn_h8300            (bfd_vma, disassemble_info*);
+int print_insn_h8300h           (bfd_vma, disassemble_info*);
+int print_insn_h8300s           (bfd_vma, disassemble_info*);
+int print_insn_h8500            (bfd_vma, disassemble_info*);
+int print_insn_alpha            (bfd_vma, disassemble_info*);
+disassembler_ftype arc_get_disassembler (int, int);
+int print_insn_arm              (bfd_vma, disassemble_info*);
+int print_insn_sparc            (bfd_vma, disassemble_info*);
+int print_insn_big_a29k         (bfd_vma, disassemble_info*);
+int print_insn_little_a29k      (bfd_vma, disassemble_info*);
+int print_insn_i960             (bfd_vma, disassemble_info*);
+int print_insn_sh               (bfd_vma, disassemble_info*);
+int print_insn_shl              (bfd_vma, disassemble_info*);
+int print_insn_hppa             (bfd_vma, disassemble_info*);
+int print_insn_m32r             (bfd_vma, disassemble_info*);
+int print_insn_m88k             (bfd_vma, disassemble_info*);
+int print_insn_mn10200          (bfd_vma, disassemble_info*);
+int print_insn_mn10300          (bfd_vma, disassemble_info*);
+int print_insn_ns32k            (bfd_vma, disassemble_info*);
+int print_insn_big_powerpc      (bfd_vma, disassemble_info*);
+int print_insn_little_powerpc   (bfd_vma, disassemble_info*);
+int print_insn_rs6000           (bfd_vma, disassemble_info*);
+int print_insn_w65              (bfd_vma, disassemble_info*);
+int print_insn_d10v             (bfd_vma, disassemble_info*);
+int print_insn_v850             (bfd_vma, disassemble_info*);
+int print_insn_tic30            (bfd_vma, disassemble_info*);
+int print_insn_ppc              (bfd_vma, disassemble_info*);
+int print_insn_s390             (bfd_vma, disassemble_info*);
+int print_insn_crisv32          (bfd_vma, disassemble_info*);
+int print_insn_crisv10          (bfd_vma, disassemble_info*);
+int print_insn_microblaze       (bfd_vma, disassemble_info*);
+int print_insn_ia64             (bfd_vma, disassemble_info*);
 
 #if 0
 /* Fetch the disassembler for a given BFD, if that support is available.  */
-extern disassembler_ftype disassembler	(bfd *);
+disassembler_ftype disassembler(bfd *);
 #endif
 
 
@@ -412,21 +412,20 @@ extern disassembler_ftype disassembler	(bfd *);
 
 /* Here is a function which callers may wish to use for read_memory_func.
    It gets bytes from a buffer.  */
-extern int buffer_read_memory
-  (bfd_vma, bfd_byte *, int, struct disassemble_info *);
+int buffer_read_memory(bfd_vma, bfd_byte *, int, struct disassemble_info *);
 
 /* This function goes with buffer_read_memory.
    It prints a message using info->fprintf_func and info->stream.  */
-extern void perror_memory (int, bfd_vma, struct disassemble_info *);
+void perror_memory(int, bfd_vma, struct disassemble_info *);
 
 
 /* Just print the address in hex.  This is included for completeness even
    though both GDB and objdump provide their own (to print symbolic
    addresses).  */
-extern void generic_print_address (bfd_vma, struct disassemble_info *);
+void generic_print_address(bfd_vma, struct disassemble_info *);
 
 /* Always true.  */
-extern int generic_symbol_at_address (bfd_vma, struct disassemble_info *);
+int generic_symbol_at_address(bfd_vma, struct disassemble_info *);
 
 /* Macro to initialize a disassemble_info struct.  This should be called
    by all applications creating such a struct.  */
diff --git a/envlist.h b/envlist.h
index e76d4a1..b9addcc 100644
--- a/envlist.h
+++ b/envlist.h
@@ -7,13 +7,13 @@ extern "C" {
 
 typedef struct envlist envlist_t;
 
-extern	envlist_t *envlist_create(void);
-extern	void envlist_free(envlist_t *);
-extern	int envlist_setenv(envlist_t *, const char *);
-extern	int envlist_unsetenv(envlist_t *, const char *);
-extern	int envlist_parse_set(envlist_t *, const char *);
-extern	int envlist_parse_unset(envlist_t *, const char *);
-extern	char **envlist_to_environ(const envlist_t *, size_t *);
+envlist_t *envlist_create(void);
+void envlist_free(envlist_t *);
+int envlist_setenv(envlist_t *, const char *);
+int envlist_unsetenv(envlist_t *, const char *);
+int envlist_parse_set(envlist_t *, const char *);
+int envlist_parse_unset(envlist_t *, const char *);
+char **envlist_to_environ(const envlist_t *, size_t *);
 
 #ifdef __cplusplus
 }
diff --git a/exec-all.h b/exec-all.h
index a4b75bd..e3a82bc 100644
--- a/exec-all.h
+++ b/exec-all.h
@@ -192,7 +192,7 @@ extern TranslationBlock *tb_phys_hash[CODE_GEN_PHYS_HASH_SIZE];
 #if defined(USE_DIRECT_JUMP)
 
 #if defined(_ARCH_PPC)
-extern void ppc_tb_set_jmp_target(unsigned long jmp_addr, unsigned long addr);
+void ppc_tb_set_jmp_target(unsigned long jmp_addr, unsigned long addr);
 #define tb_set_jmp_target1 ppc_tb_set_jmp_target
 #elif defined(__i386__) || defined(__x86_64__)
 static inline void tb_set_jmp_target1(unsigned long jmp_addr, unsigned long addr)
diff --git a/fsdev/qemu-fsdev.h b/fsdev/qemu-fsdev.h
index 6c27881..a704043 100644
--- a/fsdev/qemu-fsdev.h
+++ b/fsdev/qemu-fsdev.h
@@ -49,7 +49,7 @@ typedef struct FsTypeListEntry {
     QTAILQ_ENTRY(FsTypeListEntry) next;
 } FsTypeListEntry;
 
-extern int qemu_fsdev_add(QemuOpts *opts);
-extern FsTypeEntry *get_fsdev_fsentry(char *id);
+int qemu_fsdev_add(QemuOpts *opts);
+FsTypeEntry *get_fsdev_fsentry(char *id);
 extern FileOperations local_ops;
 #endif
diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index c7731c2..126e60e 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -57,7 +57,7 @@ typedef struct FsContext
     struct xattr_operations **xops;
 } FsContext;
 
-extern void cred_init(FsCred *);
+void cred_init(FsCred *);
 
 typedef struct FileOperations
 {
diff --git a/hw/hw.h b/hw/hw.h
index 163a683..dd993de 100644
--- a/hw/hw.h
+++ b/hw/hw.h
@@ -799,17 +799,16 @@ extern const VMStateDescription vmstate_i2c_slave;
 #define VMSTATE_END_OF_LIST()                                         \
     {}
 
-extern int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
-                              void *opaque, int version_id);
-extern void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
-                               void *opaque);
-extern int vmstate_register(DeviceState *dev, int instance_id,
-                            const VMStateDescription *vmsd, void *base);
-extern int vmstate_register_with_alias_id(DeviceState *dev,
-                                          int instance_id,
-                                          const VMStateDescription *vmsd,
-                                          void *base, int alias_id,
-                                          int required_for_version);
+int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
+                       void *opaque, int version_id);
+void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
+                        void *opaque);
+int vmstate_register(DeviceState *dev, int instance_id,
+                     const VMStateDescription *vmsd, void *base);
+int vmstate_register_with_alias_id(DeviceState *dev, int instance_id,
+                                   const VMStateDescription *vmsd,
+                                   void *base, int alias_id,
+                                   int required_for_version);
 void vmstate_unregister(DeviceState *dev, const VMStateDescription *vmsd,
                         void *opaque);
 #endif
diff --git a/hw/mips.h b/hw/mips.h
index 757e8f9..73aa8f8 100644
--- a/hw/mips.h
+++ b/hw/mips.h
@@ -21,7 +21,7 @@ int g364fb_mm_init(target_phys_addr_t vram_base,
 void mipsnet_init(int base, qemu_irq irq, NICInfo *nd);
 
 /* jazz_led.c */
-extern void jazz_led_init(target_phys_addr_t base);
+void jazz_led_init(target_phys_addr_t base);
 
 /* rc4030.c */
 typedef struct rc4030DMAState *rc4030_dma;
diff --git a/hw/s390-virtio-bus.h b/hw/s390-virtio-bus.h
index 669b610..33379a3 100644
--- a/hw/s390-virtio-bus.h
+++ b/hw/s390-virtio-bus.h
@@ -58,14 +58,12 @@ typedef struct VirtIOS390Bus {
 } VirtIOS390Bus;
 
 
-extern void s390_virtio_device_update_status(VirtIOS390Device *dev);
+void s390_virtio_device_update_status(VirtIOS390Device *dev);
 
-extern VirtIOS390Device *s390_virtio_bus_console(VirtIOS390Bus *bus);
-extern VirtIOS390Bus *s390_virtio_bus_init(ram_addr_t *ram_size);
+VirtIOS390Device *s390_virtio_bus_console(VirtIOS390Bus *bus);
+VirtIOS390Bus *s390_virtio_bus_init(ram_addr_t *ram_size);
 
-extern VirtIOS390Device *s390_virtio_bus_find_vring(VirtIOS390Bus *bus,
-                                                    ram_addr_t mem,
-                                                    int *vq_num);
-extern VirtIOS390Device *s390_virtio_bus_find_mem(VirtIOS390Bus *bus,
-                                                  ram_addr_t mem);
-extern void s390_virtio_device_sync(VirtIOS390Device *dev);
+VirtIOS390Device *s390_virtio_bus_find_vring(VirtIOS390Bus *bus,
+                                             ram_addr_t mem, int *vq_num);
+VirtIOS390Device *s390_virtio_bus_find_mem(VirtIOS390Bus *bus, ram_addr_t mem);
+void s390_virtio_device_sync(VirtIOS390Device *dev);
diff --git a/hw/virtio-9p-xattr.h b/hw/virtio-9p-xattr.h
index a6e31a1..2bbae2d 100644
--- a/hw/virtio-9p-xattr.h
+++ b/hw/virtio-9p-xattr.h
@@ -41,16 +41,15 @@ extern XattrOperations *mapped_xattr_ops[];
 extern XattrOperations *passthrough_xattr_ops[];
 extern XattrOperations *none_xattr_ops[];
 
-extern ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
-                              const char *name, void *value, size_t size);
-extern ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
-                               void *value, size_t vsize);
-extern int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
+ssize_t v9fs_get_xattr(FsContext *ctx, const char *path, const char *name,
+                       void *value, size_t size);
+ssize_t v9fs_list_xattr(FsContext *ctx, const char *path, void *value,
+                        size_t vsize);
+int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
                           void *value, size_t size, int flags);
-extern int v9fs_remove_xattr(FsContext *ctx,
-                             const char *path, const char *name);
-extern ssize_t pt_listxattr(FsContext *ctx, const char *path,
-                            char *name, void *value, size_t size);
+int v9fs_remove_xattr(FsContext *ctx, const char *path, const char *name);
+ssize_t pt_listxattr(FsContext *ctx, const char *path, char *name, void *value,
+                     size_t size);
 
 static inline ssize_t pt_getxattr(FsContext *ctx, const char *path,
                                   const char *name, void *value, size_t size)
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 6c23319..2ae4ce7 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -495,8 +495,8 @@ typedef struct V9fsReadLinkState
     V9fsString target;
 } V9fsReadLinkState;
 
-extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
-                            size_t offset, size_t size, int pack);
+size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
+                      size_t offset, size_t size, int pack);
 
 static inline size_t do_pdu_unpack(void *dst, struct iovec *sg, int sg_count,
                         size_t offset, size_t size)
diff --git a/hw/watchdog.h b/hw/watchdog.h
index 8fd32c3..c12a293 100644
--- a/hw/watchdog.h
+++ b/hw/watchdog.h
@@ -35,9 +35,9 @@ struct WatchdogTimerModel {
 typedef struct WatchdogTimerModel WatchdogTimerModel;
 
 /* in hw/watchdog.c */
-extern int select_watchdog(const char *p);
-extern int select_watchdog_action(const char *action);
-extern void watchdog_add_model(WatchdogTimerModel *model);
-extern void watchdog_perform_action(void);
+int select_watchdog(const char *p);
+int select_watchdog_action(const char *action);
+void watchdog_add_model(WatchdogTimerModel *model);
+void watchdog_perform_action(void);
 
 #endif /* QEMU_WATCHDOG_H */
diff --git a/linux-user/arm/nwfpe/fpa11.h b/linux-user/arm/nwfpe/fpa11.h
index 07419e2..f17647b 100644
--- a/linux-user/arm/nwfpe/fpa11.h
+++ b/linux-user/arm/nwfpe/fpa11.h
@@ -89,9 +89,9 @@ typedef struct tagFPA11 {
 
 extern FPA11* qemufpa;
 
-extern void resetFPA11(void);
-extern void SetRoundingMode(const unsigned int);
-extern void SetRoundingPrecision(const unsigned int);
+void resetFPA11(void);
+void SetRoundingMode(const unsigned int);
+void SetRoundingPrecision(const unsigned int);
 
 static inline unsigned int readRegister(unsigned int reg)
 {
diff --git a/linux-user/arm/nwfpe/fpopcode.h b/linux-user/arm/nwfpe/fpopcode.h
index 16fa34a..e7d1009 100644
--- a/linux-user/arm/nwfpe/fpopcode.h
+++ b/linux-user/arm/nwfpe/fpopcode.h
@@ -384,7 +384,7 @@ static inline float32 getSingleConstant(const unsigned int nIndex)
    return float32Constant[nIndex];
 }
 
-extern unsigned int getRegisterCount(const unsigned int opcode);
-extern unsigned int getDestinationSize(const unsigned int opcode);
+unsigned int getRegisterCount(const unsigned int opcode);
+unsigned int getDestinationSize(const unsigned int opcode);
 
 #endif
diff --git a/qemu-common.h b/qemu-common.h
index 63d9943..c766b99 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -90,7 +90,7 @@ typedef int (*fprintf_function)(FILE *f, const char *fmt, ...)
 #ifdef _WIN32
 #define fsync _commit
 #define lseek _lseeki64
-extern int qemu_ftruncate64(int, int64_t);
+int qemu_ftruncate64(int, int64_t);
 #define ftruncate qemu_ftruncate64
 
 static inline char *realpath(const char *path, char *resolved_path)
diff --git a/slirp/slirp.h b/slirp/slirp.h
index dfd977a..954289a 100644
--- a/slirp/slirp.h
+++ b/slirp/slirp.h
@@ -238,7 +238,7 @@ void if_start(struct ttys *);
 #endif
 
 #ifndef HAVE_STRERROR
- extern char *strerror(int error);
+ char *strerror(int error);
 #endif
 
 #ifndef HAVE_INDEX
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 8d73fad..e47c372 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -105,9 +105,9 @@ int cpu_s390x_handle_mmu_fault (CPUS390XState *env, target_ulong address, int rw
 #define TARGET_VIRT_ADDR_SPACE_BITS 32
 
 #ifndef CONFIG_USER_ONLY
-extern int s390_virtio_hypercall(CPUState *env);
-extern void kvm_s390_virtio_irq(CPUState *env, int config_change, uint64_t token);
-extern CPUState *s390_cpu_addr2state(uint16_t cpu_addr);
+int s390_virtio_hypercall(CPUState *env);
+void kvm_s390_virtio_irq(CPUState *env, int config_change, uint64_t token);
+CPUState *s390_cpu_addr2state(uint16_t cpu_addr);
 #endif
 
 
diff --git a/tests/cris/sys.h b/tests/cris/sys.h
index d2ed4ce..c5f88e1 100644
--- a/tests/cris/sys.h
+++ b/tests/cris/sys.h
@@ -12,5 +12,5 @@
 
 #define mb() asm volatile ("" : : : "memory")
 
-extern void pass(void);
-extern void _fail(char *reason);
+void pass(void);
+void _fail(char *reason);
diff --git a/ui/cocoa.m b/ui/cocoa.m
index 56c789a..20f91bc 100644
--- a/ui/cocoa.m
+++ b/ui/cocoa.m
@@ -852,9 +852,9 @@ typedef struct CPSProcessSerNum
         UInt32                hi;
 } CPSProcessSerNum;
 
-extern OSErr    CPSGetCurrentProcess( CPSProcessSerNum *psn);
-extern OSErr    CPSEnableForegroundOperation( CPSProcessSerNum *psn, UInt32 _arg2, UInt32 _arg3, UInt32 _arg4, UInt32 _arg5);
-extern OSErr    CPSSetFrontProcess( CPSProcessSerNum *psn);
+OSErr CPSGetCurrentProcess( CPSProcessSerNum *psn);
+OSErr CPSEnableForegroundOperation( CPSProcessSerNum *psn, UInt32 _arg2, UInt32 _arg3, UInt32 _arg4, UInt32 _arg5);
+OSErr CPSSetFrontProcess( CPSProcessSerNum *psn);
 
 int main (int argc, const char * argv[]) {
 
diff --git a/ui/d3des.h b/ui/d3des.h
index ea3da44..78d546f 100644
--- a/ui/d3des.h
+++ b/ui/d3des.h
@@ -22,25 +22,25 @@
 #define EN0	0	/* MODE == encrypt */
 #define DE1	1	/* MODE == decrypt */
 
-extern void deskey(unsigned char *, int);
+void deskey(unsigned char *, int);
 /*		      hexkey[8]     MODE
  * Sets the internal key register according to the hexadecimal
  * key contained in the 8 bytes of hexkey, according to the DES,
  * for encryption or decryption according to MODE.
  */
 
-extern void usekey(unsigned long *);
+void usekey(unsigned long *);
 /*		    cookedkey[32]
  * Loads the internal key register with the data in cookedkey.
  */
 
-extern void cpkey(unsigned long *);
+void cpkey(unsigned long *);
 /*		   cookedkey[32]
  * Copies the contents of the internal key register into the storage
  * located at &cookedkey[0].
  */
 
-extern void des(unsigned char *, unsigned char *);
+void des(unsigned char *, unsigned char *);
 /*		    from[8]	      to[8]
  * Encrypts/Decrypts (according to the key currently loaded in the
  * internal key register) one block of eight bytes at address 'from'
diff --git a/ui/x_keymap.h b/ui/x_keymap.h
index 2042ce0..afde2e9 100644
--- a/ui/x_keymap.h
+++ b/ui/x_keymap.h
@@ -25,8 +25,8 @@
 #ifndef QEMU_X_KEYMAP_H
 #define QEMU_X_KEYMAP_H
 
-extern uint8_t translate_xfree86_keycode(const int key);
+uint8_t translate_xfree86_keycode(const int key);
 
-extern uint8_t translate_evdev_keycode(const int key);
+uint8_t translate_evdev_keycode(const int key);
 
 #endif
commit ba76a84d2d420ccab7383bb60c61b96491f50b33
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 23 11:43:25 2011 +0000

    gdbstub-xml: avoid a warning from sparse
    
    Include a header to get the declaration for xml_builtin. This
    avoids a warning from sparse:
      CC    m68k-softmmu/gdbstub-xml.o
    gdbstub-xml.c:244:12: warning: symbol 'xml_builtin' was not declared. Should it be static?
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/scripts/feature_to_c.sh b/scripts/feature_to_c.sh
index 0994d95..b62da8a 100644
--- a/scripts/feature_to_c.sh
+++ b/scripts/feature_to_c.sh
@@ -36,6 +36,9 @@ for input; do
   arrayname=xml_feature_`echo $input | sed 's,.*/,,; s/[-.]/_/g'`
 
   ${AWK:-awk} 'BEGIN { n = 0
+      printf "#include \"config.h\"\n"
+      printf "#include \"qemu-common.h\"\n"
+      printf "#include \"gdbstub.h\"\n"
       print "static const char '$arrayname'[] = {"
       for (i = 0; i < 255; i++)
         _ord_[sprintf("%c", i)] = i
commit 94a8d39afd8ccfdbf578af04c3385fdb5f545af1
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:17 2011 +0100

    kvm: Consolidate must-have capability checks
    
    Instead of splattering the code with #ifdefs and runtime checks for
    capabilities we cannot work without anyway, provide central test
    infrastructure for verifying their availability both at build and
    runtime.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/configure b/configure
index 9a02d1f..4673bf0 100755
--- a/configure
+++ b/configure
@@ -1662,18 +1662,31 @@ if test "$kvm" != "no" ; then
 #if !defined(KVM_API_VERSION) || KVM_API_VERSION < 12 || KVM_API_VERSION > 12
 #error Invalid KVM version
 #endif
-#if !defined(KVM_CAP_USER_MEMORY)
-#error Missing KVM capability KVM_CAP_USER_MEMORY
-#endif
-#if !defined(KVM_CAP_SET_TSS_ADDR)
-#error Missing KVM capability KVM_CAP_SET_TSS_ADDR
-#endif
-#if !defined(KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
-#error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS
-#endif
-#if !defined(KVM_CAP_USER_NMI)
-#error Missing KVM capability KVM_CAP_USER_NMI
+EOF
+    must_have_caps="KVM_CAP_USER_MEMORY \
+                    KVM_CAP_DESTROY_MEMORY_REGION_WORKS \
+                    KVM_CAP_COALESCED_MMIO \
+                    KVM_CAP_SYNC_MMU \
+                   "
+    if test \( "$cpu" = "i386" -o "$cpu" = "x86_64" \) ; then
+      must_have_caps="$caps \
+                      KVM_CAP_SET_TSS_ADDR \
+                      KVM_CAP_EXT_CPUID \
+                      KVM_CAP_CLOCKSOURCE \
+                      KVM_CAP_NOP_IO_DELAY \
+                      KVM_CAP_PV_MMU \
+                      KVM_CAP_MP_STATE \
+                      KVM_CAP_USER_NMI \
+                     "
+    fi
+    for c in $must_have_caps ; do
+      cat >> $TMPC <<EOF
+#if !defined($c)
+#error Missing KVM capability $c
 #endif
+EOF
+    done
+    cat >> $TMPC <<EOF
 int main(void) { return 0; }
 EOF
   if test "$kerneldir" != "" ; then
@@ -1708,8 +1721,8 @@ EOF
 	| awk -F "error: " '{if (NR>1) printf(", "); printf("%s",$2);}'`
         if test "$kvmerr" != "" ; then
           echo -e "${kvmerr}\n\
-      NOTE: To enable KVM support, update your kernel to 2.6.29+ or install \
-  recent kvm-kmod from http://sourceforge.net/projects/kvm."
+NOTE: To enable KVM support, update your kernel to 2.6.29+ or install \
+recent kvm-kmod from http://sourceforge.net/projects/kvm."
         fi
       fi
       feature_not_found "kvm"
diff --git a/kvm-all.c b/kvm-all.c
index 8053f92..3a1f63b 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -63,9 +63,7 @@ struct KVMState
     int fd;
     int vmfd;
     int coalesced_mmio;
-#ifdef KVM_CAP_COALESCED_MMIO
     struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
-#endif
     int broken_set_mem_region;
     int migration_log;
     int vcpu_events;
@@ -82,6 +80,12 @@ struct KVMState
 
 static KVMState *kvm_state;
 
+static const KVMCapabilityInfo kvm_required_capabilites[] = {
+    KVM_CAP_INFO(USER_MEMORY),
+    KVM_CAP_INFO(DESTROY_MEMORY_REGION_WORKS),
+    KVM_CAP_LAST_INFO
+};
+
 static KVMSlot *kvm_alloc_slot(KVMState *s)
 {
     int i;
@@ -227,12 +231,10 @@ int kvm_init_vcpu(CPUState *env)
         goto err;
     }
 
-#ifdef KVM_CAP_COALESCED_MMIO
     if (s->coalesced_mmio && !s->coalesced_mmio_ring) {
         s->coalesced_mmio_ring =
             (void *)env->kvm_run + s->coalesced_mmio * PAGE_SIZE;
     }
-#endif
 
     ret = kvm_arch_init_vcpu(env);
     if (ret == 0) {
@@ -401,7 +403,6 @@ static int kvm_physical_sync_dirty_bitmap(target_phys_addr_t start_addr,
 int kvm_coalesce_mmio_region(target_phys_addr_t start, ram_addr_t size)
 {
     int ret = -ENOSYS;
-#ifdef KVM_CAP_COALESCED_MMIO
     KVMState *s = kvm_state;
 
     if (s->coalesced_mmio) {
@@ -412,7 +413,6 @@ int kvm_coalesce_mmio_region(target_phys_addr_t start, ram_addr_t size)
 
         ret = kvm_vm_ioctl(s, KVM_REGISTER_COALESCED_MMIO, &zone);
     }
-#endif
 
     return ret;
 }
@@ -420,7 +420,6 @@ int kvm_coalesce_mmio_region(target_phys_addr_t start, ram_addr_t size)
 int kvm_uncoalesce_mmio_region(target_phys_addr_t start, ram_addr_t size)
 {
     int ret = -ENOSYS;
-#ifdef KVM_CAP_COALESCED_MMIO
     KVMState *s = kvm_state;
 
     if (s->coalesced_mmio) {
@@ -431,7 +430,6 @@ int kvm_uncoalesce_mmio_region(target_phys_addr_t start, ram_addr_t size)
 
         ret = kvm_vm_ioctl(s, KVM_UNREGISTER_COALESCED_MMIO, &zone);
     }
-#endif
 
     return ret;
 }
@@ -481,6 +479,18 @@ static int kvm_check_many_ioeventfds(void)
 #endif
 }
 
+static const KVMCapabilityInfo *
+kvm_check_extension_list(KVMState *s, const KVMCapabilityInfo *list)
+{
+    while (list->name) {
+        if (!kvm_check_extension(s, list->value)) {
+            return list;
+        }
+        list++;
+    }
+    return NULL;
+}
+
 static void kvm_set_phys_mem(target_phys_addr_t start_addr, ram_addr_t size,
                              ram_addr_t phys_offset)
 {
@@ -642,6 +652,7 @@ int kvm_init(void)
         "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
         "(see http://sourceforge.net/projects/kvm).\n";
     KVMState *s;
+    const KVMCapabilityInfo *missing_cap;
     int ret;
     int i;
 
@@ -685,35 +696,19 @@ int kvm_init(void)
         goto err;
     }
 
-    /* initially, KVM allocated its own memory and we had to jump through
-     * hooks to make phys_ram_base point to this.  Modern versions of KVM
-     * just use a user allocated buffer so we can use regular pages
-     * unmodified.  Make sure we have a sufficiently modern version of KVM.
-     */
-    if (!kvm_check_extension(s, KVM_CAP_USER_MEMORY)) {
-        ret = -EINVAL;
-        fprintf(stderr, "kvm does not support KVM_CAP_USER_MEMORY\n%s",
-                upgrade_note);
-        goto err;
+    missing_cap = kvm_check_extension_list(s, kvm_required_capabilites);
+    if (!missing_cap) {
+        missing_cap =
+            kvm_check_extension_list(s, kvm_arch_required_capabilities);
     }
-
-    /* There was a nasty bug in < kvm-80 that prevents memory slots from being
-     * destroyed properly.  Since we rely on this capability, refuse to work
-     * with any kernel without this capability. */
-    if (!kvm_check_extension(s, KVM_CAP_DESTROY_MEMORY_REGION_WORKS)) {
+    if (missing_cap) {
         ret = -EINVAL;
-
-        fprintf(stderr,
-                "KVM kernel module broken (DESTROY_MEMORY_REGION).\n%s",
-                upgrade_note);
+        fprintf(stderr, "kvm does not support %s\n%s",
+                missing_cap->name, upgrade_note);
         goto err;
     }
 
-    s->coalesced_mmio = 0;
-#ifdef KVM_CAP_COALESCED_MMIO
     s->coalesced_mmio = kvm_check_extension(s, KVM_CAP_COALESCED_MMIO);
-    s->coalesced_mmio_ring = NULL;
-#endif
 
     s->broken_set_mem_region = 1;
 #ifdef KVM_CAP_JOIN_MEMORY_REGIONS_WORKS
@@ -845,7 +840,6 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
 
 void kvm_flush_coalesced_mmio_buffer(void)
 {
-#ifdef KVM_CAP_COALESCED_MMIO
     KVMState *s = kvm_state;
     if (s->coalesced_mmio_ring) {
         struct kvm_coalesced_mmio_ring *ring = s->coalesced_mmio_ring;
@@ -859,7 +853,6 @@ void kvm_flush_coalesced_mmio_buffer(void)
             ring->first = (ring->first + 1) % KVM_COALESCED_MMIO_MAX;
         }
     }
-#endif
 }
 
 static void do_kvm_cpu_synchronize_state(void *_env)
@@ -1059,13 +1052,7 @@ int kvm_vcpu_ioctl(CPUState *env, int type, ...)
 
 int kvm_has_sync_mmu(void)
 {
-#ifdef KVM_CAP_SYNC_MMU
-    KVMState *s = kvm_state;
-
-    return kvm_check_extension(s, KVM_CAP_SYNC_MMU);
-#else
-    return 0;
-#endif
+    return kvm_check_extension(kvm_state, KVM_CAP_SYNC_MMU);
 }
 
 int kvm_has_vcpu_events(void)
diff --git a/kvm.h b/kvm.h
index a971752..ca57517 100644
--- a/kvm.h
+++ b/kvm.h
@@ -32,6 +32,14 @@ extern int kvm_allowed;
 
 struct kvm_run;
 
+typedef struct KVMCapabilityInfo {
+    const char *name;
+    int value;
+} KVMCapabilityInfo;
+
+#define KVM_CAP_INFO(CAP) { "KVM_CAP_" stringify(CAP), KVM_CAP_##CAP }
+#define KVM_CAP_LAST_INFO { NULL, 0 }
+
 /* external API */
 
 int kvm_init(void);
@@ -86,6 +94,8 @@ int kvm_vcpu_ioctl(CPUState *env, int type, ...);
 
 /* Arch specific hooks */
 
+extern const KVMCapabilityInfo kvm_arch_required_capabilities[];
+
 int kvm_arch_post_run(CPUState *env, struct kvm_run *run);
 
 int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run);
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 016b67d..1db8227 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -54,12 +54,17 @@
 #define BUS_MCEERR_AO 5
 #endif
 
+const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
+    KVM_CAP_INFO(SET_TSS_ADDR),
+    KVM_CAP_INFO(EXT_CPUID),
+    KVM_CAP_INFO(MP_STATE),
+    KVM_CAP_LAST_INFO
+};
+
 static bool has_msr_star;
 static bool has_msr_hsave_pa;
 static int lm_capable_kernel;
 
-#ifdef KVM_CAP_EXT_CPUID
-
 static struct kvm_cpuid2 *try_get_cpuid(KVMState *s, int max)
 {
     struct kvm_cpuid2 *cpuid;
@@ -93,10 +98,6 @@ uint32_t kvm_arch_get_supported_cpuid(CPUState *env, uint32_t function,
     uint32_t ret = 0;
     uint32_t cpuid_1_edx;
 
-    if (!kvm_check_extension(env->kvm_state, KVM_CAP_EXT_CPUID)) {
-        return -1U;
-    }
-
     max = 1;
     while ((cpuid = try_get_cpuid(env->kvm_state, max)) == NULL) {
         max *= 2;
@@ -140,30 +141,14 @@ uint32_t kvm_arch_get_supported_cpuid(CPUState *env, uint32_t function,
     return ret;
 }
 
-#else
-
-uint32_t kvm_arch_get_supported_cpuid(CPUState *env, uint32_t function,
-                                      uint32_t index, int reg)
-{
-    return -1U;
-}
-
-#endif
-
 #ifdef CONFIG_KVM_PARA
 struct kvm_para_features {
     int cap;
     int feature;
 } para_features[] = {
-#ifdef KVM_CAP_CLOCKSOURCE
     { KVM_CAP_CLOCKSOURCE, KVM_FEATURE_CLOCKSOURCE },
-#endif
-#ifdef KVM_CAP_NOP_IO_DELAY
     { KVM_CAP_NOP_IO_DELAY, KVM_FEATURE_NOP_IO_DELAY },
-#endif
-#ifdef KVM_CAP_PV_MMU
     { KVM_CAP_PV_MMU, KVM_FEATURE_MMU_OP },
-#endif
 #ifdef KVM_CAP_ASYNC_PF
     { KVM_CAP_ASYNC_PF, KVM_FEATURE_ASYNC_PF },
 #endif
@@ -542,15 +527,7 @@ int kvm_arch_init(KVMState *s)
 
     /* create vm86 tss.  KVM uses vm86 mode to emulate 16-bit code
      * directly.  In order to use vm86 mode, a TSS is needed.  Since this
-     * must be part of guest physical memory, we need to allocate it.  Older
-     * versions of KVM just assumed that it would be at the end of physical
-     * memory but that doesn't work with more than 4GB of memory.  We simply
-     * refuse to work with those older versions of KVM. */
-    ret = kvm_check_extension(s, KVM_CAP_SET_TSS_ADDR);
-    if (ret <= 0) {
-        fprintf(stderr, "kvm does not support KVM_CAP_SET_TSS_ADDR\n");
-        return ret;
-    }
+     * must be part of guest physical memory, we need to allocate it. */
 
     /* this address is 3 pages before the bios, and the bios should present
      * as unavaible memory.  FIXME, need to ensure the e820 map deals with
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 3c05630..710eca1 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -37,6 +37,10 @@
     do { } while (0)
 #endif
 
+const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
+    KVM_CAP_LAST_INFO
+};
+
 static int cap_interrupt_unset = false;
 static int cap_interrupt_level = false;
 
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index b177e10..38823f5 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -70,6 +70,10 @@
 #define SCLP_CMDW_READ_SCP_INFO         0x00020001
 #define SCLP_CMDW_READ_SCP_INFO_FORCED  0x00120001
 
+const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
+    KVM_CAP_LAST_INFO
+};
+
 int kvm_arch_init(KVMState *s)
 {
     return 0;
commit c5999bfcfdf66390c98115044cb6fd174fbcf36d
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:22 2011 +0100

    kvm: x86: Only read/write MSR_KVM_ASYNC_PF_EN if supported
    
    If the kernel does not support KVM_CAP_ASYNC_PF, it also does not know
    about the related MSR. So skip it during state synchronization in that
    case. Fixes annoying kernel warnings.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index b2c5ee0..8e8880a 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -63,6 +63,9 @@ const KVMCapabilityInfo kvm_arch_required_capabilities[] = {
 
 static bool has_msr_star;
 static bool has_msr_hsave_pa;
+#if defined(CONFIG_KVM_PARA) && defined(KVM_CAP_ASYNC_PF)
+static bool has_msr_async_pf_en;
+#endif
 static int lm_capable_kernel;
 
 static struct kvm_cpuid2 *try_get_cpuid(KVMState *s, int max)
@@ -164,6 +167,7 @@ static int get_para_features(CPUState *env)
             features |= (1 << para_features[i].feature);
         }
     }
+    has_msr_async_pf_en = features & (1 << KVM_FEATURE_ASYNC_PF);
     return features;
 }
 #endif
@@ -828,7 +832,10 @@ static int kvm_put_msrs(CPUState *env, int level)
                           env->system_time_msr);
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
 #if defined(CONFIG_KVM_PARA) && defined(KVM_CAP_ASYNC_PF)
-        kvm_msr_entry_set(&msrs[n++], MSR_KVM_ASYNC_PF_EN, env->async_pf_en_msr);
+        if (has_msr_async_pf_en) {
+            kvm_msr_entry_set(&msrs[n++], MSR_KVM_ASYNC_PF_EN,
+                              env->async_pf_en_msr);
+        }
 #endif
     }
 #ifdef KVM_CAP_MCE
@@ -1064,7 +1071,9 @@ static int kvm_get_msrs(CPUState *env)
     msrs[n++].index = MSR_KVM_SYSTEM_TIME;
     msrs[n++].index = MSR_KVM_WALL_CLOCK;
 #if defined(CONFIG_KVM_PARA) && defined(KVM_CAP_ASYNC_PF)
-    msrs[n++].index = MSR_KVM_ASYNC_PF_EN;
+    if (has_msr_async_pf_en) {
+        msrs[n++].index = MSR_KVM_ASYNC_PF_EN;
+    }
 #endif
 
 #ifdef KVM_CAP_MCE
commit d8f771d9124e9a295b564d47d7546d93e844b526
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:21 2011 +0100

    kvm: x86: Implicitly clear nmi_injected/pending on reset
    
    All CPUX86State variables before CPU_COMMON are automatically cleared on
    reset. Reorder nmi_injected and nmi_pending to avoid having to touch
    them explicitly.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index a457423..af701a4 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -699,6 +699,10 @@ typedef struct CPUX86State {
     uint32_t smbase;
     int old_exception;  /* exception in flight */
 
+    /* KVM states, automatically cleared on reset */
+    uint8_t nmi_injected;
+    uint8_t nmi_pending;
+
     CPU_COMMON
 
     /* processor features (e.g. for CPUID insn) */
@@ -726,8 +730,6 @@ typedef struct CPUX86State {
     int32_t exception_injected;
     int32_t interrupt_injected;
     uint8_t soft_interrupt;
-    uint8_t nmi_injected;
-    uint8_t nmi_pending;
     uint8_t has_error_code;
     uint32_t sipi_vector;
     uint32_t cpuid_kvm_features;
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 72f9fdf..b2c5ee0 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -435,8 +435,6 @@ void kvm_arch_reset_vcpu(CPUState *env)
 {
     env->exception_injected = -1;
     env->interrupt_injected = -1;
-    env->nmi_injected = 0;
-    env->nmi_pending = 0;
     env->xcr0 = 1;
     if (kvm_irqchip_in_kernel()) {
         env->mp_state = cpu_is_bsp(env) ? KVM_MP_STATE_RUNNABLE :
commit b66042c722e4e7b2811a08873b1ecf2c2c1e5f0a
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:20 2011 +0100

    kvm: Do not use qemu_fair_mutex
    
    The imbalance in the hold time of qemu_global_mutex only exists in TCG
    mode. In contrast to TCG VCPUs, KVM drops the global lock during guest
    execution. We already avoid touching the fairness lock from the
    IO-thread in KVM mode, so also stop using it from the VCPU threads.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/cpus.c b/cpus.c
index 0309189..4c9928e 100644
--- a/cpus.c
+++ b/cpus.c
@@ -735,9 +735,7 @@ static sigset_t block_io_signals(void)
 void qemu_mutex_lock_iothread(void)
 {
     if (kvm_enabled()) {
-        qemu_mutex_lock(&qemu_fair_mutex);
         qemu_mutex_lock(&qemu_global_mutex);
-        qemu_mutex_unlock(&qemu_fair_mutex);
     } else {
         qemu_mutex_lock(&qemu_fair_mutex);
         if (qemu_mutex_trylock(&qemu_global_mutex)) {
commit b0c883b5e079a4f719c43f875034e5e665ccc232
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:19 2011 +0100

    kvm: Flush coalesced mmio buffer on IO window exits
    
    We must flush pending mmio writes if we leave kvm_cpu_exec for an IO
    window. Otherwise we risk to loose those requests when migrating to a
    different host during that window.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 3a1f63b..9976762 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -918,6 +918,8 @@ int kvm_cpu_exec(CPUState *env)
         cpu_single_env = env;
         kvm_arch_post_run(env, run);
 
+        kvm_flush_coalesced_mmio_buffer();
+
         if (ret == -EINTR || ret == -EAGAIN) {
             cpu_exit(env);
             DPRINTF("io window exit\n");
@@ -930,8 +932,6 @@ int kvm_cpu_exec(CPUState *env)
             abort();
         }
 
-        kvm_flush_coalesced_mmio_buffer();
-
         ret = 0; /* exit loop */
         switch (run->exit_reason) {
         case KVM_EXIT_IO:
commit 110761987d10c6e6983cc445618acfd158d7ce02
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:18 2011 +0100

    kvm: x86: Rework identity map and TSS setup for larger BIOS sizes
    
    In order to support loading BIOSes > 256K, reorder the code, adjusting
    the base if the kernel supports moving the identity map.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 1db8227..72f9fdf 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -493,27 +493,9 @@ static int kvm_get_supported_msrs(KVMState *s)
     return ret;
 }
 
-static int kvm_init_identity_map_page(KVMState *s)
-{
-#ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
-    int ret;
-    uint64_t addr = 0xfffbc000;
-
-    if (!kvm_check_extension(s, KVM_CAP_SET_IDENTITY_MAP_ADDR)) {
-        return 0;
-    }
-
-    ret = kvm_vm_ioctl(s, KVM_SET_IDENTITY_MAP_ADDR, &addr);
-    if (ret < 0) {
-        fprintf(stderr, "kvm_set_identity_map_addr: %s\n", strerror(ret));
-        return ret;
-    }
-#endif
-    return 0;
-}
-
 int kvm_arch_init(KVMState *s)
 {
+    uint64_t identity_base = 0xfffbc000;
     int ret;
     struct utsname utsname;
 
@@ -525,27 +507,42 @@ int kvm_arch_init(KVMState *s)
     uname(&utsname);
     lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
 
-    /* create vm86 tss.  KVM uses vm86 mode to emulate 16-bit code
-     * directly.  In order to use vm86 mode, a TSS is needed.  Since this
-     * must be part of guest physical memory, we need to allocate it. */
-
-    /* this address is 3 pages before the bios, and the bios should present
-     * as unavaible memory.  FIXME, need to ensure the e820 map deals with
-     * this?
-     */
     /*
-     * Tell fw_cfg to notify the BIOS to reserve the range.
+     * On older Intel CPUs, KVM uses vm86 mode to emulate 16-bit code directly.
+     * In order to use vm86 mode, an EPT identity map and a TSS  are needed.
+     * Since these must be part of guest physical memory, we need to allocate
+     * them, both by setting their start addresses in the kernel and by
+     * creating a corresponding e820 entry. We need 4 pages before the BIOS.
+     *
+     * Older KVM versions may not support setting the identity map base. In
+     * that case we need to stick with the default, i.e. a 256K maximum BIOS
+     * size.
      */
-    if (e820_add_entry(0xfffbc000, 0x4000, E820_RESERVED) < 0) {
-        perror("e820_add_entry() table is full");
-        exit(1);
+#ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
+    if (kvm_check_extension(s, KVM_CAP_SET_IDENTITY_MAP_ADDR)) {
+        /* Allows up to 16M BIOSes. */
+        identity_base = 0xfeffc000;
+
+        ret = kvm_vm_ioctl(s, KVM_SET_IDENTITY_MAP_ADDR, &identity_base);
+        if (ret < 0) {
+            return ret;
+        }
     }
-    ret = kvm_vm_ioctl(s, KVM_SET_TSS_ADDR, 0xfffbd000);
+#endif
+    /* Set TSS base one page after EPT identity map. */
+    ret = kvm_vm_ioctl(s, KVM_SET_TSS_ADDR, identity_base + 0x1000);
+    if (ret < 0) {
+        return ret;
+    }
+
+    /* Tell fw_cfg to notify the BIOS to reserve the range. */
+    ret = e820_add_entry(identity_base, 0x4000, E820_RESERVED);
     if (ret < 0) {
+        fprintf(stderr, "e820_add_entry() table is full\n");
         return ret;
     }
 
-    return kvm_init_identity_map_page(s);
+    return 0;
 }
 
 static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
commit cad1e2827b616487e3574300f2eaeea13a355197
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:16 2011 +0100

    kvm: Drop smp_cpus argument from init functions
    
    No longer used.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 41decde..8053f92 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -636,7 +636,7 @@ static CPUPhysMemoryClient kvm_cpu_phys_memory_client = {
     .migration_log = kvm_client_migration_log,
 };
 
-int kvm_init(int smp_cpus)
+int kvm_init(void)
 {
     static const char upgrade_note[] =
         "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
@@ -749,7 +749,7 @@ int kvm_init(int smp_cpus)
     s->xcrs = kvm_check_extension(s, KVM_CAP_XCRS);
 #endif
 
-    ret = kvm_arch_init(s, smp_cpus);
+    ret = kvm_arch_init(s);
     if (ret < 0) {
         goto err;
     }
diff --git a/kvm-stub.c b/kvm-stub.c
index 33d4476..88682f2 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -58,7 +58,7 @@ int kvm_check_extension(KVMState *s, unsigned int extension)
     return 0;
 }
 
-int kvm_init(int smp_cpus)
+int kvm_init(void)
 {
     return -ENOSYS;
 }
diff --git a/kvm.h b/kvm.h
index ce08d42..a971752 100644
--- a/kvm.h
+++ b/kvm.h
@@ -34,7 +34,7 @@ struct kvm_run;
 
 /* external API */
 
-int kvm_init(int smp_cpus);
+int kvm_init(void);
 
 int kvm_has_sync_mmu(void);
 int kvm_has_vcpu_events(void);
@@ -105,7 +105,7 @@ int kvm_arch_get_registers(CPUState *env);
 
 int kvm_arch_put_registers(CPUState *env, int level);
 
-int kvm_arch_init(KVMState *s, int smp_cpus);
+int kvm_arch_init(KVMState *s);
 
 int kvm_arch_init_vcpu(CPUState *env);
 
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index feaf33d..016b67d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -527,7 +527,7 @@ static int kvm_init_identity_map_page(KVMState *s)
     return 0;
 }
 
-int kvm_arch_init(KVMState *s, int smp_cpus)
+int kvm_arch_init(KVMState *s)
 {
     int ret;
     struct utsname utsname;
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 849b404..3c05630 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -56,7 +56,7 @@ static void kvm_kick_env(void *env)
     qemu_cpu_kick(env);
 }
 
-int kvm_arch_init(KVMState *s, int smp_cpus)
+int kvm_arch_init(KVMState *s)
 {
 #ifdef KVM_CAP_PPC_UNSET_IRQ
     cap_interrupt_unset = kvm_check_extension(s, KVM_CAP_PPC_UNSET_IRQ);
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index adf4a9e..b177e10 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -70,7 +70,7 @@
 #define SCLP_CMDW_READ_SCP_INFO         0x00020001
 #define SCLP_CMDW_READ_SCP_INFO_FORCED  0x00120001
 
-int kvm_arch_init(KVMState *s, int smp_cpus)
+int kvm_arch_init(KVMState *s)
 {
     return 0;
 }
diff --git a/vl.c b/vl.c
index 0292184..33f844f 100644
--- a/vl.c
+++ b/vl.c
@@ -2836,7 +2836,7 @@ int main(int argc, char **argv, char **envp)
     }
 
     if (kvm_allowed) {
-        int ret = kvm_init(smp_cpus);
+        int ret = kvm_init();
         if (ret < 0) {
             if (!kvm_available()) {
                 printf("KVM not supported for this target\n");
commit c3a3a7d356c4df2fe145037172ae52cba5f545a5
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:13 2011 +0100

    kvm: x86: Refactor msr_star/hsave_pa setup and checks
    
    Simplify kvm_has_msr_star/hsave_pa to booleans and push their one-time
    initialization into kvm_arch_init. Also handle potential errors of that
    setup procedure.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index c4a22dd..454ddb1 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -54,6 +54,8 @@
 #define BUS_MCEERR_AO 5
 #endif
 
+static bool has_msr_star;
+static bool has_msr_hsave_pa;
 static int lm_capable_kernel;
 
 #ifdef KVM_CAP_EXT_CPUID
@@ -459,13 +461,10 @@ void kvm_arch_reset_vcpu(CPUState *env)
     }
 }
 
-int has_msr_star;
-int has_msr_hsave_pa;
-
-static void kvm_supported_msrs(CPUState *env)
+static int kvm_get_supported_msrs(KVMState *s)
 {
     static int kvm_supported_msrs;
-    int ret;
+    int ret = 0;
 
     /* first time */
     if (kvm_supported_msrs == 0) {
@@ -476,9 +475,9 @@ static void kvm_supported_msrs(CPUState *env)
         /* Obtain MSR list from KVM.  These are the MSRs that we must
          * save/restore */
         msr_list.nmsrs = 0;
-        ret = kvm_ioctl(env->kvm_state, KVM_GET_MSR_INDEX_LIST, &msr_list);
+        ret = kvm_ioctl(s, KVM_GET_MSR_INDEX_LIST, &msr_list);
         if (ret < 0 && ret != -E2BIG) {
-            return;
+            return ret;
         }
         /* Old kernel modules had a bug and could write beyond the provided
            memory. Allocate at least a safe amount of 1K. */
@@ -487,17 +486,17 @@ static void kvm_supported_msrs(CPUState *env)
                                               sizeof(msr_list.indices[0])));
 
         kvm_msr_list->nmsrs = msr_list.nmsrs;
-        ret = kvm_ioctl(env->kvm_state, KVM_GET_MSR_INDEX_LIST, kvm_msr_list);
+        ret = kvm_ioctl(s, KVM_GET_MSR_INDEX_LIST, kvm_msr_list);
         if (ret >= 0) {
             int i;
 
             for (i = 0; i < kvm_msr_list->nmsrs; i++) {
                 if (kvm_msr_list->indices[i] == MSR_STAR) {
-                    has_msr_star = 1;
+                    has_msr_star = true;
                     continue;
                 }
                 if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA) {
-                    has_msr_hsave_pa = 1;
+                    has_msr_hsave_pa = true;
                     continue;
                 }
             }
@@ -506,19 +505,7 @@ static void kvm_supported_msrs(CPUState *env)
         free(kvm_msr_list);
     }
 
-    return;
-}
-
-static int kvm_has_msr_hsave_pa(CPUState *env)
-{
-    kvm_supported_msrs(env);
-    return has_msr_hsave_pa;
-}
-
-static int kvm_has_msr_star(CPUState *env)
-{
-    kvm_supported_msrs(env);
-    return has_msr_star;
+    return ret;
 }
 
 static int kvm_init_identity_map_page(KVMState *s)
@@ -543,9 +530,13 @@ static int kvm_init_identity_map_page(KVMState *s)
 int kvm_arch_init(KVMState *s, int smp_cpus)
 {
     int ret;
-
     struct utsname utsname;
 
+    ret = kvm_get_supported_msrs(s);
+    if (ret < 0) {
+        return ret;
+    }
+
     uname(&utsname);
     lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
 
@@ -830,10 +821,10 @@ static int kvm_put_msrs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS, env->sysenter_cs);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
-    if (kvm_has_msr_star(env)) {
+    if (has_msr_star) {
         kvm_msr_entry_set(&msrs[n++], MSR_STAR, env->star);
     }
-    if (kvm_has_msr_hsave_pa(env)) {
+    if (has_msr_hsave_pa) {
         kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
     }
 #ifdef TARGET_X86_64
@@ -1076,10 +1067,10 @@ static int kvm_get_msrs(CPUState *env)
     msrs[n++].index = MSR_IA32_SYSENTER_CS;
     msrs[n++].index = MSR_IA32_SYSENTER_ESP;
     msrs[n++].index = MSR_IA32_SYSENTER_EIP;
-    if (kvm_has_msr_star(env)) {
+    if (has_msr_star) {
         msrs[n++].index = MSR_STAR;
     }
-    if (kvm_has_msr_hsave_pa(env)) {
+    if (has_msr_hsave_pa) {
         msrs[n++].index = MSR_VM_HSAVE_PA;
     }
     msrs[n++].index = MSR_IA32_TSC;
commit 1a5e9d2fafa5d31587e218cea462637bfad52b53
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:12 2011 +0100

    kvm: x86: Fix xcr0 reset mismerge
    
    For unknown reasons, xcr0 reset ended up in kvm_arch_update_guest_debug
    on upstream merge. Fix this and also remove the misleading comment (1 is
    THE reset value).
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 07c75c0..c4a22dd 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -450,6 +450,7 @@ void kvm_arch_reset_vcpu(CPUState *env)
     env->interrupt_injected = -1;
     env->nmi_injected = 0;
     env->nmi_pending = 0;
+    env->xcr0 = 1;
     if (kvm_irqchip_in_kernel()) {
         env->mp_state = cpu_is_bsp(env) ? KVM_MP_STATE_RUNNABLE :
                                           KVM_MP_STATE_UNINITIALIZED;
@@ -1759,8 +1760,6 @@ void kvm_arch_update_guest_debug(CPUState *env, struct kvm_guest_debug *dbg)
                 ((uint32_t)len_code[hw_breakpoint[n].len] << (18 + n*4));
         }
     }
-    /* Legal xcr0 for loading */
-    env->xcr0 = 1;
 }
 #endif /* KVM_CAP_SET_GUEST_DEBUG */
 
commit 3390e7f79784cbc75df408740cda4edbcf57ac58
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:11 2011 +0100

    kvm: x86: Remove redundant mp_state initialization
    
    kvm_arch_reset_vcpu initializes mp_state, and that function is invoked
    right after kvm_arch_init_vcpu.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 531b69e..07c75c0 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -321,8 +321,6 @@ int kvm_arch_init_vcpu(CPUState *env)
     uint32_t signature[3];
 #endif
 
-    env->mp_state = KVM_MP_STATE_RUNNABLE;
-
     env->cpuid_features &= kvm_arch_get_supported_cpuid(env, 1, 0, R_EDX);
 
     i = env->cpuid_ext_features & CPUID_EXT_HYPERVISOR;
commit 521f0798d7e38c21983211a6585ebcf79de4c14a
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:15 2011 +0100

    kvm: x86: Fix !CONFIG_KVM_PARA build
    
    If we lack kvm_para.h, MSR_KVM_ASYNC_PF_EN is not defined. The change in
    kvm_arch_init_vcpu is just for consistency reasons.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 825af42..feaf33d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -319,7 +319,7 @@ int kvm_arch_init_vcpu(CPUState *env)
     uint32_t limit, i, j, cpuid_i;
     uint32_t unused;
     struct kvm_cpuid_entry2 *c;
-#ifdef KVM_CPUID_SIGNATURE
+#ifdef CONFIG_KVM_PARA
     uint32_t signature[3];
 #endif
 
@@ -855,7 +855,7 @@ static int kvm_put_msrs(CPUState *env, int level)
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME,
                           env->system_time_msr);
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
-#ifdef KVM_CAP_ASYNC_PF
+#if defined(CONFIG_KVM_PARA) && defined(KVM_CAP_ASYNC_PF)
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_ASYNC_PF_EN, env->async_pf_en_msr);
 #endif
     }
@@ -1091,7 +1091,7 @@ static int kvm_get_msrs(CPUState *env)
 #endif
     msrs[n++].index = MSR_KVM_SYSTEM_TIME;
     msrs[n++].index = MSR_KVM_WALL_CLOCK;
-#ifdef KVM_CAP_ASYNC_PF
+#if defined(CONFIG_KVM_PARA) && defined(KVM_CAP_ASYNC_PF)
     msrs[n++].index = MSR_KVM_ASYNC_PF_EN;
 #endif
 
@@ -1167,7 +1167,7 @@ static int kvm_get_msrs(CPUState *env)
             }
 #endif
             break;
-#ifdef KVM_CAP_ASYNC_PF
+#if defined(CONFIG_KVM_PARA) && defined(KVM_CAP_ASYNC_PF)
         case MSR_KVM_ASYNC_PF_EN:
             env->async_pf_en_msr = msrs[i].data;
             break;
commit c14750e8ad4a9d8d7621e2594abda34df19a6eff
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:10 2011 +0100

    kvm: x86: Prepare kvm_get_mp_state for in-kernel irqchip
    
    This code path will not yet be taken as we still lack in-kernel irqchip
    support. But qemu-kvm can already make use of it and drop its own
    mp_state access services.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 9bb34ab..531b69e 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1198,6 +1198,9 @@ static int kvm_get_mp_state(CPUState *env)
         return ret;
     }
     env->mp_state = mp_state.mp_state;
+    if (kvm_irqchip_in_kernel()) {
+        env->halted = (mp_state.mp_state == KVM_MP_STATE_HALTED);
+    }
     return 0;
 }
 
commit ff5c186b8b6169bf25a6f30670a75fb9d4c945e3
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:14 2011 +0100

    kvm: x86: Reset paravirtual MSRs
    
    Make sure to write the cleared MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK,
    and MSR_KVM_ASYNC_PF_EN to the kernel state so that a freshly booted
    guest cannot be disturbed by old values.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    CC: Glauber Costa <glommer at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 454ddb1..825af42 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -845,6 +845,13 @@ static int kvm_put_msrs(CPUState *env, int level)
         if (smp_cpus == 1 || env->tsc != 0) {
             kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSC, env->tsc);
         }
+    }
+    /*
+     * The following paravirtual MSRs have side effects on the guest or are
+     * too heavy for normal writeback. Limit them to reset or full state
+     * updates.
+     */
+    if (level >= KVM_PUT_RESET_STATE) {
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME,
                           env->system_time_msr);
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
commit 0d75a9ecd7ff77db0f1b5bfb3a3fee2438acefa4
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:09 2011 +0100

    kvm: x86: Align kvm_arch_put_registers code with comment
    
    The ordering doesn't matter in this case, but better keep it consistent.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 0ba13fc..9bb34ab 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1388,12 +1388,12 @@ int kvm_arch_put_registers(CPUState *env, int level)
     if (ret < 0) {
         return ret;
     }
-    /* must be last */
-    ret = kvm_guest_debug_workarounds(env);
+    ret = kvm_put_debugregs(env);
     if (ret < 0) {
         return ret;
     }
-    ret = kvm_put_debugregs(env);
+    /* must be last */
+    ret = kvm_guest_debug_workarounds(env);
     if (ret < 0) {
         return ret;
     }
commit f5c848eed769b795ac9c06bfb315e4aa9116337c
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:08 2011 +0100

    x86: Optionally dump code bytes on cpu_dump_state
    
    Introduce the cpu_dump_state flag CPU_DUMP_CODE and implement it for
    x86. This writes out the code bytes around the current instruction
    pointer. Make use of this feature in KVM to help debugging fatal vm
    exits.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/cpu-all.h b/cpu-all.h
index 4ce4e83..ffbd6a4 100644
--- a/cpu-all.h
+++ b/cpu-all.h
@@ -765,6 +765,8 @@ int page_check_range(target_ulong start, target_ulong len, int flags);
 CPUState *cpu_copy(CPUState *env);
 CPUState *qemu_get_cpu(int cpu);
 
+#define CPU_DUMP_CODE 0x00010000
+
 void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags);
 void cpu_dump_statistics(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
diff --git a/kvm-all.c b/kvm-all.c
index 10e1194..41decde 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -832,7 +832,7 @@ static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
     if (run->internal.suberror == KVM_INTERNAL_ERROR_EMULATION) {
         fprintf(stderr, "emulation failure\n");
         if (!kvm_arch_stop_on_emulation_error(env)) {
-            cpu_dump_state(env, stderr, fprintf, 0);
+            cpu_dump_state(env, stderr, fprintf, CPU_DUMP_CODE);
             return 0;
         }
     }
@@ -994,7 +994,7 @@ int kvm_cpu_exec(CPUState *env)
     } while (ret > 0);
 
     if (ret < 0) {
-        cpu_dump_state(env, stderr, fprintf, 0);
+        cpu_dump_state(env, stderr, fprintf, CPU_DUMP_CODE);
         vm_stop(0);
         env->exit_request = 1;
     }
diff --git a/target-i386/helper.c b/target-i386/helper.c
index 6dfa27d..1217452 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -249,6 +249,9 @@ done:
     cpu_fprintf(f, "\n");
 }
 
+#define DUMP_CODE_BYTES_TOTAL    50
+#define DUMP_CODE_BYTES_BACKWARD 20
+
 void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags)
 {
@@ -434,6 +437,24 @@ void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                 cpu_fprintf(f, " ");
         }
     }
+    if (flags & CPU_DUMP_CODE) {
+        target_ulong base = env->segs[R_CS].base + env->eip;
+        target_ulong offs = MIN(env->eip, DUMP_CODE_BYTES_BACKWARD);
+        uint8_t code;
+        char codestr[3];
+
+        cpu_fprintf(f, "Code=");
+        for (i = 0; i < DUMP_CODE_BYTES_TOTAL; i++) {
+            if (cpu_memory_rw_debug(env, base - offs + i, &code, 1, 0) == 0) {
+                snprintf(codestr, sizeof(codestr), "%02x", code);
+            } else {
+                snprintf(codestr, sizeof(codestr), "??");
+            }
+            cpu_fprintf(f, "%s%s%s%s", i > 0 ? " " : "",
+                        i == offs ? "<" : "", codestr, i == offs ? ">" : "");
+        }
+        cpu_fprintf(f, "\n");
+    }
 }
 
 /***********************************************************/
commit bb44e0d12df70bd4a653341db4446daf6a9326be
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:07 2011 +0100

    kvm: Improve reporting of fatal errors
    
    Report KVM_EXIT_UNKNOWN, KVM_EXIT_FAIL_ENTRY, and KVM_EXIT_EXCEPTION
    with more details to stderr. The latter two are so far x86-only, so move
    them into the arch-specific handler. Integrate the Intel real mode
    warning on KVM_EXIT_FAIL_ENTRY that qemu-kvm carries, but actually
    restrict it to Intel CPUs. Moreover, always dump the CPU state in case
    we fail.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index eaf9272..10e1194 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -817,22 +817,22 @@ static int kvm_handle_io(uint16_t port, void *data, int direction, int size,
 #ifdef KVM_CAP_INTERNAL_ERROR_DATA
 static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
 {
-
+    fprintf(stderr, "KVM internal error.");
     if (kvm_check_extension(kvm_state, KVM_CAP_INTERNAL_ERROR_DATA)) {
         int i;
 
-        fprintf(stderr, "KVM internal error. Suberror: %d\n",
-                run->internal.suberror);
-
+        fprintf(stderr, " Suberror: %d\n", run->internal.suberror);
         for (i = 0; i < run->internal.ndata; ++i) {
             fprintf(stderr, "extra data[%d]: %"PRIx64"\n",
                     i, (uint64_t)run->internal.data[i]);
         }
+    } else {
+        fprintf(stderr, "\n");
     }
-    cpu_dump_state(env, stderr, fprintf, 0);
     if (run->internal.suberror == KVM_INTERNAL_ERROR_EMULATION) {
         fprintf(stderr, "emulation failure\n");
         if (!kvm_arch_stop_on_emulation_error(env)) {
+            cpu_dump_state(env, stderr, fprintf, 0);
             return 0;
         }
     }
@@ -966,15 +966,8 @@ int kvm_cpu_exec(CPUState *env)
             ret = 1;
             break;
         case KVM_EXIT_UNKNOWN:
-            DPRINTF("kvm_exit_unknown\n");
-            ret = -1;
-            break;
-        case KVM_EXIT_FAIL_ENTRY:
-            DPRINTF("kvm_exit_fail_entry\n");
-            ret = -1;
-            break;
-        case KVM_EXIT_EXCEPTION:
-            DPRINTF("kvm_exit_exception\n");
+            fprintf(stderr, "KVM: unknown exit, hardware reason %" PRIx64 "\n",
+                    (uint64_t)run->hw.hardware_exit_reason);
             ret = -1;
             break;
 #ifdef KVM_CAP_INTERNAL_ERROR_DATA
@@ -1001,6 +994,7 @@ int kvm_cpu_exec(CPUState *env)
     } while (ret > 0);
 
     if (ret < 0) {
+        cpu_dump_state(env, stderr, fprintf, 0);
         vm_stop(0);
         env->exit_request = 1;
     }
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index dddcd74..a457423 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -874,6 +874,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
                    uint32_t *ecx, uint32_t *edx);
 int cpu_x86_register (CPUX86State *env, const char *cpu_model);
 void cpu_clear_apic_feature(CPUX86State *env);
+void host_cpuid(uint32_t function, uint32_t count,
+                uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx);
 
 /* helper.c */
 int cpu_x86_handle_mmu_fault(CPUX86State *env, target_ulong addr,
diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
index 165045e..5382a28 100644
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@ -103,9 +103,8 @@ typedef struct model_features_t {
 int check_cpuid = 0;
 int enforce_cpuid = 0;
 
-static void host_cpuid(uint32_t function, uint32_t count,
-                       uint32_t *eax, uint32_t *ebx,
-                       uint32_t *ecx, uint32_t *edx)
+void host_cpuid(uint32_t function, uint32_t count,
+                uint32_t *eax, uint32_t *ebx, uint32_t *ecx, uint32_t *edx)
 {
 #if defined(CONFIG_KVM)
     uint32_t vec[4];
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 6b4abaa..0ba13fc 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1525,8 +1525,19 @@ static int kvm_handle_halt(CPUState *env)
     return 1;
 }
 
+static bool host_supports_vmx(void)
+{
+    uint32_t ecx, unused;
+
+    host_cpuid(1, 0, &unused, &unused, &ecx, &unused);
+    return ecx & CPUID_EXT_VMX;
+}
+
+#define VMX_INVALID_GUEST_STATE 0x80000021
+
 int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run)
 {
+    uint64_t code;
     int ret = 0;
 
     switch (run->exit_reason) {
@@ -1537,6 +1548,28 @@ int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run)
     case KVM_EXIT_SET_TPR:
         ret = 1;
         break;
+    case KVM_EXIT_FAIL_ENTRY:
+        code = run->fail_entry.hardware_entry_failure_reason;
+        fprintf(stderr, "KVM: entry failed, hardware error 0x%" PRIx64 "\n",
+                code);
+        if (host_supports_vmx() && code == VMX_INVALID_GUEST_STATE) {
+            fprintf(stderr,
+                    "\nIf you're runnning a guest on an Intel machine without "
+                        "unrestricted mode\n"
+                    "support, the failure can be most likely due to the guest "
+                        "entering an invalid\n"
+                    "state for Intel VT. For example, the guest maybe running "
+                        "in big real mode\n"
+                    "which is not supported on less recent Intel processors."
+                        "\n\n");
+        }
+        ret = -1;
+        break;
+    case KVM_EXIT_EXCEPTION:
+        fprintf(stderr, "KVM: exception %d exit (error code 0x%x)\n",
+                run->ex.exception, run->ex.error_code);
+        ret = -1;
+        break;
     default:
         fprintf(stderr, "KVM: unknown exit reason %d\n", run->exit_reason);
         ret = -1;
commit 73aaec4a39b3cf11082303a6cf6bcde8796c09c6
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:06 2011 +0100

    kvm: Stop on all fatal exit reasons
    
    Ensure that we stop the guest whenever we face a fatal or unknown exit
    reason. If we stop, we also have to enforce a cpu loop exit.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 86ddbd6..eaf9272 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -815,7 +815,7 @@ static int kvm_handle_io(uint16_t port, void *data, int direction, int size,
 }
 
 #ifdef KVM_CAP_INTERNAL_ERROR_DATA
-static void kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
+static int kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
 {
 
     if (kvm_check_extension(kvm_state, KVM_CAP_INTERNAL_ERROR_DATA)) {
@@ -833,13 +833,13 @@ static void kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
     if (run->internal.suberror == KVM_INTERNAL_ERROR_EMULATION) {
         fprintf(stderr, "emulation failure\n");
         if (!kvm_arch_stop_on_emulation_error(env)) {
-            return;
+            return 0;
         }
     }
     /* FIXME: Should trigger a qmp message to let management know
      * something went wrong.
      */
-    vm_stop(0);
+    return -1;
 }
 #endif
 
@@ -967,16 +967,19 @@ int kvm_cpu_exec(CPUState *env)
             break;
         case KVM_EXIT_UNKNOWN:
             DPRINTF("kvm_exit_unknown\n");
+            ret = -1;
             break;
         case KVM_EXIT_FAIL_ENTRY:
             DPRINTF("kvm_exit_fail_entry\n");
+            ret = -1;
             break;
         case KVM_EXIT_EXCEPTION:
             DPRINTF("kvm_exit_exception\n");
+            ret = -1;
             break;
 #ifdef KVM_CAP_INTERNAL_ERROR_DATA
         case KVM_EXIT_INTERNAL_ERROR:
-            kvm_handle_internal_error(env, run);
+            ret = kvm_handle_internal_error(env, run);
             break;
 #endif
         case KVM_EXIT_DEBUG:
@@ -997,6 +1000,10 @@ int kvm_cpu_exec(CPUState *env)
         }
     } while (ret > 0);
 
+    if (ret < 0) {
+        vm_stop(0);
+        env->exit_request = 1;
+    }
     if (env->exit_request) {
         env->exit_request = 0;
         env->exception_index = EXCP_INTERRUPT;
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 0aeb079..6b4abaa 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1537,6 +1537,10 @@ int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run)
     case KVM_EXIT_SET_TPR:
         ret = 1;
         break;
+    default:
+        fprintf(stderr, "KVM: unknown exit reason %d\n", run->exit_reason);
+        ret = -1;
+        break;
     }
 
     return ret;
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 5caa07c..849b404 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -307,6 +307,10 @@ int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run)
         dprintf("handle halt\n");
         ret = kvmppc_handle_halt(env);
         break;
+    default:
+        fprintf(stderr, "KVM: unknown exit reason %d\n", run->exit_reason);
+        ret = -1;
+        break;
     }
 
     return ret;
commit 646042e1aba31f377892e48f6145fbc8487d4481
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 21:48:05 2011 +0100

    kvm: x86: Swallow KVM_EXIT_SET_TPR
    
    This exit only triggers activity in the common exit path, but we should
    accept it in order to be able to detect unknown exit types.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index fda07d2..0aeb079 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1534,6 +1534,9 @@ int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run)
         DPRINTF("handle_hlt\n");
         ret = kvm_handle_halt(env);
         break;
+    case KVM_EXIT_SET_TPR:
+        ret = 1;
+        break;
     }
 
     return ret;
commit 225d02cd1a34d5d87e8acefbf8e244a5d12f5f8c
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sun Jan 23 04:44:51 2011 +0100

    Avoid deadlock whith iothread and icount
    
    When using the iothread together with icount, make sure the
    qemu_icount counter makes forward progress when the vcpu is
    idle to avoid deadlocks.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/qemu-timer.c b/qemu-timer.c
index 95814af..db1ec49 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -110,7 +110,6 @@ static int64_t cpu_get_clock(void)
     }
 }
 
-#ifndef CONFIG_IOTHREAD
 static int64_t qemu_icount_delta(void)
 {
     if (!use_icount) {
@@ -124,7 +123,6 @@ static int64_t qemu_icount_delta(void)
         return cpu_get_icount() - cpu_get_clock();
     }
 }
-#endif
 
 /* enable cpu_get_ticks() */
 void cpu_enable_ticks(void)
@@ -1077,9 +1075,17 @@ void quit_timers(void)
 
 int qemu_calculate_timeout(void)
 {
-#ifndef CONFIG_IOTHREAD
     int timeout;
 
+#ifdef CONFIG_IOTHREAD
+    /* When using icount, making forward progress with qemu_icount when the
+       guest CPU is idle is critical. We only use the static io-thread timeout
+       for non icount runs.  */
+    if (!use_icount) {
+        return 1000;
+    }
+#endif
+
     if (!vm_running)
         timeout = 5000;
     else {
@@ -1110,8 +1116,5 @@ int qemu_calculate_timeout(void)
     }
 
     return timeout;
-#else /* CONFIG_IOTHREAD */
-    return 1000;
-#endif
 }
 
commit 5d0bb8239d84292380d0024acd0d510cc957dae0
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sun Jan 23 03:52:20 2011 +0100

    microblaze: cleanup helper_addkc
    
    Remove unused addition and rename to helper_carry.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/helper.h b/target-microblaze/helper.h
index 9c2a1e4..1696b88 100644
--- a/target-microblaze/helper.h
+++ b/target-microblaze/helper.h
@@ -2,7 +2,7 @@
 
 DEF_HELPER_1(raise_exception, void, i32)
 DEF_HELPER_0(debug, void)
-DEF_HELPER_FLAGS_3(addkc, TCG_CALL_PURE | TCG_CALL_CONST, i32, i32, i32, i32)
+DEF_HELPER_FLAGS_3(carry, TCG_CALL_PURE | TCG_CALL_CONST, i32, i32, i32, i32)
 DEF_HELPER_2(cmp, i32, i32, i32)
 DEF_HELPER_2(cmpu, i32, i32, i32)
 
diff --git a/target-microblaze/op_helper.c b/target-microblaze/op_helper.c
index 59e4674..d75a53c 100644
--- a/target-microblaze/op_helper.c
+++ b/target-microblaze/op_helper.c
@@ -128,12 +128,9 @@ uint32_t helper_cmpu(uint32_t a, uint32_t b)
     return t;
 }
 
-uint32_t helper_addkc(uint32_t a, uint32_t b, uint32_t cf)
+uint32_t helper_carry(uint32_t a, uint32_t b, uint32_t cf)
 {
-    uint32_t d, ncf;
-
-    d = a + b + cf;
-
+    uint32_t ncf;
     ncf = compute_carry(a, b, cf);
     return ncf;
 }
diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 0c5edc3..2207431 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -232,13 +232,13 @@ static void dec_add(DisasContext *dc)
 
     if (dc->rd) {
         TCGv ncf = tcg_temp_new();
-        gen_helper_addkc(ncf, cpu_R[dc->ra], *(dec_alu_op_b(dc)), cf);
+        gen_helper_carry(ncf, cpu_R[dc->ra], *(dec_alu_op_b(dc)), cf);
         tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->ra], *(dec_alu_op_b(dc)));
         tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->rd], cf);
         write_carry(dc, ncf);
         tcg_temp_free(ncf);
     } else {
-        gen_helper_addkc(cf, cpu_R[dc->ra], *(dec_alu_op_b(dc)), cf);
+        gen_helper_carry(cf, cpu_R[dc->ra], *(dec_alu_op_b(dc)), cf);
         write_carry(dc, cf);
     }
     tcg_temp_free(cf);
@@ -302,13 +302,13 @@ static void dec_sub(DisasContext *dc)
 
     if (dc->rd) {
         TCGv ncf = tcg_temp_new();
-        gen_helper_addkc(ncf, na, *(dec_alu_op_b(dc)), cf);
+        gen_helper_carry(ncf, na, *(dec_alu_op_b(dc)), cf);
         tcg_gen_add_tl(cpu_R[dc->rd], na, *(dec_alu_op_b(dc)));
         tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->rd], cf);
         write_carry(dc, ncf);
         tcg_temp_free(ncf);
     } else {
-        gen_helper_addkc(cf, na, *(dec_alu_op_b(dc)), cf);
+        gen_helper_carry(cf, na, *(dec_alu_op_b(dc)), cf);
         write_carry(dc, cf);
     }
     tcg_temp_free(cf);
commit e0a42ebc0831e3ae18e965cc202b5d6649cc38f2
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Jan 22 12:39:16 2011 +0100

    microblaze: Improve subkc
    
    Move code from the helper into the translator. The remaining
    helper parts can reuse helper_addkc, making it possible to
    remove helper_subkc entirely.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/helper.h b/target-microblaze/helper.h
index 4871406..9c2a1e4 100644
--- a/target-microblaze/helper.h
+++ b/target-microblaze/helper.h
@@ -3,7 +3,6 @@
 DEF_HELPER_1(raise_exception, void, i32)
 DEF_HELPER_0(debug, void)
 DEF_HELPER_FLAGS_3(addkc, TCG_CALL_PURE | TCG_CALL_CONST, i32, i32, i32, i32)
-DEF_HELPER_4(subkc, i32, i32, i32, i32, i32)
 DEF_HELPER_2(cmp, i32, i32, i32)
 DEF_HELPER_2(cmpu, i32, i32, i32)
 
diff --git a/target-microblaze/op_helper.c b/target-microblaze/op_helper.c
index eb5a8b7..59e4674 100644
--- a/target-microblaze/op_helper.c
+++ b/target-microblaze/op_helper.c
@@ -138,28 +138,6 @@ uint32_t helper_addkc(uint32_t a, uint32_t b, uint32_t cf)
     return ncf;
 }
 
-uint32_t helper_subkc(uint32_t a, uint32_t b, uint32_t k, uint32_t c)
-{
-    uint32_t d, cf = 1, ncf;
-
-    if (c)
-        cf = env->sregs[SR_MSR] >> 31; 
-    assert(cf == 0 || cf == 1);
-    d = b + ~a + cf;
-
-    if (!k) {
-        ncf = compute_carry(b, ~a, cf);
-        assert(ncf == 0 || ncf == 1);
-        if (ncf)
-            env->sregs[SR_MSR] |= MSR_C | MSR_CC;
-        else
-            env->sregs[SR_MSR] &= ~(MSR_C | MSR_CC);
-    }
-    D(qemu_log("%x = %x + %x cf=%d ncf=%d k=%d c=%d\n",
-               d, a, b, cf, ncf, k, c));
-    return d;
-}
-
 static inline int div_prepare(uint32_t a, uint32_t b)
 {
     if (b == 0) {
diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 264395b..0c5edc3 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -247,6 +247,7 @@ static void dec_add(DisasContext *dc)
 static void dec_sub(DisasContext *dc)
 {
     unsigned int u, cmp, k, c;
+    TCGv cf, na;
 
     u = dc->imm & 2;
     k = dc->opcode & 4;
@@ -261,24 +262,57 @@ static void dec_sub(DisasContext *dc)
             else
                 gen_helper_cmp(cpu_R[dc->rd], cpu_R[dc->ra], cpu_R[dc->rb]);
         }
-    } else {
-        LOG_DIS("sub%s%s r%d, r%d r%d\n",
-                 k ? "k" : "",  c ? "c" : "", dc->rd, dc->ra, dc->rb);
+        return;
+    }
 
-        if (!k || c) {
-            TCGv t;
-            t = tcg_temp_new();
-            if (dc->rd)
-                gen_helper_subkc(cpu_R[dc->rd], cpu_R[dc->ra], *(dec_alu_op_b(dc)),
-                                 tcg_const_tl(k), tcg_const_tl(c));
-            else
-                gen_helper_subkc(t, cpu_R[dc->ra], *(dec_alu_op_b(dc)),
-                                 tcg_const_tl(k), tcg_const_tl(c));
-            tcg_temp_free(t);
-        }
-        else if (dc->rd)
+    LOG_DIS("sub%s%s r%d, r%d r%d\n",
+             k ? "k" : "",  c ? "c" : "", dc->rd, dc->ra, dc->rb);
+
+    /* Take care of the easy cases first.  */
+    if (k) {
+        /* k - keep carry, no need to update MSR.  */
+        /* If rd == r0, it's a nop.  */
+        if (dc->rd) {
             tcg_gen_sub_tl(cpu_R[dc->rd], *(dec_alu_op_b(dc)), cpu_R[dc->ra]);
+
+            if (c) {
+                /* c - Add carry into the result.  */
+                cf = tcg_temp_new();
+
+                read_carry(dc, cf);
+                tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->rd], cf);
+                tcg_temp_free(cf);
+            }
+        }
+        return;
+    }
+
+    /* From now on, we can assume k is zero.  So we need to update MSR.  */
+    /* Extract carry. And complement a into na.  */
+    cf = tcg_temp_new();
+    na = tcg_temp_new();
+    if (c) {
+        read_carry(dc, cf);
+    } else {
+        tcg_gen_movi_tl(cf, 1);
+    }
+
+    /* d = b + ~a + c. carry defaults to 1.  */
+    tcg_gen_not_tl(na, cpu_R[dc->ra]);
+
+    if (dc->rd) {
+        TCGv ncf = tcg_temp_new();
+        gen_helper_addkc(ncf, na, *(dec_alu_op_b(dc)), cf);
+        tcg_gen_add_tl(cpu_R[dc->rd], na, *(dec_alu_op_b(dc)));
+        tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->rd], cf);
+        write_carry(dc, ncf);
+        tcg_temp_free(ncf);
+    } else {
+        gen_helper_addkc(cf, na, *(dec_alu_op_b(dc)), cf);
+        write_carry(dc, cf);
     }
+    tcg_temp_free(cf);
+    tcg_temp_free(na);
 }
 
 static void dec_pattern(DisasContext *dc)
commit 7e9e4330080f40a964cfed2b334b5e231e967792
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Jan 22 12:35:48 2011 +0100

    microblaze: Fix 3rd addkc arg when rd is r0
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index d983c8b..264395b 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -238,8 +238,7 @@ static void dec_add(DisasContext *dc)
         write_carry(dc, ncf);
         tcg_temp_free(ncf);
     } else {
-        gen_helper_addkc(cf, cpu_R[dc->ra], *(dec_alu_op_b(dc)),
-                         tcg_const_tl(cf));
+        gen_helper_addkc(cf, cpu_R[dc->ra], *(dec_alu_op_b(dc)), cf);
         write_carry(dc, cf);
     }
     tcg_temp_free(cf);
commit 40cbf5b7098981f66ef161e6ce7a9f6770537ea4
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Jan 22 12:02:53 2011 +0100

    microblaze: Improve addkc
    
    * Optimize handling when carry is not updated.
    * Optimize handling for adds with nop semantics.
    * Move code from helper_addkc to the translator making
      helper_addkc PURE and CONST.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/helper.h b/target-microblaze/helper.h
index 11ad1b6..4871406 100644
--- a/target-microblaze/helper.h
+++ b/target-microblaze/helper.h
@@ -2,7 +2,7 @@
 
 DEF_HELPER_1(raise_exception, void, i32)
 DEF_HELPER_0(debug, void)
-DEF_HELPER_4(addkc, i32, i32, i32, i32, i32)
+DEF_HELPER_FLAGS_3(addkc, TCG_CALL_PURE | TCG_CALL_CONST, i32, i32, i32, i32)
 DEF_HELPER_4(subkc, i32, i32, i32, i32, i32)
 DEF_HELPER_2(cmp, i32, i32, i32)
 DEF_HELPER_2(cmpu, i32, i32, i32)
diff --git a/target-microblaze/op_helper.c b/target-microblaze/op_helper.c
index 97461ae..eb5a8b7 100644
--- a/target-microblaze/op_helper.c
+++ b/target-microblaze/op_helper.c
@@ -128,26 +128,14 @@ uint32_t helper_cmpu(uint32_t a, uint32_t b)
     return t;
 }
 
-uint32_t helper_addkc(uint32_t a, uint32_t b, uint32_t k, uint32_t c)
+uint32_t helper_addkc(uint32_t a, uint32_t b, uint32_t cf)
 {
-    uint32_t d, cf = 0, ncf;
+    uint32_t d, ncf;
 
-    if (c)
-        cf = env->sregs[SR_MSR] >> 31;
-    assert(cf == 0 || cf == 1);
     d = a + b + cf;
 
-    if (!k) {
-        ncf = compute_carry(a, b, cf);
-        assert(ncf == 0 || ncf == 1);
-        if (ncf)
-            env->sregs[SR_MSR] |= MSR_C | MSR_CC;
-        else
-            env->sregs[SR_MSR] &= ~(MSR_C | MSR_CC);
-    }
-    D(qemu_log("%x = %x + %x cf=%d ncf=%d k=%d c=%d\n",
-               d, a, b, cf, ncf, k, c));
-    return d;
+    ncf = compute_carry(a, b, cf);
+    return ncf;
 }
 
 uint32_t helper_subkc(uint32_t a, uint32_t b, uint32_t k, uint32_t c)
diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index dd2865c..d983c8b 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -193,6 +193,7 @@ static inline TCGv *dec_alu_op_b(DisasContext *dc)
 static void dec_add(DisasContext *dc)
 {
     unsigned int k, c;
+    TCGv cf;
 
     k = dc->opcode & 4;
     c = dc->opcode & 2;
@@ -201,17 +202,47 @@ static void dec_add(DisasContext *dc)
             dc->type_b ? "i" : "", k ? "k" : "", c ? "c" : "",
             dc->rd, dc->ra, dc->rb);
 
-    if (k && !c && dc->rd)
+    /* Take care of the easy cases first.  */
+    if (k) {
+        /* k - keep carry, no need to update MSR.  */
+        /* If rd == r0, it's a nop.  */
+        if (dc->rd) {
+            tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->ra], *(dec_alu_op_b(dc)));
+
+            if (c) {
+                /* c - Add carry into the result.  */
+                cf = tcg_temp_new();
+
+                read_carry(dc, cf);
+                tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->rd], cf);
+                tcg_temp_free(cf);
+            }
+        }
+        return;
+    }
+
+    /* From now on, we can assume k is zero.  So we need to update MSR.  */
+    /* Extract carry.  */
+    cf = tcg_temp_new();
+    if (c) {
+        read_carry(dc, cf);
+    } else {
+        tcg_gen_movi_tl(cf, 0);
+    }
+
+    if (dc->rd) {
+        TCGv ncf = tcg_temp_new();
+        gen_helper_addkc(ncf, cpu_R[dc->ra], *(dec_alu_op_b(dc)), cf);
         tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->ra], *(dec_alu_op_b(dc)));
-    else if (dc->rd)
-        gen_helper_addkc(cpu_R[dc->rd], cpu_R[dc->ra], *(dec_alu_op_b(dc)),
-                         tcg_const_tl(k), tcg_const_tl(c));
-    else {
-        TCGv d = tcg_temp_new();
-        gen_helper_addkc(d, cpu_R[dc->ra], *(dec_alu_op_b(dc)),
-                         tcg_const_tl(k), tcg_const_tl(c));
-        tcg_temp_free(d);
+        tcg_gen_add_tl(cpu_R[dc->rd], cpu_R[dc->rd], cf);
+        write_carry(dc, ncf);
+        tcg_temp_free(ncf);
+    } else {
+        gen_helper_addkc(cf, cpu_R[dc->ra], *(dec_alu_op_b(dc)),
+                         tcg_const_tl(cf));
+        write_carry(dc, cf);
     }
+    tcg_temp_free(cf);
 }
 
 static void dec_sub(DisasContext *dc)
commit 2accfb5fa6f097845915973a06824bc72fb26e94
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Jan 22 12:00:12 2011 +0100

    microblaze: Remove debug leftovers.
    
    No functional changes.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index dcc867e..dd2865c 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -884,7 +884,6 @@ static void dec_load(DisasContext *dc)
                 tcg_gen_sub_tl(low, tcg_const_tl(3), low);
                 tcg_gen_andi_tl(t, t, ~3);
                 tcg_gen_or_tl(t, t, low);
-                tcg_gen_mov_tl(env_debug, low);
                 tcg_gen_mov_tl(env_imm, t);
                 tcg_temp_free(low);
                 break;
@@ -1010,7 +1009,6 @@ static void dec_store(DisasContext *dc)
                 tcg_gen_sub_tl(low, tcg_const_tl(3), low);
                 tcg_gen_andi_tl(t, t, ~3);
                 tcg_gen_or_tl(t, t, low);
-                tcg_gen_mov_tl(env_debug, low);
                 tcg_gen_mov_tl(env_imm, t);
                 tcg_temp_free(low);
                 break;
commit ee8b246f825efa0aa299fc33b8dcc8a8a862cc53
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Jan 22 11:57:19 2011 +0100

    microblaze: Reorganize for future patches
    
    No functional changes.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 4b6ae06..dcc867e 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -153,6 +153,23 @@ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
     }
 }
 
+static void read_carry(DisasContext *dc, TCGv d)
+{
+    tcg_gen_shri_tl(d, cpu_SR[SR_MSR], 31);
+}
+
+static void write_carry(DisasContext *dc, TCGv v)
+{
+    TCGv t0 = tcg_temp_new();
+    tcg_gen_shli_tl(t0, v, 31);
+    tcg_gen_sari_tl(t0, t0, 31);
+    tcg_gen_andi_tl(t0, t0, (MSR_C | MSR_CC));
+    tcg_gen_andi_tl(cpu_SR[SR_MSR], cpu_SR[SR_MSR],
+                    ~(MSR_C | MSR_CC));
+    tcg_gen_or_tl(cpu_SR[SR_MSR], cpu_SR[SR_MSR], t0);
+    tcg_temp_free(t0);
+}
+
 /* True if ALU operand b is a small immediate that may deserve
    faster treatment.  */
 static inline int dec_alu_op_b_is_small_imm(DisasContext *dc)
@@ -337,25 +354,6 @@ static void dec_xor(DisasContext *dc)
         tcg_gen_xor_tl(cpu_R[dc->rd], cpu_R[dc->ra], *(dec_alu_op_b(dc)));
 }
 
-static void read_carry(DisasContext *dc, TCGv d)
-{
-    tcg_gen_shri_tl(d, cpu_SR[SR_MSR], 31);
-}
-
-static void write_carry(DisasContext *dc, TCGv v)
-{
-    TCGv t0 = tcg_temp_new();
-    tcg_gen_shli_tl(t0, v, 31);
-    tcg_gen_sari_tl(t0, t0, 31);
-    tcg_gen_mov_tl(env_debug, t0);
-    tcg_gen_andi_tl(t0, t0, (MSR_C | MSR_CC));
-    tcg_gen_andi_tl(cpu_SR[SR_MSR], cpu_SR[SR_MSR],
-                    ~(MSR_C | MSR_CC));
-    tcg_gen_or_tl(cpu_SR[SR_MSR], cpu_SR[SR_MSR], t0);
-    tcg_temp_free(t0);
-}
-
-
 static inline void msr_read(DisasContext *dc, TCGv d)
 {
     tcg_gen_mov_tl(d, cpu_SR[SR_MSR]);
commit 6f32e3d09d990fd50008756fcb446b55e0c0af79
Merge: f447f8c... 0f46d15...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 20:34:47 2011 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (221 commits)
      sm501: fix screen redraw
      checkpatch: adjust to QEMUisms
      Add checkpatch.pl from Linux kernel
      Add scripts directory
      gt64xxx: set isa_mem_base during registration
      hw/pl190.c: Fix writing of default vector address
      target-ppc: fix wrong NaN tests
      target-ppc: fix sNaN propagation
      pci: use qemu_malloc() in pcibus_get_dev_path()
      msix: simplify write config
      msi: simplify write config a bit.
      pci: deassert intx on reset.
      pxa2xx_lcd: restore updating of display
      pxa2xx: fix vmstate_pxa2xx_i2c
      scoop: fix access to registers from second instance
      mainstone: fix name of the allocated memory for roms
      add bepo (french dvorak) keyboard layout
      stc91c111: Implement save/restore
      pl080: Implement save/restore
      pl110: Implement save/restore
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 0f46d152542a7186a01420b2bb22679a4dffa9f7
Merge: adb7637... b947c12...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 20:33:00 2011 -0200

    Merge commit 'b947c12c0bb217fe09968e652873e0d22b269d68' into upstream-merge
    
    * commit 'b947c12c0bb217fe09968e652873e0d22b269d68': (130 commits)
      sm501: fix screen redraw
      checkpatch: adjust to QEMUisms
      Add checkpatch.pl from Linux kernel
      Add scripts directory
      gt64xxx: set isa_mem_base during registration
      hw/pl190.c: Fix writing of default vector address
      target-ppc: fix wrong NaN tests
      target-ppc: fix sNaN propagation
      pci: use qemu_malloc() in pcibus_get_dev_path()
      msix: simplify write config
      msi: simplify write config a bit.
      pci: deassert intx on reset.
      pxa2xx_lcd: restore updating of display
      pxa2xx: fix vmstate_pxa2xx_i2c
      scoop: fix access to registers from second instance
      mainstone: fix name of the allocated memory for roms
      add bepo (french dvorak) keyboard layout
      stc91c111: Implement save/restore
      pl080: Implement save/restore
      pl110: Implement save/restore
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index f49a826,210670c..292cde7
--- a/configure
+++ b/configure
@@@ -3372,31 -3228,24 +3366,24 @@@ echo "QEMU_INCLUDES+=$includes" >> $con
  
  done # for target in $targets
  
- # build tree in object directory if source path is different from current one
- if test "$source_path_used" = "yes" ; then
-     DIRS="tests tests/cris slirp audio block net pc-bios/optionrom"
-     DIRS="$DIRS roms/seabios roms/vgabios"
-     DIRS="$DIRS fsdev ui"
-     FILES="Makefile tests/Makefile"
-     FILES="$FILES tests/cris/Makefile tests/cris/.gdbinit"
-     FILES="$FILES tests/test-mmap.c"
-     FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps"
-     FILES="$FILES roms/seabios/Makefile roms/vgabios/Makefile"
-     for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_path/pc-bios/openbios-*; do
-         FILES="$FILES pc-bios/`basename $bios_file`"
-     done
-     for dir in $DIRS ; do
-             mkdir -p $dir
-     done
-     # remove the link and recreate it, as not all "ln -sf" overwrite the link
-     for f in $FILES ; do
-         rm -f $f
-         ln -s $source_path/$f $f
-     done
- fi
+ # build tree in object directory in case the source is not in the current directory
+ DIRS="tests tests/cris slirp audio block net pc-bios/optionrom"
+ DIRS="$DIRS roms/seabios roms/vgabios"
+ DIRS="$DIRS fsdev ui"
+ FILES="Makefile tests/Makefile"
+ FILES="$FILES tests/cris/Makefile tests/cris/.gdbinit"
+ FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps"
+ FILES="$FILES roms/seabios/Makefile roms/vgabios/Makefile"
+ for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_path/pc-bios/openbios-*; do
+     FILES="$FILES pc-bios/`basename $bios_file`"
+ done
+ mkdir -p $DIRS
+ for f in $FILES ; do
+     test -e $f || symlink $source_path/$f $f
+ done
  
  # temporary config to build submodules
 -for rom in seabios vgabios ; do
 +for rom in seabios vgabios; do
      config_mak=roms/$rom/config.mak
      echo "# Automatically generated by configure - do not modify" > $config_mak
      echo "SRC_PATH=$source_path/roms/$rom" >> $config_mak
commit 5823947f9f1e55fb6599c9ed769ce25cdec38355
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Fri Jan 21 23:12:42 2011 +0100

    ppc: Correct BookE tlb reads
    
    Call the tlb read helper (and not the write helper) for tlb
    reads.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 74e06d7..89413c5 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -5874,7 +5874,7 @@ static void gen_tlbre_440(DisasContext *ctx)
     case 2:
         {
             TCGv_i32 t0 = tcg_const_i32(rB(ctx->opcode));
-            gen_helper_440_tlbwe(t0, cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
+            gen_helper_440_tlbre(cpu_gpr[rD(ctx->opcode)], t0, cpu_gpr[rA(ctx->opcode)]);
             tcg_temp_free_i32(t0);
         }
         break;
commit adb76372d9b324468da0bf9ca707da94c0adf209
Merge: 966eb0d... 668643b...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 18:12:11 2011 -0200

    Merge commit '668643b025dcff72b9b18adb5df794be9e9be5dc' into upstream-merge
    
    * commit '668643b025dcff72b9b18adb5df794be9e9be5dc':
      acpi_piix4: expose no_hotplug attribute via i/o port
      document QEMU<->ACPIBIOS PCI hotplug interface
      virtio-serial-bus: bump up control vq size to 32
      ioeventfd: error handling cleanup
      docs: Document virtio PCI -device ioeventfd=on|off
      virtio-pci: Use ioeventfd for virtqueue notify
    
    Conflicts:
    	hw/acpi_piix4.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/acpi_piix4.c
index d041e13,5bbc2b5..dde8646
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@@ -35,11 -35,10 +35,12 @@@
  #define ACPI_DBG_IO_ADDR  0xb044
  
  #define GPE_BASE 0xafe0
 +#define PROC_BASE 0xaf00
  #define PCI_BASE 0xae00
  #define PCI_EJ_BASE 0xae08
+ #define PCI_RMV_BASE 0xae0c
  
 +#define PIIX4_CPU_HOTPLUG_STATUS 4
  #define PIIX4_PCI_HOTPLUG_STATUS 2
  
  struct gpe_regs {
@@@ -596,8 -598,18 +618,20 @@@ static void pciej_write(void *opaque, u
      PIIX4_DPRINTF("pciej write %x <== %d\n", addr, val);
  }
  
+ static uint32_t pcirmv_read(void *opaque, uint32_t addr)
+ {
+     PIIX4PMState *s = opaque;
+ 
+     return s->pci0_hotplug_enable;
+ }
+ 
+ static void pcirmv_write(void *opaque, uint32_t addr, uint32_t val)
+ {
+     return;
+ }
+ 
 +extern const char *global_cpu_model;
 +
  static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
                                  PCIHotplugState state);
  
commit 966eb0dfc6c080e9b870615baa27925414ec7a51
Merge: 777c5d1... d2f2b8a...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 17:41:31 2011 -0200

    Merge commit 'd2f2b8a740c82319f9eea51ebed50815fbc3da3e' into upstream-merge
    
    * commit 'd2f2b8a740c82319f9eea51ebed50815fbc3da3e':
      kvm: test for ioeventfd support on old kernels
      virtio: move vmstate change tracking to core
      virtio-pci: Rename bugs field to flags
      qxl: tag as not hotpluggable
      vga: tag as not hotplugable.
      piix: tag as not hotpluggable.
      pci: allow devices being tagged as not hotpluggable.
      rtl8139: Use subsection to restrict migration after hotplug
      qdev: Track runtime machine modifications
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc qemu-kvm.c
index 471306b,0000000..76731fe
mode 100644,000000..100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@@ -1,1781 -1,0 +1,1783 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <assert.h>
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "sysemu.h"
 +#include "qemu-common.h"
 +#include "console.h"
 +#include "block.h"
 +#include "compatfd.h"
 +#include "gdbstub.h"
 +#include "monitor.h"
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <sys/syscall.h>
 +#include <sys/mman.h>
 +#include <sys/ioctl.h>
 +#include "compatfd.h"
 +#include <sys/prctl.h>
 +
 +#define false 0
 +#define true 1
 +
 +#ifndef PR_MCE_KILL
 +#define PR_MCE_KILL 33
 +#endif
 +
 +#ifndef BUS_MCEERR_AR
 +#define BUS_MCEERR_AR 4
 +#endif
 +#ifndef BUS_MCEERR_AO
 +#define BUS_MCEERR_AO 5
 +#endif
 +
 +#define EXPECTED_KVM_API_VERSION 12
 +
 +#if EXPECTED_KVM_API_VERSION != KVM_API_VERSION
 +#error libkvm: userspace and kernel version mismatch
 +#endif
 +
 +int kvm_irqchip = 1;
 +int kvm_pit = 1;
 +int kvm_pit_reinject = 1;
 +int kvm_nested = 0;
 +
 +
 +KVMState *kvm_state;
 +kvm_context_t kvm_context;
 +
 +pthread_mutex_t qemu_mutex = PTHREAD_MUTEX_INITIALIZER;
 +pthread_cond_t qemu_vcpu_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_system_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_pause_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_work_cond = PTHREAD_COND_INITIALIZER;
 +__thread CPUState *current_env;
 +
 +static int qemu_system_ready;
 +
 +#define SIG_IPI (SIGRTMIN+4)
 +
 +pthread_t io_thread;
 +static int io_thread_sigfd = -1;
 +
 +static CPUState *kvm_debug_cpu_requested;
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +/* The list of ioperm_data */
 +static QLIST_HEAD(, ioperm_data) ioperm_head;
 +#endif
 +
 +#define ALIGN(x, y) (((x)+(y)-1) & ~((y)-1))
 +
 +int kvm_abi = EXPECTED_KVM_API_VERSION;
 +int kvm_page_size;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +static int kvm_debug(CPUState *env,
 +                     struct kvm_debug_exit_arch *arch_info)
 +{
 +    int handle = kvm_arch_debug(arch_info);
 +
 +    if (handle) {
 +        kvm_debug_cpu_requested = env;
 +        env->stopped = 1;
 +    }
 +    return handle;
 +}
 +#endif
 +
 +static int handle_unhandled(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: unhandled exit %" PRIx64 "\n", reason);
 +    return -EINVAL;
 +}
 +
 +#define VMX_INVALID_GUEST_STATE 0x80000021
 +
 +static int handle_failed_vmentry(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: vm entry failed with error 0x%" PRIx64 "\n\n", reason);
 +
 +    /* Perhaps we will need to check if this machine is intel since exit reason 0x21
 +       has a different interpretation on SVM */
 +    if (reason == VMX_INVALID_GUEST_STATE) {
 +        fprintf(stderr, "If you're runnning a guest on an Intel machine without\n");
 +        fprintf(stderr, "unrestricted mode support, the failure can be most likely\n");
 +        fprintf(stderr, "due to the guest entering an invalid state for Intel VT.\n");
 +        fprintf(stderr, "For example, the guest maybe running in big real mode\n");
 +        fprintf(stderr, "which is not supported on less recent Intel processors.\n\n");
 +    }
 +
 +    return -EINVAL;
 +}
 +
 +static inline void set_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] |= 1U << (gsi % 32);
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static inline void clear_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] &= ~(1U << (gsi % 32));
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static int kvm_create_context(void);
 +
 +int kvm_init(int smp_cpus)
 +{
 +    int fd;
 +    int r, gsi_count;
 +
 +
 +    fd = open("/dev/kvm", O_RDWR);
 +    if (fd == -1) {
 +        perror("open /dev/kvm");
 +        return -1;
 +    }
 +    r = ioctl(fd, KVM_GET_API_VERSION, 0);
 +    if (r == -1) {
 +        fprintf(stderr,
 +                "kvm kernel version too old: "
 +                "KVM_GET_API_VERSION ioctl not supported\n");
 +        goto out_close;
 +    }
 +    if (r < EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm kernel version too old: "
 +                "We expect API version %d or newer, but got "
 +                "version %d\n", EXPECTED_KVM_API_VERSION, r);
 +        goto out_close;
 +    }
 +    if (r > EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm userspace version too old\n");
 +        goto out_close;
 +    }
 +    kvm_abi = r;
 +    kvm_page_size = getpagesize();
 +    kvm_state = qemu_mallocz(sizeof(*kvm_state));
 +    kvm_context = &kvm_state->kvm_context;
 +
 +    kvm_state->fd = fd;
 +    kvm_state->vmfd = -1;
 +    kvm_context->opaque = cpu_single_env;
 +    kvm_context->dirty_pages_log_all = 0;
 +    kvm_context->no_irqchip_creation = 0;
 +    kvm_context->no_pit_creation = 0;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_INIT(&kvm_state->kvm_sw_breakpoints);
 +#endif
 +
 +    gsi_count = kvm_get_gsi_count(kvm_context);
 +    if (gsi_count > 0) {
 +        int gsi_bits, i;
 +
 +        /* Round up so we can search ints using ffs */
 +        gsi_bits = ALIGN(gsi_count, 32);
 +        kvm_context->used_gsi_bitmap = qemu_mallocz(gsi_bits / 8);
 +        kvm_context->max_gsi = gsi_bits;
 +
 +        /* Mark any over-allocated bits as already in use */
 +        for (i = gsi_count; i < gsi_bits; i++) {
 +            set_gsi(kvm_context, i);
 +        }
 +    }
 +
 +    kvm_cpu_register_phys_memory_client();
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    return kvm_create_context();
 +
 +  out_close:
 +    close(fd);
 +    return -1;
 +}
 +
 +static void kvm_finalize(KVMState *s)
 +{
 +    /* FIXME
 +       if (kvm->vcpu_fd[0] != -1)
 +           close(kvm->vcpu_fd[0]);
 +       if (kvm->vm_fd != -1)
 +           close(kvm->vm_fd);
 +     */
 +    close(s->fd);
 +    free(s);
 +}
 +
 +void kvm_disable_irqchip_creation(kvm_context_t kvm)
 +{
 +    kvm->no_irqchip_creation = 1;
 +}
 +
 +void kvm_disable_pit_creation(kvm_context_t kvm)
 +{
 +    kvm->no_pit_creation = 1;
 +}
 +
 +static void kvm_reset_vcpu(void *opaque)
 +{
 +    CPUState *env = opaque;
 +
 +    kvm_arch_cpu_reset(env);
 +}
 +
 +static void kvm_create_vcpu(CPUState *env, int id)
 +{
 +    long mmap_size;
 +    int r;
 +    KVMState *s = kvm_state;
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_CREATE_VCPU, id);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_create_vcpu: %m\n");
 +        fprintf(stderr, "Failed to create vCPU. Check the -smp parameter.\n");
 +        goto err;
 +    }
 +
 +    env->kvm_fd = r;
 +    env->kvm_state = kvm_state;
 +
 +    mmap_size = kvm_ioctl(kvm_state, KVM_GET_VCPU_MMAP_SIZE, 0);
 +    if (mmap_size < 0) {
 +        fprintf(stderr, "get vcpu mmap size: %m\n");
 +        goto err_fd;
 +    }
 +    env->kvm_run =
 +        mmap(NULL, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, env->kvm_fd,
 +             0);
 +    if (env->kvm_run == MAP_FAILED) {
 +        fprintf(stderr, "mmap vcpu area: %m\n");
 +        goto err_fd;
 +    }
 +
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    if (s->coalesced_mmio && !s->coalesced_mmio_ring)
 +        s->coalesced_mmio_ring = (void *) env->kvm_run +
 +               s->coalesced_mmio * PAGE_SIZE;
 +#endif
 +
 +    r = kvm_arch_init_vcpu(env);
 +    if (r == 0) {
 +        qemu_register_reset(kvm_reset_vcpu, env);
 +    }
 +
 +    return;
 +  err_fd:
 +    close(env->kvm_fd);
 +  err:
 +    /* We're no good with semi-broken states. */
 +    abort();
 +}
 +
 +static int kvm_set_boot_vcpu_id(kvm_context_t kvm, uint32_t id)
 +{
 +#ifdef KVM_CAP_SET_BOOT_CPU_ID
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_BOOT_CPU_ID);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_SET_BOOT_CPU_ID, id);
 +    }
 +    return -ENOSYS;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_create_vm(kvm_context_t kvm)
 +{
 +    int fd;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm->irq_routes = qemu_mallocz(sizeof(*kvm->irq_routes));
 +    kvm->nr_allocated_irq_routes = 0;
 +#endif
 +
 +    fd = kvm_ioctl(kvm_state, KVM_CREATE_VM, 0);
 +    if (fd < 0) {
 +        fprintf(stderr, "kvm_create_vm: %m\n");
 +        return -1;
 +    }
 +    kvm_state->vmfd = fd;
 +    return 0;
 +}
 +
 +static int kvm_create_default_phys_mem(kvm_context_t kvm,
 +                                       unsigned long phys_mem_bytes,
 +                                       void **vm_mem)
 +{
 +#ifdef KVM_CAP_USER_MEMORY
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_USER_MEMORY);
 +    if (r > 0)
 +        return 0;
 +    fprintf(stderr,
 +            "Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported\n");
 +#else
 +#error Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported
 +#endif
 +    return -1;
 +}
 +
 +void kvm_create_irqchip(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    kvm->irqchip_in_kernel = 0;
 +#ifdef KVM_CAP_IRQCHIP
 +    if (!kvm->no_irqchip_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_IRQCHIP);
 +        if (r > 0) {            /* kernel irqchip supported */
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_IRQCHIP);
 +            if (r >= 0) {
 +                kvm->irqchip_inject_ioctl = KVM_IRQ_LINE;
 +#if defined(KVM_CAP_IRQ_INJECT_STATUS) && defined(KVM_IRQ_LINE_STATUS)
 +                r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                              KVM_CAP_IRQ_INJECT_STATUS);
 +                if (r > 0) {
 +                    kvm->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
 +                }
 +#endif
 +                kvm->irqchip_in_kernel = 1;
 +            } else
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +        }
 +    }
 +#endif
 +    kvm_state->irqchip_in_kernel = kvm->irqchip_in_kernel;
 +}
 +
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes, void **vm_mem)
 +{
 +    int r, i;
 +
 +    r = kvm_create_vm(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +    r = kvm_arch_create(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++) {
 +        kvm_state->slots[i].slot = i;
 +    }
 +
 +    r = kvm_create_default_phys_mem(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_create_irqchip(kvm);
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status)
 +{
 +    struct kvm_irq_level event;
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    event.level = level;
 +    event.irq = irq;
 +    r = kvm_vm_ioctl(kvm_state, kvm->irqchip_inject_ioctl, &event);
 +    if (r < 0) {
 +        perror("kvm_set_irq_level");
 +    }
 +
 +    if (status) {
 +#ifdef KVM_CAP_IRQ_INJECT_STATUS
 +        *status =
 +            (kvm->irqchip_inject_ioctl == KVM_IRQ_LINE) ? 1 : event.status;
 +#else
 +        *status = 1;
 +#endif
 +    }
 +
 +    return 1;
 +}
 +
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_GET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_get_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_set_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +static int handle_debug(CPUState *env)
 +{
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    struct kvm_run *run = env->kvm_run;
 +
 +    return kvm_debug(env, &run->debug.arch);
 +#else
 +    return 0;
 +#endif
 +}
 +
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_REGS, regs);
 +}
 +
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 +}
 +
 +#ifdef KVM_CAP_MP_STATE
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +#endif
 +
 +static int handle_mmio(CPUState *env)
 +{
 +    unsigned long addr = env->kvm_run->mmio.phys_addr;
 +    struct kvm_run *kvm_run = env->kvm_run;
 +    void *data = kvm_run->mmio.data;
 +
 +    /* hack: Red Hat 7.1 generates these weird accesses. */
 +    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3) {
 +        return 0;
 +    }
 +
 +    cpu_physical_memory_rw(addr, data, kvm_run->mmio.len, kvm_run->mmio.is_write);
 +    return 0;
 +}
 +
 +int handle_io_window(kvm_context_t kvm)
 +{
 +    return 1;
 +}
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env)
 +{
 +    /* stop the current vcpu from going back to guest mode */
 +    env->stopped = 1;
 +
 +    qemu_system_reset_request();
 +    return 1;
 +}
 +
 +static inline void push_nmi(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    kvm_arch_push_nmi(kvm->opaque);
 +#endif                          /* KVM_CAP_USER_NMI */
 +}
 +
 +void post_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    kvm_arch_post_run(env, env->kvm_run);
 +    cpu_single_env = env;
 +}
 +
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    kvm_arch_pre_run(env, env->kvm_run);
 +
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +int kvm_is_ready_for_interrupt_injection(CPUState *env)
 +{
 +    return env->kvm_run->ready_for_interrupt_injection;
 +}
 +
 +int kvm_run(CPUState *env)
 +{
 +    int r;
 +    kvm_context_t kvm = &env->kvm_state->kvm_context;
 +    struct kvm_run *run = env->kvm_run;
 +    int fd = env->kvm_fd;
 +
 +  again:
 +    if (env->kvm_vcpu_dirty) {
 +        kvm_arch_load_regs(env, KVM_PUT_RUNTIME_STATE);
 +        env->kvm_vcpu_dirty = 0;
 +    }
 +    push_nmi(kvm);
 +#if !defined(__s390__)
 +    if (!kvm->irqchip_in_kernel) {
 +        run->request_interrupt_window = kvm_arch_try_push_interrupts(env);
 +    }
 +#endif
 +
 +    r = pre_kvm_run(kvm, env);
 +    if (r) {
 +        return r;
 +    }
 +    if (env->exit_request) {
 +        env->exit_request = 0;
 +        pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    }
 +    r = ioctl(fd, KVM_RUN, 0);
 +
 +    if (r == -1 && errno != EINTR && errno != EAGAIN) {
 +        r = -errno;
 +        post_kvm_run(kvm, env);
 +        fprintf(stderr, "kvm_run: %s\n", strerror(-r));
 +        return r;
 +    }
 +
 +    post_kvm_run(kvm, env);
 +
 +    kvm_flush_coalesced_mmio_buffer();
 +
 +#if !defined(__s390__)
 +    if (r == -1) {
 +        r = handle_io_window(kvm);
 +        goto more;
 +    }
 +#endif
 +    if (1) {
 +        switch (run->exit_reason) {
 +        case KVM_EXIT_UNKNOWN:
 +            r = handle_unhandled(run->hw.hardware_exit_reason);
 +            break;
 +        case KVM_EXIT_FAIL_ENTRY:
 +            r = handle_failed_vmentry(run->fail_entry.hardware_entry_failure_reason);
 +            break;
 +        case KVM_EXIT_EXCEPTION:
 +            fprintf(stderr, "exception %d (%x)\n", run->ex.exception,
 +                    run->ex.error_code);
 +            kvm_show_regs(env);
 +            kvm_show_code(env);
 +            abort();
 +            break;
 +        case KVM_EXIT_IO:
 +            r = kvm_handle_io(run->io.port,
 +                                (uint8_t *)run + run->io.data_offset,
 +                                run->io.direction,
 +                                run->io.size,
 +                                run->io.count);
 +            r = 0;
 +            break;
 +        case KVM_EXIT_DEBUG:
 +            r = handle_debug(env);
 +            break;
 +        case KVM_EXIT_MMIO:
 +            r = handle_mmio(env);
 +            break;
 +        case KVM_EXIT_HLT:
 +            r = kvm_arch_halt(env);
 +            break;
 +        case KVM_EXIT_IRQ_WINDOW_OPEN:
 +            break;
 +        case KVM_EXIT_SHUTDOWN:
 +            r = handle_shutdown(kvm, env);
 +            break;
 +#if defined(__s390__)
 +        case KVM_EXIT_S390_SIEIC:
 +            r = kvm_s390_handle_intercept(kvm, env, run);
 +            break;
 +        case KVM_EXIT_S390_RESET:
 +            r = kvm_s390_handle_reset(kvm, env, run);
 +            break;
 +#endif
 +	case KVM_EXIT_INTERNAL_ERROR:
 +            kvm_handle_internal_error(env, run);
 +            r = 1;
 +	    break;
 +        default:
 +            if (kvm_arch_run(env)) {
 +                fprintf(stderr, "unhandled vm exit: 0x%x\n", run->exit_reason);
 +                kvm_show_regs(env);
 +                abort();
 +            }
 +            break;
 +        }
 +    }
 +more:
 +    if (!r) {
 +        goto again;
 +    }
 +    return r;
 +}
 +
 +int kvm_inject_irq(CPUState *env, unsigned irq)
 +{
 +    struct kvm_interrupt intr;
 +
 +    intr.irq = irq;
 +    return kvm_vcpu_ioctl(env, KVM_INTERRUPT, &intr);
 +}
 +
 +int kvm_inject_nmi(CPUState *env)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    return kvm_vcpu_ioctl(env, KVM_NMI);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_init_coalesced_mmio(kvm_context_t kvm)
 +{
 +    int r = 0;
 +    kvm_state->coalesced_mmio = 0;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_COALESCED_MMIO);
 +    if (r > 0) {
 +        kvm_state->coalesced_mmio = r;
 +        return 0;
 +    }
 +#endif
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +
 +static int kvm_old_assign_irq(kvm_context_t kvm,
 +                              struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_IRQ, assigned_irq);
 +}
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    int ret;
 +
 +    ret = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_ASSIGN_DEV_IRQ);
 +    if (ret > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_DEV_IRQ, assigned_irq);
 +    }
 +
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_DEV_IRQ, assigned_irq);
 +}
 +#else
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +#endif
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject)
 +{
 +#ifdef KVM_CAP_REINJECT_CONTROL
 +    int r;
 +    struct kvm_reinject_control control;
 +
 +    control.pit_reinject = pit_reinject;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_REINJECT_CONTROL);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_REINJECT_CONTROL, &control);
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +int kvm_has_gsi_routing(void)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    r = kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#endif
 +    return r;
 +}
 +
 +int kvm_get_gsi_count(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    return kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_clear_gsi_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->nr = 0;
 +    return 0;
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing *z;
 +    struct kvm_irq_routing_entry *new;
 +    int n, size;
 +
 +    if (kvm->irq_routes->nr == kvm->nr_allocated_irq_routes) {
 +        n = kvm->nr_allocated_irq_routes * 2;
 +        if (n < 64) {
 +            n = 64;
 +        }
 +        size = sizeof(struct kvm_irq_routing);
 +        size += n * sizeof(*new);
 +        z = realloc(kvm->irq_routes, size);
 +        if (!z) {
 +            return -ENOMEM;
 +        }
 +        kvm->nr_allocated_irq_routes = n;
 +        kvm->irq_routes = z;
 +    }
 +    n = kvm->irq_routes->nr++;
 +    new = &kvm->irq_routes->entries[n];
 +    memset(new, 0, sizeof(*new));
 +    new->gsi = entry->gsi;
 +    new->type = entry->type;
 +    new->flags = entry->flags;
 +    new->u = entry->u;
 +
 +    set_gsi(kvm, entry->gsi);
 +
 +    return 0;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_add_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_add_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e, *p;
 +    int i, gsi, found = 0;
 +
 +    gsi = entry->gsi;
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type == entry->type && e->gsi == gsi) {
 +            switch (e->type) {
 +            case KVM_IRQ_ROUTING_IRQCHIP:{
 +                    if (e->u.irqchip.irqchip ==
 +                        entry->u.irqchip.irqchip
 +                        && e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            case KVM_IRQ_ROUTING_MSI:{
 +                    if (e->u.msi.address_lo ==
 +                        entry->u.msi.address_lo
 +                        && e->u.msi.address_hi ==
 +                        entry->u.msi.address_hi
 +                        && e->u.msi.data == entry->u.msi.data) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            default:
 +                break;
 +            }
 +            if (found) {
 +                /* If there are no other users of this GSI
 +                 * mark it available in the bitmap */
 +                for (i = 0; i < kvm->irq_routes->nr; i++) {
 +                    e = &kvm->irq_routes->entries[i];
 +                    if (e->gsi == gsi)
 +                        break;
 +                }
 +                if (i == kvm->irq_routes->nr) {
 +                    clear_gsi(kvm, gsi);
 +                }
 +
 +                return 0;
 +            }
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e;
 +    int i;
 +
 +    if (entry->gsi != newentry->gsi || entry->type != newentry->type) {
 +        return -EINVAL;
 +    }
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type != entry->type || e->gsi != entry->gsi) {
 +            continue;
 +        }
 +        switch (e->type) {
 +        case KVM_IRQ_ROUTING_IRQCHIP:
 +            if (e->u.irqchip.irqchip == entry->u.irqchip.irqchip &&
 +                e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                memcpy(&e->u.irqchip, &newentry->u.irqchip,
 +                       sizeof e->u.irqchip);
 +                return 0;
 +            }
 +            break;
 +        case KVM_IRQ_ROUTING_MSI:
 +            if (e->u.msi.address_lo == entry->u.msi.address_lo &&
 +                e->u.msi.address_hi == entry->u.msi.address_hi &&
 +                e->u.msi.data == entry->u.msi.data) {
 +                memcpy(&e->u.msi, &newentry->u.msi, sizeof e->u.msi);
 +                return 0;
 +            }
 +            break;
 +        default:
 +            break;
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_del_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_commit_irq_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->flags = 0;
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_GSI_ROUTING, kvm->irq_routes);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_get_irq_route_gsi(void)
 +{
 +    kvm_context_t kvm = kvm_context;
 +    int i, bit;
 +    uint32_t *buf = kvm->used_gsi_bitmap;
 +
 +    /* Return the lowest unused GSI in the bitmap */
 +    for (i = 0; i < kvm->max_gsi / 32; i++) {
 +        bit = ffs(~buf[i]);
 +        if (!bit) {
 +            continue;
 +        }
 +
 +        return bit - 1 + i * 32;
 +    }
 +
 +    return -ENOSPC;
 +}
 +
 +static void kvm_msix_routing_entry(struct kvm_irq_routing_entry *e,
 +                                   uint32_t gsi, uint32_t addr_lo,
 +                                   uint32_t addr_hi, uint32_t data)
 +
 +{
 +    e->gsi = gsi;
 +    e->type = KVM_IRQ_ROUTING_MSI;
 +    e->flags = 0;
 +    e->u.msi.address_lo = addr_lo;
 +    e->u.msi.address_hi = addr_hi;
 +    e->u.msi.data = data;
 +}
 +
 +int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_add_routing_entry(&e);
 +}
 +
 +int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_del_routing_entry(&e);
 +}
 +
 +int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
 +                    uint32_t old_addr_hi, uint32_t old_data,
 +                    uint32_t new_gsi, uint32_t new_addr_lo,
 +                    uint32_t new_addr_hi, uint32_t new_data)
 +{
 +    struct kvm_irq_routing_entry e1, e2;
 +
 +    kvm_msix_routing_entry(&e1, old_gsi, old_addr_lo, old_addr_hi, old_data);
 +    kvm_msix_routing_entry(&e2, new_gsi, new_addr_lo, new_addr_hi, new_data);
 +    return kvm_update_routing_entry(&e1, &e2);
 +}
 +
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_NR, msix_nr);
 +}
 +
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_ENTRY, entry);
 +}
 +#endif
 +
 +#if defined(KVM_CAP_IRQFD) && defined(CONFIG_EVENTFD)
 +
 +#include <sys/eventfd.h>
 +
 +static int _kvm_irqfd(kvm_context_t kvm, int fd, int gsi, int flags)
 +{
 +    struct kvm_irqfd data = {
 +        .fd = fd,
 +        .gsi = gsi,
 +        .flags = flags,
 +    };
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_IRQFD, &data);
 +}
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    int r;
 +    int fd;
 +
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_IRQFD))
 +        return -ENOENT;
 +
 +    fd = eventfd(0, 0);
 +    if (fd < 0) {
 +        return -errno;
 +    }
 +
 +    r = _kvm_irqfd(kvm, fd, gsi, 0);
 +    if (r < 0) {
 +        close(fd);
 +        return -errno;
 +    }
 +
 +    return fd;
 +}
 +
 +#else                           /* KVM_CAP_IRQFD */
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    return -ENOSYS;
 +}
 +
 +#endif                          /* KVM_CAP_IRQFD */
 +unsigned long kvm_get_thread_id(void)
 +{
 +    return syscall(SYS_gettid);
 +}
 +
 +static void qemu_cond_wait(pthread_cond_t *cond)
 +{
 +    CPUState *env = cpu_single_env;
 +
 +    pthread_cond_wait(cond, &qemu_mutex);
 +    cpu_single_env = env;
 +}
 +
 +static void sig_ipi_handler(int n)
 +{
 +}
 +
 +static void sigbus_reraise(void)
 +{
 +    sigset_t set;
 +    struct sigaction action;
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_handler = SIG_DFL;
 +    if (!sigaction(SIGBUS, &action, NULL)) {
 +        raise(SIGBUS);
 +        sigemptyset(&set);
 +        sigaddset(&set, SIGBUS);
 +        sigprocmask(SIG_UNBLOCK, &set, NULL);
 +    }
 +    perror("Failed to re-raise SIGBUS!\n");
 +    abort();
 +}
 +
 +static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
 +                           void *ctx)
 +{
 +    if (kvm_on_sigbus(siginfo->ssi_code, (void *)(intptr_t)siginfo->ssi_addr))
 +        sigbus_reraise();
 +}
 +
 +void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
 +{
 +    struct qemu_work_item wi;
 +
 +    if (env == current_env) {
 +        func(data);
 +        return;
 +    }
 +
 +    wi.func = func;
 +    wi.data = data;
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        env->kvm_cpu_state.queued_work_first = &wi;
 +    } else {
 +        env->kvm_cpu_state.queued_work_last->next = &wi;
 +    }
 +    env->kvm_cpu_state.queued_work_last = &wi;
 +    wi.next = NULL;
 +    wi.done = false;
 +
 +    pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    while (!wi.done) {
 +        qemu_cond_wait(&qemu_work_cond);
 +    }
 +}
 +
 +static void do_kvm_cpu_synchronize_state(void *_env)
 +{
 +    CPUState *env = _env;
 +
 +    if (!env->kvm_vcpu_dirty) {
 +        kvm_arch_save_regs(env);
 +        env->kvm_vcpu_dirty = 1;
 +    }
 +}
 +
 +void kvm_cpu_synchronize_state(CPUState *env)
 +{
 +    if (!env->kvm_vcpu_dirty) {
 +        on_vcpu(env, do_kvm_cpu_synchronize_state, env);
 +    }
 +}
 +
 +void kvm_cpu_synchronize_post_reset(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_RESET_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +void kvm_cpu_synchronize_post_init(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_FULL_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +static void inject_interrupt(void *data)
 +{
 +    cpu_interrupt(current_env, (long) data);
 +}
 +
 +void kvm_inject_interrupt(CPUState *env, int mask)
 +{
 +    on_vcpu(env, inject_interrupt, (void *) (long) mask);
 +}
 +
 +void kvm_update_interrupt_request(CPUState *env)
 +{
 +    int signal = 0;
 +
 +    if (env) {
 +        if (!current_env || !current_env->created) {
 +            signal = 1;
 +        }
 +        /*
 +         * Testing for created here is really redundant
 +         */
 +        if (current_env && current_env->created &&
 +            env != current_env && !env->kvm_cpu_state.signalled) {
 +            signal = 1;
 +        }
 +
 +        if (signal) {
 +            env->kvm_cpu_state.signalled = 1;
 +            if (env->kvm_cpu_state.thread) {
 +                pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +            }
 +        }
 +    }
 +}
 +
 +int kvm_cpu_exec(CPUState *env)
 +{
 +    int r;
 +
 +    r = kvm_run(env);
 +    if (r < 0) {
 +        printf("kvm_run returned %d\n", r);
 +        vm_stop(0);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_cpu_is_stopped(CPUState *env)
 +{
 +    return !vm_running || env->stopped;
 +}
 +
 +static void flush_queued_work(CPUState *env)
 +{
 +    struct qemu_work_item *wi;
 +
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        return;
 +    }
 +
 +    while ((wi = env->kvm_cpu_state.queued_work_first)) {
 +        env->kvm_cpu_state.queued_work_first = wi->next;
 +        wi->func(wi->data);
 +        wi->done = true;
 +    }
 +    env->kvm_cpu_state.queued_work_last = NULL;
 +    pthread_cond_broadcast(&qemu_work_cond);
 +}
 +
 +static void kvm_main_loop_wait(CPUState *env, int timeout)
 +{
 +    struct timespec ts;
 +    int r, e;
 +    siginfo_t siginfo;
 +    sigset_t waitset;
 +    sigset_t chkset;
 +
 +    ts.tv_sec = timeout / 1000;
 +    ts.tv_nsec = (timeout % 1000) * 1000000;
 +    sigemptyset(&waitset);
 +    sigaddset(&waitset, SIG_IPI);
 +    sigaddset(&waitset, SIGBUS);
 +
 +    do {
 +        pthread_mutex_unlock(&qemu_mutex);
 +
 +        r = sigtimedwait(&waitset, &siginfo, &ts);
 +        e = errno;
 +
 +        pthread_mutex_lock(&qemu_mutex);
 +
 +        if (r == -1 && !(e == EAGAIN || e == EINTR)) {
 +            printf("sigtimedwait: %s\n", strerror(e));
 +            exit(1);
 +        }
 +
 +        switch (r) {
 +        case SIGBUS:
 +            if (kvm_on_sigbus_vcpu(env, siginfo.si_code, siginfo.si_addr))
 +                sigbus_reraise();
 +            break;
 +        default:
 +            break;
 +        }
 +
 +        r = sigpending(&chkset);
 +        if (r == -1) {
 +            printf("sigpending: %s\n", strerror(e));
 +            exit(1);
 +        }
 +    } while (sigismember(&chkset, SIG_IPI) || sigismember(&chkset, SIGBUS));
 +
 +    cpu_single_env = env;
 +    flush_queued_work(env);
 +
 +    if (env->stop) {
 +        env->stop = 0;
 +        env->stopped = 1;
 +        pthread_cond_signal(&qemu_pause_cond);
 +    }
 +
 +    env->kvm_cpu_state.signalled = 0;
 +}
 +
 +static int all_threads_paused(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv->stop) {
 +            return 0;
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    return 1;
 +}
 +
 +static void pause_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv != cpu_single_env) {
 +            penv->stop = 1;
 +            pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        } else {
 +            penv->stop = 0;
 +            penv->stopped = 1;
 +            cpu_exit(penv);
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    while (!all_threads_paused()) {
 +        qemu_cond_wait(&qemu_pause_cond);
 +    }
 +}
 +
 +static void resume_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    assert(!cpu_single_env);
 +
 +    while (penv) {
 +        penv->stop = 0;
 +        penv->stopped = 0;
 +        pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +}
 +
 +static void kvm_vm_state_change_handler(void *context, int running, int reason)
 +{
 +    if (running) {
 +        resume_all_threads();
 +    } else {
 +        pause_all_threads();
 +    }
 +}
 +
 +static void setup_kernel_sigmask(CPUState *env)
 +{
 +    sigset_t set;
 +
 +    sigemptyset(&set);
 +    sigaddset(&set, SIGUSR2);
 +    sigaddset(&set, SIGIO);
 +    sigaddset(&set, SIGALRM);
 +    sigprocmask(SIG_BLOCK, &set, NULL);
 +
 +    sigprocmask(SIG_BLOCK, NULL, &set);
 +    sigdelset(&set, SIG_IPI);
 +    sigdelset(&set, SIGBUS);
 +
 +    kvm_set_signal_mask(env, &set);
 +}
 +
 +static void qemu_kvm_system_reset(void)
 +{
 +    pause_all_threads();
 +
 +    qemu_system_reset();
 +
 +    resume_all_threads();
 +}
 +
 +static void process_irqchip_events(CPUState *env)
 +{
 +    kvm_arch_process_irqchip_events(env);
 +    if (kvm_arch_has_work(env))
 +        env->halted = 0;
 +}
 +
 +static int kvm_main_loop_cpu(CPUState *env)
 +{
 +    while (1) {
 +        int run_cpu = !kvm_cpu_is_stopped(env);
 +        if (run_cpu && !kvm_irqchip_in_kernel()) {
 +            process_irqchip_events(env);
 +            run_cpu = !env->halted;
 +        }
 +        if (run_cpu) {
 +            kvm_cpu_exec(env);
 +            kvm_main_loop_wait(env, 0);
 +        } else {
 +            kvm_main_loop_wait(env, 1000);
 +        }
 +    }
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +static void *ap_main_loop(void *_env)
 +{
 +    CPUState *env = _env;
 +    sigset_t signals;
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    struct ioperm_data *data = NULL;
 +#endif
 +
 +    current_env = env;
 +    env->thread_id = kvm_get_thread_id();
 +    sigfillset(&signals);
 +    sigprocmask(SIG_BLOCK, &signals, NULL);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    /* do ioperm for io ports of assigned devices */
 +    QLIST_FOREACH(data, &ioperm_head, entries)
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +#endif
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = env;
 +
 +    kvm_create_vcpu(env, env->cpu_index);
 +    setup_kernel_sigmask(env);
 +
 +    /* signal VCPU creation */
 +    current_env->created = 1;
 +    pthread_cond_signal(&qemu_vcpu_cond);
 +
 +    /* and wait for machine initialization */
 +    while (!qemu_system_ready) {
 +        qemu_cond_wait(&qemu_system_cond);
 +    }
 +
 +    /* re-initialize cpu_single_env after re-acquiring qemu_mutex */
 +    cpu_single_env = env;
 +
 +    kvm_main_loop_cpu(env);
 +    return NULL;
 +}
 +
 +int kvm_init_vcpu(CPUState *env)
 +{
 +    pthread_create(&env->kvm_cpu_state.thread, NULL, ap_main_loop, env);
 +
 +    while (env->created == 0) {
 +        qemu_cond_wait(&qemu_vcpu_cond);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_vcpu_inited(CPUState *env)
 +{
 +    return env->created;
 +}
 +
 +#ifdef TARGET_I386
 +void kvm_hpet_disable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags |= KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +
 +void kvm_hpet_enable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags &= ~KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +#endif
 +
 +int kvm_init_ap(void)
 +{
 +    struct sigaction action;
 +
 +    qemu_add_vm_change_state_handler(kvm_vm_state_change_handler, NULL);
 +
 +    signal(SIG_IPI, sig_ipi_handler);
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_flags = SA_SIGINFO;
 +    action.sa_sigaction = (void (*)(int, siginfo_t*, void*))sigbus_handler;
 +    sigaction(SIGBUS, &action, NULL);
 +    prctl(PR_MCE_KILL, 1, 1, 0, 0);
 +    return 0;
 +}
 +
 +/* If we have signalfd, we mask out the signals we want to handle and then
 + * use signalfd to listen for them.  We rely on whatever the current signal
 + * handler is to dispatch the signals when we receive them.
 + */
 +
 +static void sigfd_handler(void *opaque)
 +{
 +    int fd = (unsigned long) opaque;
 +    struct qemu_signalfd_siginfo info;
 +    struct sigaction action;
 +    ssize_t len;
 +
 +    while (1) {
 +        do {
 +            len = read(fd, &info, sizeof(info));
 +        } while (len == -1 && errno == EINTR);
 +
 +        if (len == -1 && errno == EAGAIN) {
 +            break;
 +        }
 +
 +        if (len != sizeof(info)) {
 +            printf("read from sigfd returned %zd: %m\n", len);
 +            return;
 +        }
 +
 +        sigaction(info.ssi_signo, NULL, &action);
 +        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
 +            action.sa_sigaction(info.ssi_signo,
 +                                (siginfo_t *)&info, NULL);
 +        } else if (action.sa_handler) {
 +            action.sa_handler(info.ssi_signo);
 +        }
 +    }
 +}
 +
 +int kvm_main_loop(void)
 +{
 +    sigset_t mask;
 +    int sigfd;
 +
 +    io_thread = pthread_self();
 +    qemu_system_ready = 1;
 +
 +    sigemptyset(&mask);
 +    sigaddset(&mask, SIGIO);
 +    sigaddset(&mask, SIGALRM);
 +    sigaddset(&mask, SIGBUS);
 +    sigprocmask(SIG_BLOCK, &mask, NULL);
 +
 +    sigfd = qemu_signalfd(&mask);
 +    if (sigfd == -1) {
 +        fprintf(stderr, "failed to create signalfd\n");
 +        return -errno;
 +    }
 +
 +    fcntl(sigfd, F_SETFL, O_NONBLOCK);
 +
 +    qemu_set_fd_handler2(sigfd, NULL, sigfd_handler, NULL,
 +                         (void *)(unsigned long) sigfd);
 +
 +    pthread_cond_broadcast(&qemu_system_cond);
 +
 +    io_thread_sigfd = sigfd;
 +    cpu_single_env = NULL;
 +
 +    while (1) {
 +        main_loop_wait(0);
 +        if (qemu_shutdown_requested()) {
 +            monitor_protocol_event(QEVENT_SHUTDOWN, NULL);
 +            if (qemu_no_shutdown()) {
 +                vm_stop(0);
 +            } else {
 +                break;
 +            }
 +        } else if (qemu_powerdown_requested()) {
 +            monitor_protocol_event(QEVENT_POWERDOWN, NULL);
 +            qemu_irq_raise(qemu_system_powerdown);
 +        } else if (qemu_reset_requested()) {
 +            qemu_kvm_system_reset();
 +        } else if (kvm_debug_cpu_requested) {
 +            gdb_set_stop_cpu(kvm_debug_cpu_requested);
 +            vm_stop(EXCP_DEBUG);
 +            kvm_debug_cpu_requested = NULL;
 +        }
 +    }
 +
 +    pause_all_threads();
 +    pthread_mutex_unlock(&qemu_mutex);
 +
 +    return 0;
 +}
 +
 +#if !defined(TARGET_I386)
 +int kvm_arch_init_irq_routing(void)
 +{
 +    return 0;
 +}
 +#endif
 +
 +extern int no_hpet;
 +
 +static int kvm_create_context(void)
 +{
 +    static const char upgrade_note[] =
 +    "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
 +    "(see http://sourceforge.net/projects/kvm).\n";
 +
 +    int r;
 +
 +    if (!kvm_irqchip) {
 +        kvm_disable_irqchip_creation(kvm_context);
 +    }
 +    if (!kvm_pit) {
 +        kvm_disable_pit_creation(kvm_context);
 +    }
 +    if (kvm_create(kvm_context, 0, NULL) < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    r = kvm_arch_qemu_create_context();
 +    if (r < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    if (kvm_pit && !kvm_pit_reinject) {
 +        if (kvm_reinject_control(kvm_context, 0)) {
 +            fprintf(stderr, "failure to disable in-kernel PIT reinjection\n");
 +            return -1;
 +        }
 +    }
 +
 +    /* There was a nasty bug in < kvm-80 that prevents memory slots from being
 +     * destroyed properly.  Since we rely on this capability, refuse to work
 +     * with any kernel without this capability. */
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_DESTROY_MEMORY_REGION_WORKS)) {
 +        fprintf(stderr,
 +                "KVM kernel module broken (DESTROY_MEMORY_REGION).\n%s",
 +                upgrade_note);
 +        return -EINVAL;
 +    }
 +
 +    r = kvm_arch_init_irq_routing();
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_state->vcpu_events = 0;
 +#ifdef KVM_CAP_VCPU_EVENTS
 +    kvm_state->vcpu_events = kvm_check_extension(kvm_state, KVM_CAP_VCPU_EVENTS);
 +#endif
 +
 +    kvm_state->debugregs = 0;
 +#ifdef KVM_CAP_DEBUGREGS
 +    kvm_state->debugregs = kvm_check_extension(kvm_state, KVM_CAP_DEBUGREGS);
 +#endif
 +
 +    kvm_state->xsave = 0;
 +#ifdef KVM_CAP_XSAVE
 +    kvm_state->xsave = kvm_check_extension(kvm_state, KVM_CAP_XSAVE);
 +#endif
 +
 +    kvm_state->xcrs = 0;
 +#ifdef KVM_CAP_XCRS
 +    kvm_state->xcrs = kvm_check_extension(kvm_state, KVM_CAP_XCRS);
 +#endif
 +
++    kvm_state->many_ioeventfds = kvm_check_many_ioeventfds();
++
 +    kvm_init_ap();
 +    if (kvm_irqchip) {
 +        if (!qemu_kvm_has_gsi_routing()) {
 +            irq0override = 0;
 +#ifdef TARGET_I386
 +            /* if kernel can't do irq routing, interrupt source
 +             * override 0->2 can not be set up as required by hpet,
 +             * so disable hpet.
 +             */
 +            no_hpet = 1;
 +        } else if (!qemu_kvm_has_pit_state2()) {
 +            no_hpet = 1;
 +        }
 +#else
 +        }
 +#endif
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq(int irq, int level, int *status)
 +{
 +    return kvm_set_irq_level(kvm_context, irq, level, status);
 +}
 +
 +#endif
 +
 +static void kvm_mutex_unlock(void)
 +{
 +    assert(!cpu_single_env);
 +    pthread_mutex_unlock(&qemu_mutex);
 +}
 +
 +static void kvm_mutex_lock(void)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = NULL;
 +}
 +
 +void qemu_mutex_unlock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_unlock();
 +    }
 +}
 +
 +void qemu_mutex_lock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_lock();
 +    }
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_add_ioperm_data(struct ioperm_data *data)
 +{
 +    QLIST_INSERT_HEAD(&ioperm_head, data, entries);
 +}
 +
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
 +{
 +    struct ioperm_data *data;
 +
 +    data = QLIST_FIRST(&ioperm_head);
 +    while (data) {
 +        struct ioperm_data *next = QLIST_NEXT(data, entries);
 +
 +        if (data->start_port == start_port && data->num == num) {
 +            QLIST_REMOVE(data, entries);
 +            qemu_free(data);
 +        }
 +
 +        data = next;
 +    }
 +}
 +
 +void kvm_ioperm(CPUState *env, void *data)
 +{
 +    if (kvm_enabled() && qemu_system_ready) {
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +    }
 +}
 +
 +#endif
 +
 +int kvm_set_boot_cpu_id(uint32_t id)
 +{
 +    return kvm_set_boot_vcpu_id(kvm_context, id);
 +}
 +
diff --cc qemu-kvm.h
index 7e6edfb,0000000..db4e340
mode 100644,000000..100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@@ -1,770 -1,0 +1,771 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#ifndef THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +#define THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +
 +#include "cpu.h"
 +
 +#include <signal.h>
 +#include <stdlib.h>
 +
 +#ifdef CONFIG_KVM
 +
 +#if defined(__s390__)
 +#include <asm/ptrace.h>
 +#endif
 +
 +#include <stdint.h>
 +
 +#ifndef __user
 +#define __user       /* temporary, until installed via make headers_install */
 +#endif
 +
 +#include <linux/kvm.h>
 +
 +#include <signal.h>
 +
 +/* FIXME: share this number with kvm */
 +/* FIXME: or dynamically alloc/realloc regions */
 +#ifdef __s390__
 +#define KVM_MAX_NUM_MEM_REGIONS 1u
 +#define MAX_VCPUS 64
 +#define LIBKVM_S390_ORIGIN (0UL)
 +#elif defined(__ia64__)
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 256
 +#else
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 16
 +#endif
 +
 +/* kvm abi verison variable */
 +extern int kvm_abi;
 +
 +/**
 + * \brief The KVM context
 + *
 + * The verbose KVM context
 + */
 +
 +struct kvm_context {
 +    void *opaque;
 +    /// is dirty pages logging enabled for all regions or not
 +    int dirty_pages_log_all;
 +    /// do not create in-kernel irqchip if set
 +    int no_irqchip_creation;
 +    /// in-kernel irqchip status
 +    int irqchip_in_kernel;
 +    /// ioctl to use to inject interrupts
 +    int irqchip_inject_ioctl;
 +    /// do not create in-kernel pit if set
 +    int no_pit_creation;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing *irq_routes;
 +    int nr_allocated_irq_routes;
 +#endif
 +    void *used_gsi_bitmap;
 +    int max_gsi;
 +};
 +
 +typedef struct kvm_context *kvm_context_t;
 +
 +#include "kvm.h"
 +int kvm_alloc_kernel_memory(kvm_context_t kvm, unsigned long memory,
 +                            void **vm_mem);
 +int kvm_alloc_userspace_memory(kvm_context_t kvm, unsigned long memory,
 +                               void **vm_mem);
 +
 +int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +                    void **vm_mem);
 +
 +int kvm_arch_run(CPUState *env);
 +
 +
 +void kvm_show_code(CPUState *env);
 +
 +int handle_halt(CPUState *env);
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env);
 +void post_kvm_run(kvm_context_t kvm, CPUState *env);
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env);
 +int handle_io_window(kvm_context_t kvm);
 +int try_push_interrupts(kvm_context_t kvm);
 +
 +#if defined(__x86_64__) || defined(__i386__)
 +struct kvm_x86_mce;
 +#endif
 +
 +/*!
 + * \brief Disable the in-kernel IRQCHIP creation
 + *
 + * In-kernel irqchip is enabled by default. If userspace irqchip is to be used,
 + * this should be called prior to kvm_create().
 + *
 + * \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_irqchip_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable the in-kernel PIT creation
 + *
 + * In-kernel pit is enabled by default. If userspace pit is to be used,
 + * this should be called prior to kvm_create().
 + *
 + *  \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_pit_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Create new virtual machine
 + *
 + * This creates a new virtual machine, maps physical RAM to it, and creates a
 + * virtual CPU for it.\n
 + * \n
 + * Memory gets mapped for addresses 0->0xA0000, 0xC0000->phys_mem_bytes
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_mem_bytes The amount of physical ram you want the VM to have
 + * \param phys_mem This pointer will be set to point to the memory that
 + * kvm_create allocates for physical RAM
 + * \return 0 on success
 + */
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +               void **phys_mem);
 +int kvm_create_vm(kvm_context_t kvm);
 +void kvm_create_irqchip(kvm_context_t kvm);
 +
 +/*!
 + * \brief Start the VCPU
 + *
 + * This starts the VCPU and virtualization is started.\n
 + * \n
 + * This function will not return until any of these conditions are met:
 + * - An IO/MMIO handler does not return "0"
 + * - An exception that neither the guest OS, nor KVM can handle occurs
 + *
 + * \note This function will call the callbacks registered in kvm_init()
 + * to emulate those functions
 + * \note If you at any point want to interrupt the VCPU, kvm_run() will
 + * listen to the EINTR signal. This allows you to simulate external interrupts
 + * and asyncronous IO.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be started
 + * \return 0 on success, but you really shouldn't expect this function to
 + * return except for when an error has occured, or when you have sent it
 + * an EINTR signal.
 + */
 +int kvm_run(CPUState *env);
 +
 +/*!
 + * \brief Check if a vcpu is ready for interrupt injection
 + *
 + * This checks if vcpu interrupts are not masked by mov ss or sti.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return boolean indicating interrupt injection readiness
 + */
 +int kvm_is_ready_for_interrupt_injection(CPUState *env);
 +
 +/*!
 + * \brief Read VCPU registers
 + *
 + * This gets the GP registers from the VCPU and outputs them
 + * into a kvm_regs structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPUs GP registers, you should call kvm_set_regs()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs);
 +
 +/*!
 + * \brief Write VCPU registers
 + *
 + * This sets the GP registers on the VCPU from a kvm_regs structure
 + *
 + * \note When this function returns, the regs pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs);
 +
 +#ifdef KVM_CAP_MP_STATE
 +/*!
 + *  * \brief Read VCPU MP state
 + *
 + */
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +
 +/*!
 + *  * \brief Write VCPU MP state
 + *
 + */
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +#endif
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Simulate an external vectored interrupt
 + *
 + * This allows you to simulate an external vectored interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param irq Vector number
 + * \return 0 on success
 + */
 +int kvm_inject_irq(CPUState *env, unsigned irq);
 +
 +
 +/*!
 + * \brief Setting the number of shadow pages to be allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages);
 +
 +/*!
 + * \brief Getting the number of shadow pages that are allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages);
 +
 +#endif
 +
 +/*!
 + * \brief Dump VCPU registers
 + *
 + * This dumps some of the information that KVM has about a virtual CPU, namely:
 + * - GP Registers
 + *
 + * A much more verbose version of this is available as kvm_dump_vcpu()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +void kvm_show_regs(CPUState *env);
 +
 +
 +void *kvm_create_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len, int log, int writable);
 +void kvm_destroy_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len);
 +
 +int kvm_is_containing_region(kvm_context_t kvm, unsigned long phys_start,
 +                             unsigned long size);
 +int kvm_register_phys_mem(kvm_context_t kvm, unsigned long phys_start,
 +                          void *userspace_addr, unsigned long len, int log);
 +int kvm_get_dirty_pages_range(kvm_context_t kvm, unsigned long phys_addr,
 +                              unsigned long end_addr, void *opaque,
 +                              int (*cb)(unsigned long start,
 +                                        unsigned long len, void *bitmap,
 +                                        void *opaque));
 +int kvm_register_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                uint32_t size);
 +int kvm_unregister_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                  uint32_t size);
 +
 +/*!
 + * \brief Get a bitmap of guest ram pages which are allocated to the guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_addr Memory slot phys addr
 + * \param bitmap Long aligned address of a big enough bitmap (one bit per page)
 + */
 +int kvm_get_mem_map(kvm_context_t kvm, unsigned long phys_addr, void *bitmap);
 +int kvm_get_mem_map_range(kvm_context_t kvm, unsigned long phys_addr,
 +                          unsigned long len, void *buf, void *opaque,
 +                          int (*cb)(unsigned long start,
 +                                    unsigned long len, void *bitmap,
 +                                    void *opaque));
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status);
 +
 +int kvm_dirty_pages_log_enable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                    uint64_t len);
 +int kvm_dirty_pages_log_disable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                     uint64_t len);
 +/*!
 + * \brief Enable dirty-pages-logging for all memory regions
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_enable_all(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable dirty-page-logging for some memory regions
 + *
 + * Disable dirty-pages-logging for those memory regions that were
 + * created with dirty-page-logging disabled.
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_reset(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_IRQCHIP
 +/*!
 + * \brief Dump in kernel IRQCHIP contents
 + *
 + * Dump one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC into a kvm_irqchip structure
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip The irq chip device to be dumped
 + */
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +/*!
 + * \brief Set in kernel IRQCHIP contents
 + *
 + * Write one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip THe irq chip device to be written
 + */
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel local APIC for vcpu
 + *
 + * Save the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +/*!
 + * \brief Set in kernel local APIC for vcpu
 + *
 + * Restore the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +#endif
 +
 +/*!
 + * \brief Simulate an NMI
 + *
 + * This allows you to simulate a non-maskable interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +int kvm_inject_nmi(CPUState *env);
 +
 +#endif
 +
 +/*!
 + * \brief Initialize coalesced MMIO
 + *
 + * Check for coalesced MMIO capability and store in context
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_init_coalesced_mmio(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_PIT
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel PIT of the virtual domain
 + *
 + * Save the PIT state.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +/*!
 + * \brief Set in kernel PIT of the virtual domain
 + *
 + * Restore the PIT state.
 + * Timer would be retriggerred after restored.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject);
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +/*!
 + * \brief Check for kvm support of kvm_pit_state2
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \return 0 on success
 + */
 +int kvm_has_pit_state2(kvm_context_t kvm);
 +
 +/*!
 + * \brief Set in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +/*!
 + * \brief Get in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +#endif
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_VAPIC
 +
 +int kvm_enable_vapic(CPUState *env, uint64_t vapic);
 +
 +#endif
 +
 +#if defined(__s390__)
 +int kvm_s390_initial_reset(kvm_context_t kvm, int slot);
 +int kvm_s390_interrupt(kvm_context_t kvm, int slot,
 +                       struct kvm_s390_interrupt *kvmint);
 +int kvm_s390_set_initial_psw(kvm_context_t kvm, int slot, psw_t psw);
 +int kvm_s390_store_status(kvm_context_t kvm, int slot, unsigned long addr);
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be assigned to a guest
 + *
 + * Used for PCI device assignment, this function notifies the host
 + * kernel about the assigning of the physical PCI device to a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev);
 +
 +/*!
 + * \brief Assign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function assigns IRQ numbers for
 + * an physical device and guest IRQ handling.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +/*!
 + * \brief Deassign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function deassigns IRQ numbers
 + * for an assigned device.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be deassigned from a guest
 + *
 + * Used for hot remove PCI device, this function notifies the host
 + * kernel about the deassigning of the physical PCI device from a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev);
 +#endif
 +
 +/*!
 + * \brief Determines the number of gsis that can be routed
 + *
 + * Returns the number of distinct gsis that can be routed by kvm.  This is
 + * also the number of distinct routes (if a gsi has two routes, than another
 + * gsi cannot be used...)
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_get_gsi_count(kvm_context_t kvm);
 +
 +/*!
 + * \brief Clears the temporary irq routing table
 + *
 + * Clears the temporary irq routing table.  Nothing is committed to the
 + * running VM.
 + *
 + */
 +int kvm_clear_gsi_routes(void);
 +
 +/*!
 + * \brief Adds an irq route to the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_irq_route(int gsi, int irqchip, int pin);
 +
 +/*!
 + * \brief Removes an irq route from the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_irq_route(int gsi, int irqchip, int pin);
 +
 +struct kvm_irq_routing_entry;
 +/*!
 + * \brief Adds a routing entry to the temporary irq routing table
 + *
 + * Adds a filled routing entry to the temporary irq routing table. Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Removes a routing from the temporary irq routing table
 + *
 + * Remove a routing to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Updates a routing in the temporary irq routing table
 + *
 + * Update a routing in the temporary irq routing table
 + * with a new value. entry type and GSI can not be changed.
 + * Nothing is committed to the running VM.
 + */
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry);
 +
 +
 +/*!
 + * \brief Create a file descriptor for injecting interrupts
 + *
 + * Creates an eventfd based file-descriptor that maps to a specific GSI
 + * in the guest.  eventfd compliant signaling (write() from userspace, or
 + * eventfd_signal() from kernelspace) will cause the GSI to inject
 + * itself into the guest at the next available window.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param gsi GSI to assign to this fd
 + * \param flags reserved, must be zero
 + */
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags);
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr);
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry);
 +#endif
 +
 +#else                           /* !CONFIG_KVM */
 +
 +typedef struct kvm_context *kvm_context_t;
 +typedef struct kvm_vcpu_context *kvm_vcpu_context_t;
 +
 +struct kvm_pit_state {
 +};
 +
 +#endif                          /* !CONFIG_KVM */
 +
 +
 +/*!
 + * \brief Create new KVM context
 + *
 + * This creates a new kvm_context. A KVM context is a small area of data that
 + * holds information about the KVM instance that gets created by this call.\n
 + * This should always be your first call to KVM.
 + *
 + * \param opaque Not used
 + * \return NULL on failure
 + */
 +int kvm_init(int smp_cpus);
 +
 +int kvm_main_loop(void);
 +int kvm_init_ap(void);
 +int kvm_vcpu_inited(CPUState *env);
 +void kvm_save_lapic(CPUState *env);
 +void kvm_load_lapic(CPUState *env);
 +
 +void kvm_hpet_enable_kpit(void);
 +void kvm_hpet_disable_kpit(void);
 +
 +int kvm_physical_memory_set_dirty_tracking(int enable);
 +
 +void on_vcpu(CPUState *env, void (*func)(void *data), void *data);
 +void qemu_kvm_call_with_env(void (*func)(void *), void *data, CPUState *env);
 +void qemu_kvm_cpuid_on_env(CPUState *env);
 +void kvm_inject_interrupt(CPUState *env, int mask);
 +void kvm_update_after_sipi(CPUState *env);
 +void kvm_update_interrupt_request(CPUState *env);
 +#ifndef CONFIG_USER_ONLY
 +void *kvm_cpu_create_phys_mem(target_phys_addr_t start_addr, unsigned long size,
 +                              int log, int writable);
 +
 +void kvm_cpu_destroy_phys_mem(target_phys_addr_t start_addr,
 +                              unsigned long size);
 +void kvm_qemu_log_memory(target_phys_addr_t start, target_phys_addr_t size,
 +                         int log);
 +#endif
 +int kvm_qemu_create_memory_alias(uint64_t phys_start, uint64_t len,
 +                                 uint64_t target_phys);
 +int kvm_qemu_destroy_memory_alias(uint64_t phys_start);
 +
 +int kvm_arch_qemu_create_context(void);
 +
 +void kvm_arch_save_regs(CPUState *env);
 +void kvm_arch_load_regs(CPUState *env, int level);
 +int kvm_arch_has_work(CPUState *env);
 +void kvm_arch_process_irqchip_events(CPUState *env);
 +int kvm_arch_try_push_interrupts(void *opaque);
 +void kvm_arch_push_nmi(void *opaque);
 +void kvm_arch_cpu_reset(CPUState *env);
 +int kvm_set_boot_cpu_id(uint32_t id);
 +
 +void qemu_kvm_aio_wait_start(void);
 +void qemu_kvm_aio_wait(void);
 +void qemu_kvm_aio_wait_end(void);
 +
 +void kvm_tpr_access_report(CPUState *env, uint64_t rip, int is_write);
 +
 +int kvm_arch_init_irq_routing(void);
 +
 +int kvm_mmio_read(void *opaque, uint64_t addr, uint8_t * data, int len);
 +int kvm_mmio_write(void *opaque, uint64_t addr, uint8_t * data, int len);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +struct ioperm_data;
 +
 +void kvm_ioperm(CPUState *env, void *data);
 +void kvm_add_ioperm_data(struct ioperm_data *data);
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num);
 +void kvm_arch_do_ioperm(void *_data);
 +#endif
 +
 +#define ALIGN(x, y)  (((x)+(y)-1) & ~((y)-1))
 +#define BITMAP_SIZE(m) (ALIGN(((m)>>TARGET_PAGE_BITS), HOST_LONG_BITS) / 8)
 +
 +#ifdef CONFIG_KVM
 +#include "qemu-queue.h"
 +
 +extern int kvm_irqchip;
 +extern int kvm_pit;
 +extern int kvm_pit_reinject;
 +extern int kvm_nested;
 +extern kvm_context_t kvm_context;
 +
 +struct ioperm_data {
 +    unsigned long start_port;
 +    unsigned long num;
 +    int turn_on;
 +    QLIST_ENTRY(ioperm_data) entries;
 +};
 +
 +void qemu_kvm_cpu_stop(CPUState *env);
 +int kvm_arch_halt(CPUState *env);
 +int handle_tpr_access(void *opaque, CPUState *env, uint64_t rip,
 +                      int is_write);
 +
 +#define qemu_kvm_has_gsi_routing() kvm_has_gsi_routing()
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() kvm_has_pit_state2(kvm_context)
 +#endif
 +#else
 +#define kvm_nested 0
 +#define qemu_kvm_has_gsi_routing() (0)
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() (0)
 +#endif
 +#define qemu_kvm_cpu_stop(env) do {} while(0)
 +#endif
 +
 +#ifdef CONFIG_KVM
 +
 +typedef struct KVMSlot {
 +    target_phys_addr_t start_addr;
 +    ram_addr_t memory_size;
 +    ram_addr_t phys_offset;
 +    int slot;
 +    int flags;
 +} KVMSlot;
 +
 +typedef struct kvm_dirty_log KVMDirtyLog;
 +
 +struct KVMState {
 +    KVMSlot slots[32];
 +    int fd;
 +    int vmfd;
 +    int coalesced_mmio;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
 +#endif
 +    int broken_set_mem_region;
 +    int migration_log;
 +    int vcpu_events;
 +    int robust_singlestep;
 +    int debugregs;
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_HEAD(, kvm_sw_breakpoint) kvm_sw_breakpoints;
 +#endif
 +    int irqchip_in_kernel;
 +    int pit_in_kernel;
 +    int xsave, xcrs;
++    int many_ioeventfds;
 +
 +    struct kvm_context kvm_context;
 +};
 +
 +extern struct KVMState *kvm_state;
 +
 +int kvm_tpr_enable_vapic(CPUState *env);
 +
 +unsigned long kvm_get_thread_id(void);
 +int kvm_cpu_is_stopped(CPUState *env);
 +
 +#endif
 +
 +#endif
commit 777c5d1864bb3e218338c8328d7cce269fa51c5c
Merge: 4db75cc... a8bd70a...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 17:25:02 2011 -0200

    Merge commit 'a8bd70ad3b62701037e9f3a996762ca7c29581a2' into upstream-merge
    
    * commit 'a8bd70ad3b62701037e9f3a996762ca7c29581a2':
      fix spelling of $pkg_config, move default together with other cross tools
      provide portable HOST_LONG_BITS test
      do not pass bogus $(SRC_PATH) include paths to cc during configure
      test cc with the complete set of chosen flags
      fix sparse support (?)
    
    Conflicts:
    	configure
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index 95b1625,7eabae4..f49a826
--- a/configure
+++ b/configure
@@@ -1719,25 -1686,8 +1721,25 @@@ EO
              kvm_cflags="$kvm_cflags -I$kerneldir/arch/$cpu/include"
        fi
    else
-     kvm_cflags=`$pkgconfig --cflags kvm-kmod 2>/dev/null`
+     kvm_cflags=`$pkg_config --cflags kvm-kmod 2>/dev/null`
 +    if test "$kvm_cflags" = ""; then
 +      case "$cpu" in
 +      i386 | x86_64)
 +        kvm_arch="x86"
 +        ;;
 +      ppc)
 +        kvm_arch="powerpc"
 +        ;;
 +      *)
 +        kvm_arch="$cpu"
 +        ;;
 +      esac
 +      kvm_cflags="-I$source_path/kvm/include"
 +      kvm_cflags="$kvm_cflags -include $source_path/kvm/include/linux/config.h"
 +      kvm_cflags="$kvm_cflags -I$source_path/kvm/include/$kvm_arch"
 +    fi
    fi
 +  kvm_cflags="$kvm_cflags -idirafter $source_path/compat"
    if compile_prog "$kvm_cflags" "" ; then
      kvm=yes
      cat > $TMPC <<EOF
commit 4db75cca31700219ea07672758c0daae7e7a28ef
Merge: ea2144d... 377529c...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 17:09:31 2011 -0200

    Merge commit '377529c009e3fce480d9c233bb3238b14a950816' into upstream-merge
    
    * commit '377529c009e3fce480d9c233bb3238b14a950816': (64 commits)
      move feature variables to the top
      default make and install to environment variables
      default compilation tools to environment variables
      microblaze: Improve unconditional direct branching
      cris: Set btaken when storing direct jumps
      slirp: Use strcasecmp() to check tftp mode, tsize
      ppc405_uc: fix a buffer overflow
      lan9118: fix a buffer overflow
      vpc: fix a file descriptor leak
      qemu-io: fix a memory leak
      vvfat: fix a file descriptor leak
      loader: fix a file descriptor leak
      vnc-auth-sasl: fix a memory leak
      audio: split sample conversion and volume mixing
      disas: remove opcode printing on ARM hosts
      arm-dis: Include opcode hex when doing disassembly
      tcg arm/mips/ia64: add a comment about retranslation and caches
      linux-user: Add configure check for linux/fiemap.h and IOC_FS_FIEMAP
      ARM: Fix decoding of VQSHL/VQSHLU immediate forms
      ARM: add neon helpers for VQSHLU
      ...
    
    Conflicts:
    	configure
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index 7923ad7,13b2aa7..95b1625
--- a/configure
+++ b/configure
@@@ -94,6 -86,88 +86,101 @@@ audio_pt_int="
  audio_win_int=""
  cc_i386=i386-pc-linux-gnu-gcc
  
 -target_list=""
++target_list="x86_64-softmmu"
++
++kvm_version() {
++    local fname="$(dirname "$0")/KVM_VERSION"
++
++    if test -f "$fname"; then
++        cat "$fname"
++    else
++        echo "qemu-kvm-devel"
++    fi
++}
+ 
+ # Default value for a variable defining feature "foo".
+ #  * foo="no"  feature will only be used if --enable-foo arg is given
+ #  * foo=""    feature will be searched for, and if found, will be used
+ #              unless --disable-foo is given
+ #  * foo="yes" this value will only be set by --enable-foo flag.
+ #              feature will searched for,
+ #              if not found, configure exits with error
+ #
+ # Always add --enable-foo and --disable-foo command line args.
+ # Distributions want to ensure that several features are compiled in, and it
+ # is impossible without a --enable-foo that exits if a feature is not found.
+ 
+ bluez=""
+ brlapi=""
+ curl=""
+ curses=""
+ docs=""
+ fdt=""
+ kvm=""
+ kvm_para=""
+ nptl=""
+ sdl=""
+ sparse="no"
+ uuid=""
+ vde=""
+ vnc_tls=""
+ vnc_sasl=""
+ vnc_jpeg=""
+ vnc_png=""
+ vnc_thread="no"
+ xen=""
+ linux_aio=""
+ attr=""
+ vhost_net=""
+ xfs=""
+ 
+ gprof="no"
+ debug_tcg="no"
+ debug_mon="no"
+ debug="no"
+ strip_opt="yes"
+ bigendian="no"
+ mingw32="no"
+ EXESUF=""
+ prefix="/usr/local"
+ mandir="\${prefix}/share/man"
+ datadir="\${prefix}/share/qemu"
+ docdir="\${prefix}/share/doc/qemu"
+ bindir="\${prefix}/bin"
+ sysconfdir="\${prefix}/etc"
+ confsuffix="/qemu"
+ slirp="yes"
+ fmod_lib=""
+ fmod_inc=""
+ oss_lib=""
+ bsd="no"
+ linux="no"
+ solaris="no"
+ profiler="no"
+ cocoa="no"
+ softmmu="yes"
+ linux_user="no"
+ darwin_user="no"
+ bsd_user="no"
+ guest_base=""
+ uname_release=""
+ io_thread="no"
+ mixemu="no"
++kvm_cap_pit=""
++kvm_cap_device_assignment=""
+ kerneldir=""
+ aix="no"
+ blobs="yes"
 -pkgversion=""
++pkgversion=" ($(kvm_version))"
++cpu_emulation="yes"
+ check_utests="no"
+ user_pie="no"
+ zero_malloc=""
+ trace_backend="nop"
+ trace_file="trace"
+ spice=""
+ rbd=""
+ 
  # parse CC options first
  for opt do
    optarg=`expr "x$opt" : 'x[^=]*=\(.*\)'`
commit ea2144dd66bf1e72067b032dae1284febc1a4f6a
Merge: f447f8c... b3a29fd...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Jan 21 16:49:59 2011 -0200

    Merge commit 'b3a29fd5604841dac8bfee1bac35f150cab976fb' into upstream-merge
    
    * commit 'b3a29fd5604841dac8bfee1bac35f150cab976fb':
      build, pci: remove QMP dependency on core PCI code
      pcie: add flr support
      pc/piix: fix mismerge of b1aeb92666d2fde413c34578b3b42bbfe5f2a506
      qdev: remove an unused function
      qbus: register reset handler for qbus whose parent is NULL
      qdev: sysbus_get_default must not return a NULL pointer (fix regression)
      pci: don't use bus number in migration, stub out
    
    Conflicts:
    	Makefile.objs
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.objs
index 38f46e5,c3e52c5..0598ea2
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -167,12 -166,10 +167,10 @@@ user-obj-y += cutils.o cache-utils.
  # libhw
  
  hw-obj-y =
 -hw-obj-y += vl.o loader.o
 +hw-obj-y += loader.o
  hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
  hw-obj-y += fw_cfg.o
- # FIXME: Core PCI code and its direct dependencies are required by the
- # QMP query-pci command.
- hw-obj-y += pci_bridge.o
 -hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o
++hw-obj-$(CONFIG_PCI) += pci_bridge.o
  hw-obj-$(CONFIG_PCI) += msix.o msi.o
  hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
  hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
diff --cc Makefile.target
index c904ae3,38582d4..bf79d37
--- a/Makefile.target
+++ b/Makefile.target
@@@ -194,9 -186,10 +195,10 @@@ endif #CONFIG_BSD_USE
  # System emulator target
  ifdef CONFIG_SOFTMMU
  
 -obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o balloon.o
 +obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o
  # virtio has to be here due to weird dependency between PCI and virtio-net.
  # need to fix this properly
+ obj-$(CONFIG_NO_PCI) += pci-stub.o
  obj-$(CONFIG_VIRTIO) += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
  obj-$(CONFIG_VIRTIO_PCI) += virtio-pci.o
  obj-y += vhost_net.o
commit 789f88d0b21fedfd4251d56bb7a9fbfbda7a4ac7
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Jan 21 18:19:40 2011 +0100

    checkpatch: Fix bracing false positives on #else
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
index 55ef439..4fa06c0 100755
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -2536,7 +2536,8 @@ sub process {
 			}
 		}
 		if (!defined $suppress_ifbraces{$linenr - 1} &&
-					$line =~ /\b(if|while|for|else)\b/) {
+					$line =~ /\b(if|while|for|else)\b/ &&
+					$line !~ /\#\s*else/) {
 			my $allowed = 0;
 
 			# Check the pre-context.
commit b947c12c0bb217fe09968e652873e0d22b269d68
Merge: 543c4c9... ace1318...
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 21 17:56:50 2011 +0100

    Merge branch 'usb.4' of git://anongit.freedesktop.org/spice/qemu
    
    * 'usb.4' of git://anongit.freedesktop.org/spice/qemu: (32 commits)
      usb: zap pdev from usbport
      usb: rewrite fw path, fix numbering
      usb: add port property.
      usb: keep track of physical port address.
      usb storage: handle long responses
      usb storage: fix status reporting
      usb storage: high speed support
      usb: add device qualifier support
      usb: add usb_desc_attach
      usb: add attach callback
      usb: add speed mask to ports
      usb: hid: change serial number to "42".
      usb: hid: remote wakeup support.
      usb: hub: remote wakeup support.
      usb: uhci: remote wakeup support.
      usb: add usb_wakeup() + wakeup callback to port ops
      usb: rework attach/detach workflow
      usb: create USBPortOps, move attach there.
      usb: move remote wakeup handling to common code
      usb: move USB_REQ_{GET,SET}_CONFIGURATION handling to common code
      ...

commit 543c4c94cf235d11315157bab25a24f7d9a48711
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 21 17:56:32 2011 +0100

    sm501: fix screen redraw
    
    Due to signed/unsigned comparison, the dirty bits are never reset, and
    the screen redrawn each time. Fix that by only using ram_addr_t types,
    and looking for page_min != addr_max instead.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sm501.c b/hw/sm501.c
index 388fc08..0f0bf96 100644
--- a/hw/sm501.c
+++ b/hw/sm501.c
@@ -1274,8 +1274,8 @@ static void sm501_draw_crt(SM501State * s)
     draw_hwc_line_func * draw_hwc_line = NULL;
     int full_update = 0;
     int y_start = -1;
-    int page_min = 0x7fffffff;
-    int page_max = -1;
+    ram_addr_t page_min = ~0l;
+    ram_addr_t page_max = 0l;
     ram_addr_t offset = s->local_mem_offset;
 
     /* choose draw_line function */
@@ -1371,9 +1371,10 @@ static void sm501_draw_crt(SM501State * s)
 	dpy_update(s->ds, 0, y_start, width, y - y_start);
 
     /* clear dirty flags */
-    if (page_max != -1)
+    if (page_min != ~0l) {
 	cpu_physical_memory_reset_dirty(page_min, page_max + TARGET_PAGE_SIZE,
 					VGA_DIRTY_FLAG);
+    }
 }
 
 static void sm501_update_display(void *opaque)
commit a426e122173f36f05ea2cb72dcff77b7408546ce
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Jan 4 09:32:13 2011 +0100

    kvm: Fix coding style violations
    
    No functional changes.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 935c436..86ddbd6 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -88,10 +88,12 @@ static KVMSlot *kvm_alloc_slot(KVMState *s)
 
     for (i = 0; i < ARRAY_SIZE(s->slots); i++) {
         /* KVM private memory slots */
-        if (i >= 8 && i < 12)
+        if (i >= 8 && i < 12) {
             continue;
-        if (s->slots[i].memory_size == 0)
+        }
+        if (s->slots[i].memory_size == 0) {
             return &s->slots[i];
+        }
     }
 
     fprintf(stderr, "%s: no free slot available\n", __func__);
@@ -226,9 +228,10 @@ int kvm_init_vcpu(CPUState *env)
     }
 
 #ifdef KVM_CAP_COALESCED_MMIO
-    if (s->coalesced_mmio && !s->coalesced_mmio_ring)
-        s->coalesced_mmio_ring = (void *) env->kvm_run +
-		s->coalesced_mmio * PAGE_SIZE;
+    if (s->coalesced_mmio && !s->coalesced_mmio_ring) {
+        s->coalesced_mmio_ring =
+            (void *)env->kvm_run + s->coalesced_mmio * PAGE_SIZE;
+    }
 #endif
 
     ret = kvm_arch_init_vcpu(env);
@@ -275,16 +278,14 @@ static int kvm_dirty_pages_log_change(target_phys_addr_t phys_addr,
 
 int kvm_log_start(target_phys_addr_t phys_addr, ram_addr_t size)
 {
-        return kvm_dirty_pages_log_change(phys_addr, size,
-                                          KVM_MEM_LOG_DIRTY_PAGES,
-                                          KVM_MEM_LOG_DIRTY_PAGES);
+    return kvm_dirty_pages_log_change(phys_addr, size, KVM_MEM_LOG_DIRTY_PAGES,
+                                      KVM_MEM_LOG_DIRTY_PAGES);
 }
 
 int kvm_log_stop(target_phys_addr_t phys_addr, ram_addr_t size)
 {
-        return kvm_dirty_pages_log_change(phys_addr, size,
-                                          0,
-                                          KVM_MEM_LOG_DIRTY_PAGES);
+    return kvm_dirty_pages_log_change(phys_addr, size, 0,
+                                      KVM_MEM_LOG_DIRTY_PAGES);
 }
 
 static int kvm_set_migration_log(int enable)
@@ -356,7 +357,7 @@ static int kvm_get_dirty_pages_log_range(unsigned long start_addr,
  * @end_addr: end of logged region.
  */
 static int kvm_physical_sync_dirty_bitmap(target_phys_addr_t start_addr,
-					  target_phys_addr_t end_addr)
+                                          target_phys_addr_t end_addr)
 {
     KVMState *s = kvm_state;
     unsigned long size, allocated_size = 0;
@@ -480,9 +481,8 @@ static int kvm_check_many_ioeventfds(void)
 #endif
 }
 
-static void kvm_set_phys_mem(target_phys_addr_t start_addr,
-			     ram_addr_t size,
-			     ram_addr_t phys_offset)
+static void kvm_set_phys_mem(target_phys_addr_t start_addr, ram_addr_t size,
+                             ram_addr_t phys_offset)
 {
     KVMState *s = kvm_state;
     ram_addr_t flags = phys_offset & ~TARGET_PAGE_MASK;
@@ -589,13 +589,13 @@ static void kvm_set_phys_mem(target_phys_addr_t start_addr,
     }
 
     /* in case the KVM bug workaround already "consumed" the new slot */
-    if (!size)
+    if (!size) {
         return;
-
+    }
     /* KVM does not need to know about this memory */
-    if (flags >= IO_MEM_UNASSIGNED)
+    if (flags >= IO_MEM_UNASSIGNED) {
         return;
-
+    }
     mem = kvm_alloc_slot(s);
     mem->memory_size = size;
     mem->start_addr = start_addr;
@@ -611,30 +611,29 @@ static void kvm_set_phys_mem(target_phys_addr_t start_addr,
 }
 
 static void kvm_client_set_memory(struct CPUPhysMemoryClient *client,
-				  target_phys_addr_t start_addr,
-				  ram_addr_t size,
-				  ram_addr_t phys_offset)
+                                  target_phys_addr_t start_addr,
+                                  ram_addr_t size, ram_addr_t phys_offset)
 {
-	kvm_set_phys_mem(start_addr, size, phys_offset);
+    kvm_set_phys_mem(start_addr, size, phys_offset);
 }
 
 static int kvm_client_sync_dirty_bitmap(struct CPUPhysMemoryClient *client,
-					target_phys_addr_t start_addr,
-					target_phys_addr_t end_addr)
+                                        target_phys_addr_t start_addr,
+                                        target_phys_addr_t end_addr)
 {
-	return kvm_physical_sync_dirty_bitmap(start_addr, end_addr);
+    return kvm_physical_sync_dirty_bitmap(start_addr, end_addr);
 }
 
 static int kvm_client_migration_log(struct CPUPhysMemoryClient *client,
-				    int enable)
+                                    int enable)
 {
-	return kvm_set_migration_log(enable);
+    return kvm_set_migration_log(enable);
 }
 
 static CPUPhysMemoryClient kvm_cpu_phys_memory_client = {
-	.set_memory = kvm_client_set_memory,
-	.sync_dirty_bitmap = kvm_client_sync_dirty_bitmap,
-	.migration_log = kvm_client_migration_log,
+    .set_memory = kvm_client_set_memory,
+    .sync_dirty_bitmap = kvm_client_sync_dirty_bitmap,
+    .migration_log = kvm_client_migration_log,
 };
 
 int kvm_init(int smp_cpus)
@@ -651,9 +650,9 @@ int kvm_init(int smp_cpus)
 #ifdef KVM_CAP_SET_GUEST_DEBUG
     QTAILQ_INIT(&s->kvm_sw_breakpoints);
 #endif
-    for (i = 0; i < ARRAY_SIZE(s->slots); i++)
+    for (i = 0; i < ARRAY_SIZE(s->slots); i++) {
         s->slots[i].slot = i;
-
+    }
     s->vmfd = -1;
     s->fd = qemu_open("/dev/kvm", O_RDWR);
     if (s->fd == -1) {
@@ -664,8 +663,9 @@ int kvm_init(int smp_cpus)
 
     ret = kvm_ioctl(s, KVM_GET_API_VERSION, 0);
     if (ret < KVM_API_VERSION) {
-        if (ret > 0)
+        if (ret > 0) {
             ret = -EINVAL;
+        }
         fprintf(stderr, "kvm version too old\n");
         goto err;
     }
@@ -750,8 +750,9 @@ int kvm_init(int smp_cpus)
 #endif
 
     ret = kvm_arch_init(s, smp_cpus);
-    if (ret < 0)
+    if (ret < 0) {
         goto err;
+    }
 
     kvm_state = s;
     cpu_register_phys_memory_client(&kvm_cpu_phys_memory_client);
@@ -762,10 +763,12 @@ int kvm_init(int smp_cpus)
 
 err:
     if (s) {
-        if (s->vmfd != -1)
+        if (s->vmfd != -1) {
             close(s->vmfd);
-        if (s->fd != -1)
+        }
+        if (s->fd != -1) {
             close(s->fd);
+        }
     }
     qemu_free(s);
 
@@ -829,8 +832,9 @@ static void kvm_handle_internal_error(CPUState *env, struct kvm_run *run)
     cpu_dump_state(env, stderr, fprintf, 0);
     if (run->internal.suberror == KVM_INTERNAL_ERROR_EMULATION) {
         fprintf(stderr, "emulation failure\n");
-        if (!kvm_arch_stop_on_emulation_error(env))
-		return;
+        if (!kvm_arch_stop_on_emulation_error(env)) {
+            return;
+        }
     }
     /* FIXME: Should trigger a qmp message to let management know
      * something went wrong.
@@ -870,8 +874,9 @@ static void do_kvm_cpu_synchronize_state(void *_env)
 
 void kvm_cpu_synchronize_state(CPUState *env)
 {
-    if (!env->kvm_vcpu_dirty)
+    if (!env->kvm_vcpu_dirty) {
         run_on_cpu(env, do_kvm_cpu_synchronize_state, env);
+    }
 }
 
 void kvm_cpu_synchronize_post_reset(CPUState *env)
@@ -1011,9 +1016,9 @@ int kvm_ioctl(KVMState *s, int type, ...)
     va_end(ap);
 
     ret = ioctl(s->fd, type, arg);
-    if (ret == -1)
+    if (ret == -1) {
         ret = -errno;
-
+    }
     return ret;
 }
 
@@ -1028,9 +1033,9 @@ int kvm_vm_ioctl(KVMState *s, int type, ...)
     va_end(ap);
 
     ret = ioctl(s->vmfd, type, arg);
-    if (ret == -1)
+    if (ret == -1) {
         ret = -errno;
-
+    }
     return ret;
 }
 
@@ -1045,9 +1050,9 @@ int kvm_vcpu_ioctl(CPUState *env, int type, ...)
     va_end(ap);
 
     ret = ioctl(env->kvm_fd, type, arg);
-    if (ret == -1)
+    if (ret == -1) {
         ret = -errno;
-
+    }
     return ret;
 }
 
@@ -1116,8 +1121,9 @@ struct kvm_sw_breakpoint *kvm_find_sw_breakpoint(CPUState *env,
     struct kvm_sw_breakpoint *bp;
 
     QTAILQ_FOREACH(bp, &env->kvm_state->kvm_sw_breakpoints, entry) {
-        if (bp->pc == pc)
+        if (bp->pc == pc) {
             return bp;
+        }
     }
     return NULL;
 }
@@ -1172,8 +1178,9 @@ int kvm_insert_breakpoint(CPUState *current_env, target_ulong addr,
         }
 
         bp = qemu_malloc(sizeof(struct kvm_sw_breakpoint));
-        if (!bp)
+        if (!bp) {
             return -ENOMEM;
+        }
 
         bp->pc = addr;
         bp->use_count = 1;
@@ -1187,14 +1194,16 @@ int kvm_insert_breakpoint(CPUState *current_env, target_ulong addr,
                           bp, entry);
     } else {
         err = kvm_arch_insert_hw_breakpoint(addr, len, type);
-        if (err)
+        if (err) {
             return err;
+        }
     }
 
     for (env = first_cpu; env != NULL; env = env->next_cpu) {
         err = kvm_update_guest_debug(env, 0);
-        if (err)
+        if (err) {
             return err;
+        }
     }
     return 0;
 }
@@ -1208,8 +1217,9 @@ int kvm_remove_breakpoint(CPUState *current_env, target_ulong addr,
 
     if (type == GDB_BREAKPOINT_SW) {
         bp = kvm_find_sw_breakpoint(current_env, addr);
-        if (!bp)
+        if (!bp) {
             return -ENOENT;
+        }
 
         if (bp->use_count > 1) {
             bp->use_count--;
@@ -1217,21 +1227,24 @@ int kvm_remove_breakpoint(CPUState *current_env, target_ulong addr,
         }
 
         err = kvm_arch_remove_sw_breakpoint(current_env, bp);
-        if (err)
+        if (err) {
             return err;
+        }
 
         QTAILQ_REMOVE(&current_env->kvm_state->kvm_sw_breakpoints, bp, entry);
         qemu_free(bp);
     } else {
         err = kvm_arch_remove_hw_breakpoint(addr, len, type);
-        if (err)
+        if (err) {
             return err;
+        }
     }
 
     for (env = first_cpu; env != NULL; env = env->next_cpu) {
         err = kvm_update_guest_debug(env, 0);
-        if (err)
+        if (err) {
             return err;
+        }
     }
     return 0;
 }
@@ -1246,15 +1259,17 @@ void kvm_remove_all_breakpoints(CPUState *current_env)
         if (kvm_arch_remove_sw_breakpoint(current_env, bp) != 0) {
             /* Try harder to find a CPU that currently sees the breakpoint. */
             for (env = first_cpu; env != NULL; env = env->next_cpu) {
-                if (kvm_arch_remove_sw_breakpoint(env, bp) == 0)
+                if (kvm_arch_remove_sw_breakpoint(env, bp) == 0) {
                     break;
+                }
             }
         }
     }
     kvm_arch_remove_all_hw_breakpoints();
 
-    for (env = first_cpu; env != NULL; env = env->next_cpu)
+    for (env = first_cpu; env != NULL; env = env->next_cpu) {
         kvm_update_guest_debug(env, 0);
+    }
 }
 
 #else /* !KVM_CAP_SET_GUEST_DEBUG */
@@ -1286,8 +1301,9 @@ int kvm_set_signal_mask(CPUState *env, const sigset_t *sigset)
     struct kvm_signal_mask *sigmask;
     int r;
 
-    if (!sigset)
+    if (!sigset) {
         return kvm_vcpu_ioctl(env, KVM_SET_SIGNAL_MASK, NULL);
+    }
 
     sigmask = qemu_malloc(sizeof(*sigmask) + sizeof(*sigset));
 
@@ -1342,13 +1358,16 @@ int kvm_set_ioeventfd_pio_word(int fd, uint16_t addr, uint16_t val, bool assign)
         .fd = fd,
     };
     int r;
-    if (!kvm_enabled())
+    if (!kvm_enabled()) {
         return -ENOSYS;
-    if (!assign)
+    }
+    if (!assign) {
         kick.flags |= KVM_IOEVENTFD_FLAG_DEASSIGN;
+    }
     r = kvm_vm_ioctl(kvm_state, KVM_IOEVENTFD, &kick);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
     return 0;
 #else
     return -ENOSYS;
commit b9bec74bcb16519a876ec21cd5277c526a9b512d
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Mon Dec 27 16:19:29 2010 +0100

    kvm: x86: Fix a few coding style violations
    
    No functional changes.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 85edacc..fda07d2 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -150,34 +150,34 @@ uint32_t kvm_arch_get_supported_cpuid(CPUState *env, uint32_t function,
 
 #ifdef CONFIG_KVM_PARA
 struct kvm_para_features {
-        int cap;
-        int feature;
+    int cap;
+    int feature;
 } para_features[] = {
 #ifdef KVM_CAP_CLOCKSOURCE
-        { KVM_CAP_CLOCKSOURCE, KVM_FEATURE_CLOCKSOURCE },
+    { KVM_CAP_CLOCKSOURCE, KVM_FEATURE_CLOCKSOURCE },
 #endif
 #ifdef KVM_CAP_NOP_IO_DELAY
-        { KVM_CAP_NOP_IO_DELAY, KVM_FEATURE_NOP_IO_DELAY },
+    { KVM_CAP_NOP_IO_DELAY, KVM_FEATURE_NOP_IO_DELAY },
 #endif
 #ifdef KVM_CAP_PV_MMU
-        { KVM_CAP_PV_MMU, KVM_FEATURE_MMU_OP },
+    { KVM_CAP_PV_MMU, KVM_FEATURE_MMU_OP },
 #endif
 #ifdef KVM_CAP_ASYNC_PF
-        { KVM_CAP_ASYNC_PF, KVM_FEATURE_ASYNC_PF },
+    { KVM_CAP_ASYNC_PF, KVM_FEATURE_ASYNC_PF },
 #endif
-        { -1, -1 }
+    { -1, -1 }
 };
 
 static int get_para_features(CPUState *env)
 {
-        int i, features = 0;
+    int i, features = 0;
 
-        for (i = 0; i < ARRAY_SIZE(para_features) - 1; i++) {
-                if (kvm_check_extension(env->kvm_state, para_features[i].cap))
-                        features |= (1 << para_features[i].feature);
+    for (i = 0; i < ARRAY_SIZE(para_features) - 1; i++) {
+        if (kvm_check_extension(env->kvm_state, para_features[i].cap)) {
+            features |= (1 << para_features[i].feature);
         }
-
-        return features;
+    }
+    return features;
 }
 #endif
 
@@ -389,13 +389,15 @@ int kvm_arch_init_vcpu(CPUState *env)
                 c->index = j;
                 cpu_x86_cpuid(env, i, j, &c->eax, &c->ebx, &c->ecx, &c->edx);
 
-                if (i == 4 && c->eax == 0)
+                if (i == 4 && c->eax == 0) {
                     break;
-                if (i == 0xb && !(c->ecx & 0xff00))
+                }
+                if (i == 0xb && !(c->ecx & 0xff00)) {
                     break;
-                if (i == 0xd && c->eax == 0)
+                }
+                if (i == 0xd && c->eax == 0) {
                     break;
-
+                }
                 c = &cpuid_data.entries[cpuid_i++];
             }
             break;
@@ -425,17 +427,18 @@ int kvm_arch_init_vcpu(CPUState *env)
         uint64_t mcg_cap;
         int banks;
 
-        if (kvm_get_mce_cap_supported(env->kvm_state, &mcg_cap, &banks))
+        if (kvm_get_mce_cap_supported(env->kvm_state, &mcg_cap, &banks)) {
             perror("kvm_get_mce_cap_supported FAILED");
-        else {
+        } else {
             if (banks > MCE_BANKS_DEF)
                 banks = MCE_BANKS_DEF;
             mcg_cap &= MCE_CAP_DEF;
             mcg_cap |= banks;
-            if (kvm_setup_mce(env, &mcg_cap))
+            if (kvm_setup_mce(env, &mcg_cap)) {
                 perror("kvm_setup_mce FAILED");
-            else
+            } else {
                 env->mcg_cap = mcg_cap;
+            }
         }
     }
 #endif
@@ -577,7 +580,7 @@ int kvm_arch_init(KVMState *s, int smp_cpus)
 
     return kvm_init_identity_map_page(s);
 }
-                    
+
 static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
 {
     lhs->selector = rhs->selector;
@@ -616,23 +619,23 @@ static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
     lhs->selector = rhs->selector;
     lhs->base = rhs->base;
     lhs->limit = rhs->limit;
-    lhs->flags =
-	(rhs->type << DESC_TYPE_SHIFT)
-	| (rhs->present * DESC_P_MASK)
-	| (rhs->dpl << DESC_DPL_SHIFT)
-	| (rhs->db << DESC_B_SHIFT)
-	| (rhs->s * DESC_S_MASK)
-	| (rhs->l << DESC_L_SHIFT)
-	| (rhs->g * DESC_G_MASK)
-	| (rhs->avl * DESC_AVL_MASK);
+    lhs->flags = (rhs->type << DESC_TYPE_SHIFT) |
+                 (rhs->present * DESC_P_MASK) |
+                 (rhs->dpl << DESC_DPL_SHIFT) |
+                 (rhs->db << DESC_B_SHIFT) |
+                 (rhs->s * DESC_S_MASK) |
+                 (rhs->l << DESC_L_SHIFT) |
+                 (rhs->g * DESC_G_MASK) |
+                 (rhs->avl * DESC_AVL_MASK);
 }
 
 static void kvm_getput_reg(__u64 *kvm_reg, target_ulong *qemu_reg, int set)
 {
-    if (set)
+    if (set) {
         *kvm_reg = *qemu_reg;
-    else
+    } else {
         *qemu_reg = *kvm_reg;
+    }
 }
 
 static int kvm_getput_regs(CPUState *env, int set)
@@ -642,8 +645,9 @@ static int kvm_getput_regs(CPUState *env, int set)
 
     if (!set) {
         ret = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
-        if (ret < 0)
+        if (ret < 0) {
             return ret;
+        }
     }
 
     kvm_getput_reg(&regs.rax, &env->regs[R_EAX], set);
@@ -668,8 +672,9 @@ static int kvm_getput_regs(CPUState *env, int set)
     kvm_getput_reg(&regs.rflags, &env->eflags, set);
     kvm_getput_reg(&regs.rip, &env->eip, set);
 
-    if (set)
+    if (set) {
         ret = kvm_vcpu_ioctl(env, KVM_SET_REGS, &regs);
+    }
 
     return ret;
 }
@@ -683,8 +688,9 @@ static int kvm_put_fpu(CPUState *env)
     fpu.fsw = env->fpus & ~(7 << 11);
     fpu.fsw |= (env->fpstt & 7) << 11;
     fpu.fcw = env->fpuc;
-    for (i = 0; i < 8; ++i)
-	fpu.ftwx |= (!env->fptags[i]) << i;
+    for (i = 0; i < 8; ++i) {
+        fpu.ftwx |= (!env->fptags[i]) << i;
+    }
     memcpy(fpu.fpr, env->fpregs, sizeof env->fpregs);
     memcpy(fpu.xmm, env->xmm_regs, sizeof env->xmm_regs);
     fpu.mxcsr = env->mxcsr;
@@ -709,8 +715,9 @@ static int kvm_put_xsave(CPUState *env)
     struct kvm_xsave* xsave;
     uint16_t cwd, swd, twd, fop;
 
-    if (!kvm_has_xsave())
+    if (!kvm_has_xsave()) {
         return kvm_put_fpu(env);
+    }
 
     xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
     memset(xsave, 0, sizeof(struct kvm_xsave));
@@ -718,8 +725,9 @@ static int kvm_put_xsave(CPUState *env)
     swd = env->fpus & ~(7 << 11);
     swd |= (env->fpstt & 7) << 11;
     cwd = env->fpuc;
-    for (i = 0; i < 8; ++i)
+    for (i = 0; i < 8; ++i) {
         twd |= (!env->fptags[i]) << i;
+    }
     xsave->region[0] = (uint32_t)(swd << 16) + cwd;
     xsave->region[1] = (uint32_t)(fop << 16) + twd;
     memcpy(&xsave->region[XSAVE_ST_SPACE], env->fpregs,
@@ -743,8 +751,9 @@ static int kvm_put_xcrs(CPUState *env)
 #ifdef KVM_CAP_XCRS
     struct kvm_xcrs xcrs;
 
-    if (!kvm_has_xcrs())
+    if (!kvm_has_xcrs()) {
         return 0;
+    }
 
     xcrs.nr_xcrs = 1;
     xcrs.flags = 0;
@@ -767,19 +776,19 @@ static int kvm_put_sregs(CPUState *env)
     }
 
     if ((env->eflags & VM_MASK)) {
-	    set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
-	    set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
-	    set_v8086_seg(&sregs.es, &env->segs[R_ES]);
-	    set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
-	    set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
-	    set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
+        set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
+        set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
+        set_v8086_seg(&sregs.es, &env->segs[R_ES]);
+        set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
+        set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
+        set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
     } else {
-	    set_seg(&sregs.cs, &env->segs[R_CS]);
-	    set_seg(&sregs.ds, &env->segs[R_DS]);
-	    set_seg(&sregs.es, &env->segs[R_ES]);
-	    set_seg(&sregs.fs, &env->segs[R_FS]);
-	    set_seg(&sregs.gs, &env->segs[R_GS]);
-	    set_seg(&sregs.ss, &env->segs[R_SS]);
+        set_seg(&sregs.cs, &env->segs[R_CS]);
+        set_seg(&sregs.ds, &env->segs[R_DS]);
+        set_seg(&sregs.es, &env->segs[R_ES]);
+        set_seg(&sregs.fs, &env->segs[R_FS]);
+        set_seg(&sregs.gs, &env->segs[R_GS]);
+        set_seg(&sregs.ss, &env->segs[R_SS]);
     }
 
     set_seg(&sregs.tr, &env->tr);
@@ -822,10 +831,12 @@ static int kvm_put_msrs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS, env->sysenter_cs);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
-    if (kvm_has_msr_star(env))
-	kvm_msr_entry_set(&msrs[n++], MSR_STAR, env->star);
-    if (kvm_has_msr_hsave_pa(env))
+    if (kvm_has_msr_star(env)) {
+        kvm_msr_entry_set(&msrs[n++], MSR_STAR, env->star);
+    }
+    if (kvm_has_msr_hsave_pa(env)) {
         kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
+    }
 #ifdef TARGET_X86_64
     if (lm_capable_kernel) {
         kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
@@ -854,13 +865,15 @@ static int kvm_put_msrs(CPUState *env, int level)
 #ifdef KVM_CAP_MCE
     if (env->mcg_cap) {
         int i;
-        if (level == KVM_PUT_RESET_STATE)
+
+        if (level == KVM_PUT_RESET_STATE) {
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
-        else if (level == KVM_PUT_FULL_STATE) {
+        } else if (level == KVM_PUT_FULL_STATE) {
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
-            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
+            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++) {
                 kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
+            }
         }
     }
 #endif
@@ -878,14 +891,16 @@ static int kvm_get_fpu(CPUState *env)
     int i, ret;
 
     ret = kvm_vcpu_ioctl(env, KVM_GET_FPU, &fpu);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
+    }
 
     env->fpstt = (fpu.fsw >> 11) & 7;
     env->fpus = fpu.fsw;
     env->fpuc = fpu.fcw;
-    for (i = 0; i < 8; ++i)
-	env->fptags[i] = !((fpu.ftwx >> i) & 1);
+    for (i = 0; i < 8; ++i) {
+        env->fptags[i] = !((fpu.ftwx >> i) & 1);
+    }
     memcpy(env->fpregs, fpu.fpr, sizeof env->fpregs);
     memcpy(env->xmm_regs, fpu.xmm, sizeof env->xmm_regs);
     env->mxcsr = fpu.mxcsr;
@@ -900,8 +915,9 @@ static int kvm_get_xsave(CPUState *env)
     int ret, i;
     uint16_t cwd, swd, twd, fop;
 
-    if (!kvm_has_xsave())
+    if (!kvm_has_xsave()) {
         return kvm_get_fpu(env);
+    }
 
     xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
     ret = kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
@@ -917,8 +933,9 @@ static int kvm_get_xsave(CPUState *env)
     env->fpstt = (swd >> 11) & 7;
     env->fpus = swd;
     env->fpuc = cwd;
-    for (i = 0; i < 8; ++i)
+    for (i = 0; i < 8; ++i) {
         env->fptags[i] = !((twd >> i) & 1);
+    }
     env->mxcsr = xsave->region[XSAVE_MXCSR];
     memcpy(env->fpregs, &xsave->region[XSAVE_ST_SPACE],
             sizeof env->fpregs);
@@ -940,19 +957,22 @@ static int kvm_get_xcrs(CPUState *env)
     int i, ret;
     struct kvm_xcrs xcrs;
 
-    if (!kvm_has_xcrs())
+    if (!kvm_has_xcrs()) {
         return 0;
+    }
 
     ret = kvm_vcpu_ioctl(env, KVM_GET_XCRS, &xcrs);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
+    }
 
-    for (i = 0; i < xcrs.nr_xcrs; i++)
+    for (i = 0; i < xcrs.nr_xcrs; i++) {
         /* Only support xcr0 now */
         if (xcrs.xcrs[0].xcr == 0) {
             env->xcr0 = xcrs.xcrs[0].value;
             break;
         }
+    }
     return 0;
 #else
     return 0;
@@ -966,8 +986,9 @@ static int kvm_get_sregs(CPUState *env)
     int bit, i, ret;
 
     ret = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
+    }
 
     /* There can only be one pending IRQ set in the bitmap at a time, so try
        to find it and save its number instead (-1 for none). */
@@ -1005,21 +1026,19 @@ static int kvm_get_sregs(CPUState *env)
     env->efer = sregs.efer;
     //cpu_set_apic_tpr(env->apic_state, sregs.cr8);
 
-#define HFLAG_COPY_MASK ~( \
-			HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK | \
-			HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK | \
-			HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK | \
-			HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
-
-
+#define HFLAG_COPY_MASK \
+    ~( HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK | \
+       HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK | \
+       HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK | \
+       HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
 
     hflags = (env->segs[R_CS].flags >> DESC_DPL_SHIFT) & HF_CPL_MASK;
     hflags |= (env->cr[0] & CR0_PE_MASK) << (HF_PE_SHIFT - CR0_PE_SHIFT);
     hflags |= (env->cr[0] << (HF_MP_SHIFT - CR0_MP_SHIFT)) &
-	    (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
+                (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
     hflags |= (env->eflags & (HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK));
     hflags |= (env->cr[4] & CR4_OSFXSR_MASK) <<
-	    (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
+                (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
 
     if (env->efer & MSR_EFER_LMA) {
         hflags |= HF_LMA_MASK;
@@ -1029,19 +1048,16 @@ static int kvm_get_sregs(CPUState *env)
         hflags |= HF_CS32_MASK | HF_SS32_MASK | HF_CS64_MASK;
     } else {
         hflags |= (env->segs[R_CS].flags & DESC_B_MASK) >>
-		(DESC_B_SHIFT - HF_CS32_SHIFT);
+                    (DESC_B_SHIFT - HF_CS32_SHIFT);
         hflags |= (env->segs[R_SS].flags & DESC_B_MASK) >>
-		(DESC_B_SHIFT - HF_SS32_SHIFT);
-        if (!(env->cr[0] & CR0_PE_MASK) ||
-                   (env->eflags & VM_MASK) ||
-                   !(hflags & HF_CS32_MASK)) {
-                hflags |= HF_ADDSEG_MASK;
-            } else {
-                hflags |= ((env->segs[R_DS].base |
-                                env->segs[R_ES].base |
-                                env->segs[R_SS].base) != 0) <<
-                    HF_ADDSEG_SHIFT;
-            }
+                    (DESC_B_SHIFT - HF_SS32_SHIFT);
+        if (!(env->cr[0] & CR0_PE_MASK) || (env->eflags & VM_MASK) ||
+            !(hflags & HF_CS32_MASK)) {
+            hflags |= HF_ADDSEG_MASK;
+        } else {
+            hflags |= ((env->segs[R_DS].base | env->segs[R_ES].base |
+                        env->segs[R_SS].base) != 0) << HF_ADDSEG_SHIFT;
+        }
     }
     env->hflags = (env->hflags & HFLAG_COPY_MASK) | hflags;
 
@@ -1061,10 +1077,12 @@ static int kvm_get_msrs(CPUState *env)
     msrs[n++].index = MSR_IA32_SYSENTER_CS;
     msrs[n++].index = MSR_IA32_SYSENTER_ESP;
     msrs[n++].index = MSR_IA32_SYSENTER_EIP;
-    if (kvm_has_msr_star(env))
-	msrs[n++].index = MSR_STAR;
-    if (kvm_has_msr_hsave_pa(env))
+    if (kvm_has_msr_star(env)) {
+        msrs[n++].index = MSR_STAR;
+    }
+    if (kvm_has_msr_hsave_pa(env)) {
         msrs[n++].index = MSR_VM_HSAVE_PA;
+    }
     msrs[n++].index = MSR_IA32_TSC;
 #ifdef TARGET_X86_64
     if (lm_capable_kernel) {
@@ -1084,15 +1102,17 @@ static int kvm_get_msrs(CPUState *env)
     if (env->mcg_cap) {
         msrs[n++].index = MSR_MCG_STATUS;
         msrs[n++].index = MSR_MCG_CTL;
-        for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
+        for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++) {
             msrs[n++].index = MSR_MC0_CTL + i;
+        }
     }
 #endif
 
     msr_data.info.nmsrs = n;
     ret = kvm_vcpu_ioctl(env, KVM_GET_MSRS, &msr_data);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
+    }
 
     for (i = 0; i < ret; i++) {
         switch (msrs[i].index) {
@@ -1320,7 +1340,7 @@ static int kvm_get_debugregs(CPUState *env)
 
     ret = kvm_vcpu_ioctl(env, KVM_GET_DEBUGREGS, &dbgregs);
     if (ret < 0) {
-       return ret;
+        return ret;
     }
     for (i = 0; i < 4; i++) {
         env->dr[i] = dbgregs.db[i];
@@ -1339,44 +1359,44 @@ int kvm_arch_put_registers(CPUState *env, int level)
     assert(cpu_is_stopped(env) || qemu_cpu_self(env));
 
     ret = kvm_getput_regs(env, 1);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_put_xsave(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_put_xcrs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_put_sregs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_put_msrs(env, level);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     if (level >= KVM_PUT_RESET_STATE) {
         ret = kvm_put_mp_state(env);
-        if (ret < 0)
+        if (ret < 0) {
             return ret;
+        }
     }
-
     ret = kvm_put_vcpu_events(env, level);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     /* must be last */
     ret = kvm_guest_debug_workarounds(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_put_debugregs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     return 0;
 }
 
@@ -1387,37 +1407,37 @@ int kvm_arch_get_registers(CPUState *env)
     assert(cpu_is_stopped(env) || qemu_cpu_self(env));
 
     ret = kvm_getput_regs(env, 0);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_xsave(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_xcrs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_sregs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_msrs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_mp_state(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_vcpu_events(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     ret = kvm_get_debugregs(env);
-    if (ret < 0)
+    if (ret < 0) {
         return ret;
-
+    }
     return 0;
 }
 
@@ -1451,10 +1471,11 @@ int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
      * interrupt, request an interrupt window exit.  This will
      * cause a return to userspace as soon as the guest is ready to
      * receive interrupts. */
-    if ((env->interrupt_request & CPU_INTERRUPT_HARD))
+    if ((env->interrupt_request & CPU_INTERRUPT_HARD)) {
         run->request_interrupt_window = 1;
-    else
+    } else {
         run->request_interrupt_window = 0;
+    }
 
     DPRINTF("setting tpr\n");
     run->cr8 = cpu_get_apic_tpr(env->apic_state);
@@ -1464,11 +1485,11 @@ int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 
 int kvm_arch_post_run(CPUState *env, struct kvm_run *run)
 {
-    if (run->if_flag)
+    if (run->if_flag) {
         env->eflags |= IF_MASK;
-    else
+    } else {
         env->eflags &= ~IF_MASK;
-    
+    }
     cpu_set_apic_tpr(env->apic_state, run->cr8);
     cpu_set_apic_base(env->apic_state, run->apic_base);
 
@@ -1524,8 +1545,9 @@ int kvm_arch_insert_sw_breakpoint(CPUState *env, struct kvm_sw_breakpoint *bp)
     static const uint8_t int3 = 0xcc;
 
     if (cpu_memory_rw_debug(env, bp->pc, (uint8_t *)&bp->saved_insn, 1, 0) ||
-        cpu_memory_rw_debug(env, bp->pc, (uint8_t *)&int3, 1, 1))
+        cpu_memory_rw_debug(env, bp->pc, (uint8_t *)&int3, 1, 1)) {
         return -EINVAL;
+    }
     return 0;
 }
 
@@ -1534,8 +1556,9 @@ int kvm_arch_remove_sw_breakpoint(CPUState *env, struct kvm_sw_breakpoint *bp)
     uint8_t int3;
 
     if (cpu_memory_rw_debug(env, bp->pc, &int3, 1, 0) || int3 != 0xcc ||
-        cpu_memory_rw_debug(env, bp->pc, (uint8_t *)&bp->saved_insn, 1, 1))
+        cpu_memory_rw_debug(env, bp->pc, (uint8_t *)&bp->saved_insn, 1, 1)) {
         return -EINVAL;
+    }
     return 0;
 }
 
@@ -1551,10 +1574,12 @@ static int find_hw_breakpoint(target_ulong addr, int len, int type)
 {
     int n;
 
-    for (n = 0; n < nb_hw_breakpoint; n++)
+    for (n = 0; n < nb_hw_breakpoint; n++) {
         if (hw_breakpoint[n].addr == addr && hw_breakpoint[n].type == type &&
-            (hw_breakpoint[n].len == len || len == -1))
+            (hw_breakpoint[n].len == len || len == -1)) {
             return n;
+        }
+    }
     return -1;
 }
 
@@ -1573,8 +1598,9 @@ int kvm_arch_insert_hw_breakpoint(target_ulong addr,
         case 2:
         case 4:
         case 8:
-            if (addr & (len - 1))
+            if (addr & (len - 1)) {
                 return -EINVAL;
+            }
             break;
         default:
             return -EINVAL;
@@ -1584,12 +1610,12 @@ int kvm_arch_insert_hw_breakpoint(target_ulong addr,
         return -ENOSYS;
     }
 
-    if (nb_hw_breakpoint == 4)
+    if (nb_hw_breakpoint == 4) {
         return -ENOBUFS;
-
-    if (find_hw_breakpoint(addr, len, type) >= 0)
+    }
+    if (find_hw_breakpoint(addr, len, type) >= 0) {
         return -EEXIST;
-
+    }
     hw_breakpoint[nb_hw_breakpoint].addr = addr;
     hw_breakpoint[nb_hw_breakpoint].len = len;
     hw_breakpoint[nb_hw_breakpoint].type = type;
@@ -1604,9 +1630,9 @@ int kvm_arch_remove_hw_breakpoint(target_ulong addr,
     int n;
 
     n = find_hw_breakpoint(addr, (type == GDB_BREAKPOINT_HW) ? 1 : len, type);
-    if (n < 0)
+    if (n < 0) {
         return -ENOENT;
-
+    }
     nb_hw_breakpoint--;
     hw_breakpoint[n] = hw_breakpoint[nb_hw_breakpoint];
 
@@ -1627,11 +1653,12 @@ int kvm_arch_debug(struct kvm_debug_exit_arch *arch_info)
 
     if (arch_info->exception == 1) {
         if (arch_info->dr6 & (1 << 14)) {
-            if (cpu_single_env->singlestep_enabled)
+            if (cpu_single_env->singlestep_enabled) {
                 handle = 1;
+            }
         } else {
-            for (n = 0; n < 4; n++)
-                if (arch_info->dr6 & (1 << n))
+            for (n = 0; n < 4; n++) {
+                if (arch_info->dr6 & (1 << n)) {
                     switch ((arch_info->dr7 >> (16 + n*4)) & 0x3) {
                     case 0x0:
                         handle = 1;
@@ -1649,10 +1676,12 @@ int kvm_arch_debug(struct kvm_debug_exit_arch *arch_info)
                         hw_watchpoint.flags = BP_MEM_ACCESS;
                         break;
                     }
+                }
+            }
         }
-    } else if (kvm_find_sw_breakpoint(cpu_single_env, arch_info->pc))
+    } else if (kvm_find_sw_breakpoint(cpu_single_env, arch_info->pc)) {
         handle = 1;
-
+    }
     if (!handle) {
         cpu_synchronize_state(cpu_single_env);
         assert(cpu_single_env->exception_injected == -1);
@@ -1676,9 +1705,9 @@ void kvm_arch_update_guest_debug(CPUState *env, struct kvm_guest_debug *dbg)
     };
     int n;
 
-    if (kvm_sw_breakpoints_active(env))
+    if (kvm_sw_breakpoints_active(env)) {
         dbg->control |= KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP;
-
+    }
     if (nb_hw_breakpoint > 0) {
         dbg->control |= KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_HW_BP;
         dbg->arch.debugreg[7] = 0x0600;
@@ -1696,8 +1725,8 @@ void kvm_arch_update_guest_debug(CPUState *env, struct kvm_guest_debug *dbg)
 
 bool kvm_arch_stop_on_emulation_error(CPUState *env)
 {
-      return !(env->cr[0] & CR0_PE_MASK) ||
-              ((env->segs[R_CS].selector  & 3) != 3);
+    return !(env->cr[0] & CR0_PE_MASK) ||
+           ((env->segs[R_CS].selector  & 3) != 3);
 }
 
 static void hardware_memory_error(void)
commit 7cc2cc3e2608b182f1e0fc7ecae6e3b1fa4f46e0
Author: Jin Dongming <jin.dongming at np.css.fujitsu.com>
Date:   Wed Dec 22 12:24:51 2010 +0900

    kvm: introduce kvm_inject_x86_mce_on
    
    Pass a table instead of multiple args.
    
    Note:
    
        kvm_inject_x86_mce(env, bank, status, mcg_status, addr, misc,
                           abort_on_error);
    
    is equal to:
    
        struct kvm_x86_mce mce = {
            .bank = bank,
            .status = status,
            .mcg_status = mcg_status,
            .addr = addr,
            .misc = misc,
        };
        kvm_inject_x86_mce_on(env, &mce, abort_on_error);
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Jin Dongming <jin.dongming at np.css.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index ce01e18..9a4bf98 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -263,6 +263,23 @@ static void kvm_do_inject_x86_mce(void *_data)
     }
 }
 
+static void kvm_inject_x86_mce_on(CPUState *env, struct kvm_x86_mce *mce,
+                                  int flag)
+{
+    struct kvm_x86_mce_data data = {
+        .env = env,
+        .mce = mce,
+        .abort_on_error = (flag & ABORT_ON_ERROR),
+    };
+
+    if (!env->mcg_cap) {
+        fprintf(stderr, "MCE support is not enabled!\n");
+        return;
+    }
+
+    run_on_cpu(env, kvm_do_inject_x86_mce, &data);
+}
+
 static void kvm_mce_broadcast_rest(CPUState *env);
 #endif
 
@@ -278,21 +295,12 @@ void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
         .addr = addr,
         .misc = misc,
     };
-    struct kvm_x86_mce_data data = {
-            .env = cenv,
-            .mce = &mce,
-    };
-
-    if (!cenv->mcg_cap) {
-        fprintf(stderr, "MCE support is not enabled!\n");
-        return;
-    }
 
     if (flag & MCE_BROADCAST) {
         kvm_mce_broadcast_rest(cenv);
     }
 
-    run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
+    kvm_inject_x86_mce_on(cenv, &mce, flag);
 #else
     if (flag & ABORT_ON_ERROR) {
         abort();
@@ -1708,6 +1716,13 @@ static void hardware_memory_error(void)
 #ifdef KVM_CAP_MCE
 static void kvm_mce_broadcast_rest(CPUState *env)
 {
+    struct kvm_x86_mce mce = {
+        .bank = 1,
+        .status = MCI_STATUS_VAL | MCI_STATUS_UC,
+        .mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV,
+        .addr = 0,
+        .misc = 0,
+    };
     CPUState *cenv;
 
     /* Broadcast MCA signal for processor version 06H_EH and above */
@@ -1716,9 +1731,7 @@ static void kvm_mce_broadcast_rest(CPUState *env)
             if (cenv == env) {
                 continue;
             }
-            kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
-                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0,
-                               ABORT_ON_ERROR);
+            kvm_inject_x86_mce_on(cenv, &mce, ABORT_ON_ERROR);
         }
     }
 }
@@ -1767,15 +1780,17 @@ static void kvm_mce_inj_srao_memscrub(CPUState *env, target_phys_addr_t paddr)
 
 static void kvm_mce_inj_srao_memscrub2(CPUState *env, target_phys_addr_t paddr)
 {
-    uint64_t status;
-
-    status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-            | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-            | 0xc0;
-    kvm_inject_x86_mce(env, 9, status,
-                       MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
-                       (MCM_ADDR_PHYS << 6) | 0xc, ABORT_ON_ERROR);
+    struct kvm_x86_mce mce = {
+        .bank = 9,
+        .status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                  | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                  | 0xc0,
+        .mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV,
+        .addr = paddr,
+        .misc = (MCM_ADDR_PHYS << 6) | 0xc,
+    };
 
+    kvm_inject_x86_mce_on(env, &mce, ABORT_ON_ERROR);
     kvm_mce_broadcast_rest(env);
 }
 
commit 31ce5e0c49821d92fb30cce2f3055ef33613b287
Author: Jin Dongming <jin.dongming at np.css.fujitsu.com>
Date:   Fri Dec 10 17:21:02 2010 +0900

    Add "broadcast" option for mce command
    
    When the following test case is injected with mce command, maybe user could not
    get the expected result.
        DATA
                   command cpu bank status             mcg_status  addr   misc
            (qemu) mce     1   1    0xbd00000000000000 0x05        0x1234 0x8c
    
        Expected Result
               panic type: "Fatal Machine check"
    
    That is because each mce command can only inject the given cpu and could not
    inject mce interrupt to other cpus. So user will get the following result:
        panic type: "Fatal machine check on current CPU"
    
    "broadcast" option is used for injecting dummy data into other cpus. Injecting
    mce with this option the expected result could be gotten.
    
    Usage:
        Broadcast[on]
               command broadcast cpu bank status             mcg_status  addr   misc
        (qemu) mce     -b        1   1    0xbd00000000000000 0x05        0x1234 0x8c
    
        Broadcast[off]
               command cpu bank status             mcg_status  addr   misc
        (qemu) mce     1   1    0xbd00000000000000 0x05        0x1234 0x8c
    
    Signed-off-by: Jin Dongming <jin.dongming at np.css.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/cpu-all.h b/cpu-all.h
index 30ae17d..4ce4e83 100644
--- a/cpu-all.h
+++ b/cpu-all.h
@@ -964,6 +964,7 @@ int cpu_memory_rw_debug(CPUState *env, target_ulong addr,
                         uint8_t *buf, int len, int is_write);
 
 void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
-                        uint64_t mcg_status, uint64_t addr, uint64_t misc);
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc,
+                        int broadcast);
 
 #endif /* CPU_ALL_H */
diff --git a/hmp-commands.hx b/hmp-commands.hx
index 1cea572..d65a41f 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1116,9 +1116,9 @@ ETEXI
 
     {
         .name       = "mce",
-        .args_type  = "cpu_index:i,bank:i,status:l,mcg_status:l,addr:l,misc:l",
-        .params     = "cpu bank status mcgstatus addr misc",
-        .help       = "inject a MCE on the given CPU",
+        .args_type  = "broadcast:-b,cpu_index:i,bank:i,status:l,mcg_status:l,addr:l,misc:l",
+        .params     = "[-b] cpu bank status mcgstatus addr misc",
+        .help       = "inject a MCE on the given CPU [and broadcast to other CPUs with -b option]",
         .mhandler.cmd = do_inject_mce,
     },
 
diff --git a/monitor.c b/monitor.c
index d291158..396d5cd 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2671,12 +2671,15 @@ static void do_inject_mce(Monitor *mon, const QDict *qdict)
     uint64_t mcg_status = qdict_get_int(qdict, "mcg_status");
     uint64_t addr = qdict_get_int(qdict, "addr");
     uint64_t misc = qdict_get_int(qdict, "misc");
+    int broadcast = qdict_get_try_bool(qdict, "broadcast", 0);
 
-    for (cenv = first_cpu; cenv != NULL; cenv = cenv->next_cpu)
+    for (cenv = first_cpu; cenv != NULL; cenv = cenv->next_cpu) {
         if (cenv->cpu_index == cpu_index && cenv->mcg_cap) {
-            cpu_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc);
+            cpu_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc,
+                               broadcast);
             break;
         }
+    }
 }
 #endif
 
diff --git a/target-i386/helper.c b/target-i386/helper.c
index 2c94130..2cfb4a4 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -1069,18 +1069,34 @@ static void qemu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
 }
 
 void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
-                        uint64_t mcg_status, uint64_t addr, uint64_t misc)
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc,
+                        int broadcast)
 {
     unsigned bank_num = cenv->mcg_cap & 0xff;
+    CPUState *env;
+    int flag = 0;
 
     if (bank >= bank_num || !(status & MCI_STATUS_VAL)) {
         return;
     }
 
     if (kvm_enabled()) {
-        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc, 0);
+        if (broadcast) {
+            flag |= MCE_BROADCAST;
+        }
+
+        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc, flag);
     } else {
         qemu_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc);
+        if (broadcast) {
+            for (env = first_cpu; env != NULL; env = env->next_cpu) {
+                if (cenv == env) {
+                    continue;
+                }
+
+                qemu_inject_x86_mce(env, 1, 0xa000000000000000, 0, 0, 0);
+            }
+        }
     }
 }
 #endif /* !CONFIG_USER_ONLY */
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 4004de7..8b868ad 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -264,11 +264,13 @@ static void kvm_do_inject_x86_mce(void *_data)
         }
     }
 }
+
+static void kvm_mce_broadcast_rest(CPUState *env);
 #endif
 
 void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
                         uint64_t mcg_status, uint64_t addr, uint64_t misc,
-                        int abort_on_error)
+                        int flag)
 {
 #ifdef KVM_CAP_MCE
     struct kvm_x86_mce mce = {
@@ -288,10 +290,15 @@ void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
         return;
     }
 
+    if (flag & MCE_BROADCAST) {
+        kvm_mce_broadcast_rest(cenv);
+    }
+
     run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
 #else
-    if (abort_on_error)
+    if (flag & ABORT_ON_ERROR) {
         abort();
+    }
 #endif
 }
 
@@ -1716,7 +1723,8 @@ static void kvm_mce_broadcast_rest(CPUState *env)
                 continue;
             }
             kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
-                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
+                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0,
+                               ABORT_ON_ERROR);
         }
     }
 }
@@ -1816,7 +1824,7 @@ int kvm_on_sigbus(int code, void *addr)
             | 0xc0;
         kvm_inject_x86_mce(first_cpu, 9, status,
                            MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
-                           (MCM_ADDR_PHYS << 6) | 0xc, 1);
+                           (MCM_ADDR_PHYS << 6) | 0xc, ABORT_ON_ERROR);
         kvm_mce_broadcast_rest(first_cpu);
     } else
 #endif
diff --git a/target-i386/kvm_x86.h b/target-i386/kvm_x86.h
index 04932cf..9d7b584 100644
--- a/target-i386/kvm_x86.h
+++ b/target-i386/kvm_x86.h
@@ -15,8 +15,11 @@
 #ifndef __KVM_X86_H__
 #define __KVM_X86_H__
 
+#define ABORT_ON_ERROR  0x01
+#define MCE_BROADCAST   0x02
+
 void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
                         uint64_t mcg_status, uint64_t addr, uint64_t misc,
-                        int abort_on_error);
+                        int flag);
 
 #endif
commit 95c077c91900c1420cd4f0be996ffeea6fb6cec8
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Mon Dec 27 15:58:23 2010 +0100

    kvm: x86: Prevent sign extension of DR7 in guest debugging mode
    
    This unbreaks guest debugging when the 4th hardware breakpoint used for
    guest debugging is a watchpoint of 4 or 8 byte lenght. The 31st bit of
    DR7 is set in that case and used to cause a sign extension to the high
    word which was breaking the guest state (vm entry failure).
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 7e5982b..85edacc 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1686,7 +1686,7 @@ void kvm_arch_update_guest_debug(CPUState *env, struct kvm_guest_debug *dbg)
             dbg->arch.debugreg[n] = hw_breakpoint[n].addr;
             dbg->arch.debugreg[7] |= (2 << (n * 2)) |
                 (type_code[hw_breakpoint[n].type] << (16 + n*4)) |
-                (len_code[hw_breakpoint[n].len] << (18 + n*4));
+                ((uint32_t)len_code[hw_breakpoint[n].len] << (18 + n*4));
         }
     }
     /* Legal xcr0 for loading */
commit e387c33892be35ca70255739a2fe118f76c95ac3
Author: Jin Dongming <jin.dongming at np.css.fujitsu.com>
Date:   Wed Dec 22 12:24:38 2010 +0900

    kvm: kvm_mce_inj_* subroutines for templated error injections
    
    Refactor codes for maintainability.
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Jin Dongming <jin.dongming at np.css.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 5a699fc..ce01e18 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1722,44 +1722,75 @@ static void kvm_mce_broadcast_rest(CPUState *env)
         }
     }
 }
+
+static void kvm_mce_inj_srar_dataload(CPUState *env, target_phys_addr_t paddr)
+{
+    struct kvm_x86_mce mce = {
+        .bank = 9,
+        .status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                  | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                  | MCI_STATUS_AR | 0x134,
+        .mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV,
+        .addr = paddr,
+        .misc = (MCM_ADDR_PHYS << 6) | 0xc,
+    };
+    int r;
+
+    r = kvm_set_mce(env, &mce);
+    if (r < 0) {
+        fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
+        abort();
+    }
+    kvm_mce_broadcast_rest(env);
+}
+
+static void kvm_mce_inj_srao_memscrub(CPUState *env, target_phys_addr_t paddr)
+{
+    struct kvm_x86_mce mce = {
+        .bank = 9,
+        .status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                  | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                  | 0xc0,
+        .mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV,
+        .addr = paddr,
+        .misc = (MCM_ADDR_PHYS << 6) | 0xc,
+    };
+    int r;
+
+    r = kvm_set_mce(env, &mce);
+    if (r < 0) {
+        fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
+        abort();
+    }
+    kvm_mce_broadcast_rest(env);
+}
+
+static void kvm_mce_inj_srao_memscrub2(CPUState *env, target_phys_addr_t paddr)
+{
+    uint64_t status;
+
+    status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+            | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+            | 0xc0;
+    kvm_inject_x86_mce(env, 9, status,
+                       MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
+                       (MCM_ADDR_PHYS << 6) | 0xc, ABORT_ON_ERROR);
+
+    kvm_mce_broadcast_rest(env);
+}
+
 #endif
 
 int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
 {
 #if defined(KVM_CAP_MCE)
-    struct kvm_x86_mce mce = {
-            .bank = 9,
-    };
     void *vaddr;
     ram_addr_t ram_addr;
     target_phys_addr_t paddr;
-    int r;
 
     if ((env->mcg_cap & MCG_SER_P) && addr
         && (code == BUS_MCEERR_AR
             || code == BUS_MCEERR_AO)) {
-        if (code == BUS_MCEERR_AR) {
-            /* Fake an Intel architectural Data Load SRAR UCR */
-            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-                | MCI_STATUS_AR | 0x134;
-            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
-            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV;
-        } else {
-            /*
-             * If there is an MCE excpetion being processed, ignore
-             * this SRAO MCE
-             */
-            if (kvm_mce_in_progress(env)) {
-                return 0;
-            }
-            /* Fake an Intel architectural Memory scrubbing UCR */
-            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-                | 0xc0;
-            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
-            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
-        }
         vaddr = (void *)addr;
         if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
             !kvm_physical_memory_addr_from_ram(env->kvm_state, ram_addr, &paddr)) {
@@ -1772,13 +1803,20 @@ int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
                 hardware_memory_error();
             }
         }
-        mce.addr = paddr;
-        r = kvm_set_mce(env, &mce);
-        if (r < 0) {
-            fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
-            abort();
+
+        if (code == BUS_MCEERR_AR) {
+            /* Fake an Intel architectural Data Load SRAR UCR */
+            kvm_mce_inj_srar_dataload(env, paddr);
+        } else {
+            /*
+             * If there is an MCE excpetion being processed, ignore
+             * this SRAO MCE
+             */
+            if (!kvm_mce_in_progress(env)) {
+                /* Fake an Intel architectural Memory scrubbing UCR */
+                kvm_mce_inj_srao_memscrub(env, paddr);
+            }
         }
-        kvm_mce_broadcast_rest(env);
     } else
 #endif
     {
@@ -1797,7 +1835,6 @@ int kvm_on_sigbus(int code, void *addr)
 {
 #if defined(KVM_CAP_MCE)
     if ((first_cpu->mcg_cap & MCG_SER_P) && addr && code == BUS_MCEERR_AO) {
-        uint64_t status;
         void *vaddr;
         ram_addr_t ram_addr;
         target_phys_addr_t paddr;
@@ -1810,13 +1847,7 @@ int kvm_on_sigbus(int code, void *addr)
                     "QEMU itself instead of guest system!: %p\n", addr);
             return 0;
         }
-        status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-            | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-            | 0xc0;
-        kvm_inject_x86_mce(first_cpu, 9, status,
-                           MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
-                           (MCM_ADDR_PHYS << 6) | 0xc, ABORT_ON_ERROR);
-        kvm_mce_broadcast_rest(first_cpu);
+        kvm_mce_inj_srao_memscrub2(first_cpu, paddr);
     } else
 #endif
     {
commit b3cd24e04a2aea342429c09ed93468dd3206fede
Author: Jin Dongming <jin.dongming at np.css.fujitsu.com>
Date:   Fri Dec 10 17:20:44 2010 +0900

    Clean up cpu_inject_x86_mce()
    
    Clean up cpu_inject_x86_mce() for later patch.
    
    Signed-off-by: Jin Dongming <jin.dongming at np.css.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/helper.c b/target-i386/helper.c
index 25a3e36..2c94130 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -1021,21 +1021,12 @@ static void breakpoint_handler(CPUState *env)
 /* This should come from sysemu.h - if we could include it here... */
 void qemu_system_reset_request(void);
 
-void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
+static void qemu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
                         uint64_t mcg_status, uint64_t addr, uint64_t misc)
 {
     uint64_t mcg_cap = cenv->mcg_cap;
-    unsigned bank_num = mcg_cap & 0xff;
     uint64_t *banks = cenv->mce_banks;
 
-    if (bank >= bank_num || !(status & MCI_STATUS_VAL))
-        return;
-
-    if (kvm_enabled()) {
-        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc, 0);
-        return;
-    }
-
     /*
      * if MSR_MCG_CTL is not all 1s, the uncorrected error
      * reporting is disabled
@@ -1076,6 +1067,22 @@ void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
     } else
         banks[1] |= MCI_STATUS_OVER;
 }
+
+void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc)
+{
+    unsigned bank_num = cenv->mcg_cap & 0xff;
+
+    if (bank >= bank_num || !(status & MCI_STATUS_VAL)) {
+        return;
+    }
+
+    if (kvm_enabled()) {
+        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc, 0);
+    } else {
+        qemu_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc);
+    }
+}
 #endif /* !CONFIG_USER_ONLY */
 
 static void mce_init(CPUX86State *cenv)
commit 3980e3024b2d1677a9910de5e35d22d5d8392522
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Mon Dec 27 15:57:35 2010 +0100

    kvm: x86: Remove obsolete SS.RPL/DPL aligment
    
    This seems to date back to the days KVM didn't support real mode. The
    check is no longer needed and, even worse, is corrupting the guest state
    in case SS.RPL != DPL.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index ee7bdf8..7e5982b 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -780,13 +780,6 @@ static int kvm_put_sregs(CPUState *env)
 	    set_seg(&sregs.fs, &env->segs[R_FS]);
 	    set_seg(&sregs.gs, &env->segs[R_GS]);
 	    set_seg(&sregs.ss, &env->segs[R_SS]);
-
-	    if (env->cr[0] & CR0_PE_MASK) {
-		/* force ss cpl to cs cpl */
-		sregs.ss.selector = (sregs.ss.selector & ~3) |
-			(sregs.cs.selector & 3);
-		sregs.ss.dpl = sregs.ss.selector & 3;
-	    }
     }
 
     set_seg(&sregs.tr, &env->tr);
commit 6643e2f001f207bdb85646a4c48d1e13244d87c3
Author: Jin Dongming <jin.dongming at np.css.fujitsu.com>
Date:   Wed Dec 22 12:24:22 2010 +0900

    kvm: introduce kvm_mce_in_progress
    
    Share same error handing, and rename this function after
    MCIP (Machine Check In Progress) flag.
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Jin Dongming <jin.dongming at np.css.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 2115a58..5a699fc 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -219,7 +219,7 @@ static int kvm_get_msr(CPUState *env, struct kvm_msr_entry *msrs, int n)
 }
 
 /* FIXME: kill this and kvm_get_msr, use env->mcg_status instead */
-static int kvm_mce_in_exception(CPUState *env)
+static int kvm_mce_in_progress(CPUState *env)
 {
     struct kvm_msr_entry msr_mcg_status = {
         .index = MSR_MCG_STATUS,
@@ -228,7 +228,8 @@ static int kvm_mce_in_exception(CPUState *env)
 
     r = kvm_get_msr(env, &msr_mcg_status, 1);
     if (r == -1 || r == 0) {
-        return -1;
+        fprintf(stderr, "Failed to get MCE status\n");
+        return 0;
     }
     return !!(msr_mcg_status.data & MCG_STATUS_MCIP);
 }
@@ -248,10 +249,7 @@ static void kvm_do_inject_x86_mce(void *_data)
     /* If there is an MCE exception being processed, ignore this SRAO MCE */
     if ((data->env->mcg_cap & MCG_SER_P) &&
         !(data->mce->status & MCI_STATUS_AR)) {
-        r = kvm_mce_in_exception(data->env);
-        if (r == -1) {
-            fprintf(stderr, "Failed to get MCE status\n");
-        } else if (r) {
+        if (kvm_mce_in_progress(data->env)) {
             return;
         }
     }
@@ -1752,10 +1750,7 @@ int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
              * If there is an MCE excpetion being processed, ignore
              * this SRAO MCE
              */
-            r = kvm_mce_in_exception(env);
-            if (r == -1) {
-                fprintf(stderr, "Failed to get MCE status\n");
-            } else if (r) {
+            if (kvm_mce_in_progress(env)) {
                 return 0;
             }
             /* Fake an Intel architectural Memory scrubbing UCR */
commit acaa75507b34f7b588924a09c76c6848d209e08c
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Mon Dec 27 15:56:44 2010 +0100

    kvm: x86: Fix DPL write back of segment registers
    
    The DPL is stored in the flags and not in the selector. In fact, the RPL
    may differ from the DPL at some point in time, and so we were corrupting
    the guest state so far.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 9a4bf98..ee7bdf8 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -602,7 +602,7 @@ static void set_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
     lhs->limit = rhs->limit;
     lhs->type = (flags >> DESC_TYPE_SHIFT) & 15;
     lhs->present = (flags & DESC_P_MASK) != 0;
-    lhs->dpl = rhs->selector & 3;
+    lhs->dpl = (flags >> DESC_DPL_SHIFT) & 3;
     lhs->db = (flags >> DESC_B_SHIFT) & 1;
     lhs->s = (flags & DESC_S_MASK) != 0;
     lhs->l = (flags >> DESC_L_SHIFT) & 1;
commit 2bd3e04c3b3c76d573435a299a4d85bad0021a90
Author: Jin Dongming <jin.dongming at np.css.fujitsu.com>
Date:   Fri Dec 10 17:21:14 2010 +0900

    Add function for checking mca broadcast of CPU
    
    Add function for checking whether current CPU support mca broadcast.
    
    Signed-off-by: Jin Dongming <jin.dongming at np.css.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index f0c07cd..dddcd74 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -760,6 +760,7 @@ int cpu_x86_exec(CPUX86State *s);
 void cpu_x86_close(CPUX86State *s);
 void x86_cpu_list (FILE *f, fprintf_function cpu_fprintf, const char *optarg);
 void x86_cpudef_setup(void);
+int cpu_x86_support_mca_broadcast(CPUState *env);
 
 int cpu_get_pic_interrupt(CPUX86State *s);
 /* MSDOS compatibility mode FPU exception support */
diff --git a/target-i386/helper.c b/target-i386/helper.c
index 2cfb4a4..6dfa27d 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -110,6 +110,32 @@ void cpu_x86_close(CPUX86State *env)
     qemu_free(env);
 }
 
+static void cpu_x86_version(CPUState *env, int *family, int *model)
+{
+    int cpuver = env->cpuid_version;
+
+    if (family == NULL || model == NULL) {
+        return;
+    }
+
+    *family = (cpuver >> 8) & 0x0f;
+    *model = ((cpuver >> 12) & 0xf0) + ((cpuver >> 4) & 0x0f);
+}
+
+/* Broadcast MCA signal for processor version 06H_EH and above */
+int cpu_x86_support_mca_broadcast(CPUState *env)
+{
+    int family = 0;
+    int model = 0;
+
+    cpu_x86_version(env, &family, &model);
+    if ((family == 6 && model >= 14) || family > 6) {
+        return 1;
+    }
+
+    return 0;
+}
+
 /***********************************************************/
 /* x86 debug */
 
@@ -1080,6 +1106,13 @@ void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
         return;
     }
 
+    if (broadcast) {
+        if (!cpu_x86_support_mca_broadcast(cenv)) {
+            fprintf(stderr, "Current CPU does not support broadcast\n");
+            return;
+        }
+    }
+
     if (kvm_enabled()) {
         if (broadcast) {
             flag |= MCE_BROADCAST;
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 8b868ad..2115a58 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1711,13 +1711,9 @@ static void hardware_memory_error(void)
 static void kvm_mce_broadcast_rest(CPUState *env)
 {
     CPUState *cenv;
-    int family, model, cpuver = env->cpuid_version;
-
-    family = (cpuver >> 8) & 0xf;
-    model = ((cpuver >> 12) & 0xf0) + ((cpuver >> 4) & 0xf);
 
     /* Broadcast MCA signal for processor version 06H_EH and above */
-    if ((family == 6 && model >= 14) || family > 6) {
+    if (cpu_x86_support_mca_broadcast(env)) {
         for (cenv = first_cpu; cenv != NULL; cenv = cenv->next_cpu) {
             if (cenv == env) {
                 continue;
commit 14a095184c6068c78e67f17c200cf00b4170f704
Author: Lai Jiangshan <laijs at cn.fujitsu.com>
Date:   Fri Dec 10 15:52:36 2010 +0800

    kvm: convert kvm_ioctl(KVM_CHECK_EXTENSION) to kvm_check_extension()
    
    simple cleanup and use existing helper: kvm_check_extension().
    
    Signed-off-by: Lai Jiangshan <laijs at cn.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 255b6fa..935c436 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -717,7 +717,7 @@ int kvm_init(int smp_cpus)
 
     s->broken_set_mem_region = 1;
 #ifdef KVM_CAP_JOIN_MEMORY_REGIONS_WORKS
-    ret = kvm_ioctl(s, KVM_CHECK_EXTENSION, KVM_CAP_JOIN_MEMORY_REGIONS_WORKS);
+    ret = kvm_check_extension(s, KVM_CAP_JOIN_MEMORY_REGIONS_WORKS);
     if (ret > 0) {
         s->broken_set_mem_region = 0;
     }
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 755f8c9..4004de7 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -187,7 +187,7 @@ static int kvm_get_mce_cap_supported(KVMState *s, uint64_t *mce_cap,
 {
     int r;
 
-    r = kvm_ioctl(s, KVM_CHECK_EXTENSION, KVM_CAP_MCE);
+    r = kvm_check_extension(s, KVM_CAP_MCE);
     if (r > 0) {
         *max_banks = r;
         return kvm_ioctl(s, KVM_X86_GET_MCE_CAP_SUPPORTED, mce_cap);
@@ -540,7 +540,7 @@ int kvm_arch_init(KVMState *s, int smp_cpus)
      * versions of KVM just assumed that it would be at the end of physical
      * memory but that doesn't work with more than 4GB of memory.  We simply
      * refuse to work with those older versions of KVM. */
-    ret = kvm_ioctl(s, KVM_CHECK_EXTENSION, KVM_CAP_SET_TSS_ADDR);
+    ret = kvm_check_extension(s, KVM_CAP_SET_TSS_ADDR);
     if (ret <= 0) {
         fprintf(stderr, "kvm does not support KVM_CAP_SET_TSS_ADDR\n");
         return ret;
commit 276ce81563aeadea5493fbc4fbc84647d5bfbdeb
Author: Lai Jiangshan <laijs at cn.fujitsu.com>
Date:   Fri Dec 10 15:42:53 2010 +0800

    kvm: Enable user space NMI injection for kvm guest
    
    Make use of the new KVM_NMI IOCTL to send NMIs into the KVM guest if the
    user space raised them. (example: qemu monitor's "nmi" command)
    
    Signed-off-by: Lai Jiangshan <laijs at cn.fujitsu.com>
    Acked-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/configure b/configure
index 210670c..9a02d1f 100755
--- a/configure
+++ b/configure
@@ -1671,6 +1671,9 @@ if test "$kvm" != "no" ; then
 #if !defined(KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
 #error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS
 #endif
+#if !defined(KVM_CAP_USER_NMI)
+#error Missing KVM capability KVM_CAP_USER_NMI
+#endif
 int main(void) { return 0; }
 EOF
   if test "$kerneldir" != "" ; then
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 7dfc357..755f8c9 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1417,6 +1417,13 @@ int kvm_arch_get_registers(CPUState *env)
 
 int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 {
+    /* Inject NMI */
+    if (env->interrupt_request & CPU_INTERRUPT_NMI) {
+        env->interrupt_request &= ~CPU_INTERRUPT_NMI;
+        DPRINTF("injected NMI\n");
+        kvm_vcpu_ioctl(env, KVM_NMI);
+    }
+
     /* Try to inject an interrupt if the guest can accept it */
     if (run->ready_for_interrupt_injection &&
         (env->interrupt_request & CPU_INTERRUPT_HARD) &&
commit b646968336d4180bdd7d2e24209708dcee6ba400
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Jan 20 20:58:56 2011 +0000

    checkpatch: adjust to QEMUisms
    
    Change checkpatch.pl for QEMU use:
     - Root directory detection
     - Forbid tabs
     - Indent at 4 spaces
     - Allow typedefs
     - Enforce brace use even for single statement blocks
     - Don't suggest nonexistent cleanup tools
    
    Mention the script in CODING_STYLE.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/CODING_STYLE b/CODING_STYLE
index 2c8268d..5ecfa22 100644
--- a/CODING_STYLE
+++ b/CODING_STYLE
@@ -1,6 +1,9 @@
 Qemu Coding Style
 =================
 
+Please use the script checkpatch.pl in the scripts directory to check
+patches before submitting.
+
 1. Whitespace
 
 Of course, the most important aspect in any coding style is whitespace.
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
old mode 100644
new mode 100755
index 2a8a0e2..55ef439
--- a/scripts/checkpatch.pl
+++ b/scripts/checkpatch.pl
@@ -328,9 +328,9 @@ sub top_of_kernel_tree {
 	my ($root) = @_;
 
 	my @tree_check = (
-		"COPYING", "CREDITS", "Kbuild", "MAINTAINERS", "Makefile",
-		"README", "Documentation", "arch", "include", "drivers",
-		"fs", "init", "ipc", "kernel", "lib", "scripts",
+		"COPYING", "MAINTAINERS", "Makefile",
+		"README", "docs", "VERSION",
+		"vl.c"
 	);
 
 	foreach my $check (@tree_check) {
@@ -1494,31 +1494,13 @@ sub process {
 # check we are in a valid source file C or perl if not then ignore this hunk
 		next if ($realfile !~ /\.(h|c|pl)$/);
 
-# at the beginning of a line any tabs must come first and anything
-# more than 8 must use tabs.
-		if ($rawline =~ /^\+\s* \t\s*\S/ ||
-		    $rawline =~ /^\+\s*        \s*/) {
+# in QEMU, no tabs are allowed
+		if ($rawline =~ /\t/) {
 			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
-			ERROR("code indent should use tabs where possible\n" . $herevet);
+			ERROR("code indent should never use tabs\n" . $herevet);
 			$rpt_cleaners = 1;
 		}
 
-# check for space before tabs.
-		if ($rawline =~ /^\+/ && $rawline =~ / \t/) {
-			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
-			WARN("please, no space before tabs\n" . $herevet);
-		}
-
-# check for spaces at the beginning of a line.
-# Exceptions:
-#  1) within comments
-#  2) indented preprocessor commands
-#  3) hanging labels
-		if ($rawline =~ /^\+ / && $line !~ /\+ *(?:$;|#|$Ident:)/)  {
-			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
-			WARN("please, no spaces at the start of a line\n" . $herevet);
-		}
-
 # check we are in a valid C source file if not then ignore this hunk
 		next if ($realfile !~ /\.(h|c)$/);
 
@@ -1746,7 +1728,7 @@ sub process {
 
 			#print "line<$line> prevline<$prevline> indent<$indent> sindent<$sindent> check<$check> continuation<$continuation> s<$s> cond_lines<$cond_lines> stat_real<$stat_real> stat<$stat>\n";
 
-			if ($check && (($sindent % 8) != 0 ||
+			if ($check && (($sindent % 4) != 0 ||
 			    ($sindent <= $indent && $s ne ''))) {
 				WARN("suspect code indent for conditional statements ($indent, $sindent)\n" . $herecurr . "$stat_real\n");
 			}
@@ -1869,16 +1851,6 @@ sub process {
 				$herecurr);
 		}
 
-# check for new typedefs, only function parameters and sparse annotations
-# make sense.
-		if ($line =~ /\btypedef\s/ &&
-		    $line !~ /\btypedef\s+$Type\s*\(\s*\*?$Ident\s*\)\s*\(/ &&
-		    $line !~ /\btypedef\s+$Type\s+$Ident\s*\(/ &&
-		    $line !~ /\b$typeTypedefs\b/ &&
-		    $line !~ /\b__bitwise(?:__|)\b/) {
-			WARN("do not add new typedefs\n" . $herecurr);
-		}
-
 # * goes on variable not on type
 		# (char*[ const])
 		if ($line =~ m{\($NonptrType(\s*(?:$Modifier\b\s*|\*\s*)+)\)}) {
@@ -2514,13 +2486,13 @@ sub process {
 			WARN("vmlinux.lds.h needs VMLINUX_SYMBOL() around C-visible symbols\n" . $herecurr);
 		}
 
-# check for redundant bracing round if etc
-		if ($line =~ /(^.*)\bif\b/ && $1 !~ /else\s*$/) {
+# check for missing bracing round if etc
+		if ($line =~ /(^.*)\bif\b/ && $line !~ /\#\s*if/) {
 			my ($level, $endln, @chunks) =
 				ctx_statement_full($linenr, $realcnt, 1);
 			#print "chunks<$#chunks> linenr<$linenr> endln<$endln> level<$level>\n";
 			#print "APW: <<$chunks[1][0]>><<$chunks[1][1]>>\n";
-			if ($#chunks > 0 && $level == 0) {
+			if ($#chunks >= 0 && $level == 0) {
 				my $allowed = 0;
 				my $seen = 0;
 				my $herectx = $here . "\n";
@@ -2558,8 +2530,8 @@ sub process {
 						$allowed = 1;
 					}
 				}
-				if ($seen && !$allowed) {
-					WARN("braces {} are not necessary for any arm of this statement\n" . $herectx);
+				if (!$seen) {
+					WARN("braces {} are necessary for all arms of this statement\n" . $herectx);
 				}
 			}
 		}
@@ -2605,7 +2577,7 @@ sub process {
 					$allowed = 1;
 				}
 			}
-			if ($level == 0 && $block =~ /^\s*\{/ && !$allowed) {
+			if ($level == 0 && $block !~ /^\s*\{/ && !$allowed) {
 				my $herectx = $here . "\n";;
 				my $cnt = statement_rawlines($block);
 
@@ -2613,7 +2585,7 @@ sub process {
 					$herectx .= raw_line($linenr, $n) . "\n";;
 				}
 
-				WARN("braces {} are not necessary for single statement blocks\n" . $herectx);
+				WARN("braces {} are necessary even for single statement blocks\n" . $herectx);
 			}
 		}
 
@@ -2918,10 +2890,10 @@ sub process {
 	if ($quiet == 0) {
 		# If there were whitespace errors which cleanpatch can fix
 		# then suggest that.
-		if ($rpt_cleaners) {
-			print "NOTE: whitespace errors detected, you may wish to use scripts/cleanpatch or\n";
-			print "      scripts/cleanfile\n\n";
-		}
+#		if ($rpt_cleaners) {
+#			print "NOTE: whitespace errors detected, you may wish to use scripts/cleanpatch or\n";
+#			print "      scripts/cleanfile\n\n";
+#		}
 	}
 
 	if ($clean == 1 && $quiet == 0) {
commit 1ec3f6f9abca4f4f73d7e8a74dd9b14c1f087a8e
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Jan 20 20:54:26 2011 +0000

    Add checkpatch.pl from Linux kernel
    
    Unchanged import from
    http://www.kernel.org/pub/linux/kernel/people/apw/checkpatch/checkpatch.pl-0.31
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
new file mode 100644
index 0000000..2a8a0e2
--- /dev/null
+++ b/scripts/checkpatch.pl
@@ -0,0 +1,2937 @@
+#!/usr/bin/perl -w
+# (c) 2001, Dave Jones. (the file handling bit)
+# (c) 2005, Joel Schopp <jschopp at austin.ibm.com> (the ugly bit)
+# (c) 2007,2008, Andy Whitcroft <apw at uk.ibm.com> (new conditions, test suite)
+# (c) 2008-2010 Andy Whitcroft <apw at canonical.com>
+# Licensed under the terms of the GNU GPL License version 2
+
+use strict;
+
+my $P = $0;
+$P =~ s at .*/@@g;
+
+my $V = '0.31';
+
+use Getopt::Long qw(:config no_auto_abbrev);
+
+my $quiet = 0;
+my $tree = 1;
+my $chk_signoff = 1;
+my $chk_patch = 1;
+my $tst_only;
+my $emacs = 0;
+my $terse = 0;
+my $file = 0;
+my $check = 0;
+my $summary = 1;
+my $mailback = 0;
+my $summary_file = 0;
+my $root;
+my %debug;
+my $help = 0;
+
+sub help {
+	my ($exitcode) = @_;
+
+	print << "EOM";
+Usage: $P [OPTION]... [FILE]...
+Version: $V
+
+Options:
+  -q, --quiet                quiet
+  --no-tree                  run without a kernel tree
+  --no-signoff               do not check for 'Signed-off-by' line
+  --patch                    treat FILE as patchfile (default)
+  --emacs                    emacs compile window format
+  --terse                    one line per report
+  -f, --file                 treat FILE as regular source file
+  --subjective, --strict     enable more subjective tests
+  --root=PATH                PATH to the kernel tree root
+  --no-summary               suppress the per-file summary
+  --mailback                 only produce a report in case of warnings/errors
+  --summary-file             include the filename in summary
+  --debug KEY=[0|1]          turn on/off debugging of KEY, where KEY is one of
+                             'values', 'possible', 'type', and 'attr' (default
+                             is all off)
+  --test-only=WORD           report only warnings/errors containing WORD
+                             literally
+  -h, --help, --version      display this help and exit
+
+When FILE is - read standard input.
+EOM
+
+	exit($exitcode);
+}
+
+GetOptions(
+	'q|quiet+'	=> \$quiet,
+	'tree!'		=> \$tree,
+	'signoff!'	=> \$chk_signoff,
+	'patch!'	=> \$chk_patch,
+	'emacs!'	=> \$emacs,
+	'terse!'	=> \$terse,
+	'f|file!'	=> \$file,
+	'subjective!'	=> \$check,
+	'strict!'	=> \$check,
+	'root=s'	=> \$root,
+	'summary!'	=> \$summary,
+	'mailback!'	=> \$mailback,
+	'summary-file!'	=> \$summary_file,
+
+	'debug=s'	=> \%debug,
+	'test-only=s'	=> \$tst_only,
+	'h|help'	=> \$help,
+	'version'	=> \$help
+) or help(1);
+
+help(0) if ($help);
+
+my $exit = 0;
+
+if ($#ARGV < 0) {
+	print "$P: no input files\n";
+	exit(1);
+}
+
+my $dbg_values = 0;
+my $dbg_possible = 0;
+my $dbg_type = 0;
+my $dbg_attr = 0;
+for my $key (keys %debug) {
+	## no critic
+	eval "\${dbg_$key} = '$debug{$key}';";
+	die "$@" if ($@);
+}
+
+my $rpt_cleaners = 0;
+
+if ($terse) {
+	$emacs = 1;
+	$quiet++;
+}
+
+if ($tree) {
+	if (defined $root) {
+		if (!top_of_kernel_tree($root)) {
+			die "$P: $root: --root does not point at a valid tree\n";
+		}
+	} else {
+		if (top_of_kernel_tree('.')) {
+			$root = '.';
+		} elsif ($0 =~ m@(.*)/scripts/[^/]*$@ &&
+						top_of_kernel_tree($1)) {
+			$root = $1;
+		}
+	}
+
+	if (!defined $root) {
+		print "Must be run from the top-level dir. of a kernel tree\n";
+		exit(2);
+	}
+}
+
+my $emitted_corrupt = 0;
+
+our $Ident	= qr{
+			[A-Za-z_][A-Za-z\d_]*
+			(?:\s*\#\#\s*[A-Za-z_][A-Za-z\d_]*)*
+		}x;
+our $Storage	= qr{extern|static|asmlinkage};
+our $Sparse	= qr{
+			__user|
+			__kernel|
+			__force|
+			__iomem|
+			__must_check|
+			__init_refok|
+			__kprobes|
+			__ref
+		}x;
+
+# Notes to $Attribute:
+# We need \b after 'init' otherwise 'initconst' will cause a false positive in a check
+our $Attribute	= qr{
+			const|
+			__percpu|
+			__nocast|
+			__safe|
+			__bitwise__|
+			__packed__|
+			__packed2__|
+			__naked|
+			__maybe_unused|
+			__always_unused|
+			__noreturn|
+			__used|
+			__cold|
+			__noclone|
+			__deprecated|
+			__read_mostly|
+			__kprobes|
+			__(?:mem|cpu|dev|)(?:initdata|initconst|init\b)|
+			____cacheline_aligned|
+			____cacheline_aligned_in_smp|
+			____cacheline_internodealigned_in_smp|
+			__weak
+		  }x;
+our $Modifier;
+our $Inline	= qr{inline|__always_inline|noinline};
+our $Member	= qr{->$Ident|\.$Ident|\[[^]]*\]};
+our $Lval	= qr{$Ident(?:$Member)*};
+
+our $Constant	= qr{(?:[0-9]+|0x[0-9a-fA-F]+)[UL]*};
+our $Assignment	= qr{(?:\*\=|/=|%=|\+=|-=|<<=|>>=|&=|\^=|\|=|=)};
+our $Compare    = qr{<=|>=|==|!=|<|>};
+our $Operators	= qr{
+			<=|>=|==|!=|
+			=>|->|<<|>>|<|>|!|~|
+			&&|\|\||,|\^|\+\+|--|&|\||\+|-|\*|\/|%
+		  }x;
+
+our $NonptrType;
+our $Type;
+our $Declare;
+
+our $UTF8	= qr {
+	[\x09\x0A\x0D\x20-\x7E]              # ASCII
+	| [\xC2-\xDF][\x80-\xBF]             # non-overlong 2-byte
+	|  \xE0[\xA0-\xBF][\x80-\xBF]        # excluding overlongs
+	| [\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}  # straight 3-byte
+	|  \xED[\x80-\x9F][\x80-\xBF]        # excluding surrogates
+	|  \xF0[\x90-\xBF][\x80-\xBF]{2}     # planes 1-3
+	| [\xF1-\xF3][\x80-\xBF]{3}          # planes 4-15
+	|  \xF4[\x80-\x8F][\x80-\xBF]{2}     # plane 16
+}x;
+
+our $typeTypedefs = qr{(?x:
+	(?:__)?(?:u|s|be|le)(?:8|16|32|64)|
+	atomic_t
+)};
+
+our $logFunctions = qr{(?x:
+	printk|
+	pr_(debug|dbg|vdbg|devel|info|warning|err|notice|alert|crit|emerg|cont)|
+	(dev|netdev|netif)_(printk|dbg|vdbg|info|warn|err|notice|alert|crit|emerg|WARN)|
+	WARN|
+	panic
+)};
+
+our @typeList = (
+	qr{void},
+	qr{(?:unsigned\s+)?char},
+	qr{(?:unsigned\s+)?short},
+	qr{(?:unsigned\s+)?int},
+	qr{(?:unsigned\s+)?long},
+	qr{(?:unsigned\s+)?long\s+int},
+	qr{(?:unsigned\s+)?long\s+long},
+	qr{(?:unsigned\s+)?long\s+long\s+int},
+	qr{unsigned},
+	qr{float},
+	qr{double},
+	qr{bool},
+	qr{struct\s+$Ident},
+	qr{union\s+$Ident},
+	qr{enum\s+$Ident},
+	qr{${Ident}_t},
+	qr{${Ident}_handler},
+	qr{${Ident}_handler_fn},
+);
+our @modifierList = (
+	qr{fastcall},
+);
+
+our $allowed_asm_includes = qr{(?x:
+	irq|
+	memory
+)};
+# memory.h: ARM has a custom one
+
+sub build_types {
+	my $mods = "(?x:  \n" . join("|\n  ", @modifierList) . "\n)";
+	my $all = "(?x:  \n" . join("|\n  ", @typeList) . "\n)";
+	$Modifier	= qr{(?:$Attribute|$Sparse|$mods)};
+	$NonptrType	= qr{
+			(?:$Modifier\s+|const\s+)*
+			(?:
+				(?:typeof|__typeof__)\s*\(\s*\**\s*$Ident\s*\)|
+				(?:$typeTypedefs\b)|
+				(?:${all}\b)
+			)
+			(?:\s+$Modifier|\s+const)*
+		  }x;
+	$Type	= qr{
+			$NonptrType
+			(?:[\s\*]+\s*const|[\s\*]+|(?:\s*\[\s*\])+)?
+			(?:\s+$Inline|\s+$Modifier)*
+		  }x;
+	$Declare	= qr{(?:$Storage\s+)?$Type};
+}
+build_types();
+
+$chk_signoff = 0 if ($file);
+
+my @dep_includes = ();
+my @dep_functions = ();
+my $removal = "Documentation/feature-removal-schedule.txt";
+if ($tree && -f "$root/$removal") {
+	open(my $REMOVE, '<', "$root/$removal") ||
+				die "$P: $removal: open failed - $!\n";
+	while (<$REMOVE>) {
+		if (/^Check:\s+(.*\S)/) {
+			for my $entry (split(/[, ]+/, $1)) {
+				if ($entry =~ m at include/(.*)@) {
+					push(@dep_includes, $1);
+
+				} elsif ($entry !~ m@/@) {
+					push(@dep_functions, $entry);
+				}
+			}
+		}
+	}
+	close($REMOVE);
+}
+
+my @rawlines = ();
+my @lines = ();
+my $vname;
+for my $filename (@ARGV) {
+	my $FILE;
+	if ($file) {
+		open($FILE, '-|', "diff -u /dev/null $filename") ||
+			die "$P: $filename: diff failed - $!\n";
+	} elsif ($filename eq '-') {
+		open($FILE, '<&STDIN');
+	} else {
+		open($FILE, '<', "$filename") ||
+			die "$P: $filename: open failed - $!\n";
+	}
+	if ($filename eq '-') {
+		$vname = 'Your patch';
+	} else {
+		$vname = $filename;
+	}
+	while (<$FILE>) {
+		chomp;
+		push(@rawlines, $_);
+	}
+	close($FILE);
+	if (!process($filename)) {
+		$exit = 1;
+	}
+	@rawlines = ();
+	@lines = ();
+}
+
+exit($exit);
+
+sub top_of_kernel_tree {
+	my ($root) = @_;
+
+	my @tree_check = (
+		"COPYING", "CREDITS", "Kbuild", "MAINTAINERS", "Makefile",
+		"README", "Documentation", "arch", "include", "drivers",
+		"fs", "init", "ipc", "kernel", "lib", "scripts",
+	);
+
+	foreach my $check (@tree_check) {
+		if (! -e $root . '/' . $check) {
+			return 0;
+		}
+	}
+	return 1;
+}
+
+sub expand_tabs {
+	my ($str) = @_;
+
+	my $res = '';
+	my $n = 0;
+	for my $c (split(//, $str)) {
+		if ($c eq "\t") {
+			$res .= ' ';
+			$n++;
+			for (; ($n % 8) != 0; $n++) {
+				$res .= ' ';
+			}
+			next;
+		}
+		$res .= $c;
+		$n++;
+	}
+
+	return $res;
+}
+sub copy_spacing {
+	(my $res = shift) =~ tr/\t/ /c;
+	return $res;
+}
+
+sub line_stats {
+	my ($line) = @_;
+
+	# Drop the diff line leader and expand tabs
+	$line =~ s/^.//;
+	$line = expand_tabs($line);
+
+	# Pick the indent from the front of the line.
+	my ($white) = ($line =~ /^(\s*)/);
+
+	return (length($line), length($white));
+}
+
+my $sanitise_quote = '';
+
+sub sanitise_line_reset {
+	my ($in_comment) = @_;
+
+	if ($in_comment) {
+		$sanitise_quote = '*/';
+	} else {
+		$sanitise_quote = '';
+	}
+}
+sub sanitise_line {
+	my ($line) = @_;
+
+	my $res = '';
+	my $l = '';
+
+	my $qlen = 0;
+	my $off = 0;
+	my $c;
+
+	# Always copy over the diff marker.
+	$res = substr($line, 0, 1);
+
+	for ($off = 1; $off < length($line); $off++) {
+		$c = substr($line, $off, 1);
+
+		# Comments we are wacking completly including the begin
+		# and end, all to $;.
+		if ($sanitise_quote eq '' && substr($line, $off, 2) eq '/*') {
+			$sanitise_quote = '*/';
+
+			substr($res, $off, 2, "$;$;");
+			$off++;
+			next;
+		}
+		if ($sanitise_quote eq '*/' && substr($line, $off, 2) eq '*/') {
+			$sanitise_quote = '';
+			substr($res, $off, 2, "$;$;");
+			$off++;
+			next;
+		}
+		if ($sanitise_quote eq '' && substr($line, $off, 2) eq '//') {
+			$sanitise_quote = '//';
+
+			substr($res, $off, 2, $sanitise_quote);
+			$off++;
+			next;
+		}
+
+		# A \ in a string means ignore the next character.
+		if (($sanitise_quote eq "'" || $sanitise_quote eq '"') &&
+		    $c eq "\\") {
+			substr($res, $off, 2, 'XX');
+			$off++;
+			next;
+		}
+		# Regular quotes.
+		if ($c eq "'" || $c eq '"') {
+			if ($sanitise_quote eq '') {
+				$sanitise_quote = $c;
+
+				substr($res, $off, 1, $c);
+				next;
+			} elsif ($sanitise_quote eq $c) {
+				$sanitise_quote = '';
+			}
+		}
+
+		#print "c<$c> SQ<$sanitise_quote>\n";
+		if ($off != 0 && $sanitise_quote eq '*/' && $c ne "\t") {
+			substr($res, $off, 1, $;);
+		} elsif ($off != 0 && $sanitise_quote eq '//' && $c ne "\t") {
+			substr($res, $off, 1, $;);
+		} elsif ($off != 0 && $sanitise_quote && $c ne "\t") {
+			substr($res, $off, 1, 'X');
+		} else {
+			substr($res, $off, 1, $c);
+		}
+	}
+
+	if ($sanitise_quote eq '//') {
+		$sanitise_quote = '';
+	}
+
+	# The pathname on a #include may be surrounded by '<' and '>'.
+	if ($res =~ /^.\s*\#\s*include\s+\<(.*)\>/) {
+		my $clean = 'X' x length($1);
+		$res =~ s@\<.*\>@<$clean>@;
+
+	# The whole of a #error is a string.
+	} elsif ($res =~ /^.\s*\#\s*(?:error|warning)\s+(.*)\b/) {
+		my $clean = 'X' x length($1);
+		$res =~ s@(\#\s*(?:error|warning)\s+).*@$1$clean@;
+	}
+
+	return $res;
+}
+
+sub ctx_statement_block {
+	my ($linenr, $remain, $off) = @_;
+	my $line = $linenr - 1;
+	my $blk = '';
+	my $soff = $off;
+	my $coff = $off - 1;
+	my $coff_set = 0;
+
+	my $loff = 0;
+
+	my $type = '';
+	my $level = 0;
+	my @stack = ();
+	my $p;
+	my $c;
+	my $len = 0;
+
+	my $remainder;
+	while (1) {
+		@stack = (['', 0]) if ($#stack == -1);
+
+		#warn "CSB: blk<$blk> remain<$remain>\n";
+		# If we are about to drop off the end, pull in more
+		# context.
+		if ($off >= $len) {
+			for (; $remain > 0; $line++) {
+				last if (!defined $lines[$line]);
+				next if ($lines[$line] =~ /^-/);
+				$remain--;
+				$loff = $len;
+				$blk .= $lines[$line] . "\n";
+				$len = length($blk);
+				$line++;
+				last;
+			}
+			# Bail if there is no further context.
+			#warn "CSB: blk<$blk> off<$off> len<$len>\n";
+			if ($off >= $len) {
+				last;
+			}
+		}
+		$p = $c;
+		$c = substr($blk, $off, 1);
+		$remainder = substr($blk, $off);
+
+		#warn "CSB: c<$c> type<$type> level<$level> remainder<$remainder> coff_set<$coff_set>\n";
+
+		# Handle nested #if/#else.
+		if ($remainder =~ /^#\s*(?:ifndef|ifdef|if)\s/) {
+			push(@stack, [ $type, $level ]);
+		} elsif ($remainder =~ /^#\s*(?:else|elif)\b/) {
+			($type, $level) = @{$stack[$#stack - 1]};
+		} elsif ($remainder =~ /^#\s*endif\b/) {
+			($type, $level) = @{pop(@stack)};
+		}
+
+		# Statement ends at the ';' or a close '}' at the
+		# outermost level.
+		if ($level == 0 && $c eq ';') {
+			last;
+		}
+
+		# An else is really a conditional as long as its not else if
+		if ($level == 0 && $coff_set == 0 &&
+				(!defined($p) || $p =~ /(?:\s|\}|\+)/) &&
+				$remainder =~ /^(else)(?:\s|{)/ &&
+				$remainder !~ /^else\s+if\b/) {
+			$coff = $off + length($1) - 1;
+			$coff_set = 1;
+			#warn "CSB: mark coff<$coff> soff<$soff> 1<$1>\n";
+			#warn "[" . substr($blk, $soff, $coff - $soff + 1) . "]\n";
+		}
+
+		if (($type eq '' || $type eq '(') && $c eq '(') {
+			$level++;
+			$type = '(';
+		}
+		if ($type eq '(' && $c eq ')') {
+			$level--;
+			$type = ($level != 0)? '(' : '';
+
+			if ($level == 0 && $coff < $soff) {
+				$coff = $off;
+				$coff_set = 1;
+				#warn "CSB: mark coff<$coff>\n";
+			}
+		}
+		if (($type eq '' || $type eq '{') && $c eq '{') {
+			$level++;
+			$type = '{';
+		}
+		if ($type eq '{' && $c eq '}') {
+			$level--;
+			$type = ($level != 0)? '{' : '';
+
+			if ($level == 0) {
+				if (substr($blk, $off + 1, 1) eq ';') {
+					$off++;
+				}
+				last;
+			}
+		}
+		$off++;
+	}
+	# We are truly at the end, so shuffle to the next line.
+	if ($off == $len) {
+		$loff = $len + 1;
+		$line++;
+		$remain--;
+	}
+
+	my $statement = substr($blk, $soff, $off - $soff + 1);
+	my $condition = substr($blk, $soff, $coff - $soff + 1);
+
+	#warn "STATEMENT<$statement>\n";
+	#warn "CONDITION<$condition>\n";
+
+	#print "coff<$coff> soff<$off> loff<$loff>\n";
+
+	return ($statement, $condition,
+			$line, $remain + 1, $off - $loff + 1, $level);
+}
+
+sub statement_lines {
+	my ($stmt) = @_;
+
+	# Strip the diff line prefixes and rip blank lines at start and end.
+	$stmt =~ s/(^|\n)./$1/g;
+	$stmt =~ s/^\s*//;
+	$stmt =~ s/\s*$//;
+
+	my @stmt_lines = ($stmt =~ /\n/g);
+
+	return $#stmt_lines + 2;
+}
+
+sub statement_rawlines {
+	my ($stmt) = @_;
+
+	my @stmt_lines = ($stmt =~ /\n/g);
+
+	return $#stmt_lines + 2;
+}
+
+sub statement_block_size {
+	my ($stmt) = @_;
+
+	$stmt =~ s/(^|\n)./$1/g;
+	$stmt =~ s/^\s*{//;
+	$stmt =~ s/}\s*$//;
+	$stmt =~ s/^\s*//;
+	$stmt =~ s/\s*$//;
+
+	my @stmt_lines = ($stmt =~ /\n/g);
+	my @stmt_statements = ($stmt =~ /;/g);
+
+	my $stmt_lines = $#stmt_lines + 2;
+	my $stmt_statements = $#stmt_statements + 1;
+
+	if ($stmt_lines > $stmt_statements) {
+		return $stmt_lines;
+	} else {
+		return $stmt_statements;
+	}
+}
+
+sub ctx_statement_full {
+	my ($linenr, $remain, $off) = @_;
+	my ($statement, $condition, $level);
+
+	my (@chunks);
+
+	# Grab the first conditional/block pair.
+	($statement, $condition, $linenr, $remain, $off, $level) =
+				ctx_statement_block($linenr, $remain, $off);
+	#print "F: c<$condition> s<$statement> remain<$remain>\n";
+	push(@chunks, [ $condition, $statement ]);
+	if (!($remain > 0 && $condition =~ /^\s*(?:\n[+-])?\s*(?:if|else|do)\b/s)) {
+		return ($level, $linenr, @chunks);
+	}
+
+	# Pull in the following conditional/block pairs and see if they
+	# could continue the statement.
+	for (;;) {
+		($statement, $condition, $linenr, $remain, $off, $level) =
+				ctx_statement_block($linenr, $remain, $off);
+		#print "C: c<$condition> s<$statement> remain<$remain>\n";
+		last if (!($remain > 0 && $condition =~ /^(?:\s*\n[+-])*\s*(?:else|do)\b/s));
+		#print "C: push\n";
+		push(@chunks, [ $condition, $statement ]);
+	}
+
+	return ($level, $linenr, @chunks);
+}
+
+sub ctx_block_get {
+	my ($linenr, $remain, $outer, $open, $close, $off) = @_;
+	my $line;
+	my $start = $linenr - 1;
+	my $blk = '';
+	my @o;
+	my @c;
+	my @res = ();
+
+	my $level = 0;
+	my @stack = ($level);
+	for ($line = $start; $remain > 0; $line++) {
+		next if ($rawlines[$line] =~ /^-/);
+		$remain--;
+
+		$blk .= $rawlines[$line];
+
+		# Handle nested #if/#else.
+		if ($lines[$line] =~ /^.\s*#\s*(?:ifndef|ifdef|if)\s/) {
+			push(@stack, $level);
+		} elsif ($lines[$line] =~ /^.\s*#\s*(?:else|elif)\b/) {
+			$level = $stack[$#stack - 1];
+		} elsif ($lines[$line] =~ /^.\s*#\s*endif\b/) {
+			$level = pop(@stack);
+		}
+
+		foreach my $c (split(//, $lines[$line])) {
+			##print "C<$c>L<$level><$open$close>O<$off>\n";
+			if ($off > 0) {
+				$off--;
+				next;
+			}
+
+			if ($c eq $close && $level > 0) {
+				$level--;
+				last if ($level == 0);
+			} elsif ($c eq $open) {
+				$level++;
+			}
+		}
+
+		if (!$outer || $level <= 1) {
+			push(@res, $rawlines[$line]);
+		}
+
+		last if ($level == 0);
+	}
+
+	return ($level, @res);
+}
+sub ctx_block_outer {
+	my ($linenr, $remain) = @_;
+
+	my ($level, @r) = ctx_block_get($linenr, $remain, 1, '{', '}', 0);
+	return @r;
+}
+sub ctx_block {
+	my ($linenr, $remain) = @_;
+
+	my ($level, @r) = ctx_block_get($linenr, $remain, 0, '{', '}', 0);
+	return @r;
+}
+sub ctx_statement {
+	my ($linenr, $remain, $off) = @_;
+
+	my ($level, @r) = ctx_block_get($linenr, $remain, 0, '(', ')', $off);
+	return @r;
+}
+sub ctx_block_level {
+	my ($linenr, $remain) = @_;
+
+	return ctx_block_get($linenr, $remain, 0, '{', '}', 0);
+}
+sub ctx_statement_level {
+	my ($linenr, $remain, $off) = @_;
+
+	return ctx_block_get($linenr, $remain, 0, '(', ')', $off);
+}
+
+sub ctx_locate_comment {
+	my ($first_line, $end_line) = @_;
+
+	# Catch a comment on the end of the line itself.
+	my ($current_comment) = ($rawlines[$end_line - 1] =~ m at .*(/\*.*\*/)\s*(?:\\\s*)?$@);
+	return $current_comment if (defined $current_comment);
+
+	# Look through the context and try and figure out if there is a
+	# comment.
+	my $in_comment = 0;
+	$current_comment = '';
+	for (my $linenr = $first_line; $linenr < $end_line; $linenr++) {
+		my $line = $rawlines[$linenr - 1];
+		#warn "           $line\n";
+		if ($linenr == $first_line and $line =~ m@^.\s*\*@) {
+			$in_comment = 1;
+		}
+		if ($line =~ m@/\*@) {
+			$in_comment = 1;
+		}
+		if (!$in_comment && $current_comment ne '') {
+			$current_comment = '';
+		}
+		$current_comment .= $line . "\n" if ($in_comment);
+		if ($line =~ m@\*/@) {
+			$in_comment = 0;
+		}
+	}
+
+	chomp($current_comment);
+	return($current_comment);
+}
+sub ctx_has_comment {
+	my ($first_line, $end_line) = @_;
+	my $cmt = ctx_locate_comment($first_line, $end_line);
+
+	##print "LINE: $rawlines[$end_line - 1 ]\n";
+	##print "CMMT: $cmt\n";
+
+	return ($cmt ne '');
+}
+
+sub raw_line {
+	my ($linenr, $cnt) = @_;
+
+	my $offset = $linenr - 1;
+	$cnt++;
+
+	my $line;
+	while ($cnt) {
+		$line = $rawlines[$offset++];
+		next if (defined($line) && $line =~ /^-/);
+		$cnt--;
+	}
+
+	return $line;
+}
+
+sub cat_vet {
+	my ($vet) = @_;
+	my ($res, $coded);
+
+	$res = '';
+	while ($vet =~ /([^[:cntrl:]]*)([[:cntrl:]]|$)/g) {
+		$res .= $1;
+		if ($2 ne '') {
+			$coded = sprintf("^%c", unpack('C', $2) + 64);
+			$res .= $coded;
+		}
+	}
+	$res =~ s/$/\$/;
+
+	return $res;
+}
+
+my $av_preprocessor = 0;
+my $av_pending;
+my @av_paren_type;
+my $av_pend_colon;
+
+sub annotate_reset {
+	$av_preprocessor = 0;
+	$av_pending = '_';
+	@av_paren_type = ('E');
+	$av_pend_colon = 'O';
+}
+
+sub annotate_values {
+	my ($stream, $type) = @_;
+
+	my $res;
+	my $var = '_' x length($stream);
+	my $cur = $stream;
+
+	print "$stream\n" if ($dbg_values > 1);
+
+	while (length($cur)) {
+		@av_paren_type = ('E') if ($#av_paren_type < 0);
+		print " <" . join('', @av_paren_type) .
+				"> <$type> <$av_pending>" if ($dbg_values > 1);
+		if ($cur =~ /^(\s+)/o) {
+			print "WS($1)\n" if ($dbg_values > 1);
+			if ($1 =~ /\n/ && $av_preprocessor) {
+				$type = pop(@av_paren_type);
+				$av_preprocessor = 0;
+			}
+
+		} elsif ($cur =~ /^(\(\s*$Type\s*)\)/) {
+			print "CAST($1)\n" if ($dbg_values > 1);
+			push(@av_paren_type, $type);
+			$type = 'C';
+
+		} elsif ($cur =~ /^($Type)\s*(?:$Ident|,|\)|\(|\s*$)/) {
+			print "DECLARE($1)\n" if ($dbg_values > 1);
+			$type = 'T';
+
+		} elsif ($cur =~ /^($Modifier)\s*/) {
+			print "MODIFIER($1)\n" if ($dbg_values > 1);
+			$type = 'T';
+
+		} elsif ($cur =~ /^(\#\s*define\s*$Ident)(\(?)/o) {
+			print "DEFINE($1,$2)\n" if ($dbg_values > 1);
+			$av_preprocessor = 1;
+			push(@av_paren_type, $type);
+			if ($2 ne '') {
+				$av_pending = 'N';
+			}
+			$type = 'E';
+
+		} elsif ($cur =~ /^(\#\s*(?:undef\s*$Ident|include\b))/o) {
+			print "UNDEF($1)\n" if ($dbg_values > 1);
+			$av_preprocessor = 1;
+			push(@av_paren_type, $type);
+
+		} elsif ($cur =~ /^(\#\s*(?:ifdef|ifndef|if))/o) {
+			print "PRE_START($1)\n" if ($dbg_values > 1);
+			$av_preprocessor = 1;
+
+			push(@av_paren_type, $type);
+			push(@av_paren_type, $type);
+			$type = 'E';
+
+		} elsif ($cur =~ /^(\#\s*(?:else|elif))/o) {
+			print "PRE_RESTART($1)\n" if ($dbg_values > 1);
+			$av_preprocessor = 1;
+
+			push(@av_paren_type, $av_paren_type[$#av_paren_type]);
+
+			$type = 'E';
+
+		} elsif ($cur =~ /^(\#\s*(?:endif))/o) {
+			print "PRE_END($1)\n" if ($dbg_values > 1);
+
+			$av_preprocessor = 1;
+
+			# Assume all arms of the conditional end as this
+			# one does, and continue as if the #endif was not here.
+			pop(@av_paren_type);
+			push(@av_paren_type, $type);
+			$type = 'E';
+
+		} elsif ($cur =~ /^(\\\n)/o) {
+			print "PRECONT($1)\n" if ($dbg_values > 1);
+
+		} elsif ($cur =~ /^(__attribute__)\s*\(?/o) {
+			print "ATTR($1)\n" if ($dbg_values > 1);
+			$av_pending = $type;
+			$type = 'N';
+
+		} elsif ($cur =~ /^(sizeof)\s*(\()?/o) {
+			print "SIZEOF($1)\n" if ($dbg_values > 1);
+			if (defined $2) {
+				$av_pending = 'V';
+			}
+			$type = 'N';
+
+		} elsif ($cur =~ /^(if|while|for)\b/o) {
+			print "COND($1)\n" if ($dbg_values > 1);
+			$av_pending = 'E';
+			$type = 'N';
+
+		} elsif ($cur =~/^(case)/o) {
+			print "CASE($1)\n" if ($dbg_values > 1);
+			$av_pend_colon = 'C';
+			$type = 'N';
+
+		} elsif ($cur =~/^(return|else|goto|typeof|__typeof__)\b/o) {
+			print "KEYWORD($1)\n" if ($dbg_values > 1);
+			$type = 'N';
+
+		} elsif ($cur =~ /^(\()/o) {
+			print "PAREN('$1')\n" if ($dbg_values > 1);
+			push(@av_paren_type, $av_pending);
+			$av_pending = '_';
+			$type = 'N';
+
+		} elsif ($cur =~ /^(\))/o) {
+			my $new_type = pop(@av_paren_type);
+			if ($new_type ne '_') {
+				$type = $new_type;
+				print "PAREN('$1') -> $type\n"
+							if ($dbg_values > 1);
+			} else {
+				print "PAREN('$1')\n" if ($dbg_values > 1);
+			}
+
+		} elsif ($cur =~ /^($Ident)\s*\(/o) {
+			print "FUNC($1)\n" if ($dbg_values > 1);
+			$type = 'V';
+			$av_pending = 'V';
+
+		} elsif ($cur =~ /^($Ident\s*):(?:\s*\d+\s*(,|=|;))?/) {
+			if (defined $2 && $type eq 'C' || $type eq 'T') {
+				$av_pend_colon = 'B';
+			} elsif ($type eq 'E') {
+				$av_pend_colon = 'L';
+			}
+			print "IDENT_COLON($1,$type>$av_pend_colon)\n" if ($dbg_values > 1);
+			$type = 'V';
+
+		} elsif ($cur =~ /^($Ident|$Constant)/o) {
+			print "IDENT($1)\n" if ($dbg_values > 1);
+			$type = 'V';
+
+		} elsif ($cur =~ /^($Assignment)/o) {
+			print "ASSIGN($1)\n" if ($dbg_values > 1);
+			$type = 'N';
+
+		} elsif ($cur =~/^(;|{|})/) {
+			print "END($1)\n" if ($dbg_values > 1);
+			$type = 'E';
+			$av_pend_colon = 'O';
+
+		} elsif ($cur =~/^(,)/) {
+			print "COMMA($1)\n" if ($dbg_values > 1);
+			$type = 'C';
+
+		} elsif ($cur =~ /^(\?)/o) {
+			print "QUESTION($1)\n" if ($dbg_values > 1);
+			$type = 'N';
+
+		} elsif ($cur =~ /^(:)/o) {
+			print "COLON($1,$av_pend_colon)\n" if ($dbg_values > 1);
+
+			substr($var, length($res), 1, $av_pend_colon);
+			if ($av_pend_colon eq 'C' || $av_pend_colon eq 'L') {
+				$type = 'E';
+			} else {
+				$type = 'N';
+			}
+			$av_pend_colon = 'O';
+
+		} elsif ($cur =~ /^(\[)/o) {
+			print "CLOSE($1)\n" if ($dbg_values > 1);
+			$type = 'N';
+
+		} elsif ($cur =~ /^(-(?![->])|\+(?!\+)|\*|\&\&|\&)/o) {
+			my $variant;
+
+			print "OPV($1)\n" if ($dbg_values > 1);
+			if ($type eq 'V') {
+				$variant = 'B';
+			} else {
+				$variant = 'U';
+			}
+
+			substr($var, length($res), 1, $variant);
+			$type = 'N';
+
+		} elsif ($cur =~ /^($Operators)/o) {
+			print "OP($1)\n" if ($dbg_values > 1);
+			if ($1 ne '++' && $1 ne '--') {
+				$type = 'N';
+			}
+
+		} elsif ($cur =~ /(^.)/o) {
+			print "C($1)\n" if ($dbg_values > 1);
+		}
+		if (defined $1) {
+			$cur = substr($cur, length($1));
+			$res .= $type x length($1);
+		}
+	}
+
+	return ($res, $var);
+}
+
+sub possible {
+	my ($possible, $line) = @_;
+	my $notPermitted = qr{(?:
+		^(?:
+			$Modifier|
+			$Storage|
+			$Type|
+			DEFINE_\S+
+		)$|
+		^(?:
+			goto|
+			return|
+			case|
+			else|
+			asm|__asm__|
+			do
+		)(?:\s|$)|
+		^(?:typedef|struct|enum)\b
+	    )}x;
+	warn "CHECK<$possible> ($line)\n" if ($dbg_possible > 2);
+	if ($possible !~ $notPermitted) {
+		# Check for modifiers.
+		$possible =~ s/\s*$Storage\s*//g;
+		$possible =~ s/\s*$Sparse\s*//g;
+		if ($possible =~ /^\s*$/) {
+
+		} elsif ($possible =~ /\s/) {
+			$possible =~ s/\s*$Type\s*//g;
+			for my $modifier (split(' ', $possible)) {
+				if ($modifier !~ $notPermitted) {
+					warn "MODIFIER: $modifier ($possible) ($line)\n" if ($dbg_possible);
+					push(@modifierList, $modifier);
+				}
+			}
+
+		} else {
+			warn "POSSIBLE: $possible ($line)\n" if ($dbg_possible);
+			push(@typeList, $possible);
+		}
+		build_types();
+	} else {
+		warn "NOTPOSS: $possible ($line)\n" if ($dbg_possible > 1);
+	}
+}
+
+my $prefix = '';
+
+sub report {
+	if (defined $tst_only && $_[0] !~ /\Q$tst_only\E/) {
+		return 0;
+	}
+	my $line = $prefix . $_[0];
+
+	$line = (split('\n', $line))[0] . "\n" if ($terse);
+
+	push(our @report, $line);
+
+	return 1;
+}
+sub report_dump {
+	our @report;
+}
+sub ERROR {
+	if (report("ERROR: $_[0]\n")) {
+		our $clean = 0;
+		our $cnt_error++;
+	}
+}
+sub WARN {
+	if (report("WARNING: $_[0]\n")) {
+		our $clean = 0;
+		our $cnt_warn++;
+	}
+}
+sub CHK {
+	if ($check && report("CHECK: $_[0]\n")) {
+		our $clean = 0;
+		our $cnt_chk++;
+	}
+}
+
+sub check_absolute_file {
+	my ($absolute, $herecurr) = @_;
+	my $file = $absolute;
+
+	##print "absolute<$absolute>\n";
+
+	# See if any suffix of this path is a path within the tree.
+	while ($file =~ s@^[^/]*/@@) {
+		if (-f "$root/$file") {
+			##print "file<$file>\n";
+			last;
+		}
+	}
+	if (! -f _)  {
+		return 0;
+	}
+
+	# It is, so see if the prefix is acceptable.
+	my $prefix = $absolute;
+	substr($prefix, -length($file)) = '';
+
+	##print "prefix<$prefix>\n";
+	if ($prefix ne ".../") {
+		WARN("use relative pathname instead of absolute in changelog text\n" . $herecurr);
+	}
+}
+
+sub process {
+	my $filename = shift;
+
+	my $linenr=0;
+	my $prevline="";
+	my $prevrawline="";
+	my $stashline="";
+	my $stashrawline="";
+
+	my $length;
+	my $indent;
+	my $previndent=0;
+	my $stashindent=0;
+
+	our $clean = 1;
+	my $signoff = 0;
+	my $is_patch = 0;
+
+	our @report = ();
+	our $cnt_lines = 0;
+	our $cnt_error = 0;
+	our $cnt_warn = 0;
+	our $cnt_chk = 0;
+
+	# Trace the real file/line as we go.
+	my $realfile = '';
+	my $realline = 0;
+	my $realcnt = 0;
+	my $here = '';
+	my $in_comment = 0;
+	my $comment_edge = 0;
+	my $first_line = 0;
+	my $p1_prefix = '';
+
+	my $prev_values = 'E';
+
+	# suppression flags
+	my %suppress_ifbraces;
+	my %suppress_whiletrailers;
+	my %suppress_export;
+
+	# Pre-scan the patch sanitizing the lines.
+	# Pre-scan the patch looking for any __setup documentation.
+	#
+	my @setup_docs = ();
+	my $setup_docs = 0;
+
+	sanitise_line_reset();
+	my $line;
+	foreach my $rawline (@rawlines) {
+		$linenr++;
+		$line = $rawline;
+
+		if ($rawline=~/^\+\+\+\s+(\S+)/) {
+			$setup_docs = 0;
+			if ($1 =~ m at Documentation/kernel-parameters.txt$@) {
+				$setup_docs = 1;
+			}
+			#next;
+		}
+		if ($rawline=~/^\@\@ -\d+(?:,\d+)? \+(\d+)(,(\d+))? \@\@/) {
+			$realline=$1-1;
+			if (defined $2) {
+				$realcnt=$3+1;
+			} else {
+				$realcnt=1+1;
+			}
+			$in_comment = 0;
+
+			# Guestimate if this is a continuing comment.  Run
+			# the context looking for a comment "edge".  If this
+			# edge is a close comment then we must be in a comment
+			# at context start.
+			my $edge;
+			my $cnt = $realcnt;
+			for (my $ln = $linenr + 1; $cnt > 0; $ln++) {
+				next if (defined $rawlines[$ln - 1] &&
+					 $rawlines[$ln - 1] =~ /^-/);
+				$cnt--;
+				#print "RAW<$rawlines[$ln - 1]>\n";
+				last if (!defined $rawlines[$ln - 1]);
+				if ($rawlines[$ln - 1] =~ m@(/\*|\*/)@ &&
+				    $rawlines[$ln - 1] !~ m@"[^"]*(?:/\*|\*/)[^"]*"@) {
+					($edge) = $1;
+					last;
+				}
+			}
+			if (defined $edge && $edge eq '*/') {
+				$in_comment = 1;
+			}
+
+			# Guestimate if this is a continuing comment.  If this
+			# is the start of a diff block and this line starts
+			# ' *' then it is very likely a comment.
+			if (!defined $edge &&
+			    $rawlines[$linenr] =~ m@^.\s*(?:\*\*+| \*)(?:\s|$)@)
+			{
+				$in_comment = 1;
+			}
+
+			##print "COMMENT:$in_comment edge<$edge> $rawline\n";
+			sanitise_line_reset($in_comment);
+
+		} elsif ($realcnt && $rawline =~ /^(?:\+| |$)/) {
+			# Standardise the strings and chars within the input to
+			# simplify matching -- only bother with positive lines.
+			$line = sanitise_line($rawline);
+		}
+		push(@lines, $line);
+
+		if ($realcnt > 1) {
+			$realcnt-- if ($line =~ /^(?:\+| |$)/);
+		} else {
+			$realcnt = 0;
+		}
+
+		#print "==>$rawline\n";
+		#print "-->$line\n";
+
+		if ($setup_docs && $line =~ /^\+/) {
+			push(@setup_docs, $line);
+		}
+	}
+
+	$prefix = '';
+
+	$realcnt = 0;
+	$linenr = 0;
+	foreach my $line (@lines) {
+		$linenr++;
+
+		my $rawline = $rawlines[$linenr - 1];
+
+#extract the line range in the file after the patch is applied
+		if ($line=~/^\@\@ -\d+(?:,\d+)? \+(\d+)(,(\d+))? \@\@/) {
+			$is_patch = 1;
+			$first_line = $linenr + 1;
+			$realline=$1-1;
+			if (defined $2) {
+				$realcnt=$3+1;
+			} else {
+				$realcnt=1+1;
+			}
+			annotate_reset();
+			$prev_values = 'E';
+
+			%suppress_ifbraces = ();
+			%suppress_whiletrailers = ();
+			%suppress_export = ();
+			next;
+
+# track the line number as we move through the hunk, note that
+# new versions of GNU diff omit the leading space on completely
+# blank context lines so we need to count that too.
+		} elsif ($line =~ /^( |\+|$)/) {
+			$realline++;
+			$realcnt-- if ($realcnt != 0);
+
+			# Measure the line length and indent.
+			($length, $indent) = line_stats($rawline);
+
+			# Track the previous line.
+			($prevline, $stashline) = ($stashline, $line);
+			($previndent, $stashindent) = ($stashindent, $indent);
+			($prevrawline, $stashrawline) = ($stashrawline, $rawline);
+
+			#warn "line<$line>\n";
+
+		} elsif ($realcnt == 1) {
+			$realcnt--;
+		}
+
+		my $hunk_line = ($realcnt != 0);
+
+#make up the handle for any error we report on this line
+		$prefix = "$filename:$realline: " if ($emacs && $file);
+		$prefix = "$filename:$linenr: " if ($emacs && !$file);
+
+		$here = "#$linenr: " if (!$file);
+		$here = "#$realline: " if ($file);
+
+		# extract the filename as it passes
+		if ($line =~ /^diff --git.*?(\S+)$/) {
+			$realfile = $1;
+			$realfile =~ s@^([^/]*)/@@;
+
+		} elsif ($line =~ /^\+\+\+\s+(\S+)/) {
+			$realfile = $1;
+			$realfile =~ s@^([^/]*)/@@;
+
+			$p1_prefix = $1;
+			if (!$file && $tree && $p1_prefix ne '' &&
+			    -e "$root/$p1_prefix") {
+				WARN("patch prefix '$p1_prefix' exists, appears to be a -p0 patch\n");
+			}
+
+			if ($realfile =~ m@^include/asm/@) {
+				ERROR("do not modify files in include/asm, change architecture specific files in include/asm-<architecture>\n" . "$here$rawline\n");
+			}
+			next;
+		}
+
+		$here .= "FILE: $realfile:$realline:" if ($realcnt != 0);
+
+		my $hereline = "$here\n$rawline\n";
+		my $herecurr = "$here\n$rawline\n";
+		my $hereprev = "$here\n$prevrawline\n$rawline\n";
+
+		$cnt_lines++ if ($realcnt != 0);
+
+# Check for incorrect file permissions
+		if ($line =~ /^new (file )?mode.*[7531]\d{0,2}$/) {
+			my $permhere = $here . "FILE: $realfile\n";
+			if ($realfile =~ /(Makefile|Kconfig|\.c|\.h|\.S|\.tmpl)$/) {
+				ERROR("do not set execute permissions for source files\n" . $permhere);
+			}
+		}
+
+#check the patch for a signoff:
+		if ($line =~ /^\s*signed-off-by:/i) {
+			# This is a signoff, if ugly, so do not double report.
+			$signoff++;
+			if (!($line =~ /^\s*Signed-off-by:/)) {
+				WARN("Signed-off-by: is the preferred form\n" .
+					$herecurr);
+			}
+			if ($line =~ /^\s*signed-off-by:\S/i) {
+				WARN("space required after Signed-off-by:\n" .
+					$herecurr);
+			}
+		}
+
+# Check for wrappage within a valid hunk of the file
+		if ($realcnt != 0 && $line !~ m{^(?:\+|-| |\\ No newline|$)}) {
+			ERROR("patch seems to be corrupt (line wrapped?)\n" .
+				$herecurr) if (!$emitted_corrupt++);
+		}
+
+# Check for absolute kernel paths.
+		if ($tree) {
+			while ($line =~ m{(?:^|\s)(/\S*)}g) {
+				my $file = $1;
+
+				if ($file =~ m{^(.*?)(?::\d+)+:?$} &&
+				    check_absolute_file($1, $herecurr)) {
+					#
+				} else {
+					check_absolute_file($file, $herecurr);
+				}
+			}
+		}
+
+# UTF-8 regex found at http://www.w3.org/International/questions/qa-forms-utf-8.en.php
+		if (($realfile =~ /^$/ || $line =~ /^\+/) &&
+		    $rawline !~ m/^$UTF8*$/) {
+			my ($utf8_prefix) = ($rawline =~ /^($UTF8*)/);
+
+			my $blank = copy_spacing($rawline);
+			my $ptr = substr($blank, 0, length($utf8_prefix)) . "^";
+			my $hereptr = "$hereline$ptr\n";
+
+			ERROR("Invalid UTF-8, patch and commit message should be encoded in UTF-8\n" . $hereptr);
+		}
+
+# ignore non-hunk lines and lines being removed
+		next if (!$hunk_line || $line =~ /^-/);
+
+#trailing whitespace
+		if ($line =~ /^\+.*\015/) {
+			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
+			ERROR("DOS line endings\n" . $herevet);
+
+		} elsif ($rawline =~ /^\+.*\S\s+$/ || $rawline =~ /^\+\s+$/) {
+			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
+			ERROR("trailing whitespace\n" . $herevet);
+			$rpt_cleaners = 1;
+		}
+
+# check for Kconfig help text having a real description
+# Only applies when adding the entry originally, after that we do not have
+# sufficient context to determine whether it is indeed long enough.
+		if ($realfile =~ /Kconfig/ &&
+		    $line =~ /\+\s*(?:---)?help(?:---)?$/) {
+			my $length = 0;
+			my $cnt = $realcnt;
+			my $ln = $linenr + 1;
+			my $f;
+			my $is_end = 0;
+			while ($cnt > 0 && defined $lines[$ln - 1]) {
+				$f = $lines[$ln - 1];
+				$cnt-- if ($lines[$ln - 1] !~ /^-/);
+				$is_end = $lines[$ln - 1] =~ /^\+/;
+				$ln++;
+
+				next if ($f =~ /^-/);
+				$f =~ s/^.//;
+				$f =~ s/#.*//;
+				$f =~ s/^\s+//;
+				next if ($f =~ /^$/);
+				if ($f =~ /^\s*config\s/) {
+					$is_end = 1;
+					last;
+				}
+				$length++;
+			}
+			WARN("please write a paragraph that describes the config symbol fully\n" . $herecurr) if ($is_end && $length < 4);
+			#print "is_end<$is_end> length<$length>\n";
+		}
+
+# check we are in a valid source file if not then ignore this hunk
+		next if ($realfile !~ /\.(h|c|s|S|pl|sh)$/);
+
+#80 column limit
+		if ($line =~ /^\+/ && $prevrawline !~ /\/\*\*/ &&
+		    $rawline !~ /^.\s*\*\s*\@$Ident\s/ &&
+		    !($line =~ /^\+\s*$logFunctions\s*\(\s*(?:(KERN_\S+\s*|[^"]*))?"[X\t]*"\s*(?:,|\)\s*;)\s*$/ ||
+		    $line =~ /^\+\s*"[^"]*"\s*(?:\s*|,|\)\s*;)\s*$/) &&
+		    $length > 80)
+		{
+			WARN("line over 80 characters\n" . $herecurr);
+		}
+
+# check for spaces before a quoted newline
+		if ($rawline =~ /^.*\".*\s\\n/) {
+			WARN("unnecessary whitespace before a quoted newline\n" . $herecurr);
+		}
+
+# check for adding lines without a newline.
+		if ($line =~ /^\+/ && defined $lines[$linenr] && $lines[$linenr] =~ /^\\ No newline at end of file/) {
+			WARN("adding a line without newline at end of file\n" . $herecurr);
+		}
+
+# Blackfin: use hi/lo macros
+		if ($realfile =~ m at arch/blackfin/.*\.S$@) {
+			if ($line =~ /\.[lL][[:space:]]*=.*&[[:space:]]*0x[fF][fF][fF][fF]/) {
+				my $herevet = "$here\n" . cat_vet($line) . "\n";
+				ERROR("use the LO() macro, not (... & 0xFFFF)\n" . $herevet);
+			}
+			if ($line =~ /\.[hH][[:space:]]*=.*>>[[:space:]]*16/) {
+				my $herevet = "$here\n" . cat_vet($line) . "\n";
+				ERROR("use the HI() macro, not (... >> 16)\n" . $herevet);
+			}
+		}
+
+# check we are in a valid source file C or perl if not then ignore this hunk
+		next if ($realfile !~ /\.(h|c|pl)$/);
+
+# at the beginning of a line any tabs must come first and anything
+# more than 8 must use tabs.
+		if ($rawline =~ /^\+\s* \t\s*\S/ ||
+		    $rawline =~ /^\+\s*        \s*/) {
+			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
+			ERROR("code indent should use tabs where possible\n" . $herevet);
+			$rpt_cleaners = 1;
+		}
+
+# check for space before tabs.
+		if ($rawline =~ /^\+/ && $rawline =~ / \t/) {
+			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
+			WARN("please, no space before tabs\n" . $herevet);
+		}
+
+# check for spaces at the beginning of a line.
+# Exceptions:
+#  1) within comments
+#  2) indented preprocessor commands
+#  3) hanging labels
+		if ($rawline =~ /^\+ / && $line !~ /\+ *(?:$;|#|$Ident:)/)  {
+			my $herevet = "$here\n" . cat_vet($rawline) . "\n";
+			WARN("please, no spaces at the start of a line\n" . $herevet);
+		}
+
+# check we are in a valid C source file if not then ignore this hunk
+		next if ($realfile !~ /\.(h|c)$/);
+
+# check for RCS/CVS revision markers
+		if ($rawline =~ /^\+.*\$(Revision|Log|Id)(?:\$|)/) {
+			WARN("CVS style keyword markers, these will _not_ be updated\n". $herecurr);
+		}
+
+# Blackfin: don't use __builtin_bfin_[cs]sync
+		if ($line =~ /__builtin_bfin_csync/) {
+			my $herevet = "$here\n" . cat_vet($line) . "\n";
+			ERROR("use the CSYNC() macro in asm/blackfin.h\n" . $herevet);
+		}
+		if ($line =~ /__builtin_bfin_ssync/) {
+			my $herevet = "$here\n" . cat_vet($line) . "\n";
+			ERROR("use the SSYNC() macro in asm/blackfin.h\n" . $herevet);
+		}
+
+# Check for potential 'bare' types
+		my ($stat, $cond, $line_nr_next, $remain_next, $off_next,
+		    $realline_next);
+		if ($realcnt && $line =~ /.\s*\S/) {
+			($stat, $cond, $line_nr_next, $remain_next, $off_next) =
+				ctx_statement_block($linenr, $realcnt, 0);
+			$stat =~ s/\n./\n /g;
+			$cond =~ s/\n./\n /g;
+
+			# Find the real next line.
+			$realline_next = $line_nr_next;
+			if (defined $realline_next &&
+			    (!defined $lines[$realline_next - 1] ||
+			     substr($lines[$realline_next - 1], $off_next) =~ /^\s*$/)) {
+				$realline_next++;
+			}
+
+			my $s = $stat;
+			$s =~ s/{.*$//s;
+
+			# Ignore goto labels.
+			if ($s =~ /$Ident:\*$/s) {
+
+			# Ignore functions being called
+			} elsif ($s =~ /^.\s*$Ident\s*\(/s) {
+
+			} elsif ($s =~ /^.\s*else\b/s) {
+
+			# declarations always start with types
+			} elsif ($prev_values eq 'E' && $s =~ /^.\s*(?:$Storage\s+)?(?:$Inline\s+)?(?:const\s+)?((?:\s*$Ident)+?)\b(?:\s+$Sparse)?\s*\**\s*(?:$Ident|\(\*[^\)]*\))(?:\s*$Modifier)?\s*(?:;|=|,|\()/s) {
+				my $type = $1;
+				$type =~ s/\s+/ /g;
+				possible($type, "A:" . $s);
+
+			# definitions in global scope can only start with types
+			} elsif ($s =~ /^.(?:$Storage\s+)?(?:$Inline\s+)?(?:const\s+)?($Ident)\b\s*(?!:)/s) {
+				possible($1, "B:" . $s);
+			}
+
+			# any (foo ... *) is a pointer cast, and foo is a type
+			while ($s =~ /\(($Ident)(?:\s+$Sparse)*[\s\*]+\s*\)/sg) {
+				possible($1, "C:" . $s);
+			}
+
+			# Check for any sort of function declaration.
+			# int foo(something bar, other baz);
+			# void (*store_gdt)(x86_descr_ptr *);
+			if ($prev_values eq 'E' && $s =~ /^(.(?:typedef\s*)?(?:(?:$Storage|$Inline)\s*)*\s*$Type\s*(?:\b$Ident|\(\*\s*$Ident\))\s*)\(/s) {
+				my ($name_len) = length($1);
+
+				my $ctx = $s;
+				substr($ctx, 0, $name_len + 1, '');
+				$ctx =~ s/\)[^\)]*$//;
+
+				for my $arg (split(/\s*,\s*/, $ctx)) {
+					if ($arg =~ /^(?:const\s+)?($Ident)(?:\s+$Sparse)*\s*\**\s*(:?\b$Ident)?$/s || $arg =~ /^($Ident)$/s) {
+
+						possible($1, "D:" . $s);
+					}
+				}
+			}
+
+		}
+
+#
+# Checks which may be anchored in the context.
+#
+
+# Check for switch () and associated case and default
+# statements should be at the same indent.
+		if ($line=~/\bswitch\s*\(.*\)/) {
+			my $err = '';
+			my $sep = '';
+			my @ctx = ctx_block_outer($linenr, $realcnt);
+			shift(@ctx);
+			for my $ctx (@ctx) {
+				my ($clen, $cindent) = line_stats($ctx);
+				if ($ctx =~ /^\+\s*(case\s+|default:)/ &&
+							$indent != $cindent) {
+					$err .= "$sep$ctx\n";
+					$sep = '';
+				} else {
+					$sep = "[...]\n";
+				}
+			}
+			if ($err ne '') {
+				ERROR("switch and case should be at the same indent\n$hereline$err");
+			}
+		}
+
+# if/while/etc brace do not go on next line, unless defining a do while loop,
+# or if that brace on the next line is for something else
+		if ($line =~ /(.*)\b((?:if|while|for|switch)\s*\(|do\b|else\b)/ && $line !~ /^.\s*\#/) {
+			my $pre_ctx = "$1$2";
+
+			my ($level, @ctx) = ctx_statement_level($linenr, $realcnt, 0);
+			my $ctx_cnt = $realcnt - $#ctx - 1;
+			my $ctx = join("\n", @ctx);
+
+			my $ctx_ln = $linenr;
+			my $ctx_skip = $realcnt;
+
+			while ($ctx_skip > $ctx_cnt || ($ctx_skip == $ctx_cnt &&
+					defined $lines[$ctx_ln - 1] &&
+					$lines[$ctx_ln - 1] =~ /^-/)) {
+				##print "SKIP<$ctx_skip> CNT<$ctx_cnt>\n";
+				$ctx_skip-- if (!defined $lines[$ctx_ln - 1] || $lines[$ctx_ln - 1] !~ /^-/);
+				$ctx_ln++;
+			}
+
+			#print "realcnt<$realcnt> ctx_cnt<$ctx_cnt>\n";
+			#print "pre<$pre_ctx>\nline<$line>\nctx<$ctx>\nnext<$lines[$ctx_ln - 1]>\n";
+
+			if ($ctx !~ /{\s*/ && defined($lines[$ctx_ln -1]) && $lines[$ctx_ln - 1] =~ /^\+\s*{/) {
+				ERROR("that open brace { should be on the previous line\n" .
+					"$here\n$ctx\n$rawlines[$ctx_ln - 1]\n");
+			}
+			if ($level == 0 && $pre_ctx !~ /}\s*while\s*\($/ &&
+			    $ctx =~ /\)\s*\;\s*$/ &&
+			    defined $lines[$ctx_ln - 1])
+			{
+				my ($nlength, $nindent) = line_stats($lines[$ctx_ln - 1]);
+				if ($nindent > $indent) {
+					WARN("trailing semicolon indicates no statements, indent implies otherwise\n" .
+						"$here\n$ctx\n$rawlines[$ctx_ln - 1]\n");
+				}
+			}
+		}
+
+# Check relative indent for conditionals and blocks.
+		if ($line =~ /\b(?:(?:if|while|for)\s*\(|do\b)/ && $line !~ /^.\s*#/ && $line !~ /\}\s*while\s*/) {
+			my ($s, $c) = ($stat, $cond);
+
+			substr($s, 0, length($c), '');
+
+			# Make sure we remove the line prefixes as we have
+			# none on the first line, and are going to readd them
+			# where necessary.
+			$s =~ s/\n./\n/gs;
+
+			# Find out how long the conditional actually is.
+			my @newlines = ($c =~ /\n/gs);
+			my $cond_lines = 1 + $#newlines;
+
+			# We want to check the first line inside the block
+			# starting at the end of the conditional, so remove:
+			#  1) any blank line termination
+			#  2) any opening brace { on end of the line
+			#  3) any do (...) {
+			my $continuation = 0;
+			my $check = 0;
+			$s =~ s/^.*\bdo\b//;
+			$s =~ s/^\s*{//;
+			if ($s =~ s/^\s*\\//) {
+				$continuation = 1;
+			}
+			if ($s =~ s/^\s*?\n//) {
+				$check = 1;
+				$cond_lines++;
+			}
+
+			# Also ignore a loop construct at the end of a
+			# preprocessor statement.
+			if (($prevline =~ /^.\s*#\s*define\s/ ||
+			    $prevline =~ /\\\s*$/) && $continuation == 0) {
+				$check = 0;
+			}
+
+			my $cond_ptr = -1;
+			$continuation = 0;
+			while ($cond_ptr != $cond_lines) {
+				$cond_ptr = $cond_lines;
+
+				# If we see an #else/#elif then the code
+				# is not linear.
+				if ($s =~ /^\s*\#\s*(?:else|elif)/) {
+					$check = 0;
+				}
+
+				# Ignore:
+				#  1) blank lines, they should be at 0,
+				#  2) preprocessor lines, and
+				#  3) labels.
+				if ($continuation ||
+				    $s =~ /^\s*?\n/ ||
+				    $s =~ /^\s*#\s*?/ ||
+				    $s =~ /^\s*$Ident\s*:/) {
+					$continuation = ($s =~ /^.*?\\\n/) ? 1 : 0;
+					if ($s =~ s/^.*?\n//) {
+						$cond_lines++;
+					}
+				}
+			}
+
+			my (undef, $sindent) = line_stats("+" . $s);
+			my $stat_real = raw_line($linenr, $cond_lines);
+
+			# Check if either of these lines are modified, else
+			# this is not this patch's fault.
+			if (!defined($stat_real) ||
+			    $stat !~ /^\+/ && $stat_real !~ /^\+/) {
+				$check = 0;
+			}
+			if (defined($stat_real) && $cond_lines > 1) {
+				$stat_real = "[...]\n$stat_real";
+			}
+
+			#print "line<$line> prevline<$prevline> indent<$indent> sindent<$sindent> check<$check> continuation<$continuation> s<$s> cond_lines<$cond_lines> stat_real<$stat_real> stat<$stat>\n";
+
+			if ($check && (($sindent % 8) != 0 ||
+			    ($sindent <= $indent && $s ne ''))) {
+				WARN("suspect code indent for conditional statements ($indent, $sindent)\n" . $herecurr . "$stat_real\n");
+			}
+		}
+
+		# Track the 'values' across context and added lines.
+		my $opline = $line; $opline =~ s/^./ /;
+		my ($curr_values, $curr_vars) =
+				annotate_values($opline . "\n", $prev_values);
+		$curr_values = $prev_values . $curr_values;
+		if ($dbg_values) {
+			my $outline = $opline; $outline =~ s/\t/ /g;
+			print "$linenr > .$outline\n";
+			print "$linenr > $curr_values\n";
+			print "$linenr >  $curr_vars\n";
+		}
+		$prev_values = substr($curr_values, -1);
+
+#ignore lines not being added
+		if ($line=~/^[^\+]/) {next;}
+
+# TEST: allow direct testing of the type matcher.
+		if ($dbg_type) {
+			if ($line =~ /^.\s*$Declare\s*$/) {
+				ERROR("TEST: is type\n" . $herecurr);
+			} elsif ($dbg_type > 1 && $line =~ /^.+($Declare)/) {
+				ERROR("TEST: is not type ($1 is)\n". $herecurr);
+			}
+			next;
+		}
+# TEST: allow direct testing of the attribute matcher.
+		if ($dbg_attr) {
+			if ($line =~ /^.\s*$Modifier\s*$/) {
+				ERROR("TEST: is attr\n" . $herecurr);
+			} elsif ($dbg_attr > 1 && $line =~ /^.+($Modifier)/) {
+				ERROR("TEST: is not attr ($1 is)\n". $herecurr);
+			}
+			next;
+		}
+
+# check for initialisation to aggregates open brace on the next line
+		if ($line =~ /^.\s*{/ &&
+		    $prevline =~ /(?:^|[^=])=\s*$/) {
+			ERROR("that open brace { should be on the previous line\n" . $hereprev);
+		}
+
+#
+# Checks which are anchored on the added line.
+#
+
+# check for malformed paths in #include statements (uses RAW line)
+		if ($rawline =~ m{^.\s*\#\s*include\s+[<"](.*)[">]}) {
+			my $path = $1;
+			if ($path =~ m{//}) {
+				ERROR("malformed #include filename\n" .
+					$herecurr);
+			}
+		}
+
+# no C99 // comments
+		if ($line =~ m{//}) {
+			ERROR("do not use C99 // comments\n" . $herecurr);
+		}
+		# Remove C99 comments.
+		$line =~ s@//.*@@;
+		$opline =~ s@//.*@@;
+
+# EXPORT_SYMBOL should immediately follow the thing it is exporting, consider
+# the whole statement.
+#print "APW <$lines[$realline_next - 1]>\n";
+		if (defined $realline_next &&
+		    exists $lines[$realline_next - 1] &&
+		    !defined $suppress_export{$realline_next} &&
+		    ($lines[$realline_next - 1] =~ /EXPORT_SYMBOL.*\((.*)\)/ ||
+		     $lines[$realline_next - 1] =~ /EXPORT_UNUSED_SYMBOL.*\((.*)\)/)) {
+			# Handle definitions which produce identifiers with
+			# a prefix:
+			#   XXX(foo);
+			#   EXPORT_SYMBOL(something_foo);
+			my $name = $1;
+			if ($stat =~ /^.([A-Z_]+)\s*\(\s*($Ident)/ &&
+			    $name =~ /^${Ident}_$2/) {
+#print "FOO C name<$name>\n";
+				$suppress_export{$realline_next} = 1;
+
+			} elsif ($stat !~ /(?:
+				\n.}\s*$|
+				^.DEFINE_$Ident\(\Q$name\E\)|
+				^.DECLARE_$Ident\(\Q$name\E\)|
+				^.LIST_HEAD\(\Q$name\E\)|
+				^.(?:$Storage\s+)?$Type\s*\(\s*\*\s*\Q$name\E\s*\)\s*\(|
+				\b\Q$name\E(?:\s+$Attribute)*\s*(?:;|=|\[|\()
+			    )/x) {
+#print "FOO A<$lines[$realline_next - 1]> stat<$stat> name<$name>\n";
+				$suppress_export{$realline_next} = 2;
+			} else {
+				$suppress_export{$realline_next} = 1;
+			}
+		}
+		if (!defined $suppress_export{$linenr} &&
+		    $prevline =~ /^.\s*$/ &&
+		    ($line =~ /EXPORT_SYMBOL.*\((.*)\)/ ||
+		     $line =~ /EXPORT_UNUSED_SYMBOL.*\((.*)\)/)) {
+#print "FOO B <$lines[$linenr - 1]>\n";
+			$suppress_export{$linenr} = 2;
+		}
+		if (defined $suppress_export{$linenr} &&
+		    $suppress_export{$linenr} == 2) {
+			WARN("EXPORT_SYMBOL(foo); should immediately follow its function/variable\n" . $herecurr);
+		}
+
+# check for global initialisers.
+		if ($line =~ /^.$Type\s*$Ident\s*(?:\s+$Modifier)*\s*=\s*(0|NULL|false)\s*;/) {
+			ERROR("do not initialise globals to 0 or NULL\n" .
+				$herecurr);
+		}
+# check for static initialisers.
+		if ($line =~ /\bstatic\s.*=\s*(0|NULL|false)\s*;/) {
+			ERROR("do not initialise statics to 0 or NULL\n" .
+				$herecurr);
+		}
+
+# check for new typedefs, only function parameters and sparse annotations
+# make sense.
+		if ($line =~ /\btypedef\s/ &&
+		    $line !~ /\btypedef\s+$Type\s*\(\s*\*?$Ident\s*\)\s*\(/ &&
+		    $line !~ /\btypedef\s+$Type\s+$Ident\s*\(/ &&
+		    $line !~ /\b$typeTypedefs\b/ &&
+		    $line !~ /\b__bitwise(?:__|)\b/) {
+			WARN("do not add new typedefs\n" . $herecurr);
+		}
+
+# * goes on variable not on type
+		# (char*[ const])
+		if ($line =~ m{\($NonptrType(\s*(?:$Modifier\b\s*|\*\s*)+)\)}) {
+			my ($from, $to) = ($1, $1);
+
+			# Should start with a space.
+			$to =~ s/^(\S)/ $1/;
+			# Should not end with a space.
+			$to =~ s/\s+$//;
+			# '*'s should not have spaces between.
+			while ($to =~ s/\*\s+\*/\*\*/) {
+			}
+
+			#print "from<$from> to<$to>\n";
+			if ($from ne $to) {
+				ERROR("\"(foo$from)\" should be \"(foo$to)\"\n" .  $herecurr);
+			}
+		} elsif ($line =~ m{\b$NonptrType(\s*(?:$Modifier\b\s*|\*\s*)+)($Ident)}) {
+			my ($from, $to, $ident) = ($1, $1, $2);
+
+			# Should start with a space.
+			$to =~ s/^(\S)/ $1/;
+			# Should not end with a space.
+			$to =~ s/\s+$//;
+			# '*'s should not have spaces between.
+			while ($to =~ s/\*\s+\*/\*\*/) {
+			}
+			# Modifiers should have spaces.
+			$to =~ s/(\b$Modifier$)/$1 /;
+
+			#print "from<$from> to<$to> ident<$ident>\n";
+			if ($from ne $to && $ident !~ /^$Modifier$/) {
+				ERROR("\"foo${from}bar\" should be \"foo${to}bar\"\n" .  $herecurr);
+			}
+		}
+
+# # no BUG() or BUG_ON()
+# 		if ($line =~ /\b(BUG|BUG_ON)\b/) {
+# 			print "Try to use WARN_ON & Recovery code rather than BUG() or BUG_ON()\n";
+# 			print "$herecurr";
+# 			$clean = 0;
+# 		}
+
+		if ($line =~ /\bLINUX_VERSION_CODE\b/) {
+			WARN("LINUX_VERSION_CODE should be avoided, code should be for the version to which it is merged\n" . $herecurr);
+		}
+
+# printk should use KERN_* levels.  Note that follow on printk's on the
+# same line do not need a level, so we use the current block context
+# to try and find and validate the current printk.  In summary the current
+# printk includes all preceeding printk's which have no newline on the end.
+# we assume the first bad printk is the one to report.
+		if ($line =~ /\bprintk\((?!KERN_)\s*"/) {
+			my $ok = 0;
+			for (my $ln = $linenr - 1; $ln >= $first_line; $ln--) {
+				#print "CHECK<$lines[$ln - 1]\n";
+				# we have a preceeding printk if it ends
+				# with "\n" ignore it, else it is to blame
+				if ($lines[$ln - 1] =~ m{\bprintk\(}) {
+					if ($rawlines[$ln - 1] !~ m{\\n"}) {
+						$ok = 1;
+					}
+					last;
+				}
+			}
+			if ($ok == 0) {
+				WARN("printk() should include KERN_ facility level\n" . $herecurr);
+			}
+		}
+
+# function brace can't be on same line, except for #defines of do while,
+# or if closed on same line
+		if (($line=~/$Type\s*$Ident\(.*\).*\s{/) and
+		    !($line=~/\#\s*define.*do\s{/) and !($line=~/}/)) {
+			ERROR("open brace '{' following function declarations go on the next line\n" . $herecurr);
+		}
+
+# open braces for enum, union and struct go on the same line.
+		if ($line =~ /^.\s*{/ &&
+		    $prevline =~ /^.\s*(?:typedef\s+)?(enum|union|struct)(?:\s+$Ident)?\s*$/) {
+			ERROR("open brace '{' following $1 go on the same line\n" . $hereprev);
+		}
+
+# missing space after union, struct or enum definition
+		if ($line =~ /^.\s*(?:typedef\s+)?(enum|union|struct)(?:\s+$Ident)?(?:\s+$Ident)?[=\{]/) {
+		    WARN("missing space after $1 definition\n" . $herecurr);
+		}
+
+# check for spacing round square brackets; allowed:
+#  1. with a type on the left -- int [] a;
+#  2. at the beginning of a line for slice initialisers -- [0...10] = 5,
+#  3. inside a curly brace -- = { [0...10] = 5 }
+		while ($line =~ /(.*?\s)\[/g) {
+			my ($where, $prefix) = ($-[1], $1);
+			if ($prefix !~ /$Type\s+$/ &&
+			    ($where != 0 || $prefix !~ /^.\s+$/) &&
+			    $prefix !~ /{\s+$/) {
+				ERROR("space prohibited before open square bracket '['\n" . $herecurr);
+			}
+		}
+
+# check for spaces between functions and their parentheses.
+		while ($line =~ /($Ident)\s+\(/g) {
+			my $name = $1;
+			my $ctx_before = substr($line, 0, $-[1]);
+			my $ctx = "$ctx_before$name";
+
+			# Ignore those directives where spaces _are_ permitted.
+			if ($name =~ /^(?:
+				if|for|while|switch|return|case|
+				volatile|__volatile__|
+				__attribute__|format|__extension__|
+				asm|__asm__)$/x)
+			{
+
+			# cpp #define statements have non-optional spaces, ie
+			# if there is a space between the name and the open
+			# parenthesis it is simply not a parameter group.
+			} elsif ($ctx_before =~ /^.\s*\#\s*define\s*$/) {
+
+			# cpp #elif statement condition may start with a (
+			} elsif ($ctx =~ /^.\s*\#\s*elif\s*$/) {
+
+			# If this whole things ends with a type its most
+			# likely a typedef for a function.
+			} elsif ($ctx =~ /$Type$/) {
+
+			} else {
+				WARN("space prohibited between function name and open parenthesis '('\n" . $herecurr);
+			}
+		}
+# Check operator spacing.
+		if (!($line=~/\#\s*include/)) {
+			my $ops = qr{
+				<<=|>>=|<=|>=|==|!=|
+				\+=|-=|\*=|\/=|%=|\^=|\|=|&=|
+				=>|->|<<|>>|<|>|=|!|~|
+				&&|\|\||,|\^|\+\+|--|&|\||\+|-|\*|\/|%|
+				\?|:
+			}x;
+			my @elements = split(/($ops|;)/, $opline);
+			my $off = 0;
+
+			my $blank = copy_spacing($opline);
+
+			for (my $n = 0; $n < $#elements; $n += 2) {
+				$off += length($elements[$n]);
+
+				# Pick up the preceeding and succeeding characters.
+				my $ca = substr($opline, 0, $off);
+				my $cc = '';
+				if (length($opline) >= ($off + length($elements[$n + 1]))) {
+					$cc = substr($opline, $off + length($elements[$n + 1]));
+				}
+				my $cb = "$ca$;$cc";
+
+				my $a = '';
+				$a = 'V' if ($elements[$n] ne '');
+				$a = 'W' if ($elements[$n] =~ /\s$/);
+				$a = 'C' if ($elements[$n] =~ /$;$/);
+				$a = 'B' if ($elements[$n] =~ /(\[|\()$/);
+				$a = 'O' if ($elements[$n] eq '');
+				$a = 'E' if ($ca =~ /^\s*$/);
+
+				my $op = $elements[$n + 1];
+
+				my $c = '';
+				if (defined $elements[$n + 2]) {
+					$c = 'V' if ($elements[$n + 2] ne '');
+					$c = 'W' if ($elements[$n + 2] =~ /^\s/);
+					$c = 'C' if ($elements[$n + 2] =~ /^$;/);
+					$c = 'B' if ($elements[$n + 2] =~ /^(\)|\]|;)/);
+					$c = 'O' if ($elements[$n + 2] eq '');
+					$c = 'E' if ($elements[$n + 2] =~ /^\s*\\$/);
+				} else {
+					$c = 'E';
+				}
+
+				my $ctx = "${a}x${c}";
+
+				my $at = "(ctx:$ctx)";
+
+				my $ptr = substr($blank, 0, $off) . "^";
+				my $hereptr = "$hereline$ptr\n";
+
+				# Pull out the value of this operator.
+				my $op_type = substr($curr_values, $off + 1, 1);
+
+				# Get the full operator variant.
+				my $opv = $op . substr($curr_vars, $off, 1);
+
+				# Ignore operators passed as parameters.
+				if ($op_type ne 'V' &&
+				    $ca =~ /\s$/ && $cc =~ /^\s*,/) {
+
+#				# Ignore comments
+#				} elsif ($op =~ /^$;+$/) {
+
+				# ; should have either the end of line or a space or \ after it
+				} elsif ($op eq ';') {
+					if ($ctx !~ /.x[WEBC]/ &&
+					    $cc !~ /^\\/ && $cc !~ /^;/) {
+						ERROR("space required after that '$op' $at\n" . $hereptr);
+					}
+
+				# // is a comment
+				} elsif ($op eq '//') {
+
+				# No spaces for:
+				#   ->
+				#   :   when part of a bitfield
+				} elsif ($op eq '->' || $opv eq ':B') {
+					if ($ctx =~ /Wx.|.xW/) {
+						ERROR("spaces prohibited around that '$op' $at\n" . $hereptr);
+					}
+
+				# , must have a space on the right.
+				} elsif ($op eq ',') {
+					if ($ctx !~ /.x[WEC]/ && $cc !~ /^}/) {
+						ERROR("space required after that '$op' $at\n" . $hereptr);
+					}
+
+				# '*' as part of a type definition -- reported already.
+				} elsif ($opv eq '*_') {
+					#warn "'*' is part of type\n";
+
+				# unary operators should have a space before and
+				# none after.  May be left adjacent to another
+				# unary operator, or a cast
+				} elsif ($op eq '!' || $op eq '~' ||
+					 $opv eq '*U' || $opv eq '-U' ||
+					 $opv eq '&U' || $opv eq '&&U') {
+					if ($ctx !~ /[WEBC]x./ && $ca !~ /(?:\)|!|~|\*|-|\&|\||\+\+|\-\-|\{)$/) {
+						ERROR("space required before that '$op' $at\n" . $hereptr);
+					}
+					if ($op eq '*' && $cc =~/\s*$Modifier\b/) {
+						# A unary '*' may be const
+
+					} elsif ($ctx =~ /.xW/) {
+						ERROR("space prohibited after that '$op' $at\n" . $hereptr);
+					}
+
+				# unary ++ and unary -- are allowed no space on one side.
+				} elsif ($op eq '++' or $op eq '--') {
+					if ($ctx !~ /[WEOBC]x[^W]/ && $ctx !~ /[^W]x[WOBEC]/) {
+						ERROR("space required one side of that '$op' $at\n" . $hereptr);
+					}
+					if ($ctx =~ /Wx[BE]/ ||
+					    ($ctx =~ /Wx./ && $cc =~ /^;/)) {
+						ERROR("space prohibited before that '$op' $at\n" . $hereptr);
+					}
+					if ($ctx =~ /ExW/) {
+						ERROR("space prohibited after that '$op' $at\n" . $hereptr);
+					}
+
+
+				# << and >> may either have or not have spaces both sides
+				} elsif ($op eq '<<' or $op eq '>>' or
+					 $op eq '&' or $op eq '^' or $op eq '|' or
+					 $op eq '+' or $op eq '-' or
+					 $op eq '*' or $op eq '/' or
+					 $op eq '%')
+				{
+					if ($ctx =~ /Wx[^WCE]|[^WCE]xW/) {
+						ERROR("need consistent spacing around '$op' $at\n" .
+							$hereptr);
+					}
+
+				# A colon needs no spaces before when it is
+				# terminating a case value or a label.
+				} elsif ($opv eq ':C' || $opv eq ':L') {
+					if ($ctx =~ /Wx./) {
+						ERROR("space prohibited before that '$op' $at\n" . $hereptr);
+					}
+
+				# All the others need spaces both sides.
+				} elsif ($ctx !~ /[EWC]x[CWE]/) {
+					my $ok = 0;
+
+					# Ignore email addresses <foo at bar>
+					if (($op eq '<' &&
+					     $cc =~ /^\S+\@\S+>/) ||
+					    ($op eq '>' &&
+					     $ca =~ /<\S+\@\S+$/))
+					{
+						$ok = 1;
+					}
+
+					# Ignore ?:
+					if (($opv eq ':O' && $ca =~ /\?$/) ||
+					    ($op eq '?' && $cc =~ /^:/)) {
+						$ok = 1;
+					}
+
+					if ($ok == 0) {
+						ERROR("spaces required around that '$op' $at\n" . $hereptr);
+					}
+				}
+				$off += length($elements[$n + 1]);
+			}
+		}
+
+# check for multiple assignments
+		if ($line =~ /^.\s*$Lval\s*=\s*$Lval\s*=(?!=)/) {
+			CHK("multiple assignments should be avoided\n" . $herecurr);
+		}
+
+## # check for multiple declarations, allowing for a function declaration
+## # continuation.
+## 		if ($line =~ /^.\s*$Type\s+$Ident(?:\s*=[^,{]*)?\s*,\s*$Ident.*/ &&
+## 		    $line !~ /^.\s*$Type\s+$Ident(?:\s*=[^,{]*)?\s*,\s*$Type\s*$Ident.*/) {
+##
+## 			# Remove any bracketed sections to ensure we do not
+## 			# falsly report the parameters of functions.
+## 			my $ln = $line;
+## 			while ($ln =~ s/\([^\(\)]*\)//g) {
+## 			}
+## 			if ($ln =~ /,/) {
+## 				WARN("declaring multiple variables together should be avoided\n" . $herecurr);
+## 			}
+## 		}
+
+#need space before brace following if, while, etc
+		if (($line =~ /\(.*\){/ && $line !~ /\($Type\){/) ||
+		    $line =~ /do{/) {
+			ERROR("space required before the open brace '{'\n" . $herecurr);
+		}
+
+# closing brace should have a space following it when it has anything
+# on the line
+		if ($line =~ /}(?!(?:,|;|\)))\S/) {
+			ERROR("space required after that close brace '}'\n" . $herecurr);
+		}
+
+# check spacing on square brackets
+		if ($line =~ /\[\s/ && $line !~ /\[\s*$/) {
+			ERROR("space prohibited after that open square bracket '['\n" . $herecurr);
+		}
+		if ($line =~ /\s\]/) {
+			ERROR("space prohibited before that close square bracket ']'\n" . $herecurr);
+		}
+
+# check spacing on parentheses
+		if ($line =~ /\(\s/ && $line !~ /\(\s*(?:\\)?$/ &&
+		    $line !~ /for\s*\(\s+;/) {
+			ERROR("space prohibited after that open parenthesis '('\n" . $herecurr);
+		}
+		if ($line =~ /(\s+)\)/ && $line !~ /^.\s*\)/ &&
+		    $line !~ /for\s*\(.*;\s+\)/ &&
+		    $line !~ /:\s+\)/) {
+			ERROR("space prohibited before that close parenthesis ')'\n" . $herecurr);
+		}
+
+#goto labels aren't indented, allow a single space however
+		if ($line=~/^.\s+[A-Za-z\d_]+:(?![0-9]+)/ and
+		   !($line=~/^. [A-Za-z\d_]+:/) and !($line=~/^.\s+default:/)) {
+			WARN("labels should not be indented\n" . $herecurr);
+		}
+
+# Return is not a function.
+		if (defined($stat) && $stat =~ /^.\s*return(\s*)(\(.*);/s) {
+			my $spacing = $1;
+			my $value = $2;
+
+			# Flatten any parentheses
+			$value =~ s/\(/ \(/g;
+			$value =~ s/\)/\) /g;
+			while ($value =~ s/\[[^\{\}]*\]/1/ ||
+			       $value !~ /(?:$Ident|-?$Constant)\s*
+					     $Compare\s*
+					     (?:$Ident|-?$Constant)/x &&
+			       $value =~ s/\([^\(\)]*\)/1/) {
+			}
+#print "value<$value>\n";
+			if ($value =~ /^\s*(?:$Ident|-?$Constant)\s*$/) {
+				ERROR("return is not a function, parentheses are not required\n" . $herecurr);
+
+			} elsif ($spacing !~ /\s+/) {
+				ERROR("space required before the open parenthesis '('\n" . $herecurr);
+			}
+		}
+# Return of what appears to be an errno should normally be -'ve
+		if ($line =~ /^.\s*return\s*(E[A-Z]*)\s*;/) {
+			my $name = $1;
+			if ($name ne 'EOF' && $name ne 'ERROR') {
+				CHK("return of an errno should typically be -ve (return -$1)\n" . $herecurr);
+			}
+		}
+
+# Need a space before open parenthesis after if, while etc
+		if ($line=~/\b(if|while|for|switch)\(/) {
+			ERROR("space required before the open parenthesis '('\n" . $herecurr);
+		}
+
+# Check for illegal assignment in if conditional -- and check for trailing
+# statements after the conditional.
+		if ($line =~ /do\s*(?!{)/) {
+			my ($stat_next) = ctx_statement_block($line_nr_next,
+						$remain_next, $off_next);
+			$stat_next =~ s/\n./\n /g;
+			##print "stat<$stat> stat_next<$stat_next>\n";
+
+			if ($stat_next =~ /^\s*while\b/) {
+				# If the statement carries leading newlines,
+				# then count those as offsets.
+				my ($whitespace) =
+					($stat_next =~ /^((?:\s*\n[+-])*\s*)/s);
+				my $offset =
+					statement_rawlines($whitespace) - 1;
+
+				$suppress_whiletrailers{$line_nr_next +
+								$offset} = 1;
+			}
+		}
+		if (!defined $suppress_whiletrailers{$linenr} &&
+		    $line =~ /\b(?:if|while|for)\s*\(/ && $line !~ /^.\s*#/) {
+			my ($s, $c) = ($stat, $cond);
+
+			if ($c =~ /\bif\s*\(.*[^<>!=]=[^=].*/s) {
+				ERROR("do not use assignment in if condition\n" . $herecurr);
+			}
+
+			# Find out what is on the end of the line after the
+			# conditional.
+			substr($s, 0, length($c), '');
+			$s =~ s/\n.*//g;
+			$s =~ s/$;//g; 	# Remove any comments
+			if (length($c) && $s !~ /^\s*{?\s*\\*\s*$/ &&
+			    $c !~ /}\s*while\s*/)
+			{
+				# Find out how long the conditional actually is.
+				my @newlines = ($c =~ /\n/gs);
+				my $cond_lines = 1 + $#newlines;
+				my $stat_real = '';
+
+				$stat_real = raw_line($linenr, $cond_lines)
+							. "\n" if ($cond_lines);
+				if (defined($stat_real) && $cond_lines > 1) {
+					$stat_real = "[...]\n$stat_real";
+				}
+
+				ERROR("trailing statements should be on next line\n" . $herecurr . $stat_real);
+			}
+		}
+
+# Check for bitwise tests written as boolean
+		if ($line =~ /
+			(?:
+				(?:\[|\(|\&\&|\|\|)
+				\s*0[xX][0-9]+\s*
+				(?:\&\&|\|\|)
+			|
+				(?:\&\&|\|\|)
+				\s*0[xX][0-9]+\s*
+				(?:\&\&|\|\||\)|\])
+			)/x)
+		{
+			WARN("boolean test with hexadecimal, perhaps just 1 \& or \|?\n" . $herecurr);
+		}
+
+# if and else should not have general statements after it
+		if ($line =~ /^.\s*(?:}\s*)?else\b(.*)/) {
+			my $s = $1;
+			$s =~ s/$;//g; 	# Remove any comments
+			if ($s !~ /^\s*(?:\sif|(?:{|)\s*\\?\s*$)/) {
+				ERROR("trailing statements should be on next line\n" . $herecurr);
+			}
+		}
+# if should not continue a brace
+		if ($line =~ /}\s*if\b/) {
+			ERROR("trailing statements should be on next line\n" .
+				$herecurr);
+		}
+# case and default should not have general statements after them
+		if ($line =~ /^.\s*(?:case\s*.*|default\s*):/g &&
+		    $line !~ /\G(?:
+			(?:\s*$;*)(?:\s*{)?(?:\s*$;*)(?:\s*\\)?\s*$|
+			\s*return\s+
+		    )/xg)
+		{
+			ERROR("trailing statements should be on next line\n" . $herecurr);
+		}
+
+		# Check for }<nl>else {, these must be at the same
+		# indent level to be relevant to each other.
+		if ($prevline=~/}\s*$/ and $line=~/^.\s*else\s*/ and
+						$previndent == $indent) {
+			ERROR("else should follow close brace '}'\n" . $hereprev);
+		}
+
+		if ($prevline=~/}\s*$/ and $line=~/^.\s*while\s*/ and
+						$previndent == $indent) {
+			my ($s, $c) = ctx_statement_block($linenr, $realcnt, 0);
+
+			# Find out what is on the end of the line after the
+			# conditional.
+			substr($s, 0, length($c), '');
+			$s =~ s/\n.*//g;
+
+			if ($s =~ /^\s*;/) {
+				ERROR("while should follow close brace '}'\n" . $hereprev);
+			}
+		}
+
+#studly caps, commented out until figure out how to distinguish between use of existing and adding new
+#		if (($line=~/[\w_][a-z\d]+[A-Z]/) and !($line=~/print/)) {
+#		    print "No studly caps, use _\n";
+#		    print "$herecurr";
+#		    $clean = 0;
+#		}
+
+#no spaces allowed after \ in define
+		if ($line=~/\#\s*define.*\\\s$/) {
+			WARN("Whitepspace after \\ makes next lines useless\n" . $herecurr);
+		}
+
+#warn if <asm/foo.h> is #included and <linux/foo.h> is available (uses RAW line)
+		if ($tree && $rawline =~ m{^.\s*\#\s*include\s*\<asm\/(.*)\.h\>}) {
+			my $file = "$1.h";
+			my $checkfile = "include/linux/$file";
+			if (-f "$root/$checkfile" &&
+			    $realfile ne $checkfile &&
+			    $1 !~ /$allowed_asm_includes/)
+			{
+				if ($realfile =~ m{^arch/}) {
+					CHK("Consider using #include <linux/$file> instead of <asm/$file>\n" . $herecurr);
+				} else {
+					WARN("Use #include <linux/$file> instead of <asm/$file>\n" . $herecurr);
+				}
+			}
+		}
+
+# multi-statement macros should be enclosed in a do while loop, grab the
+# first statement and ensure its the whole macro if its not enclosed
+# in a known good container
+		if ($realfile !~ m@/vmlinux.lds.h$@ &&
+		    $line =~ /^.\s*\#\s*define\s*$Ident(\()?/) {
+			my $ln = $linenr;
+			my $cnt = $realcnt;
+			my ($off, $dstat, $dcond, $rest);
+			my $ctx = '';
+
+			my $args = defined($1);
+
+			# Find the end of the macro and limit our statement
+			# search to that.
+			while ($cnt > 0 && defined $lines[$ln - 1] &&
+				$lines[$ln - 1] =~ /^(?:-|..*\\$)/)
+			{
+				$ctx .= $rawlines[$ln - 1] . "\n";
+				$cnt-- if ($lines[$ln - 1] !~ /^-/);
+				$ln++;
+			}
+			$ctx .= $rawlines[$ln - 1];
+
+			($dstat, $dcond, $ln, $cnt, $off) =
+				ctx_statement_block($linenr, $ln - $linenr + 1, 0);
+			#print "dstat<$dstat> dcond<$dcond> cnt<$cnt> off<$off>\n";
+			#print "LINE<$lines[$ln-1]> len<" . length($lines[$ln-1]) . "\n";
+
+			# Extract the remainder of the define (if any) and
+			# rip off surrounding spaces, and trailing \'s.
+			$rest = '';
+			while ($off != 0 || ($cnt > 0 && $rest =~ /\\\s*$/)) {
+				#print "ADDING cnt<$cnt> $off <" . substr($lines[$ln - 1], $off) . "> rest<$rest>\n";
+				if ($off != 0 || $lines[$ln - 1] !~ /^-/) {
+					$rest .= substr($lines[$ln - 1], $off) . "\n";
+					$cnt--;
+				}
+				$ln++;
+				$off = 0;
+			}
+			$rest =~ s/\\\n.//g;
+			$rest =~ s/^\s*//s;
+			$rest =~ s/\s*$//s;
+
+			# Clean up the original statement.
+			if ($args) {
+				substr($dstat, 0, length($dcond), '');
+			} else {
+				$dstat =~ s/^.\s*\#\s*define\s+$Ident\s*//;
+			}
+			$dstat =~ s/$;//g;
+			$dstat =~ s/\\\n.//g;
+			$dstat =~ s/^\s*//s;
+			$dstat =~ s/\s*$//s;
+
+			# Flatten any parentheses and braces
+			while ($dstat =~ s/\([^\(\)]*\)/1/ ||
+			       $dstat =~ s/\{[^\{\}]*\}/1/ ||
+			       $dstat =~ s/\[[^\{\}]*\]/1/)
+			{
+			}
+
+			my $exceptions = qr{
+				$Declare|
+				module_param_named|
+				MODULE_PARAM_DESC|
+				DECLARE_PER_CPU|
+				DEFINE_PER_CPU|
+				__typeof__\(|
+				union|
+				struct|
+				\.$Ident\s*=\s*|
+				^\"|\"$
+			}x;
+			#print "REST<$rest> dstat<$dstat> ctx<$ctx>\n";
+			if ($rest ne '' && $rest ne ',') {
+				if ($rest !~ /while\s*\(/ &&
+				    $dstat !~ /$exceptions/)
+				{
+					ERROR("Macros with multiple statements should be enclosed in a do - while loop\n" . "$here\n$ctx\n");
+				}
+
+			} elsif ($ctx !~ /;/) {
+				if ($dstat ne '' &&
+				    $dstat !~ /^(?:$Ident|-?$Constant)$/ &&
+				    $dstat !~ /$exceptions/ &&
+				    $dstat !~ /^\.$Ident\s*=/ &&
+				    $dstat =~ /$Operators/)
+				{
+					ERROR("Macros with complex values should be enclosed in parenthesis\n" . "$here\n$ctx\n");
+				}
+			}
+		}
+
+# make sure symbols are always wrapped with VMLINUX_SYMBOL() ...
+# all assignments may have only one of the following with an assignment:
+#	.
+#	ALIGN(...)
+#	VMLINUX_SYMBOL(...)
+		if ($realfile eq 'vmlinux.lds.h' && $line =~ /(?:(?:^|\s)$Ident\s*=|=\s*$Ident(?:\s|$))/) {
+			WARN("vmlinux.lds.h needs VMLINUX_SYMBOL() around C-visible symbols\n" . $herecurr);
+		}
+
+# check for redundant bracing round if etc
+		if ($line =~ /(^.*)\bif\b/ && $1 !~ /else\s*$/) {
+			my ($level, $endln, @chunks) =
+				ctx_statement_full($linenr, $realcnt, 1);
+			#print "chunks<$#chunks> linenr<$linenr> endln<$endln> level<$level>\n";
+			#print "APW: <<$chunks[1][0]>><<$chunks[1][1]>>\n";
+			if ($#chunks > 0 && $level == 0) {
+				my $allowed = 0;
+				my $seen = 0;
+				my $herectx = $here . "\n";
+				my $ln = $linenr - 1;
+				for my $chunk (@chunks) {
+					my ($cond, $block) = @{$chunk};
+
+					# If the condition carries leading newlines, then count those as offsets.
+					my ($whitespace) = ($cond =~ /^((?:\s*\n[+-])*\s*)/s);
+					my $offset = statement_rawlines($whitespace) - 1;
+
+					#print "COND<$cond> whitespace<$whitespace> offset<$offset>\n";
+
+					# We have looked at and allowed this specific line.
+					$suppress_ifbraces{$ln + $offset} = 1;
+
+					$herectx .= "$rawlines[$ln + $offset]\n[...]\n";
+					$ln += statement_rawlines($block) - 1;
+
+					substr($block, 0, length($cond), '');
+
+					$seen++ if ($block =~ /^\s*{/);
+
+					#print "cond<$cond> block<$block> allowed<$allowed>\n";
+					if (statement_lines($cond) > 1) {
+						#print "APW: ALLOWED: cond<$cond>\n";
+						$allowed = 1;
+					}
+					if ($block =~/\b(?:if|for|while)\b/) {
+						#print "APW: ALLOWED: block<$block>\n";
+						$allowed = 1;
+					}
+					if (statement_block_size($block) > 1) {
+						#print "APW: ALLOWED: lines block<$block>\n";
+						$allowed = 1;
+					}
+				}
+				if ($seen && !$allowed) {
+					WARN("braces {} are not necessary for any arm of this statement\n" . $herectx);
+				}
+			}
+		}
+		if (!defined $suppress_ifbraces{$linenr - 1} &&
+					$line =~ /\b(if|while|for|else)\b/) {
+			my $allowed = 0;
+
+			# Check the pre-context.
+			if (substr($line, 0, $-[0]) =~ /(\}\s*)$/) {
+				#print "APW: ALLOWED: pre<$1>\n";
+				$allowed = 1;
+			}
+
+			my ($level, $endln, @chunks) =
+				ctx_statement_full($linenr, $realcnt, $-[0]);
+
+			# Check the condition.
+			my ($cond, $block) = @{$chunks[0]};
+			#print "CHECKING<$linenr> cond<$cond> block<$block>\n";
+			if (defined $cond) {
+				substr($block, 0, length($cond), '');
+			}
+			if (statement_lines($cond) > 1) {
+				#print "APW: ALLOWED: cond<$cond>\n";
+				$allowed = 1;
+			}
+			if ($block =~/\b(?:if|for|while)\b/) {
+				#print "APW: ALLOWED: block<$block>\n";
+				$allowed = 1;
+			}
+			if (statement_block_size($block) > 1) {
+				#print "APW: ALLOWED: lines block<$block>\n";
+				$allowed = 1;
+			}
+			# Check the post-context.
+			if (defined $chunks[1]) {
+				my ($cond, $block) = @{$chunks[1]};
+				if (defined $cond) {
+					substr($block, 0, length($cond), '');
+				}
+				if ($block =~ /^\s*\{/) {
+					#print "APW: ALLOWED: chunk-1 block<$block>\n";
+					$allowed = 1;
+				}
+			}
+			if ($level == 0 && $block =~ /^\s*\{/ && !$allowed) {
+				my $herectx = $here . "\n";;
+				my $cnt = statement_rawlines($block);
+
+				for (my $n = 0; $n < $cnt; $n++) {
+					$herectx .= raw_line($linenr, $n) . "\n";;
+				}
+
+				WARN("braces {} are not necessary for single statement blocks\n" . $herectx);
+			}
+		}
+
+# don't include deprecated include files (uses RAW line)
+		for my $inc (@dep_includes) {
+			if ($rawline =~ m@^.\s*\#\s*include\s*\<$inc>@) {
+				ERROR("Don't use <$inc>: see Documentation/feature-removal-schedule.txt\n" . $herecurr);
+			}
+		}
+
+# don't use deprecated functions
+		for my $func (@dep_functions) {
+			if ($line =~ /\b$func\b/) {
+				ERROR("Don't use $func(): see Documentation/feature-removal-schedule.txt\n" . $herecurr);
+			}
+		}
+
+# no volatiles please
+		my $asm_volatile = qr{\b(__asm__|asm)\s+(__volatile__|volatile)\b};
+		if ($line =~ /\bvolatile\b/ && $line !~ /$asm_volatile/) {
+			WARN("Use of volatile is usually wrong: see Documentation/volatile-considered-harmful.txt\n" . $herecurr);
+		}
+
+# SPIN_LOCK_UNLOCKED & RW_LOCK_UNLOCKED are deprecated
+		if ($line =~ /\b(SPIN_LOCK_UNLOCKED|RW_LOCK_UNLOCKED)/) {
+			ERROR("Use of $1 is deprecated: see Documentation/spinlocks.txt\n" . $herecurr);
+		}
+
+# warn about #if 0
+		if ($line =~ /^.\s*\#\s*if\s+0\b/) {
+			CHK("if this code is redundant consider removing it\n" .
+				$herecurr);
+		}
+
+# check for needless kfree() checks
+		if ($prevline =~ /\bif\s*\(([^\)]*)\)/) {
+			my $expr = $1;
+			if ($line =~ /\bkfree\(\Q$expr\E\);/) {
+				WARN("kfree(NULL) is safe this check is probably not required\n" . $hereprev);
+			}
+		}
+# check for needless usb_free_urb() checks
+		if ($prevline =~ /\bif\s*\(([^\)]*)\)/) {
+			my $expr = $1;
+			if ($line =~ /\busb_free_urb\(\Q$expr\E\);/) {
+				WARN("usb_free_urb(NULL) is safe this check is probably not required\n" . $hereprev);
+			}
+		}
+
+# prefer usleep_range over udelay
+		if ($line =~ /\budelay\s*\(\s*(\w+)\s*\)/) {
+			# ignore udelay's < 10, however
+			if (! (($1 =~ /(\d+)/) && ($1 < 10)) ) {
+				CHK("usleep_range is preferred over udelay; see Documentation/timers/timers-howto.txt\n" . $line);
+			}
+		}
+
+# warn about unexpectedly long msleep's
+		if ($line =~ /\bmsleep\s*\((\d+)\);/) {
+			if ($1 < 20) {
+				WARN("msleep < 20ms can sleep for up to 20ms; see Documentation/timers/timers-howto.txt\n" . $line);
+			}
+		}
+
+# warn about #ifdefs in C files
+#		if ($line =~ /^.\s*\#\s*if(|n)def/ && ($realfile =~ /\.c$/)) {
+#			print "#ifdef in C files should be avoided\n";
+#			print "$herecurr";
+#			$clean = 0;
+#		}
+
+# warn about spacing in #ifdefs
+		if ($line =~ /^.\s*\#\s*(ifdef|ifndef|elif)\s\s+/) {
+			ERROR("exactly one space required after that #$1\n" . $herecurr);
+		}
+
+# check for spinlock_t definitions without a comment.
+		if ($line =~ /^.\s*(struct\s+mutex|spinlock_t)\s+\S+;/ ||
+		    $line =~ /^.\s*(DEFINE_MUTEX)\s*\(/) {
+			my $which = $1;
+			if (!ctx_has_comment($first_line, $linenr)) {
+				CHK("$1 definition without comment\n" . $herecurr);
+			}
+		}
+# check for memory barriers without a comment.
+		if ($line =~ /\b(mb|rmb|wmb|read_barrier_depends|smp_mb|smp_rmb|smp_wmb|smp_read_barrier_depends)\(/) {
+			if (!ctx_has_comment($first_line, $linenr)) {
+				CHK("memory barrier without comment\n" . $herecurr);
+			}
+		}
+# check of hardware specific defines
+		if ($line =~ m@^.\s*\#\s*if.*\b(__i386__|__powerpc64__|__sun__|__s390x__)\b@ && $realfile !~ m at include/asm-@) {
+			CHK("architecture specific defines should be avoided\n" .  $herecurr);
+		}
+
+# Check that the storage class is at the beginning of a declaration
+		if ($line =~ /\b$Storage\b/ && $line !~ /^.\s*$Storage\b/) {
+			WARN("storage class should be at the beginning of the declaration\n" . $herecurr)
+		}
+
+# check the location of the inline attribute, that it is between
+# storage class and type.
+		if ($line =~ /\b$Type\s+$Inline\b/ ||
+		    $line =~ /\b$Inline\s+$Storage\b/) {
+			ERROR("inline keyword should sit between storage class and type\n" . $herecurr);
+		}
+
+# Check for __inline__ and __inline, prefer inline
+		if ($line =~ /\b(__inline__|__inline)\b/) {
+			WARN("plain inline is preferred over $1\n" . $herecurr);
+		}
+
+# check for sizeof(&)
+		if ($line =~ /\bsizeof\s*\(\s*\&/) {
+			WARN("sizeof(& should be avoided\n" . $herecurr);
+		}
+
+# check for new externs in .c files.
+		if ($realfile =~ /\.c$/ && defined $stat &&
+		    $stat =~ /^.\s*(?:extern\s+)?$Type\s+($Ident)(\s*)\(/s)
+		{
+			my $function_name = $1;
+			my $paren_space = $2;
+
+			my $s = $stat;
+			if (defined $cond) {
+				substr($s, 0, length($cond), '');
+			}
+			if ($s =~ /^\s*;/ &&
+			    $function_name ne 'uninitialized_var')
+			{
+				WARN("externs should be avoided in .c files\n" .  $herecurr);
+			}
+
+			if ($paren_space =~ /\n/) {
+				WARN("arguments for function declarations should follow identifier\n" . $herecurr);
+			}
+
+		} elsif ($realfile =~ /\.c$/ && defined $stat &&
+		    $stat =~ /^.\s*extern\s+/)
+		{
+			WARN("externs should be avoided in .c files\n" .  $herecurr);
+		}
+
+# checks for new __setup's
+		if ($rawline =~ /\b__setup\("([^"]*)"/) {
+			my $name = $1;
+
+			if (!grep(/$name/, @setup_docs)) {
+				CHK("__setup appears un-documented -- check Documentation/kernel-parameters.txt\n" . $herecurr);
+			}
+		}
+
+# check for pointless casting of kmalloc return
+		if ($line =~ /\*\s*\)\s*k[czm]alloc\b/) {
+			WARN("unnecessary cast may hide bugs, see http://c-faq.com/malloc/mallocnocast.html\n" . $herecurr);
+		}
+
+# check for gcc specific __FUNCTION__
+		if ($line =~ /__FUNCTION__/) {
+			WARN("__func__ should be used instead of gcc specific __FUNCTION__\n"  . $herecurr);
+		}
+
+# check for semaphores used as mutexes
+		if ($line =~ /^.\s*(DECLARE_MUTEX|init_MUTEX)\s*\(/) {
+			WARN("mutexes are preferred for single holder semaphores\n" . $herecurr);
+		}
+# check for semaphores used as mutexes
+		if ($line =~ /^.\s*init_MUTEX_LOCKED\s*\(/) {
+			WARN("consider using a completion\n" . $herecurr);
+
+		}
+# recommend strict_strto* over simple_strto*
+		if ($line =~ /\bsimple_(strto.*?)\s*\(/) {
+			WARN("consider using strict_$1 in preference to simple_$1\n" . $herecurr);
+		}
+# check for __initcall(), use device_initcall() explicitly please
+		if ($line =~ /^.\s*__initcall\s*\(/) {
+			WARN("please use device_initcall() instead of __initcall()\n" . $herecurr);
+		}
+# check for various ops structs, ensure they are const.
+		my $struct_ops = qr{acpi_dock_ops|
+				address_space_operations|
+				backlight_ops|
+				block_device_operations|
+				dentry_operations|
+				dev_pm_ops|
+				dma_map_ops|
+				extent_io_ops|
+				file_lock_operations|
+				file_operations|
+				hv_ops|
+				ide_dma_ops|
+				intel_dvo_dev_ops|
+				item_operations|
+				iwl_ops|
+				kgdb_arch|
+				kgdb_io|
+				kset_uevent_ops|
+				lock_manager_operations|
+				microcode_ops|
+				mtrr_ops|
+				neigh_ops|
+				nlmsvc_binding|
+				pci_raw_ops|
+				pipe_buf_operations|
+				platform_hibernation_ops|
+				platform_suspend_ops|
+				proto_ops|
+				rpc_pipe_ops|
+				seq_operations|
+				snd_ac97_build_ops|
+				soc_pcmcia_socket_ops|
+				stacktrace_ops|
+				sysfs_ops|
+				tty_operations|
+				usb_mon_operations|
+				wd_ops}x;
+		if ($line !~ /\bconst\b/ &&
+		    $line =~ /\bstruct\s+($struct_ops)\b/) {
+			WARN("struct $1 should normally be const\n" .
+				$herecurr);
+		}
+
+# use of NR_CPUS is usually wrong
+# ignore definitions of NR_CPUS and usage to define arrays as likely right
+		if ($line =~ /\bNR_CPUS\b/ &&
+		    $line !~ /^.\s*\s*#\s*if\b.*\bNR_CPUS\b/ &&
+		    $line !~ /^.\s*\s*#\s*define\b.*\bNR_CPUS\b/ &&
+		    $line !~ /^.\s*$Declare\s.*\[[^\]]*NR_CPUS[^\]]*\]/ &&
+		    $line !~ /\[[^\]]*\.\.\.[^\]]*NR_CPUS[^\]]*\]/ &&
+		    $line !~ /\[[^\]]*NR_CPUS[^\]]*\.\.\.[^\]]*\]/)
+		{
+			WARN("usage of NR_CPUS is often wrong - consider using cpu_possible(), num_possible_cpus(), for_each_possible_cpu(), etc\n" . $herecurr);
+		}
+
+# check for %L{u,d,i} in strings
+		my $string;
+		while ($line =~ /(?:^|")([X\t]*)(?:"|$)/g) {
+			$string = substr($rawline, $-[1], $+[1] - $-[1]);
+			$string =~ s/%%/__/g;
+			if ($string =~ /(?<!%)%L[udi]/) {
+				WARN("\%Ld/%Lu are not-standard C, use %lld/%llu\n" . $herecurr);
+				last;
+			}
+		}
+
+# whine mightly about in_atomic
+		if ($line =~ /\bin_atomic\s*\(/) {
+			if ($realfile =~ m@^drivers/@) {
+				ERROR("do not use in_atomic in drivers\n" . $herecurr);
+			} elsif ($realfile !~ m@^kernel/@) {
+				WARN("use of in_atomic() is incorrect outside core kernel code\n" . $herecurr);
+			}
+		}
+
+# check for lockdep_set_novalidate_class
+		if ($line =~ /^.\s*lockdep_set_novalidate_class\s*\(/ ||
+		    $line =~ /__lockdep_no_validate__\s*\)/ ) {
+			if ($realfile !~ m@^kernel/lockdep@ &&
+			    $realfile !~ m@^include/linux/lockdep@ &&
+			    $realfile !~ m@^drivers/base/core@) {
+				ERROR("lockdep_no_validate class is reserved for device->mutex.\n" . $herecurr);
+			}
+		}
+	}
+
+	# If we have no input at all, then there is nothing to report on
+	# so just keep quiet.
+	if ($#rawlines == -1) {
+		exit(0);
+	}
+
+	# In mailback mode only produce a report in the negative, for
+	# things that appear to be patches.
+	if ($mailback && ($clean == 1 || !$is_patch)) {
+		exit(0);
+	}
+
+	# This is not a patch, and we are are in 'no-patch' mode so
+	# just keep quiet.
+	if (!$chk_patch && !$is_patch) {
+		exit(0);
+	}
+
+	if (!$is_patch) {
+		ERROR("Does not appear to be a unified-diff format patch\n");
+	}
+	if ($is_patch && $chk_signoff && $signoff == 0) {
+		ERROR("Missing Signed-off-by: line(s)\n");
+	}
+
+	print report_dump();
+	if ($summary && !($clean == 1 && $quiet == 1)) {
+		print "$filename " if ($summary_file);
+		print "total: $cnt_error errors, $cnt_warn warnings, " .
+			(($check)? "$cnt_chk checks, " : "") .
+			"$cnt_lines lines checked\n";
+		print "\n" if ($quiet == 0);
+	}
+
+	if ($quiet == 0) {
+		# If there were whitespace errors which cleanpatch can fix
+		# then suggest that.
+		if ($rpt_cleaners) {
+			print "NOTE: whitespace errors detected, you may wish to use scripts/cleanpatch or\n";
+			print "      scripts/cleanfile\n\n";
+		}
+	}
+
+	if ($clean == 1 && $quiet == 0) {
+		print "$vname has no obvious style problems and is ready for submission.\n"
+	}
+	if ($clean == 0 && $quiet == 0) {
+		print "$vname has style problems, please review.  If any of these errors\n";
+		print "are false positives report them to the maintainer, see\n";
+		print "CHECKPATCH in MAINTAINERS.\n";
+	}
+
+	return $clean;
+}
commit 4c3b5a4891c44ebbc23d80f95e5b66e2ec66b8b1
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Jan 20 20:54:21 2011 +0000

    Add scripts directory
    
    Move build and user scripts into scripts directory.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index 6d601ee..eca4c76 100644
--- a/Makefile
+++ b/Makefile
@@ -47,7 +47,7 @@ config-all-devices.mak: $(SUBDIR_DEVICES_MAK)
 -include $(SUBDIR_DEVICES_MAK_DEP)
 
 %/config-devices.mak: default-configs/%.mak
-	$(call quiet-command,$(SHELL) $(SRC_PATH)/make_device_config.sh $@ $<, "  GEN   $@")
+	$(call quiet-command,$(SHELL) $(SRC_PATH)/scripts/make_device_config.sh $@ $<, "  GEN   $@")
 	@if test -f $@; then \
 	  if cmp -s $@.old $@; then \
 	    mv $@.tmp $@; \
@@ -76,7 +76,7 @@ build-all: $(DOCS) $(TOOLS) recurse-all
 config-host.h: config-host.h-timestamp
 config-host.h-timestamp: config-host.mak
 qemu-options.def: $(SRC_PATH)/qemu-options.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN   $@")
 
 SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
 
@@ -118,12 +118,12 @@ else
 trace.h: trace.h-timestamp
 endif
 trace.h-timestamp: $(SRC_PATH)/trace-events config-host.mak
-	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   trace.h")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   trace.h")
 	@cmp -s $@ trace.h || cp $@ trace.h
 
 trace.c: trace.c-timestamp
 trace.c-timestamp: $(SRC_PATH)/trace-events config-host.mak
-	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -c < $< > $@,"  GEN   trace.c")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/tracetool --$(TRACE_BACKEND) -c < $< > $@,"  GEN   trace.c")
 	@cmp -s $@ trace.c || cp $@ trace.c
 
 trace.o: trace.c $(GENERATED_HEADERS)
@@ -136,7 +136,7 @@ trace-dtrace.h: trace-dtrace.dtrace
 # rule file. So we use '.dtrace' instead
 trace-dtrace.dtrace: trace-dtrace.dtrace-timestamp
 trace-dtrace.dtrace-timestamp: $(SRC_PATH)/trace-events config-host.mak
-	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -d < $< > $@,"  GEN   trace-dtrace.dtrace")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/tracetool --$(TRACE_BACKEND) -d < $< > $@,"  GEN   trace-dtrace.dtrace")
 	@cmp -s $@ trace-dtrace.dtrace || cp $@ trace-dtrace.dtrace
 
 trace-dtrace.o: trace-dtrace.dtrace $(GENERATED_HEADERS)
@@ -160,7 +160,7 @@ qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(oslib-obj-y) $(trace-ob
 qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(oslib-obj-y) $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
 qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN   $@")
 
 check-qint.o check-qstring.o check-qdict.o check-qlist.o check-qfloat.o check-qjson.o: $(GENERATED_HEADERS)
 
@@ -282,32 +282,32 @@ TEXIFLAG=$(if $(V),,--quiet)
 	$(call quiet-command,texi2pdf $(TEXIFLAG) -I . $<,"  GEN   $@")
 
 qemu-options.texi: $(SRC_PATH)/qemu-options.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -t < $< > $@,"  GEN   $@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -t < $< > $@,"  GEN   $@")
 
 qemu-monitor.texi: $(SRC_PATH)/hmp-commands.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -t < $< > $@,"  GEN   $@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -t < $< > $@,"  GEN   $@")
 
 QMP/qmp-commands.txt: $(SRC_PATH)/qmp-commands.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -q < $< > $@,"  GEN   $@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -q < $< > $@,"  GEN   $@")
 
 qemu-img-cmds.texi: $(SRC_PATH)/qemu-img-cmds.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -t < $< > $@,"  GEN   $@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -t < $< > $@,"  GEN   $@")
 
 qemu.1: qemu-doc.texi qemu-options.texi qemu-monitor.texi
 	$(call quiet-command, \
-	  perl -Ww -- $(SRC_PATH)/texi2pod.pl $< qemu.pod && \
+	  perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< qemu.pod && \
 	  pod2man --section=1 --center=" " --release=" " qemu.pod > $@, \
 	  "  GEN   $@")
 
 qemu-img.1: qemu-img.texi qemu-img-cmds.texi
 	$(call quiet-command, \
-	  perl -Ww -- $(SRC_PATH)/texi2pod.pl $< qemu-img.pod && \
+	  perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< qemu-img.pod && \
 	  pod2man --section=1 --center=" " --release=" " qemu-img.pod > $@, \
 	  "  GEN   $@")
 
 qemu-nbd.8: qemu-nbd.texi
 	$(call quiet-command, \
-	  perl -Ww -- $(SRC_PATH)/texi2pod.pl $< qemu-nbd.pod && \
+	  perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< qemu-nbd.pod && \
 	  pod2man --section=8 --center=" " --release=" " qemu-nbd.pod > $@, \
 	  "  GEN   $@")
 
diff --git a/Makefile.target b/Makefile.target
index e15b1c4..cd2abde 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -52,7 +52,7 @@ TARGET_TYPE=system
 endif
 
 $(QEMU_PROG).stp:
-	$(call quiet-command,sh $(SRC_PATH)/tracetool \
+	$(call quiet-command,sh $(SRC_PATH)/scripts/tracetool \
 		--$(TRACE_BACKEND) \
 		--binary $(bindir)/$(QEMU_PROG) \
 		--target-arch $(TARGET_ARCH) \
@@ -344,14 +344,14 @@ $(QEMU_PROG): $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y)
 	$(call LINK,$(obj-y) $(obj-$(TARGET_BASE_ARCH)-y))
 
 
-gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/feature_to_c.sh
-	$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/feature_to_c.sh $@ $(TARGET_XML_FILES),"  GEN   $(TARGET_DIR)$@")
+gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/scripts/feature_to_c.sh
+	$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES),"  GEN   $(TARGET_DIR)$@")
 
 hmp-commands.h: $(SRC_PATH)/hmp-commands.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
 
 qmp-commands.h: $(SRC_PATH)/qmp-commands.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
+	$(call quiet-command,sh $(SRC_PATH)/scripts/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
 
 clean:
 	rm -f *.o *.a *~ $(PROGS) nwfpe/*.o fpu/*.o
diff --git a/configure b/configure
index d68f862..210670c 100755
--- a/configure
+++ b/configure
@@ -2266,7 +2266,7 @@ fi
 ##########################################
 # check if trace backend exists
 
-sh "$source_path/tracetool" "--$trace_backend" --check-backend > /dev/null 2> /dev/null
+sh "$source_path/scripts/tracetool" "--$trace_backend" --check-backend > /dev/null 2> /dev/null
 if test "$?" -ne 0 ; then
   echo
   echo "Error: invalid trace backend"
diff --git a/create_config b/create_config
deleted file mode 100755
index 0098e68..0000000
--- a/create_config
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/sh
-
-echo "/* Automatically generated by create_config - do not modify */"
-
-while read line; do
-
-case $line in
- VERSION=*) # configuration
-    version=${line#*=}
-    echo "#define QEMU_VERSION \"$version\""
-    ;;
- PKGVERSION=*) # configuration
-    pkgversion=${line#*=}
-    echo "#define QEMU_PKGVERSION \"$pkgversion\""
-    ;;
- prefix=* | [a-z]*dir=*) # directory configuration
-    name=${line%=*}
-    value=${line#*=}
-    define_name=`echo $name | tr '[:lower:]' '[:upper:]'`
-    eval "define_value=\"$value\""
-    echo "#define CONFIG_QEMU_$define_name \"$define_value\""
-    # save for the next definitions
-    eval "$name=\$define_value"
-    ;;
- CONFIG_AUDIO_DRIVERS=*)
-    drivers=${line#*=}
-    echo "#define CONFIG_AUDIO_DRIVERS \\"
-    for drv in $drivers; do
-      echo "    &${drv}_audio_driver,\\"
-    done
-    echo ""
-    ;;
- CONFIG_BDRV_WHITELIST=*)
-    echo "#define CONFIG_BDRV_WHITELIST \\"
-    for drv in ${line#*=}; do
-      echo "    \"${drv}\",\\"
-    done
-    echo "    NULL"
-    ;;
- CONFIG_*=y) # configuration
-    name=${line%=*}
-    echo "#define $name 1"
-    ;;
- CONFIG_*=*) # configuration
-    name=${line%=*}
-    value=${line#*=}
-    echo "#define $name $value"
-    ;;
- ARCH=*) # configuration
-    arch=${line#*=}
-    arch_name=`echo $arch | tr '[:lower:]' '[:upper:]'`
-    echo "#define HOST_$arch_name 1"
-    ;;
- HOST_USB=*)
-    # do nothing
-    ;;
- HOST_CC=*)
-    # do nothing
-    ;;
- HOST_*=y) # configuration
-    name=${line%=*}
-    echo "#define $name 1"
-    ;;
- HOST_*=*) # configuration
-    name=${line%=*}
-    value=${line#*=}
-    echo "#define $name $value"
-    ;;
- TARGET_ARCH=*) # configuration
-    target_arch=${line#*=}
-    echo "#define TARGET_ARCH \"$target_arch\""
-    ;;
- TARGET_BASE_ARCH=*) # configuration
-    target_base_arch=${line#*=}
-    if [ "$target_base_arch" != "$target_arch" ]; then
-      base_arch_name=`echo $target_base_arch | tr '[:lower:]' '[:upper:]'`
-      echo "#define TARGET_$base_arch_name 1"
-    fi
-    ;;
- TARGET_XML_FILES=*)
-    # do nothing
-    ;;
- TARGET_ABI_DIR=*)
-    # do nothing
-    ;;
- TARGET_ARCH2=*)
-    # do nothing
-    ;;
- TARGET_DIRS=*)
-    # do nothing
-    ;;
- TARGET_*=y) # configuration
-    name=${line%=*}
-    echo "#define $name 1"
-    ;;
- TARGET_*=*) # configuration
-    name=${line%=*}
-    value=${line#*=}
-    echo "#define $name $value"
-    ;;
-esac
-
-done # read
diff --git a/feature_to_c.sh b/feature_to_c.sh
deleted file mode 100644
index 0994d95..0000000
--- a/feature_to_c.sh
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/sh
-
-# Convert text files to compilable C arrays.
-#
-# Copyright (C) 2007 Free Software Foundation, Inc.
-#
-# This file is part of GDB.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
-
-output=$1
-shift
-
-if test -z "$output" || test -z "$1"; then
-  echo "Usage: $0 OUTPUTFILE INPUTFILE..."
-  exit 1
-fi
-
-if test -e "$output"; then
-  echo "Output file \"$output\" already exists; refusing to overwrite."
-  exit 1
-fi
-
-for input; do
-  arrayname=xml_feature_`echo $input | sed 's,.*/,,; s/[-.]/_/g'`
-
-  ${AWK:-awk} 'BEGIN { n = 0
-      print "static const char '$arrayname'[] = {"
-      for (i = 0; i < 255; i++)
-        _ord_[sprintf("%c", i)] = i
-    } {
-      split($0, line, "");
-      printf "  "
-      for (i = 1; i <= length($0); i++) {
-        c = line[i]
-        if (c == "'\''") {
-          printf "'\''\\'\'''\'', "
-        } else if (c == "\\") {
-          printf "'\''\\\\'\'', "
-        } else if (_ord_[c] >= 32 && _ord_[c] < 127) {
-	  printf "'\''%s'\'', ", c
-        } else {
-          printf "'\''\\%03o'\'', ", _ord_[c]
-        }
-        if (i % 10 == 0)
-          printf "\n   "
-      }
-      printf "'\''\\n'\'', \n"
-    } END {
-      print "  0 };"
-    }' < $input >> $output
-done
-
-echo >> $output
-echo "const char *const xml_builtin[][2] = {" >> $output
-
-for input; do
-  basename=`echo $input | sed 's,.*/,,'`
-  arrayname=xml_feature_`echo $input | sed 's,.*/,,; s/[-.]/_/g'`
-  echo "  { \"$basename\", $arrayname }," >> $output
-done
-
-echo "  { (char *)0, (char *)0 }" >> $output
-echo "};" >> $output
diff --git a/gdbstub.h b/gdbstub.h
index ce5fdcc..d82334f 100644
--- a/gdbstub.h
+++ b/gdbstub.h
@@ -38,7 +38,7 @@ int gdbserver_start(int);
 int gdbserver_start(const char *port);
 #endif
 
-/* in gdbstub-xml.c, generated by feature_to_c.sh */
+/* in gdbstub-xml.c, generated by scripts/feature_to_c.sh */
 extern const char *const xml_builtin[][2];
 
 #endif
diff --git a/hxtool b/hxtool
deleted file mode 100644
index 7ca83ed..0000000
--- a/hxtool
+++ /dev/null
@@ -1,102 +0,0 @@
-#!/bin/sh
-
-hxtoh()
-{
-    flag=1
-    while read -r str; do
-        case $str in
-            HXCOMM*)
-            ;;
-            STEXI*|ETEXI*|SQMP*|EQMP*) flag=$(($flag^1))
-            ;;
-            *)
-            test $flag -eq 1 && printf "%s\n" "$str"
-            ;;
-        esac
-    done
-}
-
-hxtotexi()
-{
-    flag=0
-    line=1
-    while read -r str; do
-        case "$str" in
-            HXCOMM*)
-            ;;
-            STEXI*)
-            if test $flag -eq 1 ; then
-                echo "line $line: syntax error: expected ETEXI, found $str" >&2
-                exit 1
-            fi
-            flag=1
-            ;;
-            ETEXI*)
-            if test $flag -ne 1 ; then
-                echo "line $line: syntax error: expected STEXI, found $str" >&2
-                exit 1
-            fi
-            flag=0
-            ;;
-            SQMP*|EQMP*)
-            if test $flag -eq 1 ; then
-                echo "line $line: syntax error: expected ETEXI, found $str" >&2
-                exit 1
-            fi
-            ;;
-            DEFHEADING*)
-            echo "$(expr "$str" : "DEFHEADING(\(.*\))")"
-            ;;
-            *)
-            test $flag -eq 1 && echo "$str"
-            ;;
-        esac
-        line=$((line+1))
-    done
-}
-
-hxtoqmp()
-{
-    IFS=
-    flag=0
-    line=1
-    while read -r str; do
-        case "$str" in
-            HXCOMM*)
-            ;;
-            SQMP*)
-            if test $flag -eq 1 ; then
-                echo "line $line: syntax error: expected EQMP, found $str" >&2
-                exit 1
-            fi
-            flag=1
-            ;;
-            EQMP*)
-            if test $flag -ne 1 ; then
-                echo "line $line: syntax error: expected SQMP, found $str" >&2
-                exit 1
-            fi
-            flag=0
-            ;;
-            STEXI*|ETEXI*)
-            if test $flag -eq 1 ; then
-                echo "line $line: syntax error: expected EQMP, found $str" >&2
-                exit 1
-            fi
-            ;;
-            *)
-            test $flag -eq 1 && echo "$str"
-            ;;
-        esac
-        line=$((line+1))
-    done
-}
-
-case "$1" in
-"-h") hxtoh ;;
-"-t") hxtotexi ;;
-"-q") hxtoqmp ;;
-*) exit 1 ;;
-esac
-
-exit 0
diff --git a/make_device_config.sh b/make_device_config.sh
deleted file mode 100644
index 5d14885..0000000
--- a/make_device_config.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/sh
-# Construct a target device config file from a default, pulling in any
-# files from include directives.
-
-dest=$1.tmp
-dep=$1.d
-src=$2
-src_dir=`dirname $src`
-all_includes=
-
-process_includes () {
-  cat $1 | grep '^include' | \
-  while read include file ; do
-    all_includes="$all_includes $src_dir/$file"
-    process_includes $src_dir/$file
-  done
-}
-
-f=$src
-while [ -n "$f" ] ; do
-  f=`tr -d '\r' < $f | awk '/^include / {printf "'$src_dir'/%s", $2}'`
-  [ $? = 0 ] || exit 1
-  all_includes="$all_includes $f"
-done
-process_includes $src > $dest
-
-cat $src $all_includes | grep -v '^include' > $dest
-echo "$1: $all_includes" > $dep
diff --git a/pc-bios/optionrom/Makefile b/pc-bios/optionrom/Makefile
index b4be31e..51da288 100644
--- a/pc-bios/optionrom/Makefile
+++ b/pc-bios/optionrom/Makefile
@@ -23,7 +23,7 @@ build-all: multiboot.bin linuxboot.bin
 	$(call quiet-command,$(OBJCOPY) -O binary -j .text $< $@,"  Building $(TARGET_DIR)$@")
 
 %.bin: %.raw
-	$(call quiet-command,$(SHELL) $(SRC_PATH)/pc-bios/optionrom/signrom.sh $< $@,"  Signing $(TARGET_DIR)$@")
+	$(call quiet-command,$(SHELL) $(SRC_PATH)/scripts/signrom.sh $< $@,"  Signing $(TARGET_DIR)$@")
 
 clean:
 	rm -f *.o *.d *.raw *.img *.bin *~
diff --git a/pc-bios/optionrom/signrom.sh b/pc-bios/optionrom/signrom.sh
deleted file mode 100755
index 9dc5c63..0000000
--- a/pc-bios/optionrom/signrom.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/sh
-
-# Option ROM Signing utility
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, see <http://www.gnu.org/licenses/>.
-#
-# Copyright Novell Inc, 2009
-#   Authors: Alexander Graf <agraf at suse.de>
-#
-# Syntax: signrom.sh <input> <output>
-
-# did we get proper arguments?
-test "$1" -a "$2" || exit 1
-
-sum=0
-
-# find out the file size
-x=`dd if="$1" bs=1 count=1 skip=2 2>/dev/null | od -t u1 -A n`
-#size=`expr $x \* 512 - 1`
-size=$(( $x * 512 - 1 ))
-
-# now get the checksum
-nums=`od -A n -t u1 -v -N $size "$1"`
-for i in ${nums}; do
-    # add each byte's value to sum
-    sum=`expr \( $sum + $i \) % 256`
-done
-
-sum=$(( (256 - $sum) % 256 ))
-sum_octal=$( printf "%o" $sum )
-
-# and write the output file
-cp "$1" "$2"
-printf "\\$sum_octal" | dd of="$2" bs=1 count=1 seek=$size conv=notrunc 2>/dev/null
diff --git a/qemu-binfmt-conf.sh b/qemu-binfmt-conf.sh
deleted file mode 100644
index c50beb7..0000000
--- a/qemu-binfmt-conf.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC program execution by the kernel
-
-# load the binfmt_misc module
-if [ ! -d /proc/sys/fs/binfmt_misc ]; then
-  /sbin/modprobe binfmt_misc
-fi
-if [ ! -f /proc/sys/fs/binfmt_misc/register ]; then
-  mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc
-fi
-
-# probe cpu type
-cpu=`uname -m`
-case "$cpu" in
-  i386|i486|i586|i686|i86pc|BePC|x86_64)
-    cpu="i386"
-  ;;
-  m68k)
-    cpu="m68k"
-  ;;
-  mips*)
-    cpu="mips"
-  ;;
-  "Power Macintosh"|ppc|ppc64)
-    cpu="ppc"
-  ;;
-  armv[4-9]*)
-    cpu="arm"
-  ;;
-esac
-
-# register the interpreter for each cpu except for the native one
-if [ $cpu != "i386" ] ; then
-    echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-i386:' > /proc/sys/fs/binfmt_misc/register
-    echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-i386:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "alpha" ] ; then
-    echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-alpha:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "arm" ] ; then
-    echo   ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-arm:' > /proc/sys/fs/binfmt_misc/register
-    echo   ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-armeb:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "sparc" ] ; then
-    echo   ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-sparc:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "ppc" ] ; then
-    echo   ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-ppc:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "m68k" ] ; then
-    echo   'Please check cpu value and header information for m68k!'
-    echo   ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-m68k:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "mips" ] ; then
-    # FIXME: We could use the other endianness on a MIPS host.
-    echo   ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mips:' > /proc/sys/fs/binfmt_misc/register
-    echo   ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mipsel:' > /proc/sys/fs/binfmt_misc/register
-    echo   ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mipsn32:' > /proc/sys/fs/binfmt_misc/register
-    echo   ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mipsn32el:' > /proc/sys/fs/binfmt_misc/register
-    echo   ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mips64:' > /proc/sys/fs/binfmt_misc/register
-    echo   ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mips64el:' > /proc/sys/fs/binfmt_misc/register
-fi
-if [ $cpu != "sh" ] ; then
-    echo    ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-sh4:' > /proc/sys/fs/binfmt_misc/register
-    echo    ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-sh4eb:' > /proc/sys/fs/binfmt_misc/register
-fi
diff --git a/qemu-doc.texi b/qemu-doc.texi
index 45190f6..22a8663 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -2132,7 +2132,7 @@ Then you can launch the precompiled @file{ls} x86 executable:
 @example
 qemu-i386 tests/i386/ls
 @end example
-You can look at @file{qemu-binfmt-conf.sh} so that
+You can look at @file{scripts/qemu-binfmt-conf.sh} so that
 QEMU is automatically launched by the Linux kernel when you try to
 launch x86 executables. It requires the @code{binfmt_misc} module in the
 Linux kernel.
diff --git a/rules.mak b/rules.mak
index 738eec3..ed59c9e 100644
--- a/rules.mak
+++ b/rules.mak
@@ -57,7 +57,7 @@ find-in-path = $(if $(find-string /, $1), \
 	@test -f $@ || cp $< $@
 
 %.h-timestamp: %.mak
-	$(call quiet-command, sh $(SRC_PATH)/create_config < $< > $@, "  GEN   $*.h")
+	$(call quiet-command, sh $(SRC_PATH)/scripts/create_config < $< > $@, "  GEN   $*.h")
 	@cmp $@ $*.h >/dev/null 2>&1 || cp $@ $*.h
 
 # will delete the target of a rule if commands exit with a nonzero exit status
diff --git a/scripts/create_config b/scripts/create_config
new file mode 100755
index 0000000..0098e68
--- /dev/null
+++ b/scripts/create_config
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+echo "/* Automatically generated by create_config - do not modify */"
+
+while read line; do
+
+case $line in
+ VERSION=*) # configuration
+    version=${line#*=}
+    echo "#define QEMU_VERSION \"$version\""
+    ;;
+ PKGVERSION=*) # configuration
+    pkgversion=${line#*=}
+    echo "#define QEMU_PKGVERSION \"$pkgversion\""
+    ;;
+ prefix=* | [a-z]*dir=*) # directory configuration
+    name=${line%=*}
+    value=${line#*=}
+    define_name=`echo $name | tr '[:lower:]' '[:upper:]'`
+    eval "define_value=\"$value\""
+    echo "#define CONFIG_QEMU_$define_name \"$define_value\""
+    # save for the next definitions
+    eval "$name=\$define_value"
+    ;;
+ CONFIG_AUDIO_DRIVERS=*)
+    drivers=${line#*=}
+    echo "#define CONFIG_AUDIO_DRIVERS \\"
+    for drv in $drivers; do
+      echo "    &${drv}_audio_driver,\\"
+    done
+    echo ""
+    ;;
+ CONFIG_BDRV_WHITELIST=*)
+    echo "#define CONFIG_BDRV_WHITELIST \\"
+    for drv in ${line#*=}; do
+      echo "    \"${drv}\",\\"
+    done
+    echo "    NULL"
+    ;;
+ CONFIG_*=y) # configuration
+    name=${line%=*}
+    echo "#define $name 1"
+    ;;
+ CONFIG_*=*) # configuration
+    name=${line%=*}
+    value=${line#*=}
+    echo "#define $name $value"
+    ;;
+ ARCH=*) # configuration
+    arch=${line#*=}
+    arch_name=`echo $arch | tr '[:lower:]' '[:upper:]'`
+    echo "#define HOST_$arch_name 1"
+    ;;
+ HOST_USB=*)
+    # do nothing
+    ;;
+ HOST_CC=*)
+    # do nothing
+    ;;
+ HOST_*=y) # configuration
+    name=${line%=*}
+    echo "#define $name 1"
+    ;;
+ HOST_*=*) # configuration
+    name=${line%=*}
+    value=${line#*=}
+    echo "#define $name $value"
+    ;;
+ TARGET_ARCH=*) # configuration
+    target_arch=${line#*=}
+    echo "#define TARGET_ARCH \"$target_arch\""
+    ;;
+ TARGET_BASE_ARCH=*) # configuration
+    target_base_arch=${line#*=}
+    if [ "$target_base_arch" != "$target_arch" ]; then
+      base_arch_name=`echo $target_base_arch | tr '[:lower:]' '[:upper:]'`
+      echo "#define TARGET_$base_arch_name 1"
+    fi
+    ;;
+ TARGET_XML_FILES=*)
+    # do nothing
+    ;;
+ TARGET_ABI_DIR=*)
+    # do nothing
+    ;;
+ TARGET_ARCH2=*)
+    # do nothing
+    ;;
+ TARGET_DIRS=*)
+    # do nothing
+    ;;
+ TARGET_*=y) # configuration
+    name=${line%=*}
+    echo "#define $name 1"
+    ;;
+ TARGET_*=*) # configuration
+    name=${line%=*}
+    value=${line#*=}
+    echo "#define $name $value"
+    ;;
+esac
+
+done # read
diff --git a/scripts/feature_to_c.sh b/scripts/feature_to_c.sh
new file mode 100644
index 0000000..0994d95
--- /dev/null
+++ b/scripts/feature_to_c.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Convert text files to compilable C arrays.
+#
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GDB.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+
+output=$1
+shift
+
+if test -z "$output" || test -z "$1"; then
+  echo "Usage: $0 OUTPUTFILE INPUTFILE..."
+  exit 1
+fi
+
+if test -e "$output"; then
+  echo "Output file \"$output\" already exists; refusing to overwrite."
+  exit 1
+fi
+
+for input; do
+  arrayname=xml_feature_`echo $input | sed 's,.*/,,; s/[-.]/_/g'`
+
+  ${AWK:-awk} 'BEGIN { n = 0
+      print "static const char '$arrayname'[] = {"
+      for (i = 0; i < 255; i++)
+        _ord_[sprintf("%c", i)] = i
+    } {
+      split($0, line, "");
+      printf "  "
+      for (i = 1; i <= length($0); i++) {
+        c = line[i]
+        if (c == "'\''") {
+          printf "'\''\\'\'''\'', "
+        } else if (c == "\\") {
+          printf "'\''\\\\'\'', "
+        } else if (_ord_[c] >= 32 && _ord_[c] < 127) {
+	  printf "'\''%s'\'', ", c
+        } else {
+          printf "'\''\\%03o'\'', ", _ord_[c]
+        }
+        if (i % 10 == 0)
+          printf "\n   "
+      }
+      printf "'\''\\n'\'', \n"
+    } END {
+      print "  0 };"
+    }' < $input >> $output
+done
+
+echo >> $output
+echo "const char *const xml_builtin[][2] = {" >> $output
+
+for input; do
+  basename=`echo $input | sed 's,.*/,,'`
+  arrayname=xml_feature_`echo $input | sed 's,.*/,,; s/[-.]/_/g'`
+  echo "  { \"$basename\", $arrayname }," >> $output
+done
+
+echo "  { (char *)0, (char *)0 }" >> $output
+echo "};" >> $output
diff --git a/scripts/hxtool b/scripts/hxtool
new file mode 100644
index 0000000..7ca83ed
--- /dev/null
+++ b/scripts/hxtool
@@ -0,0 +1,102 @@
+#!/bin/sh
+
+hxtoh()
+{
+    flag=1
+    while read -r str; do
+        case $str in
+            HXCOMM*)
+            ;;
+            STEXI*|ETEXI*|SQMP*|EQMP*) flag=$(($flag^1))
+            ;;
+            *)
+            test $flag -eq 1 && printf "%s\n" "$str"
+            ;;
+        esac
+    done
+}
+
+hxtotexi()
+{
+    flag=0
+    line=1
+    while read -r str; do
+        case "$str" in
+            HXCOMM*)
+            ;;
+            STEXI*)
+            if test $flag -eq 1 ; then
+                echo "line $line: syntax error: expected ETEXI, found $str" >&2
+                exit 1
+            fi
+            flag=1
+            ;;
+            ETEXI*)
+            if test $flag -ne 1 ; then
+                echo "line $line: syntax error: expected STEXI, found $str" >&2
+                exit 1
+            fi
+            flag=0
+            ;;
+            SQMP*|EQMP*)
+            if test $flag -eq 1 ; then
+                echo "line $line: syntax error: expected ETEXI, found $str" >&2
+                exit 1
+            fi
+            ;;
+            DEFHEADING*)
+            echo "$(expr "$str" : "DEFHEADING(\(.*\))")"
+            ;;
+            *)
+            test $flag -eq 1 && echo "$str"
+            ;;
+        esac
+        line=$((line+1))
+    done
+}
+
+hxtoqmp()
+{
+    IFS=
+    flag=0
+    line=1
+    while read -r str; do
+        case "$str" in
+            HXCOMM*)
+            ;;
+            SQMP*)
+            if test $flag -eq 1 ; then
+                echo "line $line: syntax error: expected EQMP, found $str" >&2
+                exit 1
+            fi
+            flag=1
+            ;;
+            EQMP*)
+            if test $flag -ne 1 ; then
+                echo "line $line: syntax error: expected SQMP, found $str" >&2
+                exit 1
+            fi
+            flag=0
+            ;;
+            STEXI*|ETEXI*)
+            if test $flag -eq 1 ; then
+                echo "line $line: syntax error: expected EQMP, found $str" >&2
+                exit 1
+            fi
+            ;;
+            *)
+            test $flag -eq 1 && echo "$str"
+            ;;
+        esac
+        line=$((line+1))
+    done
+}
+
+case "$1" in
+"-h") hxtoh ;;
+"-t") hxtotexi ;;
+"-q") hxtoqmp ;;
+*) exit 1 ;;
+esac
+
+exit 0
diff --git a/scripts/make_device_config.sh b/scripts/make_device_config.sh
new file mode 100644
index 0000000..5d14885
--- /dev/null
+++ b/scripts/make_device_config.sh
@@ -0,0 +1,28 @@
+#! /bin/sh
+# Construct a target device config file from a default, pulling in any
+# files from include directives.
+
+dest=$1.tmp
+dep=$1.d
+src=$2
+src_dir=`dirname $src`
+all_includes=
+
+process_includes () {
+  cat $1 | grep '^include' | \
+  while read include file ; do
+    all_includes="$all_includes $src_dir/$file"
+    process_includes $src_dir/$file
+  done
+}
+
+f=$src
+while [ -n "$f" ] ; do
+  f=`tr -d '\r' < $f | awk '/^include / {printf "'$src_dir'/%s", $2}'`
+  [ $? = 0 ] || exit 1
+  all_includes="$all_includes $f"
+done
+process_includes $src > $dest
+
+cat $src $all_includes | grep -v '^include' > $dest
+echo "$1: $all_includes" > $dep
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
new file mode 100644
index 0000000..c50beb7
--- /dev/null
+++ b/scripts/qemu-binfmt-conf.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC program execution by the kernel
+
+# load the binfmt_misc module
+if [ ! -d /proc/sys/fs/binfmt_misc ]; then
+  /sbin/modprobe binfmt_misc
+fi
+if [ ! -f /proc/sys/fs/binfmt_misc/register ]; then
+  mount binfmt_misc -t binfmt_misc /proc/sys/fs/binfmt_misc
+fi
+
+# probe cpu type
+cpu=`uname -m`
+case "$cpu" in
+  i386|i486|i586|i686|i86pc|BePC|x86_64)
+    cpu="i386"
+  ;;
+  m68k)
+    cpu="m68k"
+  ;;
+  mips*)
+    cpu="mips"
+  ;;
+  "Power Macintosh"|ppc|ppc64)
+    cpu="ppc"
+  ;;
+  armv[4-9]*)
+    cpu="arm"
+  ;;
+esac
+
+# register the interpreter for each cpu except for the native one
+if [ $cpu != "i386" ] ; then
+    echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-i386:' > /proc/sys/fs/binfmt_misc/register
+    echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-i386:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "alpha" ] ; then
+    echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-alpha:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "arm" ] ; then
+    echo   ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-arm:' > /proc/sys/fs/binfmt_misc/register
+    echo   ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-armeb:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "sparc" ] ; then
+    echo   ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-sparc:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "ppc" ] ; then
+    echo   ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-ppc:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "m68k" ] ; then
+    echo   'Please check cpu value and header information for m68k!'
+    echo   ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x04:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-m68k:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "mips" ] ; then
+    # FIXME: We could use the other endianness on a MIPS host.
+    echo   ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mips:' > /proc/sys/fs/binfmt_misc/register
+    echo   ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mipsel:' > /proc/sys/fs/binfmt_misc/register
+    echo   ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mipsn32:' > /proc/sys/fs/binfmt_misc/register
+    echo   ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mipsn32el:' > /proc/sys/fs/binfmt_misc/register
+    echo   ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mips64:' > /proc/sys/fs/binfmt_misc/register
+    echo   ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mips64el:' > /proc/sys/fs/binfmt_misc/register
+fi
+if [ $cpu != "sh" ] ; then
+    echo    ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-sh4:' > /proc/sys/fs/binfmt_misc/register
+    echo    ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-sh4eb:' > /proc/sys/fs/binfmt_misc/register
+fi
diff --git a/scripts/signrom.sh b/scripts/signrom.sh
new file mode 100755
index 0000000..9dc5c63
--- /dev/null
+++ b/scripts/signrom.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# Option ROM Signing utility
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Copyright Novell Inc, 2009
+#   Authors: Alexander Graf <agraf at suse.de>
+#
+# Syntax: signrom.sh <input> <output>
+
+# did we get proper arguments?
+test "$1" -a "$2" || exit 1
+
+sum=0
+
+# find out the file size
+x=`dd if="$1" bs=1 count=1 skip=2 2>/dev/null | od -t u1 -A n`
+#size=`expr $x \* 512 - 1`
+size=$(( $x * 512 - 1 ))
+
+# now get the checksum
+nums=`od -A n -t u1 -v -N $size "$1"`
+for i in ${nums}; do
+    # add each byte's value to sum
+    sum=`expr \( $sum + $i \) % 256`
+done
+
+sum=$(( (256 - $sum) % 256 ))
+sum_octal=$( printf "%o" $sum )
+
+# and write the output file
+cp "$1" "$2"
+printf "\\$sum_octal" | dd of="$2" bs=1 count=1 seek=$size conv=notrunc 2>/dev/null
diff --git a/scripts/simpletrace.py b/scripts/simpletrace.py
new file mode 100755
index 0000000..553a727
--- /dev/null
+++ b/scripts/simpletrace.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+#
+# Pretty-printer for simple trace backend binary trace files
+#
+# Copyright IBM, Corp. 2010
+#
+# This work is licensed under the terms of the GNU GPL, version 2.  See
+# the COPYING file in the top-level directory.
+#
+# For help see docs/tracing.txt
+
+import sys
+import struct
+import re
+
+header_event_id = 0xffffffffffffffff
+header_magic    = 0xf2b177cb0aa429b4
+header_version  = 0
+
+trace_fmt = '=QQQQQQQQ'
+trace_len = struct.calcsize(trace_fmt)
+event_re  = re.compile(r'(disable\s+)?([a-zA-Z0-9_]+)\(([^)]*)\).*')
+
+def err(msg):
+    sys.stderr.write(msg + '\n')
+    sys.exit(1)
+
+def parse_events(fobj):
+    """Parse a trace-events file."""
+
+    def get_argnames(args):
+        """Extract argument names from a parameter list."""
+        return tuple(arg.split()[-1].lstrip('*') for arg in args.split(','))
+
+    events = {}
+    event_num = 0
+    for line in fobj:
+        m = event_re.match(line.strip())
+        if m is None:
+            continue
+
+        disable, name, args = m.groups()
+        events[event_num] = (name,) + get_argnames(args)
+        event_num += 1
+    return events
+
+def read_record(fobj):
+    """Deserialize a trace record from a file."""
+    s = fobj.read(trace_len)
+    if len(s) != trace_len:
+        return None
+    return struct.unpack(trace_fmt, s)
+
+def read_trace_file(fobj):
+    """Deserialize trace records from a file."""
+    header = read_record(fobj)
+    if header is None or \
+       header[0] != header_event_id or \
+       header[1] != header_magic or \
+       header[2] != header_version:
+        err('not a trace file or incompatible version')
+
+    while True:
+        rec = read_record(fobj)
+        if rec is None:
+            break
+
+        yield rec
+
+class Formatter(object):
+    def __init__(self, events):
+        self.events = events
+        self.last_timestamp = None
+
+    def format_record(self, rec):
+        if self.last_timestamp is None:
+            self.last_timestamp = rec[1]
+        delta_ns = rec[1] - self.last_timestamp
+        self.last_timestamp = rec[1]
+
+        event = self.events[rec[0]]
+        fields = [event[0], '%0.3f' % (delta_ns / 1000.0)]
+        for i in xrange(1, len(event)):
+            fields.append('%s=0x%x' % (event[i], rec[i + 1]))
+        return ' '.join(fields)
+
+if len(sys.argv) != 3:
+    err('usage: %s <trace-events> <trace-file>' % sys.argv[0])
+
+events = parse_events(open(sys.argv[1], 'r'))
+formatter = Formatter(events)
+for rec in read_trace_file(open(sys.argv[2], 'rb')):
+    print formatter.format_record(rec)
diff --git a/scripts/texi2pod.pl b/scripts/texi2pod.pl
new file mode 100755
index 0000000..9ed056a
--- /dev/null
+++ b/scripts/texi2pod.pl
@@ -0,0 +1,477 @@
+#! /usr/bin/perl -w
+
+#   Copyright (C) 1999, 2000, 2001, 2003 Free Software Foundation, Inc.
+
+# This file is part of GCC.
+
+# GCC is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# GCC is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with GCC; see the file COPYING.  If not,
+# see <http://www.gnu.org/licenses/>.
+
+# This does trivial (and I mean _trivial_) conversion of Texinfo
+# markup to Perl POD format.  It's intended to be used to extract
+# something suitable for a manpage from a Texinfo document.
+
+$output = 0;
+$skipping = 0;
+%sects = ();
+$section = "";
+ at icstack = ();
+ at endwstack = ();
+ at skstack = ();
+ at instack = ();
+$shift = "";
+%defs = ();
+$fnno = 1;
+$inf = "";
+$ibase = "";
+ at ipath = ();
+
+while ($_ = shift) {
+    if (/^-D(.*)$/) {
+	if ($1 ne "") {
+	    $flag = $1;
+	} else {
+	    $flag = shift;
+	}
+	$value = "";
+	($flag, $value) = ($flag =~ /^([^=]+)(?:=(.+))?/);
+	die "no flag specified for -D\n"
+	    unless $flag ne "";
+	die "flags may only contain letters, digits, hyphens, dashes and underscores\n"
+	    unless $flag =~ /^[a-zA-Z0-9_-]+$/;
+	$defs{$flag} = $value;
+    } elsif (/^-I(.*)$/) {
+	if ($1 ne "") {
+	    $flag = $1;
+	} else {
+	    $flag = shift;
+	}
+        push (@ipath, $flag);
+    } elsif (/^-/) {
+	usage();
+    } else {
+	$in = $_, next unless defined $in;
+	$out = $_, next unless defined $out;
+	usage();
+    }
+}
+
+if (defined $in) {
+    $inf = gensym();
+    open($inf, "<$in") or die "opening \"$in\": $!\n";
+    $ibase = $1 if $in =~ m|^(.+)/[^/]+$|;
+} else {
+    $inf = \*STDIN;
+}
+
+if (defined $out) {
+    open(STDOUT, ">$out") or die "opening \"$out\": $!\n";
+}
+
+while(defined $inf) {
+while(<$inf>) {
+    # Certain commands are discarded without further processing.
+    /^\@(?:
+	 [a-z]+index		# @*index: useful only in complete manual
+	 |need			# @need: useful only in printed manual
+	 |(?:end\s+)?group	# @group .. @end group: ditto
+	 |page			# @page: ditto
+	 |node			# @node: useful only in .info file
+	 |(?:end\s+)?ifnottex   # @ifnottex .. @end ifnottex: use contents
+	)\b/x and next;
+
+    chomp;
+
+    # Look for filename and title markers.
+    /^\@setfilename\s+([^.]+)/ and $fn = $1, next;
+    /^\@settitle\s+([^.]+)/ and $tl = postprocess($1), next;
+
+    # Identify a man title but keep only the one we are interested in.
+    /^\@c\s+man\s+title\s+([A-Za-z0-9-]+)\s+(.+)/ and do {
+	if (exists $defs{$1}) {
+	    $fn = $1;
+	    $tl = postprocess($2);
+	}
+	next;
+    };
+
+    # Look for blocks surrounded by @c man begin SECTION ... @c man end.
+    # This really oughta be @ifman ... @end ifman and the like, but such
+    # would require rev'ing all other Texinfo translators.
+    /^\@c\s+man\s+begin\s+([A-Z]+)\s+([A-Za-z0-9-]+)/ and do {
+	$output = 1 if exists $defs{$2};
+        $sect = $1;
+	next;
+    };
+    /^\@c\s+man\s+begin\s+([A-Z]+)/ and $sect = $1, $output = 1, next;
+    /^\@c\s+man\s+end/ and do {
+	$sects{$sect} = "" unless exists $sects{$sect};
+	$sects{$sect} .= postprocess($section);
+	$section = "";
+	$output = 0;
+	next;
+    };
+
+    # handle variables
+    /^\@set\s+([a-zA-Z0-9_-]+)\s*(.*)$/ and do {
+	$defs{$1} = $2;
+	next;
+    };
+    /^\@clear\s+([a-zA-Z0-9_-]+)/ and do {
+	delete $defs{$1};
+	next;
+    };
+
+    next unless $output;
+
+    # Discard comments.  (Can't do it above, because then we'd never see
+    # @c man lines.)
+    /^\@c\b/ and next;
+
+    # End-block handler goes up here because it needs to operate even
+    # if we are skipping.
+    /^\@end\s+([a-z]+)/ and do {
+	# Ignore @end foo, where foo is not an operation which may
+	# cause us to skip, if we are presently skipping.
+	my $ended = $1;
+	next if $skipping && $ended !~ /^(?:ifset|ifclear|ignore|menu|iftex|copying)$/;
+
+	die "\@end $ended without \@$ended at line $.\n" unless defined $endw;
+	die "\@$endw ended by \@end $ended at line $.\n" unless $ended eq $endw;
+
+	$endw = pop @endwstack;
+
+	if ($ended =~ /^(?:ifset|ifclear|ignore|menu|iftex)$/) {
+	    $skipping = pop @skstack;
+	    next;
+	} elsif ($ended =~ /^(?:example|smallexample|display)$/) {
+	    $shift = "";
+	    $_ = "";	# need a paragraph break
+	} elsif ($ended =~ /^(?:itemize|enumerate|[fv]?table)$/) {
+	    $_ = "\n=back\n";
+	    $ic = pop @icstack;
+	} elsif ($ended eq "multitable") {
+	    $_ = "\n=back\n";
+	} else {
+	    die "unknown command \@end $ended at line $.\n";
+	}
+    };
+
+    # We must handle commands which can cause skipping even while we
+    # are skipping, otherwise we will not process nested conditionals
+    # correctly.
+    /^\@ifset\s+([a-zA-Z0-9_-]+)/ and do {
+	push @endwstack, $endw;
+	push @skstack, $skipping;
+	$endw = "ifset";
+	$skipping = 1 unless exists $defs{$1};
+	next;
+    };
+
+    /^\@ifclear\s+([a-zA-Z0-9_-]+)/ and do {
+	push @endwstack, $endw;
+	push @skstack, $skipping;
+	$endw = "ifclear";
+	$skipping = 1 if exists $defs{$1};
+	next;
+    };
+
+    /^\@(ignore|menu|iftex|copying)\b/ and do {
+	push @endwstack, $endw;
+	push @skstack, $skipping;
+	$endw = $1;
+	$skipping = 1;
+	next;
+    };
+
+    next if $skipping;
+
+    # Character entities.  First the ones that can be replaced by raw text
+    # or discarded outright:
+    s/\@copyright\{\}/(c)/g;
+    s/\@dots\{\}/.../g;
+    s/\@enddots\{\}/..../g;
+    s/\@([.!? ])/$1/g;
+    s/\@[:-]//g;
+    s/\@bullet(?:\{\})?/*/g;
+    s/\@TeX\{\}/TeX/g;
+    s/\@pounds\{\}/\#/g;
+    s/\@minus(?:\{\})?/-/g;
+    s/\\,/,/g;
+
+    # Now the ones that have to be replaced by special escapes
+    # (which will be turned back into text by unmunge())
+    s/&/&amp;/g;
+    s/\@\{/&lbrace;/g;
+    s/\@\}/&rbrace;/g;
+    s/\@\@/&at;/g;
+
+    # Inside a verbatim block, handle @var specially.
+    if ($shift ne "") {
+	s/\@var\{([^\}]*)\}/<$1>/g;
+    }
+
+    # POD doesn't interpret E<> inside a verbatim block.
+    if ($shift eq "") {
+	s/</&lt;/g;
+	s/>/&gt;/g;
+    } else {
+	s/</&LT;/g;
+	s/>/&GT;/g;
+    }
+
+    # Single line command handlers.
+
+    /^\@include\s+(.+)$/ and do {
+	push @instack, $inf;
+	$inf = gensym();
+	$file = postprocess($1);
+
+	# Try cwd and $ibase, then explicit -I paths.
+	$done = 0;
+	foreach $path ("", $ibase, @ipath) {
+	    $mypath = $file;
+	    $mypath = $path . "/" . $mypath if ($path ne "");
+	    open($inf, "<" . $mypath) and ($done = 1, last);
+	}
+	die "cannot find $file" if !$done;
+	next;
+    };
+
+    /^\@(?:section|unnumbered|unnumberedsec|center)\s+(.+)$/
+	and $_ = "\n=head2 $1\n";
+    /^\@subsection\s+(.+)$/
+	and $_ = "\n=head3 $1\n";
+    /^\@subsubsection\s+(.+)$/
+	and $_ = "\n=head4 $1\n";
+
+    # Block command handlers:
+    /^\@itemize(?:\s+(\@[a-z]+|\*|-))?/ and do {
+	push @endwstack, $endw;
+	push @icstack, $ic;
+	if (defined $1) {
+	    $ic = $1;
+	} else {
+	    $ic = '*';
+	}
+	$_ = "\n=over 4\n";
+	$endw = "itemize";
+    };
+
+    /^\@enumerate(?:\s+([a-zA-Z0-9]+))?/ and do {
+	push @endwstack, $endw;
+	push @icstack, $ic;
+	if (defined $1) {
+	    $ic = $1 . ".";
+	} else {
+	    $ic = "1.";
+	}
+	$_ = "\n=over 4\n";
+	$endw = "enumerate";
+    };
+
+    /^\@multitable\s.*/ and do {
+	push @endwstack, $endw;
+	$endw = "multitable";
+	$_ = "\n=over 4\n";
+    };
+
+    /^\@([fv]?table)\s+(\@[a-z]+)/ and do {
+	push @endwstack, $endw;
+	push @icstack, $ic;
+	$endw = $1;
+	$ic = $2;
+	$ic =~ s/\@(?:samp|strong|key|gcctabopt|option|env)/B/;
+	$ic =~ s/\@(?:code|kbd)/C/;
+	$ic =~ s/\@(?:dfn|var|emph|cite|i)/I/;
+	$ic =~ s/\@(?:file)/F/;
+	$_ = "\n=over 4\n";
+    };
+
+    /^\@((?:small)?example|display)/ and do {
+	push @endwstack, $endw;
+	$endw = $1;
+	$shift = "\t";
+	$_ = "";	# need a paragraph break
+    };
+
+    /^\@item\s+(.*\S)\s*$/ and $endw eq "multitable" and do {
+	@columns = ();
+	for $column (split (/\s*\@tab\s*/, $1)) {
+	    # @strong{...} is used a @headitem work-alike
+	    $column =~ s/^\@strong{(.*)}$/$1/;
+	    push @columns, $column;
+	}
+	$_ = "\n=item ".join (" : ", @columns)."\n";
+    };
+
+    /^\@itemx?\s*(.+)?$/ and do {
+	if (defined $1) {
+	    # Entity escapes prevent munging by the <> processing below.
+	    $_ = "\n=item $ic\&LT;$1\&GT;\n";
+	} else {
+	    $_ = "\n=item $ic\n";
+	    $ic =~ y/A-Ya-y/B-Zb-z/;
+	    $ic =~ s/(\d+)/$1 + 1/eg;
+	}
+    };
+
+    $section .= $shift.$_."\n";
+}
+# End of current file.
+close($inf);
+$inf = pop @instack;
+}
+
+die "No filename or title\n" unless defined $fn && defined $tl;
+
+$sects{NAME} = "$fn \- $tl\n";
+$sects{FOOTNOTES} .= "=back\n" if exists $sects{FOOTNOTES};
+
+for $sect (qw(NAME SYNOPSIS DESCRIPTION OPTIONS ENVIRONMENT FILES
+	      BUGS NOTES FOOTNOTES SEEALSO AUTHOR COPYRIGHT)) {
+    if(exists $sects{$sect}) {
+	$head = $sect;
+	$head =~ s/SEEALSO/SEE ALSO/;
+	print "=head1 $head\n\n";
+	print scalar unmunge ($sects{$sect});
+	print "\n";
+    }
+}
+
+sub usage
+{
+    die "usage: $0 [-D toggle...] [infile [outfile]]\n";
+}
+
+sub postprocess
+{
+    local $_ = $_[0];
+
+    # @value{foo} is replaced by whatever 'foo' is defined as.
+    while (m/(\@value\{([a-zA-Z0-9_-]+)\})/g) {
+	if (! exists $defs{$2}) {
+	    print STDERR "Option $2 not defined\n";
+	    s/\Q$1\E//;
+	} else {
+	    $value = $defs{$2};
+	    s/\Q$1\E/$value/;
+	}
+    }
+
+    # Formatting commands.
+    # Temporary escape for @r.
+    s/\@r\{([^\}]*)\}/R<$1>/g;
+    s/\@(?:dfn|var|emph|cite|i)\{([^\}]*)\}/I<$1>/g;
+    s/\@(?:code|kbd)\{([^\}]*)\}/C<$1>/g;
+    s/\@(?:gccoptlist|samp|strong|key|option|env|command|b)\{([^\}]*)\}/B<$1>/g;
+    s/\@sc\{([^\}]*)\}/\U$1/g;
+    s/\@file\{([^\}]*)\}/F<$1>/g;
+    s/\@w\{([^\}]*)\}/S<$1>/g;
+    s/\@(?:dmn|math)\{([^\}]*)\}/$1/g;
+
+    # keep references of the form @ref{...}, print them bold
+    s/\@(?:ref)\{([^\}]*)\}/B<$1>/g;
+
+    # Change double single quotes to double quotes.
+    s/''/"/g;
+    s/``/"/g;
+
+    # Cross references are thrown away, as are @noindent and @refill.
+    # (@noindent is impossible in .pod, and @refill is unnecessary.)
+    # @* is also impossible in .pod; we discard it and any newline that
+    # follows it.  Similarly, our macro @gol must be discarded.
+
+    s/\(?\@xref\{(?:[^\}]*)\}(?:[^.<]|(?:<[^<>]*>))*\.\)?//g;
+    s/\s+\(\@pxref\{(?:[^\}]*)\}\)//g;
+    s/;\s+\@pxref\{(?:[^\}]*)\}//g;
+    s/\@noindent\s*//g;
+    s/\@refill//g;
+    s/\@gol//g;
+    s/\@\*\s*\n?//g;
+
+    # Anchors are thrown away
+    s/\@anchor\{(?:[^\}]*)\}//g;
+
+    # @uref can take one, two, or three arguments, with different
+    # semantics each time.  @url and @email are just like @uref with
+    # one argument, for our purposes.
+    s/\@(?:uref|url|email)\{([^\},]*)\}/&lt;B<$1>&gt;/g;
+    s/\@uref\{([^\},]*),([^\},]*)\}/$2 (C<$1>)/g;
+    s/\@uref\{([^\},]*),([^\},]*),([^\},]*)\}/$3/g;
+
+    # Un-escape <> at this point.
+    s/&LT;/</g;
+    s/&GT;/>/g;
+
+    # Now un-nest all B<>, I<>, R<>.  Theoretically we could have
+    # indefinitely deep nesting; in practice, one level suffices.
+    1 while s/([BIR])<([^<>]*)([BIR])<([^<>]*)>/$1<$2>$3<$4>$1</g;
+
+    # Replace R<...> with bare ...; eliminate empty markup, B<>;
+    # shift white space at the ends of [BI]<...> expressions outside
+    # the expression.
+    s/R<([^<>]*)>/$1/g;
+    s/[BI]<>//g;
+    s/([BI])<(\s+)([^>]+)>/$2$1<$3>/g;
+    s/([BI])<([^>]+?)(\s+)>/$1<$2>$3/g;
+
+    # Extract footnotes.  This has to be done after all other
+    # processing because otherwise the regexp will choke on formatting
+    # inside @footnote.
+    while (/\@footnote/g) {
+	s/\@footnote\{([^\}]+)\}/[$fnno]/;
+	add_footnote($1, $fnno);
+	$fnno++;
+    }
+
+    return $_;
+}
+
+sub unmunge
+{
+    # Replace escaped symbols with their equivalents.
+    local $_ = $_[0];
+
+    s/&lt;/E<lt>/g;
+    s/&gt;/E<gt>/g;
+    s/&lbrace;/\{/g;
+    s/&rbrace;/\}/g;
+    s/&at;/\@/g;
+    s/&amp;/&/g;
+    return $_;
+}
+
+sub add_footnote
+{
+    unless (exists $sects{FOOTNOTES}) {
+	$sects{FOOTNOTES} = "\n=over 4\n\n";
+    }
+
+    $sects{FOOTNOTES} .= "=item $fnno.\n\n"; $fnno++;
+    $sects{FOOTNOTES} .= $_[0];
+    $sects{FOOTNOTES} .= "\n\n";
+}
+
+# stolen from Symbol.pm
+{
+    my $genseq = 0;
+    sub gensym
+    {
+	my $name = "GEN" . $genseq++;
+	my $ref = \*{$name};
+	delete $::{$name};
+	return $ref;
+    }
+}
diff --git a/scripts/tracetool b/scripts/tracetool
new file mode 100755
index 0000000..fce491c
--- /dev/null
+++ b/scripts/tracetool
@@ -0,0 +1,573 @@
+#!/bin/sh
+#
+# Code generator for trace events
+#
+# Copyright IBM, Corp. 2010
+#
+# This work is licensed under the terms of the GNU GPL, version 2.  See
+# the COPYING file in the top-level directory.
+
+# Disable pathname expansion, makes processing text with '*' characters simpler
+set -f
+
+usage()
+{
+    cat >&2 <<EOF
+usage: $0 [--nop | --simple | --ust] [-h | -c]
+Generate tracing code for a file on stdin.
+
+Backends:
+  --nop     Tracing disabled
+  --simple  Simple built-in backend
+  --ust     LTTng User Space Tracing backend
+  --dtrace  DTrace/SystemTAP backend
+
+Output formats:
+  -h     Generate .h file
+  -c     Generate .c file
+  -d     Generate .d file (DTrace only)
+  --stap Generate .stp file (DTrace with SystemTAP only)
+
+Options:
+  --binary      [path]  Full path to QEMU binary
+  --target-arch [arch]  QEMU emulator target arch
+  --target-type [type]  QEMU emulator target type ('system' or 'user')
+
+EOF
+    exit 1
+}
+
+# Get the name of a trace event
+get_name()
+{
+    echo ${1%%\(*}
+}
+
+# Get the argument list of a trace event, including types and names
+get_args()
+{
+    local args
+    args=${1#*\(}
+    args=${args%\)*}
+    echo "$args"
+}
+
+# Get the argument name list of a trace event
+get_argnames()
+{
+    local nfields field name sep
+    nfields=0
+    sep="$2"
+    for field in $(get_args "$1"); do
+        nfields=$((nfields + 1))
+
+        # Drop pointer star
+        field=${field#\*}
+
+        # Only argument names have commas at the end
+        name=${field%,}
+        test "$field" = "$name" && continue
+
+        printf "%s%s " $name $sep
+    done
+
+    # Last argument name
+    if [ "$nfields" -gt 1 ]
+    then
+        printf "%s" "$name"
+    fi
+}
+
+# Get the number of arguments to a trace event
+get_argc()
+{
+    local name argc
+    argc=0
+    for name in $(get_argnames "$1", ","); do
+        argc=$((argc + 1))
+    done
+    echo $argc
+}
+
+# Get the format string for a trace event
+get_fmt()
+{
+    local fmt
+    fmt=${1#*\"}
+    fmt=${fmt%\"*}
+    echo "$fmt"
+}
+
+# Get the state of a trace event
+get_state()
+{
+    local str disable state
+    str=$(get_name "$1")
+    disable=${str##disable }
+    if [ "$disable" = "$str" ] ; then
+        state=1
+    else
+        state=0
+    fi
+    echo "$state"
+}
+
+linetoh_begin_nop()
+{
+    return
+}
+
+linetoh_nop()
+{
+    local name args
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+
+    # Define an empty function for the trace event
+    cat <<EOF
+static inline void trace_$name($args)
+{
+}
+EOF
+}
+
+linetoh_end_nop()
+{
+    return
+}
+
+linetoc_begin_nop()
+{
+    return
+}
+
+linetoc_nop()
+{
+    # No need for function definitions in nop backend
+    return
+}
+
+linetoc_end_nop()
+{
+    return
+}
+
+linetoh_begin_simple()
+{
+    cat <<EOF
+#include "simpletrace.h"
+EOF
+
+    simple_event_num=0
+}
+
+cast_args_to_uint64_t()
+{
+    local arg
+    for arg in $(get_argnames "$1", ","); do
+        printf "%s" "(uint64_t)(uintptr_t)$arg"
+    done
+}
+
+linetoh_simple()
+{
+    local name args argc trace_args state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argc=$(get_argc "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ]; then
+        name=${name##disable }
+    fi
+
+    trace_args="$simple_event_num"
+    if [ "$argc" -gt 0 ]
+    then
+        trace_args="$trace_args, $(cast_args_to_uint64_t "$1")"
+    fi
+
+    cat <<EOF
+static inline void trace_$name($args)
+{
+    trace$argc($trace_args);
+}
+EOF
+
+    simple_event_num=$((simple_event_num + 1))
+}
+
+linetoh_end_simple()
+{
+    cat <<EOF
+#define NR_TRACE_EVENTS $simple_event_num
+extern TraceEvent trace_list[NR_TRACE_EVENTS];
+EOF
+}
+
+linetoc_begin_simple()
+{
+    cat <<EOF
+#include "trace.h"
+
+TraceEvent trace_list[] = {
+EOF
+    simple_event_num=0
+
+}
+
+linetoc_simple()
+{
+    local name state
+    name=$(get_name "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+    cat <<EOF
+{.tp_name = "$name", .state=$state},
+EOF
+    simple_event_num=$((simple_event_num + 1))
+}
+
+linetoc_end_simple()
+{
+    cat <<EOF
+};
+EOF
+}
+
+# Clean up after UST headers which pollute the namespace
+ust_clean_namespace() {
+    cat <<EOF
+#undef mutex_lock
+#undef mutex_unlock
+#undef inline
+#undef wmb
+EOF
+}
+
+linetoh_begin_ust()
+{
+    echo "#include <ust/tracepoint.h>"
+    ust_clean_namespace
+}
+
+linetoh_ust()
+{
+    local name args argnames
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1", ",")
+
+    cat <<EOF
+DECLARE_TRACE(ust_$name, TP_PROTO($args), TP_ARGS($argnames));
+#define trace_$name trace_ust_$name
+EOF
+}
+
+linetoh_end_ust()
+{
+    return
+}
+
+linetoc_begin_ust()
+{
+    cat <<EOF
+#include <ust/marker.h>
+$(ust_clean_namespace)
+#include "trace.h"
+EOF
+}
+
+linetoc_ust()
+{
+    local name args argnames fmt
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1", ",")
+    fmt=$(get_fmt "$1")
+
+    cat <<EOF
+DEFINE_TRACE(ust_$name);
+
+static void ust_${name}_probe($args)
+{
+    trace_mark(ust, $name, "$fmt", $argnames);
+}
+EOF
+
+    # Collect names for later
+    names="$names $name"
+}
+
+linetoc_end_ust()
+{
+    cat <<EOF
+static void __attribute__((constructor)) trace_init(void)
+{
+EOF
+
+    for name in $names; do
+        cat <<EOF
+    register_trace_ust_$name(ust_${name}_probe);
+EOF
+    done
+
+    echo "}"
+}
+
+linetoh_begin_dtrace()
+{
+    cat <<EOF
+#include "trace-dtrace.h"
+EOF
+}
+
+linetoh_dtrace()
+{
+    local name args argnames state nameupper
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1", ",")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    nameupper=`echo $name | tr '[:lower:]' '[:upper:]'`
+
+    # Define an empty function for the trace event
+    cat <<EOF
+static inline void trace_$name($args) {
+    if (QEMU_${nameupper}_ENABLED()) {
+        QEMU_${nameupper}($argnames);
+    }
+}
+EOF
+}
+
+linetoh_end_dtrace()
+{
+    return
+}
+
+linetoc_begin_dtrace()
+{
+    return
+}
+
+linetoc_dtrace()
+{
+    # No need for function definitions in dtrace backend
+    return
+}
+
+linetoc_end_dtrace()
+{
+    return
+}
+
+linetod_begin_dtrace()
+{
+    cat <<EOF
+provider qemu {
+EOF
+}
+
+linetod_dtrace()
+{
+    local name args state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    # DTrace provider syntax expects foo() for empty
+    # params, not foo(void)
+    if [ "$args" = "void" ]; then
+       args=""
+    fi
+
+    # Define prototype for probe arguments
+    cat <<EOF
+        probe $name($args);
+EOF
+}
+
+linetod_end_dtrace()
+{
+    cat <<EOF
+};
+EOF
+}
+
+linetostap_begin_dtrace()
+{
+    return
+}
+
+linetostap_dtrace()
+{
+    local i arg name args arglist state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    arglist=$(get_argnames "$1", "")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    # Define prototype for probe arguments
+    cat <<EOF
+probe qemu.$targettype.$targetarch.$name = process("$binary").mark("$name")
+{
+EOF
+
+    i=1
+    for arg in $arglist
+    do
+        # 'limit' is a reserved keyword
+        if [ "$arg" = "limit" ]; then
+          arg="_limit"
+        fi
+        cat <<EOF
+  $arg = \$arg$i;
+EOF
+	i="$((i+1))"
+    done
+
+    cat <<EOF
+}
+EOF
+}
+
+linetostap_end_dtrace()
+{
+    return
+}
+
+# Process stdin by calling begin, line, and end functions for the backend
+convert()
+{
+    local begin process_line end str disable
+    begin="lineto$1_begin_$backend"
+    process_line="lineto$1_$backend"
+    end="lineto$1_end_$backend"
+
+    "$begin"
+
+    while read -r str; do
+        # Skip comments and empty lines
+        test -z "${str%%#*}" && continue
+
+        # Process the line.  The nop backend handles disabled lines.
+        disable=${str%%disable *}
+        echo
+        if test -z "$disable"; then
+            # Pass the disabled state as an arg for the simple
+            # or DTrace backends which handle it dynamically.
+            # For all other backends, call lineto$1_nop()
+            if [ $backend = "simple" -o "$backend" = "dtrace" ]; then
+                "$process_line" "$str"
+            else
+                "lineto$1_nop" "${str##disable }"
+            fi
+        else
+            "$process_line" "$str"
+        fi
+    done
+
+    echo
+    "$end"
+}
+
+tracetoh()
+{
+    cat <<EOF
+#ifndef TRACE_H
+#define TRACE_H
+
+/* This file is autogenerated by tracetool, do not edit. */
+
+#include "qemu-common.h"
+EOF
+    convert h
+    echo "#endif /* TRACE_H */"
+}
+
+tracetoc()
+{
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert c
+}
+
+tracetod()
+{
+    if [ $backend != "dtrace" ]; then
+       echo "DTrace probe generator not applicable to $backend backend"
+       exit 1
+    fi
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert d
+}
+
+tracetostap()
+{
+    if [ $backend != "dtrace" ]; then
+       echo "SystemTAP tapset generator not applicable to $backend backend"
+       exit 1
+    fi
+    if [ -z "$binary" ]; then
+       echo "--binary is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    if [ -z "$targettype" ]; then
+       echo "--target-type is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    if [ -z "$targetarch" ]; then
+       echo "--target-arch is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert stap
+}
+
+
+backend=
+output=
+binary=
+targettype=
+targetarch=
+
+
+until [ -z "$1" ]
+do
+  case "$1" in
+    "--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
+
+    "--binary") shift ; binary="$1" ;;
+    "--target-arch") shift ; targetarch="$1" ;;
+    "--target-type") shift ; targettype="$1" ;;
+
+    "-h" | "-c" | "-d") output="${1#-}" ;;
+    "--stap") output="${1#--}" ;;
+
+    "--check-backend") exit 0 ;; # used by ./configure to test for backend
+
+    *)
+      usage;;
+  esac
+  shift
+done
+
+if [ "$backend" = "" -o "$output" = "" ]; then
+  usage
+fi
+
+gen="traceto$output"
+"$gen"
+
+exit 0
diff --git a/simpletrace.py b/simpletrace.py
deleted file mode 100755
index 553a727..0000000
--- a/simpletrace.py
+++ /dev/null
@@ -1,93 +0,0 @@
-#!/usr/bin/env python
-#
-# Pretty-printer for simple trace backend binary trace files
-#
-# Copyright IBM, Corp. 2010
-#
-# This work is licensed under the terms of the GNU GPL, version 2.  See
-# the COPYING file in the top-level directory.
-#
-# For help see docs/tracing.txt
-
-import sys
-import struct
-import re
-
-header_event_id = 0xffffffffffffffff
-header_magic    = 0xf2b177cb0aa429b4
-header_version  = 0
-
-trace_fmt = '=QQQQQQQQ'
-trace_len = struct.calcsize(trace_fmt)
-event_re  = re.compile(r'(disable\s+)?([a-zA-Z0-9_]+)\(([^)]*)\).*')
-
-def err(msg):
-    sys.stderr.write(msg + '\n')
-    sys.exit(1)
-
-def parse_events(fobj):
-    """Parse a trace-events file."""
-
-    def get_argnames(args):
-        """Extract argument names from a parameter list."""
-        return tuple(arg.split()[-1].lstrip('*') for arg in args.split(','))
-
-    events = {}
-    event_num = 0
-    for line in fobj:
-        m = event_re.match(line.strip())
-        if m is None:
-            continue
-
-        disable, name, args = m.groups()
-        events[event_num] = (name,) + get_argnames(args)
-        event_num += 1
-    return events
-
-def read_record(fobj):
-    """Deserialize a trace record from a file."""
-    s = fobj.read(trace_len)
-    if len(s) != trace_len:
-        return None
-    return struct.unpack(trace_fmt, s)
-
-def read_trace_file(fobj):
-    """Deserialize trace records from a file."""
-    header = read_record(fobj)
-    if header is None or \
-       header[0] != header_event_id or \
-       header[1] != header_magic or \
-       header[2] != header_version:
-        err('not a trace file or incompatible version')
-
-    while True:
-        rec = read_record(fobj)
-        if rec is None:
-            break
-
-        yield rec
-
-class Formatter(object):
-    def __init__(self, events):
-        self.events = events
-        self.last_timestamp = None
-
-    def format_record(self, rec):
-        if self.last_timestamp is None:
-            self.last_timestamp = rec[1]
-        delta_ns = rec[1] - self.last_timestamp
-        self.last_timestamp = rec[1]
-
-        event = self.events[rec[0]]
-        fields = [event[0], '%0.3f' % (delta_ns / 1000.0)]
-        for i in xrange(1, len(event)):
-            fields.append('%s=0x%x' % (event[i], rec[i + 1]))
-        return ' '.join(fields)
-
-if len(sys.argv) != 3:
-    err('usage: %s <trace-events> <trace-file>' % sys.argv[0])
-
-events = parse_events(open(sys.argv[1], 'r'))
-formatter = Formatter(events)
-for rec in read_trace_file(open(sys.argv[2], 'rb')):
-    print formatter.format_record(rec)
diff --git a/texi2pod.pl b/texi2pod.pl
deleted file mode 100755
index 9ed056a..0000000
--- a/texi2pod.pl
+++ /dev/null
@@ -1,477 +0,0 @@
-#! /usr/bin/perl -w
-
-#   Copyright (C) 1999, 2000, 2001, 2003 Free Software Foundation, Inc.
-
-# This file is part of GCC.
-
-# GCC is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# GCC is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with GCC; see the file COPYING.  If not,
-# see <http://www.gnu.org/licenses/>.
-
-# This does trivial (and I mean _trivial_) conversion of Texinfo
-# markup to Perl POD format.  It's intended to be used to extract
-# something suitable for a manpage from a Texinfo document.
-
-$output = 0;
-$skipping = 0;
-%sects = ();
-$section = "";
- at icstack = ();
- at endwstack = ();
- at skstack = ();
- at instack = ();
-$shift = "";
-%defs = ();
-$fnno = 1;
-$inf = "";
-$ibase = "";
- at ipath = ();
-
-while ($_ = shift) {
-    if (/^-D(.*)$/) {
-	if ($1 ne "") {
-	    $flag = $1;
-	} else {
-	    $flag = shift;
-	}
-	$value = "";
-	($flag, $value) = ($flag =~ /^([^=]+)(?:=(.+))?/);
-	die "no flag specified for -D\n"
-	    unless $flag ne "";
-	die "flags may only contain letters, digits, hyphens, dashes and underscores\n"
-	    unless $flag =~ /^[a-zA-Z0-9_-]+$/;
-	$defs{$flag} = $value;
-    } elsif (/^-I(.*)$/) {
-	if ($1 ne "") {
-	    $flag = $1;
-	} else {
-	    $flag = shift;
-	}
-        push (@ipath, $flag);
-    } elsif (/^-/) {
-	usage();
-    } else {
-	$in = $_, next unless defined $in;
-	$out = $_, next unless defined $out;
-	usage();
-    }
-}
-
-if (defined $in) {
-    $inf = gensym();
-    open($inf, "<$in") or die "opening \"$in\": $!\n";
-    $ibase = $1 if $in =~ m|^(.+)/[^/]+$|;
-} else {
-    $inf = \*STDIN;
-}
-
-if (defined $out) {
-    open(STDOUT, ">$out") or die "opening \"$out\": $!\n";
-}
-
-while(defined $inf) {
-while(<$inf>) {
-    # Certain commands are discarded without further processing.
-    /^\@(?:
-	 [a-z]+index		# @*index: useful only in complete manual
-	 |need			# @need: useful only in printed manual
-	 |(?:end\s+)?group	# @group .. @end group: ditto
-	 |page			# @page: ditto
-	 |node			# @node: useful only in .info file
-	 |(?:end\s+)?ifnottex   # @ifnottex .. @end ifnottex: use contents
-	)\b/x and next;
-
-    chomp;
-
-    # Look for filename and title markers.
-    /^\@setfilename\s+([^.]+)/ and $fn = $1, next;
-    /^\@settitle\s+([^.]+)/ and $tl = postprocess($1), next;
-
-    # Identify a man title but keep only the one we are interested in.
-    /^\@c\s+man\s+title\s+([A-Za-z0-9-]+)\s+(.+)/ and do {
-	if (exists $defs{$1}) {
-	    $fn = $1;
-	    $tl = postprocess($2);
-	}
-	next;
-    };
-
-    # Look for blocks surrounded by @c man begin SECTION ... @c man end.
-    # This really oughta be @ifman ... @end ifman and the like, but such
-    # would require rev'ing all other Texinfo translators.
-    /^\@c\s+man\s+begin\s+([A-Z]+)\s+([A-Za-z0-9-]+)/ and do {
-	$output = 1 if exists $defs{$2};
-        $sect = $1;
-	next;
-    };
-    /^\@c\s+man\s+begin\s+([A-Z]+)/ and $sect = $1, $output = 1, next;
-    /^\@c\s+man\s+end/ and do {
-	$sects{$sect} = "" unless exists $sects{$sect};
-	$sects{$sect} .= postprocess($section);
-	$section = "";
-	$output = 0;
-	next;
-    };
-
-    # handle variables
-    /^\@set\s+([a-zA-Z0-9_-]+)\s*(.*)$/ and do {
-	$defs{$1} = $2;
-	next;
-    };
-    /^\@clear\s+([a-zA-Z0-9_-]+)/ and do {
-	delete $defs{$1};
-	next;
-    };
-
-    next unless $output;
-
-    # Discard comments.  (Can't do it above, because then we'd never see
-    # @c man lines.)
-    /^\@c\b/ and next;
-
-    # End-block handler goes up here because it needs to operate even
-    # if we are skipping.
-    /^\@end\s+([a-z]+)/ and do {
-	# Ignore @end foo, where foo is not an operation which may
-	# cause us to skip, if we are presently skipping.
-	my $ended = $1;
-	next if $skipping && $ended !~ /^(?:ifset|ifclear|ignore|menu|iftex|copying)$/;
-
-	die "\@end $ended without \@$ended at line $.\n" unless defined $endw;
-	die "\@$endw ended by \@end $ended at line $.\n" unless $ended eq $endw;
-
-	$endw = pop @endwstack;
-
-	if ($ended =~ /^(?:ifset|ifclear|ignore|menu|iftex)$/) {
-	    $skipping = pop @skstack;
-	    next;
-	} elsif ($ended =~ /^(?:example|smallexample|display)$/) {
-	    $shift = "";
-	    $_ = "";	# need a paragraph break
-	} elsif ($ended =~ /^(?:itemize|enumerate|[fv]?table)$/) {
-	    $_ = "\n=back\n";
-	    $ic = pop @icstack;
-	} elsif ($ended eq "multitable") {
-	    $_ = "\n=back\n";
-	} else {
-	    die "unknown command \@end $ended at line $.\n";
-	}
-    };
-
-    # We must handle commands which can cause skipping even while we
-    # are skipping, otherwise we will not process nested conditionals
-    # correctly.
-    /^\@ifset\s+([a-zA-Z0-9_-]+)/ and do {
-	push @endwstack, $endw;
-	push @skstack, $skipping;
-	$endw = "ifset";
-	$skipping = 1 unless exists $defs{$1};
-	next;
-    };
-
-    /^\@ifclear\s+([a-zA-Z0-9_-]+)/ and do {
-	push @endwstack, $endw;
-	push @skstack, $skipping;
-	$endw = "ifclear";
-	$skipping = 1 if exists $defs{$1};
-	next;
-    };
-
-    /^\@(ignore|menu|iftex|copying)\b/ and do {
-	push @endwstack, $endw;
-	push @skstack, $skipping;
-	$endw = $1;
-	$skipping = 1;
-	next;
-    };
-
-    next if $skipping;
-
-    # Character entities.  First the ones that can be replaced by raw text
-    # or discarded outright:
-    s/\@copyright\{\}/(c)/g;
-    s/\@dots\{\}/.../g;
-    s/\@enddots\{\}/..../g;
-    s/\@([.!? ])/$1/g;
-    s/\@[:-]//g;
-    s/\@bullet(?:\{\})?/*/g;
-    s/\@TeX\{\}/TeX/g;
-    s/\@pounds\{\}/\#/g;
-    s/\@minus(?:\{\})?/-/g;
-    s/\\,/,/g;
-
-    # Now the ones that have to be replaced by special escapes
-    # (which will be turned back into text by unmunge())
-    s/&/&amp;/g;
-    s/\@\{/&lbrace;/g;
-    s/\@\}/&rbrace;/g;
-    s/\@\@/&at;/g;
-
-    # Inside a verbatim block, handle @var specially.
-    if ($shift ne "") {
-	s/\@var\{([^\}]*)\}/<$1>/g;
-    }
-
-    # POD doesn't interpret E<> inside a verbatim block.
-    if ($shift eq "") {
-	s/</&lt;/g;
-	s/>/&gt;/g;
-    } else {
-	s/</&LT;/g;
-	s/>/&GT;/g;
-    }
-
-    # Single line command handlers.
-
-    /^\@include\s+(.+)$/ and do {
-	push @instack, $inf;
-	$inf = gensym();
-	$file = postprocess($1);
-
-	# Try cwd and $ibase, then explicit -I paths.
-	$done = 0;
-	foreach $path ("", $ibase, @ipath) {
-	    $mypath = $file;
-	    $mypath = $path . "/" . $mypath if ($path ne "");
-	    open($inf, "<" . $mypath) and ($done = 1, last);
-	}
-	die "cannot find $file" if !$done;
-	next;
-    };
-
-    /^\@(?:section|unnumbered|unnumberedsec|center)\s+(.+)$/
-	and $_ = "\n=head2 $1\n";
-    /^\@subsection\s+(.+)$/
-	and $_ = "\n=head3 $1\n";
-    /^\@subsubsection\s+(.+)$/
-	and $_ = "\n=head4 $1\n";
-
-    # Block command handlers:
-    /^\@itemize(?:\s+(\@[a-z]+|\*|-))?/ and do {
-	push @endwstack, $endw;
-	push @icstack, $ic;
-	if (defined $1) {
-	    $ic = $1;
-	} else {
-	    $ic = '*';
-	}
-	$_ = "\n=over 4\n";
-	$endw = "itemize";
-    };
-
-    /^\@enumerate(?:\s+([a-zA-Z0-9]+))?/ and do {
-	push @endwstack, $endw;
-	push @icstack, $ic;
-	if (defined $1) {
-	    $ic = $1 . ".";
-	} else {
-	    $ic = "1.";
-	}
-	$_ = "\n=over 4\n";
-	$endw = "enumerate";
-    };
-
-    /^\@multitable\s.*/ and do {
-	push @endwstack, $endw;
-	$endw = "multitable";
-	$_ = "\n=over 4\n";
-    };
-
-    /^\@([fv]?table)\s+(\@[a-z]+)/ and do {
-	push @endwstack, $endw;
-	push @icstack, $ic;
-	$endw = $1;
-	$ic = $2;
-	$ic =~ s/\@(?:samp|strong|key|gcctabopt|option|env)/B/;
-	$ic =~ s/\@(?:code|kbd)/C/;
-	$ic =~ s/\@(?:dfn|var|emph|cite|i)/I/;
-	$ic =~ s/\@(?:file)/F/;
-	$_ = "\n=over 4\n";
-    };
-
-    /^\@((?:small)?example|display)/ and do {
-	push @endwstack, $endw;
-	$endw = $1;
-	$shift = "\t";
-	$_ = "";	# need a paragraph break
-    };
-
-    /^\@item\s+(.*\S)\s*$/ and $endw eq "multitable" and do {
-	@columns = ();
-	for $column (split (/\s*\@tab\s*/, $1)) {
-	    # @strong{...} is used a @headitem work-alike
-	    $column =~ s/^\@strong{(.*)}$/$1/;
-	    push @columns, $column;
-	}
-	$_ = "\n=item ".join (" : ", @columns)."\n";
-    };
-
-    /^\@itemx?\s*(.+)?$/ and do {
-	if (defined $1) {
-	    # Entity escapes prevent munging by the <> processing below.
-	    $_ = "\n=item $ic\&LT;$1\&GT;\n";
-	} else {
-	    $_ = "\n=item $ic\n";
-	    $ic =~ y/A-Ya-y/B-Zb-z/;
-	    $ic =~ s/(\d+)/$1 + 1/eg;
-	}
-    };
-
-    $section .= $shift.$_."\n";
-}
-# End of current file.
-close($inf);
-$inf = pop @instack;
-}
-
-die "No filename or title\n" unless defined $fn && defined $tl;
-
-$sects{NAME} = "$fn \- $tl\n";
-$sects{FOOTNOTES} .= "=back\n" if exists $sects{FOOTNOTES};
-
-for $sect (qw(NAME SYNOPSIS DESCRIPTION OPTIONS ENVIRONMENT FILES
-	      BUGS NOTES FOOTNOTES SEEALSO AUTHOR COPYRIGHT)) {
-    if(exists $sects{$sect}) {
-	$head = $sect;
-	$head =~ s/SEEALSO/SEE ALSO/;
-	print "=head1 $head\n\n";
-	print scalar unmunge ($sects{$sect});
-	print "\n";
-    }
-}
-
-sub usage
-{
-    die "usage: $0 [-D toggle...] [infile [outfile]]\n";
-}
-
-sub postprocess
-{
-    local $_ = $_[0];
-
-    # @value{foo} is replaced by whatever 'foo' is defined as.
-    while (m/(\@value\{([a-zA-Z0-9_-]+)\})/g) {
-	if (! exists $defs{$2}) {
-	    print STDERR "Option $2 not defined\n";
-	    s/\Q$1\E//;
-	} else {
-	    $value = $defs{$2};
-	    s/\Q$1\E/$value/;
-	}
-    }
-
-    # Formatting commands.
-    # Temporary escape for @r.
-    s/\@r\{([^\}]*)\}/R<$1>/g;
-    s/\@(?:dfn|var|emph|cite|i)\{([^\}]*)\}/I<$1>/g;
-    s/\@(?:code|kbd)\{([^\}]*)\}/C<$1>/g;
-    s/\@(?:gccoptlist|samp|strong|key|option|env|command|b)\{([^\}]*)\}/B<$1>/g;
-    s/\@sc\{([^\}]*)\}/\U$1/g;
-    s/\@file\{([^\}]*)\}/F<$1>/g;
-    s/\@w\{([^\}]*)\}/S<$1>/g;
-    s/\@(?:dmn|math)\{([^\}]*)\}/$1/g;
-
-    # keep references of the form @ref{...}, print them bold
-    s/\@(?:ref)\{([^\}]*)\}/B<$1>/g;
-
-    # Change double single quotes to double quotes.
-    s/''/"/g;
-    s/``/"/g;
-
-    # Cross references are thrown away, as are @noindent and @refill.
-    # (@noindent is impossible in .pod, and @refill is unnecessary.)
-    # @* is also impossible in .pod; we discard it and any newline that
-    # follows it.  Similarly, our macro @gol must be discarded.
-
-    s/\(?\@xref\{(?:[^\}]*)\}(?:[^.<]|(?:<[^<>]*>))*\.\)?//g;
-    s/\s+\(\@pxref\{(?:[^\}]*)\}\)//g;
-    s/;\s+\@pxref\{(?:[^\}]*)\}//g;
-    s/\@noindent\s*//g;
-    s/\@refill//g;
-    s/\@gol//g;
-    s/\@\*\s*\n?//g;
-
-    # Anchors are thrown away
-    s/\@anchor\{(?:[^\}]*)\}//g;
-
-    # @uref can take one, two, or three arguments, with different
-    # semantics each time.  @url and @email are just like @uref with
-    # one argument, for our purposes.
-    s/\@(?:uref|url|email)\{([^\},]*)\}/&lt;B<$1>&gt;/g;
-    s/\@uref\{([^\},]*),([^\},]*)\}/$2 (C<$1>)/g;
-    s/\@uref\{([^\},]*),([^\},]*),([^\},]*)\}/$3/g;
-
-    # Un-escape <> at this point.
-    s/&LT;/</g;
-    s/&GT;/>/g;
-
-    # Now un-nest all B<>, I<>, R<>.  Theoretically we could have
-    # indefinitely deep nesting; in practice, one level suffices.
-    1 while s/([BIR])<([^<>]*)([BIR])<([^<>]*)>/$1<$2>$3<$4>$1</g;
-
-    # Replace R<...> with bare ...; eliminate empty markup, B<>;
-    # shift white space at the ends of [BI]<...> expressions outside
-    # the expression.
-    s/R<([^<>]*)>/$1/g;
-    s/[BI]<>//g;
-    s/([BI])<(\s+)([^>]+)>/$2$1<$3>/g;
-    s/([BI])<([^>]+?)(\s+)>/$1<$2>$3/g;
-
-    # Extract footnotes.  This has to be done after all other
-    # processing because otherwise the regexp will choke on formatting
-    # inside @footnote.
-    while (/\@footnote/g) {
-	s/\@footnote\{([^\}]+)\}/[$fnno]/;
-	add_footnote($1, $fnno);
-	$fnno++;
-    }
-
-    return $_;
-}
-
-sub unmunge
-{
-    # Replace escaped symbols with their equivalents.
-    local $_ = $_[0];
-
-    s/&lt;/E<lt>/g;
-    s/&gt;/E<gt>/g;
-    s/&lbrace;/\{/g;
-    s/&rbrace;/\}/g;
-    s/&at;/\@/g;
-    s/&amp;/&/g;
-    return $_;
-}
-
-sub add_footnote
-{
-    unless (exists $sects{FOOTNOTES}) {
-	$sects{FOOTNOTES} = "\n=over 4\n\n";
-    }
-
-    $sects{FOOTNOTES} .= "=item $fnno.\n\n"; $fnno++;
-    $sects{FOOTNOTES} .= $_[0];
-    $sects{FOOTNOTES} .= "\n\n";
-}
-
-# stolen from Symbol.pm
-{
-    my $genseq = 0;
-    sub gensym
-    {
-	my $name = "GEN" . $genseq++;
-	my $ref = \*{$name};
-	delete $::{$name};
-	return $ref;
-    }
-}
diff --git a/tracetool b/tracetool
deleted file mode 100755
index fce491c..0000000
--- a/tracetool
+++ /dev/null
@@ -1,573 +0,0 @@
-#!/bin/sh
-#
-# Code generator for trace events
-#
-# Copyright IBM, Corp. 2010
-#
-# This work is licensed under the terms of the GNU GPL, version 2.  See
-# the COPYING file in the top-level directory.
-
-# Disable pathname expansion, makes processing text with '*' characters simpler
-set -f
-
-usage()
-{
-    cat >&2 <<EOF
-usage: $0 [--nop | --simple | --ust] [-h | -c]
-Generate tracing code for a file on stdin.
-
-Backends:
-  --nop     Tracing disabled
-  --simple  Simple built-in backend
-  --ust     LTTng User Space Tracing backend
-  --dtrace  DTrace/SystemTAP backend
-
-Output formats:
-  -h     Generate .h file
-  -c     Generate .c file
-  -d     Generate .d file (DTrace only)
-  --stap Generate .stp file (DTrace with SystemTAP only)
-
-Options:
-  --binary      [path]  Full path to QEMU binary
-  --target-arch [arch]  QEMU emulator target arch
-  --target-type [type]  QEMU emulator target type ('system' or 'user')
-
-EOF
-    exit 1
-}
-
-# Get the name of a trace event
-get_name()
-{
-    echo ${1%%\(*}
-}
-
-# Get the argument list of a trace event, including types and names
-get_args()
-{
-    local args
-    args=${1#*\(}
-    args=${args%\)*}
-    echo "$args"
-}
-
-# Get the argument name list of a trace event
-get_argnames()
-{
-    local nfields field name sep
-    nfields=0
-    sep="$2"
-    for field in $(get_args "$1"); do
-        nfields=$((nfields + 1))
-
-        # Drop pointer star
-        field=${field#\*}
-
-        # Only argument names have commas at the end
-        name=${field%,}
-        test "$field" = "$name" && continue
-
-        printf "%s%s " $name $sep
-    done
-
-    # Last argument name
-    if [ "$nfields" -gt 1 ]
-    then
-        printf "%s" "$name"
-    fi
-}
-
-# Get the number of arguments to a trace event
-get_argc()
-{
-    local name argc
-    argc=0
-    for name in $(get_argnames "$1", ","); do
-        argc=$((argc + 1))
-    done
-    echo $argc
-}
-
-# Get the format string for a trace event
-get_fmt()
-{
-    local fmt
-    fmt=${1#*\"}
-    fmt=${fmt%\"*}
-    echo "$fmt"
-}
-
-# Get the state of a trace event
-get_state()
-{
-    local str disable state
-    str=$(get_name "$1")
-    disable=${str##disable }
-    if [ "$disable" = "$str" ] ; then
-        state=1
-    else
-        state=0
-    fi
-    echo "$state"
-}
-
-linetoh_begin_nop()
-{
-    return
-}
-
-linetoh_nop()
-{
-    local name args
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-
-    # Define an empty function for the trace event
-    cat <<EOF
-static inline void trace_$name($args)
-{
-}
-EOF
-}
-
-linetoh_end_nop()
-{
-    return
-}
-
-linetoc_begin_nop()
-{
-    return
-}
-
-linetoc_nop()
-{
-    # No need for function definitions in nop backend
-    return
-}
-
-linetoc_end_nop()
-{
-    return
-}
-
-linetoh_begin_simple()
-{
-    cat <<EOF
-#include "simpletrace.h"
-EOF
-
-    simple_event_num=0
-}
-
-cast_args_to_uint64_t()
-{
-    local arg
-    for arg in $(get_argnames "$1", ","); do
-        printf "%s" "(uint64_t)(uintptr_t)$arg"
-    done
-}
-
-linetoh_simple()
-{
-    local name args argc trace_args state
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    argc=$(get_argc "$1")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ]; then
-        name=${name##disable }
-    fi
-
-    trace_args="$simple_event_num"
-    if [ "$argc" -gt 0 ]
-    then
-        trace_args="$trace_args, $(cast_args_to_uint64_t "$1")"
-    fi
-
-    cat <<EOF
-static inline void trace_$name($args)
-{
-    trace$argc($trace_args);
-}
-EOF
-
-    simple_event_num=$((simple_event_num + 1))
-}
-
-linetoh_end_simple()
-{
-    cat <<EOF
-#define NR_TRACE_EVENTS $simple_event_num
-extern TraceEvent trace_list[NR_TRACE_EVENTS];
-EOF
-}
-
-linetoc_begin_simple()
-{
-    cat <<EOF
-#include "trace.h"
-
-TraceEvent trace_list[] = {
-EOF
-    simple_event_num=0
-
-}
-
-linetoc_simple()
-{
-    local name state
-    name=$(get_name "$1")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-    cat <<EOF
-{.tp_name = "$name", .state=$state},
-EOF
-    simple_event_num=$((simple_event_num + 1))
-}
-
-linetoc_end_simple()
-{
-    cat <<EOF
-};
-EOF
-}
-
-# Clean up after UST headers which pollute the namespace
-ust_clean_namespace() {
-    cat <<EOF
-#undef mutex_lock
-#undef mutex_unlock
-#undef inline
-#undef wmb
-EOF
-}
-
-linetoh_begin_ust()
-{
-    echo "#include <ust/tracepoint.h>"
-    ust_clean_namespace
-}
-
-linetoh_ust()
-{
-    local name args argnames
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    argnames=$(get_argnames "$1", ",")
-
-    cat <<EOF
-DECLARE_TRACE(ust_$name, TP_PROTO($args), TP_ARGS($argnames));
-#define trace_$name trace_ust_$name
-EOF
-}
-
-linetoh_end_ust()
-{
-    return
-}
-
-linetoc_begin_ust()
-{
-    cat <<EOF
-#include <ust/marker.h>
-$(ust_clean_namespace)
-#include "trace.h"
-EOF
-}
-
-linetoc_ust()
-{
-    local name args argnames fmt
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    argnames=$(get_argnames "$1", ",")
-    fmt=$(get_fmt "$1")
-
-    cat <<EOF
-DEFINE_TRACE(ust_$name);
-
-static void ust_${name}_probe($args)
-{
-    trace_mark(ust, $name, "$fmt", $argnames);
-}
-EOF
-
-    # Collect names for later
-    names="$names $name"
-}
-
-linetoc_end_ust()
-{
-    cat <<EOF
-static void __attribute__((constructor)) trace_init(void)
-{
-EOF
-
-    for name in $names; do
-        cat <<EOF
-    register_trace_ust_$name(ust_${name}_probe);
-EOF
-    done
-
-    echo "}"
-}
-
-linetoh_begin_dtrace()
-{
-    cat <<EOF
-#include "trace-dtrace.h"
-EOF
-}
-
-linetoh_dtrace()
-{
-    local name args argnames state nameupper
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    argnames=$(get_argnames "$1", ",")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-
-    nameupper=`echo $name | tr '[:lower:]' '[:upper:]'`
-
-    # Define an empty function for the trace event
-    cat <<EOF
-static inline void trace_$name($args) {
-    if (QEMU_${nameupper}_ENABLED()) {
-        QEMU_${nameupper}($argnames);
-    }
-}
-EOF
-}
-
-linetoh_end_dtrace()
-{
-    return
-}
-
-linetoc_begin_dtrace()
-{
-    return
-}
-
-linetoc_dtrace()
-{
-    # No need for function definitions in dtrace backend
-    return
-}
-
-linetoc_end_dtrace()
-{
-    return
-}
-
-linetod_begin_dtrace()
-{
-    cat <<EOF
-provider qemu {
-EOF
-}
-
-linetod_dtrace()
-{
-    local name args state
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-
-    # DTrace provider syntax expects foo() for empty
-    # params, not foo(void)
-    if [ "$args" = "void" ]; then
-       args=""
-    fi
-
-    # Define prototype for probe arguments
-    cat <<EOF
-        probe $name($args);
-EOF
-}
-
-linetod_end_dtrace()
-{
-    cat <<EOF
-};
-EOF
-}
-
-linetostap_begin_dtrace()
-{
-    return
-}
-
-linetostap_dtrace()
-{
-    local i arg name args arglist state
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    arglist=$(get_argnames "$1", "")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-
-    # Define prototype for probe arguments
-    cat <<EOF
-probe qemu.$targettype.$targetarch.$name = process("$binary").mark("$name")
-{
-EOF
-
-    i=1
-    for arg in $arglist
-    do
-        # 'limit' is a reserved keyword
-        if [ "$arg" = "limit" ]; then
-          arg="_limit"
-        fi
-        cat <<EOF
-  $arg = \$arg$i;
-EOF
-	i="$((i+1))"
-    done
-
-    cat <<EOF
-}
-EOF
-}
-
-linetostap_end_dtrace()
-{
-    return
-}
-
-# Process stdin by calling begin, line, and end functions for the backend
-convert()
-{
-    local begin process_line end str disable
-    begin="lineto$1_begin_$backend"
-    process_line="lineto$1_$backend"
-    end="lineto$1_end_$backend"
-
-    "$begin"
-
-    while read -r str; do
-        # Skip comments and empty lines
-        test -z "${str%%#*}" && continue
-
-        # Process the line.  The nop backend handles disabled lines.
-        disable=${str%%disable *}
-        echo
-        if test -z "$disable"; then
-            # Pass the disabled state as an arg for the simple
-            # or DTrace backends which handle it dynamically.
-            # For all other backends, call lineto$1_nop()
-            if [ $backend = "simple" -o "$backend" = "dtrace" ]; then
-                "$process_line" "$str"
-            else
-                "lineto$1_nop" "${str##disable }"
-            fi
-        else
-            "$process_line" "$str"
-        fi
-    done
-
-    echo
-    "$end"
-}
-
-tracetoh()
-{
-    cat <<EOF
-#ifndef TRACE_H
-#define TRACE_H
-
-/* This file is autogenerated by tracetool, do not edit. */
-
-#include "qemu-common.h"
-EOF
-    convert h
-    echo "#endif /* TRACE_H */"
-}
-
-tracetoc()
-{
-    echo "/* This file is autogenerated by tracetool, do not edit. */"
-    convert c
-}
-
-tracetod()
-{
-    if [ $backend != "dtrace" ]; then
-       echo "DTrace probe generator not applicable to $backend backend"
-       exit 1
-    fi
-    echo "/* This file is autogenerated by tracetool, do not edit. */"
-    convert d
-}
-
-tracetostap()
-{
-    if [ $backend != "dtrace" ]; then
-       echo "SystemTAP tapset generator not applicable to $backend backend"
-       exit 1
-    fi
-    if [ -z "$binary" ]; then
-       echo "--binary is required for SystemTAP tapset generator"
-       exit 1
-    fi
-    if [ -z "$targettype" ]; then
-       echo "--target-type is required for SystemTAP tapset generator"
-       exit 1
-    fi
-    if [ -z "$targetarch" ]; then
-       echo "--target-arch is required for SystemTAP tapset generator"
-       exit 1
-    fi
-    echo "/* This file is autogenerated by tracetool, do not edit. */"
-    convert stap
-}
-
-
-backend=
-output=
-binary=
-targettype=
-targetarch=
-
-
-until [ -z "$1" ]
-do
-  case "$1" in
-    "--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
-
-    "--binary") shift ; binary="$1" ;;
-    "--target-arch") shift ; targetarch="$1" ;;
-    "--target-type") shift ; targettype="$1" ;;
-
-    "-h" | "-c" | "-d") output="${1#-}" ;;
-    "--stap") output="${1#--}" ;;
-
-    "--check-backend") exit 0 ;; # used by ./configure to test for backend
-
-    *)
-      usage;;
-  esac
-  shift
-done
-
-if [ "$backend" = "" -o "$output" = "" ]; then
-  usage
-fi
-
-gen="traceto$output"
-"$gen"
-
-exit 0
commit 8e5977e5f588b2d4b74831d11860191f815b4c5b
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 20 21:40:53 2011 +0100

    gt64xxx: set isa_mem_base during registration
    
    isa_mem_base is computed from registers during reset, but due to QEMU
    limitations some devices (e.g. VGA card) need to know it earlier when
    they are registered.
    
    Workaround this by setting the value during registration instead of
    reset.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/gt64xxx.c b/hw/gt64xxx.c
index 7ec09df..923073b 100644
--- a/hw/gt64xxx.c
+++ b/hw/gt64xxx.c
@@ -1125,6 +1125,11 @@ static int gt64120_init(SysBusDevice *dev)
 
     s = FROM_SYSBUS(GT64120State, dev);
 
+    /* FIXME: This value is computed from registers during reset, but some
+       devices (e.g. VGA card) need to know it when they are registered.
+       This also mean that changing the register to change the mapping
+       does not fully work. */
+    isa_mem_base = 0x10000000;
     qemu_register_reset(gt64120_reset, s);
     register_savevm(&dev->qdev, "GT64120 PCI Bus", 0, 1,
                     gt64120_save, gt64120_load, &s->pci);
commit f447f8c6ed07302f2f594d171a7fbf716c7d2d4e
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Jan 18 15:42:57 2011 +0200

    virtio-pci: mask notifier error handling fixups
    
    Fix virtio-pci error handling in the mask notifiers: be careful to undo
    exactly what we did so far.
    
    Reported-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 7bfede7..25cdb37 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -475,6 +475,9 @@ static int virtio_pci_mask_notifier(PCIDevice *dev, unsigned vector,
     return 0;
 undo:
     while (--n >= 0) {
+        if (virtio_queue_vector(vdev, n) != vector) {
+            continue;
+        }
         virtio_pci_mask_vq(dev, vector, virtio_get_queue(vdev, n), !masked);
     }
     return r;
@@ -544,9 +547,18 @@ static int virtio_pci_set_guest_notifiers(void *opaque, bool assign)
 
 assign_error:
     /* We get here on assignment failure. Recover by undoing for VQs 0 .. n. */
+    if (assign) {
+        msix_unset_mask_notifier(&proxy->pci_dev);
+    }
+
     while (--n >= 0) {
         virtio_pci_set_guest_notifier(opaque, n, !assign);
     }
+
+    if (!assign) {
+        msix_set_mask_notifier(&proxy->pci_dev,
+                               virtio_pci_mask_notifier);
+    }
     return r;
 }
 
commit 730986e4942188c5ec2b8752e3db47d09cb222b2
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 20 16:04:52 2011 +0000

    hw/pl190.c: Fix writing of default vector address
    
    The PL190 implementation keeps the default vector address
    in vect_addr[16], but we weren't using this for writes to
    the DEFVECTADDR register. As a result of this fix the
    default_addr structure member is unused and we can delete it.
    
    Reported-by: Himanshu Chauhan <hschauhan at nulltrace.org>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pl190.c b/hw/pl190.c
index 17c279b..75f2ba1 100644
--- a/hw/pl190.c
+++ b/hw/pl190.c
@@ -21,7 +21,6 @@ typedef struct {
     uint32_t soft_level;
     uint32_t irq_enable;
     uint32_t fiq_select;
-    uint32_t default_addr;
     uint8_t vect_control[16];
     uint32_t vect_addr[PL190_NUM_PRIO];
     /* Mask containing interrupts with higher priority than this one.  */
@@ -186,7 +185,7 @@ static void pl190_write(void *opaque, target_phys_addr_t offset, uint32_t val)
             s->priority = s->prev_prio[s->priority];
         break;
     case 13: /* DEFVECTADDR */
-        s->default_addr = val;
+        s->vect_addr[16] = val;
         break;
     case 0xc0: /* ITCR */
         if (val) {
@@ -252,7 +251,6 @@ static const VMStateDescription vmstate_pl190 = {
         VMSTATE_UINT32(soft_level, pl190_state),
         VMSTATE_UINT32(irq_enable, pl190_state),
         VMSTATE_UINT32(fiq_select, pl190_state),
-        VMSTATE_UINT32(default_addr, pl190_state),
         VMSTATE_UINT8_ARRAY(vect_control, pl190_state, 16),
         VMSTATE_UINT32_ARRAY(vect_addr, pl190_state, PL190_NUM_PRIO),
         VMSTATE_UINT32_ARRAY(prio_mask, pl190_state, PL190_NUM_PRIO+1),
commit 367a9617815c0310cfba3648fe6fb3d39ce98133
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Jan 17 10:17:49 2011 -0700

    device-assignment: Properly terminate vmsd.fields
    
    The vmsd code expects the fields structure to be properly terminated,
    not NULL.  An assigned device should never be saved or restored, and
    recent qemu fixes to the no_migrate flag should ensure this, but let's
    avoid setting the wrong precedent.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Acked-by: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 0038526..e5205cf 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1698,7 +1698,10 @@ static void assigned_dev_unregister_msix_mmio(AssignedDevice *dev)
 }
 
 static const VMStateDescription vmstate_assigned_device = {
-    .name = "pci-assign"
+    .name = "pci-assign",
+    .fields = (VMStateField []) {
+        VMSTATE_END_OF_LIST()
+    }
 };
 
 static void reset_assigned_device(DeviceState *dev)
commit 5dbbda340533cd7d217dcf3ab904fb353598cbde
Merge: d788b57... e10990c...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Thu Jan 20 09:05:37 2011 -0600

    Merge remote branch 'mst/for_anthony' into staging

commit d788b57051ee91aa39de67cff8d8e15953bc100c
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 17 19:29:33 2011 +0100

    target-ppc: fix wrong NaN tests
    
    Some tests in FPU emulation code were wrongly using float64_is_nan()
    before commit 185698715dfb18c82ad2a5dbc169908602d43e81, and wrongly
    using float64_is_quiet_nan() after. Fix them by using float64_is_any_nan()
    instead.
    
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index f9d6130..17e070a 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -546,7 +546,7 @@ uint32_t helper_compute_fprf (uint64_t arg, uint32_t set_fprf)
     int ret;
     farg.ll = arg;
     isneg = float64_is_neg(farg.d);
-    if (unlikely(float64_is_quiet_nan(farg.d))) {
+    if (unlikely(float64_is_any_nan(farg.d))) {
         if (float64_is_signaling_nan(farg.d)) {
             /* Signaling NaN: flags are undefined */
             ret = 0x00;
@@ -1356,8 +1356,9 @@ uint64_t helper_fnmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         /* This is OK on x86 hosts */
         farg1.d = (farg1.d * farg2.d) + farg3.d;
 #endif
-        if (likely(!float64_is_quiet_nan(farg1.d)))
+        if (likely(!float64_is_any_nan(farg1.d))) {
             farg1.d = float64_chs(farg1.d);
+        }
     }
     return farg1.ll;
 }
@@ -1402,8 +1403,9 @@ uint64_t helper_fnmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         /* This is OK on x86 hosts */
         farg1.d = (farg1.d * farg2.d) - farg3.d;
 #endif
-        if (likely(!float64_is_quiet_nan(farg1.d)))
+        if (likely(!float64_is_any_nan(farg1.d))) {
             farg1.d = float64_chs(farg1.d);
+        }
     }
     return farg1.ll;
 }
@@ -1506,10 +1508,11 @@ uint64_t helper_fsel (uint64_t arg1, uint64_t arg2, uint64_t arg3)
 
     farg1.ll = arg1;
 
-    if ((!float64_is_neg(farg1.d) || float64_is_zero(farg1.d)) && !float64_is_quiet_nan(farg1.d))
+    if ((!float64_is_neg(farg1.d) || float64_is_zero(farg1.d)) && !float64_is_any_nan(farg1.d)) {
         return arg2;
-    else
+    } else {
         return arg3;
+    }
 }
 
 void helper_fcmpu (uint64_t arg1, uint64_t arg2, uint32_t crfD)
@@ -1519,8 +1522,8 @@ void helper_fcmpu (uint64_t arg1, uint64_t arg2, uint32_t crfD)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_quiet_nan(farg1.d) ||
-                 float64_is_quiet_nan(farg2.d))) {
+    if (unlikely(float64_is_any_nan(farg1.d) ||
+                 float64_is_any_nan(farg2.d))) {
         ret = 0x01UL;
     } else if (float64_lt(farg1.d, farg2.d, &env->fp_status)) {
         ret = 0x08UL;
@@ -1548,8 +1551,8 @@ void helper_fcmpo (uint64_t arg1, uint64_t arg2, uint32_t crfD)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_quiet_nan(farg1.d) ||
-                 float64_is_quiet_nan(farg2.d))) {
+    if (unlikely(float64_is_any_nan(farg1.d) ||
+                 float64_is_any_nan(farg2.d))) {
         ret = 0x01UL;
     } else if (float64_lt(farg1.d, farg2.d, &env->fp_status)) {
         ret = 0x08UL;
@@ -3446,8 +3449,9 @@ uint32_t helper_efdctsi (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
 
     return float64_to_int32(u.d, &env->vec_status);
 }
@@ -3458,8 +3462,9 @@ uint32_t helper_efdctui (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
 
     return float64_to_uint32(u.d, &env->vec_status);
 }
@@ -3470,8 +3475,9 @@ uint32_t helper_efdctsiz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
 
     return float64_to_int32_round_to_zero(u.d, &env->vec_status);
 }
@@ -3482,8 +3488,9 @@ uint64_t helper_efdctsidz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
 
     return float64_to_int64_round_to_zero(u.d, &env->vec_status);
 }
@@ -3494,8 +3501,9 @@ uint32_t helper_efdctuiz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
 
     return float64_to_uint32_round_to_zero(u.d, &env->vec_status);
 }
@@ -3506,8 +3514,9 @@ uint64_t helper_efdctuidz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
 
     return float64_to_uint64_round_to_zero(u.d, &env->vec_status);
 }
@@ -3543,8 +3552,9 @@ uint32_t helper_efdctsf (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
     tmp = uint64_to_float64(1ULL << 32, &env->vec_status);
     u.d = float64_mul(u.d, tmp, &env->vec_status);
 
@@ -3558,8 +3568,9 @@ uint32_t helper_efdctuf (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_quiet_nan(u.d)))
+    if (unlikely(float64_is_any_nan(u.d))) {
         return 0;
+    }
     tmp = uint64_to_float64(1ULL << 32, &env->vec_status);
     u.d = float64_mul(u.d, tmp, &env->vec_status);
 
commit 96912e39709e8455c013931513eebe8e6356eab4
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 17 19:29:33 2011 +0100

    target-ppc: fix sNaN propagation
    
    The current FPU code returns 0.0 if one of the operand is a
    signaling NaN and the VXSNAN exception is disabled.
    
    fload_invalid_op_excp() doesn't return a qNaN in case of a VXSNAN
    exception as the operand should be propagated instead of a new
    qNaN to be generated. Fix that by calling fload_invalid_op_excp()
    only for the exception generation (if enabled), and use the softfloat
    code to correctly compute the result.
    
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 279f345..f9d6130 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -975,15 +975,16 @@ uint64_t helper_fadd (uint64_t arg1, uint64_t arg2)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d))) {
-        /* sNaN addition */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d) &&
-                      float64_is_neg(farg1.d) != float64_is_neg(farg2.d))) {
+    if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d) &&
+                 float64_is_neg(farg1.d) != float64_is_neg(farg2.d))) {
         /* Magnitude subtraction of infinities */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXISI);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d))) {
+            /* sNaN addition */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
         farg1.d = float64_add(farg1.d, farg2.d, &env->fp_status);
     }
 
@@ -998,15 +999,16 @@ uint64_t helper_fsub (uint64_t arg1, uint64_t arg2)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d))) {
-        /* sNaN subtraction */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d) &&
-                      float64_is_neg(farg1.d) == float64_is_neg(farg2.d))) {
+    if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d) &&
+                 float64_is_neg(farg1.d) == float64_is_neg(farg2.d))) {
         /* Magnitude subtraction of infinities */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXISI);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d))) {
+            /* sNaN subtraction */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
         farg1.d = float64_sub(farg1.d, farg2.d, &env->fp_status);
     }
 
@@ -1021,15 +1023,16 @@ uint64_t helper_fmul (uint64_t arg1, uint64_t arg2)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d))) {
-        /* sNaN multiplication */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
-                        (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
+    if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
+                 (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d))) {
+            /* sNaN multiplication */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
         farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
     }
 
@@ -1044,17 +1047,18 @@ uint64_t helper_fdiv (uint64_t arg1, uint64_t arg2)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d))) {
-        /* sNaN division */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d))) {
+    if (unlikely(float64_is_infinity(farg1.d) && float64_is_infinity(farg2.d))) {
         /* Division of infinity by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIDI);
     } else if (unlikely(float64_is_zero(farg1.d) && float64_is_zero(farg2.d))) {
         /* Division of zero by zero */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXZDZ);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d))) {
+            /* sNaN division */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
         farg1.d = float64_div(farg1.d, farg2.d, &env->fp_status);
     }
 
@@ -1232,16 +1236,17 @@ uint64_t helper_fmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
     farg2.ll = arg2;
     farg3.ll = arg3;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d) ||
-                 float64_is_signaling_nan(farg3.d))) {
-        /* sNaN operation */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
-                        (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
+    if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
+                 (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d) ||
+                     float64_is_signaling_nan(farg3.d))) {
+            /* sNaN operation */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
 #ifdef FLOAT128
         /* This is the way the PowerPC specification defines it */
         float128 ft0_128, ft1_128;
@@ -1276,16 +1281,17 @@ uint64_t helper_fmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
     farg2.ll = arg2;
     farg3.ll = arg3;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d) ||
-                 float64_is_signaling_nan(farg3.d))) {
-        /* sNaN operation */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
+    if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
                         (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d) ||
+                     float64_is_signaling_nan(farg3.d))) {
+            /* sNaN operation */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
 #ifdef FLOAT128
         /* This is the way the PowerPC specification defines it */
         float128 ft0_128, ft1_128;
@@ -1319,16 +1325,17 @@ uint64_t helper_fnmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
     farg2.ll = arg2;
     farg3.ll = arg3;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d) ||
-                 float64_is_signaling_nan(farg3.d))) {
-        /* sNaN operation */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
-                        (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
+    if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
+                 (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d) ||
+                     float64_is_signaling_nan(farg3.d))) {
+            /* sNaN operation */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
 #ifdef FLOAT128
         /* This is the way the PowerPC specification defines it */
         float128 ft0_128, ft1_128;
@@ -1364,16 +1371,17 @@ uint64_t helper_fnmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
     farg2.ll = arg2;
     farg3.ll = arg3;
 
-    if (unlikely(float64_is_signaling_nan(farg1.d) ||
-                 float64_is_signaling_nan(farg2.d) ||
-                 float64_is_signaling_nan(farg3.d))) {
-        /* sNaN operation */
-        farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
+    if (unlikely((float64_is_infinity(farg1.d) && float64_is_zero(farg2.d)) ||
                         (float64_is_zero(farg1.d) && float64_is_infinity(farg2.d)))) {
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg1.d) ||
+                     float64_is_signaling_nan(farg2.d) ||
+                     float64_is_signaling_nan(farg3.d))) {
+            /* sNaN operation */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
 #ifdef FLOAT128
         /* This is the way the PowerPC specification defines it */
         float128 ft0_128, ft1_128;
@@ -1409,11 +1417,11 @@ uint64_t helper_frsp (uint64_t arg)
 
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN square root */
-       farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else {
-       f32 = float64_to_float32(farg.d, &env->fp_status);
-       farg.d = float32_to_float64(f32, &env->fp_status);
+       fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
     }
+    f32 = float64_to_float32(farg.d, &env->fp_status);
+    farg.d = float32_to_float64(f32, &env->fp_status);
+
     return farg.ll;
 }
 
@@ -1423,13 +1431,14 @@ uint64_t helper_fsqrt (uint64_t arg)
     CPU_DoubleU farg;
     farg.ll = arg;
 
-    if (unlikely(float64_is_signaling_nan(farg.d))) {
-        /* sNaN square root */
-        farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely(float64_is_neg(farg.d) && !float64_is_zero(farg.d))) {
+    if (unlikely(float64_is_neg(farg.d) && !float64_is_zero(farg.d))) {
         /* Square root of a negative nonzero number */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSQRT);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg.d))) {
+            /* sNaN square root */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
         farg.d = float64_sqrt(farg.d, &env->fp_status);
     }
     return farg.ll;
@@ -1443,10 +1452,9 @@ uint64_t helper_fre (uint64_t arg)
 
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN reciprocal */
-        farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else {
-        farg.d = float64_div(float64_one, farg.d, &env->fp_status);
+        fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
     }
+    farg.d = float64_div(float64_one, farg.d, &env->fp_status);
     return farg.d;
 }
 
@@ -1459,12 +1467,12 @@ uint64_t helper_fres (uint64_t arg)
 
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN reciprocal */
-        farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else {
-        farg.d = float64_div(float64_one, farg.d, &env->fp_status);
-        f32 = float64_to_float32(farg.d, &env->fp_status);
-        farg.d = float32_to_float64(f32, &env->fp_status);
+        fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
     }
+    farg.d = float64_div(float64_one, farg.d, &env->fp_status);
+    f32 = float64_to_float32(farg.d, &env->fp_status);
+    farg.d = float32_to_float64(f32, &env->fp_status);
+
     return farg.ll;
 }
 
@@ -1475,13 +1483,14 @@ uint64_t helper_frsqrte (uint64_t arg)
     float32 f32;
     farg.ll = arg;
 
-    if (unlikely(float64_is_signaling_nan(farg.d))) {
-        /* sNaN reciprocal square root */
-        farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
-    } else if (unlikely(float64_is_neg(farg.d) && !float64_is_zero(farg.d))) {
+    if (unlikely(float64_is_neg(farg.d) && !float64_is_zero(farg.d))) {
         /* Reciprocal square root of a negative nonzero number */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSQRT);
     } else {
+        if (unlikely(float64_is_signaling_nan(farg.d))) {
+            /* sNaN reciprocal square root */
+            fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
+        }
         farg.d = float64_sqrt(farg.d, &env->fp_status);
         farg.d = float64_div(float64_one, farg.d, &env->fp_status);
         f32 = float64_to_float32(farg.d, &env->fp_status);
commit e10990c3f0c39e92ab5f74004b89a24fcc36fa14
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Jan 20 15:57:49 2011 +0900

    pci: use qemu_malloc() in pcibus_get_dev_path()
    
    use qemu_malloc() instead of direct use of malloc().
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 1ffe428..b8f5385 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2058,7 +2058,7 @@ static char *pcibus_get_dev_path(DeviceState *dev)
     path_len = domain_len + slot_len * slot_depth;
 
     /* Allocate memory, fill in the terminating null byte. */
-    path = malloc(path_len + 1 /* For '\0' */);
+    path = qemu_malloc(path_len + 1 /* For '\0' */);
     path[path_len] = '\0';
 
     /* First field is the domain. */
commit e407bf13ba65163a8f8669e0157839bbefdb43b8
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Jan 20 16:21:40 2011 +0900

    msix: simplify write config
    
    use pci_device_deassert_intx().
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index e123082..daaf9b7 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -159,7 +159,6 @@ void msix_write_config(PCIDevice *dev, uint32_t addr,
 {
     unsigned enable_pos = dev->msix_cap + MSIX_CONTROL_OFFSET;
     int vector;
-    int i;
 
     if (!range_covers_byte(addr, len, enable_pos)) {
         return;
@@ -169,9 +168,7 @@ void msix_write_config(PCIDevice *dev, uint32_t addr,
         return;
     }
 
-    for (i = 0; i < PCI_NUM_PINS; ++i) {
-        qemu_set_irq(dev->irq[i], 0);
-    }
+    pci_device_deassert_intx(dev);
 
     if (msix_function_masked(dev)) {
         return;
commit 59369b0816de3e76fa20204be5f6144de1ce8937
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Jan 20 16:21:39 2011 +0900

    msi: simplify write config a bit.
    
    use pci_device_deassert_intx().
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msi.c b/hw/msi.c
index f03f519..3dc3a24 100644
--- a/hw/msi.c
+++ b/hw/msi.c
@@ -255,7 +255,6 @@ void msi_write_config(PCIDevice *dev, uint32_t addr, uint32_t val, int len)
     uint8_t log_max_vecs;
     unsigned int vector;
     uint32_t pending;
-    int i;
 
     if (!ranges_overlap(addr, len, dev->msi_cap, msi_cap_sizeof(flags))) {
         return;
@@ -296,9 +295,7 @@ void msi_write_config(PCIDevice *dev, uint32_t addr, uint32_t val, int len)
      *   from using its INTx# pin (if implemented) to request
      *   service (MSI, MSI-X, and INTx# are mutually exclusive).
      */
-    for (i = 0; i < PCI_NUM_PINS; ++i) {
-        qemu_set_irq(dev->irq[i], 0);
-    }
+    pci_device_deassert_intx(dev);
 
     /*
      * nr_vectors might be set bigger than capable. So clamp it.
commit 4c92325b5196ebd34886174a80d2f9fac35a004f
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Jan 20 16:21:38 2011 +0900

    pci: deassert intx on reset.
    
    deassert intx on device reset.
    So far pci_device_reset() is used for system reset.
    In that case, interrupt controller is reset at the same time so that
    all irq is are deasserted.
    But now pci bus reset/flr is supported, and in that case irq needs to be
    disabled explicitly.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index c77f6e9..1ffe428 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -137,6 +137,14 @@ static void pci_update_irq_status(PCIDevice *dev)
     }
 }
 
+void pci_device_deassert_intx(PCIDevice *dev)
+{
+    int i;
+    for (i = 0; i < PCI_NUM_PINS; ++i) {
+        qemu_set_irq(dev->irq[i], 0);
+    }
+}
+
 /*
  * This function is called on #RST and FLR.
  * FLR if PCI_EXP_DEVCTL_BCR_FLR is set
@@ -152,6 +160,7 @@ void pci_device_reset(PCIDevice *dev)
 
     dev->irq_state = 0;
     pci_update_irq_status(dev);
+    pci_device_deassert_intx(dev);
     /* Clear all writeable bits */
     pci_word_test_and_clear_mask(dev->config + PCI_COMMAND,
                                  pci_get_word(dev->wmask + PCI_COMMAND) |
diff --git a/hw/pci.h b/hw/pci.h
index bc8d5bb..0d2753f 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -264,6 +264,8 @@ void do_pci_info_print(Monitor *mon, const QObject *data);
 void do_pci_info(Monitor *mon, QObject **ret_data);
 void pci_bridge_update_mappings(PCIBus *b);
 
+void pci_device_deassert_intx(PCIDevice *dev);
+
 static inline void
 pci_set_byte(uint8_t *config, uint8_t val)
 {
commit b2bf03a90ca3024213e354d3e0a6bc0cc8fc31e8
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Tue Jan 18 19:11:33 2011 +0300

    pxa2xx_lcd: restore updating of display
    
    Recently PXA2xx lcd have stopped to be updated incrementally (picture
    frozen). This patch fixes that by passing non min/max x/y, but rather
    (correctly) x/y and w/h.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pxa2xx_lcd.c b/hw/pxa2xx_lcd.c
index 1f2211a..5b2b07e 100644
--- a/hw/pxa2xx_lcd.c
+++ b/hw/pxa2xx_lcd.c
@@ -796,9 +796,9 @@ static void pxa2xx_update_display(void *opaque)
 
     if (miny >= 0) {
         if (s->orientation)
-            dpy_update(s->ds, miny, 0, maxy, s->xres);
+            dpy_update(s->ds, miny, 0, maxy - miny, s->xres);
         else
-            dpy_update(s->ds, 0, miny, s->xres, maxy);
+            dpy_update(s->ds, 0, miny, s->xres, maxy - miny);
     }
     pxa2xx_lcdc_int_update(s);
 
commit f69866ea32f4e1f54bc14e3b4fa3d7e79754a205
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Thu Jan 13 18:37:12 2011 +0300

    pxa2xx: fix vmstate_pxa2xx_i2c
    
    vmstate_pxa2xx_i2c incorrectly recursed to itself instead of going
    to store slave device. Fix that stop stop qemu from segfaulting
    during savevm for pxa2xx-based devices.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index ab524a7..6e72a5c 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -1476,7 +1476,7 @@ static const VMStateDescription vmstate_pxa2xx_i2c = {
         VMSTATE_UINT8(ibmr, PXA2xxI2CState),
         VMSTATE_UINT8(data, PXA2xxI2CState),
         VMSTATE_STRUCT_POINTER(slave, PXA2xxI2CState,
-                               vmstate_pxa2xx_i2c, PXA2xxI2CSlaveState *),
+                               vmstate_pxa2xx_i2c_slave, PXA2xxI2CSlaveState *),
         VMSTATE_END_OF_LIST()
     }
 };
commit aa9438d9f8a19258514c5cc238d2494a2572ff58
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Thu Jan 13 18:37:11 2011 +0300

    scoop: fix access to registers from second instance
    
    Second instance of scoop contains registers shifted to 0x40 from the start
    of the page. Instead of messing with register mapping, just limit register
    address to 0x00..0x3f.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/zaurus.c b/hw/zaurus.c
index 54ec3f0..36be94a 100644
--- a/hw/zaurus.c
+++ b/hw/zaurus.c
@@ -70,7 +70,7 @@ static uint32_t scoop_readb(void *opaque, target_phys_addr_t addr)
 {
     ScoopInfo *s = (ScoopInfo *) opaque;
 
-    switch (addr) {
+    switch (addr & 0x3f) {
     case SCOOP_MCR:
         return s->mcr;
     case SCOOP_CDR:
@@ -104,7 +104,7 @@ static void scoop_writeb(void *opaque, target_phys_addr_t addr, uint32_t value)
     ScoopInfo *s = (ScoopInfo *) opaque;
     value &= 0xffff;
 
-    switch (addr) {
+    switch (addr & 0x3f) {
     case SCOOP_MCR:
         s->mcr = value;
         break;
commit f75d216a80977da3435f507fa6bae0821a5d9076
Author: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
Date:   Thu Jan 13 18:37:10 2011 +0300

    mainstone: fix name of the allocated memory for roms
    
    Mainstone board has two flash chips (emulated by two ram regions), however
    currently code tries to allocate them with the same name, which fails.
    Fix that to make mainstone emulation work again.
    
    Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/mainstone.c b/hw/mainstone.c
index efa2959..58e3f86 100644
--- a/hw/mainstone.c
+++ b/hw/mainstone.c
@@ -106,7 +106,8 @@ static void mainstone_common_init(ram_addr_t ram_size,
         }
 
         if (!pflash_cfi01_register(mainstone_flash_base[i],
-                                   qemu_ram_alloc(NULL, "mainstone.flash",
+                                   qemu_ram_alloc(NULL, i ? "mainstone.flash1" :
+                                                  "mainstone.flash0",
                                                   MAINSTONE_FLASH),
                                    dinfo->bdrv, sector_len,
                                    MAINSTONE_FLASH / sector_len, 4, 0, 0, 0, 0,
commit 2a3c633c1eb8692716220195b6d3fe78b7e411d0
Author: Fred Boiteux <fblistes+qemu at free.fr>
Date:   Sun Jan 9 14:24:59 2011 +0100

    add bepo (french dvorak) keyboard layout
    
    I'm using the Qemu program with VNC I/O, and I had some problems with
    my keyboard layout, so I've prepared a definition to be included in
    Qemu, built from Xorg description.
    
    Signed-off-by: Frédéric Boiteux <fboiteux at free.fr>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/pc-bios/keymaps/bepo b/pc-bios/keymaps/bepo
new file mode 100644
index 0000000..d40041a
--- /dev/null
+++ b/pc-bios/keymaps/bepo
@@ -0,0 +1,333 @@
+include common
+
+# Bépo : Improved ergonomic french keymap using Dvorak method.
+# Built by community on 'Dvorak Fr / Bépo' :
+# see http://www.clavier-dvorak.org/wiki/ to join and help.
+#
+# Bépo layout (1.0rc2 version) for a pc105 keyboard (french) :
+# ┌────┐
+# │ S A│   S = Shift,  A = AltGr + Shift
+# │ s a│   s = normal, a = AltGr
+# └────┘
+#
+# ┌─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┲━━━━━━━━━┓
+# │ # ¶ │ 1 „ │ 2 “ │ 3 ” │ 4 ≤ │ 5 ≥ │ 6   │ 7 ¬ │ 8 ¼ │ 9 ½ │ 0 ¾ │ ° ′ │ ` ″ ┃ ⌫ Retour┃
+# │ $ – │ " — │ « < │ » > │ ( [ │ ) ] │ @ ^ │ + ± │ - − │ / ÷ │ * × │ = ≠ │ % ‰ ┃  arrière┃
+# ┢━━━━━┷━┱───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┴─┬───┺━┳━━━━━━━┫
+# ┃       ┃ B ¦ │ É ˝ │ P § │ O Œ │ È ` │ !   │ V   │ D Ð │ L   │ J IJ │ Z Ə │ W   ┃Entrée ┃
+# ┃Tab ↹  ┃ b | │ é ˊ │ p & │ o œ │ è ` │ ˆ ¡ │ v ˇ │ d ð │ l / │ j ij │ z ə │ w ̆ ┃   ⏎   ┃
+# ┣━━━━━━━┻┱────┴┬────┴┬────┴┬────┴┬────┴┬────┴┬────┴┬────┴┬────┴┬────┴┬────┴┬────┺┓      ┃
+# ┃        ┃ A Æ │ U Ù │ I ˙ │ E ¤ │ ; ̛ │ C ſ │ T Þ │ S ẞ │ R ™ │ N   │ M º │ Ç , ┃      ┃
+# ┃Maj ⇬   ┃ a æ │ u ù │ i ̈ │ e € │ , ’ │ c © │ t þ │ s ß │ r ® │ n ˜ │ m ¯ │ ç ¸ ┃      ┃
+# ┣━━━━━━━┳┹────┬┴────┬┴────┬┴────┬┴────┬┴────┬┴────┬┴────┬┴────┬┴────┬┴────┲┷━━━━━┻━━━━━━┫
+# ┃       ┃ Ê   │ À   │ Y ‘ │ X ’ │ : · │ K   │ ? ̉ │ Q ̣ │ G   │ H ‡ │ F ª ┃             ┃
+# ┃Shift ⇧┃ ê / │ à \ │ y { │ x } │ . … │ k ~ │ ' ¿ │ q ˚ │ g µ │ h † │ f ˛ ┃Shift ⇧      ┃
+# ┣━━━━━━━╋━━━━━┷━┳━━━┷━━━┱─┴─────┴─────┴─────┴─────┴─────┴───┲━┷━━━━━╈━━━━━┻━┳━━━━━━━┳━━━┛
+# ┃       ┃       ┃       ┃ Espace inséc.   Espace inséc. fin ┃       ┃       ┃       ┃
+# ┃Ctrl   ┃Meta   ┃Alt    ┃ ␣ (Espace)      _               ␣ ┃AltGr ⇮┃Menu   ┃Ctrl   ┃
+# ┗━━━━━━━┻━━━━━━━┻━━━━━━━┹───────────────────────────────────┺━━━━━━━┻━━━━━━━┻━━━━━━━┛
+
+
+# First row
+## keycode  41 = dollar numbersign       U+2013  U+00b6
+dollar        0x29
+numbersign    0x29  shift
+U2013         0x29        altgr
+U00b6         0x29  shift altgr
+
+## keycode   2 = +quotedbl +one          U+2014  U+201e
+quotedbl      0x2
+one           0x2  shift
+U2014         0x2        altgr
+U201e         0x2  shift altgr
+
+## keycode   3 = +guillemotleft  +two     less    U+201c
+guillemotleft  0x3
+two           0x3  shift
+less          0x3        altgr
+U201c         0x3  shift altgr
+
+## keycode   4 = +guillemotright +three  greater U+201d
+guillemotright  0x4
+three         0x4  shift
+greater       0x4        altgr
+U201d         0x4  shift altgr
+
+## keycode   5 = +parenleft +four        bracketleft  U+2264
+parenleft     0x5
+four          0x5  shift
+bracketleft   0x5        altgr
+U2264         0x5  shift altgr
+
+## keycode   6 = +parenright +five       bracketright  U+2265
+parenright    0x6
+five          0x6  shift
+bracketright  0x6        altgr
+U2265         0x6  shift altgr
+
+## keycode   7 = +at       +six          asciicircum
+at            0x7
+six           0x7  shift
+asciicircum   0x7        altgr
+
+## keycode   8 = +plus     +seven        U+00b1  U+00ac
+plus          0x8
+seven         0x8  shift
+U00b1         0x8        altgr
+U00ac         0x8  shift altgr
+
+## keycode   9 = +minus    +eight        U+2212  U+00bc
+minus         0x9
+eight         0x9  shift
+U2212         0x9        altgr
+U00bc         0x9  shift altgr
+
+## keycode  10 = +slash    +nine         U+00f7  U+00bd
+slash         0xa
+nine          0xa  shift
+U00f7         0xa        altgr
+U00bd         0xa  shift altgr
+
+## keycode  11 = +asterisk +zero         U+00d7  U+00be
+asterisk      0xb
+zero          0xb  shift
+U00d7         0xb        altgr
+U00be         0xb  shift altgr
+
+## keycode  12 = equal     U+00b0        U+2260  U+2032
+equal         0xc
+U00b0         0xc  shift
+U2260         0xc        altgr
+U2032         0xc  shift altgr
+
+## keycode  13 = percent   grave         U+2030  U+2033
+percent       0xd
+grave         0xd  shift
+U2030         0xd        altgr
+U2033         0xd  shift altgr
+
+
+# Second row
+
+# simplified letter definitions notation :
+## keycode 16 = b
+b             0x10  addupper
+## keycode 18 = p
+p             0x12  addupper
+## keycode 19 = o
+o             0x13  addupper
+## keycode 22 = v
+v             0x16  addupper
+## keycode 23 = d
+d             0x17  addupper
+## keycode 24 = l
+l             0x18  addupper
+## keycode 25 = j
+j             0x19  addupper
+## keycode 26 = z
+z             0x1a  addupper
+## keycode 27 = w
+w             0x1b  addupper
+
+# then, add specific definitions
+##                    AltGr keycode  16 = bar
+bar           0x10        altgr
+##              Shift AltGr keycode  16 = brokenbar
+brokenbar     0x10  shift altgr
+
+## keycode 17 = +eacute +Eacute dead_acute
+eacute        0x11
+Eacute        0x11  shift
+dead_acute    0x11        altgr
+
+##                    AltGr keycode  18 = ampersand
+ampersand     0x12        altgr
+##              Shift AltGr keycode  18 = U+00a7
+U00a7         0x12  shift altgr
+
+##                    AltGr keycode  19 = +U+0153
+U+0153        0x13        altgr
+##              Shift AltGr keycode  19 = +U+0152
+U+0152        0x13  shift altgr
+
+## keycode 20 = +egrave +Egrave dead_grave grave # no Meta !
+egrave        0x14
+Egrave        0x14  shift
+dead_grave    0x14        altgr
+
+## keycode 21 = dead_circumflex exclam exclamdown
+dead_circumflex  0x15
+exclam        0x15  shift
+exclamdown    0x15        altgr
+
+##                    AltGr keycode  22 = dead_caron
+dead_caron    0x16        altgr
+
+##                    AltGr keycode  23 = eth
+eth           0x17        altgr
+##              Shift AltGr keycode  23 = ETH
+ETH           0x17  shift altgr
+
+##                    AltGr keycode  25 = +U+0133
+U+0133        0x19        altgr
+##              Shift AltGr keycode  25 = +U+0132
+U+0132        0x19  shift altgr
+
+##                    AltGr keycode  26 = +U+0259
+U+0259        0x1a        altgr
+##              Shift AltGr keycode  26 = +U+018f
+U+018f        0x1a  shift altgr
+
+
+
+# Third row
+
+# simplified letter definitions notation :
+## keycode 30 = a
+a             0x1e  addupper
+## keycode 31 = u
+u             0x1f  addupper
+## keycode 32 = i
+i             0x20  addupper
+## keycode 33 = e
+e             0x21  addupper
+## keycode 35 = c
+c             0x23  addupper
+## keycode 36 = t
+t             0x24  addupper
+## keycode 37 = s
+s             0x25  addupper
+## keycode 38 = r
+r             0x26  addupper
+## keycode 39 = n
+n             0x27  addupper
+## keycode 40 = m
+m             0x28  addupper
+
+# then, add specific definitions
+##                    AltGr keycode  30 = +ae
+ae            0x1e        altgr
+##              Shift AltGr keycode  30 = +AE
+AE            0x1e  shift altgr
+
+##                    AltGr keycode  31 = +ugrave
+ugrave        0x1f        altgr
+##              Shift AltGr keycode  31 = +Ugrave
+Ugrave        0x1f  shift altgr
+
+##                    AltGr keycode  32 = dead_diaeresis
+dead_diaeresis  0x20        altgr
+
+
+##                    AltGr keycode  33 = U+20ac
+U20ac         0x21        altgr
+
+## keycode 34 = comma semicolon U+2019 +U+031b
+comma         0x22
+semicolon     0x22  shift
+U2019         0x22        altgr
+U+031b        0x22  shift altgr
+
+##                    AltGr keycode  35 = copyright
+copyright     0x23        altgr
+##              Shift AltGr keycode  35 = U+017f
+U017f         0x23  shift altgr
+
+##                    AltGr keycode  36 = +thorn
+thorn         0x24        altgr
+##              Shift AltGr keycode  36 = +THORN
+THORN         0x24  shift altgr
+
+##                    AltGr keycode  37 = +ssharp
+ssharp        0x25        altgr
+##              Shift AltGr keycode  37 = U+1e9e
+U1e9e         0x25  shift altgr
+
+##                    AltGr keycode  38 = registered
+registered    0x26        altgr
+##              Shift AltGr keycode  38 = U+2122
+U2122         0x26  shift altgr
+
+##                    AltGr keycode  39 = dead_tilde
+dead_tilde    0x27        altgr
+
+##              Shift AltGr keycode  40 = masculine
+masculine     0x28  shift altgr
+
+## keycode 43 = +ccedilla +Ccedilla dead_cedilla
+ccedilla      0x2b
+Ccedilla      0x2b  shift
+dead_cedilla  0x2b        altgr
+
+
+# Fourth row
+
+# simplified letter definitions notation :
+## keycode 45 = y
+y             0x2d  addupper
+## keycode 46 = x
+x             0x2e  addupper
+## keycode 48 = k
+k             0x30  addupper
+## keycode 50 = q
+q             0x32  addupper
+## keycode 51 = g
+g             0x33  addupper
+## keycode 52 = h
+h             0x34  addupper
+## keycode 53 = f
+f             0x35  addupper
+
+# then, add specific definitions
+## keycode 86 = +ecircumflex +Ecircumflex slash slash
+ecircumflex   0x56
+Ecircumflex   0x56  shift
+
+## keycode 44 = +agrave +Agrave backslash
+agrave        0x2c
+Agrave        0x2c  shift
+backslash     0x2c        altgr
+
+##                    AltGr keycode  45 = braceleft
+braceleft     0x2d        altgr
+##              Shift AltGr keycode  45 = U+2018
+U2018         0x2d  shift altgr
+
+##                    AltGr keycode  46 = braceright
+braceright    0x2e        altgr
+
+## keycode 47 = period colon U+2026 periodcentered
+period        0x2f
+colon         0x2f  shift
+U2026         0x2f        altgr
+periodcentered  0x2f  shift altgr
+
+##                    AltGr keycode  48 = asciitilde
+asciitilde    0x30        altgr
+##              Shift AltGr keycode  48 = U+2328
+U2328         0x30  shift altgr
+
+## keycode 49 = apostrophe question questiondown +U+0309
+apostrophe    0x31
+question      0x31  shift
+questiondown  0x31        altgr
+U+0309        0x31  shift altgr
+
+##                    AltGr keycode  51 = mu
+mu            0x33        altgr
+
+##                    AltGr keycode  52 = U+2020
+U2020         0x34        altgr
+##              Shift AltGr keycode  52 = U+2021
+U2021         0x34  shift altgr
+
+##              Shift AltGr keycode  53 = ordfeminine
+ordfeminine   0x35  shift altgr
+
+
+
+## keycode 57 = space nobreakspace underscore U+202f
+space         0x39
+nobreakspace  0x39  shift
+underscore    0x39        altgr
+U202f         0x39  shift altgr
commit 3ac59434c771ed65ea76f64589807d88c77cf3f5
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:58 2010 +0000

    stc91c111: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/smc91c111.c b/hw/smc91c111.c
index fc714d7..dafea5c 100644
--- a/hw/smc91c111.c
+++ b/hw/smc91c111.c
@@ -46,6 +46,35 @@ typedef struct {
     int mmio_index;
 } smc91c111_state;
 
+static const VMStateDescription vmstate_smc91c111 = {
+    .name = "smc91c111",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields      = (VMStateField []) {
+        VMSTATE_UINT16(tcr, smc91c111_state),
+        VMSTATE_UINT16(rcr, smc91c111_state),
+        VMSTATE_UINT16(cr, smc91c111_state),
+        VMSTATE_UINT16(ctr, smc91c111_state),
+        VMSTATE_UINT16(gpr, smc91c111_state),
+        VMSTATE_UINT16(ptr, smc91c111_state),
+        VMSTATE_UINT16(ercv, smc91c111_state),
+        VMSTATE_INT32(bank, smc91c111_state),
+        VMSTATE_INT32(packet_num, smc91c111_state),
+        VMSTATE_INT32(tx_alloc, smc91c111_state),
+        VMSTATE_INT32(allocated, smc91c111_state),
+        VMSTATE_INT32(tx_fifo_len, smc91c111_state),
+        VMSTATE_INT32_ARRAY(tx_fifo, smc91c111_state, NUM_PACKETS),
+        VMSTATE_INT32(rx_fifo_len, smc91c111_state),
+        VMSTATE_INT32_ARRAY(rx_fifo, smc91c111_state, NUM_PACKETS),
+        VMSTATE_INT32(tx_fifo_done_len, smc91c111_state),
+        VMSTATE_INT32_ARRAY(tx_fifo_done, smc91c111_state, NUM_PACKETS),
+        VMSTATE_BUFFER_UNSAFE(data, smc91c111_state, 0, NUM_PACKETS * 2048),
+        VMSTATE_UINT8(int_level, smc91c111_state),
+        VMSTATE_UINT8(int_mask, smc91c111_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 #define RCR_SOFT_RST  0x8000
 #define RCR_STRIP_CRC 0x0200
 #define RCR_RXEN      0x0100
@@ -738,6 +767,7 @@ static SysBusDeviceInfo smc91c111_info = {
     .init = smc91c111_init1,
     .qdev.name  = "smc91c111",
     .qdev.size  = sizeof(smc91c111_state),
+    .qdev.vmsd = &vmstate_smc91c111,
     .qdev.props = (Property[]) {
         DEFINE_NIC_PROPERTIES(smc91c111_state, conf),
         DEFINE_PROP_END_OF_LIST(),
commit ff1758533c04ad8e7effc97627f5550b422e4de8
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:57 2010 +0000

    pl080: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pl080.c b/hw/pl080.c
index 1a3e06c..901f04a 100644
--- a/hw/pl080.c
+++ b/hw/pl080.c
@@ -52,6 +52,43 @@ typedef struct {
     qemu_irq irq;
 } pl080_state;
 
+static const VMStateDescription vmstate_pl080_channel = {
+    .name = "pl080_channel",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(src, pl080_channel),
+        VMSTATE_UINT32(dest, pl080_channel),
+        VMSTATE_UINT32(lli, pl080_channel),
+        VMSTATE_UINT32(ctrl, pl080_channel),
+        VMSTATE_UINT32(conf, pl080_channel),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_pl080 = {
+    .name = "pl080",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT8(tc_int, pl080_state),
+        VMSTATE_UINT8(tc_mask, pl080_state),
+        VMSTATE_UINT8(err_int, pl080_state),
+        VMSTATE_UINT8(err_mask, pl080_state),
+        VMSTATE_UINT32(conf, pl080_state),
+        VMSTATE_UINT32(sync, pl080_state),
+        VMSTATE_UINT32(req_single, pl080_state),
+        VMSTATE_UINT32(req_burst, pl080_state),
+        VMSTATE_UINT8(tc_int, pl080_state),
+        VMSTATE_UINT8(tc_int, pl080_state),
+        VMSTATE_UINT8(tc_int, pl080_state),
+        VMSTATE_STRUCT_ARRAY(chan, pl080_state, PL080_MAX_CHANNELS,
+                             1, vmstate_pl080_channel, pl080_channel),
+        VMSTATE_INT32(running, pl080_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const unsigned char pl080_id[] =
 { 0x80, 0x10, 0x04, 0x0a, 0x0d, 0xf0, 0x05, 0xb1 };
 
@@ -330,7 +367,6 @@ static int pl08x_init(SysBusDevice *dev, int nchannels)
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq);
     s->nchannels = nchannels;
-    /* ??? Save/restore.  */
     return 0;
 }
 
@@ -344,12 +380,28 @@ static int pl081_init(SysBusDevice *dev)
     return pl08x_init(dev, 2);
 }
 
+static SysBusDeviceInfo pl080_info = {
+    .init = pl080_init,
+    .qdev.name = "pl080",
+    .qdev.size = sizeof(pl080_state),
+    .qdev.vmsd = &vmstate_pl080,
+    .qdev.no_user = 1,
+};
+
+static SysBusDeviceInfo pl081_info = {
+    .init = pl081_init,
+    .qdev.name = "pl081",
+    .qdev.size = sizeof(pl080_state),
+    .qdev.vmsd = &vmstate_pl080,
+    .qdev.no_user = 1,
+};
+
 /* The PL080 and PL081 are the same except for the number of channels
    they implement (8 and 2 respectively).  */
 static void pl080_register_devices(void)
 {
-    sysbus_register_dev("pl080", sizeof(pl080_state), pl080_init);
-    sysbus_register_dev("pl081", sizeof(pl080_state), pl081_init);
+    sysbus_register_withprop(&pl080_info);
+    sysbus_register_withprop(&pl081_info);
 }
 
 device_init(pl080_register_devices)
commit 8c60d0652ead554516125960b5e918cca2621399
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:56 2010 +0000

    pl110: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pl110.c b/hw/pl110.c
index a4adb63..06d2dfa 100644
--- a/hw/pl110.c
+++ b/hw/pl110.c
@@ -48,6 +48,28 @@ typedef struct {
     qemu_irq irq;
 } pl110_state;
 
+static const VMStateDescription vmstate_pl110 = {
+    .name = "pl110",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_INT32(versatile, pl110_state),
+        VMSTATE_UINT32_ARRAY(timing, pl110_state, 4),
+        VMSTATE_UINT32(cr, pl110_state),
+        VMSTATE_UINT32(upbase, pl110_state),
+        VMSTATE_UINT32(lpbase, pl110_state),
+        VMSTATE_UINT32(int_status, pl110_state),
+        VMSTATE_UINT32(int_mask, pl110_state),
+        VMSTATE_INT32(cols, pl110_state),
+        VMSTATE_INT32(rows, pl110_state),
+        VMSTATE_UINT32(bpp, pl110_state),
+        VMSTATE_INT32(invalidate, pl110_state),
+        VMSTATE_UINT32_ARRAY(pallette, pl110_state, 256),
+        VMSTATE_UINT32_ARRAY(raw_pallette, pl110_state, 128),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const unsigned char pl110_id[] =
 { 0x10, 0x11, 0x04, 0x00, 0x0d, 0xf0, 0x05, 0xb1 };
 
@@ -365,7 +387,6 @@ static int pl110_init(SysBusDevice *dev)
     s->ds = graphic_console_init(pl110_update_display,
                                  pl110_invalidate_display,
                                  NULL, NULL, s);
-    /* ??? Save/restore.  */
     return 0;
 }
 
@@ -376,11 +397,26 @@ static int pl110_versatile_init(SysBusDevice *dev)
     return pl110_init(dev);
 }
 
+static SysBusDeviceInfo pl110_info = {
+    .init = pl110_init,
+    .qdev.name = "pl110",
+    .qdev.size = sizeof(pl110_state),
+    .qdev.vmsd = &vmstate_pl110,
+    .qdev.no_user = 1,
+};
+
+static SysBusDeviceInfo pl110_versatile_info = {
+    .init = pl110_versatile_init,
+    .qdev.name = "pl110_versatile",
+    .qdev.size = sizeof(pl110_state),
+    .qdev.vmsd = &vmstate_pl110,
+    .qdev.no_user = 1,
+};
+
 static void pl110_register_devices(void)
 {
-    sysbus_register_dev("pl110", sizeof(pl110_state), pl110_init);
-    sysbus_register_dev("pl110_versatile", sizeof(pl110_state),
-                        pl110_versatile_init);
+    sysbus_register_withprop(&pl110_info);
+    sysbus_register_withprop(&pl110_versatile_info);
 }
 
 device_init(pl110_register_devices)
commit 0dc5595c2c25ce6eb8eeb7704630b76348a53562
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:55 2010 +0000

    pl031: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pl031.c b/hw/pl031.c
index e3700c1..c488f69 100644
--- a/hw/pl031.c
+++ b/hw/pl031.c
@@ -44,6 +44,21 @@ typedef struct {
     uint32_t is;
 } pl031_state;
 
+static const VMStateDescription vmstate_pl031 = {
+    .name = "pl031",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(tick_offset, pl031_state),
+        VMSTATE_UINT32(mr, pl031_state),
+        VMSTATE_UINT32(lr, pl031_state),
+        VMSTATE_UINT32(cr, pl031_state),
+        VMSTATE_UINT32(im, pl031_state),
+        VMSTATE_UINT32(is, pl031_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const unsigned char pl031_id[] = {
     0x31, 0x10, 0x14, 0x00,         /* Device ID        */
     0x0d, 0xf0, 0x05, 0xb1          /* Cell ID      */
@@ -206,9 +221,17 @@ static int pl031_init(SysBusDevice *dev)
     return 0;
 }
 
+static SysBusDeviceInfo pl031_info = {
+    .init = pl031_init,
+    .qdev.name = "pl031",
+    .qdev.size = sizeof(pl031_state),
+    .qdev.vmsd = &vmstate_pl031,
+    .qdev.no_user = 1,
+};
+
 static void pl031_register_devices(void)
 {
-    sysbus_register_dev("pl031", sizeof(pl031_state), pl031_init);
+    sysbus_register_withprop(&pl031_info);
 }
 
 device_init(pl031_register_devices)
commit d6ac172a84ba0d3ced0250bafbd63e36aed34378
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:54 2010 +0000

    pl050: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pl050.c b/hw/pl050.c
index 0573839..b155cc0 100644
--- a/hw/pl050.c
+++ b/hw/pl050.c
@@ -21,6 +21,20 @@ typedef struct {
     int is_mouse;
 } pl050_state;
 
+static const VMStateDescription vmstate_pl050 = {
+    .name = "pl050",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(cr, pl050_state),
+        VMSTATE_UINT32(clk, pl050_state),
+        VMSTATE_UINT32(last, pl050_state),
+        VMSTATE_INT32(pending, pl050_state),
+        VMSTATE_INT32(is_mouse, pl050_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 #define PL050_TXEMPTY         (1 << 6)
 #define PL050_TXBUSY          (1 << 5)
 #define PL050_RXFULL          (1 << 4)
@@ -137,7 +151,6 @@ static int pl050_init(SysBusDevice *dev, int is_mouse)
         s->dev = ps2_mouse_init(pl050_update, s);
     else
         s->dev = ps2_kbd_init(pl050_update, s);
-    /* ??? Save/restore.  */
     return 0;
 }
 
@@ -151,12 +164,24 @@ static int pl050_init_mouse(SysBusDevice *dev)
     return pl050_init(dev, 1);
 }
 
+static SysBusDeviceInfo pl050_kbd_info = {
+    .init = pl050_init_keyboard,
+    .qdev.name  = "pl050_keyboard",
+    .qdev.size  = sizeof(pl050_state),
+    .qdev.vmsd = &vmstate_pl050,
+};
+
+static SysBusDeviceInfo pl050_mouse_info = {
+    .init = pl050_init_mouse,
+    .qdev.name  = "pl050_mouse",
+    .qdev.size  = sizeof(pl050_state),
+    .qdev.vmsd = &vmstate_pl050,
+};
+
 static void pl050_register_devices(void)
 {
-    sysbus_register_dev("pl050_keyboard", sizeof(pl050_state),
-                        pl050_init_keyboard);
-    sysbus_register_dev("pl050_mouse", sizeof(pl050_state),
-                        pl050_init_mouse);
+    sysbus_register_withprop(&pl050_kbd_info);
+    sysbus_register_withprop(&pl050_mouse_info);
 }
 
 device_init(pl050_register_devices)
commit b5ad0ae767b633305562150734c17bf430ccc045
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:53 2010 +0000

    arm_sysctl: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/arm_sysctl.c b/hw/arm_sysctl.c
index bd0664f..d8b062c 100644
--- a/hw/arm_sysctl.c
+++ b/hw/arm_sysctl.c
@@ -28,6 +28,22 @@ typedef struct {
     uint32_t proc_id;
 } arm_sysctl_state;
 
+static const VMStateDescription vmstate_arm_sysctl = {
+    .name = "realview_sysctl",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(leds, arm_sysctl_state),
+        VMSTATE_UINT16(lockval, arm_sysctl_state),
+        VMSTATE_UINT32(cfgdata1, arm_sysctl_state),
+        VMSTATE_UINT32(cfgdata2, arm_sysctl_state),
+        VMSTATE_UINT32(flags, arm_sysctl_state),
+        VMSTATE_UINT32(nvflags, arm_sysctl_state),
+        VMSTATE_UINT32(resetlevel, arm_sysctl_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static void arm_sysctl_reset(DeviceState *d)
 {
     arm_sysctl_state *s = FROM_SYSBUS(arm_sysctl_state, sysbus_from_qdev(d));
@@ -231,6 +247,7 @@ static SysBusDeviceInfo arm_sysctl_info = {
     .init = arm_sysctl_init1,
     .qdev.name  = "realview_sysctl",
     .qdev.size  = sizeof(arm_sysctl_state),
+    .qdev.vmsd = &vmstate_arm_sysctl,
     .qdev.reset = arm_sysctl_reset,
     .qdev.props = (Property[]) {
         DEFINE_PROP_UINT32("sys_id", arm_sysctl_state, sys_id, 0),
commit a796d0acbbc6f3c0355b142c0a76c547e825c2ef
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:52 2010 +0000

    vpb_sic: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/versatilepb.c b/hw/versatilepb.c
index be758e4..9f1bfcf 100644
--- a/hw/versatilepb.c
+++ b/hw/versatilepb.c
@@ -30,6 +30,18 @@ typedef struct vpb_sic_state
   int irq;
 } vpb_sic_state;
 
+static const VMStateDescription vmstate_vpb_sic = {
+    .name = "versatilepb_sic",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(level, vpb_sic_state),
+        VMSTATE_UINT32(mask, vpb_sic_state),
+        VMSTATE_UINT32(pic_enable, vpb_sic_state),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static void vpb_sic_update(vpb_sic_state *s)
 {
     uint32_t flags;
@@ -146,7 +158,6 @@ static int vpb_sic_init(SysBusDevice *dev)
                                        vpb_sic_writefn, s,
                                        DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
-    /* ??? Save/restore.  */
     return 0;
 }
 
@@ -335,10 +346,17 @@ static void versatile_machine_init(void)
 
 machine_init(versatile_machine_init);
 
+static SysBusDeviceInfo vpb_sic_info = {
+    .init = vpb_sic_init,
+    .qdev.name = "versatilepb_sic",
+    .qdev.size = sizeof(vpb_sic_state),
+    .qdev.vmsd = &vmstate_vpb_sic,
+    .qdev.no_user = 1,
+};
+
 static void versatilepb_register_devices(void)
 {
-    sysbus_register_dev("versatilepb_sic", sizeof(vpb_sic_state),
-                        vpb_sic_init);
+    sysbus_register_withprop(&vpb_sic_info);
 }
 
 device_init(versatilepb_register_devices)
commit ac49d7500110e7380e8b4ea91b3d05a2cfe33448
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 23 17:19:51 2010 +0000

    pl190: Implement save/restore
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/pl190.c b/hw/pl190.c
index e04e6c1..17c279b 100644
--- a/hw/pl190.c
+++ b/hw/pl190.c
@@ -212,8 +212,9 @@ static CPUWriteMemoryFunc * const pl190_writefn[] = {
    pl190_write
 };
 
-static void pl190_reset(pl190_state *s)
+static void pl190_reset(DeviceState *d)
 {
+  pl190_state *s = DO_UPCAST(pl190_state, busdev.qdev, d);
   int i;
 
   for (i = 0; i < 16; i++)
@@ -239,14 +240,41 @@ static int pl190_init(SysBusDevice *dev)
     qdev_init_gpio_in(&dev->qdev, pl190_set_irq, 32);
     sysbus_init_irq(dev, &s->irq);
     sysbus_init_irq(dev, &s->fiq);
-    pl190_reset(s);
-    /* ??? Save/restore.  */
     return 0;
 }
 
+static const VMStateDescription vmstate_pl190 = {
+    .name = "pl190",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(level, pl190_state),
+        VMSTATE_UINT32(soft_level, pl190_state),
+        VMSTATE_UINT32(irq_enable, pl190_state),
+        VMSTATE_UINT32(fiq_select, pl190_state),
+        VMSTATE_UINT32(default_addr, pl190_state),
+        VMSTATE_UINT8_ARRAY(vect_control, pl190_state, 16),
+        VMSTATE_UINT32_ARRAY(vect_addr, pl190_state, PL190_NUM_PRIO),
+        VMSTATE_UINT32_ARRAY(prio_mask, pl190_state, PL190_NUM_PRIO+1),
+        VMSTATE_INT32(protected, pl190_state),
+        VMSTATE_INT32(priority, pl190_state),
+        VMSTATE_INT32_ARRAY(prev_prio, pl190_state, PL190_NUM_PRIO),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static SysBusDeviceInfo pl190_info = {
+    .init = pl190_init,
+    .qdev.name = "pl190",
+    .qdev.size = sizeof(pl190_state),
+    .qdev.vmsd = &vmstate_pl190,
+    .qdev.reset = pl190_reset,
+    .qdev.no_user = 1,
+};
+
 static void pl190_register_devices(void)
 {
-    sysbus_register_dev("pl190", sizeof(pl190_state), pl190_init);
+    sysbus_register_withprop(&pl190_info);
 }
 
 device_init(pl190_register_devices)
commit c2dd2a2352ebd51911460e65453455d489bea564
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 19 23:10:40 2011 +0100

    gt64xxx: qdev conversion
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/gt64xxx.c b/hw/gt64xxx.c
index 14c6ad3..7ec09df 100644
--- a/hw/gt64xxx.c
+++ b/hw/gt64xxx.c
@@ -223,16 +223,14 @@
 #define GT_PCI0_HICMASK    	(0xca4 >> 2)
 #define GT_PCI1_SERR1MASK    	(0xca8 >> 2)
 
-
-typedef PCIHostState GT64120PCIState;
-
 #define PCI_MAPPING_ENTRY(regname)            \
     target_phys_addr_t regname ##_start;      \
     target_phys_addr_t regname ##_length;     \
     int regname ##_handle
 
 typedef struct GT64120State {
-    GT64120PCIState *pci;
+    SysBusDevice busdev;
+    PCIHostState pci;
     uint32_t regs[GT_REGS];
     PCI_MAPPING_ENTRY(PCI0IO);
     PCI_MAPPING_ENTRY(ISD);
@@ -525,13 +523,13 @@ static void gt64120_writel (void *opaque, target_phys_addr_t addr,
         /* not implemented */
         break;
     case GT_PCI0_CFGADDR:
-        s->pci->config_reg = val & 0x80fffffc;
+        s->pci.config_reg = val & 0x80fffffc;
         break;
     case GT_PCI0_CFGDATA:
-        if (!(s->regs[GT_PCI0_CMD] & 1) && (s->pci->config_reg & 0x00fff800))
+        if (!(s->regs[GT_PCI0_CMD] & 1) && (s->pci.config_reg & 0x00fff800))
             val = bswap32(val);
-        if (s->pci->config_reg & (1u << 31))
-            pci_data_write(s->pci->bus, s->pci->config_reg, val, 4);
+        if (s->pci.config_reg & (1u << 31))
+            pci_data_write(s->pci.bus, s->pci.config_reg, val, 4);
         break;
 
     /* Interrupts */
@@ -765,14 +763,14 @@ static uint32_t gt64120_readl (void *opaque,
 
     /* PCI Internal */
     case GT_PCI0_CFGADDR:
-        val = s->pci->config_reg;
+        val = s->pci.config_reg;
         break;
     case GT_PCI0_CFGDATA:
-        if (!(s->pci->config_reg & (1 << 31)))
+        if (!(s->pci.config_reg & (1 << 31)))
             val = 0xffffffff;
         else
-            val = pci_data_read(s->pci->bus, s->pci->config_reg, 4);
-        if (!(s->regs[GT_PCI0_CMD] & 1) && (s->pci->config_reg & 0x00fff800))
+            val = pci_data_read(s->pci.bus, s->pci.config_reg, 4);
+        if (!(s->regs[GT_PCI0_CMD] & 1) && (s->pci.config_reg & 0x00fff800))
             val = bswap32(val);
         break;
 
@@ -864,7 +862,7 @@ static CPUReadMemoryFunc * const gt64120_read[] = {
     &gt64120_readl,
 };
 
-static int pci_gt64120_map_irq(PCIDevice *pci_dev, int irq_num)
+static int gt64120_pci_map_irq(PCIDevice *pci_dev, int irq_num)
 {
     int slot;
 
@@ -891,7 +889,7 @@ static int pci_gt64120_map_irq(PCIDevice *pci_dev, int irq_num)
 
 static int pci_irq_levels[4];
 
-static void pci_gt64120_set_irq(void *opaque, int irq_num, int level)
+static void gt64120_pci_set_irq(void *opaque, int irq_num, int level)
 {
     int i, pic_irq, pic_level;
     qemu_irq *pic = opaque;
@@ -1101,50 +1099,71 @@ static int gt64120_load(QEMUFile* f, void *opaque, int version_id)
     return 0;
 }
 
-PCIBus *pci_gt64120_init(qemu_irq *pic)
+PCIBus *gt64120_register(qemu_irq *pic)
+{
+    SysBusDevice *s;
+    GT64120State *d;
+    DeviceState *dev;
+
+    dev = qdev_create(NULL, "gt64120");
+    qdev_init_nofail(dev);
+    s = sysbus_from_qdev(dev);
+    d = FROM_SYSBUS(GT64120State, s);
+    d->pci.bus = pci_register_bus(&d->busdev.qdev, "pci",
+                                  gt64120_pci_set_irq, gt64120_pci_map_irq,
+                                  pic, PCI_DEVFN(18, 0), 4);
+    d->ISD_handle = cpu_register_io_memory(gt64120_read, gt64120_write, d,
+                                           DEVICE_NATIVE_ENDIAN);
+
+    pci_create_simple(d->pci.bus, PCI_DEVFN(0, 0), "gt64120_pci");
+    return d->pci.bus;
+}
+
+static int gt64120_init(SysBusDevice *dev)
 {
     GT64120State *s;
-    PCIDevice *d;
 
-    s = qemu_mallocz(sizeof(GT64120State));
-    s->pci = qemu_mallocz(sizeof(GT64120PCIState));
+    s = FROM_SYSBUS(GT64120State, dev);
 
-    s->pci->bus = pci_register_bus(NULL, "pci",
-                                   pci_gt64120_set_irq, pci_gt64120_map_irq,
-                                   pic, PCI_DEVFN(18, 0), 4);
-    s->ISD_handle = cpu_register_io_memory(gt64120_read, gt64120_write, s,
-                                           DEVICE_NATIVE_ENDIAN);
-    d = pci_register_device(s->pci->bus, "GT64120 PCI Bus", sizeof(PCIDevice),
-                            0, NULL, NULL);
+    qemu_register_reset(gt64120_reset, s);
+    register_savevm(&dev->qdev, "GT64120 PCI Bus", 0, 1,
+                    gt64120_save, gt64120_load, &s->pci);
+    return 0;
+}
 
+static int gt64120_pci_init(PCIDevice *d)
+{
     /* FIXME: Malta specific hw assumptions ahead */
-
     pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_MARVELL);
     pci_config_set_device_id(d->config, PCI_DEVICE_ID_MARVELL_GT6412X);
-
-    d->config[0x04] = 0x00;
-    d->config[0x05] = 0x00;
-    d->config[0x06] = 0x80;
-    d->config[0x07] = 0x02;
-
-    d->config[0x08] = 0x10;
-    d->config[0x09] = 0x00;
+    pci_set_word(d->config + PCI_COMMAND, 0);
+    pci_set_word(d->config + PCI_STATUS,
+                 PCI_STATUS_FAST_BACK | PCI_STATUS_DEVSEL_MEDIUM);
+    pci_set_byte(d->config + PCI_CLASS_REVISION, 0x10);
+    pci_config_set_prog_interface(d->config, 0);
     pci_config_set_class(d->config, PCI_CLASS_BRIDGE_HOST);
+    pci_set_long(d->config + PCI_BASE_ADDRESS_0, 0x00000008);
+    pci_set_long(d->config + PCI_BASE_ADDRESS_1, 0x01000008);
+    pci_set_long(d->config + PCI_BASE_ADDRESS_2, 0x1c000000);
+    pci_set_long(d->config + PCI_BASE_ADDRESS_3, 0x1f000000);
+    pci_set_long(d->config + PCI_BASE_ADDRESS_4, 0x14000000);
+    pci_set_long(d->config + PCI_BASE_ADDRESS_5, 0x14000001);
+    pci_set_byte(d->config + 0x3d, 0x01);
 
-    d->config[0x10] = 0x08;
-    d->config[0x14] = 0x08;
-    d->config[0x17] = 0x01;
-    d->config[0x1B] = 0x1c;
-    d->config[0x1F] = 0x1f;
-    d->config[0x23] = 0x14;
-    d->config[0x24] = 0x01;
-    d->config[0x27] = 0x14;
-    d->config[0x3D] = 0x01;
-
-    gt64120_reset(s);
+    return 0;
+}
 
-    register_savevm(&d->qdev, "GT64120 PCI Bus", 0, 1,
-                    gt64120_save, gt64120_load, d);
+static PCIDeviceInfo gt64120_pci_info = {
+    .qdev.name = "gt64120_pci",
+    .qdev.size = sizeof(PCIDevice),
+    .init      = gt64120_pci_init,
+};
 
-    return s->pci->bus;
+static void gt64120_pci_register_devices(void)
+{
+    sysbus_register_dev("gt64120", sizeof(GT64120State),
+                        gt64120_init);
+    pci_qdev_register(&gt64120_pci_info);
 }
+
+device_init(gt64120_pci_register_devices)
diff --git a/hw/mips.h b/hw/mips.h
index 617ea10..757e8f9 100644
--- a/hw/mips.h
+++ b/hw/mips.h
@@ -3,7 +3,7 @@
 /* Definitions for mips board emulation.  */
 
 /* gt64xxx.c */
-PCIBus *pci_gt64120_init(qemu_irq *pic);
+PCIBus *gt64120_register(qemu_irq *pic);
 
 /* bonito.c */
 PCIBus *bonito_init(qemu_irq *pic);
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index d3ba969..8755416 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -921,7 +921,7 @@ void mips_malta_init (ram_addr_t ram_size,
     i8259 = i8259_init(env->irq[2]);
 
     /* Northbridge */
-    pci_bus = pci_gt64120_init(i8259);
+    pci_bus = gt64120_register(i8259);
 
     /* Southbridge */
 
commit cf154394bd0a8e77c3cca3acefbad9b7a54efdaf
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 19 18:23:59 2011 +0100

    sh_pci: qdev conversion
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/r2d.c b/hw/r2d.c
index 90d1af2..a0f8c1f 100644
--- a/hw/r2d.c
+++ b/hw/r2d.c
@@ -23,13 +23,13 @@
  * THE SOFTWARE.
  */
 
+#include "sysbus.h"
 #include "hw.h"
 #include "sh.h"
 #include "devices.h"
 #include "sysemu.h"
 #include "boards.h"
 #include "pci.h"
-#include "sh_pci.h"
 #include "net.h"
 #include "sh7750_regs.h"
 #include "ide.h"
@@ -195,19 +195,6 @@ static qemu_irq *r2d_fpga_init(target_phys_addr_t base, qemu_irq irl)
     return qemu_allocate_irqs(r2d_fpga_irq_set, s, NR_IRQS);
 }
 
-static void r2d_pci_set_irq(void *opaque, int n, int l)
-{
-    qemu_irq *p = opaque;
-
-    qemu_set_irq(p[n], l);
-}
-
-static int r2d_pci_map_irq(PCIDevice *d, int irq_num)
-{
-    const int intx[] = { PCI_INTA, PCI_INTB, PCI_INTC, PCI_INTD };
-    return intx[d->devfn >> 3];
-}
-
 typedef struct ResetData {
     CPUState *env;
     uint32_t vector;
@@ -268,7 +255,8 @@ static void r2d_init(ram_addr_t ram_size,
     /* Register peripherals */
     s = sh7750_init(env);
     irq = r2d_fpga_init(0x04000000, sh7750_irl(s));
-    sh_pci_register_bus(r2d_pci_set_irq, r2d_pci_map_irq, irq, 0, 4);
+    sysbus_create_varargs("sh_pci", 0x1e200000, irq[PCI_INTA], irq[PCI_INTB],
+                          irq[PCI_INTC], irq[PCI_INTD], NULL);
 
     sm501_init(0x10000000, SM501_VRAM_SIZE, irq[SM501], serial_hds[2]);
 
diff --git a/hw/sh_pci.c b/hw/sh_pci.c
index 072078b..e99d8db 100644
--- a/hw/sh_pci.c
+++ b/hw/sh_pci.c
@@ -21,24 +21,26 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  * THE SOFTWARE.
  */
-#include "hw.h"
+#include "sysbus.h"
 #include "sh.h"
 #include "pci.h"
 #include "pci_host.h"
-#include "sh_pci.h"
 #include "bswap.h"
 
-typedef struct {
+typedef struct SHPCIState {
+    SysBusDevice busdev;
     PCIBus *bus;
     PCIDevice *dev;
+    qemu_irq irq[4];
+    int memconfig;
     uint32_t par;
     uint32_t mbr;
     uint32_t iobr;
-} SHPCIC;
+} SHPCIState;
 
 static void sh_pci_reg_write (void *p, target_phys_addr_t addr, uint32_t val)
 {
-    SHPCIC *pcic = p;
+    SHPCIState *pcic = p;
     switch(addr) {
     case 0 ... 0xfc:
         cpu_to_le32w((uint32_t*)(pcic->dev->config + addr), val);
@@ -65,7 +67,7 @@ static void sh_pci_reg_write (void *p, target_phys_addr_t addr, uint32_t val)
 
 static uint32_t sh_pci_reg_read (void *p, target_phys_addr_t addr)
 {
-    SHPCIC *pcic = p;
+    SHPCIState *pcic = p;
     switch(addr) {
     case 0 ... 0xfc:
         return le32_to_cpup((uint32_t*)(pcic->dev->config + addr));
@@ -91,32 +93,69 @@ static MemOp sh_pci_reg = {
     { NULL, NULL, sh_pci_reg_write },
 };
 
-PCIBus *sh_pci_register_bus(pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
-                            void *opaque, int devfn_min, int nirq)
+static int sh_pci_map_irq(PCIDevice *d, int irq_num)
+{
+    return (d->devfn >> 3);
+}
+
+static void sh_pci_set_irq(void *opaque, int irq_num, int level)
+{
+    qemu_irq *pic = opaque;
+
+    qemu_set_irq(pic[irq_num], level);
+}
+
+static void sh_pci_map(SysBusDevice *dev, target_phys_addr_t base)
+{
+    SHPCIState *s = FROM_SYSBUS(SHPCIState, dev);
+
+    cpu_register_physical_memory(P4ADDR(base), 0x224, s->memconfig);
+    cpu_register_physical_memory(A7ADDR(base), 0x224, s->memconfig);
+
+    s->iobr = 0xfe240000;
+    isa_mmio_init(s->iobr, 0x40000);
+}
+
+static int sh_pci_init_device(SysBusDevice *dev)
+{
+    SHPCIState *s;
+    int i;
+
+    s = FROM_SYSBUS(SHPCIState, dev);
+    for (i = 0; i < 4; i++) {
+        sysbus_init_irq(dev, &s->irq[i]);
+    }
+    s->bus = pci_register_bus(&s->busdev.qdev, "pci",
+                              sh_pci_set_irq, sh_pci_map_irq,
+                              s->irq, PCI_DEVFN(0, 0), 4);
+    s->memconfig = cpu_register_io_memory(sh_pci_reg.r, sh_pci_reg.w,
+                                          s, DEVICE_NATIVE_ENDIAN);
+    sysbus_init_mmio_cb(dev, 0x224, sh_pci_map);
+    s->dev = pci_create_simple(s->bus, PCI_DEVFN(0, 0), "sh_pci_host");
+    return 0;
+}
+
+static int sh_pci_host_init(PCIDevice *d)
+{
+    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_HITACHI);
+    pci_config_set_device_id(d->config, PCI_DEVICE_ID_HITACHI_SH7751R);
+    pci_set_word(d->config + PCI_COMMAND, PCI_COMMAND_WAIT);
+    pci_set_word(d->config + PCI_STATUS, PCI_STATUS_CAP_LIST |
+                 PCI_STATUS_FAST_BACK | PCI_STATUS_DEVSEL_MEDIUM);
+    return 0;
+}
+
+static PCIDeviceInfo sh_pci_host_info = {
+    .qdev.name = "sh_pci_host",
+    .qdev.size = sizeof(PCIDevice),
+    .init      = sh_pci_host_init,
+};
+
+static void sh_pci_register_devices(void)
 {
-    SHPCIC *p;
-    int reg;
-
-    p = qemu_mallocz(sizeof(SHPCIC));
-    p->bus = pci_register_bus(NULL, "pci",
-                              set_irq, map_irq, opaque, devfn_min, nirq);
-
-    p->dev = pci_register_device(p->bus, "SH PCIC", sizeof(PCIDevice),
-                                 -1, NULL, NULL);
-    reg = cpu_register_io_memory(sh_pci_reg.r, sh_pci_reg.w, p,
-                                 DEVICE_NATIVE_ENDIAN);
-    cpu_register_physical_memory(0x1e200000, 0x224, reg);
-    cpu_register_physical_memory(0xfe200000, 0x224, reg);
-
-    p->iobr = 0xfe240000;
-    isa_mmio_init(p->iobr, 0x40000);
-
-    pci_config_set_vendor_id(p->dev->config, PCI_VENDOR_ID_HITACHI);
-    pci_config_set_device_id(p->dev->config, PCI_DEVICE_ID_HITACHI_SH7751R);
-    p->dev->config[0x04] = 0x80;
-    p->dev->config[0x05] = 0x00;
-    p->dev->config[0x06] = 0x90;
-    p->dev->config[0x07] = 0x02;
-
-    return p->bus;
+    sysbus_register_dev("sh_pci", sizeof(SHPCIState),
+                        sh_pci_init_device);
+    pci_qdev_register(&sh_pci_host_info);
 }
+
+device_init(sh_pci_register_devices)
diff --git a/hw/sh_pci.h b/hw/sh_pci.h
deleted file mode 100644
index b1a5ec3..0000000
--- a/hw/sh_pci.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef QEMU_SH_PCI_H
-#define QEMU_SH_PCI_H
-
-#include "qemu-common.h"
-
-PCIBus *sh_pci_register_bus(pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
-                            void *pic, int devfn_min, int nirq);
-
-#endif
commit b7d2b020934d0d3ae857ff486919601819e96dce
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 19 11:38:36 2011 +0100

    sh_serial: process all received characters
    
    When operating on the SCIF, process all the received characters, as long
    as the FIFO can handle them.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sh_serial.c b/hw/sh_serial.c
index ae9a207..191f4a6 100644
--- a/hw/sh_serial.c
+++ b/hw/sh_serial.c
@@ -293,26 +293,6 @@ static int sh_serial_can_receive(sh_serial_state *s)
     return s->scr & (1 << 4);
 }
 
-static void sh_serial_receive_byte(sh_serial_state *s, int ch)
-{
-    if (s->feat & SH_SERIAL_FEAT_SCIF) {
-        if (s->rx_cnt < SH_RX_FIFO_LENGTH) {
-            s->rx_fifo[s->rx_head++] = ch;
-            if (s->rx_head == SH_RX_FIFO_LENGTH)
-                s->rx_head = 0;
-            s->rx_cnt++;
-            if (s->rx_cnt >= s->rtrg) {
-                s->flags |= SH_SERIAL_FLAG_RDF;
-                if (s->scr & (1 << 6) && s->rxi) {
-                    qemu_set_irq(s->rxi, 1);
-                }
-            }
-        }
-    } else {
-        s->rx_fifo[0] = ch;
-    }
-}
-
 static void sh_serial_receive_break(sh_serial_state *s)
 {
     if (s->feat & SH_SERIAL_FEAT_SCIF)
@@ -328,7 +308,27 @@ static int sh_serial_can_receive1(void *opaque)
 static void sh_serial_receive1(void *opaque, const uint8_t *buf, int size)
 {
     sh_serial_state *s = opaque;
-    sh_serial_receive_byte(s, buf[0]);
+
+    if (s->feat & SH_SERIAL_FEAT_SCIF) {
+        int i;
+        for (i = 0; i < size; i++) {
+            if (s->rx_cnt < SH_RX_FIFO_LENGTH) {
+                s->rx_fifo[s->rx_head++] = buf[i];
+                if (s->rx_head == SH_RX_FIFO_LENGTH) {
+                    s->rx_head = 0;
+                }
+                s->rx_cnt++;
+                if (s->rx_cnt >= s->rtrg) {
+                    s->flags |= SH_SERIAL_FLAG_RDF;
+                    if (s->scr & (1 << 6) && s->rxi) {
+                        qemu_set_irq(s->rxi, 1);
+                    }
+                }
+            }
+        }
+    } else {
+        s->rx_fifo[0] = buf[0];
+    }
 }
 
 static void sh_serial_event(void *opaque, int event)
commit b7277ac28908dbd9e95c3ce084da3d4e6539d0c8
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 19 11:35:02 2011 +0100

    sh_serial: remove one level of indirection
    
    The indirection functions are empty since commit
    8da3ff180974732fc4272cb4433fef85c1822961.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sh_serial.c b/hw/sh_serial.c
index 1bdc0a5..ae9a207 100644
--- a/hw/sh_serial.c
+++ b/hw/sh_serial.c
@@ -74,7 +74,7 @@ static void sh_serial_clear_fifo(sh_serial_state * s)
     s->rx_tail = 0;
 }
 
-static void sh_serial_ioport_write(void *opaque, uint32_t offs, uint32_t val)
+static void sh_serial_write(void *opaque, uint32_t offs, uint32_t val)
 {
     sh_serial_state *s = opaque;
     unsigned char ch;
@@ -185,7 +185,7 @@ static void sh_serial_ioport_write(void *opaque, uint32_t offs, uint32_t val)
     abort();
 }
 
-static uint32_t sh_serial_ioport_read(void *opaque, uint32_t offs)
+static uint32_t sh_serial_read(void *opaque, uint32_t offs)
 {
     sh_serial_state *s = opaque;
     uint32_t ret = ~0;
@@ -338,19 +338,6 @@ static void sh_serial_event(void *opaque, int event)
         sh_serial_receive_break(s);
 }
 
-static uint32_t sh_serial_read (void *opaque, target_phys_addr_t addr)
-{
-    sh_serial_state *s = opaque;
-    return sh_serial_ioport_read(s, addr);
-}
-
-static void sh_serial_write (void *opaque,
-                             target_phys_addr_t addr, uint32_t value)
-{
-    sh_serial_state *s = opaque;
-    sh_serial_ioport_write(s, addr, value);
-}
-
 static CPUReadMemoryFunc * const sh_serial_readfn[] = {
     &sh_serial_read,
     &sh_serial_read,
commit 373dfc441d55fe6619929fd049ab635bdfca9e62
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 17 19:29:34 2011 +0100

    usb-hid: modifiers should generate an event
    
    When a modifier key is pressed or released, the USB HID keyboard still
    answers NAK, unless another key is also pressed or released.
    
    The patch fixes that by calling usb_hid_changed() when a modifier key
    is pressed or released.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index e8de301..12bf46f 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -460,15 +460,18 @@ static void usb_keyboard_event(void *opaque, int keycode)
     case 0xe0:
         if (s->modifiers & (1 << 9)) {
             s->modifiers ^= 3 << 8;
+            usb_hid_changed(hs);
             return;
         }
     case 0xe1 ... 0xe7:
         if (keycode & (1 << 7)) {
             s->modifiers &= ~(1 << (hid_code & 0x0f));
+            usb_hid_changed(hs);
             return;
         }
     case 0xe8 ... 0xef:
         s->modifiers |= 1 << (hid_code & 0x0f);
+        usb_hid_changed(hs);
         return;
     }
 
commit de4af5f7928bb68d4e2b576598c245a256fcabbb
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 17 19:29:33 2011 +0100

    softfloat: fix floatx80_is_{quiet,signaling}_nan()
    
    floatx80_is_{quiet,signaling}_nan() functions are incorrectly detecting
    the type of NaN, depending on SNAN_BIT_IS_ONE, one of the two is
    returning the correct value, and the other true for any kind of NaN.
    
    This patch fixes that by applying the same kind of comparison as for
    other float formats, but taking into account the explicit bit.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 11521ce..eb644b2 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -468,7 +468,8 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 
 /*----------------------------------------------------------------------------
 | Returns 1 if the extended double-precision floating-point value `a' is a
-| quiet NaN; otherwise returns 0.
+| quiet NaN; otherwise returns 0. This slightly differs from the same
+| function for other types as floatx80 has an explicit bit.
 *----------------------------------------------------------------------------*/
 
 int floatx80_is_quiet_nan( floatx80 a )
@@ -482,19 +483,22 @@ int floatx80_is_quiet_nan( floatx80 a )
         && (bits64) ( aLow<<1 )
         && ( a.low == aLow );
 #else
-    return ( ( a.high & 0x7FFF ) == 0x7FFF ) && (bits64) ( a.low<<1 );
+    return ( ( a.high & 0x7FFF ) == 0x7FFF )
+        && (LIT64( 0x8000000000000000 ) <= ((bits64) ( a.low<<1 )));
 #endif
 }
 
 /*----------------------------------------------------------------------------
 | Returns 1 if the extended double-precision floating-point value `a' is a
-| signaling NaN; otherwise returns 0.
+| signaling NaN; otherwise returns 0. This slightly differs from the same
+| function for other types as floatx80 has an explicit bit.
 *----------------------------------------------------------------------------*/
 
 int floatx80_is_signaling_nan( floatx80 a )
 {
 #if SNAN_BIT_IS_ONE
-    return ( ( a.high & 0x7FFF ) == 0x7FFF ) && (bits64) ( a.low<<1 );
+    return ( ( a.high & 0x7FFF ) == 0x7FFF )
+        && (LIT64( 0x8000000000000000 ) <= ((bits64) ( a.low<<1 )));
 #else
     bits64 aLow;
 
commit 3a34dfd7f600e235687fece76b8f763362b883b2
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Thu Jan 20 12:16:57 2011 +0100

    tcg: README, name deposit second argument len/LEN
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/tcg/README b/tcg/README
index a50ecc6..6600122 100644
--- a/tcg/README
+++ b/tcg/README
@@ -285,10 +285,10 @@ the four high order bytes are set to zero.
 Indicate that the value of t0 won't be used later. It is useful to
 force dead code elimination.
 
-* deposit_i32/i64 dest, t1, t2, pos, loc
+* deposit_i32/i64 dest, t1, t2, pos, len
 
 Deposit T2 as a bitfield into T1, placing the result in DEST.
-The bitfield is described by POS/LOC, which are immediate values:
+The bitfield is described by POS/LEN, which are immediate values:
 
   LEN - the length of the bitfield
   POS - the position of the first bit, counting from the LSB
commit c832e3de64f1069313fc0672087791cc3dd5b4d8
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Jan 10 19:23:47 2011 -0800

    target-i386: Use deposit operation.
    
    Use this for assignment to the low byte or low word of a register.
    
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-i386/translate.c b/target-i386/translate.c
index 7b6e3c2..c008450 100644
--- a/target-i386/translate.c
+++ b/target-i386/translate.c
@@ -274,28 +274,16 @@ static inline void gen_op_andl_A0_ffff(void)
 
 static inline void gen_op_mov_reg_v(int ot, int reg, TCGv t0)
 {
-    TCGv tmp;
-
     switch(ot) {
     case OT_BYTE:
-        tmp = tcg_temp_new();
-        tcg_gen_ext8u_tl(tmp, t0);
         if (reg < 4 X86_64_DEF( || reg >= 8 || x86_64_hregs)) {
-            tcg_gen_andi_tl(cpu_regs[reg], cpu_regs[reg], ~0xff);
-            tcg_gen_or_tl(cpu_regs[reg], cpu_regs[reg], tmp);
+            tcg_gen_deposit_tl(cpu_regs[reg], cpu_regs[reg], t0, 0, 8);
         } else {
-            tcg_gen_shli_tl(tmp, tmp, 8);
-            tcg_gen_andi_tl(cpu_regs[reg - 4], cpu_regs[reg - 4], ~0xff00);
-            tcg_gen_or_tl(cpu_regs[reg - 4], cpu_regs[reg - 4], tmp);
+            tcg_gen_deposit_tl(cpu_regs[reg - 4], cpu_regs[reg - 4], t0, 8, 8);
         }
-        tcg_temp_free(tmp);
         break;
     case OT_WORD:
-        tmp = tcg_temp_new();
-        tcg_gen_ext16u_tl(tmp, t0);
-        tcg_gen_andi_tl(cpu_regs[reg], cpu_regs[reg], ~0xffff);
-        tcg_gen_or_tl(cpu_regs[reg], cpu_regs[reg], tmp);
-        tcg_temp_free(tmp);
+        tcg_gen_deposit_tl(cpu_regs[reg], cpu_regs[reg], t0, 0, 16);
         break;
     default: /* XXX this shouldn't be reached;  abort? */
     case OT_LONG:
@@ -323,15 +311,9 @@ static inline void gen_op_mov_reg_T1(int ot, int reg)
 
 static inline void gen_op_mov_reg_A0(int size, int reg)
 {
-    TCGv tmp;
-
     switch(size) {
     case 0:
-        tmp = tcg_temp_new();
-        tcg_gen_ext16u_tl(tmp, cpu_A0);
-        tcg_gen_andi_tl(cpu_regs[reg], cpu_regs[reg], ~0xffff);
-        tcg_gen_or_tl(cpu_regs[reg], cpu_regs[reg], tmp);
-        tcg_temp_free(tmp);
+        tcg_gen_deposit_tl(cpu_regs[reg], cpu_regs[reg], cpu_A0, 0, 16);
         break;
     default: /* XXX this shouldn't be reached;  abort? */
     case 1:
@@ -415,9 +397,7 @@ static inline void gen_op_add_reg_im(int size, int reg, int32_t val)
     switch(size) {
     case 0:
         tcg_gen_addi_tl(cpu_tmp0, cpu_regs[reg], val);
-        tcg_gen_ext16u_tl(cpu_tmp0, cpu_tmp0);
-        tcg_gen_andi_tl(cpu_regs[reg], cpu_regs[reg], ~0xffff);
-        tcg_gen_or_tl(cpu_regs[reg], cpu_regs[reg], cpu_tmp0);
+        tcg_gen_deposit_tl(cpu_regs[reg], cpu_regs[reg], cpu_tmp0, 0, 16);
         break;
     case 1:
         tcg_gen_addi_tl(cpu_tmp0, cpu_regs[reg], val);
@@ -439,9 +419,7 @@ static inline void gen_op_add_reg_T0(int size, int reg)
     switch(size) {
     case 0:
         tcg_gen_add_tl(cpu_tmp0, cpu_regs[reg], cpu_T[0]);
-        tcg_gen_ext16u_tl(cpu_tmp0, cpu_tmp0);
-        tcg_gen_andi_tl(cpu_regs[reg], cpu_regs[reg], ~0xffff);
-        tcg_gen_or_tl(cpu_regs[reg], cpu_regs[reg], cpu_tmp0);
+        tcg_gen_deposit_tl(cpu_regs[reg], cpu_regs[reg], cpu_tmp0, 0, 16);
         break;
     case 1:
         tcg_gen_add_tl(cpu_tmp0, cpu_regs[reg], cpu_T[0]);
commit b7767f0f3cb6879b42ed47e9375313829028adaf
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Jan 10 19:23:42 2011 -0800

    tcg: Define "deposit" as an optional operation.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/tcg/README b/tcg/README
index a18a87f..a50ecc6 100644
--- a/tcg/README
+++ b/tcg/README
@@ -285,6 +285,20 @@ the four high order bytes are set to zero.
 Indicate that the value of t0 won't be used later. It is useful to
 force dead code elimination.
 
+* deposit_i32/i64 dest, t1, t2, pos, loc
+
+Deposit T2 as a bitfield into T1, placing the result in DEST.
+The bitfield is described by POS/LOC, which are immediate values:
+
+  LEN - the length of the bitfield
+  POS - the position of the first bit, counting from the LSB
+
+For example, pos=8, len=4 indicates a 4-bit field at bit 8.
+This operation would be equivalent to
+
+  dest = (t1 & ~0x0f00) | ((t2 << 8) & 0x0f00)
+
+
 ********* Conditional moves
 
 * setcond_i32/i64 cond, dest, t1, t2
diff --git a/tcg/tcg-op.h b/tcg/tcg-op.h
index 3ee0a58..207a89f 100644
--- a/tcg/tcg-op.h
+++ b/tcg/tcg-op.h
@@ -254,6 +254,30 @@ static inline void tcg_gen_op5i_i64(TCGOpcode opc, TCGv_i64 arg1, TCGv_i64 arg2,
     *gen_opparam_ptr++ = arg5;
 }
 
+static inline void tcg_gen_op5ii_i32(TCGOpcode opc, TCGv_i32 arg1,
+                                     TCGv_i32 arg2, TCGv_i32 arg3,
+                                     TCGArg arg4, TCGArg arg5)
+{
+    *gen_opc_ptr++ = opc;
+    *gen_opparam_ptr++ = GET_TCGV_I32(arg1);
+    *gen_opparam_ptr++ = GET_TCGV_I32(arg2);
+    *gen_opparam_ptr++ = GET_TCGV_I32(arg3);
+    *gen_opparam_ptr++ = arg4;
+    *gen_opparam_ptr++ = arg5;
+}
+
+static inline void tcg_gen_op5ii_i64(TCGOpcode opc, TCGv_i64 arg1,
+                                     TCGv_i64 arg2, TCGv_i64 arg3,
+                                     TCGArg arg4, TCGArg arg5)
+{
+    *gen_opc_ptr++ = opc;
+    *gen_opparam_ptr++ = GET_TCGV_I64(arg1);
+    *gen_opparam_ptr++ = GET_TCGV_I64(arg2);
+    *gen_opparam_ptr++ = GET_TCGV_I64(arg3);
+    *gen_opparam_ptr++ = arg4;
+    *gen_opparam_ptr++ = arg5;
+}
+
 static inline void tcg_gen_op6_i32(TCGOpcode opc, TCGv_i32 arg1, TCGv_i32 arg2,
                                    TCGv_i32 arg3, TCGv_i32 arg4, TCGv_i32 arg5,
                                    TCGv_i32 arg6)
@@ -2071,6 +2095,44 @@ static inline void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2)
     }
 }
 
+static inline void tcg_gen_deposit_i32(TCGv_i32 ret, TCGv_i32 arg1,
+				       TCGv_i32 arg2, unsigned int ofs,
+				       unsigned int len)
+{
+#ifdef TCG_TARGET_HAS_deposit_i32
+  tcg_gen_op5ii_i32(INDEX_op_deposit_i32, ret, arg1, arg2, ofs, len);
+#else
+  uint32_t mask = (1u << len) - 1;
+  TCGv_i32 t1 = tcg_temp_new_i32 ();
+
+  tcg_gen_andi_i32(t1, arg2, mask);
+  tcg_gen_shli_i32(t1, t1, ofs);
+  tcg_gen_andi_i32(ret, arg1, ~(mask << ofs));
+  tcg_gen_or_i32(ret, ret, t1);
+
+  tcg_temp_free_i32(t1);
+#endif
+}
+
+static inline void tcg_gen_deposit_i64(TCGv_i64 ret, TCGv_i64 arg1,
+				       TCGv_i64 arg2, unsigned int ofs,
+				       unsigned int len)
+{
+#ifdef TCG_TARGET_HAS_deposit_i64
+  tcg_gen_op5ii_i64(INDEX_op_deposit_i64, ret, arg1, arg2, ofs, len);
+#else
+  uint64_t mask = (1ull << len) - 1;
+  TCGv_i64 t1 = tcg_temp_new_i64 ();
+
+  tcg_gen_andi_i64(t1, arg2, mask);
+  tcg_gen_shli_i64(t1, t1, ofs);
+  tcg_gen_andi_i64(ret, arg1, ~(mask << ofs));
+  tcg_gen_or_i64(ret, ret, t1);
+
+  tcg_temp_free_i64(t1);
+#endif
+}
+
 /***************************************/
 /* QEMU specific operations. Their type depend on the QEMU CPU
    type. */
@@ -2384,6 +2446,7 @@ static inline void tcg_gen_qemu_st64(TCGv_i64 arg, TCGv addr, int mem_index)
 #define tcg_gen_rotli_tl tcg_gen_rotli_i64
 #define tcg_gen_rotr_tl tcg_gen_rotr_i64
 #define tcg_gen_rotri_tl tcg_gen_rotri_i64
+#define tcg_gen_deposit_tl tcg_gen_deposit_i64
 #define tcg_const_tl tcg_const_i64
 #define tcg_const_local_tl tcg_const_local_i64
 #else
@@ -2454,6 +2517,7 @@ static inline void tcg_gen_qemu_st64(TCGv_i64 arg, TCGv addr, int mem_index)
 #define tcg_gen_rotli_tl tcg_gen_rotli_i32
 #define tcg_gen_rotr_tl tcg_gen_rotr_i32
 #define tcg_gen_rotri_tl tcg_gen_rotri_i32
+#define tcg_gen_deposit_tl tcg_gen_deposit_i32
 #define tcg_const_tl tcg_const_i32
 #define tcg_const_local_tl tcg_const_local_i32
 #endif
diff --git a/tcg/tcg-opc.h b/tcg/tcg-opc.h
index 2a98fed..2c7ca1a 100644
--- a/tcg/tcg-opc.h
+++ b/tcg/tcg-opc.h
@@ -78,6 +78,9 @@ DEF(sar_i32, 1, 2, 0, 0)
 DEF(rotl_i32, 1, 2, 0, 0)
 DEF(rotr_i32, 1, 2, 0, 0)
 #endif
+#ifdef TCG_TARGET_HAS_deposit_i32
+DEF(deposit_i32, 1, 2, 2, 0)
+#endif
 
 DEF(brcond_i32, 0, 2, 2, TCG_OPF_BB_END | TCG_OPF_SIDE_EFFECTS)
 #if TCG_TARGET_REG_BITS == 32
@@ -168,6 +171,9 @@ DEF(sar_i64, 1, 2, 0, 0)
 DEF(rotl_i64, 1, 2, 0, 0)
 DEF(rotr_i64, 1, 2, 0, 0)
 #endif
+#ifdef TCG_TARGET_HAS_deposit_i64
+DEF(deposit_i64, 1, 2, 2, 0)
+#endif
 
 DEF(brcond_i64, 0, 2, 2, TCG_OPF_BB_END | TCG_OPF_SIDE_EFFECTS)
 #ifdef TCG_TARGET_HAS_ext8s_i64
commit 37f95bf3d063fcfcb3b05f82203629dc50f18615
Author: Amit Shah <amit.shah at redhat.com>
Date:   Wed Jan 19 16:07:10 2011 +0530

    virtio-serial: save/restore new fields in port struct
    
    The new fields that got added as part of not copying over the guest
    buffer to the host need to be saved/restored across migration.  Do that
    and bump up the version number.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 32938b5..2ca97a9 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -527,9 +527,24 @@ static void virtio_serial_save(QEMUFile *f, void *opaque)
      * Items in struct VirtIOSerialPort.
      */
     QTAILQ_FOREACH(port, &s->ports, next) {
+        uint32_t elem_popped;
+
         qemu_put_be32s(f, &port->id);
         qemu_put_byte(f, port->guest_connected);
         qemu_put_byte(f, port->host_connected);
+
+	elem_popped = 0;
+        if (port->elem.out_num) {
+            elem_popped = 1;
+        }
+        qemu_put_be32s(f, &elem_popped);
+        if (elem_popped) {
+            qemu_put_be32s(f, &port->iov_idx);
+            qemu_put_be64s(f, &port->iov_offset);
+
+            qemu_put_buffer(f, (unsigned char *)&port->elem,
+                            sizeof(port->elem));
+        }
     }
 }
 
@@ -540,7 +555,7 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, int version_id)
     uint32_t max_nr_ports, nr_active_ports, ports_map;
     unsigned int i;
 
-    if (version_id > 2) {
+    if (version_id > 3) {
         return -EINVAL;
     }
 
@@ -593,6 +608,29 @@ static int virtio_serial_load(QEMUFile *f, void *opaque, int version_id)
             send_control_event(port, VIRTIO_CONSOLE_PORT_OPEN,
                                port->host_connected);
         }
+
+        if (version_id > 2) {
+            uint32_t elem_popped;
+
+            qemu_get_be32s(f, &elem_popped);
+            if (elem_popped) {
+                qemu_get_be32s(f, &port->iov_idx);
+                qemu_get_be64s(f, &port->iov_offset);
+
+                qemu_get_buffer(f, (unsigned char *)&port->elem,
+                                sizeof(port->elem));
+                virtqueue_map_sg(port->elem.in_sg, port->elem.in_addr,
+                                 port->elem.in_num, 1);
+                virtqueue_map_sg(port->elem.out_sg, port->elem.out_addr,
+                                 port->elem.out_num, 1);
+
+                /*
+                 *  Port was throttled on source machine.  Let's
+                 *  unthrottle it here so data starts flowing again.
+                 */
+                virtio_serial_throttle_port(port, false);
+            }
+        }
     }
     return 0;
 }
@@ -841,7 +879,7 @@ VirtIODevice *virtio_serial_init(DeviceState *dev, uint32_t max_nr_ports)
      * Register for the savevm section with the virtio-console name
      * to preserve backward compat
      */
-    register_savevm(dev, "virtio-console", -1, 2, virtio_serial_save,
+    register_savevm(dev, "virtio-console", -1, 3, virtio_serial_save,
                     virtio_serial_load, vser);
 
     return vdev;
commit f1925dff7e6c4799f5951cf167a437c0737a266c
Author: Amit Shah <amit.shah at redhat.com>
Date:   Fri Dec 10 16:51:14 2010 +0530

    virtio-serial: Add support for flow control
    
    This commit lets apps signal an incomplete write.  When that happens,
    stop sending out any more data to the app and wait for it to unthrottle
    the port.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 6726f72..32938b5 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -126,24 +126,49 @@ static void discard_vq_data(VirtQueue *vq, VirtIODevice *vdev)
 static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq,
                                  VirtIODevice *vdev)
 {
-    VirtQueueElement elem;
-
     assert(port);
     assert(virtio_queue_ready(vq));
 
-    while (!port->throttled && virtqueue_pop(vq, &elem)) {
+    while (!port->throttled) {
         unsigned int i;
 
-        for (i = 0; i < elem.out_num; i++) {
-            size_t buf_size;
-
-            buf_size = elem.out_sg[i].iov_len;
+        /* Pop an elem only if we haven't left off a previous one mid-way */
+        if (!port->elem.out_num) {
+            if (!virtqueue_pop(vq, &port->elem)) {
+                break;
+            }
+            port->iov_idx = 0;
+            port->iov_offset = 0;
+        }
 
-            port->info->have_data(port,
-                                  elem.out_sg[i].iov_base,
-                                  buf_size);
+        for (i = port->iov_idx; i < port->elem.out_num; i++) {
+            size_t buf_size;
+            ssize_t ret;
+
+            buf_size = port->elem.out_sg[i].iov_len - port->iov_offset;
+            ret = port->info->have_data(port,
+                                        port->elem.out_sg[i].iov_base
+                                          + port->iov_offset,
+                                        buf_size);
+            if (ret < 0 && ret != -EAGAIN) {
+                /* We don't handle any other type of errors here */
+                abort();
+            }
+            if (ret == -EAGAIN || (ret >= 0 && ret < buf_size)) {
+                virtio_serial_throttle_port(port, true);
+                port->iov_idx = i;
+                if (ret > 0) {
+                    port->iov_offset += ret;
+                }
+                break;
+            }
+            port->iov_offset = 0;
         }
-        virtqueue_push(vq, &elem, 0);
+        if (port->throttled) {
+            break;
+        }
+        virtqueue_push(vq, &port->elem, 0);
+        port->elem.out_num = 0;
     }
     virtio_notify(vdev, vq);
 }
@@ -709,6 +734,8 @@ static int virtser_port_qdev_init(DeviceState *qdev, DeviceInfo *base)
         port->guest_connected = true;
     }
 
+    port->elem.out_num = 0;
+
     QTAILQ_INSERT_TAIL(&port->vser->ports, port, next);
     port->ivq = port->vser->ivqs[port->id];
     port->ovq = port->vser->ovqs[port->id];
diff --git a/hw/virtio-serial.h b/hw/virtio-serial.h
index 9cc0fb3..a308196 100644
--- a/hw/virtio-serial.h
+++ b/hw/virtio-serial.h
@@ -102,6 +102,23 @@ struct VirtIOSerialPort {
      */
     uint32_t id;
 
+    /*
+     * This is the elem that we pop from the virtqueue.  A slow
+     * backend that consumes guest data (e.g. the file backend for
+     * qemu chardevs) can cause the guest to block till all the output
+     * is flushed.  This isn't desired, so we keep a note of the last
+     * element popped and continue consuming it once the backend
+     * becomes writable again.
+     */
+    VirtQueueElement elem;
+
+    /*
+     * The index and the offset into the iov buffer that was popped in
+     * elem above.
+     */
+    uint32_t iov_idx;
+    uint64_t iov_offset;
+
     /* Identify if this is a port that binds with hvc in the guest */
     uint8_t is_console;
 
commit e300ac275bbf19b31cf5968b8de8abe52c26e163
Author: Amit Shah <amit.shah at redhat.com>
Date:   Mon Dec 13 17:50:07 2010 +0530

    virtio-serial: Let virtio-serial-bus know if all data was consumed
    
    The have_data() API to hand off guest data to apps using virtio-serial
    so far assumed all the data was consumed.  Relax this assumption.
    Future commits will allow for incomplete writes.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-console.c b/hw/virtio-console.c
index d0b9354..62624ec 100644
--- a/hw/virtio-console.c
+++ b/hw/virtio-console.c
@@ -20,11 +20,11 @@ typedef struct VirtConsole {
 
 
 /* Callback function that's called when the guest sends us data */
-static void flush_buf(VirtIOSerialPort *port, const uint8_t *buf, size_t len)
+static ssize_t flush_buf(VirtIOSerialPort *port, const uint8_t *buf, size_t len)
 {
     VirtConsole *vcon = DO_UPCAST(VirtConsole, port, port);
 
-    qemu_chr_write(vcon->chr, buf, len);
+    return qemu_chr_write(vcon->chr, buf, len);
 }
 
 /* Readiness of the guest to accept data on a port */
diff --git a/hw/virtio-serial.h b/hw/virtio-serial.h
index ff08c40..9cc0fb3 100644
--- a/hw/virtio-serial.h
+++ b/hw/virtio-serial.h
@@ -137,10 +137,11 @@ struct VirtIOSerialPortInfo {
 
     /*
      * Guest wrote some data to the port. This data is handed over to
-     * the app via this callback.  The app is supposed to consume all
-     * the data that is presented to it.
+     * the app via this callback.  The app can return a size less than
+     * 'len'.  In this case, throttling will be enabled for this port.
      */
-    void (*have_data)(VirtIOSerialPort *port, const uint8_t *buf, size_t len);
+    ssize_t (*have_data)(VirtIOSerialPort *port, const uint8_t *buf,
+                         size_t len);
 };
 
 /* Interface to the virtio-serial bus */
commit 471344db88cc3e7adf7664aa34d54ce0cacc3419
Author: Amit Shah <amit.shah at redhat.com>
Date:   Fri Dec 10 17:29:49 2010 +0530

    virtio-serial: Don't copy over guest buffer to host
    
    When the guest writes something to a host, we copied over the entire
    buffer first into the host and then processed it.  Do away with that, it
    could result in a malicious guest causing a DoS on the host.
    
    Reported-by: Paul Brook <paul at codesourcery.com>
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index e8c2a16..6726f72 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -132,16 +132,17 @@ static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq,
     assert(virtio_queue_ready(vq));
 
     while (!port->throttled && virtqueue_pop(vq, &elem)) {
-        uint8_t *buf;
-        size_t ret, buf_size;
+        unsigned int i;
 
-        buf_size = iov_size(elem.out_sg, elem.out_num);
-        buf = qemu_malloc(buf_size);
-        ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size);
+        for (i = 0; i < elem.out_num; i++) {
+            size_t buf_size;
 
-        port->info->have_data(port, buf, ret);
-        qemu_free(buf);
+            buf_size = elem.out_sg[i].iov_len;
 
+            port->info->have_data(port,
+                                  elem.out_sg[i].iov_base,
+                                  buf_size);
+        }
         virtqueue_push(vq, &elem, 0);
     }
     virtio_notify(vdev, vq);
commit 6bff86560d42a9c391cf1e502ebd764c293c4d02
Author: Amit Shah <amit.shah at redhat.com>
Date:   Fri Jan 7 14:33:36 2011 +0530

    virtio-serial: move out discard logic in a separate function
    
    Instead of combining flush logic into the discard case and not discard
    case, have one function doing discard case.  This will help later when
    adding flow control logic to the do_flush_queued_data() function.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 74ba5ec..e8c2a16 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -113,39 +113,48 @@ static size_t write_to_port(VirtIOSerialPort *port,
     return offset;
 }
 
+static void discard_vq_data(VirtQueue *vq, VirtIODevice *vdev)
+{
+    VirtQueueElement elem;
+
+    while (virtqueue_pop(vq, &elem)) {
+        virtqueue_push(vq, &elem, 0);
+    }
+    virtio_notify(vdev, vq);
+}
+
 static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq,
-                                 VirtIODevice *vdev, bool discard)
+                                 VirtIODevice *vdev)
 {
     VirtQueueElement elem;
 
-    assert(port || discard);
+    assert(port);
     assert(virtio_queue_ready(vq));
 
-    while ((discard || !port->throttled) && virtqueue_pop(vq, &elem)) {
+    while (!port->throttled && virtqueue_pop(vq, &elem)) {
         uint8_t *buf;
         size_t ret, buf_size;
 
-        if (!discard) {
-            buf_size = iov_size(elem.out_sg, elem.out_num);
-            buf = qemu_malloc(buf_size);
-            ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size);
+        buf_size = iov_size(elem.out_sg, elem.out_num);
+        buf = qemu_malloc(buf_size);
+        ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size);
+
+        port->info->have_data(port, buf, ret);
+        qemu_free(buf);
 
-            port->info->have_data(port, buf, ret);
-            qemu_free(buf);
-        }
         virtqueue_push(vq, &elem, 0);
     }
     virtio_notify(vdev, vq);
 }
 
-static void flush_queued_data(VirtIOSerialPort *port, bool discard)
+static void flush_queued_data(VirtIOSerialPort *port)
 {
     assert(port);
 
     if (!virtio_queue_ready(port->ovq)) {
         return;
     }
-    do_flush_queued_data(port, port->ovq, &port->vser->vdev, discard);
+    do_flush_queued_data(port, port->ovq, &port->vser->vdev);
 }
 
 static size_t send_control_msg(VirtIOSerialPort *port, void *buf, size_t len)
@@ -204,7 +213,7 @@ int virtio_serial_close(VirtIOSerialPort *port)
      * consume, reset the throttling flag and discard the data.
      */
     port->throttled = false;
-    flush_queued_data(port, true);
+    discard_vq_data(port->ovq, &port->vser->vdev);
 
     send_control_event(port, VIRTIO_CONSOLE_PORT_OPEN, 0);
 
@@ -258,7 +267,7 @@ void virtio_serial_throttle_port(VirtIOSerialPort *port, bool throttle)
         return;
     }
 
-    flush_queued_data(port, false);
+    flush_queued_data(port);
 }
 
 /* Guest wants to notify us of some event */
@@ -414,11 +423,15 @@ static void handle_output(VirtIODevice *vdev, VirtQueue *vq)
         discard = true;
     }
 
-    if (!discard && port->throttled) {
+    if (discard) {
+        discard_vq_data(vq, vdev);
+        return;
+    }
+    if (port->throttled) {
         return;
     }
 
-    do_flush_queued_data(port, vq, vdev, discard);
+    do_flush_queued_data(port, vq, vdev);
 }
 
 static void handle_input(VirtIODevice *vdev, VirtQueue *vq)
@@ -634,7 +647,7 @@ static void remove_port(VirtIOSerial *vser, uint32_t port_id)
 
     port = find_port_by_id(vser, port_id);
     /* Flush out any unconsumed buffers first */
-    flush_queued_data(port, true);
+    discard_vq_data(port->ovq, &port->vser->vdev);
 
     send_control_event(port, VIRTIO_CONSOLE_PORT_REMOVE, 1);
 }
commit 9f8beb6636fdd913a25fa536238a3a047ce4cf63
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Wed Jan 19 23:18:00 2011 +0100

    microblaze: Add support for load/store reversed
    
    Load/store reversed (lwr/swr) are insns that endian translate
    the sub-word part of the address and byteswap the data lanes.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 2673167..4b6ae06 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -817,12 +817,35 @@ static inline TCGv *compute_ldst_addr(DisasContext *dc, TCGv *t)
     return t;
 }
 
+static inline void dec_byteswap(DisasContext *dc, TCGv dst, TCGv src, int size)
+{
+    if (size == 4) {
+        tcg_gen_bswap32_tl(dst, src);
+    } else if (size == 2) {
+        TCGv t = tcg_temp_new();
+
+        /* bswap16 assumes the high bits are zero.  */
+        tcg_gen_andi_tl(t, src, 0xffff);
+        tcg_gen_bswap16_tl(dst, t);
+        tcg_temp_free(t);
+    } else {
+        /* Ignore.
+        cpu_abort(dc->env, "Invalid ldst byteswap size %d\n", size);
+        */
+    }
+}
+
 static void dec_load(DisasContext *dc)
 {
     TCGv t, *addr;
-    unsigned int size;
+    unsigned int size, rev = 0;
 
     size = 1 << (dc->opcode & 3);
+
+    if (!dc->type_b) {
+        rev = (dc->ir >> 9) & 1;
+    }
+
     if (size > 4 && (dc->tb_flags & MSR_EE_FLAG)
           && (dc->env->pvr.regs[2] & PVR2_ILL_OPCODE_EXC_MASK)) {
         tcg_gen_movi_tl(cpu_SR[SR_ESR], ESR_EC_ILLEGAL_OP);
@@ -830,10 +853,63 @@ static void dec_load(DisasContext *dc)
         return;
     }
 
-    LOG_DIS("l %x %d\n", dc->opcode, size);
+    LOG_DIS("l%d%s%s\n", size, dc->type_b ? "i" : "", rev ? "r" : "");
+
     t_sync_flags(dc);
     addr = compute_ldst_addr(dc, &t);
 
+    /*
+     * When doing reverse accesses we need to do two things.
+     *
+     * 1. Reverse the address wrt endianess.
+     * 2. Byteswap the data lanes on the way back into the CPU core.
+     */
+    if (rev && size != 4) {
+        /* Endian reverse the address. t is addr.  */
+        switch (size) {
+            case 1:
+            {
+                /* 00 -> 11
+                   01 -> 10
+                   10 -> 10
+                   11 -> 00 */
+                TCGv low = tcg_temp_new();
+
+                /* Force addr into the temp.  */
+                if (addr != &t) {
+                    t = tcg_temp_new();
+                    tcg_gen_mov_tl(t, *addr);
+                    addr = &t;
+                }
+
+                tcg_gen_andi_tl(low, t, 3);
+                tcg_gen_sub_tl(low, tcg_const_tl(3), low);
+                tcg_gen_andi_tl(t, t, ~3);
+                tcg_gen_or_tl(t, t, low);
+                tcg_gen_mov_tl(env_debug, low);
+                tcg_gen_mov_tl(env_imm, t);
+                tcg_temp_free(low);
+                break;
+            }
+
+            case 2:
+                /* 00 -> 10
+                   10 -> 00.  */
+                /* Force addr into the temp.  */
+                if (addr != &t) {
+                    t = tcg_temp_new();
+                    tcg_gen_xori_tl(t, *addr, 2);
+                    addr = &t;
+                } else {
+                    tcg_gen_xori_tl(t, t, 2);
+                }
+                break;
+            default:
+                cpu_abort(dc->env, "Invalid reverse size\n");
+                break;
+        }
+    }
+
     /* If we get a fault on a dslot, the jmpstate better be in sync.  */
     sync_jmpstate(dc);
 
@@ -852,13 +928,22 @@ static void dec_load(DisasContext *dc)
         tcg_gen_movi_tl(cpu_SR[SR_PC], dc->pc);
         gen_helper_memalign(*addr, tcg_const_tl(dc->rd),
                             tcg_const_tl(0), tcg_const_tl(size - 1));
-        if (dc->rd)
-            tcg_gen_mov_tl(cpu_R[dc->rd], v);
+        if (dc->rd) {
+            if (rev) {
+                dec_byteswap(dc, cpu_R[dc->rd], v, size);
+            } else {
+                tcg_gen_mov_tl(cpu_R[dc->rd], v);
+            }
+        }
         tcg_temp_free(v);
     } else {
         if (dc->rd) {
             gen_load(dc, cpu_R[dc->rd], *addr, size);
+            if (rev) {
+                dec_byteswap(dc, cpu_R[dc->rd], cpu_R[dc->rd], size);
+            }
         } else {
+            /* We are loading into r0, no need to reverse.  */
             gen_load(dc, env_imm, *addr, size);
         }
     }
@@ -885,9 +970,12 @@ static void gen_store(DisasContext *dc, TCGv addr, TCGv val,
 static void dec_store(DisasContext *dc)
 {
     TCGv t, *addr;
-    unsigned int size;
+    unsigned int size, rev = 0;
 
     size = 1 << (dc->opcode & 3);
+    if (!dc->type_b) {
+        rev = (dc->ir >> 9) & 1;
+    }
 
     if (size > 4 && (dc->tb_flags & MSR_EE_FLAG)
           && (dc->env->pvr.regs[2] & PVR2_ILL_OPCODE_EXC_MASK)) {
@@ -896,19 +984,84 @@ static void dec_store(DisasContext *dc)
         return;
     }
 
-    LOG_DIS("s%d%s\n", size, dc->type_b ? "i" : "");
+    LOG_DIS("s%d%s%s\n", size, dc->type_b ? "i" : "", rev ? "r" : "");
     t_sync_flags(dc);
     /* If we get a fault on a dslot, the jmpstate better be in sync.  */
     sync_jmpstate(dc);
     addr = compute_ldst_addr(dc, &t);
 
-    gen_store(dc, *addr, cpu_R[dc->rd], size);
+    if (rev && size != 4) {
+        /* Endian reverse the address. t is addr.  */
+        switch (size) {
+            case 1:
+            {
+                /* 00 -> 11
+                   01 -> 10
+                   10 -> 10
+                   11 -> 00 */
+                TCGv low = tcg_temp_new();
+
+                /* Force addr into the temp.  */
+                if (addr != &t) {
+                    t = tcg_temp_new();
+                    tcg_gen_mov_tl(t, *addr);
+                    addr = &t;
+                }
+
+                tcg_gen_andi_tl(low, t, 3);
+                tcg_gen_sub_tl(low, tcg_const_tl(3), low);
+                tcg_gen_andi_tl(t, t, ~3);
+                tcg_gen_or_tl(t, t, low);
+                tcg_gen_mov_tl(env_debug, low);
+                tcg_gen_mov_tl(env_imm, t);
+                tcg_temp_free(low);
+                break;
+            }
+
+            case 2:
+                /* 00 -> 10
+                   10 -> 00.  */
+                /* Force addr into the temp.  */
+                if (addr != &t) {
+                    t = tcg_temp_new();
+                    tcg_gen_xori_tl(t, *addr, 2);
+                    addr = &t;
+                } else {
+                    tcg_gen_xori_tl(t, t, 2);
+                }
+                break;
+            default:
+                cpu_abort(dc->env, "Invalid reverse size\n");
+                break;
+        }
+
+        if (size != 1) {
+            TCGv bs_data = tcg_temp_new();
+            dec_byteswap(dc, bs_data, cpu_R[dc->rd], size);
+            gen_store(dc, *addr, bs_data, size);
+            tcg_temp_free(bs_data);
+        } else {
+            gen_store(dc, *addr, cpu_R[dc->rd], size);
+        }
+    } else {
+        if (rev) {
+            TCGv bs_data = tcg_temp_new();
+            dec_byteswap(dc, bs_data, cpu_R[dc->rd], size);
+            gen_store(dc, *addr, bs_data, size);
+            tcg_temp_free(bs_data);
+        } else {
+            gen_store(dc, *addr, cpu_R[dc->rd], size);
+        }
+    }
 
     /* Verify alignment if needed.  */
     if ((dc->env->pvr.regs[2] & PVR2_UNALIGNED_EXC_MASK) && size > 1) {
         tcg_gen_movi_tl(cpu_SR[SR_PC], dc->pc);
         /* FIXME: if the alignment is wrong, we should restore the value
-         *        in memory.
+         *        in memory. One possible way to acheive this is to probe
+         *        the MMU prior to the memaccess, thay way we could put
+         *        the alignment checks in between the probe and the mem
+         *        access.
          */
         gen_helper_memalign(*addr, tcg_const_tl(dc->rd),
                             tcg_const_tl(1), tcg_const_tl(size - 1));
commit 9ef55357634d57331243c780439efc596c8d460d
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Wed Jan 19 22:48:07 2011 +0100

    microblaze: Tweak comment, fast cases -> common cases
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 2e236fb..2673167 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -788,7 +788,7 @@ static inline TCGv *compute_ldst_addr(DisasContext *dc, TCGv *t)
 {
     unsigned int extimm = dc->tb_flags & IMM_FLAG;
 
-    /* Treat the fast cases first.  */
+    /* Treat the common cases first.  */
     if (!dc->type_b) {
         /* If any of the regs is r0, return a ptr to the other.  */
         if (dc->ra == 0) {
commit 2991181aaa026d8b1444bfaa9c4bcd82065ba5a3
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Jan 19 21:18:19 2011 +0200

    pci: fix device paths
    
    Patch a6a7005d14b3c32d4864a718fb1cb19c789f58a5 generated
    broken device paths. We snprintf with a length shorter
    than the output, so the last character is discarded and replaced
    by the null byte. Fix it up by snprintf to a buffer
    which is larger by 1 byte and then memcpy the data (without
    the null byte) to where we need it.
    
    Reported-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 8d0e3df..c77f6e9 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2032,10 +2032,13 @@ static char *pcibus_get_dev_path(DeviceState *dev)
      * domain:Bus:Slot.Func for systems without nested PCI bridges.
      * Slot.Function list specifies the slot and function numbers for all
      * devices on the path from root to the specific device. */
-    int domain_len = strlen("DDDD:00");
-    int slot_len = strlen(":SS.F");
+    char domain[] = "DDDD:00";
+    char slot[] = ":SS.F";
+    int domain_len = sizeof domain - 1 /* For '\0' */;
+    int slot_len = sizeof slot - 1 /* For '\0' */;
     int path_len;
     char *path, *p;
+    int s;
 
     /* Calculate # of slots on path between device and root. */;
     slot_depth = 0;
@@ -2050,14 +2053,19 @@ static char *pcibus_get_dev_path(DeviceState *dev)
     path[path_len] = '\0';
 
     /* First field is the domain. */
-    snprintf(path, domain_len, "%04x:00", pci_find_domain(d->bus));
+    s = snprintf(domain, sizeof domain, "%04x:00", pci_find_domain(d->bus));
+    assert(s == domain_len);
+    memcpy(path, domain, domain_len);
 
     /* Fill in slot numbers. We walk up from device to root, so need to print
      * them in the reverse order, last to first. */
     p = path + path_len;
     for (t = d; t; t = t->bus->parent_dev) {
         p -= slot_len;
-        snprintf(p, slot_len, ":%02x.%x", PCI_SLOT(t->devfn), PCI_FUNC(d->devfn));
+        s = snprintf(slot, sizeof slot, ":%02x.%x",
+                     PCI_SLOT(t->devfn), PCI_FUNC(d->devfn));
+        assert(s == slot_len);
+        memcpy(p, slot, slot_len);
     }
 
     return path;
commit 28eaf465316491884952f855f7bfc9dab597e6fb
Author: Amit Shah <amit.shah at redhat.com>
Date:   Fri Dec 10 17:10:43 2010 +0530

    virtio-console: Remove unnecessary braces
    
    Remove unnecessary braces around a case statement.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-console.c b/hw/virtio-console.c
index d7fe68b..d0b9354 100644
--- a/hw/virtio-console.c
+++ b/hw/virtio-console.c
@@ -48,10 +48,9 @@ static void chr_event(void *opaque, int event)
     VirtConsole *vcon = opaque;
 
     switch (event) {
-    case CHR_EVENT_OPENED: {
+    case CHR_EVENT_OPENED:
         virtio_serial_open(&vcon->port);
         break;
-    }
     case CHR_EVENT_CLOSED:
         virtio_serial_close(&vcon->port);
         break;
commit cbe77b616cb73d0a0aedbf9c80cb3dcb7d324535
Author: Amit Shah <amit.shah at redhat.com>
Date:   Mon Apr 5 14:20:29 2010 +0530

    virtio-console: Factor out common init between console and generic ports
    
    The initialisation for generic ports and console ports is similar.
    Factor out the parts that are the same in a different function that can
    be called from each of the initfns.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>

diff --git a/hw/virtio-console.c b/hw/virtio-console.c
index caea11f..d7fe68b 100644
--- a/hw/virtio-console.c
+++ b/hw/virtio-console.c
@@ -58,24 +58,28 @@ static void chr_event(void *opaque, int event)
     }
 }
 
-/* Virtio Console Ports */
-static int virtconsole_initfn(VirtIOSerialDevice *dev)
+static int generic_port_init(VirtConsole *vcon, VirtIOSerialDevice *dev)
 {
-    VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, &dev->qdev);
-    VirtConsole *vcon = DO_UPCAST(VirtConsole, port, port);
-
-    port->info = dev->info;
-
-    port->is_console = true;
+    vcon->port.info = dev->info;
 
     if (vcon->chr) {
         qemu_chr_add_handlers(vcon->chr, chr_can_read, chr_read, chr_event,
                               vcon);
-        port->info->have_data = flush_buf;
+        vcon->port.info->have_data = flush_buf;
     }
     return 0;
 }
 
+/* Virtio Console Ports */
+static int virtconsole_initfn(VirtIOSerialDevice *dev)
+{
+    VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, &dev->qdev);
+    VirtConsole *vcon = DO_UPCAST(VirtConsole, port, port);
+
+    port->is_console = true;
+    return generic_port_init(vcon, dev);
+}
+
 static int virtconsole_exitfn(VirtIOSerialDevice *dev)
 {
     VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, &dev->qdev);
@@ -115,14 +119,7 @@ static int virtserialport_initfn(VirtIOSerialDevice *dev)
     VirtIOSerialPort *port = DO_UPCAST(VirtIOSerialPort, dev, &dev->qdev);
     VirtConsole *vcon = DO_UPCAST(VirtConsole, port, port);
 
-    port->info = dev->info;
-
-    if (vcon->chr) {
-        qemu_chr_add_handlers(vcon->chr, chr_can_read, chr_read, chr_event,
-                              vcon);
-        port->info->have_data = flush_buf;
-    }
-    return 0;
+    return generic_port_init(vcon, dev);
 }
 
 static VirtIOSerialPortInfo virtserialport_info = {
commit 1b5f56b134dc2d338911242424795de70c7475fd
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Tue Jan 18 21:34:51 2011 +0000

    sparc: fix NaN handling
    
    Fix several bugs in NaN handling:
     * e in fcmpe* only changes qNaN handling
     * FCC is unchanged if an exception is raised
     * clear previous FTT before setting it
    
    Reported-by: Mateusz Loskot <mateusz at loskot.net>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-sparc/op_helper.c b/target-sparc/op_helper.c
index 58f9f82..b70970a 100644
--- a/target-sparc/op_helper.c
+++ b/target-sparc/op_helper.c
@@ -857,65 +857,77 @@ void helper_fsqrtq(void)
     QT0 = float128_sqrt(QT1, &env->fp_status);
 }
 
-#define GEN_FCMP(name, size, reg1, reg2, FS, TRAP)                      \
+#define GEN_FCMP(name, size, reg1, reg2, FS, E)                         \
     void glue(helper_, name) (void)                                     \
     {                                                                   \
-        target_ulong new_fsr;                                           \
-                                                                        \
-        env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                     \
+        env->fsr &= FSR_FTT_NMASK;                                      \
+        if (E && (glue(size, _is_any_nan)(reg1) ||                      \
+                     glue(size, _is_any_nan)(reg2)) &&                  \
+            (env->fsr & FSR_NVM)) {                                     \
+            env->fsr |= FSR_NVC;                                        \
+            env->fsr |= FSR_FTT_IEEE_EXCP;                              \
+            raise_exception(TT_FP_EXCP);                                \
+        }                                                               \
         switch (glue(size, _compare) (reg1, reg2, &env->fp_status)) {   \
         case float_relation_unordered:                                  \
-            new_fsr = (FSR_FCC1 | FSR_FCC0) << FS;                      \
-            if ((env->fsr & FSR_NVM) || TRAP) {                         \
-                env->fsr |= new_fsr;                                    \
+            if ((env->fsr & FSR_NVM)) {                                 \
                 env->fsr |= FSR_NVC;                                    \
                 env->fsr |= FSR_FTT_IEEE_EXCP;                          \
                 raise_exception(TT_FP_EXCP);                            \
             } else {                                                    \
+                env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);             \
+                env->fsr |= (FSR_FCC1 | FSR_FCC0) << FS;                \
                 env->fsr |= FSR_NVA;                                    \
             }                                                           \
             break;                                                      \
         case float_relation_less:                                       \
-            new_fsr = FSR_FCC0 << FS;                                   \
+            env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                 \
+            env->fsr |= FSR_FCC0 << FS;                                 \
             break;                                                      \
         case float_relation_greater:                                    \
-            new_fsr = FSR_FCC1 << FS;                                   \
+            env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                 \
+            env->fsr |= FSR_FCC1 << FS;                                 \
             break;                                                      \
         default:                                                        \
-            new_fsr = 0;                                                \
+            env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                 \
             break;                                                      \
         }                                                               \
-        env->fsr |= new_fsr;                                            \
     }
-#define GEN_FCMPS(name, size, FS, TRAP)                                 \
+#define GEN_FCMPS(name, size, FS, E)                                    \
     void glue(helper_, name)(float32 src1, float32 src2)                \
     {                                                                   \
-        target_ulong new_fsr;                                           \
-                                                                        \
-        env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                     \
+        env->fsr &= FSR_FTT_NMASK;                                      \
+        if (E && (glue(size, _is_any_nan)(src1) ||                      \
+                     glue(size, _is_any_nan)(src2)) &&                  \
+            (env->fsr & FSR_NVM)) {                                     \
+            env->fsr |= FSR_NVC;                                        \
+            env->fsr |= FSR_FTT_IEEE_EXCP;                              \
+            raise_exception(TT_FP_EXCP);                                \
+        }                                                               \
         switch (glue(size, _compare) (src1, src2, &env->fp_status)) {   \
         case float_relation_unordered:                                  \
-            new_fsr = (FSR_FCC1 | FSR_FCC0) << FS;                      \
-            if ((env->fsr & FSR_NVM) || TRAP) {                         \
-                env->fsr |= new_fsr;                                    \
+            if ((env->fsr & FSR_NVM)) {                                 \
                 env->fsr |= FSR_NVC;                                    \
                 env->fsr |= FSR_FTT_IEEE_EXCP;                          \
                 raise_exception(TT_FP_EXCP);                            \
             } else {                                                    \
+                env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);             \
+                env->fsr |= (FSR_FCC1 | FSR_FCC0) << FS;                \
                 env->fsr |= FSR_NVA;                                    \
             }                                                           \
             break;                                                      \
         case float_relation_less:                                       \
-            new_fsr = FSR_FCC0 << FS;                                   \
+            env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                 \
+            env->fsr |= FSR_FCC0 << FS;                                 \
             break;                                                      \
         case float_relation_greater:                                    \
-            new_fsr = FSR_FCC1 << FS;                                   \
+            env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                 \
+            env->fsr |= FSR_FCC1 << FS;                                 \
             break;                                                      \
         default:                                                        \
-            new_fsr = 0;                                                \
+            env->fsr &= ~((FSR_FCC1 | FSR_FCC0) << FS);                 \
             break;                                                      \
         }                                                               \
-        env->fsr |= new_fsr;                                            \
     }
 
 GEN_FCMPS(fcmps, float32, 0, 0);
commit 54ccaa575d588602148a018dffdb332c0aa861ad
Author: Gleb Natapov <gleb at redhat.com>
Date:   Mon Jan 10 11:54:54 2011 +0200

    add bootindex parameter to assigned device
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index e97f565..0038526 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -40,6 +40,7 @@
 #include "monitor.h"
 #include "range.h"
 #include <pci/header.h>
+#include "sysemu.h"
 
 /* From linux/ioport.h */
 #define IORESOURCE_IO       0x00000100  /* Resource type */
@@ -1771,6 +1772,8 @@ static int assigned_initfn(struct PCIDevice *pci_dev)
     assigned_dev_load_option_rom(dev);
     QLIST_INSERT_HEAD(&devs, dev, next);
 
+    add_boot_device_path(dev->bootindex, &pci_dev->qdev, NULL);
+
     /* Register a vmsd so that we can mark it unmigratable. */
     vmstate_register(&dev->dev.qdev, 0, &vmstate_assigned_device, dev);
     register_device_unmigratable(&dev->dev.qdev,
@@ -1837,6 +1840,7 @@ static PCIDeviceInfo assign_info = {
                         ASSIGNED_DEVICE_USE_IOMMU_BIT, true),
         DEFINE_PROP_BIT("prefer_msi", AssignedDevice, features,
                         ASSIGNED_DEVICE_PREFER_MSI_BIT, true),
+        DEFINE_PROP_INT32("bootindex", AssignedDevice, bootindex, -1),
         DEFINE_PROP_STRING("configfd", AssignedDevice, configfd_name),
         DEFINE_PROP_END_OF_LIST(),
     },
diff --git a/hw/device-assignment.h b/hw/device-assignment.h
index c94a730..86af0a9 100644
--- a/hw/device-assignment.h
+++ b/hw/device-assignment.h
@@ -111,6 +111,7 @@ typedef struct AssignedDevice {
     int mmio_index;
     int need_emulate_cmd;
     char *configfd_name;
+    int32_t bootindex;
     QLIST_ENTRY(AssignedDevice) next;
 } AssignedDevice;
 
commit 5642463aeeb187597e217706d9ed2663cd3734c0
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Jan 18 13:08:40 2011 +0000

    target-arm: Log instruction start in TCG code
    
    Add support for logging the start of instructions in TCG
    code debug dumps for ARM targets.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 907d73a..c60cd18 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -9199,6 +9199,10 @@ static inline void gen_intermediate_code_internal(CPUState *env,
         if (num_insns + 1 == max_insns && (tb->cflags & CF_LAST_IO))
             gen_io_start();
 
+        if (unlikely(qemu_loglevel_mask(CPU_LOG_TB_OP))) {
+            tcg_gen_debug_insn_start(dc->pc);
+        }
+
         if (dc->thumb) {
             disas_thumb_insn(env, dc);
             if (dc->condexec_mask) {
commit 55807224561b9ac278bb65960b6c12666fd30db9
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Mon Jan 17 23:00:08 2011 +0100

    mips: Break TBs after mfc0_count
    
    Break the TB after reading the count register. This makes it
    possible to take timer interrupts immediately after a read of
    a possibly expired timer.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-mips/translate.c b/target-mips/translate.c
index cce77be..187930e 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -3410,8 +3410,10 @@ static void gen_mfc0 (CPUState *env, DisasContext *ctx, TCGv arg, int reg, int s
             gen_helper_mfc0_count(arg);
             if (use_icount) {
                 gen_io_end();
-                ctx->bstate = BS_STOP;
             }
+            /* Break the TB to be able to take timer interrupts immediately
+               after reading count.  */
+            ctx->bstate = BS_STOP;
             rn = "Count";
             break;
         /* 6,7 are implementation dependent */
@@ -4581,8 +4583,10 @@ static void gen_dmfc0 (CPUState *env, DisasContext *ctx, TCGv arg, int reg, int
             gen_helper_mfc0_count(arg);
             if (use_icount) {
                 gen_io_end();
-                ctx->bstate = BS_STOP;
             }
+            /* Break the TB to be able to take timer interrupts immediately
+               after reading count.  */
+            ctx->bstate = BS_STOP;
             rn = "Count";
             break;
         /* 6,7 are implementation dependent */
commit e027e1f075afe36698ce55d86f01b7817707c8b6
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Tue Jan 18 00:12:22 2011 +0100

    mips: Expire late timers when reading cp0_count
    
    When reading cp0_count from a timer with a late trigger that should
    already have expired, expire it and raise the timer irq.
    
    This makes it possible for guest code (e.g, Linux) that first read
    cp0_count, then compare it with cp0_compare and check for raised
    timer interrupt lines to run reliably.
    
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/mips_timer.c b/hw/mips_timer.c
index 8c32087..9c95f28 100644
--- a/hw/mips_timer.c
+++ b/hw/mips_timer.c
@@ -69,9 +69,17 @@ uint32_t cpu_mips_get_count (CPUState *env)
     if (env->CP0_Cause & (1 << CP0Ca_DC)) {
         return env->CP0_Count;
     } else {
+        uint64_t now;
+
+        now = qemu_get_clock(vm_clock);
+        if (qemu_timer_pending(env->timer)
+            && qemu_timer_expired(env->timer, now)) {
+            /* The timer has already expired.  */
+            cpu_mips_timer_expire(env);
+        }
+
         return env->CP0_Count +
-            (uint32_t)muldiv64(qemu_get_clock(vm_clock),
-                               TIMER_FREQ, get_ticks_per_sec());
+            (uint32_t)muldiv64(now, TIMER_FREQ, get_ticks_per_sec());
     }
 }
 
commit b1dfe6437c776f6441cf8b71c706f32f2456c530
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Tue Jan 18 00:07:49 2011 +0100

    mips: Break out cpu_mips_timer_expire
    
    Reorganize for future patches, no functional change.
    
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/mips_timer.c b/hw/mips_timer.c
index e3beee8..8c32087 100644
--- a/hw/mips_timer.c
+++ b/hw/mips_timer.c
@@ -42,16 +42,6 @@ uint32_t cpu_mips_get_random (CPUState *env)
 }
 
 /* MIPS R4K timer */
-uint32_t cpu_mips_get_count (CPUState *env)
-{
-    if (env->CP0_Cause & (1 << CP0Ca_DC))
-        return env->CP0_Count;
-    else
-        return env->CP0_Count +
-            (uint32_t)muldiv64(qemu_get_clock(vm_clock),
-                               TIMER_FREQ, get_ticks_per_sec());
-}
-
 static void cpu_mips_timer_update(CPUState *env)
 {
     uint64_t now, next;
@@ -64,6 +54,27 @@ static void cpu_mips_timer_update(CPUState *env)
     qemu_mod_timer(env->timer, next);
 }
 
+/* Expire the timer.  */
+static void cpu_mips_timer_expire(CPUState *env)
+{
+    cpu_mips_timer_update(env);
+    if (env->insn_flags & ISA_MIPS32R2) {
+        env->CP0_Cause |= 1 << CP0Ca_TI;
+    }
+    qemu_irq_raise(env->irq[(env->CP0_IntCtl >> CP0IntCtl_IPTI) & 0x7]);
+}
+
+uint32_t cpu_mips_get_count (CPUState *env)
+{
+    if (env->CP0_Cause & (1 << CP0Ca_DC)) {
+        return env->CP0_Count;
+    } else {
+        return env->CP0_Count +
+            (uint32_t)muldiv64(qemu_get_clock(vm_clock),
+                               TIMER_FREQ, get_ticks_per_sec());
+    }
+}
+
 void cpu_mips_store_count (CPUState *env, uint32_t count)
 {
     if (env->CP0_Cause & (1 << CP0Ca_DC))
@@ -116,11 +127,8 @@ static void mips_timer_cb (void *opaque)
        the comparator value.  Offset the count by one to avoid immediately
        retriggering the callback before any virtual time has passed.  */
     env->CP0_Count++;
-    cpu_mips_timer_update(env);
+    cpu_mips_timer_expire(env);
     env->CP0_Count--;
-    if (env->insn_flags & ISA_MIPS32R2)
-        env->CP0_Cause |= 1 << CP0Ca_TI;
-    qemu_irq_raise(env->irq[(env->CP0_IntCtl >> CP0IntCtl_IPTI) & 0x7]);
 }
 
 void cpu_mips_clock_init (CPUState *env)
commit 4a6648f44eefbfbea38a1de56f8a8e44a8892941
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Mon Jan 17 20:26:30 2011 +0000

    Replace 'extern inline' with 'static inline'
    
    Acked-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tests/cris/check_abs.c b/tests/cris/check_abs.c
index 3966c87..9770a8d 100644
--- a/tests/cris/check_abs.c
+++ b/tests/cris/check_abs.c
@@ -4,13 +4,14 @@
 #include "sys.h"
 #include "crisutils.h"
 
-extern inline int cris_abs(int n) {
+static inline int cris_abs(int n)
+{
 	int r;
 	asm ("abs\t%1, %0\n" : "=r" (r) : "r" (n));
 	return r;
 }
 
-extern inline void
+static inline void
 verify_abs(int val, int res,
 	   const int n, const int z, const int v, const int c)
 {
diff --git a/tests/cris/check_addc.c b/tests/cris/check_addc.c
index e407855..facd1be 100644
--- a/tests/cris/check_addc.c
+++ b/tests/cris/check_addc.c
@@ -4,7 +4,8 @@
 #include "sys.h"
 #include "crisutils.h"
 
-extern inline int cris_addc(int a, const int b) {
+static inline int cris_addc(int a, const int b)
+{
 	asm ("addc\t%1, %0\n" : "+r" (a) : "r" (b));
 	return a;
 }
diff --git a/tests/cris/check_addcm.c b/tests/cris/check_addcm.c
index 9ffea29..7928bc9 100644
--- a/tests/cris/check_addcm.c
+++ b/tests/cris/check_addcm.c
@@ -5,13 +5,15 @@
 #include "crisutils.h"
 
 /* need to avoid acr as source here.  */
-extern inline int cris_addc_m(int a, const int *b) {
+static inline int cris_addc_m(int a, const int *b)
+{
 	asm volatile ("addc [%1], %0\n" : "+r" (a) : "r" (b));
 	return a;
 }
 
 /* 'b' is a crisv32 constrain to avoid postinc with $acr.  */
-extern inline int cris_addc_pi_m(int a, int **b) {
+static inline int cris_addc_pi_m(int a, int **b)
+{
 	asm volatile ("addc [%1+], %0\n" : "+r" (a), "+b" (*b));
 	return a;
 }
diff --git a/tests/cris/check_bound.c b/tests/cris/check_bound.c
index 411d2ad..e883175 100644
--- a/tests/cris/check_bound.c
+++ b/tests/cris/check_bound.c
@@ -4,19 +4,22 @@
 #include "sys.h"
 #include "crisutils.h"
 
-extern inline int cris_bound_b(int v, int b) {
+static inline int cris_bound_b(int v, int b)
+{
 	int r = v;
 	asm ("bound.b\t%1, %0\n" : "+r" (r) : "ri" (b));
 	return r;
 }
 
-extern inline int cris_bound_w(int v, int b) {
+static inline int cris_bound_w(int v, int b)
+{
 	int r = v;
 	asm ("bound.w\t%1, %0\n" : "+r" (r) : "ri" (b));
 	return r;
 }
 
-extern inline int cris_bound_d(int v, int b) {
+static inline int cris_bound_d(int v, int b)
+{
 	int r = v;
 	asm ("bound.d\t%1, %0\n" : "+r" (r) : "ri" (b));
 	return r;
diff --git a/tests/cris/check_ftag.c b/tests/cris/check_ftag.c
index 40d1507..908773a 100644
--- a/tests/cris/check_ftag.c
+++ b/tests/cris/check_ftag.c
@@ -4,19 +4,23 @@
 #include "sys.h"
 #include "crisutils.h"
 
-extern inline void cris_ftag_i(unsigned int x) {
+static inline void cris_ftag_i(unsigned int x)
+{
 	register unsigned int v asm("$r10") = x;
 	asm ("ftagi\t[%0]\n" : : "r" (v) );
 }
-extern inline void cris_ftag_d(unsigned int x) {
+static inline void cris_ftag_d(unsigned int x)
+{
 	register unsigned int v asm("$r10") = x;
 	asm ("ftagd\t[%0]\n" : : "r" (v) );
 }
-extern inline void cris_fidx_i(unsigned int x) {
+static inline void cris_fidx_i(unsigned int x)
+{
 	register unsigned int v asm("$r10") = x;
 	asm ("fidxi\t[%0]\n" : : "r" (v) );
 }
-extern inline void cris_fidx_d(unsigned int x) {
+static inline void cris_fidx_d(unsigned int x)
+{
 	register unsigned int v asm("$r10") = x;
 	asm ("fidxd\t[%0]\n" : : "r" (v) );
 }
diff --git a/tests/cris/check_int64.c b/tests/cris/check_int64.c
index 99ca6f1..fc60017 100644
--- a/tests/cris/check_int64.c
+++ b/tests/cris/check_int64.c
@@ -5,11 +5,13 @@
 #include "crisutils.h"
 
 
-extern inline int64_t add64(const int64_t a, const int64_t b) {
+static inline int64_t add64(const int64_t a, const int64_t b)
+{
 	return a + b;
 }
 
-extern inline int64_t sub64(const int64_t a, const int64_t b) {
+static inline int64_t sub64(const int64_t a, const int64_t b)
+{
 	return a - b;
 }
 
diff --git a/tests/cris/check_lz.c b/tests/cris/check_lz.c
index 7b30a26..69c2e6d 100644
--- a/tests/cris/check_lz.c
+++ b/tests/cris/check_lz.c
@@ -3,7 +3,7 @@
 #include <stdint.h>
 #include "sys.h"
 
-extern inline int cris_lz(int x)
+static inline int cris_lz(int x)
 {
 	int r;
 	asm ("lz\t%1, %0\n" : "=r" (r) : "r" (x));
diff --git a/tests/cris/check_swap.c b/tests/cris/check_swap.c
index 824a685..f851cbc 100644
--- a/tests/cris/check_swap.c
+++ b/tests/cris/check_swap.c
@@ -9,7 +9,7 @@
 #define B 2
 #define R 1
 
-extern inline int cris_swap(const int mode, int x)
+static inline int cris_swap(const int mode, int x)
 {
 	switch (mode)
 	{
diff --git a/tests/cris/crisutils.h b/tests/cris/crisutils.h
index 7d1ea86..29b71cd 100644
--- a/tests/cris/crisutils.h
+++ b/tests/cris/crisutils.h
@@ -10,57 +10,57 @@ void _err(void) {
 	_fail(tst_cc_loc);
 }
 
-extern inline void cris_tst_cc_n1(void)
+static inline void cris_tst_cc_n1(void)
 {
 	asm volatile ("bpl _err\n"
 		      "nop\n");
 }
-extern inline void cris_tst_cc_n0(void)
+static inline void cris_tst_cc_n0(void)
 {
 	asm volatile ("bmi _err\n"
 		      "nop\n");
 }
 
-extern inline void cris_tst_cc_z1(void)
+static inline void cris_tst_cc_z1(void)
 {
 	asm volatile ("bne _err\n"
 		      "nop\n");
 }
-extern inline void cris_tst_cc_z0(void)
+static inline void cris_tst_cc_z0(void)
 {
 	asm volatile ("beq _err\n"
 		      "nop\n");
 }
-extern inline void cris_tst_cc_v1(void)
+static inline void cris_tst_cc_v1(void)
 {
 	asm volatile ("bvc _err\n"
 		      "nop\n");
 }
-extern inline void cris_tst_cc_v0(void)
+static inline void cris_tst_cc_v0(void)
 {
 	asm volatile ("bvs _err\n"
 		      "nop\n");
 }
 
-extern inline void cris_tst_cc_c1(void)
+static inline void cris_tst_cc_c1(void)
 {
 	asm volatile ("bcc _err\n"
 		      "nop\n");
 }
-extern inline void cris_tst_cc_c0(void)
+static inline void cris_tst_cc_c0(void)
 {
 	asm volatile ("bcs _err\n"
 		      "nop\n");
 }
 
-extern inline void cris_tst_mov_cc(int n, int z)
+static inline void cris_tst_mov_cc(int n, int z)
 {
 	if (n) cris_tst_cc_n1(); else cris_tst_cc_n0();
 	if (z) cris_tst_cc_z1(); else cris_tst_cc_z0();
 	asm volatile ("" : : "g" (_err));
 }
 
-extern inline void cris_tst_cc(const int n, const int z,
+static inline void cris_tst_cc(const int n, const int z,
 			       const int v, const int c)
 {
 	if (n) cris_tst_cc_n1(); else cris_tst_cc_n0();
diff --git a/tests/hello-i386.c b/tests/hello-i386.c
index e00245d..86afc34 100644
--- a/tests/hello-i386.c
+++ b/tests/hello-i386.c
@@ -1,6 +1,6 @@
 #include <asm/unistd.h>
 
-extern inline volatile void exit(int status)
+static inline volatile void exit(int status)
 {
   int __res;
   __asm__ volatile ("movl %%ecx,%%ebx\n"\
@@ -8,7 +8,7 @@ extern inline volatile void exit(int status)
 		    :  "=a" (__res) : "0" (__NR_exit),"c" ((long)(status)));
 }
 
-extern inline int write(int fd, const char * buf, int len)
+static inline int write(int fd, const char * buf, int len)
 {
   int status;
   __asm__ volatile ("pushl %%ebx\n"\
commit 29718712eb2e53c09d28f08e39f6514d690f6fd3
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sun Jan 16 16:28:20 2011 +0100

    bsd-user: Fix possible memory leaks and wrong realloc call
    
    These errors were reported by cppcheck:
    
    [bsd-user/elfload.c:1108]: (error) Common realloc mistake: "syms" nulled but not freed upon failure
    [bsd-user/elfload.c:1076]: (error) Memory leak: s
    [bsd-user/elfload.c:1079]: (error) Memory leak: syms
    
    v2:
    * The previous fix for memory leaks was incomplete (thanks to Peter Maydell for te hint).
    * Fix wrong realloc usage, too.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/bsd-user/elfload.c b/bsd-user/elfload.c
index 7374912..1ef1f97 100644
--- a/bsd-user/elfload.c
+++ b/bsd-user/elfload.c
@@ -1044,7 +1044,7 @@ static void load_symbols(struct elfhdr *hdr, int fd)
     struct elf_shdr sechdr, symtab, strtab;
     char *strings;
     struct syminfo *s;
-    struct elf_sym *syms;
+    struct elf_sym *syms, *new_syms;
 
     lseek(fd, hdr->e_shoff, SEEK_SET);
     for (i = 0; i < hdr->e_shnum; i++) {
@@ -1072,15 +1072,24 @@ static void load_symbols(struct elfhdr *hdr, int fd)
     /* Now know where the strtab and symtab are.  Snarf them. */
     s = malloc(sizeof(*s));
     syms = malloc(symtab.sh_size);
-    if (!syms)
+    if (!syms) {
+        free(s);
         return;
+    }
     s->disas_strtab = strings = malloc(strtab.sh_size);
-    if (!s->disas_strtab)
+    if (!s->disas_strtab) {
+        free(s);
+        free(syms);
         return;
+    }
 
     lseek(fd, symtab.sh_offset, SEEK_SET);
-    if (read(fd, syms, symtab.sh_size) != symtab.sh_size)
+    if (read(fd, syms, symtab.sh_size) != symtab.sh_size) {
+        free(s);
+        free(syms);
+        free(strings);
         return;
+    }
 
     nsyms = symtab.sh_size / sizeof(struct elf_sym);
 
@@ -1105,13 +1114,29 @@ static void load_symbols(struct elfhdr *hdr, int fd)
 #endif
         i++;
     }
-    syms = realloc(syms, nsyms * sizeof(*syms));
+
+     /* Attempt to free the storage associated with the local symbols
+        that we threw away.  Whether or not this has any effect on the
+        memory allocation depends on the malloc implementation and how
+        many symbols we managed to discard. */
+    new_syms = realloc(syms, nsyms * sizeof(*syms));
+    if (new_syms == NULL) {
+        free(s);
+        free(syms);
+        free(strings);
+        return;
+    }
+    syms = new_syms;
 
     qsort(syms, nsyms, sizeof(*syms), symcmp);
 
     lseek(fd, strtab.sh_offset, SEEK_SET);
-    if (read(fd, strings, strtab.sh_size) != strtab.sh_size)
+    if (read(fd, strings, strtab.sh_size) != strtab.sh_size) {
+        free(s);
+        free(syms);
+        free(strings);
         return;
+    }
     s->disas_num_syms = nsyms;
 #if ELF_CLASS == ELFCLASS32
     s->disas_symtab.elf32 = syms;
commit 07d8a50cb0e096c5cdc5a81b8030e40833664dd3
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 17 19:29:33 2011 +0100

    sm501: add 2D engine copyrect support
    
    Linux kernel started to use the SM501 2D engine for the console, and
    especially the copyrect operation.
    
    Implement this operation so that recent kernels can be used with QEMU.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sm501.c b/hw/sm501.c
index f16e6e4..388fc08 100644
--- a/hw/sm501.c
+++ b/hw/sm501.c
@@ -511,6 +511,7 @@ typedef struct SM501State {
     uint32_t dc_crt_hwc_color_1_2;
     uint32_t dc_crt_hwc_color_3;
 
+    uint32_t twoD_source;
     uint32_t twoD_destination;
     uint32_t twoD_dimension;
     uint32_t twoD_control;
@@ -636,6 +637,9 @@ static void sm501_2d_operation(SM501State * s)
 {
     /* obtain operation parameters */
     int operation = (s->twoD_control >> 16) & 0x1f;
+    int rtl = s->twoD_control & 0x8000000;
+    int src_x = (s->twoD_source >> 16) & 0x01FFF;
+    int src_y = s->twoD_source & 0xFFFF;
     int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
     int dst_y = s->twoD_destination & 0xFFFF;
     int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
@@ -645,10 +649,9 @@ static void sm501_2d_operation(SM501State * s)
     int addressing = (s->twoD_stretch >> 16) & 0xF;
 
     /* get frame buffer info */
-#if 0 /* for future use */
     uint8_t * src = s->local_mem + (s->twoD_source_base & 0x03FFFFFF);
-#endif
     uint8_t * dst = s->local_mem + (s->twoD_destination_base & 0x03FFFFFF);
+    int src_width = (s->dc_crt_h_total & 0x00000FFF) + 1;
     int dst_width = (s->dc_crt_h_total & 0x00000FFF) + 1;
 
     if (addressing != 0x0) {
@@ -663,8 +666,36 @@ static void sm501_2d_operation(SM501State * s)
     }
 
     switch (operation) {
-    case 0x01: /* fill rectangle */
+    case 0x00: /* copy area */
+#define COPY_AREA(_bpp, _pixel_type, rtl) {                                 \
+        int y, x, index_d, index_s;                                         \
+        for (y = 0; y < operation_height; y++) {                            \
+            for (x = 0; x < operation_width; x++) {                         \
+                if (rtl) {                                                  \
+                    index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
+                    index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
+                } else {                                                    \
+                    index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
+                    index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
+                }                                                           \
+                *(_pixel_type*)&dst[index_d] = *(_pixel_type*)&src[index_s];\
+            }                                                               \
+        }                                                                   \
+    }
+        switch (format_flags) {
+        case 0:
+            COPY_AREA(1, uint8_t, rtl);
+            break;
+        case 1:
+            COPY_AREA(2, uint16_t, rtl);
+            break;
+        case 2:
+            COPY_AREA(4, uint32_t, rtl);
+            break;
+        }
+        break;
 
+    case 0x01: /* fill rectangle */
 #define FILL_RECT(_bpp, _pixel_type) {                                      \
         int y, x;                                                           \
         for (y = 0; y < operation_height; y++) {                            \
@@ -1072,6 +1103,9 @@ static void sm501_2d_engine_write(void *opaque,
                   addr, value);
 
     switch(addr) {
+    case SM501_2D_SOURCE:
+        s->twoD_source = value;
+        break;
     case SM501_2D_DESTINATION:
         s->twoD_destination = value;
         break;
commit dc9121210eaf34e768901ffc6992dd13062c743a
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Tue Jan 11 14:39:43 2011 -0700

    savevm: Fix no_migrate
    
    The no_migrate save state flag is currently only checked in the
    last phase of migration.  This means that we potentially waste
    a lot of time and bandwidth with the live state handlers before
    we ever check the no_migrate flags.  The error message printed
    when we catch a non-migratable device doesn't get printed for
    a detached migration.  And, no_migrate does nothing to prevent
    an incoming migration to a target that includes a non-migratable
    device.  This attempts to fix all of these.
    
    One notable difference in behavior is that an outgoing migration
    now checks for non-migratable devices before ever connecting to
    the target system.  This means the target will remain listening
    rather than exit from failure.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/migration.c b/migration.c
index e5ba51c..d593b1d 100644
--- a/migration.c
+++ b/migration.c
@@ -88,6 +88,10 @@ int do_migrate(Monitor *mon, const QDict *qdict, QObject **ret_data)
         return -1;
     }
 
+    if (qemu_savevm_state_blocked(mon)) {
+        return -1;
+    }
+
     if (strstart(uri, "tcp:", &p)) {
         s = tcp_start_outgoing_migration(mon, p, max_throttle, detach,
                                          blk, inc);
diff --git a/savevm.c b/savevm.c
index 90aa237..fcd8db4 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1401,19 +1401,13 @@ static int vmstate_load(QEMUFile *f, SaveStateEntry *se, int version_id)
     return vmstate_load_state(f, se->vmsd, se->opaque, version_id);
 }
 
-static int vmstate_save(QEMUFile *f, SaveStateEntry *se)
+static void vmstate_save(QEMUFile *f, SaveStateEntry *se)
 {
-    if (se->no_migrate) {
-        return -1;
-    }
-
     if (!se->vmsd) {         /* Old style */
         se->save_state(f, se->opaque);
-        return 0;
+        return;
     }
     vmstate_save_state(f,se->vmsd, se->opaque);
-
-    return 0;
 }
 
 #define QEMU_VM_FILE_MAGIC           0x5145564d
@@ -1427,6 +1421,20 @@ static int vmstate_save(QEMUFile *f, SaveStateEntry *se)
 #define QEMU_VM_SECTION_FULL         0x04
 #define QEMU_VM_SUBSECTION           0x05
 
+bool qemu_savevm_state_blocked(Monitor *mon)
+{
+    SaveStateEntry *se;
+
+    QTAILQ_FOREACH(se, &savevm_handlers, entry) {
+        if (se->no_migrate) {
+            monitor_printf(mon, "state blocked by non-migratable device '%s'\n",
+                           se->idstr);
+            return true;
+        }
+    }
+    return false;
+}
+
 int qemu_savevm_state_begin(Monitor *mon, QEMUFile *f, int blk_enable,
                             int shared)
 {
@@ -1508,7 +1516,6 @@ int qemu_savevm_state_iterate(Monitor *mon, QEMUFile *f)
 int qemu_savevm_state_complete(Monitor *mon, QEMUFile *f)
 {
     SaveStateEntry *se;
-    int r;
 
     cpu_synchronize_all_states();
 
@@ -1541,11 +1548,7 @@ int qemu_savevm_state_complete(Monitor *mon, QEMUFile *f)
         qemu_put_be32(f, se->instance_id);
         qemu_put_be32(f, se->version_id);
 
-        r = vmstate_save(f, se);
-        if (r < 0) {
-            monitor_printf(mon, "cannot migrate with device '%s'\n", se->idstr);
-            return r;
-        }
+        vmstate_save(f, se);
     }
 
     qemu_put_byte(f, QEMU_VM_EOF);
@@ -1575,6 +1578,11 @@ static int qemu_savevm_state(Monitor *mon, QEMUFile *f)
     saved_vm_running = vm_running;
     vm_stop(0);
 
+    if (qemu_savevm_state_blocked(mon)) {
+        ret = -EINVAL;
+        goto out;
+    }
+
     ret = qemu_savevm_state_begin(mon, f, 0, 0);
     if (ret < 0)
         goto out;
@@ -1692,6 +1700,10 @@ int qemu_loadvm_state(QEMUFile *f)
     unsigned int v;
     int ret;
 
+    if (qemu_savevm_state_blocked(default_mon)) {
+        return -EINVAL;
+    }
+
     v = qemu_get_be32(f);
     if (v != QEMU_VM_FILE_MAGIC)
         return -EINVAL;
diff --git a/sysemu.h b/sysemu.h
index d8fceec..0c969f2 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -75,6 +75,7 @@ void qemu_announce_self(void);
 
 void main_loop_wait(int nonblocking);
 
+bool qemu_savevm_state_blocked(Monitor *mon);
 int qemu_savevm_state_begin(Monitor *mon, QEMUFile *f, int blk_enable,
                             int shared);
 int qemu_savevm_state_iterate(Monitor *mon, QEMUFile *f);
commit 9e8a69cfd6f0fe2585528fc7a85110fc25c05d0b
Merge: 51f9b84... b36e391...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Jan 17 09:49:38 2011 -0600

    Merge remote branch 'mst/for_anthony' into staging

commit 668643b025dcff72b9b18adb5df794be9e9be5dc
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Tue Jan 11 14:20:39 2011 -0200

    acpi_piix4: expose no_hotplug attribute via i/o port
    
    Expose no_hotplug attribute via I/O port, so ACPI BIOS can indicate
    removability status to guest OS.
    
    An updated seabios is required to make use of this feature (seabios.git
    commit ID 3c241edf3d7ef29c21).
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Tested-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 273097d..5bbc2b5 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -37,6 +37,7 @@
 #define GPE_BASE 0xafe0
 #define PCI_BASE 0xae00
 #define PCI_EJ_BASE 0xae08
+#define PCI_RMV_BASE 0xae0c
 
 #define PIIX4_PCI_HOTPLUG_STATUS 2
 
@@ -73,6 +74,7 @@ typedef struct PIIX4PMState {
     /* for pci hotplug */
     struct gpe_regs gpe;
     struct pci_status pci0_status;
+    uint32_t pci0_hotplug_enable;
 } PIIX4PMState;
 
 static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s);
@@ -322,6 +324,25 @@ static const VMStateDescription vmstate_acpi = {
     }
 };
 
+static void piix4_update_hotplug(PIIX4PMState *s)
+{
+    PCIDevice *dev = &s->dev;
+    BusState *bus = qdev_get_parent_bus(&dev->qdev);
+    DeviceState *qdev, *next;
+
+    s->pci0_hotplug_enable = ~0;
+
+    QLIST_FOREACH_SAFE(qdev, &bus->children, sibling, next) {
+        PCIDeviceInfo *info = container_of(qdev->info, PCIDeviceInfo, qdev);
+        PCIDevice *pdev = DO_UPCAST(PCIDevice, qdev, qdev);
+        int slot = PCI_SLOT(pdev->devfn);
+
+        if (info->no_hotplug) {
+            s->pci0_hotplug_enable &= ~(1 << slot);
+        }
+    }
+}
+
 static void piix4_reset(void *opaque)
 {
     PIIX4PMState *s = opaque;
@@ -336,6 +357,7 @@ static void piix4_reset(void *opaque)
         /* Mark SMM as already inited (until KVM supports SMM). */
         pci_conf[0x5B] = 0x02;
     }
+    piix4_update_hotplug(s);
 }
 
 static void piix4_powerdown(void *opaque, int irq, int power_failing)
@@ -576,6 +598,18 @@ static void pciej_write(void *opaque, uint32_t addr, uint32_t val)
     PIIX4_DPRINTF("pciej write %x <== %d\n", addr, val);
 }
 
+static uint32_t pcirmv_read(void *opaque, uint32_t addr)
+{
+    PIIX4PMState *s = opaque;
+
+    return s->pci0_hotplug_enable;
+}
+
+static void pcirmv_write(void *opaque, uint32_t addr, uint32_t val)
+{
+    return;
+}
+
 static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
                                 PCIHotplugState state);
 
@@ -592,6 +626,9 @@ static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
     register_ioport_write(PCI_EJ_BASE, 4, 4, pciej_write, bus);
     register_ioport_read(PCI_EJ_BASE, 4, 4,  pciej_read, bus);
 
+    register_ioport_write(PCI_RMV_BASE, 4, 4, pcirmv_write, s);
+    register_ioport_read(PCI_RMV_BASE, 4, 4,  pcirmv_read, s);
+
     pci_bus_hotplug(bus, piix4_device_hotplug, &s->dev.qdev);
 }
 
commit 9c046d96d4d0d1fef89a30b1491775492082da9d
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Tue Jan 11 14:20:38 2011 -0200

    document QEMU<->ACPIBIOS PCI hotplug interface
    
    Document how QEMU communicates with ACPI BIOS for PCI hotplug.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/docs/specs/acpi_pci_hotplug.txt b/docs/specs/acpi_pci_hotplug.txt
new file mode 100644
index 0000000..f0f74a7
--- /dev/null
+++ b/docs/specs/acpi_pci_hotplug.txt
@@ -0,0 +1,37 @@
+QEMU<->ACPI BIOS PCI hotplug interface
+--------------------------------------
+
+QEMU supports PCI hotplug via ACPI, for PCI bus 0. This document
+describes the interface between QEMU and the ACPI BIOS.
+
+ACPI GPE block (IO ports 0xafe0-0xafe3, byte access):
+-----------------------------------------
+
+Generic ACPI GPE block. Bit 1 (GPE.1) used to notify PCI hotplug/eject
+event to ACPI BIOS, via SCI interrupt.
+
+PCI slot injection notification pending (IO port 0xae00-0xae03, 4-byte access):
+---------------------------------------------------------------
+Slot injection notification pending. One bit per slot.
+
+Read by ACPI BIOS GPE.1 handler to notify OS of injection
+events.
+
+PCI slot removal notification (IO port 0xae04-0xae07, 4-byte access):
+-----------------------------------------------------
+Slot removal notification pending. One bit per slot.
+
+Read by ACPI BIOS GPE.1 handler to notify OS of removal
+events.
+
+PCI device eject (IO port 0xae08-0xae0b, 4-byte access):
+----------------------------------------
+
+Used by ACPI BIOS _EJ0 method to request device removal. One bit per slot.
+Reads return 0.
+
+PCI removability status (IO port 0xae0c-0xae0f, 4-byte access):
+-----------------------------------------------
+
+Used by ACPI BIOS _RMV method to indicate removability status to OS. One
+bit per slot.
commit 51f9b84e759c692575542627dd8d39ae216ac521
Author: Hervé Poussineau <hpoussin at reactos.org>
Date:   Sun Jan 2 19:44:49 2011 +0100

    m48t59: Fix a wrong opaque passed to nvram read and write routines
    
    This fixes boot on PPC prep.
    
    Signed-off-by: Hervé Poussineau <hpoussin at reactos.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/m48t59.c b/hw/m48t59.c
index 6991e2e..2020487 100644
--- a/hw/m48t59.c
+++ b/hw/m48t59.c
@@ -642,6 +642,7 @@ M48t59State *m48t59_init(qemu_irq IRQ, target_phys_addr_t mem_base,
     DeviceState *dev;
     SysBusDevice *s;
     M48t59SysBusState *d;
+    M48t59State *state;
 
     dev = qdev_create(NULL, "m48t59");
     qdev_prop_set_uint32(dev, "type", type);
@@ -649,18 +650,18 @@ M48t59State *m48t59_init(qemu_irq IRQ, target_phys_addr_t mem_base,
     qdev_prop_set_uint32(dev, "io_base", io_base);
     qdev_init_nofail(dev);
     s = sysbus_from_qdev(dev);
+    d = FROM_SYSBUS(M48t59SysBusState, s);
+    state = &d->state;
     sysbus_connect_irq(s, 0, IRQ);
     if (io_base != 0) {
-        register_ioport_read(io_base, 0x04, 1, NVRAM_readb, s);
-        register_ioport_write(io_base, 0x04, 1, NVRAM_writeb, s);
+        register_ioport_read(io_base, 0x04, 1, NVRAM_readb, state);
+        register_ioport_write(io_base, 0x04, 1, NVRAM_writeb, state);
     }
     if (mem_base != 0) {
         sysbus_mmio_map(s, 0, mem_base);
     }
 
-    d = FROM_SYSBUS(M48t59SysBusState, s);
-
-    return &d->state;
+    return state;
 }
 
 M48t59State *m48t59_init_isa(uint32_t io_base, uint16_t size, int type)
commit e2af15b2ad57d3c61b79c8aea0871e3a00264e96
Author: Fabien Chouteau <chouteau at adacore.com>
Date:   Thu Jan 13 12:46:57 2011 +0100

    gdbstub: Close connection in gdb_exit
    
    On Windows, this is required to flush the remaining data in the IO stream,
    otherwise Gdb do not receive the last packet.
    
    Version 2:
       Fix linux-user build error.
    
    Signed-off-by: Fabien Chouteau <chouteau at adacore.com>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/gdbstub.c b/gdbstub.c
index 0aa081b..d6556c9 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -2391,6 +2391,12 @@ void gdb_exit(CPUState *env, int code)
 
   snprintf(buf, sizeof(buf), "W%02x", (uint8_t)code);
   put_packet(s, buf);
+
+#ifndef CONFIG_USER_ONLY
+  if (s->chr) {
+      qemu_chr_close(s->chr);
+  }
+#endif
 }
 
 #ifdef CONFIG_USER_ONLY
commit a8fb7ff3fdd05ffb4cce1ab4d3ff7768a490f2f5
Author: Michael Tokarev <mjt at tls.msk.ru>
Date:   Mon Oct 18 16:55:25 2010 +0400

    USB keyboard emulation key mapping error
    
    The USB keyboard emulation's translation table in hw/usb-hid.c doesn't
    match the codes actually sent for the Logo (a.k.a. "Windows") or Menu
    keys. This results in the guest OS not being able to receive these keys
    at all when the USB keyboard emulation is being used.
    
    In particular, both the keymap in /usr/share/kvm/keymaps/modifiers and
    the evdev table in x_keymap.c map these keys to 0xdb, 0xdc, and 0xdd,
    while usb_hid_usage_keys[] seems to be expecting them to be mapped to
    0x7d, 0x7e, and 0x7f.
    
    The attached patch seems to fix the problem, at least in my (limited)
    testing.
    
    http://bugs.debian.org/578846
    http://bugs.debian.org/600593 (cloned from the above against different pkg)
    https://bugs.launchpad.net/qemu/+bug/584139
    
    Signed-Off-By: Brad Jorsch <anomie at users.sourceforge.net>
    Signed-Off-By: Michael Tokarev <mjt at tls.msk.ru>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 882d933..e8de301 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -399,7 +399,7 @@ static const uint8_t usb_hid_usage_keys[0x100] = {
     0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x4a,
     0x52, 0x4b, 0x00, 0x50, 0x00, 0x4f, 0x00, 0x4d,
     0x51, 0x4e, 0x49, 0x4c, 0x00, 0x00, 0x00, 0x00,
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0xe3, 0xe7, 0x65, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
commit b2d9eda5d473fa7251319a368b0ee72d75218aed
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 13 08:20:39 2011 +0100

    target-sh4: implement negc using TCG
    
    Using setcond it's now possible to generate a relatively short negc
    instruction in TCG.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.h b/target-sh4/helper.h
index 4e595c8..2e52768 100644
--- a/target-sh4/helper.h
+++ b/target-sh4/helper.h
@@ -17,7 +17,6 @@ DEF_HELPER_2(addv, i32, i32, i32)
 DEF_HELPER_2(addc, i32, i32, i32)
 DEF_HELPER_2(subv, i32, i32, i32)
 DEF_HELPER_2(subc, i32, i32, i32)
-DEF_HELPER_1(negc, i32, i32)
 DEF_HELPER_2(div1, i32, i32, i32)
 DEF_HELPER_2(macl, void, i32, i32)
 DEF_HELPER_2(macw, void, i32, i32)
diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index 9d7652f..30f9842 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -379,21 +379,6 @@ void helper_macw(uint32_t arg0, uint32_t arg1)
     }
 }
 
-uint32_t helper_negc(uint32_t arg)
-{
-    uint32_t temp;
-
-    temp = -arg;
-    arg = temp - (env->sr & SR_T);
-    if (0 < temp)
-	env->sr |= SR_T;
-    else
-	env->sr &= ~SR_T;
-    if (temp < arg)
-	env->sr |= SR_T;
-    return arg;
-}
-
 uint32_t helper_subc(uint32_t arg0, uint32_t arg1)
 {
     uint32_t tmp0, tmp1;
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 743d76a..35573be 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -952,7 +952,21 @@ static void _decode_opc(DisasContext * ctx)
 	tcg_gen_neg_i32(REG(B11_8), REG(B7_4));
 	return;
     case 0x600a:		/* negc Rm,Rn */
-	gen_helper_negc(REG(B11_8), REG(B7_4));
+        {
+	    TCGv t0, t1;
+            t0 = tcg_temp_new();
+            tcg_gen_neg_i32(t0, REG(B7_4));
+            t1 = tcg_temp_new();
+            tcg_gen_andi_i32(t1, cpu_sr, SR_T);
+            tcg_gen_sub_i32(REG(B11_8), t0, t1);
+            tcg_gen_andi_i32(cpu_sr, cpu_sr, ~SR_T);
+            tcg_gen_setcond_i32(TCG_COND_GE, t1, REG(B11_8), t0);
+            tcg_gen_or_i32(cpu_sr, cpu_sr, t1);
+            tcg_gen_setcondi_i32(TCG_COND_GE, t1, t0, 0);
+            tcg_gen_or_i32(cpu_sr, cpu_sr, t1);
+            tcg_temp_free(t0);
+            tcg_temp_free(t1);
+        }
 	return;
     case 0x6007:		/* not Rm,Rn */
 	tcg_gen_not_i32(REG(B11_8), REG(B7_4));
commit 2411fde9a41323310d472dd352006989f30049b2
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 13 08:20:39 2011 +0100

    target-sh4: use rotl/rotr when possible
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index c8fffbc..743d76a 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -1690,14 +1690,12 @@ static void _decode_opc(DisasContext * ctx)
 	}
 	return;
     case 0x4004:		/* rotl Rn */
-	gen_copy_bit_i32(cpu_sr, 0, REG(B11_8), 31);
-	tcg_gen_shli_i32(REG(B11_8), REG(B11_8), 1);
-	gen_copy_bit_i32(REG(B11_8), 0, cpu_sr, 0);
+	tcg_gen_rotli_i32(REG(B11_8), REG(B11_8), 1);
+	gen_copy_bit_i32(cpu_sr, 0, REG(B11_8), 0);
 	return;
     case 0x4005:		/* rotr Rn */
 	gen_copy_bit_i32(cpu_sr, 0, REG(B11_8), 0);
-	tcg_gen_shri_i32(REG(B11_8), REG(B11_8), 1);
-	gen_copy_bit_i32(REG(B11_8), 31, cpu_sr, 0);
+	tcg_gen_rotri_i32(REG(B11_8), REG(B11_8), 1);
 	return;
     case 0x4000:		/* shll Rn */
     case 0x4020:		/* shal Rn */
commit 4cd31ad264b11274f199bbd8e96474d8cde60c42
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 16 08:32:27 2011 +0000

    tcg/sparc64: fix segfault
    
    With current OpenBSD, code_gen_buffer was mapped 8GB away from
    text segment. Then any helpers were beyond the 2GB range of call
    instruction genereated by TCG and so the calls would go nowhere,
    leading to a segfault.
    
    Fix by specifying an address for the code_gen_buffer,
    hopefully free and nearby the helpers.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/exec.c b/exec.c
index 49c28b1..e950df2 100644
--- a/exec.c
+++ b/exec.c
@@ -531,6 +531,13 @@ static void code_gen_alloc(unsigned long tb_size)
         /* Cannot map more than that */
         if (code_gen_buffer_size > (800 * 1024 * 1024))
             code_gen_buffer_size = (800 * 1024 * 1024);
+#elif defined(__sparc_v9__)
+        // Map the buffer below 2G, so we can use direct calls and branches
+        flags |= MAP_FIXED;
+        addr = (void *) 0x60000000UL;
+        if (code_gen_buffer_size > (512 * 1024 * 1024)) {
+            code_gen_buffer_size = (512 * 1024 * 1024);
+        }
 #endif
         code_gen_buffer = mmap(addr, code_gen_buffer_size,
                                PROT_WRITE | PROT_READ | PROT_EXEC, 
commit 0c16e71e6a96a91e65c2a2e7b14b86423a21dd94
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sat Jan 15 13:50:38 2011 +0100

    target-sh4: correct use of ! and &
    
    Fix wrong usage of ! and & in MMU related functions. Thanks to Blue
    Swirl for reporting the issue.
    
    Reported-by: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 2343366..45449ea 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -380,7 +380,7 @@ static int get_mmu_address(CPUState * env, target_ulong * physical,
                     MMU_DTLB_VIOLATION_READ;
             } else if ((rw == 1) && !(matching->pr & 1)) {
                 n = MMU_DTLB_VIOLATION_WRITE;
-            } else if ((rw == 1) & !matching->d) {
+            } else if ((rw == 1) && !matching->d) {
                 n = MMU_DTLB_INITIAL_WRITE;
             } else {
                 *prot = PAGE_READ;
@@ -430,7 +430,7 @@ static int get_physical_address(CPUState * env, target_ulong * physical,
     }
 
     /* If MMU is disabled, return the corresponding physical page */
-    if (!env->mmucr & MMUCR_AT) {
+    if (!(env->mmucr & MMUCR_AT)) {
 	*physical = address & 0x1FFFFFFF;
 	*prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 	return MMU_OK;
commit 2d5b50749adeda4e45066290deec19aa8e2322c3
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Jan 15 08:31:00 2011 +0000

    monitor: fix a typo
    
    Fix usage of wrong variable, spotted by clang:
    /src/qemu/monitor.c:2278:36: warning: The left operand of '&' is a garbage value
                            prot = pde & (PG_USER_MASK | PG_RW_MASK |
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/monitor.c b/monitor.c
index f258000..d291158 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2275,8 +2275,8 @@ static void mem_info_64(Monitor *mon, CPUState *env)
                 end = (l1 << 39) + (l2 << 30);
                 if (pdpe & PG_PRESENT_MASK) {
                     if (pdpe & PG_PSE_MASK) {
-                        prot = pde & (PG_USER_MASK | PG_RW_MASK |
-                                      PG_PRESENT_MASK);
+                        prot = pdpe & (PG_USER_MASK | PG_RW_MASK |
+                                       PG_PRESENT_MASK);
                         mem_print(mon, &start, &last_prot, end, prot);
                     } else {
                         pd_addr = pdpe & 0x3fffffffff000ULL;
commit 0601740a5db12ea7ae0f2f7826f0cfb05854500a
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Dec 30 12:04:57 2010 +0000

    make_device_config: Fix non-fatal error message with dash and other shells
    
    ORS=" " adds a blank to the name of the include file.
    Some shells (e.g. dash) don't accept input redirection
    (tr -d '\r' < $f) when $f ends with a blank, so they
    print an error message instead of reading pci.mak.
    This is a non-fatal error because pci.mak does not
    contain an include line. It was introduced by commit
    5d6b423c5cd6f9dfac30959ff1d5c088996719c3.
    
    Using printf avoids adding a blank and is also supported
    by older awk versions (this solution was suggested by
    Paolo Bonzini, thank you).
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Tested-by: Andreas Färber <andreas.faerber at web.de>

diff --git a/make_device_config.sh b/make_device_config.sh
index 596fc5b..5d14885 100644
--- a/make_device_config.sh
+++ b/make_device_config.sh
@@ -18,7 +18,7 @@ process_includes () {
 
 f=$src
 while [ -n "$f" ] ; do
-  f=`tr -d '\r' < $f | awk '/^include / {ORS=" "; print "'$src_dir'/" $2}'`
+  f=`tr -d '\r' < $f | awk '/^include / {printf "'$src_dir'/%s", $2}'`
   [ $? = 0 ] || exit 1
   all_includes="$all_includes $f"
 done
commit 42f5a7e9367c1f2cadea3b5af8cccc2781c442df
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:19 2011 +0100

    MAINTAINERS: add entries for TCG
    
    The MAINTAINERS file was lacking entries concerning the TCG code, add
    them based on the git history.
    
    For the common TCG code, is probably better to keep qemu-devel at non-gnu.org
    as this code can break easily, so it's better to get it reviewed by a few
    persons.
    
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/MAINTAINERS b/MAINTAINERS
index 3f15b21..98db322 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -426,3 +426,56 @@ Linux user
 M: Riku Voipio <riku.voipio at iki.fi>
 S: Maintained
 F: linux-user/
+
+Tiny Code Generator (TCG)
+-------------------------
+Common code
+M: qemu-devel at nongnu.org
+S: Maintained
+F: tcg/
+
+ARM target
+M: Andrzej Zaborowski <balrogg at gmail.com>
+S: Maintained
+F: tcg/arm/
+
+HPPA target
+M: Richard Henderson <rth at twiddle.net>
+S: Maintained
+F: tcg/hppa/
+
+i386 target
+M: qemu-devel at nongnu.org
+S: Maintained
+F: tcg/i386/
+
+IA64 target
+M: Aurelien Jarno <aurelien at aurel32.net>
+S: Maintained
+F: tcg/ia64/
+
+MIPS target
+M: Aurelien Jarno <aurelien at aurel32.ne>
+S: Maintained
+F: tcg/mips/
+
+PPC
+M: Vassili Karpov (malc) <av1474 at comtv.ru>
+S: Maintained
+F: tcg/ppc/
+
+PPC64 target
+M: Vassili Karpov (malc) <av1474 at comtv.ru>
+S: Maintained
+F: tcg/ppc64/
+
+S390 target
+M: Alexander Graf <agraf at suse.de>
+M: Richard Henderson <rth at twiddle.net>
+S: Maintained
+F: tcg/s390/
+
+SPARC target
+M: Blue Swirl <blauwirbel at gmail.com>
+S: Maintained
+F: tcg/sparc/
commit ddb13561ac49e1cf496fab61cf18a4a60b32d3a5
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:19 2011 +0100

    MAINTAINERS: Change MIPS and SH4 maintainers
    
    Since nobody else seems interested in maintaining MIPS and SH4 targets,
    and as I have done most of the recent code changes, let officialize
    that.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/MAINTAINERS b/MAINTAINERS
index 98af4ab..3f15b21 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -81,8 +81,8 @@ S: Maintained
 F: target-microblaze/
 
 MIPS
-M: qemu-devel at nongnu.org
-S: Orphan
+M: Aurelien Jarno <aurelien at aurel32.net>
+S: Maintained
 F: target-mips/
 
 PowerPC
@@ -96,8 +96,8 @@ S: Maintained
 F: target-s390x/
 
 SH4
-M: qemu-devel at nongnu.org
-S: Orphan
+M: Aurelien Jarno <aurelien at aurel32.net>
+S: Maintained
 F: target-sh4/
 
 SPARC
commit afcacd536e1c12d357520302e1bb7add115918e5
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:19 2011 +0100

    MAINTAINERS: fix typos
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/MAINTAINERS b/MAINTAINERS
index 59effc7..98af4ab 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -202,7 +202,7 @@ M: Edgar E. Iglesias <edgar.iglesias at gmail.com>
 S: Maintained
 F: hw/etraxfs.c
 
-M86K Machines
+M68K Machines
 -------------
 an5206
 M: Paul Brook <paul at codesourcery.com>
@@ -279,7 +279,7 @@ F: hw/r2d.c
 
 Shix
 M: Magnus Damm <magnus.damm at gmail.com>
-S: Oprhan
+S: Orphan
 F: hw/shix.c
 
 SPARC Machines
commit e12ce78d4aa05ccf80d6a843a9227042647db39d
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Restore IT bits when resuming after an exception
    
    We were not correctly restoring the IT bits when resuming execution
    after taking an unexpected exception in the middle of an IT block.
    Fix this by tracking them along with PC changes and restoring in
    gen_pc_load().
    
    This fixes bug https://bugs.launchpad.net/qemu/+bug/581335
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 946f767..907d73a 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -64,6 +64,8 @@ typedef struct DisasContext {
     int vec_stride;
 } DisasContext;
 
+static uint32_t gen_opc_condexec_bits[OPC_BUF_SIZE];
+
 #if defined(CONFIG_USER_ONLY)
 #define IS_USER(s) 1
 #else
@@ -9109,6 +9111,38 @@ static inline void gen_intermediate_code_internal(CPUState *env,
         max_insns = CF_COUNT_MASK;
 
     gen_icount_start();
+
+    /* A note on handling of the condexec (IT) bits:
+     *
+     * We want to avoid the overhead of having to write the updated condexec
+     * bits back to the CPUState for every instruction in an IT block. So:
+     * (1) if the condexec bits are not already zero then we write
+     * zero back into the CPUState now. This avoids complications trying
+     * to do it at the end of the block. (For example if we don't do this
+     * it's hard to identify whether we can safely skip writing condexec
+     * at the end of the TB, which we definitely want to do for the case
+     * where a TB doesn't do anything with the IT state at all.)
+     * (2) if we are going to leave the TB then we call gen_set_condexec()
+     * which will write the correct value into CPUState if zero is wrong.
+     * This is done both for leaving the TB at the end, and for leaving
+     * it because of an exception we know will happen, which is done in
+     * gen_exception_insn(). The latter is necessary because we need to
+     * leave the TB with the PC/IT state just prior to execution of the
+     * instruction which caused the exception.
+     * (3) if we leave the TB unexpectedly (eg a data abort on a load)
+     * then the CPUState will be wrong and we need to reset it.
+     * This is handled in the same way as restoration of the
+     * PC in these situations: we will be called again with search_pc=1
+     * and generate a mapping of the condexec bits for each PC in
+     * gen_opc_condexec_bits[]. gen_pc_load[] then uses this to restore
+     * the condexec bits.
+     *
+     * Note that there are no instructions which can read the condexec
+     * bits, and none which can write non-static values to them, so
+     * we don't need to care about whether CPUState is correct in the
+     * middle of a TB.
+     */
+
     /* Reset the conditional execution bits immediately. This avoids
        complications trying to do it at the end of the block.  */
     if (dc->condexec_mask || dc->condexec_cond)
@@ -9157,6 +9191,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
                     gen_opc_instr_start[lj++] = 0;
             }
             gen_opc_pc[lj] = dc->pc;
+            gen_opc_condexec_bits[lj] = (dc->condexec_cond << 4) | (dc->condexec_mask >> 1);
             gen_opc_instr_start[lj] = 1;
             gen_opc_icount[lj] = num_insns;
         }
@@ -9364,4 +9399,5 @@ void gen_pc_load(CPUState *env, TranslationBlock *tb,
                 unsigned long searched_pc, int pc_pos, void *puc)
 {
     env->regs[15] = gen_opc_pc[pc_pos];
+    env->condexec_bits = gen_opc_condexec_bits[pc_pos];
 }
commit 964413d9d96ab81ee6bf81b176c767342aa90db9
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    linux-user: ARM: clear the IT bits when invoking a signal handler
    
    When invoking a signal handler for an ARM target, make sure the IT
    bits in the CPSR are cleared. (This would otherwise cause incorrect
    execution if the IT state was non-zero when an exception occured.
    This bug has been masked previously because we weren't getting the
    IT state bits at exception entry right anyway.)
    
    Also use the proper cpsr_read()/cpsr_write() interface to update
    the CPSR rather than manipulating CPUState fields directly.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index c846b8c..0664770 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1256,6 +1256,14 @@ setup_return(CPUState *env, struct target_sigaction *ka,
 	abi_ulong handler = ka->_sa_handler;
 	abi_ulong retcode;
 	int thumb = handler & 1;
+	uint32_t cpsr = cpsr_read(env);
+
+	cpsr &= ~CPSR_IT;
+	if (thumb) {
+		cpsr |= CPSR_T;
+	} else {
+		cpsr &= ~CPSR_T;
+	}
 
 	if (ka->sa_flags & TARGET_SA_RESTORER) {
 		retcode = ka->sa_restorer;
@@ -1278,13 +1286,7 @@ setup_return(CPUState *env, struct target_sigaction *ka,
 	env->regs[13] = frame_addr;
 	env->regs[14] = retcode;
 	env->regs[15] = handler & (thumb ? ~1 : ~3);
-	env->thumb = thumb;
-
-#if 0
-#ifdef TARGET_CONFIG_CPU_32
-	env->cpsr = cpsr;
-#endif
-#endif
+	cpsr_write(env, cpsr, 0xffffffff);
 
 	return 0;
 }
commit bc4a0de0a2c891b8daba4806baf9f11436f5f562
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Refactor translation of exception generating instructions
    
    Create a new function which does the common sequence of gen_set_condexec,
    gen_set_pc_im, gen_exception, set is_jmp to DISAS_JUMP.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 74b9657..946f767 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -3485,6 +3485,14 @@ gen_set_condexec (DisasContext *s)
     }
 }
 
+static void gen_exception_insn(DisasContext *s, int offset, int excp)
+{
+    gen_set_condexec(s);
+    gen_set_pc_im(s->pc - offset);
+    gen_exception(excp);
+    s->is_jmp = DISAS_JUMP;
+}
+
 static void gen_nop_hint(DisasContext *s, int val)
 {
     switch (val) {
@@ -5976,10 +5984,7 @@ static void gen_store_exclusive(DisasContext *s, int rd, int rt, int rt2,
     tcg_gen_mov_i32(cpu_exclusive_test, addr);
     tcg_gen_movi_i32(cpu_exclusive_info,
                      size | (rd << 4) | (rt << 8) | (rt2 << 12));
-    gen_set_condexec(s);
-    gen_set_pc_im(s->pc - 4);
-    gen_exception(EXCP_STREX);
-    s->is_jmp = DISAS_JUMP;
+    gen_exception_insn(s, 4, EXCP_STREX);
 }
 #else
 static void gen_store_exclusive(DisasContext *s, int rd, int rt, int rt2,
@@ -6376,10 +6381,7 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                 goto illegal_op;
             }
             /* bkpt */
-            gen_set_condexec(s);
-            gen_set_pc_im(s->pc - 4);
-            gen_exception(EXCP_BKPT);
-            s->is_jmp = DISAS_JUMP;
+            gen_exception_insn(s, 4, EXCP_BKPT);
             break;
         case 0x8: /* signed multiply */
         case 0xa:
@@ -7278,10 +7280,7 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
             break;
         default:
         illegal_op:
-            gen_set_condexec(s);
-            gen_set_pc_im(s->pc - 4);
-            gen_exception(EXCP_UDEF);
-            s->is_jmp = DISAS_JUMP;
+            gen_exception_insn(s, 4, EXCP_UDEF);
             break;
         }
     }
@@ -8927,10 +8926,7 @@ static void disas_thumb_insn(CPUState *env, DisasContext *s)
             break;
 
         case 0xe: /* bkpt */
-            gen_set_condexec(s);
-            gen_set_pc_im(s->pc - 2);
-            gen_exception(EXCP_BKPT);
-            s->is_jmp = DISAS_JUMP;
+            gen_exception_insn(s, 2, EXCP_BKPT);
             break;
 
         case 0xa: /* rev */
@@ -9052,17 +9048,11 @@ static void disas_thumb_insn(CPUState *env, DisasContext *s)
     }
     return;
 undef32:
-    gen_set_condexec(s);
-    gen_set_pc_im(s->pc - 4);
-    gen_exception(EXCP_UDEF);
-    s->is_jmp = DISAS_JUMP;
+    gen_exception_insn(s, 4, EXCP_UDEF);
     return;
 illegal_op:
 undef:
-    gen_set_condexec(s);
-    gen_set_pc_im(s->pc - 2);
-    gen_exception(EXCP_UDEF);
-    s->is_jmp = DISAS_JUMP;
+    gen_exception_insn(s, 2, EXCP_UDEF);
 }
 
 /* generate intermediate code in gen_opc_buf and gen_opparam_buf for
@@ -9150,10 +9140,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
         if (unlikely(!QTAILQ_EMPTY(&env->breakpoints))) {
             QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
                 if (bp->pc == dc->pc) {
-                    gen_set_condexec(dc);
-                    gen_set_pc_im(dc->pc);
-                    gen_exception(EXCP_DEBUG);
-                    dc->is_jmp = DISAS_JUMP;
+                    gen_exception_insn(dc, 0, EXCP_DEBUG);
                     /* Advance PC so that clearing the breakpoint will
                        invalidate this TB.  */
                     dc->pc += 2;
commit 5de3a9d3b72a9aebc126caee95fe515a900130bf
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Remove redundant setting of IT bits before Thumb SWI
    
    Remove a redundant call to gen_set_condexec() in the translation of Thumb
    mode SWI. (SWI and WFI generate "exceptions" which happen after the
    execution of the instruction, ie when PC and IT bits have updated.
    So the condexec bits at this point are not correct. However, the code
    that handles finishing the translation of the TB will write the correct
    value of the condexec bits later, so the only effect was that a conditional
    Thumb SWI would generate slightly worse code than necessary.)
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 10bd545..74b9657 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -9016,7 +9016,6 @@ static void disas_thumb_insn(CPUState *env, DisasContext *s)
 
         if (cond == 0xf) {
             /* swi */
-            gen_set_condexec(s);
             gen_set_pc_im(s->pc);
             s->is_jmp = DISAS_SWI;
             break;
commit 61f74d6a290d606504e4fbd6a94cbee3ce277533
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Translate with user-state from TB flags, not CPUState
    
    When translating, get the user/priv state from the TB flags, not
    the CPUState.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 0e28ffd..10bd545 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -9099,11 +9099,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
     dc->condexec_mask = (ARM_TBFLAG_CONDEXEC(tb->flags) & 0xf) << 1;
     dc->condexec_cond = ARM_TBFLAG_CONDEXEC(tb->flags) >> 4;
 #if !defined(CONFIG_USER_ONLY)
-    if (IS_M(env)) {
-        dc->user = ((env->v7m.exception == 0) && (env->v7m.control & 1));
-    } else {
-        dc->user = (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_USR;
-    }
+    dc->user = (ARM_TBFLAG_PRIV(tb->flags) == 0);
 #endif
     dc->vfp_enabled = ARM_TBFLAG_VFPEN(tb->flags);
     dc->vec_len = ARM_TBFLAG_VECLEN(tb->flags);
commit 05ed9a991987fd2f117914f9b0f7157553837d1b
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Set privileged bit in TB flags correctly for M profile
    
    M profile ARM cores don't have a CPSR mode field. Set the bit in the
    TB flags that indicates non-user mode correctly for these cores.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 07b92d6..5bcd53a 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -485,13 +485,19 @@ static inline void cpu_clone_regs(CPUState *env, target_ulong newsp)
 static inline void cpu_get_tb_cpu_state(CPUState *env, target_ulong *pc,
                                         target_ulong *cs_base, int *flags)
 {
+    int privmode;
     *pc = env->regs[15];
     *cs_base = 0;
     *flags = (env->thumb << ARM_TBFLAG_THUMB_SHIFT)
         | (env->vfp.vec_len << ARM_TBFLAG_VECLEN_SHIFT)
         | (env->vfp.vec_stride << ARM_TBFLAG_VECSTRIDE_SHIFT)
         | (env->condexec_bits << ARM_TBFLAG_CONDEXEC_SHIFT);
-    if ((env->uncached_cpsr & CPSR_M) != ARM_CPU_MODE_USR) {
+    if (arm_feature(env, ARM_FEATURE_M)) {
+        privmode = !((env->v7m.exception == 0) && (env->v7m.control & 1));
+    } else {
+        privmode = (env->uncached_cpsr & CPSR_M) != ARM_CPU_MODE_USR;
+    }
+    if (privmode) {
         *flags |= ARM_TBFLAG_PRIV_MASK;
     }
     if (env->vfp.xregs[ARM_VFP_FPEXC] & (1 << 30)) {
commit 98eac7cab4392ab28fa22265e27906f5b9c6c9da
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Translate with condexec bits from TB flags, not CPUState
    
    When translating, the condexec bits for the TB are in the TB flags;
    the CPUState condexec bits may be different.
    
    This patch fixes https://bugs.launchpad.net/bugs/604872 where we might
    segfault if we took an exception in the middle of a TB with an IT
    block, because when we came to retranslate in cpu_restore_state()
    the CPUState condexec bits would have advanced compared to the start
    of the TB and we would generate different (wrong) code.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 45f8e3e..0e28ffd 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -9096,8 +9096,8 @@ static inline void gen_intermediate_code_internal(CPUState *env,
     dc->singlestep_enabled = env->singlestep_enabled;
     dc->condjmp = 0;
     dc->thumb = ARM_TBFLAG_THUMB(tb->flags);
-    dc->condexec_mask = (env->condexec_bits & 0xf) << 1;
-    dc->condexec_cond = env->condexec_bits >> 4;
+    dc->condexec_mask = (ARM_TBFLAG_CONDEXEC(tb->flags) & 0xf) << 1;
+    dc->condexec_cond = ARM_TBFLAG_CONDEXEC(tb->flags) >> 4;
 #if !defined(CONFIG_USER_ONLY)
     if (IS_M(env)) {
         dc->user = ((env->v7m.exception == 0) && (env->v7m.control & 1));
@@ -9126,7 +9126,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
     gen_icount_start();
     /* Reset the conditional execution bits immediately. This avoids
        complications trying to do it at the end of the block.  */
-    if (env->condexec_bits)
+    if (dc->condexec_mask || dc->condexec_cond)
       {
         TCGv tmp = new_tmp();
         tcg_gen_movi_i32(tmp, 0);
commit 7204ab889f1cf5b09026af22185525edbee07a97
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Translate with Thumb state from TB flags, not CPUState
    
    The Thumb/ARM state for the TB being translated should come from
    the TB flags, not the CPUState.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index e15d10b..45f8e3e 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -9095,7 +9095,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
     dc->pc = pc_start;
     dc->singlestep_enabled = env->singlestep_enabled;
     dc->condjmp = 0;
-    dc->thumb = env->thumb;
+    dc->thumb = ARM_TBFLAG_THUMB(tb->flags);
     dc->condexec_mask = (env->condexec_bits & 0xf) << 1;
     dc->condexec_cond = env->condexec_bits >> 4;
 #if !defined(CONFIG_USER_ONLY)
@@ -9182,7 +9182,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
         if (num_insns + 1 == max_insns && (tb->cflags & CF_LAST_IO))
             gen_io_start();
 
-        if (env->thumb) {
+        if (dc->thumb) {
             disas_thumb_insn(env, dc);
             if (dc->condexec_mask) {
                 dc->condexec_cond = (dc->condexec_cond & 0xe)
@@ -9296,7 +9296,7 @@ done_generating:
     if (qemu_loglevel_mask(CPU_LOG_TB_IN_ASM)) {
         qemu_log("----------------\n");
         qemu_log("IN: %s\n", lookup_symbol(pc_start));
-        log_target_disas(pc_start, dc->pc - pc_start, env->thumb);
+        log_target_disas(pc_start, dc->pc - pc_start, dc->thumb);
         qemu_log("\n");
     }
 #endif
commit 69d1fc221a0bcd6a9a17e79ab933ab7525f15973
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Translate with VFP len/stride from TB flags, not CPUState
    
    When translating, the VFP vector length and stride for this TB are encoded
    in the TB flags; the CPUState copies may be different and must not be used.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index f8e3616..e15d10b 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -60,6 +60,8 @@ typedef struct DisasContext {
     int user;
 #endif
     int vfp_enabled;
+    int vec_len;
+    int vec_stride;
 } DisasContext;
 
 #if defined(CONFIG_USER_ONLY)
@@ -2895,7 +2897,7 @@ static int disas_vfp_insn(CPUState * env, DisasContext *s, uint32_t insn)
                 rm = VFP_SREG_M(insn);
             }
 
-            veclen = env->vfp.vec_len;
+            veclen = s->vec_len;
             if (op == 15 && rn > 3)
                 veclen = 0;
 
@@ -2916,9 +2918,9 @@ static int disas_vfp_insn(CPUState * env, DisasContext *s, uint32_t insn)
                     veclen = 0;
                 } else {
                     if (dp)
-                        delta_d = (env->vfp.vec_stride >> 1) + 1;
+                        delta_d = (s->vec_stride >> 1) + 1;
                     else
-                        delta_d = env->vfp.vec_stride + 1;
+                        delta_d = s->vec_stride + 1;
 
                     if ((rm & bank_mask) == 0) {
                         /* mixed scalar/vector */
@@ -9104,6 +9106,8 @@ static inline void gen_intermediate_code_internal(CPUState *env,
     }
 #endif
     dc->vfp_enabled = ARM_TBFLAG_VFPEN(tb->flags);
+    dc->vec_len = ARM_TBFLAG_VECLEN(tb->flags);
+    dc->vec_stride = ARM_TBFLAG_VECSTRIDE(tb->flags);
     cpu_F0s = tcg_temp_new_i32();
     cpu_F1s = tcg_temp_new_i32();
     cpu_F0d = tcg_temp_new_i64();
commit 5df8bac1d3ea43b7f55ffab07cbc6d81a37d82ab
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:19 2011 +0100

    target-arm: Translate with VFP-enabled from TB flags, not CPUState
    
    When translating code, whether the VFP unit is enabled for this TB
    is stored in a bit in the TB flags. Use this rather than incorrectly
    reading the FPEXC from the CPUState passed to translation.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index ee19d76..f8e3616 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -59,6 +59,7 @@ typedef struct DisasContext {
 #if !defined(CONFIG_USER_ONLY)
     int user;
 #endif
+    int vfp_enabled;
 } DisasContext;
 
 #if defined(CONFIG_USER_ONLY)
@@ -2603,12 +2604,6 @@ static void gen_vfp_msr(TCGv tmp)
     dead_tmp(tmp);
 }
 
-static inline int
-vfp_enabled(CPUState * env)
-{
-    return ((env->vfp.xregs[ARM_VFP_FPEXC] & (1 << 30)) != 0);
-}
-
 static void gen_neon_dup_u8(TCGv var, int shift)
 {
     TCGv tmp = new_tmp();
@@ -2653,7 +2648,7 @@ static int disas_vfp_insn(CPUState * env, DisasContext *s, uint32_t insn)
     if (!arm_feature(env, ARM_FEATURE_VFP))
         return 1;
 
-    if (!vfp_enabled(env)) {
+    if (!s->vfp_enabled) {
         /* VFP disabled.  Only allow fmxr/fmrx to/from some control regs.  */
         if ((insn & 0x0fe00fff) != 0x0ee00a10)
             return 1;
@@ -3804,7 +3799,7 @@ static int disas_neon_ls_insn(CPUState * env, DisasContext *s, uint32_t insn)
     TCGv tmp2;
     TCGv_i64 tmp64;
 
-    if (!vfp_enabled(env))
+    if (!s->vfp_enabled)
       return 1;
     VFP_DREG_D(rd, insn);
     rn = (insn >> 16) & 0xf;
@@ -4199,7 +4194,7 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
     TCGv tmp, tmp2, tmp3, tmp4, tmp5;
     TCGv_i64 tmp64;
 
-    if (!vfp_enabled(env))
+    if (!s->vfp_enabled)
       return 1;
     q = (insn & (1 << 6)) != 0;
     u = (insn >> 24) & 1;
@@ -9108,6 +9103,7 @@ static inline void gen_intermediate_code_internal(CPUState *env,
         dc->user = (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_USR;
     }
 #endif
+    dc->vfp_enabled = ARM_TBFLAG_VFPEN(tb->flags);
     cpu_F0s = tcg_temp_new_i32();
     cpu_F1s = tcg_temp_new_i32();
     cpu_F0d = tcg_temp_new_i64();
commit a170576856fedfcdd7d8602cb5650a33d13d38f5
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-arm: Add symbolic constants for bitfields in TB flags
    
    Add symbolic constants for the bitfields we use in the TB flags.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index e501cf5..07b92d6 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -453,17 +453,50 @@ static inline void cpu_clone_regs(CPUState *env, target_ulong newsp)
 
 #include "cpu-all.h"
 
+/* Bit usage in the TB flags field: */
+#define ARM_TBFLAG_THUMB_SHIFT      0
+#define ARM_TBFLAG_THUMB_MASK       (1 << ARM_TBFLAG_THUMB_SHIFT)
+#define ARM_TBFLAG_VECLEN_SHIFT     1
+#define ARM_TBFLAG_VECLEN_MASK      (0x7 << ARM_TBFLAG_VECLEN_SHIFT)
+#define ARM_TBFLAG_VECSTRIDE_SHIFT  4
+#define ARM_TBFLAG_VECSTRIDE_MASK   (0x3 << ARM_TBFLAG_VECSTRIDE_SHIFT)
+#define ARM_TBFLAG_PRIV_SHIFT       6
+#define ARM_TBFLAG_PRIV_MASK        (1 << ARM_TBFLAG_PRIV_SHIFT)
+#define ARM_TBFLAG_VFPEN_SHIFT      7
+#define ARM_TBFLAG_VFPEN_MASK       (1 << ARM_TBFLAG_VFPEN_SHIFT)
+#define ARM_TBFLAG_CONDEXEC_SHIFT   8
+#define ARM_TBFLAG_CONDEXEC_MASK    (0xff << ARM_TBFLAG_CONDEXEC_SHIFT)
+/* Bits 31..16 are currently unused. */
+
+/* some convenience accessor macros */
+#define ARM_TBFLAG_THUMB(F) \
+    (((F) & ARM_TBFLAG_THUMB_MASK) >> ARM_TBFLAG_THUMB_SHIFT)
+#define ARM_TBFLAG_VECLEN(F) \
+    (((F) & ARM_TBFLAG_VECLEN_MASK) >> ARM_TBFLAG_VECLEN_SHIFT)
+#define ARM_TBFLAG_VECSTRIDE(F) \
+    (((F) & ARM_TBFLAG_VECSTRIDE_MASK) >> ARM_TBFLAG_VECSTRIDE_SHIFT)
+#define ARM_TBFLAG_PRIV(F) \
+    (((F) & ARM_TBFLAG_PRIV_MASK) >> ARM_TBFLAG_PRIV_SHIFT)
+#define ARM_TBFLAG_VFPEN(F) \
+    (((F) & ARM_TBFLAG_VFPEN_MASK) >> ARM_TBFLAG_VFPEN_SHIFT)
+#define ARM_TBFLAG_CONDEXEC(F) \
+    (((F) & ARM_TBFLAG_CONDEXEC_MASK) >> ARM_TBFLAG_CONDEXEC_SHIFT)
+
 static inline void cpu_get_tb_cpu_state(CPUState *env, target_ulong *pc,
                                         target_ulong *cs_base, int *flags)
 {
     *pc = env->regs[15];
     *cs_base = 0;
-    *flags = env->thumb | (env->vfp.vec_len << 1)
-            | (env->vfp.vec_stride << 4) | (env->condexec_bits << 8);
-    if ((env->uncached_cpsr & CPSR_M) != ARM_CPU_MODE_USR)
-        *flags |= (1 << 6);
-    if (env->vfp.xregs[ARM_VFP_FPEXC] & (1 << 30))
-        *flags |= (1 << 7);
+    *flags = (env->thumb << ARM_TBFLAG_THUMB_SHIFT)
+        | (env->vfp.vec_len << ARM_TBFLAG_VECLEN_SHIFT)
+        | (env->vfp.vec_stride << ARM_TBFLAG_VECSTRIDE_SHIFT)
+        | (env->condexec_bits << ARM_TBFLAG_CONDEXEC_SHIFT);
+    if ((env->uncached_cpsr & CPSR_M) != ARM_CPU_MODE_USR) {
+        *flags |= ARM_TBFLAG_PRIV_MASK;
+    }
+    if (env->vfp.xregs[ARM_VFP_FPEXC] & (1 << 30)) {
+        *flags |= ARM_TBFLAG_VFPEN_MASK;
+    }
 }
 
 #endif
commit 39ea3d4eaf1ff300ee55946108394729bc053dfa
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-arm: Don't generate code specific to current CPU mode for SRS
    
    When translating the SRS instruction, handle the "store registers
    to stack of current mode" case in the helper function rather than
    inline. This means the generated code does not make assumptions
    about the current CPU mode which might not be valid when the TB
    is executed later.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 8186500..b562767 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1849,12 +1849,20 @@ bad_reg:
 
 void HELPER(set_r13_banked)(CPUState *env, uint32_t mode, uint32_t val)
 {
-    env->banked_r13[bank_number(mode)] = val;
+    if ((env->uncached_cpsr & CPSR_M) == mode) {
+        env->regs[13] = val;
+    } else {
+        env->banked_r13[bank_number(mode)] = val;
+    }
 }
 
 uint32_t HELPER(get_r13_banked)(CPUState *env, uint32_t mode)
 {
-    return env->banked_r13[bank_number(mode)];
+    if ((env->uncached_cpsr & CPSR_M) == mode) {
+        return env->regs[13];
+    } else {
+        return env->banked_r13[bank_number(mode)];
+    }
 }
 
 uint32_t HELPER(v7m_mrs)(CPUState *env, uint32_t reg)
diff --git a/target-arm/translate.c b/target-arm/translate.c
index 57664bc..ee19d76 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -6122,14 +6122,10 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                 goto illegal_op;
             ARCH(6);
             op1 = (insn & 0x1f);
-            if (op1 == (env->uncached_cpsr & CPSR_M)) {
-                addr = load_reg(s, 13);
-            } else {
-                addr = new_tmp();
-                tmp = tcg_const_i32(op1);
-                gen_helper_get_r13_banked(addr, cpu_env, tmp);
-                tcg_temp_free_i32(tmp);
-            }
+            addr = new_tmp();
+            tmp = tcg_const_i32(op1);
+            gen_helper_get_r13_banked(addr, cpu_env, tmp);
+            tcg_temp_free_i32(tmp);
             i = (insn >> 23) & 3;
             switch (i) {
             case 0: offset = -4; break; /* DA */
@@ -6156,14 +6152,10 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                 }
                 if (offset)
                     tcg_gen_addi_i32(addr, addr, offset);
-                if (op1 == (env->uncached_cpsr & CPSR_M)) {
-                    store_reg(s, 13, addr);
-                } else {
-                    tmp = tcg_const_i32(op1);
-                    gen_helper_set_r13_banked(cpu_env, tmp, addr);
-                    tcg_temp_free_i32(tmp);
-                    dead_tmp(addr);
-                }
+                tmp = tcg_const_i32(op1);
+                gen_helper_set_r13_banked(cpu_env, tmp, addr);
+                tcg_temp_free_i32(tmp);
+                dead_tmp(addr);
             } else {
                 dead_tmp(addr);
             }
@@ -7575,14 +7567,10 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                 } else {
                     /* srs */
                     op = (insn & 0x1f);
-                    if (op == (env->uncached_cpsr & CPSR_M)) {
-                        addr = load_reg(s, 13);
-                    } else {
-                        addr = new_tmp();
-                        tmp = tcg_const_i32(op);
-                        gen_helper_get_r13_banked(addr, cpu_env, tmp);
-                        tcg_temp_free_i32(tmp);
-                    }
+                    addr = new_tmp();
+                    tmp = tcg_const_i32(op);
+                    gen_helper_get_r13_banked(addr, cpu_env, tmp);
+                    tcg_temp_free_i32(tmp);
                     if ((insn & (1 << 24)) == 0) {
                         tcg_gen_addi_i32(addr, addr, -8);
                     }
@@ -7598,13 +7586,9 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                         } else {
                             tcg_gen_addi_i32(addr, addr, 4);
                         }
-                        if (op == (env->uncached_cpsr & CPSR_M)) {
-                            store_reg(s, 13, addr);
-                        } else {
-                            tmp = tcg_const_i32(op);
-                            gen_helper_set_r13_banked(cpu_env, tmp, addr);
-                            tcg_temp_free_i32(tmp);
-                        }
+                        tmp = tcg_const_i32(op);
+                        gen_helper_set_r13_banked(cpu_env, tmp, addr);
+                        tcg_temp_free_i32(tmp);
                     } else {
                         dead_tmp(addr);
                     }
commit 718269667ab60c878940ab7a4e3e0ef1e984d784
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-arm: Use the standard FPSCR value for VRSQRTS
    
    VSQRTS always uses the standard FPSCR value as it is a Neon instruction.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index d779055..8186500 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2616,7 +2616,7 @@ float32 HELPER(recps_f32)(float32 a, float32 b, CPUState *env)
 
 float32 HELPER(rsqrts_f32)(float32 a, float32 b, CPUState *env)
 {
-    float_status *s = &env->vfp.fp_status;
+    float_status *s = &env->vfp.standard_fp_status;
     float32 two = int32_to_float32(2, s);
     float32 three = int32_to_float32(3, s);
     float32 product;
commit 3a492f3a606642879637d50777444d82440c9f5c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-arm: Add support for 'Standard FPSCR Value' as used by Neon
    
    Add support to the ARM helper routines for a second fp_status value
    which should be used for operations which the ARM ARM indicates use
    "ARM standard floating-point arithmetic" rather than being controlled
    by the rounding/flush/NaN settings in the FPSCR.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 340933e..e501cf5 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -173,7 +173,20 @@ typedef struct CPUARMState {
         /* scratch space when Tn are not sufficient.  */
         uint32_t scratch[8];
 
+        /* fp_status is the "normal" fp status. standard_fp_status retains
+         * values corresponding to the ARM "Standard FPSCR Value", ie
+         * default-NaN, flush-to-zero, round-to-nearest and is used by
+         * any operations (generally Neon) which the architecture defines
+         * as controlled by the standard FPSCR value rather than the FPSCR.
+         *
+         * To avoid having to transfer exception bits around, we simply
+         * say that the FPSCR cumulative exception flags are the logical
+         * OR of the flags in the two fp statuses. This relies on the
+         * only thing which needs to read the exception flags being
+         * an explicit FPSCR read.
+         */
         float_status fp_status;
+        float_status standard_fp_status;
     } vfp;
     uint32_t exclusive_addr;
     uint32_t exclusive_val;
diff --git a/target-arm/helper.c b/target-arm/helper.c
index ac47de0..d779055 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -237,6 +237,9 @@ void cpu_reset(CPUARMState *env)
     env->vfp.xregs[ARM_VFP_FPEXC] = 0;
     env->cp15.c2_base_mask = 0xffffc000u;
 #endif
+    set_flush_to_zero(1, &env->vfp.standard_fp_status);
+    set_flush_inputs_to_zero(1, &env->vfp.standard_fp_status);
+    set_default_nan_mode(1, &env->vfp.standard_fp_status);
     tlb_flush(env, 1);
 }
 
@@ -2256,6 +2259,7 @@ uint32_t HELPER(vfp_get_fpscr)(CPUState *env)
             | (env->vfp.vec_len << 16)
             | (env->vfp.vec_stride << 20);
     i = get_float_exception_flags(&env->vfp.fp_status);
+    i |= get_float_exception_flags(&env->vfp.standard_fp_status);
     fpscr |= vfp_exceptbits_from_host(i);
     return fpscr;
 }
@@ -2323,6 +2327,7 @@ void HELPER(vfp_set_fpscr)(CPUState *env, uint32_t val)
 
     i = vfp_exceptbits_to_host(val);
     set_float_exception_flags(i, &env->vfp.fp_status);
+    set_float_exception_flags(0, &env->vfp.standard_fp_status);
 }
 
 void vfp_set_fpscr(CPUState *env, uint32_t val)
commit 9ea62f571ce8953dba1d2bad2bdeaf9c3a84b7d7
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-arm: Fix implementation of VRSQRTS
    
    The implementation of the ARM VRSQRTS instruction (which calculates
    (3 - op1 * op2) / 2) was missing the division operation. It also
    did not handle the special cases of (0,inf) and (inf,0).
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 705b99f..ac47de0 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2612,8 +2612,16 @@ float32 HELPER(recps_f32)(float32 a, float32 b, CPUState *env)
 float32 HELPER(rsqrts_f32)(float32 a, float32 b, CPUState *env)
 {
     float_status *s = &env->vfp.fp_status;
+    float32 two = int32_to_float32(2, s);
     float32 three = int32_to_float32(3, s);
-    return float32_sub(three, float32_mul(a, b, s), s);
+    float32 product;
+    if ((float32_is_infinity(a) && float32_is_zero_or_denormal(b)) ||
+        (float32_is_infinity(b) && float32_is_zero_or_denormal(a))) {
+        product = float32_zero;
+    } else {
+        product = float32_mul(a, b, s);
+    }
+    return float32_div(float32_sub(three, product, s), two, s);
 }
 
 /* NEON helpers.  */
commit 6f3300ad2b5a1e7090720993d9fcb9f550259e12
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 14 20:39:18 2011 +0100

    softfloat: Add float32_is_zero_or_denormal() function
    
    Add a utility function to softfloat to test whether a float32
    is zero or denormal.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index a6d0f16..4a5345c 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -336,6 +336,11 @@ INLINE int float32_is_any_nan(float32 a)
     return ((float32_val(a) & ~(1 << 31)) > 0x7f800000UL);
 }
 
+INLINE int float32_is_zero_or_denormal(float32 a)
+{
+    return (float32_val(a) & 0x7f800000) == 0;
+}
+
 #define float32_zero make_float32(0)
 #define float32_one make_float32(0x3f800000)
 #define float32_ln2 make_float32(0x3f317218)
commit 3bd4be3ada596bbed81fe955c963bb6a64335011
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    lsi53c895a: fix endianness issues
    
    lsi_ram_read*() and lsi_ram_write*() are not consistent, one uses
    leXX_to_cpu() the other uses nothing. As the comment above the RAM
    declaration says: "Script ram is stored as 32-bit words in host
    byteorder.", remove the leXX_to_cpu() calls.
    
    This fixes the boot of an ARM versatile machine on MIPS and PowerPC
    hosts.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index 0129ae3..9c761cd 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -1930,7 +1930,7 @@ static uint32_t lsi_ram_readw(void *opaque, target_phys_addr_t addr)
     val = s->script_ram[addr >> 2];
     if (addr & 2)
         val >>= 16;
-    return le16_to_cpu(val);
+    return val;
 }
 
 static uint32_t lsi_ram_readl(void *opaque, target_phys_addr_t addr)
@@ -1938,7 +1938,7 @@ static uint32_t lsi_ram_readl(void *opaque, target_phys_addr_t addr)
     LSIState *s = opaque;
 
     addr &= 0x1fff;
-    return le32_to_cpu(s->script_ram[addr >> 2]);
+    return s->script_ram[addr >> 2];
 }
 
 static CPUReadMemoryFunc * const lsi_ram_readfn[3] = {
commit d30df5cec94cc165d76ccabb0d1847357178795e
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    mips/malta: fix board id
    
    Board id can't be written with stl_phys() as it's read-only part of
    memory. Use stl_p() on the memory buffer instead.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 5ef3fcb..d3ba969 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -910,7 +910,7 @@ void mips_malta_init (ram_addr_t ram_size,
     /* Board ID = 0x420 (Malta Board with CoreLV)
        XXX: theoretically 0x1e000010 should map to flash and 0x1fc00010 should
        map to the board ID. */
-    stl_phys(0x1fc00010LL, 0x00000420);
+    stl_p(qemu_get_ram_ptr(bios_offset) + 0x10, 0x00000420);
 
     /* Init internal devices */
     cpu_mips_irq_init_cpu(env);
commit c5c191370e82e3f27a7b3c6616544b39b7487410
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: use setcond when possible
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index b3cbe91..c8fffbc 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -381,26 +381,26 @@ static inline void gen_clr_t(void)
 
 static inline void gen_cmp(int cond, TCGv t0, TCGv t1)
 {
-    int label1 = gen_new_label();
-    int label2 = gen_new_label();
-    tcg_gen_brcond_i32(cond, t1, t0, label1);
-    gen_clr_t();
-    tcg_gen_br(label2);
-    gen_set_label(label1);
-    gen_set_t();
-    gen_set_label(label2);
+    TCGv t;
+
+    t = tcg_temp_new();
+    tcg_gen_setcond_i32(cond, t, t1, t0);
+    tcg_gen_andi_i32(cpu_sr, cpu_sr, ~SR_T);
+    tcg_gen_or_i32(cpu_sr, cpu_sr, t);
+
+    tcg_temp_free(t);
 }
 
 static inline void gen_cmp_imm(int cond, TCGv t0, int32_t imm)
 {
-    int label1 = gen_new_label();
-    int label2 = gen_new_label();
-    tcg_gen_brcondi_i32(cond, t0, imm, label1);
-    gen_clr_t();
-    tcg_gen_br(label2);
-    gen_set_label(label1);
-    gen_set_t();
-    gen_set_label(label2);
+    TCGv t;
+
+    t = tcg_temp_new();
+    tcg_gen_setcondi_i32(cond, t, t0, imm);
+    tcg_gen_andi_i32(cpu_sr, cpu_sr, ~SR_T);
+    tcg_gen_or_i32(cpu_sr, cpu_sr, t);
+
+    tcg_temp_free(t);
 }
 
 static inline void gen_store_flags(uint32_t flags)
@@ -816,24 +816,22 @@ static void _decode_opc(DisasContext * ctx)
 	return;
     case 0x200c:		/* cmp/str Rm,Rn */
 	{
-	    int label1 = gen_new_label();
-	    int label2 = gen_new_label();
-	    TCGv cmp1 = tcg_temp_local_new();
-	    TCGv cmp2 = tcg_temp_local_new();
+	    TCGv cmp1 = tcg_temp_new();
+	    TCGv cmp2 = tcg_temp_new();
+	    tcg_gen_andi_i32(cpu_sr, cpu_sr, ~SR_T);
 	    tcg_gen_xor_i32(cmp1, REG(B7_4), REG(B11_8));
 	    tcg_gen_andi_i32(cmp2, cmp1, 0xff000000);
-	    tcg_gen_brcondi_i32(TCG_COND_EQ, cmp2, 0, label1);
+	    tcg_gen_setcondi_i32(TCG_COND_EQ, cmp2, cmp2, 0);
+	    tcg_gen_or_i32(cpu_sr, cpu_sr, cmp2);
 	    tcg_gen_andi_i32(cmp2, cmp1, 0x00ff0000);
-	    tcg_gen_brcondi_i32(TCG_COND_EQ, cmp2, 0, label1);
+	    tcg_gen_setcondi_i32(TCG_COND_EQ, cmp2, cmp2, 0);
+	    tcg_gen_or_i32(cpu_sr, cpu_sr, cmp2);
 	    tcg_gen_andi_i32(cmp2, cmp1, 0x0000ff00);
-	    tcg_gen_brcondi_i32(TCG_COND_EQ, cmp2, 0, label1);
+	    tcg_gen_setcondi_i32(TCG_COND_EQ, cmp2, cmp2, 0);
+	    tcg_gen_or_i32(cpu_sr, cpu_sr, cmp2);
 	    tcg_gen_andi_i32(cmp2, cmp1, 0x000000ff);
-	    tcg_gen_brcondi_i32(TCG_COND_EQ, cmp2, 0, label1);
-	    tcg_gen_andi_i32(cpu_sr, cpu_sr, ~SR_T);
-	    tcg_gen_br(label2);
-	    gen_set_label(label1);
-	    tcg_gen_ori_i32(cpu_sr, cpu_sr, SR_T);
-	    gen_set_label(label2);
+	    tcg_gen_setcondi_i32(TCG_COND_EQ, cmp2, cmp2, 0);
+	    tcg_gen_or_i32(cpu_sr, cpu_sr, cmp2);
 	    tcg_temp_free(cmp2);
 	    tcg_temp_free(cmp1);
 	}
commit be15c50d8e20edf9338c689764e6398ccec92ed9
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: log instructions start in TCG code
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 65ea7f6..b3cbe91 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -1892,6 +1892,10 @@ static void decode_opc(DisasContext * ctx)
 {
     uint32_t old_flags = ctx->flags;
 
+    if (unlikely(qemu_loglevel_mask(CPU_LOG_TB_OP))) {
+        tcg_gen_debug_insn_start(ctx->pc);
+    }
+
     _decode_opc(ctx);
 
     if (old_flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) {
commit 6f396c8f38fb47dda5622880f7f2c646b145bc23
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: simplify comparisons after a 'and' op
    
    When a TCG variable is anded with a value and the compared with the same
    value, we can simply invert the comparison and compare it with 0. The
    generated code is smaller.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 04bc94a..65ea7f6 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -332,7 +332,7 @@ static inline void gen_branch_slot(uint32_t delayed_pc, int t)
     tcg_gen_movi_i32(cpu_delayed_pc, delayed_pc);
     sr = tcg_temp_new();
     tcg_gen_andi_i32(sr, cpu_sr, SR_T);
-    tcg_gen_brcondi_i32(TCG_COND_NE, sr, t ? SR_T : 0, label);
+    tcg_gen_brcondi_i32(t ? TCG_COND_EQ:TCG_COND_NE, sr, 0, label);
     tcg_gen_ori_i32(cpu_flags, cpu_flags, DELAY_SLOT_TRUE);
     gen_set_label(label);
 }
@@ -347,7 +347,7 @@ static void gen_conditional_jump(DisasContext * ctx,
     l1 = gen_new_label();
     sr = tcg_temp_new();
     tcg_gen_andi_i32(sr, cpu_sr, SR_T);
-    tcg_gen_brcondi_i32(TCG_COND_EQ, sr, SR_T, l1);
+    tcg_gen_brcondi_i32(TCG_COND_NE, sr, 0, l1);
     gen_goto_tb(ctx, 0, ifnott);
     gen_set_label(l1);
     gen_goto_tb(ctx, 1, ift);
@@ -362,7 +362,7 @@ static void gen_delayed_conditional_jump(DisasContext * ctx)
     l1 = gen_new_label();
     ds = tcg_temp_new();
     tcg_gen_andi_i32(ds, cpu_flags, DELAY_SLOT_TRUE);
-    tcg_gen_brcondi_i32(TCG_COND_EQ, ds, DELAY_SLOT_TRUE, l1);
+    tcg_gen_brcondi_i32(TCG_COND_NE, ds, 0, l1);
     gen_goto_tb(ctx, 1, ctx->pc + 2);
     gen_set_label(l1);
     tcg_gen_andi_i32(cpu_flags, cpu_flags, ~DELAY_SLOT_TRUE);
commit 4f6493ff8a73bbb24ad81b080cc256c1c896b7fb
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: fix reset on r2d
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/r2d.c b/hw/r2d.c
index c4f32ef..90d1af2 100644
--- a/hw/r2d.c
+++ b/hw/r2d.c
@@ -208,6 +208,20 @@ static int r2d_pci_map_irq(PCIDevice *d, int irq_num)
     return intx[d->devfn >> 3];
 }
 
+typedef struct ResetData {
+    CPUState *env;
+    uint32_t vector;
+} ResetData;
+
+static void main_cpu_reset(void *opaque)
+{
+    ResetData *s = (ResetData *)opaque;
+    CPUState *env = s->env;
+
+    cpu_reset(env);
+    env->pc = s->vector;
+}
+
 static struct __attribute__((__packed__))
 {
     int mount_root_rdonly;
@@ -228,6 +242,7 @@ static void r2d_init(ram_addr_t ram_size,
 	      const char *initrd_filename, const char *cpu_model)
 {
     CPUState *env;
+    ResetData *reset_info;
     struct SH7750State *s;
     ram_addr_t sdram_addr;
     qemu_irq *irq;
@@ -242,6 +257,10 @@ static void r2d_init(ram_addr_t ram_size,
         fprintf(stderr, "Unable to find CPU definition\n");
         exit(1);
     }
+    reset_info = qemu_mallocz(sizeof(ResetData));
+    reset_info->env = env;
+    reset_info->vector = env->pc;
+    qemu_register_reset(main_cpu_reset, reset_info);
 
     /* Allocate memory space */
     sdram_addr = qemu_ram_alloc(NULL, "r2d.sdram", SDRAM_SIZE);
@@ -290,7 +309,7 @@ static void r2d_init(ram_addr_t ram_size,
         /* initialization which should be done by firmware */
         stl_phys(SH7750_BCR1, 1<<3); /* cs3 SDRAM */
         stw_phys(SH7750_BCR2, 3<<(3*2)); /* cs3 32bit */
-        env->pc = (SDRAM_BASE + LINUX_LOAD_OFFSET) | 0xa0000000; /* Start from P2 area */
+        reset_info->vector = (SDRAM_BASE + LINUX_LOAD_OFFSET) | 0xa0000000; /* Start from P2 area */
     }
 
     if (initrd_filename) {
diff --git a/target-sh4/cpu.h b/target-sh4/cpu.h
index fe33b8a..95df6d2 100644
--- a/target-sh4/cpu.h
+++ b/target-sh4/cpu.h
@@ -136,8 +136,6 @@ typedef struct memory_content {
 } memory_content;
 
 typedef struct CPUSH4State {
-    int id;			/* CPU model */
-
     uint32_t flags;		/* general execution flags */
     uint32_t gregs[24];		/* general registers */
     float32 fregs[32];		/* floating point registers */
@@ -173,14 +171,18 @@ typedef struct CPUSH4State {
     uint32_t expevt;		/* exception event register */
     uint32_t intevt;		/* interrupt event register */
 
+    tlb_t itlb[ITLB_SIZE];	/* instruction translation table */
+    tlb_t utlb[UTLB_SIZE];	/* unified translation table */
+
+    uint32_t ldst;
+
+    CPU_COMMON
+
+    int id;			/* CPU model */
     uint32_t pvr;		/* Processor Version Register */
     uint32_t prr;		/* Processor Revision Register */
     uint32_t cvr;		/* Cache Version Register */
 
-    uint32_t ldst;
-
-     CPU_COMMON tlb_t utlb[UTLB_SIZE];	/* unified translation table */
-    tlb_t itlb[ITLB_SIZE];	/* instruction translation table */
     void *intc_handle;
     int intr_at_halt;		/* SR_BL ignored during sleep */
     memory_content *movcal_backup;
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 69d507d..04bc94a 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -185,30 +185,27 @@ void cpu_dump_state(CPUState * env, FILE * f,
     }
 }
 
-static void cpu_sh4_reset(CPUSH4State * env)
+void cpu_reset(CPUSH4State * env)
 {
     if (qemu_loglevel_mask(CPU_LOG_RESET)) {
         qemu_log("CPU Reset (CPU %d)\n", env->cpu_index);
         log_cpu_state(env, 0);
     }
 
-#if defined(CONFIG_USER_ONLY)
-    env->sr = 0;
-#else
-    env->sr = SR_MD | SR_RB | SR_BL | SR_I3 | SR_I2 | SR_I1 | SR_I0;
-#endif
-    env->vbr = 0;
+    memset(env, 0, offsetof(CPUSH4State, breakpoints));
+    tlb_flush(env, 1);
+
     env->pc = 0xA0000000;
 #if defined(CONFIG_USER_ONLY)
     env->fpscr = FPSCR_PR; /* value for userspace according to the kernel */
     set_float_rounding_mode(float_round_nearest_even, &env->fp_status); /* ?! */
 #else
+    env->sr = SR_MD | SR_RB | SR_BL | SR_I3 | SR_I2 | SR_I1 | SR_I0;
     env->fpscr = FPSCR_DN | FPSCR_RM_ZERO; /* CPU reset value according to SH4 manual */
     set_float_rounding_mode(float_round_to_zero, &env->fp_status);
     set_flush_to_zero(1, &env->fp_status);
 #endif
     set_default_nan_mode(1, &env->fp_status);
-    env->mmucr = 0;
 }
 
 typedef struct {
@@ -267,7 +264,7 @@ void sh4_cpu_list(FILE *f, fprintf_function cpu_fprintf)
 	(*cpu_fprintf)(f, "%s\n", sh4_defs[i].name);
 }
 
-static void cpu_sh4_register(CPUSH4State *env, const sh4_def_t *def)
+static void cpu_register(CPUSH4State *env, const sh4_def_t *def)
 {
     env->pvr = def->pvr;
     env->prr = def->prr;
@@ -289,9 +286,8 @@ CPUSH4State *cpu_sh4_init(const char *cpu_model)
     env->movcal_backup_tail = &(env->movcal_backup);
     sh4_translate_init();
     env->cpu_model_str = cpu_model;
-    cpu_sh4_reset(env);
-    cpu_sh4_register(env, def);
-    tlb_flush(env, 1);
+    cpu_reset(env);
+    cpu_register(env, def);
     qemu_init_vcpu(env);
     return env;
 }
commit fd4bab102c14171f8a5a6b04def6434b75a658a2
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: optimize exceptions
    
    As exception is not the normal path, don't bother saving PC, before
    raising one, instead rely on code retranslation to get the CPU state.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index 525b060..9d7652f 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -83,28 +83,31 @@ void helper_ldtlb(void)
 #endif
 }
 
-void helper_raise_illegal_instruction(void)
+static inline void raise_exception(int index, void *retaddr)
 {
-    env->exception_index = 0x180;
+    env->exception_index = index;
+    cpu_restore_state_from_retaddr(retaddr);
     cpu_loop_exit();
 }
 
+void helper_raise_illegal_instruction(void)
+{
+    raise_exception(0x180, GETPC());
+}
+
 void helper_raise_slot_illegal_instruction(void)
 {
-    env->exception_index = 0x1a0;
-    cpu_loop_exit();
+    raise_exception(0x1a0, GETPC());
 }
 
 void helper_raise_fpu_disable(void)
 {
-  env->exception_index = 0x800;
-  cpu_loop_exit();
+    raise_exception(0x800, GETPC());
 }
 
 void helper_raise_slot_fpu_disable(void)
 {
-  env->exception_index = 0x820;
-  cpu_loop_exit();
+    raise_exception(0x820, GETPC());
 }
 
 void helper_debug(void)
@@ -124,8 +127,7 @@ void helper_sleep(uint32_t next_pc)
 void helper_trapa(uint32_t tra)
 {
     env->tra = tra << 2;
-    env->exception_index = 0x160;
-    cpu_loop_exit();
+    raise_exception(0x160, GETPC());
 }
 
 void helper_movcal(uint32_t address, uint32_t value)
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 65b6ea4..69d507d 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -471,7 +471,6 @@ static inline void gen_store_fpr64 (TCGv_i64 t, int reg)
 #define CHECK_NOT_DELAY_SLOT \
   if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL))     \
   {                                                           \
-      tcg_gen_movi_i32(cpu_pc, ctx->pc);                      \
       gen_helper_raise_slot_illegal_instruction();            \
       ctx->bstate = BS_EXCP;                                  \
       return;                                                 \
@@ -479,7 +478,6 @@ static inline void gen_store_fpr64 (TCGv_i64 t, int reg)
 
 #define CHECK_PRIVILEGED                                        \
   if (IS_USER(ctx)) {                                           \
-      tcg_gen_movi_i32(cpu_pc, ctx->pc);                        \
       if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) { \
          gen_helper_raise_slot_illegal_instruction();           \
       } else {                                                  \
@@ -491,7 +489,6 @@ static inline void gen_store_fpr64 (TCGv_i64 t, int reg)
 
 #define CHECK_FPU_ENABLED                                       \
   if (ctx->flags & SR_FD) {                                     \
-      tcg_gen_movi_i32(cpu_pc, ctx->pc);                        \
       if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) { \
           gen_helper_raise_slot_fpu_disable();                  \
       } else {                                                  \
@@ -1380,7 +1377,6 @@ static void _decode_opc(DisasContext * ctx)
 	{
 	    TCGv imm;
 	    CHECK_NOT_DELAY_SLOT
-	    tcg_gen_movi_i32(cpu_pc, ctx->pc);
 	    imm = tcg_const_i32(B7_0);
 	    gen_helper_trapa(imm);
 	    tcg_temp_free(imm);
@@ -1888,7 +1884,6 @@ static void _decode_opc(DisasContext * ctx)
 	    ctx->opcode, ctx->pc);
     fflush(stderr);
 #endif
-    tcg_gen_movi_i32(cpu_pc, ctx->pc);
     if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) {
        gen_helper_raise_slot_illegal_instruction();
     } else {
commit 17075f10ff9e2c8bd59ecbf9569421e437707e43
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: add ftrv instruction
    
    Add the ftrv XMTRX,FVn instruction, which computes the 4-row x 4-column
    matrix XMTRX by the 4-dimensional vector FVn.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.h b/target-sh4/helper.h
index 544031c..4e595c8 100644
--- a/target-sh4/helper.h
+++ b/target-sh4/helper.h
@@ -50,5 +50,6 @@ DEF_HELPER_1(fsqrt_DT, i64, i64)
 DEF_HELPER_1(ftrc_FT, i32, i32)
 DEF_HELPER_1(ftrc_DT, i32, i64)
 DEF_HELPER_2(fipr, void, i32, i32)
+DEF_HELPER_1(ftrv, void, i32)
 
 #include "def-helper.h"
diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index 030f60d..525b060 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -802,3 +802,29 @@ void helper_fipr(uint32_t m, uint32_t n)
 
     env->fregs[bank + n + 3] = r;
 }
+
+void helper_ftrv(uint32_t n)
+{
+    int bank_matrix, bank_vector;
+    int i, j;
+    float32 r[4];
+    float32 p;
+
+    bank_matrix = (env->sr & FPSCR_FR) ? 0 : 16;
+    bank_vector = (env->sr & FPSCR_FR) ? 16 : 0;
+    set_float_exception_flags(0, &env->fp_status);
+    for (i = 0 ; i < 4 ; i++) {
+        r[i] = float32_zero;
+        for (j = 0 ; j < 4 ; j++) {
+            p = float32_mul(env->fregs[bank_matrix + 4 * j + i],
+                            env->fregs[bank_vector + j],
+                            &env->fp_status);
+            r[i] = float32_add(r[i], p, &env->fp_status);
+        }
+    }
+    update_fpscr(GETPC());
+
+    for (i = 0 ; i < 4 ; i++) {
+        env->fregs[bank_vector + i] = r[i];
+    }
+}
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 557550f..65b6ea4 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -1871,6 +1871,17 @@ static void _decode_opc(DisasContext * ctx)
             return;
         }
         break;
+    case 0xf0fd: /* ftrv XMTRX,FVn */
+        CHECK_FPU_ENABLED
+        if ((ctx->opcode & 0x0300) == 0x0100 &&
+            (ctx->fpscr & FPSCR_PR) == 0) {
+            TCGv n;
+            n = tcg_const_i32((ctx->opcode >> 18) & 3);
+            gen_helper_ftrv(n);
+            tcg_temp_free(n);
+            return;
+        }
+        break;
     }
 #if 0
     fprintf(stderr, "unknown instruction 0x%04x at pc 0x%08x\n",
commit af8c2bde4b4d4111e5bf49417b74069ce8750435
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: add fipr instruction
    
    Add the fipr FVm,FVn instruction, which computes the inner products of
    a 4-dimensional single precision floating-point vector.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.h b/target-sh4/helper.h
index 4b2fcdd..544031c 100644
--- a/target-sh4/helper.h
+++ b/target-sh4/helper.h
@@ -49,5 +49,6 @@ DEF_HELPER_1(fsqrt_FT, i32, i32)
 DEF_HELPER_1(fsqrt_DT, i64, i64)
 DEF_HELPER_1(ftrc_FT, i32, i32)
 DEF_HELPER_1(ftrc_DT, i32, i64)
+DEF_HELPER_2(fipr, void, i32, i32)
 
 #include "def-helper.h"
diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index aea0eb1..030f60d 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -782,3 +782,23 @@ uint32_t helper_ftrc_DT(uint64_t t0)
     update_fpscr(GETPC());
     return ret;
 }
+
+void helper_fipr(uint32_t m, uint32_t n)
+{
+    int bank, i;
+    float32 r, p;
+
+    bank = (env->sr & FPSCR_FR) ? 16 : 0;
+    r = float32_zero;
+    set_float_exception_flags(0, &env->fp_status);
+
+    for (i = 0 ; i < 4 ; i++) {
+        p = float32_mul(env->fregs[bank + m + i],
+                        env->fregs[bank + n + i],
+                        &env->fp_status);
+        r = float32_add(r, p, &env->fp_status);
+    }
+    update_fpscr(GETPC());
+
+    env->fregs[bank + n + 3] = r;
+}
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 8b2f1fc..557550f 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -1859,6 +1859,18 @@ static void _decode_opc(DisasContext * ctx)
 	    tcg_temp_free_i64(fp);
 	}
 	return;
+    case 0xf0ed: /* fipr FVm,FVn */
+        CHECK_FPU_ENABLED
+        if ((ctx->fpscr & FPSCR_PR) == 0) {
+            TCGv m, n;
+            m = tcg_const_i32((ctx->opcode >> 16) & 3);
+            n = tcg_const_i32((ctx->opcode >> 18) & 3);
+            gen_helper_fipr(m, n);
+            tcg_temp_free(m);
+            tcg_temp_free(n);
+            return;
+        }
+        break;
     }
 #if 0
     fprintf(stderr, "unknown instruction 0x%04x at pc 0x%08x\n",
commit 21829e9b39e3aa0874931aa6981f258c82f41715
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: implement FPU exceptions
    
    FPU exception support where not implemented on SH4. Implement them by
    clearing the softfloat exceptions flags before an FP instruction (the
    SH4 FPU also clear them before an instruction), and calling a function
    to update the FPSCR register after an FP instruction. This function
    update the corresponding FPSCR bits (both flags and cumulative flags)
    and trigger exception if enabled.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index 9025a29..aea0eb1 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -21,6 +21,22 @@
 #include "exec.h"
 #include "helper.h"
 
+static void cpu_restore_state_from_retaddr(void *retaddr)
+{
+    TranslationBlock *tb;
+    unsigned long pc;
+
+    if (retaddr) {
+        pc = (unsigned long) retaddr;
+        tb = tb_find_pc(pc);
+        if (tb) {
+            /* the PC is inside the translated code. It means that we have
+               a virtual CPU fault */
+            cpu_restore_state(tb, env, pc, NULL);
+        }
+    }
+}
+
 #ifndef CONFIG_USER_ONLY
 
 #define MMUSUFFIX _mmu
@@ -39,9 +55,7 @@
 
 void tlb_fill(target_ulong addr, int is_write, int mmu_idx, void *retaddr)
 {
-    TranslationBlock *tb;
     CPUState *saved_env;
-    unsigned long pc;
     int ret;
 
     /* XXX: hack to restore env in all cases, even if not called from
@@ -50,16 +64,8 @@ void tlb_fill(target_ulong addr, int is_write, int mmu_idx, void *retaddr)
     env = cpu_single_env;
     ret = cpu_sh4_handle_mmu_fault(env, addr, is_write, mmu_idx, 1);
     if (ret) {
-	if (retaddr) {
-	    /* now we have a real cpu fault */
-	    pc = (unsigned long) retaddr;
-	    tb = tb_find_pc(pc);
-	    if (tb) {
-		/* the PC is inside the translated code. It means that we have
-		   a virtual CPU fault */
-		cpu_restore_state(tb, env, pc, NULL);
-	    }
-	}
+        /* now we have a real cpu fault */
+        cpu_restore_state_from_retaddr(retaddr);
 	cpu_loop_exit();
     }
     env = saved_env;
@@ -452,6 +458,47 @@ void helper_ld_fpscr(uint32_t val)
     set_flush_to_zero((val & FPSCR_DN) != 0, &env->fp_status);
 }
 
+static void update_fpscr(void *retaddr)
+{
+    int xcpt, cause, enable;
+
+    xcpt = get_float_exception_flags(&env->fp_status);
+
+    /* Clear the flag entries */
+    env->fpscr &= ~FPSCR_FLAG_MASK;
+
+    if (unlikely(xcpt)) {
+        if (xcpt & float_flag_invalid) {
+            env->fpscr |= FPSCR_FLAG_V;
+        }
+        if (xcpt & float_flag_divbyzero) {
+            env->fpscr |= FPSCR_FLAG_Z;
+        }
+        if (xcpt & float_flag_overflow) {
+            env->fpscr |= FPSCR_FLAG_O;
+        }
+        if (xcpt & float_flag_underflow) {
+            env->fpscr |= FPSCR_FLAG_U;
+        }
+        if (xcpt & float_flag_inexact) {
+            env->fpscr |= FPSCR_FLAG_I;
+        }
+
+        /* Accumulate in cause entries */
+        env->fpscr |= (env->fpscr & FPSCR_FLAG_MASK)
+                      << (FPSCR_CAUSE_SHIFT - FPSCR_FLAG_SHIFT);
+
+        /* Generate an exception if enabled */
+        cause = (env->fpscr & FPSCR_CAUSE_MASK) >> FPSCR_CAUSE_SHIFT;
+        enable = (env->fpscr & FPSCR_ENABLE_MASK) >> FPSCR_ENABLE_SHIFT;
+        if (cause & enable) {
+            cpu_restore_state_from_retaddr(retaddr);
+            env->exception_index = 0x120;
+            cpu_loop_exit();
+        }
+    }
+}
+
 uint32_t helper_fabs_FT(uint32_t t0)
 {
     CPU_FloatU f;
@@ -473,7 +520,9 @@ uint32_t helper_fadd_FT(uint32_t t0, uint32_t t1)
     CPU_FloatU f0, f1;
     f0.l = t0;
     f1.l = t1;
+    set_float_exception_flags(0, &env->fp_status);
     f0.f = float32_add(f0.f, f1.f, &env->fp_status);
+    update_fpscr(GETPC());
     return f0.l;
 }
 
@@ -482,56 +531,82 @@ uint64_t helper_fadd_DT(uint64_t t0, uint64_t t1)
     CPU_DoubleU d0, d1;
     d0.ll = t0;
     d1.ll = t1;
+    set_float_exception_flags(0, &env->fp_status);
     d0.d = float64_add(d0.d, d1.d, &env->fp_status);
+    update_fpscr(GETPC());
     return d0.ll;
 }
 
 void helper_fcmp_eq_FT(uint32_t t0, uint32_t t1)
 {
     CPU_FloatU f0, f1;
+    int relation;
     f0.l = t0;
     f1.l = t1;
 
-    if (float32_compare(f0.f, f1.f, &env->fp_status) == 0)
+    set_float_exception_flags(0, &env->fp_status);
+    relation = float32_compare(f0.f, f1.f, &env->fp_status);
+    if (unlikely(relation == float_relation_unordered)) {
+        update_fpscr(GETPC());
+    } else if (relation == float_relation_equal) {
 	set_t();
-    else
+    } else {
 	clr_t();
+    }
 }
 
 void helper_fcmp_eq_DT(uint64_t t0, uint64_t t1)
 {
     CPU_DoubleU d0, d1;
+    int relation;
     d0.ll = t0;
     d1.ll = t1;
 
-    if (float64_compare(d0.d, d1.d, &env->fp_status) == 0)
+    set_float_exception_flags(0, &env->fp_status);
+    relation = float64_compare(d0.d, d1.d, &env->fp_status);
+    if (unlikely(relation == float_relation_unordered)) {
+        update_fpscr(GETPC());
+    } else if (relation == float_relation_equal) {
 	set_t();
-    else
+    } else {
 	clr_t();
+    }
 }
 
 void helper_fcmp_gt_FT(uint32_t t0, uint32_t t1)
 {
     CPU_FloatU f0, f1;
+    int relation;
     f0.l = t0;
     f1.l = t1;
 
-    if (float32_compare(f0.f, f1.f, &env->fp_status) == 1)
+    set_float_exception_flags(0, &env->fp_status);
+    relation = float32_compare(f0.f, f1.f, &env->fp_status);
+    if (unlikely(relation == float_relation_unordered)) {
+        update_fpscr(GETPC());
+    } else if (relation == float_relation_greater) {
 	set_t();
-    else
+    } else {
 	clr_t();
+    }
 }
 
 void helper_fcmp_gt_DT(uint64_t t0, uint64_t t1)
 {
     CPU_DoubleU d0, d1;
+    int relation;
     d0.ll = t0;
     d1.ll = t1;
 
-    if (float64_compare(d0.d, d1.d, &env->fp_status) == 1)
+    set_float_exception_flags(0, &env->fp_status);
+    relation = float64_compare(d0.d, d1.d, &env->fp_status);
+    if (unlikely(relation == float_relation_unordered)) {
+        update_fpscr(GETPC());
+    } else if (relation == float_relation_greater) {
 	set_t();
-    else
+    } else {
 	clr_t();
+    }
 }
 
 uint64_t helper_fcnvsd_FT_DT(uint32_t t0)
@@ -539,7 +614,9 @@ uint64_t helper_fcnvsd_FT_DT(uint32_t t0)
     CPU_DoubleU d;
     CPU_FloatU f;
     f.l = t0;
+    set_float_exception_flags(0, &env->fp_status);
     d.d = float32_to_float64(f.f, &env->fp_status);
+    update_fpscr(GETPC());
     return d.ll;
 }
 
@@ -548,7 +625,9 @@ uint32_t helper_fcnvds_DT_FT(uint64_t t0)
     CPU_DoubleU d;
     CPU_FloatU f;
     d.ll = t0;
+    set_float_exception_flags(0, &env->fp_status);
     f.f = float64_to_float32(d.d, &env->fp_status);
+    update_fpscr(GETPC());
     return f.l;
 }
 
@@ -557,7 +636,9 @@ uint32_t helper_fdiv_FT(uint32_t t0, uint32_t t1)
     CPU_FloatU f0, f1;
     f0.l = t0;
     f1.l = t1;
+    set_float_exception_flags(0, &env->fp_status);
     f0.f = float32_div(f0.f, f1.f, &env->fp_status);
+    update_fpscr(GETPC());
     return f0.l;
 }
 
@@ -566,21 +647,29 @@ uint64_t helper_fdiv_DT(uint64_t t0, uint64_t t1)
     CPU_DoubleU d0, d1;
     d0.ll = t0;
     d1.ll = t1;
+    set_float_exception_flags(0, &env->fp_status);
     d0.d = float64_div(d0.d, d1.d, &env->fp_status);
+    update_fpscr(GETPC());
     return d0.ll;
 }
 
 uint32_t helper_float_FT(uint32_t t0)
 {
     CPU_FloatU f;
+
+    set_float_exception_flags(0, &env->fp_status);
     f.f = int32_to_float32(t0, &env->fp_status);
+    update_fpscr(GETPC());
+
     return f.l;
 }
 
 uint64_t helper_float_DT(uint32_t t0)
 {
     CPU_DoubleU d;
+    set_float_exception_flags(0, &env->fp_status);
     d.d = int32_to_float64(t0, &env->fp_status);
+    update_fpscr(GETPC());
     return d.ll;
 }
 
@@ -590,8 +679,11 @@ uint32_t helper_fmac_FT(uint32_t t0, uint32_t t1, uint32_t t2)
     f0.l = t0;
     f1.l = t1;
     f2.l = t2;
+    set_float_exception_flags(0, &env->fp_status);
     f0.f = float32_mul(f0.f, f1.f, &env->fp_status);
     f0.f = float32_add(f0.f, f2.f, &env->fp_status);
+    update_fpscr(GETPC());
+
     return f0.l;
 }
 
@@ -600,7 +692,9 @@ uint32_t helper_fmul_FT(uint32_t t0, uint32_t t1)
     CPU_FloatU f0, f1;
     f0.l = t0;
     f1.l = t1;
+    set_float_exception_flags(0, &env->fp_status);
     f0.f = float32_mul(f0.f, f1.f, &env->fp_status);
+    update_fpscr(GETPC());
     return f0.l;
 }
 
@@ -609,7 +703,10 @@ uint64_t helper_fmul_DT(uint64_t t0, uint64_t t1)
     CPU_DoubleU d0, d1;
     d0.ll = t0;
     d1.ll = t1;
+    set_float_exception_flags(0, &env->fp_status);
     d0.d = float64_mul(d0.d, d1.d, &env->fp_status);
+    update_fpscr(GETPC());
+
     return d0.ll;
 }
 
@@ -625,7 +722,9 @@ uint32_t helper_fsqrt_FT(uint32_t t0)
 {
     CPU_FloatU f;
     f.l = t0;
+    set_float_exception_flags(0, &env->fp_status);
     f.f = float32_sqrt(f.f, &env->fp_status);
+    update_fpscr(GETPC());
     return f.l;
 }
 
@@ -633,7 +732,9 @@ uint64_t helper_fsqrt_DT(uint64_t t0)
 {
     CPU_DoubleU d;
     d.ll = t0;
+    set_float_exception_flags(0, &env->fp_status);
     d.d = float64_sqrt(d.d, &env->fp_status);
+    update_fpscr(GETPC());
     return d.ll;
 }
 
@@ -642,29 +743,42 @@ uint32_t helper_fsub_FT(uint32_t t0, uint32_t t1)
     CPU_FloatU f0, f1;
     f0.l = t0;
     f1.l = t1;
+    set_float_exception_flags(0, &env->fp_status);
     f0.f = float32_sub(f0.f, f1.f, &env->fp_status);
+    update_fpscr(GETPC());
     return f0.l;
 }
 
 uint64_t helper_fsub_DT(uint64_t t0, uint64_t t1)
 {
     CPU_DoubleU d0, d1;
+
     d0.ll = t0;
     d1.ll = t1;
+    set_float_exception_flags(0, &env->fp_status);
     d0.d = float64_sub(d0.d, d1.d, &env->fp_status);
+    update_fpscr(GETPC());
     return d0.ll;
 }
 
 uint32_t helper_ftrc_FT(uint32_t t0)
 {
     CPU_FloatU f;
+    uint32_t ret;
     f.l = t0;
-    return float32_to_int32_round_to_zero(f.f, &env->fp_status);
+    set_float_exception_flags(0, &env->fp_status);
+    ret = float32_to_int32_round_to_zero(f.f, &env->fp_status);
+    update_fpscr(GETPC());
+    return ret;
 }
 
 uint32_t helper_ftrc_DT(uint64_t t0)
 {
     CPU_DoubleU d;
+    uint32_t ret;
     d.ll = t0;
-    return float64_to_int32_round_to_zero(d.d, &env->fp_status);
+    set_float_exception_flags(0, &env->fp_status);
+    ret = float64_to_int32_round_to_zero(d.d, &env->fp_status);
+    update_fpscr(GETPC());
+    return ret;
 }
commit a0d4ac333a8e59152c48ce659dc831391fff6df3
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: implement flush-to-zero
    
    When the FPSCR.DN bit is set, the SH4 FPU treat denormalized numbers as
    zero. Enable the corresponding softfloat option when this bit is set.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index d69b94b..9025a29 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -449,6 +449,7 @@ void helper_ld_fpscr(uint32_t val)
     } else {
 	set_float_rounding_mode(float_round_nearest_even, &env->fp_status);
     }
+    set_flush_to_zero((val & FPSCR_DN) != 0, &env->fp_status);
 }
 
 uint32_t helper_fabs_FT(uint32_t t0)
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index d4cd0a3..8b2f1fc 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -205,6 +205,7 @@ static void cpu_sh4_reset(CPUSH4State * env)
 #else
     env->fpscr = FPSCR_DN | FPSCR_RM_ZERO; /* CPU reset value according to SH4 manual */
     set_float_rounding_mode(float_round_to_zero, &env->fp_status);
+    set_flush_to_zero(1, &env->fp_status);
 #endif
     set_default_nan_mode(1, &env->fp_status);
     env->mmucr = 0;
commit 26ac1ea5590c2710d050bfe2630c1546f109d28c
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:18 2011 +0100

    target-sh4: define FPSCR constants
    
    Define FPSCR constants for all field and use them instead of hardcoded
    values.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/cpu.h b/target-sh4/cpu.h
index 8ccf25c..fe33b8a 100644
--- a/target-sh4/cpu.h
+++ b/target-sh4/cpu.h
@@ -61,10 +61,37 @@
 #define SR_S  (1 << 1)
 #define SR_T  (1 << 0)
 
-#define FPSCR_FR (1 << 21)
-#define FPSCR_SZ (1 << 20)
-#define FPSCR_PR (1 << 19)
-#define FPSCR_DN (1 << 18)
+#define FPSCR_MASK             (0x003fffff)
+#define FPSCR_FR               (1 << 21)
+#define FPSCR_SZ               (1 << 20)
+#define FPSCR_PR               (1 << 19)
+#define FPSCR_DN               (1 << 18)
+#define FPSCR_CAUSE_MASK       (0x3f << 12)
+#define FPSCR_CAUSE_SHIFT      (12)
+#define FPSCR_CAUSE_E          (1 << 17)
+#define FPSCR_CAUSE_V          (1 << 16)
+#define FPSCR_CAUSE_Z          (1 << 15)
+#define FPSCR_CAUSE_O          (1 << 14)
+#define FPSCR_CAUSE_U          (1 << 13)
+#define FPSCR_CAUSE_I          (1 << 12)
+#define FPSCR_ENABLE_MASK      (0x1f << 7)
+#define FPSCR_ENABLE_SHIFT     (7)
+#define FPSCR_ENABLE_V         (1 << 11)
+#define FPSCR_ENABLE_Z         (1 << 10)
+#define FPSCR_ENABLE_O         (1 << 9)
+#define FPSCR_ENABLE_U         (1 << 8)
+#define FPSCR_ENABLE_I         (1 << 7)
+#define FPSCR_FLAG_MASK        (0x1f << 2)
+#define FPSCR_FLAG_SHIFT       (2)
+#define FPSCR_FLAG_V           (1 << 6)
+#define FPSCR_FLAG_Z           (1 << 5)
+#define FPSCR_FLAG_O           (1 << 4)
+#define FPSCR_FLAG_U           (1 << 3)
+#define FPSCR_FLAG_I           (1 << 2)
+#define FPSCR_RM_MASK          (0x03 << 0)
+#define FPSCR_RM_NEAREST       (0 << 0)
+#define FPSCR_RM_ZERO          (1 << 0)
+
 #define DELAY_SLOT             (1 << 0)
 #define DELAY_SLOT_CONDITIONAL (1 << 1)
 #define DELAY_SLOT_TRUE        (1 << 2)
diff --git a/target-sh4/op_helper.c b/target-sh4/op_helper.c
index 2e5f555..d69b94b 100644
--- a/target-sh4/op_helper.c
+++ b/target-sh4/op_helper.c
@@ -443,11 +443,12 @@ static inline void clr_t(void)
 
 void helper_ld_fpscr(uint32_t val)
 {
-    env->fpscr = val & 0x003fffff;
-    if (val & 0x01)
+    env->fpscr = val & FPSCR_MASK;
+    if ((val & FPSCR_RM_MASK) == FPSCR_RM_ZERO) {
 	set_float_rounding_mode(float_round_to_zero, &env->fp_status);
-    else
+    } else {
 	set_float_rounding_mode(float_round_nearest_even, &env->fp_status);
+    }
 }
 
 uint32_t helper_fabs_FT(uint32_t t0)
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 1858423..d4cd0a3 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -203,10 +203,10 @@ static void cpu_sh4_reset(CPUSH4State * env)
     env->fpscr = FPSCR_PR; /* value for userspace according to the kernel */
     set_float_rounding_mode(float_round_nearest_even, &env->fp_status); /* ?! */
 #else
-    env->fpscr = 0x00040001; /* CPU reset value according to SH4 manual */
+    env->fpscr = FPSCR_DN | FPSCR_RM_ZERO; /* CPU reset value according to SH4 manual */
     set_float_rounding_mode(float_round_to_zero, &env->fp_status);
 #endif
-    set_default_nan_mode(1, &env->vfp.fp_status);
+    set_default_nan_mode(1, &env->fp_status);
     env->mmucr = 0;
 }
 
commit 442599a340ad04f2915c471430ae8a93cb42b261
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:17 2011 +0100

    target-sh4: use default-NaN mode
    
    SH4 FPU doesn't propagate NaN, and instead always regenerate new ones.
    Enable the default-NaN mode by default.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index 37915d5..1858423 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -206,6 +206,7 @@ static void cpu_sh4_reset(CPUSH4State * env)
     env->fpscr = 0x00040001; /* CPU reset value according to SH4 manual */
     set_float_rounding_mode(float_round_to_zero, &env->fp_status);
 #endif
+    set_default_nan_mode(1, &env->vfp.fp_status);
     env->mmucr = 0;
 }
 
commit 102016020bb0f368958ae91d293e13c61b3923a1
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:17 2011 +0100

    softfloat: fix default-NaN mode
    
    When the default-NaN mode is enabled, it should return the default NaN
    value, but it should anyway raise the invalid operation flag if one of
    the operand is an sNaN.
    
    I have checked that this behavior matches the ARM and SH4 manuals, as
    well as real SH4 hardware.
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 186b4da..11521ce 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -278,9 +278,6 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
     flag aIsLargerSignificand;
     bits32 av, bv;
 
-    if ( STATUS(default_nan_mode) )
-        return float32_default_nan;
-
     aIsQuietNaN = float32_is_quiet_nan( a );
     aIsSignalingNaN = float32_is_signaling_nan( a );
     bIsQuietNaN = float32_is_quiet_nan( b );
@@ -290,6 +287,9 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
+    if ( STATUS(default_nan_mode) )
+        return float32_default_nan;
+
     if ((bits32)(av<<1) < (bits32)(bv<<1)) {
         aIsLargerSignificand = 0;
     } else if ((bits32)(bv<<1) < (bits32)(av<<1)) {
@@ -423,9 +423,6 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
     flag aIsLargerSignificand;
     bits64 av, bv;
 
-    if ( STATUS(default_nan_mode) )
-        return float64_default_nan;
-
     aIsQuietNaN = float64_is_quiet_nan( a );
     aIsSignalingNaN = float64_is_signaling_nan( a );
     bIsQuietNaN = float64_is_quiet_nan( b );
@@ -435,6 +432,9 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
+    if ( STATUS(default_nan_mode) )
+        return float64_default_nan;
+
     if ((bits64)(av<<1) < (bits64)(bv<<1)) {
         aIsLargerSignificand = 0;
     } else if ((bits64)(bv<<1) < (bits64)(av<<1)) {
@@ -574,12 +574,6 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
     flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
     flag aIsLargerSignificand;
 
-    if ( STATUS(default_nan_mode) ) {
-        a.low = floatx80_default_nan_low;
-        a.high = floatx80_default_nan_high;
-        return a;
-    }
-
     aIsQuietNaN = floatx80_is_quiet_nan( a );
     aIsSignalingNaN = floatx80_is_signaling_nan( a );
     bIsQuietNaN = floatx80_is_quiet_nan( b );
@@ -587,6 +581,12 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
 
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
+    if ( STATUS(default_nan_mode) ) {
+        a.low = floatx80_default_nan_low;
+        a.high = floatx80_default_nan_high;
+        return a;
+    }
+
     if (a.low < b.low) {
         aIsLargerSignificand = 0;
     } else if (b.low < a.low) {
@@ -719,12 +719,6 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
     flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
     flag aIsLargerSignificand;
 
-    if ( STATUS(default_nan_mode) ) {
-        a.low = float128_default_nan_low;
-        a.high = float128_default_nan_high;
-        return a;
-    }
-
     aIsQuietNaN = float128_is_quiet_nan( a );
     aIsSignalingNaN = float128_is_signaling_nan( a );
     bIsQuietNaN = float128_is_quiet_nan( b );
@@ -732,6 +726,12 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
 
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
+    if ( STATUS(default_nan_mode) ) {
+        a.low = float128_default_nan_low;
+        a.high = float128_default_nan_high;
+        return a;
+    }
+
     if (lt128(a.high<<1, a.low, b.high<<1, b.low)) {
         aIsLargerSignificand = 0;
     } else if (lt128(b.high<<1, b.low, a.high<<1, a.low)) {
commit e90877507ea8864e32692cb79da1685f5ada8c78
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:17 2011 +0100

    softfloat: SH4 has the sNaN bit set
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index f293f24..186b4da 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -30,7 +30,7 @@ these four paragraphs for those parts of this code that are retained.
 
 =============================================================================*/
 
-#if defined(TARGET_MIPS)
+#if defined(TARGET_MIPS) || defined(TARGET_SH4)
 #define SNAN_BIT_IS_ONE		1
 #else
 #define SNAN_BIT_IS_ONE		0
@@ -108,7 +108,7 @@ float32 float32_maybe_silence_nan( float32 a_ )
 {
     if (float32_is_signaling_nan(a_)) {
 #if SNAN_BIT_IS_ONE
-#  if defined(TARGET_MIPS)
+#  if defined(TARGET_MIPS) || defined(TARGET_SH4)
         return float32_default_nan;
 #  else
 #    error Rules for silencing a signaling NaN are target-specific
@@ -362,7 +362,7 @@ float64 float64_maybe_silence_nan( float64 a_ )
 {
     if (float64_is_signaling_nan(a_)) {
 #if SNAN_BIT_IS_ONE
-#  if defined(TARGET_MIPS)
+#  if defined(TARGET_MIPS) || defined(TARGET_SH4)
         return float64_default_nan;
 #  else
 #    error Rules for silencing a signaling NaN are target-specific
@@ -515,7 +515,7 @@ floatx80 floatx80_maybe_silence_nan( floatx80 a )
 {
     if (floatx80_is_signaling_nan(a)) {
 #if SNAN_BIT_IS_ONE
-#  if defined(TARGET_MIPS)
+#  if defined(TARGET_MIPS) || defined(TARGET_SH4)
         a.low = floatx80_default_nan_low;
         a.high = floatx80_default_nan_high;
 #  else
@@ -664,7 +664,7 @@ float128 float128_maybe_silence_nan( float128 a )
 {
     if (float128_is_signaling_nan(a)) {
 #if SNAN_BIT_IS_ONE
-#  if defined(TARGET_MIPS)
+#  if defined(TARGET_MIPS) || defined(TARGET_SH4)
         a.low = float128_default_nan_low;
         a.high = float128_default_nan_high;
 #  else
commit eb8f77761e88a3e281de5e76fc4baa7f34258b82
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:39:17 2011 +0100

    target-sh4: switch sh4 to softfloat
    
    We need to be able to catch exceptions correctly and thus enable softfloat
    on SH4.
    
    As all machines except i386 and x86_64 are using softfloat, make it the
    default and change the case to detect i386 and x86_64. Note that CRIS
    doesn't have an FPU, so it can be configured with both softfloat-native
    and softfloat.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/configure b/configure
index 54afdda..d68f862 100755
--- a/configure
+++ b/configure
@@ -3061,11 +3061,11 @@ if test ! -z "$gdb_xml_files" ; then
 fi
 
 case "$target_arch2" in
-  alpha|arm|armeb|m68k|microblaze|mips|mipsel|mipsn32|mipsn32el|mips64|mips64el|ppc|ppc64|ppc64abi32|ppcemb|s390x|sparc|sparc64|sparc32plus)
-    echo "CONFIG_SOFTFLOAT=y" >> $config_target_mak
+  i386|x86_64)
+    echo "CONFIG_NOSOFTFLOAT=y" >> $config_target_mak
     ;;
   *)
-    echo "CONFIG_NOSOFTFLOAT=y" >> $config_target_mak
+    echo "CONFIG_SOFTFLOAT=y" >> $config_target_mak
     ;;
 esac
 
commit eae30c8f409ad17d7064a7f0e5c00a80f5f52d35
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Jan 14 20:21:22 2011 +0100

    configure: fix broken test
    
    Since commit d1807a4f836c27f6dc7061e53a834dd27f78e46a ./configure tries
    to test files and directories with "test -f", which only test for regular
    files. Test with "test -e", which looks for any kind of files.
    
    This unbreak the configure script when not using a separate object
    directory.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/configure b/configure
index c058934..54afdda 100755
--- a/configure
+++ b/configure
@@ -3241,7 +3241,7 @@ for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_p
 done
 mkdir -p $DIRS
 for f in $FILES ; do
-    test -f $f || symlink $source_path/$f $f
+    test -e $f || symlink $source_path/$f $f
 done
 
 # temporary config to build submodules
commit 74242e0f7f4bf3d85fe28b939a3d66827fe653e5
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:44:02 2010 +0100

    make trace options use autoconfy names
    
    These are not in any release, so I am just renaming them.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index ee782db..c058934 100755
--- a/configure
+++ b/configure
@@ -515,9 +515,9 @@ for opt do
   ;;
   --target-list=*) target_list="$optarg"
   ;;
-  --trace-backend=*) trace_backend="$optarg"
+  --enable-trace-backend=*) trace_backend="$optarg"
   ;;
-  --trace-file=*) trace_file="$optarg"
+  --with-trace-file=*) trace_file="$optarg"
   ;;
   --enable-gprof) gprof="yes"
   ;;
@@ -907,8 +907,8 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --trace-backend=B        Trace backend nop simple ust dtrace"
-echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
+echo "  --enable-trace-backend=B Trace backend nop simple ust dtrace"
+echo "  --with-trace-file=NAME   Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo "  --disable-spice          disable spice"
 echo "  --enable-spice           enable spice"
commit ca4deeb13abc72e3ac5a9e5bc86a25bc2d423b16
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:44:00 2010 +0100

    move --srcdir detection earlier
    
    This will help getting config.guess and config.sub from the srcdir.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 988008a..ee782db 100755
--- a/configure
+++ b/configure
@@ -75,6 +75,7 @@ path_of() {
 }
 
 # default parameters
+source_path=`dirname "$0"`
 cpu=""
 interp_prefix="/usr/gnemul/qemu-%M"
 static="no"
@@ -182,6 +183,8 @@ for opt do
   ;;
   --cc=*) CC="$optarg"
   ;;
+  --source-path=*) source_path="$optarg"
+  ;;
   --cpu=*) cpu="$optarg"
   ;;
   --extra-cflags=*) QEMU_CFLAGS="$optarg $QEMU_CFLAGS"
@@ -228,6 +231,9 @@ QEMU_CFLAGS="-D_FORTIFY_SOURCE=2 $QEMU_CFLAGS"
 QEMU_INCLUDES="-I. -I\$(SRC_PATH)"
 LDFLAGS="-g $LDFLAGS"
 
+# make source path absolute
+source_path=`cd "$source_path"; pwd`
+
 check_define() {
 cat > $TMPC <<EOF
 #if !defined($1)
@@ -478,10 +484,6 @@ if test "$mingw32" = "yes" ; then
   confsuffix=""
 fi
 
-# find source path
-source_path=`dirname "$0"`
-source_path=`cd "$source_path"; pwd`
-
 werror=""
 
 for opt do
@@ -493,7 +495,7 @@ for opt do
   ;;
   --interp-prefix=*) interp_prefix="$optarg"
   ;;
-  --source-path=*) source_path="$optarg"
+  --source-path=*)
   ;;
   --cross-prefix=*)
   ;;
commit ddc0966462ebd05211020b29a5d620bf44ddefaf
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:44:01 2010 +0100

     [PATCH v3 14/15] remove HOST_CC mention from roms/{sea, vga}bios/config.mak
    
    Not used in the submodules.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 6ade985..988008a 100755
--- a/configure
+++ b/configure
@@ -3252,7 +3252,6 @@ for rom in seabios vgabios ; do
     echo "CPP=${cross_prefix}cpp" >> $config_mak
     echo "OBJCOPY=objcopy" >> $config_mak
     echo "IASL=iasl" >> $config_mak
-    echo "HOST_CC=$host_cc" >> $config_mak
     echo "LD=$ld" >> $config_mak
 done
 
commit d1807a4f836c27f6dc7061e53a834dd27f78e46a
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:59 2010 +0100

    remove source_path_used
    
    Not necessary since we use mkdir -p and from this patch test -f.
    
    Also, dirname returns "." if a path has no directory component,
    as is the case for "sh configure".
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 5bbf909..6ade985 100755
--- a/configure
+++ b/configure
@@ -480,14 +480,7 @@ fi
 
 # find source path
 source_path=`dirname "$0"`
-source_path_used="no"
-workdir=`pwd`
-if [ -z "$source_path" ]; then
-    source_path=$workdir
-else
-    source_path=`cd "$source_path"; pwd`
-fi
-[ -f "$workdir/vl.c" ] || source_path_used="yes"
+source_path=`cd "$source_path"; pwd`
 
 werror=""
 
@@ -501,7 +494,6 @@ for opt do
   --interp-prefix=*) interp_prefix="$optarg"
   ;;
   --source-path=*) source_path="$optarg"
-  source_path_used="yes"
   ;;
   --cross-prefix=*)
   ;;
@@ -3234,26 +3226,21 @@ echo "QEMU_INCLUDES+=$includes" >> $config_target_mak
 
 done # for target in $targets
 
-# build tree in object directory if source path is different from current one
-if test "$source_path_used" = "yes" ; then
-    DIRS="tests tests/cris slirp audio block net pc-bios/optionrom"
-    DIRS="$DIRS roms/seabios roms/vgabios"
-    DIRS="$DIRS fsdev ui"
-    FILES="Makefile tests/Makefile"
-    FILES="$FILES tests/cris/Makefile tests/cris/.gdbinit"
-    FILES="$FILES tests/test-mmap.c"
-    FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps"
-    FILES="$FILES roms/seabios/Makefile roms/vgabios/Makefile"
-    for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_path/pc-bios/openbios-*; do
-        FILES="$FILES pc-bios/`basename $bios_file`"
-    done
-    for dir in $DIRS ; do
-            mkdir -p $dir
-    done
-    for f in $FILES ; do
-        symlink $source_path/$f $f
-    done
-fi
+# build tree in object directory in case the source is not in the current directory
+DIRS="tests tests/cris slirp audio block net pc-bios/optionrom"
+DIRS="$DIRS roms/seabios roms/vgabios"
+DIRS="$DIRS fsdev ui"
+FILES="Makefile tests/Makefile"
+FILES="$FILES tests/cris/Makefile tests/cris/.gdbinit"
+FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps"
+FILES="$FILES roms/seabios/Makefile roms/vgabios/Makefile"
+for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_path/pc-bios/openbios-*; do
+    FILES="$FILES pc-bios/`basename $bios_file`"
+done
+mkdir -p $DIRS
+for f in $FILES ; do
+    test -f $f || symlink $source_path/$f $f
+done
 
 # temporary config to build submodules
 for rom in seabios vgabios ; do
commit 11568d6df9113bb9e7c3d84de6914f335376bd6a
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:58 2010 +0100

    move "ln -sf" emulation to a function
    
    "ln -sf" does not really do anything more than "ln -s" on Solaris.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 134863b..5bbf909 100755
--- a/configure
+++ b/configure
@@ -32,6 +32,12 @@ compile_prog() {
   $cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log 2>&1
 }
 
+# symbolically link $1 to $2.  Portable version of "ln -sf".
+symlink() {
+  rm -f $2
+  ln -s $1 $2
+}
+
 # check whether a command is available to this shell (may be either an
 # executable or a builtin)
 has() {
@@ -2811,8 +2817,7 @@ fi
 
 for d in libdis libdis-user; do
     mkdir -p $d
-    rm -f $d/Makefile
-    ln -s $source_path/Makefile.dis $d/Makefile
+    symlink $source_path/Makefile.dis $d/Makefile
     echo > $d/config.mak
 done
 if test "$static" = "no" -a "$user_pie" = "yes" ; then
@@ -2876,12 +2881,7 @@ mkdir -p $target_dir/ide
 if test "$target" = "arm-linux-user" -o "$target" = "armeb-linux-user" -o "$target" = "arm-bsd-user" -o "$target" = "armeb-bsd-user" ; then
   mkdir -p $target_dir/nwfpe
 fi
-
-#
-# don't use ln -sf as not all "ln -sf" over write the file/link
-#
-rm -f $target_dir/Makefile
-ln -s $source_path/Makefile.target $target_dir/Makefile
+symlink $source_path/Makefile.target $target_dir/Makefile
 
 
 echo "# Automatically generated by configure - do not modify" > $config_target_mak
@@ -3250,10 +3250,8 @@ if test "$source_path_used" = "yes" ; then
     for dir in $DIRS ; do
             mkdir -p $dir
     done
-    # remove the link and recreate it, as not all "ln -sf" overwrite the link
     for f in $FILES ; do
-        rm -f $f
-        ln -s $source_path/$f $f
+        symlink $source_path/$f $f
     done
 fi
 
@@ -3275,15 +3273,13 @@ for hwlib in 32 64; do
   d=libhw$hwlib
   mkdir -p $d
   mkdir -p $d/ide
-  rm -f $d/Makefile
-  ln -s $source_path/Makefile.hw $d/Makefile
+  symlink $source_path/Makefile.hw $d/Makefile
   echo "QEMU_CFLAGS+=-DTARGET_PHYS_ADDR_BITS=$hwlib" > $d/config.mak
 done
 
 d=libuser
 mkdir -p $d
-rm -f $d/Makefile
-ln -s $source_path/Makefile.user $d/Makefile
+symlink $source_path/Makefile.user $d/Makefile
 if test "$static" = "no" -a "$user_pie" = "yes" ; then
   echo "QEMU_CFLAGS+=-fpie" > $d/config.mak
 fi
commit 3ec87ffe17650c585c52cb3d89d0645ccccd49e1
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:57 2010 +0100

    reorganize sdl-config tests
    
    This also allows overriding it with SDL_CONFIG, and warning in suspicious
    cross-compilation scenarios.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index c6e4aa0..134863b 100755
--- a/configure
+++ b/configure
@@ -210,6 +210,7 @@ ld="${cross_prefix}${LD-ld}"
 strip="${cross_prefix}${STRIP-strip}"
 windres="${cross_prefix}${WINDRES-windres}"
 pkg_config="${cross_prefix}${PKG_CONFIG-pkg-config}"
+sdl_config="${cross_prefix}${SDL_CONFIG-sdl-config}"
 
 # default flags for all hosts
 QEMU_CFLAGS="-fno-strict-aliasing $QEMU_CFLAGS"
@@ -1183,21 +1184,17 @@ fi
 ##########################################
 # SDL probe
 
-# Look for sdl configuration program (pkg-config or sdl-config).
-# Prefer variant with cross prefix if cross compiling,
-# and favour pkg-config with sdl over sdl-config.
-if test -n "$cross_prefix" -a $pkg_config != pkg-config && \
-     $pkg_config sdl --modversion >/dev/null 2>&1; then
-  sdlconfig="$pkg_config sdl"
-  _sdlversion=`$sdlconfig --modversion 2>/dev/null | sed 's/[^0-9]//g'`
-elif test -n "$cross_prefix" && has ${cross_prefix}sdl-config; then
-  sdlconfig="${cross_prefix}sdl-config"
-  _sdlversion=`$sdlconfig --version | sed 's/[^0-9]//g'`
-elif $pkg_config sdl --modversion >/dev/null 2>&1; then
+# Look for sdl configuration program (pkg-config or sdl-config).  Try
+# sdl-config even without cross prefix, and favour pkg-config over sdl-config.
+if test "`basename $sdl_config`" != sdl-config && ! has ${sdl_config}; then
+  sdl_config=sdl-config
+fi
+
+if $pkg_config sdl --modversion >/dev/null 2>&1; then
   sdlconfig="$pkg_config sdl"
   _sdlversion=`$sdlconfig --modversion 2>/dev/null | sed 's/[^0-9]//g'`
-elif has sdl-config; then
-  sdlconfig='sdl-config'
+elif has ${sdl_config}; then
+  sdlconfig="$sdl_config"
   _sdlversion=`$sdlconfig --version | sed 's/[^0-9]//g'`
 else
   if test "$sdl" = "yes" ; then
@@ -1205,6 +1202,9 @@ else
   fi
   sdl=no
 fi
+if test -n "$cross_prefix" && test "`basename $sdlconfig`" = sdl-config; then
+  echo warning: using "\"$sdlconfig\"" to detect cross-compiled sdl >&2
+fi
 
 sdl_too_old=no
 if test "$sdl" != "no" ; then
commit 0842154128a6763c63ef011cb967219605625f18
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:56 2010 +0100

    do not default to non-prefixed pkg-config when cross compiling
    
    This can still be requested with PKG_CONFIG=/path/to/pkg-config.
    Just do not use it as a default, and print a warning.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 7eabae4..c6e4aa0 100755
--- a/configure
+++ b/configure
@@ -1163,8 +1163,8 @@ fi
 # pkg-config probe
 
 if ! has $pkg_config; then
-  # likely not cross compiling, or hope for the best
-  pkg_config=pkg-config
+  echo warning: proceeding without "$pkg_config" >&2
+  pkg_config=/bin/false
 fi
 
 ##########################################
commit a8bd70ad3b62701037e9f3a996762ca7c29581a2
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:55 2010 +0100

    fix spelling of $pkg_config, move default together with other cross tools
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 758751e..7eabae4 100755
--- a/configure
+++ b/configure
@@ -209,6 +209,7 @@ objcopy="${cross_prefix}${OBJCOPY-objcopy}"
 ld="${cross_prefix}${LD-ld}"
 strip="${cross_prefix}${STRIP-strip}"
 windres="${cross_prefix}${WINDRES-windres}"
+pkg_config="${cross_prefix}${PKG_CONFIG-pkg-config}"
 
 # default flags for all hosts
 QEMU_CFLAGS="-fno-strict-aliasing $QEMU_CFLAGS"
@@ -1159,12 +1160,11 @@ EOF
 fi
 
 ##########################################
-# pkgconfig probe
+# pkg-config probe
 
-pkgconfig="${cross_prefix}pkg-config"
-if ! has $pkgconfig; then
+if ! has $pkg_config; then
   # likely not cross compiling, or hope for the best
-  pkgconfig=pkg-config
+  pkg_config=pkg-config
 fi
 
 ##########################################
@@ -1186,15 +1186,15 @@ fi
 # Look for sdl configuration program (pkg-config or sdl-config).
 # Prefer variant with cross prefix if cross compiling,
 # and favour pkg-config with sdl over sdl-config.
-if test -n "$cross_prefix" -a $pkgconfig != pkg-config && \
-     $pkgconfig sdl --modversion >/dev/null 2>&1; then
-  sdlconfig="$pkgconfig sdl"
+if test -n "$cross_prefix" -a $pkg_config != pkg-config && \
+     $pkg_config sdl --modversion >/dev/null 2>&1; then
+  sdlconfig="$pkg_config sdl"
   _sdlversion=`$sdlconfig --modversion 2>/dev/null | sed 's/[^0-9]//g'`
 elif test -n "$cross_prefix" && has ${cross_prefix}sdl-config; then
   sdlconfig="${cross_prefix}sdl-config"
   _sdlversion=`$sdlconfig --version | sed 's/[^0-9]//g'`
-elif $pkgconfig sdl --modversion >/dev/null 2>&1; then
-  sdlconfig="$pkgconfig sdl"
+elif $pkg_config sdl --modversion >/dev/null 2>&1; then
+  sdlconfig="$pkg_config sdl"
   _sdlversion=`$sdlconfig --modversion 2>/dev/null | sed 's/[^0-9]//g'`
 elif has sdl-config; then
   sdlconfig='sdl-config'
@@ -1274,8 +1274,8 @@ if test "$vnc_tls" != "no" ; then
 #include <gnutls/gnutls.h>
 int main(void) { gnutls_session_t s; gnutls_init(&s, GNUTLS_SERVER); return 0; }
 EOF
-  vnc_tls_cflags=`$pkgconfig --cflags gnutls 2> /dev/null`
-  vnc_tls_libs=`$pkgconfig --libs gnutls 2> /dev/null`
+  vnc_tls_cflags=`$pkg_config --cflags gnutls 2> /dev/null`
+  vnc_tls_libs=`$pkg_config --libs gnutls 2> /dev/null`
   if compile_prog "$vnc_tls_cflags" "$vnc_tls_libs" ; then
     vnc_tls=yes
     libs_softmmu="$vnc_tls_libs $libs_softmmu"
@@ -1589,8 +1589,8 @@ fi
 ##########################################
 # curl probe
 
-if $pkgconfig libcurl --modversion >/dev/null 2>&1; then
-  curlconfig="$pkgconfig libcurl"
+if $pkg_config libcurl --modversion >/dev/null 2>&1; then
+  curlconfig="$pkg_config libcurl"
 else
   curlconfig=curl-config
 fi
@@ -1622,7 +1622,7 @@ if test "$check_utests" != "no" ; then
 #include <check.h>
 int main(void) { suite_create("qemu test"); return 0; }
 EOF
-  check_libs=`$pkgconfig --libs check`
+  check_libs=`$pkg_config --libs check`
   if compile_prog "" $check_libs ; then
     check_utests=yes
     libs_tools="$check_libs $libs_tools"
@@ -1641,8 +1641,8 @@ if test "$bluez" != "no" ; then
 #include <bluetooth/bluetooth.h>
 int main(void) { return bt_error(0); }
 EOF
-  bluez_cflags=`$pkgconfig --cflags bluez 2> /dev/null`
-  bluez_libs=`$pkgconfig --libs bluez 2> /dev/null`
+  bluez_cflags=`$pkg_config --cflags bluez 2> /dev/null`
+  bluez_libs=`$pkg_config --libs bluez 2> /dev/null`
   if compile_prog "$bluez_cflags" "$bluez_libs" ; then
     bluez=yes
     libs_softmmu="$bluez_libs $libs_softmmu"
@@ -1686,7 +1686,7 @@ EOF
             kvm_cflags="$kvm_cflags -I$kerneldir/arch/$cpu/include"
       fi
   else
-    kvm_cflags=`$pkgconfig --cflags kvm-kmod 2>/dev/null`
+    kvm_cflags=`$pkg_config --cflags kvm-kmod 2>/dev/null`
   fi
   if compile_prog "$kvm_cflags" "" ; then
     kvm=yes
commit 70be1a2e1ac5ce37e809d220bb4db449633e07b1
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:54 2010 +0100

    provide portable HOST_LONG_BITS test
    
    Do not hardcode the list of 64-bit CPUs.  Use sizeof(void *) to
    compute it.  Renaming it to HOST_LONG_BITS to HOST_POINTER_BITS
    is left for later.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index a9ffa22..758751e 100755
--- a/configure
+++ b/configure
@@ -1084,13 +1084,15 @@ esac
 
 fi
 
-# host long bits test
-hostlongbits="32"
-case "$cpu" in
-  x86_64|alpha|ia64|sparc64|ppc64|s390x)
-    hostlongbits=64
-  ;;
-esac
+# host long bits test, actually a pointer size test
+cat > $TMPC << EOF
+int sizeof_pointer_is_8[sizeof(void *) == 8 ? 1 : -1];
+EOF
+if compile_object; then
+hostlongbits=64
+else
+hostlongbits=32
+fi
 
 
 ##########################################
commit f9728943ff8eec02c17e9eaa34dc8203e0ef8cc2
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:53 2010 +0100

    do not pass bogus $(SRC_PATH) include paths to cc during configure
    
    Non-existent -I paths are dropped silently by the compiler, but still
    it is not polite to pass bogus options.  Configure-time tests do not
    need any include files from the source path, so only include -I flags
    at make time (when they're properly expanded).
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 113ede6..a9ffa22 100755
--- a/configure
+++ b/configure
@@ -217,7 +217,7 @@ QEMU_CFLAGS="-Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes $
 QEMU_CFLAGS="-Wstrict-prototypes -Wredundant-decls $QEMU_CFLAGS"
 QEMU_CFLAGS="-D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE $QEMU_CFLAGS"
 QEMU_CFLAGS="-D_FORTIFY_SOURCE=2 $QEMU_CFLAGS"
-QEMU_CFLAGS="-I. -I\$(SRC_PATH) $QEMU_CFLAGS"
+QEMU_INCLUDES="-I. -I\$(SRC_PATH)"
 LDFLAGS="-g $LDFLAGS"
 
 check_define() {
@@ -2545,7 +2545,7 @@ if test $profiler = "yes" ; then
 fi
 if test "$slirp" = "yes" ; then
   echo "CONFIG_SLIRP=y" >> $config_host_mak
-  QEMU_CFLAGS="-I\$(SRC_PATH)/slirp $QEMU_CFLAGS"
+  QEMU_INCLUDES="-I\$(SRC_PATH)/slirp $QEMU_INCLUDES"
 fi
 if test "$vde" = "yes" ; then
   echo "CONFIG_VDE=y" >> $config_host_mak
@@ -2781,6 +2781,7 @@ echo "LD=$ld" >> $config_host_mak
 echo "WINDRES=$windres" >> $config_host_mak
 echo "CFLAGS=$CFLAGS" >> $config_host_mak
 echo "QEMU_CFLAGS=$QEMU_CFLAGS" >> $config_host_mak
+echo "QEMU_INCLUDES=$QEMU_INCLUDES" >> $config_host_mak
 if test "$sparse" = "yes" ; then
   echo "CC           := REAL_CC=\"\$(CC)\" cgcc"       >> $config_host_mak
   echo "HOST_CC      := REAL_CC=\"\$(HOST_CC)\" cgcc"  >> $config_host_mak
@@ -3089,19 +3090,20 @@ fi
 # generate QEMU_CFLAGS/LDFLAGS for targets
 
 cflags=""
+includes=""
 ldflags=""
 
 if test "$ARCH" = "sparc64" ; then
-  cflags="-I\$(SRC_PATH)/tcg/sparc $cflags"
+  includes="-I\$(SRC_PATH)/tcg/sparc $includes"
 elif test "$ARCH" = "s390x" ; then
-  cflags="-I\$(SRC_PATH)/tcg/s390 $cflags"
+  includes="-I\$(SRC_PATH)/tcg/s390 $includes"
 elif test "$ARCH" = "x86_64" ; then
-  cflags="-I\$(SRC_PATH)/tcg/i386 $cflags"
+  includes="-I\$(SRC_PATH)/tcg/i386 $includes"
 else
-  cflags="-I\$(SRC_PATH)/tcg/\$(ARCH) $cflags"
+  includes="-I\$(SRC_PATH)/tcg/\$(ARCH) $includes"
 fi
-cflags="-I\$(SRC_PATH)/tcg $cflags"
-cflags="-I\$(SRC_PATH)/fpu $cflags"
+includes="-I\$(SRC_PATH)/tcg $includes"
+includes="-I\$(SRC_PATH)/fpu $includes"
 
 if test "$target_user_only" = "yes" ; then
     libdis_config_mak=libdis-user/config.mak
@@ -3226,6 +3228,7 @@ fi
 
 echo "LDFLAGS+=$ldflags" >> $config_target_mak
 echo "QEMU_CFLAGS+=$cflags" >> $config_target_mak
+echo "QEMU_INCLUDES+=$includes" >> $config_target_mak
 
 done # for target in $targets
 
diff --git a/rules.mak b/rules.mak
index 6dac777..738eec3 100644
--- a/rules.mak
+++ b/rules.mak
@@ -15,13 +15,13 @@ MAKEFLAGS += -rR
 QEMU_DGFLAGS += -MMD -MP -MT $@ -MF $(*D)/$(*F).d
 
 %.o: %.c
-	$(call quiet-command,$(CC) $(QEMU_CFLAGS) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $<,"  CC    $(TARGET_DIR)$@")
+	$(call quiet-command,$(CC) $(QEMU_CFLAGS) $(QEMU_INCLUDES) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $<,"  CC    $(TARGET_DIR)$@")
 
 %.o: %.S
-	$(call quiet-command,$(CC) $(QEMU_CFLAGS) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $<,"  AS    $(TARGET_DIR)$@")
+	$(call quiet-command,$(CC) $(QEMU_CFLAGS) $(QEMU_INCLUDES) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $<,"  AS    $(TARGET_DIR)$@")
 
 %.o: %.m
-	$(call quiet-command,$(CC) $(QEMU_CFLAGS) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $<,"  OBJC  $(TARGET_DIR)$@")
+	$(call quiet-command,$(CC) $(QEMU_CFLAGS) $(QEMU_INCLUDES) $(QEMU_DGFLAGS) $(CFLAGS) -c -o $@ $<,"  OBJC  $(TARGET_DIR)$@")
 
 LINK = $(call quiet-command,$(CC) $(QEMU_CFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $(1) $(LIBS),"  LINK  $(TARGET_DIR)$@")
 
diff --git a/tests/Makefile b/tests/Makefile
index e43ec70..9ded4b7 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -7,7 +7,8 @@ QEMU=../i386-linux-user/qemu-i386
 QEMU_X86_64=../x86_64-linux-user/qemu-x86_64
 CC_X86_64=$(CC_I386) -m64
 
-CFLAGS=-Wall -O2 -g -fno-strict-aliasing -I..
+QEMU_INCLUDES += -I..
+CFLAGS=-Wall -O2 -g -fno-strict-aliasing
 #CFLAGS+=-msse2
 LDFLAGS=
 
commit 8d05095cec5feabba03078d5fabf5ac207fa8d4b
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:52 2010 +0100

    test cc with the complete set of chosen flags
    
    The "test the C compiler works ok" comes before a bunch of flags
    are added for --cpu or just depending on the host.  It helps
    debugging if the test is done after these flags are (unconditionally)
    added.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 11a7b18..113ede6 100755
--- a/configure
+++ b/configure
@@ -220,31 +220,6 @@ QEMU_CFLAGS="-D_FORTIFY_SOURCE=2 $QEMU_CFLAGS"
 QEMU_CFLAGS="-I. -I\$(SRC_PATH) $QEMU_CFLAGS"
 LDFLAGS="-g $LDFLAGS"
 
-gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits"
-gcc_flags="-Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers $gcc_flags"
-gcc_flags="-Wmissing-include-dirs -Wempty-body -Wnested-externs $gcc_flags"
-gcc_flags="-fstack-protector-all $gcc_flags"
-cat > $TMPC << EOF
-int main(void) { return 0; }
-EOF
-for flag in $gcc_flags; do
-    if compile_prog "-Werror $QEMU_CFLAGS" "-Werror $flag" ; then
-	QEMU_CFLAGS="$QEMU_CFLAGS $flag"
-    fi
-done
-
-# check that the C compiler works.
-cat > $TMPC <<EOF
-int main(void) {}
-EOF
-
-if compile_object ; then
-  : C compiler works ok
-else
-    echo "ERROR: \"$cc\" either does not exist or does not work"
-    exit 1
-fi
-
 check_define() {
 cat > $TMPC <<EOF
 #if !defined($1)
@@ -941,6 +916,31 @@ echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
 fi
 
+# check that the C compiler works.
+cat > $TMPC <<EOF
+int main(void) {}
+EOF
+
+if compile_object ; then
+  : C compiler works ok
+else
+    echo "ERROR: \"$cc\" either does not exist or does not work"
+    exit 1
+fi
+
+gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits"
+gcc_flags="-Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers $gcc_flags"
+gcc_flags="-Wmissing-include-dirs -Wempty-body -Wnested-externs $gcc_flags"
+gcc_flags="-fstack-protector-all $gcc_flags"
+cat > $TMPC << EOF
+int main(void) { return 0; }
+EOF
+for flag in $gcc_flags; do
+    if compile_prog "-Werror $QEMU_CFLAGS" "-Werror $flag" ; then
+	QEMU_CFLAGS="$QEMU_CFLAGS $flag"
+    fi
+done
+
 #
 # Solaris specific configure tool chain decisions
 #
commit 377529c009e3fce480d9c233bb3238b14a950816
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:50 2010 +0100

    move feature variables to the top
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 89cfa12..13b2aa7 100755
--- a/configure
+++ b/configure
@@ -86,6 +86,88 @@ audio_pt_int=""
 audio_win_int=""
 cc_i386=i386-pc-linux-gnu-gcc
 
+target_list=""
+
+# Default value for a variable defining feature "foo".
+#  * foo="no"  feature will only be used if --enable-foo arg is given
+#  * foo=""    feature will be searched for, and if found, will be used
+#              unless --disable-foo is given
+#  * foo="yes" this value will only be set by --enable-foo flag.
+#              feature will searched for,
+#              if not found, configure exits with error
+#
+# Always add --enable-foo and --disable-foo command line args.
+# Distributions want to ensure that several features are compiled in, and it
+# is impossible without a --enable-foo that exits if a feature is not found.
+
+bluez=""
+brlapi=""
+curl=""
+curses=""
+docs=""
+fdt=""
+kvm=""
+kvm_para=""
+nptl=""
+sdl=""
+sparse="no"
+uuid=""
+vde=""
+vnc_tls=""
+vnc_sasl=""
+vnc_jpeg=""
+vnc_png=""
+vnc_thread="no"
+xen=""
+linux_aio=""
+attr=""
+vhost_net=""
+xfs=""
+
+gprof="no"
+debug_tcg="no"
+debug_mon="no"
+debug="no"
+strip_opt="yes"
+bigendian="no"
+mingw32="no"
+EXESUF=""
+prefix="/usr/local"
+mandir="\${prefix}/share/man"
+datadir="\${prefix}/share/qemu"
+docdir="\${prefix}/share/doc/qemu"
+bindir="\${prefix}/bin"
+sysconfdir="\${prefix}/etc"
+confsuffix="/qemu"
+slirp="yes"
+fmod_lib=""
+fmod_inc=""
+oss_lib=""
+bsd="no"
+linux="no"
+solaris="no"
+profiler="no"
+cocoa="no"
+softmmu="yes"
+linux_user="no"
+darwin_user="no"
+bsd_user="no"
+guest_base=""
+uname_release=""
+io_thread="no"
+mixemu="no"
+kerneldir=""
+aix="no"
+blobs="yes"
+pkgversion=""
+check_utests="no"
+user_pie="no"
+zero_malloc=""
+trace_backend="nop"
+trace_file="trace"
+spice=""
+rbd=""
+
 # parse CC options first
 for opt do
   optarg=`expr "x$opt" : 'x[^=]*=\(.*\)'`
@@ -208,7 +290,6 @@ else
   cpu=`uname -m`
 fi
 
-target_list=""
 case "$cpu" in
   alpha|cris|ia64|m68k|microblaze|ppc|ppc64|sparc64)
     cpu="$cpu"
@@ -246,87 +327,6 @@ case "$cpu" in
   ;;
 esac
 
-# Default value for a variable defining feature "foo".
-#  * foo="no"  feature will only be used if --enable-foo arg is given
-#  * foo=""    feature will be searched for, and if found, will be used
-#              unless --disable-foo is given
-#  * foo="yes" this value will only be set by --enable-foo flag.
-#              feature will searched for,
-#              if not found, configure exits with error
-#
-# Always add --enable-foo and --disable-foo command line args.
-# Distributions want to ensure that several features are compiled in, and it
-# is impossible without a --enable-foo that exits if a feature is not found.
-
-bluez=""
-brlapi=""
-curl=""
-curses=""
-docs=""
-fdt=""
-kvm=""
-kvm_para=""
-nptl=""
-sdl=""
-sparse="no"
-uuid=""
-vde=""
-vnc_tls=""
-vnc_sasl=""
-vnc_jpeg=""
-vnc_png=""
-vnc_thread="no"
-xen=""
-linux_aio=""
-attr=""
-vhost_net=""
-xfs=""
-
-gprof="no"
-debug_tcg="no"
-debug_mon="no"
-debug="no"
-strip_opt="yes"
-bigendian="no"
-mingw32="no"
-EXESUF=""
-prefix="/usr/local"
-mandir="\${prefix}/share/man"
-datadir="\${prefix}/share/qemu"
-docdir="\${prefix}/share/doc/qemu"
-bindir="\${prefix}/bin"
-sysconfdir="\${prefix}/etc"
-confsuffix="/qemu"
-slirp="yes"
-fmod_lib=""
-fmod_inc=""
-oss_lib=""
-bsd="no"
-linux="no"
-solaris="no"
-profiler="no"
-cocoa="no"
-softmmu="yes"
-linux_user="no"
-darwin_user="no"
-bsd_user="no"
-guest_base=""
-uname_release=""
-io_thread="no"
-mixemu="no"
-kerneldir=""
-aix="no"
-haiku="no"
-blobs="yes"
-pkgversion=""
-check_utests="no"
-user_pie="no"
-zero_malloc=""
-trace_backend="nop"
-trace_file="trace"
-spice=""
-rbd=""
-
 # OS specific
 if check_define __linux__ ; then
   targetos="Linux"
commit e39f0062cccaade333bd10fa27f3807f0a76f383
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:51 2010 +0100

    fix sparse support (?)
    
    I didn't test with sparse, but the old code using += before a variable
    was set was wrong.  Sparse support should probably be ripped out or
    redone, but this at least keeps some sanity.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 13b2aa7..11a7b18 100755
--- a/configure
+++ b/configure
@@ -2775,17 +2775,17 @@ echo "INSTALL_PROG=$install -m0755 -p" >> $config_host_mak
 echo "CC=$cc" >> $config_host_mak
 echo "CC_I386=$cc_i386" >> $config_host_mak
 echo "HOST_CC=$host_cc" >> $config_host_mak
-if test "$sparse" = "yes" ; then
-  echo "CC      := REAL_CC=\"\$(CC)\" cgcc"       >> $config_host_mak
-  echo "HOST_CC := REAL_CC=\"\$(HOST_CC)\" cgcc"  >> $config_host_mak
-  echo "QEMU_CFLAGS  += -Wbitwise -Wno-transparent-union -Wno-old-initializer -Wno-non-pointer-null" >> $config_host_mak
-fi
 echo "AR=$ar" >> $config_host_mak
 echo "OBJCOPY=$objcopy" >> $config_host_mak
 echo "LD=$ld" >> $config_host_mak
 echo "WINDRES=$windres" >> $config_host_mak
 echo "CFLAGS=$CFLAGS" >> $config_host_mak
 echo "QEMU_CFLAGS=$QEMU_CFLAGS" >> $config_host_mak
+if test "$sparse" = "yes" ; then
+  echo "CC           := REAL_CC=\"\$(CC)\" cgcc"       >> $config_host_mak
+  echo "HOST_CC      := REAL_CC=\"\$(HOST_CC)\" cgcc"  >> $config_host_mak
+  echo "QEMU_CFLAGS  += -Wbitwise -Wno-transparent-union -Wno-old-initializer -Wno-non-pointer-null" >> $config_host_mak
+fi
 echo "HELPER_CFLAGS=$helper_cflags" >> $config_host_mak
 echo "LDFLAGS=$LDFLAGS" >> $config_host_mak
 echo "ARLIBS_BEGIN=$arlibs_begin" >> $config_host_mak
commit 0db4a067594b506678cdaece6c32e870d391695e
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:49 2010 +0100

    default make and install to environment variables
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index fa68359..89cfa12 100755
--- a/configure
+++ b/configure
@@ -79,8 +79,6 @@ audio_card_list="ac97 es1370 sb16 hda"
 audio_possible_cards="ac97 es1370 sb16 cs4231a adlib gus hda"
 block_drv_whitelist=""
 host_cc="gcc"
-make="make"
-install="install"
 helper_cflags=""
 libs_softmmu=""
 libs_tools=""
@@ -363,7 +361,7 @@ GNU/kFreeBSD)
 ;;
 FreeBSD)
   bsd="yes"
-  make="gmake"
+  make="${MAKE-gmake}"
   audio_drv_list="oss"
   audio_possible_drivers="oss sdl esd pa"
   # needed for kinfo_getvmmap(3) in libutil.h
@@ -371,20 +369,20 @@ FreeBSD)
 ;;
 DragonFly)
   bsd="yes"
-  make="gmake"
+  make="${MAKE-gmake}"
   audio_drv_list="oss"
   audio_possible_drivers="oss sdl esd pa"
 ;;
 NetBSD)
   bsd="yes"
-  make="gmake"
+  make="${MAKE-gmake}"
   audio_drv_list="oss"
   audio_possible_drivers="oss sdl esd"
   oss_lib="-lossaudio"
 ;;
 OpenBSD)
   bsd="yes"
-  make="gmake"
+  make="${MAKE-gmake}"
   audio_drv_list="oss"
   audio_possible_drivers="oss sdl esd"
   oss_lib="-lossaudio"
@@ -413,8 +411,8 @@ Darwin)
 ;;
 SunOS)
   solaris="yes"
-  make="gmake"
-  install="ginstall"
+  make="${MAKE-gmake}"
+  install="${INSTALL-ginstall}"
   ld="gld"
   needs_libsunmath="no"
   solarisrev=`uname -r | cut -f2 -d.`
@@ -453,7 +451,7 @@ SunOS)
 ;;
 AIX)
   aix="yes"
-  make="gmake"
+  make="${MAKE-gmake}"
 ;;
 Haiku)
   haiku="yes"
@@ -479,6 +477,9 @@ if [ "$bsd" = "yes" ] ; then
   bsd_user="yes"
 fi
 
+: ${make=${MAKE-make}}
+: ${install=${INSTALL-install}}
+
 if test "$mingw32" = "yes" ; then
   EXESUF=".exe"
   QEMU_CFLAGS="-DWIN32_LEAN_AND_MEAN -DWINVER=0x501 $QEMU_CFLAGS"
commit 3d8df6409bdbd6c2f6df44c136ebb24d1248f408
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Dec 23 11:43:48 2010 +0100

    default compilation tools to environment variables
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 438219b..fa68359 100755
--- a/configure
+++ b/configure
@@ -74,19 +74,13 @@ interp_prefix="/usr/gnemul/qemu-%M"
 static="no"
 sparc_cpu=""
 cross_prefix=""
-cc="gcc"
 audio_drv_list=""
 audio_card_list="ac97 es1370 sb16 hda"
 audio_possible_cards="ac97 es1370 sb16 cs4231a adlib gus hda"
 block_drv_whitelist=""
 host_cc="gcc"
-ar="ar"
 make="make"
 install="install"
-objcopy="objcopy"
-ld="ld"
-strip="strip"
-windres="windres"
 helper_cflags=""
 libs_softmmu=""
 libs_tools=""
@@ -100,7 +94,7 @@ for opt do
   case "$opt" in
   --cross-prefix=*) cross_prefix="$optarg"
   ;;
-  --cc=*) cc="$optarg"
+  --cc=*) CC="$optarg"
   ;;
   --cpu=*) cpu="$optarg"
   ;;
@@ -129,12 +123,12 @@ done
 # Using uname is really, really broken.  Once we have the right set of checks
 # we can eliminate it's usage altogether
 
-cc="${cross_prefix}${cc}"
-ar="${cross_prefix}${ar}"
-objcopy="${cross_prefix}${objcopy}"
-ld="${cross_prefix}${ld}"
-strip="${cross_prefix}${strip}"
-windres="${cross_prefix}${windres}"
+cc="${cross_prefix}${CC-gcc}"
+ar="${cross_prefix}${AR-ar}"
+objcopy="${cross_prefix}${OBJCOPY-objcopy}"
+ld="${cross_prefix}${LD-ld}"
+strip="${cross_prefix}${STRIP-strip}"
+windres="${cross_prefix}${WINDRES-windres}"
 
 # default flags for all hosts
 QEMU_CFLAGS="-fno-strict-aliasing $QEMU_CFLAGS"
commit 844bab604b4369f6ee84065756da0b1d7f915715
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Fri Jan 14 12:30:26 2011 +0100

    microblaze: Improve unconditional direct branching
    
    Avoid emitting conditional tcg operations for uncoditional
    direct branches.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index c018c99..2e236fb 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -78,9 +78,10 @@ typedef struct DisasContext {
     unsigned int clear_imm;
     int is_jmp;
 
-#define JMP_NOJMP    0
-#define JMP_DIRECT   1
-#define JMP_INDIRECT 2
+#define JMP_NOJMP     0
+#define JMP_DIRECT    1
+#define JMP_DIRECT_CC 2
+#define JMP_INDIRECT  3
     unsigned int jmp;
     uint32_t jmp_pc;
 
@@ -751,7 +752,10 @@ static void dec_bit(DisasContext *dc)
 
 static inline void sync_jmpstate(DisasContext *dc)
 {
-    if (dc->jmp == JMP_DIRECT) {
+    if (dc->jmp == JMP_DIRECT || dc->jmp == JMP_DIRECT_CC) {
+        if (dc->jmp == JMP_DIRECT) {
+            tcg_gen_movi_tl(env_btaken, 1);
+        }
         dc->jmp = JMP_INDIRECT;
         tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
     }
@@ -975,7 +979,7 @@ static void dec_bcc(DisasContext *dc)
         int32_t offset = (int32_t)((int16_t)dc->imm); /* sign-extend.  */
 
         tcg_gen_movi_tl(env_btarget, dc->pc + offset);
-        dc->jmp = JMP_DIRECT;
+        dc->jmp = JMP_DIRECT_CC;
         dc->jmp_pc = dc->pc + offset;
     } else {
         dc->jmp = JMP_INDIRECT;
@@ -1029,7 +1033,6 @@ static void dec_br(DisasContext *dc)
         if (dec_alu_op_b_is_small_imm(dc)) {
             dc->jmp = JMP_DIRECT;
             dc->jmp_pc = dc->pc + (int32_t)((int16_t)dc->imm);
-            tcg_gen_movi_tl(env_btaken, 1);
         } else {
             tcg_gen_movi_tl(env_btaken, 1);
             tcg_gen_movi_tl(env_btarget, dc->pc);
@@ -1451,6 +1454,10 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
                     eval_cond_jmp(dc, env_btarget, tcg_const_tl(dc->pc));
                     dc->is_jmp = DISAS_JUMP;
                 } else if (dc->jmp == JMP_DIRECT) {
+                    t_sync_flags(dc);
+                    gen_goto_tb(dc, 0, dc->jmp_pc);
+                    dc->is_jmp = DISAS_TB_JUMP;
+                } else if (dc->jmp == JMP_DIRECT_CC) {
                     int l1;
 
                     t_sync_flags(dc);
@@ -1475,7 +1482,7 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
                  && num_insns < max_insns);
 
     npc = dc->pc;
-    if (dc->jmp == JMP_DIRECT) {
+    if (dc->jmp == JMP_DIRECT || dc->jmp == JMP_DIRECT_CC) {
         if (dc->tb_flags & D_FLAG) {
             dc->is_jmp = DISAS_UPDATE;
             tcg_gen_movi_tl(cpu_SR[SR_PC], npc);
commit d03d11260ee2d55579e8b76116e35ccdf5031833
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Thu Jan 13 15:14:04 2011 +0100

    cris: Set btaken when storing direct jumps
    
    When storing a direct jmp from translation state into
    runtime state we should set the btaken flag.
    
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index e09aaa9..f4cc125 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -1129,6 +1129,9 @@ static void cris_store_direct_jmp(DisasContext *dc)
 {
 	/* Store the direct jmp state into the cpu-state.  */
 	if (dc->jmp == JMP_DIRECT || dc->jmp == JMP_DIRECT_CC) {
+		if (dc->jmp == JMP_DIRECT) {
+			tcg_gen_movi_tl(env_btaken, 1);
+		}
 		tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
 		dc->jmp = JMP_INDIRECT;
 	}
commit facf1a60f29853590073f321e3cba491a5ee097a
Author: Sergei Gavrikov <sergei.gavrikov at gmail.com>
Date:   Wed Jan 12 15:57:18 2011 +0200

    slirp: Use strcasecmp() to check tftp mode, tsize
    
    According to RFC 1350 (TFTP Revision 2) the mode field can contain any
    combination of upper and lower case; also RFC 2349 propagates that the
    transfer size option ("tsize") is case in-sensitive too.
    
    Current implementation of embedded TFTP server missed that what does
    mess some TFTP clients. Fixed by using STRCASECMP(3) in the required
    places.
    
    Signed-off-by: Sergei Gavrikov <sergei.gavrikov at gmail.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/slirp/tftp.c b/slirp/tftp.c
index 55e4692..1821648 100644
--- a/slirp/tftp.c
+++ b/slirp/tftp.c
@@ -311,7 +311,7 @@ static void tftp_handle_rrq(Slirp *slirp, struct tftp_t *tp, int pktlen)
     return;
   }
 
-  if (memcmp(&tp->x.tp_buf[k], "octet\0", 6) != 0) {
+  if (strcasecmp((const char *)&tp->x.tp_buf[k], "octet") != 0) {
       tftp_send_error(spt, 4, "Unsupported transfer mode", tp);
       return;
   }
@@ -351,7 +351,7 @@ static void tftp_handle_rrq(Slirp *slirp, struct tftp_t *tp, int pktlen)
       value = (const char *)&tp->x.tp_buf[k];
       k += strlen(value) + 1;
 
-      if (strcmp(key, "tsize") == 0) {
+      if (strcasecmp(key, "tsize") == 0) {
 	  int tsize = atoi(value);
 	  struct stat stat_p;
 
commit 4508d81a788f451c83604e1d0033243e191d71a7
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 21:12:31 2011 +0000

    ppc405_uc: fix a buffer overflow
    
    Fix a buffer overflow, reported by cppcheck:
    [/src/qemu/hw/ppc405_uc.c:72]: (error) Buffer access out-of-bounds: bd.bi_s_version
    
    The use of field bi_s_version seems to be a typo, it should be
    bi_r_version.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ppc405_uc.c b/hw/ppc405_uc.c
index 8136cb9..334187e 100644
--- a/hw/ppc405_uc.c
+++ b/hw/ppc405_uc.c
@@ -68,8 +68,9 @@ ram_addr_t ppc405_set_bootinfo (CPUState *env, ppc4xx_bd_info_t *bd,
     stl_phys(bdloc + 0x34, bd->bi_baudrate);
     for (i = 0; i < 4; i++)
         stb_phys(bdloc + 0x38 + i, bd->bi_s_version[i]);
-    for (i = 0; i < 32; i++)
-        stb_phys(bdloc + 0x3C + i, bd->bi_s_version[i]);
+    for (i = 0; i < 32; i++) {
+        stb_phys(bdloc + 0x3C + i, bd->bi_r_version[i]);
+    }
     stl_phys(bdloc + 0x5C, bd->bi_plb_busfreq);
     stl_phys(bdloc + 0x60, bd->bi_pci_busfreq);
     for (i = 0; i < 6; i++)
commit c46a3ea025b147d58e4c7a222307ccba1e9e376f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 21:00:01 2011 +0000

    lan9118: fix a buffer overflow
    
    Fix a buffer overflow, reported by cppcheck:
    [/src/qemu/hw/lan9118.c:849]: (error) Buffer access out-of-bounds: s.eeprom
    
    All eeprom handling code assumes that the size of eeprom is 128,
    except lan9118_eeprom_cmd. Fix this by restricting the address passed.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/lan9118.c b/hw/lan9118.c
index a988664..9cc7952 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -187,7 +187,7 @@ typedef struct {
     uint32_t phy_int_mask;
 
     int eeprom_writable;
-    uint8_t eeprom[8];
+    uint8_t eeprom[128];
 
     int tx_fifo_size;
     LAN9118Packet *txp;
@@ -1003,7 +1003,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
         s->afc_cfg = val & 0x00ffffff;
         break;
     case CSR_E2P_CMD:
-        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0xff);
+        lan9118_eeprom_cmd(s, (val >> 28) & 7, val & 0x7f);
         break;
     case CSR_E2P_DATA:
         s->e2p_data = val & 0xff;
commit f0ff243a16362b82e4dae7bd991d13ba25bb5b2f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 19:49:00 2011 +0000

    vpc: fix a file descriptor leak
    
    Fix a file descriptor leak, reported by cppcheck:
    [/src/qemu/block/vpc.c:524]: (error) Resource leak: fd
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block/vpc.c b/block/vpc.c
index 21e2a68..7b025be 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -502,6 +502,7 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
     uint8_t secs_per_cyl = 0;
     size_t block_size, num_bat_entries;
     int64_t total_sectors = 0;
+    int ret = -EIO;
 
     // Read out options
     while (options && options->name) {
@@ -521,7 +522,8 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
     for (i = 0; total_sectors > (int64_t)cyls * heads * secs_per_cyl; i++) {
         if (calculate_geometry(total_sectors + i,
                                &cyls, &heads, &secs_per_cyl)) {
-            return -EFBIG;
+            ret = -EFBIG;
+            goto fail;
         }
     }
     total_sectors = (int64_t) cyls * heads * secs_per_cyl;
@@ -560,22 +562,28 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
     block_size = 0x200000;
     num_bat_entries = (total_sectors + block_size / 512) / (block_size / 512);
 
-    if (write(fd, buf, HEADER_SIZE) != HEADER_SIZE)
-        return -EIO;
+    if (write(fd, buf, HEADER_SIZE) != HEADER_SIZE) {
+        goto fail;
+    }
 
-    if (lseek(fd, 1536 + ((num_bat_entries * 4 + 511) & ~511), SEEK_SET) < 0)
-        return -EIO;
-    if (write(fd, buf, HEADER_SIZE) != HEADER_SIZE)
-        return -EIO;
+    if (lseek(fd, 1536 + ((num_bat_entries * 4 + 511) & ~511), SEEK_SET) < 0) {
+        goto fail;
+    }
+    if (write(fd, buf, HEADER_SIZE) != HEADER_SIZE) {
+        goto fail;
+    }
 
     // Write the initial BAT
-    if (lseek(fd, 3 * 512, SEEK_SET) < 0)
-        return -EIO;
+    if (lseek(fd, 3 * 512, SEEK_SET) < 0) {
+        goto fail;
+    }
 
     memset(buf, 0xFF, 512);
-    for (i = 0; i < (num_bat_entries * 4 + 511) / 512; i++)
-        if (write(fd, buf, 512) != 512)
-            return -EIO;
+    for (i = 0; i < (num_bat_entries * 4 + 511) / 512; i++) {
+        if (write(fd, buf, 512) != 512) {
+            goto fail;
+        }
+    }
 
 
     // Prepare the Dynamic Disk Header
@@ -592,13 +600,18 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
     dyndisk_header->checksum = be32_to_cpu(vpc_checksum(buf, 1024));
 
     // Write the header
-    if (lseek(fd, 512, SEEK_SET) < 0)
-        return -EIO;
-    if (write(fd, buf, 1024) != 1024)
-        return -EIO;
+    if (lseek(fd, 512, SEEK_SET) < 0) {
+        goto fail;
+    }
 
+    if (write(fd, buf, 1024) != 1024) {
+        goto fail;
+    }
+    ret = 0;
+
+ fail:
     close(fd);
-    return 0;
+    return ret;
 }
 
 static void vpc_close(BlockDriverState *bs)
commit 1afec9138f848cfba517bd2d80167b27216b9df9
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 19:48:59 2011 +0000

    qemu-io: fix a memory leak
    
    Fix a memory leak, reported by cppcheck:
    [/src/qemu/qemu-io.c:1135]: (error) Memory leak: ctx
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-io.c b/qemu-io.c
index 65dee13..5b24c5e 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1131,8 +1131,10 @@ aio_read_f(int argc, char **argv)
 		case 'P':
 			ctx->Pflag = 1;
 			ctx->pattern = parse_pattern(optarg);
-			if (ctx->pattern < 0)
+			if (ctx->pattern < 0) {
+                                free(ctx);
 				return 0;
+                        }
 			break;
 		case 'q':
 			ctx->qflag = 1;
commit 08089edcd25b2105a7599309afd0225e839debc6
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 19:48:58 2011 +0000

    vvfat: fix a file descriptor leak
    
    Fix a file descriptor leak, reported by cppcheck:
    [/src/qemu/block/vvfat.c:759]: (error) Resource leak: dir
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block/vvfat.c b/block/vvfat.c
index 26dd474..fe568fe 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -756,6 +756,7 @@ static int read_directory(BDRVVVFATState* s, int mapping_index)
         if (st.st_size > 0x7fffffff) {
 	    fprintf(stderr, "File %s is larger than 2GB\n", buffer);
 	    free(buffer);
+            closedir(dir);
 	    return -2;
         }
 	direntry->size=cpu_to_le32(S_ISDIR(st.st_mode)?0:st.st_size);
commit cedf9a6f4549900f857954059284a96814e4c7a3
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 19:48:57 2011 +0000

    loader: fix a file descriptor leak
    
    Fix a file descriptor leak, reported by cppcheck:
    [/src/qemu/hw/loader.c:311]: (error) Resource leak: fd
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/loader.c b/hw/loader.c
index eb198f6..35d792e 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -307,8 +307,9 @@ int load_elf(const char *filename, uint64_t (*translate_fn)(void *, uint64_t),
         target_data_order = ELFDATA2LSB;
     }
 
-    if (target_data_order != e_ident[EI_DATA])
-        return -1;
+    if (target_data_order != e_ident[EI_DATA]) {
+        goto fail;
+    }
 
     lseek(fd, 0, SEEK_SET);
     if (e_ident[EI_CLASS] == ELFCLASS64) {
commit 8ce7d35273352ebe19c871e6b32a52db77fa08c3
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Jan 12 19:48:56 2011 +0000

    vnc-auth-sasl: fix a memory leak
    
    Fix a memory leak reported by cppcheck:
    [/src/qemu/ui/vnc-auth-sasl.c:448]: (error) Memory leak: mechname
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/ui/vnc-auth-sasl.c b/ui/vnc-auth-sasl.c
index a51ddc8..17a621a 100644
--- a/ui/vnc-auth-sasl.c
+++ b/ui/vnc-auth-sasl.c
@@ -444,22 +444,19 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_
         if (vs->sasl.mechlist[len] != '\0' &&
             vs->sasl.mechlist[len] != ',') {
             VNC_DEBUG("One %d", vs->sasl.mechlist[len]);
-            vnc_client_error(vs);
-            return -1;
+            goto fail;
         }
     } else {
         char *offset = strstr(vs->sasl.mechlist, mechname);
         VNC_DEBUG("Two %p\n", offset);
         if (!offset) {
-            vnc_client_error(vs);
-            return -1;
+            goto fail;
         }
         VNC_DEBUG("Two '%s'\n", offset);
         if (offset[-1] != ',' ||
             (offset[len] != '\0'&&
              offset[len] != ',')) {
-            vnc_client_error(vs);
-            return -1;
+            goto fail;
         }
     }
 
@@ -469,6 +466,11 @@ static int protocol_client_auth_sasl_mechname(VncState *vs, uint8_t *data, size_
     VNC_DEBUG("Validated mechname '%s'\n", mechname);
     vnc_read_when(vs, protocol_client_auth_sasl_start_len, 4);
     return 0;
+
+ fail:
+    vnc_client_error(vs);
+    free(mechname);
+    return -1;
 }
 
 static int protocol_client_auth_sasl_mechname_len(VncState *vs, uint8_t *data, size_t len)
commit a01a9cb821a29852abb142ec52b26c8488ced6e8
Author: Amit Shah <amit.shah at redhat.com>
Date:   Tue Nov 23 17:01:15 2010 +0530

    virtio-serial-bus: bump up control vq size to 32
    
    The current default of 16 buffers for the control vq is too small.  We
    can get more entries in there, for example when asking the guest to add
    max. allowed ports.
    
    Note: a more robust solution would involve some kind of event queueing
    in host to guarantee no event loss. Added a TODO to look into
    this later.
    
    Signed-off-by: Amit Shah <amit.shah at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 74ba5ec..b728040 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -769,10 +769,16 @@ VirtIODevice *virtio_serial_init(DeviceState *dev, uint32_t max_nr_ports)
     /* Add a queue for guest to host transfers for port 0 (backward compat) */
     vser->ovqs[0] = virtio_add_queue(vdev, 128, handle_output);
 
+    /* TODO: host to guest notifications can get dropped
+     * if the queue fills up. Implement queueing in host,
+     * this might also make it possible to reduce the control
+     * queue size: as guest preposts buffers there,
+     * this will save 4Kbyte of guest memory per entry. */
+
     /* control queue: host to guest */
-    vser->c_ivq = virtio_add_queue(vdev, 16, control_in);
+    vser->c_ivq = virtio_add_queue(vdev, 32, control_in);
     /* control queue: guest to host */
-    vser->c_ovq = virtio_add_queue(vdev, 16, control_out);
+    vser->c_ovq = virtio_add_queue(vdev, 32, control_out);
 
     for (i = 1; i < vser->bus->max_nr_ports; i++) {
         /* Add a per-port queue for host to guest transfers */
commit c2e08bddcd1fa32415c0ee5aa6d3c88a258db4c0
Merge: b36e391... 05bf441...
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Jan 12 17:39:36 2011 +0200

    Merge remote branch 'origin/master' into pci

commit 00e076795f2d6dfa0c078ff5d5ee5d77190cb4b9
Author: Michael Walle <michael at walle.cc>
Date:   Wed Jan 5 01:05:47 2011 +0100

    audio: split sample conversion and volume mixing
    
    Refactor the volume mixing, so it can be reused for capturing devices.
    Additionally, it removes superfluous multiplications with the nominal
    volume within the hardware voice code path.
    
    Signed-off-by: Michael Walle <michael at walle.cc>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/alsaaudio.c b/audio/alsaaudio.c
index 727b9f8..4d72014 100644
--- a/audio/alsaaudio.c
+++ b/audio/alsaaudio.c
@@ -1097,7 +1097,7 @@ static int alsa_run_in (HWVoiceIn *hw)
                 }
             }
 
-            hw->conv (dst, src, nread, &nominal_volume);
+            hw->conv (dst, src, nread);
 
             src = advance (src, nread << hwshift);
             dst += nread;
diff --git a/audio/audio.c b/audio/audio.c
index 1707446..1729c0b 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -104,7 +104,7 @@ static struct {
 
 static AudioState glob_audio_state;
 
-struct mixeng_volume nominal_volume = {
+const struct mixeng_volume nominal_volume = {
     .mute = 0,
 #ifdef FLOAT_MIXENG
     .r = 1.0,
@@ -702,13 +702,11 @@ void audio_pcm_info_clear_buf (struct audio_pcm_info *info, void *buf, int len)
 /*
  * Capture
  */
-static void noop_conv (struct st_sample *dst, const void *src,
-                       int samples, struct mixeng_volume *vol)
+static void noop_conv (struct st_sample *dst, const void *src, int samples)
 {
     (void) src;
     (void) dst;
     (void) samples;
-    (void) vol;
 }
 
 static CaptureVoiceOut *audio_pcm_capture_find_specific (
@@ -956,6 +954,8 @@ int audio_pcm_sw_read (SWVoiceIn *sw, void *buf, int size)
         total += isamp;
     }
 
+    mixeng_volume (sw->buf, ret, &sw->vol);
+
     sw->clip (buf, sw->buf, ret);
     sw->total_hw_samples_acquired += total;
     return ret << sw->info.shift;
@@ -1037,7 +1037,8 @@ int audio_pcm_sw_write (SWVoiceOut *sw, void *buf, int size)
     swlim = ((int64_t) dead << 32) / sw->ratio;
     swlim = audio_MIN (swlim, samples);
     if (swlim) {
-        sw->conv (sw->buf, buf, swlim, &sw->vol);
+        sw->conv (sw->buf, buf, swlim);
+        mixeng_volume (sw->buf, swlim, &sw->vol);
     }
 
     while (swlim) {
diff --git a/audio/audio_int.h b/audio/audio_int.h
index d66f2c3..2003f8b 100644
--- a/audio/audio_int.h
+++ b/audio/audio_int.h
@@ -211,7 +211,7 @@ extern struct audio_driver esd_audio_driver;
 extern struct audio_driver pa_audio_driver;
 extern struct audio_driver spice_audio_driver;
 extern struct audio_driver winwave_audio_driver;
-extern struct mixeng_volume nominal_volume;
+extern const struct mixeng_volume nominal_volume;
 
 void audio_pcm_init_info (struct audio_pcm_info *info, struct audsettings *as);
 void audio_pcm_info_clear_buf (struct audio_pcm_info *info, void *buf, int len);
diff --git a/audio/dsoundaudio.c b/audio/dsoundaudio.c
index e547955..e2d89fd 100644
--- a/audio/dsoundaudio.c
+++ b/audio/dsoundaudio.c
@@ -831,11 +831,11 @@ static int dsound_run_in (HWVoiceIn *hw)
     decr = len1 + len2;
 
     if (p1 && len1) {
-        hw->conv (hw->conv_buf + hw->wpos, p1, len1, &nominal_volume);
+        hw->conv (hw->conv_buf + hw->wpos, p1, len1);
     }
 
     if (p2 && len2) {
-        hw->conv (hw->conv_buf, p2, len2, &nominal_volume);
+        hw->conv (hw->conv_buf, p2, len2);
     }
 
     dsound_unlock_in (dscb, p1, p2, blen1, blen2);
diff --git a/audio/esdaudio.c b/audio/esdaudio.c
index 9a1f2f8..ff97b39 100644
--- a/audio/esdaudio.c
+++ b/audio/esdaudio.c
@@ -346,8 +346,7 @@ static void *qesd_thread_in (void *arg)
                 break;
             }
 
-            hw->conv (hw->conv_buf + wpos, buf, nread >> hw->info.shift,
-                      &nominal_volume);
+            hw->conv (hw->conv_buf + wpos, buf, nread >> hw->info.shift);
             wpos = (wpos + chunk) % hw->samples;
             to_grab -= chunk;
         }
diff --git a/audio/fmodaudio.c b/audio/fmodaudio.c
index 7f08e14..c34cf53 100644
--- a/audio/fmodaudio.c
+++ b/audio/fmodaudio.c
@@ -488,10 +488,10 @@ static int fmod_run_in (HWVoiceIn *hw)
     decr = len1 + len2;
 
     if (p1 && blen1) {
-        hw->conv (hw->conv_buf + hw->wpos, p1, len1, &nominal_volume);
+        hw->conv (hw->conv_buf + hw->wpos, p1, len1);
     }
     if (p2 && len2) {
-        hw->conv (hw->conv_buf, p2, len2, &nominal_volume);
+        hw->conv (hw->conv_buf, p2, len2);
     }
 
     fmod_unlock_sample (fmd->fmod_sample, p1, p2, blen1, blen2);
diff --git a/audio/mixeng.c b/audio/mixeng.c
index 9f1d93f..4a9e8eb 100644
--- a/audio/mixeng.c
+++ b/audio/mixeng.c
@@ -333,3 +333,28 @@ void mixeng_clear (struct st_sample *buf, int len)
 {
     memset (buf, 0, len * sizeof (struct st_sample));
 }
+
+void mixeng_volume (struct st_sample *buf, int len, struct mixeng_volume *vol)
+{
+#ifdef CONFIG_MIXEMU
+    if (vol->mute) {
+        mixeng_clear (buf, len);
+        return;
+    }
+
+    while (len--) {
+#ifdef FLOAT_MIXENG
+        buf->l = buf->l * vol->l;
+        buf->r = buf->r * vol->r;
+#else
+        buf->l = (buf->l * vol->l) >> 32;
+        buf->r = (buf->r * vol->r) >> 32;
+#endif
+        buf += 1;
+    }
+#else
+    (void) buf;
+    (void) len;
+    (void) vol;
+#endif
+}
diff --git a/audio/mixeng.h b/audio/mixeng.h
index 4af1dd9..9de443b 100644
--- a/audio/mixeng.h
+++ b/audio/mixeng.h
@@ -33,8 +33,7 @@ struct mixeng_volume { int mute; int64_t r; int64_t l; };
 struct st_sample { int64_t l; int64_t r; };
 #endif
 
-typedef void (t_sample) (struct st_sample *dst, const void *src,
-                         int samples, struct mixeng_volume *vol);
+typedef void (t_sample) (struct st_sample *dst, const void *src, int samples);
 typedef void (f_sample) (void *dst, const struct st_sample *src, int samples);
 
 extern t_sample *mixeng_conv[2][2][2][3];
@@ -47,5 +46,6 @@ void st_rate_flow_mix (void *opaque, struct st_sample *ibuf, struct st_sample *o
                        int *isamp, int *osamp);
 void st_rate_stop (void *opaque);
 void mixeng_clear (struct st_sample *buf, int len);
+void mixeng_volume (struct st_sample *buf, int len, struct mixeng_volume *vol);
 
 #endif  /* mixeng.h */
diff --git a/audio/mixeng_template.h b/audio/mixeng_template.h
index 5617705..a2d0ef8 100644
--- a/audio/mixeng_template.h
+++ b/audio/mixeng_template.h
@@ -31,16 +31,6 @@
 #define HALF (IN_MAX >> 1)
 #endif
 
-#ifdef CONFIG_MIXEMU
-#ifdef FLOAT_MIXENG
-#define VOL(a, b) ((a) * (b))
-#else
-#define VOL(a, b) ((a) * (b)) >> 32
-#endif
-#else
-#define VOL(a, b) a
-#endif
-
 #define ET glue (ENDIAN_CONVERSION, glue (_, IN_T))
 
 #ifdef FLOAT_MIXENG
@@ -109,40 +99,26 @@ static inline IN_T glue (clip_, ET) (int64_t v)
 #endif
 
 static void glue (glue (conv_, ET), _to_stereo)
-    (struct st_sample *dst, const void *src, int samples, struct mixeng_volume *vol)
+    (struct st_sample *dst, const void *src, int samples)
 {
     struct st_sample *out = dst;
     IN_T *in = (IN_T *) src;
-#ifdef CONFIG_MIXEMU
-    if (vol->mute) {
-        mixeng_clear (dst, samples);
-        return;
-    }
-#else
-    (void) vol;
-#endif
+
     while (samples--) {
-        out->l = VOL (glue (conv_, ET) (*in++), vol->l);
-        out->r = VOL (glue (conv_, ET) (*in++), vol->r);
+        out->l = glue (conv_, ET) (*in++);
+        out->r = glue (conv_, ET) (*in++);
         out += 1;
     }
 }
 
 static void glue (glue (conv_, ET), _to_mono)
-    (struct st_sample *dst, const void *src, int samples, struct mixeng_volume *vol)
+    (struct st_sample *dst, const void *src, int samples)
 {
     struct st_sample *out = dst;
     IN_T *in = (IN_T *) src;
-#ifdef CONFIG_MIXEMU
-    if (vol->mute) {
-        mixeng_clear (dst, samples);
-        return;
-    }
-#else
-    (void) vol;
-#endif
+
     while (samples--) {
-        out->l = VOL (glue (conv_, ET) (in[0]), vol->l);
+        out->l = glue (conv_, ET) (in[0]);
         out->r = out->l;
         out += 1;
         in += 1;
@@ -174,4 +150,3 @@ static void glue (glue (clip_, ET), _from_mono)
 
 #undef ET
 #undef HALF
-#undef VOL
diff --git a/audio/ossaudio.c b/audio/ossaudio.c
index d7a55e5..b49e102 100644
--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -788,8 +788,7 @@ static int oss_run_in (HWVoiceIn *hw)
                            hw->info.align + 1);
                 }
                 read_samples += nread >> hwshift;
-                hw->conv (hw->conv_buf + bufs[i].add, p, nread >> hwshift,
-                          &nominal_volume);
+                hw->conv (hw->conv_buf + bufs[i].add, p, nread >> hwshift);
             }
 
             if (bufs[i].len - nread) {
diff --git a/audio/paaudio.c b/audio/paaudio.c
index ff71dac..9cf685d 100644
--- a/audio/paaudio.c
+++ b/audio/paaudio.c
@@ -195,7 +195,7 @@ static void *qpa_thread_in (void *arg)
                 return NULL;
             }
 
-            hw->conv (hw->conv_buf + wpos, buf, chunk, &nominal_volume);
+            hw->conv (hw->conv_buf + wpos, buf, chunk);
             wpos = (wpos + chunk) % hw->samples;
             to_grab -= chunk;
         }
diff --git a/audio/spiceaudio.c b/audio/spiceaudio.c
index 373e4c4..a5c0d6b 100644
--- a/audio/spiceaudio.c
+++ b/audio/spiceaudio.c
@@ -268,11 +268,10 @@ static int line_in_run (HWVoiceIn *hw)
         len[1] = 0;
     }
 
-    hw->conv (hw->conv_buf + hw->wpos, samples, len[0], &nominal_volume);
+    hw->conv (hw->conv_buf + hw->wpos, samples, len[0]);
 
     if (len[1]) {
-        hw->conv (hw->conv_buf, samples + len[0], len[1],
-                  &nominal_volume);
+        hw->conv (hw->conv_buf, samples + len[0], len[1]);
     }
 
     hw->wpos = (hw->wpos + num_samples) % hw->samples;
diff --git a/audio/winwaveaudio.c b/audio/winwaveaudio.c
index cdf483b..e5ad3c6 100644
--- a/audio/winwaveaudio.c
+++ b/audio/winwaveaudio.c
@@ -581,8 +581,7 @@ static int winwave_run_in (HWVoiceIn *hw)
         int conv = audio_MIN (left, decr);
         hw->conv (hw->conv_buf + hw->wpos,
                   advance (wave->pcm_buf, wave->rpos << hw->info.shift),
-                  conv,
-                  &nominal_volume);
+                  conv);
 
         wave->rpos = (wave->rpos + conv) % hw->samples;
         hw->wpos = (hw->wpos + conv) % hw->samples;
commit 0f136d9e060ad879d0b840274ddfd1955e24fc10
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Wed Jan 12 14:55:36 2011 +0100

    disas: remove opcode printing on ARM hosts
    
    Following commit 5d48e9174e3bfa8655e1dc8f80887acd9040b427, it's possible
    to remove the hack that used to display the opcodes on ARM hosts only.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/disas.c b/disas.c
index dd2db14..c76f36f 100644
--- a/disas.c
+++ b/disas.c
@@ -307,11 +307,6 @@ void disas(FILE *out, void *code, unsigned long size)
 #endif
     for (pc = (unsigned long)code; size > 0; pc += count, size -= count) {
 	fprintf(out, "0x%08lx:  ", pc);
-#ifdef __arm__
-        /* since data is included in the code, it is better to
-           display code data too */
-        fprintf(out, "%08x  ", (int)bfd_getl32((const bfd_byte *)pc));
-#endif
 	count = print_insn(pc, &disasm_info);
 	fprintf(out, "\n");
 	if (count < 0)
commit 5d48e9174e3bfa8655e1dc8f80887acd9040b427
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Jan 10 16:16:26 2011 +0000

    arm-dis: Include opcode hex when doing disassembly
    
    Enhance the ARM disassembler used for debugging so that it includes
    the hex dump of the opcode as well as the symbolic disassembly.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/arm-dis.c b/arm-dis.c
index af21739..3ece02c 100644
--- a/arm-dis.c
+++ b/arm-dis.c
@@ -4101,6 +4101,30 @@ print_insn_arm (bfd_vma pc, struct disassemble_info *info)
        addresses, since the addend is not currently pc-relative.  */
     pc = 0;
 
+  /* We include the hexdump of the instruction. The format here
+     matches that used by objdump and the ARM ARM (in particular,
+     32 bit Thumb instructions are displayed as pairs of halfwords,
+     not as a single word.)  */
+  if (is_thumb)
+    {
+      if (size == 2)
+	{
+	  info->fprintf_func(info->stream, "%04lx       ",
+			     ((unsigned long)given) & 0xffff);
+	}
+      else
+	{
+	  info->fprintf_func(info->stream, "%04lx %04lx  ",
+			     (((unsigned long)given) >> 16) & 0xffff,
+			     ((unsigned long)given) & 0xffff);
+	}
+    }
+  else
+    {
+      info->fprintf_func(info->stream, "%08lx      ",
+			 ((unsigned long)given) & 0xffffffff);
+    }
+
   printer (pc, info, given);
 
   if (is_thumb)
commit ace1318b8ea95efa332fb3e8e159924d4f928753
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Jan 12 11:34:50 2011 +0100

    usb: zap pdev from usbport
    
    It isn't needed any more.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index f89176b..6e2e5fd 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -120,11 +120,10 @@ USBDevice *usb_create_simple(USBBus *bus, const char *name)
 }
 
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       USBDevice *pdev, USBPortOps *ops, int speedmask)
+                       USBPortOps *ops, int speedmask)
 {
     port->opaque = opaque;
     port->index = index;
-    port->pdev = pdev;
     port->opaque = opaque;
     port->index = index;
     port->ops = ops;
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 387c40c..78698ca 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -536,7 +536,7 @@ static int usb_hub_initfn(USBDevice *dev)
     for (i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
-                          &port->port, s, i, &s->dev, &usb_hub_port_ops,
+                          &port->port, s, i, &usb_hub_port_ops,
                           USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
         port->wPortStatus = PORT_STAT_POWER;
         port->wPortChange = 0;
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 4b5f35b..782cfa2 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -349,7 +349,7 @@ struct MUSBState {
     }
 
     usb_bus_new(&s->bus, NULL /* FIXME */);
-    usb_register_port(&s->bus, &s->port, s, 0, NULL, &musb_port_ops,
+    usb_register_port(&s->bus, &s->port, s, 0, &musb_port_ops,
                       USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
     usb_port_location(&s->port, NULL, 1);
 
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 6344f81..09ea0b6 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1699,7 +1699,7 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
     usb_bus_new(&ohci->bus, dev);
     ohci->num_ports = num_ports;
     for (i = 0; i < num_ports; i++) {
-        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, &ohci_port_ops,
+        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, &ohci_port_ops,
                           USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
         usb_port_location(&ohci->rhport[i].port, NULL, i+1);
     }
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 6db1960..b384e1d 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -1129,7 +1129,7 @@ static int usb_uhci_common_initfn(UHCIState *s)
 
     usb_bus_new(&s->bus, &s->dev.qdev);
     for(i = 0; i < NB_PORTS; i++) {
-        usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, &uhci_port_ops,
+        usb_register_port(&s->bus, &s->ports[i].port, s, i, &uhci_port_ops,
                           USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
         usb_port_location(&s->ports[i].port, NULL, i+1);
     }
diff --git a/hw/usb.h b/hw/usb.h
index c6e3e25..5c1da3e 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -244,7 +244,6 @@ struct USBPort {
     char path[16];
     USBPortOps *ops;
     void *opaque;
-    USBDevice *pdev;
     int index; /* internal port index, may be used with the opaque */
     QTAILQ_ENTRY(USBPort) next;
 };
@@ -355,7 +354,7 @@ USBDevice *usb_create(USBBus *bus, const char *name);
 USBDevice *usb_create_simple(USBBus *bus, const char *name);
 USBDevice *usbdevice_create(const char *cmdline);
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       USBDevice *pdev, USBPortOps *ops, int speedmask);
+                       USBPortOps *ops, int speedmask);
 void usb_port_location(USBPort *downstream, USBPort *upstream, int portnr);
 void usb_unregister_port(USBBus *bus, USBPort *port);
 int usb_device_attach(USBDevice *dev);
commit 70d31cb22cb67745741b2bb349c9c7c3a184f88b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Jan 12 10:58:27 2011 +0100

    usb: rewrite fw path, fix numbering
    
    This patch rewrites the firmware path code to use the physical port
    location tracking just added to the qemu usb core.  It also fixes the
    port numbering to start with "1" in the firmware path.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 1f59f9a..f89176b 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -7,14 +7,14 @@
 static void usb_bus_dev_print(Monitor *mon, DeviceState *qdev, int indent);
 
 static char *usb_get_dev_path(DeviceState *dev);
-static char *usbbus_get_fw_dev_path(DeviceState *dev);
+static char *usb_get_fw_dev_path(DeviceState *qdev);
 
 static struct BusInfo usb_bus_info = {
     .name      = "USB",
     .size      = sizeof(USBBus),
     .print_dev = usb_bus_dev_print,
     .get_dev_path = usb_get_dev_path,
-    .get_fw_dev_path = usbbus_get_fw_dev_path,
+    .get_fw_dev_path = usb_get_fw_dev_path,
     .props      = (Property[]) {
         DEFINE_PROP_STRING("port", USBDevice, port_path),
         DEFINE_PROP_END_OF_LIST()
@@ -279,6 +279,30 @@ static char *usb_get_dev_path(DeviceState *qdev)
     return qemu_strdup(dev->port->path);
 }
 
+static char *usb_get_fw_dev_path(DeviceState *qdev)
+{
+    USBDevice *dev = DO_UPCAST(USBDevice, qdev, qdev);
+    char *fw_path, *in;
+    int pos = 0;
+    long nr;
+
+    fw_path = qemu_malloc(32 + strlen(dev->port->path) * 6);
+    in = dev->port->path;
+    while (true) {
+        nr = strtol(in, &in, 10);
+        if (in[0] == '.') {
+            /* some hub between root port and device */
+            pos += sprintf(fw_path + pos, "hub@%ld/", nr);
+            in++;
+        } else {
+            /* the device itself */
+            pos += sprintf(fw_path + pos, "%s@%ld", qdev_fw_name(qdev), nr);
+            break;
+        }
+    }
+    return fw_path;
+}
+
 void usb_info(Monitor *mon)
 {
     USBBus *bus;
@@ -351,43 +375,3 @@ USBDevice *usbdevice_create(const char *cmdline)
     }
     return usb->usbdevice_init(params);
 }
-
-static int usbbus_get_fw_dev_path_helper(USBDevice *d, USBBus *bus, char *p,
-                                         int len)
-{
-    int l = 0;
-    USBPort *port;
-
-    QTAILQ_FOREACH(port, &bus->used, next) {
-        if (port->dev == d) {
-            if (port->pdev) {
-                l = usbbus_get_fw_dev_path_helper(port->pdev, bus, p, len);
-            }
-            l += snprintf(p + l, len - l, "%s@%x/", qdev_fw_name(&d->qdev),
-                          port->index);
-            break;
-        }
-    }
-
-    return l;
-}
-
-static char *usbbus_get_fw_dev_path(DeviceState *dev)
-{
-    USBDevice *d = (USBDevice*)dev;
-    USBBus *bus = usb_bus_from_device(d);
-    char path[100];
-    int l;
-
-    assert(d->attached != 0);
-
-    l = usbbus_get_fw_dev_path_helper(d, bus, path, sizeof(path));
-
-    if (l == 0) {
-        abort();
-    }
-
-    path[l-1] = '\0';
-
-    return strdup(path);
-}
commit 56779034530944eb6171d843f652f3fba710ed30
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 10 18:30:05 2011 +0100

    tcg arm/mips/ia64: add a comment about retranslation and caches
    
    Add a comment about cache coherency and retranslation, so that people
    developping new targets based on existing ones are warned of the issue.
    
    Acked-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c
index 1eb5605..918e2f7 100644
--- a/tcg/arm/tcg-target.c
+++ b/tcg/arm/tcg-target.c
@@ -352,6 +352,9 @@ static inline void tcg_out_b(TCGContext *s, int cond, int32_t offset)
 
 static inline void tcg_out_b_noaddr(TCGContext *s, int cond)
 {
+    /* We pay attention here to not modify the branch target by skipping
+       the corresponding bytes. This ensure that caches and memory are
+       kept coherent during retranslation. */
 #ifdef HOST_WORDS_BIGENDIAN
     tcg_out8(s, (cond << 4) | 0x0a);
     s->code_ptr += 3;
diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index e2e44f7..8dac7f7 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -871,6 +871,9 @@ static void tcg_out_br(TCGContext *s, int label_index)
 {
     TCGLabel *l = &s->labels[label_index];
 
+    /* We pay attention here to not modify the branch target by reading
+       the existing value and using it again. This ensure that caches and
+       memory are kept coherent during retranslation. */
     tcg_out_bundle(s, mmB,
                    tcg_opc_m48(TCG_REG_P0, OPC_NOP_M48, 0),
                    tcg_opc_m48(TCG_REG_P0, OPC_NOP_M48, 0),
diff --git a/tcg/mips/tcg-target.c b/tcg/mips/tcg-target.c
index 4e92a50..e04b0dc 100644
--- a/tcg/mips/tcg-target.c
+++ b/tcg/mips/tcg-target.c
@@ -351,7 +351,9 @@ static inline void tcg_out_opc_imm(TCGContext *s, int opc, int rt, int rs, int i
  */
 static inline void tcg_out_opc_br(TCGContext *s, int opc, int rt, int rs)
 {
-    /* We need to keep the offset unchanged for retranslation */
+    /* We pay attention here to not modify the branch target by reading
+       the existing value and using it again. This ensure that caches and
+       memory are kept coherent during retranslation. */
     uint16_t offset = (uint16_t)(*(uint32_t *) s->code_ptr);
 
     tcg_out_opc_imm(s, opc, rt, rs, offset);
commit dace20dcc98f90a931e88aa641f5633cdcf30c30
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Jan 10 13:11:24 2011 +0000

    linux-user: Add configure check for linux/fiemap.h and IOC_FS_FIEMAP
    
    Add a configure check for the existence of linux/fiemap.h and the
    IOC_FS_FIEMAP ioctl. This fixes a compilation failure on Linux
    systems which don't have that header file.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/configure b/configure
index 831a741..438219b 100755
--- a/configure
+++ b/configure
@@ -2090,6 +2090,23 @@ if compile_prog "$ARCH_CFLAGS" "" ; then
   sync_file_range=yes
 fi
 
+# check for linux/fiemap.h and FS_IOC_FIEMAP
+fiemap=no
+cat > $TMPC << EOF
+#include <sys/ioctl.h>
+#include <linux/fs.h>
+#include <linux/fiemap.h>
+
+int main(void)
+{
+    ioctl(0, FS_IOC_FIEMAP, 0);
+    return 0;
+}
+EOF
+if compile_prog "$ARCH_CFLAGS" "" ; then
+  fiemap=yes
+fi
+
 # check for dup3
 dup3=no
 cat > $TMPC << EOF
@@ -2631,6 +2648,9 @@ fi
 if test "$sync_file_range" = "yes" ; then
   echo "CONFIG_SYNC_FILE_RANGE=y" >> $config_host_mak
 fi
+if test "$fiemap" = "yes" ; then
+  echo "CONFIG_FIEMAP=y" >> $config_host_mak
+fi
 if test "$dup3" = "yes" ; then
   echo "CONFIG_DUP3=y" >> $config_host_mak
 fi
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index 538e257..acff781 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -76,7 +76,7 @@
 #ifdef FIGETBSZ
      IOCTL(FIGETBSZ, IOC_R, MK_PTR(TYPE_LONG))
 #endif
-#ifdef FS_IOC_FIEMAP
+#ifdef CONFIG_FIEMAP
      IOCTL_SPECIAL(FS_IOC_FIEMAP, IOC_W | IOC_R, do_ioctl_fs_ioc_fiemap,
                    MK_PTR(MK_STRUCT(STRUCT_fiemap)))
 #endif
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index f10e17a..499c4d7 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -83,7 +83,9 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
 #include <linux/kd.h>
 #include <linux/mtio.h>
 #include <linux/fs.h>
+#if defined(CONFIG_FIEMAP)
 #include <linux/fiemap.h>
+#endif
 #include <linux/fb.h>
 #include <linux/vt.h>
 #include "linux_loop.h"
@@ -2986,6 +2988,7 @@ struct IOCTLEntry {
 
 #define MAX_STRUCT_SIZE 4096
 
+#ifdef CONFIG_FIEMAP
 /* So fiemap access checks don't overflow on 32 bit systems.
  * This is very slightly smaller than the limit imposed by
  * the underlying kernel.
@@ -3072,6 +3075,7 @@ static abi_long do_ioctl_fs_ioc_fiemap(const IOCTLEntry *ie, uint8_t *buf_temp,
     }
     return ret;
 }
+#endif
 
 static IOCTLEntry ioctl_entries[] = {
 #define IOCTL(cmd, access, ...) \
commit 0322b26e2d451c3c0fe5f54b1ff4fa18a17525aa
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Sat Jan 8 16:01:16 2011 +0000

    ARM: Fix decoding of VQSHL/VQSHLU immediate forms
    
    Fix errors in the decoding of ARM VQSHL/VQSHLU immediate forms,
    including using the new VQSHLU helper functions where appropriate.
    
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 2ce82f3..57664bc 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4652,14 +4652,22 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                         case 5: /* VSHL, VSLI */
                             gen_helper_neon_shl_u64(cpu_V0, cpu_V0, cpu_V1);
                             break;
-                        case 6: /* VQSHL */
-                            if (u)
-                                gen_helper_neon_qshl_u64(cpu_V0, cpu_env, cpu_V0, cpu_V1);
-                            else
-                                gen_helper_neon_qshl_s64(cpu_V0, cpu_env, cpu_V0, cpu_V1);
+                        case 6: /* VQSHLU */
+                            if (u) {
+                                gen_helper_neon_qshlu_s64(cpu_V0, cpu_env,
+                                                          cpu_V0, cpu_V1);
+                            } else {
+                                return 1;
+                            }
                             break;
-                        case 7: /* VQSHLU */
-                            gen_helper_neon_qshl_u64(cpu_V0, cpu_env, cpu_V0, cpu_V1);
+                        case 7: /* VQSHL */
+                            if (u) {
+                                gen_helper_neon_qshl_u64(cpu_V0, cpu_env,
+                                                         cpu_V0, cpu_V1);
+                            } else {
+                                gen_helper_neon_qshl_s64(cpu_V0, cpu_env,
+                                                         cpu_V0, cpu_V1);
+                            }
                             break;
                         }
                         if (op == 1 || op == 3) {
@@ -4698,17 +4706,30 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                             default: return 1;
                             }
                             break;
-                        case 6: /* VQSHL */
-                            GEN_NEON_INTEGER_OP_ENV(qshl);
-                            break;
-                        case 7: /* VQSHLU */
+                        case 6: /* VQSHLU */
+                            if (!u) {
+                                return 1;
+                            }
                             switch (size) {
-                            case 0: gen_helper_neon_qshl_u8(tmp, cpu_env, tmp, tmp2); break;
-                            case 1: gen_helper_neon_qshl_u16(tmp, cpu_env, tmp, tmp2); break;
-                            case 2: gen_helper_neon_qshl_u32(tmp, cpu_env, tmp, tmp2); break;
-                            default: return 1;
+                            case 0:
+                                gen_helper_neon_qshlu_s8(tmp, cpu_env,
+                                                         tmp, tmp2);
+                                break;
+                            case 1:
+                                gen_helper_neon_qshlu_s16(tmp, cpu_env,
+                                                          tmp, tmp2);
+                                break;
+                            case 2:
+                                gen_helper_neon_qshlu_s32(tmp, cpu_env,
+                                                          tmp, tmp2);
+                                break;
+                            default:
+                                return 1;
                             }
                             break;
+                        case 7: /* VQSHL */
+                            GEN_NEON_INTEGER_OP_ENV(qshl);
+                            break;
                         }
                         dead_tmp(tmp2);
 
commit 4ca4502c93a7ebc358d4e3b5574574e1d84f64b2
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Sat Jan 8 16:01:15 2011 +0000

    ARM: add neon helpers for VQSHLU
    
    Add neon helper functions to implement VQSHLU, which is a
    signed-to-unsigned version of VQSHL available only as an
    immediate form.
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Reviewed-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helpers.h b/target-arm/helpers.h
index 0d1bc47..b88ebae 100644
--- a/target-arm/helpers.h
+++ b/target-arm/helpers.h
@@ -249,6 +249,10 @@ DEF_HELPER_3(neon_qshl_u32, i32, env, i32, i32)
 DEF_HELPER_3(neon_qshl_s32, i32, env, i32, i32)
 DEF_HELPER_3(neon_qshl_u64, i64, env, i64, i64)
 DEF_HELPER_3(neon_qshl_s64, i64, env, i64, i64)
+DEF_HELPER_3(neon_qshlu_s8, i32, env, i32, i32);
+DEF_HELPER_3(neon_qshlu_s16, i32, env, i32, i32);
+DEF_HELPER_3(neon_qshlu_s32, i32, env, i32, i32);
+DEF_HELPER_3(neon_qshlu_s64, i64, env, i64, i64);
 DEF_HELPER_3(neon_qrshl_u8, i32, env, i32, i32)
 DEF_HELPER_3(neon_qrshl_s8, i32, env, i32, i32)
 DEF_HELPER_3(neon_qrshl_u16, i32, env, i32, i32)
diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index dae063e..20f3c16 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -632,6 +632,53 @@ uint64_t HELPER(neon_qshl_s64)(CPUState *env, uint64_t valop, uint64_t shiftop)
     return val;
 }
 
+#define NEON_FN(dest, src1, src2) do { \
+    if (src1 & (1 << (sizeof(src1) * 8 - 1))) { \
+        SET_QC(); \
+        dest = 0; \
+    } else { \
+        int8_t tmp; \
+        tmp = (int8_t)src2; \
+        if (tmp >= (ssize_t)sizeof(src1) * 8) { \
+            if (src1) { \
+                SET_QC(); \
+                dest = ~0; \
+            } else { \
+                dest = 0; \
+            } \
+        } else if (tmp <= -(ssize_t)sizeof(src1) * 8) { \
+            dest = 0; \
+        } else if (tmp < 0) { \
+            dest = src1 >> -tmp; \
+        } else { \
+            dest = src1 << tmp; \
+            if ((dest >> tmp) != src1) { \
+                SET_QC(); \
+                dest = ~0; \
+            } \
+        } \
+    }} while (0)
+NEON_VOP_ENV(qshlu_s8, neon_u8, 4)
+NEON_VOP_ENV(qshlu_s16, neon_u16, 2)
+#undef NEON_FN
+
+uint32_t HELPER(neon_qshlu_s32)(CPUState *env, uint32_t valop, uint32_t shiftop)
+{
+    if ((int32_t)valop < 0) {
+        SET_QC();
+        return 0;
+    }
+    return helper_neon_qshl_u32(env, valop, shiftop);
+}
+
+uint64_t HELPER(neon_qshlu_s64)(CPUState *env, uint64_t valop, uint64_t shiftop)
+{
+    if ((int64_t)valop < 0) {
+        SET_QC();
+        return 0;
+    }
+    return helper_neon_qshl_u64(env, valop, shiftop);
+}
 
 /* FIXME: This is wrong.  */
 #define NEON_FN(dest, src1, src2) do { \
commit 5f69076b8dda325dcbbc87bdb00e04ffac0f6137
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 10 11:43:35 2010 +0100

    usb: add port property.
    
    This allows to explictily set the physical port where you want to
    plug the usb device.  Example:
    
      -device usb-tablet,bus=usb.0,port=2
    
    With explicit port addressing qemu can and will not automagically add
    USB Hubs.  This means that:
    
      (a) You can plug two devices of your choice into the two uhci
          root ports.
      (b) If you want plug in more that two devices you have to care
          about adding a hub yourself.
    
    Plugging a hub works this way:
    
      -device usb-hub,bus=usb.0,port=1
    
    Use this to add a device to the hub:
    
      -device usb-tablet,bus=usb.0,port=1.1
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 0cb03c9..1f59f9a 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -15,6 +15,10 @@ static struct BusInfo usb_bus_info = {
     .print_dev = usb_bus_dev_print,
     .get_dev_path = usb_get_dev_path,
     .get_fw_dev_path = usbbus_get_fw_dev_path,
+    .props      = (Property[]) {
+        DEFINE_PROP_STRING("port", USBDevice, port_path),
+        DEFINE_PROP_END_OF_LIST()
+    },
 };
 static int next_usb_bus = 0;
 static QTAILQ_HEAD(, USBBus) busses = QTAILQ_HEAD_INITIALIZER(busses);
@@ -157,9 +161,22 @@ static void do_attach(USBDevice *dev)
                 dev->product_desc);
         return;
     }
-    dev->attached++;
+    if (dev->port_path) {
+        QTAILQ_FOREACH(port, &bus->free, next) {
+            if (strcmp(port->path, dev->port_path) == 0) {
+                break;
+            }
+        }
+        if (port == NULL) {
+            fprintf(stderr, "Warning: usb port %s (bus %s) not found\n",
+                    dev->port_path, bus->qbus.name);
+            return;
+        }
+    } else {
+        port = QTAILQ_FIRST(&bus->free);
+    }
 
-    port = QTAILQ_FIRST(&bus->free);
+    dev->attached++;
     QTAILQ_REMOVE(&bus->free, port, next);
     bus->nfree--;
 
@@ -173,8 +190,9 @@ int usb_device_attach(USBDevice *dev)
 {
     USBBus *bus = usb_bus_from_device(dev);
 
-    if (bus->nfree == 1) {
-        /* Create a new hub and chain it on.  */
+    if (bus->nfree == 1 && dev->port_path == NULL) {
+        /* Create a new hub and chain it on
+           (unless a physical port location is specified). */
         usb_create_simple(bus, "usb-hub");
     }
     do_attach(dev);
diff --git a/hw/usb.h b/hw/usb.h
index 8fdda29..c6e3e25 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -156,6 +156,7 @@ struct USBDevice {
     DeviceState qdev;
     USBDeviceInfo *info;
     USBPort *port;
+    char *port_path;
     void *opaque;
 
     int speed;
commit 86865c5ff16bd1a2ef2b9ce217a7bb8f39e2126c
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 11 16:13:34 2011 +0100

    target-sh4: fix fpu disabled/illegal exception
    
    Illegal instructions in a slot delay should generate a slot illegal
    instruction exception instead of an illegal instruction exception.
    
    The current PC should be saved before generating such an exception,
    but should not be corrected if in a delay slot, given it's already
    done in the exception handler do_interrupt().
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index f418139..37915d5 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -469,27 +469,30 @@ static inline void gen_store_fpr64 (TCGv_i64 t, int reg)
 #define CHECK_NOT_DELAY_SLOT \
   if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL))     \
   {                                                           \
-      tcg_gen_movi_i32(cpu_pc, ctx->pc-2);                    \
+      tcg_gen_movi_i32(cpu_pc, ctx->pc);                      \
       gen_helper_raise_slot_illegal_instruction();            \
       ctx->bstate = BS_EXCP;                                  \
       return;                                                 \
   }
 
-#define CHECK_PRIVILEGED                                      \
-  if (IS_USER(ctx)) {                                         \
-      tcg_gen_movi_i32(cpu_pc, ctx->pc);                      \
-      gen_helper_raise_illegal_instruction();                 \
-      ctx->bstate = BS_EXCP;                                  \
-      return;                                                 \
+#define CHECK_PRIVILEGED                                        \
+  if (IS_USER(ctx)) {                                           \
+      tcg_gen_movi_i32(cpu_pc, ctx->pc);                        \
+      if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) { \
+         gen_helper_raise_slot_illegal_instruction();           \
+      } else {                                                  \
+         gen_helper_raise_illegal_instruction();                \
+      }                                                         \
+      ctx->bstate = BS_EXCP;                                    \
+      return;                                                   \
   }
 
 #define CHECK_FPU_ENABLED                                       \
   if (ctx->flags & SR_FD) {                                     \
+      tcg_gen_movi_i32(cpu_pc, ctx->pc);                        \
       if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) { \
-          tcg_gen_movi_i32(cpu_pc, ctx->pc-2);                  \
           gen_helper_raise_slot_fpu_disable();                  \
       } else {                                                  \
-          tcg_gen_movi_i32(cpu_pc, ctx->pc);                    \
           gen_helper_raise_fpu_disable();                       \
       }                                                         \
       ctx->bstate = BS_EXCP;                                    \
@@ -1860,7 +1863,12 @@ static void _decode_opc(DisasContext * ctx)
 	    ctx->opcode, ctx->pc);
     fflush(stderr);
 #endif
-    gen_helper_raise_illegal_instruction();
+    tcg_gen_movi_i32(cpu_pc, ctx->pc);
+    if (ctx->flags & (DELAY_SLOT | DELAY_SLOT_CONDITIONAL)) {
+       gen_helper_raise_slot_illegal_instruction();
+    } else {
+       gen_helper_raise_illegal_instruction();
+    }
     ctx->bstate = BS_EXCP;
 }
 
commit c7a2196a4fcdaba977b99aca0b6a6de5e5e7f64a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 10 11:37:45 2010 +0100

    usb: keep track of physical port address.
    
    Add a path string to USBPort.  Add usb_port_location() function to set
    the physical location of the usb port.  Update all drivers implementing
    usb ports to call it.  Update the monitor commands to print it.  Wind it
    up in qdev.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index e94b88d..0cb03c9 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -5,12 +5,15 @@
 #include "monitor.h"
 
 static void usb_bus_dev_print(Monitor *mon, DeviceState *qdev, int indent);
+
+static char *usb_get_dev_path(DeviceState *dev);
 static char *usbbus_get_fw_dev_path(DeviceState *dev);
 
 static struct BusInfo usb_bus_info = {
     .name      = "USB",
     .size      = sizeof(USBBus),
     .print_dev = usb_bus_dev_print,
+    .get_dev_path = usb_get_dev_path,
     .get_fw_dev_path = usbbus_get_fw_dev_path,
 };
 static int next_usb_bus = 0;
@@ -126,6 +129,16 @@ void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
     bus->nfree++;
 }
 
+void usb_port_location(USBPort *downstream, USBPort *upstream, int portnr)
+{
+    if (upstream) {
+        snprintf(downstream->path, sizeof(downstream->path), "%s.%d",
+                 upstream->path, portnr);
+    } else {
+        snprintf(downstream->path, sizeof(downstream->path), "%d", portnr);
+    }
+}
+
 void usb_unregister_port(USBBus *bus, USBPort *port)
 {
     if (port->dev)
@@ -235,12 +248,19 @@ static void usb_bus_dev_print(Monitor *mon, DeviceState *qdev, int indent)
     USBDevice *dev = DO_UPCAST(USBDevice, qdev, qdev);
     USBBus *bus = usb_bus_from_device(dev);
 
-    monitor_printf(mon, "%*saddr %d.%d, speed %s, name %s%s\n",
+    monitor_printf(mon, "%*saddr %d.%d, port %s, speed %s, name %s%s\n",
                    indent, "", bus->busnr, dev->addr,
+                   dev->port ? dev->port->path : "-",
                    usb_speed(dev->speed), dev->product_desc,
                    dev->attached ? ", attached" : "");
 }
 
+static char *usb_get_dev_path(DeviceState *qdev)
+{
+    USBDevice *dev = DO_UPCAST(USBDevice, qdev, qdev);
+    return qemu_strdup(dev->port->path);
+}
+
 void usb_info(Monitor *mon)
 {
     USBBus *bus;
@@ -257,8 +277,8 @@ void usb_info(Monitor *mon)
             dev = port->dev;
             if (!dev)
                 continue;
-            monitor_printf(mon, "  Device %d.%d, Speed %s Mb/s, Product %s\n",
-                           bus->busnr, dev->addr, usb_speed(dev->speed),
+            monitor_printf(mon, "  Device %d.%d, Port %s, Speed %s Mb/s, Product %s\n",
+                           bus->busnr, dev->addr, port->path, usb_speed(dev->speed),
                            dev->product_desc);
         }
     }
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index ba712d6..387c40c 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -256,6 +256,16 @@ static void usb_hub_wakeup(USBDevice *dev)
     }
 }
 
+static void usb_hub_handle_attach(USBDevice *dev)
+{
+    USBHubState *s = DO_UPCAST(USBHubState, dev, dev);
+    int i;
+
+    for (i = 0; i < NUM_PORTS; i++) {
+        usb_port_location(&s->ports[i].port, dev->port, i+1);
+    }
+}
+
 static void usb_hub_handle_reset(USBDevice *dev)
 {
     /* XXX: do it */
@@ -542,6 +552,7 @@ static struct USBDeviceInfo hub_info = {
     .usb_desc       = &desc_hub,
     .init           = usb_hub_initfn,
     .handle_packet  = usb_hub_handle_packet,
+    .handle_attach  = usb_hub_handle_attach,
     .handle_reset   = usb_hub_handle_reset,
     .handle_control = usb_hub_handle_control,
     .handle_data    = usb_hub_handle_data,
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 87eb9ca..4b5f35b 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -351,6 +351,7 @@ struct MUSBState {
     usb_bus_new(&s->bus, NULL /* FIXME */);
     usb_register_port(&s->bus, &s->port, s, 0, NULL, &musb_port_ops,
                       USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
+    usb_port_location(&s->port, NULL, 1);
 
     return s;
 }
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 0d42716..6344f81 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1701,6 +1701,7 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
     for (i = 0; i < num_ports; i++) {
         usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, &ohci_port_ops,
                           USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
+        usb_port_location(&ohci->rhport[i].port, NULL, i+1);
     }
 
     ohci->async_td = 0;
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 253561f..6db1960 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -1131,6 +1131,7 @@ static int usb_uhci_common_initfn(UHCIState *s)
     for(i = 0; i < NB_PORTS; i++) {
         usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, &uhci_port_ops,
                           USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
+        usb_port_location(&s->ports[i].port, NULL, i+1);
     }
     s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
     s->expire_time = qemu_get_clock(vm_clock) +
diff --git a/hw/usb.h b/hw/usb.h
index 99139e2..8fdda29 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -240,6 +240,7 @@ typedef struct USBPortOps {
 struct USBPort {
     USBDevice *dev;
     int speedmask;
+    char path[16];
     USBPortOps *ops;
     void *opaque;
     USBDevice *pdev;
@@ -354,6 +355,7 @@ USBDevice *usb_create_simple(USBBus *bus, const char *name);
 USBDevice *usbdevice_create(const char *cmdline);
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
                        USBDevice *pdev, USBPortOps *ops, int speedmask);
+void usb_port_location(USBPort *downstream, USBPort *upstream, int portnr);
 void usb_unregister_port(USBBus *bus, USBPort *port);
 int usb_device_attach(USBDevice *dev);
 int usb_device_detach(USBDevice *dev);
commit fa7935c1e1f84b600fcb1983485352b8d99e01d3
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Dec 9 23:31:49 2010 +0100

    usb storage: handle long responses
    
    The scsi layer may return us more data than the guests wants to have.
    Handle this by just ignoring the extra bytes and calling the
    {read,write}_data callback to finish the request.
    
    Seen happening in real life with some extended inquiry command.
    With this patch applied the linux kernel stops reseting the device
    once at boot.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 28c12dd..729d96c 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -187,7 +187,7 @@ static void usb_msd_copy_data(MSDState *s)
     s->usb_buf += len;
     s->scsi_buf += len;
     s->data_len -= len;
-    if (s->scsi_len == 0) {
+    if (s->scsi_len == 0 || s->data_len == 0) {
         if (s->mode == USB_MSDM_DATAIN) {
             s->scsi_dev->info->read_data(s->scsi_dev, s->tag);
         } else if (s->mode == USB_MSDM_DATAOUT) {
@@ -434,7 +434,7 @@ static int usb_msd_handle_data(USBDevice *dev, USBPacket *p)
             break;
 
         case USB_MSDM_DATAIN:
-            DPRINTF("Data in %d/%d\n", len, s->data_len);
+            DPRINTF("Data in %d/%d, scsi_len %d\n", len, s->data_len, s->scsi_len);
             if (len > s->data_len)
                 len = s->data_len;
             s->usb_buf = data;
commit ab4797ad2ec34e63ee8751fbd3e5d0a9888eaf4a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Dec 9 10:36:35 2010 +0100

    usb storage: fix status reporting
    
    Change usb_msd_send_status() to take a pointer to the status packet
    instead of writing the status to s->usb_buf which might not point
    to the correct location.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 7b8189f..28c12dd 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -196,15 +196,18 @@ static void usb_msd_copy_data(MSDState *s)
     }
 }
 
-static void usb_msd_send_status(MSDState *s)
+static void usb_msd_send_status(MSDState *s, USBPacket *p)
 {
     struct usb_msd_csw csw;
+    int len;
 
     csw.sig = cpu_to_le32(0x53425355);
     csw.tag = cpu_to_le32(s->tag);
     csw.residue = s->residue;
     csw.status = s->result;
-    memcpy(s->usb_buf, &csw, 13);
+
+    len = MIN(sizeof(csw), p->len);
+    memcpy(p->data, &csw, len);
 }
 
 static void usb_msd_command_complete(SCSIBus *bus, int reason, uint32_t tag,
@@ -224,7 +227,7 @@ static void usb_msd_command_complete(SCSIBus *bus, int reason, uint32_t tag,
             if (s->data_len == 0 && s->mode == USB_MSDM_DATAOUT) {
                 /* A deferred packet with no write data remaining must be
                    the status read packet.  */
-                usb_msd_send_status(s);
+                usb_msd_send_status(s, p);
                 s->mode = USB_MSDM_CBW;
             } else {
                 if (s->data_len) {
@@ -425,9 +428,7 @@ static int usb_msd_handle_data(USBDevice *dev, USBPacket *p)
             if (len < 13)
                 goto fail;
 
-            s->usb_len = len;
-            s->usb_buf = data;
-            usb_msd_send_status(s);
+            usb_msd_send_status(s, p);
             s->mode = USB_MSDM_CBW;
             ret = 13;
             break;
commit ca0c730df977abd7ca24afd17fa640f1af47f0b1
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 3 17:12:49 2010 +0100

    usb storage: high speed support
    
    Add high speed support to the usb mass storage device.  With this patch
    applied the linux kernel recognises the usb storage device as highspeed
    capable device and suggests to connect it to a highspeed port instead of
    the uhci.  Tested with both uhci and (not-yet submitted) ehci.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 74e657e..7b8189f 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -77,15 +77,19 @@ enum {
     STR_MANUFACTURER = 1,
     STR_PRODUCT,
     STR_SERIALNUMBER,
+    STR_CONFIG_FULL,
+    STR_CONFIG_HIGH,
 };
 
 static const USBDescStrings desc_strings = {
     [STR_MANUFACTURER] = "QEMU " QEMU_VERSION,
     [STR_PRODUCT]      = "QEMU USB HARDDRIVE",
     [STR_SERIALNUMBER] = "1",
+    [STR_CONFIG_FULL]  = "Full speed config (usb 1.1)",
+    [STR_CONFIG_HIGH]  = "High speed config (usb 2.0)",
 };
 
-static const USBDescIface desc_iface0 = {
+static const USBDescIface desc_iface_full = {
     .bInterfaceNumber              = 0,
     .bNumEndpoints                 = 2,
     .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
@@ -104,16 +108,51 @@ static const USBDescIface desc_iface0 = {
     }
 };
 
-static const USBDescDevice desc_device = {
-    .bcdUSB                        = 0x0100,
+static const USBDescDevice desc_device_full = {
+    .bcdUSB                        = 0x0200,
     .bMaxPacketSize0               = 8,
     .bNumConfigurations            = 1,
     .confs = (USBDescConfig[]) {
         {
             .bNumInterfaces        = 1,
             .bConfigurationValue   = 1,
+            .iConfiguration        = STR_CONFIG_FULL,
             .bmAttributes          = 0xc0,
-            .ifs = &desc_iface0,
+            .ifs = &desc_iface_full,
+        },
+    },
+};
+
+static const USBDescIface desc_iface_high = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 2,
+    .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
+    .bInterfaceSubClass            = 0x06, /* SCSI */
+    .bInterfaceProtocol            = 0x50, /* Bulk */
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+            .wMaxPacketSize        = 512,
+        },{
+            .bEndpointAddress      = USB_DIR_OUT | 0x02,
+            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+            .wMaxPacketSize        = 512,
+        },
+    }
+};
+
+static const USBDescDevice desc_device_high = {
+    .bcdUSB                        = 0x0200,
+    .bMaxPacketSize0               = 64,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .iConfiguration        = STR_CONFIG_HIGH,
+            .bmAttributes          = 0xc0,
+            .ifs = &desc_iface_high,
         },
     },
 };
@@ -127,7 +166,8 @@ static const USBDesc desc = {
         .iProduct          = STR_PRODUCT,
         .iSerialNumber     = STR_SERIALNUMBER,
     },
-    .full = &desc_device,
+    .full = &desc_device_full,
+    .high = &desc_device_high,
     .str  = desc_strings,
 };
 
@@ -558,6 +598,7 @@ static struct USBDeviceInfo msd_info = {
     .usb_desc       = &desc,
     .init           = usb_msd_initfn,
     .handle_packet  = usb_generic_handle_packet,
+    .handle_attach  = usb_desc_attach,
     .handle_reset   = usb_msd_handle_reset,
     .handle_control = usb_msd_handle_control,
     .handle_data    = usb_msd_handle_data,
commit 25620cba94d7ca126a24d74ce6f2ac42aa9a2fe8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 8 17:35:22 2010 +0100

    usb: add device qualifier support
    
    Add support for device_qualifier and other_speed_config descriptors.
    These are used to query the "other speed" configuration of usb 2.0
    devices, i.e. in high-speed mode they return the full-speed
    configuration and visa versa.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-desc.c b/hw/usb-desc.c
index f01e1cf..62591f2 100644
--- a/hw/usb-desc.c
+++ b/hw/usb-desc.c
@@ -48,6 +48,30 @@ int usb_desc_device(const USBDescID *id, const USBDescDevice *dev,
     return bLength;
 }
 
+int usb_desc_device_qualifier(const USBDescDevice *dev,
+                              uint8_t *dest, size_t len)
+{
+    uint8_t bLength = 0x0a;
+
+    if (len < bLength) {
+        return -1;
+    }
+
+    dest[0x00] = bLength;
+    dest[0x01] = USB_DT_DEVICE_QUALIFIER;
+
+    dest[0x02] = usb_lo(dev->bcdUSB);
+    dest[0x03] = usb_hi(dev->bcdUSB);
+    dest[0x04] = dev->bDeviceClass;
+    dest[0x05] = dev->bDeviceSubClass;
+    dest[0x06] = dev->bDeviceProtocol;
+    dest[0x07] = dev->bMaxPacketSize0;
+    dest[0x08] = dev->bNumConfigurations;
+    dest[0x09] = 0; /* reserved */
+
+    return bLength;
+}
+
 int usb_desc_config(const USBDescConfig *conf, uint8_t *dest, size_t len)
 {
     uint8_t  bLength = 0x09;
@@ -263,11 +287,18 @@ int usb_desc_string(USBDevice *dev, int index, uint8_t *dest, size_t len)
 int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len)
 {
     const USBDesc *desc = dev->info->usb_desc;
+    const USBDescDevice *other_dev;
     uint8_t buf[256];
     uint8_t type = value >> 8;
     uint8_t index = value & 0xff;
     int ret = -1;
 
+    if (dev->speed == USB_SPEED_HIGH) {
+        other_dev = dev->info->usb_desc->full;
+    } else {
+        other_dev = dev->info->usb_desc->high;
+    }
+
     switch(type) {
     case USB_DT_DEVICE:
         ret = usb_desc_device(&desc->id, dev->device, buf, sizeof(buf));
@@ -283,6 +314,21 @@ int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len
         ret = usb_desc_string(dev, index, buf, sizeof(buf));
         trace_usb_desc_string(dev->addr, index, len, ret);
         break;
+
+    case USB_DT_DEVICE_QUALIFIER:
+        if (other_dev != NULL) {
+            ret = usb_desc_device_qualifier(other_dev, buf, sizeof(buf));
+        }
+        trace_usb_desc_device_qualifier(dev->addr, len, ret);
+        break;
+    case USB_DT_OTHER_SPEED_CONFIG:
+        if (other_dev != NULL && index < other_dev->bNumConfigurations) {
+            ret = usb_desc_config(other_dev->confs + index, buf, sizeof(buf));
+            buf[0x01] = USB_DT_OTHER_SPEED_CONFIG;
+        }
+        trace_usb_desc_other_speed_config(dev->addr, index, len, ret);
+        break;
+
     default:
         fprintf(stderr, "%s: %d unknown type %d (len %zd)\n", __FUNCTION__,
                 dev->addr, type, len);
diff --git a/hw/usb-desc.h b/hw/usb-desc.h
index 484c7c7..ac734ab 100644
--- a/hw/usb-desc.h
+++ b/hw/usb-desc.h
@@ -72,6 +72,8 @@ struct USBDesc {
 /* generate usb packages from structs */
 int usb_desc_device(const USBDescID *id, const USBDescDevice *dev,
                     uint8_t *dest, size_t len);
+int usb_desc_device_qualifier(const USBDescDevice *dev,
+                              uint8_t *dest, size_t len);
 int usb_desc_config(const USBDescConfig *conf, uint8_t *dest, size_t len);
 int usb_desc_iface(const USBDescIface *iface, uint8_t *dest, size_t len);
 int usb_desc_endpoint(const USBDescEndpoint *ep, uint8_t *dest, size_t len);
diff --git a/hw/usb.h b/hw/usb.h
index 892ff72..99139e2 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -122,6 +122,8 @@
 #define USB_DT_STRING			0x03
 #define USB_DT_INTERFACE		0x04
 #define USB_DT_ENDPOINT			0x05
+#define USB_DT_DEVICE_QUALIFIER         0x06
+#define USB_DT_OTHER_SPEED_CONFIG       0x07
 
 #define USB_ENDPOINT_XFER_CONTROL	0
 #define USB_ENDPOINT_XFER_ISOC		1
diff --git a/trace-events b/trace-events
index 45e7582..19cee6a 100644
--- a/trace-events
+++ b/trace-events
@@ -192,7 +192,9 @@ disable sun4m_iommu_bad_addr(uint64_t addr) "bad addr %"PRIx64""
 
 # hw/usb-desc.c
 disable usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
+disable usb_desc_device_qualifier(int addr, int len, int ret) "dev %d query device qualifier, len %d, ret %d"
 disable usb_desc_config(int addr, int index, int len, int ret) "dev %d query config %d, len %d, ret %d"
+disable usb_desc_other_speed_config(int addr, int index, int len, int ret) "dev %d query config %d, len %d, ret %d"
 disable usb_desc_string(int addr, int index, int len, int ret) "dev %d query string %d, len %d, ret %d"
 disable usb_set_addr(int addr) "dev %d"
 disable usb_set_config(int addr, int config, int ret) "dev %d, config %d, ret %d"
commit 32d41919784abe56b10f6d7784c00bb27e4f4d39
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 3 18:07:20 2010 +0100

    usb: add usb_desc_attach
    
    Add usb_desc_attach() which sets up the device according to the speed
    the usb port is able to handle.  This function can be hooked into the
    handle_attach callback.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-desc.c b/hw/usb-desc.c
index 56ef734..f01e1cf 100644
--- a/hw/usb-desc.c
+++ b/hw/usb-desc.c
@@ -153,16 +153,46 @@ int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len)
 
 /* ------------------------------------------------------------------ */
 
-void usb_desc_init(USBDevice *dev)
+static void usb_desc_setdefaults(USBDevice *dev)
 {
     const USBDesc *desc = dev->info->usb_desc;
 
     assert(desc != NULL);
-    dev->speed  = USB_SPEED_FULL;
-    dev->device = desc->full;
+    switch (dev->speed) {
+    case USB_SPEED_LOW:
+    case USB_SPEED_FULL:
+        dev->device = desc->full;
+        break;
+    case USB_SPEED_HIGH:
+        dev->device = desc->high;
+        break;
+    }
     dev->config = dev->device->confs;
 }
 
+void usb_desc_init(USBDevice *dev)
+{
+    dev->speed = USB_SPEED_FULL;
+    usb_desc_setdefaults(dev);
+}
+
+void usb_desc_attach(USBDevice *dev)
+{
+    const USBDesc *desc = dev->info->usb_desc;
+
+    assert(desc != NULL);
+    if (desc->high && (dev->port->speedmask & USB_SPEED_MASK_HIGH)) {
+        dev->speed = USB_SPEED_HIGH;
+    } else if (desc->full && (dev->port->speedmask & USB_SPEED_MASK_FULL)) {
+        dev->speed = USB_SPEED_FULL;
+    } else {
+        fprintf(stderr, "usb: port/device speed mismatch for \"%s\"\n",
+                dev->info->product_desc);
+        return;
+    }
+    usb_desc_setdefaults(dev);
+}
+
 void usb_desc_set_string(USBDevice *dev, uint8_t index, const char *str)
 {
     USBDescString *s;
diff --git a/hw/usb-desc.h b/hw/usb-desc.h
index d441725..484c7c7 100644
--- a/hw/usb-desc.h
+++ b/hw/usb-desc.h
@@ -79,6 +79,7 @@ int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len);
 
 /* control message emulation helpers */
 void usb_desc_init(USBDevice *dev);
+void usb_desc_attach(USBDevice *dev);
 void usb_desc_set_string(USBDevice *dev, uint8_t index, const char *str);
 const char *usb_desc_get_string(USBDevice *dev, uint8_t index);
 int usb_desc_string(USBDevice *dev, int index, uint8_t *dest, size_t len);
commit b6f77fbe230ad3e9ec5c9115a1535137d5e5d04b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 3 17:59:36 2010 +0100

    usb: add attach callback
    
    Add handle_attach() callback to USBDeviceInfo which is called by the
    generic package handler when the device is attached to the usb bus
    (i.e. plugged into a port).
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index ba720b4..82a6217 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -194,6 +194,9 @@ int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
     switch(p->pid) {
     case USB_MSG_ATTACH:
         s->state = USB_STATE_ATTACHED;
+        if (s->info->handle_attach) {
+            s->info->handle_attach(s);
+        }
         return 0;
 
     case USB_MSG_DETACH:
@@ -204,7 +207,9 @@ int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
         s->remote_wakeup = 0;
         s->addr = 0;
         s->state = USB_STATE_DEFAULT;
-        s->info->handle_reset(s);
+        if (s->info->handle_reset) {
+            s->info->handle_reset(s);
+        }
         return 0;
     }
 
diff --git a/hw/usb.h b/hw/usb.h
index 407a114..892ff72 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -194,6 +194,11 @@ struct USBDeviceInfo {
     void (*handle_destroy)(USBDevice *dev);
 
     /*
+     * Attach the device
+     */
+    void (*handle_attach)(USBDevice *dev);
+
+    /*
      * Reset the device
      */
     void (*handle_reset)(USBDevice *dev);
commit 843d4e0c633824a11c4067d0e84bd683520b5d39
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 3 17:30:13 2010 +0100

    usb: add speed mask to ports
    
    Add a field to usb ports indicating the speed(s) they are
    able to handle.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 9dc8793..e94b88d 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -113,7 +113,7 @@ USBDevice *usb_create_simple(USBBus *bus, const char *name)
 }
 
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       USBDevice *pdev, USBPortOps *ops)
+                       USBDevice *pdev, USBPortOps *ops, int speedmask)
 {
     port->opaque = opaque;
     port->index = index;
@@ -121,6 +121,7 @@ void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
     port->opaque = opaque;
     port->index = index;
     port->ops = ops;
+    port->speedmask = speedmask;
     QTAILQ_INSERT_TAIL(&bus->free, port, next);
     bus->nfree++;
 }
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 8a80151..ba712d6 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -526,7 +526,8 @@ static int usb_hub_initfn(USBDevice *dev)
     for (i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
-                          &port->port, s, i, &s->dev, &usb_hub_port_ops);
+                          &port->port, s, i, &s->dev, &usb_hub_port_ops,
+                          USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
         port->wPortStatus = PORT_STAT_POWER;
         port->wPortChange = 0;
     }
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 233a265..87eb9ca 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -349,7 +349,8 @@ struct MUSBState {
     }
 
     usb_bus_new(&s->bus, NULL /* FIXME */);
-    usb_register_port(&s->bus, &s->port, s, 0, NULL, &musb_port_ops);
+    usb_register_port(&s->bus, &s->port, s, 0, NULL, &musb_port_ops,
+                      USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
 
     return s;
 }
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index c859540..0d42716 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1699,7 +1699,8 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
     usb_bus_new(&ohci->bus, dev);
     ohci->num_ports = num_ports;
     for (i = 0; i < num_ports; i++) {
-        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, &ohci_port_ops);
+        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, &ohci_port_ops,
+                          USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
     }
 
     ohci->async_td = 0;
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 2d2a9e7..253561f 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -1129,7 +1129,8 @@ static int usb_uhci_common_initfn(UHCIState *s)
 
     usb_bus_new(&s->bus, &s->dev.qdev);
     for(i = 0; i < NB_PORTS; i++) {
-        usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, &uhci_port_ops);
+        usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, &uhci_port_ops,
+                          USB_SPEED_MASK_LOW | USB_SPEED_MASK_FULL);
     }
     s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
     s->expire_time = qemu_get_clock(vm_clock) +
diff --git a/hw/usb.h b/hw/usb.h
index 250ec71..407a114 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -44,6 +44,12 @@
 #define USB_SPEED_LOW   0
 #define USB_SPEED_FULL  1
 #define USB_SPEED_HIGH  2
+#define USB_SPEED_SUPER 3
+
+#define USB_SPEED_MASK_LOW   (1 << USB_SPEED_LOW)
+#define USB_SPEED_MASK_FULL  (1 << USB_SPEED_FULL)
+#define USB_SPEED_MASK_HIGH  (1 << USB_SPEED_HIGH)
+#define USB_SPEED_MASK_SUPER (1 << USB_SPEED_SUPER)
 
 #define USB_STATE_NOTATTACHED 0
 #define USB_STATE_ATTACHED    1
@@ -226,6 +232,7 @@ typedef struct USBPortOps {
 /* USB port on which a device can be connected */
 struct USBPort {
     USBDevice *dev;
+    int speedmask;
     USBPortOps *ops;
     void *opaque;
     USBDevice *pdev;
@@ -339,7 +346,7 @@ USBDevice *usb_create(USBBus *bus, const char *name);
 USBDevice *usb_create_simple(USBBus *bus, const char *name);
 USBDevice *usbdevice_create(const char *cmdline);
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       USBDevice *pdev, USBPortOps *ops);
+                       USBDevice *pdev, USBPortOps *ops, int speedmask);
 void usb_unregister_port(USBBus *bus, USBPort *port);
 int usb_device_attach(USBDevice *dev);
 int usb_device_detach(USBDevice *dev);
commit 7b074a22dab4bdda9864b933f1bc811a3db42845
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Dec 14 16:46:40 2010 +0100

    usb: hid: change serial number to "42".
    
    It would be nice to have some way to signal our hid devices support
    remote wakeup.  There is a descriptor bit for that of course.  Problem
    with using is one is that older qemu versions used to set the bit even
    though they did *not* support remote wakeup.  Bummer.
    
    This patch changes the serial number of our hid devices from "1" to "42"
    to signal "it is safe to enable remote wakeup".  The serial number was
    choosen because it isn't used for anything and it is available in sysfs
    so it is easy to match it using udev rules like this:
    
    ACTION=="add", SUBSYSTEM=="usb", \
    	ATTR{product}=="QEMU USB Tablet", ATTR{serial}=="42", \
    	RUN+="usb_enable_autosuspend %p"
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 60fa57f..1fec163 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -90,7 +90,7 @@ static const USBDescStrings desc_strings = {
     [STR_PRODUCT_MOUSE]    = "QEMU USB Mouse",
     [STR_PRODUCT_TABLET]   = "QEMU USB Tablet",
     [STR_PRODUCT_KEYBOARD] = "QEMU USB Keyboard",
-    [STR_SERIALNUMBER]     = "1",
+    [STR_SERIALNUMBER]     = "42", /* == remote wakeup works */
     [STR_CONFIG_MOUSE]     = "HID Mouse",
     [STR_CONFIG_TABLET]    = "HID Tablet",
     [STR_CONFIG_KEYBOARD]  = "HID Keyboard",
commit ac57bbb614ace4f7b8b965562826a7f7fda00cdc
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 1 11:50:04 2010 +0100

    usb: hid: remote wakeup support.
    
    Add usb_wakeup() call to the hid driver so remote wakeup actually works.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 1c35960..60fa57f 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -429,6 +429,8 @@ static void usb_hid_changed(USBHIDState *hs)
 
     if (hs->datain)
         hs->datain(hs->datain_opaque);
+
+    usb_wakeup(&hs->dev);
 }
 
 static void usb_mouse_event(void *opaque,
commit 34239c7bc972735391ca84283f8c8ad908dc61ef
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 15 12:26:59 2010 +0100

    usb: hub: remote wakeup support.
    
    This patch makes the usb hub handle remote wakeup requests from devices
    properly by updating the port status register and forwarding the wakeup
    to the upstream port.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 8837bd9..8a80151 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -245,6 +245,17 @@ static void usb_hub_detach(USBPort *port1)
     }
 }
 
+static void usb_hub_wakeup(USBDevice *dev)
+{
+    USBHubState *s = dev->port->opaque;
+    USBHubPort *port = &s->ports[dev->port->index];
+
+    if (port->wPortStatus & PORT_STAT_SUSPEND) {
+        port->wPortChange |= PORT_STAT_C_SUSPEND;
+        usb_wakeup(&s->dev);
+    }
+}
+
 static void usb_hub_handle_reset(USBDevice *dev)
 {
     /* XXX: do it */
@@ -502,6 +513,7 @@ static void usb_hub_handle_destroy(USBDevice *dev)
 static USBPortOps usb_hub_port_ops = {
     .attach = usb_hub_attach,
     .detach = usb_hub_detach,
+    .wakeup = usb_hub_wakeup,
 };
 
 static int usb_hub_initfn(USBDevice *dev)
commit 9159f6798ebfe0cdcfd1d1fb91c2c08b6d95954a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 1 11:47:40 2010 +0100

    usb: uhci: remote wakeup support.
    
    Add support for remote wakeup to the UHCI adapter.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 5e2e34a..2d2a9e7 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -57,13 +57,18 @@
 #define TD_CTRL_NAK     (1 << 19)
 #define TD_CTRL_TIMEOUT (1 << 18)
 
+#define UHCI_PORT_SUSPEND (1 << 12)
 #define UHCI_PORT_RESET (1 << 9)
 #define UHCI_PORT_LSDA  (1 << 8)
+#define UHCI_PORT_RD    (1 << 6)
 #define UHCI_PORT_ENC   (1 << 3)
 #define UHCI_PORT_EN    (1 << 2)
 #define UHCI_PORT_CSC   (1 << 1)
 #define UHCI_PORT_CCS   (1 << 0)
 
+#define UHCI_PORT_READ_ONLY    (0x1bb)
+#define UHCI_PORT_WRITE_CLEAR  (UHCI_PORT_CSC | UHCI_PORT_ENC)
+
 #define FRAME_TIMER_FREQ 1000
 
 #define FRAME_MAX_LOOPS  100
@@ -497,9 +502,10 @@ static void uhci_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
                     usb_send_msg(dev, USB_MSG_RESET);
                 }
             }
-            port->ctrl = (port->ctrl & 0x01fb) | (val & ~0x01fb);
+            port->ctrl &= UHCI_PORT_READ_ONLY;
+            port->ctrl |= (val & ~UHCI_PORT_READ_ONLY);
             /* some bits are reset when a '1' is written to them */
-            port->ctrl &= ~(val & 0x000a);
+            port->ctrl &= ~(val & UHCI_PORT_WRITE_CLEAR);
         }
         break;
     }
@@ -629,6 +635,18 @@ static void uhci_detach(USBPort *port1)
     uhci_resume(s);
 }
 
+static void uhci_wakeup(USBDevice *dev)
+{
+    USBBus *bus = usb_bus_from_device(dev);
+    UHCIState *s = container_of(bus, UHCIState, bus);
+    UHCIPort *port = s->ports + dev->port->index;
+
+    if (port->ctrl & UHCI_PORT_SUSPEND && !(port->ctrl & UHCI_PORT_RD)) {
+        port->ctrl |= UHCI_PORT_RD;
+        uhci_resume(s);
+    }
+}
+
 static int uhci_broadcast_packet(UHCIState *s, USBPacket *p)
 {
     int i, ret;
@@ -1094,6 +1112,7 @@ static void uhci_map(PCIDevice *pci_dev, int region_num,
 static USBPortOps uhci_port_ops = {
     .attach = uhci_attach,
     .detach = uhci_detach,
+    .wakeup = uhci_wakeup,
 };
 
 static int usb_uhci_common_initfn(UHCIState *s)
commit 01eacab6e95267fd894d0c1013aa5bf55c320dc8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 1 11:32:45 2010 +0100

    usb: add usb_wakeup() + wakeup callback to port ops
    
    Add wakeup callback to port ops for remote wakeup handling.
    Also add a usb_wakeup() function for devices which want
    trigger a remote wakeup.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index 2eda86a..ba720b4 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -49,6 +49,13 @@ void usb_attach(USBPort *port, USBDevice *dev)
     }
 }
 
+void usb_wakeup(USBDevice *dev)
+{
+    if (dev->remote_wakeup && dev->port && dev->port->ops->wakeup) {
+        dev->port->ops->wakeup(dev);
+    }
+}
+
 /**********************/
 
 /* generic USB device helpers (you are not forced to use them when
diff --git a/hw/usb.h b/hw/usb.h
index 3744d19..250ec71 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -220,6 +220,7 @@ struct USBDeviceInfo {
 typedef struct USBPortOps {
     void (*attach)(USBPort *port);
     void (*detach)(USBPort *port);
+    void (*wakeup)(USBDevice *dev);
 } USBPortOps;
 
 /* USB port on which a device can be connected */
@@ -275,6 +276,7 @@ static inline void usb_cancel_packet(USBPacket * p)
 }
 
 void usb_attach(USBPort *port, USBDevice *dev);
+void usb_wakeup(USBDevice *dev);
 int usb_generic_handle_packet(USBDevice *s, USBPacket *p);
 int set_usb_string(uint8_t *buf, const char *str);
 void usb_send_msg(USBDevice *dev, int msg);
commit 618c169b577db64ac6589ad48825d2e11760d1a6
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 1 11:27:05 2010 +0100

    usb: rework attach/detach workflow
    
    Add separate detach callback to USBPortOps, split
    uhci/ohci/musb/usbhub attach functions into two.
    
    Move common code to the usb_attach() function, only
    the hardware-specific bits remain in the attach/detach
    callbacks.
    
    Keep track of the port it is attached to for each usb device.
    
    [ v3: fix tyops in usb-musb.c ]
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index b3d7298..8837bd9 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -218,37 +218,30 @@ static const uint8_t qemu_hub_hub_descriptor[] =
         /* DeviceRemovable and PortPwrCtrlMask patched in later */
 };
 
-static void usb_hub_attach(USBPort *port1, USBDevice *dev)
+static void usb_hub_attach(USBPort *port1)
 {
     USBHubState *s = port1->opaque;
     USBHubPort *port = &s->ports[port1->index];
 
-    if (dev) {
-        if (port->port.dev)
-            usb_attach(port1, NULL);
-
-        port->wPortStatus |= PORT_STAT_CONNECTION;
-        port->wPortChange |= PORT_STAT_C_CONNECTION;
-        if (dev->speed == USB_SPEED_LOW)
-            port->wPortStatus |= PORT_STAT_LOW_SPEED;
-        else
-            port->wPortStatus &= ~PORT_STAT_LOW_SPEED;
-        port->port.dev = dev;
-        /* send the attach message */
-        usb_send_msg(dev, USB_MSG_ATTACH);
+    port->wPortStatus |= PORT_STAT_CONNECTION;
+    port->wPortChange |= PORT_STAT_C_CONNECTION;
+    if (port->port.dev->speed == USB_SPEED_LOW) {
+        port->wPortStatus |= PORT_STAT_LOW_SPEED;
     } else {
-        dev = port->port.dev;
-        if (dev) {
-            port->wPortStatus &= ~PORT_STAT_CONNECTION;
-            port->wPortChange |= PORT_STAT_C_CONNECTION;
-            if (port->wPortStatus & PORT_STAT_ENABLE) {
-                port->wPortStatus &= ~PORT_STAT_ENABLE;
-                port->wPortChange |= PORT_STAT_C_ENABLE;
-            }
-            /* send the detach message */
-            usb_send_msg(dev, USB_MSG_DETACH);
-            port->port.dev = NULL;
-        }
+        port->wPortStatus &= ~PORT_STAT_LOW_SPEED;
+    }
+}
+
+static void usb_hub_detach(USBPort *port1)
+{
+    USBHubState *s = port1->opaque;
+    USBHubPort *port = &s->ports[port1->index];
+
+    port->wPortStatus &= ~PORT_STAT_CONNECTION;
+    port->wPortChange |= PORT_STAT_C_CONNECTION;
+    if (port->wPortStatus & PORT_STAT_ENABLE) {
+        port->wPortStatus &= ~PORT_STAT_ENABLE;
+        port->wPortChange |= PORT_STAT_C_ENABLE;
     }
 }
 
@@ -508,6 +501,7 @@ static void usb_hub_handle_destroy(USBDevice *dev)
 
 static USBPortOps usb_hub_port_ops = {
     .attach = usb_hub_attach,
+    .detach = usb_hub_detach,
 };
 
 static int usb_hub_initfn(USBDevice *dev)
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 592d3e6..233a265 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -259,10 +259,12 @@
 #endif
 
 
-static void musb_attach(USBPort *port, USBDevice *dev);
+static void musb_attach(USBPort *port);
+static void musb_detach(USBPort *port);
 
 static USBPortOps musb_port_ops = {
     .attach = musb_attach,
+    .detach = musb_detach,
 };
 
 typedef struct {
@@ -464,34 +466,20 @@ static void musb_session_update(MUSBState *s, int prev_dev, int prev_sess)
 }
 
 /* Attach or detach a device on our only port.  */
-static void musb_attach(USBPort *port, USBDevice *dev)
+static void musb_attach(USBPort *port)
 {
     MUSBState *s = (MUSBState *) port->opaque;
-    USBDevice *curr;
 
-    port = &s->port;
-    curr = port->dev;
-
-    if (dev) {
-        if (curr) {
-            usb_attach(port, NULL);
-            /* TODO: signal some interrupts */
-        }
-
-        musb_intr_set(s, musb_irq_vbus_request, 1);
-
-        /* Send the attach message to device */
-        usb_send_msg(dev, USB_MSG_ATTACH);
-    } else if (curr) {
-        /* Send the detach message */
-        usb_send_msg(curr, USB_MSG_DETACH);
-
-        musb_intr_set(s, musb_irq_disconnect, 1);
-    }
+    musb_intr_set(s, musb_irq_vbus_request, 1);
+    musb_session_update(s, 0, s->session);
+}
 
-    port->dev = dev;
+static void musb_detach(USBPort *port)
+{
+    MUSBState *s = (MUSBState *) port->opaque;
 
-    musb_session_update(s, !!curr, s->session);
+    musb_intr_set(s, musb_irq_disconnect, 1);
+    musb_session_update(s, 1, s->session);
 }
 
 static inline void musb_cb_tick0(void *opaque)
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 7b13bdd..c859540 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -322,52 +322,46 @@ static inline void ohci_set_interrupt(OHCIState *ohci, uint32_t intr)
 }
 
 /* Attach or detach a device on a root hub port.  */
-static void ohci_attach(USBPort *port1, USBDevice *dev)
+static void ohci_attach(USBPort *port1)
 {
     OHCIState *s = port1->opaque;
     OHCIPort *port = &s->rhport[port1->index];
-    uint32_t old_state = port->ctrl;
 
-    if (dev) {
-        if (port->port.dev) {
-            usb_attach(port1, NULL);
-        }
-        /* set connect status */
-        port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
-
-        /* update speed */
-        if (dev->speed == USB_SPEED_LOW)
-            port->ctrl |= OHCI_PORT_LSDA;
-        else
-            port->ctrl &= ~OHCI_PORT_LSDA;
-        port->port.dev = dev;
-
-        /* notify of remote-wakeup */
-        if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND)
-            ohci_set_interrupt(s, OHCI_INTR_RD);
-
-        /* send the attach message */
-        usb_send_msg(dev, USB_MSG_ATTACH);
-        DPRINTF("usb-ohci: Attached port %d\n", port1->index);
+    /* set connect status */
+    port->ctrl |= OHCI_PORT_CCS | OHCI_PORT_CSC;
+
+    /* update speed */
+    if (port->port.dev->speed == USB_SPEED_LOW) {
+        port->ctrl |= OHCI_PORT_LSDA;
     } else {
-        /* set connect status */
-        if (port->ctrl & OHCI_PORT_CCS) {
-            port->ctrl &= ~OHCI_PORT_CCS;
-            port->ctrl |= OHCI_PORT_CSC;
-        }
-        /* disable port */
-        if (port->ctrl & OHCI_PORT_PES) {
-            port->ctrl &= ~OHCI_PORT_PES;
-            port->ctrl |= OHCI_PORT_PESC;
-        }
-        dev = port->port.dev;
-        if (dev) {
-            /* send the detach message */
-            usb_send_msg(dev, USB_MSG_DETACH);
-        }
-        port->port.dev = NULL;
-        DPRINTF("usb-ohci: Detached port %d\n", port1->index);
+        port->ctrl &= ~OHCI_PORT_LSDA;
+    }
+
+    /* notify of remote-wakeup */
+    if ((s->ctl & OHCI_CTL_HCFS) == OHCI_USB_SUSPEND) {
+        ohci_set_interrupt(s, OHCI_INTR_RD);
+    }
+
+    DPRINTF("usb-ohci: Attached port %d\n", port1->index);
+}
+
+static void ohci_detach(USBPort *port1)
+{
+    OHCIState *s = port1->opaque;
+    OHCIPort *port = &s->rhport[port1->index];
+    uint32_t old_state = port->ctrl;
+
+    /* set connect status */
+    if (port->ctrl & OHCI_PORT_CCS) {
+        port->ctrl &= ~OHCI_PORT_CCS;
+        port->ctrl |= OHCI_PORT_CSC;
+    }
+    /* disable port */
+    if (port->ctrl & OHCI_PORT_PES) {
+        port->ctrl &= ~OHCI_PORT_PES;
+        port->ctrl |= OHCI_PORT_PESC;
     }
+    DPRINTF("usb-ohci: Detached port %d\n", port1->index);
 
     if (old_state != port->ctrl)
         ohci_set_interrupt(s, OHCI_INTR_RHSC);
@@ -413,8 +407,9 @@ static void ohci_reset(void *opaque)
       {
         port = &ohci->rhport[i];
         port->ctrl = 0;
-        if (port->port.dev)
-            ohci_attach(&port->port, port->port.dev);
+        if (port->port.dev) {
+            usb_attach(&port->port, port->port.dev);
+        }
       }
     if (ohci->async_td) {
         usb_cancel_packet(&ohci->usb_packet);
@@ -1671,6 +1666,7 @@ static CPUWriteMemoryFunc * const ohci_writefn[3]={
 
 static USBPortOps ohci_port_ops = {
     .attach = ohci_attach,
+    .detach = ohci_detach,
 };
 
 static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 0f9ef1e..5e2e34a 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -307,8 +307,6 @@ static UHCIAsync *uhci_async_find_td(UHCIState *s, uint32_t addr, uint32_t token
     return match;
 }
 
-static void uhci_attach(USBPort *port1, USBDevice *dev);
-
 static void uhci_update_irq(UHCIState *s)
 {
     int level;
@@ -348,8 +346,9 @@ static void uhci_reset(void *opaque)
     for(i = 0; i < NB_PORTS; i++) {
         port = &s->ports[i];
         port->ctrl = 0x0080;
-        if (port->port.dev)
-            uhci_attach(&port->port, port->port.dev);
+        if (port->port.dev) {
+            usb_attach(&port->port, port->port.dev);
+        }
     }
 
     uhci_async_cancel_all(s);
@@ -593,50 +592,41 @@ static void uhci_resume (void *opaque)
     }
 }
 
-static void uhci_attach(USBPort *port1, USBDevice *dev)
+static void uhci_attach(USBPort *port1)
 {
     UHCIState *s = port1->opaque;
     UHCIPort *port = &s->ports[port1->index];
 
-    if (dev) {
-        if (port->port.dev) {
-            usb_attach(port1, NULL);
-        }
-        /* set connect status */
-        port->ctrl |= UHCI_PORT_CCS | UHCI_PORT_CSC;
+    /* set connect status */
+    port->ctrl |= UHCI_PORT_CCS | UHCI_PORT_CSC;
 
-        /* update speed */
-        if (dev->speed == USB_SPEED_LOW)
-            port->ctrl |= UHCI_PORT_LSDA;
-        else
-            port->ctrl &= ~UHCI_PORT_LSDA;
-
-        uhci_resume(s);
-
-        port->port.dev = dev;
-        /* send the attach message */
-        usb_send_msg(dev, USB_MSG_ATTACH);
+    /* update speed */
+    if (port->port.dev->speed == USB_SPEED_LOW) {
+        port->ctrl |= UHCI_PORT_LSDA;
     } else {
-        /* set connect status */
-        if (port->ctrl & UHCI_PORT_CCS) {
-            port->ctrl &= ~UHCI_PORT_CCS;
-            port->ctrl |= UHCI_PORT_CSC;
-        }
-        /* disable port */
-        if (port->ctrl & UHCI_PORT_EN) {
-            port->ctrl &= ~UHCI_PORT_EN;
-            port->ctrl |= UHCI_PORT_ENC;
-        }
+        port->ctrl &= ~UHCI_PORT_LSDA;
+    }
 
-        uhci_resume(s);
+    uhci_resume(s);
+}
 
-        dev = port->port.dev;
-        if (dev) {
-            /* send the detach message */
-            usb_send_msg(dev, USB_MSG_DETACH);
-        }
-        port->port.dev = NULL;
+static void uhci_detach(USBPort *port1)
+{
+    UHCIState *s = port1->opaque;
+    UHCIPort *port = &s->ports[port1->index];
+
+    /* set connect status */
+    if (port->ctrl & UHCI_PORT_CCS) {
+        port->ctrl &= ~UHCI_PORT_CCS;
+        port->ctrl |= UHCI_PORT_CSC;
     }
+    /* disable port */
+    if (port->ctrl & UHCI_PORT_EN) {
+        port->ctrl &= ~UHCI_PORT_EN;
+        port->ctrl |= UHCI_PORT_ENC;
+    }
+
+    uhci_resume(s);
 }
 
 static int uhci_broadcast_packet(UHCIState *s, USBPacket *p)
@@ -1103,6 +1093,7 @@ static void uhci_map(PCIDevice *pci_dev, int region_num,
 
 static USBPortOps uhci_port_ops = {
     .attach = uhci_attach,
+    .detach = uhci_detach,
 };
 
 static int usb_uhci_common_initfn(UHCIState *s)
diff --git a/hw/usb.c b/hw/usb.c
index 39d29f3..2eda86a 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -28,7 +28,25 @@
 
 void usb_attach(USBPort *port, USBDevice *dev)
 {
-    port->ops->attach(port, dev);
+    if (dev != NULL) {
+        /* attach */
+        if (port->dev) {
+            usb_attach(port, NULL);
+        }
+        dev->port = port;
+        port->dev = dev;
+        port->ops->attach(port);
+        usb_send_msg(dev, USB_MSG_ATTACH);
+    } else {
+        /* detach */
+        dev = port->dev;
+        port->ops->detach(port);
+        if (dev) {
+            usb_send_msg(dev, USB_MSG_DETACH);
+            dev->port = NULL;
+            port->dev = NULL;
+        }
+    }
 }
 
 /**********************/
diff --git a/hw/usb.h b/hw/usb.h
index 218788f..3744d19 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -147,6 +147,7 @@ struct USBDescString {
 struct USBDevice {
     DeviceState qdev;
     USBDeviceInfo *info;
+    USBPort *port;
     void *opaque;
 
     int speed;
@@ -217,7 +218,8 @@ struct USBDeviceInfo {
 };
 
 typedef struct USBPortOps {
-    void (*attach)(USBPort *port, USBDevice *dev);
+    void (*attach)(USBPort *port);
+    void (*detach)(USBPort *port);
 } USBPortOps;
 
 /* USB port on which a device can be connected */
commit 0d86d2bebb625a222f70b76972139f6a272e3e0b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Dec 1 11:08:44 2010 +0100

    usb: create USBPortOps, move attach there.
    
    Create USBPortOps struct, move the attach function to that struct.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index af537c2..9dc8793 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -113,12 +113,14 @@ USBDevice *usb_create_simple(USBBus *bus, const char *name)
 }
 
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       USBDevice *pdev, usb_attachfn attach)
+                       USBDevice *pdev, USBPortOps *ops)
 {
     port->opaque = opaque;
     port->index = index;
-    port->attach = attach;
     port->pdev = pdev;
+    port->opaque = opaque;
+    port->index = index;
+    port->ops = ops;
     QTAILQ_INSERT_TAIL(&bus->free, port, next);
     bus->nfree++;
 }
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 3c7c3ee..b3d7298 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -506,6 +506,10 @@ static void usb_hub_handle_destroy(USBDevice *dev)
     }
 }
 
+static USBPortOps usb_hub_port_ops = {
+    .attach = usb_hub_attach,
+};
+
 static int usb_hub_initfn(USBDevice *dev)
 {
     USBHubState *s = DO_UPCAST(USBHubState, dev, dev);
@@ -516,7 +520,7 @@ static int usb_hub_initfn(USBDevice *dev)
     for (i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
-                          &port->port, s, i, &s->dev, usb_hub_attach);
+                          &port->port, s, i, &s->dev, &usb_hub_port_ops);
         port->wPortStatus = PORT_STAT_POWER;
         port->wPortChange = 0;
     }
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 9efe7a6..592d3e6 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -261,6 +261,10 @@
 
 static void musb_attach(USBPort *port, USBDevice *dev);
 
+static USBPortOps musb_port_ops = {
+    .attach = musb_attach,
+};
+
 typedef struct {
     uint16_t faddr[2];
     uint8_t haddr[2];
@@ -343,7 +347,7 @@ struct MUSBState {
     }
 
     usb_bus_new(&s->bus, NULL /* FIXME */);
-    usb_register_port(&s->bus, &s->port, s, 0, NULL, musb_attach);
+    usb_register_port(&s->bus, &s->port, s, 0, NULL, &musb_port_ops);
 
     return s;
 }
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 240e840..7b13bdd 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1669,6 +1669,10 @@ static CPUWriteMemoryFunc * const ohci_writefn[3]={
     ohci_mem_write
 };
 
+static USBPortOps ohci_port_ops = {
+    .attach = ohci_attach,
+};
+
 static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
                           int num_ports, uint32_t localmem_base)
 {
@@ -1699,7 +1703,7 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
     usb_bus_new(&ohci->bus, dev);
     ohci->num_ports = num_ports;
     for (i = 0; i < num_ports; i++) {
-        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, ohci_attach);
+        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, &ohci_port_ops);
     }
 
     ohci->async_td = 0;
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index b9b822f..0f9ef1e 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -1101,6 +1101,10 @@ static void uhci_map(PCIDevice *pci_dev, int region_num,
     register_ioport_read(addr, 32, 1, uhci_ioport_readb, s);
 }
 
+static USBPortOps uhci_port_ops = {
+    .attach = uhci_attach,
+};
+
 static int usb_uhci_common_initfn(UHCIState *s)
 {
     uint8_t *pci_conf = s->dev.config;
@@ -1115,7 +1119,7 @@ static int usb_uhci_common_initfn(UHCIState *s)
 
     usb_bus_new(&s->bus, &s->dev.qdev);
     for(i = 0; i < NB_PORTS; i++) {
-        usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, uhci_attach);
+        usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, &uhci_port_ops);
     }
     s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
     s->expire_time = qemu_get_clock(vm_clock) +
diff --git a/hw/usb.c b/hw/usb.c
index a326bcf..39d29f3 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -28,7 +28,7 @@
 
 void usb_attach(USBPort *port, USBDevice *dev)
 {
-    port->attach(port, dev);
+    port->ops->attach(port, dev);
 }
 
 /**********************/
diff --git a/hw/usb.h b/hw/usb.h
index 966d47e..218788f 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -216,12 +216,14 @@ struct USBDeviceInfo {
     USBDevice *(*usbdevice_init)(const char *params);
 };
 
-typedef void (*usb_attachfn)(USBPort *port, USBDevice *dev);
+typedef struct USBPortOps {
+    void (*attach)(USBPort *port, USBDevice *dev);
+} USBPortOps;
 
 /* USB port on which a device can be connected */
 struct USBPort {
     USBDevice *dev;
-    usb_attachfn attach;
+    USBPortOps *ops;
     void *opaque;
     USBDevice *pdev;
     int index; /* internal port index, may be used with the opaque */
@@ -333,7 +335,7 @@ USBDevice *usb_create(USBBus *bus, const char *name);
 USBDevice *usb_create_simple(USBBus *bus, const char *name);
 USBDevice *usbdevice_create(const char *cmdline);
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       USBDevice *pdev, usb_attachfn attach);
+                       USBDevice *pdev, USBPortOps *ops);
 void usb_unregister_port(USBBus *bus, USBPort *port);
 int usb_device_attach(USBDevice *dev);
 int usb_device_detach(USBDevice *dev);
commit b36e391441906c36ed0856b69de84001860402bf
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Jan 11 14:10:15 2011 +0200

    ioeventfd: error handling cleanup
    
    - Don't return status from start/stop functions where it's ignored
    - report errors to make debugging easier
    - assert on unexpected failures
    - don't disable notifiers on error so that we'll
      retry when guest driver restarts
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 70c40ee..d07ff97 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -195,12 +195,16 @@ static int virtio_pci_set_host_notifier_internal(VirtIOPCIProxy *proxy,
     if (assign) {
         r = event_notifier_init(notifier, 1);
         if (r < 0) {
+            error_report("%s: unable to init event notifier: %d",
+                         __func__, r);
             return r;
         }
         r = kvm_set_ioeventfd_pio_word(event_notifier_get_fd(notifier),
                                        proxy->addr + VIRTIO_PCI_QUEUE_NOTIFY,
                                        n, assign);
         if (r < 0) {
+            error_report("%s: unable to map ioeventfd: %d",
+                         __func__, r);
             event_notifier_cleanup(notifier);
         }
     } else {
@@ -208,6 +212,8 @@ static int virtio_pci_set_host_notifier_internal(VirtIOPCIProxy *proxy,
                                        proxy->addr + VIRTIO_PCI_QUEUE_NOTIFY,
                                        n, assign);
         if (r < 0) {
+            error_report("%s: unable to unmap ioeventfd: %d",
+                         __func__, r);
             return r;
         }
 
@@ -246,14 +252,14 @@ static void virtio_pci_set_host_notifier_fd_handler(VirtIOPCIProxy *proxy,
     }
 }
 
-static int virtio_pci_start_ioeventfd(VirtIOPCIProxy *proxy)
+static void virtio_pci_start_ioeventfd(VirtIOPCIProxy *proxy)
 {
     int n, r;
 
     if (!(proxy->flags & VIRTIO_PCI_FLAG_USE_IOEVENTFD) ||
         proxy->ioeventfd_disabled ||
         proxy->ioeventfd_started) {
-        return 0;
+        return;
     }
 
     for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
@@ -269,7 +275,7 @@ static int virtio_pci_start_ioeventfd(VirtIOPCIProxy *proxy)
         virtio_pci_set_host_notifier_fd_handler(proxy, n, true);
     }
     proxy->ioeventfd_started = true;
-    return 0;
+    return;
 
 assign_error:
     while (--n >= 0) {
@@ -278,19 +284,20 @@ assign_error:
         }
 
         virtio_pci_set_host_notifier_fd_handler(proxy, n, false);
-        virtio_pci_set_host_notifier_internal(proxy, n, false);
+        r = virtio_pci_set_host_notifier_internal(proxy, n, false);
+        assert(r >= 0);
     }
     proxy->ioeventfd_started = false;
-    proxy->ioeventfd_disabled = true;
-    return r;
+    error_report("%s: failed. Fallback to a userspace (slower).", __func__);
 }
 
-static int virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy)
+static void virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy)
 {
+    int r;
     int n;
 
     if (!proxy->ioeventfd_started) {
-        return 0;
+        return;
     }
 
     for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
@@ -299,10 +306,10 @@ static int virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy)
         }
 
         virtio_pci_set_host_notifier_fd_handler(proxy, n, false);
-        virtio_pci_set_host_notifier_internal(proxy, n, false);
+        r = virtio_pci_set_host_notifier_internal(proxy, n, false);
+        assert(r >= 0);
     }
     proxy->ioeventfd_started = false;
-    return 0;
 }
 
 static void virtio_pci_reset(DeviceState *d)
@@ -706,7 +713,6 @@ static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
     proxy->host_features |= 0x1 << VIRTIO_F_NOTIFY_ON_EMPTY;
     proxy->host_features |= 0x1 << VIRTIO_F_BAD_FEATURE;
     proxy->host_features = vdev->get_features(vdev, proxy->host_features);
-
 }
 
 static int virtio_blk_init_pci(PCIDevice *pci_dev)
commit ed5a83ddd8c1d8ec7b1015315530cf29949e7c48
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 30 17:35:34 2010 +0100

    usb: move remote wakeup handling to common code
    
    This patch moves setting and clearing the remote_wakeup feature
    bit (via USB_REQ_{SET,CLEAR}_FEATURE) to common code.  Also
    USB_REQ_GET_STATUS handling is moved to common code.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index 36c90a3..22e6845 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -396,33 +396,18 @@ static int usb_bt_handle_control(USBDevice *dev, int request, int value,
 
     ret = 0;
     switch (request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
     case InterfaceRequest | USB_REQ_GET_STATUS:
     case EndpointRequest | USB_REQ_GET_STATUS:
-        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
-            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
+        data[0] = 0x00;
         data[1] = 0x00;
         ret = 2;
         break;
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
     case InterfaceOutRequest | USB_REQ_CLEAR_FEATURE:
     case EndpointOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
+        goto fail;
     case InterfaceOutRequest | USB_REQ_SET_FEATURE:
     case EndpointOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
+        goto fail;
         break;
     case InterfaceRequest | USB_REQ_GET_INTERFACE:
         if (value != 0 || (index & ~1) || length != 1)
diff --git a/hw/usb-desc.c b/hw/usb-desc.c
index 14c9e11..56ef734 100644
--- a/hw/usb-desc.c
+++ b/hw/usb-desc.c
@@ -299,6 +299,32 @@ int usb_desc_handle_control(USBDevice *dev, int request, int value,
         }
         trace_usb_set_config(dev->addr, value, ret);
         break;
+
+    case DeviceRequest | USB_REQ_GET_STATUS:
+        data[0] = 0;
+        if (dev->config->bmAttributes & 0x40) {
+            data[0] |= 1 << USB_DEVICE_SELF_POWERED;
+        }
+        if (dev->remote_wakeup) {
+            data[0] |= 1 << USB_DEVICE_REMOTE_WAKEUP;
+        }
+        data[1] = 0x00;
+        ret = 2;
+        break;
+    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
+        if (value == USB_DEVICE_REMOTE_WAKEUP) {
+            dev->remote_wakeup = 0;
+            ret = 0;
+        }
+        trace_usb_clear_device_feature(dev->addr, value, ret);
+        break;
+    case DeviceOutRequest | USB_REQ_SET_FEATURE:
+        if (value == USB_DEVICE_REMOTE_WAKEUP) {
+            dev->remote_wakeup = 1;
+            ret = 0;
+        }
+        trace_usb_set_device_feature(dev->addr, value, ret);
+        break;
     }
     return ret;
 }
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 21c0c72..1c35960 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -673,28 +673,6 @@ static int usb_hid_handle_control(USBDevice *dev, int request, int value,
 
     ret = 0;
     switch(request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
-        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
-            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
-        data[1] = 0x00;
-        ret = 2;
-        break;
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index fc0b94b..3c7c3ee 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -269,34 +269,12 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
     }
 
     switch(request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
-        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
-            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
-        data[1] = 0x00;
-        ret = 2;
-        break;
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
     case EndpointOutRequest | USB_REQ_CLEAR_FEATURE:
         if (value == 0 && index != 0x81) { /* clear ep halt */
             goto fail;
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 56c6f3d..74e657e 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -239,28 +239,6 @@ static int usb_msd_handle_control(USBDevice *dev, int request, int value,
 
     ret = 0;
     switch (request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
-        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
-            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
-        data[1] = 0x00;
-        ret = 2;
-        break;
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -285,7 +263,6 @@ static int usb_msd_handle_control(USBDevice *dev, int request, int value,
         ret = 1;
         break;
     default:
-    fail:
         ret = USB_RET_STALL;
         break;
     }
diff --git a/hw/usb-net.c b/hw/usb-net.c
index f123045..bf51bb3 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1055,31 +1055,6 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
 
     ret = 0;
     switch(request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
-        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
-                (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
-        data[1] = 0x00;
-        ret = 2;
-        break;
-
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-
     case ClassInterfaceOutRequest | USB_CDC_SEND_ENCAPSULATED_COMMAND:
         if (!is_rndis(s) || value || index != 0) {
             goto fail;
diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index 2bdb10b..6763d52 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -232,28 +232,6 @@ static int usb_serial_handle_control(USBDevice *dev, int request, int value,
 
     ret = 0;
     switch (request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
-        data[0] = (0 << USB_DEVICE_SELF_POWERED) |
-            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
-        data[1] = 0x00;
-        ret = 2;
-        break;
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index 3a98e80..16be7a2 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -262,28 +262,6 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
 
     ret = 0;
     switch (request) {
-    case DeviceRequest | USB_REQ_GET_STATUS:
-        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
-            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
-        data[1] = 0x00;
-        ret = 2;
-        break;
-    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 0;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_FEATURE:
-        if (value == USB_DEVICE_REMOTE_WAKEUP) {
-            dev->remote_wakeup = 1;
-        } else {
-            goto fail;
-        }
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -320,7 +298,6 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
         ret = 0;
         break;
     default:
-    fail:
         ret = USB_RET_STALL;
         break;
     }
diff --git a/trace-events b/trace-events
index 9ef8474..45e7582 100644
--- a/trace-events
+++ b/trace-events
@@ -196,6 +196,8 @@ disable usb_desc_config(int addr, int index, int len, int ret) "dev %d query con
 disable usb_desc_string(int addr, int index, int len, int ret) "dev %d query string %d, len %d, ret %d"
 disable usb_set_addr(int addr) "dev %d"
 disable usb_set_config(int addr, int config, int ret) "dev %d, config %d, ret %d"
+disable usb_clear_device_feature(int addr, int feature, int ret) "dev %d, feature %d, ret %d"
+disable usb_set_device_feature(int addr, int feature, int ret) "dev %d, feature %d, ret %d"
 
 # vl.c
 disable vm_state_notify(int running, int reason) "running %d reason %d"
commit a980a065fb5e86d6dec337e6cb6ff432f1a143c9
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 26 20:20:41 2010 +0100

    usb: move USB_REQ_{GET,SET}_CONFIGURATION handling to common code
    
    This patch adds fields to the USBDevice struct for the current
    speed (hard-wired to full speed for now) and current device
    configuration.  Also a init function is added which inializes
    these fields.  This allows USB_REQ_{GET,SET}_CONFIGURATION
    handling to be moved to common code.
    
    For most drivers the conversion is trivial ad they support a single
    configuration only anyway.  One exception is bluetooth where some
    device-specific setup code runs after get/set configuration.  The
    other is usb-net which actually has two configurations so the
    the code to check for the active configuration has been adapted.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index c0bfc35..36c90a3 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -380,6 +380,17 @@ static int usb_bt_handle_control(USBDevice *dev, int request, int value,
 
     ret = usb_desc_handle_control(dev, request, value, index, length, data);
     if (ret >= 0) {
+        switch (request) {
+        case DeviceRequest | USB_REQ_GET_CONFIGURATION:
+            s->config = 0;
+            break;
+        case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
+            s->config = 1;
+            usb_bt_fifo_reset(&s->evt);
+            usb_bt_fifo_reset(&s->acl);
+            usb_bt_fifo_reset(&s->sco);
+            break;
+        }
         return ret;
     }
 
@@ -413,23 +424,6 @@ static int usb_bt_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = 1;
-        ret = 1;
-        s->config = 0;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        ret = 0;
-        if (value != 1 && value != 0) {
-            printf("%s: Wrong SET_CONFIGURATION request (%i)\n",
-                            __FUNCTION__, value);
-            goto fail;
-        }
-        s->config = 1;
-        usb_bt_fifo_reset(&s->evt);
-        usb_bt_fifo_reset(&s->acl);
-        usb_bt_fifo_reset(&s->sco);
-        break;
     case InterfaceRequest | USB_REQ_GET_INTERFACE:
         if (value != 0 || (index & ~1) || length != 1)
             goto fail;
@@ -544,8 +538,7 @@ static void usb_bt_handle_destroy(USBDevice *dev)
 
 static int usb_bt_initfn(USBDevice *dev)
 {
-    struct USBBtState *s = DO_UPCAST(struct USBBtState, dev, dev);
-    s->dev.speed = USB_SPEED_HIGH;
+    usb_desc_init(dev);
     return 0;
 }
 
diff --git a/hw/usb-desc.c b/hw/usb-desc.c
index 3e87f46..14c9e11 100644
--- a/hw/usb-desc.c
+++ b/hw/usb-desc.c
@@ -153,6 +153,16 @@ int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len)
 
 /* ------------------------------------------------------------------ */
 
+void usb_desc_init(USBDevice *dev)
+{
+    const USBDesc *desc = dev->info->usb_desc;
+
+    assert(desc != NULL);
+    dev->speed  = USB_SPEED_FULL;
+    dev->device = desc->full;
+    dev->config = dev->device->confs;
+}
+
 void usb_desc_set_string(USBDevice *dev, uint8_t index, const char *str)
 {
     USBDescString *s;
@@ -230,12 +240,12 @@ int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len
 
     switch(type) {
     case USB_DT_DEVICE:
-        ret = usb_desc_device(&desc->id, desc->full, buf, sizeof(buf));
+        ret = usb_desc_device(&desc->id, dev->device, buf, sizeof(buf));
         trace_usb_desc_device(dev->addr, len, ret);
         break;
     case USB_DT_CONFIG:
-        if (index < desc->full->bNumConfigurations) {
-            ret = usb_desc_config(desc->full->confs + index, buf, sizeof(buf));
+        if (index < dev->device->bNumConfigurations) {
+            ret = usb_desc_config(dev->device->confs + index, buf, sizeof(buf));
         }
         trace_usb_desc_config(dev->addr, index, len, ret);
         break;
@@ -262,7 +272,7 @@ int usb_desc_handle_control(USBDevice *dev, int request, int value,
                             int index, int length, uint8_t *data)
 {
     const USBDesc *desc = dev->info->usb_desc;
-    int ret = -1;
+    int i, ret = -1;
 
     assert(desc != NULL);
     switch(request) {
@@ -275,6 +285,20 @@ int usb_desc_handle_control(USBDevice *dev, int request, int value,
     case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
         ret = usb_desc_get_descriptor(dev, value, data, length);
         break;
+
+    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
+        data[0] = dev->config->bConfigurationValue;
+        ret = 1;
+        break;
+    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
+        for (i = 0; i < dev->device->bNumConfigurations; i++) {
+            if (dev->device->confs[i].bConfigurationValue == value) {
+                dev->config = dev->device->confs + i;
+                ret = 0;
+            }
+        }
+        trace_usb_set_config(dev->addr, value, ret);
+        break;
     }
     return ret;
 }
diff --git a/hw/usb-desc.h b/hw/usb-desc.h
index 20fc400..d441725 100644
--- a/hw/usb-desc.h
+++ b/hw/usb-desc.h
@@ -78,6 +78,7 @@ int usb_desc_endpoint(const USBDescEndpoint *ep, uint8_t *dest, size_t len);
 int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len);
 
 /* control message emulation helpers */
+void usb_desc_init(USBDevice *dev);
 void usb_desc_set_string(USBDevice *dev, uint8_t index, const char *str);
 const char *usb_desc_get_string(USBDevice *dev, uint8_t index);
 int usb_desc_string(USBDevice *dev, int index, uint8_t *dest, size_t len);
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 72daddf..21c0c72 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -695,13 +695,6 @@ static int usb_hid_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = 1;
-        ret = 1;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -822,7 +815,8 @@ static void usb_hid_handle_destroy(USBDevice *dev)
 static int usb_hid_initfn(USBDevice *dev, int kind)
 {
     USBHIDState *s = DO_UPCAST(USBHIDState, dev, dev);
-    s->dev.speed = USB_SPEED_FULL;
+
+    usb_desc_init(dev);
     s->kind = kind;
 
     if (s->kind == USB_MOUSE) {
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 1d321ac..fc0b94b 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -297,13 +297,6 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = 1;
-        ret = 1;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -541,7 +534,7 @@ static int usb_hub_initfn(USBDevice *dev)
     USBHubPort *port;
     int i;
 
-    s->dev.speed = USB_SPEED_FULL;
+    usb_desc_init(dev);
     for (i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index b54ccbc..56c6f3d 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -261,13 +261,6 @@ static int usb_msd_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = 1;
-        ret = 1;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -502,7 +495,7 @@ static int usb_msd_initfn(USBDevice *dev)
         usb_desc_set_string(dev, STR_SERIALNUMBER, dinfo->serial);
     }
 
-    s->dev.speed = USB_SPEED_FULL;
+    usb_desc_init(dev);
     scsi_bus_new(&s->bus, &s->dev.qdev, 0, 1, usb_msd_command_complete);
     s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, bs, 0);
     if (!s->scsi_dev) {
diff --git a/hw/usb-net.c b/hw/usb-net.c
index 141d749..f123045 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -627,7 +627,6 @@ struct rndis_response {
 typedef struct USBNetState {
     USBDevice dev;
 
-    unsigned int rndis;
     enum rndis_state rndis_state;
     uint32_t medium;
     uint32_t speed;
@@ -648,6 +647,11 @@ typedef struct USBNetState {
     QTAILQ_HEAD(rndis_resp_head, rndis_response) rndis_resp;
 } USBNetState;
 
+static int is_rndis(USBNetState *s)
+{
+    return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
+}
+
 static int ndis_query(USBNetState *s, uint32_t oid,
                       uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf,
                       size_t outlen)
@@ -1077,8 +1081,9 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
         break;
 
     case ClassInterfaceOutRequest | USB_CDC_SEND_ENCAPSULATED_COMMAND:
-        if (!s->rndis || value || index != 0)
+        if (!is_rndis(s) || value || index != 0) {
             goto fail;
+        }
 #ifdef TRAFFIC_DEBUG
         {
             unsigned int i;
@@ -1095,8 +1100,9 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
         break;
 
     case ClassInterfaceRequest | USB_CDC_GET_ENCAPSULATED_RESPONSE:
-        if (!s->rndis || value || index != 0)
+        if (!is_rndis(s) || value || index != 0) {
             goto fail;
+        }
         ret = rndis_get_response(s, data);
         if (!ret) {
             data[0] = 0;
@@ -1116,27 +1122,6 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
 #endif
         break;
 
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = s->rndis ? DEV_RNDIS_CONFIG_VALUE : DEV_CONFIG_VALUE;
-        ret = 1;
-        break;
-
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        switch (value & 0xff) {
-        case DEV_CONFIG_VALUE:
-            s->rndis = 0;
-            break;
-
-        case DEV_RNDIS_CONFIG_VALUE:
-            s->rndis = 1;
-            break;
-
-        default:
-            goto fail;
-        }
-        ret = 0;
-        break;
-
     case DeviceRequest | USB_REQ_GET_INTERFACE:
     case InterfaceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
@@ -1207,7 +1192,7 @@ static int usb_net_handle_datain(USBNetState *s, USBPacket *p)
     memcpy(p->data, &s->in_buf[s->in_ptr], ret);
     s->in_ptr += ret;
     if (s->in_ptr >= s->in_len &&
-                    (s->rndis || (s->in_len & (64 - 1)) || !ret)) {
+                    (is_rndis(s) || (s->in_len & (64 - 1)) || !ret)) {
         /* no short packet necessary */
         s->in_ptr = s->in_len = 0;
     }
@@ -1256,7 +1241,7 @@ static int usb_net_handle_dataout(USBNetState *s, USBPacket *p)
     memcpy(&s->out_buf[s->out_ptr], p->data, sz);
     s->out_ptr += sz;
 
-    if (!s->rndis) {
+    if (!is_rndis(s)) {
         if (ret < 64) {
             qemu_send_packet(&s->nic->nc, s->out_buf, s->out_ptr);
             s->out_ptr = 0;
@@ -1327,7 +1312,7 @@ static ssize_t usbnet_receive(VLANClientState *nc, const uint8_t *buf, size_t si
     USBNetState *s = DO_UPCAST(NICState, nc, nc)->opaque;
     struct rndis_packet_msg_type *msg;
 
-    if (s->rndis) {
+    if (is_rndis(s)) {
         msg = (struct rndis_packet_msg_type *) s->in_buf;
         if (!s->rndis_state == RNDIS_DATA_INITIALIZED)
             return -1;
@@ -1363,8 +1348,9 @@ static int usbnet_can_receive(VLANClientState *nc)
 {
     USBNetState *s = DO_UPCAST(NICState, nc, nc)->opaque;
 
-    if (s->rndis && !s->rndis_state == RNDIS_DATA_INITIALIZED)
+    if (is_rndis(s) && !s->rndis_state == RNDIS_DATA_INITIALIZED) {
         return 1;
+    }
 
     return !s->in_len;
 }
@@ -1397,9 +1383,8 @@ static int usb_net_initfn(USBDevice *dev)
 {
     USBNetState *s = DO_UPCAST(USBNetState, dev, dev);
 
-    s->dev.speed  = USB_SPEED_FULL;
+    usb_desc_init(dev);
 
-    s->rndis = 1;
     s->rndis_state = RNDIS_UNINITIALIZED;
     QTAILQ_INIT(&s->rndis_resp);
 
diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index c1f31c7..2bdb10b 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -254,13 +254,6 @@ static int usb_serial_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = 1;
-        ret = 1;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -507,7 +500,8 @@ static void usb_serial_event(void *opaque, int event)
 static int usb_serial_initfn(USBDevice *dev)
 {
     USBSerialState *s = DO_UPCAST(USBSerialState, dev, dev);
-    s->dev.speed = USB_SPEED_FULL;
+
+    usb_desc_init(dev);
 
     if (!s->cs) {
         error_report("Property chardev is required");
diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index ad1c3ae..3a98e80 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -284,13 +284,6 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = 1;
-        ret = 1;
-        break;
-    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_INTERFACE:
         data[0] = 0;
         ret = 1;
@@ -373,7 +366,7 @@ static void usb_wacom_handle_destroy(USBDevice *dev)
 static int usb_wacom_initfn(USBDevice *dev)
 {
     USBWacomState *s = DO_UPCAST(USBWacomState, dev, dev);
-    s->dev.speed = USB_SPEED_FULL;
+    usb_desc_init(dev);
     s->changed = 1;
     return 0;
 }
diff --git a/hw/usb.h b/hw/usb.h
index 7b5c8df..966d47e 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -164,6 +164,8 @@ struct USBDevice {
     int setup_index;
 
     QLIST_HEAD(, USBDescString) strings;
+    const USBDescDevice *device;
+    const USBDescConfig *config;
 };
 
 struct USBDeviceInfo {
diff --git a/trace-events b/trace-events
index 7948c6c..9ef8474 100644
--- a/trace-events
+++ b/trace-events
@@ -195,6 +195,7 @@ disable usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d
 disable usb_desc_config(int addr, int index, int len, int ret) "dev %d query config %d, len %d, ret %d"
 disable usb_desc_string(int addr, int index, int len, int ret) "dev %d query string %d, len %d, ret %d"
 disable usb_set_addr(int addr) "dev %d"
+disable usb_set_config(int addr, int config, int ret) "dev %d, config %d, ret %d"
 
 # vl.c
 disable vm_state_notify(int running, int reason) "running %d reason %d"
commit 41c6abbdeb5a86a135ee80a30541ecf52ffd3e23
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 26 12:35:10 2010 +0100

    usb: move USB_REQ_SET_ADDRESS handling to common code
    
    USB_REQ_SET_ADDRESS handling is identical in *all* emulated devices.
    Move it to common code.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index d7959ad..c0bfc35 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -413,10 +413,6 @@ static int usb_bt_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
diff --git a/hw/usb-desc.c b/hw/usb-desc.c
index 69ab207..3e87f46 100644
--- a/hw/usb-desc.c
+++ b/hw/usb-desc.c
@@ -266,6 +266,12 @@ int usb_desc_handle_control(USBDevice *dev, int request, int value,
 
     assert(desc != NULL);
     switch(request) {
+    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
+        dev->addr = value;
+        trace_usb_set_addr(dev->addr);
+        ret = 0;
+        break;
+
     case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
         ret = usb_desc_get_descriptor(dev, value, data, length);
         break;
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 74d17fc..72daddf 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -695,10 +695,6 @@ static int usb_hid_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 421d43d..1d321ac 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -297,10 +297,6 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 9aa8888..b54ccbc 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -261,10 +261,6 @@ static int usb_msd_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
diff --git a/hw/usb-net.c b/hw/usb-net.c
index b2fe42e..141d749 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1076,11 +1076,6 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
         ret = 0;
         break;
 
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
-
     case ClassInterfaceOutRequest | USB_CDC_SEND_ENCAPSULATED_COMMAND:
         if (!s->rndis || value || index != 0)
             goto fail;
diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index f89eb9b..c1f31c7 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -254,10 +254,6 @@ static int usb_serial_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index ffe6ac7..ad1c3ae 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -284,10 +284,6 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
         }
         ret = 0;
         break;
-    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
-        dev->addr = value;
-        ret = 0;
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
diff --git a/trace-events b/trace-events
index 8264ff0..7948c6c 100644
--- a/trace-events
+++ b/trace-events
@@ -194,6 +194,7 @@ disable sun4m_iommu_bad_addr(uint64_t addr) "bad addr %"PRIx64""
 disable usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
 disable usb_desc_config(int addr, int index, int len, int ret) "dev %d query config %d, len %d, ret %d"
 disable usb_desc_string(int addr, int index, int len, int ret) "dev %d query string %d, len %d, ret %d"
+disable usb_set_addr(int addr) "dev %d"
 
 # vl.c
 disable vm_state_notify(int running, int reason) "running %d reason %d"
commit 30c7d32a0a822a9496aee51e7269073311339ed9
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 26 10:25:06 2010 +0100

    usb network: use new descriptor infrastructure.
    
    Switch the usb network driver over to the
    new descriptor infrastructure.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-net.c b/hw/usb-net.c
index 8492455..b2fe42e 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -25,6 +25,7 @@
 
 #include "qemu-common.h"
 #include "usb.h"
+#include "usb-desc.h"
 #include "net.h"
 #include "qemu-queue.h"
 #include "sysemu.h"
@@ -89,182 +90,209 @@ enum usbstring_idx {
 
 #define ETH_FRAME_LEN			1514 /* Max. octets in frame sans FCS */
 
-/*
- * mostly the same descriptor as the linux gadget rndis driver
- */
-static const uint8_t qemu_net_dev_descriptor[] = {
-    0x12,			/*  u8 bLength; */
-    USB_DT_DEVICE,		/*  u8 bDescriptorType; Device */
-    0x00, 0x02,			/*  u16 bcdUSB; v2.0 */
-    USB_CLASS_COMM,		/*  u8  bDeviceClass; */
-    0x00,			/*  u8  bDeviceSubClass; */
-    0x00,			/*  u8  bDeviceProtocol; [ low/full only ] */
-    0x40,			/*  u8  bMaxPacketSize0 */
-    RNDIS_VENDOR_NUM & 0xff, RNDIS_VENDOR_NUM >> 8,	/*  u16 idVendor; */
-    RNDIS_PRODUCT_NUM & 0xff, RNDIS_PRODUCT_NUM >> 8,	/*  u16 idProduct; */
-    0x00, 0x00,			/*  u16 bcdDevice */
-    STRING_MANUFACTURER,	/*  u8  iManufacturer; */
-    STRING_PRODUCT,		/*  u8  iProduct; */
-    STRING_SERIALNUMBER,	/*  u8  iSerialNumber; */
-    0x02,			/*  u8  bNumConfigurations; */
+static const USBDescStrings usb_net_stringtable = {
+    [STRING_MANUFACTURER]       = "QEMU",
+    [STRING_PRODUCT]            = "RNDIS/QEMU USB Network Device",
+    [STRING_ETHADDR]            = "400102030405",
+    [STRING_DATA]               = "QEMU USB Net Data Interface",
+    [STRING_CONTROL]            = "QEMU USB Net Control Interface",
+    [STRING_RNDIS_CONTROL]      = "QEMU USB Net RNDIS Control Interface",
+    [STRING_CDC]                = "QEMU USB Net CDC",
+    [STRING_SUBSET]             = "QEMU USB Net Subset",
+    [STRING_RNDIS]              = "QEMU USB Net RNDIS",
+    [STRING_SERIALNUMBER]       = "1",
 };
 
-static const uint8_t qemu_net_rndis_config_descriptor[] = {
-    /* Configuration Descriptor */
-    0x09,			/*  u8  bLength */
-    USB_DT_CONFIG,		/*  u8  bDescriptorType */
-    0x43, 0x00,			/*  le16 wTotalLength */
-    0x02,			/*  u8  bNumInterfaces */
-    DEV_RNDIS_CONFIG_VALUE,	/*  u8  bConfigurationValue */
-    STRING_RNDIS,		/*  u8  iConfiguration */
-    0xc0,			/*  u8  bmAttributes */
-    0x32,			/*  u8  bMaxPower */
-    /* RNDIS Control Interface */
-    0x09,			/*  u8  bLength */
-    USB_DT_INTERFACE,		/*  u8  bDescriptorType */
-    0x00,			/*  u8  bInterfaceNumber */
-    0x00,			/*  u8  bAlternateSetting */
-    0x01,			/*  u8  bNumEndpoints */
-    USB_CLASS_COMM,		/*  u8  bInterfaceClass */
-    USB_CDC_SUBCLASS_ACM,	/*  u8  bInterfaceSubClass */
-    USB_CDC_ACM_PROTO_VENDOR,	/*  u8  bInterfaceProtocol */
-    STRING_RNDIS_CONTROL,	/*  u8  iInterface */
-    /* Header Descriptor */
-    0x05,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_HEADER_TYPE,	/*  u8    bDescriptorSubType */
-    0x10, 0x01,			/*  le16  bcdCDC */
-    /* Call Management Descriptor */
-    0x05,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_CALL_MANAGEMENT_TYPE,	/*  u8    bDescriptorSubType */
-    0x00,			/*  u8    bmCapabilities */
-    0x01,			/*  u8    bDataInterface */
-    /* ACM Descriptor */
-    0x04,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_ACM_TYPE,		/*  u8    bDescriptorSubType */
-    0x00,			/*  u8    bmCapabilities */
-    /* Union Descriptor */
-    0x05,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_UNION_TYPE,		/*  u8    bDescriptorSubType */
-    0x00,			/*  u8    bMasterInterface0 */
-    0x01,			/*  u8    bSlaveInterface0 */
-    /* Status Descriptor */
-    0x07,			/*  u8  bLength */
-    USB_DT_ENDPOINT,		/*  u8  bDescriptorType */
-    USB_DIR_IN | 1,		/*  u8  bEndpointAddress */
-    USB_ENDPOINT_XFER_INT,	/*  u8  bmAttributes */
-    STATUS_BYTECOUNT & 0xff, STATUS_BYTECOUNT >> 8, /*  le16 wMaxPacketSize */
-    1 << LOG2_STATUS_INTERVAL_MSEC,	/*  u8  bInterval */
-    /* RNDIS Data Interface */
-    0x09,			/*  u8  bLength */
-    USB_DT_INTERFACE,		/*  u8  bDescriptorType */
-    0x01,			/*  u8  bInterfaceNumber */
-    0x00,			/*  u8  bAlternateSetting */
-    0x02,			/*  u8  bNumEndpoints */
-    USB_CLASS_CDC_DATA,		/*  u8  bInterfaceClass */
-    0x00,			/*  u8  bInterfaceSubClass */
-    0x00,			/*  u8  bInterfaceProtocol */
-    STRING_DATA,		/*  u8  iInterface */
-    /* Source Endpoint */
-    0x07,			/*  u8  bLength */
-    USB_DT_ENDPOINT,		/*  u8  bDescriptorType */
-    USB_DIR_IN | 2,		/*  u8  bEndpointAddress */
-    USB_ENDPOINT_XFER_BULK,	/*  u8  bmAttributes */
-    0x40, 0x00,			/*  le16 wMaxPacketSize */
-    0x00,			/*  u8  bInterval */
-    /* Sink Endpoint */
-    0x07,			/*  u8  bLength */
-    USB_DT_ENDPOINT,		/*  u8  bDescriptorType */
-    USB_DIR_OUT | 2,		/*  u8  bEndpointAddress */
-    USB_ENDPOINT_XFER_BULK,	/*  u8  bmAttributes */
-    0x40, 0x00,			/*  le16 wMaxPacketSize */
-    0x00			/*  u8  bInterval */
+static const USBDescIface desc_iface_rndis[] = {
+    {
+        /* RNDIS Control Interface */
+        .bInterfaceNumber              = 0,
+        .bNumEndpoints                 = 1,
+        .bInterfaceClass               = USB_CLASS_COMM,
+        .bInterfaceSubClass            = USB_CDC_SUBCLASS_ACM,
+        .bInterfaceProtocol            = USB_CDC_ACM_PROTO_VENDOR,
+        .iInterface                    = STRING_RNDIS_CONTROL,
+        .ndesc                         = 4,
+        .descs = (USBDescOther[]) {
+            {
+                /* Header Descriptor */
+                .data = (uint8_t[]) {
+                    0x05,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_HEADER_TYPE,        /*  u8    bDescriptorSubType */
+                    0x10, 0x01,                 /*  le16  bcdCDC */
+                },
+            },{
+                /* Call Management Descriptor */
+                .data = (uint8_t[]) {
+                    0x05,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_CALL_MANAGEMENT_TYPE, /*  u8    bDescriptorSubType */
+                    0x00,                       /*  u8    bmCapabilities */
+                    0x01,                       /*  u8    bDataInterface */
+                },
+            },{
+                /* ACM Descriptor */
+                .data = (uint8_t[]) {
+                    0x04,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_ACM_TYPE,           /*  u8    bDescriptorSubType */
+                    0x00,                       /*  u8    bmCapabilities */
+                },
+            },{
+                /* Union Descriptor */
+                .data = (uint8_t[]) {
+                    0x05,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_UNION_TYPE,         /*  u8    bDescriptorSubType */
+                    0x00,                       /*  u8    bMasterInterface0 */
+                    0x01,                       /*  u8    bSlaveInterface0 */
+                },
+            },
+        },
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_IN | 0x01,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = STATUS_BYTECOUNT,
+                .bInterval             = 1 << LOG2_STATUS_INTERVAL_MSEC,
+            },
+        }
+    },{
+        /* RNDIS Data Interface */
+        .bInterfaceNumber              = 1,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = USB_CLASS_CDC_DATA,
+        .iInterface                    = STRING_DATA,
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_IN | 0x02,
+                .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+                .wMaxPacketSize        = 0x40,
+            },{
+                .bEndpointAddress      = USB_DIR_OUT | 0x02,
+                .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+                .wMaxPacketSize        = 0x40,
+            }
+        }
+    }
 };
 
-static const uint8_t qemu_net_cdc_config_descriptor[] = {
-    /* Configuration Descriptor */
-    0x09,			/*  u8  bLength */
-    USB_DT_CONFIG,		/*  u8  bDescriptorType */
-    0x50, 0x00,			/*  le16 wTotalLength */
-    0x02,			/*  u8  bNumInterfaces */
-    DEV_CONFIG_VALUE,		/*  u8  bConfigurationValue */
-    STRING_CDC,			/*  u8  iConfiguration */
-    0xc0,			/*  u8  bmAttributes */
-    0x32,			/*  u8  bMaxPower */
-    /* CDC Control Interface */
-    0x09,			/*  u8  bLength */
-    USB_DT_INTERFACE,		/*  u8  bDescriptorType */
-    0x00,			/*  u8  bInterfaceNumber */
-    0x00,			/*  u8  bAlternateSetting */
-    0x01,			/*  u8  bNumEndpoints */
-    USB_CLASS_COMM,		/*  u8  bInterfaceClass */
-    USB_CDC_SUBCLASS_ETHERNET,	/*  u8  bInterfaceSubClass */
-    USB_CDC_PROTO_NONE,		/*  u8  bInterfaceProtocol */
-    STRING_CONTROL,		/*  u8  iInterface */
-    /* Header Descriptor */
-    0x05,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_HEADER_TYPE,	/*  u8    bDescriptorSubType */
-    0x10, 0x01,			/*  le16  bcdCDC */
-    /* Union Descriptor */
-    0x05,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_UNION_TYPE,		/*  u8    bDescriptorSubType */
-    0x00,			/*  u8    bMasterInterface0 */
-    0x01,			/*  u8    bSlaveInterface0 */
-    /* Ethernet Descriptor */
-    0x0d,			/*  u8    bLength */
-    USB_DT_CS_INTERFACE,	/*  u8    bDescriptorType */
-    USB_CDC_ETHERNET_TYPE,	/*  u8    bDescriptorSubType */
-    STRING_ETHADDR,		/*  u8    iMACAddress */
-    0x00, 0x00, 0x00, 0x00,	/*  le32  bmEthernetStatistics */
-    ETH_FRAME_LEN & 0xff, ETH_FRAME_LEN >> 8,	/*  le16  wMaxSegmentSize */
-    0x00, 0x00,			/*  le16  wNumberMCFilters */
-    0x00,			/*  u8    bNumberPowerFilters */
-    /* Status Descriptor */
-    0x07,			/*  u8  bLength */
-    USB_DT_ENDPOINT,		/*  u8  bDescriptorType */
-    USB_DIR_IN | 1,		/*  u8  bEndpointAddress */
-    USB_ENDPOINT_XFER_INT,	/*  u8  bmAttributes */
-    STATUS_BYTECOUNT & 0xff, STATUS_BYTECOUNT >> 8, /*  le16 wMaxPacketSize */
-    1 << LOG2_STATUS_INTERVAL_MSEC,	/*  u8  bInterval */
-    /* CDC Data (nop) Interface */
-    0x09,			/*  u8  bLength */
-    USB_DT_INTERFACE,		/*  u8  bDescriptorType */
-    0x01,			/*  u8  bInterfaceNumber */
-    0x00,			/*  u8  bAlternateSetting */
-    0x00,			/*  u8  bNumEndpoints */
-    USB_CLASS_CDC_DATA,		/*  u8  bInterfaceClass */
-    0x00,			/*  u8  bInterfaceSubClass */
-    0x00,			/*  u8  bInterfaceProtocol */
-    0x00,			/*  u8  iInterface */
-    /* CDC Data Interface */
-    0x09,			/*  u8  bLength */
-    USB_DT_INTERFACE,		/*  u8  bDescriptorType */
-    0x01,			/*  u8  bInterfaceNumber */
-    0x01,			/*  u8  bAlternateSetting */
-    0x02,			/*  u8  bNumEndpoints */
-    USB_CLASS_CDC_DATA,		/*  u8  bInterfaceClass */
-    0x00,			/*  u8  bInterfaceSubClass */
-    0x00,			/*  u8  bInterfaceProtocol */
-    STRING_DATA,		/*  u8  iInterface */
-    /* Source Endpoint */
-    0x07,			/*  u8  bLength */
-    USB_DT_ENDPOINT,		/*  u8  bDescriptorType */
-    USB_DIR_IN | 2,		/*  u8  bEndpointAddress */
-    USB_ENDPOINT_XFER_BULK,	/*  u8  bmAttributes */
-    0x40, 0x00,			/*  le16 wMaxPacketSize */
-    0x00,			/*  u8  bInterval */
-    /* Sink Endpoint */
-    0x07,			/*  u8  bLength */
-    USB_DT_ENDPOINT,		/*  u8  bDescriptorType */
-    USB_DIR_OUT | 2,		/*  u8  bEndpointAddress */
-    USB_ENDPOINT_XFER_BULK,	/*  u8  bmAttributes */
-    0x40, 0x00,			/*  le16 wMaxPacketSize */
-    0x00			/*  u8  bInterval */
+static const USBDescIface desc_iface_cdc[] = {
+    {
+        /* CDC Control Interface */
+        .bInterfaceNumber              = 0,
+        .bNumEndpoints                 = 1,
+        .bInterfaceClass               = USB_CLASS_COMM,
+        .bInterfaceSubClass            = USB_CDC_SUBCLASS_ETHERNET,
+        .bInterfaceProtocol            = USB_CDC_PROTO_NONE,
+        .iInterface                    = STRING_CONTROL,
+        .ndesc                         = 3,
+        .descs = (USBDescOther[]) {
+            {
+                /* Header Descriptor */
+                .data = (uint8_t[]) {
+                    0x05,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_HEADER_TYPE,        /*  u8    bDescriptorSubType */
+                    0x10, 0x01,                 /*  le16  bcdCDC */
+                },
+            },{
+                /* Union Descriptor */
+                .data = (uint8_t[]) {
+                    0x05,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_UNION_TYPE,         /*  u8    bDescriptorSubType */
+                    0x00,                       /*  u8    bMasterInterface0 */
+                    0x01,                       /*  u8    bSlaveInterface0 */
+                },
+            },{
+                /* Ethernet Descriptor */
+                .data = (uint8_t[]) {
+                    0x0d,                       /*  u8    bLength */
+                    USB_DT_CS_INTERFACE,        /*  u8    bDescriptorType */
+                    USB_CDC_ETHERNET_TYPE,      /*  u8    bDescriptorSubType */
+                    STRING_ETHADDR,             /*  u8    iMACAddress */
+                    0x00, 0x00, 0x00, 0x00,     /*  le32  bmEthernetStatistics */
+                    ETH_FRAME_LEN & 0xff,
+                    ETH_FRAME_LEN >> 8,         /*  le16  wMaxSegmentSize */
+                    0x00, 0x00,                 /*  le16  wNumberMCFilters */
+                    0x00,                       /*  u8    bNumberPowerFilters */
+                },
+            },
+        },
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_IN | 0x01,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = STATUS_BYTECOUNT,
+                .bInterval             = 1 << LOG2_STATUS_INTERVAL_MSEC,
+            },
+        }
+    },{
+        /* CDC Data Interface (off) */
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 0,
+        .bNumEndpoints                 = 0,
+        .bInterfaceClass               = USB_CLASS_CDC_DATA,
+    },{
+        /* CDC Data Interface */
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 1,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = USB_CLASS_CDC_DATA,
+        .iInterface                    = STRING_DATA,
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_IN | 0x02,
+                .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+                .wMaxPacketSize        = 0x40,
+            },{
+                .bEndpointAddress      = USB_DIR_OUT | 0x02,
+                .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+                .wMaxPacketSize        = 0x40,
+            }
+        }
+    }
+};
+
+static const USBDescDevice desc_device_net = {
+    .bcdUSB                        = 0x0200,
+    .bDeviceClass                  = USB_CLASS_COMM,
+    .bMaxPacketSize0               = 0x40,
+    .bNumConfigurations            = 2,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 2,
+            .bConfigurationValue   = DEV_RNDIS_CONFIG_VALUE,
+            .iConfiguration        = STRING_RNDIS,
+            .bmAttributes          = 0xc0,
+            .bMaxPower             = 0x32,
+            .nif = ARRAY_SIZE(desc_iface_rndis),
+            .ifs = desc_iface_rndis,
+        },{
+            .bNumInterfaces        = 2,
+            .bConfigurationValue   = DEV_CONFIG_VALUE,
+            .iConfiguration        = STRING_CDC,
+            .bmAttributes          = 0xc0,
+            .bMaxPower             = 0x32,
+            .nif = ARRAY_SIZE(desc_iface_cdc),
+            .ifs = desc_iface_cdc,
+        }
+    },
+};
+
+static const USBDesc desc_net = {
+    .id = {
+        .idVendor          = RNDIS_VENDOR_NUM,
+        .idProduct         = RNDIS_PRODUCT_NUM,
+        .bcdDevice         = 0,
+        .iManufacturer     = STRING_MANUFACTURER,
+        .iProduct          = STRING_PRODUCT,
+        .iSerialNumber     = STRING_SERIALNUMBER,
+    },
+    .full = &desc_device_net,
+    .str  = usb_net_stringtable,
 };
 
 /*
@@ -1010,25 +1038,18 @@ static void usb_net_handle_reset(USBDevice *dev)
 {
 }
 
-static const char * const usb_net_stringtable[] = {
-    [STRING_MANUFACTURER]	= "QEMU",
-    [STRING_PRODUCT]		= "RNDIS/QEMU USB Network Device",
-    [STRING_ETHADDR]		= "400102030405",
-    [STRING_DATA]		= "QEMU USB Net Data Interface",
-    [STRING_CONTROL]		= "QEMU USB Net Control Interface",
-    [STRING_RNDIS_CONTROL]	= "QEMU USB Net RNDIS Control Interface",
-    [STRING_CDC]		= "QEMU USB Net CDC",
-    [STRING_SUBSET]		= "QEMU USB Net Subset",
-    [STRING_RNDIS]		= "QEMU USB Net RNDIS",
-    [STRING_SERIALNUMBER]	= "1",
-};
-
 static int usb_net_handle_control(USBDevice *dev, int request, int value,
                 int index, int length, uint8_t *data)
 {
     USBNetState *s = (USBNetState *) dev;
-    int ret = 0;
+    int ret;
 
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
+
+    ret = 0;
     switch(request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
         data[0] = (1 << USB_DEVICE_SELF_POWERED) |
@@ -1100,64 +1121,6 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
 #endif
         break;
 
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch(value >> 8) {
-        case USB_DT_DEVICE:
-            ret = sizeof(qemu_net_dev_descriptor);
-            memcpy(data, qemu_net_dev_descriptor, ret);
-            break;
-
-        case USB_DT_CONFIG:
-            switch (value & 0xff) {
-            case 0:
-                ret = sizeof(qemu_net_rndis_config_descriptor);
-                memcpy(data, qemu_net_rndis_config_descriptor, ret);
-                break;
-
-            case 1:
-                ret = sizeof(qemu_net_cdc_config_descriptor);
-                memcpy(data, qemu_net_cdc_config_descriptor, ret);
-                break;
-
-            default:
-                goto fail;
-            }
-
-            data[2] = ret & 0xff;
-            data[3] = ret >> 8;
-            break;
-
-        case USB_DT_STRING:
-            switch (value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-
-            case STRING_ETHADDR:
-                ret = set_usb_string(data, s->usbstring_mac);
-                break;
-
-            default:
-                if (ARRAY_SIZE(usb_net_stringtable) > (value & 0xff)) {
-                    ret = set_usb_string(data,
-                                    usb_net_stringtable[value & 0xff]);
-                    break;
-                }
-
-                goto fail;
-            }
-            break;
-
-        default:
-            goto fail;
-        }
-        break;
-
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = s->rndis ? DEV_RNDIS_CONFIG_VALUE : DEV_CONFIG_VALUE;
         ret = 1;
@@ -1463,6 +1426,7 @@ static int usb_net_initfn(USBDevice *dev)
              s->conf.macaddr.a[3],
              s->conf.macaddr.a[4],
              s->conf.macaddr.a[5]);
+    usb_desc_set_string(dev, STRING_ETHADDR, s->usbstring_mac);
 
     add_boot_device_path(s->conf.bootindex, &dev->qdev, "/ethernet at 0");
     return 0;
@@ -1500,6 +1464,7 @@ static struct USBDeviceInfo net_info = {
     .qdev.name      = "usb-net",
     .qdev.fw_name    = "network",
     .qdev.size      = sizeof(USBNetState),
+    .usb_desc       = &desc_net,
     .init           = usb_net_initfn,
     .handle_packet  = usb_generic_handle_packet,
     .handle_reset   = usb_net_handle_reset,
commit 4a1e1bc416e99254dcc59a689b3806775ae8dabd
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 26 12:26:17 2010 +0100

    usb storage: serial number support
    
    If a serial number is present for the drive fill it into the usb
    serialnumber string descriptor.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 20ab886..9aa8888 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -482,6 +482,7 @@ static int usb_msd_initfn(USBDevice *dev)
 {
     MSDState *s = DO_UPCAST(MSDState, dev, dev);
     BlockDriverState *bs = s->conf.bs;
+    DriveInfo *dinfo;
 
     if (!bs) {
         error_report("usb-msd: drive property not set");
@@ -500,6 +501,11 @@ static int usb_msd_initfn(USBDevice *dev)
     bdrv_detach(bs, &s->dev.qdev);
     s->conf.bs = NULL;
 
+    dinfo = drive_get_by_blockdev(bs);
+    if (dinfo && dinfo->serial) {
+        usb_desc_set_string(dev, STR_SERIALNUMBER, dinfo->serial);
+    }
+
     s->dev.speed = USB_SPEED_FULL;
     scsi_bus_new(&s->bus, &s->dev.qdev, 0, 1, usb_msd_command_complete);
     s->scsi_dev = scsi_bus_legacy_add_drive(&s->bus, bs, 0);
commit 132a3f55f05dff4eedde0d23d844ecdedef8ba68
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 26 12:25:32 2010 +0100

    usb descriptors: add settable strings.
    
    This patch allows to set usb descriptor strings per device instance.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 8b4583c..af537c2 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -48,6 +48,7 @@ static int usb_qdev_init(DeviceState *qdev, DeviceInfo *base)
     pstrcpy(dev->product_desc, sizeof(dev->product_desc), info->product_desc);
     dev->info = info;
     dev->auto_attach = 1;
+    QLIST_INIT(&dev->strings);
     rc = dev->info->init(dev);
     if (rc == 0 && dev->auto_attach)
         usb_device_attach(dev);
diff --git a/hw/usb-desc.c b/hw/usb-desc.c
index 559ced7..69ab207 100644
--- a/hw/usb-desc.c
+++ b/hw/usb-desc.c
@@ -151,9 +151,42 @@ int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len)
     return bLength;
 }
 
-int usb_desc_string(const char* const *str, int index, uint8_t *dest, size_t len)
+/* ------------------------------------------------------------------ */
+
+void usb_desc_set_string(USBDevice *dev, uint8_t index, const char *str)
+{
+    USBDescString *s;
+
+    QLIST_FOREACH(s, &dev->strings, next) {
+        if (s->index == index) {
+            break;
+        }
+    }
+    if (s == NULL) {
+        s = qemu_mallocz(sizeof(*s));
+        s->index = index;
+        QLIST_INSERT_HEAD(&dev->strings, s, next);
+    }
+    qemu_free(s->str);
+    s->str = qemu_strdup(str);
+}
+
+const char *usb_desc_get_string(USBDevice *dev, uint8_t index)
+{
+    USBDescString *s;
+
+    QLIST_FOREACH(s, &dev->strings, next) {
+        if (s->index == index) {
+            return s->str;
+        }
+    }
+    return NULL;
+}
+
+int usb_desc_string(USBDevice *dev, int index, uint8_t *dest, size_t len)
 {
     uint8_t bLength, pos, i;
+    const char *str;
 
     if (len < 4) {
         return -1;
@@ -168,22 +201,25 @@ int usb_desc_string(const char* const *str, int index, uint8_t *dest, size_t len
         return 4;
     }
 
-    if (str[index] == NULL) {
-        return 0;
+    str = usb_desc_get_string(dev, index);
+    if (str == NULL) {
+        str = dev->info->usb_desc->str[index];
+        if (str == NULL) {
+            return 0;
+        }
     }
-    bLength = strlen(str[index]) * 2 + 2;
+
+    bLength = strlen(str) * 2 + 2;
     dest[0] = bLength;
     dest[1] = USB_DT_STRING;
     i = 0; pos = 2;
     while (pos+1 < bLength && pos+1 < len) {
-        dest[pos++] = str[index][i++];
+        dest[pos++] = str[i++];
         dest[pos++] = 0;
     }
     return pos;
 }
 
-/* ------------------------------------------------------------------ */
-
 int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len)
 {
     const USBDesc *desc = dev->info->usb_desc;
@@ -204,7 +240,7 @@ int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len
         trace_usb_desc_config(dev->addr, index, len, ret);
         break;
     case USB_DT_STRING:
-        ret = usb_desc_string(desc->str, index, buf, sizeof(buf));
+        ret = usb_desc_string(dev, index, buf, sizeof(buf));
         trace_usb_desc_string(dev->addr, index, len, ret);
         break;
     default:
diff --git a/hw/usb-desc.h b/hw/usb-desc.h
index d80efdb..20fc400 100644
--- a/hw/usb-desc.h
+++ b/hw/usb-desc.h
@@ -76,9 +76,11 @@ int usb_desc_config(const USBDescConfig *conf, uint8_t *dest, size_t len);
 int usb_desc_iface(const USBDescIface *iface, uint8_t *dest, size_t len);
 int usb_desc_endpoint(const USBDescEndpoint *ep, uint8_t *dest, size_t len);
 int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len);
-int usb_desc_string(const char* const *str, int index, uint8_t *dest, size_t len);
 
 /* control message emulation helpers */
+void usb_desc_set_string(USBDevice *dev, uint8_t index, const char *str);
+const char *usb_desc_get_string(USBDevice *dev, uint8_t index);
+int usb_desc_string(USBDevice *dev, int index, uint8_t *dest, size_t len);
 int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len);
 int usb_desc_handle_control(USBDevice *dev, int request, int value,
                             int index, int length, uint8_t *data);
diff --git a/hw/usb.h b/hw/usb.h
index a29b6d6..7b5c8df 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -135,6 +135,13 @@ typedef struct USBDescConfig USBDescConfig;
 typedef struct USBDescIface USBDescIface;
 typedef struct USBDescEndpoint USBDescEndpoint;
 typedef struct USBDescOther USBDescOther;
+typedef struct USBDescString USBDescString;
+
+struct USBDescString {
+    uint8_t index;
+    char *str;
+    QLIST_ENTRY(USBDescString) next;
+};
 
 /* definition of a USB device */
 struct USBDevice {
@@ -155,6 +162,8 @@ struct USBDevice {
     int setup_state;
     int setup_len;
     int setup_index;
+
+    QLIST_HEAD(, USBDescString) strings;
 };
 
 struct USBDeviceInfo {
commit 062651c7e750a0c06a693d336c2b9edb893a2c94
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Nov 26 13:13:22 2010 +0100

    usb hub: use new descriptor infrastructure.
    
    Switch the usb hub driver over to the
    new descriptor infrastructure.
    
    It also removes the nr_ports variable and MAX_PORTS define and
    introduces a NUM_PORTS define instead.  The numver of ports was
    (and still is) fixed at 8 anyway.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 8a3f829..421d43d 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -23,10 +23,11 @@
  */
 #include "qemu-common.h"
 #include "usb.h"
+#include "usb-desc.h"
 
 //#define DEBUG
 
-#define MAX_PORTS 8
+#define NUM_PORTS 8
 
 typedef struct USBHubPort {
     USBPort port;
@@ -36,8 +37,7 @@ typedef struct USBHubPort {
 
 typedef struct USBHubState {
     USBDevice dev;
-    int nb_ports;
-    USBHubPort ports[MAX_PORTS];
+    USBHubPort ports[NUM_PORTS];
 } USBHubState;
 
 #define ClearHubFeature		(0x2000 | USB_REQ_CLEAR_FEATURE)
@@ -83,6 +83,60 @@ typedef struct USBHubState {
 
 /* same as Linux kernel root hubs */
 
+enum {
+    STR_MANUFACTURER = 1,
+    STR_PRODUCT,
+    STR_SERIALNUMBER,
+};
+
+static const USBDescStrings desc_strings = {
+    [STR_MANUFACTURER] = "QEMU " QEMU_VERSION,
+    [STR_PRODUCT]      = "QEMU USB Hub",
+    [STR_SERIALNUMBER] = "314159",
+};
+
+static const USBDescIface desc_iface_hub = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 1,
+    .bInterfaceClass               = USB_CLASS_HUB,
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_INT,
+            .wMaxPacketSize        = 1 + (NUM_PORTS + 7) / 8,
+            .bInterval             = 0xff,
+        },
+    }
+};
+
+static const USBDescDevice desc_device_hub = {
+    .bcdUSB                        = 0x0110,
+    .bDeviceClass                  = USB_CLASS_HUB,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .bmAttributes          = 0xe0,
+            .ifs = &desc_iface_hub,
+        },
+    },
+};
+
+static const USBDesc desc_hub = {
+    .id = {
+        .idVendor          = 0,
+        .idProduct         = 0,
+        .bcdDevice         = 0x0101,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device_hub,
+    .str  = desc_strings,
+};
+
 static const uint8_t qemu_hub_dev_descriptor[] = {
 	0x12,       /*  u8 bLength; */
 	0x01,       /*  u8 bDescriptorType; Device */
@@ -209,6 +263,11 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
     USBHubState *s = (USBHubState *)dev;
     int ret;
 
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
+
     switch(request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
         data[0] = (1 << USB_DEVICE_SELF_POWERED) |
@@ -242,53 +301,6 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
         dev->addr = value;
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch(value >> 8) {
-        case USB_DT_DEVICE:
-            memcpy(data, qemu_hub_dev_descriptor,
-                   sizeof(qemu_hub_dev_descriptor));
-            ret = sizeof(qemu_hub_dev_descriptor);
-            break;
-        case USB_DT_CONFIG:
-            memcpy(data, qemu_hub_config_descriptor,
-                   sizeof(qemu_hub_config_descriptor));
-
-            /* status change endpoint size based on number
-             * of ports */
-            data[22] = (s->nb_ports + 1 + 7) / 8;
-
-            ret = sizeof(qemu_hub_config_descriptor);
-            break;
-        case USB_DT_STRING:
-            switch(value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-            case 1:
-                /* serial number */
-                ret = set_usb_string(data, "314159");
-                break;
-            case 2:
-                /* product description */
-                ret = set_usb_string(data, "QEMU USB Hub");
-                break;
-            case 3:
-                /* vendor description */
-                ret = set_usb_string(data, "QEMU " QEMU_VERSION);
-                break;
-            default:
-                goto fail;
-            }
-            break;
-        default:
-            goto fail;
-        }
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
@@ -315,8 +327,9 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
         {
             unsigned int n = index - 1;
             USBHubPort *port;
-            if (n >= s->nb_ports)
+            if (n >= NUM_PORTS) {
                 goto fail;
+            }
             port = &s->ports[n];
             data[0] = port->wPortStatus;
             data[1] = port->wPortStatus >> 8;
@@ -338,8 +351,9 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
             unsigned int n = index - 1;
             USBHubPort *port;
             USBDevice *dev;
-            if (n >= s->nb_ports)
+            if (n >= NUM_PORTS) {
                 goto fail;
+            }
             port = &s->ports[n];
             dev = port->port.dev;
             switch(value) {
@@ -367,8 +381,9 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
             unsigned int n = index - 1;
             USBHubPort *port;
 
-            if (n >= s->nb_ports)
+            if (n >= NUM_PORTS) {
                 goto fail;
+            }
             port = &s->ports[n];
             switch(value) {
             case PORT_ENABLE:
@@ -403,17 +418,17 @@ static int usb_hub_handle_control(USBDevice *dev, int request, int value,
             unsigned int n, limit, var_hub_size = 0;
             memcpy(data, qemu_hub_hub_descriptor,
                    sizeof(qemu_hub_hub_descriptor));
-            data[2] = s->nb_ports;
+            data[2] = NUM_PORTS;
 
             /* fill DeviceRemovable bits */
-            limit = ((s->nb_ports + 1 + 7) / 8) + 7;
+            limit = ((NUM_PORTS + 1 + 7) / 8) + 7;
             for (n = 7; n < limit; n++) {
                 data[n] = 0x00;
                 var_hub_size++;
             }
 
             /* fill PortPwrCtrlMask bits */
-            limit = limit + ((s->nb_ports + 7) / 8);
+            limit = limit + ((NUM_PORTS + 7) / 8);
             for (;n < limit; n++) {
                 data[n] = 0xff;
                 var_hub_size++;
@@ -442,14 +457,14 @@ static int usb_hub_handle_data(USBDevice *dev, USBPacket *p)
             USBHubPort *port;
             unsigned int status;
             int i, n;
-            n = (s->nb_ports + 1 + 7) / 8;
+            n = (NUM_PORTS + 1 + 7) / 8;
             if (p->len == 1) { /* FreeBSD workaround */
                 n = 1;
             } else if (n > p->len) {
                 return USB_RET_BABBLE;
             }
             status = 0;
-            for(i = 0; i < s->nb_ports; i++) {
+            for(i = 0; i < NUM_PORTS; i++) {
                 port = &s->ports[i];
                 if (port->wPortChange)
                     status |= (1 << (i + 1));
@@ -481,7 +496,7 @@ static int usb_hub_broadcast_packet(USBHubState *s, USBPacket *p)
     USBDevice *dev;
     int i, ret;
 
-    for(i = 0; i < s->nb_ports; i++) {
+    for(i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         dev = port->port.dev;
         if (dev && (port->wPortStatus & PORT_STAT_ENABLE)) {
@@ -518,7 +533,7 @@ static void usb_hub_handle_destroy(USBDevice *dev)
     USBHubState *s = (USBHubState *)dev;
     int i;
 
-    for (i = 0; i < s->nb_ports; i++) {
+    for (i = 0; i < NUM_PORTS; i++) {
         usb_unregister_port(usb_bus_from_device(dev),
                             &s->ports[i].port);
     }
@@ -530,9 +545,8 @@ static int usb_hub_initfn(USBDevice *dev)
     USBHubPort *port;
     int i;
 
-    s->dev.speed  = USB_SPEED_FULL,
-    s->nb_ports = MAX_PORTS; /* FIXME: make configurable */
-    for (i = 0; i < s->nb_ports; i++) {
+    s->dev.speed = USB_SPEED_FULL;
+    for (i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
                           &port->port, s, i, &s->dev, usb_hub_attach);
@@ -547,6 +561,7 @@ static struct USBDeviceInfo hub_info = {
     .qdev.name      = "usb-hub",
     .qdev.fw_name    = "hub",
     .qdev.size      = sizeof(USBHubState),
+    .usb_desc       = &desc_hub,
     .init           = usb_hub_initfn,
     .handle_packet  = usb_hub_handle_packet,
     .handle_reset   = usb_hub_handle_reset,
commit 4696425cd05c7baa0a4b469d43ba4b8488bcfc0f
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 25 16:12:18 2010 +0100

    usb bluetooth: use new descriptor infrastructure.
    
    Switch the usb bluetooth driver over to the
    new descriptor infrastructure.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index 56d1a6c..d7959ad 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -20,6 +20,7 @@
 
 #include "qemu-common.h"
 #include "usb.h"
+#include "usb-desc.h"
 #include "net.h"
 #include "bt.h"
 
@@ -51,251 +52,202 @@ struct USBBtState {
 #define USB_ACL_EP	2
 #define USB_SCO_EP	3
 
-static const uint8_t qemu_bt_dev_descriptor[] = {
-    0x12,		/*  u8 bLength; */
-    USB_DT_DEVICE,	/*  u8 bDescriptorType; Device */
-    0x10, 0x01,		/*  u16 bcdUSB; v1.10 */
+enum {
+    STR_MANUFACTURER = 1,
+    STR_SERIALNUMBER,
+};
 
-    0xe0,	/*  u8  bDeviceClass; Wireless */
-    0x01,	/*  u8  bDeviceSubClass; Radio Frequency */
-    0x01,	/*  u8  bDeviceProtocol; Bluetooth */
-    0x40,	/*  u8  bMaxPacketSize0; 64 Bytes */
+static const USBDescStrings desc_strings = {
+    [STR_MANUFACTURER]     = "QEMU " QEMU_VERSION,
+    [STR_SERIALNUMBER]     = "1",
+};
 
-    0x12, 0x0a,	/*  u16 idVendor; */
-    0x01, 0x00,	/*  u16 idProduct; Bluetooth Dongle (HCI mode) */
-    0x58, 0x19,	/*  u16 bcdDevice; (some devices have 0x48, 0x02) */
+static const USBDescIface desc_iface_bluetooth[] = {
+    {
+        .bInterfaceNumber              = 0,
+        .bNumEndpoints                 = 3,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_EVT_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x10,
+                .bInterval             = 0x02,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_ACL_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+                .wMaxPacketSize        = 0x40,
+                .bInterval             = 0x0a,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_ACL_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+                .wMaxPacketSize        = 0x40,
+                .bInterval             = 0x0a,
+            },
+        },
+    },{
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 0,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0,
+                .bInterval             = 0x01,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0,
+                .bInterval             = 0x01,
+            },
+        },
+    },{
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 1,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x09,
+                .bInterval             = 0x01,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x09,
+                .bInterval             = 0x01,
+            },
+        },
+    },{
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 2,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x11,
+                .bInterval             = 0x01,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x11,
+                .bInterval             = 0x01,
+            },
+        },
+    },{
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 3,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x19,
+                .bInterval             = 0x01,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x19,
+                .bInterval             = 0x01,
+            },
+        },
+    },{
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 4,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x21,
+                .bInterval             = 0x01,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x21,
+                .bInterval             = 0x01,
+            },
+        },
+    },{
+        .bInterfaceNumber              = 1,
+        .bAlternateSetting             = 5,
+        .bNumEndpoints                 = 2,
+        .bInterfaceClass               = 0xe0, /* Wireless */
+        .bInterfaceSubClass            = 0x01, /* Radio Frequency */
+        .bInterfaceProtocol            = 0x01, /* Bluetooth */
+        .eps = (USBDescEndpoint[]) {
+            {
+                .bEndpointAddress      = USB_DIR_OUT | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x31,
+                .bInterval             = 0x01,
+            },
+            {
+                .bEndpointAddress      = USB_DIR_IN | USB_SCO_EP,
+                .bmAttributes          = USB_ENDPOINT_XFER_INT,
+                .wMaxPacketSize        = 0x31,
+                .bInterval             = 0x01,
+            },
+        },
+    }
+};
 
-    0x00,	/*  u8  iManufacturer; */
-    0x00,	/*  u8  iProduct; */
-    0x00,	/*  u8  iSerialNumber; */
-    0x01,	/*  u8  bNumConfigurations; */
+static const USBDescDevice desc_device_bluetooth = {
+    .bcdUSB                        = 0x0110,
+    .bDeviceClass                  = 0xe0, /* Wireless */
+    .bDeviceSubClass               = 0x01, /* Radio Frequency */
+    .bDeviceProtocol               = 0x01, /* Bluetooth */
+    .bMaxPacketSize0               = 64,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 2,
+            .bConfigurationValue   = 1,
+            .bmAttributes          = 0xc0,
+            .bMaxPower             = 0,
+            .nif = ARRAY_SIZE(desc_iface_bluetooth),
+            .ifs = desc_iface_bluetooth,
+        },
+    },
 };
 
-static const uint8_t qemu_bt_config_descriptor[] = {
-    /* one configuration */
-    0x09,		/*  u8  bLength; */
-    USB_DT_CONFIG,	/*  u8  bDescriptorType; */
-    0xb1, 0x00,		/*  u16 wTotalLength; */
-    0x02,		/*  u8  bNumInterfaces; (2) */
-    0x01,		/*  u8  bConfigurationValue; */
-    0x00,		/*  u8  iConfiguration; */
-    0xc0,		/*  u8  bmAttributes;
-				     Bit 7: must be set,
-					 6: Self-powered,
-					 5: Remote wakeup,
-					 4..0: resvd */
-    0x00,		/*  u8  MaxPower; */
-
-    /* USB 1.1:
-     * USB 2.0, single TT organization (mandatory):
-     *	one interface, protocol 0
-     *
-     * USB 2.0, multiple TT organization (optional):
-     *	two interfaces, protocols 1 (like single TT)
-     *	and 2 (multiple TT mode) ... config is
-     *	sometimes settable
-     *	NOT IMPLEMENTED
-     */
-
-    /* interface one */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x00,		/*  u8  if_bInterfaceNumber; */
-    0x00,		/*  u8  if_bAlternateSetting; */
-    0x03,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_EVT_EP,	/*  u8  ep_bEndpointAddress; */
-    0x03,		/*  u8  ep_bmAttributes; Interrupt */
-    0x10, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x02,		/*  u8  ep_bInterval; */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_ACL_EP,	/*  u8  ep_bEndpointAddress; */
-    0x02,		/*  u8  ep_bmAttributes; Bulk */
-    0x40, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x0a,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint three */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_ACL_EP,	/*  u8  ep_bEndpointAddress; */
-    0x02,		/*  u8  ep_bmAttributes; Bulk */
-    0x40, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x0a,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* interface two setting one */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x01,		/*  u8  if_bInterfaceNumber; */
-    0x00,		/*  u8  if_bAlternateSetting; */
-    0x02,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x00, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x00, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* interface two setting two */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x01,		/*  u8  if_bInterfaceNumber; */
-    0x01,		/*  u8  if_bAlternateSetting; */
-    0x02,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x09, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x09, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* interface two setting three */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x01,		/*  u8  if_bInterfaceNumber; */
-    0x02,		/*  u8  if_bAlternateSetting; */
-    0x02,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x11, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x11, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* interface two setting four */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x01,		/*  u8  if_bInterfaceNumber; */
-    0x03,		/*  u8  if_bAlternateSetting; */
-    0x02,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x19, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x19, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* interface two setting five */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x01,		/*  u8  if_bInterfaceNumber; */
-    0x04,		/*  u8  if_bAlternateSetting; */
-    0x02,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x21, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x21, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* interface two setting six */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; */
-    0x01,		/*  u8  if_bInterfaceNumber; */
-    0x05,		/*  u8  if_bAlternateSetting; */
-    0x02,		/*  u8  if_bNumEndpoints; */
-    0xe0,		/*  u8  if_bInterfaceClass; Wireless */
-    0x01,		/*  u8  if_bInterfaceSubClass; Radio Frequency */
-    0x01,		/*  u8  if_bInterfaceProtocol; Bluetooth */
-    0x00,		/*  u8  if_iInterface; */
-
-    /* endpoint one */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x31, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* endpoint two */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; */
-    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
-    0x01,		/*  u8  ep_bmAttributes; Isochronous */
-    0x31, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x01,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
-
-    /* If implemented, the DFU interface descriptor goes here with no
-     * endpoints or alternative settings.  */
+static const USBDesc desc_bluetooth = {
+    .id = {
+        .idVendor          = 0x0a12,
+        .idProduct         = 0x0001,
+        .bcdDevice         = 0x1958,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = 0,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device_bluetooth,
+    .str  = desc_strings,
 };
 
 static void usb_bt_fifo_reset(struct usb_hci_in_fifo_s *fifo)
@@ -424,8 +376,14 @@ static int usb_bt_handle_control(USBDevice *dev, int request, int value,
                 int index, int length, uint8_t *data)
 {
     struct USBBtState *s = (struct USBBtState *) dev->opaque;
-    int ret = 0;
+    int ret;
+
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
 
+    ret = 0;
     switch (request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
     case InterfaceRequest | USB_REQ_GET_STATUS:
@@ -459,42 +417,14 @@ static int usb_bt_handle_control(USBDevice *dev, int request, int value,
         dev->addr = value;
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch (value >> 8) {
-        case USB_DT_DEVICE:
-            ret = sizeof(qemu_bt_dev_descriptor);
-            memcpy(data, qemu_bt_dev_descriptor, ret);
-            break;
-        case USB_DT_CONFIG:
-            ret = sizeof(qemu_bt_config_descriptor);
-            memcpy(data, qemu_bt_config_descriptor, ret);
-            break;
-        case USB_DT_STRING:
-            switch(value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-            default:
-                goto fail;
-            }
-            break;
-        default:
-            goto fail;
-        }
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
-        data[0] = qemu_bt_config_descriptor[0x5];
+        data[0] = 1;
         ret = 1;
         s->config = 0;
         break;
     case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
         ret = 0;
-        if (value != qemu_bt_config_descriptor[0x5] && value != 0) {
+        if (value != 1 && value != 0) {
             printf("%s: Wrong SET_CONFIGURATION request (%i)\n",
                             __FUNCTION__, value);
             goto fail;
@@ -648,6 +578,7 @@ static struct USBDeviceInfo bt_info = {
     .product_desc   = "QEMU BT dongle",
     .qdev.name      = "usb-bt-dongle",
     .qdev.size      = sizeof(struct USBBtState),
+    .usb_desc       = &desc_bluetooth,
     .init           = usb_bt_initfn,
     .handle_packet  = usb_generic_handle_packet,
     .handle_reset   = usb_bt_handle_reset,
commit 037a5203de7b12e2e33a7f71753002ae582ac196
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 25 16:12:06 2010 +0100

    usb wacom: use new descriptor infrastructure.
    
    Switch the usb wavom driver over to the
    new descriptor infrastructure.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index 47f26cd..ffe6ac7 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -28,6 +28,7 @@
 #include "hw.h"
 #include "console.h"
 #include "usb.h"
+#include "usb-desc.h"
 
 /* Interface requests */
 #define WACOM_GET_REPORT	0x2101
@@ -54,68 +55,75 @@ typedef struct USBWacomState {
     int changed;
 } USBWacomState;
 
-static const uint8_t qemu_wacom_dev_descriptor[] = {
-    0x12,	/*  u8 bLength; */
-    0x01,	/*  u8 bDescriptorType; Device */
-    0x10, 0x10,	/*  u16 bcdUSB; v1.10 */
+enum {
+    STR_MANUFACTURER = 1,
+    STR_PRODUCT,
+    STR_SERIALNUMBER,
+};
 
-    0x00,	/*  u8  bDeviceClass; */
-    0x00,	/*  u8  bDeviceSubClass; */
-    0x00,	/*  u8  bDeviceProtocol; [ low/full speeds only ] */
-    0x08,	/*  u8  bMaxPacketSize0; 8 Bytes */
+static const USBDescStrings desc_strings = {
+    [STR_MANUFACTURER]     = "QEMU " QEMU_VERSION,
+    [STR_PRODUCT]          = "Wacom PenPartner",
+    [STR_SERIALNUMBER]     = "1",
+};
 
-    0x6a, 0x05,	/*  u16 idVendor; */
-    0x00, 0x00,	/*  u16 idProduct; */
-    0x10, 0x42,	/*  u16 bcdDevice */
+static const USBDescIface desc_iface_wacom = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 1,
+    .bInterfaceClass               = USB_CLASS_HID,
+    .bInterfaceSubClass            = 0x01, /* boot */
+    .bInterfaceProtocol            = 0x02,
+    .ndesc                         = 1,
+    .descs = (USBDescOther[]) {
+        {
+            /* HID descriptor */
+            .data = (uint8_t[]) {
+                0x09,          /*  u8  bLength */
+                0x21,          /*  u8  bDescriptorType */
+                0x01, 0x10,    /*  u16 HID_class */
+                0x00,          /*  u8  country_code */
+                0x01,          /*  u8  num_descriptors */
+                0x22,          /*  u8  type: Report */
+                0x6e, 0,       /*  u16 len */
+            },
+        },
+    },
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_INT,
+            .wMaxPacketSize        = 8,
+            .bInterval             = 0x0a,
+        },
+    },
+};
 
-    0x01,	/*  u8  iManufacturer; */
-    0x02,	/*  u8  iProduct; */
-    0x00,	/*  u8  iSerialNumber; */
-    0x01,	/*  u8  bNumConfigurations; */
+static const USBDescDevice desc_device_wacom = {
+    .bcdUSB                        = 0x0110,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .bmAttributes          = 0x80,
+            .bMaxPower             = 40,
+            .ifs = &desc_iface_wacom,
+        },
+    },
 };
 
-static const uint8_t qemu_wacom_config_descriptor[] = {
-    /* one configuration */
-    0x09,	/*  u8  bLength; */
-    0x02,	/*  u8  bDescriptorType; Configuration */
-    0x22, 0x00,	/*  u16 wTotalLength; */
-    0x01,	/*  u8  bNumInterfaces; (1) */
-    0x01,	/*  u8  bConfigurationValue; */
-    0x00,	/*  u8  iConfiguration; */
-    0x80,	/*  u8  bmAttributes;
-				 Bit 7: must be set,
-				     6: Self-powered,
-				     5: Remote wakeup,
-				     4..0: resvd */
-    40,		/*  u8  MaxPower; */
-
-    /* one interface */
-    0x09,	/*  u8  if_bLength; */
-    0x04,	/*  u8  if_bDescriptorType; Interface */
-    0x00,	/*  u8  if_bInterfaceNumber; */
-    0x00,	/*  u8  if_bAlternateSetting; */
-    0x01,	/*  u8  if_bNumEndpoints; */
-    0x03,	/*  u8  if_bInterfaceClass; HID */
-    0x01,	/*  u8  if_bInterfaceSubClass; Boot */
-    0x02,	/*  u8  if_bInterfaceProtocol; [usb1.1 or single tt] */
-    0x00,	/*  u8  if_iInterface; */
-
-    /* HID descriptor */
-    0x09,	/*  u8  bLength; */
-    0x21,	/*  u8  bDescriptorType; */
-    0x01, 0x10,	/*  u16 HID_class */
-    0x00,	/*  u8  country_code */
-    0x01,	/*  u8  num_descriptors */
-    0x22,	/*  u8  type; Report */
-    0x6e, 0x00,	/*  u16 len */
-
-    /* one endpoint (status change endpoint) */
-    0x07,	/*  u8  ep_bLength; */
-    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
-    0x81,	/*  u8  ep_bEndpointAddress; IN Endpoint 1 */
-    0x03,	/*  u8  ep_bmAttributes; Interrupt */
-    0x08, 0x00,	/*  u16 ep_wMaxPacketSize; */
-    0x0a,	/*  u8  ep_bInterval; */
+static const USBDesc desc_wacom = {
+    .id = {
+        .idVendor          = 0x056a,
+        .idProduct         = 0x0000,
+        .bcdDevice         = 0x4210,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device_wacom,
+    .str  = desc_strings,
 };
 
 static void usb_mouse_event(void *opaque,
@@ -245,8 +253,14 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
                                     int index, int length, uint8_t *data)
 {
     USBWacomState *s = (USBWacomState *) dev;
-    int ret = 0;
+    int ret;
+
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
 
+    ret = 0;
     switch (request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
         data[0] = (1 << USB_DEVICE_SELF_POWERED) |
@@ -274,53 +288,6 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
         dev->addr = value;
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch (value >> 8) {
-        case USB_DT_DEVICE:
-            memcpy(data, qemu_wacom_dev_descriptor,
-                   sizeof(qemu_wacom_dev_descriptor));
-            ret = sizeof(qemu_wacom_dev_descriptor);
-            break;
-        case USB_DT_CONFIG:
-       	    memcpy(data, qemu_wacom_config_descriptor,
-                   sizeof(qemu_wacom_config_descriptor));
-            ret = sizeof(qemu_wacom_config_descriptor);
-            break;
-        case USB_DT_STRING:
-            switch (value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-            case 1:
-                /* serial number */
-                ret = set_usb_string(data, "1");
-                break;
-            case 2:
-		ret = set_usb_string(data, "Wacom PenPartner");
-                break;
-            case 3:
-                /* vendor description */
-                ret = set_usb_string(data, "QEMU " QEMU_VERSION);
-                break;
-            case 4:
-                ret = set_usb_string(data, "Wacom Tablet");
-                break;
-            case 5:
-                ret = set_usb_string(data, "Endpoint1 Interrupt Pipe");
-                break;
-            default:
-                goto fail;
-            }
-            break;
-        default:
-            goto fail;
-        }
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
@@ -420,6 +387,7 @@ static struct USBDeviceInfo wacom_info = {
     .qdev.name      = "usb-wacom-tablet",
     .qdev.desc      = "QEMU PenPartner Tablet",
     .usbdevice_name = "wacom-tablet",
+    .usb_desc       = &desc_wacom,
     .qdev.size      = sizeof(USBWacomState),
     .init           = usb_wacom_initfn,
     .handle_packet  = usb_generic_handle_packet,
commit 81bfd2f24678c5f36d9a6942af3d4b48e4b87226
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Nov 17 11:05:41 2010 +0100

    usb storage: use new descriptor infrastructure.
    
    Switch the usb storage driver over to the
    new descriptor infrastructure.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 0a95d8d..20ab886 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -11,6 +11,7 @@
 #include "qemu-option.h"
 #include "qemu-config.h"
 #include "usb.h"
+#include "usb-desc.h"
 #include "scsi.h"
 #include "console.h"
 #include "monitor.h"
@@ -72,69 +73,62 @@ struct usb_msd_csw {
     uint8_t status;
 };
 
-static const uint8_t qemu_msd_dev_descriptor[] = {
-	0x12,       /*  u8 bLength; */
-	0x01,       /*  u8 bDescriptorType; Device */
-	0x00, 0x01, /*  u16 bcdUSB; v1.0 */
-
-	0x00,	    /*  u8  bDeviceClass; */
-	0x00,	    /*  u8  bDeviceSubClass; */
-	0x00,       /*  u8  bDeviceProtocol; [ low/full speeds only ] */
-	0x08,       /*  u8  bMaxPacketSize0; 8 Bytes */
-
-        /* Vendor and product id are arbitrary.  */
-	0x00, 0x00, /*  u16 idVendor; */
- 	0x00, 0x00, /*  u16 idProduct; */
-	0x00, 0x00, /*  u16 bcdDevice */
-
-	0x01,       /*  u8  iManufacturer; */
-	0x02,       /*  u8  iProduct; */
-	0x03,       /*  u8  iSerialNumber; */
-	0x01        /*  u8  bNumConfigurations; */
+enum {
+    STR_MANUFACTURER = 1,
+    STR_PRODUCT,
+    STR_SERIALNUMBER,
 };
 
-static const uint8_t qemu_msd_config_descriptor[] = {
-
-	/* one configuration */
-	0x09,       /*  u8  bLength; */
-	0x02,       /*  u8  bDescriptorType; Configuration */
-	0x20, 0x00, /*  u16 wTotalLength; */
-	0x01,       /*  u8  bNumInterfaces; (1) */
-	0x01,       /*  u8  bConfigurationValue; */
-	0x00,       /*  u8  iConfiguration; */
-	0xc0,       /*  u8  bmAttributes;
-				 Bit 7: must be set,
-				     6: Self-powered,
-				     5: Remote wakeup,
-				     4..0: resvd */
-	0x00,       /*  u8  MaxPower; */
-
-	/* one interface */
-	0x09,       /*  u8  if_bLength; */
-	0x04,       /*  u8  if_bDescriptorType; Interface */
-	0x00,       /*  u8  if_bInterfaceNumber; */
-	0x00,       /*  u8  if_bAlternateSetting; */
-	0x02,       /*  u8  if_bNumEndpoints; */
-	0x08,       /*  u8  if_bInterfaceClass; MASS STORAGE */
-	0x06,       /*  u8  if_bInterfaceSubClass; SCSI */
-	0x50,       /*  u8  if_bInterfaceProtocol; Bulk Only */
-	0x00,       /*  u8  if_iInterface; */
-
-	/* Bulk-In endpoint */
-	0x07,       /*  u8  ep_bLength; */
-	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
-	0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */
- 	0x02,       /*  u8  ep_bmAttributes; Bulk */
- 	0x40, 0x00, /*  u16 ep_wMaxPacketSize; */
-	0x00,       /*  u8  ep_bInterval; */
-
-	/* Bulk-Out endpoint */
-	0x07,       /*  u8  ep_bLength; */
-	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
-	0x02,       /*  u8  ep_bEndpointAddress; OUT Endpoint 2 */
- 	0x02,       /*  u8  ep_bmAttributes; Bulk */
- 	0x40, 0x00, /*  u16 ep_wMaxPacketSize; */
-	0x00        /*  u8  ep_bInterval; */
+static const USBDescStrings desc_strings = {
+    [STR_MANUFACTURER] = "QEMU " QEMU_VERSION,
+    [STR_PRODUCT]      = "QEMU USB HARDDRIVE",
+    [STR_SERIALNUMBER] = "1",
+};
+
+static const USBDescIface desc_iface0 = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 2,
+    .bInterfaceClass               = USB_CLASS_MASS_STORAGE,
+    .bInterfaceSubClass            = 0x06, /* SCSI */
+    .bInterfaceProtocol            = 0x50, /* Bulk */
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+            .wMaxPacketSize        = 64,
+        },{
+            .bEndpointAddress      = USB_DIR_OUT | 0x02,
+            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+            .wMaxPacketSize        = 64,
+        },
+    }
+};
+
+static const USBDescDevice desc_device = {
+    .bcdUSB                        = 0x0100,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .bmAttributes          = 0xc0,
+            .ifs = &desc_iface0,
+        },
+    },
+};
+
+static const USBDesc desc = {
+    .id = {
+        .idVendor          = 0,
+        .idProduct         = 0,
+        .bcdDevice         = 0,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device,
+    .str  = desc_strings,
 };
 
 static void usb_msd_copy_data(MSDState *s)
@@ -236,8 +230,14 @@ static int usb_msd_handle_control(USBDevice *dev, int request, int value,
                                   int index, int length, uint8_t *data)
 {
     MSDState *s = (MSDState *)dev;
-    int ret = 0;
+    int ret;
 
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
+
+    ret = 0;
     switch (request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
         data[0] = (1 << USB_DEVICE_SELF_POWERED) |
@@ -265,48 +265,6 @@ static int usb_msd_handle_control(USBDevice *dev, int request, int value,
         dev->addr = value;
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch(value >> 8) {
-        case USB_DT_DEVICE:
-            memcpy(data, qemu_msd_dev_descriptor,
-                   sizeof(qemu_msd_dev_descriptor));
-            ret = sizeof(qemu_msd_dev_descriptor);
-            break;
-        case USB_DT_CONFIG:
-            memcpy(data, qemu_msd_config_descriptor,
-                   sizeof(qemu_msd_config_descriptor));
-            ret = sizeof(qemu_msd_config_descriptor);
-            break;
-        case USB_DT_STRING:
-            switch(value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-            case 1:
-                /* vendor description */
-                ret = set_usb_string(data, "QEMU " QEMU_VERSION);
-                break;
-            case 2:
-                /* product description */
-                ret = set_usb_string(data, "QEMU USB HARDDRIVE");
-                break;
-            case 3:
-                /* serial number */
-                ret = set_usb_string(data, "1");
-                break;
-            default:
-                goto fail;
-            }
-            break;
-        default:
-            goto fail;
-        }
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
@@ -625,6 +583,7 @@ static struct USBDeviceInfo msd_info = {
     .product_desc   = "QEMU USB MSD",
     .qdev.name      = "usb-storage",
     .qdev.size      = sizeof(MSDState),
+    .usb_desc       = &desc,
     .init           = usb_msd_initfn,
     .handle_packet  = usb_generic_handle_packet,
     .handle_reset   = usb_msd_handle_reset,
commit f29783f72ea77dfbd7ea0c993d62d253d4c4e023
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Nov 17 11:05:32 2010 +0100

    usb serial: use new descriptor infrastructure.
    
    Switch the usb serial drivers (serial, braille) over to the
    new descriptor infrastructure.
    
    Note that this removes the freely configurable vendor and product id
    properties.  I think the only reason this was configurable is that the
    only difference between the serial and the braille device is the
    vendor+product id.  Of course the serial and braille devices keep their
    different IDs, but they can't be overritten from the command line any
    more.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index c19580f..f89eb9b 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -11,6 +11,7 @@
 #include "qemu-common.h"
 #include "qemu-error.h"
 #include "usb.h"
+#include "usb-desc.h"
 #include "qemu-char.h"
 
 //#define DEBUG_Serial
@@ -91,8 +92,6 @@ do { printf("usb-serial: " fmt , ## __VA_ARGS__); } while (0)
 
 typedef struct {
     USBDevice dev;
-    uint32_t vendorid;
-    uint32_t productid;
     uint8_t recv_buf[RECV_BUF];
     uint16_t recv_ptr;
     uint16_t recv_used;
@@ -104,69 +103,78 @@ typedef struct {
     CharDriverState *cs;
 } USBSerialState;
 
-static const uint8_t qemu_serial_dev_descriptor[] = {
-        0x12,       /*  u8 bLength; */
-        0x01,       /*  u8 bDescriptorType; Device */
-        0x00, 0x02, /*  u16 bcdUSB; v2.0 */
-
-        0x00,       /*  u8  bDeviceClass; */
-        0x00,       /*  u8  bDeviceSubClass; */
-        0x00,       /*  u8  bDeviceProtocol; [ low/full speeds only ] */
-        0x08,       /*  u8  bMaxPacketSize0; 8 Bytes */
-
-        /* Vendor and product id are arbitrary.  */
-        0x03, 0x04, /*  u16 idVendor; */
-        0x00, 0xFF, /*  u16 idProduct; */
-        0x00, 0x04, /*  u16 bcdDevice */
-
-        0x01,       /*  u8  iManufacturer; */
-        0x02,       /*  u8  iProduct; */
-        0x03,       /*  u8  iSerialNumber; */
-        0x01        /*  u8  bNumConfigurations; */
+enum {
+    STR_MANUFACTURER = 1,
+    STR_PRODUCT_SERIAL,
+    STR_PRODUCT_BRAILLE,
+    STR_SERIALNUMBER,
 };
 
-static const uint8_t qemu_serial_config_descriptor[] = {
-
-        /* one configuration */
-        0x09,       /*  u8  bLength; */
-        0x02,       /*  u8  bDescriptorType; Configuration */
-        0x20, 0x00, /*  u16 wTotalLength; */
-        0x01,       /*  u8  bNumInterfaces; (1) */
-        0x01,       /*  u8  bConfigurationValue; */
-        0x00,       /*  u8  iConfiguration; */
-        0x80,       /*  u8  bmAttributes;
-                                 Bit 7: must be set,
-                                     6: Self-powered,
-                                     5: Remote wakeup,
-                                     4..0: resvd */
-        100/2,       /*  u8  MaxPower; */
-
-        /* one interface */
-        0x09,       /*  u8  if_bLength; */
-        0x04,       /*  u8  if_bDescriptorType; Interface */
-        0x00,       /*  u8  if_bInterfaceNumber; */
-        0x00,       /*  u8  if_bAlternateSetting; */
-        0x02,       /*  u8  if_bNumEndpoints; */
-        0xff,       /*  u8  if_bInterfaceClass; Vendor Specific */
-        0xff,       /*  u8  if_bInterfaceSubClass; Vendor Specific */
-        0xff,       /*  u8  if_bInterfaceProtocol; Vendor Specific */
-        0x02,       /*  u8  if_iInterface; */
-
-        /* Bulk-In endpoint */
-        0x07,       /*  u8  ep_bLength; */
-        0x05,       /*  u8  ep_bDescriptorType; Endpoint */
-        0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */
-        0x02,       /*  u8  ep_bmAttributes; Bulk */
-        0x40, 0x00, /*  u16 ep_wMaxPacketSize; */
-        0x00,       /*  u8  ep_bInterval; */
-
-        /* Bulk-Out endpoint */
-        0x07,       /*  u8  ep_bLength; */
-        0x05,       /*  u8  ep_bDescriptorType; Endpoint */
-        0x02,       /*  u8  ep_bEndpointAddress; OUT Endpoint 2 */
-        0x02,       /*  u8  ep_bmAttributes; Bulk */
-        0x40, 0x00, /*  u16 ep_wMaxPacketSize; */
-        0x00        /*  u8  ep_bInterval; */
+static const USBDescStrings desc_strings = {
+    [STR_MANUFACTURER]    = "QEMU " QEMU_VERSION,
+    [STR_PRODUCT_SERIAL]  = "QEMU USB SERIAL",
+    [STR_PRODUCT_BRAILLE] = "QEMU USB BRAILLE",
+    [STR_SERIALNUMBER]    = "1",
+};
+
+static const USBDescIface desc_iface0 = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 2,
+    .bInterfaceClass               = 0xff,
+    .bInterfaceSubClass            = 0xff,
+    .bInterfaceProtocol            = 0xff,
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+            .wMaxPacketSize        = 64,
+        },{
+            .bEndpointAddress      = USB_DIR_OUT | 0x02,
+            .bmAttributes          = USB_ENDPOINT_XFER_BULK,
+            .wMaxPacketSize        = 64,
+        },
+    }
+};
+
+static const USBDescDevice desc_device = {
+    .bcdUSB                        = 0x0200,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .bmAttributes          = 0x80,
+            .bMaxPower             = 50,
+            .ifs = &desc_iface0,
+        },
+    },
+};
+
+static const USBDesc desc_serial = {
+    .id = {
+        .idVendor          = 0x0403,
+        .idProduct         = 0x6001,
+        .bcdDevice         = 0x0400,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT_SERIAL,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device,
+    .str  = desc_strings,
+};
+
+static const USBDesc desc_braille = {
+    .id = {
+        .idVendor          = 0x0403,
+        .idProduct         = 0xfe72,
+        .bcdDevice         = 0x0400,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT_BRAILLE,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device,
+    .str  = desc_strings,
 };
 
 static void usb_serial_reset(USBSerialState *s)
@@ -214,9 +222,15 @@ static int usb_serial_handle_control(USBDevice *dev, int request, int value,
                                   int index, int length, uint8_t *data)
 {
     USBSerialState *s = (USBSerialState *)dev;
-    int ret = 0;
+    int ret;
+
+    DPRINTF("got control %x, value %x\n",request, value);
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
 
-    //DPRINTF("got control %x, value %x\n",request, value);
+    ret = 0;
     switch (request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
         data[0] = (0 << USB_DEVICE_SELF_POWERED) |
@@ -244,52 +258,6 @@ static int usb_serial_handle_control(USBDevice *dev, int request, int value,
         dev->addr = value;
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch(value >> 8) {
-        case USB_DT_DEVICE:
-            memcpy(data, qemu_serial_dev_descriptor,
-                   sizeof(qemu_serial_dev_descriptor));
-            data[8] = s->vendorid & 0xff;
-            data[9] = ((s->vendorid) >> 8) & 0xff;
-            data[10] = s->productid & 0xff;
-            data[11] = ((s->productid) >> 8) & 0xff;
-            ret = sizeof(qemu_serial_dev_descriptor);
-            break;
-        case USB_DT_CONFIG:
-            memcpy(data, qemu_serial_config_descriptor,
-                   sizeof(qemu_serial_config_descriptor));
-            ret = sizeof(qemu_serial_config_descriptor);
-            break;
-        case USB_DT_STRING:
-            switch(value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-            case 1:
-                /* vendor description */
-                ret = set_usb_string(data, "QEMU " QEMU_VERSION);
-                break;
-            case 2:
-                /* product description */
-                ret = set_usb_string(data, "QEMU USB SERIAL");
-                break;
-            case 3:
-                /* serial number */
-                ret = set_usb_string(data, "1");
-                break;
-            default:
-                goto fail;
-            }
-            break;
-        default:
-            goto fail;
-        }
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
@@ -633,6 +601,7 @@ static struct USBDeviceInfo serial_info = {
     .product_desc   = "QEMU USB Serial",
     .qdev.name      = "usb-serial",
     .qdev.size      = sizeof(USBSerialState),
+    .usb_desc       = &desc_serial,
     .init           = usb_serial_initfn,
     .handle_packet  = usb_generic_handle_packet,
     .handle_reset   = usb_serial_handle_reset,
@@ -642,9 +611,7 @@ static struct USBDeviceInfo serial_info = {
     .usbdevice_name = "serial",
     .usbdevice_init = usb_serial_init,
     .qdev.props     = (Property[]) {
-        DEFINE_PROP_CHR("chardev",     USBSerialState, cs),
-        DEFINE_PROP_HEX32("vendorid",  USBSerialState, vendorid,  0x0403),
-        DEFINE_PROP_HEX32("productid", USBSerialState, productid, 0x6001),
+        DEFINE_PROP_CHR("chardev", USBSerialState, cs),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
@@ -653,6 +620,7 @@ static struct USBDeviceInfo braille_info = {
     .product_desc   = "QEMU USB Braille",
     .qdev.name      = "usb-braille",
     .qdev.size      = sizeof(USBSerialState),
+    .usb_desc       = &desc_braille,
     .init           = usb_serial_initfn,
     .handle_packet  = usb_generic_handle_packet,
     .handle_reset   = usb_serial_handle_reset,
@@ -662,9 +630,7 @@ static struct USBDeviceInfo braille_info = {
     .usbdevice_name = "braille",
     .usbdevice_init = usb_braille_init,
     .qdev.props     = (Property[]) {
-        DEFINE_PROP_CHR("chardev",     USBSerialState, cs),
-        DEFINE_PROP_HEX32("vendorid",  USBSerialState, vendorid,  0x0403),
-        DEFINE_PROP_HEX32("productid", USBSerialState, productid, 0xfe72),
+        DEFINE_PROP_CHR("chardev", USBSerialState, cs),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
commit 0e4e9695d5c4a5923094906433b5f7b431ba35e4
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Nov 17 11:05:05 2010 +0100

    usb hid: use new descriptor infrastructure.
    
    Switch the usb hid drivers (keyboard, mouse, tablet) over to the
    new descriptor infrastructure.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 882d933..74d17fc 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -25,6 +25,7 @@
 #include "hw.h"
 #include "console.h"
 #include "usb.h"
+#include "usb-desc.h"
 #include "sysemu.h"
 
 /* HID interface requests */
@@ -73,190 +74,206 @@ typedef struct USBHIDState {
     void (*datain)(void *);
 } USBHIDState;
 
-/* mostly the same values as the Bochs USB Mouse device */
-static const uint8_t qemu_mouse_dev_descriptor[] = {
-	0x12,       /*  u8 bLength; */
-	0x01,       /*  u8 bDescriptorType; Device */
-	0x00, 0x01, /*  u16 bcdUSB; v1.0 */
-
-	0x00,	    /*  u8  bDeviceClass; */
-	0x00,	    /*  u8  bDeviceSubClass; */
-	0x00,       /*  u8  bDeviceProtocol; [ low/full speeds only ] */
-	0x08,       /*  u8  bMaxPacketSize0; 8 Bytes */
-
-	0x27, 0x06, /*  u16 idVendor; */
- 	0x01, 0x00, /*  u16 idProduct; */
-	0x00, 0x00, /*  u16 bcdDevice */
-
-	0x03,       /*  u8  iManufacturer; */
-	0x02,       /*  u8  iProduct; */
-	0x01,       /*  u8  iSerialNumber; */
-	0x01        /*  u8  bNumConfigurations; */
+enum {
+    STR_MANUFACTURER = 1,
+    STR_PRODUCT_MOUSE,
+    STR_PRODUCT_TABLET,
+    STR_PRODUCT_KEYBOARD,
+    STR_SERIALNUMBER,
+    STR_CONFIG_MOUSE,
+    STR_CONFIG_TABLET,
+    STR_CONFIG_KEYBOARD,
 };
 
-static const uint8_t qemu_mouse_config_descriptor[] = {
-	/* one configuration */
-	0x09,       /*  u8  bLength; */
-	0x02,       /*  u8  bDescriptorType; Configuration */
-	0x22, 0x00, /*  u16 wTotalLength; */
-	0x01,       /*  u8  bNumInterfaces; (1) */
-	0x01,       /*  u8  bConfigurationValue; */
-	0x04,       /*  u8  iConfiguration; */
-	0xe0,       /*  u8  bmAttributes;
-				 Bit 7: must be set,
-				     6: Self-powered,
-				     5: Remote wakeup,
-				     4..0: resvd */
-	50,         /*  u8  MaxPower; */
-
-	/* USB 1.1:
-	 * USB 2.0, single TT organization (mandatory):
-	 *	one interface, protocol 0
-	 *
-	 * USB 2.0, multiple TT organization (optional):
-	 *	two interfaces, protocols 1 (like single TT)
-	 *	and 2 (multiple TT mode) ... config is
-	 *	sometimes settable
-	 *	NOT IMPLEMENTED
-	 */
-
-	/* one interface */
-	0x09,       /*  u8  if_bLength; */
-	0x04,       /*  u8  if_bDescriptorType; Interface */
-	0x00,       /*  u8  if_bInterfaceNumber; */
-	0x00,       /*  u8  if_bAlternateSetting; */
-	0x01,       /*  u8  if_bNumEndpoints; */
-	0x03,       /*  u8  if_bInterfaceClass; */
-	0x01,       /*  u8  if_bInterfaceSubClass; */
-	0x02,       /*  u8  if_bInterfaceProtocol; [usb1.1 or single tt] */
-	0x07,       /*  u8  if_iInterface; */
-
-        /* HID descriptor */
-        0x09,        /*  u8  bLength; */
-        0x21,        /*  u8 bDescriptorType; */
-        0x01, 0x00,  /*  u16 HID_class */
-        0x00,        /*  u8 country_code */
-        0x01,        /*  u8 num_descriptors */
-        0x22,        /*  u8 type; Report */
-        52, 0,       /*  u16 len */
-
-	/* one endpoint (status change endpoint) */
-	0x07,       /*  u8  ep_bLength; */
-	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
-	0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */
- 	0x03,       /*  u8  ep_bmAttributes; Interrupt */
- 	0x04, 0x00, /*  u16 ep_wMaxPacketSize; */
-	0x0a,       /*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+static const USBDescStrings desc_strings = {
+    [STR_MANUFACTURER]     = "QEMU " QEMU_VERSION,
+    [STR_PRODUCT_MOUSE]    = "QEMU USB Mouse",
+    [STR_PRODUCT_TABLET]   = "QEMU USB Tablet",
+    [STR_PRODUCT_KEYBOARD] = "QEMU USB Keyboard",
+    [STR_SERIALNUMBER]     = "1",
+    [STR_CONFIG_MOUSE]     = "HID Mouse",
+    [STR_CONFIG_TABLET]    = "HID Tablet",
+    [STR_CONFIG_KEYBOARD]  = "HID Keyboard",
 };
 
-static const uint8_t qemu_tablet_config_descriptor[] = {
-	/* one configuration */
-	0x09,       /*  u8  bLength; */
-	0x02,       /*  u8  bDescriptorType; Configuration */
-	0x22, 0x00, /*  u16 wTotalLength; */
-	0x01,       /*  u8  bNumInterfaces; (1) */
-	0x01,       /*  u8  bConfigurationValue; */
-	0x05,       /*  u8  iConfiguration; */
-	0xa0,       /*  u8  bmAttributes;
-				 Bit 7: must be set,
-				     6: Self-powered,
-				     5: Remote wakeup,
-				     4..0: resvd */
-	50,         /*  u8  MaxPower; */
-
-	/* USB 1.1:
-	 * USB 2.0, single TT organization (mandatory):
-	 *	one interface, protocol 0
-	 *
-	 * USB 2.0, multiple TT organization (optional):
-	 *	two interfaces, protocols 1 (like single TT)
-	 *	and 2 (multiple TT mode) ... config is
-	 *	sometimes settable
-	 *	NOT IMPLEMENTED
-	 */
-
-	/* one interface */
-	0x09,       /*  u8  if_bLength; */
-	0x04,       /*  u8  if_bDescriptorType; Interface */
-	0x00,       /*  u8  if_bInterfaceNumber; */
-	0x00,       /*  u8  if_bAlternateSetting; */
-	0x01,       /*  u8  if_bNumEndpoints; */
-	0x03,       /*  u8  if_bInterfaceClass; */
-	0x01,       /*  u8  if_bInterfaceSubClass; */
-	0x02,       /*  u8  if_bInterfaceProtocol; [usb1.1 or single tt] */
-	0x07,       /*  u8  if_iInterface; */
-
-        /* HID descriptor */
-        0x09,        /*  u8  bLength; */
-        0x21,        /*  u8 bDescriptorType; */
-        0x01, 0x00,  /*  u16 HID_class */
-        0x00,        /*  u8 country_code */
-        0x01,        /*  u8 num_descriptors */
-        0x22,        /*  u8 type; Report */
-        74, 0,       /*  u16 len */
-
-	/* one endpoint (status change endpoint) */
-	0x07,       /*  u8  ep_bLength; */
-	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
-	0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */
- 	0x03,       /*  u8  ep_bmAttributes; Interrupt */
- 	0x08, 0x00, /*  u16 ep_wMaxPacketSize; */
-	0x0a,       /*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+static const USBDescIface desc_iface_mouse = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 1,
+    .bInterfaceClass               = USB_CLASS_HID,
+    .bInterfaceSubClass            = 0x01, /* boot */
+    .bInterfaceProtocol            = 0x02,
+    .ndesc                         = 1,
+    .descs = (USBDescOther[]) {
+        {
+            /* HID descriptor */
+            .data = (uint8_t[]) {
+                0x09,          /*  u8  bLength */
+                USB_DT_HID,    /*  u8  bDescriptorType */
+                0x01, 0x00,    /*  u16 HID_class */
+                0x00,          /*  u8  country_code */
+                0x01,          /*  u8  num_descriptors */
+                USB_DT_REPORT, /*  u8  type: Report */
+                52, 0,         /*  u16 len */
+            },
+        },
+    },
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_INT,
+            .wMaxPacketSize        = 4,
+            .bInterval             = 0x0a,
+        },
+    },
 };
 
-static const uint8_t qemu_keyboard_config_descriptor[] = {
-    /* one configuration */
-    0x09,		/*  u8  bLength; */
-    USB_DT_CONFIG,	/*  u8  bDescriptorType; Configuration */
-    0x22, 0x00,		/*  u16 wTotalLength; */
-    0x01,		/*  u8  bNumInterfaces; (1) */
-    0x01,		/*  u8  bConfigurationValue; */
-    0x06,		/*  u8  iConfiguration; */
-    0xa0,		/*  u8  bmAttributes;
-				Bit 7: must be set,
-				    6: Self-powered,
-				    5: Remote wakeup,
-				    4..0: resvd */
-    0x32,		/*  u8  MaxPower; */
-
-    /* USB 1.1:
-     * USB 2.0, single TT organization (mandatory):
-     *	one interface, protocol 0
-     *
-     * USB 2.0, multiple TT organization (optional):
-     *	two interfaces, protocols 1 (like single TT)
-     *	and 2 (multiple TT mode) ... config is
-     *	sometimes settable
-     *	NOT IMPLEMENTED
-     */
-
-    /* one interface */
-    0x09,		/*  u8  if_bLength; */
-    USB_DT_INTERFACE,	/*  u8  if_bDescriptorType; Interface */
-    0x00,		/*  u8  if_bInterfaceNumber; */
-    0x00,		/*  u8  if_bAlternateSetting; */
-    0x01,		/*  u8  if_bNumEndpoints; */
-    0x03,		/*  u8  if_bInterfaceClass; HID */
-    0x01,		/*  u8  if_bInterfaceSubClass; Boot */
-    0x01,		/*  u8  if_bInterfaceProtocol; Keyboard */
-    0x07,		/*  u8  if_iInterface; */
-
-    /* HID descriptor */
-    0x09,		/*  u8  bLength; */
-    USB_DT_HID,		/*  u8  bDescriptorType; */
-    0x11, 0x01,		/*  u16 HID_class */
-    0x00,		/*  u8  country_code */
-    0x01,		/*  u8  num_descriptors */
-    USB_DT_REPORT,	/*  u8  type; Report */
-    0x3f, 0x00,		/*  u16 len */
-
-    /* one endpoint (status change endpoint) */
-    0x07,		/*  u8  ep_bLength; */
-    USB_DT_ENDPOINT,	/*  u8  ep_bDescriptorType; Endpoint */
-    USB_DIR_IN | 0x01,	/*  u8  ep_bEndpointAddress; IN Endpoint 1 */
-    0x03,		/*  u8  ep_bmAttributes; Interrupt */
-    0x08, 0x00,		/*  u16 ep_wMaxPacketSize; */
-    0x0a,		/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+static const USBDescIface desc_iface_tablet = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 1,
+    .bInterfaceClass               = USB_CLASS_HID,
+    .bInterfaceSubClass            = 0x01, /* boot */
+    .bInterfaceProtocol            = 0x02,
+    .ndesc                         = 1,
+    .descs = (USBDescOther[]) {
+        {
+            /* HID descriptor */
+            .data = (uint8_t[]) {
+                0x09,          /*  u8  bLength */
+                USB_DT_HID,    /*  u8  bDescriptorType */
+                0x01, 0x00,    /*  u16 HID_class */
+                0x00,          /*  u8  country_code */
+                0x01,          /*  u8  num_descriptors */
+                USB_DT_REPORT, /*  u8  type: Report */
+                74, 0,         /*  u16 len */
+            },
+        },
+    },
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_INT,
+            .wMaxPacketSize        = 8,
+            .bInterval             = 0x0a,
+        },
+    },
+};
+
+static const USBDescIface desc_iface_keyboard = {
+    .bInterfaceNumber              = 0,
+    .bNumEndpoints                 = 1,
+    .bInterfaceClass               = USB_CLASS_HID,
+    .bInterfaceSubClass            = 0x01, /* boot */
+    .bInterfaceProtocol            = 0x01, /* keyboard */
+    .ndesc                         = 1,
+    .descs = (USBDescOther[]) {
+        {
+            /* HID descriptor */
+            .data = (uint8_t[]) {
+                0x09,          /*  u8  bLength */
+                USB_DT_HID,    /*  u8  bDescriptorType */
+                0x11, 0x01,    /*  u16 HID_class */
+                0x00,          /*  u8  country_code */
+                0x01,          /*  u8  num_descriptors */
+                USB_DT_REPORT, /*  u8  type: Report */
+                0x3f, 0,       /*  u16 len */
+            },
+        },
+    },
+    .eps = (USBDescEndpoint[]) {
+        {
+            .bEndpointAddress      = USB_DIR_IN | 0x01,
+            .bmAttributes          = USB_ENDPOINT_XFER_INT,
+            .wMaxPacketSize        = 8,
+            .bInterval             = 0x0a,
+        },
+    },
+};
+
+static const USBDescDevice desc_device_mouse = {
+    .bcdUSB                        = 0x0100,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .iConfiguration        = STR_CONFIG_MOUSE,
+            .bmAttributes          = 0xa0,
+            .bMaxPower             = 50,
+            .ifs = &desc_iface_mouse,
+        },
+    },
+};
+
+static const USBDescDevice desc_device_tablet = {
+    .bcdUSB                        = 0x0100,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .iConfiguration        = STR_CONFIG_TABLET,
+            .bmAttributes          = 0xa0,
+            .bMaxPower             = 50,
+            .ifs = &desc_iface_tablet,
+        },
+    },
+};
+
+static const USBDescDevice desc_device_keyboard = {
+    .bcdUSB                        = 0x0100,
+    .bMaxPacketSize0               = 8,
+    .bNumConfigurations            = 1,
+    .confs = (USBDescConfig[]) {
+        {
+            .bNumInterfaces        = 1,
+            .bConfigurationValue   = 1,
+            .iConfiguration        = STR_CONFIG_KEYBOARD,
+            .bmAttributes          = 0xa0,
+            .bMaxPower             = 50,
+            .ifs = &desc_iface_keyboard,
+        },
+    },
+};
+
+static const USBDesc desc_mouse = {
+    .id = {
+        .idVendor          = 0x0627,
+        .idProduct         = 0x0001,
+        .bcdDevice         = 0,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT_MOUSE,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device_mouse,
+    .str  = desc_strings,
+};
+
+static const USBDesc desc_tablet = {
+    .id = {
+        .idVendor          = 0x0627,
+        .idProduct         = 0x0001,
+        .bcdDevice         = 0,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT_TABLET,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device_tablet,
+    .str  = desc_strings,
+};
+
+static const USBDesc desc_keyboard = {
+    .id = {
+        .idVendor          = 0x0627,
+        .idProduct         = 0x0001,
+        .bcdDevice         = 0,
+        .iManufacturer     = STR_MANUFACTURER,
+        .iProduct          = STR_PRODUCT_KEYBOARD,
+        .iSerialNumber     = STR_SERIALNUMBER,
+    },
+    .full = &desc_device_keyboard,
+    .str  = desc_strings,
 };
 
 static const uint8_t qemu_mouse_hid_report_descriptor[] = {
@@ -647,8 +664,14 @@ static int usb_hid_handle_control(USBDevice *dev, int request, int value,
                                   int index, int length, uint8_t *data)
 {
     USBHIDState *s = (USBHIDState *)dev;
-    int ret = 0;
+    int ret;
 
+    ret = usb_desc_handle_control(dev, request, value, index, length, data);
+    if (ret >= 0) {
+        return ret;
+    }
+
+    ret = 0;
     switch(request) {
     case DeviceRequest | USB_REQ_GET_STATUS:
         data[0] = (1 << USB_DEVICE_SELF_POWERED) |
@@ -676,70 +699,6 @@ static int usb_hid_handle_control(USBDevice *dev, int request, int value,
         dev->addr = value;
         ret = 0;
         break;
-    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
-        switch(value >> 8) {
-        case USB_DT_DEVICE:
-            memcpy(data, qemu_mouse_dev_descriptor,
-                   sizeof(qemu_mouse_dev_descriptor));
-            ret = sizeof(qemu_mouse_dev_descriptor);
-            break;
-        case USB_DT_CONFIG:
-	    if (s->kind == USB_MOUSE) {
-		memcpy(data, qemu_mouse_config_descriptor,
-		       sizeof(qemu_mouse_config_descriptor));
-		ret = sizeof(qemu_mouse_config_descriptor);
-	    } else if (s->kind == USB_TABLET) {
-		memcpy(data, qemu_tablet_config_descriptor,
-		       sizeof(qemu_tablet_config_descriptor));
-		ret = sizeof(qemu_tablet_config_descriptor);
-            } else if (s->kind == USB_KEYBOARD) {
-                memcpy(data, qemu_keyboard_config_descriptor,
-                       sizeof(qemu_keyboard_config_descriptor));
-                ret = sizeof(qemu_keyboard_config_descriptor);
-            }
-            break;
-        case USB_DT_STRING:
-            switch(value & 0xff) {
-            case 0:
-                /* language ids */
-                data[0] = 4;
-                data[1] = 3;
-                data[2] = 0x09;
-                data[3] = 0x04;
-                ret = 4;
-                break;
-            case 1:
-                /* serial number */
-                ret = set_usb_string(data, "1");
-                break;
-            case 2:
-                /* product description */
-                ret = set_usb_string(data, s->dev.product_desc);
-                break;
-            case 3:
-                /* vendor description */
-                ret = set_usb_string(data, "QEMU " QEMU_VERSION);
-                break;
-            case 4:
-                ret = set_usb_string(data, "HID Mouse");
-                break;
-            case 5:
-                ret = set_usb_string(data, "HID Tablet");
-                break;
-            case 6:
-                ret = set_usb_string(data, "HID Keyboard");
-                break;
-            case 7:
-                ret = set_usb_string(data, "Endpoint1 Interrupt Pipe");
-                break;
-            default:
-                goto fail;
-            }
-            break;
-        default:
-            goto fail;
-        }
-        break;
     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
         data[0] = 1;
         ret = 1;
@@ -912,6 +871,7 @@ static struct USBDeviceInfo hid_info[] = {
         .qdev.name      = "usb-tablet",
         .usbdevice_name = "tablet",
         .qdev.size      = sizeof(USBHIDState),
+        .usb_desc       = &desc_tablet,
         .init           = usb_tablet_initfn,
         .handle_packet  = usb_generic_handle_packet,
         .handle_reset   = usb_mouse_handle_reset,
@@ -923,6 +883,7 @@ static struct USBDeviceInfo hid_info[] = {
         .qdev.name      = "usb-mouse",
         .usbdevice_name = "mouse",
         .qdev.size      = sizeof(USBHIDState),
+        .usb_desc       = &desc_mouse,
         .init           = usb_mouse_initfn,
         .handle_packet  = usb_generic_handle_packet,
         .handle_reset   = usb_mouse_handle_reset,
@@ -934,6 +895,7 @@ static struct USBDeviceInfo hid_info[] = {
         .qdev.name      = "usb-kbd",
         .usbdevice_name = "keyboard",
         .qdev.size      = sizeof(USBHIDState),
+        .usb_desc       = &desc_keyboard,
         .init           = usb_keyboard_initfn,
         .handle_packet  = usb_generic_handle_packet,
         .handle_reset   = usb_keyboard_handle_reset,
commit 37fb59d3032687b6f0d94c307bd0a846e0ca1fe0
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Nov 17 11:03:53 2010 +0100

    usb: data structs and helpers for usb descriptors.
    
    This patch adds hw/usb-desc.[ch] files.  They carry data structures
    for various usb descriptors and helper functions to generate usb
    packets from the structures.
    
    The intention is to have a internal representation of the device
    desription which is more usable than the current char array blobs,
    so we can have common code handle common usb device emulation using
    the device description.
    
    The usage of this infrastructure is optional for usb drivers as there
    are cases such as pass-through where it probably isn't very useful.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index c3e52c5..fda366d 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -88,7 +88,7 @@ common-obj-y += eeprom93xx.o
 common-obj-y += scsi-disk.o cdrom.o
 common-obj-y += scsi-generic.o scsi-bus.o
 common-obj-y += usb.o usb-hub.o usb-$(HOST_USB).o usb-hid.o usb-msd.o usb-wacom.o
-common-obj-y += usb-serial.o usb-net.o usb-bus.o
+common-obj-y += usb-serial.o usb-net.o usb-bus.o usb-desc.o
 common-obj-$(CONFIG_SSI) += ssi.o
 common-obj-$(CONFIG_SSI_SD) += ssi-sd.o
 common-obj-$(CONFIG_SD) += sd.o
diff --git a/hw/usb-desc.c b/hw/usb-desc.c
new file mode 100644
index 0000000..559ced7
--- /dev/null
+++ b/hw/usb-desc.c
@@ -0,0 +1,238 @@
+#include "usb.h"
+#include "usb-desc.h"
+#include "trace.h"
+
+/* ------------------------------------------------------------------ */
+
+static uint8_t usb_lo(uint16_t val)
+{
+    return val & 0xff;
+}
+
+static uint8_t usb_hi(uint16_t val)
+{
+    return (val >> 8) & 0xff;
+}
+
+int usb_desc_device(const USBDescID *id, const USBDescDevice *dev,
+                    uint8_t *dest, size_t len)
+{
+    uint8_t bLength = 0x12;
+
+    if (len < bLength) {
+        return -1;
+    }
+
+    dest[0x00] = bLength;
+    dest[0x01] = USB_DT_DEVICE;
+
+    dest[0x02] = usb_lo(dev->bcdUSB);
+    dest[0x03] = usb_hi(dev->bcdUSB);
+    dest[0x04] = dev->bDeviceClass;
+    dest[0x05] = dev->bDeviceSubClass;
+    dest[0x06] = dev->bDeviceProtocol;
+    dest[0x07] = dev->bMaxPacketSize0;
+
+    dest[0x08] = usb_lo(id->idVendor);
+    dest[0x09] = usb_hi(id->idVendor);
+    dest[0x0a] = usb_lo(id->idProduct);
+    dest[0x0b] = usb_hi(id->idProduct);
+    dest[0x0c] = usb_lo(id->bcdDevice);
+    dest[0x0d] = usb_hi(id->bcdDevice);
+    dest[0x0e] = id->iManufacturer;
+    dest[0x0f] = id->iProduct;
+    dest[0x10] = id->iSerialNumber;
+
+    dest[0x11] = dev->bNumConfigurations;
+
+    return bLength;
+}
+
+int usb_desc_config(const USBDescConfig *conf, uint8_t *dest, size_t len)
+{
+    uint8_t  bLength = 0x09;
+    uint16_t wTotalLength = 0;
+    int i, rc, count;
+
+    if (len < bLength) {
+        return -1;
+    }
+
+    dest[0x00] = bLength;
+    dest[0x01] = USB_DT_CONFIG;
+    dest[0x04] = conf->bNumInterfaces;
+    dest[0x05] = conf->bConfigurationValue;
+    dest[0x06] = conf->iConfiguration;
+    dest[0x07] = conf->bmAttributes;
+    dest[0x08] = conf->bMaxPower;
+    wTotalLength += bLength;
+
+    count = conf->nif ? conf->nif : conf->bNumInterfaces;
+    for (i = 0; i < count; i++) {
+        rc = usb_desc_iface(conf->ifs + i, dest + wTotalLength, len - wTotalLength);
+        if (rc < 0) {
+            return rc;
+        }
+        wTotalLength += rc;
+    }
+
+    dest[0x02] = usb_lo(wTotalLength);
+    dest[0x03] = usb_hi(wTotalLength);
+    return wTotalLength;
+}
+
+int usb_desc_iface(const USBDescIface *iface, uint8_t *dest, size_t len)
+{
+    uint8_t bLength = 0x09;
+    int i, rc, pos = 0;
+
+    if (len < bLength) {
+        return -1;
+    }
+
+    dest[0x00] = bLength;
+    dest[0x01] = USB_DT_INTERFACE;
+    dest[0x02] = iface->bInterfaceNumber;
+    dest[0x03] = iface->bAlternateSetting;
+    dest[0x04] = iface->bNumEndpoints;
+    dest[0x05] = iface->bInterfaceClass;
+    dest[0x06] = iface->bInterfaceSubClass;
+    dest[0x07] = iface->bInterfaceProtocol;
+    dest[0x08] = iface->iInterface;
+    pos += bLength;
+
+    for (i = 0; i < iface->ndesc; i++) {
+        rc = usb_desc_other(iface->descs + i, dest + pos, len - pos);
+        if (rc < 0) {
+            return rc;
+        }
+        pos += rc;
+    }
+
+    for (i = 0; i < iface->bNumEndpoints; i++) {
+        rc = usb_desc_endpoint(iface->eps + i, dest + pos, len - pos);
+        if (rc < 0) {
+            return rc;
+        }
+        pos += rc;
+    }
+
+    return pos;
+}
+
+int usb_desc_endpoint(const USBDescEndpoint *ep, uint8_t *dest, size_t len)
+{
+    uint8_t bLength = 0x07;
+
+    if (len < bLength) {
+        return -1;
+    }
+
+    dest[0x00] = bLength;
+    dest[0x01] = USB_DT_ENDPOINT;
+    dest[0x02] = ep->bEndpointAddress;
+    dest[0x03] = ep->bmAttributes;
+    dest[0x04] = usb_lo(ep->wMaxPacketSize);
+    dest[0x05] = usb_hi(ep->wMaxPacketSize);
+    dest[0x06] = ep->bInterval;
+
+    return bLength;
+}
+
+int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len)
+{
+    int bLength = desc->length ? desc->length : desc->data[0];
+
+    if (len < bLength) {
+        return -1;
+    }
+
+    memcpy(dest, desc->data, bLength);
+    return bLength;
+}
+
+int usb_desc_string(const char* const *str, int index, uint8_t *dest, size_t len)
+{
+    uint8_t bLength, pos, i;
+
+    if (len < 4) {
+        return -1;
+    }
+
+    if (index == 0) {
+        /* language ids */
+        dest[0] = 4;
+        dest[1] = USB_DT_STRING;
+        dest[2] = 0x09;
+        dest[3] = 0x04;
+        return 4;
+    }
+
+    if (str[index] == NULL) {
+        return 0;
+    }
+    bLength = strlen(str[index]) * 2 + 2;
+    dest[0] = bLength;
+    dest[1] = USB_DT_STRING;
+    i = 0; pos = 2;
+    while (pos+1 < bLength && pos+1 < len) {
+        dest[pos++] = str[index][i++];
+        dest[pos++] = 0;
+    }
+    return pos;
+}
+
+/* ------------------------------------------------------------------ */
+
+int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len)
+{
+    const USBDesc *desc = dev->info->usb_desc;
+    uint8_t buf[256];
+    uint8_t type = value >> 8;
+    uint8_t index = value & 0xff;
+    int ret = -1;
+
+    switch(type) {
+    case USB_DT_DEVICE:
+        ret = usb_desc_device(&desc->id, desc->full, buf, sizeof(buf));
+        trace_usb_desc_device(dev->addr, len, ret);
+        break;
+    case USB_DT_CONFIG:
+        if (index < desc->full->bNumConfigurations) {
+            ret = usb_desc_config(desc->full->confs + index, buf, sizeof(buf));
+        }
+        trace_usb_desc_config(dev->addr, index, len, ret);
+        break;
+    case USB_DT_STRING:
+        ret = usb_desc_string(desc->str, index, buf, sizeof(buf));
+        trace_usb_desc_string(dev->addr, index, len, ret);
+        break;
+    default:
+        fprintf(stderr, "%s: %d unknown type %d (len %zd)\n", __FUNCTION__,
+                dev->addr, type, len);
+        break;
+    }
+
+    if (ret > 0) {
+        if (ret > len) {
+            ret = len;
+        }
+        memcpy(dest, buf, ret);
+    }
+    return ret;
+}
+
+int usb_desc_handle_control(USBDevice *dev, int request, int value,
+                            int index, int length, uint8_t *data)
+{
+    const USBDesc *desc = dev->info->usb_desc;
+    int ret = -1;
+
+    assert(desc != NULL);
+    switch(request) {
+    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
+        ret = usb_desc_get_descriptor(dev, value, data, length);
+        break;
+    }
+    return ret;
+}
diff --git a/hw/usb-desc.h b/hw/usb-desc.h
new file mode 100644
index 0000000..d80efdb
--- /dev/null
+++ b/hw/usb-desc.h
@@ -0,0 +1,86 @@
+#ifndef QEMU_HW_USB_DESC_H
+#define QEMU_HW_USB_DESC_H
+
+#include <inttypes.h>
+
+struct USBDescID {
+    uint16_t                  idVendor;
+    uint16_t                  idProduct;
+    uint16_t                  bcdDevice;
+    uint8_t                   iManufacturer;
+    uint8_t                   iProduct;
+    uint8_t                   iSerialNumber;
+};
+
+struct USBDescDevice {
+    uint16_t                  bcdUSB;
+    uint8_t                   bDeviceClass;
+    uint8_t                   bDeviceSubClass;
+    uint8_t                   bDeviceProtocol;
+    uint8_t                   bMaxPacketSize0;
+    uint8_t                   bNumConfigurations;
+
+    const USBDescConfig       *confs;
+};
+
+struct USBDescConfig {
+    uint8_t                   bNumInterfaces;
+    uint8_t                   bConfigurationValue;
+    uint8_t                   iConfiguration;
+    uint8_t                   bmAttributes;
+    uint8_t                   bMaxPower;
+
+    uint8_t                   nif;
+    const USBDescIface        *ifs;
+};
+
+struct USBDescIface {
+    uint8_t                   bInterfaceNumber;
+    uint8_t                   bAlternateSetting;
+    uint8_t                   bNumEndpoints;
+    uint8_t                   bInterfaceClass;
+    uint8_t                   bInterfaceSubClass;
+    uint8_t                   bInterfaceProtocol;
+    uint8_t                   iInterface;
+
+    uint8_t                   ndesc;
+    USBDescOther              *descs;
+    USBDescEndpoint           *eps;
+};
+
+struct USBDescEndpoint {
+    uint8_t                   bEndpointAddress;
+    uint8_t                   bmAttributes;
+    uint16_t                  wMaxPacketSize;
+    uint8_t                   bInterval;
+};
+
+struct USBDescOther {
+    uint8_t                   length;
+    uint8_t                   *data;
+};
+
+typedef const char *USBDescStrings[256];
+
+struct USBDesc {
+    USBDescID                 id;
+    const USBDescDevice       *full;
+    const USBDescDevice       *high;
+    const char* const         *str;
+};
+
+/* generate usb packages from structs */
+int usb_desc_device(const USBDescID *id, const USBDescDevice *dev,
+                    uint8_t *dest, size_t len);
+int usb_desc_config(const USBDescConfig *conf, uint8_t *dest, size_t len);
+int usb_desc_iface(const USBDescIface *iface, uint8_t *dest, size_t len);
+int usb_desc_endpoint(const USBDescEndpoint *ep, uint8_t *dest, size_t len);
+int usb_desc_other(const USBDescOther *desc, uint8_t *dest, size_t len);
+int usb_desc_string(const char* const *str, int index, uint8_t *dest, size_t len);
+
+/* control message emulation helpers */
+int usb_desc_get_descriptor(USBDevice *dev, int value, uint8_t *dest, size_t len);
+int usb_desc_handle_control(USBDevice *dev, int request, int value,
+                            int index, int length, uint8_t *data);
+
+#endif /* QEMU_HW_USB_DESC_H */
diff --git a/hw/usb.h b/hw/usb.h
index 0b32d77..a29b6d6 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -128,6 +128,14 @@ typedef struct USBDevice USBDevice;
 typedef struct USBDeviceInfo USBDeviceInfo;
 typedef struct USBPacket USBPacket;
 
+typedef struct USBDesc USBDesc;
+typedef struct USBDescID USBDescID;
+typedef struct USBDescDevice USBDescDevice;
+typedef struct USBDescConfig USBDescConfig;
+typedef struct USBDescIface USBDescIface;
+typedef struct USBDescEndpoint USBDescEndpoint;
+typedef struct USBDescOther USBDescOther;
+
 /* definition of a USB device */
 struct USBDevice {
     DeviceState qdev;
@@ -190,6 +198,7 @@ struct USBDeviceInfo {
     int (*handle_data)(USBDevice *dev, USBPacket *p);
 
     const char *product_desc;
+    const USBDesc *usb_desc;
 
     /* handle legacy -usbdevice command line options */
     const char *usbdevice_name;
diff --git a/trace-events b/trace-events
index e8fed0f..8264ff0 100644
--- a/trace-events
+++ b/trace-events
@@ -190,6 +190,11 @@ disable sun4m_iommu_page_get_flags(uint64_t pa, uint64_t iopte, uint32_t ret) "g
 disable sun4m_iommu_translate_pa(uint64_t addr, uint64_t pa, uint32_t iopte) "xlate dva %"PRIx64" => pa %"PRIx64" iopte = %x"
 disable sun4m_iommu_bad_addr(uint64_t addr) "bad addr %"PRIx64""
 
+# hw/usb-desc.c
+disable usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
+disable usb_desc_config(int addr, int index, int len, int ret) "dev %d query config %d, len %d, ret %d"
+disable usb_desc_string(int addr, int index, int len, int ret) "dev %d query string %d, len %d, ret %d"
+
 # vl.c
 disable vm_state_notify(int running, int reason) "running %d reason %d"
 
commit 5d0d62feee8aa75525207ef24919c0522651a432
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Dec 17 11:11:25 2010 +0100

    usb: update MAINTAINERS
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/MAINTAINERS b/MAINTAINERS
index 59effc7..4b07192 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -329,8 +329,8 @@ F: hw/lsi53c895a.c
 F: hw/scsi*
 
 USB
-M: qemu-devel at nongnu.org
-S: Odd Fixes
+M: Gerd Hoffmann <kraxel at redhat.com>
+S: Maintained
 F: hw/usb*
 
 vhost
commit 05bf441eb69a813d3893174d54faa6afa8c0d39b
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Mon Jan 10 23:28:08 2011 +0100

    cris: Remove unused orig_flags
    
    Based on a patch by Blue Swirl <blauwirbel at gmail.com>.
    
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index 9e403dc..e09aaa9 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -3185,7 +3185,7 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 {
 	uint16_t *gen_opc_end;
    	uint32_t pc_start;
-	unsigned int insn_len, orig_flags;
+	unsigned int insn_len;
 	int j, lj;
 	struct DisasContext ctx;
 	struct DisasContext *dc = &ctx;
@@ -3229,7 +3229,7 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 	dc->cc_size_uptodate = -1;
 
 	/* Decode TB flags.  */
-	orig_flags = dc->tb_flags = tb->flags & (S_FLAG | P_FLAG | U_FLAG \
+	dc->tb_flags = tb->flags & (S_FLAG | P_FLAG | U_FLAG \
 					| X_FLAG | PFIX_FLAG);
 	dc->delayed_branch = !!(tb->flags & 7);
 	if (dc->delayed_branch)
commit 5cabc5ccfe180241a9086bd9bcbb1b5de8f3fc72
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Mon Jan 10 23:24:36 2011 +0100

    cris: Allow more TB chaining for crisv10
    
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index 5184155..9e403dc 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -120,9 +120,10 @@ typedef struct DisasContext {
 	unsigned int tb_flags; /* tb dependent flags.  */
 	int is_jmp;
 
-#define JMP_NOJMP    0
-#define JMP_DIRECT   1
-#define JMP_INDIRECT 2
+#define JMP_NOJMP     0
+#define JMP_DIRECT    1
+#define JMP_DIRECT_CC 2
+#define JMP_INDIRECT  3
 	int jmp; /* 0=nojmp, 1=direct, 2=indirect.  */ 
 	uint32_t jmp_pc;
 
@@ -1127,7 +1128,7 @@ static void gen_tst_cc (DisasContext *dc, TCGv cc, int cond)
 static void cris_store_direct_jmp(DisasContext *dc)
 {
 	/* Store the direct jmp state into the cpu-state.  */
-	if (dc->jmp == JMP_DIRECT) {
+	if (dc->jmp == JMP_DIRECT || dc->jmp == JMP_DIRECT_CC) {
 		tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
 		dc->jmp = JMP_INDIRECT;
 	}
@@ -1139,7 +1140,7 @@ static void cris_prepare_cc_branch (DisasContext *dc,
 	/* This helps us re-schedule the micro-code to insns in delay-slots
 	   before the actual jump.  */
 	dc->delayed_branch = 2;
-	dc->jmp = JMP_DIRECT;
+	dc->jmp = JMP_DIRECT_CC;
 	dc->jmp_pc = dc->pc + offset;
 
 	gen_tst_cc (dc, env_btaken, cond);
@@ -1155,7 +1156,9 @@ static inline void cris_prepare_jmp (DisasContext *dc, unsigned int type)
 	   before the actual jump.  */
 	dc->delayed_branch = 2;
 	dc->jmp = type;
-	tcg_gen_movi_tl(env_btaken, 1);
+	if (type == JMP_INDIRECT) {
+		tcg_gen_movi_tl(env_btaken, 1);
+	}
 }
 
 static void gen_load64(DisasContext *dc, TCGv_i64 dst, TCGv addr)
@@ -3193,10 +3196,13 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 
 	qemu_log_try_set_file(stderr);
 
-	if (env->pregs[PR_VR] == 32)
+	if (env->pregs[PR_VR] == 32) {
 		dc->decoder = crisv32_decoder;
-	else
+		dc->clear_locked_irq = 0;
+	} else {
 		dc->decoder = crisv10_decoder;
+		dc->clear_locked_irq = 1;
+	}
 
 	/* Odd PC indicates that branch is rexecuting due to exception in the
 	 * delayslot, like in real hw.
@@ -3218,7 +3224,6 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 	dc->cc_mask = 0;
 	dc->update_cc = 0;
 	dc->clear_prefix = 0;
-	dc->clear_locked_irq = 1;
 
 	cris_update_cc_op(dc, CC_OP_FLAGS, 4);
 	dc->cc_size_uptodate = -1;
@@ -3312,7 +3317,14 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 				    || (dc->flags_x != (tb->flags & X_FLAG))) {
 					cris_store_direct_jmp(dc);
 				}
-				if (dc->jmp == JMP_DIRECT) {
+
+				if (dc->clear_locked_irq) {
+					dc->clear_locked_irq = 0;
+					t_gen_mov_env_TN(locked_irq,
+							 tcg_const_tl(0));
+				}
+
+				if (dc->jmp == JMP_DIRECT_CC) {
 					int l1;
 
 					l1 = gen_new_label();
@@ -3326,6 +3338,11 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 					gen_goto_tb(dc, 0, dc->pc);
 					dc->is_jmp = DISAS_TB_JUMP;
 					dc->jmp = JMP_NOJMP;
+				} else if (dc->jmp == JMP_DIRECT) {
+					cris_evaluate_flags(dc);
+					gen_goto_tb(dc, 0, dc->jmp_pc);
+					dc->is_jmp = DISAS_TB_JUMP;
+					dc->jmp = JMP_NOJMP;
 				} else {
 					t_gen_cc_jmp(env_btarget, 
 						     tcg_const_tl(dc->pc));
diff --git a/target-cris/translate_v10.c b/target-cris/translate_v10.c
index 6944827..41db158 100644
--- a/target-cris/translate_v10.c
+++ b/target-cris/translate_v10.c
@@ -1060,15 +1060,15 @@ static unsigned int dec10_ind(DisasContext *dc)
             break;
         case CRISV10_IND_JUMP_M:
             if (dc->src == 15) {
-                LOG_DIS("jump.%d %d r%d r%d\n", size,
+                LOG_DIS("jump.%d %d r%d r%d direct\n", size,
                          dc->opcode, dc->src, dc->dst);
                 imm = ldl_code(dc->pc + 2);
                 if (dc->mode == CRISV10_MODE_AUTOINC)
                     insn_len += size;
 
                 t_gen_mov_preg_TN(dc, dc->dst, tcg_const_tl(dc->pc + insn_len));
-                tcg_gen_movi_tl(env_btarget, imm);
-                cris_prepare_jmp(dc, JMP_INDIRECT);
+                dc->jmp_pc = imm;
+                cris_prepare_jmp(dc, JMP_DIRECT);
                 dc->delayed_branch--; /* v10 has no dslot here.  */
             } else {
                 if (dc->dst == 14) {
@@ -1184,7 +1184,9 @@ static unsigned int crisv10_decoder(DisasContext *dc)
     if (dc->clear_prefix && dc->tb_flags & PFIX_FLAG) {
         dc->tb_flags &= ~PFIX_FLAG;
         tcg_gen_andi_tl(cpu_PR[PR_CCS], cpu_PR[PR_CCS], ~PFIX_FLAG);
-        dc->cpustate_changed = 1;
+        if (dc->tb_flags != dc->tb->flags) {
+            dc->cpustate_changed = 1;
+        }
     }
 
     /* CRISv10 locks out interrupts on dslots.  */
commit b09cd072df07c63997cc81b6767f2e145d9496e5
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Mon Jan 10 22:31:09 2011 +0100

    cris: Support disassembly of crisv10
    
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/cris-dis.c b/cris-dis.c
index afd775c..5fa67d9 100644
--- a/cris-dis.c
+++ b/cris-dis.c
@@ -2767,7 +2767,6 @@ print_insn_cris_generic (bfd_vma memaddr,
 }
 
 /* Disassemble, prefixing register names with `$'.  CRIS v0..v10.  */
-#if 0
 static int
 print_insn_cris_with_register_prefix (bfd_vma vma,
 				      disassemble_info *info)
@@ -2777,7 +2776,6 @@ print_insn_cris_with_register_prefix (bfd_vma vma,
     return -1;
   return print_insn_cris_generic (vma, info, true);
 }
-#endif
 /* Disassemble, prefixing register names with `$'.  CRIS v32.  */
 
 static int
@@ -2843,6 +2841,13 @@ print_insn_crisv10_v32_without_register_prefix (bfd_vma vma,
 #endif
 
 int
+print_insn_crisv10 (bfd_vma vma,
+		    disassemble_info *info)
+{
+  return print_insn_cris_with_register_prefix(vma, info);
+}
+
+int
 print_insn_crisv32 (bfd_vma vma,
 		    disassemble_info *info)
 {
diff --git a/dis-asm.h b/dis-asm.h
index 3fb4838..356459c 100644
--- a/dis-asm.h
+++ b/dis-asm.h
@@ -397,6 +397,7 @@ extern int print_insn_tic30		(bfd_vma, disassemble_info*);
 extern int print_insn_ppc		(bfd_vma, disassemble_info*);
 extern int print_insn_s390		(bfd_vma, disassemble_info*);
 extern int print_insn_crisv32           (bfd_vma, disassemble_info*);
+extern int print_insn_crisv10           (bfd_vma, disassemble_info*);
 extern int print_insn_microblaze        (bfd_vma, disassemble_info*);
 extern int print_insn_ia64              (bfd_vma, disassemble_info*);
 
diff --git a/disas.c b/disas.c
index afe331f..dd2db14 100644
--- a/disas.c
+++ b/disas.c
@@ -208,8 +208,13 @@ void target_disas(FILE *out, target_ulong code, target_ulong size, int flags)
     disasm_info.mach = bfd_mach_alpha;
     print_insn = print_insn_alpha;
 #elif defined(TARGET_CRIS)
-    disasm_info.mach = bfd_mach_cris_v32;
-    print_insn = print_insn_crisv32;
+    if (flags != 32) {
+        disasm_info.mach = bfd_mach_cris_v0_v10;
+        print_insn = print_insn_crisv10;
+    } else {
+        disasm_info.mach = bfd_mach_cris_v32;
+        print_insn = print_insn_crisv32;
+    }
 #elif defined(TARGET_MICROBLAZE)
     disasm_info.mach = bfd_arch_microblaze;
     print_insn = print_insn_microblaze;
commit a7bd621d7a270645fb98426c82a0b251fdbc6000
Merge: 8aaf42e... a6a7005...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Jan 10 10:32:01 2011 -0600

    Merge remote branch 'mst/for_anthony' into staging

commit d2f2b8a740c82319f9eea51ebed50815fbc3da3e
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Jan 10 13:50:05 2011 +0200

    kvm: test for ioeventfd support on old kernels
    
    There used to be a limit of 6 KVM io bus devices in the kernel.
    On such a kernel, we can't use many ioeventfds for host notification
    since the limit is reached too easily.
    
    Add an API to test for this condition.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index cae24bb..255b6fa 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -28,6 +28,11 @@
 #include "kvm.h"
 #include "bswap.h"
 
+/* This check must be after config-host.h is included */
+#ifdef CONFIG_EVENTFD
+#include <sys/eventfd.h>
+#endif
+
 /* KVM uses PAGE_SIZE in it's definition of COALESCED_MMIO_MAX */
 #define PAGE_SIZE TARGET_PAGE_SIZE
 
@@ -72,6 +77,7 @@ struct KVMState
     int irqchip_in_kernel;
     int pit_in_kernel;
     int xsave, xcrs;
+    int many_ioeventfds;
 };
 
 static KVMState *kvm_state;
@@ -441,6 +447,39 @@ int kvm_check_extension(KVMState *s, unsigned int extension)
     return ret;
 }
 
+static int kvm_check_many_ioeventfds(void)
+{
+    /* Older kernels have a 6 device limit on the KVM io bus.  Find out so we
+     * can avoid creating too many ioeventfds.
+     */
+#ifdef CONFIG_EVENTFD
+    int ioeventfds[7];
+    int i, ret = 0;
+    for (i = 0; i < ARRAY_SIZE(ioeventfds); i++) {
+        ioeventfds[i] = eventfd(0, EFD_CLOEXEC);
+        if (ioeventfds[i] < 0) {
+            break;
+        }
+        ret = kvm_set_ioeventfd_pio_word(ioeventfds[i], 0, i, true);
+        if (ret < 0) {
+            close(ioeventfds[i]);
+            break;
+        }
+    }
+
+    /* Decide whether many devices are supported or not */
+    ret = i == ARRAY_SIZE(ioeventfds);
+
+    while (i-- > 0) {
+        kvm_set_ioeventfd_pio_word(ioeventfds[i], 0, i, false);
+        close(ioeventfds[i]);
+    }
+    return ret;
+#else
+    return 0;
+#endif
+}
+
 static void kvm_set_phys_mem(target_phys_addr_t start_addr,
 			     ram_addr_t size,
 			     ram_addr_t phys_offset)
@@ -717,6 +756,8 @@ int kvm_init(int smp_cpus)
     kvm_state = s;
     cpu_register_phys_memory_client(&kvm_cpu_phys_memory_client);
 
+    s->many_ioeventfds = kvm_check_many_ioeventfds();
+
     return 0;
 
 err:
@@ -1046,6 +1087,14 @@ int kvm_has_xcrs(void)
     return kvm_state->xcrs;
 }
 
+int kvm_has_many_ioeventfds(void)
+{
+    if (!kvm_enabled()) {
+        return 0;
+    }
+    return kvm_state->many_ioeventfds;
+}
+
 void kvm_setup_guest_memory(void *start, size_t size)
 {
     if (!kvm_has_sync_mmu()) {
diff --git a/kvm-stub.c b/kvm-stub.c
index 5384a4b..33d4476 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -99,6 +99,11 @@ int kvm_has_robust_singlestep(void)
     return 0;
 }
 
+int kvm_has_many_ioeventfds(void)
+{
+    return 0;
+}
+
 void kvm_setup_guest_memory(void *start, size_t size)
 {
 }
diff --git a/kvm.h b/kvm.h
index 60a9b42..ce08d42 100644
--- a/kvm.h
+++ b/kvm.h
@@ -42,6 +42,7 @@ int kvm_has_robust_singlestep(void);
 int kvm_has_debugregs(void);
 int kvm_has_xsave(void);
 int kvm_has_xcrs(void);
+int kvm_has_many_ioeventfds(void);
 
 #ifdef NEED_CPU_H
 int kvm_init_vcpu(CPUState *env);
commit 65d6dcbde84314c6d05a365a26a384f880a5c8fe
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Dec 17 12:01:52 2010 +0000

    docs: Document virtio PCI -device ioeventfd=on|off
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/docs/qdev-device-use.txt b/docs/qdev-device-use.txt
index f252c8e..f2f9b75 100644
--- a/docs/qdev-device-use.txt
+++ b/docs/qdev-device-use.txt
@@ -97,10 +97,13 @@ The -device argument differs in detail for each kind of drive:
 
 * if=virtio
 
-  -device virtio-blk-pci,drive=DRIVE-ID,class=C,vectors=V
+  -device virtio-blk-pci,drive=DRIVE-ID,class=C,vectors=V,ioeventfd=IOEVENTFD
 
   This lets you control PCI device class and MSI-X vectors.
 
+  IOEVENTFD controls whether or not ioeventfd is used for virtqueue notify.  It
+  can be set to on (default) or off.
+
   As for all PCI devices, you can add bus=PCI-BUS,addr=DEVFN to
   control the PCI device address.
 
@@ -240,6 +243,9 @@ For PCI devices, you can add bus=PCI-BUS,addr=DEVFN to control the PCI
 device address, as usual.  The old -net nic provides parameter addr
 for that, it is silently ignored when the NIC is not a PCI device.
 
+For virtio-net-pci, you can control whether or not ioeventfd is used for
+virtqueue notify by setting ioeventfd= to on or off (default).
+
 -net nic accepts vectors=V for all models, but it's silently ignored
 except for virtio-net-pci (model=virtio).  With -device, only devices
 that support it accept it.
commit 25db9ebe15125deb32958c6df74996f745edf1f9
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Dec 17 12:01:50 2010 +0000

    virtio-pci: Use ioeventfd for virtqueue notify
    
    Virtqueue notify is currently handled synchronously in userspace virtio.  This
    prevents the vcpu from executing guest code while hardware emulation code
    handles the notify.
    
    On systems that support KVM, the ioeventfd mechanism can be used to make
    virtqueue notify a lightweight exit by deferring hardware emulation to the
    iothread and allowing the VM to continue execution.  This model is similar to
    how vhost receives virtqueue notifies.
    
    The result of this change is improved performance for userspace virtio devices.
    Virtio-blk throughput increases especially for multithreaded scenarios and
    virtio-net transmit throughput increases substantially.
    
    Some virtio devices are known to have guest drivers which expect a notify to be
    processed synchronously and spin waiting for completion.
    For virtio-net, this also seems to interact with the guest stack in strange
    ways so that TCP throughput for small message sizes (~200bytes)
    is harmed. Only enable ioeventfd for virtio-blk for now.
    
    Care must be taken not to interfere with vhost-net, which uses host
    notifiers.  If the set_host_notifier() API is used by a device
    virtio-pci will disable virtio-ioeventfd and let the device deal with
    host notifiers as it wishes.
    
    Finally, there used to be a limit of 6 KVM io bus devices inside the
    kernel.  On such a kernel, don't use ioeventfd for virtqueue host
    notification since the limit is reached too easily.  This ensures that
    existing vhost-net setups (which always use ioeventfd) have ioeventfds
    available so they can continue to work.
    
    After migration and on VM change state (running/paused) virtio-ioeventfd
    will enable/disable itself.
    
     * VIRTIO_CONFIG_S_DRIVER_OK -> enable virtio-ioeventfd
     * !VIRTIO_CONFIG_S_DRIVER_OK -> disable virtio-ioeventfd
     * virtio_pci_set_host_notifier() -> disable virtio-ioeventfd
     * vm_change_state(running=0) -> disable virtio-ioeventfd
     * vm_change_state(running=1) -> enable virtio-ioeventfd
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 13dd391..70c40ee 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -83,6 +83,11 @@
 /* Flags track per-device state like workarounds for quirks in older guests. */
 #define VIRTIO_PCI_FLAG_BUS_MASTER_BUG  (1 << 0)
 
+/* Performance improves when virtqueue kick processing is decoupled from the
+ * vcpu thread using ioeventfd for some devices. */
+#define VIRTIO_PCI_FLAG_USE_IOEVENTFD_BIT 1
+#define VIRTIO_PCI_FLAG_USE_IOEVENTFD   (1 << VIRTIO_PCI_FLAG_USE_IOEVENTFD_BIT)
+
 /* QEMU doesn't strictly need write barriers since everything runs in
  * lock-step.  We'll leave the calls to wmb() in though to make it obvious for
  * KVM or if kqemu gets SMP support.
@@ -107,6 +112,8 @@ typedef struct {
     /* Max. number of ports we can have for a the virtio-serial device */
     uint32_t max_virtserial_ports;
     virtio_net_conf net;
+    bool ioeventfd_disabled;
+    bool ioeventfd_started;
 } VirtIOPCIProxy;
 
 /* virtio device */
@@ -179,12 +186,132 @@ static int virtio_pci_load_queue(void * opaque, int n, QEMUFile *f)
     return 0;
 }
 
+static int virtio_pci_set_host_notifier_internal(VirtIOPCIProxy *proxy,
+                                                 int n, bool assign)
+{
+    VirtQueue *vq = virtio_get_queue(proxy->vdev, n);
+    EventNotifier *notifier = virtio_queue_get_host_notifier(vq);
+    int r;
+    if (assign) {
+        r = event_notifier_init(notifier, 1);
+        if (r < 0) {
+            return r;
+        }
+        r = kvm_set_ioeventfd_pio_word(event_notifier_get_fd(notifier),
+                                       proxy->addr + VIRTIO_PCI_QUEUE_NOTIFY,
+                                       n, assign);
+        if (r < 0) {
+            event_notifier_cleanup(notifier);
+        }
+    } else {
+        r = kvm_set_ioeventfd_pio_word(event_notifier_get_fd(notifier),
+                                       proxy->addr + VIRTIO_PCI_QUEUE_NOTIFY,
+                                       n, assign);
+        if (r < 0) {
+            return r;
+        }
+
+        /* Handle the race condition where the guest kicked and we deassigned
+         * before we got around to handling the kick.
+         */
+        if (event_notifier_test_and_clear(notifier)) {
+            virtio_queue_notify_vq(vq);
+        }
+
+        event_notifier_cleanup(notifier);
+    }
+    return r;
+}
+
+static void virtio_pci_host_notifier_read(void *opaque)
+{
+    VirtQueue *vq = opaque;
+    EventNotifier *n = virtio_queue_get_host_notifier(vq);
+    if (event_notifier_test_and_clear(n)) {
+        virtio_queue_notify_vq(vq);
+    }
+}
+
+static void virtio_pci_set_host_notifier_fd_handler(VirtIOPCIProxy *proxy,
+                                                    int n, bool assign)
+{
+    VirtQueue *vq = virtio_get_queue(proxy->vdev, n);
+    EventNotifier *notifier = virtio_queue_get_host_notifier(vq);
+    if (assign) {
+        qemu_set_fd_handler(event_notifier_get_fd(notifier),
+                            virtio_pci_host_notifier_read, NULL, vq);
+    } else {
+        qemu_set_fd_handler(event_notifier_get_fd(notifier),
+                            NULL, NULL, NULL);
+    }
+}
+
+static int virtio_pci_start_ioeventfd(VirtIOPCIProxy *proxy)
+{
+    int n, r;
+
+    if (!(proxy->flags & VIRTIO_PCI_FLAG_USE_IOEVENTFD) ||
+        proxy->ioeventfd_disabled ||
+        proxy->ioeventfd_started) {
+        return 0;
+    }
+
+    for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
+        if (!virtio_queue_get_num(proxy->vdev, n)) {
+            continue;
+        }
+
+        r = virtio_pci_set_host_notifier_internal(proxy, n, true);
+        if (r < 0) {
+            goto assign_error;
+        }
+
+        virtio_pci_set_host_notifier_fd_handler(proxy, n, true);
+    }
+    proxy->ioeventfd_started = true;
+    return 0;
+
+assign_error:
+    while (--n >= 0) {
+        if (!virtio_queue_get_num(proxy->vdev, n)) {
+            continue;
+        }
+
+        virtio_pci_set_host_notifier_fd_handler(proxy, n, false);
+        virtio_pci_set_host_notifier_internal(proxy, n, false);
+    }
+    proxy->ioeventfd_started = false;
+    proxy->ioeventfd_disabled = true;
+    return r;
+}
+
+static int virtio_pci_stop_ioeventfd(VirtIOPCIProxy *proxy)
+{
+    int n;
+
+    if (!proxy->ioeventfd_started) {
+        return 0;
+    }
+
+    for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
+        if (!virtio_queue_get_num(proxy->vdev, n)) {
+            continue;
+        }
+
+        virtio_pci_set_host_notifier_fd_handler(proxy, n, false);
+        virtio_pci_set_host_notifier_internal(proxy, n, false);
+    }
+    proxy->ioeventfd_started = false;
+    return 0;
+}
+
 static void virtio_pci_reset(DeviceState *d)
 {
     VirtIOPCIProxy *proxy = container_of(d, VirtIOPCIProxy, pci_dev.qdev);
+    virtio_pci_stop_ioeventfd(proxy);
     virtio_reset(proxy->vdev);
     msix_reset(&proxy->pci_dev);
-    proxy->flags = 0;
+    proxy->flags &= ~VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
 }
 
 static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
@@ -209,6 +336,7 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
     case VIRTIO_PCI_QUEUE_PFN:
         pa = (target_phys_addr_t)val << VIRTIO_PCI_QUEUE_ADDR_SHIFT;
         if (pa == 0) {
+            virtio_pci_stop_ioeventfd(proxy);
             virtio_reset(proxy->vdev);
             msix_unuse_all_vectors(&proxy->pci_dev);
         }
@@ -223,7 +351,16 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
         virtio_queue_notify(vdev, val);
         break;
     case VIRTIO_PCI_STATUS:
+        if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
+            virtio_pci_stop_ioeventfd(proxy);
+        }
+
         virtio_set_status(vdev, val & 0xFF);
+
+        if (val & VIRTIO_CONFIG_S_DRIVER_OK) {
+            virtio_pci_start_ioeventfd(proxy);
+        }
+
         if (vdev->status == 0) {
             virtio_reset(proxy->vdev);
             msix_unuse_all_vectors(&proxy->pci_dev);
@@ -403,6 +540,7 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
     if (PCI_COMMAND == address) {
         if (!(val & PCI_COMMAND_MASTER)) {
             if (!(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) {
+                virtio_pci_stop_ioeventfd(proxy);
                 virtio_set_status(proxy->vdev,
                                   proxy->vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK);
             }
@@ -480,30 +618,30 @@ assign_error:
 static int virtio_pci_set_host_notifier(void *opaque, int n, bool assign)
 {
     VirtIOPCIProxy *proxy = opaque;
-    VirtQueue *vq = virtio_get_queue(proxy->vdev, n);
-    EventNotifier *notifier = virtio_queue_get_host_notifier(vq);
-    int r;
+
+    /* Stop using ioeventfd for virtqueue kick if the device starts using host
+     * notifiers.  This makes it easy to avoid stepping on each others' toes.
+     */
+    proxy->ioeventfd_disabled = assign;
     if (assign) {
-        r = event_notifier_init(notifier, 1);
-        if (r < 0) {
-            return r;
-        }
-        r = kvm_set_ioeventfd_pio_word(event_notifier_get_fd(notifier),
-                                       proxy->addr + VIRTIO_PCI_QUEUE_NOTIFY,
-                                       n, assign);
-        if (r < 0) {
-            event_notifier_cleanup(notifier);
-        }
+        virtio_pci_stop_ioeventfd(proxy);
+    }
+    /* We don't need to start here: it's not needed because backend
+     * currently only stops on status change away from ok,
+     * reset, vmstop and such. If we do add code to start here,
+     * need to check vmstate, device state etc. */
+    return virtio_pci_set_host_notifier_internal(proxy, n, assign);
+}
+
+static void virtio_pci_vmstate_change(void *opaque, bool running)
+{
+    VirtIOPCIProxy *proxy = opaque;
+
+    if (running) {
+        virtio_pci_start_ioeventfd(proxy);
     } else {
-        r = kvm_set_ioeventfd_pio_word(event_notifier_get_fd(notifier),
-                                       proxy->addr + VIRTIO_PCI_QUEUE_NOTIFY,
-                                       n, assign);
-        if (r < 0) {
-            return r;
-        }
-        event_notifier_cleanup(notifier);
+        virtio_pci_stop_ioeventfd(proxy);
     }
-    return r;
 }
 
 static const VirtIOBindings virtio_pci_bindings = {
@@ -515,6 +653,7 @@ static const VirtIOBindings virtio_pci_bindings = {
     .get_features = virtio_pci_get_features,
     .set_host_notifier = virtio_pci_set_host_notifier,
     .set_guest_notifiers = virtio_pci_set_guest_notifiers,
+    .vmstate_change = virtio_pci_vmstate_change,
 };
 
 static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
@@ -559,10 +698,15 @@ static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
     pci_register_bar(&proxy->pci_dev, 0, size, PCI_BASE_ADDRESS_SPACE_IO,
                            virtio_map);
 
+    if (!kvm_has_many_ioeventfds()) {
+        proxy->flags &= ~VIRTIO_PCI_FLAG_USE_IOEVENTFD;
+    }
+
     virtio_bind_device(vdev, &virtio_pci_bindings, proxy);
     proxy->host_features |= 0x1 << VIRTIO_F_NOTIFY_ON_EMPTY;
     proxy->host_features |= 0x1 << VIRTIO_F_BAD_FEATURE;
     proxy->host_features = vdev->get_features(vdev, proxy->host_features);
+
 }
 
 static int virtio_blk_init_pci(PCIDevice *pci_dev)
@@ -597,6 +741,7 @@ static int virtio_blk_exit_pci(PCIDevice *pci_dev)
 {
     VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
 
+    virtio_pci_stop_ioeventfd(proxy);
     virtio_blk_exit(proxy->vdev);
     blockdev_mark_auto_del(proxy->block.bs);
     return virtio_exit_pci(pci_dev);
@@ -658,6 +803,7 @@ static int virtio_net_exit_pci(PCIDevice *pci_dev)
 {
     VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
 
+    virtio_pci_stop_ioeventfd(proxy);
     virtio_net_exit(proxy->vdev);
     return virtio_exit_pci(pci_dev);
 }
@@ -705,6 +851,8 @@ static PCIDeviceInfo virtio_info[] = {
         .qdev.props = (Property[]) {
             DEFINE_PROP_HEX32("class", VirtIOPCIProxy, class_code, 0),
             DEFINE_BLOCK_PROPERTIES(VirtIOPCIProxy, block),
+            DEFINE_PROP_BIT("ioeventfd", VirtIOPCIProxy, flags,
+                            VIRTIO_PCI_FLAG_USE_IOEVENTFD_BIT, true),
             DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors, 2),
             DEFINE_VIRTIO_BLK_FEATURES(VirtIOPCIProxy, host_features),
             DEFINE_PROP_END_OF_LIST(),
@@ -717,6 +865,8 @@ static PCIDeviceInfo virtio_info[] = {
         .exit       = virtio_net_exit_pci,
         .romfile    = "pxe-virtio.bin",
         .qdev.props = (Property[]) {
+            DEFINE_PROP_BIT("ioeventfd", VirtIOPCIProxy, flags,
+                            VIRTIO_PCI_FLAG_USE_IOEVENTFD_BIT, false),
             DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors, 3),
             DEFINE_VIRTIO_NET_FEATURES(VirtIOPCIProxy, host_features),
             DEFINE_NIC_PROPERTIES(VirtIOPCIProxy, nic),
diff --git a/hw/virtio.c b/hw/virtio.c
index 1d20be2..31bd9e3 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -575,11 +575,19 @@ int virtio_queue_get_num(VirtIODevice *vdev, int n)
     return vdev->vq[n].vring.num;
 }
 
+void virtio_queue_notify_vq(VirtQueue *vq)
+{
+    if (vq->vring.desc) {
+        VirtIODevice *vdev = vq->vdev;
+        trace_virtio_queue_notify(vdev, vq - vdev->vq, vq);
+        vq->handle_output(vdev, vq);
+    }
+}
+
 void virtio_queue_notify(VirtIODevice *vdev, int n)
 {
-    if (n < VIRTIO_PCI_QUEUE_MAX && vdev->vq[n].vring.desc) {
-        trace_virtio_queue_notify(vdev, n, &vdev->vq[n]);
-        vdev->vq[n].handle_output(vdev, &vdev->vq[n]);
+    if (n < VIRTIO_PCI_QUEUE_MAX) {
+        virtio_queue_notify_vq(&vdev->vq[n]);
     }
 }
 
diff --git a/hw/virtio.h b/hw/virtio.h
index bd52742..d8546d5 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -222,5 +222,6 @@ void virtio_queue_set_last_avail_idx(VirtIODevice *vdev, int n, uint16_t idx);
 VirtQueue *virtio_get_queue(VirtIODevice *vdev, int n);
 EventNotifier *virtio_queue_get_guest_notifier(VirtQueue *vq);
 EventNotifier *virtio_queue_get_host_notifier(VirtQueue *vq);
+void virtio_queue_notify_vq(VirtQueue *vq);
 void virtio_irq(VirtQueue *vq);
 #endif
commit 85cf2a8d7435754f685a26f95dcb43a93a84ff60
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Jan 10 14:28:40 2011 +0200

    virtio: move vmstate change tracking to core
    
    Move tracking vmstate change from virtio-net to virtio.c
    as it is going to be used by virito-blk and virtio-pci
    for the ioeventfd support.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index ec1bf8d..ccb3e63 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -54,8 +54,6 @@ typedef struct VirtIONet
     uint8_t nouni;
     uint8_t nobcast;
     uint8_t vhost_started;
-    bool vm_running;
-    VMChangeStateEntry *vmstate;
     struct {
         int in_use;
         int first_multi;
@@ -102,7 +100,7 @@ static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
 static bool virtio_net_started(VirtIONet *n, uint8_t status)
 {
     return (status & VIRTIO_CONFIG_S_DRIVER_OK) &&
-        (n->status & VIRTIO_NET_S_LINK_UP) && n->vm_running;
+        (n->status & VIRTIO_NET_S_LINK_UP) && n->vdev.vm_running;
 }
 
 static void virtio_net_vhost_status(VirtIONet *n, uint8_t status)
@@ -453,7 +451,7 @@ static void virtio_net_handle_rx(VirtIODevice *vdev, VirtQueue *vq)
 static int virtio_net_can_receive(VLANClientState *nc)
 {
     VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
-    if (!n->vm_running) {
+    if (!n->vdev.vm_running) {
         return 0;
     }
 
@@ -708,7 +706,7 @@ static int32_t virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
         return num_packets;
     }
 
-    assert(n->vm_running);
+    assert(n->vdev.vm_running);
 
     if (n->async_tx.elem.out_num) {
         virtio_queue_set_notification(n->tx_vq, 0);
@@ -769,7 +767,7 @@ static void virtio_net_handle_tx_timer(VirtIODevice *vdev, VirtQueue *vq)
     VirtIONet *n = to_virtio_net(vdev);
 
     /* This happens when device was stopped but VCPU wasn't. */
-    if (!n->vm_running) {
+    if (!n->vdev.vm_running) {
         n->tx_waiting = 1;
         return;
     }
@@ -796,7 +794,7 @@ static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq)
     }
     n->tx_waiting = 1;
     /* This happens when device was stopped but VCPU wasn't. */
-    if (!n->vm_running) {
+    if (!n->vdev.vm_running) {
         return;
     }
     virtio_queue_set_notification(vq, 0);
@@ -806,7 +804,7 @@ static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq)
 static void virtio_net_tx_timer(void *opaque)
 {
     VirtIONet *n = opaque;
-    assert(n->vm_running);
+    assert(n->vdev.vm_running);
 
     n->tx_waiting = 0;
 
@@ -823,7 +821,7 @@ static void virtio_net_tx_bh(void *opaque)
     VirtIONet *n = opaque;
     int32_t ret;
 
-    assert(n->vm_running);
+    assert(n->vdev.vm_running);
 
     n->tx_waiting = 0;
 
@@ -988,16 +986,6 @@ static NetClientInfo net_virtio_info = {
     .link_status_changed = virtio_net_set_link_status,
 };
 
-static void virtio_net_vmstate_change(void *opaque, int running, int reason)
-{
-    VirtIONet *n = opaque;
-    n->vm_running = running;
-    /* This is called when vm is started/stopped,
-     * it will start/stop vhost backend if appropriate
-     * e.g. after migration. */
-    virtio_net_set_status(&n->vdev, n->vdev.status);
-}
-
 VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
                               virtio_net_conf *net)
 {
@@ -1052,7 +1040,6 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
     n->qdev = dev;
     register_savevm(dev, "virtio-net", -1, VIRTIO_NET_VM_VERSION,
                     virtio_net_save, virtio_net_load, n);
-    n->vmstate = qemu_add_vm_change_state_handler(virtio_net_vmstate_change, n);
 
     add_boot_device_path(conf->bootindex, dev, "/ethernet-phy at 0");
 
@@ -1062,7 +1049,6 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
 void virtio_net_exit(VirtIODevice *vdev)
 {
     VirtIONet *n = DO_UPCAST(VirtIONet, vdev, vdev);
-    qemu_del_vm_change_state_handler(n->vmstate);
 
     /* This will stop vhost backend if appropriate. */
     virtio_net_set_status(vdev, 0);
diff --git a/hw/virtio.c b/hw/virtio.c
index 07dbf86..1d20be2 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -743,11 +743,31 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 
 void virtio_cleanup(VirtIODevice *vdev)
 {
+    qemu_del_vm_change_state_handler(vdev->vmstate);
     if (vdev->config)
         qemu_free(vdev->config);
     qemu_free(vdev->vq);
 }
 
+static void virtio_vmstate_change(void *opaque, int running, int reason)
+{
+    VirtIODevice *vdev = opaque;
+    bool backend_run = running && (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK);
+    vdev->vm_running = running;
+
+    if (backend_run) {
+        virtio_set_status(vdev, vdev->status);
+    }
+
+    if (vdev->binding->vmstate_change) {
+        vdev->binding->vmstate_change(vdev->binding_opaque, backend_run);
+    }
+
+    if (!backend_run) {
+        virtio_set_status(vdev, vdev->status);
+    }
+}
+
 VirtIODevice *virtio_common_init(const char *name, uint16_t device_id,
                                  size_t config_size, size_t struct_size)
 {
@@ -774,6 +794,8 @@ VirtIODevice *virtio_common_init(const char *name, uint16_t device_id,
     else
         vdev->config = NULL;
 
+    vdev->vmstate = qemu_add_vm_change_state_handler(virtio_vmstate_change, vdev);
+
     return vdev;
 }
 
diff --git a/hw/virtio.h b/hw/virtio.h
index 02fa312..bd52742 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -95,6 +95,7 @@ typedef struct {
     unsigned (*get_features)(void * opaque);
     int (*set_guest_notifiers)(void * opaque, bool assigned);
     int (*set_host_notifier)(void * opaque, int n, bool assigned);
+    void (*vmstate_change)(void * opaque, bool running);
 } VirtIOBindings;
 
 #define VIRTIO_PCI_QUEUE_MAX 64
@@ -123,6 +124,8 @@ struct VirtIODevice
     const VirtIOBindings *binding;
     void *binding_opaque;
     uint16_t device_id;
+    bool vm_running;
+    VMChangeStateEntry *vmstate;
 };
 
 static inline void virtio_set_status(VirtIODevice *vdev, uint8_t val)
commit 3dbca8e6a7a5be52c3251ad03bf30d73301babf3
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Dec 17 12:01:49 2010 +0000

    virtio-pci: Rename bugs field to flags
    
    The VirtIOPCIProxy bugs field is currently used to enable workarounds
    for older guests.  Rename it to flags so that other per-device behavior
    can be tracked.
    
    A later patch uses the flags field to remember whether ioeventfd should
    be used for virtqueue host notification.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 6186142..13dd391 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -80,9 +80,8 @@
  * 12 is historical, and due to x86 page size. */
 #define VIRTIO_PCI_QUEUE_ADDR_SHIFT    12
 
-/* We can catch some guest bugs inside here so we continue supporting older
-   guests. */
-#define VIRTIO_PCI_BUG_BUS_MASTER	(1 << 0)
+/* Flags track per-device state like workarounds for quirks in older guests. */
+#define VIRTIO_PCI_FLAG_BUS_MASTER_BUG  (1 << 0)
 
 /* QEMU doesn't strictly need write barriers since everything runs in
  * lock-step.  We'll leave the calls to wmb() in though to make it obvious for
@@ -95,7 +94,7 @@
 typedef struct {
     PCIDevice pci_dev;
     VirtIODevice *vdev;
-    uint32_t bugs;
+    uint32_t flags;
     uint32_t addr;
     uint32_t class_code;
     uint32_t nvectors;
@@ -159,7 +158,7 @@ static int virtio_pci_load_config(void * opaque, QEMUFile *f)
        in ready state. Then we have a buggy guest OS. */
     if ((proxy->vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
         !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) {
-        proxy->bugs |= VIRTIO_PCI_BUG_BUS_MASTER;
+        proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
     }
     return 0;
 }
@@ -185,7 +184,7 @@ static void virtio_pci_reset(DeviceState *d)
     VirtIOPCIProxy *proxy = container_of(d, VirtIOPCIProxy, pci_dev.qdev);
     virtio_reset(proxy->vdev);
     msix_reset(&proxy->pci_dev);
-    proxy->bugs = 0;
+    proxy->flags = 0;
 }
 
 static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
@@ -235,7 +234,7 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
            some safety checks. */
         if ((val & VIRTIO_CONFIG_S_DRIVER_OK) &&
             !(proxy->pci_dev.config[PCI_COMMAND] & PCI_COMMAND_MASTER)) {
-            proxy->bugs |= VIRTIO_PCI_BUG_BUS_MASTER;
+            proxy->flags |= VIRTIO_PCI_FLAG_BUS_MASTER_BUG;
         }
         break;
     case VIRTIO_MSI_CONFIG_VECTOR:
@@ -403,7 +402,7 @@ static void virtio_write_config(PCIDevice *pci_dev, uint32_t address,
 
     if (PCI_COMMAND == address) {
         if (!(val & PCI_COMMAND_MASTER)) {
-            if (!(proxy->bugs & VIRTIO_PCI_BUG_BUS_MASTER)) {
+            if (!(proxy->flags & VIRTIO_PCI_FLAG_BUS_MASTER_BUG)) {
                 virtio_set_status(proxy->vdev,
                                   proxy->vdev->status & ~VIRTIO_CONFIG_S_DRIVER_OK);
             }
commit 2f6bfe3b0c5bb216abfe015d824eaf84c449c6a5
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 6 15:14:40 2011 +0100

    qxl: tag as not hotpluggable
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qxl.c b/hw/qxl.c
index 207aa63..bd71e58 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1546,6 +1546,7 @@ static PCIDeviceInfo qxl_info_primary = {
     .qdev.size    = sizeof(PCIQXLDevice),
     .qdev.reset   = qxl_reset_handler,
     .qdev.vmsd    = &qxl_vmstate,
+    .no_hotplug   = 1,
     .init         = qxl_init_primary,
     .config_write = qxl_write_config,
     .romfile      = "vgabios-qxl.bin",
commit 6107ff12922e5508a44b376b40a3041810cb00d2
Merge: be92bbf... 8aaf42e...
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Jan 10 13:43:48 2011 +0200

    Merge remote branch 'origin/master' into pci

commit be92bbf73dfd7d8a4786dc5f6c71590f4fbc5a32
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 6 15:14:39 2011 +0100

    vga: tag as not hotplugable.
    
    This patch tags all vga cards as not hotpluggable.  The qemu
    standard vga will never ever be hotpluggable.  For cirrus + vmware
    it might be possible to get that work some day.  Todays we can't
    handle that for a number of reasons though.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 4f5040c..0d522a0 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -3227,6 +3227,7 @@ static PCIDeviceInfo cirrus_vga_info = {
     .qdev.desc    = "Cirrus CLGD 54xx VGA",
     .qdev.size    = sizeof(PCICirrusVGAState),
     .qdev.vmsd    = &vmstate_pci_cirrus_vga,
+    .no_hotplug   = 1,
     .init         = pci_cirrus_vga_initfn,
     .romfile      = VGABIOS_CIRRUS_FILENAME,
     .config_write = pci_cirrus_write_config,
diff --git a/hw/vga-pci.c b/hw/vga-pci.c
index 791ca22..ce9ec45 100644
--- a/hw/vga-pci.c
+++ b/hw/vga-pci.c
@@ -110,6 +110,7 @@ static PCIDeviceInfo vga_info = {
     .qdev.name    = "VGA",
     .qdev.size    = sizeof(PCIVGAState),
     .qdev.vmsd    = &vmstate_vga_pci,
+    .no_hotplug   = 1,
     .init         = pci_vga_initfn,
     .config_write = pci_vga_write_config,
     .romfile      = "vgabios-stdvga.bin",
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index d9dd52f..6c59053 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -1318,6 +1318,7 @@ static PCIDeviceInfo vmsvga_info = {
     .qdev.name    = "vmware-svga",
     .qdev.size    = sizeof(struct pci_vmsvga_state_s),
     .qdev.vmsd    = &vmstate_vmware_vga,
+    .no_hotplug   = 1,
     .init         = pci_vmsvga_initfn,
     .romfile      = "vgabios-vmware.bin",
 };
commit 0965f12da61cbfe62252d21a8e6fa309753760e8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 6 15:14:38 2011 +0100

    piix: tag as not hotpluggable.
    
    This patch tags all pci devices which belong to the piix3/4 chipsets as
    not hotpluggable (Host bridge, ISA bridge, IDE controller, ACPI bridge).
    
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 173d781..273097d 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -428,6 +428,8 @@ static PCIDeviceInfo piix4_pm_info = {
     .qdev.desc          = "PM",
     .qdev.size          = sizeof(PIIX4PMState),
     .qdev.vmsd          = &vmstate_acpi,
+    .qdev.no_user       = 1,
+    .no_hotplug         = 1,
     .init               = piix4_pm_initfn,
     .config_write       = pm_write_config,
     .qdev.props         = (Property[]) {
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index 1cad906..d4289af 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -194,11 +194,13 @@ static PCIDeviceInfo piix_ide_info[] = {
         .qdev.name    = "piix3-ide",
         .qdev.size    = sizeof(PCIIDEState),
         .qdev.no_user = 1,
+        .no_hotplug   = 1,
         .init         = pci_piix3_ide_initfn,
     },{
         .qdev.name    = "piix4-ide",
         .qdev.size    = sizeof(PCIIDEState),
         .qdev.no_user = 1,
+        .no_hotplug   = 1,
         .init         = pci_piix4_ide_initfn,
     },{
         /* end of list */
diff --git a/hw/piix4.c b/hw/piix4.c
index 5489386..72073cd 100644
--- a/hw/piix4.c
+++ b/hw/piix4.c
@@ -113,6 +113,7 @@ static PCIDeviceInfo piix4_info[] = {
         .qdev.desc    = "ISA bridge",
         .qdev.size    = sizeof(PCIDevice),
         .qdev.no_user = 1,
+        .no_hotplug   = 1,
         .init         = piix4_initfn,
     },{
         /* end of list */
diff --git a/hw/piix_pci.c b/hw/piix_pci.c
index 38f9d9e..358da58 100644
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@ -348,6 +348,7 @@ static PCIDeviceInfo i440fx_info[] = {
         .qdev.size    = sizeof(PCII440FXState),
         .qdev.vmsd    = &vmstate_i440fx,
         .qdev.no_user = 1,
+        .no_hotplug   = 1,
         .init         = i440fx_initfn,
         .config_write = i440fx_write_config,
     },{
@@ -356,6 +357,7 @@ static PCIDeviceInfo i440fx_info[] = {
         .qdev.size    = sizeof(PIIX3State),
         .qdev.vmsd    = &vmstate_piix3,
         .qdev.no_user = 1,
+        .no_hotplug   = 1,
         .init         = piix3_initfn,
     },{
         /* end of list */
commit 180c22e18b0a9be21445271f94347238b0bc0a25
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 6 15:14:37 2011 +0100

    pci: allow devices being tagged as not hotpluggable.
    
    This patch adds a field to PCIDeviceInfo to tag devices as being
    not hotpluggable.  Any attempt to plug-in or -out such a device
    will throw an error.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index d0b51b8..8d0e3df 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1624,6 +1624,11 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
                                      info->is_bridge);
     if (pci_dev == NULL)
         return -1;
+    if (qdev->hotplugged && info->no_hotplug) {
+        qerror_report(QERR_DEVICE_NO_HOTPLUG, info->qdev.name);
+        do_pci_unregister_device(pci_dev);
+        return -1;
+    }
     rc = info->init(pci_dev);
     if (rc != 0) {
         do_pci_unregister_device(pci_dev);
@@ -1656,7 +1661,12 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
 static int pci_unplug_device(DeviceState *qdev)
 {
     PCIDevice *dev = DO_UPCAST(PCIDevice, qdev, qdev);
+    PCIDeviceInfo *info = container_of(qdev->info, PCIDeviceInfo, qdev);
 
+    if (info->no_hotplug) {
+        qerror_report(QERR_DEVICE_NO_HOTPLUG, info->qdev.name);
+        return -1;
+    }
     return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
                              PCI_HOTPLUG_DISABLED);
 }
diff --git a/hw/pci.h b/hw/pci.h
index 052960e..bc8d5bb 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -436,6 +436,9 @@ typedef struct {
     /* pcie stuff */
     int is_express;   /* is this device pci express? */
 
+    /* device isn't hot-pluggable */
+    int no_hotplug;
+
     /* rom bar */
     const char *romfile;
 } PCIDeviceInfo;
diff --git a/qerror.c b/qerror.c
index ac2cdaf..9d0cdeb 100644
--- a/qerror.c
+++ b/qerror.c
@@ -101,6 +101,10 @@ static const QErrorStringTable qerror_table[] = {
         .desc      = "Device '%(device)' has no child bus",
     },
     {
+        .error_fmt = QERR_DEVICE_NO_HOTPLUG,
+        .desc      = "Device '%(device)' does not support hotplugging",
+    },
+    {
         .error_fmt = QERR_DUPLICATE_ID,
         .desc      = "Duplicate ID '%(id)' for %(object)",
     },
diff --git a/qerror.h b/qerror.h
index 943a24b..b0f69da 100644
--- a/qerror.h
+++ b/qerror.h
@@ -90,6 +90,9 @@ QError *qobject_to_qerror(const QObject *obj);
 #define QERR_DEVICE_NO_BUS \
     "{ 'class': 'DeviceNoBus', 'data': { 'device': %s } }"
 
+#define QERR_DEVICE_NO_HOTPLUG \
+    "{ 'class': 'DeviceNoHotplug', 'data': { 'device': %s } }"
+
 #define QERR_DUPLICATE_ID \
     "{ 'class': 'DuplicateId', 'data': { 'id': %s, 'object': %s } }"
 
commit 8aaf42ed0f203da63860b0a3ab3ff2bdfe9b4cb0
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:43:13 2011 +0100

    slirp: fix unaligned access in bootp code
    
    Slirp code tries to be smart an avoid data copy by using pointer to
    the data. This solution leads to unaligned access, in this case
    preq_addr, which is a 32-bit long structure. There is no real point
    of avoiding data copy in a such case, as the value itself is smaller
    or the same size as a pointer.
    
    The patch replaces pointers to the preq_addr structure by the strcture
    itself, and use the address 0.0.0.0 if no address has been requested
    (this is not a valid address in such a request). It compares it with
    htonl(0L) for correctness reasons, in case a code checker look for such
    mistakes. It also uses memcpy() for copying the data, which takes care
    of alignement issues.
    
    This fixes an unaligned access on IA64 host while requesting a DHCP
    address.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/slirp/bootp.c b/slirp/bootp.c
index 41460ff..0905c6d 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -92,13 +92,13 @@ static BOOTPClient *find_addr(Slirp *slirp, struct in_addr *paddr,
 }
 
 static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
-                        const struct in_addr **preq_addr)
+                        struct in_addr *preq_addr)
 {
     const uint8_t *p, *p_end;
     int len, tag;
 
     *pmsg_type = 0;
-    *preq_addr = NULL;
+    preq_addr->s_addr = htonl(0L);
 
     p = bp->bp_vend;
     p_end = p + DHCP_OPT_LEN;
@@ -124,8 +124,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
                     *pmsg_type = p[0];
                 break;
             case RFC2132_REQ_ADDR:
-                if (len >= 4)
-                    *preq_addr = (struct in_addr *)p;
+                if (len >= 4) {
+                    memcpy(&(preq_addr->s_addr), p, 4);
+                }
                 break;
             default:
                 break;
@@ -133,8 +134,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
             p += len;
         }
     }
-    if (*pmsg_type == DHCPREQUEST && !*preq_addr && bp->bp_ciaddr.s_addr) {
-        *preq_addr = &bp->bp_ciaddr;
+    if (*pmsg_type == DHCPREQUEST && preq_addr->s_addr == htonl(0L) &&
+        bp->bp_ciaddr.s_addr) {
+        memcpy(&(preq_addr->s_addr), &bp->bp_ciaddr, 4);
     }
 }
 
@@ -144,15 +146,15 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
     struct mbuf *m;
     struct bootp_t *rbp;
     struct sockaddr_in saddr, daddr;
-    const struct in_addr *preq_addr;
+    struct in_addr preq_addr;
     int dhcp_msg_type, val;
     uint8_t *q;
 
     /* extract exact DHCP msg type */
     dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
     DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
-    if (preq_addr)
-        DPRINTF(" req_addr=%08x\n", ntohl(preq_addr->s_addr));
+    if (preq_addr.s_addr != htonl(0L))
+        DPRINTF(" req_addr=%08x\n", ntohl(preq_addr.s_addr));
     else
         DPRINTF("\n");
 
@@ -175,10 +177,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
     memset(rbp, 0, sizeof(struct bootp_t));
 
     if (dhcp_msg_type == DHCPDISCOVER) {
-        if (preq_addr) {
-            bc = request_addr(slirp, preq_addr, slirp->client_ethaddr);
+        if (preq_addr.s_addr != htonl(0L)) {
+            bc = request_addr(slirp, &preq_addr, slirp->client_ethaddr);
             if (bc) {
-                daddr.sin_addr = *preq_addr;
+                daddr.sin_addr = preq_addr;
             }
         }
         if (!bc) {
@@ -190,10 +192,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
             }
         }
         memcpy(bc->macaddr, slirp->client_ethaddr, 6);
-    } else if (preq_addr) {
-        bc = request_addr(slirp, preq_addr, slirp->client_ethaddr);
+    } else if (preq_addr.s_addr != htonl(0L)) {
+        bc = request_addr(slirp, &preq_addr, slirp->client_ethaddr);
         if (bc) {
-            daddr.sin_addr = *preq_addr;
+            daddr.sin_addr = preq_addr;
             memcpy(bc->macaddr, slirp->client_ethaddr, 6);
         } else {
             daddr.sin_addr.s_addr = 0;
commit 102c29769fa7cd564053ea41735395f428b6f197
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:43:13 2011 +0100

    bswap.h: add cpu_to_be64wu()
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/bswap.h b/bswap.h
index 20caae6..82a7951 100644
--- a/bswap.h
+++ b/bswap.h
@@ -144,6 +144,7 @@ CPU_CONVERT(le, 64, uint64_t)
 
 #define cpu_to_be16wu(p, v) cpu_to_be16w(p, v)
 #define cpu_to_be32wu(p, v) cpu_to_be32w(p, v)
+#define cpu_to_be64wu(p, v) cpu_to_be64w(p, v)
 
 #else
 
@@ -201,6 +202,20 @@ static inline void cpu_to_be32wu(uint32_t *p, uint32_t v)
     p1[3] = v & 0xff;
 }
 
+static inline void cpu_to_be64wu(uint64_t *p, uint64_t v)
+{
+    uint8_t *p1 = (uint8_t *)p;
+
+    p1[0] = v >> 56;
+    p1[1] = v >> 48;
+    p1[2] = v >> 40;
+    p1[3] = v >> 32;
+    p1[4] = v >> 24;
+    p1[5] = v >> 16;
+    p1[6] = v >> 8;
+    p1[7] = v & 0xff;
+}
+
 #endif
 
 #ifdef HOST_WORDS_BIGENDIAN
commit 0f11f25a001f6adca18689192182d415ff3dbb7c
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:43:13 2011 +0100

    tcg/arm: improve constant loading
    
    Improve constant loading in two ways:
    - On all ARM versions, it's possible to load 0xffffff00 = -0x100 using
      the mvn rd, #0. Fix the conditions.
    - On <= ARMv6 versions, where movw and movt are not available, load the
      constants using mov and orr with rotations depending on the constant
      to load. This is very useful for example to load constants where the
      low byte is 0. This reduce the generated code size by about 7%.
    
    Also fix the coding style at the same time.
    
    Cc: Andrzej Zaborowski <balrog at zabor.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c
index 08c44c1..1eb5605 100644
--- a/tcg/arm/tcg-target.c
+++ b/tcg/arm/tcg-target.c
@@ -406,35 +406,38 @@ static inline void tcg_out_dat_imm(TCGContext *s,
 }
 
 static inline void tcg_out_movi32(TCGContext *s,
-                int cond, int rd, int32_t arg)
+                int cond, int rd, uint32_t arg)
 {
     /* TODO: This is very suboptimal, we can easily have a constant
      * pool somewhere after all the instructions.  */
-
-    if (arg < 0 && arg > -0x100)
-        return tcg_out_dat_imm(s, cond, ARITH_MVN, rd, 0, (~arg) & 0xff);
-
-    if (use_armv7_instructions) {
+    if ((int)arg < 0 && (int)arg >= -0x100) {
+        tcg_out_dat_imm(s, cond, ARITH_MVN, rd, 0, (~arg) & 0xff);
+    } else if (use_armv7_instructions) {
         /* use movw/movt */
         /* movw */
         tcg_out32(s, (cond << 28) | 0x03000000 | (rd << 12)
                   | ((arg << 4) & 0x000f0000) | (arg & 0xfff));
-        if (arg & 0xffff0000)
+        if (arg & 0xffff0000) {
             /* movt */
             tcg_out32(s, (cond << 28) | 0x03400000 | (rd << 12)
                       | ((arg >> 12) & 0x000f0000) | ((arg >> 16) & 0xfff));
-    } else {
-        tcg_out_dat_imm(s, cond, ARITH_MOV, rd, 0, arg & 0xff);
-        if (arg & 0x0000ff00)
-            tcg_out_dat_imm(s, cond, ARITH_ORR, rd, rd,
-                            ((arg >>  8) & 0xff) | 0xc00);
-        if (arg & 0x00ff0000)
-            tcg_out_dat_imm(s, cond, ARITH_ORR, rd, rd,
-                            ((arg >> 16) & 0xff) | 0x800);
-        if (arg & 0xff000000)
-            tcg_out_dat_imm(s, cond, ARITH_ORR, rd, rd,
-                            ((arg >> 24) & 0xff) | 0x400);
         }
+    } else {
+        int opc = ARITH_MOV;
+        int rn = 0;
+
+        do {
+            int i, rot;
+
+            i = ctz32(arg) & ~1;
+            rot = ((32 - i) << 7) & 0xf00;
+            tcg_out_dat_imm(s, cond, opc, rd, rn, ((arg >> i) & 0xff) | rot);
+            arg &= ~(0xff << i);
+
+            opc = ARITH_ORR;
+            rn = rd;
+        } while (arg);
+    }
 }
 
 static inline void tcg_out_mul32(TCGContext *s,
commit a3e28aa5c748958e5719451aaff88a4d78e09a80
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Jan 10 01:39:49 2011 +0100

    tcg/ia64: remove an unnecessary stop bit
    
    Spotted by Richard Henderson.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index 3ddf434..e2e44f7 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -1329,7 +1329,7 @@ static inline void tcg_out_bswap32(TCGContext *s, TCGArg ret, TCGArg arg)
 
 static inline void tcg_out_bswap64(TCGContext *s, TCGArg ret, TCGArg arg)
 {
-    tcg_out_bundle(s, mII,
+    tcg_out_bundle(s, miI,
                    tcg_opc_m48(TCG_REG_P0, OPC_NOP_M48, 0),
                    tcg_opc_i18(TCG_REG_P0, OPC_NOP_I18, 0),
                    tcg_opc_i3 (TCG_REG_P0, OPC_MUX1_I3, ret, arg, 0xb));
commit 829a49274f6741c0f3d3a2ba4698baf381a7e264
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sun Jan 9 23:53:45 2011 +0100

    target-sh4: improve TLB
    
    SH4 is using 16-bit instructions which means most of the constants are
    loaded through a constant pool at the end of the subroutine. The same
    memory page is therefore accessed in exec and read mode.
    
    With the current implementation, a QEMU TLB entry is set to read or
    read/write mode after an UTLB search and to exec mode after an ITLB
    search, which causes a lot of TLB exceptions to switch from read or
    read/write to exec and vice versa.
    
    This patch optimizes that by already setting the QEMU TLB entry in read
    or read/write mode when an UTLB entry is copied into ITLB (during an
    ITLB miss). This improve the emulation speed by about 14%.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 863886b..2343366 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -280,35 +280,40 @@ static void increment_urc(CPUState * env)
     env->mmucr = (env->mmucr & 0xffff03ff) | (urc << 10);
 }
 
-/* Find itlb entry - update itlb from utlb if necessary and asked for
+/* Copy and utlb entry into itlb
+   Return entry
+*/
+static int copy_utlb_entry_itlb(CPUState *env, int utlb)
+{
+    int itlb;
+
+    tlb_t * ientry;
+    itlb = itlb_replacement(env);
+    ientry = &env->itlb[itlb];
+    if (ientry->v) {
+        tlb_flush_page(env, ientry->vpn << 10);
+    }
+    *ientry = env->utlb[utlb];
+    update_itlb_use(env, itlb);
+    return itlb;
+}
+
+/* Find itlb entry
    Return entry, MMU_ITLB_MISS, MMU_ITLB_MULTIPLE or MMU_DTLB_MULTIPLE
-   Update the itlb from utlb if update is not 0
 */
 static int find_itlb_entry(CPUState * env, target_ulong address,
-                           int use_asid, int update)
+                           int use_asid)
 {
-    int e, n;
+    int e;
 
     e = find_tlb_entry(env, address, env->itlb, ITLB_SIZE, use_asid);
-    if (e == MMU_DTLB_MULTIPLE)
+    if (e == MMU_DTLB_MULTIPLE) {
 	e = MMU_ITLB_MULTIPLE;
-    else if (e == MMU_DTLB_MISS && update) {
-	e = find_tlb_entry(env, address, env->utlb, UTLB_SIZE, use_asid);
-	if (e >= 0) {
-	    tlb_t * ientry;
-	    n = itlb_replacement(env);
-	    ientry = &env->itlb[n];
-	    if (ientry->v) {
-                tlb_flush_page(env, ientry->vpn << 10);
-	    }
-	    *ientry = env->utlb[e];
-	    e = n;
-	} else if (e == MMU_DTLB_MISS)
-	    e = MMU_ITLB_MISS;
-    } else if (e == MMU_DTLB_MISS)
+    } else if (e == MMU_DTLB_MISS) {
 	e = MMU_ITLB_MISS;
-    if (e >= 0)
+    } else if (e >= 0) {
 	update_itlb_use(env, e);
+    }
     return e;
 }
 
@@ -340,13 +345,31 @@ static int get_mmu_address(CPUState * env, target_ulong * physical,
     use_asid = (env->mmucr & MMUCR_SV) == 0 || (env->sr & SR_MD) == 0;
 
     if (rw == 2) {
-	n = find_itlb_entry(env, address, use_asid, 1);
+        n = find_itlb_entry(env, address, use_asid);
 	if (n >= 0) {
 	    matching = &env->itlb[n];
 	    if (!(env->sr & SR_MD) && !(matching->pr & 2))
 		n = MMU_ITLB_VIOLATION;
 	    else
 		*prot = PAGE_EXEC;
+        } else {
+            n = find_utlb_entry(env, address, use_asid);
+            if (n >= 0) {
+                n = copy_utlb_entry_itlb(env, n);
+                matching = &env->itlb[n];
+                if (!(env->sr & SR_MD) && !(matching->pr & 2)) {
+                      n = MMU_ITLB_VIOLATION;
+                } else {
+                    *prot = PAGE_READ | PAGE_EXEC;
+                    if ((matching->pr & 1) && matching->d) {
+                        *prot |= PAGE_WRITE;
+                    }
+                }
+            } else if (n == MMU_DTLB_MULTIPLE) {
+                n = MMU_ITLB_MULTIPLE;
+            } else if (n == MMU_DTLB_MISS) {
+                n = MMU_ITLB_MISS;
+            }
 	}
     } else {
 	n = find_utlb_entry(env, address, use_asid);
commit c0f809c46aa271f29a9e6268cdeda1f21301a8ef
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sun Jan 9 23:53:45 2011 +0100

    target-sh4: implement writes to mmaped ITLB
    
    Some Linux kernels seems to implement ITLB/UTLB flushing through by
    writing all TLB entries through the memory mapped interface instead
    of writing one to MMUCR.TI.
    
    Implement memory mapped ITLB write interface so that such kernels can
    boot. This fixes https://bugs.launchpad.net/bugs/700774 .
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/sh7750.c b/hw/sh7750.c
index 9e54ad1..36b702f 100644
--- a/hw/sh7750.c
+++ b/hw/sh7750.c
@@ -670,6 +670,8 @@ static void sh7750_mmct_writel(void *opaque, target_phys_addr_t addr,
         /* do nothing */
 	break;
     case MM_ITLB_ADDR:
+        cpu_sh4_write_mmaped_itlb_addr(s->cpu, addr, mem_value);
+        break;
     case MM_ITLB_DATA:
         /* XXXXX */
         abort();
diff --git a/target-sh4/cpu.h b/target-sh4/cpu.h
index e197766..8ccf25c 100644
--- a/target-sh4/cpu.h
+++ b/target-sh4/cpu.h
@@ -172,6 +172,8 @@ void do_interrupt(CPUSH4State * env);
 void sh4_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #if !defined(CONFIG_USER_ONLY)
 void cpu_sh4_invalidate_tlb(CPUSH4State *s);
+void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
+				    uint32_t mem_value);
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
 				    uint32_t mem_value);
 #endif
diff --git a/target-sh4/helper.c b/target-sh4/helper.c
index 9e70352..863886b 100644
--- a/target-sh4/helper.c
+++ b/target-sh4/helper.c
@@ -544,6 +544,25 @@ void cpu_load_tlb(CPUSH4State * env)
     tlb_flush(s, 1);
 }
 
+void cpu_sh4_write_mmaped_itlb_addr(CPUSH4State *s, target_phys_addr_t addr,
+				    uint32_t mem_value)
+{
+    uint32_t vpn = (mem_value & 0xfffffc00) >> 10;
+    uint8_t v = (uint8_t)((mem_value & 0x00000100) >> 8);
+    uint8_t asid = (uint8_t)(mem_value & 0x000000ff);
+
+    int index = (addr & 0x00003f00) >> 8;
+    tlb_t * entry = &s->itlb[index];
+    if (entry->v) {
+        /* Overwriting valid entry in itlb. */
+        target_ulong address = entry->vpn << 10;
+        tlb_flush_page(s, address);
+    }
+    entry->asid = asid;
+    entry->vpn = vpn;
+    entry->v = v;
+}
+
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
 				    uint32_t mem_value)
 {
commit 759c90ba3d4f8dcb748d7719f7ea82b181ffd590
Author: Mike Frysinger <vapier at gentoo.org>
Date:   Sun Jan 9 03:45:45 2011 -0500

    tcg: fix typo in readme
    
    Signed-off-by: Mike Frysinger <vapier at gentoo.org>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tcg/README b/tcg/README
index a2b69dd..a18a87f 100644
--- a/tcg/README
+++ b/tcg/README
@@ -364,7 +364,7 @@ formed from two 32-bit arguments.  The result is a 32-bit value.
 
 ********* QEMU specific operations
 
-* tb_exit t0
+* exit_tb t0
 
 Exit the current TB and return the value t0 (word type).
 
commit aa95e3a57fe4c9485c7540ab64c6d4883e4cd01d
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Jan 7 21:34:50 2011 +0100

    tcg/README: Spelling fixes
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tcg/README b/tcg/README
index 68d27ff..a2b69dd 100644
--- a/tcg/README
+++ b/tcg/README
@@ -75,11 +75,11 @@ destroyed, but local temporaries and globals are preserved.
 * Helpers:
 
 Using the tcg_gen_helper_x_y it is possible to call any function
-taking i32, i64 or pointer types. By default, before calling an helper,
+taking i32, i64 or pointer types. By default, before calling a helper,
 all globals are stored at their canonical location and it is assumed
-that the function can modify them. This can be overriden by the
+that the function can modify them. This can be overridden by the
 TCG_CALL_CONST function modifier. By default, the helper is allowed to
-modify the CPU state or raise an exception. This can be overriden by
+modify the CPU state or raise an exception. This can be overridden by
 the TCG_CALL_PURE function modifier, in which case the call to the
 function is removed if the return value is not used.
 
@@ -488,7 +488,7 @@ register.
   the speed of the translation.
 
 - Don't hesitate to use helpers for complicated or seldom used target
-  intructions. There is little performance advantage in using TCG to
+  instructions. There is little performance advantage in using TCG to
   implement target instructions taking more than about twenty TCG
   instructions.
 
commit e8dc09382289fee771999e135c05e8938900c410
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Jan 7 21:31:39 2011 +0100

    qemu-tech: Spelling fixes
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-tech.texi b/qemu-tech.texi
index 2e2a081..138e3ce 100644
--- a/qemu-tech.texi
+++ b/qemu-tech.texi
@@ -516,7 +516,7 @@ timers, especially together with the use of bottom halves (BHs).
 @section Hardware interrupts
 
 In order to be faster, QEMU does not check at every basic block if an
-hardware interrupt is pending. Instead, the user must asynchrously
+hardware interrupt is pending. Instead, the user must asynchronously
 call a specific function to tell that an interrupt is pending. This
 function resets the chaining of the currently executing basic
 block. It ensures that the execution will return soon in the main loop
@@ -548,7 +548,7 @@ Linux kernel does. The @code{sigreturn()} system call is emulated to return
 from the virtual signal handler.
 
 Some signals (such as SIGALRM) directly come from the host. Other
-signals are synthetized from the virtual CPU exceptions such as SIGFPE
+signals are synthesized from the virtual CPU exceptions such as SIGFPE
 when a division by zero is done (see @code{main.c:cpu_loop()}).
 
 The blocked signal mask is still handled by the host Linux kernel so
commit 40c5c6cd2bb2b6cc2e15fbd071dab956811f3266
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Jan 7 18:59:16 2011 +0100

    qemu-doc: Spelling fixes
    
    neccessary -> necessary
    Keberos -> Kerberos
    emuilated -> emulated
    transciever -> transceiver
    emulaton -> emulation
    inital -> initial
    MingGW -> MinGW
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index a1e6130..45190f6 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -1049,7 +1049,7 @@ qemu [...OPTIONS...] -vnc :1,tls,x509,sasl -monitor stdio
 
 The GNU TLS packages provides a command called @code{certtool} which can
 be used to generate certificates and keys in PEM format. At a minimum it
-is neccessary to setup a certificate authority, and issue certificates to
+is necessary to setup a certificate authority, and issue certificates to
 each server. If using certificates for authentication, then each client
 will also need to be issued a certificate. The recommendation is for the
 server to keep its certificates in either @code{/etc/pki/qemu} or for
@@ -1192,7 +1192,7 @@ keytab: /etc/qemu/krb5.tab
 For this to work the administrator of your KDC must generate a Kerberos
 principal for the server, with a name of  'qemu/somehost.example.com@@EXAMPLE.COM'
 replacing 'somehost.example.com' with the fully qualified host name of the
-machine running QEMU, and 'EXAMPLE.COM' with the Keberos Realm.
+machine running QEMU, and 'EXAMPLE.COM' with the Kerberos Realm.
 
 Other configurations will be left as an exercise for the reader. It should
 be noted that only Digest-MD5 and GSSAPI provides a SSF layer for data
@@ -1774,7 +1774,7 @@ enabled in the kernel, and expect 512M RAM.  Kernels for The PBX-A9 board
 should have CONFIG_SPARSEMEM enabled, CONFIG_REALVIEW_HIGH_PHYS_OFFSET
 disabled and expect 1024M RAM.
 
-The following devices are emuilated:
+The following devices are emulated:
 
 @itemize @minus
 @item
@@ -1874,7 +1874,7 @@ Secure Digital card connected to OMAP MMC/SD host
 @item
 Three OMAP on-chip UARTs and on-chip STI debugging console
 @item
-A Bluetooth(R) transciever and HCI connected to an UART
+A Bluetooth(R) transceiver and HCI connected to an UART
 @item
 Mentor Graphics "Inventra" dual-role USB controller embedded in a TI
 TUSB6010 chip - only USB host mode is supported
@@ -1936,7 +1936,7 @@ MV88W8618 audio controller, WM8750 CODEC and mixer
 @end itemize
 
 The Siemens SX1 models v1 and v2 (default) basic emulation.
-The emulaton includes the following elements:
+The emulation includes the following elements:
 
 @itemize @minus
 @item
@@ -2192,7 +2192,7 @@ Set the x86 stack size in bytes (default=524288)
 Select CPU model (-cpu ? for list and additional feature selection)
 @item -ignore-environment
 Start with an empty environment. Without this option,
-the inital environment is a copy of the caller's environment.
+the initial environment is a copy of the caller's environment.
 @item -E @var{var}=@var{value}
 Set environment @var{var} to @var{value}.
 @item -U @var{var}
@@ -2422,7 +2422,7 @@ Set the library root path (default=/)
 Set the stack size in bytes (default=524288)
 @item -ignore-environment
 Start with an empty environment. Without this option,
-the inital environment is a copy of the caller's environment.
+the initial environment is a copy of the caller's environment.
 @item -E @var{var}=@var{value}
 Set environment @var{var} to @var{value}.
 @item -U @var{var}
@@ -2495,7 +2495,7 @@ correct SDL directory when invoked.
 
 @item Install the MinGW version of zlib and make sure
 @file{zlib.h} and @file{libz.dll.a} are in
-MingGW's default header and linker search paths.
+MinGW's default header and linker search paths.
 
 @item Extract the current version of QEMU.
 
@@ -2530,7 +2530,7 @@ the QEMU configuration script.
 
 @item Install the MinGW version of zlib and make sure
 @file{zlib.h} and @file{libz.dll.a} are in
-MingGW's default header and linker search paths.
+MinGW's default header and linker search paths.
 
 @item
 Configure QEMU for Windows cross compilation:
@@ -2539,7 +2539,7 @@ PATH=/usr/i686-pc-mingw32/sys-root/mingw/bin:$PATH ./configure --cross-prefix='i
 @end example
 The example assumes @file{sdl-config} is installed under @file{/usr/i686-pc-mingw32/sys-root/mingw/bin} and
 MinGW cross compilation tools have names like @file{i686-pc-mingw32-gcc} and @file{i686-pc-mingw32-strip}.
-We set the @code{PATH} environment variable to ensure the MingW version of @file{sdl-config} is used and
+We set the @code{PATH} environment variable to ensure the MinGW version of @file{sdl-config} is used and
 use --cross-prefix to specify the name of the cross compiler.
 You can also use --prefix to set the Win32 install path which defaults to @file{c:/Program Files/Qemu}.
 
commit 2d983446ff853490f63eeefeabd7e352843cf856
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Jan 7 18:59:15 2011 +0100

    qemu-doc: Add missing blanks
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 744ba73..a1e6130 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -203,7 +203,7 @@ Intel 82801AA AC97 Audio compatible sound card
 @item
 Intel HD Audio Controller and HDA codec
 @item
-Adlib(OPL2) - Yamaha YM3812 compatible chip
+Adlib (OPL2) - Yamaha YM3812 compatible chip
 @item
 Gravis Ultrasound GF1 sound card
 @item
@@ -223,7 +223,7 @@ VGA BIOS.
 
 QEMU uses YM3812 emulation by Tatsuyuki Satoh.
 
-QEMU uses GUS emulation(GUSEMU32 @url{http://www.deinmeister.de/gusemu/})
+QEMU uses GUS emulation (GUSEMU32 @url{http://www.deinmeister.de/gusemu/})
 by Tibor "TS" Schütz.
 
 Not that, by default, GUS shares IRQ(7) with parallel ports and so
commit 576fd0a1cb07f6ee325f70d69ae3a4e2f0b283fc
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Jan 7 18:59:14 2011 +0100

    qemu-doc: Add missing menu entry
    
    Each @section should have a menu entry and a @node entry.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 21d8a82..744ba73 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -162,6 +162,7 @@ TODO (no longer available)
 * pcsys_monitor::      QEMU Monitor
 * disk_images::        Disk Images
 * pcsys_network::      Network emulation
+* pcsys_other_devs::   Other Devices
 * direct_linux_boot::  Direct Linux Boot
 * pcsys_usb::          USB emulation
 * vnc_security::       VNC security
@@ -715,6 +716,7 @@ Using the @option{-net socket} option, it is possible to make VLANs
 that span several QEMU instances. See @ref{sec_invocation} to have a
 basic example.
 
+ at node pcsys_other_devs
 @section Other Devices
 
 @subsection Inter-VM Shared Memory device
commit 0d6753e5b3115c09313114afcdf554c34670359a
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Jan 7 18:59:13 2011 +0100

    qemu-doc: Clean whitespace
    
    Remove blanks at line endings.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index 7ce8999..21d8a82 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -832,7 +832,7 @@ Standard USB keyboard.  Will override the PS/2 keyboard (if present).
 Serial converter. This emulates an FTDI FT232BM chip connected to host character
 device @var{dev}. The available character devices are the same as for the
 @code{-serial} option. The @code{vendorid} and @code{productid} options can be
-used to override the default 0403:6001. For instance, 
+used to override the default 0403:6001. For instance,
 @example
 usb_add serial:productid=FA00:tcp:192.168.0.2:4444
 @end example
@@ -2201,7 +2201,7 @@ the address region required by guest applications is reserved on the host.
 This option is currently only supported on some hosts.
 @item -R size
 Pre-allocate a guest virtual address space of the given size (in bytes).
-"G", "M", and "k" suffixes may be used when specifying the size.  
+"G", "M", and "k" suffixes may be used when specifying the size.
 @end table
 
 Debug options:
commit 1a20a032ccbb5800bfdfc75accfcff2ac67f5bcb
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 9 14:43:33 2011 +0000

    usb-bsd: fix a file descriptor leak
    
    Fix a file descriptor leak reported by cppcheck:
    [/src/qemu/usb-bsd.c:392]: (error) Resource leak: bfd
    [/src/qemu/usb-bsd.c:388]: (error) Resource leak: dfd
    
    Rearrange the code to avoid descriptor leaks. Also add braces as
    needed.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/usb-bsd.c b/usb-bsd.c
index 48567a3..abcb60c 100644
--- a/usb-bsd.c
+++ b/usb-bsd.c
@@ -306,14 +306,15 @@ USBDevice *usb_host_device_open(const char *devname)
 {
     struct usb_device_info bus_info, dev_info;
     USBDevice *d = NULL;
-    USBHostDevice *dev;
+    USBHostDevice *dev, *ret = NULL;
     char ctlpath[PATH_MAX + 1];
     char buspath[PATH_MAX + 1];
     int bfd, dfd, bus, address, i;
     int ugendebug = UGEN_DEBUG_LEVEL;
 
-    if (usb_host_find_device(&bus, &address, devname) < 0)
-        return NULL;
+    if (usb_host_find_device(&bus, &address, devname) < 0) {
+        goto fail;
+    }
 
     snprintf(buspath, PATH_MAX, "/dev/usb%d", bus);
 
@@ -323,7 +324,7 @@ USBDevice *usb_host_device_open(const char *devname)
         printf("usb_host_device_open: failed to open usb bus - %s\n",
                strerror(errno));
 #endif
-        return NULL;
+        goto fail;
     }
 
     bus_info.udi_addr = address;
@@ -332,7 +333,7 @@ USBDevice *usb_host_device_open(const char *devname)
         printf("usb_host_device_open: failed to grab bus information - %s\n",
                strerror(errno));
 #endif
-        return NULL;
+        goto fail_bfd;
     }
 
 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
@@ -350,46 +351,52 @@ USBDevice *usb_host_device_open(const char *devname)
                    ctlpath, strerror(errno));
 #endif
         }
+        goto fail_dfd;
     }
 
-    if (dfd >= 0) {
-        if (ioctl(dfd, USB_GET_DEVICEINFO, &dev_info) < 0) {
+    if (ioctl(dfd, USB_GET_DEVICEINFO, &dev_info) < 0) {
 #ifdef DEBUG
-            printf("usb_host_device_open: failed to grab device info - %s\n",
-                   strerror(errno));
+        printf("usb_host_device_open: failed to grab device info - %s\n",
+               strerror(errno));
 #endif
-            goto fail;
-        }
+        goto fail_dfd;
+    }
 
-        d = usb_create(NULL /* FIXME */, "usb-host");
-        dev = DO_UPCAST(USBHostDevice, dev, d);
+    d = usb_create(NULL /* FIXME */, "usb-host");
+    dev = DO_UPCAST(USBHostDevice, dev, d);
 
-        if (dev_info.udi_speed == 1)
-            dev->dev.speed = USB_SPEED_LOW - 1;
-        else
-            dev->dev.speed = USB_SPEED_FULL - 1;
+    if (dev_info.udi_speed == 1) {
+        dev->dev.speed = USB_SPEED_LOW - 1;
+    } else {
+        dev->dev.speed = USB_SPEED_FULL - 1;
+    }
 
-        if (strncmp(dev_info.udi_product, "product", 7) != 0)
-            pstrcpy(dev->dev.product_desc, sizeof(dev->dev.product_desc),
-                    dev_info.udi_product);
-        else
-            snprintf(dev->dev.product_desc, sizeof(dev->dev.product_desc),
-                     "host:%s", devname);
+    if (strncmp(dev_info.udi_product, "product", 7) != 0) {
+        pstrcpy(dev->dev.product_desc, sizeof(dev->dev.product_desc),
+                dev_info.udi_product);
+    } else {
+        snprintf(dev->dev.product_desc, sizeof(dev->dev.product_desc),
+                 "host:%s", devname);
+    }
 
-        pstrcpy(dev->devpath, sizeof(dev->devpath), "/dev/");
-        pstrcat(dev->devpath, sizeof(dev->devpath), dev_info.udi_devnames[0]);
+    pstrcpy(dev->devpath, sizeof(dev->devpath), "/dev/");
+    pstrcat(dev->devpath, sizeof(dev->devpath), dev_info.udi_devnames[0]);
 
-        /* Mark the endpoints as not yet open */
-        for (i = 0; i < USB_MAX_ENDPOINTS; i++)
-           dev->ep_fd[i] = -1;
+    /* Mark the endpoints as not yet open */
+    for (i = 0; i < USB_MAX_ENDPOINTS; i++) {
+        dev->ep_fd[i] = -1;
+    }
 
-        ioctl(dfd, USB_SETDEBUG, &ugendebug);
+    ioctl(dfd, USB_SETDEBUG, &ugendebug);
 
-        return (USBDevice *)dev;
-    }
+    ret = (USBDevice *)dev;
 
+fail_dfd:
+    close(dfd);
+fail_bfd:
+    close(bfd);
 fail:
-    return NULL;
+    return ret;
 }
 
 static struct USBDeviceInfo usb_host_dev_info = {
commit d66bddd7a4535cca3fc9e98c3195a7411779693c
Author: Michael Walle <michael at walle.cc>
Date:   Sat Jan 8 17:53:30 2011 +0100

    alsaaudio: add endianness support for VoiceIn
    
    Signed-off-by: Michael Walle <michael at walle.cc>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/alsaaudio.c b/audio/alsaaudio.c
index 0741203..727b9f8 100644
--- a/audio/alsaaudio.c
+++ b/audio/alsaaudio.c
@@ -318,7 +318,7 @@ static int alsa_write (SWVoiceOut *sw, void *buf, int len)
     return audio_pcm_sw_write (sw, buf, len);
 }
 
-static snd_pcm_format_t aud_to_alsafmt (audfmt_e fmt)
+static snd_pcm_format_t aud_to_alsafmt (audfmt_e fmt, int endianness)
 {
     switch (fmt) {
     case AUD_FMT_S8:
@@ -328,16 +328,36 @@ static snd_pcm_format_t aud_to_alsafmt (audfmt_e fmt)
         return SND_PCM_FORMAT_U8;
 
     case AUD_FMT_S16:
-        return SND_PCM_FORMAT_S16_LE;
+        if (endianness) {
+            return SND_PCM_FORMAT_S16_BE;
+        }
+        else {
+            return SND_PCM_FORMAT_S16_LE;
+        }
 
     case AUD_FMT_U16:
-        return SND_PCM_FORMAT_U16_LE;
+        if (endianness) {
+            return SND_PCM_FORMAT_U16_BE;
+        }
+        else {
+            return SND_PCM_FORMAT_U16_LE;
+        }
 
     case AUD_FMT_S32:
-        return SND_PCM_FORMAT_S32_LE;
+        if (endianness) {
+            return SND_PCM_FORMAT_S32_BE;
+        }
+        else {
+            return SND_PCM_FORMAT_S32_LE;
+        }
 
     case AUD_FMT_U32:
-        return SND_PCM_FORMAT_U32_LE;
+        if (endianness) {
+            return SND_PCM_FORMAT_U32_BE;
+        }
+        else {
+            return SND_PCM_FORMAT_U32_LE;
+        }
 
     default:
         dolog ("Internal logic error: Bad audio format %d\n", fmt);
@@ -809,7 +829,7 @@ static int alsa_init_out (HWVoiceOut *hw, struct audsettings *as)
     snd_pcm_t *handle;
     struct audsettings obt_as;
 
-    req.fmt = aud_to_alsafmt (as->fmt);
+    req.fmt = aud_to_alsafmt (as->fmt, as->endianness);
     req.freq = as->freq;
     req.nchannels = as->nchannels;
     req.period_size = conf.period_size_out;
@@ -918,7 +938,7 @@ static int alsa_init_in (HWVoiceIn *hw, struct audsettings *as)
     snd_pcm_t *handle;
     struct audsettings obt_as;
 
-    req.fmt = aud_to_alsafmt (as->fmt);
+    req.fmt = aud_to_alsafmt (as->fmt, as->endianness);
     req.freq = as->freq;
     req.nchannels = as->nchannels;
     req.period_size = conf.period_size_in;
commit b6c9c9401c2f9eaf3ef93770c258d819ede7e11a
Author: Michael Walle <michael at walle.cc>
Date:   Sat Jan 8 17:53:29 2011 +0100

    ossaudio: add endianness support for VoiceIn
    
    Signed-off-by: Michael Walle <michael at walle.cc>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/ossaudio.c b/audio/ossaudio.c
index 42bffae..d7a55e5 100644
--- a/audio/ossaudio.c
+++ b/audio/ossaudio.c
@@ -161,7 +161,7 @@ static int oss_write (SWVoiceOut *sw, void *buf, int len)
     return audio_pcm_sw_write (sw, buf, len);
 }
 
-static int aud_to_ossfmt (audfmt_e fmt)
+static int aud_to_ossfmt (audfmt_e fmt, int endianness)
 {
     switch (fmt) {
     case AUD_FMT_S8:
@@ -171,10 +171,20 @@ static int aud_to_ossfmt (audfmt_e fmt)
         return AFMT_U8;
 
     case AUD_FMT_S16:
-        return AFMT_S16_LE;
+        if (endianness) {
+            return AFMT_S16_BE;
+        }
+        else {
+            return AFMT_S16_LE;
+        }
 
     case AUD_FMT_U16:
-        return AFMT_U16_LE;
+        if (endianness) {
+            return AFMT_U16_BE;
+        }
+        else {
+            return AFMT_U16_LE;
+        }
 
     default:
         dolog ("Internal logic error: Bad audio format %d\n", fmt);
@@ -516,7 +526,7 @@ static int oss_init_out (HWVoiceOut *hw, struct audsettings *as)
 
     oss->fd = -1;
 
-    req.fmt = aud_to_ossfmt (as->fmt);
+    req.fmt = aud_to_ossfmt (as->fmt, as->endianness);
     req.freq = as->freq;
     req.nchannels = as->nchannels;
     req.fragsize = conf.fragsize;
@@ -682,7 +692,7 @@ static int oss_init_in (HWVoiceIn *hw, struct audsettings *as)
 
     oss->fd = -1;
 
-    req.fmt = aud_to_ossfmt (as->fmt);
+    req.fmt = aud_to_ossfmt (as->fmt, as->endianness);
     req.freq = as->freq;
     req.nchannels = as->nchannels;
     req.fragsize = conf.fragsize;
commit d43ffce14023df871d6065eb864d1f41eb441f37
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:43:14 2011 +0100

    tcg/mips: fix branch target change during code retranslation
    
    TCG on MIPS was trying to avoid changing the branch offset, but didn't
    due to a stupid typo. Fix it.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/tcg/mips/tcg-target.c b/tcg/mips/tcg-target.c
index 2af7a2e..4e92a50 100644
--- a/tcg/mips/tcg-target.c
+++ b/tcg/mips/tcg-target.c
@@ -352,7 +352,7 @@ static inline void tcg_out_opc_imm(TCGContext *s, int opc, int rt, int rs, int i
 static inline void tcg_out_opc_br(TCGContext *s, int opc, int rt, int rs)
 {
     /* We need to keep the offset unchanged for retranslation */
-    uint16_t offset = (uint16_t)(*(uint32_t *) &s->code_ptr);
+    uint16_t offset = (uint16_t)(*(uint32_t *) s->code_ptr);
 
     tcg_out_opc_imm(s, opc, rt, rs, offset);
 }
commit 9a3abc21a61f95799c1f301b0b480a98a29fa0ff
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:43:13 2011 +0100

    tcg/arm: fix qemu_st64 for big endian targets
    
    Due to a typo, qemu_st64 doesn't properly byteswap the 32-bit low word of
    a 64 bit word before saving it. This patch fixes that.
    
    Acked-by: Andrzej Zaborowski <balrogg at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c
index 9def2e5..08c44c1 100644
--- a/tcg/arm/tcg-target.c
+++ b/tcg/arm/tcg-target.c
@@ -1248,7 +1248,7 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc)
             tcg_out_bswap32(s, COND_EQ, TCG_REG_R0, data_reg2);
             tcg_out_st32_rwb(s, COND_EQ, TCG_REG_R0, TCG_REG_R1, addr_reg);
             tcg_out_bswap32(s, COND_EQ, TCG_REG_R0, data_reg);
-            tcg_out_st32_12(s, COND_EQ, data_reg, TCG_REG_R1, 4);
+            tcg_out_st32_12(s, COND_EQ, TCG_REG_R0, TCG_REG_R1, 4);
         } else {
             tcg_out_st32_rwb(s, COND_EQ, data_reg, TCG_REG_R1, addr_reg);
             tcg_out_st32_12(s, COND_EQ, data_reg2, TCG_REG_R1, 4);
commit c69806ab82760a2e5ca880d41e8786276c838152
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:43:13 2011 +0100

    tcg/arm: fix branch target change during code retranslation
    
    QEMU uses code retranslation to restore the CPU state when an exception
    happens. For it to work the retranslation must not modify the generated
    code. This is what is currently implemented in ARM TCG.
    
    However on CPU that don't have icache/dcache/memory synchronised like
    ARM, this requirement is stronger and code retranslation must not modify
    the generated code "atomically", as the cache line might be flushed
    at any moment (interrupt, exception, task switching), even if not
    triggered by QEMU. The probability for this to happen is very low, and
    depends on cache size and associativiy, machine load, interrupts, so the
    symptoms are might happen randomly.
    
    This requirement is currently not followed in tcg/arm, for the
    load/store code, which basically has the following structure:
      1) tlb access code is written
      2) conditional fast path code is written
      3) branch is written with a temporary target
      4) slow path code is written
      5) branch target is updated
    The cache lines corresponding to the retranslated code is not flushed
    after code retranslation as the generated code is supposed to be the
    same. However if the cache line corresponding to the branch instruction
    is flushed between step 3 and 5, and is not flushed again before the
    code is executed again, the branch target is wrong. In the guest, the
    symptoms are MMU page fault at a random addresses, which leads to
    kernel page fault or segmentation faults.
    
    The patch fixes this issue by avoiding writing the branch target until
    it is known, that is by writing only the branch instruction first, and
    later only the offset.
    
    This fixes booting linux guests on ARM hosts (tested: arm, i386, mips,
    mipsel, sh4, sparc).
    
    Acked-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/tcg/arm/tcg-target.c b/tcg/arm/tcg-target.c
index a3af5b2..9def2e5 100644
--- a/tcg/arm/tcg-target.c
+++ b/tcg/arm/tcg-target.c
@@ -113,12 +113,25 @@ static const int tcg_target_call_oarg_regs[2] = {
     TCG_REG_R0, TCG_REG_R1
 };
 
+static inline void reloc_abs32(void *code_ptr, tcg_target_long target)
+{
+    *(uint32_t *) code_ptr = target;
+}
+
+static inline void reloc_pc24(void *code_ptr, tcg_target_long target)
+{
+    uint32_t offset = ((target - ((tcg_target_long) code_ptr + 8)) >> 2);
+
+    *(uint32_t *) code_ptr = ((*(uint32_t *) code_ptr) & ~0xffffff)
+                             | (offset & 0xffffff);
+}
+
 static void patch_reloc(uint8_t *code_ptr, int type,
                 tcg_target_long value, tcg_target_long addend)
 {
     switch (type) {
     case R_ARM_ABS32:
-        *(uint32_t *) code_ptr = value;
+        reloc_abs32(code_ptr, value);
         break;
 
     case R_ARM_CALL:
@@ -127,8 +140,7 @@ static void patch_reloc(uint8_t *code_ptr, int type,
         tcg_abort();
 
     case R_ARM_PC24:
-        *(uint32_t *) code_ptr = ((*(uint32_t *) code_ptr) & 0xff000000) |
-                (((value - ((tcg_target_long) code_ptr + 8)) >> 2) & 0xffffff);
+        reloc_pc24(code_ptr, value);
         break;
     }
 }
@@ -1031,7 +1043,7 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc)
     }
 
     label_ptr = (void *) s->code_ptr;
-    tcg_out_b(s, COND_EQ, 8);
+    tcg_out_b_noaddr(s, COND_EQ);
 
     /* TODO: move this code to where the constants pool will be */
     if (addr_reg != TCG_REG_R0) {
@@ -1076,7 +1088,7 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc)
         break;
     }
 
-    *label_ptr += ((void *) s->code_ptr - (void *) label_ptr - 8) >> 2;
+    reloc_pc24(label_ptr, (tcg_target_long)s->code_ptr);
 #else /* !CONFIG_SOFTMMU */
     if (GUEST_BASE) {
         uint32_t offset = GUEST_BASE;
@@ -1245,7 +1257,7 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc)
     }
 
     label_ptr = (void *) s->code_ptr;
-    tcg_out_b(s, COND_EQ, 8);
+    tcg_out_b_noaddr(s, COND_EQ);
 
     /* TODO: move this code to where the constants pool will be */
     tcg_out_dat_reg(s, COND_AL, ARITH_MOV,
@@ -1317,7 +1329,7 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc)
     if (opc == 3)
         tcg_out_dat_imm(s, COND_AL, ARITH_ADD, TCG_REG_R13, TCG_REG_R13, 0x10);
 
-    *label_ptr += ((void *) s->code_ptr - (void *) label_ptr - 8) >> 2;
+    reloc_pc24(label_ptr, (tcg_target_long)s->code_ptr);
 #else /* !CONFIG_SOFTMMU */
     if (GUEST_BASE) {
         uint32_t offset = GUEST_BASE;
@@ -1399,7 +1411,7 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
             /* Direct jump method */
 #if defined(USE_DIRECT_JUMP)
             s->tb_jmp_offset[args[0]] = s->code_ptr - s->code_buf;
-            tcg_out_b(s, COND_AL, 8);
+            tcg_out_b_noaddr(s, COND_AL);
 #else
             tcg_out_ld32_12(s, COND_AL, TCG_REG_PC, TCG_REG_PC, -4);
             s->tb_jmp_offset[args[0]] = s->code_ptr - s->code_buf;
commit 497aebb99e0700ba30b9b8d1e86f3452dcb18b28
Merge: cb752a6... 67af42a...
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sat Jan 8 16:25:48 2011 +0100

    Merge branch 'linux-user-for-upstream' of git://gitorious.org/qemu-maemo/qemu
    
    * 'linux-user-for-upstream' of git://gitorious.org/qemu-maemo/qemu:
      Remove dead code for ARM semihosting commandline handling
      Fix commandline handling for ARM semihosted executables
      linux-user: Fix incorrect NaN detection in ARM nwfpe emulation
      softfloat: Implement floatx80_is_any_nan() and float128_is_any_nan()
      linux-user: Implement FS_IOC_FIEMAP ioctl
      linux-user: Support ioctls whose parameter size is not constant
      linux-user: Implement sync_file_range{,2} syscalls

commit 67af42ac5a6227d61a8ef4ba7289ada9418f2fb8
Author: Wolfgang Schildbach <wschi at dolby.com>
Date:   Mon Dec 6 15:06:06 2010 +0000

    Remove dead code for ARM semihosting commandline handling
    
    There are some bits in the code which were used to store the commandline for
    the semihosting call. These bits are now write-only and can be removed.
    
    Signed-off-by: Wolfgang Schildbach <wschi at dolby.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/bsd-user/bsdload.c b/bsd-user/bsdload.c
index 14a93bf..6d9bb6f 100644
--- a/bsd-user/bsdload.c
+++ b/bsd-user/bsdload.c
@@ -176,8 +176,6 @@ int loader_exec(const char * filename, char ** argv, char ** envp,
 
     retval = prepare_binprm(&bprm);
 
-    infop->host_argv = argv;
-
     if(retval>=0) {
         if (bprm.buf[0] == 0x7f
                 && bprm.buf[1] == 'E'
diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h
index 9763616..e343894 100644
--- a/bsd-user/qemu.h
+++ b/bsd-user/qemu.h
@@ -50,7 +50,6 @@ struct image_info {
     abi_ulong entry;
     abi_ulong code_offset;
     abi_ulong data_offset;
-    char      **host_argv;
     int       personality;
 };
 
diff --git a/linux-user/linuxload.c b/linux-user/linuxload.c
index 9ee27c3..ac8c486 100644
--- a/linux-user/linuxload.c
+++ b/linux-user/linuxload.c
@@ -174,8 +174,6 @@ int loader_exec(const char * filename, char ** argv, char ** envp,
 
     retval = prepare_binprm(bprm);
 
-    infop->host_argv = argv;
-
     if(retval>=0) {
         if (bprm->buf[0] == 0x7f
                 && bprm->buf[1] == 'E'
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index e66a02b..32de241 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -50,7 +50,6 @@ struct image_info {
         abi_ulong       saved_auxv;
         abi_ulong       arg_start;
         abi_ulong       arg_end;
-        char            **host_argv;
 	int		personality;
 };
 
commit 2e8785acc601f72dd10ce19929c455689fc2649d
Author: Wolfgang Schildbach <wschi at dolby.com>
Date:   Mon Dec 6 15:06:05 2010 +0000

    Fix commandline handling for ARM semihosted executables
    
    Use the copy of the command line that loader_build_argptr() sets up in guest
    memory as the command line to return from the ARM SYS_GET_CMDLINE semihosting
    call. Previously we were using a pointer to memory which had already been
    freed before the guest program started.
    
    This fixes https://bugs.launchpad.net/qemu/+bug/673613 .
    
    Signed-off-by: Wolfgang Schildbach <wschi at dolby.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/arm-semi.c b/arm-semi.c
index 0687b03..1d5179b 100644
--- a/arm-semi.c
+++ b/arm-semi.c
@@ -373,45 +373,64 @@ uint32_t do_arm_semihosting(CPUState *env)
 #ifdef CONFIG_USER_ONLY
         /* Build a commandline from the original argv.  */
         {
-            char **arg = ts->info->host_argv;
-            int len = ARG(1);
-            /* lock the buffer on the ARM side */
-            char *cmdline_buffer = (char*)lock_user(VERIFY_WRITE, ARG(0), len, 0);
+            char *arm_cmdline_buffer;
+            const char *host_cmdline_buffer;
 
-            if (!cmdline_buffer)
-                /* FIXME - should this error code be -TARGET_EFAULT ? */
-                return (uint32_t)-1;
+            unsigned int i;
+            unsigned int arm_cmdline_len = ARG(1);
+            unsigned int host_cmdline_len =
+                ts->info->arg_end-ts->info->arg_start;
+
+            if (!arm_cmdline_len || host_cmdline_len > arm_cmdline_len) {
+                return -1; /* not enough space to store command line */
+            }
 
-            s = cmdline_buffer;
-            while (*arg && len > 2) {
-                int n = strlen(*arg);
+            if (!host_cmdline_len) {
+                /* We special-case the "empty command line" case (argc==0).
+                   Just provide the terminating 0. */
+                arm_cmdline_buffer = lock_user(VERIFY_WRITE, ARG(0), 1, 0);
+                arm_cmdline_buffer[0] = 0;
+                unlock_user(arm_cmdline_buffer, ARG(0), 1);
 
-                if (s != cmdline_buffer) {
-                    *(s++) = ' ';
-                    len--;
-                }
-                if (n >= len)
-                    n = len - 1;
-                memcpy(s, *arg, n);
-                s += n;
-                len -= n;
-                arg++;
+                /* Adjust the commandline length argument. */
+                SET_ARG(1, 0);
+                return 0;
             }
-            /* Null terminate the string.  */
-            *s = 0;
-            len = s - cmdline_buffer;
 
-            /* Unlock the buffer on the ARM side.  */
-            unlock_user(cmdline_buffer, ARG(0), len);
+            /* lock the buffers on the ARM side */
+            arm_cmdline_buffer =
+                lock_user(VERIFY_WRITE, ARG(0), host_cmdline_len, 0);
+            host_cmdline_buffer =
+                lock_user(VERIFY_READ, ts->info->arg_start,
+                                       host_cmdline_len, 1);
 
-            /* Adjust the commandline length argument.  */
-            SET_ARG(1, len);
+            if (arm_cmdline_buffer && host_cmdline_buffer)
+            {
+                /* the last argument is zero-terminated;
+                   no need for additional termination */
+                memcpy(arm_cmdline_buffer, host_cmdline_buffer,
+                       host_cmdline_len);
 
-            /* Return success if commandline fit into buffer.  */
-            return *arg ? -1 : 0;
+                /* separate arguments by white spaces */
+                for (i = 0; i < host_cmdline_len-1; i++) {
+                    if (arm_cmdline_buffer[i] == 0) {
+                        arm_cmdline_buffer[i] = ' ';
+                    }
+                }
+
+                /* Adjust the commandline length argument. */
+                SET_ARG(1, host_cmdline_len-1);
+            }
+
+            /* Unlock the buffers on the ARM side.  */
+            unlock_user(arm_cmdline_buffer, ARG(0), host_cmdline_len);
+            unlock_user((void*)host_cmdline_buffer, ts->info->arg_start, 0);
+
+            /* Return success if we could return a commandline.  */
+            return (arm_cmdline_buffer && host_cmdline_buffer) ? 0 : -1;
         }
 #else
-      return -1;
+        return -1;
 #endif
     case SYS_HEAPINFO:
         {
commit 3ebe80c2993205ad6ad7ee0e800068f08932775c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 18:34:44 2011 +0000

    linux-user: Fix incorrect NaN detection in ARM nwfpe emulation
    
    The code in the linux-user ARM nwfpe emulation was incorrectly
    checking only for quiet NaNs when it should have been checking
    for any kind of NaN. This is probably because the code in
    question was taken from the Linux kernel, whose copy of the
    softfloat library had been modified so that float*_is_nan()
    returned true for all NaNs, not just quiet ones. The qemu
    equivalent function is float*_is_any_nan(), so use that.
    NB that this code is really obsolete since nobody uses FPE
    for actual arithmetic now; this is just cleanup following
    the recent renaming of the NaN related functions.
    
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/linux-user/arm/nwfpe/fpa11_cprt.c b/linux-user/arm/nwfpe/fpa11_cprt.c
index 0e61b58..be54e95 100644
--- a/linux-user/arm/nwfpe/fpa11_cprt.c
+++ b/linux-user/arm/nwfpe/fpa11_cprt.c
@@ -199,21 +199,21 @@ static unsigned int PerformComparison(const unsigned int opcode)
    {
       case typeSingle:
         //printk("single.\n");
-	if (float32_is_quiet_nan(fpa11->fpreg[Fn].fSingle))
+	if (float32_is_any_nan(fpa11->fpreg[Fn].fSingle))
 	   goto unordered;
         rFn = float32_to_floatx80(fpa11->fpreg[Fn].fSingle, &fpa11->fp_status);
       break;
 
       case typeDouble:
         //printk("double.\n");
-	if (float64_is_quiet_nan(fpa11->fpreg[Fn].fDouble))
+	if (float64_is_any_nan(fpa11->fpreg[Fn].fDouble))
 	   goto unordered;
         rFn = float64_to_floatx80(fpa11->fpreg[Fn].fDouble, &fpa11->fp_status);
       break;
 
       case typeExtended:
         //printk("extended.\n");
-	if (floatx80_is_quiet_nan(fpa11->fpreg[Fn].fExtended))
+	if (floatx80_is_any_nan(fpa11->fpreg[Fn].fExtended))
 	   goto unordered;
         rFn = fpa11->fpreg[Fn].fExtended;
       break;
@@ -225,7 +225,7 @@ static unsigned int PerformComparison(const unsigned int opcode)
    {
      //printk("Fm is a constant: #%d.\n",Fm);
      rFm = getExtendedConstant(Fm);
-     if (floatx80_is_quiet_nan(rFm))
+     if (floatx80_is_any_nan(rFm))
         goto unordered;
    }
    else
@@ -235,21 +235,21 @@ static unsigned int PerformComparison(const unsigned int opcode)
       {
          case typeSingle:
            //printk("single.\n");
-	   if (float32_is_quiet_nan(fpa11->fpreg[Fm].fSingle))
+	   if (float32_is_any_nan(fpa11->fpreg[Fm].fSingle))
 	      goto unordered;
            rFm = float32_to_floatx80(fpa11->fpreg[Fm].fSingle, &fpa11->fp_status);
          break;
 
          case typeDouble:
            //printk("double.\n");
-	   if (float64_is_quiet_nan(fpa11->fpreg[Fm].fDouble))
+	   if (float64_is_any_nan(fpa11->fpreg[Fm].fDouble))
 	      goto unordered;
            rFm = float64_to_floatx80(fpa11->fpreg[Fm].fDouble, &fpa11->fp_status);
          break;
 
          case typeExtended:
            //printk("extended.\n");
-	   if (floatx80_is_quiet_nan(fpa11->fpreg[Fm].fExtended))
+	   if (floatx80_is_any_nan(fpa11->fpreg[Fm].fExtended))
 	      goto unordered;
            rFm = fpa11->fpreg[Fm].fExtended;
          break;
commit 2bed652fc596dee09f27dd7ab20528cf5eaf9203
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 18:34:43 2011 +0000

    softfloat: Implement floatx80_is_any_nan() and float128_is_any_nan()
    
    Implement versions of float*_is_any_nan() for the floatx80 and
    float128 types.
    
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index 15052cc..a6d0f16 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -489,6 +489,11 @@ INLINE int floatx80_is_zero(floatx80 a)
     return (a.high & 0x7fff) == 0 && a.low == 0;
 }
 
+INLINE int floatx80_is_any_nan(floatx80 a)
+{
+    return ((a.high & 0x7fff) == 0x7fff) && (a.low<<1);
+}
+
 #endif
 
 #ifdef FLOAT128
@@ -556,6 +561,12 @@ INLINE int float128_is_zero(float128 a)
     return (a.high & 0x7fffffffffffffffLL) == 0 && a.low == 0;
 }
 
+INLINE int float128_is_any_nan(float128 a)
+{
+    return ((a.high >> 48) & 0x7fff) == 0x7fff &&
+        ((a.low != 0) || ((a.high & 0xffffffffffffLL) != 0));
+}
+
 #endif
 
 #else /* CONFIG_SOFTFLOAT */
commit 285da2b9a83353703d07e141fdb447e82944146c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 15:04:18 2011 +0000

    linux-user: Implement FS_IOC_FIEMAP ioctl
    
    Implement the FS_IOC_FIEMAP ioctl using the new support for
    custom handling of ioctls; this is needed because the struct
    that is passed includes a variable-length array.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index 769e1bc..538e257 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -76,6 +76,10 @@
 #ifdef FIGETBSZ
      IOCTL(FIGETBSZ, IOC_R, MK_PTR(TYPE_LONG))
 #endif
+#ifdef FS_IOC_FIEMAP
+     IOCTL_SPECIAL(FS_IOC_FIEMAP, IOC_W | IOC_R, do_ioctl_fs_ioc_fiemap,
+                   MK_PTR(MK_STRUCT(STRUCT_fiemap)))
+#endif
 
   IOCTL(SIOCATMARK, 0, TYPE_NULL)
   IOCTL(SIOCADDRT, IOC_W, MK_PTR(MK_STRUCT(STRUCT_rtentry)))
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 970efe3..f10e17a 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -83,6 +83,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
 #include <linux/kd.h>
 #include <linux/mtio.h>
 #include <linux/fs.h>
+#include <linux/fiemap.h>
 #include <linux/fb.h>
 #include <linux/vt.h>
 #include "linux_loop.h"
@@ -2985,6 +2986,93 @@ struct IOCTLEntry {
 
 #define MAX_STRUCT_SIZE 4096
 
+/* So fiemap access checks don't overflow on 32 bit systems.
+ * This is very slightly smaller than the limit imposed by
+ * the underlying kernel.
+ */
+#define FIEMAP_MAX_EXTENTS ((UINT_MAX - sizeof(struct fiemap))  \
+                            / sizeof(struct fiemap_extent))
+
+static abi_long do_ioctl_fs_ioc_fiemap(const IOCTLEntry *ie, uint8_t *buf_temp,
+                                       int fd, abi_long cmd, abi_long arg)
+{
+    /* The parameter for this ioctl is a struct fiemap followed
+     * by an array of struct fiemap_extent whose size is set
+     * in fiemap->fm_extent_count. The array is filled in by the
+     * ioctl.
+     */
+    int target_size_in, target_size_out;
+    struct fiemap *fm;
+    const argtype *arg_type = ie->arg_type;
+    const argtype extent_arg_type[] = { MK_STRUCT(STRUCT_fiemap_extent) };
+    void *argptr, *p;
+    abi_long ret;
+    int i, extent_size = thunk_type_size(extent_arg_type, 0);
+    uint32_t outbufsz;
+    int free_fm = 0;
+
+    assert(arg_type[0] == TYPE_PTR);
+    assert(ie->access == IOC_RW);
+    arg_type++;
+    target_size_in = thunk_type_size(arg_type, 0);
+    argptr = lock_user(VERIFY_READ, arg, target_size_in, 1);
+    if (!argptr) {
+        return -TARGET_EFAULT;
+    }
+    thunk_convert(buf_temp, argptr, arg_type, THUNK_HOST);
+    unlock_user(argptr, arg, 0);
+    fm = (struct fiemap *)buf_temp;
+    if (fm->fm_extent_count > FIEMAP_MAX_EXTENTS) {
+        return -TARGET_EINVAL;
+    }
+
+    outbufsz = sizeof (*fm) +
+        (sizeof(struct fiemap_extent) * fm->fm_extent_count);
+
+    if (outbufsz > MAX_STRUCT_SIZE) {
+        /* We can't fit all the extents into the fixed size buffer.
+         * Allocate one that is large enough and use it instead.
+         */
+        fm = malloc(outbufsz);
+        if (!fm) {
+            return -TARGET_ENOMEM;
+        }
+        memcpy(fm, buf_temp, sizeof(struct fiemap));
+        free_fm = 1;
+    }
+    ret = get_errno(ioctl(fd, ie->host_cmd, fm));
+    if (!is_error(ret)) {
+        target_size_out = target_size_in;
+        /* An extent_count of 0 means we were only counting the extents
+         * so there are no structs to copy
+         */
+        if (fm->fm_extent_count != 0) {
+            target_size_out += fm->fm_mapped_extents * extent_size;
+        }
+        argptr = lock_user(VERIFY_WRITE, arg, target_size_out, 0);
+        if (!argptr) {
+            ret = -TARGET_EFAULT;
+        } else {
+            /* Convert the struct fiemap */
+            thunk_convert(argptr, fm, arg_type, THUNK_TARGET);
+            if (fm->fm_extent_count != 0) {
+                p = argptr + target_size_in;
+                /* ...and then all the struct fiemap_extents */
+                for (i = 0; i < fm->fm_mapped_extents; i++) {
+                    thunk_convert(p, &fm->fm_extents[i], extent_arg_type,
+                                  THUNK_TARGET);
+                    p += extent_size;
+                }
+            }
+            unlock_user(argptr, arg, target_size_out);
+        }
+    }
+    if (free_fm) {
+        free(fm);
+    }
+    return ret;
+}
+
 static IOCTLEntry ioctl_entries[] = {
 #define IOCTL(cmd, access, ...) \
     { TARGET_ ## cmd, cmd, #cmd, access, 0, {  __VA_ARGS__ } },
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 20c93d0..d02a9bf 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -783,6 +783,7 @@ struct target_pollfd {
 #define TARGET_BLKGETSIZE64 TARGET_IOR(0x12,114,sizeof(uint64_t)) /* return device size in bytes (u64 *arg) */
 #define TARGET_FIBMAP     TARGET_IO(0x00,1)  /* bmap access */
 #define TARGET_FIGETBSZ   TARGET_IO(0x00,2)  /* get the block size used for bmap */
+#define TARGET_FS_IOC_FIEMAP TARGET_IOWR('f',11,struct fiemap)
 
 /* cdrom commands */
 #define TARGET_CDROMPAUSE		0x5301 /* Pause Audio Operation */
diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
index 340dbd3..0e67cd8 100644
--- a/linux-user/syscall_types.h
+++ b/linux-user/syscall_types.h
@@ -165,3 +165,19 @@ STRUCT(vt_stat,
        TYPE_SHORT, /* v_active */
        TYPE_SHORT, /* v_signal */
        TYPE_SHORT) /* v_state */
+
+STRUCT(fiemap_extent,
+       TYPE_ULONGLONG, /* fe_logical */
+       TYPE_ULONGLONG, /* fe_physical */
+       TYPE_ULONGLONG, /* fe_length */
+       MK_ARRAY(TYPE_ULONGLONG, 2), /* fe_reserved64[2] */
+       TYPE_INT, /* fe_flags */
+       MK_ARRAY(TYPE_INT, 3)) /* fe_reserved[3] */
+
+STRUCT(fiemap,
+       TYPE_ULONGLONG, /* fm_start */
+       TYPE_ULONGLONG, /* fm_length */
+       TYPE_INT, /* fm_flags */
+       TYPE_INT, /* fm_mapped_extents */
+       TYPE_INT, /* fm_extent_count */
+       TYPE_INT) /* fm_reserved */
commit d2ef05bb44e044e30f779ed9c4882c3c8299350d
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 15:04:17 2011 +0000

    linux-user: Support ioctls whose parameter size is not constant
    
    Some ioctls (for example FS_IOC_FIEMAP) use structures whose size is
    not constant. The generic argument conversion code in do_ioctl()
    cannot handle this, so add support for implementing a special-case
    handler for a particular ioctl which does the conversion itself.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1939a5f..970efe3 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2965,13 +2965,19 @@ enum {
 #undef STRUCT
 #undef STRUCT_SPECIAL
 
-typedef struct IOCTLEntry {
+typedef struct IOCTLEntry IOCTLEntry;
+
+typedef abi_long do_ioctl_fn(const IOCTLEntry *ie, uint8_t *buf_temp,
+                             int fd, abi_long cmd, abi_long arg);
+
+struct IOCTLEntry {
     unsigned int target_cmd;
     unsigned int host_cmd;
     const char *name;
     int access;
+    do_ioctl_fn *do_ioctl;
     const argtype arg_type[5];
-} IOCTLEntry;
+};
 
 #define IOC_R 0x0001
 #define IOC_W 0x0002
@@ -2981,7 +2987,9 @@ typedef struct IOCTLEntry {
 
 static IOCTLEntry ioctl_entries[] = {
 #define IOCTL(cmd, access, ...) \
-    { TARGET_ ## cmd, cmd, #cmd, access, {  __VA_ARGS__ } },
+    { TARGET_ ## cmd, cmd, #cmd, access, 0, {  __VA_ARGS__ } },
+#define IOCTL_SPECIAL(cmd, access, dofn, ...)                      \
+    { TARGET_ ## cmd, cmd, #cmd, access, dofn, {  __VA_ARGS__ } },
 #include "ioctls.h"
     { 0, 0, },
 };
@@ -3011,6 +3019,10 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
 #if defined(DEBUG)
     gemu_log("ioctl: cmd=0x%04lx (%s)\n", (long)cmd, ie->name);
 #endif
+    if (ie->do_ioctl) {
+        return ie->do_ioctl(ie, buf_temp, fd, cmd, arg);
+    }
+
     switch(arg_type[0]) {
     case TYPE_NULL:
         /* no argument */
commit cb752a608c514c1f493144f25828b3ff15049f5e
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Fri Jan 7 16:18:13 2011 +0100

    cris: Allow more TB chaning
    
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index 57d8532..5184155 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -1129,7 +1129,7 @@ static void cris_store_direct_jmp(DisasContext *dc)
 	/* Store the direct jmp state into the cpu-state.  */
 	if (dc->jmp == JMP_DIRECT) {
 		tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
-		tcg_gen_movi_tl(env_btaken, 1);
+		dc->jmp = JMP_INDIRECT;
 	}
 }
 
@@ -1139,17 +1139,11 @@ static void cris_prepare_cc_branch (DisasContext *dc,
 	/* This helps us re-schedule the micro-code to insns in delay-slots
 	   before the actual jump.  */
 	dc->delayed_branch = 2;
+	dc->jmp = JMP_DIRECT;
 	dc->jmp_pc = dc->pc + offset;
 
-	if (cond != CC_A)
-	{
-		dc->jmp = JMP_INDIRECT;
-		gen_tst_cc (dc, env_btaken, cond);
-		tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
-	} else {
-		/* Allow chaining.  */
-		dc->jmp = JMP_DIRECT;
-	}
+	gen_tst_cc (dc, env_btaken, cond);
+	tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
 }
 
 
@@ -1161,8 +1155,7 @@ static inline void cris_prepare_jmp (DisasContext *dc, unsigned int type)
 	   before the actual jump.  */
 	dc->delayed_branch = 2;
 	dc->jmp = type;
-	if (type == JMP_INDIRECT)
-		tcg_gen_movi_tl(env_btaken, 1);
+	tcg_gen_movi_tl(env_btaken, 1);
 }
 
 static void gen_load64(DisasContext *dc, TCGv_i64 dst, TCGv addr)
@@ -3315,8 +3308,24 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 				if (tb->flags & 7)
 					t_gen_mov_env_TN(dslot, 
 						tcg_const_tl(0));
+				if (dc->cpustate_changed || !dc->flagx_known
+				    || (dc->flags_x != (tb->flags & X_FLAG))) {
+					cris_store_direct_jmp(dc);
+				}
 				if (dc->jmp == JMP_DIRECT) {
-					dc->is_jmp = DISAS_NEXT;
+					int l1;
+
+					l1 = gen_new_label();
+					cris_evaluate_flags(dc);
+
+					/* Conditional jmp.  */
+					tcg_gen_brcondi_tl(TCG_COND_EQ,
+							   env_btaken, 0, l1);
+					gen_goto_tb(dc, 1, dc->jmp_pc);
+					gen_set_label(l1);
+					gen_goto_tb(dc, 0, dc->pc);
+					dc->is_jmp = DISAS_TB_JUMP;
+					dc->jmp = JMP_NOJMP;
 				} else {
 					t_gen_cc_jmp(env_btarget, 
 						     tcg_const_tl(dc->pc));
@@ -3336,16 +3345,10 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 		 && (dc->pc < next_page_start)
                  && num_insns < max_insns);
 
-	if (dc->tb_flags != orig_flags) {
-		dc->cpustate_changed = 1;
-	}
-
 	if (dc->clear_locked_irq)
 		t_gen_mov_env_TN(locked_irq, tcg_const_tl(0));
 
 	npc = dc->pc;
-	if (dc->jmp == JMP_DIRECT && !dc->delayed_branch)
-		npc = dc->jmp_pc;
 
         if (tb->cflags & CF_LAST_IO)
             gen_io_end();
commit c727f47d59641c43ce171126232fd8049296adf6
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 11:05:10 2011 +0000

    linux-user: Implement sync_file_range{,2} syscalls
    
    Implement the missing syscalls sync_file_range and sync_file_range2.
    The latter in particular is used by newer versions of apt on Ubuntu
    for ARM.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/configure b/configure
index 47e4cf0..831a741 100755
--- a/configure
+++ b/configure
@@ -2075,6 +2075,21 @@ if compile_prog "$ARCH_CFLAGS" "" ; then
   fallocate=yes
 fi
 
+# check for sync_file_range
+sync_file_range=no
+cat > $TMPC << EOF
+#include <fcntl.h>
+
+int main(void)
+{
+    sync_file_range(0, 0, 0, 0);
+    return 0;
+}
+EOF
+if compile_prog "$ARCH_CFLAGS" "" ; then
+  sync_file_range=yes
+fi
+
 # check for dup3
 dup3=no
 cat > $TMPC << EOF
@@ -2613,6 +2628,9 @@ fi
 if test "$fallocate" = "yes" ; then
   echo "CONFIG_FALLOCATE=y" >> $config_host_mak
 fi
+if test "$sync_file_range" = "yes" ; then
+  echo "CONFIG_SYNC_FILE_RANGE=y" >> $config_host_mak
+fi
 if test "$dup3" = "yes" ; then
   echo "CONFIG_DUP3=y" >> $config_host_mak
 fi
diff --git a/linux-user/strace.list b/linux-user/strace.list
index 97b7f76..d7be0e7 100644
--- a/linux-user/strace.list
+++ b/linux-user/strace.list
@@ -1518,3 +1518,9 @@
 #ifdef TARGET_NR_utimensat
 { TARGET_NR_utimensat, "utimensat", NULL, print_utimensat, NULL },
 #endif
+#ifdef TARGET_NR_sync_file_range
+{ TARGET_NR_sync_file_range, "sync_file_range", NULL, NULL, NULL },
+#endif
+#ifdef TARGET_NR_sync_file_range2
+{ TARGET_NR_sync_file_range2, "sync_file_range2", NULL, NULL, NULL },
+#endif
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index c3e8706..1939a5f 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7365,6 +7365,29 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
         ret = get_errno(fallocate(arg1, arg2, arg3, arg4));
         break;
 #endif
+#if defined(CONFIG_SYNC_FILE_RANGE)
+#if defined(TARGET_NR_sync_file_range)
+    case TARGET_NR_sync_file_range:
+#if TARGET_ABI_BITS == 32
+        ret = get_errno(sync_file_range(arg1, target_offset64(arg2, arg3),
+                                        target_offset64(arg4, arg5), arg6));
+#else
+        ret = get_errno(sync_file_range(arg1, arg2, arg3, arg4));
+#endif
+        break;
+#endif
+#if defined(TARGET_NR_sync_file_range2)
+    case TARGET_NR_sync_file_range2:
+        /* This is like sync_file_range but the arguments are reordered */
+#if TARGET_ABI_BITS == 32
+        ret = get_errno(sync_file_range(arg1, target_offset64(arg3, arg4),
+                                        target_offset64(arg5, arg6), arg2));
+#else
+        ret = get_errno(sync_file_range(arg1, arg3, arg4, arg2));
+#endif
+        break;
+#endif
+#endif
     default:
     unimplemented:
         gemu_log("qemu: Unsupported syscall: %d\n", num);
commit 2a704b137f1acfbd972aa6e9f031c5015c7e28cb
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Fri Jan 7 12:50:38 2011 +0100

    cris: Avoid useless tmp in t_gen_cc_jmp()
    
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index 4e4606c..57d8532 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -577,20 +577,15 @@ static inline void t_gen_swapr(TCGv d, TCGv s)
 
 static void t_gen_cc_jmp(TCGv pc_true, TCGv pc_false)
 {
-	TCGv btaken;
 	int l1;
 
 	l1 = gen_new_label();
-	btaken = tcg_temp_new();
 
 	/* Conditional jmp.  */
-	tcg_gen_mov_tl(btaken, env_btaken);
 	tcg_gen_mov_tl(env_pc, pc_false);
-	tcg_gen_brcondi_tl(TCG_COND_EQ, btaken, 0, l1);
+	tcg_gen_brcondi_tl(TCG_COND_EQ, env_btaken, 0, l1);
 	tcg_gen_mov_tl(env_pc, pc_true);
 	gen_set_label(l1);
-
-	tcg_temp_free(btaken);
 }
 
 static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
commit 8e5da4e292723499184b0f802106ef398b777974
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Jan 4 22:04:30 2011 +0100

    pci-assign: Fix transition MSI->INTx
    
    Make sure to re-register the IRQ of an assigned device as INTx when the
    guest disables MSI[X] mode again.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index a25f3e0..e97f565 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1136,7 +1136,10 @@ static void assigned_dev_update_msi(PCIDevice *pci_dev, unsigned int ctrl_pos)
         if (kvm_assign_irq(kvm_context, &assigned_irq_data) < 0)
             perror("assigned_dev_enable_msi: assign irq");
 
+        assigned_dev->girq = -1;
         assigned_dev->irq_requested_type = assigned_irq_data.flags;
+    } else {
+        assign_irq(assigned_dev);
     }
 }
 #endif
@@ -1276,7 +1279,10 @@ static void assigned_dev_update_msix(PCIDevice *pci_dev, unsigned int ctrl_pos)
             perror("assigned_dev_enable_msix: assign irq");
             return;
         }
+        assigned_dev->girq = -1;
         assigned_dev->irq_requested_type = assigned_irq_data.flags;
+    } else {
+        assign_irq(assigned_dev);
     }
 }
 #endif
commit 78935c4a4bfec8ef2f4f924cfc35ac09a963e81e
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 22:28:33 2011 +0100

    cirrus: delete GCC 4.6 warnings
    
    Commit 92d675d1c1f23f3617e24b63c825074a1d1da44b triggered uninitialized
    variables warning with GCC 4.6. Fix them by adding zero initializers.
    
    Acked-by: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 833a2eb..75d1cc6 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -673,9 +673,9 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
 
 static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 {
-    int sx, sy;
-    int dx, dy;
-    int depth;
+    int sx = 0, sy = 0;
+    int dx = 0, dy = 0;
+    int depth = 0;
     int notify = 0;
 
     /* make sure to only copy if it's a plain copy ROP */
commit ea6b0f11ecbd39d35ed8e638055215fc156aca96
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 19:26:23 2011 -0200

    remove qemu-kvm.h inclusion from monitor.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/monitor.c b/monitor.c
index cf1d3d0..40768bb 100644
--- a/monitor.c
+++ b/monitor.c
@@ -61,7 +61,6 @@
 #include "trace.h"
 #endif
 #include "ui/qemu-spice.h"
-#include "qemu-kvm.h"
 
 //#define DEBUG
 //#define DEBUG_COMPLETION
commit 3790795d0a88be1c2f306e5bd97227242f3ad2d0
Merge: 5f4a6f4... 3393ee0...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 19:20:15 2011 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (279 commits)
      target-ppc: Implement correct NaN propagation rules
      target-mips: Implement correct NaN propagation rules
      softfloat: use float{32,64,x80,128}_maybe_silence_nan()
      softfloat: add float{x80,128}_maybe_silence_nan()
      softfloat: fix float{32,64}_maybe_silence_nan() for MIPS
      softfloat: rename *IsNaN variables to *IsQuietNaN
      softfloat: remove HPPA specific code
      target-ppc: use float32_is_any_nan()
      target-ppc: fix default qNaN
      target-ppc: remove PRECISE_EMULATION define
      microblaze: Use more TB chaining
      cirrus_vga: fix division by 0 for color expansion rop
      Fix curses on big endian hosts
      noaudio: correctly account acquired samples
      target-arm: Implement correct NaN propagation rules
      softfloat: abstract out target-specific NaN propagation rules
      softfloat: Rename float*_is_nan() functions to float*_is_quiet_nan()
      TCG: Improve tb_phys_hash_func()
      target-arm: fix UMAAL instruction
      Fix translation of unary PPC/SPE instructions (efdneg etc.).
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 3393ee074f89bbd827a2c5737f5bec365e8460a5
Merge: ea59ccd... e024e88...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 19:19:20 2011 -0200

    Merge commit 'e024e881bb1a8b5085026589360d26ed97acdd64' into upstream-merge
    
    * commit 'e024e881bb1a8b5085026589360d26ed97acdd64': (133 commits)
      target-ppc: Implement correct NaN propagation rules
      target-mips: Implement correct NaN propagation rules
      softfloat: use float{32,64,x80,128}_maybe_silence_nan()
      softfloat: add float{x80,128}_maybe_silence_nan()
      softfloat: fix float{32,64}_maybe_silence_nan() for MIPS
      softfloat: rename *IsNaN variables to *IsQuietNaN
      softfloat: remove HPPA specific code
      target-ppc: use float32_is_any_nan()
      target-ppc: fix default qNaN
      target-ppc: remove PRECISE_EMULATION define
      microblaze: Use more TB chaining
      cirrus_vga: fix division by 0 for color expansion rop
      Fix curses on big endian hosts
      noaudio: correctly account acquired samples
      target-arm: Implement correct NaN propagation rules
      softfloat: abstract out target-specific NaN propagation rules
      softfloat: Rename float*_is_nan() functions to float*_is_quiet_nan()
      TCG: Improve tb_phys_hash_func()
      target-arm: fix UMAAL instruction
      Fix translation of unary PPC/SPE instructions (efdneg etc.).
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc blockdev.h
index 5c5c6cf,4536b5c..7faa472
--- a/blockdev.h
+++ b/blockdev.h
@@@ -52,7 -52,6 +52,8 @@@ int do_block_set_passwd(Monitor *mon, c
  int do_change_block(Monitor *mon, const char *device,
                      const char *filename, const char *fmt);
  int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data);
+ int do_snapshot_blkdev(Monitor *mon, const QDict *qdict, QObject **ret_data);
  
 +extern DriveInfo *extboot_drive;
 +
  #endif
commit cecd8504b80148b66cdc1ce32046429bc3549090
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 19:37:55 2011 +0000

    target-arm: wire up the softfloat flush_input_to_zero flag
    
    Wire up the new softfloat support for flushing input denormals
    to zero on ARM. The FPSCR FZ bit enables flush-to-zero for
    both inputs and outputs, but the reporting of when inputs are
    flushed to zero is via a separate IDC bit rather than the UFC
    (underflow) bit used when output denormals are flushed to zero.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 05684a2..705b99f 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2242,6 +2242,8 @@ static inline int vfp_exceptbits_from_host(int host_bits)
         target_bits |= 8;
     if (host_bits & float_flag_inexact)
         target_bits |= 0x10;
+    if (host_bits & float_flag_input_denormal)
+        target_bits |= 0x80;
     return target_bits;
 }
 
@@ -2278,6 +2280,8 @@ static inline int vfp_exceptbits_to_host(int target_bits)
         host_bits |= float_flag_underflow;
     if (target_bits & 0x10)
         host_bits |= float_flag_inexact;
+    if (target_bits & 0x80)
+        host_bits |= float_flag_input_denormal;
     return host_bits;
 }
 
@@ -2310,8 +2314,10 @@ void HELPER(vfp_set_fpscr)(CPUState *env, uint32_t val)
         }
         set_float_rounding_mode(i, &env->vfp.fp_status);
     }
-    if (changed & (1 << 24))
+    if (changed & (1 << 24)) {
         set_flush_to_zero((val & (1 << 24)) != 0, &env->vfp.fp_status);
+        set_flush_inputs_to_zero((val & (1 << 24)) != 0, &env->vfp.fp_status);
+    }
     if (changed & (1 << 25))
         set_default_nan_mode((val & (1 << 25)) != 0, &env->vfp.fp_status);
 
commit b12c390b9108d44cb0b05900d6c11a73ee0e9cae
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 19:37:54 2011 +0000

    target-arm: Set softfloat cumulative exc flags from correct FPSCR bits
    
    When handling a write to the ARM FPSCR, set the softfloat cumulative
    exception flags from the cumulative flags in the FPSCR, not the
    exception-enable bits. Also don't apply a mask: vfp_exceptbits_to_host
    will only look at the correct bits anyway.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 50c1017..05684a2 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2315,7 +2315,7 @@ void HELPER(vfp_set_fpscr)(CPUState *env, uint32_t val)
     if (changed & (1 << 25))
         set_default_nan_mode((val & (1 << 25)) != 0, &env->vfp.fp_status);
 
-    i = vfp_exceptbits_to_host((val >> 8) & 0x1f);
+    i = vfp_exceptbits_to_host(val);
     set_float_exception_flags(i, &env->vfp.fp_status);
 }
 
commit 37d18660bbb1d60b4e59bf407b4b301749e0c3b9
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Jan 6 19:37:53 2011 +0000

    softfloat: Implement flushing input denormals to zero
    
    Add support to softfloat for flushing input denormal float32 and float64
    to zero. softfloat's existing 'flush_to_zero' flag only flushes denormals
    to zero on output. Some CPUs need input denormals to be flushed before
    processing as well. Implement this, using a new status flag to enable it
    and a new exception status bit to indicate when it has happened. Existing
    CPUs should be unaffected as there is no behaviour change unless the
    mode is enabled.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Acked-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index 6f5b05d..17842f4 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -30,8 +30,6 @@ these four paragraphs for those parts of this code that are retained.
 
 =============================================================================*/
 
-/* FIXME: Flush-To-Zero only effects results.  Denormal inputs should also
-   be flushed to zero.  */
 #include "softfloat.h"
 
 /*----------------------------------------------------------------------------
@@ -204,6 +202,21 @@ INLINE flag extractFloat32Sign( float32 a )
 }
 
 /*----------------------------------------------------------------------------
+| If `a' is denormal and we are in flush-to-zero mode then set the
+| input-denormal exception and return zero. Otherwise just return the value.
+*----------------------------------------------------------------------------*/
+static float32 float32_squash_input_denormal(float32 a STATUS_PARAM)
+{
+    if (STATUS(flush_inputs_to_zero)) {
+        if (extractFloat32Exp(a) == 0 && extractFloat32Frac(a) != 0) {
+            float_raise(float_flag_input_denormal STATUS_VAR);
+            return make_float32(float32_val(a) & 0x80000000);
+        }
+    }
+    return a;
+}
+
+/*----------------------------------------------------------------------------
 | Normalizes the subnormal single-precision floating-point value represented
 | by the denormalized significand `aSig'.  The normalized exponent and
 | significand are stored at the locations pointed to by `zExpPtr' and
@@ -368,6 +381,21 @@ INLINE flag extractFloat64Sign( float64 a )
 }
 
 /*----------------------------------------------------------------------------
+| If `a' is denormal and we are in flush-to-zero mode then set the
+| input-denormal exception and return zero. Otherwise just return the value.
+*----------------------------------------------------------------------------*/
+static float64 float64_squash_input_denormal(float64 a STATUS_PARAM)
+{
+    if (STATUS(flush_inputs_to_zero)) {
+        if (extractFloat64Exp(a) == 0 && extractFloat64Frac(a) != 0) {
+            float_raise(float_flag_input_denormal STATUS_VAR);
+            return make_float64(float64_val(a) & (1ULL << 63));
+        }
+    }
+    return a;
+}
+
+/*----------------------------------------------------------------------------
 | Normalizes the subnormal double-precision floating-point value represented
 | by the denormalized significand `aSig'.  The normalized exponent and
 | significand are stored at the locations pointed to by `zExpPtr' and
@@ -1298,6 +1326,7 @@ int32 float32_to_int32( float32 a STATUS_PARAM )
     bits32 aSig;
     bits64 aSig64;
 
+    a = float32_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
     aSign = extractFloat32Sign( a );
@@ -1327,6 +1356,7 @@ int32 float32_to_int32_round_to_zero( float32 a STATUS_PARAM )
     int16 aExp, shiftCount;
     bits32 aSig;
     int32 z;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -1418,6 +1448,7 @@ int64 float32_to_int64( float32 a STATUS_PARAM )
     int16 aExp, shiftCount;
     bits32 aSig;
     bits64 aSig64, aSigExtra;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -1455,6 +1486,7 @@ int64 float32_to_int64_round_to_zero( float32 a STATUS_PARAM )
     bits32 aSig;
     bits64 aSig64;
     int64 z;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -1496,6 +1528,7 @@ float64 float32_to_float64( float32 a STATUS_PARAM )
     flag aSign;
     int16 aExp;
     bits32 aSig;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -1528,6 +1561,7 @@ floatx80 float32_to_floatx80( float32 a STATUS_PARAM )
     int16 aExp;
     bits32 aSig;
 
+    a = float32_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
     aSign = extractFloat32Sign( a );
@@ -1561,6 +1595,7 @@ float128 float32_to_float128( float32 a STATUS_PARAM )
     int16 aExp;
     bits32 aSig;
 
+    a = float32_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
     aSign = extractFloat32Sign( a );
@@ -1593,6 +1628,7 @@ float32 float32_round_to_int( float32 a STATUS_PARAM)
     bits32 lastBitMask, roundBitsMask;
     int8 roundingMode;
     bits32 z;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aExp = extractFloat32Exp( a );
     if ( 0x96 <= aExp ) {
@@ -1796,6 +1832,8 @@ static float32 subFloat32Sigs( float32 a, float32 b, flag zSign STATUS_PARAM)
 float32 float32_add( float32 a, float32 b STATUS_PARAM )
 {
     flag aSign, bSign;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     aSign = extractFloat32Sign( a );
     bSign = extractFloat32Sign( b );
@@ -1817,6 +1855,8 @@ float32 float32_add( float32 a, float32 b STATUS_PARAM )
 float32 float32_sub( float32 a, float32 b STATUS_PARAM )
 {
     flag aSign, bSign;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     aSign = extractFloat32Sign( a );
     bSign = extractFloat32Sign( b );
@@ -1843,6 +1883,9 @@ float32 float32_mul( float32 a, float32 b STATUS_PARAM )
     bits64 zSig64;
     bits32 zSig;
 
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
+
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
     aSign = extractFloat32Sign( a );
@@ -1900,6 +1943,8 @@ float32 float32_div( float32 a, float32 b STATUS_PARAM )
     flag aSign, bSign, zSign;
     int16 aExp, bExp, zExp;
     bits32 aSig, bSig, zSig;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -1966,6 +2011,8 @@ float32 float32_rem( float32 a, float32 b STATUS_PARAM )
     bits64 aSig64, bSig64, q64;
     bits32 alternateASig;
     sbits32 sigMean;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -2062,6 +2109,7 @@ float32 float32_sqrt( float32 a STATUS_PARAM )
     int16 aExp, zExp;
     bits32 aSig, zSig;
     bits64 rem, term;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -2148,6 +2196,7 @@ float32 float32_exp2( float32 a STATUS_PARAM )
     bits32 aSig;
     float64 r, x, xn;
     int i;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -2194,6 +2243,7 @@ float32 float32_log2( float32 a STATUS_PARAM )
     int16 aExp;
     bits32 aSig, zSig, i;
 
+    a = float32_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
     aSign = extractFloat32Sign( a );
@@ -2238,6 +2288,8 @@ float32 float32_log2( float32 a STATUS_PARAM )
 
 int float32_eq( float32 a, float32 b STATUS_PARAM )
 {
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat32Exp( a ) == 0xFF ) && extractFloat32Frac( a ) )
          || ( ( extractFloat32Exp( b ) == 0xFF ) && extractFloat32Frac( b ) )
@@ -2263,6 +2315,8 @@ int float32_le( float32 a, float32 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits32 av, bv;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat32Exp( a ) == 0xFF ) && extractFloat32Frac( a ) )
          || ( ( extractFloat32Exp( b ) == 0xFF ) && extractFloat32Frac( b ) )
@@ -2289,6 +2343,8 @@ int float32_lt( float32 a, float32 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits32 av, bv;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat32Exp( a ) == 0xFF ) && extractFloat32Frac( a ) )
          || ( ( extractFloat32Exp( b ) == 0xFF ) && extractFloat32Frac( b ) )
@@ -2315,6 +2371,8 @@ int float32_lt( float32 a, float32 b STATUS_PARAM )
 int float32_eq_signaling( float32 a, float32 b STATUS_PARAM )
 {
     bits32 av, bv;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat32Exp( a ) == 0xFF ) && extractFloat32Frac( a ) )
          || ( ( extractFloat32Exp( b ) == 0xFF ) && extractFloat32Frac( b ) )
@@ -2339,6 +2397,8 @@ int float32_le_quiet( float32 a, float32 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits32 av, bv;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat32Exp( a ) == 0xFF ) && extractFloat32Frac( a ) )
          || ( ( extractFloat32Exp( b ) == 0xFF ) && extractFloat32Frac( b ) )
@@ -2368,6 +2428,8 @@ int float32_lt_quiet( float32 a, float32 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits32 av, bv;
+    a = float32_squash_input_denormal(a STATUS_VAR);
+    b = float32_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat32Exp( a ) == 0xFF ) && extractFloat32Frac( a ) )
          || ( ( extractFloat32Exp( b ) == 0xFF ) && extractFloat32Frac( b ) )
@@ -2401,6 +2463,7 @@ int32 float64_to_int32( float64 a STATUS_PARAM )
     flag aSign;
     int16 aExp, shiftCount;
     bits64 aSig;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -2429,6 +2492,7 @@ int32 float64_to_int32_round_to_zero( float64 a STATUS_PARAM )
     int16 aExp, shiftCount;
     bits64 aSig, savedASig;
     int32 z;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -2525,6 +2589,7 @@ int64 float64_to_int64( float64 a STATUS_PARAM )
     flag aSign;
     int16 aExp, shiftCount;
     bits64 aSig, aSigExtra;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -2568,6 +2633,7 @@ int64 float64_to_int64_round_to_zero( float64 a STATUS_PARAM )
     int16 aExp, shiftCount;
     bits64 aSig;
     int64 z;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -2617,6 +2683,7 @@ float32 float64_to_float32( float64 a STATUS_PARAM )
     int16 aExp;
     bits64 aSig;
     bits32 zSig;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -2694,6 +2761,7 @@ bits16 float32_to_float16( float32 a, flag ieee STATUS_PARAM)
     bits32 mask;
     bits32 increment;
     int8 roundingMode;
+    a = float32_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
@@ -2788,6 +2856,7 @@ floatx80 float64_to_floatx80( float64 a STATUS_PARAM )
     int16 aExp;
     bits64 aSig;
 
+    a = float64_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
     aSign = extractFloat64Sign( a );
@@ -2822,6 +2891,7 @@ float128 float64_to_float128( float64 a STATUS_PARAM )
     int16 aExp;
     bits64 aSig, zSig0, zSig1;
 
+    a = float64_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
     aSign = extractFloat64Sign( a );
@@ -2855,6 +2925,7 @@ float64 float64_round_to_int( float64 a STATUS_PARAM )
     bits64 lastBitMask, roundBitsMask;
     int8 roundingMode;
     bits64 z;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aExp = extractFloat64Exp( a );
     if ( 0x433 <= aExp ) {
@@ -3071,6 +3142,8 @@ static float64 subFloat64Sigs( float64 a, float64 b, flag zSign STATUS_PARAM )
 float64 float64_add( float64 a, float64 b STATUS_PARAM )
 {
     flag aSign, bSign;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     aSign = extractFloat64Sign( a );
     bSign = extractFloat64Sign( b );
@@ -3092,6 +3165,8 @@ float64 float64_add( float64 a, float64 b STATUS_PARAM )
 float64 float64_sub( float64 a, float64 b STATUS_PARAM )
 {
     flag aSign, bSign;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     aSign = extractFloat64Sign( a );
     bSign = extractFloat64Sign( b );
@@ -3116,6 +3191,9 @@ float64 float64_mul( float64 a, float64 b STATUS_PARAM )
     int16 aExp, bExp, zExp;
     bits64 aSig, bSig, zSig0, zSig1;
 
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
+
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
     aSign = extractFloat64Sign( a );
@@ -3175,6 +3253,8 @@ float64 float64_div( float64 a, float64 b STATUS_PARAM )
     bits64 aSig, bSig, zSig;
     bits64 rem0, rem1;
     bits64 term0, term1;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -3246,6 +3326,8 @@ float64 float64_rem( float64 a, float64 b STATUS_PARAM )
     bits64 q, alternateASig;
     sbits64 sigMean;
 
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
     aSign = extractFloat64Sign( a );
@@ -3328,6 +3410,7 @@ float64 float64_sqrt( float64 a STATUS_PARAM )
     int16 aExp, zExp;
     bits64 aSig, zSig, doubleZSig;
     bits64 rem0, rem1, term0, term1;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -3377,6 +3460,7 @@ float64 float64_log2( float64 a STATUS_PARAM )
     flag aSign, zSign;
     int16 aExp;
     bits64 aSig, aSig0, aSig1, zSig, i;
+    a = float64_squash_input_denormal(a STATUS_VAR);
 
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
@@ -3422,6 +3506,8 @@ float64 float64_log2( float64 a STATUS_PARAM )
 int float64_eq( float64 a, float64 b STATUS_PARAM )
 {
     bits64 av, bv;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat64Exp( a ) == 0x7FF ) && extractFloat64Frac( a ) )
          || ( ( extractFloat64Exp( b ) == 0x7FF ) && extractFloat64Frac( b ) )
@@ -3448,6 +3534,8 @@ int float64_le( float64 a, float64 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits64 av, bv;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat64Exp( a ) == 0x7FF ) && extractFloat64Frac( a ) )
          || ( ( extractFloat64Exp( b ) == 0x7FF ) && extractFloat64Frac( b ) )
@@ -3475,6 +3563,8 @@ int float64_lt( float64 a, float64 b STATUS_PARAM )
     flag aSign, bSign;
     bits64 av, bv;
 
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
     if (    ( ( extractFloat64Exp( a ) == 0x7FF ) && extractFloat64Frac( a ) )
          || ( ( extractFloat64Exp( b ) == 0x7FF ) && extractFloat64Frac( b ) )
        ) {
@@ -3500,6 +3590,8 @@ int float64_lt( float64 a, float64 b STATUS_PARAM )
 int float64_eq_signaling( float64 a, float64 b STATUS_PARAM )
 {
     bits64 av, bv;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat64Exp( a ) == 0x7FF ) && extractFloat64Frac( a ) )
          || ( ( extractFloat64Exp( b ) == 0x7FF ) && extractFloat64Frac( b ) )
@@ -3524,6 +3616,8 @@ int float64_le_quiet( float64 a, float64 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits64 av, bv;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat64Exp( a ) == 0x7FF ) && extractFloat64Frac( a ) )
          || ( ( extractFloat64Exp( b ) == 0x7FF ) && extractFloat64Frac( b ) )
@@ -3553,6 +3647,8 @@ int float64_lt_quiet( float64 a, float64 b STATUS_PARAM )
 {
     flag aSign, bSign;
     bits64 av, bv;
+    a = float64_squash_input_denormal(a STATUS_VAR);
+    b = float64_squash_input_denormal(b STATUS_VAR);
 
     if (    ( ( extractFloat64Exp( a ) == 0x7FF ) && extractFloat64Frac( a ) )
          || ( ( extractFloat64Exp( b ) == 0x7FF ) && extractFloat64Frac( b ) )
@@ -5833,6 +5929,8 @@ INLINE int float ## s ## _compare_internal( float ## s a, float ## s b,      \
 {                                                                            \
     flag aSign, bSign;                                                       \
     bits ## s av, bv;                                                        \
+    a = float ## s ## _squash_input_denormal(a STATUS_VAR);                  \
+    b = float ## s ## _squash_input_denormal(b STATUS_VAR);                  \
                                                                              \
     if (( ( extractFloat ## s ## Exp( a ) == nan_exp ) &&                    \
          extractFloat ## s ## Frac( a ) ) ||                                 \
@@ -5929,6 +6027,7 @@ float32 float32_scalbn( float32 a, int n STATUS_PARAM )
     int16 aExp;
     bits32 aSig;
 
+    a = float32_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat32Frac( a );
     aExp = extractFloat32Exp( a );
     aSign = extractFloat32Sign( a );
@@ -5952,6 +6051,7 @@ float64 float64_scalbn( float64 a, int n STATUS_PARAM )
     int16 aExp;
     bits64 aSig;
 
+    a = float64_squash_input_denormal(a STATUS_VAR);
     aSig = extractFloat64Frac( a );
     aExp = extractFloat64Exp( a );
     aSign = extractFloat64Sign( a );
diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index f2104c6..15052cc 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -180,7 +180,8 @@ enum {
     float_flag_divbyzero =  4,
     float_flag_overflow  =  8,
     float_flag_underflow = 16,
-    float_flag_inexact   = 32
+    float_flag_inexact   = 32,
+    float_flag_input_denormal = 64
 };
 
 typedef struct float_status {
@@ -190,7 +191,10 @@ typedef struct float_status {
 #ifdef FLOATX80
     signed char floatx80_rounding_precision;
 #endif
+    /* should denormalised results go to zero and set the inexact flag? */
     flag flush_to_zero;
+    /* should denormalised inputs go to zero and set the input_denormal flag? */
+    flag flush_inputs_to_zero;
     flag default_nan_mode;
 } float_status;
 
@@ -200,6 +204,10 @@ INLINE void set_flush_to_zero(flag val STATUS_PARAM)
 {
     STATUS(flush_to_zero) = val;
 }
+INLINE void set_flush_inputs_to_zero(flag val STATUS_PARAM)
+{
+    STATUS(flush_inputs_to_zero) = val;
+}
 INLINE void set_default_nan_mode(flag val STATUS_PARAM)
 {
     STATUS(default_nan_mode) = val;
@@ -294,11 +302,17 @@ float32 float32_scalbn( float32, int STATUS_PARAM );
 
 INLINE float32 float32_abs(float32 a)
 {
+    /* Note that abs does *not* handle NaN specially, nor does
+     * it flush denormal inputs to zero.
+     */
     return make_float32(float32_val(a) & 0x7fffffff);
 }
 
 INLINE float32 float32_chs(float32 a)
 {
+    /* Note that chs does *not* handle NaN specially, nor does
+     * it flush denormal inputs to zero.
+     */
     return make_float32(float32_val(a) ^ 0x80000000);
 }
 
@@ -374,11 +388,17 @@ float64 float64_scalbn( float64, int STATUS_PARAM );
 
 INLINE float64 float64_abs(float64 a)
 {
+    /* Note that abs does *not* handle NaN specially, nor does
+     * it flush denormal inputs to zero.
+     */
     return make_float64(float64_val(a) & 0x7fffffffffffffffLL);
 }
 
 INLINE float64 float64_chs(float64 a)
 {
+    /* Note that chs does *not* handle NaN specially, nor does
+     * it flush denormal inputs to zero.
+     */
     return make_float64(float64_val(a) ^ 0x8000000000000000LL);
 }
 
commit 838fa72d0b721766616e94a0f7dc76b15146cd82
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 19:53:56 2011 +0100

    target-arm: fix SMMLA/SMMLS instructions
    
    SMMLA and SMMLS are broken on both in normal and thumb mode, that is
    both (different) implementations are wrong. They try to avoid a 64-bit
    add for the rounding, which is not trivial if you want to support both
    SMMLA and SMMLS with the same code.
    
    The code below uses the same implementation for both modes, using the
    code from the ARM manual. It also fixes the thumb decoding that was a
    mix between normal and thumb mode.
    
    This fixes the issues reported in
    https://bugs.launchpad.net/qemu/+bug/629298
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 2598268..2ce82f3 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -287,11 +287,32 @@ static void gen_bfi(TCGv dest, TCGv base, TCGv val, int shift, uint32_t mask)
     tcg_gen_or_i32(dest, base, val);
 }
 
-/* Round the top 32 bits of a 64-bit value.  */
-static void gen_roundqd(TCGv a, TCGv b)
+/* Return (b << 32) + a. Mark inputs as dead */
+static TCGv_i64 gen_addq_msw(TCGv_i64 a, TCGv b)
 {
-    tcg_gen_shri_i32(a, a, 31);
-    tcg_gen_add_i32(a, a, b);
+    TCGv_i64 tmp64 = tcg_temp_new_i64();
+
+    tcg_gen_extu_i32_i64(tmp64, b);
+    dead_tmp(b);
+    tcg_gen_shli_i64(tmp64, tmp64, 32);
+    tcg_gen_add_i64(a, tmp64, a);
+
+    tcg_temp_free_i64(tmp64);
+    return a;
+}
+
+/* Return (b << 32) - a. Mark inputs as dead. */
+static TCGv_i64 gen_subq_msw(TCGv_i64 a, TCGv b)
+{
+    TCGv_i64 tmp64 = tcg_temp_new_i64();
+
+    tcg_gen_extu_i32_i64(tmp64, b);
+    dead_tmp(b);
+    tcg_gen_shli_i64(tmp64, tmp64, 32);
+    tcg_gen_sub_i64(a, tmp64, a);
+
+    tcg_temp_free_i64(tmp64);
+    return a;
 }
 
 /* FIXME: Most targets have native widening multiplication.
@@ -325,22 +346,6 @@ static TCGv_i64 gen_muls_i64_i32(TCGv a, TCGv b)
     return tmp1;
 }
 
-/* Signed 32x32->64 multiply.  */
-static void gen_imull(TCGv a, TCGv b)
-{
-    TCGv_i64 tmp1 = tcg_temp_new_i64();
-    TCGv_i64 tmp2 = tcg_temp_new_i64();
-
-    tcg_gen_ext_i32_i64(tmp1, a);
-    tcg_gen_ext_i32_i64(tmp2, b);
-    tcg_gen_mul_i64(tmp1, tmp1, tmp2);
-    tcg_temp_free_i64(tmp2);
-    tcg_gen_trunc_i64_i32(a, tmp1);
-    tcg_gen_shri_i64(tmp1, tmp1, 32);
-    tcg_gen_trunc_i64_i32(b, tmp1);
-    tcg_temp_free_i64(tmp1);
-}
-
 /* Swap low and high halfwords.  */
 static void gen_swap_half(TCGv var)
 {
@@ -6953,23 +6958,25 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                     tmp = load_reg(s, rm);
                     tmp2 = load_reg(s, rs);
                     if (insn & (1 << 20)) {
-                        /* Signed multiply most significant [accumulate].  */
+                        /* Signed multiply most significant [accumulate].
+                           (SMMUL, SMMLA, SMMLS) */
                         tmp64 = gen_muls_i64_i32(tmp, tmp2);
-                        if (insn & (1 << 5))
-                            tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
-                        tcg_gen_shri_i64(tmp64, tmp64, 32);
-                        tmp = new_tmp();
-                        tcg_gen_trunc_i64_i32(tmp, tmp64);
-                        tcg_temp_free_i64(tmp64);
+
                         if (rd != 15) {
-                            tmp2 = load_reg(s, rd);
+                            tmp = load_reg(s, rd);
                             if (insn & (1 << 6)) {
-                                tcg_gen_sub_i32(tmp, tmp, tmp2);
+                                tmp64 = gen_subq_msw(tmp64, tmp);
                             } else {
-                                tcg_gen_add_i32(tmp, tmp, tmp2);
+                                tmp64 = gen_addq_msw(tmp64, tmp);
                             }
-                            dead_tmp(tmp2);
                         }
+                        if (insn & (1 << 5)) {
+                            tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
+                        }
+                        tcg_gen_shri_i64(tmp64, tmp64, 32);
+                        tmp = new_tmp();
+                        tcg_gen_trunc_i64_i32(tmp, tmp64);
+                        tcg_temp_free_i64(tmp64);
                         store_reg(s, rn, tmp);
                     } else {
                         if (insn & (1 << 5))
@@ -7840,24 +7847,23 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                     dead_tmp(tmp2);
                   }
                 break;
-            case 5: case 6: /* 32 * 32 -> 32msb */
-                gen_imull(tmp, tmp2);
-                if (insn & (1 << 5)) {
-                    gen_roundqd(tmp, tmp2);
-                    dead_tmp(tmp2);
-                } else {
-                    dead_tmp(tmp);
-                    tmp = tmp2;
-                }
+            case 5: case 6: /* 32 * 32 -> 32msb (SMMUL, SMMLA, SMMLS) */
+                tmp64 = gen_muls_i64_i32(tmp, tmp2);
                 if (rs != 15) {
-                    tmp2 = load_reg(s, rs);
-                    if (insn & (1 << 21)) {
-                        tcg_gen_add_i32(tmp, tmp, tmp2);
+                    tmp = load_reg(s, rs);
+                    if (insn & (1 << 20)) {
+                        tmp64 = gen_addq_msw(tmp64, tmp);
                     } else {
-                        tcg_gen_sub_i32(tmp, tmp2, tmp);
+                        tmp64 = gen_subq_msw(tmp64, tmp);
                     }
-                    dead_tmp(tmp2);
                 }
+                if (insn & (1 << 4)) {
+                    tcg_gen_addi_i64(tmp64, tmp64, 0x80000000u);
+                }
+                tcg_gen_shri_i64(tmp64, tmp64, 32);
+                tmp = new_tmp();
+                tcg_gen_trunc_i64_i32(tmp, tmp64);
+                tcg_temp_free_i64(tmp64);
                 break;
             case 7: /* Unsigned sum of absolute differences.  */
                 gen_helper_usad8(tmp, tmp, tmp2);
commit ea59ccd22c3957f9ef8c7828b5c1e778ab35b302
Merge: 5e10257... 7572150...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 19:14:12 2011 -0200

    Merge commit '7572150c189c6553c2448334116ab717680de66d' into upstream-merge
    
    * commit '7572150c189c6553c2448334116ab717680de66d':
      vnc/spice: add set_passwd monitor command.
      vnc: support password expire
      vnc: auth reject cleanup
      spice: add qmp 'query-spice' and hmp 'info spice' commands.
      spice: connection events.
    
    Conflicts:
    	hmp-commands.hx
    	monitor.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hmp-commands.hx
index f610004,f0ae3b9..d8ae9f0
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@@ -1135,19 -1135,60 +1135,73 @@@ Set the encrypted device @var{device} p
  ETEXI
  
      {
 +        .name       = "cpu_set",
 +        .args_type  = "cpu:i,state:s",
 +        .params     = "cpu [online|offline]",
 +        .help       = "change cpu state",
 +        .mhandler.cmd  = do_cpu_set_nr,
 +    },
 +
 +STEXI
 + at item cpu_set @var{cpu} [online|offline]
 +Set CPU @var{cpu} online or offline.
 +ETEXI
 +
 +    {
+         .name       = "set_password",
+         .args_type  = "protocol:s,password:s,connected:s?",
+         .params     = "protocol password action-if-connected",
+         .help       = "set spice/vnc password",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = set_password,
+     },
+ 
+ STEXI
+ @item set_password [ vnc | spice ] password [ action-if-connected ]
+ @findex set_password
+ 
+ Change spice/vnc password.  Use zero to make the password stay valid
+ forever.  @var{action-if-connected} specifies what should happen in
+ case a connection is established: @var{fail} makes the password change
+ fail.  @var{disconnect} changes the password and disconnects the
+ client.  @var{keep} changes the password and keeps the connection up.
+ @var{keep} is the default.
+ ETEXI
+ 
+     {
+         .name       = "expire_password",
+         .args_type  = "protocol:s,time:s",
+         .params     = "protocol time",
+         .help       = "set spice/vnc password expire-time",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = expire_password,
+     },
+ 
+ STEXI
+ @item expire_password [ vnc | spice ] expire-time
+ @findex expire_password
+ 
+ Specify when a password for spice/vnc becomes
+ invalid. @var{expire-time} accepts:
+ 
+ @table @var
+ @item now
+ Invalidate password instantly.
+ 
+ @item never
+ Password stays valid forever.
+ 
+ @item +nsec
+ Password stays valid for @var{nsec} seconds starting now.
+ 
+ @item nsec
+ Password is invalidated at the given time.  @var{nsec} are the seconds
+ passed since 1970, i.e. unix epoch.
+ 
+ @end table
+ ETEXI
+ 
+     {
          .name       = "info",
          .args_type  = "item:s?",
          .params     = "[subcommand]",
diff --cc monitor.c
index c789e9a,b13a363..24e6c69
--- a/monitor.c
+++ b/monitor.c
@@@ -59,7 -60,7 +60,8 @@@
  #ifdef CONFIG_SIMPLE_TRACE
  #include "trace.h"
  #endif
+ #include "ui/qemu-spice.h"
 +#include "qemu-kvm.h"
  
  //#define DEBUG
  //#define DEBUG_COMPLETION
commit 5e10257364dd653cae26eb61b699f8562f445d4d
Merge: d65356c... a19cbfb...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 18:57:47 2011 -0200

    Merge commit 'a19cbfb346425cc760ed19b4e746417df636b761' into upstream-merge
    
    * commit 'a19cbfb346425cc760ed19b4e746417df636b761':
      spice: add qxl device
      spice: add qxl vgabios binary.
    
    Conflicts:
    	Makefile.target
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.target
index ff0c1ba,c40833b..c904ae3
--- a/Makefile.target
+++ b/Makefile.target
@@@ -225,22 -222,9 +225,23 @@@ obj-i386-y += mc146818rtc.o i8259.o pc.
  obj-i386-y += cirrus_vga.o apic.o ioapic.o piix_pci.o
  obj-i386-y += vmmouse.o vmport.o hpet.o applesmc.o
  obj-i386-y += device-hotplug.o pci-hotplug.o smbios.o wdt_ib700.o
 +obj-i386-y += extboot.o
  obj-i386-y += debugcon.o multiboot.o
  obj-i386-y += pc_piix.o
+ obj-i386-$(CONFIG_SPICE) += qxl.o qxl-logger.o qxl-render.o
 +obj-i386-y += testdev.o
 +obj-i386-y += acpi.o acpi_piix4.o
 +
 +obj-i386-y += pcspk.o i8254.o
 +obj-i386-$(CONFIG_KVM_PIT) += i8254-kvm.o
 +obj-i386-$(CONFIG_KVM_DEVICE_ASSIGNMENT) += device-assignment.o
 +
 +# Hardware support
 +obj-ia64-y += ide.o pckbd.o vga.o $(SOUND_HW) dma.o $(AUDIODRV)
 +obj-ia64-y += fdc.o mc146818rtc.o serial.o i8259.o ipf.o
 +obj-ia64-y += cirrus_vga.o parallel.o acpi.o piix_pci.o
 +obj-ia64-y += usb-uhci.o
 +obj-ia64-$(CONFIG_KVM_DEVICE_ASSIGNMENT) += device-assignment.o
  
  # shared objects
  obj-ppc-y = ppc.o
diff --cc hw/pc.c
index df17168,f28e237..aeecb16
--- a/hw/pc.c
+++ b/hw/pc.c
@@@ -39,9 -39,8 +39,10 @@@
  #include "msix.h"
  #include "sysbus.h"
  #include "sysemu.h"
 +#include "device-assignment.h"
 +#include "kvm.h"
  #include "blockdev.h"
+ #include "ui/qemu-spice.h"
  
  /* output Bochs bios info messages */
  //#define DEBUG_BIOS
commit d65356c9b59a1894aede7fa37e7fda2859bd3215
Merge: 0768091... 624c716...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 18:53:20 2011 -0200

    Merge commit '624c716cc576ec5e6bed50da3deb45aa9537cacd' into upstream-merge
    
    * commit '624c716cc576ec5e6bed50da3deb45aa9537cacd':
      Makefile: make msix/msi depend on CONFIG_PCI
    
    Conflicts:
    	Makefile.objs
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.objs
index 7b38cac,d1e63ce..d4dd535
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -169,7 -168,8 +169,8 @@@ hw-obj-$(CONFIG_VIRTIO) += virtio.o vir
  hw-obj-y += fw_cfg.o
  # FIXME: Core PCI code and its direct dependencies are required by the
  # QMP query-pci command.
- hw-obj-y += pci_bridge.o msix.o msi.o
 -hw-obj-y += pci.o pci_bridge.o
++hw-obj-y += pci_bridge.o
+ hw-obj-$(CONFIG_PCI) += msix.o msi.o
  hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
  hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
  hw-obj-y += watchdog.o
commit 0768091bceffd095f9f2df9f846a596bbb4bed32
Merge: 4f5c5b0... 962630f...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 18:46:00 2011 -0200

    Merge commit '962630f207a33b7de4316022884b5241e05491cd' into upstream-merge
    
    * commit '962630f207a33b7de4316022884b5241e05491cd': (33 commits)
      Pass boot device list to firmware.
      Add notifier that will be called when machine is fully created.
      Add bootindex for option roms.
      Change fw_cfg_add_file() to get full file path as a parameter.
      Add bootindex parameter to net/block/fd device
      Add get_fw_dev_path callback to scsi bus.
      Add get_fw_dev_path callback for usb bus.
      Record which USBDevice USBPort belongs too.
      Add get_fw_dev_path callback for pci bus.
      Add get_fw_dev_path callback for system bus.
      Add get_fw_dev_path callback to IDE bus.
      Store IDE bus id in IDEBus structure for easy access.
      Add get_fw_dev_path callback to ISA bus in qdev.
      Keep track of ISA ports ISA device is using in qdev.
      Introduce new BusInfo callback get_fw_dev_path.
      Introduce fw_name field to DeviceInfo structure.
      monitor: implement x86 info mem for PAE and long modes
      monitor: implement x86 info tlb for PAE and long modes
      wdt_i6300esb: register a reset function
      isa-bus.c: use hw_error instead of fprintf
      ...
    
    Conflicts:
    	vl.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.objs
index d5f6c1f,cebb945..7b38cac
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -185,14 -184,13 +185,15 @@@ hw-obj-$(CONFIG_EMPTY_SLOT) += empty_sl
  
  hw-obj-$(CONFIG_SERIAL) += serial.o
  hw-obj-$(CONFIG_PARALLEL) += parallel.o
 -hw-obj-$(CONFIG_I8254) += i8254.o
 -hw-obj-$(CONFIG_PCSPK) += pcspk.o
 +# Moved back to Makefile.target due to #include qemu-kvm.h:
 +#hw-obj-$(CONFIG_I8254) += i8254.o
 +#hw-obj-$(CONFIG_PCSPK) += pcspk.o
  hw-obj-$(CONFIG_PCKBD) += pckbd.o
  hw-obj-$(CONFIG_USB_UHCI) += usb-uhci.o
+ hw-obj-$(CONFIG_USB_OHCI) += usb-ohci.o
  hw-obj-$(CONFIG_FDC) += fdc.o
 -hw-obj-$(CONFIG_ACPI) += acpi.o acpi_piix4.o
 +# needs fixes for cpu hotplug, so moved to Makefile.target:
 +# hw-obj-$(CONFIG_ACPI) += acpi.o acpi_piix4.o
  hw-obj-$(CONFIG_APM) += pm_smbus.o apm.o
  hw-obj-$(CONFIG_DMA) += dma.o
  
diff --cc hw/pc.c
index ea8a2a1,e1b2667..df17168
--- a/hw/pc.c
+++ b/hw/pc.c
@@@ -960,11 -955,6 +961,15 @@@ void pc_memory_init(ram_addr_t ram_size
                                   isa_bios_size,
                                   (bios_offset + bios_size - isa_bios_size) | IO_MEM_ROM);
  
 +    if (extboot_drive) {
-         option_rom[nb_option_roms++] = qemu_strdup(EXTBOOT_FILENAME);
++        option_rom[nb_option_roms].name = qemu_strdup(EXTBOOT_FILENAME);
++        option_rom[nb_option_roms].bootindex = 0;
++        nb_option_roms++;
 +    }
-     option_rom[nb_option_roms++] = qemu_strdup(VAPIC_FILENAME);
++    option_rom[nb_option_roms].name = qemu_strdup(VAPIC_FILENAME);
++    option_rom[nb_option_roms].bootindex = -1;
++    nb_option_roms++;
 +
      option_rom_offset = qemu_ram_alloc(NULL, "pc.rom", PC_ROM_SIZE);
      cpu_register_physical_memory(PC_ROM_MIN_VGA, PC_ROM_SIZE, option_rom_offset);
  
diff --cc vl.c
index e1eceb2,c4d3fc0..3bb854e
--- a/vl.c
+++ b/vl.c
@@@ -219,20 -218,28 +219,31 @@@ int cursor_hide = 1
  int graphic_rotate = 0;
  uint8_t irq0override = 1;
  const char *watchdog;
- const char *option_rom[MAX_OPTION_ROMS];
+ QEMUOptionRom option_rom[MAX_OPTION_ROMS];
  int nb_option_roms;
  int semihosting_enabled = 0;
 +int time_drift_fix = 0;
 +unsigned int kvm_shadow_memory = 0;
  int old_param = 0;
  const char *qemu_name;
  int alt_grab = 0;
  int ctrl_grab = 0;
  unsigned int nb_prom_envs = 0;
  const char *prom_envs[MAX_PROM_ENVS];
 +const char *nvram = NULL;
  int boot_menu;
  
+ typedef struct FWBootEntry FWBootEntry;
+ 
+ struct FWBootEntry {
+     QTAILQ_ENTRY(FWBootEntry) link;
+     int32_t bootindex;
+     DeviceState *dev;
+     char *suffix;
+ };
+ 
+ QTAILQ_HEAD(, FWBootEntry) fw_boot_order = QTAILQ_HEAD_INITIALIZER(fw_boot_order);
+ 
  int nb_numa_nodes;
  uint64_t node_mem[MAX_NODES];
  uint64_t node_cpumask[MAX_NODES];
@@@ -247,7 -254,10 +258,10 @@@ static void *boot_set_opaque
  static NotifierList exit_notifiers =
      NOTIFIER_LIST_INITIALIZER(exit_notifiers);
  
+ static NotifierList machine_init_done_notifiers =
+     NOTIFIER_LIST_INITIALIZER(machine_init_done_notifiers);
+ 
 -int kvm_allowed = 0;
 +int kvm_allowed = -1;
  uint32_t xen_domid;
  enum xen_mode xen_mode = XEN_EMULATE;
  
commit 4f5c5b063247675a7d76df7c75f3af2cc979db38
Merge: 4598704... 4a9dd66...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 17:59:52 2011 -0200

    Merge commit '4a9dd6658268a942a8ea230f950a951229355cbb' into upstream-merge
    
    * commit '4a9dd6658268a942a8ea230f950a951229355cbb':
      pci: untangle pci/msi dependency
      pci: make command SERR bit writable
      virtio-net: stop/start bh when appropriate
      virtio-net: don't dma while vm is stopped
      migration/savevm: no need to flush requests
      cpus: flush all requests on each vm stop
      net/sock: option to specify local address
    
    Conflicts:
    	hw/pci.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/pci.c
index 5773dfb,254647b..fbac159
--- a/hw/pci.c
+++ b/hw/pci.c
@@@ -1188,28 -1097,6 +1191,11 @@@ static void pci_set_irq(void *opaque, i
      pci_change_irq_level(pci_dev, irq_num, change);
  }
  
- bool pci_msi_enabled(PCIDevice *dev)
- {
-     return msix_enabled(dev) || msi_enabled(dev);
- }
- 
- void pci_msi_notify(PCIDevice *dev, unsigned int vector)
- {
-     if (msix_enabled(dev)) {
-         msix_notify(dev, vector);
-     } else if (msi_enabled(dev)) {
-         msi_notify(dev, vector);
-     } else {
-         /* MSI/MSI-X must be enabled */
-         abort();
-     }
- }
- 
 +int pci_map_irq(PCIDevice *pci_dev, int pin)
 +{
 +    return pci_dev->bus->map_irq(pci_dev, pin);
 +}
 +
  /***********************************************************/
  /* monitor info on PCI */
  
diff --cc hw/pci.h
index 912b61c,aa3afe9..50aad49
--- a/hw/pci.h
+++ b/hw/pci.h
@@@ -120,18 -118,12 +120,22 @@@ enum 
      /* multifunction capable device */
  #define QEMU_PCI_CAP_MULTIFUNCTION_BITNR        3
      QEMU_PCI_CAP_MULTIFUNCTION = (1 << QEMU_PCI_CAP_MULTIFUNCTION_BITNR),
+ 
+     /* command register SERR bit enabled */
+ #define QEMU_PCI_CAP_SERR_BITNR 4
+     QEMU_PCI_CAP_SERR = (1 << QEMU_PCI_CAP_SERR_BITNR),
  };
  
 +typedef int (*msix_mask_notifier_func)(PCIDevice *, unsigned vector,
 +				       int masked);
 +
 +struct kvm_msix_message {
 +    uint32_t gsi;
 +    uint32_t addr_lo;
 +    uint32_t addr_hi;
 +    uint32_t data;
 +};
 +
  struct PCIDevice {
      DeviceState qdev;
      /* PCI config space */
commit 4598704bba5f10fcd6591b15be2ad99b7622a06a
Merge: 833ae13... 2507c12...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 17:54:29 2011 -0200

    Merge commit '2507c12ab026b2286b0a47035c629f3d568c96f4' into upstream-merge
    
    * commit '2507c12ab026b2286b0a47035c629f3d568c96f4': (89 commits)
      Add endianness as io mem parameter
      exec: introduce endianness swapped mmio
      noaudio: fix return value for read()
      ppc: kvm: fix signedness warning
      Speedup 'tb_find_slow' by using the same heuristic as during memory page lookup
      Remove unused spin_trylock() function
      darwin-user: Use GCC_FMT_ATTR (format checking)
      audio: Use GCC_FMT_ATTR (format checking)
      target-sparc: Use fprintf_function (format checking)
      *-dis: Replace fprintf_ftype by fprintf_function (format checking)
      Fix mingw32 and OpenBSD warnings
      exec: Remove debugging fprintf() that slipped into qemu_ram_alloc_from_ptr()
      linux-user: fix mips and ppc to use UID16
      update binfmt conf
      linux-user: fix compiler error on nptl
      ARM: linux-user: Restore iWMMXT state from ucontext on sigreturn
      ARM: linux-user: Expose iWMMXT registers to signal handlers
      ARM: linux-user: Restore VFP state from ucontext on sigreturn
      ARM: linux-user: Expose VFP registers to signal handlers
      ARM: Expose vfp_get_fpscr() and vfp_set_fpscr() to C code
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc blockdev.c
index af0a99e,f6ac439..0392d42
--- a/blockdev.c
+++ b/blockdev.c
@@@ -14,9 -14,9 +14,11 @@@
  #include "qemu-option.h"
  #include "qemu-config.h"
  #include "sysemu.h"
+ #include "hw/qdev.h"
+ #include "block_int.h"
  
 +DriveInfo *extboot_drive = NULL;
 +
  static QTAILQ_HEAD(drivelist, DriveInfo) drives = QTAILQ_HEAD_INITIALIZER(drives);
  
  /*
diff --cc blockdev.h
index 5c41f3e,4cb8ca9..5c5c6cf
--- a/blockdev.h
+++ b/blockdev.h
@@@ -51,7 -51,6 +51,8 @@@ int do_eject(Monitor *mon, const QDict 
  int do_block_set_passwd(Monitor *mon, const QDict *qdict, QObject **ret_data);
  int do_change_block(Monitor *mon, const char *device,
                      const char *filename, const char *fmt);
+ int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data);
  
 +extern DriveInfo *extboot_drive;
 +
  #endif
diff --cc hw/device-assignment.c
index 8446cd4,0000000..a25f3e0
mode 100644,000000..100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@@ -1,1911 -1,0 +1,1913 @@@
 +/*
 + * Copyright (c) 2007, Neocleus Corporation.
 + *
 + * This program is free software; you can redistribute it and/or modify it
 + * under the terms and conditions of the GNU General Public License,
 + * version 2, as published by the Free Software Foundation.
 + *
 + * This program is distributed in the hope it will be useful, but WITHOUT
 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
 + * more details.
 + *
 + * You should have received a copy of the GNU General Public License along with
 + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
 + * Place - Suite 330, Boston, MA 02111-1307 USA.
 + *
 + *
 + *  Assign a PCI device from the host to a guest VM.
 + *
 + *  Adapted for KVM by Qumranet.
 + *
 + *  Copyright (c) 2007, Neocleus, Alex Novik (alex at neocleus.com)
 + *  Copyright (c) 2007, Neocleus, Guy Zana (guy at neocleus.com)
 + *  Copyright (C) 2008, Qumranet, Amit Shah (amit.shah at qumranet.com)
 + *  Copyright (C) 2008, Red Hat, Amit Shah (amit.shah at redhat.com)
 + *  Copyright (C) 2008, IBM, Muli Ben-Yehuda (muli at il.ibm.com)
 + */
 +#include <stdio.h>
 +#include <unistd.h>
 +#include <sys/io.h>
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +#include "qemu-kvm.h"
 +#include "hw.h"
 +#include "pc.h"
 +#include "qemu-error.h"
 +#include "console.h"
 +#include "device-assignment.h"
 +#include "loader.h"
 +#include "monitor.h"
 +#include "range.h"
 +#include <pci/header.h>
 +
 +/* From linux/ioport.h */
 +#define IORESOURCE_IO       0x00000100  /* Resource type */
 +#define IORESOURCE_MEM      0x00000200
 +#define IORESOURCE_IRQ      0x00000400
 +#define IORESOURCE_DMA      0x00000800
 +#define IORESOURCE_PREFETCH 0x00001000  /* No side effects */
 +
 +/* #define DEVICE_ASSIGNMENT_DEBUG 1 */
 +
 +#ifdef DEVICE_ASSIGNMENT_DEBUG
 +#define DEBUG(fmt, ...)                                       \
 +    do {                                                      \
 +      fprintf(stderr, "%s: " fmt, __func__ , __VA_ARGS__);    \
 +    } while (0)
 +#else
 +#define DEBUG(fmt, ...) do { } while(0)
 +#endif
 +
 +static void assigned_dev_load_option_rom(AssignedDevice *dev);
 +
 +static void assigned_dev_unregister_msix_mmio(AssignedDevice *dev);
 +
 +static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev,
 +                                                 uint32_t address,
 +                                                 uint32_t val, int len);
 +
 +static uint32_t assigned_device_pci_cap_read_config(PCIDevice *pci_dev,
 +                                                    uint32_t address, int len);
 +
 +static uint32_t assigned_dev_ioport_rw(AssignedDevRegion *dev_region,
 +                                       uint32_t addr, int len, uint32_t *val)
 +{
 +    uint32_t ret = 0;
 +    uint32_t offset = addr - dev_region->e_physbase;
 +    int fd = dev_region->region->resource_fd;
 +
 +    if (fd >= 0) {
 +        if (val) {
 +            DEBUG("pwrite val=%x, len=%d, e_phys=%x, offset=%x\n",
 +                  *val, len, addr, offset);
 +            if (pwrite(fd, val, len, offset) != len) {
 +                fprintf(stderr, "%s - pwrite failed %s\n",
 +                        __func__, strerror(errno));
 +            }
 +        } else {
 +            if (pread(fd, &ret, len, offset) != len) {
 +                fprintf(stderr, "%s - pread failed %s\n",
 +                        __func__, strerror(errno));
 +                ret = (1UL << (len * 8)) - 1;
 +            }
 +            DEBUG("pread ret=%x, len=%d, e_phys=%x, offset=%x\n",
 +                  ret, len, addr, offset);
 +        }
 +    } else {
 +        uint32_t port = offset + dev_region->u.r_baseport;
 +
 +        if (val) {
 +            DEBUG("out val=%x, len=%d, e_phys=%x, host=%x\n",
 +                  *val, len, addr, port);
 +            switch (len) {
 +                case 1:
 +                    outb(*val, port);
 +                    break;
 +                case 2:
 +                    outw(*val, port);
 +                    break;
 +                case 4:
 +                    outl(*val, port);
 +                    break;
 +            }
 +        } else {
 +            switch (len) {
 +                case 1:
 +                    ret = inb(port);
 +                    break;
 +                case 2:
 +                    ret = inw(port);
 +                    break;
 +                case 4:
 +                    ret = inl(port);
 +                    break;
 +            }
 +            DEBUG("in val=%x, len=%d, e_phys=%x, host=%x\n",
 +                  ret, len, addr, port);
 +        }
 +    }
 +    return ret;
 +}
 +
 +static void assigned_dev_ioport_writeb(void *opaque, uint32_t addr,
 +                                       uint32_t value)
 +{
 +    assigned_dev_ioport_rw(opaque, addr, 1, &value);
 +    return;
 +}
 +
 +static void assigned_dev_ioport_writew(void *opaque, uint32_t addr,
 +                                       uint32_t value)
 +{
 +    assigned_dev_ioport_rw(opaque, addr, 2, &value);
 +    return;
 +}
 +
 +static void assigned_dev_ioport_writel(void *opaque, uint32_t addr,
 +                       uint32_t value)
 +{
 +    assigned_dev_ioport_rw(opaque, addr, 4, &value);
 +    return;
 +}
 +
 +static uint32_t assigned_dev_ioport_readb(void *opaque, uint32_t addr)
 +{
 +    return assigned_dev_ioport_rw(opaque, addr, 1, NULL);
 +}
 +
 +static uint32_t assigned_dev_ioport_readw(void *opaque, uint32_t addr)
 +{
 +    return assigned_dev_ioport_rw(opaque, addr, 2, NULL);
 +}
 +
 +static uint32_t assigned_dev_ioport_readl(void *opaque, uint32_t addr)
 +{
 +    return assigned_dev_ioport_rw(opaque, addr, 4, NULL);
 +}
 +
 +static uint32_t slow_bar_readb(void *opaque, target_phys_addr_t addr)
 +{
 +    AssignedDevRegion *d = opaque;
 +    uint8_t *in = d->u.r_virtbase + addr;
 +    uint32_t r;
 +
 +    r = *in;
 +    DEBUG("slow_bar_readl addr=0x" TARGET_FMT_plx " val=0x%08x\n", addr, r);
 +
 +    return r;
 +}
 +
 +static uint32_t slow_bar_readw(void *opaque, target_phys_addr_t addr)
 +{
 +    AssignedDevRegion *d = opaque;
 +    uint16_t *in = d->u.r_virtbase + addr;
 +    uint32_t r;
 +
 +    r = *in;
 +    DEBUG("slow_bar_readl addr=0x" TARGET_FMT_plx " val=0x%08x\n", addr, r);
 +
 +    return r;
 +}
 +
 +static uint32_t slow_bar_readl(void *opaque, target_phys_addr_t addr)
 +{
 +    AssignedDevRegion *d = opaque;
 +    uint32_t *in = d->u.r_virtbase + addr;
 +    uint32_t r;
 +
 +    r = *in;
 +    DEBUG("slow_bar_readl addr=0x" TARGET_FMT_plx " val=0x%08x\n", addr, r);
 +
 +    return r;
 +}
 +
 +static void slow_bar_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    AssignedDevRegion *d = opaque;
 +    uint8_t *out = d->u.r_virtbase + addr;
 +
 +    DEBUG("slow_bar_writeb addr=0x" TARGET_FMT_plx " val=0x%02x\n", addr, val);
 +    *out = val;
 +}
 +
 +static void slow_bar_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    AssignedDevRegion *d = opaque;
 +    uint16_t *out = d->u.r_virtbase + addr;
 +
 +    DEBUG("slow_bar_writew addr=0x" TARGET_FMT_plx " val=0x%04x\n", addr, val);
 +    *out = val;
 +}
 +
 +static void slow_bar_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    AssignedDevRegion *d = opaque;
 +    uint32_t *out = d->u.r_virtbase + addr;
 +
 +    DEBUG("slow_bar_writel addr=0x" TARGET_FMT_plx " val=0x%08x\n", addr, val);
 +    *out = val;
 +}
 +
 +static CPUWriteMemoryFunc * const slow_bar_write[] = {
 +    &slow_bar_writeb,
 +    &slow_bar_writew,
 +    &slow_bar_writel
 +};
 +
 +static CPUReadMemoryFunc * const slow_bar_read[] = {
 +    &slow_bar_readb,
 +    &slow_bar_readw,
 +    &slow_bar_readl
 +};
 +
 +static void assigned_dev_iomem_map_slow(PCIDevice *pci_dev, int region_num,
 +                                        pcibus_t e_phys, pcibus_t e_size,
 +                                        int type)
 +{
 +    AssignedDevice *r_dev = container_of(pci_dev, AssignedDevice, dev);
 +    AssignedDevRegion *region = &r_dev->v_addrs[region_num];
 +    PCIRegion *real_region = &r_dev->real_device.regions[region_num];
 +    int m;
 +
 +    DEBUG("%s", "slow map\n");
-     m = cpu_register_io_memory(slow_bar_read, slow_bar_write, region);
++    m = cpu_register_io_memory(slow_bar_read, slow_bar_write, region,
++                               DEVICE_NATIVE_ENDIAN);
 +    cpu_register_physical_memory(e_phys, e_size, m);
 +
 +    /* MSI-X MMIO page */
 +    if ((e_size > 0) &&
 +        real_region->base_addr <= r_dev->msix_table_addr &&
 +        real_region->base_addr + real_region->size >= r_dev->msix_table_addr) {
 +        int offset = r_dev->msix_table_addr - real_region->base_addr;
 +
 +        cpu_register_physical_memory(e_phys + offset,
 +                TARGET_PAGE_SIZE, r_dev->mmio_index);
 +    }
 +}
 +
 +static void assigned_dev_iomem_map(PCIDevice *pci_dev, int region_num,
 +                                   pcibus_t e_phys, pcibus_t e_size, int type)
 +{
 +    AssignedDevice *r_dev = container_of(pci_dev, AssignedDevice, dev);
 +    AssignedDevRegion *region = &r_dev->v_addrs[region_num];
 +    PCIRegion *real_region = &r_dev->real_device.regions[region_num];
 +    int ret = 0;
 +
 +    DEBUG("e_phys=%08" FMT_PCIBUS " r_virt=%p type=%d len=%08" FMT_PCIBUS " region_num=%d \n",
 +          e_phys, region->u.r_virtbase, type, e_size, region_num);
 +
 +    region->e_physbase = e_phys;
 +    region->e_size = e_size;
 +
 +    if (e_size > 0) {
 +        cpu_register_physical_memory(e_phys, e_size, region->memory_index);
 +
 +        /* deal with MSI-X MMIO page */
 +        if (real_region->base_addr <= r_dev->msix_table_addr &&
 +                real_region->base_addr + real_region->size >=
 +                r_dev->msix_table_addr) {
 +            int offset = r_dev->msix_table_addr - real_region->base_addr;
 +
 +            cpu_register_physical_memory(e_phys + offset,
 +                    TARGET_PAGE_SIZE, r_dev->mmio_index);
 +        }
 +    }
 +
 +    if (ret != 0) {
 +	fprintf(stderr, "%s: Error: create new mapping failed\n", __func__);
 +	exit(1);
 +    }
 +}
 +
 +static void assigned_dev_ioport_map(PCIDevice *pci_dev, int region_num,
 +                                    pcibus_t addr, pcibus_t size, int type)
 +{
 +    AssignedDevice *r_dev = container_of(pci_dev, AssignedDevice, dev);
 +    AssignedDevRegion *region = &r_dev->v_addrs[region_num];
 +    int first_map = (region->e_size == 0);
 +    CPUState *env;
 +
 +    region->e_physbase = addr;
 +    region->e_size = size;
 +
 +    DEBUG("e_phys=0x%" FMT_PCIBUS " r_baseport=%x type=0x%x len=%" FMT_PCIBUS " region_num=%d \n",
 +          addr, region->u.r_baseport, type, size, region_num);
 +
 +    if (first_map && region->region->resource_fd < 0) {
 +	struct ioperm_data *data;
 +
 +	data = qemu_mallocz(sizeof(struct ioperm_data));
 +	if (data == NULL) {
 +	    fprintf(stderr, "%s: Out of memory\n", __func__);
 +	    exit(1);
 +	}
 +
 +	data->start_port = region->u.r_baseport;
 +	data->num = region->r_size;
 +	data->turn_on = 1;
 +
 +	kvm_add_ioperm_data(data);
 +
 +	for (env = first_cpu; env; env = env->next_cpu)
 +	    kvm_ioperm(env, data);
 +    }
 +
 +    register_ioport_read(addr, size, 1, assigned_dev_ioport_readb,
 +                         (r_dev->v_addrs + region_num));
 +    register_ioport_read(addr, size, 2, assigned_dev_ioport_readw,
 +                         (r_dev->v_addrs + region_num));
 +    register_ioport_read(addr, size, 4, assigned_dev_ioport_readl,
 +                         (r_dev->v_addrs + region_num));
 +    register_ioport_write(addr, size, 1, assigned_dev_ioport_writeb,
 +                          (r_dev->v_addrs + region_num));
 +    register_ioport_write(addr, size, 2, assigned_dev_ioport_writew,
 +                          (r_dev->v_addrs + region_num));
 +    register_ioport_write(addr, size, 4, assigned_dev_ioport_writel,
 +                          (r_dev->v_addrs + region_num));
 +}
 +
 +static uint32_t assigned_dev_pci_read(PCIDevice *d, int pos, int len)
 +{
 +    AssignedDevice *pci_dev = container_of(d, AssignedDevice, dev);
 +    uint32_t val;
 +    ssize_t ret;
 +    int fd = pci_dev->real_device.config_fd;
 +
 +again:
 +    ret = pread(fd, &val, len, pos);
 +    if (ret != len) {
 +	if ((ret < 0) && (errno == EINTR || errno == EAGAIN))
 +	    goto again;
 +
 +	fprintf(stderr, "%s: pread failed, ret = %zd errno = %d\n",
 +		__func__, ret, errno);
 +
 +	exit(1);
 +    }
 +
 +    return val;
 +}
 +
 +static uint8_t assigned_dev_pci_read_byte(PCIDevice *d, int pos)
 +{
 +    return (uint8_t)assigned_dev_pci_read(d, pos, 1);
 +}
 +
 +static void assigned_dev_pci_write(PCIDevice *d, int pos, uint32_t val, int len)
 +{
 +    AssignedDevice *pci_dev = container_of(d, AssignedDevice, dev);
 +    ssize_t ret;
 +    int fd = pci_dev->real_device.config_fd;
 +
 +again:
 +    ret = pwrite(fd, &val, len, pos);
 +    if (ret != len) {
 +	if ((ret < 0) && (errno == EINTR || errno == EAGAIN))
 +	    goto again;
 +
 +	fprintf(stderr, "%s: pwrite failed, ret = %zd errno = %d\n",
 +		__func__, ret, errno);
 +
 +	exit(1);
 +    }
 +
 +    return;
 +}
 +
 +static uint8_t pci_find_cap_offset(PCIDevice *d, uint8_t cap, uint8_t start)
 +{
 +    int id;
 +    int max_cap = 48;
 +    int pos = start ? start : PCI_CAPABILITY_LIST;
 +    int status;
 +
 +    status = assigned_dev_pci_read_byte(d, PCI_STATUS);
 +    if ((status & PCI_STATUS_CAP_LIST) == 0)
 +        return 0;
 +
 +    while (max_cap--) {
 +        pos = assigned_dev_pci_read_byte(d, pos);
 +        if (pos < 0x40)
 +            break;
 +
 +        pos &= ~3;
 +        id = assigned_dev_pci_read_byte(d, pos + PCI_CAP_LIST_ID);
 +
 +        if (id == 0xff)
 +            break;
 +        if (id == cap)
 +            return pos;
 +
 +        pos += PCI_CAP_LIST_NEXT;
 +    }
 +    return 0;
 +}
 +
 +static void assigned_dev_pci_write_config(PCIDevice *d, uint32_t address,
 +                                          uint32_t val, int len)
 +{
 +    int fd;
 +    ssize_t ret;
 +    AssignedDevice *pci_dev = container_of(d, AssignedDevice, dev);
 +
 +    DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
 +          ((d->devfn >> 3) & 0x1F), (d->devfn & 0x7),
 +          (uint16_t) address, val, len);
 +
 +    if (address >= PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
 +        return assigned_device_pci_cap_write_config(d, address, val, len);
 +    }
 +
 +    if (address == 0x4) {
 +        pci_default_write_config(d, address, val, len);
 +        /* Continue to program the card */
 +    }
 +
 +    if ((address >= 0x10 && address <= 0x24) || address == 0x30 ||
 +        address == 0x34 || address == 0x3c || address == 0x3d) {
 +        /* used for update-mappings (BAR emulation) */
 +        pci_default_write_config(d, address, val, len);
 +        return;
 +    }
 +
 +    DEBUG("NON BAR (%x.%x): address=%04x val=0x%08x len=%d\n",
 +          ((d->devfn >> 3) & 0x1F), (d->devfn & 0x7),
 +          (uint16_t) address, val, len);
 +
 +    fd = pci_dev->real_device.config_fd;
 +
 +again:
 +    ret = pwrite(fd, &val, len, address);
 +    if (ret != len) {
 +	if ((ret < 0) && (errno == EINTR || errno == EAGAIN))
 +	    goto again;
 +
 +	fprintf(stderr, "%s: pwrite failed, ret = %zd errno = %d\n",
 +		__func__, ret, errno);
 +
 +	exit(1);
 +    }
 +}
 +
 +static uint32_t assigned_dev_pci_read_config(PCIDevice *d, uint32_t address,
 +                                             int len)
 +{
 +    uint32_t val = 0;
 +    int fd;
 +    ssize_t ret;
 +    AssignedDevice *pci_dev = container_of(d, AssignedDevice, dev);
 +
 +    if (address >= PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
 +        val = assigned_device_pci_cap_read_config(d, address, len);
 +        DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
 +              (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
 +        return val;
 +    }
 +
 +    if (address < 0x4 || (pci_dev->need_emulate_cmd && address == 0x4) ||
 +	(address >= 0x10 && address <= 0x24) || address == 0x30 ||
 +        address == 0x34 || address == 0x3c || address == 0x3d) {
 +        val = pci_default_read_config(d, address, len);
 +        DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
 +              (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
 +        return val;
 +    }
 +
 +    /* vga specific, remove later */
 +    if (address == 0xFC)
 +        goto do_log;
 +
 +    fd = pci_dev->real_device.config_fd;
 +
 +again:
 +    ret = pread(fd, &val, len, address);
 +    if (ret != len) {
 +	if ((ret < 0) && (errno == EINTR || errno == EAGAIN))
 +	    goto again;
 +
 +	fprintf(stderr, "%s: pread failed, ret = %zd errno = %d\n",
 +		__func__, ret, errno);
 +
 +	exit(1);
 +    }
 +
 +do_log:
 +    DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
 +          (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
 +
 +    if (!pci_dev->cap.available) {
 +        /* kill the special capabilities */
 +        if (address == 4 && len == 4)
 +            val &= ~0x100000;
 +        else if (address == 6)
 +            val &= ~0x10;
 +    }
 +
 +    return val;
 +}
 +
 +static int assigned_dev_register_regions(PCIRegion *io_regions,
 +                                         unsigned long regions_num,
 +                                         AssignedDevice *pci_dev)
 +{
 +    uint32_t i;
 +    PCIRegion *cur_region = io_regions;
 +
 +    for (i = 0; i < regions_num; i++, cur_region++) {
 +        if (!cur_region->valid)
 +            continue;
 +        pci_dev->v_addrs[i].num = i;
 +
 +        /* handle memory io regions */
 +        if (cur_region->type & IORESOURCE_MEM) {
 +            int slow_map = 0;
 +            int t = cur_region->type & IORESOURCE_PREFETCH
 +                ? PCI_BASE_ADDRESS_MEM_PREFETCH
 +                : PCI_BASE_ADDRESS_SPACE_MEMORY;
 +
 +            if (cur_region->size & 0xFFF) {
 +                fprintf(stderr, "PCI region %d at address 0x%llx "
 +                        "has size 0x%x, which is not a multiple of 4K. "
 +                        "You might experience some performance hit "
 +                        "due to that.\n",
 +                        i, (unsigned long long)cur_region->base_addr,
 +                        cur_region->size);
 +                slow_map = 1;
 +            }
 +
 +            /* map physical memory */
 +            pci_dev->v_addrs[i].e_physbase = cur_region->base_addr;
 +            pci_dev->v_addrs[i].u.r_virtbase = mmap(NULL, cur_region->size,
 +                                                    PROT_WRITE | PROT_READ,
 +                                                    MAP_SHARED,
 +                                                    cur_region->resource_fd,
 +                                                    (off_t)0);
 +
 +            if (pci_dev->v_addrs[i].u.r_virtbase == MAP_FAILED) {
 +                pci_dev->v_addrs[i].u.r_virtbase = NULL;
 +                fprintf(stderr, "%s: Error: Couldn't mmap 0x%x!"
 +                        "\n", __func__,
 +                        (uint32_t) (cur_region->base_addr));
 +                return -1;
 +            }
 +
 +            pci_dev->v_addrs[i].r_size = cur_region->size;
 +            pci_dev->v_addrs[i].e_size = 0;
 +
 +            /* add offset */
 +            pci_dev->v_addrs[i].u.r_virtbase +=
 +                (cur_region->base_addr & 0xFFF);
 +
 +
 +            if (!slow_map) {
 +                void *virtbase = pci_dev->v_addrs[i].u.r_virtbase;
 +                char name[32];
 +                snprintf(name, sizeof(name), "%s.bar%d",
 +                         pci_dev->dev.qdev.info->name, i);
 +                pci_dev->v_addrs[i].memory_index =
 +                                            qemu_ram_alloc_from_ptr(
 +                                                         &pci_dev->dev.qdev,
 +                                                         name, cur_region->size,
 +                                                         virtbase);
 +            } else
 +                pci_dev->v_addrs[i].memory_index = 0;
 +
 +            pci_register_bar((PCIDevice *) pci_dev, i,
 +                             cur_region->size, t,
 +                             slow_map ? assigned_dev_iomem_map_slow
 +                                      : assigned_dev_iomem_map);
 +            continue;
 +        } else {
 +            /* handle port io regions */
 +            uint32_t val;
 +            int ret;
 +
 +            /* Test kernel support for ioport resource read/write.  Old
 +             * kernels return EIO.  New kernels only allow 1/2/4 byte reads
 +             * so should return EINVAL for a 3 byte read */
 +            ret = pread(pci_dev->v_addrs[i].region->resource_fd, &val, 3, 0);
 +            if (ret == 3) {
 +                fprintf(stderr, "I/O port resource supports 3 byte read?!\n");
 +                abort();
 +            } else if (errno != EINVAL) {
 +                fprintf(stderr, "Using raw in/out ioport access (sysfs - %s)\n",
 +                        strerror(errno));
 +                close(pci_dev->v_addrs[i].region->resource_fd);
 +                pci_dev->v_addrs[i].region->resource_fd = -1;
 +            }
 +
 +            pci_dev->v_addrs[i].e_physbase = cur_region->base_addr;
 +            pci_dev->v_addrs[i].u.r_baseport = cur_region->base_addr;
 +            pci_dev->v_addrs[i].r_size = cur_region->size;
 +            pci_dev->v_addrs[i].e_size = 0;
 +
 +            pci_register_bar((PCIDevice *) pci_dev, i,
 +                             cur_region->size, PCI_BASE_ADDRESS_SPACE_IO,
 +                             assigned_dev_ioport_map);
 +
 +            /* not relevant for port io */
 +            pci_dev->v_addrs[i].memory_index = 0;
 +        }
 +    }
 +
 +    /* success */
 +    return 0;
 +}
 +
 +static int get_real_id(const char *devpath, const char *idname, uint16_t *val)
 +{
 +    FILE *f;
 +    char name[128];
 +    long id;
 +
 +    snprintf(name, sizeof(name), "%s%s", devpath, idname);
 +    f = fopen(name, "r");
 +    if (f == NULL) {
 +        fprintf(stderr, "%s: %s: %m\n", __func__, name);
 +        return -1;
 +    }
 +    if (fscanf(f, "%li\n", &id) == 1) {
 +        *val = id;
 +    } else {
 +        return -1;
 +    }
 +    fclose(f);
 +
 +    return 0;
 +}
 +
 +static int get_real_vendor_id(const char *devpath, uint16_t *val)
 +{
 +    return get_real_id(devpath, "vendor", val);
 +}
 +
 +static int get_real_device_id(const char *devpath, uint16_t *val)
 +{
 +    return get_real_id(devpath, "device", val);
 +}
 +
 +static int get_real_device(AssignedDevice *pci_dev, uint16_t r_seg,
 +                           uint8_t r_bus, uint8_t r_dev, uint8_t r_func)
 +{
 +    char dir[128], name[128];
 +    int fd, r = 0, v;
 +    FILE *f;
 +    unsigned long long start, end, size, flags;
 +    uint16_t id;
 +    struct stat statbuf;
 +    PCIRegion *rp;
 +    PCIDevRegions *dev = &pci_dev->real_device;
 +
 +    dev->region_number = 0;
 +
 +    snprintf(dir, sizeof(dir), "/sys/bus/pci/devices/%04x:%02x:%02x.%x/",
 +	     r_seg, r_bus, r_dev, r_func);
 +
 +    snprintf(name, sizeof(name), "%sconfig", dir);
 +
 +    if (pci_dev->configfd_name && *pci_dev->configfd_name) {
 +        if (qemu_isdigit(pci_dev->configfd_name[0])) {
 +            dev->config_fd = strtol(pci_dev->configfd_name, NULL, 0);
 +        } else {
 +            dev->config_fd = monitor_get_fd(cur_mon, pci_dev->configfd_name);
 +            if (dev->config_fd < 0) {
 +                fprintf(stderr, "%s: (%s) unkown\n", __func__,
 +                        pci_dev->configfd_name);
 +                return 1;
 +            }
 +        }
 +    } else {
 +        dev->config_fd = open(name, O_RDWR);
 +
 +        if (dev->config_fd == -1) {
 +            fprintf(stderr, "%s: %s: %m\n", __func__, name);
 +            return 1;
 +        }
 +    }
 +again:
 +    r = read(dev->config_fd, pci_dev->dev.config,
 +             pci_config_size(&pci_dev->dev));
 +    if (r < 0) {
 +        if (errno == EINTR || errno == EAGAIN)
 +            goto again;
 +        fprintf(stderr, "%s: read failed, errno = %d\n", __func__, errno);
 +    }
 +
 +    /* Clear host resource mapping info.  If we choose not to register a
 +     * BAR, such as might be the case with the option ROM, we can get
 +     * confusing, unwritable, residual addresses from the host here. */
 +    memset(&pci_dev->dev.config[PCI_BASE_ADDRESS_0], 0, 24);
 +    memset(&pci_dev->dev.config[PCI_ROM_ADDRESS], 0, 4);
 +
 +    snprintf(name, sizeof(name), "%sresource", dir);
 +
 +    f = fopen(name, "r");
 +    if (f == NULL) {
 +        fprintf(stderr, "%s: %s: %m\n", __func__, name);
 +        return 1;
 +    }
 +
 +    for (r = 0; r < PCI_ROM_SLOT; r++) {
 +	if (fscanf(f, "%lli %lli %lli\n", &start, &end, &flags) != 3)
 +	    break;
 +
 +        rp = dev->regions + r;
 +        rp->valid = 0;
 +        rp->resource_fd = -1;
 +        size = end - start + 1;
 +        flags &= IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH;
 +        if (size == 0 || (flags & ~IORESOURCE_PREFETCH) == 0)
 +            continue;
 +        if (flags & IORESOURCE_MEM) {
 +            flags &= ~IORESOURCE_IO;
 +        } else {
 +            flags &= ~IORESOURCE_PREFETCH;
 +        }
 +        snprintf(name, sizeof(name), "%sresource%d", dir, r);
 +        fd = open(name, O_RDWR);
 +        if (fd == -1)
 +            continue;
 +        rp->resource_fd = fd;
 +
 +        rp->type = flags;
 +        rp->valid = 1;
 +        rp->base_addr = start;
 +        rp->size = size;
 +        pci_dev->v_addrs[r].region = rp;
 +        DEBUG("region %d size %d start 0x%llx type %d resource_fd %d\n",
 +              r, rp->size, start, rp->type, rp->resource_fd);
 +    }
 +
 +    fclose(f);
 +
 +    /* read and fill vendor ID */
 +    v = get_real_vendor_id(dir, &id);
 +    if (v) {
 +        return 1;
 +    }
 +    pci_dev->dev.config[0] = id & 0xff;
 +    pci_dev->dev.config[1] = (id & 0xff00) >> 8;
 +
 +    /* read and fill device ID */
 +    v = get_real_device_id(dir, &id);
 +    if (v) {
 +        return 1;
 +    }
 +    pci_dev->dev.config[2] = id & 0xff;
 +    pci_dev->dev.config[3] = (id & 0xff00) >> 8;
 +
 +    /* dealing with virtual function device */
 +    snprintf(name, sizeof(name), "%sphysfn/", dir);
 +    if (!stat(name, &statbuf))
 +	    pci_dev->need_emulate_cmd = 1;
 +    else
 +	    pci_dev->need_emulate_cmd = 0;
 +
 +    dev->region_number = r;
 +    return 0;
 +}
 +
 +static QLIST_HEAD(, AssignedDevice) devs = QLIST_HEAD_INITIALIZER(devs);
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +static void free_dev_irq_entries(AssignedDevice *dev)
 +{
 +    int i;
 +
 +    for (i = 0; i < dev->irq_entries_nr; i++)
 +        kvm_del_routing_entry(&dev->entry[i]);
 +    free(dev->entry);
 +    dev->entry = NULL;
 +    dev->irq_entries_nr = 0;
 +}
 +#endif
 +
 +static void free_assigned_device(AssignedDevice *dev)
 +{
 +    if (dev) {
 +        int i;
 +
 +        for (i = 0; i < dev->real_device.region_number; i++) {
 +            PCIRegion *pci_region = &dev->real_device.regions[i];
 +            AssignedDevRegion *region = &dev->v_addrs[i];
 +
 +            if (!pci_region->valid)
 +                continue;
 +
 +            if (pci_region->type & IORESOURCE_IO) {
 +                if (pci_region->resource_fd < 0) {
 +                    kvm_remove_ioperm_data(region->u.r_baseport,
 +                                           region->r_size);
 +                }
 +            } else if (pci_region->type & IORESOURCE_MEM) {
 +                if (region->u.r_virtbase) {
 +                    if (region->memory_index) {
 +                        cpu_register_physical_memory(region->e_physbase,
 +                                                     region->e_size,
 +                                                     IO_MEM_UNASSIGNED);
 +                        qemu_ram_unmap(region->memory_index);
 +                    }
 +                    if (munmap(region->u.r_virtbase,
 +                               (pci_region->size + 0xFFF) & 0xFFFFF000))
 +                        fprintf(stderr,
 +				"Failed to unmap assigned device region: %s\n",
 +				strerror(errno));
 +                }
 +            }
 +            if (pci_region->resource_fd >= 0) {
 +                close(pci_region->resource_fd);
 +            }
 +        }
 +
 +        if (dev->cap.available & ASSIGNED_DEVICE_CAP_MSIX)
 +            assigned_dev_unregister_msix_mmio(dev);
 +
 +        if (dev->real_device.config_fd >= 0) {
 +            close(dev->real_device.config_fd);
 +        }
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +        free_dev_irq_entries(dev);
 +#endif
 +    }
 +}
 +
 +static uint32_t calc_assigned_dev_id(uint16_t seg, uint8_t bus, uint8_t devfn)
 +{
 +    return (uint32_t)seg << 16 | (uint32_t)bus << 8 | (uint32_t)devfn;
 +}
 +
 +static void assign_failed_examine(AssignedDevice *dev)
 +{
 +    char name[PATH_MAX], dir[PATH_MAX], driver[PATH_MAX] = {}, *ns;
 +    uint16_t vendor_id, device_id;
 +    int r;
 +
 +    sprintf(dir, "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/",
 +            dev->host.seg, dev->host.bus, dev->host.dev, dev->host.func);
 +
 +    sprintf(name, "%sdriver", dir);
 +
 +    r = readlink(name, driver, sizeof(driver));
 +    if ((r <= 0) || r >= sizeof(driver) || !(ns = strrchr(driver, '/'))) {
 +        goto fail;
 +    }
 +
 +    ns++;
 +
 +    if (get_real_vendor_id(dir, &vendor_id) ||
 +        get_real_device_id(dir, &device_id)) {
 +        goto fail;
 +    }
 +
 +    fprintf(stderr, "*** The driver '%s' is occupying your device "
 +                    "%04x:%02x:%02x.%x.\n",
 +            ns, dev->host.seg, dev->host.bus, dev->host.dev, dev->host.func);
 +    fprintf(stderr, "***\n");
 +    fprintf(stderr, "*** You can try the following commands to free it:\n");
 +    fprintf(stderr, "***\n");
 +    fprintf(stderr, "*** $ echo \"%04x %04x\" > /sys/bus/pci/drivers/pci-stub/"
 +                    "new_id\n", vendor_id, device_id);
 +    fprintf(stderr, "*** $ echo \"%04x:%02x:%02x.%x\" > /sys/bus/pci/drivers/"
 +                    "%s/unbind\n",
 +            dev->host.seg, dev->host.bus, dev->host.dev, dev->host.func, ns);
 +    fprintf(stderr, "*** $ echo \"%04x:%02x:%02x.%x\" > /sys/bus/pci/drivers/"
 +                    "pci-stub/bind\n",
 +            dev->host.seg, dev->host.bus, dev->host.dev, dev->host.func);
 +    fprintf(stderr, "*** $ echo \"%04x %04x\" > /sys/bus/pci/drivers/pci-stub"
 +                    "/remove_id\n", vendor_id, device_id);
 +    fprintf(stderr, "***\n");
 +
 +    return;
 +
 +fail:
 +    fprintf(stderr, "Couldn't find out why.\n");
 +}
 +
 +static int assign_device(AssignedDevice *dev)
 +{
 +    struct kvm_assigned_pci_dev assigned_dev_data;
 +    int r;
 +
 +#ifdef KVM_CAP_PCI_SEGMENT
 +    /* Only pass non-zero PCI segment to capable module */
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_PCI_SEGMENT) &&
 +        dev->h_segnr) {
 +        fprintf(stderr, "Can't assign device inside non-zero PCI segment "
 +                "as this KVM module doesn't support it.\n");
 +        return -ENODEV;
 +    }
 +#endif
 +
 +    memset(&assigned_dev_data, 0, sizeof(assigned_dev_data));
 +    assigned_dev_data.assigned_dev_id  =
 +	calc_assigned_dev_id(dev->h_segnr, dev->h_busnr, dev->h_devfn);
 +#ifdef KVM_CAP_PCI_SEGMENT
 +    assigned_dev_data.segnr = dev->h_segnr;
 +#endif
 +    assigned_dev_data.busnr = dev->h_busnr;
 +    assigned_dev_data.devfn = dev->h_devfn;
 +
 +#ifdef KVM_CAP_IOMMU
 +    /* We always enable the IOMMU unless disabled on the command line */
 +    if (dev->features & ASSIGNED_DEVICE_USE_IOMMU_MASK) {
 +        if (!kvm_check_extension(kvm_state, KVM_CAP_IOMMU)) {
 +            fprintf(stderr, "No IOMMU found.  Unable to assign device \"%s\"\n",
 +                    dev->dev.qdev.id);
 +            return -ENODEV;
 +        }
 +        assigned_dev_data.flags |= KVM_DEV_ASSIGN_ENABLE_IOMMU;
 +    }
 +#else
 +    dev->features &= ~ASSIGNED_DEVICE_USE_IOMMU_MASK;
 +#endif
 +    if (!(dev->features & ASSIGNED_DEVICE_USE_IOMMU_MASK)) {
 +        fprintf(stderr,
 +                "WARNING: Assigning a device without IOMMU protection can "
 +                "cause host memory corruption if the device issues DMA write "
 +                "requests!\n");
 +    }
 +
 +    r = kvm_assign_pci_device(kvm_context, &assigned_dev_data);
 +    if (r < 0) {
 +        fprintf(stderr, "Failed to assign device \"%s\" : %s\n",
 +                dev->dev.qdev.id, strerror(-r));
 +
 +        switch (r) {
 +            case -EBUSY:
 +                assign_failed_examine(dev);
 +                break;
 +            default:
 +                break;
 +        }
 +    }
 +    return r;
 +}
 +
 +static int assign_irq(AssignedDevice *dev)
 +{
 +    struct kvm_assigned_irq assigned_irq_data;
 +    int irq, r = 0;
 +
 +    /* Interrupt PIN 0 means don't use INTx */
 +    if (assigned_dev_pci_read_byte(&dev->dev, PCI_INTERRUPT_PIN) == 0)
 +        return 0;
 +
 +    irq = pci_map_irq(&dev->dev, dev->intpin);
 +    irq = piix_get_irq(irq);
 +
 +#ifdef TARGET_IA64
 +    irq = ipf_map_irq(&dev->dev, irq);
 +#endif
 +
 +    if (dev->girq == irq)
 +        return r;
 +
 +    memset(&assigned_irq_data, 0, sizeof(assigned_irq_data));
 +    assigned_irq_data.assigned_dev_id =
 +        calc_assigned_dev_id(dev->h_segnr, dev->h_busnr, dev->h_devfn);
 +    assigned_irq_data.guest_irq = irq;
 +    assigned_irq_data.host_irq = dev->real_device.irq;
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +    if (dev->irq_requested_type) {
 +        assigned_irq_data.flags = dev->irq_requested_type;
 +        r = kvm_deassign_irq(kvm_context, &assigned_irq_data);
 +        /* -ENXIO means no assigned irq */
 +        if (r && r != -ENXIO)
 +            perror("assign_irq: deassign");
 +    }
 +
 +    assigned_irq_data.flags = KVM_DEV_IRQ_GUEST_INTX;
 +    if (dev->features & ASSIGNED_DEVICE_PREFER_MSI_MASK &&
 +        dev->cap.available & ASSIGNED_DEVICE_CAP_MSI)
 +        assigned_irq_data.flags |= KVM_DEV_IRQ_HOST_MSI;
 +    else
 +        assigned_irq_data.flags |= KVM_DEV_IRQ_HOST_INTX;
 +#endif
 +
 +    r = kvm_assign_irq(kvm_context, &assigned_irq_data);
 +    if (r < 0) {
 +        fprintf(stderr, "Failed to assign irq for \"%s\": %s\n",
 +                dev->dev.qdev.id, strerror(-r));
 +        fprintf(stderr, "Perhaps you are assigning a device "
 +                "that shares an IRQ with another device?\n");
 +        return r;
 +    }
 +
 +    dev->girq = irq;
 +    dev->irq_requested_type = assigned_irq_data.flags;
 +    return r;
 +}
 +
 +static void deassign_device(AssignedDevice *dev)
 +{
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +    struct kvm_assigned_pci_dev assigned_dev_data;
 +    int r;
 +
 +    memset(&assigned_dev_data, 0, sizeof(assigned_dev_data));
 +    assigned_dev_data.assigned_dev_id  =
 +	calc_assigned_dev_id(dev->h_segnr, dev->h_busnr, dev->h_devfn);
 +
 +    r = kvm_deassign_pci_device(kvm_context, &assigned_dev_data);
 +    if (r < 0)
 +	fprintf(stderr, "Failed to deassign device \"%s\" : %s\n",
 +                dev->dev.qdev.id, strerror(-r));
 +#endif
 +}
 +
 +#if 0
 +AssignedDevInfo *get_assigned_device(int pcibus, int slot)
 +{
 +    AssignedDevice *assigned_dev = NULL;
 +    AssignedDevInfo *adev = NULL;
 +
 +    QLIST_FOREACH(adev, &adev_head, next) {
 +        assigned_dev = adev->assigned_dev;
 +        if (pci_bus_num(assigned_dev->dev.bus) == pcibus &&
 +            PCI_SLOT(assigned_dev->dev.devfn) == slot)
 +            return adev;
 +    }
 +
 +    return NULL;
 +}
 +#endif
 +
 +/* The pci config space got updated. Check if irq numbers have changed
 + * for our devices
 + */
 +void assigned_dev_update_irqs(void)
 +{
 +    AssignedDevice *dev, *next;
 +    int r;
 +
 +    dev = QLIST_FIRST(&devs);
 +    while (dev) {
 +        next = QLIST_NEXT(dev, next);
 +        r = assign_irq(dev);
 +        if (r < 0)
 +            qdev_unplug(&dev->dev.qdev);
 +        dev = next;
 +    }
 +}
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +
 +#ifdef KVM_CAP_DEVICE_MSI
 +static void assigned_dev_update_msi(PCIDevice *pci_dev, unsigned int ctrl_pos)
 +{
 +    struct kvm_assigned_irq assigned_irq_data;
 +    AssignedDevice *assigned_dev = container_of(pci_dev, AssignedDevice, dev);
 +    uint8_t ctrl_byte = pci_dev->config[ctrl_pos];
 +    int r;
 +
 +    memset(&assigned_irq_data, 0, sizeof assigned_irq_data);
 +    assigned_irq_data.assigned_dev_id  =
 +        calc_assigned_dev_id(assigned_dev->h_segnr, assigned_dev->h_busnr,
 +                (uint8_t)assigned_dev->h_devfn);
 +
 +    /* Some guests gratuitously disable MSI even if they're not using it,
 +     * try to catch this by only deassigning irqs if the guest is using
 +     * MSI or intends to start. */
 +    if ((assigned_dev->irq_requested_type & KVM_DEV_IRQ_GUEST_MSI) ||
 +        (ctrl_byte & PCI_MSI_FLAGS_ENABLE)) {
 +
 +        assigned_irq_data.flags = assigned_dev->irq_requested_type;
 +        free_dev_irq_entries(assigned_dev);
 +        r = kvm_deassign_irq(kvm_context, &assigned_irq_data);
 +        /* -ENXIO means no assigned irq */
 +        if (r && r != -ENXIO)
 +            perror("assigned_dev_update_msi: deassign irq");
 +
 +        assigned_dev->irq_requested_type = 0;
 +    }
 +
 +    if (ctrl_byte & PCI_MSI_FLAGS_ENABLE) {
 +        int pos = ctrl_pos - PCI_MSI_FLAGS;
 +        assigned_dev->entry = calloc(1, sizeof(struct kvm_irq_routing_entry));
 +        if (!assigned_dev->entry) {
 +            perror("assigned_dev_update_msi: ");
 +            return;
 +        }
 +        assigned_dev->entry->u.msi.address_lo =
 +            pci_get_long(pci_dev->config + pos + PCI_MSI_ADDRESS_LO);
 +        assigned_dev->entry->u.msi.address_hi = 0;
 +        assigned_dev->entry->u.msi.data =
 +            pci_get_word(pci_dev->config + pos + PCI_MSI_DATA_32);
 +        assigned_dev->entry->type = KVM_IRQ_ROUTING_MSI;
 +        r = kvm_get_irq_route_gsi();
 +        if (r < 0) {
 +            perror("assigned_dev_update_msi: kvm_get_irq_route_gsi");
 +            return;
 +        }
 +        assigned_dev->entry->gsi = r;
 +
 +        kvm_add_routing_entry(assigned_dev->entry);
 +        if (kvm_commit_irq_routes() < 0) {
 +            perror("assigned_dev_update_msi: kvm_commit_irq_routes");
 +            assigned_dev->cap.state &= ~ASSIGNED_DEVICE_MSI_ENABLED;
 +            return;
 +        }
 +	assigned_dev->irq_entries_nr = 1;
 +
 +        assigned_irq_data.guest_irq = assigned_dev->entry->gsi;
 +	assigned_irq_data.flags = KVM_DEV_IRQ_HOST_MSI | KVM_DEV_IRQ_GUEST_MSI;
 +        if (kvm_assign_irq(kvm_context, &assigned_irq_data) < 0)
 +            perror("assigned_dev_enable_msi: assign irq");
 +
 +        assigned_dev->irq_requested_type = assigned_irq_data.flags;
 +    }
 +}
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
 +{
 +    AssignedDevice *adev = container_of(pci_dev, AssignedDevice, dev);
 +    uint16_t entries_nr = 0, entries_max_nr;
 +    int pos = 0, i, r = 0;
 +    uint32_t msg_addr, msg_upper_addr, msg_data, msg_ctrl;
 +    struct kvm_assigned_msix_nr msix_nr;
 +    struct kvm_assigned_msix_entry msix_entry;
 +    void *va = adev->msix_table_page;
 +
 +    pos = pci_find_capability(pci_dev, PCI_CAP_ID_MSIX);
 +
 +    entries_max_nr = *(uint16_t *)(pci_dev->config + pos + 2);
 +    entries_max_nr &= PCI_MSIX_TABSIZE;
 +    entries_max_nr += 1;
 +
 +    /* Get the usable entry number for allocating */
 +    for (i = 0; i < entries_max_nr; i++) {
 +        memcpy(&msg_ctrl, va + i * 16 + 12, 4);
 +        memcpy(&msg_data, va + i * 16 + 8, 4);
 +        /* Ignore unused entry even it's unmasked */
 +        if (msg_data == 0)
 +            continue;
 +        entries_nr ++;
 +    }
 +
 +    if (entries_nr == 0) {
 +        fprintf(stderr, "MSI-X entry number is zero!\n");
 +        return -EINVAL;
 +    }
 +    msix_nr.assigned_dev_id = calc_assigned_dev_id(adev->h_segnr, adev->h_busnr,
 +                                          (uint8_t)adev->h_devfn);
 +    msix_nr.entry_nr = entries_nr;
 +    r = kvm_assign_set_msix_nr(kvm_context, &msix_nr);
 +    if (r != 0) {
 +        fprintf(stderr, "fail to set MSI-X entry number for MSIX! %s\n",
 +			strerror(-r));
 +        return r;
 +    }
 +
 +    free_dev_irq_entries(adev);
 +    adev->irq_entries_nr = entries_nr;
 +    adev->entry = calloc(entries_nr, sizeof(struct kvm_irq_routing_entry));
 +    if (!adev->entry) {
 +        perror("assigned_dev_update_msix_mmio: ");
 +        return -errno;
 +    }
 +
 +    msix_entry.assigned_dev_id = msix_nr.assigned_dev_id;
 +    entries_nr = 0;
 +    for (i = 0; i < entries_max_nr; i++) {
 +        if (entries_nr >= msix_nr.entry_nr)
 +            break;
 +        memcpy(&msg_ctrl, va + i * 16 + 12, 4);
 +        memcpy(&msg_data, va + i * 16 + 8, 4);
 +        if (msg_data == 0)
 +            continue;
 +
 +        memcpy(&msg_addr, va + i * 16, 4);
 +        memcpy(&msg_upper_addr, va + i * 16 + 4, 4);
 +
 +        r = kvm_get_irq_route_gsi();
 +        if (r < 0)
 +            return r;
 +
 +        adev->entry[entries_nr].gsi = r;
 +        adev->entry[entries_nr].type = KVM_IRQ_ROUTING_MSI;
 +        adev->entry[entries_nr].flags = 0;
 +        adev->entry[entries_nr].u.msi.address_lo = msg_addr;
 +        adev->entry[entries_nr].u.msi.address_hi = msg_upper_addr;
 +        adev->entry[entries_nr].u.msi.data = msg_data;
 +        DEBUG("MSI-X data 0x%x, MSI-X addr_lo 0x%x\n!", msg_data, msg_addr);
 +	kvm_add_routing_entry(&adev->entry[entries_nr]);
 +
 +        msix_entry.gsi = adev->entry[entries_nr].gsi;
 +        msix_entry.entry = i;
 +        r = kvm_assign_set_msix_entry(kvm_context, &msix_entry);
 +        if (r) {
 +            fprintf(stderr, "fail to set MSI-X entry! %s\n", strerror(-r));
 +            break;
 +        }
 +        DEBUG("MSI-X entry gsi 0x%x, entry %d\n!",
 +                msix_entry.gsi, msix_entry.entry);
 +        entries_nr ++;
 +    }
 +
 +    if (r == 0 && kvm_commit_irq_routes() < 0) {
 +	    perror("assigned_dev_update_msix_mmio: kvm_commit_irq_routes");
 +	    return -EINVAL;
 +    }
 +
 +    return r;
 +}
 +
 +static void assigned_dev_update_msix(PCIDevice *pci_dev, unsigned int ctrl_pos)
 +{
 +    struct kvm_assigned_irq assigned_irq_data;
 +    AssignedDevice *assigned_dev = container_of(pci_dev, AssignedDevice, dev);
 +    uint16_t *ctrl_word = (uint16_t *)(pci_dev->config + ctrl_pos);
 +    int r;
 +
 +    memset(&assigned_irq_data, 0, sizeof assigned_irq_data);
 +    assigned_irq_data.assigned_dev_id  =
 +            calc_assigned_dev_id(assigned_dev->h_segnr, assigned_dev->h_busnr,
 +                    (uint8_t)assigned_dev->h_devfn);
 +
 +    /* Some guests gratuitously disable MSIX even if they're not using it,
 +     * try to catch this by only deassigning irqs if the guest is using
 +     * MSIX or intends to start. */
 +    if ((assigned_dev->irq_requested_type & KVM_DEV_IRQ_GUEST_MSIX) ||
 +        (*ctrl_word & PCI_MSIX_ENABLE)) {
 +
 +        assigned_irq_data.flags = assigned_dev->irq_requested_type;
 +        free_dev_irq_entries(assigned_dev);
 +        r = kvm_deassign_irq(kvm_context, &assigned_irq_data);
 +        /* -ENXIO means no assigned irq */
 +        if (r && r != -ENXIO)
 +            perror("assigned_dev_update_msix: deassign irq");
 +
 +        assigned_dev->irq_requested_type = 0;
 +    }
 +
 +    if (*ctrl_word & PCI_MSIX_ENABLE) {
 +        assigned_irq_data.flags = KVM_DEV_IRQ_HOST_MSIX |
 +                                  KVM_DEV_IRQ_GUEST_MSIX;
 +
 +        if (assigned_dev_update_msix_mmio(pci_dev) < 0) {
 +            perror("assigned_dev_update_msix_mmio");
 +            return;
 +        }
 +        if (kvm_assign_irq(kvm_context, &assigned_irq_data) < 0) {
 +            perror("assigned_dev_enable_msix: assign irq");
 +            return;
 +        }
 +        assigned_dev->irq_requested_type = assigned_irq_data.flags;
 +    }
 +}
 +#endif
 +#endif
 +
 +/* There can be multiple VNDR capabilities per device, we need to find the
 + * one that starts closet to the given address without going over. */
 +static uint8_t find_vndr_start(PCIDevice *pci_dev, uint32_t address)
 +{
 +    uint8_t cap, pos;
 +
 +    for (cap = pos = 0;
 +         (pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_VNDR, pos));
 +         pos += PCI_CAP_LIST_NEXT) {
 +        if (pos <= address) {
 +            cap = MAX(pos, cap);
 +        }
 +    }
 +    return cap;
 +}
 +
 +/* Merge the bits set in mask from mval into val.  Both val and mval are
 + * at the same addr offset, pos is the starting offset of the mask. */
 +static uint32_t merge_bits(uint32_t val, uint32_t mval, uint8_t addr,
 +                           int len, uint8_t pos, uint32_t mask)
 +{
 +    if (!ranges_overlap(addr, len, pos, 4)) {
 +        return val;
 +    }
 +
 +    if (addr >= pos) {
 +        mask >>= (addr - pos) * 8;
 +    } else {
 +        mask <<= (pos - addr) * 8;
 +    }
 +    mask &= 0xffffffffU >> (4 - len) * 8;
 +
 +    val &= ~mask;
 +    val |= (mval & mask);
 +
 +    return val;
 +}
 +
 +static uint32_t assigned_device_pci_cap_read_config(PCIDevice *pci_dev,
 +                                                    uint32_t address, int len)
 +{
 +    uint8_t cap, cap_id = pci_dev->config_map[address];
 +    uint32_t val;
 +
 +    switch (cap_id) {
 +
 +    case PCI_CAP_ID_VPD:
 +        cap = pci_find_capability(pci_dev, cap_id);
 +        val = assigned_dev_pci_read(pci_dev, address, len);
 +        return merge_bits(val, pci_get_long(pci_dev->config + address),
 +                          address, len, cap + PCI_CAP_LIST_NEXT, 0xff);
 +
 +    case PCI_CAP_ID_VNDR:
 +        cap = find_vndr_start(pci_dev, address);
 +        val = assigned_dev_pci_read(pci_dev, address, len);
 +        return merge_bits(val, pci_get_long(pci_dev->config + address),
 +                          address, len, cap + PCI_CAP_LIST_NEXT, 0xff);
 +    }
 +
 +    return pci_default_read_config(pci_dev, address, len);
 +}
 +
 +static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev,
 +                                                 uint32_t address,
 +                                                 uint32_t val, int len)
 +{
 +    uint8_t cap_id = pci_dev->config_map[address];
 +
 +    pci_default_write_config(pci_dev, address, val, len);
 +    switch (cap_id) {
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    case PCI_CAP_ID_MSI:
 +#ifdef KVM_CAP_DEVICE_MSI
 +        {
 +            uint8_t cap = pci_find_capability(pci_dev, cap_id);
 +            if (ranges_overlap(address - cap, len, PCI_MSI_FLAGS, 1)) {
 +                assigned_dev_update_msi(pci_dev, cap + PCI_MSI_FLAGS);
 +            }
 +        }
 +#endif
 +        break;
 +
 +    case PCI_CAP_ID_MSIX:
 +#ifdef KVM_CAP_DEVICE_MSIX
 +        {
 +            uint8_t cap = pci_find_capability(pci_dev, cap_id);
 +            if (ranges_overlap(address - cap, len, PCI_MSIX_FLAGS + 1, 1)) {
 +                assigned_dev_update_msix(pci_dev, cap + PCI_MSIX_FLAGS);
 +            }
 +        }
 +#endif
 +        break;
 +#endif
 +
 +    case PCI_CAP_ID_VPD:
 +    case PCI_CAP_ID_VNDR:
 +        assigned_dev_pci_write(pci_dev, address, val, len);
 +        break;
 +    }
 +}
 +
 +static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 +{
 +    AssignedDevice *dev = container_of(pci_dev, AssignedDevice, dev);
 +    PCIRegion *pci_region = dev->real_device.regions;
 +    int ret, pos;
 +
 +    /* Clear initial capabilities pointer and status copied from hw */
 +    pci_set_byte(pci_dev->config + PCI_CAPABILITY_LIST, 0);
 +    pci_set_word(pci_dev->config + PCI_STATUS,
 +                 pci_get_word(pci_dev->config + PCI_STATUS) &
 +                 ~PCI_STATUS_CAP_LIST);
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +#ifdef KVM_CAP_DEVICE_MSI
 +    /* Expose MSI capability
 +     * MSI capability is the 1st capability in capability config */
 +    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI, 0))) {
 +        dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
 +        /* Only 32-bit/no-mask currently supported */
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos, 10)) < 0) {
 +            return ret;
 +        }
 +
 +        pci_set_word(pci_dev->config + pos + PCI_MSI_FLAGS,
 +                     pci_get_word(pci_dev->config + pos + PCI_MSI_FLAGS) &
 +                     PCI_MSI_FLAGS_QMASK);
 +        pci_set_long(pci_dev->config + pos + PCI_MSI_ADDRESS_LO, 0);
 +        pci_set_word(pci_dev->config + pos + PCI_MSI_DATA_32, 0);
 +
 +        /* Set writable fields */
 +        pci_set_word(pci_dev->wmask + pos + PCI_MSI_FLAGS,
 +                     PCI_MSI_FLAGS_QSIZE | PCI_MSI_FLAGS_ENABLE);
 +        pci_set_long(pci_dev->wmask + pos + PCI_MSI_ADDRESS_LO, 0xfffffffc);
 +        pci_set_word(pci_dev->wmask + pos + PCI_MSI_DATA_32, 0xffff);
 +    }
 +#endif
 +#ifdef KVM_CAP_DEVICE_MSIX
 +    /* Expose MSI-X capability */
 +    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX, 0))) {
 +        int bar_nr;
 +        uint32_t msix_table_entry;
 +
 +        dev->cap.available |= ASSIGNED_DEVICE_CAP_MSIX;
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, pos, 12)) < 0) {
 +            return ret;
 +        }
 +
 +        pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS,
 +                     pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) &
 +                     PCI_MSIX_TABSIZE);
 +
 +        /* Only enable and function mask bits are writable */
 +        pci_set_word(pci_dev->wmask + pos + PCI_MSIX_FLAGS,
 +                     PCI_MSIX_FLAGS_ENABLE | PCI_MSIX_FLAGS_MASKALL);
 +
 +        msix_table_entry = pci_get_long(pci_dev->config + pos + PCI_MSIX_TABLE);
 +        bar_nr = msix_table_entry & PCI_MSIX_BIR;
 +        msix_table_entry &= ~PCI_MSIX_BIR;
 +        dev->msix_table_addr = pci_region[bar_nr].base_addr + msix_table_entry;
 +    }
 +#endif
 +#endif
 +
 +    /* Minimal PM support, nothing writable, device appears to NAK changes */
 +    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_PM, 0))) {
 +        uint16_t pmc;
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_PM, pos,
 +                                      PCI_PM_SIZEOF)) < 0) {
 +            return ret;
 +        }
 +
 +        pmc = pci_get_word(pci_dev->config + pos + PCI_CAP_FLAGS);
 +        pmc &= (PCI_PM_CAP_VER_MASK | PCI_PM_CAP_DSI);
 +        pci_set_word(pci_dev->config + pos + PCI_CAP_FLAGS, pmc);
 +
 +        /* assign_device will bring the device up to D0, so we don't need
 +         * to worry about doing that ourselves here. */
 +        pci_set_word(pci_dev->config + pos + PCI_PM_CTRL,
 +                     PCI_PM_CTRL_NO_SOFT_RESET);
 +
 +        pci_set_byte(pci_dev->config + pos + PCI_PM_PPB_EXTENSIONS, 0);
 +        pci_set_byte(pci_dev->config + pos + PCI_PM_DATA_REGISTER, 0);
 +    }
 +
 +    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_EXP, 0))) {
 +        uint8_t version;
 +        uint16_t type, devctl, lnkcap, lnksta;
 +        uint32_t devcap;
 +        int size = 0x3c; /* version 2 size */
 +
 +        version = pci_get_byte(pci_dev->config + pos + PCI_EXP_FLAGS);
 +        version &= PCI_EXP_FLAGS_VERS;
 +        if (version == 1) {
 +            size = 0x14;
 +        } else if (version > 2) {
 +            fprintf(stderr, "Unsupported PCI express capability version %d\n",
 +                    version);
 +            return -EINVAL;
 +        }
 +
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_EXP,
 +                                      pos, size)) < 0) {
 +            return ret;
 +        }
 +
 +        type = pci_get_word(pci_dev->config + pos + PCI_EXP_FLAGS);
 +        type = (type & PCI_EXP_FLAGS_TYPE) >> 8;
 +        if (type != PCI_EXP_TYPE_ENDPOINT &&
 +            type != PCI_EXP_TYPE_LEG_END && type != PCI_EXP_TYPE_RC_END) {
 +            fprintf(stderr,
 +                    "Device assignment only supports endpoint assignment, "
 +                    "device type %d\n", type);
 +            return -EINVAL;
 +        }
 +
 +        /* capabilities, pass existing read-only copy
 +         * PCI_EXP_FLAGS_IRQ: updated by hardware, should be direct read */
 +
 +        /* device capabilities: hide FLR */
 +        devcap = pci_get_long(pci_dev->config + pos + PCI_EXP_DEVCAP);
 +        devcap &= ~PCI_EXP_DEVCAP_FLR;
 +        pci_set_long(pci_dev->config + pos + PCI_EXP_DEVCAP, devcap);
 +
 +        /* device control: clear all error reporting enable bits, leaving
 +         *                 leaving only a few host values.  Note, these are
 +         *                 all writable, but not passed to hw.
 +         */
 +        devctl = pci_get_word(pci_dev->config + pos + PCI_EXP_DEVCTL);
 +        devctl = (devctl & (PCI_EXP_DEVCTL_READRQ | PCI_EXP_DEVCTL_PAYLOAD)) |
 +                  PCI_EXP_DEVCTL_RELAX_EN | PCI_EXP_DEVCTL_NOSNOOP_EN;
 +        pci_set_word(pci_dev->config + pos + PCI_EXP_DEVCTL, devctl);
 +        devctl = PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_AUX_PME;
 +        pci_set_word(pci_dev->wmask + pos + PCI_EXP_DEVCTL, ~devctl);
 +
 +        /* Clear device status */
 +        pci_set_word(pci_dev->config + pos + PCI_EXP_DEVSTA, 0);
 +
 +        /* Link capabilities, expose links and latencues, clear reporting */
 +        lnkcap = pci_get_word(pci_dev->config + pos + PCI_EXP_LNKCAP);
 +        lnkcap &= (PCI_EXP_LNKCAP_SLS | PCI_EXP_LNKCAP_MLW |
 +                   PCI_EXP_LNKCAP_ASPMS | PCI_EXP_LNKCAP_L0SEL |
 +                   PCI_EXP_LNKCAP_L1EL);
 +        pci_set_word(pci_dev->config + pos + PCI_EXP_LNKCAP, lnkcap);
 +        pci_set_word(pci_dev->wmask + pos + PCI_EXP_LNKCAP,
 +                     PCI_EXP_LNKCTL_ASPMC | PCI_EXP_LNKCTL_RCB |
 +                     PCI_EXP_LNKCTL_CCC | PCI_EXP_LNKCTL_ES |
 +                     PCI_EXP_LNKCTL_CLKREQ_EN | PCI_EXP_LNKCTL_HAWD);
 +
 +        /* Link control, pass existing read-only copy.  Should be writable? */
 +
 +        /* Link status, only expose current speed and width */
 +        lnksta = pci_get_word(pci_dev->config + pos + PCI_EXP_LNKSTA);
 +        lnksta &= (PCI_EXP_LNKSTA_CLS | PCI_EXP_LNKSTA_NLW);
 +        pci_set_word(pci_dev->config + pos + PCI_EXP_LNKSTA, lnksta);
 +
 +        if (version >= 2) {
 +            /* Slot capabilities, control, status - not needed for endpoints */
 +            pci_set_long(pci_dev->config + pos + PCI_EXP_SLTCAP, 0);
 +            pci_set_word(pci_dev->config + pos + PCI_EXP_SLTCTL, 0);
 +            pci_set_word(pci_dev->config + pos + PCI_EXP_SLTSTA, 0);
 +
 +            /* Root control, capabilities, status - not needed for endpoints */
 +            pci_set_word(pci_dev->config + pos + PCI_EXP_RTCTL, 0);
 +            pci_set_word(pci_dev->config + pos + PCI_EXP_RTCAP, 0);
 +            pci_set_long(pci_dev->config + pos + PCI_EXP_RTSTA, 0);
 +
 +            /* Device capabilities/control 2, pass existing read-only copy */
 +            /* Link control 2, pass existing read-only copy */
 +        }
 +    }
 +
 +    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_PCIX, 0))) {
 +        uint16_t cmd;
 +        uint32_t status;
 +
 +        /* Only expose the minimum, 8 byte capability */
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_PCIX, pos, 8)) < 0) {
 +            return ret;
 +        }
 +
 +        /* Command register, clear upper bits, including extended modes */
 +        cmd = pci_get_word(pci_dev->config + pos + PCI_X_CMD);
 +        cmd &= (PCI_X_CMD_DPERR_E | PCI_X_CMD_ERO | PCI_X_CMD_MAX_READ |
 +                PCI_X_CMD_MAX_SPLIT);
 +        pci_set_word(pci_dev->config + pos + PCI_X_CMD, cmd);
 +
 +        /* Status register, update with emulated PCI bus location, clear
 +         * error bits, leave the rest. */
 +        status = pci_get_long(pci_dev->config + pos + PCI_X_STATUS);
 +        status &= ~(PCI_X_STATUS_BUS | PCI_X_STATUS_DEVFN);
 +        status |= (pci_bus_num(pci_dev->bus) << 8) | pci_dev->devfn;
 +        status &= ~(PCI_X_STATUS_SPL_DISC | PCI_X_STATUS_UNX_SPL |
 +                    PCI_X_STATUS_SPL_ERR);
 +        pci_set_long(pci_dev->config + pos + PCI_X_STATUS, status);
 +    }
 +
 +    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_VPD, 0))) {
 +        /* Direct R/W passthrough */
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_VPD, pos, 8)) < 0) {
 +            return ret;
 +        }
 +    }
 +
 +    /* Devices can have multiple vendor capabilities, get them all */
 +    for (pos = 0; (pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_VNDR, pos));
 +        pos += PCI_CAP_LIST_NEXT) {
 +        uint8_t len = pci_get_byte(pci_dev->config + pos + PCI_CAP_FLAGS);
 +        /* Direct R/W passthrough */
 +        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_VNDR,
 +                                      pos, len)) < 0) {
 +            return ret;
 +        }
 +    }
 +
 +    return 0;
 +}
 +
 +static uint32_t msix_mmio_readl(void *opaque, target_phys_addr_t addr)
 +{
 +    AssignedDevice *adev = opaque;
 +    unsigned int offset = addr & 0xfff;
 +    void *page = adev->msix_table_page;
 +    uint32_t val = 0;
 +
 +    memcpy(&val, (void *)((char *)page + offset), 4);
 +
 +    return val;
 +}
 +
 +static uint32_t msix_mmio_readb(void *opaque, target_phys_addr_t addr)
 +{
 +    return ((msix_mmio_readl(opaque, addr & ~3)) >>
 +            (8 * (addr & 3))) & 0xff;
 +}
 +
 +static uint32_t msix_mmio_readw(void *opaque, target_phys_addr_t addr)
 +{
 +    return ((msix_mmio_readl(opaque, addr & ~3)) >>
 +            (8 * (addr & 3))) & 0xffff;
 +}
 +
 +static void msix_mmio_writel(void *opaque,
 +                             target_phys_addr_t addr, uint32_t val)
 +{
 +    AssignedDevice *adev = opaque;
 +    unsigned int offset = addr & 0xfff;
 +    void *page = adev->msix_table_page;
 +
 +    DEBUG("write to MSI-X entry table mmio offset 0x%lx, val 0x%x\n",
 +		    addr, val);
 +    memcpy((void *)((char *)page + offset), &val, 4);
 +}
 +
 +static void msix_mmio_writew(void *opaque,
 +                             target_phys_addr_t addr, uint32_t val)
 +{
 +    msix_mmio_writel(opaque, addr & ~3,
 +                     (val & 0xffff) << (8*(addr & 3)));
 +}
 +
 +static void msix_mmio_writeb(void *opaque,
 +                             target_phys_addr_t addr, uint32_t val)
 +{
 +    msix_mmio_writel(opaque, addr & ~3,
 +                     (val & 0xff) << (8*(addr & 3)));
 +}
 +
 +static CPUWriteMemoryFunc *msix_mmio_write[] = {
 +    msix_mmio_writeb,	msix_mmio_writew,	msix_mmio_writel
 +};
 +
 +static CPUReadMemoryFunc *msix_mmio_read[] = {
 +    msix_mmio_readb,	msix_mmio_readw,	msix_mmio_readl
 +};
 +
 +static int assigned_dev_register_msix_mmio(AssignedDevice *dev)
 +{
 +    dev->msix_table_page = mmap(NULL, 0x1000,
 +                                PROT_READ|PROT_WRITE,
 +                                MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
 +    if (dev->msix_table_page == MAP_FAILED) {
 +        fprintf(stderr, "fail allocate msix_table_page! %s\n",
 +                strerror(errno));
 +        return -EFAULT;
 +    }
 +    memset(dev->msix_table_page, 0, 0x1000);
 +    dev->mmio_index = cpu_register_io_memory(
-                         msix_mmio_read, msix_mmio_write, dev);
++                        msix_mmio_read, msix_mmio_write, dev,
++                        DEVICE_NATIVE_ENDIAN);
 +    return 0;
 +}
 +
 +static void assigned_dev_unregister_msix_mmio(AssignedDevice *dev)
 +{
 +    if (!dev->msix_table_page)
 +        return;
 +
 +    cpu_unregister_io_memory(dev->mmio_index);
 +    dev->mmio_index = 0;
 +
 +    if (munmap(dev->msix_table_page, 0x1000) == -1) {
 +        fprintf(stderr, "error unmapping msix_table_page! %s\n",
 +                strerror(errno));
 +    }
 +    dev->msix_table_page = NULL;
 +}
 +
 +static const VMStateDescription vmstate_assigned_device = {
 +    .name = "pci-assign"
 +};
 +
 +static void reset_assigned_device(DeviceState *dev)
 +{
 +    PCIDevice *d = DO_UPCAST(PCIDevice, qdev, dev);
 +
 +    /*
 +     * When a 0 is written to the command register, the device is logically
 +     * disconnected from the PCI bus. This avoids further DMA transfers.
 +     */
 +    assigned_dev_pci_write_config(d, PCI_COMMAND, 0, 2);
 +}
 +
 +static int assigned_initfn(struct PCIDevice *pci_dev)
 +{
 +    AssignedDevice *dev = DO_UPCAST(AssignedDevice, dev, pci_dev);
 +    uint8_t e_device, e_intx;
 +    int r;
 +
 +    if (!kvm_enabled()) {
 +        error_report("pci-assign: error: requires KVM support");
 +        return -1;
 +    }
 +
 +    if (!dev->host.seg && !dev->host.bus && !dev->host.dev && !dev->host.func) {
 +        error_report("pci-assign: error: no host device specified");
 +        return -1;
 +    }
 +
 +    if (get_real_device(dev, dev->host.seg, dev->host.bus,
 +                        dev->host.dev, dev->host.func)) {
 +        error_report("pci-assign: Error: Couldn't get real device (%s)!",
 +                     dev->dev.qdev.id);
 +        goto out;
 +    }
 +
 +    /* handle real device's MMIO/PIO BARs */
 +    if (assigned_dev_register_regions(dev->real_device.regions,
 +                                      dev->real_device.region_number,
 +                                      dev))
 +        goto out;
 +
 +    /* handle interrupt routing */
 +    e_device = (dev->dev.devfn >> 3) & 0x1f;
 +    e_intx = dev->dev.config[0x3d] - 1;
 +    dev->intpin = e_intx;
 +    dev->run = 0;
 +    dev->girq = -1;
 +    dev->h_segnr = dev->host.seg;
 +    dev->h_busnr = dev->host.bus;
 +    dev->h_devfn = PCI_DEVFN(dev->host.dev, dev->host.func);
 +
 +    if (assigned_device_pci_cap_init(pci_dev) < 0)
 +        goto out;
 +
 +    /* assign device to guest */
 +    r = assign_device(dev);
 +    if (r < 0)
 +        goto out;
 +
 +    /* assign irq for the device */
 +    r = assign_irq(dev);
 +    if (r < 0)
 +        goto assigned_out;
 +
 +    /* intercept MSI-X entry page in the MMIO */
 +    if (dev->cap.available & ASSIGNED_DEVICE_CAP_MSIX)
 +        if (assigned_dev_register_msix_mmio(dev))
 +            goto assigned_out;
 +
 +    assigned_dev_load_option_rom(dev);
 +    QLIST_INSERT_HEAD(&devs, dev, next);
 +
 +    /* Register a vmsd so that we can mark it unmigratable. */
 +    vmstate_register(&dev->dev.qdev, 0, &vmstate_assigned_device, dev);
 +    register_device_unmigratable(&dev->dev.qdev,
 +                                 vmstate_assigned_device.name, dev);
 +
 +    return 0;
 +
 +assigned_out:
 +    deassign_device(dev);
 +out:
 +    free_assigned_device(dev);
 +    return -1;
 +}
 +
 +static int assigned_exitfn(struct PCIDevice *pci_dev)
 +{
 +    AssignedDevice *dev = DO_UPCAST(AssignedDevice, dev, pci_dev);
 +
 +    vmstate_unregister(&dev->dev.qdev, &vmstate_assigned_device, dev);
 +    QLIST_REMOVE(dev, next);
 +    deassign_device(dev);
 +    free_assigned_device(dev);
 +    return 0;
 +}
 +
 +static int parse_hostaddr(DeviceState *dev, Property *prop, const char *str)
 +{
 +    PCIHostDevice *ptr = qdev_get_prop_ptr(dev, prop);
 +    int rc;
 +
 +    rc = pci_parse_host_devaddr(str, &ptr->seg, &ptr->bus, &ptr->dev, &ptr->func);
 +    if (rc != 0)
 +        return -1;
 +    return 0;
 +}
 +
 +static int print_hostaddr(DeviceState *dev, Property *prop, char *dest, size_t len)
 +{
 +    PCIHostDevice *ptr = qdev_get_prop_ptr(dev, prop);
 +
 +    return snprintf(dest, len, "%02x:%02x.%x", ptr->bus, ptr->dev, ptr->func);
 +}
 +
 +PropertyInfo qdev_prop_hostaddr = {
 +    .name  = "pci-hostaddr",
 +    .type  = -1,
 +    .size  = sizeof(PCIHostDevice),
 +    .parse = parse_hostaddr,
 +    .print = print_hostaddr,
 +};
 +
 +static PCIDeviceInfo assign_info = {
 +    .qdev.name    = "pci-assign",
 +    .qdev.desc    = "pass through host pci devices to the guest",
 +    .qdev.size    = sizeof(AssignedDevice),
 +    .qdev.reset   = reset_assigned_device,
 +    .init         = assigned_initfn,
 +    .exit         = assigned_exitfn,
 +    .config_read  = assigned_dev_pci_read_config,
 +    .config_write = assigned_dev_pci_write_config,
 +    .qdev.props   = (Property[]) {
 +        DEFINE_PROP("host", AssignedDevice, host, qdev_prop_hostaddr, PCIHostDevice),
 +        DEFINE_PROP_BIT("iommu", AssignedDevice, features,
 +                        ASSIGNED_DEVICE_USE_IOMMU_BIT, true),
 +        DEFINE_PROP_BIT("prefer_msi", AssignedDevice, features,
 +                        ASSIGNED_DEVICE_PREFER_MSI_BIT, true),
 +        DEFINE_PROP_STRING("configfd", AssignedDevice, configfd_name),
 +        DEFINE_PROP_END_OF_LIST(),
 +    },
 +};
 +
 +static void assign_register_devices(void)
 +{
 +    pci_qdev_register(&assign_info);
 +}
 +
 +device_init(assign_register_devices)
 +
 +/*
 + * Scan the assigned devices for the devices that have an option ROM, and then
 + * load the corresponding ROM data to RAM. If an error occurs while loading an
 + * option ROM, we just ignore that option ROM and continue with the next one.
 + */
 +static void assigned_dev_load_option_rom(AssignedDevice *dev)
 +{
 +    char name[32], rom_file[64];
 +    FILE *fp;
 +    uint8_t val;
 +    struct stat st;
 +    void *ptr;
 +
 +    /* If loading ROM from file, pci handles it */
 +    if (dev->dev.romfile || !dev->dev.rom_bar)
 +        return;
 +
 +    snprintf(rom_file, sizeof(rom_file),
 +             "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/rom",
 +             dev->host.seg, dev->host.bus, dev->host.dev, dev->host.func);
 +
 +    if (stat(rom_file, &st)) {
 +        return;
 +    }
 +
 +    if (access(rom_file, F_OK)) {
 +        fprintf(stderr, "pci-assign: Insufficient privileges for %s\n",
 +                rom_file);
 +        return;
 +    }
 +
 +    /* Write "1" to the ROM file to enable it */
 +    fp = fopen(rom_file, "r+");
 +    if (fp == NULL) {
 +        return;
 +    }
 +    val = 1;
 +    if (fwrite(&val, 1, 1, fp) != 1) {
 +        goto close_rom;
 +    }
 +    fseek(fp, 0, SEEK_SET);
 +
 +    snprintf(name, sizeof(name), "%s.rom", dev->dev.qdev.info->name);
 +    dev->dev.rom_offset = qemu_ram_alloc(&dev->dev.qdev, name, st.st_size);
 +    ptr = qemu_get_ram_ptr(dev->dev.rom_offset);
 +    memset(ptr, 0xff, st.st_size);
 +
 +    if (!fread(ptr, 1, st.st_size, fp)) {
 +        fprintf(stderr, "pci-assign: Cannot read from host %s\n"
 +                "\tDevice option ROM contents are probably invalid "
 +                "(check dmesg).\n\tSkip option ROM probe with rombar=0, "
 +                "or load from file with romfile=\n", rom_file);
 +        qemu_ram_free(dev->dev.rom_offset);
 +        dev->dev.rom_offset = 0;
 +        goto close_rom;
 +    }
 +
 +    pci_register_bar(&dev->dev, PCI_ROM_SLOT,
 +                     st.st_size, 0, pci_map_option_rom);
 +close_rom:
 +    /* Write "0" to disable ROM */
 +    fseek(fp, 0, SEEK_SET);
 +    val = 0;
 +    if (!fwrite(&val, 1, 1, fp)) {
 +        DEBUG("%s\n", "Failed to disable pci-sysfs rom file");
 +    }
 +    fclose(fp);
 +}
diff --cc hw/testdev.c
index 29df385,0000000..f0355c8
mode 100644,000000..100644
--- a/hw/testdev.c
+++ b/hw/testdev.c
@@@ -1,141 -1,0 +1,142 @@@
 +#include <sys/mman.h>
 +#include "hw.h"
 +#include "qdev.h"
 +#include "isa.h"
 +
 +struct testdev {
 +    ISADevice dev;
 +    CharDriverState *chr;
 +};
 +
 +static void test_device_serial_write(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    struct testdev *dev = opaque;
 +    uint8_t buf[1] = { data };
 +
 +    if (dev->chr) {
 +        qemu_chr_write(dev->chr, buf, 1);
 +    }
 +}
 +
 +static void test_device_exit(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    exit(data);
 +}
 +
 +static uint32_t test_device_memsize_read(void *opaque, uint32_t addr)
 +{
 +    return ram_size;
 +}
 +
 +extern qemu_irq *ioapic_irq_hack;
 +
 +static void test_device_irq_line(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    qemu_set_irq(ioapic_irq_hack[addr - 0x2000], !!data);
 +}
 +
 +static uint32 test_device_ioport_data;
 +
 +static void test_device_ioport_write(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    test_device_ioport_data = data;
 +}
 +
 +static uint32_t test_device_ioport_read(void *opaque, uint32_t addr)
 +{
 +    return test_device_ioport_data;
 +}
 +
 +static void test_device_flush_page(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    target_phys_addr_t len = 4096;
 +    void *a = cpu_physical_memory_map(data & ~0xffful, &len, 0);
 +
 +    mprotect(a, 4096, PROT_NONE);
 +    mprotect(a, 4096, PROT_READ|PROT_WRITE);
 +    cpu_physical_memory_unmap(a, len, 0, 0);
 +}
 +
 +static char *iomem_buf;
 +
 +static uint32_t test_iomem_readb(void *opaque, target_phys_addr_t addr)
 +{
 +    return iomem_buf[addr];
 +}
 +
 +static uint32_t test_iomem_readw(void *opaque, target_phys_addr_t addr)
 +{
 +    return *(uint16_t*)(iomem_buf + addr);
 +}
 +
 +static uint32_t test_iomem_readl(void *opaque, target_phys_addr_t addr)
 +{
 +    return *(uint32_t*)(iomem_buf + addr);
 +}
 +
 +static void test_iomem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    iomem_buf[addr] = val;
 +}
 +
 +static void test_iomem_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    *(uint16_t*)(iomem_buf + addr) = val;
 +}
 +
 +static void test_iomem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    *(uint32_t*)(iomem_buf + addr) = val;
 +}
 +
 +static CPUReadMemoryFunc * const test_iomem_read[3] = {
 +    test_iomem_readb,
 +    test_iomem_readw,
 +    test_iomem_readl,
 +};
 +
 +static CPUWriteMemoryFunc * const test_iomem_write[3] = {
 +    test_iomem_writeb,
 +    test_iomem_writew,
 +    test_iomem_writel,
 +};
 +
 +static int init_test_device(ISADevice *isa)
 +{
 +    struct testdev *dev = DO_UPCAST(struct testdev, dev, isa);
 +    int iomem;
 +
 +    register_ioport_write(0xf1, 1, 1, test_device_serial_write, dev);
 +    register_ioport_write(0xf4, 1, 4, test_device_exit, dev);
 +    register_ioport_read(0xd1, 1, 4, test_device_memsize_read, dev);
 +    register_ioport_read(0xe0, 1, 1, test_device_ioport_read, dev);
 +    register_ioport_write(0xe0, 1, 1, test_device_ioport_write, dev);
 +    register_ioport_read(0xe0, 1, 2, test_device_ioport_read, dev);
 +    register_ioport_write(0xe0, 1, 2, test_device_ioport_write, dev);
 +    register_ioport_read(0xe0, 1, 4, test_device_ioport_read, dev);
 +    register_ioport_write(0xe0, 1, 4, test_device_ioport_write, dev);
 +    register_ioport_write(0xe4, 1, 4, test_device_flush_page, dev);
 +    register_ioport_write(0x2000, 24, 1, test_device_irq_line, NULL);
 +    iomem_buf = qemu_mallocz(0x10000);
-     iomem = cpu_register_io_memory(test_iomem_read, test_iomem_write, NULL);
++    iomem = cpu_register_io_memory(test_iomem_read, test_iomem_write, NULL,
++                                   DEVICE_NATIVE_ENDIAN);
 +    cpu_register_physical_memory(0xff000000, 0x10000, iomem);
 +    return 0;
 +}
 +
 +static ISADeviceInfo testdev_info = {
 +    .qdev.name  = "testdev",
 +    .qdev.size  = sizeof(struct testdev),
 +    .init       = init_test_device,
 +    .qdev.props = (Property[]) {
 +        DEFINE_PROP_CHR("chardev", struct testdev, chr),
 +        DEFINE_PROP_END_OF_LIST(),
 +    },
 +};
 +
 +static void testdev_register_devices(void)
 +{
 +    isa_qdev_register(&testdev_info);
 +}
 +
 +device_init(testdev_register_devices)
commit 833ae13cfbeb9f5ef32b885f5d127d801e4ca654
Merge: 5f4a6f4... 661a179...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Jan 6 17:44:19 2011 -0200

    Merge commit '661a1799ba6544a54888283db19dd51469da01e5' into upstream-merge
    
    * commit '661a1799ba6544a54888283db19dd51469da01e5':
      Add pcnet-pci.c
      Split out common pcnet code
      Remove PCI from sparc32 target
      Detect missing config includes
      Fix previous commit
      VirtIO config option
      PCI config include
      Include directives in default configs
      Add missing dependency.
    
    Conflicts:
    	Makefile.objs
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.objs
index 5170cc2,13ba26f..f0a6f28
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -159,10 -163,14 +164,14 @@@ user-obj-y += cutils.o cache-utils.
  # libhw
  
  hw-obj-y =
 -hw-obj-y += vl.o loader.o
 +hw-obj-y += loader.o
- hw-obj-y += virtio.o virtio-console.o
- hw-obj-y += fw_cfg.o pci_host.o pcie_host.o pci_bridge.o
- hw-obj-y += ioh3420.o xio3130_upstream.o xio3130_downstream.o
+ hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
+ hw-obj-y += fw_cfg.o
+ # FIXME: Core PCI code and its direct dependencies are required by the
+ # QMP query-pci command.
 -hw-obj-y += pci.o pci_bridge.o msix.o msi.o
++hw-obj-y += pci_bridge.o msix.o msi.o
+ hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
+ hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
  hw-obj-y += watchdog.o
  hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
  hw-obj-$(CONFIG_ECC) += ecc.o
diff --cc Makefile.target
index 6a4d1ac,5784844..d5e4991
--- a/Makefile.target
+++ b/Makefile.target
@@@ -194,10 -185,10 +194,10 @@@ endif #CONFIG_BSD_USE
  # System emulator target
  ifdef CONFIG_SOFTMMU
  
 -obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o balloon.o
 +obj-y = arch_init.o cpus.o monitor.o pci.o machine.o gdbstub.o vl.o balloon.o
  # virtio has to be here due to weird dependency between PCI and virtio-net.
  # need to fix this properly
- obj-y += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
+ obj-$(CONFIG_VIRTIO) += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
  obj-$(CONFIG_VIRTIO_PCI) += virtio-pci.o
  obj-y += vhost_net.o
  obj-$(CONFIG_VHOST_NET) += vhost.o
commit 71df0eeb98a1ecff7770aa486faf08a8c1049745
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Jan 6 18:25:37 2011 +0000

    block: delete a write-only variable
    
    Avoid a warning with GCC 4.6.0:
    /src/qemu/block.c: In function 'bdrv_img_create':
    /src/qemu/block.c:2862:25: error: variable 'fmt' set but not used [-Werror=unused-but-set-variable]
    
    CC: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block.c b/block.c
index 9b5e9e1..ff2795b 100644
--- a/block.c
+++ b/block.c
@@ -2859,13 +2859,8 @@ int bdrv_img_create(const char *filename, const char *fmt,
     if (get_option_parameter(param, BLOCK_OPT_SIZE)->value.n == -1) {
         if (backing_file && backing_file->value.s) {
             uint64_t size;
-            const char *fmt = NULL;
             char buf[32];
 
-            if (backing_fmt && backing_fmt->value.s) {
-                fmt = backing_fmt->value.s;
-            }
-
             bs = bdrv_new("");
 
             ret = bdrv_open(bs, backing_file->value.s, flags, drv);
commit 3fbb33d08d63908849a037ad6432cb12c763dd12
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Jan 6 18:25:26 2011 +0000

    cirrus_vga: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    CC: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 199136c..833a2eb 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -2004,30 +2004,20 @@ static uint32_t cirrus_vga_mem_readb(void *opaque, target_phys_addr_t addr)
 static uint32_t cirrus_vga_mem_readw(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_vga_mem_readb(opaque, addr) << 8;
-    v |= cirrus_vga_mem_readb(opaque, addr + 1);
-#else
+
     v = cirrus_vga_mem_readb(opaque, addr);
     v |= cirrus_vga_mem_readb(opaque, addr + 1) << 8;
-#endif
     return v;
 }
 
 static uint32_t cirrus_vga_mem_readl(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_vga_mem_readb(opaque, addr) << 24;
-    v |= cirrus_vga_mem_readb(opaque, addr + 1) << 16;
-    v |= cirrus_vga_mem_readb(opaque, addr + 2) << 8;
-    v |= cirrus_vga_mem_readb(opaque, addr + 3);
-#else
+
     v = cirrus_vga_mem_readb(opaque, addr);
     v |= cirrus_vga_mem_readb(opaque, addr + 1) << 8;
     v |= cirrus_vga_mem_readb(opaque, addr + 2) << 16;
     v |= cirrus_vga_mem_readb(opaque, addr + 3) << 24;
-#endif
     return v;
 }
 
@@ -2098,28 +2088,16 @@ static void cirrus_vga_mem_writeb(void *opaque, target_phys_addr_t addr,
 
 static void cirrus_vga_mem_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_vga_mem_writeb(opaque, addr, (val >> 8) & 0xff);
-    cirrus_vga_mem_writeb(opaque, addr + 1, val & 0xff);
-#else
     cirrus_vga_mem_writeb(opaque, addr, val & 0xff);
     cirrus_vga_mem_writeb(opaque, addr + 1, (val >> 8) & 0xff);
-#endif
 }
 
 static void cirrus_vga_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_vga_mem_writeb(opaque, addr, (val >> 24) & 0xff);
-    cirrus_vga_mem_writeb(opaque, addr + 1, (val >> 16) & 0xff);
-    cirrus_vga_mem_writeb(opaque, addr + 2, (val >> 8) & 0xff);
-    cirrus_vga_mem_writeb(opaque, addr + 3, val & 0xff);
-#else
     cirrus_vga_mem_writeb(opaque, addr, val & 0xff);
     cirrus_vga_mem_writeb(opaque, addr + 1, (val >> 8) & 0xff);
     cirrus_vga_mem_writeb(opaque, addr + 2, (val >> 16) & 0xff);
     cirrus_vga_mem_writeb(opaque, addr + 3, (val >> 24) & 0xff);
-#endif
 }
 
 static CPUReadMemoryFunc * const cirrus_vga_mem_read[3] = {
@@ -2341,30 +2319,20 @@ static uint32_t cirrus_linear_readb(void *opaque, target_phys_addr_t addr)
 static uint32_t cirrus_linear_readw(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_linear_readb(opaque, addr) << 8;
-    v |= cirrus_linear_readb(opaque, addr + 1);
-#else
+
     v = cirrus_linear_readb(opaque, addr);
     v |= cirrus_linear_readb(opaque, addr + 1) << 8;
-#endif
     return v;
 }
 
 static uint32_t cirrus_linear_readl(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_linear_readb(opaque, addr) << 24;
-    v |= cirrus_linear_readb(opaque, addr + 1) << 16;
-    v |= cirrus_linear_readb(opaque, addr + 2) << 8;
-    v |= cirrus_linear_readb(opaque, addr + 3);
-#else
+
     v = cirrus_linear_readb(opaque, addr);
     v |= cirrus_linear_readb(opaque, addr + 1) << 8;
     v |= cirrus_linear_readb(opaque, addr + 2) << 16;
     v |= cirrus_linear_readb(opaque, addr + 3) << 24;
-#endif
     return v;
 }
 
@@ -2412,29 +2380,17 @@ static void cirrus_linear_writeb(void *opaque, target_phys_addr_t addr,
 static void cirrus_linear_writew(void *opaque, target_phys_addr_t addr,
 				 uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_linear_writeb(opaque, addr, (val >> 8) & 0xff);
-    cirrus_linear_writeb(opaque, addr + 1, val & 0xff);
-#else
     cirrus_linear_writeb(opaque, addr, val & 0xff);
     cirrus_linear_writeb(opaque, addr + 1, (val >> 8) & 0xff);
-#endif
 }
 
 static void cirrus_linear_writel(void *opaque, target_phys_addr_t addr,
 				 uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_linear_writeb(opaque, addr, (val >> 24) & 0xff);
-    cirrus_linear_writeb(opaque, addr + 1, (val >> 16) & 0xff);
-    cirrus_linear_writeb(opaque, addr + 2, (val >> 8) & 0xff);
-    cirrus_linear_writeb(opaque, addr + 3, val & 0xff);
-#else
     cirrus_linear_writeb(opaque, addr, val & 0xff);
     cirrus_linear_writeb(opaque, addr + 1, (val >> 8) & 0xff);
     cirrus_linear_writeb(opaque, addr + 2, (val >> 16) & 0xff);
     cirrus_linear_writeb(opaque, addr + 3, (val >> 24) & 0xff);
-#endif
 }
 
 
@@ -2469,30 +2425,20 @@ static uint32_t cirrus_linear_bitblt_readb(void *opaque, target_phys_addr_t addr
 static uint32_t cirrus_linear_bitblt_readw(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_linear_bitblt_readb(opaque, addr) << 8;
-    v |= cirrus_linear_bitblt_readb(opaque, addr + 1);
-#else
+
     v = cirrus_linear_bitblt_readb(opaque, addr);
     v |= cirrus_linear_bitblt_readb(opaque, addr + 1) << 8;
-#endif
     return v;
 }
 
 static uint32_t cirrus_linear_bitblt_readl(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_linear_bitblt_readb(opaque, addr) << 24;
-    v |= cirrus_linear_bitblt_readb(opaque, addr + 1) << 16;
-    v |= cirrus_linear_bitblt_readb(opaque, addr + 2) << 8;
-    v |= cirrus_linear_bitblt_readb(opaque, addr + 3);
-#else
+
     v = cirrus_linear_bitblt_readb(opaque, addr);
     v |= cirrus_linear_bitblt_readb(opaque, addr + 1) << 8;
     v |= cirrus_linear_bitblt_readb(opaque, addr + 2) << 16;
     v |= cirrus_linear_bitblt_readb(opaque, addr + 3) << 24;
-#endif
     return v;
 }
 
@@ -2513,29 +2459,17 @@ static void cirrus_linear_bitblt_writeb(void *opaque, target_phys_addr_t addr,
 static void cirrus_linear_bitblt_writew(void *opaque, target_phys_addr_t addr,
 				 uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_linear_bitblt_writeb(opaque, addr, (val >> 8) & 0xff);
-    cirrus_linear_bitblt_writeb(opaque, addr + 1, val & 0xff);
-#else
     cirrus_linear_bitblt_writeb(opaque, addr, val & 0xff);
     cirrus_linear_bitblt_writeb(opaque, addr + 1, (val >> 8) & 0xff);
-#endif
 }
 
 static void cirrus_linear_bitblt_writel(void *opaque, target_phys_addr_t addr,
 				 uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_linear_bitblt_writeb(opaque, addr, (val >> 24) & 0xff);
-    cirrus_linear_bitblt_writeb(opaque, addr + 1, (val >> 16) & 0xff);
-    cirrus_linear_bitblt_writeb(opaque, addr + 2, (val >> 8) & 0xff);
-    cirrus_linear_bitblt_writeb(opaque, addr + 3, val & 0xff);
-#else
     cirrus_linear_bitblt_writeb(opaque, addr, val & 0xff);
     cirrus_linear_bitblt_writeb(opaque, addr + 1, (val >> 8) & 0xff);
     cirrus_linear_bitblt_writeb(opaque, addr + 2, (val >> 16) & 0xff);
     cirrus_linear_bitblt_writeb(opaque, addr + 3, (val >> 24) & 0xff);
-#endif
 }
 
 
@@ -2842,30 +2776,20 @@ static uint32_t cirrus_mmio_readb(void *opaque, target_phys_addr_t addr)
 static uint32_t cirrus_mmio_readw(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_mmio_readb(opaque, addr) << 8;
-    v |= cirrus_mmio_readb(opaque, addr + 1);
-#else
+
     v = cirrus_mmio_readb(opaque, addr);
     v |= cirrus_mmio_readb(opaque, addr + 1) << 8;
-#endif
     return v;
 }
 
 static uint32_t cirrus_mmio_readl(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = cirrus_mmio_readb(opaque, addr) << 24;
-    v |= cirrus_mmio_readb(opaque, addr + 1) << 16;
-    v |= cirrus_mmio_readb(opaque, addr + 2) << 8;
-    v |= cirrus_mmio_readb(opaque, addr + 3);
-#else
+
     v = cirrus_mmio_readb(opaque, addr);
     v |= cirrus_mmio_readb(opaque, addr + 1) << 8;
     v |= cirrus_mmio_readb(opaque, addr + 2) << 16;
     v |= cirrus_mmio_readb(opaque, addr + 3) << 24;
-#endif
     return v;
 }
 
@@ -2886,29 +2810,17 @@ static void cirrus_mmio_writeb(void *opaque, target_phys_addr_t addr,
 static void cirrus_mmio_writew(void *opaque, target_phys_addr_t addr,
 			       uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_mmio_writeb(opaque, addr, (val >> 8) & 0xff);
-    cirrus_mmio_writeb(opaque, addr + 1, val & 0xff);
-#else
     cirrus_mmio_writeb(opaque, addr, val & 0xff);
     cirrus_mmio_writeb(opaque, addr + 1, (val >> 8) & 0xff);
-#endif
 }
 
 static void cirrus_mmio_writel(void *opaque, target_phys_addr_t addr,
 			       uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    cirrus_mmio_writeb(opaque, addr, (val >> 24) & 0xff);
-    cirrus_mmio_writeb(opaque, addr + 1, (val >> 16) & 0xff);
-    cirrus_mmio_writeb(opaque, addr + 2, (val >> 8) & 0xff);
-    cirrus_mmio_writeb(opaque, addr + 3, val & 0xff);
-#else
     cirrus_mmio_writeb(opaque, addr, val & 0xff);
     cirrus_mmio_writeb(opaque, addr + 1, (val >> 8) & 0xff);
     cirrus_mmio_writeb(opaque, addr + 2, (val >> 16) & 0xff);
     cirrus_mmio_writeb(opaque, addr + 3, (val >> 24) & 0xff);
-#endif
 }
 
 
@@ -3078,7 +2990,7 @@ static void cirrus_init_common(CirrusVGAState * s, int device_id, int is_pci)
 
     s->vga.vga_io_memory = cpu_register_io_memory(cirrus_vga_mem_read,
                                                   cirrus_vga_mem_write, s,
-                                                  DEVICE_NATIVE_ENDIAN);
+                                                  DEVICE_LITTLE_ENDIAN);
     cpu_register_physical_memory(isa_mem_base + 0x000a0000, 0x20000,
                                  s->vga.vga_io_memory);
     qemu_register_coalesced_mmio(isa_mem_base + 0x000a0000, 0x20000);
@@ -3086,18 +2998,18 @@ static void cirrus_init_common(CirrusVGAState * s, int device_id, int is_pci)
     /* I/O handler for LFB */
     s->cirrus_linear_io_addr =
         cpu_register_io_memory(cirrus_linear_read, cirrus_linear_write, s,
-                               DEVICE_NATIVE_ENDIAN);
+                               DEVICE_LITTLE_ENDIAN);
 
     /* I/O handler for LFB */
     s->cirrus_linear_bitblt_io_addr =
         cpu_register_io_memory(cirrus_linear_bitblt_read,
                                cirrus_linear_bitblt_write, s,
-                               DEVICE_NATIVE_ENDIAN);
+                               DEVICE_LITTLE_ENDIAN);
 
     /* I/O handler for memory-mapped I/O */
     s->cirrus_mmio_io_addr =
         cpu_register_io_memory(cirrus_mmio_read, cirrus_mmio_write, s,
-                               DEVICE_NATIVE_ENDIAN);
+                               DEVICE_LITTLE_ENDIAN);
 
     s->real_vram_size =
         (s->device_id == CIRRUS_ID_CLGD5446) ? 4096 * 1024 : 2048 * 1024;
commit 4b78a802ffaabb325a0f7b773031da92d173bde1
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Jan 6 18:24:35 2011 +0000

    pc: move port 92 stuff back to pc.c from pckbd.c
    
    956a3e6bb7386de48b642d4fee11f7f86a2fcf9a introduced a bug concerning
    reset bit for port 92.
    
    Since the keyboard output port and port 92 are not compatible anyway,
    let's separate them.
    
    Reported-by: Peter Lieven <pl at dlh.net>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>
    --
    v2: added reset handler and VMState

diff --git a/hw/pc.c b/hw/pc.c
index 18a4a9f..fface7d 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -411,11 +411,92 @@ void pc_cmos_init(ram_addr_t ram_size, ram_addr_t above_4g_mem_size,
     qemu_register_reset(pc_cmos_init_late, &arg);
 }
 
+/* port 92 stuff: could be split off */
+typedef struct Port92State {
+    ISADevice dev;
+    uint8_t outport;
+    qemu_irq *a20_out;
+} Port92State;
+
+static void port92_write(void *opaque, uint32_t addr, uint32_t val)
+{
+    Port92State *s = opaque;
+
+    DPRINTF("port92: write 0x%02x\n", val);
+    s->outport = val;
+    qemu_set_irq(*s->a20_out, (val >> 1) & 1);
+    if (val & 1) {
+        qemu_system_reset_request();
+    }
+}
+
+static uint32_t port92_read(void *opaque, uint32_t addr)
+{
+    Port92State *s = opaque;
+    uint32_t ret;
+
+    ret = s->outport;
+    DPRINTF("port92: read 0x%02x\n", ret);
+    return ret;
+}
+
+static void port92_init(ISADevice *dev, qemu_irq *a20_out)
+{
+    Port92State *s = DO_UPCAST(Port92State, dev, dev);
+
+    s->a20_out = a20_out;
+}
+
+static const VMStateDescription vmstate_port92_isa = {
+    .name = "port92",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields      = (VMStateField []) {
+        VMSTATE_UINT8(outport, Port92State),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void port92_reset(DeviceState *d)
+{
+    Port92State *s = container_of(d, Port92State, dev.qdev);
+
+    s->outport &= ~1;
+}
+
+static int port92_initfn(ISADevice *dev)
+{
+    Port92State *s = DO_UPCAST(Port92State, dev, dev);
+
+    register_ioport_read(0x92, 1, 1, port92_read, s);
+    register_ioport_write(0x92, 1, 1, port92_write, s);
+    isa_init_ioport(dev, 0x92);
+    s->outport = 0;
+    return 0;
+}
+
+static ISADeviceInfo port92_info = {
+    .qdev.name     = "port92",
+    .qdev.size     = sizeof(Port92State),
+    .qdev.vmsd     = &vmstate_port92_isa,
+    .qdev.no_user  = 1,
+    .qdev.reset    = port92_reset,
+    .init          = port92_initfn,
+};
+
+static void port92_register(void)
+{
+    isa_qdev_register(&port92_info);
+}
+device_init(port92_register)
+
 static void handle_a20_line_change(void *opaque, int irq, int level)
 {
     CPUState *cpu = opaque;
 
     /* XXX: send to all CPUs ? */
+    /* XXX: add logic to handle multiple A20 line sources */
     cpu_x86_set_a20(cpu, level);
 }
 
@@ -1027,7 +1108,7 @@ void pc_basic_device_init(qemu_irq *isa_irq,
     PITState *pit;
     qemu_irq rtc_irq = NULL;
     qemu_irq *a20_line;
-    ISADevice *i8042;
+    ISADevice *i8042, *port92;
     qemu_irq *cpu_exit_irq;
 
     register_ioport_write(0x80, 1, 1, ioport80_write, NULL);
@@ -1061,10 +1142,12 @@ void pc_basic_device_init(qemu_irq *isa_irq,
         }
     }
 
-    a20_line = qemu_allocate_irqs(handle_a20_line_change, first_cpu, 1);
+    a20_line = qemu_allocate_irqs(handle_a20_line_change, first_cpu, 2);
     i8042 = isa_create_simple("i8042");
-    i8042_setup_a20_line(i8042, a20_line);
+    i8042_setup_a20_line(i8042, &a20_line[0]);
     vmmouse_init(i8042);
+    port92 = isa_create_simple("port92");
+    port92_init(port92, &a20_line[1]);
 
     cpu_exit_irq = qemu_allocate_irqs(cpu_request_exit, NULL, 1);
     DMA_init(0, cpu_exit_irq);
diff --git a/hw/pckbd.c b/hw/pckbd.c
index 863b485..ae65c04 100644
--- a/hw/pckbd.c
+++ b/hw/pckbd.c
@@ -211,10 +211,8 @@ static void kbd_queue(KBDState *s, int b, int aux)
         ps2_queue(s->kbd, b);
 }
 
-static void ioport92_write(void *opaque, uint32_t addr, uint32_t val)
+static void outport_write(KBDState *s, uint32_t val)
 {
-    KBDState *s = opaque;
-
     DPRINTF("kbd: write outport=0x%02x\n", val);
     s->outport = val;
     if (s->a20_out) {
@@ -225,16 +223,6 @@ static void ioport92_write(void *opaque, uint32_t addr, uint32_t val)
     }
 }
 
-static uint32_t ioport92_read(void *opaque, uint32_t addr)
-{
-    KBDState *s = opaque;
-    uint32_t ret;
-
-    ret = s->outport;
-    DPRINTF("kbd: read outport=0x%02x\n", ret);
-    return ret;
-}
-
 static void kbd_write_command(void *opaque, uint32_t addr, uint32_t val)
 {
     KBDState *s = opaque;
@@ -357,7 +345,7 @@ static void kbd_write_data(void *opaque, uint32_t addr, uint32_t val)
         kbd_queue(s, val, 1);
         break;
     case KBD_CCMD_WRITE_OUTPORT:
-        ioport92_write(s, 0, val);
+        outport_write(s, val);
         break;
     case KBD_CCMD_WRITE_MOUSE:
         ps2_write_mouse(s->mouse, val);
@@ -489,9 +477,6 @@ static int i8042_initfn(ISADevice *dev)
     register_ioport_read(0x64, 1, 1, kbd_read_status, s);
     register_ioport_write(0x64, 1, 1, kbd_write_command, s);
     isa_init_ioport(dev, 0x64);
-    register_ioport_read(0x92, 1, 1, ioport92_read, s);
-    register_ioport_write(0x92, 1, 1, ioport92_write, s);
-    isa_init_ioport(dev, 0x92);
 
     s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
     s->mouse = ps2_mouse_init(kbd_update_aux_irq, s);
commit e024e881bb1a8b5085026589360d26ed97acdd64
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    target-ppc: Implement correct NaN propagation rules
    
    Implement the correct NaN propagation rules for PowerPC targets by
    providing an appropriate pickNaN function.
    
    Also fix the #ifdef tests for default NaN definition, the correct name
    is TARGET_PPC instead of TARGET_POWERPC.
    
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index acdd299..f293f24 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -61,7 +61,7 @@ typedef struct {
 *----------------------------------------------------------------------------*/
 #if defined(TARGET_SPARC)
 #define float32_default_nan make_float32(0x7FFFFFFF)
-#elif defined(TARGET_POWERPC) || defined(TARGET_ARM) || defined(TARGET_ALPHA)
+#elif defined(TARGET_PPC) || defined(TARGET_ARM) || defined(TARGET_ALPHA)
 #define float32_default_nan make_float32(0x7FC00000)
 #elif SNAN_BIT_IS_ONE
 #define float32_default_nan make_float32(0x7FBFFFFF)
@@ -219,6 +219,21 @@ static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
         return 1;
     }
 }
+#elif defined(TARGET_PPC)
+static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
+                   flag aIsLargerSignificand)
+{
+    /* PowerPC propagation rules:
+     *  1. A if it sNaN or qNaN
+     *  2. B if it sNaN or qNaN
+     * A signaling NaN is always silenced before returning it.
+     */
+    if (aIsSNaN || aIsQNaN) {
+        return 0;
+    } else {
+        return 1;
+    }
+}
 #else
 static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
                     flag aIsLargerSignificand)
@@ -296,7 +311,7 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 *----------------------------------------------------------------------------*/
 #if defined(TARGET_SPARC)
 #define float64_default_nan make_float64(LIT64( 0x7FFFFFFFFFFFFFFF ))
-#elif defined(TARGET_POWERPC) || defined(TARGET_ARM) || defined(TARGET_ALPHA)
+#elif defined(TARGET_PPC) || defined(TARGET_ARM) || defined(TARGET_ALPHA)
 #define float64_default_nan make_float64(LIT64( 0x7FF8000000000000 ))
 #elif SNAN_BIT_IS_ONE
 #define float64_default_nan make_float64(LIT64( 0x7FF7FFFFFFFFFFFF ))
commit 084d19ba718a08d434dc44a83ff01f3152d59635
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    target-mips: Implement correct NaN propagation rules
    
    Implement the correct NaN propagation rules for MIPS targets by
    providing an appropriate pickNaN function.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 3ce5bb5..acdd299 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -192,6 +192,33 @@ static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
         return 1;
     }
 }
+#elif defined(TARGET_MIPS)
+static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
+                    flag aIsLargerSignificand)
+{
+    /* According to MIPS specifications, if one of the two operands is
+     * a sNaN, a new qNaN has to be generated. This is done in
+     * floatXX_maybe_silence_nan(). For qNaN inputs the specifications
+     * says: "When possible, this QNaN result is one of the operand QNaN
+     * values." In practice it seems that most implementations choose
+     * the first operand if both operands are qNaN. In short this gives
+     * the following rules:
+     *  1. A if it is signaling
+     *  2. B if it is signaling
+     *  3. A (quiet)
+     *  4. B (quiet)
+     * A signaling NaN is always silenced before returning it.
+     */
+    if (aIsSNaN) {
+        return 0;
+    } else if (bIsSNaN) {
+        return 1;
+    } else if (aIsQNaN) {
+        return 0;
+    } else {
+        return 1;
+    }
+}
 #else
 static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
                     flag aIsLargerSignificand)
commit 1f398e0825b3365746ac3a3f6f5a9954b0064f28
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    softfloat: use float{32,64,x80,128}_maybe_silence_nan()
    
    Use float{32,64,x80,128}_maybe_silence_nan() instead of toggling the
    sNaN bit manually. This allow per target implementation of sNaN to qNaN
    conversion.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index b1acc45..3ce5bb5 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -161,7 +161,8 @@ static float32 commonNaNToFloat32( commonNaNT a )
 | The routine is passed various bits of information about the
 | two NaNs and should return 0 to select NaN a and 1 for NaN b.
 | Note that signalling NaNs are always squashed to quiet NaNs
-| by the caller, by flipping the SNaN bit before returning them.
+| by the caller, by calling floatXX_maybe_silence_nan() before
+| returning them.
 |
 | aIsLargerSignificand is only valid if both a and b are NaNs
 | of some kind, and is true if a has the larger significand,
@@ -233,7 +234,7 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 {
     flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
     flag aIsLargerSignificand;
-    bits32 av, bv, res;
+    bits32 av, bv;
 
     if ( STATUS(default_nan_mode) )
         return float32_default_nan;
@@ -244,13 +245,7 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
     bIsSignalingNaN = float32_is_signaling_nan( b );
     av = float32_val(a);
     bv = float32_val(b);
-#if SNAN_BIT_IS_ONE
-    av &= ~0x00400000;
-    bv &= ~0x00400000;
-#else
-    av |= 0x00400000;
-    bv |= 0x00400000;
-#endif
+
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
     if ((bits32)(av<<1) < (bits32)(bv<<1)) {
@@ -263,12 +258,10 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 
     if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
-        res = bv;
+        return float32_maybe_silence_nan(b);
     } else {
-        res = av;
+        return float32_maybe_silence_nan(a);
     }
-
-    return make_float32(res);
 }
 
 /*----------------------------------------------------------------------------
@@ -386,7 +379,7 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 {
     flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
     flag aIsLargerSignificand;
-    bits64 av, bv, res;
+    bits64 av, bv;
 
     if ( STATUS(default_nan_mode) )
         return float64_default_nan;
@@ -397,13 +390,7 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
     bIsSignalingNaN = float64_is_signaling_nan( b );
     av = float64_val(a);
     bv = float64_val(b);
-#if SNAN_BIT_IS_ONE
-    av &= ~LIT64( 0x0008000000000000 );
-    bv &= ~LIT64( 0x0008000000000000 );
-#else
-    av |= LIT64( 0x0008000000000000 );
-    bv |= LIT64( 0x0008000000000000 );
-#endif
+
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
     if ((bits64)(av<<1) < (bits64)(bv<<1)) {
@@ -416,12 +403,10 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 
     if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
-        res = bv;
+        return float64_maybe_silence_nan(b);
     } else {
-        res = av;
+        return float64_maybe_silence_nan(a);
     }
-
-    return make_float64(res);
 }
 
 #ifdef FLOATX80
@@ -557,13 +542,7 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
     aIsSignalingNaN = floatx80_is_signaling_nan( a );
     bIsQuietNaN = floatx80_is_quiet_nan( b );
     bIsSignalingNaN = floatx80_is_signaling_nan( b );
-#if SNAN_BIT_IS_ONE
-    a.low &= ~LIT64( 0xC000000000000000 );
-    b.low &= ~LIT64( 0xC000000000000000 );
-#else
-    a.low |= LIT64( 0xC000000000000000 );
-    b.low |= LIT64( 0xC000000000000000 );
-#endif
+
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
     if (a.low < b.low) {
@@ -576,9 +555,9 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
 
     if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
-        return b;
+        return floatx80_maybe_silence_nan(b);
     } else {
-        return a;
+        return floatx80_maybe_silence_nan(a);
     }
 }
 
@@ -708,13 +687,7 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
     aIsSignalingNaN = float128_is_signaling_nan( a );
     bIsQuietNaN = float128_is_quiet_nan( b );
     bIsSignalingNaN = float128_is_signaling_nan( b );
-#if SNAN_BIT_IS_ONE
-    a.high &= ~LIT64( 0x0000800000000000 );
-    b.high &= ~LIT64( 0x0000800000000000 );
-#else
-    a.high |= LIT64( 0x0000800000000000 );
-    b.high |= LIT64( 0x0000800000000000 );
-#endif
+
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
 
     if (lt128(a.high<<1, a.low, b.high<<1, b.low)) {
@@ -727,9 +700,9 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
 
     if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
-        return b;
+        return float128_maybe_silence_nan(b);
     } else {
-        return a;
+        return float128_maybe_silence_nan(a);
     }
 }
 
commit f6a7d92aed30964b6096d921e3c0df0487bb7b22
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    softfloat: add float{x80,128}_maybe_silence_nan()
    
    Add float{x80,128}_maybe_silence_nan() functions, they will be need by
    propagateFloat{x80,128}NaN().
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index bc6f0c1..b1acc45 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -480,6 +480,29 @@ int floatx80_is_signaling_nan( floatx80 a )
 }
 
 /*----------------------------------------------------------------------------
+| Returns a quiet NaN if the extended double-precision floating point value
+| `a' is a signaling NaN; otherwise returns `a'.
+*----------------------------------------------------------------------------*/
+
+floatx80 floatx80_maybe_silence_nan( floatx80 a )
+{
+    if (floatx80_is_signaling_nan(a)) {
+#if SNAN_BIT_IS_ONE
+#  if defined(TARGET_MIPS)
+        a.low = floatx80_default_nan_low;
+        a.high = floatx80_default_nan_high;
+#  else
+#    error Rules for silencing a signaling NaN are target-specific
+#  endif
+#else
+        a.low |= LIT64( 0xC000000000000000 );
+        return a;
+#endif
+    }
+    return a;
+}
+
+/*----------------------------------------------------------------------------
 | Returns the result of converting the extended double-precision floating-
 | point NaN `a' to the canonical NaN format.  If `a' is a signaling NaN, the
 | invalid exception is raised.
@@ -612,6 +635,29 @@ int float128_is_signaling_nan( float128 a )
 }
 
 /*----------------------------------------------------------------------------
+| Returns a quiet NaN if the quadruple-precision floating point value `a' is
+| a signaling NaN; otherwise returns `a'.
+*----------------------------------------------------------------------------*/
+
+float128 float128_maybe_silence_nan( float128 a )
+{
+    if (float128_is_signaling_nan(a)) {
+#if SNAN_BIT_IS_ONE
+#  if defined(TARGET_MIPS)
+        a.low = float128_default_nan_low;
+        a.high = float128_default_nan_high;
+#  else
+#    error Rules for silencing a signaling NaN are target-specific
+#  endif
+#else
+        a.high |= LIT64( 0x0000800000000000 );
+        return a;
+#endif
+    }
+    return a;
+}
+
+/*----------------------------------------------------------------------------
 | Returns the result of converting the quadruple-precision floating-point NaN
 | `a' to the canonical NaN format.  If `a' is a signaling NaN, the invalid
 | exception is raised.
diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index 1f37877..f2104c6 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -439,6 +439,7 @@ int floatx80_le_quiet( floatx80, floatx80 STATUS_PARAM );
 int floatx80_lt_quiet( floatx80, floatx80 STATUS_PARAM );
 int floatx80_is_quiet_nan( floatx80 );
 int floatx80_is_signaling_nan( floatx80 );
+floatx80 floatx80_maybe_silence_nan( floatx80 );
 floatx80 floatx80_scalbn( floatx80, int STATUS_PARAM );
 
 INLINE floatx80 floatx80_abs(floatx80 a)
@@ -505,6 +506,7 @@ int float128_compare( float128, float128 STATUS_PARAM );
 int float128_compare_quiet( float128, float128 STATUS_PARAM );
 int float128_is_quiet_nan( float128 );
 int float128_is_signaling_nan( float128 );
+float128 float128_maybe_silence_nan( float128 );
 float128 float128_scalbn( float128, int STATUS_PARAM );
 
 INLINE float128 float128_abs(float128 a)
commit 93ae1c6fea6433bca732c907d7c3ee9be4f8a2ab
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    softfloat: fix float{32,64}_maybe_silence_nan() for MIPS
    
    On targets that define sNaN with the sNaN bit as one, simply clearing
    this bit may correspond to an infinite value.
    
    Convert it to a default NaN if SNAN_BIT_IS_ONE, as it corresponds to
    the MIPS implementation, the only emulated CPU with SNAN_BIT_IS_ONE.
    When other CPU of this type are added, this might be updated to include
    more cases.
    
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 33930f9..bc6f0c1 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -107,13 +107,17 @@ int float32_is_signaling_nan( float32 a_ )
 float32 float32_maybe_silence_nan( float32 a_ )
 {
     if (float32_is_signaling_nan(a_)) {
-        uint32_t a = float32_val(a_);
 #if SNAN_BIT_IS_ONE
-        a &= ~(1 << 22);
+#  if defined(TARGET_MIPS)
+        return float32_default_nan;
+#  else
+#    error Rules for silencing a signaling NaN are target-specific
+#  endif
 #else
+        bits32 a = float32_val(a_);
         a |= (1 << 22);
-#endif
         return make_float32(a);
+#endif
     }
     return a_;
 }
@@ -322,13 +326,17 @@ int float64_is_signaling_nan( float64 a_ )
 float64 float64_maybe_silence_nan( float64 a_ )
 {
     if (float64_is_signaling_nan(a_)) {
-        bits64 a = float64_val(a_);
 #if SNAN_BIT_IS_ONE
-        a &= ~LIT64( 0x0008000000000000 );
+#  if defined(TARGET_MIPS)
+        return float64_default_nan;
+#  else
+#    error Rules for silencing a signaling NaN are target-specific
+#  endif
 #else
+        bits64 a = float64_val(a_);
         a |= LIT64( 0x0008000000000000 );
-#endif
         return make_float64(a);
+#endif
     }
     return a_;
 }
commit d735d695e7b547272412f63433e023496c4d36ed
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    softfloat: rename *IsNaN variables to *IsQuietNaN
    
    Similarly to what has been done in commit
    185698715dfb18c82ad2a5dbc169908602d43e81 rename the misnamed *IsNaN
    variables into *IsQuietNaN.
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 5da3a85..33930f9 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -227,15 +227,16 @@ static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
 
 static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
+    flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
+    flag aIsLargerSignificand;
     bits32 av, bv, res;
 
     if ( STATUS(default_nan_mode) )
         return float32_default_nan;
 
-    aIsNaN = float32_is_quiet_nan( a );
+    aIsQuietNaN = float32_is_quiet_nan( a );
     aIsSignalingNaN = float32_is_signaling_nan( a );
-    bIsNaN = float32_is_quiet_nan( b );
+    bIsQuietNaN = float32_is_quiet_nan( b );
     bIsSignalingNaN = float32_is_signaling_nan( b );
     av = float32_val(a);
     bv = float32_val(b);
@@ -256,7 +257,7 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
         aIsLargerSignificand = (av < bv) ? 1 : 0;
     }
 
-    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+    if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
         res = bv;
     } else {
@@ -375,15 +376,16 @@ static float64 commonNaNToFloat64( commonNaNT a )
 
 static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
+    flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
+    flag aIsLargerSignificand;
     bits64 av, bv, res;
 
     if ( STATUS(default_nan_mode) )
         return float64_default_nan;
 
-    aIsNaN = float64_is_quiet_nan( a );
+    aIsQuietNaN = float64_is_quiet_nan( a );
     aIsSignalingNaN = float64_is_signaling_nan( a );
-    bIsNaN = float64_is_quiet_nan( b );
+    bIsQuietNaN = float64_is_quiet_nan( b );
     bIsSignalingNaN = float64_is_signaling_nan( b );
     av = float64_val(a);
     bv = float64_val(b);
@@ -404,7 +406,7 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
         aIsLargerSignificand = (av < bv) ? 1 : 0;
     }
 
-    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+    if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
         res = bv;
     } else {
@@ -511,7 +513,8 @@ static floatx80 commonNaNToFloatx80( commonNaNT a )
 
 static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
+    flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
+    flag aIsLargerSignificand;
 
     if ( STATUS(default_nan_mode) ) {
         a.low = floatx80_default_nan_low;
@@ -519,9 +522,9 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
         return a;
     }
 
-    aIsNaN = floatx80_is_quiet_nan( a );
+    aIsQuietNaN = floatx80_is_quiet_nan( a );
     aIsSignalingNaN = floatx80_is_signaling_nan( a );
-    bIsNaN = floatx80_is_quiet_nan( b );
+    bIsQuietNaN = floatx80_is_quiet_nan( b );
     bIsSignalingNaN = floatx80_is_signaling_nan( b );
 #if SNAN_BIT_IS_ONE
     a.low &= ~LIT64( 0xC000000000000000 );
@@ -540,7 +543,7 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
         aIsLargerSignificand = (a.high < b.high) ? 1 : 0;
     }
 
-    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+    if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
         return b;
     } else {
@@ -638,7 +641,8 @@ static float128 commonNaNToFloat128( commonNaNT a )
 
 static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
+    flag aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN;
+    flag aIsLargerSignificand;
 
     if ( STATUS(default_nan_mode) ) {
         a.low = float128_default_nan_low;
@@ -646,9 +650,9 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
         return a;
     }
 
-    aIsNaN = float128_is_quiet_nan( a );
+    aIsQuietNaN = float128_is_quiet_nan( a );
     aIsSignalingNaN = float128_is_signaling_nan( a );
-    bIsNaN = float128_is_quiet_nan( b );
+    bIsQuietNaN = float128_is_quiet_nan( b );
     bIsSignalingNaN = float128_is_signaling_nan( b );
 #if SNAN_BIT_IS_ONE
     a.high &= ~LIT64( 0x0000800000000000 );
@@ -667,7 +671,7 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
         aIsLargerSignificand = (a.high < b.high) ? 1 : 0;
     }
 
-    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+    if (pickNaN(aIsQuietNaN, aIsSignalingNaN, bIsQuietNaN, bIsSignalingNaN,
                 aIsLargerSignificand)) {
         return b;
     } else {
commit 34d23861989a2901fa76385940817cc94072c721
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:19 2011 +0100

    softfloat: remove HPPA specific code
    
    We don't have any HPPA target, so let's remove HPPA specific code. It
    can be re-added when someone adds an HPPA target.
    
    This has been blessed by Stuart Brady <sdb at zubnet.me.uk>, author of the
    target-hppa fork.
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index f43f2d0..5da3a85 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -30,7 +30,7 @@ these four paragraphs for those parts of this code that are retained.
 
 =============================================================================*/
 
-#if defined(TARGET_MIPS) || defined(TARGET_HPPA)
+#if defined(TARGET_MIPS)
 #define SNAN_BIT_IS_ONE		1
 #else
 #define SNAN_BIT_IS_ONE		0
@@ -63,8 +63,6 @@ typedef struct {
 #define float32_default_nan make_float32(0x7FFFFFFF)
 #elif defined(TARGET_POWERPC) || defined(TARGET_ARM) || defined(TARGET_ALPHA)
 #define float32_default_nan make_float32(0x7FC00000)
-#elif defined(TARGET_HPPA)
-#define float32_default_nan make_float32(0x7FA00000)
 #elif SNAN_BIT_IS_ONE
 #define float32_default_nan make_float32(0x7FBFFFFF)
 #else
@@ -275,8 +273,6 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 #define float64_default_nan make_float64(LIT64( 0x7FFFFFFFFFFFFFFF ))
 #elif defined(TARGET_POWERPC) || defined(TARGET_ARM) || defined(TARGET_ALPHA)
 #define float64_default_nan make_float64(LIT64( 0x7FF8000000000000 ))
-#elif defined(TARGET_HPPA)
-#define float64_default_nan make_float64(LIT64( 0x7FF4000000000000 ))
 #elif SNAN_BIT_IS_ONE
 #define float64_default_nan make_float64(LIT64( 0x7FF7FFFFFFFFFFFF ))
 #else
commit 82b323cd296a079caf818c8c97eab3b4673cad29
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:18 2011 +0100

    target-ppc: use float32_is_any_nan()
    
    Use the new function float32_is_any_nan() instead of
    float32_is_quiet_nan() || float32_is_signaling_nan().
    
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index c69ffc9..279f345 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -1902,7 +1902,7 @@ target_ulong helper_dlmzb (target_ulong high, target_ulong low, uint32_t update_
 /* If X is a NaN, store the corresponding QNaN into RESULT.  Otherwise,
  * execute the following block.  */
 #define DO_HANDLE_NAN(result, x)                \
-    if (float32_is_quiet_nan(x) || float32_is_signaling_nan(x)) {     \
+    if (float32_is_any_nan(x)) {                                \
         CPU_FloatU __f;                                         \
         __f.f = x;                                              \
         __f.l = __f.l | (1 << 22);  /* Set QNaN bit. */         \
@@ -2247,8 +2247,7 @@ void helper_vcmpbfp_dot (ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
         float_status s = env->vec_status;                               \
         set_float_rounding_mode(float_round_to_zero, &s);               \
         for (i = 0; i < ARRAY_SIZE(r->f); i++) {                        \
-            if (float32_is_quiet_nan(b->f[i]) ||                              \
-                float32_is_signaling_nan(b->f[i])) {                    \
+            if (float32_is_any_nan(b->f[i])) {                          \
                 r->element[i] = 0;                                      \
             } else {                                                    \
                 float64 t = float32_to_float64(b->f[i], &s);            \
commit 3eb28bbd472c0d4e3182421c4af7043afa059903
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:18 2011 +0100

    target-ppc: fix default qNaN
    
    On PPC the default qNaN doesn't have the sign bit set.
    
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 31520ab..c69ffc9 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -643,7 +643,7 @@ static inline uint64_t fload_invalid_op_excp(int op)
         env->fpscr &= ~((1 << FPSCR_FR) | (1 << FPSCR_FI));
         if (ve == 0) {
             /* Set the result to quiet NaN */
-            ret = 0xFFF8000000000000ULL;
+            ret = 0x7FF8000000000000ULL;
             env->fpscr &= ~(0xF << FPSCR_FPCC);
             env->fpscr |= 0x11 << FPSCR_FPCC;
         }
@@ -654,7 +654,7 @@ static inline uint64_t fload_invalid_op_excp(int op)
         env->fpscr &= ~((1 << FPSCR_FR) | (1 << FPSCR_FI));
         if (ve == 0) {
             /* Set the result to quiet NaN */
-            ret = 0xFFF8000000000000ULL;
+            ret = 0x7FF8000000000000ULL;
             env->fpscr &= ~(0xF << FPSCR_FPCC);
             env->fpscr |= 0x11 << FPSCR_FPCC;
         }
commit dd94ad96e51457d8d9562a73659734b559d2f4b1
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Thu Jan 6 15:38:18 2011 +0100

    target-ppc: remove PRECISE_EMULATION define
    
    The PRECISE_EMULATION is "hardcoded" to one in target-ppc/exec.h and not
    something easily tunable. Remove it and non-precise emulation code as
    it doesn't make a noticeable difference in speed. People wanting speed
    improvement should use softfloat-native instead.
    
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-ppc/exec.h b/target-ppc/exec.h
index 44cc5e9..4688ef5 100644
--- a/target-ppc/exec.h
+++ b/target-ppc/exec.h
@@ -26,9 +26,6 @@
 #include "cpu.h"
 #include "exec-all.h"
 
-/* Precise emulation is needed to correctly emulate exception flags */
-#define USE_PRECISE_EMULATION 1
-
 register struct CPUPPCState *env asm(AREG0);
 
 #if !defined(CONFIG_USER_ONLY)
diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 5ded1c1..31520ab 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -974,7 +974,7 @@ uint64_t helper_fadd (uint64_t arg1, uint64_t arg2)
 
     farg1.ll = arg1;
     farg2.ll = arg2;
-#if USE_PRECISE_EMULATION
+
     if (unlikely(float64_is_signaling_nan(farg1.d) ||
                  float64_is_signaling_nan(farg2.d))) {
         /* sNaN addition */
@@ -986,9 +986,7 @@ uint64_t helper_fadd (uint64_t arg1, uint64_t arg2)
     } else {
         farg1.d = float64_add(farg1.d, farg2.d, &env->fp_status);
     }
-#else
-    farg1.d = float64_add(farg1.d, farg2.d, &env->fp_status);
-#endif
+
     return farg1.ll;
 }
 
@@ -999,8 +997,7 @@ uint64_t helper_fsub (uint64_t arg1, uint64_t arg2)
 
     farg1.ll = arg1;
     farg2.ll = arg2;
-#if USE_PRECISE_EMULATION
-{
+
     if (unlikely(float64_is_signaling_nan(farg1.d) ||
                  float64_is_signaling_nan(farg2.d))) {
         /* sNaN subtraction */
@@ -1012,10 +1009,7 @@ uint64_t helper_fsub (uint64_t arg1, uint64_t arg2)
     } else {
         farg1.d = float64_sub(farg1.d, farg2.d, &env->fp_status);
     }
-}
-#else
-    farg1.d = float64_sub(farg1.d, farg2.d, &env->fp_status);
-#endif
+
     return farg1.ll;
 }
 
@@ -1026,7 +1020,7 @@ uint64_t helper_fmul (uint64_t arg1, uint64_t arg2)
 
     farg1.ll = arg1;
     farg2.ll = arg2;
-#if USE_PRECISE_EMULATION
+
     if (unlikely(float64_is_signaling_nan(farg1.d) ||
                  float64_is_signaling_nan(farg2.d))) {
         /* sNaN multiplication */
@@ -1038,9 +1032,7 @@ uint64_t helper_fmul (uint64_t arg1, uint64_t arg2)
     } else {
         farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
     }
-#else
-    farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
-#endif
+
     return farg1.ll;
 }
 
@@ -1051,7 +1043,7 @@ uint64_t helper_fdiv (uint64_t arg1, uint64_t arg2)
 
     farg1.ll = arg1;
     farg2.ll = arg2;
-#if USE_PRECISE_EMULATION
+
     if (unlikely(float64_is_signaling_nan(farg1.d) ||
                  float64_is_signaling_nan(farg2.d))) {
         /* sNaN division */
@@ -1065,9 +1057,7 @@ uint64_t helper_fdiv (uint64_t arg1, uint64_t arg2)
     } else {
         farg1.d = float64_div(farg1.d, farg2.d, &env->fp_status);
     }
-#else
-    farg1.d = float64_div(farg1.d, farg2.d, &env->fp_status);
-#endif
+
     return farg1.ll;
 }
 
@@ -1116,12 +1106,10 @@ uint64_t helper_fctiw (uint64_t arg)
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
         farg.ll = float64_to_int32(farg.d, &env->fp_status);
-#if USE_PRECISE_EMULATION
         /* XXX: higher bits are not supposed to be significant.
          *     to make tests easier, return the same as a real PowerPC 750
          */
         farg.ll |= 0xFFF80000ULL << 32;
-#endif
     }
     return farg.ll;
 }
@@ -1140,12 +1128,10 @@ uint64_t helper_fctiwz (uint64_t arg)
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
         farg.ll = float64_to_int32_round_to_zero(farg.d, &env->fp_status);
-#if USE_PRECISE_EMULATION
         /* XXX: higher bits are not supposed to be significant.
          *     to make tests easier, return the same as a real PowerPC 750
          */
         farg.ll |= 0xFFF80000ULL << 32;
-#endif
     }
     return farg.ll;
 }
@@ -1245,7 +1231,7 @@ uint64_t helper_fmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
     farg1.ll = arg1;
     farg2.ll = arg2;
     farg3.ll = arg3;
-#if USE_PRECISE_EMULATION
+
     if (unlikely(float64_is_signaling_nan(farg1.d) ||
                  float64_is_signaling_nan(farg2.d) ||
                  float64_is_signaling_nan(farg3.d))) {
@@ -1277,10 +1263,7 @@ uint64_t helper_fmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         farg1.d = (farg1.d * farg2.d) + farg3.d;
 #endif
     }
-#else
-    farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
-    farg1.d = float64_add(farg1.d, farg3.d, &env->fp_status);
-#endif
+
     return farg1.ll;
 }
 
@@ -1292,7 +1275,7 @@ uint64_t helper_fmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
     farg1.ll = arg1;
     farg2.ll = arg2;
     farg3.ll = arg3;
-#if USE_PRECISE_EMULATION
+
     if (unlikely(float64_is_signaling_nan(farg1.d) ||
                  float64_is_signaling_nan(farg2.d) ||
                  float64_is_signaling_nan(farg3.d))) {
@@ -1324,10 +1307,6 @@ uint64_t helper_fmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         farg1.d = (farg1.d * farg2.d) - farg3.d;
 #endif
     }
-#else
-    farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
-    farg1.d = float64_sub(farg1.d, farg3.d, &env->fp_status);
-#endif
     return farg1.ll;
 }
 
@@ -1350,7 +1329,6 @@ uint64_t helper_fnmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
-#if USE_PRECISE_EMULATION
 #ifdef FLOAT128
         /* This is the way the PowerPC specification defines it */
         float128 ft0_128, ft1_128;
@@ -1371,10 +1349,6 @@ uint64_t helper_fnmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         /* This is OK on x86 hosts */
         farg1.d = (farg1.d * farg2.d) + farg3.d;
 #endif
-#else
-        farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
-        farg1.d = float64_add(farg1.d, farg3.d, &env->fp_status);
-#endif
         if (likely(!float64_is_quiet_nan(farg1.d)))
             farg1.d = float64_chs(farg1.d);
     }
@@ -1400,7 +1374,6 @@ uint64_t helper_fnmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         /* Multiplication of zero by infinity */
         farg1.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXIMZ);
     } else {
-#if USE_PRECISE_EMULATION
 #ifdef FLOAT128
         /* This is the way the PowerPC specification defines it */
         float128 ft0_128, ft1_128;
@@ -1421,10 +1394,6 @@ uint64_t helper_fnmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         /* This is OK on x86 hosts */
         farg1.d = (farg1.d * farg2.d) - farg3.d;
 #endif
-#else
-        farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
-        farg1.d = float64_sub(farg1.d, farg3.d, &env->fp_status);
-#endif
         if (likely(!float64_is_quiet_nan(farg1.d)))
             farg1.d = float64_chs(farg1.d);
     }
@@ -1438,7 +1407,6 @@ uint64_t helper_frsp (uint64_t arg)
     float32 f32;
     farg.ll = arg;
 
-#if USE_PRECISE_EMULATION
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN square root */
        farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN);
@@ -1446,10 +1414,6 @@ uint64_t helper_frsp (uint64_t arg)
        f32 = float64_to_float32(farg.d, &env->fp_status);
        farg.d = float32_to_float64(f32, &env->fp_status);
     }
-#else
-    f32 = float64_to_float32(farg.d, &env->fp_status);
-    farg.d = float32_to_float64(f32, &env->fp_status);
-#endif
     return farg.ll;
 }
 
commit c574ba5a4ce0faee6a687412804d6045ef815327
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Tue Jan 4 12:38:02 2011 -0700

    rtl8139: Use subsection to restrict migration after hotplug
    
    rtl8139 includes a cpu_register_io_memory acquired value in it's
    migration data.  This is not only unecessary, but we should treat
    these values as unique to the VM instances since the value depends
    on call order.  In most cases, this miraculously still works.
    However, if devices are added or removed from the system, it may
    represent an ordering change, which could cause the target rtl8139
    device to make use of another device's cpu_register_io_memory value.
    If we detect that a hot-add/remove has occured, include a subsection
    to restrict migrations only to driver versions known to include this
    fix.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index a8aed89..a22530c 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -495,6 +495,8 @@ typedef struct RTL8139State {
     QEMUTimer *timer;
     int64_t TimerExpire;
 
+    /* Support migration to/from old versions */
+    int rtl8139_mmio_io_addr_dummy;
 } RTL8139State;
 
 static void rtl8139_set_next_tctr_time(RTL8139State *s, int64_t current_time);
@@ -3162,6 +3164,21 @@ static int rtl8139_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool rtl8139_hotplug_ready_needed(void *opaque)
+{
+    return qdev_machine_modified();
+}
+
+static const VMStateDescription vmstate_rtl8139_hotplug_ready ={
+    .name = "rtl8139/hotplug_ready",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields      = (VMStateField []) {
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static void rtl8139_pre_save(void *opaque)
 {
     RTL8139State* s = opaque;
@@ -3171,6 +3188,7 @@ static void rtl8139_pre_save(void *opaque)
     rtl8139_set_next_tctr_time(s, current_time);
     s->TCTR = muldiv64(current_time - s->TCTR_base, PCI_FREQUENCY,
                        get_ticks_per_sec());
+    s->rtl8139_mmio_io_addr_dummy = s->rtl8139_mmio_io_addr;
 }
 
 static const VMStateDescription vmstate_rtl8139 = {
@@ -3223,7 +3241,7 @@ static const VMStateDescription vmstate_rtl8139 = {
 
         VMSTATE_UNUSED(4),
         VMSTATE_MACADDR(conf.macaddr, RTL8139State),
-        VMSTATE_INT32(rtl8139_mmio_io_addr, RTL8139State),
+        VMSTATE_INT32(rtl8139_mmio_io_addr_dummy, RTL8139State),
 
         VMSTATE_UINT32(currTxDesc, RTL8139State),
         VMSTATE_UINT32(currCPlusRxDesc, RTL8139State),
@@ -3252,6 +3270,14 @@ static const VMStateDescription vmstate_rtl8139 = {
 
         VMSTATE_UINT32_V(cplus_enabled, RTL8139State, 4),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (VMStateSubsection []) {
+        {
+            .vmsd = &vmstate_rtl8139_hotplug_ready,
+            .needed = rtl8139_hotplug_ready_needed,
+        }, {
+            /* empty */
+        }
     }
 };
 
commit 0ac8ef71329ee242951074eb2dc7136f99421d8c
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Tue Jan 4 12:37:50 2011 -0700

    qdev: Track runtime machine modifications
    
    Create a trivial interface to track whether the machine has been
    modified since boot.  Adding or removing devices will trigger this
    to return true.  An example usage scenario for such an interface is
    the rtl8139 driver which includes a cpu_register_io_memory() value
    in it's migration stream.  For the majority of migrations, where
    no hotplug has occured in the machine, this works correctly.  Once
    the machine is modified, we can use this interface to detect that
    and include a subsection for the device to prevent migrations to
    rtl8139 versions with this bug.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 31eb464..5b8d374 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -32,6 +32,8 @@
 #include "blockdev.h"
 
 static int qdev_hotplug = 0;
+static bool qdev_hot_added = false;
+static bool qdev_hot_removed = false;
 
 /* This is a nasty hack to allow passing a NULL bus to qdev_create.  */
 static BusState *main_system_bus;
@@ -93,6 +95,7 @@ static DeviceState *qdev_create_from_info(BusState *bus, DeviceInfo *info)
     if (qdev_hotplug) {
         assert(bus->allow_hotplug);
         dev->hotplugged = 1;
+        qdev_hot_added = true;
     }
     dev->instance_id_alias = -1;
     dev->state = DEV_STATE_CREATED;
@@ -294,6 +297,8 @@ int qdev_unplug(DeviceState *dev)
     }
     assert(dev->info->unplug != NULL);
 
+    qdev_hot_removed = true;
+
     return dev->info->unplug(dev);
 }
 
@@ -395,6 +400,11 @@ void qdev_machine_creation_done(void)
     qdev_hotplug = 1;
 }
 
+bool qdev_machine_modified(void)
+{
+    return qdev_hot_added || qdev_hot_removed;
+}
+
 /* Get a character (serial) device interface.  */
 CharDriverState *qdev_init_chardev(DeviceState *dev)
 {
diff --git a/hw/qdev.h b/hw/qdev.h
index 2be775f..e520aaa 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -132,6 +132,7 @@ int qdev_unplug(DeviceState *dev);
 void qdev_free(DeviceState *dev);
 int qdev_simple_unplug_cb(DeviceState *dev);
 void qdev_machine_creation_done(void);
+bool qdev_machine_modified(void);
 
 qemu_irq qdev_get_gpio_in(DeviceState *dev, int n);
 void qdev_connect_gpio_out(DeviceState *dev, int n, qemu_irq pin);
commit 23979dc5411befabe9049e37075b2b6320debc4e
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Wed Jan 5 02:21:19 2011 +0100

    microblaze: Use more TB chaining
    
    For some workloads with tight loops this ~doubles the emulation
    speed.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 1ada15e..c018c99 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -752,9 +752,8 @@ static void dec_bit(DisasContext *dc)
 static inline void sync_jmpstate(DisasContext *dc)
 {
     if (dc->jmp == JMP_DIRECT) {
-            dc->jmp = JMP_INDIRECT;
-            tcg_gen_movi_tl(env_btaken, 1);
-            tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
+        dc->jmp = JMP_INDIRECT;
+        tcg_gen_movi_tl(env_btarget, dc->jmp_pc);
     }
 }
 
@@ -976,11 +975,13 @@ static void dec_bcc(DisasContext *dc)
         int32_t offset = (int32_t)((int16_t)dc->imm); /* sign-extend.  */
 
         tcg_gen_movi_tl(env_btarget, dc->pc + offset);
+        dc->jmp = JMP_DIRECT;
+        dc->jmp_pc = dc->pc + offset;
     } else {
+        dc->jmp = JMP_INDIRECT;
         tcg_gen_movi_tl(env_btarget, dc->pc);
         tcg_gen_add_tl(env_btarget, env_btarget, *(dec_alu_op_b(dc)));
     }
-    dc->jmp = JMP_INDIRECT;
     eval_cc(dc, cc, env_btaken, cpu_R[dc->ra], tcg_const_tl(0));
 }
 
@@ -1028,6 +1029,7 @@ static void dec_br(DisasContext *dc)
         if (dec_alu_op_b_is_small_imm(dc)) {
             dc->jmp = JMP_DIRECT;
             dc->jmp_pc = dc->pc + (int32_t)((int16_t)dc->imm);
+            tcg_gen_movi_tl(env_btaken, 1);
         } else {
             tcg_gen_movi_tl(env_btaken, 1);
             tcg_gen_movi_tl(env_btarget, dc->pc);
@@ -1130,6 +1132,7 @@ static void dec_rts(DisasContext *dc)
     } else
         LOG_DIS("rts ir=%x\n", dc->ir);
 
+    dc->jmp = JMP_INDIRECT;
     tcg_gen_movi_tl(env_btaken, 1);
     tcg_gen_add_tl(env_btarget, cpu_R[dc->ra], *(dec_alu_op_b(dc)));
 }
@@ -1370,6 +1373,9 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
     dc->is_jmp = DISAS_NEXT;
     dc->jmp = 0;
     dc->delayed_branch = !!(dc->tb_flags & D_FLAG);
+    if (dc->delayed_branch) {
+        dc->jmp = JMP_INDIRECT;
+    }
     dc->pc = pc_start;
     dc->singlestep_enabled = env->singlestep_enabled;
     dc->cpustate_changed = 0;
@@ -1441,9 +1447,21 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
                 /* Clear the delay slot flag.  */
                 dc->tb_flags &= ~D_FLAG;
                 /* If it is a direct jump, try direct chaining.  */
-                if (dc->jmp != JMP_DIRECT) {
+                if (dc->jmp == JMP_INDIRECT) {
                     eval_cond_jmp(dc, env_btarget, tcg_const_tl(dc->pc));
                     dc->is_jmp = DISAS_JUMP;
+                } else if (dc->jmp == JMP_DIRECT) {
+                    int l1;
+
+                    t_sync_flags(dc);
+                    l1 = gen_new_label();
+                    /* Conditional jmp.  */
+                    tcg_gen_brcondi_tl(TCG_COND_NE, env_btaken, 0, l1);
+                    gen_goto_tb(dc, 1, dc->pc);
+                    gen_set_label(l1);
+                    gen_goto_tb(dc, 0, dc->jmp_pc);
+
+                    dc->is_jmp = DISAS_TB_JUMP;
                 }
                 break;
             }
commit 5f4a6f4efa393162def29f8e54a4a717803cb56a
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Sun Jan 2 20:33:13 2011 +0100

    qemu-kvm: x86: Remove duplicate MSR_VM_HSAVE_PA from kvm_get_msrs
    
    Obviously a merge artifact.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 940600c..272594d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1089,7 +1089,6 @@ static int kvm_get_msrs(CPUState *env)
     if (kvm_has_msr_hsave_pa(env))
         msrs[n++].index = MSR_VM_HSAVE_PA;
     msrs[n++].index = MSR_IA32_TSC;
-    msrs[n++].index = MSR_VM_HSAVE_PA;
 #ifdef TARGET_X86_64
     if (lm_capable_kernel) {
         msrs[n++].index = MSR_CSTAR;
commit 92d675d1c1f23f3617e24b63c825074a1d1da44b
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 4 21:58:24 2011 +0100

    cirrus_vga: fix division by 0 for color expansion rop
    
    Commit d85d0d3883f5a567fa2969a0396e42e0a662b3fa introduces a regression
    with Windows ME that leads to a division by 0 and a crash.
    
    It uses the color expansion rop with the source pitch set to 0. This is
    something allowed, as the manual explicitely says "When the source of
    color-expand data is display memory, the source pitch is ignored.".
    
    This patch fixes this regression by computing sx, sy and others
    variables only if they are going to be used later, that is for a plain
    copy ROP. It basically consists in moving code.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 4f5040c..199136c 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -675,43 +675,44 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 {
     int sx, sy;
     int dx, dy;
-    int width, height;
     int depth;
     int notify = 0;
 
-    depth = s->vga.get_bpp(&s->vga) / 8;
-    s->vga.get_resolution(&s->vga, &width, &height);
-
-    /* extra x, y */
-    sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
-    sy = (src / ABS(s->cirrus_blt_srcpitch));
-    dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
-    dy = (dst / ABS(s->cirrus_blt_dstpitch));
-
-    /* normalize width */
-    w /= depth;
-
-    /* if we're doing a backward copy, we have to adjust
-       our x/y to be the upper left corner (instead of the lower
-       right corner) */
-    if (s->cirrus_blt_dstpitch < 0) {
-	sx -= (s->cirrus_blt_width / depth) - 1;
-	dx -= (s->cirrus_blt_width / depth) - 1;
-	sy -= s->cirrus_blt_height - 1;
-	dy -= s->cirrus_blt_height - 1;
-    }
+    /* make sure to only copy if it's a plain copy ROP */
+    if (*s->cirrus_rop == cirrus_bitblt_rop_fwd_src ||
+        *s->cirrus_rop == cirrus_bitblt_rop_bkwd_src) {
 
-    /* are we in the visible portion of memory? */
-    if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
-	(sx + w) <= width && (sy + h) <= height &&
-	(dx + w) <= width && (dy + h) <= height) {
-	notify = 1;
-    }
+        int width, height;
+
+        depth = s->vga.get_bpp(&s->vga) / 8;
+        s->vga.get_resolution(&s->vga, &width, &height);
+
+        /* extra x, y */
+        sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
+        sy = (src / ABS(s->cirrus_blt_srcpitch));
+        dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
+        dy = (dst / ABS(s->cirrus_blt_dstpitch));
 
-    /* make to sure only copy if it's a plain copy ROP */
-    if (*s->cirrus_rop != cirrus_bitblt_rop_fwd_src &&
-	*s->cirrus_rop != cirrus_bitblt_rop_bkwd_src)
-	notify = 0;
+        /* normalize width */
+        w /= depth;
+
+        /* if we're doing a backward copy, we have to adjust
+           our x/y to be the upper left corner (instead of the lower
+           right corner) */
+        if (s->cirrus_blt_dstpitch < 0) {
+            sx -= (s->cirrus_blt_width / depth) - 1;
+            dx -= (s->cirrus_blt_width / depth) - 1;
+            sy -= s->cirrus_blt_height - 1;
+            dy -= s->cirrus_blt_height - 1;
+        }
+
+        /* are we in the visible portion of memory? */
+        if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
+            (sx + w) <= width && (sy + h) <= height &&
+            (dx + w) <= width && (dy + h) <= height) {
+            notify = 1;
+        }
+    }
 
     /* we have to flush all pending changes so that the copy
        is generated at the appropriate moment in time */
commit 9ae19b657ee20f4d03bdca8dbf367b932801ac93
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Jan 4 21:58:24 2011 +0100

    Fix curses on big endian hosts
    
    On big endian hosts, the curses interface is unusable: the emulated
    graphic card only displays garbage, while the monitor interface displays
    nothing (or rather only spaces).
    
    The curses interface is waiting for data in native endianness, so
    console_write_ch() should not do any conversion. The conversion should
    be done when reading the video buffer in hw/vga.c. I supposed this
    buffer is in little endian mode, though it's not impossible that the
    data is actually in guest endianness. I currently have no big endian
    guest to way (they all switch to graphic mode immediately).
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/console.h b/console.h
index b2fc908..3157330 100644
--- a/console.h
+++ b/console.h
@@ -329,7 +329,7 @@ static inline void console_write_ch(console_ch_t *dest, uint32_t ch)
 {
     if (!(ch & 0xff))
         ch |= ' ';
-    cpu_to_le32wu((uint32_t *) dest, ch);
+    *dest = ch;
 }
 
 typedef void (*vga_hw_update_ptr)(void *);
diff --git a/hw/vga.c b/hw/vga.c
index c632fd7..e2151a2 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -2073,14 +2073,14 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
 
         if (full_update) {
             for (i = 0; i < size; src ++, dst ++, i ++)
-                console_write_ch(dst, VMEM2CHTYPE(*src));
+                console_write_ch(dst, VMEM2CHTYPE(le32_to_cpu(*src)));
 
             dpy_update(s->ds, 0, 0, width, height);
         } else {
             c_max = 0;
 
             for (i = 0; i < size; src ++, dst ++, i ++) {
-                console_write_ch(&val, VMEM2CHTYPE(*src));
+                console_write_ch(&val, VMEM2CHTYPE(le32_to_cpu(*src)));
                 if (*dst != val) {
                     *dst = val;
                     c_max = i;
@@ -2089,7 +2089,7 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
             }
             c_min = i;
             for (; i < size; src ++, dst ++, i ++) {
-                console_write_ch(&val, VMEM2CHTYPE(*src));
+                console_write_ch(&val, VMEM2CHTYPE(le32_to_cpu(*src)));
                 if (*dst != val) {
                     *dst = val;
                     c_max = i;
commit 5968ae92b5cc51d3a7b70cf3b117ab313a3ae420
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Dec 29 19:53:39 2010 +0100

    qemu-kvm: Drop redundant kvm_reset_mpstate
    
    kvm_arch_reset_vcpu includes the same logic (minus the obsolete feature
    check), and every caller of kvm_reset_mpstate also calls that function.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 672bcbf..2f1a090 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -564,20 +564,6 @@ static void kvm_arch_load_mpstate(CPUState *env)
 #endif
 }
 
-static void kvm_reset_mpstate(CPUState *env)
-{
-#ifdef KVM_CAP_MP_STATE
-    if (kvm_check_extension(kvm_state, KVM_CAP_MP_STATE)) {
-        if (kvm_irqchip_in_kernel()) {
-            env->mp_state = cpu_is_bsp(env) ? KVM_MP_STATE_RUNNABLE :
-                                              KVM_MP_STATE_UNINITIALIZED;
-        } else {
-            env->mp_state = KVM_MP_STATE_RUNNABLE;
-        }
-    }
-#endif
-}
-
 #define XSAVE_CWD_RIP     2
 #define XSAVE_CWD_RDP     4
 #define XSAVE_MXCSR       6
@@ -652,7 +638,6 @@ static int _kvm_arch_init_vcpu(CPUState *env)
 #ifdef KVM_EXIT_TPR_ACCESS
     kvm_enable_tpr_access_reporting(env);
 #endif
-    kvm_reset_mpstate(env);
     return 0;
 }
 
@@ -761,7 +746,6 @@ void kvm_arch_cpu_reset(CPUState *env)
 {
     kvm_reset_msrs(env);
     kvm_arch_reset_vcpu(env);
-    kvm_reset_mpstate(env);
 }
 
 #ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
commit 8a7d0890acd03f45f1d86e12449938891ae18ed9
Author: Michael Walle <michael at walle.cc>
Date:   Tue Jan 4 01:48:55 2011 +0100

    noaudio: correctly account acquired samples
    
    This will fix the return value of the function which otherwise returns too
    many samples because sw->total_hw_samples_acquired isn't correctly
    accounted.
    
    Signed-off-by: Michael Walle <michael at walle.cc>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/noaudio.c b/audio/noaudio.c
index 8015858..0304094 100644
--- a/audio/noaudio.c
+++ b/audio/noaudio.c
@@ -117,9 +117,12 @@ static int no_run_in (HWVoiceIn *hw)
 
 static int no_read (SWVoiceIn *sw, void *buf, int size)
 {
+    /* use custom code here instead of audio_pcm_sw_read() to avoid
+     * useless resampling/mixing */
     int samples = size >> sw->info.shift;
     int total = sw->hw->total_samples_captured - sw->total_hw_samples_acquired;
     int to_clear = audio_MIN (samples, total);
+    sw->total_hw_samples_acquired += total;
     audio_pcm_info_clear_buf (&sw->info, buf, to_clear);
     return to_clear << sw->info.shift;
 }
commit 011da610ba6416df54feed46bcde1955211a2149
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 16 11:51:18 2010 +0000

    target-arm: Implement correct NaN propagation rules
    
    Implement the correct NaN propagation rules for ARM targets by
    providing an appropriate pickNaN function.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 8dcf469..f43f2d0 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -168,6 +168,28 @@ static float32 commonNaNToFloat32( commonNaNT a )
 | tie-break rule.
 *----------------------------------------------------------------------------*/
 
+#if defined(TARGET_ARM)
+static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
+                    flag aIsLargerSignificand)
+{
+    /* ARM mandated NaN propagation rules: take the first of:
+     *  1. A if it is signaling
+     *  2. B if it is signaling
+     *  3. A (quiet)
+     *  4. B (quiet)
+     * A signaling NaN is always quietened before returning it.
+     */
+    if (aIsSNaN) {
+        return 0;
+    } else if (bIsSNaN) {
+        return 1;
+    } else if (aIsQNaN) {
+        return 0;
+    } else {
+        return 1;
+    }
+}
+#else
 static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
                     flag aIsLargerSignificand)
 {
@@ -197,6 +219,7 @@ static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
         return 1;
     }
 }
+#endif
 
 /*----------------------------------------------------------------------------
 | Takes two single-precision floating-point values `a' and `b', one of which
commit 354f211b1a49a7387929e22d6e63849fcba48f8a
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Dec 16 11:51:17 2010 +0000

    softfloat: abstract out target-specific NaN propagation rules
    
    IEEE754 doesn't specify precisely what NaN should be returned as
    the result of an operation on two input NaNs. This is therefore
    target-specific. Abstract out the code in propagateFloat*NaN()
    which was implementing the x87 propagation rules, so that it
    can be easily replaced on a per-target basis.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index f382f7a..8dcf469 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -153,6 +153,52 @@ static float32 commonNaNToFloat32( commonNaNT a )
 }
 
 /*----------------------------------------------------------------------------
+| Select which NaN to propagate for a two-input operation.
+| IEEE754 doesn't specify all the details of this, so the
+| algorithm is target-specific.
+| The routine is passed various bits of information about the
+| two NaNs and should return 0 to select NaN a and 1 for NaN b.
+| Note that signalling NaNs are always squashed to quiet NaNs
+| by the caller, by flipping the SNaN bit before returning them.
+|
+| aIsLargerSignificand is only valid if both a and b are NaNs
+| of some kind, and is true if a has the larger significand,
+| or if both a and b have the same significand but a is
+| positive but b is negative. It is only needed for the x87
+| tie-break rule.
+*----------------------------------------------------------------------------*/
+
+static int pickNaN(flag aIsQNaN, flag aIsSNaN, flag bIsQNaN, flag bIsSNaN,
+                    flag aIsLargerSignificand)
+{
+    /* This implements x87 NaN propagation rules:
+     * SNaN + QNaN => return the QNaN
+     * two SNaNs => return the one with the larger significand, silenced
+     * two QNaNs => return the one with the larger significand
+     * SNaN and a non-NaN => return the SNaN, silenced
+     * QNaN and a non-NaN => return the QNaN
+     *
+     * If we get down to comparing significands and they are the same,
+     * return the NaN with the positive sign bit (if any).
+     */
+    if (aIsSNaN) {
+        if (bIsSNaN) {
+            return aIsLargerSignificand ? 0 : 1;
+        }
+        return bIsQNaN ? 1 : 0;
+    }
+    else if (aIsQNaN) {
+        if (bIsSNaN || !bIsQNaN)
+            return 0;
+        else {
+            return aIsLargerSignificand ? 0 : 1;
+        }
+    } else {
+        return 1;
+    }
+}
+
+/*----------------------------------------------------------------------------
 | Takes two single-precision floating-point values `a' and `b', one of which
 | is a NaN, and returns the appropriate NaN result.  If either `a' or `b' is a
 | signaling NaN, the invalid exception is raised.
@@ -160,7 +206,7 @@ static float32 commonNaNToFloat32( commonNaNT a )
 
 static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN;
+    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
     bits32 av, bv, res;
 
     if ( STATUS(default_nan_mode) )
@@ -180,26 +226,22 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
     bv |= 0x00400000;
 #endif
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
-    if ( aIsSignalingNaN ) {
-        if ( bIsSignalingNaN ) goto returnLargerSignificand;
-        res = bIsNaN ? bv : av;
-    }
-    else if ( aIsNaN ) {
-        if ( bIsSignalingNaN || ! bIsNaN )
-            res = av;
-        else {
- returnLargerSignificand:
-            if ( (bits32) ( av<<1 ) < (bits32) ( bv<<1 ) )
-                res = bv;
-            else if ( (bits32) ( bv<<1 ) < (bits32) ( av<<1 ) )
-                res = av;
-            else
-                res = ( av < bv ) ? av : bv;
-        }
+
+    if ((bits32)(av<<1) < (bits32)(bv<<1)) {
+        aIsLargerSignificand = 0;
+    } else if ((bits32)(bv<<1) < (bits32)(av<<1)) {
+        aIsLargerSignificand = 1;
+    } else {
+        aIsLargerSignificand = (av < bv) ? 1 : 0;
     }
-    else {
+
+    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+                aIsLargerSignificand)) {
         res = bv;
+    } else {
+        res = av;
     }
+
     return make_float32(res);
 }
 
@@ -314,7 +356,7 @@ static float64 commonNaNToFloat64( commonNaNT a )
 
 static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN;
+    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
     bits64 av, bv, res;
 
     if ( STATUS(default_nan_mode) )
@@ -334,26 +376,22 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
     bv |= LIT64( 0x0008000000000000 );
 #endif
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
-    if ( aIsSignalingNaN ) {
-        if ( bIsSignalingNaN ) goto returnLargerSignificand;
-        res = bIsNaN ? bv : av;
-    }
-    else if ( aIsNaN ) {
-        if ( bIsSignalingNaN || ! bIsNaN )
-            res = av;
-        else {
- returnLargerSignificand:
-            if ( (bits64) ( av<<1 ) < (bits64) ( bv<<1 ) )
-                res = bv;
-            else if ( (bits64) ( bv<<1 ) < (bits64) ( av<<1 ) )
-                res = av;
-            else
-                res = ( av < bv ) ? av : bv;
-        }
+
+    if ((bits64)(av<<1) < (bits64)(bv<<1)) {
+        aIsLargerSignificand = 0;
+    } else if ((bits64)(bv<<1) < (bits64)(av<<1)) {
+        aIsLargerSignificand = 1;
+    } else {
+        aIsLargerSignificand = (av < bv) ? 1 : 0;
     }
-    else {
+
+    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+                aIsLargerSignificand)) {
         res = bv;
+    } else {
+        res = av;
     }
+
     return make_float64(res);
 }
 
@@ -454,7 +492,7 @@ static floatx80 commonNaNToFloatx80( commonNaNT a )
 
 static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN;
+    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
 
     if ( STATUS(default_nan_mode) ) {
         a.low = floatx80_default_nan_low;
@@ -474,19 +512,20 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
     b.low |= LIT64( 0xC000000000000000 );
 #endif
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
-    if ( aIsSignalingNaN ) {
-        if ( bIsSignalingNaN ) goto returnLargerSignificand;
-        return bIsNaN ? b : a;
-    }
-    else if ( aIsNaN ) {
-        if ( bIsSignalingNaN || ! bIsNaN ) return a;
- returnLargerSignificand:
-        if ( a.low < b.low ) return b;
-        if ( b.low < a.low ) return a;
-        return ( a.high < b.high ) ? a : b;
+
+    if (a.low < b.low) {
+        aIsLargerSignificand = 0;
+    } else if (b.low < a.low) {
+        aIsLargerSignificand = 1;
+    } else {
+        aIsLargerSignificand = (a.high < b.high) ? 1 : 0;
     }
-    else {
+
+    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+                aIsLargerSignificand)) {
         return b;
+    } else {
+        return a;
     }
 }
 
@@ -580,7 +619,7 @@ static float128 commonNaNToFloat128( commonNaNT a )
 
 static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
 {
-    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN;
+    flag aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN, aIsLargerSignificand;
 
     if ( STATUS(default_nan_mode) ) {
         a.low = float128_default_nan_low;
@@ -600,19 +639,20 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
     b.high |= LIT64( 0x0000800000000000 );
 #endif
     if ( aIsSignalingNaN | bIsSignalingNaN ) float_raise( float_flag_invalid STATUS_VAR);
-    if ( aIsSignalingNaN ) {
-        if ( bIsSignalingNaN ) goto returnLargerSignificand;
-        return bIsNaN ? b : a;
-    }
-    else if ( aIsNaN ) {
-        if ( bIsSignalingNaN || ! bIsNaN ) return a;
- returnLargerSignificand:
-        if ( lt128( a.high<<1, a.low, b.high<<1, b.low ) ) return b;
-        if ( lt128( b.high<<1, b.low, a.high<<1, a.low ) ) return a;
-        return ( a.high < b.high ) ? a : b;
+
+    if (lt128(a.high<<1, a.low, b.high<<1, b.low)) {
+        aIsLargerSignificand = 0;
+    } else if (lt128(b.high<<1, b.low, a.high<<1, a.low)) {
+        aIsLargerSignificand = 1;
+    } else {
+        aIsLargerSignificand = (a.high < b.high) ? 1 : 0;
     }
-    else {
+
+    if (pickNaN(aIsNaN, aIsSignalingNaN, bIsNaN, bIsSignalingNaN,
+                aIsLargerSignificand)) {
         return b;
+    } else {
+        return a;
     }
 }
 
commit 185698715dfb18c82ad2a5dbc169908602d43e81
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Dec 17 15:56:06 2010 +0000

    softfloat: Rename float*_is_nan() functions to float*_is_quiet_nan()
    
    The softfloat functions float*_is_nan() were badly misnamed,
    because they return true only for quiet NaNs, not for all NaNs.
    Rename them to float*_is_quiet_nan() to more accurately reflect
    what they do.
    
    This change was produced by:
     perl -p -i -e 's/_is_nan/_is_quiet_nan/g' $(git grep -l is_nan)
    (with the results manually checked.)
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>
    Acked-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/fpu/softfloat-native.c b/fpu/softfloat-native.c
index 049c830..008bb53 100644
--- a/fpu/softfloat-native.c
+++ b/fpu/softfloat-native.c
@@ -254,7 +254,7 @@ int float32_is_signaling_nan( float32 a1)
     return ( ( ( a>>22 ) & 0x1FF ) == 0x1FE ) && ( a & 0x003FFFFF );
 }
 
-int float32_is_nan( float32 a1 )
+int float32_is_quiet_nan( float32 a1 )
 {
     float32u u;
     uint64_t a;
@@ -411,7 +411,7 @@ int float64_is_signaling_nan( float64 a1)
 
 }
 
-int float64_is_nan( float64 a1 )
+int float64_is_quiet_nan( float64 a1 )
 {
     float64u u;
     uint64_t a;
@@ -504,7 +504,7 @@ int floatx80_is_signaling_nan( floatx80 a1)
         && ( u.i.low == aLow );
 }
 
-int floatx80_is_nan( floatx80 a1 )
+int floatx80_is_quiet_nan( floatx80 a1 )
 {
     floatx80u u;
     u.f = a1;
diff --git a/fpu/softfloat-native.h b/fpu/softfloat-native.h
index 6da0bcb..80b5f28 100644
--- a/fpu/softfloat-native.h
+++ b/fpu/softfloat-native.h
@@ -242,7 +242,7 @@ INLINE int float32_unordered( float32 a, float32 b STATUS_PARAM)
 int float32_compare( float32, float32 STATUS_PARAM );
 int float32_compare_quiet( float32, float32 STATUS_PARAM );
 int float32_is_signaling_nan( float32 );
-int float32_is_nan( float32 );
+int float32_is_quiet_nan( float32 );
 
 INLINE float32 float32_abs(float32 a)
 {
@@ -351,7 +351,7 @@ INLINE int float64_unordered( float64 a, float64 b STATUS_PARAM)
 int float64_compare( float64, float64 STATUS_PARAM );
 int float64_compare_quiet( float64, float64 STATUS_PARAM );
 int float64_is_signaling_nan( float64 );
-int float64_is_nan( float64 );
+int float64_is_quiet_nan( float64 );
 
 INLINE float64 float64_abs(float64 a)
 {
@@ -455,7 +455,7 @@ INLINE int floatx80_unordered( floatx80 a, floatx80 b STATUS_PARAM)
 int floatx80_compare( floatx80, floatx80 STATUS_PARAM );
 int floatx80_compare_quiet( floatx80, floatx80 STATUS_PARAM );
 int floatx80_is_signaling_nan( floatx80 );
-int floatx80_is_nan( floatx80 );
+int floatx80_is_quiet_nan( floatx80 );
 
 INLINE floatx80 floatx80_abs(floatx80 a)
 {
diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 0746878..f382f7a 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -76,7 +76,7 @@ typedef struct {
 | NaN; otherwise returns 0.
 *----------------------------------------------------------------------------*/
 
-int float32_is_nan( float32 a_ )
+int float32_is_quiet_nan( float32 a_ )
 {
     uint32_t a = float32_val(a_);
 #if SNAN_BIT_IS_ONE
@@ -166,9 +166,9 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
     if ( STATUS(default_nan_mode) )
         return float32_default_nan;
 
-    aIsNaN = float32_is_nan( a );
+    aIsNaN = float32_is_quiet_nan( a );
     aIsSignalingNaN = float32_is_signaling_nan( a );
-    bIsNaN = float32_is_nan( b );
+    bIsNaN = float32_is_quiet_nan( b );
     bIsSignalingNaN = float32_is_signaling_nan( b );
     av = float32_val(a);
     bv = float32_val(b);
@@ -223,7 +223,7 @@ static float32 propagateFloat32NaN( float32 a, float32 b STATUS_PARAM)
 | NaN; otherwise returns 0.
 *----------------------------------------------------------------------------*/
 
-int float64_is_nan( float64 a_ )
+int float64_is_quiet_nan( float64 a_ )
 {
     bits64 a = float64_val(a_);
 #if SNAN_BIT_IS_ONE
@@ -320,9 +320,9 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
     if ( STATUS(default_nan_mode) )
         return float64_default_nan;
 
-    aIsNaN = float64_is_nan( a );
+    aIsNaN = float64_is_quiet_nan( a );
     aIsSignalingNaN = float64_is_signaling_nan( a );
-    bIsNaN = float64_is_nan( b );
+    bIsNaN = float64_is_quiet_nan( b );
     bIsSignalingNaN = float64_is_signaling_nan( b );
     av = float64_val(a);
     bv = float64_val(b);
@@ -377,7 +377,7 @@ static float64 propagateFloat64NaN( float64 a, float64 b STATUS_PARAM)
 | quiet NaN; otherwise returns 0.
 *----------------------------------------------------------------------------*/
 
-int floatx80_is_nan( floatx80 a )
+int floatx80_is_quiet_nan( floatx80 a )
 {
 #if SNAN_BIT_IS_ONE
     bits64 aLow;
@@ -462,9 +462,9 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
         return a;
     }
 
-    aIsNaN = floatx80_is_nan( a );
+    aIsNaN = floatx80_is_quiet_nan( a );
     aIsSignalingNaN = floatx80_is_signaling_nan( a );
-    bIsNaN = floatx80_is_nan( b );
+    bIsNaN = floatx80_is_quiet_nan( b );
     bIsSignalingNaN = floatx80_is_signaling_nan( b );
 #if SNAN_BIT_IS_ONE
     a.low &= ~LIT64( 0xC000000000000000 );
@@ -511,7 +511,7 @@ static floatx80 propagateFloatx80NaN( floatx80 a, floatx80 b STATUS_PARAM)
 | NaN; otherwise returns 0.
 *----------------------------------------------------------------------------*/
 
-int float128_is_nan( float128 a )
+int float128_is_quiet_nan( float128 a )
 {
 #if SNAN_BIT_IS_ONE
     return
@@ -588,9 +588,9 @@ static float128 propagateFloat128NaN( float128 a, float128 b STATUS_PARAM)
         return a;
     }
 
-    aIsNaN = float128_is_nan( a );
+    aIsNaN = float128_is_quiet_nan( a );
     aIsSignalingNaN = float128_is_signaling_nan( a );
-    bIsNaN = float128_is_nan( b );
+    bIsNaN = float128_is_quiet_nan( b );
     bIsSignalingNaN = float128_is_signaling_nan( b );
 #if SNAN_BIT_IS_ONE
     a.high &= ~LIT64( 0x0000800000000000 );
diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index 1c1004d..1f37877 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -287,7 +287,7 @@ int float32_le_quiet( float32, float32 STATUS_PARAM );
 int float32_lt_quiet( float32, float32 STATUS_PARAM );
 int float32_compare( float32, float32 STATUS_PARAM );
 int float32_compare_quiet( float32, float32 STATUS_PARAM );
-int float32_is_nan( float32 );
+int float32_is_quiet_nan( float32 );
 int float32_is_signaling_nan( float32 );
 float32 float32_maybe_silence_nan( float32 );
 float32 float32_scalbn( float32, int STATUS_PARAM );
@@ -367,7 +367,7 @@ int float64_le_quiet( float64, float64 STATUS_PARAM );
 int float64_lt_quiet( float64, float64 STATUS_PARAM );
 int float64_compare( float64, float64 STATUS_PARAM );
 int float64_compare_quiet( float64, float64 STATUS_PARAM );
-int float64_is_nan( float64 a );
+int float64_is_quiet_nan( float64 a );
 int float64_is_signaling_nan( float64 );
 float64 float64_maybe_silence_nan( float64 );
 float64 float64_scalbn( float64, int STATUS_PARAM );
@@ -437,7 +437,7 @@ int floatx80_lt( floatx80, floatx80 STATUS_PARAM );
 int floatx80_eq_signaling( floatx80, floatx80 STATUS_PARAM );
 int floatx80_le_quiet( floatx80, floatx80 STATUS_PARAM );
 int floatx80_lt_quiet( floatx80, floatx80 STATUS_PARAM );
-int floatx80_is_nan( floatx80 );
+int floatx80_is_quiet_nan( floatx80 );
 int floatx80_is_signaling_nan( floatx80 );
 floatx80 floatx80_scalbn( floatx80, int STATUS_PARAM );
 
@@ -503,7 +503,7 @@ int float128_le_quiet( float128, float128 STATUS_PARAM );
 int float128_lt_quiet( float128, float128 STATUS_PARAM );
 int float128_compare( float128, float128 STATUS_PARAM );
 int float128_compare_quiet( float128, float128 STATUS_PARAM );
-int float128_is_nan( float128 );
+int float128_is_quiet_nan( float128 );
 int float128_is_signaling_nan( float128 );
 float128 float128_scalbn( float128, int STATUS_PARAM );
 
diff --git a/linux-user/arm/nwfpe/fpa11_cprt.c b/linux-user/arm/nwfpe/fpa11_cprt.c
index 5d64591..0e61b58 100644
--- a/linux-user/arm/nwfpe/fpa11_cprt.c
+++ b/linux-user/arm/nwfpe/fpa11_cprt.c
@@ -199,21 +199,21 @@ static unsigned int PerformComparison(const unsigned int opcode)
    {
       case typeSingle:
         //printk("single.\n");
-	if (float32_is_nan(fpa11->fpreg[Fn].fSingle))
+	if (float32_is_quiet_nan(fpa11->fpreg[Fn].fSingle))
 	   goto unordered;
         rFn = float32_to_floatx80(fpa11->fpreg[Fn].fSingle, &fpa11->fp_status);
       break;
 
       case typeDouble:
         //printk("double.\n");
-	if (float64_is_nan(fpa11->fpreg[Fn].fDouble))
+	if (float64_is_quiet_nan(fpa11->fpreg[Fn].fDouble))
 	   goto unordered;
         rFn = float64_to_floatx80(fpa11->fpreg[Fn].fDouble, &fpa11->fp_status);
       break;
 
       case typeExtended:
         //printk("extended.\n");
-	if (floatx80_is_nan(fpa11->fpreg[Fn].fExtended))
+	if (floatx80_is_quiet_nan(fpa11->fpreg[Fn].fExtended))
 	   goto unordered;
         rFn = fpa11->fpreg[Fn].fExtended;
       break;
@@ -225,7 +225,7 @@ static unsigned int PerformComparison(const unsigned int opcode)
    {
      //printk("Fm is a constant: #%d.\n",Fm);
      rFm = getExtendedConstant(Fm);
-     if (floatx80_is_nan(rFm))
+     if (floatx80_is_quiet_nan(rFm))
         goto unordered;
    }
    else
@@ -235,21 +235,21 @@ static unsigned int PerformComparison(const unsigned int opcode)
       {
          case typeSingle:
            //printk("single.\n");
-	   if (float32_is_nan(fpa11->fpreg[Fm].fSingle))
+	   if (float32_is_quiet_nan(fpa11->fpreg[Fm].fSingle))
 	      goto unordered;
            rFm = float32_to_floatx80(fpa11->fpreg[Fm].fSingle, &fpa11->fp_status);
          break;
 
          case typeDouble:
            //printk("double.\n");
-	   if (float64_is_nan(fpa11->fpreg[Fm].fDouble))
+	   if (float64_is_quiet_nan(fpa11->fpreg[Fm].fDouble))
 	      goto unordered;
            rFm = float64_to_floatx80(fpa11->fpreg[Fm].fDouble, &fpa11->fp_status);
          break;
 
          case typeExtended:
            //printk("extended.\n");
-	   if (floatx80_is_nan(fpa11->fpreg[Fm].fExtended))
+	   if (floatx80_is_quiet_nan(fpa11->fpreg[Fm].fExtended))
 	      goto unordered;
            rFm = fpa11->fpreg[Fm].fExtended;
          break;
diff --git a/target-alpha/op_helper.c b/target-alpha/op_helper.c
index ff5ae26..6c2ae20 100644
--- a/target-alpha/op_helper.c
+++ b/target-alpha/op_helper.c
@@ -904,7 +904,7 @@ uint64_t helper_cmptun (uint64_t a, uint64_t b)
     fa = t_to_float64(a);
     fb = t_to_float64(b);
 
-    if (float64_is_nan(fa) || float64_is_nan(fb))
+    if (float64_is_quiet_nan(fa) || float64_is_quiet_nan(fb))
         return 0x4000000000000000ULL;
     else
         return 0;
diff --git a/target-m68k/helper.c b/target-m68k/helper.c
index 56de897..514b039 100644
--- a/target-m68k/helper.c
+++ b/target-m68k/helper.c
@@ -614,10 +614,10 @@ float64 HELPER(sub_cmp_f64)(CPUState *env, float64 a, float64 b)
     /* ??? Should flush denormals to zero.  */
     float64 res;
     res = float64_sub(a, b, &env->fp_status);
-    if (float64_is_nan(res)) {
+    if (float64_is_quiet_nan(res)) {
         /* +/-inf compares equal against itself, but sub returns nan.  */
-        if (!float64_is_nan(a)
-            && !float64_is_nan(b)) {
+        if (!float64_is_quiet_nan(a)
+            && !float64_is_quiet_nan(b)) {
             res = float64_zero;
             if (float64_lt_quiet(a, res, &env->fp_status))
                 res = float64_chs(res);
diff --git a/target-microblaze/op_helper.c b/target-microblaze/op_helper.c
index 3d2b313..97461ae 100644
--- a/target-microblaze/op_helper.c
+++ b/target-microblaze/op_helper.c
@@ -308,7 +308,7 @@ uint32_t helper_fcmp_un(uint32_t a, uint32_t b)
         r = 1;
     }
 
-    if (float32_is_nan(fa.f) || float32_is_nan(fb.f)) {
+    if (float32_is_quiet_nan(fa.f) || float32_is_quiet_nan(fb.f)) {
         r = 1;
     }
 
diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index ec6864d..669faf1 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -2877,10 +2877,10 @@ static int float64_is_unordered(int sig, float64 a, float64 b STATUS_PARAM)
 {
     if (float64_is_signaling_nan(a) ||
         float64_is_signaling_nan(b) ||
-        (sig && (float64_is_nan(a) || float64_is_nan(b)))) {
+        (sig && (float64_is_quiet_nan(a) || float64_is_quiet_nan(b)))) {
         float_raise(float_flag_invalid, status);
         return 1;
-    } else if (float64_is_nan(a) || float64_is_nan(b)) {
+    } else if (float64_is_quiet_nan(a) || float64_is_quiet_nan(b)) {
         return 1;
     } else {
         return 0;
@@ -2935,10 +2935,10 @@ static flag float32_is_unordered(int sig, float32 a, float32 b STATUS_PARAM)
 {
     if (float32_is_signaling_nan(a) ||
         float32_is_signaling_nan(b) ||
-        (sig && (float32_is_nan(a) || float32_is_nan(b)))) {
+        (sig && (float32_is_quiet_nan(a) || float32_is_quiet_nan(b)))) {
         float_raise(float_flag_invalid, status);
         return 1;
-    } else if (float32_is_nan(a) || float32_is_nan(b)) {
+    } else if (float32_is_quiet_nan(a) || float32_is_quiet_nan(b)) {
         return 1;
     } else {
         return 0;
diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index f32a5ff..5ded1c1 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -546,7 +546,7 @@ uint32_t helper_compute_fprf (uint64_t arg, uint32_t set_fprf)
     int ret;
     farg.ll = arg;
     isneg = float64_is_neg(farg.d);
-    if (unlikely(float64_is_nan(farg.d))) {
+    if (unlikely(float64_is_quiet_nan(farg.d))) {
         if (float64_is_signaling_nan(farg.d)) {
             /* Signaling NaN: flags are undefined */
             ret = 0x00;
@@ -1111,7 +1111,7 @@ uint64_t helper_fctiw (uint64_t arg)
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN | POWERPC_EXCP_FP_VXCVI);
-    } else if (unlikely(float64_is_nan(farg.d) || float64_is_infinity(farg.d))) {
+    } else if (unlikely(float64_is_quiet_nan(farg.d) || float64_is_infinity(farg.d))) {
         /* qNan / infinity conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
@@ -1135,7 +1135,7 @@ uint64_t helper_fctiwz (uint64_t arg)
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN | POWERPC_EXCP_FP_VXCVI);
-    } else if (unlikely(float64_is_nan(farg.d) || float64_is_infinity(farg.d))) {
+    } else if (unlikely(float64_is_quiet_nan(farg.d) || float64_is_infinity(farg.d))) {
         /* qNan / infinity conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
@@ -1168,7 +1168,7 @@ uint64_t helper_fctid (uint64_t arg)
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN | POWERPC_EXCP_FP_VXCVI);
-    } else if (unlikely(float64_is_nan(farg.d) || float64_is_infinity(farg.d))) {
+    } else if (unlikely(float64_is_quiet_nan(farg.d) || float64_is_infinity(farg.d))) {
         /* qNan / infinity conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
@@ -1186,7 +1186,7 @@ uint64_t helper_fctidz (uint64_t arg)
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN | POWERPC_EXCP_FP_VXCVI);
-    } else if (unlikely(float64_is_nan(farg.d) || float64_is_infinity(farg.d))) {
+    } else if (unlikely(float64_is_quiet_nan(farg.d) || float64_is_infinity(farg.d))) {
         /* qNan / infinity conversion */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
@@ -1205,7 +1205,7 @@ static inline uint64_t do_fri(uint64_t arg, int rounding_mode)
     if (unlikely(float64_is_signaling_nan(farg.d))) {
         /* sNaN round */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXSNAN | POWERPC_EXCP_FP_VXCVI);
-    } else if (unlikely(float64_is_nan(farg.d) || float64_is_infinity(farg.d))) {
+    } else if (unlikely(float64_is_quiet_nan(farg.d) || float64_is_infinity(farg.d))) {
         /* qNan / infinity round */
         farg.ll = fload_invalid_op_excp(POWERPC_EXCP_FP_VXCVI);
     } else {
@@ -1375,7 +1375,7 @@ uint64_t helper_fnmadd (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
         farg1.d = float64_add(farg1.d, farg3.d, &env->fp_status);
 #endif
-        if (likely(!float64_is_nan(farg1.d)))
+        if (likely(!float64_is_quiet_nan(farg1.d)))
             farg1.d = float64_chs(farg1.d);
     }
     return farg1.ll;
@@ -1425,7 +1425,7 @@ uint64_t helper_fnmsub (uint64_t arg1, uint64_t arg2, uint64_t arg3)
         farg1.d = float64_mul(farg1.d, farg2.d, &env->fp_status);
         farg1.d = float64_sub(farg1.d, farg3.d, &env->fp_status);
 #endif
-        if (likely(!float64_is_nan(farg1.d)))
+        if (likely(!float64_is_quiet_nan(farg1.d)))
             farg1.d = float64_chs(farg1.d);
     }
     return farg1.ll;
@@ -1533,7 +1533,7 @@ uint64_t helper_fsel (uint64_t arg1, uint64_t arg2, uint64_t arg3)
 
     farg1.ll = arg1;
 
-    if ((!float64_is_neg(farg1.d) || float64_is_zero(farg1.d)) && !float64_is_nan(farg1.d))
+    if ((!float64_is_neg(farg1.d) || float64_is_zero(farg1.d)) && !float64_is_quiet_nan(farg1.d))
         return arg2;
     else
         return arg3;
@@ -1546,8 +1546,8 @@ void helper_fcmpu (uint64_t arg1, uint64_t arg2, uint32_t crfD)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_nan(farg1.d) ||
-                 float64_is_nan(farg2.d))) {
+    if (unlikely(float64_is_quiet_nan(farg1.d) ||
+                 float64_is_quiet_nan(farg2.d))) {
         ret = 0x01UL;
     } else if (float64_lt(farg1.d, farg2.d, &env->fp_status)) {
         ret = 0x08UL;
@@ -1575,8 +1575,8 @@ void helper_fcmpo (uint64_t arg1, uint64_t arg2, uint32_t crfD)
     farg1.ll = arg1;
     farg2.ll = arg2;
 
-    if (unlikely(float64_is_nan(farg1.d) ||
-                 float64_is_nan(farg2.d))) {
+    if (unlikely(float64_is_quiet_nan(farg1.d) ||
+                 float64_is_quiet_nan(farg2.d))) {
         ret = 0x01UL;
     } else if (float64_lt(farg1.d, farg2.d, &env->fp_status)) {
         ret = 0x08UL;
@@ -1938,7 +1938,7 @@ target_ulong helper_dlmzb (target_ulong high, target_ulong low, uint32_t update_
 /* If X is a NaN, store the corresponding QNaN into RESULT.  Otherwise,
  * execute the following block.  */
 #define DO_HANDLE_NAN(result, x)                \
-    if (float32_is_nan(x) || float32_is_signaling_nan(x)) {     \
+    if (float32_is_quiet_nan(x) || float32_is_signaling_nan(x)) {     \
         CPU_FloatU __f;                                         \
         __f.f = x;                                              \
         __f.l = __f.l | (1 << 22);  /* Set QNaN bit. */         \
@@ -2283,7 +2283,7 @@ void helper_vcmpbfp_dot (ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
         float_status s = env->vec_status;                               \
         set_float_rounding_mode(float_round_to_zero, &s);               \
         for (i = 0; i < ARRAY_SIZE(r->f); i++) {                        \
-            if (float32_is_nan(b->f[i]) ||                              \
+            if (float32_is_quiet_nan(b->f[i]) ||                              \
                 float32_is_signaling_nan(b->f[i])) {                    \
                 r->element[i] = 0;                                      \
             } else {                                                    \
@@ -3132,7 +3132,7 @@ static inline int32_t efsctsi(uint32_t val)
 
     u.l = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float32_is_nan(u.f)))
+    if (unlikely(float32_is_quiet_nan(u.f)))
         return 0;
 
     return float32_to_int32(u.f, &env->vec_status);
@@ -3144,7 +3144,7 @@ static inline uint32_t efsctui(uint32_t val)
 
     u.l = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float32_is_nan(u.f)))
+    if (unlikely(float32_is_quiet_nan(u.f)))
         return 0;
 
     return float32_to_uint32(u.f, &env->vec_status);
@@ -3156,7 +3156,7 @@ static inline uint32_t efsctsiz(uint32_t val)
 
     u.l = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float32_is_nan(u.f)))
+    if (unlikely(float32_is_quiet_nan(u.f)))
         return 0;
 
     return float32_to_int32_round_to_zero(u.f, &env->vec_status);
@@ -3168,7 +3168,7 @@ static inline uint32_t efsctuiz(uint32_t val)
 
     u.l = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float32_is_nan(u.f)))
+    if (unlikely(float32_is_quiet_nan(u.f)))
         return 0;
 
     return float32_to_uint32_round_to_zero(u.f, &env->vec_status);
@@ -3205,7 +3205,7 @@ static inline uint32_t efsctsf(uint32_t val)
 
     u.l = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float32_is_nan(u.f)))
+    if (unlikely(float32_is_quiet_nan(u.f)))
         return 0;
     tmp = uint64_to_float32(1ULL << 32, &env->vec_status);
     u.f = float32_mul(u.f, tmp, &env->vec_status);
@@ -3220,7 +3220,7 @@ static inline uint32_t efsctuf(uint32_t val)
 
     u.l = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float32_is_nan(u.f)))
+    if (unlikely(float32_is_quiet_nan(u.f)))
         return 0;
     tmp = uint64_to_float32(1ULL << 32, &env->vec_status);
     u.f = float32_mul(u.f, tmp, &env->vec_status);
@@ -3474,7 +3474,7 @@ uint32_t helper_efdctsi (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
 
     return float64_to_int32(u.d, &env->vec_status);
@@ -3486,7 +3486,7 @@ uint32_t helper_efdctui (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
 
     return float64_to_uint32(u.d, &env->vec_status);
@@ -3498,7 +3498,7 @@ uint32_t helper_efdctsiz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
 
     return float64_to_int32_round_to_zero(u.d, &env->vec_status);
@@ -3510,7 +3510,7 @@ uint64_t helper_efdctsidz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
 
     return float64_to_int64_round_to_zero(u.d, &env->vec_status);
@@ -3522,7 +3522,7 @@ uint32_t helper_efdctuiz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
 
     return float64_to_uint32_round_to_zero(u.d, &env->vec_status);
@@ -3534,7 +3534,7 @@ uint64_t helper_efdctuidz (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
 
     return float64_to_uint64_round_to_zero(u.d, &env->vec_status);
@@ -3571,7 +3571,7 @@ uint32_t helper_efdctsf (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
     tmp = uint64_to_float64(1ULL << 32, &env->vec_status);
     u.d = float64_mul(u.d, tmp, &env->vec_status);
@@ -3586,7 +3586,7 @@ uint32_t helper_efdctuf (uint64_t val)
 
     u.ll = val;
     /* NaN are not treated the same way IEEE 754 does */
-    if (unlikely(float64_is_nan(u.d)))
+    if (unlikely(float64_is_quiet_nan(u.d)))
         return 0;
     tmp = uint64_to_float64(1ULL << 32, &env->vec_status);
     u.d = float64_mul(u.d, tmp, &env->vec_status);
commit f96a38347a0c6ab31fbb6200c13e684d1fee449c
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Dec 28 17:46:59 2010 +0100

    TCG: Improve tb_phys_hash_func()
    
    Most of emulated CPU have instructions aligned on 16 or 32 bits, while
    on others GCC tries to align the target jump location. This means that
    1/2 or 3/4 of tb_phys_hash entries are never used.
    
    Update the hash function tb_phys_hash_func() to ignore the two lowest
    bits of the address. This brings a 6% speed-up when booting a MIPS
    image.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/exec-all.h b/exec-all.h
index 6821b17..a4b75bd 100644
--- a/exec-all.h
+++ b/exec-all.h
@@ -177,7 +177,7 @@ static inline unsigned int tb_jmp_cache_hash_func(target_ulong pc)
 
 static inline unsigned int tb_phys_hash_func(tb_page_addr_t pc)
 {
-    return pc & (CODE_GEN_PHYS_HASH_SIZE - 1);
+    return (pc >> 2) & (CODE_GEN_PHYS_HASH_SIZE - 1);
 }
 
 TranslationBlock *tb_alloc(target_ulong pc);
commit 8aac08b10b2e8c131b9385d2dc37e4a02e1d12c1
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Fri Dec 31 17:50:27 2010 +0100

    target-arm: fix UMAAL instruction
    
    UMAAL should use unsigned multiply instead of signed.
    
    This patch fixes this issue by handling UMAAL separately from
    UMULL/UMLAL/SMULL/SMLAL as these instructions are different
    enough. It also explicitly list instructions in case and catch
    nonexistent instruction as illegal. Also fixes a few style issues.
    
    This fixes the issues reported in
    https://bugs.launchpad.net/qemu/+bug/696015
    
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 8d494ec..2598268 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -6637,26 +6637,38 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
                             gen_logic_CC(tmp);
                         store_reg(s, rd, tmp);
                         break;
-                    default:
-                        /* 64 bit mul */
+                    case 4:
+                        /* 64 bit mul double accumulate (UMAAL) */
+                        ARCH(6);
                         tmp = load_reg(s, rs);
                         tmp2 = load_reg(s, rm);
-                        if (insn & (1 << 22))
+                        tmp64 = gen_mulu_i64_i32(tmp, tmp2);
+                        gen_addq_lo(s, tmp64, rn);
+                        gen_addq_lo(s, tmp64, rd);
+                        gen_storeq_reg(s, rn, rd, tmp64);
+                        tcg_temp_free_i64(tmp64);
+                        break;
+                    case 8: case 9: case 10: case 11:
+                    case 12: case 13: case 14: case 15:
+                        /* 64 bit mul: UMULL, UMLAL, SMULL, SMLAL. */
+                        tmp = load_reg(s, rs);
+                        tmp2 = load_reg(s, rm);
+                        if (insn & (1 << 22)) {
                             tmp64 = gen_muls_i64_i32(tmp, tmp2);
-                        else
+                        } else {
                             tmp64 = gen_mulu_i64_i32(tmp, tmp2);
-                        if (insn & (1 << 21)) /* mult accumulate */
+                        }
+                        if (insn & (1 << 21)) { /* mult accumulate */
                             gen_addq(s, tmp64, rn, rd);
-                        if (!(insn & (1 << 23))) { /* double accumulate */
-                            ARCH(6);
-                            gen_addq_lo(s, tmp64, rn);
-                            gen_addq_lo(s, tmp64, rd);
                         }
-                        if (insn & (1 << 20))
+                        if (insn & (1 << 20)) {
                             gen_logicq_cc(tmp64);
+                        }
                         gen_storeq_reg(s, rn, rd, tmp64);
                         tcg_temp_free_i64(tmp64);
                         break;
+                    default:
+                        goto illegal_op;
                     }
                 } else {
                     rn = (insn >> 16) & 0xf;
commit 6d5c34fa027d1477c0572ea74421e21b0f733838
Author: Mike Pall <mike-lp10 at luajit.org>
Date:   Fri Dec 31 21:17:53 2010 +0100

    Fix translation of unary PPC/SPE instructions (efdneg etc.).
    
    Signed-off-by: Mike Pall <mike-lp10 at luajit.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index c82a483..74e06d7 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -7751,10 +7751,10 @@ static inline void gen_evfsabs(DisasContext *ctx)
         return;
     }
 #if defined(TARGET_PPC64)
-    tcg_gen_andi_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], ~0x8000000080000000LL);
+    tcg_gen_andi_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], ~0x8000000080000000LL);
 #else
-    tcg_gen_andi_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], ~0x80000000);
-    tcg_gen_andi_tl(cpu_gprh[rA(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], ~0x80000000);
+    tcg_gen_andi_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], ~0x80000000);
+    tcg_gen_andi_tl(cpu_gprh[rD(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], ~0x80000000);
 #endif
 }
 static inline void gen_evfsnabs(DisasContext *ctx)
@@ -7764,10 +7764,10 @@ static inline void gen_evfsnabs(DisasContext *ctx)
         return;
     }
 #if defined(TARGET_PPC64)
-    tcg_gen_ori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000080000000LL);
+    tcg_gen_ori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000080000000LL);
 #else
-    tcg_gen_ori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
-    tcg_gen_ori_tl(cpu_gprh[rA(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_ori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_ori_tl(cpu_gprh[rD(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
 #endif
 }
 static inline void gen_evfsneg(DisasContext *ctx)
@@ -7777,10 +7777,10 @@ static inline void gen_evfsneg(DisasContext *ctx)
         return;
     }
 #if defined(TARGET_PPC64)
-    tcg_gen_xori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000080000000LL);
+    tcg_gen_xori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000080000000LL);
 #else
-    tcg_gen_xori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
-    tcg_gen_xori_tl(cpu_gprh[rA(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_xori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_xori_tl(cpu_gprh[rD(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
 #endif
 }
 
@@ -7832,7 +7832,7 @@ static inline void gen_efsabs(DisasContext *ctx)
         gen_exception(ctx, POWERPC_EXCP_APU);
         return;
     }
-    tcg_gen_andi_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], (target_long)~0x80000000LL);
+    tcg_gen_andi_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], (target_long)~0x80000000LL);
 }
 static inline void gen_efsnabs(DisasContext *ctx)
 {
@@ -7840,7 +7840,7 @@ static inline void gen_efsnabs(DisasContext *ctx)
         gen_exception(ctx, POWERPC_EXCP_APU);
         return;
     }
-    tcg_gen_ori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_ori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
 }
 static inline void gen_efsneg(DisasContext *ctx)
 {
@@ -7848,7 +7848,7 @@ static inline void gen_efsneg(DisasContext *ctx)
         gen_exception(ctx, POWERPC_EXCP_APU);
         return;
     }
-    tcg_gen_xori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_xori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x80000000);
 }
 
 /* Conversion */
@@ -7901,9 +7901,10 @@ static inline void gen_efdabs(DisasContext *ctx)
         return;
     }
 #if defined(TARGET_PPC64)
-    tcg_gen_andi_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], ~0x8000000000000000LL);
+    tcg_gen_andi_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], ~0x8000000000000000LL);
 #else
-    tcg_gen_andi_tl(cpu_gprh[rA(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], ~0x80000000);
+    tcg_gen_mov_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
+    tcg_gen_andi_tl(cpu_gprh[rD(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], ~0x80000000);
 #endif
 }
 static inline void gen_efdnabs(DisasContext *ctx)
@@ -7913,9 +7914,10 @@ static inline void gen_efdnabs(DisasContext *ctx)
         return;
     }
 #if defined(TARGET_PPC64)
-    tcg_gen_ori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000000000000LL);
+    tcg_gen_ori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000000000000LL);
 #else
-    tcg_gen_ori_tl(cpu_gprh[rA(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_mov_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
+    tcg_gen_ori_tl(cpu_gprh[rD(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
 #endif
 }
 static inline void gen_efdneg(DisasContext *ctx)
@@ -7925,9 +7927,10 @@ static inline void gen_efdneg(DisasContext *ctx)
         return;
     }
 #if defined(TARGET_PPC64)
-    tcg_gen_xori_tl(cpu_gpr[rA(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000000000000LL);
+    tcg_gen_xori_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)], 0x8000000000000000LL);
 #else
-    tcg_gen_xori_tl(cpu_gprh[rA(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
+    tcg_gen_mov_tl(cpu_gpr[rD(ctx->opcode)], cpu_gpr[rA(ctx->opcode)]);
+    tcg_gen_xori_tl(cpu_gprh[rD(ctx->opcode)], cpu_gprh[rA(ctx->opcode)], 0x80000000);
 #endif
 }
 
commit b724fa4bb46b82c54b5f0a2cf9177194020433ef
Author: Markus Armbruster <armbru at redhat.com>
Date:   Wed Dec 22 13:33:39 2010 +0100

    qemu-kvm: Switch to upstream -enable-kvm semantics
    
    We currently enable KVM by default, and when it's not available, we
    print a message and fall back to TCG.  Option -enable-kvm is ignored.
    Option -no-kvm suppresses KVM.
    
    Upstream works differently: KVM is off by default, -enable-kvm
    switches it on.  -enable-kvm terminates the process unsuccessfully if
    KVM is not available.
    
    upstream qemu   |  default  |-enable-kvm
    ----------------+-----------+-----------
    KVM available   | disabled  |  enabled
    KVM unavailable | disabled  |    fail
    
    qemu-kvm        |  default  |-enable-kvm|  -no-kvm
    ----------------+-----------+-----------+----------
    KVM available   |  enabled* |  enabled  |  disabled
    KVM unavailable | disabled  | disabled* |  disabled
    
    * differs from upstream
    
    Users of qemu and qemu-kvm need to be aware of these differences to
    enable / disable use of KVM reliably.  This is bothersome.
    
    Consider -enable-kvm when KVM is unavailable: If the user expects
    qemu-kvm behavior (fall back), but qemu fails, he'll likely be
    surprised and unhappy.  If the user expects upstream behavior (fail),
    but qemu-kvm falls back to TCG, the guest runs slow as molasses, and
    the user will likely be confused and unhappy (unless he spots and
    understands the "disable KVM" message).
    
    Eventually, we'll sort this upstream with -accel (defaults tied to
    machine type).  Until then, this patch reduces the difference to
    upstream so that most users shouldn't need to be aware of them.
    
    Make -enable-kvm behave just like in upstream: enable KVM, fail if not
    available.  But retain current default behavior: enable KVM, fall back
    to TCG.
    
    qemu-kvm new    |  default  |-enable-kvm|  -no-kvm
    ----------------+-----------+-----------+-----------
    KVM available   |  enabled* |  enabled  |  disabled
    KVM unavailable | disabled  |    fail+  |  disabled
    
    * differs from upstream
    + changed by this patch
    
    Bonus fix: -no-kvm -enable-kvm now enables KVM.  Before, it disabled it.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/vl.c b/vl.c
index e3c8919..1958e01 100644
--- a/vl.c
+++ b/vl.c
@@ -247,7 +247,7 @@ static void *boot_set_opaque;
 static NotifierList exit_notifiers =
     NOTIFIER_LIST_INITIALIZER(exit_notifiers);
 
-int kvm_allowed = 1;
+int kvm_allowed = -1;
 uint32_t xen_domid;
 enum xen_mode xen_mode = XEN_EMULATE;
 
@@ -2436,10 +2436,8 @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_smbios:
                 do_smbios_option(optarg);
                 break;
-#ifdef OBSOLETE_KVM_IMPL
             case QEMU_OPTION_enable_kvm:
                 kvm_allowed = 1;
-#endif
                 break;
 	    case QEMU_OPTION_no_kvm:
 		kvm_allowed = 0;
@@ -2789,19 +2787,17 @@ int main(int argc, char **argv, char **envp)
     if (kvm_allowed) {
         int ret = kvm_init(smp_cpus);
         if (ret < 0) {
-#if defined(OBSOLETE_KVM_IMPL) || defined(CONFIG_NO_CPU_EMULATION)
-            if (!kvm_available()) {
-                printf("KVM not supported for this target\n");
-            } else {
-                fprintf(stderr, "failed to initialize KVM: %s\n", strerror(-ret));
+            if (kvm_allowed > 0) {
+                if (!kvm_available()) {
+                    printf("KVM not supported for this target\n");
+                } else {
+                    fprintf(stderr, "failed to initialize KVM: %s\n", strerror(-ret));
+                }
+                exit(1);
             }
-            exit(1);
-#endif
-#ifdef CONFIG_KVM
             fprintf(stderr, "Could not initialize KVM, will disable KVM support\n");
-            kvm_allowed = 0;
-#endif
         }
+        kvm_allowed = ret >= 0;
     }
 
     if (qemu_init_main_loop()) {
commit 8ce764af21a4b1f1754efa7c3fa7041dde55417d
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 22 17:18:49 2010 +0200

    Add ability to drop pages through testdev
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/testdev.c b/hw/testdev.c
index d1abf59..29df385 100644
--- a/hw/testdev.c
+++ b/hw/testdev.c
@@ -1,3 +1,4 @@
+#include <sys/mman.h>
 #include "hw.h"
 #include "qdev.h"
 #include "isa.h"
@@ -46,6 +47,16 @@ static uint32_t test_device_ioport_read(void *opaque, uint32_t addr)
     return test_device_ioport_data;
 }
 
+static void test_device_flush_page(void *opaque, uint32_t addr, uint32_t data)
+{
+    target_phys_addr_t len = 4096;
+    void *a = cpu_physical_memory_map(data & ~0xffful, &len, 0);
+
+    mprotect(a, 4096, PROT_NONE);
+    mprotect(a, 4096, PROT_READ|PROT_WRITE);
+    cpu_physical_memory_unmap(a, len, 0, 0);
+}
+
 static char *iomem_buf;
 
 static uint32_t test_iomem_readb(void *opaque, target_phys_addr_t addr)
@@ -104,6 +115,7 @@ static int init_test_device(ISADevice *isa)
     register_ioport_write(0xe0, 1, 2, test_device_ioport_write, dev);
     register_ioport_read(0xe0, 1, 4, test_device_ioport_read, dev);
     register_ioport_write(0xe0, 1, 4, test_device_ioport_write, dev);
+    register_ioport_write(0xe4, 1, 4, test_device_flush_page, dev);
     register_ioport_write(0x2000, 24, 1, test_device_irq_line, NULL);
     iomem_buf = qemu_mallocz(0x10000);
     iomem = cpu_register_io_memory(test_iomem_read, test_iomem_write, NULL);
commit 0fcec41eec0432c77645b4a407d3a3e030c4abc4
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sat Dec 25 23:25:47 2010 +0100

    target-sparc: fix udiv(cc) and sdiv(cc)
    
    Since commit 5a4bb580cdb10b066f9fd67658b31cac4a4ea5e5, Xorg crashes on
    a Debian Etch image. The commit itself is fine, but it triggers a bug
    due to wrong computation of flags for udiv(cc) and sdiv(cc).
    
    This patch only compute cc_src2 for the cc version of udiv/sdiv. It
    also moves the update of cc_dst and cc_op to the helper, as it is
    faster doing it here when there is already an helper.
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-sparc/helper.h b/target-sparc/helper.h
index 6f103e7..e6d82f9 100644
--- a/target-sparc/helper.h
+++ b/target-sparc/helper.h
@@ -37,7 +37,9 @@ DEF_HELPER_0(save, void)
 DEF_HELPER_0(restore, void)
 DEF_HELPER_1(flush, void, tl)
 DEF_HELPER_2(udiv, tl, tl, tl)
+DEF_HELPER_2(udiv_cc, tl, tl, tl)
 DEF_HELPER_2(sdiv, tl, tl, tl)
+DEF_HELPER_2(sdiv_cc, tl, tl, tl)
 DEF_HELPER_2(stdf, void, tl, int)
 DEF_HELPER_2(lddf, void, tl, int)
 DEF_HELPER_2(ldqf, void, tl, int)
diff --git a/target-sparc/op_helper.c b/target-sparc/op_helper.c
index 4f753ba..58f9f82 100644
--- a/target-sparc/op_helper.c
+++ b/target-sparc/op_helper.c
@@ -3300,8 +3300,9 @@ void helper_rett(void)
 }
 #endif
 
-target_ulong helper_udiv(target_ulong a, target_ulong b)
+static target_ulong helper_udiv_common(target_ulong a, target_ulong b, int cc)
 {
+    int overflow = 0;
     uint64_t x0;
     uint32_t x1;
 
@@ -3314,16 +3315,31 @@ target_ulong helper_udiv(target_ulong a, target_ulong b)
 
     x0 = x0 / x1;
     if (x0 > 0xffffffff) {
-        env->cc_src2 = 1;
-        return 0xffffffff;
-    } else {
-        env->cc_src2 = 0;
-        return x0;
+        x0 = 0xffffffff;
+        overflow = 1;
+    }
+
+    if (cc) {
+        env->cc_dst = x0;
+        env->cc_src2 = overflow;
+        env->cc_op = CC_OP_DIV;
     }
+    return x0;
 }
 
-target_ulong helper_sdiv(target_ulong a, target_ulong b)
+target_ulong helper_udiv(target_ulong a, target_ulong b)
+{
+    return helper_udiv_common(a, b, 0);
+}
+
+target_ulong helper_udiv_cc(target_ulong a, target_ulong b)
+{
+    return helper_udiv_common(a, b, 1);
+}
+
+static target_ulong helper_sdiv_common(target_ulong a, target_ulong b, int cc)
 {
+    int overflow = 0;
     int64_t x0;
     int32_t x1;
 
@@ -3336,12 +3352,26 @@ target_ulong helper_sdiv(target_ulong a, target_ulong b)
 
     x0 = x0 / x1;
     if ((int32_t) x0 != x0) {
-        env->cc_src2 = 1;
-        return x0 < 0? 0x80000000: 0x7fffffff;
-    } else {
-        env->cc_src2 = 0;
-        return x0;
+        x0 = x0 < 0 ? 0x80000000: 0x7fffffff;
+        overflow = 1;
+    }
+
+    if (cc) {
+        env->cc_dst = x0;
+        env->cc_src2 = overflow;
+        env->cc_op = CC_OP_DIV;
     }
+    return x0;
+}
+
+target_ulong helper_sdiv(target_ulong a, target_ulong b)
+{
+    return helper_sdiv_common(a, b, 0);
+}
+
+target_ulong helper_sdiv_cc(target_ulong a, target_ulong b)
+{
+    return helper_sdiv_common(a, b, 1);
 }
 
 void helper_stdf(target_ulong addr, int mem_idx)
diff --git a/target-sparc/translate.c b/target-sparc/translate.c
index 23f9519..21c5675 100644
--- a/target-sparc/translate.c
+++ b/target-sparc/translate.c
@@ -3162,20 +3162,20 @@ static void disas_sparc_insn(DisasContext * dc)
 #endif
                     case 0xe: /* udiv */
                         CHECK_IU_FEATURE(dc, DIV);
-                        gen_helper_udiv(cpu_dst, cpu_src1, cpu_src2);
                         if (xop & 0x10) {
-                            tcg_gen_mov_tl(cpu_cc_dst, cpu_dst);
-                            tcg_gen_movi_i32(cpu_cc_op, CC_OP_DIV);
+                            gen_helper_udiv_cc(cpu_dst, cpu_src1, cpu_src2);
                             dc->cc_op = CC_OP_DIV;
+                        } else {
+                            gen_helper_udiv(cpu_dst, cpu_src1, cpu_src2);
                         }
                         break;
                     case 0xf: /* sdiv */
                         CHECK_IU_FEATURE(dc, DIV);
-                        gen_helper_sdiv(cpu_dst, cpu_src1, cpu_src2);
                         if (xop & 0x10) {
-                            tcg_gen_mov_tl(cpu_cc_dst, cpu_dst);
-                            tcg_gen_movi_i32(cpu_cc_op, CC_OP_DIV);
+                            gen_helper_sdiv_cc(cpu_dst, cpu_src1, cpu_src2);
                             dc->cc_op = CC_OP_DIV;
+                        } else {
+                            gen_helper_sdiv(cpu_dst, cpu_src1, cpu_src2);
                         }
                         break;
                     default:
commit 818c2e1b9777599d333855330d94050b3432c8b7
Merge: 4058fd9... 7572150...
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Dec 27 22:59:48 2010 +0100

    Merge branch 'spice.v23.pull' of git://anongit.freedesktop.org/spice/qemu
    
    * 'spice.v23.pull' of git://anongit.freedesktop.org/spice/qemu:
      vnc/spice: add set_passwd monitor command.
      vnc: support password expire
      vnc: auth reject cleanup
      spice: add qmp 'query-spice' and hmp 'info spice' commands.
      spice: connection events.
      spice: add qxl device
      spice: add qxl vgabios binary.

commit 4058fd98fd7e9c476774717adbd49698dd273166
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Mon Dec 27 15:52:24 2010 +0100

    x86: Filter out garbage from segment flags dump
    
    Only bits 8..23 of the segment flags contain valid data, so only dump
    those when printing the CPU state.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-i386/helper.c b/target-i386/helper.c
index 26ea1e5..25a3e36 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -175,12 +175,12 @@ cpu_x86_dump_seg_cache(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
 #ifdef TARGET_X86_64
     if (env->hflags & HF_CS64_MASK) {
         cpu_fprintf(f, "%-3s=%04x %016" PRIx64 " %08x %08x", name,
-                    sc->selector, sc->base, sc->limit, sc->flags);
+                    sc->selector, sc->base, sc->limit, sc->flags & 0x00ffff00);
     } else
 #endif
     {
         cpu_fprintf(f, "%-3s=%04x %08x %08x %08x", name, sc->selector,
-                    (uint32_t)sc->base, sc->limit, sc->flags);
+                    (uint32_t)sc->base, sc->limit, sc->flags & 0x00ffff00);
     }
 
     if (!(env->hflags & HF_PE_MASK) || !(sc->flags & DESC_P_MASK))
commit 5569fd7c38ddc7482c9b05af0988779cd0027f6d
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Dec 15 17:56:18 2010 -0200

    Fix migrate set speed doc arg
    
    We used to ignore any fractional part in 0.13, but due to recent
    changes (started with 9f9b17a4f0865286391e4d3a0a735230122a2289)
    migrate_set_speed will reject the fractional part.
    
    We don't expect existing clients to be relying on this, but we
    need to update the documentation to reflect the change.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/qmp-commands.hx b/qmp-commands.hx
index 3486223..164ecbc 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -510,7 +510,7 @@ Set maximum speed for migrations.
 
 Arguments:
 
-- "value": maximum speed, in bytes per second (json-number)
+- "value": maximum speed, in bytes per second (json-int)
 
 Example:
 
commit 16440c5fa0a3ba87c7ea92218466673ede7c08f0
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Wed Dec 8 13:15:18 2010 +0200

    target-arm: correct cp15 c1_sys reset value for arm1136 and cortex-a9
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index e54fb27..50c1017 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -76,6 +76,7 @@ static void cpu_reset_model_id(CPUARMState *env, uint32_t id)
         memcpy(env->cp15.c0_c1, arm1136_cp15_c0_c1, 8 * sizeof(uint32_t));
         memcpy(env->cp15.c0_c2, arm1136_cp15_c0_c2, 8 * sizeof(uint32_t));
         env->cp15.c0_cachetype = 0x1dd20d2;
+        env->cp15.c1_sys = 0x00050078;
         break;
     case ARM_CPUID_ARM11MPCORE:
         set_feature(env, ARM_FEATURE_V6);
@@ -131,6 +132,7 @@ static void cpu_reset_model_id(CPUARMState *env, uint32_t id)
         env->cp15.c0_clid = (1 << 27) | (1 << 24) | 3;
         env->cp15.c0_ccsid[0] = 0xe00fe015; /* 16k L1 dcache. */
         env->cp15.c0_ccsid[1] = 0x200fe015; /* 16k L1 icache. */
+        env->cp15.c1_sys = 0x00c50078;
         break;
     case ARM_CPUID_CORTEXM3:
         set_feature(env, ARM_FEATURE_V6);
commit 9c486ad6e4e4afcd582460b4c70b1e2be856dbfd
Author: Mattias Holm <holm at liacs.nl>
Date:   Wed Dec 8 13:15:17 2010 +0200

    target-arm: correct cp15 c1_sys reset value for cortex-a8
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 409a6c0..e54fb27 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -109,6 +109,7 @@ static void cpu_reset_model_id(CPUARMState *env, uint32_t id)
         env->cp15.c0_ccsid[0] = 0xe007e01a; /* 16k L1 dcache. */
         env->cp15.c0_ccsid[1] = 0x2007e01a; /* 16k L1 icache. */
         env->cp15.c0_ccsid[2] = 0xf0000000; /* No L2 icache. */
+        env->cp15.c1_sys = 0x00c50078;
         break;
     case ARM_CPUID_CORTEXA9:
         set_feature(env, ARM_FEATURE_V6);
commit c0034328090880621ad8f33e03ae03599e353865
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Wed Dec 8 13:15:16 2010 +0200

    target-arm: fix vmsav6 access control
    
    Override access control checks (including execute) for mmu translation
    table descriptors assigned to manager domains.
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 9ba2f4f..409a6c0 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -1084,22 +1084,26 @@ static int get_phys_addr_v6(CPUState *env, uint32_t address, int access_type,
         }
         code = 15;
     }
-    if (xn && access_type == 2)
-        goto do_fault;
+    if (domain == 3) {
+        *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
+    } else {
+        if (xn && access_type == 2)
+            goto do_fault;
 
-    /* The simplified model uses AP[0] as an access control bit.  */
-    if ((env->cp15.c1_sys & (1 << 29)) && (ap & 1) == 0) {
-        /* Access flag fault.  */
-        code = (code == 15) ? 6 : 3;
-        goto do_fault;
-    }
-    *prot = check_ap(env, ap, domain, access_type, is_user);
-    if (!*prot) {
-        /* Access permission fault.  */
-        goto do_fault;
-    }
-    if (!xn) {
-        *prot |= PAGE_EXEC;
+        /* The simplified model uses AP[0] as an access control bit.  */
+        if ((env->cp15.c1_sys & (1 << 29)) && (ap & 1) == 0) {
+            /* Access flag fault.  */
+            code = (code == 15) ? 6 : 3;
+            goto do_fault;
+        }
+        *prot = check_ap(env, ap, domain, access_type, is_user);
+        if (!*prot) {
+            /* Access permission fault.  */
+            goto do_fault;
+        }
+        if (!xn) {
+            *prot |= PAGE_EXEC;
+        }
     }
     *phys_ptr = phys_addr;
     return 0;
commit a5d88f3e030f9f83e63b0cb3c09a3293d8057f4a
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 14:13:45 2010 +0000

    target-arm: Correct result in saturating cases for VQSHL of s8/16/32
    
    Where VQSHL of a signed 8/16/32 bit value saturated, the result
    value was not being calculated correctly (it should be either
    the minimum or maximum value for the size of the signed type).
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index 48b9f5b..dae063e 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -580,9 +580,15 @@ uint64_t HELPER(neon_qshl_u64)(CPUState *env, uint64_t val, uint64_t shiftop)
     int8_t tmp; \
     tmp = (int8_t)src2; \
     if (tmp >= (ssize_t)sizeof(src1) * 8) { \
-        if (src1) \
+        if (src1) { \
             SET_QC(); \
-        dest = src1 >> 31; \
+            dest = (uint32_t)(1 << (sizeof(src1) * 8 - 1)); \
+            if (src1 > 0) { \
+                dest--; \
+            } \
+        } else { \
+            dest = src1; \
+        } \
     } else if (tmp <= -(ssize_t)sizeof(src1) * 8) { \
         dest = src1 >> 31; \
     } else if (tmp < 0) { \
@@ -591,7 +597,10 @@ uint64_t HELPER(neon_qshl_u64)(CPUState *env, uint64_t val, uint64_t shiftop)
         dest = src1 << tmp; \
         if ((dest >> tmp) != src1) { \
             SET_QC(); \
-            dest = src2 >> 31; \
+            dest = (uint32_t)(1 << (sizeof(src1) * 8 - 1)); \
+            if (src1 > 0) { \
+                dest--; \
+            } \
         } \
     }} while (0)
 NEON_VOP_ENV(qshl_s8, neon_s8, 4)
commit 620d791e341fe0b36e6c2a5659b2cc9f7866948f
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Tue Dec 7 14:13:44 2010 +0000

    target-arm: remove pointless else clause in VQSHL of u64
    
    Remove a pointless else clause in the neon_qshl_u64 helper.
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index 2dc3d96..48b9f5b 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -560,8 +560,6 @@ uint64_t HELPER(neon_qshl_u64)(CPUState *env, uint64_t val, uint64_t shiftop)
         if (val) {
             val = ~(uint64_t)0;
             SET_QC();
-        } else {
-            val = 0;
         }
     } else if (shift <= -64) {
         val = 0;
commit eb7a3d7964f748ba815200372d7ff403737c54d7
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 14:13:43 2010 +0000

    target-arm: Fix VQSHL of signed 64 bit values by shift counts >= 64
    
    VQSHL of a signed 64 bit non-zero value by a shift count >= 64 should
    saturate; return the correct value in this case.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index d29b884..2dc3d96 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -608,7 +608,7 @@ uint64_t HELPER(neon_qshl_s64)(CPUState *env, uint64_t valop, uint64_t shiftop)
     if (shift >= 64) {
         if (val) {
             SET_QC();
-            val = (val >> 63) & ~SIGNBIT64;
+            val = (val >> 63) ^ ~SIGNBIT64;
         }
     } else if (shift <= -64) {
         val >>= 63;
commit 4c9b70aeca70b3e0a68a771727f388551620b3ed
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Tue Dec 7 14:13:42 2010 +0000

    target-arm: Fix VQSHL of signed 64 bit values
    
    Add a missing '-' which meant that we were misinterpreting the shift
    argument for VQSHL of 64 bit signed values and treating almost every
    shift value as if it were an extremely large right shift.
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/neon_helper.c b/target-arm/neon_helper.c
index 5e6452b..d29b884 100644
--- a/target-arm/neon_helper.c
+++ b/target-arm/neon_helper.c
@@ -610,7 +610,7 @@ uint64_t HELPER(neon_qshl_s64)(CPUState *env, uint64_t valop, uint64_t shiftop)
             SET_QC();
             val = (val >> 63) & ~SIGNBIT64;
         }
-    } else if (shift <= 64) {
+    } else if (shift <= -64) {
         val >>= 63;
     } else if (shift < 0) {
         val >>= -shift;
commit def126ce37b037afc55878197159d9ddcb24a9e4
Author: Juha Riihimäki <juha.riihimaki at nokia.com>
Date:   Tue Dec 7 14:13:41 2010 +0000

    target-arm: Fix arguments passed to VQSHL helpers
    
    Correct the arguments passed when generating neon qshl_{u,s}64()
    helpers so that we use the correct registers.
    
    Signed-off-by: Juha Riihimäki <juha.riihimaki at nokia.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 24b4fb6..8d494ec 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4236,9 +4236,9 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                 case 9: /* VQSHL */
                     if (u) {
                         gen_helper_neon_qshl_u64(cpu_V0, cpu_env,
-                                                 cpu_V0, cpu_V0);
+                                                 cpu_V1, cpu_V0);
                     } else {
-                        gen_helper_neon_qshl_s64(cpu_V1, cpu_env,
+                        gen_helper_neon_qshl_s64(cpu_V0, cpu_env,
                                                  cpu_V1, cpu_V0);
                     }
                     break;
commit 1a855029af40df40144a322bba0e1e61c68eed2a
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Dec 27 19:54:49 2010 +0100

    target-arm: fix bug in translation of REVSH
    
    The translation of REVSH shifted the low byte 8 steps left before performing
    an 8-bit sign extend, causing this part of the expression to alwas be 0.
    
    Reported-by: Johan Bengtsson <teofrastius at gmail.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index d4a0666..24b4fb6 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -250,13 +250,9 @@ static void gen_rev16(TCGv var)
 /* Byteswap low halfword and sign extend.  */
 static void gen_revsh(TCGv var)
 {
-    TCGv tmp = new_tmp();
-    tcg_gen_shri_i32(tmp, var, 8);
-    tcg_gen_andi_i32(tmp, tmp, 0x00ff);
-    tcg_gen_shli_i32(var, var, 8);
-    tcg_gen_ext8s_i32(var, var);
-    tcg_gen_or_i32(var, var, tmp);
-    dead_tmp(tmp);
+    tcg_gen_ext16u_i32(var, var);
+    tcg_gen_bswap16_i32(var, var);
+    tcg_gen_ext16s_i32(var, var);
 }
 
 /* Unsigned bitfield extract.  */
commit 5697f6ae4183f3b3320a1fe677e3404a05e75783
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Mon Dec 27 18:29:20 2010 +0100

    Fix a missing trailing newline
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/vl.c b/vl.c
index 768dbf4..c605347 100644
--- a/vl.c
+++ b/vl.c
@@ -2603,7 +2603,7 @@ int main(int argc, char **argv, char **envp)
 		     if (p != NULL) {
 		        *p++ = 0;
 			if (strncmp(p, "process=", 8)) {
-			    fprintf(stderr, "Unknown subargument %s to -name", p);
+			    fprintf(stderr, "Unknown subargument %s to -name\n", p);
 			    exit(1);
 			}
 			p += 8;
commit a6a7005d14b3c32d4864a718fb1cb19c789f58a5
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Dec 27 11:21:38 2010 +0200

    pci: fix migration path for devices behind bridges
    
    The device path used for migration is currently broken for
    for all devices behind a nested bridge.
    
    Replace this by a hierarchical list of slot/function numbers, walking
    the path from root down to device. Add :00 after the domain number
    so that if there are no nested bridges, this is compatible
    with what we have now.
    
    Note: as pointed out by Gleb, using openfirmware paths
    might be cleaner, doing this would break compatibility though,
    and the IDs used are not guest or user visible at all,
    so breaking the compatibility is probably not worth it.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 44bb3b9..d0b51b8 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2014,17 +2014,43 @@ static char *pcibus_get_fw_dev_path(DeviceState *dev)
 
 static char *pcibus_get_dev_path(DeviceState *dev)
 {
-    PCIDevice *d = (PCIDevice *)dev;
-    char path[16];
-
-    snprintf(path, sizeof(path), "%04x:%02x:%02x.%x",
-             pci_find_domain(d->bus),
-             0 /* TODO: need a persistent path for nested buses.
-                * Note: pci_bus_num(d->bus) is not right as it's guest
-                * assigned. */,
-             PCI_SLOT(d->devfn), PCI_FUNC(d->devfn));
-
-    return strdup(path);
+    PCIDevice *d = container_of(dev, PCIDevice, qdev);
+    PCIDevice *t;
+    int slot_depth;
+    /* Path format: Domain:00:Slot.Function:Slot.Function....:Slot.Function.
+     * 00 is added here to make this format compatible with
+     * domain:Bus:Slot.Func for systems without nested PCI bridges.
+     * Slot.Function list specifies the slot and function numbers for all
+     * devices on the path from root to the specific device. */
+    int domain_len = strlen("DDDD:00");
+    int slot_len = strlen(":SS.F");
+    int path_len;
+    char *path, *p;
+
+    /* Calculate # of slots on path between device and root. */;
+    slot_depth = 0;
+    for (t = d; t; t = t->bus->parent_dev) {
+        ++slot_depth;
+    }
+
+    path_len = domain_len + slot_len * slot_depth;
+
+    /* Allocate memory, fill in the terminating null byte. */
+    path = malloc(path_len + 1 /* For '\0' */);
+    path[path_len] = '\0';
+
+    /* First field is the domain. */
+    snprintf(path, domain_len, "%04x:00", pci_find_domain(d->bus));
+
+    /* Fill in slot numbers. We walk up from device to root, so need to print
+     * them in the reverse order, last to first. */
+    p = path + path_len;
+    for (t = d; t; t = t->bus->parent_dev) {
+        p -= slot_len;
+        snprintf(p, slot_len, ":%02x.%x", PCI_SLOT(t->devfn), PCI_FUNC(d->devfn));
+    }
+
+    return path;
 }
 
 static int pci_qdev_find_recursive(PCIBus *bus,
commit 4cdc1cd137e0b98766916a7cdf2d5a9b3c6632fa
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Sat Dec 25 22:56:32 2010 +0100

    target-mips: fix host CPU consumption when guest is idle
    
    When the CPU is in wait state, do not wake-up if an interrupt can't be
    taken. This avoid host CPU running at 100% if a device (e.g. timer) has
    an interrupt line left enabled.
    
    Also factorize code to check if interrupts are enabled in
    cpu_mips_hw_interrupts_pending().
    
    Based on a patch from Edgar E. Iglesias <edgar.iglesias at gmail.com>
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>
    Acked-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/cpu-exec.c b/cpu-exec.c
index 39e5eea..8c9fb8b 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -454,11 +454,7 @@ int cpu_exec(CPUState *env1)
                     }
 #elif defined(TARGET_MIPS)
                     if ((interrupt_request & CPU_INTERRUPT_HARD) &&
-                        cpu_mips_hw_interrupts_pending(env) &&
-                        (env->CP0_Status & (1 << CP0St_IE)) &&
-                        !(env->CP0_Status & (1 << CP0St_EXL)) &&
-                        !(env->CP0_Status & (1 << CP0St_ERL)) &&
-                        !(env->hflags & MIPS_HFLAG_DM)) {
+                        cpu_mips_hw_interrupts_pending(env)) {
                         /* Raise it */
                         env->exception_index = EXCP_EXT_INTERRUPT;
                         env->error_code = 0;
diff --git a/target-mips/cpu.h b/target-mips/cpu.h
index c1f211f..2419aa9 100644
--- a/target-mips/cpu.h
+++ b/target-mips/cpu.h
@@ -532,6 +532,14 @@ static inline int cpu_mips_hw_interrupts_pending(CPUState *env)
     int32_t status;
     int r;
 
+    if (!(env->CP0_Status & (1 << CP0St_IE)) ||
+        (env->CP0_Status & (1 << CP0St_EXL)) ||
+        (env->CP0_Status & (1 << CP0St_ERL)) ||
+        (env->hflags & MIPS_HFLAG_DM)) {
+        /* Interrupts are disabled */
+        return 0;
+    }
+
     pending = env->CP0_Cause & CP0Ca_IP_mask;
     status = env->CP0_Status & CP0Ca_IP_mask;
 
diff --git a/target-mips/exec.h b/target-mips/exec.h
index af61b54..1273654 100644
--- a/target-mips/exec.h
+++ b/target-mips/exec.h
@@ -19,10 +19,22 @@ register struct CPUMIPSState *env asm(AREG0);
 
 static inline int cpu_has_work(CPUState *env)
 {
-    return (env->interrupt_request &
-            (CPU_INTERRUPT_HARD | CPU_INTERRUPT_TIMER));
-}
+    int has_work = 0;
+
+    /* It is implementation dependent if non-enabled interrupts
+       wake-up the CPU, however most of the implementations only
+       check for interrupts that can be taken. */
+    if ((env->interrupt_request & CPU_INTERRUPT_HARD) &&
+        cpu_mips_hw_interrupts_pending(env)) {
+        has_work = 1;
+    }
 
+    if (env->interrupt_request & CPU_INTERRUPT_TIMER) {
+        has_work = 1;
+    }
+
+    return has_work;
+}
 
 static inline int cpu_halted(CPUState *env)
 {
commit 6c33286ad3a432627d763ee93aa42200cbb68269
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Nov 17 13:01:04 2010 +0100

    s390: compile fixes
    
    The s390 target doesn't compile out of the box anymore. This patch fixes all
    the obvious glitches that got introduced in the last few weeks.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/s390-virtio-bus.h b/hw/s390-virtio-bus.h
index 41558c9..669b610 100644
--- a/hw/s390-virtio-bus.h
+++ b/hw/s390-virtio-bus.h
@@ -17,6 +17,8 @@
  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
  */
 
+#include "virtio-net.h"
+
 #define VIRTIO_DEV_OFFS_TYPE		0	/* 8 bits */
 #define VIRTIO_DEV_OFFS_NUM_VQ		1	/* 8 bits */
 #define VIRTIO_DEV_OFFS_FEATURE_LEN	2	/* 8 bits */
diff --git a/hw/s390-virtio.c b/hw/s390-virtio.c
index e7aec14..f29b624 100644
--- a/hw/s390-virtio.c
+++ b/hw/s390-virtio.c
@@ -19,6 +19,7 @@
 
 #include "hw.h"
 #include "block.h"
+#include "blockdev.h"
 #include "sysemu.h"
 #include "net.h"
 #include "boards.h"
diff --git a/target-s390x/kvm.c b/target-s390x/kvm.c
index 9bf6abb..adf4a9e 100644
--- a/target-s390x/kvm.c
+++ b/target-s390x/kvm.c
@@ -119,7 +119,7 @@ int kvm_arch_put_registers(CPUState *env, int level)
 
 int kvm_arch_get_registers(CPUState *env)
 {
-    uint32_t ret;
+    int ret;
     struct kvm_regs regs;
     int i;
 
diff --git a/target-s390x/translate.c b/target-s390x/translate.c
index 881d8c4..d33bfb1 100644
--- a/target-s390x/translate.c
+++ b/target-s390x/translate.c
@@ -36,7 +36,7 @@ void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
         }
     }
     for (i = 0; i < 16; i++) {
-        cpu_fprintf(f, "F%02d=%016lx", i, env->fregs[i]);
+        cpu_fprintf(f, "F%02d=%016lx", i, (long)env->fregs[i].i);
         if ((i % 4) == 3) {
             cpu_fprintf(f, "\n");
         } else {
commit 2ae63bda50ec864a3e61d375b53c8e453ad50140
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Dec 24 12:14:14 2010 +0900

    pcie/aer: glue aer error injection into qemu monitor
    
    introduce pcie_aer_inject_error command.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hmp-commands.hx b/hmp-commands.hx
index dd3db36..8d84ddc 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -873,6 +873,31 @@ Hot remove PCI device.
 ETEXI
 
     {
+        .name       = "pcie_aer_inject_error",
+        .args_type  = "advisory_non_fatal:-a,correctable:-c,"
+	              "id:s,error_status:s,"
+	              "header0:i?,header1:i?,header2:i?,header3:i?,"
+	              "prefix0:i?,prefix1:i?,prefix2:i?,prefix3:i?",
+        .params     = "[-a] [-c] id "
+                      "<error_status> [<tlp header> [<tlp header prefix>]]",
+        .help       = "inject pcie aer error\n\t\t\t"
+	              " -a for advisory non fatal error\n\t\t\t"
+	              " -c for correctable error\n\t\t\t"
+                      "<id> = qdev device id\n\t\t\t"
+                      "<error_status> = error string or 32bit\n\t\t\t"
+                      "<tlb header> = 32bit x 4\n\t\t\t"
+                      "<tlb header prefix> = 32bit x 4",
+        .user_print  = pcie_aer_inject_error_print,
+        .mhandler.cmd_new = do_pcie_aer_inejct_error,
+    },
+
+STEXI
+ at item pcie_aer_inject_error
+ at findex pcie_aer_inject_error
+Inject PCIe AER error
+ETEXI
+
+    {
         .name       = "host_net_add",
         .args_type  = "device:s,opts:s?",
         .params     = "tap|user|socket|vde|dump [options]",
diff --git a/hw/pci-stub.c b/hw/pci-stub.c
index 674591d..c5a0aa8 100644
--- a/hw/pci-stub.c
+++ b/hw/pci-stub.c
@@ -18,6 +18,7 @@
  * with this program; if not, see <http://www.gnu.org/licenses/>.
  */
 
+#include "sysemu.h"
 #include "monitor.h"
 #include "pci.h"
 
@@ -35,3 +36,15 @@ void do_pci_info_print(Monitor *mon, const QObject *data)
 {
     pci_error_message(mon);
 }
+
+int do_pcie_aer_inejct_error(Monitor *mon,
+                             const QDict *qdict, QObject **ret_data)
+{
+    pci_error_message(mon);
+    return -ENOSYS;
+}
+
+void pcie_aer_inject_error_print(Monitor *mon, const QObject *data)
+{
+    pci_error_message(mon);
+}
diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index cb97a95..6e653dd 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -19,6 +19,8 @@
  */
 
 #include "sysemu.h"
+#include "qemu-objects.h"
+#include "monitor.h"
 #include "pci_bridge.h"
 #include "pcie.h"
 #include "msix.h"
@@ -806,3 +808,224 @@ const VMStateDescription vmstate_pcie_aer_log = {
         VMSTATE_END_OF_LIST()
     }
 };
+
+void pcie_aer_inject_error_print(Monitor *mon, const QObject *data)
+{
+    QDict *qdict;
+    int devfn;
+    assert(qobject_type(data) == QTYPE_QDICT);
+    qdict = qobject_to_qdict(data);
+
+    devfn = (int)qdict_get_int(qdict, "devfn");
+    monitor_printf(mon, "OK id: %s domain: %x, bus: %x devfn: %x.%x\n",
+                   qdict_get_str(qdict, "id"),
+                   (int) qdict_get_int(qdict, "domain"),
+                   (int) qdict_get_int(qdict, "bus"),
+                   PCI_SLOT(devfn), PCI_FUNC(devfn));
+}
+
+typedef struct PCIEAERErrorName {
+    const char *name;
+    uint32_t val;
+    bool correctable;
+} PCIEAERErrorName;
+
+/*
+ * AER error name -> value convertion table
+ * This naming scheme is same to linux aer-injection tool.
+ */
+static const struct PCIEAERErrorName pcie_aer_error_list[] = {
+    {
+        .name = "TRAIN",
+        .val = PCI_ERR_UNC_TRAIN,
+        .correctable = false,
+    }, {
+        .name = "DLP",
+        .val = PCI_ERR_UNC_DLP,
+        .correctable = false,
+    }, {
+        .name = "SDN",
+        .val = PCI_ERR_UNC_SDN,
+        .correctable = false,
+    }, {
+        .name = "POISON_TLP",
+        .val = PCI_ERR_UNC_POISON_TLP,
+        .correctable = false,
+    }, {
+        .name = "FCP",
+        .val = PCI_ERR_UNC_FCP,
+        .correctable = false,
+    }, {
+        .name = "COMP_TIME",
+        .val = PCI_ERR_UNC_COMP_TIME,
+        .correctable = false,
+    }, {
+        .name = "COMP_ABORT",
+        .val = PCI_ERR_UNC_COMP_ABORT,
+        .correctable = false,
+    }, {
+        .name = "UNX_COMP",
+        .val = PCI_ERR_UNC_UNX_COMP,
+        .correctable = false,
+    }, {
+        .name = "RX_OVER",
+        .val = PCI_ERR_UNC_RX_OVER,
+        .correctable = false,
+    }, {
+        .name = "MALF_TLP",
+        .val = PCI_ERR_UNC_MALF_TLP,
+        .correctable = false,
+    }, {
+        .name = "ECRC",
+        .val = PCI_ERR_UNC_ECRC,
+        .correctable = false,
+    }, {
+        .name = "UNSUP",
+        .val = PCI_ERR_UNC_UNSUP,
+        .correctable = false,
+    }, {
+        .name = "ACSV",
+        .val = PCI_ERR_UNC_ACSV,
+        .correctable = false,
+    }, {
+        .name = "INTN",
+        .val = PCI_ERR_UNC_INTN,
+        .correctable = false,
+    }, {
+        .name = "MCBTLP",
+        .val = PCI_ERR_UNC_MCBTLP,
+        .correctable = false,
+    }, {
+        .name = "ATOP_EBLOCKED",
+        .val = PCI_ERR_UNC_ATOP_EBLOCKED,
+        .correctable = false,
+    }, {
+        .name = "TLP_PRF_BLOCKED",
+        .val = PCI_ERR_UNC_TLP_PRF_BLOCKED,
+        .correctable = false,
+    }, {
+        .name = "RCVR",
+        .val = PCI_ERR_COR_RCVR,
+        .correctable = true,
+    }, {
+        .name = "BAD_TLP",
+        .val = PCI_ERR_COR_BAD_TLP,
+        .correctable = true,
+    }, {
+        .name = "BAD_DLLP",
+        .val = PCI_ERR_COR_BAD_DLLP,
+        .correctable = true,
+    }, {
+        .name = "REP_ROLL",
+        .val = PCI_ERR_COR_REP_ROLL,
+        .correctable = true,
+    }, {
+        .name = "REP_TIMER",
+        .val = PCI_ERR_COR_REP_TIMER,
+        .correctable = true,
+    }, {
+        .name = "ADV_NONFATAL",
+        .val = PCI_ERR_COR_ADV_NONFATAL,
+        .correctable = true,
+    }, {
+        .name = "INTERNAL",
+        .val = PCI_ERR_COR_INTERNAL,
+        .correctable = true,
+    }, {
+        .name = "HL_OVERFLOW",
+        .val = PCI_ERR_COR_HL_OVERFLOW,
+        .correctable = true,
+    },
+};
+
+static int pcie_aer_parse_error_string(const char *error_name,
+                                       uint32_t *status, bool *correctable)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(pcie_aer_error_list); i++) {
+        const  PCIEAERErrorName *e = &pcie_aer_error_list[i];
+        if (strcmp(error_name, e->name)) {
+            continue;
+        }
+
+        *status = e->val;
+        *correctable = e->correctable;
+        return 0;
+    }
+    return -EINVAL;
+}
+
+int do_pcie_aer_inejct_error(Monitor *mon,
+                             const QDict *qdict, QObject **ret_data)
+{
+    const char *id = qdict_get_str(qdict, "id");
+    const char *error_name;
+    uint32_t error_status;
+    bool correctable;
+    PCIDevice *dev;
+    PCIEAERErr err;
+    int ret;
+
+    ret = pci_qdev_find_device(id, &dev);
+    if (ret < 0) {
+        monitor_printf(mon,
+                       "id or pci device path is invalid or device not "
+                       "found. %s\n", id);
+        return ret;
+    }
+    if (!pci_is_express(dev)) {
+        monitor_printf(mon, "the device doesn't support pci express. %s\n",
+                       id);
+        return -ENOSYS;
+    }
+
+    error_name = qdict_get_str(qdict, "error_status");
+    if (pcie_aer_parse_error_string(error_name, &error_status, &correctable)) {
+        char *e = NULL;
+        error_status = strtoul(error_name, &e, 0);
+        correctable = !!qdict_get_int(qdict, "correctable");
+        if (!e || *e != '\0') {
+            monitor_printf(mon, "invalid error status value. \"%s\"",
+                           error_name);
+            return -EINVAL;
+        }
+    }
+    err.source_id = (pci_bus_num(dev->bus) << 8) | dev->devfn;
+
+    err.flags = 0;
+    if (correctable) {
+        err.flags |= PCIE_AER_ERR_IS_CORRECTABLE;
+    }
+    if (qdict_get_int(qdict, "advisory_non_fatal")) {
+        err.flags |= PCIE_AER_ERR_MAYBE_ADVISORY;
+    }
+    if (qdict_haskey(qdict, "header0")) {
+        err.flags |= PCIE_AER_ERR_HEADER_VALID;
+    }
+    if (qdict_haskey(qdict, "prefix0")) {
+        err.flags |= PCIE_AER_ERR_TLP_PREFIX_PRESENT;
+    }
+
+    err.header[0] = qdict_get_try_int(qdict, "header0", 0);
+    err.header[1] = qdict_get_try_int(qdict, "header1", 0);
+    err.header[2] = qdict_get_try_int(qdict, "header2", 0);
+    err.header[3] = qdict_get_try_int(qdict, "header3", 0);
+
+    err.prefix[0] = qdict_get_try_int(qdict, "prefix0", 0);
+    err.prefix[1] = qdict_get_try_int(qdict, "prefix1", 0);
+    err.prefix[2] = qdict_get_try_int(qdict, "prefix2", 0);
+    err.prefix[3] = qdict_get_try_int(qdict, "prefix3", 0);
+
+    ret = pcie_aer_inject_error(dev, &err);
+    *ret_data = qobject_from_jsonf("{'id': %s, "
+                                   "'domain': %d, 'bus': %d, 'devfn': %d, "
+                                   "'ret': %d}",
+                                   id,
+                                   pci_find_domain(dev->bus),
+                                   pci_bus_num(dev->bus), dev->devfn,
+                                   ret);
+    assert(*ret_data);
+
+    return 0;
+}
diff --git a/sysemu.h b/sysemu.h
index 38a20a3..4182aac 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -157,6 +157,11 @@ void pci_device_hot_add(Monitor *mon, const QDict *qdict);
 void drive_hot_add(Monitor *mon, const QDict *qdict);
 void do_pci_device_hot_remove(Monitor *mon, const QDict *qdict);
 
+/* pcie aer error injection */
+void pcie_aer_inject_error_print(Monitor *mon, const QObject *data);
+int do_pcie_aer_inejct_error(Monitor *mon,
+                             const QDict *qdict, QObject **ret_data);
+
 /* serial ports */
 
 #define MAX_SERIAL_PORTS 4
commit f3006dd1e60af3765c501a082d621f947d6e5974
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Dec 24 12:14:13 2010 +0900

    pci: introduce a helper function to convert qdev id to PCIDevice
    
    This patch introduce a helper function to get PCIDevice from qdev id.
    This function will be used later.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index eb21848..44bb3b9 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2027,3 +2027,38 @@ static char *pcibus_get_dev_path(DeviceState *dev)
     return strdup(path);
 }
 
+static int pci_qdev_find_recursive(PCIBus *bus,
+                                   const char *id, PCIDevice **pdev)
+{
+    DeviceState *qdev = qdev_find_recursive(&bus->qbus, id);
+    if (!qdev) {
+        return -ENODEV;
+    }
+
+    /* roughly check if given qdev is pci device */
+    if (qdev->info->init == &pci_qdev_init &&
+        qdev->parent_bus->info == &pci_bus_info) {
+        *pdev = DO_UPCAST(PCIDevice, qdev, qdev);
+        return 0;
+    }
+    return -EINVAL;
+}
+
+int pci_qdev_find_device(const char *id, PCIDevice **pdev)
+{
+    struct PCIHostBus *host;
+    int rc = -ENODEV;
+
+    QLIST_FOREACH(host, &host_buses, next) {
+        int tmp = pci_qdev_find_recursive(host->bus, id, pdev);
+        if (!tmp) {
+            rc = 0;
+            break;
+        }
+        if (tmp != -ENODEV) {
+            rc = tmp;
+        }
+    }
+
+    return rc;
+}
diff --git a/hw/pci.h b/hw/pci.h
index 6e80b08..052960e 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -252,6 +252,7 @@ PCIBus *pci_find_root_bus(int domain);
 int pci_find_domain(const PCIBus *bus);
 PCIBus *pci_find_bus(PCIBus *bus, int bus_num);
 PCIDevice *pci_find_device(PCIBus *bus, int bus_num, int slot, int function);
+int pci_qdev_find_device(const char *id, PCIDevice **pdev);
 PCIBus *pci_get_bus_devfn(int *devfnp, const char *devaddr);
 
 int pci_parse_devaddr(const char *addr, int *domp, int *busp,
commit a2ee6b4fcb3e2f2f5d60211ce0f734c61f8e0e30
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Dec 24 12:14:12 2010 +0900

    qdev: export qdev_find_recursive() for later use
    
    This patch exports qdev_find_recursive() for later use.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 4747c67..31eb464 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -548,7 +548,7 @@ static BusState *qbus_find_recursive(BusState *bus, const char *name,
     return NULL;
 }
 
-static DeviceState *qdev_find_recursive(BusState *bus, const char *id)
+DeviceState *qdev_find_recursive(BusState *bus, const char *id)
 {
     DeviceState *dev, *ret;
     BusState *child;
diff --git a/hw/qdev.h b/hw/qdev.h
index 5f5a319..2be775f 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -183,6 +183,8 @@ BusState *qdev_get_parent_bus(DeviceState *dev);
 
 /*** BUS API. ***/
 
+DeviceState *qdev_find_recursive(BusState *bus, const char *id);
+
 /* Returns 0 to walk children, > 0 to skip walk, < 0 to terminate walk. */
 typedef int (qbus_walkerfn)(BusState *bus, void *opaque);
 typedef int (qdev_walkerfn)(DeviceState *dev, void *opaque);
commit b3a29fd5604841dac8bfee1bac35f150cab976fb
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Dec 22 19:54:48 2010 +0900

    build, pci: remove QMP dependency on core PCI code
    
    by introducing pci-stub.c, eliminate QMP dependency on core PCI code
    rquired by query-pci command.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index d6b3d60..c3e52c5 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -169,9 +169,7 @@ hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o
-# FIXME: Core PCI code and its direct dependencies are required by the
-# QMP query-pci command.
-hw-obj-y += pci.o pci_bridge.o
+hw-obj-$(CONFIG_PCI) += pci.o pci_bridge.o
 hw-obj-$(CONFIG_PCI) += msix.o msi.o
 hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
 hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
diff --git a/Makefile.target b/Makefile.target
index d08f5dd..38582d4 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -1,6 +1,7 @@
 # -*- Mode: makefile -*-
 
 GENERATED_HEADERS = config-target.h
+CONFIG_NO_PCI = $(if $(subst n,,$(CONFIG_PCI)),n,y)
 CONFIG_NO_KVM = $(if $(subst n,,$(CONFIG_KVM)),n,y)
 
 include ../config-host.mak
@@ -188,6 +189,7 @@ ifdef CONFIG_SOFTMMU
 obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o balloon.o
 # virtio has to be here due to weird dependency between PCI and virtio-net.
 # need to fix this properly
+obj-$(CONFIG_NO_PCI) += pci-stub.o
 obj-$(CONFIG_VIRTIO) += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
 obj-$(CONFIG_VIRTIO_PCI) += virtio-pci.o
 obj-y += vhost_net.o
diff --git a/hw/pci-stub.c b/hw/pci-stub.c
new file mode 100644
index 0000000..674591d
--- /dev/null
+++ b/hw/pci-stub.c
@@ -0,0 +1,37 @@
+/*
+ * PCI stubs for plathome that doesn't support pci bus.
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "monitor.h"
+#include "pci.h"
+
+static void pci_error_message(Monitor *mon)
+{
+    monitor_printf(mon, "PCI devices not supported\n");
+}
+
+void do_pci_info(Monitor *mon, QObject **ret_data)
+{
+    pci_error_message(mon);
+}
+
+void do_pci_info_print(Monitor *mon, const QObject *data)
+{
+    pci_error_message(mon);
+}
commit 9ed5726c043958359b0f1fa44ab3e4f25f9d9a47
Author: Nathan Froyd <froydnj at codesourcery.com>
Date:   Fri Oct 29 07:48:46 2010 -0700

    target-mips: fix translation of MT instructions
    
    The translation of dmt/emt/dvpe/evpe was doing the moral equivalent of:
    
      int x;
      ...		/* no initialization of x */
      x = f (x);
    
    which confused later bits of TCG rather badly, leading to crashes.
    
    Fix the helpers to only return results (those instructions have no
    inputs), and fix the translation code accordingly.
    
    Signed-off-by: Nathan Froyd <froydnj at codesourcery.com>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/target-mips/helper.h b/target-mips/helper.h
index cb13fb2..297ab64 100644
--- a/target-mips/helper.h
+++ b/target-mips/helper.h
@@ -154,10 +154,10 @@ DEF_HELPER_2(mttlo, void, tl, i32)
 DEF_HELPER_2(mtthi, void, tl, i32)
 DEF_HELPER_2(mttacx, void, tl, i32)
 DEF_HELPER_1(mttdsp, void, tl)
-DEF_HELPER_1(dmt, tl, tl)
-DEF_HELPER_1(emt, tl, tl)
-DEF_HELPER_1(dvpe, tl, tl)
-DEF_HELPER_1(evpe, tl, tl)
+DEF_HELPER_0(dmt, tl)
+DEF_HELPER_0(emt, tl)
+DEF_HELPER_0(dvpe, tl)
+DEF_HELPER_0(evpe, tl)
 #endif /* !CONFIG_USER_ONLY */
 
 /* microMIPS functions */
diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index 41abd57..ec6864d 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -1554,40 +1554,28 @@ void helper_mttdsp(target_ulong arg1)
 }
 
 /* MIPS MT functions */
-target_ulong helper_dmt(target_ulong arg1)
+target_ulong helper_dmt(void)
 {
     // TODO
-    arg1 = 0;
-    // rt = arg1
-
-    return arg1;
+     return 0;
 }
 
-target_ulong helper_emt(target_ulong arg1)
+target_ulong helper_emt(void)
 {
     // TODO
-    arg1 = 0;
-    // rt = arg1
-
-    return arg1;
+    return 0;
 }
 
-target_ulong helper_dvpe(target_ulong arg1)
+target_ulong helper_dvpe(void)
 {
     // TODO
-    arg1 = 0;
-    // rt = arg1
-
-    return arg1;
+    return 0;
 }
 
-target_ulong helper_evpe(target_ulong arg1)
+target_ulong helper_evpe(void)
 {
     // TODO
-    arg1 = 0;
-    // rt = arg1
-
-    return arg1;
+    return 0;
 }
 #endif /* !CONFIG_USER_ONLY */
 
diff --git a/target-mips/translate.c b/target-mips/translate.c
index ba45eb0..cce77be 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -12033,22 +12033,22 @@ static void decode_opc (CPUState *env, DisasContext *ctx, int *is_branch)
                 switch (op2) {
                 case OPC_DMT:
                     check_insn(env, ctx, ASE_MT);
-                    gen_helper_dmt(t0, t0);
+                    gen_helper_dmt(t0);
                     gen_store_gpr(t0, rt);
                     break;
                 case OPC_EMT:
                     check_insn(env, ctx, ASE_MT);
-                    gen_helper_emt(t0, t0);
+                    gen_helper_emt(t0);
                     gen_store_gpr(t0, rt);
                     break;
                 case OPC_DVPE:
                     check_insn(env, ctx, ASE_MT);
-                    gen_helper_dvpe(t0, t0);
+                    gen_helper_dvpe(t0);
                     gen_store_gpr(t0, rt);
                     break;
                 case OPC_EVPE:
                     check_insn(env, ctx, ASE_MT);
-                    gen_helper_evpe(t0, t0);
+                    gen_helper_evpe(t0);
                     gen_store_gpr(t0, rt);
                     break;
                 case OPC_DI:
commit 0ead87c8debaf12bf4e8cf5130e4e7fb83dbf126
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Dec 22 15:14:35 2010 +0900

    pcie: add flr support
    
    Support flr: trigger device reset on flr config write.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 0cb4117..eb21848 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -137,7 +137,11 @@ static void pci_update_irq_status(PCIDevice *dev)
     }
 }
 
-static void pci_device_reset(PCIDevice *dev)
+/*
+ * This function is called on #RST and FLR.
+ * FLR if PCI_EXP_DEVCTL_BCR_FLR is set
+ */
+void pci_device_reset(PCIDevice *dev)
 {
     int r;
     /* TODO: call the below unconditionally once all pci devices
diff --git a/hw/pci.h b/hw/pci.h
index 17744dc..6e80b08 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -237,6 +237,7 @@ void pci_bus_hotplug(PCIBus *bus, pci_hotplug_fn hotplug, DeviceState *dev);
 PCIBus *pci_register_bus(DeviceState *parent, const char *name,
                          pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
                          void *irq_opaque, int devfn_min, int nirq);
+void pci_device_reset(PCIDevice *dev);
 void pci_bus_reset(PCIBus *bus);
 
 void pci_bus_set_mem_base(PCIBus *bus, target_phys_addr_t base);
diff --git a/hw/pcie.c b/hw/pcie.c
index d1f0086..6a113a9 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -380,10 +380,6 @@ void pcie_cap_root_reset(PCIDevice *dev)
     pci_set_word(dev->config + dev->exp.exp_cap + PCI_EXP_RTCTL, 0);
 }
 
-/*
- * TODO: implement FLR:
- * Right now sets the bit which indicates FLR is supported.
- */
 /* function level reset(FLR) */
 void pcie_cap_flr_init(PCIDevice *dev)
 {
@@ -403,8 +399,11 @@ void pcie_cap_flr_write_config(PCIDevice *dev,
                                uint32_t addr, uint32_t val, int len)
 {
     uint8_t *devctl = dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL;
-    if (pci_word_test_and_clear_mask(devctl, PCI_EXP_DEVCTL_BCR_FLR)) {
-        /* TODO: implement FLR */
+    if (pci_get_word(devctl) & PCI_EXP_DEVCTL_BCR_FLR) {
+        /* Clear PCI_EXP_DEVCTL_BCR_FLR after invoking the reset handler
+           so the handler can detect FLR by looking at this bit. */
+        pci_device_reset(dev);
+        pci_word_test_and_clear_mask(devctl, PCI_EXP_DEVCTL_BCR_FLR);
     }
 }
 
diff --git a/hw/pcie.h b/hw/pcie.h
index 7baa813..bc909e2 100644
--- a/hw/pcie.h
+++ b/hw/pcie.h
@@ -63,8 +63,6 @@ struct PCIExpressDevice {
     /* Offset of express capability in config space */
     uint8_t exp_cap;
 
-    /* TODO FLR */
-
     /* SLOT */
     unsigned int hpev_intx;     /* INTx for hot plug event (0-3:INT[A-D]#)
                                  * default is 0 = INTA#
diff --git a/hw/xio3130_downstream.c b/hw/xio3130_downstream.c
index 1a2d258..5aa6a6b 100644
--- a/hw/xio3130_downstream.c
+++ b/hw/xio3130_downstream.c
@@ -89,7 +89,7 @@ static int xio3130_downstream_initfn(PCIDevice *d)
     if (rc < 0) {
         goto err_msi;
     }
-    pcie_cap_flr_init(d);       /* TODO: implement FLR */
+    pcie_cap_flr_init(d);
     pcie_cap_deverr_init(d);
     pcie_cap_slot_init(d, s->slot);
     pcie_chassis_create(s->chassis);
diff --git a/hw/xio3130_upstream.c b/hw/xio3130_upstream.c
index 387bf6c..a7640f5 100644
--- a/hw/xio3130_upstream.c
+++ b/hw/xio3130_upstream.c
@@ -85,10 +85,7 @@ static int xio3130_upstream_initfn(PCIDevice *d)
     if (rc < 0) {
         goto err_msi;
     }
-
-    /* TODO: implement FLR */
     pcie_cap_flr_init(d);
-
     pcie_cap_deverr_init(d);
     rc = pcie_aer_init(d, XIO3130_AER_OFFSET);
     if (rc < 0) {
commit 362dd48c16728a656c1ef75f8160838127fd76d5
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Dec 22 15:13:43 2010 +0900

    pc/piix: fix mismerge of b1aeb92666d2fde413c34578b3b42bbfe5f2a506
    
    The change set of b1aeb92666d2fde413c34578b3b42bbfe5f2a506 in pci branch
    was mismerged. The compatibility should be kept for 0.13, not for 0.14.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index a2fb554..f82508d 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -217,14 +217,6 @@ static QEMUMachine pc_machine = {
     .desc = "Standard PC",
     .init = pc_init_pci,
     .max_cpus = 255,
-    .compat_props = (GlobalProperty[]) {
-        {
-            .driver   = "PCI",
-            .property = "command_serr_enable",
-            .value    = "off",
-        },
-        { /* end of list */ }
-    },
     .is_default = 1,
 };
 
@@ -246,6 +238,10 @@ static QEMUMachine pc_machine_v0_13 = {
             .driver   = "vmware-svga",
             .property = "rombar",
             .value    = stringify(0),
+        },{
+            .driver   = "PCI",
+            .property = "command_serr_enable",
+            .value    = "off",
         },
         { /* end of list */ }
     },
commit cbb608a5c8ff918188545edb28127f63db76bd1e
Author: Brad <brad at comstyle.com>
Date:   Mon Dec 20 21:25:40 2010 -0500

    Use mmap() within code_gen_alloc() for OpenBSD.
    
    Signed-off-by: Brad Smith <brad at comstyle.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/exec.c b/exec.c
index a338495..49c28b1 100644
--- a/exec.c
+++ b/exec.c
@@ -517,7 +517,8 @@ static void code_gen_alloc(unsigned long tb_size)
             exit(1);
         }
     }
-#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
+#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) \
+    || defined(__DragonFly__) || defined(__OpenBSD__)
     {
         int flags;
         void *addr = NULL;
commit 7ae63a517fb50fe32b8ce88bfc18a1a1ed056189
Author: Brad <brad at comstyle.com>
Date:   Mon Dec 20 21:24:32 2010 -0500

    Add OpenBSD to ifdef list since it has CLOCK_MONOTONIC.
    
    Signed-off-by: Brad Smith <brad at comstyle.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-timer-common.c b/qemu-timer-common.c
index fff4399..755e300 100644
--- a/qemu-timer-common.c
+++ b/qemu-timer-common.c
@@ -50,7 +50,8 @@ static void __attribute__((constructor)) init_get_clock(void)
 {
     use_rt_clock = 0;
 #if defined(__linux__) || (defined(__FreeBSD__) && __FreeBSD_version >= 500000) \
-    || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+    || defined(__DragonFly__) || defined(__FreeBSD_kernel__) \
+    || defined(__OpenBSD__)
     {
         struct timespec ts;
         if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) {
commit 5f668643dc6ef3e59d5bc9b86fdf6778c59c98f2
Author: Brad <brad at comstyle.com>
Date:   Mon Dec 20 21:23:15 2010 -0500

    Add support for OpenBSD to QEMU's tap driver.
    
    Signed-off-by: Brad Smith <brad at comstyle.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/net/tap-bsd.c b/net/tap-bsd.c
index efccfe0..2f3efde 100644
--- a/net/tap-bsd.c
+++ b/net/tap-bsd.c
@@ -43,8 +43,8 @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr, int vnet_hdr_required
     char *dev;
     struct stat s;
 
-#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
-    /* if no ifname is given, always start the search from tap0. */
+#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__OpenBSD__)
+    /* if no ifname is given, always start the search from tap0/tun0. */
     int i;
     char dname[100];
 
@@ -52,7 +52,11 @@ int tap_open(char *ifname, int ifname_size, int *vnet_hdr, int vnet_hdr_required
         if (*ifname) {
             snprintf(dname, sizeof dname, "/dev/%s", ifname);
         } else {
+#if defined(__OpenBSD__)
+            snprintf(dname, sizeof dname, "/dev/tun%d", i);
+#else
             snprintf(dname, sizeof dname, "/dev/tap%d", i);
+#endif
         }
         TFR(fd = open(dname, O_RDWR));
         if (fd >= 0) {
commit 4a1e19ae05a3f03fdd0896e8f26efe94b2ff60a2
Author: Aurelien Jarno <aurelien at aurel32.net>
Date:   Tue Dec 21 19:32:49 2010 +0100

    tcg-arm: fix __clear_cache() warning
    
    Use __builtin___clear_cache() instead of __clear_cache() to avoid having
    to define the function as extern. Fix the following warning:
    
    | In file included from qemu/cpus.c:34:
    | qemu/exec-all.h: In function 'tb_set_jmp_target1':
    | qemu/exec-all.h:208: error: nested extern declaration of '__clear_cache'
    | make[1]: *** [cpus.o] Error 1
    | make: *** [subdir-i386-softmmu] Error 2
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/exec-all.h b/exec-all.h
index c457058..6821b17 100644
--- a/exec-all.h
+++ b/exec-all.h
@@ -204,9 +204,7 @@ static inline void tb_set_jmp_target1(unsigned long jmp_addr, unsigned long addr
 #elif defined(__arm__)
 static inline void tb_set_jmp_target1(unsigned long jmp_addr, unsigned long addr)
 {
-#if QEMU_GNUC_PREREQ(4, 1)
-    void __clear_cache(char *beg, char *end);
-#else
+#if !QEMU_GNUC_PREREQ(4, 1)
     register unsigned long _beg __asm ("a1");
     register unsigned long _end __asm ("a2");
     register unsigned long _flg __asm ("a3");
@@ -218,7 +216,7 @@ static inline void tb_set_jmp_target1(unsigned long jmp_addr, unsigned long addr
         | (((addr - (jmp_addr + 8)) >> 2) & 0xffffff);
 
 #if QEMU_GNUC_PREREQ(4, 1)
-    __clear_cache((char *) jmp_addr, (char *) jmp_addr + 4);
+    __builtin___clear_cache((char *) jmp_addr, (char *) jmp_addr + 4);
 #else
     /* flush icache */
     _beg = jmp_addr;
commit fcd61af6631fb98c4c12e865572d4d81d73728d0
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Dec 16 19:33:22 2010 +0100

    qdev: sysbus_get_default must not return a NULL pointer (fix regression)
    
    Every system should have some sort of main system bus,
    so sysbus_get_default should always return a valid bus.
    
    Without this patch, at least mipssim and malta no longer
    start but raise a null pointer access exception (caused by
    commit ec990eb622ad46df5ddcb1e94c418c271894d416).
    
    Cc: Anthony Liguori <anthony at codemonkey.ws>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/hw/qdev.c b/hw/qdev.c
index 10e28df..6fc9b02 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -107,10 +107,7 @@ DeviceState *qdev_create(BusState *bus, const char *name)
     DeviceInfo *info;
 
     if (!bus) {
-        if (!main_system_bus) {
-            main_system_bus = qbus_create(&system_bus_info, NULL, "main-system-bus");
-        }
-        bus = main_system_bus;
+        bus = sysbus_get_default();
     }
 
     info = qdev_find_info(bus->info, name);
@@ -311,6 +308,10 @@ static int qdev_reset_one(DeviceState *dev, void *opaque)
 
 BusState *sysbus_get_default(void)
 {
+    if (!main_system_bus) {
+        main_system_bus = qbus_create(&system_bus_info, NULL,
+                                      "main-system-bus");
+    }
     return main_system_bus;
 }
 
commit f530cce3152b55a535e9e87610110fefa4e9c853
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Dec 20 15:17:10 2010 +0200

    qdev: remove an unused function
    
    qbus_reset_all is unused, remove it
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index d93a6c4..4747c67 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -328,15 +328,10 @@ void qdev_reset_all(DeviceState *dev)
     qdev_walk_children(dev, qdev_reset_one, qbus_reset_one, NULL);
 }
 
-void qbus_reset_all(BusState *bus)
-{
-    qbus_walk_children(bus, qdev_reset_one, qbus_reset_one, NULL);
-}
-
 void qbus_reset_all_fn(void *opaque)
 {
     BusState *bus = opaque;
-    qbus_reset_all(bus);
+    qbus_walk_children(bus, qdev_reset_one, qbus_reset_one, NULL);
 }
 
 /* can be used as ->unplug() callback for the simple cases */
diff --git a/hw/qdev.h b/hw/qdev.h
index b239bb4..5f5a319 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -198,7 +198,6 @@ int qbus_walk_children(BusState *bus, qdev_walkerfn *devfn,
 int qdev_walk_children(DeviceState *dev, qdev_walkerfn *devfn,
                        qbus_walkerfn *busfn, void *opaque);
 void qdev_reset_all(DeviceState *dev);
-void qbus_reset_all(BusState *bus);
 void qbus_reset_all_fn(void *opaque);
 
 void qbus_free(BusState *bus);
commit e0087e618552c7bc77485561ed96ec2a4f01404a
Author: Bob Breuer <breuerr at mc.net>
Date:   Mon Dec 20 11:55:33 2010 -0600

    sparc32: ledma extra registers need tracing too
    
    Also trace the extra registers, and update the comments with new
    info from Artyom Tarasenko.
    
    Signed-off-by: Bob Breuer <breuerr at mc.net>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/sparc32_dma.c b/hw/sparc32_dma.c
index 56be8c8..e75694b 100644
--- a/hw/sparc32_dma.c
+++ b/hw/sparc32_dma.c
@@ -44,7 +44,7 @@
 /* We need the mask, because one instance of the device is not page
    aligned (ledma, start address 0x0010) */
 #define DMA_MASK (DMA_SIZE - 1)
-/* ledma has more than 4 registers, Solaris reads the 5th one */
+/* OBP says 0x20 bytes for ledma, the extras are aliased to espdma */
 #define DMA_ETH_SIZE (8 * sizeof(uint32_t))
 #define DMA_MAX_REG_OFFSET (2 * DMA_SIZE - 1)
 
@@ -170,7 +170,10 @@ static uint32_t dma_mem_readl(void *opaque, target_phys_addr_t addr)
     uint32_t saddr;
 
     if (s->is_ledma && (addr > DMA_MAX_REG_OFFSET)) {
-        return 0; /* extra mystery register(s) */
+        /* aliased to espdma, but we can't get there from here */
+        /* buggy driver if using undocumented behavior, just return 0 */
+        trace_sparc32_dma_mem_readl(addr, 0);
+        return 0;
     }
     saddr = (addr & DMA_MASK) >> 2;
     trace_sparc32_dma_mem_readl(addr, s->dmaregs[saddr]);
@@ -183,7 +186,9 @@ static void dma_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
     uint32_t saddr;
 
     if (s->is_ledma && (addr > DMA_MAX_REG_OFFSET)) {
-        return; /* extra mystery register(s) */
+        /* aliased to espdma, but we can't get there from here */
+        trace_sparc32_dma_mem_writel(addr, 0, val);
+        return;
     }
     saddr = (addr & DMA_MASK) >> 2;
     trace_sparc32_dma_mem_writel(addr, s->dmaregs[saddr], val);
commit ac6c41204fd33116b8943682bffe47e113c1cc6b
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Sun Dec 19 17:22:41 2010 +0100

    target-i386: Fix accidental use of SoftFloat uint64 type
    
    softfloat.h's uint64 type has least-width semantics.
    Use uint64_t instead since that is used in helpers.
    
    v4:
    * Summary change.
    
    v3:
    * Split off.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Acked-by: Huang Ying <ying.huang at intel.com>
    Acked-by: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 06e40f3..f0c07cd 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -737,10 +737,10 @@ typedef struct CPUX86State {
        user */
     struct DeviceState *apic_state;
 
-    uint64 mcg_cap;
-    uint64 mcg_status;
-    uint64 mcg_ctl;
-    uint64 mce_banks[MCE_BANKS_DEF*4];
+    uint64_t mcg_cap;
+    uint64_t mcg_status;
+    uint64_t mcg_ctl;
+    uint64_t mce_banks[MCE_BANKS_DEF*4];
 
     uint64_t tsc_aux;
 
commit c910cf96dc8a2a1d3ee0a695979770d13538806f
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Sun Dec 19 17:22:40 2010 +0100

    wdt_ib700: Fix accidental use of SoftFloat int64 type
    
    softfloat.h's int64 type has least-width semantics.
    Since we're assigning an int64_t, use plain int64_t.
    
    v4:
    * Summary change.
    
    v3:
    * Split off.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Acked-by: Richard W.M. Jones <rjones at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/wdt_ib700.c b/hw/wdt_ib700.c
index b6235eb..1248464 100644
--- a/hw/wdt_ib700.c
+++ b/hw/wdt_ib700.c
@@ -53,7 +53,7 @@ static void ib700_write_enable_reg(void *vp, uint32_t addr, uint32_t data)
         30, 28, 26, 24, 22, 20, 18, 16,
         14, 12, 10,  8,  6,  4,  2,  0
     };
-    int64 timeout;
+    int64_t timeout;
 
     ib700_debug("addr = %x, data = %x\n", addr, data);
 
commit f5095c639fe2861b6401be6e26fa3ffb9d30eba4
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Sun Dec 19 17:22:39 2010 +0100

    apic: Fix accidental use of SoftFloat uint32 type
    
    softfloat.h's uint32 type has least-width semantics.
    Surrounding code uses uint32_t, so use uint32_t here, too.
    
    v4:
    * Summary change.
    
    v3:
    * Split off.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/apic.c b/hw/apic.c
index a5a53fb..ff581f0 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -765,7 +765,7 @@ static uint32_t apic_mem_readl(void *opaque, target_phys_addr_t addr)
     return val;
 }
 
-static void apic_send_msi(target_phys_addr_t addr, uint32 data)
+static void apic_send_msi(target_phys_addr_t addr, uint32_t data)
 {
     uint8_t dest = (addr & MSI_ADDR_DEST_ID_MASK) >> MSI_ADDR_DEST_ID_SHIFT;
     uint8_t vector = (data & MSI_DATA_VECTOR_MASK) >> MSI_DATA_VECTOR_SHIFT;
commit 80376c3fc2c38fdd45354e4b0eb45031f35587ed
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Dec 20 14:33:35 2010 +0900

    qbus: register reset handler for qbus whose parent is NULL
    
    Stefan Weil reported the regression caused by
    ec990eb622ad46df5ddcb1e94c418c271894d416 as follows
    
    > The second regression also occurs with MIPS malta.
    > Networking no longer works with the default pcnet nic.
    >
    > This is caused because the reset function for pcnet is no
    > longer called during system boot. The result in an invalid
    > mac address (all zero) and a non-working nic.
    >
    > For this second regression I still have no simple solution.
    > Of course mips_malta.c should be converted to qdev which
    > would fix both problems (but only for malta system emulation).
    
    The issue is, it is assumed that all qbuses, qdeves are under
    main_system_bus. But there are qbuses whose parent is NULL. So it
    is necessary to trigger reset for those qbuses.
    (On the other hand, if NULL is passed to qdev_create(), its parent bus
    is main_system_bus.)
    Ideally those buses should be moved under bus controller
    device which is qdev. But it's not done yet.
    So register qbus reset handler for qbus whose parent is NULL.
    
    Reported-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: "Michael S. Tsirkin" <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 6fc9b02..d93a6c4 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -333,6 +333,12 @@ void qbus_reset_all(BusState *bus)
     qbus_walk_children(bus, qdev_reset_one, qbus_reset_one, NULL);
 }
 
+void qbus_reset_all_fn(void *opaque)
+{
+    BusState *bus = opaque;
+    qbus_reset_all(bus);
+}
+
 /* can be used as ->unplug() callback for the simple cases */
 int qdev_simple_unplug_cb(DeviceState *dev)
 {
@@ -754,8 +760,11 @@ void qbus_create_inplace(BusState *bus, BusInfo *info,
     if (parent) {
         QLIST_INSERT_HEAD(&parent->child_bus, bus, sibling);
         parent->num_child_bus++;
+    } else if (bus != main_system_bus) {
+        /* TODO: once all bus devices are qdevified,
+           only reset handler for main_system_bus should be registered here. */
+        qemu_register_reset(qbus_reset_all_fn, bus);
     }
-
 }
 
 BusState *qbus_create(BusInfo *info, DeviceState *parent, const char *name)
@@ -778,6 +787,9 @@ void qbus_free(BusState *bus)
     if (bus->parent) {
         QLIST_REMOVE(bus, sibling);
         bus->parent->num_child_bus--;
+    } else {
+        assert(bus != main_system_bus); /* main_system_bus is never freed */
+        qemu_unregister_reset(qbus_reset_all_fn, bus);
     }
     qemu_free((void*)bus->name);
     if (bus->qdev_allocated) {
diff --git a/hw/qdev.h b/hw/qdev.h
index aaaf55a..b239bb4 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -199,6 +199,8 @@ int qdev_walk_children(DeviceState *dev, qdev_walkerfn *devfn,
                        qbus_walkerfn *busfn, void *opaque);
 void qdev_reset_all(DeviceState *dev);
 void qbus_reset_all(BusState *bus);
+void qbus_reset_all_fn(void *opaque);
+
 void qbus_free(BusState *bus);
 
 #define FROM_QBUS(type, dev) DO_UPCAST(type, qbus, dev)
diff --git a/vl.c b/vl.c
index c4d3fc0..8d6bab4 100644
--- a/vl.c
+++ b/vl.c
@@ -3088,7 +3088,9 @@ int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
-    qemu_register_reset((void *)qbus_reset_all, sysbus_get_default());
+    /* TODO: once all bus devices are qdevified, this should be done
+     * when bus is created by qdev.c */
+    qemu_register_reset(qbus_reset_all_fn, sysbus_get_default());
     qemu_run_machine_init_done_notifiers();
 
     qemu_system_reset();
commit 4fd37a98d1248bae54a9f71ee1c252d2b2f1efd5
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Dec 19 14:05:43 2010 +0000

    Avoid a warning from OpenBSD linker
    
    Avoid the warning below by using snprintf:
    ../libhw64/vl.o(.text+0x78d4): In function `get_boot_devices_list':
    /src/qemu/vl.c:763: warning: sprintf() is often misused, please use snprintf()
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/vl.c b/vl.c
index c4d3fc0..768dbf4 100644
--- a/vl.c
+++ b/vl.c
@@ -759,8 +759,10 @@ char *get_boot_devices_list(uint32_t *size)
         }
 
         if (i->suffix && devpath) {
-            bootpath = qemu_malloc(strlen(devpath) + strlen(i->suffix) + 1);
-            sprintf(bootpath, "%s%s", devpath, i->suffix);
+            size_t bootpathlen = strlen(devpath) + strlen(i->suffix) + 1;
+
+            bootpath = qemu_malloc(bootpathlen);
+            snprintf(bootpath, bootpathlen, "%s%s", devpath, i->suffix);
             qemu_free(devpath);
         } else if (devpath) {
             bootpath = devpath;
commit d41160a3e64b26c9d78ecfd78b0e7ef3e878d475
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Dec 19 13:42:56 2010 +0000

    Sparc: implement monitor command 'info tlb'
    
    Use existing dump_mmu() to implement monitor command 'info tlb'.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hmp-commands.hx b/hmp-commands.hx
index dd3db36..4befbe2 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1190,7 +1190,7 @@ show i8259 (PIC) state
 @item info pci
 show emulated PCI device info
 @item info tlb
-show virtual to physical memory mappings (i386 only)
+show virtual to physical memory mappings (i386, SH4 and SPARC only)
 @item info mem
 show the active virtual memory mappings (i386 only)
 @item info jit
diff --git a/monitor.c b/monitor.c
index aae81bb..5d74fe3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2272,6 +2272,15 @@ static void tlb_info(Monitor *mon)
 
 #endif
 
+#if defined(TARGET_SPARC)
+static void tlb_info(Monitor *mon)
+{
+    CPUState *env1 = mon_get_cpu();
+
+    dump_mmu((FILE*)mon, (fprintf_function)monitor_printf, env1);
+}
+#endif
+
 static void do_info_kvm_print(Monitor *mon, const QObject *data)
 {
     QDict *qdict;
@@ -2744,7 +2753,7 @@ static const mon_cmd_t info_cmds[] = {
         .user_print = do_pci_info_print,
         .mhandler.info_new = do_pci_info,
     },
-#if defined(TARGET_I386) || defined(TARGET_SH4)
+#if defined(TARGET_I386) || defined(TARGET_SH4) || defined(TARGET_SPARC)
     {
         .name       = "tlb",
         .args_type  = "",
diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index 1be66e7..7225b2e 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -448,7 +448,7 @@ int cpu_sparc_handle_mmu_fault(CPUSPARCState *env1, target_ulong address, int rw
                                int mmu_idx, int is_softmmu);
 #define cpu_handle_mmu_fault cpu_sparc_handle_mmu_fault
 target_ulong mmu_probe(CPUSPARCState *env, target_ulong address, int mmulev);
-void dump_mmu(CPUSPARCState *env);
+void dump_mmu(FILE *f, fprintf_function cpu_fprintf, CPUState *env);
 
 /* translate.c */
 void gen_intermediate_code_init(CPUSPARCState *env);
diff --git a/target-sparc/helper.c b/target-sparc/helper.c
index 7e45d7a..6b337ca 100644
--- a/target-sparc/helper.c
+++ b/target-sparc/helper.c
@@ -320,47 +320,45 @@ target_ulong mmu_probe(CPUState *env, target_ulong address, int mmulev)
     return 0;
 }
 
-#ifdef DEBUG_MMU
-void dump_mmu(CPUState *env)
+void dump_mmu(FILE *f, fprintf_function cpu_fprintf, CPUState *env)
 {
     target_ulong va, va1, va2;
     unsigned int n, m, o;
     target_phys_addr_t pde_ptr, pa;
     uint32_t pde;
 
-    printf("MMU dump:\n");
     pde_ptr = (env->mmuregs[1] << 4) + (env->mmuregs[2] << 2);
     pde = ldl_phys(pde_ptr);
-    printf("Root ptr: " TARGET_FMT_plx ", ctx: %d\n",
-           (target_phys_addr_t)env->mmuregs[1] << 4, env->mmuregs[2]);
+    (*cpu_fprintf)(f, "Root ptr: " TARGET_FMT_plx ", ctx: %d\n",
+                   (target_phys_addr_t)env->mmuregs[1] << 4, env->mmuregs[2]);
     for (n = 0, va = 0; n < 256; n++, va += 16 * 1024 * 1024) {
         pde = mmu_probe(env, va, 2);
         if (pde) {
             pa = cpu_get_phys_page_debug(env, va);
-            printf("VA: " TARGET_FMT_lx ", PA: " TARGET_FMT_plx
-                   " PDE: " TARGET_FMT_lx "\n", va, pa, pde);
+            (*cpu_fprintf)(f, "VA: " TARGET_FMT_lx ", PA: " TARGET_FMT_plx
+                           " PDE: " TARGET_FMT_lx "\n", va, pa, pde);
             for (m = 0, va1 = va; m < 64; m++, va1 += 256 * 1024) {
                 pde = mmu_probe(env, va1, 1);
                 if (pde) {
                     pa = cpu_get_phys_page_debug(env, va1);
-                    printf(" VA: " TARGET_FMT_lx ", PA: " TARGET_FMT_plx
-                           " PDE: " TARGET_FMT_lx "\n", va1, pa, pde);
+                    (*cpu_fprintf)(f, " VA: " TARGET_FMT_lx ", PA: "
+                                   TARGET_FMT_plx " PDE: " TARGET_FMT_lx "\n",
+                                   va1, pa, pde);
                     for (o = 0, va2 = va1; o < 64; o++, va2 += 4 * 1024) {
                         pde = mmu_probe(env, va2, 0);
                         if (pde) {
                             pa = cpu_get_phys_page_debug(env, va2);
-                            printf("  VA: " TARGET_FMT_lx ", PA: "
-                                   TARGET_FMT_plx " PTE: " TARGET_FMT_lx "\n",
-                                   va2, pa, pde);
+                            (*cpu_fprintf)(f, "  VA: " TARGET_FMT_lx ", PA: "
+                                           TARGET_FMT_plx " PTE: "
+                                           TARGET_FMT_lx "\n",
+                                           va2, pa, pde);
                         }
                     }
                 }
             }
         }
     }
-    printf("MMU dump ends\n");
 }
-#endif /* DEBUG_MMU */
 
 #else /* !TARGET_SPARC64 */
 
@@ -622,18 +620,19 @@ int cpu_sparc_handle_mmu_fault (CPUState *env, target_ulong address, int rw,
     return 1;
 }
 
-#ifdef DEBUG_MMU
-void dump_mmu(CPUState *env)
+void dump_mmu(FILE *f, fprintf_function cpu_fprintf, CPUState *env)
 {
     unsigned int i;
     const char *mask;
 
-    printf("MMU contexts: Primary: %" PRId64 ", Secondary: %" PRId64 "\n",
-           env->dmmu.mmu_primary_context, env->dmmu.mmu_secondary_context);
+    (*cpu_fprintf)(f, "MMU contexts: Primary: %" PRId64 ", Secondary: %"
+                   PRId64 "\n",
+                   env->dmmu.mmu_primary_context,
+                   env->dmmu.mmu_secondary_context);
     if ((env->lsu & DMMU_E) == 0) {
-        printf("DMMU disabled\n");
+        (*cpu_fprintf)(f, "DMMU disabled\n");
     } else {
-        printf("DMMU dump:\n");
+        (*cpu_fprintf)(f, "DMMU dump\n");
         for (i = 0; i < 64; i++) {
             switch ((env->dtlb[i].tte >> 61) & 3) {
             default:
@@ -651,24 +650,25 @@ void dump_mmu(CPUState *env)
                 break;
             }
             if ((env->dtlb[i].tte & 0x8000000000000000ULL) != 0) {
-                printf("[%02u] VA: %" PRIx64 ", PA: %" PRIx64
-                       ", %s, %s, %s, %s, ctx %" PRId64 " %s\n",
-                       i,
-                       env->dtlb[i].tag & (uint64_t)~0x1fffULL,
-                       env->dtlb[i].tte & (uint64_t)0x1ffffffe000ULL,
-                       mask,
-                       env->dtlb[i].tte & 0x4? "priv": "user",
-                       env->dtlb[i].tte & 0x2? "RW": "RO",
-                       env->dtlb[i].tte & 0x40? "locked": "unlocked",
-                       env->dtlb[i].tag & (uint64_t)0x1fffULL,
-                       TTE_IS_GLOBAL(env->dtlb[i].tte)? "global" : "local");
+                (*cpu_fprintf)(f, "[%02u] VA: %" PRIx64 ", PA: %" PRIx64
+                               ", %s, %s, %s, %s, ctx %" PRId64 " %s\n",
+                               i,
+                               env->dtlb[i].tag & (uint64_t)~0x1fffULL,
+                               env->dtlb[i].tte & (uint64_t)0x1ffffffe000ULL,
+                               mask,
+                               env->dtlb[i].tte & 0x4? "priv": "user",
+                               env->dtlb[i].tte & 0x2? "RW": "RO",
+                               env->dtlb[i].tte & 0x40? "locked": "unlocked",
+                               env->dtlb[i].tag & (uint64_t)0x1fffULL,
+                               TTE_IS_GLOBAL(env->dtlb[i].tte)?
+                               "global" : "local");
             }
         }
     }
     if ((env->lsu & IMMU_E) == 0) {
-        printf("IMMU disabled\n");
+        (*cpu_fprintf)(f, "IMMU disabled\n");
     } else {
-        printf("IMMU dump:\n");
+        (*cpu_fprintf)(f, "IMMU dump\n");
         for (i = 0; i < 64; i++) {
             switch ((env->itlb[i].tte >> 61) & 3) {
             default:
@@ -686,21 +686,21 @@ void dump_mmu(CPUState *env)
                 break;
             }
             if ((env->itlb[i].tte & 0x8000000000000000ULL) != 0) {
-                printf("[%02u] VA: %" PRIx64 ", PA: %" PRIx64
-                       ", %s, %s, %s, ctx %" PRId64 " %s\n",
-                       i,
-                       env->itlb[i].tag & (uint64_t)~0x1fffULL,
-                       env->itlb[i].tte & (uint64_t)0x1ffffffe000ULL,
-                       mask,
-                       env->itlb[i].tte & 0x4? "priv": "user",
-                       env->itlb[i].tte & 0x40? "locked": "unlocked",
-                       env->itlb[i].tag & (uint64_t)0x1fffULL,
-                       TTE_IS_GLOBAL(env->itlb[i].tte)? "global" : "local");
+                (*cpu_fprintf)(f, "[%02u] VA: %" PRIx64 ", PA: %" PRIx64
+                               ", %s, %s, %s, ctx %" PRId64 " %s\n",
+                               i,
+                               env->itlb[i].tag & (uint64_t)~0x1fffULL,
+                               env->itlb[i].tte & (uint64_t)0x1ffffffe000ULL,
+                               mask,
+                               env->itlb[i].tte & 0x4? "priv": "user",
+                               env->itlb[i].tte & 0x40? "locked": "unlocked",
+                               env->itlb[i].tag & (uint64_t)0x1fffULL,
+                               TTE_IS_GLOBAL(env->itlb[i].tte)?
+                               "global" : "local");
             }
         }
     }
 }
-#endif /* DEBUG_MMU */
 
 #endif /* TARGET_SPARC64 */
 #endif /* !CONFIG_USER_ONLY */
diff --git a/target-sparc/op_helper.c b/target-sparc/op_helper.c
index be3c1e0..4f753ba 100644
--- a/target-sparc/op_helper.c
+++ b/target-sparc/op_helper.c
@@ -180,7 +180,7 @@ static void demap_tlb(SparcTLBEntry *tlb, target_ulong demap_addr,
             replace_tlb_entry(&tlb[i], 0, 0, env1);
 #ifdef DEBUG_MMU
             DPRINTF_MMU("%s demap invalidated entry [%02u]\n", strmmu, i);
-            dump_mmu(env1);
+            dump_mmu(stdout, fprintf, env1);
 #endif
         }
     }
@@ -198,7 +198,7 @@ static void replace_tlb_1bit_lru(SparcTLBEntry *tlb,
             replace_tlb_entry(&tlb[i], tlb_tag, tlb_tte, env1);
 #ifdef DEBUG_MMU
             DPRINTF_MMU("%s lru replaced invalid entry [%i]\n", strmmu, i);
-            dump_mmu(env1);
+            dump_mmu(stdout, fprintf, env1);
 #endif
             return;
         }
@@ -217,7 +217,7 @@ static void replace_tlb_1bit_lru(SparcTLBEntry *tlb,
 #ifdef DEBUG_MMU
                 DPRINTF_MMU("%s lru replaced unlocked %s entry [%i]\n",
                             strmmu, (replace_used?"used":"unused"), i);
-                dump_mmu(env1);
+                dump_mmu(stdout, fprintf, env1);
 #endif
                 return;
             }
@@ -1959,7 +1959,7 @@ void helper_st_asi(target_ulong addr, uint64_t val, int asi, int size)
                 break;
             }
 #ifdef DEBUG_MMU
-            dump_mmu(env);
+            dump_mmu(stdout, fprintf, env);
 #endif
         }
         break;
@@ -2011,7 +2011,7 @@ void helper_st_asi(target_ulong addr, uint64_t val, int asi, int size)
                             reg, oldreg, env->mmuregs[reg]);
             }
 #ifdef DEBUG_MMU
-            dump_mmu(env);
+            dump_mmu(stdout, fprintf, env);
 #endif
         }
         break;
@@ -2912,7 +2912,7 @@ void helper_st_asi(target_ulong addr, target_ulong val, int asi, int size)
                 DPRINTF_MMU("LSU change: 0x%" PRIx64 " -> 0x%" PRIx64 "\n",
                             oldreg, env->lsu);
 #ifdef DEBUG_MMU
-                dump_mmu(env);
+                dump_mmu(stdout, fprintf, env1);
 #endif
                 tlb_flush(env, 1);
             }
@@ -2957,7 +2957,7 @@ void helper_st_asi(target_ulong addr, target_ulong val, int asi, int size)
                             PRIx64 "\n", reg, oldreg, env->immuregs[reg]);
             }
 #ifdef DEBUG_MMU
-            dump_mmu(env);
+            dump_mmu(stdout, fprintf, env);
 #endif
             return;
         }
@@ -2974,7 +2974,7 @@ void helper_st_asi(target_ulong addr, target_ulong val, int asi, int size)
 
 #ifdef DEBUG_MMU
             DPRINTF_MMU("immu data access replaced entry [%i]\n", i);
-            dump_mmu(env);
+            dump_mmu(stdout, fprintf, env);
 #endif
             return;
         }
@@ -3030,7 +3030,7 @@ void helper_st_asi(target_ulong addr, target_ulong val, int asi, int size)
                             PRIx64 "\n", reg, oldreg, env->dmmuregs[reg]);
             }
 #ifdef DEBUG_MMU
-            dump_mmu(env);
+            dump_mmu(stdout, fprintf, env);
 #endif
             return;
         }
@@ -3045,7 +3045,7 @@ void helper_st_asi(target_ulong addr, target_ulong val, int asi, int size)
 
 #ifdef DEBUG_MMU
             DPRINTF_MMU("dmmu data access replaced entry [%i]\n", i);
-            dump_mmu(env);
+            dump_mmu(stdout, fprintf, env);
 #endif
             return;
         }
commit 68694897e55ebd229898d4b6546877ccea500954
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Dec 16 19:33:22 2010 +0100

    qdev: sysbus_get_default must not return a NULL pointer (fix regression)
    
    Every system should have some sort of main system bus,
    so sysbus_get_default should always return a valid bus.
    
    Without this patch, at least mipssim and malta no longer
    start but raise a null pointer access exception (caused by
    commit ec990eb622ad46df5ddcb1e94c418c271894d416).
    
    Cc: Anthony Liguori <anthony at codemonkey.ws>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 10e28df..6fc9b02 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -107,10 +107,7 @@ DeviceState *qdev_create(BusState *bus, const char *name)
     DeviceInfo *info;
 
     if (!bus) {
-        if (!main_system_bus) {
-            main_system_bus = qbus_create(&system_bus_info, NULL, "main-system-bus");
-        }
-        bus = main_system_bus;
+        bus = sysbus_get_default();
     }
 
     info = qdev_find_info(bus->info, name);
@@ -311,6 +308,10 @@ static int qdev_reset_one(DeviceState *dev, void *opaque)
 
 BusState *sysbus_get_default(void)
 {
+    if (!main_system_bus) {
+        main_system_bus = qbus_create(&system_bus_info, NULL,
+                                      "main-system-bus");
+    }
     return main_system_bus;
 }
 
commit af0669f0edbbcb8c17f7c2b919089485c8327f4f
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Dec 14 14:24:53 2010 +0200

    pci: don't use bus number in migration, stub out
    
    Using bus numbers in migration is clearly wrong as
    they are guest assigned. Not really sure what the
    right thing to do is, for now stick 0 in there so things
    keep working for non-nested setups, add a TODO.
    
    We also probably have to mark nested bridges as non-migrateable
    until this is fixed?
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Alex Williamson <alex.williamson at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index ef00d20..0cb4117 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2014,7 +2014,10 @@ static char *pcibus_get_dev_path(DeviceState *dev)
     char path[16];
 
     snprintf(path, sizeof(path), "%04x:%02x:%02x.%x",
-             pci_find_domain(d->bus), d->config[PCI_SECONDARY_BUS],
+             pci_find_domain(d->bus),
+             0 /* TODO: need a persistent path for nested buses.
+                * Note: pci_bus_num(d->bus) is not right as it's guest
+                * assigned. */,
              PCI_SLOT(d->devfn), PCI_FUNC(d->devfn));
 
     return strdup(path);
commit cdfe17df88b335269ddabc7ade7a6148a1a20f0d
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Dec 19 10:43:09 2010 +0000

    ahci: delete write-only variables (v2)
    
    Avoid these warnings with GCC 4.6.0:
    /src/qemu/hw/ide/ahci.c: In function 'ahci_reset_port':
    /src/qemu/hw/ide/ahci.c:810:14: error: variable 'tfd' set but not used [-Werror=unused-but-set-variable]
    /src/qemu/hw/ide/ahci.c: In function 'handle_cmd':
    /src/qemu/hw/ide/ahci.c:1103:19: error: variable 'pr' set but not used [-Werror=unused-but-set-variable]
    
    In the tfd variable case, fix the logic also.
    
    CC: Alexander Graf <agraf at suse.de>
    CC: Kevin Wolf <kwolf at redhat.com>
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index 8ae236a..968fdce 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -807,7 +807,6 @@ static void ahci_reset_port(AHCIState *s, int port)
     AHCIPortRegs *pr = &d->port_regs;
     IDEState *ide_state = &d->port.ifs[0];
     uint8_t init_fis[0x20];
-    uint32_t tfd;
     int i;
 
     DPRINTF(port, "reset port\n");
@@ -848,7 +847,7 @@ static void ahci_reset_port(AHCIState *s, int port)
     s->dev[port].port_state = STATE_RUN;
     if (!ide_state->bs) {
         s->dev[port].port_regs.sig = 0;
-        tfd = (1 << 8) | SEEK_STAT | WRERR_STAT;
+        ide_state->status = SEEK_STAT | WRERR_STAT;
     } else if (ide_state->drive_kind == IDE_CD) {
         s->dev[port].port_regs.sig = SATA_SIGNATURE_CDROM;
         ide_state->lcyl = 0x14;
@@ -1100,7 +1099,6 @@ static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
 static int handle_cmd(AHCIState *s, int port, int slot)
 {
     IDEState *ide_state;
-    AHCIPortRegs *pr;
     uint32_t opts;
     uint64_t tbl_addr;
     AHCICmdHdr *cmd;
@@ -1113,7 +1111,6 @@ static int handle_cmd(AHCIState *s, int port, int slot)
         return -1;
     }
 
-    pr = &s->dev[port].port_regs;
     cmd = &((AHCICmdHdr *)s->dev[port].lst)[slot];
 
     if (!s->dev[port].lst) {
commit 6a0ee36a47f5b0d090316fe10ceada83136338da
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Dec 19 10:04:04 2010 +0000

    vga: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    CC: Alexander Graf <agraf at suse.de>
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/vga.c b/hw/vga.c
index b5c8741..c632fd7 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -767,30 +767,18 @@ uint32_t vga_mem_readb(void *opaque, target_phys_addr_t addr)
 static uint32_t vga_mem_readw(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = vga_mem_readb(opaque, addr) << 8;
-    v |= vga_mem_readb(opaque, addr + 1);
-#else
     v = vga_mem_readb(opaque, addr);
     v |= vga_mem_readb(opaque, addr + 1) << 8;
-#endif
     return v;
 }
 
 static uint32_t vga_mem_readl(void *opaque, target_phys_addr_t addr)
 {
     uint32_t v;
-#ifdef TARGET_WORDS_BIGENDIAN
-    v = vga_mem_readb(opaque, addr) << 24;
-    v |= vga_mem_readb(opaque, addr + 1) << 16;
-    v |= vga_mem_readb(opaque, addr + 2) << 8;
-    v |= vga_mem_readb(opaque, addr + 3);
-#else
     v = vga_mem_readb(opaque, addr);
     v |= vga_mem_readb(opaque, addr + 1) << 8;
     v |= vga_mem_readb(opaque, addr + 2) << 16;
     v |= vga_mem_readb(opaque, addr + 3) << 24;
-#endif
     return v;
 }
 
@@ -931,28 +919,16 @@ void vga_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
 
 static void vga_mem_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    vga_mem_writeb(opaque, addr, (val >> 8) & 0xff);
-    vga_mem_writeb(opaque, addr + 1, val & 0xff);
-#else
     vga_mem_writeb(opaque, addr, val & 0xff);
     vga_mem_writeb(opaque, addr + 1, (val >> 8) & 0xff);
-#endif
 }
 
 static void vga_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    vga_mem_writeb(opaque, addr, (val >> 24) & 0xff);
-    vga_mem_writeb(opaque, addr + 1, (val >> 16) & 0xff);
-    vga_mem_writeb(opaque, addr + 2, (val >> 8) & 0xff);
-    vga_mem_writeb(opaque, addr + 3, val & 0xff);
-#else
     vga_mem_writeb(opaque, addr, val & 0xff);
     vga_mem_writeb(opaque, addr + 1, (val >> 8) & 0xff);
     vga_mem_writeb(opaque, addr + 2, (val >> 16) & 0xff);
     vga_mem_writeb(opaque, addr + 3, (val >> 24) & 0xff);
-#endif
 }
 
 typedef void vga_draw_glyph8_func(uint8_t *d, int linesize,
@@ -2321,7 +2297,7 @@ void vga_init(VGACommonState *s)
 #endif /* CONFIG_BOCHS_VBE */
 
     vga_io_memory = cpu_register_io_memory(vga_mem_read, vga_mem_write, s,
-                                           DEVICE_NATIVE_ENDIAN);
+                                           DEVICE_LITTLE_ENDIAN);
     cpu_register_physical_memory(isa_mem_base + 0x000a0000, 0x20000,
                                  vga_io_memory);
     qemu_register_coalesced_mmio(isa_mem_base + 0x000a0000, 0x20000);
commit 5d6b423c5cd6f9dfac30959ff1d5c088996719c3
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sat Dec 18 17:34:26 2010 +0100

    win32: Fix CRLF problem in make_device_config.sh
    
    QEMU source code with CRLF line endings
    which is quite common on windows hosts
    fails with current make_device_config.sh.
    
    The awk script gets the name of the included
    file with \r, so instead of pci.mak it will
    search for pci.mak\r which of course does
    not work.
    
    Fix this by removing any \r.
    
    v2:
        Avoid using sub() and \r with awk because they are unsupported
        on some platforms. Use tr to remove \r. This new solution
        improves portability and was suggested by Paolo Bonzini.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Acked-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/make_device_config.sh b/make_device_config.sh
index 8abadfe..596fc5b 100644
--- a/make_device_config.sh
+++ b/make_device_config.sh
@@ -18,7 +18,7 @@ process_includes () {
 
 f=$src
 while [ -n "$f" ] ; do
-  f=`awk '/^include / {ORS=" " ; print "'$src_dir'/" $2}' $f`
+  f=`tr -d '\r' < $f | awk '/^include / {ORS=" "; print "'$src_dir'/" $2}'`
   [ $? = 0 ] || exit 1
   all_includes="$all_includes $f"
 done
commit 86d1c3887f8665204e2c7454003ac71a6a52e806
Author: Bob Breuer <breuerr at mc.net>
Date:   Sat Dec 18 11:09:04 2010 -0600

    sparc32: ledma extra registers
    
    ledma has 0x20 bytes of registers according to OBP, and at least Solaris9
    reads the 5th register which is beyond what we've mapped.  So let's setup
    a flag (inspired by a previous patch from Blue Swirl) to identify ledma
    from espdma, and map another 16 bytes of registers which return 0.
    
    Signed-off-by: Bob Breuer <breuerr at mc.net>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/sparc32_dma.c b/hw/sparc32_dma.c
index e78f025..56be8c8 100644
--- a/hw/sparc32_dma.c
+++ b/hw/sparc32_dma.c
@@ -44,6 +44,9 @@
 /* We need the mask, because one instance of the device is not page
    aligned (ledma, start address 0x0010) */
 #define DMA_MASK (DMA_SIZE - 1)
+/* ledma has more than 4 registers, Solaris reads the 5th one */
+#define DMA_ETH_SIZE (8 * sizeof(uint32_t))
+#define DMA_MAX_REG_OFFSET (2 * DMA_SIZE - 1)
 
 #define DMA_VER 0xa0000000
 #define DMA_INTR 1
@@ -65,6 +68,7 @@ struct DMAState {
     qemu_irq irq;
     void *iommu;
     qemu_irq gpio[2];
+    uint32_t is_ledma;
 };
 
 enum {
@@ -165,6 +169,9 @@ static uint32_t dma_mem_readl(void *opaque, target_phys_addr_t addr)
     DMAState *s = opaque;
     uint32_t saddr;
 
+    if (s->is_ledma && (addr > DMA_MAX_REG_OFFSET)) {
+        return 0; /* extra mystery register(s) */
+    }
     saddr = (addr & DMA_MASK) >> 2;
     trace_sparc32_dma_mem_readl(addr, s->dmaregs[saddr]);
     return s->dmaregs[saddr];
@@ -175,6 +182,9 @@ static void dma_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
     DMAState *s = opaque;
     uint32_t saddr;
 
+    if (s->is_ledma && (addr > DMA_MAX_REG_OFFSET)) {
+        return; /* extra mystery register(s) */
+    }
     saddr = (addr & DMA_MASK) >> 2;
     trace_sparc32_dma_mem_writel(addr, s->dmaregs[saddr], val);
     switch (saddr) {
@@ -254,12 +264,14 @@ static int sparc32_dma_init1(SysBusDevice *dev)
 {
     DMAState *s = FROM_SYSBUS(DMAState, dev);
     int dma_io_memory;
+    int reg_size;
 
     sysbus_init_irq(dev, &s->irq);
 
     dma_io_memory = cpu_register_io_memory(dma_mem_read, dma_mem_write, s,
                                            DEVICE_NATIVE_ENDIAN);
-    sysbus_init_mmio(dev, DMA_SIZE, dma_io_memory);
+    reg_size = s->is_ledma ? DMA_ETH_SIZE : DMA_SIZE;
+    sysbus_init_mmio(dev, reg_size, dma_io_memory);
 
     qdev_init_gpio_in(&dev->qdev, dma_set_irq, 1);
     qdev_init_gpio_out(&dev->qdev, s->gpio, 2);
@@ -275,6 +287,7 @@ static SysBusDeviceInfo sparc32_dma_info = {
     .qdev.reset = dma_reset,
     .qdev.props = (Property[]) {
         DEFINE_PROP_PTR("iommu_opaque", DMAState, iommu),
+        DEFINE_PROP_UINT32("is_ledma", DMAState, is_ledma, 0),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
diff --git a/hw/sun4m.c b/hw/sun4m.c
index 4795b3f..30e8a21 100644
--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -378,13 +378,14 @@ static void *iommu_init(target_phys_addr_t addr, uint32_t version, qemu_irq irq)
 }
 
 static void *sparc32_dma_init(target_phys_addr_t daddr, qemu_irq parent_irq,
-                              void *iommu, qemu_irq *dev_irq)
+                              void *iommu, qemu_irq *dev_irq, int is_ledma)
 {
     DeviceState *dev;
     SysBusDevice *s;
 
     dev = qdev_create(NULL, "sparc32_dma");
     qdev_prop_set_ptr(dev, "iommu_opaque", iommu);
+    qdev_prop_set_uint32(dev, "is_ledma", is_ledma);
     qdev_init_nofail(dev);
     s = sysbus_from_qdev(dev);
     sysbus_connect_irq(s, 0, parent_irq);
@@ -862,10 +863,10 @@ static void sun4m_hw_init(const struct sun4m_hwdef *hwdef, ram_addr_t RAM_size,
     }
 
     espdma = sparc32_dma_init(hwdef->dma_base, slavio_irq[18],
-                              iommu, &espdma_irq);
+                              iommu, &espdma_irq, 0);
 
     ledma = sparc32_dma_init(hwdef->dma_base + 16ULL,
-                             slavio_irq[16], iommu, &ledma_irq);
+                             slavio_irq[16], iommu, &ledma_irq, 1);
 
     if (graphic_depth != 8 && graphic_depth != 24) {
         fprintf(stderr, "qemu: Unsupported depth: %d\n", graphic_depth);
@@ -1524,10 +1525,11 @@ static void sun4d_hw_init(const struct sun4d_hwdef *hwdef, ram_addr_t RAM_size,
                                     sbi_irq[0]);
 
     espdma = sparc32_dma_init(hwdef->espdma_base, sbi_irq[3],
-                              iounits[0], &espdma_irq);
+                              iounits[0], &espdma_irq, 0);
 
+    /* should be lebuffer instead */
     ledma = sparc32_dma_init(hwdef->ledma_base, sbi_irq[4],
-                             iounits[0], &ledma_irq);
+                             iounits[0], &ledma_irq, 0);
 
     if (graphic_depth != 8 && graphic_depth != 24) {
         fprintf(stderr, "qemu: Unsupported depth: %d\n", graphic_depth);
@@ -1707,10 +1709,10 @@ static void sun4c_hw_init(const struct sun4c_hwdef *hwdef, ram_addr_t RAM_size,
                        slavio_irq[1]);
 
     espdma = sparc32_dma_init(hwdef->dma_base, slavio_irq[2],
-                              iommu, &espdma_irq);
+                              iommu, &espdma_irq, 0);
 
     ledma = sparc32_dma_init(hwdef->dma_base + 16ULL,
-                             slavio_irq[3], iommu, &ledma_irq);
+                             slavio_irq[3], iommu, &ledma_irq, 1);
 
     if (graphic_depth != 8 && graphic_depth != 24) {
         fprintf(stderr, "qemu: Unsupported depth: %d\n", graphic_depth);
commit 4d22c6c2eef69f20e1f4a398e277d6c8dbc4e5b9
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Dec 17 21:03:00 2010 +0000

    Fix warning on mingw32
    
    Avoid this warning like other uses of setsockopt:
    /src/qemu/net/socket.c: In function 'net_socket_mcast_create':
    /src/qemu/net/socket.c:210: warning: passing argument 4 of 'setsockopt' from incompatible pointer type
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/net/socket.c b/net/socket.c
index 916c2a8..3182b37 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -207,7 +207,8 @@ static int net_socket_mcast_create(struct sockaddr_in *mcastaddr, struct in_addr
 
     /* If a bind address is given, only send packets from that address */
     if (localaddr != NULL) {
-        ret = setsockopt(fd, IPPROTO_IP, IP_MULTICAST_IF, localaddr, sizeof(*localaddr));
+        ret = setsockopt(fd, IPPROTO_IP, IP_MULTICAST_IF,
+                         (const char *)localaddr, sizeof(*localaddr));
         if (ret < 0) {
             perror("setsockopt(IP_MULTICAST_IF)");
             goto fail;
commit 653af235c8df7516a94762fc81e639fc08e9f6d9
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Dec 17 19:49:18 2010 +0100

    ide: Build fix for via.c
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/via.c b/hw/ide/via.c
index 5b70bd2..0e90679 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -150,7 +150,7 @@ static void vt82c686b_init_ports(PCIIDEState *d) {
         bmdma_init(&d->bus[i], &d->bmdma[i]);
         d->bmdma[i].bus = &d->bus[i];
         qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
-                                         &d->bmdma[i]->dma);
+                                         &d->bmdma[i].dma);
     }
 }
 
commit f56b18c08cd29bb47e4d6a72f97c44616bd0611e
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Dec 17 19:43:41 2010 +0100

    ide: Fix build for cmd646.c
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Acked-by: Andreas Färber <andreas.faerber at web.de>

diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c
index 89ba836..5d5464a 100644
--- a/hw/ide/cmd646.c
+++ b/hw/ide/cmd646.c
@@ -255,9 +255,9 @@ static int pci_cmd646_ide_initfn(PCIDevice *dev)
         ide_init2(&d->bus[i], irq[i]);
 
         bmdma_init(&d->bus[i], &d->bmdma[i]);
-        bm->bus = &d->bus[i];
+        d->bmdma[i].bus = &d->bus[i];
         qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
-                                         &d->bmdma[i]->dma);
+                                         &d->bmdma[i].dma);
     }
 
     vmstate_register(&dev->qdev, 0, &vmstate_ide_pci, d);
commit e59d688ad112719cb264f395b1f5895866ebf309
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Dec 17 15:58:20 2010 +0000

    docs: Fix missing carets in QED specification
    
    For some reason the carets ('^') in the QED specification disappeared.
    This patch puts them back.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/docs/specs/qed_spec.txt b/docs/specs/qed_spec.txt
index 446b5a2..1d5fa87 100644
--- a/docs/specs/qed_spec.txt
+++ b/docs/specs/qed_spec.txt
@@ -33,7 +33,7 @@ All fields are little-endian.
  }
 
 Field descriptions:
-* ''cluster_size'' must be a power of 2 in range [212, 226].
+* ''cluster_size'' must be a power of 2 in range [2^12, 2^26].
 * ''table_size'' must be a power of 2 in range [1, 16].
 * ''header_size'' is the number of clusters used by the header and any additional information stored before regular clusters.
 * ''features'', ''compat_features'', and ''autoclear_features'' are file format extension bitmaps.  They work as follows:
@@ -90,7 +90,7 @@ L1, L2, and data cluster offsets must be aligned to header.cluster_size.  The fo
 ===Data cluster offsets===
 * 0 - unallocated.  The data cluster is not yet allocated.
 
-Future format extensions may wish to store per-offset information.  The least significant 12 bits of an offset are reserved for this purpose and must be set to zero.  Image files with cluster_size > 212 will have more unused bits which should also be zeroed.
+Future format extensions may wish to store per-offset information.  The least significant 12 bits of an offset are reserved for this purpose and must be set to zero.  Image files with cluster_size > 2^12 will have more unused bits which should also be zeroed.
 
 ===Unallocated L2 tables and data clusters===
 Reads to an unallocated area of the image file access the backing file.  If there is no backing file, then zeroes are produced.  The backing file may be smaller than the image file and reads of unallocated areas beyond the end of the backing file produce zeroes.
commit 6d85a57e20825e72895c31eb69080df8d476edb2
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Fri Dec 17 16:02:40 2010 +0100

    Add proper -errno error return values to qcow2_open()
    
    In addition this adds missing braces to the function to be consistent
    with the coding style.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index 4b41190..b6b094c 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -140,12 +140,14 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 static int qcow2_open(BlockDriverState *bs, int flags)
 {
     BDRVQcowState *s = bs->opaque;
-    int len, i;
+    int len, i, ret = 0;
     QCowHeader header;
     uint64_t ext_end;
 
-    if (bdrv_pread(bs->file, 0, &header, sizeof(header)) != sizeof(header))
+    ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
+    if (ret < 0) {
         goto fail;
+    }
     be32_to_cpus(&header.magic);
     be32_to_cpus(&header.version);
     be64_to_cpus(&header.backing_file_offset);
@@ -160,16 +162,23 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     be64_to_cpus(&header.snapshots_offset);
     be32_to_cpus(&header.nb_snapshots);
 
-    if (header.magic != QCOW_MAGIC || header.version != QCOW_VERSION)
+    if (header.magic != QCOW_MAGIC || header.version != QCOW_VERSION) {
+        ret = -EINVAL;
         goto fail;
+    }
     if (header.cluster_bits < MIN_CLUSTER_BITS ||
-        header.cluster_bits > MAX_CLUSTER_BITS)
+        header.cluster_bits > MAX_CLUSTER_BITS) {
+        ret = -EINVAL;
         goto fail;
-    if (header.crypt_method > QCOW_CRYPT_AES)
+    }
+    if (header.crypt_method > QCOW_CRYPT_AES) {
+        ret = -EINVAL;
         goto fail;
+    }
     s->crypt_method_header = header.crypt_method;
-    if (s->crypt_method_header)
+    if (s->crypt_method_header) {
         bs->encrypted = 1;
+    }
     s->cluster_bits = header.cluster_bits;
     s->cluster_size = 1 << s->cluster_bits;
     s->cluster_sectors = 1 << (s->cluster_bits - 9);
@@ -191,15 +200,19 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     s->l1_vm_state_index = size_to_l1(s, header.size);
     /* the L1 table must contain at least enough entries to put
        header.size bytes */
-    if (s->l1_size < s->l1_vm_state_index)
+    if (s->l1_size < s->l1_vm_state_index) {
+        ret = -EINVAL;
         goto fail;
+    }
     s->l1_table_offset = header.l1_table_offset;
     if (s->l1_size > 0) {
         s->l1_table = qemu_mallocz(
             align_offset(s->l1_size * sizeof(uint64_t), 512));
-        if (bdrv_pread(bs->file, s->l1_table_offset, s->l1_table, s->l1_size * sizeof(uint64_t)) !=
-            s->l1_size * sizeof(uint64_t))
+        ret = bdrv_pread(bs->file, s->l1_table_offset, s->l1_table,
+                         s->l1_size * sizeof(uint64_t));
+        if (ret < 0) {
             goto fail;
+        }
         for(i = 0;i < s->l1_size; i++) {
             be64_to_cpus(&s->l1_table[i]);
         }
@@ -212,35 +225,46 @@ static int qcow2_open(BlockDriverState *bs, int flags)
                                   + 512);
     s->cluster_cache_offset = -1;
 
-    if (qcow2_refcount_init(bs) < 0)
+    ret = qcow2_refcount_init(bs);
+    if (ret != 0) {
         goto fail;
+    }
 
     QLIST_INIT(&s->cluster_allocs);
 
     /* read qcow2 extensions */
-    if (header.backing_file_offset)
+    if (header.backing_file_offset) {
         ext_end = header.backing_file_offset;
-    else
+    } else {
         ext_end = s->cluster_size;
-    if (qcow2_read_extensions(bs, sizeof(header), ext_end))
+    }
+    if (qcow2_read_extensions(bs, sizeof(header), ext_end)) {
+        ret = -EINVAL;
         goto fail;
+    }
 
     /* read the backing file name */
     if (header.backing_file_offset != 0) {
         len = header.backing_file_size;
-        if (len > 1023)
+        if (len > 1023) {
             len = 1023;
-        if (bdrv_pread(bs->file, header.backing_file_offset, bs->backing_file, len) != len)
+        }
+        ret = bdrv_pread(bs->file, header.backing_file_offset,
+                         bs->backing_file, len);
+        if (ret < 0) {
             goto fail;
+        }
         bs->backing_file[len] = '\0';
     }
-    if (qcow2_read_snapshots(bs) < 0)
+    if (qcow2_read_snapshots(bs) < 0) {
+        ret = -EINVAL;
         goto fail;
+    }
 
 #ifdef DEBUG_ALLOC
     qcow2_check_refcounts(bs);
 #endif
-    return 0;
+    return ret;
 
  fail:
     qcow2_free_snapshots(bs);
@@ -249,7 +273,7 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     qemu_free(s->l2_cache);
     qemu_free(s->cluster_cache);
     qemu_free(s->cluster_data);
-    return -1;
+    return ret;
 }
 
 static int qcow2_set_key(BlockDriverState *bs, const char *key)
commit 7c80ab3f21f0b1342f23057d4345ae266c7348d9
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Fri Dec 17 16:02:39 2010 +0100

    block/qcow2.c: rename qcow_ functions to qcow2_
    
    It doesn't really make sense for functions in qcow2.c to be named
    qcow_ so convert the names to match correctly.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index b040208..6928c63 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -352,8 +352,8 @@ void qcow2_encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
 }
 
 
-static int qcow_read(BlockDriverState *bs, int64_t sector_num,
-                     uint8_t *buf, int nb_sectors)
+static int qcow2_read(BlockDriverState *bs, int64_t sector_num,
+                      uint8_t *buf, int nb_sectors)
 {
     BDRVQcowState *s = bs->opaque;
     int ret, index_in_cluster, n, n1;
@@ -419,7 +419,7 @@ static int copy_sectors(BlockDriverState *bs, uint64_t start_sect,
     if (n <= 0)
         return 0;
     BLKDBG_EVENT(bs->file, BLKDBG_COW_READ);
-    ret = qcow_read(bs, start_sect + n_start, s->cluster_data, n);
+    ret = qcow2_read(bs, start_sect + n_start, s->cluster_data, n);
     if (ret < 0)
         return ret;
     if (s->crypt_method) {
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index aacf357..74823a5 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -116,7 +116,7 @@ int qcow2_read_snapshots(BlockDriverState *bs)
 }
 
 /* add at the end of the file a new list of snapshots */
-static int qcow_write_snapshots(BlockDriverState *bs)
+static int qcow2_write_snapshots(BlockDriverState *bs)
 {
     BDRVQcowState *s = bs->opaque;
     QCowSnapshot *sn;
@@ -300,7 +300,7 @@ int qcow2_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
     s->snapshots = snapshots1;
     s->snapshots[s->nb_snapshots++] = *sn;
 
-    if (qcow_write_snapshots(bs) < 0)
+    if (qcow2_write_snapshots(bs) < 0)
         goto fail;
 #ifdef DEBUG_ALLOC
     qcow2_check_refcounts(bs);
@@ -378,7 +378,7 @@ int qcow2_snapshot_delete(BlockDriverState *bs, const char *snapshot_id)
     qemu_free(sn->name);
     memmove(sn, sn + 1, (s->nb_snapshots - snapshot_index - 1) * sizeof(*sn));
     s->nb_snapshots--;
-    ret = qcow_write_snapshots(bs);
+    ret = qcow2_write_snapshots(bs);
     if (ret < 0) {
         /* XXX: restore snapshot if error ? */
         return ret;
diff --git a/block/qcow2.c b/block/qcow2.c
index 537c479..4b41190 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -50,10 +50,10 @@ typedef struct {
     uint32_t magic;
     uint32_t len;
 } QCowExtension;
-#define  QCOW_EXT_MAGIC_END 0
-#define  QCOW_EXT_MAGIC_BACKING_FORMAT 0xE2792ACA
+#define  QCOW2_EXT_MAGIC_END 0
+#define  QCOW2_EXT_MAGIC_BACKING_FORMAT 0xE2792ACA
 
-static int qcow_probe(const uint8_t *buf, int buf_size, const char *filename)
+static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
 {
     const QCowHeader *cow_header = (const void *)buf;
 
@@ -73,14 +73,14 @@ static int qcow_probe(const uint8_t *buf, int buf_size, const char *filename)
  * unknown magic is skipped (future extension this version knows nothing about)
  * return 0 upon success, non-0 otherwise
  */
-static int qcow_read_extensions(BlockDriverState *bs, uint64_t start_offset,
-                                uint64_t end_offset)
+static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
+                                 uint64_t end_offset)
 {
     QCowExtension ext;
     uint64_t offset;
 
 #ifdef DEBUG_EXT
-    printf("qcow_read_extensions: start=%ld end=%ld\n", start_offset, end_offset);
+    printf("qcow2_read_extensions: start=%ld end=%ld\n", start_offset, end_offset);
 #endif
     offset = start_offset;
     while (offset < end_offset) {
@@ -88,13 +88,13 @@ static int qcow_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 #ifdef DEBUG_EXT
         /* Sanity check */
         if (offset > s->cluster_size)
-            printf("qcow_handle_extension: suspicious offset %lu\n", offset);
+            printf("qcow2_read_extension: suspicious offset %lu\n", offset);
 
         printf("attemting to read extended header in offset %lu\n", offset);
 #endif
 
         if (bdrv_pread(bs->file, offset, &ext, sizeof(ext)) != sizeof(ext)) {
-            fprintf(stderr, "qcow_handle_extension: ERROR: "
+            fprintf(stderr, "qcow2_read_extension: ERROR: "
                     "pread fail from offset %" PRIu64 "\n",
                     offset);
             return 1;
@@ -106,10 +106,10 @@ static int qcow_read_extensions(BlockDriverState *bs, uint64_t start_offset,
         printf("ext.magic = 0x%x\n", ext.magic);
 #endif
         switch (ext.magic) {
-        case QCOW_EXT_MAGIC_END:
+        case QCOW2_EXT_MAGIC_END:
             return 0;
 
-        case QCOW_EXT_MAGIC_BACKING_FORMAT:
+        case QCOW2_EXT_MAGIC_BACKING_FORMAT:
             if (ext.len >= sizeof(bs->backing_format)) {
                 fprintf(stderr, "ERROR: ext_backing_format: len=%u too large"
                         " (>=%zu)\n",
@@ -137,7 +137,7 @@ static int qcow_read_extensions(BlockDriverState *bs, uint64_t start_offset,
 }
 
 
-static int qcow_open(BlockDriverState *bs, int flags)
+static int qcow2_open(BlockDriverState *bs, int flags)
 {
     BDRVQcowState *s = bs->opaque;
     int len, i;
@@ -222,7 +222,7 @@ static int qcow_open(BlockDriverState *bs, int flags)
         ext_end = header.backing_file_offset;
     else
         ext_end = s->cluster_size;
-    if (qcow_read_extensions(bs, sizeof(header), ext_end))
+    if (qcow2_read_extensions(bs, sizeof(header), ext_end))
         goto fail;
 
     /* read the backing file name */
@@ -252,7 +252,7 @@ static int qcow_open(BlockDriverState *bs, int flags)
     return -1;
 }
 
-static int qcow_set_key(BlockDriverState *bs, const char *key)
+static int qcow2_set_key(BlockDriverState *bs, const char *key)
 {
     BDRVQcowState *s = bs->opaque;
     uint8_t keybuf[16];
@@ -294,8 +294,8 @@ static int qcow_set_key(BlockDriverState *bs, const char *key)
     return 0;
 }
 
-static int qcow_is_allocated(BlockDriverState *bs, int64_t sector_num,
-                             int nb_sectors, int *pnum)
+static int qcow2_is_allocated(BlockDriverState *bs, int64_t sector_num,
+                              int nb_sectors, int *pnum)
 {
     uint64_t cluster_offset;
     int ret;
@@ -344,7 +344,7 @@ typedef struct QCowAIOCB {
     QLIST_ENTRY(QCowAIOCB) next_depend;
 } QCowAIOCB;
 
-static void qcow_aio_cancel(BlockDriverAIOCB *blockacb)
+static void qcow2_aio_cancel(BlockDriverAIOCB *blockacb)
 {
     QCowAIOCB *acb = container_of(blockacb, QCowAIOCB, common);
     if (acb->hd_aiocb)
@@ -352,21 +352,21 @@ static void qcow_aio_cancel(BlockDriverAIOCB *blockacb)
     qemu_aio_release(acb);
 }
 
-static AIOPool qcow_aio_pool = {
+static AIOPool qcow2_aio_pool = {
     .aiocb_size         = sizeof(QCowAIOCB),
-    .cancel             = qcow_aio_cancel,
+    .cancel             = qcow2_aio_cancel,
 };
 
-static void qcow_aio_read_cb(void *opaque, int ret);
-static void qcow_aio_read_bh(void *opaque)
+static void qcow2_aio_read_cb(void *opaque, int ret);
+static void qcow2_aio_read_bh(void *opaque)
 {
     QCowAIOCB *acb = opaque;
     qemu_bh_delete(acb->bh);
     acb->bh = NULL;
-    qcow_aio_read_cb(opaque, 0);
+    qcow2_aio_read_cb(opaque, 0);
 }
 
-static int qcow_schedule_bh(QEMUBHFunc *cb, QCowAIOCB *acb)
+static int qcow2_schedule_bh(QEMUBHFunc *cb, QCowAIOCB *acb)
 {
     if (acb->bh)
         return -EIO;
@@ -380,7 +380,7 @@ static int qcow_schedule_bh(QEMUBHFunc *cb, QCowAIOCB *acb)
     return 0;
 }
 
-static void qcow_aio_read_cb(void *opaque, int ret)
+static void qcow2_aio_read_cb(void *opaque, int ret)
 {
     QCowAIOCB *acb = opaque;
     BlockDriverState *bs = acb->common.bs;
@@ -447,18 +447,18 @@ static void qcow_aio_read_cb(void *opaque, int ret)
                 BLKDBG_EVENT(bs->file, BLKDBG_READ_BACKING_AIO);
                 acb->hd_aiocb = bdrv_aio_readv(bs->backing_hd, acb->sector_num,
                                     &acb->hd_qiov, acb->cur_nr_sectors,
-				    qcow_aio_read_cb, acb);
+				    qcow2_aio_read_cb, acb);
                 if (acb->hd_aiocb == NULL)
                     goto done;
             } else {
-                ret = qcow_schedule_bh(qcow_aio_read_bh, acb);
+                ret = qcow2_schedule_bh(qcow2_aio_read_bh, acb);
                 if (ret < 0)
                     goto done;
             }
         } else {
             /* Note: in this case, no need to wait */
             qemu_iovec_memset(&acb->hd_qiov, 0, 512 * acb->cur_nr_sectors);
-            ret = qcow_schedule_bh(qcow_aio_read_bh, acb);
+            ret = qcow2_schedule_bh(qcow2_aio_read_bh, acb);
             if (ret < 0)
                 goto done;
         }
@@ -471,7 +471,7 @@ static void qcow_aio_read_cb(void *opaque, int ret)
             s->cluster_cache + index_in_cluster * 512,
             512 * acb->cur_nr_sectors);
 
-        ret = qcow_schedule_bh(qcow_aio_read_bh, acb);
+        ret = qcow2_schedule_bh(qcow2_aio_read_bh, acb);
         if (ret < 0)
             goto done;
     } else {
@@ -501,7 +501,7 @@ static void qcow_aio_read_cb(void *opaque, int ret)
         acb->hd_aiocb = bdrv_aio_readv(bs->file,
                             (acb->cluster_offset >> 9) + index_in_cluster,
                             &acb->hd_qiov, acb->cur_nr_sectors,
-                            qcow_aio_read_cb, acb);
+                            qcow2_aio_read_cb, acb);
         if (acb->hd_aiocb == NULL) {
             ret = -EIO;
             goto done;
@@ -515,13 +515,14 @@ done:
     qemu_aio_release(acb);
 }
 
-static QCowAIOCB *qcow_aio_setup(BlockDriverState *bs,
-        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
-        BlockDriverCompletionFunc *cb, void *opaque, int is_write)
+static QCowAIOCB *qcow2_aio_setup(BlockDriverState *bs, int64_t sector_num,
+                                  QEMUIOVector *qiov, int nb_sectors,
+                                  BlockDriverCompletionFunc *cb,
+                                  void *opaque, int is_write)
 {
     QCowAIOCB *acb;
 
-    acb = qemu_aio_get(&qcow_aio_pool, bs, cb, opaque);
+    acb = qemu_aio_get(&qcow2_aio_pool, bs, cb, opaque);
     if (!acb)
         return NULL;
     acb->hd_aiocb = NULL;
@@ -539,21 +540,23 @@ static QCowAIOCB *qcow_aio_setup(BlockDriverState *bs,
     return acb;
 }
 
-static BlockDriverAIOCB *qcow_aio_readv(BlockDriverState *bs,
-        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
-        BlockDriverCompletionFunc *cb, void *opaque)
+static BlockDriverAIOCB *qcow2_aio_readv(BlockDriverState *bs,
+                                         int64_t sector_num,
+                                         QEMUIOVector *qiov, int nb_sectors,
+                                         BlockDriverCompletionFunc *cb,
+                                         void *opaque)
 {
     QCowAIOCB *acb;
 
-    acb = qcow_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, 0);
+    acb = qcow2_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, 0);
     if (!acb)
         return NULL;
 
-    qcow_aio_read_cb(acb, 0);
+    qcow2_aio_read_cb(acb, 0);
     return &acb->common;
 }
 
-static void qcow_aio_write_cb(void *opaque, int ret);
+static void qcow2_aio_write_cb(void *opaque, int ret);
 
 static void run_dependent_requests(QCowL2Meta *m)
 {
@@ -567,14 +570,14 @@ static void run_dependent_requests(QCowL2Meta *m)
 
     /* Restart all dependent requests */
     QLIST_FOREACH_SAFE(req, &m->dependent_requests, next_depend, next) {
-        qcow_aio_write_cb(req, 0);
+        qcow2_aio_write_cb(req, 0);
     }
 
     /* Empty the list for the next part of the request */
     QLIST_INIT(&m->dependent_requests);
 }
 
-static void qcow_aio_write_cb(void *opaque, int ret)
+static void qcow2_aio_write_cb(void *opaque, int ret)
 {
     QCowAIOCB *acb = opaque;
     BlockDriverState *bs = acb->common.bs;
@@ -651,7 +654,7 @@ static void qcow_aio_write_cb(void *opaque, int ret)
     acb->hd_aiocb = bdrv_aio_writev(bs->file,
                                     (acb->cluster_offset >> 9) + index_in_cluster,
                                     &acb->hd_qiov, acb->cur_nr_sectors,
-                                    qcow_aio_write_cb, acb);
+                                    qcow2_aio_write_cb, acb);
     if (acb->hd_aiocb == NULL) {
         ret = -EIO;
         goto fail;
@@ -669,24 +672,26 @@ done:
     qemu_aio_release(acb);
 }
 
-static BlockDriverAIOCB *qcow_aio_writev(BlockDriverState *bs,
-        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
-        BlockDriverCompletionFunc *cb, void *opaque)
+static BlockDriverAIOCB *qcow2_aio_writev(BlockDriverState *bs,
+                                          int64_t sector_num,
+                                          QEMUIOVector *qiov, int nb_sectors,
+                                          BlockDriverCompletionFunc *cb,
+                                          void *opaque)
 {
     BDRVQcowState *s = bs->opaque;
     QCowAIOCB *acb;
 
     s->cluster_cache_offset = -1; /* disable compressed cache */
 
-    acb = qcow_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, 1);
+    acb = qcow2_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, 1);
     if (!acb)
         return NULL;
 
-    qcow_aio_write_cb(acb, 0);
+    qcow2_aio_write_cb(acb, 0);
     return &acb->common;
 }
 
-static void qcow_close(BlockDriverState *bs)
+static void qcow2_close(BlockDriverState *bs)
 {
     BDRVQcowState *s = bs->opaque;
     qemu_free(s->l1_table);
@@ -721,7 +726,7 @@ static int qcow2_update_ext_header(BlockDriverState *bs,
     /* Prepare the backing file format extension if needed */
     if (backing_fmt) {
         ext_backing_fmt.len = cpu_to_be32(strlen(backing_fmt));
-        ext_backing_fmt.magic = cpu_to_be32(QCOW_EXT_MAGIC_BACKING_FORMAT);
+        ext_backing_fmt.magic = cpu_to_be32(QCOW2_EXT_MAGIC_BACKING_FORMAT);
         backing_fmt_len = ((sizeof(ext_backing_fmt)
             + strlen(backing_fmt) + 7) & ~7);
     }
@@ -848,10 +853,10 @@ static int preallocate(BlockDriverState *bs)
     return 0;
 }
 
-static int qcow_create2(const char *filename, int64_t total_size,
-                        const char *backing_file, const char *backing_format,
-                        int flags, size_t cluster_size, int prealloc,
-                        QEMUOptionParameter *options)
+static int qcow2_create2(const char *filename, int64_t total_size,
+                         const char *backing_file, const char *backing_format,
+                         int flags, size_t cluster_size, int prealloc,
+                         QEMUOptionParameter *options)
 {
     /* Calulate cluster_bits */
     int cluster_bits;
@@ -974,7 +979,7 @@ out:
     return ret;
 }
 
-static int qcow_create(const char *filename, QEMUOptionParameter *options)
+static int qcow2_create(const char *filename, QEMUOptionParameter *options)
 {
     const char *backing_file = NULL;
     const char *backing_fmt = NULL;
@@ -1017,11 +1022,11 @@ static int qcow_create(const char *filename, QEMUOptionParameter *options)
         return -EINVAL;
     }
 
-    return qcow_create2(filename, sectors, backing_file, backing_fmt, flags,
-        cluster_size, prealloc, options);
+    return qcow2_create2(filename, sectors, backing_file, backing_fmt, flags,
+                         cluster_size, prealloc, options);
 }
 
-static int qcow_make_empty(BlockDriverState *bs)
+static int qcow2_make_empty(BlockDriverState *bs)
 {
 #if 0
     /* XXX: not correct */
@@ -1080,8 +1085,8 @@ static int qcow2_truncate(BlockDriverState *bs, int64_t offset)
 
 /* XXX: put compressed sectors first, then all the cluster aligned
    tables to avoid losing bytes in alignment */
-static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
-                                 const uint8_t *buf, int nb_sectors)
+static int qcow2_write_compressed(BlockDriverState *bs, int64_t sector_num,
+                                  const uint8_t *buf, int nb_sectors)
 {
     BDRVQcowState *s = bs->opaque;
     z_stream strm;
@@ -1148,32 +1153,33 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
     return 0;
 }
 
-static int qcow_flush(BlockDriverState *bs)
+static int qcow2_flush(BlockDriverState *bs)
 {
     return bdrv_flush(bs->file);
 }
 
-static BlockDriverAIOCB *qcow_aio_flush(BlockDriverState *bs,
-         BlockDriverCompletionFunc *cb, void *opaque)
+static BlockDriverAIOCB *qcow2_aio_flush(BlockDriverState *bs,
+                                         BlockDriverCompletionFunc *cb,
+                                         void *opaque)
 {
     return bdrv_aio_flush(bs->file, cb, opaque);
 }
 
-static int64_t qcow_vm_state_offset(BDRVQcowState *s)
+static int64_t qcow2_vm_state_offset(BDRVQcowState *s)
 {
 	return (int64_t)s->l1_vm_state_index << (s->cluster_bits + s->l2_bits);
 }
 
-static int qcow_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
+static int qcow2_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
 {
     BDRVQcowState *s = bs->opaque;
     bdi->cluster_size = s->cluster_size;
-    bdi->vm_state_offset = qcow_vm_state_offset(s);
+    bdi->vm_state_offset = qcow2_vm_state_offset(s);
     return 0;
 }
 
 
-static int qcow_check(BlockDriverState *bs, BdrvCheckResult *result)
+static int qcow2_check(BlockDriverState *bs, BdrvCheckResult *result)
 {
     return qcow2_check_refcounts(bs, result);
 }
@@ -1199,8 +1205,8 @@ static void dump_refcounts(BlockDriverState *bs)
 }
 #endif
 
-static int qcow_save_vmstate(BlockDriverState *bs, const uint8_t *buf,
-                           int64_t pos, int size)
+static int qcow2_save_vmstate(BlockDriverState *bs, const uint8_t *buf,
+                              int64_t pos, int size)
 {
     BDRVQcowState *s = bs->opaque;
     int growable = bs->growable;
@@ -1208,14 +1214,14 @@ static int qcow_save_vmstate(BlockDriverState *bs, const uint8_t *buf,
 
     BLKDBG_EVENT(bs->file, BLKDBG_VMSTATE_SAVE);
     bs->growable = 1;
-    ret = bdrv_pwrite(bs, qcow_vm_state_offset(s) + pos, buf, size);
+    ret = bdrv_pwrite(bs, qcow2_vm_state_offset(s) + pos, buf, size);
     bs->growable = growable;
 
     return ret;
 }
 
-static int qcow_load_vmstate(BlockDriverState *bs, uint8_t *buf,
-                           int64_t pos, int size)
+static int qcow2_load_vmstate(BlockDriverState *bs, uint8_t *buf,
+                              int64_t pos, int size)
 {
     BDRVQcowState *s = bs->opaque;
     int growable = bs->growable;
@@ -1223,13 +1229,13 @@ static int qcow_load_vmstate(BlockDriverState *bs, uint8_t *buf,
 
     BLKDBG_EVENT(bs->file, BLKDBG_VMSTATE_LOAD);
     bs->growable = 1;
-    ret = bdrv_pread(bs, qcow_vm_state_offset(s) + pos, buf, size);
+    ret = bdrv_pread(bs, qcow2_vm_state_offset(s) + pos, buf, size);
     bs->growable = growable;
 
     return ret;
 }
 
-static QEMUOptionParameter qcow_create_options[] = {
+static QEMUOptionParameter qcow2_create_options[] = {
     {
         .name = BLOCK_OPT_SIZE,
         .type = OPT_SIZE,
@@ -1264,38 +1270,38 @@ static QEMUOptionParameter qcow_create_options[] = {
 };
 
 static BlockDriver bdrv_qcow2 = {
-    .format_name	= "qcow2",
-    .instance_size	= sizeof(BDRVQcowState),
-    .bdrv_probe		= qcow_probe,
-    .bdrv_open		= qcow_open,
-    .bdrv_close		= qcow_close,
-    .bdrv_create	= qcow_create,
-    .bdrv_flush		= qcow_flush,
-    .bdrv_is_allocated	= qcow_is_allocated,
-    .bdrv_set_key	= qcow_set_key,
-    .bdrv_make_empty	= qcow_make_empty,
-
-    .bdrv_aio_readv	= qcow_aio_readv,
-    .bdrv_aio_writev	= qcow_aio_writev,
-    .bdrv_aio_flush	= qcow_aio_flush,
+    .format_name        = "qcow2",
+    .instance_size      = sizeof(BDRVQcowState),
+    .bdrv_probe         = qcow2_probe,
+    .bdrv_open          = qcow2_open,
+    .bdrv_close         = qcow2_close,
+    .bdrv_create        = qcow2_create,
+    .bdrv_flush         = qcow2_flush,
+    .bdrv_is_allocated  = qcow2_is_allocated,
+    .bdrv_set_key       = qcow2_set_key,
+    .bdrv_make_empty    = qcow2_make_empty,
+
+    .bdrv_aio_readv     = qcow2_aio_readv,
+    .bdrv_aio_writev    = qcow2_aio_writev,
+    .bdrv_aio_flush     = qcow2_aio_flush,
 
     .bdrv_truncate          = qcow2_truncate,
-    .bdrv_write_compressed  = qcow_write_compressed,
+    .bdrv_write_compressed  = qcow2_write_compressed,
 
     .bdrv_snapshot_create   = qcow2_snapshot_create,
     .bdrv_snapshot_goto     = qcow2_snapshot_goto,
     .bdrv_snapshot_delete   = qcow2_snapshot_delete,
     .bdrv_snapshot_list     = qcow2_snapshot_list,
     .bdrv_snapshot_load_tmp     = qcow2_snapshot_load_tmp,
-    .bdrv_get_info	= qcow_get_info,
+    .bdrv_get_info      = qcow2_get_info,
 
-    .bdrv_save_vmstate    = qcow_save_vmstate,
-    .bdrv_load_vmstate    = qcow_load_vmstate,
+    .bdrv_save_vmstate    = qcow2_save_vmstate,
+    .bdrv_load_vmstate    = qcow2_load_vmstate,
 
     .bdrv_change_backing_file   = qcow2_change_backing_file,
 
-    .create_options = qcow_create_options,
-    .bdrv_check = qcow_check,
+    .create_options = qcow2_create_options,
+    .bdrv_check = qcow2_check,
 };
 
 static void bdrv_qcow2_init(void)
commit 01979a98d75b49c2acbbbb71521c285f8d8f9fb7
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Dec 6 16:08:03 2010 +0000

    qed: Consistency check support
    
    This patch adds support for the qemu-img check command.  It also
    introduces a dirty bit in the qed header to mark modified images as
    needing a check.  This bit is cleared when the image file is closed
    cleanly.
    
    If an image file is opened and it has the dirty bit set, a consistency
    check will run and try to fix corrupted table offsets.  These
    corruptions may occur if there is power loss while an allocating write
    is performed.  Once the image is fixed it opens as normal again.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qed-check.c b/block/qed-check.c
new file mode 100644
index 0000000..4600932
--- /dev/null
+++ b/block/qed-check.c
@@ -0,0 +1,210 @@
+/*
+ * QEMU Enhanced Disk Format Consistency Check
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha at linux.vnet.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+#include "qed.h"
+
+typedef struct {
+    BDRVQEDState *s;
+    BdrvCheckResult *result;
+    bool fix;                           /* whether to fix invalid offsets */
+
+    size_t nclusters;
+    uint32_t *used_clusters;            /* referenced cluster bitmap */
+
+    QEDRequest request;
+} QEDCheck;
+
+static bool qed_test_bit(uint32_t *bitmap, uint64_t n) {
+    return !!(bitmap[n / 32] & (1 << (n % 32)));
+}
+
+static void qed_set_bit(uint32_t *bitmap, uint64_t n) {
+    bitmap[n / 32] |= 1 << (n % 32);
+}
+
+/**
+ * Set bitmap bits for clusters
+ *
+ * @check:          Check structure
+ * @offset:         Starting offset in bytes
+ * @n:              Number of clusters
+ */
+static bool qed_set_used_clusters(QEDCheck *check, uint64_t offset,
+                                  unsigned int n)
+{
+    uint64_t cluster = qed_bytes_to_clusters(check->s, offset);
+    unsigned int corruptions = 0;
+
+    while (n-- != 0) {
+        /* Clusters should only be referenced once */
+        if (qed_test_bit(check->used_clusters, cluster)) {
+            corruptions++;
+        }
+
+        qed_set_bit(check->used_clusters, cluster);
+        cluster++;
+    }
+
+    check->result->corruptions += corruptions;
+    return corruptions == 0;
+}
+
+/**
+ * Check an L2 table
+ *
+ * @ret:            Number of invalid cluster offsets
+ */
+static unsigned int qed_check_l2_table(QEDCheck *check, QEDTable *table)
+{
+    BDRVQEDState *s = check->s;
+    unsigned int i, num_invalid = 0;
+
+    for (i = 0; i < s->table_nelems; i++) {
+        uint64_t offset = table->offsets[i];
+
+        if (!offset) {
+            continue;
+        }
+
+        /* Detect invalid cluster offset */
+        if (!qed_check_cluster_offset(s, offset)) {
+            if (check->fix) {
+                table->offsets[i] = 0;
+            } else {
+                check->result->corruptions++;
+            }
+
+            num_invalid++;
+            continue;
+        }
+
+        qed_set_used_clusters(check, offset, 1);
+    }
+
+    return num_invalid;
+}
+
+/**
+ * Descend tables and check each cluster is referenced once only
+ */
+static int qed_check_l1_table(QEDCheck *check, QEDTable *table)
+{
+    BDRVQEDState *s = check->s;
+    unsigned int i, num_invalid_l1 = 0;
+    int ret, last_error = 0;
+
+    /* Mark L1 table clusters used */
+    qed_set_used_clusters(check, s->header.l1_table_offset,
+                          s->header.table_size);
+
+    for (i = 0; i < s->table_nelems; i++) {
+        unsigned int num_invalid_l2;
+        uint64_t offset = table->offsets[i];
+
+        if (!offset) {
+            continue;
+        }
+
+        /* Detect invalid L2 offset */
+        if (!qed_check_table_offset(s, offset)) {
+            /* Clear invalid offset */
+            if (check->fix) {
+                table->offsets[i] = 0;
+            } else {
+                check->result->corruptions++;
+            }
+
+            num_invalid_l1++;
+            continue;
+        }
+
+        if (!qed_set_used_clusters(check, offset, s->header.table_size)) {
+            continue; /* skip an invalid table */
+        }
+
+        ret = qed_read_l2_table_sync(s, &check->request, offset);
+        if (ret) {
+            check->result->check_errors++;
+            last_error = ret;
+            continue;
+        }
+
+        num_invalid_l2 = qed_check_l2_table(check,
+                                            check->request.l2_table->table);
+
+        /* Write out fixed L2 table */
+        if (num_invalid_l2 > 0 && check->fix) {
+            ret = qed_write_l2_table_sync(s, &check->request, 0,
+                                          s->table_nelems, false);
+            if (ret) {
+                check->result->check_errors++;
+                last_error = ret;
+                continue;
+            }
+        }
+    }
+
+    /* Drop reference to final table */
+    qed_unref_l2_cache_entry(check->request.l2_table);
+    check->request.l2_table = NULL;
+
+    /* Write out fixed L1 table */
+    if (num_invalid_l1 > 0 && check->fix) {
+        ret = qed_write_l1_table_sync(s, 0, s->table_nelems);
+        if (ret) {
+            check->result->check_errors++;
+            last_error = ret;
+        }
+    }
+
+    return last_error;
+}
+
+/**
+ * Check for unreferenced (leaked) clusters
+ */
+static void qed_check_for_leaks(QEDCheck *check)
+{
+    BDRVQEDState *s = check->s;
+    size_t i;
+
+    for (i = s->header.header_size; i < check->nclusters; i++) {
+        if (!qed_test_bit(check->used_clusters, i)) {
+            check->result->leaks++;
+        }
+    }
+}
+
+int qed_check(BDRVQEDState *s, BdrvCheckResult *result, bool fix)
+{
+    QEDCheck check = {
+        .s = s,
+        .result = result,
+        .nclusters = qed_bytes_to_clusters(s, s->file_size),
+        .request = { .l2_table = NULL },
+        .fix = fix,
+    };
+    int ret;
+
+    check.used_clusters = qemu_mallocz(((check.nclusters + 31) / 32) *
+                                       sizeof(check.used_clusters[0]));
+
+    ret = qed_check_l1_table(&check, s->l1_table);
+    if (ret == 0) {
+        /* Only check for leaks if entire image was scanned successfully */
+        qed_check_for_leaks(&check);
+    }
+
+    qemu_free(check.used_clusters);
+    return ret;
+}
diff --git a/block/qed.c b/block/qed.c
index 8e65d18..085c4f2 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -99,6 +99,81 @@ static int qed_write_header_sync(BDRVQEDState *s)
     return 0;
 }
 
+typedef struct {
+    GenericCB gencb;
+    BDRVQEDState *s;
+    struct iovec iov;
+    QEMUIOVector qiov;
+    int nsectors;
+    uint8_t *buf;
+} QEDWriteHeaderCB;
+
+static void qed_write_header_cb(void *opaque, int ret)
+{
+    QEDWriteHeaderCB *write_header_cb = opaque;
+
+    qemu_vfree(write_header_cb->buf);
+    gencb_complete(write_header_cb, ret);
+}
+
+static void qed_write_header_read_cb(void *opaque, int ret)
+{
+    QEDWriteHeaderCB *write_header_cb = opaque;
+    BDRVQEDState *s = write_header_cb->s;
+    BlockDriverAIOCB *acb;
+
+    if (ret) {
+        qed_write_header_cb(write_header_cb, ret);
+        return;
+    }
+
+    /* Update header */
+    qed_header_cpu_to_le(&s->header, (QEDHeader *)write_header_cb->buf);
+
+    acb = bdrv_aio_writev(s->bs->file, 0, &write_header_cb->qiov,
+                          write_header_cb->nsectors, qed_write_header_cb,
+                          write_header_cb);
+    if (!acb) {
+        qed_write_header_cb(write_header_cb, -EIO);
+    }
+}
+
+/**
+ * Update header in-place (does not rewrite backing filename or other strings)
+ *
+ * This function only updates known header fields in-place and does not affect
+ * extra data after the QED header.
+ */
+static void qed_write_header(BDRVQEDState *s, BlockDriverCompletionFunc cb,
+                             void *opaque)
+{
+    /* We must write full sectors for O_DIRECT but cannot necessarily generate
+     * the data following the header if an unrecognized compat feature is
+     * active.  Therefore, first read the sectors containing the header, update
+     * them, and write back.
+     */
+
+    BlockDriverAIOCB *acb;
+    int nsectors = (sizeof(QEDHeader) + BDRV_SECTOR_SIZE - 1) /
+                   BDRV_SECTOR_SIZE;
+    size_t len = nsectors * BDRV_SECTOR_SIZE;
+    QEDWriteHeaderCB *write_header_cb = gencb_alloc(sizeof(*write_header_cb),
+                                                    cb, opaque);
+
+    write_header_cb->s = s;
+    write_header_cb->nsectors = nsectors;
+    write_header_cb->buf = qemu_blockalign(s->bs, len);
+    write_header_cb->iov.iov_base = write_header_cb->buf;
+    write_header_cb->iov.iov_len = len;
+    qemu_iovec_init_external(&write_header_cb->qiov, &write_header_cb->iov, 1);
+
+    acb = bdrv_aio_readv(s->bs->file, 0, &write_header_cb->qiov, nsectors,
+                         qed_write_header_read_cb, write_header_cb);
+    if (!acb) {
+        qed_write_header_cb(write_header_cb, -EIO);
+    }
+}
+
 static uint64_t qed_max_image_size(uint32_t cluster_size, uint32_t table_size)
 {
     uint64_t table_entries;
@@ -310,6 +385,32 @@ static int bdrv_qed_open(BlockDriverState *bs, int flags)
 
     ret = qed_read_l1_table_sync(s);
     if (ret) {
+        goto out;
+    }
+
+    /* If image was not closed cleanly, check consistency */
+    if (s->header.features & QED_F_NEED_CHECK) {
+        /* Read-only images cannot be fixed.  There is no risk of corruption
+         * since write operations are not possible.  Therefore, allow
+         * potentially inconsistent images to be opened read-only.  This can
+         * aid data recovery from an otherwise inconsistent image.
+         */
+        if (!bdrv_is_read_only(bs->file)) {
+            BdrvCheckResult result = {0};
+
+            ret = qed_check(s, &result, true);
+            if (!ret && !result.corruptions && !result.check_errors) {
+                /* Ensure fixes reach storage before clearing check bit */
+                bdrv_flush(s->bs);
+
+                s->header.features &= ~QED_F_NEED_CHECK;
+                qed_write_header_sync(s);
+            }
+        }
+    }
+
+out:
+    if (ret) {
         qed_free_l2_cache(&s->l2_cache);
         qemu_vfree(s->l1_table);
     }
@@ -320,6 +421,15 @@ static void bdrv_qed_close(BlockDriverState *bs)
 {
     BDRVQEDState *s = bs->opaque;
 
+    /* Ensure writes reach stable storage */
+    bdrv_flush(bs->file);
+
+    /* Clean shutdown, no check required on next open */
+    if (s->header.features & QED_F_NEED_CHECK) {
+        s->header.features &= ~QED_F_NEED_CHECK;
+        qed_write_header_sync(s);
+    }
+
     qed_free_l2_cache(&s->l2_cache);
     qemu_vfree(s->l1_table);
 }
@@ -885,8 +995,15 @@ static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
     acb->cur_cluster = qed_alloc_clusters(s, acb->cur_nclusters);
     qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
 
-    /* Write new cluster */
-    qed_aio_write_prefill(acb, 0);
+    /* Write new cluster if the image is already marked dirty */
+    if (s->header.features & QED_F_NEED_CHECK) {
+        qed_aio_write_prefill(acb, 0);
+        return;
+    }
+
+    /* Mark the image dirty before writing the new cluster */
+    s->header.features |= QED_F_NEED_CHECK;
+    qed_write_header(s, qed_aio_write_prefill, acb);
 }
 
 /**
@@ -1172,7 +1289,9 @@ static int bdrv_qed_change_backing_file(BlockDriverState *bs,
 
 static int bdrv_qed_check(BlockDriverState *bs, BdrvCheckResult *result)
 {
-    return -ENOTSUP;
+    BDRVQEDState *s = bs->opaque;
+
+    return qed_check(s, result, false);
 }
 
 static QEMUOptionParameter qed_create_options[] = {
diff --git a/block/qed.h b/block/qed.h
index 046a410..2925e37 100644
--- a/block/qed.h
+++ b/block/qed.h
@@ -50,11 +50,15 @@ enum {
     /* The image supports a backing file */
     QED_F_BACKING_FILE = 0x01,
 
+    /* The image needs a consistency check before use */
+    QED_F_NEED_CHECK = 0x02,
+
     /* The backing file format must not be probed, treat as raw image */
     QED_F_BACKING_FORMAT_NO_PROBE = 0x04,
 
     /* Feature bits must be used when the on-disk format changes */
     QED_FEATURE_MASK = QED_F_BACKING_FILE | /* supported feature bits */
+                       QED_F_NEED_CHECK |
                        QED_F_BACKING_FORMAT_NO_PROBE,
     QED_COMPAT_FEATURE_MASK = 0,            /* supported compat feature bits */
     QED_AUTOCLEAR_FEATURE_MASK = 0,         /* supported autoclear feature bits */
commit eabba580e6bb8d6b969c1368c6f90d72b4cde4f4
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Dec 6 16:08:02 2010 +0000

    qed: Read/write support
    
    This patch implements the read/write state machine.  Operations are
    fully asynchronous and multiple operations may be active at any time.
    
    Allocating writes lock tables to ensure metadata updates do not
    interfere with each other.  If two allocating writes need to update the
    same L2 table they will run sequentially.  If two allocating writes need
    to update different L2 tables they will run in parallel.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 1860152..d6b3d60 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -21,6 +21,7 @@ block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
 block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
 block-nested-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
+block-nested-y += qed-check.o
 block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
 block-nested-$(CONFIG_WIN32) += raw-win32.o
 block-nested-$(CONFIG_POSIX) += raw-posix.o
diff --git a/block/qed.c b/block/qed.c
index cd1bead..8e65d18 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -12,8 +12,26 @@
  *
  */
 
+#include "trace.h"
 #include "qed.h"
 
+static void qed_aio_cancel(BlockDriverAIOCB *blockacb)
+{
+    QEDAIOCB *acb = (QEDAIOCB *)blockacb;
+    bool finished = false;
+
+    /* Wait for the request to finish */
+    acb->finished = &finished;
+    while (!finished) {
+        qemu_aio_wait();
+    }
+}
+
+static AIOPool qed_aio_pool = {
+    .aiocb_size         = sizeof(QEDAIOCB),
+    .cancel             = qed_aio_cancel,
+};
+
 static int bdrv_qed_probe(const uint8_t *buf, int buf_size,
                           const char *filename)
 {
@@ -155,6 +173,24 @@ static int qed_read_string(BlockDriverState *file, uint64_t offset, size_t n,
     return 0;
 }
 
+/**
+ * Allocate new clusters
+ *
+ * @s:          QED state
+ * @n:          Number of contiguous clusters to allocate
+ * @ret:        Offset of first allocated cluster
+ *
+ * This function only produces the offset where the new clusters should be
+ * written.  It updates BDRVQEDState but does not make any changes to the image
+ * file.
+ */
+static uint64_t qed_alloc_clusters(BDRVQEDState *s, unsigned int n)
+{
+    uint64_t offset = s->file_size;
+    s->file_size += n * s->header.cluster_size;
+    return offset;
+}
+
 QEDTable *qed_alloc_table(BDRVQEDState *s)
 {
     /* Honor O_DIRECT memory alignment requirements */
@@ -162,6 +198,23 @@ QEDTable *qed_alloc_table(BDRVQEDState *s)
                            s->header.cluster_size * s->header.table_size);
 }
 
+/**
+ * Allocate a new zeroed L2 table
+ */
+static CachedL2Table *qed_new_l2_table(BDRVQEDState *s)
+{
+    CachedL2Table *l2_table = qed_alloc_l2_cache_entry(&s->l2_cache);
+
+    l2_table->table = qed_alloc_table(s);
+    l2_table->offset = qed_alloc_clusters(s, s->header.table_size);
+
+    memset(l2_table->table->offsets, 0,
+           s->header.cluster_size * s->header.table_size);
+    return l2_table;
+}
+
+static void qed_aio_next_io(void *opaque, int ret);
+
 static int bdrv_qed_open(BlockDriverState *bs, int flags)
 {
     BDRVQEDState *s = bs->opaque;
@@ -170,6 +223,7 @@ static int bdrv_qed_open(BlockDriverState *bs, int flags)
     int ret;
 
     s->bs = bs;
+    QSIMPLEQ_INIT(&s->allocating_write_reqs);
 
     ret = bdrv_pread(bs->file, 0, &le_header, sizeof(le_header));
     if (ret < 0) {
@@ -431,13 +485,583 @@ static int bdrv_qed_make_empty(BlockDriverState *bs)
     return -ENOTSUP;
 }
 
+static BDRVQEDState *acb_to_s(QEDAIOCB *acb)
+{
+    return acb->common.bs->opaque;
+}
+
+/**
+ * Read from the backing file or zero-fill if no backing file
+ *
+ * @s:          QED state
+ * @pos:        Byte position in device
+ * @qiov:       Destination I/O vector
+ * @cb:         Completion function
+ * @opaque:     User data for completion function
+ *
+ * This function reads qiov->size bytes starting at pos from the backing file.
+ * If there is no backing file then zeroes are read.
+ */
+static void qed_read_backing_file(BDRVQEDState *s, uint64_t pos,
+                                  QEMUIOVector *qiov,
+                                  BlockDriverCompletionFunc *cb, void *opaque)
+{
+    BlockDriverAIOCB *aiocb;
+    uint64_t backing_length = 0;
+    size_t size;
+
+    /* If there is a backing file, get its length.  Treat the absence of a
+     * backing file like a zero length backing file.
+     */
+    if (s->bs->backing_hd) {
+        int64_t l = bdrv_getlength(s->bs->backing_hd);
+        if (l < 0) {
+            cb(opaque, l);
+            return;
+        }
+        backing_length = l;
+    }
+
+    /* Zero all sectors if reading beyond the end of the backing file */
+    if (pos >= backing_length ||
+        pos + qiov->size > backing_length) {
+        qemu_iovec_memset(qiov, 0, qiov->size);
+    }
+
+    /* Complete now if there are no backing file sectors to read */
+    if (pos >= backing_length) {
+        cb(opaque, 0);
+        return;
+    }
+
+    /* If the read straddles the end of the backing file, shorten it */
+    size = MIN((uint64_t)backing_length - pos, qiov->size);
+
+    BLKDBG_EVENT(s->bs->file, BLKDBG_READ_BACKING);
+    aiocb = bdrv_aio_readv(s->bs->backing_hd, pos / BDRV_SECTOR_SIZE,
+                           qiov, size / BDRV_SECTOR_SIZE, cb, opaque);
+    if (!aiocb) {
+        cb(opaque, -EIO);
+    }
+}
+
+typedef struct {
+    GenericCB gencb;
+    BDRVQEDState *s;
+    QEMUIOVector qiov;
+    struct iovec iov;
+    uint64_t offset;
+} CopyFromBackingFileCB;
+
+static void qed_copy_from_backing_file_cb(void *opaque, int ret)
+{
+    CopyFromBackingFileCB *copy_cb = opaque;
+    qemu_vfree(copy_cb->iov.iov_base);
+    gencb_complete(&copy_cb->gencb, ret);
+}
+
+static void qed_copy_from_backing_file_write(void *opaque, int ret)
+{
+    CopyFromBackingFileCB *copy_cb = opaque;
+    BDRVQEDState *s = copy_cb->s;
+    BlockDriverAIOCB *aiocb;
+
+    if (ret) {
+        qed_copy_from_backing_file_cb(copy_cb, ret);
+        return;
+    }
+
+    BLKDBG_EVENT(s->bs->file, BLKDBG_COW_WRITE);
+    aiocb = bdrv_aio_writev(s->bs->file, copy_cb->offset / BDRV_SECTOR_SIZE,
+                            &copy_cb->qiov,
+                            copy_cb->qiov.size / BDRV_SECTOR_SIZE,
+                            qed_copy_from_backing_file_cb, copy_cb);
+    if (!aiocb) {
+        qed_copy_from_backing_file_cb(copy_cb, -EIO);
+    }
+}
+
+/**
+ * Copy data from backing file into the image
+ *
+ * @s:          QED state
+ * @pos:        Byte position in device
+ * @len:        Number of bytes
+ * @offset:     Byte offset in image file
+ * @cb:         Completion function
+ * @opaque:     User data for completion function
+ */
+static void qed_copy_from_backing_file(BDRVQEDState *s, uint64_t pos,
+                                       uint64_t len, uint64_t offset,
+                                       BlockDriverCompletionFunc *cb,
+                                       void *opaque)
+{
+    CopyFromBackingFileCB *copy_cb;
+
+    /* Skip copy entirely if there is no work to do */
+    if (len == 0) {
+        cb(opaque, 0);
+        return;
+    }
+
+    copy_cb = gencb_alloc(sizeof(*copy_cb), cb, opaque);
+    copy_cb->s = s;
+    copy_cb->offset = offset;
+    copy_cb->iov.iov_base = qemu_blockalign(s->bs, len);
+    copy_cb->iov.iov_len = len;
+    qemu_iovec_init_external(&copy_cb->qiov, &copy_cb->iov, 1);
+
+    qed_read_backing_file(s, pos, &copy_cb->qiov,
+                          qed_copy_from_backing_file_write, copy_cb);
+}
+
+/**
+ * Link one or more contiguous clusters into a table
+ *
+ * @s:              QED state
+ * @table:          L2 table
+ * @index:          First cluster index
+ * @n:              Number of contiguous clusters
+ * @cluster:        First cluster byte offset in image file
+ */
+static void qed_update_l2_table(BDRVQEDState *s, QEDTable *table, int index,
+                                unsigned int n, uint64_t cluster)
+{
+    int i;
+    for (i = index; i < index + n; i++) {
+        table->offsets[i] = cluster;
+        cluster += s->header.cluster_size;
+    }
+}
+
+static void qed_aio_complete_bh(void *opaque)
+{
+    QEDAIOCB *acb = opaque;
+    BlockDriverCompletionFunc *cb = acb->common.cb;
+    void *user_opaque = acb->common.opaque;
+    int ret = acb->bh_ret;
+    bool *finished = acb->finished;
+
+    qemu_bh_delete(acb->bh);
+    qemu_aio_release(acb);
+
+    /* Invoke callback */
+    cb(user_opaque, ret);
+
+    /* Signal cancel completion */
+    if (finished) {
+        *finished = true;
+    }
+}
+
+static void qed_aio_complete(QEDAIOCB *acb, int ret)
+{
+    BDRVQEDState *s = acb_to_s(acb);
+
+    trace_qed_aio_complete(s, acb, ret);
+
+    /* Free resources */
+    qemu_iovec_destroy(&acb->cur_qiov);
+    qed_unref_l2_cache_entry(acb->request.l2_table);
+
+    /* Arrange for a bh to invoke the completion function */
+    acb->bh_ret = ret;
+    acb->bh = qemu_bh_new(qed_aio_complete_bh, acb);
+    qemu_bh_schedule(acb->bh);
+
+    /* Start next allocating write request waiting behind this one.  Note that
+     * requests enqueue themselves when they first hit an unallocated cluster
+     * but they wait until the entire request is finished before waking up the
+     * next request in the queue.  This ensures that we don't cycle through
+     * requests multiple times but rather finish one at a time completely.
+     */
+    if (acb == QSIMPLEQ_FIRST(&s->allocating_write_reqs)) {
+        QSIMPLEQ_REMOVE_HEAD(&s->allocating_write_reqs, next);
+        acb = QSIMPLEQ_FIRST(&s->allocating_write_reqs);
+        if (acb) {
+            qed_aio_next_io(acb, 0);
+        }
+    }
+}
+
+/**
+ * Commit the current L2 table to the cache
+ */
+static void qed_commit_l2_update(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    CachedL2Table *l2_table = acb->request.l2_table;
+
+    qed_commit_l2_cache_entry(&s->l2_cache, l2_table);
+
+    /* This is guaranteed to succeed because we just committed the entry to the
+     * cache.
+     */
+    acb->request.l2_table = qed_find_l2_cache_entry(&s->l2_cache,
+                                                    l2_table->offset);
+    assert(acb->request.l2_table != NULL);
+
+    qed_aio_next_io(opaque, ret);
+}
+
+/**
+ * Update L1 table with new L2 table offset and write it out
+ */
+static void qed_aio_write_l1_update(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    int index;
+
+    if (ret) {
+        qed_aio_complete(acb, ret);
+        return;
+    }
+
+    index = qed_l1_index(s, acb->cur_pos);
+    s->l1_table->offsets[index] = acb->request.l2_table->offset;
+
+    qed_write_l1_table(s, index, 1, qed_commit_l2_update, acb);
+}
+
+/**
+ * Update L2 table with new cluster offsets and write them out
+ */
+static void qed_aio_write_l2_update(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    bool need_alloc = acb->find_cluster_ret == QED_CLUSTER_L1;
+    int index;
+
+    if (ret) {
+        goto err;
+    }
+
+    if (need_alloc) {
+        qed_unref_l2_cache_entry(acb->request.l2_table);
+        acb->request.l2_table = qed_new_l2_table(s);
+    }
+
+    index = qed_l2_index(s, acb->cur_pos);
+    qed_update_l2_table(s, acb->request.l2_table->table, index, acb->cur_nclusters,
+                         acb->cur_cluster);
+
+    if (need_alloc) {
+        /* Write out the whole new L2 table */
+        qed_write_l2_table(s, &acb->request, 0, s->table_nelems, true,
+                            qed_aio_write_l1_update, acb);
+    } else {
+        /* Write out only the updated part of the L2 table */
+        qed_write_l2_table(s, &acb->request, index, acb->cur_nclusters, false,
+                            qed_aio_next_io, acb);
+    }
+    return;
+
+err:
+    qed_aio_complete(acb, ret);
+}
+
+/**
+ * Flush new data clusters before updating the L2 table
+ *
+ * This flush is necessary when a backing file is in use.  A crash during an
+ * allocating write could result in empty clusters in the image.  If the write
+ * only touched a subregion of the cluster, then backing image sectors have
+ * been lost in the untouched region.  The solution is to flush after writing a
+ * new data cluster and before updating the L2 table.
+ */
+static void qed_aio_write_flush_before_l2_update(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+
+    if (!bdrv_aio_flush(s->bs->file, qed_aio_write_l2_update, opaque)) {
+        qed_aio_complete(acb, -EIO);
+    }
+}
+
+/**
+ * Write data to the image file
+ */
+static void qed_aio_write_main(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    uint64_t offset = acb->cur_cluster +
+                      qed_offset_into_cluster(s, acb->cur_pos);
+    BlockDriverCompletionFunc *next_fn;
+    BlockDriverAIOCB *file_acb;
+
+    trace_qed_aio_write_main(s, acb, ret, offset, acb->cur_qiov.size);
+
+    if (ret) {
+        qed_aio_complete(acb, ret);
+        return;
+    }
+
+    if (acb->find_cluster_ret == QED_CLUSTER_FOUND) {
+        next_fn = qed_aio_next_io;
+    } else {
+        if (s->bs->backing_hd) {
+            next_fn = qed_aio_write_flush_before_l2_update;
+        } else {
+            next_fn = qed_aio_write_l2_update;
+        }
+    }
+
+    BLKDBG_EVENT(s->bs->file, BLKDBG_WRITE_AIO);
+    file_acb = bdrv_aio_writev(s->bs->file, offset / BDRV_SECTOR_SIZE,
+                               &acb->cur_qiov,
+                               acb->cur_qiov.size / BDRV_SECTOR_SIZE,
+                               next_fn, acb);
+    if (!file_acb) {
+        qed_aio_complete(acb, -EIO);
+    }
+}
+
+/**
+ * Populate back untouched region of new data cluster
+ */
+static void qed_aio_write_postfill(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    uint64_t start = acb->cur_pos + acb->cur_qiov.size;
+    uint64_t len =
+        qed_start_of_cluster(s, start + s->header.cluster_size - 1) - start;
+    uint64_t offset = acb->cur_cluster +
+                      qed_offset_into_cluster(s, acb->cur_pos) +
+                      acb->cur_qiov.size;
+
+    if (ret) {
+        qed_aio_complete(acb, ret);
+        return;
+    }
+
+    trace_qed_aio_write_postfill(s, acb, start, len, offset);
+    qed_copy_from_backing_file(s, start, len, offset,
+                                qed_aio_write_main, acb);
+}
+
+/**
+ * Populate front untouched region of new data cluster
+ */
+static void qed_aio_write_prefill(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    uint64_t start = qed_start_of_cluster(s, acb->cur_pos);
+    uint64_t len = qed_offset_into_cluster(s, acb->cur_pos);
+
+    trace_qed_aio_write_prefill(s, acb, start, len, acb->cur_cluster);
+    qed_copy_from_backing_file(s, start, len, acb->cur_cluster,
+                                qed_aio_write_postfill, acb);
+}
+
+/**
+ * Write new data cluster
+ *
+ * @acb:        Write request
+ * @len:        Length in bytes
+ *
+ * This path is taken when writing to previously unallocated clusters.
+ */
+static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
+{
+    BDRVQEDState *s = acb_to_s(acb);
+
+    /* Freeze this request if another allocating write is in progress */
+    if (acb != QSIMPLEQ_FIRST(&s->allocating_write_reqs)) {
+        QSIMPLEQ_INSERT_TAIL(&s->allocating_write_reqs, acb, next);
+    }
+    if (acb != QSIMPLEQ_FIRST(&s->allocating_write_reqs)) {
+        return; /* wait for existing request to finish */
+    }
+
+    acb->cur_nclusters = qed_bytes_to_clusters(s,
+            qed_offset_into_cluster(s, acb->cur_pos) + len);
+    acb->cur_cluster = qed_alloc_clusters(s, acb->cur_nclusters);
+    qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
+
+    /* Write new cluster */
+    qed_aio_write_prefill(acb, 0);
+}
+
+/**
+ * Write data cluster in place
+ *
+ * @acb:        Write request
+ * @offset:     Cluster offset in bytes
+ * @len:        Length in bytes
+ *
+ * This path is taken when writing to already allocated clusters.
+ */
+static void qed_aio_write_inplace(QEDAIOCB *acb, uint64_t offset, size_t len)
+{
+    /* Calculate the I/O vector */
+    acb->cur_cluster = offset;
+    qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
+
+    /* Do the actual write */
+    qed_aio_write_main(acb, 0);
+}
+
+/**
+ * Write data cluster
+ *
+ * @opaque:     Write request
+ * @ret:        QED_CLUSTER_FOUND, QED_CLUSTER_L2, QED_CLUSTER_L1,
+ *              or -errno
+ * @offset:     Cluster offset in bytes
+ * @len:        Length in bytes
+ *
+ * Callback from qed_find_cluster().
+ */
+static void qed_aio_write_data(void *opaque, int ret,
+                               uint64_t offset, size_t len)
+{
+    QEDAIOCB *acb = opaque;
+
+    trace_qed_aio_write_data(acb_to_s(acb), acb, ret, offset, len);
+
+    acb->find_cluster_ret = ret;
+
+    switch (ret) {
+    case QED_CLUSTER_FOUND:
+        qed_aio_write_inplace(acb, offset, len);
+        break;
+
+    case QED_CLUSTER_L2:
+    case QED_CLUSTER_L1:
+        qed_aio_write_alloc(acb, len);
+        break;
+
+    default:
+        qed_aio_complete(acb, ret);
+        break;
+    }
+}
+
+/**
+ * Read data cluster
+ *
+ * @opaque:     Read request
+ * @ret:        QED_CLUSTER_FOUND, QED_CLUSTER_L2, QED_CLUSTER_L1,
+ *              or -errno
+ * @offset:     Cluster offset in bytes
+ * @len:        Length in bytes
+ *
+ * Callback from qed_find_cluster().
+ */
+static void qed_aio_read_data(void *opaque, int ret,
+                              uint64_t offset, size_t len)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    BlockDriverState *bs = acb->common.bs;
+    BlockDriverAIOCB *file_acb;
+
+    /* Adjust offset into cluster */
+    offset += qed_offset_into_cluster(s, acb->cur_pos);
+
+    trace_qed_aio_read_data(s, acb, ret, offset, len);
+
+    if (ret < 0) {
+        goto err;
+    }
+
+    qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
+
+    /* Handle backing file and unallocated sparse hole reads */
+    if (ret != QED_CLUSTER_FOUND) {
+        qed_read_backing_file(s, acb->cur_pos, &acb->cur_qiov,
+                              qed_aio_next_io, acb);
+        return;
+    }
+
+    BLKDBG_EVENT(bs->file, BLKDBG_READ_AIO);
+    file_acb = bdrv_aio_readv(bs->file, offset / BDRV_SECTOR_SIZE,
+                              &acb->cur_qiov,
+                              acb->cur_qiov.size / BDRV_SECTOR_SIZE,
+                              qed_aio_next_io, acb);
+    if (!file_acb) {
+        ret = -EIO;
+        goto err;
+    }
+    return;
+
+err:
+    qed_aio_complete(acb, ret);
+}
+
+/**
+ * Begin next I/O or complete the request
+ */
+static void qed_aio_next_io(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    BDRVQEDState *s = acb_to_s(acb);
+    QEDFindClusterFunc *io_fn =
+        acb->is_write ? qed_aio_write_data : qed_aio_read_data;
+
+    trace_qed_aio_next_io(s, acb, ret, acb->cur_pos + acb->cur_qiov.size);
+
+    /* Handle I/O error */
+    if (ret) {
+        qed_aio_complete(acb, ret);
+        return;
+    }
+
+    acb->qiov_offset += acb->cur_qiov.size;
+    acb->cur_pos += acb->cur_qiov.size;
+    qemu_iovec_reset(&acb->cur_qiov);
+
+    /* Complete request */
+    if (acb->cur_pos >= acb->end_pos) {
+        qed_aio_complete(acb, 0);
+        return;
+    }
+
+    /* Find next cluster and start I/O */
+    qed_find_cluster(s, &acb->request,
+                      acb->cur_pos, acb->end_pos - acb->cur_pos,
+                      io_fn, acb);
+}
+
+static BlockDriverAIOCB *qed_aio_setup(BlockDriverState *bs,
+                                       int64_t sector_num,
+                                       QEMUIOVector *qiov, int nb_sectors,
+                                       BlockDriverCompletionFunc *cb,
+                                       void *opaque, bool is_write)
+{
+    QEDAIOCB *acb = qemu_aio_get(&qed_aio_pool, bs, cb, opaque);
+
+    trace_qed_aio_setup(bs->opaque, acb, sector_num, nb_sectors,
+                         opaque, is_write);
+
+    acb->is_write = is_write;
+    acb->finished = NULL;
+    acb->qiov = qiov;
+    acb->qiov_offset = 0;
+    acb->cur_pos = (uint64_t)sector_num * BDRV_SECTOR_SIZE;
+    acb->end_pos = acb->cur_pos + nb_sectors * BDRV_SECTOR_SIZE;
+    acb->request.l2_table = NULL;
+    qemu_iovec_init(&acb->cur_qiov, qiov->niov);
+
+    /* Start request */
+    qed_aio_next_io(acb, 0);
+    return &acb->common;
+}
+
 static BlockDriverAIOCB *bdrv_qed_aio_readv(BlockDriverState *bs,
                                             int64_t sector_num,
                                             QEMUIOVector *qiov, int nb_sectors,
                                             BlockDriverCompletionFunc *cb,
                                             void *opaque)
 {
-    return NULL;
+    return qed_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, false);
 }
 
 static BlockDriverAIOCB *bdrv_qed_aio_writev(BlockDriverState *bs,
@@ -446,7 +1070,7 @@ static BlockDriverAIOCB *bdrv_qed_aio_writev(BlockDriverState *bs,
                                              BlockDriverCompletionFunc *cb,
                                              void *opaque)
 {
-    return NULL;
+    return qed_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, true);
 }
 
 static BlockDriverAIOCB *bdrv_qed_aio_flush(BlockDriverState *bs,
diff --git a/block/qed.h b/block/qed.h
index 6d49a4d..046a410 100644
--- a/block/qed.h
+++ b/block/qed.h
@@ -116,6 +116,29 @@ typedef struct QEDRequest {
     CachedL2Table *l2_table;
 } QEDRequest;
 
+typedef struct QEDAIOCB {
+    BlockDriverAIOCB common;
+    QEMUBH *bh;
+    int bh_ret;                     /* final return status for completion bh */
+    QSIMPLEQ_ENTRY(QEDAIOCB) next;  /* next request */
+    bool is_write;                  /* false - read, true - write */
+    bool *finished;                 /* signal for cancel completion */
+    uint64_t end_pos;               /* request end on block device, in bytes */
+
+    /* User scatter-gather list */
+    QEMUIOVector *qiov;
+    size_t qiov_offset;             /* byte count already processed */
+
+    /* Current cluster scatter-gather list */
+    QEMUIOVector cur_qiov;
+    uint64_t cur_pos;               /* position on block device, in bytes */
+    uint64_t cur_cluster;           /* cluster offset in image file */
+    unsigned int cur_nclusters;     /* number of clusters being accessed */
+    int find_cluster_ret;           /* used for L1/L2 update */
+
+    QEDRequest request;
+} QEDAIOCB;
+
 typedef struct {
     BlockDriverState *bs;           /* device */
     uint64_t file_size;             /* length of image file, in bytes */
@@ -127,6 +150,9 @@ typedef struct {
     uint32_t l1_shift;
     uint32_t l2_shift;
     uint32_t l2_mask;
+
+    /* Allocating write request queue */
+    QSIMPLEQ_HEAD(, QEDAIOCB) allocating_write_reqs;
 } BDRVQEDState;
 
 enum {
diff --git a/trace-events b/trace-events
index 59f97a2..e8fed0f 100644
--- a/trace-events
+++ b/trace-events
@@ -203,3 +203,13 @@ disable qed_read_table(void *s, uint64_t offset, void *table) "s %p offset %"PRI
 disable qed_read_table_cb(void *s, void *table, int ret) "s %p table %p ret %d"
 disable qed_write_table(void *s, uint64_t offset, void *table, unsigned int index, unsigned int n) "s %p offset %"PRIu64" table %p index %u n %u"
 disable qed_write_table_cb(void *s, void *table, int flush, int ret) "s %p table %p flush %d ret %d"
+
+# block/qed.c
+disable qed_aio_complete(void *s, void *acb, int ret) "s %p acb %p ret %d"
+disable qed_aio_setup(void *s, void *acb, int64_t sector_num, int nb_sectors, void *opaque, int is_write) "s %p acb %p sector_num %"PRId64" nb_sectors %d opaque %p is_write %d"
+disable qed_aio_next_io(void *s, void *acb, int ret, uint64_t cur_pos) "s %p acb %p ret %d cur_pos %"PRIu64""
+disable qed_aio_read_data(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
+disable qed_aio_write_data(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
+disable qed_aio_write_prefill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
+disable qed_aio_write_postfill(void *s, void *acb, uint64_t start, size_t len, uint64_t offset) "s %p acb %p start %"PRIu64" len %zu offset %"PRIu64""
+disable qed_aio_write_main(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
commit 298800cae72eb2a549374189e87615b2b0b79262
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Dec 6 16:08:01 2010 +0000

    qed: Table, L2 cache, and cluster functions
    
    This patch adds code to look up data cluster offsets in the image via
    the L1/L2 tables.  The L2 tables are writethrough cached in memory for
    performance (each read/write requires a lookup so it is essential to
    cache the tables).
    
    With cluster lookup code in place it is possible to implement
    bdrv_is_allocated() to query the number of contiguous
    allocated/unallocated clusters.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 50b91e8..1860152 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -20,7 +20,7 @@ block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 
 block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
 block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
-block-nested-y += qed.o
+block-nested-y += qed.o qed-gencb.o qed-l2-cache.o qed-table.o qed-cluster.o
 block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
 block-nested-$(CONFIG_WIN32) += raw-win32.o
 block-nested-$(CONFIG_POSIX) += raw-posix.o
diff --git a/block/qed-cluster.c b/block/qed-cluster.c
new file mode 100644
index 0000000..0ec864b
--- /dev/null
+++ b/block/qed-cluster.c
@@ -0,0 +1,154 @@
+/*
+ * QEMU Enhanced Disk Format Cluster functions
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha at linux.vnet.ibm.com>
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+#include "qed.h"
+
+/**
+ * Count the number of contiguous data clusters
+ *
+ * @s:              QED state
+ * @table:          L2 table
+ * @index:          First cluster index
+ * @n:              Maximum number of clusters
+ * @offset:         Set to first cluster offset
+ *
+ * This function scans tables for contiguous allocated or free clusters.
+ */
+static unsigned int qed_count_contiguous_clusters(BDRVQEDState *s,
+                                                  QEDTable *table,
+                                                  unsigned int index,
+                                                  unsigned int n,
+                                                  uint64_t *offset)
+{
+    unsigned int end = MIN(index + n, s->table_nelems);
+    uint64_t last = table->offsets[index];
+    unsigned int i;
+
+    *offset = last;
+
+    for (i = index + 1; i < end; i++) {
+        if (last == 0) {
+            /* Counting free clusters */
+            if (table->offsets[i] != 0) {
+                break;
+            }
+        } else {
+            /* Counting allocated clusters */
+            if (table->offsets[i] != last + s->header.cluster_size) {
+                break;
+            }
+            last = table->offsets[i];
+        }
+    }
+    return i - index;
+}
+
+typedef struct {
+    BDRVQEDState *s;
+    uint64_t pos;
+    size_t len;
+
+    QEDRequest *request;
+
+    /* User callback */
+    QEDFindClusterFunc *cb;
+    void *opaque;
+} QEDFindClusterCB;
+
+static void qed_find_cluster_cb(void *opaque, int ret)
+{
+    QEDFindClusterCB *find_cluster_cb = opaque;
+    BDRVQEDState *s = find_cluster_cb->s;
+    QEDRequest *request = find_cluster_cb->request;
+    uint64_t offset = 0;
+    size_t len = 0;
+    unsigned int index;
+    unsigned int n;
+
+    if (ret) {
+        goto out;
+    }
+
+    index = qed_l2_index(s, find_cluster_cb->pos);
+    n = qed_bytes_to_clusters(s,
+                              qed_offset_into_cluster(s, find_cluster_cb->pos) +
+                              find_cluster_cb->len);
+    n = qed_count_contiguous_clusters(s, request->l2_table->table,
+                                      index, n, &offset);
+
+    ret = offset ? QED_CLUSTER_FOUND : QED_CLUSTER_L2;
+    len = MIN(find_cluster_cb->len, n * s->header.cluster_size -
+              qed_offset_into_cluster(s, find_cluster_cb->pos));
+
+    if (offset && !qed_check_cluster_offset(s, offset)) {
+        ret = -EINVAL;
+    }
+
+out:
+    find_cluster_cb->cb(find_cluster_cb->opaque, ret, offset, len);
+    qemu_free(find_cluster_cb);
+}
+
+/**
+ * Find the offset of a data cluster
+ *
+ * @s:          QED state
+ * @request:    L2 cache entry
+ * @pos:        Byte position in device
+ * @len:        Number of bytes
+ * @cb:         Completion function
+ * @opaque:     User data for completion function
+ *
+ * This function translates a position in the block device to an offset in the
+ * image file.  It invokes the cb completion callback to report back the
+ * translated offset or unallocated range in the image file.
+ *
+ * If the L2 table exists, request->l2_table points to the L2 table cache entry
+ * and the caller must free the reference when they are finished.  The cache
+ * entry is exposed in this way to avoid callers having to read the L2 table
+ * again later during request processing.  If request->l2_table is non-NULL it
+ * will be unreferenced before taking on the new cache entry.
+ */
+void qed_find_cluster(BDRVQEDState *s, QEDRequest *request, uint64_t pos,
+                      size_t len, QEDFindClusterFunc *cb, void *opaque)
+{
+    QEDFindClusterCB *find_cluster_cb;
+    uint64_t l2_offset;
+
+    /* Limit length to L2 boundary.  Requests are broken up at the L2 boundary
+     * so that a request acts on one L2 table at a time.
+     */
+    len = MIN(len, (((pos >> s->l1_shift) + 1) << s->l1_shift) - pos);
+
+    l2_offset = s->l1_table->offsets[qed_l1_index(s, pos)];
+    if (!l2_offset) {
+        cb(opaque, QED_CLUSTER_L1, 0, len);
+        return;
+    }
+    if (!qed_check_table_offset(s, l2_offset)) {
+        cb(opaque, -EINVAL, 0, 0);
+        return;
+    }
+
+    find_cluster_cb = qemu_malloc(sizeof(*find_cluster_cb));
+    find_cluster_cb->s = s;
+    find_cluster_cb->pos = pos;
+    find_cluster_cb->len = len;
+    find_cluster_cb->cb = cb;
+    find_cluster_cb->opaque = opaque;
+    find_cluster_cb->request = request;
+
+    qed_read_l2_table(s, request, l2_offset,
+                      qed_find_cluster_cb, find_cluster_cb);
+}
diff --git a/block/qed-gencb.c b/block/qed-gencb.c
new file mode 100644
index 0000000..1513dc6
--- /dev/null
+++ b/block/qed-gencb.c
@@ -0,0 +1,32 @@
+/*
+ * QEMU Enhanced Disk Format
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha at linux.vnet.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+#include "qed.h"
+
+void *gencb_alloc(size_t len, BlockDriverCompletionFunc *cb, void *opaque)
+{
+    GenericCB *gencb = qemu_malloc(len);
+    gencb->cb = cb;
+    gencb->opaque = opaque;
+    return gencb;
+}
+
+void gencb_complete(void *opaque, int ret)
+{
+    GenericCB *gencb = opaque;
+    BlockDriverCompletionFunc *cb = gencb->cb;
+    void *user_opaque = gencb->opaque;
+
+    qemu_free(gencb);
+    cb(user_opaque, ret);
+}
diff --git a/block/qed-l2-cache.c b/block/qed-l2-cache.c
new file mode 100644
index 0000000..57518a4
--- /dev/null
+++ b/block/qed-l2-cache.c
@@ -0,0 +1,173 @@
+/*
+ * QEMU Enhanced Disk Format L2 Cache
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+/*
+ * L2 table cache usage is as follows:
+ *
+ * An open image has one L2 table cache that is used to avoid accessing the
+ * image file for recently referenced L2 tables.
+ *
+ * Cluster offset lookup translates the logical offset within the block device
+ * to a cluster offset within the image file.  This is done by indexing into
+ * the L1 and L2 tables which store cluster offsets.  It is here where the L2
+ * table cache serves up recently referenced L2 tables.
+ *
+ * If there is a cache miss, that L2 table is read from the image file and
+ * committed to the cache.  Subsequent accesses to that L2 table will be served
+ * from the cache until the table is evicted from the cache.
+ *
+ * L2 tables are also committed to the cache when new L2 tables are allocated
+ * in the image file.  Since the L2 table cache is write-through, the new L2
+ * table is first written out to the image file and then committed to the
+ * cache.
+ *
+ * Multiple I/O requests may be using an L2 table cache entry at any given
+ * time.  That means an entry may be in use across several requests and
+ * reference counting is needed to free the entry at the correct time.  In
+ * particular, an entry evicted from the cache will only be freed once all
+ * references are dropped.
+ *
+ * An in-flight I/O request will hold a reference to a L2 table cache entry for
+ * the period during which it needs to access the L2 table.  This includes
+ * cluster offset lookup, L2 table allocation, and L2 table update when a new
+ * data cluster has been allocated.
+ *
+ * An interesting case occurs when two requests need to access an L2 table that
+ * is not in the cache.  Since the operation to read the table from the image
+ * file takes some time to complete, both requests may see a cache miss and
+ * start reading the L2 table from the image file.  The first to finish will
+ * commit its L2 table into the cache.  When the second tries to commit its
+ * table will be deleted in favor of the existing cache entry.
+ */
+
+#include "trace.h"
+#include "qed.h"
+
+/* Each L2 holds 2GB so this let's us fully cache a 100GB disk */
+#define MAX_L2_CACHE_SIZE 50
+
+/**
+ * Initialize the L2 cache
+ */
+void qed_init_l2_cache(L2TableCache *l2_cache)
+{
+    QTAILQ_INIT(&l2_cache->entries);
+    l2_cache->n_entries = 0;
+}
+
+/**
+ * Free the L2 cache
+ */
+void qed_free_l2_cache(L2TableCache *l2_cache)
+{
+    CachedL2Table *entry, *next_entry;
+
+    QTAILQ_FOREACH_SAFE(entry, &l2_cache->entries, node, next_entry) {
+        qemu_vfree(entry->table);
+        qemu_free(entry);
+    }
+}
+
+/**
+ * Allocate an uninitialized entry from the cache
+ *
+ * The returned entry has a reference count of 1 and is owned by the caller.
+ * The caller must allocate the actual table field for this entry and it must
+ * be freeable using qemu_vfree().
+ */
+CachedL2Table *qed_alloc_l2_cache_entry(L2TableCache *l2_cache)
+{
+    CachedL2Table *entry;
+
+    entry = qemu_mallocz(sizeof(*entry));
+    entry->ref++;
+
+    trace_qed_alloc_l2_cache_entry(l2_cache, entry);
+
+    return entry;
+}
+
+/**
+ * Decrease an entry's reference count and free if necessary when the reference
+ * count drops to zero.
+ */
+void qed_unref_l2_cache_entry(CachedL2Table *entry)
+{
+    if (!entry) {
+        return;
+    }
+
+    entry->ref--;
+    trace_qed_unref_l2_cache_entry(entry, entry->ref);
+    if (entry->ref == 0) {
+        qemu_vfree(entry->table);
+        qemu_free(entry);
+    }
+}
+
+/**
+ * Find an entry in the L2 cache.  This may return NULL and it's up to the
+ * caller to satisfy the cache miss.
+ *
+ * For a cached entry, this function increases the reference count and returns
+ * the entry.
+ */
+CachedL2Table *qed_find_l2_cache_entry(L2TableCache *l2_cache, uint64_t offset)
+{
+    CachedL2Table *entry;
+
+    QTAILQ_FOREACH(entry, &l2_cache->entries, node) {
+        if (entry->offset == offset) {
+            trace_qed_find_l2_cache_entry(l2_cache, entry, offset, entry->ref);
+            entry->ref++;
+            return entry;
+        }
+    }
+    return NULL;
+}
+
+/**
+ * Commit an L2 cache entry into the cache.  This is meant to be used as part of
+ * the process to satisfy a cache miss.  A caller would allocate an entry which
+ * is not actually in the L2 cache and then once the entry was valid and
+ * present on disk, the entry can be committed into the cache.
+ *
+ * Since the cache is write-through, it's important that this function is not
+ * called until the entry is present on disk and the L1 has been updated to
+ * point to the entry.
+ *
+ * N.B. This function steals a reference to the l2_table from the caller so the
+ * caller must obtain a new reference by issuing a call to
+ * qed_find_l2_cache_entry().
+ */
+void qed_commit_l2_cache_entry(L2TableCache *l2_cache, CachedL2Table *l2_table)
+{
+    CachedL2Table *entry;
+
+    entry = qed_find_l2_cache_entry(l2_cache, l2_table->offset);
+    if (entry) {
+        qed_unref_l2_cache_entry(entry);
+        qed_unref_l2_cache_entry(l2_table);
+        return;
+    }
+
+    if (l2_cache->n_entries >= MAX_L2_CACHE_SIZE) {
+        entry = QTAILQ_FIRST(&l2_cache->entries);
+        QTAILQ_REMOVE(&l2_cache->entries, entry, node);
+        l2_cache->n_entries--;
+        qed_unref_l2_cache_entry(entry);
+    }
+
+    l2_cache->n_entries++;
+    QTAILQ_INSERT_TAIL(&l2_cache->entries, l2_table, node);
+}
diff --git a/block/qed-table.c b/block/qed-table.c
new file mode 100644
index 0000000..d38c673
--- /dev/null
+++ b/block/qed-table.c
@@ -0,0 +1,319 @@
+/*
+ * QEMU Enhanced Disk Format Table I/O
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha at linux.vnet.ibm.com>
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+#include "trace.h"
+#include "qemu_socket.h" /* for EINPROGRESS on Windows */
+#include "qed.h"
+
+typedef struct {
+    GenericCB gencb;
+    BDRVQEDState *s;
+    QEDTable *table;
+
+    struct iovec iov;
+    QEMUIOVector qiov;
+} QEDReadTableCB;
+
+static void qed_read_table_cb(void *opaque, int ret)
+{
+    QEDReadTableCB *read_table_cb = opaque;
+    QEDTable *table = read_table_cb->table;
+    int noffsets = read_table_cb->iov.iov_len / sizeof(uint64_t);
+    int i;
+
+    /* Handle I/O error */
+    if (ret) {
+        goto out;
+    }
+
+    /* Byteswap offsets */
+    for (i = 0; i < noffsets; i++) {
+        table->offsets[i] = le64_to_cpu(table->offsets[i]);
+    }
+
+out:
+    /* Completion */
+    trace_qed_read_table_cb(read_table_cb->s, read_table_cb->table, ret);
+    gencb_complete(&read_table_cb->gencb, ret);
+}
+
+static void qed_read_table(BDRVQEDState *s, uint64_t offset, QEDTable *table,
+                           BlockDriverCompletionFunc *cb, void *opaque)
+{
+    QEDReadTableCB *read_table_cb = gencb_alloc(sizeof(*read_table_cb),
+                                                cb, opaque);
+    QEMUIOVector *qiov = &read_table_cb->qiov;
+    BlockDriverAIOCB *aiocb;
+
+    trace_qed_read_table(s, offset, table);
+
+    read_table_cb->s = s;
+    read_table_cb->table = table;
+    read_table_cb->iov.iov_base = table->offsets,
+    read_table_cb->iov.iov_len = s->header.cluster_size * s->header.table_size,
+
+    qemu_iovec_init_external(qiov, &read_table_cb->iov, 1);
+    aiocb = bdrv_aio_readv(s->bs->file, offset / BDRV_SECTOR_SIZE, qiov,
+                           read_table_cb->iov.iov_len / BDRV_SECTOR_SIZE,
+                           qed_read_table_cb, read_table_cb);
+    if (!aiocb) {
+        qed_read_table_cb(read_table_cb, -EIO);
+    }
+}
+
+typedef struct {
+    GenericCB gencb;
+    BDRVQEDState *s;
+    QEDTable *orig_table;
+    QEDTable *table;
+    bool flush;             /* flush after write? */
+
+    struct iovec iov;
+    QEMUIOVector qiov;
+} QEDWriteTableCB;
+
+static void qed_write_table_cb(void *opaque, int ret)
+{
+    QEDWriteTableCB *write_table_cb = opaque;
+
+    trace_qed_write_table_cb(write_table_cb->s,
+                             write_table_cb->orig_table,
+                             write_table_cb->flush,
+                             ret);
+
+    if (ret) {
+        goto out;
+    }
+
+    if (write_table_cb->flush) {
+        /* We still need to flush first */
+        write_table_cb->flush = false;
+        bdrv_aio_flush(write_table_cb->s->bs, qed_write_table_cb,
+                       write_table_cb);
+        return;
+    }
+
+out:
+    qemu_vfree(write_table_cb->table);
+    gencb_complete(&write_table_cb->gencb, ret);
+    return;
+}
+
+/**
+ * Write out an updated part or all of a table
+ *
+ * @s:          QED state
+ * @offset:     Offset of table in image file, in bytes
+ * @table:      Table
+ * @index:      Index of first element
+ * @n:          Number of elements
+ * @flush:      Whether or not to sync to disk
+ * @cb:         Completion function
+ * @opaque:     Argument for completion function
+ */
+static void qed_write_table(BDRVQEDState *s, uint64_t offset, QEDTable *table,
+                            unsigned int index, unsigned int n, bool flush,
+                            BlockDriverCompletionFunc *cb, void *opaque)
+{
+    QEDWriteTableCB *write_table_cb;
+    BlockDriverAIOCB *aiocb;
+    unsigned int sector_mask = BDRV_SECTOR_SIZE / sizeof(uint64_t) - 1;
+    unsigned int start, end, i;
+    size_t len_bytes;
+
+    trace_qed_write_table(s, offset, table, index, n);
+
+    /* Calculate indices of the first and one after last elements */
+    start = index & ~sector_mask;
+    end = (index + n + sector_mask) & ~sector_mask;
+
+    len_bytes = (end - start) * sizeof(uint64_t);
+
+    write_table_cb = gencb_alloc(sizeof(*write_table_cb), cb, opaque);
+    write_table_cb->s = s;
+    write_table_cb->orig_table = table;
+    write_table_cb->flush = flush;
+    write_table_cb->table = qemu_blockalign(s->bs, len_bytes);
+    write_table_cb->iov.iov_base = write_table_cb->table->offsets;
+    write_table_cb->iov.iov_len = len_bytes;
+    qemu_iovec_init_external(&write_table_cb->qiov, &write_table_cb->iov, 1);
+
+    /* Byteswap table */
+    for (i = start; i < end; i++) {
+        uint64_t le_offset = cpu_to_le64(table->offsets[i]);
+        write_table_cb->table->offsets[i - start] = le_offset;
+    }
+
+    /* Adjust for offset into table */
+    offset += start * sizeof(uint64_t);
+
+    aiocb = bdrv_aio_writev(s->bs->file, offset / BDRV_SECTOR_SIZE,
+                            &write_table_cb->qiov,
+                            write_table_cb->iov.iov_len / BDRV_SECTOR_SIZE,
+                            qed_write_table_cb, write_table_cb);
+    if (!aiocb) {
+        qed_write_table_cb(write_table_cb, -EIO);
+    }
+}
+
+/**
+ * Propagate return value from async callback
+ */
+static void qed_sync_cb(void *opaque, int ret)
+{
+    *(int *)opaque = ret;
+}
+
+int qed_read_l1_table_sync(BDRVQEDState *s)
+{
+    int ret = -EINPROGRESS;
+
+    async_context_push();
+
+    qed_read_table(s, s->header.l1_table_offset,
+                   s->l1_table, qed_sync_cb, &ret);
+    while (ret == -EINPROGRESS) {
+        qemu_aio_wait();
+    }
+
+    async_context_pop();
+
+    return ret;
+}
+
+void qed_write_l1_table(BDRVQEDState *s, unsigned int index, unsigned int n,
+                        BlockDriverCompletionFunc *cb, void *opaque)
+{
+    BLKDBG_EVENT(s->bs->file, BLKDBG_L1_UPDATE);
+    qed_write_table(s, s->header.l1_table_offset,
+                    s->l1_table, index, n, false, cb, opaque);
+}
+
+int qed_write_l1_table_sync(BDRVQEDState *s, unsigned int index,
+                            unsigned int n)
+{
+    int ret = -EINPROGRESS;
+
+    async_context_push();
+
+    qed_write_l1_table(s, index, n, qed_sync_cb, &ret);
+    while (ret == -EINPROGRESS) {
+        qemu_aio_wait();
+    }
+
+    async_context_pop();
+
+    return ret;
+}
+
+typedef struct {
+    GenericCB gencb;
+    BDRVQEDState *s;
+    uint64_t l2_offset;
+    QEDRequest *request;
+} QEDReadL2TableCB;
+
+static void qed_read_l2_table_cb(void *opaque, int ret)
+{
+    QEDReadL2TableCB *read_l2_table_cb = opaque;
+    QEDRequest *request = read_l2_table_cb->request;
+    BDRVQEDState *s = read_l2_table_cb->s;
+    CachedL2Table *l2_table = request->l2_table;
+
+    if (ret) {
+        /* can't trust loaded L2 table anymore */
+        qed_unref_l2_cache_entry(l2_table);
+        request->l2_table = NULL;
+    } else {
+        l2_table->offset = read_l2_table_cb->l2_offset;
+
+        qed_commit_l2_cache_entry(&s->l2_cache, l2_table);
+
+        /* This is guaranteed to succeed because we just committed the entry
+         * to the cache.
+         */
+        request->l2_table = qed_find_l2_cache_entry(&s->l2_cache,
+                                                    l2_table->offset);
+        assert(request->l2_table != NULL);
+    }
+
+    gencb_complete(&read_l2_table_cb->gencb, ret);
+}
+
+void qed_read_l2_table(BDRVQEDState *s, QEDRequest *request, uint64_t offset,
+                       BlockDriverCompletionFunc *cb, void *opaque)
+{
+    QEDReadL2TableCB *read_l2_table_cb;
+
+    qed_unref_l2_cache_entry(request->l2_table);
+
+    /* Check for cached L2 entry */
+    request->l2_table = qed_find_l2_cache_entry(&s->l2_cache, offset);
+    if (request->l2_table) {
+        cb(opaque, 0);
+        return;
+    }
+
+    request->l2_table = qed_alloc_l2_cache_entry(&s->l2_cache);
+    request->l2_table->table = qed_alloc_table(s);
+
+    read_l2_table_cb = gencb_alloc(sizeof(*read_l2_table_cb), cb, opaque);
+    read_l2_table_cb->s = s;
+    read_l2_table_cb->l2_offset = offset;
+    read_l2_table_cb->request = request;
+
+    BLKDBG_EVENT(s->bs->file, BLKDBG_L2_LOAD);
+    qed_read_table(s, offset, request->l2_table->table,
+                   qed_read_l2_table_cb, read_l2_table_cb);
+}
+
+int qed_read_l2_table_sync(BDRVQEDState *s, QEDRequest *request, uint64_t offset)
+{
+    int ret = -EINPROGRESS;
+
+    async_context_push();
+
+    qed_read_l2_table(s, request, offset, qed_sync_cb, &ret);
+    while (ret == -EINPROGRESS) {
+        qemu_aio_wait();
+    }
+
+    async_context_pop();
+    return ret;
+}
+
+void qed_write_l2_table(BDRVQEDState *s, QEDRequest *request,
+                        unsigned int index, unsigned int n, bool flush,
+                        BlockDriverCompletionFunc *cb, void *opaque)
+{
+    BLKDBG_EVENT(s->bs->file, BLKDBG_L2_UPDATE);
+    qed_write_table(s, request->l2_table->offset,
+                    request->l2_table->table, index, n, flush, cb, opaque);
+}
+
+int qed_write_l2_table_sync(BDRVQEDState *s, QEDRequest *request,
+                            unsigned int index, unsigned int n, bool flush)
+{
+    int ret = -EINPROGRESS;
+
+    async_context_push();
+
+    qed_write_l2_table(s, request, index, n, flush, qed_sync_cb, &ret);
+    while (ret == -EINPROGRESS) {
+        qemu_aio_wait();
+    }
+
+    async_context_pop();
+    return ret;
+}
diff --git a/block/qed.c b/block/qed.c
index 1436ac4..cd1bead 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -155,6 +155,13 @@ static int qed_read_string(BlockDriverState *file, uint64_t offset, size_t n,
     return 0;
 }
 
+QEDTable *qed_alloc_table(BDRVQEDState *s)
+{
+    /* Honor O_DIRECT memory alignment requirements */
+    return qemu_blockalign(s->bs,
+                           s->header.cluster_size * s->header.table_size);
+}
+
 static int bdrv_qed_open(BlockDriverState *bs, int flags)
 {
     BDRVQEDState *s = bs->opaque;
@@ -244,11 +251,23 @@ static int bdrv_qed_open(BlockDriverState *bs, int flags)
         bdrv_flush(bs->file);
     }
 
+    s->l1_table = qed_alloc_table(s);
+    qed_init_l2_cache(&s->l2_cache);
+
+    ret = qed_read_l1_table_sync(s);
+    if (ret) {
+        qed_free_l2_cache(&s->l2_cache);
+        qemu_vfree(s->l1_table);
+    }
     return ret;
 }
 
 static void bdrv_qed_close(BlockDriverState *bs)
 {
+    BDRVQEDState *s = bs->opaque;
+
+    qed_free_l2_cache(&s->l2_cache);
+    qemu_vfree(s->l1_table);
 }
 
 static int bdrv_qed_flush(BlockDriverState *bs)
@@ -368,10 +387,43 @@ static int bdrv_qed_create(const char *filename, QEMUOptionParameter *options)
                       backing_file, backing_fmt);
 }
 
+typedef struct {
+    int is_allocated;
+    int *pnum;
+} QEDIsAllocatedCB;
+
+static void qed_is_allocated_cb(void *opaque, int ret, uint64_t offset, size_t len)
+{
+    QEDIsAllocatedCB *cb = opaque;
+    *cb->pnum = len / BDRV_SECTOR_SIZE;
+    cb->is_allocated = ret == QED_CLUSTER_FOUND;
+}
+
 static int bdrv_qed_is_allocated(BlockDriverState *bs, int64_t sector_num,
                                   int nb_sectors, int *pnum)
 {
-    return -ENOTSUP;
+    BDRVQEDState *s = bs->opaque;
+    uint64_t pos = (uint64_t)sector_num * BDRV_SECTOR_SIZE;
+    size_t len = (size_t)nb_sectors * BDRV_SECTOR_SIZE;
+    QEDIsAllocatedCB cb = {
+        .is_allocated = -1,
+        .pnum = pnum,
+    };
+    QEDRequest request = { .l2_table = NULL };
+
+    async_context_push();
+
+    qed_find_cluster(s, &request, pos, len, qed_is_allocated_cb, &cb);
+
+    while (cb.is_allocated == -1) {
+        qemu_aio_wait();
+    }
+
+    async_context_pop();
+
+    qed_unref_l2_cache_entry(request.l2_table);
+
+    return cb.is_allocated;
 }
 
 static int bdrv_qed_make_empty(BlockDriverState *bs)
diff --git a/block/qed.h b/block/qed.h
index 1f8a125..6d49a4d 100644
--- a/block/qed.h
+++ b/block/qed.h
@@ -96,16 +96,118 @@ typedef struct {
 } QEDHeader;
 
 typedef struct {
+    uint64_t offsets[0];            /* in bytes */
+} QEDTable;
+
+/* The L2 cache is a simple write-through cache for L2 structures */
+typedef struct CachedL2Table {
+    QEDTable *table;
+    uint64_t offset;    /* offset=0 indicates an invalidate entry */
+    QTAILQ_ENTRY(CachedL2Table) node;
+    int ref;
+} CachedL2Table;
+
+typedef struct {
+    QTAILQ_HEAD(, CachedL2Table) entries;
+    unsigned int n_entries;
+} L2TableCache;
+
+typedef struct QEDRequest {
+    CachedL2Table *l2_table;
+} QEDRequest;
+
+typedef struct {
     BlockDriverState *bs;           /* device */
     uint64_t file_size;             /* length of image file, in bytes */
 
     QEDHeader header;               /* always cpu-endian */
+    QEDTable *l1_table;
+    L2TableCache l2_cache;          /* l2 table cache */
     uint32_t table_nelems;
     uint32_t l1_shift;
     uint32_t l2_shift;
     uint32_t l2_mask;
 } BDRVQEDState;
 
+enum {
+    QED_CLUSTER_FOUND,         /* cluster found */
+    QED_CLUSTER_L2,            /* cluster missing in L2 */
+    QED_CLUSTER_L1,            /* cluster missing in L1 */
+};
+
+/**
+ * qed_find_cluster() completion callback
+ *
+ * @opaque:     User data for completion callback
+ * @ret:        QED_CLUSTER_FOUND   Success
+ *              QED_CLUSTER_L2      Data cluster unallocated in L2
+ *              QED_CLUSTER_L1      L2 unallocated in L1
+ *              -errno              POSIX error occurred
+ * @offset:     Data cluster offset
+ * @len:        Contiguous bytes starting from cluster offset
+ *
+ * This function is invoked when qed_find_cluster() completes.
+ *
+ * On success ret is QED_CLUSTER_FOUND and offset/len are a contiguous range
+ * in the image file.
+ *
+ * On failure ret is QED_CLUSTER_L2 or QED_CLUSTER_L1 for missing L2 or L1
+ * table offset, respectively.  len is number of contiguous unallocated bytes.
+ */
+typedef void QEDFindClusterFunc(void *opaque, int ret, uint64_t offset, size_t len);
+
+/**
+ * Generic callback for chaining async callbacks
+ */
+typedef struct {
+    BlockDriverCompletionFunc *cb;
+    void *opaque;
+} GenericCB;
+
+void *gencb_alloc(size_t len, BlockDriverCompletionFunc *cb, void *opaque);
+void gencb_complete(void *opaque, int ret);
+
+/**
+ * L2 cache functions
+ */
+void qed_init_l2_cache(L2TableCache *l2_cache);
+void qed_free_l2_cache(L2TableCache *l2_cache);
+CachedL2Table *qed_alloc_l2_cache_entry(L2TableCache *l2_cache);
+void qed_unref_l2_cache_entry(CachedL2Table *entry);
+CachedL2Table *qed_find_l2_cache_entry(L2TableCache *l2_cache, uint64_t offset);
+void qed_commit_l2_cache_entry(L2TableCache *l2_cache, CachedL2Table *l2_table);
+
+/**
+ * Table I/O functions
+ */
+int qed_read_l1_table_sync(BDRVQEDState *s);
+void qed_write_l1_table(BDRVQEDState *s, unsigned int index, unsigned int n,
+                        BlockDriverCompletionFunc *cb, void *opaque);
+int qed_write_l1_table_sync(BDRVQEDState *s, unsigned int index,
+                            unsigned int n);
+int qed_read_l2_table_sync(BDRVQEDState *s, QEDRequest *request,
+                           uint64_t offset);
+void qed_read_l2_table(BDRVQEDState *s, QEDRequest *request, uint64_t offset,
+                       BlockDriverCompletionFunc *cb, void *opaque);
+void qed_write_l2_table(BDRVQEDState *s, QEDRequest *request,
+                        unsigned int index, unsigned int n, bool flush,
+                        BlockDriverCompletionFunc *cb, void *opaque);
+int qed_write_l2_table_sync(BDRVQEDState *s, QEDRequest *request,
+                            unsigned int index, unsigned int n, bool flush);
+
+/**
+ * Cluster functions
+ */
+void qed_find_cluster(BDRVQEDState *s, QEDRequest *request, uint64_t pos,
+                      size_t len, QEDFindClusterFunc *cb, void *opaque);
+
+/**
+ * Consistency check
+ */
+int qed_check(BDRVQEDState *s, BdrvCheckResult *result, bool fix);
+
+QEDTable *qed_alloc_table(BDRVQEDState *s);
+
 /**
  * Round down to the start of a cluster
  */
@@ -114,6 +216,27 @@ static inline uint64_t qed_start_of_cluster(BDRVQEDState *s, uint64_t offset)
     return offset & ~(uint64_t)(s->header.cluster_size - 1);
 }
 
+static inline uint64_t qed_offset_into_cluster(BDRVQEDState *s, uint64_t offset)
+{
+    return offset & (s->header.cluster_size - 1);
+}
+
+static inline unsigned int qed_bytes_to_clusters(BDRVQEDState *s, size_t bytes)
+{
+    return qed_start_of_cluster(s, bytes + (s->header.cluster_size - 1)) /
+           (s->header.cluster_size - 1);
+}
+
+static inline unsigned int qed_l1_index(BDRVQEDState *s, uint64_t pos)
+{
+    return pos >> s->l1_shift;
+}
+
+static inline unsigned int qed_l2_index(BDRVQEDState *s, uint64_t pos)
+{
+    return (pos >> s->l2_shift) & s->l2_mask;
+}
+
 /**
  * Test if a cluster offset is valid
  */
diff --git a/trace-events b/trace-events
index da03d4b..59f97a2 100644
--- a/trace-events
+++ b/trace-events
@@ -192,3 +192,14 @@ disable sun4m_iommu_bad_addr(uint64_t addr) "bad addr %"PRIx64""
 
 # vl.c
 disable vm_state_notify(int running, int reason) "running %d reason %d"
+
+# block/qed-l2-cache.c
+disable qed_alloc_l2_cache_entry(void *l2_cache, void *entry) "l2_cache %p entry %p"
+disable qed_unref_l2_cache_entry(void *entry, int ref) "entry %p ref %d"
+disable qed_find_l2_cache_entry(void *l2_cache, void *entry, uint64_t offset, int ref) "l2_cache %p entry %p offset %"PRIu64" ref %d"
+
+# block/qed-table.c
+disable qed_read_table(void *s, uint64_t offset, void *table) "s %p offset %"PRIu64" table %p"
+disable qed_read_table_cb(void *s, void *table, int ret) "s %p table %p ret %d"
+disable qed_write_table(void *s, uint64_t offset, void *table, unsigned int index, unsigned int n) "s %p offset %"PRIu64" table %p index %u n %u"
+disable qed_write_table_cb(void *s, void *table, int flush, int ret) "s %p table %p flush %d ret %d"
commit 75411d236d93d79d8052e0116c3eeebe23e2778b
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Dec 6 16:08:00 2010 +0000

    qed: Add QEMU Enhanced Disk image format
    
    This patch introduces the qed on-disk layout and implements image
    creation.  Later patches add read/write and other functionality.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 72c07dd..50b91e8 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -20,6 +20,7 @@ block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 
 block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
 block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
+block-nested-y += qed.o
 block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
 block-nested-$(CONFIG_WIN32) += raw-win32.o
 block-nested-$(CONFIG_POSIX) += raw-posix.o
diff --git a/block/qed.c b/block/qed.c
new file mode 100644
index 0000000..1436ac4
--- /dev/null
+++ b/block/qed.c
@@ -0,0 +1,554 @@
+/*
+ * QEMU Enhanced Disk Format
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha at linux.vnet.ibm.com>
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+#include "qed.h"
+
+static int bdrv_qed_probe(const uint8_t *buf, int buf_size,
+                          const char *filename)
+{
+    const QEDHeader *header = (const QEDHeader *)buf;
+
+    if (buf_size < sizeof(*header)) {
+        return 0;
+    }
+    if (le32_to_cpu(header->magic) != QED_MAGIC) {
+        return 0;
+    }
+    return 100;
+}
+
+/**
+ * Check whether an image format is raw
+ *
+ * @fmt:    Backing file format, may be NULL
+ */
+static bool qed_fmt_is_raw(const char *fmt)
+{
+    return fmt && strcmp(fmt, "raw") == 0;
+}
+
+static void qed_header_le_to_cpu(const QEDHeader *le, QEDHeader *cpu)
+{
+    cpu->magic = le32_to_cpu(le->magic);
+    cpu->cluster_size = le32_to_cpu(le->cluster_size);
+    cpu->table_size = le32_to_cpu(le->table_size);
+    cpu->header_size = le32_to_cpu(le->header_size);
+    cpu->features = le64_to_cpu(le->features);
+    cpu->compat_features = le64_to_cpu(le->compat_features);
+    cpu->autoclear_features = le64_to_cpu(le->autoclear_features);
+    cpu->l1_table_offset = le64_to_cpu(le->l1_table_offset);
+    cpu->image_size = le64_to_cpu(le->image_size);
+    cpu->backing_filename_offset = le32_to_cpu(le->backing_filename_offset);
+    cpu->backing_filename_size = le32_to_cpu(le->backing_filename_size);
+}
+
+static void qed_header_cpu_to_le(const QEDHeader *cpu, QEDHeader *le)
+{
+    le->magic = cpu_to_le32(cpu->magic);
+    le->cluster_size = cpu_to_le32(cpu->cluster_size);
+    le->table_size = cpu_to_le32(cpu->table_size);
+    le->header_size = cpu_to_le32(cpu->header_size);
+    le->features = cpu_to_le64(cpu->features);
+    le->compat_features = cpu_to_le64(cpu->compat_features);
+    le->autoclear_features = cpu_to_le64(cpu->autoclear_features);
+    le->l1_table_offset = cpu_to_le64(cpu->l1_table_offset);
+    le->image_size = cpu_to_le64(cpu->image_size);
+    le->backing_filename_offset = cpu_to_le32(cpu->backing_filename_offset);
+    le->backing_filename_size = cpu_to_le32(cpu->backing_filename_size);
+}
+
+static int qed_write_header_sync(BDRVQEDState *s)
+{
+    QEDHeader le;
+    int ret;
+
+    qed_header_cpu_to_le(&s->header, &le);
+    ret = bdrv_pwrite(s->bs->file, 0, &le, sizeof(le));
+    if (ret != sizeof(le)) {
+        return ret;
+    }
+    return 0;
+}
+
+static uint64_t qed_max_image_size(uint32_t cluster_size, uint32_t table_size)
+{
+    uint64_t table_entries;
+    uint64_t l2_size;
+
+    table_entries = (table_size * cluster_size) / sizeof(uint64_t);
+    l2_size = table_entries * cluster_size;
+
+    return l2_size * table_entries;
+}
+
+static bool qed_is_cluster_size_valid(uint32_t cluster_size)
+{
+    if (cluster_size < QED_MIN_CLUSTER_SIZE ||
+        cluster_size > QED_MAX_CLUSTER_SIZE) {
+        return false;
+    }
+    if (cluster_size & (cluster_size - 1)) {
+        return false; /* not power of 2 */
+    }
+    return true;
+}
+
+static bool qed_is_table_size_valid(uint32_t table_size)
+{
+    if (table_size < QED_MIN_TABLE_SIZE ||
+        table_size > QED_MAX_TABLE_SIZE) {
+        return false;
+    }
+    if (table_size & (table_size - 1)) {
+        return false; /* not power of 2 */
+    }
+    return true;
+}
+
+static bool qed_is_image_size_valid(uint64_t image_size, uint32_t cluster_size,
+                                    uint32_t table_size)
+{
+    if (image_size % BDRV_SECTOR_SIZE != 0) {
+        return false; /* not multiple of sector size */
+    }
+    if (image_size > qed_max_image_size(cluster_size, table_size)) {
+        return false; /* image is too large */
+    }
+    return true;
+}
+
+/**
+ * Read a string of known length from the image file
+ *
+ * @file:       Image file
+ * @offset:     File offset to start of string, in bytes
+ * @n:          String length in bytes
+ * @buf:        Destination buffer
+ * @buflen:     Destination buffer length in bytes
+ * @ret:        0 on success, -errno on failure
+ *
+ * The string is NUL-terminated.
+ */
+static int qed_read_string(BlockDriverState *file, uint64_t offset, size_t n,
+                           char *buf, size_t buflen)
+{
+    int ret;
+    if (n >= buflen) {
+        return -EINVAL;
+    }
+    ret = bdrv_pread(file, offset, buf, n);
+    if (ret < 0) {
+        return ret;
+    }
+    buf[n] = '\0';
+    return 0;
+}
+
+static int bdrv_qed_open(BlockDriverState *bs, int flags)
+{
+    BDRVQEDState *s = bs->opaque;
+    QEDHeader le_header;
+    int64_t file_size;
+    int ret;
+
+    s->bs = bs;
+
+    ret = bdrv_pread(bs->file, 0, &le_header, sizeof(le_header));
+    if (ret < 0) {
+        return ret;
+    }
+    ret = 0; /* ret should always be 0 or -errno */
+    qed_header_le_to_cpu(&le_header, &s->header);
+
+    if (s->header.magic != QED_MAGIC) {
+        return -EINVAL;
+    }
+    if (s->header.features & ~QED_FEATURE_MASK) {
+        return -ENOTSUP; /* image uses unsupported feature bits */
+    }
+    if (!qed_is_cluster_size_valid(s->header.cluster_size)) {
+        return -EINVAL;
+    }
+
+    /* Round down file size to the last cluster */
+    file_size = bdrv_getlength(bs->file);
+    if (file_size < 0) {
+        return file_size;
+    }
+    s->file_size = qed_start_of_cluster(s, file_size);
+
+    if (!qed_is_table_size_valid(s->header.table_size)) {
+        return -EINVAL;
+    }
+    if (!qed_is_image_size_valid(s->header.image_size,
+                                 s->header.cluster_size,
+                                 s->header.table_size)) {
+        return -EINVAL;
+    }
+    if (!qed_check_table_offset(s, s->header.l1_table_offset)) {
+        return -EINVAL;
+    }
+
+    s->table_nelems = (s->header.cluster_size * s->header.table_size) /
+                      sizeof(uint64_t);
+    s->l2_shift = ffs(s->header.cluster_size) - 1;
+    s->l2_mask = s->table_nelems - 1;
+    s->l1_shift = s->l2_shift + ffs(s->table_nelems) - 1;
+
+    if ((s->header.features & QED_F_BACKING_FILE)) {
+        if ((uint64_t)s->header.backing_filename_offset +
+            s->header.backing_filename_size >
+            s->header.cluster_size * s->header.header_size) {
+            return -EINVAL;
+        }
+
+        ret = qed_read_string(bs->file, s->header.backing_filename_offset,
+                              s->header.backing_filename_size, bs->backing_file,
+                              sizeof(bs->backing_file));
+        if (ret < 0) {
+            return ret;
+        }
+
+        if (s->header.features & QED_F_BACKING_FORMAT_NO_PROBE) {
+            pstrcpy(bs->backing_format, sizeof(bs->backing_format), "raw");
+        }
+    }
+
+    /* Reset unknown autoclear feature bits.  This is a backwards
+     * compatibility mechanism that allows images to be opened by older
+     * programs, which "knock out" unknown feature bits.  When an image is
+     * opened by a newer program again it can detect that the autoclear
+     * feature is no longer valid.
+     */
+    if ((s->header.autoclear_features & ~QED_AUTOCLEAR_FEATURE_MASK) != 0 &&
+        !bdrv_is_read_only(bs->file)) {
+        s->header.autoclear_features &= QED_AUTOCLEAR_FEATURE_MASK;
+
+        ret = qed_write_header_sync(s);
+        if (ret) {
+            return ret;
+        }
+
+        /* From here on only known autoclear feature bits are valid */
+        bdrv_flush(bs->file);
+    }
+
+    return ret;
+}
+
+static void bdrv_qed_close(BlockDriverState *bs)
+{
+}
+
+static int bdrv_qed_flush(BlockDriverState *bs)
+{
+    return bdrv_flush(bs->file);
+}
+
+static int qed_create(const char *filename, uint32_t cluster_size,
+                      uint64_t image_size, uint32_t table_size,
+                      const char *backing_file, const char *backing_fmt)
+{
+    QEDHeader header = {
+        .magic = QED_MAGIC,
+        .cluster_size = cluster_size,
+        .table_size = table_size,
+        .header_size = 1,
+        .features = 0,
+        .compat_features = 0,
+        .l1_table_offset = cluster_size,
+        .image_size = image_size,
+    };
+    QEDHeader le_header;
+    uint8_t *l1_table = NULL;
+    size_t l1_size = header.cluster_size * header.table_size;
+    int ret = 0;
+    BlockDriverState *bs = NULL;
+
+    ret = bdrv_create_file(filename, NULL);
+    if (ret < 0) {
+        return ret;
+    }
+
+    ret = bdrv_file_open(&bs, filename, BDRV_O_RDWR | BDRV_O_CACHE_WB);
+    if (ret < 0) {
+        return ret;
+    }
+
+    if (backing_file) {
+        header.features |= QED_F_BACKING_FILE;
+        header.backing_filename_offset = sizeof(le_header);
+        header.backing_filename_size = strlen(backing_file);
+
+        if (qed_fmt_is_raw(backing_fmt)) {
+            header.features |= QED_F_BACKING_FORMAT_NO_PROBE;
+        }
+    }
+
+    qed_header_cpu_to_le(&header, &le_header);
+    ret = bdrv_pwrite(bs, 0, &le_header, sizeof(le_header));
+    if (ret < 0) {
+        goto out;
+    }
+    ret = bdrv_pwrite(bs, sizeof(le_header), backing_file,
+                      header.backing_filename_size);
+    if (ret < 0) {
+        goto out;
+    }
+
+    l1_table = qemu_mallocz(l1_size);
+    ret = bdrv_pwrite(bs, header.l1_table_offset, l1_table, l1_size);
+    if (ret < 0) {
+        goto out;
+    }
+
+    ret = 0; /* success */
+out:
+    qemu_free(l1_table);
+    bdrv_delete(bs);
+    return ret;
+}
+
+static int bdrv_qed_create(const char *filename, QEMUOptionParameter *options)
+{
+    uint64_t image_size = 0;
+    uint32_t cluster_size = QED_DEFAULT_CLUSTER_SIZE;
+    uint32_t table_size = QED_DEFAULT_TABLE_SIZE;
+    const char *backing_file = NULL;
+    const char *backing_fmt = NULL;
+
+    while (options && options->name) {
+        if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+            image_size = options->value.n;
+        } else if (!strcmp(options->name, BLOCK_OPT_BACKING_FILE)) {
+            backing_file = options->value.s;
+        } else if (!strcmp(options->name, BLOCK_OPT_BACKING_FMT)) {
+            backing_fmt = options->value.s;
+        } else if (!strcmp(options->name, BLOCK_OPT_CLUSTER_SIZE)) {
+            if (options->value.n) {
+                cluster_size = options->value.n;
+            }
+        } else if (!strcmp(options->name, BLOCK_OPT_TABLE_SIZE)) {
+            if (options->value.n) {
+                table_size = options->value.n;
+            }
+        }
+        options++;
+    }
+
+    if (!qed_is_cluster_size_valid(cluster_size)) {
+        fprintf(stderr, "QED cluster size must be within range [%u, %u] and power of 2\n",
+                QED_MIN_CLUSTER_SIZE, QED_MAX_CLUSTER_SIZE);
+        return -EINVAL;
+    }
+    if (!qed_is_table_size_valid(table_size)) {
+        fprintf(stderr, "QED table size must be within range [%u, %u] and power of 2\n",
+                QED_MIN_TABLE_SIZE, QED_MAX_TABLE_SIZE);
+        return -EINVAL;
+    }
+    if (!qed_is_image_size_valid(image_size, cluster_size, table_size)) {
+        fprintf(stderr, "QED image size must be a non-zero multiple of "
+                        "cluster size and less than %" PRIu64 " bytes\n",
+                qed_max_image_size(cluster_size, table_size));
+        return -EINVAL;
+    }
+
+    return qed_create(filename, cluster_size, image_size, table_size,
+                      backing_file, backing_fmt);
+}
+
+static int bdrv_qed_is_allocated(BlockDriverState *bs, int64_t sector_num,
+                                  int nb_sectors, int *pnum)
+{
+    return -ENOTSUP;
+}
+
+static int bdrv_qed_make_empty(BlockDriverState *bs)
+{
+    return -ENOTSUP;
+}
+
+static BlockDriverAIOCB *bdrv_qed_aio_readv(BlockDriverState *bs,
+                                            int64_t sector_num,
+                                            QEMUIOVector *qiov, int nb_sectors,
+                                            BlockDriverCompletionFunc *cb,
+                                            void *opaque)
+{
+    return NULL;
+}
+
+static BlockDriverAIOCB *bdrv_qed_aio_writev(BlockDriverState *bs,
+                                             int64_t sector_num,
+                                             QEMUIOVector *qiov, int nb_sectors,
+                                             BlockDriverCompletionFunc *cb,
+                                             void *opaque)
+{
+    return NULL;
+}
+
+static BlockDriverAIOCB *bdrv_qed_aio_flush(BlockDriverState *bs,
+                                            BlockDriverCompletionFunc *cb,
+                                            void *opaque)
+{
+    return bdrv_aio_flush(bs->file, cb, opaque);
+}
+
+static int bdrv_qed_truncate(BlockDriverState *bs, int64_t offset)
+{
+    return -ENOTSUP;
+}
+
+static int64_t bdrv_qed_getlength(BlockDriverState *bs)
+{
+    BDRVQEDState *s = bs->opaque;
+    return s->header.image_size;
+}
+
+static int bdrv_qed_get_info(BlockDriverState *bs, BlockDriverInfo *bdi)
+{
+    BDRVQEDState *s = bs->opaque;
+
+    memset(bdi, 0, sizeof(*bdi));
+    bdi->cluster_size = s->header.cluster_size;
+    return 0;
+}
+
+static int bdrv_qed_change_backing_file(BlockDriverState *bs,
+                                        const char *backing_file,
+                                        const char *backing_fmt)
+{
+    BDRVQEDState *s = bs->opaque;
+    QEDHeader new_header, le_header;
+    void *buffer;
+    size_t buffer_len, backing_file_len;
+    int ret;
+
+    /* Refuse to set backing filename if unknown compat feature bits are
+     * active.  If the image uses an unknown compat feature then we may not
+     * know the layout of data following the header structure and cannot safely
+     * add a new string.
+     */
+    if (backing_file && (s->header.compat_features &
+                         ~QED_COMPAT_FEATURE_MASK)) {
+        return -ENOTSUP;
+    }
+
+    memcpy(&new_header, &s->header, sizeof(new_header));
+
+    new_header.features &= ~(QED_F_BACKING_FILE |
+                             QED_F_BACKING_FORMAT_NO_PROBE);
+
+    /* Adjust feature flags */
+    if (backing_file) {
+        new_header.features |= QED_F_BACKING_FILE;
+
+        if (qed_fmt_is_raw(backing_fmt)) {
+            new_header.features |= QED_F_BACKING_FORMAT_NO_PROBE;
+        }
+    }
+
+    /* Calculate new header size */
+    backing_file_len = 0;
+
+    if (backing_file) {
+        backing_file_len = strlen(backing_file);
+    }
+
+    buffer_len = sizeof(new_header);
+    new_header.backing_filename_offset = buffer_len;
+    new_header.backing_filename_size = backing_file_len;
+    buffer_len += backing_file_len;
+
+    /* Make sure we can rewrite header without failing */
+    if (buffer_len > new_header.header_size * new_header.cluster_size) {
+        return -ENOSPC;
+    }
+
+    /* Prepare new header */
+    buffer = qemu_malloc(buffer_len);
+
+    qed_header_cpu_to_le(&new_header, &le_header);
+    memcpy(buffer, &le_header, sizeof(le_header));
+    buffer_len = sizeof(le_header);
+
+    memcpy(buffer + buffer_len, backing_file, backing_file_len);
+    buffer_len += backing_file_len;
+
+    /* Write new header */
+    ret = bdrv_pwrite_sync(bs->file, 0, buffer, buffer_len);
+    qemu_free(buffer);
+    if (ret == 0) {
+        memcpy(&s->header, &new_header, sizeof(new_header));
+    }
+    return ret;
+}
+
+static int bdrv_qed_check(BlockDriverState *bs, BdrvCheckResult *result)
+{
+    return -ENOTSUP;
+}
+
+static QEMUOptionParameter qed_create_options[] = {
+    {
+        .name = BLOCK_OPT_SIZE,
+        .type = OPT_SIZE,
+        .help = "Virtual disk size (in bytes)"
+    }, {
+        .name = BLOCK_OPT_BACKING_FILE,
+        .type = OPT_STRING,
+        .help = "File name of a base image"
+    }, {
+        .name = BLOCK_OPT_BACKING_FMT,
+        .type = OPT_STRING,
+        .help = "Image format of the base image"
+    }, {
+        .name = BLOCK_OPT_CLUSTER_SIZE,
+        .type = OPT_SIZE,
+        .help = "Cluster size (in bytes)"
+    }, {
+        .name = BLOCK_OPT_TABLE_SIZE,
+        .type = OPT_SIZE,
+        .help = "L1/L2 table size (in clusters)"
+    },
+    { /* end of list */ }
+};
+
+static BlockDriver bdrv_qed = {
+    .format_name              = "qed",
+    .instance_size            = sizeof(BDRVQEDState),
+    .create_options           = qed_create_options,
+
+    .bdrv_probe               = bdrv_qed_probe,
+    .bdrv_open                = bdrv_qed_open,
+    .bdrv_close               = bdrv_qed_close,
+    .bdrv_create              = bdrv_qed_create,
+    .bdrv_flush               = bdrv_qed_flush,
+    .bdrv_is_allocated        = bdrv_qed_is_allocated,
+    .bdrv_make_empty          = bdrv_qed_make_empty,
+    .bdrv_aio_readv           = bdrv_qed_aio_readv,
+    .bdrv_aio_writev          = bdrv_qed_aio_writev,
+    .bdrv_aio_flush           = bdrv_qed_aio_flush,
+    .bdrv_truncate            = bdrv_qed_truncate,
+    .bdrv_getlength           = bdrv_qed_getlength,
+    .bdrv_get_info            = bdrv_qed_get_info,
+    .bdrv_change_backing_file = bdrv_qed_change_backing_file,
+    .bdrv_check               = bdrv_qed_check,
+};
+
+static void bdrv_qed_init(void)
+{
+    bdrv_register(&bdrv_qed);
+}
+
+block_init(bdrv_qed_init);
diff --git a/block/qed.h b/block/qed.h
new file mode 100644
index 0000000..1f8a125
--- /dev/null
+++ b/block/qed.h
@@ -0,0 +1,148 @@
+/*
+ * QEMU Enhanced Disk Format
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Stefan Hajnoczi   <stefanha at linux.vnet.ibm.com>
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU LGPL, version 2 or later.
+ * See the COPYING.LIB file in the top-level directory.
+ *
+ */
+
+#ifndef BLOCK_QED_H
+#define BLOCK_QED_H
+
+#include "block_int.h"
+
+/* The layout of a QED file is as follows:
+ *
+ * +--------+----------+----------+----------+-----+
+ * | header | L1 table | cluster0 | cluster1 | ... |
+ * +--------+----------+----------+----------+-----+
+ *
+ * There is a 2-level pagetable for cluster allocation:
+ *
+ *                     +----------+
+ *                     | L1 table |
+ *                     +----------+
+ *                ,------'  |  '------.
+ *           +----------+   |    +----------+
+ *           | L2 table |  ...   | L2 table |
+ *           +----------+        +----------+
+ *       ,------'  |  '------.
+ *  +----------+   |    +----------+
+ *  |   Data   |  ...   |   Data   |
+ *  +----------+        +----------+
+ *
+ * The L1 table is fixed size and always present.  L2 tables are allocated on
+ * demand.  The L1 table size determines the maximum possible image size; it
+ * can be influenced using the cluster_size and table_size values.
+ *
+ * All fields are little-endian on disk.
+ */
+
+enum {
+    QED_MAGIC = 'Q' | 'E' << 8 | 'D' << 16 | '\0' << 24,
+
+    /* The image supports a backing file */
+    QED_F_BACKING_FILE = 0x01,
+
+    /* The backing file format must not be probed, treat as raw image */
+    QED_F_BACKING_FORMAT_NO_PROBE = 0x04,
+
+    /* Feature bits must be used when the on-disk format changes */
+    QED_FEATURE_MASK = QED_F_BACKING_FILE | /* supported feature bits */
+                       QED_F_BACKING_FORMAT_NO_PROBE,
+    QED_COMPAT_FEATURE_MASK = 0,            /* supported compat feature bits */
+    QED_AUTOCLEAR_FEATURE_MASK = 0,         /* supported autoclear feature bits */
+
+    /* Data is stored in groups of sectors called clusters.  Cluster size must
+     * be large to avoid keeping too much metadata.  I/O requests that have
+     * sub-cluster size will require read-modify-write.
+     */
+    QED_MIN_CLUSTER_SIZE = 4 * 1024, /* in bytes */
+    QED_MAX_CLUSTER_SIZE = 64 * 1024 * 1024,
+    QED_DEFAULT_CLUSTER_SIZE = 64 * 1024,
+
+    /* Allocated clusters are tracked using a 2-level pagetable.  Table size is
+     * a multiple of clusters so large maximum image sizes can be supported
+     * without jacking up the cluster size too much.
+     */
+    QED_MIN_TABLE_SIZE = 1,        /* in clusters */
+    QED_MAX_TABLE_SIZE = 16,
+    QED_DEFAULT_TABLE_SIZE = 4,
+};
+
+typedef struct {
+    uint32_t magic;                 /* QED\0 */
+
+    uint32_t cluster_size;          /* in bytes */
+    uint32_t table_size;            /* for L1 and L2 tables, in clusters */
+    uint32_t header_size;           /* in clusters */
+
+    uint64_t features;              /* format feature bits */
+    uint64_t compat_features;       /* compatible feature bits */
+    uint64_t autoclear_features;    /* self-resetting feature bits */
+
+    uint64_t l1_table_offset;       /* in bytes */
+    uint64_t image_size;            /* total logical image size, in bytes */
+
+    /* if (features & QED_F_BACKING_FILE) */
+    uint32_t backing_filename_offset; /* in bytes from start of header */
+    uint32_t backing_filename_size;   /* in bytes */
+} QEDHeader;
+
+typedef struct {
+    BlockDriverState *bs;           /* device */
+    uint64_t file_size;             /* length of image file, in bytes */
+
+    QEDHeader header;               /* always cpu-endian */
+    uint32_t table_nelems;
+    uint32_t l1_shift;
+    uint32_t l2_shift;
+    uint32_t l2_mask;
+} BDRVQEDState;
+
+/**
+ * Round down to the start of a cluster
+ */
+static inline uint64_t qed_start_of_cluster(BDRVQEDState *s, uint64_t offset)
+{
+    return offset & ~(uint64_t)(s->header.cluster_size - 1);
+}
+
+/**
+ * Test if a cluster offset is valid
+ */
+static inline bool qed_check_cluster_offset(BDRVQEDState *s, uint64_t offset)
+{
+    uint64_t header_size = (uint64_t)s->header.header_size *
+                           s->header.cluster_size;
+
+    if (offset & (s->header.cluster_size - 1)) {
+        return false;
+    }
+    return offset >= header_size && offset < s->file_size;
+}
+
+/**
+ * Test if a table offset is valid
+ */
+static inline bool qed_check_table_offset(BDRVQEDState *s, uint64_t offset)
+{
+    uint64_t end_offset = offset + (s->header.table_size - 1) *
+                          s->header.cluster_size;
+
+    /* Overflow check */
+    if (end_offset <= offset) {
+        return false;
+    }
+
+    return qed_check_cluster_offset(s, offset) &&
+           qed_check_cluster_offset(s, end_offset);
+}
+
+#endif /* BLOCK_QED_H */
diff --git a/block_int.h b/block_int.h
index eb5cd42..12663e8 100644
--- a/block_int.h
+++ b/block_int.h
@@ -37,6 +37,7 @@
 #define BLOCK_OPT_BACKING_FILE  "backing_file"
 #define BLOCK_OPT_BACKING_FMT   "backing_fmt"
 #define BLOCK_OPT_CLUSTER_SIZE  "cluster_size"
+#define BLOCK_OPT_TABLE_SIZE    "table_size"
 #define BLOCK_OPT_PREALLOC      "preallocation"
 
 typedef struct AIOPool {
commit 71af014f1451bec3244e086298813b5aa7b2a0ee
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Dec 6 16:07:59 2010 +0000

    docs: Add QED image format specification
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/docs/specs/qed_spec.txt b/docs/specs/qed_spec.txt
new file mode 100644
index 0000000..446b5a2
--- /dev/null
+++ b/docs/specs/qed_spec.txt
@@ -0,0 +1,130 @@
+=Specification=
+
+The file format looks like this:
+
+ +----------+----------+----------+-----+
+ | cluster0 | cluster1 | cluster2 | ... |
+ +----------+----------+----------+-----+
+
+The first cluster begins with the '''header'''.  The header contains information about where regular clusters start; this allows the header to be extensible and store extra information about the image file.  A regular cluster may be a '''data cluster''', an '''L2''', or an '''L1 table'''.  L1 and L2 tables are composed of one or more contiguous clusters.
+
+Normally the file size will be a multiple of the cluster size.  If the file size is not a multiple, extra information after the last cluster may not be preserved if data is written.  Legitimate extra information should use space between the header and the first regular cluster.
+
+All fields are little-endian.
+
+==Header==
+ Header {
+     uint32_t magic;               /* QED\0 */
+ 
+     uint32_t cluster_size;        /* in bytes */
+     uint32_t table_size;          /* for L1 and L2 tables, in clusters */
+     uint32_t header_size;         /* in clusters */
+ 
+     uint64_t features;            /* format feature bits */
+     uint64_t compat_features;     /* compat feature bits */
+     uint64_t autoclear_features;  /* self-resetting feature bits */
+
+     uint64_t l1_table_offset;     /* in bytes */
+     uint64_t image_size;          /* total logical image size, in bytes */
+ 
+     /* if (features & QED_F_BACKING_FILE) */
+     uint32_t backing_filename_offset; /* in bytes from start of header */
+     uint32_t backing_filename_size;   /* in bytes */
+ }
+
+Field descriptions:
+* ''cluster_size'' must be a power of 2 in range [212, 226].
+* ''table_size'' must be a power of 2 in range [1, 16].
+* ''header_size'' is the number of clusters used by the header and any additional information stored before regular clusters.
+* ''features'', ''compat_features'', and ''autoclear_features'' are file format extension bitmaps.  They work as follows:
+** An image with unknown ''features'' bits enabled must not be opened.  File format changes that are not backwards-compatible must use ''features'' bits.
+** An image with unknown ''compat_features'' bits enabled can be opened safely.  The unknown features are simply ignored and represent backwards-compatible changes to the file format.
+** An image with unknown ''autoclear_features'' bits enable can be opened safely after clearing the unknown bits.  This allows for backwards-compatible changes to the file format which degrade gracefully and can be re-enabled again by a new program later.
+* ''l1_table_offset'' is the offset of the first byte of the L1 table in the image file and must be a multiple of ''cluster_size''.
+* ''image_size'' is the block device size seen by the guest and must be a multiple of 512 bytes.
+* ''backing_filename_offset'' and ''backing_filename_size'' describe a string in (byte offset, byte size) form.  It is not NUL-terminated and has no alignment constraints.  The string must be stored within the first ''header_size'' clusters.  The backing filename may be an absolute path or relative to the image file.
+
+Feature bits:
+* QED_F_BACKING_FILE = 0x01.  The image uses a backing file.
+* QED_F_NEED_CHECK = 0x02.  The image needs a consistency check before use.
+* QED_F_BACKING_FORMAT_NO_PROBE = 0x04.  The backing file is a raw disk image and no file format autodetection should be attempted.  This should be used to ensure that raw backing files are never detected as an image format if they happen to contain magic constants.
+
+There are currently no defined ''compat_features'' or ''autoclear_features'' bits.
+
+Fields predicated on a feature bit are only used when that feature is set.  The fields always take up header space, regardless of whether or not the feature bit is set.
+
+==Tables==
+
+Tables provide the translation from logical offsets in the block device to cluster offsets in the file.
+
+ #define TABLE_NOFFSETS (table_size * cluster_size / sizeof(uint64_t))
+  
+ Table {
+     uint64_t offsets[TABLE_NOFFSETS];
+ }
+
+The tables are organized as follows:
+
+                    +----------+
+                    | L1 table |
+                    +----------+
+               ,------'  |  '------.
+          +----------+   |    +----------+
+          | L2 table |  ...   | L2 table |
+          +----------+        +----------+
+      ,------'  |  '------.
+ +----------+   |    +----------+
+ |   Data   |  ...   |   Data   |
+ +----------+        +----------+
+
+A table is made up of one or more contiguous clusters.  The table_size header field determines table size for an image file.  For example, cluster_size=64 KB and table_size=4 results in 256 KB tables.
+
+The logical image size must be less than or equal to the maximum possible size of clusters rooted by the L1 table:
+ header.image_size <= TABLE_NOFFSETS * TABLE_NOFFSETS * header.cluster_size
+
+L1, L2, and data cluster offsets must be aligned to header.cluster_size.  The following offsets have special meanings:
+
+===L2 table offsets===
+* 0 - unallocated.  The L2 table is not yet allocated.
+
+===Data cluster offsets===
+* 0 - unallocated.  The data cluster is not yet allocated.
+
+Future format extensions may wish to store per-offset information.  The least significant 12 bits of an offset are reserved for this purpose and must be set to zero.  Image files with cluster_size > 212 will have more unused bits which should also be zeroed.
+
+===Unallocated L2 tables and data clusters===
+Reads to an unallocated area of the image file access the backing file.  If there is no backing file, then zeroes are produced.  The backing file may be smaller than the image file and reads of unallocated areas beyond the end of the backing file produce zeroes.
+
+Writes to an unallocated area cause a new data clusters to be allocated, and a new L2 table if that is also unallocated.  The new data cluster is populated with data from the backing file (or zeroes if no backing file) and the data being written.
+
+===Logical offset translation===
+Logical offsets are translated into cluster offsets as follows:
+
+  table_bits table_bits    cluster_bits
+  <--------> <--------> <--------------->
+ +----------+----------+-----------------+
+ | L1 index | L2 index |     byte offset |
+ +----------+----------+-----------------+
+ 
+       Structure of a logical offset
+
+ offset_mask = ~(cluster_size - 1) # mask for the image file byte offset
+ 
+ def logical_to_cluster_offset(l1_index, l2_index, byte_offset):
+   l2_offset = l1_table[l1_index]
+   l2_table = load_table(l2_offset)
+   cluster_offset = l2_table[l2_index] & offset_mask
+   return cluster_offset + byte_offset
+
+==Consistency checking==
+
+This section is informational and included to provide background on the use of the QED_F_NEED_CHECK ''features'' bit.
+
+The QED_F_NEED_CHECK bit is used to mark an image as dirty before starting an operation that could leave the image in an inconsistent state if interrupted by a crash or power failure.  A dirty image must be checked on open because its metadata may not be consistent.
+
+Consistency check includes the following invariants:
+# Each cluster is referenced once and only once.  It is an inconsistency to have a cluster referenced more than once by L1 or L2 tables.  A cluster has been leaked if it has no references.
+# Offsets must be within the image file size and must be ''cluster_size'' aligned.
+# Table offsets must at least ''table_size'' * ''cluster_size'' bytes from the end of the image file so that there is space for the entire table.
+
+The consistency check process starts by from ''l1_table_offset'' and scans all L2 tables.  After the check completes with no other errors besides leaks, the QED_F_NEED_CHECK bit can be cleared and the image can be accessed.
commit 095343adf97212396c1c2d7021d5fb338a4286c8
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Dec 17 11:55:37 2010 +0100

    qemu-io: Fix typo in help texts
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-io.c b/qemu-io.c
index 2318a28..65dee13 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -326,7 +326,7 @@ read_help(void)
 " -l, -- length for pattern verification (only with -P)\n"
 " -p, -- use bdrv_pread to read the file\n"
 " -P, -- use a pattern to verify read data\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 " -s, -- start offset for pattern verification (only with -P)\n"
 " -v, -- dump buffer to standard output\n"
 "\n");
@@ -509,7 +509,7 @@ readv_help(void)
 " -C, -- report statistics in a machine parsable format\n"
 " -P, -- use a pattern to verify read data\n"
 " -v, -- dump buffer to standard output\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 "\n");
 }
 
@@ -633,7 +633,7 @@ write_help(void)
 " -p, -- use bdrv_pwrite to write the file\n"
 " -P, -- use different pattern to fill file\n"
 " -C, -- report statistics in a machine parsable format\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 "\n");
 }
 
@@ -765,7 +765,7 @@ writev_help(void)
 " filled with a set pattern (0xcdcdcdcd).\n"
 " -P, -- use different pattern to fill file\n"
 " -C, -- report statistics in a machine parsable format\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 "\n");
 }
 
@@ -1100,7 +1100,7 @@ aio_read_help(void)
 " -C, -- report statistics in a machine parsable format\n"
 " -P, -- use a pattern to verify read data\n"
 " -v, -- dump buffer to standard output\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 "\n");
 }
 
@@ -1198,7 +1198,7 @@ aio_write_help(void)
 " used to ensure all outstanding aio requests have been completed\n"
 " -P, -- use different pattern to fill file\n"
 " -C, -- report statistics in a machine parsable format\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 "\n");
 }
 
@@ -1406,7 +1406,7 @@ discard_help(void)
 "\n"
 " Discards a segment of the currently open file.\n"
 " -C, -- report statistics in a machine parsable format\n"
-" -q, -- quite mode, do not show I/O statistics\n"
+" -q, -- quiet mode, do not show I/O statistics\n"
 "\n");
 }
 
commit dce512dedf2b842f453f8b20d6ca37ce283103da
Author: Christoph Hellwig <hch at lst.de>
Date:   Fri Dec 17 11:41:15 2010 +0100

    raw-posix: add discard support
    
    Add support to discard blocks in a raw image residing on an XFS filesystem
    by calling the XFS_IOC_UNRESVSP64 ioctl to punch holes.  Support for other
    hole punching mechanisms can be added when they become available.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/raw-posix.c b/block/raw-posix.c
index 9286fb8..6b72470 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -69,6 +69,10 @@
 #include <sys/diskslice.h>
 #endif
 
+#ifdef CONFIG_XFS
+#include <xfs/xfs.h>
+#endif
+
 //#define DEBUG_FLOPPY
 
 //#define DEBUG_BLOCK
@@ -120,6 +124,9 @@ typedef struct BDRVRawState {
 #endif
     uint8_t *aligned_buf;
     unsigned aligned_buf_size;
+#ifdef CONFIG_XFS
+    bool is_xfs : 1;
+#endif
 } BDRVRawState;
 
 static int fd_open(BlockDriverState *bs);
@@ -196,6 +203,12 @@ static int raw_open_common(BlockDriverState *bs, const char *filename,
 #endif
     }
 
+#ifdef CONFIG_XFS
+    if (platform_test_xfs_fd(s->fd)) {
+        s->is_xfs = 1;
+    }
+#endif
+
     return 0;
 
 out_free_buf:
@@ -740,6 +753,37 @@ static int raw_flush(BlockDriverState *bs)
     return qemu_fdatasync(s->fd);
 }
 
+#ifdef CONFIG_XFS
+static int xfs_discard(BDRVRawState *s, int64_t sector_num, int nb_sectors)
+{
+    struct xfs_flock64 fl;
+
+    memset(&fl, 0, sizeof(fl));
+    fl.l_whence = SEEK_SET;
+    fl.l_start = sector_num << 9;
+    fl.l_len = (int64_t)nb_sectors << 9;
+
+    if (xfsctl(NULL, s->fd, XFS_IOC_UNRESVSP64, &fl) < 0) {
+        DEBUG_BLOCK_PRINT("cannot punch hole (%s)\n", strerror(errno));
+        return -errno;
+    }
+
+    return 0;
+}
+#endif
+
+static int raw_discard(BlockDriverState *bs, int64_t sector_num, int nb_sectors)
+{
+#ifdef CONFIG_XFS
+    BDRVRawState *s = bs->opaque;
+
+    if (s->is_xfs) {
+        return xfs_discard(s, sector_num, nb_sectors);
+    }
+#endif
+
+    return 0;
+}
 
 static QEMUOptionParameter raw_create_options[] = {
     {
@@ -761,6 +805,7 @@ static BlockDriver bdrv_file = {
     .bdrv_close = raw_close,
     .bdrv_create = raw_create,
     .bdrv_flush = raw_flush,
+    .bdrv_discard = raw_discard,
 
     .bdrv_aio_readv = raw_aio_readv,
     .bdrv_aio_writev = raw_aio_writev,
diff --git a/configure b/configure
index 62defc4..47e4cf0 100755
--- a/configure
+++ b/configure
@@ -288,6 +288,7 @@ xen=""
 linux_aio=""
 attr=""
 vhost_net=""
+xfs=""
 
 gprof="no"
 debug_tcg="no"
@@ -1399,6 +1400,27 @@ EOF
 fi
 
 ##########################################
+# xfsctl() probe, used for raw-posix
+if test "$xfs" != "no" ; then
+  cat > $TMPC << EOF
+#include <xfs/xfs.h>
+int main(void)
+{
+    xfsctl(NULL, 0, 0, NULL);
+    return 0;
+}
+EOF
+  if compile_prog "" "" ; then
+    xfs="yes"
+  else
+    if test "$xfs" = "yes" ; then
+      feature_not_found "xfs"
+    fi
+    xfs=no
+  fi
+fi
+
+##########################################
 # vde libraries probe
 if test "$vde" != "no" ; then
   vde_libs="-lvdeplug"
@@ -2403,6 +2425,7 @@ echo "Trace backend     $trace_backend"
 echo "Trace output file $trace_file-<pid>"
 echo "spice support     $spice"
 echo "rbd support       $rbd"
+echo "xfsctl support    $xfs"
 
 if test $sdl_too_old = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -2548,6 +2571,9 @@ fi
 if test "$uuid" = "yes" ; then
   echo "CONFIG_UUID=y" >> $config_host_mak
 fi
+if test "$xfs" = "yes" ; then
+  echo "CONFIG_XFS=y" >> $config_host_mak
+fi
 qemu_version=`head $source_path/VERSION`
 echo "VERSION=$qemu_version" >>$config_host_mak
 echo "PKGVERSION=$pkgversion" >>$config_host_mak
commit edff5db1f50fd89e807f3fb518c77af7531e8117
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Dec 13 09:36:26 2010 +0000

    qemu-io: Add discard command
    
    discard [-Cq] off len -- discards a number of bytes at a specified
    offset
    
     discards a range of bytes from the given offset
    
     Example:
     'discard 512 1k' - discards 1 kilobyte from 512 bytes into the file
    
     Discards a segment of the currently open file.
     -C, -- report statistics in a machine parsable format
     -q, -- quite mode, do not show I/O statistics
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-io.c b/qemu-io.c
index 0f6d1b6..2318a28 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1394,6 +1394,93 @@ static const cmdinfo_t info_cmd = {
 	.oneline	= "prints information about the current file",
 };
 
+static void
+discard_help(void)
+{
+	printf(
+"\n"
+" discards a range of bytes from the given offset\n"
+"\n"
+" Example:\n"
+" 'discard 512 1k' - discards 1 kilobyte from 512 bytes into the file\n"
+"\n"
+" Discards a segment of the currently open file.\n"
+" -C, -- report statistics in a machine parsable format\n"
+" -q, -- quite mode, do not show I/O statistics\n"
+"\n");
+}
+
+static int discard_f(int argc, char **argv);
+
+static const cmdinfo_t discard_cmd = {
+	.name		= "discard",
+	.altname	= "d",
+	.cfunc		= discard_f,
+	.argmin		= 2,
+	.argmax		= -1,
+	.args		= "[-Cq] off len",
+	.oneline	= "discards a number of bytes at a specified offset",
+	.help		= discard_help,
+};
+
+static int
+discard_f(int argc, char **argv)
+{
+	struct timeval t1, t2;
+	int Cflag = 0, qflag = 0;
+	int c, ret;
+	int64_t offset;
+	int count;
+
+	while ((c = getopt(argc, argv, "Cq")) != EOF) {
+		switch (c) {
+		case 'C':
+			Cflag = 1;
+			break;
+		case 'q':
+			qflag = 1;
+			break;
+		default:
+			return command_usage(&discard_cmd);
+		}
+	}
+
+	if (optind != argc - 2) {
+		return command_usage(&discard_cmd);
+	}
+
+	offset = cvtnum(argv[optind]);
+	if (offset < 0) {
+		printf("non-numeric length argument -- %s\n", argv[optind]);
+		return 0;
+	}
+
+	optind++;
+	count = cvtnum(argv[optind]);
+	if (count < 0) {
+		printf("non-numeric length argument -- %s\n", argv[optind]);
+		return 0;
+	}
+
+	gettimeofday(&t1, NULL);
+	ret = bdrv_discard(bs, offset, count);
+	gettimeofday(&t2, NULL);
+
+	if (ret < 0) {
+		printf("discard failed: %s\n", strerror(-ret));
+		goto out;
+	}
+
+	/* Finally, report back -- -C gives a parsable format */
+	if (!qflag) {
+		t2 = tsub(t2, t1);
+		print_report("discard", &t2, offset, count, count, 1, Cflag);
+	}
+
+out:
+	return 0;
+}
+
 static int
 alloc_f(int argc, char **argv)
 {
@@ -1715,6 +1802,7 @@ int main(int argc, char **argv)
 	add_command(&truncate_cmd);
 	add_command(&length_cmd);
 	add_command(&info_cmd);
+	add_command(&discard_cmd);
 	add_command(&alloc_cmd);
 	add_command(&map_cmd);
 
commit ea3bd56f56822350bbb91518b3d786948f573359
Author: Christoph Hellwig <hch at lst.de>
Date:   Thu Dec 16 19:36:43 2010 +0100

    scsi-disk: support WRITE SAME (16) with unmap bit
    
    Support discards via the WRITE SAME command with the unmap bit set, and
    tell the initiator about the support for it via the block limit and the
    new thin provisioning EVPD pages.  Also fix the comment which incorrectly
    describedthe block limits EVPD page.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-defs.h b/hw/scsi-defs.h
index 1473ecb..413cce0 100644
--- a/hw/scsi-defs.h
+++ b/hw/scsi-defs.h
@@ -84,6 +84,7 @@
 #define MODE_SENSE_10         0x5a
 #define PERSISTENT_RESERVE_IN 0x5e
 #define PERSISTENT_RESERVE_OUT 0x5f
+#define WRITE_SAME_16         0x93
 #define MAINTENANCE_IN        0xa3
 #define MAINTENANCE_OUT       0xa4
 #define MOVE_MEDIUM           0xa5
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 87f9e86..6cb317c 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -424,7 +424,8 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
             outbuf[buflen++] = 0x80; // unit serial number
             outbuf[buflen++] = 0x83; // device identification
             if (bdrv_get_type_hint(s->bs) != BDRV_TYPE_CDROM) {
-                outbuf[buflen++] = 0xb0; // block device characteristics
+                outbuf[buflen++] = 0xb0; // block limits
+                outbuf[buflen++] = 0xb2; // thin provisioning
             }
             outbuf[pages] = buflen - pages - 1; // number of pages
             break;
@@ -466,8 +467,10 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
             buflen += id_len;
             break;
         }
-        case 0xb0: /* block device characteristics */
+        case 0xb0: /* block limits */
         {
+            unsigned int unmap_sectors =
+                    s->qdev.conf.discard_granularity / s->qdev.blocksize;
             unsigned int min_io_size =
                     s->qdev.conf.min_io_size / s->qdev.blocksize;
             unsigned int opt_io_size =
@@ -492,6 +495,21 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
             outbuf[13] = (opt_io_size >> 16) & 0xff;
             outbuf[14] = (opt_io_size >> 8) & 0xff;
             outbuf[15] = opt_io_size & 0xff;
+
+            /* optimal unmap granularity */
+            outbuf[28] = (unmap_sectors >> 24) & 0xff;
+            outbuf[29] = (unmap_sectors >> 16) & 0xff;
+            outbuf[30] = (unmap_sectors >> 8) & 0xff;
+            outbuf[31] = unmap_sectors & 0xff;
+            break;
+        }
+        case 0xb2: /* thin provisioning */
+        {
+            outbuf[3] = buflen = 8;
+            outbuf[4] = 0;
+            outbuf[5] = 0x40; /* write same with unmap supported */
+            outbuf[6] = 0;
+            outbuf[7] = 0;
             break;
         }
         default:
@@ -959,6 +977,12 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
             outbuf[11] = 0;
             outbuf[12] = 0;
             outbuf[13] = get_physical_block_exp(&s->qdev.conf);
+
+            /* set TPE bit if the format supports discard */
+            if (s->qdev.conf.discard_granularity) {
+                outbuf[14] = 0x80;
+            }
+
             /* Protection, exponent and lowest lba field left blank. */
             buflen = req->cmd.xfer;
             break;
@@ -1123,6 +1147,31 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
             goto illegal_lba;
         }
         break;
+    case WRITE_SAME_16:
+        len = r->req.cmd.xfer / d->blocksize;
+
+        DPRINTF("WRITE SAME(16) (sector %" PRId64 ", count %d)\n",
+                r->req.cmd.lba, len);
+
+        if (r->req.cmd.lba > s->max_lba) {
+            goto illegal_lba;
+        }
+
+        /*
+         * We only support WRITE SAME with the unmap bit set for now.
+         */
+        if (!(buf[1] & 0x8)) {
+            goto fail;
+        }
+
+        rc = bdrv_discard(s->bs, r->req.cmd.lba * s->cluster_size,
+                          len * s->cluster_size);
+        if (rc < 0) {
+            /* XXX: better error code ?*/
+            goto fail;
+        }
+
+        break;
     default:
         DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
     fail:
commit bb8bf76fb1c4afa116a7f11fee559b3cca671a4a
Author: Christoph Hellwig <hch at lst.de>
Date:   Thu Dec 16 19:36:31 2010 +0100

    block: add discard support
    
    Add a new bdrv_discard method to free blocks in a mapping image, and a new
    drive property to set the granularity for these discard.  If no discard
    granularity support is set discard support is disabled.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index fe07d0b..9b5e9e1 100644
--- a/block.c
+++ b/block.c
@@ -1515,6 +1515,17 @@ int bdrv_has_zero_init(BlockDriverState *bs)
     return 1;
 }
 
+int bdrv_discard(BlockDriverState *bs, int64_t sector_num, int nb_sectors)
+{
+    if (!bs->drv) {
+        return -ENOMEDIUM;
+    }
+    if (!bs->drv->bdrv_discard) {
+        return 0;
+    }
+    return bs->drv->bdrv_discard(bs, sector_num, nb_sectors);
+}
+
 /*
  * Returns true iff the specified sector is present in the disk image. Drivers
  * not implementing the functionality are assumed to not support backing files,
diff --git a/block.h b/block.h
index b812172..f923add 100644
--- a/block.h
+++ b/block.h
@@ -146,6 +146,7 @@ int bdrv_flush(BlockDriverState *bs);
 void bdrv_flush_all(void);
 void bdrv_close_all(void);
 
+int bdrv_discard(BlockDriverState *bs, int64_t sector_num, int nb_sectors);
 int bdrv_has_zero_init(BlockDriverState *bs);
 int bdrv_is_allocated(BlockDriverState *bs, int64_t sector_num, int nb_sectors,
 	int *pnum);
diff --git a/block/raw.c b/block/raw.c
index 1980deb..b0f72d6 100644
--- a/block/raw.c
+++ b/block/raw.c
@@ -65,6 +65,11 @@ static int raw_probe(const uint8_t *buf, int buf_size, const char *filename)
    return 1; /* everything can be opened as raw image */
 }
 
+static int raw_discard(BlockDriverState *bs, int64_t sector_num, int nb_sectors)
+{
+    return bdrv_discard(bs->file, sector_num, nb_sectors);
+}
+
 static int raw_is_inserted(BlockDriverState *bs)
 {
     return bdrv_is_inserted(bs->file);
@@ -130,6 +135,7 @@ static BlockDriver bdrv_raw = {
     .bdrv_aio_readv     = raw_aio_readv,
     .bdrv_aio_writev    = raw_aio_writev,
     .bdrv_aio_flush     = raw_aio_flush,
+    .bdrv_discard       = raw_discard,
 
     .bdrv_is_inserted   = raw_is_inserted,
     .bdrv_eject         = raw_eject,
diff --git a/block_int.h b/block_int.h
index 6b3b098..eb5cd42 100644
--- a/block_int.h
+++ b/block_int.h
@@ -72,6 +72,8 @@ struct BlockDriver {
         BlockDriverCompletionFunc *cb, void *opaque);
     BlockDriverAIOCB *(*bdrv_aio_flush)(BlockDriverState *bs,
         BlockDriverCompletionFunc *cb, void *opaque);
+    int (*bdrv_discard)(BlockDriverState *bs, int64_t sector_num,
+                        int nb_sectors);
 
     int (*bdrv_aio_multiwrite)(BlockDriverState *bs, BlockRequest *reqs,
         int num_reqs);
@@ -227,6 +229,7 @@ typedef struct BlockConf {
     uint16_t min_io_size;
     uint32_t opt_io_size;
     int32_t bootindex;
+    uint32_t discard_granularity;
 } BlockConf;
 
 static inline unsigned int get_physical_block_exp(BlockConf *conf)
@@ -250,6 +253,8 @@ static inline unsigned int get_physical_block_exp(BlockConf *conf)
                        _conf.physical_block_size, 512),                 \
     DEFINE_PROP_UINT16("min_io_size", _state, _conf.min_io_size, 0),  \
     DEFINE_PROP_UINT32("opt_io_size", _state, _conf.opt_io_size, 0),    \
-    DEFINE_PROP_INT32("bootindex", _state, _conf.bootindex, -1)         \
+    DEFINE_PROP_INT32("bootindex", _state, _conf.bootindex, -1),        \
+    DEFINE_PROP_UINT32("discard_granularity", _state, \
+                       _conf.discard_granularity, 0)
 
 #endif /* BLOCK_INT_H */
commit 61d9d6b091aa04e5e5bd20951aa689a5bbe65aed
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Thu Dec 16 15:54:06 2010 +0000

    ide: Register vm change state handler once only
    
    We register the vm change state handler in a PCI BAR map() function.
    This function can be called multiple times throughout the lifetime of a
    PCI IDE device.  This results in duplicate vm change state handlers
    being register, none of which are ever unregistered.
    
    Instead, register the vm change state handler in the device's init
    function once and for all.
    
    piix tested, cmd646 and via not tested.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c
index e191ee6..89ba836 100644
--- a/hw/ide/cmd646.c
+++ b/hw/ide/cmd646.c
@@ -167,10 +167,6 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
 
     for(i = 0;i < 2; i++) {
         BMDMAState *bm = &d->bmdma[i];
-        bmdma_init(&d->bus[i], bm);
-        bm->bus = d->bus+i;
-        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
-                                         &bm->dma);
 
         if (i == 0) {
             register_ioport_write(addr, 4, 1, bmdma_writeb_0, d);
@@ -228,6 +224,7 @@ static int pci_cmd646_ide_initfn(PCIDevice *dev)
     PCIIDEState *d = DO_UPCAST(PCIIDEState, dev, dev);
     uint8_t *pci_conf = d->dev.config;
     qemu_irq *irq;
+    int i;
 
     pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_CMD);
     pci_config_set_device_id(pci_conf, PCI_DEVICE_ID_CMD_646);
@@ -253,10 +250,15 @@ static int pci_cmd646_ide_initfn(PCIDevice *dev)
     pci_conf[PCI_INTERRUPT_PIN] = 0x01; // interrupt on pin 1
 
     irq = qemu_allocate_irqs(cmd646_set_irq, d, 2);
-    ide_bus_new(&d->bus[0], &d->dev.qdev, 0);
-    ide_bus_new(&d->bus[1], &d->dev.qdev, 1);
-    ide_init2(&d->bus[0], irq[0]);
-    ide_init2(&d->bus[1], irq[1]);
+    for (i = 0; i < 2; i++) {
+        ide_bus_new(&d->bus[i], &d->dev.qdev, i);
+        ide_init2(&d->bus[i], irq[i]);
+
+        bmdma_init(&d->bus[i], &d->bmdma[i]);
+        bm->bus = &d->bus[i];
+        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
+                                         &d->bmdma[i]->dma);
+    }
 
     vmstate_register(&dev->qdev, 0, &vmstate_ide_pci, d);
     qemu_register_reset(cmd646_reset, d);
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index a6b5d92..1cad906 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -76,10 +76,6 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
 
     for(i = 0;i < 2; i++) {
         BMDMAState *bm = &d->bmdma[i];
-        bmdma_init(&d->bus[i], bm);
-        bm->bus = d->bus+i;
-        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
-                                         &bm->dma);
 
         register_ioport_write(addr, 1, 1, bmdma_cmd_writeb, bm);
 
@@ -112,6 +108,29 @@ static void piix3_reset(void *opaque)
     pci_conf[0x20] = 0x01; /* BMIBA: 20-23h */
 }
 
+static void pci_piix_init_ports(PCIIDEState *d) {
+    int i;
+    struct {
+        int iobase;
+        int iobase2;
+        int isairq;
+    } port_info[] = {
+        {0x1f0, 0x3f6, 14},
+        {0x170, 0x376, 15},
+    };
+
+    for (i = 0; i < 2; i++) {
+        ide_bus_new(&d->bus[i], &d->dev.qdev, i);
+        ide_init_ioport(&d->bus[i], port_info[i].iobase, port_info[i].iobase2);
+        ide_init2(&d->bus[i], isa_reserve_irq(port_info[i].isairq));
+
+        bmdma_init(&d->bus[i], &d->bmdma[i]);
+        d->bmdma[i].bus = &d->bus[i];
+        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
+                                         &d->bmdma[i].dma);
+    }
+}
+
 static int pci_piix_ide_initfn(PCIIDEState *d)
 {
     uint8_t *pci_conf = d->dev.config;
@@ -125,13 +144,8 @@ static int pci_piix_ide_initfn(PCIIDEState *d)
 
     vmstate_register(&d->dev.qdev, 0, &vmstate_ide_pci, d);
 
-    ide_bus_new(&d->bus[0], &d->dev.qdev, 0);
-    ide_bus_new(&d->bus[1], &d->dev.qdev, 1);
-    ide_init_ioport(&d->bus[0], 0x1f0, 0x3f6);
-    ide_init_ioport(&d->bus[1], 0x170, 0x376);
+    pci_piix_init_ports(d);
 
-    ide_init2(&d->bus[0], isa_reserve_irq(14));
-    ide_init2(&d->bus[1], isa_reserve_irq(15));
     return 0;
 }
 
diff --git a/hw/ide/via.c b/hw/ide/via.c
index 2603110..5b70bd2 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -78,10 +78,6 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
 
     for(i = 0;i < 2; i++) {
         BMDMAState *bm = &d->bmdma[i];
-        bmdma_init(&d->bus[i], bm);
-        bm->bus = d->bus+i;
-        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
-                                         &bm->dma);
 
         register_ioport_write(addr, 1, 1, bmdma_cmd_writeb, bm);
 
@@ -135,6 +131,29 @@ static void via_reset(void *opaque)
     pci_set_long(pci_conf + 0xc0, 0x00020001);
 }
 
+static void vt82c686b_init_ports(PCIIDEState *d) {
+    int i;
+    struct {
+        int iobase;
+        int iobase2;
+        int isairq;
+    } port_info[] = {
+        {0x1f0, 0x3f6, 14},
+        {0x170, 0x376, 15},
+    };
+
+    for (i = 0; i < 2; i++) {
+        ide_bus_new(&d->bus[i], &d->dev.qdev, i);
+        ide_init_ioport(&d->bus[i], port_info[i].iobase, port_info[i].iobase2);
+        ide_init2(&d->bus[i], isa_reserve_irq(port_info[i].isairq));
+
+        bmdma_init(&d->bus[i], &d->bmdma[i]);
+        d->bmdma[i].bus = &d->bus[i];
+        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
+                                         &d->bmdma[i]->dma);
+    }
+}
+
 /* via ide func */
 static int vt82c686b_ide_initfn(PCIDevice *dev)
 {
@@ -154,12 +173,7 @@ static int vt82c686b_ide_initfn(PCIDevice *dev)
 
     vmstate_register(&dev->qdev, 0, &vmstate_ide_pci, d);
 
-    ide_bus_new(&d->bus[0], &d->dev.qdev, 0);
-    ide_bus_new(&d->bus[1], &d->dev.qdev, 1);
-    ide_init2(&d->bus[0], isa_reserve_irq(14));
-    ide_init2(&d->bus[1], isa_reserve_irq(15));
-    ide_init_ioport(&d->bus[0], 0x1f0, 0x3f6);
-    ide_init_ioport(&d->bus[1], 0x170, 0x376);
+    vt82c686b_init_ports(d);
 
     return 0;
 }
commit ad7171394f2fe3f9b5fe02f0c62496291a859a92
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Dec 16 15:37:41 2010 +0100

    Remove NULL checks for bdrv_new return value
    
    It's an indirect call to qemu_malloc, which never returns an error.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/xen_disk.c b/hw/xen_disk.c
index 85a1c85..ed9e5eb 100644
--- a/hw/xen_disk.c
+++ b/hw/xen_disk.c
@@ -634,17 +634,12 @@ static int blk_init(struct XenDevice *xendev)
     if (!blkdev->dinfo) {
         /* setup via xenbus -> create new block driver instance */
         xen_be_printf(&blkdev->xendev, 2, "create new bdrv (xenbus setup)\n");
-	blkdev->bs = bdrv_new(blkdev->dev);
-	if (blkdev->bs) {
-	    if (bdrv_open(blkdev->bs, blkdev->filename, qflags,
-                           bdrv_find_whitelisted_format(blkdev->fileproto))
-                != 0) {
-		bdrv_delete(blkdev->bs);
-		blkdev->bs = NULL;
-	    }
-	}
-	if (!blkdev->bs)
-	    return -1;
+        blkdev->bs = bdrv_new(blkdev->dev);
+        if (bdrv_open(blkdev->bs, blkdev->filename, qflags,
+                      bdrv_find_whitelisted_format(blkdev->fileproto)) != 0) {
+            bdrv_delete(blkdev->bs);
+            return -1;
+        }
     } else {
         /* setup via qemu cmdline -> already setup for us */
         xen_be_printf(&blkdev->xendev, 2, "get configured bdrv (cmdline setup)\n");
diff --git a/qemu-img.c b/qemu-img.c
index 0b871d8..afd9ed2 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -215,10 +215,7 @@ static BlockDriverState *bdrv_new_open(const char *filename,
     char password[256];
 
     bs = bdrv_new("");
-    if (!bs) {
-        error_report("Not enough memory");
-        goto fail;
-    }
+
     if (fmt) {
         drv = bdrv_find_format(fmt);
         if (!drv) {
diff --git a/qemu-io.c b/qemu-io.c
index ff353eb..0f6d1b6 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1509,8 +1509,6 @@ static int openfile(char *name, int flags, int growable)
 		}
 	} else {
 		bs = bdrv_new("hda");
-		if (!bs)
-			return 1;
 
 		if (bdrv_open(bs, name, flags, NULL) < 0) {
 			fprintf(stderr, "%s: can't open device %s\n", progname, name);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 99f1d22..e858033 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -336,8 +336,6 @@ int main(int argc, char **argv)
     bdrv_init();
 
     bs = bdrv_new("hda");
-    if (bs == NULL)
-        return 1;
 
     if ((ret = bdrv_open(bs, argv[optind], flags, NULL)) < 0) {
         errno = -ret;
commit 15654a6d7c3269e922b92f9596e48078c9bfcbfa
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 16 14:31:53 2010 +0100

    qemu.img.c: Use error_report() instead of own error() implementation
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index 0ff179f..0b871d8 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -41,16 +41,6 @@ typedef struct img_cmd_t {
 /* Default to cache=writeback as data integrity is not important for qemu-tcg. */
 #define BDRV_O_FLAGS BDRV_O_CACHE_WB
 
-static void GCC_FMT_ATTR(1, 2) error(const char *fmt, ...)
-{
-    va_list ap;
-    va_start(ap, fmt);
-    fprintf(stderr, "qemu-img: ");
-    vfprintf(stderr, fmt, ap);
-    fprintf(stderr, "\n");
-    va_end(ap);
-}
-
 static void format_print(void *opaque, const char *name)
 {
     printf(" %s", name);
@@ -197,13 +187,13 @@ static int print_block_option_help(const char *filename, const char *fmt)
     /* Find driver and parse its options */
     drv = bdrv_find_format(fmt);
     if (!drv) {
-        error("Unknown file format '%s'", fmt);
+        error_report("Unknown file format '%s'", fmt);
         return 1;
     }
 
     proto_drv = bdrv_find_protocol(filename);
     if (!proto_drv) {
-        error("Unknown protocol '%s'", filename);
+        error_report("Unknown protocol '%s'", filename);
         return 1;
     }
 
@@ -226,30 +216,30 @@ static BlockDriverState *bdrv_new_open(const char *filename,
 
     bs = bdrv_new("");
     if (!bs) {
-        error("Not enough memory");
+        error_report("Not enough memory");
         goto fail;
     }
     if (fmt) {
         drv = bdrv_find_format(fmt);
         if (!drv) {
-            error("Unknown file format '%s'", fmt);
+            error_report("Unknown file format '%s'", fmt);
             goto fail;
         }
     } else {
         drv = NULL;
     }
     if (bdrv_open(bs, filename, flags, drv) < 0) {
-        error("Could not open '%s'", filename);
+        error_report("Could not open '%s'", filename);
         goto fail;
     }
     if (bdrv_is_encrypted(bs)) {
         printf("Disk image '%s' is encrypted.\n", filename);
         if (read_password(password, sizeof(password)) < 0) {
-            error("No password given");
+            error_report("No password given");
             goto fail;
         }
         if (bdrv_set_key(bs, password) < 0) {
-            error("invalid password");
+            error_report("invalid password");
             goto fail;
         }
     }
@@ -267,13 +257,15 @@ static int add_old_style_options(const char *fmt, QEMUOptionParameter *list,
 {
     if (base_filename) {
         if (set_option_parameter(list, BLOCK_OPT_BACKING_FILE, base_filename)) {
-            error("Backing file not supported for file format '%s'", fmt);
+            error_report("Backing file not supported for file format '%s'",
+                         fmt);
             return -1;
         }
     }
     if (base_fmt) {
         if (set_option_parameter(list, BLOCK_OPT_BACKING_FMT, base_fmt)) {
-            error("Backing file format not supported for file format '%s'", fmt);
+            error_report("Backing file format not supported for file "
+                         "format '%s'", fmt);
             return -1;
         }
     }
@@ -310,11 +302,11 @@ static int img_create(int argc, char **argv)
             fmt = optarg;
             break;
         case 'e':
-            error("qemu-img: option -e is deprecated, please use \'-o "
+            error_report("qemu-img: option -e is deprecated, please use \'-o "
                   "encryption\' instead!");
             return 1;
         case '6':
-            error("qemu-img: option -6 is deprecated, please use \'-o "
+            error_report("qemu-img: option -6 is deprecated, please use \'-o "
                   "compat6\' instead!");
             return 1;
         case 'o':
@@ -334,9 +326,9 @@ static int img_create(int argc, char **argv)
         ssize_t sval;
         sval = strtosz_suffix(argv[optind++], NULL, STRTOSZ_DEFSUFFIX_B);
         if (sval < 0) {
-            error("Invalid image size specified! You may use k, M, G or "
+            error_report("Invalid image size specified! You may use k, M, G or "
                   "T suffixes for ");
-            error("kilobytes, megabytes, gigabytes and terabytes.");
+            error_report("kilobytes, megabytes, gigabytes and terabytes.");
             ret = -1;
             goto out;
         }
@@ -400,7 +392,7 @@ static int img_check(int argc, char **argv)
     ret = bdrv_check(bs, &result);
 
     if (ret == -ENOTSUP) {
-        error("This image format does not support checks");
+        error_report("This image format does not support checks");
         bdrv_delete(bs);
         return 1;
     }
@@ -482,16 +474,16 @@ static int img_commit(int argc, char **argv)
         printf("Image committed.\n");
         break;
     case -ENOENT:
-        error("No disk inserted");
+        error_report("No disk inserted");
         break;
     case -EACCES:
-        error("Image is read-only");
+        error_report("Image is read-only");
         break;
     case -ENOTSUP:
-        error("Image is already committed");
+        error_report("Image is already committed");
         break;
     default:
-        error("Error while committing image");
+        error_report("Error while committing image");
         break;
     }
 
@@ -614,11 +606,11 @@ static int img_convert(int argc, char **argv)
             compress = 1;
             break;
         case 'e':
-            error("qemu-img: option -e is deprecated, please use \'-o "
+            error_report("qemu-img: option -e is deprecated, please use \'-o "
                   "encryption\' instead!");
             return 1;
         case '6':
-            error("qemu-img: option -6 is deprecated, please use \'-o "
+            error_report("qemu-img: option -6 is deprecated, please use \'-o "
                   "compat6\' instead!");
             return 1;
         case 'o':
@@ -643,7 +635,8 @@ static int img_convert(int argc, char **argv)
     }
 
     if (bs_n > 1 && out_baseimg) {
-        error("-B makes no sense when concatenating multiple input images");
+        error_report("-B makes no sense when concatenating multiple input "
+                     "images");
         ret = -1;
         goto out;
     }
@@ -654,7 +647,7 @@ static int img_convert(int argc, char **argv)
     for (bs_i = 0; bs_i < bs_n; bs_i++) {
         bs[bs_i] = bdrv_new_open(argv[optind + bs_i], fmt, BDRV_O_FLAGS);
         if (!bs[bs_i]) {
-            error("Could not open '%s'", argv[optind + bs_i]);
+            error_report("Could not open '%s'", argv[optind + bs_i]);
             ret = -1;
             goto out;
         }
@@ -664,12 +657,12 @@ static int img_convert(int argc, char **argv)
 
     if (snapshot_name != NULL) {
         if (bs_n > 1) {
-            error("No support for concatenating multiple snapshot\n");
+            error_report("No support for concatenating multiple snapshot\n");
             ret = -1;
             goto out;
         }
         if (bdrv_snapshot_load_tmp(bs[0], snapshot_name) < 0) {
-            error("Failed to load snapshot\n");
+            error_report("Failed to load snapshot\n");
             ret = -1;
             goto out;
         }
@@ -678,14 +671,14 @@ static int img_convert(int argc, char **argv)
     /* Find driver and parse its options */
     drv = bdrv_find_format(out_fmt);
     if (!drv) {
-        error("Unknown file format '%s'", out_fmt);
+        error_report("Unknown file format '%s'", out_fmt);
         ret = -1;
         goto out;
     }
 
     proto_drv = bdrv_find_protocol(out_filename);
     if (!proto_drv) {
-        error("Unknown protocol '%s'", out_filename);
+        error_report("Unknown protocol '%s'", out_filename);
         ret = -1;
         goto out;
     }
@@ -698,7 +691,7 @@ static int img_convert(int argc, char **argv)
     if (options) {
         param = parse_option_parameters(options, create_options, param);
         if (param == NULL) {
-            error("Invalid options for file format '%s'.", out_fmt);
+            error_report("Invalid options for file format '%s'.", out_fmt);
             ret = -1;
             goto out;
         }
@@ -724,13 +717,14 @@ static int img_convert(int argc, char **argv)
             get_option_parameter(param, BLOCK_OPT_ENCRYPT);
 
         if (!drv->bdrv_write_compressed) {
-            error("Compression not supported for this file format");
+            error_report("Compression not supported for this file format");
             ret = -1;
             goto out;
         }
 
         if (encryption && encryption->value.n) {
-            error("Compression and encryption not supported at the same time");
+            error_report("Compression and encryption not supported at "
+                         "the same time");
             ret = -1;
             goto out;
         }
@@ -740,11 +734,14 @@ static int img_convert(int argc, char **argv)
     ret = bdrv_create(drv, out_filename, param);
     if (ret < 0) {
         if (ret == -ENOTSUP) {
-            error("Formatting not supported for file format '%s'", out_fmt);
+            error_report("Formatting not supported for file format '%s'",
+                         out_fmt);
         } else if (ret == -EFBIG) {
-            error("The image size is too large for file format '%s'", out_fmt);
+            error_report("The image size is too large for file format '%s'",
+                         out_fmt);
         } else {
-            error("%s: error while converting %s: %s", out_filename, out_fmt, strerror(-ret));
+            error_report("%s: error while converting %s: %s",
+                         out_filename, out_fmt, strerror(-ret));
         }
         goto out;
     }
@@ -764,12 +761,12 @@ static int img_convert(int argc, char **argv)
     if (compress) {
         ret = bdrv_get_info(out_bs, &bdi);
         if (ret < 0) {
-            error("could not get block driver info");
+            error_report("could not get block driver info");
             goto out;
         }
         cluster_size = bdi.cluster_size;
         if (cluster_size <= 0 || cluster_size > IO_BUF_SIZE) {
-            error("invalid cluster size");
+            error_report("invalid cluster size");
             ret = -1;
             goto out;
         }
@@ -810,7 +807,7 @@ static int img_convert(int argc, char **argv)
 
                 ret = bdrv_read(bs[bs_i], bs_num, buf2, nlow);
                 if (ret < 0) {
-                    error("error while reading");
+                    error_report("error while reading");
                     goto out;
                 }
 
@@ -828,7 +825,7 @@ static int img_convert(int argc, char **argv)
                 ret = bdrv_write_compressed(out_bs, sector_num, buf,
                                             cluster_sectors);
                 if (ret != 0) {
-                    error("error while compressing sector %" PRId64,
+                    error_report("error while compressing sector %" PRId64,
                           sector_num);
                     goto out;
                 }
@@ -887,7 +884,7 @@ static int img_convert(int argc, char **argv)
 
             ret = bdrv_read(bs[bs_i], sector_num - bs_offset, buf, n);
             if (ret < 0) {
-                error("error while reading");
+                error_report("error while reading");
                 goto out;
             }
             /* NOTE: at the same time we convert, we do not write zero
@@ -906,7 +903,7 @@ static int img_convert(int argc, char **argv)
                     is_allocated_sectors(buf1, n, &n1)) {
                     ret = bdrv_write(out_bs, sector_num, buf1, n1);
                     if (ret < 0) {
-                        error("error while writing");
+                        error_report("error while writing");
                         goto out;
                     }
                 }
@@ -1148,7 +1145,7 @@ static int img_snapshot(int argc, char **argv)
 
         ret = bdrv_snapshot_create(bs, &sn);
         if (ret) {
-            error("Could not create snapshot '%s': %d (%s)",
+            error_report("Could not create snapshot '%s': %d (%s)",
                 snapshot_name, ret, strerror(-ret));
         }
         break;
@@ -1156,7 +1153,7 @@ static int img_snapshot(int argc, char **argv)
     case SNAPSHOT_APPLY:
         ret = bdrv_snapshot_goto(bs, snapshot_name);
         if (ret) {
-            error("Could not apply snapshot '%s': %d (%s)",
+            error_report("Could not apply snapshot '%s': %d (%s)",
                 snapshot_name, ret, strerror(-ret));
         }
         break;
@@ -1164,7 +1161,7 @@ static int img_snapshot(int argc, char **argv)
     case SNAPSHOT_DELETE:
         ret = bdrv_snapshot_delete(bs, snapshot_name);
         if (ret) {
-            error("Could not delete snapshot '%s': %d (%s)",
+            error_report("Could not delete snapshot '%s': %d (%s)",
                 snapshot_name, ret, strerror(-ret));
         }
         break;
@@ -1241,7 +1238,7 @@ static int img_rebase(int argc, char **argv)
     if (!unsafe && bs->backing_format[0] != '\0') {
         old_backing_drv = bdrv_find_format(bs->backing_format);
         if (old_backing_drv == NULL) {
-            error("Invalid format name: '%s'", bs->backing_format);
+            error_report("Invalid format name: '%s'", bs->backing_format);
             ret = -1;
             goto out;
         }
@@ -1250,7 +1247,7 @@ static int img_rebase(int argc, char **argv)
     if (out_basefmt != NULL) {
         new_backing_drv = bdrv_find_format(out_basefmt);
         if (new_backing_drv == NULL) {
-            error("Invalid format name: '%s'", out_basefmt);
+            error_report("Invalid format name: '%s'", out_basefmt);
             ret = -1;
             goto out;
         }
@@ -1269,7 +1266,7 @@ static int img_rebase(int argc, char **argv)
         ret = bdrv_open(bs_old_backing, backing_name, BDRV_O_FLAGS,
                         old_backing_drv);
         if (ret) {
-            error("Could not open old backing file '%s'", backing_name);
+            error_report("Could not open old backing file '%s'", backing_name);
             goto out;
         }
 
@@ -1277,7 +1274,7 @@ static int img_rebase(int argc, char **argv)
         ret = bdrv_open(bs_new_backing, out_baseimg, BDRV_O_FLAGS,
                         new_backing_drv);
         if (ret) {
-            error("Could not open new backing file '%s'", out_baseimg);
+            error_report("Could not open new backing file '%s'", out_baseimg);
             goto out;
         }
     }
@@ -1321,12 +1318,12 @@ static int img_rebase(int argc, char **argv)
             /* Read old and new backing file */
             ret = bdrv_read(bs_old_backing, sector, buf_old, n);
             if (ret < 0) {
-                error("error while reading from old backing file");
+                error_report("error while reading from old backing file");
                 goto out;
             }
             ret = bdrv_read(bs_new_backing, sector, buf_new, n);
             if (ret < 0) {
-                error("error while reading from new backing file");
+                error_report("error while reading from new backing file");
                 goto out;
             }
 
@@ -1342,7 +1339,7 @@ static int img_rebase(int argc, char **argv)
                     ret = bdrv_write(bs, sector + written,
                         buf_old + written * 512, pnum);
                     if (ret < 0) {
-                        error("Error while writing to COW image: %s",
+                        error_report("Error while writing to COW image: %s",
                             strerror(-ret));
                         goto out;
                     }
@@ -1363,10 +1360,10 @@ static int img_rebase(int argc, char **argv)
      */
     ret = bdrv_change_backing_file(bs, out_baseimg, out_basefmt);
     if (ret == -ENOSPC) {
-        error("Could not change the backing file to '%s': No space left in "
-            "the file header", out_baseimg);
+        error_report("Could not change the backing file to '%s': No "
+                     "space left in the file header", out_baseimg);
     } else if (ret < 0) {
-        error("Could not change the backing file to '%s': %s",
+        error_report("Could not change the backing file to '%s': %s",
             out_baseimg, strerror(-ret));
     }
 
@@ -1465,7 +1462,7 @@ static int img_resize(int argc, char **argv)
         total_size = n;
     }
     if (total_size <= 0) {
-        error("New image size must be positive");
+        error_report("New image size must be positive");
         ret = -1;
         goto out;
     }
@@ -1476,13 +1473,13 @@ static int img_resize(int argc, char **argv)
         printf("Image resized.\n");
         break;
     case -ENOTSUP:
-        error("This image format does not support resize");
+        error_report("This image format does not support resize");
         break;
     case -EACCES:
-        error("Image is read-only");
+        error_report("Image is read-only");
         break;
     default:
-        error("Error resizing image (%d)", -ret);
+        error_report("Error resizing image (%d)", -ret);
         break;
     }
 out:
commit 4f70f249ca26e11895b64199f9bcc7a1f894d978
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 16 13:52:18 2010 +0100

    bdrv_img_create() use proper errno return values
    
    Kevin suggested to have bdrv_img_create() return proper -errno values
    on error.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index 0c14eee..fe07d0b 100644
--- a/block.c
+++ b/block.c
@@ -2773,14 +2773,14 @@ int bdrv_img_create(const char *filename, const char *fmt,
     drv = bdrv_find_format(fmt);
     if (!drv) {
         error_report("Unknown file format '%s'", fmt);
-        ret = -1;
+        ret = -EINVAL;
         goto out;
     }
 
     proto_drv = bdrv_find_protocol(filename);
     if (!proto_drv) {
         error_report("Unknown protocol '%s'", filename);
-        ret = -1;
+        ret = -EINVAL;
         goto out;
     }
 
@@ -2799,7 +2799,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
         param = parse_option_parameters(options, create_options, param);
         if (param == NULL) {
             error_report("Invalid options for file format '%s'.", fmt);
-            ret = -1;
+            ret = -EINVAL;
             goto out;
         }
     }
@@ -2809,7 +2809,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
                                  base_filename)) {
             error_report("Backing file not supported for file format '%s'",
                          fmt);
-            ret = -1;
+            ret = -EINVAL;
             goto out;
         }
     }
@@ -2818,7 +2818,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
         if (set_option_parameter(param, BLOCK_OPT_BACKING_FMT, base_fmt)) {
             error_report("Backing file format not supported for file "
                          "format '%s'", fmt);
-            ret = -1;
+            ret = -EINVAL;
             goto out;
         }
     }
@@ -2828,7 +2828,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
         if (!strcmp(filename, backing_file->value.s)) {
             error_report("Error: Trying to create an image with the "
                          "same filename as the backing file");
-            ret = -1;
+            ret = -EINVAL;
             goto out;
         }
     }
@@ -2838,7 +2838,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
         if (!bdrv_find_format(backing_fmt->value.s)) {
             error_report("Unknown backing file format '%s'",
                          backing_fmt->value.s);
-            ret = -1;
+            ret = -EINVAL;
             goto out;
         }
     }
@@ -2860,7 +2860,6 @@ int bdrv_img_create(const char *filename, const char *fmt,
             ret = bdrv_open(bs, backing_file->value.s, flags, drv);
             if (ret < 0) {
                 error_report("Could not open '%s'", filename);
-                ret = -1;
                 goto out;
             }
             bdrv_get_geometry(bs, &size);
@@ -2870,7 +2869,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
             set_option_parameter(param, BLOCK_OPT_SIZE, buf);
         } else {
             error_report("Image creation needs a size parameter");
-            ret = -1;
+            ret = -EINVAL;
             goto out;
         }
     }
@@ -2901,8 +2900,6 @@ out:
     if (bs) {
         bdrv_delete(bs);
     }
-    if (ret) {
-        return 1;
-    }
-    return 0;
+
+    return ret;
 }
commit 792da93a635bce0181c8a46a26941560bf2f7412
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 16 13:52:17 2010 +0100

    Prevent creating an image with the same filename as backing file
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index a48b30c..0c14eee 100644
--- a/block.c
+++ b/block.c
@@ -2764,7 +2764,7 @@ int bdrv_img_create(const char *filename, const char *fmt,
                     char *options, uint64_t img_size, int flags)
 {
     QEMUOptionParameter *param = NULL, *create_options = NULL;
-    QEMUOptionParameter *backing_fmt;
+    QEMUOptionParameter *backing_fmt, *backing_file;
     BlockDriverState *bs = NULL;
     BlockDriver *drv, *proto_drv;
     int ret = 0;
@@ -2823,6 +2823,16 @@ int bdrv_img_create(const char *filename, const char *fmt,
         }
     }
 
+    backing_file = get_option_parameter(param, BLOCK_OPT_BACKING_FILE);
+    if (backing_file && backing_file->value.s) {
+        if (!strcmp(filename, backing_file->value.s)) {
+            error_report("Error: Trying to create an image with the "
+                         "same filename as the backing file");
+            ret = -1;
+            goto out;
+        }
+    }
+
     backing_fmt = get_option_parameter(param, BLOCK_OPT_BACKING_FMT);
     if (backing_fmt && backing_fmt->value.s) {
         if (!bdrv_find_format(backing_fmt->value.s)) {
@@ -2836,9 +2846,6 @@ int bdrv_img_create(const char *filename, const char *fmt,
     // The size for the image must always be specified, with one exception:
     // If we are using a backing file, we can obtain the size from there
     if (get_option_parameter(param, BLOCK_OPT_SIZE)->value.n == -1) {
-        QEMUOptionParameter *backing_file =
-            get_option_parameter(param, BLOCK_OPT_BACKING_FILE);
-
         if (backing_file && backing_file->value.s) {
             uint64_t size;
             const char *fmt = NULL;
commit f88825680aa71eb4069cdaee9d65f2269f5c7cf3
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 16 13:52:16 2010 +0100

    Introduce do_snapshot_blkdev() and monitor command to handle it.
    
    The monitor command is:
    snapshot_blkdev <device> [snapshot-file] [format]
    
    Default format is qcow2. For now snapshots without a snapshot-file, eg
    internal snapshots, are not supported.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 3b3b82d..d7add36 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -516,6 +516,68 @@ void do_commit(Monitor *mon, const QDict *qdict)
     }
 }
 
+int do_snapshot_blkdev(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *device = qdict_get_str(qdict, "device");
+    const char *filename = qdict_get_try_str(qdict, "snapshot_file");
+    const char *format = qdict_get_try_str(qdict, "format");
+    BlockDriverState *bs;
+    BlockDriver *drv, *proto_drv;
+    int ret = 0;
+    int flags;
+
+    bs = bdrv_find(device);
+    if (!bs) {
+        qerror_report(QERR_DEVICE_NOT_FOUND, device);
+        ret = -1;
+        goto out;
+    }
+
+    if (!format) {
+        format = "qcow2";
+    }
+
+    drv = bdrv_find_format(format);
+    if (!drv) {
+        qerror_report(QERR_INVALID_BLOCK_FORMAT, format);
+        ret = -1;
+        goto out;
+    }
+
+    proto_drv = bdrv_find_protocol(filename);
+    if (!proto_drv) {
+        qerror_report(QERR_INVALID_BLOCK_FORMAT, format);
+        ret = -1;
+        goto out;
+    }
+
+    ret = bdrv_img_create(filename, format, bs->filename,
+                          bs->drv->format_name, NULL, -1, bs->open_flags);
+    if (ret) {
+        goto out;
+    }
+
+    qemu_aio_flush();
+    bdrv_flush(bs);
+
+    flags = bs->open_flags;
+    bdrv_close(bs);
+    ret = bdrv_open(bs, filename, flags, drv);
+    /*
+     * If reopening the image file we just created fails, we really
+     * are in trouble :(
+     */
+    if (ret != 0) {
+        abort();
+    }
+out:
+    if (ret) {
+        ret = -1;
+    }
+
+    return ret;
+}
+
 static int eject_device(Monitor *mon, BlockDriverState *bs, int force)
 {
     if (!force) {
diff --git a/blockdev.h b/blockdev.h
index 4cb8ca9..4536b5c 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -52,5 +52,6 @@ int do_block_set_passwd(Monitor *mon, const QDict *qdict, QObject **ret_data);
 int do_change_block(Monitor *mon, const char *device,
                     const char *filename, const char *fmt);
 int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data);
+int do_snapshot_blkdev(Monitor *mon, const QDict *qdict, QObject **ret_data);
 
 #endif
diff --git a/hmp-commands.hx b/hmp-commands.hx
index 23024ba..dd3db36 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -801,6 +801,25 @@ STEXI
 Set maximum tolerated downtime (in seconds) for migration.
 ETEXI
 
+    {
+        .name       = "snapshot_blkdev",
+        .args_type  = "device:s,snapshot_file:s?,format:s?",
+        .params     = "device [new-image-file] [format]",
+        .help       = "initiates a live snapshot\n\t\t\t"
+                      "of device. If a new image file is specified, the\n\t\t\t"
+                      "new image file will become the new root image.\n\t\t\t"
+                      "If format is specified, the snapshot file will\n\t\t\t"
+                      "be created in that format. Otherwise the\n\t\t\t"
+                      "snapshot will be internal! (currently unsupported)",
+        .mhandler.cmd_new = do_snapshot_blkdev,
+    },
+
+STEXI
+ at item snapshot_blkdev
+ at findex snapshot_blkdev
+Snapshot device, using snapshot file as target if provided
+ETEXI
+
 #if defined(TARGET_I386)
     {
         .name       = "drive_add",
commit f88e1a4201e31cac0438df395dfcdd45ac35c17d
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 16 13:52:15 2010 +0100

    qemu-img.c: Re-factor img_create()
    
    This patch re-factors img_create() moving the code doing the actual
    work into block.c where it can be shared with QEMU. This is needed to
    be able to create images from QEMU to be used for live snapshots.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index b4aaf41..a48b30c 100644
--- a/block.c
+++ b/block.c
@@ -2758,3 +2758,144 @@ int64_t bdrv_get_dirty_count(BlockDriverState *bs)
 {
     return bs->dirty_count;
 }
+
+int bdrv_img_create(const char *filename, const char *fmt,
+                    const char *base_filename, const char *base_fmt,
+                    char *options, uint64_t img_size, int flags)
+{
+    QEMUOptionParameter *param = NULL, *create_options = NULL;
+    QEMUOptionParameter *backing_fmt;
+    BlockDriverState *bs = NULL;
+    BlockDriver *drv, *proto_drv;
+    int ret = 0;
+
+    /* Find driver and parse its options */
+    drv = bdrv_find_format(fmt);
+    if (!drv) {
+        error_report("Unknown file format '%s'", fmt);
+        ret = -1;
+        goto out;
+    }
+
+    proto_drv = bdrv_find_protocol(filename);
+    if (!proto_drv) {
+        error_report("Unknown protocol '%s'", filename);
+        ret = -1;
+        goto out;
+    }
+
+    create_options = append_option_parameters(create_options,
+                                              drv->create_options);
+    create_options = append_option_parameters(create_options,
+                                              proto_drv->create_options);
+
+    /* Create parameter list with default values */
+    param = parse_option_parameters("", create_options, param);
+
+    set_option_parameter_int(param, BLOCK_OPT_SIZE, img_size);
+
+    /* Parse -o options */
+    if (options) {
+        param = parse_option_parameters(options, create_options, param);
+        if (param == NULL) {
+            error_report("Invalid options for file format '%s'.", fmt);
+            ret = -1;
+            goto out;
+        }
+    }
+
+    if (base_filename) {
+        if (set_option_parameter(param, BLOCK_OPT_BACKING_FILE,
+                                 base_filename)) {
+            error_report("Backing file not supported for file format '%s'",
+                         fmt);
+            ret = -1;
+            goto out;
+        }
+    }
+
+    if (base_fmt) {
+        if (set_option_parameter(param, BLOCK_OPT_BACKING_FMT, base_fmt)) {
+            error_report("Backing file format not supported for file "
+                         "format '%s'", fmt);
+            ret = -1;
+            goto out;
+        }
+    }
+
+    backing_fmt = get_option_parameter(param, BLOCK_OPT_BACKING_FMT);
+    if (backing_fmt && backing_fmt->value.s) {
+        if (!bdrv_find_format(backing_fmt->value.s)) {
+            error_report("Unknown backing file format '%s'",
+                         backing_fmt->value.s);
+            ret = -1;
+            goto out;
+        }
+    }
+
+    // The size for the image must always be specified, with one exception:
+    // If we are using a backing file, we can obtain the size from there
+    if (get_option_parameter(param, BLOCK_OPT_SIZE)->value.n == -1) {
+        QEMUOptionParameter *backing_file =
+            get_option_parameter(param, BLOCK_OPT_BACKING_FILE);
+
+        if (backing_file && backing_file->value.s) {
+            uint64_t size;
+            const char *fmt = NULL;
+            char buf[32];
+
+            if (backing_fmt && backing_fmt->value.s) {
+                fmt = backing_fmt->value.s;
+            }
+
+            bs = bdrv_new("");
+
+            ret = bdrv_open(bs, backing_file->value.s, flags, drv);
+            if (ret < 0) {
+                error_report("Could not open '%s'", filename);
+                ret = -1;
+                goto out;
+            }
+            bdrv_get_geometry(bs, &size);
+            size *= 512;
+
+            snprintf(buf, sizeof(buf), "%" PRId64, size);
+            set_option_parameter(param, BLOCK_OPT_SIZE, buf);
+        } else {
+            error_report("Image creation needs a size parameter");
+            ret = -1;
+            goto out;
+        }
+    }
+
+    printf("Formatting '%s', fmt=%s ", filename, fmt);
+    print_option_parameters(param);
+    puts("");
+
+    ret = bdrv_create(drv, filename, param);
+
+    if (ret < 0) {
+        if (ret == -ENOTSUP) {
+            error_report("Formatting or formatting option not supported for "
+                         "file format '%s'", fmt);
+        } else if (ret == -EFBIG) {
+            error_report("The image size is too large for file format '%s'",
+                         fmt);
+        } else {
+            error_report("%s: error while creating %s: %s", filename, fmt,
+                         strerror(-ret));
+        }
+    }
+
+out:
+    free_option_parameters(create_options);
+    free_option_parameters(param);
+
+    if (bs) {
+        bdrv_delete(bs);
+    }
+    if (ret) {
+        return 1;
+    }
+    return 0;
+}
diff --git a/block.h b/block.h
index 78ecfac..b812172 100644
--- a/block.h
+++ b/block.h
@@ -227,6 +227,10 @@ int bdrv_save_vmstate(BlockDriverState *bs, const uint8_t *buf,
 int bdrv_load_vmstate(BlockDriverState *bs, uint8_t *buf,
                       int64_t pos, int size);
 
+int bdrv_img_create(const char *filename, const char *fmt,
+                    const char *base_filename, const char *base_fmt,
+                    char *options, uint64_t img_size, int flags);
+
 #define BDRV_SECTORS_PER_DIRTY_CHUNK 2048
 
 void bdrv_set_dirty_tracking(BlockDriverState *bs, int enable);
diff --git a/qemu-img.c b/qemu-img.c
index f576cfb..0ff179f 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -288,9 +288,6 @@ static int img_create(int argc, char **argv)
     const char *base_fmt = NULL;
     const char *filename;
     const char *base_filename = NULL;
-    BlockDriver *drv, *proto_drv;
-    QEMUOptionParameter *param = NULL, *create_options = NULL;
-    QEMUOptionParameter *backing_fmt = NULL;
     char *options = NULL;
 
     for(;;) {
@@ -351,110 +348,9 @@ static int img_create(int argc, char **argv)
         goto out;
     }
 
-    /* Find driver and parse its options */
-    drv = bdrv_find_format(fmt);
-    if (!drv) {
-        error("Unknown file format '%s'", fmt);
-        ret = -1;
-        goto out;
-    }
-
-    proto_drv = bdrv_find_protocol(filename);
-    if (!proto_drv) {
-        error("Unknown protocol '%s'", filename);
-        ret = -1;
-        goto out;
-    }
-
-    create_options = append_option_parameters(create_options,
-                                              drv->create_options);
-    create_options = append_option_parameters(create_options,
-                                              proto_drv->create_options);
-
-    /* Create parameter list with default values */
-    param = parse_option_parameters("", create_options, param);
-
-    set_option_parameter_int(param, BLOCK_OPT_SIZE, img_size);
-
-    /* Parse -o options */
-    if (options) {
-        param = parse_option_parameters(options, create_options, param);
-        if (param == NULL) {
-            error("Invalid options for file format '%s'.", fmt);
-            ret = -1;
-            goto out;
-        }
-    }
-
-    /* Add old-style options to parameters */
-    ret = add_old_style_options(fmt, param, base_filename, base_fmt);
-    if (ret < 0) {
-        goto out;
-    }
-
-    backing_fmt = get_option_parameter(param, BLOCK_OPT_BACKING_FMT);
-    if (backing_fmt && backing_fmt->value.s) {
-        if (!bdrv_find_format(backing_fmt->value.s)) {
-            error("Unknown backing file format '%s'",
-                  backing_fmt->value.s);
-            ret = -1;
-            goto out;
-        }
-    }
-
-    // The size for the image must always be specified, with one exception:
-    // If we are using a backing file, we can obtain the size from there
-    if (get_option_parameter(param, BLOCK_OPT_SIZE)->value.n == -1) {
-
-        QEMUOptionParameter *backing_file =
-            get_option_parameter(param, BLOCK_OPT_BACKING_FILE);
-
-        if (backing_file && backing_file->value.s) {
-            BlockDriverState *bs;
-            uint64_t size;
-            const char *fmt = NULL;
-            char buf[32];
-
-            if (backing_fmt && backing_fmt->value.s) {
-                fmt = backing_fmt->value.s;
-            }
-
-            bs = bdrv_new_open(backing_file->value.s, fmt, BDRV_O_FLAGS);
-            if (!bs) {
-                ret = -1;
-                goto out;
-            }
-            bdrv_get_geometry(bs, &size);
-            size *= 512;
-            bdrv_delete(bs);
-
-            snprintf(buf, sizeof(buf), "%" PRId64, size);
-            set_option_parameter(param, BLOCK_OPT_SIZE, buf);
-        } else {
-            error("Image creation needs a size parameter");
-            ret = -1;
-            goto out;
-        }
-    }
-
-    printf("Formatting '%s', fmt=%s ", filename, fmt);
-    print_option_parameters(param);
-    puts("");
-
-    ret = bdrv_create(drv, filename, param);
-
-    if (ret < 0) {
-        if (ret == -ENOTSUP) {
-            error("Formatting or formatting option not supported for file format '%s'", fmt);
-        } else if (ret == -EFBIG) {
-            error("The image size is too large for file format '%s'", fmt);
-        } else {
-            error("%s: error while creating %s: %s", filename, fmt, strerror(-ret));
-        }
-    }
+    ret = bdrv_img_create(filename, fmt, base_filename, base_fmt,
+                          options, img_size, BDRV_O_FLAGS);
 out:
-    free_option_parameters(create_options);
-    free_option_parameters(param);
     if (ret) {
         return 1;
     }
commit 53f76e5857b66dd7fa90efa9ea8326eff5aa693f
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Dec 16 15:10:32 2010 +0100

    qemu-img: Call error_set_progname
    
    Call error_set_progname during the qemu-img initialization, so that error
    messages printed with error_report() use the right prefix.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index 1d936ed..f576cfb 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -23,6 +23,7 @@
  */
 #include "qemu-common.h"
 #include "qemu-option.h"
+#include "qemu-error.h"
 #include "osdep.h"
 #include "sysemu.h"
 #include "block_int.h"
@@ -1612,6 +1613,8 @@ int main(int argc, char **argv)
     const img_cmd_t *cmd;
     const char *cmdname;
 
+    error_set_progname(argv[0]);
+
     bdrv_init();
     if (argc < 2)
         help();
commit 1bdaa28d7a521628345a46626c2fd6c279562776
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 16:23:38 2010 +0100

    ide: honor ncq for atapi
    
    ATAPI also can do ncq, so let's expose the capability.
    
    This patch makes CD-ROM support work on Windows 7 for me.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 9e1d4e6..9496e99 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -217,6 +217,12 @@ static void ide_atapi_identify(IDEState *s)
     put_le16(p + 71, 30); /* in ns */
     put_le16(p + 72, 30); /* in ns */
 
+    if (s->ncq_queues) {
+        put_le16(p + 75, s->ncq_queues - 1);
+        /* NCQ supported */
+        put_le16(p + 76, (1 << 8));
+    }
+
     put_le16(p + 80, 0x1e); /* support up to ATA/ATAPI-4 */
 #ifdef USE_DMA_CDROM
     put_le16(p + 88, 0x3f | (1 << 13)); /* udma5 set and supported */
commit 38a08f0557418d14ad49616b31f336b30c2c684d
Author: Sebastian Herbszt <herbszt at gmx.de>
Date:   Tue Dec 14 01:34:43 2010 +0100

    ahci: set SATA Mode Select
    
    Set SATA Mode Select to AHCI in the Address Map Register.
    
    Signed-off-by: Sebastian Herbszt <herbszt at gmx.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index f937a92..8ae236a 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1473,6 +1473,9 @@ static int pci_ahci_init(PCIDevice *dev)
     d->card.config[PCI_LATENCY_TIMER]   = 0x00;  /* Latency timer */
     pci_config_set_interrupt_pin(d->card.config, 1);
 
+    /* XXX Software should program this register */
+    d->card.config[0x90]   = 1 << 6; /* Address Map Register - AHCI mode */
+
     qemu_register_reset(ahci_reset, d);
 
     /* XXX BAR size should be 1k, but that breaks, so bump it to 4k for now */
commit f675d5c889363436822e5c10f3da1c843109d1e3
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:42 2010 +0100

    config: add ahci for pci capable machines
    
    This patch enables AHCI for all machines supporting PCI.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/default-configs/pci.mak b/default-configs/pci.mak
index d700b3c..0471efb 100644
--- a/default-configs/pci.mak
+++ b/default-configs/pci.mak
@@ -13,3 +13,4 @@ CONFIG_E1000_PCI=y
 CONFIG_IDE_CORE=y
 CONFIG_IDE_QDEV=y
 CONFIG_IDE_PCI=y
+CONFIG_AHCI=y
commit 461d13d31ca58e9940bc4b935f3e4ab34294ab8f
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:41 2010 +0100

    config: move ide core and pci to pci.mak
    
    Every device that can do PCI should also be able to do IDE. So let's move
    the IDE definitions over to pci.mak.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index ac48dc1..8d1174f 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -8,7 +8,6 @@ CONFIG_ECC=y
 CONFIG_SERIAL=y
 CONFIG_PTIMER=y
 CONFIG_SD=y
-CONFIG_IDE_CORE=y
 CONFIG_MAX7310=y
 CONFIG_WM8750=y
 CONFIG_TWL92230=y
diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak
index ce905d2..323fafb 100644
--- a/default-configs/i386-softmmu.mak
+++ b/default-configs/i386-softmmu.mak
@@ -13,9 +13,6 @@ CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
 CONFIG_DMA=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
diff --git a/default-configs/mips-softmmu.mak b/default-configs/mips-softmmu.mak
index 565e611..f524971 100644
--- a/default-configs/mips-softmmu.mak
+++ b/default-configs/mips-softmmu.mak
@@ -17,9 +17,6 @@ CONFIG_ACPI=y
 CONFIG_APM=y
 CONFIG_DMA=y
 CONFIG_PIIX4=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
diff --git a/default-configs/mips64-softmmu.mak b/default-configs/mips64-softmmu.mak
index 03bd8eb..aeab6b2 100644
--- a/default-configs/mips64-softmmu.mak
+++ b/default-configs/mips64-softmmu.mak
@@ -17,9 +17,6 @@ CONFIG_ACPI=y
 CONFIG_APM=y
 CONFIG_DMA=y
 CONFIG_PIIX4=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
diff --git a/default-configs/mips64el-softmmu.mak b/default-configs/mips64el-softmmu.mak
index 4661617..8e6511c 100644
--- a/default-configs/mips64el-softmmu.mak
+++ b/default-configs/mips64el-softmmu.mak
@@ -17,9 +17,6 @@ CONFIG_ACPI=y
 CONFIG_APM=y
 CONFIG_DMA=y
 CONFIG_PIIX4=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_IDE_VIA=y
diff --git a/default-configs/mipsel-softmmu.mak b/default-configs/mipsel-softmmu.mak
index 92fc473..a05ac25 100644
--- a/default-configs/mipsel-softmmu.mak
+++ b/default-configs/mipsel-softmmu.mak
@@ -17,9 +17,6 @@ CONFIG_ACPI=y
 CONFIG_APM=y
 CONFIG_DMA=y
 CONFIG_PIIX4=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
diff --git a/default-configs/pci.mak b/default-configs/pci.mak
index c74a99f..d700b3c 100644
--- a/default-configs/pci.mak
+++ b/default-configs/pci.mak
@@ -10,3 +10,6 @@ CONFIG_PCNET_COMMON=y
 CONFIG_LSI_SCSI_PCI=y
 CONFIG_RTL8139_PCI=y
 CONFIG_E1000_PCI=y
+CONFIG_IDE_CORE=y
+CONFIG_IDE_QDEV=y
+CONFIG_IDE_PCI=y
diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index f1cb99e..4563742 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -23,9 +23,6 @@ CONFIG_GRACKLE_PCI=y
 CONFIG_UNIN_PCI=y
 CONFIG_DEC_PCI=y
 CONFIG_PPCE500_PCI=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_CMD646=y
 CONFIG_IDE_MACIO=y
diff --git a/default-configs/ppc64-softmmu.mak b/default-configs/ppc64-softmmu.mak
index 83cbe97..d5073b3 100644
--- a/default-configs/ppc64-softmmu.mak
+++ b/default-configs/ppc64-softmmu.mak
@@ -23,9 +23,6 @@ CONFIG_GRACKLE_PCI=y
 CONFIG_UNIN_PCI=y
 CONFIG_DEC_PCI=y
 CONFIG_PPCE500_PCI=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_CMD646=y
 CONFIG_IDE_MACIO=y
diff --git a/default-configs/ppcemb-softmmu.mak b/default-configs/ppcemb-softmmu.mak
index 2b52d4a..9f0730c 100644
--- a/default-configs/ppcemb-softmmu.mak
+++ b/default-configs/ppcemb-softmmu.mak
@@ -23,9 +23,6 @@ CONFIG_GRACKLE_PCI=y
 CONFIG_UNIN_PCI=y
 CONFIG_DEC_PCI=y
 CONFIG_PPCE500_PCI=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_CMD646=y
 CONFIG_IDE_MACIO=y
diff --git a/default-configs/sh4-softmmu.mak b/default-configs/sh4-softmmu.mak
index 87247a4..5c69acc 100644
--- a/default-configs/sh4-softmmu.mak
+++ b/default-configs/sh4-softmmu.mak
@@ -3,6 +3,5 @@
 include pci.mak
 CONFIG_SERIAL=y
 CONFIG_PTIMER=y
-CONFIG_IDE_CORE=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_ISA_MMIO=y
diff --git a/default-configs/sh4eb-softmmu.mak b/default-configs/sh4eb-softmmu.mak
index 5b8a16e..7cdc122 100644
--- a/default-configs/sh4eb-softmmu.mak
+++ b/default-configs/sh4eb-softmmu.mak
@@ -3,6 +3,5 @@
 include pci.mak
 CONFIG_SERIAL=y
 CONFIG_PTIMER=y
-CONFIG_IDE_CORE=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_ISA_MMIO=y
diff --git a/default-configs/sparc64-softmmu.mak b/default-configs/sparc64-softmmu.mak
index ecc3122..d8f17e7 100644
--- a/default-configs/sparc64-softmmu.mak
+++ b/default-configs/sparc64-softmmu.mak
@@ -9,8 +9,5 @@ CONFIG_SERIAL=y
 CONFIG_PARALLEL=y
 CONFIG_PCKBD=y
 CONFIG_FDC=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_CMD646=y
diff --git a/default-configs/x86_64-softmmu.mak b/default-configs/x86_64-softmmu.mak
index 7f22599..eff26d2 100644
--- a/default-configs/x86_64-softmmu.mak
+++ b/default-configs/x86_64-softmmu.mak
@@ -13,9 +13,6 @@ CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
 CONFIG_DMA=y
-CONFIG_IDE_CORE=y
-CONFIG_IDE_QDEV=y
-CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
commit f6ad2e32f8d833c7f1c75dc084a84a8f02704d64
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:40 2010 +0100

    ahci: add ahci emulation
    
    This patch adds an emulation layer for an ICH-9 AHCI controller. For now
    this controller does not do IDE legacy emulation. It is a pure AHCI controller.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 24b2f99..72c07dd 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -243,6 +243,7 @@ hw-obj-$(CONFIG_IDE_PIIX) += ide/piix.o
 hw-obj-$(CONFIG_IDE_CMD646) += ide/cmd646.o
 hw-obj-$(CONFIG_IDE_MACIO) += ide/macio.o
 hw-obj-$(CONFIG_IDE_VIA) += ide/via.o
+hw-obj-$(CONFIG_AHCI) += ide/ahci.o
 
 # SCSI layer
 hw-obj-$(CONFIG_LSI_SCSI_PCI) += lsi53c895a.o
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
new file mode 100644
index 0000000..f937a92
--- /dev/null
+++ b/hw/ide/ahci.c
@@ -0,0 +1,1524 @@
+/*
+ * QEMU AHCI Emulation
+ *
+ * Copyright (c) 2010 qiaochong at loongson.cn
+ * Copyright (c) 2010 Roland Elek <elek.roland at gmail.com>
+ * Copyright (c) 2010 Sebastian Herbszt <herbszt at gmx.de>
+ * Copyright (c) 2010 Alexander Graf <agraf at suse.de>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ *
+ * lspci dump of a ICH-9 real device in IDE mode (hopefully close enough):
+ *
+ * 00:1f.2 SATA controller [0106]: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA AHCI Controller [8086:2922] (rev 02) (prog-if 01 [AHCI 1.0])
+ *         Subsystem: Intel Corporation 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA AHCI Controller [8086:2922]
+ *         Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
+ *         Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
+ *         Latency: 0
+ *         Interrupt: pin B routed to IRQ 222
+ *         Region 0: I/O ports at d000 [size=8]
+ *         Region 1: I/O ports at cc00 [size=4]
+ *         Region 2: I/O ports at c880 [size=8]
+ *         Region 3: I/O ports at c800 [size=4]
+ *         Region 4: I/O ports at c480 [size=32]
+ *         Region 5: Memory at febf9000 (32-bit, non-prefetchable) [size=2K]
+ *         Capabilities: [80] Message Signalled Interrupts: Mask- 64bit- Count=1/16 Enable+
+ *                 Address: fee0f00c  Data: 41d9
+ *         Capabilities: [70] Power Management version 3
+ *                 Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot+,D3cold-)
+ *                 Status: D0 PME-Enable- DSel=0 DScale=0 PME-
+ *         Capabilities: [a8] SATA HBA <?>
+ *         Capabilities: [b0] Vendor Specific Information <?>
+ *         Kernel driver in use: ahci
+ *         Kernel modules: ahci
+ * 00: 86 80 22 29 07 04 b0 02 02 01 06 01 00 00 00 00
+ * 10: 01 d0 00 00 01 cc 00 00 81 c8 00 00 01 c8 00 00
+ * 20: 81 c4 00 00 00 90 bf fe 00 00 00 00 86 80 22 29
+ * 30: 00 00 00 00 80 00 00 00 00 00 00 00 0f 02 00 00
+ * 40: 00 80 00 80 00 00 00 00 00 00 00 00 00 00 00 00
+ * 50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * 60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * 70: 01 a8 03 40 08 00 00 00 00 00 00 00 00 00 00 00
+ * 80: 05 70 09 00 0c f0 e0 fe d9 41 00 00 00 00 00 00
+ * 90: 40 00 0f 82 93 01 00 00 00 00 00 00 00 00 00 00
+ * a0: ac 00 00 00 0a 00 12 00 12 b0 10 00 48 00 00 00
+ * b0: 09 00 06 20 00 00 00 00 00 00 00 00 00 00 00 00
+ * c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ * f0: 00 00 00 00 00 00 00 00 86 0f 02 00 00 00 00 00
+ *
+ */
+
+#include <hw/hw.h>
+#include <hw/msi.h>
+#include <hw/pc.h>
+#include <hw/pci.h>
+
+#include "monitor.h"
+#include "dma.h"
+#include "cpu-common.h"
+#include "blockdev.h"
+#include "internal.h"
+#include <hw/ide/pci.h>
+
+/* #define DEBUG_AHCI */
+
+#ifdef DEBUG_AHCI
+#define DPRINTF(port, fmt, ...) \
+do { fprintf(stderr, "ahci: %s: [%d] ", __FUNCTION__, port); \
+     fprintf(stderr, fmt, ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(port, fmt, ...) do {} while(0)
+#endif
+
+#define AHCI_PCI_BAR              5
+#define AHCI_MAX_PORTS            32
+#define AHCI_MAX_SG               168 /* hardware max is 64K */
+#define AHCI_DMA_BOUNDARY         0xffffffff
+#define AHCI_USE_CLUSTERING       0
+#define AHCI_MAX_CMDS             32
+#define AHCI_CMD_SZ               32
+#define AHCI_CMD_SLOT_SZ          (AHCI_MAX_CMDS * AHCI_CMD_SZ)
+#define AHCI_RX_FIS_SZ            256
+#define AHCI_CMD_TBL_CDB          0x40
+#define AHCI_CMD_TBL_HDR_SZ       0x80
+#define AHCI_CMD_TBL_SZ           (AHCI_CMD_TBL_HDR_SZ + (AHCI_MAX_SG * 16))
+#define AHCI_CMD_TBL_AR_SZ        (AHCI_CMD_TBL_SZ * AHCI_MAX_CMDS)
+#define AHCI_PORT_PRIV_DMA_SZ     (AHCI_CMD_SLOT_SZ + AHCI_CMD_TBL_AR_SZ + \
+                                   AHCI_RX_FIS_SZ)
+
+#define AHCI_IRQ_ON_SG            (1 << 31)
+#define AHCI_CMD_ATAPI            (1 << 5)
+#define AHCI_CMD_WRITE            (1 << 6)
+#define AHCI_CMD_PREFETCH         (1 << 7)
+#define AHCI_CMD_RESET            (1 << 8)
+#define AHCI_CMD_CLR_BUSY         (1 << 10)
+
+#define RX_FIS_D2H_REG            0x40 /* offset of D2H Register FIS data */
+#define RX_FIS_SDB                0x58 /* offset of SDB FIS data */
+#define RX_FIS_UNK                0x60 /* offset of Unknown FIS data */
+
+/* global controller registers */
+#define HOST_CAP                  0x00 /* host capabilities */
+#define HOST_CTL                  0x04 /* global host control */
+#define HOST_IRQ_STAT             0x08 /* interrupt status */
+#define HOST_PORTS_IMPL           0x0c /* bitmap of implemented ports */
+#define HOST_VERSION              0x10 /* AHCI spec. version compliancy */
+
+/* HOST_CTL bits */
+#define HOST_CTL_RESET            (1 << 0)  /* reset controller; self-clear */
+#define HOST_CTL_IRQ_EN           (1 << 1)  /* global IRQ enable */
+#define HOST_CTL_AHCI_EN          (1 << 31) /* AHCI enabled */
+
+/* HOST_CAP bits */
+#define HOST_CAP_SSC              (1 << 14) /* Slumber capable */
+#define HOST_CAP_AHCI             (1 << 18) /* AHCI only */
+#define HOST_CAP_CLO              (1 << 24) /* Command List Override support */
+#define HOST_CAP_SSS              (1 << 27) /* Staggered Spin-up */
+#define HOST_CAP_NCQ              (1 << 30) /* Native Command Queueing */
+#define HOST_CAP_64               (1 << 31) /* PCI DAC (64-bit DMA) support */
+
+/* registers for each SATA port */
+#define PORT_LST_ADDR             0x00 /* command list DMA addr */
+#define PORT_LST_ADDR_HI          0x04 /* command list DMA addr hi */
+#define PORT_FIS_ADDR             0x08 /* FIS rx buf addr */
+#define PORT_FIS_ADDR_HI          0x0c /* FIS rx buf addr hi */
+#define PORT_IRQ_STAT             0x10 /* interrupt status */
+#define PORT_IRQ_MASK             0x14 /* interrupt enable/disable mask */
+#define PORT_CMD                  0x18 /* port command */
+#define PORT_TFDATA               0x20 /* taskfile data */
+#define PORT_SIG                  0x24 /* device TF signature */
+#define PORT_SCR_STAT             0x28 /* SATA phy register: SStatus */
+#define PORT_SCR_CTL              0x2c /* SATA phy register: SControl */
+#define PORT_SCR_ERR              0x30 /* SATA phy register: SError */
+#define PORT_SCR_ACT              0x34 /* SATA phy register: SActive */
+#define PORT_CMD_ISSUE            0x38 /* command issue */
+#define PORT_RESERVED             0x3c /* reserved */
+
+/* PORT_IRQ_{STAT,MASK} bits */
+#define PORT_IRQ_COLD_PRES        (1 << 31) /* cold presence detect */
+#define PORT_IRQ_TF_ERR           (1 << 30) /* task file error */
+#define PORT_IRQ_HBUS_ERR         (1 << 29) /* host bus fatal error */
+#define PORT_IRQ_HBUS_DATA_ERR    (1 << 28) /* host bus data error */
+#define PORT_IRQ_IF_ERR           (1 << 27) /* interface fatal error */
+#define PORT_IRQ_IF_NONFATAL      (1 << 26) /* interface non-fatal error */
+#define PORT_IRQ_OVERFLOW         (1 << 24) /* xfer exhausted available S/G */
+#define PORT_IRQ_BAD_PMP          (1 << 23) /* incorrect port multiplier */
+
+#define PORT_IRQ_PHYRDY           (1 << 22) /* PhyRdy changed */
+#define PORT_IRQ_DEV_ILCK         (1 << 7) /* device interlock */
+#define PORT_IRQ_CONNECT          (1 << 6) /* port connect change status */
+#define PORT_IRQ_SG_DONE          (1 << 5) /* descriptor processed */
+#define PORT_IRQ_UNK_FIS          (1 << 4) /* unknown FIS rx'd */
+#define PORT_IRQ_SDB_FIS          (1 << 3) /* Set Device Bits FIS rx'd */
+#define PORT_IRQ_DMAS_FIS         (1 << 2) /* DMA Setup FIS rx'd */
+#define PORT_IRQ_PIOS_FIS         (1 << 1) /* PIO Setup FIS rx'd */
+#define PORT_IRQ_D2H_REG_FIS      (1 << 0) /* D2H Register FIS rx'd */
+
+#define PORT_IRQ_FREEZE           (PORT_IRQ_HBUS_ERR | PORT_IRQ_IF_ERR |   \
+                                   PORT_IRQ_CONNECT | PORT_IRQ_PHYRDY |    \
+                                   PORT_IRQ_UNK_FIS)
+#define PORT_IRQ_ERROR            (PORT_IRQ_FREEZE | PORT_IRQ_TF_ERR |     \
+                                   PORT_IRQ_HBUS_DATA_ERR)
+#define DEF_PORT_IRQ              (PORT_IRQ_ERROR | PORT_IRQ_SG_DONE |     \
+                                   PORT_IRQ_SDB_FIS | PORT_IRQ_DMAS_FIS |  \
+                                   PORT_IRQ_PIOS_FIS | PORT_IRQ_D2H_REG_FIS)
+
+/* PORT_CMD bits */
+#define PORT_CMD_ATAPI            (1 << 24) /* Device is ATAPI */
+#define PORT_CMD_LIST_ON          (1 << 15) /* cmd list DMA engine running */
+#define PORT_CMD_FIS_ON           (1 << 14) /* FIS DMA engine running */
+#define PORT_CMD_FIS_RX           (1 << 4) /* Enable FIS receive DMA engine */
+#define PORT_CMD_CLO              (1 << 3) /* Command list override */
+#define PORT_CMD_POWER_ON         (1 << 2) /* Power up device */
+#define PORT_CMD_SPIN_UP          (1 << 1) /* Spin up device */
+#define PORT_CMD_START            (1 << 0) /* Enable port DMA engine */
+
+#define PORT_CMD_ICC_MASK         (0xf << 28) /* i/f ICC state mask */
+#define PORT_CMD_ICC_ACTIVE       (0x1 << 28) /* Put i/f in active state */
+#define PORT_CMD_ICC_PARTIAL      (0x2 << 28) /* Put i/f in partial state */
+#define PORT_CMD_ICC_SLUMBER      (0x6 << 28) /* Put i/f in slumber state */
+
+#define PORT_IRQ_STAT_DHRS        (1 << 0) /* Device to Host Register FIS */
+#define PORT_IRQ_STAT_PSS         (1 << 1) /* PIO Setup FIS */
+#define PORT_IRQ_STAT_DSS         (1 << 2) /* DMA Setup FIS */
+#define PORT_IRQ_STAT_SDBS        (1 << 3) /* Set Device Bits */
+#define PORT_IRQ_STAT_UFS         (1 << 4) /* Unknown FIS */
+#define PORT_IRQ_STAT_DPS         (1 << 5) /* Descriptor Processed */
+#define PORT_IRQ_STAT_PCS         (1 << 6) /* Port Connect Change Status */
+#define PORT_IRQ_STAT_DMPS        (1 << 7) /* Device Mechanical Presence
+                                              Status */
+#define PORT_IRQ_STAT_PRCS        (1 << 22) /* File Ready Status */
+#define PORT_IRQ_STAT_IPMS        (1 << 23) /* Incorrect Port Multiplier
+                                               Status */
+#define PORT_IRQ_STAT_OFS         (1 << 24) /* Overflow Status */
+#define PORT_IRQ_STAT_INFS        (1 << 26) /* Interface Non-Fatal Error
+                                               Status */
+#define PORT_IRQ_STAT_IFS         (1 << 27) /* Interface Fatal Error */
+#define PORT_IRQ_STAT_HBDS        (1 << 28) /* Host Bus Data Error Status */
+#define PORT_IRQ_STAT_HBFS        (1 << 29) /* Host Bus Fatal Error Status */
+#define PORT_IRQ_STAT_TFES        (1 << 30) /* Task File Error Status */
+#define PORT_IRQ_STAT_CPDS        (1 << 31) /* Code Port Detect Status */
+
+/* ap->flags bits */
+#define AHCI_FLAG_NO_NCQ                  (1 << 24)
+#define AHCI_FLAG_IGN_IRQ_IF_ERR          (1 << 25) /* ignore IRQ_IF_ERR */
+#define AHCI_FLAG_HONOR_PI                (1 << 26) /* honor PORTS_IMPL */
+#define AHCI_FLAG_IGN_SERR_INTERNAL       (1 << 27) /* ignore SERR_INTERNAL */
+#define AHCI_FLAG_32BIT_ONLY              (1 << 28) /* force 32bit */
+
+#define ATA_SRST                          (1 << 2)  /* software reset */
+
+#define STATE_RUN                         0
+#define STATE_RESET                       1
+
+#define SATA_SCR_SSTATUS_DET_NODEV        0x0
+#define SATA_SCR_SSTATUS_DET_DEV_PRESENT_PHY_UP 0x3
+
+#define SATA_SCR_SSTATUS_SPD_NODEV        0x00
+#define SATA_SCR_SSTATUS_SPD_GEN1         0x10
+
+#define SATA_SCR_SSTATUS_IPM_NODEV        0x000
+#define SATA_SCR_SSTATUS_IPM_ACTIVE       0X100
+
+#define AHCI_SCR_SCTL_DET                 0xf
+
+#define SATA_FIS_TYPE_REGISTER_H2D        0x27
+#define SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER 0x80
+
+#define AHCI_CMD_HDR_CMD_FIS_LEN           0x1f
+#define AHCI_CMD_HDR_PRDT_LEN              16
+
+#define SATA_SIGNATURE_CDROM               0xeb140000
+#define SATA_SIGNATURE_DISK                0x00000101
+
+#define AHCI_GENERIC_HOST_CONTROL_REGS_MAX_ADDR 0x20
+                                            /* Shouldn't this be 0x2c? */
+
+#define SATA_PORTS                         4
+
+#define AHCI_PORT_REGS_START_ADDR          0x100
+#define AHCI_PORT_REGS_END_ADDR (AHCI_PORT_REGS_START_ADDR + SATA_PORTS * 0x80)
+#define AHCI_PORT_ADDR_OFFSET_MASK         0x7f
+
+#define AHCI_NUM_COMMAND_SLOTS             31
+#define AHCI_SUPPORTED_SPEED               20
+#define AHCI_SUPPORTED_SPEED_GEN1          1
+#define AHCI_VERSION_1_0                   0x10000
+
+#define AHCI_PROGMODE_MAJOR_REV_1          1
+
+#define AHCI_COMMAND_TABLE_ACMD            0x40
+
+#define IDE_FEATURE_DMA                    1
+
+#define READ_FPDMA_QUEUED                  0x60
+#define WRITE_FPDMA_QUEUED                 0x61
+
+#define RES_FIS_DSFIS                      0x00
+#define RES_FIS_PSFIS                      0x20
+#define RES_FIS_RFIS                       0x40
+#define RES_FIS_SDBFIS                     0x58
+#define RES_FIS_UFIS                       0x60
+
+typedef struct AHCIControlRegs {
+    uint32_t    cap;
+    uint32_t    ghc;
+    uint32_t    irqstatus;
+    uint32_t    impl;
+    uint32_t    version;
+} AHCIControlRegs;
+
+typedef struct AHCIPortRegs {
+    uint32_t    lst_addr;
+    uint32_t    lst_addr_hi;
+    uint32_t    fis_addr;
+    uint32_t    fis_addr_hi;
+    uint32_t    irq_stat;
+    uint32_t    irq_mask;
+    uint32_t    cmd;
+    uint32_t    unused0;
+    uint32_t    tfdata;
+    uint32_t    sig;
+    uint32_t    scr_stat;
+    uint32_t    scr_ctl;
+    uint32_t    scr_err;
+    uint32_t    scr_act;
+    uint32_t    cmd_issue;
+    uint32_t    reserved;
+} AHCIPortRegs;
+
+typedef struct AHCICmdHdr {
+    uint32_t    opts;
+    uint32_t    status;
+    uint64_t    tbl_addr;
+    uint32_t    reserved[4];
+} __attribute__ ((packed)) AHCICmdHdr;
+
+typedef struct AHCI_SG {
+    uint64_t    addr;
+    uint32_t    reserved;
+    uint32_t    flags_size;
+} __attribute__ ((packed)) AHCI_SG;
+
+typedef struct AHCIDevice AHCIDevice;
+
+typedef struct NCQTransferState {
+    AHCIDevice *drive;
+    BlockDriverAIOCB *aiocb;
+    QEMUSGList sglist;
+    int is_read;
+    uint16_t sector_count;
+    uint64_t lba;
+    uint8_t tag;
+    int slot;
+    int used;
+} NCQTransferState;
+
+struct AHCIDevice {
+    IDEDMA dma;
+    IDEBus port;
+    int port_no;
+    uint32_t port_state;
+    uint32_t finished;
+    AHCIPortRegs port_regs;
+    struct AHCIState *hba;
+    QEMUBH *check_bh;
+    uint8_t *lst;
+    uint8_t *res_fis;
+    int dma_status;
+    int done_atapi_packet;
+    int busy_slot;
+    BlockDriverCompletionFunc *dma_cb;
+    AHCICmdHdr *cur_cmd;
+    NCQTransferState ncq_tfs[AHCI_MAX_CMDS];
+};
+
+typedef struct AHCIState {
+    AHCIDevice dev[SATA_PORTS];
+    AHCIControlRegs control_regs;
+    int mem;
+    qemu_irq irq;
+} AHCIState;
+
+typedef struct AHCIPCIState {
+    PCIDevice card;
+    AHCIState ahci;
+} AHCIPCIState;
+
+typedef struct NCQFrame {
+    uint8_t fis_type;
+    uint8_t c;
+    uint8_t command;
+    uint8_t sector_count_low;
+    uint8_t lba0;
+    uint8_t lba1;
+    uint8_t lba2;
+    uint8_t fua;
+    uint8_t lba3;
+    uint8_t lba4;
+    uint8_t lba5;
+    uint8_t sector_count_high;
+    uint8_t tag;
+    uint8_t reserved5;
+    uint8_t reserved6;
+    uint8_t control;
+    uint8_t reserved7;
+    uint8_t reserved8;
+    uint8_t reserved9;
+    uint8_t reserved10;
+} __attribute__ ((packed)) NCQFrame;
+
+static void check_cmd(AHCIState *s, int port);
+static int handle_cmd(AHCIState *s,int port,int slot);
+static void ahci_reset_port(AHCIState *s, int port);
+static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis);
+
+static uint32_t  ahci_port_read(AHCIState *s, int port, int offset)
+{
+    uint32_t val;
+    AHCIPortRegs *pr;
+    pr = &s->dev[port].port_regs;
+
+    switch (offset) {
+    case PORT_LST_ADDR:
+        val = pr->lst_addr;
+        break;
+    case PORT_LST_ADDR_HI:
+        val = pr->lst_addr_hi;
+        break;
+    case PORT_FIS_ADDR:
+        val = pr->fis_addr;
+        break;
+    case PORT_FIS_ADDR_HI:
+        val = pr->fis_addr_hi;
+        break;
+    case PORT_IRQ_STAT:
+        val = pr->irq_stat;
+        break;
+    case PORT_IRQ_MASK:
+        val = pr->irq_mask;
+        break;
+    case PORT_CMD:
+        val = pr->cmd;
+        break;
+    case PORT_TFDATA:
+        val = ((uint16_t)s->dev[port].port.ifs[0].error << 8) |
+              s->dev[port].port.ifs[0].status;
+        break;
+    case PORT_SIG:
+        val = pr->sig;
+        break;
+    case PORT_SCR_STAT:
+        if (s->dev[port].port.ifs[0].bs) {
+            val = SATA_SCR_SSTATUS_DET_DEV_PRESENT_PHY_UP |
+                  SATA_SCR_SSTATUS_SPD_GEN1 | SATA_SCR_SSTATUS_IPM_ACTIVE;
+        } else {
+            val = SATA_SCR_SSTATUS_DET_NODEV;
+        }
+        break;
+    case PORT_SCR_CTL:
+        val = pr->scr_ctl;
+        break;
+    case PORT_SCR_ERR:
+        val = pr->scr_err;
+        break;
+    case PORT_SCR_ACT:
+        pr->scr_act &= ~s->dev[port].finished;
+        s->dev[port].finished = 0;
+        val = pr->scr_act;
+        break;
+    case PORT_CMD_ISSUE:
+        val = pr->cmd_issue;
+        break;
+    case PORT_RESERVED:
+    default:
+        val = 0;
+    }
+    DPRINTF(port, "offset: 0x%x val: 0x%x\n", offset, val);
+    return val;
+
+}
+
+static void ahci_irq_raise(AHCIState *s, AHCIDevice *dev)
+{
+    struct AHCIPCIState *d = container_of(s, AHCIPCIState, ahci);
+
+    DPRINTF(0, "raise irq\n");
+
+    if (msi_enabled(&d->card)) {
+        msi_notify(&d->card, 0);
+    } else {
+        qemu_irq_raise(s->irq);
+    }
+}
+
+static void ahci_irq_lower(AHCIState *s, AHCIDevice *dev)
+{
+    struct AHCIPCIState *d = container_of(s, AHCIPCIState, ahci);
+
+    DPRINTF(0, "lower irq\n");
+
+    if (!msi_enabled(&d->card)) {
+        qemu_irq_lower(s->irq);
+    }
+}
+
+static void ahci_check_irq(AHCIState *s)
+{
+    int i;
+
+    DPRINTF(-1, "check irq %#x\n", s->control_regs.irqstatus);
+
+    for (i = 0; i < SATA_PORTS; i++) {
+        AHCIPortRegs *pr = &s->dev[i].port_regs;
+        if (pr->irq_stat & pr->irq_mask) {
+            s->control_regs.irqstatus |= (1 << i);
+        }
+    }
+
+    if (s->control_regs.irqstatus &&
+        (s->control_regs.ghc & HOST_CTL_IRQ_EN)) {
+            ahci_irq_raise(s, NULL);
+    } else {
+        ahci_irq_lower(s, NULL);
+    }
+}
+
+static void ahci_trigger_irq(AHCIState *s, AHCIDevice *d,
+                             int irq_type)
+{
+    DPRINTF(d->port_no, "trigger irq %#x -> %x\n",
+            irq_type, d->port_regs.irq_mask & irq_type);
+
+    d->port_regs.irq_stat |= irq_type;
+    ahci_check_irq(s);
+}
+
+static void map_page(uint8_t **ptr, uint64_t addr, uint32_t wanted)
+{
+    target_phys_addr_t len = wanted;
+
+    if (*ptr) {
+        cpu_physical_memory_unmap(*ptr, 1, len, len);
+    }
+
+    *ptr = cpu_physical_memory_map(addr, &len, 1);
+    if (len < wanted) {
+        cpu_physical_memory_unmap(*ptr, 1, len, len);
+        *ptr = NULL;
+    }
+}
+
+static void  ahci_port_write(AHCIState *s, int port, int offset, uint32_t val)
+{
+    AHCIPortRegs *pr = &s->dev[port].port_regs;
+
+    DPRINTF(port, "offset: 0x%x val: 0x%x\n", offset, val);
+    switch (offset) {
+        case PORT_LST_ADDR:
+            pr->lst_addr = val;
+            map_page(&s->dev[port].lst,
+                     ((uint64_t)pr->lst_addr_hi << 32) | pr->lst_addr, 1024);
+            s->dev[port].cur_cmd = NULL;
+            break;
+        case PORT_LST_ADDR_HI:
+            pr->lst_addr_hi = val;
+            map_page(&s->dev[port].lst,
+                     ((uint64_t)pr->lst_addr_hi << 32) | pr->lst_addr, 1024);
+            s->dev[port].cur_cmd = NULL;
+            break;
+        case PORT_FIS_ADDR:
+            pr->fis_addr = val;
+            map_page(&s->dev[port].res_fis,
+                     ((uint64_t)pr->fis_addr_hi << 32) | pr->fis_addr, 256);
+            break;
+        case PORT_FIS_ADDR_HI:
+            pr->fis_addr_hi = val;
+            map_page(&s->dev[port].res_fis,
+                     ((uint64_t)pr->fis_addr_hi << 32) | pr->fis_addr, 256);
+            break;
+        case PORT_IRQ_STAT:
+            pr->irq_stat &= ~val;
+            break;
+        case PORT_IRQ_MASK:
+            pr->irq_mask = val & 0xfdc000ff;
+            ahci_check_irq(s);
+            break;
+        case PORT_CMD:
+            pr->cmd = val & ~(PORT_CMD_LIST_ON | PORT_CMD_FIS_ON);
+
+            if (pr->cmd & PORT_CMD_START) {
+                pr->cmd |= PORT_CMD_LIST_ON;
+            }
+
+            if (pr->cmd & PORT_CMD_FIS_RX) {
+                pr->cmd |= PORT_CMD_FIS_ON;
+            }
+
+            check_cmd(s, port);
+            break;
+        case PORT_TFDATA:
+            s->dev[port].port.ifs[0].error = (val >> 8) & 0xff;
+            s->dev[port].port.ifs[0].status = val & 0xff;
+            break;
+        case PORT_SIG:
+            pr->sig = val;
+            break;
+        case PORT_SCR_STAT:
+            pr->scr_stat = val;
+            break;
+        case PORT_SCR_CTL:
+            if (((pr->scr_ctl & AHCI_SCR_SCTL_DET) == 1) &&
+                ((val & AHCI_SCR_SCTL_DET) == 0)) {
+                ahci_reset_port(s, port);
+            }
+            pr->scr_ctl = val;
+            break;
+        case PORT_SCR_ERR:
+            pr->scr_err &= ~val;
+            break;
+        case PORT_SCR_ACT:
+            /* RW1 */
+            pr->scr_act |= val;
+            break;
+        case PORT_CMD_ISSUE:
+            pr->cmd_issue |= val;
+            check_cmd(s, port);
+            break;
+        default:
+            break;
+    }
+}
+
+static uint32_t ahci_mem_readl(void *ptr, target_phys_addr_t addr)
+{
+    AHCIState *s = ptr;
+    uint32_t val = 0;
+
+    addr = addr & 0xfff;
+    if (addr < AHCI_GENERIC_HOST_CONTROL_REGS_MAX_ADDR) {
+        switch (addr) {
+        case HOST_CAP:
+            val = s->control_regs.cap;
+            break;
+        case HOST_CTL:
+            val = s->control_regs.ghc;
+            break;
+        case HOST_IRQ_STAT:
+            val = s->control_regs.irqstatus;
+            break;
+        case HOST_PORTS_IMPL:
+            val = s->control_regs.impl;
+            break;
+        case HOST_VERSION:
+            val = s->control_regs.version;
+            break;
+        }
+
+        DPRINTF(-1, "(addr 0x%08X), val 0x%08X\n", (unsigned) addr, val);
+    } else if ((addr >= AHCI_PORT_REGS_START_ADDR) &&
+               (addr < AHCI_PORT_REGS_END_ADDR)) {
+        val = ahci_port_read(s, (addr - AHCI_PORT_REGS_START_ADDR) >> 7,
+                             addr & AHCI_PORT_ADDR_OFFSET_MASK);
+    }
+
+    return val;
+}
+
+
+
+static void ahci_mem_writel(void *ptr, target_phys_addr_t addr, uint32_t val)
+{
+    AHCIState *s = ptr;
+    addr = addr & 0xfff;
+
+    /* Only aligned reads are allowed on AHCI */
+    if (addr & 3) {
+        fprintf(stderr, "ahci: Mis-aligned write to addr 0x"
+                TARGET_FMT_plx "\n", addr);
+        return;
+    }
+
+    if (addr < AHCI_GENERIC_HOST_CONTROL_REGS_MAX_ADDR) {
+        DPRINTF(-1, "(addr 0x%08X), val 0x%08X\n", (unsigned) addr, val);
+
+        switch (addr) {
+            case HOST_CAP: /* R/WO, RO */
+                /* FIXME handle R/WO */
+                break;
+            case HOST_CTL: /* R/W */
+                if (val & HOST_CTL_RESET) {
+                    DPRINTF(-1, "HBA Reset\n");
+                    /* FIXME reset? */
+                } else {
+                    s->control_regs.ghc = (val & 0x3) | HOST_CTL_AHCI_EN;
+                    ahci_check_irq(s);
+                }
+                break;
+            case HOST_IRQ_STAT: /* R/WC, RO */
+                s->control_regs.irqstatus &= ~val;
+                ahci_check_irq(s);
+                break;
+            case HOST_PORTS_IMPL: /* R/WO, RO */
+                /* FIXME handle R/WO */
+                break;
+            case HOST_VERSION: /* RO */
+                /* FIXME report write? */
+                break;
+            default:
+                DPRINTF(-1, "write to unknown register 0x%x\n", (unsigned)addr);
+        }
+    } else if ((addr >= AHCI_PORT_REGS_START_ADDR) &&
+               (addr < AHCI_PORT_REGS_END_ADDR)) {
+        ahci_port_write(s, (addr - AHCI_PORT_REGS_START_ADDR) >> 7,
+                        addr & AHCI_PORT_ADDR_OFFSET_MASK, val);
+    }
+
+}
+
+static CPUReadMemoryFunc * const ahci_readfn[3]={
+    ahci_mem_readl,
+    ahci_mem_readl,
+    ahci_mem_readl
+};
+
+static CPUWriteMemoryFunc * const ahci_writefn[3]={
+    ahci_mem_writel,
+    ahci_mem_writel,
+    ahci_mem_writel
+};
+
+static void ahci_reg_init(AHCIState *s)
+{
+    int i;
+
+    s->control_regs.cap = (SATA_PORTS - 1) |
+                          (AHCI_NUM_COMMAND_SLOTS << 8) |
+                          (AHCI_SUPPORTED_SPEED_GEN1 << AHCI_SUPPORTED_SPEED) |
+                          HOST_CAP_NCQ | HOST_CAP_AHCI;
+
+    s->control_regs.impl = (1 << SATA_PORTS) - 1;
+
+    s->control_regs.version = AHCI_VERSION_1_0;
+
+    for (i = 0; i < SATA_PORTS; i++) {
+        s->dev[i].port_state = STATE_RUN;
+    }
+}
+
+static uint32_t read_from_sglist(uint8_t *buffer, uint32_t len,
+                                 QEMUSGList *sglist)
+{
+    uint32_t i = 0;
+    uint32_t total = 0, once;
+    ScatterGatherEntry *cur_prd;
+    uint32_t sgcount;
+
+    cur_prd = sglist->sg;
+    sgcount = sglist->nsg;
+    for (i = 0; len && sgcount; i++) {
+        once = MIN(cur_prd->len, len);
+        cpu_physical_memory_read(cur_prd->base, buffer, once);
+        cur_prd++;
+        sgcount--;
+        len -= once;
+        buffer += once;
+        total += once;
+    }
+
+    return total;
+}
+
+static uint32_t write_to_sglist(uint8_t *buffer, uint32_t len,
+                                QEMUSGList *sglist)
+{
+    uint32_t i = 0;
+    uint32_t total = 0, once;
+    ScatterGatherEntry *cur_prd;
+    uint32_t sgcount;
+
+    DPRINTF(-1, "total: 0x%x bytes\n", len);
+
+    cur_prd = sglist->sg;
+    sgcount = sglist->nsg;
+    for (i = 0; len && sgcount; i++) {
+        once = MIN(cur_prd->len, len);
+        DPRINTF(-1, "write 0x%x bytes to 0x%lx\n", once, (long)cur_prd->base);
+        cpu_physical_memory_write(cur_prd->base, buffer, once);
+        cur_prd++;
+        sgcount--;
+        len -= once;
+        buffer += once;
+        total += once;
+    }
+
+    return total;
+}
+
+static void check_cmd(AHCIState *s, int port)
+{
+    AHCIPortRegs *pr = &s->dev[port].port_regs;
+    int slot;
+
+    if ((pr->cmd & PORT_CMD_START) && pr->cmd_issue) {
+        for (slot = 0; (slot < 32) && pr->cmd_issue; slot++) {
+            if ((pr->cmd_issue & (1 << slot)) &&
+                !handle_cmd(s, port, slot)) {
+                pr->cmd_issue &= ~(1 << slot);
+            }
+        }
+    }
+}
+
+static void ahci_check_cmd_bh(void *opaque)
+{
+    AHCIDevice *ad = opaque;
+
+    qemu_bh_delete(ad->check_bh);
+    ad->check_bh = NULL;
+
+    if ((ad->busy_slot != -1) &&
+        !(ad->port.ifs[0].status & (BUSY_STAT|DRQ_STAT))) {
+        /* no longer busy */
+        ad->port_regs.cmd_issue &= ~(1 << ad->busy_slot);
+        ad->busy_slot = -1;
+    }
+
+    check_cmd(ad->hba, ad->port_no);
+}
+
+static void ahci_reset_port(AHCIState *s, int port)
+{
+    AHCIDevice *d = &s->dev[port];
+    AHCIPortRegs *pr = &d->port_regs;
+    IDEState *ide_state = &d->port.ifs[0];
+    uint8_t init_fis[0x20];
+    uint32_t tfd;
+    int i;
+
+    DPRINTF(port, "reset port\n");
+
+    ide_bus_reset(&d->port);
+    ide_state->ncq_queues = AHCI_MAX_CMDS;
+
+    pr->irq_stat = 0;
+    pr->irq_mask = 0;
+    pr->scr_stat = 0;
+    pr->scr_ctl = 0;
+    pr->scr_err = 0;
+    pr->scr_act = 0;
+    d->busy_slot = -1;
+
+    ide_state = &s->dev[port].port.ifs[0];
+    if (!ide_state->bs) {
+        return;
+    }
+
+    /* reset ncq queue */
+    for (i = 0; i < AHCI_MAX_CMDS; i++) {
+        NCQTransferState *ncq_tfs = &s->dev[port].ncq_tfs[i];
+        if (!ncq_tfs->used) {
+            continue;
+        }
+
+        if (ncq_tfs->aiocb) {
+            bdrv_aio_cancel(ncq_tfs->aiocb);
+            ncq_tfs->aiocb = NULL;
+        }
+
+        qemu_sglist_destroy(&ncq_tfs->sglist);
+        ncq_tfs->used = 0;
+    }
+
+    memset(init_fis, 0, sizeof(init_fis));
+    s->dev[port].port_state = STATE_RUN;
+    if (!ide_state->bs) {
+        s->dev[port].port_regs.sig = 0;
+        tfd = (1 << 8) | SEEK_STAT | WRERR_STAT;
+    } else if (ide_state->drive_kind == IDE_CD) {
+        s->dev[port].port_regs.sig = SATA_SIGNATURE_CDROM;
+        ide_state->lcyl = 0x14;
+        ide_state->hcyl = 0xeb;
+        DPRINTF(port, "set lcyl = %d\n", ide_state->lcyl);
+        init_fis[5] = ide_state->lcyl;
+        init_fis[6] = ide_state->hcyl;
+        ide_state->status = SEEK_STAT | WRERR_STAT | READY_STAT;
+    } else {
+        s->dev[port].port_regs.sig = SATA_SIGNATURE_DISK;
+        ide_state->status = SEEK_STAT | WRERR_STAT;
+    }
+
+    ide_state->error = 1;
+    init_fis[4] = 1;
+    init_fis[12] = 1;
+    ahci_write_fis_d2h(d, init_fis);
+}
+
+static void debug_print_fis(uint8_t *fis, int cmd_len)
+{
+#ifdef DEBUG_AHCI
+    int i;
+
+    fprintf(stderr, "fis:");
+    for (i = 0; i < cmd_len; i++) {
+        if ((i & 0xf) == 0) {
+            fprintf(stderr, "\n%02x:",i);
+        }
+        fprintf(stderr, "%02x ",fis[i]);
+    }
+    fprintf(stderr, "\n");
+#endif
+}
+
+static void ahci_write_fis_sdb(AHCIState *s, int port, uint32_t finished)
+{
+    AHCIPortRegs *pr = &s->dev[port].port_regs;
+    IDEState *ide_state;
+    uint8_t *sdb_fis;
+
+    if (!s->dev[port].res_fis ||
+        !(pr->cmd & PORT_CMD_FIS_RX)) {
+        return;
+    }
+
+    sdb_fis = &s->dev[port].res_fis[RES_FIS_SDBFIS];
+    ide_state = &s->dev[port].port.ifs[0];
+
+    /* clear memory */
+    *(uint32_t*)sdb_fis = 0;
+
+    /* write values */
+    sdb_fis[0] = ide_state->error;
+    sdb_fis[2] = ide_state->status & 0x77;
+    s->dev[port].finished |= finished;
+    *(uint32_t*)(sdb_fis + 4) = cpu_to_le32(s->dev[port].finished);
+
+    ahci_trigger_irq(s, &s->dev[port], PORT_IRQ_STAT_SDBS);
+}
+
+static void ahci_write_fis_d2h(AHCIDevice *ad, uint8_t *cmd_fis)
+{
+    AHCIPortRegs *pr = &ad->port_regs;
+    uint8_t *d2h_fis;
+    int i;
+    target_phys_addr_t cmd_len = 0x80;
+    int cmd_mapped = 0;
+
+    if (!ad->res_fis || !(pr->cmd & PORT_CMD_FIS_RX)) {
+        return;
+    }
+
+    if (!cmd_fis) {
+        /* map cmd_fis */
+        uint64_t tbl_addr = le64_to_cpu(ad->cur_cmd->tbl_addr);
+        cmd_fis = cpu_physical_memory_map(tbl_addr, &cmd_len, 0);
+        cmd_mapped = 1;
+    }
+
+    d2h_fis = &ad->res_fis[RES_FIS_RFIS];
+
+    d2h_fis[0] = 0x34;
+    d2h_fis[1] = (ad->hba->control_regs.irqstatus ? (1 << 6) : 0);
+    d2h_fis[2] = ad->port.ifs[0].status;
+    d2h_fis[3] = ad->port.ifs[0].error;
+
+    d2h_fis[4] = cmd_fis[4];
+    d2h_fis[5] = cmd_fis[5];
+    d2h_fis[6] = cmd_fis[6];
+    d2h_fis[7] = cmd_fis[7];
+    d2h_fis[8] = cmd_fis[8];
+    d2h_fis[9] = cmd_fis[9];
+    d2h_fis[10] = cmd_fis[10];
+    d2h_fis[11] = cmd_fis[11];
+    d2h_fis[12] = cmd_fis[12];
+    d2h_fis[13] = cmd_fis[13];
+    for (i = 14; i < 0x20; i++) {
+        d2h_fis[i] = 0;
+    }
+
+    if (d2h_fis[2] & ERR_STAT) {
+        ahci_trigger_irq(ad->hba, ad, PORT_IRQ_STAT_TFES);
+    }
+
+    ahci_trigger_irq(ad->hba, ad, PORT_IRQ_D2H_REG_FIS);
+
+    if (cmd_mapped) {
+        cpu_physical_memory_unmap(cmd_fis, 0, cmd_len, cmd_len);
+    }
+}
+
+static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist)
+{
+    AHCICmdHdr *cmd = ad->cur_cmd;
+    uint32_t opts = le32_to_cpu(cmd->opts);
+    uint64_t prdt_addr = le64_to_cpu(cmd->tbl_addr) + 0x80;
+    int sglist_alloc_hint = opts >> AHCI_CMD_HDR_PRDT_LEN;
+    target_phys_addr_t prdt_len = (sglist_alloc_hint * sizeof(AHCI_SG));
+    target_phys_addr_t real_prdt_len = prdt_len;
+    uint8_t *prdt;
+    int i;
+    int r = 0;
+
+    if (!sglist_alloc_hint) {
+        DPRINTF(ad->port_no, "no sg list given by guest: 0x%08x\n", opts);
+        return -1;
+    }
+
+    /* map PRDT */
+    if (!(prdt = cpu_physical_memory_map(prdt_addr, &prdt_len, 0))){
+        DPRINTF(ad->port_no, "map failed\n");
+        return -1;
+    }
+
+    if (prdt_len < real_prdt_len) {
+        DPRINTF(ad->port_no, "mapped less than expected\n");
+        r = -1;
+        goto out;
+    }
+
+    /* Get entries in the PRDT, init a qemu sglist accordingly */
+    if (sglist_alloc_hint > 0) {
+        AHCI_SG *tbl = (AHCI_SG *)prdt;
+
+        qemu_sglist_init(sglist, sglist_alloc_hint);
+        for (i = 0; i < sglist_alloc_hint; i++) {
+            /* flags_size is zero-based */
+            qemu_sglist_add(sglist, le64_to_cpu(tbl[i].addr),
+                            le32_to_cpu(tbl[i].flags_size) + 1);
+        }
+    }
+
+out:
+    cpu_physical_memory_unmap(prdt, 0, prdt_len, prdt_len);
+    return r;
+}
+
+static void ncq_cb(void *opaque, int ret)
+{
+    NCQTransferState *ncq_tfs = (NCQTransferState *)opaque;
+    IDEState *ide_state = &ncq_tfs->drive->port.ifs[0];
+
+    /* Clear bit for this tag in SActive */
+    ncq_tfs->drive->port_regs.scr_act &= ~(1 << ncq_tfs->tag);
+
+    if (ret < 0) {
+        /* error */
+        ide_state->error = ABRT_ERR;
+        ide_state->status = READY_STAT | ERR_STAT;
+        ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
+    } else {
+        ide_state->status = READY_STAT | SEEK_STAT;
+    }
+
+    ahci_write_fis_sdb(ncq_tfs->drive->hba, ncq_tfs->drive->port_no,
+                       (1 << ncq_tfs->tag));
+
+    DPRINTF(ncq_tfs->drive->port_no, "NCQ transfer tag %d finished\n",
+            ncq_tfs->tag);
+
+    qemu_sglist_destroy(&ncq_tfs->sglist);
+    ncq_tfs->used = 0;
+}
+
+static void process_ncq_command(AHCIState *s, int port, uint8_t *cmd_fis,
+                                int slot)
+{
+    NCQFrame *ncq_fis = (NCQFrame*)cmd_fis;
+    uint8_t tag = ncq_fis->tag >> 3;
+    NCQTransferState *ncq_tfs = &s->dev[port].ncq_tfs[tag];
+
+    if (ncq_tfs->used) {
+        /* error - already in use */
+        fprintf(stderr, "%s: tag %d already used\n", __FUNCTION__, tag);
+        return;
+    }
+
+    ncq_tfs->used = 1;
+    ncq_tfs->drive = &s->dev[port];
+    ncq_tfs->slot = slot;
+    ncq_tfs->lba = ((uint64_t)ncq_fis->lba5 << 40) |
+                   ((uint64_t)ncq_fis->lba4 << 32) |
+                   ((uint64_t)ncq_fis->lba3 << 24) |
+                   ((uint64_t)ncq_fis->lba2 << 16) |
+                   ((uint64_t)ncq_fis->lba1 << 8) |
+                   (uint64_t)ncq_fis->lba0;
+
+    /* Note: We calculate the sector count, but don't currently rely on it.
+     * The total size of the DMA buffer tells us the transfer size instead. */
+    ncq_tfs->sector_count = ((uint16_t)ncq_fis->sector_count_high << 8) |
+                                ncq_fis->sector_count_low;
+
+    DPRINTF(port, "NCQ transfer LBA from %ld to %ld, drive max %ld\n",
+            ncq_tfs->lba, ncq_tfs->lba + ncq_tfs->sector_count - 2,
+            s->dev[port].port.ifs[0].nb_sectors - 1);
+
+    ahci_populate_sglist(&s->dev[port], &ncq_tfs->sglist);
+    ncq_tfs->tag = tag;
+
+    switch(ncq_fis->command) {
+        case READ_FPDMA_QUEUED:
+            DPRINTF(port, "NCQ reading %d sectors from LBA %ld, tag %d\n",
+                    ncq_tfs->sector_count-1, ncq_tfs->lba, ncq_tfs->tag);
+            ncq_tfs->is_read = 1;
+
+            DPRINTF(port, "tag %d aio read %ld\n", ncq_tfs->tag, ncq_tfs->lba);
+            ncq_tfs->aiocb = dma_bdrv_read(ncq_tfs->drive->port.ifs[0].bs,
+                                           &ncq_tfs->sglist, ncq_tfs->lba,
+                                           ncq_cb, ncq_tfs);
+            break;
+        case WRITE_FPDMA_QUEUED:
+            DPRINTF(port, "NCQ writing %d sectors to LBA %ld, tag %d\n",
+                    ncq_tfs->sector_count-1, ncq_tfs->lba, ncq_tfs->tag);
+            ncq_tfs->is_read = 0;
+
+            DPRINTF(port, "tag %d aio write %ld\n", ncq_tfs->tag, ncq_tfs->lba);
+            ncq_tfs->aiocb = dma_bdrv_write(ncq_tfs->drive->port.ifs[0].bs,
+                                            &ncq_tfs->sglist, ncq_tfs->lba,
+                                            ncq_cb, ncq_tfs);
+            break;
+        default:
+            DPRINTF(port, "error: tried to process non-NCQ command as NCQ\n");
+            qemu_sglist_destroy(&ncq_tfs->sglist);
+            break;
+    }
+}
+
+static int handle_cmd(AHCIState *s, int port, int slot)
+{
+    IDEState *ide_state;
+    AHCIPortRegs *pr;
+    uint32_t opts;
+    uint64_t tbl_addr;
+    AHCICmdHdr *cmd;
+    uint8_t *cmd_fis;
+    target_phys_addr_t cmd_len;
+
+    if (s->dev[port].port.ifs[0].status & (BUSY_STAT|DRQ_STAT)) {
+        /* Engine currently busy, try again later */
+        DPRINTF(port, "engine busy\n");
+        return -1;
+    }
+
+    pr = &s->dev[port].port_regs;
+    cmd = &((AHCICmdHdr *)s->dev[port].lst)[slot];
+
+    if (!s->dev[port].lst) {
+        DPRINTF(port, "error: lst not given but cmd handled");
+        return -1;
+    }
+
+    /* remember current slot handle for later */
+    s->dev[port].cur_cmd = cmd;
+
+    opts = le32_to_cpu(cmd->opts);
+    tbl_addr = le64_to_cpu(cmd->tbl_addr);
+
+    cmd_len = 0x80;
+    cmd_fis = cpu_physical_memory_map(tbl_addr, &cmd_len, 1);
+
+    if (!cmd_fis) {
+        DPRINTF(port, "error: guest passed us an invalid cmd fis\n");
+        return -1;
+    }
+
+    /* The device we are working for */
+    ide_state = &s->dev[port].port.ifs[0];
+
+    if (!ide_state->bs) {
+        DPRINTF(port, "error: guest accessed unused port");
+        goto out;
+    }
+
+    debug_print_fis(cmd_fis, 0x90);
+    //debug_print_fis(cmd_fis, (opts & AHCI_CMD_HDR_CMD_FIS_LEN) * 4);
+
+    switch (cmd_fis[0]) {
+        case SATA_FIS_TYPE_REGISTER_H2D:
+            break;
+        default:
+            DPRINTF(port, "unknown command cmd_fis[0]=%02x cmd_fis[1]=%02x "
+                          "cmd_fis[2]=%02x\n", cmd_fis[0], cmd_fis[1],
+                          cmd_fis[2]);
+            goto out;
+            break;
+    }
+
+    switch (cmd_fis[1]) {
+        case SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER:
+            break;
+        case 0:
+            break;
+        default:
+            DPRINTF(port, "unknown command cmd_fis[0]=%02x cmd_fis[1]=%02x "
+                          "cmd_fis[2]=%02x\n", cmd_fis[0], cmd_fis[1],
+                          cmd_fis[2]);
+            goto out;
+            break;
+    }
+
+    switch (s->dev[port].port_state) {
+        case STATE_RUN:
+            if (cmd_fis[15] & ATA_SRST) {
+                s->dev[port].port_state = STATE_RESET;
+            }
+            break;
+        case STATE_RESET:
+            if (!(cmd_fis[15] & ATA_SRST)) {
+                ahci_reset_port(s, port);
+            }
+            break;
+    }
+
+    if (cmd_fis[1] == SATA_FIS_REG_H2D_UPDATE_COMMAND_REGISTER) {
+
+        /* Check for NCQ command */
+        if ((cmd_fis[2] == READ_FPDMA_QUEUED) ||
+            (cmd_fis[2] == WRITE_FPDMA_QUEUED)) {
+            process_ncq_command(s, port, cmd_fis, slot);
+            goto out;
+        }
+
+        /* Decompose the FIS  */
+        ide_state->nsector = (int64_t)((cmd_fis[13] << 8) | cmd_fis[12]);
+        ide_state->feature = cmd_fis[3];
+        if (!ide_state->nsector) {
+            ide_state->nsector = 256;
+        }
+
+        if (ide_state->drive_kind != IDE_CD) {
+            ide_set_sector(ide_state, (cmd_fis[6] << 16) | (cmd_fis[5] << 8) |
+                           cmd_fis[4]);
+        }
+
+        /* Copy the ACMD field (ATAPI packet, if any) from the AHCI command
+         * table to ide_state->io_buffer
+         */
+        if (opts & AHCI_CMD_ATAPI) {
+            memcpy(ide_state->io_buffer, &cmd_fis[AHCI_COMMAND_TABLE_ACMD], 0x10);
+            ide_state->lcyl = 0x14;
+            ide_state->hcyl = 0xeb;
+            debug_print_fis(ide_state->io_buffer, 0x10);
+            ide_state->feature = IDE_FEATURE_DMA;
+            s->dev[port].done_atapi_packet = 0;
+            /* XXX send PIO setup FIS */
+        }
+
+        ide_state->error = 0;
+
+        /* Reset transferred byte counter */
+        cmd->status = 0;
+
+        /* We're ready to process the command in FIS byte 2. */
+        ide_exec_cmd(&s->dev[port].port, cmd_fis[2]);
+
+        if (s->dev[port].port.ifs[0].status & READY_STAT) {
+            ahci_write_fis_d2h(&s->dev[port], cmd_fis);
+        }
+    }
+
+out:
+    cpu_physical_memory_unmap(cmd_fis, 1, cmd_len, cmd_len);
+
+    if (s->dev[port].port.ifs[0].status & (BUSY_STAT|DRQ_STAT)) {
+        /* async command, complete later */
+        s->dev[port].busy_slot = slot;
+        return -1;
+    }
+
+    /* done handling the command */
+    return 0;
+}
+
+/* DMA dev <-> ram */
+static int ahci_start_transfer(IDEDMA *dma)
+{
+    AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+    IDEState *s = &ad->port.ifs[0];
+    uint32_t size = (uint32_t)(s->data_end - s->data_ptr);
+    /* write == ram -> device */
+    uint32_t opts = le32_to_cpu(ad->cur_cmd->opts);
+    int is_write = opts & AHCI_CMD_WRITE;
+    int is_atapi = opts & AHCI_CMD_ATAPI;
+    int has_sglist = 0;
+
+    if (is_atapi && !ad->done_atapi_packet) {
+        /* already prepopulated iobuffer */
+        ad->done_atapi_packet = 1;
+        goto out;
+    }
+
+    if (!ahci_populate_sglist(ad, &s->sg)) {
+        has_sglist = 1;
+    }
+
+    DPRINTF(ad->port_no, "%sing %d bytes on %s w/%s sglist\n",
+            is_write ? "writ" : "read", size, is_atapi ? "atapi" : "ata",
+            has_sglist ? "" : "o");
+
+    if (is_write && has_sglist && (s->data_ptr < s->data_end)) {
+        read_from_sglist(s->data_ptr, size, &s->sg);
+    }
+
+    if (!is_write && has_sglist && (s->data_ptr < s->data_end)) {
+        write_to_sglist(s->data_ptr, size, &s->sg);
+    }
+
+    /* update number of transferred bytes */
+    ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + size);
+
+out:
+    /* declare that we processed everything */
+    s->data_ptr = s->data_end;
+
+    if (has_sglist) {
+        qemu_sglist_destroy(&s->sg);
+    }
+
+    s->end_transfer_func(s);
+
+    if (!(s->status & DRQ_STAT)) {
+        /* done with DMA */
+        ahci_trigger_irq(ad->hba, ad, PORT_IRQ_STAT_DSS);
+    }
+
+    return 0;
+}
+
+static void ahci_start_dma(IDEDMA *dma, IDEState *s,
+                           BlockDriverCompletionFunc *dma_cb)
+{
+    AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+
+    DPRINTF(ad->port_no, "\n");
+    ad->dma_cb = dma_cb;
+    ad->dma_status |= BM_STATUS_DMAING;
+    dma_cb(s, 0);
+}
+
+static int ahci_dma_prepare_buf(IDEDMA *dma, int is_write)
+{
+    AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+    IDEState *s = &ad->port.ifs[0];
+    int i;
+
+    ahci_populate_sglist(ad, &s->sg);
+
+    s->io_buffer_size = 0;
+    for (i = 0; i < s->sg.nsg; i++) {
+        s->io_buffer_size += s->sg.sg[i].len;
+    }
+
+    DPRINTF(ad->port_no, "len=%#x\n", s->io_buffer_size);
+    return s->io_buffer_size != 0;
+}
+
+static int ahci_dma_rw_buf(IDEDMA *dma, int is_write)
+{
+    AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+    IDEState *s = &ad->port.ifs[0];
+    uint8_t *p = s->io_buffer + s->io_buffer_index;
+    int l = s->io_buffer_size - s->io_buffer_index;
+
+    if (ahci_populate_sglist(ad, &s->sg)) {
+        return 0;
+    }
+
+    if (is_write) {
+        write_to_sglist(p, l, &s->sg);
+    } else {
+        read_from_sglist(p, l, &s->sg);
+    }
+
+    /* update number of transferred bytes */
+    ad->cur_cmd->status = cpu_to_le32(le32_to_cpu(ad->cur_cmd->status) + l);
+    s->io_buffer_index += l;
+
+    DPRINTF(ad->port_no, "len=%#x\n", l);
+
+    return 1;
+}
+
+static int ahci_dma_set_unit(IDEDMA *dma, int unit)
+{
+    /* only a single unit per link */
+    return 0;
+}
+
+static int ahci_dma_add_status(IDEDMA *dma, int status)
+{
+    AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+    ad->dma_status |= status;
+    DPRINTF(ad->port_no, "set status: %x\n", status);
+
+    if (status & BM_STATUS_INT) {
+        ahci_trigger_irq(ad->hba, ad, PORT_IRQ_STAT_DSS);
+    }
+
+    return 0;
+}
+
+static int ahci_dma_set_inactive(IDEDMA *dma)
+{
+    AHCIDevice *ad = DO_UPCAST(AHCIDevice, dma, dma);
+
+    DPRINTF(ad->port_no, "dma done\n");
+
+    /* update d2h status */
+    ahci_write_fis_d2h(ad, NULL);
+
+    ad->dma_cb = NULL;
+
+    /* maybe we still have something to process, check later */
+    ad->check_bh = qemu_bh_new(ahci_check_cmd_bh, ad);
+    qemu_bh_schedule(ad->check_bh);
+
+    return 0;
+}
+
+static void ahci_irq_set(void *opaque, int n, int level)
+{
+}
+
+static void ahci_dma_restart_cb(void *opaque, int running, int reason)
+{
+}
+
+static int ahci_dma_reset(IDEDMA *dma)
+{
+    return 0;
+}
+
+static const IDEDMAOps ahci_dma_ops = {
+    .start_dma = ahci_start_dma,
+    .start_transfer = ahci_start_transfer,
+    .prepare_buf = ahci_dma_prepare_buf,
+    .rw_buf = ahci_dma_rw_buf,
+    .set_unit = ahci_dma_set_unit,
+    .add_status = ahci_dma_add_status,
+    .set_inactive = ahci_dma_set_inactive,
+    .restart_cb = ahci_dma_restart_cb,
+    .reset = ahci_dma_reset,
+};
+
+static void ahci_init(AHCIState *s, DeviceState *qdev)
+{
+    qemu_irq *irqs;
+    int i;
+
+    ahci_reg_init(s);
+    s->mem = cpu_register_io_memory(ahci_readfn, ahci_writefn, s,
+                                    DEVICE_LITTLE_ENDIAN);
+    irqs = qemu_allocate_irqs(ahci_irq_set, s, SATA_PORTS);
+
+    for (i = 0; i < SATA_PORTS; i++) {
+        AHCIDevice *ad = &s->dev[i];
+
+        ide_bus_new(&ad->port, qdev, i);
+        ide_init2(&ad->port, irqs[i]);
+
+        ad->hba = s;
+        ad->port_no = i;
+        ad->port.dma = &ad->dma;
+        ad->port.dma->ops = &ahci_dma_ops;
+        ad->port_regs.cmd = PORT_CMD_SPIN_UP | PORT_CMD_POWER_ON;
+    }
+}
+
+static void ahci_pci_map(PCIDevice *pci_dev, int region_num,
+        pcibus_t addr, pcibus_t size, int type)
+{
+    struct AHCIPCIState *d = (struct AHCIPCIState *)pci_dev;
+    AHCIState *s = &d->ahci;
+
+    cpu_register_physical_memory(addr, size, s->mem);
+}
+
+static void ahci_reset(void *opaque)
+{
+    struct AHCIPCIState *d = opaque;
+    int i;
+
+    for (i = 0; i < SATA_PORTS; i++) {
+        ahci_reset_port(&d->ahci, i);
+    }
+}
+
+static int pci_ahci_init(PCIDevice *dev)
+{
+    struct AHCIPCIState *d;
+    d = DO_UPCAST(struct AHCIPCIState, card, dev);
+
+    pci_config_set_vendor_id(d->card.config, PCI_VENDOR_ID_INTEL);
+    pci_config_set_device_id(d->card.config, PCI_DEVICE_ID_INTEL_82801IR);
+
+    pci_config_set_class(d->card.config, PCI_CLASS_STORAGE_SATA);
+    pci_config_set_revision(d->card.config, 0x02);
+    pci_config_set_prog_interface(d->card.config, AHCI_PROGMODE_MAJOR_REV_1);
+
+    d->card.config[PCI_CACHE_LINE_SIZE] = 0x08;  /* Cache line size */
+    d->card.config[PCI_LATENCY_TIMER]   = 0x00;  /* Latency timer */
+    pci_config_set_interrupt_pin(d->card.config, 1);
+
+    qemu_register_reset(ahci_reset, d);
+
+    /* XXX BAR size should be 1k, but that breaks, so bump it to 4k for now */
+    pci_register_bar(&d->card, 5, 0x1000, PCI_BASE_ADDRESS_SPACE_MEMORY,
+                     ahci_pci_map);
+
+    msi_init(dev, 0x50, 1, true, false);
+
+    ahci_init(&d->ahci, &dev->qdev);
+    d->ahci.irq = d->card.irq[0];
+
+    return 0;
+}
+
+static int pci_ahci_uninit(PCIDevice *dev)
+{
+    struct AHCIPCIState *d;
+    d = DO_UPCAST(struct AHCIPCIState, card, dev);
+
+    if (msi_enabled(dev)) {
+        msi_uninit(dev);
+    }
+
+    qemu_unregister_reset(ahci_reset, d);
+
+    return 0;
+}
+
+static void pci_ahci_write_config(PCIDevice *pci, uint32_t addr,
+                                  uint32_t val, int len)
+{
+    pci_default_write_config(pci, addr, val, len);
+    msi_write_config(pci, addr, val, len);
+}
+
+static PCIDeviceInfo ahci_info = {
+    .qdev.name  = "ahci",
+    .qdev.size  = sizeof(AHCIPCIState),
+    .init       = pci_ahci_init,
+    .exit       = pci_ahci_uninit,
+    .config_write = pci_ahci_write_config,
+};
+
+static void ahci_pci_register_devices(void)
+{
+    pci_qdev_register(&ahci_info);
+}
+
+device_init(ahci_pci_register_devices)
commit 1a5a86fb7a9d98d05fe38c78d49a6fe4b923d3d2
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:39 2010 +0100

    pci: add ich9 pci id
    
    We need a PCI ID for our new AHCI adapter. I just picked an ICH-9
    because that's the one in the Q35 chipset.
    
    This patch adds a PCI ID define for an ICH-9 AHCI adapter.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/pci.h b/hw/pci.h
index aa3afe9..17744dc 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -62,6 +62,7 @@
 /* Intel (0x8086) */
 #define PCI_DEVICE_ID_INTEL_82551IT      0x1209
 #define PCI_DEVICE_ID_INTEL_82557        0x1229
+#define PCI_DEVICE_ID_INTEL_82801IR      0x2922
 
 /* Red Hat / Qumranet (for QEMU) -- see pci-ids.txt */
 #define PCI_VENDOR_ID_REDHAT_QUMRANET    0x1af4
commit 6ed6c24a2d4a23c11ac7397a9fb12d5c143333eb
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:38 2010 +0100

    pci: add storage class for sata
    
    This patch adds the storage sata class id.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/pci_ids.h b/hw/pci_ids.h
index 82cba7e..ea3418c 100644
--- a/hw/pci_ids.h
+++ b/hw/pci_ids.h
@@ -15,6 +15,7 @@
 
 #define PCI_CLASS_STORAGE_SCSI           0x0100
 #define PCI_CLASS_STORAGE_IDE            0x0101
+#define PCI_CLASS_STORAGE_SATA           0x0106
 #define PCI_CLASS_STORAGE_OTHER          0x0180
 
 #define PCI_CLASS_NETWORK_ETHERNET       0x0200
commit ccf0fd8b056dec1fa610842dc3eb2f560ca65753
Author: Roland Elek <elek.roland at gmail.com>
Date:   Tue Dec 14 01:34:37 2010 +0100

    ide: add ncq identify data for ahci sata drives
    
    I modified ide_identify() to include the zero-based queue length
    value in word 75, and set bit 8 in word 76 to signal NCQ support
    in the identify data for AHCI SATA drives.
    
    Signed-off-by: Roland Elek <elek.roland at gmail.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 228911d..9e1d4e6 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -140,6 +140,13 @@ static void ide_identify(IDEState *s)
     put_le16(p + 66, 120);
     put_le16(p + 67, 120);
     put_le16(p + 68, 120);
+
+    if (s->ncq_queues) {
+        put_le16(p + 75, s->ncq_queues - 1);
+        /* NCQ supported */
+        put_le16(p + 76, (1 << 8));
+    }
+
     put_le16(p + 80, 0xf0); /* ata3 -> ata6 supported */
     put_le16(p + 81, 0x16); /* conforms to ata5 */
     /* 14=NOP supported, 5=WCACHE supported, 0=SMART supported */
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index aadb505..697c3b4 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -447,6 +447,8 @@ struct IDEState {
     int smart_errors;
     uint8_t smart_selftest_count;
     uint8_t *smart_selftest_data;
+    /* AHCI */
+    int ncq_queues;
 };
 
 struct IDEDMAOps {
commit 2ff61ff1955cb5268a2604aba8f6aa0c4c658505
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 15 00:23:01 2010 +0100

    ide: move transfer_start after variable modification
    
    We hook into transfer_start and immediately call the end function
    for ahci. This means that everything needs to be in place for the
    end function when we start the transfer, so let's move the function
    down to where all state is in place.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 2032e20..228911d 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -814,11 +814,11 @@ static void ide_atapi_cmd_reply_end(IDEState *s)
             size = s->cd_sector_size - s->io_buffer_index;
             if (size > s->elementary_transfer_size)
                 size = s->elementary_transfer_size;
-            ide_transfer_start(s, s->io_buffer + s->io_buffer_index,
-                               size, ide_atapi_cmd_reply_end);
             s->packet_transfer_size -= size;
             s->elementary_transfer_size -= size;
             s->io_buffer_index += size;
+            ide_transfer_start(s, s->io_buffer + s->io_buffer_index - size,
+                               size, ide_atapi_cmd_reply_end);
         } else {
             /* a new transfer is needed */
             s->nsector = (s->nsector & ~7) | ATAPI_INT_REASON_IO;
@@ -843,11 +843,11 @@ static void ide_atapi_cmd_reply_end(IDEState *s)
                 if (size > (s->cd_sector_size - s->io_buffer_index))
                     size = (s->cd_sector_size - s->io_buffer_index);
             }
-            ide_transfer_start(s, s->io_buffer + s->io_buffer_index,
-                               size, ide_atapi_cmd_reply_end);
             s->packet_transfer_size -= size;
             s->elementary_transfer_size -= size;
             s->io_buffer_index += size;
+            ide_transfer_start(s, s->io_buffer + s->io_buffer_index - size,
+                               size, ide_atapi_cmd_reply_end);
             ide_set_irq(s->bus);
 #ifdef DEBUG_IDE_ATAPI
             printf("status=0x%x\n", s->status);
commit 40a6238a20134a4687f67072d9be99cd97aab59a
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 15 00:23:00 2010 +0100

    ide: Split out BMDMA code from ATA core
    
    The ATA core is currently heavily intertwined with BMDMA code. Let's loosen
    that a bit, so we can happily replace the DMA backend with different
    implementations.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c
index ea5d2dc..e191ee6 100644
--- a/hw/ide/cmd646.c
+++ b/hw/ide/cmd646.c
@@ -167,9 +167,10 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
 
     for(i = 0;i < 2; i++) {
         BMDMAState *bm = &d->bmdma[i];
-        d->bus[i].bmdma = bm;
+        bmdma_init(&d->bus[i], bm);
         bm->bus = d->bus+i;
-        qemu_add_vm_change_state_handler(ide_dma_restart_cb, bm);
+        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
+                                         &bm->dma);
 
         if (i == 0) {
             register_ioport_write(addr, 4, 1, bmdma_writeb_0, d);
@@ -218,7 +219,6 @@ static void cmd646_reset(void *opaque)
 
     for (i = 0; i < 2; i++) {
         ide_bus_reset(&d->bus[i]);
-        ide_dma_reset(&d->bmdma[i]);
     }
 }
 
diff --git a/hw/ide/core.c b/hw/ide/core.c
index ed6854d..2032e20 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -34,8 +34,6 @@
 
 #include <hw/ide/internal.h>
 
-#define IDE_PAGE_SIZE 4096
-
 static const int smart_attributes[][5] = {
     /* id,  flags, val, wrst, thrsh */
     { 0x01, 0x03, 0x64, 0x64, 0x06}, /* raw read */
@@ -61,11 +59,8 @@ static inline int media_is_cd(IDEState *s)
     return (media_present(s) && s->nb_sectors <= CD_MAX_SECTORS);
 }
 
-static void ide_dma_start(IDEState *s, BlockDriverCompletionFunc *dma_cb);
-static void ide_dma_restart(IDEState *s, int is_read);
 static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret);
 static int ide_handle_rw_error(IDEState *s, int error, int op);
-static void ide_flush_cache(IDEState *s);
 
 static void padstr(char *str, const char *src, int len)
 {
@@ -314,11 +309,11 @@ static inline void ide_abort_command(IDEState *s)
 }
 
 static inline void ide_dma_submit_check(IDEState *s,
-          BlockDriverCompletionFunc *dma_cb, BMDMAState *bm)
+          BlockDriverCompletionFunc *dma_cb)
 {
-    if (bm->aiocb)
+    if (s->bus->dma->aiocb)
 	return;
-    dma_cb(bm, -1);
+    dma_cb(s, -1);
 }
 
 /* prepare data transfer and tell what to do after */
@@ -328,8 +323,10 @@ static void ide_transfer_start(IDEState *s, uint8_t *buf, int size,
     s->end_transfer_func = end_transfer_func;
     s->data_ptr = buf;
     s->data_end = buf + size;
-    if (!(s->status & ERR_STAT))
+    if (!(s->status & ERR_STAT)) {
         s->status |= DRQ_STAT;
+    }
+    s->bus->dma->ops->start_transfer(s->bus->dma);
 }
 
 static void ide_transfer_stop(IDEState *s)
@@ -394,7 +391,7 @@ static void ide_rw_error(IDEState *s) {
     ide_set_irq(s->bus);
 }
 
-static void ide_sector_read(IDEState *s)
+void ide_sector_read(IDEState *s)
 {
     int64_t sector_num;
     int ret, n;
@@ -427,58 +424,15 @@ static void ide_sector_read(IDEState *s)
     }
 }
 
-
-/* return 0 if buffer completed */
-static int dma_buf_prepare(BMDMAState *bm, int is_write)
-{
-    IDEState *s = bmdma_active_if(bm);
-    struct {
-        uint32_t addr;
-        uint32_t size;
-    } prd;
-    int l, len;
-
-    qemu_sglist_init(&s->sg, s->nsector / (IDE_PAGE_SIZE / 512) + 1);
-    s->io_buffer_size = 0;
-    for(;;) {
-        if (bm->cur_prd_len == 0) {
-            /* end of table (with a fail safe of one page) */
-            if (bm->cur_prd_last ||
-                (bm->cur_addr - bm->addr) >= IDE_PAGE_SIZE)
-                return s->io_buffer_size != 0;
-            cpu_physical_memory_read(bm->cur_addr, (uint8_t *)&prd, 8);
-            bm->cur_addr += 8;
-            prd.addr = le32_to_cpu(prd.addr);
-            prd.size = le32_to_cpu(prd.size);
-            len = prd.size & 0xfffe;
-            if (len == 0)
-                len = 0x10000;
-            bm->cur_prd_len = len;
-            bm->cur_prd_addr = prd.addr;
-            bm->cur_prd_last = (prd.size & 0x80000000);
-        }
-        l = bm->cur_prd_len;
-        if (l > 0) {
-            qemu_sglist_add(&s->sg, bm->cur_prd_addr, l);
-            bm->cur_prd_addr += l;
-            bm->cur_prd_len -= l;
-            s->io_buffer_size += l;
-        }
-    }
-    return 1;
-}
-
 static void dma_buf_commit(IDEState *s, int is_write)
 {
     qemu_sglist_destroy(&s->sg);
 }
 
-static void ide_dma_set_inactive(BMDMAState *bm)
+static void ide_set_inactive(IDEState *s)
 {
-    bm->status &= ~BM_STATUS_DMAING;
-    bm->dma_cb = NULL;
-    bm->unit = -1;
-    bm->aiocb = NULL;
+    s->bus->dma->aiocb = NULL;
+    s->bus->dma->ops->set_inactive(s->bus->dma);
 }
 
 void ide_dma_error(IDEState *s)
@@ -486,8 +440,8 @@ void ide_dma_error(IDEState *s)
     ide_transfer_stop(s);
     s->error = ABRT_ERR;
     s->status = READY_STAT | ERR_STAT;
-    ide_dma_set_inactive(s->bus->bmdma);
-    s->bus->bmdma->status |= BM_STATUS_INT;
+    ide_set_inactive(s);
+    s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
     ide_set_irq(s->bus);
 }
 
@@ -503,8 +457,8 @@ static int ide_handle_rw_error(IDEState *s, int error, int op)
 
     if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC)
             || action == BLOCK_ERR_STOP_ANY) {
-        s->bus->bmdma->unit = s->unit;
-        s->bus->bmdma->status |= op;
+        s->bus->dma->ops->set_unit(s->bus->dma, s->unit);
+        s->bus->dma->ops->add_status(s->bus->dma, op);
         bdrv_mon_event(s->bs, BDRV_ACTION_STOP, is_read);
         vm_stop(0);
     } else {
@@ -520,58 +474,9 @@ static int ide_handle_rw_error(IDEState *s, int error, int op)
     return 1;
 }
 
-/* return 0 if buffer completed */
-static int dma_buf_rw(BMDMAState *bm, int is_write)
+void ide_read_dma_cb(void *opaque, int ret)
 {
-    IDEState *s = bmdma_active_if(bm);
-    struct {
-        uint32_t addr;
-        uint32_t size;
-    } prd;
-    int l, len;
-
-    for(;;) {
-        l = s->io_buffer_size - s->io_buffer_index;
-        if (l <= 0)
-            break;
-        if (bm->cur_prd_len == 0) {
-            /* end of table (with a fail safe of one page) */
-            if (bm->cur_prd_last ||
-                (bm->cur_addr - bm->addr) >= IDE_PAGE_SIZE)
-                return 0;
-            cpu_physical_memory_read(bm->cur_addr, (uint8_t *)&prd, 8);
-            bm->cur_addr += 8;
-            prd.addr = le32_to_cpu(prd.addr);
-            prd.size = le32_to_cpu(prd.size);
-            len = prd.size & 0xfffe;
-            if (len == 0)
-                len = 0x10000;
-            bm->cur_prd_len = len;
-            bm->cur_prd_addr = prd.addr;
-            bm->cur_prd_last = (prd.size & 0x80000000);
-        }
-        if (l > bm->cur_prd_len)
-            l = bm->cur_prd_len;
-        if (l > 0) {
-            if (is_write) {
-                cpu_physical_memory_write(bm->cur_prd_addr,
-                                          s->io_buffer + s->io_buffer_index, l);
-            } else {
-                cpu_physical_memory_read(bm->cur_prd_addr,
-                                          s->io_buffer + s->io_buffer_index, l);
-            }
-            bm->cur_prd_addr += l;
-            bm->cur_prd_len -= l;
-            s->io_buffer_index += l;
-        }
-    }
-    return 1;
-}
-
-static void ide_read_dma_cb(void *opaque, int ret)
-{
-    BMDMAState *bm = opaque;
-    IDEState *s = bmdma_active_if(bm);
+    IDEState *s = opaque;
     int n;
     int64_t sector_num;
 
@@ -597,8 +502,8 @@ static void ide_read_dma_cb(void *opaque, int ret)
         s->status = READY_STAT | SEEK_STAT;
         ide_set_irq(s->bus);
     eot:
-        bm->status |= BM_STATUS_INT;
-        ide_dma_set_inactive(bm);
+        s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
+        ide_set_inactive(s);
         return;
     }
 
@@ -606,13 +511,13 @@ static void ide_read_dma_cb(void *opaque, int ret)
     n = s->nsector;
     s->io_buffer_index = 0;
     s->io_buffer_size = n * 512;
-    if (dma_buf_prepare(bm, 1) == 0)
+    if (s->bus->dma->ops->prepare_buf(s->bus->dma, 1) == 0)
         goto eot;
 #ifdef DEBUG_AIO
     printf("aio_read: sector_num=%" PRId64 " n=%d\n", sector_num, n);
 #endif
-    bm->aiocb = dma_bdrv_read(s->bs, &s->sg, sector_num, ide_read_dma_cb, bm);
-    ide_dma_submit_check(s, ide_read_dma_cb, bm);
+    s->bus->dma->aiocb = dma_bdrv_read(s->bs, &s->sg, sector_num, ide_read_dma_cb, s);
+    ide_dma_submit_check(s, ide_read_dma_cb);
 }
 
 static void ide_sector_read_dma(IDEState *s)
@@ -621,7 +526,7 @@ static void ide_sector_read_dma(IDEState *s)
     s->io_buffer_index = 0;
     s->io_buffer_size = 0;
     s->is_read = 1;
-    ide_dma_start(s, ide_read_dma_cb);
+    s->bus->dma->ops->start_dma(s->bus->dma, s, ide_read_dma_cb);
 }
 
 static void ide_sector_write_timer_cb(void *opaque)
@@ -630,7 +535,7 @@ static void ide_sector_write_timer_cb(void *opaque)
     ide_set_irq(s->bus);
 }
 
-static void ide_sector_write(IDEState *s)
+void ide_sector_write(IDEState *s)
 {
     int64_t sector_num;
     int ret, n, n1;
@@ -676,48 +581,9 @@ static void ide_sector_write(IDEState *s)
     }
 }
 
-static void ide_dma_restart_bh(void *opaque)
+void ide_write_dma_cb(void *opaque, int ret)
 {
-    BMDMAState *bm = opaque;
-    int is_read;
-
-    qemu_bh_delete(bm->bh);
-    bm->bh = NULL;
-
-    is_read = !!(bm->status & BM_STATUS_RETRY_READ);
-
-    if (bm->status & BM_STATUS_DMA_RETRY) {
-        bm->status &= ~(BM_STATUS_DMA_RETRY | BM_STATUS_RETRY_READ);
-        ide_dma_restart(bmdma_active_if(bm), is_read);
-    } else if (bm->status & BM_STATUS_PIO_RETRY) {
-        bm->status &= ~(BM_STATUS_PIO_RETRY | BM_STATUS_RETRY_READ);
-        if (is_read) {
-            ide_sector_read(bmdma_active_if(bm));
-        } else {
-            ide_sector_write(bmdma_active_if(bm));
-        }
-    } else if (bm->status & BM_STATUS_RETRY_FLUSH) {
-        ide_flush_cache(bmdma_active_if(bm));
-    }
-}
-
-void ide_dma_restart_cb(void *opaque, int running, int reason)
-{
-    BMDMAState *bm = opaque;
-
-    if (!running)
-        return;
-
-    if (!bm->bh) {
-        bm->bh = qemu_bh_new(ide_dma_restart_bh, bm);
-        qemu_bh_schedule(bm->bh);
-    }
-}
-
-static void ide_write_dma_cb(void *opaque, int ret)
-{
-    BMDMAState *bm = opaque;
-    IDEState *s = bmdma_active_if(bm);
+    IDEState *s = opaque;
     int n;
     int64_t sector_num;
 
@@ -740,21 +606,21 @@ static void ide_write_dma_cb(void *opaque, int ret)
         s->status = READY_STAT | SEEK_STAT;
         ide_set_irq(s->bus);
     eot:
-        bm->status |= BM_STATUS_INT;
-        ide_dma_set_inactive(bm);
+        s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
+        ide_set_inactive(s);
         return;
     }
 
     n = s->nsector;
     s->io_buffer_size = n * 512;
     /* launch next transfer */
-    if (dma_buf_prepare(bm, 0) == 0)
+    if (s->bus->dma->ops->prepare_buf(s->bus->dma, 0) == 0)
         goto eot;
 #ifdef DEBUG_AIO
     printf("aio_write: sector_num=%" PRId64 " n=%d\n", sector_num, n);
 #endif
-    bm->aiocb = dma_bdrv_write(s->bs, &s->sg, sector_num, ide_write_dma_cb, bm);
-    ide_dma_submit_check(s, ide_write_dma_cb, bm);
+    s->bus->dma->aiocb = dma_bdrv_write(s->bs, &s->sg, sector_num, ide_write_dma_cb, s);
+    ide_dma_submit_check(s, ide_write_dma_cb);
 }
 
 static void ide_sector_write_dma(IDEState *s)
@@ -763,7 +629,7 @@ static void ide_sector_write_dma(IDEState *s)
     s->io_buffer_index = 0;
     s->io_buffer_size = 0;
     s->is_read = 0;
-    ide_dma_start(s, ide_write_dma_cb);
+    s->bus->dma->ops->start_dma(s->bus->dma, s, ide_write_dma_cb);
 }
 
 void ide_atapi_cmd_ok(IDEState *s)
@@ -813,7 +679,7 @@ static void ide_flush_cb(void *opaque, int ret)
     ide_set_irq(s->bus);
 }
 
-static void ide_flush_cache(IDEState *s)
+void ide_flush_cache(IDEState *s)
 {
     BlockDriverAIOCB *acb;
 
@@ -1003,7 +869,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
 
     if (s->atapi_dma) {
     	s->status = READY_STAT | SEEK_STAT | DRQ_STAT;
-	ide_dma_start(s, ide_atapi_cmd_read_dma_cb);
+        s->bus->dma->ops->start_dma(s->bus->dma, s,
+                                   ide_atapi_cmd_read_dma_cb);
     } else {
     	s->status = READY_STAT | SEEK_STAT;
     	ide_atapi_cmd_reply_end(s);
@@ -1029,8 +896,7 @@ static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
 /* XXX: handle read errors */
 static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret)
 {
-    BMDMAState *bm = opaque;
-    IDEState *s = bmdma_active_if(bm);
+    IDEState *s = opaque;
     int data_offset, n;
 
     if (ret < 0) {
@@ -1056,7 +922,7 @@ static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret)
 	    s->lba += n;
 	}
         s->packet_transfer_size -= s->io_buffer_size;
-        if (dma_buf_rw(bm, 1) == 0)
+        if (s->bus->dma->ops->rw_buf(s->bus->dma, 1) == 0)
             goto eot;
     }
 
@@ -1065,8 +931,8 @@ static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret)
         s->nsector = (s->nsector & ~7) | ATAPI_INT_REASON_IO | ATAPI_INT_REASON_CD;
         ide_set_irq(s->bus);
     eot:
-        bm->status |= BM_STATUS_INT;
-        ide_dma_set_inactive(bm);
+        s->bus->dma->ops->add_status(s->bus->dma, BM_STATUS_INT);
+        ide_set_inactive(s);
         return;
     }
 
@@ -1085,12 +951,13 @@ static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret)
 #ifdef DEBUG_AIO
     printf("aio_read_cd: lba=%u n=%d\n", s->lba, n);
 #endif
-    bm->iov.iov_base = (void *)(s->io_buffer + data_offset);
-    bm->iov.iov_len = n * 4 * 512;
-    qemu_iovec_init_external(&bm->qiov, &bm->iov, 1);
-    bm->aiocb = bdrv_aio_readv(s->bs, (int64_t)s->lba << 2, &bm->qiov,
-                               n * 4, ide_atapi_cmd_read_dma_cb, bm);
-    if (!bm->aiocb) {
+    s->bus->dma->iov.iov_base = (void *)(s->io_buffer + data_offset);
+    s->bus->dma->iov.iov_len = n * 4 * 512;
+    qemu_iovec_init_external(&s->bus->dma->qiov, &s->bus->dma->iov, 1);
+    s->bus->dma->aiocb = bdrv_aio_readv(s->bs, (int64_t)s->lba << 2,
+                                       &s->bus->dma->qiov, n * 4,
+                                       ide_atapi_cmd_read_dma_cb, s);
+    if (!s->bus->dma->aiocb) {
         /* Note: media not present is the most likely case */
         ide_atapi_cmd_error(s, SENSE_NOT_READY,
                             ASC_MEDIUM_NOT_PRESENT);
@@ -1111,7 +978,8 @@ static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
 
     /* XXX: check if BUSY_STAT should be set */
     s->status = READY_STAT | SEEK_STAT | DRQ_STAT | BUSY_STAT;
-    ide_dma_start(s, ide_atapi_cmd_read_dma_cb);
+    s->bus->dma->ops->start_dma(s->bus->dma, s,
+                               ide_atapi_cmd_read_dma_cb);
 }
 
 static void ide_atapi_cmd_read(IDEState *s, int lba, int nb_sectors,
@@ -2638,6 +2506,18 @@ void ide_bus_reset(IDEBus *bus)
     ide_reset(&bus->ifs[0]);
     ide_reset(&bus->ifs[1]);
     ide_clear_hob(bus);
+
+    /* pending async DMA */
+    if (bus->dma->aiocb) {
+#ifdef DEBUG_AIO
+        printf("aio_cancel\n");
+#endif
+        bdrv_aio_cancel(bus->dma->aiocb);
+        bus->dma->aiocb = NULL;
+    }
+
+    /* reset dma provider too */
+    bus->dma->ops->reset(bus->dma);
 }
 
 int ide_init_drive(IDEState *s, BlockDriverState *bs,
@@ -2696,6 +2576,7 @@ int ide_init_drive(IDEState *s, BlockDriverState *bs,
     } else {
         pstrcpy(s->version, sizeof(s->version), QEMU_VERSION);
     }
+
     ide_reset(s);
     bdrv_set_removable(bs, s->drive_kind == IDE_CD);
     return 0;
@@ -2717,6 +2598,42 @@ static void ide_init1(IDEBus *bus, int unit)
                                            ide_sector_write_timer_cb, s);
 }
 
+static void ide_nop_start(IDEDMA *dma, IDEState *s,
+                          BlockDriverCompletionFunc *cb)
+{
+}
+
+static int ide_nop(IDEDMA *dma)
+{
+    return 0;
+}
+
+static int ide_nop_int(IDEDMA *dma, int x)
+{
+    return 0;
+}
+
+static void ide_nop_restart(void *opaque, int x, int y)
+{
+}
+
+static const IDEDMAOps ide_dma_nop_ops = {
+    .start_dma      = ide_nop_start,
+    .start_transfer = ide_nop,
+    .prepare_buf    = ide_nop_int,
+    .rw_buf         = ide_nop_int,
+    .set_unit       = ide_nop_int,
+    .add_status     = ide_nop_int,
+    .set_inactive   = ide_nop,
+    .restart_cb     = ide_nop_restart,
+    .reset          = ide_nop,
+};
+
+static IDEDMA ide_dma_nop = {
+    .ops = &ide_dma_nop_ops,
+    .aiocb = NULL,
+};
+
 void ide_init2(IDEBus *bus, qemu_irq irq)
 {
     int i;
@@ -2726,6 +2643,7 @@ void ide_init2(IDEBus *bus, qemu_irq irq)
         ide_reset(&bus->ifs[i]);
     }
     bus->irq = irq;
+    bus->dma = &ide_dma_nop;
 }
 
 /* TODO convert users to qdev and remove */
@@ -2749,6 +2667,7 @@ void ide_init2_with_non_qdev_drives(IDEBus *bus, DriveInfo *hd0,
         }
     }
     bus->irq = irq;
+    bus->dma = &ide_dma_nop;
 }
 
 void ide_init_ioport(IDEBus *bus, int iobase, int iobase2)
@@ -2916,73 +2835,3 @@ const VMStateDescription vmstate_ide_bus = {
         VMSTATE_END_OF_LIST()
     }
 };
-
-/***********************************************************/
-/* PCI IDE definitions */
-
-static void ide_dma_start(IDEState *s, BlockDriverCompletionFunc *dma_cb)
-{
-    BMDMAState *bm = s->bus->bmdma;
-    if(!bm)
-        return;
-    bm->unit = s->unit;
-    bm->dma_cb = dma_cb;
-    bm->cur_prd_last = 0;
-    bm->cur_prd_addr = 0;
-    bm->cur_prd_len = 0;
-    bm->sector_num = ide_get_sector(s);
-    bm->nsector = s->nsector;
-    if (bm->status & BM_STATUS_DMAING) {
-        bm->dma_cb(bm, 0);
-    }
-}
-
-static void ide_dma_restart(IDEState *s, int is_read)
-{
-    BMDMAState *bm = s->bus->bmdma;
-    ide_set_sector(s, bm->sector_num);
-    s->io_buffer_index = 0;
-    s->io_buffer_size = 0;
-    s->nsector = bm->nsector;
-    bm->cur_addr = bm->addr;
-
-    if (is_read) {
-        bm->dma_cb = ide_read_dma_cb;
-    } else {
-        bm->dma_cb = ide_write_dma_cb;
-    }
-
-    ide_dma_start(s, bm->dma_cb);
-}
-
-void ide_dma_cancel(BMDMAState *bm)
-{
-    if (bm->status & BM_STATUS_DMAING) {
-        if (bm->aiocb) {
-#ifdef DEBUG_AIO
-            printf("aio_cancel\n");
-#endif
-            bdrv_aio_cancel(bm->aiocb);
-        }
-
-        /* cancel DMA request */
-        ide_dma_set_inactive(bm);
-    }
-}
-
-void ide_dma_reset(BMDMAState *bm)
-{
-#ifdef DEBUG_IDE
-    printf("ide: dma_reset\n");
-#endif
-    ide_dma_cancel(bm);
-    bm->cmd = 0;
-    bm->status = 0;
-    bm->addr = 0;
-    bm->cur_addr = 0;
-    bm->cur_prd_last = 0;
-    bm->cur_prd_addr = 0;
-    bm->cur_prd_len = 0;
-    bm->sector_num = 0;
-    bm->nsector = 0;
-}
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 029c76c..aadb505 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -20,7 +20,8 @@ typedef struct IDEBus IDEBus;
 typedef struct IDEDevice IDEDevice;
 typedef struct IDEDeviceInfo IDEDeviceInfo;
 typedef struct IDEState IDEState;
-typedef struct BMDMAState BMDMAState;
+typedef struct IDEDMA IDEDMA;
+typedef struct IDEDMAOps IDEDMAOps;
 
 /* Bits of HD_STATUS */
 #define ERR_STAT		0x01
@@ -367,6 +368,11 @@ typedef enum { IDE_HD, IDE_CD, IDE_CFATA } IDEDriveKind;
 
 typedef void EndTransferFunc(IDEState *);
 
+typedef void DMAStartFunc(IDEDMA *, IDEState *, BlockDriverCompletionFunc *);
+typedef int DMAFunc(IDEDMA *);
+typedef int DMAIntFunc(IDEDMA *, int);
+typedef void DMARestartFunc(void *, int, int);
+
 /* NOTE: IDEState represents in fact one drive */
 struct IDEState {
     IDEBus *bus;
@@ -443,13 +449,32 @@ struct IDEState {
     uint8_t *smart_selftest_data;
 };
 
+struct IDEDMAOps {
+    DMAStartFunc *start_dma;
+    DMAFunc *start_transfer;
+    DMAIntFunc *prepare_buf;
+    DMAIntFunc *rw_buf;
+    DMAIntFunc *set_unit;
+    DMAIntFunc *add_status;
+    DMAFunc *set_inactive;
+    DMARestartFunc *restart_cb;
+    DMAFunc *reset;
+};
+
+struct IDEDMA {
+    const struct IDEDMAOps *ops;
+    struct iovec iov;
+    QEMUIOVector qiov;
+    BlockDriverAIOCB *aiocb;
+};
+
 struct IDEBus {
     BusState qbus;
     IDEDevice *master;
     IDEDevice *slave;
-    BMDMAState *bmdma;
     IDEState ifs[2];
     int bus_id;
+    IDEDMA *dma;
     uint8_t unit;
     uint8_t cmd;
     qemu_irq irq;
@@ -480,46 +505,14 @@ struct IDEDeviceInfo {
 #define BM_CMD_START     0x01
 #define BM_CMD_READ      0x08
 
-struct BMDMAState {
-    uint8_t cmd;
-    uint8_t status;
-    uint32_t addr;
-
-    IDEBus *bus;
-    /* current transfer state */
-    uint32_t cur_addr;
-    uint32_t cur_prd_last;
-    uint32_t cur_prd_addr;
-    uint32_t cur_prd_len;
-    uint8_t unit;
-    BlockDriverCompletionFunc *dma_cb;
-    BlockDriverAIOCB *aiocb;
-    struct iovec iov;
-    QEMUIOVector qiov;
-    int64_t sector_num;
-    uint32_t nsector;
-    IORange addr_ioport;
-    QEMUBH *bh;
-};
-
 static inline IDEState *idebus_active_if(IDEBus *bus)
 {
     return bus->ifs + bus->unit;
 }
 
-static inline IDEState *bmdma_active_if(BMDMAState *bmdma)
-{
-    assert(bmdma->unit != (uint8_t)-1);
-    return bmdma->bus->ifs + bmdma->unit;
-}
-
 static inline void ide_set_irq(IDEBus *bus)
 {
-    BMDMAState *bm = bus->bmdma;
     if (!(bus->cmd & IDE_CMD_DISABLE_IRQ)) {
-        if (bm) {
-            bm->status |= BM_STATUS_INT;
-        }
         qemu_irq_raise(bus->irq);
     }
 }
@@ -542,10 +535,7 @@ void ide_bus_reset(IDEBus *bus);
 int64_t ide_get_sector(IDEState *s);
 void ide_set_sector(IDEState *s, int64_t sector_num);
 
-void ide_dma_cancel(BMDMAState *bm);
-void ide_dma_restart_cb(void *opaque, int running, int reason);
 void ide_dma_error(IDEState *s);
-void ide_dma_reset(BMDMAState *bm);
 
 void ide_atapi_cmd_ok(IDEState *s);
 void ide_atapi_cmd_error(IDEState *s, int sense_key, int asc);
@@ -568,6 +558,11 @@ void ide_init2_with_non_qdev_drives(IDEBus *bus, DriveInfo *hd0,
 void ide_init_ioport(IDEBus *bus, int iobase, int iobase2);
 
 void ide_exec_cmd(IDEBus *bus, uint32_t val);
+void ide_read_dma_cb(void *opaque, int ret);
+void ide_write_dma_cb(void *opaque, int ret);
+void ide_sector_write(IDEState *s);
+void ide_sector_read(IDEState *s);
+void ide_flush_cache(IDEState *s);
 
 /* hw/ide/qdev.c */
 void ide_bus_new(IDEBus *idebus, DeviceState *dev, int bus_id);
diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index ad406ee..510b2de 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -33,6 +33,253 @@
 
 #include <hw/ide/pci.h>
 
+#define BMDMA_PAGE_SIZE 4096
+
+static void bmdma_start_dma(IDEDMA *dma, IDEState *s,
+                            BlockDriverCompletionFunc *dma_cb)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+
+    bm->unit = s->unit;
+    bm->dma_cb = dma_cb;
+    bm->cur_prd_last = 0;
+    bm->cur_prd_addr = 0;
+    bm->cur_prd_len = 0;
+    bm->sector_num = ide_get_sector(s);
+    bm->nsector = s->nsector;
+
+    if (bm->status & BM_STATUS_DMAING) {
+        bm->dma_cb(bmdma_active_if(bm), 0);
+    }
+}
+
+/* return 0 if buffer completed */
+static int bmdma_prepare_buf(IDEDMA *dma, int is_write)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+    IDEState *s = bmdma_active_if(bm);
+    struct {
+        uint32_t addr;
+        uint32_t size;
+    } prd;
+    int l, len;
+
+    qemu_sglist_init(&s->sg, s->nsector / (BMDMA_PAGE_SIZE / 512) + 1);
+    s->io_buffer_size = 0;
+    for(;;) {
+        if (bm->cur_prd_len == 0) {
+            /* end of table (with a fail safe of one page) */
+            if (bm->cur_prd_last ||
+                (bm->cur_addr - bm->addr) >= BMDMA_PAGE_SIZE)
+                return s->io_buffer_size != 0;
+            cpu_physical_memory_read(bm->cur_addr, (uint8_t *)&prd, 8);
+            bm->cur_addr += 8;
+            prd.addr = le32_to_cpu(prd.addr);
+            prd.size = le32_to_cpu(prd.size);
+            len = prd.size & 0xfffe;
+            if (len == 0)
+                len = 0x10000;
+            bm->cur_prd_len = len;
+            bm->cur_prd_addr = prd.addr;
+            bm->cur_prd_last = (prd.size & 0x80000000);
+        }
+        l = bm->cur_prd_len;
+        if (l > 0) {
+            qemu_sglist_add(&s->sg, bm->cur_prd_addr, l);
+            bm->cur_prd_addr += l;
+            bm->cur_prd_len -= l;
+            s->io_buffer_size += l;
+        }
+    }
+    return 1;
+}
+
+/* return 0 if buffer completed */
+static int bmdma_rw_buf(IDEDMA *dma, int is_write)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+    IDEState *s = bmdma_active_if(bm);
+    struct {
+        uint32_t addr;
+        uint32_t size;
+    } prd;
+    int l, len;
+
+    for(;;) {
+        l = s->io_buffer_size - s->io_buffer_index;
+        if (l <= 0)
+            break;
+        if (bm->cur_prd_len == 0) {
+            /* end of table (with a fail safe of one page) */
+            if (bm->cur_prd_last ||
+                (bm->cur_addr - bm->addr) >= BMDMA_PAGE_SIZE)
+                return 0;
+            cpu_physical_memory_read(bm->cur_addr, (uint8_t *)&prd, 8);
+            bm->cur_addr += 8;
+            prd.addr = le32_to_cpu(prd.addr);
+            prd.size = le32_to_cpu(prd.size);
+            len = prd.size & 0xfffe;
+            if (len == 0)
+                len = 0x10000;
+            bm->cur_prd_len = len;
+            bm->cur_prd_addr = prd.addr;
+            bm->cur_prd_last = (prd.size & 0x80000000);
+        }
+        if (l > bm->cur_prd_len)
+            l = bm->cur_prd_len;
+        if (l > 0) {
+            if (is_write) {
+                cpu_physical_memory_write(bm->cur_prd_addr,
+                                          s->io_buffer + s->io_buffer_index, l);
+            } else {
+                cpu_physical_memory_read(bm->cur_prd_addr,
+                                          s->io_buffer + s->io_buffer_index, l);
+            }
+            bm->cur_prd_addr += l;
+            bm->cur_prd_len -= l;
+            s->io_buffer_index += l;
+        }
+    }
+    return 1;
+}
+
+static int bmdma_set_unit(IDEDMA *dma, int unit)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+    bm->unit = unit;
+
+    return 0;
+}
+
+static int bmdma_add_status(IDEDMA *dma, int status)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+    bm->status |= status;
+
+    return 0;
+}
+
+static int bmdma_set_inactive(IDEDMA *dma)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+
+    bm->status &= ~BM_STATUS_DMAING;
+    bm->dma_cb = NULL;
+    bm->unit = -1;
+
+    return 0;
+}
+
+static void bmdma_restart_dma(BMDMAState *bm, int is_read)
+{
+    IDEState *s = bmdma_active_if(bm);
+
+    ide_set_sector(s, bm->sector_num);
+    s->io_buffer_index = 0;
+    s->io_buffer_size = 0;
+    s->nsector = bm->nsector;
+    bm->cur_addr = bm->addr;
+
+    if (is_read) {
+        bm->dma_cb = ide_read_dma_cb;
+    } else {
+        bm->dma_cb = ide_write_dma_cb;
+    }
+
+    bmdma_start_dma(&bm->dma, s, bm->dma_cb);
+}
+
+static void bmdma_restart_bh(void *opaque)
+{
+    BMDMAState *bm = opaque;
+    int is_read;
+
+    qemu_bh_delete(bm->bh);
+    bm->bh = NULL;
+
+    is_read = !!(bm->status & BM_STATUS_RETRY_READ);
+
+    if (bm->status & BM_STATUS_DMA_RETRY) {
+        bm->status &= ~(BM_STATUS_DMA_RETRY | BM_STATUS_RETRY_READ);
+        bmdma_restart_dma(bm, is_read);
+    } else if (bm->status & BM_STATUS_PIO_RETRY) {
+        bm->status &= ~(BM_STATUS_PIO_RETRY | BM_STATUS_RETRY_READ);
+        if (is_read) {
+            ide_sector_read(bmdma_active_if(bm));
+        } else {
+            ide_sector_write(bmdma_active_if(bm));
+        }
+    } else if (bm->status & BM_STATUS_RETRY_FLUSH) {
+        ide_flush_cache(bmdma_active_if(bm));
+    }
+}
+
+static void bmdma_restart_cb(void *opaque, int running, int reason)
+{
+    IDEDMA *dma = opaque;
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+
+    if (!running)
+        return;
+
+    if (!bm->bh) {
+        bm->bh = qemu_bh_new(bmdma_restart_bh, &bm->dma);
+        qemu_bh_schedule(bm->bh);
+    }
+}
+
+static void bmdma_cancel(BMDMAState *bm)
+{
+    if (bm->status & BM_STATUS_DMAING) {
+        /* cancel DMA request */
+        bmdma_set_inactive(&bm->dma);
+    }
+}
+
+static int bmdma_reset(IDEDMA *dma)
+{
+    BMDMAState *bm = DO_UPCAST(BMDMAState, dma, dma);
+
+#ifdef DEBUG_IDE
+    printf("ide: dma_reset\n");
+#endif
+    bmdma_cancel(bm);
+    bm->cmd = 0;
+    bm->status = 0;
+    bm->addr = 0;
+    bm->cur_addr = 0;
+    bm->cur_prd_last = 0;
+    bm->cur_prd_addr = 0;
+    bm->cur_prd_len = 0;
+    bm->sector_num = 0;
+    bm->nsector = 0;
+
+    return 0;
+}
+
+static int bmdma_start_transfer(IDEDMA *dma)
+{
+    return 0;
+}
+
+static void bmdma_irq(void *opaque, int n, int level)
+{
+    BMDMAState *bm = opaque;
+
+    if (!level) {
+        /* pass through lower */
+        qemu_set_irq(bm->irq, level);
+        return;
+    }
+
+    if (bm) {
+        bm->status |= BM_STATUS_INT;
+    }
+
+    /* trigger the real irq */
+    qemu_set_irq(bm->irq, level);
+}
+
 void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val)
 {
     BMDMAState *bm = opaque;
@@ -55,10 +302,10 @@ void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val)
              * whole DMA operation will be submitted to disk with a single
              * aio operation with preadv/pwritev.
              */
-            if (bm->aiocb) {
+            if (bm->bus->dma->aiocb) {
                 qemu_aio_flush();
 #ifdef DEBUG_IDE
-                if (bm->aiocb)
+                if (bm->bus->dma->aiocb)
                     printf("ide_dma_cancel: aiocb still pending");
                 if (bm->status & BM_STATUS_DMAING)
                     printf("ide_dma_cancel: BM_STATUS_DMAING still pending");
@@ -70,7 +317,7 @@ void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val)
                 bm->status |= BM_STATUS_DMAING;
                 /* start dma transfer if possible */
                 if (bm->dma_cb)
-                    bm->dma_cb(bm, 0);
+                    bm->dma_cb(bmdma_active_if(bm), 0);
             }
         }
     }
@@ -198,3 +445,30 @@ void pci_ide_create_devs(PCIDevice *dev, DriveInfo **hd_table)
         ide_create_drive(d->bus+bus[i], unit[i], hd_table[i]);
     }
 }
+
+static const struct IDEDMAOps bmdma_ops = {
+    .start_dma = bmdma_start_dma,
+    .start_transfer = bmdma_start_transfer,
+    .prepare_buf = bmdma_prepare_buf,
+    .rw_buf = bmdma_rw_buf,
+    .set_unit = bmdma_set_unit,
+    .add_status = bmdma_add_status,
+    .set_inactive = bmdma_set_inactive,
+    .restart_cb = bmdma_restart_cb,
+    .reset = bmdma_reset,
+};
+
+void bmdma_init(IDEBus *bus, BMDMAState *bm)
+{
+    qemu_irq *irq;
+
+    if (bus->dma == &bm->dma) {
+        return;
+    }
+
+    bm->dma.ops = &bmdma_ops;
+    bus->dma = &bm->dma;
+    bm->irq = bus->irq;
+    irq = qemu_allocate_irqs(bmdma_irq, bm, 1);
+    bus->irq = *irq;
+}
diff --git a/hw/ide/pci.h b/hw/ide/pci.h
index b81b26c..cd72cba 100644
--- a/hw/ide/pci.h
+++ b/hw/ide/pci.h
@@ -3,6 +3,27 @@
 
 #include <hw/ide/internal.h>
 
+typedef struct BMDMAState {
+    IDEDMA dma;
+    uint8_t cmd;
+    uint8_t status;
+    uint32_t addr;
+
+    IDEBus *bus;
+    /* current transfer state */
+    uint32_t cur_addr;
+    uint32_t cur_prd_last;
+    uint32_t cur_prd_addr;
+    uint32_t cur_prd_len;
+    uint8_t unit;
+    BlockDriverCompletionFunc *dma_cb;
+    int64_t sector_num;
+    uint32_t nsector;
+    IORange addr_ioport;
+    QEMUBH *bh;
+    qemu_irq irq;
+} BMDMAState;
+
 typedef struct PCIIDEState {
     PCIDevice dev;
     IDEBus bus[2];
@@ -10,6 +31,15 @@ typedef struct PCIIDEState {
     uint32_t secondary; /* used only for cmd646 */
 } PCIIDEState;
 
+
+static inline IDEState *bmdma_active_if(BMDMAState *bmdma)
+{
+    assert(bmdma->unit != (uint8_t)-1);
+    return bmdma->bus->ifs + bmdma->unit;
+}
+
+
+void bmdma_init(IDEBus *bus, BMDMAState *bm);
 void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val);
 extern const IORangeOps bmdma_addr_ioport_ops;
 void pci_ide_create_devs(PCIDevice *dev, DriveInfo **hd_table);
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index 1c0cb0c..a6b5d92 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -76,9 +76,10 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
 
     for(i = 0;i < 2; i++) {
         BMDMAState *bm = &d->bmdma[i];
-        d->bus[i].bmdma = bm;
+        bmdma_init(&d->bus[i], bm);
         bm->bus = d->bus+i;
-        qemu_add_vm_change_state_handler(ide_dma_restart_cb, bm);
+        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
+                                         &bm->dma);
 
         register_ioport_write(addr, 1, 1, bmdma_cmd_writeb, bm);
 
@@ -99,7 +100,6 @@ static void piix3_reset(void *opaque)
 
     for (i = 0; i < 2; i++) {
         ide_bus_reset(&d->bus[i]);
-        ide_dma_reset(&d->bmdma[i]);
     }
 
     /* TODO: this is the default. do not override. */
diff --git a/hw/ide/via.c b/hw/ide/via.c
index 78857e8..2603110 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -78,9 +78,10 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
 
     for(i = 0;i < 2; i++) {
         BMDMAState *bm = &d->bmdma[i];
-        d->bus[i].bmdma = bm;
+        bmdma_init(&d->bus[i], bm);
         bm->bus = d->bus+i;
-        qemu_add_vm_change_state_handler(ide_dma_restart_cb, bm);
+        qemu_add_vm_change_state_handler(d->bus[i].dma->ops->restart_cb,
+                                         &bm->dma);
 
         register_ioport_write(addr, 1, 1, bmdma_cmd_writeb, bm);
 
@@ -101,7 +102,6 @@ static void via_reset(void *opaque)
 
     for (i = 0; i < 2; i++) {
         ide_bus_reset(&d->bus[i]);
-        ide_dma_reset(&d->bmdma[i]);
     }
 
     pci_set_word(pci_conf + PCI_COMMAND, PCI_COMMAND_WAIT);
commit 6ef2ba5ea64e9feffdd1a8ffff66749323f719c8
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:34 2010 +0100

    ide: fix whitespace gap in ide_exec_cmd
    
    Now that we have the function split out, we have to reindent it.
    In order to increase the readability of the actual functional change,
    this is split out.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index ac4ee71..ed6854d 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1864,423 +1864,423 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
     int lba48 = 0;
 
 #if defined(DEBUG_IDE)
-        printf("ide: CMD=%02x\n", val);
+    printf("ide: CMD=%02x\n", val);
 #endif
-        s = idebus_active_if(bus);
-        /* ignore commands to non existant slave */
-        if (s != bus->ifs && !s->bs)
-            return;
+    s = idebus_active_if(bus);
+    /* ignore commands to non existant slave */
+    if (s != bus->ifs && !s->bs)
+        return;
 
-        /* Only DEVICE RESET is allowed while BSY or/and DRQ are set */
-        if ((s->status & (BUSY_STAT|DRQ_STAT)) && val != WIN_DEVICE_RESET)
-            return;
+    /* Only DEVICE RESET is allowed while BSY or/and DRQ are set */
+    if ((s->status & (BUSY_STAT|DRQ_STAT)) && val != WIN_DEVICE_RESET)
+        return;
 
-        switch(val) {
-        case WIN_IDENTIFY:
-            if (s->bs && s->drive_kind != IDE_CD) {
-                if (s->drive_kind != IDE_CFATA)
-                    ide_identify(s);
-                else
-                    ide_cfata_identify(s);
-                s->status = READY_STAT | SEEK_STAT;
-                ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
-            } else {
-                if (s->drive_kind == IDE_CD) {
-                    ide_set_signature(s);
-                }
-                ide_abort_command(s);
-            }
-            ide_set_irq(s->bus);
-            break;
-        case WIN_SPECIFY:
-        case WIN_RECAL:
-            s->error = 0;
+    switch(val) {
+    case WIN_IDENTIFY:
+        if (s->bs && s->drive_kind != IDE_CD) {
+            if (s->drive_kind != IDE_CFATA)
+                ide_identify(s);
+            else
+                ide_cfata_identify(s);
             s->status = READY_STAT | SEEK_STAT;
-            ide_set_irq(s->bus);
-            break;
-        case WIN_SETMULT:
-            if (s->drive_kind == IDE_CFATA && s->nsector == 0) {
-                /* Disable Read and Write Multiple */
-                s->mult_sectors = 0;
-                s->status = READY_STAT | SEEK_STAT;
-            } else if ((s->nsector & 0xff) != 0 &&
-                ((s->nsector & 0xff) > MAX_MULT_SECTORS ||
-                 (s->nsector & (s->nsector - 1)) != 0)) {
-                ide_abort_command(s);
-            } else {
-                s->mult_sectors = s->nsector & 0xff;
-                s->status = READY_STAT | SEEK_STAT;
+            ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
+        } else {
+            if (s->drive_kind == IDE_CD) {
+                ide_set_signature(s);
             }
-            ide_set_irq(s->bus);
-            break;
-        case WIN_VERIFY_EXT:
-	    lba48 = 1;
-        case WIN_VERIFY:
-        case WIN_VERIFY_ONCE:
-            /* do sector number check ? */
-	    ide_cmd_lba48_transform(s, lba48);
+            ide_abort_command(s);
+        }
+        ide_set_irq(s->bus);
+        break;
+    case WIN_SPECIFY:
+    case WIN_RECAL:
+        s->error = 0;
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
+    case WIN_SETMULT:
+        if (s->drive_kind == IDE_CFATA && s->nsector == 0) {
+            /* Disable Read and Write Multiple */
+            s->mult_sectors = 0;
             s->status = READY_STAT | SEEK_STAT;
-            ide_set_irq(s->bus);
-            break;
+        } else if ((s->nsector & 0xff) != 0 &&
+            ((s->nsector & 0xff) > MAX_MULT_SECTORS ||
+             (s->nsector & (s->nsector - 1)) != 0)) {
+            ide_abort_command(s);
+        } else {
+            s->mult_sectors = s->nsector & 0xff;
+            s->status = READY_STAT | SEEK_STAT;
+        }
+        ide_set_irq(s->bus);
+        break;
+    case WIN_VERIFY_EXT:
+	lba48 = 1;
+    case WIN_VERIFY:
+    case WIN_VERIFY_ONCE:
+        /* do sector number check ? */
+	ide_cmd_lba48_transform(s, lba48);
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
 	case WIN_READ_EXT:
-	    lba48 = 1;
-        case WIN_READ:
-        case WIN_READ_ONCE:
-            if (!s->bs)
-                goto abort_cmd;
-	    ide_cmd_lba48_transform(s, lba48);
-            s->req_nb_sectors = 1;
-            ide_sector_read(s);
-            break;
+	lba48 = 1;
+    case WIN_READ:
+    case WIN_READ_ONCE:
+        if (!s->bs)
+            goto abort_cmd;
+	ide_cmd_lba48_transform(s, lba48);
+        s->req_nb_sectors = 1;
+        ide_sector_read(s);
+        break;
 	case WIN_WRITE_EXT:
-	    lba48 = 1;
-        case WIN_WRITE:
-        case WIN_WRITE_ONCE:
-        case CFA_WRITE_SECT_WO_ERASE:
-        case WIN_WRITE_VERIFY:
-	    ide_cmd_lba48_transform(s, lba48);
-            s->error = 0;
-            s->status = SEEK_STAT | READY_STAT;
-            s->req_nb_sectors = 1;
-            ide_transfer_start(s, s->io_buffer, 512, ide_sector_write);
-            s->media_changed = 1;
-            break;
+	lba48 = 1;
+    case WIN_WRITE:
+    case WIN_WRITE_ONCE:
+    case CFA_WRITE_SECT_WO_ERASE:
+    case WIN_WRITE_VERIFY:
+	ide_cmd_lba48_transform(s, lba48);
+        s->error = 0;
+        s->status = SEEK_STAT | READY_STAT;
+        s->req_nb_sectors = 1;
+        ide_transfer_start(s, s->io_buffer, 512, ide_sector_write);
+        s->media_changed = 1;
+        break;
 	case WIN_MULTREAD_EXT:
-	    lba48 = 1;
-        case WIN_MULTREAD:
-            if (!s->mult_sectors)
-                goto abort_cmd;
-	    ide_cmd_lba48_transform(s, lba48);
-            s->req_nb_sectors = s->mult_sectors;
-            ide_sector_read(s);
-            break;
-        case WIN_MULTWRITE_EXT:
-	    lba48 = 1;
-        case WIN_MULTWRITE:
-        case CFA_WRITE_MULTI_WO_ERASE:
-            if (!s->mult_sectors)
-                goto abort_cmd;
-	    ide_cmd_lba48_transform(s, lba48);
-            s->error = 0;
-            s->status = SEEK_STAT | READY_STAT;
-            s->req_nb_sectors = s->mult_sectors;
-            n = s->nsector;
-            if (n > s->req_nb_sectors)
-                n = s->req_nb_sectors;
-            ide_transfer_start(s, s->io_buffer, 512 * n, ide_sector_write);
-            s->media_changed = 1;
-            break;
+	lba48 = 1;
+    case WIN_MULTREAD:
+        if (!s->mult_sectors)
+            goto abort_cmd;
+	ide_cmd_lba48_transform(s, lba48);
+        s->req_nb_sectors = s->mult_sectors;
+        ide_sector_read(s);
+        break;
+    case WIN_MULTWRITE_EXT:
+	lba48 = 1;
+    case WIN_MULTWRITE:
+    case CFA_WRITE_MULTI_WO_ERASE:
+        if (!s->mult_sectors)
+            goto abort_cmd;
+	ide_cmd_lba48_transform(s, lba48);
+        s->error = 0;
+        s->status = SEEK_STAT | READY_STAT;
+        s->req_nb_sectors = s->mult_sectors;
+        n = s->nsector;
+        if (n > s->req_nb_sectors)
+            n = s->req_nb_sectors;
+        ide_transfer_start(s, s->io_buffer, 512 * n, ide_sector_write);
+        s->media_changed = 1;
+        break;
 	case WIN_READDMA_EXT:
-	    lba48 = 1;
-        case WIN_READDMA:
-        case WIN_READDMA_ONCE:
-            if (!s->bs)
-                goto abort_cmd;
-	    ide_cmd_lba48_transform(s, lba48);
-            ide_sector_read_dma(s);
-            break;
+	lba48 = 1;
+    case WIN_READDMA:
+    case WIN_READDMA_ONCE:
+        if (!s->bs)
+            goto abort_cmd;
+	ide_cmd_lba48_transform(s, lba48);
+        ide_sector_read_dma(s);
+        break;
 	case WIN_WRITEDMA_EXT:
-	    lba48 = 1;
-        case WIN_WRITEDMA:
-        case WIN_WRITEDMA_ONCE:
-            if (!s->bs)
-                goto abort_cmd;
-	    ide_cmd_lba48_transform(s, lba48);
-            ide_sector_write_dma(s);
-            s->media_changed = 1;
-            break;
-        case WIN_READ_NATIVE_MAX_EXT:
-	    lba48 = 1;
-        case WIN_READ_NATIVE_MAX:
-	    ide_cmd_lba48_transform(s, lba48);
-            ide_set_sector(s, s->nb_sectors - 1);
-            s->status = READY_STAT | SEEK_STAT;
-            ide_set_irq(s->bus);
-            break;
-        case WIN_CHECKPOWERMODE1:
-        case WIN_CHECKPOWERMODE2:
-            s->nsector = 0xff; /* device active or idle */
+	lba48 = 1;
+    case WIN_WRITEDMA:
+    case WIN_WRITEDMA_ONCE:
+        if (!s->bs)
+            goto abort_cmd;
+	ide_cmd_lba48_transform(s, lba48);
+        ide_sector_write_dma(s);
+        s->media_changed = 1;
+        break;
+    case WIN_READ_NATIVE_MAX_EXT:
+	lba48 = 1;
+    case WIN_READ_NATIVE_MAX:
+	ide_cmd_lba48_transform(s, lba48);
+        ide_set_sector(s, s->nb_sectors - 1);
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
+    case WIN_CHECKPOWERMODE1:
+    case WIN_CHECKPOWERMODE2:
+        s->nsector = 0xff; /* device active or idle */
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
+    case WIN_SETFEATURES:
+        if (!s->bs)
+            goto abort_cmd;
+        /* XXX: valid for CDROM ? */
+        switch(s->feature) {
+        case 0xcc: /* reverting to power-on defaults enable */
+        case 0x66: /* reverting to power-on defaults disable */
+        case 0x02: /* write cache enable */
+        case 0x82: /* write cache disable */
+        case 0xaa: /* read look-ahead enable */
+        case 0x55: /* read look-ahead disable */
+        case 0x05: /* set advanced power management mode */
+        case 0x85: /* disable advanced power management mode */
+        case 0x69: /* NOP */
+        case 0x67: /* NOP */
+        case 0x96: /* NOP */
+        case 0x9a: /* NOP */
+        case 0x42: /* enable Automatic Acoustic Mode */
+        case 0xc2: /* disable Automatic Acoustic Mode */
             s->status = READY_STAT | SEEK_STAT;
             ide_set_irq(s->bus);
             break;
-        case WIN_SETFEATURES:
-            if (!s->bs)
-                goto abort_cmd;
-            /* XXX: valid for CDROM ? */
-            switch(s->feature) {
-            case 0xcc: /* reverting to power-on defaults enable */
-            case 0x66: /* reverting to power-on defaults disable */
-            case 0x02: /* write cache enable */
-            case 0x82: /* write cache disable */
-            case 0xaa: /* read look-ahead enable */
-            case 0x55: /* read look-ahead disable */
-            case 0x05: /* set advanced power management mode */
-            case 0x85: /* disable advanced power management mode */
-            case 0x69: /* NOP */
-            case 0x67: /* NOP */
-            case 0x96: /* NOP */
-            case 0x9a: /* NOP */
-            case 0x42: /* enable Automatic Acoustic Mode */
-            case 0xc2: /* disable Automatic Acoustic Mode */
-                s->status = READY_STAT | SEEK_STAT;
-                ide_set_irq(s->bus);
-                break;
-            case 0x03: { /* set transfer mode */
+        case 0x03: { /* set transfer mode */
 		uint8_t val = s->nsector & 0x07;
-                uint16_t *identify_data = (uint16_t *)s->identify_data;
+            uint16_t *identify_data = (uint16_t *)s->identify_data;
 
 		switch (s->nsector >> 3) {
-		    case 0x00: /* pio default */
-		    case 0x01: /* pio mode */
+		case 0x00: /* pio default */
+		case 0x01: /* pio mode */
 			put_le16(identify_data + 62,0x07);
 			put_le16(identify_data + 63,0x07);
 			put_le16(identify_data + 88,0x3f);
 			break;
-                    case 0x02: /* sigle word dma mode*/
+                case 0x02: /* sigle word dma mode*/
 			put_le16(identify_data + 62,0x07 | (1 << (val + 8)));
 			put_le16(identify_data + 63,0x07);
 			put_le16(identify_data + 88,0x3f);
 			break;
-		    case 0x04: /* mdma mode */
+		case 0x04: /* mdma mode */
 			put_le16(identify_data + 62,0x07);
 			put_le16(identify_data + 63,0x07 | (1 << (val + 8)));
 			put_le16(identify_data + 88,0x3f);
 			break;
-		    case 0x08: /* udma mode */
+		case 0x08: /* udma mode */
 			put_le16(identify_data + 62,0x07);
 			put_le16(identify_data + 63,0x07);
 			put_le16(identify_data + 88,0x3f | (1 << (val + 8)));
 			break;
-		    default:
+		default:
 			goto abort_cmd;
 		}
-                s->status = READY_STAT | SEEK_STAT;
-                ide_set_irq(s->bus);
-                break;
-	    }
-            default:
-                goto abort_cmd;
-            }
-            break;
-        case WIN_FLUSH_CACHE:
-        case WIN_FLUSH_CACHE_EXT:
-            ide_flush_cache(s);
-            break;
-        case WIN_STANDBY:
-        case WIN_STANDBY2:
-        case WIN_STANDBYNOW1:
-        case WIN_STANDBYNOW2:
-        case WIN_IDLEIMMEDIATE:
-        case CFA_IDLEIMMEDIATE:
-        case WIN_SETIDLE1:
-        case WIN_SETIDLE2:
-        case WIN_SLEEPNOW1:
-        case WIN_SLEEPNOW2:
-            s->status = READY_STAT;
-            ide_set_irq(s->bus);
-            break;
-        case WIN_SEEK:
-            if(s->drive_kind == IDE_CD)
-                goto abort_cmd;
-            /* XXX: Check that seek is within bounds */
             s->status = READY_STAT | SEEK_STAT;
             ide_set_irq(s->bus);
             break;
-            /* ATAPI commands */
-        case WIN_PIDENTIFY:
-            if (s->drive_kind == IDE_CD) {
-                ide_atapi_identify(s);
-                s->status = READY_STAT | SEEK_STAT;
-                ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
-            } else {
-                ide_abort_command(s);
-            }
-            ide_set_irq(s->bus);
-            break;
-        case WIN_DIAGNOSE:
-            ide_set_signature(s);
-            if (s->drive_kind == IDE_CD)
-                s->status = 0; /* ATAPI spec (v6) section 9.10 defines packet
-                                * devices to return a clear status register
-                                * with READY_STAT *not* set. */
-            else
-                s->status = READY_STAT | SEEK_STAT;
-            s->error = 0x01; /* Device 0 passed, Device 1 passed or not
-                              * present. 
-                              */
-            ide_set_irq(s->bus);
-            break;
-        case WIN_SRST:
-            if (s->drive_kind != IDE_CD)
-                goto abort_cmd;
-            ide_set_signature(s);
-            s->status = 0x00; /* NOTE: READY is _not_ set */
-            s->error = 0x01;
-            break;
-        case WIN_PACKETCMD:
-            if (s->drive_kind != IDE_CD)
-                goto abort_cmd;
-            /* overlapping commands not supported */
-            if (s->feature & 0x02)
-                goto abort_cmd;
+	}
+        default:
+            goto abort_cmd;
+        }
+        break;
+    case WIN_FLUSH_CACHE:
+    case WIN_FLUSH_CACHE_EXT:
+        ide_flush_cache(s);
+        break;
+    case WIN_STANDBY:
+    case WIN_STANDBY2:
+    case WIN_STANDBYNOW1:
+    case WIN_STANDBYNOW2:
+    case WIN_IDLEIMMEDIATE:
+    case CFA_IDLEIMMEDIATE:
+    case WIN_SETIDLE1:
+    case WIN_SETIDLE2:
+    case WIN_SLEEPNOW1:
+    case WIN_SLEEPNOW2:
+        s->status = READY_STAT;
+        ide_set_irq(s->bus);
+        break;
+    case WIN_SEEK:
+        if(s->drive_kind == IDE_CD)
+            goto abort_cmd;
+        /* XXX: Check that seek is within bounds */
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
+        /* ATAPI commands */
+    case WIN_PIDENTIFY:
+        if (s->drive_kind == IDE_CD) {
+            ide_atapi_identify(s);
             s->status = READY_STAT | SEEK_STAT;
-            s->atapi_dma = s->feature & 1;
-            s->nsector = 1;
-            ide_transfer_start(s, s->io_buffer, ATAPI_PACKET_SIZE,
-                               ide_atapi_cmd);
-            break;
-        /* CF-ATA commands */
-        case CFA_REQ_EXT_ERROR_CODE:
-            if (s->drive_kind != IDE_CFATA)
-                goto abort_cmd;
-            s->error = 0x09;    /* miscellaneous error */
+            ide_transfer_start(s, s->io_buffer, 512, ide_transfer_stop);
+        } else {
+            ide_abort_command(s);
+        }
+        ide_set_irq(s->bus);
+        break;
+    case WIN_DIAGNOSE:
+        ide_set_signature(s);
+        if (s->drive_kind == IDE_CD)
+            s->status = 0; /* ATAPI spec (v6) section 9.10 defines packet
+                            * devices to return a clear status register
+                            * with READY_STAT *not* set. */
+        else
             s->status = READY_STAT | SEEK_STAT;
-            ide_set_irq(s->bus);
+        s->error = 0x01; /* Device 0 passed, Device 1 passed or not
+                          * present.
+                          */
+        ide_set_irq(s->bus);
+        break;
+    case WIN_SRST:
+        if (s->drive_kind != IDE_CD)
+            goto abort_cmd;
+        ide_set_signature(s);
+        s->status = 0x00; /* NOTE: READY is _not_ set */
+        s->error = 0x01;
+        break;
+    case WIN_PACKETCMD:
+        if (s->drive_kind != IDE_CD)
+            goto abort_cmd;
+        /* overlapping commands not supported */
+        if (s->feature & 0x02)
+            goto abort_cmd;
+        s->status = READY_STAT | SEEK_STAT;
+        s->atapi_dma = s->feature & 1;
+        s->nsector = 1;
+        ide_transfer_start(s, s->io_buffer, ATAPI_PACKET_SIZE,
+                           ide_atapi_cmd);
+        break;
+    /* CF-ATA commands */
+    case CFA_REQ_EXT_ERROR_CODE:
+        if (s->drive_kind != IDE_CFATA)
+            goto abort_cmd;
+        s->error = 0x09;    /* miscellaneous error */
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
+    case CFA_ERASE_SECTORS:
+    case CFA_WEAR_LEVEL:
+        if (s->drive_kind != IDE_CFATA)
+            goto abort_cmd;
+        if (val == CFA_WEAR_LEVEL)
+            s->nsector = 0;
+        if (val == CFA_ERASE_SECTORS)
+            s->media_changed = 1;
+        s->error = 0x00;
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
+    case CFA_TRANSLATE_SECTOR:
+        if (s->drive_kind != IDE_CFATA)
+            goto abort_cmd;
+        s->error = 0x00;
+        s->status = READY_STAT | SEEK_STAT;
+        memset(s->io_buffer, 0, 0x200);
+        s->io_buffer[0x00] = s->hcyl;			/* Cyl MSB */
+        s->io_buffer[0x01] = s->lcyl;			/* Cyl LSB */
+        s->io_buffer[0x02] = s->select;			/* Head */
+        s->io_buffer[0x03] = s->sector;			/* Sector */
+        s->io_buffer[0x04] = ide_get_sector(s) >> 16;	/* LBA MSB */
+        s->io_buffer[0x05] = ide_get_sector(s) >> 8;	/* LBA */
+        s->io_buffer[0x06] = ide_get_sector(s) >> 0;	/* LBA LSB */
+        s->io_buffer[0x13] = 0x00;				/* Erase flag */
+        s->io_buffer[0x18] = 0x00;				/* Hot count */
+        s->io_buffer[0x19] = 0x00;				/* Hot count */
+        s->io_buffer[0x1a] = 0x01;				/* Hot count */
+        ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
+        ide_set_irq(s->bus);
+        break;
+    case CFA_ACCESS_METADATA_STORAGE:
+        if (s->drive_kind != IDE_CFATA)
+            goto abort_cmd;
+        switch (s->feature) {
+        case 0x02:	/* Inquiry Metadata Storage */
+            ide_cfata_metadata_inquiry(s);
             break;
-        case CFA_ERASE_SECTORS:
-        case CFA_WEAR_LEVEL:
-            if (s->drive_kind != IDE_CFATA)
-                goto abort_cmd;
-            if (val == CFA_WEAR_LEVEL)
-                s->nsector = 0;
-            if (val == CFA_ERASE_SECTORS)
-                s->media_changed = 1;
-            s->error = 0x00;
-            s->status = READY_STAT | SEEK_STAT;
-            ide_set_irq(s->bus);
+        case 0x03:	/* Read Metadata Storage */
+            ide_cfata_metadata_read(s);
             break;
-        case CFA_TRANSLATE_SECTOR:
-            if (s->drive_kind != IDE_CFATA)
-                goto abort_cmd;
-            s->error = 0x00;
-            s->status = READY_STAT | SEEK_STAT;
-            memset(s->io_buffer, 0, 0x200);
-            s->io_buffer[0x00] = s->hcyl;			/* Cyl MSB */
-            s->io_buffer[0x01] = s->lcyl;			/* Cyl LSB */
-            s->io_buffer[0x02] = s->select;			/* Head */
-            s->io_buffer[0x03] = s->sector;			/* Sector */
-            s->io_buffer[0x04] = ide_get_sector(s) >> 16;	/* LBA MSB */
-            s->io_buffer[0x05] = ide_get_sector(s) >> 8;	/* LBA */
-            s->io_buffer[0x06] = ide_get_sector(s) >> 0;	/* LBA LSB */
-            s->io_buffer[0x13] = 0x00;				/* Erase flag */
-            s->io_buffer[0x18] = 0x00;				/* Hot count */
-            s->io_buffer[0x19] = 0x00;				/* Hot count */
-            s->io_buffer[0x1a] = 0x01;				/* Hot count */
-            ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
-            ide_set_irq(s->bus);
+        case 0x04:	/* Write Metadata Storage */
+            ide_cfata_metadata_write(s);
             break;
-        case CFA_ACCESS_METADATA_STORAGE:
-            if (s->drive_kind != IDE_CFATA)
-                goto abort_cmd;
-            switch (s->feature) {
-            case 0x02:	/* Inquiry Metadata Storage */
-                ide_cfata_metadata_inquiry(s);
-                break;
-            case 0x03:	/* Read Metadata Storage */
-                ide_cfata_metadata_read(s);
-                break;
-            case 0x04:	/* Write Metadata Storage */
-                ide_cfata_metadata_write(s);
-                break;
-            default:
-                goto abort_cmd;
-            }
-            ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
-            s->status = 0x00; /* NOTE: READY is _not_ set */
-            ide_set_irq(s->bus);
-            break;
-        case IBM_SENSE_CONDITION:
-            if (s->drive_kind != IDE_CFATA)
-                goto abort_cmd;
-            switch (s->feature) {
-            case 0x01:  /* sense temperature in device */
-                s->nsector = 0x50;      /* +20 C */
-                break;
-            default:
-                goto abort_cmd;
-            }
-            s->status = READY_STAT | SEEK_STAT;
-            ide_set_irq(s->bus);
+        default:
+            goto abort_cmd;
+        }
+        ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
+        s->status = 0x00; /* NOTE: READY is _not_ set */
+        ide_set_irq(s->bus);
+        break;
+    case IBM_SENSE_CONDITION:
+        if (s->drive_kind != IDE_CFATA)
+            goto abort_cmd;
+        switch (s->feature) {
+        case 0x01:  /* sense temperature in device */
+            s->nsector = 0x50;      /* +20 C */
             break;
+        default:
+            goto abort_cmd;
+        }
+        s->status = READY_STAT | SEEK_STAT;
+        ide_set_irq(s->bus);
+        break;
 
 	case WIN_SMART:
-	    if (s->drive_kind == IDE_CD)
+	if (s->drive_kind == IDE_CD)
 		goto abort_cmd;
-	    if (s->hcyl != 0xc2 || s->lcyl != 0x4f)
+	if (s->hcyl != 0xc2 || s->lcyl != 0x4f)
 		goto abort_cmd;
-	    if (!s->smart_enabled && s->feature != SMART_ENABLE)
+	if (!s->smart_enabled && s->feature != SMART_ENABLE)
 		goto abort_cmd;
-	    switch (s->feature) {
-	    case SMART_DISABLE:
+	switch (s->feature) {
+	case SMART_DISABLE:
 		s->smart_enabled = 0;
 		s->status = READY_STAT | SEEK_STAT;
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_ENABLE:
+	case SMART_ENABLE:
 		s->smart_enabled = 1;
 		s->status = READY_STAT | SEEK_STAT;
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_ATTR_AUTOSAVE:
+	case SMART_ATTR_AUTOSAVE:
 		switch (s->sector) {
 		case 0x00:
-		    s->smart_autosave = 0;
-		    break;
+		s->smart_autosave = 0;
+		break;
 		case 0xf1:
-		    s->smart_autosave = 1;
-		    break;
+		s->smart_autosave = 1;
+		break;
 		default:
-		    goto abort_cmd;
+		goto abort_cmd;
 		}
 		s->status = READY_STAT | SEEK_STAT;
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_STATUS:
+	case SMART_STATUS:
 		if (!s->smart_errors) {
-		    s->hcyl = 0xc2;
-		    s->lcyl = 0x4f;
+		s->hcyl = 0xc2;
+		s->lcyl = 0x4f;
 		} else {
-		    s->hcyl = 0x2c;
-		    s->lcyl = 0xf4;
+		s->hcyl = 0x2c;
+		s->lcyl = 0xf4;
 		}
 		s->status = READY_STAT | SEEK_STAT;
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_READ_THRESH:
+	case SMART_READ_THRESH:
 		memset(s->io_buffer, 0, 0x200);
 		s->io_buffer[0] = 0x01; /* smart struct version */
 		for (n=0; n<30; n++) {
-		    if (smart_attributes[n][0] == 0)
+		if (smart_attributes[n][0] == 0)
 			break;
-		    s->io_buffer[2+0+(n*12)] = smart_attributes[n][0];
-		    s->io_buffer[2+1+(n*12)] = smart_attributes[n][4];
+		s->io_buffer[2+0+(n*12)] = smart_attributes[n][0];
+		s->io_buffer[2+1+(n*12)] = smart_attributes[n][4];
 		}
 		for (n=0; n<511; n++) /* checksum */
-		    s->io_buffer[511] += s->io_buffer[n];
+		s->io_buffer[511] += s->io_buffer[n];
 		s->io_buffer[511] = 0x100 - s->io_buffer[511];
 		s->status = READY_STAT | SEEK_STAT;
 		ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_READ_DATA:
+	case SMART_READ_DATA:
 		memset(s->io_buffer, 0, 0x200);
 		s->io_buffer[0] = 0x01; /* smart struct version */
 		for (n=0; n<30; n++) {
-		    if (smart_attributes[n][0] == 0)
+		if (smart_attributes[n][0] == 0)
 			break;
-		    s->io_buffer[2+0+(n*12)] = smart_attributes[n][0];
-		    s->io_buffer[2+1+(n*12)] = smart_attributes[n][1];
-		    s->io_buffer[2+3+(n*12)] = smart_attributes[n][2];
-		    s->io_buffer[2+4+(n*12)] = smart_attributes[n][3];
+		s->io_buffer[2+0+(n*12)] = smart_attributes[n][0];
+		s->io_buffer[2+1+(n*12)] = smart_attributes[n][1];
+		s->io_buffer[2+3+(n*12)] = smart_attributes[n][2];
+		s->io_buffer[2+4+(n*12)] = smart_attributes[n][3];
 		}
 		s->io_buffer[362] = 0x02 | (s->smart_autosave?0x80:0x00);
 		if (s->smart_selftest_count == 0) {
-		    s->io_buffer[363] = 0;
+		s->io_buffer[363] = 0;
 		} else {
-		    s->io_buffer[363] = 
+		s->io_buffer[363] =
 			s->smart_selftest_data[3 + 
-					       (s->smart_selftest_count - 1) * 
-					       24];
+					   (s->smart_selftest_count - 1) *
+					   24];
 		}
 		s->io_buffer[364] = 0x20; 
 		s->io_buffer[365] = 0x01; 
@@ -2294,76 +2294,76 @@ void ide_exec_cmd(IDEBus *bus, uint32_t val)
 		s->io_buffer[374] = 0x01; /* minutes for poll conveyance */
 
 		for (n=0; n<511; n++) 
-		    s->io_buffer[511] += s->io_buffer[n];
+		s->io_buffer[511] += s->io_buffer[n];
 		s->io_buffer[511] = 0x100 - s->io_buffer[511];
 		s->status = READY_STAT | SEEK_STAT;
 		ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_READ_LOG:
+	case SMART_READ_LOG:
 		switch (s->sector) {
 		case 0x01: /* summary smart error log */
-		    memset(s->io_buffer, 0, 0x200);
-		    s->io_buffer[0] = 0x01;
-		    s->io_buffer[1] = 0x00; /* no error entries */
-		    s->io_buffer[452] = s->smart_errors & 0xff;
-		    s->io_buffer[453] = (s->smart_errors & 0xff00) >> 8;
+		memset(s->io_buffer, 0, 0x200);
+		s->io_buffer[0] = 0x01;
+		s->io_buffer[1] = 0x00; /* no error entries */
+		s->io_buffer[452] = s->smart_errors & 0xff;
+		s->io_buffer[453] = (s->smart_errors & 0xff00) >> 8;
 
-		    for (n=0; n<511; n++)
+		for (n=0; n<511; n++)
 			s->io_buffer[511] += s->io_buffer[n];
-		    s->io_buffer[511] = 0x100 - s->io_buffer[511];
-		    break;
+		s->io_buffer[511] = 0x100 - s->io_buffer[511];
+		break;
 		case 0x06: /* smart self test log */
-		    memset(s->io_buffer, 0, 0x200);
-		    s->io_buffer[0] = 0x01; 
-		    if (s->smart_selftest_count == 0) {
+		memset(s->io_buffer, 0, 0x200);
+		s->io_buffer[0] = 0x01;
+		if (s->smart_selftest_count == 0) {
 			s->io_buffer[508] = 0;
-		    } else {
+		} else {
 			s->io_buffer[508] = s->smart_selftest_count;
 			for (n=2; n<506; n++) 
-			    s->io_buffer[n] = s->smart_selftest_data[n];
-		    }		    
-		    for (n=0; n<511; n++)
+			s->io_buffer[n] = s->smart_selftest_data[n];
+		}
+		for (n=0; n<511; n++)
 			s->io_buffer[511] += s->io_buffer[n];
-		    s->io_buffer[511] = 0x100 - s->io_buffer[511];
-		    break;
+		s->io_buffer[511] = 0x100 - s->io_buffer[511];
+		break;
 		default:
-		    goto abort_cmd;
+		goto abort_cmd;
 		}
 		s->status = READY_STAT | SEEK_STAT;
 		ide_transfer_start(s, s->io_buffer, 0x200, ide_transfer_stop);
 		ide_set_irq(s->bus);
 		break;
-	    case SMART_EXECUTE_OFFLINE:
+	case SMART_EXECUTE_OFFLINE:
 		switch (s->sector) {
 		case 0: /* off-line routine */
 		case 1: /* short self test */
 		case 2: /* extended self test */
-		    s->smart_selftest_count++;
-		    if(s->smart_selftest_count > 21)
+		s->smart_selftest_count++;
+		if(s->smart_selftest_count > 21)
 			s->smart_selftest_count = 0;
-		    n = 2 + (s->smart_selftest_count - 1) * 24;
-		    s->smart_selftest_data[n] = s->sector;
-		    s->smart_selftest_data[n+1] = 0x00; /* OK and finished */
-		    s->smart_selftest_data[n+2] = 0x34; /* hour count lsb */
-		    s->smart_selftest_data[n+3] = 0x12; /* hour count msb */
-		    s->status = READY_STAT | SEEK_STAT;
-		    ide_set_irq(s->bus);
-		    break;
+		n = 2 + (s->smart_selftest_count - 1) * 24;
+		s->smart_selftest_data[n] = s->sector;
+		s->smart_selftest_data[n+1] = 0x00; /* OK and finished */
+		s->smart_selftest_data[n+2] = 0x34; /* hour count lsb */
+		s->smart_selftest_data[n+3] = 0x12; /* hour count msb */
+		s->status = READY_STAT | SEEK_STAT;
+		ide_set_irq(s->bus);
+		break;
 		default:
-		    goto abort_cmd;
+		goto abort_cmd;
 		}
 		break;
-	    default:
+	default:
 		goto abort_cmd;
-	    }
-	    break;
-        default:
-        abort_cmd:
-            ide_abort_command(s);
-            ide_set_irq(s->bus);
-            break;
-        }
+	}
+	break;
+    default:
+    abort_cmd:
+        ide_abort_command(s);
+        ide_set_irq(s->bus);
+        break;
+    }
 }
 
 uint32_t ide_ioport_read(void *opaque, uint32_t addr1)
commit 7cff87ff6ab117799e32e42c2e4dc4c0588e583a
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Dec 14 01:34:33 2010 +0100

    ide: split ide command interpretation off
    
    The ATA command interpretation code can be used for PATA and SATA
    interfaces alike. So let's split it out into a separate function.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 430350f..ac4ee71 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1791,9 +1791,6 @@ static void ide_clear_hob(IDEBus *bus)
 void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 {
     IDEBus *bus = opaque;
-    IDEState *s;
-    int n;
-    int lba48 = 0;
 
 #ifdef DEBUG_IDE
     printf("IDE: write addr=0x%x val=0x%02x\n", addr, val);
@@ -1854,17 +1851,29 @@ void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
     default:
     case 7:
         /* command */
+        ide_exec_cmd(bus, val);
+        break;
+    }
+}
+
+
+void ide_exec_cmd(IDEBus *bus, uint32_t val)
+{
+    IDEState *s;
+    int n;
+    int lba48 = 0;
+
 #if defined(DEBUG_IDE)
         printf("ide: CMD=%02x\n", val);
 #endif
         s = idebus_active_if(bus);
         /* ignore commands to non existant slave */
         if (s != bus->ifs && !s->bs)
-            break;
+            return;
 
         /* Only DEVICE RESET is allowed while BSY or/and DRQ are set */
         if ((s->status & (BUSY_STAT|DRQ_STAT)) && val != WIN_DEVICE_RESET)
-            break;
+            return;
 
         switch(val) {
         case WIN_IDENTIFY:
@@ -2355,7 +2364,6 @@ void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
             ide_set_irq(s->bus);
             break;
         }
-    }
 }
 
 uint32_t ide_ioport_read(void *opaque, uint32_t addr1)
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 71af66f..029c76c 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -567,6 +567,8 @@ void ide_init2_with_non_qdev_drives(IDEBus *bus, DriveInfo *hd0,
                                     DriveInfo *hd1, qemu_irq irq);
 void ide_init_ioport(IDEBus *bus, int iobase, int iobase2);
 
+void ide_exec_cmd(IDEBus *bus, uint32_t val);
+
 /* hw/ide/qdev.c */
 void ide_bus_new(IDEBus *idebus, DeviceState *dev, int bus_id);
 IDEDevice *ide_create_drive(IDEBus *bus, int unit, DriveInfo *drive);
commit 1da7cfbd0117eeb0aa29b187bb01426d9290e8ab
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 9 14:17:25 2010 +0100

    qemu-img.c: Clean up handling of image size in img_create()
    
    This cleans up the handling of image size in img_create() by parsing
    the value early, and then only setting it once if a value has been
    added as the last argument to the command line.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index 52282e3..1d936ed 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -282,6 +282,7 @@ static int add_old_style_options(const char *fmt, QEMUOptionParameter *list,
 static int img_create(int argc, char **argv)
 {
     int c, ret = 0;
+    uint64_t img_size = -1;
     const char *fmt = "raw";
     const char *base_fmt = NULL;
     const char *filename;
@@ -330,6 +331,20 @@ static int img_create(int argc, char **argv)
     }
     filename = argv[optind++];
 
+    /* Get image size, if specified */
+    if (optind < argc) {
+        ssize_t sval;
+        sval = strtosz_suffix(argv[optind++], NULL, STRTOSZ_DEFSUFFIX_B);
+        if (sval < 0) {
+            error("Invalid image size specified! You may use k, M, G or "
+                  "T suffixes for ");
+            error("kilobytes, megabytes, gigabytes and terabytes.");
+            ret = -1;
+            goto out;
+        }
+        img_size = (uint64_t)sval;
+    }
+
     if (options && !strcmp(options, "?")) {
         ret = print_block_option_help(filename, fmt);
         goto out;
@@ -357,7 +372,8 @@ static int img_create(int argc, char **argv)
 
     /* Create parameter list with default values */
     param = parse_option_parameters("", create_options, param);
-    set_option_parameter_int(param, BLOCK_OPT_SIZE, -1);
+
+    set_option_parameter_int(param, BLOCK_OPT_SIZE, img_size);
 
     /* Parse -o options */
     if (options) {
@@ -369,11 +385,6 @@ static int img_create(int argc, char **argv)
         }
     }
 
-    /* Add size to parameters */
-    if (optind < argc) {
-        set_option_parameter(param, BLOCK_OPT_SIZE, argv[optind++]);
-    }
-
     /* Add old-style options to parameters */
     ret = add_old_style_options(fmt, param, base_filename, base_fmt);
     if (ret < 0) {
commit d8427002dc1be0a9337cde3ef505ee6e57718675
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Dec 9 14:17:24 2010 +0100

    Introduce strtosz_suffix()
    
    This introduces strtosz_suffix() which allows the caller to specify a
    default suffix in case the non default of MB is wanted.
    
    strtosz() is kept as a wrapper for strtosz_suffix() which keeps it's
    current default of MB.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index 28089aa..7984bc1 100644
--- a/cutils.c
+++ b/cutils.c
@@ -291,10 +291,10 @@ int fcntl_setfl(int fd, int flag)
  * value must be terminated by whitespace, ',' or '\0'. Return -1 on
  * error.
  */
-ssize_t strtosz(const char *nptr, char **end)
+ssize_t strtosz_suffix(const char *nptr, char **end, const char default_suffix)
 {
     ssize_t retval = -1;
-    char *endptr, c;
+    char *endptr, c, d;
     int mul_required = 0;
     double val, mul, integral, fraction;
 
@@ -313,10 +313,16 @@ ssize_t strtosz(const char *nptr, char **end)
      * part of a multi token argument.
      */
     c = *endptr;
+    d = c;
     if (isspace(c) || c == '\0' || c == ',') {
         c = 0;
+        if (default_suffix) {
+            d = default_suffix;
+        } else {
+            d = c;
+        }
     }
-    switch (c) {
+    switch (d) {
     case 'B':
     case 'b':
         mul = 1;
@@ -371,3 +377,8 @@ fail:
 
     return retval;
 }
+
+ssize_t strtosz(const char *nptr, char **end)
+{
+    return strtosz_suffix(nptr, end, STRTOSZ_DEFSUFFIX_MB);
+}
diff --git a/qemu-common.h b/qemu-common.h
index de82c2e..1ed32e5 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -149,7 +149,14 @@ time_t mktimegm(struct tm *tm);
 int qemu_fls(int i);
 int qemu_fdatasync(int fd);
 int fcntl_setfl(int fd, int flag);
+
+#define STRTOSZ_DEFSUFFIX_TB	'T'
+#define STRTOSZ_DEFSUFFIX_GB	'G'
+#define STRTOSZ_DEFSUFFIX_MB	'M'
+#define STRTOSZ_DEFSUFFIX_KB	'K'
+#define STRTOSZ_DEFSUFFIX_B	'B'
 ssize_t strtosz(const char *nptr, char **end);
+ssize_t strtosz_suffix(const char *nptr, char **end, const char default_suffix);
 
 /* path.c */
 void init_paths(const char *prefix);
commit df2dbb4a508ebea7bcacff3f07caecbae969d528
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Thu Dec 2 16:54:13 2010 +0000

    block: Fix the use of protocols in backing files
    
    Backing filenames may contain a protocol.  The code currently doesn't
    consider this case and produces filenames that embed "<protocol>:".
    Don't combine filenames if the backing filename contains a protocol.
    
    Based on an earlier patch by Anthony Liguori <aliguori at us.ibm.com>.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index 65fce80..b4aaf41 100644
--- a/block.c
+++ b/block.c
@@ -611,10 +611,18 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
         BlockDriver *back_drv = NULL;
 
         bs->backing_hd = bdrv_new("");
-        path_combine(backing_filename, sizeof(backing_filename),
-                     filename, bs->backing_file);
-        if (bs->backing_format[0] != '\0')
+
+        if (path_has_protocol(bs->backing_file)) {
+            pstrcpy(backing_filename, sizeof(backing_filename),
+                    bs->backing_file);
+        } else {
+            path_combine(backing_filename, sizeof(backing_filename),
+                         filename, bs->backing_file);
+        }
+
+        if (bs->backing_format[0] != '\0') {
             back_drv = bdrv_find_format(bs->backing_format);
+        }
 
         /* backing files always opened read-only */
         back_flags =
commit 9e0b22f4f2c4122bb3544bb44fb7ce2fd7964c12
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Thu Dec 9 11:53:00 2010 +0000

    block: Introduce path_has_protocol() function
    
    The bdrv_find_protocol() function returns NULL if an unknown protocol
    name is given.  It returns the "file" protocol when the filename
    contains no protocol at all.  This makes it difficult to distinguish
    between paths which contain a protocol and those which do not.
    
    Factor out a helper function that tests whether or not a filename has a
    protocol.  The next patch makes use of this function.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index e7a986c..65fce80 100644
--- a/block.c
+++ b/block.c
@@ -70,6 +70,39 @@ static BlockDriverState *bs_snapshots;
 /* If non-zero, use only whitelisted block drivers */
 static int use_bdrv_whitelist;
 
+#ifdef _WIN32
+static int is_windows_drive_prefix(const char *filename)
+{
+    return (((filename[0] >= 'a' && filename[0] <= 'z') ||
+             (filename[0] >= 'A' && filename[0] <= 'Z')) &&
+            filename[1] == ':');
+}
+
+int is_windows_drive(const char *filename)
+{
+    if (is_windows_drive_prefix(filename) &&
+        filename[2] == '\0')
+        return 1;
+    if (strstart(filename, "\\\\.\\", NULL) ||
+        strstart(filename, "//./", NULL))
+        return 1;
+    return 0;
+}
+#endif
+
+/* check if the path starts with "<protocol>:" */
+static int path_has_protocol(const char *path)
+{
+#ifdef _WIN32
+    if (is_windows_drive(path) ||
+        is_windows_drive_prefix(path)) {
+        return 0;
+    }
+#endif
+
+    return strchr(path, ':') != NULL;
+}
+
 int path_is_absolute(const char *path)
 {
     const char *p;
@@ -244,26 +277,6 @@ void get_tmp_filename(char *filename, int size)
 }
 #endif
 
-#ifdef _WIN32
-static int is_windows_drive_prefix(const char *filename)
-{
-    return (((filename[0] >= 'a' && filename[0] <= 'z') ||
-             (filename[0] >= 'A' && filename[0] <= 'Z')) &&
-            filename[1] == ':');
-}
-
-int is_windows_drive(const char *filename)
-{
-    if (is_windows_drive_prefix(filename) &&
-        filename[2] == '\0')
-        return 1;
-    if (strstart(filename, "\\\\.\\", NULL) ||
-        strstart(filename, "//./", NULL))
-        return 1;
-    return 0;
-}
-#endif
-
 /*
  * Detect host devices. By convention, /dev/cdrom[N] is always
  * recognized as a host CDROM.
@@ -307,16 +320,11 @@ BlockDriver *bdrv_find_protocol(const char *filename)
         return drv1;
     }
 
-#ifdef _WIN32
-     if (is_windows_drive(filename) ||
-         is_windows_drive_prefix(filename))
-         return bdrv_find_format("file");
-#endif
-
-    p = strchr(filename, ':');
-    if (!p) {
+    if (!path_has_protocol(filename)) {
         return bdrv_find_format("file");
     }
+    p = strchr(filename, ':');
+    assert(p != NULL);
     len = p - filename;
     if (len > sizeof(protocol) - 1)
         len = sizeof(protocol) - 1;
commit 0fc0f1fa7f86e9f1d480c6508191ca90ac10b32c
Author: Ryan Harper <ryanh at us.ibm.com>
Date:   Wed Dec 8 10:05:00 2010 -0600

    blockdev: check dinfo ptr before using
    
    If a user decides to punish a guest by revoking its block device via
    drive_del, and subsequently also attempts to remove the pci device
    backing it, and the device is using blockdev_auto_del() then we get a
    segfault when we attempt to access dinfo->auto_del.[1]
    
    The fix is to check if drive_get_by_blockdev() actually returns a valid
    dinfo pointer or not.
    
    1. (qemu) pci_add auto storage file=images/test01.raw,if=virtio,id=block1,snapshot=on
       (qemu) drive_del block1
       (qemu) pci_del 5
       *segfault*
    
    Signed-off-by: Ryan Harper <ryanh at us.ibm.com>
    Tested-by: Luiz Capitulino <lcapitulino at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index f6ac439..3b3b82d 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -30,14 +30,16 @@ void blockdev_mark_auto_del(BlockDriverState *bs)
 {
     DriveInfo *dinfo = drive_get_by_blockdev(bs);
 
-    dinfo->auto_del = 1;
+    if (dinfo) {
+        dinfo->auto_del = 1;
+    }
 }
 
 void blockdev_auto_del(BlockDriverState *bs)
 {
     DriveInfo *dinfo = drive_get_by_blockdev(bs);
 
-    if (dinfo->auto_del) {
+    if (dinfo && dinfo->auto_del) {
         drive_uninit(dinfo);
     }
 }
commit 9d861fa595c93f22d1d55b723a691531c36c9672
Merge: 4a493c6... 72f24d1...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Dec 17 08:25:17 2010 -0600

    Merge remote branch 'arm/for-anthony' into staging

commit 4a493c6fac4db5d9094906a1e9b6d19c1dfff1ed
Merge: fef3957... 5eeaad5...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Dec 17 08:23:53 2010 -0600

    Merge remote branch 'kwolf/for-anthony' into staging

commit fef395782d76fa497bfc89cea741173706669b2e
Merge: 2e44928... 3a019b6...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Dec 17 08:23:05 2010 -0600

    Merge remote branch 'qmp/for-anthony' into staging

commit 2e44928e3c1b9425c17d0786f7d9139871bba43f
Merge: b254b0d... 3867142...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Dec 17 08:22:31 2010 -0600

    Merge remote branch 'jvrao/for-anthony' into staging

commit b254b0d15d48efc3bd43ae535158ded3c1519257
Merge: 36888c6... 513691b...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Dec 17 08:21:29 2010 -0600

    Merge remote branch 'mst/for_anthony' into staging

commit 5eeaad5a57b94d26747ed8a96fab69494baef75d
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Dec 7 09:35:56 2010 +0000

    qemu-img: Fail creation if backing format is invalid
    
    The qemu-img create command should check the backing format to ensure
    only image files with valid backing formats are created.  By checking in
    qemu-img.c we can print a useful error message.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index c5a173c..52282e3 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -288,6 +288,7 @@ static int img_create(int argc, char **argv)
     const char *base_filename = NULL;
     BlockDriver *drv, *proto_drv;
     QEMUOptionParameter *param = NULL, *create_options = NULL;
+    QEMUOptionParameter *backing_fmt = NULL;
     char *options = NULL;
 
     for(;;) {
@@ -379,14 +380,22 @@ static int img_create(int argc, char **argv)
         goto out;
     }
 
+    backing_fmt = get_option_parameter(param, BLOCK_OPT_BACKING_FMT);
+    if (backing_fmt && backing_fmt->value.s) {
+        if (!bdrv_find_format(backing_fmt->value.s)) {
+            error("Unknown backing file format '%s'",
+                  backing_fmt->value.s);
+            ret = -1;
+            goto out;
+        }
+    }
+
     // The size for the image must always be specified, with one exception:
     // If we are using a backing file, we can obtain the size from there
     if (get_option_parameter(param, BLOCK_OPT_SIZE)->value.n == -1) {
 
         QEMUOptionParameter *backing_file =
             get_option_parameter(param, BLOCK_OPT_BACKING_FILE);
-        QEMUOptionParameter *backing_fmt =
-            get_option_parameter(param, BLOCK_OPT_BACKING_FMT);
 
         if (backing_file && backing_file->value.s) {
             BlockDriverState *bs;
@@ -395,14 +404,7 @@ static int img_create(int argc, char **argv)
             char buf[32];
 
             if (backing_fmt && backing_fmt->value.s) {
-                 if (bdrv_find_format(backing_fmt->value.s)) {
-                     fmt = backing_fmt->value.s;
-                } else {
-                     error("Unknown backing file format '%s'",
-                        backing_fmt->value.s);
-                     ret = -1;
-                     goto out;
-                }
+                fmt = backing_fmt->value.s;
             }
 
             bs = bdrv_new_open(backing_file->value.s, fmt, BDRV_O_FLAGS);
commit a87a6721db3975c93798b6fd6fa42996e9aa695a
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Dec 7 09:35:55 2010 +0000

    qemu-img: Free option parameter lists in img_create()
    
    Free option parameter lists in the img_create() error return path.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index d146d8c..c5a173c 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -428,8 +428,6 @@ static int img_create(int argc, char **argv)
     puts("");
 
     ret = bdrv_create(drv, filename, param);
-    free_option_parameters(create_options);
-    free_option_parameters(param);
 
     if (ret < 0) {
         if (ret == -ENOTSUP) {
@@ -441,6 +439,8 @@ static int img_create(int argc, char **argv)
         }
     }
 out:
+    free_option_parameters(create_options);
+    free_option_parameters(param);
     if (ret) {
         return 1;
     }
commit 0e72e753c226b2d6711ca5edc1d956b810fefbcf
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Dec 7 09:35:54 2010 +0000

    qemu-option: Fix parse_option_parameters() documentation typo
    
    Yoda said, "list is the templace is".  Fix this.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-option.c b/qemu-option.c
index e380fc1..65db542 100644
--- a/qemu-option.c
+++ b/qemu-option.c
@@ -394,8 +394,8 @@ QEMUOptionParameter *append_option_parameters(QEMUOptionParameter *dest,
 /*
  * Parses a parameter string (param) into an option list (dest).
  *
- * list is the templace is. If dest is NULL, a new copy of list is created for
- * it. If list is NULL, this function fails.
+ * list is the template option list. If dest is NULL, a new copy of list is
+ * created. If list is NULL, this function fails.
  *
  * A parameter string consists of one or more parameters, separated by commas.
  * Each parameter consists of its name and possibly of a value. In the latter
commit 898c257ba8b611a01bbcd1a88836a5d217ca9568
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Dec 7 09:35:53 2010 +0000

    qemu-option: Don't reinvent append_option_parameters()
    
    parse_option_parameters() may need to create a new option parameter list
    from a template list.  Use append_option_parameters() instead of
    duplicating the code.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-option.c b/qemu-option.c
index 1f8f41a..e380fc1 100644
--- a/qemu-option.c
+++ b/qemu-option.c
@@ -416,20 +416,13 @@ QEMUOptionParameter *parse_option_parameters(const char *param,
     char value[256];
     char *param_delim, *value_delim;
     char next_delim;
-    size_t num_options;
 
     if (list == NULL) {
         return NULL;
     }
 
     if (dest == NULL) {
-        // Count valid options
-        num_options = count_option_parameters(list);
-
-        // Create a copy of the option list to fill in values
-        dest = qemu_mallocz((num_options + 1) * sizeof(QEMUOptionParameter));
-        allocated = dest;
-        memcpy(dest, list, (num_options + 1) * sizeof(QEMUOptionParameter));
+        dest = allocated = append_option_parameters(NULL, list);
     }
 
     while (*param) {
commit eec77d9e712bd4157a4e1c0b5a9249d168add738
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Dec 7 17:44:34 2010 +0100

    qemu-img: Deprecate obsolete -6 and -e options
    
    If -6 or -e is specified, an error message is printed and we exit. It
    does not print help() to avoid the error message getting lost in the
    noise.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block_int.h b/block_int.h
index 0a0e47d..6b3b098 100644
--- a/block_int.h
+++ b/block_int.h
@@ -29,7 +29,6 @@
 #include "qemu-queue.h"
 
 #define BLOCK_FLAG_ENCRYPT	1
-#define BLOCK_FLAG_COMPRESS	2
 #define BLOCK_FLAG_COMPAT6	4
 
 #define BLOCK_OPT_SIZE          "size"
diff --git a/qemu-img.c b/qemu-img.c
index 5b6e648..d146d8c 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -261,21 +261,9 @@ fail:
 }
 
 static int add_old_style_options(const char *fmt, QEMUOptionParameter *list,
-    int flags, const char *base_filename, const char *base_fmt)
+                                 const char *base_filename,
+                                 const char *base_fmt)
 {
-    if (flags & BLOCK_FLAG_ENCRYPT) {
-        if (set_option_parameter(list, BLOCK_OPT_ENCRYPT, "on")) {
-            error("Encryption not supported for file format '%s'", fmt);
-            return -1;
-        }
-    }
-    if (flags & BLOCK_FLAG_COMPAT6) {
-        if (set_option_parameter(list, BLOCK_OPT_COMPAT6, "on")) {
-            error("VMDK version 6 not supported for file format '%s'", fmt);
-            return -1;
-        }
-    }
-
     if (base_filename) {
         if (set_option_parameter(list, BLOCK_OPT_BACKING_FILE, base_filename)) {
             error("Backing file not supported for file format '%s'", fmt);
@@ -293,7 +281,7 @@ static int add_old_style_options(const char *fmt, QEMUOptionParameter *list,
 
 static int img_create(int argc, char **argv)
 {
-    int c, ret = 0, flags;
+    int c, ret = 0;
     const char *fmt = "raw";
     const char *base_fmt = NULL;
     const char *filename;
@@ -302,7 +290,6 @@ static int img_create(int argc, char **argv)
     QEMUOptionParameter *param = NULL, *create_options = NULL;
     char *options = NULL;
 
-    flags = 0;
     for(;;) {
         c = getopt(argc, argv, "F:b:f:he6o:");
         if (c == -1) {
@@ -323,11 +310,13 @@ static int img_create(int argc, char **argv)
             fmt = optarg;
             break;
         case 'e':
-            flags |= BLOCK_FLAG_ENCRYPT;
-            break;
+            error("qemu-img: option -e is deprecated, please use \'-o "
+                  "encryption\' instead!");
+            return 1;
         case '6':
-            flags |= BLOCK_FLAG_COMPAT6;
-            break;
+            error("qemu-img: option -6 is deprecated, please use \'-o "
+                  "compat6\' instead!");
+            return 1;
         case 'o':
             options = optarg;
             break;
@@ -385,7 +374,7 @@ static int img_create(int argc, char **argv)
     }
 
     /* Add old-style options to parameters */
-    ret = add_old_style_options(fmt, param, flags, base_filename, base_fmt);
+    ret = add_old_style_options(fmt, param, base_filename, base_fmt);
     if (ret < 0) {
         goto out;
     }
@@ -674,7 +663,7 @@ static int compare_sectors(const uint8_t *buf1, const uint8_t *buf2, int n,
 
 static int img_convert(int argc, char **argv)
 {
-    int c, ret = 0, n, n1, bs_n, bs_i, flags, cluster_size, cluster_sectors;
+    int c, ret = 0, n, n1, bs_n, bs_i, compress, cluster_size, cluster_sectors;
     const char *fmt, *out_fmt, *out_baseimg, *out_filename;
     BlockDriver *drv, *proto_drv;
     BlockDriverState **bs = NULL, *out_bs = NULL;
@@ -691,7 +680,7 @@ static int img_convert(int argc, char **argv)
     fmt = NULL;
     out_fmt = "raw";
     out_baseimg = NULL;
-    flags = 0;
+    compress = 0;
     for(;;) {
         c = getopt(argc, argv, "f:O:B:s:hce6o:");
         if (c == -1) {
@@ -712,14 +701,16 @@ static int img_convert(int argc, char **argv)
             out_baseimg = optarg;
             break;
         case 'c':
-            flags |= BLOCK_FLAG_COMPRESS;
+            compress = 1;
             break;
         case 'e':
-            flags |= BLOCK_FLAG_ENCRYPT;
-            break;
+            error("qemu-img: option -e is deprecated, please use \'-o "
+                  "encryption\' instead!");
+            return 1;
         case '6':
-            flags |= BLOCK_FLAG_COMPAT6;
-            break;
+            error("qemu-img: option -6 is deprecated, please use \'-o "
+                  "compat6\' instead!");
+            return 1;
         case 'o':
             options = optarg;
             break;
@@ -806,7 +797,7 @@ static int img_convert(int argc, char **argv)
     }
 
     set_option_parameter_int(param, BLOCK_OPT_SIZE, total_sectors * 512);
-    ret = add_old_style_options(out_fmt, param, flags, out_baseimg, NULL);
+    ret = add_old_style_options(out_fmt, param, out_baseimg, NULL);
     if (ret < 0) {
         goto out;
     }
@@ -818,7 +809,7 @@ static int img_convert(int argc, char **argv)
     }
 
     /* Check if compression is supported */
-    if (flags & BLOCK_FLAG_COMPRESS) {
+    if (compress) {
         QEMUOptionParameter *encryption =
             get_option_parameter(param, BLOCK_OPT_ENCRYPT);
 
@@ -860,7 +851,7 @@ static int img_convert(int argc, char **argv)
     bdrv_get_geometry(bs[0], &bs_sectors);
     buf = qemu_malloc(IO_BUF_SIZE);
 
-    if (flags & BLOCK_FLAG_COMPRESS) {
+    if (compress) {
         ret = bdrv_get_info(out_bs, &bdi);
         if (ret < 0) {
             error("could not get block driver info");
commit f27aaf4b531bc0eb4f3e1f7accf4931cae36db0d
Author: Christian Brunner <chb at muc.de>
Date:   Mon Dec 6 20:53:01 2010 +0100

    ceph/rbd block driver for qemu-kvm
    
    RBD is an block driver for the distributed file system Ceph
    (http://ceph.newdream.net/). This driver uses librados (which is part
    of the Ceph server) for direct access to the Ceph object store and is
    running entirely in userspace (Yehuda also wrote a driver for the
    linux kernel, that can be used to access rbd volumes as a block
    device).
    
    Signed-off-by: Yehuda Sadeh <yehuda at hq.newdream.net>
    Signed-off-by: Christian Brunner <chb at muc.de>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index cebb945..b677eb8 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -24,6 +24,7 @@ block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
 block-nested-$(CONFIG_WIN32) += raw-win32.o
 block-nested-$(CONFIG_POSIX) += raw-posix.o
 block-nested-$(CONFIG_CURL) += curl.o
+block-nested-$(CONFIG_RBD) += rbd.o
 
 block-obj-y +=  $(addprefix block/, $(block-nested-y))
 
diff --git a/block/rbd.c b/block/rbd.c
new file mode 100644
index 0000000..249a590
--- /dev/null
+++ b/block/rbd.c
@@ -0,0 +1,1059 @@
+/*
+ * QEMU Block driver for RADOS (Ceph)
+ *
+ * Copyright (C) 2010 Christian Brunner <chb at muc.de>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu-common.h"
+#include "qemu-error.h"
+
+#include "rbd_types.h"
+#include "block_int.h"
+
+#include <rados/librados.h>
+
+
+
+/*
+ * When specifying the image filename use:
+ *
+ * rbd:poolname/devicename
+ *
+ * poolname must be the name of an existing rados pool
+ *
+ * devicename is the basename for all objects used to
+ * emulate the raw device.
+ *
+ * Metadata information (image size, ...) is stored in an
+ * object with the name "devicename.rbd".
+ *
+ * The raw device is split into 4MB sized objects by default.
+ * The sequencenumber is encoded in a 12 byte long hex-string,
+ * and is attached to the devicename, separated by a dot.
+ * e.g. "devicename.1234567890ab"
+ *
+ */
+
+#define OBJ_MAX_SIZE (1UL << OBJ_DEFAULT_OBJ_ORDER)
+
+typedef struct RBDAIOCB {
+    BlockDriverAIOCB common;
+    QEMUBH *bh;
+    int ret;
+    QEMUIOVector *qiov;
+    char *bounce;
+    int write;
+    int64_t sector_num;
+    int aiocnt;
+    int error;
+    struct BDRVRBDState *s;
+    int cancelled;
+} RBDAIOCB;
+
+typedef struct RADOSCB {
+    int rcbid;
+    RBDAIOCB *acb;
+    struct BDRVRBDState *s;
+    int done;
+    int64_t segsize;
+    char *buf;
+    int ret;
+} RADOSCB;
+
+#define RBD_FD_READ 0
+#define RBD_FD_WRITE 1
+
+typedef struct BDRVRBDState {
+    int fds[2];
+    rados_pool_t pool;
+    rados_pool_t header_pool;
+    char name[RBD_MAX_OBJ_NAME_SIZE];
+    char block_name[RBD_MAX_BLOCK_NAME_SIZE];
+    uint64_t size;
+    uint64_t objsize;
+    int qemu_aio_count;
+    int event_reader_pos;
+    RADOSCB *event_rcb;
+} BDRVRBDState;
+
+typedef struct rbd_obj_header_ondisk RbdHeader1;
+
+static void rbd_aio_bh_cb(void *opaque);
+
+static int rbd_next_tok(char *dst, int dst_len,
+                        char *src, char delim,
+                        const char *name,
+                        char **p)
+{
+    int l;
+    char *end;
+
+    *p = NULL;
+
+    if (delim != '\0') {
+        end = strchr(src, delim);
+        if (end) {
+            *p = end + 1;
+            *end = '\0';
+        }
+    }
+    l = strlen(src);
+    if (l >= dst_len) {
+        error_report("%s too long", name);
+        return -EINVAL;
+    } else if (l == 0) {
+        error_report("%s too short", name);
+        return -EINVAL;
+    }
+
+    pstrcpy(dst, dst_len, src);
+
+    return 0;
+}
+
+static int rbd_parsename(const char *filename,
+                         char *pool, int pool_len,
+                         char *snap, int snap_len,
+                         char *name, int name_len)
+{
+    const char *start;
+    char *p, *buf;
+    int ret;
+
+    if (!strstart(filename, "rbd:", &start)) {
+        return -EINVAL;
+    }
+
+    buf = qemu_strdup(start);
+    p = buf;
+
+    ret = rbd_next_tok(pool, pool_len, p, '/', "pool name", &p);
+    if (ret < 0 || !p) {
+        ret = -EINVAL;
+        goto done;
+    }
+    ret = rbd_next_tok(name, name_len, p, '@', "object name", &p);
+    if (ret < 0) {
+        goto done;
+    }
+    if (!p) {
+        *snap = '\0';
+        goto done;
+    }
+
+    ret = rbd_next_tok(snap, snap_len, p, '\0', "snap name", &p);
+
+done:
+    qemu_free(buf);
+    return ret;
+}
+
+static int create_tmap_op(uint8_t op, const char *name, char **tmap_desc)
+{
+    uint32_t len = strlen(name);
+    uint32_t len_le = cpu_to_le32(len);
+    /* total_len = encoding op + name + empty buffer */
+    uint32_t total_len = 1 + (sizeof(uint32_t) + len) + sizeof(uint32_t);
+    uint8_t *desc = NULL;
+
+    desc = qemu_malloc(total_len);
+
+    *tmap_desc = (char *)desc;
+
+    *desc = op;
+    desc++;
+    memcpy(desc, &len_le, sizeof(len_le));
+    desc += sizeof(len_le);
+    memcpy(desc, name, len);
+    desc += len;
+    len = 0; /* no need for endian conversion for 0 */
+    memcpy(desc, &len, sizeof(len));
+    desc += sizeof(len);
+
+    return (char *)desc - *tmap_desc;
+}
+
+static void free_tmap_op(char *tmap_desc)
+{
+    qemu_free(tmap_desc);
+}
+
+static int rbd_register_image(rados_pool_t pool, const char *name)
+{
+    char *tmap_desc;
+    const char *dir = RBD_DIRECTORY;
+    int ret;
+
+    ret = create_tmap_op(CEPH_OSD_TMAP_SET, name, &tmap_desc);
+    if (ret < 0) {
+        return ret;
+    }
+
+    ret = rados_tmap_update(pool, dir, tmap_desc, ret);
+    free_tmap_op(tmap_desc);
+
+    return ret;
+}
+
+static int touch_rbd_info(rados_pool_t pool, const char *info_oid)
+{
+    int r = rados_write(pool, info_oid, 0, NULL, 0);
+    if (r < 0) {
+        return r;
+    }
+    return 0;
+}
+
+static int rbd_assign_bid(rados_pool_t pool, uint64_t *id)
+{
+    uint64_t out[1];
+    const char *info_oid = RBD_INFO;
+
+    *id = 0;
+
+    int r = touch_rbd_info(pool, info_oid);
+    if (r < 0) {
+        return r;
+    }
+
+    r = rados_exec(pool, info_oid, "rbd", "assign_bid", NULL,
+                   0, (char *)out, sizeof(out));
+    if (r < 0) {
+        return r;
+    }
+
+    le64_to_cpus(out);
+    *id = out[0];
+
+    return 0;
+}
+
+static int rbd_create(const char *filename, QEMUOptionParameter *options)
+{
+    int64_t bytes = 0;
+    int64_t objsize;
+    uint64_t size;
+    time_t mtime;
+    uint8_t obj_order = RBD_DEFAULT_OBJ_ORDER;
+    char pool[RBD_MAX_SEG_NAME_SIZE];
+    char n[RBD_MAX_SEG_NAME_SIZE];
+    char name[RBD_MAX_OBJ_NAME_SIZE];
+    char snap_buf[RBD_MAX_SEG_NAME_SIZE];
+    char *snap = NULL;
+    RbdHeader1 header;
+    rados_pool_t p;
+    uint64_t bid;
+    uint32_t hi, lo;
+    int ret;
+
+    if (rbd_parsename(filename,
+                      pool, sizeof(pool),
+                      snap_buf, sizeof(snap_buf),
+                      name, sizeof(name)) < 0) {
+        return -EINVAL;
+    }
+    if (snap_buf[0] != '\0') {
+        snap = snap_buf;
+    }
+
+    snprintf(n, sizeof(n), "%s%s", name, RBD_SUFFIX);
+
+    /* Read out options */
+    while (options && options->name) {
+        if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+            bytes = options->value.n;
+        } else if (!strcmp(options->name, BLOCK_OPT_CLUSTER_SIZE)) {
+            if (options->value.n) {
+                objsize = options->value.n;
+                if ((objsize - 1) & objsize) {    /* not a power of 2? */
+                    error_report("obj size needs to be power of 2");
+                    return -EINVAL;
+                }
+                if (objsize < 4096) {
+                    error_report("obj size too small");
+                    return -EINVAL;
+                }
+		obj_order = ffs(objsize) - 1;
+            }
+        }
+        options++;
+    }
+
+    memset(&header, 0, sizeof(header));
+    pstrcpy(header.text, sizeof(header.text), RBD_HEADER_TEXT);
+    pstrcpy(header.signature, sizeof(header.signature), RBD_HEADER_SIGNATURE);
+    pstrcpy(header.version, sizeof(header.version), RBD_HEADER_VERSION);
+    header.image_size = cpu_to_le64(bytes);
+    header.options.order = obj_order;
+    header.options.crypt_type = RBD_CRYPT_NONE;
+    header.options.comp_type = RBD_COMP_NONE;
+    header.snap_seq = 0;
+    header.snap_count = 0;
+
+    if (rados_initialize(0, NULL) < 0) {
+        error_report("error initializing");
+        return -EIO;
+    }
+
+    if (rados_open_pool(pool, &p)) {
+        error_report("error opening pool %s", pool);
+        rados_deinitialize();
+        return -EIO;
+    }
+
+    /* check for existing rbd header file */
+    ret = rados_stat(p, n, &size, &mtime);
+    if (ret == 0) {
+        ret=-EEXIST;
+        goto done;
+    }
+
+    ret = rbd_assign_bid(p, &bid);
+    if (ret < 0) {
+        error_report("failed assigning block id");
+        rados_deinitialize();
+        return -EIO;
+    }
+    hi = bid >> 32;
+    lo = bid & 0xFFFFFFFF;
+    snprintf(header.block_name, sizeof(header.block_name), "rb.%x.%x", hi, lo);
+
+    /* create header file */
+    ret = rados_write(p, n, 0, (const char *)&header, sizeof(header));
+    if (ret < 0) {
+        goto done;
+    }
+
+    ret = rbd_register_image(p, name);
+done:
+    rados_close_pool(p);
+    rados_deinitialize();
+
+    return ret;
+}
+
+/*
+ * This aio completion is being called from rbd_aio_event_reader() and
+ * runs in qemu context. It schedules a bh, but just in case the aio
+ * was not cancelled before.
+ */
+static void rbd_complete_aio(RADOSCB *rcb)
+{
+    RBDAIOCB *acb = rcb->acb;
+    int64_t r;
+
+    acb->aiocnt--;
+
+    if (acb->cancelled) {
+        if (!acb->aiocnt) {
+            qemu_vfree(acb->bounce);
+            qemu_aio_release(acb);
+        }
+        goto done;
+    }
+
+    r = rcb->ret;
+
+    if (acb->write) {
+        if (r < 0) {
+            acb->ret = r;
+            acb->error = 1;
+        } else if (!acb->error) {
+            acb->ret += rcb->segsize;
+        }
+    } else {
+        if (r == -ENOENT) {
+            memset(rcb->buf, 0, rcb->segsize);
+            if (!acb->error) {
+                acb->ret += rcb->segsize;
+            }
+        } else if (r < 0) {
+	    memset(rcb->buf, 0, rcb->segsize);
+            acb->ret = r;
+            acb->error = 1;
+        } else if (r < rcb->segsize) {
+            memset(rcb->buf + r, 0, rcb->segsize - r);
+            if (!acb->error) {
+                acb->ret += rcb->segsize;
+            }
+        } else if (!acb->error) {
+            acb->ret += r;
+        }
+    }
+    /* Note that acb->bh can be NULL in case where the aio was cancelled */
+    if (!acb->aiocnt) {
+        acb->bh = qemu_bh_new(rbd_aio_bh_cb, acb);
+        qemu_bh_schedule(acb->bh);
+    }
+done:
+    qemu_free(rcb);
+}
+
+/*
+ * aio fd read handler. It runs in the qemu context and calls the
+ * completion handling of completed rados aio operations.
+ */
+static void rbd_aio_event_reader(void *opaque)
+{
+    BDRVRBDState *s = opaque;
+
+    ssize_t ret;
+
+    do {
+        char *p = (char *)&s->event_rcb;
+
+        /* now read the rcb pointer that was sent from a non qemu thread */
+        if ((ret = read(s->fds[RBD_FD_READ], p + s->event_reader_pos,
+                        sizeof(s->event_rcb) - s->event_reader_pos)) > 0) {
+            if (ret > 0) {
+                s->event_reader_pos += ret;
+                if (s->event_reader_pos == sizeof(s->event_rcb)) {
+                    s->event_reader_pos = 0;
+                    rbd_complete_aio(s->event_rcb);
+                    s->qemu_aio_count --;
+                }
+            }
+        }
+    } while (ret < 0 && errno == EINTR);
+}
+
+static int rbd_aio_flush_cb(void *opaque)
+{
+    BDRVRBDState *s = opaque;
+
+    return (s->qemu_aio_count > 0);
+}
+
+
+static int rbd_set_snapc(rados_pool_t pool, const char *snap, RbdHeader1 *header)
+{
+    uint32_t snap_count = le32_to_cpu(header->snap_count);
+    rados_snap_t *snaps = NULL;
+    rados_snap_t seq;
+    uint32_t i;
+    uint64_t snap_names_len = le64_to_cpu(header->snap_names_len);
+    int r;
+    rados_snap_t snapid = 0;
+
+    if (snap_count) {
+        const char *header_snap = (const char *)&header->snaps[snap_count];
+        const char *end = header_snap + snap_names_len;
+        snaps = qemu_malloc(sizeof(rados_snap_t) * header->snap_count);
+
+        for (i=0; i < snap_count; i++) {
+            snaps[i] = le64_to_cpu(header->snaps[i].id);
+
+            if (snap && strcmp(snap, header_snap) == 0) {
+                snapid = snaps[i];
+            }
+
+            header_snap += strlen(header_snap) + 1;
+            if (header_snap > end) {
+                error_report("bad header, snapshot list broken");
+            }
+        }
+    }
+
+    if (snap && !snapid) {
+        error_report("snapshot not found");
+        qemu_free(snaps);
+        return -ENOENT;
+    }
+    seq = le32_to_cpu(header->snap_seq);
+
+    r = rados_set_snap_context(pool, seq, snaps, snap_count);
+
+    rados_set_snap(pool, snapid);
+
+    qemu_free(snaps);
+
+    return r;
+}
+
+#define BUF_READ_START_LEN    4096
+
+static int rbd_read_header(BDRVRBDState *s, char **hbuf)
+{
+    char *buf = NULL;
+    char n[RBD_MAX_SEG_NAME_SIZE];
+    uint64_t len = BUF_READ_START_LEN;
+    int r;
+
+    snprintf(n, sizeof(n), "%s%s", s->name, RBD_SUFFIX);
+
+    buf = qemu_malloc(len);
+
+    r = rados_read(s->header_pool, n, 0, buf, len);
+    if (r < 0) {
+        goto failed;
+    }
+
+    if (r < len) {
+        goto done;
+    }
+
+    qemu_free(buf);
+    buf = qemu_malloc(len);
+
+    r = rados_stat(s->header_pool, n, &len, NULL);
+    if (r < 0) {
+        goto failed;
+    }
+
+    r = rados_read(s->header_pool, n, 0, buf, len);
+    if (r < 0) {
+        goto failed;
+    }
+
+done:
+    *hbuf = buf;
+    return 0;
+
+failed:
+    qemu_free(buf);
+    return r;
+}
+
+static int rbd_open(BlockDriverState *bs, const char *filename, int flags)
+{
+    BDRVRBDState *s = bs->opaque;
+    RbdHeader1 *header;
+    char pool[RBD_MAX_SEG_NAME_SIZE];
+    char snap_buf[RBD_MAX_SEG_NAME_SIZE];
+    char *snap = NULL;
+    char *hbuf = NULL;
+    int r;
+
+    if (rbd_parsename(filename, pool, sizeof(pool),
+                      snap_buf, sizeof(snap_buf),
+                      s->name, sizeof(s->name)) < 0) {
+        return -EINVAL;
+    }
+    if (snap_buf[0] != '\0') {
+        snap = snap_buf;
+    }
+
+    if ((r = rados_initialize(0, NULL)) < 0) {
+        error_report("error initializing");
+        return r;
+    }
+
+    if ((r = rados_open_pool(pool, &s->pool))) {
+        error_report("error opening pool %s", pool);
+        rados_deinitialize();
+        return r;
+    }
+
+    if ((r = rados_open_pool(pool, &s->header_pool))) {
+        error_report("error opening pool %s", pool);
+        rados_deinitialize();
+        return r;
+    }
+
+    if ((r = rbd_read_header(s, &hbuf)) < 0) {
+        error_report("error reading header from %s", s->name);
+        goto failed;
+    }
+
+    if (memcmp(hbuf + 64, RBD_HEADER_SIGNATURE, 4)) {
+        error_report("Invalid header signature");
+        r = -EMEDIUMTYPE;
+        goto failed;
+    }
+
+    if (memcmp(hbuf + 68, RBD_HEADER_VERSION, 8)) {
+        error_report("Unknown image version");
+        r = -EMEDIUMTYPE;
+        goto failed;
+    }
+
+    header = (RbdHeader1 *) hbuf;
+    s->size = le64_to_cpu(header->image_size);
+    s->objsize = 1ULL << header->options.order;
+    memcpy(s->block_name, header->block_name, sizeof(header->block_name));
+
+    r = rbd_set_snapc(s->pool, snap, header);
+    if (r < 0) {
+        error_report("failed setting snap context: %s", strerror(-r));
+        goto failed;
+    }
+
+    bs->read_only = (snap != NULL);
+
+    s->event_reader_pos = 0;
+    r = qemu_pipe(s->fds);
+    if (r < 0) {
+        error_report("error opening eventfd");
+        goto failed;
+    }
+    fcntl(s->fds[0], F_SETFL, O_NONBLOCK);
+    fcntl(s->fds[1], F_SETFL, O_NONBLOCK);
+    qemu_aio_set_fd_handler(s->fds[RBD_FD_READ], rbd_aio_event_reader, NULL,
+        rbd_aio_flush_cb, NULL, s);
+
+    qemu_free(hbuf);
+
+    return 0;
+
+failed:
+    qemu_free(hbuf);
+
+    rados_close_pool(s->header_pool);
+    rados_close_pool(s->pool);
+    rados_deinitialize();
+    return r;
+}
+
+static void rbd_close(BlockDriverState *bs)
+{
+    BDRVRBDState *s = bs->opaque;
+
+    close(s->fds[0]);
+    close(s->fds[1]);
+    qemu_aio_set_fd_handler(s->fds[RBD_FD_READ], NULL , NULL, NULL, NULL,
+        NULL);
+
+    rados_close_pool(s->header_pool);
+    rados_close_pool(s->pool);
+    rados_deinitialize();
+}
+
+/*
+ * Cancel aio. Since we don't reference acb in a non qemu threads,
+ * it is safe to access it here.
+ */
+static void rbd_aio_cancel(BlockDriverAIOCB *blockacb)
+{
+    RBDAIOCB *acb = (RBDAIOCB *) blockacb;
+    acb->cancelled = 1;
+}
+
+static AIOPool rbd_aio_pool = {
+    .aiocb_size = sizeof(RBDAIOCB),
+    .cancel = rbd_aio_cancel,
+};
+
+/*
+ * This is the callback function for rados_aio_read and _write
+ *
+ * Note: this function is being called from a non qemu thread so
+ * we need to be careful about what we do here. Generally we only
+ * write to the block notification pipe, and do the rest of the
+ * io completion handling from rbd_aio_event_reader() which
+ * runs in a qemu context.
+ */
+static void rbd_finish_aiocb(rados_completion_t c, RADOSCB *rcb)
+{
+    int ret;
+    rcb->ret = rados_aio_get_return_value(c);
+    rados_aio_release(c);
+    while (1) {
+        fd_set wfd;
+        int fd = rcb->s->fds[RBD_FD_WRITE];
+
+        /* send the rcb pointer to the qemu thread that is responsible
+           for the aio completion. Must do it in a qemu thread context */
+        ret = write(fd, (void *)&rcb, sizeof(rcb));
+        if (ret >= 0) {
+            break;
+        }
+        if (errno == EINTR) {
+            continue;
+	}
+        if (errno != EAGAIN) {
+            break;
+	}
+
+        FD_ZERO(&wfd);
+        FD_SET(fd, &wfd);
+        do {
+            ret = select(fd + 1, NULL, &wfd, NULL, NULL);
+        } while (ret < 0 && errno == EINTR);
+    }
+
+    if (ret < 0) {
+        error_report("failed writing to acb->s->fds\n");
+        qemu_free(rcb);
+    }
+}
+
+/* Callback when all queued rados_aio requests are complete */
+
+static void rbd_aio_bh_cb(void *opaque)
+{
+    RBDAIOCB *acb = opaque;
+
+    if (!acb->write) {
+        qemu_iovec_from_buffer(acb->qiov, acb->bounce, acb->qiov->size);
+    }
+    qemu_vfree(acb->bounce);
+    acb->common.cb(acb->common.opaque, (acb->ret > 0 ? 0 : acb->ret));
+    qemu_bh_delete(acb->bh);
+    acb->bh = NULL;
+
+    qemu_aio_release(acb);
+}
+
+static BlockDriverAIOCB *rbd_aio_rw_vector(BlockDriverState *bs,
+                                           int64_t sector_num,
+                                           QEMUIOVector *qiov,
+                                           int nb_sectors,
+                                           BlockDriverCompletionFunc *cb,
+                                           void *opaque, int write)
+{
+    RBDAIOCB *acb;
+    RADOSCB *rcb;
+    rados_completion_t c;
+    char n[RBD_MAX_SEG_NAME_SIZE];
+    int64_t segnr, segoffs, segsize, last_segnr;
+    int64_t off, size;
+    char *buf;
+
+    BDRVRBDState *s = bs->opaque;
+
+    acb = qemu_aio_get(&rbd_aio_pool, bs, cb, opaque);
+    acb->write = write;
+    acb->qiov = qiov;
+    acb->bounce = qemu_blockalign(bs, qiov->size);
+    acb->aiocnt = 0;
+    acb->ret = 0;
+    acb->error = 0;
+    acb->s = s;
+    acb->cancelled = 0;
+    acb->bh = NULL;
+
+    if (write) {
+        qemu_iovec_to_buffer(acb->qiov, acb->bounce);
+    }
+
+    buf = acb->bounce;
+
+    off = sector_num * BDRV_SECTOR_SIZE;
+    size = nb_sectors * BDRV_SECTOR_SIZE;
+    segnr = off / s->objsize;
+    segoffs = off % s->objsize;
+    segsize = s->objsize - segoffs;
+
+    last_segnr = ((off + size - 1) / s->objsize);
+    acb->aiocnt = (last_segnr - segnr) + 1;
+
+    s->qemu_aio_count += acb->aiocnt; /* All the RADOSCB */
+
+    while (size > 0) {
+        if (size < segsize) {
+            segsize = size;
+        }
+
+        snprintf(n, sizeof(n), "%s.%012" PRIx64, s->block_name,
+                 segnr);
+
+        rcb = qemu_malloc(sizeof(RADOSCB));
+        rcb->done = 0;
+        rcb->acb = acb;
+        rcb->segsize = segsize;
+        rcb->buf = buf;
+        rcb->s = acb->s;
+
+        if (write) {
+            rados_aio_create_completion(rcb, NULL,
+                                        (rados_callback_t) rbd_finish_aiocb,
+                                        &c);
+            rados_aio_write(s->pool, n, segoffs, buf, segsize, c);
+        } else {
+            rados_aio_create_completion(rcb,
+                                        (rados_callback_t) rbd_finish_aiocb,
+                                        NULL, &c);
+            rados_aio_read(s->pool, n, segoffs, buf, segsize, c);
+        }
+
+        buf += segsize;
+        size -= segsize;
+        segoffs = 0;
+        segsize = s->objsize;
+        segnr++;
+    }
+
+    return &acb->common;
+}
+
+static BlockDriverAIOCB *rbd_aio_readv(BlockDriverState * bs,
+                                       int64_t sector_num, QEMUIOVector * qiov,
+                                       int nb_sectors,
+                                       BlockDriverCompletionFunc * cb,
+                                       void *opaque)
+{
+    return rbd_aio_rw_vector(bs, sector_num, qiov, nb_sectors, cb, opaque, 0);
+}
+
+static BlockDriverAIOCB *rbd_aio_writev(BlockDriverState * bs,
+                                        int64_t sector_num, QEMUIOVector * qiov,
+                                        int nb_sectors,
+                                        BlockDriverCompletionFunc * cb,
+                                        void *opaque)
+{
+    return rbd_aio_rw_vector(bs, sector_num, qiov, nb_sectors, cb, opaque, 1);
+}
+
+static int rbd_getinfo(BlockDriverState * bs, BlockDriverInfo * bdi)
+{
+    BDRVRBDState *s = bs->opaque;
+    bdi->cluster_size = s->objsize;
+    return 0;
+}
+
+static int64_t rbd_getlength(BlockDriverState * bs)
+{
+    BDRVRBDState *s = bs->opaque;
+
+    return s->size;
+}
+
+static int rbd_snap_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
+{
+    BDRVRBDState *s = bs->opaque;
+    char inbuf[512], outbuf[128];
+    uint64_t snap_id;
+    int r;
+    char *p = inbuf;
+    char *end = inbuf + sizeof(inbuf);
+    char n[RBD_MAX_SEG_NAME_SIZE];
+    char *hbuf = NULL;
+    RbdHeader1 *header;
+
+    if (sn_info->name[0] == '\0') {
+        return -EINVAL; /* we need a name for rbd snapshots */
+    }
+
+    /*
+     * rbd snapshots are using the name as the user controlled unique identifier
+     * we can't use the rbd snapid for that purpose, as it can't be set
+     */
+    if (sn_info->id_str[0] != '\0' &&
+        strcmp(sn_info->id_str, sn_info->name) != 0) {
+        return -EINVAL;
+    }
+
+    if (strlen(sn_info->name) >= sizeof(sn_info->id_str)) {
+        return -ERANGE;
+    }
+
+    r = rados_selfmanaged_snap_create(s->header_pool, &snap_id);
+    if (r < 0) {
+        error_report("failed to create snap id: %s", strerror(-r));
+        return r;
+    }
+
+    *(uint32_t *)p = strlen(sn_info->name);
+    cpu_to_le32s((uint32_t *)p);
+    p += sizeof(uint32_t);
+    strncpy(p, sn_info->name, end - p);
+    p += strlen(p);
+    if (p + sizeof(snap_id) > end) {
+        error_report("invalid input parameter");
+        return -EINVAL;
+    }
+
+    *(uint64_t *)p = snap_id;
+    cpu_to_le64s((uint64_t *)p);
+
+    snprintf(n, sizeof(n), "%s%s", s->name, RBD_SUFFIX);
+
+    r = rados_exec(s->header_pool, n, "rbd", "snap_add", inbuf,
+                   sizeof(inbuf), outbuf, sizeof(outbuf));
+    if (r < 0) {
+        error_report("rbd.snap_add execution failed failed: %s", strerror(-r));
+        return r;
+    }
+
+    sprintf(sn_info->id_str, "%s", sn_info->name);
+
+    r = rbd_read_header(s, &hbuf);
+    if (r < 0) {
+        error_report("failed reading header: %s", strerror(-r));
+        return r;
+    }
+
+    header = (RbdHeader1 *) hbuf;
+    r = rbd_set_snapc(s->pool, sn_info->name, header);
+    if (r < 0) {
+        error_report("failed setting snap context: %s", strerror(-r));
+        goto failed;
+    }
+
+    return 0;
+
+failed:
+    qemu_free(header);
+    return r;
+}
+
+static int decode32(char **p, const char *end, uint32_t *v)
+{
+    if (*p + 4 > end) {
+	return -ERANGE;
+    }
+
+    *v = *(uint32_t *)(*p);
+    le32_to_cpus(v);
+    *p += 4;
+    return 0;
+}
+
+static int decode64(char **p, const char *end, uint64_t *v)
+{
+    if (*p + 8 > end) {
+        return -ERANGE;
+    }
+
+    *v = *(uint64_t *)(*p);
+    le64_to_cpus(v);
+    *p += 8;
+    return 0;
+}
+
+static int decode_str(char **p, const char *end, char **s)
+{
+    uint32_t len;
+    int r;
+
+    if ((r = decode32(p, end, &len)) < 0) {
+        return r;
+    }
+
+    *s = qemu_malloc(len + 1);
+    memcpy(*s, *p, len);
+    *p += len;
+    (*s)[len] = '\0';
+
+    return len;
+}
+
+static int rbd_snap_list(BlockDriverState *bs, QEMUSnapshotInfo **psn_tab)
+{
+    BDRVRBDState *s = bs->opaque;
+    char n[RBD_MAX_SEG_NAME_SIZE];
+    QEMUSnapshotInfo *sn_info, *sn_tab = NULL;
+    RbdHeader1 *header;
+    char *hbuf = NULL;
+    char *outbuf = NULL, *end, *buf;
+    uint64_t len;
+    uint64_t snap_seq;
+    uint32_t snap_count;
+    int r, i;
+
+    /* read header to estimate how much space we need to read the snap
+     * list */
+    if ((r = rbd_read_header(s, &hbuf)) < 0) {
+        goto done_err;
+    }
+    header = (RbdHeader1 *)hbuf;
+    len = le64_to_cpu(header->snap_names_len);
+    len += 1024; /* should have already been enough, but new snapshots might
+                    already been created since we read the header. just allocate
+                    a bit more, so that in most cases it'll suffice anyway */
+    qemu_free(hbuf);
+
+    snprintf(n, sizeof(n), "%s%s", s->name, RBD_SUFFIX);
+    while (1) {
+        qemu_free(outbuf);
+        outbuf = qemu_malloc(len);
+
+        r = rados_exec(s->header_pool, n, "rbd", "snap_list", NULL, 0,
+                       outbuf, len);
+        if (r < 0) {
+            error_report("rbd.snap_list execution failed failed: %s", strerror(-r));
+            goto done_err;
+        }
+        if (r != len) {
+            break;
+	}
+
+        /* if we're here, we probably raced with some snaps creation */
+        len *= 2;
+    }
+    buf = outbuf;
+    end = buf + len;
+
+    if ((r = decode64(&buf, end, &snap_seq)) < 0) {
+        goto done_err;
+    }
+    if ((r = decode32(&buf, end, &snap_count)) < 0) {
+        goto done_err;
+    }
+
+    sn_tab = qemu_mallocz(snap_count * sizeof(QEMUSnapshotInfo));
+    for (i = 0; i < snap_count; i++) {
+        uint64_t id, image_size;
+        char *snap_name;
+
+        if ((r = decode64(&buf, end, &id)) < 0) {
+            goto done_err;
+        }
+        if ((r = decode64(&buf, end, &image_size)) < 0) {
+            goto done_err;
+        }
+        if ((r = decode_str(&buf, end, &snap_name)) < 0) {
+            goto done_err;
+        }
+
+        sn_info = sn_tab + i;
+        pstrcpy(sn_info->id_str, sizeof(sn_info->id_str), snap_name);
+        pstrcpy(sn_info->name, sizeof(sn_info->name), snap_name);
+        qemu_free(snap_name);
+
+        sn_info->vm_state_size = image_size;
+        sn_info->date_sec = 0;
+        sn_info->date_nsec = 0;
+        sn_info->vm_clock_nsec = 0;
+    }
+    *psn_tab = sn_tab;
+    qemu_free(outbuf);
+    return snap_count;
+done_err:
+    qemu_free(sn_tab);
+    qemu_free(outbuf);
+    return r;
+}
+
+static QEMUOptionParameter rbd_create_options[] = {
+    {
+     .name = BLOCK_OPT_SIZE,
+     .type = OPT_SIZE,
+     .help = "Virtual disk size"
+    },
+    {
+     .name = BLOCK_OPT_CLUSTER_SIZE,
+     .type = OPT_SIZE,
+     .help = "RBD object size"
+    },
+    {NULL}
+};
+
+static BlockDriver bdrv_rbd = {
+    .format_name        = "rbd",
+    .instance_size      = sizeof(BDRVRBDState),
+    .bdrv_file_open     = rbd_open,
+    .bdrv_close         = rbd_close,
+    .bdrv_create        = rbd_create,
+    .bdrv_get_info      = rbd_getinfo,
+    .create_options     = rbd_create_options,
+    .bdrv_getlength     = rbd_getlength,
+    .protocol_name      = "rbd",
+
+    .bdrv_aio_readv     = rbd_aio_readv,
+    .bdrv_aio_writev    = rbd_aio_writev,
+
+    .bdrv_snapshot_create = rbd_snap_create,
+    .bdrv_snapshot_list = rbd_snap_list,
+};
+
+static void bdrv_rbd_init(void)
+{
+    bdrv_register(&bdrv_rbd);
+}
+
+block_init(bdrv_rbd_init);
diff --git a/block/rbd_types.h b/block/rbd_types.h
new file mode 100644
index 0000000..f4cca99
--- /dev/null
+++ b/block/rbd_types.h
@@ -0,0 +1,71 @@
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2004-2010 Sage Weil <sage at newdream.net>
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1, as published by the Free Software
+ * Foundation.  See file COPYING.LIB.
+ *
+ */
+
+#ifndef CEPH_RBD_TYPES_H
+#define CEPH_RBD_TYPES_H
+
+
+/*
+ * rbd image 'foo' consists of objects
+ *   foo.rbd      - image metadata
+ *   foo.00000000
+ *   foo.00000001
+ *   ...          - data
+ */
+
+#define RBD_SUFFIX              ".rbd"
+#define RBD_DIRECTORY           "rbd_directory"
+#define RBD_INFO                "rbd_info"
+
+#define RBD_DEFAULT_OBJ_ORDER   22   /* 4MB */
+
+#define RBD_MAX_OBJ_NAME_SIZE   96
+#define RBD_MAX_BLOCK_NAME_SIZE 24
+#define RBD_MAX_SEG_NAME_SIZE   128
+
+#define RBD_COMP_NONE           0
+#define RBD_CRYPT_NONE          0
+
+#define RBD_HEADER_TEXT         "<<< Rados Block Device Image >>>\n"
+#define RBD_HEADER_SIGNATURE    "RBD"
+#define RBD_HEADER_VERSION      "001.005"
+
+struct rbd_info {
+    uint64_t max_id;
+} __attribute__ ((packed));
+
+struct rbd_obj_snap_ondisk {
+    uint64_t id;
+    uint64_t image_size;
+} __attribute__((packed));
+
+struct rbd_obj_header_ondisk {
+    char text[40];
+    char block_name[RBD_MAX_BLOCK_NAME_SIZE];
+    char signature[4];
+    char version[8];
+    struct {
+        uint8_t order;
+        uint8_t crypt_type;
+        uint8_t comp_type;
+        uint8_t unused;
+    } __attribute__((packed)) options;
+    uint64_t image_size;
+    uint64_t snap_seq;
+    uint32_t snap_count;
+    uint32_t reserved;
+    uint64_t snap_names_len;
+    struct rbd_obj_snap_ondisk snaps[0];
+} __attribute__((packed));
+
+
+#endif
diff --git a/configure b/configure
index 2917874..62defc4 100755
--- a/configure
+++ b/configure
@@ -332,6 +332,7 @@ zero_malloc=""
 trace_backend="nop"
 trace_file="trace"
 spice=""
+rbd=""
 
 # OS specific
 if check_define __linux__ ; then
@@ -741,6 +742,10 @@ for opt do
   ;;
   --*dir)
   ;;
+  --disable-rbd) rbd="no"
+  ;;
+  --enable-rbd) rbd="yes"
+  ;;
   *) echo "ERROR: unknown option $opt"; show_help="yes"
   ;;
   esac
@@ -934,6 +939,7 @@ echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo "  --disable-spice          disable spice"
 echo "  --enable-spice           enable spice"
+echo "  --enable-rbd             enable building the rados block device (rbd)"
 echo ""
 echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
@@ -1746,6 +1752,48 @@ if test "$mingw32" != yes -a "$pthread" = no; then
 fi
 
 ##########################################
+# rbd probe
+if test "$rbd" != "no" ; then
+  cat > $TMPC <<EOF
+#include <stdio.h>
+#include <rados/librados.h>
+int main(void) { rados_initialize(0, NULL); return 0; }
+EOF
+  rbd_libs="-lrados -lcrypto"
+  if compile_prog "" "$rbd_libs" ; then
+    librados_too_old=no
+    cat > $TMPC <<EOF
+#include <stdio.h>
+#include <rados/librados.h>
+#ifndef CEPH_OSD_TMAP_SET
+#error missing CEPH_OSD_TMAP_SET
+#endif
+int main(void) {
+    int (*func)(const rados_pool_t pool, uint64_t *snapid) = rados_selfmanaged_snap_create;
+    rados_initialize(0, NULL);
+    return 0;
+}
+EOF
+    if compile_prog "" "$rbd_libs" ; then
+      rbd=yes
+      libs_tools="$rbd_libs $libs_tools"
+      libs_softmmu="$rbd_libs $libs_softmmu"
+    else
+      rbd=no
+      librados_too_old=yes
+    fi
+  else
+    if test "$rbd" = "yes" ; then
+      feature_not_found "rados block device"
+    fi
+    rbd=no
+  fi
+  if test "$librados_too_old" = "yes" ; then
+    echo "-> Your librados version is too old - upgrade needed to have rbd support"
+  fi
+fi
+
+##########################################
 # linux-aio probe
 
 if test "$linux_aio" != "no" ; then
@@ -2354,6 +2402,7 @@ echo "vhost-net support $vhost_net"
 echo "Trace backend     $trace_backend"
 echo "Trace output file $trace_file-<pid>"
 echo "spice support     $spice"
+echo "rbd support       $rbd"
 
 if test $sdl_too_old = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -2627,6 +2676,9 @@ echo "CONFIG_UNAME_RELEASE=\"$uname_release\"" >> $config_host_mak
 if test "$zero_malloc" = "yes" ; then
   echo "CONFIG_ZERO_MALLOC=y" >> $config_host_mak
 fi
+if test "$rbd" = "yes" ; then
+  echo "CONFIG_RBD=y" >> $config_host_mak
+fi
 
 # USB host support
 case "$usb" in
commit 2a81998a1af40cbc13a5ab1030ec7f05d13d742c
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 17:08:31 2010 +0100

    Make error handling more consistent in img_create() and img_resize()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index 6fd52e9..5b6e648 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -349,13 +349,15 @@ static int img_create(int argc, char **argv)
     drv = bdrv_find_format(fmt);
     if (!drv) {
         error("Unknown file format '%s'", fmt);
-        return 1;
+        ret = -1;
+        goto out;
     }
 
     proto_drv = bdrv_find_protocol(filename);
     if (!proto_drv) {
         error("Unknown protocol '%s'", filename);
-        return 1;
+        ret = -1;
+        goto out;
     }
 
     create_options = append_option_parameters(create_options,
@@ -1492,7 +1494,7 @@ static int img_resize(int argc, char **argv)
     int c, ret, relative;
     const char *filename, *fmt, *size;
     int64_t n, total_size;
-    BlockDriverState *bs;
+    BlockDriverState *bs = NULL;
     QEMUOptionParameter *param;
     QEMUOptionParameter resize_options[] = {
         {
@@ -1544,14 +1546,16 @@ static int img_resize(int argc, char **argv)
     param = parse_option_parameters("", resize_options, NULL);
     if (set_option_parameter(param, BLOCK_OPT_SIZE, size)) {
         /* Error message already printed when size parsing fails */
-        exit(1);
+        ret = -1;
+        goto out;
     }
     n = get_option_parameter(param, BLOCK_OPT_SIZE)->value.n;
     free_option_parameters(param);
 
     bs = bdrv_new_open(filename, fmt, BDRV_O_FLAGS | BDRV_O_RDWR);
     if (!bs) {
-        return 1;
+        ret = -1;
+        goto out;
     }
 
     if (relative) {
@@ -1581,7 +1585,9 @@ static int img_resize(int argc, char **argv)
         break;
     }
 out:
-    bdrv_delete(bs);
+    if (bs) {
+        bdrv_delete(bs);
+    }
     if (ret) {
         return 1;
     }
commit ef87394c08f348c95dc831e2e45c488f6466172d
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 15:25:40 2010 +0100

    Fail if detecting an unknown option
    
    This patch changes qemu-img to exit if an unknown option is detected,
    instead of trying to continue with a set of arguments which may be
    incorrect.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index cc77048..6fd52e9 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -309,6 +309,7 @@ static int img_create(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             break;
@@ -477,6 +478,7 @@ static int img_check(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             break;
@@ -555,6 +557,7 @@ static int img_commit(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             break;
@@ -693,6 +696,7 @@ static int img_convert(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             break;
@@ -1097,6 +1101,7 @@ static int img_info(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             break;
@@ -1174,6 +1179,7 @@ static int img_snapshot(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             return 0;
@@ -1289,6 +1295,7 @@ static int img_rebase(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             return 0;
@@ -1503,6 +1510,7 @@ static int img_resize(int argc, char **argv)
             break;
         }
         switch(c) {
+        case '?':
         case 'h':
             help();
             break;
commit b8fb60da2d27ad52593bea4ee5fb33a2644ebaa6
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 15:25:39 2010 +0100

    Fix formatting and missing braces in qemu-img.c
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index 50cfdda..cc77048 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -305,8 +305,9 @@ static int img_create(int argc, char **argv)
     flags = 0;
     for(;;) {
         c = getopt(argc, argv, "F:b:f:he6o:");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -333,8 +334,9 @@ static int img_create(int argc, char **argv)
     }
 
     /* Get the filename */
-    if (optind >= argc)
+    if (optind >= argc) {
         help();
+    }
     filename = argv[optind++];
 
     if (options && !strcmp(options, "?")) {
@@ -471,8 +473,9 @@ static int img_check(int argc, char **argv)
     fmt = NULL;
     for(;;) {
         c = getopt(argc, argv, "f:h");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -482,8 +485,9 @@ static int img_check(int argc, char **argv)
             break;
         }
     }
-    if (optind >= argc)
+    if (optind >= argc) {
         help();
+    }
     filename = argv[optind++];
 
     bs = bdrv_new_open(filename, fmt, BDRV_O_FLAGS);
@@ -547,8 +551,9 @@ static int img_commit(int argc, char **argv)
     fmt = NULL;
     for(;;) {
         c = getopt(argc, argv, "f:h");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -558,8 +563,9 @@ static int img_commit(int argc, char **argv)
             break;
         }
     }
-    if (optind >= argc)
+    if (optind >= argc) {
         help();
+    }
     filename = argv[optind++];
 
     bs = bdrv_new_open(filename, fmt, BDRV_O_FLAGS | BDRV_O_RDWR);
@@ -683,8 +689,9 @@ static int img_convert(int argc, char **argv)
     flags = 0;
     for(;;) {
         c = getopt(argc, argv, "f:O:B:s:hce6o:");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -717,7 +724,9 @@ static int img_convert(int argc, char **argv)
     }
 
     bs_n = argc - optind - 1;
-    if (bs_n < 1) help();
+    if (bs_n < 1) {
+        help();
+    }
 
     out_filename = argv[argc - 1];
 
@@ -905,8 +914,9 @@ static int img_convert(int argc, char **argv)
             }
             assert (remainder == 0);
 
-            if (n < cluster_sectors)
+            if (n < cluster_sectors) {
                 memset(buf + n * 512, 0, cluster_size - n * 512);
+            }
             if (is_not_zero(buf, cluster_size)) {
                 ret = bdrv_write_compressed(out_bs, sector_num, buf,
                                             cluster_sectors);
@@ -926,12 +936,14 @@ static int img_convert(int argc, char **argv)
         sector_num = 0; // total number of sectors converted so far
         for(;;) {
             nb_sectors = total_sectors - sector_num;
-            if (nb_sectors <= 0)
+            if (nb_sectors <= 0) {
                 break;
-            if (nb_sectors >= (IO_BUF_SIZE / 512))
+            }
+            if (nb_sectors >= (IO_BUF_SIZE / 512)) {
                 n = (IO_BUF_SIZE / 512);
-            else
+            } else {
                 n = nb_sectors;
+            }
 
             while (sector_num - bs_offset >= bs_sectors) {
                 bs_i ++;
@@ -943,8 +955,9 @@ static int img_convert(int argc, char **argv)
                    sector_num, bs_i, bs_offset, bs_sectors); */
             }
 
-            if (n > bs_offset + bs_sectors - sector_num)
+            if (n > bs_offset + bs_sectors - sector_num) {
                 n = bs_offset + bs_sectors - sector_num;
+            }
 
             if (has_zero_init) {
                 /* If the output image is being created as a copy on write image,
@@ -1080,8 +1093,9 @@ static int img_info(int argc, char **argv)
     fmt = NULL;
     for(;;) {
         c = getopt(argc, argv, "f:h");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -1091,8 +1105,9 @@ static int img_info(int argc, char **argv)
             break;
         }
     }
-    if (optind >= argc)
+    if (optind >= argc) {
         help();
+    }
     filename = argv[optind++];
 
     bs = bdrv_new_open(filename, fmt, BDRV_O_FLAGS | BDRV_O_NO_BACKING);
@@ -1103,11 +1118,12 @@ static int img_info(int argc, char **argv)
     bdrv_get_geometry(bs, &total_sectors);
     get_human_readable_size(size_buf, sizeof(size_buf), total_sectors * 512);
     allocated_size = get_allocated_file_size(filename);
-    if (allocated_size < 0)
+    if (allocated_size < 0) {
         snprintf(dsize_buf, sizeof(dsize_buf), "unavailable");
-    else
+    } else {
         get_human_readable_size(dsize_buf, sizeof(dsize_buf),
                                 allocated_size);
+    }
     printf("image: %s\n"
            "file format: %s\n"
            "virtual size: %s (%" PRId64 " bytes)\n"
@@ -1115,11 +1131,13 @@ static int img_info(int argc, char **argv)
            filename, fmt_name, size_buf,
            (total_sectors * 512),
            dsize_buf);
-    if (bdrv_is_encrypted(bs))
+    if (bdrv_is_encrypted(bs)) {
         printf("encrypted: yes\n");
+    }
     if (bdrv_get_info(bs, &bdi) >= 0) {
-        if (bdi.cluster_size != 0)
+        if (bdi.cluster_size != 0) {
             printf("cluster_size: %d\n", bdi.cluster_size);
+        }
     }
     bdrv_get_backing_filename(bs, backing_filename, sizeof(backing_filename));
     if (backing_filename[0] != '\0') {
@@ -1152,8 +1170,9 @@ static int img_snapshot(int argc, char **argv)
     /* Parse commandline parameters */
     for(;;) {
         c = getopt(argc, argv, "la:c:d:h");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -1193,8 +1212,9 @@ static int img_snapshot(int argc, char **argv)
         }
     }
 
-    if (optind >= argc)
+    if (optind >= argc) {
         help();
+    }
     filename = argv[optind++];
 
     /* Open the image */
@@ -1218,23 +1238,26 @@ static int img_snapshot(int argc, char **argv)
         sn.date_nsec = tv.tv_usec * 1000;
 
         ret = bdrv_snapshot_create(bs, &sn);
-        if (ret)
+        if (ret) {
             error("Could not create snapshot '%s': %d (%s)",
                 snapshot_name, ret, strerror(-ret));
+        }
         break;
 
     case SNAPSHOT_APPLY:
         ret = bdrv_snapshot_goto(bs, snapshot_name);
-        if (ret)
+        if (ret) {
             error("Could not apply snapshot '%s': %d (%s)",
                 snapshot_name, ret, strerror(-ret));
+        }
         break;
 
     case SNAPSHOT_DELETE:
         ret = bdrv_snapshot_delete(bs, snapshot_name);
-        if (ret)
+        if (ret) {
             error("Could not delete snapshot '%s': %d (%s)",
                 snapshot_name, ret, strerror(-ret));
+        }
         break;
     }
 
@@ -1262,8 +1285,9 @@ static int img_rebase(int argc, char **argv)
 
     for(;;) {
         c = getopt(argc, argv, "uhf:F:b:");
-        if (c == -1)
+        if (c == -1) {
             break;
+        }
         switch(c) {
         case 'h':
             help();
@@ -1283,8 +1307,9 @@ static int img_rebase(int argc, char **argv)
         }
     }
 
-    if ((optind >= argc) || !out_baseimg)
+    if ((optind >= argc) || !out_baseimg) {
         help();
+    }
     filename = argv[optind++];
 
     /*
commit 4ac8aacd954bbc9f3c3006a19cdf13be3caf7ae8
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 15:25:38 2010 +0100

    Consolidate printing of block driver options
    
    This consolidates the printing of block driver options in
    print_block_option_help() which is called from both img_create() and
    img_convert().
    
    This allows for the "?" detection to be done just after the parsing of
    options and the filename, instead of half way down the codepath of
    these functions.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index aded72d..50cfdda 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -188,6 +188,33 @@ static int read_password(char *buf, int buf_size)
 }
 #endif
 
+static int print_block_option_help(const char *filename, const char *fmt)
+{
+    BlockDriver *drv, *proto_drv;
+    QEMUOptionParameter *create_options = NULL;
+
+    /* Find driver and parse its options */
+    drv = bdrv_find_format(fmt);
+    if (!drv) {
+        error("Unknown file format '%s'", fmt);
+        return 1;
+    }
+
+    proto_drv = bdrv_find_protocol(filename);
+    if (!proto_drv) {
+        error("Unknown protocol '%s'", filename);
+        return 1;
+    }
+
+    create_options = append_option_parameters(create_options,
+                                              drv->create_options);
+    create_options = append_option_parameters(create_options,
+                                              proto_drv->create_options);
+    print_option_help(create_options);
+    free_option_parameters(create_options);
+    return 0;
+}
+
 static BlockDriverState *bdrv_new_open(const char *filename,
                                        const char *fmt,
                                        int flags)
@@ -310,6 +337,11 @@ static int img_create(int argc, char **argv)
         help();
     filename = argv[optind++];
 
+    if (options && !strcmp(options, "?")) {
+        ret = print_block_option_help(filename, fmt);
+        goto out;
+    }
+
     /* Find driver and parse its options */
     drv = bdrv_find_format(fmt);
     if (!drv) {
@@ -328,11 +360,6 @@ static int img_create(int argc, char **argv)
     create_options = append_option_parameters(create_options,
                                               proto_drv->create_options);
 
-    if (options && !strcmp(options, "?")) {
-        print_option_help(create_options);
-        goto out;
-    }
-
     /* Create parameter list with default values */
     param = parse_option_parameters("", create_options, param);
     set_option_parameter_int(param, BLOCK_OPT_SIZE, -1);
@@ -694,6 +721,11 @@ static int img_convert(int argc, char **argv)
 
     out_filename = argv[argc - 1];
 
+    if (options && !strcmp(options, "?")) {
+        ret = print_block_option_help(out_filename, out_fmt);
+        goto out;
+    }
+
     if (bs_n > 1 && out_baseimg) {
         error("-B makes no sense when concatenating multiple input images");
         ret = -1;
@@ -746,10 +778,6 @@ static int img_convert(int argc, char **argv)
                                               drv->create_options);
     create_options = append_option_parameters(create_options,
                                               proto_drv->create_options);
-    if (options && !strcmp(options, "?")) {
-        print_option_help(create_options);
-        goto out;
-    }
 
     if (options) {
         param = parse_option_parameters(options, create_options, param);
commit 31ca34b8cc2efe1b7e3f726dedb30c450a81abaf
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 15:25:36 2010 +0100

    img_convert(): Only try to free bs[] entries if bs is valid.
    
    This allows for jumping to 'out:' consistently for error exit.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index eca99c4..aded72d 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -696,7 +696,8 @@ static int img_convert(int argc, char **argv)
 
     if (bs_n > 1 && out_baseimg) {
         error("-B makes no sense when concatenating multiple input images");
-        return 1;
+        ret = -1;
+        goto out;
     }
         
     bs = qemu_mallocz(bs_n * sizeof(BlockDriverState *));
@@ -974,12 +975,14 @@ out:
     if (out_bs) {
         bdrv_delete(out_bs);
     }
-    for (bs_i = 0; bs_i < bs_n; bs_i++) {
-        if (bs[bs_i]) {
-            bdrv_delete(bs[bs_i]);
+    if (bs) {
+        for (bs_i = 0; bs_i < bs_n; bs_i++) {
+            if (bs[bs_i]) {
+                bdrv_delete(bs[bs_i]);
+            }
         }
+        qemu_free(bs);
     }
-    qemu_free(bs);
     if (ret) {
         return 1;
     }
commit 5bdf61fdd76b5ca7101353abbdbcd1ed692fa9e2
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 15:25:35 2010 +0100

    Use qemu_mallocz() instead of calloc() in img_convert()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index fa77ac0..eca99c4 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -699,11 +699,7 @@ static int img_convert(int argc, char **argv)
         return 1;
     }
         
-    bs = calloc(bs_n, sizeof(BlockDriverState *));
-    if (!bs) {
-        error("Out of memory");
-        return 1;
-    }
+    bs = qemu_mallocz(bs_n * sizeof(BlockDriverState *));
 
     total_sectors = 0;
     for (bs_i = 0; bs_i < bs_n; bs_i++) {
@@ -983,7 +979,7 @@ out:
             bdrv_delete(bs[bs_i]);
         }
     }
-    free(bs);
+    qemu_free(bs);
     if (ret) {
         return 1;
     }
commit 236e2376818251382f8811d46503581fde798ea3
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Dec 6 15:25:34 2010 +0100

    Add missing tracing to qemu_mallocz()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-malloc.c b/qemu-malloc.c
index 28fb05a..b9b3851 100644
--- a/qemu-malloc.c
+++ b/qemu-malloc.c
@@ -64,10 +64,13 @@ void *qemu_realloc(void *ptr, size_t size)
 
 void *qemu_mallocz(size_t size)
 {
+    void *ptr;
     if (!size && !allow_zero_malloc()) {
         abort();
     }
-    return qemu_oom_check(calloc(1, size ? size : 1));
+    ptr = qemu_oom_check(calloc(1, size ? size : 1));
+    trace_qemu_malloc(size, ptr);
+    return ptr;
 }
 
 char *qemu_strdup(const char *str)
commit 16905d717507d3daffa714c7f0fd5403873807b2
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Nov 30 15:14:14 2010 +0000

    block: Make bdrv_create_file() ':' handling consistent
    
    Filenames may start with "<protocol>:" to explicitly use a protocol like
    nbd.  Filenames with unknown protocols are rejected in most of QEMU
    except for bdrv_create_file().  Even if a file with an invalid filename
    can be created, QEMU cannot use it since all the other relevant
    functions reject such paths.  Make bdrv_create_file() consistent.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index 63effd8..e7a986c 100644
--- a/block.c
+++ b/block.c
@@ -215,7 +215,7 @@ int bdrv_create_file(const char* filename, QEMUOptionParameter *options)
 
     drv = bdrv_find_protocol(filename);
     if (drv == NULL) {
-        drv = bdrv_find_format("file");
+        return -ENOENT;
     }
 
     return bdrv_create(drv, filename, options);
commit 571a2b67f3d6986f768d0623df6d97847e4b153e
Author: Wei Yongjun <yjwei at cn.fujitsu.com>
Date:   Thu Dec 9 14:43:14 2010 +0800

    fix compile error of hw/device-assignment.c
    
    Fix the following compile error in next tree:
      CC    x86_64-softmmu/device-assignment.o
    hw/device-assignment.c: In function ‘assigned_device_pci_cap_init’:
    hw/device-assignment.c:1463: error: ‘PCI_PM_CTRL_NO_SOFT_RST’ undeclared (first use in this function)
    hw/device-assignment.c:1463: error: (Each undeclared identifier is reported only once
    hw/device-assignment.c:1463: error: for each function it appears in.)
    
    Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
    Acked-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 50c6408..8446cd4 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1460,7 +1460,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
         /* assign_device will bring the device up to D0, so we don't need
          * to worry about doing that ourselves here. */
         pci_set_word(pci_dev->config + pos + PCI_PM_CTRL,
-                     PCI_PM_CTRL_NO_SOFT_RST);
+                     PCI_PM_CTRL_NO_SOFT_RESET);
 
         pci_set_byte(pci_dev->config + pos + PCI_PM_PPB_EXTENSIONS, 0);
         pci_set_byte(pci_dev->config + pos + PCI_PM_DATA_REGISTER, 0);
commit 9e8caf52f2e9976faf83bfc588102912160ce911
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Thu Dec 9 09:16:22 2010 -0700

    pci: Fix PCI capabilities collision error value
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Acked-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 288d6fd..0962416 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1856,7 +1856,7 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
                         pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
                         PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
                         cap_id, offset, pdev->config_map[i], i);
-                return -EFAULT;
+                return -EINVAL;
             }
         }
     }
commit 36888c6335422f07bbc50bf3443a39f24b90c7c6
Author: Richard W.M. Jones <rjones at redhat.com>
Date:   Fri Sep 24 16:08:06 2010 +0100

    Watchdog: disable watchdog timer when hard-rebooting a guest.
    
    This commit causes the watchdog timer to be reset when a guest is
    hard-rebooted.
    
    The failure case previously was as follows:
    
      (a) guest boots, watchdog is enabled
    
      (b) guest does a reset eg:
            echo 'b' > /proc/sysrq-trigger
        (note that an ordinary /sbin/reboot wouldn't hit this case
        since as the watchdog daemon is shut down, the daemon would
        properly disable the watchdog device)
    
      (c) the reboot takes longer than the remaining time on the
        watchdog
    
      (d) the watchdog therefore fires during the reboot
    
      (e) probably the VM would just reboot again at this point which
        is pretty benign, but it could depend on the action that the
        user had selected for the watchdog
    
    Now we use the qdev reset function to register a reset handler
    which disables the timer.  Note the handler is called _either_
    just after init _or_ when the guest reboots.
    
    In the i6300esb case there is a small refactoring of the code so
    that the device's internal state is now fully restored to defaults
    on a reboot.
    
    Signed-off-by: Richard W.M. Jones <rjones at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/wdt_i6300esb.c b/hw/wdt_i6300esb.c
index 8443b41..90bf5f6 100644
--- a/hw/wdt_i6300esb.c
+++ b/hw/wdt_i6300esb.c
@@ -149,6 +149,8 @@ static void i6300esb_reset(DeviceState *dev)
 
     i6300esb_disable_timer(d);
 
+    /* NB: Don't change d->previous_reboot_flag in this function. */
+
     d->reboot_enabled = 1;
     d->clock_scale = CLOCK_SCALE_1KHZ;
     d->int_type = INT_TYPE_IRQ;
@@ -159,7 +161,6 @@ static void i6300esb_reset(DeviceState *dev)
     d->timer2_preload = 0xfffff;
     d->stage = 1;
     d->unlock_state = 0;
-    d->previous_reboot_flag = 0;
 }
 
 /* This function is called when the watchdog expires.  Note that
@@ -193,6 +194,7 @@ static void i6300esb_timer_expired(void *vp)
         if (d->reboot_enabled) {
             d->previous_reboot_flag = 1;
             watchdog_perform_action(); /* This reboots, exits, etc */
+            i6300esb_reset(&d->dev.qdev);
         }
 
         /* In "free running mode" we start stage 1 again. */
@@ -409,6 +411,7 @@ static int i6300esb_init(PCIDevice *dev)
     i6300esb_debug("I6300State = %p\n", d);
 
     d->timer = qemu_new_timer(vm_clock, i6300esb_timer_expired, d);
+    d->previous_reboot_flag = 0;
 
     pci_conf = d->dev.config;
     pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_INTEL);
diff --git a/hw/wdt_ib700.c b/hw/wdt_ib700.c
index c34687b..b6235eb 100644
--- a/hw/wdt_ib700.c
+++ b/hw/wdt_ib700.c
@@ -97,6 +97,8 @@ static int wdt_ib700_init(ISADevice *dev)
 {
     IB700State *s = DO_UPCAST(IB700State, dev, dev);
 
+    ib700_debug("watchdog init\n");
+
     s->timer = qemu_new_timer(vm_clock, ib700_timer_expired, s);
     register_ioport_write(0x441, 2, 1, ib700_write_disable_reg, s);
     register_ioport_write(0x443, 2, 1, ib700_write_enable_reg, s);
@@ -104,16 +106,26 @@ static int wdt_ib700_init(ISADevice *dev)
     return 0;
 }
 
+static void wdt_ib700_reset(DeviceState *dev)
+{
+    IB700State *s = DO_UPCAST(IB700State, dev.qdev, dev);
+
+    ib700_debug("watchdog reset\n");
+
+    qemu_del_timer(s->timer);
+}
+
 static WatchdogTimerModel model = {
     .wdt_name = "ib700",
     .wdt_description = "iBASE 700",
 };
 
 static ISADeviceInfo wdt_ib700_info = {
-    .qdev.name = "ib700",
-    .qdev.size = sizeof(IB700State),
-    .qdev.vmsd = &vmstate_ib700,
-    .init      = wdt_ib700_init,
+    .qdev.name  = "ib700",
+    .qdev.size  = sizeof(IB700State),
+    .qdev.vmsd  = &vmstate_ib700,
+    .qdev.reset = wdt_ib700_reset,
+    .init       = wdt_ib700_init,
 };
 
 static void wdt_ib700_register_devices(void)
commit 962630f207a33b7de4316022884b5241e05491cd
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:09 2010 +0200

    Pass boot device list to firmware.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/fw_cfg.c b/hw/fw_cfg.c
index 957466d..85c8c3c 100644
--- a/hw/fw_cfg.c
+++ b/hw/fw_cfg.c
@@ -53,6 +53,7 @@ struct FWCfgState {
     FWCfgFiles *files;
     uint16_t cur_entry;
     uint32_t cur_offset;
+    Notifier machine_ready;
 };
 
 static void fw_cfg_write(FWCfgState *s, uint8_t value)
@@ -315,6 +316,15 @@ int fw_cfg_add_file(FWCfgState *s,  const char *filename, uint8_t *data,
     return 1;
 }
 
+static void fw_cfg_machine_ready(struct Notifier* n)
+{
+    uint32_t len;
+    FWCfgState *s = container_of(n, FWCfgState, machine_ready);
+    char *bootindex = get_boot_devices_list(&len);
+
+    fw_cfg_add_file(s, "bootorder", (uint8_t*)bootindex, len);
+}
+
 FWCfgState *fw_cfg_init(uint32_t ctl_port, uint32_t data_port,
                         target_phys_addr_t ctl_addr, target_phys_addr_t data_addr)
 {
@@ -343,6 +353,10 @@ FWCfgState *fw_cfg_init(uint32_t ctl_port, uint32_t data_port,
     fw_cfg_add_i16(s, FW_CFG_MAX_CPUS, (uint16_t)max_cpus);
     fw_cfg_add_i16(s, FW_CFG_BOOT_MENU, (uint16_t)boot_menu);
 
+
+    s->machine_ready.notify = fw_cfg_machine_ready;
+    qemu_add_machine_init_done_notifier(&s->machine_ready);
+
     return s;
 }
 
diff --git a/sysemu.h b/sysemu.h
index c42f33a..38a20a3 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -196,4 +196,5 @@ void register_devices(void);
 
 void add_boot_device_path(int32_t bootindex, DeviceState *dev,
                           const char *suffix);
+char *get_boot_devices_list(uint32_t *size);
 #endif
diff --git a/vl.c b/vl.c
index 0d20d26..c4d3fc0 100644
--- a/vl.c
+++ b/vl.c
@@ -736,6 +736,54 @@ void add_boot_device_path(int32_t bootindex, DeviceState *dev,
     QTAILQ_INSERT_TAIL(&fw_boot_order, node, link);
 }
 
+/*
+ * This function returns null terminated string that consist of new line
+ * separated device pathes.
+ *
+ * memory pointed by "size" is assigned total length of the array in bytes
+ *
+ */
+char *get_boot_devices_list(uint32_t *size)
+{
+    FWBootEntry *i;
+    uint32_t total = 0;
+    char *list = NULL;
+
+    QTAILQ_FOREACH(i, &fw_boot_order, link) {
+        char *devpath = NULL, *bootpath;
+        int len;
+
+        if (i->dev) {
+            devpath = qdev_get_fw_dev_path(i->dev);
+            assert(devpath);
+        }
+
+        if (i->suffix && devpath) {
+            bootpath = qemu_malloc(strlen(devpath) + strlen(i->suffix) + 1);
+            sprintf(bootpath, "%s%s", devpath, i->suffix);
+            qemu_free(devpath);
+        } else if (devpath) {
+            bootpath = devpath;
+        } else {
+            bootpath = strdup(i->suffix);
+            assert(bootpath);
+        }
+
+        if (total) {
+            list[total-1] = '\n';
+        }
+        len = strlen(bootpath) + 1;
+        list = qemu_realloc(list, total + len);
+        memcpy(&list[total], bootpath, len);
+        total += len;
+        qemu_free(bootpath);
+    }
+
+    *size = total;
+
+    return list;
+}
+
 static void numa_add(const char *optarg)
 {
     char option[128];
commit 4cab946a4adc3094a846dd3c7ea104abe7bdc5f1
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:08 2010 +0200

    Add notifier that will be called when machine is fully created.
    
    Action that depends on fully initialized device model should register
    with this notifier chain.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/sysemu.h b/sysemu.h
index 48f8eee..c42f33a 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -60,6 +60,8 @@ void qemu_system_reset(void);
 void qemu_add_exit_notifier(Notifier *notify);
 void qemu_remove_exit_notifier(Notifier *notify);
 
+void qemu_add_machine_init_done_notifier(Notifier *notify);
+
 void do_savevm(Monitor *mon, const QDict *qdict);
 int load_vmstate(const char *name);
 void do_delvm(Monitor *mon, const QDict *qdict);
diff --git a/vl.c b/vl.c
index 844d6a5..0d20d26 100644
--- a/vl.c
+++ b/vl.c
@@ -254,6 +254,9 @@ static void *boot_set_opaque;
 static NotifierList exit_notifiers =
     NOTIFIER_LIST_INITIALIZER(exit_notifiers);
 
+static NotifierList machine_init_done_notifiers =
+    NOTIFIER_LIST_INITIALIZER(machine_init_done_notifiers);
+
 int kvm_allowed = 0;
 uint32_t xen_domid;
 enum xen_mode xen_mode = XEN_EMULATE;
@@ -1782,6 +1785,16 @@ static void qemu_run_exit_notifiers(void)
     notifier_list_notify(&exit_notifiers);
 }
 
+void qemu_add_machine_init_done_notifier(Notifier *notify)
+{
+    notifier_list_add(&machine_init_done_notifiers, notify);
+}
+
+static void qemu_run_machine_init_done_notifiers(void)
+{
+    notifier_list_notify(&machine_init_done_notifiers);
+}
+
 static const QEMUOption *lookup_opt(int argc, char **argv,
                                     const char **poptarg, int *poptind)
 {
@@ -3028,6 +3041,8 @@ int main(int argc, char **argv, char **envp)
     }
 
     qemu_register_reset((void *)qbus_reset_all, sysbus_get_default());
+    qemu_run_machine_init_done_notifiers();
+
     qemu_system_reset();
     if (loadvm) {
         if (load_vmstate(loadvm) < 0) {
commit 2e55e84282c545aeab8f5c9dd52a8073deaf3dbc
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:07 2010 +0200

    Add bootindex for option roms.
    
    Extend -option-rom command to have additional parameter ,bootindex=.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/loader.c b/hw/loader.c
index 1e98326..eb198f6 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -107,7 +107,7 @@ int load_image_targphys(const char *filename,
 
     size = get_image_size(filename);
     if (size > 0)
-        rom_add_file_fixed(filename, addr);
+        rom_add_file_fixed(filename, addr, -1);
     return size;
 }
 
@@ -557,10 +557,11 @@ static void rom_insert(Rom *rom)
 }
 
 int rom_add_file(const char *file, const char *fw_dir,
-                 target_phys_addr_t addr)
+                 target_phys_addr_t addr, int32_t bootindex)
 {
     Rom *rom;
     int rc, fd = -1;
+    char devpath[100];
 
     rom = qemu_mallocz(sizeof(*rom));
     rom->name = qemu_strdup(file);
@@ -605,7 +606,12 @@ int rom_add_file(const char *file, const char *fw_dir,
         snprintf(fw_file_name, sizeof(fw_file_name), "%s/%s", rom->fw_dir,
                  basename);
         fw_cfg_add_file(fw_cfg, fw_file_name, rom->data, rom->romsize);
+        snprintf(devpath, sizeof(devpath), "/rom@%s", fw_file_name);
+    } else {
+        snprintf(devpath, sizeof(devpath), "/rom@" TARGET_FMT_plx, addr);
     }
+
+    add_boot_device_path(bootindex, NULL, devpath);
     return 0;
 
 err:
@@ -635,12 +641,12 @@ int rom_add_blob(const char *name, const void *blob, size_t len,
 
 int rom_add_vga(const char *file)
 {
-    return rom_add_file(file, "vgaroms", 0);
+    return rom_add_file(file, "vgaroms", 0, -1);
 }
 
-int rom_add_option(const char *file)
+int rom_add_option(const char *file, int32_t bootindex)
 {
-    return rom_add_file(file, "genroms", 0);
+    return rom_add_file(file, "genroms", 0, bootindex);
 }
 
 static void rom_reset(void *unused)
diff --git a/hw/loader.h b/hw/loader.h
index 1f82fc5..fc6bdff 100644
--- a/hw/loader.h
+++ b/hw/loader.h
@@ -22,7 +22,7 @@ void pstrcpy_targphys(const char *name,
 
 
 int rom_add_file(const char *file, const char *fw_dir,
-                 target_phys_addr_t addr);
+                 target_phys_addr_t addr, int32_t bootindex);
 int rom_add_blob(const char *name, const void *blob, size_t len,
                  target_phys_addr_t addr);
 int rom_load_all(void);
@@ -31,8 +31,8 @@ int rom_copy(uint8_t *dest, target_phys_addr_t addr, size_t size);
 void *rom_ptr(target_phys_addr_t addr);
 void do_info_roms(Monitor *mon);
 
-#define rom_add_file_fixed(_f, _a)              \
-    rom_add_file(_f, NULL, _a)
+#define rom_add_file_fixed(_f, _a, _i)          \
+    rom_add_file(_f, NULL, _a, _i)
 #define rom_add_blob_fixed(_f, _b, _l, _a)      \
     rom_add_blob(_f, _b, _l, _a)
 
@@ -43,6 +43,6 @@ void do_info_roms(Monitor *mon);
 #define PC_ROM_SIZE        (PC_ROM_MAX - PC_ROM_MIN_VGA)
 
 int rom_add_vga(const char *file);
-int rom_add_option(const char *file);
+int rom_add_option(const char *file, int32_t bootindex);
 
 #endif
diff --git a/hw/multiboot.c b/hw/multiboot.c
index e710bbb..7cc3055 100644
--- a/hw/multiboot.c
+++ b/hw/multiboot.c
@@ -331,7 +331,8 @@ int load_multiboot(void *fw_cfg,
     fw_cfg_add_bytes(fw_cfg, FW_CFG_INITRD_DATA, mb_bootinfo_data,
                      sizeof(bootinfo));
 
-    option_rom[nb_option_roms] = "multiboot.bin";
+    option_rom[nb_option_roms].name = "multiboot.bin";
+    option_rom[nb_option_roms].bootindex = 0;
     nb_option_roms++;
 
     return 1; /* yes, we are multiboot */
diff --git a/hw/ne2000.c b/hw/ne2000.c
index a030106..5966359 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -742,7 +742,7 @@ static int pci_ne2000_init(PCIDevice *pci_dev)
     if (!pci_dev->qdev.hotplugged) {
         static int loaded = 0;
         if (!loaded) {
-            rom_add_option("pxe-ne2k_pci.bin");
+            rom_add_option("pxe-ne2k_pci.bin", -1);
             loaded = 1;
         }
     }
diff --git a/hw/nseries.c b/hw/nseries.c
index 04a028d..2f6f473 100644
--- a/hw/nseries.c
+++ b/hw/nseries.c
@@ -1326,7 +1326,7 @@ static void n8x0_init(ram_addr_t ram_size, const char *boot_device,
         qemu_register_reset(n8x0_boot_init, s);
     }
 
-    if (option_rom[0] && (boot_device[0] == 'n' || !kernel_filename)) {
+    if (option_rom[0].name && (boot_device[0] == 'n' || !kernel_filename)) {
         int rom_size;
         uint8_t nolo_tags[0x10000];
         /* No, wait, better start at the ROM.  */
@@ -1341,7 +1341,7 @@ static void n8x0_init(ram_addr_t ram_size, const char *boot_device,
          *
          * The code above is for loading the `zImage' file from Nokia
          * images.  */
-        rom_size = load_image_targphys(option_rom[0],
+        rom_size = load_image_targphys(option_rom[0].name,
                                        OMAP2_Q2_BASE + 0x400000,
                                        sdram_size - 0x400000);
         printf("%i bytes of image loaded\n", rom_size);
diff --git a/hw/palm.c b/hw/palm.c
index dd8d1e5..f22d777 100644
--- a/hw/palm.c
+++ b/hw/palm.c
@@ -238,20 +238,20 @@ static void palmte_init(ram_addr_t ram_size,
 
     /* Setup initial (reset) machine state */
     if (nb_option_roms) {
-        rom_size = get_image_size(option_rom[0]);
+        rom_size = get_image_size(option_rom[0].name);
         if (rom_size > flash_size) {
             fprintf(stderr, "%s: ROM image too big (%x > %x)\n",
                             __FUNCTION__, rom_size, flash_size);
             rom_size = 0;
         }
         if (rom_size > 0) {
-            rom_size = load_image_targphys(option_rom[0], OMAP_CS0_BASE,
+            rom_size = load_image_targphys(option_rom[0].name, OMAP_CS0_BASE,
                                            flash_size);
             rom_loaded = 1;
         }
         if (rom_size < 0) {
             fprintf(stderr, "%s: error loading '%s'\n",
-                            __FUNCTION__, option_rom[0]);
+                            __FUNCTION__, option_rom[0].name);
         }
     }
 
diff --git a/hw/pc.c b/hw/pc.c
index 119c110..e1b2667 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -733,7 +733,8 @@ static void load_linux(void *fw_cfg,
     fw_cfg_add_i32(fw_cfg, FW_CFG_SETUP_SIZE, setup_size);
     fw_cfg_add_bytes(fw_cfg, FW_CFG_SETUP_DATA, setup, setup_size);
 
-    option_rom[nb_option_roms] = "linuxboot.bin";
+    option_rom[nb_option_roms].name = "linuxboot.bin";
+    option_rom[nb_option_roms].bootindex = 0;
     nb_option_roms++;
 }
 
@@ -937,7 +938,7 @@ void pc_memory_init(ram_addr_t ram_size,
         goto bios_error;
     }
     bios_offset = qemu_ram_alloc(NULL, "pc.bios", bios_size);
-    ret = rom_add_file_fixed(bios_name, (uint32_t)(-bios_size));
+    ret = rom_add_file_fixed(bios_name, (uint32_t)(-bios_size), -1);
     if (ret != 0) {
     bios_error:
         fprintf(stderr, "qemu: could not load PC BIOS '%s'\n", bios_name);
@@ -969,7 +970,7 @@ void pc_memory_init(ram_addr_t ram_size,
     }
 
     for (i = 0; i < nb_option_roms; i++) {
-        rom_add_option(option_rom[i]);
+        rom_add_option(option_rom[i].name, option_rom[i].bootindex);
     }
 }
 
diff --git a/hw/pci.c b/hw/pci.c
index e7ea907..24e650a 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1832,7 +1832,7 @@ static int pci_add_option_rom(PCIDevice *pdev, bool is_default_rom)
         if (class == 0x0300) {
             rom_add_vga(pdev->romfile);
         } else {
-            rom_add_option(pdev->romfile);
+            rom_add_option(pdev->romfile, -1);
         }
         return 0;
     }
diff --git a/hw/pcnet-pci.c b/hw/pcnet-pci.c
index 5c5bd21..339a401 100644
--- a/hw/pcnet-pci.c
+++ b/hw/pcnet-pci.c
@@ -310,7 +310,7 @@ static int pci_pcnet_init(PCIDevice *pci_dev)
     if (!pci_dev->qdev.hotplugged) {
         static int loaded = 0;
         if (!loaded) {
-            rom_add_option("pxe-pcnet.bin");
+            rom_add_option("pxe-pcnet.bin", -1);
             loaded = 1;
         }
     }
diff --git a/qemu-config.c b/qemu-config.c
index 52f18be..965fa46 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -429,6 +429,22 @@ QemuOptsList qemu_spice_opts = {
     },
 };
 
+QemuOptsList qemu_option_rom_opts = {
+    .name = "option-rom",
+    .implied_opt_name = "romfile",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_option_rom_opts.head),
+    .desc = {
+        {
+            .name = "bootindex",
+            .type = QEMU_OPT_NUMBER,
+        }, {
+            .name = "romfile",
+            .type = QEMU_OPT_STRING,
+        },
+        { /* end if list */ }
+    },
+};
+
 static QemuOptsList *vm_config_groups[32] = {
     &qemu_drive_opts,
     &qemu_chardev_opts,
@@ -442,6 +458,7 @@ static QemuOptsList *vm_config_groups[32] = {
 #ifdef CONFIG_SIMPLE_TRACE
     &qemu_trace_opts,
 #endif
+    &qemu_option_rom_opts,
     NULL,
 };
 
diff --git a/sysemu.h b/sysemu.h
index fe9a582..48f8eee 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -139,7 +139,11 @@ extern uint64_t node_mem[MAX_NODES];
 extern uint64_t node_cpumask[MAX_NODES];
 
 #define MAX_OPTION_ROMS 16
-extern const char *option_rom[MAX_OPTION_ROMS];
+typedef struct QEMUOptionRom {
+    const char *name;
+    int32_t bootindex;
+} QEMUOptionRom;
+extern QEMUOptionRom option_rom[MAX_OPTION_ROMS];
 extern int nb_option_roms;
 
 #define MAX_PROM_ENVS 128
diff --git a/vl.c b/vl.c
index dadc161..844d6a5 100644
--- a/vl.c
+++ b/vl.c
@@ -218,7 +218,7 @@ int cursor_hide = 1;
 int graphic_rotate = 0;
 uint8_t irq0override = 1;
 const char *watchdog;
-const char *option_rom[MAX_OPTION_ROMS];
+QEMUOptionRom option_rom[MAX_OPTION_ROMS];
 int nb_option_roms;
 int semihosting_enabled = 0;
 int old_param = 0;
@@ -2520,7 +2520,14 @@ int main(int argc, char **argv, char **envp)
 		    fprintf(stderr, "Too many option ROMs\n");
 		    exit(1);
 		}
-		option_rom[nb_option_roms] = optarg;
+                opts = qemu_opts_parse(qemu_find_opts("option-rom"), optarg, 1);
+                option_rom[nb_option_roms].name = qemu_opt_get(opts, "romfile");
+                option_rom[nb_option_roms].bootindex =
+                    qemu_opt_get_number(opts, "bootindex", -1);
+                if (!option_rom[nb_option_roms].name) {
+                    fprintf(stderr, "Option ROM file is not specified\n");
+                    exit(1);
+                }
 		nb_option_roms++;
 		break;
             case QEMU_OPTION_semihosting:
commit de1f34cb6351c028ebcc61fea9fa78008ca1a529
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:06 2010 +0200

    Change fw_cfg_add_file() to get full file path as a parameter.
    
    Change fw_cfg_add_file() to get full file path as a parameter instead
    of building one internally. Two reasons for that. First caller may need
    to know how file is named. Second this moves policy of file naming out
    from fw_cfg. Platform may want to use more then two levels of
    directories for instance.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/fw_cfg.c b/hw/fw_cfg.c
index 48b92d6..957466d 100644
--- a/hw/fw_cfg.c
+++ b/hw/fw_cfg.c
@@ -277,10 +277,9 @@ int fw_cfg_add_callback(FWCfgState *s, uint16_t key, FWCfgCallback callback,
     return 1;
 }
 
-int fw_cfg_add_file(FWCfgState *s,  const char *dir, const char *filename,
-                    uint8_t *data, uint32_t len)
+int fw_cfg_add_file(FWCfgState *s,  const char *filename, uint8_t *data,
+                    uint32_t len)
 {
-    const char *basename;
     int i, index;
 
     if (!s->files) {
@@ -297,15 +296,8 @@ int fw_cfg_add_file(FWCfgState *s,  const char *dir, const char *filename,
 
     fw_cfg_add_bytes(s, FW_CFG_FILE_FIRST + index, data, len);
 
-    basename = strrchr(filename, '/');
-    if (basename) {
-        basename++;
-    } else {
-        basename = filename;
-    }
-
-    snprintf(s->files->f[index].name, sizeof(s->files->f[index].name),
-             "%s/%s", dir, basename);
+    pstrcpy(s->files->f[index].name, sizeof(s->files->f[index].name),
+            filename);
     for (i = 0; i < index; i++) {
         if (strcmp(s->files->f[index].name, s->files->f[i].name) == 0) {
             FW_CFG_DPRINTF("%s: skip duplicate: %s\n", __FUNCTION__,
diff --git a/hw/fw_cfg.h b/hw/fw_cfg.h
index 4d13a4f..856bf91 100644
--- a/hw/fw_cfg.h
+++ b/hw/fw_cfg.h
@@ -60,8 +60,8 @@ int fw_cfg_add_i32(FWCfgState *s, uint16_t key, uint32_t value);
 int fw_cfg_add_i64(FWCfgState *s, uint16_t key, uint64_t value);
 int fw_cfg_add_callback(FWCfgState *s, uint16_t key, FWCfgCallback callback,
                         void *callback_opaque, uint8_t *data, size_t len);
-int fw_cfg_add_file(FWCfgState *s, const char *dir, const char *filename,
-                    uint8_t *data, uint32_t len);
+int fw_cfg_add_file(FWCfgState *s, const char *filename, uint8_t *data,
+                    uint32_t len);
 FWCfgState *fw_cfg_init(uint32_t ctl_port, uint32_t data_port,
                         target_phys_addr_t crl_addr, target_phys_addr_t data_addr);
 
diff --git a/hw/loader.c b/hw/loader.c
index 49ac1fa..1e98326 100644
--- a/hw/loader.c
+++ b/hw/loader.c
@@ -592,8 +592,20 @@ int rom_add_file(const char *file, const char *fw_dir,
     }
     close(fd);
     rom_insert(rom);
-    if (rom->fw_file && fw_cfg)
-        fw_cfg_add_file(fw_cfg, rom->fw_dir, rom->fw_file, rom->data, rom->romsize);
+    if (rom->fw_file && fw_cfg) {
+        const char *basename;
+        char fw_file_name[56];
+
+        basename = strrchr(rom->fw_file, '/');
+        if (basename) {
+            basename++;
+        } else {
+            basename = rom->fw_file;
+        }
+        snprintf(fw_file_name, sizeof(fw_file_name), "%s/%s", rom->fw_dir,
+                 basename);
+        fw_cfg_add_file(fw_cfg, fw_file_name, rom->data, rom->romsize);
+    }
     return 0;
 
 err:
commit 1ca4d09ae0bcc2fdd6aeef0fdc11f82394f7e757
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:05 2010 +0200

    Add bootindex parameter to net/block/fd device
    
    If bootindex is specified on command line a string that describes device
    in firmware readable way is added into sorted list. Later this list will
    be passed into firmware to control boot order.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block_int.h b/block_int.h
index 3c3adb5..0a0e47d 100644
--- a/block_int.h
+++ b/block_int.h
@@ -227,6 +227,7 @@ typedef struct BlockConf {
     uint16_t logical_block_size;
     uint16_t min_io_size;
     uint32_t opt_io_size;
+    int32_t bootindex;
 } BlockConf;
 
 static inline unsigned int get_physical_block_exp(BlockConf *conf)
@@ -249,6 +250,7 @@ static inline unsigned int get_physical_block_exp(BlockConf *conf)
     DEFINE_PROP_UINT16("physical_block_size", _state,                   \
                        _conf.physical_block_size, 512),                 \
     DEFINE_PROP_UINT16("min_io_size", _state, _conf.min_io_size, 0),  \
-    DEFINE_PROP_UINT32("opt_io_size", _state, _conf.opt_io_size, 0)
+    DEFINE_PROP_UINT32("opt_io_size", _state, _conf.opt_io_size, 0),    \
+    DEFINE_PROP_INT32("bootindex", _state, _conf.bootindex, -1)         \
 
 #endif /* BLOCK_INT_H */
diff --git a/hw/e1000.c b/hw/e1000.c
index a697abd..af101bd 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -30,6 +30,7 @@
 #include "net.h"
 #include "net/checksum.h"
 #include "loader.h"
+#include "sysemu.h"
 
 #include "e1000_hw.h"
 
@@ -1147,6 +1148,9 @@ static int pci_e1000_init(PCIDevice *pci_dev)
                           d->dev.qdev.info->name, d->dev.qdev.id, d);
 
     qemu_format_nic_info_str(&d->nic->nc, macaddr);
+
+    add_boot_device_path(d->conf.bootindex, &pci_dev->qdev, "/ethernet-phy at 0");
+
     return 0;
 }
 
diff --git a/hw/eepro100.c b/hw/eepro100.c
index b31ad3e..edf48f6 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -46,6 +46,7 @@
 #include "pci.h"
 #include "net.h"
 #include "eeprom93xx.h"
+#include "sysemu.h"
 
 #define KiB 1024
 
@@ -1908,6 +1909,8 @@ static int e100_nic_init(PCIDevice *pci_dev)
     s->vmstate->name = s->nic->nc.model;
     vmstate_register(&pci_dev->qdev, -1, s->vmstate, s);
 
+    add_boot_device_path(s->conf.bootindex, &pci_dev->qdev, "/ethernet-phy at 0");
+
     return 0;
 }
 
diff --git a/hw/fdc.c b/hw/fdc.c
index 9d92e93..4bbcc47 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -35,6 +35,7 @@
 #include "sysbus.h"
 #include "qdev-addr.h"
 #include "blockdev.h"
+#include "sysemu.h"
 
 /********************************************************/
 /* debug Floppy devices */
@@ -523,6 +524,8 @@ typedef struct FDCtrlSysBus {
 typedef struct FDCtrlISABus {
     ISADevice busdev;
     struct FDCtrl state;
+    int32_t bootindexA;
+    int32_t bootindexB;
 } FDCtrlISABus;
 
 static uint32_t fdctrl_read (void *opaque, uint32_t reg)
@@ -1992,6 +1995,9 @@ static int isabus_fdc_init1(ISADevice *dev)
     qdev_set_legacy_instance_id(&dev->qdev, iobase, 2);
     ret = fdctrl_init_common(fdctrl);
 
+    add_boot_device_path(isa->bootindexA, &dev->qdev, "/floppy at 0");
+    add_boot_device_path(isa->bootindexB, &dev->qdev, "/floppy at 1");
+
     return ret;
 }
 
@@ -2053,6 +2059,8 @@ static ISADeviceInfo isa_fdc_info = {
     .qdev.props = (Property[]) {
         DEFINE_PROP_DRIVE("driveA", FDCtrlISABus, state.drives[0].bs),
         DEFINE_PROP_DRIVE("driveB", FDCtrlISABus, state.drives[1].bs),
+        DEFINE_PROP_INT32("bootindexA", FDCtrlISABus, bootindexA, -1),
+        DEFINE_PROP_INT32("bootindexB", FDCtrlISABus, bootindexB, -1),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
diff --git a/hw/ide/qdev.c b/hw/ide/qdev.c
index 01a181b..2bb5c27 100644
--- a/hw/ide/qdev.c
+++ b/hw/ide/qdev.c
@@ -21,6 +21,7 @@
 #include "qemu-error.h"
 #include <hw/ide/internal.h>
 #include "blockdev.h"
+#include "sysemu.h"
 
 /* --------------------------------- */
 
@@ -143,6 +144,10 @@ static int ide_drive_initfn(IDEDevice *dev)
     if (!dev->serial) {
         dev->serial = qemu_strdup(s->drive_serial_str);
     }
+
+    add_boot_device_path(dev->conf.bootindex, &dev->qdev,
+                         dev->unit ? "/disk at 1" : "/disk at 0");
+
     return 0;
 }
 
diff --git a/hw/ne2000.c b/hw/ne2000.c
index 126e7cf..a030106 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -26,6 +26,7 @@
 #include "net.h"
 #include "ne2000.h"
 #include "loader.h"
+#include "sysemu.h"
 
 /* debug NE2000 card */
 //#define DEBUG_NE2000
@@ -746,6 +747,8 @@ static int pci_ne2000_init(PCIDevice *pci_dev)
         }
     }
 
+    add_boot_device_path(s->c.bootindex, &pci_dev->qdev, "/ethernet-phy at 0");
+
     return 0;
 }
 
diff --git a/hw/pcnet.c b/hw/pcnet.c
index 37010b8..db52dc5 100644
--- a/hw/pcnet.c
+++ b/hw/pcnet.c
@@ -39,6 +39,7 @@
 #include "net.h"
 #include "qemu-timer.h"
 #include "qemu_socket.h"
+#include "sysemu.h"
 
 #include "pcnet.h"
 
@@ -1740,5 +1741,8 @@ int pcnet_common_init(DeviceState *dev, PCNetState *s, NetClientInfo *info)
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
     s->nic = qemu_new_nic(info, &s->conf, dev->info->name, dev->id, s);
     qemu_format_nic_info_str(&s->nic->nc, s->conf.macaddr.a);
+
+    add_boot_device_path(s->conf.bootindex, dev, "/ethernet-phy at 0");
+
     return 0;
 }
diff --git a/hw/qdev.c b/hw/qdev.c
index b65b63e..10e28df 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -889,3 +889,35 @@ int do_device_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
     }
     return qdev_unplug(dev);
 }
+
+static int qdev_get_fw_dev_path_helper(DeviceState *dev, char *p, int size)
+{
+    int l = 0;
+
+    if (dev && dev->parent_bus) {
+        char *d;
+        l = qdev_get_fw_dev_path_helper(dev->parent_bus->parent, p, size);
+        if (dev->parent_bus->info->get_fw_dev_path) {
+            d = dev->parent_bus->info->get_fw_dev_path(dev);
+            l += snprintf(p + l, size - l, "%s", d);
+            qemu_free(d);
+        } else {
+            l += snprintf(p + l, size - l, "%s", dev->info->name);
+        }
+    }
+    l += snprintf(p + l , size - l, "/");
+
+    return l;
+}
+
+char* qdev_get_fw_dev_path(DeviceState *dev)
+{
+    char path[128];
+    int l;
+
+    l = qdev_get_fw_dev_path_helper(dev, path, 128);
+
+    path[l-1] = '\0';
+
+    return strdup(path);
+}
diff --git a/hw/qdev.h b/hw/qdev.h
index f72fbde..aaaf55a 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -319,6 +319,7 @@ static inline const char *qdev_fw_name(DeviceState *dev)
     return dev->info->fw_name ? : dev->info->alias ? : dev->info->name;
 }
 
+char *qdev_get_fw_dev_path(DeviceState *dev);
 /* This is a nasty hack to allow passing a NULL bus to qdev_create.  */
 extern struct BusInfo system_bus_info;
 
diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 4a73f6f..a8aed89 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -52,6 +52,7 @@
 #include "qemu-timer.h"
 #include "net.h"
 #include "loader.h"
+#include "sysemu.h"
 
 /* debug RTL8139 card */
 //#define DEBUG_RTL8139 1
@@ -3376,6 +3377,9 @@ static int pci_rtl8139_init(PCIDevice *dev)
     s->TimerExpire = 0;
     s->timer = qemu_new_timer(vm_clock, rtl8139_timer, s);
     rtl8139_set_next_tctr_time(s, qemu_get_clock(vm_clock));
+
+    add_boot_device_path(s->conf.bootindex, &dev->qdev, "/ethernet-phy at 0");
+
     return 0;
 }
 
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 851046f..87f9e86 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1225,6 +1225,7 @@ static int scsi_disk_initfn(SCSIDevice *dev)
     s->qdev.type = TYPE_DISK;
     qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s);
     bdrv_set_removable(s->bs, is_cd);
+    add_boot_device_path(s->qdev.conf.bootindex, &dev->qdev, ",0");
     return 0;
 }
 
diff --git a/hw/usb-net.c b/hw/usb-net.c
index f6bed21..8492455 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -27,6 +27,7 @@
 #include "usb.h"
 #include "net.h"
 #include "qemu-queue.h"
+#include "sysemu.h"
 
 /*#define TRAFFIC_DEBUG*/
 /* Thanks to NetChip Technologies for donating this product ID.
@@ -1463,6 +1464,7 @@ static int usb_net_initfn(USBDevice *dev)
              s->conf.macaddr.a[4],
              s->conf.macaddr.a[5]);
 
+    add_boot_device_path(s->conf.bootindex, &dev->qdev, "/ethernet at 0");
     return 0;
 }
 
diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index e5f9b27..f62ccd1 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -548,6 +548,8 @@ VirtIODevice *virtio_blk_init(DeviceState *dev, BlockConf *conf)
     bdrv_set_removable(s->bs, 0);
     s->bs->buffer_alignment = conf->logical_block_size;
 
+    add_boot_device_path(conf->bootindex, dev, "/disk at 0,0");
+
     return &s->vdev;
 }
 
diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 1d61f19..3472f6b 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -1017,6 +1017,8 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
                     virtio_net_save, virtio_net_load, n);
     n->vmstate = qemu_add_vm_change_state_handler(virtio_net_vmstate_change, n);
 
+    add_boot_device_path(conf->bootindex, dev, "/ethernet-phy at 0");
+
     return &n->vdev;
 }
 
diff --git a/net.h b/net.h
index 44c31a9..6ceca50 100644
--- a/net.h
+++ b/net.h
@@ -17,12 +17,14 @@ typedef struct NICConf {
     MACAddr macaddr;
     VLANState *vlan;
     VLANClientState *peer;
+    int32_t bootindex;
 } NICConf;
 
 #define DEFINE_NIC_PROPERTIES(_state, _conf)                            \
     DEFINE_PROP_MACADDR("mac",   _state, _conf.macaddr),                \
     DEFINE_PROP_VLAN("vlan",     _state, _conf.vlan),                   \
-    DEFINE_PROP_NETDEV("netdev", _state, _conf.peer)
+    DEFINE_PROP_NETDEV("netdev", _state, _conf.peer),                   \
+    DEFINE_PROP_INT32("bootindex", _state, _conf.bootindex, -1)
 
 /* VLANs support */
 
diff --git a/sysemu.h b/sysemu.h
index b81a70e..fe9a582 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -188,4 +188,6 @@ void rtc_change_mon_event(struct tm *tm);
 
 void register_devices(void);
 
+void add_boot_device_path(int32_t bootindex, DeviceState *dev,
+                          const char *suffix);
 #endif
diff --git a/vl.c b/vl.c
index 2cd263e..dadc161 100644
--- a/vl.c
+++ b/vl.c
@@ -229,6 +229,17 @@ unsigned int nb_prom_envs = 0;
 const char *prom_envs[MAX_PROM_ENVS];
 int boot_menu;
 
+typedef struct FWBootEntry FWBootEntry;
+
+struct FWBootEntry {
+    QTAILQ_ENTRY(FWBootEntry) link;
+    int32_t bootindex;
+    DeviceState *dev;
+    char *suffix;
+};
+
+QTAILQ_HEAD(, FWBootEntry) fw_boot_order = QTAILQ_HEAD_INITIALIZER(fw_boot_order);
+
 int nb_numa_nodes;
 uint64_t node_mem[MAX_NODES];
 uint64_t node_cpumask[MAX_NODES];
@@ -693,6 +704,35 @@ static void restore_boot_devices(void *opaque)
     qemu_free(standard_boot_devices);
 }
 
+void add_boot_device_path(int32_t bootindex, DeviceState *dev,
+                          const char *suffix)
+{
+    FWBootEntry *node, *i;
+
+    if (bootindex < 0) {
+        return;
+    }
+
+    assert(dev != NULL || suffix != NULL);
+
+    node = qemu_mallocz(sizeof(FWBootEntry));
+    node->bootindex = bootindex;
+    node->suffix = strdup(suffix);
+    node->dev = dev;
+
+    QTAILQ_FOREACH(i, &fw_boot_order, link) {
+        if (i->bootindex == bootindex) {
+            fprintf(stderr, "Two devices with same boot index %d\n", bootindex);
+            exit(1);
+        } else if (i->bootindex < bootindex) {
+            continue;
+        }
+        QTAILQ_INSERT_BEFORE(i, node, link);
+        return;
+    }
+    QTAILQ_INSERT_TAIL(&fw_boot_order, node, link);
+}
+
 static void numa_add(const char *optarg)
 {
     char option[128];
commit db07c0f84ba2bedea4b8201ccb62602fd5e64c28
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:04 2010 +0200

    Add get_fw_dev_path callback to scsi bus.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 93f0e9a..7febb86 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -5,9 +5,12 @@
 #include "qdev.h"
 #include "blockdev.h"
 
+static char *scsibus_get_fw_dev_path(DeviceState *dev);
+
 static struct BusInfo scsi_bus_info = {
     .name  = "SCSI",
     .size  = sizeof(SCSIBus),
+    .get_fw_dev_path = scsibus_get_fw_dev_path,
     .props = (Property[]) {
         DEFINE_PROP_UINT32("scsi-id", SCSIDevice, id, -1),
         DEFINE_PROP_END_OF_LIST(),
@@ -518,3 +521,23 @@ void scsi_req_complete(SCSIRequest *req)
                        req->tag,
                        req->status);
 }
+
+static char *scsibus_get_fw_dev_path(DeviceState *dev)
+{
+    SCSIDevice *d = (SCSIDevice*)dev;
+    SCSIBus *bus = scsi_bus_from_device(d);
+    char path[100];
+    int i;
+
+    for (i = 0; i < bus->ndev; i++) {
+        if (bus->devs[i] == d) {
+            break;
+        }
+    }
+
+    assert(i != bus->ndev);
+
+    snprintf(path, sizeof(path), "%s@%x", qdev_fw_name(dev), i);
+
+    return strdup(path);
+}
commit cdedd0061306bf204c5751584f69f1bcc9834f14
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:03 2010 +0200

    Add get_fw_dev_path callback for usb bus.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 256b881..8b4583c 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -5,11 +5,13 @@
 #include "monitor.h"
 
 static void usb_bus_dev_print(Monitor *mon, DeviceState *qdev, int indent);
+static char *usbbus_get_fw_dev_path(DeviceState *dev);
 
 static struct BusInfo usb_bus_info = {
     .name      = "USB",
     .size      = sizeof(USBBus),
     .print_dev = usb_bus_dev_print,
+    .get_fw_dev_path = usbbus_get_fw_dev_path,
 };
 static int next_usb_bus = 0;
 static QTAILQ_HEAD(, USBBus) busses = QTAILQ_HEAD_INITIALIZER(busses);
@@ -307,3 +309,43 @@ USBDevice *usbdevice_create(const char *cmdline)
     }
     return usb->usbdevice_init(params);
 }
+
+static int usbbus_get_fw_dev_path_helper(USBDevice *d, USBBus *bus, char *p,
+                                         int len)
+{
+    int l = 0;
+    USBPort *port;
+
+    QTAILQ_FOREACH(port, &bus->used, next) {
+        if (port->dev == d) {
+            if (port->pdev) {
+                l = usbbus_get_fw_dev_path_helper(port->pdev, bus, p, len);
+            }
+            l += snprintf(p + l, len - l, "%s@%x/", qdev_fw_name(&d->qdev),
+                          port->index);
+            break;
+        }
+    }
+
+    return l;
+}
+
+static char *usbbus_get_fw_dev_path(DeviceState *dev)
+{
+    USBDevice *d = (USBDevice*)dev;
+    USBBus *bus = usb_bus_from_device(d);
+    char path[100];
+    int l;
+
+    assert(d->attached != 0);
+
+    l = usbbus_get_fw_dev_path_helper(d, bus, path, sizeof(path));
+
+    if (l == 0) {
+        abort();
+    }
+
+    path[l-1] = '\0';
+
+    return strdup(path);
+}
commit ab28ccc0c67f52d8966b8172108cb8a6f76e6d2a
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:02 2010 +0200

    Record which USBDevice USBPort belongs too.
    
    Ports on root hub will have NULL here. This is needed to reconstruct
    path from device to its root hub to build device path.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index b692503..256b881 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -110,11 +110,12 @@ USBDevice *usb_create_simple(USBBus *bus, const char *name)
 }
 
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       usb_attachfn attach)
+                       USBDevice *pdev, usb_attachfn attach)
 {
     port->opaque = opaque;
     port->index = index;
     port->attach = attach;
+    port->pdev = pdev;
     QTAILQ_INSERT_TAIL(&bus->free, port, next);
     bus->nfree++;
 }
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 8e3a96b..8a3f829 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -535,7 +535,7 @@ static int usb_hub_initfn(USBDevice *dev)
     for (i = 0; i < s->nb_ports; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
-                          &port->port, s, i, usb_hub_attach);
+                          &port->port, s, i, &s->dev, usb_hub_attach);
         port->wPortStatus = PORT_STAT_POWER;
         port->wPortChange = 0;
     }
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 7f15842..9efe7a6 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -343,7 +343,7 @@ struct MUSBState {
     }
 
     usb_bus_new(&s->bus, NULL /* FIXME */);
-    usb_register_port(&s->bus, &s->port, s, 0, musb_attach);
+    usb_register_port(&s->bus, &s->port, s, 0, NULL, musb_attach);
 
     return s;
 }
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 8eb4a1e..240e840 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1699,7 +1699,7 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
     usb_bus_new(&ohci->bus, dev);
     ohci->num_ports = num_ports;
     for (i = 0; i < num_ports; i++) {
-        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, ohci_attach);
+        usb_register_port(&ohci->bus, &ohci->rhport[i].port, ohci, i, NULL, ohci_attach);
     }
 
     ohci->async_td = 0;
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 1d83400..b9b822f 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -1115,7 +1115,7 @@ static int usb_uhci_common_initfn(UHCIState *s)
 
     usb_bus_new(&s->bus, &s->dev.qdev);
     for(i = 0; i < NB_PORTS; i++) {
-        usb_register_port(&s->bus, &s->ports[i].port, s, i, uhci_attach);
+        usb_register_port(&s->bus, &s->ports[i].port, s, i, NULL, uhci_attach);
     }
     s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
     s->expire_time = qemu_get_clock(vm_clock) +
diff --git a/hw/usb.h b/hw/usb.h
index 00d2802..0b32d77 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -203,6 +203,7 @@ struct USBPort {
     USBDevice *dev;
     usb_attachfn attach;
     void *opaque;
+    USBDevice *pdev;
     int index; /* internal port index, may be used with the opaque */
     QTAILQ_ENTRY(USBPort) next;
 };
@@ -312,7 +313,7 @@ USBDevice *usb_create(USBBus *bus, const char *name);
 USBDevice *usb_create_simple(USBBus *bus, const char *name);
 USBDevice *usbdevice_create(const char *cmdline);
 void usb_register_port(USBBus *bus, USBPort *port, void *opaque, int index,
-                       usb_attachfn attach);
+                       USBDevice *pdev, usb_attachfn attach);
 void usb_unregister_port(USBBus *bus, USBPort *port);
 int usb_device_attach(USBDevice *dev);
 int usb_device_detach(USBDevice *dev);
commit 5e0259e7facb6aaac326c3beef79e4d2414c38d4
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:01 2010 +0200

    Add get_fw_dev_path callback for pci bus.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pci.c b/hw/pci.c
index 0c15b13..e7ea907 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -43,6 +43,7 @@
 
 static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent);
 static char *pcibus_get_dev_path(DeviceState *dev);
+static char *pcibus_get_fw_dev_path(DeviceState *dev);
 static int pcibus_reset(BusState *qbus);
 
 struct BusInfo pci_bus_info = {
@@ -50,6 +51,7 @@ struct BusInfo pci_bus_info = {
     .size       = sizeof(PCIBus),
     .print_dev  = pcibus_dev_print,
     .get_dev_path = pcibus_get_dev_path,
+    .get_fw_dev_path = pcibus_get_fw_dev_path,
     .reset      = pcibus_reset,
     .props      = (Property[]) {
         DEFINE_PROP_PCI_DEVFN("addr", PCIDevice, devfn, -1),
@@ -1117,45 +1119,63 @@ void pci_msi_notify(PCIDevice *dev, unsigned int vector)
 typedef struct {
     uint16_t class;
     const char *desc;
+    const char *fw_name;
+    uint16_t fw_ign_bits;
 } pci_class_desc;
 
 static const pci_class_desc pci_class_descriptions[] =
 {
-    { 0x0100, "SCSI controller"},
-    { 0x0101, "IDE controller"},
-    { 0x0102, "Floppy controller"},
-    { 0x0103, "IPI controller"},
-    { 0x0104, "RAID controller"},
+    { 0x0001, "VGA controller", "display"},
+    { 0x0100, "SCSI controller", "scsi"},
+    { 0x0101, "IDE controller", "ide"},
+    { 0x0102, "Floppy controller", "fdc"},
+    { 0x0103, "IPI controller", "ipi"},
+    { 0x0104, "RAID controller", "raid"},
     { 0x0106, "SATA controller"},
     { 0x0107, "SAS controller"},
     { 0x0180, "Storage controller"},
-    { 0x0200, "Ethernet controller"},
-    { 0x0201, "Token Ring controller"},
-    { 0x0202, "FDDI controller"},
-    { 0x0203, "ATM controller"},
+    { 0x0200, "Ethernet controller", "ethernet"},
+    { 0x0201, "Token Ring controller", "token-ring"},
+    { 0x0202, "FDDI controller", "fddi"},
+    { 0x0203, "ATM controller", "atm"},
     { 0x0280, "Network controller"},
-    { 0x0300, "VGA controller"},
+    { 0x0300, "VGA controller", "display", 0x00ff},
     { 0x0301, "XGA controller"},
     { 0x0302, "3D controller"},
     { 0x0380, "Display controller"},
-    { 0x0400, "Video controller"},
-    { 0x0401, "Audio controller"},
+    { 0x0400, "Video controller", "video"},
+    { 0x0401, "Audio controller", "sound"},
     { 0x0402, "Phone"},
     { 0x0480, "Multimedia controller"},
-    { 0x0500, "RAM controller"},
-    { 0x0501, "Flash controller"},
+    { 0x0500, "RAM controller", "memory"},
+    { 0x0501, "Flash controller", "flash"},
     { 0x0580, "Memory controller"},
-    { 0x0600, "Host bridge"},
-    { 0x0601, "ISA bridge"},
-    { 0x0602, "EISA bridge"},
-    { 0x0603, "MC bridge"},
-    { 0x0604, "PCI bridge"},
-    { 0x0605, "PCMCIA bridge"},
-    { 0x0606, "NUBUS bridge"},
-    { 0x0607, "CARDBUS bridge"},
+    { 0x0600, "Host bridge", "host"},
+    { 0x0601, "ISA bridge", "isa"},
+    { 0x0602, "EISA bridge", "eisa"},
+    { 0x0603, "MC bridge", "mca"},
+    { 0x0604, "PCI bridge", "pci"},
+    { 0x0605, "PCMCIA bridge", "pcmcia"},
+    { 0x0606, "NUBUS bridge", "nubus"},
+    { 0x0607, "CARDBUS bridge", "cardbus"},
     { 0x0608, "RACEWAY bridge"},
     { 0x0680, "Bridge"},
-    { 0x0c03, "USB controller"},
+    { 0x0700, "Serial port", "serial"},
+    { 0x0701, "Parallel port", "parallel"},
+    { 0x0800, "Interrupt controller", "interrupt-controller"},
+    { 0x0801, "DMA controller", "dma-controller"},
+    { 0x0802, "Timer", "timer"},
+    { 0x0803, "RTC", "rtc"},
+    { 0x0900, "Keyboard", "keyboard"},
+    { 0x0901, "Pen", "pen"},
+    { 0x0902, "Mouse", "mouse"},
+    { 0x0A00, "Dock station", "dock", 0x00ff},
+    { 0x0B00, "i386 cpu", "cpu", 0x00ff},
+    { 0x0c00, "Fireware contorller", "fireware"},
+    { 0x0c01, "Access bus controller", "access-bus"},
+    { 0x0c02, "SSA controller", "ssa"},
+    { 0x0c03, "USB controller", "usb"},
+    { 0x0c04, "Fibre channel controller", "fibre-channel"},
     { 0, NULL}
 };
 
@@ -1960,6 +1980,48 @@ static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent)
     }
 }
 
+static char *pci_dev_fw_name(DeviceState *dev, char *buf, int len)
+{
+    PCIDevice *d = (PCIDevice *)dev;
+    const char *name = NULL;
+    const pci_class_desc *desc =  pci_class_descriptions;
+    int class = pci_get_word(d->config + PCI_CLASS_DEVICE);
+
+    while (desc->desc &&
+          (class & ~desc->fw_ign_bits) !=
+          (desc->class & ~desc->fw_ign_bits)) {
+        desc++;
+    }
+
+    if (desc->desc) {
+        name = desc->fw_name;
+    }
+
+    if (name) {
+        pstrcpy(buf, len, name);
+    } else {
+        snprintf(buf, len, "pci%04x,%04x",
+                 pci_get_word(d->config + PCI_VENDOR_ID),
+                 pci_get_word(d->config + PCI_DEVICE_ID));
+    }
+
+    return buf;
+}
+
+static char *pcibus_get_fw_dev_path(DeviceState *dev)
+{
+    PCIDevice *d = (PCIDevice *)dev;
+    char path[50], name[33];
+    int off;
+
+    off = snprintf(path, sizeof(path), "%s@%x",
+                   pci_dev_fw_name(dev, name, sizeof name),
+                   PCI_SLOT(d->devfn));
+    if (PCI_FUNC(d->devfn))
+        snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
+    return strdup(path);
+}
+
 static char *pcibus_get_dev_path(DeviceState *dev)
 {
     PCIDevice *d = (PCIDevice *)dev;
commit c646f74ffdc2c514bc12e0c241faf08fab10d181
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:35:00 2010 +0200

    Add get_fw_dev_path callback for system bus.
    
    Prints out mmio or pio used to access child device.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pci_host.c b/hw/pci_host.c
index eebff7a..7c40155 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -140,6 +140,7 @@ void pci_host_conf_register_ioport(pio_addr_t ioport, PCIHostState *s)
 {
     pci_host_init(s);
     register_ioport_simple(&s->conf_handler, ioport, 4, 4);
+    sysbus_init_ioports(&s->busdev, ioport, 4);
 }
 
 int pci_host_data_register_mmio(PCIHostState *s, int endian)
@@ -154,4 +155,5 @@ void pci_host_data_register_ioport(pio_addr_t ioport, PCIHostState *s)
     register_ioport_simple(&s->data_handler, ioport, 4, 1);
     register_ioport_simple(&s->data_handler, ioport, 4, 2);
     register_ioport_simple(&s->data_handler, ioport, 4, 4);
+    sysbus_init_ioports(&s->busdev, ioport, 4);
 }
diff --git a/hw/sysbus.c b/hw/sysbus.c
index d817721..1583bd8 100644
--- a/hw/sysbus.c
+++ b/hw/sysbus.c
@@ -22,11 +22,13 @@
 #include "monitor.h"
 
 static void sysbus_dev_print(Monitor *mon, DeviceState *dev, int indent);
+static char *sysbus_get_fw_dev_path(DeviceState *dev);
 
 struct BusInfo system_bus_info = {
     .name       = "System",
     .size       = sizeof(BusState),
     .print_dev  = sysbus_dev_print,
+    .get_fw_dev_path = sysbus_get_fw_dev_path,
 };
 
 void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq)
@@ -106,6 +108,16 @@ void sysbus_init_mmio_cb(SysBusDevice *dev, target_phys_addr_t size,
     dev->mmio[n].cb = cb;
 }
 
+void sysbus_init_ioports(SysBusDevice *dev, pio_addr_t ioport, pio_addr_t size)
+{
+    pio_addr_t i;
+
+    for (i = 0; i < size; i++) {
+        assert(dev->num_pio < QDEV_MAX_PIO);
+        dev->pio[dev->num_pio++] = ioport++;
+    }
+}
+
 static int sysbus_device_init(DeviceState *dev, DeviceInfo *base)
 {
     SysBusDeviceInfo *info = container_of(base, SysBusDeviceInfo, qdev);
@@ -171,3 +183,21 @@ static void sysbus_dev_print(Monitor *mon, DeviceState *dev, int indent)
                        indent, "", s->mmio[i].addr, s->mmio[i].size);
     }
 }
+
+static char *sysbus_get_fw_dev_path(DeviceState *dev)
+{
+    SysBusDevice *s = sysbus_from_qdev(dev);
+    char path[40];
+    int off;
+
+    off = snprintf(path, sizeof(path), "%s", qdev_fw_name(dev));
+
+    if (s->num_mmio) {
+        snprintf(path + off, sizeof(path) - off, "@"TARGET_FMT_plx,
+                 s->mmio[0].addr);
+    } else if (s->num_pio) {
+        snprintf(path + off, sizeof(path) - off, "@i%04x", s->pio[0]);
+    }
+
+    return strdup(path);
+}
diff --git a/hw/sysbus.h b/hw/sysbus.h
index 5980901..e9eb618 100644
--- a/hw/sysbus.h
+++ b/hw/sysbus.h
@@ -6,6 +6,7 @@
 #include "qdev.h"
 
 #define QDEV_MAX_MMIO 32
+#define QDEV_MAX_PIO 32
 #define QDEV_MAX_IRQ 256
 
 typedef struct SysBusDevice SysBusDevice;
@@ -23,6 +24,8 @@ struct SysBusDevice {
         mmio_mapfunc cb;
         ram_addr_t iofunc;
     } mmio[QDEV_MAX_MMIO];
+    int num_pio;
+    pio_addr_t pio[QDEV_MAX_PIO];
 };
 
 typedef int (*sysbus_initfn)(SysBusDevice *dev);
@@ -45,6 +48,7 @@ void sysbus_init_mmio_cb(SysBusDevice *dev, target_phys_addr_t size,
                             mmio_mapfunc cb);
 void sysbus_init_irq(SysBusDevice *dev, qemu_irq *p);
 void sysbus_pass_irq(SysBusDevice *dev, SysBusDevice *target);
+void sysbus_init_ioports(SysBusDevice *dev, pio_addr_t ioport, pio_addr_t size);
 
 
 void sysbus_connect_irq(SysBusDevice *dev, int n, qemu_irq irq);
commit dc1a46b60941e137b3194936540790b720952055
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:34:59 2010 +0200

    Add get_fw_dev_path callback to IDE bus.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ide/qdev.c b/hw/ide/qdev.c
index 88ff657..01a181b 100644
--- a/hw/ide/qdev.c
+++ b/hw/ide/qdev.c
@@ -24,9 +24,12 @@
 
 /* --------------------------------- */
 
+static char *idebus_get_fw_dev_path(DeviceState *dev);
+
 static struct BusInfo ide_bus_info = {
     .name  = "IDE",
     .size  = sizeof(IDEBus),
+    .get_fw_dev_path = idebus_get_fw_dev_path,
 };
 
 void ide_bus_new(IDEBus *idebus, DeviceState *dev, int bus_id)
@@ -35,6 +38,16 @@ void ide_bus_new(IDEBus *idebus, DeviceState *dev, int bus_id)
     idebus->bus_id = bus_id;
 }
 
+static char *idebus_get_fw_dev_path(DeviceState *dev)
+{
+    char path[30];
+
+    snprintf(path, sizeof(path), "%s@%d", qdev_fw_name(dev),
+             ((IDEBus*)dev->parent_bus)->bus_id);
+
+    return strdup(path);
+}
+
 static int ide_qdev_init(DeviceState *qdev, DeviceInfo *base)
 {
     IDEDevice *dev = DO_UPCAST(IDEDevice, qdev, qdev);
commit 3835510f10ac74553ff19df3eb254809f0b593c0
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:34:58 2010 +0200

    Store IDE bus id in IDEBus structure for easy access.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c
index dfe6091..ea5d2dc 100644
--- a/hw/ide/cmd646.c
+++ b/hw/ide/cmd646.c
@@ -253,8 +253,8 @@ static int pci_cmd646_ide_initfn(PCIDevice *dev)
     pci_conf[PCI_INTERRUPT_PIN] = 0x01; // interrupt on pin 1
 
     irq = qemu_allocate_irqs(cmd646_set_irq, d, 2);
-    ide_bus_new(&d->bus[0], &d->dev.qdev);
-    ide_bus_new(&d->bus[1], &d->dev.qdev);
+    ide_bus_new(&d->bus[0], &d->dev.qdev, 0);
+    ide_bus_new(&d->bus[1], &d->dev.qdev, 1);
     ide_init2(&d->bus[0], irq[0]);
     ide_init2(&d->bus[1], irq[1]);
 
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 85f4a16..71af66f 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -449,6 +449,7 @@ struct IDEBus {
     IDEDevice *slave;
     BMDMAState *bmdma;
     IDEState ifs[2];
+    int bus_id;
     uint8_t unit;
     uint8_t cmd;
     qemu_irq irq;
@@ -567,7 +568,7 @@ void ide_init2_with_non_qdev_drives(IDEBus *bus, DriveInfo *hd0,
 void ide_init_ioport(IDEBus *bus, int iobase, int iobase2);
 
 /* hw/ide/qdev.c */
-void ide_bus_new(IDEBus *idebus, DeviceState *dev);
+void ide_bus_new(IDEBus *idebus, DeviceState *dev, int bus_id);
 IDEDevice *ide_create_drive(IDEBus *bus, int unit, DriveInfo *drive);
 
 #endif /* HW_IDE_INTERNAL_H */
diff --git a/hw/ide/isa.c b/hw/ide/isa.c
index 4206afd..8c59c5a 100644
--- a/hw/ide/isa.c
+++ b/hw/ide/isa.c
@@ -67,7 +67,7 @@ static int isa_ide_initfn(ISADevice *dev)
 {
     ISAIDEState *s = DO_UPCAST(ISAIDEState, dev, dev);
 
-    ide_bus_new(&s->bus, &s->dev.qdev);
+    ide_bus_new(&s->bus, &s->dev.qdev, 0);
     ide_init_ioport(&s->bus, s->iobase, s->iobase2);
     isa_init_irq(dev, &s->irq, s->isairq);
     isa_init_ioport_range(dev, s->iobase, 8);
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index e02b89a..1c0cb0c 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -125,8 +125,8 @@ static int pci_piix_ide_initfn(PCIIDEState *d)
 
     vmstate_register(&d->dev.qdev, 0, &vmstate_ide_pci, d);
 
-    ide_bus_new(&d->bus[0], &d->dev.qdev);
-    ide_bus_new(&d->bus[1], &d->dev.qdev);
+    ide_bus_new(&d->bus[0], &d->dev.qdev, 0);
+    ide_bus_new(&d->bus[1], &d->dev.qdev, 1);
     ide_init_ioport(&d->bus[0], 0x1f0, 0x3f6);
     ide_init_ioport(&d->bus[1], 0x170, 0x376);
 
diff --git a/hw/ide/qdev.c b/hw/ide/qdev.c
index 6d27b60..88ff657 100644
--- a/hw/ide/qdev.c
+++ b/hw/ide/qdev.c
@@ -29,9 +29,10 @@ static struct BusInfo ide_bus_info = {
     .size  = sizeof(IDEBus),
 };
 
-void ide_bus_new(IDEBus *idebus, DeviceState *dev)
+void ide_bus_new(IDEBus *idebus, DeviceState *dev, int bus_id)
 {
     qbus_create_inplace(&idebus->qbus, &ide_bus_info, dev, NULL);
+    idebus->bus_id = bus_id;
 }
 
 static int ide_qdev_init(DeviceState *qdev, DeviceInfo *base)
diff --git a/hw/ide/via.c b/hw/ide/via.c
index 66be0c4..78857e8 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -154,8 +154,8 @@ static int vt82c686b_ide_initfn(PCIDevice *dev)
 
     vmstate_register(&dev->qdev, 0, &vmstate_ide_pci, d);
 
-    ide_bus_new(&d->bus[0], &d->dev.qdev);
-    ide_bus_new(&d->bus[1], &d->dev.qdev);
+    ide_bus_new(&d->bus[0], &d->dev.qdev, 0);
+    ide_bus_new(&d->bus[1], &d->dev.qdev, 1);
     ide_init2(&d->bus[0], isa_reserve_irq(14));
     ide_init2(&d->bus[1], isa_reserve_irq(15));
     ide_init_ioport(&d->bus[0], 0x1f0, 0x3f6);
commit 6a26e1197db1684798c4255955c04e31270eccb8
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:34:57 2010 +0200

    Add get_fw_dev_path callback to ISA bus in qdev.
    
    Use device ioports to create unique device path.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/isa-bus.c b/hw/isa-bus.c
index 5486efa..0cb1afb 100644
--- a/hw/isa-bus.c
+++ b/hw/isa-bus.c
@@ -31,11 +31,13 @@ static ISABus *isabus;
 target_phys_addr_t isa_mem_base = 0;
 
 static void isabus_dev_print(Monitor *mon, DeviceState *dev, int indent);
+static char *isabus_get_fw_dev_path(DeviceState *dev);
 
 static struct BusInfo isa_bus_info = {
     .name      = "ISA",
     .size      = sizeof(ISABus),
     .print_dev = isabus_dev_print,
+    .get_fw_dev_path = isabus_get_fw_dev_path,
 };
 
 ISABus *isa_bus_new(DeviceState *dev)
@@ -185,4 +187,18 @@ static void isabus_register_devices(void)
     sysbus_register_withprop(&isabus_bridge_info);
 }
 
+static char *isabus_get_fw_dev_path(DeviceState *dev)
+{
+    ISADevice *d = (ISADevice*)dev;
+    char path[40];
+    int off;
+
+    off = snprintf(path, sizeof(path), "%s", qdev_fw_name(dev));
+    if (d->nioports) {
+        snprintf(path + off, sizeof(path) - off, "@%04x", d->ioports[0]);
+    }
+
+    return strdup(path);
+}
+
 device_init(isabus_register_devices)
commit dee41d58ef7b874fd8a07e9e0ae4ef6e7fe624fc
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:34:56 2010 +0200

    Keep track of ISA ports ISA device is using in qdev.
    
    Store all io ports used by device in ISADevice structure.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/cs4231a.c b/hw/cs4231a.c
index 4d5ce5c..598f032 100644
--- a/hw/cs4231a.c
+++ b/hw/cs4231a.c
@@ -645,6 +645,7 @@ static int cs4231a_initfn (ISADevice *dev)
     isa_init_irq (dev, &s->pic, s->irq);
 
     for (i = 0; i < 4; i++) {
+        isa_init_ioport(dev, i);
         register_ioport_write (s->port + i, 1, 1, cs_write, s);
         register_ioport_read (s->port + i, 1, 1, cs_read, s);
     }
diff --git a/hw/fdc.c b/hw/fdc.c
index 589bf06..9d92e93 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -1983,6 +1983,9 @@ static int isabus_fdc_init1(ISADevice *dev)
                           &fdctrl_write_port, fdctrl);
     register_ioport_write(iobase + 0x07, 1, 1,
                           &fdctrl_write_port, fdctrl);
+    isa_init_ioport_range(dev, iobase, 6);
+    isa_init_ioport(dev, iobase + 7);
+
     isa_init_irq(&isa->busdev, &fdctrl->irq, isairq);
     fdctrl->dma_chann = dma_chann;
 
diff --git a/hw/gus.c b/hw/gus.c
index e9016d8..ff9e7c7 100644
--- a/hw/gus.c
+++ b/hw/gus.c
@@ -264,20 +264,24 @@ static int gus_initfn (ISADevice *dev)
 
     register_ioport_write (s->port, 1, 1, gus_writeb, s);
     register_ioport_write (s->port, 1, 2, gus_writew, s);
+    isa_init_ioport_range(dev, s->port, 2);
 
     register_ioport_read ((s->port + 0x100) & 0xf00, 1, 1, gus_readb, s);
     register_ioport_read ((s->port + 0x100) & 0xf00, 1, 2, gus_readw, s);
+    isa_init_ioport_range(dev, (s->port + 0x100) & 0xf00, 2);
 
     register_ioport_write (s->port + 6, 10, 1, gus_writeb, s);
     register_ioport_write (s->port + 6, 10, 2, gus_writew, s);
     register_ioport_read (s->port + 6, 10, 1, gus_readb, s);
     register_ioport_read (s->port + 6, 10, 2, gus_readw, s);
+    isa_init_ioport_range(dev, s->port + 6, 10);
 
 
     register_ioport_write (s->port + 0x100, 8, 1, gus_writeb, s);
     register_ioport_write (s->port + 0x100, 8, 2, gus_writew, s);
     register_ioport_read (s->port + 0x100, 8, 1, gus_readb, s);
     register_ioport_read (s->port + 0x100, 8, 2, gus_readw, s);
+    isa_init_ioport_range(dev, s->port + 0x100, 8);
 
     DMA_register_channel (s->emu.gusdma, GUS_read_DMA, s);
     s->emu.himemaddr = s->himem;
diff --git a/hw/ide/isa.c b/hw/ide/isa.c
index 9856435..4206afd 100644
--- a/hw/ide/isa.c
+++ b/hw/ide/isa.c
@@ -70,6 +70,8 @@ static int isa_ide_initfn(ISADevice *dev)
     ide_bus_new(&s->bus, &s->dev.qdev);
     ide_init_ioport(&s->bus, s->iobase, s->iobase2);
     isa_init_irq(dev, &s->irq, s->isairq);
+    isa_init_ioport_range(dev, s->iobase, 8);
+    isa_init_ioport(dev, s->iobase2);
     ide_init2(&s->bus, s->irq);
     vmstate_register(&dev->qdev, 0, &vmstate_ide_isa, s);
     return 0;
diff --git a/hw/isa-bus.c b/hw/isa-bus.c
index f9c7ec0..5486efa 100644
--- a/hw/isa-bus.c
+++ b/hw/isa-bus.c
@@ -89,6 +89,31 @@ void isa_init_irq(ISADevice *dev, qemu_irq *p, int isairq)
     dev->nirqs++;
 }
 
+static void isa_init_ioport_one(ISADevice *dev, uint16_t ioport)
+{
+    assert(dev->nioports < ARRAY_SIZE(dev->ioports));
+    dev->ioports[dev->nioports++] = ioport;
+}
+
+static int isa_cmp_ports(const void *p1, const void *p2)
+{
+    return *(uint16_t*)p1 - *(uint16_t*)p2;
+}
+
+void isa_init_ioport_range(ISADevice *dev, uint16_t start, uint16_t length)
+{
+    int i;
+    for (i = start; i < start + length; i++) {
+        isa_init_ioport_one(dev, i);
+    }
+    qsort(dev->ioports, dev->nioports, sizeof(dev->ioports[0]), isa_cmp_ports);
+}
+
+void isa_init_ioport(ISADevice *dev, uint16_t ioport)
+{
+    isa_init_ioport_range(dev, ioport, 1);
+}
+
 static int isa_qdev_init(DeviceState *qdev, DeviceInfo *base)
 {
     ISADevice *dev = DO_UPCAST(ISADevice, qdev, qdev);
diff --git a/hw/isa.h b/hw/isa.h
index e6848e4..19aa94c 100644
--- a/hw/isa.h
+++ b/hw/isa.h
@@ -14,6 +14,8 @@ struct ISADevice {
     DeviceState qdev;
     uint32_t isairq[2];
     int nirqs;
+    uint16_t ioports[32];
+    int nioports;
 };
 
 typedef int (*isa_qdev_initfn)(ISADevice *dev);
@@ -26,6 +28,8 @@ ISABus *isa_bus_new(DeviceState *dev);
 void isa_bus_irqs(qemu_irq *irqs);
 qemu_irq isa_reserve_irq(int isairq);
 void isa_init_irq(ISADevice *dev, qemu_irq *p, int isairq);
+void isa_init_ioport(ISADevice *dev, uint16_t ioport);
+void isa_init_ioport_range(ISADevice *dev, uint16_t start, uint16_t length);
 void isa_qdev_register(ISADeviceInfo *info);
 ISADevice *isa_create(const char *name);
 ISADevice *isa_create_simple(const char *name);
diff --git a/hw/m48t59.c b/hw/m48t59.c
index 3c26b54..6991e2e 100644
--- a/hw/m48t59.c
+++ b/hw/m48t59.c
@@ -680,6 +680,7 @@ M48t59State *m48t59_init_isa(uint32_t io_base, uint16_t size, int type)
     if (io_base != 0) {
         register_ioport_read(io_base, 0x04, 1, NVRAM_readb, s);
         register_ioport_write(io_base, 0x04, 1, NVRAM_writeb, s);
+        isa_init_ioport_range(dev, io_base, 4);
     }
 
     return s;
diff --git a/hw/mc146818rtc.c b/hw/mc146818rtc.c
index 2b91fa8..6466aff 100644
--- a/hw/mc146818rtc.c
+++ b/hw/mc146818rtc.c
@@ -605,6 +605,7 @@ static int rtc_initfn(ISADevice *dev)
 
     register_ioport_write(base, 2, 1, cmos_ioport_write, s);
     register_ioport_read(base, 2, 1, cmos_ioport_read, s);
+    isa_init_ioport_range(dev, base, 2);
 
     qdev_set_legacy_instance_id(&dev->qdev, base, 2);
     qemu_register_reset(rtc_reset, s);
diff --git a/hw/ne2000-isa.c b/hw/ne2000-isa.c
index 03a5a1f..3ff0d89 100644
--- a/hw/ne2000-isa.c
+++ b/hw/ne2000-isa.c
@@ -68,14 +68,17 @@ static int isa_ne2000_initfn(ISADevice *dev)
 
     register_ioport_write(isa->iobase, 16, 1, ne2000_ioport_write, s);
     register_ioport_read(isa->iobase, 16, 1, ne2000_ioport_read, s);
+    isa_init_ioport_range(dev, isa->iobase, 16);
 
     register_ioport_write(isa->iobase + 0x10, 1, 1, ne2000_asic_ioport_write, s);
     register_ioport_read(isa->iobase + 0x10, 1, 1, ne2000_asic_ioport_read, s);
     register_ioport_write(isa->iobase + 0x10, 2, 2, ne2000_asic_ioport_write, s);
     register_ioport_read(isa->iobase + 0x10, 2, 2, ne2000_asic_ioport_read, s);
+    isa_init_ioport_range(dev, isa->iobase + 0x10, 2);
 
     register_ioport_write(isa->iobase + 0x1f, 1, 1, ne2000_reset_ioport_write, s);
     register_ioport_read(isa->iobase + 0x1f, 1, 1, ne2000_reset_ioport_read, s);
+    isa_init_ioport(dev, isa->iobase + 0x1f);
 
     isa_init_irq(dev, &s->irq, isa->isairq);
 
diff --git a/hw/parallel.c b/hw/parallel.c
index 00005c4..ce311aa 100644
--- a/hw/parallel.c
+++ b/hw/parallel.c
@@ -481,16 +481,21 @@ static int parallel_isa_initfn(ISADevice *dev)
     if (s->hw_driver) {
         register_ioport_write(base, 8, 1, parallel_ioport_write_hw, s);
         register_ioport_read(base, 8, 1, parallel_ioport_read_hw, s);
+        isa_init_ioport_range(dev, base, 8);
+
         register_ioport_write(base+4, 1, 2, parallel_ioport_eppdata_write_hw2, s);
         register_ioport_read(base+4, 1, 2, parallel_ioport_eppdata_read_hw2, s);
         register_ioport_write(base+4, 1, 4, parallel_ioport_eppdata_write_hw4, s);
         register_ioport_read(base+4, 1, 4, parallel_ioport_eppdata_read_hw4, s);
+        isa_init_ioport(dev, base+4);
         register_ioport_write(base+0x400, 8, 1, parallel_ioport_ecp_write, s);
         register_ioport_read(base+0x400, 8, 1, parallel_ioport_ecp_read, s);
+        isa_init_ioport_range(dev, base+0x400, 8);
     }
     else {
         register_ioport_write(base, 8, 1, parallel_ioport_write_sw, s);
         register_ioport_read(base, 8, 1, parallel_ioport_read_sw, s);
+        isa_init_ioport_range(dev, base, 8);
     }
     return 0;
 }
diff --git a/hw/pckbd.c b/hw/pckbd.c
index 7f0e6bb..863b485 100644
--- a/hw/pckbd.c
+++ b/hw/pckbd.c
@@ -485,10 +485,13 @@ static int i8042_initfn(ISADevice *dev)
 
     register_ioport_read(0x60, 1, 1, kbd_read_data, s);
     register_ioport_write(0x60, 1, 1, kbd_write_data, s);
+    isa_init_ioport(dev, 0x60);
     register_ioport_read(0x64, 1, 1, kbd_read_status, s);
     register_ioport_write(0x64, 1, 1, kbd_write_command, s);
+    isa_init_ioport(dev, 0x64);
     register_ioport_read(0x92, 1, 1, ioport92_read, s);
     register_ioport_write(0x92, 1, 1, ioport92_write, s);
+    isa_init_ioport(dev, 0x92);
 
     s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
     s->mouse = ps2_mouse_init(kbd_update_aux_irq, s);
diff --git a/hw/sb16.c b/hw/sb16.c
index 78590a7..c9d37ad 100644
--- a/hw/sb16.c
+++ b/hw/sb16.c
@@ -1368,16 +1368,20 @@ static int sb16_initfn (ISADevice *dev)
 
     for (i = 0; i < ARRAY_SIZE (dsp_write_ports); i++) {
         register_ioport_write (s->port + dsp_write_ports[i], 1, 1, dsp_write, s);
+        isa_init_ioport(dev, s->port + dsp_write_ports[i]);
     }
 
     for (i = 0; i < ARRAY_SIZE (dsp_read_ports); i++) {
         register_ioport_read (s->port + dsp_read_ports[i], 1, 1, dsp_read, s);
+        isa_init_ioport(dev, s->port + dsp_read_ports[i]);
     }
 
     register_ioport_write (s->port + 0x4, 1, 1, mixer_write_indexb, s);
     register_ioport_write (s->port + 0x4, 1, 2, mixer_write_indexw, s);
+    isa_init_ioport(dev, s->port + 0x4);
     register_ioport_read (s->port + 0x5, 1, 1, mixer_read, s);
     register_ioport_write (s->port + 0x5, 1, 1, mixer_write_datab, s);
+    isa_init_ioport(dev, s->port + 0x5);
 
     DMA_register_channel (s->hdma, SB_read_DMA, s);
     DMA_register_channel (s->dma, SB_read_DMA, s);
diff --git a/hw/serial.c b/hw/serial.c
index d21cbe9..2c4af61 100644
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -778,6 +778,7 @@ static int serial_isa_initfn(ISADevice *dev)
 
     register_ioport_write(isa->iobase, 8, 1, serial_ioport_write, s);
     register_ioport_read(isa->iobase, 8, 1, serial_ioport_read, s);
+    isa_init_ioport_range(dev, isa->iobase, 8);
     return 0;
 }
 
commit 21150814d9f0d40b77f8ec54e716505b85b87e6b
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:34:55 2010 +0200

    Introduce new BusInfo callback get_fw_dev_path.
    
    New get_fw_dev_path callback will be used for build device path usable
    by firmware in contrast to qdev qemu internal device path.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/qdev.h b/hw/qdev.h
index bc71110..f72fbde 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -49,6 +49,12 @@ struct DeviceState {
 
 typedef void (*bus_dev_printfn)(Monitor *mon, DeviceState *dev, int indent);
 typedef char *(*bus_get_dev_path)(DeviceState *dev);
+/*
+ * This callback is used to create Open Firmware device path in accordance with
+ * OF spec http://forthworks.com/standards/of1275.pdf. Indicidual bus bindings
+ * can be found here http://playground.sun.com/1275/bindings/.
+ */
+typedef char *(*bus_get_fw_dev_path)(DeviceState *dev);
 typedef int (qbus_resetfn)(BusState *bus);
 
 struct BusInfo {
@@ -56,6 +62,7 @@ struct BusInfo {
     size_t size;
     bus_dev_printfn print_dev;
     bus_get_dev_path get_dev_path;
+    bus_get_fw_dev_path get_fw_dev_path;
     qbus_resetfn *reset;
     Property *props;
 };
commit 779206de677533616ec3558bae89ea06fb91fc84
Author: Gleb Natapov <gleb at redhat.com>
Date:   Wed Dec 8 13:34:54 2010 +0200

    Introduce fw_name field to DeviceInfo structure.
    
    Add "fw_name" to DeviceInfo to use in device path building. In
    contrast to "name" "fw_name" should refer to functionality device
    provides instead of particular device model like "name" does.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/fdc.c b/hw/fdc.c
index bea5af2..589bf06 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -2042,6 +2042,7 @@ static const VMStateDescription vmstate_isa_fdc ={
 static ISADeviceInfo isa_fdc_info = {
     .init = isabus_fdc_init1,
     .qdev.name  = "isa-fdc",
+    .qdev.fw_name  = "fdc",
     .qdev.size  = sizeof(FDCtrlISABus),
     .qdev.no_user = 1,
     .qdev.vmsd  = &vmstate_isa_fdc,
diff --git a/hw/ide/isa.c b/hw/ide/isa.c
index 6b57e0d..9856435 100644
--- a/hw/ide/isa.c
+++ b/hw/ide/isa.c
@@ -98,6 +98,7 @@ ISADevice *isa_ide_init(int iobase, int iobase2, int isairq,
 
 static ISADeviceInfo isa_ide_info = {
     .qdev.name  = "isa-ide",
+    .qdev.fw_name  = "ide",
     .qdev.size  = sizeof(ISAIDEState),
     .init       = isa_ide_initfn,
     .qdev.reset = isa_ide_reset,
diff --git a/hw/ide/qdev.c b/hw/ide/qdev.c
index 0808760..6d27b60 100644
--- a/hw/ide/qdev.c
+++ b/hw/ide/qdev.c
@@ -134,6 +134,7 @@ static int ide_drive_initfn(IDEDevice *dev)
 
 static IDEDeviceInfo ide_drive_info = {
     .qdev.name  = "ide-drive",
+    .qdev.fw_name  = "drive",
     .qdev.size  = sizeof(IDEDrive),
     .init       = ide_drive_initfn,
     .qdev.props = (Property[]) {
diff --git a/hw/isa-bus.c b/hw/isa-bus.c
index 3a6c961..f9c7ec0 100644
--- a/hw/isa-bus.c
+++ b/hw/isa-bus.c
@@ -150,6 +150,7 @@ static int isabus_bridge_init(SysBusDevice *dev)
 static SysBusDeviceInfo isabus_bridge_info = {
     .init = isabus_bridge_init,
     .qdev.name  = "isabus-bridge",
+    .qdev.fw_name  = "isa",
     .qdev.size  = sizeof(SysBusDevice),
     .qdev.no_user = 1,
 };
diff --git a/hw/lance.c b/hw/lance.c
index 8c51858..ddb1cbb 100644
--- a/hw/lance.c
+++ b/hw/lance.c
@@ -142,6 +142,7 @@ static void lance_reset(DeviceState *dev)
 static SysBusDeviceInfo lance_info = {
     .init       = lance_init,
     .qdev.name  = "lance",
+    .qdev.fw_name  = "ethernet",
     .qdev.size  = sizeof(SysBusPCNetState),
     .qdev.reset = lance_reset,
     .qdev.vmsd  = &vmstate_lance,
diff --git a/hw/piix_pci.c b/hw/piix_pci.c
index b5589b9..38f9d9e 100644
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@ -365,6 +365,7 @@ static PCIDeviceInfo i440fx_info[] = {
 static SysBusDeviceInfo i440fx_pcihost_info = {
     .init         = i440fx_pcihost_initfn,
     .qdev.name    = "i440FX-pcihost",
+    .qdev.fw_name = "pci",
     .qdev.size    = sizeof(I440FXState),
     .qdev.no_user = 1,
 };
diff --git a/hw/qdev.h b/hw/qdev.h
index 3fac364..bc71110 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -141,6 +141,7 @@ typedef void (*qdev_resetfn)(DeviceState *dev);
 
 struct DeviceInfo {
     const char *name;
+    const char *fw_name;
     const char *alias;
     const char *desc;
     size_t size;
@@ -306,6 +307,11 @@ void qdev_prop_set_defaults(DeviceState *dev, Property *props);
 void qdev_prop_register_global_list(GlobalProperty *props);
 void qdev_prop_set_globals(DeviceState *dev);
 
+static inline const char *qdev_fw_name(DeviceState *dev)
+{
+    return dev->info->fw_name ? : dev->info->alias ? : dev->info->name;
+}
+
 /* This is a nasty hack to allow passing a NULL bus to qdev_create.  */
 extern struct BusInfo system_bus_info;
 
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 6e49404..851046f 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1230,6 +1230,7 @@ static int scsi_disk_initfn(SCSIDevice *dev)
 
 static SCSIDeviceInfo scsi_disk_info = {
     .qdev.name    = "scsi-disk",
+    .qdev.fw_name = "disk",
     .qdev.desc    = "virtual scsi disk or cdrom",
     .qdev.size    = sizeof(SCSIDiskState),
     .qdev.reset   = scsi_disk_reset,
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 2a1edfc..8e3a96b 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -545,6 +545,7 @@ static int usb_hub_initfn(USBDevice *dev)
 static struct USBDeviceInfo hub_info = {
     .product_desc   = "QEMU USB Hub",
     .qdev.name      = "usb-hub",
+    .qdev.fw_name    = "hub",
     .qdev.size      = sizeof(USBHubState),
     .init           = usb_hub_initfn,
     .handle_packet  = usb_hub_handle_packet,
diff --git a/hw/usb-net.c b/hw/usb-net.c
index 58c672f..f6bed21 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1496,6 +1496,7 @@ static USBDevice *usb_net_init(const char *cmdline)
 static struct USBDeviceInfo net_info = {
     .product_desc   = "QEMU USB Network Interface",
     .qdev.name      = "usb-net",
+    .qdev.fw_name    = "network",
     .qdev.size      = sizeof(USBNetState),
     .init           = usb_net_initfn,
     .handle_packet  = usb_generic_handle_packet,
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index c65765a..6186142 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -699,6 +699,7 @@ static int virtio_9p_init_pci(PCIDevice *pci_dev)
 static PCIDeviceInfo virtio_info[] = {
     {
         .qdev.name = "virtio-blk-pci",
+        .qdev.alias = "virtio-blk",
         .qdev.size = sizeof(VirtIOPCIProxy),
         .init      = virtio_blk_init_pci,
         .exit      = virtio_blk_exit_pci,
commit 1b3cba6e91ab55a158e49bc5398fd76e67c695a8
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Dec 11 18:56:27 2010 +0000

    monitor: implement x86 info mem for PAE and long modes
    
    'info mem' didn't show correct information for PAE mode and
    x86_64 long mode.
    
    Fix by implementing the output for missing modes.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/monitor.c b/monitor.c
index a4ab163..0896254 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2027,14 +2027,16 @@ static void tlb_info(Monitor *mon)
     }
 }
 
-static void mem_print(Monitor *mon, uint32_t *pstart, int *plast_prot,
-                      uint32_t end, int prot)
+static void mem_print(Monitor *mon, target_phys_addr_t *pstart,
+                      int *plast_prot,
+                      target_phys_addr_t end, int prot)
 {
     int prot1;
     prot1 = *plast_prot;
     if (prot != prot1) {
         if (*pstart != -1) {
-            monitor_printf(mon, "%08x-%08x %08x %c%c%c\n",
+            monitor_printf(mon, TARGET_FMT_plx "-" TARGET_FMT_plx " "
+                           TARGET_FMT_plx " %c%c%c\n",
                            *pstart, end, end - *pstart,
                            prot1 & PG_USER_MASK ? 'u' : '-',
                            'r',
@@ -2048,18 +2050,12 @@ static void mem_print(Monitor *mon, uint32_t *pstart, int *plast_prot,
     }
 }
 
-static void mem_info(Monitor *mon)
+static void mem_info_32(Monitor *mon, CPUState *env)
 {
-    CPUState *env;
     int l1, l2, prot, last_prot;
-    uint32_t pgd, pde, pte, start, end;
-
-    env = mon_get_cpu();
+    uint32_t pgd, pde, pte;
+    target_phys_addr_t start, end;
 
-    if (!(env->cr[0] & CR0_PG_MASK)) {
-        monitor_printf(mon, "PG disabled\n");
-        return;
-    }
     pgd = env->cr[3] & ~0xfff;
     last_prot = 0;
     start = -1;
@@ -2091,6 +2087,162 @@ static void mem_info(Monitor *mon)
         }
     }
 }
+
+static void mem_info_pae32(Monitor *mon, CPUState *env)
+{
+    int l1, l2, l3, prot, last_prot;
+    uint64_t pdpe, pde, pte;
+    uint64_t pdp_addr, pd_addr, pt_addr;
+    target_phys_addr_t start, end;
+
+    pdp_addr = env->cr[3] & ~0x1f;
+    last_prot = 0;
+    start = -1;
+    for (l1 = 0; l1 < 4; l1++) {
+        cpu_physical_memory_read(pdp_addr + l1 * 8, (uint8_t *)&pdpe, 8);
+        pdpe = le64_to_cpu(pdpe);
+        end = l1 << 30;
+        if (pdpe & PG_PRESENT_MASK) {
+            pd_addr = pdpe & 0x3fffffffff000ULL;
+            for (l2 = 0; l2 < 512; l2++) {
+                cpu_physical_memory_read(pd_addr + l2 * 8,
+                                         (uint8_t *)&pde, 8);
+                pde = le64_to_cpu(pde);
+                end = (l1 << 30) + (l2 << 21);
+                if (pde & PG_PRESENT_MASK) {
+                    if (pde & PG_PSE_MASK) {
+                        prot = pde & (PG_USER_MASK | PG_RW_MASK |
+                                      PG_PRESENT_MASK);
+                        mem_print(mon, &start, &last_prot, end, prot);
+                    } else {
+                        pt_addr = pde & 0x3fffffffff000ULL;
+                        for (l3 = 0; l3 < 512; l3++) {
+                            cpu_physical_memory_read(pt_addr + l3 * 8,
+                                                     (uint8_t *)&pte, 8);
+                            pte = le64_to_cpu(pte);
+                            end = (l1 << 30) + (l2 << 21) + (l3 << 12);
+                            if (pte & PG_PRESENT_MASK) {
+                                prot = pte & (PG_USER_MASK | PG_RW_MASK |
+                                              PG_PRESENT_MASK);
+                            } else {
+                                prot = 0;
+                            }
+                            mem_print(mon, &start, &last_prot, end, prot);
+                        }
+                    }
+                } else {
+                    prot = 0;
+                    mem_print(mon, &start, &last_prot, end, prot);
+                }
+            }
+        } else {
+            prot = 0;
+            mem_print(mon, &start, &last_prot, end, prot);
+        }
+    }
+}
+
+
+#ifdef TARGET_X86_64
+static void mem_info_64(Monitor *mon, CPUState *env)
+{
+    int prot, last_prot;
+    uint64_t l1, l2, l3, l4;
+    uint64_t pml4e, pdpe, pde, pte;
+    uint64_t pml4_addr, pdp_addr, pd_addr, pt_addr, start, end;
+
+    pml4_addr = env->cr[3] & 0x3fffffffff000ULL;
+    last_prot = 0;
+    start = -1;
+    for (l1 = 0; l1 < 512; l1++) {
+        cpu_physical_memory_read(pml4_addr + l1 * 8, (uint8_t *)&pml4e, 8);
+        pml4e = le64_to_cpu(pml4e);
+        end = l1 << 39;
+        if (pml4e & PG_PRESENT_MASK) {
+            pdp_addr = pml4e & 0x3fffffffff000ULL;
+            for (l2 = 0; l2 < 512; l2++) {
+                cpu_physical_memory_read(pdp_addr + l2 * 8, (uint8_t *)&pdpe,
+                                         8);
+                pdpe = le64_to_cpu(pdpe);
+                end = (l1 << 39) + (l2 << 30);
+                if (pdpe & PG_PRESENT_MASK) {
+                    if (pdpe & PG_PSE_MASK) {
+                        prot = pde & (PG_USER_MASK | PG_RW_MASK |
+                                      PG_PRESENT_MASK);
+                        mem_print(mon, &start, &last_prot, end, prot);
+                    } else {
+                        pd_addr = pdpe & 0x3fffffffff000ULL;
+                        for (l3 = 0; l3 < 512; l3++) {
+                            cpu_physical_memory_read(pd_addr + l3 * 8,
+                                                     (uint8_t *)&pde, 8);
+                            pde = le64_to_cpu(pde);
+                            end = (l1 << 39) + (l2 << 30) + (l3 << 21);
+                            if (pde & PG_PRESENT_MASK) {
+                                if (pde & PG_PSE_MASK) {
+                                    prot = pde & (PG_USER_MASK | PG_RW_MASK |
+                                                  PG_PRESENT_MASK);
+                                    mem_print(mon, &start, &last_prot, end, prot);
+                                } else {
+                                    pt_addr = pde & 0x3fffffffff000ULL;
+                                    for (l4 = 0; l4 < 512; l4++) {
+                                        cpu_physical_memory_read(pt_addr
+                                                                 + l4 * 8,
+                                                                 (uint8_t *)&pte,
+                                                                 8);
+                                        pte = le64_to_cpu(pte);
+                                        end = (l1 << 39) + (l2 << 30) +
+                                            (l3 << 21) + (l4 << 12);
+                                        if (pte & PG_PRESENT_MASK) {
+                                            prot = pte & (PG_USER_MASK | PG_RW_MASK |
+                                                          PG_PRESENT_MASK);
+                                        } else {
+                                            prot = 0;
+                                        }
+                                        mem_print(mon, &start, &last_prot, end, prot);
+                                    }
+                                }
+                            } else {
+                                prot = 0;
+                                mem_print(mon, &start, &last_prot, end, prot);
+                            }
+                        }
+                    }
+                } else {
+                    prot = 0;
+                    mem_print(mon, &start, &last_prot, end, prot);
+                }
+            }
+        } else {
+            prot = 0;
+            mem_print(mon, &start, &last_prot, end, prot);
+        }
+    }
+}
+#endif
+
+static void mem_info(Monitor *mon)
+{
+    CPUState *env;
+
+    env = mon_get_cpu();
+
+    if (!(env->cr[0] & CR0_PG_MASK)) {
+        monitor_printf(mon, "PG disabled\n");
+        return;
+    }
+    if (env->cr[4] & CR4_PAE_MASK) {
+#ifdef TARGET_X86_64
+        if (env->hflags & HF_LMA_MASK) {
+            mem_info_64(mon, env);
+        } else
+#endif
+        {
+            mem_info_pae32(mon, env);
+        }
+    } else {
+        mem_info_32(mon, env);
+    }
+}
 #endif
 
 #if defined(TARGET_SH4)
commit d65aaf3773e4be7ae97df9d867cbe9b36e2fb8a1
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Dec 11 18:56:24 2010 +0000

    monitor: implement x86 info tlb for PAE and long modes
    
    'info tlb' didn't show correct information for PAE mode and
    x86_64 long mode.
    
    Implement the missing modes. Also print NX bit for PAE and long modes.
    Fix off-by-one error in 32 bit mode mask.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/monitor.c b/monitor.c
index ec31eac..a4ab163 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1848,11 +1848,20 @@ static int do_system_powerdown(Monitor *mon, const QDict *qdict,
 }
 
 #if defined(TARGET_I386)
-static void print_pte(Monitor *mon, uint32_t addr, uint32_t pte, uint32_t mask)
+static void print_pte(Monitor *mon, target_phys_addr_t addr,
+                      target_phys_addr_t pte,
+                      target_phys_addr_t mask)
 {
-    monitor_printf(mon, "%08x: %08x %c%c%c%c%c%c%c%c\n",
+#ifdef TARGET_X86_64
+    if (addr & (1ULL << 47)) {
+        addr |= -1LL << 48;
+    }
+#endif
+    monitor_printf(mon, TARGET_FMT_plx ": " TARGET_FMT_plx
+                   " %c%c%c%c%c%c%c%c%c\n",
                    addr,
                    pte & mask,
+                   pte & PG_NX_MASK ? 'X' : '-',
                    pte & PG_GLOBAL_MASK ? 'G' : '-',
                    pte & PG_PSE_MASK ? 'P' : '-',
                    pte & PG_DIRTY_MASK ? 'D' : '-',
@@ -1863,25 +1872,19 @@ static void print_pte(Monitor *mon, uint32_t addr, uint32_t pte, uint32_t mask)
                    pte & PG_RW_MASK ? 'W' : '-');
 }
 
-static void tlb_info(Monitor *mon)
+static void tlb_info_32(Monitor *mon, CPUState *env)
 {
-    CPUState *env;
     int l1, l2;
     uint32_t pgd, pde, pte;
 
-    env = mon_get_cpu();
-
-    if (!(env->cr[0] & CR0_PG_MASK)) {
-        monitor_printf(mon, "PG disabled\n");
-        return;
-    }
     pgd = env->cr[3] & ~0xfff;
     for(l1 = 0; l1 < 1024; l1++) {
         cpu_physical_memory_read(pgd + l1 * 4, (uint8_t *)&pde, 4);
         pde = le32_to_cpu(pde);
         if (pde & PG_PRESENT_MASK) {
             if ((pde & PG_PSE_MASK) && (env->cr[4] & CR4_PSE_MASK)) {
-                print_pte(mon, (l1 << 22), pde, ~((1 << 20) - 1));
+                /* 4M pages */
+                print_pte(mon, (l1 << 22), pde, ~((1 << 21) - 1));
             } else {
                 for(l2 = 0; l2 < 1024; l2++) {
                     cpu_physical_memory_read((pde & ~0xfff) + l2 * 4,
@@ -1898,6 +1901,132 @@ static void tlb_info(Monitor *mon)
     }
 }
 
+static void tlb_info_pae32(Monitor *mon, CPUState *env)
+{
+    int l1, l2, l3;
+    uint64_t pdpe, pde, pte;
+    uint64_t pdp_addr, pd_addr, pt_addr;
+
+    pdp_addr = env->cr[3] & ~0x1f;
+    for (l1 = 0; l1 < 4; l1++) {
+        cpu_physical_memory_read(pdp_addr + l1 * 8, (uint8_t *)&pdpe, 8);
+        pdpe = le64_to_cpu(pdpe);
+        if (pdpe & PG_PRESENT_MASK) {
+            pd_addr = pdpe & 0x3fffffffff000ULL;
+            for (l2 = 0; l2 < 512; l2++) {
+                cpu_physical_memory_read(pd_addr + l2 * 8,
+                                         (uint8_t *)&pde, 8);
+                pde = le64_to_cpu(pde);
+                if (pde & PG_PRESENT_MASK) {
+                    if (pde & PG_PSE_MASK) {
+                        /* 2M pages with PAE, CR4.PSE is ignored */
+                        print_pte(mon, (l1 << 30 ) + (l2 << 21), pde,
+                                  ~((target_phys_addr_t)(1 << 20) - 1));
+                    } else {
+                        pt_addr = pde & 0x3fffffffff000ULL;
+                        for (l3 = 0; l3 < 512; l3++) {
+                            cpu_physical_memory_read(pt_addr + l3 * 8,
+                                                     (uint8_t *)&pte, 8);
+                            pte = le64_to_cpu(pte);
+                            if (pte & PG_PRESENT_MASK) {
+                                print_pte(mon, (l1 << 30 ) + (l2 << 21)
+                                          + (l3 << 12),
+                                          pte & ~PG_PSE_MASK,
+                                          ~(target_phys_addr_t)0xfff);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+#ifdef TARGET_X86_64
+static void tlb_info_64(Monitor *mon, CPUState *env)
+{
+    uint64_t l1, l2, l3, l4;
+    uint64_t pml4e, pdpe, pde, pte;
+    uint64_t pml4_addr, pdp_addr, pd_addr, pt_addr;
+
+    pml4_addr = env->cr[3] & 0x3fffffffff000ULL;
+    for (l1 = 0; l1 < 512; l1++) {
+        cpu_physical_memory_read(pml4_addr + l1 * 8, (uint8_t *)&pml4e, 8);
+        pml4e = le64_to_cpu(pml4e);
+        if (pml4e & PG_PRESENT_MASK) {
+            pdp_addr = pml4e & 0x3fffffffff000ULL;
+            for (l2 = 0; l2 < 512; l2++) {
+                cpu_physical_memory_read(pdp_addr + l2 * 8, (uint8_t *)&pdpe,
+                                         8);
+                pdpe = le64_to_cpu(pdpe);
+                if (pdpe & PG_PRESENT_MASK) {
+                    if (pdpe & PG_PSE_MASK) {
+                        /* 1G pages, CR4.PSE is ignored */
+                        print_pte(mon, (l1 << 39) + (l2 << 30), pdpe,
+                                  0x3ffffc0000000ULL);
+                    } else {
+                        pd_addr = pdpe & 0x3fffffffff000ULL;
+                        for (l3 = 0; l3 < 512; l3++) {
+                            cpu_physical_memory_read(pd_addr + l3 * 8,
+                                                     (uint8_t *)&pde, 8);
+                            pde = le64_to_cpu(pde);
+                            if (pde & PG_PRESENT_MASK) {
+                                if (pde & PG_PSE_MASK) {
+                                    /* 2M pages, CR4.PSE is ignored */
+                                    print_pte(mon, (l1 << 39) + (l2 << 30) +
+                                              (l3 << 21), pde,
+                                              0x3ffffffe00000ULL);
+                                } else {
+                                    pt_addr = pde & 0x3fffffffff000ULL;
+                                    for (l4 = 0; l4 < 512; l4++) {
+                                        cpu_physical_memory_read(pt_addr
+                                                                 + l4 * 8,
+                                                                 (uint8_t *)&pte,
+                                                                 8);
+                                        pte = le64_to_cpu(pte);
+                                        if (pte & PG_PRESENT_MASK) {
+                                            print_pte(mon, (l1 << 39) +
+                                                      (l2 << 30) +
+                                                      (l3 << 21) + (l4 << 12),
+                                                      pte & ~PG_PSE_MASK,
+                                                      0x3fffffffff000ULL);
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+#endif
+
+static void tlb_info(Monitor *mon)
+{
+    CPUState *env;
+
+    env = mon_get_cpu();
+
+    if (!(env->cr[0] & CR0_PG_MASK)) {
+        monitor_printf(mon, "PG disabled\n");
+        return;
+    }
+    if (env->cr[4] & CR4_PAE_MASK) {
+#ifdef TARGET_X86_64
+        if (env->hflags & HF_LMA_MASK) {
+            tlb_info_64(mon, env);
+        } else
+#endif
+        {
+            tlb_info_pae32(mon, env);
+        }
+    } else {
+        tlb_info_32(mon, env);
+    }
+}
+
 static void mem_print(Monitor *mon, uint32_t *pstart, int *plast_prot,
                       uint32_t end, int prot)
 {
commit fa82e9c300df6f7b8bd44a26ac752c4ea5da02c1
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Wed Dec 8 15:59:55 2010 +0100

    wdt_i6300esb: register a reset function
    
    The device shall set its default hardware state after each reset.
    This includes that the timer is stopped which is especially important
    if the guest does a reboot independantly of a watchdog bite. I moved
    the initialization of the state variables completely from the init
    to the reset function which is called right after init during the
    first boot and afterwards during each reboot.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/wdt_i6300esb.c b/hw/wdt_i6300esb.c
index 09f2f58..8443b41 100644
--- a/hw/wdt_i6300esb.c
+++ b/hw/wdt_i6300esb.c
@@ -140,14 +140,26 @@ static void i6300esb_disable_timer(I6300State *d)
     qemu_del_timer(d->timer);
 }
 
-static void i6300esb_reset(I6300State *d)
+static void i6300esb_reset(DeviceState *dev)
 {
-    /* XXX We should probably reset other parts of the state here,
-     * but we should also reset our state on general machine reset
-     * too.  For now just disable the timer so it doesn't fire
-     * again after the reboot.
-     */
+    PCIDevice *pdev = DO_UPCAST(PCIDevice, qdev, dev);
+    I6300State *d = DO_UPCAST(I6300State, dev, pdev);
+
+    i6300esb_debug("I6300State = %p\n", d);
+
     i6300esb_disable_timer(d);
+
+    d->reboot_enabled = 1;
+    d->clock_scale = CLOCK_SCALE_1KHZ;
+    d->int_type = INT_TYPE_IRQ;
+    d->free_run = 0;
+    d->locked = 0;
+    d->enabled = 0;
+    d->timer1_preload = 0xfffff;
+    d->timer2_preload = 0xfffff;
+    d->stage = 1;
+    d->unlock_state = 0;
+    d->previous_reboot_flag = 0;
 }
 
 /* This function is called when the watchdog expires.  Note that
@@ -181,7 +193,6 @@ static void i6300esb_timer_expired(void *vp)
         if (d->reboot_enabled) {
             d->previous_reboot_flag = 1;
             watchdog_perform_action(); /* This reboots, exits, etc */
-            i6300esb_reset(d);
         }
 
         /* In "free running mode" we start stage 1 again. */
@@ -395,18 +406,9 @@ static int i6300esb_init(PCIDevice *dev)
     I6300State *d = DO_UPCAST(I6300State, dev, dev);
     uint8_t *pci_conf;
 
-    d->reboot_enabled = 1;
-    d->clock_scale = CLOCK_SCALE_1KHZ;
-    d->int_type = INT_TYPE_IRQ;
-    d->free_run = 0;
-    d->locked = 0;
-    d->enabled = 0;
+    i6300esb_debug("I6300State = %p\n", d);
+
     d->timer = qemu_new_timer(vm_clock, i6300esb_timer_expired, d);
-    d->timer1_preload = 0xfffff;
-    d->timer2_preload = 0xfffff;
-    d->stage = 1;
-    d->unlock_state = 0;
-    d->previous_reboot_flag = 0;
 
     pci_conf = d->dev.config;
     pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_INTEL);
@@ -428,6 +430,7 @@ static PCIDeviceInfo i6300esb_info = {
     .qdev.name    = "i6300esb",
     .qdev.size    = sizeof(I6300State),
     .qdev.vmsd    = &vmstate_i6300esb,
+    .qdev.reset   = i6300esb_reset,
     .config_read  = i6300esb_config_read,
     .config_write = i6300esb_config_write,
     .init         = i6300esb_init,
commit 74782223de16e30940630b2bdb488e650ece6cd4
Author: Tristan Gingold <gingold at adacore.com>
Date:   Fri Dec 3 12:05:03 2010 +0100

    isa-bus.c: use hw_error instead of fprintf
    
    Minor clean-up in isa-bus.c.  Using hw_error is more consistent.
    There is a difference however: hw_error dumps the cpu state.
    
    Signed-off-by: Tristan Gingold <gingold at adacore.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/isa-bus.c b/hw/isa-bus.c
index 4e306de..3a6c961 100644
--- a/hw/isa-bus.c
+++ b/hw/isa-bus.c
@@ -68,12 +68,10 @@ void isa_bus_irqs(qemu_irq *irqs)
 qemu_irq isa_reserve_irq(int isairq)
 {
     if (isairq < 0 || isairq > 15) {
-        fprintf(stderr, "isa irq %d invalid\n", isairq);
-        exit(1);
+        hw_error("isa irq %d invalid", isairq);
     }
     if (isabus->assigned & (1 << isairq)) {
-        fprintf(stderr, "isa irq %d already assigned\n", isairq);
-        exit(1);
+        hw_error("isa irq %d already assigned", isairq);
     }
     isabus->assigned |= (1 << isairq);
     return isabus->irqs[isairq];
@@ -83,8 +81,7 @@ void isa_init_irq(ISADevice *dev, qemu_irq *p, int isairq)
 {
     assert(dev->nirqs < ARRAY_SIZE(dev->isairq));
     if (isabus->assigned & (1 << isairq)) {
-        fprintf(stderr, "isa irq %d already assigned\n", isairq);
-        exit(1);
+        hw_error("isa irq %d already assigned", isairq);
     }
     isabus->assigned |= (1 << isairq);
     dev->isairq[dev->nirqs] = isairq;
@@ -115,7 +112,7 @@ ISADevice *isa_create(const char *name)
     DeviceState *dev;
 
     if (!isabus) {
-        hw_error("Tried to create isa device %s with no isa bus present.\n",
+        hw_error("Tried to create isa device %s with no isa bus present.",
                  name);
     }
     dev = qdev_create(&isabus->qbus, name);
commit 34557491911f8977b5863628b1b6f5a9c95f9c29
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:50 2010 +0100

    usb_ohci: Always use little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Because we don't depend on the target endianness anymore, we can also
    move the driver over to Makefile.objs.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.objs b/Makefile.objs
index 2b93598..cebb945 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -188,6 +188,7 @@ hw-obj-$(CONFIG_I8254) += i8254.o
 hw-obj-$(CONFIG_PCSPK) += pcspk.o
 hw-obj-$(CONFIG_PCKBD) += pckbd.o
 hw-obj-$(CONFIG_USB_UHCI) += usb-uhci.o
+hw-obj-$(CONFIG_USB_OHCI) += usb-ohci.o
 hw-obj-$(CONFIG_FDC) += fdc.o
 hw-obj-$(CONFIG_ACPI) += acpi.o acpi_piix4.o
 hw-obj-$(CONFIG_APM) += pm_smbus.o apm.o
diff --git a/Makefile.target b/Makefile.target
index 8bef8e3..d08f5dd 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -206,9 +206,6 @@ QEMU_CFLAGS += $(VNC_PNG_CFLAGS)
 # xen backend driver support
 obj-$(CONFIG_XEN) += xen_machine_pv.o xen_domainbuild.o
 
-# USB layer
-obj-$(CONFIG_USB_OHCI) += usb-ohci.o
-
 # Inter-VM PCI shared memory
 obj-$(CONFIG_KVM) += ivshmem.o
 
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index ba1ebbc..8eb4a1e 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1530,9 +1530,6 @@ static uint32_t ohci_mem_read(void *ptr, target_phys_addr_t addr)
         }
     }
 
-#ifdef TARGET_WORDS_BIGENDIAN
-    retval = bswap32(retval);
-#endif
     return retval;
 }
 
@@ -1542,10 +1539,6 @@ static void ohci_mem_write(void *ptr, target_phys_addr_t addr, uint32_t val)
 
     addr &= 0xff;
 
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap32(val);
-#endif
-
     /* Only aligned reads are allowed on OHCI */
     if (addr & 3) {
         fprintf(stderr, "usb-ohci: Mis-aligned write\n");
@@ -1698,7 +1691,7 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
     }
 
     ohci->mem = cpu_register_io_memory(ohci_readfn, ohci_writefn, ohci,
-                                       DEVICE_NATIVE_ENDIAN);
+                                       DEVICE_LITTLE_ENDIAN);
     ohci->localmem_base = localmem_base;
 
     ohci->name = dev->info->name;
commit 968d683c042d80821a00a76608ae770a7401cac0
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:49 2010 +0100

    isa_mmio: Always use little endian
    
    This patch converts the ISA MMIO bridge code to always use little endian mmio.
    All bswap code that existed was only there to convert from native cpu
    endianness to little endian ISA devices.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/bonito.c b/hw/bonito.c
index fd90527..65a4a63 100644
--- a/hw/bonito.c
+++ b/hw/bonito.c
@@ -743,12 +743,12 @@ static int bonito_initfn(PCIDevice *dev)
     s->bonito_pciio_start = BONITO_PCIIO_BASE;
     s->bonito_pciio_length = BONITO_PCIIO_SIZE;
     isa_mem_base = s->bonito_pciio_start;
-    isa_mmio_init(s->bonito_pciio_start, s->bonito_pciio_length, 0);
+    isa_mmio_init(s->bonito_pciio_start, s->bonito_pciio_length);
 
     /* add pci local io mapping */
     s->bonito_localio_start = BONITO_DEV_BASE;
     s->bonito_localio_length = BONITO_DEV_SIZE;
-    isa_mmio_init(s->bonito_localio_start, s->bonito_localio_length, 0);
+    isa_mmio_init(s->bonito_localio_start, s->bonito_localio_length);
 
     /* set the default value of north bridge pci config */
     pci_set_word(dev->config + PCI_COMMAND, 0x0000);
diff --git a/hw/gt64xxx.c b/hw/gt64xxx.c
index 51e4db0..14c6ad3 100644
--- a/hw/gt64xxx.c
+++ b/hw/gt64xxx.c
@@ -297,11 +297,7 @@ static void gt64120_pci_mapping(GT64120State *s)
       s->PCI0IO_start = s->regs[GT_PCI0IOLD] << 21;
       s->PCI0IO_length = ((s->regs[GT_PCI0IOHD] + 1) - (s->regs[GT_PCI0IOLD] & 0x7f)) << 21;
       isa_mem_base = s->PCI0IO_start;
-#ifdef TARGET_WORDS_BIGENDIAN
-      isa_mmio_init(s->PCI0IO_start, s->PCI0IO_length, 1);
-#else
-      isa_mmio_init(s->PCI0IO_start, s->PCI0IO_length, 0);
-#endif
+      isa_mmio_init(s->PCI0IO_start, s->PCI0IO_length);
     }
 }
 
diff --git a/hw/isa.h b/hw/isa.h
index aaf0272..e6848e4 100644
--- a/hw/isa.h
+++ b/hw/isa.h
@@ -32,7 +32,7 @@ ISADevice *isa_create_simple(const char *name);
 
 extern target_phys_addr_t isa_mem_base;
 
-void isa_mmio_init(target_phys_addr_t base, target_phys_addr_t size, int be);
+void isa_mmio_init(target_phys_addr_t base, target_phys_addr_t size);
 
 /* dma.c */
 int DMA_get_channel_mode (int nchan);
diff --git a/hw/isa_mmio.c b/hw/isa_mmio.c
index 46458f4..ca957fb 100644
--- a/hw/isa_mmio.c
+++ b/hw/isa_mmio.c
@@ -31,27 +31,13 @@ static void isa_mmio_writeb (void *opaque, target_phys_addr_t addr,
     cpu_outb(addr & IOPORTS_MASK, val);
 }
 
-static void isa_mmio_writew_be(void *opaque, target_phys_addr_t addr,
+static void isa_mmio_writew(void *opaque, target_phys_addr_t addr,
                                uint32_t val)
 {
-    val = bswap16(val);
     cpu_outw(addr & IOPORTS_MASK, val);
 }
 
-static void isa_mmio_writew_le(void *opaque, target_phys_addr_t addr,
-                               uint32_t val)
-{
-    cpu_outw(addr & IOPORTS_MASK, val);
-}
-
-static void isa_mmio_writel_be(void *opaque, target_phys_addr_t addr,
-                               uint32_t val)
-{
-    val = bswap32(val);
-    cpu_outl(addr & IOPORTS_MASK, val);
-}
-
-static void isa_mmio_writel_le(void *opaque, target_phys_addr_t addr,
+static void isa_mmio_writel(void *opaque, target_phys_addr_t addr,
                                uint32_t val)
 {
     cpu_outl(addr & IOPORTS_MASK, val);
@@ -59,86 +45,38 @@ static void isa_mmio_writel_le(void *opaque, target_phys_addr_t addr,
 
 static uint32_t isa_mmio_readb (void *opaque, target_phys_addr_t addr)
 {
-    uint32_t val;
-
-    val = cpu_inb(addr & IOPORTS_MASK);
-    return val;
+    return cpu_inb(addr & IOPORTS_MASK);
 }
 
-static uint32_t isa_mmio_readw_be(void *opaque, target_phys_addr_t addr)
+static uint32_t isa_mmio_readw(void *opaque, target_phys_addr_t addr)
 {
-    uint32_t val;
-
-    val = cpu_inw(addr & IOPORTS_MASK);
-    val = bswap16(val);
-    return val;
+    return cpu_inw(addr & IOPORTS_MASK);
 }
 
-static uint32_t isa_mmio_readw_le(void *opaque, target_phys_addr_t addr)
+static uint32_t isa_mmio_readl(void *opaque, target_phys_addr_t addr)
 {
-    uint32_t val;
-
-    val = cpu_inw(addr & IOPORTS_MASK);
-    return val;
+    return cpu_inl(addr & IOPORTS_MASK);
 }
 
-static uint32_t isa_mmio_readl_be(void *opaque, target_phys_addr_t addr)
-{
-    uint32_t val;
-
-    val = cpu_inl(addr & IOPORTS_MASK);
-    val = bswap32(val);
-    return val;
-}
-
-static uint32_t isa_mmio_readl_le(void *opaque, target_phys_addr_t addr)
-{
-    uint32_t val;
-
-    val = cpu_inl(addr & IOPORTS_MASK);
-    return val;
-}
-
-static CPUWriteMemoryFunc * const isa_mmio_write_be[] = {
-    &isa_mmio_writeb,
-    &isa_mmio_writew_be,
-    &isa_mmio_writel_be,
-};
-
-static CPUReadMemoryFunc * const isa_mmio_read_be[] = {
-    &isa_mmio_readb,
-    &isa_mmio_readw_be,
-    &isa_mmio_readl_be,
-};
-
-static CPUWriteMemoryFunc * const isa_mmio_write_le[] = {
+static CPUWriteMemoryFunc * const isa_mmio_write[] = {
     &isa_mmio_writeb,
-    &isa_mmio_writew_le,
-    &isa_mmio_writel_le,
+    &isa_mmio_writew,
+    &isa_mmio_writel,
 };
 
-static CPUReadMemoryFunc * const isa_mmio_read_le[] = {
+static CPUReadMemoryFunc * const isa_mmio_read[] = {
     &isa_mmio_readb,
-    &isa_mmio_readw_le,
-    &isa_mmio_readl_le,
+    &isa_mmio_readw,
+    &isa_mmio_readl,
 };
 
-static int isa_mmio_iomemtype = 0;
-
-void isa_mmio_init(target_phys_addr_t base, target_phys_addr_t size, int be)
+void isa_mmio_init(target_phys_addr_t base, target_phys_addr_t size)
 {
-    if (!isa_mmio_iomemtype) {
-        if (be) {
-            isa_mmio_iomemtype = cpu_register_io_memory(isa_mmio_read_be,
-                                                        isa_mmio_write_be,
-                                                        NULL,
-                                                        DEVICE_NATIVE_ENDIAN);
-        } else {
-            isa_mmio_iomemtype = cpu_register_io_memory(isa_mmio_read_le,
-                                                        isa_mmio_write_le,
-                                                        NULL,
-                                                        DEVICE_NATIVE_ENDIAN);
-        }
-    }
+    int isa_mmio_iomemtype;
+
+    isa_mmio_iomemtype = cpu_register_io_memory(isa_mmio_read,
+                                                isa_mmio_write,
+                                                NULL,
+                                                DEVICE_LITTLE_ENDIAN);
     cpu_register_physical_memory(base, size, isa_mmio_iomemtype);
 }
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index 1264743..a7caa3f 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -205,12 +205,7 @@ void mips_jazz_init (ram_addr_t ram_size,
     pcspk_init(pit);
 
     /* ISA IO space at 0x90000000 */
-#ifdef TARGET_WORDS_BIGENDIAN
-    isa_mmio_init(0x90000000, 0x01000000, 1);
-#else
-    isa_mmio_init(0x90000000, 0x01000000, 0);
-#endif
-
+    isa_mmio_init(0x90000000, 0x01000000);
     isa_mem_base = 0x11000000;
 
     /* Video card */
diff --git a/hw/mips_mipssim.c b/hw/mips_mipssim.c
index 111c759..380a7eb 100644
--- a/hw/mips_mipssim.c
+++ b/hw/mips_mipssim.c
@@ -186,11 +186,7 @@ mips_mipssim_init (ram_addr_t ram_size,
     cpu_mips_clock_init(env);
 
     /* Register 64 KB of ISA IO space at 0x1fd00000. */
-#ifdef TARGET_WORDS_BIGENDIAN
-    isa_mmio_init(0x1fd00000, 0x00010000, 1);
-#else
-    isa_mmio_init(0x1fd00000, 0x00010000, 0);
-#endif
+    isa_mmio_init(0x1fd00000, 0x00010000);
 
     /* A single 16450 sits at offset 0x3f8. It is attached to
        MIPS CPU INT2, which is interrupt 4. */
diff --git a/hw/mips_r4k.c b/hw/mips_r4k.c
index afe52f3..fb34dcf 100644
--- a/hw/mips_r4k.c
+++ b/hw/mips_r4k.c
@@ -271,11 +271,7 @@ void mips_r4k_init (ram_addr_t ram_size,
     rtc_init(2000, NULL);
 
     /* Register 64 KB of ISA IO space at 0x14000000 */
-#ifdef TARGET_WORDS_BIGENDIAN
-    isa_mmio_init(0x14000000, 0x00010000, 1);
-#else
-    isa_mmio_init(0x14000000, 0x00010000, 0);
-#endif
+    isa_mmio_init(0x14000000, 0x00010000);
     isa_mem_base = 0x10000000;
 
     pit = pit_init(0x40, i8259[0]);
diff --git a/hw/ppc440.c b/hw/ppc440.c
index d12cf71..1ed001a 100644
--- a/hw/ppc440.c
+++ b/hw/ppc440.c
@@ -85,7 +85,7 @@ CPUState *ppc440ep_init(ram_addr_t *ram_size, PCIBus **pcip,
     if (!*pcip)
         printf("couldn't create PCI controller!\n");
 
-    isa_mmio_init(PPC440EP_PCI_IO, PPC440EP_PCI_IOLEN, 1);
+    isa_mmio_init(PPC440EP_PCI_IO, PPC440EP_PCI_IOLEN);
 
     if (serial_hds[0] != NULL) {
         serial_mm_init(0xef600300, 0, pic[0], PPC_SERIAL_MM_BAUDBASE,
diff --git a/hw/ppc_newworld.c b/hw/ppc_newworld.c
index 49b046b..b9245f0 100644
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -257,7 +257,7 @@ static void ppc_core99_init (ram_addr_t ram_size,
     isa_mem_base = 0x80000000;
 
     /* Register 8 MB of ISA IO space */
-    isa_mmio_init(0xf2000000, 0x00800000, 1);
+    isa_mmio_init(0xf2000000, 0x00800000);
 
     /* UniN init */
     unin_memory = cpu_register_io_memory(unin_read, unin_write, NULL,
diff --git a/hw/ppc_oldworld.c b/hw/ppc_oldworld.c
index 5efc93d..8a4e088 100644
--- a/hw/ppc_oldworld.c
+++ b/hw/ppc_oldworld.c
@@ -202,7 +202,7 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
     isa_mem_base = 0x80000000;
 
     /* Register 2 MB of ISA IO space */
-    isa_mmio_init(0xfe000000, 0x00200000, 1);
+    isa_mmio_init(0xfe000000, 0x00200000);
 
     /* XXX: we register only 1 output pin for heathrow PIC */
     heathrow_irqs = qemu_mallocz(smp_cpus * sizeof(qemu_irq *));
diff --git a/hw/ppce500_mpc8544ds.c b/hw/ppce500_mpc8544ds.c
index 59d20d3..b7670ae 100644
--- a/hw/ppce500_mpc8544ds.c
+++ b/hw/ppce500_mpc8544ds.c
@@ -220,7 +220,7 @@ static void mpc8544ds_init(ram_addr_t ram_size,
     if (!pci_bus)
         printf("couldn't create PCI controller!\n");
 
-    isa_mmio_init(MPC8544_PCI_IO, MPC8544_PCI_IOLEN, 1);
+    isa_mmio_init(MPC8544_PCI_IO, MPC8544_PCI_IOLEN);
 
     if (pci_bus) {
         /* Register network interfaces. */
diff --git a/hw/sh_pci.c b/hw/sh_pci.c
index 6042d9c..072078b 100644
--- a/hw/sh_pci.c
+++ b/hw/sh_pci.c
@@ -54,7 +54,7 @@ static void sh_pci_reg_write (void *p, target_phys_addr_t addr, uint32_t val)
             cpu_register_physical_memory(pcic->iobr & 0xfffc0000, 0x40000,
                                          IO_MEM_UNASSIGNED);
             pcic->iobr = val & 0xfffc0001;
-            isa_mmio_init(pcic->iobr & 0xfffc0000, 0x40000, 0);
+            isa_mmio_init(pcic->iobr & 0xfffc0000, 0x40000);
         }
         break;
     case 0x220:
@@ -109,7 +109,7 @@ PCIBus *sh_pci_register_bus(pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
     cpu_register_physical_memory(0xfe200000, 0x224, reg);
 
     p->iobr = 0xfe240000;
-    isa_mmio_init(p->iobr, 0x40000, 0);
+    isa_mmio_init(p->iobr, 0x40000);
 
     pci_config_set_vendor_id(p->dev->config, PCI_VENDOR_ID_HITACHI);
     pci_config_set_device_id(p->dev->config, PCI_DEVICE_ID_HITACHI_SH7751R);
diff --git a/hw/sun4u.c b/hw/sun4u.c
index 5292ac6..90b1ce2 100644
--- a/hw/sun4u.c
+++ b/hw/sun4u.c
@@ -525,10 +525,10 @@ static void ebus_mmio_mapfunc(PCIDevice *pci_dev, int region_num,
                  region_num, addr);
     switch (region_num) {
     case 0:
-        isa_mmio_init(addr, 0x1000000, 1);
+        isa_mmio_init(addr, 0x1000000);
         break;
     case 1:
-        isa_mmio_init(addr, 0x800000, 1);
+        isa_mmio_init(addr, 0x800000);
         break;
     }
 }
diff --git a/hw/versatile_pci.c b/hw/versatile_pci.c
index cc8f9f8..2fed8a0 100644
--- a/hw/versatile_pci.c
+++ b/hw/versatile_pci.c
@@ -96,11 +96,7 @@ static void pci_vpb_map(SysBusDevice *dev, target_phys_addr_t base)
 
     if (s->realview) {
         /* IO memory area.  */
-#ifdef TARGET_WORDS_BIGENDIAN
-        isa_mmio_init(base + 0x03000000, 0x00100000, 1);
-#else
-        isa_mmio_init(base + 0x03000000, 0x00100000, 0);
-#endif
+        isa_mmio_init(base + 0x03000000, 0x00100000);
     }
 }
 
commit b093c1a3277d4ce531a1a36f85dd542c60db3809
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:48 2010 +0100

    heathrow_pic: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/heathrow_pic.c b/hw/heathrow_pic.c
index 390b63c..b19b754 100644
--- a/hw/heathrow_pic.c
+++ b/hw/heathrow_pic.c
@@ -68,7 +68,6 @@ static void pic_writel (void *opaque, target_phys_addr_t addr, uint32_t value)
     HeathrowPIC *pic;
     unsigned int n;
 
-    value = bswap32(value);
     n = ((addr & 0xfff) - 0x10) >> 4;
     PIC_DPRINTF("writel: " TARGET_FMT_plx " %u: %08x\n", addr, n, value);
     if (n >= 2)
@@ -118,7 +117,6 @@ static uint32_t pic_readl (void *opaque, target_phys_addr_t addr)
         }
     }
     PIC_DPRINTF("readl: " TARGET_FMT_plx " %u: %08x\n", addr, n, value);
-    value = bswap32(value);
     return value;
 }
 
@@ -223,7 +221,7 @@ qemu_irq *heathrow_pic_init(int *pmem_index,
     /* only 1 CPU */
     s->irqs = irqs[0];
     *pmem_index = cpu_register_io_memory(pic_read, pic_write, s,
-                                         DEVICE_NATIVE_ENDIAN);
+                                         DEVICE_LITTLE_ENDIAN);
 
     register_savevm(NULL, "heathrow_pic", -1, 1, heathrow_pic_save,
                     heathrow_pic_load, s);
commit 5cf7a3ca5bfec0c62bd7ebdecd11320c47dc9be6
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:47 2010 +0100

    rtl8139: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Because we don't depend on the target endianness anymore, we can also
    move the driver over to Makefile.objs.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.objs b/Makefile.objs
index 29b1ede..2b93598 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -225,6 +225,7 @@ hw-obj-$(CONFIG_EEPRO100_PCI) += eepro100.o
 hw-obj-$(CONFIG_PCNET_PCI) += pcnet-pci.o
 hw-obj-$(CONFIG_PCNET_COMMON) += pcnet.o
 hw-obj-$(CONFIG_E1000_PCI) += e1000.o
+hw-obj-$(CONFIG_RTL8139_PCI) += rtl8139.o
 
 hw-obj-$(CONFIG_SMC91C111) += smc91c111.o
 hw-obj-$(CONFIG_LAN9118) += lan9118.o
diff --git a/Makefile.target b/Makefile.target
index 39d8df9..8bef8e3 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -209,9 +209,6 @@ obj-$(CONFIG_XEN) += xen_machine_pv.o xen_domainbuild.o
 # USB layer
 obj-$(CONFIG_USB_OHCI) += usb-ohci.o
 
-# PCI network cards
-obj-$(CONFIG_RTL8139_PCI) += rtl8139.o
-
 # Inter-VM PCI shared memory
 obj-$(CONFIG_KVM) += ivshmem.o
 
diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 30a3960..4a73f6f 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -3125,17 +3125,11 @@ static void rtl8139_mmio_writeb(void *opaque, target_phys_addr_t addr, uint32_t
 
 static void rtl8139_mmio_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap16(val);
-#endif
     rtl8139_io_writew(opaque, addr & 0xFF, val);
 }
 
 static void rtl8139_mmio_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap32(val);
-#endif
     rtl8139_io_writel(opaque, addr & 0xFF, val);
 }
 
@@ -3147,18 +3141,12 @@ static uint32_t rtl8139_mmio_readb(void *opaque, target_phys_addr_t addr)
 static uint32_t rtl8139_mmio_readw(void *opaque, target_phys_addr_t addr)
 {
     uint32_t val = rtl8139_io_readw(opaque, addr & 0xFF);
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap16(val);
-#endif
     return val;
 }
 
 static uint32_t rtl8139_mmio_readl(void *opaque, target_phys_addr_t addr)
 {
     uint32_t val = rtl8139_io_readl(opaque, addr & 0xFF);
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap32(val);
-#endif
     return val;
 }
 
@@ -3367,7 +3355,7 @@ static int pci_rtl8139_init(PCIDevice *dev)
     /* I/O handler for memory-mapped I/O */
     s->rtl8139_mmio_io_addr =
         cpu_register_io_memory(rtl8139_mmio_read, rtl8139_mmio_write, s,
-                               DEVICE_NATIVE_ENDIAN);
+                               DEVICE_LITTLE_ENDIAN);
 
     pci_register_bar(&s->dev, 0, 0x100,
                            PCI_BASE_ADDRESS_SPACE_IO,  rtl8139_ioport_map);
commit 82600641c1bb09611ea5e82be7589c86027787a0
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:46 2010 +0100

    openpic: Replace explicit byte swap with endian hints
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/openpic.c b/hw/openpic.c
index 9e2500a..6d2cf99 100644
--- a/hw/openpic.c
+++ b/hw/openpic.c
@@ -242,19 +242,10 @@ typedef struct openpic_t {
     int max_irq;
     int irq_ipi0;
     int irq_tim0;
-    int need_swap;
     void (*reset) (void *);
     void (*irq_raise) (struct openpic_t *, int, IRQ_src_t *);
 } openpic_t;
 
-static inline uint32_t openpic_swap32(openpic_t *opp, uint32_t val)
-{
-    if (opp->need_swap)
-        return bswap32(val);
-
-    return val;
-}
-
 static inline void IRQ_setbit (IRQ_queue_t *q, int n_IRQ)
 {
     set_bit(q->queue, n_IRQ);
@@ -599,7 +590,6 @@ static void openpic_gbl_write (void *opaque, target_phys_addr_t addr, uint32_t v
     DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
     if (addr & 0xF)
         return;
-    val = openpic_swap32(opp, val);
     addr &= 0xFF;
     switch (addr) {
     case 0x00: /* FREP */
@@ -693,7 +683,6 @@ static uint32_t openpic_gbl_read (void *opaque, target_phys_addr_t addr)
         break;
     }
     DPRINTF("%s: => %08x\n", __func__, retval);
-    retval = openpic_swap32(opp, retval);
 
     return retval;
 }
@@ -706,7 +695,6 @@ static void openpic_timer_write (void *opaque, uint32_t addr, uint32_t val)
     DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
     if (addr & 0xF)
         return;
-    val = openpic_swap32(opp, val);
     addr -= 0x1100;
     addr &= 0xFFFF;
     idx = (addr & 0xFFF0) >> 6;
@@ -759,7 +747,6 @@ static uint32_t openpic_timer_read (void *opaque, uint32_t addr)
         break;
     }
     DPRINTF("%s: => %08x\n", __func__, retval);
-    retval = openpic_swap32(opp, retval);
 
     return retval;
 }
@@ -772,7 +759,6 @@ static void openpic_src_write (void *opaque, uint32_t addr, uint32_t val)
     DPRINTF("%s: addr %08x <= %08x\n", __func__, addr, val);
     if (addr & 0xF)
         return;
-    val = openpic_swap32(opp, val);
     addr = addr & 0xFFF0;
     idx = addr >> 5;
     if (addr & 0x10) {
@@ -804,7 +790,6 @@ static uint32_t openpic_src_read (void *opaque, uint32_t addr)
         retval = read_IRQreg(opp, idx, IRQ_IPVP);
     }
     DPRINTF("%s: => %08x\n", __func__, retval);
-    retval = openpic_swap32(opp, retval);
 
     return retval;
 }
@@ -819,7 +804,6 @@ static void openpic_cpu_write (void *opaque, target_phys_addr_t addr, uint32_t v
     DPRINTF("%s: addr " TARGET_FMT_plx " <= %08x\n", __func__, addr, val);
     if (addr & 0xF)
         return;
-    val = openpic_swap32(opp, val);
     addr &= 0x1FFF0;
     idx = addr / 0x1000;
     dst = &opp->dst[idx];
@@ -937,7 +921,6 @@ static uint32_t openpic_cpu_read (void *opaque, target_phys_addr_t addr)
         break;
     }
     DPRINTF("%s: => %08x\n", __func__, retval);
-    retval = openpic_swap32(opp, retval);
 
     return retval;
 }
@@ -1204,7 +1187,7 @@ qemu_irq *openpic_init (PCIBus *bus, int *pmem_index, int nb_cpus,
         opp = qemu_mallocz(sizeof(openpic_t));
     }
     opp->mem_index = cpu_register_io_memory(openpic_read, openpic_write, opp,
-                                            DEVICE_NATIVE_ENDIAN);
+                                            DEVICE_LITTLE_ENDIAN);
 
     //    isu_base &= 0xFFFC0000;
     opp->nb_cpus = nb_cpus;
@@ -1232,7 +1215,6 @@ qemu_irq *openpic_init (PCIBus *bus, int *pmem_index, int nb_cpus,
     for (i = 0; i < nb_cpus; i++)
         opp->dst[i].irqs = irqs[i];
     opp->irq_out = irq_out;
-    opp->need_swap = 1;
 
     register_savevm(&opp->pci_dev.qdev, "openpic", 0, 2,
                     openpic_save, openpic_load, opp);
@@ -1673,7 +1655,7 @@ qemu_irq *mpic_init (target_phys_addr_t base, int nb_cpus,
         int mem_index;
 
         mem_index = cpu_register_io_memory(list[i].read, list[i].write, mpp,
-                                           DEVICE_NATIVE_ENDIAN);
+                                           DEVICE_BIG_ENDIAN);
         if (mem_index < 0) {
             goto free;
         }
@@ -1689,7 +1671,6 @@ qemu_irq *mpic_init (target_phys_addr_t base, int nb_cpus,
     for (i = 0; i < nb_cpus; i++)
         mpp->dst[i].irqs = irqs[i];
     mpp->irq_out = irq_out;
-    mpp->need_swap = 0;    /* MPIC has the same endian as target */
 
     mpp->irq_raise = mpic_irq_raise;
     mpp->reset = mpic_reset;
commit 0d2a73b3abe4d8380579bfeed39530a4b6c597ad
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:45 2010 +0100

    ppc4xx_pci: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ppc4xx_pci.c b/hw/ppc4xx_pci.c
index f2ecece..f62f1f9 100644
--- a/hw/ppc4xx_pci.c
+++ b/hw/ppc4xx_pci.c
@@ -24,7 +24,6 @@
 #include "ppc4xx.h"
 #include "pci.h"
 #include "pci_host.h"
-#include "bswap.h"
 
 #undef DEBUG
 #ifdef DEBUG
@@ -102,10 +101,6 @@ static void pci4xx_cfgaddr_writel(void *opaque, target_phys_addr_t addr,
 {
     PPC4xxPCIState *ppc4xx_pci = opaque;
 
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap32(value);
-#endif
-
     ppc4xx_pci->pci_state.config_reg = value & ~0x3;
 }
 
@@ -120,10 +115,6 @@ static void ppc4xx_pci_reg_write4(void *opaque, target_phys_addr_t offset,
 {
     struct PPC4xxPCIState *pci = opaque;
 
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap32(value);
-#endif
-
     /* We ignore all target attempts at PCI configuration, effectively
      * assuming a bidirectional 1:1 mapping of PLB and PCI space. */
 
@@ -251,10 +242,6 @@ static uint32_t ppc4xx_pci_reg_read4(void *opaque, target_phys_addr_t offset)
         value = 0;
     }
 
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap32(value);
-#endif
-
     return value;
 }
 
@@ -373,7 +360,7 @@ PCIBus *ppc4xx_pci_init(CPUState *env, qemu_irq pci_irqs[4],
     /* CFGADDR */
     index = cpu_register_io_memory(pci4xx_cfgaddr_read,
                                    pci4xx_cfgaddr_write, controller,
-                                   DEVICE_NATIVE_ENDIAN);
+                                   DEVICE_LITTLE_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(config_space + PCIC0_CFGADDR, 4, index);
@@ -386,7 +373,7 @@ PCIBus *ppc4xx_pci_init(CPUState *env, qemu_irq pci_irqs[4],
 
     /* Internal registers */
     index = cpu_register_io_memory(pci_reg_read, pci_reg_write, controller,
-                                   DEVICE_NATIVE_ENDIAN);
+                                   DEVICE_LITTLE_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(registers, PCI_REG_SIZE, index);
commit 387c3e96bf34222f265d005b6b7aaef0b01ae6e9
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:44 2010 +0100

    versatile_pci: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/versatile_pci.c b/hw/versatile_pci.c
index 3baad96..cc8f9f8 100644
--- a/hw/versatile_pci.c
+++ b/hw/versatile_pci.c
@@ -32,18 +32,12 @@ static void pci_vpb_config_writeb (void *opaque, target_phys_addr_t addr,
 static void pci_vpb_config_writew (void *opaque, target_phys_addr_t addr,
                                    uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap16(val);
-#endif
     pci_data_write(opaque, vpb_pci_config_addr (addr), val, 2);
 }
 
 static void pci_vpb_config_writel (void *opaque, target_phys_addr_t addr,
                                    uint32_t val)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap32(val);
-#endif
     pci_data_write(opaque, vpb_pci_config_addr (addr), val, 4);
 }
 
@@ -58,9 +52,6 @@ static uint32_t pci_vpb_config_readw (void *opaque, target_phys_addr_t addr)
 {
     uint32_t val;
     val = pci_data_read(opaque, vpb_pci_config_addr (addr), 2);
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap16(val);
-#endif
     return val;
 }
 
@@ -68,9 +59,6 @@ static uint32_t pci_vpb_config_readl (void *opaque, target_phys_addr_t addr)
 {
     uint32_t val;
     val = pci_data_read(opaque, vpb_pci_config_addr (addr), 4);
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap32(val);
-#endif
     return val;
 }
 
@@ -133,7 +121,7 @@ static int pci_vpb_init(SysBusDevice *dev)
 
     s->mem_config = cpu_register_io_memory(pci_vpb_config_read,
                                            pci_vpb_config_write, bus,
-                                           DEVICE_NATIVE_ENDIAN);
+                                           DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio_cb(dev, 0x04000000, pci_vpb_map);
 
     pci_create_simple(bus, -1, "versatile_pci_host");
commit 8cb7da56188bbf6b083df5d6f1a7f5db6ec17dda
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:43 2010 +0100

    prep: Declare as little endian
    
    This patch replaces explicit bswaps with endianness hints to the
    mmio layer.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index 80f5db6..1492266 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -145,20 +145,12 @@ static uint32_t PPC_intack_readb (void *opaque, target_phys_addr_t addr)
 
 static uint32_t PPC_intack_readw (void *opaque, target_phys_addr_t addr)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    return bswap16(_PPC_intack_read(addr));
-#else
     return _PPC_intack_read(addr);
-#endif
 }
 
 static uint32_t PPC_intack_readl (void *opaque, target_phys_addr_t addr)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    return bswap32(_PPC_intack_read(addr));
-#else
     return _PPC_intack_read(addr);
-#endif
 }
 
 static CPUWriteMemoryFunc * const PPC_intack_write[] = {
@@ -210,9 +202,6 @@ static void PPC_XCSR_writeb (void *opaque,
 static void PPC_XCSR_writew (void *opaque,
                              target_phys_addr_t addr, uint32_t value)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap16(value);
-#endif
     printf("%s: 0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", __func__, addr,
            value);
 }
@@ -220,9 +209,6 @@ static void PPC_XCSR_writew (void *opaque,
 static void PPC_XCSR_writel (void *opaque,
                              target_phys_addr_t addr, uint32_t value)
 {
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap32(value);
-#endif
     printf("%s: 0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", __func__, addr,
            value);
 }
@@ -243,9 +229,6 @@ static uint32_t PPC_XCSR_readw (void *opaque, target_phys_addr_t addr)
 
     printf("%s: 0x" TARGET_FMT_plx " <= %08" PRIx32 "\n", __func__, addr,
            retval);
-#ifdef TARGET_WORDS_BIGENDIAN
-    retval = bswap16(retval);
-#endif
 
     return retval;
 }
@@ -256,9 +239,6 @@ static uint32_t PPC_XCSR_readl (void *opaque, target_phys_addr_t addr)
 
     printf("%s: 0x" TARGET_FMT_plx " <= %08" PRIx32 "\n", __func__, addr,
            retval);
-#ifdef TARGET_WORDS_BIGENDIAN
-    retval = bswap32(retval);
-#endif
 
     return retval;
 }
@@ -484,9 +464,6 @@ static void PPC_prep_io_writew (void *opaque, target_phys_addr_t addr,
     sysctrl_t *sysctrl = opaque;
 
     addr = prep_IO_address(sysctrl, addr);
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap16(value);
-#endif
     PPC_IO_DPRINTF("0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", addr, value);
     cpu_outw(addr, value);
 }
@@ -498,9 +475,6 @@ static uint32_t PPC_prep_io_readw (void *opaque, target_phys_addr_t addr)
 
     addr = prep_IO_address(sysctrl, addr);
     ret = cpu_inw(addr);
-#ifdef TARGET_WORDS_BIGENDIAN
-    ret = bswap16(ret);
-#endif
     PPC_IO_DPRINTF("0x" TARGET_FMT_plx " <= 0x%08" PRIx32 "\n", addr, ret);
 
     return ret;
@@ -512,9 +486,6 @@ static void PPC_prep_io_writel (void *opaque, target_phys_addr_t addr,
     sysctrl_t *sysctrl = opaque;
 
     addr = prep_IO_address(sysctrl, addr);
-#ifdef TARGET_WORDS_BIGENDIAN
-    value = bswap32(value);
-#endif
     PPC_IO_DPRINTF("0x" TARGET_FMT_plx " => 0x%08" PRIx32 "\n", addr, value);
     cpu_outl(addr, value);
 }
@@ -526,9 +497,6 @@ static uint32_t PPC_prep_io_readl (void *opaque, target_phys_addr_t addr)
 
     addr = prep_IO_address(sysctrl, addr);
     ret = cpu_inl(addr);
-#ifdef TARGET_WORDS_BIGENDIAN
-    ret = bswap32(ret);
-#endif
     PPC_IO_DPRINTF("0x" TARGET_FMT_plx " <= 0x%08" PRIx32 "\n", addr, ret);
 
     return ret;
@@ -691,7 +659,7 @@ static void ppc_prep_init (ram_addr_t ram_size,
     /* Register 8 MB of ISA IO space (needed for non-contiguous map) */
     PPC_io_memory = cpu_register_io_memory(PPC_prep_io_read,
                                            PPC_prep_io_write, sysctrl,
-                                           DEVICE_NATIVE_ENDIAN);
+                                           DEVICE_LITTLE_ENDIAN);
     cpu_register_physical_memory(0x80000000, 0x00800000, PPC_io_memory);
 
     /* init basic PC hardware */
@@ -757,12 +725,12 @@ static void ppc_prep_init (ram_addr_t ram_size,
     /* PCI intack location */
     PPC_io_memory = cpu_register_io_memory(PPC_intack_read,
                                            PPC_intack_write, NULL,
-                                           DEVICE_NATIVE_ENDIAN);
+                                           DEVICE_LITTLE_ENDIAN);
     cpu_register_physical_memory(0xBFFFFFF0, 0x4, PPC_io_memory);
     /* PowerPC control and status register group */
 #if 0
     PPC_io_memory = cpu_register_io_memory(PPC_XCSR_read, PPC_XCSR_write,
-                                           NULL, DEVICE_NATIVE_ENDIAN);
+                                           NULL, DEVICE_LITTLE_ENDIAN);
     cpu_register_physical_memory(0xFEFF0000, 0x1000, PPC_io_memory);
 #endif
 
commit 32600a309f34ab173bbb79de73e85b7879d235bf
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:42 2010 +0100

    e1000: Make little endian
    
    The e1000 has compatibility code to handle big endianness which makes it
    mandatory to be recompiled on different targets.
    
    With the generic mmio endianness solution, there's no need for that anymore.
    We just declare all mmio to be little endian and call it a day.
    
    Because we don't depend on the target endianness anymore, we can also
    move the driver over to Makefile.objs.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.objs b/Makefile.objs
index 04625eb..29b1ede 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -224,6 +224,7 @@ hw-obj-$(CONFIG_NE2000_PCI) += ne2000.o
 hw-obj-$(CONFIG_EEPRO100_PCI) += eepro100.o
 hw-obj-$(CONFIG_PCNET_PCI) += pcnet-pci.o
 hw-obj-$(CONFIG_PCNET_COMMON) += pcnet.o
+hw-obj-$(CONFIG_E1000_PCI) += e1000.o
 
 hw-obj-$(CONFIG_SMC91C111) += smc91c111.o
 hw-obj-$(CONFIG_LAN9118) += lan9118.o
diff --git a/Makefile.target b/Makefile.target
index 5784844..39d8df9 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -211,7 +211,6 @@ obj-$(CONFIG_USB_OHCI) += usb-ohci.o
 
 # PCI network cards
 obj-$(CONFIG_RTL8139_PCI) += rtl8139.o
-obj-$(CONFIG_E1000_PCI) += e1000.o
 
 # Inter-VM PCI shared memory
 obj-$(CONFIG_KVM) += ivshmem.o
diff --git a/hw/e1000.c b/hw/e1000.c
index bf3f2d3..a697abd 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -857,9 +857,6 @@ e1000_mmio_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
     E1000State *s = opaque;
     unsigned int index = (addr & 0x1ffff) >> 2;
 
-#ifdef TARGET_WORDS_BIGENDIAN
-    val = bswap32(val);
-#endif
     if (index < NWRITEOPS && macreg_writeops[index]) {
         macreg_writeops[index](s, index, val);
     } else if (index < NREADOPS && macreg_readops[index]) {
@@ -894,11 +891,7 @@ e1000_mmio_readl(void *opaque, target_phys_addr_t addr)
 
     if (index < NREADOPS && macreg_readops[index])
     {
-        uint32_t val = macreg_readops[index](s, index);
-#ifdef TARGET_WORDS_BIGENDIAN
-        val = bswap32(val);
-#endif
-        return val;
+        return macreg_readops[index](s, index);
     }
     DBGOUT(UNKNOWN, "MMIO unknown read addr=0x%08x\n", index<<2);
     return 0;
@@ -1131,7 +1124,7 @@ static int pci_e1000_init(PCIDevice *pci_dev)
     pci_conf[PCI_INTERRUPT_PIN] = 1; // interrupt pin 0
 
     d->mmio_index = cpu_register_io_memory(e1000_mmio_read,
-            e1000_mmio_write, d, DEVICE_NATIVE_ENDIAN);
+            e1000_mmio_write, d, DEVICE_LITTLE_ENDIAN);
 
     pci_register_bar(&d->dev, 0, PNPMMIO_SIZE,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, e1000_mmio_map);
commit f23cea4d04287c2e7c1bb614c84c3b0086bcb7d3
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:41 2010 +0100

    uninorth: Get rid of bswap
    
    There's no need to bswap once we correctly set the mmio to be little endian.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/unin_pci.c b/hw/unin_pci.c
index f2e440e..5f15058 100644
--- a/hw/unin_pci.c
+++ b/hw/unin_pci.c
@@ -121,7 +121,6 @@ static void unin_data_write(ReadWriteHandler *handler,
                             pcibus_t addr, uint32_t val, int len)
 {
     UNINState *s = container_of(handler, UNINState, data_handler);
-    val = qemu_bswap_len(val, len);
     UNIN_DPRINTF("write addr %" FMT_PCIBUS " len %d val %x\n", addr, len, val);
     pci_data_write(s->host_state.bus,
                    unin_get_config_reg(s->host_state.config_reg, addr),
@@ -138,7 +137,6 @@ static uint32_t unin_data_read(ReadWriteHandler *handler,
                         unin_get_config_reg(s->host_state.config_reg, addr),
                         len);
     UNIN_DPRINTF("read addr %" FMT_PCIBUS " len %d val %x\n", addr, len, val);
-    val = qemu_bswap_len(val, len);
     return val;
 }
 
@@ -156,7 +154,7 @@ static int pci_unin_main_init_device(SysBusDevice *dev)
     s->data_handler.read = unin_data_read;
     s->data_handler.write = unin_data_write;
     pci_mem_data = cpu_register_io_memory_simple(&s->data_handler,
-                                                 DEVICE_NATIVE_ENDIAN);
+                                                 DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
 
@@ -179,7 +177,7 @@ static int pci_u3_agp_init_device(SysBusDevice *dev)
     s->data_handler.read = unin_data_read;
     s->data_handler.write = unin_data_write;
     pci_mem_data = cpu_register_io_memory_simple(&s->data_handler,
-                                                 DEVICE_NATIVE_ENDIAN);
+                                                 DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
 
commit 2507c12ab026b2286b0a47035c629f3d568c96f4
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:37 2010 +0100

    Add endianness as io mem parameter
    
    As stated before, devices can be little, big or native endian. The
    target endianness is not of their concern, so we need to push things
    down a level.
    
    This patch adds a parameter to cpu_register_io_memory that allows a
    device to choose its endianness. For now, all devices simply choose
    native endian, because that's the same behavior as before.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/exec.c b/exec.c
index af1e89d..a338495 100644
--- a/exec.c
+++ b/exec.c
@@ -3331,7 +3331,8 @@ static subpage_t *subpage_init (target_phys_addr_t base, ram_addr_t *phys,
     mmio = qemu_mallocz(sizeof(subpage_t));
 
     mmio->base = base;
-    subpage_memory = cpu_register_io_memory(subpage_read, subpage_write, mmio);
+    subpage_memory = cpu_register_io_memory(subpage_read, subpage_write, mmio,
+                                            DEVICE_NATIVE_ENDIAN);
 #if defined(DEBUG_SUBPAGE)
     printf("%s: %p base " TARGET_FMT_plx " len %08x %d\n", __func__,
            mmio, base, TARGET_PAGE_SIZE, subpage_memory);
@@ -3468,7 +3469,6 @@ static int cpu_register_io_memory_fixed(int io_index,
                                         void *opaque, enum device_endian endian)
 {
     int i;
-    int endian = DEVICE_NATIVE_ENDIAN;
 
     if (io_index <= 0) {
         io_index = get_free_io_mem_idx();
@@ -3513,7 +3513,7 @@ int cpu_register_io_memory(CPUReadMemoryFunc * const *mem_read,
                            CPUWriteMemoryFunc * const *mem_write,
                            void *opaque, enum device_endian endian)
 {
-    return cpu_register_io_memory_fixed(0, mem_read, mem_write, opaque);
+    return cpu_register_io_memory_fixed(0, mem_read, mem_write, opaque, endian);
 }
 
 void cpu_unregister_io_memory(int io_table_address)
@@ -3535,14 +3535,21 @@ static void io_mem_init(void)
 {
     int i;
 
-    cpu_register_io_memory_fixed(IO_MEM_ROM, error_mem_read, unassigned_mem_write, NULL);
-    cpu_register_io_memory_fixed(IO_MEM_UNASSIGNED, unassigned_mem_read, unassigned_mem_write, NULL);
-    cpu_register_io_memory_fixed(IO_MEM_NOTDIRTY, error_mem_read, notdirty_mem_write, NULL);
+    cpu_register_io_memory_fixed(IO_MEM_ROM, error_mem_read,
+                                 unassigned_mem_write, NULL,
+                                 DEVICE_NATIVE_ENDIAN);
+    cpu_register_io_memory_fixed(IO_MEM_UNASSIGNED, unassigned_mem_read,
+                                 unassigned_mem_write, NULL,
+                                 DEVICE_NATIVE_ENDIAN);
+    cpu_register_io_memory_fixed(IO_MEM_NOTDIRTY, error_mem_read,
+                                 notdirty_mem_write, NULL,
+                                 DEVICE_NATIVE_ENDIAN);
     for (i=0; i<5; i++)
         io_mem_used[i] = 1;
 
     io_mem_watch = cpu_register_io_memory(watch_mem_read,
-                                          watch_mem_write, NULL);
+                                          watch_mem_write, NULL,
+                                          DEVICE_NATIVE_ENDIAN);
 }
 
 #endif /* !defined(CONFIG_USER_ONLY) */
diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index c619112..bf00c71 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -410,7 +410,8 @@ static int pci_pbm_init_device(SysBusDevice *dev)
 
     /* apb_config */
     apb_config = cpu_register_io_memory(apb_config_read,
-                                        apb_config_write, s);
+                                        apb_config_write, s,
+                                        DEVICE_NATIVE_ENDIAN);
     /* at region 0 */
     sysbus_init_mmio(dev, 0x10000ULL, apb_config);
 
@@ -424,7 +425,8 @@ static int pci_pbm_init_device(SysBusDevice *dev)
 
     /* pci_ioport */
     pci_ioport = cpu_register_io_memory(pci_apb_ioread,
-                                        pci_apb_iowrite, s);
+                                        pci_apb_iowrite, s,
+                                        DEVICE_NATIVE_ENDIAN);
     /* at region 2 */
     sysbus_init_mmio(dev, 0x10000ULL, pci_ioport);
 
diff --git a/hw/apic.c b/hw/apic.c
index 5f4a87c..a5a53fb 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -980,7 +980,8 @@ static int apic_init1(SysBusDevice *dev)
         return -1;
     }
     apic_io_memory = cpu_register_io_memory(apic_mem_read,
-                                            apic_mem_write, NULL);
+                                            apic_mem_write, NULL,
+                                            DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MSI_ADDR_SIZE, apic_io_memory);
 
     s->timer = qemu_new_timer(vm_clock, apic_timer, s);
diff --git a/hw/arm_gic.c b/hw/arm_gic.c
index 8286a28..e6b1953 100644
--- a/hw/arm_gic.c
+++ b/hw/arm_gic.c
@@ -742,7 +742,8 @@ static void gic_init(gic_state *s)
         sysbus_init_irq(&s->busdev, &s->parent_irq[i]);
     }
     s->iomemtype = cpu_register_io_memory(gic_dist_readfn,
-                                          gic_dist_writefn, s);
+                                          gic_dist_writefn, s,
+                                          DEVICE_NATIVE_ENDIAN);
     gic_reset(s);
     register_savevm(NULL, "arm_gic", -1, 1, gic_save, gic_load, s);
 }
diff --git a/hw/arm_sysctl.c b/hw/arm_sysctl.c
index 0cb2ffc..bd0664f 100644
--- a/hw/arm_sysctl.c
+++ b/hw/arm_sysctl.c
@@ -208,7 +208,8 @@ static int arm_sysctl_init1(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(arm_sysctl_readfn,
-                                       arm_sysctl_writefn, s);
+                                       arm_sysctl_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     /* ??? Save/restore.  */
     return 0;
diff --git a/hw/arm_timer.c b/hw/arm_timer.c
index f009e9e..82f05de 100644
--- a/hw/arm_timer.c
+++ b/hw/arm_timer.c
@@ -269,7 +269,7 @@ static int sp804_init(SysBusDevice *dev)
     s->timer[0]->irq = qi[0];
     s->timer[1]->irq = qi[1];
     iomemtype = cpu_register_io_memory(sp804_readfn,
-                                       sp804_writefn, s);
+                                       sp804_writefn, s, DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     register_savevm(&dev->qdev, "sp804", -1, 1, sp804_save, sp804_load, s);
     return 0;
@@ -340,7 +340,8 @@ static int icp_pit_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->timer[2]->irq);
 
     iomemtype = cpu_register_io_memory(icp_pit_readfn,
-                                       icp_pit_writefn, s);
+                                       icp_pit_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     /* This device has no state to save/restore.  The component timers will
        save themselves.  */
diff --git a/hw/armv7m.c b/hw/armv7m.c
index 588ec98..304cd34 100644
--- a/hw/armv7m.c
+++ b/hw/armv7m.c
@@ -130,7 +130,7 @@ static int bitband_init(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(bitband_readfn, bitband_writefn,
-                                       &s->base);
+                                       &s->base, DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x02000000, iomemtype);
     return 0;
 }
diff --git a/hw/axis_dev88.c b/hw/axis_dev88.c
index f16c76a..57b5e2f 100644
--- a/hw/axis_dev88.c
+++ b/hw/axis_dev88.c
@@ -280,11 +280,13 @@ void axisdev88_init (ram_addr_t ram_size,
 
       /* Attach a NAND flash to CS1.  */
     nand_state.nand = nand_init(NAND_MFR_STMICRO, 0x39);
-    nand_regs = cpu_register_io_memory(nand_read, nand_write, &nand_state);
+    nand_regs = cpu_register_io_memory(nand_read, nand_write, &nand_state,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x10000000, 0x05000000, nand_regs);
 
     gpio_state.nand = &nand_state;
-    gpio_regs = cpu_register_io_memory(gpio_read, gpio_write, &gpio_state);
+    gpio_regs = cpu_register_io_memory(gpio_read, gpio_write, &gpio_state,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x3001a000, 0x5c, gpio_regs);
 
 
diff --git a/hw/bonito.c b/hw/bonito.c
index dcf0311..fd90527 100644
--- a/hw/bonito.c
+++ b/hw/bonito.c
@@ -698,7 +698,8 @@ static int bonito_initfn(PCIDevice *dev)
     pci_config_set_revision(dev->config, 0x01);
 
     /* set the north bridge register mapping */
-    s->bonito_reg_handle = cpu_register_io_memory(bonito_read, bonito_write, s);
+    s->bonito_reg_handle = cpu_register_io_memory(bonito_read, bonito_write, s,
+                                                  DEVICE_NATIVE_ENDIAN);
     s->bonito_reg_start = BONITO_INTERNAL_REG_BASE;
     s->bonito_reg_length = BONITO_INTERNAL_REG_SIZE;
     cpu_register_physical_memory(s->bonito_reg_start, s->bonito_reg_length,
@@ -706,7 +707,8 @@ static int bonito_initfn(PCIDevice *dev)
 
     /* set the north bridge pci configure  mapping */
     s->bonito_pciconf_handle = cpu_register_io_memory(bonito_pciconf_read,
-                                                      bonito_pciconf_write, s);
+                                                      bonito_pciconf_write, s,
+                                                      DEVICE_NATIVE_ENDIAN);
     s->bonito_pciconf_start = BONITO_PCICONFIG_BASE;
     s->bonito_pciconf_length = BONITO_PCICONFIG_SIZE;
     cpu_register_physical_memory(s->bonito_pciconf_start, s->bonito_pciconf_length,
@@ -714,21 +716,24 @@ static int bonito_initfn(PCIDevice *dev)
 
     /* set the south bridge pci configure  mapping */
     s->bonito_spciconf_handle = cpu_register_io_memory(bonito_spciconf_read,
-                                                       bonito_spciconf_write, s);
+                                                       bonito_spciconf_write, s,
+                                                       DEVICE_NATIVE_ENDIAN);
     s->bonito_spciconf_start = BONITO_SPCICONFIG_BASE;
     s->bonito_spciconf_length = BONITO_SPCICONFIG_SIZE;
     cpu_register_physical_memory(s->bonito_spciconf_start, s->bonito_spciconf_length,
                                  s->bonito_spciconf_handle);
 
     s->bonito_ldma_handle = cpu_register_io_memory(bonito_ldma_read,
-                                                   bonito_ldma_write, s);
+                                                   bonito_ldma_write, s,
+                                                   DEVICE_NATIVE_ENDIAN);
     s->bonito_ldma_start = 0xbfe00200;
     s->bonito_ldma_length = 0x100;
     cpu_register_physical_memory(s->bonito_ldma_start, s->bonito_ldma_length,
                                  s->bonito_ldma_handle);
 
     s->bonito_cop_handle = cpu_register_io_memory(bonito_cop_read,
-                                                  bonito_cop_write, s);
+                                                  bonito_cop_write, s,
+                                                  DEVICE_NATIVE_ENDIAN);
     s->bonito_cop_start = 0xbfe00300;
     s->bonito_cop_length = 0x100;
     cpu_register_physical_memory(s->bonito_cop_start, s->bonito_cop_length,
diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index 40be55d..4f5040c 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -3076,23 +3076,27 @@ static void cirrus_init_common(CirrusVGAState * s, int device_id, int is_pci)
     register_ioport_read(0x3da, 1, 1, cirrus_vga_ioport_read, s);
 
     s->vga.vga_io_memory = cpu_register_io_memory(cirrus_vga_mem_read,
-                                                  cirrus_vga_mem_write, s);
+                                                  cirrus_vga_mem_write, s,
+                                                  DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(isa_mem_base + 0x000a0000, 0x20000,
                                  s->vga.vga_io_memory);
     qemu_register_coalesced_mmio(isa_mem_base + 0x000a0000, 0x20000);
 
     /* I/O handler for LFB */
     s->cirrus_linear_io_addr =
-        cpu_register_io_memory(cirrus_linear_read, cirrus_linear_write, s);
+        cpu_register_io_memory(cirrus_linear_read, cirrus_linear_write, s,
+                               DEVICE_NATIVE_ENDIAN);
 
     /* I/O handler for LFB */
     s->cirrus_linear_bitblt_io_addr =
         cpu_register_io_memory(cirrus_linear_bitblt_read,
-                               cirrus_linear_bitblt_write, s);
+                               cirrus_linear_bitblt_write, s,
+                               DEVICE_NATIVE_ENDIAN);
 
     /* I/O handler for memory-mapped I/O */
     s->cirrus_mmio_io_addr =
-        cpu_register_io_memory(cirrus_mmio_read, cirrus_mmio_write, s);
+        cpu_register_io_memory(cirrus_mmio_read, cirrus_mmio_write, s,
+                               DEVICE_NATIVE_ENDIAN);
 
     s->real_vram_size =
         (s->device_id == CIRRUS_ID_CLGD5446) ? 4096 * 1024 : 2048 * 1024;
diff --git a/hw/cs4231.c b/hw/cs4231.c
index 2977101..a65b697 100644
--- a/hw/cs4231.c
+++ b/hw/cs4231.c
@@ -148,7 +148,8 @@ static int cs4231_init1(SysBusDevice *dev)
     int io;
     CSState *s = FROM_SYSBUS(CSState, dev);
 
-    io = cpu_register_io_memory(cs_mem_read, cs_mem_write, s);
+    io = cpu_register_io_memory(cs_mem_read, cs_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, CS_SIZE, io);
     sysbus_init_irq(dev, &s->irq);
 
diff --git a/hw/cuda.c b/hw/cuda.c
index 3f238b6..e4c178d 100644
--- a/hw/cuda.c
+++ b/hw/cuda.c
@@ -762,7 +762,8 @@ void cuda_init (int *cuda_mem_index, qemu_irq irq)
     s->tick_offset = (uint32_t)mktimegm(&tm) + RTC_OFFSET;
 
     s->adb_poll_timer = qemu_new_timer(vm_clock, cuda_adb_poll, s);
-    *cuda_mem_index = cpu_register_io_memory(cuda_read, cuda_write, s);
+    *cuda_mem_index = cpu_register_io_memory(cuda_read, cuda_write, s,
+                                             DEVICE_NATIVE_ENDIAN);
     register_savevm(NULL, "cuda", -1, 1, cuda_save, cuda_load, s);
     qemu_register_reset(cuda_reset, s);
 }
diff --git a/hw/dp8393x.c b/hw/dp8393x.c
index e65e4d1..0ef8abe 100644
--- a/hw/dp8393x.c
+++ b/hw/dp8393x.c
@@ -908,6 +908,7 @@ void dp83932_init(NICInfo *nd, target_phys_addr_t base, int it_shift,
     qemu_register_reset(nic_reset, s);
     nic_reset(s);
 
-    s->mmio_index = cpu_register_io_memory(dp8393x_read, dp8393x_write, s);
+    s->mmio_index = cpu_register_io_memory(dp8393x_read, dp8393x_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x40 << it_shift, s->mmio_index);
 }
diff --git a/hw/ds1225y.c b/hw/ds1225y.c
index 009d127..b1c5232 100644
--- a/hw/ds1225y.c
+++ b/hw/ds1225y.c
@@ -171,10 +171,12 @@ void *ds1225y_init(target_phys_addr_t mem_base, const char *filename)
     }
 
     /* Read/write memory */
-    mem_indexRW = cpu_register_io_memory(nvram_read, nvram_write, s);
+    mem_indexRW = cpu_register_io_memory(nvram_read, nvram_write, s,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(mem_base, s->chip_size, mem_indexRW);
     /* Read/write protected memory */
-    mem_indexRP = cpu_register_io_memory(nvram_read, nvram_write_protected, s);
+    mem_indexRP = cpu_register_io_memory(nvram_read, nvram_write_protected, s,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(mem_base + s->chip_size, s->chip_size, mem_indexRP);
     return s;
 }
diff --git a/hw/e1000.c b/hw/e1000.c
index 57d08cf..bf3f2d3 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -1131,7 +1131,7 @@ static int pci_e1000_init(PCIDevice *pci_dev)
     pci_conf[PCI_INTERRUPT_PIN] = 1; // interrupt pin 0
 
     d->mmio_index = cpu_register_io_memory(e1000_mmio_read,
-            e1000_mmio_write, d);
+            e1000_mmio_write, d, DEVICE_NATIVE_ENDIAN);
 
     pci_register_bar(&d->dev, 0, PNPMMIO_SIZE,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, e1000_mmio_map);
diff --git a/hw/eccmemctl.c b/hw/eccmemctl.c
index a8042e9..2bda87b 100644
--- a/hw/eccmemctl.c
+++ b/hw/eccmemctl.c
@@ -297,12 +297,14 @@ static int ecc_init1(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
     s->regs[0] = s->version;
-    ecc_io_memory = cpu_register_io_memory(ecc_mem_read, ecc_mem_write, s);
+    ecc_io_memory = cpu_register_io_memory(ecc_mem_read, ecc_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, ECC_SIZE, ecc_io_memory);
 
     if (s->version == ECC_MCC) { // SS-600MP only
         ecc_io_memory = cpu_register_io_memory(ecc_diag_mem_read,
-                                               ecc_diag_mem_write, s);
+                                               ecc_diag_mem_write, s,
+                                               DEVICE_NATIVE_ENDIAN);
         sysbus_init_mmio(dev, ECC_DIAG_SIZE, ecc_io_memory);
     }
 
diff --git a/hw/eepro100.c b/hw/eepro100.c
index f8a700a..b31ad3e 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -1878,7 +1878,8 @@ static int e100_nic_init(PCIDevice *pci_dev)
 
     /* Handler for memory-mapped I/O */
     s->mmio_index =
-        cpu_register_io_memory(pci_mmio_read, pci_mmio_write, s);
+        cpu_register_io_memory(pci_mmio_read, pci_mmio_write, s,
+                               DEVICE_NATIVE_ENDIAN);
 
     pci_register_bar(&s->dev, 0, PCI_MEM_SIZE,
                            PCI_BASE_ADDRESS_SPACE_MEMORY |
diff --git a/hw/empty_slot.c b/hw/empty_slot.c
index ac1f6eb..664b8d9 100644
--- a/hw/empty_slot.c
+++ b/hw/empty_slot.c
@@ -73,7 +73,8 @@ static int empty_slot_init1(SysBusDevice *dev)
     ram_addr_t empty_slot_offset;
 
     empty_slot_offset = cpu_register_io_memory(empty_slot_read,
-                                               empty_slot_write, s);
+                                               empty_slot_write, s,
+                                               DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, s->size, empty_slot_offset | IO_MEM_RAM);
     return 0;
 }
diff --git a/hw/escc.c b/hw/escc.c
index 8714239..ba60636 100644
--- a/hw/escc.c
+++ b/hw/escc.c
@@ -914,7 +914,8 @@ static int escc_init1(SysBusDevice *dev)
     s->chn[0].otherchn = &s->chn[1];
     s->chn[1].otherchn = &s->chn[0];
 
-    io = cpu_register_io_memory(escc_mem_read, escc_mem_write, s);
+    io = cpu_register_io_memory(escc_mem_read, escc_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, ESCC_SIZE << s->it_shift, io);
     s->mmio_index = io;
 
diff --git a/hw/esp.c b/hw/esp.c
index 910fd31..fa9d2a2 100644
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -722,7 +722,8 @@ static int esp_init1(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->irq);
     assert(s->it_shift != -1);
 
-    esp_io_memory = cpu_register_io_memory(esp_mem_read, esp_mem_write, s);
+    esp_io_memory = cpu_register_io_memory(esp_mem_read, esp_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, ESP_REGS << s->it_shift, esp_io_memory);
 
     qdev_init_gpio_in(&dev->qdev, esp_gpio_demux, 2);
diff --git a/hw/etraxfs_dma.c b/hw/etraxfs_dma.c
index 15c8ad3..c205ec1 100644
--- a/hw/etraxfs_dma.c
+++ b/hw/etraxfs_dma.c
@@ -750,7 +750,7 @@ void *etraxfs_dmac_init(target_phys_addr_t base, int nr_channels)
 	ctrl->nr_channels = nr_channels;
 	ctrl->channels = qemu_mallocz(sizeof ctrl->channels[0] * nr_channels);
 
-	ctrl->map = cpu_register_io_memory(dma_read, dma_write, ctrl);
+	ctrl->map = cpu_register_io_memory(dma_read, dma_write, ctrl, DEVICE_NATIVE_ENDIAN);
 	cpu_register_physical_memory(base, nr_channels * 0x2000, ctrl->map);
 	return ctrl;
 }
diff --git a/hw/etraxfs_eth.c b/hw/etraxfs_eth.c
index ade96f1..6aa4007 100644
--- a/hw/etraxfs_eth.c
+++ b/hw/etraxfs_eth.c
@@ -598,7 +598,8 @@ void *etraxfs_eth_init(NICInfo *nd, target_phys_addr_t base, int phyaddr)
 	tdk_init(&eth->phy);
 	mdio_attach(&eth->mdio_bus, &eth->phy, eth->phyaddr);
 
-	eth->ethregs = cpu_register_io_memory(eth_read, eth_write, eth);
+	eth->ethregs = cpu_register_io_memory(eth_read, eth_write, eth,
+                                              DEVICE_NATIVE_ENDIAN);
 	cpu_register_physical_memory (base, 0x5c, eth->ethregs);
 
 	memcpy(eth->conf.macaddr.a, nd->macaddr, sizeof(nd->macaddr));
diff --git a/hw/etraxfs_pic.c b/hw/etraxfs_pic.c
index b2c4859..4feffda 100644
--- a/hw/etraxfs_pic.c
+++ b/hw/etraxfs_pic.c
@@ -145,7 +145,8 @@ static int etraxfs_pic_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->parent_irq);
     sysbus_init_irq(dev, &s->parent_nmi);
 
-    intr_vect_regs = cpu_register_io_memory(pic_read, pic_write, s);
+    intr_vect_regs = cpu_register_io_memory(pic_read, pic_write, s,
+                                            DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, R_MAX * 4, intr_vect_regs);
     return 0;
 }
diff --git a/hw/etraxfs_ser.c b/hw/etraxfs_ser.c
index 336cc54..2787ebd 100644
--- a/hw/etraxfs_ser.c
+++ b/hw/etraxfs_ser.c
@@ -200,7 +200,8 @@ static int etraxfs_ser_init(SysBusDevice *dev)
     s->regs[RS_STAT_DIN] |= (1 << STAT_TR_IDLE);
 
     sysbus_init_irq(dev, &s->irq);
-    ser_regs = cpu_register_io_memory(ser_read, ser_write, s);
+    ser_regs = cpu_register_io_memory(ser_read, ser_write, s,
+                                      DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, R_MAX * 4, ser_regs);
     s->chr = qdev_init_chardev(&dev->qdev);
     if (s->chr)
diff --git a/hw/etraxfs_timer.c b/hw/etraxfs_timer.c
index 87700d4..ba1adbe 100644
--- a/hw/etraxfs_timer.c
+++ b/hw/etraxfs_timer.c
@@ -323,7 +323,8 @@ static int etraxfs_timer_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &t->irq);
     sysbus_init_irq(dev, &t->nmi);
 
-    timer_regs = cpu_register_io_memory(timer_read, timer_write, t);
+    timer_regs = cpu_register_io_memory(timer_read, timer_write, t,
+                                        DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x5c, timer_regs);
 
     qemu_register_reset(etraxfs_timer_reset, t);
diff --git a/hw/fdc.c b/hw/fdc.c
index c159dcb..bea5af2 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -1999,7 +1999,8 @@ static int sysbus_fdc_init1(SysBusDevice *dev)
     int io;
     int ret;
 
-    io = cpu_register_io_memory(fdctrl_mem_read, fdctrl_mem_write, fdctrl);
+    io = cpu_register_io_memory(fdctrl_mem_read, fdctrl_mem_write, fdctrl,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x08, io);
     sysbus_init_irq(dev, &fdctrl->irq);
     qdev_init_gpio_in(&dev->qdev, fdctrl_handle_tc, 1);
@@ -2017,7 +2018,8 @@ static int sun4m_fdc_init1(SysBusDevice *dev)
     int io;
 
     io = cpu_register_io_memory(fdctrl_mem_read_strict,
-                                fdctrl_mem_write_strict, fdctrl);
+                                fdctrl_mem_write_strict, fdctrl,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x08, io);
     sysbus_init_irq(dev, &fdctrl->irq);
     qdev_init_gpio_in(&dev->qdev, fdctrl_handle_tc, 1);
diff --git a/hw/fw_cfg.c b/hw/fw_cfg.c
index 72866ae..48b92d6 100644
--- a/hw/fw_cfg.c
+++ b/hw/fw_cfg.c
@@ -360,11 +360,13 @@ static int fw_cfg_init1(SysBusDevice *dev)
     int io_ctl_memory, io_data_memory;
 
     io_ctl_memory = cpu_register_io_memory(fw_cfg_ctl_mem_read,
-                                           fw_cfg_ctl_mem_write, s);
+                                           fw_cfg_ctl_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, FW_CFG_SIZE, io_ctl_memory);
 
     io_data_memory = cpu_register_io_memory(fw_cfg_data_mem_read,
-                                            fw_cfg_data_mem_write, s);
+                                            fw_cfg_data_mem_write, s,
+                                            DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, FW_CFG_SIZE, io_data_memory);
 
     if (s->ctl_iobase) {
diff --git a/hw/g364fb.c b/hw/g364fb.c
index 3c8fb98..a41e988 100644
--- a/hw/g364fb.c
+++ b/hw/g364fb.c
@@ -607,7 +607,8 @@ int g364fb_mm_init(target_phys_addr_t vram_base,
 
     cpu_register_physical_memory(vram_base, s->vram_size, s->vram_offset);
 
-    io_ctrl = cpu_register_io_memory(g364fb_ctrl_read, g364fb_ctrl_write, s);
+    io_ctrl = cpu_register_io_memory(g364fb_ctrl_read, g364fb_ctrl_write, s,
+                                     DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(ctrl_base, 0x200000, io_ctrl);
 
     return 0;
diff --git a/hw/gt64xxx.c b/hw/gt64xxx.c
index cabf7ea..51e4db0 100644
--- a/hw/gt64xxx.c
+++ b/hw/gt64xxx.c
@@ -1116,7 +1116,8 @@ PCIBus *pci_gt64120_init(qemu_irq *pic)
     s->pci->bus = pci_register_bus(NULL, "pci",
                                    pci_gt64120_set_irq, pci_gt64120_map_irq,
                                    pic, PCI_DEVFN(18, 0), 4);
-    s->ISD_handle = cpu_register_io_memory(gt64120_read, gt64120_write, s);
+    s->ISD_handle = cpu_register_io_memory(gt64120_read, gt64120_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     d = pci_register_device(s->pci->bus, "GT64120 PCI Bus", sizeof(PCIDevice),
                             0, NULL, NULL);
 
diff --git a/hw/heathrow_pic.c b/hw/heathrow_pic.c
index cd86121..390b63c 100644
--- a/hw/heathrow_pic.c
+++ b/hw/heathrow_pic.c
@@ -222,7 +222,8 @@ qemu_irq *heathrow_pic_init(int *pmem_index,
     s = qemu_mallocz(sizeof(HeathrowPICS));
     /* only 1 CPU */
     s->irqs = irqs[0];
-    *pmem_index = cpu_register_io_memory(pic_read, pic_write, s);
+    *pmem_index = cpu_register_io_memory(pic_read, pic_write, s,
+                                         DEVICE_NATIVE_ENDIAN);
 
     register_savevm(NULL, "heathrow_pic", -1, 1, heathrow_pic_save,
                     heathrow_pic_load, s);
diff --git a/hw/hpet.c b/hw/hpet.c
index d5c406c..8fb6811 100644
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -720,7 +720,8 @@ static int hpet_init(SysBusDevice *dev)
 
     /* HPET Area */
     iomemtype = cpu_register_io_memory(hpet_ram_read,
-                                       hpet_ram_write, s);
+                                       hpet_ram_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x400, iomemtype);
     return 0;
 }
diff --git a/hw/ide/macio.c b/hw/ide/macio.c
index bd1c73e..c1b4caa 100644
--- a/hw/ide/macio.c
+++ b/hw/ide/macio.c
@@ -320,7 +320,8 @@ int pmac_ide_init (DriveInfo **hd_table, qemu_irq irq,
         DBDMA_register_channel(dbdma, channel, dma_irq, pmac_ide_transfer, pmac_ide_flush, d);
 
     pmac_ide_memory = cpu_register_io_memory(pmac_ide_read,
-                                             pmac_ide_write, d);
+                                             pmac_ide_write, d,
+                                             DEVICE_NATIVE_ENDIAN);
     vmstate_register(NULL, 0, &vmstate_pmac, d);
     qemu_register_reset(pmac_ide_reset, d);
 
diff --git a/hw/ide/mmio.c b/hw/ide/mmio.c
index 9f20e8b..82b24b6 100644
--- a/hw/ide/mmio.c
+++ b/hw/ide/mmio.c
@@ -129,8 +129,10 @@ void mmio_ide_init (target_phys_addr_t membase, target_phys_addr_t membase2,
 
     s->shift = shift;
 
-    mem1 = cpu_register_io_memory(mmio_ide_reads, mmio_ide_writes, s);
-    mem2 = cpu_register_io_memory(mmio_ide_status, mmio_ide_cmd, s);
+    mem1 = cpu_register_io_memory(mmio_ide_reads, mmio_ide_writes, s,
+                                  DEVICE_NATIVE_ENDIAN);
+    mem2 = cpu_register_io_memory(mmio_ide_status, mmio_ide_cmd, s,
+                                  DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(membase, 16 << shift, mem1);
     cpu_register_physical_memory(membase2, 2 << shift, mem2);
     vmstate_register(NULL, 0, &vmstate_ide_mmio, s);
diff --git a/hw/integratorcp.c b/hw/integratorcp.c
index 3bf216b..b049940 100644
--- a/hw/integratorcp.c
+++ b/hw/integratorcp.c
@@ -256,7 +256,8 @@ static int integratorcm_init(SysBusDevice *dev)
     s->flash_offset = qemu_ram_alloc(NULL, "integrator.flash", 0x100000);
 
     iomemtype = cpu_register_io_memory(integratorcm_readfn,
-                                       integratorcm_writefn, s);
+                                       integratorcm_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x00800000, iomemtype);
     integratorcm_do_remap(s, 1);
     /* ??? Save/restore.  */
@@ -382,7 +383,8 @@ static int icp_pic_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->parent_irq);
     sysbus_init_irq(dev, &s->parent_fiq);
     iomemtype = cpu_register_io_memory(icp_pic_readfn,
-                                       icp_pic_writefn, s);
+                                       icp_pic_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x00800000, iomemtype);
     return 0;
 }
@@ -435,7 +437,8 @@ static void icp_control_init(uint32_t base)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(icp_control_readfn,
-                                       icp_control_writefn, NULL);
+                                       icp_control_writefn, NULL,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00800000, iomemtype);
     /* ??? Save/restore.  */
 }
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index fe31624..b2b6708 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -1156,7 +1156,8 @@ static int intel_hda_init(PCIDevice *pci)
     conf[0x40] = 0x01;
 
     d->mmio_addr = cpu_register_io_memory(intel_hda_mmio_read,
-                                          intel_hda_mmio_write, d);
+                                          intel_hda_mmio_write, d,
+                                          DEVICE_NATIVE_ENDIAN);
     pci_register_bar(&d->pci, 0, 0x4000, PCI_BASE_ADDRESS_SPACE_MEMORY,
                      intel_hda_map);
     if (d->msi) {
diff --git a/hw/ioapic.c b/hw/ioapic.c
index 5ae21e9..2109568 100644
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@ -242,7 +242,8 @@ static int ioapic_init1(SysBusDevice *dev)
     int io_memory;
 
     io_memory = cpu_register_io_memory(ioapic_mem_read,
-                                       ioapic_mem_write, s);
+                                       ioapic_mem_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, io_memory);
 
     qdev_init_gpio_in(&dev->qdev, ioapic_set_irq, IOAPIC_NUM_PINS);
diff --git a/hw/isa_mmio.c b/hw/isa_mmio.c
index 66bdd2c..46458f4 100644
--- a/hw/isa_mmio.c
+++ b/hw/isa_mmio.c
@@ -131,11 +131,13 @@ void isa_mmio_init(target_phys_addr_t base, target_phys_addr_t size, int be)
         if (be) {
             isa_mmio_iomemtype = cpu_register_io_memory(isa_mmio_read_be,
                                                         isa_mmio_write_be,
-                                                        NULL);
+                                                        NULL,
+                                                        DEVICE_NATIVE_ENDIAN);
         } else {
             isa_mmio_iomemtype = cpu_register_io_memory(isa_mmio_read_le,
                                                         isa_mmio_write_le,
-                                                        NULL);
+                                                        NULL,
+                                                        DEVICE_NATIVE_ENDIAN);
         }
     }
     cpu_register_physical_memory(base, size, isa_mmio_iomemtype);
diff --git a/hw/ivshmem.c b/hw/ivshmem.c
index 06dce70..7b19a81 100644
--- a/hw/ivshmem.c
+++ b/hw/ivshmem.c
@@ -720,7 +720,7 @@ static int pci_ivshmem_init(PCIDevice *dev)
     s->shm_fd = 0;
 
     s->ivshmem_mmio_io_addr = cpu_register_io_memory(ivshmem_mmio_read,
-                                    ivshmem_mmio_write, s);
+                                    ivshmem_mmio_write, s, DEVICE_NATIVE_ENDIAN);
     /* region for registers*/
     pci_register_bar(&s->dev, 0, IVSHMEM_REG_BAR_SIZE,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, ivshmem_mmio_map);
diff --git a/hw/jazz_led.c b/hw/jazz_led.c
index 4cb680c..1dc22cf 100644
--- a/hw/jazz_led.c
+++ b/hw/jazz_led.c
@@ -316,7 +316,8 @@ void jazz_led_init(target_phys_addr_t base)
 
     s->state = REDRAW_SEGMENTS | REDRAW_BACKGROUND;
 
-    io = cpu_register_io_memory(led_read, led_write, s);
+    io = cpu_register_io_memory(led_read, led_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 1, io);
 
     s->ds = graphic_console_init(jazz_led_update_display,
diff --git a/hw/lan9118.c b/hw/lan9118.c
index b996dc4..a988664 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -1124,7 +1124,8 @@ static int lan9118_init1(SysBusDevice *dev)
     int i;
 
     s->mmio_index = cpu_register_io_memory(lan9118_readfn,
-                                           lan9118_writefn, s);
+                                           lan9118_writefn, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x100, s->mmio_index);
     sysbus_init_irq(dev, &s->irq);
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
diff --git a/hw/lance.c b/hw/lance.c
index dc12144..8c51858 100644
--- a/hw/lance.c
+++ b/hw/lance.c
@@ -118,7 +118,8 @@ static int lance_init(SysBusDevice *dev)
     PCNetState *s = &d->state;
 
     s->mmio_index =
-        cpu_register_io_memory(lance_mem_read, lance_mem_write, d);
+        cpu_register_io_memory(lance_mem_read, lance_mem_write, d,
+                               DEVICE_NATIVE_ENDIAN);
 
     qdev_init_gpio_in(&dev->qdev, parent_lance_reset, 1);
 
diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index 1aef62f..0129ae3 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -2173,9 +2173,11 @@ static int lsi_scsi_init(PCIDevice *dev)
     pci_conf[PCI_INTERRUPT_PIN] = 0x01;
 
     s->mmio_io_addr = cpu_register_io_memory(lsi_mmio_readfn,
-                                             lsi_mmio_writefn, s);
+                                             lsi_mmio_writefn, s,
+                                             DEVICE_NATIVE_ENDIAN);
     s->ram_io_addr = cpu_register_io_memory(lsi_ram_readfn,
-                                            lsi_ram_writefn, s);
+                                            lsi_ram_writefn, s,
+                                            DEVICE_NATIVE_ENDIAN);
 
     pci_register_bar(&s->dev, 0, 256,
                            PCI_BASE_ADDRESS_SPACE_IO, lsi_io_mapfunc);
diff --git a/hw/m48t59.c b/hw/m48t59.c
index c7492a6..3c26b54 100644
--- a/hw/m48t59.c
+++ b/hw/m48t59.c
@@ -716,7 +716,8 @@ static int m48t59_init1(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->IRQ);
 
-    mem_index = cpu_register_io_memory(nvram_read, nvram_write, s);
+    mem_index = cpu_register_io_memory(nvram_read, nvram_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, s->size, mem_index);
     m48t59_init_common(s);
 
diff --git a/hw/mac_dbdma.c b/hw/mac_dbdma.c
index 03d2d16..f449a59 100644
--- a/hw/mac_dbdma.c
+++ b/hw/mac_dbdma.c
@@ -844,7 +844,8 @@ void* DBDMA_init (int *dbdma_mem_index)
 
     s = qemu_mallocz(sizeof(DBDMA_channel) * DBDMA_CHANNELS);
 
-    *dbdma_mem_index = cpu_register_io_memory(dbdma_read, dbdma_write, s);
+    *dbdma_mem_index = cpu_register_io_memory(dbdma_read, dbdma_write, s,
+                                              DEVICE_NATIVE_ENDIAN);
     register_savevm(NULL, "dbdma", -1, 1, dbdma_save, dbdma_load, s);
     qemu_register_reset(dbdma_reset, s);
 
diff --git a/hw/mac_nvram.c b/hw/mac_nvram.c
index ce287c3..c2a2fc2 100644
--- a/hw/mac_nvram.c
+++ b/hw/mac_nvram.c
@@ -138,7 +138,8 @@ MacIONVRAMState *macio_nvram_init (int *mem_index, target_phys_addr_t size,
     s->size = size;
     s->it_shift = it_shift;
 
-    s->mem_index = cpu_register_io_memory(nvram_read, nvram_write, s);
+    s->mem_index = cpu_register_io_memory(nvram_read, nvram_write, s,
+                                          DEVICE_NATIVE_ENDIAN);
     *mem_index = s->mem_index;
     register_savevm(NULL, "macio_nvram", -1, 1, macio_nvram_save,
                     macio_nvram_load, s);
diff --git a/hw/marvell_88w8618_audio.c b/hw/marvell_88w8618_audio.c
index 307b584..3eff925 100644
--- a/hw/marvell_88w8618_audio.c
+++ b/hw/marvell_88w8618_audio.c
@@ -249,7 +249,8 @@ static int mv88w8618_audio_init(SysBusDevice *dev)
     wm8750_data_req_set(s->wm, mv88w8618_audio_callback, s);
 
     iomemtype = cpu_register_io_memory(mv88w8618_audio_readfn,
-                                       mv88w8618_audio_writefn, s);
+                                       mv88w8618_audio_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_AUDIO_SIZE, iomemtype);
 
     return 0;
diff --git a/hw/mcf5206.c b/hw/mcf5206.c
index c107de8..2a618d4 100644
--- a/hw/mcf5206.c
+++ b/hw/mcf5206.c
@@ -525,7 +525,8 @@ qemu_irq *mcf5206_init(uint32_t base, CPUState *env)
 
     s = (m5206_mbar_state *)qemu_mallocz(sizeof(m5206_mbar_state));
     iomemtype = cpu_register_io_memory(m5206_mbar_readfn,
-                                       m5206_mbar_writefn, s);
+                                       m5206_mbar_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00001000, iomemtype);
 
     pic = qemu_allocate_irqs(m5206_mbar_set_irq, s, 14);
diff --git a/hw/mcf5208.c b/hw/mcf5208.c
index 38645f7..17a692d 100644
--- a/hw/mcf5208.c
+++ b/hw/mcf5208.c
@@ -179,7 +179,8 @@ static void mcf5208_sys_init(qemu_irq *pic)
     int i;
 
     iomemtype = cpu_register_io_memory(m5208_sys_readfn,
-                                       m5208_sys_writefn, NULL);
+                                       m5208_sys_writefn, NULL,
+                                       DEVICE_NATIVE_ENDIAN);
     /* SDRAMC.  */
     cpu_register_physical_memory(0xfc0a8000, 0x00004000, iomemtype);
     /* Timers.  */
@@ -188,7 +189,8 @@ static void mcf5208_sys_init(qemu_irq *pic)
         bh = qemu_bh_new(m5208_timer_trigger, s);
         s->timer = ptimer_init(bh);
         iomemtype = cpu_register_io_memory(m5208_timer_readfn,
-                                           m5208_timer_writefn, s);
+                                           m5208_timer_writefn, s,
+                                           DEVICE_NATIVE_ENDIAN);
         cpu_register_physical_memory(0xfc080000 + 0x4000 * i, 0x00004000,
                                      iomemtype);
         s->irq = pic[4 + i];
diff --git a/hw/mcf_fec.c b/hw/mcf_fec.c
index 4e7fbed..21035da 100644
--- a/hw/mcf_fec.c
+++ b/hw/mcf_fec.c
@@ -467,7 +467,8 @@ void mcf_fec_init(NICInfo *nd, target_phys_addr_t base, qemu_irq *irq)
     s = (mcf_fec_state *)qemu_mallocz(sizeof(mcf_fec_state));
     s->irq = irq;
     s->mmio_index = cpu_register_io_memory(mcf_fec_readfn,
-                                           mcf_fec_writefn, s);
+                                           mcf_fec_writefn, s,
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x400, s->mmio_index);
 
     memcpy(s->conf.macaddr.a, nd->macaddr, sizeof(nd->macaddr));
diff --git a/hw/mcf_intc.c b/hw/mcf_intc.c
index f01bd32..ac04295 100644
--- a/hw/mcf_intc.c
+++ b/hw/mcf_intc.c
@@ -149,7 +149,8 @@ qemu_irq *mcf_intc_init(target_phys_addr_t base, CPUState *env)
     mcf_intc_reset(s);
 
     iomemtype = cpu_register_io_memory(mcf_intc_readfn,
-                                       mcf_intc_writefn, s);
+                                       mcf_intc_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x100, iomemtype);
 
     return qemu_allocate_irqs(mcf_intc_set_irq, s, 64);
diff --git a/hw/mcf_uart.c b/hw/mcf_uart.c
index d16bac7..db57096 100644
--- a/hw/mcf_uart.c
+++ b/hw/mcf_uart.c
@@ -304,6 +304,7 @@ void mcf_uart_mm_init(target_phys_addr_t base, qemu_irq irq,
 
     s = mcf_uart_init(irq, chr);
     iomemtype = cpu_register_io_memory(mcf_uart_readfn,
-                                       mcf_uart_writefn, s);
+                                       mcf_uart_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x40, iomemtype);
 }
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index 66397c0..1264743 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -191,7 +191,8 @@ void mips_jazz_init (ram_addr_t ram_size,
 
     /* Chipset */
     rc4030_opaque = rc4030_init(env->irq[6], env->irq[3], &rc4030, &dmas);
-    s_dma_dummy = cpu_register_io_memory(dma_dummy_read, dma_dummy_write, NULL);
+    s_dma_dummy = cpu_register_io_memory(dma_dummy_read, dma_dummy_write, NULL,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x8000d000, 0x00001000, s_dma_dummy);
 
     /* ISA devices */
@@ -259,7 +260,8 @@ void mips_jazz_init (ram_addr_t ram_size,
 
     /* Real time clock */
     rtc_init(1980, NULL);
-    s_rtc = cpu_register_io_memory(rtc_read, rtc_write, NULL);
+    s_rtc = cpu_register_io_memory(rtc_read, rtc_write, NULL,
+                                   DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x80004000, 0x00001000, s_rtc);
 
     /* Keyboard (i8042) */
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 6be8aa7..5ef3fcb 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -436,7 +436,8 @@ static MaltaFPGAState *malta_fpga_init(target_phys_addr_t base, qemu_irq uart_ir
     s = (MaltaFPGAState *)qemu_mallocz(sizeof(MaltaFPGAState));
 
     malta = cpu_register_io_memory(malta_fpga_read,
-                                   malta_fpga_write, s);
+                                   malta_fpga_write, s,
+                                   DEVICE_NATIVE_ENDIAN);
 
     cpu_register_physical_memory(base, 0x900, malta);
     /* 0xa00 is less than a page, so will still get the right offsets.  */
diff --git a/hw/mips_r4k.c b/hw/mips_r4k.c
index aa34890..afe52f3 100644
--- a/hw/mips_r4k.c
+++ b/hw/mips_r4k.c
@@ -204,7 +204,8 @@ void mips_r4k_init (ram_addr_t ram_size,
 
     if (!mips_qemu_iomemtype) {
         mips_qemu_iomemtype = cpu_register_io_memory(mips_qemu_read,
-                                                     mips_qemu_write, NULL);
+                                                     mips_qemu_write, NULL,
+                                                     DEVICE_NATIVE_ENDIAN);
     }
     cpu_register_physical_memory(0x1fbf0000, 0x10000, mips_qemu_iomemtype);
 
diff --git a/hw/mpcore.c b/hw/mpcore.c
index b4db191..fc05215 100644
--- a/hw/mpcore.c
+++ b/hw/mpcore.c
@@ -276,7 +276,8 @@ static int mpcore_priv_init(SysBusDevice *dev)
 
     gic_init(&s->gic, s->num_cpu);
     s->iomemtype = cpu_register_io_memory(mpcore_priv_readfn,
-                                          mpcore_priv_writefn, s);
+                                          mpcore_priv_writefn, s,
+                                          DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio_cb(dev, 0x2000, mpcore_priv_map);
     for (i = 0; i < s->num_cpu * 2; i++) {
         mpcore_timer_init(s, &s->timer[i], i);
diff --git a/hw/msix.c b/hw/msix.c
index f66d255..e123082 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -254,7 +254,8 @@ int msix_init(struct PCIDevice *dev, unsigned short nentries,
     msix_mask_all(dev, nentries);
 
     dev->msix_mmio_index = cpu_register_io_memory(msix_mmio_read,
-                                                  msix_mmio_write, dev);
+                                                  msix_mmio_write, dev,
+                                                  DEVICE_NATIVE_ENDIAN);
     if (dev->msix_mmio_index == -1) {
         ret = -EBUSY;
         goto err_index;
diff --git a/hw/mst_fpga.c b/hw/mst_fpga.c
index 8fc348f..5252fc5 100644
--- a/hw/mst_fpga.c
+++ b/hw/mst_fpga.c
@@ -232,7 +232,7 @@ qemu_irq *mst_irq_init(PXA2xxState *cpu, uint32_t base, int irq)
 	s->pins = qi;
 
 	iomemtype = cpu_register_io_memory(mst_fpga_readfn,
-		mst_fpga_writefn, s);
+		mst_fpga_writefn, s, DEVICE_NATIVE_ENDIAN);
 	cpu_register_physical_memory(base, 0x00100000, iomemtype);
 	register_savevm(NULL, "mainstone_fpga", 0, 0, mst_fpga_save,
                         mst_fpga_load, s);
diff --git a/hw/musicpal.c b/hw/musicpal.c
index 56f2766..d98aa8d 100644
--- a/hw/musicpal.c
+++ b/hw/musicpal.c
@@ -388,7 +388,8 @@ static int mv88w8618_eth_init(SysBusDevice *dev)
     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
                           dev->qdev.info->name, dev->qdev.id, s);
     s->mmio_index = cpu_register_io_memory(mv88w8618_eth_readfn,
-                                           mv88w8618_eth_writefn, s);
+                                           mv88w8618_eth_writefn, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_ETH_SIZE, s->mmio_index);
     return 0;
 }
@@ -600,7 +601,8 @@ static int musicpal_lcd_init(SysBusDevice *dev)
     s->brightness = 7;
 
     iomemtype = cpu_register_io_memory(musicpal_lcd_readfn,
-                                       musicpal_lcd_writefn, s);
+                                       musicpal_lcd_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_LCD_SIZE, iomemtype);
 
     s->ds = graphic_console_init(lcd_refresh, lcd_invalidate,
@@ -725,7 +727,8 @@ static int mv88w8618_pic_init(SysBusDevice *dev)
     qdev_init_gpio_in(&dev->qdev, mv88w8618_pic_set_irq, 32);
     sysbus_init_irq(dev, &s->parent_irq);
     iomemtype = cpu_register_io_memory(mv88w8618_pic_readfn,
-                                       mv88w8618_pic_writefn, s);
+                                       mv88w8618_pic_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_PIC_SIZE, iomemtype);
     return 0;
 }
@@ -886,7 +889,8 @@ static int mv88w8618_pit_init(SysBusDevice *dev)
     }
 
     iomemtype = cpu_register_io_memory(mv88w8618_pit_readfn,
-                                       mv88w8618_pit_writefn, s);
+                                       mv88w8618_pit_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_PIT_SIZE, iomemtype);
     return 0;
 }
@@ -976,7 +980,8 @@ static int mv88w8618_flashcfg_init(SysBusDevice *dev)
 
     s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
     iomemtype = cpu_register_io_memory(mv88w8618_flashcfg_readfn,
-                                       mv88w8618_flashcfg_writefn, s);
+                                       mv88w8618_flashcfg_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_FLASHCFG_SIZE, iomemtype);
     return 0;
 }
@@ -1037,7 +1042,8 @@ static void musicpal_misc_init(void)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(musicpal_misc_readfn,
-                                       musicpal_misc_writefn, NULL);
+                                       musicpal_misc_writefn, NULL,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(MP_MISC_BASE, MP_MISC_SIZE, iomemtype);
 }
 
@@ -1082,7 +1088,8 @@ static int mv88w8618_wlan_init(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(mv88w8618_wlan_readfn,
-                                       mv88w8618_wlan_writefn, NULL);
+                                       mv88w8618_wlan_writefn, NULL,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_WLAN_SIZE, iomemtype);
     return 0;
 }
@@ -1293,7 +1300,8 @@ static int musicpal_gpio_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->irq);
 
     iomemtype = cpu_register_io_memory(musicpal_gpio_readfn,
-                                       musicpal_gpio_writefn, s);
+                                       musicpal_gpio_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MP_GPIO_SIZE, iomemtype);
 
     qdev_init_gpio_out(&dev->qdev, s->out, ARRAY_SIZE(s->out));
diff --git a/hw/omap.h b/hw/omap.h
index fe32ca5..c227a82 100644
--- a/hw/omap.h
+++ b/hw/omap.h
@@ -1129,7 +1129,8 @@ inline static int debug_register_io_memory(CPUReadMemoryFunc * const *mem_read,
     s->mem_write = mem_write;
     s->opaque = opaque;
     s->in = 0;
-    return cpu_register_io_memory(io_readfn, io_writefn, s);
+    return cpu_register_io_memory(io_readfn, io_writefn, s,
+                                  DEVICE_NATIVE_ENDIAN);
 }
 #  define cpu_register_io_memory	debug_register_io_memory
 # endif
diff --git a/hw/omap1.c b/hw/omap1.c
index f4966f7..d5e4dab 100644
--- a/hw/omap1.c
+++ b/hw/omap1.c
@@ -264,7 +264,7 @@ static struct omap_mpu_timer_s *omap_mpu_timer_init(target_phys_addr_t base,
     omap_timer_clk_setup(s);
 
     iomemtype = cpu_register_io_memory(omap_mpu_timer_readfn,
-                    omap_mpu_timer_writefn, s);
+                    omap_mpu_timer_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x100, iomemtype);
 
     return s;
@@ -387,7 +387,7 @@ static struct omap_watchdog_timer_s *omap_wd_timer_init(target_phys_addr_t base,
     omap_timer_clk_setup(&s->timer);
 
     iomemtype = cpu_register_io_memory(omap_wd_timer_readfn,
-                    omap_wd_timer_writefn, s);
+                    omap_wd_timer_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x100, iomemtype);
 
     return s;
@@ -489,7 +489,7 @@ static struct omap_32khz_timer_s *omap_os_timer_init(target_phys_addr_t base,
     omap_timer_clk_setup(&s->timer);
 
     iomemtype = cpu_register_io_memory(omap_os_timer_readfn,
-                    omap_os_timer_writefn, s);
+                    omap_os_timer_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     return s;
@@ -716,7 +716,7 @@ static void omap_ulpd_pm_init(target_phys_addr_t base,
                 struct omap_mpu_state_s *mpu)
 {
     int iomemtype = cpu_register_io_memory(omap_ulpd_pm_readfn,
-                    omap_ulpd_pm_writefn, mpu);
+                    omap_ulpd_pm_writefn, mpu, DEVICE_NATIVE_ENDIAN);
 
     cpu_register_physical_memory(base, 0x800, iomemtype);
     omap_ulpd_pm_reset(mpu);
@@ -931,7 +931,7 @@ static void omap_pin_cfg_init(target_phys_addr_t base,
                 struct omap_mpu_state_s *mpu)
 {
     int iomemtype = cpu_register_io_memory(omap_pin_cfg_readfn,
-                    omap_pin_cfg_writefn, mpu);
+                    omap_pin_cfg_writefn, mpu, DEVICE_NATIVE_ENDIAN);
 
     cpu_register_physical_memory(base, 0x800, iomemtype);
     omap_pin_cfg_reset(mpu);
@@ -1001,7 +1001,7 @@ static CPUWriteMemoryFunc * const omap_id_writefn[] = {
 static void omap_id_init(struct omap_mpu_state_s *mpu)
 {
     int iomemtype = cpu_register_io_memory(omap_id_readfn,
-                    omap_id_writefn, mpu);
+                    omap_id_writefn, mpu, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory_offset(0xfffe1800, 0x800, iomemtype, 0xfffe1800);
     cpu_register_physical_memory_offset(0xfffed400, 0x100, iomemtype, 0xfffed400);
     if (!cpu_is_omap15xx(mpu))
@@ -1084,7 +1084,7 @@ static void omap_mpui_init(target_phys_addr_t base,
                 struct omap_mpu_state_s *mpu)
 {
     int iomemtype = cpu_register_io_memory(omap_mpui_readfn,
-                    omap_mpui_writefn, mpu);
+                    omap_mpui_writefn, mpu, DEVICE_NATIVE_ENDIAN);
 
     cpu_register_physical_memory(base, 0x100, iomemtype);
 
@@ -1193,7 +1193,7 @@ static struct omap_tipb_bridge_s *omap_tipb_bridge_init(target_phys_addr_t base,
     omap_tipb_bridge_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_tipb_bridge_readfn,
-                    omap_tipb_bridge_writefn, s);
+                    omap_tipb_bridge_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x100, iomemtype);
 
     return s;
@@ -1299,7 +1299,7 @@ static void omap_tcmi_init(target_phys_addr_t base,
                 struct omap_mpu_state_s *mpu)
 {
     int iomemtype = cpu_register_io_memory(omap_tcmi_readfn,
-                    omap_tcmi_writefn, mpu);
+                    omap_tcmi_writefn, mpu, DEVICE_NATIVE_ENDIAN);
 
     cpu_register_physical_memory(base, 0x100, iomemtype);
     omap_tcmi_reset(mpu);
@@ -1372,7 +1372,7 @@ static void omap_dpll_init(struct dpll_ctl_s *s, target_phys_addr_t base,
                 omap_clk clk)
 {
     int iomemtype = cpu_register_io_memory(omap_dpll_readfn,
-                    omap_dpll_writefn, s);
+                    omap_dpll_writefn, s, DEVICE_NATIVE_ENDIAN);
 
     s->dpll = clk;
     omap_dpll_reset(s);
@@ -1776,8 +1776,10 @@ static void omap_clkm_init(target_phys_addr_t mpu_base,
                 target_phys_addr_t dsp_base, struct omap_mpu_state_s *s)
 {
     int iomemtype[2] = {
-        cpu_register_io_memory(omap_clkm_readfn, omap_clkm_writefn, s),
-        cpu_register_io_memory(omap_clkdsp_readfn, omap_clkdsp_writefn, s),
+        cpu_register_io_memory(omap_clkm_readfn, omap_clkm_writefn, s,
+                               DEVICE_NATIVE_ENDIAN),
+        cpu_register_io_memory(omap_clkdsp_readfn, omap_clkdsp_writefn, s,
+                               DEVICE_NATIVE_ENDIAN),
     };
 
     s->clkm.arm_idlect1 = 0x03ff;
@@ -2031,7 +2033,7 @@ struct omap_mpuio_s *omap_mpuio_init(target_phys_addr_t base,
     omap_mpuio_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_mpuio_readfn,
-                    omap_mpuio_writefn, s);
+                    omap_mpuio_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     omap_clk_adduser(clk, qemu_allocate_irqs(omap_mpuio_onoff, s, 1)[0]);
@@ -2216,7 +2218,7 @@ struct omap_uwire_s *omap_uwire_init(target_phys_addr_t base,
     omap_uwire_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_uwire_readfn,
-                    omap_uwire_writefn, s);
+                    omap_uwire_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     return s;
@@ -2317,7 +2319,7 @@ static void omap_pwl_init(target_phys_addr_t base, struct omap_mpu_state_s *s,
     omap_pwl_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_pwl_readfn,
-                    omap_pwl_writefn, s);
+                    omap_pwl_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     omap_clk_adduser(clk, qemu_allocate_irqs(omap_pwl_clk_update, s, 1)[0]);
@@ -2412,7 +2414,7 @@ static void omap_pwt_init(target_phys_addr_t base, struct omap_mpu_state_s *s,
     omap_pwt_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_pwt_readfn,
-                    omap_pwt_writefn, s);
+                    omap_pwt_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 }
 
@@ -2825,7 +2827,7 @@ static struct omap_rtc_s *omap_rtc_init(target_phys_addr_t base,
     omap_rtc_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_rtc_readfn,
-                    omap_rtc_writefn, s);
+                    omap_rtc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     return s;
@@ -3347,7 +3349,7 @@ struct omap_mcbsp_s *omap_mcbsp_init(target_phys_addr_t base,
     omap_mcbsp_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_mcbsp_readfn,
-                    omap_mcbsp_writefn, s);
+                    omap_mcbsp_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     return s;
@@ -3519,7 +3521,7 @@ static struct omap_lpg_s *omap_lpg_init(target_phys_addr_t base, omap_clk clk)
     omap_lpg_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_lpg_readfn,
-                    omap_lpg_writefn, s);
+                    omap_lpg_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     omap_clk_adduser(clk, qemu_allocate_irqs(omap_lpg_clk_update, s, 1)[0]);
@@ -3552,7 +3554,7 @@ static CPUWriteMemoryFunc * const omap_mpui_io_writefn[] = {
 static void omap_setup_mpui_io(struct omap_mpu_state_s *mpu)
 {
     int iomemtype = cpu_register_io_memory(omap_mpui_io_readfn,
-                    omap_mpui_io_writefn, mpu);
+                    omap_mpui_io_writefn, mpu, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_MPUI_BASE, 0x7fff, iomemtype);
 }
 
diff --git a/hw/omap2.c b/hw/omap2.c
index e35a56e..0f13272 100644
--- a/hw/omap2.c
+++ b/hw/omap2.c
@@ -600,7 +600,7 @@ static struct omap_eac_s *omap_eac_init(struct omap_target_agent_s *ta,
     AUD_register_card("OMAP EAC", &s->codec.card);
 
     iomemtype = cpu_register_io_memory(omap_eac_readfn,
-                    omap_eac_writefn, s);
+                    omap_eac_writefn, s, DEVICE_NATIVE_ENDIAN);
     omap_l4_attach(ta, 0, iomemtype);
 
     return s;
@@ -788,7 +788,7 @@ static struct omap_sti_s *omap_sti_init(struct omap_target_agent_s *ta,
     omap_l4_attach(ta, 0, iomemtype);
 
     iomemtype = cpu_register_io_memory(omap_sti_fifo_readfn,
-                    omap_sti_fifo_writefn, s);
+                    omap_sti_fifo_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(channel_base, 0x10000, iomemtype);
 
     return s;
diff --git a/hw/omap_dma.c b/hw/omap_dma.c
index 3e718ba..8e2dcc9 100644
--- a/hw/omap_dma.c
+++ b/hw/omap_dma.c
@@ -1659,7 +1659,7 @@ struct soc_dma_s *omap_dma_init(target_phys_addr_t base, qemu_irq *irqs,
     omap_dma_clk_update(s, 0, 1);
 
     iomemtype = cpu_register_io_memory(omap_dma_readfn,
-                    omap_dma_writefn, s);
+                    omap_dma_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, memsize, iomemtype);
 
     mpu->drq = s->dma->drq;
@@ -2066,7 +2066,7 @@ struct soc_dma_s *omap_dma4_init(target_phys_addr_t base, qemu_irq *irqs,
     omap_dma_clk_update(s, 0, !!s->dma->freq);
 
     iomemtype = cpu_register_io_memory(omap_dma4_readfn,
-                    omap_dma4_writefn, s);
+                    omap_dma4_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x1000, iomemtype);
 
     mpu->drq = s->dma->drq;
diff --git a/hw/omap_dss.c b/hw/omap_dss.c
index 044f2d2..afe287a 100644
--- a/hw/omap_dss.c
+++ b/hw/omap_dss.c
@@ -1045,7 +1045,7 @@ struct omap_dss_s *omap_dss_init(struct omap_target_agent_s *ta,
     iomemtype[3] = l4_register_io_memory(omap_venc1_readfn,
                     omap_venc1_writefn, s);
     iomemtype[4] = cpu_register_io_memory(omap_im3_readfn,
-                    omap_im3_writefn, s);
+                    omap_im3_writefn, s, DEVICE_NATIVE_ENDIAN);
     omap_l4_attach(ta, 0, iomemtype[0]);
     omap_l4_attach(ta, 1, iomemtype[1]);
     omap_l4_attach(ta, 2, iomemtype[2]);
diff --git a/hw/omap_gpio.c b/hw/omap_gpio.c
index d978c7a..478f7d9 100644
--- a/hw/omap_gpio.c
+++ b/hw/omap_gpio.c
@@ -183,7 +183,7 @@ struct omap_gpio_s *omap_gpio_init(target_phys_addr_t base,
     omap_gpio_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_gpio_readfn,
-                    omap_gpio_writefn, s);
+                    omap_gpio_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x1000, iomemtype);
 
     return s;
diff --git a/hw/omap_gpmc.c b/hw/omap_gpmc.c
index 72cfecc..8bf3343 100644
--- a/hw/omap_gpmc.c
+++ b/hw/omap_gpmc.c
@@ -390,7 +390,7 @@ struct omap_gpmc_s *omap_gpmc_init(target_phys_addr_t base, qemu_irq irq)
     omap_gpmc_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_gpmc_readfn,
-                    omap_gpmc_writefn, s);
+                    omap_gpmc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x1000, iomemtype);
 
     return s;
diff --git a/hw/omap_i2c.c b/hw/omap_i2c.c
index d133977..5cabb5a 100644
--- a/hw/omap_i2c.c
+++ b/hw/omap_i2c.c
@@ -437,7 +437,7 @@ struct omap_i2c_s *omap_i2c_init(target_phys_addr_t base,
     omap_i2c_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_i2c_readfn,
-                    omap_i2c_writefn, s);
+                    omap_i2c_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     return s;
diff --git a/hw/omap_intc.c b/hw/omap_intc.c
index 59893b7..001e20b 100644
--- a/hw/omap_intc.c
+++ b/hw/omap_intc.c
@@ -371,7 +371,7 @@ struct omap_intr_handler_s *omap_inth_init(target_phys_addr_t base,
     omap_inth_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_inth_readfn,
-                    omap_inth_writefn, s);
+                    omap_inth_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, size, iomemtype);
 
     return s;
@@ -591,7 +591,7 @@ struct omap_intr_handler_s *omap2_inth_init(target_phys_addr_t base,
     omap_inth_reset(s);
 
     iomemtype = cpu_register_io_memory(omap2_inth_readfn,
-                    omap2_inth_writefn, s);
+                    omap2_inth_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, size, iomemtype);
 
     return s;
diff --git a/hw/omap_l4.c b/hw/omap_l4.c
index bf8ba36..4af0ca8 100644
--- a/hw/omap_l4.c
+++ b/hw/omap_l4.c
@@ -107,7 +107,8 @@ int l4_register_io_memory(CPUReadMemoryFunc * const *mem_read,
                           CPUWriteMemoryFunc * const *mem_write,
                           void *opaque)
 {
-    return cpu_register_io_memory(mem_read, mem_write, opaque);
+    return cpu_register_io_memory(mem_read, mem_write, opaque,
+                                  DEVICE_NATIVE_ENDIAN);
 }
 #endif
 
@@ -131,7 +132,7 @@ struct omap_l4_s *omap_l4_init(target_phys_addr_t base, int ta_num)
 
     omap_cpu_io_entry =
             cpu_register_io_memory(omap_l4_io_readfn,
-                            omap_l4_io_writefn, bus);
+                            omap_l4_io_writefn, bus, DEVICE_NATIVE_ENDIAN);
 # define L4_PAGES	(0xb4000 / TARGET_PAGE_SIZE)
     omap_l4_io_readb_fn = qemu_mallocz(sizeof(void *) * L4_PAGES);
     omap_l4_io_readh_fn = qemu_mallocz(sizeof(void *) * L4_PAGES);
diff --git a/hw/omap_lcdc.c b/hw/omap_lcdc.c
index 6affef6..0c2c550 100644
--- a/hw/omap_lcdc.c
+++ b/hw/omap_lcdc.c
@@ -450,7 +450,7 @@ struct omap_lcd_panel_s *omap_lcdc_init(target_phys_addr_t base, qemu_irq irq,
     omap_lcdc_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_lcdc_readfn,
-                    omap_lcdc_writefn, s);
+                    omap_lcdc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x100, iomemtype);
 
     s->state = graphic_console_init(omap_update_display,
diff --git a/hw/omap_mmc.c b/hw/omap_mmc.c
index 9d167ff..e9ec2f3 100644
--- a/hw/omap_mmc.c
+++ b/hw/omap_mmc.c
@@ -587,7 +587,7 @@ struct omap_mmc_s *omap_mmc_init(target_phys_addr_t base,
     omap_mmc_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_mmc_readfn,
-                    omap_mmc_writefn, s);
+                    omap_mmc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x800, iomemtype);
 
     /* Instantiate the storage */
diff --git a/hw/omap_sdrc.c b/hw/omap_sdrc.c
index aefaebe..e183762 100644
--- a/hw/omap_sdrc.c
+++ b/hw/omap_sdrc.c
@@ -158,7 +158,7 @@ struct omap_sdrc_s *omap_sdrc_init(target_phys_addr_t base)
     omap_sdrc_reset(s);
 
     iomemtype = cpu_register_io_memory(omap_sdrc_readfn,
-                    omap_sdrc_writefn, s);
+                    omap_sdrc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x1000, iomemtype);
 
     return s;
diff --git a/hw/omap_sx1.c b/hw/omap_sx1.c
index 44dc514..06bccbd 100644
--- a/hw/omap_sx1.c
+++ b/hw/omap_sx1.c
@@ -143,12 +143,15 @@ static void sx1_init(ram_addr_t ram_size,
                                  qemu_ram_alloc(NULL, "omap_sx1.flash0-0",
                                                 flash_size) | IO_MEM_ROM);
 
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs0val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs0val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS0_BASE + flash_size,
                     OMAP_CS0_SIZE - flash_size, io);
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs2val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs2val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS2_BASE, OMAP_CS2_SIZE, io);
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs3val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs3val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS3_BASE, OMAP_CS3_SIZE, io);
 
     fl_idx = 0;
@@ -175,7 +178,8 @@ static void sx1_init(ram_addr_t ram_size,
         cpu_register_physical_memory(OMAP_CS1_BASE, flash1_size,
                                      qemu_ram_alloc(NULL, "omap_sx1.flash1-0",
                                                     flash1_size) | IO_MEM_ROM);
-        io = cpu_register_io_memory(static_readfn, static_writefn, &cs1val);
+        io = cpu_register_io_memory(static_readfn, static_writefn, &cs1val,
+                                    DEVICE_NATIVE_ENDIAN);
         cpu_register_physical_memory(OMAP_CS1_BASE + flash1_size,
                         OMAP_CS1_SIZE - flash1_size, io);
 
@@ -189,7 +193,8 @@ static void sx1_init(ram_addr_t ram_size,
         }
         fl_idx++;
     } else {
-        io = cpu_register_io_memory(static_readfn, static_writefn, &cs1val);
+        io = cpu_register_io_memory(static_readfn, static_writefn, &cs1val,
+                                    DEVICE_NATIVE_ENDIAN);
         cpu_register_physical_memory(OMAP_CS1_BASE, OMAP_CS1_SIZE, io);
     }
 
diff --git a/hw/omap_uart.c b/hw/omap_uart.c
index cc66cd9..9cee81d 100644
--- a/hw/omap_uart.c
+++ b/hw/omap_uart.c
@@ -170,7 +170,7 @@ struct omap_uart_s *omap2_uart_init(struct omap_target_agent_s *ta,
     struct omap_uart_s *s = omap_uart_init(base, irq,
                     fclk, iclk, txdma, rxdma, label, chr);
     int iomemtype = cpu_register_io_memory(omap_uart_readfn,
-                    omap_uart_writefn, s);
+                    omap_uart_writefn, s, DEVICE_NATIVE_ENDIAN);
 
     s->ta = ta;
 
diff --git a/hw/onenand.c b/hw/onenand.c
index f7afeca..d9cdcf2 100644
--- a/hw/onenand.c
+++ b/hw/onenand.c
@@ -630,7 +630,7 @@ void *onenand_init(uint32_t id, int regshift, qemu_irq irq)
     s->blockwp = qemu_malloc(s->blocks);
     s->density_mask = (id & (1 << 11)) ? (1 << (6 + ((id >> 12) & 7))) : 0;
     s->iomemtype = cpu_register_io_memory(onenand_readfn,
-                    onenand_writefn, s);
+                    onenand_writefn, s, DEVICE_NATIVE_ENDIAN);
     if (!dinfo)
         s->image = memset(qemu_malloc(size + (size >> 5)),
                         0xff, size + (size >> 5));
diff --git a/hw/openpic.c b/hw/openpic.c
index f6b8f21..9e2500a 100644
--- a/hw/openpic.c
+++ b/hw/openpic.c
@@ -1035,7 +1035,8 @@ static void openpic_map(PCIDevice *pci_dev, int region_num,
     cpu_register_physical_memory(addr, 0x40000, opp->mem_index);
 #if 0 // Don't implement ISU for now
     opp_io_memory = cpu_register_io_memory(openpic_src_read,
-                                           openpic_src_write);
+                                           openpic_src_write, NULL
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(isu_base, 0x20 * (EXT_IRQ + 2),
                                  opp_io_memory);
 #endif
@@ -1202,8 +1203,8 @@ qemu_irq *openpic_init (PCIBus *bus, int *pmem_index, int nb_cpus,
     } else {
         opp = qemu_mallocz(sizeof(openpic_t));
     }
-    opp->mem_index = cpu_register_io_memory(openpic_read,
-                                            openpic_write, opp);
+    opp->mem_index = cpu_register_io_memory(openpic_read, openpic_write, opp,
+                                            DEVICE_NATIVE_ENDIAN);
 
     //    isu_base &= 0xFFFC0000;
     opp->nb_cpus = nb_cpus;
@@ -1671,7 +1672,8 @@ qemu_irq *mpic_init (target_phys_addr_t base, int nb_cpus,
     for (i = 0; i < sizeof(list)/sizeof(list[0]); i++) {
         int mem_index;
 
-        mem_index = cpu_register_io_memory(list[i].read, list[i].write, mpp);
+        mem_index = cpu_register_io_memory(list[i].read, list[i].write, mpp,
+                                           DEVICE_NATIVE_ENDIAN);
         if (mem_index < 0) {
             goto free;
         }
diff --git a/hw/palm.c b/hw/palm.c
index 193aa11..dd8d1e5 100644
--- a/hw/palm.c
+++ b/hw/palm.c
@@ -216,14 +216,18 @@ static void palmte_init(ram_addr_t ram_size,
                                  qemu_ram_alloc(NULL, "palmte.flash",
                                                 flash_size) | IO_MEM_ROM);
 
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs0val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs0val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS0_BASE + flash_size,
                     OMAP_CS0_SIZE - flash_size, io);
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs1val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs1val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS1_BASE, OMAP_CS1_SIZE, io);
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs2val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs2val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS2_BASE, OMAP_CS2_SIZE, io);
-    io = cpu_register_io_memory(static_readfn, static_writefn, &cs3val);
+    io = cpu_register_io_memory(static_readfn, static_writefn, &cs3val,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(OMAP_CS3_BASE, OMAP_CS3_SIZE, io);
 
     palmte_microwire_setup(cpu);
diff --git a/hw/parallel.c b/hw/parallel.c
index 6b11672..00005c4 100644
--- a/hw/parallel.c
+++ b/hw/parallel.c
@@ -577,7 +577,8 @@ ParallelState *parallel_mm_init(target_phys_addr_t base, int it_shift, qemu_irq
     s->it_shift = it_shift;
     qemu_register_reset(parallel_reset, s);
 
-    io_sw = cpu_register_io_memory(parallel_mm_read_sw, parallel_mm_write_sw, s);
+    io_sw = cpu_register_io_memory(parallel_mm_read_sw, parallel_mm_write_sw,
+                                   s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 8 << it_shift, io_sw);
     return s;
 }
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index c4feeca..21069ee 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -137,7 +137,8 @@ int pcie_host_init(PCIExpressHost *e)
 {
     e->base_addr = PCIE_BASE_ADDR_UNMAPPED;
     e->mmio_index =
-        cpu_register_io_memory(pcie_mmcfg_read, pcie_mmcfg_write, e);
+        cpu_register_io_memory(pcie_mmcfg_read, pcie_mmcfg_write, e,
+                               DEVICE_NATIVE_ENDIAN);
     if (e->mmio_index < 0) {
         return -1;
     }
diff --git a/hw/pckbd.c b/hw/pckbd.c
index 6e4e406..7f0e6bb 100644
--- a/hw/pckbd.c
+++ b/hw/pckbd.c
@@ -436,7 +436,8 @@ void i8042_mm_init(qemu_irq kbd_irq, qemu_irq mouse_irq,
     s->mask = mask;
 
     vmstate_register(NULL, 0, &vmstate_kbd, s);
-    s_io_memory = cpu_register_io_memory(kbd_mm_read, kbd_mm_write, s);
+    s_io_memory = cpu_register_io_memory(kbd_mm_read, kbd_mm_write, s,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, size, s_io_memory);
 
     s->kbd = ps2_kbd_init(kbd_update_kbd_irq, s);
diff --git a/hw/pcnet-pci.c b/hw/pcnet-pci.c
index 3dfbe46..5c5bd21 100644
--- a/hw/pcnet-pci.c
+++ b/hw/pcnet-pci.c
@@ -294,7 +294,8 @@ static int pci_pcnet_init(PCIDevice *pci_dev)
 
     /* Handler for memory-mapped I/O */
     s->mmio_index =
-      cpu_register_io_memory(pcnet_mmio_read, pcnet_mmio_write, &d->state);
+      cpu_register_io_memory(pcnet_mmio_read, pcnet_mmio_write, &d->state,
+                             DEVICE_NATIVE_ENDIAN);
 
     pci_register_bar(pci_dev, 0, PCNET_IOPORT_SIZE,
                            PCI_BASE_ADDRESS_SPACE_IO, pcnet_ioport_map);
diff --git a/hw/pflash_cfi01.c b/hw/pflash_cfi01.c
index 19e13d6..fb20dfb 100644
--- a/hw/pflash_cfi01.c
+++ b/hw/pflash_cfi01.c
@@ -600,10 +600,12 @@ pflash_t *pflash_cfi01_register(target_phys_addr_t base, ram_addr_t off,
     pfl->storage = qemu_get_ram_ptr(off);
     if (be) {
         pfl->fl_mem = cpu_register_io_memory(pflash_read_ops_be,
-                                             pflash_write_ops_be, pfl);
+                                             pflash_write_ops_be, pfl,
+                                             DEVICE_NATIVE_ENDIAN);
     } else {
         pfl->fl_mem = cpu_register_io_memory(pflash_read_ops_le,
-                                             pflash_write_ops_le, pfl);
+                                             pflash_write_ops_le, pfl,
+                                             DEVICE_NATIVE_ENDIAN);
     }
     pfl->off = off;
     cpu_register_physical_memory(base, total_len,
diff --git a/hw/pflash_cfi02.c b/hw/pflash_cfi02.c
index f3d3f41..3594a36 100644
--- a/hw/pflash_cfi02.c
+++ b/hw/pflash_cfi02.c
@@ -619,11 +619,11 @@ pflash_t *pflash_cfi02_register(target_phys_addr_t base, ram_addr_t off,
     if (be) {
         pfl->fl_mem = cpu_register_io_memory(pflash_read_ops_be,
                                              pflash_write_ops_be,
-                                             pfl);
+                                             pfl, DEVICE_NATIVE_ENDIAN);
     } else {
         pfl->fl_mem = cpu_register_io_memory(pflash_read_ops_le,
                                              pflash_write_ops_le,
-                                             pfl);
+                                             pfl, DEVICE_NATIVE_ENDIAN);
     }
     pfl->off = off;
     pfl->base = base;
diff --git a/hw/pl011.c b/hw/pl011.c
index 02cf84a..77f0dbf 100644
--- a/hw/pl011.c
+++ b/hw/pl011.c
@@ -292,7 +292,8 @@ static int pl011_init(SysBusDevice *dev, const unsigned char *id)
     pl011_state *s = FROM_SYSBUS(pl011_state, dev);
 
     iomemtype = cpu_register_io_memory(pl011_readfn,
-                                       pl011_writefn, s);
+                                       pl011_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000,iomemtype);
     sysbus_init_irq(dev, &s->irq);
     s->id = id;
diff --git a/hw/pl022.c b/hw/pl022.c
index d7862bc..ffe05ab 100644
--- a/hw/pl022.c
+++ b/hw/pl022.c
@@ -294,7 +294,8 @@ static int pl022_init(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(pl022_readfn,
-                                       pl022_writefn, s);
+                                       pl022_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq);
     s->ssi = ssi_create_bus(&dev->qdev, "ssi");
diff --git a/hw/pl031.c b/hw/pl031.c
index 45b7032..e3700c1 100644
--- a/hw/pl031.c
+++ b/hw/pl031.c
@@ -189,7 +189,8 @@ static int pl031_init(SysBusDevice *dev)
     pl031_state *s = FROM_SYSBUS(pl031_state, dev);
     struct tm tm;
 
-    iomemtype = cpu_register_io_memory(pl031_readfn, pl031_writefn, s);
+    iomemtype = cpu_register_io_memory(pl031_readfn, pl031_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     if (iomemtype == -1) {
         hw_error("pl031_init: Can't register I/O memory\n");
     }
diff --git a/hw/pl050.c b/hw/pl050.c
index a47786c..0573839 100644
--- a/hw/pl050.c
+++ b/hw/pl050.c
@@ -128,7 +128,8 @@ static int pl050_init(SysBusDevice *dev, int is_mouse)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(pl050_readfn,
-                                       pl050_writefn, s);
+                                       pl050_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq);
     s->is_mouse = is_mouse;
diff --git a/hw/pl061.c b/hw/pl061.c
index e4505f5..1997b7c 100644
--- a/hw/pl061.c
+++ b/hw/pl061.c
@@ -297,7 +297,8 @@ static int pl061_init(SysBusDevice *dev)
     pl061_state *s = FROM_SYSBUS(pl061_state, dev);
 
     iomemtype = cpu_register_io_memory(pl061_readfn,
-                                       pl061_writefn, s);
+                                       pl061_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq);
     qdev_init_gpio_in(&dev->qdev, pl061_set_irq, 8);
diff --git a/hw/pl080.c b/hw/pl080.c
index 2df65fa..1a3e06c 100644
--- a/hw/pl080.c
+++ b/hw/pl080.c
@@ -325,7 +325,8 @@ static int pl08x_init(SysBusDevice *dev, int nchannels)
     pl080_state *s = FROM_SYSBUS(pl080_state, dev);
 
     iomemtype = cpu_register_io_memory(pl080_readfn,
-                                       pl080_writefn, s);
+                                       pl080_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq);
     s->nchannels = nchannels;
diff --git a/hw/pl110.c b/hw/pl110.c
index 173458a..a4adb63 100644
--- a/hw/pl110.c
+++ b/hw/pl110.c
@@ -358,7 +358,8 @@ static int pl110_init(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(pl110_readfn,
-                                       pl110_writefn, s);
+                                       pl110_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq);
     s->ds = graphic_console_init(pl110_update_display,
diff --git a/hw/pl181.c b/hw/pl181.c
index 85cadc4..3e5f92f 100644
--- a/hw/pl181.c
+++ b/hw/pl181.c
@@ -451,8 +451,8 @@ static int pl181_init(SysBusDevice *dev)
     pl181_state *s = FROM_SYSBUS(pl181_state, dev);
     BlockDriverState *bd;
 
-    iomemtype = cpu_register_io_memory(pl181_readfn,
-                                       pl181_writefn, s);
+    iomemtype = cpu_register_io_memory(pl181_readfn, pl181_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     sysbus_init_irq(dev, &s->irq[0]);
     sysbus_init_irq(dev, &s->irq[1]);
diff --git a/hw/pl190.c b/hw/pl190.c
index a4bc9c1..e04e6c1 100644
--- a/hw/pl190.c
+++ b/hw/pl190.c
@@ -233,7 +233,8 @@ static int pl190_init(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(pl190_readfn,
-                                       pl190_writefn, s);
+                                       pl190_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     qdev_init_gpio_in(&dev->qdev, pl190_set_irq, 32);
     sysbus_init_irq(dev, &s->irq);
diff --git a/hw/ppc405_boards.c b/hw/ppc405_boards.c
index c5897a9..9abede7 100644
--- a/hw/ppc405_boards.c
+++ b/hw/ppc405_boards.c
@@ -164,7 +164,8 @@ static void ref405ep_fpga_init (uint32_t base)
 
     fpga = qemu_mallocz(sizeof(ref405ep_fpga_t));
     fpga_memory = cpu_register_io_memory(ref405ep_fpga_read,
-                                         ref405ep_fpga_write, fpga);
+                                         ref405ep_fpga_write, fpga,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00000100, fpga_memory);
     qemu_register_reset(&ref405ep_fpga_reset, fpga);
 }
@@ -488,7 +489,8 @@ static void taihu_cpld_init (uint32_t base)
 
     cpld = qemu_mallocz(sizeof(taihu_cpld_t));
     cpld_memory = cpu_register_io_memory(taihu_cpld_read,
-                                         taihu_cpld_write, cpld);
+                                         taihu_cpld_write, cpld,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00000100, cpld_memory);
     qemu_register_reset(&taihu_cpld_reset, cpld);
 }
diff --git a/hw/ppc405_uc.c b/hw/ppc405_uc.c
index 3600737..8136cb9 100644
--- a/hw/ppc405_uc.c
+++ b/hw/ppc405_uc.c
@@ -383,7 +383,8 @@ static void ppc4xx_opba_init(target_phys_addr_t base)
 #ifdef DEBUG_OPBA
     printf("%s: offset " TARGET_FMT_plx "\n", __func__, base);
 #endif
-    io = cpu_register_io_memory(opba_read, opba_write, opba);
+    io = cpu_register_io_memory(opba_read, opba_write, opba,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x002, io);
     qemu_register_reset(ppc4xx_opba_reset, opba);
 }
@@ -809,7 +810,8 @@ static void ppc405_gpio_init(target_phys_addr_t base)
 #ifdef DEBUG_GPIO
     printf("%s: offset " TARGET_FMT_plx "\n", __func__, base);
 #endif
-    io = cpu_register_io_memory(ppc405_gpio_read, ppc405_gpio_write, gpio);
+    io = cpu_register_io_memory(ppc405_gpio_read, ppc405_gpio_write, gpio,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x038, io);
     qemu_register_reset(&ppc405_gpio_reset, gpio);
 }
@@ -1218,7 +1220,8 @@ static void ppc405_i2c_init(target_phys_addr_t base, qemu_irq irq)
 #ifdef DEBUG_I2C
     printf("%s: offset " TARGET_FMT_plx "\n", __func__, base);
 #endif
-    io = cpu_register_io_memory(i2c_read, i2c_write, i2c);
+    io = cpu_register_io_memory(i2c_read, i2c_write, i2c,
+                                DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x011, io);
     qemu_register_reset(ppc4xx_i2c_reset, i2c);
 }
@@ -1501,7 +1504,7 @@ static void ppc4xx_gpt_init(target_phys_addr_t base, qemu_irq irqs[5])
 #ifdef DEBUG_GPT
     printf("%s: offset " TARGET_FMT_plx "\n", __func__, base);
 #endif
-    io = cpu_register_io_memory(gpt_read, gpt_write, gpt);
+    io = cpu_register_io_memory(gpt_read, gpt_write, gpt, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x0d4, io);
     qemu_register_reset(ppc4xx_gpt_reset, gpt);
 }
diff --git a/hw/ppc4xx_pci.c b/hw/ppc4xx_pci.c
index 6e437e7..f2ecece 100644
--- a/hw/ppc4xx_pci.c
+++ b/hw/ppc4xx_pci.c
@@ -372,7 +372,8 @@ PCIBus *ppc4xx_pci_init(CPUState *env, qemu_irq pci_irqs[4],
 
     /* CFGADDR */
     index = cpu_register_io_memory(pci4xx_cfgaddr_read,
-                                   pci4xx_cfgaddr_write, controller);
+                                   pci4xx_cfgaddr_write, controller,
+                                   DEVICE_NATIVE_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(config_space + PCIC0_CFGADDR, 4, index);
@@ -384,7 +385,8 @@ PCIBus *ppc4xx_pci_init(CPUState *env, qemu_irq pci_irqs[4],
     cpu_register_physical_memory(config_space + PCIC0_CFGDATA, 4, index);
 
     /* Internal registers */
-    index = cpu_register_io_memory(pci_reg_read, pci_reg_write, controller);
+    index = cpu_register_io_memory(pci_reg_read, pci_reg_write, controller,
+                                   DEVICE_NATIVE_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(registers, PCI_REG_SIZE, index);
diff --git a/hw/ppc_newworld.c b/hw/ppc_newworld.c
index 305b2d4..49b046b 100644
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -260,7 +260,8 @@ static void ppc_core99_init (ram_addr_t ram_size,
     isa_mmio_init(0xf2000000, 0x00800000, 1);
 
     /* UniN init */
-    unin_memory = cpu_register_io_memory(unin_read, unin_write, NULL);
+    unin_memory = cpu_register_io_memory(unin_read, unin_write, NULL,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0xf8000000, 0x00001000, unin_memory);
 
     openpic_irqs = qemu_mallocz(smp_cpus * sizeof(qemu_irq *));
diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index b1f9cc7..80f5db6 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -690,7 +690,8 @@ static void ppc_prep_init (ram_addr_t ram_size,
     //    pci_bus = i440fx_init();
     /* Register 8 MB of ISA IO space (needed for non-contiguous map) */
     PPC_io_memory = cpu_register_io_memory(PPC_prep_io_read,
-                                           PPC_prep_io_write, sysctrl);
+                                           PPC_prep_io_write, sysctrl,
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x80000000, 0x00800000, PPC_io_memory);
 
     /* init basic PC hardware */
@@ -755,12 +756,13 @@ static void ppc_prep_init (ram_addr_t ram_size,
     register_ioport_write(0x0800, 0x52, 1, &PREP_io_800_writeb, sysctrl);
     /* PCI intack location */
     PPC_io_memory = cpu_register_io_memory(PPC_intack_read,
-                                           PPC_intack_write, NULL);
+                                           PPC_intack_write, NULL,
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0xBFFFFFF0, 0x4, PPC_io_memory);
     /* PowerPC control and status register group */
 #if 0
     PPC_io_memory = cpu_register_io_memory(PPC_XCSR_read, PPC_XCSR_write,
-                                           NULL);
+                                           NULL, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0xFEFF0000, 0x1000, PPC_io_memory);
 #endif
 
diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 8ac99f2..71302ba 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -304,7 +304,8 @@ PCIBus *ppce500_pci_init(qemu_irq pci_irqs[4], target_phys_addr_t registers)
     cpu_register_physical_memory(registers + PCIE500_CFGDATA, 4, index);
 
     index = cpu_register_io_memory(e500_pci_reg_read,
-                                   e500_pci_reg_write, controller);
+                                   e500_pci_reg_write, controller,
+                                   DEVICE_NATIVE_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(registers + PCIE500_REG_BASE,
diff --git a/hw/prep_pci.c b/hw/prep_pci.c
index 0c2afe9..f88b825 100644
--- a/hw/prep_pci.c
+++ b/hw/prep_pci.c
@@ -125,7 +125,8 @@ PCIBus *pci_prep_init(qemu_irq *pic)
     pci_host_data_register_ioport(0xcfc, s);
 
     PPC_io_memory = cpu_register_io_memory(PPC_PCIIO_read,
-                                           PPC_PCIIO_write, s);
+                                           PPC_PCIIO_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x80800000, 0x00400000, PPC_io_memory);
 
     /* PCI host bridge */
diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index 6e04645..ab524a7 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -859,7 +859,8 @@ static int pxa2xx_ssp_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->irq);
 
     iomemtype = cpu_register_io_memory(pxa2xx_ssp_readfn,
-                                       pxa2xx_ssp_writefn, s);
+                                       pxa2xx_ssp_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     register_savevm(&dev->qdev, "pxa2xx_ssp", -1, 0,
                     pxa2xx_ssp_save, pxa2xx_ssp_load, s);
@@ -1512,7 +1513,7 @@ PXA2xxI2CState *pxa2xx_i2c_init(target_phys_addr_t base,
     s->offset = base - (base & (~region_size) & TARGET_PAGE_MASK);
 
     iomemtype = cpu_register_io_memory(pxa2xx_i2c_readfn,
-                    pxa2xx_i2c_writefn, s);
+                    pxa2xx_i2c_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base & ~region_size,
                     region_size + 1, iomemtype);
 
@@ -1749,7 +1750,7 @@ static PXA2xxI2SState *pxa2xx_i2s_init(target_phys_addr_t base,
     pxa2xx_i2s_reset(s);
 
     iomemtype = cpu_register_io_memory(pxa2xx_i2s_readfn,
-                    pxa2xx_i2s_writefn, s);
+                    pxa2xx_i2s_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x100000, iomemtype);
 
     register_savevm(NULL, "pxa2xx_i2s", base, 0,
@@ -2009,7 +2010,7 @@ static PXA2xxFIrState *pxa2xx_fir_init(target_phys_addr_t base,
     pxa2xx_fir_reset(s);
 
     iomemtype = cpu_register_io_memory(pxa2xx_fir_readfn,
-                    pxa2xx_fir_writefn, s);
+                    pxa2xx_fir_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x1000, iomemtype);
 
     if (chr)
@@ -2102,7 +2103,7 @@ PXA2xxState *pxa270_init(unsigned int sdram_size, const char *revision)
     s->cm_regs[CCCR >> 2] = 0x02000210;	/* 416.0 MHz */
     s->clkcfg = 0x00000009;		/* Turbo mode active */
     iomemtype = cpu_register_io_memory(pxa2xx_cm_readfn,
-                    pxa2xx_cm_writefn, s);
+                    pxa2xx_cm_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->cm_base, 0x1000, iomemtype);
     register_savevm(NULL, "pxa2xx_cm", 0, 0, pxa2xx_cm_save, pxa2xx_cm_load, s);
 
@@ -2113,13 +2114,13 @@ PXA2xxState *pxa270_init(unsigned int sdram_size, const char *revision)
     s->mm_regs[MDREFR >> 2] = 0x03ca4000;
     s->mm_regs[MECR >> 2] = 0x00000001;	/* Two PC Card sockets */
     iomemtype = cpu_register_io_memory(pxa2xx_mm_readfn,
-                    pxa2xx_mm_writefn, s);
+                    pxa2xx_mm_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->mm_base, 0x1000, iomemtype);
     register_savevm(NULL, "pxa2xx_mm", 0, 0, pxa2xx_mm_save, pxa2xx_mm_load, s);
 
     s->pm_base = 0x40f00000;
     iomemtype = cpu_register_io_memory(pxa2xx_pm_readfn,
-                    pxa2xx_pm_writefn, s);
+                    pxa2xx_pm_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->pm_base, 0x100, iomemtype);
     register_savevm(NULL, "pxa2xx_pm", 0, 0, pxa2xx_pm_save, pxa2xx_pm_load, s);
 
@@ -2142,7 +2143,7 @@ PXA2xxState *pxa270_init(unsigned int sdram_size, const char *revision)
 
     s->rtc_base = 0x40900000;
     iomemtype = cpu_register_io_memory(pxa2xx_rtc_readfn,
-                    pxa2xx_rtc_writefn, s);
+                    pxa2xx_rtc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->rtc_base, 0x1000, iomemtype);
     pxa2xx_rtc_init(s);
     register_savevm(NULL, "pxa2xx_rtc", 0, 0, pxa2xx_rtc_save,
@@ -2225,7 +2226,7 @@ PXA2xxState *pxa255_init(unsigned int sdram_size)
     s->cm_regs[CCCR >> 2] = 0x02000210;	/* 416.0 MHz */
     s->clkcfg = 0x00000009;		/* Turbo mode active */
     iomemtype = cpu_register_io_memory(pxa2xx_cm_readfn,
-                    pxa2xx_cm_writefn, s);
+                    pxa2xx_cm_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->cm_base, 0x1000, iomemtype);
     register_savevm(NULL, "pxa2xx_cm", 0, 0, pxa2xx_cm_save, pxa2xx_cm_load, s);
 
@@ -2236,13 +2237,13 @@ PXA2xxState *pxa255_init(unsigned int sdram_size)
     s->mm_regs[MDREFR >> 2] = 0x03ca4000;
     s->mm_regs[MECR >> 2] = 0x00000001;	/* Two PC Card sockets */
     iomemtype = cpu_register_io_memory(pxa2xx_mm_readfn,
-                    pxa2xx_mm_writefn, s);
+                    pxa2xx_mm_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->mm_base, 0x1000, iomemtype);
     register_savevm(NULL, "pxa2xx_mm", 0, 0, pxa2xx_mm_save, pxa2xx_mm_load, s);
 
     s->pm_base = 0x40f00000;
     iomemtype = cpu_register_io_memory(pxa2xx_pm_readfn,
-                    pxa2xx_pm_writefn, s);
+                    pxa2xx_pm_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->pm_base, 0x100, iomemtype);
     register_savevm(NULL, "pxa2xx_pm", 0, 0, pxa2xx_pm_save, pxa2xx_pm_load, s);
 
@@ -2265,7 +2266,7 @@ PXA2xxState *pxa255_init(unsigned int sdram_size)
 
     s->rtc_base = 0x40900000;
     iomemtype = cpu_register_io_memory(pxa2xx_rtc_readfn,
-                    pxa2xx_rtc_writefn, s);
+                    pxa2xx_rtc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(s->rtc_base, 0x1000, iomemtype);
     pxa2xx_rtc_init(s);
     register_savevm(NULL, "pxa2xx_rtc", 0, 0, pxa2xx_rtc_save,
diff --git a/hw/pxa2xx_dma.c b/hw/pxa2xx_dma.c
index 9c479df..b512d34 100644
--- a/hw/pxa2xx_dma.c
+++ b/hw/pxa2xx_dma.c
@@ -504,7 +504,7 @@ static PXA2xxDMAState *pxa2xx_dma_init(target_phys_addr_t base,
     memset(s->req, 0, sizeof(uint8_t) * PXA2XX_DMA_NUM_REQUESTS);
 
     iomemtype = cpu_register_io_memory(pxa2xx_dma_readfn,
-                    pxa2xx_dma_writefn, s);
+                    pxa2xx_dma_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00010000, iomemtype);
 
     register_savevm(NULL, "pxa2xx_dma", 0, 0, pxa2xx_dma_save, pxa2xx_dma_load, s);
diff --git a/hw/pxa2xx_gpio.c b/hw/pxa2xx_gpio.c
index 2abcb65..0d03446 100644
--- a/hw/pxa2xx_gpio.c
+++ b/hw/pxa2xx_gpio.c
@@ -309,7 +309,7 @@ PXA2xxGPIOInfo *pxa2xx_gpio_init(target_phys_addr_t base,
     s->in = qemu_allocate_irqs(pxa2xx_gpio_set, s, lines);
 
     iomemtype = cpu_register_io_memory(pxa2xx_gpio_readfn,
-                    pxa2xx_gpio_writefn, s);
+                    pxa2xx_gpio_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00001000, iomemtype);
 
     register_savevm(NULL, "pxa2xx_gpio", 0, 0,
diff --git a/hw/pxa2xx_keypad.c b/hw/pxa2xx_keypad.c
index dfa8945..4c99917 100644
--- a/hw/pxa2xx_keypad.c
+++ b/hw/pxa2xx_keypad.c
@@ -314,7 +314,7 @@ PXA2xxKeyPadState *pxa27x_keypad_init(target_phys_addr_t base,
     s->irq = irq;
 
     iomemtype = cpu_register_io_memory(pxa2xx_keypad_readfn,
-                    pxa2xx_keypad_writefn, s);
+                    pxa2xx_keypad_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00100000, iomemtype);
 
     register_savevm(NULL, "pxa2xx_keypad", 0, 0,
diff --git a/hw/pxa2xx_lcd.c b/hw/pxa2xx_lcd.c
index 111a0dc..1f2211a 100644
--- a/hw/pxa2xx_lcd.c
+++ b/hw/pxa2xx_lcd.c
@@ -929,7 +929,7 @@ PXA2xxLCDState *pxa2xx_lcdc_init(target_phys_addr_t base, qemu_irq irq)
     pxa2xx_lcdc_orientation(s, graphic_rotate);
 
     iomemtype = cpu_register_io_memory(pxa2xx_lcdc_readfn,
-                    pxa2xx_lcdc_writefn, s);
+                    pxa2xx_lcdc_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00100000, iomemtype);
 
     s->ds = graphic_console_init(pxa2xx_update_display,
diff --git a/hw/pxa2xx_mmci.c b/hw/pxa2xx_mmci.c
index ca98660..24d409d 100644
--- a/hw/pxa2xx_mmci.c
+++ b/hw/pxa2xx_mmci.c
@@ -528,7 +528,7 @@ PXA2xxMMCIState *pxa2xx_mmci_init(target_phys_addr_t base,
     s->dma = dma;
 
     iomemtype = cpu_register_io_memory(pxa2xx_mmci_readfn,
-                    pxa2xx_mmci_writefn, s);
+                    pxa2xx_mmci_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00100000, iomemtype);
 
     /* Instantiate the actual storage */
diff --git a/hw/pxa2xx_pcmcia.c b/hw/pxa2xx_pcmcia.c
index be1309f..50d4649 100644
--- a/hw/pxa2xx_pcmcia.c
+++ b/hw/pxa2xx_pcmcia.c
@@ -140,19 +140,19 @@ PXA2xxPCMCIAState *pxa2xx_pcmcia_init(target_phys_addr_t base)
 
     /* Socket I/O Memory Space */
     iomemtype = cpu_register_io_memory(pxa2xx_pcmcia_io_readfn,
-                    pxa2xx_pcmcia_io_writefn, s);
+                    pxa2xx_pcmcia_io_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base | 0x00000000, 0x04000000, iomemtype);
 
     /* Then next 64 MB is reserved */
 
     /* Socket Attribute Memory Space */
     iomemtype = cpu_register_io_memory(pxa2xx_pcmcia_attr_readfn,
-                    pxa2xx_pcmcia_attr_writefn, s);
+                    pxa2xx_pcmcia_attr_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base | 0x08000000, 0x04000000, iomemtype);
 
     /* Socket Common Memory Space */
     iomemtype = cpu_register_io_memory(pxa2xx_pcmcia_common_readfn,
-                    pxa2xx_pcmcia_common_writefn, s);
+                    pxa2xx_pcmcia_common_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base | 0x0c000000, 0x04000000, iomemtype);
 
     if (base == 0x30000000)
diff --git a/hw/pxa2xx_pic.c b/hw/pxa2xx_pic.c
index 4d8944b..a36da23 100644
--- a/hw/pxa2xx_pic.c
+++ b/hw/pxa2xx_pic.c
@@ -300,7 +300,7 @@ qemu_irq *pxa2xx_pic_init(target_phys_addr_t base, CPUState *env)
 
     /* Enable IC memory-mapped registers access.  */
     iomemtype = cpu_register_io_memory(pxa2xx_pic_readfn,
-                    pxa2xx_pic_writefn, s);
+                    pxa2xx_pic_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00100000, iomemtype);
 
     /* Enable IC coprocessor access.  */
diff --git a/hw/pxa2xx_timer.c b/hw/pxa2xx_timer.c
index 0f0ffd3..b556d11 100644
--- a/hw/pxa2xx_timer.c
+++ b/hw/pxa2xx_timer.c
@@ -452,7 +452,7 @@ static pxa2xx_timer_info *pxa2xx_timer_init(target_phys_addr_t base,
     }
 
     iomemtype = cpu_register_io_memory(pxa2xx_timer_readfn,
-                    pxa2xx_timer_writefn, s);
+                    pxa2xx_timer_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00001000, iomemtype);
 
     register_savevm(NULL, "pxa2xx_timer", 0, 0,
diff --git a/hw/r2d.c b/hw/r2d.c
index a58f653..c4f32ef 100644
--- a/hw/r2d.c
+++ b/hw/r2d.c
@@ -189,7 +189,8 @@ static qemu_irq *r2d_fpga_init(target_phys_addr_t base, qemu_irq irl)
     s->irl = irl;
 
     iomemtype = cpu_register_io_memory(r2d_fpga_readfn,
-				       r2d_fpga_writefn, s);
+				       r2d_fpga_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x40, iomemtype);
     return qemu_allocate_irqs(r2d_fpga_irq_set, s, NR_IRQS);
 }
diff --git a/hw/rc4030.c b/hw/rc4030.c
index abbc3eb..0a9d98d 100644
--- a/hw/rc4030.c
+++ b/hw/rc4030.c
@@ -819,9 +819,11 @@ void *rc4030_init(qemu_irq timer, qemu_irq jazz_bus,
     register_savevm(NULL, "rc4030", 0, 2, rc4030_save, rc4030_load, s);
     rc4030_reset(s);
 
-    s_chipset = cpu_register_io_memory(rc4030_read, rc4030_write, s);
+    s_chipset = cpu_register_io_memory(rc4030_read, rc4030_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x80000000, 0x300, s_chipset);
-    s_jazzio = cpu_register_io_memory(jazzio_read, jazzio_write, s);
+    s_jazzio = cpu_register_io_memory(jazzio_read, jazzio_write, s,
+                                      DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0xf0000000, 0x00001000, s_jazzio);
 
     return s;
diff --git a/hw/realview.c b/hw/realview.c
index e9fcbc9..6eb6c6a 100644
--- a/hw/realview.c
+++ b/hw/realview.c
@@ -81,7 +81,8 @@ static int realview_i2c_init(SysBusDevice *dev)
     bus = i2c_init_bus(&dev->qdev, "i2c");
     s->bitbang = bitbang_i2c_init(bus);
     iomemtype = cpu_register_io_memory(realview_i2c_readfn,
-                                       realview_i2c_writefn, s);
+                                       realview_i2c_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     return 0;
 }
diff --git a/hw/realview_gic.c b/hw/realview_gic.c
index bd02b09..db908b6 100644
--- a/hw/realview_gic.c
+++ b/hw/realview_gic.c
@@ -64,7 +64,8 @@ static int realview_gic_init(SysBusDevice *dev)
 
     gic_init(&s->gic);
     s->iomemtype = cpu_register_io_memory(realview_gic_cpu_readfn,
-                                          realview_gic_cpu_writefn, s);
+                                          realview_gic_cpu_writefn, s,
+                                          DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio_cb(dev, 0x2000, realview_gic_map);
     return 0;
 }
diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index d92981d..30a3960 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -3366,7 +3366,8 @@ static int pci_rtl8139_init(PCIDevice *dev)
 
     /* I/O handler for memory-mapped I/O */
     s->rtl8139_mmio_io_addr =
-        cpu_register_io_memory(rtl8139_mmio_read, rtl8139_mmio_write, s);
+        cpu_register_io_memory(rtl8139_mmio_read, rtl8139_mmio_write, s,
+                               DEVICE_NATIVE_ENDIAN);
 
     pci_register_bar(&s->dev, 0, 0x100,
                            PCI_BASE_ADDRESS_SPACE_IO,  rtl8139_ioport_map);
diff --git a/hw/sbi.c b/hw/sbi.c
index c4adc09..53f66f2 100644
--- a/hw/sbi.c
+++ b/hw/sbi.c
@@ -125,7 +125,8 @@ static int sbi_init1(SysBusDevice *dev)
         sysbus_init_irq(dev, &s->cpu_irqs[i]);
     }
 
-    sbi_io_memory = cpu_register_io_memory(sbi_mem_read, sbi_mem_write, s);
+    sbi_io_memory = cpu_register_io_memory(sbi_mem_read, sbi_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, SBI_SIZE, sbi_io_memory);
 
     return 0;
diff --git a/hw/serial.c b/hw/serial.c
index 9ebc452..d21cbe9 100644
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -955,10 +955,12 @@ SerialState *serial_mm_init (target_phys_addr_t base, int it_shift,
     if (ioregister) {
         if (be) {
             s_io_memory = cpu_register_io_memory(serial_mm_read_be,
-                                                 serial_mm_write_be, s);
+                                                 serial_mm_write_be, s,
+                                                 DEVICE_NATIVE_ENDIAN);
         } else {
             s_io_memory = cpu_register_io_memory(serial_mm_read_le,
-                                                 serial_mm_write_le, s);
+                                                 serial_mm_write_le, s,
+                                                 DEVICE_NATIVE_ENDIAN);
         }
         cpu_register_physical_memory(base, 8 << it_shift, s_io_memory);
     }
diff --git a/hw/sh7750.c b/hw/sh7750.c
index 0291d5f..9e54ad1 100644
--- a/hw/sh7750.c
+++ b/hw/sh7750.c
@@ -713,7 +713,8 @@ SH7750State *sh7750_init(CPUSH4State * cpu)
     s->cpu = cpu;
     s->periph_freq = 60000000;	/* 60MHz */
     sh7750_io_memory = cpu_register_io_memory(sh7750_mem_read,
-					      sh7750_mem_write, s);
+					      sh7750_mem_write, s,
+                                              DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory_offset(0x1f000000, 0x1000,
                                         sh7750_io_memory, 0x1f000000);
     cpu_register_physical_memory_offset(0xff000000, 0x1000,
@@ -728,7 +729,8 @@ SH7750State *sh7750_init(CPUSH4State * cpu)
                                         sh7750_io_memory, 0x1fc00000);
 
     sh7750_mm_cache_and_tlb = cpu_register_io_memory(sh7750_mmct_read,
-						     sh7750_mmct_write, s);
+						     sh7750_mmct_write, s,
+                                                     DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0xf0000000, 0x08000000,
 				 sh7750_mm_cache_and_tlb);
 
diff --git a/hw/sh_intc.c b/hw/sh_intc.c
index d3f5ea5..0734da9 100644
--- a/hw/sh_intc.c
+++ b/hw/sh_intc.c
@@ -442,7 +442,8 @@ int sh_intc_init(struct intc_desc *desc,
     desc->irqs = qemu_allocate_irqs(sh_intc_set_irq, desc, nr_sources);
  
     desc->iomemtype = cpu_register_io_memory(sh_intc_readfn,
-					     sh_intc_writefn, desc);
+					     sh_intc_writefn, desc,
+                                             DEVICE_NATIVE_ENDIAN);
     if (desc->mask_regs) {
         for (i = 0; i < desc->nr_mask_regs; i++) {
 	    struct intc_mask_reg *mr = desc->mask_regs + i;
diff --git a/hw/sh_pci.c b/hw/sh_pci.c
index cc2f190..6042d9c 100644
--- a/hw/sh_pci.c
+++ b/hw/sh_pci.c
@@ -103,7 +103,8 @@ PCIBus *sh_pci_register_bus(pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
 
     p->dev = pci_register_device(p->bus, "SH PCIC", sizeof(PCIDevice),
                                  -1, NULL, NULL);
-    reg = cpu_register_io_memory(sh_pci_reg.r, sh_pci_reg.w, p);
+    reg = cpu_register_io_memory(sh_pci_reg.r, sh_pci_reg.w, p,
+                                 DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(0x1e200000, 0x224, reg);
     cpu_register_physical_memory(0xfe200000, 0x224, reg);
 
diff --git a/hw/sh_serial.c b/hw/sh_serial.c
index 93dc144..1bdc0a5 100644
--- a/hw/sh_serial.c
+++ b/hw/sh_serial.c
@@ -395,7 +395,8 @@ void sh_serial_init (target_phys_addr_t base, int feat,
     sh_serial_clear_fifo(s);
 
     s_io_memory = cpu_register_io_memory(sh_serial_readfn,
-					 sh_serial_writefn, s);
+					 sh_serial_writefn, s,
+                                         DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(P4ADDR(base), 0x28, s_io_memory);
     cpu_register_physical_memory(A7ADDR(base), 0x28, s_io_memory);
 
diff --git a/hw/sh_timer.c b/hw/sh_timer.c
index fd2146a..5eec6b7 100644
--- a/hw/sh_timer.c
+++ b/hw/sh_timer.c
@@ -319,7 +319,8 @@ void tmu012_init(target_phys_addr_t base, int feat, uint32_t freq,
         s->timer[2] = sh_timer_init(freq, timer_feat | TIMER_FEAT_CAPT,
 				    ch2_irq0); /* ch2_irq1 not supported */
     iomemtype = cpu_register_io_memory(tmu012_readfn,
-                                       tmu012_writefn, s);
+                                       tmu012_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(P4ADDR(base), 0x00001000, iomemtype);
     cpu_register_physical_memory(A7ADDR(base), 0x00001000, iomemtype);
     /* ??? Save/restore.  */
diff --git a/hw/slavio_intctl.c b/hw/slavio_intctl.c
index 9d5ad86..fd69354 100644
--- a/hw/slavio_intctl.c
+++ b/hw/slavio_intctl.c
@@ -422,7 +422,8 @@ static int slavio_intctl_init1(SysBusDevice *dev)
 
     qdev_init_gpio_in(&dev->qdev, slavio_set_irq_all, 32 + MAX_CPUS);
     io_memory = cpu_register_io_memory(slavio_intctlm_mem_read,
-                                       slavio_intctlm_mem_write, s);
+                                       slavio_intctlm_mem_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, INTCTLM_SIZE, io_memory);
 
     for (i = 0; i < MAX_CPUS; i++) {
@@ -431,7 +432,8 @@ static int slavio_intctl_init1(SysBusDevice *dev)
         }
         io_memory = cpu_register_io_memory(slavio_intctl_mem_read,
                                            slavio_intctl_mem_write,
-                                           &s->slaves[i]);
+                                           &s->slaves[i],
+                                           DEVICE_NATIVE_ENDIAN);
         sysbus_init_mmio(dev, INTCTL_SIZE, io_memory);
         s->slaves[i].cpu = i;
         s->slaves[i].master = s;
diff --git a/hw/slavio_misc.c b/hw/slavio_misc.c
index 1d81a63..198360d 100644
--- a/hw/slavio_misc.c
+++ b/hw/slavio_misc.c
@@ -412,7 +412,8 @@ static int apc_init1(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->cpu_halt);
 
     /* Power management (APC) XXX: not a Slavio device */
-    io = cpu_register_io_memory(apc_mem_read, apc_mem_write, s);
+    io = cpu_register_io_memory(apc_mem_read, apc_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
     return 0;
 }
@@ -428,39 +429,46 @@ static int slavio_misc_init1(SysBusDevice *dev)
     /* 8 bit registers */
     /* Slavio control */
     io = cpu_register_io_memory(slavio_cfg_mem_read,
-                                slavio_cfg_mem_write, s);
+                                slavio_cfg_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
 
     /* Diagnostics */
     io = cpu_register_io_memory(slavio_diag_mem_read,
-                                slavio_diag_mem_write, s);
+                                slavio_diag_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
 
     /* Modem control */
     io = cpu_register_io_memory(slavio_mdm_mem_read,
-                                slavio_mdm_mem_write, s);
+                                slavio_mdm_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
 
     /* 16 bit registers */
     /* ss600mp diag LEDs */
     io = cpu_register_io_memory(slavio_led_mem_read,
-                                slavio_led_mem_write, s);
+                                slavio_led_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
 
     /* 32 bit registers */
     /* System control */
     io = cpu_register_io_memory(slavio_sysctrl_mem_read,
-                                slavio_sysctrl_mem_write, s);
+                                slavio_sysctrl_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, SYSCTRL_SIZE, io);
 
     /* AUX 1 (Misc System Functions) */
     io = cpu_register_io_memory(slavio_aux1_mem_read,
-                                slavio_aux1_mem_write, s);
+                                slavio_aux1_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
 
     /* AUX 2 (Software Powerdown Control) */
     io = cpu_register_io_memory(slavio_aux2_mem_read,
-                                slavio_aux2_mem_write, s);
+                                slavio_aux2_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, MISC_SIZE, io);
 
     qdev_init_gpio_in(&dev->qdev, slavio_set_power_fail, 1);
diff --git a/hw/slavio_timer.c b/hw/slavio_timer.c
index 13f1e62..5511313 100644
--- a/hw/slavio_timer.c
+++ b/hw/slavio_timer.c
@@ -390,7 +390,8 @@ static int slavio_timer_init1(SysBusDevice *dev)
         ptimer_set_period(s->cputimer[i].timer, TIMER_PERIOD);
 
         io = cpu_register_io_memory(slavio_timer_mem_read,
-                                    slavio_timer_mem_write, tc);
+                                    slavio_timer_mem_write, tc,
+                                    DEVICE_NATIVE_ENDIAN);
         if (i == 0) {
             sysbus_init_mmio(dev, SYS_TIMER_SIZE, io);
         } else {
diff --git a/hw/sm501.c b/hw/sm501.c
index 705e0a5..f16e6e4 100644
--- a/hw/sm501.c
+++ b/hw/sm501.c
@@ -1379,15 +1379,18 @@ void sm501_init(uint32_t base, uint32_t local_mem_bytes, qemu_irq irq,
     /* map mmio */
     sm501_system_config_index
 	= cpu_register_io_memory(sm501_system_config_readfn,
-				 sm501_system_config_writefn, s);
+				 sm501_system_config_writefn, s,
+                                 DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base + MMIO_BASE_OFFSET,
 				 0x6c, sm501_system_config_index);
     sm501_disp_ctrl_index = cpu_register_io_memory(sm501_disp_ctrl_readfn,
-						   sm501_disp_ctrl_writefn, s);
+						   sm501_disp_ctrl_writefn, s,
+                                                   DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base + MMIO_BASE_OFFSET + SM501_DC,
                                  0x1000, sm501_disp_ctrl_index);
     sm501_2d_engine_index = cpu_register_io_memory(sm501_2d_engine_readfn,
-                                                   sm501_2d_engine_writefn, s);
+                                                   sm501_2d_engine_writefn, s,
+                                                   DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base + MMIO_BASE_OFFSET + SM501_2D_ENGINE,
                                  0x54, sm501_2d_engine_index);
 
diff --git a/hw/smc91c111.c b/hw/smc91c111.c
index f7d58e1..fc714d7 100644
--- a/hw/smc91c111.c
+++ b/hw/smc91c111.c
@@ -719,7 +719,8 @@ static int smc91c111_init1(SysBusDevice *dev)
     smc91c111_state *s = FROM_SYSBUS(smc91c111_state, dev);
 
     s->mmio_index = cpu_register_io_memory(smc91c111_readfn,
-                                           smc91c111_writefn, s);
+                                           smc91c111_writefn, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 16, s->mmio_index);
     sysbus_init_irq(dev, &s->irq);
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
diff --git a/hw/sparc32_dma.c b/hw/sparc32_dma.c
index 0904188..e78f025 100644
--- a/hw/sparc32_dma.c
+++ b/hw/sparc32_dma.c
@@ -257,7 +257,8 @@ static int sparc32_dma_init1(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
 
-    dma_io_memory = cpu_register_io_memory(dma_mem_read, dma_mem_write, s);
+    dma_io_memory = cpu_register_io_memory(dma_mem_read, dma_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, DMA_SIZE, dma_io_memory);
 
     qdev_init_gpio_in(&dev->qdev, dma_set_irq, 1);
diff --git a/hw/spitz.c b/hw/spitz.c
index a064460..092bb64 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -176,7 +176,7 @@ static void sl_flash_register(PXA2xxState *cpu, int size)
         s->nand = nand_init(NAND_MFR_SAMSUNG, 0xf1);
 
     iomemtype = cpu_register_io_memory(sl_readfn,
-                    sl_writefn, s);
+                    sl_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(FLASH_BASE, 0x40, iomemtype);
 
     register_savevm(NULL, "sl_flash", 0, 0, sl_save, sl_load, s);
diff --git a/hw/stellaris.c b/hw/stellaris.c
index ccad134..b903273 100644
--- a/hw/stellaris.c
+++ b/hw/stellaris.c
@@ -348,7 +348,8 @@ static int stellaris_gptm_init(SysBusDevice *dev)
     qdev_init_gpio_out(&dev->qdev, &s->trigger, 1);
 
     iomemtype = cpu_register_io_memory(gptm_readfn,
-                                       gptm_writefn, s);
+                                       gptm_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
 
     s->opaque[0] = s->opaque[1] = s;
@@ -671,7 +672,8 @@ static int stellaris_sys_init(uint32_t base, qemu_irq irq,
     s->user1 = macaddr[3] | (macaddr[4] << 8) | (macaddr[5] << 16);
 
     iomemtype = cpu_register_io_memory(ssys_readfn,
-                                       ssys_writefn, s);
+                                       ssys_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x00001000, iomemtype);
     ssys_reset(s);
     register_savevm(NULL, "stellaris_sys", -1, 1, ssys_save, ssys_load, s);
@@ -884,7 +886,8 @@ static int stellaris_i2c_init(SysBusDevice * dev)
     s->bus = bus;
 
     iomemtype = cpu_register_io_memory(stellaris_i2c_readfn,
-                                       stellaris_i2c_writefn, s);
+                                       stellaris_i2c_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     /* ??? For now we only implement the master interface.  */
     stellaris_i2c_reset(s);
@@ -1193,7 +1196,8 @@ static int stellaris_adc_init(SysBusDevice *dev)
     }
 
     iomemtype = cpu_register_io_memory(stellaris_adc_readfn,
-                                       stellaris_adc_writefn, s);
+                                       stellaris_adc_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     stellaris_adc_reset(s);
     qdev_init_gpio_in(&dev->qdev, stellaris_adc_trigger, 1);
diff --git a/hw/stellaris_enet.c b/hw/stellaris_enet.c
index 330a9d6..6a0583a 100644
--- a/hw/stellaris_enet.c
+++ b/hw/stellaris_enet.c
@@ -409,7 +409,8 @@ static int stellaris_enet_init(SysBusDevice *dev)
     stellaris_enet_state *s = FROM_SYSBUS(stellaris_enet_state, dev);
 
     s->mmio_index = cpu_register_io_memory(stellaris_enet_readfn,
-                                           stellaris_enet_writefn, s);
+                                           stellaris_enet_writefn, s,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, s->mmio_index);
     sysbus_init_irq(dev, &s->irq);
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
diff --git a/hw/sun4c_intctl.c b/hw/sun4c_intctl.c
index 7d7542d..5c7fdef 100644
--- a/hw/sun4c_intctl.c
+++ b/hw/sun4c_intctl.c
@@ -196,7 +196,8 @@ static int sun4c_intctl_init1(SysBusDevice *dev)
     unsigned int i;
 
     io_memory = cpu_register_io_memory(sun4c_intctl_mem_read,
-                                       sun4c_intctl_mem_write, s);
+                                       sun4c_intctl_mem_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, INTCTL_SIZE, io_memory);
     qdev_init_gpio_in(&dev->qdev, sun4c_set_irq, 8);
 
diff --git a/hw/sun4m_iommu.c b/hw/sun4m_iommu.c
index 720ee3f..bba69ee 100644
--- a/hw/sun4m_iommu.c
+++ b/hw/sun4m_iommu.c
@@ -351,7 +351,8 @@ static int iommu_init1(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
 
-    io = cpu_register_io_memory(iommu_mem_read, iommu_mem_write, s);
+    io = cpu_register_io_memory(iommu_mem_read, iommu_mem_write, s,
+                                DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, IOMMU_NREGS * sizeof(uint32_t), io);
 
     return 0;
diff --git a/hw/syborg_fb.c b/hw/syborg_fb.c
index ed57203..7e37364 100644
--- a/hw/syborg_fb.c
+++ b/hw/syborg_fb.c
@@ -510,7 +510,8 @@ static int syborg_fb_init(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
     iomemtype = cpu_register_io_memory(syborg_fb_readfn,
-                                       syborg_fb_writefn, s);
+                                       syborg_fb_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
 
     s->ds = graphic_console_init(syborg_fb_update_display,
diff --git a/hw/syborg_interrupt.c b/hw/syborg_interrupt.c
index 30140fb..5217983 100644
--- a/hw/syborg_interrupt.c
+++ b/hw/syborg_interrupt.c
@@ -210,7 +210,8 @@ static int syborg_int_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->parent_irq);
     qdev_init_gpio_in(&dev->qdev, syborg_int_set_irq, s->num_irqs);
     iomemtype = cpu_register_io_memory(syborg_int_readfn,
-                                       syborg_int_writefn, s);
+                                       syborg_int_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     s->flags = qemu_mallocz(s->num_irqs * sizeof(syborg_int_flags));
 
diff --git a/hw/syborg_keyboard.c b/hw/syborg_keyboard.c
index 7709100..d295e99 100644
--- a/hw/syborg_keyboard.c
+++ b/hw/syborg_keyboard.c
@@ -210,7 +210,8 @@ static int syborg_keyboard_init(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
     iomemtype = cpu_register_io_memory(syborg_keyboard_readfn,
-                                       syborg_keyboard_writefn, s);
+                                       syborg_keyboard_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     if (s->fifo_size <= 0) {
         fprintf(stderr, "syborg_keyboard: fifo too small\n");
diff --git a/hw/syborg_pointer.c b/hw/syborg_pointer.c
index 69b8d96..a886888 100644
--- a/hw/syborg_pointer.c
+++ b/hw/syborg_pointer.c
@@ -206,7 +206,8 @@ static int syborg_pointer_init(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
     iomemtype = cpu_register_io_memory(syborg_pointer_readfn,
-				       syborg_pointer_writefn, s);
+				       syborg_pointer_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
 
     if (s->fifo_size <= 0) {
diff --git a/hw/syborg_rtc.c b/hw/syborg_rtc.c
index 78d5edb..329aa42 100644
--- a/hw/syborg_rtc.c
+++ b/hw/syborg_rtc.c
@@ -130,7 +130,8 @@ static int syborg_rtc_init(SysBusDevice *dev)
     int iomemtype;
 
     iomemtype = cpu_register_io_memory(syborg_rtc_readfn,
-                                       syborg_rtc_writefn, s);
+                                       syborg_rtc_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
 
     qemu_get_timedate(&tm, 0);
diff --git a/hw/syborg_serial.c b/hw/syborg_serial.c
index 8c42956..34ce076 100644
--- a/hw/syborg_serial.c
+++ b/hw/syborg_serial.c
@@ -322,7 +322,8 @@ static int syborg_serial_init(SysBusDevice *dev)
 
     sysbus_init_irq(dev, &s->irq);
     iomemtype = cpu_register_io_memory(syborg_serial_readfn,
-                                       syborg_serial_writefn, s);
+                                       syborg_serial_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     s->chr = qdev_init_chardev(&dev->qdev);
     if (s->chr) {
diff --git a/hw/syborg_timer.c b/hw/syborg_timer.c
index 95e07d7..cedcd8e 100644
--- a/hw/syborg_timer.c
+++ b/hw/syborg_timer.c
@@ -215,7 +215,8 @@ static int syborg_timer_init(SysBusDevice *dev)
     }
     sysbus_init_irq(dev, &s->irq);
     iomemtype = cpu_register_io_memory(syborg_timer_readfn,
-                                       syborg_timer_writefn, s);
+                                       syborg_timer_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
 
     bh = qemu_bh_new(syborg_timer_tick, s);
diff --git a/hw/syborg_virtio.c b/hw/syborg_virtio.c
index 4dfd1a8..ee08c49 100644
--- a/hw/syborg_virtio.c
+++ b/hw/syborg_virtio.c
@@ -265,7 +265,8 @@ static int syborg_virtio_init(SyborgVirtIOProxy *proxy, VirtIODevice *vdev)
     proxy->vdev->nvectors = 0;
     sysbus_init_irq(&proxy->busdev, &proxy->irq);
     iomemtype = cpu_register_io_memory(syborg_virtio_readfn,
-                                       syborg_virtio_writefn, proxy);
+                                       syborg_virtio_writefn, proxy,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(&proxy->busdev, 0x1000, iomemtype);
 
     proxy->id = ((uint32_t)0x1af4 << 16) | vdev->device_id;
diff --git a/hw/tc6393xb.c b/hw/tc6393xb.c
index 16db51d..c3fbe4e 100644
--- a/hw/tc6393xb.c
+++ b/hw/tc6393xb.c
@@ -590,7 +590,7 @@ TC6393xbState *tc6393xb_init(uint32_t base, qemu_irq irq)
     s->flash = nand_init(NAND_MFR_TOSHIBA, 0x76);
 
     iomemtype = cpu_register_io_memory(tc6393xb_readfn,
-                    tc6393xb_writefn, s);
+                    tc6393xb_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(base, 0x10000, iomemtype);
 
     s->vram_addr = qemu_ram_alloc(NULL, "tc6393xb.vram", 0x100000);
diff --git a/hw/tcx.c b/hw/tcx.c
index 6ee65bb..0e32830 100644
--- a/hw/tcx.c
+++ b/hw/tcx.c
@@ -522,12 +522,13 @@ static int tcx_init1(SysBusDevice *dev)
     vram_base += size;
 
     /* DAC */
-    io_memory = cpu_register_io_memory(tcx_dac_read, tcx_dac_write, s);
+    io_memory = cpu_register_io_memory(tcx_dac_read, tcx_dac_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, TCX_DAC_NREGS, io_memory);
 
     /* TEC (dummy) */
     dummy_memory = cpu_register_io_memory(tcx_dummy_read, tcx_dummy_write,
-                                          s);
+                                          s, DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, TCX_TEC_NREGS, dummy_memory);
     /* THC: NetBSD writes here even with 8-bit display: dummy */
     sysbus_init_mmio(dev, TCX_THC_NREGS_24, dummy_memory);
diff --git a/hw/tusb6010.c b/hw/tusb6010.c
index 4864be5..0005e1c 100644
--- a/hw/tusb6010.c
+++ b/hw/tusb6010.c
@@ -740,7 +740,7 @@ TUSBState *tusb6010_init(qemu_irq intr)
     s->intr = 0x00000000;
     s->otg_timer_val = 0;
     s->iomemtype[1] = cpu_register_io_memory(tusb_async_readfn,
-                    tusb_async_writefn, s);
+                    tusb_async_writefn, s, DEVICE_NATIVE_ENDIAN);
     s->irq = intr;
     s->otg_timer = qemu_new_timer(vm_clock, tusb_otg_tick, s);
     s->pwr_timer = qemu_new_timer(vm_clock, tusb_power_tick, s);
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 8fb2f83..ba1ebbc 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1697,7 +1697,8 @@ static void usb_ohci_init(OHCIState *ohci, DeviceState *dev,
                 usb_frame_time, usb_bit_time);
     }
 
-    ohci->mem = cpu_register_io_memory(ohci_readfn, ohci_writefn, ohci);
+    ohci->mem = cpu_register_io_memory(ohci_readfn, ohci_writefn, ohci,
+                                       DEVICE_NATIVE_ENDIAN);
     ohci->localmem_base = localmem_base;
 
     ohci->name = dev->info->name;
diff --git a/hw/versatile_pci.c b/hw/versatile_pci.c
index a76bdfa..3baad96 100644
--- a/hw/versatile_pci.c
+++ b/hw/versatile_pci.c
@@ -132,7 +132,8 @@ static int pci_vpb_init(SysBusDevice *dev)
     /* ??? Register memory space.  */
 
     s->mem_config = cpu_register_io_memory(pci_vpb_config_read,
-                                           pci_vpb_config_write, bus);
+                                           pci_vpb_config_write, bus,
+                                           DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio_cb(dev, 0x04000000, pci_vpb_map);
 
     pci_create_simple(bus, -1, "versatile_pci_host");
diff --git a/hw/versatilepb.c b/hw/versatilepb.c
index c51ee02..be758e4 100644
--- a/hw/versatilepb.c
+++ b/hw/versatilepb.c
@@ -143,7 +143,8 @@ static int vpb_sic_init(SysBusDevice *dev)
     }
     s->irq = 31;
     iomemtype = cpu_register_io_memory(vpb_sic_readfn,
-                                       vpb_sic_writefn, s);
+                                       vpb_sic_writefn, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, iomemtype);
     /* ??? Save/restore.  */
     return 0;
diff --git a/hw/vga-isa-mm.c b/hw/vga-isa-mm.c
index 680b557..4954bb1 100644
--- a/hw/vga-isa-mm.c
+++ b/hw/vga-isa-mm.c
@@ -97,8 +97,10 @@ static void vga_mm_init(ISAVGAMMState *s, target_phys_addr_t vram_base,
     int s_ioport_ctrl, vga_io_memory;
 
     s->it_shift = it_shift;
-    s_ioport_ctrl = cpu_register_io_memory(vga_mm_read_ctrl, vga_mm_write_ctrl, s);
-    vga_io_memory = cpu_register_io_memory(vga_mem_read, vga_mem_write, s);
+    s_ioport_ctrl = cpu_register_io_memory(vga_mm_read_ctrl, vga_mm_write_ctrl, s,
+                                           DEVICE_NATIVE_ENDIAN);
+    vga_io_memory = cpu_register_io_memory(vga_mem_read, vga_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
 
     vmstate_register(NULL, 0, &vmstate_vga_common, s);
 
diff --git a/hw/vga.c b/hw/vga.c
index c057f4f..b5c8741 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -2320,7 +2320,8 @@ void vga_init(VGACommonState *s)
 #endif
 #endif /* CONFIG_BOCHS_VBE */
 
-    vga_io_memory = cpu_register_io_memory(vga_mem_read, vga_mem_write, s);
+    vga_io_memory = cpu_register_io_memory(vga_mem_read, vga_mem_write, s,
+                                           DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(isa_mem_base + 0x000a0000, 0x20000,
                                  vga_io_memory);
     qemu_register_coalesced_mmio(isa_mem_base + 0x000a0000, 0x20000);
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index d0f4e1b..d9dd52f 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -1250,7 +1250,7 @@ static void pci_vmsvga_map_mem(PCIDevice *pci_dev, int region_num,
     s->vram_base = addr;
 #ifdef DIRECT_VRAM
     iomemtype = cpu_register_io_memory(vmsvga_vram_read,
-                    vmsvga_vram_write, s);
+                    vmsvga_vram_write, s, DEVICE_NATIVE_ENDIAN);
 #else
     iomemtype = s->vga.vram_offset | IO_MEM_RAM;
 #endif
diff --git a/hw/wdt_i6300esb.c b/hw/wdt_i6300esb.c
index 46e1df8..09f2f58 100644
--- a/hw/wdt_i6300esb.c
+++ b/hw/wdt_i6300esb.c
@@ -361,7 +361,8 @@ static void i6300esb_map(PCIDevice *dev, int region_num,
     i6300esb_debug("addr = %"FMT_PCIBUS", size = %"FMT_PCIBUS", type = %d\n",
                    addr, size, type);
 
-    io_mem = cpu_register_io_memory(mem_read, mem_write, d);
+    io_mem = cpu_register_io_memory(mem_read, mem_write, d,
+                                    DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory (addr, 0x10, io_mem);
     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
 }
diff --git a/hw/xilinx_ethlite.c b/hw/xilinx_ethlite.c
index 37e33ec..54b57d7 100644
--- a/hw/xilinx_ethlite.c
+++ b/hw/xilinx_ethlite.c
@@ -224,7 +224,7 @@ static int xilinx_ethlite_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->irq);
     s->rxbuf = 0;
 
-    regs = cpu_register_io_memory(eth_read, eth_write, s);
+    regs = cpu_register_io_memory(eth_read, eth_write, s, DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, R_MAX * 4, regs);
 
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
diff --git a/hw/xilinx_intc.c b/hw/xilinx_intc.c
index 8ef6474..cb72d5a 100644
--- a/hw/xilinx_intc.c
+++ b/hw/xilinx_intc.c
@@ -153,7 +153,7 @@ static int xilinx_intc_init(SysBusDevice *dev)
     qdev_init_gpio_in(&dev->qdev, irq_handler, 32);
     sysbus_init_irq(dev, &p->parent_irq);
 
-    pic_regs = cpu_register_io_memory(pic_read, pic_write, p);
+    pic_regs = cpu_register_io_memory(pic_read, pic_write, p, DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, R_MAX * 4, pic_regs);
     return 0;
 }
diff --git a/hw/xilinx_timer.c b/hw/xilinx_timer.c
index e2d9541..30827b0 100644
--- a/hw/xilinx_timer.c
+++ b/hw/xilinx_timer.c
@@ -210,7 +210,8 @@ static int xilinx_timer_init(SysBusDevice *dev)
         ptimer_set_freq(xt->ptimer, t->freq_hz);
     }
 
-    timer_regs = cpu_register_io_memory(timer_read, timer_write, t);
+    timer_regs = cpu_register_io_memory(timer_read, timer_write, t,
+                                        DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, R_MAX * 4 * t->nr_timers, timer_regs);
     return 0;
 }
diff --git a/hw/xilinx_uartlite.c b/hw/xilinx_uartlite.c
index adab759..9b94e98 100644
--- a/hw/xilinx_uartlite.c
+++ b/hw/xilinx_uartlite.c
@@ -201,7 +201,8 @@ static int xilinx_uartlite_init(SysBusDevice *dev)
     sysbus_init_irq(dev, &s->irq);
 
     uart_update_status(s);
-    uart_regs = cpu_register_io_memory(uart_read, uart_write, s);
+    uart_regs = cpu_register_io_memory(uart_read, uart_write, s,
+                                       DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, R_MAX * 4, uart_regs);
 
     s->chr = qdev_init_chardev(&dev->qdev);
diff --git a/hw/zaurus.c b/hw/zaurus.c
index dd999d7..54ec3f0 100644
--- a/hw/zaurus.c
+++ b/hw/zaurus.c
@@ -228,7 +228,7 @@ ScoopInfo *scoop_init(PXA2xxState *cpu,
     s->status = 0x02;
     s->in = qemu_allocate_irqs(scoop_gpio_set, s, 16);
     iomemtype = cpu_register_io_memory(scoop_readfn,
-                    scoop_writefn, s);
+                    scoop_writefn, s, DEVICE_NATIVE_ENDIAN);
     cpu_register_physical_memory(target_base, 0x1000, iomemtype);
     register_savevm(NULL, "scoop", instance, 1, scoop_save, scoop_load, s);
 
diff --git a/rwhandler.c b/rwhandler.c
index 1f9b6db..88dfcc5 100644
--- a/rwhandler.c
+++ b/rwhandler.c
@@ -42,7 +42,7 @@ int cpu_register_io_memory_simple(struct ReadWriteHandler *handler)
     }
     return cpu_register_io_memory(cpu_io_memory_simple_read,
                                   cpu_io_memory_simple_write,
-                                  handler);
+                                  handler, DEVICE_NATIVE_ENDIAN);
 }
 
 RWHANDLER_WRITE(ioport_simple_writeb, 1, uint32_t);
commit 6ebf5905f4a664a873cf7f49094960f08cb3a2d5
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:40 2010 +0100

    pci-host: Delegate bswap to mmio layer
    
    The only reason we have bswap versions of the pci host code is that
    most pci host devices are little endian. The ppc e500 is the only
    odd one here, being big endian.
    
    So let's directly pass the endianness down to the mmio layer and not
    worry about it on the pci host layer.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/dec_pci.c b/hw/dec_pci.c
index aa07ab7..bf88f2a 100644
--- a/hw/dec_pci.c
+++ b/hw/dec_pci.c
@@ -96,8 +96,10 @@ static int pci_dec_21154_init_device(SysBusDevice *dev)
 
     s = FROM_SYSBUS(DECState, dev);
 
-    pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 1);
-    pci_mem_data = pci_host_data_register_mmio(&s->host_state, 1);
+    pci_mem_config = pci_host_conf_register_mmio(&s->host_state,
+                                                 DEVICE_LITTLE_ENDIAN);
+    pci_mem_data = pci_host_data_register_mmio(&s->host_state,
+                                               DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
     return 0;
diff --git a/hw/grackle_pci.c b/hw/grackle_pci.c
index 91c755f..bd3d6b0 100644
--- a/hw/grackle_pci.c
+++ b/hw/grackle_pci.c
@@ -108,8 +108,10 @@ static int pci_grackle_init_device(SysBusDevice *dev)
 
     s = FROM_SYSBUS(GrackleState, dev);
 
-    pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 1);
-    pci_mem_data = pci_host_data_register_mmio(&s->host_state, 1);
+    pci_mem_config = pci_host_conf_register_mmio(&s->host_state,
+                                                 DEVICE_LITTLE_ENDIAN);
+    pci_mem_data = pci_host_data_register_mmio(&s->host_state,
+                                               DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
 
diff --git a/hw/pci_host.c b/hw/pci_host.c
index a6e39c9..eebff7a 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -78,64 +78,39 @@ uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len)
     return val;
 }
 
-static void pci_host_config_write_swap(ReadWriteHandler *handler,
-                                       pcibus_t addr, uint32_t val, int len)
+static void pci_host_config_write(ReadWriteHandler *handler,
+                                  pcibus_t addr, uint32_t val, int len)
 {
     PCIHostState *s = container_of(handler, PCIHostState, conf_handler);
 
     PCI_DPRINTF("%s addr %" FMT_PCIBUS " %d val %"PRIx32"\n",
                 __func__, addr, len, val);
-    val = qemu_bswap_len(val, len);
     s->config_reg = val;
 }
 
-static uint32_t pci_host_config_read_swap(ReadWriteHandler *handler,
-                                          pcibus_t addr, int len)
+static uint32_t pci_host_config_read(ReadWriteHandler *handler,
+                                     pcibus_t addr, int len)
 {
     PCIHostState *s = container_of(handler, PCIHostState, conf_handler);
     uint32_t val = s->config_reg;
 
-    val = qemu_bswap_len(val, len);
     PCI_DPRINTF("%s addr %" FMT_PCIBUS " len %d val %"PRIx32"\n",
                 __func__, addr, len, val);
     return val;
 }
 
-static void pci_host_config_write_noswap(ReadWriteHandler *handler,
-                                         pcibus_t addr, uint32_t val, int len)
-{
-    PCIHostState *s = container_of(handler, PCIHostState, conf_noswap_handler);
-
-    PCI_DPRINTF("%s addr %" FMT_PCIBUS " %d val %"PRIx32"\n",
-                __func__, addr, len, val);
-    s->config_reg = val;
-}
-
-static uint32_t pci_host_config_read_noswap(ReadWriteHandler *handler,
-                                            pcibus_t addr, int len)
-{
-    PCIHostState *s = container_of(handler, PCIHostState, conf_noswap_handler);
-    uint32_t val = s->config_reg;
-
-    PCI_DPRINTF("%s addr %" FMT_PCIBUS " len %d val %"PRIx32"\n",
-                __func__, addr, len, val);
-    return val;
-}
-
-static void pci_host_data_write_swap(ReadWriteHandler *handler,
-                                     pcibus_t addr, uint32_t val, int len)
+static void pci_host_data_write(ReadWriteHandler *handler,
+                                pcibus_t addr, uint32_t val, int len)
 {
     PCIHostState *s = container_of(handler, PCIHostState, data_handler);
-
-    val = qemu_bswap_len(val, len);
     PCI_DPRINTF("write addr %" FMT_PCIBUS " len %d val %x\n",
                 addr, len, val);
     if (s->config_reg & (1u << 31))
         pci_data_write(s->bus, s->config_reg | (addr & 3), val, len);
 }
 
-static uint32_t pci_host_data_read_swap(ReadWriteHandler *handler,
-                                        pcibus_t addr, int len)
+static uint32_t pci_host_data_read(ReadWriteHandler *handler,
+                                   pcibus_t addr, int len)
 {
     PCIHostState *s = container_of(handler, PCIHostState, data_handler);
     uint32_t val;
@@ -144,79 +119,39 @@ static uint32_t pci_host_data_read_swap(ReadWriteHandler *handler,
     val = pci_data_read(s->bus, s->config_reg | (addr & 3), len);
     PCI_DPRINTF("read addr %" FMT_PCIBUS " len %d val %x\n",
                 addr, len, val);
-    val = qemu_bswap_len(val, len);
-    return val;
-}
-
-static void pci_host_data_write_noswap(ReadWriteHandler *handler,
-                                       pcibus_t addr, uint32_t val, int len)
-{
-    PCIHostState *s = container_of(handler, PCIHostState, data_noswap_handler);
-    PCI_DPRINTF("write addr %" FMT_PCIBUS " len %d val %x\n",
-                addr, len, val);
-    if (s->config_reg & (1u << 31))
-        pci_data_write(s->bus, s->config_reg | (addr & 3), val, len);
-}
-
-static uint32_t pci_host_data_read_noswap(ReadWriteHandler *handler,
-                                          pcibus_t addr, int len)
-{
-    PCIHostState *s = container_of(handler, PCIHostState, data_noswap_handler);
-    uint32_t val;
-    if (!(s->config_reg & (1 << 31)))
-        return 0xffffffff;
-    val = pci_data_read(s->bus, s->config_reg | (addr & 3), len);
-    PCI_DPRINTF("read addr %" FMT_PCIBUS " len %d val %x\n",
-                addr, len, val);
     return val;
 }
 
 static void pci_host_init(PCIHostState *s)
 {
-    s->conf_handler.write = pci_host_config_write_swap;
-    s->conf_handler.read = pci_host_config_read_swap;
-    s->conf_noswap_handler.write = pci_host_config_write_noswap;
-    s->conf_noswap_handler.read = pci_host_config_read_noswap;
-    s->data_handler.write = pci_host_data_write_swap;
-    s->data_handler.read = pci_host_data_read_swap;
-    s->data_noswap_handler.write = pci_host_data_write_noswap;
-    s->data_noswap_handler.read = pci_host_data_read_noswap;
+    s->conf_handler.write = pci_host_config_write;
+    s->conf_handler.read = pci_host_config_read;
+    s->data_handler.write = pci_host_data_write;
+    s->data_handler.read = pci_host_data_read;
 }
 
-int pci_host_conf_register_mmio(PCIHostState *s, int swap)
+int pci_host_conf_register_mmio(PCIHostState *s, int endian)
 {
     pci_host_init(s);
-    if (swap) {
-        return cpu_register_io_memory_simple(&s->conf_handler,
-                                             DEVICE_NATIVE_ENDIAN);
-    } else {
-        return cpu_register_io_memory_simple(&s->conf_noswap_handler,
-                                             DEVICE_NATIVE_ENDIAN);
-    }
+    return cpu_register_io_memory_simple(&s->conf_handler, endian);
 }
 
 void pci_host_conf_register_ioport(pio_addr_t ioport, PCIHostState *s)
 {
     pci_host_init(s);
-    register_ioport_simple(&s->conf_noswap_handler, ioport, 4, 4);
+    register_ioport_simple(&s->conf_handler, ioport, 4, 4);
 }
 
-int pci_host_data_register_mmio(PCIHostState *s, int swap)
+int pci_host_data_register_mmio(PCIHostState *s, int endian)
 {
     pci_host_init(s);
-    if (swap) {
-        return cpu_register_io_memory_simple(&s->data_handler,
-                                             DEVICE_NATIVE_ENDIAN);
-    } else {
-        return cpu_register_io_memory_simple(&s->data_noswap_handler,
-                                             DEVICE_NATIVE_ENDIAN);
-    }
+    return cpu_register_io_memory_simple(&s->data_handler, endian);
 }
 
 void pci_host_data_register_ioport(pio_addr_t ioport, PCIHostState *s)
 {
     pci_host_init(s);
-    register_ioport_simple(&s->data_noswap_handler, ioport, 4, 1);
-    register_ioport_simple(&s->data_noswap_handler, ioport, 4, 2);
-    register_ioport_simple(&s->data_noswap_handler, ioport, 4, 4);
+    register_ioport_simple(&s->data_handler, ioport, 4, 1);
+    register_ioport_simple(&s->data_handler, ioport, 4, 2);
+    register_ioport_simple(&s->data_handler, ioport, 4, 4);
 }
diff --git a/hw/pci_host.h b/hw/pci_host.h
index bd8ede8..0a58595 100644
--- a/hw/pci_host.h
+++ b/hw/pci_host.h
@@ -33,9 +33,7 @@
 
 struct PCIHostState {
     SysBusDevice busdev;
-    ReadWriteHandler conf_noswap_handler;
     ReadWriteHandler conf_handler;
-    ReadWriteHandler data_noswap_handler;
     ReadWriteHandler data_handler;
     uint32_t config_reg;
     PCIBus *bus;
@@ -45,8 +43,8 @@ void pci_data_write(PCIBus *s, uint32_t addr, uint32_t val, int len);
 uint32_t pci_data_read(PCIBus *s, uint32_t addr, int len);
 
 /* for mmio */
-int pci_host_conf_register_mmio(PCIHostState *s, int swap);
-int pci_host_data_register_mmio(PCIHostState *s, int swap);
+int pci_host_conf_register_mmio(PCIHostState *s, int endian);
+int pci_host_data_register_mmio(PCIHostState *s, int endian);
 
 /* for ioio */
 void pci_host_conf_register_ioport(pio_addr_t ioport, PCIHostState *s);
diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 71302ba..11edd03 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -292,13 +292,15 @@ PCIBus *ppce500_pci_init(qemu_irq pci_irqs[4], target_phys_addr_t registers)
     controller->pci_dev = d;
 
     /* CFGADDR */
-    index = pci_host_conf_register_mmio(&controller->pci_state, 0);
+    index = pci_host_conf_register_mmio(&controller->pci_state,
+                                        DEVICE_BIG_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(registers + PCIE500_CFGADDR, 4, index);
 
     /* CFGDATA */
-    index = pci_host_data_register_mmio(&controller->pci_state, 0);
+    index = pci_host_data_register_mmio(&controller->pci_state,
+                                        DEVICE_BIG_ENDIAN);
     if (index < 0)
         goto free;
     cpu_register_physical_memory(registers + PCIE500_CFGDATA, 4, index);
diff --git a/hw/unin_pci.c b/hw/unin_pci.c
index 53791dd..f2e440e 100644
--- a/hw/unin_pci.c
+++ b/hw/unin_pci.c
@@ -151,7 +151,8 @@ static int pci_unin_main_init_device(SysBusDevice *dev)
     /* Uninorth main bus */
     s = FROM_SYSBUS(UNINState, dev);
 
-    pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 1);
+    pci_mem_config = pci_host_conf_register_mmio(&s->host_state,
+                                                 DEVICE_LITTLE_ENDIAN);
     s->data_handler.read = unin_data_read;
     s->data_handler.write = unin_data_write;
     pci_mem_data = cpu_register_io_memory_simple(&s->data_handler,
@@ -173,7 +174,8 @@ static int pci_u3_agp_init_device(SysBusDevice *dev)
     /* Uninorth U3 AGP bus */
     s = FROM_SYSBUS(UNINState, dev);
 
-    pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 1);
+    pci_mem_config = pci_host_conf_register_mmio(&s->host_state,
+                                                 DEVICE_LITTLE_ENDIAN);
     s->data_handler.read = unin_data_read;
     s->data_handler.write = unin_data_write;
     pci_mem_data = cpu_register_io_memory_simple(&s->data_handler,
@@ -196,8 +198,10 @@ static int pci_unin_agp_init_device(SysBusDevice *dev)
     /* Uninorth AGP bus */
     s = FROM_SYSBUS(UNINState, dev);
 
-    pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 0);
-    pci_mem_data = pci_host_data_register_mmio(&s->host_state, 1);
+    pci_mem_config = pci_host_conf_register_mmio(&s->host_state,
+                                                 DEVICE_LITTLE_ENDIAN);
+    pci_mem_data = pci_host_data_register_mmio(&s->host_state,
+                                               DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
     return 0;
@@ -211,8 +215,10 @@ static int pci_unin_internal_init_device(SysBusDevice *dev)
     /* Uninorth internal bus */
     s = FROM_SYSBUS(UNINState, dev);
 
-    pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 0);
-    pci_mem_data = pci_host_data_register_mmio(&s->host_state, 1);
+    pci_mem_config = pci_host_conf_register_mmio(&s->host_state,
+                                                 DEVICE_LITTLE_ENDIAN);
+    pci_mem_data = pci_host_data_register_mmio(&s->host_state,
+                                               DEVICE_LITTLE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
     return 0;
commit dd310534e3bf8045096654df41471fd7132887b2
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:36 2010 +0100

    exec: introduce endianness swapped mmio
    
    The way we're currently modeling mmio is too simplified. We assume that
    every device has the same endianness as the target CPU. In reality,
    most devices are little endian (all PCI and ISA ones I'm aware of). Some
    are big endian (special system devices) and a very little fraction is
    target native endian (fw_cfg).
    
    So instead of assuming every device to be native endianness, let's move
    to a model where the device tells us which endianness it's in.
    
    That way we can compile the devices only once and get rid of all the ugly
    swap will be done by the underlying layer.
    
    For the same of readability, this patch only introduces the helper framework
    but doesn't allow the registering code to set its endianness yet.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cpu-common.h b/cpu-common.h
index bb6b137..6d4a898 100644
--- a/cpu-common.h
+++ b/cpu-common.h
@@ -20,6 +20,12 @@
 
 #if !defined(CONFIG_USER_ONLY)
 
+enum device_endian {
+    DEVICE_NATIVE_ENDIAN,
+    DEVICE_BIG_ENDIAN,
+    DEVICE_LITTLE_ENDIAN,
+};
+
 /* address in the RAM (different from a physical address) */
 typedef unsigned long ram_addr_t;
 
@@ -55,7 +61,7 @@ ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
 
 int cpu_register_io_memory(CPUReadMemoryFunc * const *mem_read,
                            CPUWriteMemoryFunc * const *mem_write,
-                           void *opaque);
+                           void *opaque, enum device_endian endian);
 void cpu_unregister_io_memory(int table_address);
 
 void cpu_physical_memory_rw(target_phys_addr_t addr, uint8_t *buf,
diff --git a/exec.c b/exec.c
index 42a35e0..af1e89d 100644
--- a/exec.c
+++ b/exec.c
@@ -3355,6 +3355,106 @@ static int get_free_io_mem_idx(void)
     return -1;
 }
 
+/*
+ * Usually, devices operate in little endian mode. There are devices out
+ * there that operate in big endian too. Each device gets byte swapped
+ * mmio if plugged onto a CPU that does the other endianness.
+ *
+ * CPU          Device           swap?
+ *
+ * little       little           no
+ * little       big              yes
+ * big          little           yes
+ * big          big              no
+ */
+
+typedef struct SwapEndianContainer {
+    CPUReadMemoryFunc *read[3];
+    CPUWriteMemoryFunc *write[3];
+    void *opaque;
+} SwapEndianContainer;
+
+static uint32_t swapendian_mem_readb (void *opaque, target_phys_addr_t addr)
+{
+    uint32_t val;
+    SwapEndianContainer *c = opaque;
+    val = c->read[0](c->opaque, addr);
+    return val;
+}
+
+static uint32_t swapendian_mem_readw(void *opaque, target_phys_addr_t addr)
+{
+    uint32_t val;
+    SwapEndianContainer *c = opaque;
+    val = bswap16(c->read[1](c->opaque, addr));
+    return val;
+}
+
+static uint32_t swapendian_mem_readl(void *opaque, target_phys_addr_t addr)
+{
+    uint32_t val;
+    SwapEndianContainer *c = opaque;
+    val = bswap32(c->read[2](c->opaque, addr));
+    return val;
+}
+
+static CPUReadMemoryFunc * const swapendian_readfn[3]={
+    swapendian_mem_readb,
+    swapendian_mem_readw,
+    swapendian_mem_readl
+};
+
+static void swapendian_mem_writeb(void *opaque, target_phys_addr_t addr,
+                                  uint32_t val)
+{
+    SwapEndianContainer *c = opaque;
+    c->write[0](c->opaque, addr, val);
+}
+
+static void swapendian_mem_writew(void *opaque, target_phys_addr_t addr,
+                                  uint32_t val)
+{
+    SwapEndianContainer *c = opaque;
+    c->write[1](c->opaque, addr, bswap16(val));
+}
+
+static void swapendian_mem_writel(void *opaque, target_phys_addr_t addr,
+                                  uint32_t val)
+{
+    SwapEndianContainer *c = opaque;
+    c->write[2](c->opaque, addr, bswap32(val));
+}
+
+static CPUWriteMemoryFunc * const swapendian_writefn[3]={
+    swapendian_mem_writeb,
+    swapendian_mem_writew,
+    swapendian_mem_writel
+};
+
+static void swapendian_init(int io_index)
+{
+    SwapEndianContainer *c = qemu_malloc(sizeof(SwapEndianContainer));
+    int i;
+
+    /* Swap mmio for big endian targets */
+    c->opaque = io_mem_opaque[io_index];
+    for (i = 0; i < 3; i++) {
+        c->read[i] = io_mem_read[io_index][i];
+        c->write[i] = io_mem_write[io_index][i];
+
+        io_mem_read[io_index][i] = swapendian_readfn[i];
+        io_mem_write[io_index][i] = swapendian_writefn[i];
+    }
+    io_mem_opaque[io_index] = c;
+}
+
+static void swapendian_del(int io_index)
+{
+    if (io_mem_read[io_index][0] == swapendian_readfn[0]) {
+        qemu_free(io_mem_opaque[io_index]);
+    }
+}
+
 /* mem_read and mem_write are arrays of functions containing the
    function to access byte (index 0), word (index 1) and dword (index
    2). Functions can be omitted with a NULL function pointer.
@@ -3365,9 +3465,10 @@ static int get_free_io_mem_idx(void)
 static int cpu_register_io_memory_fixed(int io_index,
                                         CPUReadMemoryFunc * const *mem_read,
                                         CPUWriteMemoryFunc * const *mem_write,
-                                        void *opaque)
+                                        void *opaque, enum device_endian endian)
 {
     int i;
+    int endian = DEVICE_NATIVE_ENDIAN;
 
     if (io_index <= 0) {
         io_index = get_free_io_mem_idx();
@@ -3389,12 +3490,28 @@ static int cpu_register_io_memory_fixed(int io_index,
     }
     io_mem_opaque[io_index] = opaque;
 
+    switch (endian) {
+    case DEVICE_BIG_ENDIAN:
+#ifndef TARGET_WORDS_BIGENDIAN
+        swapendian_init(io_index);
+#endif
+        break;
+    case DEVICE_LITTLE_ENDIAN:
+#ifdef TARGET_WORDS_BIGENDIAN
+        swapendian_init(io_index);
+#endif
+        break;
+    case DEVICE_NATIVE_ENDIAN:
+    default:
+        break;
+    }
+
     return (io_index << IO_MEM_SHIFT);
 }
 
 int cpu_register_io_memory(CPUReadMemoryFunc * const *mem_read,
                            CPUWriteMemoryFunc * const *mem_write,
-                           void *opaque)
+                           void *opaque, enum device_endian endian)
 {
     return cpu_register_io_memory_fixed(0, mem_read, mem_write, opaque);
 }
@@ -3404,6 +3521,8 @@ void cpu_unregister_io_memory(int io_table_address)
     int i;
     int io_index = io_table_address >> IO_MEM_SHIFT;
 
+    swapendian_del(io_index);
+
     for (i=0;i < 3; i++) {
         io_mem_read[io_index][i] = unassigned_mem_read[i];
         io_mem_write[io_index][i] = unassigned_mem_write[i];
commit 0f4f039b9895e2e52d591a123017cb53fe636f9d
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:39 2010 +0100

    dbdma: Make little endian
    
    The device is only used on big endian systems, but always byte swaps. That's
    a very good indicator that it's actually a little endian device ;-).
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mac_dbdma.c b/hw/mac_dbdma.c
index f449a59..5680fa9 100644
--- a/hw/mac_dbdma.c
+++ b/hw/mac_dbdma.c
@@ -707,8 +707,6 @@ static void dbdma_writel (void *opaque,
     DBDMA_DPRINTF("channel 0x%x reg 0x%x\n",
                   (uint32_t)addr >> DBDMA_CHANNEL_SHIFT, reg);
 
-    value = bswap32(value);
-
     /* cmdptr cannot be modified if channel is RUN or ACTIVE */
 
     if (reg == DBDMA_CMDPTR_LO &&
@@ -788,7 +786,6 @@ static uint32_t dbdma_readl (void *opaque, target_phys_addr_t addr)
         break;
     }
 
-    value = bswap32(value);
     return value;
 }
 
@@ -845,7 +842,7 @@ void* DBDMA_init (int *dbdma_mem_index)
     s = qemu_mallocz(sizeof(DBDMA_channel) * DBDMA_CHANNELS);
 
     *dbdma_mem_index = cpu_register_io_memory(dbdma_read, dbdma_write, s,
-                                              DEVICE_NATIVE_ENDIAN);
+                                              DEVICE_LITTLE_ENDIAN);
     register_savevm(NULL, "dbdma", -1, 1, dbdma_save, dbdma_load, s);
     qemu_register_reset(dbdma_reset, s);
 
commit 6bef04365589b1b82be1a1c3aa223f4bddb3dabb
Author: Alexander Graf <agraf at suse.de>
Date:   Wed Dec 8 12:05:38 2010 +0100

    Make simple io mem handler endian aware
    
    As an alternative to the 3 individual handlers, there is also a simplified
    io mem hook function. To be consistent, let's add an endianness parameter
    there too.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index bf00c71..84e9af7 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -418,7 +418,8 @@ static int pci_pbm_init_device(SysBusDevice *dev)
     /* PCI configuration space */
     s->pci_config_handler.read = apb_pci_config_read;
     s->pci_config_handler.write = apb_pci_config_write;
-    pci_config = cpu_register_io_memory_simple(&s->pci_config_handler);
+    pci_config = cpu_register_io_memory_simple(&s->pci_config_handler,
+                                               DEVICE_NATIVE_ENDIAN);
     assert(pci_config >= 0);
     /* at region 1 */
     sysbus_init_mmio(dev, 0x1000000ULL, pci_config);
diff --git a/hw/pci_host.c b/hw/pci_host.c
index bc5b771..a6e39c9 100644
--- a/hw/pci_host.c
+++ b/hw/pci_host.c
@@ -187,9 +187,11 @@ int pci_host_conf_register_mmio(PCIHostState *s, int swap)
 {
     pci_host_init(s);
     if (swap) {
-        return cpu_register_io_memory_simple(&s->conf_handler);
+        return cpu_register_io_memory_simple(&s->conf_handler,
+                                             DEVICE_NATIVE_ENDIAN);
     } else {
-        return cpu_register_io_memory_simple(&s->conf_noswap_handler);
+        return cpu_register_io_memory_simple(&s->conf_noswap_handler,
+                                             DEVICE_NATIVE_ENDIAN);
     }
 }
 
@@ -203,9 +205,11 @@ int pci_host_data_register_mmio(PCIHostState *s, int swap)
 {
     pci_host_init(s);
     if (swap) {
-        return cpu_register_io_memory_simple(&s->data_handler);
+        return cpu_register_io_memory_simple(&s->data_handler,
+                                             DEVICE_NATIVE_ENDIAN);
     } else {
-        return cpu_register_io_memory_simple(&s->data_noswap_handler);
+        return cpu_register_io_memory_simple(&s->data_noswap_handler,
+                                             DEVICE_NATIVE_ENDIAN);
     }
 }
 
diff --git a/hw/unin_pci.c b/hw/unin_pci.c
index 1310211..53791dd 100644
--- a/hw/unin_pci.c
+++ b/hw/unin_pci.c
@@ -154,7 +154,8 @@ static int pci_unin_main_init_device(SysBusDevice *dev)
     pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 1);
     s->data_handler.read = unin_data_read;
     s->data_handler.write = unin_data_write;
-    pci_mem_data = cpu_register_io_memory_simple(&s->data_handler);
+    pci_mem_data = cpu_register_io_memory_simple(&s->data_handler,
+                                                 DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
 
@@ -175,7 +176,8 @@ static int pci_u3_agp_init_device(SysBusDevice *dev)
     pci_mem_config = pci_host_conf_register_mmio(&s->host_state, 1);
     s->data_handler.read = unin_data_read;
     s->data_handler.write = unin_data_write;
-    pci_mem_data = cpu_register_io_memory_simple(&s->data_handler);
+    pci_mem_data = cpu_register_io_memory_simple(&s->data_handler,
+                                                 DEVICE_NATIVE_ENDIAN);
     sysbus_init_mmio(dev, 0x1000, pci_mem_config);
     sysbus_init_mmio(dev, 0x1000, pci_mem_data);
 
diff --git a/rwhandler.c b/rwhandler.c
index 88dfcc5..bb2238f 100644
--- a/rwhandler.c
+++ b/rwhandler.c
@@ -35,14 +35,14 @@ static CPUReadMemoryFunc * const cpu_io_memory_simple_read[] = {
     &cpu_io_memory_simple_readl,
 };
 
-int cpu_register_io_memory_simple(struct ReadWriteHandler *handler)
+int cpu_register_io_memory_simple(struct ReadWriteHandler *handler, int endian)
 {
     if (!handler->read || !handler->write) {
         return -1;
     }
     return cpu_register_io_memory(cpu_io_memory_simple_read,
                                   cpu_io_memory_simple_write,
-                                  handler, DEVICE_NATIVE_ENDIAN);
+                                  handler, endian);
 }
 
 RWHANDLER_WRITE(ioport_simple_writeb, 1, uint32_t);
diff --git a/rwhandler.h b/rwhandler.h
index bc11849..b2a5790 100644
--- a/rwhandler.h
+++ b/rwhandler.h
@@ -19,7 +19,7 @@ struct ReadWriteHandler {
 
 /* Helpers for when we want to use a single routine with length. */
 /* CPU memory handler: both read and write must be present. */
-int cpu_register_io_memory_simple(ReadWriteHandler *);
+int cpu_register_io_memory_simple(ReadWriteHandler *, int endian);
 /* io port handler: can supply only read or write handlers. */
 int register_ioport_simple(ReadWriteHandler *,
                            pio_addr_t start, int length, int size);
commit 85882c71a946796c0ddc87dc84cc6fcb05b375c7
Author: Michael Walle <michael at walle.cc>
Date:   Thu Dec 9 00:34:51 2010 +0100

    noaudio: fix return value for read()
    
    Read should return bytes instead of samples.
    
    Signed-off-by: Michael Walle <michael at walle.cc>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/noaudio.c b/audio/noaudio.c
index 4925234..8015858 100644
--- a/audio/noaudio.c
+++ b/audio/noaudio.c
@@ -121,7 +121,7 @@ static int no_read (SWVoiceIn *sw, void *buf, int size)
     int total = sw->hw->total_samples_captured - sw->total_hw_samples_acquired;
     int to_clear = audio_MIN (samples, total);
     audio_pcm_info_clear_buf (&sw->info, buf, to_clear);
-    return to_clear;
+    return to_clear << sw->info.shift;
 }
 
 static int no_ctl_in (HWVoiceIn *hw, int cmd, ...)
commit 7572150c189c6553c2448334116ab717680de66d
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Oct 7 12:22:54 2010 +0200

    vnc/spice: add set_passwd monitor command.
    
    This patch adds new set_password and expire_password monitor commands
    which allows to change and expire the password for spice and vnc
    connections.  See the doc update patch chunk for details.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 23024ba..f0ae3b9 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -1135,6 +1135,60 @@ Set the encrypted device @var{device} password to @var{password}
 ETEXI
 
     {
+        .name       = "set_password",
+        .args_type  = "protocol:s,password:s,connected:s?",
+        .params     = "protocol password action-if-connected",
+        .help       = "set spice/vnc password",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = set_password,
+    },
+
+STEXI
+ at item set_password [ vnc | spice ] password [ action-if-connected ]
+ at findex set_password
+
+Change spice/vnc password.  Use zero to make the password stay valid
+forever.  @var{action-if-connected} specifies what should happen in
+case a connection is established: @var{fail} makes the password change
+fail.  @var{disconnect} changes the password and disconnects the
+client.  @var{keep} changes the password and keeps the connection up.
+ at var{keep} is the default.
+ETEXI
+
+    {
+        .name       = "expire_password",
+        .args_type  = "protocol:s,time:s",
+        .params     = "protocol time",
+        .help       = "set spice/vnc password expire-time",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = expire_password,
+    },
+
+STEXI
+ at item expire_password [ vnc | spice ] expire-time
+ at findex expire_password
+
+Specify when a password for spice/vnc becomes
+invalid. @var{expire-time} accepts:
+
+ at table @var
+ at item now
+Invalidate password instantly.
+
+ at item never
+Password stays valid forever.
+
+ at item +nsec
+Password stays valid for @var{nsec} seconds starting now.
+
+ at item nsec
+Password is invalidated at the given time.  @var{nsec} are the seconds
+passed since 1970, i.e. unix epoch.
+
+ at end table
+ETEXI
+
+    {
         .name       = "info",
         .args_type  = "item:s?",
         .params     = "[subcommand]",
diff --git a/monitor.c b/monitor.c
index 1047cee..b13a363 100644
--- a/monitor.c
+++ b/monitor.c
@@ -34,6 +34,7 @@
 #include "net.h"
 #include "net/slirp.h"
 #include "qemu-char.h"
+#include "ui/qemu-spice.h"
 #include "sysemu.h"
 #include "monitor.h"
 #include "readline.h"
@@ -1075,6 +1076,105 @@ static int do_change(Monitor *mon, const QDict *qdict, QObject **ret_data)
     return ret;
 }
 
+static int set_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *protocol  = qdict_get_str(qdict, "protocol");
+    const char *password  = qdict_get_str(qdict, "password");
+    const char *connected = qdict_get_try_str(qdict, "connected");
+    int disconnect_if_connected = 0;
+    int fail_if_connected = 0;
+    int rc;
+
+    if (connected) {
+        if (strcmp(connected, "fail") == 0) {
+            fail_if_connected = 1;
+        } else if (strcmp(connected, "disconnect") == 0) {
+            disconnect_if_connected = 1;
+        } else if (strcmp(connected, "keep") == 0) {
+            /* nothing */
+        } else {
+            qerror_report(QERR_INVALID_PARAMETER, "connected");
+            return -1;
+        }
+    }
+
+    if (strcmp(protocol, "spice") == 0) {
+        if (!using_spice) {
+            /* correct one? spice isn't a device ,,, */
+            qerror_report(QERR_DEVICE_NOT_ACTIVE, "spice");
+            return -1;
+        }
+        rc = qemu_spice_set_passwd(password, fail_if_connected,
+                                   disconnect_if_connected);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    if (strcmp(protocol, "vnc") == 0) {
+        if (fail_if_connected || disconnect_if_connected) {
+            /* vnc supports "connected=keep" only */
+            qerror_report(QERR_INVALID_PARAMETER, "connected");
+            return -1;
+        }
+        rc = vnc_display_password(NULL, password);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    qerror_report(QERR_INVALID_PARAMETER, "protocol");
+    return -1;
+}
+
+static int expire_password(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *protocol  = qdict_get_str(qdict, "protocol");
+    const char *whenstr = qdict_get_str(qdict, "time");
+    time_t when;
+    int rc;
+
+    if (strcmp(whenstr, "now")) {
+        when = 0;
+    } else if (strcmp(whenstr, "never")) {
+        when = TIME_MAX;
+    } else if (whenstr[0] == '+') {
+        when = time(NULL) + strtoull(whenstr+1, NULL, 10);
+    } else {
+        when = strtoull(whenstr, NULL, 10);
+    }
+
+    if (strcmp(protocol, "spice") == 0) {
+        if (!using_spice) {
+            /* correct one? spice isn't a device ,,, */
+            qerror_report(QERR_DEVICE_NOT_ACTIVE, "spice");
+            return -1;
+        }
+        rc = qemu_spice_set_pw_expire(when);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    if (strcmp(protocol, "vnc") == 0) {
+        rc = vnc_display_pw_expire(NULL, when);
+        if (rc != 0) {
+            qerror_report(QERR_SET_PASSWD_FAILED);
+            return -1;
+        }
+        return 0;
+    }
+
+    qerror_report(QERR_INVALID_PARAMETER, "protocol");
+    return -1;
+}
+
 static int do_screen_dump(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
     vga_hw_screen_dump(qdict_get_str(qdict, "filename"));
diff --git a/qmp-commands.hx b/qmp-commands.hx
index b4e6017..1d71711 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -738,6 +738,63 @@ Example:
 EQMP
 
     {
+        .name       = "set_password",
+        .args_type  = "protocol:s,password:s,connected:s?",
+        .params     = "protocol password action-if-connected",
+        .help       = "set spice/vnc password",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = set_password,
+    },
+
+SQMP
+set_password
+------------
+
+Set the password for vnc/spice protocols.
+
+Arguments:
+
+- "protocol": protocol name (json-string)
+- "password": password (json-string)
+- "connected": [ keep | disconnect | fail ] (josn-string, optional)
+
+Example:
+
+-> { "execute": "set_password", "arguments": { "protocol": "vnc",
+                                               "password": "secret" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "expire_password",
+        .args_type  = "protocol:s,time:s",
+        .params     = "protocol time",
+        .help       = "set spice/vnc password expire-time",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = expire_password,
+    },
+
+SQMP
+expire_password
+---------------
+
+Set the password expire time for vnc/spice protocols.
+
+Arguments:
+
+- "protocol": protocol name (json-string)
+- "time": [ now | never | +secs | secs ] (json-string)
+
+Example:
+
+-> { "execute": "expire_password", "arguments": { "protocol": "vnc",
+                                                  "time": "+60" } }
+<- { "return": {} }
+
+EQMP
+
+    {
         .name       = "qmp_capabilities",
         .args_type  = "",
         .params     = "",
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 8b23ac9..48239c3 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -32,6 +32,9 @@ void qemu_spice_input_init(void);
 void qemu_spice_audio_init(void);
 void qemu_spice_display_init(DisplayState *ds);
 int qemu_spice_add_interface(SpiceBaseInstance *sin);
+int qemu_spice_set_passwd(const char *passwd,
+                          bool fail_if_connected, bool disconnect_if_connected);
+int qemu_spice_set_pw_expire(time_t expires);
 
 void do_info_spice_print(Monitor *mon, const QObject *data);
 void do_info_spice(Monitor *mon, QObject **ret_data);
@@ -39,6 +42,8 @@ void do_info_spice(Monitor *mon, QObject **ret_data);
 #else  /* CONFIG_SPICE */
 
 #define using_spice 0
+#define qemu_spice_set_passwd(_p, _f1, _f2) (-1)
+#define qemu_spice_set_pw_expire(_e) (-1)
 
 #endif /* CONFIG_SPICE */
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index d29d203..27a1ced 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -36,6 +36,8 @@
 
 static SpiceServer *spice_server;
 static const char *auth = "spice";
+static char *auth_passwd;
+static time_t auth_expires = TIME_MAX;
 int using_spice = 0;
 
 struct SpiceTimer {
@@ -599,6 +601,39 @@ int qemu_spice_add_interface(SpiceBaseInstance *sin)
     return spice_server_add_interface(spice_server, sin);
 }
 
+static int qemu_spice_set_ticket(bool fail_if_conn, bool disconnect_if_conn)
+{
+    time_t lifetime, now = time(NULL);
+    char *passwd;
+
+    if (now < auth_expires) {
+        passwd = auth_passwd;
+        lifetime = (auth_expires - now);
+        if (lifetime > INT_MAX) {
+            lifetime = INT_MAX;
+        }
+    } else {
+        passwd = NULL;
+        lifetime = 1;
+    }
+    return spice_server_set_ticket(spice_server, passwd, lifetime,
+                                   fail_if_conn, disconnect_if_conn);
+}
+
+int qemu_spice_set_passwd(const char *passwd,
+                          bool fail_if_conn, bool disconnect_if_conn)
+{
+    free(auth_passwd);
+    auth_passwd = strdup(passwd);
+    return qemu_spice_set_ticket(fail_if_conn, disconnect_if_conn);
+}
+
+int qemu_spice_set_pw_expire(time_t expires)
+{
+    auth_expires = expires;
+    return qemu_spice_set_ticket(false, false);
+}
+
 static void spice_register_config(void)
 {
     qemu_add_opts(&qemu_spice_opts);
commit a19cbfb346425cc760ed19b4e746417df636b761
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Apr 27 11:50:11 2010 +0200

    spice: add qxl device
    
    qxl is a paravirtual graphics card.  The qxl device is the bridge
    between the guest and the spice server (aka libspice-server).  The
    spice server will send the rendering commands to the spice client, which
    will actually render them.
    
    The spice server is also able to render locally, which is done in case
    the guest wants read something from video memory.  Local rendering is
    also used to support display over vnc and sdl.
    
    qxl is activated using "-vga qxl".  qxl supports multihead, additional
    cards can be added via '-device qxl".
    
    [ v2: add copyright to files                     ]
    [ v2: use qemu-common.h for standard includes    ]
    [ v2: create separate qxl-vga device for primary ]
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/Makefile.target b/Makefile.target
index 5784844..c40833b 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -224,6 +224,7 @@ obj-i386-y += vmmouse.o vmport.o hpet.o applesmc.o
 obj-i386-y += device-hotplug.o pci-hotplug.o smbios.o wdt_ib700.o
 obj-i386-y += debugcon.o multiboot.o
 obj-i386-y += pc_piix.o
+obj-i386-$(CONFIG_SPICE) += qxl.o qxl-logger.o qxl-render.o
 
 # shared objects
 obj-ppc-y = ppc.o
diff --git a/hw/hw.h b/hw/hw.h
index 77bfb58..163a683 100644
--- a/hw/hw.h
+++ b/hw/hw.h
@@ -528,6 +528,17 @@ extern const VMStateInfo vmstate_info_unused_buffer;
     .start        = (_start),                                        \
 }
 
+#define VMSTATE_VBUFFER_UINT32(_field, _state, _version, _test, _start, _field_size) { \
+    .name         = (stringify(_field)),                             \
+    .version_id   = (_version),                                      \
+    .field_exists = (_test),                                         \
+    .size_offset  = vmstate_offset_value(_state, _field_size, uint32_t),\
+    .info         = &vmstate_info_buffer,                            \
+    .flags        = VMS_VBUFFER|VMS_POINTER,                         \
+    .offset       = offsetof(_state, _field),                        \
+    .start        = (_start),                                        \
+}
+
 #define VMSTATE_BUFFER_UNSAFE_INFO(_field, _state, _version, _info, _size) { \
     .name       = (stringify(_field)),                               \
     .version_id = (_version),                                        \
@@ -745,6 +756,9 @@ extern const VMStateDescription vmstate_i2c_slave;
 #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size)                        \
     VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
 
+#define VMSTATE_PARTIAL_VBUFFER_UINT32(_f, _s, _size)                        \
+    VMSTATE_VBUFFER_UINT32(_f, _s, 0, NULL, 0, _size)
+
 #define VMSTATE_SUB_VBUFFER(_f, _s, _start, _size)                    \
     VMSTATE_VBUFFER(_f, _s, 0, NULL, _start, _size)
 
diff --git a/hw/pc.c b/hw/pc.c
index 119c110..f28e237 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -40,6 +40,7 @@
 #include "sysbus.h"
 #include "sysemu.h"
 #include "blockdev.h"
+#include "ui/qemu-spice.h"
 
 /* output Bochs bios info messages */
 //#define DEBUG_BIOS
@@ -991,6 +992,13 @@ void pc_vga_init(PCIBus *pci_bus)
             pci_vmsvga_init(pci_bus);
         else
             fprintf(stderr, "%s: vmware_vga: no PCI bus\n", __FUNCTION__);
+#ifdef CONFIG_SPICE
+    } else if (qxl_enabled) {
+        if (pci_bus)
+            pci_create_simple(pci_bus, -1, "qxl-vga");
+        else
+            fprintf(stderr, "%s: qxl: no PCI bus\n", __FUNCTION__);
+#endif
     } else if (std_vga_enabled) {
         if (pci_bus) {
             pci_vga_init(pci_bus);
diff --git a/hw/qxl-logger.c b/hw/qxl-logger.c
new file mode 100644
index 0000000..76f43e6
--- /dev/null
+++ b/hw/qxl-logger.c
@@ -0,0 +1,248 @@
+/*
+ * qxl command logging -- for debug purposes
+ *
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * maintained by Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qxl.h"
+
+static const char *qxl_type[] = {
+    [ QXL_CMD_NOP ]     = "nop",
+    [ QXL_CMD_DRAW ]    = "draw",
+    [ QXL_CMD_UPDATE ]  = "update",
+    [ QXL_CMD_CURSOR ]  = "cursor",
+    [ QXL_CMD_MESSAGE ] = "message",
+    [ QXL_CMD_SURFACE ] = "surface",
+};
+
+static const char *qxl_draw_type[] = {
+    [ QXL_DRAW_NOP         ] = "nop",
+    [ QXL_DRAW_FILL        ] = "fill",
+    [ QXL_DRAW_OPAQUE      ] = "opaque",
+    [ QXL_DRAW_COPY        ] = "copy",
+    [ QXL_COPY_BITS        ] = "copy-bits",
+    [ QXL_DRAW_BLEND       ] = "blend",
+    [ QXL_DRAW_BLACKNESS   ] = "blackness",
+    [ QXL_DRAW_WHITENESS   ] = "whitemess",
+    [ QXL_DRAW_INVERS      ] = "invers",
+    [ QXL_DRAW_ROP3        ] = "rop3",
+    [ QXL_DRAW_STROKE      ] = "stroke",
+    [ QXL_DRAW_TEXT        ] = "text",
+    [ QXL_DRAW_TRANSPARENT ] = "transparent",
+    [ QXL_DRAW_ALPHA_BLEND ] = "alpha-blend",
+};
+
+static const char *qxl_draw_effect[] = {
+    [ QXL_EFFECT_BLEND            ] = "blend",
+    [ QXL_EFFECT_OPAQUE           ] = "opaque",
+    [ QXL_EFFECT_REVERT_ON_DUP    ] = "revert-on-dup",
+    [ QXL_EFFECT_BLACKNESS_ON_DUP ] = "blackness-on-dup",
+    [ QXL_EFFECT_WHITENESS_ON_DUP ] = "whiteness-on-dup",
+    [ QXL_EFFECT_NOP_ON_DUP       ] = "nop-on-dup",
+    [ QXL_EFFECT_NOP              ] = "nop",
+    [ QXL_EFFECT_OPAQUE_BRUSH     ] = "opaque-brush",
+};
+
+static const char *qxl_surface_cmd[] = {
+   [ QXL_SURFACE_CMD_CREATE  ] = "create",
+   [ QXL_SURFACE_CMD_DESTROY ] = "destroy",
+};
+
+static const char *spice_surface_fmt[] = {
+   [ SPICE_SURFACE_FMT_INVALID  ] = "invalid",
+   [ SPICE_SURFACE_FMT_1_A      ] = "alpha/1",
+   [ SPICE_SURFACE_FMT_8_A      ] = "alpha/8",
+   [ SPICE_SURFACE_FMT_16_555   ] = "555/16",
+   [ SPICE_SURFACE_FMT_16_565   ] = "565/16",
+   [ SPICE_SURFACE_FMT_32_xRGB  ] = "xRGB/32",
+   [ SPICE_SURFACE_FMT_32_ARGB  ] = "ARGB/32",
+};
+
+static const char *qxl_cursor_cmd[] = {
+   [ QXL_CURSOR_SET   ] = "set",
+   [ QXL_CURSOR_MOVE  ] = "move",
+   [ QXL_CURSOR_HIDE  ] = "hide",
+   [ QXL_CURSOR_TRAIL ] = "trail",
+};
+
+static const char *spice_cursor_type[] = {
+   [ SPICE_CURSOR_TYPE_ALPHA   ] = "alpha",
+   [ SPICE_CURSOR_TYPE_MONO    ] = "mono",
+   [ SPICE_CURSOR_TYPE_COLOR4  ] = "color4",
+   [ SPICE_CURSOR_TYPE_COLOR8  ] = "color8",
+   [ SPICE_CURSOR_TYPE_COLOR16 ] = "color16",
+   [ SPICE_CURSOR_TYPE_COLOR24 ] = "color24",
+   [ SPICE_CURSOR_TYPE_COLOR32 ] = "color32",
+};
+
+static const char *qxl_v2n(const char *n[], size_t l, int v)
+{
+    if (v >= l || !n[v]) {
+        return "???";
+    }
+    return n[v];
+}
+#define qxl_name(_list, _value) qxl_v2n(_list, ARRAY_SIZE(_list), _value)
+
+static void qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
+{
+    QXLImage *image;
+    QXLImageDescriptor *desc;
+
+    image = qxl_phys2virt(qxl, addr, group_id);
+    desc = &image->descriptor;
+    fprintf(stderr, " (id %" PRIx64 " type %d flags %d width %d height %d",
+            desc->id, desc->type, desc->flags, desc->width, desc->height);
+    switch (desc->type) {
+    case SPICE_IMAGE_TYPE_BITMAP:
+        fprintf(stderr, ", fmt %d flags %d x %d y %d stride %d"
+                " palette %" PRIx64 " data %" PRIx64,
+                image->bitmap.format, image->bitmap.flags,
+                image->bitmap.x, image->bitmap.y,
+                image->bitmap.stride,
+                image->bitmap.palette, image->bitmap.data);
+        break;
+    }
+    fprintf(stderr, ")");
+}
+
+static void qxl_log_rect(QXLRect *rect)
+{
+    fprintf(stderr, " %dx%d+%d+%d",
+            rect->right - rect->left,
+            rect->bottom - rect->top,
+            rect->left, rect->top);
+}
+
+static void qxl_log_cmd_draw_copy(PCIQXLDevice *qxl, QXLCopy *copy, int group_id)
+{
+    fprintf(stderr, " src %" PRIx64,
+            copy->src_bitmap);
+    qxl_log_image(qxl, copy->src_bitmap, group_id);
+    fprintf(stderr, " area");
+    qxl_log_rect(&copy->src_area);
+    fprintf(stderr, " rop %d", copy->rop_descriptor);
+}
+
+static void qxl_log_cmd_draw(PCIQXLDevice *qxl, QXLDrawable *draw, int group_id)
+{
+    fprintf(stderr, ": surface_id %d type %s effect %s",
+            draw->surface_id,
+            qxl_name(qxl_draw_type, draw->type),
+            qxl_name(qxl_draw_effect, draw->effect));
+    switch (draw->type) {
+    case QXL_DRAW_COPY:
+        qxl_log_cmd_draw_copy(qxl, &draw->u.copy, group_id);
+        break;
+    }
+}
+
+static void qxl_log_cmd_draw_compat(PCIQXLDevice *qxl, QXLCompatDrawable *draw,
+                                    int group_id)
+{
+    fprintf(stderr, ": type %s effect %s",
+            qxl_name(qxl_draw_type, draw->type),
+            qxl_name(qxl_draw_effect, draw->effect));
+    if (draw->bitmap_offset) {
+        fprintf(stderr, ": bitmap %d",
+                draw->bitmap_offset);
+        qxl_log_rect(&draw->bitmap_area);
+    }
+    switch (draw->type) {
+    case QXL_DRAW_COPY:
+        qxl_log_cmd_draw_copy(qxl, &draw->u.copy, group_id);
+        break;
+    }
+}
+
+static void qxl_log_cmd_surface(PCIQXLDevice *qxl, QXLSurfaceCmd *cmd)
+{
+    fprintf(stderr, ": %s id %d",
+            qxl_name(qxl_surface_cmd, cmd->type),
+            cmd->surface_id);
+    if (cmd->type == QXL_SURFACE_CMD_CREATE) {
+        fprintf(stderr, " size %dx%d stride %d format %s (count %d, max %d)",
+                cmd->u.surface_create.width,
+                cmd->u.surface_create.height,
+                cmd->u.surface_create.stride,
+                qxl_name(spice_surface_fmt, cmd->u.surface_create.format),
+                qxl->guest_surfaces.count, qxl->guest_surfaces.max);
+    }
+    if (cmd->type == QXL_SURFACE_CMD_DESTROY) {
+        fprintf(stderr, " (count %d)", qxl->guest_surfaces.count);
+    }
+}
+
+void qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
+{
+    QXLCursor *cursor;
+
+    fprintf(stderr, ": %s",
+            qxl_name(qxl_cursor_cmd, cmd->type));
+    switch (cmd->type) {
+    case QXL_CURSOR_SET:
+        fprintf(stderr, " +%d+%d visible %s, shape @ 0x%" PRIx64,
+                cmd->u.set.position.x,
+                cmd->u.set.position.y,
+                cmd->u.set.visible ? "yes" : "no",
+                cmd->u.set.shape);
+        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
+        fprintf(stderr, " type %s size %dx%d hot-spot +%d+%d"
+                " unique 0x%" PRIx64 " data-size %d",
+                qxl_name(spice_cursor_type, cursor->header.type),
+                cursor->header.width, cursor->header.height,
+                cursor->header.hot_spot_x, cursor->header.hot_spot_y,
+                cursor->header.unique, cursor->data_size);
+        break;
+    case QXL_CURSOR_MOVE:
+        fprintf(stderr, " +%d+%d", cmd->u.position.x, cmd->u.position.y);
+        break;
+    }
+}
+
+void qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+{
+    bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
+    void *data;
+
+    if (!qxl->cmdlog) {
+        return;
+    }
+    fprintf(stderr, "qxl-%d/%s:", qxl->id, ring);
+    fprintf(stderr, " cmd @ 0x%" PRIx64 " %s%s", ext->cmd.data,
+            qxl_name(qxl_type, ext->cmd.type),
+            compat ? "(compat)" : "");
+
+    data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+    switch (ext->cmd.type) {
+    case QXL_CMD_DRAW:
+        if (!compat) {
+            qxl_log_cmd_draw(qxl, data, ext->group_id);
+        } else {
+            qxl_log_cmd_draw_compat(qxl, data, ext->group_id);
+        }
+        break;
+    case QXL_CMD_SURFACE:
+        qxl_log_cmd_surface(qxl, data);
+        break;
+    case QXL_CMD_CURSOR:
+        qxl_log_cmd_cursor(qxl, data, ext->group_id);
+        break;
+    }
+    fprintf(stderr, "\n");
+}
diff --git a/hw/qxl-render.c b/hw/qxl-render.c
new file mode 100644
index 0000000..58965e0
--- /dev/null
+++ b/hw/qxl-render.c
@@ -0,0 +1,226 @@
+/*
+ * qxl local rendering (aka display on sdl/vnc)
+ *
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * maintained by Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qxl.h"
+
+static void qxl_flip(PCIQXLDevice *qxl, QXLRect *rect)
+{
+    uint8_t *src = qxl->guest_primary.data;
+    uint8_t *dst = qxl->guest_primary.flipped;
+    int len, i;
+
+    src += (qxl->guest_primary.surface.height - rect->top - 1) *
+        qxl->guest_primary.stride;
+    dst += rect->top  * qxl->guest_primary.stride;
+    src += rect->left * qxl->guest_primary.bytes_pp;
+    dst += rect->left * qxl->guest_primary.bytes_pp;
+    len  = (rect->right - rect->left) * qxl->guest_primary.bytes_pp;
+
+    for (i = rect->top; i < rect->bottom; i++) {
+        memcpy(dst, src, len);
+        dst += qxl->guest_primary.stride;
+        src -= qxl->guest_primary.stride;
+    }
+}
+
+void qxl_render_resize(PCIQXLDevice *qxl)
+{
+    QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
+
+    qxl->guest_primary.stride = sc->stride;
+    qxl->guest_primary.resized++;
+    switch (sc->format) {
+    case SPICE_SURFACE_FMT_16_555:
+        qxl->guest_primary.bytes_pp = 2;
+        qxl->guest_primary.bits_pp = 15;
+        break;
+    case SPICE_SURFACE_FMT_16_565:
+        qxl->guest_primary.bytes_pp = 2;
+        qxl->guest_primary.bits_pp = 16;
+        break;
+    case SPICE_SURFACE_FMT_32_xRGB:
+    case SPICE_SURFACE_FMT_32_ARGB:
+        qxl->guest_primary.bytes_pp = 4;
+        qxl->guest_primary.bits_pp = 32;
+        break;
+    default:
+        fprintf(stderr, "%s: unhandled format: %x\n", __FUNCTION__,
+                qxl->guest_primary.surface.format);
+        qxl->guest_primary.bytes_pp = 4;
+        qxl->guest_primary.bits_pp = 32;
+        break;
+    }
+}
+
+void qxl_render_update(PCIQXLDevice *qxl)
+{
+    VGACommonState *vga = &qxl->vga;
+    QXLRect dirty[32], update;
+    void *ptr;
+    int i;
+
+    if (qxl->guest_primary.resized) {
+        qxl->guest_primary.resized = 0;
+
+        if (qxl->guest_primary.flipped) {
+            qemu_free(qxl->guest_primary.flipped);
+            qxl->guest_primary.flipped = NULL;
+        }
+        qemu_free_displaysurface(vga->ds);
+
+        qxl->guest_primary.data = qemu_get_ram_ptr(qxl->vga.vram_offset);
+        if (qxl->guest_primary.stride < 0) {
+            /* spice surface is upside down -> need extra buffer to flip */
+            qxl->guest_primary.stride = -qxl->guest_primary.stride;
+            qxl->guest_primary.flipped = qemu_malloc(qxl->guest_primary.surface.width *
+                                                     qxl->guest_primary.stride);
+            ptr = qxl->guest_primary.flipped;
+        } else {
+            ptr = qxl->guest_primary.data;
+        }
+        dprint(qxl, 1, "%s: %dx%d, stride %d, bpp %d, depth %d, flip %s\n",
+               __FUNCTION__,
+               qxl->guest_primary.surface.width,
+               qxl->guest_primary.surface.height,
+               qxl->guest_primary.stride,
+               qxl->guest_primary.bytes_pp,
+               qxl->guest_primary.bits_pp,
+               qxl->guest_primary.flipped ? "yes" : "no");
+        vga->ds->surface =
+            qemu_create_displaysurface_from(qxl->guest_primary.surface.width,
+                                            qxl->guest_primary.surface.height,
+                                            qxl->guest_primary.bits_pp,
+                                            qxl->guest_primary.stride,
+                                            ptr);
+        dpy_resize(vga->ds);
+    }
+
+    if (!qxl->guest_primary.commands) {
+        return;
+    }
+    qxl->guest_primary.commands = 0;
+
+    update.left   = 0;
+    update.right  = qxl->guest_primary.surface.width;
+    update.top    = 0;
+    update.bottom = qxl->guest_primary.surface.height;
+
+    memset(dirty, 0, sizeof(dirty));
+    qxl->ssd.worker->update_area(qxl->ssd.worker, 0, &update,
+                                 dirty, ARRAY_SIZE(dirty), 1);
+
+    for (i = 0; i < ARRAY_SIZE(dirty); i++) {
+        if (qemu_spice_rect_is_empty(dirty+i)) {
+            break;
+        }
+        if (qxl->guest_primary.flipped) {
+            qxl_flip(qxl, dirty+i);
+        }
+        dpy_update(vga->ds,
+                   dirty[i].left, dirty[i].top,
+                   dirty[i].right - dirty[i].left,
+                   dirty[i].bottom - dirty[i].top);
+    }
+}
+
+static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor)
+{
+    QEMUCursor *c;
+    uint8_t *image, *mask;
+    int size;
+
+    c = cursor_alloc(cursor->header.width, cursor->header.height);
+    c->hot_x = cursor->header.hot_spot_x;
+    c->hot_y = cursor->header.hot_spot_y;
+    switch (cursor->header.type) {
+    case SPICE_CURSOR_TYPE_ALPHA:
+        size = cursor->header.width * cursor->header.height * sizeof(uint32_t);
+        memcpy(c->data, cursor->chunk.data, size);
+        if (qxl->debug > 2) {
+            cursor_print_ascii_art(c, "qxl/alpha");
+        }
+        break;
+    case SPICE_CURSOR_TYPE_MONO:
+        mask  = cursor->chunk.data;
+        image = mask + cursor_get_mono_bpl(c) * c->width;
+        cursor_set_mono(c, 0xffffff, 0x000000, image, 1, mask);
+        if (qxl->debug > 2) {
+            cursor_print_ascii_art(c, "qxl/mono");
+        }
+        break;
+    default:
+        fprintf(stderr, "%s: not implemented: type %d\n",
+                __FUNCTION__, cursor->header.type);
+        goto fail;
+    }
+    return c;
+
+fail:
+    cursor_put(c);
+    return NULL;
+}
+
+
+/* called from spice server thread context only */
+void qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+{
+    QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+    QXLCursor *cursor;
+    QEMUCursor *c;
+    int x = -1, y = -1;
+
+    if (!qxl->ssd.ds->mouse_set || !qxl->ssd.ds->cursor_define) {
+        return;
+    }
+
+    if (qxl->debug > 1 && cmd->type != QXL_CURSOR_MOVE) {
+        fprintf(stderr, "%s", __FUNCTION__);
+        qxl_log_cmd_cursor(qxl, cmd, ext->group_id);
+        fprintf(stderr, "\n");
+    }
+    switch (cmd->type) {
+    case QXL_CURSOR_SET:
+        x = cmd->u.set.position.x;
+        y = cmd->u.set.position.y;
+        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
+        if (cursor->chunk.data_size != cursor->data_size) {
+            fprintf(stderr, "%s: multiple chunks\n", __FUNCTION__);
+            return;
+        }
+        c = qxl_cursor(qxl, cursor);
+        if (c == NULL) {
+            c = cursor_builtin_left_ptr();
+        }
+        qemu_mutex_lock_iothread();
+        qxl->ssd.ds->cursor_define(c);
+        qxl->ssd.ds->mouse_set(x, y, 1);
+        qemu_mutex_unlock_iothread();
+        cursor_put(c);
+        break;
+    case QXL_CURSOR_MOVE:
+        x = cmd->u.position.x;
+        y = cmd->u.position.y;
+        qemu_mutex_lock_iothread();
+        qxl->ssd.ds->mouse_set(x, y, 1);
+        qemu_mutex_unlock_iothread();
+        break;
+    }
+}
diff --git a/hw/qxl.c b/hw/qxl.c
new file mode 100644
index 0000000..207aa63
--- /dev/null
+++ b/hw/qxl.c
@@ -0,0 +1,1587 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * written by Yaniv Kamay, Izik Eidus, Gerd Hoffmann
+ * maintained by Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <pthread.h>
+
+#include "qemu-common.h"
+#include "qemu-timer.h"
+#include "qemu-queue.h"
+#include "monitor.h"
+#include "sysemu.h"
+
+#include "qxl.h"
+
+#undef SPICE_RING_PROD_ITEM
+#define SPICE_RING_PROD_ITEM(r, ret) {                                  \
+        typeof(r) start = r;                                            \
+        typeof(r) end = r + 1;                                          \
+        uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r);           \
+        typeof(&(r)->items[prod]) m_item = &(r)->items[prod];           \
+        if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \
+            abort();                                                    \
+        }                                                               \
+        ret = &m_item->el;                                              \
+    }
+
+#undef SPICE_RING_CONS_ITEM
+#define SPICE_RING_CONS_ITEM(r, ret) {                                  \
+        typeof(r) start = r;                                            \
+        typeof(r) end = r + 1;                                          \
+        uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r);           \
+        typeof(&(r)->items[cons]) m_item = &(r)->items[cons];           \
+        if (!((uint8_t*)m_item >= (uint8_t*)(start) && (uint8_t*)(m_item + 1) <= (uint8_t*)(end))) { \
+            abort();                                                    \
+        }                                                               \
+        ret = &m_item->el;                                              \
+    }
+
+#undef ALIGN
+#define ALIGN(a, b) (((a) + ((b) - 1)) & ~((b) - 1))
+
+#define PIXEL_SIZE 0.2936875 //1280x1024 is 14.8" x 11.9" 
+
+#define QXL_MODE(_x, _y, _b, _o)                  \
+    {   .x_res = _x,                              \
+        .y_res = _y,                              \
+        .bits  = _b,                              \
+        .stride = (_x) * (_b) / 8,                \
+        .x_mili = PIXEL_SIZE * (_x),              \
+        .y_mili = PIXEL_SIZE * (_y),              \
+        .orientation = _o,                        \
+    }
+
+#define QXL_MODE_16_32(x_res, y_res, orientation) \
+    QXL_MODE(x_res, y_res, 16, orientation),      \
+    QXL_MODE(x_res, y_res, 32, orientation)
+
+#define QXL_MODE_EX(x_res, y_res)                 \
+    QXL_MODE_16_32(x_res, y_res, 0),              \
+    QXL_MODE_16_32(y_res, x_res, 1),              \
+    QXL_MODE_16_32(x_res, y_res, 2),              \
+    QXL_MODE_16_32(y_res, x_res, 3)
+
+static QXLMode qxl_modes[] = {
+    QXL_MODE_EX(640, 480),
+    QXL_MODE_EX(800, 480),
+    QXL_MODE_EX(800, 600),
+    QXL_MODE_EX(832, 624),
+    QXL_MODE_EX(960, 640),
+    QXL_MODE_EX(1024, 600),
+    QXL_MODE_EX(1024, 768),
+    QXL_MODE_EX(1152, 864),
+    QXL_MODE_EX(1152, 870),
+    QXL_MODE_EX(1280, 720),
+    QXL_MODE_EX(1280, 760),
+    QXL_MODE_EX(1280, 768),
+    QXL_MODE_EX(1280, 800),
+    QXL_MODE_EX(1280, 960),
+    QXL_MODE_EX(1280, 1024),
+    QXL_MODE_EX(1360, 768),
+    QXL_MODE_EX(1366, 768),
+    QXL_MODE_EX(1400, 1050),
+    QXL_MODE_EX(1440, 900),
+    QXL_MODE_EX(1600, 900),
+    QXL_MODE_EX(1600, 1200),
+    QXL_MODE_EX(1680, 1050),
+    QXL_MODE_EX(1920, 1080),
+#if VGA_RAM_SIZE >= (16 * 1024 * 1024)
+    /* these modes need more than 8 MB video memory */
+    QXL_MODE_EX(1920, 1200),
+    QXL_MODE_EX(1920, 1440),
+    QXL_MODE_EX(2048, 1536),
+    QXL_MODE_EX(2560, 1440),
+    QXL_MODE_EX(2560, 1600),
+#endif
+#if VGA_RAM_SIZE >= (32 * 1024 * 1024)
+    /* these modes need more than 16 MB video memory */
+    QXL_MODE_EX(2560, 2048),
+    QXL_MODE_EX(2800, 2100),
+    QXL_MODE_EX(3200, 2400),
+#endif
+};
+
+static PCIQXLDevice *qxl0;
+
+static void qxl_send_events(PCIQXLDevice *d, uint32_t events);
+static void qxl_destroy_primary(PCIQXLDevice *d);
+static void qxl_reset_memslots(PCIQXLDevice *d);
+static void qxl_reset_surfaces(PCIQXLDevice *d);
+static void qxl_ring_set_dirty(PCIQXLDevice *qxl);
+
+static inline uint32_t msb_mask(uint32_t val)
+{
+    uint32_t mask;
+
+    do {
+        mask = ~(val - 1) & val;
+        val &= ~mask;
+    } while (mask < val);
+
+    return mask;
+}
+
+static ram_addr_t qxl_rom_size(void)
+{
+    uint32_t rom_size = sizeof(QXLRom) + sizeof(QXLModes) + sizeof(qxl_modes);
+    rom_size = MAX(rom_size, TARGET_PAGE_SIZE);
+    rom_size = msb_mask(rom_size * 2 - 1);
+    return rom_size;
+}
+
+static void init_qxl_rom(PCIQXLDevice *d)
+{
+    QXLRom *rom = qemu_get_ram_ptr(d->rom_offset);
+    QXLModes *modes = (QXLModes *)(rom + 1);
+    uint32_t ram_header_size;
+    uint32_t surface0_area_size;
+    uint32_t num_pages;
+    uint32_t fb, maxfb = 0;
+    int i;
+
+    memset(rom, 0, d->rom_size);
+
+    rom->magic         = cpu_to_le32(QXL_ROM_MAGIC);
+    rom->id            = cpu_to_le32(d->id);
+    rom->log_level     = cpu_to_le32(d->guestdebug);
+    rom->modes_offset  = cpu_to_le32(sizeof(QXLRom));
+
+    rom->slot_gen_bits = MEMSLOT_GENERATION_BITS;
+    rom->slot_id_bits  = MEMSLOT_SLOT_BITS;
+    rom->slots_start   = 1;
+    rom->slots_end     = NUM_MEMSLOTS - 1;
+    rom->n_surfaces    = cpu_to_le32(NUM_SURFACES);
+
+    modes->n_modes     = cpu_to_le32(ARRAY_SIZE(qxl_modes));
+    for (i = 0; i < modes->n_modes; i++) {
+        fb = qxl_modes[i].y_res * qxl_modes[i].stride;
+        if (maxfb < fb) {
+            maxfb = fb;
+        }
+        modes->modes[i].id          = cpu_to_le32(i);
+        modes->modes[i].x_res       = cpu_to_le32(qxl_modes[i].x_res);
+        modes->modes[i].y_res       = cpu_to_le32(qxl_modes[i].y_res);
+        modes->modes[i].bits        = cpu_to_le32(qxl_modes[i].bits);
+        modes->modes[i].stride      = cpu_to_le32(qxl_modes[i].stride);
+        modes->modes[i].x_mili      = cpu_to_le32(qxl_modes[i].x_mili);
+        modes->modes[i].y_mili      = cpu_to_le32(qxl_modes[i].y_mili);
+        modes->modes[i].orientation = cpu_to_le32(qxl_modes[i].orientation);
+    }
+    if (maxfb < VGA_RAM_SIZE && d->id == 0)
+        maxfb = VGA_RAM_SIZE;
+
+    ram_header_size    = ALIGN(sizeof(QXLRam), 4096);
+    surface0_area_size = ALIGN(maxfb, 4096);
+    num_pages          = d->vga.vram_size;
+    num_pages         -= ram_header_size;
+    num_pages         -= surface0_area_size;
+    num_pages          = num_pages / TARGET_PAGE_SIZE;
+
+    rom->draw_area_offset   = cpu_to_le32(0);
+    rom->surface0_area_size = cpu_to_le32(surface0_area_size);
+    rom->pages_offset       = cpu_to_le32(surface0_area_size);
+    rom->num_pages          = cpu_to_le32(num_pages);
+    rom->ram_header_offset  = cpu_to_le32(d->vga.vram_size - ram_header_size);
+
+    d->shadow_rom = *rom;
+    d->rom        = rom;
+    d->modes      = modes;
+}
+
+static void init_qxl_ram(PCIQXLDevice *d)
+{
+    uint8_t *buf;
+    uint64_t *item;
+
+    buf = d->vga.vram_ptr;
+    d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset));
+    d->ram->magic       = cpu_to_le32(QXL_RAM_MAGIC);
+    d->ram->int_pending = cpu_to_le32(0);
+    d->ram->int_mask    = cpu_to_le32(0);
+    SPICE_RING_INIT(&d->ram->cmd_ring);
+    SPICE_RING_INIT(&d->ram->cursor_ring);
+    SPICE_RING_INIT(&d->ram->release_ring);
+    SPICE_RING_PROD_ITEM(&d->ram->release_ring, item);
+    *item = 0;
+    qxl_ring_set_dirty(d);
+}
+
+/* can be called from spice server thread context */
+static void qxl_set_dirty(ram_addr_t addr, ram_addr_t end)
+{
+    while (addr < end) {
+        cpu_physical_memory_set_dirty(addr);
+        addr += TARGET_PAGE_SIZE;
+    }
+}
+
+static void qxl_rom_set_dirty(PCIQXLDevice *qxl)
+{
+    ram_addr_t addr = qxl->rom_offset;
+    qxl_set_dirty(addr, addr + qxl->rom_size);
+}
+
+/* called from spice server thread context only */
+static void qxl_ram_set_dirty(PCIQXLDevice *qxl, void *ptr)
+{
+    ram_addr_t addr = qxl->vga.vram_offset;
+    void *base = qxl->vga.vram_ptr;
+    intptr_t offset;
+
+    offset = ptr - base;
+    offset &= ~(TARGET_PAGE_SIZE-1);
+    assert(offset < qxl->vga.vram_size);
+    qxl_set_dirty(addr + offset, addr + offset + TARGET_PAGE_SIZE);
+}
+
+/* can be called from spice server thread context */
+static void qxl_ring_set_dirty(PCIQXLDevice *qxl)
+{
+    ram_addr_t addr = qxl->vga.vram_offset + qxl->shadow_rom.ram_header_offset;
+    ram_addr_t end  = qxl->vga.vram_offset + qxl->vga.vram_size;
+    qxl_set_dirty(addr, end);
+}
+
+/*
+ * keep track of some command state, for savevm/loadvm.
+ * called from spice server thread context only
+ */
+static void qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+{
+    switch (le32_to_cpu(ext->cmd.type)) {
+    case QXL_CMD_SURFACE:
+    {
+        QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+        uint32_t id = le32_to_cpu(cmd->surface_id);
+        PANIC_ON(id >= NUM_SURFACES);
+        if (cmd->type == QXL_SURFACE_CMD_CREATE) {
+            qxl->guest_surfaces.cmds[id] = ext->cmd.data;
+            qxl->guest_surfaces.count++;
+            if (qxl->guest_surfaces.max < qxl->guest_surfaces.count)
+                qxl->guest_surfaces.max = qxl->guest_surfaces.count;
+        }
+        if (cmd->type == QXL_SURFACE_CMD_DESTROY) {
+            qxl->guest_surfaces.cmds[id] = 0;
+            qxl->guest_surfaces.count--;
+        }
+        break;
+    }
+    case QXL_CMD_CURSOR:
+    {
+        QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+        if (cmd->type == QXL_CURSOR_SET) {
+            qxl->guest_cursor = ext->cmd.data;
+        }
+        break;
+    }
+    }
+}
+
+/* spice display interface callbacks */
+
+static void interface_attach_worker(QXLInstance *sin, QXLWorker *qxl_worker)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+
+    dprint(qxl, 1, "%s:\n", __FUNCTION__);
+    qxl->ssd.worker = qxl_worker;
+}
+
+static void interface_set_compression_level(QXLInstance *sin, int level)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+
+    dprint(qxl, 1, "%s: %d\n", __FUNCTION__, level);
+    qxl->shadow_rom.compression_level = cpu_to_le32(level);
+    qxl->rom->compression_level = cpu_to_le32(level);
+    qxl_rom_set_dirty(qxl);
+}
+
+static void interface_set_mm_time(QXLInstance *sin, uint32_t mm_time)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+
+    qxl->shadow_rom.mm_clock = cpu_to_le32(mm_time);
+    qxl->rom->mm_clock = cpu_to_le32(mm_time);
+    qxl_rom_set_dirty(qxl);
+}
+
+static void interface_get_init_info(QXLInstance *sin, QXLDevInitInfo *info)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+
+    dprint(qxl, 1, "%s:\n", __FUNCTION__);
+    info->memslot_gen_bits = MEMSLOT_GENERATION_BITS;
+    info->memslot_id_bits = MEMSLOT_SLOT_BITS;
+    info->num_memslots = NUM_MEMSLOTS;
+    info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;
+    info->internal_groupslot_id = 0;
+    info->qxl_ram_size = le32_to_cpu(qxl->shadow_rom.num_pages) << TARGET_PAGE_BITS;
+    info->n_surfaces = NUM_SURFACES;
+}
+
+/* called from spice server thread context only */
+static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+    SimpleSpiceUpdate *update;
+    QXLCommandRing *ring;
+    QXLCommand *cmd;
+    int notify;
+
+    switch (qxl->mode) {
+    case QXL_MODE_VGA:
+        dprint(qxl, 2, "%s: vga\n", __FUNCTION__);
+        update = qemu_spice_create_update(&qxl->ssd);
+        if (update == NULL) {
+            return false;
+        }
+        *ext = update->ext;
+        qxl_log_command(qxl, "vga", ext);
+        return true;
+    case QXL_MODE_COMPAT:
+    case QXL_MODE_NATIVE:
+    case QXL_MODE_UNDEFINED:
+        dprint(qxl, 2, "%s: %s\n", __FUNCTION__,
+               qxl->cmdflags ? "compat" : "native");
+        ring = &qxl->ram->cmd_ring;
+        if (SPICE_RING_IS_EMPTY(ring)) {
+            return false;
+        }
+        SPICE_RING_CONS_ITEM(ring, cmd);
+        ext->cmd      = *cmd;
+        ext->group_id = MEMSLOT_GROUP_GUEST;
+        ext->flags    = qxl->cmdflags;
+        SPICE_RING_POP(ring, notify);
+        qxl_ring_set_dirty(qxl);
+        if (notify) {
+            qxl_send_events(qxl, QXL_INTERRUPT_DISPLAY);
+        }
+        qxl->guest_primary.commands++;
+        qxl_track_command(qxl, ext);
+        qxl_log_command(qxl, "cmd", ext);
+        return true;
+    default:
+        return false;
+    }
+}
+
+/* called from spice server thread context only */
+static int interface_req_cmd_notification(QXLInstance *sin)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+    int wait = 1;
+
+    switch (qxl->mode) {
+    case QXL_MODE_COMPAT:
+    case QXL_MODE_NATIVE:
+    case QXL_MODE_UNDEFINED:
+        SPICE_RING_CONS_WAIT(&qxl->ram->cmd_ring, wait);
+        qxl_ring_set_dirty(qxl);
+        break;
+    default:
+        /* nothing */
+        break;
+    }
+    return wait;
+}
+
+/* called from spice server thread context only */
+static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
+{
+    QXLReleaseRing *ring = &d->ram->release_ring;
+    uint64_t *item;
+    int notify;
+
+#define QXL_FREE_BUNCH_SIZE 32
+
+    if (ring->prod - ring->cons + 1 == ring->num_items) {
+        /* ring full -- can't push */
+        return;
+    }
+    if (!flush && d->oom_running) {
+        /* collect everything from oom handler before pushing */
+        return;
+    }
+    if (!flush && d->num_free_res < QXL_FREE_BUNCH_SIZE) {
+        /* collect a bit more before pushing */
+        return;
+    }
+
+    SPICE_RING_PUSH(ring, notify);
+    dprint(d, 2, "free: push %d items, notify %s, ring %d/%d [%d,%d]\n",
+           d->num_free_res, notify ? "yes" : "no",
+           ring->prod - ring->cons, ring->num_items,
+           ring->prod, ring->cons);
+    if (notify) {
+        qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
+    }
+    SPICE_RING_PROD_ITEM(ring, item);
+    *item = 0;
+    d->num_free_res = 0;
+    d->last_release = NULL;
+    qxl_ring_set_dirty(d);
+}
+
+/* called from spice server thread context only */
+static void interface_release_resource(QXLInstance *sin,
+                                       struct QXLReleaseInfoExt ext)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+    QXLReleaseRing *ring;
+    uint64_t *item, id;
+
+    if (ext.group_id == MEMSLOT_GROUP_HOST) {
+        /* host group -> vga mode update request */
+        qemu_spice_destroy_update(&qxl->ssd, (void*)ext.info->id);
+        return;
+    }
+
+    /*
+     * ext->info points into guest-visible memory
+     * pci bar 0, $command.release_info
+     */
+    ring = &qxl->ram->release_ring;
+    SPICE_RING_PROD_ITEM(ring, item);
+    if (*item == 0) {
+        /* stick head into the ring */
+        id = ext.info->id;
+        ext.info->next = 0;
+        qxl_ram_set_dirty(qxl, &ext.info->next);
+        *item = id;
+        qxl_ring_set_dirty(qxl);
+    } else {
+        /* append item to the list */
+        qxl->last_release->next = ext.info->id;
+        qxl_ram_set_dirty(qxl, &qxl->last_release->next);
+        ext.info->next = 0;
+        qxl_ram_set_dirty(qxl, &ext.info->next);
+    }
+    qxl->last_release = ext.info;
+    qxl->num_free_res++;
+    dprint(qxl, 3, "%4d\r", qxl->num_free_res);
+    qxl_push_free_res(qxl, 0);
+}
+
+/* called from spice server thread context only */
+static int interface_get_cursor_command(QXLInstance *sin, struct QXLCommandExt *ext)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+    QXLCursorRing *ring;
+    QXLCommand *cmd;
+    int notify;
+
+    switch (qxl->mode) {
+    case QXL_MODE_COMPAT:
+    case QXL_MODE_NATIVE:
+    case QXL_MODE_UNDEFINED:
+        ring = &qxl->ram->cursor_ring;
+        if (SPICE_RING_IS_EMPTY(ring)) {
+            return false;
+        }
+        SPICE_RING_CONS_ITEM(ring, cmd);
+        ext->cmd      = *cmd;
+        ext->group_id = MEMSLOT_GROUP_GUEST;
+        ext->flags    = qxl->cmdflags;
+        SPICE_RING_POP(ring, notify);
+        qxl_ring_set_dirty(qxl);
+        if (notify) {
+            qxl_send_events(qxl, QXL_INTERRUPT_CURSOR);
+        }
+        qxl->guest_primary.commands++;
+        qxl_track_command(qxl, ext);
+        qxl_log_command(qxl, "csr", ext);
+        if (qxl->id == 0) {
+            qxl_render_cursor(qxl, ext);
+        }
+        return true;
+    default:
+        return false;
+    }
+}
+
+/* called from spice server thread context only */
+static int interface_req_cursor_notification(QXLInstance *sin)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+    int wait = 1;
+
+    switch (qxl->mode) {
+    case QXL_MODE_COMPAT:
+    case QXL_MODE_NATIVE:
+    case QXL_MODE_UNDEFINED:
+        SPICE_RING_CONS_WAIT(&qxl->ram->cursor_ring, wait);
+        qxl_ring_set_dirty(qxl);
+        break;
+    default:
+        /* nothing */
+        break;
+    }
+    return wait;
+}
+
+/* called from spice server thread context */
+static void interface_notify_update(QXLInstance *sin, uint32_t update_id)
+{
+    fprintf(stderr, "%s: abort()\n", __FUNCTION__);
+    abort();
+}
+
+/* called from spice server thread context only */
+static int interface_flush_resources(QXLInstance *sin)
+{
+    PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
+    int ret;
+
+    dprint(qxl, 1, "free: guest flush (have %d)\n", qxl->num_free_res);
+    ret = qxl->num_free_res;
+    if (ret) {
+        qxl_push_free_res(qxl, 1);
+    }
+    return ret;
+}
+
+static const QXLInterface qxl_interface = {
+    .base.type               = SPICE_INTERFACE_QXL,
+    .base.description        = "qxl gpu",
+    .base.major_version      = SPICE_INTERFACE_QXL_MAJOR,
+    .base.minor_version      = SPICE_INTERFACE_QXL_MINOR,
+
+    .attache_worker          = interface_attach_worker,
+    .set_compression_level   = interface_set_compression_level,
+    .set_mm_time             = interface_set_mm_time,
+    .get_init_info           = interface_get_init_info,
+
+    /* the callbacks below are called from spice server thread context */
+    .get_command             = interface_get_command,
+    .req_cmd_notification    = interface_req_cmd_notification,
+    .release_resource        = interface_release_resource,
+    .get_cursor_command      = interface_get_cursor_command,
+    .req_cursor_notification = interface_req_cursor_notification,
+    .notify_update           = interface_notify_update,
+    .flush_resources         = interface_flush_resources,
+};
+
+static void qxl_enter_vga_mode(PCIQXLDevice *d)
+{
+    if (d->mode == QXL_MODE_VGA) {
+        return;
+    }
+    dprint(d, 1, "%s\n", __FUNCTION__);
+    qemu_spice_create_host_primary(&d->ssd);
+    d->mode = QXL_MODE_VGA;
+    memset(&d->ssd.dirty, 0, sizeof(d->ssd.dirty));
+}
+
+static void qxl_exit_vga_mode(PCIQXLDevice *d)
+{
+    if (d->mode != QXL_MODE_VGA) {
+        return;
+    }
+    dprint(d, 1, "%s\n", __FUNCTION__);
+    qxl_destroy_primary(d);
+}
+
+static void qxl_set_irq(PCIQXLDevice *d)
+{
+    uint32_t pending = le32_to_cpu(d->ram->int_pending);
+    uint32_t mask    = le32_to_cpu(d->ram->int_mask);
+    int level = !!(pending & mask);
+    qemu_set_irq(d->pci.irq[0], level);
+    qxl_ring_set_dirty(d);
+}
+
+static void qxl_write_config(PCIDevice *d, uint32_t address,
+                             uint32_t val, int len)
+{
+    PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, d);
+    VGACommonState *vga = &qxl->vga;
+
+    vga_dirty_log_stop(vga);
+    pci_default_write_config(d, address, val, len);
+    if (vga->map_addr && qxl->pci.io_regions[0].addr == -1) {
+        vga->map_addr = 0;
+    }
+    vga_dirty_log_start(vga);
+}
+
+static void qxl_check_state(PCIQXLDevice *d)
+{
+    QXLRam *ram = d->ram;
+
+    assert(SPICE_RING_IS_EMPTY(&ram->cmd_ring));
+    assert(SPICE_RING_IS_EMPTY(&ram->cursor_ring));
+}
+
+static void qxl_reset_state(PCIQXLDevice *d)
+{
+    QXLRam *ram = d->ram;
+    QXLRom *rom = d->rom;
+
+    assert(SPICE_RING_IS_EMPTY(&ram->cmd_ring));
+    assert(SPICE_RING_IS_EMPTY(&ram->cursor_ring));
+    d->shadow_rom.update_id = cpu_to_le32(0);
+    *rom = d->shadow_rom;
+    qxl_rom_set_dirty(d);
+    init_qxl_ram(d);
+    d->num_free_res = 0;
+    d->last_release = NULL;
+    memset(&d->ssd.dirty, 0, sizeof(d->ssd.dirty));
+}
+
+static void qxl_soft_reset(PCIQXLDevice *d)
+{
+    dprint(d, 1, "%s:\n", __FUNCTION__);
+    qxl_check_state(d);
+
+    if (d->id == 0) {
+        qxl_enter_vga_mode(d);
+    } else {
+        d->mode = QXL_MODE_UNDEFINED;
+    }
+}
+
+static void qxl_hard_reset(PCIQXLDevice *d, int loadvm)
+{
+    dprint(d, 1, "%s: start%s\n", __FUNCTION__,
+           loadvm ? " (loadvm)" : "");
+
+    qemu_mutex_unlock_iothread();
+    d->ssd.worker->reset_cursor(d->ssd.worker);
+    d->ssd.worker->reset_image_cache(d->ssd.worker);
+    qemu_mutex_lock_iothread();
+    qxl_reset_surfaces(d);
+    qxl_reset_memslots(d);
+
+    /* pre loadvm reset must not touch QXLRam.  This lives in
+     * device memory, is migrated together with RAM and thus
+     * already loaded at this point */
+    if (!loadvm) {
+        qxl_reset_state(d);
+    }
+    qemu_spice_create_host_memslot(&d->ssd);
+    qxl_soft_reset(d);
+
+    dprint(d, 1, "%s: done\n", __FUNCTION__);
+}
+
+static void qxl_reset_handler(DeviceState *dev)
+{
+    PCIQXLDevice *d = DO_UPCAST(PCIQXLDevice, pci.qdev, dev);
+    qxl_hard_reset(d, 0);
+}
+
+static void qxl_vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+{
+    VGACommonState *vga = opaque;
+    PCIQXLDevice *qxl = container_of(vga, PCIQXLDevice, vga);
+
+    if (qxl->mode != QXL_MODE_VGA) {
+        dprint(qxl, 1, "%s\n", __FUNCTION__);
+        qxl_destroy_primary(qxl);
+        qxl_soft_reset(qxl);
+    }
+    vga_ioport_write(opaque, addr, val);
+}
+
+static void qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta)
+{
+    static const int regions[] = {
+        QXL_RAM_RANGE_INDEX,
+        QXL_VRAM_RANGE_INDEX,
+    };
+    uint64_t guest_start;
+    uint64_t guest_end;
+    int pci_region;
+    pcibus_t pci_start;
+    pcibus_t pci_end;
+    intptr_t virt_start;
+    QXLDevMemSlot memslot;
+    int i;
+
+    guest_start = le64_to_cpu(d->guest_slots[slot_id].slot.mem_start);
+    guest_end   = le64_to_cpu(d->guest_slots[slot_id].slot.mem_end);
+
+    dprint(d, 1, "%s: slot %d: guest phys 0x%" PRIx64 " - 0x%" PRIx64 "\n",
+           __FUNCTION__, slot_id,
+           guest_start, guest_end);
+
+    PANIC_ON(slot_id >= NUM_MEMSLOTS);
+    PANIC_ON(guest_start > guest_end);
+
+    for (i = 0; i < ARRAY_SIZE(regions); i++) {
+        pci_region = regions[i];
+        pci_start = d->pci.io_regions[pci_region].addr;
+        pci_end = pci_start + d->pci.io_regions[pci_region].size;
+        /* mapped? */
+        if (pci_start == -1) {
+            continue;
+        }
+        /* start address in range ? */
+        if (guest_start < pci_start || guest_start > pci_end) {
+            continue;
+        }
+        /* end address in range ? */
+        if (guest_end > pci_end) {
+            continue;
+        }
+        /* passed */
+        break;
+    }
+    PANIC_ON(i == ARRAY_SIZE(regions)); /* finished loop without match */
+
+    switch (pci_region) {
+    case QXL_RAM_RANGE_INDEX:
+        virt_start = (intptr_t)qemu_get_ram_ptr(d->vga.vram_offset);
+        break;
+    case QXL_VRAM_RANGE_INDEX:
+        virt_start = (intptr_t)qemu_get_ram_ptr(d->vram_offset);
+        break;
+    default:
+        /* should not happen */
+        abort();
+    }
+
+    memslot.slot_id = slot_id;
+    memslot.slot_group_id = MEMSLOT_GROUP_GUEST; /* guest group */
+    memslot.virt_start = virt_start + (guest_start - pci_start);
+    memslot.virt_end   = virt_start + (guest_end   - pci_start);
+    memslot.addr_delta = memslot.virt_start - delta;
+    memslot.generation = d->rom->slot_generation = 0;
+    qxl_rom_set_dirty(d);
+
+    dprint(d, 1, "%s: slot %d: host virt 0x%" PRIx64 " - 0x%" PRIx64 "\n",
+           __FUNCTION__, memslot.slot_id,
+           memslot.virt_start, memslot.virt_end);
+
+    d->ssd.worker->add_memslot(d->ssd.worker, &memslot);
+    d->guest_slots[slot_id].ptr = (void*)memslot.virt_start;
+    d->guest_slots[slot_id].size = memslot.virt_end - memslot.virt_start;
+    d->guest_slots[slot_id].delta = delta;
+    d->guest_slots[slot_id].active = 1;
+}
+
+static void qxl_del_memslot(PCIQXLDevice *d, uint32_t slot_id)
+{
+    dprint(d, 1, "%s: slot %d\n", __FUNCTION__, slot_id);
+    d->ssd.worker->del_memslot(d->ssd.worker, MEMSLOT_GROUP_HOST, slot_id);
+    d->guest_slots[slot_id].active = 0;
+}
+
+static void qxl_reset_memslots(PCIQXLDevice *d)
+{
+    dprint(d, 1, "%s:\n", __FUNCTION__);
+    d->ssd.worker->reset_memslots(d->ssd.worker);
+    memset(&d->guest_slots, 0, sizeof(d->guest_slots));
+}
+
+static void qxl_reset_surfaces(PCIQXLDevice *d)
+{
+    dprint(d, 1, "%s:\n", __FUNCTION__);
+    d->mode = QXL_MODE_UNDEFINED;
+    qemu_mutex_unlock_iothread();
+    d->ssd.worker->destroy_surfaces(d->ssd.worker);
+    qemu_mutex_lock_iothread();
+    memset(&d->guest_surfaces.cmds, 0, sizeof(d->guest_surfaces.cmds));
+}
+
+/* called from spice server thread context only */
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+{
+    uint64_t phys   = le64_to_cpu(pqxl);
+    uint32_t slot   = (phys >> (64 -  8)) & 0xff;
+    uint64_t offset = phys & 0xffffffffffff;
+
+    switch (group_id) {
+    case MEMSLOT_GROUP_HOST:
+        return (void*)offset;
+    case MEMSLOT_GROUP_GUEST:
+        PANIC_ON(slot > NUM_MEMSLOTS);
+        PANIC_ON(!qxl->guest_slots[slot].active);
+        PANIC_ON(offset < qxl->guest_slots[slot].delta);
+        offset -= qxl->guest_slots[slot].delta;
+        PANIC_ON(offset > qxl->guest_slots[slot].size)
+        return qxl->guest_slots[slot].ptr + offset;
+    default:
+        PANIC_ON(1);
+    }
+}
+
+static void qxl_create_guest_primary(PCIQXLDevice *qxl, int loadvm)
+{
+    QXLDevSurfaceCreate surface;
+    QXLSurfaceCreate *sc = &qxl->guest_primary.surface;
+
+    assert(qxl->mode != QXL_MODE_NATIVE);
+    qxl_exit_vga_mode(qxl);
+
+    dprint(qxl, 1, "%s: %dx%d\n", __FUNCTION__,
+           le32_to_cpu(sc->width), le32_to_cpu(sc->height));
+
+    surface.format     = le32_to_cpu(sc->format);
+    surface.height     = le32_to_cpu(sc->height);
+    surface.mem        = le64_to_cpu(sc->mem);
+    surface.position   = le32_to_cpu(sc->position);
+    surface.stride     = le32_to_cpu(sc->stride);
+    surface.width      = le32_to_cpu(sc->width);
+    surface.type       = le32_to_cpu(sc->type);
+    surface.flags      = le32_to_cpu(sc->flags);
+
+    surface.mouse_mode = true;
+    surface.group_id   = MEMSLOT_GROUP_GUEST;
+    if (loadvm) {
+        surface.flags |= QXL_SURF_FLAG_KEEP_DATA;
+    }
+
+    qxl->mode = QXL_MODE_NATIVE;
+    qxl->cmdflags = 0;
+    qxl->ssd.worker->create_primary_surface(qxl->ssd.worker, 0, &surface);
+
+    /* for local rendering */
+    qxl_render_resize(qxl);
+}
+
+static void qxl_destroy_primary(PCIQXLDevice *d)
+{
+    if (d->mode == QXL_MODE_UNDEFINED) {
+        return;
+    }
+
+    dprint(d, 1, "%s\n", __FUNCTION__);
+
+    d->mode = QXL_MODE_UNDEFINED;
+    d->ssd.worker->destroy_primary_surface(d->ssd.worker, 0);
+}
+
+static void qxl_set_mode(PCIQXLDevice *d, int modenr, int loadvm)
+{
+    pcibus_t start = d->pci.io_regions[QXL_RAM_RANGE_INDEX].addr;
+    pcibus_t end   = d->pci.io_regions[QXL_RAM_RANGE_INDEX].size + start;
+    QXLMode *mode = d->modes->modes + modenr;
+    uint64_t devmem = d->pci.io_regions[QXL_RAM_RANGE_INDEX].addr;
+    QXLMemSlot slot = {
+        .mem_start = start,
+        .mem_end = end
+    };
+    QXLSurfaceCreate surface = {
+        .width      = mode->x_res,
+        .height     = mode->y_res,
+        .stride     = -mode->x_res * 4,
+        .format     = SPICE_SURFACE_FMT_32_xRGB,
+        .flags      = loadvm ? QXL_SURF_FLAG_KEEP_DATA : 0,
+        .mouse_mode = true,
+        .mem        = devmem + d->shadow_rom.draw_area_offset,
+    };
+
+    dprint(d, 1, "%s: mode %d  [ %d x %d @ %d bpp devmem 0x%lx ]\n", __FUNCTION__,
+           modenr, mode->x_res, mode->y_res, mode->bits, devmem);
+    if (!loadvm) {
+        qxl_hard_reset(d, 0);
+    }
+
+    d->guest_slots[0].slot = slot;
+    qxl_add_memslot(d, 0, devmem);
+
+    d->guest_primary.surface = surface;
+    qxl_create_guest_primary(d, 0);
+
+    d->mode = QXL_MODE_COMPAT;
+    d->cmdflags = QXL_COMMAND_FLAG_COMPAT;
+#ifdef QXL_COMMAND_FLAG_COMPAT_16BPP /* new in spice 0.6.1 */
+    if (mode->bits == 16) {
+        d->cmdflags |= QXL_COMMAND_FLAG_COMPAT_16BPP;
+    }
+#endif
+    d->shadow_rom.mode = cpu_to_le32(modenr);
+    d->rom->mode = cpu_to_le32(modenr);
+    qxl_rom_set_dirty(d);
+}
+
+static void ioport_write(void *opaque, uint32_t addr, uint32_t val)
+{
+    PCIQXLDevice *d = opaque;
+    uint32_t io_port = addr - d->io_base;
+
+    switch (io_port) {
+    case QXL_IO_RESET:
+    case QXL_IO_SET_MODE:
+    case QXL_IO_MEMSLOT_ADD:
+    case QXL_IO_MEMSLOT_DEL:
+    case QXL_IO_CREATE_PRIMARY:
+        break;
+    default:
+        if (d->mode == QXL_MODE_NATIVE || d->mode == QXL_MODE_COMPAT)
+            break;
+        dprint(d, 1, "%s: unexpected port 0x%x in vga mode\n", __FUNCTION__, io_port);
+        return;
+    }
+
+    switch (io_port) {
+    case QXL_IO_UPDATE_AREA:
+    {
+        QXLRect update = d->ram->update_area;
+        qemu_mutex_unlock_iothread();
+        d->ssd.worker->update_area(d->ssd.worker, d->ram->update_surface,
+                                   &update, NULL, 0, 0);
+        qemu_mutex_lock_iothread();
+        break;
+    }
+    case QXL_IO_NOTIFY_CMD:
+        d->ssd.worker->wakeup(d->ssd.worker);
+        break;
+    case QXL_IO_NOTIFY_CURSOR:
+        d->ssd.worker->wakeup(d->ssd.worker);
+        break;
+    case QXL_IO_UPDATE_IRQ:
+        qxl_set_irq(d);
+        break;
+    case QXL_IO_NOTIFY_OOM:
+        if (!SPICE_RING_IS_EMPTY(&d->ram->release_ring)) {
+            break;
+        }
+        pthread_yield();
+        if (!SPICE_RING_IS_EMPTY(&d->ram->release_ring)) {
+            break;
+        }
+        d->oom_running = 1;
+        d->ssd.worker->oom(d->ssd.worker);
+        d->oom_running = 0;
+        break;
+    case QXL_IO_SET_MODE:
+        dprint(d, 1, "QXL_SET_MODE %d\n", val);
+        qxl_set_mode(d, val, 0);
+        break;
+    case QXL_IO_LOG:
+        if (d->guestdebug) {
+            fprintf(stderr, "qxl/guest: %s", d->ram->log_buf);
+        }
+        break;
+    case QXL_IO_RESET:
+        dprint(d, 1, "QXL_IO_RESET\n");
+        qxl_hard_reset(d, 0);
+        break;
+    case QXL_IO_MEMSLOT_ADD:
+        PANIC_ON(val >= NUM_MEMSLOTS);
+        PANIC_ON(d->guest_slots[val].active);
+        d->guest_slots[val].slot = d->ram->mem_slot;
+        qxl_add_memslot(d, val, 0);
+        break;
+    case QXL_IO_MEMSLOT_DEL:
+        qxl_del_memslot(d, val);
+        break;
+    case QXL_IO_CREATE_PRIMARY:
+        PANIC_ON(val != 0);
+        dprint(d, 1, "QXL_IO_CREATE_PRIMARY\n");
+        d->guest_primary.surface = d->ram->create_surface;
+        qxl_create_guest_primary(d, 0);
+        break;
+    case QXL_IO_DESTROY_PRIMARY:
+        PANIC_ON(val != 0);
+        dprint(d, 1, "QXL_IO_DESTROY_PRIMARY\n");
+        qxl_destroy_primary(d);
+        break;
+    case QXL_IO_DESTROY_SURFACE_WAIT:
+        d->ssd.worker->destroy_surface_wait(d->ssd.worker, val);
+        break;
+    case QXL_IO_DESTROY_ALL_SURFACES:
+        d->ssd.worker->destroy_surfaces(d->ssd.worker);
+        break;
+    default:
+        fprintf(stderr, "%s: ioport=0x%x, abort()\n", __FUNCTION__, io_port);
+        abort();
+    }
+}
+
+static uint32_t ioport_read(void *opaque, uint32_t addr)
+{
+    PCIQXLDevice *d = opaque;
+
+    dprint(d, 1, "%s: unexpected\n", __FUNCTION__);
+    return 0xff;
+}
+
+static void qxl_map(PCIDevice *pci, int region_num,
+                    pcibus_t addr, pcibus_t size, int type)
+{
+    static const char *names[] = {
+        [ QXL_IO_RANGE_INDEX ]   = "ioports",
+        [ QXL_RAM_RANGE_INDEX ]  = "devram",
+        [ QXL_ROM_RANGE_INDEX ]  = "rom",
+        [ QXL_VRAM_RANGE_INDEX ] = "vram",
+    };
+    PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, pci);
+
+    dprint(qxl, 1, "%s: bar %d [%s] addr 0x%lx size 0x%lx\n", __FUNCTION__,
+            region_num, names[region_num], addr, size);
+
+    switch (region_num) {
+    case QXL_IO_RANGE_INDEX:
+        register_ioport_write(addr, size, 1, ioport_write, pci);
+        register_ioport_read(addr, size, 1, ioport_read, pci);
+        qxl->io_base = addr;
+        break;
+    case QXL_RAM_RANGE_INDEX:
+        cpu_register_physical_memory(addr, size, qxl->vga.vram_offset | IO_MEM_RAM);
+        qxl->vga.map_addr = addr;
+        qxl->vga.map_end = addr + size;
+        if (qxl->id == 0) {
+            vga_dirty_log_start(&qxl->vga);
+        }
+        break;
+    case QXL_ROM_RANGE_INDEX:
+        cpu_register_physical_memory(addr, size, qxl->rom_offset | IO_MEM_ROM);
+        break;
+    case QXL_VRAM_RANGE_INDEX:
+        cpu_register_physical_memory(addr, size, qxl->vram_offset | IO_MEM_RAM);
+        break;
+    }
+}
+
+static void pipe_read(void *opaque)
+{
+    PCIQXLDevice *d = opaque;
+    char dummy;
+    int len;
+
+    do {
+        len = read(d->pipe[0], &dummy, sizeof(dummy));
+    } while (len == sizeof(dummy));
+    qxl_set_irq(d);
+}
+
+/* called from spice server thread context only */
+static void qxl_send_events(PCIQXLDevice *d, uint32_t events)
+{
+    uint32_t old_pending;
+    uint32_t le_events = cpu_to_le32(events);
+
+    assert(d->ssd.running);
+    old_pending = __sync_fetch_and_or(&d->ram->int_pending, le_events);
+    if ((old_pending & le_events) == le_events) {
+        return;
+    }
+    if (pthread_self() == d->main) {
+        qxl_set_irq(d);
+    } else {
+        if (write(d->pipe[1], d, 1) != 1) {
+            dprint(d, 1, "%s: write to pipe failed\n", __FUNCTION__);
+        }
+    }
+}
+
+static void init_pipe_signaling(PCIQXLDevice *d)
+{
+   if (pipe(d->pipe) < 0) {
+       dprint(d, 1, "%s: pipe creation failed\n", __FUNCTION__);
+       return;
+   }
+#ifdef CONFIG_IOTHREAD
+   fcntl(d->pipe[0], F_SETFL, O_NONBLOCK);
+#else
+   fcntl(d->pipe[0], F_SETFL, O_NONBLOCK /* | O_ASYNC */);
+#endif
+   fcntl(d->pipe[1], F_SETFL, O_NONBLOCK);
+   fcntl(d->pipe[0], F_SETOWN, getpid());
+
+   d->main = pthread_self();
+   qemu_set_fd_handler(d->pipe[0], pipe_read, NULL, d);
+}
+
+/* graphics console */
+
+static void qxl_hw_update(void *opaque)
+{
+    PCIQXLDevice *qxl = opaque;
+    VGACommonState *vga = &qxl->vga;
+
+    switch (qxl->mode) {
+    case QXL_MODE_VGA:
+        vga->update(vga);
+        break;
+    case QXL_MODE_COMPAT:
+    case QXL_MODE_NATIVE:
+        qxl_render_update(qxl);
+        break;
+    default:
+        break;
+    }
+}
+
+static void qxl_hw_invalidate(void *opaque)
+{
+    PCIQXLDevice *qxl = opaque;
+    VGACommonState *vga = &qxl->vga;
+
+    vga->invalidate(vga);
+}
+
+static void qxl_hw_screen_dump(void *opaque, const char *filename)
+{
+    PCIQXLDevice *qxl = opaque;
+    VGACommonState *vga = &qxl->vga;
+
+    switch (qxl->mode) {
+    case QXL_MODE_COMPAT:
+    case QXL_MODE_NATIVE:
+        qxl_render_update(qxl);
+        ppm_save(filename, qxl->ssd.ds->surface);
+        break;
+    case QXL_MODE_VGA:
+        vga->screen_dump(vga, filename);
+        break;
+    default:
+        break;
+    }
+}
+
+static void qxl_hw_text_update(void *opaque, console_ch_t *chardata)
+{
+    PCIQXLDevice *qxl = opaque;
+    VGACommonState *vga = &qxl->vga;
+
+    if (qxl->mode == QXL_MODE_VGA) {
+        vga->text_update(vga, chardata);
+        return;
+    }
+}
+
+static void qxl_vm_change_state_handler(void *opaque, int running, int reason)
+{
+    PCIQXLDevice *qxl = opaque;
+    qemu_spice_vm_change_state_handler(&qxl->ssd, running, reason);
+
+    if (!running && qxl->mode == QXL_MODE_NATIVE) {
+        /* dirty all vram (which holds surfaces) to make sure it is saved */
+        /* FIXME #1: should go out during "live" stage */
+        /* FIXME #2: we only need to save the areas which are actually used */
+        ram_addr_t addr = qxl->vram_offset;
+        qxl_set_dirty(addr, addr + qxl->vram_size);
+    }
+}
+
+/* display change listener */
+
+static void display_update(struct DisplayState *ds, int x, int y, int w, int h)
+{
+    if (qxl0->mode == QXL_MODE_VGA) {
+        qemu_spice_display_update(&qxl0->ssd, x, y, w, h);
+    }
+}
+
+static void display_resize(struct DisplayState *ds)
+{
+    if (qxl0->mode == QXL_MODE_VGA) {
+        qemu_spice_display_resize(&qxl0->ssd);
+    }
+}
+
+static void display_refresh(struct DisplayState *ds)
+{
+    if (qxl0->mode == QXL_MODE_VGA) {
+        qemu_spice_display_refresh(&qxl0->ssd);
+    }
+}
+
+static DisplayChangeListener display_listener = {
+    .dpy_update  = display_update,
+    .dpy_resize  = display_resize,
+    .dpy_refresh = display_refresh,
+};
+
+static int qxl_init_common(PCIQXLDevice *qxl)
+{
+    uint8_t* config = qxl->pci.config;
+    uint32_t pci_device_id;
+    uint32_t pci_device_rev;
+    uint32_t io_size;
+
+    qxl->mode = QXL_MODE_UNDEFINED;
+    qxl->generation = 1;
+    qxl->num_memslots = NUM_MEMSLOTS;
+    qxl->num_surfaces = NUM_SURFACES;
+
+    switch (qxl->revision) {
+    case 1: /* spice 0.4 -- qxl-1 */
+        pci_device_id  = QXL_DEVICE_ID_STABLE;
+        pci_device_rev = QXL_REVISION_STABLE_V04;
+        break;
+    case 2: /* spice 0.6 -- qxl-2 */
+        pci_device_id  = QXL_DEVICE_ID_STABLE;
+        pci_device_rev = QXL_REVISION_STABLE_V06;
+        break;
+    default: /* experimental */
+        pci_device_id  = QXL_DEVICE_ID_DEVEL;
+        pci_device_rev = 1;
+        break;
+    }
+
+    pci_config_set_vendor_id(config, REDHAT_PCI_VENDOR_ID);
+    pci_config_set_device_id(config, pci_device_id);
+    pci_set_byte(&config[PCI_REVISION_ID], pci_device_rev);
+    pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
+
+    qxl->rom_size = qxl_rom_size();
+    qxl->rom_offset = qemu_ram_alloc(&qxl->pci.qdev, "qxl.vrom", qxl->rom_size);
+    init_qxl_rom(qxl);
+    init_qxl_ram(qxl);
+
+    if (qxl->vram_size < 16 * 1024 * 1024) {
+        qxl->vram_size = 16 * 1024 * 1024;
+    }
+    if (qxl->revision == 1) {
+        qxl->vram_size = 4096;
+    }
+    qxl->vram_size = msb_mask(qxl->vram_size * 2 - 1);
+    qxl->vram_offset = qemu_ram_alloc(&qxl->pci.qdev, "qxl.vram", qxl->vram_size);
+
+    io_size = msb_mask(QXL_IO_RANGE_SIZE * 2 - 1);
+    if (qxl->revision == 1) {
+        io_size = 8;
+    }
+
+    pci_register_bar(&qxl->pci, QXL_IO_RANGE_INDEX,
+                     io_size, PCI_BASE_ADDRESS_SPACE_IO, qxl_map);
+
+    pci_register_bar(&qxl->pci, QXL_ROM_RANGE_INDEX,
+                     qxl->rom_size, PCI_BASE_ADDRESS_SPACE_MEMORY,
+                     qxl_map);
+
+    pci_register_bar(&qxl->pci, QXL_RAM_RANGE_INDEX,
+                     qxl->vga.vram_size, PCI_BASE_ADDRESS_SPACE_MEMORY,
+                     qxl_map);
+
+    pci_register_bar(&qxl->pci, QXL_VRAM_RANGE_INDEX, qxl->vram_size,
+                     PCI_BASE_ADDRESS_SPACE_MEMORY, qxl_map);
+
+    qxl->ssd.qxl.base.sif = &qxl_interface.base;
+    qxl->ssd.qxl.id = qxl->id;
+    qemu_spice_add_interface(&qxl->ssd.qxl.base);
+    qemu_add_vm_change_state_handler(qxl_vm_change_state_handler, qxl);
+
+    init_pipe_signaling(qxl);
+    qxl_reset_state(qxl);
+
+    return 0;
+}
+
+static int qxl_init_primary(PCIDevice *dev)
+{
+    PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, dev);
+    VGACommonState *vga = &qxl->vga;
+    ram_addr_t ram_size = msb_mask(qxl->vga.vram_size * 2 - 1);
+
+    qxl->id = 0;
+
+    if (ram_size < 32 * 1024 * 1024) {
+        ram_size = 32 * 1024 * 1024;
+    }
+    vga_common_init(vga, ram_size);
+    vga_init(vga);
+    register_ioport_write(0x3c0, 16, 1, qxl_vga_ioport_write, vga);
+    register_ioport_write(0x3b4,  2, 1, qxl_vga_ioport_write, vga);
+    register_ioport_write(0x3d4,  2, 1, qxl_vga_ioport_write, vga);
+    register_ioport_write(0x3ba,  1, 1, qxl_vga_ioport_write, vga);
+    register_ioport_write(0x3da,  1, 1, qxl_vga_ioport_write, vga);
+
+    vga->ds = graphic_console_init(qxl_hw_update, qxl_hw_invalidate,
+                                   qxl_hw_screen_dump, qxl_hw_text_update, qxl);
+    qxl->ssd.ds = vga->ds;
+    qxl->ssd.bufsize = (16 * 1024 * 1024);
+    qxl->ssd.buf = qemu_malloc(qxl->ssd.bufsize);
+
+    qxl0 = qxl;
+    register_displaychangelistener(vga->ds, &display_listener);
+
+    pci_config_set_class(dev->config, PCI_CLASS_DISPLAY_VGA);
+    return qxl_init_common(qxl);
+}
+
+static int qxl_init_secondary(PCIDevice *dev)
+{
+    static int device_id = 1;
+    PCIQXLDevice *qxl = DO_UPCAST(PCIQXLDevice, pci, dev);
+    ram_addr_t ram_size = msb_mask(qxl->vga.vram_size * 2 - 1);
+
+    qxl->id = device_id++;
+
+    if (ram_size < 16 * 1024 * 1024) {
+        ram_size = 16 * 1024 * 1024;
+    }
+    qxl->vga.vram_size = ram_size;
+    qxl->vga.vram_offset = qemu_ram_alloc(&qxl->pci.qdev, "qxl.vgavram",
+                                          qxl->vga.vram_size);
+    qxl->vga.vram_ptr = qemu_get_ram_ptr(qxl->vga.vram_offset);
+
+    pci_config_set_class(dev->config, PCI_CLASS_DISPLAY_OTHER);
+    return qxl_init_common(qxl);
+}
+
+static void qxl_pre_save(void *opaque)
+{
+    PCIQXLDevice* d = opaque;
+    uint8_t *ram_start = d->vga.vram_ptr;
+
+    dprint(d, 1, "%s:\n", __FUNCTION__);
+    if (d->last_release == NULL) {
+        d->last_release_offset = 0;
+    } else {
+        d->last_release_offset = (uint8_t *)d->last_release - ram_start;
+    }
+    assert(d->last_release_offset < d->vga.vram_size);
+}
+
+static int qxl_pre_load(void *opaque)
+{
+    PCIQXLDevice* d = opaque;
+
+    dprint(d, 1, "%s: start\n", __FUNCTION__);
+    qxl_hard_reset(d, 1);
+    qxl_exit_vga_mode(d);
+    dprint(d, 1, "%s: done\n", __FUNCTION__);
+    return 0;
+}
+
+static int qxl_post_load(void *opaque, int version)
+{
+    PCIQXLDevice* d = opaque;
+    uint8_t *ram_start = d->vga.vram_ptr;
+    QXLCommandExt *cmds;
+    int in, out, i, newmode;
+
+    dprint(d, 1, "%s: start\n", __FUNCTION__);
+
+    assert(d->last_release_offset < d->vga.vram_size);
+    if (d->last_release_offset == 0) {
+        d->last_release = NULL;
+    } else {
+        d->last_release = (QXLReleaseInfo *)(ram_start + d->last_release_offset);
+    }
+
+    d->modes = (QXLModes*)((uint8_t*)d->rom + d->rom->modes_offset);
+
+    dprint(d, 1, "%s: restore mode\n", __FUNCTION__);
+    newmode = d->mode;
+    d->mode = QXL_MODE_UNDEFINED;
+    switch (newmode) {
+    case QXL_MODE_UNDEFINED:
+        break;
+    case QXL_MODE_VGA:
+        qxl_enter_vga_mode(d);
+        break;
+    case QXL_MODE_NATIVE:
+        for (i = 0; i < NUM_MEMSLOTS; i++) {
+            if (!d->guest_slots[i].active) {
+                continue;
+            }
+            qxl_add_memslot(d, i, 0);
+        }
+        qxl_create_guest_primary(d, 1);
+
+        /* replay surface-create and cursor-set commands */
+        cmds = qemu_mallocz(sizeof(QXLCommandExt) * (NUM_SURFACES + 1));
+        for (in = 0, out = 0; in < NUM_SURFACES; in++) {
+            if (d->guest_surfaces.cmds[in] == 0) {
+                continue;
+            }
+            cmds[out].cmd.data = d->guest_surfaces.cmds[in];
+            cmds[out].cmd.type = QXL_CMD_SURFACE;
+            cmds[out].group_id = MEMSLOT_GROUP_GUEST;
+            out++;
+        }
+        cmds[out].cmd.data = d->guest_cursor;
+        cmds[out].cmd.type = QXL_CMD_CURSOR;
+        cmds[out].group_id = MEMSLOT_GROUP_GUEST;
+        out++;
+        d->ssd.worker->loadvm_commands(d->ssd.worker, cmds, out);
+        qemu_free(cmds);
+
+        break;
+    case QXL_MODE_COMPAT:
+        qxl_set_mode(d, d->shadow_rom.mode, 1);
+        break;
+    }
+    dprint(d, 1, "%s: done\n", __FUNCTION__);
+
+    /* spice 0.4 compatibility -- accept but ignore */
+    qemu_free(d->worker_data);
+    d->worker_data = NULL;
+    d->worker_data_size = 0;
+
+    return 0;
+}
+
+#define QXL_SAVE_VERSION 20
+
+static bool qxl_test_worker_data(void *opaque, int version_id)
+{
+    PCIQXLDevice* d = opaque;
+
+    if (d->revision != 1) {
+        return false;
+    }
+    if (!d->worker_data_size) {
+        return false;
+    }
+    if (!d->worker_data) {
+        d->worker_data = qemu_malloc(d->worker_data_size);
+    }
+    return true;
+}
+
+static bool qxl_test_spice04(void *opaque, int version_id)
+{
+    PCIQXLDevice* d = opaque;
+    return d->revision == 1;
+}
+
+static bool qxl_test_spice06(void *opaque)
+{
+    PCIQXLDevice* d = opaque;
+    return d->revision > 1;
+}
+
+static VMStateDescription qxl_memslot = {
+    .name               = "qxl-memslot",
+    .version_id         = QXL_SAVE_VERSION,
+    .minimum_version_id = QXL_SAVE_VERSION,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(slot.mem_start, struct guest_slots),
+        VMSTATE_UINT64(slot.mem_end,   struct guest_slots),
+        VMSTATE_UINT32(active,         struct guest_slots),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static VMStateDescription qxl_surface = {
+    .name               = "qxl-surface",
+    .version_id         = QXL_SAVE_VERSION,
+    .minimum_version_id = QXL_SAVE_VERSION,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(width,      QXLSurfaceCreate),
+        VMSTATE_UINT32(height,     QXLSurfaceCreate),
+        VMSTATE_INT32(stride,      QXLSurfaceCreate),
+        VMSTATE_UINT32(format,     QXLSurfaceCreate),
+        VMSTATE_UINT32(position,   QXLSurfaceCreate),
+        VMSTATE_UINT32(mouse_mode, QXLSurfaceCreate),
+        VMSTATE_UINT32(flags,      QXLSurfaceCreate),
+        VMSTATE_UINT32(type,       QXLSurfaceCreate),
+        VMSTATE_UINT64(mem,        QXLSurfaceCreate),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static VMStateDescription qxl_vmstate_spice06 = {
+    .name               = "qxl/spice06",
+    .version_id         = QXL_SAVE_VERSION,
+    .minimum_version_id = QXL_SAVE_VERSION,
+    .fields = (VMStateField []) {
+        VMSTATE_INT32_EQUAL(num_memslots, PCIQXLDevice),
+        VMSTATE_STRUCT_ARRAY(guest_slots, PCIQXLDevice, NUM_MEMSLOTS, 0,
+                             qxl_memslot, struct guest_slots),
+        VMSTATE_STRUCT(guest_primary.surface, PCIQXLDevice, 0,
+                       qxl_surface, QXLSurfaceCreate),
+        VMSTATE_INT32_EQUAL(num_surfaces, PCIQXLDevice),
+        VMSTATE_ARRAY(guest_surfaces.cmds, PCIQXLDevice, NUM_SURFACES, 0,
+                      vmstate_info_uint64, uint64_t),
+        VMSTATE_UINT64(guest_cursor, PCIQXLDevice),
+        VMSTATE_END_OF_LIST()
+    },
+};
+
+static VMStateDescription qxl_vmstate = {
+    .name               = "qxl",
+    .version_id         = QXL_SAVE_VERSION,
+    .minimum_version_id = QXL_SAVE_VERSION,
+    .pre_save           = qxl_pre_save,
+    .pre_load           = qxl_pre_load,
+    .post_load          = qxl_post_load,
+    .fields = (VMStateField []) {
+        VMSTATE_PCI_DEVICE(pci, PCIQXLDevice),
+        VMSTATE_STRUCT(vga, PCIQXLDevice, 0, vmstate_vga_common, VGACommonState),
+        VMSTATE_UINT32(shadow_rom.mode, PCIQXLDevice),
+        VMSTATE_UINT32(num_free_res, PCIQXLDevice),
+        VMSTATE_UINT32(last_release_offset, PCIQXLDevice),
+        VMSTATE_UINT32(mode, PCIQXLDevice),
+        VMSTATE_UINT32(ssd.unique, PCIQXLDevice),
+
+        /* spice 0.4 sends/expects them */
+        VMSTATE_VBUFFER_UINT32(vga.vram_ptr, PCIQXLDevice, 0, qxl_test_spice04, 0,
+                               vga.vram_size),
+        VMSTATE_UINT32_TEST(worker_data_size, PCIQXLDevice, qxl_test_spice04),
+        VMSTATE_VBUFFER_UINT32(worker_data, PCIQXLDevice, 0, qxl_test_worker_data, 0,
+                               worker_data_size),
+
+        VMSTATE_END_OF_LIST()
+    },
+    .subsections = (VMStateSubsection[]) {
+        {
+            /* additional spice 0.6 state */
+            .vmsd   = &qxl_vmstate_spice06,
+            .needed = qxl_test_spice06,
+        },{
+            /* end of list */
+        },
+    },
+};
+
+static PCIDeviceInfo qxl_info_primary = {
+    .qdev.name    = "qxl-vga",
+    .qdev.desc    = "Spice QXL GPU (primary, vga compatible)",
+    .qdev.size    = sizeof(PCIQXLDevice),
+    .qdev.reset   = qxl_reset_handler,
+    .qdev.vmsd    = &qxl_vmstate,
+    .init         = qxl_init_primary,
+    .config_write = qxl_write_config,
+    .romfile      = "vgabios-qxl.bin",
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT32("ram_size", PCIQXLDevice, vga.vram_size, 64 * 1024 * 1024),
+        DEFINE_PROP_UINT32("vram_size", PCIQXLDevice, vram_size, 64 * 1024 * 1024),
+        DEFINE_PROP_UINT32("revision", PCIQXLDevice, revision, 2),
+        DEFINE_PROP_UINT32("debug", PCIQXLDevice, debug, 0),
+        DEFINE_PROP_UINT32("guestdebug", PCIQXLDevice, guestdebug, 0),
+        DEFINE_PROP_UINT32("cmdlog", PCIQXLDevice, cmdlog, 0),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static PCIDeviceInfo qxl_info_secondary = {
+    .qdev.name    = "qxl",
+    .qdev.desc    = "Spice QXL GPU (secondary)",
+    .qdev.size    = sizeof(PCIQXLDevice),
+    .qdev.reset   = qxl_reset_handler,
+    .qdev.vmsd    = &qxl_vmstate,
+    .init         = qxl_init_secondary,
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT32("ram_size", PCIQXLDevice, vga.vram_size, 64 * 1024 * 1024),
+        DEFINE_PROP_UINT32("vram_size", PCIQXLDevice, vram_size, 64 * 1024 * 1024),
+        DEFINE_PROP_UINT32("revision", PCIQXLDevice, revision, 2),
+        DEFINE_PROP_UINT32("debug", PCIQXLDevice, debug, 0),
+        DEFINE_PROP_UINT32("guestdebug", PCIQXLDevice, guestdebug, 0),
+        DEFINE_PROP_UINT32("cmdlog", PCIQXLDevice, cmdlog, 0),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void qxl_register(void)
+{
+    pci_qdev_register(&qxl_info_primary);
+    pci_qdev_register(&qxl_info_secondary);
+}
+
+device_init(qxl_register);
diff --git a/hw/qxl.h b/hw/qxl.h
new file mode 100644
index 0000000..98e11ce
--- /dev/null
+++ b/hw/qxl.h
@@ -0,0 +1,112 @@
+#include "qemu-common.h"
+
+#include "console.h"
+#include "hw.h"
+#include "pci.h"
+#include "vga_int.h"
+
+#include "ui/qemu-spice.h"
+#include "ui/spice-display.h"
+
+enum qxl_mode {
+    QXL_MODE_UNDEFINED,
+    QXL_MODE_VGA,
+    QXL_MODE_COMPAT, /* spice 0.4.x */
+    QXL_MODE_NATIVE,
+};
+
+typedef struct PCIQXLDevice {
+    PCIDevice          pci;
+    SimpleSpiceDisplay ssd;
+    int                id;
+    uint32_t           debug;
+    uint32_t           guestdebug;
+    uint32_t           cmdlog;
+    enum qxl_mode      mode;
+    uint32_t           cmdflags;
+    int                generation;
+    uint32_t           revision;
+
+    int32_t            num_memslots;
+    int32_t            num_surfaces;
+
+    struct guest_slots {
+        QXLMemSlot     slot;
+        void           *ptr;
+        uint64_t       size;
+        uint64_t       delta;
+        uint32_t       active;
+    } guest_slots[NUM_MEMSLOTS];
+
+    struct guest_primary {
+        QXLSurfaceCreate surface;
+        uint32_t       commands;
+        uint32_t       resized;
+        int32_t        stride;
+        uint32_t       bits_pp;
+        uint32_t       bytes_pp;
+        uint8_t        *data, *flipped;
+    } guest_primary;
+
+    struct surfaces {
+        QXLPHYSICAL    cmds[NUM_SURFACES];
+        uint32_t       count;
+        uint32_t       max;
+    } guest_surfaces;
+    QXLPHYSICAL        guest_cursor;
+
+    /* thread signaling */
+    pthread_t          main;
+    int                pipe[2];
+
+    /* ram pci bar */
+    QXLRam             *ram;
+    VGACommonState     vga;
+    uint32_t           num_free_res;
+    QXLReleaseInfo     *last_release;
+    uint32_t           last_release_offset;
+    uint32_t           oom_running;
+
+    /* rom pci bar */
+    QXLRom             shadow_rom;
+    QXLRom             *rom;
+    QXLModes           *modes;
+    uint32_t           rom_size;
+    uint64_t           rom_offset;
+
+    /* vram pci bar */
+    uint32_t           vram_size;
+    uint64_t           vram_offset;
+
+    /* io bar */
+    uint32_t           io_base;
+
+    /* spice 0.4 loadvm compatibility */
+    void               *worker_data;
+    uint32_t           worker_data_size;
+} PCIQXLDevice;
+
+#define PANIC_ON(x) if ((x)) {                         \
+    printf("%s: PANIC %s failed\n", __FUNCTION__, #x); \
+    exit(-1);                                          \
+}
+
+#define dprint(_qxl, _level, _fmt, ...)                                 \
+    do {                                                                \
+        if (_qxl->debug >= _level) {                                    \
+            fprintf(stderr, "qxl-%d: ", _qxl->id);                      \
+            fprintf(stderr, _fmt, ## __VA_ARGS__);                      \
+        }                                                               \
+    } while (0)
+
+/* qxl.c */
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
+
+/* qxl-logger.c */
+void qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id);
+void qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext);
+
+/* qxl-render.c */
+void qxl_render_resize(PCIQXLDevice *qxl);
+void qxl_render_update(PCIQXLDevice *qxl);
+void qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext);
diff --git a/hw/vga_int.h b/hw/vga_int.h
index bc1327f..1067f2c 100644
--- a/hw/vga_int.h
+++ b/hw/vga_int.h
@@ -106,7 +106,7 @@ typedef void (* vga_update_retrace_info_fn)(struct VGACommonState *s);
 typedef struct VGACommonState {
     uint8_t *vram_ptr;
     ram_addr_t vram_offset;
-    unsigned int vram_size;
+    uint32_t vram_size;
     uint32_t lfb_addr;
     uint32_t lfb_end;
     uint32_t map_addr;
diff --git a/qemu-options.hx b/qemu-options.hx
index 4d99a58..fd73210 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -751,7 +751,7 @@ Rotate graphical output 90 deg left (only PXA LCD).
 ETEXI
 
 DEF("vga", HAS_ARG, QEMU_OPTION_vga,
-    "-vga [std|cirrus|vmware|xenfb|none]\n"
+    "-vga [std|cirrus|vmware|qxl|xenfb|none]\n"
     "                select video card type\n", QEMU_ARCH_ALL)
 STEXI
 @item -vga @var{type}
@@ -772,6 +772,10 @@ this option.
 VMWare SVGA-II compatible adapter. Use it if you have sufficiently
 recent XFree86/XOrg server or Windows guest with a driver for this
 card.
+ at item qxl
+QXL paravirtual graphic card.  It is VGA compatible (including VESA
+2.0 VBE support).  Works best with qxl guest drivers installed though.
+Recommended choice when using the spice protocol.
 @item none
 Disable VGA card.
 @end table
diff --git a/sysemu.h b/sysemu.h
index b81a70e..d9b445b 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -102,7 +102,7 @@ extern int incoming_expected;
 extern int bios_size;
 
 typedef enum {
-    VGA_NONE, VGA_STD, VGA_CIRRUS, VGA_VMWARE, VGA_XENFB
+    VGA_NONE, VGA_STD, VGA_CIRRUS, VGA_VMWARE, VGA_XENFB, VGA_QXL,
 } VGAInterfaceType;
 
 extern int vga_interface_type;
@@ -110,6 +110,7 @@ extern int vga_interface_type;
 #define std_vga_enabled (vga_interface_type == VGA_STD)
 #define xenfb_enabled (vga_interface_type == VGA_XENFB)
 #define vmsvga_enabled (vga_interface_type == VGA_VMWARE)
+#define qxl_enabled (vga_interface_type == VGA_QXL)
 
 extern int graphic_width;
 extern int graphic_height;
diff --git a/ui/spice-core.c b/ui/spice-core.c
index d13bdc2..b7fa031 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -370,6 +370,21 @@ void qemu_spice_init(void)
 
 int qemu_spice_add_interface(SpiceBaseInstance *sin)
 {
+    if (!spice_server) {
+        if (QTAILQ_FIRST(&qemu_spice_opts.head) != NULL) {
+            fprintf(stderr, "Oops: spice configured but not active\n");
+            exit(1);
+        }
+        /*
+         * Create a spice server instance.
+         * It does *not* listen on the network.
+         * It handles QXL local rendering only.
+         *
+         * With a command line like '-vnc :0 -vga qxl' you'll end up here.
+         */
+        spice_server = spice_server_new();
+        spice_server_init(spice_server, &core_interface);
+    }
     return spice_server_add_interface(spice_server, sin);
 }
 
diff --git a/vl.c b/vl.c
index 2cd263e..e3f79e0 100644
--- a/vl.c
+++ b/vl.c
@@ -1411,6 +1411,8 @@ static void select_vgahw (const char *p)
         vga_interface_type = VGA_VMWARE;
     } else if (strstart(p, "xenfb", &opts)) {
         vga_interface_type = VGA_XENFB;
+    } else if (strstart(p, "qxl", &opts)) {
+        vga_interface_type = VGA_QXL;
     } else if (!strstart(p, "none", &opts)) {
     invalid_vga:
         fprintf(stderr, "Unknown vga type: %s\n", p);
@@ -2945,7 +2947,7 @@ int main(int argc, char **argv, char **envp)
         }
     }
 #ifdef CONFIG_SPICE
-    if (using_spice) {
+    if (using_spice && !qxl_enabled) {
         qemu_spice_display_init(ds);
     }
 #endif
commit 3c9405a0f7d76602415b3cbe8d52d7714b6ce5af
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Oct 7 11:50:45 2010 +0200

    vnc: support password expire
    
    This patch adds support for expiring passwords to vnc.  It adds a new
    vnc_display_pw_expire() function which specifies the time when the
    password will expire.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/console.h b/console.h
index aafb031..b2fc908 100644
--- a/console.h
+++ b/console.h
@@ -369,6 +369,7 @@ void vnc_display_init(DisplayState *ds);
 void vnc_display_close(DisplayState *ds);
 int vnc_display_open(DisplayState *ds, const char *display);
 int vnc_display_password(DisplayState *ds, const char *password);
+int vnc_display_pw_expire(DisplayState *ds, time_t expires);
 void do_info_vnc_print(Monitor *mon, const QObject *data);
 void do_info_vnc(Monitor *mon, QObject **ret_data);
 char *vnc_display_local_addr(DisplayState *ds);
diff --git a/qemu-common.h b/qemu-common.h
index de82c2e..188b05f 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -50,6 +50,9 @@ typedef struct DeviceState DeviceState;
 #if !defined(ENOTSUP)
 #define ENOTSUP 4096
 #endif
+#ifndef TIME_MAX
+#define TIME_MAX LONG_MAX
+#endif
 
 #ifndef CONFIG_IOVEC
 #define CONFIG_IOVEC
diff --git a/ui/vnc.c b/ui/vnc.c
index da70757..495d6d6 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2082,11 +2082,16 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
     unsigned char response[VNC_AUTH_CHALLENGE_SIZE];
     int i, j, pwlen;
     unsigned char key[8];
+    time_t now = time(NULL);
 
     if (!vs->vd->password || !vs->vd->password[0]) {
         VNC_DEBUG("No password configured on server");
         goto reject;
     }
+    if (vs->vd->expires < now) {
+        VNC_DEBUG("Password is expired");
+        goto reject;
+    }
 
     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
 
@@ -2432,6 +2437,7 @@ void vnc_display_init(DisplayState *ds)
 
     vs->ds = ds;
     QTAILQ_INIT(&vs->clients);
+    vs->expires = TIME_MAX;
 
     if (keyboard_layout)
         vs->kbd_layout = init_keyboard_layout(name2keysym, keyboard_layout);
@@ -2503,6 +2509,14 @@ int vnc_display_password(DisplayState *ds, const char *password)
     return 0;
 }
 
+int vnc_display_pw_expire(DisplayState *ds, time_t expires)
+{
+    VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
+
+    vs->expires = expires;
+    return 0;
+}
+
 char *vnc_display_local_addr(DisplayState *ds)
 {
     VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
diff --git a/ui/vnc.h b/ui/vnc.h
index 9619b24..4f895be 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -120,6 +120,7 @@ struct VncDisplay
 
     char *display;
     char *password;
+    time_t expires;
     int auth;
     bool lossy;
 #ifdef CONFIG_VNC_TLS
commit 7943a2fac78b1b865093923bf1bdb08ae8664b3d
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 30 11:54:33 2010 +0100

    spice: add qxl vgabios binary.
    
    Just compiled from vgabios git repo @ git.qemu.org,
    copyed over and committed.  Also added to the list
    of blobs in the Makefile.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/Makefile b/Makefile
index c80566c..6d601ee 100644
--- a/Makefile
+++ b/Makefile
@@ -205,7 +205,7 @@ common  de-ch  es     fo  fr-ca  hu     ja  mk  nl-be      pt  sl     tr
 
 ifdef INSTALL_BLOBS
 BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin \
-vgabios-stdvga.bin vgabios-vmware.bin \
+vgabios-stdvga.bin vgabios-vmware.bin vgabios-qxl.bin \
 ppc_rom.bin openbios-sparc32 openbios-sparc64 openbios-ppc \
 gpxe-eepro100-80861209.rom \
 pxe-e1000.bin \
diff --git a/pc-bios/vgabios-qxl.bin b/pc-bios/vgabios-qxl.bin
new file mode 100644
index 0000000..3156c6e
Binary files /dev/null and b/pc-bios/vgabios-qxl.bin differ
commit 6bffdf0f83263bad1dd2187c533758d7cb6f5bcf
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Oct 7 11:50:24 2010 +0200

    vnc: auth reject cleanup
    
    protocol_client_auth_vnc() has two places where the auth can fail,
    with identical code sending the reject message to the client.
    Move the common code to the end of the function and make both
    error paths jump there.  No functional change.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/vnc.c b/ui/vnc.c
index 864342e..da70757 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2085,15 +2085,7 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
 
     if (!vs->vd->password || !vs->vd->password[0]) {
         VNC_DEBUG("No password configured on server");
-        vnc_write_u32(vs, 1); /* Reject auth */
-        if (vs->minor >= 8) {
-            static const char err[] = "Authentication failed";
-            vnc_write_u32(vs, sizeof(err));
-            vnc_write(vs, err, sizeof(err));
-        }
-        vnc_flush(vs);
-        vnc_client_error(vs);
-        return 0;
+        goto reject;
     }
 
     memcpy(response, vs->challenge, VNC_AUTH_CHALLENGE_SIZE);
@@ -2109,14 +2101,7 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
     /* Compare expected vs actual challenge response */
     if (memcmp(response, data, VNC_AUTH_CHALLENGE_SIZE) != 0) {
         VNC_DEBUG("Client challenge reponse did not match\n");
-        vnc_write_u32(vs, 1); /* Reject auth */
-        if (vs->minor >= 8) {
-            static const char err[] = "Authentication failed";
-            vnc_write_u32(vs, sizeof(err));
-            vnc_write(vs, err, sizeof(err));
-        }
-        vnc_flush(vs);
-        vnc_client_error(vs);
+        goto reject;
     } else {
         VNC_DEBUG("Accepting VNC challenge response\n");
         vnc_write_u32(vs, 0); /* Accept auth */
@@ -2125,6 +2110,17 @@ static int protocol_client_auth_vnc(VncState *vs, uint8_t *data, size_t len)
         start_client_init(vs);
     }
     return 0;
+
+reject:
+    vnc_write_u32(vs, 1); /* Reject auth */
+    if (vs->minor >= 8) {
+        static const char err[] = "Authentication failed";
+        vnc_write_u32(vs, sizeof(err));
+        vnc_write(vs, err, sizeof(err));
+    }
+    vnc_flush(vs);
+    vnc_client_error(vs);
+    return 0;
 }
 
 void start_auth_vnc(VncState *vs)
commit cb42a870c3f5b38911b1428cb785dd702bc47d0f
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 30 11:02:51 2010 +0100

    spice: add qmp 'query-spice' and hmp 'info spice' commands.
    
    The patch adds a 'query-spice' monitor command which returns
    informations about the spice server configuration and also a list of
    channel connections.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/monitor.c b/monitor.c
index f04dda5..1047cee 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2581,6 +2581,16 @@ static const mon_cmd_t info_cmds[] = {
         .user_print = do_info_vnc_print,
         .mhandler.info_new = do_info_vnc,
     },
+#if defined(CONFIG_SPICE)
+    {
+        .name       = "spice",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the spice server status",
+        .user_print = do_info_spice_print,
+        .mhandler.info_new = do_info_spice,
+    },
+#endif
     {
         .name       = "name",
         .args_type  = "",
@@ -2768,6 +2778,16 @@ static const mon_cmd_t qmp_query_cmds[] = {
         .user_print = do_info_vnc_print,
         .mhandler.info_new = do_info_vnc,
     },
+#if defined(CONFIG_SPICE)
+    {
+        .name       = "spice",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the spice server status",
+        .user_print = do_info_spice_print,
+        .mhandler.info_new = do_info_spice,
+    },
+#endif
     {
         .name       = "name",
         .args_type  = "",
diff --git a/qmp-commands.hx b/qmp-commands.hx
index e5f157f..b4e6017 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -1439,6 +1439,76 @@ Example:
 EQMP
 
 SQMP
+query-spice
+-----------
+
+Show SPICE server information.
+
+Return a json-object with server information. Connected clients are returned
+as a json-array of json-objects.
+
+The main json-object contains the following:
+
+- "enabled": true or false (json-bool)
+- "host": server's IP address (json-string)
+- "port": server's port number (json-int, optional)
+- "tls-port": server's port number (json-int, optional)
+- "auth": authentication method (json-string)
+         - Possible values: "none", "spice"
+- "channels": a json-array of all active channels clients
+
+Channels are described by a json-object, each one contain the following:
+
+- "host": client's IP address (json-string)
+- "family": address family (json-string)
+         - Possible values: "ipv4", "ipv6", "unix", "unknown"
+- "port": client's port number (json-string)
+- "connection-id": spice connection id.  All channels with the same id
+                   belong to the same spice session (json-int)
+- "channel-type": channel type.  "1" is the main control channel, filter for
+                  this one if you want track spice sessions only (json-int)
+- "channel-id": channel id.  Usually "0", might be different needed when
+                multiple channels of the same type exist, such as multiple
+                display channels in a multihead setup (json-int)
+- "tls": whevener the channel is encrypted (json-bool)
+
+Example:
+
+-> { "execute": "query-spice" }
+<- {
+      "return": {
+         "enabled": true,
+         "auth": "spice",
+         "port": 5920,
+         "tls-port": 5921,
+         "host": "0.0.0.0",
+         "channels": [
+            {
+               "port": "54924",
+               "family": "ipv4",
+               "channel-type": 1,
+               "connection-id": 1804289383,
+               "host": "127.0.0.1",
+               "channel-id": 0,
+               "tls": true
+            },
+            {
+               "port": "36710",
+               "family": "ipv4",
+               "channel-type": 4,
+               "connection-id": 1804289383,
+               "host": "127.0.0.1",
+               "channel-id": 0,
+               "tls": false
+            },
+            [ ... more channels follow ... ]
+         ]
+      }
+   }
+
+EQMP
+
+SQMP
 query-name
 ----------
 
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 0e3ad9b..8b23ac9 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -33,6 +33,9 @@ void qemu_spice_audio_init(void);
 void qemu_spice_display_init(DisplayState *ds);
 int qemu_spice_add_interface(SpiceBaseInstance *sin);
 
+void do_info_spice_print(Monitor *mon, const QObject *data);
+void do_info_spice(Monitor *mon, QObject **ret_data);
+
 #else  /* CONFIG_SPICE */
 
 #define using_spice 0
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 93461c6..d29d203 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -131,6 +131,36 @@ static void watch_remove(SpiceWatch *watch)
 
 #if SPICE_INTERFACE_CORE_MINOR >= 3
 
+typedef struct ChannelList ChannelList;
+struct ChannelList {
+    SpiceChannelEventInfo *info;
+    QTAILQ_ENTRY(ChannelList) link;
+};
+static QTAILQ_HEAD(, ChannelList) channel_list = QTAILQ_HEAD_INITIALIZER(channel_list);
+
+static void channel_list_add(SpiceChannelEventInfo *info)
+{
+    ChannelList *item;
+
+    item = qemu_mallocz(sizeof(*item));
+    item->info = info;
+    QTAILQ_INSERT_TAIL(&channel_list, item, link);
+}
+
+static void channel_list_del(SpiceChannelEventInfo *info)
+{
+    ChannelList *item;
+
+    QTAILQ_FOREACH(item, &channel_list, link) {
+        if (item->info != info) {
+            continue;
+        }
+        QTAILQ_REMOVE(&channel_list, item, link);
+        qemu_free(item);
+        return;
+    }
+}
+
 static void add_addr_info(QDict *dict, struct sockaddr *addr, int len)
 {
     char host[NI_MAXHOST], port[NI_MAXSERV];
@@ -155,6 +185,22 @@ static void add_channel_info(QDict *dict, SpiceChannelEventInfo *info)
     qdict_put(dict, "tls", qbool_from_int(tls));
 }
 
+static QList *channel_list_get(void)
+{
+    ChannelList *item;
+    QList *list;
+    QDict *dict;
+
+    list = qlist_new();
+    QTAILQ_FOREACH(item, &channel_list, link) {
+        dict = qdict_new();
+        add_addr_info(dict, &item->info->paddr, item->info->plen);
+        add_channel_info(dict, item->info);
+        qlist_append(list, dict);
+    }
+    return list;
+}
+
 static void channel_event(int event, SpiceChannelEventInfo *info)
 {
     static const int qevent[] = {
@@ -174,6 +220,10 @@ static void channel_event(int event, SpiceChannelEventInfo *info)
     if (event == SPICE_CHANNEL_EVENT_INITIALIZED) {
         qdict_put(server, "auth", qstring_from_str(auth));
         add_channel_info(client, info);
+        channel_list_add(info);
+    }
+    if (event == SPICE_CHANNEL_EVENT_DISCONNECTED) {
+        channel_list_del(info);
     }
 
     data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
@@ -278,6 +328,92 @@ static const char *wan_compression_names[] = {
 
 /* functions for the rest of qemu */
 
+static void info_spice_iter(QObject *obj, void *opaque)
+{
+    QDict *client;
+    Monitor *mon = opaque;
+
+    client = qobject_to_qdict(obj);
+    monitor_printf(mon, "Channel:\n");
+    monitor_printf(mon, "     address: %s:%s%s\n",
+                   qdict_get_str(client, "host"),
+                   qdict_get_str(client, "port"),
+                   qdict_get_bool(client, "tls") ? " [tls]" : "");
+    monitor_printf(mon, "     session: %" PRId64 "\n",
+                   qdict_get_int(client, "connection-id"));
+    monitor_printf(mon, "     channel: %d:%d\n",
+                   (int)qdict_get_int(client, "channel-type"),
+                   (int)qdict_get_int(client, "channel-id"));
+}
+
+void do_info_spice_print(Monitor *mon, const QObject *data)
+{
+    QDict *server;
+    QList *channels;
+    const char *host;
+    int port;
+
+    server = qobject_to_qdict(data);
+    if (qdict_get_bool(server, "enabled") == 0) {
+        monitor_printf(mon, "Server: disabled\n");
+        return;
+    }
+
+    monitor_printf(mon, "Server:\n");
+    host = qdict_get_str(server, "host");
+    port = qdict_get_try_int(server, "port", -1);
+    if (port != -1) {
+        monitor_printf(mon, "     address: %s:%d\n", host, port);
+    }
+    port = qdict_get_try_int(server, "tls-port", -1);
+    if (port != -1) {
+        monitor_printf(mon, "     address: %s:%d [tls]\n", host, port);
+    }
+    monitor_printf(mon, "        auth: %s\n", qdict_get_str(server, "auth"));
+
+    channels = qdict_get_qlist(server, "channels");
+    if (qlist_empty(channels)) {
+        monitor_printf(mon, "Channels: none\n");
+    } else {
+        qlist_iter(channels, info_spice_iter, mon);
+    }
+}
+
+void do_info_spice(Monitor *mon, QObject **ret_data)
+{
+    QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
+    QDict *server;
+    QList *clist;
+    const char *addr;
+    int port, tls_port;
+
+    if (!spice_server) {
+        *ret_data = qobject_from_jsonf("{ 'enabled': false }");
+        return;
+    }
+
+    addr = qemu_opt_get(opts, "addr");
+    port = qemu_opt_get_number(opts, "port", 0);
+    tls_port = qemu_opt_get_number(opts, "tls-port", 0);
+    clist = channel_list_get();
+
+    server = qdict_new();
+    qdict_put(server, "enabled", qbool_from_int(true));
+    qdict_put(server, "auth", qstring_from_str(auth));
+    qdict_put(server, "host", qstring_from_str(addr ? addr : "0.0.0.0"));
+    if (port) {
+        qdict_put(server, "port", qint_from_int(port));
+    }
+    if (tls_port) {
+        qdict_put(server, "tls-port", qint_from_int(tls_port));
+    }
+    if (clist) {
+        qdict_put(server, "channels", clist);
+    }
+
+    *ret_data = QOBJECT(server);
+}
+
 static int add_channel(const char *name, const char *value, void *opaque)
 {
     int security = 0;
commit 6f8c63fbd7edc0b41c09f8f8e2d41a3a65464a43
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Oct 11 18:03:51 2010 +0200

    spice: connection events.
    
    This patch adds support for connection events to spice.  The events are
    quite simliar to the vnc events.  Unlike vnc spice uses multiple tcp
    channels though.  qemu will report every single tcp connection (aka
    spice channel).  If you want track spice sessions only you can filter
    for the main channel (channel-type == 1).
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/QMP/qmp-events.txt b/QMP/qmp-events.txt
index aa20210..0ce5d4e 100644
--- a/QMP/qmp-events.txt
+++ b/QMP/qmp-events.txt
@@ -182,6 +182,70 @@ Example:
                     "host": "127.0.0.1", "sasl_username": "luiz" } },
         "timestamp": { "seconds": 1263475302, "microseconds": 150772 } }
 
+SPICE_CONNECTED, SPICE_DISCONNECTED
+-----------------------------------
+
+Emitted when a SPICE client connects or disconnects.
+
+Data:
+
+- "server": Server information (json-object)
+  - "host": IP address (json-string)
+  - "port": port number (json-string)
+  - "family": address family (json-string, "ipv4" or "ipv6")
+- "client": Client information (json-object)
+  - "host": IP address (json-string)
+  - "port": port number (json-string)
+  - "family": address family (json-string, "ipv4" or "ipv6")
+
+Example:
+
+{ "timestamp": {"seconds": 1290688046, "microseconds": 388707},
+  "event": "SPICE_CONNECTED",
+  "data": {
+    "server": { "port": "5920", "family": "ipv4", "host": "127.0.0.1"},
+    "client": {"port": "52873", "family": "ipv4", "host": "127.0.0.1"}
+}}
+
+
+SPICE_INITIALIZED
+-----------------
+
+Emitted after initial handshake and authentication takes place (if any)
+and the SPICE channel is up'n'running
+
+Data:
+
+- "server": Server information (json-object)
+  - "host": IP address (json-string)
+  - "port": port number (json-string)
+  - "family": address family (json-string, "ipv4" or "ipv6")
+  - "auth": authentication method (json-string, optional)
+- "client": Client information (json-object)
+  - "host": IP address (json-string)
+  - "port": port number (json-string)
+  - "family": address family (json-string, "ipv4" or "ipv6")
+  - "connection-id": spice connection id.  All channels with the same id
+                     belong to the same spice session (json-int)
+  - "channel-type": channel type.  "1" is the main control channel, filter for
+                    this one if you want track spice sessions only (json-int)
+  - "channel-id": channel id.  Usually "0", might be different needed when
+                  multiple channels of the same type exist, such as multiple
+                  display channels in a multihead setup (json-int)
+  - "tls": whevener the channel is encrypted (json-bool)
+
+Example:
+
+{ "timestamp": {"seconds": 1290688046, "microseconds": 417172},
+  "event": "SPICE_INITIALIZED",
+  "data": {"server": {"auth": "spice", "port": "5921",
+                      "family": "ipv4", "host": "127.0.0.1"},
+           "client": {"port": "49004", "family": "ipv4", "channel-type": 3,
+                      "connection-id": 1804289383, "host": "127.0.0.1",
+                      "channel-id": 0, "tls": true}
+}}
+
+
 WATCHDOG
 --------
 
diff --git a/monitor.c b/monitor.c
index ec31eac..f04dda5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -59,6 +59,7 @@
 #ifdef CONFIG_SIMPLE_TRACE
 #include "trace.h"
 #endif
+#include "ui/qemu-spice.h"
 
 //#define DEBUG
 //#define DEBUG_COMPLETION
@@ -459,6 +460,15 @@ void monitor_protocol_event(MonitorEvent event, QObject *data)
         case QEVENT_WATCHDOG:
             event_name = "WATCHDOG";
             break;
+        case QEVENT_SPICE_CONNECTED:
+            event_name = "SPICE_CONNECTED";
+            break;
+        case QEVENT_SPICE_INITIALIZED:
+            event_name = "SPICE_INITIALIZED";
+            break;
+        case QEVENT_SPICE_DISCONNECTED:
+            event_name = "SPICE_DISCONNECTED";
+            break;
         default:
             abort();
             break;
diff --git a/monitor.h b/monitor.h
index 2d36bba..4f2d328 100644
--- a/monitor.h
+++ b/monitor.h
@@ -32,6 +32,9 @@ typedef enum MonitorEvent {
     QEVENT_BLOCK_IO_ERROR,
     QEVENT_RTC_CHANGE,
     QEVENT_WATCHDOG,
+    QEVENT_SPICE_CONNECTED,
+    QEVENT_SPICE_INITIALIZED,
+    QEVENT_SPICE_DISCONNECTED,
     QEVENT_MAX,
 } MonitorEvent;
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index b7fa031..93461c6 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -18,16 +18,24 @@
 #include <spice.h>
 #include <spice-experimental.h>
 
+#include <netdb.h>
+
 #include "qemu-common.h"
 #include "qemu-spice.h"
 #include "qemu-timer.h"
 #include "qemu-queue.h"
 #include "qemu-x509.h"
+#include "qemu_socket.h"
+#include "qint.h"
+#include "qbool.h"
+#include "qstring.h"
+#include "qjson.h"
 #include "monitor.h"
 
 /* core bits */
 
 static SpiceServer *spice_server;
+static const char *auth = "spice";
 int using_spice = 0;
 
 struct SpiceTimer {
@@ -121,6 +129,68 @@ static void watch_remove(SpiceWatch *watch)
     qemu_free(watch);
 }
 
+#if SPICE_INTERFACE_CORE_MINOR >= 3
+
+static void add_addr_info(QDict *dict, struct sockaddr *addr, int len)
+{
+    char host[NI_MAXHOST], port[NI_MAXSERV];
+    const char *family;
+
+    getnameinfo(addr, len, host, sizeof(host), port, sizeof(port),
+                NI_NUMERICHOST | NI_NUMERICSERV);
+    family = inet_strfamily(addr->sa_family);
+
+    qdict_put(dict, "host", qstring_from_str(host));
+    qdict_put(dict, "port", qstring_from_str(port));
+    qdict_put(dict, "family", qstring_from_str(family));
+}
+
+static void add_channel_info(QDict *dict, SpiceChannelEventInfo *info)
+{
+    int tls = info->flags & SPICE_CHANNEL_EVENT_FLAG_TLS;
+
+    qdict_put(dict, "connection-id", qint_from_int(info->connection_id));
+    qdict_put(dict, "channel-type", qint_from_int(info->type));
+    qdict_put(dict, "channel-id", qint_from_int(info->id));
+    qdict_put(dict, "tls", qbool_from_int(tls));
+}
+
+static void channel_event(int event, SpiceChannelEventInfo *info)
+{
+    static const int qevent[] = {
+        [ SPICE_CHANNEL_EVENT_CONNECTED    ] = QEVENT_SPICE_CONNECTED,
+        [ SPICE_CHANNEL_EVENT_INITIALIZED  ] = QEVENT_SPICE_INITIALIZED,
+        [ SPICE_CHANNEL_EVENT_DISCONNECTED ] = QEVENT_SPICE_DISCONNECTED,
+    };
+    QDict *server, *client;
+    QObject *data;
+
+    client = qdict_new();
+    add_addr_info(client, &info->paddr, info->plen);
+
+    server = qdict_new();
+    add_addr_info(server, &info->laddr, info->llen);
+
+    if (event == SPICE_CHANNEL_EVENT_INITIALIZED) {
+        qdict_put(server, "auth", qstring_from_str(auth));
+        add_channel_info(client, info);
+    }
+
+    data = qobject_from_jsonf("{ 'client': %p, 'server': %p }",
+                              QOBJECT(client), QOBJECT(server));
+    monitor_protocol_event(qevent[event], data);
+    qobject_decref(data);
+}
+
+#else /* SPICE_INTERFACE_CORE_MINOR >= 3 */
+
+static QList *channel_list_get(void)
+{
+    return NULL;
+}
+
+#endif /* SPICE_INTERFACE_CORE_MINOR >= 3 */
+
 static SpiceCoreInterface core_interface = {
     .base.type          = SPICE_INTERFACE_CORE,
     .base.description   = "qemu core services",
@@ -135,6 +205,10 @@ static SpiceCoreInterface core_interface = {
     .watch_add          = watch_add,
     .watch_update_mask  = watch_update_mask,
     .watch_remove       = watch_remove,
+
+#if SPICE_INTERFACE_CORE_MINOR >= 3
+    .channel_event      = channel_event,
+#endif
 };
 
 /* config string parsing */
@@ -316,6 +390,7 @@ void qemu_spice_init(void)
         spice_server_set_ticket(spice_server, password, 0, 0, 0);
     }
     if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
+        auth = "none";
         spice_server_set_noauth(spice_server);
     }
 
commit 513691b7ff20262efe9aafb85c8dd4615588ad48
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 8 17:46:28 2010 +0900

    pci/aer: factor out common code
    
    Same logic is used to assert interrupts
    and send msix messages, so add a static functin for this.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index f24784a..cb97a95 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -273,6 +273,17 @@ static uint32_t pcie_aer_status_to_cmd(uint32_t status)
     return cmd;
 }
 
+static void pcie_aer_root_notify(PCIDevice *dev)
+{
+    if (msix_enabled(dev)) {
+        msix_notify(dev, pcie_aer_root_get_vector(dev));
+    } else if (msi_enabled(dev)) {
+        msi_notify(dev, pcie_aer_root_get_vector(dev));
+    } else {
+        qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
+    }
+}
+
 /*
  * 6.2.6 Error Message Control
  * Figure 6-3
@@ -344,13 +355,7 @@ static void pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
         return;
     }
 
-    if (msix_enabled(dev)) {
-        msix_notify(dev, pcie_aer_root_get_vector(dev));
-    } else if (msi_enabled(dev)) {
-        msi_notify(dev, pcie_aer_root_get_vector(dev));
-    } else {
-        qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
-    }
+    pcie_aer_root_notify(dev);
 }
 
 /*
@@ -760,13 +765,7 @@ void pcie_aer_root_write_config(PCIDevice *dev,
         return;
     }
 
-    if (msix_enabled(dev)) {
-        msix_notify(dev, pcie_aer_root_get_vector(dev));
-    } else if (msi_enabled(dev)) {
-        msi_notify(dev, pcie_aer_root_get_vector(dev));
-    } else {
-        abort();
-    }
+    pcie_aer_root_notify(dev);
 }
 
 static const VMStateDescription vmstate_pcie_aer_err = {
commit 5f47c187d992d5147397ddd5323c732d3d39cb8f
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 8 17:46:27 2010 +0900

    pci/aer: remove dead code
    
    Remove some unused variables and return values.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index 04b0f45..f24784a 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -274,29 +274,21 @@ static uint32_t pcie_aer_status_to_cmd(uint32_t status)
 }
 
 /*
- * return value:
- * true: error message is sent up
- * false: error message is masked
- *
  * 6.2.6 Error Message Control
  * Figure 6-3
  * root port part
  */
-static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
+static void pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
 {
-    bool msg_sent;
     uint16_t cmd;
     uint8_t *aer_cap;
     uint32_t root_cmd;
     uint32_t root_status, prev_status;
-    bool msi_trigger;
 
-    msg_sent = false;
     cmd = pci_get_word(dev->config + PCI_COMMAND);
     aer_cap = dev->config + dev->exp.aer_cap;
     root_cmd = pci_get_long(aer_cap + PCI_ERR_ROOT_COMMAND);
     prev_status = root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
-    msi_trigger = false;
 
     if (cmd & PCI_COMMAND_SERR) {
         /* System Error.
@@ -315,25 +307,14 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
         if (root_status & PCI_ERR_ROOT_COR_RCV) {
             root_status |= PCI_ERR_ROOT_MULTI_COR_RCV;
         } else {
-            if (root_cmd & PCI_ERR_ROOT_CMD_COR_EN) {
-                msi_trigger = true;
-            }
             pci_set_word(aer_cap + PCI_ERR_ROOT_COR_SRC, msg->source_id);
         }
         root_status |= PCI_ERR_ROOT_COR_RCV;
         break;
     case PCI_ERR_ROOT_CMD_NONFATAL_EN:
-        if (!(root_status & PCI_ERR_ROOT_NONFATAL_RCV) &&
-            root_cmd & PCI_ERR_ROOT_CMD_NONFATAL_EN) {
-            msi_trigger = true;
-        }
         root_status |= PCI_ERR_ROOT_NONFATAL_RCV;
         break;
     case PCI_ERR_ROOT_CMD_FATAL_EN:
-        if (!(root_status & PCI_ERR_ROOT_FATAL_RCV) &&
-            root_cmd & PCI_ERR_ROOT_CMD_FATAL_EN) {
-            msi_trigger = true;
-        }
         if (!(root_status & PCI_ERR_ROOT_UNCOR_RCV)) {
             root_status |= PCI_ERR_ROOT_FIRST_FATAL;
         }
@@ -360,10 +341,9 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
     if (!(root_cmd & msg->severity) ||
         (pcie_aer_status_to_cmd(prev_status) & root_cmd)) {
         /* Condition is not being set or was already true so nothing to do. */
-        return msg_sent;
+        return;
     }
 
-    msg_sent = true;
     if (msix_enabled(dev)) {
         msix_notify(dev, pcie_aer_root_get_vector(dev));
     } else if (msi_enabled(dev)) {
@@ -371,7 +351,6 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
     } else {
         qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
     }
-    return msg_sent;
 }
 
 /*
commit 2b3cb353e7af7a90eec22ba9720dcef2a80c7f6f
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 8 17:46:26 2010 +0900

    pci/aer: fix interrupt on config write
    
    config write handling for aer seems broken:
    For example, it won't clear a level interrupt
    when command register is set to 0.
    
    Make it match the spec: level should equal
    the logical or of enabled bits, msi only
    be sent when the logical or changes.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index 9505c93..04b0f45 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -762,43 +762,31 @@ void pcie_aer_root_reset(PCIDevice *dev)
      */
 }
 
-static bool pcie_aer_root_does_trigger(uint32_t cmd, uint32_t status)
-{
-    return
-        ((cmd & PCI_ERR_ROOT_CMD_COR_EN) && (status & PCI_ERR_ROOT_COR_RCV)) ||
-        ((cmd & PCI_ERR_ROOT_CMD_NONFATAL_EN) &&
-         (status & PCI_ERR_ROOT_NONFATAL_RCV)) ||
-        ((cmd & PCI_ERR_ROOT_CMD_FATAL_EN) &&
-         (status & PCI_ERR_ROOT_FATAL_RCV));
-}
-
 void pcie_aer_root_write_config(PCIDevice *dev,
                                 uint32_t addr, uint32_t val, int len,
                                 uint32_t root_cmd_prev)
 {
     uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
-
-    /* root command register */
+    uint32_t root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
+    uint32_t enabled_cmd = pcie_aer_status_to_cmd(root_status);
     uint32_t root_cmd = pci_get_long(aer_cap + PCI_ERR_ROOT_COMMAND);
-    if (root_cmd & PCI_ERR_ROOT_CMD_EN_MASK) {
-        /* 6.2.4.1.2 Interrupt Generation */
+    /* 6.2.4.1.2 Interrupt Generation */
+    if (!msix_enabled(dev) && !msi_enabled(dev)) {
+        qemu_set_irq(dev->irq[dev->exp.aer_intx], !!(root_cmd & enabled_cmd));
+        return;
+    }
 
-        /* 0 -> 1 */
-        uint32_t root_cmd_set = ~root_cmd_prev & root_cmd;
-        uint32_t root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
-        bool trigger = pcie_aer_root_does_trigger(root_cmd_set, root_status);
+    if ((root_cmd_prev & enabled_cmd) || !(root_cmd & enabled_cmd)) {
+        /* Send MSI on transition from false to true. */
+        return;
+    }
 
-        if (msix_enabled(dev)) {
-            if (trigger) {
-                msix_notify(dev, pcie_aer_root_get_vector(dev));
-            }
-        } else if (msi_enabled(dev)) {
-            if (trigger) {
-                msi_notify(dev, pcie_aer_root_get_vector(dev));
-            }
-        } else {
-            qemu_set_irq(dev->irq[dev->exp.aer_intx], trigger);
-        }
+    if (msix_enabled(dev)) {
+        msix_notify(dev, pcie_aer_root_get_vector(dev));
+    } else if (msi_enabled(dev)) {
+        msi_notify(dev, pcie_aer_root_get_vector(dev));
+    } else {
+        abort();
     }
 }
 
commit c3f33667a64a6de0b92106c862247d97d81490ef
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 8 17:46:25 2010 +0900

    pci/aer: fix error injection
    
    Fix the injection logic upon aer message to follow 6.2.4.1.2 more
    closely: specifically only send an msi interrupt when the logical or of
    the enabled bits changed, not when a bit which was previously clear
    becomes set.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index dac27c3..9505c93 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -257,6 +257,22 @@ static unsigned int pcie_aer_root_get_vector(PCIDevice *dev)
     return (root_status & PCI_ERR_ROOT_IRQ) >> PCI_ERR_ROOT_IRQ_SHIFT;
 }
 
+/* Given a status register, get corresponding bits in the command register */
+static uint32_t pcie_aer_status_to_cmd(uint32_t status)
+{
+    uint32_t cmd = 0;
+    if (status & PCI_ERR_ROOT_COR_RCV) {
+        cmd |= PCI_ERR_ROOT_CMD_COR_EN;
+    }
+    if (status & PCI_ERR_ROOT_NONFATAL_RCV) {
+        cmd |= PCI_ERR_ROOT_CMD_NONFATAL_EN;
+    }
+    if (status & PCI_ERR_ROOT_FATAL_RCV) {
+        cmd |= PCI_ERR_ROOT_CMD_FATAL_EN;
+    }
+    return cmd;
+}
+
 /*
  * return value:
  * true: error message is sent up
@@ -272,14 +288,14 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
     uint16_t cmd;
     uint8_t *aer_cap;
     uint32_t root_cmd;
-    uint32_t root_status;
+    uint32_t root_status, prev_status;
     bool msi_trigger;
 
     msg_sent = false;
     cmd = pci_get_word(dev->config + PCI_COMMAND);
     aer_cap = dev->config + dev->exp.aer_cap;
     root_cmd = pci_get_long(aer_cap + PCI_ERR_ROOT_COMMAND);
-    root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
+    prev_status = root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
     msi_trigger = false;
 
     if (cmd & PCI_COMMAND_SERR) {
@@ -337,20 +353,23 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
     }
     pci_set_long(aer_cap + PCI_ERR_ROOT_STATUS, root_status);
 
-    if (root_cmd & msg->severity) {
-        /* 6.2.4.1.2 Interrupt Generation */
-        if (msix_enabled(dev)) {
-            if (msi_trigger) {
-                msix_notify(dev, pcie_aer_root_get_vector(dev));
-            }
-        } else if (msi_enabled(dev)) {
-            if (msi_trigger) {
-                msi_notify(dev, pcie_aer_root_get_vector(dev));
-            }
-        } else {
-            qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
-        }
-        msg_sent = true;
+    /* 6.2.4.1.2 Interrupt Generation */
+    /* All the above did was set some bits in the status register.
+     * Specifically these that match message severity.
+     * The below code relies on this fact. */
+    if (!(root_cmd & msg->severity) ||
+        (pcie_aer_status_to_cmd(prev_status) & root_cmd)) {
+        /* Condition is not being set or was already true so nothing to do. */
+        return msg_sent;
+    }
+
+    msg_sent = true;
+    if (msix_enabled(dev)) {
+        msix_notify(dev, pcie_aer_root_get_vector(dev));
+    } else if (msi_enabled(dev)) {
+        msi_notify(dev, pcie_aer_root_get_vector(dev));
+    } else {
+        qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
     }
     return msg_sent;
 }
commit 624c716cc576ec5e6bed50da3deb45aa9537cacd
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 8 17:46:24 2010 +0900

    Makefile: make msix/msi depend on CONFIG_PCI
    
    Possible now that pci is not depending on these.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 04625eb..d1e63ce 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -168,7 +168,8 @@ hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o
 # FIXME: Core PCI code and its direct dependencies are required by the
 # QMP query-pci command.
-hw-obj-y += pci.o pci_bridge.o msix.o msi.o
+hw-obj-y += pci.o pci_bridge.o
+hw-obj-$(CONFIG_PCI) += msix.o msi.o
 hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
 hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
 hw-obj-y += watchdog.o
commit 4a9dd6658268a942a8ea230f950a951229355cbb
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 8 17:46:23 2010 +0900

    pci: untangle pci/msi dependency
    
    msi depends on pci but pci should not depend on msi.
    The only dependency we have is a recent addition
    of pci_msi_ functions, IMO they add little enough to
    open-code in the small number of users.
    
    Follow-up patches add more cleanups.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pci.c b/hw/pci.c
index ca878e8..254647b 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -25,8 +25,6 @@
 #include "pci.h"
 #include "pci_bridge.h"
 #include "pci_internals.h"
-#include "msix.h"
-#include "msi.h"
 #include "monitor.h"
 #include "net.h"
 #include "sysemu.h"
@@ -1099,23 +1097,6 @@ static void pci_set_irq(void *opaque, int irq_num, int level)
     pci_change_irq_level(pci_dev, irq_num, change);
 }
 
-bool pci_msi_enabled(PCIDevice *dev)
-{
-    return msix_enabled(dev) || msi_enabled(dev);
-}
-
-void pci_msi_notify(PCIDevice *dev, unsigned int vector)
-{
-    if (msix_enabled(dev)) {
-        msix_notify(dev, vector);
-    } else if (msi_enabled(dev)) {
-        msi_notify(dev, vector);
-    } else {
-        /* MSI/MSI-X must be enabled */
-        abort();
-    }
-}
-
 /***********************************************************/
 /* monitor info on PCI */
 
diff --git a/hw/pci.h b/hw/pci.h
index 099c251..aa3afe9 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -261,9 +261,6 @@ void do_pci_info_print(Monitor *mon, const QObject *data);
 void do_pci_info(Monitor *mon, QObject **ret_data);
 void pci_bridge_update_mappings(PCIBus *b);
 
-bool pci_msi_enabled(PCIDevice *dev);
-void pci_msi_notify(PCIDevice *dev, unsigned int vector);
-
 static inline void
 pci_set_byte(uint8_t *config, uint8_t val)
 {
diff --git a/hw/pcie.c b/hw/pcie.c
index f461c1c..d1f0086 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -167,10 +167,12 @@ static void hotplug_event_notify(PCIDevice *dev)
      * The Port may optionally send an MSI when there are hot-plug events that
      * occur while interrupt generation is disabled, and interrupt generation is
      * subsequently enabled. */
-    if (!pci_msi_enabled(dev)) {
+    if (msix_enabled(dev)) {
+        msix_notify(dev, pcie_cap_flags_get_vector(dev));
+    } else if (msi_enabled(dev)) {
+        msi_notify(dev, pcie_cap_flags_get_vector(dev));
+    } else {
         qemu_set_irq(dev->irq[dev->exp.hpev_intx], dev->exp.hpev_notified);
-    } else if (dev->exp.hpev_notified) {
-        pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
     }
 }
 
diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index 47d6400..dac27c3 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -339,9 +339,13 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
 
     if (root_cmd & msg->severity) {
         /* 6.2.4.1.2 Interrupt Generation */
-        if (pci_msi_enabled(dev)) {
+        if (msix_enabled(dev)) {
             if (msi_trigger) {
-                pci_msi_notify(dev, pcie_aer_root_get_vector(dev));
+                msix_notify(dev, pcie_aer_root_get_vector(dev));
+            }
+        } else if (msi_enabled(dev)) {
+            if (msi_trigger) {
+                msi_notify(dev, pcie_aer_root_get_vector(dev));
             }
         } else {
             qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
@@ -761,16 +765,20 @@ void pcie_aer_root_write_config(PCIDevice *dev,
         /* 6.2.4.1.2 Interrupt Generation */
 
         /* 0 -> 1 */
-        uint32_t root_cmd_set = (root_cmd_prev ^ root_cmd) & root_cmd;
+        uint32_t root_cmd_set = ~root_cmd_prev & root_cmd;
         uint32_t root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
+        bool trigger = pcie_aer_root_does_trigger(root_cmd_set, root_status);
 
-        if (pci_msi_enabled(dev)) {
-            if (pcie_aer_root_does_trigger(root_cmd_set, root_status)) {
-                pci_msi_notify(dev, pcie_aer_root_get_vector(dev));
+        if (msix_enabled(dev)) {
+            if (trigger) {
+                msix_notify(dev, pcie_aer_root_get_vector(dev));
+            }
+        } else if (msi_enabled(dev)) {
+            if (trigger) {
+                msi_notify(dev, pcie_aer_root_get_vector(dev));
             }
         } else {
-            int int_level = pcie_aer_root_does_trigger(root_cmd, root_status);
-            qemu_set_irq(dev->irq[dev->exp.aer_intx], int_level);
+            qemu_set_irq(dev->irq[dev->exp.aer_intx], trigger);
         }
     }
 }
commit b1aeb92666d2fde413c34578b3b42bbfe5f2a506
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Nov 26 21:01:41 2010 +0900

    pci: make command SERR bit writable
    
    pcie aer needs SERR bit to be writable, and the PCI spec requires
    this as well.  For compatibility, introduce compat global property
    command_serr_enable and make this bit readonly for a pre 0.14 pc
    machine.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 7d29d43..a2fb554 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -217,6 +217,14 @@ static QEMUMachine pc_machine = {
     .desc = "Standard PC",
     .init = pc_init_pci,
     .max_cpus = 255,
+    .compat_props = (GlobalProperty[]) {
+        {
+            .driver   = "PCI",
+            .property = "command_serr_enable",
+            .value    = "off",
+        },
+        { /* end of list */ }
+    },
     .is_default = 1,
 };
 
@@ -265,6 +273,10 @@ static QEMUMachine pc_machine_v0_12 = {
             .driver   = "vmware-svga",
             .property = "rombar",
             .value    = stringify(0),
+        },{
+            .driver   = "PCI",
+            .property = "command_serr_enable",
+            .value    = "off",
         },
         { /* end of list */ }
     }
@@ -300,6 +312,10 @@ static QEMUMachine pc_machine_v0_11 = {
             .driver   = "PCI",
             .property = "rombar",
             .value    = stringify(0),
+        },{
+            .driver   = "PCI",
+            .property = "command_serr_enable",
+            .value    = "off",
         },
         { /* end of list */ }
     }
@@ -347,6 +363,10 @@ static QEMUMachine pc_machine_v0_10 = {
             .driver   = "PCI",
             .property = "rombar",
             .value    = stringify(0),
+        },{
+            .driver   = "PCI",
+            .property = "command_serr_enable",
+            .value    = "off",
         },
         { /* end of list */ }
     },
diff --git a/hw/pci.c b/hw/pci.c
index 0c15b13..ca878e8 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -57,6 +57,8 @@ struct BusInfo pci_bus_info = {
         DEFINE_PROP_UINT32("rombar",  PCIDevice, rom_bar, 1),
         DEFINE_PROP_BIT("multifunction", PCIDevice, cap_present,
                         QEMU_PCI_CAP_MULTIFUNCTION_BITNR, false),
+        DEFINE_PROP_BIT("command_serr_enable", PCIDevice, cap_present,
+                        QEMU_PCI_CAP_SERR_BITNR, true),
         DEFINE_PROP_END_OF_LIST()
     }
 };
@@ -568,6 +570,9 @@ static void pci_init_wmask(PCIDevice *dev)
     pci_set_word(dev->wmask + PCI_COMMAND,
                  PCI_COMMAND_IO | PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER |
                  PCI_COMMAND_INTX_DISABLE);
+    if (dev->cap_present & QEMU_PCI_CAP_SERR) {
+        pci_word_test_and_set_mask(dev->wmask + PCI_COMMAND, PCI_COMMAND_SERR);
+    }
 
     memset(dev->wmask + PCI_CONFIG_HEADER_SIZE, 0xff,
            config_size - PCI_CONFIG_HEADER_SIZE);
diff --git a/hw/pci.h b/hw/pci.h
index 89f7b76..099c251 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -118,6 +118,10 @@ enum {
     /* multifunction capable device */
 #define QEMU_PCI_CAP_MULTIFUNCTION_BITNR        3
     QEMU_PCI_CAP_MULTIFUNCTION = (1 << QEMU_PCI_CAP_MULTIFUNCTION_BITNR),
+
+    /* command register SERR bit enabled */
+#define QEMU_PCI_CAP_SERR_BITNR 4
+    QEMU_PCI_CAP_SERR = (1 << QEMU_PCI_CAP_SERR_BITNR),
 };
 
 struct PCIDevice {
commit 783e7706937fe15523b609b545587a028a2bdd03
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Nov 22 19:52:30 2010 +0200

    virtio-net: stop/start bh when appropriate
    
    Avoid sending out packets, and modifying
    memory, when VM is stopped.
    Add assert statements to verify this does not happen.
    
    Avoid scheduling bh when vhost-net is started.
    
    Stop bh when driver disabled bus mastering
    (we must not access memory after this).
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Jason Wang <jasowang at redhat.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 43a2b3d..5881961 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -99,9 +99,14 @@ static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
     }
 }
 
-static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
+static bool virtio_net_started(VirtIONet *n, uint8_t status)
+{
+    return (status & VIRTIO_CONFIG_S_DRIVER_OK) &&
+        (n->status & VIRTIO_NET_S_LINK_UP) && n->vm_running;
+}
+
+static void virtio_net_vhost_status(VirtIONet *n, uint8_t status)
 {
-    VirtIONet *n = to_virtio_net(vdev);
     if (!n->nic->nc.peer) {
         return;
     }
@@ -112,9 +117,7 @@ static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
     if (!tap_get_vhost_net(n->nic->nc.peer)) {
         return;
     }
-    if (!!n->vhost_started == ((status & VIRTIO_CONFIG_S_DRIVER_OK) &&
-                               (n->status & VIRTIO_NET_S_LINK_UP) &&
-                               n->vm_running)) {
+    if (!!n->vhost_started == virtio_net_started(n, status)) {
         return;
     }
     if (!n->vhost_started) {
@@ -131,6 +134,32 @@ static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
     }
 }
 
+static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
+{
+    VirtIONet *n = to_virtio_net(vdev);
+
+    virtio_net_vhost_status(n, status);
+
+    if (!n->tx_waiting) {
+        return;
+    }
+
+    if (virtio_net_started(n, status) && !n->vhost_started) {
+        if (n->tx_timer) {
+            qemu_mod_timer(n->tx_timer,
+                           qemu_get_clock(vm_clock) + n->tx_timeout);
+        } else {
+            qemu_bh_schedule(n->tx_bh);
+        }
+    } else {
+        if (n->tx_timer) {
+            qemu_del_timer(n->tx_timer);
+        } else {
+            qemu_bh_cancel(n->tx_bh);
+        }
+    }
+}
+
 static void virtio_net_set_link_status(VLANClientState *nc)
 {
     VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
@@ -675,11 +704,12 @@ static int32_t virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
 {
     VirtQueueElement elem;
     int32_t num_packets = 0;
-
     if (!(n->vdev.status & VIRTIO_CONFIG_S_DRIVER_OK)) {
         return num_packets;
     }
 
+    assert(n->vm_running);
+
     if (n->async_tx.elem.out_num) {
         virtio_queue_set_notification(n->tx_vq, 0);
         return num_packets;
@@ -738,6 +768,12 @@ static void virtio_net_handle_tx_timer(VirtIODevice *vdev, VirtQueue *vq)
 {
     VirtIONet *n = to_virtio_net(vdev);
 
+    /* This happens when device was stopped but VCPU wasn't. */
+    if (!n->vm_running) {
+        n->tx_waiting = 1;
+        return;
+    }
+
     if (n->tx_waiting) {
         virtio_queue_set_notification(vq, 1);
         qemu_del_timer(n->tx_timer);
@@ -758,14 +794,19 @@ static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq)
     if (unlikely(n->tx_waiting)) {
         return;
     }
+    n->tx_waiting = 1;
+    /* This happens when device was stopped but VCPU wasn't. */
+    if (!n->vm_running) {
+        return;
+    }
     virtio_queue_set_notification(vq, 0);
     qemu_bh_schedule(n->tx_bh);
-    n->tx_waiting = 1;
 }
 
 static void virtio_net_tx_timer(void *opaque)
 {
     VirtIONet *n = opaque;
+    assert(n->vm_running);
 
     n->tx_waiting = 0;
 
@@ -782,6 +823,8 @@ static void virtio_net_tx_bh(void *opaque)
     VirtIONet *n = opaque;
     int32_t ret;
 
+    assert(n->vm_running);
+
     n->tx_waiting = 0;
 
     /* Just in case the driver is not ready on more */
@@ -926,15 +969,6 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
         }
     }
     n->mac_table.first_multi = i;
-
-    if (n->tx_waiting) {
-        if (n->tx_timer) {
-            qemu_mod_timer(n->tx_timer,
-                           qemu_get_clock(vm_clock) + n->tx_timeout);
-        } else {
-            qemu_bh_schedule(n->tx_bh);
-        }
-    }
     return 0;
 }
 
commit 954773230484f5afeb675e9ff814c97e54e69e17
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Nov 22 19:52:19 2010 +0200

    virtio-net: don't dma while vm is stopped
    
    DMA into memory while VM is stopped makes it
    hard to debug migration (consequitive saves
    result in different files).
    Fixing this completely is a large effort,
    this patch does this for virtio-net.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Jason Wang <jasowang at redhat.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 1d61f19..43a2b3d 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -424,6 +424,9 @@ static void virtio_net_handle_rx(VirtIODevice *vdev, VirtQueue *vq)
 static int virtio_net_can_receive(VLANClientState *nc)
 {
     VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
+    if (!n->vm_running) {
+        return 0;
+    }
 
     if (!virtio_queue_ready(n->rx_vq) ||
         !(n->vdev.status & VIRTIO_CONFIG_S_DRIVER_OK))
commit eff06c40d330cdbea414331337ca6f5032dbf6d7
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Nov 22 19:52:26 2010 +0200

    migration/savevm: no need to flush requests
    
    There's no need to flush requests after vmstop
    as vmstop does it for us automatically now.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Jason Wang <jasowang at redhat.com>

diff --git a/migration.c b/migration.c
index 622a9d2..e5ba51c 100644
--- a/migration.c
+++ b/migration.c
@@ -370,8 +370,6 @@ void migrate_fd_put_ready(void *opaque)
         DPRINTF("done iterating\n");
         vm_stop(0);
 
-        qemu_aio_flush();
-        bdrv_flush_all();
         if ((qemu_savevm_state_complete(s->mon, s->file)) < 0) {
             if (old_vm_running) {
                 vm_start();
diff --git a/savevm.c b/savevm.c
index d38f79e..90aa237 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1575,8 +1575,6 @@ static int qemu_savevm_state(Monitor *mon, QEMUFile *f)
     saved_vm_running = vm_running;
     vm_stop(0);
 
-    bdrv_flush_all();
-
     ret = qemu_savevm_state_begin(mon, f, 0, 0);
     if (ret < 0)
         goto out;
@@ -1885,8 +1883,6 @@ void do_savevm(Monitor *mon, const QDict *qdict)
         monitor_printf(mon, "No block device can accept snapshots\n");
         return;
     }
-    /* ??? Should this occur after vm_stop?  */
-    qemu_aio_flush();
 
     saved_vm_running = vm_running;
     vm_stop(0);
commit 55df6f33655ed4139c824aa3ab9a4ab0c19dca83
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Nov 22 19:52:22 2010 +0200

    cpus: flush all requests on each vm stop
    
    Flush all requests once we have stopped all
    cpus and devices.
    Make sure disk is in consistent state.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Jason Wang <jasowang at redhat.com>
    Acked-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/cpus.c b/cpus.c
index 91a0fb1..0309189 100644
--- a/cpus.c
+++ b/cpus.c
@@ -111,6 +111,8 @@ static void do_vm_stop(int reason)
         vm_running = 0;
         pause_all_vcpus();
         vm_state_notify(0, reason);
+        qemu_aio_flush();
+        bdrv_flush_all();
         monitor_protocol_event(QEVENT_STOP, NULL);
     }
 }
commit 3a75e74c76cef8daa7944159b016c4ee7c56e568
Author: Mike Ryan <mikeryan at isi.edu>
Date:   Wed Dec 1 11:16:47 2010 -0800

    net/sock: option to specify local address
    
    Add an option to specify the host IP to send multicast packets from,
    when using a multicast socket for networking. The option takes an IP
    address and sets the IP_MULTICAST_IF socket option, which causes the
    packets to use that IP's interface as an egress.
    
    This is useful if the host machine has several interfaces with several
    virtual networks across disparate interfaces.
    
    Signed-off-by: Mike Ryan <mikeryan at ISI.EDU>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net.c b/net.c
index c5e6063..9ba5be2 100644
--- a/net.c
+++ b/net.c
@@ -1050,6 +1050,10 @@ static const struct {
                 .name = "mcast",
                 .type = QEMU_OPT_STRING,
                 .help = "UDP multicast address and port number",
+            }, {
+                .name = "localaddr",
+                .type = QEMU_OPT_STRING,
+                .help = "source address for multicast packets",
             },
             { /* end of list */ }
         },
diff --git a/net/socket.c b/net/socket.c
index 1c4e153..916c2a8 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -149,7 +149,7 @@ static void net_socket_send_dgram(void *opaque)
     qemu_send_packet(&s->nc, s->buf, size);
 }
 
-static int net_socket_mcast_create(struct sockaddr_in *mcastaddr)
+static int net_socket_mcast_create(struct sockaddr_in *mcastaddr, struct in_addr *localaddr)
 {
     struct ip_mreq imr;
     int fd;
@@ -183,7 +183,11 @@ static int net_socket_mcast_create(struct sockaddr_in *mcastaddr)
 
     /* Add host to multicast group */
     imr.imr_multiaddr = mcastaddr->sin_addr;
-    imr.imr_interface.s_addr = htonl(INADDR_ANY);
+    if (localaddr) {
+        imr.imr_interface = *localaddr;
+    } else {
+        imr.imr_interface.s_addr = htonl(INADDR_ANY);
+    }
 
     ret = setsockopt(fd, IPPROTO_IP, IP_ADD_MEMBERSHIP,
                      (const char *)&imr, sizeof(struct ip_mreq));
@@ -201,6 +205,15 @@ static int net_socket_mcast_create(struct sockaddr_in *mcastaddr)
 	goto fail;
     }
 
+    /* If a bind address is given, only send packets from that address */
+    if (localaddr != NULL) {
+        ret = setsockopt(fd, IPPROTO_IP, IP_MULTICAST_IF, localaddr, sizeof(*localaddr));
+        if (ret < 0) {
+            perror("setsockopt(IP_MULTICAST_IF)");
+            goto fail;
+        }
+    }
+
     socket_set_nonblock(fd);
     return fd;
 fail:
@@ -248,7 +261,7 @@ static NetSocketState *net_socket_fd_init_dgram(VLANState *vlan,
 		return NULL;
 	    }
 	    /* clone dgram socket */
-	    newfd = net_socket_mcast_create(&saddr);
+	    newfd = net_socket_mcast_create(&saddr, NULL);
 	    if (newfd < 0) {
 		/* error already reported by net_socket_mcast_create() */
 		close(fd);
@@ -468,17 +481,26 @@ static int net_socket_connect_init(VLANState *vlan,
 static int net_socket_mcast_init(VLANState *vlan,
                                  const char *model,
                                  const char *name,
-                                 const char *host_str)
+                                 const char *host_str,
+                                 const char *localaddr_str)
 {
     NetSocketState *s;
     int fd;
     struct sockaddr_in saddr;
+    struct in_addr localaddr, *param_localaddr;
 
     if (parse_host_port(&saddr, host_str) < 0)
         return -1;
 
+    if (localaddr_str != NULL) {
+        if (inet_aton(localaddr_str, &localaddr) == 0)
+            return -1;
+        param_localaddr = &localaddr;
+    } else {
+        param_localaddr = NULL;
+    }
 
-    fd = net_socket_mcast_create(&saddr);
+    fd = net_socket_mcast_create(&saddr, param_localaddr);
     if (fd < 0)
 	return -1;
 
@@ -505,8 +527,9 @@ int net_init_socket(QemuOpts *opts,
 
         if (qemu_opt_get(opts, "listen") ||
             qemu_opt_get(opts, "connect") ||
-            qemu_opt_get(opts, "mcast")) {
-            error_report("listen=, connect= and mcast= is invalid with fd=");
+            qemu_opt_get(opts, "mcast") ||
+            qemu_opt_get(opts, "localaddr")) {
+            error_report("listen=, connect=, mcast= and localaddr= is invalid with fd=\n");
             return -1;
         }
 
@@ -524,8 +547,9 @@ int net_init_socket(QemuOpts *opts,
 
         if (qemu_opt_get(opts, "fd") ||
             qemu_opt_get(opts, "connect") ||
-            qemu_opt_get(opts, "mcast")) {
-            error_report("fd=, connect= and mcast= is invalid with listen=");
+            qemu_opt_get(opts, "mcast") ||
+            qemu_opt_get(opts, "localaddr")) {
+            error_report("fd=, connect=, mcast= and localaddr= is invalid with listen=\n");
             return -1;
         }
 
@@ -539,8 +563,9 @@ int net_init_socket(QemuOpts *opts,
 
         if (qemu_opt_get(opts, "fd") ||
             qemu_opt_get(opts, "listen") ||
-            qemu_opt_get(opts, "mcast")) {
-            error_report("fd=, listen= and mcast= is invalid with connect=");
+            qemu_opt_get(opts, "mcast") ||
+            qemu_opt_get(opts, "localaddr")) {
+            error_report("fd=, listen=, mcast= and localaddr= is invalid with connect=\n");
             return -1;
         }
 
@@ -550,7 +575,7 @@ int net_init_socket(QemuOpts *opts,
             return -1;
         }
     } else if (qemu_opt_get(opts, "mcast")) {
-        const char *mcast;
+        const char *mcast, *localaddr;
 
         if (qemu_opt_get(opts, "fd") ||
             qemu_opt_get(opts, "connect") ||
@@ -560,8 +585,9 @@ int net_init_socket(QemuOpts *opts,
         }
 
         mcast = qemu_opt_get(opts, "mcast");
+        localaddr = qemu_opt_get(opts, "localaddr");
 
-        if (net_socket_mcast_init(vlan, "socket", name, mcast) == -1) {
+        if (net_socket_mcast_init(vlan, "socket", name, mcast, localaddr) == -1) {
             return -1;
         }
     } else {
diff --git a/qemu-options.hx b/qemu-options.hx
index 4d99a58..accd16a 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1061,8 +1061,9 @@ DEF("net", HAS_ARG, QEMU_OPTION_net,
 #endif
     "-net socket[,vlan=n][,name=str][,fd=h][,listen=[host]:port][,connect=host:port]\n"
     "                connect the vlan 'n' to another VLAN using a socket connection\n"
-    "-net socket[,vlan=n][,name=str][,fd=h][,mcast=maddr:port]\n"
+    "-net socket[,vlan=n][,name=str][,fd=h][,mcast=maddr:port[,localaddr=addr]]\n"
     "                connect the vlan 'n' to multicast maddr and port\n"
+    "                use 'localaddr=addr' to specify the host address to send packets from\n"
 #ifdef CONFIG_VDE
     "-net vde[,vlan=n][,name=str][,sock=socketpath][,port=n][,group=groupname][,mode=octalmode]\n"
     "                connect the vlan 'n' to port 'n' of a vde switch running\n"
@@ -1256,7 +1257,7 @@ qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \
                -net socket,connect=127.0.0.1:1234
 @end example
 
- at item -net socket[,vlan=@var{n}][,name=@var{name}][,fd=@var{h}] [,mcast=@var{maddr}:@var{port}]
+ at item -net socket[,vlan=@var{n}][,name=@var{name}][,fd=@var{h}][,mcast=@var{maddr}:@var{port}[,localaddr=@var{addr}]]
 
 Create a VLAN @var{n} shared with another QEMU virtual
 machines using a UDP multicast socket, effectively making a bus for
@@ -1296,6 +1297,12 @@ qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
 /path/to/linux ubd0=/path/to/root_fs eth0=mcast
 @end example
 
+Example (send packets from host's 1.2.3.4):
+ at example
+qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
+               -net socket,mcast=239.192.168.1:1102,localaddr=1.2.3.4
+ at end example
+
 @item -net vde[,vlan=@var{n}][,name=@var{name}][,sock=@var{socketpath}] [,port=@var{n}][,group=@var{groupname}][,mode=@var{octalmode}]
 Connect VLAN @var{n} to PORT @var{n} of a vde switch running on host and
 listening for incoming connections on @var{socketpath}. Use GROUP @var{groupname}
commit 138b38b61bf92d4e9588acf934e532499c94e185
Author: Alexander Graf <agraf at suse.de>
Date:   Thu Nov 25 08:20:46 2010 +0100

    ppc: kvm: fix signedness warning
    
    I get a warning on a signed comparison with an unsigned variable, so
    let's make the variable signed and be happy.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 5cacef7..5caa07c 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -132,7 +132,7 @@ int kvm_arch_get_registers(CPUState *env)
 {
     struct kvm_regs regs;
     struct kvm_sregs sregs;
-    uint32_t i, ret;
+    int i, ret;
 
     ret = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
     if (ret < 0)
commit 72f24d155ceffa0eb888fd277fa09584bcd1b04c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Implement VCVT to 16 bit integer using new softfloat routines
    
    Use the softfloat conversion routines for conversion to 16 bit
    integers, because just casting to a 16 bit type truncates the
    value rather than saturating it at 16-bit MAXINT/MININT.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 2925782..9ba2f4f 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2560,7 +2560,7 @@ ftype VFP_HELPER(to##name, p)(ftype x, uint32_t shift, CPUState *env) \
         return ftype##_zero; \
     } \
     tmp = ftype##_scalbn(x, shift, &env->vfp.fp_status); \
-    return vfp_ito##p((itype)ftype##_to_##sign##int32_round_to_zero(tmp, \
+    return vfp_ito##p(ftype##_to_##itype##_round_to_zero(tmp, \
         &env->vfp.fp_status)); \
 }
 
commit cbcef455a2d29cdd19f4f0a21990cd76c0d03102
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    softfloat: Add float/double to 16 bit integer conversion functions
    
    The ARM architecture needs float/double to 16 bit integer conversions.
    (The 32 bit versions aren't sufficient because of the requirement
    to saturate at 16 bit MAXINT/MININT and to get the exception bits right.)
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index 0b82797..6f5b05d 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -1355,6 +1355,55 @@ int32 float32_to_int32_round_to_zero( float32 a STATUS_PARAM )
 
 /*----------------------------------------------------------------------------
 | Returns the result of converting the single-precision floating-point value
+| `a' to the 16-bit two's complement integer format.  The conversion is
+| performed according to the IEC/IEEE Standard for Binary Floating-Point
+| Arithmetic, except that the conversion is always rounded toward zero.
+| If `a' is a NaN, the largest positive integer is returned.  Otherwise, if
+| the conversion overflows, the largest integer with the same sign as `a' is
+| returned.
+*----------------------------------------------------------------------------*/
+
+int16 float32_to_int16_round_to_zero( float32 a STATUS_PARAM )
+{
+    flag aSign;
+    int16 aExp, shiftCount;
+    bits32 aSig;
+    int32 z;
+
+    aSig = extractFloat32Frac( a );
+    aExp = extractFloat32Exp( a );
+    aSign = extractFloat32Sign( a );
+    shiftCount = aExp - 0x8E;
+    if ( 0 <= shiftCount ) {
+        if ( float32_val(a) != 0xC7000000 ) {
+            float_raise( float_flag_invalid STATUS_VAR);
+            if ( ! aSign || ( ( aExp == 0xFF ) && aSig ) ) {
+                return 0x7FFF;
+            }
+        }
+        return (sbits32) 0xffff8000;
+    }
+    else if ( aExp <= 0x7E ) {
+        if ( aExp | aSig ) {
+            STATUS(float_exception_flags) |= float_flag_inexact;
+        }
+        return 0;
+    }
+    shiftCount -= 0x10;
+    aSig = ( aSig | 0x00800000 )<<8;
+    z = aSig>>( - shiftCount );
+    if ( (bits32) ( aSig<<( shiftCount & 31 ) ) ) {
+        STATUS(float_exception_flags) |= float_flag_inexact;
+    }
+    if ( aSign ) {
+        z = - z;
+    }
+    return z;
+
+}
+
+/*----------------------------------------------------------------------------
+| Returns the result of converting the single-precision floating-point value
 | `a' to the 64-bit two's complement integer format.  The conversion is
 | performed according to the IEC/IEEE Standard for Binary Floating-Point
 | Arithmetic---which means in particular that the conversion is rounded
@@ -2412,6 +2461,57 @@ int32 float64_to_int32_round_to_zero( float64 a STATUS_PARAM )
 
 /*----------------------------------------------------------------------------
 | Returns the result of converting the double-precision floating-point value
+| `a' to the 16-bit two's complement integer format.  The conversion is
+| performed according to the IEC/IEEE Standard for Binary Floating-Point
+| Arithmetic, except that the conversion is always rounded toward zero.
+| If `a' is a NaN, the largest positive integer is returned.  Otherwise, if
+| the conversion overflows, the largest integer with the same sign as `a' is
+| returned.
+*----------------------------------------------------------------------------*/
+
+int16 float64_to_int16_round_to_zero( float64 a STATUS_PARAM )
+{
+    flag aSign;
+    int16 aExp, shiftCount;
+    bits64 aSig, savedASig;
+    int32 z;
+
+    aSig = extractFloat64Frac( a );
+    aExp = extractFloat64Exp( a );
+    aSign = extractFloat64Sign( a );
+    if ( 0x40E < aExp ) {
+        if ( ( aExp == 0x7FF ) && aSig ) {
+            aSign = 0;
+        }
+        goto invalid;
+    }
+    else if ( aExp < 0x3FF ) {
+        if ( aExp || aSig ) {
+            STATUS(float_exception_flags) |= float_flag_inexact;
+        }
+        return 0;
+    }
+    aSig |= LIT64( 0x0010000000000000 );
+    shiftCount = 0x433 - aExp;
+    savedASig = aSig;
+    aSig >>= shiftCount;
+    z = aSig;
+    if ( aSign ) {
+        z = - z;
+    }
+    if ( ( (int16_t)z < 0 ) ^ aSign ) {
+ invalid:
+        float_raise( float_flag_invalid STATUS_VAR);
+        return aSign ? (sbits32) 0xffff8000 : 0x7FFF;
+    }
+    if ( ( aSig<<shiftCount ) != savedASig ) {
+        STATUS(float_exception_flags) |= float_flag_inexact;
+    }
+    return z;
+}
+
+/*----------------------------------------------------------------------------
+| Returns the result of converting the double-precision floating-point value
 | `a' to the 64-bit two's complement integer format.  The conversion is
 | performed according to the IEC/IEEE Standard for Binary Floating-Point
 | Arithmetic---which means in particular that the conversion is rounded
@@ -5632,6 +5732,24 @@ unsigned int float32_to_uint32_round_to_zero( float32 a STATUS_PARAM )
     return res;
 }
 
+unsigned int float32_to_uint16_round_to_zero( float32 a STATUS_PARAM )
+{
+    int64_t v;
+    unsigned int res;
+
+    v = float32_to_int64_round_to_zero(a STATUS_VAR);
+    if (v < 0) {
+        res = 0;
+        float_raise( float_flag_invalid STATUS_VAR);
+    } else if (v > 0xffff) {
+        res = 0xffff;
+        float_raise( float_flag_invalid STATUS_VAR);
+    } else {
+        res = v;
+    }
+    return res;
+}
+
 unsigned int float64_to_uint32( float64 a STATUS_PARAM )
 {
     int64_t v;
@@ -5668,6 +5786,24 @@ unsigned int float64_to_uint32_round_to_zero( float64 a STATUS_PARAM )
     return res;
 }
 
+unsigned int float64_to_uint16_round_to_zero( float64 a STATUS_PARAM )
+{
+    int64_t v;
+    unsigned int res;
+
+    v = float64_to_int64_round_to_zero(a STATUS_VAR);
+    if (v < 0) {
+        res = 0;
+        float_raise( float_flag_invalid STATUS_VAR);
+    } else if (v > 0xffff) {
+        res = 0xffff;
+        float_raise( float_flag_invalid STATUS_VAR);
+    } else {
+        res = v;
+    }
+    return res;
+}
+
 /* FIXME: This looks broken.  */
 uint64_t float64_to_uint64 (float64 a STATUS_PARAM)
 {
diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index 2e651e2..1c1004d 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -251,6 +251,8 @@ float32 float16_to_float32( bits16, flag STATUS_PARAM );
 /*----------------------------------------------------------------------------
 | Software IEC/IEEE single-precision conversion routines.
 *----------------------------------------------------------------------------*/
+int float32_to_int16_round_to_zero( float32 STATUS_PARAM );
+unsigned int float32_to_uint16_round_to_zero( float32 STATUS_PARAM );
 int float32_to_int32( float32 STATUS_PARAM );
 int float32_to_int32_round_to_zero( float32 STATUS_PARAM );
 unsigned int float32_to_uint32( float32 STATUS_PARAM );
@@ -327,6 +329,8 @@ INLINE int float32_is_any_nan(float32 a)
 /*----------------------------------------------------------------------------
 | Software IEC/IEEE double-precision conversion routines.
 *----------------------------------------------------------------------------*/
+int float64_to_int16_round_to_zero( float64 STATUS_PARAM );
+unsigned int float64_to_uint16_round_to_zero( float64 STATUS_PARAM );
 int float64_to_int32( float64 STATUS_PARAM );
 int float64_to_int32_round_to_zero( float64 STATUS_PARAM );
 unsigned int float64_to_uint32( float64 STATUS_PARAM );
commit 26a5e69aafd0434922316e4185c45c9bddd4b9ba
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Ignore top 16 bits when doing VCVT from 16 bit fixed point
    
    VCVT of 16 bit fixed point to float should ignore the top 16 bits
    of the source register. Cast to int16_t and friends rather than
    int16 -- the former is guaranteed exactly 16 bits wide where the
    latter is merely at least 16 bits wide (and so is usually 32 bits).
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 4bd1cd4..2925782 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2549,7 +2549,7 @@ float32 VFP_HELPER(fcvts, d)(float64 x, CPUState *env)
 ftype VFP_HELPER(name##to, p)(ftype x, uint32_t shift, CPUState *env) \
 { \
     ftype tmp; \
-    tmp = sign##int32_to_##ftype ((itype)vfp_##p##toi(x), \
+    tmp = sign##int32_to_##ftype ((itype##_t)vfp_##p##toi(x), \
                                   &env->vfp.fp_status); \
     return ftype##_scalbn(tmp, -(int)shift, &env->vfp.fp_status); \
 } \
commit 2d6277373d3fc18f11504cd05ea82f0fe6d67962
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Return correct result for single<->double conversion of NaN
    
    The ARM ARM defines that if the input to a single<->double conversion
    is a NaN then the output is always forced to be a quiet NaN by setting
    the most significant bit of the fraction part.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 6d2a8f2..4bd1cd4 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2528,12 +2528,20 @@ float32 VFP_HELPER(tosiz, d)(float64 x, CPUState *env)
 /* floating point conversion */
 float64 VFP_HELPER(fcvtd, s)(float32 x, CPUState *env)
 {
-    return float32_to_float64(x, &env->vfp.fp_status);
+    float64 r = float32_to_float64(x, &env->vfp.fp_status);
+    /* ARM requires that S<->D conversion of any kind of NaN generates
+     * a quiet NaN by forcing the most significant frac bit to 1.
+     */
+    return float64_maybe_silence_nan(r);
 }
 
 float32 VFP_HELPER(fcvts, d)(float64 x, CPUState *env)
 {
-    return float64_to_float32(x, &env->vfp.fp_status);
+    float32 r =  float64_to_float32(x, &env->vfp.fp_status);
+    /* ARM requires that S<->D conversion of any kind of NaN generates
+     * a quiet NaN by forcing the most significant frac bit to 1.
+     */
+    return float32_maybe_silence_nan(r);
 }
 
 /* VFP3 fixed point conversion.  */
commit b408dbdec3d3220b7e2da2b0fd768048f43a2e39
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    softfloat: Add float*_maybe_silence_nan() functions
    
    Add functions float*_maybe_silence_nan() which ensure that a
    value is not a signaling NaN by turning it into a quiet NaN.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/fpu/softfloat-specialize.h b/fpu/softfloat-specialize.h
index 8e6aceb..0746878 100644
--- a/fpu/softfloat-specialize.h
+++ b/fpu/softfloat-specialize.h
@@ -102,6 +102,25 @@ int float32_is_signaling_nan( float32 a_ )
 }
 
 /*----------------------------------------------------------------------------
+| Returns a quiet NaN if the single-precision floating point value `a' is a
+| signaling NaN; otherwise returns `a'.
+*----------------------------------------------------------------------------*/
+
+float32 float32_maybe_silence_nan( float32 a_ )
+{
+    if (float32_is_signaling_nan(a_)) {
+        uint32_t a = float32_val(a_);
+#if SNAN_BIT_IS_ONE
+        a &= ~(1 << 22);
+#else
+        a |= (1 << 22);
+#endif
+        return make_float32(a);
+    }
+    return a_;
+}
+
+/*----------------------------------------------------------------------------
 | Returns the result of converting the single-precision floating-point NaN
 | `a' to the canonical NaN format.  If `a' is a signaling NaN, the invalid
 | exception is raised.
@@ -234,6 +253,25 @@ int float64_is_signaling_nan( float64 a_ )
 }
 
 /*----------------------------------------------------------------------------
+| Returns a quiet NaN if the double-precision floating point value `a' is a
+| signaling NaN; otherwise returns `a'.
+*----------------------------------------------------------------------------*/
+
+float64 float64_maybe_silence_nan( float64 a_ )
+{
+    if (float64_is_signaling_nan(a_)) {
+        bits64 a = float64_val(a_);
+#if SNAN_BIT_IS_ONE
+        a &= ~LIT64( 0x0008000000000000 );
+#else
+        a |= LIT64( 0x0008000000000000 );
+#endif
+        return make_float64(a);
+    }
+    return a_;
+}
+
+/*----------------------------------------------------------------------------
 | Returns the result of converting the double-precision floating-point NaN
 | `a' to the canonical NaN format.  If `a' is a signaling NaN, the invalid
 | exception is raised.
diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index 9bece80..2e651e2 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -287,6 +287,7 @@ int float32_compare( float32, float32 STATUS_PARAM );
 int float32_compare_quiet( float32, float32 STATUS_PARAM );
 int float32_is_nan( float32 );
 int float32_is_signaling_nan( float32 );
+float32 float32_maybe_silence_nan( float32 );
 float32 float32_scalbn( float32, int STATUS_PARAM );
 
 INLINE float32 float32_abs(float32 a)
@@ -364,6 +365,7 @@ int float64_compare( float64, float64 STATUS_PARAM );
 int float64_compare_quiet( float64, float64 STATUS_PARAM );
 int float64_is_nan( float64 a );
 int float64_is_signaling_nan( float64 );
+float64 float64_maybe_silence_nan( float64 );
 float64 float64_scalbn( float64, int STATUS_PARAM );
 
 INLINE float64 float64_abs(float64 a)
commit 09d9487fbb5c17226762e73c2b7d84170f5bd092
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Return correct result for float-to-integer conversion of NaN
    
    The ARM architecture mandates that converting a NaN value to
    integer gives zero (if Invalid Operation FP exceptions are
    not being trapped). This isn't the behaviour of the SoftFloat
    library, so NaNs must be special-cased.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 2a1f448..6d2a8f2 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2463,41 +2463,65 @@ float64 VFP_HELPER(sito, d)(float32 x, CPUState *env)
 /* Float to integer conversion.  */
 float32 VFP_HELPER(toui, s)(float32 x, CPUState *env)
 {
+    if (float32_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float32_to_uint32(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(toui, d)(float64 x, CPUState *env)
 {
+    if (float64_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float64_to_uint32(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(tosi, s)(float32 x, CPUState *env)
 {
+    if (float32_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float32_to_int32(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(tosi, d)(float64 x, CPUState *env)
 {
+    if (float64_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float64_to_int32(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(touiz, s)(float32 x, CPUState *env)
 {
+    if (float32_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float32_to_uint32_round_to_zero(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(touiz, d)(float64 x, CPUState *env)
 {
+    if (float64_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float64_to_uint32_round_to_zero(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(tosiz, s)(float32 x, CPUState *env)
 {
+    if (float32_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float32_to_int32_round_to_zero(x, &env->vfp.fp_status));
 }
 
 float32 VFP_HELPER(tosiz, d)(float64 x, CPUState *env)
 {
+    if (float64_is_any_nan(x)) {
+        return float32_zero;
+    }
     return vfp_itos(float64_to_int32_round_to_zero(x, &env->vfp.fp_status));
 }
 
@@ -2524,6 +2548,9 @@ ftype VFP_HELPER(name##to, p)(ftype x, uint32_t shift, CPUState *env) \
 ftype VFP_HELPER(to##name, p)(ftype x, uint32_t shift, CPUState *env) \
 { \
     ftype tmp; \
+    if (ftype##_is_any_nan(x)) { \
+        return ftype##_zero; \
+    } \
     tmp = ftype##_scalbn(x, shift, &env->vfp.fp_status); \
     return vfp_ito##p((itype)ftype##_to_##sign##int32_round_to_zero(tmp, \
         &env->vfp.fp_status)); \
commit 21d6ebde76e9e7a89f5d2100816aac920cae109c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    softfloat: Add float*_is_any_nan() functions
    
    Add float*_is_any_nan() functions which return true if the argument
    is a NaN of any kind (quiet or signalling).
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/fpu/softfloat.h b/fpu/softfloat.h
index 9528825..9bece80 100644
--- a/fpu/softfloat.h
+++ b/fpu/softfloat.h
@@ -314,6 +314,11 @@ INLINE int float32_is_zero(float32 a)
     return (float32_val(a) & 0x7fffffff) == 0;
 }
 
+INLINE int float32_is_any_nan(float32 a)
+{
+    return ((float32_val(a) & ~(1 << 31)) > 0x7f800000UL);
+}
+
 #define float32_zero make_float32(0)
 #define float32_one make_float32(0x3f800000)
 #define float32_ln2 make_float32(0x3f317218)
@@ -386,6 +391,11 @@ INLINE int float64_is_zero(float64 a)
     return (float64_val(a) & 0x7fffffffffffffffLL) == 0;
 }
 
+INLINE int float64_is_any_nan(float64 a)
+{
+    return ((float64_val(a) & ~(1ULL << 63)) > 0x7ff0000000000000ULL);
+}
+
 #define float64_zero make_float64(0)
 #define float64_one make_float64(0x3ff0000000000000LL)
 #define float64_ln2 make_float64(0x3fe62e42fefa39efLL)
commit d3587ef81db34885189178d53f99831aea95c702
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Fix sense of to_integer bit in Neon VCVT float/int conversion
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 0b3e4e6..d4a0666 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -5664,16 +5664,16 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                             gen_helper_rsqrte_f32(cpu_F0s, cpu_F0s, cpu_env);
                             break;
                         case 60: /* VCVT.F32.S32 */
-                            gen_vfp_tosiz(0);
+                            gen_vfp_sito(0);
                             break;
                         case 61: /* VCVT.F32.U32 */
-                            gen_vfp_touiz(0);
+                            gen_vfp_uito(0);
                             break;
                         case 62: /* VCVT.S32.F32 */
-                            gen_vfp_sito(0);
+                            gen_vfp_tosiz(0);
                             break;
                         case 63: /* VCVT.U32.F32 */
-                            gen_vfp_uito(0);
+                            gen_vfp_touiz(0);
                             break;
                         default:
                             /* Reserved: 21, 29, 39-56 */
commit f73534a56e21f0fa37c10941a2a887b3576c2f69
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Fix decoding of Neon forms of VCVT between float and fixed point
    
    Fix errors in the decoding of the Neon forms of fixed-point VCVT:
     * fixed-point VCVT is op 14 and 15, not 15 and 16
     * the fbits immediate field was being misinterpreted
     * the sense of the to_fixed bit was inverted
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 69a424a..0b3e4e6 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -4850,11 +4850,15 @@ static int disas_neon_data_insn(CPUState * env, DisasContext *s, uint32_t insn)
                     }
                     neon_store_reg64(cpu_V0, rd + pass);
                 }
-            } else if (op == 15 || op == 16) {
+            } else if (op >= 14) {
                 /* VCVT fixed-point.  */
+                /* We have already masked out the must-be-1 top bit of imm6,
+                 * hence this 32-shift where the ARM ARM has 64-imm6.
+                 */
+                shift = 32 - shift;
                 for (pass = 0; pass < (q ? 4 : 2); pass++) {
                     tcg_gen_ld_f32(cpu_F0s, cpu_env, neon_reg_offset(rm, pass));
-                    if (op & 1) {
+                    if (!(op & 1)) {
                         if (u)
                             gen_vfp_ulto(0, shift);
                         else
commit 04595bf66f15cb205cb7f64eaa3a38804bf0893a
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: Fix decoding of VFP forms of VCVT between float and int/fixed
    
    Correct the decoding of source and destination registers
    for the VFP forms of the VCVT instructions which convert
    between floating point and integer or fixed-point.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 7ee5375..69a424a 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -2870,16 +2870,18 @@ static int disas_vfp_insn(CPUState * env, DisasContext *s, uint32_t insn)
                     VFP_DREG_N(rn, insn);
                 }
 
-                if (op == 15 && (rn == 15 || rn > 17)) {
+                if (op == 15 && (rn == 15 || ((rn & 0x1c) == 0x18))) {
                     /* Integer or single precision destination.  */
                     rd = VFP_SREG_D(insn);
                 } else {
                     VFP_DREG_D(rd, insn);
                 }
-
-                if (op == 15 && (rn == 16 || rn == 17)) {
-                    /* Integer source.  */
-                    rm = ((insn << 1) & 0x1e) | ((insn >> 5) & 1);
+                if (op == 15 &&
+                    (((rn & 0x1c) == 0x10) || ((rn & 0x14) == 0x14))) {
+                    /* VCVT from int is always from S reg regardless of dp bit.
+                     * VCVT with immediate frac_bits has same format as SREG_M
+                     */
+                    rm = VFP_SREG_M(insn);
                 } else {
                     VFP_DREG_M(rm, insn);
                 }
@@ -2891,6 +2893,9 @@ static int disas_vfp_insn(CPUState * env, DisasContext *s, uint32_t insn)
                 } else {
                     rd = VFP_SREG_D(insn);
                 }
+                /* NB that we implicitly rely on the encoding for the frac_bits
+                 * in VCVT of fixed to float being the same as that of an SREG_M
+                 */
                 rm = VFP_SREG_M(insn);
             }
 
@@ -3179,8 +3184,8 @@ static int disas_vfp_insn(CPUState * env, DisasContext *s, uint32_t insn)
                 /* Write back the result.  */
                 if (op == 15 && (rn >= 8 && rn <= 11))
                     ; /* Comparison, do nothing.  */
-                else if (op == 15 && rn > 17)
-                    /* Integer result.  */
+                else if (op == 15 && dp && ((rn & 0x1c) == 0x18))
+                    /* VCVT double to int: always integer result. */
                     gen_mov_vreg_F0(0, rd);
                 else if (op == 15 && rn == 15)
                     /* conversion */
commit 2c9adbda721c9996ec6b371cac4a00c1164b818e
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Dec 7 15:37:34 2010 +0000

    ARM: fix ldrexd/strexd
    
    Correct ldrexd and strexd code to always read and write the
    high word of the 64-bit value from addr+4.
    Also make ldrexd and strexd agree that for a 64 bit value the
    address in env->exclusive_addr is that of the low word.
    
    This fixes the issues reported in
    https://bugs.launchpad.net/qemu/+bug/670883
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/linux-user/main.c b/linux-user/main.c
index 7d41d4a..0d627d6 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -589,7 +589,7 @@ static int do_strex(CPUARMState *env)
     }
     if (size == 3) {
         val = env->regs[(env->exclusive_info >> 12) & 0xf];
-        segv = put_user_u32(val, addr);
+        segv = put_user_u32(val, addr + 4);
         if (segv) {
             env->cp15.c6_data = addr + 4;
             goto done;
diff --git a/target-arm/translate.c b/target-arm/translate.c
index bf1e643..7ee5375 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -5926,8 +5926,10 @@ static void gen_load_exclusive(DisasContext *s, int rt, int rt2,
     tcg_gen_mov_i32(cpu_exclusive_val, tmp);
     store_reg(s, rt, tmp);
     if (size == 3) {
-        tcg_gen_addi_i32(addr, addr, 4);
-        tmp = gen_ld32(addr, IS_USER(s));
+        TCGv tmp2 = new_tmp();
+        tcg_gen_addi_i32(tmp2, addr, 4);
+        tmp = gen_ld32(tmp2, IS_USER(s));
+        dead_tmp(tmp2);
         tcg_gen_mov_i32(cpu_exclusive_high, tmp);
         store_reg(s, rt2, tmp);
     }
@@ -5987,7 +5989,7 @@ static void gen_store_exclusive(DisasContext *s, int rd, int rt, int rt2,
     if (size == 3) {
         TCGv tmp2 = new_tmp();
         tcg_gen_addi_i32(tmp2, addr, 4);
-        tmp = gen_ld32(addr, IS_USER(s));
+        tmp = gen_ld32(tmp2, IS_USER(s));
         dead_tmp(tmp2);
         tcg_gen_brcond_i32(TCG_COND_NE, tmp, cpu_exclusive_high, fail_label);
         dead_tmp(tmp);
commit 49e14940adeea797abd2be4ccda97d0349b22aae
Author: Adam Lackorzynski <adam at os.inf.tu-dresden.de>
Date:   Tue Dec 7 12:01:44 2010 +0000

    target-arm: Handle 'smc' as an undefined instruction
    
    Refine check on bkpt so that smc and undefined instruction encodings are
    handled as an undefined instruction and trap.
    
    Signed-off-by: Adam Lackorzynski <adam at os.inf.tu-dresden.de>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 947de6d..bf1e643 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -6346,7 +6346,14 @@ static void disas_arm_insn(CPUState * env, DisasContext *s)
             dead_tmp(tmp2);
             store_reg(s, rd, tmp);
             break;
-        case 7: /* bkpt */
+        case 7:
+            /* SMC instruction (op1 == 3)
+               and undefined instructions (op1 == 0 || op1 == 2)
+               will trap */
+            if (op1 != 1) {
+                goto illegal_op;
+            }
+            /* bkpt */
             gen_set_condexec(s);
             gen_set_pc_im(s->pc - 4);
             gen_exception(EXCP_BKPT);
commit 4809c612bc5eabf158d7a4656a98f5601c6bf104
Author: Johan Bengtsson <teofrastius at gmail.com>
Date:   Tue Dec 7 12:01:44 2010 +0000

    target-arm: Fix mixup in decoding of saturating add and sub
    
    The thumb2 decoder contained a mixup between the bit controlling
    doubling and the bit controlling if the operation was an add or a sub.
    
    Signed-off-by: Johan Bengtsson <teofrastius at gmail.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 183928b..947de6d 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -7713,9 +7713,9 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
                 /* Saturating add/subtract.  */
                 tmp = load_reg(s, rn);
                 tmp2 = load_reg(s, rm);
-                if (op & 2)
-                    gen_helper_double_saturate(tmp, tmp);
                 if (op & 1)
+                    gen_helper_double_saturate(tmp, tmp);
+                if (op & 2)
                     gen_helper_sub_saturate(tmp, tmp2, tmp);
                 else
                     gen_helper_add_saturate(tmp, tmp, tmp2);
commit 2af9ab7737c050e063dc939973a8d669a3ab3743
Author: Johan Bengtsson <teofrastius at gmail.com>
Date:   Tue Dec 7 12:01:44 2010 +0000

    target-arm: Add support for PKHxx in thumb2
    
    The PKHxx instructions were not recognized by the thumb2 decoder. The
    solution provided in this changeset is identical to the arm-mode
    implementation.
    
    Signed-off-by: Johan Bengtsson <teofrastius at gmail.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Nathan Froyd <froydnj at codesourcery.com>

diff --git a/target-arm/translate.c b/target-arm/translate.c
index 99464ab..183928b 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -7601,27 +7601,54 @@ static int disas_thumb2_insn(CPUState *env, DisasContext *s, uint16_t insn_hw1)
             }
         }
         break;
-    case 5: /* Data processing register constant shift.  */
-        if (rn == 15) {
-            tmp = new_tmp();
-            tcg_gen_movi_i32(tmp, 0);
-        } else {
-            tmp = load_reg(s, rn);
-        }
-        tmp2 = load_reg(s, rm);
+    case 5:
+
         op = (insn >> 21) & 0xf;
-        shiftop = (insn >> 4) & 3;
-        shift = ((insn >> 6) & 3) | ((insn >> 10) & 0x1c);
-        conds = (insn & (1 << 20)) != 0;
-        logic_cc = (conds && thumb2_logic_op(op));
-        gen_arm_shift_im(tmp2, shiftop, shift, logic_cc);
-        if (gen_thumb2_data_op(s, op, conds, 0, tmp, tmp2))
-            goto illegal_op;
-        dead_tmp(tmp2);
-        if (rd != 15) {
+        if (op == 6) {
+            /* Halfword pack.  */
+            tmp = load_reg(s, rn);
+            tmp2 = load_reg(s, rm);
+            shift = ((insn >> 10) & 0x1c) | ((insn >> 6) & 0x3);
+            if (insn & (1 << 5)) {
+                /* pkhtb */
+                if (shift == 0)
+                    shift = 31;
+                tcg_gen_sari_i32(tmp2, tmp2, shift);
+                tcg_gen_andi_i32(tmp, tmp, 0xffff0000);
+                tcg_gen_ext16u_i32(tmp2, tmp2);
+            } else {
+                /* pkhbt */
+                if (shift)
+                    tcg_gen_shli_i32(tmp2, tmp2, shift);
+                tcg_gen_ext16u_i32(tmp, tmp);
+                tcg_gen_andi_i32(tmp2, tmp2, 0xffff0000);
+            }
+            tcg_gen_or_i32(tmp, tmp, tmp2);
+            dead_tmp(tmp2);
             store_reg(s, rd, tmp);
         } else {
-            dead_tmp(tmp);
+            /* Data processing register constant shift.  */
+            if (rn == 15) {
+                tmp = new_tmp();
+                tcg_gen_movi_i32(tmp, 0);
+            } else {
+                tmp = load_reg(s, rn);
+            }
+            tmp2 = load_reg(s, rm);
+
+            shiftop = (insn >> 4) & 3;
+            shift = ((insn >> 6) & 3) | ((insn >> 10) & 0x1c);
+            conds = (insn & (1 << 20)) != 0;
+            logic_cc = (conds && thumb2_logic_op(op));
+            gen_arm_shift_im(tmp2, shiftop, shift, logic_cc);
+            if (gen_thumb2_data_op(s, op, conds, 0, tmp, tmp2))
+                goto illegal_op;
+            dead_tmp(tmp2);
+            if (rd != 15) {
+                store_reg(s, rd, tmp);
+            } else {
+                dead_tmp(tmp);
+            }
         }
         break;
     case 13: /* Misc data processing.  */
commit cb1983b8809d0e06a97384a40bad1194a32fc814
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Dec 6 09:23:08 2010 -0700

    device-assignment: pass through and stub more PCI caps
    
    Some drivers depend on finding capabilities like power management,
    PCI express/X, vital product data, or vendor specific fields.  Now
    that we have better capability support, we can pass more of these
    tables through to the guest.  Note that VPD and VNDR are direct pass
    through capabilies, the rest are mostly empty shells with a few
    writable bits where necessary.
    
    It may be possible to consolidate dummy capabilities into common files
    for other drivers to use, but I prefer to leave them here for now as
    we figure out what bits to handle directly with hardware and what bits
    are purely emulated.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 0ae04de..50c6408 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -67,6 +67,9 @@ static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev,
                                                  uint32_t address,
                                                  uint32_t val, int len);
 
+static uint32_t assigned_device_pci_cap_read_config(PCIDevice *pci_dev,
+                                                    uint32_t address, int len);
+
 static uint32_t assigned_dev_ioport_rw(AssignedDevRegion *dev_region,
                                        uint32_t addr, int len, uint32_t *val)
 {
@@ -370,11 +373,32 @@ static uint8_t assigned_dev_pci_read_byte(PCIDevice *d, int pos)
     return (uint8_t)assigned_dev_pci_read(d, pos, 1);
 }
 
-static uint8_t pci_find_cap_offset(PCIDevice *d, uint8_t cap)
+static void assigned_dev_pci_write(PCIDevice *d, int pos, uint32_t val, int len)
+{
+    AssignedDevice *pci_dev = container_of(d, AssignedDevice, dev);
+    ssize_t ret;
+    int fd = pci_dev->real_device.config_fd;
+
+again:
+    ret = pwrite(fd, &val, len, pos);
+    if (ret != len) {
+	if ((ret < 0) && (errno == EINTR || errno == EAGAIN))
+	    goto again;
+
+	fprintf(stderr, "%s: pwrite failed, ret = %zd errno = %d\n",
+		__func__, ret, errno);
+
+	exit(1);
+    }
+
+    return;
+}
+
+static uint8_t pci_find_cap_offset(PCIDevice *d, uint8_t cap, uint8_t start)
 {
     int id;
     int max_cap = 48;
-    int pos = PCI_CAPABILITY_LIST;
+    int pos = start ? start : PCI_CAPABILITY_LIST;
     int status;
 
     status = assigned_dev_pci_read_byte(d, PCI_STATUS);
@@ -453,10 +477,16 @@ static uint32_t assigned_dev_pci_read_config(PCIDevice *d, uint32_t address,
     ssize_t ret;
     AssignedDevice *pci_dev = container_of(d, AssignedDevice, dev);
 
+    if (address >= PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
+        val = assigned_device_pci_cap_read_config(d, address, len);
+        DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
+              (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
+        return val;
+    }
+
     if (address < 0x4 || (pci_dev->need_emulate_cmd && address == 0x4) ||
 	(address >= 0x10 && address <= 0x24) || address == 0x30 ||
-        address == 0x34 || address == 0x3c || address == 0x3d ||
-        (address >= PCI_CONFIG_HEADER_SIZE && d->config_map[address])) {
+        address == 0x34 || address == 0x3c || address == 0x3d) {
         val = pci_default_read_config(d, address, len);
         DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
               (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
@@ -1251,7 +1281,70 @@ static void assigned_dev_update_msix(PCIDevice *pci_dev, unsigned int ctrl_pos)
 #endif
 #endif
 
-static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev, uint32_t address,
+/* There can be multiple VNDR capabilities per device, we need to find the
+ * one that starts closet to the given address without going over. */
+static uint8_t find_vndr_start(PCIDevice *pci_dev, uint32_t address)
+{
+    uint8_t cap, pos;
+
+    for (cap = pos = 0;
+         (pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_VNDR, pos));
+         pos += PCI_CAP_LIST_NEXT) {
+        if (pos <= address) {
+            cap = MAX(pos, cap);
+        }
+    }
+    return cap;
+}
+
+/* Merge the bits set in mask from mval into val.  Both val and mval are
+ * at the same addr offset, pos is the starting offset of the mask. */
+static uint32_t merge_bits(uint32_t val, uint32_t mval, uint8_t addr,
+                           int len, uint8_t pos, uint32_t mask)
+{
+    if (!ranges_overlap(addr, len, pos, 4)) {
+        return val;
+    }
+
+    if (addr >= pos) {
+        mask >>= (addr - pos) * 8;
+    } else {
+        mask <<= (pos - addr) * 8;
+    }
+    mask &= 0xffffffffU >> (4 - len) * 8;
+
+    val &= ~mask;
+    val |= (mval & mask);
+
+    return val;
+}
+
+static uint32_t assigned_device_pci_cap_read_config(PCIDevice *pci_dev,
+                                                    uint32_t address, int len)
+{
+    uint8_t cap, cap_id = pci_dev->config_map[address];
+    uint32_t val;
+
+    switch (cap_id) {
+
+    case PCI_CAP_ID_VPD:
+        cap = pci_find_capability(pci_dev, cap_id);
+        val = assigned_dev_pci_read(pci_dev, address, len);
+        return merge_bits(val, pci_get_long(pci_dev->config + address),
+                          address, len, cap + PCI_CAP_LIST_NEXT, 0xff);
+
+    case PCI_CAP_ID_VNDR:
+        cap = find_vndr_start(pci_dev, address);
+        val = assigned_dev_pci_read(pci_dev, address, len);
+        return merge_bits(val, pci_get_long(pci_dev->config + address),
+                          address, len, cap + PCI_CAP_LIST_NEXT, 0xff);
+    }
+
+    return pci_default_read_config(pci_dev, address, len);
+}
+
+static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev,
+                                                 uint32_t address,
                                                  uint32_t val, int len)
 {
     uint8_t cap_id = pci_dev->config_map[address];
@@ -1281,6 +1374,11 @@ static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev, uint32_t ad
 #endif
         break;
 #endif
+
+    case PCI_CAP_ID_VPD:
+    case PCI_CAP_ID_VNDR:
+        assigned_dev_pci_write(pci_dev, address, val, len);
+        break;
     }
 }
 
@@ -1300,7 +1398,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 #ifdef KVM_CAP_DEVICE_MSI
     /* Expose MSI capability
      * MSI capability is the 1st capability in capability config */
-    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI))) {
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI, 0))) {
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
         /* Only 32-bit/no-mask currently supported */
         if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos, 10)) < 0) {
@@ -1322,7 +1420,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 #endif
 #ifdef KVM_CAP_DEVICE_MSIX
     /* Expose MSI-X capability */
-    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX))) {
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX, 0))) {
         int bar_nr;
         uint32_t msix_table_entry;
 
@@ -1347,6 +1445,157 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 #endif
 #endif
 
+    /* Minimal PM support, nothing writable, device appears to NAK changes */
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_PM, 0))) {
+        uint16_t pmc;
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_PM, pos,
+                                      PCI_PM_SIZEOF)) < 0) {
+            return ret;
+        }
+
+        pmc = pci_get_word(pci_dev->config + pos + PCI_CAP_FLAGS);
+        pmc &= (PCI_PM_CAP_VER_MASK | PCI_PM_CAP_DSI);
+        pci_set_word(pci_dev->config + pos + PCI_CAP_FLAGS, pmc);
+
+        /* assign_device will bring the device up to D0, so we don't need
+         * to worry about doing that ourselves here. */
+        pci_set_word(pci_dev->config + pos + PCI_PM_CTRL,
+                     PCI_PM_CTRL_NO_SOFT_RST);
+
+        pci_set_byte(pci_dev->config + pos + PCI_PM_PPB_EXTENSIONS, 0);
+        pci_set_byte(pci_dev->config + pos + PCI_PM_DATA_REGISTER, 0);
+    }
+
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_EXP, 0))) {
+        uint8_t version;
+        uint16_t type, devctl, lnkcap, lnksta;
+        uint32_t devcap;
+        int size = 0x3c; /* version 2 size */
+
+        version = pci_get_byte(pci_dev->config + pos + PCI_EXP_FLAGS);
+        version &= PCI_EXP_FLAGS_VERS;
+        if (version == 1) {
+            size = 0x14;
+        } else if (version > 2) {
+            fprintf(stderr, "Unsupported PCI express capability version %d\n",
+                    version);
+            return -EINVAL;
+        }
+
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_EXP,
+                                      pos, size)) < 0) {
+            return ret;
+        }
+
+        type = pci_get_word(pci_dev->config + pos + PCI_EXP_FLAGS);
+        type = (type & PCI_EXP_FLAGS_TYPE) >> 8;
+        if (type != PCI_EXP_TYPE_ENDPOINT &&
+            type != PCI_EXP_TYPE_LEG_END && type != PCI_EXP_TYPE_RC_END) {
+            fprintf(stderr,
+                    "Device assignment only supports endpoint assignment, "
+                    "device type %d\n", type);
+            return -EINVAL;
+        }
+
+        /* capabilities, pass existing read-only copy
+         * PCI_EXP_FLAGS_IRQ: updated by hardware, should be direct read */
+
+        /* device capabilities: hide FLR */
+        devcap = pci_get_long(pci_dev->config + pos + PCI_EXP_DEVCAP);
+        devcap &= ~PCI_EXP_DEVCAP_FLR;
+        pci_set_long(pci_dev->config + pos + PCI_EXP_DEVCAP, devcap);
+
+        /* device control: clear all error reporting enable bits, leaving
+         *                 leaving only a few host values.  Note, these are
+         *                 all writable, but not passed to hw.
+         */
+        devctl = pci_get_word(pci_dev->config + pos + PCI_EXP_DEVCTL);
+        devctl = (devctl & (PCI_EXP_DEVCTL_READRQ | PCI_EXP_DEVCTL_PAYLOAD)) |
+                  PCI_EXP_DEVCTL_RELAX_EN | PCI_EXP_DEVCTL_NOSNOOP_EN;
+        pci_set_word(pci_dev->config + pos + PCI_EXP_DEVCTL, devctl);
+        devctl = PCI_EXP_DEVCTL_BCR_FLR | PCI_EXP_DEVCTL_AUX_PME;
+        pci_set_word(pci_dev->wmask + pos + PCI_EXP_DEVCTL, ~devctl);
+
+        /* Clear device status */
+        pci_set_word(pci_dev->config + pos + PCI_EXP_DEVSTA, 0);
+
+        /* Link capabilities, expose links and latencues, clear reporting */
+        lnkcap = pci_get_word(pci_dev->config + pos + PCI_EXP_LNKCAP);
+        lnkcap &= (PCI_EXP_LNKCAP_SLS | PCI_EXP_LNKCAP_MLW |
+                   PCI_EXP_LNKCAP_ASPMS | PCI_EXP_LNKCAP_L0SEL |
+                   PCI_EXP_LNKCAP_L1EL);
+        pci_set_word(pci_dev->config + pos + PCI_EXP_LNKCAP, lnkcap);
+        pci_set_word(pci_dev->wmask + pos + PCI_EXP_LNKCAP,
+                     PCI_EXP_LNKCTL_ASPMC | PCI_EXP_LNKCTL_RCB |
+                     PCI_EXP_LNKCTL_CCC | PCI_EXP_LNKCTL_ES |
+                     PCI_EXP_LNKCTL_CLKREQ_EN | PCI_EXP_LNKCTL_HAWD);
+
+        /* Link control, pass existing read-only copy.  Should be writable? */
+
+        /* Link status, only expose current speed and width */
+        lnksta = pci_get_word(pci_dev->config + pos + PCI_EXP_LNKSTA);
+        lnksta &= (PCI_EXP_LNKSTA_CLS | PCI_EXP_LNKSTA_NLW);
+        pci_set_word(pci_dev->config + pos + PCI_EXP_LNKSTA, lnksta);
+
+        if (version >= 2) {
+            /* Slot capabilities, control, status - not needed for endpoints */
+            pci_set_long(pci_dev->config + pos + PCI_EXP_SLTCAP, 0);
+            pci_set_word(pci_dev->config + pos + PCI_EXP_SLTCTL, 0);
+            pci_set_word(pci_dev->config + pos + PCI_EXP_SLTSTA, 0);
+
+            /* Root control, capabilities, status - not needed for endpoints */
+            pci_set_word(pci_dev->config + pos + PCI_EXP_RTCTL, 0);
+            pci_set_word(pci_dev->config + pos + PCI_EXP_RTCAP, 0);
+            pci_set_long(pci_dev->config + pos + PCI_EXP_RTSTA, 0);
+
+            /* Device capabilities/control 2, pass existing read-only copy */
+            /* Link control 2, pass existing read-only copy */
+        }
+    }
+
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_PCIX, 0))) {
+        uint16_t cmd;
+        uint32_t status;
+
+        /* Only expose the minimum, 8 byte capability */
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_PCIX, pos, 8)) < 0) {
+            return ret;
+        }
+
+        /* Command register, clear upper bits, including extended modes */
+        cmd = pci_get_word(pci_dev->config + pos + PCI_X_CMD);
+        cmd &= (PCI_X_CMD_DPERR_E | PCI_X_CMD_ERO | PCI_X_CMD_MAX_READ |
+                PCI_X_CMD_MAX_SPLIT);
+        pci_set_word(pci_dev->config + pos + PCI_X_CMD, cmd);
+
+        /* Status register, update with emulated PCI bus location, clear
+         * error bits, leave the rest. */
+        status = pci_get_long(pci_dev->config + pos + PCI_X_STATUS);
+        status &= ~(PCI_X_STATUS_BUS | PCI_X_STATUS_DEVFN);
+        status |= (pci_bus_num(pci_dev->bus) << 8) | pci_dev->devfn;
+        status &= ~(PCI_X_STATUS_SPL_DISC | PCI_X_STATUS_UNX_SPL |
+                    PCI_X_STATUS_SPL_ERR);
+        pci_set_long(pci_dev->config + pos + PCI_X_STATUS, status);
+    }
+
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_VPD, 0))) {
+        /* Direct R/W passthrough */
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_VPD, pos, 8)) < 0) {
+            return ret;
+        }
+    }
+
+    /* Devices can have multiple vendor capabilities, get them all */
+    for (pos = 0; (pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_VNDR, pos));
+        pos += PCI_CAP_LIST_NEXT) {
+        uint8_t len = pci_get_byte(pci_dev->config + pos + PCI_CAP_FLAGS);
+        /* Direct R/W passthrough */
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_VNDR,
+                                      pos, len)) < 0) {
+            return ret;
+        }
+    }
+
     return 0;
 }
 
commit ff26d407b43449d9e59284cce2afc8c9c9324776
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Dec 6 09:22:56 2010 -0700

    device-assignment: Error checking when adding capabilities
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 1a90a89..0ae04de 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1288,7 +1288,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 {
     AssignedDevice *dev = container_of(pci_dev, AssignedDevice, dev);
     PCIRegion *pci_region = dev->real_device.regions;
-    int pos;
+    int ret, pos;
 
     /* Clear initial capabilities pointer and status copied from hw */
     pci_set_byte(pci_dev->config + PCI_CAPABILITY_LIST, 0);
@@ -1303,7 +1303,9 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
     if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI))) {
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
         /* Only 32-bit/no-mask currently supported */
-        pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos, 10);
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos, 10)) < 0) {
+            return ret;
+        }
 
         pci_set_word(pci_dev->config + pos + PCI_MSI_FLAGS,
                      pci_get_word(pci_dev->config + pos + PCI_MSI_FLAGS) &
@@ -1325,7 +1327,9 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
         uint32_t msix_table_entry;
 
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSIX;
-        pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, pos, 12);
+        if ((ret = pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, pos, 12)) < 0) {
+            return ret;
+        }
 
         pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS,
                      pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) &
commit 15ddab0ae48b7b7ac8a154d9df7e37b9cd4583a3
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Dec 6 09:22:48 2010 -0700

    pci: Error on PCI capability collisions
    
    Nothing good can happen when we overlap capabilities
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index b08113d..288d6fd 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1845,6 +1845,20 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
         if (!offset) {
             return -ENOSPC;
         }
+    } else {
+        int i;
+
+        for (i = offset; i < offset + size; i++) {
+            if (pdev->config_map[i]) {
+                fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
+                        "Attempt to add PCI capability %x at offset "
+                        "%x overlaps existing capability %x at offset %x\n",
+                        pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
+                        PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
+                        cap_id, offset, pdev->config_map[i], i);
+                return -EFAULT;
+            }
+        }
     }
 
     config = pdev->config + offset;
commit 3de4c3634b341335f2750a517eb9754dcc3b580f
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Dec 6 09:22:38 2010 -0700

    pci: Remove PCI_CAPABILITY_CONFIG_*
    
    Half of these aren't used anywhere, the other half are wrong.  Now that
    device assignment is trying to match physical hardware offsets for PCI
    capabilities, we can't round up the MSI and MSI-X length.  MSI-X is
    always 12 bytes.  MSI is variable length depending on features, but for
    the current device assignment implementation, it's always the minimum
    length of 10 bytes.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 6d6e657..1a90a89 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1302,10 +1302,9 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
      * MSI capability is the 1st capability in capability config */
     if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI))) {
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
-        pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos,
-                           PCI_CAPABILITY_CONFIG_MSI_LENGTH);
-
         /* Only 32-bit/no-mask currently supported */
+        pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos, 10);
+
         pci_set_word(pci_dev->config + pos + PCI_MSI_FLAGS,
                      pci_get_word(pci_dev->config + pos + PCI_MSI_FLAGS) &
                      PCI_MSI_FLAGS_QMASK);
@@ -1326,8 +1325,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
         uint32_t msix_table_entry;
 
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSIX;
-        pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, pos,
-                           PCI_CAPABILITY_CONFIG_MSIX_LENGTH);
+        pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, pos, 12);
 
         pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS,
                      pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) &
diff --git a/hw/pci.h b/hw/pci.h
index 34955d8..d579738 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -122,11 +122,6 @@ enum {
     QEMU_PCI_CAP_MULTIFUNCTION = (1 << QEMU_PCI_CAP_MULTIFUNCTION_BITNR),
 };
 
-#define PCI_CAPABILITY_CONFIG_MAX_LENGTH 0x60
-#define PCI_CAPABILITY_CONFIG_DEFAULT_START_ADDR 0x40
-#define PCI_CAPABILITY_CONFIG_MSI_LENGTH 0x10
-#define PCI_CAPABILITY_CONFIG_MSIX_LENGTH 0x10
-
 typedef int (*msix_mask_notifier_func)(PCIDevice *, unsigned vector,
 				       int masked);
 
commit 058d2ef893549363860c89ad5971ea5f0ab05114
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Dec 6 09:22:10 2010 -0700

    device-assignment: Fix off-by-one in header check
    
    Include the first byte at 40h or else access might go to the
    hardware instead of the emulated config space, resulting in
    capability loops, since the ordering is different.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 832c236..6d6e657 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -410,7 +410,7 @@ static void assigned_dev_pci_write_config(PCIDevice *d, uint32_t address,
           ((d->devfn >> 3) & 0x1F), (d->devfn & 0x7),
           (uint16_t) address, val, len);
 
-    if (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
+    if (address >= PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
         return assigned_device_pci_cap_write_config(d, address, val, len);
     }
 
@@ -456,7 +456,7 @@ static uint32_t assigned_dev_pci_read_config(PCIDevice *d, uint32_t address,
     if (address < 0x4 || (pci_dev->need_emulate_cmd && address == 0x4) ||
 	(address >= 0x10 && address <= 0x24) || address == 0x30 ||
         address == 0x34 || address == 0x3c || address == 0x3d ||
-        (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address])) {
+        (address >= PCI_CONFIG_HEADER_SIZE && d->config_map[address])) {
         val = pci_default_read_config(d, address, len);
         DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
               (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
commit 3a019b6e6ad64e4df452a15dced6c954e45246c4
Author: Wen Congyang <wency at cn.fujitsu.com>
Date:   Thu Nov 25 09:06:05 2010 +0800

    correct migrate_set_speed's args_type
    
    The args_type of migrate_set_speed in qmp-commands.hx is wrong.
    When we set migrate speed by json, qemu will be core dumped.
    
    This bug was caused by 07de3e60b05 and hence affects master only.
    
    Signed-off-by: Wen Congyang <wency at cn.fujitsu.com>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/qmp-commands.hx b/qmp-commands.hx
index e5f157f..3486223 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -495,7 +495,7 @@ EQMP
 
     {
         .name       = "migrate_set_speed",
-        .args_type  = "value:f",
+        .args_type  = "value:o",
         .params     = "value",
         .help       = "set maximum speed (in bytes) for migrations",
         .user_print = monitor_user_noop,
commit 83a27d4d1c7e6179bd6e5e8bfa505f62c402e999
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Nov 22 17:10:37 2010 -0200

    QMP: Simplify monitor_json_emitter()
    
    Use the ternary operator instead of an if (also fixes bad indentation).
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 1e8b1fc..f1aebc1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -351,10 +351,8 @@ static void monitor_json_emitter(Monitor *mon, const QObject *data)
 {
     QString *json;
 
-    if (mon->flags & MONITOR_USE_PRETTY)
-	json = qobject_to_json_pretty(data);
-    else
-	json = qobject_to_json(data);
+    json = mon->flags & MONITOR_USE_PRETTY ? qobject_to_json_pretty(data) :
+                                             qobject_to_json(data);
     assert(json != NULL);
 
     qstring_append_chr(json, '\n');
commit 6d44143054293995c5e92fbddbd1ee92846013cc
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Nov 22 16:35:09 2010 -0200

    QMP: Drop dead code
    
    The first if/else clause in handler_audit() makes no sense for two
    reasons:
    
      1. this function is now called only by QMP code, so testing if
         it's a QMP call makes no sense anymore
    
      2. the else clause first asserts that there's no error in the
         monitor object, then it tries to free it!
    
    Just drop it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 1296c40..1e8b1fc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3891,49 +3891,43 @@ void monitor_set_error(Monitor *mon, QError *qerror)
 
 static void handler_audit(Monitor *mon, const mon_cmd_t *cmd, int ret)
 {
-    if (monitor_ctrl_mode(mon)) {
-        if (ret && !monitor_has_error(mon)) {
-            /*
-             * If it returns failure, it must have passed on error.
-             *
-             * Action: Report an internal error to the client if in QMP.
-             */
-            qerror_report(QERR_UNDEFINED_ERROR);
-            MON_DEBUG("command '%s' returned failure but did not pass an error\n",
-                      cmd->name);
-        }
+    if (ret && !monitor_has_error(mon)) {
+        /*
+         * If it returns failure, it must have passed on error.
+         *
+         * Action: Report an internal error to the client if in QMP.
+         */
+        qerror_report(QERR_UNDEFINED_ERROR);
+        MON_DEBUG("command '%s' returned failure but did not pass an error\n",
+                  cmd->name);
+    }
 
 #ifdef CONFIG_DEBUG_MONITOR
-        if (!ret && monitor_has_error(mon)) {
-            /*
-             * If it returns success, it must not have passed an error.
-             *
-             * Action: Report the passed error to the client.
-             */
-            MON_DEBUG("command '%s' returned success but passed an error\n",
-                      cmd->name);
-        }
-
-        if (mon_print_count_get(mon) > 0 && strcmp(cmd->name, "info") != 0) {
-            /*
-             * Handlers should not call Monitor print functions.
-             *
-             * Action: Ignore them in QMP.
-             *
-             * (XXX: we don't check any 'info' or 'query' command here
-             * because the user print function _is_ called by do_info(), hence
-             * we will trigger this check. This problem will go away when we
-             * make 'query' commands real and kill do_info())
-             */
-            MON_DEBUG("command '%s' called print functions %d time(s)\n",
-                      cmd->name, mon_print_count_get(mon));
-        }
-#endif
-    } else {
-        assert(!monitor_has_error(mon));
-        QDECREF(mon->error);
-        mon->error = NULL;
+    if (!ret && monitor_has_error(mon)) {
+        /*
+         * If it returns success, it must not have passed an error.
+         *
+         * Action: Report the passed error to the client.
+         */
+        MON_DEBUG("command '%s' returned success but passed an error\n",
+                  cmd->name);
+    }
+
+    if (mon_print_count_get(mon) > 0 && strcmp(cmd->name, "info") != 0) {
+        /*
+         * Handlers should not call Monitor print functions.
+         *
+         * Action: Ignore them in QMP.
+         *
+         * (XXX: we don't check any 'info' or 'query' command here
+         * because the user print function _is_ called by do_info(), hence
+         * we will trigger this check. This problem will go away when we
+         * make 'query' commands real and kill do_info())
+         */
+        MON_DEBUG("command '%s' called print functions %d time(s)\n",
+                  cmd->name, mon_print_count_get(mon));
     }
+#endif
 }
 
 static void handle_user_command(Monitor *mon, const char *cmdline)
commit c01e68853148764d32c3a27ab4b39cb553c567fc
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Nov 22 16:22:47 2010 -0200

    QMP: Fix default response regression
    
    Commit 030db6e89d dropped do_info() usage from QMP and introduced
    qmp_call_query_cmd(). However, the new function doesn't emit QMP's
    default OK response when the handler doesn't return data.
    
    Fix that by also calling monitor_protocol_emitter() when
    ret_data == NULL, so that the default response is emitted.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index ec31eac..1296c40 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4464,10 +4464,8 @@ static void qmp_call_query_cmd(Monitor *mon, const mon_cmd_t *cmd)
         }
     } else {
         cmd->mhandler.info_new(mon, &ret_data);
-        if (ret_data) {
-            monitor_protocol_emitter(mon, ret_data);
-            qobject_decref(ret_data);
-        }
+        monitor_protocol_emitter(mon, ret_data);
+        qobject_decref(ret_data);
     }
 }
 
commit 2c90fe2b71df2534884bce96d90cbfcc93aeedb8
Author: Kirill Batuzov <batuzovk at ispras.ru>
Date:   Thu Dec 2 16:12:46 2010 +0300

    Speedup 'tb_find_slow' by using the same heuristic as during memory page lookup
    
    Move the last found TB to the head of the list so it will be found more quickly next time it will be looked for.
    
    Signed-off-by: Kirill Batuzov <batuzovk at ispras.ru>
    Signed-off-by: Pavel Yushchenko <pau at ispras.ru>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cpu-exec.c b/cpu-exec.c
index dbdfdcc..39e5eea 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -167,6 +167,12 @@ static TranslationBlock *tb_find_slow(target_ulong pc,
     tb = tb_gen_code(env, pc, cs_base, flags, 0);
 
  found:
+    /* Move the last found TB to the head of the list */
+    if (likely(*ptb1)) {
+        *ptb1 = tb->phys_hash_next;
+        tb->phys_hash_next = tb_phys_hash[h];
+        tb_phys_hash[h] = tb;
+    }
     /* we add the TB in the virtual pc hash table */
     env->tb_jmp_cache[tb_jmp_cache_hash_func(pc)] = tb;
     return tb;
commit 53016fa69c1fc7ed257272f36cb84b6623f73332
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Dec 1 19:44:38 2010 +0000

    Remove unused spin_trylock() function
    
    Remove the spin_trylock() function, as it is not used anywhere,
    and is not even implemented if CONFIG_USE_NPTL is defined.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-lock.h b/qemu-lock.h
index 9a3e6ac..65ca084 100644
--- a/qemu-lock.h
+++ b/qemu-lock.h
@@ -224,11 +224,6 @@ static inline void spin_unlock(spinlock_t *lock)
 {
     resetlock(lock);
 }
-
-static inline int spin_trylock(spinlock_t *lock)
-{
-    return !testandset(lock);
-}
 #else
 static inline void spin_lock(spinlock_t *lock)
 {
@@ -237,11 +232,6 @@ static inline void spin_lock(spinlock_t *lock)
 static inline void spin_unlock(spinlock_t *lock)
 {
 }
-
-static inline int spin_trylock(spinlock_t *lock)
-{
-    return 1;
-}
 #endif
 
 #endif
commit edcdd562baff02bb8de974c46a2b984b7d5b0da9
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Nov 15 21:00:48 2010 +0100

    darwin-user: Use GCC_FMT_ATTR (format checking)
    
    The redundant forward declaration of qerror in machload.c
    is removed because it should be taken from qemu.h.
    
    Please note that this patch is untested because
    I have no matching environment to compile it.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/darwin-user/machload.c b/darwin-user/machload.c
index 4bb5c72..3bc3b65 100644
--- a/darwin-user/machload.c
+++ b/darwin-user/machload.c
@@ -82,7 +82,7 @@ void *macho_text_sect = 0;
 int   macho_offset = 0;
 
 int load_object(const char *filename, struct target_pt_regs * regs, void ** mh);
-void qerror(const char *format, ...);
+
 #ifdef TARGET_I386
 typedef struct mach_i386_thread_state {
     unsigned int    eax;
diff --git a/darwin-user/qemu.h b/darwin-user/qemu.h
index 0c5081b..b6d3e6c 100644
--- a/darwin-user/qemu.h
+++ b/darwin-user/qemu.h
@@ -100,7 +100,7 @@ int do_sigaction(int sig, const struct sigaction *act,
 int do_sigaltstack(const struct sigaltstack *ss, struct sigaltstack *oss);
 
 void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
-void qerror(const char *fmt, ...);
+void qerror(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 
 void write_dt(void *ptr, unsigned long addr, unsigned long limit, int flags);
 
commit ab9de3692e34dc874ce44c7905590ef98445ce33
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Nov 15 20:54:12 2010 +0100

    audio: Use GCC_FMT_ATTR (format checking)
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/audio/audio_pt_int.c b/audio/audio_pt_int.c
index f15cc70..908c569 100644
--- a/audio/audio_pt_int.c
+++ b/audio/audio_pt_int.c
@@ -8,7 +8,8 @@
 
 #include <signal.h>
 
-static void logerr (struct audio_pt *pt, int err, const char *fmt, ...)
+static void GCC_FMT_ATTR(3, 4) logerr (struct audio_pt *pt, int err,
+                                       const char *fmt, ...)
 {
     va_list ap;
 
commit 047b39e47ca07cf68bdf4074031e8e41bf7de641
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Nov 15 19:58:41 2010 +0100

    target-sparc: Use fprintf_function (format checking)
    
    This change was missing in commit
    9a78eead0c74333a394c0f7bbfc4423ac746fcd5.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index 3e93bbb..1be66e7 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -2,6 +2,7 @@
 #define CPU_SPARC_H
 
 #include "config.h"
+#include "qemu-common.h"
 
 #if !defined(TARGET_SPARC64)
 #define TARGET_LONG_BITS 32
@@ -442,8 +443,7 @@ typedef struct CPUSPARCState {
 /* helper.c */
 CPUSPARCState *cpu_sparc_init(const char *cpu_model);
 void cpu_sparc_set_id(CPUSPARCState *env, unsigned int cpu);
-void sparc_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt,
-                                                 ...));
+void sparc_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 int cpu_sparc_handle_mmu_fault(CPUSPARCState *env1, target_ulong address, int rw,
                                int mmu_idx, int is_softmmu);
 #define cpu_handle_mmu_fault cpu_sparc_handle_mmu_fault
commit 6e2d864edf5ef4d75e2fec061f4cd247b4d315be
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Nov 15 19:39:43 2010 +0100

    *-dis: Replace fprintf_ftype by fprintf_function (format checking)
    
    This patch adds more printf format checking.
    
    Additional modifications were needed for this code change:
    
    * alpha-dis.c: The local definition of MAX conflicts with
      a previous definition from osdep.h, so add an #undef.
    
    * dis-asm.h: Add include for fprintf_function (qemu-common.h).
      The standard (now redundant) includes are removed.
    
    * mis-dis.c: The definition of ARRAY_SIZE is no longer needed
      and must be removed (conflict with previous definition from
      qemu-common.h).
    
    * sh4-dis.c: Remove some unneeded forward declarations.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/alpha-dis.c b/alpha-dis.c
index 970da5b..8a2411e 100644
--- a/alpha-dis.c
+++ b/alpha-dis.c
@@ -22,6 +22,9 @@ along with this file; see the file COPYING.  If not, see
 #include <stdio.h>
 #include "dis-asm.h"
 
+/* MAX is redefined below, so remove any previous definition. */
+#undef MAX
+
 /* The opcode table is an array of struct alpha_opcode.  */
 
 struct alpha_opcode
diff --git a/arm-dis.c b/arm-dis.c
index fe7ac99..af21739 100644
--- a/arm-dis.c
+++ b/arm-dis.c
@@ -1587,7 +1587,7 @@ arm_decode_bitfield (const char *ptr, unsigned long insn,
 }
 
 static void
-arm_decode_shift (long given, fprintf_ftype func, void *stream,
+arm_decode_shift (long given, fprintf_function func, void *stream,
 		  int print_shift)
 {
   func (stream, "%s", arm_regnames[given & 0xf]);
@@ -1633,7 +1633,7 @@ print_insn_coprocessor (bfd_vma pc, struct disassemble_info *info, long given,
 {
   const struct opcode32 *insn;
   void *stream = info->stream;
-  fprintf_ftype func = info->fprintf_func;
+  fprintf_function func = info->fprintf_func;
   unsigned long mask;
   unsigned long value;
   int cond;
@@ -2127,7 +2127,7 @@ static void
 print_arm_address (bfd_vma pc, struct disassemble_info *info, long given)
 {
   void *stream = info->stream;
-  fprintf_ftype func = info->fprintf_func;
+  fprintf_function func = info->fprintf_func;
 
   if (((given & 0x000f0000) == 0x000f0000)
       && ((given & 0x02000000) == 0))
@@ -2222,7 +2222,7 @@ print_insn_neon (struct disassemble_info *info, long given, bfd_boolean thumb)
 {
   const struct opcode32 *insn;
   void *stream = info->stream;
-  fprintf_ftype func = info->fprintf_func;
+  fprintf_function func = info->fprintf_func;
 
   if (thumb)
     {
@@ -2676,7 +2676,7 @@ print_insn_arm_internal (bfd_vma pc, struct disassemble_info *info, long given)
 {
   const struct opcode32 *insn;
   void *stream = info->stream;
-  fprintf_ftype func = info->fprintf_func;
+  fprintf_function func = info->fprintf_func;
 
   if (print_insn_coprocessor (pc, info, given, false))
     return;
@@ -3036,7 +3036,7 @@ print_insn_thumb16 (bfd_vma pc, struct disassemble_info *info, long given)
 {
   const struct opcode16 *insn;
   void *stream = info->stream;
-  fprintf_ftype func = info->fprintf_func;
+  fprintf_function func = info->fprintf_func;
 
   for (insn = thumb_opcodes; insn->assembler; insn++)
     if ((given & insn->mask) == insn->value)
@@ -3312,7 +3312,7 @@ print_insn_thumb32 (bfd_vma pc, struct disassemble_info *info, long given)
 {
   const struct opcode32 *insn;
   void *stream = info->stream;
-  fprintf_ftype func = info->fprintf_func;
+  fprintf_function func = info->fprintf_func;
 
   if (print_insn_coprocessor (pc, info, given, true))
     return;
diff --git a/dis-asm.h b/dis-asm.h
index 9b9657e..3fb4838 100644
--- a/dis-asm.h
+++ b/dis-asm.h
@@ -9,11 +9,7 @@
 #ifndef DIS_ASM_H
 #define DIS_ASM_H
 
-#include <stdlib.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-#include <inttypes.h>
+#include "qemu-common.h"
 
 typedef void *PTR;
 typedef uint64_t bfd_vma;
@@ -237,8 +233,6 @@ typedef struct symbol_cache_entry
     } udata;
 } asymbol;
 
-typedef int (*fprintf_ftype) (FILE*, const char*, ...);
-
 enum dis_insn_type {
   dis_noninsn,			/* Not a valid instruction */
   dis_nonbranch,		/* Not a branch instruction */
@@ -261,7 +255,7 @@ enum dis_insn_type {
    by hand, or using one of the initialization macros below.  */
 
 typedef struct disassemble_info {
-  fprintf_ftype fprintf_func;
+  fprintf_function fprintf_func;
   FILE *stream;
   PTR application_data;
 
diff --git a/m68k-dis.c b/m68k-dis.c
index d93943e..04f837a 100644
--- a/m68k-dis.c
+++ b/m68k-dis.c
@@ -1732,7 +1732,7 @@ match_insn_m68k (bfd_vma memaddr,
   const char *d;
 
   bfd_byte *buffer = priv->the_buffer;
-  fprintf_ftype save_printer = info->fprintf_func;
+  fprintf_function save_printer = info->fprintf_func;
   void (* save_print_address) (bfd_vma, struct disassemble_info *)
     = info->print_address_func;
 
diff --git a/microblaze-dis.c b/microblaze-dis.c
index 7694a43..16c312f 100644
--- a/microblaze-dis.c
+++ b/microblaze-dis.c
@@ -789,7 +789,7 @@ read_insn_microblaze (bfd_vma memaddr,
 int 
 print_insn_microblaze (bfd_vma memaddr, struct disassemble_info * info)
 {
-  fprintf_ftype       fprintf_func = info->fprintf_func;
+  fprintf_function    fprintf_func = info->fprintf_func;
   void *              stream = info->stream;
   unsigned long       inst, prev_inst;
   struct op_code_struct * op, *pop;
diff --git a/mips-dis.c b/mips-dis.c
index 279b591..4d8e85b 100644
--- a/mips-dis.c
+++ b/mips-dis.c
@@ -3117,8 +3117,6 @@ struct mips_arch_choice
 #define bfd_mach_mipsisa64             64
 #define bfd_mach_mipsisa64r2           65
 
-#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
-
 static const struct mips_arch_choice mips_arch_choices[] =
 {
   { "numeric",	0, 0, 0, 0,
diff --git a/sh4-dis.c b/sh4-dis.c
index 078a6b2..673bc78 100644
--- a/sh4-dis.c
+++ b/sh4-dis.c
@@ -1163,15 +1163,9 @@ const sh_opcode_info sh_table[] =
 #define INCLUDE_SHMEDIA
 #endif
 
-static void print_movxy
-  (const sh_opcode_info *, int, int, fprintf_ftype, void *);
-static void print_insn_ddt (int, struct disassemble_info *);
-static void print_dsp_reg (int, fprintf_ftype, void *);
-static void print_insn_ppi (int, struct disassemble_info *);
-
 static void
 print_movxy (const sh_opcode_info *op, int rn, int rm,
-	     fprintf_ftype fprintf_fn, void *stream)
+             fprintf_function fprintf_fn, void *stream)
 {
   int n;
 
@@ -1247,7 +1241,7 @@ print_movxy (const sh_opcode_info *op, int rn, int rm,
 static void
 print_insn_ddt (int insn, struct disassemble_info *info)
 {
-  fprintf_ftype fprintf_fn = info->fprintf_func;
+  fprintf_function fprintf_fn = info->fprintf_func;
   void *stream = info->stream;
 
   /* If this is just a nop, make sure to emit something.  */
@@ -1332,7 +1326,7 @@ print_insn_ddt (int insn, struct disassemble_info *info)
 }
 
 static void
-print_dsp_reg (int rm, fprintf_ftype fprintf_fn, void *stream)
+print_dsp_reg (int rm, fprintf_function fprintf_fn, void *stream)
 {
   switch (rm)
     {
@@ -1377,7 +1371,7 @@ print_insn_ppi (int field_b, struct disassemble_info *info)
 {
   static const char *sx_tab[] = { "x0", "x1", "a0", "a1" };
   static const char *sy_tab[] = { "y0", "y1", "m0", "m1" };
-  fprintf_ftype fprintf_fn = info->fprintf_func;
+  fprintf_function fprintf_fn = info->fprintf_func;
   void *stream = info->stream;
   unsigned int nib1, nib2, nib3;
   unsigned int altnib1, nib4;
@@ -1520,7 +1514,7 @@ print_insn_ppi (int field_b, struct disassemble_info *info)
 int
 print_insn_sh (bfd_vma memaddr, struct disassemble_info *info)
 {
-  fprintf_ftype fprintf_fn = info->fprintf_func;
+  fprintf_function fprintf_fn = info->fprintf_func;
   void *stream = info->stream;
   unsigned char insn[4];
   unsigned char nibs[8];
commit e6e055c9d79c665de200fc46c746d403d3d943ad
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Dec 4 17:37:35 2010 +0000

    Fix mingw32 and OpenBSD warnings
    
    ffsl() is not universally available, so there are these warnings
    on both mingw32 and OpenBSD:
    /src/qemu/hw/pcie_aer.c: In function 'pcie_aer_update_log':
    /src/qemu/hw/pcie_aer.c:399: warning: implicit declaration of function 'ffsl'
    
    Since status field in PCIEAERErr is uint32_t, we can just use ffs() instead.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index 235ac53..47d6400 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -396,7 +396,7 @@ static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
 static void pcie_aer_update_log(PCIDevice *dev, const PCIEAERErr *err)
 {
     uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
-    uint8_t first_bit = ffsl(err->status) - 1;
+    uint8_t first_bit = ffs(err->status) - 1;
     uint32_t errcap = pci_get_long(aer_cap + PCI_ERR_CAP);
     int i;
 
commit bcd478781ab1d11911ab5505c34b5577de904eeb
Merge: db1923d... b2e7aab...
Author: Edgar E. Iglesias <edgar at axis.com>
Date:   Sat Dec 4 04:18:28 2010 +0100

    Merge branch 'linux-user-for-upstream' of git://gitorious.org/qemu-maemo/qemu
    
    * 'linux-user-for-upstream' of git://gitorious.org/qemu-maemo/qemu:
      linux-user: fix mips and ppc to use UID16
      update binfmt conf
      linux-user: fix compiler error on nptl
      ARM: linux-user: Restore iWMMXT state from ucontext on sigreturn
      ARM: linux-user: Expose iWMMXT registers to signal handlers
      ARM: linux-user: Restore VFP state from ucontext on sigreturn
      ARM: linux-user: Expose VFP registers to signal handlers
      ARM: Expose vfp_get_fpscr() and vfp_set_fpscr() to C code
      ARM: linux-user: Correct size of padding in target_ucontext_v2
      target-sparc: remove unused functions cpu_lock(), cpu_unlock()
      ARM: enable XScale/iWMMXT in linux-user mode
      linux-user: Translate getsockopt level option
      linux-user: remove unnecessary local from __get_user(), __put_user()
      linux-user: fix memory leaks with NPTL emulation
      linux-user: mmap_reserve() not controlled by RESERVED_VA
      [PATCH] target-arm: remove unused functions cpu_lock(), cpu_unlock()

commit db1923de6099fd2d1eee0693757a639978b15e1b
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Dec 3 17:09:01 2010 +0000

    exec: Remove debugging fprintf() that slipped into qemu_ram_alloc_from_ptr()
    
    Remove the debugging fprintf() slipped in via the following commit:
    
        commit b2e0a138e77245290428a7d599a929e2e1bfe510
        Author: Michael S. Tsirkin <mst at redhat.com>
        Date:   Mon Nov 22 19:52:34 2010 +0200
    
            migration: stable ram block ordering
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/exec.c b/exec.c
index 6c8f635..42a35e0 100644
--- a/exec.c
+++ b/exec.c
@@ -2858,7 +2858,6 @@ ram_addr_t qemu_ram_alloc_from_ptr(DeviceState *dev, const char *name,
     new_block->length = size;
 
     QLIST_INSERT_HEAD(&ram_list.blocks, new_block, next);
-    fprintf(stderr, "alloc ram %s len 0x%x\n", new_block->idstr, (int)new_block->length);
 
     ram_list.phys_dirty = qemu_realloc(ram_list.phys_dirty,
                                        last_ram_offset() >> TARGET_PAGE_BITS);
commit b2e7aab2502260a18c68072f6b6e4271385663c4
Author: Martin Mohring <martin.mohring at 5edatasoft.com>
Date:   Sun Nov 7 20:31:57 2010 +0100

    linux-user: fix mips and ppc to use UID16
    
    Signed-off-by: Martin Mohring <martin.mohring at 5edatasoft.com>
    Signed-off-by: Jan-Simon Möller <jsmoeller at linuxfoundation.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/mips/syscall_nr.h b/linux-user/mips/syscall_nr.h
index 8228616..0595308 100644
--- a/linux-user/mips/syscall_nr.h
+++ b/linux-user/mips/syscall_nr.h
@@ -18,15 +18,15 @@
 #define TARGET_NR_time			(TARGET_NR_Linux +  13)
 #define TARGET_NR_mknod			(TARGET_NR_Linux +  14)
 #define TARGET_NR_chmod			(TARGET_NR_Linux +  15)
-#define TARGET_NR_lchown32		(TARGET_NR_Linux +  16)
+#define TARGET_NR_lchown		(TARGET_NR_Linux +  16)
 #define TARGET_NR_break			(TARGET_NR_Linux +  17)
 #define TARGET_NR_unused18		(TARGET_NR_Linux +  18)
 #define TARGET_NR_lseek			(TARGET_NR_Linux +  19)
 #define TARGET_NR_getpid		(TARGET_NR_Linux +  20)
 #define TARGET_NR_mount			(TARGET_NR_Linux +  21)
 #define TARGET_NR_umount		(TARGET_NR_Linux +  22)
-#define TARGET_NR_setuid32		(TARGET_NR_Linux +  23)
-#define TARGET_NR_getuid32		(TARGET_NR_Linux +  24)
+#define TARGET_NR_setuid		(TARGET_NR_Linux +  23)
+#define TARGET_NR_getuid		(TARGET_NR_Linux +  24)
 #define TARGET_NR_stime			(TARGET_NR_Linux +  25)
 #define TARGET_NR_ptrace		(TARGET_NR_Linux +  26)
 #define TARGET_NR_alarm			(TARGET_NR_Linux +  27)
@@ -48,11 +48,11 @@
 #define TARGET_NR_times			(TARGET_NR_Linux +  43)
 #define TARGET_NR_prof			(TARGET_NR_Linux +  44)
 #define TARGET_NR_brk			(TARGET_NR_Linux +  45)
-#define TARGET_NR_setgid32		(TARGET_NR_Linux +  46)
-#define TARGET_NR_getgid32		(TARGET_NR_Linux +  47)
+#define TARGET_NR_setgid		(TARGET_NR_Linux +  46)
+#define TARGET_NR_getgid		(TARGET_NR_Linux +  47)
 #define TARGET_NR_signal		(TARGET_NR_Linux +  48)
-#define TARGET_NR_geteuid32		(TARGET_NR_Linux +  49)
-#define TARGET_NR_getegid32		(TARGET_NR_Linux +  50)
+#define TARGET_NR_geteuid		(TARGET_NR_Linux +  49)
+#define TARGET_NR_getegid		(TARGET_NR_Linux +  50)
 #define TARGET_NR_acct			(TARGET_NR_Linux +  51)
 #define TARGET_NR_umount2		(TARGET_NR_Linux +  52)
 #define TARGET_NR_lock			(TARGET_NR_Linux +  53)
@@ -72,8 +72,8 @@
 #define TARGET_NR_sigaction		(TARGET_NR_Linux +  67)
 #define TARGET_NR_sgetmask		(TARGET_NR_Linux +  68)
 #define TARGET_NR_ssetmask		(TARGET_NR_Linux +  69)
-#define TARGET_NR_setreuid32		(TARGET_NR_Linux +  70)
-#define TARGET_NR_setregid32		(TARGET_NR_Linux +  71)
+#define TARGET_NR_setreuid		(TARGET_NR_Linux +  70)
+#define TARGET_NR_setregid		(TARGET_NR_Linux +  71)
 #define TARGET_NR_sigsuspend		(TARGET_NR_Linux +  72)
 #define TARGET_NR_sigpending		(TARGET_NR_Linux +  73)
 #define TARGET_NR_sethostname		(TARGET_NR_Linux +  74)
@@ -82,8 +82,8 @@
 #define TARGET_NR_getrusage		(TARGET_NR_Linux +  77)
 #define TARGET_NR_gettimeofday		(TARGET_NR_Linux +  78)
 #define TARGET_NR_settimeofday		(TARGET_NR_Linux +  79)
-#define TARGET_NR_getgroups32		(TARGET_NR_Linux +  80)
-#define TARGET_NR_setgroups32		(TARGET_NR_Linux +  81)
+#define TARGET_NR_getgroups		(TARGET_NR_Linux +  80)
+#define TARGET_NR_setgroups		(TARGET_NR_Linux +  81)
 #define TARGET_NR_reserved82		(TARGET_NR_Linux +  82)
 #define TARGET_NR_symlink		(TARGET_NR_Linux +  83)
 #define TARGET_NR_unused84		(TARGET_NR_Linux +  84)
@@ -97,7 +97,7 @@
 #define TARGET_NR_truncate		(TARGET_NR_Linux +  92)
 #define TARGET_NR_ftruncate		(TARGET_NR_Linux +  93)
 #define TARGET_NR_fchmod		(TARGET_NR_Linux +  94)
-#define TARGET_NR_fchown32		(TARGET_NR_Linux +  95)
+#define TARGET_NR_fchown		(TARGET_NR_Linux +  95)
 #define TARGET_NR_getpriority		(TARGET_NR_Linux +  96)
 #define TARGET_NR_setpriority		(TARGET_NR_Linux +  97)
 #define TARGET_NR_profil		(TARGET_NR_Linux +  98)
@@ -140,8 +140,8 @@
 #define TARGET_NR_sysfs			(TARGET_NR_Linux + 135)
 #define TARGET_NR_personality		(TARGET_NR_Linux + 136)
 #define TARGET_NR_afs_syscall		(TARGET_NR_Linux + 137) /* Syscall for Andrew File System */
-#define TARGET_NR_setfsuid32		(TARGET_NR_Linux + 138)
-#define TARGET_NR_setfsgid32		(TARGET_NR_Linux + 139)
+#define TARGET_NR_setfsuid		(TARGET_NR_Linux + 138)
+#define TARGET_NR_setfsgid		(TARGET_NR_Linux + 139)
 #define TARGET_NR__llseek		(TARGET_NR_Linux + 140)
 #define TARGET_NR_getdents		(TARGET_NR_Linux + 141)
 #define TARGET_NR__newselect		(TARGET_NR_Linux + 142)
@@ -187,13 +187,13 @@
 #define TARGET_NR_shutdown		(TARGET_NR_Linux + 182)
 #define TARGET_NR_socket		(TARGET_NR_Linux + 183)
 #define TARGET_NR_socketpair		(TARGET_NR_Linux + 184)
-#define TARGET_NR_setresuid32		(TARGET_NR_Linux + 185)
-#define TARGET_NR_getresuid32		(TARGET_NR_Linux + 186)
+#define TARGET_NR_setresuid		(TARGET_NR_Linux + 185)
+#define TARGET_NR_getresuid		(TARGET_NR_Linux + 186)
 #define TARGET_NR_query_module		(TARGET_NR_Linux + 187)
 #define TARGET_NR_poll			(TARGET_NR_Linux + 188)
 #define TARGET_NR_nfsservctl		(TARGET_NR_Linux + 189)
-#define TARGET_NR_setresgid32		(TARGET_NR_Linux + 190)
-#define TARGET_NR_getresgid32		(TARGET_NR_Linux + 191)
+#define TARGET_NR_setresgid		(TARGET_NR_Linux + 190)
+#define TARGET_NR_getresgid		(TARGET_NR_Linux + 191)
 #define TARGET_NR_prctl			(TARGET_NR_Linux + 192)
 #define TARGET_NR_rt_sigreturn		(TARGET_NR_Linux + 193)
 #define TARGET_NR_rt_sigaction		(TARGET_NR_Linux + 194)
@@ -204,7 +204,7 @@
 #define TARGET_NR_rt_sigsuspend		(TARGET_NR_Linux + 199)
 #define TARGET_NR_pread64		(TARGET_NR_Linux + 200)
 #define TARGET_NR_pwrite64		(TARGET_NR_Linux + 201)
-#define TARGET_NR_chown32		(TARGET_NR_Linux + 202)
+#define TARGET_NR_chown 		(TARGET_NR_Linux + 202)
 #define TARGET_NR_getcwd		(TARGET_NR_Linux + 203)
 #define TARGET_NR_capget		(TARGET_NR_Linux + 204)
 #define TARGET_NR_capset		(TARGET_NR_Linux + 205)
diff --git a/linux-user/ppc/syscall_nr.h b/linux-user/ppc/syscall_nr.h
index f54276b..cc84a4c 100644
--- a/linux-user/ppc/syscall_nr.h
+++ b/linux-user/ppc/syscall_nr.h
@@ -17,15 +17,15 @@
 #define TARGET_NR_time                    13
 #define TARGET_NR_mknod                   14
 #define TARGET_NR_chmod                   15
-#define TARGET_NR_lchown32                16
+#define TARGET_NR_lchown                  16
 #define TARGET_NR_break                   17
 #define TARGET_NR_oldstat                 18
 #define TARGET_NR_lseek                   19
 #define TARGET_NR_getpid                  20
 #define TARGET_NR_mount                   21
 #define TARGET_NR_umount                  22
-#define TARGET_NR_setuid32                23
-#define TARGET_NR_getuid32                24
+#define TARGET_NR_setuid                  23
+#define TARGET_NR_getuid                  24
 #define TARGET_NR_stime                   25
 #define TARGET_NR_ptrace                  26
 #define TARGET_NR_alarm                   27
@@ -47,11 +47,11 @@
 #define TARGET_NR_times                   43
 #define TARGET_NR_prof                    44
 #define TARGET_NR_brk                     45
-#define TARGET_NR_setgid32                46
-#define TARGET_NR_getgid32                47
+#define TARGET_NR_setgid                  46
+#define TARGET_NR_getgid                  47
 #define TARGET_NR_signal                  48
-#define TARGET_NR_geteuid32               49
-#define TARGET_NR_getegid32               50
+#define TARGET_NR_geteuid                 49
+#define TARGET_NR_getegid                 50
 #define TARGET_NR_acct                    51
 #define TARGET_NR_umount2                 52
 #define TARGET_NR_lock                    53
@@ -71,8 +71,8 @@
 #define TARGET_NR_sigaction               67
 #define TARGET_NR_sgetmask                68
 #define TARGET_NR_ssetmask                69
-#define TARGET_NR_setreuid32              70
-#define TARGET_NR_setregid32              71
+#define TARGET_NR_setreuid                70
+#define TARGET_NR_setregid                71
 #define TARGET_NR_sigsuspend              72
 #define TARGET_NR_sigpending              73
 #define TARGET_NR_sethostname             74
@@ -81,8 +81,8 @@
 #define TARGET_NR_getrusage               77
 #define TARGET_NR_gettimeofday            78
 #define TARGET_NR_settimeofday            79
-#define TARGET_NR_getgroups32             80
-#define TARGET_NR_setgroups32             81
+#define TARGET_NR_getgroups               80
+#define TARGET_NR_setgroups               81
 #define TARGET_NR_select                  82
 #define TARGET_NR_symlink                 83
 #define TARGET_NR_oldlstat                84
@@ -96,7 +96,7 @@
 #define TARGET_NR_truncate                92
 #define TARGET_NR_ftruncate               93
 #define TARGET_NR_fchmod                  94
-#define TARGET_NR_fchown32                95
+#define TARGET_NR_fchown                  95
 #define TARGET_NR_getpriority             96
 #define TARGET_NR_setpriority             97
 #define TARGET_NR_profil                  98
@@ -139,8 +139,8 @@
 #define TARGET_NR_sysfs                  135
 #define TARGET_NR_personality            136
 #define TARGET_NR_afs_syscall            137 /* Syscall for Andrew File System */
-#define TARGET_NR_setfsuid32             138
-#define TARGET_NR_setfsgid32             139
+#define TARGET_NR_setfsuid               138
+#define TARGET_NR_setfsgid               139
 #define TARGET_NR__llseek                140
 #define TARGET_NR_getdents               141
 #define TARGET_NR__newselect             142
@@ -182,7 +182,7 @@
 #define TARGET_NR_rt_sigsuspend          178
 #define TARGET_NR_pread64                179
 #define TARGET_NR_pwrite64               180
-#define TARGET_NR_chown32                181
+#define TARGET_NR_chown                  181
 #define TARGET_NR_getcwd                 182
 #define TARGET_NR_capget                 183
 #define TARGET_NR_capset                 184
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 6c57e24..20c93d0 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -49,7 +49,7 @@
 #define TARGET_IOC_TYPEBITS	8
 
 #if defined(TARGET_I386) || defined(TARGET_ARM) || defined(TARGET_SPARC) \
-    || defined(TARGET_M68K) || defined(TARGET_SH4) || defined(TARGET_CRIS)
+    || defined(TARGET_M68K) || defined(TARGET_SH4) || defined(TARGET_CRIS) || defined(TARGET_PPC) || defined(TARGET_MIPS)
     /* 16 bit uid wrappers emulation */
 #define USE_UID16
 #endif
commit 644d67777947d64d13a27bc67fff9f66815ef4c0
Author: Riku Voipio <riku.voipio at nokia.com>
Date:   Wed Dec 1 14:53:10 2010 +0200

    update binfmt conf
    
    1) dont register i386 qemu on x86_64 host
    2) widen sparc and arm match
    3) add sh4, based on patch by David Kozub <zub at linux.fjfi.cvut.cz>
    
    Rest based on patch by Jan-Simon Möller <jsmoeller at linuxfoundation.org>

diff --git a/qemu-binfmt-conf.sh b/qemu-binfmt-conf.sh
index ba916ac..c50beb7 100644
--- a/qemu-binfmt-conf.sh
+++ b/qemu-binfmt-conf.sh
@@ -12,7 +12,7 @@ fi
 # probe cpu type
 cpu=`uname -m`
 case "$cpu" in
-  i386|i486|i586|i686|i86pc|BePC)
+  i386|i486|i586|i686|i86pc|BePC|x86_64)
     cpu="i386"
   ;;
   m68k)
@@ -24,7 +24,7 @@ case "$cpu" in
   "Power Macintosh"|ppc|ppc64)
     cpu="ppc"
   ;;
-  armv4l)
+  armv[4-9]*)
     cpu="arm"
   ;;
 esac
@@ -60,3 +60,7 @@ if [ $cpu != "mips" ] ; then
     echo   ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-mips64:' > /proc/sys/fs/binfmt_misc/register
     echo   ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-mips64el:' > /proc/sys/fs/binfmt_misc/register
 fi
+if [ $cpu != "sh" ] ; then
+    echo    ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/local/bin/qemu-sh4:' > /proc/sys/fs/binfmt_misc/register
+    echo    ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/local/bin/qemu-sh4eb:' > /proc/sys/fs/binfmt_misc/register
+fi
commit 9190749fbe075ece4a72380cc3dea919a8f960c3
Author: Riku Voipio <riku.voipio at nokia.com>
Date:   Fri Nov 26 16:21:34 2010 +0200

    linux-user: fix compiler error on nptl
    
    Some compilers detect that new_stack isnt used after dd75d784
    
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 070241b..c3e8706 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3635,11 +3635,12 @@ static int do_fork(CPUState *env, unsigned int flags, abi_ulong newsp,
 {
     int ret;
     TaskState *ts;
-    uint8_t *new_stack;
     CPUState *new_env;
 #if defined(CONFIG_USE_NPTL)
     unsigned int nptl_flags;
     sigset_t sigmask;
+#else
+    uint8_t *new_stack;
 #endif
 
     /* Emulate vfork() with fork() */
commit a59d69da66da551fa078e05ff08cf535b768c308
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Nov 24 15:20:08 2010 +0000

    ARM: linux-user: Restore iWMMXT state from ucontext on sigreturn
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index b4b610b..c846b8c 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1602,6 +1602,30 @@ static abi_ulong *restore_sigframe_v2_vfp(CPUState *env, abi_ulong *regspace)
     return (abi_ulong*)(vfpframe + 1);
 }
 
+static abi_ulong *restore_sigframe_v2_iwmmxt(CPUState *env, abi_ulong *regspace)
+{
+    int i;
+    abi_ulong magic, sz;
+    struct target_iwmmxt_sigframe *iwmmxtframe;
+    iwmmxtframe = (struct target_iwmmxt_sigframe *)regspace;
+
+    __get_user(magic, &iwmmxtframe->magic);
+    __get_user(sz, &iwmmxtframe->size);
+    if (magic != TARGET_IWMMXT_MAGIC || sz != sizeof(*iwmmxtframe)) {
+        return 0;
+    }
+    for (i = 0; i < 16; i++) {
+        __get_user(env->iwmmxt.regs[i], &iwmmxtframe->regs[i]);
+    }
+    __get_user(env->vfp.xregs[ARM_IWMMXT_wCSSF], &iwmmxtframe->wcssf);
+    __get_user(env->vfp.xregs[ARM_IWMMXT_wCASF], &iwmmxtframe->wcssf);
+    __get_user(env->vfp.xregs[ARM_IWMMXT_wCGR0], &iwmmxtframe->wcgr0);
+    __get_user(env->vfp.xregs[ARM_IWMMXT_wCGR1], &iwmmxtframe->wcgr1);
+    __get_user(env->vfp.xregs[ARM_IWMMXT_wCGR2], &iwmmxtframe->wcgr2);
+    __get_user(env->vfp.xregs[ARM_IWMMXT_wCGR3], &iwmmxtframe->wcgr3);
+    return (abi_ulong*)(iwmmxtframe + 1);
+}
+
 static int do_sigframe_return_v2(CPUState *env, target_ulong frame_addr,
                                  struct target_ucontext_v2 *uc)
 {
@@ -1622,6 +1646,12 @@ static int do_sigframe_return_v2(CPUState *env, target_ulong frame_addr,
             return 1;
         }
     }
+    if (arm_feature(env, ARM_FEATURE_IWMMXT)) {
+        regspace = restore_sigframe_v2_iwmmxt(env, regspace);
+        if (!regspace) {
+            return 1;
+        }
+    }
 
     if (do_sigaltstack(frame_addr + offsetof(struct target_ucontext_v2, tuc_stack), 0, get_sp_from_cpustate(env)) == -EFAULT)
         return 1;
commit 08e11256f6a0caae9b8f18fb6a71359b590d97c6
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Nov 24 15:20:07 2010 +0000

    ARM: linux-user: Expose iWMMXT registers to signal handlers
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 63d893b..b4b610b 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1130,7 +1130,21 @@ struct target_vfp_sigframe {
     struct target_user_vfp_exc ufp_exc;
 } __attribute__((__aligned__(8)));
 
+struct target_iwmmxt_sigframe {
+    abi_ulong magic;
+    abi_ulong size;
+    uint64_t regs[16];
+    /* Note that not all the coprocessor control registers are stored here */
+    uint32_t wcssf;
+    uint32_t wcasf;
+    uint32_t wcgr0;
+    uint32_t wcgr1;
+    uint32_t wcgr2;
+    uint32_t wcgr3;
+} __attribute__((__aligned__(8)));
+
 #define TARGET_VFP_MAGIC 0x56465001
+#define TARGET_IWMMXT_MAGIC 0x12ef842a
 
 struct sigframe_v1
 {
@@ -1292,6 +1306,25 @@ static abi_ulong *setup_sigframe_v2_vfp(abi_ulong *regspace, CPUState *env)
     return (abi_ulong*)(vfpframe+1);
 }
 
+static abi_ulong *setup_sigframe_v2_iwmmxt(abi_ulong *regspace, CPUState *env)
+{
+    int i;
+    struct target_iwmmxt_sigframe *iwmmxtframe;
+    iwmmxtframe = (struct target_iwmmxt_sigframe *)regspace;
+    __put_user(TARGET_IWMMXT_MAGIC, &iwmmxtframe->magic);
+    __put_user(sizeof(*iwmmxtframe), &iwmmxtframe->size);
+    for (i = 0; i < 16; i++) {
+        __put_user(env->iwmmxt.regs[i], &iwmmxtframe->regs[i]);
+    }
+    __put_user(env->vfp.xregs[ARM_IWMMXT_wCSSF], &iwmmxtframe->wcssf);
+    __put_user(env->vfp.xregs[ARM_IWMMXT_wCASF], &iwmmxtframe->wcssf);
+    __put_user(env->vfp.xregs[ARM_IWMMXT_wCGR0], &iwmmxtframe->wcgr0);
+    __put_user(env->vfp.xregs[ARM_IWMMXT_wCGR1], &iwmmxtframe->wcgr1);
+    __put_user(env->vfp.xregs[ARM_IWMMXT_wCGR2], &iwmmxtframe->wcgr2);
+    __put_user(env->vfp.xregs[ARM_IWMMXT_wCGR3], &iwmmxtframe->wcgr3);
+    return (abi_ulong*)(iwmmxtframe+1);
+}
+
 static void setup_sigframe_v2(struct target_ucontext_v2 *uc,
                               target_sigset_t *set, CPUState *env)
 {
@@ -1314,6 +1347,10 @@ static void setup_sigframe_v2(struct target_ucontext_v2 *uc,
     if (arm_feature(env, ARM_FEATURE_VFP)) {
         regspace = setup_sigframe_v2_vfp(regspace, env);
     }
+    if (arm_feature(env, ARM_FEATURE_IWMMXT)) {
+        regspace = setup_sigframe_v2_iwmmxt(regspace, env);
+    }
+
     /* Write terminating magic word */
     __put_user(0, regspace);
 
commit 5f9099d9cee0e9ed377aee705ca9f4db75e8948d
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Nov 24 15:20:06 2010 +0000

    ARM: linux-user: Restore VFP state from ucontext on sigreturn
    
    Restore the VFP registers from the ucontext on return from a signal
    handler in linux-user mode. This means that signal handlers cannot
    accidentally corrupt the interrupted code's VFP state, and allows
    them to deliberately modify the state via the ucontext structure.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index af1e0eb..63d893b 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1535,10 +1535,41 @@ badframe:
 	return 0;
 }
 
+static abi_ulong *restore_sigframe_v2_vfp(CPUState *env, abi_ulong *regspace)
+{
+    int i;
+    abi_ulong magic, sz;
+    uint32_t fpscr, fpexc;
+    struct target_vfp_sigframe *vfpframe;
+    vfpframe = (struct target_vfp_sigframe *)regspace;
+
+    __get_user(magic, &vfpframe->magic);
+    __get_user(sz, &vfpframe->size);
+    if (magic != TARGET_VFP_MAGIC || sz != sizeof(*vfpframe)) {
+        return 0;
+    }
+    for (i = 0; i < 32; i++) {
+        __get_user(env->vfp.regs[i], &vfpframe->ufp.fpregs[i]);
+    }
+    __get_user(fpscr, &vfpframe->ufp.fpscr);
+    vfp_set_fpscr(env, fpscr);
+    __get_user(fpexc, &vfpframe->ufp_exc.fpexc);
+    /* Sanitise FPEXC: ensure VFP is enabled, FPINST2 is invalid
+     * and the exception flag is cleared
+     */
+    fpexc |= (1 << 30);
+    fpexc &= ~((1 << 31) | (1 << 28));
+    env->vfp.xregs[ARM_VFP_FPEXC] = fpexc;
+    __get_user(env->vfp.xregs[ARM_VFP_FPINST], &vfpframe->ufp_exc.fpinst);
+    __get_user(env->vfp.xregs[ARM_VFP_FPINST2], &vfpframe->ufp_exc.fpinst2);
+    return (abi_ulong*)(vfpframe + 1);
+}
+
 static int do_sigframe_return_v2(CPUState *env, target_ulong frame_addr,
                                  struct target_ucontext_v2 *uc)
 {
     sigset_t host_set;
+    abi_ulong *regspace;
 
     target_to_host_sigset(&host_set, &uc->tuc_sigmask);
     sigprocmask(SIG_SETMASK, &host_set, NULL);
@@ -1546,6 +1577,15 @@ static int do_sigframe_return_v2(CPUState *env, target_ulong frame_addr,
     if (restore_sigcontext(env, &uc->tuc_mcontext))
         return 1;
 
+    /* Restore coprocessor signal frame */
+    regspace = uc->tuc_regspace;
+    if (arm_feature(env, ARM_FEATURE_VFP)) {
+        regspace = restore_sigframe_v2_vfp(env, regspace);
+        if (!regspace) {
+            return 1;
+        }
+    }
+
     if (do_sigaltstack(frame_addr + offsetof(struct target_ucontext_v2, tuc_stack), 0, get_sp_from_cpustate(env)) == -EFAULT)
         return 1;
 
commit 0d871bdbaac428601c84d29233a49f7cf6ecb6fc
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Nov 24 15:20:05 2010 +0000

    ARM: linux-user: Expose VFP registers to signal handlers
    
    For ARM linux-user mode signal handlers, fill in the ucontext with
    VFP register contents in the same way that the kernel does. We only
    do this for v2 format sigframe (2.6.12 and above); this is actually
    bug-for-bug compatible with the older kernels, which don't save and
    restore VFP registers either.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index e195eef..af1e0eb 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1112,6 +1112,26 @@ struct target_ucontext_v2 {
     abi_ulong tuc_regspace[128] __attribute__((__aligned__(8)));
 };
 
+struct target_user_vfp {
+    uint64_t fpregs[32];
+    abi_ulong fpscr;
+};
+
+struct target_user_vfp_exc {
+    abi_ulong fpexc;
+    abi_ulong fpinst;
+    abi_ulong fpinst2;
+};
+
+struct target_vfp_sigframe {
+    abi_ulong magic;
+    abi_ulong size;
+    struct target_user_vfp ufp;
+    struct target_user_vfp_exc ufp_exc;
+} __attribute__((__aligned__(8)));
+
+#define TARGET_VFP_MAGIC 0x56465001
+
 struct sigframe_v1
 {
     struct target_sigcontext sc;
@@ -1255,11 +1275,29 @@ setup_return(CPUState *env, struct target_sigaction *ka,
 	return 0;
 }
 
+static abi_ulong *setup_sigframe_v2_vfp(abi_ulong *regspace, CPUState *env)
+{
+    int i;
+    struct target_vfp_sigframe *vfpframe;
+    vfpframe = (struct target_vfp_sigframe *)regspace;
+    __put_user(TARGET_VFP_MAGIC, &vfpframe->magic);
+    __put_user(sizeof(*vfpframe), &vfpframe->size);
+    for (i = 0; i < 32; i++) {
+        __put_user(env->vfp.regs[i], &vfpframe->ufp.fpregs[i]);
+    }
+    __put_user(vfp_get_fpscr(env), &vfpframe->ufp.fpscr);
+    __put_user(env->vfp.xregs[ARM_VFP_FPEXC], &vfpframe->ufp_exc.fpexc);
+    __put_user(env->vfp.xregs[ARM_VFP_FPINST], &vfpframe->ufp_exc.fpinst);
+    __put_user(env->vfp.xregs[ARM_VFP_FPINST2], &vfpframe->ufp_exc.fpinst2);
+    return (abi_ulong*)(vfpframe+1);
+}
+
 static void setup_sigframe_v2(struct target_ucontext_v2 *uc,
                               target_sigset_t *set, CPUState *env)
 {
     struct target_sigaltstack stack;
     int i;
+    abi_ulong *regspace;
 
     /* Clear all the bits of the ucontext we don't use.  */
     memset(uc, 0, offsetof(struct target_ucontext_v2, tuc_mcontext));
@@ -1271,7 +1309,14 @@ static void setup_sigframe_v2(struct target_ucontext_v2 *uc,
     memcpy(&uc->tuc_stack, &stack, sizeof(stack));
 
     setup_sigcontext(&uc->tuc_mcontext, env, set->sig[0]);
-    /* FIXME: Save coprocessor signal frame.  */
+    /* Save coprocessor signal frame.  */
+    regspace = uc->tuc_regspace;
+    if (arm_feature(env, ARM_FEATURE_VFP)) {
+        regspace = setup_sigframe_v2_vfp(regspace, env);
+    }
+    /* Write terminating magic word */
+    __put_user(0, regspace);
+
     for(i = 0; i < TARGET_NSIG_WORDS; i++) {
         __put_user(set->sig[i], &uc->tuc_sigmask.sig[i]);
     }
commit 0165329578eb8f40901825177c0874efb815e342
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Nov 24 15:20:04 2010 +0000

    ARM: Expose vfp_get_fpscr() and vfp_set_fpscr() to C code
    
    Expose the vfp_get_fpscr() and vfp_set_fpscr() functions to C
    code as well as generated code, so we can use them to read and
    write the FPSCR when saving and restoring VFP registers across
    signal handlers in linux-user mode.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 0284bad..340933e 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -300,6 +300,10 @@ static inline void xpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
     }
 }
 
+/* Return the current FPSCR value.  */
+uint32_t vfp_get_fpscr(CPUARMState *env);
+void vfp_set_fpscr(CPUARMState *env, uint32_t val);
+
 enum arm_cpu_mode {
   ARM_CPU_MODE_USR = 0x10,
   ARM_CPU_MODE_FIQ = 0x11,
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 94aef39..2a1f448 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -2251,6 +2251,11 @@ uint32_t HELPER(vfp_get_fpscr)(CPUState *env)
     return fpscr;
 }
 
+uint32_t vfp_get_fpscr(CPUState *env)
+{
+    return HELPER(vfp_get_fpscr)(env);
+}
+
 /* Convert vfp exception flags to target form.  */
 static inline int vfp_exceptbits_to_host(int target_bits)
 {
@@ -2307,6 +2312,11 @@ void HELPER(vfp_set_fpscr)(CPUState *env, uint32_t val)
     set_float_exception_flags(i, &env->vfp.fp_status);
 }
 
+void vfp_set_fpscr(CPUState *env, uint32_t val)
+{
+    HELPER(vfp_set_fpscr)(env, val);
+}
+
 #define VFP_HELPER(name, p) HELPER(glue(glue(vfp_,name),p))
 
 #define VFP_BINOP(name) \
commit 5f0b7c888b5e626d61e0969a6c0dbf4fcf0f522c
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Nov 24 15:20:03 2010 +0000

    ARM: linux-user: Correct size of padding in target_ucontext_v2
    
    The padding in the target_ucontext_v2 is defined by the size of
    the target's sigset_t type, not the host's. (This bug only causes
    problems when we start using the uc_regspace[] array to expose
    VFP registers to userspace signal handlers.)
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 7c62fac..e195eef 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -1108,7 +1108,7 @@ struct target_ucontext_v2 {
     target_stack_t tuc_stack;
     struct target_sigcontext tuc_mcontext;
     target_sigset_t  tuc_sigmask;	/* mask last for extensibility */
-    char __unused[128 - sizeof(sigset_t)];
+    char __unused[128 - sizeof(target_sigset_t)];
     abi_ulong tuc_regspace[128] __attribute__((__aligned__(8)));
 };
 
commit ef5e4ea587c10d3a936f807d6fa2a81c71a86511
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Nov 19 13:54:39 2010 +0000

    target-sparc: remove unused functions cpu_lock(), cpu_unlock()

diff --git a/target-sparc/cpu.h b/target-sparc/cpu.h
index 7e0d17c..3e93bbb 100644
--- a/target-sparc/cpu.h
+++ b/target-sparc/cpu.h
@@ -444,8 +444,6 @@ CPUSPARCState *cpu_sparc_init(const char *cpu_model);
 void cpu_sparc_set_id(CPUSPARCState *env, unsigned int cpu);
 void sparc_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt,
                                                  ...));
-void cpu_lock(void);
-void cpu_unlock(void);
 int cpu_sparc_handle_mmu_fault(CPUSPARCState *env1, target_ulong address, int rw,
                                int mmu_idx, int is_softmmu);
 #define cpu_handle_mmu_fault cpu_sparc_handle_mmu_fault
diff --git a/target-sparc/helper.c b/target-sparc/helper.c
index e84c312..7e45d7a 100644
--- a/target-sparc/helper.c
+++ b/target-sparc/helper.c
@@ -41,20 +41,6 @@ static int cpu_sparc_find_by_name(sparc_def_t *cpu_def, const char *cpu_model);
 
 /* Sparc MMU emulation */
 
-/* thread support */
-
-static spinlock_t global_cpu_lock = SPIN_LOCK_UNLOCKED;
-
-void cpu_lock(void)
-{
-    spin_lock(&global_cpu_lock);
-}
-
-void cpu_unlock(void)
-{
-    spin_unlock(&global_cpu_lock);
-}
-
 #if defined(CONFIG_USER_ONLY)
 
 int cpu_sparc_handle_mmu_fault(CPUState *env1, target_ulong address, int rw,
commit 3a807decfa5245d3eb50c9301e73fc5da4a484e1
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Nov 19 15:36:47 2010 +0000

    ARM: enable XScale/iWMMXT in linux-user mode
    
    In linux-user mode, the XScale/iWMMXT coprocessors must be enabled
    at reset so that we can run code that uses these instructions.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 996d40d..94aef39 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -203,7 +203,13 @@ void cpu_reset(CPUARMState *env)
         cpu_reset_model_id(env, id);
 #if defined (CONFIG_USER_ONLY)
     env->uncached_cpsr = ARM_CPU_MODE_USR;
+    /* For user mode we must enable access to coprocessors */
     env->vfp.xregs[ARM_VFP_FPEXC] = 1 << 30;
+    if (arm_feature(env, ARM_FEATURE_IWMMXT)) {
+        env->cp15.c15_cpar = 3;
+    } else if (arm_feature(env, ARM_FEATURE_XSCALE)) {
+        env->cp15.c15_cpar = 1;
+    }
 #else
     /* SVC mode with interrupts disabled.  */
     env->uncached_cpsr = ARM_CPU_MODE_SVC | CPSR_A | CPSR_F | CPSR_I;
commit f3b974cd3bb624cc7a3004db902b59d599ff016a
Author: Jamie Lentin <jm at lentin.co.uk>
Date:   Fri Nov 26 15:04:08 2010 +0200

    linux-user: Translate getsockopt level option
    
    n setsockopt, the socket level options are translated to the hosts'
    architecture before the real syscall is called, e.g.
    TARGET_SO_TYPE -> SO_TYPE. This patch does the same with getsockopt.
    
    Tested on a x86 host emulating MIPS.  Without it:-
    
    $ grep getsockopt host.strace
    31311 getsockopt(3, SOL_SOCKET, 0x1007 /* SO_??? */, 0xbff17208,
    0xbff17204) = -1 ENOPROTOOPT (Protocol not available)
    
    With:-
    
    $ grep getsockopt host.strace
    25706 getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
    
    Whitespace cleanup: Riku Voipio
    
    Signed-off-by: Jamie Lentin <jm at lentin.co.uk>
    Signed-off-by: Riku Voipio <riku.voipio at iki.fi>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 5761106..070241b 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1374,15 +1374,66 @@ static abi_long do_getsockopt(int sockfd, int level, int optname,
 
     switch(level) {
     case TARGET_SOL_SOCKET:
-    	level = SOL_SOCKET;
-	switch (optname) {
-	case TARGET_SO_LINGER:
-	case TARGET_SO_RCVTIMEO:
-	case TARGET_SO_SNDTIMEO:
-	case TARGET_SO_PEERCRED:
-	case TARGET_SO_PEERNAME:
-	    /* These don't just return a single integer */
-	    goto unimplemented;
+        level = SOL_SOCKET;
+        switch (optname) {
+        /* These don't just return a single integer */
+        case TARGET_SO_LINGER:
+        case TARGET_SO_RCVTIMEO:
+        case TARGET_SO_SNDTIMEO:
+        case TARGET_SO_PEERCRED:
+        case TARGET_SO_PEERNAME:
+            goto unimplemented;
+        /* Options with 'int' argument.  */
+        case TARGET_SO_DEBUG:
+            optname = SO_DEBUG;
+            goto int_case;
+        case TARGET_SO_REUSEADDR:
+            optname = SO_REUSEADDR;
+            goto int_case;
+        case TARGET_SO_TYPE:
+            optname = SO_TYPE;
+            goto int_case;
+        case TARGET_SO_ERROR:
+            optname = SO_ERROR;
+            goto int_case;
+        case TARGET_SO_DONTROUTE:
+            optname = SO_DONTROUTE;
+            goto int_case;
+        case TARGET_SO_BROADCAST:
+            optname = SO_BROADCAST;
+            goto int_case;
+        case TARGET_SO_SNDBUF:
+            optname = SO_SNDBUF;
+            goto int_case;
+        case TARGET_SO_RCVBUF:
+            optname = SO_RCVBUF;
+            goto int_case;
+        case TARGET_SO_KEEPALIVE:
+            optname = SO_KEEPALIVE;
+            goto int_case;
+        case TARGET_SO_OOBINLINE:
+            optname = SO_OOBINLINE;
+            goto int_case;
+        case TARGET_SO_NO_CHECK:
+            optname = SO_NO_CHECK;
+            goto int_case;
+        case TARGET_SO_PRIORITY:
+            optname = SO_PRIORITY;
+            goto int_case;
+#ifdef SO_BSDCOMPAT
+        case TARGET_SO_BSDCOMPAT:
+            optname = SO_BSDCOMPAT;
+            goto int_case;
+#endif
+        case TARGET_SO_PASSCRED:
+            optname = SO_PASSCRED;
+            goto int_case;
+        case TARGET_SO_TIMESTAMP:
+            optname = SO_TIMESTAMP;
+            goto int_case;
+        case TARGET_SO_RCVLOWAT:
+            optname = SO_RCVLOWAT;
+            goto int_case;
         default:
             goto int_case;
         }
@@ -1406,7 +1457,7 @@ static abi_long do_getsockopt(int sockfd, int level, int optname,
         } else {
             if (put_user_u8(val, optval_addr))
                 return -TARGET_EFAULT;
-	}
+        }
         if (put_user_u32(len, optlen))
             return -TARGET_EFAULT;
         break;
commit bee70008074570ef2c368aec80918c2494065247
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Mon Nov 8 18:13:58 2010 +0000

    linux-user: remove unnecessary local from __get_user(), __put_user()
    
    Remove an unnecessary local variable from the __get_user() and
    __put_user() macros. This avoids confusing compilation failures
    if the name of the local variable ('size') happens to be the
    same as the variable the macro user is trying to read/write.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 00c6549..e66a02b 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -264,8 +264,7 @@ static inline int access_ok(int type, abi_ulong addr, abi_ulong size)
  */
 #define __put_user(x, hptr)\
 ({\
-    int size = sizeof(*hptr);\
-    switch(size) {\
+    switch(sizeof(*hptr)) {\
     case 1:\
         *(uint8_t *)(hptr) = (uint8_t)(typeof(*hptr))(x);\
         break;\
@@ -286,8 +285,7 @@ static inline int access_ok(int type, abi_ulong addr, abi_ulong size)
 
 #define __get_user(x, hptr) \
 ({\
-    int size = sizeof(*hptr);\
-    switch(size) {\
+    switch(sizeof(*hptr)) {\
     case 1:\
         x = (typeof(*hptr))*(uint8_t *)(hptr);\
         break;\
commit 48e15fc2de29276f0c93482f5175b95e50557fbf
Author: Nathan Froyd <froydnj at codesourcery.com>
Date:   Fri Oct 29 07:48:57 2010 -0700

    linux-user: fix memory leaks with NPTL emulation
    
    Running programs that create large numbers of threads, such as this
    snippet from libstdc++'s pthread7-rope.cc:
    
      const int max_thread_count = 4;
      const int max_loop_count = 10000;
      ...
      for (int j = 0; j < max_loop_count; j++)
        {
          ...
          for (int i = 0; i < max_thread_count; i++)
    	pthread_create (&tid[i], NULL, thread_main, 0);
    
          for (int i = 0; i < max_thread_count; i++)
    	pthread_join (tid[i], NULL);
        }
    
    in user-mode emulation will quickly run out of memory.  This is caused
    by a failure to free memory in do_syscall prior to thread exit:
    
              /* TODO: Free CPU state.  */
              pthread_exit(NULL);
    
    The first step in fixing this is to make all TaskStates used by QEMU
    dynamically allocated.  The TaskState used by the initial thread was
    not, as it was allocated on main's stack.  So fix that, free the
    cpu_env, free the TaskState, and we're home free, right?
    
    Not exactly.  When we create a thread, we do:
    
            ts = qemu_mallocz(sizeof(TaskState) + NEW_STACK_SIZE);
            ...
            new_stack = ts->stack;
            ...
            ret = pthread_attr_setstack(&attr, new_stack, NEW_STACK_SIZE);
    
    If we blindly free the TaskState, then, we yank the current (host)
    thread's stack out from underneath it while it still has things to do,
    like calling pthread_exit.  That causes problems, as you might expect.
    
    The solution adopted here is to let the C library allocate the thread's
    stack (so the C library can properly clean it up at pthread_exit) and
    provide a hint that we want NEW_STACK_SIZE bytes of stack.
    
    With those two changes, we're done, right?  Well, almost.  You see,
    we're creating all these host threads and their parent threads never
    bother to check that their children are finished.  There's no good place
    for the parent threads to do so.  Therefore, we need to create the
    threads in a detached state so the parent thread doesn't have to call
    pthread_join on the child to release the child's resources; the child
    does so automatically.
    
    With those three major changes, we can comfortably run programs like the
    above without exhausting memory.  We do need to delete 'stack' from the
    TaskState structure.
    
    Signed-off-by: Nathan Froyd <froydnj at codesourcery.com>
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/main.c b/linux-user/main.c
index dbba8be..7d41d4a 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -2711,7 +2711,7 @@ int main(int argc, char **argv, char **envp)
     struct target_pt_regs regs1, *regs = &regs1;
     struct image_info info1, *info = &info1;
     struct linux_binprm bprm;
-    TaskState ts1, *ts = &ts1;
+    TaskState *ts;
     CPUState *env;
     int optind;
     const char *r;
@@ -3038,7 +3038,7 @@ int main(int argc, char **argv, char **envp)
     }
     target_argv[target_argc] = NULL;
 
-    memset(ts, 0, sizeof(TaskState));
+    ts = qemu_mallocz (sizeof(TaskState));
     init_task_state(ts);
     /* build Task State */
     ts->info = info;
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 708021e..00c6549 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -126,8 +126,6 @@ typedef struct TaskState {
     struct sigqueue sigqueue_table[MAX_SIGQUEUE_SIZE]; /* siginfo queue */
     struct sigqueue *first_free; /* first free siginfo queue entry */
     int signal_pending; /* non zero if a signal may be pending */
-
-    uint8_t stack[0];
 } __attribute__((aligned(16))) TaskState;
 
 extern char *exec_path;
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index d44f512..5761106 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3601,9 +3601,8 @@ static int do_fork(CPUState *env, unsigned int flags, abi_ulong newsp,
         new_thread_info info;
         pthread_attr_t attr;
 #endif
-        ts = qemu_mallocz(sizeof(TaskState) + NEW_STACK_SIZE);
+        ts = qemu_mallocz(sizeof(TaskState));
         init_task_state(ts);
-        new_stack = ts->stack;
         /* we create a new CPU instance. */
         new_env = cpu_copy(env);
 #if defined(TARGET_I386) || defined(TARGET_SPARC) || defined(TARGET_PPC)
@@ -3639,7 +3638,8 @@ static int do_fork(CPUState *env, unsigned int flags, abi_ulong newsp,
             info.parent_tidptr = parent_tidptr;
 
         ret = pthread_attr_init(&attr);
-        ret = pthread_attr_setstack(&attr, new_stack, NEW_STACK_SIZE);
+        ret = pthread_attr_setstacksize(&attr, NEW_STACK_SIZE);
+        ret = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
         /* It is not safe to deliver signals until the child has finished
            initializing, so temporarily block all signals.  */
         sigfillset(&sigmask);
@@ -3667,6 +3667,7 @@ static int do_fork(CPUState *env, unsigned int flags, abi_ulong newsp,
         if (flags & CLONE_NPTL_FLAGS2)
             return -EINVAL;
         /* This is probably going to die very quickly, but do it anyway.  */
+        new_stack = qemu_mallocz (NEW_STACK_SIZE);
 #ifdef __ia64__
         ret = __clone2(clone_func, new_stack, NEW_STACK_SIZE, flags, new_env);
 #else
@@ -4240,7 +4241,9 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
               sys_futex(g2h(ts->child_tidptr), FUTEX_WAKE, INT_MAX,
                         NULL, NULL, 0);
           }
-          /* TODO: Free CPU state.  */
+          thread_env = NULL;
+          qemu_free(cpu_env);
+          qemu_free(ts);
           pthread_exit(NULL);
       }
 #endif
commit c65ffe6d6ca8b156e729e81054ca7597864354a9
Author: amateur <tianlei.zhao at gmail.com>
Date:   Tue Sep 14 13:22:34 2010 +0800

    linux-user: mmap_reserve() not controlled by RESERVED_VA
    
    mmap_reserve() should be called only when RESERVED_VA is enabled.
    Otherwise, unmaped virtual address space will never be reusable. This
    bug will exhaust virtual address space in extreme conditions.
    
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 035dfbd..abf21f6 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -697,7 +697,9 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
                                          old_size, new_size,
                                          flags | MREMAP_FIXED,
                                          g2h(mmap_start));
-            mmap_reserve(old_addr, old_size);
+            if ( RESERVED_VA ) {
+                mmap_reserve(old_addr, old_size);
+            }
         }
     } else {
         int prot = 0;
commit b0e102dd22e7a158fa3dc4148ab6c2e78b363071
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Nov 19 13:54:44 2010 +0000

    [PATCH] target-arm: remove unused functions cpu_lock(), cpu_unlock()
    
    Signed-off-by: Riku Voipio <riku.voipio at nokia.com>

diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index b87c605..0284bad 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -227,8 +227,6 @@ int cpu_arm_handle_mmu_fault (CPUARMState *env, target_ulong address, int rw,
                               int mmu_idx, int is_softmuu);
 #define cpu_handle_mmu_fault cpu_arm_handle_mmu_fault
 
-void cpu_lock(void);
-void cpu_unlock(void);
 static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
 {
   env->cp15.c13_tls2 = newtls;
diff --git a/target-arm/op_helper.c b/target-arm/op_helper.c
index 9b1a014..43baa63 100644
--- a/target-arm/op_helper.c
+++ b/target-arm/op_helper.c
@@ -28,20 +28,6 @@ void raise_exception(int tt)
     cpu_loop_exit();
 }
 
-/* thread support */
-
-static spinlock_t global_cpu_lock = SPIN_LOCK_UNLOCKED;
-
-void cpu_lock(void)
-{
-    spin_lock(&global_cpu_lock);
-}
-
-void cpu_unlock(void)
-{
-    spin_unlock(&global_cpu_lock);
-}
-
 uint32_t HELPER(neon_tbl)(uint32_t ireg, uint32_t def,
                           uint32_t rn, uint32_t maxindex)
 {
commit 38671423466875ecd848710cc1d7019448a6b145
Author: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
Date:   Wed Nov 24 11:38:10 2010 +0900

    virtio-9p: fix build on !CONFIG_UTIMENSAT
    
    This patch introduce a fallback mechanism for old systems that do not
    support utimensat().  This fix build failure with following warnings:
    
    hw/virtio-9p-local.c: In function 'local_utimensat':
    hw/virtio-9p-local.c:479: warning: implicit declaration of function 'utimensat'
    hw/virtio-9p-local.c:479: warning: nested extern declaration of 'utimensat'
    
    and:
    
    hw/virtio-9p.c: In function 'v9fs_setattr_post_chmod':
    hw/virtio-9p.c:1410: error: 'UTIME_NOW' undeclared (first use in this function)
    hw/virtio-9p.c:1410: error: (Each undeclared identifier is reported only once
    hw/virtio-9p.c:1410: error: for each function it appears in.)
    hw/virtio-9p.c:1413: error: 'UTIME_OMIT' undeclared (first use in this function)
    hw/virtio-9p.c: In function 'v9fs_wstat_post_chmod':
    hw/virtio-9p.c:2905: error: 'UTIME_OMIT' undeclared (first use in this function)
    
    [NOTE: At this time virtio-9p is only user of utimensat(), and is available
           only when host is linux and CONFIG_VIRTFS is defined.  So there are
           no similar warning for win32.  Please provide a wrapper for win32 in
           oslib-win32.c if new user really requires it.]
    
    v5:
      - Allow fallback on runtime
      - Move qemu_utimensat() to oslib-posix.c
      - Rebased on latest qemu.git
    v4:
      - Use tv_now.tv_usec
    v3:
      - Use better alternative handling for UTIME_NOW/OMIT
      - Move qemu_utimensat() to cutils.c
    V2:
      - Introduce qemu_utimensat()
    
    Acked-by: Chris Wright <chrisw at sous-sol.org>
    Acked-by: M. Mohan Kumar <mohan at in.ibm.com>
    Acked-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 656bfb3..a8e7525 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -480,9 +480,9 @@ static int local_chown(FsContext *fs_ctx, const char *path, FsCred *credp)
 }
 
 static int local_utimensat(FsContext *s, const char *path,
-		       const struct timespec *buf)
+                           const struct timespec *buf)
 {
-    return utimensat(AT_FDCWD, rpath(s, path), buf, AT_SYMLINK_NOFOLLOW);
+    return qemu_utimensat(AT_FDCWD, rpath(s, path), buf, AT_SYMLINK_NOFOLLOW);
 }
 
 static int local_remove(FsContext *ctx, const char *path)
diff --git a/oslib-posix.c b/oslib-posix.c
index 6e9b0c3..7bc5f7c 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -107,3 +107,51 @@ int qemu_pipe(int pipefd[2])
 
     return ret;
 }
+
+int qemu_utimensat(int dirfd, const char *path, const struct timespec *times,
+                   int flags)
+{
+    struct timeval tv[2], tv_now;
+    struct stat st;
+    int i;
+#ifdef CONFIG_UTIMENSAT
+    int ret;
+
+    ret = utimensat(dirfd, path, times, flags);
+    if (ret != -1 || errno != ENOSYS) {
+        return ret;
+    }
+#endif
+    /* Fallback: use utimes() instead of utimensat() */
+
+    /* happy if special cases */
+    if (times[0].tv_nsec == UTIME_OMIT && times[1].tv_nsec == UTIME_OMIT) {
+        return 0;
+    }
+    if (times[0].tv_nsec == UTIME_NOW && times[1].tv_nsec == UTIME_NOW) {
+        return utimes(path, NULL);
+    }
+
+    /* prepare for hard cases */
+    if (times[0].tv_nsec == UTIME_NOW || times[1].tv_nsec == UTIME_NOW) {
+        gettimeofday(&tv_now, NULL);
+    }
+    if (times[0].tv_nsec == UTIME_OMIT || times[1].tv_nsec == UTIME_OMIT) {
+        stat(path, &st);
+    }
+
+    for (i = 0; i < 2; i++) {
+        if (times[i].tv_nsec == UTIME_NOW) {
+            tv[i].tv_sec = tv_now.tv_sec;
+            tv[i].tv_usec = tv_now.tv_usec;
+        } else if (times[i].tv_nsec == UTIME_OMIT) {
+            tv[i].tv_sec = (i == 0) ? st.st_atime : st.st_mtime;
+            tv[i].tv_usec = 0;
+        } else {
+            tv[i].tv_sec = times[i].tv_sec;
+            tv[i].tv_usec = times[i].tv_nsec / 1000;
+        }
+    }
+
+    return utimes(path, &tv[0]);
+}
diff --git a/qemu-os-posix.h b/qemu-os-posix.h
index 353f878..81fd9ab 100644
--- a/qemu-os-posix.h
+++ b/qemu-os-posix.h
@@ -39,4 +39,16 @@ void os_setup_post(void);
 typedef struct timeval qemu_timeval;
 #define qemu_gettimeofday(tp) gettimeofday(tp, NULL)
 
+#ifndef CONFIG_UTIMENSAT
+#ifndef UTIME_NOW
+# define UTIME_NOW     ((1l << 30) - 1l)
+#endif
+#ifndef UTIME_OMIT
+# define UTIME_OMIT    ((1l << 30) - 2l)
+#endif
+#endif
+typedef struct timespec qemu_timespec;
+int qemu_utimensat(int dirfd, const char *path, const qemu_timespec *times,
+    int flags);
+
 #endif
commit 0562c67432991d1cee442615d70fd39e638bec71
Author: Kusanagi Kouichi <slash at ac.auone-net.jp>
Date:   Sat Oct 30 11:52:39 2010 +0900

    virtio-9p: Check the return value of llistxattr.
    
    If llistxattr returned 0, qemu aborts.
    
    Signed-off-by: Kusanagi Kouichi <slash at ac.auone-net.jp>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-xattr.c b/hw/virtio-9p-xattr.c
index 175f372..1aab081 100644
--- a/hw/virtio-9p-xattr.c
+++ b/hw/virtio-9p-xattr.c
@@ -73,6 +73,9 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
 
     /* Get the actual len */
     xattr_len = llistxattr(rpath(ctx, path), value, 0);
+    if (xattr_len <= 0) {
+        return xattr_len;
+    }
 
     /* Now fetch the xattr and find the actual size */
     orig_value = qemu_malloc(xattr_len);
commit d04e2826f5509092c8f0c6c3db7fa3232d912f7e
Author: Harsh Prateek Bora <harsh at linux.vnet.ibm.com>
Date:   Sun Oct 24 20:54:26 2010 +0530

    hw/virtio9p: Use appropriate debug print functions in TLINK path
    
    Running fsstress with debug enabled causes assertion failure
    because of inappropriate usage of debug print functions.
    With this patch, fsstress passes without assertion failure.
    
    Signed-off-by: Harsh Prateek Bora <harsh at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index cff5b07..6b18842 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -552,8 +552,8 @@ void pprint_pdu(V9fsPDU *pdu)
         break;
     case P9_TLINK:
         fprintf(llogfile, "TLINK: (");
-        pprint_int32(pdu, 0, &offset, "fid");
-        pprint_str(pdu, 0, &offset, ", oldpath");
+        pprint_int32(pdu, 0, &offset, "dfid");
+        pprint_int32(pdu, 0, &offset, ", fid");
         pprint_str(pdu, 0, &offset, ", newpath");
         break;
     case P9_RLINK:
commit 49594973fb38283e8c469892fe5eac2942d9bd25
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Fri Oct 22 10:08:45 2010 -0700

    [virtio-9p] Add datasync to server side TFSYNC/RFSYNC for dotl
    
    SYNOPSIS
        size[4] Tfsync tag[2] fid[4] datasync[4]
    
        size[4] Rfsync tag[2]
    
    DESCRIPTION
    
        The Tfsync transaction transfers ("flushes") all modified in-core data of
        file identified by fid to the disk device (or other  permanent  storage
        device)  where that  file  resides.
    
        If datasync flag is specified data will be fleshed but does not flush
        modified metadata unless  that  metadata  is  needed  in order to allow a
        subsequent data retrieval to be correctly handled.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 21d60b5..c7731c2 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -86,7 +86,7 @@ typedef struct FileOperations
     int (*fstat)(FsContext *, int, struct stat *);
     int (*rename)(FsContext *, const char *, const char *);
     int (*truncate)(FsContext *, const char *, off_t);
-    int (*fsync)(FsContext *, int);
+    int (*fsync)(FsContext *, int, int);
     int (*statfs)(FsContext *s, const char *path, struct statfs *stbuf);
     ssize_t (*lgetxattr)(FsContext *, const char *,
                          const char *, void *, size_t);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 0d52020..656bfb3 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -490,9 +490,13 @@ static int local_remove(FsContext *ctx, const char *path)
     return remove(rpath(ctx, path));
 }
 
-static int local_fsync(FsContext *ctx, int fd)
+static int local_fsync(FsContext *ctx, int fd, int datasync)
 {
-    return fsync(fd);
+    if (datasync) {
+        return qemu_fdatasync(fd);
+    } else {
+        return fsync(fd);
+    }
 }
 
 static int local_statfs(FsContext *s, const char *path, struct statfs *stbuf)
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index daade77..7c59988 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -248,9 +248,9 @@ static int v9fs_do_remove(V9fsState *s, V9fsString *path)
     return s->ops->remove(&s->ctx, path->data);
 }
 
-static int v9fs_do_fsync(V9fsState *s, int fd)
+static int v9fs_do_fsync(V9fsState *s, int fd, int datasync)
 {
-    return s->ops->fsync(&s->ctx, fd);
+    return s->ops->fsync(&s->ctx, fd, datasync);
 }
 
 static int v9fs_do_statfs(V9fsState *s, V9fsString *path, struct statfs *stbuf)
@@ -1868,16 +1868,17 @@ static void v9fs_fsync(V9fsState *s, V9fsPDU *pdu)
     int32_t fid;
     size_t offset = 7;
     V9fsFidState *fidp;
+    int datasync;
     int err;
 
-    pdu_unmarshal(pdu, offset, "d", &fid);
+    pdu_unmarshal(pdu, offset, "dd", &fid, &datasync);
     fidp = lookup_fid(s, fid);
     if (fidp == NULL) {
         err = -ENOENT;
         v9fs_post_do_fsync(s, pdu, err);
         return;
     }
-    err = v9fs_do_fsync(s, fidp->fs.fd);
+    err = v9fs_do_fsync(s, fidp->fs.fd, datasync);
     v9fs_post_do_fsync(s, pdu, err);
 }
 
@@ -3001,7 +3002,7 @@ static void v9fs_wstat(V9fsState *s, V9fsPDU *pdu)
 
     /* do we need to sync the file? */
     if (donttouch_stat(&vs->v9stat)) {
-        err = v9fs_do_fsync(s, vs->fidp->fs.fd);
+        err = v9fs_do_fsync(s, vs->fidp->fs.fd, 0);
         v9fs_wstat_post_fsync(s, vs, err);
         return;
     }
commit 6a8657528d94fa1be78d1be0821a01a251fa2de9
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Thu Dec 2 14:41:59 2010 -0600

    Fix build
    
    msix.o and msi.o get pulled into the build unconditionally for QMP.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/Makefile.objs b/Makefile.objs
index 257623b..04625eb 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -218,7 +218,6 @@ hw-obj-$(CONFIG_PIIX4) += piix4.o
 hw-obj-$(CONFIG_PCI) += wdt_i6300esb.o
 
 hw-obj-$(CONFIG_PCI) += pcie.o pcie_aer.o pcie_port.o
-hw-obj-$(CONFIG_PCI) += msix.o msi.o
 
 # PCI network cards
 hw-obj-$(CONFIG_NE2000_PCI) += ne2000.o
commit 19c71ff41c029517c11ae67d6fbcb093a5d1150f
Merge: 393f398... 0c600ce...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Thu Dec 2 14:16:40 2010 -0600

    Merge remote branch 'mst/for_anthony' into staging

commit 0c600ce2a7a419c7247b2ac63327dea5daa3d5a2
Author: Jason Wang <jasowang at redhat.com>
Date:   Sat Nov 27 22:05:07 2010 +0800

    vhost: Fix address calculation in vhost_dev_sync_region()
    
    We still need advance address even we find there's no dirty pages in
    current chunk.
    
    Signed-off-by: Jason Wang <jasowang at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/vhost.c b/hw/vhost.c
index 8586f66..6082da2 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -37,6 +37,7 @@ static void vhost_dev_sync_region(struct vhost_dev *dev,
         /* We first check with non-atomic: much cheaper,
          * and we expect non-dirty to be the common case. */
         if (!*from) {
+            addr += VHOST_LOG_CHUNK;
             continue;
         }
         /* Data must be read atomically. We don't really
commit 3d002df33eb034757d98e1ae529318f57df78f91
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Nov 23 19:05:54 2010 +0200

    migration: allow rate > 4g
    
    I'd like to disable bandwidth limit or make it very high,
    Use int64_t all over to make values >= 4g work.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Jason Wang <jasowang at redhat.com>

diff --git a/buffered_file.c b/buffered_file.c
index 1836e7e..8435a31 100644
--- a/buffered_file.c
+++ b/buffered_file.c
@@ -206,20 +206,23 @@ static int buffered_rate_limit(void *opaque)
     return 0;
 }
 
-static size_t buffered_set_rate_limit(void *opaque, size_t new_rate)
+static int64_t buffered_set_rate_limit(void *opaque, int64_t new_rate)
 {
     QEMUFileBuffered *s = opaque;
-
     if (s->has_error)
         goto out;
 
+    if (new_rate > SIZE_MAX) {
+        new_rate = SIZE_MAX;
+    }
+
     s->xfer_limit = new_rate / 10;
     
 out:
     return s->xfer_limit;
 }
 
-static size_t buffered_get_rate_limit(void *opaque)
+static int64_t buffered_get_rate_limit(void *opaque)
 {
     QEMUFileBuffered *s = opaque;
   
diff --git a/hw/hw.h b/hw/hw.h
index 9d2cfc2..77bfb58 100644
--- a/hw/hw.h
+++ b/hw/hw.h
@@ -39,8 +39,8 @@ typedef int (QEMUFileRateLimit)(void *opaque);
  * the new actual bandwidth. It should be new_rate if everything goes ok, and
  * the old rate otherwise
  */
-typedef size_t (QEMUFileSetRateLimit)(void *opaque, size_t new_rate);
-typedef size_t (QEMUFileGetRateLimit)(void *opaque);
+typedef int64_t (QEMUFileSetRateLimit)(void *opaque, int64_t new_rate);
+typedef int64_t (QEMUFileGetRateLimit)(void *opaque);
 
 QEMUFile *qemu_fopen_ops(void *opaque, QEMUFilePutBufferFunc *put_buffer,
                          QEMUFileGetBufferFunc *get_buffer,
@@ -83,8 +83,8 @@ unsigned int qemu_get_be16(QEMUFile *f);
 unsigned int qemu_get_be32(QEMUFile *f);
 uint64_t qemu_get_be64(QEMUFile *f);
 int qemu_file_rate_limit(QEMUFile *f);
-size_t qemu_file_set_rate_limit(QEMUFile *f, size_t new_rate);
-size_t qemu_file_get_rate_limit(QEMUFile *f);
+int64_t qemu_file_set_rate_limit(QEMUFile *f, int64_t new_rate);
+int64_t qemu_file_get_rate_limit(QEMUFile *f);
 int qemu_file_has_error(QEMUFile *f);
 void qemu_file_set_error(QEMUFile *f);
 
diff --git a/migration.c b/migration.c
index 9ee8b17..622a9d2 100644
--- a/migration.c
+++ b/migration.c
@@ -32,7 +32,7 @@
 #endif
 
 /* Migration speed throttling */
-static uint32_t max_throttle = (32 << 20);
+static int64_t max_throttle = (32 << 20);
 
 static MigrationState *current_migration;
 
@@ -136,7 +136,9 @@ int do_migrate_set_speed(Monitor *mon, const QDict *qdict, QObject **ret_data)
     FdMigrationState *s;
 
     d = qdict_get_int(qdict, "value");
-    d = MAX(0, MIN(UINT32_MAX, d));
+    if (d < 0) {
+        d = 0;
+    }
     max_throttle = d;
 
     s = migrate_to_fms(current_migration);
diff --git a/savevm.c b/savevm.c
index 4e49765..d38f79e 100644
--- a/savevm.c
+++ b/savevm.c
@@ -611,7 +611,7 @@ int qemu_file_rate_limit(QEMUFile *f)
     return 0;
 }
 
-size_t qemu_file_get_rate_limit(QEMUFile *f)
+int64_t qemu_file_get_rate_limit(QEMUFile *f)
 {
     if (f->get_rate_limit)
         return f->get_rate_limit(f->opaque);
@@ -619,7 +619,7 @@ size_t qemu_file_get_rate_limit(QEMUFile *f)
     return 0;
 }
 
-size_t qemu_file_set_rate_limit(QEMUFile *f, size_t new_rate)
+int64_t qemu_file_set_rate_limit(QEMUFile *f, int64_t new_rate)
 {
     /* any failed or completed migration keeps its state to allow probing of
      * migration data, but has no associated file anymore */
commit b2e0a138e77245290428a7d599a929e2e1bfe510
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Nov 22 19:52:34 2010 +0200

    migration: stable ram block ordering
    
    This makes ram block ordering under migration stable, ordered by offset.
    This is especially useful for migration to exec, for debugging.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Tested-by: Jason Wang <jasowang at redhat.com>

diff --git a/arch_init.c b/arch_init.c
index 4486925..e32e289 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -23,6 +23,7 @@
  */
 #include <stdint.h>
 #include <stdarg.h>
+#include <stdlib.h>
 #ifndef _WIN32
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -212,6 +213,39 @@ uint64_t ram_bytes_total(void)
     return total;
 }
 
+static int block_compar(const void *a, const void *b)
+{
+    RAMBlock * const *ablock = a;
+    RAMBlock * const *bblock = b;
+    if ((*ablock)->offset < (*bblock)->offset) {
+        return -1;
+    } else if ((*ablock)->offset > (*bblock)->offset) {
+        return 1;
+    }
+    return 0;
+}
+
+static void sort_ram_list(void)
+{
+    RAMBlock *block, *nblock, **blocks;
+    int n;
+    n = 0;
+    QLIST_FOREACH(block, &ram_list.blocks, next) {
+        ++n;
+    }
+    blocks = qemu_malloc(n * sizeof *blocks);
+    n = 0;
+    QLIST_FOREACH_SAFE(block, &ram_list.blocks, next, nblock) {
+        blocks[n++] = block;
+        QLIST_REMOVE(block, next);
+    }
+    qsort(blocks, n, sizeof *blocks, block_compar);
+    while (--n >= 0) {
+        QLIST_INSERT_HEAD(&ram_list.blocks, blocks[n], next);
+    }
+    qemu_free(blocks);
+}
+
 int ram_save_live(Monitor *mon, QEMUFile *f, int stage, void *opaque)
 {
     ram_addr_t addr;
@@ -234,6 +268,7 @@ int ram_save_live(Monitor *mon, QEMUFile *f, int stage, void *opaque)
         bytes_transferred = 0;
         last_block = NULL;
         last_offset = 0;
+        sort_ram_list();
 
         /* Make sure all dirty bits are set */
         QLIST_FOREACH(block, &ram_list.blocks, next) {
diff --git a/cpu-common.h b/cpu-common.h
index a543b5d..bb6b137 100644
--- a/cpu-common.h
+++ b/cpu-common.h
@@ -46,6 +46,9 @@ ram_addr_t qemu_ram_alloc(DeviceState *dev, const char *name, ram_addr_t size);
 void qemu_ram_free(ram_addr_t addr);
 /* This should only be used for ram local to a device.  */
 void *qemu_get_ram_ptr(ram_addr_t addr);
+/* Same but slower, to use for migration, where the order of
+ * RAMBlocks must not change. */
+void *qemu_safe_ram_ptr(ram_addr_t addr);
 /* This should not be used by devices.  */
 int qemu_ram_addr_from_host(void *ptr, ram_addr_t *ram_addr);
 ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
diff --git a/exec.c b/exec.c
index db9ff55..6c8f635 100644
--- a/exec.c
+++ b/exec.c
@@ -2030,10 +2030,10 @@ void cpu_physical_memory_reset_dirty(ram_addr_t start, ram_addr_t end,
 
     /* we modify the TLB cache so that the dirty bit will be set again
        when accessing the range */
-    start1 = (unsigned long)qemu_get_ram_ptr(start);
+    start1 = (unsigned long)qemu_safe_ram_ptr(start);
     /* Chek that we don't span multiple blocks - this breaks the
        address comparisons below.  */
-    if ((unsigned long)qemu_get_ram_ptr(end - 1) - start1
+    if ((unsigned long)qemu_safe_ram_ptr(end - 1) - start1
             != (end - 1) - start) {
         abort();
     }
@@ -2858,6 +2858,7 @@ ram_addr_t qemu_ram_alloc_from_ptr(DeviceState *dev, const char *name,
     new_block->length = size;
 
     QLIST_INSERT_HEAD(&ram_list.blocks, new_block, next);
+    fprintf(stderr, "alloc ram %s len 0x%x\n", new_block->idstr, (int)new_block->length);
 
     ram_list.phys_dirty = qemu_realloc(ram_list.phys_dirty,
                                        last_ram_offset() >> TARGET_PAGE_BITS);
@@ -2931,6 +2932,25 @@ void *qemu_get_ram_ptr(ram_addr_t addr)
     return NULL;
 }
 
+/* Return a host pointer to ram allocated with qemu_ram_alloc.
+ * Same as qemu_get_ram_ptr but avoid reordering ramblocks.
+ */
+void *qemu_safe_ram_ptr(ram_addr_t addr)
+{
+    RAMBlock *block;
+
+    QLIST_FOREACH(block, &ram_list.blocks, next) {
+        if (addr - block->offset < block->length) {
+            return block->host + (addr - block->offset);
+        }
+    }
+
+    fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
+    abort();
+
+    return NULL;
+}
+
 int qemu_ram_addr_from_host(void *ptr, ram_addr_t *ram_addr)
 {
     RAMBlock *block;
diff --git a/kvm-all.c b/kvm-all.c
index 37b99c7..cae24bb 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -162,7 +162,7 @@ static int kvm_set_user_memory_region(KVMState *s, KVMSlot *slot)
     mem.slot = slot->slot;
     mem.guest_phys_addr = slot->start_addr;
     mem.memory_size = slot->memory_size;
-    mem.userspace_addr = (unsigned long)qemu_get_ram_ptr(slot->phys_offset);
+    mem.userspace_addr = (unsigned long)qemu_safe_ram_ptr(slot->phys_offset);
     mem.flags = slot->flags;
     if (s->migration_log) {
         mem.flags |= KVM_MEM_LOG_DIRTY_PAGES;
commit 53b6d3d5c2522e881c8d194f122de3114f6f76eb
Merge: bdce0cb... a8118d8...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Dec 2 12:15:20 2010 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (51 commits)
      microblaze: target-ify target_ucontext
      virtio-pci: Convert fprintf() to error_report()
      virtio-net: Convert fprintf() to error_report()
      virtio: Convert fprintf() to error_report()
      virtio-blk: Convert fprintf() to error_report()
      vgabios update: handle compatibility with older qemu versions
      pcnet: Do not receive external frames in loopback mode
      piix4 acpi: convert io BAR to type-safe ioport callbacks
      Type-safe ioport callbacks
      trace: Trace vm_start()/vm_stop()
      virtfs: enable MSI-X
      pc: add 0.13 pc machine type
      trace: Use fprintf_function (format checking)
      slirp: Remove unused code for bad sprintf
      pc: disable the BOCHS BIOS panic port
      optionrom: fix bugs in signrom.sh
      Makefile: Fix check dependency breakage
      block migration: do not submit multiple AIOs for same sector
      block: set sector dirty on AIO write completion
      block: fix shift in dirty bitmap calculation
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit a8118d82afa60d435b7033d5f8e42ca3f8f2f10d
Merge: 9b42193... f711df6...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Dec 2 12:13:43 2010 -0200

    Merge commit 'f711df67d611e4762966a249742a5f7499e19f99' into upstream-merge
    
    * commit 'f711df67d611e4762966a249742a5f7499e19f99': (41 commits)
      microblaze: target-ify target_ucontext
      virtio-pci: Convert fprintf() to error_report()
      virtio-net: Convert fprintf() to error_report()
      virtio: Convert fprintf() to error_report()
      virtio-blk: Convert fprintf() to error_report()
      vgabios update: handle compatibility with older qemu versions
      pcnet: Do not receive external frames in loopback mode
      piix4 acpi: convert io BAR to type-safe ioport callbacks
      Type-safe ioport callbacks
      trace: Trace vm_start()/vm_stop()
      virtfs: enable MSI-X
      pc: add 0.13 pc machine type
      trace: Use fprintf_function (format checking)
      slirp: Remove unused code for bad sprintf
      pc: disable the BOCHS BIOS panic port
      optionrom: fix bugs in signrom.sh
      Makefile: Fix check dependency breakage
      block migration: do not submit multiple AIOs for same sector
      block: set sector dirty on AIO write completion
      block: fix shift in dirty bitmap calculation
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc vl.c
index 37ed560,805e11f..e3c8919
--- a/vl.c
+++ b/vl.c
@@@ -1265,19 -1252,18 +1268,20 @@@ void main_loop_wait(int nonblocking
          IOHandlerRecord *pioh;
  
          QLIST_FOREACH_SAFE(ioh, &io_handlers, next, pioh) {
-             if (ioh->deleted) {
-                 QLIST_REMOVE(ioh, next);
-                 qemu_free(ioh);
-                 continue;
-             }
-             if (ioh->fd_read && FD_ISSET(ioh->fd, &rfds)) {
+             if (!ioh->deleted && ioh->fd_read && FD_ISSET(ioh->fd, &rfds)) {
                  ioh->fd_read(ioh->opaque);
 +                if (!(ioh->fd_read_poll && ioh->fd_read_poll(ioh->opaque)))
 +                    FD_CLR(ioh->fd, &rfds);
              }
-             if (ioh->fd_write && FD_ISSET(ioh->fd, &wfds)) {
+             if (!ioh->deleted && ioh->fd_write && FD_ISSET(ioh->fd, &wfds)) {
                  ioh->fd_write(ioh->opaque);
              }
+ 
+             /* Do this last in case read/write handlers marked it for deletion */
+             if (ioh->deleted) {
+                 QLIST_REMOVE(ioh, next);
+                 qemu_free(ioh);
+             }
          }
      }
  
commit 9b421939fb38b8e3573e9f04e2a6b38fcb61b09a
Merge: f6f8864... 4cff0a5...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Dec 2 12:03:34 2010 -0200

    Merge commit '4cff0a5994d0300e6e77e90d3354aa517a120539' into upstream-merge
    
    * commit '4cff0a5994d0300e6e77e90d3354aa517a120539':
      pci: allow hotplug removal of cold-plugged devices
      PCI: Bus number from the bridge, not the device
      e1000: Fix TCP checksum overflow with TSO
      tap: make set_offload a nop after netdev cleanup
      Add support for async page fault to qemu
      tap: clear vhost_net backend on cleanup
      more stdvga cleanups.
      switch vmware_vga to pci vgabios
      switch stdvga to pci vgabios
    
    Conflicts:
    	hw/acpi_piix4.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/acpi_piix4.c
index 283323b,f549089..f9d92ab
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@@ -605,9 -585,8 +605,10 @@@ static void pciej_write(void *opaque, u
      PIIX4_DPRINTF("pciej write %x <== %d\n", addr, val);
  }
  
 +extern const char *global_cpu_model;
 +
- static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state);
+ static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
+                                 PCIHotplugState state);
  
  static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
  {
diff --cc hw/pci.h
index 1fe6e49,09b3e4c..34955d8
--- a/hw/pci.h
+++ b/hw/pci.h
@@@ -241,9 -211,18 +241,17 @@@ void pci_default_write_config(PCIDevic
                                uint32_t address, uint32_t val, int len);
  void pci_device_save(PCIDevice *s, QEMUFile *f);
  int pci_device_load(PCIDevice *s, QEMUFile *f);
 -
  typedef void (*pci_set_irq_fn)(void *opaque, int irq_num, int level);
  typedef int (*pci_map_irq_fn)(PCIDevice *pci_dev, int irq_num);
- typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev, int state);
+ 
+ typedef enum {
+     PCI_HOTPLUG_DISABLED,
+     PCI_HOTPLUG_ENABLED,
+     PCI_COLDPLUG_ENABLED,
+ } PCIHotplugState;
+ 
+ typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev,
+                               PCIHotplugState state);
  void pci_bus_new_inplace(PCIBus *bus, DeviceState *parent,
                           const char *name, int devfn_min);
  PCIBus *pci_bus_new(DeviceState *parent, const char *name, int devfn_min);
commit f6f8864b9b3ae1ea151c2b781792a5e72baaa178
Merge: bdce0cb... 3b3d448...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Dec 2 11:51:26 2010 -0200

    Merge commit '3b3d448e01ccfc6fdcb6e3d4ebf47418075e3bb4' into upstream-merge
    
    * commit '3b3d448e01ccfc6fdcb6e3d4ebf47418075e3bb4':
      Add new vgabios binaries to blobs list.
    
    Conflicts:
    	pc-bios/vgabios-cirrus.bin
    	pc-bios/vgabios.bin
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc .gitmodules
index 5217ce7,5217ce7..cb52264
--- a/.gitmodules
+++ b/.gitmodules
@@@ -1,6 -1,6 +1,6 @@@
  [submodule "roms/vgabios"]
  	path = roms/vgabios
--	url = git://git.qemu.org/vgabios.git/
++	url = git://git.kernel.org/pub/scm/virt/kvm/vgabios.git/
  [submodule "roms/seabios"]
  	path = roms/seabios
  	url = git://git.qemu.org/seabios.git/
diff --cc pc-bios/vgabios-cirrus.bin
index 7007bf0,424dd0c..7626ea5
--- a/pc-bios/vgabios-cirrus.bin
+++ b/pc-bios/vgabios-cirrus.bin
@@@ -1,4 -1,4 +1,4 @@@
- UªFé!
 -UªFé!
++UªFé!
  
  
  
@@@ -119,7 -120,7 +120,7 @@@ DD0äPÿvÿvè
  
  
  
- 
- Jï¸
- ºÄ¸ïèV
- €ÿ
+ 
+ Jï¸
+ ºÄ¸ïèV
 -€ÿ
++€ÿ
diff --cc pc-bios/vgabios-stdvga.bin
index 0000000,5123c5f..1e4fc33
mode 000000,100644..100644
--- a/pc-bios/vgabios-stdvga.bin
+++ b/pc-bios/vgabios-stdvga.bin
@@@ -1,0 -1,172 +1,173 @@@
 -UªOé!
++UªOé!
+ 
+ 
+ 
+ 
+ 
 . http://bochs.sourceforge.net
+ 
 . http://www.nongnu.org/vgabios
+ 
 -
 -uè4šë`»
++
++uèüšë`»
+ ÿ
+ ÿP
+ 
A
+ 
+ 
+ 
+ 
+ 
+ 






+ 
+ é 
 -ëVëT,
++ëVëT,
+ ëC¸
+ w!0äÑà‰Ã.ÿ§;…:˜:­:ë:Â:ë:ë:ë:ë:Û:ã:ëÍë¸
 -:&:-O
++:&:-O
+ ‰^úë*»ï
+ ‰^úë"»¯‰^úë»o‰^úëë,
+ 0äP‹Fê@Pè,=ƒÄ‹Fö@‰Fö‹Fö=
+ ;ƒÄ¸
+ 
+ 0äPŠF0ä‰ÃŠFû0ä‰Ù÷éFþP¸
+ ŠFû@ˆFûŠFû:Frµ¸
+ 0䓉Ù÷éF€Ô
+ 0ä‰ÃŠFý0ä‰Ù÷éFþP¸
+ 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éP‹Fþ
+ ëBŠF
+ 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éFþP¸
+ ŠFû@ˆFûŠFû:F‚Nÿ‰ì]ÃU‰åƒÄüŠF0ä‰ÃŠF0ä‰Ù÷é‰ÃŠF
+ 0䓉Ù÷éÑèF€Ô
+ 0䓉Ù÷éP‹Fþ
+ 0䓉Ù÷éFþP¸
+ :Fv‰ì]øI
+ ۆ
+ „ÀuY‹FöHPŠF0ä;FðfòuG‹FøHPŠF0ä;Fðfòu5‹Fö‹Nø÷éPŠF0ä¹
+ €Ô
+ €Ô
+ €Ô
+ ‹Fô@‰FôŠF0ä;Fôƒ2ÿéÞ
+ €Ô
+ €Ô
+ €Ô
+ ŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†-ÿéÖŠFþ0ä‰ÃŠ‡›0ä±Óà‰ÃÃ¯ŠGˆFýŠFþ0ä±Óà‰ÃÃŠGé’ŠF„À…‰
+ „Àuy‹FöHPŠF0ä;Fðfòug‹FøHPŠF0ä;FðfòuU¸P¸ÎPè|/ƒÄ‹Fö‹Nø÷é‰ÃŠFý0䓉Ù÷éPŠF0äP1ÀPŠFþ0ä±Óà‰ÃÃÿwè .ƒÄ¸
+ 0äPèjùƒÄë(ŠFý0äPÿvøŠFû0äPÿvô‹FôF€Ô
+ 0äPè~øƒÄ‹Fô@‰FôŠF0ä;FôsƒéŽ
+ 0äPèçøƒÄë(ŠFý0äPÿvøŠFû0äP‹Fô*F€Ü
+ 0äPèû÷ƒÄŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†|ÿéíŠFþ0ä±Óà‰ÃÃŠGˆFüŠF„ÀuwŠF„ÀupŠF
+ „Àui‹FöHPŠF0ä;FðfòuW‹FøHPŠF0ä;FðfòuE‹Fö‹Nø÷é‰ÃŠFý0䓉Ù÷é‰ÃŠFü0䓉Ù÷éPŠF0äP1ÀPŠFþ0ä±Óà‰ÃÃÿwèZ,ƒÄéDŠFü<uŠF
+ 0äÑàˆF
+ ŠFû0äÑàˆFû‹FøÑà‰FøŠF<…Š
+ 0äPè-ùƒÄë(ŠFý0äPÿvøŠFû0äPÿvô‹FôF€Ô
+ 0äPèñ÷ƒÄ‹Fô@‰FôŠF0ä;FôsƒéŽ
+ 0äPèªøƒÄë(ŠFý0äPÿvøŠFû0äP‹Fô*F€Ü
+ 0äPèn÷ƒÄŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†|ÿëë,„þ,„bü,„\ü‰ì]ÃU‰åLLè$,‰FþƒÄò¸I
+ ,tä,tèëîŠF0ä‰ÃŠF
+ 0ä‰Ù÷é‰ÃŠF0䓉Ù÷éF€Ô
+ 0ä¹@÷éPŠF0ä‰ÃŠF0ä‰Ù÷éFòDD‰FøŠF0ä±Óà‰Fô0ÀˆFÿé´ŠFÿ0äÑè¹P
+ FüˆFüŠFý0äÑèˆFýŠFþ@ˆFþŠFþ<rŠŠFü0äPÿvö¸
+ FüˆFüŠFý0äÑèˆFýŠFþ@ˆFþŠFþ<r†ŠFü0äPÿvö¸
+ 0ä‰Ù÷é±ÓàPŠF0ä±ÓàFòDD‰FøŠF0ä±Óà‰Fô0ÀˆFÿé
+ ÿvðÿvôŠFû0ä±Óà‰ÃÃÿwèà$ƒÄéó
+ ëë,t®,„ÿ,„yÿ,tÇŠFþ@ˆFþ‹F
+ H‰F
+ =ÿÿtŠFþ0ä;Fø‚Bÿ‰ì]ÃU‰åƒÄð¸I
+ H‰F
+ =ÿÿuËéó
+ ëë,t®,„ÿ,„yÿ,tÇŠFþ@ˆFþ‹F
+ H‰F
+ =ÿÿtŠFþ0ä;Fø‚Bÿ‰ì]Àÿ
+ ÷éP‹F±ÓèFöDD‰FøŠF$0ä‰Ã¸€
+ Ñè¹P
+ Ñè¹P
+ $„Àt	‹Fø
+ FüˆFûŠFû0äPÿvø¸
+ ÷éF‰FøŠF0äPÿvø¸
+ FüˆFüŠFú@ˆFúŠFú<r®éè
+ ÿvö脃Ä0À
+ FüPÿv
+ ÿvö蝃ĉì]ÃU‰åƒÄðŠF<ÿu¸b
+ 0äPŠF0äPŠF0äP¸ 
+ <u#ŠF0äP‹Fô@PŠFû0ä±Óà‰ÃÃÿwèÛƒÄéÒ
+ ëë,t®,„ÿ,„yÿ,tÇŠFþ@ˆFþë!,„þ,„þ,„)þ,„þ,„þéjþŠFþ0ä;Føu0ÀˆFþŠFý@ˆFýŠFý0ä;Fö…É
+ ˆÄ°ºÎï¸
+ ‹Fú@‰Fú‹Fú;F
+ r´èýýŠF<rŠF0äPè!þDD‰ì]ÃU‰åƒÄøè»ýŠF$0äˆÄ0À±ÓàPŠF$0äˆÄ0À±ÓàFöDD‰Fþ1À‰FúëA‹Fú‰Â±Óà)ÐÑà‰Fø‹Fú±ÓàFþ‰Fü¸
+ ‹Fú@‰Fú‹Fú=
+ ‹Fú@‰Fú‹Fú=
+ ‹Fú@‰Fú‹Fú=
+ ÿvþ褃ĸ„
+ $ï€€äð€Ì»‰
+ H‰F
+ =ÿÿu¥ŠF$„ÀuÿvüŠF0äPèÒՃĉì]Ã<
+ DD0äPÿvÿvèº
+ ƒÄ‹F@‰F‹Fþ@‰Fþ‹Fþ=
+ ƒÄ‹F@@‰F1ÀPÿvÿvè~
+ ƒÄ‹F@‰F1ÀPÿvÿvèh
+ ƒÄ‹F@‰F1ÀPÿvÿvèR
+ ƒÄ‹F@‰F1ÀPÿvÿvè<
+ ƒÄ‹F@‰FŠF$„À„p¸I
+ ƒÄ‹F@‰F¸J
+ ƒÄ‹F@@‰F¸L
+ ƒù
+ ƒù
+ ‰Æüó¤^_YX]ÃU‰åPQWV‹Nƒù
+ ‰Æüó¥^_YX]ÃU‰åS‹FŽØ‹^Š[]ÃU‰åS‹FŽØ‹^‹[]ÃU‰åPS‹FŽØ‹^ŠFˆ[X]ÃU‰åPS‹FŽØ‹^‹F‰[X]ÃU‰åR‹VìZ]ÃU‰åR‹VíZ]ÃU‰åPR‹VŠFîZX]ÃU‰åPR‹V‹FïZX]ÃŒÐÃU‰åƒÄì^‰^öèîÿ‰Fô1À‰Fü1À‰FúéŠFÿ<%u¸
+ ²è
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ € 
+ 
+ ۈ 
+ 
+ 
 -
++
++
++
+ 
+ 
+ 
+ 
+ x-
+ 
+ @}
+ @¼
+ @ ú
+ 
+ 
+ 
+ 
+ 
 -€û
 -Š†þý<VuŠ†ÿý<BuŠ†
++€û
++Š†þý<VuŠ†ÿý<BuŠ†
+ þ0Àˆ†þ‹F‰†þ‹F"
 -
 -ë¸
 -‹žðýŠG0ä1ÛSP‹žðý‹G1ÛSP‹žðý‹G1ۍ¾èýèBþƒÄ¾ìýè8þƒÄ1À‰†òýèWû‹žðý;GrMèmû‹žðýPŠG0ä;†îý¦ðýw6‹†òý;†þw,‹žðýÿ7‹F†ôýPÿvèMæƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
 -‹†øþ…Àt°ˆ†ÿ¸4PèÚæDD‰†öþ‹†öþ…Àt‹†öþ1Û“1À‰†$ÿ‰ž&ÿŠ†þþ$„Àt1À»
 -ÿ»[‘‰žÿ¸O
 -ÿvèFäƒÄ
 -ÿvþÿvÿvüèÕäƒÄ‰ì]ÃU‰åLLèå‰FþƒÄø‹F%
 -Fö0äPèñøDDèçùÿv¸º
 -ÿvèdԃĉFúŠF$„Àtÿvúÿv
 -èÅýƒÄëTÿvÿvþèåàƒÄ‰Fúÿvúÿv
 -ÿvèöكĉFúŠF$„Àtÿvúÿv
 -èþƒÄë¸
 -õ0ÿˆãè?ö‰ÁÛuÁè³÷ã‰Ãè;ö‰Â¸O
 -€ÿu
 
++
++ë¸
++‹žðýŠG0ä1ÛSP‹žðý‹G1ÛSP‹žðý‹G1ۍ¾èýèFþƒÄ¾ìýè<þƒÄ1À‰†òýè[û‹žðý;GrMèqû‹žðýPŠG0ä;†îý¦ðýw6‹†òý;†þw,‹žðýÿ7‹F†ôýPÿvè…åƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
++‹†øþ…Àt°ˆ†ÿ¸4PèæDD‰†öþ‹†öþ…Àt‹†öþ1Û“1À‰†$ÿ‰ž&ÿŠ†þþ$„Àt1À»
++ÿ»'’‰žÿ¸O
++ÿvè~ãƒÄ
++ÿvþÿvÿvüè
äƒÄ‰ì]ÃU‰åLLèLä‰FþƒÄø‹F%
++Fö0äPèõøDDèëùÿv¸º
++ÿvèœÓƒÄ‰FúŠF$„Àtÿvúÿv
++èÅýƒÄëTÿvÿvþèàƒÄ‰Fúÿvúÿv
++ÿvè.كĉFúŠF$„Àtÿvúÿv
++èþƒÄë¸
++€ÿu
 
diff --cc pc-bios/vgabios-vmware.bin
index 0000000,5e8c06b..9633d9a
mode 000000,100644..100644
--- a/pc-bios/vgabios-vmware.bin
+++ b/pc-bios/vgabios-vmware.bin
@@@ -1,0 -1,172 +1,173 @@@
 -UªOé!
++UªOé!
+ 
+ 
+ 
+ 
+ 
 . http://bochs.sourceforge.net
+ 
 . http://www.nongnu.org/vgabios
+ 
 -
 -uè4šë`»
++
++uèüšë`»
+ ÿ
+ ÿP
+ 
A
+ 
+ 
+ 
+ 
+ 
+ 






+ 
+ é 
 -ëVëT,
++ëVëT,
+ ëC¸
+ w!0äÑà‰Ã.ÿ§;…:˜:­:ë:Â:ë:ë:ë:ë:Û:ã:ëÍë¸
 -:&:-O
++:&:-O
+ ‰^úë*»ï
+ ‰^úë"»¯‰^úë»o‰^úëë,
+ 0äP‹Fê@Pè,=ƒÄ‹Fö@‰Fö‹Fö=
+ ;ƒÄ¸
+ 
+ 0äPŠF0ä‰ÃŠFû0ä‰Ù÷éFþP¸
+ ŠFû@ˆFûŠFû:Frµ¸
+ 0䓉Ù÷éF€Ô
+ 0ä‰ÃŠFý0ä‰Ù÷éFþP¸
+ 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éP‹Fþ
+ ëBŠF
+ 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éFþP¸
+ ŠFû@ˆFûŠFû:F‚Nÿ‰ì]ÃU‰åƒÄüŠF0ä‰ÃŠF0ä‰Ù÷é‰ÃŠF
+ 0䓉Ù÷éÑèF€Ô
+ 0䓉Ù÷éP‹Fþ
+ 0䓉Ù÷éFþP¸
+ :Fv‰ì]øI
+ ۆ
+ „ÀuY‹FöHPŠF0ä;FðfòuG‹FøHPŠF0ä;Fðfòu5‹Fö‹Nø÷éPŠF0ä¹
+ €Ô
+ €Ô
+ €Ô
+ ‹Fô@‰FôŠF0ä;Fôƒ2ÿéÞ
+ €Ô
+ €Ô
+ €Ô
+ ŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†-ÿéÖŠFþ0ä‰ÃŠ‡›0ä±Óà‰ÃÃ¯ŠGˆFýŠFþ0ä±Óà‰ÃÃŠGé’ŠF„À…‰
+ „Àuy‹FöHPŠF0ä;Fðfòug‹FøHPŠF0ä;FðfòuU¸P¸ÎPè|/ƒÄ‹Fö‹Nø÷é‰ÃŠFý0䓉Ù÷éPŠF0äP1ÀPŠFþ0ä±Óà‰ÃÃÿwè .ƒÄ¸
+ 0äPèjùƒÄë(ŠFý0äPÿvøŠFû0äPÿvô‹FôF€Ô
+ 0äPè~øƒÄ‹Fô@‰FôŠF0ä;FôsƒéŽ
+ 0äPèçøƒÄë(ŠFý0äPÿvøŠFû0äP‹Fô*F€Ü
+ 0äPèû÷ƒÄŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†|ÿéíŠFþ0ä±Óà‰ÃÃŠGˆFüŠF„ÀuwŠF„ÀupŠF
+ „Àui‹FöHPŠF0ä;FðfòuW‹FøHPŠF0ä;FðfòuE‹Fö‹Nø÷é‰ÃŠFý0䓉Ù÷é‰ÃŠFü0䓉Ù÷éPŠF0äP1ÀPŠFþ0ä±Óà‰ÃÃÿwèZ,ƒÄéDŠFü<uŠF
+ 0äÑàˆF
+ ŠFû0äÑàˆFû‹FøÑà‰FøŠF<…Š
+ 0äPè-ùƒÄë(ŠFý0äPÿvøŠFû0äPÿvô‹FôF€Ô
+ 0äPèñ÷ƒÄ‹Fô@‰FôŠF0ä;FôsƒéŽ
+ 0äPèªøƒÄë(ŠFý0äPÿvøŠFû0äP‹Fô*F€Ü
+ 0äPèn÷ƒÄŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†|ÿëë,„þ,„bü,„\ü‰ì]ÃU‰åLLè$,‰FþƒÄò¸I
+ ,tä,tèëîŠF0ä‰ÃŠF
+ 0ä‰Ù÷é‰ÃŠF0䓉Ù÷éF€Ô
+ 0ä¹@÷éPŠF0ä‰ÃŠF0ä‰Ù÷éFòDD‰FøŠF0ä±Óà‰Fô0ÀˆFÿé´ŠFÿ0äÑè¹P
+ FüˆFüŠFý0äÑèˆFýŠFþ@ˆFþŠFþ<rŠŠFü0äPÿvö¸
+ FüˆFüŠFý0äÑèˆFýŠFþ@ˆFþŠFþ<r†ŠFü0äPÿvö¸
+ 0ä‰Ù÷é±ÓàPŠF0ä±ÓàFòDD‰FøŠF0ä±Óà‰Fô0ÀˆFÿé
+ ÿvðÿvôŠFû0ä±Óà‰ÃÃÿwèà$ƒÄéó
+ ëë,t®,„ÿ,„yÿ,tÇŠFþ@ˆFþ‹F
+ H‰F
+ =ÿÿtŠFþ0ä;Fø‚Bÿ‰ì]ÃU‰åƒÄð¸I
+ H‰F
+ =ÿÿuËéó
+ ëë,t®,„ÿ,„yÿ,tÇŠFþ@ˆFþ‹F
+ H‰F
+ =ÿÿtŠFþ0ä;Fø‚Bÿ‰ì]Àÿ
+ ÷éP‹F±ÓèFöDD‰FøŠF$0ä‰Ã¸€
+ Ñè¹P
+ Ñè¹P
+ $„Àt	‹Fø
+ FüˆFûŠFû0äPÿvø¸
+ ÷éF‰FøŠF0äPÿvø¸
+ FüˆFüŠFú@ˆFúŠFú<r®éè
+ ÿvö脃Ä0À
+ FüPÿv
+ ÿvö蝃ĉì]ÃU‰åƒÄðŠF<ÿu¸b
+ 0äPŠF0äPŠF0äP¸ 
+ <u#ŠF0äP‹Fô@PŠFû0ä±Óà‰ÃÃÿwèÛƒÄéÒ
+ ëë,t®,„ÿ,„yÿ,tÇŠFþ@ˆFþë!,„þ,„þ,„)þ,„þ,„þéjþŠFþ0ä;Føu0ÀˆFþŠFý@ˆFýŠFý0ä;Fö…É
+ ˆÄ°ºÎï¸
+ ‹Fú@‰Fú‹Fú;F
+ r´èýýŠF<rŠF0äPè!þDD‰ì]ÃU‰åƒÄøè»ýŠF$0äˆÄ0À±ÓàPŠF$0äˆÄ0À±ÓàFöDD‰Fþ1À‰FúëA‹Fú‰Â±Óà)ÐÑà‰Fø‹Fú±ÓàFþ‰Fü¸
+ ‹Fú@‰Fú‹Fú=
+ ‹Fú@‰Fú‹Fú=
+ ‹Fú@‰Fú‹Fú=
+ ÿvþ褃ĸ„
+ $ï€€äð€Ì»‰
+ H‰F
+ =ÿÿu¥ŠF$„ÀuÿvüŠF0äPèÒՃĉì]Ã<
+ DD0äPÿvÿvèº
+ ƒÄ‹F@‰F‹Fþ@‰Fþ‹Fþ=
+ ƒÄ‹F@@‰F1ÀPÿvÿvè~
+ ƒÄ‹F@‰F1ÀPÿvÿvèh
+ ƒÄ‹F@‰F1ÀPÿvÿvèR
+ ƒÄ‹F@‰F1ÀPÿvÿvè<
+ ƒÄ‹F@‰FŠF$„À„p¸I
+ ƒÄ‹F@‰F¸J
+ ƒÄ‹F@@‰F¸L
+ ƒù
+ ƒù
+ ‰Æüó¤^_YX]ÃU‰åPQWV‹Nƒù
+ ‰Æüó¥^_YX]ÃU‰åS‹FŽØ‹^Š[]ÃU‰åS‹FŽØ‹^‹[]ÃU‰åPS‹FŽØ‹^ŠFˆ[X]ÃU‰åPS‹FŽØ‹^‹F‰[X]ÃU‰åR‹VìZ]ÃU‰åR‹VíZ]ÃU‰åPR‹VŠFîZX]ÃU‰åPR‹V‹FïZX]ÃŒÐÃU‰åƒÄì^‰^öèîÿ‰Fô1À‰Fü1À‰FúéŠFÿ<%u¸
+ ²è
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ € 
+ 
+ ۈ 
+ 
+ 
 -
++
++
++
+ 
+ 
+ 
+ 
+ x-
+ 
+ @}
+ @¼
+ @ ú
+ 
+ 
+ 
+ 
+ 
 -€û
 -Š†þý<VuŠ†ÿý<BuŠ†
++€û
++Š†þý<VuŠ†ÿý<BuŠ†
+ þ0Àˆ†þ‹F‰†þ‹F"
 -
 -ë¸
 -‹žðýŠG0ä1ÛSP‹žðý‹G1ÛSP‹žðý‹G1ۍ¾èýèBþƒÄ¾ìýè8þƒÄ1À‰†òýèWû‹žðý;GrMèmû‹žðýPŠG0ä;†îý¦ðýw6‹†òý;†þw,‹žðýÿ7‹F†ôýPÿvèMæƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
 -‹†øþ…Àt°ˆ†ÿ¸­PèÚæDD‰†öþ‹†öþ…Àt‹†öþ1Û“1À‰†$ÿ‰ž&ÿŠ†þþ$„Àt1À»
 -ÿ»[‘‰žÿ¸O
 -ÿvèFäƒÄ
 -ÿvþÿvÿvüèÕäƒÄ‰ì]ÃU‰åLLèå‰FþƒÄø‹F%
 -Fö0äPèñøDDèçùÿv¸º
 -ÿvèdԃĉFúŠF$„Àtÿvúÿv
 -èÅýƒÄëTÿvÿvþèåàƒÄ‰Fúÿvúÿv
 -ÿvèöكĉFúŠF$„Àtÿvúÿv
 -èþƒÄë¸
 -õ0ÿˆãè?ö‰ÁÛuÁè³÷ã‰Ãè;ö‰Â¸O
 -€ÿu
 
++
++ë¸
++‹žðýŠG0ä1ÛSP‹žðý‹G1ÛSP‹žðý‹G1ۍ¾èýèFþƒÄ¾ìýè<þƒÄ1À‰†òýè[û‹žðý;GrMèqû‹žðýPŠG0ä;†îý¦ðýw6‹†òý;†þw,‹žðýÿ7‹F†ôýPÿvè…åƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
++‹†øþ…Àt°ˆ†ÿ¸­PèæDD‰†öþ‹†öþ…Àt‹†öþ1Û“1À‰†$ÿ‰ž&ÿŠ†þþ$„Àt1À»
++ÿ»'’‰žÿ¸O
++ÿvè~ãƒÄ
++ÿvþÿvÿvüè
äƒÄ‰ì]ÃU‰åLLèLä‰FþƒÄø‹F%
++Fö0äPèõøDDèëùÿv¸º
++ÿvèœÓƒÄ‰FúŠF$„Àtÿvúÿv
++èÅýƒÄëTÿvÿvþèàƒÄ‰Fúÿvúÿv
++ÿvè.كĉFúŠF$„Àtÿvúÿv
++èþƒÄë¸
++€ÿu
 
diff --cc pc-bios/vgabios.bin
index c38c62a,892a2b5..d04033e
--- a/pc-bios/vgabios.bin
+++ b/pc-bios/vgabios.bin
@@@ -1,4 -1,4 +1,4 @@@
- UªNé
 -UªOé
++UªOé
  
  
  
@@@ -6,9 -6,8 +6,8 @@@
  
 . http://bochs.sourceforge.net
  
 . http://www.nongnu.org/vgabios
  
- 
- jëv€û2uè"jël€û3uè6jëb€û4uOèPjëX=tE€üuè8`ëI€üOu6<uè–ë;<uèã˜ë2<uè™ë)<uèK™ë <uèp™ë<
- u蟙ë`»
 -
 -uè.šë`»
++
++uèúšë`»
  ÿ
  ÿP
  
A
@@@ -17,40 -16,39 +16,39 @@@
  
  
  
- 






- 
- é 
- ëVëT,
- _Ā
+ 






+ 
+ é 
 -ëVëT,
++ëVëT,
  ëC¸
- w!0äÑà‰Ã.ÿ§è:g:z::Í:¤:Í:Í:Í:Í:½:Å:ëÍë¸
 -w!0äÑà‰Ã.ÿ§è:g:z::Í:¤:Í:Í:Í:Í:½:Å:ëÍë¸
++w!0äÑà‰Ã.ÿ§è:g:z::Í:¤:Í:Í:Í:Í:½:Å:ëÍë¸
  ‰^úë*»Ñ
- ‰^úë"»‘‰^úë»Q‰^úëë,
- 0äP‹Fê@PèÑ<ƒÄ‹Fö@‰Fö‹Fö=
- 
- 0äPŠF0ä‰ÃŠFû0ä‰Ù÷éFþP¸
- ŠFû@ˆFûŠFû:Frµ¸
- 0䓉Ù÷éF€Ô
- 0ä‰ÃŠFý0ä‰Ù÷éFþP¸
- 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éP‹Fþ
+ ‰^úë"»‘‰^úë»Q‰^úëë,
+ 0äP‹Fê@Pè*=ƒÄ‹Fö@‰Fö‹Fö=
+ 
+ 0äPŠF0ä‰ÃŠFû0ä‰Ù÷éFþP¸
+ ŠFû@ˆFûŠFû:Frµ¸
+ 0䓉Ù÷éF€Ô
+ 0ä‰ÃŠFý0ä‰Ù÷éFþP¸
+ 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éP‹Fþ
  ëBŠF
- 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éFþP¸
+ 0äPŠFû0äÑè‰ÃŠF0䓉Ù÷éFþP¸
  ŠFû@ˆFûŠFû:F‚Nÿ‰ì]ÃU‰åƒÄüŠF0ä‰ÃŠF0ä‰Ù÷é‰ÃŠF
  0䓉Ù÷éÑèF€Ô
- 0䓉Ù÷éP‹Fþ
- 0䓉Ù÷éFþP¸
- :Fv‰ì]øI
+ 0䓉Ù÷éP‹Fþ
+ 0䓉Ù÷éFþP¸
+ :Fv‰ì]øI
  ۆ
- „ÀuY‹FöHPŠF0ä;FðfòuG‹FøHPŠF0ä;Fðfòu5‹Fö‹Nø÷éPŠF0ä¹
- €Ô
+ „ÀuY‹FöHPŠF0ä;FðfòuG‹FøHPŠF0ä;Fðfòu5‹Fö‹Nø÷éPŠF0ä¹
+ €Ô
  €Ô
- €Ô
+ €Ô
  ‹Fô@‰FôŠF0ä;Fôƒ2ÿéÞ
- €Ô
+ €Ô
  €Ô
- €Ô
+ €Ô
  ŠF0ä;Fôsë‹FôH‰FôŠF0ä;Fô†-ÿéÕŠFþ0ä‰ÃŠ‡}0ä±Óà‰ÃÃ‘ŠGˆFýŠFþ0ä±Óà‰ÃÃýŠGé‘ŠF„À…‰
- „Àuy‹FöHPŠF0ä;Fðfòug‹FøHPŠF0ä;FðfòuU¸P¸ÎPè /ƒÄ‹Fö‹Nø÷é‰ÃŠFý0䓉Ù÷éPŠF0äP1ÀPŠFþ0ä±Óà‰ÃÃýÿwèÄ-ƒÄ¸
+ „Àuy‹FöHPŠF0ä;Fðfòug‹FøHPŠF0ä;FðfòuU¸P¸ÎPèy/ƒÄ‹Fö‹Nø÷é‰ÃŠFý0䓉Ù÷éPŠF0äP1ÀPŠFþ0ä±Óà‰ÃÃýÿwè.ƒÄ¸
  0äPèkùƒÄë(ŠFý0äPÿvøŠFû0äPÿvô‹FôF€Ô
  0äPèøƒÄ‹Fô@‰FôŠF0ä;FôsƒéŽ
  0äPèèøƒÄë(ŠFý0äPÿvøŠFû0äP‹Fô*F€Ü
@@@ -153,20 -150,20 +152,20 @@@ x-
  
  
  
- 
- €û
- éc¢U‰åLLè>è‰FþÄøý1À‰†öýLL¸"
- Š†þý<VuŠ†ÿý<BuŠ†
- þ0Àˆ†þ‹F‰†þ‹F"
- ë¸
- èÄû‹žòý;GrCèÚû‹žòýPŠG0ä;†ðý¦òýw,‹žòýÿ7‹F†ôýPÿvè]æƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
- ‹†øþ…Àt°ˆ†ÿŠ†þþ$„Àt1À»
- ÿ»I‘‰žÿ¸O
- ÿvè€äƒÄ
- ÿvþÿvÿvüèåƒÄ‰ì]ÃU‰åLLèNå‰FþƒÄø‹F%
- Fö0äPè’ùDDèˆúÿv¸º
- ÿvèžÔƒÄ‰FúŠF$„Àtÿvúÿv
- èÅýƒÄëTÿvÿvþèáƒÄ‰Fúÿvúÿv
- ÿvè0ڃĉFúŠF$„Àtÿvúÿv
- èþƒÄë¸
- €ÿu
 
+ 
 -€û
 -Š†þý<VuŠ†ÿý<BuŠ†
++€û
++Š†þý<VuŠ†ÿý<BuŠ†
+ þ0Àˆ†þ‹F‰†þ‹F"
 -
 -ë¸
 -‹žðýŠG0ä1ÛSP‹žðý‹G1ÛSP‹žðý‹G1ۍ¾èýèFþƒÄ¾ìýè<þƒÄ1À‰†òýè[û‹žðý;GrMèqû‹žðýPŠG0ä;†îý¦ðýw6‹†òý;†þw,‹žðýÿ7‹F†ôýPÿvèQæƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
 -‹†øþ…Àt°ˆ†ÿ¸4PèÞæDD‰†öþ‹†öþ…Àt‹†öþ1Û“1À‰†$ÿ‰ž&ÿŠ†þþ$„Àt1À»
 -ÿ»;‘‰žÿ¸O
 -ÿvèJäƒÄ
 -ÿvþÿvÿvüèÙäƒÄ‰ì]ÃU‰åLLèå‰FþƒÄø‹F%
 -Fö0äPèõøDDèëùÿv¸º
 -ÿvèhԃĉFúŠF$„Àtÿvúÿv
 -èÅýƒÄëTÿvÿvþèéàƒÄ‰Fúÿvúÿv
 -ÿvèúكĉFúŠF$„Àtÿvúÿv
 -èþƒÄë¸
 -€ÿu
 
++
++ë¸
++‹žðýŠG0ä1ÛSP‹žðý‹G1ÛSP‹žðý‹G1ۍ¾èýèFþƒÄ¾ìýè<þƒÄ1À‰†òýè[û‹žðý;GrMèqû‹žðýPŠG0ä;†îý¦ðýw6‹†òý;†þw,‹žðýÿ7‹F†ôýPÿvè…åƒÄ‹†öý@‰†öý‹†ôý@@‰†ôýë
++‹†øþ…Àt°ˆ†ÿ¸4PèæDD‰†öþ‹†öþ…Àt‹†öþ1Û“1À‰†$ÿ‰ž&ÿŠ†þþ$„Àt1À»
++ÿ»’‰žÿ¸O
++ÿvè~ãƒÄ
++ÿvþÿvÿvüè
äƒÄ‰ì]ÃU‰åLLèLä‰FþƒÄø‹F%
++Fö0äPèõøDDèëùÿv¸º
++ÿvèœÓƒÄ‰FúŠF$„Àtÿvúÿv
++èÅýƒÄëTÿvÿvþèàƒÄ‰Fúÿvúÿv
++ÿvè.كĉFúŠF$„Àtÿvúÿv
++èþƒÄë¸
++€ÿu
 
commit 393f398b69f9baadc3f29d822a0b5b74ca63b919
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Nov 22 14:57:58 2010 -0800

    tcg-ia64: Fix warning in qemu_ld.
    
    The usermode version of qemu_ld doesn't used mem_index,
    leading to set-but-not-used warnings.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index 57d0bcc..3ddf434 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -1658,11 +1658,10 @@ static inline void tcg_out_qemu_ld(TCGContext *s, const TCGArg *args, int opc)
     static uint64_t const opc_sxt_i29[4] = {
         OPC_SXT1_I29, OPC_SXT2_I29, OPC_SXT4_I29, 0
     };
-    int addr_reg, data_reg, mem_index, s_bits, bswap;
+    int addr_reg, data_reg, s_bits, bswap;
 
     data_reg = *args++;
     addr_reg = *args++;
-    mem_index = *args;
     s_bits = opc & 3;
 
 #ifdef TARGET_WORDS_BIGENDIAN
commit 07f59737d8350fda70171bb7c23d18512d9c038a
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Nov 22 14:57:57 2010 -0800

    tcg-ia64: Fix address compilation in qemu_st.
    
    A typo in the usermode address calculation path; R3 used where R2 needed.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index da81f1b..57d0bcc 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -1818,7 +1818,7 @@ static inline void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, int opc)
         tcg_out_bundle(s, miI,
                        tcg_opc_m48(TCG_REG_P0, OPC_NOP_M48, 0),
                        tcg_opc_i29(TCG_REG_P0, OPC_ZXT4_I29,
-                                   TCG_REG_R3, addr_reg),
+                                   TCG_REG_R2, addr_reg),
                        tcg_opc_i18(TCG_REG_P0, OPC_NOP_I18, 0));
     }
 
commit 650a217a652a940c164d5a38cedc4d6671da88ce
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Nov 22 14:57:56 2010 -0800

    tcg-ia64: Fix tlb read error for 32-bit targets.
    
    Use ld4 not ld8 for reading the tlb of 32-bit targets.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index 62f0804..da81f1b 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -1459,7 +1459,9 @@ static inline void tcg_out_qemu_tlb(TCGContext *s, TCGArg addr_reg,
                    tcg_opc_a1 (TCG_REG_P0, OPC_ADD_A1, TCG_REG_R2,
                                TCG_REG_R2, TCG_AREG0));
     tcg_out_bundle(s, mII,
-                   tcg_opc_m3 (TCG_REG_P0, OPC_LD8_M3, TCG_REG_R57,
+                   tcg_opc_m3 (TCG_REG_P0,
+                               (TARGET_LONG_BITS == 32
+                                ? OPC_LD4_M3 : OPC_LD8_M3), TCG_REG_R57,
                                TCG_REG_R2, offset_addend - offset_rw),
                    tcg_opc_a1 (TCG_REG_P0, OPC_AND_A1, TCG_REG_R3,
                                TCG_REG_R3, TCG_REG_R56),
commit b3b0091f07e1c25ba795b3df3ee3c169285f852d
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Nov 22 14:57:55 2010 -0800

    tcg-ia64: Implement qemu_ld32.
    
    The port was not properly merged following
    86feb1c860dc38e9c89e787c5210e8191800385e
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index 80c6950..62f0804 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -2124,6 +2124,7 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
     case INDEX_op_qemu_ld16s:
         tcg_out_qemu_ld(s, args, 1 | 4);
         break;
+    case INDEX_op_qemu_ld32:
     case INDEX_op_qemu_ld32u:
         tcg_out_qemu_ld(s, args, 2);
         break;
commit 255108c0e3c78bc437789a3626e53079ef322a4e
Author: Richard Henderson <rth at twiddle.net>
Date:   Mon Nov 22 14:57:54 2010 -0800

    tcg-ia64: Provide default GUEST_BASE.
    
    Fix compilation error when GUEST_BASE is not defined.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/tcg/ia64/tcg-target.c b/tcg/ia64/tcg-target.c
index a0f3877..80c6950 100644
--- a/tcg/ia64/tcg-target.c
+++ b/tcg/ia64/tcg-target.c
@@ -45,6 +45,9 @@ static const char * const tcg_target_reg_names[TCG_TARGET_NB_REGS] = {
 #else
 #define TCG_GUEST_BASE_REG TCG_REG_R0
 #endif
+#ifndef GUEST_BASE
+#define GUEST_BASE 0
+#endif
 
 /* Branch registers */
 enum {
commit 0909cbde9a1d42be9ab81f4f7e7d89c358212fd1
Author: Richard Henderson <rth at redhat.com>
Date:   Mon Nov 22 14:57:53 2010 -0800

    tcg: Fix default definition of divu_i32 and remu_i32.
    
    The arguments to tcg_gen_helper32 for these functions were not
    updated correctly in rev 2bece2c88331f024a46527634e3dd91c71d22141.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/tcg/tcg-op.h b/tcg/tcg-op.h
index c68927e..3ee0a58 100644
--- a/tcg/tcg-op.h
+++ b/tcg/tcg-op.h
@@ -727,7 +727,7 @@ static inline void tcg_gen_divu_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
     sizemask |= tcg_gen_sizemask(1, 0, 0);
     sizemask |= tcg_gen_sizemask(2, 0, 0);
 
-    tcg_gen_helper32(tcg_helper_divu_i32, ret, arg1, arg2, 0);
+    tcg_gen_helper32(tcg_helper_divu_i32, sizemask, ret, arg1, arg2);
 }
 
 static inline void tcg_gen_remu_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
@@ -738,7 +738,7 @@ static inline void tcg_gen_remu_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
     sizemask |= tcg_gen_sizemask(1, 0, 0);
     sizemask |= tcg_gen_sizemask(2, 0, 0);
 
-    tcg_gen_helper32(tcg_helper_remu_i32, ret, arg1, arg2, 0);
+    tcg_gen_helper32(tcg_helper_remu_i32, sizemask, ret, arg1, arg2);
 }
 #endif
 
commit c924f36a300cbc54d3cb511116e8e2bae17f5ae6
Merge: 1abeb5a... 09fa35e...
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Dec 1 07:11:51 2010 +0200

    Merge remote branch 'origin/master' into pci
    
    Conflicts:
    	Makefile.objs
    	hw/virtio.c

diff --cc Makefile
index 2883d27,d3bc0f2..c80566c
--- a/Makefile
+++ b/Makefile
@@@ -178,9 -204,11 +204,10 @@@ ar      de     en-us  fi  fr-be  h
  common  de-ch  es     fo  fr-ca  hu     ja  mk  nl-be      pt  sl     tr
  
  ifdef INSTALL_BLOBS
- BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin ppc_rom.bin \
- openbios-sparc32 openbios-sparc64 openbios-ppc \
+ BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin \
+ vgabios-stdvga.bin vgabios-vmware.bin \
+ ppc_rom.bin openbios-sparc32 openbios-sparc64 openbios-ppc \
  gpxe-eepro100-80861209.rom \
 -gpxe-eepro100-80861229.rom \
  pxe-e1000.bin \
  pxe-ne2k_pci.bin pxe-pcnet.bin \
  pxe-rtl8139.bin pxe-virtio.bin \
diff --cc Makefile.objs
index c5919af,13ba26f..257623b
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -205,15 -215,15 +215,16 @@@ hw-obj-$(CONFIG_PPCE500_PCI) += ppce500
  hw-obj-$(CONFIG_PIIX4) += piix4.o
  
  # PCI watchdog devices
- hw-obj-y += wdt_i6300esb.o
+ hw-obj-$(CONFIG_PCI) += wdt_i6300esb.o
  
- hw-obj-y += pcie.o pcie_aer.o pcie_port.o
- hw-obj-y += msix.o msi.o
 -hw-obj-$(CONFIG_PCI) += pcie.o pcie_port.o
++hw-obj-$(CONFIG_PCI) += pcie.o pcie_aer.o pcie_port.o
++hw-obj-$(CONFIG_PCI) += msix.o msi.o
  
  # PCI network cards
- hw-obj-y += ne2000.o
- hw-obj-y += eepro100.o
- hw-obj-y += pcnet.o
+ hw-obj-$(CONFIG_NE2000_PCI) += ne2000.o
+ hw-obj-$(CONFIG_EEPRO100_PCI) += eepro100.o
+ hw-obj-$(CONFIG_PCNET_PCI) += pcnet-pci.o
+ hw-obj-$(CONFIG_PCNET_COMMON) += pcnet.o
  
  hw-obj-$(CONFIG_SMC91C111) += smc91c111.o
  hw-obj-$(CONFIG_LAN9118) += lan9118.o
commit 09fa35e5cdc7d17ed3e1528ca743893ae77a0ea2
Merge: 9233da7... b76876e...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Nov 30 15:25:34 2010 -0600

    Merge remote branch 'kwolf/for-anthony' into staging

commit 9233da785f55c924c5850cd1ce1b7f5f200d631b
Merge: fd5d5c5... a6f9dd0...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Nov 30 15:24:26 2010 -0600

    Merge remote branch 'qmp/for-anthony' into staging

commit fd5d5c566af040be15f2cae1b14a47919974453d
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Thu Sep 9 14:51:31 2010 -0500

    Use a Linux-style MAINTAINERS file
    
    I make no claims that this is accurate or exhaustive but I think it's a
    reasonable place to start.
    
    As the file mentions, the purpose of this file is to give contributors
    information about who they can go to with questions about a particular piece of
    code or who they can ask for review.
    
    If you sign up for a piece of code and indicate that it's Maintained or
    Supported, please be prepared to be responsive to questions about that
    subsystem.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    ---
    
    v1 -> v2
     - Sort alphabetically
     - Copy in instructions from linux MAINTAINERS
     - Fix entries based on review feedback

diff --git a/MAINTAINERS b/MAINTAINERS
index e5165fb..59effc7 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1,88 +1,428 @@
 QEMU Maintainers
 ================
 
-Project leaders:
-----------------
+The intention of this file is not to establish who owns what portions of the
+code base, but to provide a set of names that developers can consult when they
+have a question about a particular subset and also to provide a set of names
+to be CC'd when submitting a patch to obtain appropriate review.
 
-Fabrice Bellard
-Paul Brook
+In general, if you have a question about inclusion of a patch, you should
+consult qemu-devel and not any specific individual privately.
 
-CPU cores:
-----------
+Descriptions of section entries:
+
+	M: Mail patches to: FullName <address at domain>
+	L: Mailing list that is relevant to this area
+	W: Web-page with status/info
+	Q: Patchwork web based patch tracking system site
+	T: SCM tree type and location.  Type is one of: git, hg, quilt, stgit.
+	S: Status, one of the following:
+	   Supported:	Someone is actually paid to look after this.
+	   Maintained:	Someone actually looks after it.
+	   Odd Fixes:	It has a maintainer but they don't have time to do
+			much other than throw the odd patch in. See below..
+	   Orphan:	No current maintainer [but maybe you could take the
+			role as you write your new code].
+	   Obsolete:	Old code. Something tagged obsolete generally means
+			it has been replaced by a better system and you
+			should be using that.
+	F: Files and directories with wildcard patterns.
+	   A trailing slash includes all files and subdirectory files.
+	   F:	drivers/net/	all files in and below drivers/net
+	   F:	drivers/net/*	all files in drivers/net, but not below
+	   F:	*/net/*		all files in "any top level directory"/net
+	   One pattern per line.  Multiple F: lines acceptable.
+	X: Files and directories that are NOT maintained, same rules as F:
+	   Files exclusions are tested before file matches.
+	   Can be useful for excluding a specific subdirectory, for instance:
+	   F:	net/
+	   X:	net/ipv6/
+	   matches all files in and below net excluding net/ipv6/
+	K: Keyword perl extended regex pattern to match content in a
+	   patch or file.  For instance:
+	   K: of_get_profile
+	      matches patches or files that contain "of_get_profile"
+	   K: \b(printk|pr_(info|err))\b
+	      matches patches or files that contain one or more of the words
+	      printk, pr_info or pr_err
+	   One regex pattern per line.  Multiple K: lines acceptable.
+
+
+General Project Administration
+------------------------------
+M: Anthony Liguori <aliguori at us.ibm.com>
+M: Paul Brook <paul at codesourcery.com>
+
+Guest CPU cores (TCG):
+----------------------
+Alpha
+M: qemu-devel at nongnu.org
+S: Orphan
+F: target-alpha/
 
-x86                Fabrice Bellard
-ARM                Paul Brook
-SPARC              Blue Swirl
-MIPS               ?
-PowerPC            Alexander Graf
-M68K               Paul Brook
-SH4                ?
-CRIS               Edgar E. Iglesias
-Alpha              ?
-MicroBlaze         Edgar E. Iglesias
-S390               ?
-
-Machines (sorted by CPU):
--------------------------
-
-x86
-  pc.c                    Fabrice Bellard (new maintainer needed)
 ARM
-  integratorcp.c          Paul Brook
-  versatilepb.c           Paul Brook
-  Real View               Paul Brook
-  spitz.c                 Andrzej Zaborowski
-  palm.c                  Andrzej Zaborowski
-  nseries.c               Andrzej Zaborowski
-  stellaris.c             Paul Brook
-  gumstix.c               Thorsten Zitterell
-  mainstone.c             Armin Kuster
-  musicpal.c              Jan Kiszka
-SPARC
-  sun4u.c                 Blue Swirl
-  sun4m.c                 Blue Swirl
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: target-arm/
+
+CRIS
+M: Edgar E. Iglesias <edgar.iglesias at gmail.com>
+S: Maintained
+F: target-cris/
+
+M68K
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: target-m68k/
+
+MicroBlaze
+M: Edgar E. Iglesias <edgar.iglesias at gmail.com>
+S: Maintained
+F: target-microblaze/
+
 MIPS
-  mips_r4k.c              Aurelien Jarno
-  mips_malta.c            Aurelien Jarno
-  mips_jazz.c             Hervé Poussineau
-  mips_mipssim.c          ?
+M: qemu-devel at nongnu.org
+S: Orphan
+F: target-mips/
+
 PowerPC
-  ppc_prep.c              ?
-  ppc_oldworld.c          Alexander Graf
-  ppc_newworld.c          Alexander Graf
-  ppc405_boards.c         Alexander Graf
-M86K
-  mcf5208.c               Paul Brook
-  an5206.c                Paul Brook
-  dummy_m68k.c            Paul Brook
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: target-ppc/
+
+S390
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: target-s390x/
+
 SH4
-  shix.c                  ?
-  r2d.c                   Magnus Damm
-CRIS
-  etraxfs.c               Edgar E. Iglesias
-  axis_dev88.c            Edgar E. Iglesias
-Alpha
-MicroBlaze
-  petalogix_s3adsp1800.c  Edgar E. Iglesias
+M: qemu-devel at nongnu.org
+S: Orphan
+F: target-sh4/
+
+SPARC
+M: Blue Swirl <blauwirbel at gmail.com>
+S: Maintained
+F: target-sparc/
+
+X86
+M: qemu-devel at nongnu.org
+S: Odd Fixes
+F: target-i386/
+
+Guest CPU Cores (KVM):
+----------------------
+
+Overall
+M: Avi Kivity <avi at redhat.com>
+M: Marcelo Tosatti <mtosatti at redhat.com>
+L: kvm at vger.kernel.org
+S: Supported
+F: kvm-*
+F: */kvm.*
+
+PPC
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: target-ppc/kvm.c
+
 S390
-  s390-*.c                Alexander Graf
-
-Generic Subsystems:
--------------------  
-
-Dynamic translator        Fabrice Bellard
-Main loop                 Fabrice Bellard (new maintainer needed)
-TCG                       Fabrice Bellard
-IDE device                ?
-SCSI device               Paul Brook
-PCI layer                 Michael S. Tsirkin
-USB layer                 ?
-Block layer               ?
-Graphic layer             ?
-Audio device layer        Vassili Karpov (malc)
-Character device layer    ?
-Network device layer      ?
-GDB stub                  ?
-Linux user                ?
-Darwin user               ?
-SLIRP                     ?
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: target-s390x/kvm.c
+
+X86
+M: Avi Kivity <avi at redhat.com>
+M: Marcelo Tosatti <mtosatti at redhat.com>
+L: kvm at vger.kernel.org
+S: Supported
+F: target-i386/kvm.c
+
+ARM Machines
+------------
+Gumstix
+M: qemu-devel at nongnu.org
+S: Orphan
+F: hw/gumstix.c
+
+Integrator CP
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/integratorcp.c
+
+Mainstone
+M: qemu-devel at nongnu.org
+S: Orphan
+F: hw/mainstone.c
+
+Musicpal
+M: Jan Kiszka <jan.kiszka at web.de>
+S: Maintained
+F: hw/musicpal.c
+
+nSeries
+M: Andrzej Zaborowski <balrogg at gmail.com>
+S: Maintained
+F: hw/nseries.c
+
+Palm
+M: Andrzej Zaborowski <balrogg at gmail.com>
+S: Maintained
+F: hw/palm.c
+
+Real View
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/realview*
+
+Spitz
+M: Andrzej Zaborowski <balrogg at gmail.com>
+S: Maintained
+F: hw/spitz.c
+
+Stellaris
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/stellaris.c
+
+Versatile PB
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/versatilepb.c
+
+CRIS Machines
+-------------
+Axis Dev88
+M: Edgar E. Iglesias <edgar.iglesias at gmail.com>
+S: Maintained
+F: hw/axis_dev88.c
+
+etraxfs
+M: Edgar E. Iglesias <edgar.iglesias at gmail.com>
+S: Maintained
+F: hw/etraxfs.c
+
+M86K Machines
+-------------
+an5206
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/an5206.c
+
+dummy_m68k
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/dummy_m68k.c
+
+mcf5208
+M: Paul Brook <paul at codesourcery.com>
+S: Maintained
+F: hw/mcf5208.c
+
+MicroBlaze Machines
+-------------------
+petalogix_s3adsp1800
+M: Edgar E. Iglesias <edgar.iglesias at gmail.com>
+S: Maintained
+F: hw/petalogix_s3adsp1800.c
+
+MIPS Machines
+-------------
+Jazz
+M: Hervé Poussineau <hpoussin at reactos.org>
+S: Maintained
+F: hw/mips_jazz.c
+
+Malta
+M: Aurelien Jarno <aurelien at aurel32.net>
+S: Maintained
+F: hw/mips_malta.c
+
+Mipssim
+M: qemu-devel at nongnu.org
+S: Orphan
+F: hw/mips_mipssim.c
+
+R4000
+M: Aurelien Jarno <aurelien at aurel32.net>
+S: Maintained
+F: hw/mips_r4k.c
+
+PowerPC Machines
+----------------
+405
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: hw/ppc405_boards.c
+
+New World
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: hw/ppc_newworld.c
+
+Old World
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: hw/ppc_oldworld.c
+
+Prep
+M: qemu-devel at nongnu.org
+S: Orphan
+F: hw/ppc_prep.c
+
+SH4 Machines
+------------
+R2D
+M: Magnus Damm <magnus.damm at gmail.com>
+S: Maintained
+F: hw/r2d.c
+
+Shix
+M: Magnus Damm <magnus.damm at gmail.com>
+S: Oprhan
+F: hw/shix.c
+
+SPARC Machines
+--------------
+Sun4m
+M: Blue Swirl <blauwirbel at gmail.com>
+S: Maintained
+F: hw/sun4m.c
+
+Sun4u
+M: Blue Swirl <blauwirbel at gmail.com>
+S: Maintained
+F: hw/sun4u.c
+
+S390 Machines
+-------------
+S390 Virtio
+M: Alexander Graf <agraf at suse.de>
+S: Maintained
+F: hw/s390-*.c
+
+X86 Machines
+------------
+PC
+M: Anthony Liguori <aliguori at us.ibm.com>
+S: Supported
+F: hw/pc.[ch] hw/pc_piix.c
+
+Devices
+-------
+IDE
+M: Kevin Wolf <kwolf at redhat.com>
+S: Odd Fixes
+F: hw/ide/
+
+PCI
+M: Michael S. Tsirkin <mst at redhat.com>
+S: Supported
+F: hw/pci*
+F: hw/piix*
+
+SCSI
+M: Paul Brook <paul at codesourcery.com>
+M: Kevin Wolf <kwolf at redhat.com>
+S: Odd Fixes
+F: hw/lsi53c895a.c
+F: hw/scsi*
+
+USB
+M: qemu-devel at nongnu.org
+S: Odd Fixes
+F: hw/usb*
+
+vhost
+M: Michael S. Tsirkin <mst at redhat.com>
+S: Supported
+F: hw/vhost*
+
+virtio
+M: Anthony Liguori <aliguori at us.ibm.com>
+S: Supported
+F: hw/virtio*
+
+virtio-9p
+M: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
+S: Supported
+F: hw/virtio-9p*
+
+virtio-blk
+M: Kevin Wolf <kwolf at redhat.com>
+S: Supported
+F: hw/virtio-blk*
+
+virtio-serial
+M: Amit Shah <amit.shah at redhat.com>
+S: Supported
+F: hw/virtio-serial*
+F: hw/virtio-console*
+
+Subsystems
+----------
+Audio
+M: Vassili Karpov (malc) <av1474 at comtv.ru>
+S: Maintained
+F: audio/
+
+Block
+M: Kevin Wolf <kwolf at redhat.com>
+S: Supported
+F: block*
+F: block/
+
+Character Devices
+M: Anthony Liguori <aliguori at us.ibm.com>
+S: Maintained
+F: qemu-char.c
+
+GDB stub
+M: qemu-devel at nongnu.org
+S: Odd Fixes
+F: gdbstub*
+F: gdb-xml/
+
+Graphics
+M: Anthony Liguori <aliguori at us.ibm.com>
+S: Maintained
+F: ui/
+
+Main loop
+M: Anthony Liguori <aliguori at us.ibm.com>
+S: Supported
+F: vl.c
+
+Monitor (QMP/HMP)
+M: Luiz Capitulino <lcapitulino at redhat.com>
+M: Markus Armbruster <armbru at redhat.com>
+S: Supported
+F: monitor.c
+
+Network device layer
+M: Anthony Liguori <aliguori at us.ibm.com>
+M: Mark McLoughlin <markmc at redhat.com>
+S: Maintained
+F: net/
+
+SLIRP
+M: qemu-devel at nongnu.org
+S: Orphan
+F: slirp/
+
+Usermode Emulation
+------------------
+BSD user
+M: Blue Swirl <blauwirbel at gmail.com>
+S: Maintained
+F: bsd-user/
+
+Darwin user
+M: qemu-devel at nongnu.org
+S: Orphan
+F: darwin-user/
+
+Linux user
+M: Riku Voipio <riku.voipio at iki.fi>
+S: Maintained
+F: linux-user/
commit bdce0cb95bc07c2d0585210a4fe42f3c9c437a6b
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:20:56 2010 -0700

    device-assignment: Make use of config_map
    
    We can figure out the capability being touched much more quickly
    and efficiently with the config_map.  Use it.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 970ffa1..832c236 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1254,28 +1254,34 @@ static void assigned_dev_update_msix(PCIDevice *pci_dev, unsigned int ctrl_pos)
 static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev, uint32_t address,
                                                  uint32_t val, int len)
 {
-    AssignedDevice *assigned_dev = container_of(pci_dev, AssignedDevice, dev);
+    uint8_t cap_id = pci_dev->config_map[address];
 
     pci_default_write_config(pci_dev, address, val, len);
+    switch (cap_id) {
 #ifdef KVM_CAP_IRQ_ROUTING
+    case PCI_CAP_ID_MSI:
 #ifdef KVM_CAP_DEVICE_MSI
-    if (assigned_dev->cap.available & ASSIGNED_DEVICE_CAP_MSI) {
-        int pos = pci_find_capability(pci_dev, PCI_CAP_ID_MSI);
-        if (ranges_overlap(address, len, pos + PCI_MSI_FLAGS, 1)) {
-            assigned_dev_update_msi(pci_dev, pos + PCI_MSI_FLAGS);
+        {
+            uint8_t cap = pci_find_capability(pci_dev, cap_id);
+            if (ranges_overlap(address - cap, len, PCI_MSI_FLAGS, 1)) {
+                assigned_dev_update_msi(pci_dev, cap + PCI_MSI_FLAGS);
+            }
         }
-    }
 #endif
+        break;
+
+    case PCI_CAP_ID_MSIX:
 #ifdef KVM_CAP_DEVICE_MSIX
-    if (assigned_dev->cap.available & ASSIGNED_DEVICE_CAP_MSIX) {
-        int pos = pci_find_capability(pci_dev, PCI_CAP_ID_MSIX);
-        if (ranges_overlap(address, len, pos + PCI_MSIX_FLAGS + 1, 1)) {
-            assigned_dev_update_msix(pci_dev, pos + PCI_MSIX_FLAGS);
-	}
-    }
+        {
+            uint8_t cap = pci_find_capability(pci_dev, cap_id);
+            if (ranges_overlap(address - cap, len, PCI_MSIX_FLAGS + 1, 1)) {
+                assigned_dev_update_msix(pci_dev, cap + PCI_MSIX_FLAGS);
+            }
+        }
 #endif
+        break;
 #endif
-    return;
+    }
 }
 
 static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
commit fb9b69f921d10213992b12dede53440039d3d820
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:20:39 2010 -0700

    pci: Remove capability specific handlers
    
    Drivers can break these out on their own if they need to.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 6314773..970ffa1 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -63,6 +63,10 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev);
 
 static void assigned_dev_unregister_msix_mmio(AssignedDevice *dev);
 
+static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev,
+                                                 uint32_t address,
+                                                 uint32_t val, int len);
+
 static uint32_t assigned_dev_ioport_rw(AssignedDevRegion *dev_region,
                                        uint32_t addr, int len, uint32_t *val)
 {
@@ -406,14 +410,17 @@ static void assigned_dev_pci_write_config(PCIDevice *d, uint32_t address,
           ((d->devfn >> 3) & 0x1F), (d->devfn & 0x7),
           (uint16_t) address, val, len);
 
+    if (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
+        return assigned_device_pci_cap_write_config(d, address, val, len);
+    }
+
     if (address == 0x4) {
         pci_default_write_config(d, address, val, len);
         /* Continue to program the card */
     }
 
     if ((address >= 0x10 && address <= 0x24) || address == 0x30 ||
-        address == 0x34 || address == 0x3c || address == 0x3d ||
-        (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address])) {
+        address == 0x34 || address == 0x3c || address == 0x3d) {
         /* used for update-mappings (BAR emulation) */
         pci_default_write_config(d, address, val, len);
         return;
@@ -1249,7 +1256,7 @@ static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev, uint32_t ad
 {
     AssignedDevice *assigned_dev = container_of(pci_dev, AssignedDevice, dev);
 
-    pci_default_cap_write_config(pci_dev, address, val, len);
+    pci_default_write_config(pci_dev, address, val, len);
 #ifdef KVM_CAP_IRQ_ROUTING
 #ifdef KVM_CAP_DEVICE_MSI
     if (assigned_dev->cap.available & ASSIGNED_DEVICE_CAP_MSI) {
@@ -1478,9 +1485,6 @@ static int assigned_initfn(struct PCIDevice *pci_dev)
     dev->h_busnr = dev->host.bus;
     dev->h_devfn = PCI_DEVFN(dev->host.dev, dev->host.func);
 
-    pci_register_capability_handlers(pci_dev, NULL,
-                                     assigned_device_pci_cap_write_config);
-
     if (assigned_device_pci_cap_init(pci_dev) < 0)
         goto out;
 
diff --git a/hw/pci.c b/hw/pci.c
index 1cf62b6..e529793 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -772,8 +772,6 @@ static PCIDevice *do_pci_register_device(PCIDevice *pci_dev, PCIBus *bus,
         config_write = pci_default_write_config;
     pci_dev->config_read = config_read;
     pci_dev->config_write = config_write;
-    pci_dev->cap.config_read = pci_default_cap_read_config;
-    pci_dev->cap.config_write = pci_default_cap_write_config;
     bus->devices[devfn] = pci_dev;
     pci_dev->irq = qemu_allocate_irqs(pci_set_irq, pci_dev, PCI_NUM_PINS);
     pci_dev->version_id = 2; /* Current pci device vmstate version */
@@ -1070,57 +1068,21 @@ static void pci_update_irq_disabled(PCIDevice *d, int was_irq_disabled)
     }
 }
 
-static uint32_t pci_read_config(PCIDevice *d,
-                                uint32_t address, int len)
+uint32_t pci_default_read_config(PCIDevice *d,
+                                 uint32_t address, int len)
 {
     uint32_t val = 0;
-
+    assert(len == 1 || len == 2 || len == 4);
     len = MIN(len, pci_config_size(d) - address);
     memcpy(&val, d->config + address, len);
     return le32_to_cpu(val);
 }
 
-uint32_t pci_default_read_config(PCIDevice *d,
-                                 uint32_t address, int len)
-{
-    assert(len == 1 || len == 2 || len == 4);
-
-    if (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
-        return d->cap.config_read(d, address, len);
-    }
-
-    return pci_read_config(d, address, len);
-}
-
-uint32_t pci_default_cap_read_config(PCIDevice *pci_dev,
-                                     uint32_t address, int len)
-{
-    return pci_read_config(pci_dev, address, len);
-}
-
-void pci_default_cap_write_config(PCIDevice *pci_dev,
-                                  uint32_t address, uint32_t val, int len)
-{
-    uint32_t config_size = pci_config_size(pci_dev);
-    int i;
-
-    for (i = 0; i < len && address + i < config_size; val >>= 8, ++i) {
-        uint8_t wmask = pci_dev->wmask[address + i];
-        pci_dev->config[address + i] =
-            (pci_dev->config[address + i] & ~wmask) | (val & wmask);
-    }
-}
-
 void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
 {
     int i, was_irq_disabled = pci_irq_disabled(d);
     uint32_t config_size = pci_config_size(d);
 
-    if (addr > PCI_CONFIG_HEADER_SIZE && d->config_map[addr]) {
-        d->cap.config_write(d, addr, val, l);
-        return;
-    }
-
     for (i = 0; i < l && addr + i < config_size; val >>= 8, ++i) {
         uint8_t wmask = d->wmask[addr + i];
         uint8_t w1cmask = d->w1cmask[addr + i];
@@ -1750,23 +1712,6 @@ PCIDevice *pci_create_simple_multifunction(PCIBus *bus, int devfn,
     return dev;
 }
 
-void pci_register_capability_handlers(PCIDevice *pdev,
-                                      PCICapConfigReadFunc *config_read,
-                                      PCICapConfigWriteFunc *config_write)
-{
-    if (config_read) {
-        pdev->cap.config_read = config_read;
-    } else {
-        pdev->cap.config_read = pci_default_cap_read_config;
-    }
-
-    if (config_write) {
-        pdev->cap.config_write = config_write;
-    } else {
-        pdev->cap.config_write = pci_default_cap_write_config;
-    }
-}
-
 PCIDevice *pci_create(PCIBus *bus, int devfn, const char *name)
 {
     return pci_create_multifunction(bus, devfn, false, name);
diff --git a/hw/pci.h b/hw/pci.h
index 146f81d..1fe6e49 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -85,11 +85,6 @@ typedef void PCIMapIORegionFunc(PCIDevice *pci_dev, int region_num,
                                 pcibus_t addr, pcibus_t size, int type);
 typedef int PCIUnregisterFunc(PCIDevice *pci_dev);
 
-typedef void PCICapConfigWriteFunc(PCIDevice *pci_dev,
-                                   uint32_t address, uint32_t val, int len);
-typedef uint32_t PCICapConfigReadFunc(PCIDevice *pci_dev,
-                                      uint32_t address, int len);
-
 typedef struct PCIIORegion {
     pcibus_t addr; /* current PCI mapping address. -1 means not mapped */
 #define PCI_BAR_UNMAPPED (~(pcibus_t)0)
@@ -217,12 +212,6 @@ struct PCIDevice {
     struct kvm_msix_message *msix_irq_entries;
 
     msix_mask_notifier_func msix_mask_notifier;
-
-    /* Device capability configuration space */
-    struct {
-        PCICapConfigReadFunc *config_read;
-        PCICapConfigWriteFunc *config_write;
-    } cap;
 };
 
 PCIDevice *pci_register_device(PCIBus *bus, const char *name,
@@ -237,10 +226,6 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
 void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr,
                         pcibus_t size, int type);
 
-void pci_register_capability_handlers(PCIDevice *pci_dev,
-                                      PCICapConfigReadFunc *config_read,
-                                      PCICapConfigWriteFunc *config_write);
-
 int pci_map_irq(PCIDevice *pci_dev, int pin);
 
 int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
@@ -256,10 +241,6 @@ void pci_default_write_config(PCIDevice *d,
                               uint32_t address, uint32_t val, int len);
 void pci_device_save(PCIDevice *s, QEMUFile *f);
 int pci_device_load(PCIDevice *s, QEMUFile *f);
-uint32_t pci_default_cap_read_config(PCIDevice *pci_dev,
-                                     uint32_t address, int len);
-void pci_default_cap_write_config(PCIDevice *pci_dev,
-                                  uint32_t address, uint32_t val, int len);
 typedef void (*pci_set_irq_fn)(void *opaque, int irq_num, int level);
 typedef int (*pci_map_irq_fn)(PCIDevice *pci_dev, int irq_num);
 typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev, int state);
commit a37feb7175532f8fa679e22c501170877befcded
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:20:18 2010 -0700

    device-assignment: Move PCI capabilities to match physical hardware
    
    Now that common PCI code doesn't have a hangup on capabilities
    being contiguous, move assigned device capabilities to match
    their offset on physical hardware.  This helps for drivers that
    assume a capability configuration and don't bother searching.
    
    We can also remove several calls to assigned_dev_pci_read_* because
    we're overlaying the capability at the same location as the initial
    copy we made of config space.  We can therefore just use pci_get_*.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 975d3cb..6314773 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -366,16 +366,6 @@ static uint8_t assigned_dev_pci_read_byte(PCIDevice *d, int pos)
     return (uint8_t)assigned_dev_pci_read(d, pos, 1);
 }
 
-static uint16_t assigned_dev_pci_read_word(PCIDevice *d, int pos)
-{
-    return (uint16_t)assigned_dev_pci_read(d, pos, 2);
-}
-
-static uint32_t assigned_dev_pci_read_long(PCIDevice *d, int pos)
-{
-    return assigned_dev_pci_read(d, pos, 4);
-}
-
 static uint8_t pci_find_cap_offset(PCIDevice *d, uint8_t cap)
 {
     int id;
@@ -1285,6 +1275,7 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 {
     AssignedDevice *dev = container_of(pci_dev, AssignedDevice, dev);
     PCIRegion *pci_region = dev->real_device.regions;
+    int pos;
 
     /* Clear initial capabilities pointer and status copied from hw */
     pci_set_byte(pci_dev->config + PCI_CAPABILITY_LIST, 0);
@@ -1296,60 +1287,44 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 #ifdef KVM_CAP_DEVICE_MSI
     /* Expose MSI capability
      * MSI capability is the 1st capability in capability config */
-    if (pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI)) {
-        int vpos, ppos;
-        uint16_t flags;
-
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI))) {
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
-        vpos = pci_add_capability(pci_dev, PCI_CAP_ID_MSI, 0,
-                                  PCI_CAPABILITY_CONFIG_MSI_LENGTH);
-
-        memset(pci_dev->config + vpos + PCI_CAP_FLAGS, 0,
-               PCI_CAPABILITY_CONFIG_MSI_LENGTH - PCI_CAP_FLAGS);
+        pci_add_capability(pci_dev, PCI_CAP_ID_MSI, pos,
+                           PCI_CAPABILITY_CONFIG_MSI_LENGTH);
 
         /* Only 32-bit/no-mask currently supported */
-        ppos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI);
-        flags = assigned_dev_pci_read_word(pci_dev, ppos + PCI_MSI_FLAGS);
-        flags &= PCI_MSI_FLAGS_QMASK;
-        pci_set_word(pci_dev->config + vpos + PCI_MSI_FLAGS, flags);
+        pci_set_word(pci_dev->config + pos + PCI_MSI_FLAGS,
+                     pci_get_word(pci_dev->config + pos + PCI_MSI_FLAGS) &
+                     PCI_MSI_FLAGS_QMASK);
+        pci_set_long(pci_dev->config + pos + PCI_MSI_ADDRESS_LO, 0);
+        pci_set_word(pci_dev->config + pos + PCI_MSI_DATA_32, 0);
 
         /* Set writable fields */
-        pci_set_word(pci_dev->wmask + vpos + PCI_MSI_FLAGS,
+        pci_set_word(pci_dev->wmask + pos + PCI_MSI_FLAGS,
                      PCI_MSI_FLAGS_QSIZE | PCI_MSI_FLAGS_ENABLE);
-        pci_set_long(pci_dev->wmask + vpos + PCI_MSI_ADDRESS_LO, 0xfffffffc);
-        pci_set_long(pci_dev->wmask + vpos + PCI_MSI_DATA_32, 0xffff);
+        pci_set_long(pci_dev->wmask + pos + PCI_MSI_ADDRESS_LO, 0xfffffffc);
+        pci_set_word(pci_dev->wmask + pos + PCI_MSI_DATA_32, 0xffff);
     }
 #endif
 #ifdef KVM_CAP_DEVICE_MSIX
     /* Expose MSI-X capability */
-    if (pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX)) {
-        int vpos, ppos, entry_nr, bar_nr;
+    if ((pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX))) {
+        int bar_nr;
         uint32_t msix_table_entry;
 
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSIX;
-        vpos = pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, 0,
+        pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, pos,
                            PCI_CAPABILITY_CONFIG_MSIX_LENGTH);
 
-        memset(pci_dev->config + vpos + PCI_CAP_FLAGS, 0,
-               PCI_CAPABILITY_CONFIG_MSIX_LENGTH - PCI_CAP_FLAGS);
+        pci_set_word(pci_dev->config + pos + PCI_MSIX_FLAGS,
+                     pci_get_word(pci_dev->config + pos + PCI_MSIX_FLAGS) &
+                     PCI_MSIX_TABSIZE);
 
         /* Only enable and function mask bits are writable */
-        pci_set_word(pci_dev->wmask + vpos + PCI_MSIX_FLAGS,
+        pci_set_word(pci_dev->wmask + pos + PCI_MSIX_FLAGS,
                      PCI_MSIX_FLAGS_ENABLE | PCI_MSIX_FLAGS_MASKALL);
 
-        ppos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX);
-
-        entry_nr = assigned_dev_pci_read_word(pci_dev, ppos + PCI_MSIX_FLAGS);
-        entry_nr &= PCI_MSIX_TABSIZE;
-        pci_set_word(pci_dev->config + vpos + PCI_MSIX_FLAGS, entry_nr);
-
-        msix_table_entry = assigned_dev_pci_read_long(pci_dev,
-                                                      ppos + PCI_MSIX_TABLE);
-        pci_set_long(pci_dev->config + vpos + PCI_MSIX_TABLE, msix_table_entry);
-
-        pci_set_long(pci_dev->config + vpos + PCI_MSIX_PBA,
-                     assigned_dev_pci_read_long(pci_dev, ppos + PCI_MSIX_PBA));
-
+        msix_table_entry = pci_get_long(pci_dev->config + pos + PCI_MSIX_TABLE);
         bar_nr = msix_table_entry & PCI_MSIX_BIR;
         msix_table_entry &= ~PCI_MSIX_BIR;
         dev->msix_table_addr = pci_region[bar_nr].base_addr + msix_table_entry;
commit 355f2bf993379398251fddbdc8b1c8cc123a570e
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:20:04 2010 -0700

    pci: Remove cap.length, cap.start, cap.supported
    
    Capabilities aren't required to be contiguous, so cap.length never
    really made much sense.  Likewise, cap.start is mostly meaningless
    too.  Both of these are better served by the capability map.  We
    can also get rid of cap.supported, since it's really now unused
    and redundant with flag in the status word anyway.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index a4fad60..975d3cb 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1292,8 +1292,6 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
                  pci_get_word(pci_dev->config + PCI_STATUS) &
                  ~PCI_STATUS_CAP_LIST);
 
-    pci_dev->cap.length = 0;
-
 #ifdef KVM_CAP_IRQ_ROUTING
 #ifdef KVM_CAP_DEVICE_MSI
     /* Expose MSI capability
@@ -1320,7 +1318,6 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
                      PCI_MSI_FLAGS_QSIZE | PCI_MSI_FLAGS_ENABLE);
         pci_set_long(pci_dev->wmask + vpos + PCI_MSI_ADDRESS_LO, 0xfffffffc);
         pci_set_long(pci_dev->wmask + vpos + PCI_MSI_DATA_32, 0xffff);
-        pci_dev->cap.length += PCI_CAPABILITY_CONFIG_MSI_LENGTH;
     }
 #endif
 #ifdef KVM_CAP_DEVICE_MSIX
@@ -1356,7 +1353,6 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
         bar_nr = msix_table_entry & PCI_MSIX_BIR;
         msix_table_entry &= ~PCI_MSIX_BIR;
         dev->msix_table_addr = pci_region[bar_nr].base_addr + msix_table_entry;
-        pci_dev->cap.length += PCI_CAPABILITY_CONFIG_MSIX_LENGTH;
     }
 #endif
 #endif
diff --git a/hw/pci.c b/hw/pci.c
index cbe6fb7..1cf62b6 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1909,8 +1909,6 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
     memset(pdev->cmask + offset, 0xFF, size);
 
     pdev->config[PCI_STATUS] |= PCI_STATUS_CAP_LIST;
-    pdev->cap.supported = 1;
-    pdev->cap.start = pdev->cap.start ? MIN(pdev->cap.start, offset) : offset;
 
     return offset;
 }
@@ -1931,7 +1929,6 @@ void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
 
     if (!pdev->config[PCI_CAPABILITY_LIST]) {
         pdev->config[PCI_STATUS] &= ~PCI_STATUS_CAP_LIST;
-        pdev->cap.start = pdev->cap.length = 0;
     }
 }
 
diff --git a/hw/pci.h b/hw/pci.h
index bd15b43..146f81d 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -220,8 +220,6 @@ struct PCIDevice {
 
     /* Device capability configuration space */
     struct {
-        int supported;
-        unsigned int start, length;
         PCICapConfigReadFunc *config_read;
         PCICapConfigWriteFunc *config_write;
     } cap;
commit 1f3ef957426124e3e7649ce6766874e3753aa055
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:19:49 2010 -0700

    pci: Replace used bitmap with config byte map
    
    Capabilities are allocated in bytes, so we can track both whether
    a byte is used and by what capability in the same structure.
    
    Remove pci_reserve_capability() as there are no users, remove
    pci_access_cap_config() since it's now a trivial lookup.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 76aacac..a4fad60 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -423,7 +423,7 @@ static void assigned_dev_pci_write_config(PCIDevice *d, uint32_t address,
 
     if ((address >= 0x10 && address <= 0x24) || address == 0x30 ||
         address == 0x34 || address == 0x3c || address == 0x3d ||
-        pci_access_cap_config(d, address, len)) {
+        (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address])) {
         /* used for update-mappings (BAR emulation) */
         pci_default_write_config(d, address, val, len);
         return;
@@ -459,7 +459,7 @@ static uint32_t assigned_dev_pci_read_config(PCIDevice *d, uint32_t address,
     if (address < 0x4 || (pci_dev->need_emulate_cmd && address == 0x4) ||
 	(address >= 0x10 && address <= 0x24) || address == 0x30 ||
         address == 0x34 || address == 0x3c || address == 0x3d ||
-        pci_access_cap_config(d, address, len)) {
+        (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address])) {
         val = pci_default_read_config(d, address, len);
         DEBUG("(%x.%x): address=%04x val=0x%08x len=%d\n",
               (d->devfn >> 3) & 0x1F, (d->devfn & 0x7), address, val, len);
diff --git a/hw/pci.c b/hw/pci.c
index f2896d9..cbe6fb7 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -712,7 +712,7 @@ static void pci_config_alloc(PCIDevice *pci_dev)
     pci_dev->cmask = qemu_mallocz(config_size);
     pci_dev->wmask = qemu_mallocz(config_size);
     pci_dev->w1cmask = qemu_mallocz(config_size);
-    pci_dev->used = qemu_mallocz(config_size);
+    pci_dev->config_map = qemu_mallocz(config_size);
 }
 
 static void pci_config_free(PCIDevice *pci_dev)
@@ -721,7 +721,7 @@ static void pci_config_free(PCIDevice *pci_dev)
     qemu_free(pci_dev->cmask);
     qemu_free(pci_dev->wmask);
     qemu_free(pci_dev->w1cmask);
-    qemu_free(pci_dev->used);
+    qemu_free(pci_dev->config_map);
 }
 
 /* -1 for devfn means auto assign */
@@ -751,6 +751,8 @@ static PCIDevice *do_pci_register_device(PCIDevice *pci_dev, PCIBus *bus,
     pci_dev->irq_state = 0;
     pci_config_alloc(pci_dev);
 
+    memset(pci_dev->config_map, 0xff, PCI_CONFIG_HEADER_SIZE);
+
     if (!is_bridge) {
         pci_set_default_subsystem_id(pci_dev);
     }
@@ -1083,21 +1085,13 @@ uint32_t pci_default_read_config(PCIDevice *d,
 {
     assert(len == 1 || len == 2 || len == 4);
 
-    if (pci_access_cap_config(d, address, len)) {
+    if (address > PCI_CONFIG_HEADER_SIZE && d->config_map[address]) {
         return d->cap.config_read(d, address, len);
     }
 
     return pci_read_config(d, address, len);
 }
 
-int pci_access_cap_config(PCIDevice *pci_dev, uint32_t address, int len)
-{
-    if (pci_dev->cap.supported && address >= pci_dev->cap.start &&
-            (address + len) < pci_dev->cap.start + pci_dev->cap.length)
-        return 1;
-    return 0;
-}
-
 uint32_t pci_default_cap_read_config(PCIDevice *pci_dev,
                                      uint32_t address, int len)
 {
@@ -1122,7 +1116,7 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
     int i, was_irq_disabled = pci_irq_disabled(d);
     uint32_t config_size = pci_config_size(d);
 
-    if (pci_access_cap_config(d, addr, l)) {
+    if (addr > PCI_CONFIG_HEADER_SIZE && d->config_map[addr]) {
         d->cap.config_write(d, addr, val, l);
         return;
     }
@@ -1789,7 +1783,7 @@ static int pci_find_space(PCIDevice *pdev, uint8_t size)
     int offset = PCI_CONFIG_HEADER_SIZE;
     int i;
     for (i = PCI_CONFIG_HEADER_SIZE; i < config_size; ++i)
-        if (pdev->used[i])
+        if (pdev->config_map[i])
             offset = i + 1;
         else if (i - offset + 1 == size)
             return offset;
@@ -1908,7 +1902,7 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
     config[PCI_CAP_LIST_ID] = cap_id;
     config[PCI_CAP_LIST_NEXT] = pdev->config[PCI_CAPABILITY_LIST];
     pdev->config[PCI_CAPABILITY_LIST] = offset;
-    memset(pdev->used + offset, 0xFF, size);
+    memset(pdev->config_map + offset, cap_id, size);
     /* Make capability read-only by default */
     memset(pdev->wmask + offset, 0, size);
     /* Check capability by default */
@@ -1933,7 +1927,7 @@ void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
     memset(pdev->w1cmask + offset, 0, size);
     /* Clear cmask as device-specific registers can't be checked */
     memset(pdev->cmask + offset, 0, size);
-    memset(pdev->used + offset, 0, size);
+    memset(pdev->config_map + offset, 0, size);
 
     if (!pdev->config[PCI_CAPABILITY_LIST]) {
         pdev->config[PCI_STATUS] &= ~PCI_STATUS_CAP_LIST;
@@ -1941,12 +1935,6 @@ void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
     }
 }
 
-/* Reserve space for capability at a known offset (to call after load). */
-void pci_reserve_capability(PCIDevice *pdev, uint8_t offset, uint8_t size)
-{
-    memset(pdev->used + offset, 0xff, size);
-}
-
 uint8_t pci_find_capability(PCIDevice *pdev, uint8_t cap_id)
 {
     return pci_find_capability_list(pdev, cap_id, NULL);
diff --git a/hw/pci.h b/hw/pci.h
index fafc2bb..bd15b43 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -157,8 +157,8 @@ struct PCIDevice {
     /* Used to implement RW1C(Write 1 to Clear) bytes */
     uint8_t *w1cmask;
 
-    /* Used to allocate config space for capabilities. */
-    uint8_t *used;
+    /* Used to allocate config space and track capabilities. */
+    uint8_t *config_map;
 
     /* the following fields are read only */
     PCIBus *bus;
@@ -250,8 +250,6 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
 
 void pci_del_capability(PCIDevice *pci_dev, uint8_t cap_id, uint8_t cap_size);
 
-void pci_reserve_capability(PCIDevice *pci_dev, uint8_t offset, uint8_t size);
-
 uint8_t pci_find_capability(PCIDevice *pci_dev, uint8_t cap_id);
 
 uint32_t pci_default_read_config(PCIDevice *d,
@@ -264,8 +262,6 @@ uint32_t pci_default_cap_read_config(PCIDevice *pci_dev,
                                      uint32_t address, int len);
 void pci_default_cap_write_config(PCIDevice *pci_dev,
                                   uint32_t address, uint32_t val, int len);
-int pci_access_cap_config(PCIDevice *pci_dev, uint32_t address, int len);
-
 typedef void (*pci_set_irq_fn)(void *opaque, int irq_num, int level);
 typedef int (*pci_map_irq_fn)(PCIDevice *pci_dev, int irq_num);
 typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev, int state);
commit aaab315bfe74e7081380517b1837d28f40e509e3
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:19:35 2010 -0700

    device-assignment: Use PCI capabilities support
    
    Convert to use common pci_add_capabilities() rather than creating
    our own mess.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index a297cb4..76aacac 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -38,6 +38,7 @@
 #include "device-assignment.h"
 #include "loader.h"
 #include "monitor.h"
+#include "range.h"
 #include <pci/header.h>
 
 /* From linux/ioport.h */
@@ -1075,17 +1076,17 @@ static void assigned_dev_update_msi(PCIDevice *pci_dev, unsigned int ctrl_pos)
     }
 
     if (ctrl_byte & PCI_MSI_FLAGS_ENABLE) {
+        int pos = ctrl_pos - PCI_MSI_FLAGS;
         assigned_dev->entry = calloc(1, sizeof(struct kvm_irq_routing_entry));
         if (!assigned_dev->entry) {
             perror("assigned_dev_update_msi: ");
             return;
         }
         assigned_dev->entry->u.msi.address_lo =
-                *(uint32_t *)(pci_dev->config + pci_dev->cap.start +
-                              PCI_MSI_ADDRESS_LO);
+            pci_get_long(pci_dev->config + pos + PCI_MSI_ADDRESS_LO);
         assigned_dev->entry->u.msi.address_hi = 0;
-        assigned_dev->entry->u.msi.data = *(uint16_t *)(pci_dev->config +
-                pci_dev->cap.start + PCI_MSI_DATA_32);
+        assigned_dev->entry->u.msi.data =
+            pci_get_word(pci_dev->config + pos + PCI_MSI_DATA_32);
         assigned_dev->entry->type = KVM_IRQ_ROUTING_MSI;
         r = kvm_get_irq_route_gsi();
         if (r < 0) {
@@ -1123,10 +1124,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
     struct kvm_assigned_msix_entry msix_entry;
     void *va = adev->msix_table_page;
 
-    if (adev->cap.available & ASSIGNED_DEVICE_CAP_MSI)
-        pos = pci_dev->cap.start + PCI_CAPABILITY_CONFIG_MSI_LENGTH;
-    else
-        pos = pci_dev->cap.start;
+    pos = pci_find_capability(pci_dev, PCI_CAP_ID_MSIX);
 
     entries_max_nr = *(uint16_t *)(pci_dev->config + pos + 2);
     entries_max_nr &= PCI_MSIX_TABSIZE;
@@ -1260,26 +1258,23 @@ static void assigned_device_pci_cap_write_config(PCIDevice *pci_dev, uint32_t ad
                                                  uint32_t val, int len)
 {
     AssignedDevice *assigned_dev = container_of(pci_dev, AssignedDevice, dev);
-    unsigned int pos = pci_dev->cap.start, ctrl_pos;
 
     pci_default_cap_write_config(pci_dev, address, val, len);
 #ifdef KVM_CAP_IRQ_ROUTING
 #ifdef KVM_CAP_DEVICE_MSI
     if (assigned_dev->cap.available & ASSIGNED_DEVICE_CAP_MSI) {
-        ctrl_pos = pos + PCI_MSI_FLAGS;
-        if (address <= ctrl_pos && address + len > ctrl_pos)
-            assigned_dev_update_msi(pci_dev, ctrl_pos);
-        pos += PCI_CAPABILITY_CONFIG_MSI_LENGTH;
+        int pos = pci_find_capability(pci_dev, PCI_CAP_ID_MSI);
+        if (ranges_overlap(address, len, pos + PCI_MSI_FLAGS, 1)) {
+            assigned_dev_update_msi(pci_dev, pos + PCI_MSI_FLAGS);
+        }
     }
 #endif
 #ifdef KVM_CAP_DEVICE_MSIX
     if (assigned_dev->cap.available & ASSIGNED_DEVICE_CAP_MSIX) {
-        ctrl_pos = pos + 3;
-        if (address <= ctrl_pos && address + len > ctrl_pos) {
-            ctrl_pos--; /* control is word long */
-            assigned_dev_update_msix(pci_dev, ctrl_pos);
+        int pos = pci_find_capability(pci_dev, PCI_CAP_ID_MSIX);
+        if (ranges_overlap(address, len, pos + PCI_MSIX_FLAGS + 1, 1)) {
+            assigned_dev_update_msix(pci_dev, pos + PCI_MSIX_FLAGS);
 	}
-        pos += PCI_CAPABILITY_CONFIG_MSIX_LENGTH;
     }
 #endif
 #endif
@@ -1290,58 +1285,77 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
 {
     AssignedDevice *dev = container_of(pci_dev, AssignedDevice, dev);
     PCIRegion *pci_region = dev->real_device.regions;
-    int next_cap_pt = 0;
 
-    pci_dev->cap.supported = 1;
-    pci_dev->cap.start = PCI_CAPABILITY_CONFIG_DEFAULT_START_ADDR;
+    /* Clear initial capabilities pointer and status copied from hw */
+    pci_set_byte(pci_dev->config + PCI_CAPABILITY_LIST, 0);
+    pci_set_word(pci_dev->config + PCI_STATUS,
+                 pci_get_word(pci_dev->config + PCI_STATUS) &
+                 ~PCI_STATUS_CAP_LIST);
+
     pci_dev->cap.length = 0;
-    pci_dev->config[PCI_STATUS] |= PCI_STATUS_CAP_LIST;
-    pci_dev->config[PCI_CAPABILITY_LIST] = pci_dev->cap.start;
 
 #ifdef KVM_CAP_IRQ_ROUTING
 #ifdef KVM_CAP_DEVICE_MSI
     /* Expose MSI capability
      * MSI capability is the 1st capability in capability config */
     if (pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI)) {
+        int vpos, ppos;
+        uint16_t flags;
+
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSI;
-        memset(&pci_dev->config[pci_dev->cap.start + pci_dev->cap.length],
-               0, PCI_CAPABILITY_CONFIG_MSI_LENGTH);
-        pci_dev->config[pci_dev->cap.start + pci_dev->cap.length] =
-                        PCI_CAP_ID_MSI;
+        vpos = pci_add_capability(pci_dev, PCI_CAP_ID_MSI, 0,
+                                  PCI_CAPABILITY_CONFIG_MSI_LENGTH);
+
+        memset(pci_dev->config + vpos + PCI_CAP_FLAGS, 0,
+               PCI_CAPABILITY_CONFIG_MSI_LENGTH - PCI_CAP_FLAGS);
+
+        /* Only 32-bit/no-mask currently supported */
+        ppos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSI);
+        flags = assigned_dev_pci_read_word(pci_dev, ppos + PCI_MSI_FLAGS);
+        flags &= PCI_MSI_FLAGS_QMASK;
+        pci_set_word(pci_dev->config + vpos + PCI_MSI_FLAGS, flags);
+
+        /* Set writable fields */
+        pci_set_word(pci_dev->wmask + vpos + PCI_MSI_FLAGS,
+                     PCI_MSI_FLAGS_QSIZE | PCI_MSI_FLAGS_ENABLE);
+        pci_set_long(pci_dev->wmask + vpos + PCI_MSI_ADDRESS_LO, 0xfffffffc);
+        pci_set_long(pci_dev->wmask + vpos + PCI_MSI_DATA_32, 0xffff);
         pci_dev->cap.length += PCI_CAPABILITY_CONFIG_MSI_LENGTH;
-        next_cap_pt = 1;
     }
 #endif
 #ifdef KVM_CAP_DEVICE_MSIX
     /* Expose MSI-X capability */
     if (pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX)) {
-        int pos, entry_nr, bar_nr;
+        int vpos, ppos, entry_nr, bar_nr;
         uint32_t msix_table_entry;
+
         dev->cap.available |= ASSIGNED_DEVICE_CAP_MSIX;
-        memset(&pci_dev->config[pci_dev->cap.start + pci_dev->cap.length],
-               0, PCI_CAPABILITY_CONFIG_MSIX_LENGTH);
-        pos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX);
-        entry_nr = assigned_dev_pci_read_word(pci_dev, pos + 2) &
-                                                             PCI_MSIX_TABSIZE;
-        pci_dev->config[pci_dev->cap.start + pci_dev->cap.length] = 0x11;
-        *(uint16_t *)(pci_dev->config + pci_dev->cap.start +
-                      pci_dev->cap.length + 2) = entry_nr;
+        vpos = pci_add_capability(pci_dev, PCI_CAP_ID_MSIX, 0,
+                           PCI_CAPABILITY_CONFIG_MSIX_LENGTH);
+
+        memset(pci_dev->config + vpos + PCI_CAP_FLAGS, 0,
+               PCI_CAPABILITY_CONFIG_MSIX_LENGTH - PCI_CAP_FLAGS);
+
+        /* Only enable and function mask bits are writable */
+        pci_set_word(pci_dev->wmask + vpos + PCI_MSIX_FLAGS,
+                     PCI_MSIX_FLAGS_ENABLE | PCI_MSIX_FLAGS_MASKALL);
+
+        ppos = pci_find_cap_offset(pci_dev, PCI_CAP_ID_MSIX);
+
+        entry_nr = assigned_dev_pci_read_word(pci_dev, ppos + PCI_MSIX_FLAGS);
+        entry_nr &= PCI_MSIX_TABSIZE;
+        pci_set_word(pci_dev->config + vpos + PCI_MSIX_FLAGS, entry_nr);
+
         msix_table_entry = assigned_dev_pci_read_long(pci_dev,
-                                                      pos + PCI_MSIX_TABLE);
-        *(uint32_t *)(pci_dev->config + pci_dev->cap.start +
-                      pci_dev->cap.length + PCI_MSIX_TABLE) = msix_table_entry;
-        *(uint32_t *)(pci_dev->config + pci_dev->cap.start +
-                      pci_dev->cap.length + PCI_MSIX_PBA) =
-                    assigned_dev_pci_read_long(pci_dev, pos + PCI_MSIX_PBA);
+                                                      ppos + PCI_MSIX_TABLE);
+        pci_set_long(pci_dev->config + vpos + PCI_MSIX_TABLE, msix_table_entry);
+
+        pci_set_long(pci_dev->config + vpos + PCI_MSIX_PBA,
+                     assigned_dev_pci_read_long(pci_dev, ppos + PCI_MSIX_PBA));
+
         bar_nr = msix_table_entry & PCI_MSIX_BIR;
         msix_table_entry &= ~PCI_MSIX_BIR;
         dev->msix_table_addr = pci_region[bar_nr].base_addr + msix_table_entry;
-        if (next_cap_pt != 0) {
-            pci_dev->config[pci_dev->cap.start + next_cap_pt] =
-                pci_dev->cap.start + pci_dev->cap.length;
-            next_cap_pt += PCI_CAPABILITY_CONFIG_MSI_LENGTH;
-        } else
-            next_cap_pt = 1;
         pci_dev->cap.length += PCI_CAPABILITY_CONFIG_MSIX_LENGTH;
     }
 #endif
commit 87ba8237a10bed58d4e6a070ea797998a8c24fef
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:19:22 2010 -0700

    pci: Remove pci_enable_capability_support()
    
    This interface doesn't make much sense, adding a capability can
    take care of everything, just provide a means to register
    capability read/write handlers.
    
    Device assignment does it's own thing, so requires a couple
    ugly hacks that will be cleaned by subsequent patches.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 369bff9..a297cb4 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1292,7 +1292,12 @@ static int assigned_device_pci_cap_init(PCIDevice *pci_dev)
     PCIRegion *pci_region = dev->real_device.regions;
     int next_cap_pt = 0;
 
+    pci_dev->cap.supported = 1;
+    pci_dev->cap.start = PCI_CAPABILITY_CONFIG_DEFAULT_START_ADDR;
     pci_dev->cap.length = 0;
+    pci_dev->config[PCI_STATUS] |= PCI_STATUS_CAP_LIST;
+    pci_dev->config[PCI_CAPABILITY_LIST] = pci_dev->cap.start;
+
 #ifdef KVM_CAP_IRQ_ROUTING
 #ifdef KVM_CAP_DEVICE_MSI
     /* Expose MSI capability
@@ -1488,9 +1493,10 @@ static int assigned_initfn(struct PCIDevice *pci_dev)
     dev->h_busnr = dev->host.bus;
     dev->h_devfn = PCI_DEVFN(dev->host.dev, dev->host.func);
 
-    if (pci_enable_capability_support(pci_dev, 0, NULL,
-                    assigned_device_pci_cap_write_config,
-                    assigned_device_pci_cap_init) < 0)
+    pci_register_capability_handlers(pci_dev, NULL,
+                                     assigned_device_pci_cap_write_config);
+
+    if (assigned_device_pci_cap_init(pci_dev) < 0)
         goto out;
 
     /* assign device to guest */
diff --git a/hw/pci.c b/hw/pci.c
index 8e99746..f2896d9 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -770,6 +770,8 @@ static PCIDevice *do_pci_register_device(PCIDevice *pci_dev, PCIBus *bus,
         config_write = pci_default_write_config;
     pci_dev->config_read = config_read;
     pci_dev->config_write = config_write;
+    pci_dev->cap.config_read = pci_default_cap_read_config;
+    pci_dev->cap.config_write = pci_default_cap_write_config;
     bus->devices[devfn] = pci_dev;
     pci_dev->irq = qemu_allocate_irqs(pci_set_irq, pci_dev, PCI_NUM_PINS);
     pci_dev->version_id = 2; /* Current pci device vmstate version */
@@ -1754,35 +1756,21 @@ PCIDevice *pci_create_simple_multifunction(PCIBus *bus, int devfn,
     return dev;
 }
 
-int pci_enable_capability_support(PCIDevice *pci_dev,
-                                  uint32_t config_start,
-                                  PCICapConfigReadFunc *config_read,
-                                  PCICapConfigWriteFunc *config_write,
-                                  PCICapConfigInitFunc *config_init)
+void pci_register_capability_handlers(PCIDevice *pdev,
+                                      PCICapConfigReadFunc *config_read,
+                                      PCICapConfigWriteFunc *config_write)
 {
-    if (!pci_dev)
-        return -ENODEV;
-
-    pci_dev->config[0x06] |= 0x10; // status = capabilities
-
-    if (config_start == 0)
-	pci_dev->cap.start = PCI_CAPABILITY_CONFIG_DEFAULT_START_ADDR;
-    else if (config_start >= 0x40 && config_start < 0xff)
-        pci_dev->cap.start = config_start;
-    else
-        return -EINVAL;
+    if (config_read) {
+        pdev->cap.config_read = config_read;
+    } else {
+        pdev->cap.config_read = pci_default_cap_read_config;
+    }
 
-    if (config_read)
-        pci_dev->cap.config_read = config_read;
-    else
-        pci_dev->cap.config_read = pci_default_cap_read_config;
-    if (config_write)
-        pci_dev->cap.config_write = config_write;
-    else
-        pci_dev->cap.config_write = pci_default_cap_write_config;
-    pci_dev->cap.supported = 1;
-    pci_dev->config[PCI_CAPABILITY_LIST] = pci_dev->cap.start;
-    return config_init(pci_dev);
+    if (config_write) {
+        pdev->cap.config_write = config_write;
+    } else {
+        pdev->cap.config_write = pci_default_cap_write_config;
+    }
 }
 
 PCIDevice *pci_create(PCIBus *bus, int devfn, const char *name)
@@ -1920,12 +1908,16 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
     config[PCI_CAP_LIST_ID] = cap_id;
     config[PCI_CAP_LIST_NEXT] = pdev->config[PCI_CAPABILITY_LIST];
     pdev->config[PCI_CAPABILITY_LIST] = offset;
-    pdev->config[PCI_STATUS] |= PCI_STATUS_CAP_LIST;
     memset(pdev->used + offset, 0xFF, size);
     /* Make capability read-only by default */
     memset(pdev->wmask + offset, 0, size);
     /* Check capability by default */
     memset(pdev->cmask + offset, 0xFF, size);
+
+    pdev->config[PCI_STATUS] |= PCI_STATUS_CAP_LIST;
+    pdev->cap.supported = 1;
+    pdev->cap.start = pdev->cap.start ? MIN(pdev->cap.start, offset) : offset;
+
     return offset;
 }
 
@@ -1943,8 +1935,10 @@ void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
     memset(pdev->cmask + offset, 0, size);
     memset(pdev->used + offset, 0, size);
 
-    if (!pdev->config[PCI_CAPABILITY_LIST])
+    if (!pdev->config[PCI_CAPABILITY_LIST]) {
         pdev->config[PCI_STATUS] &= ~PCI_STATUS_CAP_LIST;
+        pdev->cap.start = pdev->cap.length = 0;
+    }
 }
 
 /* Reserve space for capability at a known offset (to call after load). */
diff --git a/hw/pci.h b/hw/pci.h
index e7a19e5..fafc2bb 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -89,7 +89,6 @@ typedef void PCICapConfigWriteFunc(PCIDevice *pci_dev,
                                    uint32_t address, uint32_t val, int len);
 typedef uint32_t PCICapConfigReadFunc(PCIDevice *pci_dev,
                                       uint32_t address, int len);
-typedef int PCICapConfigInitFunc(PCIDevice *pci_dev);
 
 typedef struct PCIIORegion {
     pcibus_t addr; /* current PCI mapping address. -1 means not mapped */
@@ -240,11 +239,9 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
 void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr,
                         pcibus_t size, int type);
 
-int pci_enable_capability_support(PCIDevice *pci_dev,
-                                  uint32_t config_start,
-                                  PCICapConfigReadFunc *config_read,
-                                  PCICapConfigWriteFunc *config_write,
-                                  PCICapConfigInitFunc *config_init);
+void pci_register_capability_handlers(PCIDevice *pci_dev,
+                                      PCICapConfigReadFunc *config_read,
+                                      PCICapConfigWriteFunc *config_write);
 
 int pci_map_irq(PCIDevice *pci_dev, int pin);
 
commit 1164350eb791c33a7815e26f33dc45bccf99ef6e
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 19 16:19:11 2010 -0700

    pci: pci_default_cap_write_config ignores wmask
    
    Make use of wmask, just like the rest of config space.
    
    This duplicates code in pci_default_write_config, but we plan to get
    rid of this function anyway, so avoid the code churn.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index c3b5048..8e99746 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1088,16 +1088,6 @@ uint32_t pci_default_read_config(PCIDevice *d,
     return pci_read_config(d, address, len);
 }
 
-static void pci_write_config(PCIDevice *pci_dev,
-                             uint32_t address, uint32_t val, int len)
-{
-    int i;
-    for (i = 0; i < len; i++) {
-        pci_dev->config[address + i] = val & 0xff;
-        val >>= 8;
-    }
-}
-
 int pci_access_cap_config(PCIDevice *pci_dev, uint32_t address, int len)
 {
     if (pci_dev->cap.supported && address >= pci_dev->cap.start &&
@@ -1115,7 +1105,14 @@ uint32_t pci_default_cap_read_config(PCIDevice *pci_dev,
 void pci_default_cap_write_config(PCIDevice *pci_dev,
                                   uint32_t address, uint32_t val, int len)
 {
-    pci_write_config(pci_dev, address, val, len);
+    uint32_t config_size = pci_config_size(pci_dev);
+    int i;
+
+    for (i = 0; i < len && address + i < config_size; val >>= 8, ++i) {
+        uint8_t wmask = pci_dev->wmask[address + i];
+        pci_dev->config[address + i] =
+            (pci_dev->config[address + i] & ~wmask) | (val & wmask);
+    }
 }
 
 void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
commit b76876e602ca09ff848d99595a506feb1fd54ff4
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Nov 26 16:36:16 2010 +0100

    ide: Reset current_addr after stopping DMA
    
    Whenever SSBM is reset in the command register all state information is lost.
    Restarting DMA means that current_addr must be reset to the base address of the
    PRD table. The OS is not required to change the base address register before
    starting a DMA operation, it can reuse the value it wrote for an earlier
    request.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index 404f045..ad406ee 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -65,6 +65,7 @@ void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val)
 #endif
             }
         } else {
+            bm->cur_addr = bm->addr;
             if (!(bm->status & BM_STATUS_DMAING)) {
                 bm->status |= BM_STATUS_DMAING;
                 /* start dma transfer if possible */
@@ -101,7 +102,6 @@ static void bmdma_addr_write(IORange *ioport, uint64_t addr,
 #endif
     bm->addr &= ~(mask << shift);
     bm->addr |= ((data & mask) << shift) & ~3;
-    bm->cur_addr = bm->addr;
 }
 
 const IORangeOps bmdma_addr_ioport_ops = {
commit c29947bbb0978d312074ec73be968bfab1b6c977
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Nov 26 16:44:53 2010 +0100

    ide: Ignore double DMA transfer starts/stops
    
    You can only start a DMA transfer if it's not running yet, and you can only
    cancel it if it's running.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index 3722b77..404f045 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -39,38 +39,42 @@ void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val)
 #ifdef DEBUG_IDE
     printf("%s: 0x%08x\n", __func__, val);
 #endif
-    if (!(val & BM_CMD_START)) {
-        /*
-         * We can't cancel Scatter Gather DMA in the middle of the
-         * operation or a partial (not full) DMA transfer would reach
-         * the storage so we wait for completion instead (we beahve
-         * like if the DMA was completed by the time the guest trying
-         * to cancel dma with bmdma_cmd_writeb with BM_CMD_START not
-         * set).
-         *
-         * In the future we'll be able to safely cancel the I/O if the
-         * whole DMA operation will be submitted to disk with a single
-         * aio operation with preadv/pwritev.
-         */
-        if (bm->aiocb) {
-            qemu_aio_flush();
+
+    /* Ignore writes to SSBM if it keeps the old value */
+    if ((val & BM_CMD_START) != (bm->cmd & BM_CMD_START)) {
+        if (!(val & BM_CMD_START)) {
+            /*
+             * We can't cancel Scatter Gather DMA in the middle of the
+             * operation or a partial (not full) DMA transfer would reach
+             * the storage so we wait for completion instead (we beahve
+             * like if the DMA was completed by the time the guest trying
+             * to cancel dma with bmdma_cmd_writeb with BM_CMD_START not
+             * set).
+             *
+             * In the future we'll be able to safely cancel the I/O if the
+             * whole DMA operation will be submitted to disk with a single
+             * aio operation with preadv/pwritev.
+             */
+            if (bm->aiocb) {
+                qemu_aio_flush();
 #ifdef DEBUG_IDE
-            if (bm->aiocb)
-                printf("ide_dma_cancel: aiocb still pending");
-            if (bm->status & BM_STATUS_DMAING)
-                printf("ide_dma_cancel: BM_STATUS_DMAING still pending");
+                if (bm->aiocb)
+                    printf("ide_dma_cancel: aiocb still pending");
+                if (bm->status & BM_STATUS_DMAING)
+                    printf("ide_dma_cancel: BM_STATUS_DMAING still pending");
 #endif
+            }
+        } else {
+            if (!(bm->status & BM_STATUS_DMAING)) {
+                bm->status |= BM_STATUS_DMAING;
+                /* start dma transfer if possible */
+                if (bm->dma_cb)
+                    bm->dma_cb(bm, 0);
+            }
         }
-        bm->cmd = val & 0x09;
-    } else {
-        if (!(bm->status & BM_STATUS_DMAING)) {
-            bm->status |= BM_STATUS_DMAING;
-            /* start dma transfer if possible */
-            if (bm->dma_cb)
-                bm->dma_cb(bm, 0);
-        }
-        bm->cmd = val & 0x09;
     }
+
+    bm->cmd = val & 0x09;
 }
 
 static void bmdma_addr_read(IORange *ioport, uint64_t addr,
commit e3982b3cf6d17fbba6839d5252f5f757a8d585dc
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Nov 26 16:47:42 2010 +0100

    ide: Set bus master inactive on error
    
    BMIDEA in the status register must be cleared on error. This makes FreeBSD
    respond (more) correctly to I/O errors.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 7136ade..430350f 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -486,6 +486,8 @@ void ide_dma_error(IDEState *s)
     ide_transfer_stop(s);
     s->error = ABRT_ERR;
     s->status = READY_STAT | ERR_STAT;
+    ide_dma_set_inactive(s->bus->bmdma);
+    s->bus->bmdma->status |= BM_STATUS_INT;
     ide_set_irq(s->bus);
 }
 
commit 8337606d3588f80aea656db74127423bd6b61443
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Nov 26 16:31:37 2010 +0100

    ide: Factor ide_dma_set_inactive out
    
    Several places that stop a DMA transfer duplicate this code. Factor it out into
    a common function.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 484e0ca..7136ade 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -473,6 +473,14 @@ static void dma_buf_commit(IDEState *s, int is_write)
     qemu_sglist_destroy(&s->sg);
 }
 
+static void ide_dma_set_inactive(BMDMAState *bm)
+{
+    bm->status &= ~BM_STATUS_DMAING;
+    bm->dma_cb = NULL;
+    bm->unit = -1;
+    bm->aiocb = NULL;
+}
+
 void ide_dma_error(IDEState *s)
 {
     ide_transfer_stop(s);
@@ -587,11 +595,8 @@ static void ide_read_dma_cb(void *opaque, int ret)
         s->status = READY_STAT | SEEK_STAT;
         ide_set_irq(s->bus);
     eot:
-        bm->status &= ~BM_STATUS_DMAING;
         bm->status |= BM_STATUS_INT;
-        bm->dma_cb = NULL;
-        bm->unit = -1;
-        bm->aiocb = NULL;
+        ide_dma_set_inactive(bm);
         return;
     }
 
@@ -733,11 +738,8 @@ static void ide_write_dma_cb(void *opaque, int ret)
         s->status = READY_STAT | SEEK_STAT;
         ide_set_irq(s->bus);
     eot:
-        bm->status &= ~BM_STATUS_DMAING;
         bm->status |= BM_STATUS_INT;
-        bm->dma_cb = NULL;
-        bm->unit = -1;
-        bm->aiocb = NULL;
+        ide_dma_set_inactive(bm);
         return;
     }
 
@@ -1061,11 +1063,8 @@ static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret)
         s->nsector = (s->nsector & ~7) | ATAPI_INT_REASON_IO | ATAPI_INT_REASON_CD;
         ide_set_irq(s->bus);
     eot:
-        bm->status &= ~BM_STATUS_DMAING;
         bm->status |= BM_STATUS_INT;
-        bm->dma_cb = NULL;
-        bm->unit = -1;
-        bm->aiocb = NULL;
+        ide_dma_set_inactive(bm);
         return;
     }
 
@@ -2954,12 +2953,10 @@ void ide_dma_cancel(BMDMAState *bm)
             printf("aio_cancel\n");
 #endif
             bdrv_aio_cancel(bm->aiocb);
-            bm->aiocb = NULL;
         }
-        bm->status &= ~BM_STATUS_DMAING;
+
         /* cancel DMA request */
-        bm->unit = -1;
-        bm->dma_cb = NULL;
+        ide_dma_set_inactive(bm);
     }
 }
 
commit b1e0e1b96ce3fd8cef0f74e8cff24d97c899f5ea
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Nov 23 16:54:42 2010 +0200

    qemu-kvm: remove unused setupcpuid
    
    kvm_setup_cpuid seems unused, so remove it.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm/libkvm/libkvm-x86.c b/kvm/libkvm/libkvm-x86.c
index f1aef76..2b12408 100644
--- a/kvm/libkvm/libkvm-x86.c
+++ b/kvm/libkvm/libkvm-x86.c
@@ -466,45 +466,6 @@ __u64 kvm_get_cr8(kvm_context_t kvm, int vcpu)
 	return kvm->run[vcpu]->cr8;
 }
 
-int kvm_setup_cpuid(kvm_context_t kvm, int vcpu, int nent,
-		    struct kvm_cpuid_entry *entries)
-{
-	struct kvm_cpuid *cpuid;
-	int r;
-
-	cpuid = malloc(sizeof(*cpuid) + nent * sizeof(*entries));
-	if (!cpuid)
-		return -ENOMEM;
-
-	cpuid->nent = nent;
-	memcpy(cpuid->entries, entries, nent * sizeof(*entries));
-	r = ioctl(kvm->vcpu_fd[vcpu], KVM_SET_CPUID, cpuid);
-
-	free(cpuid);
-	return r;
-}
-
-int kvm_setup_cpuid2(kvm_context_t kvm, int vcpu, int nent,
-		     struct kvm_cpuid_entry2 *entries)
-{
-	struct kvm_cpuid2 *cpuid;
-	int r;
-
-	cpuid = malloc(sizeof(*cpuid) + nent * sizeof(*entries));
-	if (!cpuid)
-		return -ENOMEM;
-
-	cpuid->nent = nent;
-	memcpy(cpuid->entries, entries, nent * sizeof(*entries));
-	r = ioctl(kvm->vcpu_fd[vcpu], KVM_SET_CPUID2, cpuid);
-	if (r == -1) {
-		fprintf(stderr, "kvm_setup_cpuid2: %m\n");
-		r = -errno;
-	}
-	free(cpuid);
-	return r;
-}
-
 int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages)
 {
 #ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
diff --git a/kvm/libkvm/libkvm.h b/kvm/libkvm/libkvm.h
index 4821a1e..a70945d 100644
--- a/kvm/libkvm/libkvm.h
+++ b/kvm/libkvm/libkvm.h
@@ -359,36 +359,6 @@ int kvm_set_guest_debug(kvm_context_t, int vcpu, struct kvm_guest_debug *dbg);
 
 #if defined(__i386__) || defined(__x86_64__)
 /*!
- * \brief Setup a vcpu's cpuid instruction emulation
- *
- * Set up a table of cpuid function to cpuid outputs.\n
- *
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should be initialized
- * \param nent number of entries to be installed
- * \param entries cpuid function entries table
- * \return 0 on success, or -errno on error
- */
-int kvm_setup_cpuid(kvm_context_t kvm, int vcpu, int nent,
-		    struct kvm_cpuid_entry *entries);
-
-/*!
- * \brief Setup a vcpu's cpuid instruction emulation
- *
- * Set up a table of cpuid function to cpuid outputs.
- * This call replaces the older kvm_setup_cpuid interface by adding a few
- * parameters to support cpuid functions that have sub-leaf values.
- *
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should be initialized
- * \param nent number of entries to be installed
- * \param entries cpuid function entries table
- * \return 0 on success, or -errno on error
- */
-int kvm_setup_cpuid2(kvm_context_t kvm, int vcpu, int nent,
-		     struct kvm_cpuid_entry2 *entries);
-
-/*!
  * \brief Setting the number of shadow pages to be allocated to the vm
  *
  * \param kvm pointer to kvm_context
diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 20b7d6d..672bcbf 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -418,37 +418,6 @@ static void kvm_set_cr8(CPUState *env, uint64_t cr8)
     env->kvm_run->cr8 = cr8;
 }
 
-int kvm_setup_cpuid(CPUState *env, int nent,
-                    struct kvm_cpuid_entry *entries)
-{
-    struct kvm_cpuid *cpuid;
-    int r;
-
-    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
-
-    cpuid->nent = nent;
-    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
-    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID, cpuid);
-
-    free(cpuid);
-    return r;
-}
-
-int kvm_setup_cpuid2(CPUState *env, int nent,
-                     struct kvm_cpuid_entry2 *entries)
-{
-    struct kvm_cpuid2 *cpuid;
-    int r;
-
-    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
-
-    cpuid->nent = nent;
-    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
-    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID2, cpuid);
-    free(cpuid);
-    return r;
-}
-
 int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages)
 {
 #ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 0f3fb50..7e6edfb 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -219,6 +219,7 @@ int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 #endif
 
+#if defined(__i386__) || defined(__x86_64__)
 /*!
  * \brief Simulate an external vectored interrupt
  *
@@ -231,36 +232,6 @@ int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
  */
 int kvm_inject_irq(CPUState *env, unsigned irq);
 
-#if defined(__i386__) || defined(__x86_64__)
-/*!
- * \brief Setup a vcpu's cpuid instruction emulation
- *
- * Set up a table of cpuid function to cpuid outputs.\n
- *
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should be initialized
- * \param nent number of entries to be installed
- * \param entries cpuid function entries table
- * \return 0 on success, or -errno on error
- */
-int kvm_setup_cpuid(CPUState *env, int nent,
-                    struct kvm_cpuid_entry *entries);
-
-/*!
- * \brief Setup a vcpu's cpuid instruction emulation
- *
- * Set up a table of cpuid function to cpuid outputs.
- * This call replaces the older kvm_setup_cpuid interface by adding a few
- * parameters to support cpuid functions that have sub-leaf values.
- *
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should be initialized
- * \param nent number of entries to be installed
- * \param entries cpuid function entries table
- * \return 0 on success, or -errno on error
- */
-int kvm_setup_cpuid2(CPUState *env, int nent,
-                     struct kvm_cpuid_entry2 *entries);
 
 /*!
  * \brief Setting the number of shadow pages to be allocated to the vm
commit 661a1799ba6544a54888283db19dd51469da01e5
Author: Paul Brook <paul at codesourcery.com>
Date:   Sat Nov 27 11:56:02 2010 +0000

    Add pcnet-pci.c
    
    Add file missing from last commit.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/hw/pcnet-pci.c b/hw/pcnet-pci.c
new file mode 100644
index 0000000..3dfbe46
--- /dev/null
+++ b/hw/pcnet-pci.c
@@ -0,0 +1,345 @@
+/*
+ * QEMU AMD PC-Net II (Am79C970A) PCI emulation
+ *
+ * Copyright (c) 2004 Antony T Curtis
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/* This software was written to be compatible with the specification:
+ * AMD Am79C970A PCnet-PCI II Ethernet Controller Data-Sheet
+ * AMD Publication# 19436  Rev:E  Amendment/0  Issue Date: June 2000
+ */
+
+#include "pci.h"
+#include "net.h"
+#include "loader.h"
+#include "qemu-timer.h"
+
+#include "pcnet.h"
+
+//#define PCNET_DEBUG
+//#define PCNET_DEBUG_IO
+//#define PCNET_DEBUG_BCR
+//#define PCNET_DEBUG_CSR
+//#define PCNET_DEBUG_RMD
+//#define PCNET_DEBUG_TMD
+//#define PCNET_DEBUG_MATCH
+
+
+typedef struct {
+    PCIDevice pci_dev;
+    PCNetState state;
+} PCIPCNetState;
+
+static void pcnet_aprom_writeb(void *opaque, uint32_t addr, uint32_t val)
+{
+    PCNetState *s = opaque;
+#ifdef PCNET_DEBUG
+    printf("pcnet_aprom_writeb addr=0x%08x val=0x%02x\n", addr, val);
+#endif
+    /* Check APROMWE bit to enable write access */
+    if (pcnet_bcr_readw(s,2) & 0x100)
+        s->prom[addr & 15] = val;
+}
+
+static uint32_t pcnet_aprom_readb(void *opaque, uint32_t addr)
+{
+    PCNetState *s = opaque;
+    uint32_t val = s->prom[addr & 15];
+#ifdef PCNET_DEBUG
+    printf("pcnet_aprom_readb addr=0x%08x val=0x%02x\n", addr, val);
+#endif
+    return val;
+}
+
+static void pcnet_ioport_map(PCIDevice *pci_dev, int region_num,
+                             pcibus_t addr, pcibus_t size, int type)
+{
+    PCNetState *d = &DO_UPCAST(PCIPCNetState, pci_dev, pci_dev)->state;
+
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_ioport_map addr=0x%04"FMT_PCIBUS" size=0x%04"FMT_PCIBUS"\n",
+           addr, size);
+#endif
+
+    register_ioport_write(addr, 16, 1, pcnet_aprom_writeb, d);
+    register_ioport_read(addr, 16, 1, pcnet_aprom_readb, d);
+
+    register_ioport_write(addr + 0x10, 0x10, 2, pcnet_ioport_writew, d);
+    register_ioport_read(addr + 0x10, 0x10, 2, pcnet_ioport_readw, d);
+    register_ioport_write(addr + 0x10, 0x10, 4, pcnet_ioport_writel, d);
+    register_ioport_read(addr + 0x10, 0x10, 4, pcnet_ioport_readl, d);
+}
+
+static void pcnet_mmio_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
+{
+    PCNetState *d = opaque;
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_writeb addr=0x" TARGET_FMT_plx" val=0x%02x\n", addr,
+           val);
+#endif
+    if (!(addr & 0x10))
+        pcnet_aprom_writeb(d, addr & 0x0f, val);
+}
+
+static uint32_t pcnet_mmio_readb(void *opaque, target_phys_addr_t addr)
+{
+    PCNetState *d = opaque;
+    uint32_t val = -1;
+    if (!(addr & 0x10))
+        val = pcnet_aprom_readb(d, addr & 0x0f);
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_readb addr=0x" TARGET_FMT_plx " val=0x%02x\n", addr,
+           val & 0xff);
+#endif
+    return val;
+}
+
+static void pcnet_mmio_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
+{
+    PCNetState *d = opaque;
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_writew addr=0x" TARGET_FMT_plx " val=0x%04x\n", addr,
+           val);
+#endif
+    if (addr & 0x10)
+        pcnet_ioport_writew(d, addr & 0x0f, val);
+    else {
+        addr &= 0x0f;
+        pcnet_aprom_writeb(d, addr, val & 0xff);
+        pcnet_aprom_writeb(d, addr+1, (val & 0xff00) >> 8);
+    }
+}
+
+static uint32_t pcnet_mmio_readw(void *opaque, target_phys_addr_t addr)
+{
+    PCNetState *d = opaque;
+    uint32_t val = -1;
+    if (addr & 0x10)
+        val = pcnet_ioport_readw(d, addr & 0x0f);
+    else {
+        addr &= 0x0f;
+        val = pcnet_aprom_readb(d, addr+1);
+        val <<= 8;
+        val |= pcnet_aprom_readb(d, addr);
+    }
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_readw addr=0x" TARGET_FMT_plx" val = 0x%04x\n", addr,
+           val & 0xffff);
+#endif
+    return val;
+}
+
+static void pcnet_mmio_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
+{
+    PCNetState *d = opaque;
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_writel addr=0x" TARGET_FMT_plx" val=0x%08x\n", addr,
+           val);
+#endif
+    if (addr & 0x10)
+        pcnet_ioport_writel(d, addr & 0x0f, val);
+    else {
+        addr &= 0x0f;
+        pcnet_aprom_writeb(d, addr, val & 0xff);
+        pcnet_aprom_writeb(d, addr+1, (val & 0xff00) >> 8);
+        pcnet_aprom_writeb(d, addr+2, (val & 0xff0000) >> 16);
+        pcnet_aprom_writeb(d, addr+3, (val & 0xff000000) >> 24);
+    }
+}
+
+static uint32_t pcnet_mmio_readl(void *opaque, target_phys_addr_t addr)
+{
+    PCNetState *d = opaque;
+    uint32_t val;
+    if (addr & 0x10)
+        val = pcnet_ioport_readl(d, addr & 0x0f);
+    else {
+        addr &= 0x0f;
+        val = pcnet_aprom_readb(d, addr+3);
+        val <<= 8;
+        val |= pcnet_aprom_readb(d, addr+2);
+        val <<= 8;
+        val |= pcnet_aprom_readb(d, addr+1);
+        val <<= 8;
+        val |= pcnet_aprom_readb(d, addr);
+    }
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_readl addr=0x" TARGET_FMT_plx " val=0x%08x\n", addr,
+           val);
+#endif
+    return val;
+}
+
+static const VMStateDescription vmstate_pci_pcnet = {
+    .name = "pcnet",
+    .version_id = 3,
+    .minimum_version_id = 2,
+    .minimum_version_id_old = 2,
+    .fields      = (VMStateField []) {
+        VMSTATE_PCI_DEVICE(pci_dev, PCIPCNetState),
+        VMSTATE_STRUCT(state, PCIPCNetState, 0, vmstate_pcnet, PCNetState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+/* PCI interface */
+
+static CPUWriteMemoryFunc * const pcnet_mmio_write[] = {
+    &pcnet_mmio_writeb,
+    &pcnet_mmio_writew,
+    &pcnet_mmio_writel
+};
+
+static CPUReadMemoryFunc * const pcnet_mmio_read[] = {
+    &pcnet_mmio_readb,
+    &pcnet_mmio_readw,
+    &pcnet_mmio_readl
+};
+
+static void pcnet_mmio_map(PCIDevice *pci_dev, int region_num,
+                            pcibus_t addr, pcibus_t size, int type)
+{
+    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev, pci_dev);
+
+#ifdef PCNET_DEBUG_IO
+    printf("pcnet_mmio_map addr=0x%08"FMT_PCIBUS" 0x%08"FMT_PCIBUS"\n",
+           addr, size);
+#endif
+
+    cpu_register_physical_memory(addr, PCNET_PNPMMIO_SIZE, d->state.mmio_index);
+}
+
+static void pci_physical_memory_write(void *dma_opaque, target_phys_addr_t addr,
+                                      uint8_t *buf, int len, int do_bswap)
+{
+    cpu_physical_memory_write(addr, buf, len);
+}
+
+static void pci_physical_memory_read(void *dma_opaque, target_phys_addr_t addr,
+                                     uint8_t *buf, int len, int do_bswap)
+{
+    cpu_physical_memory_read(addr, buf, len);
+}
+
+static void pci_pcnet_cleanup(VLANClientState *nc)
+{
+    PCNetState *d = DO_UPCAST(NICState, nc, nc)->opaque;
+
+    pcnet_common_cleanup(d);
+}
+
+static int pci_pcnet_uninit(PCIDevice *dev)
+{
+    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev, dev);
+
+    cpu_unregister_io_memory(d->state.mmio_index);
+    qemu_del_timer(d->state.poll_timer);
+    qemu_free_timer(d->state.poll_timer);
+    qemu_del_vlan_client(&d->state.nic->nc);
+    return 0;
+}
+
+static NetClientInfo net_pci_pcnet_info = {
+    .type = NET_CLIENT_TYPE_NIC,
+    .size = sizeof(NICState),
+    .can_receive = pcnet_can_receive,
+    .receive = pcnet_receive,
+    .cleanup = pci_pcnet_cleanup,
+};
+
+static int pci_pcnet_init(PCIDevice *pci_dev)
+{
+    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev, pci_dev);
+    PCNetState *s = &d->state;
+    uint8_t *pci_conf;
+
+#if 0
+    printf("sizeof(RMD)=%d, sizeof(TMD)=%d\n",
+        sizeof(struct pcnet_RMD), sizeof(struct pcnet_TMD));
+#endif
+
+    pci_conf = pci_dev->config;
+
+    pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_AMD);
+    pci_config_set_device_id(pci_conf, PCI_DEVICE_ID_AMD_LANCE);
+    pci_set_word(pci_conf + PCI_STATUS,
+                 PCI_STATUS_FAST_BACK | PCI_STATUS_DEVSEL_MEDIUM);
+    pci_conf[PCI_REVISION_ID] = 0x10;
+    pci_config_set_class(pci_conf, PCI_CLASS_NETWORK_ETHERNET);
+
+    pci_set_word(pci_conf + PCI_SUBSYSTEM_VENDOR_ID, 0x0);
+    pci_set_word(pci_conf + PCI_SUBSYSTEM_ID, 0x0);
+
+    pci_conf[PCI_INTERRUPT_PIN] = 1; // interrupt pin 0
+    pci_conf[PCI_MIN_GNT] = 0x06;
+    pci_conf[PCI_MAX_LAT] = 0xff;
+
+    /* Handler for memory-mapped I/O */
+    s->mmio_index =
+      cpu_register_io_memory(pcnet_mmio_read, pcnet_mmio_write, &d->state);
+
+    pci_register_bar(pci_dev, 0, PCNET_IOPORT_SIZE,
+                           PCI_BASE_ADDRESS_SPACE_IO, pcnet_ioport_map);
+
+    pci_register_bar(pci_dev, 1, PCNET_PNPMMIO_SIZE,
+                           PCI_BASE_ADDRESS_SPACE_MEMORY, pcnet_mmio_map);
+
+    s->irq = pci_dev->irq[0];
+    s->phys_mem_read = pci_physical_memory_read;
+    s->phys_mem_write = pci_physical_memory_write;
+
+    if (!pci_dev->qdev.hotplugged) {
+        static int loaded = 0;
+        if (!loaded) {
+            rom_add_option("pxe-pcnet.bin");
+            loaded = 1;
+        }
+    }
+
+    return pcnet_common_init(&pci_dev->qdev, s, &net_pci_pcnet_info);
+}
+
+static void pci_reset(DeviceState *dev)
+{
+    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev.qdev, dev);
+
+    pcnet_h_reset(&d->state);
+}
+
+static PCIDeviceInfo pcnet_info = {
+    .qdev.name  = "pcnet",
+    .qdev.size  = sizeof(PCIPCNetState),
+    .qdev.reset = pci_reset,
+    .qdev.vmsd  = &vmstate_pci_pcnet,
+    .init       = pci_pcnet_init,
+    .exit       = pci_pcnet_uninit,
+    .qdev.props = (Property[]) {
+        DEFINE_NIC_PROPERTIES(PCIPCNetState, state.conf),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void pci_pcnet_register_devices(void)
+{
+    pci_qdev_register(&pcnet_info);
+}
+
+device_init(pci_pcnet_register_devices)
commit a4c75a21f3749b8dc5a8cc252bc57adb3f43453c
Author: Paul Brook <paul at codesourcery.com>
Date:   Sat Nov 27 11:23:34 2010 +0000

    Split out common pcnet code
    
    The core pcnet emulation code is used by both the PCI "pcnet" device
    and the SPARC "lance" device.  Split the common code frm the PCI code so
    that that can be configures independantly.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/Makefile.objs b/Makefile.objs
index 72c6c7f..13ba26f 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -222,7 +222,8 @@ hw-obj-$(CONFIG_PCI) += pcie.o pcie_port.o
 # PCI network cards
 hw-obj-$(CONFIG_NE2000_PCI) += ne2000.o
 hw-obj-$(CONFIG_EEPRO100_PCI) += eepro100.o
-hw-obj-$(CONFIG_PCNET_PCI) += pcnet.o
+hw-obj-$(CONFIG_PCNET_PCI) += pcnet-pci.o
+hw-obj-$(CONFIG_PCNET_COMMON) += pcnet.o
 
 hw-obj-$(CONFIG_SMC91C111) += smc91c111.o
 hw-obj-$(CONFIG_LAN9118) += lan9118.o
diff --git a/default-configs/pci.mak b/default-configs/pci.mak
index 0ddfb37..c74a99f 100644
--- a/default-configs/pci.mak
+++ b/default-configs/pci.mak
@@ -6,6 +6,7 @@ CONFIG_USB_OHCI=y
 CONFIG_NE2000_PCI=y
 CONFIG_EEPRO100_PCI=y
 CONFIG_PCNET_PCI=y
+CONFIG_PCNET_COMMON=y
 CONFIG_LSI_SCSI_PCI=y
 CONFIG_RTL8139_PCI=y
 CONFIG_E1000_PCI=y
diff --git a/default-configs/sparc-softmmu.mak b/default-configs/sparc-softmmu.mak
index 436d2a6..b0310c5 100644
--- a/default-configs/sparc-softmmu.mak
+++ b/default-configs/sparc-softmmu.mak
@@ -7,3 +7,4 @@ CONFIG_M48T59=y
 CONFIG_PTIMER=y
 CONFIG_FDC=y
 CONFIG_EMPTY_SLOT=y
+CONFIG_PCNET_COMMON=y
diff --git a/hw/pcnet.c b/hw/pcnet.c
index f970bda..37010b8 100644
--- a/hw/pcnet.c
+++ b/hw/pcnet.c
@@ -35,9 +35,8 @@
  * http://www.ibiblio.org/pub/historic-linux/early-ports/Sparc/NCR/NCR92C990.txt
  */
 
-#include "pci.h"
+#include "qdev.h"
 #include "net.h"
-#include "loader.h"
 #include "qemu-timer.h"
 #include "qemu_socket.h"
 
@@ -52,11 +51,6 @@
 //#define PCNET_DEBUG_MATCH
 
 
-typedef struct {
-    PCIDevice pci_dev;
-    PCNetState state;
-} PCIPCNetState;
-
 struct qemu_ether_header {
     uint8_t ether_dhost[6];
     uint8_t ether_shost[6];
@@ -704,7 +698,6 @@ static void pcnet_poll_timer(void *opaque);
 static uint32_t pcnet_csr_readw(PCNetState *s, uint32_t rap);
 static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value);
 static void pcnet_bcr_writew(PCNetState *s, uint32_t rap, uint32_t val);
-static uint32_t pcnet_bcr_readw(PCNetState *s, uint32_t rap);
 
 static void pcnet_s_reset(PCNetState *s)
 {
@@ -1538,7 +1531,7 @@ static void pcnet_bcr_writew(PCNetState *s, uint32_t rap, uint32_t val)
     }
 }
 
-static uint32_t pcnet_bcr_readw(PCNetState *s, uint32_t rap)
+uint32_t pcnet_bcr_readw(PCNetState *s, uint32_t rap)
 {
     uint32_t val;
     rap &= 127;
@@ -1595,27 +1588,6 @@ void pcnet_h_reset(void *opaque)
     pcnet_poll_timer(s);
 }
 
-static void pcnet_aprom_writeb(void *opaque, uint32_t addr, uint32_t val)
-{
-    PCNetState *s = opaque;
-#ifdef PCNET_DEBUG
-    printf("pcnet_aprom_writeb addr=0x%08x val=0x%02x\n", addr, val);
-#endif
-    /* Check APROMWE bit to enable write access */
-    if (pcnet_bcr_readw(s,2) & 0x100)
-        s->prom[addr & 15] = val;
-}
-
-static uint32_t pcnet_aprom_readb(void *opaque, uint32_t addr)
-{
-    PCNetState *s = opaque;
-    uint32_t val = s->prom[addr & 15];
-#ifdef PCNET_DEBUG
-    printf("pcnet_aprom_readb addr=0x%08x val=0x%02x\n", addr, val);
-#endif
-    return val;
-}
-
 void pcnet_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
 {
     PCNetState *s = opaque;
@@ -1668,7 +1640,7 @@ uint32_t pcnet_ioport_readw(void *opaque, uint32_t addr)
     return val;
 }
 
-static void pcnet_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
+void pcnet_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
 {
     PCNetState *s = opaque;
     pcnet_poll_timer(s);
@@ -1698,7 +1670,7 @@ static void pcnet_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
     pcnet_update_irq(s);
 }
 
-static uint32_t pcnet_ioport_readl(void *opaque, uint32_t addr)
+uint32_t pcnet_ioport_readl(void *opaque, uint32_t addr)
 {
     PCNetState *s = opaque;
     uint32_t val = -1;
@@ -1727,125 +1699,6 @@ static uint32_t pcnet_ioport_readl(void *opaque, uint32_t addr)
     return val;
 }
 
-static void pcnet_ioport_map(PCIDevice *pci_dev, int region_num,
-                             pcibus_t addr, pcibus_t size, int type)
-{
-    PCNetState *d = &DO_UPCAST(PCIPCNetState, pci_dev, pci_dev)->state;
-
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_ioport_map addr=0x%04"FMT_PCIBUS" size=0x%04"FMT_PCIBUS"\n",
-           addr, size);
-#endif
-
-    register_ioport_write(addr, 16, 1, pcnet_aprom_writeb, d);
-    register_ioport_read(addr, 16, 1, pcnet_aprom_readb, d);
-
-    register_ioport_write(addr + 0x10, 0x10, 2, pcnet_ioport_writew, d);
-    register_ioport_read(addr + 0x10, 0x10, 2, pcnet_ioport_readw, d);
-    register_ioport_write(addr + 0x10, 0x10, 4, pcnet_ioport_writel, d);
-    register_ioport_read(addr + 0x10, 0x10, 4, pcnet_ioport_readl, d);
-}
-
-static void pcnet_mmio_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
-{
-    PCNetState *d = opaque;
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_writeb addr=0x" TARGET_FMT_plx" val=0x%02x\n", addr,
-           val);
-#endif
-    if (!(addr & 0x10))
-        pcnet_aprom_writeb(d, addr & 0x0f, val);
-}
-
-static uint32_t pcnet_mmio_readb(void *opaque, target_phys_addr_t addr)
-{
-    PCNetState *d = opaque;
-    uint32_t val = -1;
-    if (!(addr & 0x10))
-        val = pcnet_aprom_readb(d, addr & 0x0f);
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_readb addr=0x" TARGET_FMT_plx " val=0x%02x\n", addr,
-           val & 0xff);
-#endif
-    return val;
-}
-
-static void pcnet_mmio_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
-{
-    PCNetState *d = opaque;
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_writew addr=0x" TARGET_FMT_plx " val=0x%04x\n", addr,
-           val);
-#endif
-    if (addr & 0x10)
-        pcnet_ioport_writew(d, addr & 0x0f, val);
-    else {
-        addr &= 0x0f;
-        pcnet_aprom_writeb(d, addr, val & 0xff);
-        pcnet_aprom_writeb(d, addr+1, (val & 0xff00) >> 8);
-    }
-}
-
-static uint32_t pcnet_mmio_readw(void *opaque, target_phys_addr_t addr)
-{
-    PCNetState *d = opaque;
-    uint32_t val = -1;
-    if (addr & 0x10)
-        val = pcnet_ioport_readw(d, addr & 0x0f);
-    else {
-        addr &= 0x0f;
-        val = pcnet_aprom_readb(d, addr+1);
-        val <<= 8;
-        val |= pcnet_aprom_readb(d, addr);
-    }
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_readw addr=0x" TARGET_FMT_plx" val = 0x%04x\n", addr,
-           val & 0xffff);
-#endif
-    return val;
-}
-
-static void pcnet_mmio_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
-{
-    PCNetState *d = opaque;
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_writel addr=0x" TARGET_FMT_plx" val=0x%08x\n", addr,
-           val);
-#endif
-    if (addr & 0x10)
-        pcnet_ioport_writel(d, addr & 0x0f, val);
-    else {
-        addr &= 0x0f;
-        pcnet_aprom_writeb(d, addr, val & 0xff);
-        pcnet_aprom_writeb(d, addr+1, (val & 0xff00) >> 8);
-        pcnet_aprom_writeb(d, addr+2, (val & 0xff0000) >> 16);
-        pcnet_aprom_writeb(d, addr+3, (val & 0xff000000) >> 24);
-    }
-}
-
-static uint32_t pcnet_mmio_readl(void *opaque, target_phys_addr_t addr)
-{
-    PCNetState *d = opaque;
-    uint32_t val;
-    if (addr & 0x10)
-        val = pcnet_ioport_readl(d, addr & 0x0f);
-    else {
-        addr &= 0x0f;
-        val = pcnet_aprom_readb(d, addr+3);
-        val <<= 8;
-        val |= pcnet_aprom_readb(d, addr+2);
-        val <<= 8;
-        val |= pcnet_aprom_readb(d, addr+1);
-        val <<= 8;
-        val |= pcnet_aprom_readb(d, addr);
-    }
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_readl addr=0x" TARGET_FMT_plx " val=0x%08x\n", addr,
-           val);
-#endif
-    return val;
-}
-
 static bool is_version_2(void *opaque, int version_id)
 {
     return version_id == 2;
@@ -1875,18 +1728,6 @@ const VMStateDescription vmstate_pcnet = {
     }
 };
 
-static const VMStateDescription vmstate_pci_pcnet = {
-    .name = "pcnet",
-    .version_id = 3,
-    .minimum_version_id = 2,
-    .minimum_version_id_old = 2,
-    .fields      = (VMStateField []) {
-        VMSTATE_PCI_DEVICE(pci_dev, PCIPCNetState),
-        VMSTATE_STRUCT(state, PCIPCNetState, 0, vmstate_pcnet, PCNetState),
-        VMSTATE_END_OF_LIST()
-    }
-};
-
 void pcnet_common_cleanup(PCNetState *d)
 {
     d->nic = NULL;
@@ -1901,147 +1742,3 @@ int pcnet_common_init(DeviceState *dev, PCNetState *s, NetClientInfo *info)
     qemu_format_nic_info_str(&s->nic->nc, s->conf.macaddr.a);
     return 0;
 }
-
-/* PCI interface */
-
-static CPUWriteMemoryFunc * const pcnet_mmio_write[] = {
-    &pcnet_mmio_writeb,
-    &pcnet_mmio_writew,
-    &pcnet_mmio_writel
-};
-
-static CPUReadMemoryFunc * const pcnet_mmio_read[] = {
-    &pcnet_mmio_readb,
-    &pcnet_mmio_readw,
-    &pcnet_mmio_readl
-};
-
-static void pcnet_mmio_map(PCIDevice *pci_dev, int region_num,
-                            pcibus_t addr, pcibus_t size, int type)
-{
-    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev, pci_dev);
-
-#ifdef PCNET_DEBUG_IO
-    printf("pcnet_mmio_map addr=0x%08"FMT_PCIBUS" 0x%08"FMT_PCIBUS"\n",
-           addr, size);
-#endif
-
-    cpu_register_physical_memory(addr, PCNET_PNPMMIO_SIZE, d->state.mmio_index);
-}
-
-static void pci_physical_memory_write(void *dma_opaque, target_phys_addr_t addr,
-                                      uint8_t *buf, int len, int do_bswap)
-{
-    cpu_physical_memory_write(addr, buf, len);
-}
-
-static void pci_physical_memory_read(void *dma_opaque, target_phys_addr_t addr,
-                                     uint8_t *buf, int len, int do_bswap)
-{
-    cpu_physical_memory_read(addr, buf, len);
-}
-
-static void pci_pcnet_cleanup(VLANClientState *nc)
-{
-    PCNetState *d = DO_UPCAST(NICState, nc, nc)->opaque;
-
-    pcnet_common_cleanup(d);
-}
-
-static int pci_pcnet_uninit(PCIDevice *dev)
-{
-    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev, dev);
-
-    cpu_unregister_io_memory(d->state.mmio_index);
-    qemu_del_timer(d->state.poll_timer);
-    qemu_free_timer(d->state.poll_timer);
-    qemu_del_vlan_client(&d->state.nic->nc);
-    return 0;
-}
-
-static NetClientInfo net_pci_pcnet_info = {
-    .type = NET_CLIENT_TYPE_NIC,
-    .size = sizeof(NICState),
-    .can_receive = pcnet_can_receive,
-    .receive = pcnet_receive,
-    .cleanup = pci_pcnet_cleanup,
-};
-
-static int pci_pcnet_init(PCIDevice *pci_dev)
-{
-    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev, pci_dev);
-    PCNetState *s = &d->state;
-    uint8_t *pci_conf;
-
-#if 0
-    printf("sizeof(RMD)=%d, sizeof(TMD)=%d\n",
-        sizeof(struct pcnet_RMD), sizeof(struct pcnet_TMD));
-#endif
-
-    pci_conf = pci_dev->config;
-
-    pci_config_set_vendor_id(pci_conf, PCI_VENDOR_ID_AMD);
-    pci_config_set_device_id(pci_conf, PCI_DEVICE_ID_AMD_LANCE);
-    pci_set_word(pci_conf + PCI_STATUS,
-                 PCI_STATUS_FAST_BACK | PCI_STATUS_DEVSEL_MEDIUM);
-    pci_conf[PCI_REVISION_ID] = 0x10;
-    pci_config_set_class(pci_conf, PCI_CLASS_NETWORK_ETHERNET);
-
-    pci_set_word(pci_conf + PCI_SUBSYSTEM_VENDOR_ID, 0x0);
-    pci_set_word(pci_conf + PCI_SUBSYSTEM_ID, 0x0);
-
-    pci_conf[PCI_INTERRUPT_PIN] = 1; // interrupt pin 0
-    pci_conf[PCI_MIN_GNT] = 0x06;
-    pci_conf[PCI_MAX_LAT] = 0xff;
-
-    /* Handler for memory-mapped I/O */
-    s->mmio_index =
-      cpu_register_io_memory(pcnet_mmio_read, pcnet_mmio_write, &d->state);
-
-    pci_register_bar(pci_dev, 0, PCNET_IOPORT_SIZE,
-                           PCI_BASE_ADDRESS_SPACE_IO, pcnet_ioport_map);
-
-    pci_register_bar(pci_dev, 1, PCNET_PNPMMIO_SIZE,
-                           PCI_BASE_ADDRESS_SPACE_MEMORY, pcnet_mmio_map);
-
-    s->irq = pci_dev->irq[0];
-    s->phys_mem_read = pci_physical_memory_read;
-    s->phys_mem_write = pci_physical_memory_write;
-
-    if (!pci_dev->qdev.hotplugged) {
-        static int loaded = 0;
-        if (!loaded) {
-            rom_add_option("pxe-pcnet.bin");
-            loaded = 1;
-        }
-    }
-
-    return pcnet_common_init(&pci_dev->qdev, s, &net_pci_pcnet_info);
-}
-
-static void pci_reset(DeviceState *dev)
-{
-    PCIPCNetState *d = DO_UPCAST(PCIPCNetState, pci_dev.qdev, dev);
-
-    pcnet_h_reset(&d->state);
-}
-
-static PCIDeviceInfo pcnet_info = {
-    .qdev.name  = "pcnet",
-    .qdev.size  = sizeof(PCIPCNetState),
-    .qdev.reset = pci_reset,
-    .qdev.vmsd  = &vmstate_pci_pcnet,
-    .init       = pci_pcnet_init,
-    .exit       = pci_pcnet_uninit,
-    .qdev.props = (Property[]) {
-        DEFINE_NIC_PROPERTIES(PCIPCNetState, state.conf),
-        DEFINE_PROP_END_OF_LIST(),
-    }
-};
-
-static void pcnet_register_devices(void)
-{
-    pci_qdev_register(&pcnet_info);
-}
-
-device_init(pcnet_register_devices)
diff --git a/hw/pcnet.h b/hw/pcnet.h
index efacc9f..534bdf9 100644
--- a/hw/pcnet.h
+++ b/hw/pcnet.h
@@ -32,6 +32,9 @@ struct PCNetState_st {
 void pcnet_h_reset(void *opaque);
 void pcnet_ioport_writew(void *opaque, uint32_t addr, uint32_t val);
 uint32_t pcnet_ioport_readw(void *opaque, uint32_t addr);
+void pcnet_ioport_writel(void *opaque, uint32_t addr, uint32_t val);
+uint32_t pcnet_ioport_readl(void *opaque, uint32_t addr);
+uint32_t pcnet_bcr_readw(PCNetState *s, uint32_t rap);
 int pcnet_can_receive(VLANClientState *nc);
 ssize_t pcnet_receive(VLANClientState *nc, const uint8_t *buf, size_t size_);
 void pcnet_common_cleanup(PCNetState *d);
commit 129cac5b5af110cfa94eae1a570c33ce795f0104
Author: Paul Brook <paul at codesourcery.com>
Date:   Sat Nov 27 10:33:55 2010 +0000

    Remove PCI from sparc32 target
    
    None of the (current) sparc32 machines have a PCI bus, so remove the PCI
    code from these configs.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/default-configs/sparc-softmmu.mak b/default-configs/sparc-softmmu.mak
index 7c788b8..436d2a6 100644
--- a/default-configs/sparc-softmmu.mak
+++ b/default-configs/sparc-softmmu.mak
@@ -1,6 +1,5 @@
 # Default configuration for sparc-softmmu
 
-include pci.mak
 CONFIG_ECC=y
 CONFIG_ESP=y
 CONFIG_ESCC=y
commit cf66924f81f022942e14b4e613f1bf0dd2bdf0eb
Author: Paul Brook <paul at codesourcery.com>
Date:   Sat Nov 27 00:43:04 2010 +0000

    Detect missing config includes
    
    Terminate make_device_config.sh if the awk command fails.
    Typically this means a missing file.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/make_device_config.sh b/make_device_config.sh
index 59f267b..8abadfe 100644
--- a/make_device_config.sh
+++ b/make_device_config.sh
@@ -18,7 +18,8 @@ process_includes () {
 
 f=$src
 while [ -n "$f" ] ; do
-  f=`awk '/^include / {print "'$src_dir'/" $2}' $f`
+  f=`awk '/^include / {ORS=" " ; print "'$src_dir'/" $2}' $f`
+  [ $? = 0 ] || exit 1
   all_includes="$all_includes $f"
 done
 process_includes $src > $dest
commit 050e27c8c942151c0685342fe2cbac6a80eb1325
Author: Paul Brook <paul at codesourcery.com>
Date:   Sat Nov 27 00:34:15 2010 +0000

    Fix previous commit
    
    Fix breakage from previous commit (missing pci.mak, and incorrect
    include in default-configs/s390x-softmmu.mak).
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/default-configs/cris-softmmu.mak b/default-configs/cris-softmmu.mak
index 5f1fd1e..1a479cd 100644
--- a/default-configs/cris-softmmu.mak
+++ b/default-configs/cris-softmmu.mak
@@ -1,6 +1,5 @@
 # Default configuration for cris-softmmu
 
-#include pci.mak
 CONFIG_NAND=y
 CONFIG_PTIMER=y
 CONFIG_PFLASH_CFI02=y
diff --git a/default-configs/pci.mak b/default-configs/pci.mak
new file mode 100644
index 0000000..0ddfb37
--- /dev/null
+++ b/default-configs/pci.mak
@@ -0,0 +1,11 @@
+CONFIG_PCI=y
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO=y
+CONFIG_USB_UHCI=y
+CONFIG_USB_OHCI=y
+CONFIG_NE2000_PCI=y
+CONFIG_EEPRO100_PCI=y
+CONFIG_PCNET_PCI=y
+CONFIG_LSI_SCSI_PCI=y
+CONFIG_RTL8139_PCI=y
+CONFIG_E1000_PCI=y
diff --git a/default-configs/s390x-softmmu.mak b/default-configs/s390x-softmmu.mak
index 16d7259..3005729 100644
--- a/default-configs/s390x-softmmu.mak
+++ b/default-configs/s390x-softmmu.mak
@@ -1 +1 @@
-include virtio.mak
+CONFIG_VIRTIO=y
commit 01af7daf5596e8860c71e72349e1d539b81d9c80
Author: Paul Brook <paul at codesourcery.com>
Date:   Fri Nov 26 22:08:48 2010 +0000

    VirtIO config option
    
    Make virtio devices optional.  Selecting individual devices is not useful
    as the host bindings are all in one file.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/Makefile.objs b/Makefile.objs
index 9e85b04..72c6c7f 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -42,6 +42,11 @@ net-nested-$(CONFIG_SLIRP) += slirp.o
 net-nested-$(CONFIG_VDE) += vde.o
 net-obj-y += $(addprefix net/, $(net-nested-y))
 
+ifeq ($(CONFIG_VIRTIO)$(CONFIG_VIRTFS),yy)
+# Lots of the fsdev/9pcode is pulled in by vl.c via qemu_fsdev_add.
+# only pull in the actual virtio-9p device if we also enabled virtio.
+CONFIG_REALLY_VIRTFS=y
+endif
 fsdev-nested-$(CONFIG_VIRTFS) = qemu-fsdev.o
 fsdev-obj-$(CONFIG_VIRTFS) += $(addprefix fsdev/, $(fsdev-nested-y))
 
@@ -159,7 +164,7 @@ user-obj-y += cutils.o cache-utils.o
 
 hw-obj-y =
 hw-obj-y += vl.o loader.o
-hw-obj-y += virtio.o virtio-console.o
+hw-obj-$(CONFIG_VIRTIO) += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o
 # FIXME: Core PCI code and its direct dependencies are required by the
 # QMP query-pci command.
@@ -264,7 +269,8 @@ sound-obj-$(CONFIG_HDA) += intel-hda.o hda-audio.o
 adlib.o fmopl.o: QEMU_CFLAGS += -DBUILD_Y8950=0
 hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
 
-hw-obj-$(CONFIG_VIRTFS) += virtio-9p-debug.o virtio-9p-local.o virtio-9p-xattr.o
+hw-obj-$(CONFIG_REALLY_VIRTFS) += virtio-9p-debug.o
+hw-obj-$(CONFIG_VIRTFS) += virtio-9p-local.o virtio-9p-xattr.o
 hw-obj-$(CONFIG_VIRTFS) += virtio-9p-xattr-user.o virtio-9p-posix-acl.o
 
 ######################################################################
diff --git a/Makefile.target b/Makefile.target
index 853045a..5784844 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -188,11 +188,11 @@ ifdef CONFIG_SOFTMMU
 obj-y = arch_init.o cpus.o monitor.o machine.o gdbstub.o balloon.o
 # virtio has to be here due to weird dependency between PCI and virtio-net.
 # need to fix this properly
-obj-y += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
+obj-$(CONFIG_VIRTIO) += virtio-blk.o virtio-balloon.o virtio-net.o virtio-serial-bus.o
 obj-$(CONFIG_VIRTIO_PCI) += virtio-pci.o
 obj-y += vhost_net.o
 obj-$(CONFIG_VHOST_NET) += vhost.o
-obj-$(CONFIG_VIRTFS) += virtio-9p.o
+obj-$(CONFIG_REALLY_VIRTFS) += virtio-9p.o
 obj-y += rwhandler.o
 obj-$(CONFIG_KVM) += kvm.o kvm-all.o
 obj-$(CONFIG_NO_KVM) += kvm-stub.o
diff --git a/default-configs/s390x-softmmu.mak b/default-configs/s390x-softmmu.mak
index e69de29..16d7259 100644
--- a/default-configs/s390x-softmmu.mak
+++ b/default-configs/s390x-softmmu.mak
@@ -0,0 +1 @@
+include virtio.mak
commit f8f5cfbaa49387a513fddd9c9bf1aeb0ecc64cce
Author: Paul Brook <paul at codesourcery.com>
Date:   Fri Nov 26 21:39:42 2010 +0000

    PCI config include
    
    Split PCI config options into a separate file
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/Makefile.objs b/Makefile.objs
index 4f4aba3..9e85b04 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -161,8 +161,11 @@ hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-y += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o
-hw-obj-$(CONFIG_PCI) += pci.o pci_host.o pcie_host.o pci_bridge.o
-hw-obj-y += ioh3420.o xio3130_upstream.o xio3130_downstream.o
+# FIXME: Core PCI code and its direct dependencies are required by the
+# QMP query-pci command.
+hw-obj-y += pci.o pci_bridge.o msix.o msi.o
+hw-obj-$(CONFIG_PCI) += pci_host.o pcie_host.o
+hw-obj-$(CONFIG_PCI) += ioh3420.o xio3130_upstream.o xio3130_downstream.o
 hw-obj-y += watchdog.o
 hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
 hw-obj-$(CONFIG_ECC) += ecc.o
@@ -207,15 +210,14 @@ hw-obj-$(CONFIG_PPCE500_PCI) += ppce500_pci.o
 hw-obj-$(CONFIG_PIIX4) += piix4.o
 
 # PCI watchdog devices
-hw-obj-y += wdt_i6300esb.o
+hw-obj-$(CONFIG_PCI) += wdt_i6300esb.o
 
-hw-obj-y += pcie.o pcie_port.o
-hw-obj-y += msix.o msi.o
+hw-obj-$(CONFIG_PCI) += pcie.o pcie_port.o
 
 # PCI network cards
-hw-obj-y += ne2000.o
-hw-obj-y += eepro100.o
-hw-obj-y += pcnet.o
+hw-obj-$(CONFIG_NE2000_PCI) += ne2000.o
+hw-obj-$(CONFIG_EEPRO100_PCI) += eepro100.o
+hw-obj-$(CONFIG_PCNET_PCI) += pcnet.o
 
 hw-obj-$(CONFIG_SMC91C111) += smc91c111.o
 hw-obj-$(CONFIG_LAN9118) += lan9118.o
@@ -232,7 +234,7 @@ hw-obj-$(CONFIG_IDE_MACIO) += ide/macio.o
 hw-obj-$(CONFIG_IDE_VIA) += ide/via.o
 
 # SCSI layer
-hw-obj-y += lsi53c895a.o
+hw-obj-$(CONFIG_LSI_SCSI_PCI) += lsi53c895a.o
 hw-obj-$(CONFIG_ESP) += esp.o
 
 hw-obj-y += dma-helpers.o sysbus.o isa-bus.o
diff --git a/Makefile.target b/Makefile.target
index 2800f47..853045a 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -210,8 +210,8 @@ obj-$(CONFIG_XEN) += xen_machine_pv.o xen_domainbuild.o
 obj-$(CONFIG_USB_OHCI) += usb-ohci.o
 
 # PCI network cards
-obj-y += rtl8139.o
-obj-y += e1000.o
+obj-$(CONFIG_RTL8139_PCI) += rtl8139.o
+obj-$(CONFIG_E1000_PCI) += e1000.o
 
 # Inter-VM PCI shared memory
 obj-$(CONFIG_KVM) += ivshmem.o
diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index e7a4e84..ac48dc1 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -1,7 +1,7 @@
 # Default configuration for arm-softmmu
 
+include pci.mak
 CONFIG_GDBSTUB_XML=y
-CONFIG_USB_OHCI=y
 CONFIG_ISA_MMIO=y
 CONFIG_NAND=y
 CONFIG_ECC=y
@@ -25,6 +25,5 @@ CONFIG_SSI_SD=y
 CONFIG_LAN9118=y
 CONFIG_SMC91C111=y
 CONFIG_DS1338=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
diff --git a/default-configs/cris-softmmu.mak b/default-configs/cris-softmmu.mak
index e0d2cab..5f1fd1e 100644
--- a/default-configs/cris-softmmu.mak
+++ b/default-configs/cris-softmmu.mak
@@ -1,6 +1,6 @@
 # Default configuration for cris-softmmu
 
+#include pci.mak
 CONFIG_NAND=y
 CONFIG_PTIMER=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_PFLASH_CFI02=y
diff --git a/default-configs/i386-softmmu.mak b/default-configs/i386-softmmu.mak
index ed00471..ce905d2 100644
--- a/default-configs/i386-softmmu.mak
+++ b/default-configs/i386-softmmu.mak
@@ -1,6 +1,6 @@
 # Default configuration for i386-softmmu
 
-CONFIG_USB_OHCI=y
+include pci.mak
 CONFIG_VGA_PCI=y
 CONFIG_VGA_ISA=y
 CONFIG_VMWARE_VGA=y
@@ -9,7 +9,6 @@ CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
-CONFIG_USB_UHCI=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
@@ -22,4 +21,3 @@ CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
 CONFIG_PIIX_PCI=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
diff --git a/default-configs/m68k-softmmu.mak b/default-configs/m68k-softmmu.mak
index 69ca3ed..3e2ec37 100644
--- a/default-configs/m68k-softmmu.mak
+++ b/default-configs/m68k-softmmu.mak
@@ -1,5 +1,5 @@
 # Default configuration for m68k-softmmu
 
+include pci.mak
 CONFIG_GDBSTUB_XML=y
 CONFIG_PTIMER=y
-CONFIG_VIRTIO_PCI=y
diff --git a/default-configs/microblaze-softmmu.mak b/default-configs/microblaze-softmmu.mak
index 6c4f4f2..4399b8b 100644
--- a/default-configs/microblaze-softmmu.mak
+++ b/default-configs/microblaze-softmmu.mak
@@ -1,5 +1,4 @@
 # Default configuration for microblaze-softmmu
 
 CONFIG_PTIMER=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_PFLASH_CFI01=y
diff --git a/default-configs/mips-softmmu.mak b/default-configs/mips-softmmu.mak
index 3d0af83..565e611 100644
--- a/default-configs/mips-softmmu.mak
+++ b/default-configs/mips-softmmu.mak
@@ -1,5 +1,6 @@
 # Default configuration for mips-softmmu
 
+include pci.mak
 CONFIG_ISA_MMIO=y
 CONFIG_ESP=y
 CONFIG_VGA_PCI=y
@@ -11,7 +12,6 @@ CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
-CONFIG_USB_UHCI=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
@@ -24,7 +24,6 @@ CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_RC4030=y
 CONFIG_DP8393X=y
 CONFIG_DS1225Y=y
diff --git a/default-configs/mips64-softmmu.mak b/default-configs/mips64-softmmu.mak
index 0030de4..03bd8eb 100644
--- a/default-configs/mips64-softmmu.mak
+++ b/default-configs/mips64-softmmu.mak
@@ -1,5 +1,6 @@
 # Default configuration for mips64-softmmu
 
+include pci.mak
 CONFIG_ISA_MMIO=y
 CONFIG_ESP=y
 CONFIG_VGA_PCI=y
@@ -11,7 +12,6 @@ CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
-CONFIG_USB_UHCI=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
@@ -24,7 +24,6 @@ CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_RC4030=y
 CONFIG_DP8393X=y
 CONFIG_DS1225Y=y
diff --git a/default-configs/mips64el-softmmu.mak b/default-configs/mips64el-softmmu.mak
index fa2a3ff..4661617 100644
--- a/default-configs/mips64el-softmmu.mak
+++ b/default-configs/mips64el-softmmu.mak
@@ -1,5 +1,6 @@
 # Default configuration for mips64el-softmmu
 
+include pci.mak
 CONFIG_ISA_MMIO=y
 CONFIG_ESP=y
 CONFIG_VGA_PCI=y
@@ -11,7 +12,6 @@ CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
-CONFIG_USB_UHCI=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
@@ -25,7 +25,6 @@ CONFIG_IDE_PIIX=y
 CONFIG_IDE_VIA=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_RC4030=y
 CONFIG_DP8393X=y
 CONFIG_DS1225Y=y
diff --git a/default-configs/mipsel-softmmu.mak b/default-configs/mipsel-softmmu.mak
index 238b73a..92fc473 100644
--- a/default-configs/mipsel-softmmu.mak
+++ b/default-configs/mipsel-softmmu.mak
@@ -1,5 +1,6 @@
 # Default configuration for mipsel-softmmu
 
+include pci.mak
 CONFIG_ISA_MMIO=y
 CONFIG_ESP=y
 CONFIG_VGA_PCI=y
@@ -11,7 +12,6 @@ CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
-CONFIG_USB_UHCI=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
@@ -24,7 +24,6 @@ CONFIG_IDE_ISA=y
 CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_RC4030=y
 CONFIG_DP8393X=y
 CONFIG_DS1225Y=y
diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index 940f4bf..f1cb99e 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -1,7 +1,7 @@
 # Default configuration for ppc-softmmu
 
+include pci.mak
 CONFIG_GDBSTUB_XML=y
-CONFIG_USB_OHCI=y
 CONFIG_ISA_MMIO=y
 CONFIG_ESCC=y
 CONFIG_M48T59=y
@@ -31,7 +31,6 @@ CONFIG_IDE_CMD646=y
 CONFIG_IDE_MACIO=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_PTIMER=y
diff --git a/default-configs/ppc64-softmmu.mak b/default-configs/ppc64-softmmu.mak
index e1bc6b8..83cbe97 100644
--- a/default-configs/ppc64-softmmu.mak
+++ b/default-configs/ppc64-softmmu.mak
@@ -1,7 +1,7 @@
 # Default configuration for ppc64-softmmu
 
+include pci.mak
 CONFIG_GDBSTUB_XML=y
-CONFIG_USB_OHCI=y
 CONFIG_ISA_MMIO=y
 CONFIG_ESCC=y
 CONFIG_M48T59=y
@@ -31,7 +31,6 @@ CONFIG_IDE_CMD646=y
 CONFIG_IDE_MACIO=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_PTIMER=y
diff --git a/default-configs/ppcemb-softmmu.mak b/default-configs/ppcemb-softmmu.mak
index 8f1cc09..2b52d4a 100644
--- a/default-configs/ppcemb-softmmu.mak
+++ b/default-configs/ppcemb-softmmu.mak
@@ -1,7 +1,7 @@
 # Default configuration for ppcemb-softmmu
 
+include pci.mak
 CONFIG_GDBSTUB_XML=y
-CONFIG_USB_OHCI=y
 CONFIG_ISA_MMIO=y
 CONFIG_ESCC=y
 CONFIG_M48T59=y
@@ -31,7 +31,6 @@ CONFIG_IDE_CMD646=y
 CONFIG_IDE_MACIO=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_PTIMER=y
diff --git a/default-configs/sh4-softmmu.mak b/default-configs/sh4-softmmu.mak
index 866ed7d..87247a4 100644
--- a/default-configs/sh4-softmmu.mak
+++ b/default-configs/sh4-softmmu.mak
@@ -1,9 +1,8 @@
 # Default configuration for sh4-softmmu
 
-CONFIG_USB_OHCI=y
+include pci.mak
 CONFIG_SERIAL=y
 CONFIG_PTIMER=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_IDE_CORE=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_ISA_MMIO=y
diff --git a/default-configs/sh4eb-softmmu.mak b/default-configs/sh4eb-softmmu.mak
index e3e08b7..5b8a16e 100644
--- a/default-configs/sh4eb-softmmu.mak
+++ b/default-configs/sh4eb-softmmu.mak
@@ -1,9 +1,8 @@
 # Default configuration for sh4eb-softmmu
 
-CONFIG_USB_OHCI=y
+include pci.mak
 CONFIG_SERIAL=y
 CONFIG_PTIMER=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_IDE_CORE=y
 CONFIG_PFLASH_CFI02=y
 CONFIG_ISA_MMIO=y
diff --git a/default-configs/sparc-softmmu.mak b/default-configs/sparc-softmmu.mak
index becf880..7c788b8 100644
--- a/default-configs/sparc-softmmu.mak
+++ b/default-configs/sparc-softmmu.mak
@@ -1,10 +1,10 @@
 # Default configuration for sparc-softmmu
 
+include pci.mak
 CONFIG_ECC=y
 CONFIG_ESP=y
 CONFIG_ESCC=y
 CONFIG_M48T59=y
 CONFIG_PTIMER=y
 CONFIG_FDC=y
-CONFIG_VIRTIO_PCI=y
 CONFIG_EMPTY_SLOT=y
diff --git a/default-configs/sparc64-softmmu.mak b/default-configs/sparc64-softmmu.mak
index 1cc3f13..ecc3122 100644
--- a/default-configs/sparc64-softmmu.mak
+++ b/default-configs/sparc64-softmmu.mak
@@ -1,5 +1,6 @@
 # Default configuration for sparc64-softmmu
 
+include pci.mak
 CONFIG_ISA_MMIO=y
 CONFIG_M48T59=y
 CONFIG_PTIMER=y
@@ -13,4 +14,3 @@ CONFIG_IDE_QDEV=y
 CONFIG_IDE_PCI=y
 CONFIG_IDE_ISA=y
 CONFIG_IDE_CMD646=y
-CONFIG_VIRTIO_PCI=y
diff --git a/default-configs/x86_64-softmmu.mak b/default-configs/x86_64-softmmu.mak
index 5183203..7f22599 100644
--- a/default-configs/x86_64-softmmu.mak
+++ b/default-configs/x86_64-softmmu.mak
@@ -1,6 +1,6 @@
 # Default configuration for x86_64-softmmu
 
-CONFIG_USB_OHCI=y
+include pci.mak
 CONFIG_VGA_PCI=y
 CONFIG_VGA_ISA=y
 CONFIG_VMWARE_VGA=y
@@ -9,7 +9,6 @@ CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
-CONFIG_USB_UHCI=y
 CONFIG_FDC=y
 CONFIG_ACPI=y
 CONFIG_APM=y
@@ -22,4 +21,3 @@ CONFIG_IDE_PIIX=y
 CONFIG_NE2000_ISA=y
 CONFIG_PIIX_PCI=y
 CONFIG_SOUND=y
-CONFIG_VIRTIO_PCI=y
commit bd9141bb2e53195e3c1abf29275365d7f554beb5
Author: Paul Brook <paul at codesourcery.com>
Date:   Fri Nov 26 18:47:45 2010 +0000

    Include directives in default configs
    
    Allow default configs to be split into several files.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/Makefile b/Makefile
index 3389775..d3bc0f2 100644
--- a/Makefile
+++ b/Makefile
@@ -39,18 +39,19 @@ endif
 
 SUBDIR_MAKEFLAGS=$(if $(V),,--no-print-directory)
 SUBDIR_DEVICES_MAK=$(patsubst %, %/config-devices.mak, $(TARGET_DIRS))
+SUBDIR_DEVICES_MAK_DEP=$(patsubst %, %/config-devices.mak.d, $(TARGET_DIRS))
 
 config-all-devices.mak: $(SUBDIR_DEVICES_MAK)
 	$(call quiet-command,cat $(SUBDIR_DEVICES_MAK) | grep =y | sort -u > $@,"  GEN   $@")
 
+-include $(SUBDIR_DEVICES_MAK_DEP)
+
 %/config-devices.mak: default-configs/%.mak
-	$(call quiet-command,cat $< > $@.tmp, "  GEN   $@")
+	$(call quiet-command,$(SHELL) $(SRC_PATH)/make_device_config.sh $@ $<, "  GEN   $@")
 	@if test -f $@; then \
 	  if cmp -s $@.old $@; then \
-	    if ! cmp -s $@ $@.tmp; then \
-	      mv $@.tmp $@; \
-	      cp -p $@ $@.old; \
-	    fi; \
+	    mv $@.tmp $@; \
+	    cp -p $@ $@.old; \
 	  else \
 	    if test -f $@.old; then \
 	      echo "WARNING: $@ (user modified) out of date.";\
diff --git a/Makefile.objs b/Makefile.objs
index 23b17ce..4f4aba3 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -160,7 +160,8 @@ user-obj-y += cutils.o cache-utils.o
 hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-y += virtio.o virtio-console.o
-hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
+hw-obj-y += fw_cfg.o
+hw-obj-$(CONFIG_PCI) += pci.o pci_host.o pcie_host.o pci_bridge.o
 hw-obj-y += ioh3420.o xio3130_upstream.o xio3130_downstream.o
 hw-obj-y += watchdog.o
 hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
diff --git a/make_device_config.sh b/make_device_config.sh
new file mode 100644
index 0000000..59f267b
--- /dev/null
+++ b/make_device_config.sh
@@ -0,0 +1,27 @@
+#! /bin/sh
+# Construct a target device config file from a default, pulling in any
+# files from include directives.
+
+dest=$1.tmp
+dep=$1.d
+src=$2
+src_dir=`dirname $src`
+all_includes=
+
+process_includes () {
+  cat $1 | grep '^include' | \
+  while read include file ; do
+    all_includes="$all_includes $src_dir/$file"
+    process_includes $src_dir/$file
+  done
+}
+
+f=$src
+while [ -n "$f" ] ; do
+  f=`awk '/^include / {print "'$src_dir'/" $2}' $f`
+  all_includes="$all_includes $f"
+done
+process_includes $src > $dest
+
+cat $src $all_includes | grep -v '^include' > $dest
+echo "$1: $all_includes" > $dep
commit 6e14404aab26f74a448747d1e793ac16bde8a92b
Author: Paul Brook <paul at codesourcery.com>
Date:   Fri Nov 26 18:46:03 2010 +0000

    Add missing dependency.
    
    Teach Makefile that cmd.o depends on a generated header (specifically
    config-host.h).
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>

diff --git a/Makefile b/Makefile
index 4e120a2..3389775 100644
--- a/Makefile
+++ b/Makefile
@@ -150,7 +150,7 @@ version-obj-$(CONFIG_WIN32) += version.o
 ######################################################################
 
 qemu-img.o: qemu-img-cmds.h
-qemu-img.o qemu-tool.o qemu-nbd.o qemu-io.o: $(GENERATED_HEADERS)
+qemu-img.o qemu-tool.o qemu-nbd.o qemu-io.o cmd.o: $(GENERATED_HEADERS)
 
 qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(oslib-obj-y) $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
commit 11a3cb8159278f7452b5bec8b9e17292a3ef53c3
Author: Christoph Hellwig <hch at lst.de>
Date:   Fri Nov 26 14:32:34 2010 +0100

    raw-posix: raw_pwrite comment fixup
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/raw-posix.c b/block/raw-posix.c
index d0960b8..9286fb8 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -463,7 +463,7 @@ static int raw_pwrite(BlockDriverState *bs, int64_t offset,
                 count -= ret;
                 sum += ret;
             }
-            /* here, count < 512 because (count & ~sector_mask) == 0 */
+            /* here, count < sector_size because (count & ~sector_mask) == 0 */
             if (count) {
                 ret = raw_pread_aligned(bs, offset, s->aligned_buf,
                                      bs->buffer_alignment);
commit 2dd791b6302c73345f92dc9b107635787fcff938
Author: Hannes Reinecke <hare at suse.de>
Date:   Wed Nov 24 12:16:00 2010 +0100

    scsi-disk: Remove duplicate cdb parsing
    
    We parse the CDB twice, which is completely unnecessary.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Acked-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index d692fb0..6e49404 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1004,9 +1004,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
                                  uint8_t *buf, int lun)
 {
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
-    uint64_t lba;
     uint32_t len;
-    int cmdlen;
     int is_write;
     uint8_t command;
     uint8_t *outbuf;
@@ -1025,55 +1023,21 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     outbuf = (uint8_t *)r->iov.iov_base;
     is_write = 0;
     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
-    switch (command >> 5) {
-    case 0:
-        lba = (uint64_t) buf[3] | ((uint64_t) buf[2] << 8) |
-              (((uint64_t) buf[1] & 0x1f) << 16);
-        len = buf[4];
-        cmdlen = 6;
-        break;
-    case 1:
-    case 2:
-        lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) |
-              ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24);
-        len = buf[8] | (buf[7] << 8);
-        cmdlen = 10;
-        break;
-    case 4:
-        lba = (uint64_t) buf[9] | ((uint64_t) buf[8] << 8) |
-              ((uint64_t) buf[7] << 16) | ((uint64_t) buf[6] << 24) |
-              ((uint64_t) buf[5] << 32) | ((uint64_t) buf[4] << 40) |
-              ((uint64_t) buf[3] << 48) | ((uint64_t) buf[2] << 56);
-        len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);
-        cmdlen = 16;
-        break;
-    case 5:
-        lba = (uint64_t) buf[5] | ((uint64_t) buf[4] << 8) |
-              ((uint64_t) buf[3] << 16) | ((uint64_t) buf[2] << 24);
-        len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);
-        cmdlen = 12;
-        break;
-    default:
+
+    if (scsi_req_parse(&r->req, buf) != 0) {
         BADF("Unsupported command length, command %x\n", command);
         goto fail;
     }
 #ifdef DEBUG_SCSI
     {
         int i;
-        for (i = 1; i < cmdlen; i++) {
+        for (i = 1; i < r->req.cmd.len; i++) {
             printf(" 0x%02x", buf[i]);
         }
         printf("\n");
     }
 #endif
 
-    if (scsi_req_parse(&r->req, buf) != 0) {
-        BADF("Unsupported command length, command %x\n", command);
-        goto fail;
-    }
-    assert(r->req.cmd.len == cmdlen);
-    assert(r->req.cmd.lba == lba);
-
     if (lun || buf[1] >> 5) {
         /* Only LUN 0 supported.  */
         DPRINTF("Unimplemented LUN %d\n", lun ? lun : buf[1] >> 5);
@@ -1111,10 +1075,11 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     case READ_10:
     case READ_12:
     case READ_16:
-        DPRINTF("Read (sector %" PRId64 ", count %d)\n", lba, len);
-        if (lba > s->max_lba)
+        len = r->req.cmd.xfer / d->blocksize;
+        DPRINTF("Read (sector %" PRId64 ", count %d)\n", r->req.cmd.lba, len);
+        if (r->req.cmd.lba > s->max_lba)
             goto illegal_lba;
-        r->sector = lba * s->cluster_size;
+        r->sector = r->req.cmd.lba * s->cluster_size;
         r->sector_count = len * s->cluster_size;
         break;
     case WRITE_6:
@@ -1124,42 +1089,45 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     case WRITE_VERIFY:
     case WRITE_VERIFY_12:
     case WRITE_VERIFY_16:
+        len = r->req.cmd.xfer / d->blocksize;
         DPRINTF("Write %s(sector %" PRId64 ", count %d)\n",
-                (command & 0xe) == 0xe ? "And Verify " : "", lba, len);
-        if (lba > s->max_lba)
+                (command & 0xe) == 0xe ? "And Verify " : "",
+                r->req.cmd.lba, len);
+        if (r->req.cmd.lba > s->max_lba)
             goto illegal_lba;
-        r->sector = lba * s->cluster_size;
+        r->sector = r->req.cmd.lba * s->cluster_size;
         r->sector_count = len * s->cluster_size;
         is_write = 1;
         break;
     case MODE_SELECT:
-        DPRINTF("Mode Select(6) (len %d)\n", len);
+        DPRINTF("Mode Select(6) (len %lu)\n", (long)r->req.cmd.xfer);
         /* We don't support mode parameter changes.
            Allow the mode parameter header + block descriptors only. */
-        if (len > 12) {
+        if (r->req.cmd.xfer > 12) {
             goto fail;
         }
         break;
     case MODE_SELECT_10:
-        DPRINTF("Mode Select(10) (len %d)\n", len);
+        DPRINTF("Mode Select(10) (len %lu)\n", (long)r->req.cmd.xfer);
         /* We don't support mode parameter changes.
            Allow the mode parameter header + block descriptors only. */
-        if (len > 16) {
+        if (r->req.cmd.xfer > 16) {
             goto fail;
         }
         break;
     case SEEK_6:
     case SEEK_10:
-        DPRINTF("Seek(%d) (sector %" PRId64 ")\n", command == SEEK_6 ? 6 : 10, lba);
-        if (lba > s->max_lba) {
+        DPRINTF("Seek(%d) (sector %" PRId64 ")\n", command == SEEK_6 ? 6 : 10,
+                r->req.cmd.lba);
+        if (r->req.cmd.lba > s->max_lba) {
             goto illegal_lba;
         }
         break;
     default:
-	DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
+        DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
     fail:
         scsi_command_complete(r, CHECK_CONDITION, ILLEGAL_REQUEST);
-	return 0;
+        return 0;
     illegal_lba:
         scsi_command_complete(r, CHECK_CONDITION, HARDWARE_ERROR);
         return 0;
commit a6d96eb78bd1f87ab9d6a377f863f99be4b71538
Author: Hannes Reinecke <hare at suse.de>
Date:   Wed Nov 24 12:15:59 2010 +0100

    scsi: Move sense handling into the driver
    
    The current sense handling in scsi-bus is only used by the
    scsi-disk driver; the scsi-generic driver is using its own.
    So we should move the current sense handling into the
    scsi-disk driver.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Acked-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 74a08b7..93f0e9a 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -123,16 +123,6 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
     return res;
 }
 
-void scsi_dev_clear_sense(SCSIDevice *dev)
-{
-    memset(&dev->sense, 0, sizeof(dev->sense));
-}
-
-void scsi_dev_set_sense(SCSIDevice *dev, uint8_t key)
-{
-    dev->sense.key = key;
-}
-
 SCSIRequest *scsi_req_alloc(size_t size, SCSIDevice *d, uint32_t tag, uint32_t lun)
 {
     SCSIRequest *req;
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index c41dcfc..d692fb0 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -49,6 +49,10 @@ do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
 
 typedef struct SCSIDiskState SCSIDiskState;
 
+typedef struct SCSISense {
+    uint8_t key;
+} SCSISense;
+
 typedef struct SCSIDiskReq {
     SCSIRequest req;
     /* ??? We should probably keep track of whether the data transfer is
@@ -72,6 +76,7 @@ struct SCSIDiskState
     QEMUBH *bh;
     char *version;
     char *serial;
+    SCSISense sense;
 };
 
 static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type);
@@ -100,10 +105,22 @@ static SCSIDiskReq *scsi_find_request(SCSIDiskState *s, uint32_t tag)
     return DO_UPCAST(SCSIDiskReq, req, scsi_req_find(&s->qdev, tag));
 }
 
-static void scsi_req_set_status(SCSIRequest *req, int status, int sense_code)
+static void scsi_disk_clear_sense(SCSIDiskState *s)
 {
-    req->status = status;
-    scsi_dev_set_sense(req->dev, sense_code);
+    memset(&s->sense, 0, sizeof(s->sense));
+}
+
+static void scsi_disk_set_sense(SCSIDiskState *s, uint8_t key)
+{
+    s->sense.key = key;
+}
+
+static void scsi_req_set_status(SCSIDiskReq *r, int status, int sense_code)
+{
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
+
+    r->req.status = status;
+    scsi_disk_set_sense(s, sense_code);
 }
 
 /* Helper function for command completion.  */
@@ -111,7 +128,7 @@ static void scsi_command_complete(SCSIDiskReq *r, int status, int sense)
 {
     DPRINTF("Command complete tag=0x%x status=%d sense=%d\n",
             r->req.tag, status, sense);
-    scsi_req_set_status(&r->req, status, sense);
+    scsi_req_set_status(r, status, sense);
     scsi_req_complete(&r->req);
     scsi_remove_request(r);
 }
@@ -822,7 +839,7 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
             goto illegal_request;
         memset(outbuf, 0, 4);
         buflen = 4;
-        if (req->dev->sense.key == NOT_READY && req->cmd.xfer >= 18) {
+        if (s->sense.key == NOT_READY && req->cmd.xfer >= 18) {
             memset(outbuf, 0, 18);
             buflen = 18;
             outbuf[7] = 10;
@@ -832,8 +849,8 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
         }
         outbuf[0] = 0xf0;
         outbuf[1] = 0;
-        outbuf[2] = req->dev->sense.key;
-        scsi_dev_clear_sense(req->dev);
+        outbuf[2] = s->sense.key;
+        scsi_disk_clear_sense(s);
         break;
     case INQUIRY:
         buflen = scsi_disk_emulate_inquiry(req, outbuf);
@@ -966,7 +983,7 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
     default:
         goto illegal_request;
     }
-    scsi_req_set_status(req, GOOD, NO_SENSE);
+    scsi_req_set_status(r, GOOD, NO_SENSE);
     return buflen;
 
 not_ready:
diff --git a/hw/scsi.h b/hw/scsi.h
index 9c798ae..bf02adf 100644
--- a/hw/scsi.h
+++ b/hw/scsi.h
@@ -26,10 +26,6 @@ enum SCSIXferMode {
     SCSI_XFER_TO_DEV,    /*  WRITE, MODE_SELECT, ...         */
 };
 
-typedef struct SCSISense {
-    uint8_t key;
-} SCSISense;
-
 typedef struct SCSIRequest {
     SCSIBus           *bus;
     SCSIDevice        *dev;
@@ -57,7 +53,6 @@ struct SCSIDevice
     QTAILQ_HEAD(, SCSIRequest) requests;
     int blocksize;
     int type;
-    struct SCSISense sense;
 };
 
 /* cdrom.c */
@@ -102,9 +97,6 @@ static inline SCSIBus *scsi_bus_from_device(SCSIDevice *d)
 SCSIDevice *scsi_bus_legacy_add_drive(SCSIBus *bus, BlockDriverState *bdrv, int unit);
 int scsi_bus_legacy_handle_cmdline(SCSIBus *bus);
 
-void scsi_dev_clear_sense(SCSIDevice *dev);
-void scsi_dev_set_sense(SCSIDevice *dev, uint8_t key);
-
 SCSIRequest *scsi_req_alloc(size_t size, SCSIDevice *d, uint32_t tag, uint32_t lun);
 SCSIRequest *scsi_req_find(SCSIDevice *d, uint32_t tag);
 void scsi_req_free(SCSIRequest *req);
commit 39d989823f2c177415a22b84b354716a1f734b70
Author: Hannes Reinecke <hare at suse.de>
Date:   Wed Nov 24 12:15:58 2010 +0100

    scsi: INQUIRY VPD fixes
    
    We should announce and support the block device characterics page
    only on block devices, not on CDROMs. And the VPD page 0x83 has
    an off-by-one error.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Acked-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 7d85899..c41dcfc 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -398,15 +398,20 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
 
         switch (page_code) {
         case 0x00: /* Supported page codes, mandatory */
+        {
+            int pages;
             DPRINTF("Inquiry EVPD[Supported pages] "
                     "buffer size %zd\n", req->cmd.xfer);
-            outbuf[buflen++] = 4;    // number of pages
+            pages = buflen++;
             outbuf[buflen++] = 0x00; // list of supported pages (this page)
             outbuf[buflen++] = 0x80; // unit serial number
             outbuf[buflen++] = 0x83; // device identification
-            outbuf[buflen++] = 0xb0; // block device characteristics
+            if (bdrv_get_type_hint(s->bs) != BDRV_TYPE_CDROM) {
+                outbuf[buflen++] = 0xb0; // block device characteristics
+            }
+            outbuf[pages] = buflen - pages - 1; // number of pages
             break;
-
+        }
         case 0x80: /* Device serial number, optional */
         {
             int l = strlen(s->serial);
@@ -434,7 +439,7 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
             DPRINTF("Inquiry EVPD[Device identification] "
                     "buffer size %zd\n", req->cmd.xfer);
 
-            outbuf[buflen++] = 3 + id_len;
+            outbuf[buflen++] = 4 + id_len;
             outbuf[buflen++] = 0x2; // ASCII
             outbuf[buflen++] = 0;   // not officially assigned
             outbuf[buflen++] = 0;   // reserved
@@ -451,6 +456,11 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
             unsigned int opt_io_size =
                     s->qdev.conf.opt_io_size / s->qdev.blocksize;
 
+            if (bdrv_get_type_hint(s->bs) == BDRV_TYPE_CDROM) {
+                DPRINTF("Inquiry (EVPD[%02X] not supported for CDROM\n",
+                        page_code);
+                return -1;
+            }
             /* required VPD size with unmap support */
             outbuf[3] = buflen = 0x3c;
 
commit f017132793065abcdc4b9b78d7ca575eeb3de484
Author: Hannes Reinecke <hare at suse.de>
Date:   Wed Nov 24 12:15:57 2010 +0100

    scsi: Return SAM status codes
    
    Traditionally, the linux stack is using SCSI status codes
    which are shifted by one as compared to those defined in SAM.
    A SCSI emulation should naturally return the SAM defined codes,
    not the linux ones.
    So to avoid any confusion this patch modifies the existing
    definitions to match those found in SAM and removes any
    (now obsolete) byte-shift from the returned status codes.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Acked-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-defs.h b/hw/scsi-defs.h
index a4a3518..1473ecb 100644
--- a/hw/scsi-defs.h
+++ b/hw/scsi-defs.h
@@ -111,18 +111,20 @@
 #define BLANK 0xa1
 
 /*
- *  Status codes
+ *  SAM Status codes
  */
 
 #define GOOD                 0x00
-#define CHECK_CONDITION      0x01
-#define CONDITION_GOOD       0x02
-#define BUSY                 0x04
-#define INTERMEDIATE_GOOD    0x08
-#define INTERMEDIATE_C_GOOD  0x0a
-#define RESERVATION_CONFLICT 0x0c
-#define COMMAND_TERMINATED   0x11
-#define QUEUE_FULL           0x14
+#define CHECK_CONDITION      0x02
+#define CONDITION_GOOD       0x04
+#define BUSY                 0x08
+#define INTERMEDIATE_GOOD    0x10
+#define INTERMEDIATE_C_GOOD  0x14
+#define RESERVATION_CONFLICT 0x18
+#define COMMAND_TERMINATED   0x22
+#define TASK_SET_FULL        0x28
+#define ACA_ACTIVE           0x30
+#define TASK_ABORTED         0x40
 
 #define STATUS_MASK          0x3e
 
diff --git a/hw/scsi-generic.c b/hw/scsi-generic.c
index 7212091..9be1cca 100644
--- a/hw/scsi-generic.c
+++ b/hw/scsi-generic.c
@@ -96,17 +96,17 @@ static void scsi_command_complete(void *opaque, int ret)
         s->senselen = r->io_header.sb_len_wr;
 
     if (ret != 0)
-        r->req.status = BUSY << 1;
+        r->req.status = BUSY;
     else {
         if (s->driver_status & SG_ERR_DRIVER_TIMEOUT) {
-            r->req.status = BUSY << 1;
+            r->req.status = BUSY;
             BADF("Driver Timeout\n");
         } else if (r->io_header.status)
             r->req.status = r->io_header.status;
         else if (s->driver_status & SG_ERR_DRIVER_SENSE)
-            r->req.status = CHECK_CONDITION << 1;
+            r->req.status = CHECK_CONDITION;
         else
-            r->req.status = GOOD << 1;
+            r->req.status = GOOD;
     }
     DPRINTF("Command complete 0x%p tag=0x%x status=%d\n",
             r, r->req.tag, r->req.status);
@@ -333,7 +333,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
         s->senselen = 7;
         s->driver_status = SG_ERR_DRIVER_SENSE;
         bus = scsi_bus_from_device(d);
-        bus->complete(bus, SCSI_REASON_DONE, tag, CHECK_CONDITION << 1);
+        bus->complete(bus, SCSI_REASON_DONE, tag, CHECK_CONDITION);
         return 0;
     }
 
commit 622b520fb4ca50b5028485f1d225317ece0a42b9
Author: Hannes Reinecke <hare at suse.de>
Date:   Wed Nov 24 12:15:56 2010 +0100

    scsi: Increase the number of possible devices
    
    The SCSI parallel interface has a limit of 8 devices, but
    not the SCSI stack in general. So we should be removing the
    hard-coded limit and use MAX_SCSI_DEVS instead.
    And we only need to scan those devices which are allocated
    by the bus.
    
    Signed-off-by: Hannes Reinecke <hare at suse.de>
    Acked-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.h b/blockdev.h
index 2a0559e..4cb8ca9 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -32,7 +32,7 @@ struct DriveInfo {
 };
 
 #define MAX_IDE_DEVS	2
-#define MAX_SCSI_DEVS	7
+#define MAX_SCSI_DEVS	255
 
 DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
 int drive_get_max_bus(BlockInterfaceType type);
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 5a3fd4b..74a08b7 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -108,7 +108,7 @@ int scsi_bus_legacy_handle_cmdline(SCSIBus *bus)
     int res = 0, unit;
 
     loc_push_none(&loc);
-    for (unit = 0; unit < MAX_SCSI_DEVS; unit++) {
+    for (unit = 0; unit < bus->ndev; unit++) {
         dinfo = drive_get(IF_SCSI, bus->busnr, unit);
         if (dinfo == NULL) {
             continue;
diff --git a/hw/scsi.h b/hw/scsi.h
index cb06d6d..9c798ae 100644
--- a/hw/scsi.h
+++ b/hw/scsi.h
@@ -3,6 +3,7 @@
 
 #include "qdev.h"
 #include "block.h"
+#include "blockdev.h"
 #include "block_int.h"
 
 #define SCSI_CMD_BUF_SIZE     16
@@ -86,7 +87,7 @@ struct SCSIBus {
     int tcq, ndev;
     scsi_completionfn complete;
 
-    SCSIDevice *devs[8];
+    SCSIDevice *devs[MAX_SCSI_DEVS];
 };
 
 void scsi_bus_new(SCSIBus *bus, DeviceState *host, int tcq, int ndev,
commit 80465c5016f23d8b39efb36db2ca77a35f67eaef
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Nov 16 18:55:01 2010 +0100

    block: Remove unused s->hd in various drivers
    
    All drivers use bs->file instead of s->hd for quite a while now, so it's time
    to remove s->hd.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/block/qcow.c b/block/qcow.c
index 9cd547d..f67d3d3 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -54,7 +54,6 @@ typedef struct QCowHeader {
 #define L2_CACHE_SIZE 16
 
 typedef struct BDRVQcowState {
-    BlockDriverState *hd;
     int cluster_bits;
     int cluster_size;
     int cluster_sectors;
diff --git a/block/qcow2.h b/block/qcow2.h
index 2d22e5e..5217bea 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -79,7 +79,6 @@ typedef struct QCowSnapshot {
 } QCowSnapshot;
 
 typedef struct BDRVQcowState {
-    BlockDriverState *hd;
     int cluster_bits;
     int cluster_size;
     int cluster_sectors;
diff --git a/block/vdi.c b/block/vdi.c
index 3b51e53..ab8f70f 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -186,7 +186,6 @@ typedef struct {
 } VdiHeader;
 
 typedef struct {
-    BlockDriverState *hd;
     /* The block map entries are little endian (even in memory). */
     uint32_t *bmap;
     /* Size of block (bytes). */
diff --git a/block/vmdk.c b/block/vmdk.c
index 872aeba..8fc9d67 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -61,7 +61,6 @@ typedef struct {
 #define L2_CACHE_SIZE 16
 
 typedef struct BDRVVmdkState {
-    BlockDriverState *hd;
     int64_t l1_table_offset;
     int64_t l1_backup_table_offset;
     uint32_t *l1_table;
diff --git a/block/vpc.c b/block/vpc.c
index 416f489..21e2a68 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -110,8 +110,6 @@ struct vhd_dyndisk_header {
 };
 
 typedef struct BDRVVPCState {
-    BlockDriverState *hd;
-
     uint8_t footer_buf[HEADER_SIZE];
     uint64_t free_data_block_offset;
     int max_table_entries;
commit 5cbdebe39e08caf5a373ef1c03a0292d5af955ce
Author: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
Date:   Wed Nov 24 13:08:03 2010 +0000

    qemu and qemu-xen: support empty write barriers in xen_disk
    
    This patch can be applied to both qemu-xen and qemu and adds support
    for empty write barriers to xen_disk.
    
    Signed-off-by: Stefano Stabellini <stefano.stabellini at eu.citrix.com>
    Acked-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/xen_disk.c b/hw/xen_disk.c
index 134ac33..85a1c85 100644
--- a/hw/xen_disk.c
+++ b/hw/xen_disk.c
@@ -181,6 +181,10 @@ static int ioreq_parse(struct ioreq *ioreq)
 	ioreq->prot = PROT_WRITE; /* to memory */
 	break;
     case BLKIF_OP_WRITE_BARRIER:
+        if (!ioreq->req.nr_segments) {
+            ioreq->presync = 1;
+            return 0;
+        }
 	if (!syncwrite)
 	    ioreq->presync = ioreq->postsync = 1;
 	/* fall through */
@@ -305,7 +309,7 @@ static int ioreq_runio_qemu_sync(struct ioreq *ioreq)
     int i, rc, len = 0;
     off_t pos;
 
-    if (ioreq_map(ioreq) == -1)
+    if (ioreq->req.nr_segments && ioreq_map(ioreq) == -1)
 	goto err;
     if (ioreq->presync)
 	bdrv_flush(blkdev->bs);
@@ -329,6 +333,8 @@ static int ioreq_runio_qemu_sync(struct ioreq *ioreq)
 	break;
     case BLKIF_OP_WRITE:
     case BLKIF_OP_WRITE_BARRIER:
+        if (!ioreq->req.nr_segments)
+            break;
 	pos = ioreq->start;
 	for (i = 0; i < ioreq->v.niov; i++) {
 	    rc = bdrv_write(blkdev->bs, pos / BLOCK_SIZE,
@@ -386,7 +392,7 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
 {
     struct XenBlkDev *blkdev = ioreq->blkdev;
 
-    if (ioreq_map(ioreq) == -1)
+    if (ioreq->req.nr_segments && ioreq_map(ioreq) == -1)
 	goto err;
 
     ioreq->aio_inflight++;
@@ -403,6 +409,8 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
     case BLKIF_OP_WRITE:
     case BLKIF_OP_WRITE_BARRIER:
         ioreq->aio_inflight++;
+        if (!ioreq->req.nr_segments)
+            break;
         bdrv_aio_writev(blkdev->bs, ioreq->start / BLOCK_SIZE,
                         &ioreq->v, ioreq->v.size / BLOCK_SIZE,
                         qemu_aio_complete, ioreq);
commit 9fbef1ac7cc888f29435e9f636b5dd14cd3260df
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 21 18:29:52 2010 +0200

    ide: convert bmdma address ioport to ioport_register()
    
    cmd646, via compile tested, pci lightly boot tested.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c
index ff80dd5..dfe6091 100644
--- a/hw/ide/cmd646.c
+++ b/hw/ide/cmd646.c
@@ -179,12 +179,8 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
             register_ioport_read(addr, 4, 1, bmdma_readb_1, d);
         }
 
-        register_ioport_write(addr + 4, 4, 1, bmdma_addr_writeb, bm);
-        register_ioport_read(addr + 4, 4, 1, bmdma_addr_readb, bm);
-        register_ioport_write(addr + 4, 4, 2, bmdma_addr_writew, bm);
-        register_ioport_read(addr + 4, 4, 2, bmdma_addr_readw, bm);
-        register_ioport_write(addr + 4, 4, 4, bmdma_addr_writel, bm);
-        register_ioport_read(addr + 4, 4, 4, bmdma_addr_readl, bm);
+        iorange_init(&bm->addr_ioport, &bmdma_addr_ioport_ops, addr + 4, 4);
+        ioport_register(&bm->addr_ioport);
         addr += 8;
     }
 }
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index d652e06..85f4a16 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -8,6 +8,7 @@
  */
 #include <hw/ide.h>
 #include "block_int.h"
+#include "iorange.h"
 
 /* debug IDE devices */
 //#define DEBUG_IDE
@@ -496,6 +497,7 @@ struct BMDMAState {
     QEMUIOVector qiov;
     int64_t sector_num;
     uint32_t nsector;
+    IORange addr_ioport;
     QEMUBH *bh;
 };
 
diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index ec90f26..3722b77 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -73,72 +73,37 @@ void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val)
     }
 }
 
-uint32_t bmdma_addr_readb(void *opaque, uint32_t addr)
+static void bmdma_addr_read(IORange *ioport, uint64_t addr,
+                            unsigned width, uint64_t *data)
 {
-    BMDMAState *bm = opaque;
-    uint32_t val;
-    val = (bm->addr >> ((addr & 3) * 8)) & 0xff;
-#ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, val);
-#endif
-    return val;
-}
+    BMDMAState *bm = container_of(ioport, BMDMAState, addr_ioport);
+    uint32_t mask = (1ULL << (width * 8)) - 1;
 
-void bmdma_addr_writeb(void *opaque, uint32_t addr, uint32_t val)
-{
-    BMDMAState *bm = opaque;
-    int shift = (addr & 3) * 8;
+    *data = (bm->addr >> (addr * 8)) & mask;
 #ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, val);
+    printf("%s: 0x%08x\n", __func__, (unsigned)*data);
 #endif
-    bm->addr &= ~(0xFF << shift);
-    bm->addr |= ((val & 0xFF) << shift) & ~3;
-    bm->cur_addr = bm->addr;
 }
 
-uint32_t bmdma_addr_readw(void *opaque, uint32_t addr)
+static void bmdma_addr_write(IORange *ioport, uint64_t addr,
+                             unsigned width, uint64_t data)
 {
-    BMDMAState *bm = opaque;
-    uint32_t val;
-    val = (bm->addr >> ((addr & 3) * 8)) & 0xffff;
-#ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, val);
-#endif
-    return val;
-}
+    BMDMAState *bm = container_of(ioport, BMDMAState, addr_ioport);
+    int shift = addr * 8;
+    uint32_t mask = (1ULL << (width * 8)) - 1;
 
-void bmdma_addr_writew(void *opaque, uint32_t addr, uint32_t val)
-{
-    BMDMAState *bm = opaque;
-    int shift = (addr & 3) * 8;
 #ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, val);
+    printf("%s: 0x%08x\n", __func__, (unsigned)data);
 #endif
-    bm->addr &= ~(0xFFFF << shift);
-    bm->addr |= ((val & 0xFFFF) << shift) & ~3;
+    bm->addr &= ~(mask << shift);
+    bm->addr |= ((data & mask) << shift) & ~3;
     bm->cur_addr = bm->addr;
 }
 
-uint32_t bmdma_addr_readl(void *opaque, uint32_t addr)
-{
-    BMDMAState *bm = opaque;
-    uint32_t val;
-    val = bm->addr;
-#ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, val);
-#endif
-    return val;
-}
-
-void bmdma_addr_writel(void *opaque, uint32_t addr, uint32_t val)
-{
-    BMDMAState *bm = opaque;
-#ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, val);
-#endif
-    bm->addr = val & ~3;
-    bm->cur_addr = bm->addr;
-}
+const IORangeOps bmdma_addr_ioport_ops = {
+    .read = bmdma_addr_read,
+    .write = bmdma_addr_write,
+};
 
 static bool ide_bmdma_current_needed(void *opaque)
 {
diff --git a/hw/ide/pci.h b/hw/ide/pci.h
index d46a95e..b81b26c 100644
--- a/hw/ide/pci.h
+++ b/hw/ide/pci.h
@@ -11,12 +11,7 @@ typedef struct PCIIDEState {
 } PCIIDEState;
 
 void bmdma_cmd_writeb(void *opaque, uint32_t addr, uint32_t val);
-uint32_t bmdma_addr_readb(void *opaque, uint32_t addr);
-void bmdma_addr_writeb(void *opaque, uint32_t addr, uint32_t val);
-uint32_t bmdma_addr_readw(void *opaque, uint32_t addr);
-void bmdma_addr_writew(void *opaque, uint32_t addr, uint32_t val);
-uint32_t bmdma_addr_readl(void *opaque, uint32_t addr);
-void bmdma_addr_writel(void *opaque, uint32_t addr, uint32_t val);
+extern const IORangeOps bmdma_addr_ioport_ops;
 void pci_ide_create_devs(PCIDevice *dev, DriveInfo **hd_table);
 
 extern const VMStateDescription vmstate_ide_pci;
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index 07483e8..e02b89a 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -85,12 +85,8 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
         register_ioport_write(addr + 1, 3, 1, bmdma_writeb, bm);
         register_ioport_read(addr, 4, 1, bmdma_readb, bm);
 
-        register_ioport_write(addr + 4, 4, 1, bmdma_addr_writeb, bm);
-        register_ioport_read(addr + 4, 4, 1, bmdma_addr_readb, bm);
-        register_ioport_write(addr + 4, 4, 2, bmdma_addr_writew, bm);
-        register_ioport_read(addr + 4, 4, 2, bmdma_addr_readw, bm);
-        register_ioport_write(addr + 4, 4, 4, bmdma_addr_writel, bm);
-        register_ioport_read(addr + 4, 4, 4, bmdma_addr_readl, bm);
+        iorange_init(&bm->addr_ioport, &bmdma_addr_ioport_ops, addr + 4, 4);
+        ioport_register(&bm->addr_ioport);
         addr += 8;
     }
 }
diff --git a/hw/ide/via.c b/hw/ide/via.c
index b2c7cad..3e41d00 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -87,12 +87,8 @@ static void bmdma_map(PCIDevice *pci_dev, int region_num,
         register_ioport_write(addr + 1, 3, 1, bmdma_writeb, bm);
         register_ioport_read(addr, 4, 1, bmdma_readb, bm);
 
-        register_ioport_write(addr + 4, 4, 1, bmdma_addr_writeb, bm);
-        register_ioport_read(addr + 4, 4, 1, bmdma_addr_readb, bm);
-        register_ioport_write(addr + 4, 4, 2, bmdma_addr_writew, bm);
-        register_ioport_read(addr + 4, 4, 2, bmdma_addr_readw, bm);
-        register_ioport_write(addr + 4, 4, 4, bmdma_addr_writel, bm);
-        register_ioport_read(addr + 4, 4, 4, bmdma_addr_readl, bm);
+        iorange_init(&bm->addr_ioport, &bmdma_addr_ioport_ops, addr + 4, 4);
+        ioport_register(&bm->addr_ioport);
         addr += 8;
     }
 }
commit 62155e2b51e3c282ddc30adbb6d7b8d3bb7c386e
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Nov 12 16:07:50 2010 -0200

    block migration: do not submit multiple AIOs for same sector (v2)
    
    An old version of this patch was applied to master, so this contains the
    differences between v1 and v2.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block-migration.c b/block-migration.c
index 3e66f49..1475325 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -146,8 +146,7 @@ static int bmds_aio_inflight(BlkMigDevState *bmds, int64_t sector)
 {
     int64_t chunk = sector / (int64_t)BDRV_SECTORS_PER_DIRTY_CHUNK;
 
-    if (bmds->aio_bitmap &&
-        (sector << BDRV_SECTOR_BITS) < bdrv_getlength(bmds->bs)) {
+    if ((sector << BDRV_SECTOR_BITS) < bdrv_getlength(bmds->bs)) {
         return !!(bmds->aio_bitmap[chunk / (sizeof(unsigned long) * 8)] &
             (1UL << (chunk % (sizeof(unsigned long) * 8))));
     } else {
@@ -169,13 +168,9 @@ static void bmds_set_aio_inflight(BlkMigDevState *bmds, int64_t sector_num,
         bit = start % (sizeof(unsigned long) * 8);
         val = bmds->aio_bitmap[idx];
         if (set) {
-            if (!(val & (1UL << bit))) {
-                val |= 1UL << bit;
-            }
+            val |= 1UL << bit;
         } else {
-            if (val & (1UL << bit)) {
-                val &= ~(1UL << bit);
-            }
+            val &= ~(1UL << bit);
         }
         bmds->aio_bitmap[idx] = val;
     }
@@ -385,8 +380,9 @@ static int mig_save_device_dirty(Monitor *mon, QEMUFile *f,
     int nr_sectors;
 
     for (sector = bmds->cur_dirty; sector < bmds->total_sectors;) {
-        if (bmds_aio_inflight(bmds, sector))
+        if (bmds_aio_inflight(bmds, sector)) {
             qemu_aio_flush();
+        }
         if (bdrv_get_dirty(bmds->bs, sector)) {
 
             if (total_sectors - sector < BDRV_SECTORS_PER_DIRTY_CHUNK) {
commit 9063f81415f3518ef8206e74085c2a92c96890a0
Author: Ryan Harper <ryanh at us.ibm.com>
Date:   Fri Nov 12 11:07:13 2010 -0600

    Implement drive_del to decouple block removal from device removal
    
    Currently device hotplug removal code is tied to device removal via
    ACPI.  All pci devices that are removable via device_del() require the
    guest to respond to the request.  In some cases the guest may not
    respond leaving the device still accessible to the guest.  The management
    layer doesn't currently have a reliable way to revoke access to host
    resource in the presence of an uncooperative guest.
    
    This patch implements a new monitor command, drive_del, which
    provides an explicit command to revoke access to a host block device.
    
    drive_del first quiesces the block device (qemu_aio_flush;
    bdrv_flush() and bdrv_close()).  This prevents further IO from being
    submitted against the host device.  Finally, drive_del cleans up
    pointers between the drive object (host resource) and the device
    object (guest resource).
    
    Signed-off-by: Ryan Harper <ryanh at us.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/blockdev.c b/blockdev.c
index 6cb179a..f6ac439 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -14,6 +14,8 @@
 #include "qemu-option.h"
 #include "qemu-config.h"
 #include "sysemu.h"
+#include "hw/qdev.h"
+#include "block_int.h"
 
 static QTAILQ_HEAD(drivelist, DriveInfo) drives = QTAILQ_HEAD_INITIALIZER(drives);
 
@@ -597,3 +599,40 @@ int do_change_block(Monitor *mon, const char *device,
     }
     return monitor_read_bdrv_key_start(mon, bs, NULL, NULL);
 }
+
+int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data)
+{
+    const char *id = qdict_get_str(qdict, "id");
+    BlockDriverState *bs;
+    BlockDriverState **ptr;
+    Property *prop;
+
+    bs = bdrv_find(id);
+    if (!bs) {
+        qerror_report(QERR_DEVICE_NOT_FOUND, id);
+        return -1;
+    }
+
+    /* quiesce block driver; prevent further io */
+    qemu_aio_flush();
+    bdrv_flush(bs);
+    bdrv_close(bs);
+
+    /* clean up guest state from pointing to host resource by
+     * finding and removing DeviceState "drive" property */
+    for (prop = bs->peer->info->props; prop && prop->name; prop++) {
+        if (prop->info->type == PROP_TYPE_DRIVE) {
+            ptr = qdev_get_prop_ptr(bs->peer, prop);
+            if ((*ptr) == bs) {
+                bdrv_detach(bs, bs->peer);
+                *ptr = NULL;
+                break;
+            }
+        }
+    }
+
+    /* clean up host side */
+    drive_uninit(drive_get_by_blockdev(bs));
+
+    return 0;
+}
diff --git a/blockdev.h b/blockdev.h
index 653affc..2a0559e 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -51,5 +51,6 @@ int do_eject(Monitor *mon, const QDict *qdict, QObject **ret_data);
 int do_block_set_passwd(Monitor *mon, const QDict *qdict, QObject **ret_data);
 int do_change_block(Monitor *mon, const char *device,
                     const char *filename, const char *fmt);
+int do_drive_del(Monitor *mon, const QDict *qdict, QObject **ret_data);
 
 #endif
diff --git a/hmp-commands.hx b/hmp-commands.hx
index e5585ba..23024ba 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -68,6 +68,24 @@ Eject a removable medium (use -f to force it).
 ETEXI
 
     {
+        .name       = "drive_del",
+        .args_type  = "id:s",
+        .params     = "device",
+        .help       = "remove host block device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_drive_del,
+    },
+
+STEXI
+ at item drive_del @var{device}
+ at findex drive_del
+Remove host block device.  The result is that guest generated IO is no longer
+submitted against the host device underlying the disk.  Once a drive has
+been deleted, the QEMU Block layer returns -EIO which results in IO
+errors in the guest for applications that are reading/writing to the device.
+ETEXI
+
+    {
         .name       = "change",
         .args_type  = "device:B,target:F,arg:s?",
         .params     = "device filename [format]",
commit 6fa2c95f279dda62aa7e3292cc424ff3fab6a602
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Fri Nov 12 09:57:11 2010 +0000

    scsi-disk: Move active request asserts
    
    SCSI read/write requests should not be re-issued before the current
    fragment of I/O completes.  There are asserts in scsi-disk.c that guard
    this constraint but they trigger on SPARC Linux 2.4.  It turns out that
    the asserts are too early in the code path and don't allow for read
    requests to terminate.
    
    Only the read assert needs to be moved but move the write assert too for
    consistency.
    
    Reported-by: Nigel Horne <njh at bandsman.co.uk>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index dc71957..7d85899 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -170,6 +170,9 @@ static void scsi_read_request(SCSIDiskReq *r)
         return;
     }
 
+    /* No data transfer may already be in progress */
+    assert(r->req.aiocb == NULL);
+
     n = r->sector_count;
     if (n > SCSI_DMA_BUF_SIZE / 512)
         n = SCSI_DMA_BUF_SIZE / 512;
@@ -197,9 +200,6 @@ static void scsi_read_data(SCSIDevice *d, uint32_t tag)
         return;
     }
 
-    /* No data transfer may already be in progress */
-    assert(r->req.aiocb == NULL);
-
     scsi_read_request(r);
 }
 
@@ -269,6 +269,9 @@ static void scsi_write_request(SCSIDiskReq *r)
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
     uint32_t n;
 
+    /* No data transfer may already be in progress */
+    assert(r->req.aiocb == NULL);
+
     n = r->iov.iov_len / 512;
     if (n) {
         qemu_iovec_init_external(&r->qiov, &r->iov, 1);
@@ -298,9 +301,6 @@ static int scsi_write_data(SCSIDevice *d, uint32_t tag)
         return 1;
     }
 
-    /* No data transfer may already be in progress */
-    assert(r->req.aiocb == NULL);
-
     scsi_write_request(r);
 
     return 0;
commit 1abeb5a65d515f8a8a9cfc4a82342f731bd9321f
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Nov 23 21:55:39 2010 +0200

    virtio: fix up VQ checks
    
    When migration triggers before a VQ is initialized,
    base pa is 0 and last_used_index must be 0 too:
    we don't have a ring to compare to.
    
    Reported-by: Juan Quintela <quintela at redhat.com>
    Tested-by: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index 849a60f..07dbf86 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -682,7 +682,6 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     uint32_t features;
     uint32_t supported_features =
         vdev->binding->get_features(vdev->binding_opaque);
-    uint16_t num_heads;
 
     if (vdev->binding->load_config) {
         ret = vdev->binding->load_config(vdev->binding_opaque, f);
@@ -713,17 +712,23 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
         qemu_get_be16s(f, &vdev->vq[i].last_avail_idx);
 
         if (vdev->vq[i].pa) {
+            uint16_t nheads;
             virtqueue_init(&vdev->vq[i]);
-        }
-	num_heads = vring_avail_idx(&vdev->vq[i]) - vdev->vq[i].last_avail_idx;
-	/* Check it isn't doing very strange things with descriptor numbers. */
-	if (num_heads > vdev->vq[i].vring.num) {
-		error_report("VQ %d size 0x%x Guest index 0x%x "
-		             "inconsistent with Host index 0x%x: delta 0x%x",
-		             i, vdev->vq[i].vring.num,
-		             vring_avail_idx(&vdev->vq[i]),
-		             vdev->vq[i].last_avail_idx, num_heads);
-		return -1;
+            nheads = vring_avail_idx(&vdev->vq[i]) - vdev->vq[i].last_avail_idx;
+            /* Check it isn't doing very strange things with descriptor numbers. */
+            if (nheads > vdev->vq[i].vring.num) {
+                error_report("VQ %d size 0x%x Guest index 0x%x "
+                             "inconsistent with Host index 0x%x: delta 0x%x\n",
+                             i, vdev->vq[i].vring.num,
+                             vring_avail_idx(&vdev->vq[i]),
+                             vdev->vq[i].last_avail_idx, nheads);
+                return -1;
+            }
+        } else if (vdev->vq[i].last_avail_idx) {
+            error_report("VQ %d address 0x0 "
+                         "inconsistent with Host index 0x%x\n",
+                         i, vdev->vq[i].last_avail_idx);
+                return -1;
 	}
         if (vdev->binding->load_queue) {
             ret = vdev->binding->load_queue(vdev->binding_opaque, i, f);
commit ce67ed65000b8f56c6e0576a1a9d3c4b0f596f5c
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Nov 15 20:44:36 2010 +0000

    virtio: Convert fprintf() to error_report()
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    (cherry picked from commit cd92f4cc22fbe12a7bf60c9430731f768dc1537c)

diff --git a/hw/virtio.c b/hw/virtio.c
index a2a657e..849a60f 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -14,6 +14,7 @@
 #include <inttypes.h>
 
 #include "trace.h"
+#include "qemu-error.h"
 #include "virtio.h"
 #include "sysemu.h"
 
@@ -253,8 +254,8 @@ static int virtqueue_num_heads(VirtQueue *vq, unsigned int idx)
 
     /* Check it isn't doing very strange things with descriptor numbers. */
     if (num_heads > vq->vring.num) {
-        fprintf(stderr, "Guest moved used index from %u to %u",
-                idx, vring_avail_idx(vq));
+        error_report("Guest moved used index from %u to %u",
+                     idx, vring_avail_idx(vq));
         exit(1);
     }
 
@@ -271,7 +272,7 @@ static unsigned int virtqueue_get_head(VirtQueue *vq, unsigned int idx)
 
     /* If their number is silly, that's a fatal mistake. */
     if (head >= vq->vring.num) {
-        fprintf(stderr, "Guest says index %u is available", head);
+        error_report("Guest says index %u is available", head);
         exit(1);
     }
 
@@ -293,7 +294,7 @@ static unsigned virtqueue_next_desc(target_phys_addr_t desc_pa,
     wmb();
 
     if (next >= max) {
-        fprintf(stderr, "Desc next is %u", next);
+        error_report("Desc next is %u", next);
         exit(1);
     }
 
@@ -320,13 +321,13 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
 
         if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_INDIRECT) {
             if (vring_desc_len(desc_pa, i) % sizeof(VRingDesc)) {
-                fprintf(stderr, "Invalid size for indirect buffer table\n");
+                error_report("Invalid size for indirect buffer table");
                 exit(1);
             }
 
             /* If we've got too many, that implies a descriptor loop. */
             if (num_bufs >= max) {
-                fprintf(stderr, "Looped descriptor");
+                error_report("Looped descriptor");
                 exit(1);
             }
 
@@ -340,7 +341,7 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
         do {
             /* If we've got too many, that implies a descriptor loop. */
             if (++num_bufs > max) {
-                fprintf(stderr, "Looped descriptor");
+                error_report("Looped descriptor");
                 exit(1);
             }
 
@@ -374,7 +375,7 @@ void virtqueue_map_sg(struct iovec *sg, target_phys_addr_t *addr,
         len = sg[i].iov_len;
         sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
         if (sg[i].iov_base == NULL || len != sg[i].iov_len) {
-            fprintf(stderr, "virtio: trying to map MMIO memory\n");
+            error_report("virtio: trying to map MMIO memory");
             exit(1);
         }
     }
@@ -397,7 +398,7 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 
     if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_INDIRECT) {
         if (vring_desc_len(desc_pa, i) % sizeof(VRingDesc)) {
-            fprintf(stderr, "Invalid size for indirect buffer table\n");
+            error_report("Invalid size for indirect buffer table");
             exit(1);
         }
 
@@ -423,7 +424,7 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 
         /* If we've got too many, that implies a descriptor loop. */
         if ((elem->in_num + elem->out_num) > max) {
-            fprintf(stderr, "Looped descriptor");
+            error_report("Looped descriptor");
             exit(1);
         }
     } while ((i = virtqueue_next_desc(desc_pa, i, max)) != max);
@@ -694,8 +695,8 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     qemu_get_be16s(f, &vdev->queue_sel);
     qemu_get_be32s(f, &features);
     if (features & ~supported_features) {
-        fprintf(stderr, "Features 0x%x unsupported. Allowed features: 0x%x\n",
-                features, supported_features);
+        error_report("Features 0x%x unsupported. Allowed features: 0x%x",
+                     features, supported_features);
         return -1;
     }
     if (vdev->set_features)
@@ -717,11 +718,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 	num_heads = vring_avail_idx(&vdev->vq[i]) - vdev->vq[i].last_avail_idx;
 	/* Check it isn't doing very strange things with descriptor numbers. */
 	if (num_heads > vdev->vq[i].vring.num) {
-		fprintf(stderr, "VQ %d size 0x%x Guest index 0x%x "
-                        "inconsistent with Host index 0x%x: delta 0x%x\n",
-			i, vdev->vq[i].vring.num,
-                        vring_avail_idx(&vdev->vq[i]),
-                        vdev->vq[i].last_avail_idx, num_heads);
+		error_report("VQ %d size 0x%x Guest index 0x%x "
+		             "inconsistent with Host index 0x%x: delta 0x%x",
+		             i, vdev->vq[i].vring.num,
+		             vring_avail_idx(&vdev->vq[i]),
+		             vdev->vq[i].last_avail_idx, num_heads);
 		return -1;
 	}
         if (vdev->binding->load_queue) {
commit 929176c3b9f8d5feec9395401f889a3bfb95e816
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Nov 24 07:23:25 2010 +0200

    pci: fix bus walk under secondary bus reset
    
    Take into account secondary bus reset bit for
    bus walk: devices behind a reset bus should not
    respond to configuration cycles.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index d02f980..0c15b13 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1540,6 +1540,16 @@ void pci_bridge_update_mappings(PCIBus *b)
     }
 }
 
+/* Whether a given bus number is in range of the secondary
+ * bus of the given bridge device. */
+static bool pci_secondary_bus_in_range(PCIDevice *dev, int bus_num)
+{
+    return !(pci_get_word(dev->config + PCI_BRIDGE_CONTROL) &
+             PCI_BRIDGE_CTL_BUS_RESET) /* Don't walk the bus if it's reset. */ &&
+        dev->config[PCI_SECONDARY_BUS] < bus_num &&
+        bus_num <= dev->config[PCI_SUBORDINATE_BUS];
+}
+
 PCIBus *pci_find_bus(PCIBus *bus, int bus_num)
 {
     PCIBus *sec;
@@ -1552,20 +1562,21 @@ PCIBus *pci_find_bus(PCIBus *bus, int bus_num)
         return bus;
     }
 
+    /* Consider all bus numbers in range for the host pci bridge. */
+    if (bus->parent_dev &&
+        !pci_secondary_bus_in_range(bus->parent_dev, bus_num)) {
+        return NULL;
+    }
+
     /* try child bus */
-    if (!bus->parent_dev /* host pci bridge */ ||
-        (bus->parent_dev->config[PCI_SECONDARY_BUS] < bus_num &&
-         bus_num <= bus->parent_dev->config[PCI_SUBORDINATE_BUS])) {
-        for (; bus; bus = sec) {
-            QLIST_FOREACH(sec, &bus->child, sibling) {
-                assert(sec->parent_dev);
-                if (sec->parent_dev->config[PCI_SECONDARY_BUS] == bus_num) {
-                    return sec;
-                }
-                if (sec->parent_dev->config[PCI_SECONDARY_BUS] < bus_num &&
-                    bus_num <= sec->parent_dev->config[PCI_SUBORDINATE_BUS]) {
-                    break;
-                }
+    for (; bus; bus = sec) {
+        QLIST_FOREACH(sec, &bus->child, sibling) {
+            assert(sec->parent_dev);
+            if (sec->parent_dev->config[PCI_SECONDARY_BUS] == bus_num) {
+                return sec;
+            }
+            if (pci_secondary_bus_in_range(sec->parent_dev, bus_num)) {
+                break;
             }
         }
     }
commit f711df67d611e4762966a249742a5f7499e19f99
Author: Richard Henderson <rth at redhat.com>
Date:   Mon Nov 22 14:57:52 2010 -0800

    microblaze: target-ify target_ucontext
    
    Rename the members of target_ucontext so that they don't conflict
    with possible host macros for ucontext members.  This has already
    been done for the other targets.
    
    Signed-off-by: Richard Henderson <rth at twiddle.net>
    Signed-off-by: Edgar E. Iglesias <edgar at axis.com>

diff --git a/linux-user/signal.c b/linux-user/signal.c
index 77683f7..7c62fac 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -3071,11 +3071,11 @@ struct target_stack_t {
 };
 
 struct target_ucontext {
-    abi_ulong uc_flags;
-    abi_ulong uc_link;
-    struct target_stack_t uc_stack;
-    struct target_sigcontext sc;
-    uint32_t extramask[TARGET_NSIG_WORDS - 1];
+    abi_ulong tuc_flags;
+    abi_ulong tuc_link;
+    struct target_stack_t tuc_stack;
+    struct target_sigcontext tuc_mcontext;
+    uint32_t tuc_extramask[TARGET_NSIG_WORDS - 1];
 };
 
 /* Signal frames. */
@@ -3189,7 +3189,7 @@ static void setup_frame(int sig, struct target_sigaction *ka,
         goto badframe;
 
     /* Save the mask.  */
-    err |= __put_user(set->sig[0], &frame->uc.sc.oldmask);
+    err |= __put_user(set->sig[0], &frame->uc.tuc_mcontext.oldmask);
     if (err)
         goto badframe;
 
@@ -3198,7 +3198,7 @@ static void setup_frame(int sig, struct target_sigaction *ka,
             goto badframe;
     }
 
-    setup_sigcontext(&frame->uc.sc, env);
+    setup_sigcontext(&frame->uc.tuc_mcontext, env);
 
     /* Set up to return from userspace. If provided, use a stub
        already in userspace. */
@@ -3261,7 +3261,7 @@ long do_sigreturn(CPUState *env)
         goto badframe;
 
     /* Restore blocked signals */
-    if (__get_user(target_set.sig[0], &frame->uc.sc.oldmask))
+    if (__get_user(target_set.sig[0], &frame->uc.tuc_mcontext.oldmask))
         goto badframe;
     for(i = 1; i < TARGET_NSIG_WORDS; i++) {
         if (__get_user(target_set.sig[i], &frame->extramask[i - 1]))
@@ -3270,7 +3270,7 @@ long do_sigreturn(CPUState *env)
     target_to_host_sigset_internal(&set, &target_set);
     sigprocmask(SIG_SETMASK, &set, NULL);
 
-    restore_sigcontext(&frame->uc.sc, env);
+    restore_sigcontext(&frame->uc.tuc_mcontext, env);
     /* We got here through a sigreturn syscall, our path back is via an
        rtb insn so setup r14 for that.  */
     env->regs[14] = env->sregs[SR_PC];
commit a5fce077b134a486794b77b49f4eae1d3c9b960c
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Nov 19 18:56:03 2010 +0900

    pci bridge: implement secondary bus reset
    
    Trigger secondary bus reset when secondary bus reset bit
    value changes from 0 to 1.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 58cc2e4..464d897 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -139,6 +139,10 @@ pcibus_t pci_bridge_get_limit(const PCIDevice *bridge, uint8_t type)
 void pci_bridge_write_config(PCIDevice *d,
                              uint32_t address, uint32_t val, int len)
 {
+    PCIBridge *s = container_of(d, PCIBridge, dev);
+    uint16_t oldctl = pci_get_word(d->config + PCI_BRIDGE_CONTROL);
+    uint16_t newctl;
+
     pci_default_write_config(d, address, val, len);
 
     if (/* io base/limit */
@@ -147,9 +151,14 @@ void pci_bridge_write_config(PCIDevice *d,
         /* memory base/limit, prefetchable base/limit and
            io base/limit upper 16 */
         ranges_overlap(address, len, PCI_MEMORY_BASE, 20)) {
-        PCIBridge *s = container_of(d, PCIBridge, dev);
         pci_bridge_update_mappings(&s->sec_bus);
     }
+
+    newctl = pci_get_word(d->config + PCI_BRIDGE_CONTROL);
+    if (~oldctl & newctl & PCI_BRIDGE_CTL_BUS_RESET) {
+        /* Trigger hot reset on 0->1 transition. */
+        pci_bus_reset(&s->sec_bus);
+    }
 }
 
 void pci_bridge_disable_base_limit(PCIDevice *dev)
commit 9bb3358627d87d8de25fb41b7276575539d799a7
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Nov 19 18:56:02 2010 +0900

    pci: use qdev reset framework for pci bus reset
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index c0a8258..d02f980 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -43,12 +43,14 @@
 
 static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent);
 static char *pcibus_get_dev_path(DeviceState *dev);
+static int pcibus_reset(BusState *qbus);
 
 struct BusInfo pci_bus_info = {
     .name       = "PCI",
     .size       = sizeof(PCIBus),
     .print_dev  = pcibus_dev_print,
     .get_dev_path = pcibus_get_dev_path,
+    .reset      = pcibus_reset,
     .props      = (Property[]) {
         DEFINE_PROP_PCI_DEVFN("addr", PCIDevice, devfn, -1),
         DEFINE_PROP_STRING("romfile", PCIDevice, romfile),
@@ -136,6 +138,11 @@ static void pci_update_irq_status(PCIDevice *dev)
 static void pci_device_reset(PCIDevice *dev)
 {
     int r;
+    /* TODO: call the below unconditionally once all pci devices
+     * are qdevified */
+    if (dev->qdev.info) {
+        qdev_reset_all(&dev->qdev);
+    }
 
     dev->irq_state = 0;
     pci_update_irq_status(dev);
@@ -164,9 +171,12 @@ static void pci_device_reset(PCIDevice *dev)
     pci_update_mappings(dev);
 }
 
-static void pci_bus_reset(void *opaque)
+/*
+ * Trigger pci bus reset under a given bus.
+ * To be called on RST# assert.
+ */
+void pci_bus_reset(PCIBus *bus)
 {
-    PCIBus *bus = opaque;
     int i;
 
     for (i = 0; i < bus->nirq; i++) {
@@ -179,6 +189,15 @@ static void pci_bus_reset(void *opaque)
     }
 }
 
+static int pcibus_reset(BusState *qbus)
+{
+    pci_bus_reset(DO_UPCAST(PCIBus, qbus, qbus));
+
+    /* topology traverse is done by pci_bus_reset().
+       Tell qbus/qdev walker not to traverse the tree */
+    return 1;
+}
+
 static void pci_host_bus_register(int domain, PCIBus *bus)
 {
     struct PCIHostBus *host;
@@ -233,7 +252,6 @@ void pci_bus_new_inplace(PCIBus *bus, DeviceState *parent,
     pci_host_bus_register(0, bus); /* for now only pci domain 0 is supported */
 
     vmstate_register(NULL, -1, &vmstate_pcibus, bus);
-    qemu_register_reset(pci_bus_reset, bus);
 }
 
 PCIBus *pci_bus_new(DeviceState *parent, const char *name, int devfn_min)
diff --git a/hw/pci.h b/hw/pci.h
index 09b3e4c..89f7b76 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -232,6 +232,7 @@ void pci_bus_hotplug(PCIBus *bus, pci_hotplug_fn hotplug, DeviceState *dev);
 PCIBus *pci_register_bus(DeviceState *parent, const char *name,
                          pci_set_irq_fn set_irq, pci_map_irq_fn map_irq,
                          void *irq_opaque, int devfn_min, int nirq);
+void pci_bus_reset(PCIBus *bus);
 
 void pci_bus_set_mem_base(PCIBus *bus, target_phys_addr_t base);
 
commit 5af0a04bea1f1704432b7c118c00a466e862bf00
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Nov 19 18:56:01 2010 +0900

    qdev: trigger reset from a given device
    
    Introduce a helper function which triggers reset from a given device.
    Will be used by pci bus emulation.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index b76da07..b65b63e 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -322,6 +322,11 @@ static int qbus_reset_one(BusState *bus, void *opaque)
     return 0;
 }
 
+void qdev_reset_all(DeviceState *dev)
+{
+    qdev_walk_children(dev, qdev_reset_one, qbus_reset_one, NULL);
+}
+
 void qbus_reset_all(BusState *bus)
 {
     qbus_walk_children(bus, qdev_reset_one, qbus_reset_one, NULL);
diff --git a/hw/qdev.h b/hw/qdev.h
index 5ac084f..3fac364 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -189,6 +189,7 @@ int qbus_walk_children(BusState *bus, qdev_walkerfn *devfn,
                        qbus_walkerfn *busfn, void *opaque);
 int qdev_walk_children(DeviceState *dev, qdev_walkerfn *devfn,
                        qbus_walkerfn *busfn, void *opaque);
+void qdev_reset_all(DeviceState *dev);
 void qbus_reset_all(BusState *bus);
 void qbus_free(BusState *bus);
 
commit b4694b7ce8bd87c4b9c6c14ad74075a31b15c784
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Nov 19 18:56:00 2010 +0900

    qdev: introduce reset call back for qbus level
    
    and make it called via qbus_reset_all().
    The qbus reset callback will be used by pci bus reset.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 92ccc8d..b76da07 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -314,9 +314,17 @@ BusState *sysbus_get_default(void)
     return main_system_bus;
 }
 
+static int qbus_reset_one(BusState *bus, void *opaque)
+{
+    if (bus->info->reset) {
+        return bus->info->reset(bus);
+    }
+    return 0;
+}
+
 void qbus_reset_all(BusState *bus)
 {
-    qbus_walk_children(bus, qdev_reset_one, NULL, NULL);
+    qbus_walk_children(bus, qdev_reset_one, qbus_reset_one, NULL);
 }
 
 /* can be used as ->unplug() callback for the simple cases */
diff --git a/hw/qdev.h b/hw/qdev.h
index e5ed333..5ac084f 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -49,12 +49,14 @@ struct DeviceState {
 
 typedef void (*bus_dev_printfn)(Monitor *mon, DeviceState *dev, int indent);
 typedef char *(*bus_get_dev_path)(DeviceState *dev);
+typedef int (qbus_resetfn)(BusState *bus);
 
 struct BusInfo {
     const char *name;
     size_t size;
     bus_dev_printfn print_dev;
     bus_get_dev_path get_dev_path;
+    qbus_resetfn *reset;
     Property *props;
 };
 
commit ec990eb622ad46df5ddcb1e94c418c271894d416
Author: Anthony Liguori <anthony at codemonkey.ws>
Date:   Fri Nov 19 18:55:59 2010 +0900

    qdev: reset qdev along with qdev tree
    
    This patch changes the reset handling so that qdev has no knowledge of the
    global system reset.  Instead, a new bus/device level function is introduced
    that allows all devices/buses on the bus/device to be reset using a depth
    first transversal.
    
    N.B. we have to expose the implicit system bus because we have various hacks
    that result in an implicit system bus existing.  Instead, we ought to have an
    explicitly created system bus that we can trigger reset from.  That's a topic
    for a future patch though.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 11d845a..92ccc8d 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -257,13 +257,6 @@ DeviceState *qdev_device_add(QemuOpts *opts)
     return qdev;
 }
 
-static void qdev_reset(void *opaque)
-{
-    DeviceState *dev = opaque;
-    if (dev->info->reset)
-        dev->info->reset(dev);
-}
-
 /* Initialize a device.  Device properties should be set before calling
    this function.  IRQs and MMIO regions should be connected/mapped after
    calling this function.
@@ -279,7 +272,6 @@ int qdev_init(DeviceState *dev)
         qdev_free(dev);
         return rc;
     }
-    qemu_register_reset(qdev_reset, dev);
     if (dev->info->vmsd) {
         vmstate_register_with_alias_id(dev, -1, dev->info->vmsd, dev,
                                        dev->instance_id_alias,
@@ -308,6 +300,25 @@ int qdev_unplug(DeviceState *dev)
     return dev->info->unplug(dev);
 }
 
+static int qdev_reset_one(DeviceState *dev, void *opaque)
+{
+    if (dev->info->reset) {
+        dev->info->reset(dev);
+    }
+
+    return 0;
+}
+
+BusState *sysbus_get_default(void)
+{
+    return main_system_bus;
+}
+
+void qbus_reset_all(BusState *bus)
+{
+    qbus_walk_children(bus, qdev_reset_one, NULL, NULL);
+}
+
 /* can be used as ->unplug() callback for the simple cases */
 int qdev_simple_unplug_cb(DeviceState *dev)
 {
@@ -351,7 +362,6 @@ void qdev_free(DeviceState *dev)
         if (dev->opts)
             qemu_opts_del(dev->opts);
     }
-    qemu_unregister_reset(qdev_reset, dev);
     QLIST_REMOVE(dev, sibling);
     for (prop = dev->info->props; prop && prop->name; prop++) {
         if (prop->info->free) {
diff --git a/hw/qdev.h b/hw/qdev.h
index 550fd9b..e5ed333 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -187,10 +187,14 @@ int qbus_walk_children(BusState *bus, qdev_walkerfn *devfn,
                        qbus_walkerfn *busfn, void *opaque);
 int qdev_walk_children(DeviceState *dev, qdev_walkerfn *devfn,
                        qbus_walkerfn *busfn, void *opaque);
+void qbus_reset_all(BusState *bus);
 void qbus_free(BusState *bus);
 
 #define FROM_QBUS(type, dev) DO_UPCAST(type, qbus, dev)
 
+/* This should go away once we get rid of the NULL bus hack */
+BusState *sysbus_get_default(void);
+
 /*** monitor commands ***/
 
 void do_info_qtree(Monitor *mon);
diff --git a/vl.c b/vl.c
index c58583d..135fdeb 100644
--- a/vl.c
+++ b/vl.c
@@ -2976,6 +2976,7 @@ int main(int argc, char **argv, char **envp)
         exit(1);
     }
 
+    qemu_register_reset((void *)qbus_reset_all, sysbus_get_default());
     qemu_system_reset();
     if (loadvm) {
         if (load_vmstate(loadvm) < 0) {
commit 81699d8a90deac361e9e14fd853f8341f40b2fad
Author: Anthony Liguori <anthony at codemonkey.ws>
Date:   Fri Nov 19 18:55:58 2010 +0900

    qbus: add functions to walk both devices and busses
    
    There are some cases where you want to walk the busses, in particular, when
    searching for a bus either by name or DeviceInfo.
    Paolo suggested that we model the return values on how GCC's walkers work which
    allows an actor to skip child transversal, or terminate walking with a positive
    value that's returned as the qbus_walk_children's result.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index 35858cb..11d845a 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -449,6 +449,52 @@ BusState *qdev_get_child_bus(DeviceState *dev, const char *name)
     return NULL;
 }
 
+int qbus_walk_children(BusState *bus, qdev_walkerfn *devfn,
+                       qbus_walkerfn *busfn, void *opaque)
+{
+    DeviceState *dev;
+    int err;
+
+    if (busfn) {
+        err = busfn(bus, opaque);
+        if (err) {
+            return err;
+        }
+    }
+
+    QLIST_FOREACH(dev, &bus->children, sibling) {
+        err = qdev_walk_children(dev, devfn, busfn, opaque);
+        if (err < 0) {
+            return err;
+        }
+    }
+
+    return 0;
+}
+
+int qdev_walk_children(DeviceState *dev, qdev_walkerfn *devfn,
+                       qbus_walkerfn *busfn, void *opaque)
+{
+    BusState *bus;
+    int err;
+
+    if (devfn) {
+        err = devfn(dev, opaque);
+        if (err) {
+            return err;
+        }
+    }
+
+    QLIST_FOREACH(bus, &dev->child_bus, sibling) {
+        err = qbus_walk_children(bus, devfn, busfn, opaque);
+        if (err < 0) {
+            return err;
+        }
+    }
+
+    return 0;
+}
+
 static BusState *qbus_find_recursive(BusState *bus, const char *name,
                                      const BusInfo *info)
 {
diff --git a/hw/qdev.h b/hw/qdev.h
index 579328a..550fd9b 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -173,9 +173,20 @@ BusState *qdev_get_parent_bus(DeviceState *dev);
 
 /*** BUS API. ***/
 
+/* Returns 0 to walk children, > 0 to skip walk, < 0 to terminate walk. */
+typedef int (qbus_walkerfn)(BusState *bus, void *opaque);
+typedef int (qdev_walkerfn)(DeviceState *dev, void *opaque);
+
 void qbus_create_inplace(BusState *bus, BusInfo *info,
                          DeviceState *parent, const char *name);
 BusState *qbus_create(BusInfo *info, DeviceState *parent, const char *name);
+/* Returns > 0 if either devfn or busfn skip walk somewhere in cursion,
+ *         < 0 if either devfn or busfn terminate walk somewhere in cursion,
+ *           0 otherwise. */
+int qbus_walk_children(BusState *bus, qdev_walkerfn *devfn,
+                       qbus_walkerfn *busfn, void *opaque);
+int qdev_walk_children(DeviceState *dev, qdev_walkerfn *devfn,
+                       qbus_walkerfn *busfn, void *opaque);
 void qbus_free(BusState *bus);
 
 #define FROM_QBUS(type, dev) DO_UPCAST(type, qbus, dev)
commit 0389ced419d249d8742c69e177731b5d18ef3f2f
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Oct 15 22:51:07 2010 +0200

    eepro100: Use a single rom file for all i825xx devices
    
    Patching the rom data during load (in qemu) now
    also supports i82801 (which had no rom file).
    
    We only need a single rom file for the whole device family,
    so remove the second one which is no longer needed.
    
    Cc: Markus Armbruster <armbru at redhat.com>
    Cc: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile b/Makefile
index 02698e9..2883d27 100644
--- a/Makefile
+++ b/Makefile
@@ -181,7 +181,6 @@ ifdef INSTALL_BLOBS
 BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin ppc_rom.bin \
 openbios-sparc32 openbios-sparc64 openbios-ppc \
 gpxe-eepro100-80861209.rom \
-gpxe-eepro100-80861229.rom \
 pxe-e1000.bin \
 pxe-ne2k_pci.bin pxe-pcnet.bin \
 pxe-rtl8139.bin pxe-virtio.bin \
diff --git a/hw/eepro100.c b/hw/eepro100.c
index 41d792a..f8a700a 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -2048,17 +2048,9 @@ static void eepro100_register_devices(void)
     size_t i;
     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
         PCIDeviceInfo *pci_dev = &e100_devices[i].pci;
-        switch (e100_devices[i].device_id) {
-            case PCI_DEVICE_ID_INTEL_82551IT:
-                pci_dev->romfile = "gpxe-eepro100-80861209.rom";
-                break;
-            case PCI_DEVICE_ID_INTEL_82557:
-                pci_dev->romfile = "gpxe-eepro100-80861229.rom";
-                break;
-            case 0x2449:
-                pci_dev->romfile = "gpxe-eepro100-80862449.rom";
-                break;
-        }
+        /* We use the same rom file for all device ids.
+           QEMU fixes the device id during rom load. */
+        pci_dev->romfile = "gpxe-eepro100-80861209.rom";
         pci_dev->init = e100_nic_init;
         pci_dev->exit = pci_nic_uninit;
         pci_dev->qdev.props = e100_properties;
diff --git a/pc-bios/README b/pc-bios/README
index 3172cf7..4b019e0 100644
--- a/pc-bios/README
+++ b/pc-bios/README
@@ -16,7 +16,7 @@
 - The PXE roms come from Rom-o-Matic gPXE 0.9.9 with BANNER_TIMEOUT=0
 
   e1000 8086:100E
-  eepro100 8086:1209, 8086:1229
+  eepro100 8086:1209 (also used for 8086:1229 and 8086:2449)
   ns8390 1050:0940
   pcnet32 1022:2000
   rtl8139 10ec:8139
diff --git a/pc-bios/gpxe-eepro100-80861229.rom b/pc-bios/gpxe-eepro100-80861229.rom
deleted file mode 100644
index 9cf397e..0000000
Binary files a/pc-bios/gpxe-eepro100-80861229.rom and /dev/null differ
commit ab85ceb1ad8797af2fb4c06bdc70f0ce0cf9b34f
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Tue Oct 19 23:08:21 2010 +0200

    pci: Automatically patch PCI vendor id and device id in PCI ROM
    
    PCI devices with different vendor or device ids sometimes share
    the same rom code. Only the ids and the checksum
    differs in a boot rom for such devices.
    
    The i825xx ethernet controller family is a typical example
    which is implemented in hw/eepro100.c. It uses at least
    3 different device ids, so normally 3 boot roms would be needed.
    
    By automatically patching vendor id and device id (and the checksum)
    in qemu, all emulated family members can share the same boot rom.
    
    VGA bios roms are another example with different vendor and device ids.
    
    Only qemu's built-in default rom files will be patched.
    
    v2:
        * Patch also the vendor id (and remove the sanity check for vendor id).
    
    v3:
        * Don't patch a rom file when its name was set by the user.
          Thus we avoid modifications of unknown rom data.
    
    Cc: Gerd Hoffmann <kraxel at redhat.com>
    Cc: Markus Armbruster <armbru at redhat.com>
    Cc: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index fc5d340..c0a8258 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -61,7 +61,7 @@ struct BusInfo pci_bus_info = {
 
 static void pci_update_mappings(PCIDevice *d);
 static void pci_set_irq(void *opaque, int irq_num, int level);
-static int pci_add_option_rom(PCIDevice *pdev);
+static int pci_add_option_rom(PCIDevice *pdev, bool is_default_rom);
 static void pci_del_option_rom(PCIDevice *pdev);
 
 static uint16_t pci_default_sub_vendor_id = PCI_SUBVENDOR_ID_REDHAT_QUMRANET;
@@ -1571,6 +1571,7 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
     PCIDeviceInfo *info = container_of(base, PCIDeviceInfo, qdev);
     PCIBus *bus;
     int devfn, rc;
+    bool is_default_rom;
 
     /* initialize cap_present for pci_is_express() and pci_config_size() */
     if (info->is_express) {
@@ -1591,9 +1592,12 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
     }
 
     /* rom loading */
-    if (pci_dev->romfile == NULL && info->romfile != NULL)
+    is_default_rom = false;
+    if (pci_dev->romfile == NULL && info->romfile != NULL) {
         pci_dev->romfile = qemu_strdup(info->romfile);
-    pci_add_option_rom(pci_dev);
+        is_default_rom = true;
+    }
+    pci_add_option_rom(pci_dev, is_default_rom);
 
     if (bus->hotplug) {
         /* Let buses differentiate between hotplug and when device is
@@ -1701,8 +1705,64 @@ static void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr, p
     cpu_register_physical_memory(addr, size, pdev->rom_offset);
 }
 
+/* Patch the PCI vendor and device ids in a PCI rom image if necessary.
+   This is needed for an option rom which is used for more than one device. */
+static void pci_patch_ids(PCIDevice *pdev, uint8_t *ptr, int size)
+{
+    uint16_t vendor_id;
+    uint16_t device_id;
+    uint16_t rom_vendor_id;
+    uint16_t rom_device_id;
+    uint16_t rom_magic;
+    uint16_t pcir_offset;
+    uint8_t checksum;
+
+    /* Words in rom data are little endian (like in PCI configuration),
+       so they can be read / written with pci_get_word / pci_set_word. */
+
+    /* Only a valid rom will be patched. */
+    rom_magic = pci_get_word(ptr);
+    if (rom_magic != 0xaa55) {
+        PCI_DPRINTF("Bad ROM magic %04x\n", rom_magic);
+        return;
+    }
+    pcir_offset = pci_get_word(ptr + 0x18);
+    if (pcir_offset + 8 >= size || memcmp(ptr + pcir_offset, "PCIR", 4)) {
+        PCI_DPRINTF("Bad PCIR offset 0x%x or signature\n", pcir_offset);
+        return;
+    }
+
+    vendor_id = pci_get_word(pdev->config + PCI_VENDOR_ID);
+    device_id = pci_get_word(pdev->config + PCI_DEVICE_ID);
+    rom_vendor_id = pci_get_word(ptr + pcir_offset + 4);
+    rom_device_id = pci_get_word(ptr + pcir_offset + 6);
+
+    PCI_DPRINTF("%s: ROM id %04x%04x / PCI id %04x%04x\n", pdev->romfile,
+                vendor_id, device_id, rom_vendor_id, rom_device_id);
+
+    checksum = ptr[6];
+
+    if (vendor_id != rom_vendor_id) {
+        /* Patch vendor id and checksum (at offset 6 for etherboot roms). */
+        checksum += (uint8_t)rom_vendor_id + (uint8_t)(rom_vendor_id >> 8);
+        checksum -= (uint8_t)vendor_id + (uint8_t)(vendor_id >> 8);
+        PCI_DPRINTF("ROM checksum %02x / %02x\n", ptr[6], checksum);
+        ptr[6] = checksum;
+        pci_set_word(ptr + pcir_offset + 4, vendor_id);
+    }
+
+    if (device_id != rom_device_id) {
+        /* Patch device id and checksum (at offset 6 for etherboot roms). */
+        checksum += (uint8_t)rom_device_id + (uint8_t)(rom_device_id >> 8);
+        checksum -= (uint8_t)device_id + (uint8_t)(device_id >> 8);
+        PCI_DPRINTF("ROM checksum %02x / %02x\n", ptr[6], checksum);
+        ptr[6] = checksum;
+        pci_set_word(ptr + pcir_offset + 6, device_id);
+    }
+}
+
 /* Add an option rom for the device */
-static int pci_add_option_rom(PCIDevice *pdev)
+static int pci_add_option_rom(PCIDevice *pdev, bool is_default_rom)
 {
     int size;
     char *path;
@@ -1753,6 +1813,11 @@ static int pci_add_option_rom(PCIDevice *pdev)
     load_image(path, ptr);
     qemu_free(path);
 
+    if (is_default_rom) {
+        /* Only the default rom images will be patched (if needed). */
+        pci_patch_ids(pdev, ptr, size);
+    }
+
     pci_register_bar(pdev, PCI_ROM_SLOT, size,
                      0, pci_map_option_rom);
 
commit b90c73cf475d69959dde208d00961c3cb7a57475
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Nov 19 19:29:07 2010 +0100

    pci: Replace unneeded type casts in calls of pci_register_bar
    
    There is no need for these type casts (as other existing
    code shows). So re-write the first argument without
    type cast (and remove a related TODO comment).
    
    Cc: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index aadc56f..40be55d 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -3204,10 +3204,10 @@ static int pci_cirrus_vga_initfn(PCIDevice *dev)
      /* memory #0 LFB */
      /* memory #1 memory-mapped I/O */
      /* XXX: s->vga.vram_size must be a power of two */
-     pci_register_bar((PCIDevice *)d, 0, 0x2000000,
+     pci_register_bar(&d->dev, 0, 0x2000000,
                       PCI_BASE_ADDRESS_MEM_PREFETCH, cirrus_pci_lfb_map);
      if (device_id == CIRRUS_ID_CLGD5446) {
-         pci_register_bar((PCIDevice *)d, 1, CIRRUS_PNPMMIO_SIZE,
+         pci_register_bar(&d->dev, 1, CIRRUS_PNPMMIO_SIZE,
                           PCI_BASE_ADDRESS_SPACE_MEMORY, cirrus_pci_mmio_map);
      }
      return 0;
diff --git a/hw/e1000.c b/hw/e1000.c
index 677165f..b7f585b 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -1130,10 +1130,10 @@ static int pci_e1000_init(PCIDevice *pci_dev)
     d->mmio_index = cpu_register_io_memory(e1000_mmio_read,
             e1000_mmio_write, d);
 
-    pci_register_bar((PCIDevice *)d, 0, PNPMMIO_SIZE,
+    pci_register_bar(&d->dev, 0, PNPMMIO_SIZE,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, e1000_mmio_map);
 
-    pci_register_bar((PCIDevice *)d, 1, IOPORT_SIZE,
+    pci_register_bar(&d->dev, 1, IOPORT_SIZE,
                            PCI_BASE_ADDRESS_SPACE_IO, ioport_map);
 
     memmove(d->eeprom_data, e1000_eeprom_template,
diff --git a/hw/ide/via.c b/hw/ide/via.c
index b2c7cad..2001a36 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -153,7 +153,7 @@ static int vt82c686b_ide_initfn(PCIDevice *dev)
     pci_set_long(pci_conf + PCI_CAPABILITY_LIST, 0x000000c0);
 
     qemu_register_reset(via_reset, d);
-    pci_register_bar((PCIDevice *)d, 4, 0x10,
+    pci_register_bar(&d->dev, 4, 0x10,
                            PCI_BASE_ADDRESS_SPACE_IO, bmdma_map);
 
     vmstate_register(&dev->qdev, 0, &vmstate_ide_pci, d);
diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index f97335e..1aef62f 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -2177,12 +2177,11 @@ static int lsi_scsi_init(PCIDevice *dev)
     s->ram_io_addr = cpu_register_io_memory(lsi_ram_readfn,
                                             lsi_ram_writefn, s);
 
-    /* TODO: use dev and get rid of cast below */
-    pci_register_bar((struct PCIDevice *)s, 0, 256,
+    pci_register_bar(&s->dev, 0, 256,
                            PCI_BASE_ADDRESS_SPACE_IO, lsi_io_mapfunc);
-    pci_register_bar((struct PCIDevice *)s, 1, 0x400,
+    pci_register_bar(&s->dev, 1, 0x400,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, lsi_mmio_mapfunc);
-    pci_register_bar((struct PCIDevice *)s, 2, 0x2000,
+    pci_register_bar(&s->dev, 2, 0x2000,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, lsi_ram_mapfunc);
     QTAILQ_INIT(&s->queue);
 
diff --git a/hw/openpic.c b/hw/openpic.c
index 01bf15f..f6b8f21 100644
--- a/hw/openpic.c
+++ b/hw/openpic.c
@@ -1197,7 +1197,7 @@ qemu_irq *openpic_init (PCIBus *bus, int *pmem_index, int nb_cpus,
         pci_conf[0x3d] = 0x00; // no interrupt pin
 
         /* Register I/O spaces */
-        pci_register_bar((PCIDevice *)opp, 0, 0x40000,
+        pci_register_bar(&opp->pci_dev, 0, 0x40000,
                                PCI_BASE_ADDRESS_SPACE_MEMORY, &openpic_map);
     } else {
         opp = qemu_mallocz(sizeof(openpic_t));
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index c60fd8d..8fb2f83 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1741,7 +1741,7 @@ static int usb_ohci_initfn_pci(struct PCIDevice *dev)
     ohci->state.irq = ohci->pci_dev.irq[0];
 
     /* TODO: avoid cast below by using dev */
-    pci_register_bar((struct PCIDevice *)ohci, 0, 256,
+    pci_register_bar(&ohci->pci_dev, 0, 256,
                            PCI_BASE_ADDRESS_SPACE_MEMORY, ohci_mapfunc);
     return 0;
 }
commit bba5ed772a562fefdb218df8d821c3b537ce5759
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Fri Nov 19 13:28:45 2010 +0200

    pcie/port: fix bridge control register wmask
    
    pci generic layer initialized wmask for bridge control register
    according to pci spec. pcie deviates slightly from it,
    so initialize it properly.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie_port.c b/hw/pcie_port.c
index 117de61..340dcdb 100644
--- a/hw/pcie_port.c
+++ b/hw/pcie_port.c
@@ -27,6 +27,14 @@ void pcie_port_init_reg(PCIDevice *d)
     pci_set_word(d->config + PCI_STATUS, 0);
     pci_set_word(d->config + PCI_SEC_STATUS, 0);
 
+    /* Unlike conventional pci bridge, some bits are hardwared to 0. */
+    pci_set_word(d->wmask + PCI_BRIDGE_CONTROL,
+                 PCI_BRIDGE_CTL_PARITY |
+                 PCI_BRIDGE_CTL_ISA |
+                 PCI_BRIDGE_CTL_VGA |
+                 PCI_BRIDGE_CTL_SERR |
+                 PCI_BRIDGE_CTL_BUS_RESET);
+
     /* 7.5.3.5 Prefetchable Memory Base Limit
      * The Prefetchable Memory Base and Prefetchable Memory Limit registers
      * must indicate that 64-bit addresses are supported, as defined in
commit f6bdfcc9352e53fac5b9a144fc9ead991163484b
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Thu Nov 18 10:42:50 2010 +0200

    pci: fix bridge control bit wmask
    
    Bits 12 to 15 in bridge control register are reserver and must be
    read-only zero, curent mask is 0xffff which makes them writeable. Fix
    this up by using symbolic bit names for writeable bits instead of a
    hardcoded constant.
    
    Fix a comment w1mask -> w1cmask as well.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 00ec8ea..fc5d340 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -558,7 +558,7 @@ static void pci_init_wmask(PCIDevice *dev)
 static void pci_init_w1cmask(PCIDevice *dev)
 {
     /*
-     * Note: It's okay to set w1mask even for readonly bits as
+     * Note: It's okay to set w1cmask even for readonly bits as
      * long as their value is hardwired to 0.
      */
     pci_set_word(dev->w1cmask + PCI_STATUS,
@@ -588,7 +588,29 @@ static void pci_init_wmask_bridge(PCIDevice *d)
     /* PCI_PREF_BASE_UPPER32 and PCI_PREF_LIMIT_UPPER32 */
     memset(d->wmask + PCI_PREF_BASE_UPPER32, 0xff, 8);
 
-    pci_set_word(d->wmask + PCI_BRIDGE_CONTROL, 0xffff);
+/* TODO: add this define to pci_regs.h in linux and then in qemu. */
+#define  PCI_BRIDGE_CTL_VGA_16BIT	0x10	/* VGA 16-bit decode */
+#define  PCI_BRIDGE_CTL_DISCARD		0x100	/* Primary discard timer */
+#define  PCI_BRIDGE_CTL_SEC_DISCARD	0x200	/* Secondary discard timer */
+#define  PCI_BRIDGE_CTL_DISCARD_STATUS	0x400	/* Discard timer status */
+#define  PCI_BRIDGE_CTL_DISCARD_SERR	0x800	/* Discard timer SERR# enable */
+    pci_set_word(d->wmask + PCI_BRIDGE_CONTROL,
+                 PCI_BRIDGE_CTL_PARITY |
+                 PCI_BRIDGE_CTL_SERR |
+                 PCI_BRIDGE_CTL_ISA |
+                 PCI_BRIDGE_CTL_VGA |
+                 PCI_BRIDGE_CTL_VGA_16BIT |
+                 PCI_BRIDGE_CTL_MASTER_ABORT |
+                 PCI_BRIDGE_CTL_BUS_RESET |
+                 PCI_BRIDGE_CTL_FAST_BACK |
+                 PCI_BRIDGE_CTL_DISCARD |
+                 PCI_BRIDGE_CTL_SEC_DISCARD |
+                 PCI_BRIDGE_CTL_DISCARD_STATUS |
+                 PCI_BRIDGE_CTL_DISCARD_SERR);
+    /* Below does not do anything as we never set this bit, put here for
+     * completeness. */
+    pci_set_word(d->w1cmask + PCI_BRIDGE_CONTROL,
+                 PCI_BRIDGE_CTL_DISCARD_STATUS);
 }
 
 static int pci_init_multifunction(PCIBus *bus, PCIDevice *dev)
commit 09b926d44674cbcf198425a5b8255e3cacb398ae
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Nov 16 17:26:12 2010 +0900

    x3130/downstream: support aer.
    
    add aer support.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/xio3130_downstream.c b/hw/xio3130_downstream.c
index 854eba8..1a2d258 100644
--- a/hw/xio3130_downstream.c
+++ b/hw/xio3130_downstream.c
@@ -42,7 +42,7 @@ static void xio3130_downstream_write_config(PCIDevice *d, uint32_t address,
     pcie_cap_flr_write_config(d, address, val, len);
     pcie_cap_slot_write_config(d, address, val, len);
     msi_write_config(d, address, val, len);
-    /* TODO: AER */
+    pcie_aer_write_config(d, address, val, len);
 }
 
 static void xio3130_downstream_reset(DeviceState *qdev)
@@ -61,6 +61,7 @@ static int xio3130_downstream_initfn(PCIDevice *d)
     PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
     PCIESlot *s = DO_UPCAST(PCIESlot, port, p);
     int rc;
+    int tmp;
 
     rc = pci_bridge_initfn(d);
     if (rc < 0) {
@@ -76,17 +77,17 @@ static int xio3130_downstream_initfn(PCIDevice *d)
                   XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_64BIT,
                   XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_MASKBIT);
     if (rc < 0) {
-        return rc;
+        goto err_bridge;
     }
     rc = pci_bridge_ssvid_init(d, XIO3130_SSVID_OFFSET,
                                XIO3130_SSVID_SVID, XIO3130_SSVID_SSID);
     if (rc < 0) {
-        return rc;
+        goto err_bridge;
     }
     rc = pcie_cap_init(d, XIO3130_EXP_OFFSET, PCI_EXP_TYPE_DOWNSTREAM,
                        p->port);
     if (rc < 0) {
-        return rc;
+        goto err_msi;
     }
     pcie_cap_flr_init(d);       /* TODO: implement FLR */
     pcie_cap_deverr_init(d);
@@ -94,19 +95,38 @@ static int xio3130_downstream_initfn(PCIDevice *d)
     pcie_chassis_create(s->chassis);
     rc = pcie_chassis_add_slot(s);
     if (rc < 0) {
-        return rc;
+        goto err_pcie_cap;
     }
     pcie_cap_ari_init(d);
-    /* TODO: AER */
+    rc = pcie_aer_init(d, XIO3130_AER_OFFSET);
+    if (rc < 0) {
+        goto err;
+    }
 
     return 0;
+
+err:
+    pcie_chassis_del_slot(s);
+err_pcie_cap:
+    pcie_cap_exit(d);
+err_msi:
+    msi_uninit(d);
+err_bridge:
+    tmp = pci_bridge_exitfn(d);
+    assert(!tmp);
+    return rc;
 }
 
 static int xio3130_downstream_exitfn(PCIDevice *d)
 {
-    /* TODO: AER */
-    msi_uninit(d);
+    PCIBridge* br = DO_UPCAST(PCIBridge, dev, d);
+    PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
+    PCIESlot *s = DO_UPCAST(PCIESlot, port, p);
+
+    pcie_aer_exit(d);
+    pcie_chassis_del_slot(s);
     pcie_cap_exit(d);
+    msi_uninit(d);
     return pci_bridge_exitfn(d);
 }
 
@@ -144,7 +164,8 @@ static const VMStateDescription vmstate_xio3130_downstream = {
     .post_load = pcie_cap_slot_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_PCIE_DEVICE(port.br.dev, PCIESlot),
-        /* TODO: AER */
+        VMSTATE_STRUCT(port.br.dev.exp.aer_log, PCIESlot, 0,
+                       vmstate_pcie_aer_log, PCIEAERLog),
         VMSTATE_END_OF_LIST()
     }
 };
@@ -166,7 +187,9 @@ static PCIDeviceInfo xio3130_downstream_info = {
         DEFINE_PROP_UINT8("port", PCIESlot, port.port, 0),
         DEFINE_PROP_UINT8("chassis", PCIESlot, chassis, 0),
         DEFINE_PROP_UINT16("slot", PCIESlot, slot, 0),
-        /* TODO: AER */
+        DEFINE_PROP_UINT16("aer_log_max", PCIESlot,
+                           port.br.dev.exp.aer_log.log_max,
+                           PCIE_AER_LOG_MAX_DEFAULT),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
commit a158f92fa78b1e87e5d196b72b750fedefb7b43e
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Nov 16 17:26:11 2010 +0900

    x3130/upstream: support aer
    
    add aer support.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/xio3130_upstream.c b/hw/xio3130_upstream.c
index d9d637f..387bf6c 100644
--- a/hw/xio3130_upstream.c
+++ b/hw/xio3130_upstream.c
@@ -41,7 +41,7 @@ static void xio3130_upstream_write_config(PCIDevice *d, uint32_t address,
     pci_bridge_write_config(d, address, val, len);
     pcie_cap_flr_write_config(d, address, val, len);
     msi_write_config(d, address, val, len);
-    /* TODO: AER */
+    pcie_aer_write_config(d, address, val, len);
 }
 
 static void xio3130_upstream_reset(DeviceState *qdev)
@@ -57,6 +57,7 @@ static int xio3130_upstream_initfn(PCIDevice *d)
     PCIBridge* br = DO_UPCAST(PCIBridge, dev, d);
     PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
     int rc;
+    int tmp;
 
     rc = pci_bridge_initfn(d);
     if (rc < 0) {
@@ -72,33 +73,45 @@ static int xio3130_upstream_initfn(PCIDevice *d)
                   XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_64BIT,
                   XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_MASKBIT);
     if (rc < 0) {
-        return rc;
+        goto err_bridge;
     }
     rc = pci_bridge_ssvid_init(d, XIO3130_SSVID_OFFSET,
                                XIO3130_SSVID_SVID, XIO3130_SSVID_SSID);
     if (rc < 0) {
-        return rc;
+        goto err_bridge;
     }
     rc = pcie_cap_init(d, XIO3130_EXP_OFFSET, PCI_EXP_TYPE_UPSTREAM,
                        p->port);
     if (rc < 0) {
-        return rc;
+        goto err_msi;
     }
 
     /* TODO: implement FLR */
     pcie_cap_flr_init(d);
 
     pcie_cap_deverr_init(d);
-    /* TODO: AER */
+    rc = pcie_aer_init(d, XIO3130_AER_OFFSET);
+    if (rc < 0) {
+        goto err;
+    }
 
     return 0;
+
+err:
+    pcie_cap_exit(d);
+err_msi:
+    msi_uninit(d);
+err_bridge:
+    tmp =  pci_bridge_exitfn(d);
+    assert(!tmp);
+    return rc;
 }
 
 static int xio3130_upstream_exitfn(PCIDevice *d)
 {
-    /* TODO: AER */
-    msi_uninit(d);
+    pcie_aer_exit(d);
     pcie_cap_exit(d);
+    msi_uninit(d);
     return pci_bridge_exitfn(d);
 }
 
@@ -131,7 +144,8 @@ static const VMStateDescription vmstate_xio3130_upstream = {
     .minimum_version_id_old = 1,
     .fields = (VMStateField[]) {
         VMSTATE_PCIE_DEVICE(br.dev, PCIEPort),
-        /* TODO: AER */
+        VMSTATE_STRUCT(br.dev.exp.aer_log, PCIEPort, 0, vmstate_pcie_aer_log,
+                       PCIEAERLog),
         VMSTATE_END_OF_LIST()
     }
 };
@@ -151,7 +165,8 @@ static PCIDeviceInfo xio3130_upstream_info = {
 
     .qdev.props = (Property[]) {
         DEFINE_PROP_UINT8("port", PCIEPort, port, 0),
-        /* TODO: AER */
+        DEFINE_PROP_UINT16("aer_log_max", PCIEPort, br.dev.exp.aer_log.log_max,
+                           PCIE_AER_LOG_MAX_DEFAULT),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
commit 61620c2fff7dda789dbba513c18f534c0062062b
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Nov 16 17:26:10 2010 +0900

    ioh3420: support aer
    
    Add aer support.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/ioh3420.c b/hw/ioh3420.c
index 3cc129f..95adf09 100644
--- a/hw/ioh3420.c
+++ b/hw/ioh3420.c
@@ -36,25 +36,59 @@
 #define IOH_EP_EXP_OFFSET               0x90
 #define IOH_EP_AER_OFFSET               0x100
 
+/*
+ * If two MSI vector are allocated, Advanced Error Interrupt Message Number
+ * is 1. otherwise 0.
+ * 17.12.5.10 RPERRSTS,  32:27 bit Advanced Error Interrupt Message Number.
+ */
+static uint8_t ioh3420_aer_vector(const PCIDevice *d)
+{
+    switch (msi_nr_vectors_allocated(d)) {
+    case 1:
+        return 0;
+    case 2:
+        return 1;
+    case 4:
+    case 8:
+    case 16:
+    case 32:
+    default:
+        break;
+    }
+    abort();
+    return 0;
+}
+
+static void ioh3420_aer_vector_update(PCIDevice *d)
+{
+    pcie_aer_root_set_vector(d, ioh3420_aer_vector(d));
+}
+
 static void ioh3420_write_config(PCIDevice *d,
                                    uint32_t address, uint32_t val, int len)
 {
+    uint32_t root_cmd =
+        pci_get_long(d->config + d->exp.aer_cap + PCI_ERR_ROOT_COMMAND);
+
     pci_bridge_write_config(d, address, val, len);
     msi_write_config(d, address, val, len);
+    ioh3420_aer_vector_update(d);
     pcie_cap_slot_write_config(d, address, val, len);
-    /* TODO: AER */
+    pcie_aer_write_config(d, address, val, len);
+    pcie_aer_root_write_config(d, address, val, len, root_cmd);
 }
 
 static void ioh3420_reset(DeviceState *qdev)
 {
     PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
     msi_reset(d);
+    ioh3420_aer_vector_update(d);
     pcie_cap_root_reset(d);
     pcie_cap_deverr_reset(d);
     pcie_cap_slot_reset(d);
+    pcie_aer_root_reset(d);
     pci_bridge_reset(qdev);
     pci_bridge_disable_base_limit(d);
-    /* TODO: AER */
 }
 
 static int ioh3420_initfn(PCIDevice *d)
@@ -63,6 +97,7 @@ static int ioh3420_initfn(PCIDevice *d)
     PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
     PCIESlot *s = DO_UPCAST(PCIESlot, port, p);
     int rc;
+    int tmp;
 
     rc = pci_bridge_initfn(d);
     if (rc < 0) {
@@ -78,35 +113,57 @@ static int ioh3420_initfn(PCIDevice *d)
     rc = pci_bridge_ssvid_init(d, IOH_EP_SSVID_OFFSET,
                                IOH_EP_SSVID_SVID, IOH_EP_SSVID_SSID);
     if (rc < 0) {
-        return rc;
+        goto err_bridge;
     }
     rc = msi_init(d, IOH_EP_MSI_OFFSET, IOH_EP_MSI_NR_VECTOR,
                   IOH_EP_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_64BIT,
                   IOH_EP_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_MASKBIT);
     if (rc < 0) {
-        return rc;
+        goto err_bridge;
     }
     rc = pcie_cap_init(d, IOH_EP_EXP_OFFSET, PCI_EXP_TYPE_ROOT_PORT, p->port);
     if (rc < 0) {
-        return rc;
+        goto err_msi;
     }
     pcie_cap_deverr_init(d);
     pcie_cap_slot_init(d, s->slot);
     pcie_chassis_create(s->chassis);
     rc = pcie_chassis_add_slot(s);
     if (rc < 0) {
+        goto err_pcie_cap;
         return rc;
     }
     pcie_cap_root_init(d);
-    /* TODO: AER */
+    rc = pcie_aer_init(d, IOH_EP_AER_OFFSET);
+    if (rc < 0) {
+        goto err;
+    }
+    pcie_aer_root_init(d);
+    ioh3420_aer_vector_update(d);
     return 0;
+
+err:
+    pcie_chassis_del_slot(s);
+err_pcie_cap:
+    pcie_cap_exit(d);
+err_msi:
+    msi_uninit(d);
+err_bridge:
+    tmp = pci_bridge_exitfn(d);
+    assert(!tmp);
+    return rc;
 }
 
 static int ioh3420_exitfn(PCIDevice *d)
 {
-    /* TODO: AER */
-    msi_uninit(d);
+    PCIBridge* br = DO_UPCAST(PCIBridge, dev, d);
+    PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
+    PCIESlot *s = DO_UPCAST(PCIESlot, port, p);
+
+    pcie_aer_exit(d);
+    pcie_chassis_del_slot(s);
     pcie_cap_exit(d);
+    msi_uninit(d);
     return pci_bridge_exitfn(d);
 }
 
@@ -142,7 +199,8 @@ static const VMStateDescription vmstate_ioh3420 = {
     .post_load = pcie_cap_slot_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_PCIE_DEVICE(port.br.dev, PCIESlot),
-        /* TODO: AER */
+        VMSTATE_STRUCT(port.br.dev.exp.aer_log, PCIESlot, 0,
+                       vmstate_pcie_aer_log, PCIEAERLog),
         VMSTATE_END_OF_LIST()
     }
 };
@@ -164,7 +222,9 @@ static PCIDeviceInfo ioh3420_info = {
         DEFINE_PROP_UINT8("port", PCIESlot, port.port, 0),
         DEFINE_PROP_UINT8("chassis", PCIESlot, chassis, 0),
         DEFINE_PROP_UINT16("slot", PCIESlot, slot, 0),
-        /* TODO: AER */
+        DEFINE_PROP_UINT16("aer_log_max", PCIESlot,
+                           port.br.dev.exp.aer_log.log_max,
+                           PCIE_AER_LOG_MAX_DEFAULT),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
commit d33d9156fdffb87c99564c9630023da52c66f37a
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Nov 17 15:45:39 2010 +0200

    pcie_aer: complete unwinding recursion
    
    Open-code functions created in the previous patch,
    to make code more compact and clear.
    Detcted and documented what looks like a bug in code
    that becomes apparent from this refactoring.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index c565d39..235ac53 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -215,33 +215,6 @@ pcie_aer_msg_alldev(PCIDevice *dev, const PCIEAERMsg *msg)
     return true;
 }
 
-/* Get parent port to send up error message on.
- * TODO: clean up and open-code this logic */
-static PCIDevice *pcie_aer_parent_port(PCIDevice *dev)
-{
-    PCIDevice *parent_port;
-    if (pci_is_express(dev) &&
-        pcie_cap_get_type(dev) == PCI_EXP_TYPE_ROOT_PORT) {
-        /* Root port can notify system itself,
-           or send the error message to root complex event collector. */
-        /*
-         * if root port is associated with an event collector,
-         * return the root complex event collector here.
-         * For now root complex event collector isn't supported.
-         */
-        parent_port = NULL;
-    } else {
-        parent_port = pci_bridge_get_device(dev->bus);
-    }
-    if (parent_port) {
-        if (!pci_is_express(parent_port)) {
-            /* just ignore it */
-            return NULL;
-        }
-    }
-    return parent_port;
-}
-
 /*
  * return value:
  * true: error message is sent up
@@ -381,41 +354,42 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
 /*
  * 6.2.6 Error Message Control Figure 6-3
  *
- * Returns true in case the error needs to
- * be propagated up.
- * TODO: open-code.
+ * Walk up the bus tree from the device, propagate the error message.
  */
-static bool pcie_send_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
+static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
 {
     uint8_t type;
-    bool msg_sent;
-
-    assert(pci_is_express(dev));
 
-    type = pcie_cap_get_type(dev);
-    if (type == PCI_EXP_TYPE_ROOT_PORT ||
-        type == PCI_EXP_TYPE_UPSTREAM ||
-        type == PCI_EXP_TYPE_DOWNSTREAM) {
-        msg_sent = pcie_aer_msg_vbridge(dev, msg);
-        if (!msg_sent) {
+    while (dev) {
+        if (!pci_is_express(dev)) {
+            /* just ignore it */
+            /* TODO: Shouldn't we set PCI_STATUS_SIG_SYSTEM_ERROR?
+             * Consider e.g. a PCI bridge above a PCI Express device. */
             return;
         }
-    }
-    msg_sent = pcie_aer_msg_alldev(dev, msg);
-    if (type == PCI_EXP_TYPE_ROOT_PORT && msg_sent) {
-        pcie_aer_msg_root_port(dev, msg);
-    }
-    return msg_sent;
-}
 
-static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
-{
-    bool send_to_parent;
-    while (dev) {
-        if (!pcie_send_aer_msg(dev, msg)) {
+        type = pcie_cap_get_type(dev);
+        if ((type == PCI_EXP_TYPE_ROOT_PORT ||
+            type == PCI_EXP_TYPE_UPSTREAM ||
+            type == PCI_EXP_TYPE_DOWNSTREAM) &&
+            !pcie_aer_msg_vbridge(dev, msg)) {
+                return;
+        }
+        if (!pcie_aer_msg_alldev(dev, msg)) {
+            return;
+        }
+        if (type == PCI_EXP_TYPE_ROOT_PORT) {
+            pcie_aer_msg_root_port(dev, msg);
+            /* Root port can notify system itself,
+               or send the error message to root complex event collector. */
+            /*
+             * if root port is associated with an event collector,
+             * return the root complex event collector here.
+             * For now root complex event collector isn't supported.
+             */
             return;
         }
-        dev =  pcie_aer_parent_port(dev);
+        dev = pci_bridge_get_device(dev->bus);
     }
 }
 
commit 247c97f3f5ab0dae60778a2dea438bfed5c69e68
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Nov 17 15:02:26 2010 +0200

    pcie_aer: get rid of recursion
    
    Added some TODOs: they are trivial but omitted here
    to make the patch logic as transparent as possible.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
index acf826a..c565d39 100644
--- a/hw/pcie_aer.c
+++ b/hw/pcie_aer.c
@@ -176,14 +176,8 @@ static void pcie_aer_update_uncor_status(PCIDevice *dev)
 }
 
 /*
- * pcie_aer_msg() is called recursively by
- * pcie_aer_msg_alldev(), pci_aer_msg_vbridge() and pcie_aer_msg_root_port()
- */
-static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg);
-
-/*
  * return value:
- * true: error message is sent up
+ * true: error message needs to be sent up
  * false: error message is masked
  *
  * 6.2.6 Error Message Control
@@ -193,8 +187,6 @@ static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg);
 static bool
 pcie_aer_msg_alldev(PCIDevice *dev, const PCIEAERMsg *msg)
 {
-    PCIDevice *parent_port;
-
     if (!(pcie_aer_msg_is_uncor(msg) &&
           (pci_get_word(dev->config + PCI_COMMAND) & PCI_COMMAND_SERR))) {
         return false;
@@ -220,13 +212,21 @@ pcie_aer_msg_alldev(PCIDevice *dev, const PCIEAERMsg *msg)
     }
 
     /* send up error message */
+    return true;
+}
+
+/* Get parent port to send up error message on.
+ * TODO: clean up and open-code this logic */
+static PCIDevice *pcie_aer_parent_port(PCIDevice *dev)
+{
+    PCIDevice *parent_port;
     if (pci_is_express(dev) &&
         pcie_cap_get_type(dev) == PCI_EXP_TYPE_ROOT_PORT) {
-        /* Root port notify system itself,
+        /* Root port can notify system itself,
            or send the error message to root complex event collector. */
         /*
-         * if root port is associated to event collector, set
-         * parent_port = root complex event collector
+         * if root port is associated with an event collector,
+         * return the root complex event collector here.
          * For now root complex event collector isn't supported.
          */
         parent_port = NULL;
@@ -236,11 +236,10 @@ pcie_aer_msg_alldev(PCIDevice *dev, const PCIEAERMsg *msg)
     if (parent_port) {
         if (!pci_is_express(parent_port)) {
             /* just ignore it */
-            return false;
+            return NULL;
         }
-        pcie_aer_msg(parent_port, msg);
     }
-    return true;
+    return parent_port;
 }
 
 /*
@@ -381,8 +380,12 @@ static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
 
 /*
  * 6.2.6 Error Message Control Figure 6-3
+ *
+ * Returns true in case the error needs to
+ * be propagated up.
+ * TODO: open-code.
  */
-static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
+static bool pcie_send_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
 {
     uint8_t type;
     bool msg_sent;
@@ -402,6 +405,18 @@ static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
     if (type == PCI_EXP_TYPE_ROOT_PORT && msg_sent) {
         pcie_aer_msg_root_port(dev, msg);
     }
+    return msg_sent;
+}
+
+static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
+{
+    bool send_to_parent;
+    while (dev) {
+        if (!pcie_send_aer_msg(dev, msg)) {
+            return;
+        }
+        dev =  pcie_aer_parent_port(dev);
+    }
 }
 
 static void pcie_aer_update_log(PCIDevice *dev, const PCIEAERErr *err)
@@ -824,4 +839,3 @@ const VMStateDescription vmstate_pcie_aer_log = {
         VMSTATE_END_OF_LIST()
     }
 };
-
commit 34e65944c0351fabcd82aa8c85018980c7e87bff
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Nov 16 17:26:09 2010 +0900

    pcie/aer: helper functions for pcie aer capability
    
    This patch implements helper functions for pcie aer capability
    which will be used later.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index faf485e..c5919af 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -207,7 +207,7 @@ hw-obj-$(CONFIG_PIIX4) += piix4.o
 # PCI watchdog devices
 hw-obj-y += wdt_i6300esb.o
 
-hw-obj-y += pcie.o pcie_port.o
+hw-obj-y += pcie.o pcie_aer.o pcie_port.o
 hw-obj-y += msix.o msi.o
 
 # PCI network cards
diff --git a/hw/pcie.h b/hw/pcie.h
index 8708504..7baa813 100644
--- a/hw/pcie.h
+++ b/hw/pcie.h
@@ -24,6 +24,7 @@
 #include "hw.h"
 #include "pci_regs.h"
 #include "pcie_regs.h"
+#include "pcie_aer.h"
 
 typedef enum {
     /* for attention and power indicator */
@@ -79,6 +80,19 @@ struct PCIExpressDevice {
                          Software Notification of Hot-Plug Events, an interrupt
                          is sent whenever the logical and of these conditions
                          transitions from false to true. */
+
+    /* AER */
+    uint16_t aer_cap;
+    PCIEAERLog aer_log;
+    unsigned int aer_intx;      /* INTx for error reporting
+                                 * default is 0 = INTA#
+                                 * If the chip wants to use other interrupt
+                                 * line, initialize this member with the
+                                 * desired number.
+                                 * If the chip dynamically changes this member,
+                                 * also initialize it when loaded as
+                                 * appropreately.
+                                 */
 };
 
 /* PCI express capability helper functions */
diff --git a/hw/pcie_aer.c b/hw/pcie_aer.c
new file mode 100644
index 0000000..acf826a
--- /dev/null
+++ b/hw/pcie_aer.c
@@ -0,0 +1,827 @@
+/*
+ * pcie_aer.c
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sysemu.h"
+#include "pci_bridge.h"
+#include "pcie.h"
+#include "msix.h"
+#include "msi.h"
+#include "pci_internals.h"
+#include "pcie_regs.h"
+
+//#define DEBUG_PCIE
+#ifdef DEBUG_PCIE
+# define PCIE_DPRINTF(fmt, ...)                                         \
+    fprintf(stderr, "%s:%d " fmt, __func__, __LINE__, ## __VA_ARGS__)
+#else
+# define PCIE_DPRINTF(fmt, ...) do {} while (0)
+#endif
+#define PCIE_DEV_PRINTF(dev, fmt, ...)                                  \
+    PCIE_DPRINTF("%s:%x "fmt, (dev)->name, (dev)->devfn, ## __VA_ARGS__)
+
+/* From 6.2.7 Error Listing and Rules. Table 6-2, 6-3 and 6-4 */
+static uint32_t pcie_aer_uncor_default_severity(uint32_t status)
+{
+    switch (status) {
+    case PCI_ERR_UNC_INTN:
+    case PCI_ERR_UNC_DLP:
+    case PCI_ERR_UNC_SDN:
+    case PCI_ERR_UNC_RX_OVER:
+    case PCI_ERR_UNC_FCP:
+    case PCI_ERR_UNC_MALF_TLP:
+        return PCI_ERR_ROOT_CMD_FATAL_EN;
+    case PCI_ERR_UNC_POISON_TLP:
+    case PCI_ERR_UNC_ECRC:
+    case PCI_ERR_UNC_UNSUP:
+    case PCI_ERR_UNC_COMP_TIME:
+    case PCI_ERR_UNC_COMP_ABORT:
+    case PCI_ERR_UNC_UNX_COMP:
+    case PCI_ERR_UNC_ACSV:
+    case PCI_ERR_UNC_MCBTLP:
+    case PCI_ERR_UNC_ATOP_EBLOCKED:
+    case PCI_ERR_UNC_TLP_PRF_BLOCKED:
+        return PCI_ERR_ROOT_CMD_NONFATAL_EN;
+    default:
+        abort();
+        break;
+    }
+    return PCI_ERR_ROOT_CMD_FATAL_EN;
+}
+
+static int aer_log_add_err(PCIEAERLog *aer_log, const PCIEAERErr *err)
+{
+    if (aer_log->log_num == aer_log->log_max) {
+        return -1;
+    }
+    memcpy(&aer_log->log[aer_log->log_num], err, sizeof *err);
+    aer_log->log_num++;
+    return 0;
+}
+
+static void aer_log_del_err(PCIEAERLog *aer_log, PCIEAERErr *err)
+{
+    assert(aer_log->log_num);
+    *err = aer_log->log[0];
+    aer_log->log_num--;
+    memmove(&aer_log->log[0], &aer_log->log[1],
+            aer_log->log_num * sizeof *err);
+}
+
+static void aer_log_clear_all_err(PCIEAERLog *aer_log)
+{
+    aer_log->log_num = 0;
+}
+
+int pcie_aer_init(PCIDevice *dev, uint16_t offset)
+{
+    PCIExpressDevice *exp;
+
+    pcie_add_capability(dev, PCI_EXT_CAP_ID_ERR, PCI_ERR_VER,
+                        offset, PCI_ERR_SIZEOF);
+    exp = &dev->exp;
+    exp->aer_cap = offset;
+
+    /* log_max is property */
+    if (dev->exp.aer_log.log_max == PCIE_AER_LOG_MAX_UNSET) {
+        dev->exp.aer_log.log_max = PCIE_AER_LOG_MAX_DEFAULT;
+    }
+    /* clip down the value to avoid unreasobale memory usage */
+    if (dev->exp.aer_log.log_max > PCIE_AER_LOG_MAX_LIMIT) {
+        return -EINVAL;
+    }
+    dev->exp.aer_log.log = qemu_mallocz(sizeof dev->exp.aer_log.log[0] *
+                                        dev->exp.aer_log.log_max);
+
+    pci_set_long(dev->w1cmask + offset + PCI_ERR_UNCOR_STATUS,
+                 PCI_ERR_UNC_SUPPORTED);
+
+    pci_set_long(dev->config + offset + PCI_ERR_UNCOR_SEVER,
+                 PCI_ERR_UNC_SEVERITY_DEFAULT);
+    pci_set_long(dev->wmask + offset + PCI_ERR_UNCOR_SEVER,
+                 PCI_ERR_UNC_SUPPORTED);
+
+    pci_long_test_and_set_mask(dev->w1cmask + offset + PCI_ERR_COR_STATUS,
+                               PCI_ERR_COR_STATUS);
+
+    pci_set_long(dev->config + offset + PCI_ERR_COR_MASK,
+                 PCI_ERR_COR_MASK_DEFAULT);
+    pci_set_long(dev->wmask + offset + PCI_ERR_COR_MASK,
+                 PCI_ERR_COR_SUPPORTED);
+
+    /* capabilities and control. multiple header logging is supported */
+    if (dev->exp.aer_log.log_max > 0) {
+        pci_set_long(dev->config + offset + PCI_ERR_CAP,
+                     PCI_ERR_CAP_ECRC_GENC | PCI_ERR_CAP_ECRC_CHKC |
+                     PCI_ERR_CAP_MHRC);
+        pci_set_long(dev->wmask + offset + PCI_ERR_CAP,
+                     PCI_ERR_CAP_ECRC_GENE | PCI_ERR_CAP_ECRC_CHKE |
+                     PCI_ERR_CAP_MHRE);
+    } else {
+        pci_set_long(dev->config + offset + PCI_ERR_CAP,
+                     PCI_ERR_CAP_ECRC_GENC | PCI_ERR_CAP_ECRC_CHKC);
+        pci_set_long(dev->wmask + offset + PCI_ERR_CAP,
+                     PCI_ERR_CAP_ECRC_GENE | PCI_ERR_CAP_ECRC_CHKE);
+    }
+
+    switch (pcie_cap_get_type(dev)) {
+    case PCI_EXP_TYPE_ROOT_PORT:
+        /* this case will be set by pcie_aer_root_init() */
+        /* fallthrough */
+    case PCI_EXP_TYPE_DOWNSTREAM:
+    case PCI_EXP_TYPE_UPSTREAM:
+        pci_word_test_and_set_mask(dev->wmask + PCI_BRIDGE_CONTROL,
+                                   PCI_BRIDGE_CTL_SERR);
+        pci_long_test_and_set_mask(dev->w1cmask + PCI_STATUS,
+                                   PCI_SEC_STATUS_RCV_SYSTEM_ERROR);
+        break;
+    default:
+        /* nothing */
+        break;
+    }
+    return 0;
+}
+
+void pcie_aer_exit(PCIDevice *dev)
+{
+    qemu_free(dev->exp.aer_log.log);
+}
+
+static void pcie_aer_update_uncor_status(PCIDevice *dev)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    PCIEAERLog *aer_log = &dev->exp.aer_log;
+
+    uint16_t i;
+    for (i = 0; i < aer_log->log_num; i++) {
+        pci_long_test_and_set_mask(aer_cap + PCI_ERR_UNCOR_STATUS,
+                                   dev->exp.aer_log.log[i].status);
+    }
+}
+
+/*
+ * pcie_aer_msg() is called recursively by
+ * pcie_aer_msg_alldev(), pci_aer_msg_vbridge() and pcie_aer_msg_root_port()
+ */
+static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg);
+
+/*
+ * return value:
+ * true: error message is sent up
+ * false: error message is masked
+ *
+ * 6.2.6 Error Message Control
+ * Figure 6-3
+ * all pci express devices part
+ */
+static bool
+pcie_aer_msg_alldev(PCIDevice *dev, const PCIEAERMsg *msg)
+{
+    PCIDevice *parent_port;
+
+    if (!(pcie_aer_msg_is_uncor(msg) &&
+          (pci_get_word(dev->config + PCI_COMMAND) & PCI_COMMAND_SERR))) {
+        return false;
+    }
+
+    /* Signaled System Error
+     *
+     * 7.5.1.1 Command register
+     * Bit 8 SERR# Enable
+     *
+     * When Set, this bit enables reporting of Non-fatal and Fatal
+     * errors detected by the Function to the Root Complex. Note that
+     * errors are reported if enabled either through this bit or through
+     * the PCI Express specific bits in the Device Control register (see
+     * Section 7.8.4).
+     */
+    pci_word_test_and_set_mask(dev->config + PCI_STATUS,
+                               PCI_STATUS_SIG_SYSTEM_ERROR);
+
+    if (!(msg->severity &
+          pci_get_word(dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL))) {
+        return false;
+    }
+
+    /* send up error message */
+    if (pci_is_express(dev) &&
+        pcie_cap_get_type(dev) == PCI_EXP_TYPE_ROOT_PORT) {
+        /* Root port notify system itself,
+           or send the error message to root complex event collector. */
+        /*
+         * if root port is associated to event collector, set
+         * parent_port = root complex event collector
+         * For now root complex event collector isn't supported.
+         */
+        parent_port = NULL;
+    } else {
+        parent_port = pci_bridge_get_device(dev->bus);
+    }
+    if (parent_port) {
+        if (!pci_is_express(parent_port)) {
+            /* just ignore it */
+            return false;
+        }
+        pcie_aer_msg(parent_port, msg);
+    }
+    return true;
+}
+
+/*
+ * return value:
+ * true: error message is sent up
+ * false: error message is masked
+ *
+ * 6.2.6 Error Message Control
+ * Figure 6-3
+ * virtual pci bridge part
+ */
+static bool pcie_aer_msg_vbridge(PCIDevice *dev, const PCIEAERMsg *msg)
+{
+    uint16_t bridge_control = pci_get_word(dev->config + PCI_BRIDGE_CONTROL);
+
+    if (pcie_aer_msg_is_uncor(msg)) {
+        /* Received System Error */
+        pci_word_test_and_set_mask(dev->config + PCI_SEC_STATUS,
+                                   PCI_SEC_STATUS_RCV_SYSTEM_ERROR);
+    }
+
+    if (!(bridge_control & PCI_BRIDGE_CTL_SERR)) {
+        return false;
+    }
+    return true;
+}
+
+void pcie_aer_root_set_vector(PCIDevice *dev, unsigned int vector)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    assert(vector < PCI_ERR_ROOT_IRQ_MAX);
+    pci_long_test_and_clear_mask(aer_cap + PCI_ERR_ROOT_STATUS,
+                                 PCI_ERR_ROOT_IRQ);
+    pci_long_test_and_set_mask(aer_cap + PCI_ERR_ROOT_STATUS,
+                               vector << PCI_ERR_ROOT_IRQ_SHIFT);
+}
+
+static unsigned int pcie_aer_root_get_vector(PCIDevice *dev)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    uint32_t root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
+    return (root_status & PCI_ERR_ROOT_IRQ) >> PCI_ERR_ROOT_IRQ_SHIFT;
+}
+
+/*
+ * return value:
+ * true: error message is sent up
+ * false: error message is masked
+ *
+ * 6.2.6 Error Message Control
+ * Figure 6-3
+ * root port part
+ */
+static bool pcie_aer_msg_root_port(PCIDevice *dev, const PCIEAERMsg *msg)
+{
+    bool msg_sent;
+    uint16_t cmd;
+    uint8_t *aer_cap;
+    uint32_t root_cmd;
+    uint32_t root_status;
+    bool msi_trigger;
+
+    msg_sent = false;
+    cmd = pci_get_word(dev->config + PCI_COMMAND);
+    aer_cap = dev->config + dev->exp.aer_cap;
+    root_cmd = pci_get_long(aer_cap + PCI_ERR_ROOT_COMMAND);
+    root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
+    msi_trigger = false;
+
+    if (cmd & PCI_COMMAND_SERR) {
+        /* System Error.
+         *
+         * The way to report System Error is platform specific and
+         * it isn't implemented in qemu right now.
+         * So just discard the error for now.
+         * OS which cares of aer would receive errors via
+         * native aer mechanims, so this wouldn't matter.
+         */
+    }
+
+    /* Errro Message Received: Root Error Status register */
+    switch (msg->severity) {
+    case PCI_ERR_ROOT_CMD_COR_EN:
+        if (root_status & PCI_ERR_ROOT_COR_RCV) {
+            root_status |= PCI_ERR_ROOT_MULTI_COR_RCV;
+        } else {
+            if (root_cmd & PCI_ERR_ROOT_CMD_COR_EN) {
+                msi_trigger = true;
+            }
+            pci_set_word(aer_cap + PCI_ERR_ROOT_COR_SRC, msg->source_id);
+        }
+        root_status |= PCI_ERR_ROOT_COR_RCV;
+        break;
+    case PCI_ERR_ROOT_CMD_NONFATAL_EN:
+        if (!(root_status & PCI_ERR_ROOT_NONFATAL_RCV) &&
+            root_cmd & PCI_ERR_ROOT_CMD_NONFATAL_EN) {
+            msi_trigger = true;
+        }
+        root_status |= PCI_ERR_ROOT_NONFATAL_RCV;
+        break;
+    case PCI_ERR_ROOT_CMD_FATAL_EN:
+        if (!(root_status & PCI_ERR_ROOT_FATAL_RCV) &&
+            root_cmd & PCI_ERR_ROOT_CMD_FATAL_EN) {
+            msi_trigger = true;
+        }
+        if (!(root_status & PCI_ERR_ROOT_UNCOR_RCV)) {
+            root_status |= PCI_ERR_ROOT_FIRST_FATAL;
+        }
+        root_status |= PCI_ERR_ROOT_FATAL_RCV;
+        break;
+    default:
+        abort();
+        break;
+    }
+    if (pcie_aer_msg_is_uncor(msg)) {
+        if (root_status & PCI_ERR_ROOT_UNCOR_RCV) {
+            root_status |= PCI_ERR_ROOT_MULTI_UNCOR_RCV;
+        } else {
+            pci_set_word(aer_cap + PCI_ERR_ROOT_SRC, msg->source_id);
+        }
+        root_status |= PCI_ERR_ROOT_UNCOR_RCV;
+    }
+    pci_set_long(aer_cap + PCI_ERR_ROOT_STATUS, root_status);
+
+    if (root_cmd & msg->severity) {
+        /* 6.2.4.1.2 Interrupt Generation */
+        if (pci_msi_enabled(dev)) {
+            if (msi_trigger) {
+                pci_msi_notify(dev, pcie_aer_root_get_vector(dev));
+            }
+        } else {
+            qemu_set_irq(dev->irq[dev->exp.aer_intx], 1);
+        }
+        msg_sent = true;
+    }
+    return msg_sent;
+}
+
+/*
+ * 6.2.6 Error Message Control Figure 6-3
+ */
+static void pcie_aer_msg(PCIDevice *dev, const PCIEAERMsg *msg)
+{
+    uint8_t type;
+    bool msg_sent;
+
+    assert(pci_is_express(dev));
+
+    type = pcie_cap_get_type(dev);
+    if (type == PCI_EXP_TYPE_ROOT_PORT ||
+        type == PCI_EXP_TYPE_UPSTREAM ||
+        type == PCI_EXP_TYPE_DOWNSTREAM) {
+        msg_sent = pcie_aer_msg_vbridge(dev, msg);
+        if (!msg_sent) {
+            return;
+        }
+    }
+    msg_sent = pcie_aer_msg_alldev(dev, msg);
+    if (type == PCI_EXP_TYPE_ROOT_PORT && msg_sent) {
+        pcie_aer_msg_root_port(dev, msg);
+    }
+}
+
+static void pcie_aer_update_log(PCIDevice *dev, const PCIEAERErr *err)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    uint8_t first_bit = ffsl(err->status) - 1;
+    uint32_t errcap = pci_get_long(aer_cap + PCI_ERR_CAP);
+    int i;
+
+    assert(err->status);
+    assert(err->status & (err->status - 1));
+
+    errcap &= ~(PCI_ERR_CAP_FEP_MASK | PCI_ERR_CAP_TLP);
+    errcap |= PCI_ERR_CAP_FEP(first_bit);
+
+    if (err->flags & PCIE_AER_ERR_HEADER_VALID) {
+        for (i = 0; i < ARRAY_SIZE(err->header); ++i) {
+            /* 7.10.8 Header Log Register */
+            uint8_t *header_log =
+                aer_cap + PCI_ERR_HEADER_LOG + i * sizeof err->header[0];
+            cpu_to_be32wu((uint32_t*)header_log, err->header[i]);
+        }
+    } else {
+        assert(!(err->flags & PCIE_AER_ERR_TLP_PREFIX_PRESENT));
+        memset(aer_cap + PCI_ERR_HEADER_LOG, 0, PCI_ERR_HEADER_LOG_SIZE);
+    }
+
+    if ((err->flags & PCIE_AER_ERR_TLP_PREFIX_PRESENT) &&
+        (pci_get_long(dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL2) &
+         PCI_EXP_DEVCAP2_EETLPP)) {
+        for (i = 0; i < ARRAY_SIZE(err->prefix); ++i) {
+            /* 7.10.12 tlp prefix log register */
+            uint8_t *prefix_log =
+                aer_cap + PCI_ERR_TLP_PREFIX_LOG + i * sizeof err->prefix[0];
+            cpu_to_be32wu((uint32_t*)prefix_log, err->prefix[i]);
+        }
+        errcap |= PCI_ERR_CAP_TLP;
+    } else {
+        memset(aer_cap + PCI_ERR_TLP_PREFIX_LOG, 0,
+               PCI_ERR_TLP_PREFIX_LOG_SIZE);
+    }
+    pci_set_long(aer_cap + PCI_ERR_CAP, errcap);
+}
+
+static void pcie_aer_clear_log(PCIDevice *dev)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+
+    pci_long_test_and_clear_mask(aer_cap + PCI_ERR_CAP,
+                                 PCI_ERR_CAP_FEP_MASK | PCI_ERR_CAP_TLP);
+
+    memset(aer_cap + PCI_ERR_HEADER_LOG, 0, PCI_ERR_HEADER_LOG_SIZE);
+    memset(aer_cap + PCI_ERR_TLP_PREFIX_LOG, 0, PCI_ERR_TLP_PREFIX_LOG_SIZE);
+}
+
+static void pcie_aer_clear_error(PCIDevice *dev)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    uint32_t errcap = pci_get_long(aer_cap + PCI_ERR_CAP);
+    PCIEAERLog *aer_log = &dev->exp.aer_log;
+    PCIEAERErr err;
+
+    if (!(errcap & PCI_ERR_CAP_MHRE) || !aer_log->log_num) {
+        pcie_aer_clear_log(dev);
+        return;
+    }
+
+    /*
+     * If more errors are queued, set corresponding bits in uncorrectable
+     * error status.
+     * We emulate uncorrectable error status register as W1CS.
+     * So set bit in uncorrectable error status here again for multiple
+     * error recording support.
+     *
+     * 6.2.4.2 Multiple Error Handling(Advanced Error Reporting Capability)
+     */
+    pcie_aer_update_uncor_status(dev);
+
+    aer_log_del_err(aer_log, &err);
+    pcie_aer_update_log(dev, &err);
+}
+
+static int pcie_aer_record_error(PCIDevice *dev,
+                                 const PCIEAERErr *err)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    uint32_t errcap = pci_get_long(aer_cap + PCI_ERR_CAP);
+    int fep = PCI_ERR_CAP_FEP(errcap);
+
+    assert(err->status);
+    assert(err->status & (err->status - 1));
+
+    if (errcap & PCI_ERR_CAP_MHRE &&
+        (pci_get_long(aer_cap + PCI_ERR_UNCOR_STATUS) & (1U << fep))) {
+        /*  Not first error. queue error */
+        if (aer_log_add_err(&dev->exp.aer_log, err) < 0) {
+            /* overflow */
+            return -1;
+        }
+        return 0;
+    }
+
+    pcie_aer_update_log(dev, err);
+    return 0;
+}
+
+typedef struct PCIEAERInject {
+    PCIDevice *dev;
+    uint8_t *aer_cap;
+    const PCIEAERErr *err;
+    uint16_t devctl;
+    uint16_t devsta;
+    uint32_t error_status;
+    bool unsupported_request;
+    bool log_overflow;
+    PCIEAERMsg msg;
+} PCIEAERInject;
+
+static bool pcie_aer_inject_cor_error(PCIEAERInject *inj,
+                                      uint32_t uncor_status,
+                                      bool is_advisory_nonfatal)
+{
+    PCIDevice *dev = inj->dev;
+
+    inj->devsta |= PCI_EXP_DEVSTA_CED;
+    if (inj->unsupported_request) {
+        inj->devsta |= PCI_EXP_DEVSTA_URD;
+    }
+    pci_set_word(dev->config + dev->exp.exp_cap + PCI_EXP_DEVSTA, inj->devsta);
+
+    if (inj->aer_cap) {
+        uint32_t mask;
+        pci_long_test_and_set_mask(inj->aer_cap + PCI_ERR_COR_STATUS,
+                                   inj->error_status);
+        mask = pci_get_long(inj->aer_cap + PCI_ERR_COR_MASK);
+        if (mask & inj->error_status) {
+            return false;
+        }
+        if (is_advisory_nonfatal) {
+            uint32_t uncor_mask =
+                pci_get_long(inj->aer_cap + PCI_ERR_UNCOR_MASK);
+            if (!(uncor_mask & uncor_status)) {
+                inj->log_overflow = !!pcie_aer_record_error(dev, inj->err);
+            }
+            pci_long_test_and_set_mask(inj->aer_cap + PCI_ERR_UNCOR_STATUS,
+                                       uncor_status);
+        }
+    }
+
+    if (inj->unsupported_request && !(inj->devctl & PCI_EXP_DEVCTL_URRE)) {
+        return false;
+    }
+    if (!(inj->devctl & PCI_EXP_DEVCTL_CERE)) {
+        return false;
+    }
+
+    inj->msg.severity = PCI_ERR_ROOT_CMD_COR_EN;
+    return true;
+}
+
+static bool pcie_aer_inject_uncor_error(PCIEAERInject *inj, bool is_fatal)
+{
+    PCIDevice *dev = inj->dev;
+    uint16_t cmd;
+
+    if (is_fatal) {
+        inj->devsta |= PCI_EXP_DEVSTA_FED;
+    } else {
+        inj->devsta |= PCI_EXP_DEVSTA_NFED;
+    }
+    if (inj->unsupported_request) {
+        inj->devsta |= PCI_EXP_DEVSTA_URD;
+    }
+    pci_set_long(dev->config + dev->exp.exp_cap + PCI_EXP_DEVSTA, inj->devsta);
+
+    if (inj->aer_cap) {
+        uint32_t mask = pci_get_long(inj->aer_cap + PCI_ERR_UNCOR_MASK);
+        if (mask & inj->error_status) {
+            pci_long_test_and_set_mask(inj->aer_cap + PCI_ERR_UNCOR_STATUS,
+                                       inj->error_status);
+            return false;
+        }
+
+        inj->log_overflow = !!pcie_aer_record_error(dev, inj->err);
+        pci_long_test_and_set_mask(inj->aer_cap + PCI_ERR_UNCOR_STATUS,
+                                   inj->error_status);
+    }
+
+    cmd = pci_get_word(dev->config + PCI_COMMAND);
+    if (inj->unsupported_request &&
+        !(inj->devctl & PCI_EXP_DEVCTL_URRE) && !(cmd & PCI_COMMAND_SERR)) {
+        return false;
+    }
+    if (is_fatal) {
+        if (!((cmd & PCI_COMMAND_SERR) ||
+              (inj->devctl & PCI_EXP_DEVCTL_FERE))) {
+            return false;
+        }
+        inj->msg.severity = PCI_ERR_ROOT_CMD_FATAL_EN;
+    } else {
+        if (!((cmd & PCI_COMMAND_SERR) ||
+              (inj->devctl & PCI_EXP_DEVCTL_NFERE))) {
+            return false;
+        }
+        inj->msg.severity = PCI_ERR_ROOT_CMD_NONFATAL_EN;
+    }
+    return true;
+}
+
+/*
+ * non-Function specific error must be recorded in all functions.
+ * It is the responsibility of the caller of this function.
+ * It is also caller's responsiblity to determine which function should
+ * report the rerror.
+ *
+ * 6.2.4 Error Logging
+ * 6.2.5 Sqeunce of Device Error Signaling and Logging Operations
+ * table 6-2: Flowchard Showing Sequence of Device Error Signaling and Logging
+ *            Operations
+ */
+int pcie_aer_inject_error(PCIDevice *dev, const PCIEAERErr *err)
+{
+    uint8_t *aer_cap = NULL;
+    uint16_t devctl = 0;
+    uint16_t devsta = 0;
+    uint32_t error_status = err->status;
+    PCIEAERInject inj;
+
+    if (!pci_is_express(dev)) {
+        return -ENOSYS;
+    }
+
+    if (err->flags & PCIE_AER_ERR_IS_CORRECTABLE) {
+        error_status &= PCI_ERR_COR_SUPPORTED;
+    } else {
+        error_status &= PCI_ERR_UNC_SUPPORTED;
+    }
+
+    /* invalid status bit. one and only one bit must be set */
+    if (!error_status || (error_status & (error_status - 1))) {
+        return -EINVAL;
+    }
+
+    if (dev->exp.aer_cap) {
+        uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
+        aer_cap = dev->config + dev->exp.aer_cap;
+        devctl = pci_get_long(exp_cap + PCI_EXP_DEVCTL);
+        devsta = pci_get_long(exp_cap + PCI_EXP_DEVSTA);
+    }
+
+    inj.dev = dev;
+    inj.aer_cap = aer_cap;
+    inj.err = err;
+    inj.devctl = devctl;
+    inj.devsta = devsta;
+    inj.error_status = error_status;
+    inj.unsupported_request = !(err->flags & PCIE_AER_ERR_IS_CORRECTABLE) &&
+        err->status == PCI_ERR_UNC_UNSUP;
+    inj.log_overflow = false;
+
+    if (err->flags & PCIE_AER_ERR_IS_CORRECTABLE) {
+        if (!pcie_aer_inject_cor_error(&inj, 0, false)) {
+            return 0;
+        }
+    } else {
+        bool is_fatal =
+            pcie_aer_uncor_default_severity(error_status) ==
+            PCI_ERR_ROOT_CMD_FATAL_EN;
+        if (aer_cap) {
+            is_fatal =
+                error_status & pci_get_long(aer_cap + PCI_ERR_UNCOR_SEVER);
+        }
+        if (!is_fatal && (err->flags & PCIE_AER_ERR_MAYBE_ADVISORY)) {
+            inj.error_status = PCI_ERR_COR_ADV_NONFATAL;
+            if (!pcie_aer_inject_cor_error(&inj, error_status, true)) {
+                return 0;
+            }
+        } else {
+            if (!pcie_aer_inject_uncor_error(&inj, is_fatal)) {
+                return 0;
+            }
+        }
+    }
+
+    /* send up error message */
+    inj.msg.source_id = err->source_id;
+    pcie_aer_msg(dev, &inj.msg);
+
+    if (inj.log_overflow) {
+        PCIEAERErr header_log_overflow = {
+            .status = PCI_ERR_COR_HL_OVERFLOW,
+            .flags = PCIE_AER_ERR_IS_CORRECTABLE,
+        };
+        int ret = pcie_aer_inject_error(dev, &header_log_overflow);
+        assert(!ret);
+    }
+    return 0;
+}
+
+void pcie_aer_write_config(PCIDevice *dev,
+                           uint32_t addr, uint32_t val, int len)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+    uint32_t errcap = pci_get_long(aer_cap + PCI_ERR_CAP);
+    uint32_t first_error = 1U << PCI_ERR_CAP_FEP(errcap);
+    uint32_t uncorsta = pci_get_long(aer_cap + PCI_ERR_UNCOR_STATUS);
+
+    /* uncorrectable error */
+    if (!(uncorsta & first_error)) {
+        /* the bit that corresponds to the first error is cleared */
+        pcie_aer_clear_error(dev);
+    } else if (errcap & PCI_ERR_CAP_MHRE) {
+        /* When PCI_ERR_CAP_MHRE is enabled and the first error isn't cleared
+         * nothing should happen. So we have to revert the modification to
+         * the register.
+         */
+        pcie_aer_update_uncor_status(dev);
+    } else {
+        /* capability & control
+         * PCI_ERR_CAP_MHRE might be cleared, so clear of header log.
+         */
+        aer_log_clear_all_err(&dev->exp.aer_log);
+    }
+}
+
+void pcie_aer_root_init(PCIDevice *dev)
+{
+    uint16_t pos = dev->exp.aer_cap;
+
+    pci_set_long(dev->wmask + pos + PCI_ERR_ROOT_COMMAND,
+                 PCI_ERR_ROOT_CMD_EN_MASK);
+    pci_set_long(dev->w1cmask + pos + PCI_ERR_ROOT_STATUS,
+                 PCI_ERR_ROOT_STATUS_REPORT_MASK);
+}
+
+void pcie_aer_root_reset(PCIDevice *dev)
+{
+    uint8_t* aer_cap = dev->config + dev->exp.aer_cap;
+
+    pci_set_long(aer_cap + PCI_ERR_ROOT_COMMAND, 0);
+
+    /*
+     * Advanced Error Interrupt Message Number in Root Error Status Register
+     * must be updated by chip dependent code because it's chip dependent
+     * which number is used.
+     */
+}
+
+static bool pcie_aer_root_does_trigger(uint32_t cmd, uint32_t status)
+{
+    return
+        ((cmd & PCI_ERR_ROOT_CMD_COR_EN) && (status & PCI_ERR_ROOT_COR_RCV)) ||
+        ((cmd & PCI_ERR_ROOT_CMD_NONFATAL_EN) &&
+         (status & PCI_ERR_ROOT_NONFATAL_RCV)) ||
+        ((cmd & PCI_ERR_ROOT_CMD_FATAL_EN) &&
+         (status & PCI_ERR_ROOT_FATAL_RCV));
+}
+
+void pcie_aer_root_write_config(PCIDevice *dev,
+                                uint32_t addr, uint32_t val, int len,
+                                uint32_t root_cmd_prev)
+{
+    uint8_t *aer_cap = dev->config + dev->exp.aer_cap;
+
+    /* root command register */
+    uint32_t root_cmd = pci_get_long(aer_cap + PCI_ERR_ROOT_COMMAND);
+    if (root_cmd & PCI_ERR_ROOT_CMD_EN_MASK) {
+        /* 6.2.4.1.2 Interrupt Generation */
+
+        /* 0 -> 1 */
+        uint32_t root_cmd_set = (root_cmd_prev ^ root_cmd) & root_cmd;
+        uint32_t root_status = pci_get_long(aer_cap + PCI_ERR_ROOT_STATUS);
+
+        if (pci_msi_enabled(dev)) {
+            if (pcie_aer_root_does_trigger(root_cmd_set, root_status)) {
+                pci_msi_notify(dev, pcie_aer_root_get_vector(dev));
+            }
+        } else {
+            int int_level = pcie_aer_root_does_trigger(root_cmd, root_status);
+            qemu_set_irq(dev->irq[dev->exp.aer_intx], int_level);
+        }
+    }
+}
+
+static const VMStateDescription vmstate_pcie_aer_err = {
+    .name = "PCIE_AER_ERROR",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields     = (VMStateField[]) {
+        VMSTATE_UINT32(status, PCIEAERErr),
+        VMSTATE_UINT16(source_id, PCIEAERErr),
+        VMSTATE_UINT16(flags, PCIEAERErr),
+        VMSTATE_UINT32_ARRAY(header, PCIEAERErr, 4),
+        VMSTATE_UINT32_ARRAY(prefix, PCIEAERErr, 4),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+#define VMSTATE_PCIE_AER_ERRS(_field, _state, _field_num, _vmsd, _type) { \
+    .name       = (stringify(_field)),                                    \
+    .version_id = 0,                                                      \
+    .num_offset = vmstate_offset_value(_state, _field_num, uint16_t),     \
+    .size       = sizeof(_type),                                          \
+    .vmsd       = &(_vmsd),                                               \
+    .flags      = VMS_POINTER | VMS_VARRAY_UINT16 | VMS_STRUCT,           \
+    .offset     = vmstate_offset_pointer(_state, _field, _type),          \
+}
+
+const VMStateDescription vmstate_pcie_aer_log = {
+    .name = "PCIE_AER_ERROR_LOG",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields     = (VMStateField[]) {
+        VMSTATE_UINT16(log_num, PCIEAERLog),
+        VMSTATE_UINT16(log_max, PCIEAERLog),
+        VMSTATE_PCIE_AER_ERRS(log, PCIEAERLog, log_num,
+                              vmstate_pcie_aer_err, PCIEAERErr),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
diff --git a/hw/pcie_aer.h b/hw/pcie_aer.h
new file mode 100644
index 0000000..7539500
--- /dev/null
+++ b/hw/pcie_aer.h
@@ -0,0 +1,106 @@
+/*
+ * pcie_aer.h
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef QEMU_PCIE_AER_H
+#define QEMU_PCIE_AER_H
+
+#include "hw.h"
+
+/* definitions which PCIExpressDevice uses */
+
+/* AER log */
+struct PCIEAERLog {
+    /* This structure is saved/loaded.
+       So explicitly size them instead of unsigned int */
+
+    /* the number of currently recorded log in log member */
+    uint16_t log_num;
+
+    /*
+     * The maximum number of the log. Errors can be logged up to this.
+     *
+     * This is configurable property.
+     * The specified value will be clipped down to PCIE_AER_LOG_MAX_LIMIT
+     * to avoid unreasonable memory usage.
+     * I bet that 128 log size would be big enough, otherwise too many errors
+     * for system to function normaly. But could consecutive errors occur?
+     */
+#define PCIE_AER_LOG_MAX_DEFAULT        8
+#define PCIE_AER_LOG_MAX_LIMIT          128
+#define PCIE_AER_LOG_MAX_UNSET          0xffff
+    uint16_t log_max;
+
+    /* Error log. log_max-sized array */
+    PCIEAERErr *log;
+};
+
+/* aer error message: error signaling message has only error sevirity and
+   source id. See 2.2.8.3 error signaling messages */
+struct PCIEAERMsg {
+    /*
+     * PCI_ERR_ROOT_CMD_{COR, NONFATAL, FATAL}_EN
+     * = PCI_EXP_DEVCTL_{CERE, NFERE, FERE}
+     */
+    uint32_t severity;
+
+    uint16_t source_id; /* bdf */
+};
+
+static inline bool
+pcie_aer_msg_is_uncor(const PCIEAERMsg *msg)
+{
+    return msg->severity == PCI_ERR_ROOT_CMD_NONFATAL_EN ||
+        msg->severity == PCI_ERR_ROOT_CMD_FATAL_EN;
+}
+
+/* error */
+struct PCIEAERErr {
+    uint32_t status;    /* error status bits */
+    uint16_t source_id; /* bdf */
+
+#define PCIE_AER_ERR_IS_CORRECTABLE     0x1     /* correctable/uncorrectable */
+#define PCIE_AER_ERR_MAYBE_ADVISORY     0x2     /* maybe advisory non-fatal */
+#define PCIE_AER_ERR_HEADER_VALID       0x4     /* TLP header is logged */
+#define PCIE_AER_ERR_TLP_PREFIX_PRESENT 0x8     /* TLP Prefix is logged */
+    uint16_t flags;
+
+    uint32_t header[4]; /* TLP header */
+    uint32_t prefix[4]; /* TLP header prefix */
+};
+
+extern const VMStateDescription vmstate_pcie_aer_log;
+
+int pcie_aer_init(PCIDevice *dev, uint16_t offset);
+void pcie_aer_exit(PCIDevice *dev);
+void pcie_aer_write_config(PCIDevice *dev,
+                           uint32_t addr, uint32_t val, int len);
+
+/* aer root port */
+void pcie_aer_root_set_vector(PCIDevice *dev, unsigned int vector);
+void pcie_aer_root_init(PCIDevice *dev);
+void pcie_aer_root_reset(PCIDevice *dev);
+void pcie_aer_root_write_config(PCIDevice *dev,
+                                uint32_t addr, uint32_t val, int len,
+                                uint32_t root_cmd_prev);
+
+/* error injection */
+int pcie_aer_inject_error(PCIDevice *dev, const PCIEAERErr *err);
+
+#endif /* QEMU_PCIE_AER_H */
diff --git a/qemu-common.h b/qemu-common.h
index b3957f1..de82c2e 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -240,6 +240,9 @@ typedef struct PCIBus PCIBus;
 typedef struct PCIDevice PCIDevice;
 typedef struct PCIExpressDevice PCIExpressDevice;
 typedef struct PCIBridge PCIBridge;
+typedef struct PCIEAERMsg PCIEAERMsg;
+typedef struct PCIEAERLog PCIEAERLog;
+typedef struct PCIEAERErr PCIEAERErr;
 typedef struct PCIEPort PCIEPort;
 typedef struct PCIESlot PCIESlot;
 typedef struct SerialState SerialState;
commit 1a1ea6f093eb8cf7c01788bc3708ba7003815563
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Nov 16 17:26:08 2010 +0900

    pcie_regs.h: more constants
    
    Add constants for PCI AER log.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie_regs.h b/hw/pcie_regs.h
index 3461a1b..4d123d9 100644
--- a/hw/pcie_regs.h
+++ b/hw/pcie_regs.h
@@ -94,7 +94,9 @@
 #define PCI_ERR_CAP_MHRE                0x00000400
 #define PCI_ERR_CAP_TLP                 0x00000800
 
+#define PCI_ERR_HEADER_LOG_SIZE         16
 #define PCI_ERR_TLP_PREFIX_LOG          0x38
+#define PCI_ERR_TLP_PREFIX_LOG_SIZE     16
 
 #define PCI_SEC_STATUS_RCV_SYSTEM_ERROR         0x4000
 
commit 89d437df5e68e8b289e501dde570917677fd6dfc
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Nov 16 17:26:07 2010 +0900

    pci: add W1C bits to pci status register
    
    This patch adds W1C bit support in the initialization/reset of pci
    status registers.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 438c0d1..00ec8ea 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -143,6 +143,9 @@ static void pci_device_reset(PCIDevice *dev)
     pci_word_test_and_clear_mask(dev->config + PCI_COMMAND,
                                  pci_get_word(dev->wmask + PCI_COMMAND) |
                                  pci_get_word(dev->w1cmask + PCI_COMMAND));
+    pci_word_test_and_clear_mask(dev->config + PCI_STATUS,
+                                 pci_get_word(dev->wmask + PCI_STATUS) |
+                                 pci_get_word(dev->w1cmask + PCI_STATUS));
     dev->config[PCI_CACHE_LINE_SIZE] = 0x0;
     dev->config[PCI_INTERRUPT_LINE] = 0x0;
     for (r = 0; r < PCI_NUM_REGIONS; ++r) {
@@ -552,6 +555,18 @@ static void pci_init_wmask(PCIDevice *dev)
            config_size - PCI_CONFIG_HEADER_SIZE);
 }
 
+static void pci_init_w1cmask(PCIDevice *dev)
+{
+    /*
+     * Note: It's okay to set w1mask even for readonly bits as
+     * long as their value is hardwired to 0.
+     */
+    pci_set_word(dev->w1cmask + PCI_STATUS,
+                 PCI_STATUS_PARITY | PCI_STATUS_SIG_TARGET_ABORT |
+                 PCI_STATUS_REC_TARGET_ABORT | PCI_STATUS_REC_MASTER_ABORT |
+                 PCI_STATUS_SIG_SYSTEM_ERROR | PCI_STATUS_DETECTED_PARITY);
+}
+
 static void pci_init_wmask_bridge(PCIDevice *d)
 {
     /* PCI_PRIMARY_BUS, PCI_SECONDARY_BUS, PCI_SUBORDINATE_BUS and
@@ -676,6 +691,7 @@ static PCIDevice *do_pci_register_device(PCIDevice *pci_dev, PCIBus *bus,
     }
     pci_init_cmask(pci_dev);
     pci_init_wmask(pci_dev);
+    pci_init_w1cmask(pci_dev);
     if (is_bridge) {
         pci_init_wmask_bridge(pci_dev);
     }
commit 4e02d460dd4b60847a1e8b689cb676e3e1f3de95
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Nov 15 20:44:38 2010 +0000

    virtio-pci: Convert fprintf() to error_report()
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 3610d7e..c65765a 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -254,8 +254,8 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
         virtio_queue_set_vector(vdev, vdev->queue_sel, val);
         break;
     default:
-        fprintf(stderr, "%s: unexpected address 0x%x value 0x%x\n",
-                __func__, addr, val);
+        error_report("%s: unexpected address 0x%x value 0x%x",
+                     __func__, addr, val);
         break;
     }
 }
commit e7b43f7e60a0a170356e82b01b8ffdcecafad7ed
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Nov 15 20:44:37 2010 +0000

    virtio-net: Convert fprintf() to error_report()
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 7e1688c..1d61f19 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -120,8 +120,8 @@ static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
     if (!n->vhost_started) {
         int r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
         if (r < 0) {
-            fprintf(stderr, "unable to start vhost net: %d: "
-                    "falling back on userspace virtio\n", -r);
+            error_report("unable to start vhost net: %d: "
+                         "falling back on userspace virtio", -r);
         } else {
             n->vhost_started = 1;
         }
@@ -271,7 +271,7 @@ static int virtio_net_handle_rx_mode(VirtIONet *n, uint8_t cmd,
     uint8_t on;
 
     if (elem->out_num != 2 || elem->out_sg[1].iov_len != sizeof(on)) {
-        fprintf(stderr, "virtio-net ctrl invalid rx mode command\n");
+        error_report("virtio-net ctrl invalid rx mode command");
         exit(1);
     }
 
@@ -353,7 +353,7 @@ static int virtio_net_handle_vlan_table(VirtIONet *n, uint8_t cmd,
     uint16_t vid;
 
     if (elem->out_num != 2 || elem->out_sg[1].iov_len != sizeof(vid)) {
-        fprintf(stderr, "virtio-net ctrl invalid vlan command\n");
+        error_report("virtio-net ctrl invalid vlan command");
         return VIRTIO_NET_ERR;
     }
 
@@ -381,13 +381,13 @@ static void virtio_net_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
 
     while (virtqueue_pop(vq, &elem)) {
         if ((elem.in_num < 1) || (elem.out_num < 1)) {
-            fprintf(stderr, "virtio-net ctrl missing headers\n");
+            error_report("virtio-net ctrl missing headers");
             exit(1);
         }
 
         if (elem.out_sg[0].iov_len < sizeof(ctrl) ||
             elem.in_sg[elem.in_num - 1].iov_len < sizeof(status)) {
-            fprintf(stderr, "virtio-net ctrl header not in correct element\n");
+            error_report("virtio-net ctrl header not in correct element");
             exit(1);
         }
 
@@ -591,21 +591,21 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
         if (virtqueue_pop(n->rx_vq, &elem) == 0) {
             if (i == 0)
                 return -1;
-            fprintf(stderr, "virtio-net unexpected empty queue: "
+            error_report("virtio-net unexpected empty queue: "
                     "i %zd mergeable %d offset %zd, size %zd, "
-                    "guest hdr len %zd, host hdr len %zd guest features 0x%x\n",
+                    "guest hdr len %zd, host hdr len %zd guest features 0x%x",
                     i, n->mergeable_rx_bufs, offset, size,
                     guest_hdr_len, host_hdr_len, n->vdev.guest_features);
             exit(1);
         }
 
         if (elem.in_num < 1) {
-            fprintf(stderr, "virtio-net receive queue contains no in buffers\n");
+            error_report("virtio-net receive queue contains no in buffers");
             exit(1);
         }
 
         if (!n->mergeable_rx_bufs && elem.in_sg[0].iov_len != guest_hdr_len) {
-            fprintf(stderr, "virtio-net header not in first element\n");
+            error_report("virtio-net header not in first element");
             exit(1);
         }
 
@@ -630,12 +630,11 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
          * Otherwise, drop it. */
         if (!n->mergeable_rx_bufs && offset < size) {
 #if 0
-            fprintf(stderr, "virtio-net truncated non-mergeable packet: "
-
-                    "i %zd mergeable %d offset %zd, size %zd, "
-                    "guest hdr len %zd, host hdr len %zd\n",
-                    i, n->mergeable_rx_bufs,
-                    offset, size, guest_hdr_len, host_hdr_len);
+            error_report("virtio-net truncated non-mergeable packet: "
+                         "i %zd mergeable %d offset %zd, size %zd, "
+                         "guest hdr len %zd, host hdr len %zd",
+                         i, n->mergeable_rx_bufs,
+                         offset, size, guest_hdr_len, host_hdr_len);
 #endif
             return size;
         }
@@ -695,7 +694,7 @@ static int32_t virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
             sizeof(struct virtio_net_hdr);
 
         if (out_num < 1 || out_sg->iov_len != hdr_len) {
-            fprintf(stderr, "virtio-net header not in first element\n");
+            error_report("virtio-net header not in first element");
             exit(1);
         }
 
@@ -981,10 +980,10 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
     n->rx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_rx);
 
     if (net->tx && strcmp(net->tx, "timer") && strcmp(net->tx, "bh")) {
-        fprintf(stderr, "virtio-net: "
-                "Unknown option tx=%s, valid options: \"timer\" \"bh\"\n",
-                net->tx);
-        fprintf(stderr, "Defaulting to \"bh\"\n");
+        error_report("virtio-net: "
+                     "Unknown option tx=%s, valid options: \"timer\" \"bh\"",
+                     net->tx);
+        error_report("Defaulting to \"bh\"");
     }
 
     if (net->tx && !strcmp(net->tx, "timer")) {
commit cd92f4cc22fbe12a7bf60c9430731f768dc1537c
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Nov 15 20:44:36 2010 +0000

    virtio: Convert fprintf() to error_report()
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index a2a657e..849a60f 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -14,6 +14,7 @@
 #include <inttypes.h>
 
 #include "trace.h"
+#include "qemu-error.h"
 #include "virtio.h"
 #include "sysemu.h"
 
@@ -253,8 +254,8 @@ static int virtqueue_num_heads(VirtQueue *vq, unsigned int idx)
 
     /* Check it isn't doing very strange things with descriptor numbers. */
     if (num_heads > vq->vring.num) {
-        fprintf(stderr, "Guest moved used index from %u to %u",
-                idx, vring_avail_idx(vq));
+        error_report("Guest moved used index from %u to %u",
+                     idx, vring_avail_idx(vq));
         exit(1);
     }
 
@@ -271,7 +272,7 @@ static unsigned int virtqueue_get_head(VirtQueue *vq, unsigned int idx)
 
     /* If their number is silly, that's a fatal mistake. */
     if (head >= vq->vring.num) {
-        fprintf(stderr, "Guest says index %u is available", head);
+        error_report("Guest says index %u is available", head);
         exit(1);
     }
 
@@ -293,7 +294,7 @@ static unsigned virtqueue_next_desc(target_phys_addr_t desc_pa,
     wmb();
 
     if (next >= max) {
-        fprintf(stderr, "Desc next is %u", next);
+        error_report("Desc next is %u", next);
         exit(1);
     }
 
@@ -320,13 +321,13 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
 
         if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_INDIRECT) {
             if (vring_desc_len(desc_pa, i) % sizeof(VRingDesc)) {
-                fprintf(stderr, "Invalid size for indirect buffer table\n");
+                error_report("Invalid size for indirect buffer table");
                 exit(1);
             }
 
             /* If we've got too many, that implies a descriptor loop. */
             if (num_bufs >= max) {
-                fprintf(stderr, "Looped descriptor");
+                error_report("Looped descriptor");
                 exit(1);
             }
 
@@ -340,7 +341,7 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
         do {
             /* If we've got too many, that implies a descriptor loop. */
             if (++num_bufs > max) {
-                fprintf(stderr, "Looped descriptor");
+                error_report("Looped descriptor");
                 exit(1);
             }
 
@@ -374,7 +375,7 @@ void virtqueue_map_sg(struct iovec *sg, target_phys_addr_t *addr,
         len = sg[i].iov_len;
         sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
         if (sg[i].iov_base == NULL || len != sg[i].iov_len) {
-            fprintf(stderr, "virtio: trying to map MMIO memory\n");
+            error_report("virtio: trying to map MMIO memory");
             exit(1);
         }
     }
@@ -397,7 +398,7 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 
     if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_INDIRECT) {
         if (vring_desc_len(desc_pa, i) % sizeof(VRingDesc)) {
-            fprintf(stderr, "Invalid size for indirect buffer table\n");
+            error_report("Invalid size for indirect buffer table");
             exit(1);
         }
 
@@ -423,7 +424,7 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 
         /* If we've got too many, that implies a descriptor loop. */
         if ((elem->in_num + elem->out_num) > max) {
-            fprintf(stderr, "Looped descriptor");
+            error_report("Looped descriptor");
             exit(1);
         }
     } while ((i = virtqueue_next_desc(desc_pa, i, max)) != max);
@@ -694,8 +695,8 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     qemu_get_be16s(f, &vdev->queue_sel);
     qemu_get_be32s(f, &features);
     if (features & ~supported_features) {
-        fprintf(stderr, "Features 0x%x unsupported. Allowed features: 0x%x\n",
-                features, supported_features);
+        error_report("Features 0x%x unsupported. Allowed features: 0x%x",
+                     features, supported_features);
         return -1;
     }
     if (vdev->set_features)
@@ -717,11 +718,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 	num_heads = vring_avail_idx(&vdev->vq[i]) - vdev->vq[i].last_avail_idx;
 	/* Check it isn't doing very strange things with descriptor numbers. */
 	if (num_heads > vdev->vq[i].vring.num) {
-		fprintf(stderr, "VQ %d size 0x%x Guest index 0x%x "
-                        "inconsistent with Host index 0x%x: delta 0x%x\n",
-			i, vdev->vq[i].vring.num,
-                        vring_avail_idx(&vdev->vq[i]),
-                        vdev->vq[i].last_avail_idx, num_heads);
+		error_report("VQ %d size 0x%x Guest index 0x%x "
+		             "inconsistent with Host index 0x%x: delta 0x%x",
+		             i, vdev->vq[i].vring.num,
+		             vring_avail_idx(&vdev->vq[i]),
+		             vdev->vq[i].last_avail_idx, num_heads);
 		return -1;
 	}
         if (vdev->binding->load_queue) {
commit 870cef1dae88f131ee3e17fe0aaf45d609798ce1
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Nov 15 20:44:35 2010 +0000

    virtio-blk: Convert fprintf() to error_report()
    
    Errors should be logged using error_report() so they go to the
    appropriate monitor.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index 49528a9..e5f9b27 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -324,13 +324,13 @@ static void virtio_blk_handle_request(VirtIOBlockReq *req,
     MultiReqBuffer *mrb)
 {
     if (req->elem.out_num < 1 || req->elem.in_num < 1) {
-        fprintf(stderr, "virtio-blk missing headers\n");
+        error_report("virtio-blk missing headers");
         exit(1);
     }
 
     if (req->elem.out_sg[0].iov_len < sizeof(*req->out) ||
         req->elem.in_sg[req->elem.in_num - 1].iov_len < sizeof(*req->in)) {
-        fprintf(stderr, "virtio-blk header not in correct element\n");
+        error_report("virtio-blk header not in correct element");
         exit(1);
     }
 
commit 281a26b15b4adcecb8604216738975abd754bea8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Nov 17 12:06:44 2010 +0100

    vgabios update: handle compatibility with older qemu versions
    
    As pointed out by avi the vgabios update is guest-visible and thus has
    migration implications.
    
    One change is that the vga has a valid pci rom bar now.  We already have
    a pci bus property to enable/disable the rom bar and we'll load the bios
    via fw_cfg as fallback for the no-rom-bar case.  So we just have to add
    compat properties to handle this case.
    
    A second change is that the magic bochs lfb @ 0xe0000000 is gone.  When
    live-migrating a guest from a older qemu version it might be using the
    lfb though, so we have to keep it for the old machine types.  The patch
    enables the bochs lfb in case we don't have the pci rom bar enabled
    (i.e. we are in 0.13+older compat mode).
    
    This patch depends on these patches which add (and use) the pc-0.13
    machine type:
      http://patchwork.ozlabs.org/patch/70797/
      http://patchwork.ozlabs.org/patch/70798/
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Cc: avi at redhat.com
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 31c80d2..7d29d43 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -230,6 +230,14 @@ static QEMUMachine pc_machine_v0_13 = {
             .driver   = "virtio-9p-pci",
             .property = "vectors",
             .value    = stringify(0),
+        },{
+            .driver   = "VGA",
+            .property = "rombar",
+            .value    = stringify(0),
+        },{
+            .driver   = "vmware-svga",
+            .property = "rombar",
+            .value    = stringify(0),
         },
         { /* end of list */ }
     },
@@ -249,6 +257,14 @@ static QEMUMachine pc_machine_v0_12 = {
             .driver   = "virtio-serial-pci",
             .property = "vectors",
             .value    = stringify(0),
+        },{
+            .driver   = "VGA",
+            .property = "rombar",
+            .value    = stringify(0),
+        },{
+            .driver   = "vmware-svga",
+            .property = "rombar",
+            .value    = stringify(0),
         },
         { /* end of list */ }
     }
diff --git a/hw/vga-pci.c b/hw/vga-pci.c
index b09789c..791ca22 100644
--- a/hw/vga-pci.c
+++ b/hw/vga-pci.c
@@ -92,6 +92,11 @@ static int pci_vga_initfn(PCIDevice *dev)
      pci_register_bar(&d->dev, 0, VGA_RAM_SIZE,
                       PCI_BASE_ADDRESS_MEM_PREFETCH, vga_map);
 
+     if (!dev->rom_bar) {
+         /* compatibility with pc-0.13 and older */
+         vga_init_vbe(s);
+     }
+
      return 0;
 }
 
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 9337fdb..d0f4e1b 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -1301,6 +1301,11 @@ static int pci_vmsvga_initfn(PCIDevice *dev)
 
     vmsvga_init(&s->chip, VGA_RAM_SIZE);
 
+    if (!dev->rom_bar) {
+        /* compatibility with pc-0.13 and older */
+        vga_init_vbe(&s->chip.vga);
+    }
+
     return 0;
 }
 
commit c1ded3dc9f2d6caeb62eb3005510837a62b795d2
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Oct 19 17:03:24 2010 +0200

    pcnet: Do not receive external frames in loopback mode
    
    While not explicitly stated in the spec, it was observed on real systems
    that enabling loopback testing on the pcnet controller disables
    reception of external frames. And some legacy software relies on it, so
    provide this behavior.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pcnet.c b/hw/pcnet.c
index b52935a..f970bda 100644
--- a/hw/pcnet.c
+++ b/hw/pcnet.c
@@ -1048,9 +1048,10 @@ ssize_t pcnet_receive(VLANClientState *nc, const uint8_t *buf, size_t size_)
     int crc_err = 0;
     int size = size_;
 
-    if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size)
+    if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size ||
+        (CSR_LOOP(s) && !s->looptest)) {
         return -1;
-
+    }
 #ifdef PCNET_DEBUG
     printf("pcnet_receive size=%d\n", size);
 #endif
commit 2871a3f6b64966bc78fce0d4033bf32fcd42401c
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Nov 17 11:50:10 2010 +0200

    piix4 acpi: convert io BAR to type-safe ioport callbacks
    
    Acked-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index f549089..173d781 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -52,6 +52,7 @@ struct pci_status {
 
 typedef struct PIIX4PMState {
     PCIDevice dev;
+    IORange ioport;
     uint16_t pmsts;
     uint16_t pmen;
     uint16_t pmcntrl;
@@ -128,10 +129,16 @@ static void pm_tmr_timer(void *opaque)
     pm_update_sci(s);
 }
 
-static void pm_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
+static void pm_ioport_write(IORange *ioport, uint64_t addr, unsigned width,
+                            uint64_t val)
 {
-    PIIX4PMState *s = opaque;
-    addr &= 0x3f;
+    PIIX4PMState *s = container_of(ioport, PIIX4PMState, ioport);
+
+    if (width != 2) {
+        PIIX4_DPRINTF("PM write port=0x%04x width=%d val=0x%08x\n",
+                      (unsigned)addr, width, (unsigned)val);
+    }
+
     switch(addr) {
     case 0x00:
         {
@@ -184,12 +191,12 @@ static void pm_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
     PIIX4_DPRINTF("PM writew port=0x%04x val=0x%04x\n", addr, val);
 }
 
-static uint32_t pm_ioport_readw(void *opaque, uint32_t addr)
+static void pm_ioport_read(IORange *ioport, uint64_t addr, unsigned width,
+                            uint64_t *data)
 {
-    PIIX4PMState *s = opaque;
+    PIIX4PMState *s = container_of(ioport, PIIX4PMState, ioport);
     uint32_t val;
 
-    addr &= 0x3f;
     switch(addr) {
     case 0x00:
         val = get_pmsts(s);
@@ -200,27 +207,6 @@ static uint32_t pm_ioport_readw(void *opaque, uint32_t addr)
     case 0x04:
         val = s->pmcntrl;
         break;
-    default:
-        val = 0;
-        break;
-    }
-    PIIX4_DPRINTF("PM readw port=0x%04x val=0x%04x\n", addr, val);
-    return val;
-}
-
-static void pm_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
-{
-    //    PIIX4PMState *s = opaque;
-    PIIX4_DPRINTF("PM writel port=0x%04x val=0x%08x\n", addr & 0x3f, val);
-}
-
-static uint32_t pm_ioport_readl(void *opaque, uint32_t addr)
-{
-    PIIX4PMState *s = opaque;
-    uint32_t val;
-
-    addr &= 0x3f;
-    switch(addr) {
     case 0x08:
         val = get_pmtmr(s);
         break;
@@ -228,10 +214,15 @@ static uint32_t pm_ioport_readl(void *opaque, uint32_t addr)
         val = 0;
         break;
     }
-    PIIX4_DPRINTF("PM readl port=0x%04x val=0x%08x\n", addr, val);
-    return val;
+    PIIX4_DPRINTF("PM readw port=0x%04x val=0x%04x\n", addr, val);
+    *data = val;
 }
 
+static const IORangeOps pm_iorange_ops = {
+    .read = pm_ioport_read,
+    .write = pm_ioport_write,
+};
+
 static void apm_ctrl_changed(uint32_t val, void *arg)
 {
     PIIX4PMState *s = arg;
@@ -265,10 +256,8 @@ static void pm_io_space_update(PIIX4PMState *s)
 
         /* XXX: need to improve memory and ioport allocation */
         PIIX4_DPRINTF("PM: mapping to 0x%x\n", pm_io_base);
-        register_ioport_write(pm_io_base, 64, 2, pm_ioport_writew, s);
-        register_ioport_read(pm_io_base, 64, 2, pm_ioport_readw, s);
-        register_ioport_write(pm_io_base, 64, 4, pm_ioport_writel, s);
-        register_ioport_read(pm_io_base, 64, 4, pm_ioport_readl, s);
+        iorange_init(&s->ioport, &pm_iorange_ops, pm_io_base, 64);
+        ioport_register(&s->ioport);
     }
 }
 
commit acd1c812b5548c8426e093075362b6d4119db6ac
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Nov 17 11:50:09 2010 +0200

    Type-safe ioport callbacks
    
    The current ioport callbacks are not type-safe, in that they accept an "opaque"
    pointer as an argument whose type must match the argument to the registration
    function; this is not checked by the compiler.
    
    This patch adds an alternative that is type-safe.  Instead of an opaque
    argument, both registation and the callback use a new IOPort type.  The
    callback then uses container_of() to access its main structures.
    
    Currently the old and new methods exist side by side; once the old way is gone,
    we can also save a bunch of memory since the new method requires one pointer
    per ioport instead of 6.
    
    Acked-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/ioport.c b/ioport.c
index ec3dc65..aa4188a 100644
--- a/ioport.c
+++ b/ioport.c
@@ -174,6 +174,70 @@ int register_ioport_write(pio_addr_t start, int length, int size,
     return 0;
 }
 
+static uint32_t ioport_readb_thunk(void *opaque, uint32_t addr)
+{
+    IORange *ioport = opaque;
+    uint64_t data;
+
+    ioport->ops->read(ioport, addr - ioport->base, 1, &data);
+    return data;
+}
+
+static uint32_t ioport_readw_thunk(void *opaque, uint32_t addr)
+{
+    IORange *ioport = opaque;
+    uint64_t data;
+
+    ioport->ops->read(ioport, addr - ioport->base, 2, &data);
+    return data;
+}
+
+static uint32_t ioport_readl_thunk(void *opaque, uint32_t addr)
+{
+    IORange *ioport = opaque;
+    uint64_t data;
+
+    ioport->ops->read(ioport, addr - ioport->base, 4, &data);
+    return data;
+}
+
+static void ioport_writeb_thunk(void *opaque, uint32_t addr, uint32_t data)
+{
+    IORange *ioport = opaque;
+
+    ioport->ops->write(ioport, addr - ioport->base, 1, data);
+}
+
+static void ioport_writew_thunk(void *opaque, uint32_t addr, uint32_t data)
+{
+    IORange *ioport = opaque;
+
+    ioport->ops->write(ioport, addr - ioport->base, 2, data);
+}
+
+static void ioport_writel_thunk(void *opaque, uint32_t addr, uint32_t data)
+{
+    IORange *ioport = opaque;
+
+    ioport->ops->write(ioport, addr - ioport->base, 4, data);
+}
+
+void ioport_register(IORange *ioport)
+{
+    register_ioport_read(ioport->base, ioport->len, 1,
+                         ioport_readb_thunk, ioport);
+    register_ioport_read(ioport->base, ioport->len, 2,
+                         ioport_readw_thunk, ioport);
+    register_ioport_read(ioport->base, ioport->len, 4,
+                         ioport_readl_thunk, ioport);
+    register_ioport_write(ioport->base, ioport->len, 1,
+                          ioport_writeb_thunk, ioport);
+    register_ioport_write(ioport->base, ioport->len, 2,
+                          ioport_writew_thunk, ioport);
+    register_ioport_write(ioport->base, ioport->len, 4,
+                          ioport_writel_thunk, ioport);
+}
+
 void isa_unassign_ioport(pio_addr_t start, int length)
 {
     int i;
diff --git a/ioport.h b/ioport.h
index 3d3c8a3..5ae62a3 100644
--- a/ioport.h
+++ b/ioport.h
@@ -25,6 +25,7 @@
 #define IOPORT_H
 
 #include "qemu-common.h"
+#include "iorange.h"
 
 typedef uint32_t pio_addr_t;
 #define FMT_pioaddr     PRIx32
@@ -36,6 +37,7 @@ typedef uint32_t pio_addr_t;
 typedef void (IOPortWriteFunc)(void *opaque, uint32_t address, uint32_t data);
 typedef uint32_t (IOPortReadFunc)(void *opaque, uint32_t address);
 
+void ioport_register(IORange *iorange);
 int register_ioport_read(pio_addr_t start, int length, int size,
                          IOPortReadFunc *func, void *opaque);
 int register_ioport_write(pio_addr_t start, int length, int size,
diff --git a/iorange.h b/iorange.h
new file mode 100644
index 0000000..9783168
--- /dev/null
+++ b/iorange.h
@@ -0,0 +1,30 @@
+#ifndef IORANGE_H
+#define IORANGE_H
+
+#include <stdint.h>
+
+typedef struct IORange IORange;
+typedef struct IORangeOps IORangeOps;
+
+struct IORangeOps {
+    void (*read)(IORange *iorange, uint64_t offset, unsigned width,
+                 uint64_t *data);
+    void (*write)(IORange *iorange, uint64_t offset, unsigned width,
+                  uint64_t data);
+};
+
+struct IORange {
+    const IORangeOps *ops;
+    uint64_t base;
+    uint64_t len;
+};
+
+static inline void iorange_init(IORange *iorange, const IORangeOps *ops,
+                                uint64_t base, uint64_t len)
+{
+    iorange->ops = ops;
+    iorange->base = base;
+    iorange->len = len;
+}
+
+#endif
commit 94b0b5ff5f5c3ab946fa926d464738edb3713ed4
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Nov 16 12:20:25 2010 +0000

    trace: Trace vm_start()/vm_stop()
    
    VM state change notifications are invoked from vm_start()/vm_stop().
    Trace these state changes so we can reason about the state of the VM
    from trace output.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/trace-events b/trace-events
index 947f8b0..da03d4b 100644
--- a/trace-events
+++ b/trace-events
@@ -189,3 +189,6 @@ disable sun4m_iommu_mem_writel_pgflush(uint32_t val) "page flush %x"
 disable sun4m_iommu_page_get_flags(uint64_t pa, uint64_t iopte, uint32_t ret) "get flags addr %"PRIx64" => pte %"PRIx64", *pte = %x"
 disable sun4m_iommu_translate_pa(uint64_t addr, uint64_t pa, uint32_t iopte) "xlate dva %"PRIx64" => pa %"PRIx64" iopte = %x"
 disable sun4m_iommu_bad_addr(uint64_t addr) "bad addr %"PRIx64""
+
+# vl.c
+disable vm_state_notify(int running, int reason) "running %d reason %d"
diff --git a/vl.c b/vl.c
index 9ee6479..805e11f 100644
--- a/vl.c
+++ b/vl.c
@@ -158,6 +158,7 @@ int main(int argc, char **argv)
 
 #include "slirp/libslirp.h"
 
+#include "trace.h"
 #include "qemu-queue.h"
 #include "cpus.h"
 #include "arch_init.h"
@@ -1074,6 +1075,8 @@ void vm_state_notify(int running, int reason)
 {
     VMChangeStateEntry *e;
 
+    trace_vm_state_notify(running, reason);
+
     for (e = vm_change_state_head.lh_first; e; e = e->entries.le_next) {
         e->cb(e->opaque, running, reason);
     }
commit 9dbcca5aa13cb9ab40788ac4c56bc227d94ca920
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 11 12:59:26 2010 +0100

    virtfs: enable MSI-X
    
    This patch enables MSI-X for virtfs-9p-pci.  It also adds a
    compat property to pc-0.13 which turns it of there to stay
    compatible to 0.13-stable.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index e17e878..31c80d2 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -225,6 +225,14 @@ static QEMUMachine pc_machine_v0_13 = {
     .desc = "Standard PC",
     .init = pc_init_pci,
     .max_cpus = 255,
+    .compat_props = (GlobalProperty[]) {
+        {
+            .driver   = "virtio-9p-pci",
+            .property = "vectors",
+            .value    = stringify(0),
+        },
+        { /* end of list */ }
+    },
 };
 
 static QEMUMachine pc_machine_v0_12 = {
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 729917d..3610d7e 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -684,12 +684,14 @@ static int virtio_9p_init_pci(PCIDevice *pci_dev)
     VirtIODevice *vdev;
 
     vdev = virtio_9p_init(&pci_dev->qdev, &proxy->fsconf);
+    vdev->nvectors = proxy->nvectors;
     virtio_init_pci(proxy, vdev,
                     PCI_VENDOR_ID_REDHAT_QUMRANET,
                     0x1009,
                     0x2,
                     0x00);
-
+    /* make the actual value visible */
+    proxy->nvectors = vdev->nvectors;
     return 0;
 }
 #endif
@@ -758,6 +760,7 @@ static PCIDeviceInfo virtio_info[] = {
         .qdev.size = sizeof(VirtIOPCIProxy),
         .init      = virtio_9p_init_pci,
         .qdev.props = (Property[]) {
+            DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors, 2),
             DEFINE_VIRTIO_COMMON_FEATURES(VirtIOPCIProxy, host_features),
             DEFINE_PROP_STRING("mount_tag", VirtIOPCIProxy, fsconf.tag),
             DEFINE_PROP_STRING("fsdev", VirtIOPCIProxy, fsconf.fsdev_id),
commit b903a0f721f28283e5eaab00a3cb2ada96c2eae0
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 11 12:59:25 2010 +0100

    pc: add 0.13 pc machine type
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 12359a7..e17e878 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -212,7 +212,7 @@ static void pc_init_isa(ram_addr_t ram_size,
 }
 
 static QEMUMachine pc_machine = {
-    .name = "pc-0.13",
+    .name = "pc-0.14",
     .alias = "pc",
     .desc = "Standard PC",
     .init = pc_init_pci,
@@ -220,6 +220,13 @@ static QEMUMachine pc_machine = {
     .is_default = 1,
 };
 
+static QEMUMachine pc_machine_v0_13 = {
+    .name = "pc-0.13",
+    .desc = "Standard PC",
+    .init = pc_init_pci,
+    .max_cpus = 255,
+};
+
 static QEMUMachine pc_machine_v0_12 = {
     .name = "pc-0.12",
     .desc = "Standard PC",
@@ -331,6 +338,7 @@ static QEMUMachine isapc_machine = {
 static void pc_machine_init(void)
 {
     qemu_register_machine(&pc_machine);
+    qemu_register_machine(&pc_machine_v0_13);
     qemu_register_machine(&pc_machine_v0_12);
     qemu_register_machine(&pc_machine_v0_11);
     qemu_register_machine(&pc_machine_v0_10);
commit 0b2c508856fa23695900c29b6ada57c07843bc6f
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Nov 15 21:17:06 2010 +0100

    trace: Use fprintf_function (format checking)
    
    fprintf_function adds format checking with GCC_FMT_ATTR.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/simpletrace.h b/simpletrace.h
index 72614ec..2f44ed3 100644
--- a/simpletrace.h
+++ b/simpletrace.h
@@ -29,10 +29,10 @@ void trace3(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3);
 void trace4(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4);
 void trace5(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5);
 void trace6(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
-void st_print_trace(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
-void st_print_trace_events(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
+void st_print_trace(FILE *stream, fprintf_function stream_printf);
+void st_print_trace_events(FILE *stream, fprintf_function stream_printf);
 bool st_change_trace_event_state(const char *tname, bool tstate);
-void st_print_trace_file_status(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
+void st_print_trace_file_status(FILE *stream, fprintf_function stream_printf);
 void st_set_trace_file_enabled(bool enable);
 bool st_set_trace_file(const char *file);
 void st_flush_trace_buffer(void);
commit 9eca6cc64392b4ad8bd8723e840f491fa36524ad
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Nov 15 21:15:26 2010 +0100

    slirp: Remove unused code for bad sprintf
    
    Neither DECLARE_SPRINTF nor BAD_SPRINTF are needed for QEMU.
    
    QEMU won't support systems with missing or bad declarations
    for sprintf. The unused code was detected while looking for
    functions with missing format checking. Instead of adding
    GCC_FMT_ATTR, the unused code was removed.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/slirp/misc.c b/slirp/misc.c
index 1aeb401..19dbec4 100644
--- a/slirp/misc.c
+++ b/slirp/misc.c
@@ -264,48 +264,6 @@ void lprint(const char *format, ...)
     va_end(args);
 }
 
-#ifdef BAD_SPRINTF
-
-#undef vsprintf
-#undef sprintf
-
-/*
- * Some BSD-derived systems have a sprintf which returns char *
- */
-
-int
-vsprintf_len(string, format, args)
-	char *string;
-	const char *format;
-	va_list args;
-{
-	vsprintf(string, format, args);
-	return strlen(string);
-}
-
-int
-#ifdef __STDC__
-sprintf_len(char *string, const char *format, ...)
-#else
-sprintf_len(va_alist) va_dcl
-#endif
-{
-	va_list args;
-#ifdef __STDC__
-	va_start(args, format);
-#else
-	char *string;
-	char *format;
-	va_start(args);
-	string = va_arg(args, char *);
-	format = va_arg(args, char *);
-#endif
-	vsprintf(string, format, args);
-	return strlen(string);
-}
-
-#endif
-
 void
 u_sleep(int usec)
 {
diff --git a/slirp/slirp.h b/slirp/slirp.h
index 462292d..dfd977a 100644
--- a/slirp/slirp.h
+++ b/slirp/slirp.h
@@ -237,20 +237,6 @@ void if_start(Slirp *);
 void if_start(struct ttys *);
 #endif
 
-#ifdef BAD_SPRINTF
-# define vsprintf vsprintf_len
-# define sprintf sprintf_len
- extern int vsprintf_len(char *, const char *, va_list);
- extern int sprintf_len(char *, const char *, ...);
-#endif
-
-#ifdef DECLARE_SPRINTF
-# ifndef BAD_SPRINTF
- extern int vsprintf(char *, const char *, va_list);
-# endif
- extern int vfprintf(FILE *, const char *, va_list);
-#endif
-
 #ifndef HAVE_STRERROR
  extern char *strerror(int error);
 #endif
diff --git a/slirp/slirp_config.h b/slirp/slirp_config.h
index f19c703..18db45c 100644
--- a/slirp/slirp_config.h
+++ b/slirp/slirp_config.h
@@ -85,9 +85,6 @@
 /* Define if the machine is big endian */
 //#undef HOST_WORDS_BIGENDIAN
 
-/* Define if your sprintf returns char * instead of int */
-#undef BAD_SPRINTF
-
 /* Define if you have readv */
 #undef HAVE_READV
 
@@ -97,9 +94,6 @@
 #define DECLARE_IOVEC
 #endif
 
-/* Define if a declaration of sprintf/fprintf is needed */
-#undef DECLARE_SPRINTF
-
 /* Define if you have a POSIX.1 sys/wait.h */
 #undef HAVE_SYS_WAIT_H
 
commit 0550f9c1b58896a6ca1d1256e26c78f84de2ed55
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Nov 16 13:28:37 2010 +0100

    pc: disable the BOCHS BIOS panic port
    
    We have an OS which writes to port 0x400 when probing for special hardware.
    This causes an exit of the VM. With SeaBIOS this port isn't used anyway.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Reviewed-By: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pc.c b/hw/pc.c
index c34d194..119c110 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -430,8 +430,8 @@ static void bochs_bios_write(void *opaque, uint32_t addr, uint32_t val)
         /* Bochs BIOS messages */
     case 0x400:
     case 0x401:
-        fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
-        exit(1);
+        /* used to be panic, now unused */
+        break;
     case 0x402:
     case 0x403:
 #ifdef DEBUG_BIOS
commit 33bbd1de5ec9b8802d63e811908f2351ba83884c
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Nov 16 16:33:17 2010 +0200

    optionrom: fix bugs in signrom.sh
    
    signrom.sh has multiple bugs:
    
    - the last byte is considered when calculating the existing checksum, but not
      when computing the correction
    - apprently the 'expr' expression overflows and produces incorrect results with
      larger roms
    - if the checksum happened to be zero, we calculated the correction byte to be
      256
    
    Instead of rewriting this in half a line of python, this patch fixes the bugs.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/pc-bios/optionrom/signrom.sh b/pc-bios/optionrom/signrom.sh
index 975b27d..9dc5c63 100755
--- a/pc-bios/optionrom/signrom.sh
+++ b/pc-bios/optionrom/signrom.sh
@@ -31,14 +31,13 @@ x=`dd if="$1" bs=1 count=1 skip=2 2>/dev/null | od -t u1 -A n`
 size=$(( $x * 512 - 1 ))
 
 # now get the checksum
-nums=`od -A n -t u1 -v "$1"`
+nums=`od -A n -t u1 -v -N $size "$1"`
 for i in ${nums}; do
     # add each byte's value to sum
-    sum=`expr $sum + $i`
+    sum=`expr \( $sum + $i \) % 256`
 done
 
-sum=$(( $sum % 256 ))
-sum=$(( 256 - $sum ))
+sum=$(( (256 - $sum) % 256 ))
 sum_octal=$( printf "%o" $sum )
 
 # and write the output file
commit e71e00ed258202052570ae631536f4d7b65792fa
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Fri Nov 12 12:55:46 2010 -0200

    Makefile: Fix check dependency breakage
    
    Commit b152aa84d52882bb1846485a89baf13aa07c86bc broke the unit-tests
    build, fix it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/Makefile b/Makefile
index 747e47c..4e120a2 100644
--- a/Makefile
+++ b/Makefile
@@ -163,12 +163,14 @@ qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 
 check-qint.o check-qstring.o check-qdict.o check-qlist.o check-qfloat.o check-qjson.o: $(GENERATED_HEADERS)
 
-check-qint: check-qint.o qint.o qemu-malloc.o $(trace-obj-y)
-check-qstring: check-qstring.o qstring.o qemu-malloc.o $(trace-obj-y)
-check-qdict: check-qdict.o qdict.o qfloat.o qint.o qstring.o qbool.o qemu-malloc.o qlist.o $(trace-obj-y)
-check-qlist: check-qlist.o qlist.o qint.o qemu-malloc.o $(trace-obj-y)
-check-qfloat: check-qfloat.o qfloat.o qemu-malloc.o $(trace-obj-y)
-check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjson.o json-streamer.o json-lexer.o json-parser.o qemu-malloc.o $(trace-obj-y)
+CHECK_PROG_DEPS = qemu-malloc.o $(oslib-obj-y) $(trace-obj-y)
+
+check-qint: check-qint.o qint.o $(CHECK_PROG_DEPS)
+check-qstring: check-qstring.o qstring.o $(CHECK_PROG_DEPS)
+check-qdict: check-qdict.o qdict.o qfloat.o qint.o qstring.o qbool.o qlist.o $(CHECK_PROG_DEPS)
+check-qlist: check-qlist.o qlist.o qint.o $(CHECK_PROG_DEPS)
+check-qfloat: check-qfloat.o qfloat.o $(CHECK_PROG_DEPS)
+check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjson.o json-streamer.o json-lexer.o json-parser.o $(CHECK_PROG_DEPS)
 
 clean:
 # avoid old build problems by removing potentially incorrect old files
commit 33656af70230d5ccebe29e2f3bee38afe17db9b2
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Nov 8 17:02:56 2010 -0200

    block migration: do not submit multiple AIOs for same sector
    
    Block migration can submit multiple AIO reads for the same sector/chunk, but
    completion of such reads can happen out of order:
    
    migration               guest
    - get_dirty(N)
    - aio_read(N)
    - clear_dirty(N)
                            write(N)
                            set_dirty(N)
    - get_dirty(N)
    - aio_read(N)
    
    If the first aio_read completes after the second, stale data will be
    migrated to the destination.
    
    Fix by not allowing multiple AIOs inflight for the same sector.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/block-migration.c b/block-migration.c
index 0bfdb73..3e66f49 100644
--- a/block-migration.c
+++ b/block-migration.c
@@ -49,12 +49,14 @@ typedef struct BlkMigDevState {
     int64_t total_sectors;
     int64_t dirty;
     QSIMPLEQ_ENTRY(BlkMigDevState) entry;
+    unsigned long *aio_bitmap;
 } BlkMigDevState;
 
 typedef struct BlkMigBlock {
     uint8_t *buf;
     BlkMigDevState *bmds;
     int64_t sector;
+    int nr_sectors;
     struct iovec iov;
     QEMUIOVector qiov;
     BlockDriverAIOCB *aiocb;
@@ -140,6 +142,57 @@ static inline long double compute_read_bwidth(void)
     return  (block_mig_state.reads * BLOCK_SIZE)/ block_mig_state.total_time;
 }
 
+static int bmds_aio_inflight(BlkMigDevState *bmds, int64_t sector)
+{
+    int64_t chunk = sector / (int64_t)BDRV_SECTORS_PER_DIRTY_CHUNK;
+
+    if (bmds->aio_bitmap &&
+        (sector << BDRV_SECTOR_BITS) < bdrv_getlength(bmds->bs)) {
+        return !!(bmds->aio_bitmap[chunk / (sizeof(unsigned long) * 8)] &
+            (1UL << (chunk % (sizeof(unsigned long) * 8))));
+    } else {
+        return 0;
+    }
+}
+
+static void bmds_set_aio_inflight(BlkMigDevState *bmds, int64_t sector_num,
+                             int nb_sectors, int set)
+{
+    int64_t start, end;
+    unsigned long val, idx, bit;
+
+    start = sector_num / BDRV_SECTORS_PER_DIRTY_CHUNK;
+    end = (sector_num + nb_sectors - 1) / BDRV_SECTORS_PER_DIRTY_CHUNK;
+
+    for (; start <= end; start++) {
+        idx = start / (sizeof(unsigned long) * 8);
+        bit = start % (sizeof(unsigned long) * 8);
+        val = bmds->aio_bitmap[idx];
+        if (set) {
+            if (!(val & (1UL << bit))) {
+                val |= 1UL << bit;
+            }
+        } else {
+            if (val & (1UL << bit)) {
+                val &= ~(1UL << bit);
+            }
+        }
+        bmds->aio_bitmap[idx] = val;
+    }
+}
+
+static void alloc_aio_bitmap(BlkMigDevState *bmds)
+{
+    BlockDriverState *bs = bmds->bs;
+    int64_t bitmap_size;
+
+    bitmap_size = (bdrv_getlength(bs) >> BDRV_SECTOR_BITS) +
+            BDRV_SECTORS_PER_DIRTY_CHUNK * 8 - 1;
+    bitmap_size /= BDRV_SECTORS_PER_DIRTY_CHUNK * 8;
+
+    bmds->aio_bitmap = qemu_mallocz(bitmap_size);
+}
+
 static void blk_mig_read_cb(void *opaque, int ret)
 {
     BlkMigBlock *blk = opaque;
@@ -151,6 +204,7 @@ static void blk_mig_read_cb(void *opaque, int ret)
     add_avg_read_time(blk->time);
 
     QSIMPLEQ_INSERT_TAIL(&block_mig_state.blk_list, blk, entry);
+    bmds_set_aio_inflight(blk->bmds, blk->sector, blk->nr_sectors, 0);
 
     block_mig_state.submitted--;
     block_mig_state.read_done++;
@@ -194,6 +248,7 @@ static int mig_save_device_bulk(Monitor *mon, QEMUFile *f,
     blk->buf = qemu_malloc(BLOCK_SIZE);
     blk->bmds = bmds;
     blk->sector = cur_sector;
+    blk->nr_sectors = nr_sectors;
 
     blk->iov.iov_base = blk->buf;
     blk->iov.iov_len = nr_sectors * BDRV_SECTOR_SIZE;
@@ -248,6 +303,7 @@ static void init_blk_migration_it(void *opaque, BlockDriverState *bs)
         bmds->total_sectors = sectors;
         bmds->completed_sectors = 0;
         bmds->shared_base = block_mig_state.shared_base;
+        alloc_aio_bitmap(bmds);
 
         block_mig_state.total_sector_sum += sectors;
 
@@ -329,6 +385,8 @@ static int mig_save_device_dirty(Monitor *mon, QEMUFile *f,
     int nr_sectors;
 
     for (sector = bmds->cur_dirty; sector < bmds->total_sectors;) {
+        if (bmds_aio_inflight(bmds, sector))
+            qemu_aio_flush();
         if (bdrv_get_dirty(bmds->bs, sector)) {
 
             if (total_sectors - sector < BDRV_SECTORS_PER_DIRTY_CHUNK) {
@@ -340,6 +398,7 @@ static int mig_save_device_dirty(Monitor *mon, QEMUFile *f,
             blk->buf = qemu_malloc(BLOCK_SIZE);
             blk->bmds = bmds;
             blk->sector = sector;
+            blk->nr_sectors = nr_sectors;
 
             if (is_async) {
                 blk->iov.iov_base = blk->buf;
@@ -354,6 +413,7 @@ static int mig_save_device_dirty(Monitor *mon, QEMUFile *f,
                     goto error;
                 }
                 block_mig_state.submitted++;
+                bmds_set_aio_inflight(bmds, sector, nr_sectors, 1);
             } else {
                 if (bdrv_read(bmds->bs, sector, blk->buf,
                               nr_sectors) < 0) {
@@ -474,6 +534,7 @@ static void blk_mig_cleanup(Monitor *mon)
 
     while ((bmds = QSIMPLEQ_FIRST(&block_mig_state.bmds_list)) != NULL) {
         QSIMPLEQ_REMOVE_HEAD(&block_mig_state.bmds_list, entry);
+        qemu_free(bmds->aio_bitmap);
         qemu_free(bmds);
     }
 
commit 4dcafbb1eba2ee201ec86027982659b669f99c70
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Nov 8 17:02:55 2010 -0200

    block: set sector dirty on AIO write completion
    
    Sectors are marked dirty in the bitmap on AIO submission. This is wrong
    since data has not reached storage.
    
    Set a given sector as dirty in the dirty bitmap on AIO completion, so that
    reading a sector marked as dirty is guaranteed to return uptodate data.
    
    Reviewed-by: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/block.c b/block.c
index 53a10de..63effd8 100644
--- a/block.c
+++ b/block.c
@@ -2031,12 +2031,49 @@ BlockDriverAIOCB *bdrv_aio_readv(BlockDriverState *bs, int64_t sector_num,
     return ret;
 }
 
+typedef struct BlockCompleteData {
+    BlockDriverCompletionFunc *cb;
+    void *opaque;
+    BlockDriverState *bs;
+    int64_t sector_num;
+    int nb_sectors;
+} BlockCompleteData;
+
+static void block_complete_cb(void *opaque, int ret)
+{
+    BlockCompleteData *b = opaque;
+
+    if (b->bs->dirty_bitmap) {
+        set_dirty_bitmap(b->bs, b->sector_num, b->nb_sectors, 1);
+    }
+    b->cb(b->opaque, ret);
+    qemu_free(b);
+}
+
+static BlockCompleteData *blk_dirty_cb_alloc(BlockDriverState *bs,
+                                             int64_t sector_num,
+                                             int nb_sectors,
+                                             BlockDriverCompletionFunc *cb,
+                                             void *opaque)
+{
+    BlockCompleteData *blkdata = qemu_mallocz(sizeof(BlockCompleteData));
+
+    blkdata->bs = bs;
+    blkdata->cb = cb;
+    blkdata->opaque = opaque;
+    blkdata->sector_num = sector_num;
+    blkdata->nb_sectors = nb_sectors;
+
+    return blkdata;
+}
+
 BlockDriverAIOCB *bdrv_aio_writev(BlockDriverState *bs, int64_t sector_num,
                                   QEMUIOVector *qiov, int nb_sectors,
                                   BlockDriverCompletionFunc *cb, void *opaque)
 {
     BlockDriver *drv = bs->drv;
     BlockDriverAIOCB *ret;
+    BlockCompleteData *blk_cb_data;
 
     trace_bdrv_aio_writev(bs, sector_num, nb_sectors, opaque);
 
@@ -2048,7 +2085,10 @@ BlockDriverAIOCB *bdrv_aio_writev(BlockDriverState *bs, int64_t sector_num,
         return NULL;
 
     if (bs->dirty_bitmap) {
-        set_dirty_bitmap(bs, sector_num, nb_sectors, 1);
+        blk_cb_data = blk_dirty_cb_alloc(bs, sector_num, nb_sectors, cb,
+                                         opaque);
+        cb = &block_complete_cb;
+        opaque = blk_cb_data;
     }
 
     ret = drv->bdrv_aio_writev(bs, sector_num, qiov, nb_sectors,
commit 6d59fec11eeff8a784dc4991c8fe4f8538510475
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Nov 8 17:02:54 2010 -0200

    block: fix shift in dirty bitmap calculation
    
    Otherwise upper 32 bits of bitmap entries are not correctly calculated.
    
    Reviewed-by: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/block.c b/block.c
index 6b505fb..53a10de 100644
--- a/block.c
+++ b/block.c
@@ -930,14 +930,14 @@ static void set_dirty_bitmap(BlockDriverState *bs, int64_t sector_num,
         bit = start % (sizeof(unsigned long) * 8);
         val = bs->dirty_bitmap[idx];
         if (dirty) {
-            if (!(val & (1 << bit))) {
+            if (!(val & (1UL << bit))) {
                 bs->dirty_count++;
-                val |= 1 << bit;
+                val |= 1UL << bit;
             }
         } else {
-            if (val & (1 << bit)) {
+            if (val & (1UL << bit)) {
                 bs->dirty_count--;
-                val &= ~(1 << bit);
+                val &= ~(1UL << bit);
             }
         }
         bs->dirty_bitmap[idx] = val;
@@ -2685,8 +2685,8 @@ int bdrv_get_dirty(BlockDriverState *bs, int64_t sector)
 
     if (bs->dirty_bitmap &&
         (sector << BDRV_SECTOR_BITS) < bdrv_getlength(bs)) {
-        return bs->dirty_bitmap[chunk / (sizeof(unsigned long) * 8)] &
-            (1 << (chunk % (sizeof(unsigned long) * 8)));
+        return !!(bs->dirty_bitmap[chunk / (sizeof(unsigned long) * 8)] &
+            (1UL << (chunk % (sizeof(unsigned long) * 8))));
     } else {
         return 0;
     }
commit c276b17da65b7ff01627722a1abf2b7a684c8fd8
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Fri Nov 12 13:20:25 2010 +0000

    Add support for generating a systemtap tapset static probes
    
    This introduces generation of a qemu.stp/qemu-system-XXX.stp
    files which provides tapsets with friendly names for static
    probes & their arguments. Instead of
    
        probe process("qemu").mark("qemu_malloc") {
            printf("Malloc %d %p\n", $arg1, $arg2);
        }
    
    It is now possible todo
    
        probe qemu.system.i386.qemu_malloc {
            printf("Malloc %d %p\n", size, ptr);
        }
    
    There is one tapset defined per target arch, for both
    user and system emulators.
    
    * Makefile.target: Generate stp files for each target
    * tracetool: Support for generating systemtap tapsets
    * configure: Check for whether systemtap is available
      with the DTrace backend
    
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/Makefile.target b/Makefile.target
index 31c968c..2800f47 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -41,7 +41,27 @@ kvm.o kvm-all.o vhost.o vhost_net.o: QEMU_CFLAGS+=$(KVM_CFLAGS)
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
-all: $(PROGS)
+ifdef CONFIG_SYSTEMTAP_TRACE
+stap: $(QEMU_PROG).stp
+
+ifdef CONFIG_USER_ONLY
+TARGET_TYPE=user
+else
+TARGET_TYPE=system
+endif
+
+$(QEMU_PROG).stp:
+	$(call quiet-command,sh $(SRC_PATH)/tracetool \
+		--$(TRACE_BACKEND) \
+		--binary $(bindir)/$(QEMU_PROG) \
+		--target-arch $(TARGET_ARCH) \
+		--target-type $(TARGET_TYPE) \
+		--stap < $(SRC_PATH)/trace-events > $(QEMU_PROG).stp,"  GEN   $(QEMU_PROG).stp")
+else
+stap:
+endif
+
+all: $(PROGS) stap
 
 # Dummy command so that make thinks it has done something
 	@true
@@ -341,6 +361,9 @@ clean:
 	rm -f *.o *.a *~ $(PROGS) nwfpe/*.o fpu/*.o
 	rm -f *.d */*.d tcg/*.o ide/*.o
 	rm -f hmp-commands.h qmp-commands.h gdbstub-xml.c
+ifdef CONFIG_SYSTEMTAP_TRACE
+	rm -f *.stp
+endif
 
 install: all
 ifneq ($(PROGS),)
@@ -349,6 +372,10 @@ ifneq ($(STRIP),)
 	$(STRIP) $(patsubst %,"$(DESTDIR)$(bindir)/%",$(PROGS))
 endif
 endif
+ifdef CONFIG_SYSTEMTAP_TRACE
+	$(INSTALL_DIR) "$(DESTDIR)$(datadir)/../systemtap/tapset"
+	$(INSTALL_DATA) $(QEMU_PROG).stp "$(DESTDIR)$(datadir)/../systemtap/tapset"
+endif
 
 # Include automatically generated dependency files
 -include $(wildcard *.d */*.d)
diff --git a/configure b/configure
index f8dad3e..2917874 100755
--- a/configure
+++ b/configure
@@ -2203,6 +2203,10 @@ if test "$trace_backend" = "dtrace"; then
     echo
     exit 1
   fi
+  trace_backend_stap="no"
+  if has 'stap' ; then
+    trace_backend_stap="yes"
+  fi
 fi
 
 ##########################################
@@ -2645,6 +2649,9 @@ fi
 if test "$trace_backend" = "simple"; then
   trace_file="\"$trace_file-%u\""
 fi
+if test "$trace_backend" = "dtrace" -a "$trace_backend_stap" = "yes" ; then
+  echo "CONFIG_SYSTEMTAP_TRACE=y" >> $config_host_mak
+fi
 echo "CONFIG_TRACE_FILE=$trace_file" >> $config_host_mak
 
 echo "TOOLS=$tools" >> $config_host_mak
diff --git a/tracetool b/tracetool
index 1ade103..fce491c 100755
--- a/tracetool
+++ b/tracetool
@@ -23,9 +23,16 @@ Backends:
   --dtrace  DTrace/SystemTAP backend
 
 Output formats:
-  -h    Generate .h file
-  -c    Generate .c file
-  -d    Generate .d file (DTrace only)
+  -h     Generate .h file
+  -c     Generate .c file
+  -d     Generate .d file (DTrace only)
+  --stap Generate .stp file (DTrace with SystemTAP only)
+
+Options:
+  --binary      [path]  Full path to QEMU binary
+  --target-arch [arch]  QEMU emulator target arch
+  --target-type [type]  QEMU emulator target type ('system' or 'user')
+
 EOF
     exit 1
 }
@@ -396,6 +403,51 @@ linetod_end_dtrace()
 EOF
 }
 
+linetostap_begin_dtrace()
+{
+    return
+}
+
+linetostap_dtrace()
+{
+    local i arg name args arglist state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    arglist=$(get_argnames "$1", "")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    # Define prototype for probe arguments
+    cat <<EOF
+probe qemu.$targettype.$targetarch.$name = process("$binary").mark("$name")
+{
+EOF
+
+    i=1
+    for arg in $arglist
+    do
+        # 'limit' is a reserved keyword
+        if [ "$arg" = "limit" ]; then
+          arg="_limit"
+        fi
+        cat <<EOF
+  $arg = \$arg$i;
+EOF
+	i="$((i+1))"
+    done
+
+    cat <<EOF
+}
+EOF
+}
+
+linetostap_end_dtrace()
+{
+    return
+}
+
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -461,19 +513,61 @@ tracetod()
     convert d
 }
 
-# Choose backend
-case "$1" in
-"--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
-*) usage ;;
-esac
-shift
-
-case "$1" in
-"-h") tracetoh ;;
-"-c") tracetoc ;;
-"-d") tracetod ;;
-"--check-backend") exit 0 ;; # used by ./configure to test for backend
-*) usage ;;
-esac
+tracetostap()
+{
+    if [ $backend != "dtrace" ]; then
+       echo "SystemTAP tapset generator not applicable to $backend backend"
+       exit 1
+    fi
+    if [ -z "$binary" ]; then
+       echo "--binary is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    if [ -z "$targettype" ]; then
+       echo "--target-type is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    if [ -z "$targetarch" ]; then
+       echo "--target-arch is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert stap
+}
+
+
+backend=
+output=
+binary=
+targettype=
+targetarch=
+
+
+until [ -z "$1" ]
+do
+  case "$1" in
+    "--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
+
+    "--binary") shift ; binary="$1" ;;
+    "--target-arch") shift ; targetarch="$1" ;;
+    "--target-type") shift ; targettype="$1" ;;
+
+    "-h" | "-c" | "-d") output="${1#-}" ;;
+    "--stap") output="${1#--}" ;;
+
+    "--check-backend") exit 0 ;; # used by ./configure to test for backend
+
+    *)
+      usage;;
+  esac
+  shift
+done
+
+if [ "$backend" = "" -o "$output" = "" ]; then
+  usage
+fi
+
+gen="traceto$output"
+"$gen"
 
 exit 0
commit b3d08c029dd78ded5e35b74eaaa3d361821f83a7
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Fri Nov 12 13:20:24 2010 +0000

    Add a DTrace tracing backend targetted for SystemTAP compatability
    
    This introduces a new tracing backend that targets the SystemTAP
    implementation of DTrace userspace tracing. The core functionality
    should be applicable and standard across any DTrace implementation
    on Solaris, OS-X, *BSD, but the Makefile rules will likely need
    some small additional changes to cope with OS specific build
    requirements.
    
    This backend builds a little differently from the other tracing
    backends. Specifically there is no 'trace.c' file, because the
    'dtrace' command line tool generates a '.o' file directly from
    the dtrace probe definition file. The probe definition is usually
    named with a '.d' extension but QEMU uses '.d' files for its
    external makefile dependancy tracking, so this uses '.dtrace' as
    the extension for the probe definition file.
    
    The 'tracetool' program gains the ability to generate a trace.h
    file for DTrace, and also to generate the trace.d file containing
    the dtrace probe definition.
    
    Example usage of a dtrace probe in systemtap looks like:
    
      probe process("qemu").mark("qemu_malloc") {
        printf("Malloc %d %p\n", $arg1, $arg2);
      }
    
    * .gitignore: Ignore trace-dtrace.*
    * Makefile: Extra rules for generating DTrace files
    * Makefile.obj: Don't build trace.o for DTrace, use
      trace-dtrace.o generated by 'dtrace' instead
    * tracetool: Support for generating DTrace data files
    
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/.gitignore b/.gitignore
index a43e4d1..3efb4ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,8 @@ config-host.*
 config-target.*
 trace.h
 trace.c
+trace-dtrace.h
+trace-dtrace.dtrace
 *-timestamp
 *-softmmu
 *-darwin-user
diff --git a/Makefile b/Makefile
index 6896319..747e47c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,9 @@
 # Makefile for QEMU.
 
 GENERATED_HEADERS = config-host.h trace.h qemu-options.def
+ifeq ($(TRACE_BACKEND),dtrace)
+GENERATED_HEADERS += trace-dtrace.h
+endif
 
 ifneq ($(wildcard config-host.mak),)
 # Put the all: rule here so that config-host.mak can contain dependencies.
@@ -108,7 +111,11 @@ ui/vnc.o: QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 
 bt-host.o: QEMU_CFLAGS += $(BLUEZ_CFLAGS)
 
+ifeq ($(TRACE_BACKEND),dtrace)
+trace.h: trace.h-timestamp trace-dtrace.h
+else
 trace.h: trace.h-timestamp
+endif
 trace.h-timestamp: $(SRC_PATH)/trace-events config-host.mak
 	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   trace.h")
 	@cmp -s $@ trace.h || cp $@ trace.h
@@ -120,6 +127,20 @@ trace.c-timestamp: $(SRC_PATH)/trace-events config-host.mak
 
 trace.o: trace.c $(GENERATED_HEADERS)
 
+trace-dtrace.h: trace-dtrace.dtrace
+	$(call quiet-command,dtrace -o $@ -h -s $<, "  GEN   trace-dtrace.h")
+
+# Normal practice is to name DTrace probe file with a '.d' extension
+# but that gets picked up by QEMU's Makefile as an external dependancy
+# rule file. So we use '.dtrace' instead
+trace-dtrace.dtrace: trace-dtrace.dtrace-timestamp
+trace-dtrace.dtrace-timestamp: $(SRC_PATH)/trace-events config-host.mak
+	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -d < $< > $@,"  GEN   trace-dtrace.dtrace")
+	@cmp -s $@ trace-dtrace.dtrace || cp $@ trace-dtrace.dtrace
+
+trace-dtrace.o: trace-dtrace.dtrace $(GENERATED_HEADERS)
+	$(call quiet-command,dtrace -o $@ -G -s $<, "  GEN trace-dtrace.o")
+
 simpletrace.o: simpletrace.c $(GENERATED_HEADERS)
 
 version.o: $(SRC_PATH)/version.rc config-host.mak
@@ -157,6 +178,8 @@ clean:
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d net/*.o net/*.d fsdev/*.o fsdev/*.d ui/*.o ui/*.d
 	rm -f qemu-img-cmds.h
 	rm -f trace.c trace.h trace.c-timestamp trace.h-timestamp
+	rm -f trace-dtrace.dtrace trace-dtrace.dtrace-timestamp
+	rm -f trace-dtrace.h trace-dtrace.h-timestamp
 	$(MAKE) -C tests clean
 	for d in $(ALL_SUBDIRS) libhw32 libhw64 libuser libdis libdis-user; do \
 	if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
diff --git a/Makefile.objs b/Makefile.objs
index 15569af..23b17ce 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -286,11 +286,15 @@ libdis-$(CONFIG_SPARC_DIS) += sparc-dis.o
 ######################################################################
 # trace
 
+ifeq ($(TRACE_BACKEND),dtrace)
+trace-obj-y = trace-dtrace.o
+else
 trace-obj-y = trace.o
 ifeq ($(TRACE_BACKEND),simple)
 trace-obj-y += simpletrace.o
 user-obj-y += qemu-timer-common.o
 endif
+endif
 
 vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
diff --git a/configure b/configure
index 7025d2b..f8dad3e 100755
--- a/configure
+++ b/configure
@@ -929,7 +929,7 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --trace-backend=B        Trace backend nop simple ust"
+echo "  --trace-backend=B        Trace backend nop simple ust dtrace"
 echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo "  --disable-spice          disable spice"
@@ -2193,6 +2193,18 @@ EOF
     exit 1
   fi
 fi
+
+##########################################
+# For 'dtrace' backend, test if 'dtrace' command is present
+if test "$trace_backend" = "dtrace"; then
+  if ! has 'dtrace' ; then
+    echo
+    echo "Error: dtrace command is not found in PATH $PATH"
+    echo
+    exit 1
+  fi
+fi
+
 ##########################################
 # End of CC checks
 # After here, no more $cc or $ld runs
diff --git a/tracetool b/tracetool
index 7010858..1ade103 100755
--- a/tracetool
+++ b/tracetool
@@ -20,10 +20,12 @@ Backends:
   --nop     Tracing disabled
   --simple  Simple built-in backend
   --ust     LTTng User Space Tracing backend
+  --dtrace  DTrace/SystemTAP backend
 
 Output formats:
   -h    Generate .h file
   -c    Generate .c file
+  -d    Generate .d file (DTrace only)
 EOF
     exit 1
 }
@@ -46,8 +48,9 @@ get_args()
 # Get the argument name list of a trace event
 get_argnames()
 {
-    local nfields field name
+    local nfields field name sep
     nfields=0
+    sep="$2"
     for field in $(get_args "$1"); do
         nfields=$((nfields + 1))
 
@@ -58,7 +61,7 @@ get_argnames()
         name=${field%,}
         test "$field" = "$name" && continue
 
-        printf "%s" "$name, "
+        printf "%s%s " $name $sep
     done
 
     # Last argument name
@@ -73,7 +76,7 @@ get_argc()
 {
     local name argc
     argc=0
-    for name in $(get_argnames "$1"); do
+    for name in $(get_argnames "$1", ","); do
         argc=$((argc + 1))
     done
     echo $argc
@@ -154,7 +157,7 @@ EOF
 cast_args_to_uint64_t()
 {
     local arg
-    for arg in $(get_argnames "$1"); do
+    for arg in $(get_argnames "$1", ","); do
         printf "%s" "(uint64_t)(uintptr_t)$arg"
     done
 }
@@ -247,7 +250,7 @@ linetoh_ust()
     local name args argnames
     name=$(get_name "$1")
     args=$(get_args "$1")
-    argnames=$(get_argnames "$1")
+    argnames=$(get_argnames "$1", ",")
 
     cat <<EOF
 DECLARE_TRACE(ust_$name, TP_PROTO($args), TP_ARGS($argnames));
@@ -274,7 +277,7 @@ linetoc_ust()
     local name args argnames fmt
     name=$(get_name "$1")
     args=$(get_args "$1")
-    argnames=$(get_argnames "$1")
+    argnames=$(get_argnames "$1", ",")
     fmt=$(get_fmt "$1")
 
     cat <<EOF
@@ -306,6 +309,93 @@ EOF
     echo "}"
 }
 
+linetoh_begin_dtrace()
+{
+    cat <<EOF
+#include "trace-dtrace.h"
+EOF
+}
+
+linetoh_dtrace()
+{
+    local name args argnames state nameupper
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1", ",")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    nameupper=`echo $name | tr '[:lower:]' '[:upper:]'`
+
+    # Define an empty function for the trace event
+    cat <<EOF
+static inline void trace_$name($args) {
+    if (QEMU_${nameupper}_ENABLED()) {
+        QEMU_${nameupper}($argnames);
+    }
+}
+EOF
+}
+
+linetoh_end_dtrace()
+{
+    return
+}
+
+linetoc_begin_dtrace()
+{
+    return
+}
+
+linetoc_dtrace()
+{
+    # No need for function definitions in dtrace backend
+    return
+}
+
+linetoc_end_dtrace()
+{
+    return
+}
+
+linetod_begin_dtrace()
+{
+    cat <<EOF
+provider qemu {
+EOF
+}
+
+linetod_dtrace()
+{
+    local name args state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    # DTrace provider syntax expects foo() for empty
+    # params, not foo(void)
+    if [ "$args" = "void" ]; then
+       args=""
+    fi
+
+    # Define prototype for probe arguments
+    cat <<EOF
+        probe $name($args);
+EOF
+}
+
+linetod_end_dtrace()
+{
+    cat <<EOF
+};
+EOF
+}
+
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -324,9 +414,10 @@ convert()
         disable=${str%%disable *}
         echo
         if test -z "$disable"; then
-            # Pass the disabled state as an arg to lineto$1_simple().
-            # For all other cases, call lineto$1_nop()
-            if [ $backend = "simple" ]; then
+            # Pass the disabled state as an arg for the simple
+            # or DTrace backends which handle it dynamically.
+            # For all other backends, call lineto$1_nop()
+            if [ $backend = "simple" -o "$backend" = "dtrace" ]; then
                 "$process_line" "$str"
             else
                 "lineto$1_nop" "${str##disable }"
@@ -360,9 +451,19 @@ tracetoc()
     convert c
 }
 
+tracetod()
+{
+    if [ $backend != "dtrace" ]; then
+       echo "DTrace probe generator not applicable to $backend backend"
+       exit 1
+    fi
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert d
+}
+
 # Choose backend
 case "$1" in
-"--nop" | "--simple" | "--ust") backend="${1#--}" ;;
+"--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
 *) usage ;;
 esac
 shift
@@ -370,6 +471,7 @@ shift
 case "$1" in
 "-h") tracetoh ;;
 "-c") tracetoc ;;
+"-d") tracetod ;;
 "--check-backend") exit 0 ;; # used by ./configure to test for backend
 *) usage ;;
 esac
commit 06da6e44d725117be404c3f342ef539099043fe4
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Nov 17 18:06:06 2010 -0600

    Revert "Add a DTrace tracing backend targetted for SystemTAP compatability"
    
    This reverts commit 4addb1127f6327c7ebcbd150a6b589e7677adc92.

diff --git a/.gitignore b/.gitignore
index 3efb4ec..a43e4d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,8 +4,6 @@ config-host.*
 config-target.*
 trace.h
 trace.c
-trace-dtrace.h
-trace-dtrace.dtrace
 *-timestamp
 *-softmmu
 *-darwin-user
diff --git a/Makefile b/Makefile
index 747e47c..6896319 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,6 @@
 # Makefile for QEMU.
 
 GENERATED_HEADERS = config-host.h trace.h qemu-options.def
-ifeq ($(TRACE_BACKEND),dtrace)
-GENERATED_HEADERS += trace-dtrace.h
-endif
 
 ifneq ($(wildcard config-host.mak),)
 # Put the all: rule here so that config-host.mak can contain dependencies.
@@ -111,11 +108,7 @@ ui/vnc.o: QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 
 bt-host.o: QEMU_CFLAGS += $(BLUEZ_CFLAGS)
 
-ifeq ($(TRACE_BACKEND),dtrace)
-trace.h: trace.h-timestamp trace-dtrace.h
-else
 trace.h: trace.h-timestamp
-endif
 trace.h-timestamp: $(SRC_PATH)/trace-events config-host.mak
 	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   trace.h")
 	@cmp -s $@ trace.h || cp $@ trace.h
@@ -127,20 +120,6 @@ trace.c-timestamp: $(SRC_PATH)/trace-events config-host.mak
 
 trace.o: trace.c $(GENERATED_HEADERS)
 
-trace-dtrace.h: trace-dtrace.dtrace
-	$(call quiet-command,dtrace -o $@ -h -s $<, "  GEN   trace-dtrace.h")
-
-# Normal practice is to name DTrace probe file with a '.d' extension
-# but that gets picked up by QEMU's Makefile as an external dependancy
-# rule file. So we use '.dtrace' instead
-trace-dtrace.dtrace: trace-dtrace.dtrace-timestamp
-trace-dtrace.dtrace-timestamp: $(SRC_PATH)/trace-events config-host.mak
-	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -d < $< > $@,"  GEN   trace-dtrace.dtrace")
-	@cmp -s $@ trace-dtrace.dtrace || cp $@ trace-dtrace.dtrace
-
-trace-dtrace.o: trace-dtrace.dtrace $(GENERATED_HEADERS)
-	$(call quiet-command,dtrace -o $@ -G -s $<, "  GEN trace-dtrace.o")
-
 simpletrace.o: simpletrace.c $(GENERATED_HEADERS)
 
 version.o: $(SRC_PATH)/version.rc config-host.mak
@@ -178,8 +157,6 @@ clean:
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d net/*.o net/*.d fsdev/*.o fsdev/*.d ui/*.o ui/*.d
 	rm -f qemu-img-cmds.h
 	rm -f trace.c trace.h trace.c-timestamp trace.h-timestamp
-	rm -f trace-dtrace.dtrace trace-dtrace.dtrace-timestamp
-	rm -f trace-dtrace.h trace-dtrace.h-timestamp
 	$(MAKE) -C tests clean
 	for d in $(ALL_SUBDIRS) libhw32 libhw64 libuser libdis libdis-user; do \
 	if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
diff --git a/Makefile.objs b/Makefile.objs
index 23b17ce..15569af 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -286,15 +286,11 @@ libdis-$(CONFIG_SPARC_DIS) += sparc-dis.o
 ######################################################################
 # trace
 
-ifeq ($(TRACE_BACKEND),dtrace)
-trace-obj-y = trace-dtrace.o
-else
 trace-obj-y = trace.o
 ifeq ($(TRACE_BACKEND),simple)
 trace-obj-y += simpletrace.o
 user-obj-y += qemu-timer-common.o
 endif
-endif
 
 vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
diff --git a/configure b/configure
index f8dad3e..7025d2b 100755
--- a/configure
+++ b/configure
@@ -929,7 +929,7 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --trace-backend=B        Trace backend nop simple ust dtrace"
+echo "  --trace-backend=B        Trace backend nop simple ust"
 echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo "  --disable-spice          disable spice"
@@ -2193,18 +2193,6 @@ EOF
     exit 1
   fi
 fi
-
-##########################################
-# For 'dtrace' backend, test if 'dtrace' command is present
-if test "$trace_backend" = "dtrace"; then
-  if ! has 'dtrace' ; then
-    echo
-    echo "Error: dtrace command is not found in PATH $PATH"
-    echo
-    exit 1
-  fi
-fi
-
 ##########################################
 # End of CC checks
 # After here, no more $cc or $ld runs
diff --git a/tracetool b/tracetool
index 5b6636a..7010858 100755
--- a/tracetool
+++ b/tracetool
@@ -20,12 +20,10 @@ Backends:
   --nop     Tracing disabled
   --simple  Simple built-in backend
   --ust     LTTng User Space Tracing backend
-  --dtrace  DTrace/SystemTAP backend
 
 Output formats:
   -h    Generate .h file
   -c    Generate .c file
-  -d    Generate .d file (DTrace only)
 EOF
     exit 1
 }
@@ -48,9 +46,8 @@ get_args()
 # Get the argument name list of a trace event
 get_argnames()
 {
-    local nfields field name sep
+    local nfields field name
     nfields=0
-    sep="$2"
     for field in $(get_args "$1"); do
         nfields=$((nfields + 1))
 
@@ -61,7 +58,7 @@ get_argnames()
         name=${field%,}
         test "$field" = "$name" && continue
 
-        printf "%s%s " $name $sep
+        printf "%s" "$name, "
     done
 
     # Last argument name
@@ -76,7 +73,7 @@ get_argc()
 {
     local name argc
     argc=0
-    for name in $(get_argnames "$1", ","); do
+    for name in $(get_argnames "$1"); do
         argc=$((argc + 1))
     done
     echo $argc
@@ -157,7 +154,7 @@ EOF
 cast_args_to_uint64_t()
 {
     local arg
-    for arg in $(get_argnames "$1", ","); do
+    for arg in $(get_argnames "$1"); do
         printf "%s" "(uint64_t)(uintptr_t)$arg"
     done
 }
@@ -250,7 +247,7 @@ linetoh_ust()
     local name args argnames
     name=$(get_name "$1")
     args=$(get_args "$1")
-    argnames=$(get_argnames "$1", ",")
+    argnames=$(get_argnames "$1")
 
     cat <<EOF
 DECLARE_TRACE(ust_$name, TP_PROTO($args), TP_ARGS($argnames));
@@ -277,7 +274,7 @@ linetoc_ust()
     local name args argnames fmt
     name=$(get_name "$1")
     args=$(get_args "$1")
-    argnames=$(get_argnames "$1", ",")
+    argnames=$(get_argnames "$1")
     fmt=$(get_fmt "$1")
 
     cat <<EOF
@@ -309,87 +306,6 @@ EOF
     echo "}"
 }
 
-linetoh_begin_dtrace()
-{
-    cat <<EOF
-#include "trace-dtrace.h"
-EOF
-}
-
-linetoh_dtrace()
-{
-    local name args argnames state nameupper
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    argnames=$(get_argnames "$1", ",")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-
-    nameupper=`echo $name | tr '[:lower:]' '[:upper:]'`
-
-    # Define an empty function for the trace event
-    cat <<EOF
-static inline void trace_$name($args) {
-    if (QEMU_${nameupper}_ENABLED()) {
-        QEMU_${nameupper}($argnames);
-    }
-}
-EOF
-}
-
-linetoh_end_dtrace()
-{
-    return
-}
-
-linetoc_begin_dtrace()
-{
-    return
-}
-
-linetoc_dtrace()
-{
-    # No need for function definitions in dtrace backend
-    return
-}
-
-linetoc_end_dtrace()
-{
-    return
-}
-
-linetod_begin_dtrace()
-{
-    cat <<EOF
-provider qemu {
-EOF
-}
-
-linetod_dtrace()
-{
-    local name args state
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-
-    # Define prototype for probe arguments
-    cat <<EOF
-        probe $name($args);
-EOF
-}
-
-linetod_end_dtrace()
-{
-    cat <<EOF
-};
-EOF
-}
-
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -408,10 +324,9 @@ convert()
         disable=${str%%disable *}
         echo
         if test -z "$disable"; then
-            # Pass the disabled state as an arg for the simple
-            # or DTrace backends which handle it dynamically.
-            # For all other backends, call lineto$1_nop()
-            if [ $backend = "simple" -o "$backend" = "dtrace" ]; then
+            # Pass the disabled state as an arg to lineto$1_simple().
+            # For all other cases, call lineto$1_nop()
+            if [ $backend = "simple" ]; then
                 "$process_line" "$str"
             else
                 "lineto$1_nop" "${str##disable }"
@@ -445,19 +360,9 @@ tracetoc()
     convert c
 }
 
-tracetod()
-{
-    if [ $backend != "dtrace" ]; then
-       echo "DTrace probe generator not applicable to $backend backend"
-       exit 1
-    fi
-    echo "/* This file is autogenerated by tracetool, do not edit. */"
-    convert d
-}
-
 # Choose backend
 case "$1" in
-"--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
+"--nop" | "--simple" | "--ust") backend="${1#--}" ;;
 *) usage ;;
 esac
 shift
@@ -465,7 +370,6 @@ shift
 case "$1" in
 "-h") tracetoh ;;
 "-c") tracetoc ;;
-"-d") tracetod ;;
 "--check-backend") exit 0 ;; # used by ./configure to test for backend
 *) usage ;;
 esac
commit 371c338ecae44bb28cc19138484256b1df831e99
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Nov 17 18:05:58 2010 -0600

    Revert "Add support for generating a systemtap tapset static probes"
    
    This reverts commit 2834c3e0140c3b0ed4422909dfa0607b7213d95d.
    
    Conflicts:
    
    	Makefile.target

diff --git a/Makefile.target b/Makefile.target
index 652c7d2..31c968c 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -41,18 +41,7 @@ kvm.o kvm-all.o vhost.o vhost_net.o: QEMU_CFLAGS+=$(KVM_CFLAGS)
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
-ifdef CONFIG_SYSTEMTAP_TRACE
-STPFILES+=$(QEMU_PROG).stp
-
-$(QEMU_PROG).stp:
-	$(call quiet-command,sh $(SRC_PATH)/tracetool \
-		--$(TRACE_BACKEND) \
-		--bindir $(bindir) \
-		--target $(TARGET_ARCH) \
-		-s < $(SRC_PATH)/trace-events > $@,"  GEN   $@")
-endif
-
-all: $(PROGS) $(STPFILES)
+all: $(PROGS)
 
 # Dummy command so that make thinks it has done something
 	@true
@@ -360,10 +349,6 @@ ifneq ($(STRIP),)
 	$(STRIP) $(patsubst %,"$(DESTDIR)$(bindir)/%",$(PROGS))
 endif
 endif
-ifdef CONFIG_SYSTEMTAP_TRACE
-	$(INSTALL_DIR) "$(DESTDIR)$(datadir)/../systemtap/tapset"
-	$(INSTALL_DATA) $(STPFILES) "$(DESTDIR)$(datadir)/../systemtap/tapset"
-endif
 
 # Include automatically generated dependency files
 -include $(wildcard *.d */*.d)
diff --git a/configure b/configure
index e560f87..f8dad3e 100755
--- a/configure
+++ b/configure
@@ -2192,10 +2192,6 @@ EOF
     echo
     exit 1
   fi
-  trace_backend_stap="no"
-  if has 'stap' ; then
-    trace_backend_stap="yes"
-  fi
 fi
 
 ##########################################
@@ -2649,9 +2645,6 @@ fi
 if test "$trace_backend" = "simple"; then
   trace_file="\"$trace_file-%u\""
 fi
-if test "$trace_backend" = "dtrace" -a "$trace_backend_stap" = "yes" ; then
-  echo "CONFIG_SYSTEMTAP_TRACE=y" >> $config_host_mak
-fi
 echo "CONFIG_TRACE_FILE=$trace_file" >> $config_host_mak
 
 echo "TOOLS=$tools" >> $config_host_mak
diff --git a/tracetool b/tracetool
index d797ab7..5b6636a 100755
--- a/tracetool
+++ b/tracetool
@@ -26,12 +26,6 @@ Output formats:
   -h    Generate .h file
   -c    Generate .c file
   -d    Generate .d file (DTrace only)
-  -s    Generate .stp file (DTrace with SystemTAP only)
-
-Options:
-  --bindir [bindir]  QEMU binary install location
-  --target [arch]    QEMU target architecture
-
 EOF
     exit 1
 }
@@ -396,54 +390,6 @@ linetod_end_dtrace()
 EOF
 }
 
-linetos_begin_dtrace()
-{
-    return
-}
-
-linetos_dtrace()
-{
-    local name args arglist state
-    name=$(get_name "$1")
-    args=$(get_args "$1")
-    arglist=$(get_argnames "$1", "")
-    state=$(get_state "$1")
-    if [ "$state" = "0" ] ; then
-        name=${name##disable }
-    fi
-
-    if [ "$target" = "i386" ]
-    then
-      binary="qemu"
-    else
-      binary="qemu-system-$target"
-    fi
-
-    # Define prototype for probe arguments
-    cat <<EOF
-probe qemu.system.$target.$name = process("$bindir/$binary").mark("$name")
-{
-EOF
-
-    i=1
-    for arg in $arglist
-    do
-        cat <<EOF
-  $arg = \$arg$i;
-EOF
-	i="$((i+1))"
-    done
-
-    cat <<EOF
-}
-EOF
-}
-
-linetos_end_dtrace()
-{
-    return
-}
-
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -509,24 +455,6 @@ tracetod()
     convert d
 }
 
-tracetos()
-{
-    if [ $backend != "dtrace" ]; then
-       echo "SystemTAP tapset generator not applicable to $backend backend"
-       exit 1
-    fi
-    if [ -z "$target" ]; then
-       echo "--target is required for SystemTAP tapset generator"
-       exit 1
-    fi
-    if [ -z "$bindir" ]; then
-       echo "--bindir is required for SystemTAP tapset generator"
-       exit 1
-    fi
-    echo "/* This file is autogenerated by tracetool, do not edit. */"
-    convert s
-}
-
 # Choose backend
 case "$1" in
 "--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
@@ -534,30 +462,10 @@ case "$1" in
 esac
 shift
 
-bindir=
-case "$1" in
-  "--bindir")
-    bindir=$2
-    shift
-    shift
-    ;;
-esac
-
-target=
-case "$1" in
-  "--target")
-    target=$2
-    shift
-    shift
-    ;;
-esac
-
-
 case "$1" in
 "-h") tracetoh ;;
 "-c") tracetoc ;;
 "-d") tracetod ;;
-"-s") tracetos ;;
 "--check-backend") exit 0 ;; # used by ./configure to test for backend
 *) usage ;;
 esac
commit 39deb1e496de81957167daebf5cf5d1fbd5e47c2
Author: malc <av1474 at comtv.ru>
Date:   Thu Nov 18 14:30:12 2010 +0300

    audio: Only use audio timer when necessary
    
    Originally proposed by Gerd Hoffmann.
    
    Signed-off-by: malc <av1474 at comtv.ru>
    Acked-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/audio/audio.c b/audio/audio.c
index ade342e..1707446 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -1096,15 +1096,6 @@ static void audio_pcm_print_info (const char *cap, struct audio_pcm_info *info)
 /*
  * Timer
  */
-static void audio_timer (void *opaque)
-{
-    AudioState *s = opaque;
-
-    audio_run ("timer");
-    qemu_mod_timer (s->ts, qemu_get_clock (vm_clock) + conf.period.ticks);
-}
-
-
 static int audio_is_timer_needed (void)
 {
     HWVoiceIn *hwi = NULL;
@@ -1119,10 +1110,8 @@ static int audio_is_timer_needed (void)
     return 0;
 }
 
-static void audio_reset_timer (void)
+static void audio_reset_timer (AudioState *s)
 {
-    AudioState *s = &glob_audio_state;
-
     if (audio_is_timer_needed ()) {
         qemu_mod_timer (s->ts, qemu_get_clock (vm_clock) + 1);
     }
@@ -1131,6 +1120,12 @@ static void audio_reset_timer (void)
     }
 }
 
+static void audio_timer (void *opaque)
+{
+    audio_run ("timer");
+    audio_reset_timer (opaque);
+}
+
 /*
  * Public API
  */
@@ -1195,7 +1190,7 @@ void AUD_set_active_out (SWVoiceOut *sw, int on)
                 hw->enabled = 1;
                 if (s->vm_running) {
                     hw->pcm_ops->ctl_out (hw, VOICE_ENABLE, conf.try_poll_out);
-                    audio_reset_timer ();
+                    audio_reset_timer (s);
                 }
             }
         }
@@ -1240,6 +1235,7 @@ void AUD_set_active_in (SWVoiceIn *sw, int on)
                 hw->enabled = 1;
                 if (s->vm_running) {
                     hw->pcm_ops->ctl_in (hw, VOICE_ENABLE, conf.try_poll_in);
+                    audio_reset_timer (s);
                 }
             }
             sw->total_hw_samples_acquired = hw->total_samples_captured;
@@ -1761,7 +1757,7 @@ static void audio_vm_change_state_handler (void *opaque, int running,
     while ((hwi = audio_pcm_hw_find_any_enabled_in (hwi))) {
         hwi->pcm_ops->ctl_in (hwi, op, conf.try_poll_in);
     }
-    audio_reset_timer ();
+    audio_reset_timer (s);
 }
 
 static void audio_atexit (void)
commit b377474e589e5a1fe2abc7b13fafa8bad802637a
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Nov 16 15:05:29 2010 +0100

    device-assignment: register a reset function
    
    This is necessary because during reboot of a VM the assigned devices
    continue DMA transfers which causes memory corruption.
    
    Acked-by: Alex Williamson <alex.williamson at redhat.com>
    Acked-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Thomas Ostler <thomas.ostler at nsn.com>
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index c2a7b27..369bff9 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1438,6 +1438,17 @@ static const VMStateDescription vmstate_assigned_device = {
     .name = "pci-assign"
 };
 
+static void reset_assigned_device(DeviceState *dev)
+{
+    PCIDevice *d = DO_UPCAST(PCIDevice, qdev, dev);
+
+    /*
+     * When a 0 is written to the command register, the device is logically
+     * disconnected from the PCI bus. This avoids further DMA transfers.
+     */
+    assigned_dev_pci_write_config(d, PCI_COMMAND, 0, 2);
+}
+
 static int assigned_initfn(struct PCIDevice *pci_dev)
 {
     AssignedDevice *dev = DO_UPCAST(AssignedDevice, dev, pci_dev);
@@ -1555,6 +1566,7 @@ static PCIDeviceInfo assign_info = {
     .qdev.name    = "pci-assign",
     .qdev.desc    = "pass through host pci devices to the guest",
     .qdev.size    = sizeof(AssignedDevice),
+    .qdev.reset   = reset_assigned_device,
     .init         = assigned_initfn,
     .exit         = assigned_exitfn,
     .config_read  = assigned_dev_pci_read_config,
commit 4f21cd82ecede4a065def2ff146cd001078ffcb8
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Nov 15 16:11:19 2010 -0700

    device-assignment: Register as un-migratable
    
    Use register_device_unmigratable() to declare ourselves as
    non-migratable.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 5f5bde1..c2a7b27 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1434,6 +1434,10 @@ static void assigned_dev_unregister_msix_mmio(AssignedDevice *dev)
     dev->msix_table_page = NULL;
 }
 
+static const VMStateDescription vmstate_assigned_device = {
+    .name = "pci-assign"
+};
+
 static int assigned_initfn(struct PCIDevice *pci_dev)
 {
     AssignedDevice *dev = DO_UPCAST(AssignedDevice, dev, pci_dev);
@@ -1495,6 +1499,12 @@ static int assigned_initfn(struct PCIDevice *pci_dev)
 
     assigned_dev_load_option_rom(dev);
     QLIST_INSERT_HEAD(&devs, dev, next);
+
+    /* Register a vmsd so that we can mark it unmigratable. */
+    vmstate_register(&dev->dev.qdev, 0, &vmstate_assigned_device, dev);
+    register_device_unmigratable(&dev->dev.qdev,
+                                 vmstate_assigned_device.name, dev);
+
     return 0;
 
 assigned_out:
@@ -1508,6 +1518,7 @@ static int assigned_exitfn(struct PCIDevice *pci_dev)
 {
     AssignedDevice *dev = DO_UPCAST(AssignedDevice, dev, pci_dev);
 
+    vmstate_unregister(&dev->dev.qdev, &vmstate_assigned_device, dev);
     QLIST_REMOVE(dev, next);
     deassign_device(dev);
     free_assigned_device(dev);
commit a6f9dd02f75685934ca52f038b6fcb38b661c283
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Nov 10 15:59:57 2010 -0200

    Makefile: Fix check dependency breakage
    
    Commit b152aa84d52882bb1846485a89baf13aa07c86bc broke the unit-tests
    build, fix it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/Makefile b/Makefile
index 747e47c..4e120a2 100644
--- a/Makefile
+++ b/Makefile
@@ -163,12 +163,14 @@ qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 
 check-qint.o check-qstring.o check-qdict.o check-qlist.o check-qfloat.o check-qjson.o: $(GENERATED_HEADERS)
 
-check-qint: check-qint.o qint.o qemu-malloc.o $(trace-obj-y)
-check-qstring: check-qstring.o qstring.o qemu-malloc.o $(trace-obj-y)
-check-qdict: check-qdict.o qdict.o qfloat.o qint.o qstring.o qbool.o qemu-malloc.o qlist.o $(trace-obj-y)
-check-qlist: check-qlist.o qlist.o qint.o qemu-malloc.o $(trace-obj-y)
-check-qfloat: check-qfloat.o qfloat.o qemu-malloc.o $(trace-obj-y)
-check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjson.o json-streamer.o json-lexer.o json-parser.o qemu-malloc.o $(trace-obj-y)
+CHECK_PROG_DEPS = qemu-malloc.o $(oslib-obj-y) $(trace-obj-y)
+
+check-qint: check-qint.o qint.o $(CHECK_PROG_DEPS)
+check-qstring: check-qstring.o qstring.o $(CHECK_PROG_DEPS)
+check-qdict: check-qdict.o qdict.o qfloat.o qint.o qstring.o qbool.o qlist.o $(CHECK_PROG_DEPS)
+check-qlist: check-qlist.o qlist.o qint.o $(CHECK_PROG_DEPS)
+check-qfloat: check-qfloat.o qfloat.o $(CHECK_PROG_DEPS)
+check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjson.o json-streamer.o json-lexer.o json-parser.o $(CHECK_PROG_DEPS)
 
 clean:
 # avoid old build problems by removing potentially incorrect old files
commit 11217a757e7dda66fd2e78b10ea0cd8d6b290e42
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Oct 28 13:28:37 2010 -0200

    QMP/qmp-shell: Introduce HMP mode
    
    In which qmp-shell will exclusively use the HMP passthrough feature,
    this is useful for testing.
    
    Example:
    
        # ./qmp-shell -H qmp-sock
        Welcome to the HMP shell!
        Connected to QEMU 0.13.50
    
        (QEMU) info network
        VLAN 0 devices:
          user.0: net=10.0.2.0, restricted=n
            e1000.0: model=e1000,macaddr=52:54:00:12:34:56
            Devices not on any VLAN:
        (QEMU)
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/QMP/qmp-shell b/QMP/qmp-shell
index 1fb7e76..42dabc8 100755
--- a/QMP/qmp-shell
+++ b/QMP/qmp-shell
@@ -145,6 +145,76 @@ class QMPShell(qmp.QEMUMonitorProtocol):
         else:
             return self._execute_cmd(cmdline)
 
+class HMPShell(QMPShell):
+    def __init__(self, address):
+        QMPShell.__init__(self, address)
+        self.__cpu_index = 0
+
+    def __cmd_completion(self):
+        for cmd in self.__cmd_passthrough('help')['return'].split('\r\n'):
+            if cmd and cmd[0] != '[' and cmd[0] != '\t':
+                name = cmd.split()[0] # drop help text
+                if name == 'info':
+                    continue
+                if name.find('|') != -1:
+                    # Command in the form 'foobar|f' or 'f|foobar', take the
+                    # full name
+                    opt = name.split('|')
+                    if len(opt[0]) == 1:
+                        name = opt[1]
+                    else:
+                        name = opt[0]
+                self._completer.append(name)
+                self._completer.append('help ' + name) # help completion
+
+    def __info_completion(self):
+        for cmd in self.__cmd_passthrough('info')['return'].split('\r\n'):
+            if cmd:
+                self._completer.append('info ' + cmd.split()[1])
+
+    def __other_completion(self):
+        # special cases
+        self._completer.append('help info')
+
+    def _fill_completion(self):
+        self.__cmd_completion()
+        self.__info_completion()
+        self.__other_completion()
+
+    def __cmd_passthrough(self, cmdline, cpu_index = 0):
+        return self.cmd_obj({ 'execute': 'human-monitor-command', 'arguments':
+                              { 'command-line': cmdline,
+                                'cpu-index': cpu_index } })
+
+    def _execute_cmd(self, cmdline):
+        if cmdline.split()[0] == "cpu":
+            # trap the cpu command, it requires special setting
+            try:
+                idx = int(cmdline.split()[1])
+                if not 'return' in self.__cmd_passthrough('info version', idx):
+                    print 'bad CPU index'
+                    return True
+                self.__cpu_index = idx
+            except ValueError:
+                print 'cpu command takes an integer argument'
+                return True
+        resp = self.__cmd_passthrough(cmdline, self.__cpu_index)
+        if resp is None:
+            print 'Disconnected'
+            return False
+        assert 'return' in resp or 'error' in resp
+        if 'return' in resp:
+            # Success
+            if len(resp['return']) > 0:
+                print resp['return'],
+        else:
+            # Error
+            print '%s: %s' % (resp['error']['class'], resp['error']['desc'])
+        return True
+
+    def show_banner(self):
+        QMPShell.show_banner(self, msg='Welcome to the HMP shell!')
+
 def die(msg):
     sys.stderr.write('ERROR: %s\n' % msg)
     sys.exit(1)
@@ -156,9 +226,16 @@ def fail_cmdline(option=None):
     sys.exit(1)
 
 def main():
+    addr = ''
     try:
         if len(sys.argv) == 2:
             qemu = QMPShell(sys.argv[1])
+            addr = sys.argv[1]
+        elif len(sys.argv) == 3:
+            if sys.argv[1] != '-H':
+                fail_cmdline(sys.argv[1])
+            qemu = HMPShell(sys.argv[2])
+            addr = sys.argv[2]
         else:
                 fail_cmdline()
     except QMPShellBadPort:
@@ -171,7 +248,7 @@ def main():
     except qmp.QMPCapabilitiesError:
         die('Could not negotiate capabilities')
     except qemu.error:
-        die('Could not connect to %s' % sys.argv[1])
+        die('Could not connect to %s' % addr)
 
     qemu.show_banner()
     while qemu.read_exec_command('(QEMU) '):
commit 0268d97c51207f35a5a01239ad92ef2c35dcd5ba
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Fri Oct 22 10:08:02 2010 -0200

    QMP: Introduce Human Monitor passthrough command
    
    This command allows QMP clients to execute HMP commands.
    
    Please, check the documentation added to the qmp-commands.hx file
    for additional details about the interface and its limitations.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 8cee35d..ec31eac 100644
--- a/monitor.c
+++ b/monitor.c
@@ -491,6 +491,44 @@ static int do_qmp_capabilities(Monitor *mon, const QDict *params,
     return 0;
 }
 
+static int mon_set_cpu(int cpu_index);
+static void handle_user_command(Monitor *mon, const char *cmdline);
+
+static int do_hmp_passthrough(Monitor *mon, const QDict *params,
+                              QObject **ret_data)
+{
+    int ret = 0;
+    Monitor *old_mon, hmp;
+    CharDriverState mchar;
+
+    memset(&hmp, 0, sizeof(hmp));
+    qemu_chr_init_mem(&mchar);
+    hmp.chr = &mchar;
+
+    old_mon = cur_mon;
+    cur_mon = &hmp;
+
+    if (qdict_haskey(params, "cpu-index")) {
+        ret = mon_set_cpu(qdict_get_int(params, "cpu-index"));
+        if (ret < 0) {
+            cur_mon = old_mon;
+            qerror_report(QERR_INVALID_PARAMETER_VALUE, "cpu-index", "a CPU number");
+            goto out;
+        }
+    }
+
+    handle_user_command(&hmp, qdict_get_str(params, "command-line"));
+    cur_mon = old_mon;
+
+    if (qemu_chr_mem_osize(hmp.chr) > 0) {
+        *ret_data = QOBJECT(qemu_chr_mem_to_qs(hmp.chr));
+    }
+
+out:
+    qemu_chr_close_mem(hmp.chr);
+    return ret;
+}
+
 static int compare_cmd(const char *name, const char *list)
 {
     const char *p, *pstart;
diff --git a/qmp-commands.hx b/qmp-commands.hx
index 793cf1c..e5f157f 100644
--- a/qmp-commands.hx
+++ b/qmp-commands.hx
@@ -761,6 +761,51 @@ Example:
 
 Note: This command must be issued before issuing any other command.
 
+EQMP
+
+    {
+        .name       = "human-monitor-command",
+        .args_type  = "command-line:s,cpu-index:i?",
+        .params     = "",
+        .help       = "",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_hmp_passthrough,
+    },
+
+SQMP
+human-monitor-command
+---------------------
+
+Execute a Human Monitor command.
+
+Arguments: 
+
+- command-line: the command name and its arguments, just like the
+                Human Monitor's shell (json-string)
+- cpu-index: select the CPU number to be used by commands which access CPU
+             data, like 'info registers'. The Monitor selects CPU 0 if this
+             argument is not provided (json-int, optional)
+
+Example:
+
+-> { "execute": "human-monitor-command", "arguments": { "command-line": "info kvm" } }
+<- { "return": "kvm support: enabled\r\n" }
+
+Notes:
+
+(1) The Human Monitor is NOT an stable interface, this means that command
+    names, arguments and responses can change or be removed at ANY time.
+    Applications that rely on long term stability guarantees should NOT
+    use this command
+
+(2) Limitations:
+
+    o This command is stateless, this means that commands that depend
+      on state information (such as getfd) might not work
+
+    o Commands that prompt the user for data (eg. 'cont' when the block
+      device is encrypted) don't currently work
+
 3. Query Commands
 =================
 
commit 999bd67c879cbd8bf0fe2b4ff0fb308a9a48ec72
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Fri Oct 22 16:09:05 2010 -0200

    qemu-char: Introduce Memory driver
    
    This driver handles in-memory chardev operations. That's, all writes
    to this driver are stored in an internal buffer and it doesn't talk
    to the external world in any way.
    
    Right now it's very simple: it supports only writes. But it can be
    easily extended to support more operations.
    
    This is going to be used by the monitor's "HMP passthrough via QMP"
    feature, which needs to run monitor handlers without a backing
    device.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/qemu-char.c b/qemu-char.c
index 88997f9..edc9ad6 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -2275,6 +2275,70 @@ static CharDriverState *qemu_chr_open_socket(QemuOpts *opts)
     return NULL;
 }
 
+/***********************************************************/
+/* Memory chardev */
+typedef struct {
+    size_t outbuf_size;
+    size_t outbuf_capacity;
+    uint8_t *outbuf;
+} MemoryDriver;
+
+static int mem_chr_write(CharDriverState *chr, const uint8_t *buf, int len)
+{
+    MemoryDriver *d = chr->opaque;
+
+    /* TODO: the QString implementation has the same code, we should
+     * introduce a generic way to do this in cutils.c */
+    if (d->outbuf_capacity < d->outbuf_size + len) {
+        /* grow outbuf */
+        d->outbuf_capacity += len;
+        d->outbuf_capacity *= 2;
+        d->outbuf = qemu_realloc(d->outbuf, d->outbuf_capacity);
+    }
+
+    memcpy(d->outbuf + d->outbuf_size, buf, len);
+    d->outbuf_size += len;
+
+    return len;
+}
+
+void qemu_chr_init_mem(CharDriverState *chr)
+{
+    MemoryDriver *d;
+
+    d = qemu_malloc(sizeof(*d));
+    d->outbuf_size = 0;
+    d->outbuf_capacity = 4096;
+    d->outbuf = qemu_mallocz(d->outbuf_capacity);
+
+    memset(chr, 0, sizeof(*chr));
+    chr->opaque = d;
+    chr->chr_write = mem_chr_write;
+}
+
+QString *qemu_chr_mem_to_qs(CharDriverState *chr)
+{
+    MemoryDriver *d = chr->opaque;
+    return qstring_from_substr((char *) d->outbuf, 0, d->outbuf_size - 1);
+}
+
+/* NOTE: this driver can not be closed with qemu_chr_close()! */
+void qemu_chr_close_mem(CharDriverState *chr)
+{
+    MemoryDriver *d = chr->opaque;
+
+    qemu_free(d->outbuf);
+    qemu_free(chr->opaque);
+    chr->opaque = NULL;
+    chr->chr_write = NULL;
+}
+
+size_t qemu_chr_mem_osize(const CharDriverState *chr)
+{
+    const MemoryDriver *d = chr->opaque;
+    return d->outbuf_size;
+}
+
 QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename)
 {
     char host[65], port[33], width[8], height[8];
diff --git a/qemu-char.h b/qemu-char.h
index 18ad12b..e6ee6c4 100644
--- a/qemu-char.h
+++ b/qemu-char.h
@@ -6,6 +6,7 @@
 #include "qemu-option.h"
 #include "qemu-config.h"
 #include "qobject.h"
+#include "qstring.h"
 
 /* character device */
 
@@ -100,6 +101,12 @@ CharDriverState *qemu_chr_open_eventfd(int eventfd);
 
 extern int term_escape_char;
 
+/* memory chardev */
+void qemu_chr_init_mem(CharDriverState *chr);
+void qemu_chr_close_mem(CharDriverState *chr);
+QString *qemu_chr_mem_to_qs(CharDriverState *chr);
+size_t qemu_chr_mem_osize(const CharDriverState *chr);
+
 /* async I/O support */
 
 int qemu_set_fd_handler2(int fd,
commit 4cdbc094ca3865696c1456f1586818766bf9aae6
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Oct 27 18:03:01 2010 -0200

    QMP: Drop vm-info example script
    
    It's broken and not really useful, let's just drop it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/QMP/README b/QMP/README
index 80503f2..c95a08c 100644
--- a/QMP/README
+++ b/QMP/README
@@ -19,10 +19,7 @@ o qmp-spec.txt      QEMU Monitor Protocol current specification
 o qmp-commands.txt  QMP supported commands (auto-generated at build-time)
 o qmp-events.txt    List of available asynchronous events
 
-There are also two simple Python scripts available:
-
-o qmp-shell  A shell
-o vm-info    Show some information about the Virtual Machine
+There is also a simple Python script called 'qmp-shell' available.
 
 IMPORTANT: It's strongly recommended to read the 'Stability Considerations'
 section in the qmp-commands.txt file before making any serious use of QMP.
diff --git a/QMP/vm-info b/QMP/vm-info
deleted file mode 100755
index be5b038..0000000
--- a/QMP/vm-info
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/python
-#
-# Print Virtual Machine information
-#
-# Usage:
-#
-# Start QEMU with:
-#
-# $ qemu [...] -monitor control,unix:./qmp,server
-#
-# Run vm-info:
-#
-# $ vm-info ./qmp
-#
-# Luiz Capitulino <lcapitulino at redhat.com>
-
-import qmp
-from sys import argv,exit
-
-def main():
-    if len(argv) != 2:
-        print 'vm-info <unix-socket>'
-        exit(1)
-
-    qemu = qmp.QEMUMonitorProtocol(argv[1])
-    qemu.connect()
-    qemu.send("qmp_capabilities")
-
-    for cmd in [ 'version', 'kvm', 'status', 'uuid', 'balloon' ]:
-        print cmd + ': ' + str(qemu.send('query-' + cmd))
-
-if __name__ == '__main__':
-    main()
commit 9bed0d0d1c5667a2e1124c8e44d31ac254ca2efb
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Oct 27 17:57:51 2010 -0200

    QMP: Revamp the qmp-shell script
    
    This commit updates the qmp-shell script to use the new interface
    introduced by the last commit.
    
    Additionally, the following fixes/features are also introduced:
    
     o TCP sockets support
     o Update/add documentation
     o Simple command-line completion
     o Fix a number of unhandled errors
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/QMP/qmp-shell b/QMP/qmp-shell
index a5b72d1..1fb7e76 100755
--- a/QMP/qmp-shell
+++ b/QMP/qmp-shell
@@ -1,8 +1,8 @@
 #!/usr/bin/python
 #
-# Simple QEMU shell on top of QMP
+# Low-level QEMU shell on top of QMP.
 #
-# Copyright (C) 2009 Red Hat Inc.
+# Copyright (C) 2009, 2010 Red Hat Inc.
 #
 # Authors:
 #  Luiz Capitulino <lcapitulino at redhat.com>
@@ -14,60 +14,169 @@
 #
 # Start QEMU with:
 #
-# $ qemu [...] -monitor control,unix:./qmp,server
+# # qemu [...] -qmp unix:./qmp-sock,server
 #
 # Run the shell:
 #
-# $ qmp-shell ./qmp
+# $ qmp-shell ./qmp-sock
 #
 # Commands have the following format:
 #
-# < command-name > [ arg-name1=arg1 ] ... [ arg-nameN=argN ]
+#    < command-name > [ arg-name1=arg1 ] ... [ arg-nameN=argN ]
 #
 # For example:
 #
-# (QEMU) info item=network
+# (QEMU) device_add driver=e1000 id=net1
+# {u'return': {}}
+# (QEMU)
 
 import qmp
 import readline
-from sys import argv,exit
+import sys
 
-def shell_help():
-    print 'bye  exit from the shell'
+class QMPCompleter(list):
+    def complete(self, text, state):
+        for cmd in self:
+            if cmd.startswith(text):
+                if not state:
+                    return cmd
+                else:
+                    state -= 1
 
-def main():
-    if len(argv) != 2:
-        print 'qemu-shell <unix-socket>'
-        exit(1)
+class QMPShellError(Exception):
+    pass
+
+class QMPShellBadPort(QMPShellError):
+    pass
+
+# TODO: QMPShell's interface is a bit ugly (eg. _fill_completion() and
+#       _execute_cmd()). Let's design a better one.
+class QMPShell(qmp.QEMUMonitorProtocol):
+    def __init__(self, address):
+        qmp.QEMUMonitorProtocol.__init__(self, self.__get_address(address))
+        self._greeting = None
+        self._completer = None
+
+    def __get_address(self, arg):
+        """
+        Figure out if the argument is in the port:host form, if it's not it's
+        probably a file path.
+        """
+        addr = arg.split(':')
+        if len(addr) == 2:
+            try:
+                port = int(addr[1])
+            except ValueError:
+                raise QMPShellBadPort
+            return ( addr[0], port )
+        # socket path
+        return arg
+
+    def _fill_completion(self):
+        for cmd in self.cmd('query-commands')['return']:
+            self._completer.append(cmd['name'])
+
+    def __completer_setup(self):
+        self._completer = QMPCompleter()
+        self._fill_completion()
+        readline.set_completer(self._completer.complete)
+        readline.parse_and_bind("tab: complete")
+        # XXX: default delimiters conflict with some command names (eg. query-),
+        # clearing everything as it doesn't seem to matter
+        readline.set_completer_delims('')
+
+    def __build_cmd(self, cmdline):
+        """
+        Build a QMP input object from a user provided command-line in the
+        following format:
+    
+            < command-name > [ arg-name1=arg1 ] ... [ arg-nameN=argN ]
+        """
+        cmdargs = cmdline.split()
+        qmpcmd = { 'execute': cmdargs[0], 'arguments': {} }
+        for arg in cmdargs[1:]:
+            opt = arg.split('=')
+            try:
+                value = int(opt[1])
+            except ValueError:
+                value = opt[1]
+            qmpcmd['arguments'][opt[0]] = value
+        return qmpcmd
+
+    def _execute_cmd(self, cmdline):
+        try:
+            qmpcmd = self.__build_cmd(cmdline)
+        except:
+            print 'command format: <command-name> ',
+            print '[arg-name1=arg1] ... [arg-nameN=argN]'
+            return True
+        resp = self.cmd_obj(qmpcmd)
+        if resp is None:
+            print 'Disconnected'
+            return False
+        print resp
+        return True
+
+    def connect(self):
+        self._greeting = qmp.QEMUMonitorProtocol.connect(self)
+        self.__completer_setup()
 
-    qemu = qmp.QEMUMonitorProtocol(argv[1])
-    qemu.connect()
-    qemu.send("qmp_capabilities")
+    def show_banner(self, msg='Welcome to the QMP low-level shell!'):
+        print msg
+        version = self._greeting['QMP']['version']['qemu']
+        print 'Connected to QEMU %d.%d.%d\n' % (version['major'],version['minor'],version['micro'])
 
-    print 'Connected!'
+    def read_exec_command(self, prompt):
+        """
+        Read and execute a command.
 
-    while True:
+        @return True if execution was ok, return False if disconnected.
+        """
         try:
-            cmd = raw_input('(QEMU) ')
+            cmdline = raw_input(prompt)
         except EOFError:
             print
-            break
-        if cmd == '':
-            continue
-        elif cmd == 'bye':
-            break
-        elif cmd == 'help':
-            shell_help()
+            return False
+        if cmdline == '':
+            for ev in self.get_events():
+                print ev
+            self.clear_events()
+            return True
         else:
-            try:
-                resp = qemu.send(cmd)
-                if resp == None:
-                    print 'Disconnected'
-                    break
-                print resp
-            except IndexError:
-                print '-> command format: <command-name> ',
-                print '[arg-name1=arg1] ... [arg-nameN=argN]'
+            return self._execute_cmd(cmdline)
+
+def die(msg):
+    sys.stderr.write('ERROR: %s\n' % msg)
+    sys.exit(1)
+
+def fail_cmdline(option=None):
+    if option:
+        sys.stderr.write('ERROR: bad command-line option \'%s\'\n' % option)
+    sys.stderr.write('qemu-shell [ -H ] < UNIX socket path> | < TCP address:port >\n')
+    sys.exit(1)
+
+def main():
+    try:
+        if len(sys.argv) == 2:
+            qemu = QMPShell(sys.argv[1])
+        else:
+                fail_cmdline()
+    except QMPShellBadPort:
+        die('bad port number in command-line')
+
+    try:
+        qemu.connect()
+    except qmp.QMPConnectError:
+        die('Didn\'t get QMP greeting message')
+    except qmp.QMPCapabilitiesError:
+        die('Could not negotiate capabilities')
+    except qemu.error:
+        die('Could not connect to %s' % sys.argv[1])
+
+    qemu.show_banner()
+    while qemu.read_exec_command('(QEMU) '):
+        pass
+    qemu.close()
 
 if __name__ == '__main__':
     main()
commit 1d00a07de980ecf643c7d7699dfc48e94bec15ae
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Oct 27 17:43:34 2010 -0200

    QMP: Revamp the Python class example
    
    This commit simplifies and fixes a number of problems in the Python
    QEMUMonitorProtocol example class.
    
    It's almost a rewrite and it DOES BREAK the qmp-shell script (which
    is going to be fixed in the next commit).
    
    However, I'm not going to split this in different commits because it
    could get up to 10 commits, it's really not worth it for a simple
    demo class.
    
    Highlights:
    
     o TCP sockets support
     o QMP events support
     o Add documentation
     o Fix a number of unhandled errors
     o Simplify methods that send commands to the Monitor
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/QMP/qmp.py b/QMP/qmp.py
index 4062f84..14ce8b0 100644
--- a/QMP/qmp.py
+++ b/QMP/qmp.py
@@ -1,6 +1,6 @@
 # QEMU Monitor Protocol Python class
 # 
-# Copyright (C) 2009 Red Hat Inc.
+# Copyright (C) 2009, 2010 Red Hat Inc.
 #
 # Authors:
 #  Luiz Capitulino <lcapitulino at redhat.com>
@@ -8,7 +8,9 @@
 # This work is licensed under the terms of the GNU GPL, version 2.  See
 # the COPYING file in the top-level directory.
 
-import socket, json
+import json
+import errno
+import socket
 
 class QMPError(Exception):
     pass
@@ -16,61 +18,114 @@ class QMPError(Exception):
 class QMPConnectError(QMPError):
     pass
 
+class QMPCapabilitiesError(QMPError):
+    pass
+
 class QEMUMonitorProtocol:
+    def __init__(self, address):
+        """
+        Create a QEMUMonitorProtocol class.
+
+        @param address: QEMU address, can be either a unix socket path (string)
+                        or a tuple in the form ( address, port ) for a TCP
+                        connection
+        @note No connection is established, this is done by the connect() method
+        """
+        self.__events = []
+        self.__address = address
+        self.__sock = self.__get_sock()
+        self.__sockfile = self.__sock.makefile()
+
+    def __get_sock(self):
+        if isinstance(self.__address, tuple):
+            family = socket.AF_INET
+        else:
+            family = socket.AF_UNIX
+        return socket.socket(family, socket.SOCK_STREAM)
+
+    def __json_read(self):
+        while True:
+            data = self.__sockfile.readline()
+            if not data:
+                return
+            resp = json.loads(data)
+            if 'event' in resp:
+                self.__events.append(resp)
+                continue
+            return resp
+
+    error = socket.error
+
     def connect(self):
-        self.sock.connect(self.filename)
-        data = self.__json_read()
-        if data == None:
-            raise QMPConnectError
-        if not data.has_key('QMP'):
+        """
+        Connect to the QMP Monitor and perform capabilities negotiation.
+
+        @return QMP greeting dict
+        @raise socket.error on socket connection errors
+        @raise QMPConnectError if the greeting is not received
+        @raise QMPCapabilitiesError if fails to negotiate capabilities
+        """
+        self.__sock.connect(self.__address)
+        greeting = self.__json_read()
+        if greeting is None or not greeting.has_key('QMP'):
             raise QMPConnectError
-        return data['QMP']['capabilities']
+        # Greeting seems ok, negotiate capabilities
+        resp = self.cmd('qmp_capabilities')
+        if "return" in resp:
+            return greeting
+        raise QMPCapabilitiesError
 
-    def close(self):
-        self.sock.close()
+    def cmd_obj(self, qmp_cmd):
+        """
+        Send a QMP command to the QMP Monitor.
 
-    def send_raw(self, line):
-        self.sock.send(str(line))
+        @param qmp_cmd: QMP command to be sent as a Python dict
+        @return QMP response as a Python dict or None if the connection has
+                been closed
+        """
+        try:
+            self.__sock.sendall(json.dumps(qmp_cmd))
+        except socket.error, err:
+            if err[0] == errno.EPIPE:
+                return
+            raise socket.error(err)
         return self.__json_read()
 
-    def send(self, cmdline):
-        cmd = self.__build_cmd(cmdline)
-        self.__json_send(cmd)
-        resp = self.__json_read()
-        if resp == None:
-            return
-        elif resp.has_key('error'):
-            return resp['error']
-        else:
-            return resp['return']
-
-    def __build_cmd(self, cmdline):
-        cmdargs = cmdline.split()
-        qmpcmd = { 'execute': cmdargs[0], 'arguments': {} }
-        for arg in cmdargs[1:]:
-            opt = arg.split('=')
-            try:
-                value = int(opt[1])
-            except ValueError:
-                value = opt[1]
-            qmpcmd['arguments'][opt[0]] = value
-        return qmpcmd
-
-    def __json_send(self, cmd):
-        # XXX: We have to send any additional char, otherwise
-        # the Server won't read our input
-        self.sock.send(json.dumps(cmd) + ' ')
+    def cmd(self, name, args=None, id=None):
+        """
+        Build a QMP command and send it to the QMP Monitor.
 
-    def __json_read(self):
+        @param name: command name (string)
+        @param args: command arguments (dict)
+        @param id: command id (dict, list, string or int)
+        """
+        qmp_cmd = { 'execute': name }
+        if args:
+            qmp_cmd['arguments'] = args
+        if id:
+            qmp_cmd['id'] = id
+        return self.cmd_obj(qmp_cmd)
+
+    def get_events(self):
+        """
+        Get a list of available QMP events.
+        """
+        self.__sock.setblocking(0)
         try:
-            while True:
-                line = json.loads(self.sockfile.readline())
-                if not 'event' in line:
-                    return line
-        except ValueError:
-            return
-
-    def __init__(self, filename):
-        self.filename = filename
-        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-        self.sockfile = self.sock.makefile()
+            self.__json_read()
+        except socket.error, err:
+            if err[0] == errno.EAGAIN:
+                # No data available
+                pass
+        self.__sock.setblocking(1)
+        return self.__events
+
+    def clear_events(self):
+        """
+        Clear current list of pending events.
+        """
+        self.__events = []
+
+    def close(self):
+        self.__sock.close()
+        self.__sockfile.close()
commit 08bb9f6b1a5d8f4f5dd5bafad2876067797cb8b4
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Mon Nov 15 17:58:17 2010 +0100

    make-release: fix mtime for a wider range of git versions
    
    With the latest git versions, e.g. 1.7.2.3, git still prints out
    the tag info in addition to the requested format. So let's simply
    fetch the first line from the output.
    
    In addition I use the --pretty option instead of --format which
    is not recognized in very old git versions, e.g. 1.5.5.6.
    
    Tested with git versions 1.5.5.6 and 1.7.2.3.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm/scripts/make-release b/kvm/scripts/make-release
index 56302c3..2d050fc 100755
--- a/kvm/scripts/make-release
+++ b/kvm/scripts/make-release
@@ -51,7 +51,7 @@ cd "$(dirname "$0")"/../..
 mkdir -p "$(dirname "$tarball")"
 git archive --prefix="$name/" --format=tar "$commit" > "$tarball"
 
-mtime=`git show --format=%ct "$commit""^{commit}" --`
+mtime=`git show --pretty=format:%ct "$commit""^{commit}" -- | head -n 1`
 tarargs="--owner=root --group=root"
 
 mkdir -p "$tmpdir/$name"
commit 8ca209ad90bdb678932a6b18caf32b461dbe5eee
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Sun Nov 7 20:57:00 2010 -0700

    pc: Fix e820 fw_cfg for big endian
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pc.c b/hw/pc.c
index e7f7ac6..c34d194 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -467,19 +467,19 @@ static void bochs_bios_write(void *opaque, uint32_t addr, uint32_t val)
 
 int e820_add_entry(uint64_t address, uint64_t length, uint32_t type)
 {
-    int index = e820_table.count;
+    int index = le32_to_cpu(e820_table.count);
     struct e820_entry *entry;
 
     if (index >= E820_NR_ENTRIES)
         return -EBUSY;
-    entry = &e820_table.entry[index];
+    entry = &e820_table.entry[index++];
 
-    entry->address = address;
-    entry->length = length;
-    entry->type = type;
+    entry->address = cpu_to_le64(address);
+    entry->length = cpu_to_le64(length);
+    entry->type = cpu_to_le32(type);
 
-    e820_table.count++;
-    return e820_table.count;
+    e820_table.count = cpu_to_le32(index);
+    return index;
 }
 
 static void *bochs_bios_init(void)
commit 67d4b0c1907455f42ad8cea445ff10b81b49eebc
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 5 15:40:38 2010 -0600

    pc: e820 qemu_cfg tables need to be packed
    
    We can't let the compiler define the alignment for qemu_cfg data.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/pc.c b/hw/pc.c
index 0e44df8..e7f7ac6 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -75,12 +75,12 @@ struct e820_entry {
     uint64_t address;
     uint64_t length;
     uint32_t type;
-};
+} __attribute((__packed__, __aligned__(4)));
 
 struct e820_table {
     uint32_t count;
     struct e820_entry entry[E820_NR_ENTRIES];
-};
+} __attribute((__packed__, __aligned__(4)));
 
 static struct e820_table e820_table;
 
commit b88417062d5f73e2e8137e94b360ca4412942f33
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Nov 16 20:07:07 2010 +0000

    Fix compilation failure with simple trace when srcdir==objdir
    
    Fix a makefile error that meant that qemu would not compile if
    the source and object directories were the same.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/Makefile.target b/Makefile.target
index a5e6410..652c7d2 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -30,6 +30,7 @@ endif
 endif
 
 PROGS=$(QEMU_PROG)
+STPFILES=
 
 ifndef CONFIG_HAIKU
 LIBS+=-lm
@@ -41,19 +42,17 @@ config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
 ifdef CONFIG_SYSTEMTAP_TRACE
-trace: $(QEMU_PROG).stp
+STPFILES+=$(QEMU_PROG).stp
 
 $(QEMU_PROG).stp:
 	$(call quiet-command,sh $(SRC_PATH)/tracetool \
 		--$(TRACE_BACKEND) \
 		--bindir $(bindir) \
 		--target $(TARGET_ARCH) \
-		-s < $(SRC_PATH)/trace-events > $(QEMU_PROG).stp,"  GEN   $(QEMU_PROG).stp")
-else
-trace:
+		-s < $(SRC_PATH)/trace-events > $@,"  GEN   $@")
 endif
 
-all: $(PROGS) trace
+all: $(PROGS) $(STPFILES)
 
 # Dummy command so that make thinks it has done something
 	@true
@@ -363,7 +362,7 @@ endif
 endif
 ifdef CONFIG_SYSTEMTAP_TRACE
 	$(INSTALL_DIR) "$(DESTDIR)$(datadir)/../systemtap/tapset"
-	$(INSTALL_DATA) $(QEMU_PROG).stp "$(DESTDIR)$(datadir)/../systemtap/tapset"
+	$(INSTALL_DATA) $(STPFILES) "$(DESTDIR)$(datadir)/../systemtap/tapset"
 endif
 
 # Include automatically generated dependency files
commit 0290b57bdfec83ca78b6d119ea9847bb17943328
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Wed Nov 3 14:29:44 2010 +0000

    Delete IOHandlers after potentially running them
    
    Since commit 4bed9837309e58d208183f81d8344996744292cf an .fd_read()
    handler that deletes its IOHandler is exposed to .fd_write() being
    called on the deleted IOHandler.
    
    This patch fixes deletion so that .fd_read() and .fd_write() are never
    called on an IOHandler that is marked for deletion.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/vl.c b/vl.c
index c58583d..9ee6479 100644
--- a/vl.c
+++ b/vl.c
@@ -1249,17 +1249,18 @@ void main_loop_wait(int nonblocking)
         IOHandlerRecord *pioh;
 
         QLIST_FOREACH_SAFE(ioh, &io_handlers, next, pioh) {
-            if (ioh->deleted) {
-                QLIST_REMOVE(ioh, next);
-                qemu_free(ioh);
-                continue;
-            }
-            if (ioh->fd_read && FD_ISSET(ioh->fd, &rfds)) {
+            if (!ioh->deleted && ioh->fd_read && FD_ISSET(ioh->fd, &rfds)) {
                 ioh->fd_read(ioh->opaque);
             }
-            if (ioh->fd_write && FD_ISSET(ioh->fd, &wfds)) {
+            if (!ioh->deleted && ioh->fd_write && FD_ISSET(ioh->fd, &wfds)) {
                 ioh->fd_write(ioh->opaque);
             }
+
+            /* Do this last in case read/write handlers marked it for deletion */
+            if (ioh->deleted) {
+                QLIST_REMOVE(ioh, next);
+                qemu_free(ioh);
+            }
         }
     }
 
commit 2cc59d8cb0ebcfa9cf3476c0528e50478997ab0c
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Wed Nov 10 10:06:25 2010 +0100

    usb-linux: Get the active configuration from sysfs rather then asking the dev
    
    Some devices seem to choke on receiving a USB_REQ_GET_CONFIGURATION ctrl msg
    (witnessed with a digital picture frame usb id 1908:1320).
    When usb_fs_type == USB_FS_SYS, the active configuration can be read directly
    from sysfs, which allows using this device through qemu's usb redirection.
    More in general it seems a good idea to not send needless control msg's to
    devices, esp. as the code in question is called every time a set_interface
    is done. Which happens multiple times during virtual machine startup, and
    when device drivers are activating the usb device.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/usb-linux.c b/usb-linux.c
index 111fe1c..ccf7073 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -152,6 +152,8 @@ static QTAILQ_HEAD(, USBHostDevice) hostdevs = QTAILQ_HEAD_INITIALIZER(hostdevs)
 static int usb_host_close(USBHostDevice *dev);
 static int parse_filter(const char *spec, struct USBAutoFilter *f);
 static void usb_host_auto_check(void *unused);
+static int usb_host_read_file(char *line, size_t line_size,
+                            const char *device_file, const char *device_name);
 
 static int is_isoc(USBHostDevice *s, int ep)
 {
@@ -781,6 +783,23 @@ static int usb_linux_get_configuration(USBHostDevice *s)
     struct usb_ctrltransfer ct;
     int ret;
 
+    if (usb_fs_type == USB_FS_SYS) {
+        char device_name[32], line[1024];
+        int configuration;
+
+        sprintf(device_name, "%d-%d", s->bus_num, s->devpath);
+
+        if (!usb_host_read_file(line, sizeof(line), "bConfigurationValue",
+                                device_name)) {
+            goto usbdevfs;
+        }
+        if (sscanf(line, "%d", &configuration) != 1) {
+            goto usbdevfs;
+        }
+        return configuration;
+    }
+
+usbdevfs:
     ct.bRequestType = USB_DIR_IN;
     ct.bRequest = USB_REQ_GET_CONFIGURATION;
     ct.wValue = 0;
commit 71d71bbdeb39544ac1602c5e307d9e14c78f9d5d
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Wed Nov 10 10:06:24 2010 +0100

    usb-linux: introduce a usb_linux_get_configuration function
    
    The next patch in this series introduces multiple ways to get the
    configuration dependent upon usb_fs_type, it is cleaner to put this
    into its own function.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/usb-linux.c b/usb-linux.c
index 0b154c2..111fe1c 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -775,13 +775,11 @@ static int usb_host_handle_packet(USBDevice *s, USBPacket *p)
     }
 }
 
-/* returns 1 on problem encountered or 0 for success */
-static int usb_linux_update_endp_table(USBHostDevice *s)
+static int usb_linux_get_configuration(USBHostDevice *s)
 {
-    uint8_t *descriptors;
-    uint8_t devep, type, configuration, alt_interface;
+    uint8_t configuration;
     struct usb_ctrltransfer ct;
-    int interface, ret, length, i;
+    int ret;
 
     ct.bRequestType = USB_DIR_IN;
     ct.bRequest = USB_REQ_GET_CONFIGURATION;
@@ -793,15 +791,31 @@ static int usb_linux_update_endp_table(USBHostDevice *s)
 
     ret = ioctl(s->fd, USBDEVFS_CONTROL, &ct);
     if (ret < 0) {
-        perror("usb_linux_update_endp_table");
-        return 1;
+        perror("usb_linux_get_configuration");
+        return -1;
     }
 
     /* in address state */
     if (configuration == 0) {
-        return 1;
+        return -1;
     }
 
+    return configuration;
+}
+
+/* returns 1 on problem encountered or 0 for success */
+static int usb_linux_update_endp_table(USBHostDevice *s)
+{
+    uint8_t *descriptors;
+    uint8_t devep, type, configuration, alt_interface;
+    struct usb_ctrltransfer ct;
+    int interface, ret, length, i;
+
+    i = usb_linux_get_configuration(s);
+    if (i < 0)
+        return 1;
+    configuration = i;
+
     /* get the desired configuration, interface, and endpoint descriptors
      * from device description */
     descriptors = &s->descr[18];
commit 0f5160d1ea8bcd69d539f8a87a1b350d98fa5d52
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Wed Nov 10 10:06:23 2010 +0100

    usb-linux: Store devpath into USBHostDevice when usb_fs_type == USB_FS_SYS
    
    This allows us to recreate the sysfspath used during scanning later
    (which will be used in a later patch in this series).
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/usb-linux.c b/usb-linux.c
index c3c38ec..0b154c2 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -62,8 +62,8 @@ struct usb_ctrlrequest {
     uint16_t wLength;
 };
 
-typedef int USBScanFunc(void *opaque, int bus_num, int addr, int class_id,
-                        int vendor_id, int product_id,
+typedef int USBScanFunc(void *opaque, int bus_num, int addr, int devpath,
+                        int class_id, int vendor_id, int product_id,
                         const char *product_name, int speed);
 
 //#define DEBUG
@@ -141,6 +141,7 @@ typedef struct USBHostDevice {
     /* Host side address */
     int bus_num;
     int addr;
+    int devpath;
     struct USBAutoFilter match;
 
     QTAILQ_ENTRY(USBHostDevice) next;
@@ -885,7 +886,7 @@ static int usb_linux_update_endp_table(USBHostDevice *s)
 }
 
 static int usb_host_open(USBHostDevice *dev, int bus_num,
-                         int addr, const char *prod_name)
+                         int addr, int devpath, const char *prod_name)
 {
     int fd = -1, ret;
     struct usbdevfs_connectinfo ci;
@@ -911,6 +912,7 @@ static int usb_host_open(USBHostDevice *dev, int bus_num,
 
     dev->bus_num = bus_num;
     dev->addr = addr;
+    dev->devpath = devpath;
     dev->fd = fd;
 
     /* read the device description */
@@ -1173,7 +1175,7 @@ static int usb_host_scan_dev(void *opaque, USBScanFunc *func)
         if (line[0] == 'T' && line[1] == ':') {
             if (device_count && (vendor_id || product_id)) {
                 /* New device.  Add the previously discovered device.  */
-                ret = func(opaque, bus_num, addr, class_id, vendor_id,
+                ret = func(opaque, bus_num, addr, 0, class_id, vendor_id,
                            product_id, product_name, speed);
                 if (ret) {
                     goto the_end;
@@ -1226,7 +1228,7 @@ static int usb_host_scan_dev(void *opaque, USBScanFunc *func)
     }
     if (device_count && (vendor_id || product_id)) {
         /* Add the last device.  */
-        ret = func(opaque, bus_num, addr, class_id, vendor_id,
+        ret = func(opaque, bus_num, addr, 0, class_id, vendor_id,
                    product_id, product_name, speed);
     }
  the_end:
@@ -1275,7 +1277,7 @@ static int usb_host_scan_sys(void *opaque, USBScanFunc *func)
 {
     DIR *dir = NULL;
     char line[1024];
-    int bus_num, addr, speed, class_id, product_id, vendor_id;
+    int bus_num, addr, devpath, speed, class_id, product_id, vendor_id;
     int ret = 0;
     char product_name[512];
     struct dirent *de;
@@ -1292,7 +1294,9 @@ static int usb_host_scan_sys(void *opaque, USBScanFunc *func)
             if (!strncmp(de->d_name, "usb", 3)) {
                 tmpstr += 3;
             }
-            bus_num = atoi(tmpstr);
+            if (sscanf(tmpstr, "%d-%d", &bus_num, &devpath) < 1) {
+                goto the_end;
+            }
 
             if (!usb_host_read_file(line, sizeof(line), "devnum", de->d_name)) {
                 goto the_end;
@@ -1343,7 +1347,7 @@ static int usb_host_scan_sys(void *opaque, USBScanFunc *func)
                 speed = USB_SPEED_FULL;
             }
 
-            ret = func(opaque, bus_num, addr, class_id, vendor_id,
+            ret = func(opaque, bus_num, addr, devpath, class_id, vendor_id,
                        product_id, product_name, speed);
             if (ret) {
                 goto the_end;
@@ -1434,7 +1438,7 @@ static int usb_host_scan(void *opaque, USBScanFunc *func)
 
 static QEMUTimer *usb_auto_timer;
 
-static int usb_host_auto_scan(void *opaque, int bus_num, int addr,
+static int usb_host_auto_scan(void *opaque, int bus_num, int addr, int devpath,
                               int class_id, int vendor_id, int product_id,
                               const char *product_name, int speed)
 {
@@ -1470,7 +1474,7 @@ static int usb_host_auto_scan(void *opaque, int bus_num, int addr,
         }
         DPRINTF("husb: auto open: bus_num %d addr %d\n", bus_num, addr);
 
-        usb_host_open(s, bus_num, addr, product_name);
+        usb_host_open(s, bus_num, addr, devpath, product_name);
     }
 
     return 0;
@@ -1630,7 +1634,7 @@ static void usb_info_device(Monitor *mon, int bus_num, int addr, int class_id,
 }
 
 static int usb_host_info_device(void *opaque, int bus_num, int addr,
-                                int class_id,
+                                int devpath, int class_id,
                                 int vendor_id, int product_id,
                                 const char *product_name,
                                 int speed)
commit 43ad7e3e986dea82831debad68e68cff552b6746
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Nov 11 16:10:04 2010 +0100

    Add missing braces
    
    This patch adds missing braces around if/else statements that call
    macros which are likely to result in errors if the macro is
    changed. It also makes the code comply better with CODING_STYLE.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/e1000.c b/hw/e1000.c
index 677165f..7811699 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -447,9 +447,10 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
         // data descriptor
         tp->sum_needed = le32_to_cpu(dp->upper.data) >> 8;
         tp->cptse = ( txd_lower & E1000_TXD_CMD_TSE ) ? 1 : 0;
-    } else
+    } else {
         // legacy descriptor
         tp->cptse = 0;
+    }
 
     if (vlan_enabled(s) && is_vlan_txd(txd_lower) &&
         (tp->cptse || txd_lower & E1000_TXD_CMD_EOP)) {
@@ -685,8 +686,9 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
                                       (void *)(buf + vlan_offset), size);
             desc.length = cpu_to_le16(size + fcs_len(s));
             desc.status |= E1000_RXD_STAT_EOP|E1000_RXD_STAT_IXSM;
-        } else // as per intel docs; skip descriptors with null buf addr
+        } else { // as per intel docs; skip descriptors with null buf addr
             DBGOUT(RX, "Null RX descriptor!!\n");
+        }
         cpu_physical_memory_write(base, (void *)&desc, sizeof(desc));
 
         if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
@@ -858,13 +860,14 @@ e1000_mmio_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 #ifdef TARGET_WORDS_BIGENDIAN
     val = bswap32(val);
 #endif
-    if (index < NWRITEOPS && macreg_writeops[index])
+    if (index < NWRITEOPS && macreg_writeops[index]) {
         macreg_writeops[index](s, index, val);
-    else if (index < NREADOPS && macreg_readops[index])
+    } else if (index < NREADOPS && macreg_readops[index]) {
         DBGOUT(MMIO, "e1000_mmio_writel RO %x: 0x%04x\n", index<<2, val);
-    else
+    } else {
         DBGOUT(UNKNOWN, "MMIO unknown write addr=0x%08x,val=0x%08x\n",
                index<<2, val);
+    }
 }
 
 static void
commit d59f8ba938afd837182e666cce777dfb860559e4
Author: Gleb Natapov <gleb at redhat.com>
Date:   Tue Nov 9 09:36:53 2010 +0200

    Out off array access in usb-net
    
    Properly check array bounds before accessing array element.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/usb-net.c b/hw/usb-net.c
index 70f9263..58c672f 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1142,7 +1142,7 @@ static int usb_net_handle_control(USBDevice *dev, int request, int value,
                 break;
 
             default:
-                if (usb_net_stringtable[value & 0xff]) {
+                if (ARRAY_SIZE(usb_net_stringtable) > (value & 0xff)) {
                     ret = set_usb_string(data,
                                     usb_net_stringtable[value & 0xff]);
                     break;
commit 43ae691e775707b854f9920797c81b6b298bde61
Merge: 2834c3e... 7466bc4...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Nov 16 14:11:05 2010 -0600

    Merge remote branch 'spice/bugfix.2' into staging

commit 8b77c9e242537ba86aa4b5a504e7c29d16dad5d2
Merge: 2be8056... 6c52ef3...
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Nov 16 17:58:01 2010 +0200

    Merge branch 'next'
    
    * next:
      kvm: clear vapic after reset
      vapic: fix vapic option rom sizing
      optionrom: fix bugs in signrom.sh
      tpr optimization: clear the vapic area on boot

commit 2834c3e0140c3b0ed4422909dfa0607b7213d95d
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Mon Nov 8 19:33:08 2010 +0000

    Add support for generating a systemtap tapset static probes
    
    This introduces generation of a qemu.stp/qemu-system-XXX.stp
    files which provides tapsets with friendly names for static
    probes & their arguments. Instead of
    
        probe process("qemu").mark("qemu_malloc") {
            printf("Malloc %d %p\n", $arg1, $arg2);
        }
    
    It is now possible todo
    
        probe qemu.system.i386.qemu_malloc {
            printf("Malloc %d %p\n", size, ptr);
        }
    
    There is one tapset defined per target arch.
    
    * Makefile: Generate a qemu.stp file for systemtap
    * tracetool: Support for generating systemtap tapsets
    
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/Makefile.target b/Makefile.target
index 91e6e74..a5e6410 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -40,7 +40,20 @@ kvm.o kvm-all.o vhost.o vhost_net.o: QEMU_CFLAGS+=$(KVM_CFLAGS)
 config-target.h: config-target.h-timestamp
 config-target.h-timestamp: config-target.mak
 
-all: $(PROGS)
+ifdef CONFIG_SYSTEMTAP_TRACE
+trace: $(QEMU_PROG).stp
+
+$(QEMU_PROG).stp:
+	$(call quiet-command,sh $(SRC_PATH)/tracetool \
+		--$(TRACE_BACKEND) \
+		--bindir $(bindir) \
+		--target $(TARGET_ARCH) \
+		-s < $(SRC_PATH)/trace-events > $(QEMU_PROG).stp,"  GEN   $(QEMU_PROG).stp")
+else
+trace:
+endif
+
+all: $(PROGS) trace
 
 # Dummy command so that make thinks it has done something
 	@true
@@ -348,6 +361,10 @@ ifneq ($(STRIP),)
 	$(STRIP) $(patsubst %,"$(DESTDIR)$(bindir)/%",$(PROGS))
 endif
 endif
+ifdef CONFIG_SYSTEMTAP_TRACE
+	$(INSTALL_DIR) "$(DESTDIR)$(datadir)/../systemtap/tapset"
+	$(INSTALL_DATA) $(QEMU_PROG).stp "$(DESTDIR)$(datadir)/../systemtap/tapset"
+endif
 
 # Include automatically generated dependency files
 -include $(wildcard *.d */*.d)
diff --git a/configure b/configure
index f8dad3e..e560f87 100755
--- a/configure
+++ b/configure
@@ -2192,6 +2192,10 @@ EOF
     echo
     exit 1
   fi
+  trace_backend_stap="no"
+  if has 'stap' ; then
+    trace_backend_stap="yes"
+  fi
 fi
 
 ##########################################
@@ -2645,6 +2649,9 @@ fi
 if test "$trace_backend" = "simple"; then
   trace_file="\"$trace_file-%u\""
 fi
+if test "$trace_backend" = "dtrace" -a "$trace_backend_stap" = "yes" ; then
+  echo "CONFIG_SYSTEMTAP_TRACE=y" >> $config_host_mak
+fi
 echo "CONFIG_TRACE_FILE=$trace_file" >> $config_host_mak
 
 echo "TOOLS=$tools" >> $config_host_mak
diff --git a/tracetool b/tracetool
index 5b6636a..d797ab7 100755
--- a/tracetool
+++ b/tracetool
@@ -26,6 +26,12 @@ Output formats:
   -h    Generate .h file
   -c    Generate .c file
   -d    Generate .d file (DTrace only)
+  -s    Generate .stp file (DTrace with SystemTAP only)
+
+Options:
+  --bindir [bindir]  QEMU binary install location
+  --target [arch]    QEMU target architecture
+
 EOF
     exit 1
 }
@@ -390,6 +396,54 @@ linetod_end_dtrace()
 EOF
 }
 
+linetos_begin_dtrace()
+{
+    return
+}
+
+linetos_dtrace()
+{
+    local name args arglist state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    arglist=$(get_argnames "$1", "")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    if [ "$target" = "i386" ]
+    then
+      binary="qemu"
+    else
+      binary="qemu-system-$target"
+    fi
+
+    # Define prototype for probe arguments
+    cat <<EOF
+probe qemu.system.$target.$name = process("$bindir/$binary").mark("$name")
+{
+EOF
+
+    i=1
+    for arg in $arglist
+    do
+        cat <<EOF
+  $arg = \$arg$i;
+EOF
+	i="$((i+1))"
+    done
+
+    cat <<EOF
+}
+EOF
+}
+
+linetos_end_dtrace()
+{
+    return
+}
+
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -455,6 +509,24 @@ tracetod()
     convert d
 }
 
+tracetos()
+{
+    if [ $backend != "dtrace" ]; then
+       echo "SystemTAP tapset generator not applicable to $backend backend"
+       exit 1
+    fi
+    if [ -z "$target" ]; then
+       echo "--target is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    if [ -z "$bindir" ]; then
+       echo "--bindir is required for SystemTAP tapset generator"
+       exit 1
+    fi
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert s
+}
+
 # Choose backend
 case "$1" in
 "--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
@@ -462,10 +534,30 @@ case "$1" in
 esac
 shift
 
+bindir=
+case "$1" in
+  "--bindir")
+    bindir=$2
+    shift
+    shift
+    ;;
+esac
+
+target=
+case "$1" in
+  "--target")
+    target=$2
+    shift
+    shift
+    ;;
+esac
+
+
 case "$1" in
 "-h") tracetoh ;;
 "-c") tracetoc ;;
 "-d") tracetod ;;
+"-s") tracetos ;;
 "--check-backend") exit 0 ;; # used by ./configure to test for backend
 *) usage ;;
 esac
commit 4addb1127f6327c7ebcbd150a6b589e7677adc92
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Mon Nov 8 19:33:07 2010 +0000

    Add a DTrace tracing backend targetted for SystemTAP compatability
    
    This introduces a new tracing backend that targets the SystemTAP
    implementation of DTrace userspace tracing. The core functionality
    should be applicable and standard across any DTrace implementation
    on Solaris, OS-X, *BSD, but the Makefile rules will likely need
    some small additional changes to cope with OS specific build
    requirements.
    
    This backend builds a little differently from the other tracing
    backends. Specifically there is no 'trace.c' file, because the
    'dtrace' command line tool generates a '.o' file directly from
    the dtrace probe definition file. The probe definition is usually
    named with a '.d' extension but QEMU uses '.d' files for its
    external makefile dependancy tracking, so this uses '.dtrace' as
    the extension for the probe definition file.
    
    The 'tracetool' program gains the ability to generate a trace.h
    file for DTrace, and also to generate the trace.d file containing
    the dtrace probe definition.
    
    Example usage of a dtrace probe in systemtap looks like:
    
      probe process("qemu").mark("qemu_malloc") {
        printf("Malloc %d %p\n", $arg1, $arg2);
      }
    
    * .gitignore: Ignore trace-dtrace.*
    * Makefile: Extra rules for generating DTrace files
    * Makefile.obj: Don't build trace.o for DTrace, use
      trace-dtrace.o generated by 'dtrace' instead
    * tracetool: Support for generating DTrace data files
    
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/.gitignore b/.gitignore
index a43e4d1..3efb4ec 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,8 @@ config-host.*
 config-target.*
 trace.h
 trace.c
+trace-dtrace.h
+trace-dtrace.dtrace
 *-timestamp
 *-softmmu
 *-darwin-user
diff --git a/Makefile b/Makefile
index 6896319..747e47c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,9 @@
 # Makefile for QEMU.
 
 GENERATED_HEADERS = config-host.h trace.h qemu-options.def
+ifeq ($(TRACE_BACKEND),dtrace)
+GENERATED_HEADERS += trace-dtrace.h
+endif
 
 ifneq ($(wildcard config-host.mak),)
 # Put the all: rule here so that config-host.mak can contain dependencies.
@@ -108,7 +111,11 @@ ui/vnc.o: QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 
 bt-host.o: QEMU_CFLAGS += $(BLUEZ_CFLAGS)
 
+ifeq ($(TRACE_BACKEND),dtrace)
+trace.h: trace.h-timestamp trace-dtrace.h
+else
 trace.h: trace.h-timestamp
+endif
 trace.h-timestamp: $(SRC_PATH)/trace-events config-host.mak
 	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   trace.h")
 	@cmp -s $@ trace.h || cp $@ trace.h
@@ -120,6 +127,20 @@ trace.c-timestamp: $(SRC_PATH)/trace-events config-host.mak
 
 trace.o: trace.c $(GENERATED_HEADERS)
 
+trace-dtrace.h: trace-dtrace.dtrace
+	$(call quiet-command,dtrace -o $@ -h -s $<, "  GEN   trace-dtrace.h")
+
+# Normal practice is to name DTrace probe file with a '.d' extension
+# but that gets picked up by QEMU's Makefile as an external dependancy
+# rule file. So we use '.dtrace' instead
+trace-dtrace.dtrace: trace-dtrace.dtrace-timestamp
+trace-dtrace.dtrace-timestamp: $(SRC_PATH)/trace-events config-host.mak
+	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -d < $< > $@,"  GEN   trace-dtrace.dtrace")
+	@cmp -s $@ trace-dtrace.dtrace || cp $@ trace-dtrace.dtrace
+
+trace-dtrace.o: trace-dtrace.dtrace $(GENERATED_HEADERS)
+	$(call quiet-command,dtrace -o $@ -G -s $<, "  GEN trace-dtrace.o")
+
 simpletrace.o: simpletrace.c $(GENERATED_HEADERS)
 
 version.o: $(SRC_PATH)/version.rc config-host.mak
@@ -157,6 +178,8 @@ clean:
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d net/*.o net/*.d fsdev/*.o fsdev/*.d ui/*.o ui/*.d
 	rm -f qemu-img-cmds.h
 	rm -f trace.c trace.h trace.c-timestamp trace.h-timestamp
+	rm -f trace-dtrace.dtrace trace-dtrace.dtrace-timestamp
+	rm -f trace-dtrace.h trace-dtrace.h-timestamp
 	$(MAKE) -C tests clean
 	for d in $(ALL_SUBDIRS) libhw32 libhw64 libuser libdis libdis-user; do \
 	if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
diff --git a/Makefile.objs b/Makefile.objs
index 15569af..23b17ce 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -286,11 +286,15 @@ libdis-$(CONFIG_SPARC_DIS) += sparc-dis.o
 ######################################################################
 # trace
 
+ifeq ($(TRACE_BACKEND),dtrace)
+trace-obj-y = trace-dtrace.o
+else
 trace-obj-y = trace.o
 ifeq ($(TRACE_BACKEND),simple)
 trace-obj-y += simpletrace.o
 user-obj-y += qemu-timer-common.o
 endif
+endif
 
 vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
diff --git a/configure b/configure
index 7025d2b..f8dad3e 100755
--- a/configure
+++ b/configure
@@ -929,7 +929,7 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --trace-backend=B        Trace backend nop simple ust"
+echo "  --trace-backend=B        Trace backend nop simple ust dtrace"
 echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo "  --disable-spice          disable spice"
@@ -2193,6 +2193,18 @@ EOF
     exit 1
   fi
 fi
+
+##########################################
+# For 'dtrace' backend, test if 'dtrace' command is present
+if test "$trace_backend" = "dtrace"; then
+  if ! has 'dtrace' ; then
+    echo
+    echo "Error: dtrace command is not found in PATH $PATH"
+    echo
+    exit 1
+  fi
+fi
+
 ##########################################
 # End of CC checks
 # After here, no more $cc or $ld runs
diff --git a/tracetool b/tracetool
index 7010858..5b6636a 100755
--- a/tracetool
+++ b/tracetool
@@ -20,10 +20,12 @@ Backends:
   --nop     Tracing disabled
   --simple  Simple built-in backend
   --ust     LTTng User Space Tracing backend
+  --dtrace  DTrace/SystemTAP backend
 
 Output formats:
   -h    Generate .h file
   -c    Generate .c file
+  -d    Generate .d file (DTrace only)
 EOF
     exit 1
 }
@@ -46,8 +48,9 @@ get_args()
 # Get the argument name list of a trace event
 get_argnames()
 {
-    local nfields field name
+    local nfields field name sep
     nfields=0
+    sep="$2"
     for field in $(get_args "$1"); do
         nfields=$((nfields + 1))
 
@@ -58,7 +61,7 @@ get_argnames()
         name=${field%,}
         test "$field" = "$name" && continue
 
-        printf "%s" "$name, "
+        printf "%s%s " $name $sep
     done
 
     # Last argument name
@@ -73,7 +76,7 @@ get_argc()
 {
     local name argc
     argc=0
-    for name in $(get_argnames "$1"); do
+    for name in $(get_argnames "$1", ","); do
         argc=$((argc + 1))
     done
     echo $argc
@@ -154,7 +157,7 @@ EOF
 cast_args_to_uint64_t()
 {
     local arg
-    for arg in $(get_argnames "$1"); do
+    for arg in $(get_argnames "$1", ","); do
         printf "%s" "(uint64_t)(uintptr_t)$arg"
     done
 }
@@ -247,7 +250,7 @@ linetoh_ust()
     local name args argnames
     name=$(get_name "$1")
     args=$(get_args "$1")
-    argnames=$(get_argnames "$1")
+    argnames=$(get_argnames "$1", ",")
 
     cat <<EOF
 DECLARE_TRACE(ust_$name, TP_PROTO($args), TP_ARGS($argnames));
@@ -274,7 +277,7 @@ linetoc_ust()
     local name args argnames fmt
     name=$(get_name "$1")
     args=$(get_args "$1")
-    argnames=$(get_argnames "$1")
+    argnames=$(get_argnames "$1", ",")
     fmt=$(get_fmt "$1")
 
     cat <<EOF
@@ -306,6 +309,87 @@ EOF
     echo "}"
 }
 
+linetoh_begin_dtrace()
+{
+    cat <<EOF
+#include "trace-dtrace.h"
+EOF
+}
+
+linetoh_dtrace()
+{
+    local name args argnames state nameupper
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1", ",")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    nameupper=`echo $name | tr '[:lower:]' '[:upper:]'`
+
+    # Define an empty function for the trace event
+    cat <<EOF
+static inline void trace_$name($args) {
+    if (QEMU_${nameupper}_ENABLED()) {
+        QEMU_${nameupper}($argnames);
+    }
+}
+EOF
+}
+
+linetoh_end_dtrace()
+{
+    return
+}
+
+linetoc_begin_dtrace()
+{
+    return
+}
+
+linetoc_dtrace()
+{
+    # No need for function definitions in dtrace backend
+    return
+}
+
+linetoc_end_dtrace()
+{
+    return
+}
+
+linetod_begin_dtrace()
+{
+    cat <<EOF
+provider qemu {
+EOF
+}
+
+linetod_dtrace()
+{
+    local name args state
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
+
+    # Define prototype for probe arguments
+    cat <<EOF
+        probe $name($args);
+EOF
+}
+
+linetod_end_dtrace()
+{
+    cat <<EOF
+};
+EOF
+}
+
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -324,9 +408,10 @@ convert()
         disable=${str%%disable *}
         echo
         if test -z "$disable"; then
-            # Pass the disabled state as an arg to lineto$1_simple().
-            # For all other cases, call lineto$1_nop()
-            if [ $backend = "simple" ]; then
+            # Pass the disabled state as an arg for the simple
+            # or DTrace backends which handle it dynamically.
+            # For all other backends, call lineto$1_nop()
+            if [ $backend = "simple" -o "$backend" = "dtrace" ]; then
                 "$process_line" "$str"
             else
                 "lineto$1_nop" "${str##disable }"
@@ -360,9 +445,19 @@ tracetoc()
     convert c
 }
 
+tracetod()
+{
+    if [ $backend != "dtrace" ]; then
+       echo "DTrace probe generator not applicable to $backend backend"
+       exit 1
+    fi
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert d
+}
+
 # Choose backend
 case "$1" in
-"--nop" | "--simple" | "--ust") backend="${1#--}" ;;
+"--nop" | "--simple" | "--ust" | "--dtrace") backend="${1#--}" ;;
 *) usage ;;
 esac
 shift
@@ -370,6 +465,7 @@ shift
 case "$1" in
 "-h") tracetoh ;;
 "-c") tracetoc ;;
+"-d") tracetod ;;
 "--check-backend") exit 0 ;; # used by ./configure to test for backend
 *) usage ;;
 esac
commit 9696846600cac4bd0dfd6835e45e69d25ec2b11e
Author: Adam Lackorzynski <adam at os.inf.tu-dresden.de>
Date:   Thu Nov 4 23:22:15 2010 +0100

    multiboot: Prevent loading of x86_64 images
    
    A via -kernel supplied x86_64 ELF image is being started in 32bit mode.
    Detect and exit if a 64bit image has been supplied.
    
    Signed-off-by: Adam Lackorzynski <adam at os.inf.tu-dresden.de>
    Acked-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/multiboot.c b/hw/multiboot.c
index f9097a2..e710bbb 100644
--- a/hw/multiboot.c
+++ b/hw/multiboot.c
@@ -171,6 +171,12 @@ int load_multiboot(void *fw_cfg,
         uint64_t elf_low, elf_high;
         int kernel_size;
         fclose(f);
+
+        if (((struct elf64_hdr*)header)->e_machine == EM_X86_64) {
+            fprintf(stderr, "Cannot load x86-64 image, give a 32bit one.\n");
+            exit(1);
+        }
+
         kernel_size = load_elf(kernel_filename, NULL, NULL, &elf_entry,
                                &elf_low, &elf_high, 0, ELF_MACHINE, 0);
         if (kernel_size < 0) {
commit b538e53ee7e8b9e2920d3286b480276cef209fd4
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 5 16:01:29 2010 -0600

    apic: Don't iterate past last used apic
    
    local_apics are allocated sequentially and never removed, so
    we can stop any iterations that go to MAX_APICS as soon as we
    hit the first NULL.  Looking at a small guest running a virtio-net
    workload with oprofile, this drops apic_get_delivery_bitmask()
    from #3 in the profile to down in the noise.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/apic.c b/hw/apic.c
index 63d62c7..5f4a87c 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -437,6 +437,8 @@ static int apic_find_dest(uint8_t dest)
         apic = local_apics[i];
 	if (apic && apic->id == dest)
             return i;
+        if (!apic)
+            break;
     }
 
     return -1;
@@ -472,6 +474,8 @@ static void apic_get_delivery_bitmask(uint32_t *deliver_bitmask,
                         set_bit(deliver_bitmask, i);
                     }
                 }
+            } else {
+                break;
             }
         }
     }
commit 4cff0a5994d0300e6e77e90d3354aa517a120539
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Fri Nov 12 16:21:35 2010 +0900

    pci: allow hotplug removal of cold-plugged devices
    
    This patch fixes hot unplug of cold plugged devices
    (those present at system start), which got broken by
    5beb8ad503c88a76f2b8106c3b74b4ce485a60e1 .
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Cam Macdonell <cam at cs.ualberta.ca>
    Tested-by: Cam Macdonell <cam at cs.ualberta.ca>
    Reported-by: Cam Macdonell <cam at cs.ualberta.ca>.

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 66c7885..f549089 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -585,7 +585,8 @@ static void pciej_write(void *opaque, uint32_t addr, uint32_t val)
     PIIX4_DPRINTF("pciej write %x <== %d\n", addr, val);
 }
 
-static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state);
+static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
+                                PCIHotplugState state);
 
 static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
 {
@@ -615,18 +616,23 @@ static void disable_device(PIIX4PMState *s, int slot)
     s->pci0_status.down |= (1 << slot);
 }
 
-static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state)
+static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
+				PCIHotplugState state)
 {
     int slot = PCI_SLOT(dev->devfn);
     PIIX4PMState *s = DO_UPCAST(PIIX4PMState, dev,
                                 DO_UPCAST(PCIDevice, qdev, qdev));
 
-    if (!dev->qdev.hotplugged)
+    /* Don't send event when device is enabled during qemu machine creation:
+     * it is present on boot, no hotplug event is necessary. We do send an
+     * event when the device is disabled later. */
+    if (state == PCI_COLDPLUG_ENABLED) {
         return 0;
+    }
 
     s->pci0_status.up = 0;
     s->pci0_status.down = 0;
-    if (state) {
+    if (state == PCI_HOTPLUG_ENABLED) {
         enable_device(s, slot);
     } else {
         disable_device(s, slot);
diff --git a/hw/pci.c b/hw/pci.c
index 8f6fcf8..438c0d1 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1558,8 +1558,11 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
     pci_add_option_rom(pci_dev);
 
     if (bus->hotplug) {
-        /* lower layer must check qdev->hotplugged */
-        rc = bus->hotplug(bus->hotplug_qdev, pci_dev, 1);
+        /* Let buses differentiate between hotplug and when device is
+         * enabled during qemu machine creation. */
+        rc = bus->hotplug(bus->hotplug_qdev, pci_dev,
+                          qdev->hotplugged ? PCI_HOTPLUG_ENABLED:
+                          PCI_COLDPLUG_ENABLED);
         if (rc != 0) {
             int r = pci_unregister_device(&pci_dev->qdev);
             assert(!r);
@@ -1573,7 +1576,8 @@ static int pci_unplug_device(DeviceState *qdev)
 {
     PCIDevice *dev = DO_UPCAST(PCIDevice, qdev, qdev);
 
-    return dev->bus->hotplug(dev->bus->hotplug_qdev, dev, 0);
+    return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
+                             PCI_HOTPLUG_DISABLED);
 }
 
 void pci_qdev_register(PCIDeviceInfo *info)
diff --git a/hw/pci.h b/hw/pci.h
index 7100804..09b3e4c 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -214,7 +214,15 @@ int pci_device_load(PCIDevice *s, QEMUFile *f);
 
 typedef void (*pci_set_irq_fn)(void *opaque, int irq_num, int level);
 typedef int (*pci_map_irq_fn)(PCIDevice *pci_dev, int irq_num);
-typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev, int state);
+
+typedef enum {
+    PCI_HOTPLUG_DISABLED,
+    PCI_HOTPLUG_ENABLED,
+    PCI_COLDPLUG_ENABLED,
+} PCIHotplugState;
+
+typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev,
+                              PCIHotplugState state);
 void pci_bus_new_inplace(PCIBus *bus, DeviceState *parent,
                          const char *name, int devfn_min);
 PCIBus *pci_bus_new(DeviceState *parent, const char *name, int devfn_min);
diff --git a/hw/pcie.c b/hw/pcie.c
index 35918f7..f461c1c 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -192,14 +192,16 @@ static void pcie_cap_slot_event(PCIDevice *dev, PCIExpressHotPlugEvent event)
 }
 
 static int pcie_cap_slot_hotplug(DeviceState *qdev,
-                                 PCIDevice *pci_dev, int state)
+                                 PCIDevice *pci_dev, PCIHotplugState state)
 {
     PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
     uint8_t *exp_cap = d->config + d->exp.exp_cap;
     uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
 
-    if (!pci_dev->qdev.hotplugged) {
-        assert(state); /* this case only happens at machine creation. */
+    /* Don't send event when device is enabled during qemu machine creation:
+     * it is present on boot, no hotplug event is necessary. We do send an
+     * event when the device is disabled later. */
+    if (state == PCI_COLDPLUG_ENABLED) {
         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
                                    PCI_EXP_SLTSTA_PDS);
         return 0;
@@ -219,7 +221,7 @@ static int pcie_cap_slot_hotplug(DeviceState *qdev,
      */
     assert(PCI_FUNC(pci_dev->devfn) == 0);
 
-    if (state) {
+    if (state == PCI_HOTPLUG_ENABLED) {
         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
                                    PCI_EXP_SLTSTA_PDS);
         pcie_cap_slot_event(d, PCI_EXP_HP_EV_PDC);
commit a6a9239cd87d1bcdade909cf71413686fb70f8d0
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Oct 4 15:53:11 2010 -0600

    PCI: Bus number from the bridge, not the device
    
    pcibus_dev_print() was erroneously retrieving the device bus
    number from the secondary bus number offset of the device
    instead of the bridge above the device.  This ends of landing
    in the 2nd byte of the 3rd BAR for devices, which thankfully
    is usually zero.
    
    Note: pcibus_get_dev_path() copied this code,
    inheriting the same bug.  pcibus_get_dev_path() is used for
    ramblock naming, so changing it can effect migration.  However,
    I've only seen this byte be non-zero for an assigned device,
    which can't migrate anyway, so hopefully we won't run into
    any issues.
    
    This patch does not touch pcibus_get_dev_path, as
    bus number is guest assigned for nested buses,
    so using it for migration is broken anyway.
    Fix it properly later.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 962886e..8f6fcf8 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1806,8 +1806,7 @@ static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent)
 
     monitor_printf(mon, "%*sclass %s, addr %02x:%02x.%x, "
                    "pci id %04x:%04x (sub %04x:%04x)\n",
-                   indent, "", ctxt,
-                   d->config[PCI_SECONDARY_BUS],
+                   indent, "", ctxt, pci_bus_num(d->bus),
                    PCI_SLOT(d->devfn), PCI_FUNC(d->devfn),
                    pci_get_word(d->config + PCI_VENDOR_ID),
                    pci_get_word(d->config + PCI_DEVICE_ID),
commit 1f892feb37dabedbb2492c6b499b0c1b22631a1f
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 5 14:52:08 2010 -0600

    e1000: Fix TCP checksum overflow with TSO
    
    When adding the length to the pseudo header, we're not properly
    accounting for overflow.
    
    From: Mark Wu <dwu at redhat.com>
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/e1000.c b/hw/e1000.c
index 532efdc..677165f 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -384,9 +384,12 @@ xmit_seg(E1000State *s)
         } else	// UDP
             cpu_to_be16wu((uint16_t *)(tp->data+css+4), len);
         if (tp->sum_needed & E1000_TXD_POPTS_TXSM) {
+            unsigned int phsum;
             // add pseudo-header length before checksum calculation
             sp = (uint16_t *)(tp->data + tp->tucso);
-            cpu_to_be16wu(sp, be16_to_cpup(sp) + len);
+            phsum = be16_to_cpup(sp) + len;
+            phsum = (phsum >> 16) + (phsum & 0xffff);
+            cpu_to_be16wu(sp, phsum);
         }
         tp->tso_frames++;
     }
commit 27a6375de3edece2e5d115847d54c01e52331f7e
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Sun Oct 31 19:06:47 2010 +0200

    tap: make set_offload a nop after netdev cleanup
    
    virtio-net expects set_offload to succeed after
    peer cleanup.
    Since we don't have an open fd anymore, make it so.
    Fixes warning about the failure of offload setting.
    
    Reported-by: Jason Wang <jasowang at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net/tap.c b/net/tap.c
index 937d942..eada34a 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -269,8 +269,11 @@ void tap_set_offload(VLANClientState *nc, int csum, int tso4,
                      int tso6, int ecn, int ufo)
 {
     TAPState *s = DO_UPCAST(TAPState, nc, nc);
+    if (s->fd < 0) {
+        return;
+    }
 
-    return tap_fd_set_offload(s->fd, csum, tso4, tso6, ecn, ufo);
+    tap_fd_set_offload(s->fd, csum, tso4, tso6, ecn, ufo);
 }
 
 static void tap_cleanup(VLANClientState *nc)
@@ -290,6 +293,7 @@ static void tap_cleanup(VLANClientState *nc)
     tap_read_poll(s, 0);
     tap_write_poll(s, 0);
     close(s->fd);
+    s->fd = -1;
 }
 
 static void tap_poll(VLANClientState *nc, bool enable)
commit f6584ee20338a74ef3b05b38b8f9dc5e7a7276a6
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Oct 24 14:27:55 2010 +0200

    Add support for async page fault to qemu
    
    Add save/restore of MSR for migration and cpuid bit.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 2440d65..06e40f3 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -681,6 +681,7 @@ typedef struct CPUX86State {
 #endif
     uint64_t system_time_msr;
     uint64_t wall_clock_msr;
+    uint64_t async_pf_en_msr;
 
     uint64_t tsc;
 
diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
index 650a719..165045e 100644
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@ -73,7 +73,7 @@ static const char *ext3_feature_name[] = {
 };
 
 static const char *kvm_feature_name[] = {
-    "kvmclock", "kvm_nopiodelay", "kvm_mmu", NULL, NULL, NULL, NULL, NULL,
+    "kvmclock", "kvm_nopiodelay", "kvm_mmu", NULL, "kvm_asyncpf", NULL, NULL, NULL,
     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index ae0a034..7dfc357 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -162,6 +162,9 @@ struct kvm_para_features {
 #ifdef KVM_CAP_PV_MMU
         { KVM_CAP_PV_MMU, KVM_FEATURE_MMU_OP },
 #endif
+#ifdef KVM_CAP_ASYNC_PF
+        { KVM_CAP_ASYNC_PF, KVM_FEATURE_ASYNC_PF },
+#endif
         { -1, -1 }
 };
 
@@ -838,6 +841,9 @@ static int kvm_put_msrs(CPUState *env, int level)
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME,
                           env->system_time_msr);
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
+#ifdef KVM_CAP_ASYNC_PF
+        kvm_msr_entry_set(&msrs[n++], MSR_KVM_ASYNC_PF_EN, env->async_pf_en_msr);
+#endif
     }
 #ifdef KVM_CAP_MCE
     if (env->mcg_cap) {
@@ -1064,6 +1070,9 @@ static int kvm_get_msrs(CPUState *env)
 #endif
     msrs[n++].index = MSR_KVM_SYSTEM_TIME;
     msrs[n++].index = MSR_KVM_WALL_CLOCK;
+#ifdef KVM_CAP_ASYNC_PF
+    msrs[n++].index = MSR_KVM_ASYNC_PF_EN;
+#endif
 
 #ifdef KVM_CAP_MCE
     if (env->mcg_cap) {
@@ -1135,6 +1144,11 @@ static int kvm_get_msrs(CPUState *env)
             }
 #endif
             break;
+#ifdef KVM_CAP_ASYNC_PF
+        case MSR_KVM_ASYNC_PF_EN:
+            env->async_pf_en_msr = msrs[i].data;
+            break;
+#endif
         }
     }
 
diff --git a/target-i386/machine.c b/target-i386/machine.c
index 5f8376c..d78eceb 100644
--- a/target-i386/machine.c
+++ b/target-i386/machine.c
@@ -373,6 +373,24 @@ static int cpu_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool async_pf_msr_needed(void *opaque)
+{
+    CPUState *cpu = opaque;
+
+    return cpu->async_pf_en_msr != 0;
+}
+
+static const VMStateDescription vmstate_async_pf_msr = {
+    .name = "cpu/async_pf_msr",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields      = (VMStateField []) {
+        VMSTATE_UINT64(async_pf_en_msr, CPUState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_cpu = {
     .name = "cpu",
     .version_id = CPU_SAVE_VERSION,
@@ -475,6 +493,14 @@ static const VMStateDescription vmstate_cpu = {
         VMSTATE_YMMH_REGS_VARS(ymmh_regs, CPUState, CPU_NB_REGS, 12),
         VMSTATE_END_OF_LIST()
         /* The above list is not sorted /wrt version numbers, watch out! */
+    },
+    .subsections = (VMStateSubsection []) {
+        {
+            .vmsd = &vmstate_async_pf_msr,
+            .needed = async_pf_msr_needed,
+        } , {
+            /* empty */
+        }
     }
 };
 
commit 43849424cff82803011fad21074531a1101e514e
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 20:03:43 2010 +0200

    tap: clear vhost_net backend on cleanup
    
    Frontends calling tap_get_vhost_net get an invalid pointer after the
    peer backend has been deleted. Jason Wang <jasowang at redhat.com> reports
    this leading to a crash in ack_features when we remove the vhost-net
    bakend of a virtio nic.
    
    The fix is simply to clear the backend pointer.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net/tap.c b/net/tap.c
index 4afb314..937d942 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -279,6 +279,7 @@ static void tap_cleanup(VLANClientState *nc)
 
     if (s->vhost_net) {
         vhost_net_cleanup(s->vhost_net);
+        s->vhost_net = NULL;
     }
 
     qemu_purge_queued_packets(nc);
commit 788954270d339b4b271e1a537a481e7068ba3591
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Oct 15 11:45:13 2010 +0200

    more stdvga cleanups.
    
    video.x is gone now.  It was the only user of the
    vga bios_offset + bios_size logic.  Zap it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 8026071..6be8aa7 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -977,7 +977,7 @@ void mips_malta_init (ram_addr_t ram_size,
     } else if (vmsvga_enabled) {
         pci_vmsvga_init(pci_bus);
     } else if (std_vga_enabled) {
-        pci_vga_init(pci_bus, 0, 0);
+        pci_vga_init(pci_bus);
     }
 }
 
diff --git a/hw/pc.c b/hw/pc.c
index 69b13bf..0e44df8 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -993,7 +993,7 @@ void pc_vga_init(PCIBus *pci_bus)
             fprintf(stderr, "%s: vmware_vga: no PCI bus\n", __FUNCTION__);
     } else if (std_vga_enabled) {
         if (pci_bus) {
-            pci_vga_init(pci_bus, 0, 0);
+            pci_vga_init(pci_bus);
         } else {
             isa_vga_init();
         }
diff --git a/hw/pc.h b/hw/pc.h
index 63b0249..6852790 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -154,8 +154,7 @@ enum vga_retrace_method {
 extern enum vga_retrace_method vga_retrace_method;
 
 int isa_vga_init(void);
-int pci_vga_init(PCIBus *bus,
-                 unsigned long vga_bios_offset, int vga_bios_size);
+int pci_vga_init(PCIBus *bus);
 int isa_vga_mm_init(target_phys_addr_t vram_base,
                     target_phys_addr_t ctrl_base, int it_shift);
 
diff --git a/hw/ppc_newworld.c b/hw/ppc_newworld.c
index 4369337..305b2d4 100644
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -316,7 +316,7 @@ static void ppc_core99_init (ram_addr_t ram_size,
         machine_arch = ARCH_MAC99;
     }
     /* init basic PC hardware */
-    pci_vga_init(pci_bus, 0, 0);
+    pci_vga_init(pci_bus);
 
     escc_mem_index = escc_init(0x80013000, pic[0x25], pic[0x24],
                                serial_hds[0], serial_hds[1], ESCC_CLOCK, 4);
diff --git a/hw/ppc_oldworld.c b/hw/ppc_oldworld.c
index a2f9ddf..5efc93d 100644
--- a/hw/ppc_oldworld.c
+++ b/hw/ppc_oldworld.c
@@ -227,7 +227,7 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
     }
     pic = heathrow_pic_init(&pic_mem_index, 1, heathrow_irqs);
     pci_bus = pci_grackle_init(0xfec00000, pic);
-    pci_vga_init(pci_bus, 0, 0);
+    pci_vga_init(pci_bus);
 
     escc_mem_index = escc_init(0x80013000, pic[0x0f], pic[0x10], serial_hds[0],
                                serial_hds[1], ESCC_CLOCK, 4);
diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index a6915f7..b1f9cc7 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -694,7 +694,7 @@ static void ppc_prep_init (ram_addr_t ram_size,
     cpu_register_physical_memory(0x80000000, 0x00800000, PPC_io_memory);
 
     /* init basic PC hardware */
-    pci_vga_init(pci_bus, 0, 0);
+    pci_vga_init(pci_bus);
     //    openpic = openpic_init(0x00000000, 0xF0000000, 1);
     //    pit = pit_init(0x40, i8259[0]);
     rtc_init(2000, NULL);
diff --git a/hw/sun4u.c b/hw/sun4u.c
index 45a46d6..5292ac6 100644
--- a/hw/sun4u.c
+++ b/hw/sun4u.c
@@ -767,7 +767,7 @@ static void sun4uv_init(ram_addr_t RAM_size,
     pci_bus = pci_apb_init(APB_SPECIAL_BASE, APB_MEM_BASE, irq, &pci_bus2,
                            &pci_bus3);
     isa_mem_base = APB_PCI_IO_BASE;
-    pci_vga_init(pci_bus, 0, 0);
+    pci_vga_init(pci_bus);
 
     // XXX Should be pci_bus3
     pci_ebus_init(pci_bus, -1);
diff --git a/hw/vga-pci.c b/hw/vga-pci.c
index eef0e3c..b09789c 100644
--- a/hw/vga-pci.c
+++ b/hw/vga-pci.c
@@ -52,14 +52,11 @@ static void vga_map(PCIDevice *pci_dev, int region_num,
 {
     PCIVGAState *d = (PCIVGAState *)pci_dev;
     VGACommonState *s = &d->vga;
-    if (region_num == PCI_ROM_SLOT) {
-        cpu_register_physical_memory(addr, s->bios_size, s->bios_offset);
-    } else {
-        cpu_register_physical_memory(addr, s->vram_size, s->vram_offset);
-        s->map_addr = addr;
-        s->map_end = addr + s->vram_size;
-        vga_dirty_log_start(s);
-    }
+
+    cpu_register_physical_memory(addr, s->vram_size, s->vram_offset);
+    s->map_addr = addr;
+    s->map_end = addr + s->vram_size;
+    vga_dirty_log_start(s);
 }
 
 static void pci_vga_write_config(PCIDevice *d,
@@ -95,31 +92,12 @@ static int pci_vga_initfn(PCIDevice *dev)
      pci_register_bar(&d->dev, 0, VGA_RAM_SIZE,
                       PCI_BASE_ADDRESS_MEM_PREFETCH, vga_map);
 
-     if (s->bios_size) {
-        unsigned int bios_total_size;
-        /* must be a power of two */
-        bios_total_size = 1;
-        while (bios_total_size < s->bios_size)
-            bios_total_size <<= 1;
-        pci_register_bar(&d->dev, PCI_ROM_SLOT, bios_total_size,
-                         PCI_BASE_ADDRESS_MEM_PREFETCH, vga_map);
-     } else {
-         if (dev->romfile == NULL)
-             dev->romfile = qemu_strdup("vgabios-stdvga.bin");
-     }
      return 0;
 }
 
-int pci_vga_init(PCIBus *bus,
-                 unsigned long vga_bios_offset, int vga_bios_size)
+int pci_vga_init(PCIBus *bus)
 {
-    PCIDevice *dev;
-
-    dev = pci_create(bus, -1, "VGA");
-    qdev_prop_set_uint32(&dev->qdev, "bios-offset", vga_bios_offset);
-    qdev_prop_set_uint32(&dev->qdev, "bios-size", vga_bios_size);
-    qdev_init_nofail(&dev->qdev);
-
+    pci_create_simple(bus, -1, "VGA");
     return 0;
 }
 
@@ -129,11 +107,7 @@ static PCIDeviceInfo vga_info = {
     .qdev.vmsd    = &vmstate_vga_pci,
     .init         = pci_vga_initfn,
     .config_write = pci_vga_write_config,
-    .qdev.props   = (Property[]) {
-        DEFINE_PROP_HEX32("bios-offset", PCIVGAState, vga.bios_offset, 0),
-        DEFINE_PROP_HEX32("bios-size",   PCIVGAState, vga.bios_size,   0),
-        DEFINE_PROP_END_OF_LIST(),
-    }
+    .romfile      = "vgabios-stdvga.bin",
 };
 
 static void vga_register(void)
diff --git a/hw/vga.c b/hw/vga.c
index 966185e..c057f4f 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -1934,8 +1934,6 @@ void vga_common_reset(VGACommonState *s)
     s->map_addr = 0;
     s->map_end = 0;
     s->lfb_vram_mapped = 0;
-    s->bios_offset = 0;
-    s->bios_size = 0;
     s->sr_index = 0;
     memset(s->sr, '\0', sizeof(s->sr));
     s->gr_index = 0;
diff --git a/hw/vga_int.h b/hw/vga_int.h
index 6a46a43..bc1327f 100644
--- a/hw/vga_int.h
+++ b/hw/vga_int.h
@@ -112,8 +112,6 @@ typedef struct VGACommonState {
     uint32_t map_addr;
     uint32_t map_end;
     uint32_t lfb_vram_mapped; /* whether 0xa0000 is mapped as ram */
-    uint32_t bios_offset;
-    uint32_t bios_size;
     uint32_t latch;
     uint8_t sr_index;
     uint8_t sr[256];
commit 4eccfec4943db1106c79a01069e18dd4f463219b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu May 6 11:14:11 2010 +0200

    switch vmware_vga to pci vgabios
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 3d25c14..9337fdb 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -114,14 +114,12 @@ struct pci_vmsvga_state_s {
 # define SVGA_IO_BASE		SVGA_LEGACY_BASE_PORT
 # define SVGA_IO_MUL		1
 # define SVGA_FIFO_SIZE		0x10000
-# define SVGA_MEM_BASE		0xe0000000
 # define SVGA_PCI_DEVICE_ID	PCI_DEVICE_ID_VMWARE_SVGA2
 #else
 # define SVGA_ID		SVGA_ID_1
 # define SVGA_IO_BASE		SVGA_LEGACY_BASE_PORT
 # define SVGA_IO_MUL		4
 # define SVGA_FIFO_SIZE		0x10000
-# define SVGA_MEM_BASE		0xe0000000
 # define SVGA_PCI_DEVICE_ID	PCI_DEVICE_ID_VMWARE_SVGA
 #endif
 
@@ -1219,10 +1217,6 @@ static void vmsvga_init(struct vmsvga_state_s *s, int vga_ram_size)
     vga_init(&s->vga);
     vmstate_register(NULL, 0, &vmstate_vga_common, &s->vga);
 
-    vga_init_vbe(&s->vga);
-
-    rom_add_vga(VGABIOS_FILENAME);
-
     vmsvga_reset(s);
 }
 
@@ -1320,6 +1314,7 @@ static PCIDeviceInfo vmsvga_info = {
     .qdev.size    = sizeof(struct pci_vmsvga_state_s),
     .qdev.vmsd    = &vmstate_vmware_vga,
     .init         = pci_vmsvga_initfn,
+    .romfile      = "vgabios-vmware.bin",
 };
 
 static void vmsvga_register(void)
commit 543f8e3468e6df32bfde8f84ac36d05a7604e082
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu May 6 11:13:11 2010 +0200

    switch stdvga to pci vgabios
    
    Make stdvga provide the new vgabios binary (with pcibios support)
    using the PCI option rom bar.  Seabios will happily load it from
    there.  The new vga bios will also lookup the framebuffer address
    in pci config space, so the magic bochs lfb @ 0xe0000000 is not
    needed any more -> zap it.
    
    Without the patch:
    
      # dmesg | grep framebuffer
      vesafb: framebuffer at 0xe0000000, mapped to 0xf7e80000, using 1875k, total 8192k
      # lspci -vs2
      00:02.0 VGA compatible controller: Technical Corp. Device 1111 (prog-if 00 [VGA controller])
    	Subsystem: Qumranet, Inc. Device 1100
    	Physical Slot: 2
    	Flags: fast devsel
    	Memory at f0000000 (32-bit, prefetchable) [size=8M]
    	Expansion ROM at <unassigned> [disabled]
    
    With patch applied:
    
      # dmesg | grep framebuffer
      vesafb: framebuffer at 0xf0000000, mapped to 0xf7e80000, using 1875k, total 8192k
      # lspci -vs2
      00:02.0 VGA compatible controller: Technical Corp. Device 1111 (prog-if 00 [VGA controller])
    	Subsystem: Qumranet, Inc. Device 1100
    	Physical Slot: 2
    	Flags: fast devsel
    	Memory at f0000000 (32-bit, prefetchable) [size=8M]
    	Expansion ROM at f0800000 [disabled] [size=64K]
    
    cheers,
      Gerd
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/vga-pci.c b/hw/vga-pci.c
index 2315f70..eef0e3c 100644
--- a/hw/vga-pci.c
+++ b/hw/vga-pci.c
@@ -103,11 +103,10 @@ static int pci_vga_initfn(PCIDevice *dev)
             bios_total_size <<= 1;
         pci_register_bar(&d->dev, PCI_ROM_SLOT, bios_total_size,
                          PCI_BASE_ADDRESS_MEM_PREFETCH, vga_map);
+     } else {
+         if (dev->romfile == NULL)
+             dev->romfile = qemu_strdup("vgabios-stdvga.bin");
      }
-
-    vga_init_vbe(s);
-     /* ROM BIOS */
-     rom_add_vga(VGABIOS_FILENAME);
      return 0;
 }
 
commit 3b3d448e01ccfc6fdcb6e3d4ebf47418075e3bb4
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Aug 23 12:10:46 2010 +0200

    Add new vgabios binaries to blobs list.
    
    aliguori: update VGA BIOS
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/Makefile b/Makefile
index 02698e9..6896319 100644
--- a/Makefile
+++ b/Makefile
@@ -178,8 +178,9 @@ ar      de     en-us  fi  fr-be  hr     it  lv  nl         pl  ru     th \
 common  de-ch  es     fo  fr-ca  hu     ja  mk  nl-be      pt  sl     tr
 
 ifdef INSTALL_BLOBS
-BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin ppc_rom.bin \
-openbios-sparc32 openbios-sparc64 openbios-ppc \
+BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin \
+vgabios-stdvga.bin vgabios-vmware.bin \
+ppc_rom.bin openbios-sparc32 openbios-sparc64 openbios-ppc \
 gpxe-eepro100-80861209.rom \
 gpxe-eepro100-80861229.rom \
 pxe-e1000.bin \
diff --git a/pc-bios/vgabios-cirrus.bin b/pc-bios/vgabios-cirrus.bin
index 4fa8f99..424dd0c 100644
Binary files a/pc-bios/vgabios-cirrus.bin and b/pc-bios/vgabios-cirrus.bin differ
diff --git a/pc-bios/vgabios-stdvga.bin b/pc-bios/vgabios-stdvga.bin
new file mode 100644
index 0000000..5123c5f
Binary files /dev/null and b/pc-bios/vgabios-stdvga.bin differ
diff --git a/pc-bios/vgabios-vmware.bin b/pc-bios/vgabios-vmware.bin
new file mode 100644
index 0000000..5e8c06b
Binary files /dev/null and b/pc-bios/vgabios-vmware.bin differ
diff --git a/pc-bios/vgabios.bin b/pc-bios/vgabios.bin
index fa6f815..892a2b5 100644
Binary files a/pc-bios/vgabios.bin and b/pc-bios/vgabios.bin differ
diff --git a/roms/vgabios b/roms/vgabios
index 6e62666..19ea12c 160000
--- a/roms/vgabios
+++ b/roms/vgabios
@@ -1 +1 @@
-Subproject commit 6e62666cfc19e7fd45dd0d7c3ad62fd8d0b5f67a
+Subproject commit 19ea12c230ded95928ecaef0db47a82231c2e485
commit 6c52ef31bcb351af944ce2882b2cc3ad0938a7c8
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Nov 16 16:31:13 2010 +0200

    kvm: clear vapic after reset
    
    Clear the vapic address immediately after reset.  This allows dual-boot guests
    to work efficiently, and more importantly, works around the bios using
    'rep insb' to read in the option rom and confusing the vapic machinery.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index b7b2430..95e5d02 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -439,8 +439,20 @@ int kvm_arch_init_vcpu(CPUState *env)
     return kvm_vcpu_ioctl(env, KVM_SET_CPUID2, &cpuid_data);
 }
 
+static void kvm_clear_vapic(CPUState *env)
+{
+#ifdef KVM_SET_VAPIC_ADDR
+    struct kvm_vapic_addr va = {
+        .vapic_addr = 0,
+    };
+
+    kvm_vcpu_ioctl(env, KVM_SET_VAPIC_ADDR, &va);
+#endif
+}
+
 void kvm_arch_reset_vcpu(CPUState *env)
 {
+    kvm_clear_vapic(env);
     env->exception_injected = -1;
     env->interrupt_injected = -1;
     env->nmi_injected = 0;
commit 7080e7f20633ab9a566324ccefadd23f0c14bd4f
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Nov 16 16:11:31 2010 +0200

    vapic: fix vapic option rom sizing
    
    An option rom is required to be aligned to 512 bytes, and to have some
    space for a signature.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/pc-bios/optionrom/vapic.S b/pc-bios/optionrom/vapic.S
index 3c8dcf1..97fa19c 100644
--- a/pc-bios/optionrom/vapic.S
+++ b/pc-bios/optionrom/vapic.S
@@ -323,4 +323,8 @@ up_set_tpr_poll_irq:
 
 vapic:
 . = . + vapic_size
+
+.byte 0  # reserve space for signature
+.align 512, 0
+
 _end:
commit 5a14f14187daa197e995f253c76a2c576b1a3b41
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Nov 16 16:05:32 2010 +0200

    optionrom: fix bugs in signrom.sh
    
    signrom.sh has multiple bugs:
    
    - the last byte is considered when calculating the existing checksum, but not
      when computing the correction
    - apprently the 'expr' expression overflows and produces incorrect results with
      larger roms
    - if the checksum happened to be zero, we calculated the correction byte to be
      256
    
    Instead of rewriting this in half a line of python, this patch fixes the bugs.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/pc-bios/optionrom/signrom.sh b/pc-bios/optionrom/signrom.sh
index 975b27d..9dc5c63 100755
--- a/pc-bios/optionrom/signrom.sh
+++ b/pc-bios/optionrom/signrom.sh
@@ -31,14 +31,13 @@ x=`dd if="$1" bs=1 count=1 skip=2 2>/dev/null | od -t u1 -A n`
 size=$(( $x * 512 - 1 ))
 
 # now get the checksum
-nums=`od -A n -t u1 -v "$1"`
+nums=`od -A n -t u1 -v -N $size "$1"`
 for i in ${nums}; do
     # add each byte's value to sum
-    sum=`expr $sum + $i`
+    sum=`expr \( $sum + $i \) % 256`
 done
 
-sum=$(( $sum % 256 ))
-sum=$(( 256 - $sum ))
+sum=$(( (256 - $sum) % 256 ))
 sum_octal=$( printf "%o" $sum )
 
 # and write the output file
commit e927d48722fdcba50f82d653c5a1927752483054
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Fri Nov 12 16:21:35 2010 +0900

    pci: allow hotplug removal of cold-plugged devices
    
    This patch fixes hot unplug of cold plugged devices
    (those present at system start), which got broken by
    5beb8ad503c88a76f2b8106c3b74b4ce485a60e1 .
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Cam Macdonell <cam at cs.ualberta.ca>
    Tested-by: Cam Macdonell <cam at cs.ualberta.ca>
    Reported-by: Cam Macdonell <cam at cs.ualberta.ca>.

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 66c7885..f549089 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -585,7 +585,8 @@ static void pciej_write(void *opaque, uint32_t addr, uint32_t val)
     PIIX4_DPRINTF("pciej write %x <== %d\n", addr, val);
 }
 
-static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state);
+static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
+                                PCIHotplugState state);
 
 static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
 {
@@ -615,18 +616,23 @@ static void disable_device(PIIX4PMState *s, int slot)
     s->pci0_status.down |= (1 << slot);
 }
 
-static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state)
+static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev,
+				PCIHotplugState state)
 {
     int slot = PCI_SLOT(dev->devfn);
     PIIX4PMState *s = DO_UPCAST(PIIX4PMState, dev,
                                 DO_UPCAST(PCIDevice, qdev, qdev));
 
-    if (!dev->qdev.hotplugged)
+    /* Don't send event when device is enabled during qemu machine creation:
+     * it is present on boot, no hotplug event is necessary. We do send an
+     * event when the device is disabled later. */
+    if (state == PCI_COLDPLUG_ENABLED) {
         return 0;
+    }
 
     s->pci0_status.up = 0;
     s->pci0_status.down = 0;
-    if (state) {
+    if (state == PCI_HOTPLUG_ENABLED) {
         enable_device(s, slot);
     } else {
         disable_device(s, slot);
diff --git a/hw/pci.c b/hw/pci.c
index 8f6fcf8..438c0d1 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1558,8 +1558,11 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
     pci_add_option_rom(pci_dev);
 
     if (bus->hotplug) {
-        /* lower layer must check qdev->hotplugged */
-        rc = bus->hotplug(bus->hotplug_qdev, pci_dev, 1);
+        /* Let buses differentiate between hotplug and when device is
+         * enabled during qemu machine creation. */
+        rc = bus->hotplug(bus->hotplug_qdev, pci_dev,
+                          qdev->hotplugged ? PCI_HOTPLUG_ENABLED:
+                          PCI_COLDPLUG_ENABLED);
         if (rc != 0) {
             int r = pci_unregister_device(&pci_dev->qdev);
             assert(!r);
@@ -1573,7 +1576,8 @@ static int pci_unplug_device(DeviceState *qdev)
 {
     PCIDevice *dev = DO_UPCAST(PCIDevice, qdev, qdev);
 
-    return dev->bus->hotplug(dev->bus->hotplug_qdev, dev, 0);
+    return dev->bus->hotplug(dev->bus->hotplug_qdev, dev,
+                             PCI_HOTPLUG_DISABLED);
 }
 
 void pci_qdev_register(PCIDeviceInfo *info)
diff --git a/hw/pci.h b/hw/pci.h
index 7100804..09b3e4c 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -214,7 +214,15 @@ int pci_device_load(PCIDevice *s, QEMUFile *f);
 
 typedef void (*pci_set_irq_fn)(void *opaque, int irq_num, int level);
 typedef int (*pci_map_irq_fn)(PCIDevice *pci_dev, int irq_num);
-typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev, int state);
+
+typedef enum {
+    PCI_HOTPLUG_DISABLED,
+    PCI_HOTPLUG_ENABLED,
+    PCI_COLDPLUG_ENABLED,
+} PCIHotplugState;
+
+typedef int (*pci_hotplug_fn)(DeviceState *qdev, PCIDevice *pci_dev,
+                              PCIHotplugState state);
 void pci_bus_new_inplace(PCIBus *bus, DeviceState *parent,
                          const char *name, int devfn_min);
 PCIBus *pci_bus_new(DeviceState *parent, const char *name, int devfn_min);
diff --git a/hw/pcie.c b/hw/pcie.c
index 35918f7..f461c1c 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -192,14 +192,16 @@ static void pcie_cap_slot_event(PCIDevice *dev, PCIExpressHotPlugEvent event)
 }
 
 static int pcie_cap_slot_hotplug(DeviceState *qdev,
-                                 PCIDevice *pci_dev, int state)
+                                 PCIDevice *pci_dev, PCIHotplugState state)
 {
     PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
     uint8_t *exp_cap = d->config + d->exp.exp_cap;
     uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
 
-    if (!pci_dev->qdev.hotplugged) {
-        assert(state); /* this case only happens at machine creation. */
+    /* Don't send event when device is enabled during qemu machine creation:
+     * it is present on boot, no hotplug event is necessary. We do send an
+     * event when the device is disabled later. */
+    if (state == PCI_COLDPLUG_ENABLED) {
         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
                                    PCI_EXP_SLTSTA_PDS);
         return 0;
@@ -219,7 +221,7 @@ static int pcie_cap_slot_hotplug(DeviceState *qdev,
      */
     assert(PCI_FUNC(pci_dev->devfn) == 0);
 
-    if (state) {
+    if (state == PCI_HOTPLUG_ENABLED) {
         pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
                                    PCI_EXP_SLTSTA_PDS);
         pcie_cap_slot_event(d, PCI_EXP_HP_EV_PDC);
commit 7f5feab4dda39b39dce24113313587587aa2d0ab
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Oct 4 15:53:11 2010 -0600

    PCI: Bus number from the bridge, not the device
    
    pcibus_dev_print() was erroneously retrieving the device bus
    number from the secondary bus number offset of the device
    instead of the bridge above the device.  This ends of landing
    in the 2nd byte of the 3rd BAR for devices, which thankfully
    is usually zero.
    
    Note: pcibus_get_dev_path() copied this code,
    inheriting the same bug.  pcibus_get_dev_path() is used for
    ramblock naming, so changing it can effect migration.  However,
    I've only seen this byte be non-zero for an assigned device,
    which can't migrate anyway, so hopefully we won't run into
    any issues.
    
    This patch does not touch pcibus_get_dev_path, as
    bus number is guest assigned for nested buses,
    so using it for migration is broken anyway.
    Fix it properly later.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 962886e..8f6fcf8 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1806,8 +1806,7 @@ static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent)
 
     monitor_printf(mon, "%*sclass %s, addr %02x:%02x.%x, "
                    "pci id %04x:%04x (sub %04x:%04x)\n",
-                   indent, "", ctxt,
-                   d->config[PCI_SECONDARY_BUS],
+                   indent, "", ctxt, pci_bus_num(d->bus),
                    PCI_SLOT(d->devfn), PCI_FUNC(d->devfn),
                    pci_get_word(d->config + PCI_VENDOR_ID),
                    pci_get_word(d->config + PCI_DEVICE_ID),
commit 284e648036510a322d21be574302f7aec1c9a89b
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Nov 16 12:48:02 2010 +0200

    tpr optimization: clear the vapic area on boot
    
    If the option rom is loaded with rep/insb (as newer seabios versions do), then
    the writes to the vapic area may be corrupted by the kernel.
    
    Fix by explicitly clearing the vapic area on option rom startup.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/pc-bios/optionrom/vapic.S b/pc-bios/optionrom/vapic.S
index afe98a9..3c8dcf1 100644
--- a/pc-bios/optionrom/vapic.S
+++ b/pc-bios/optionrom/vapic.S
@@ -4,6 +4,17 @@
 _start:
 	.short 0xaa55
 	.byte (_end - _start) / 512
+	# clear vapic area: firmware load using rep insb may cause
+	# stale tpr/isr/irr data to corrupt the vapic area.
+	push %es
+	push %cs
+	pop %es
+	xor %ax, %ax
+	mov $vapic_size/2, %cx
+	lea vapic, %di
+	cld
+	rep stosw
+	pop %es
 	mov $vapic_base, %ax
 	out %ax, $0x7e
 	lret
commit 2be805620ae3ef1e50bd95459ac5e793f3bd6108
Merge: 420fe74... 38be1ea...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:49:27 2010 +0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (91 commits)
      add copyright to spiceaudio
      spice: add audio
      intel-hda: fix codec addressing.
      Revert "intel-hda: fix codec addressing."
      intel-hda: fix codec addressing.
      intel-hda: add msi support
      intel-hda: update irq status on WAKEEN changes.
      intel-hda: Honor WAKEEN bits.
      hda-audio: exit cleanup
      intel-hda: exit cleanup
      Fix win32 build
      scsi-disk: Fix immediate failure of bdrv_aio_*
      virtio-blk: Handle immediate flush failure properly
      ide: Handle immediate bdrv_aio_flush failure
      block: avoid a warning on 64 bit hosts with long as int64_t
      qcow2: Invalidate cache after failed read
      vpc: Implement bdrv_flush
      scsi-disk: Implement werror for flushes
      scsi-disk: Complete failed requests in scsi_disk_emulate_command
      block: Allow bdrv_flush to return errors
      ...
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

commit 38be1ea9d08c2197d68a0c790d5e6ac5d2acd20d
Merge: 0318710... cf2c183...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:49:09 2010 +0200

    Merge remote branch 'upstream' into upstream-merge
    
    * upstream: (46 commits)
      add copyright to spiceaudio
      spice: add audio
      intel-hda: fix codec addressing.
      Revert "intel-hda: fix codec addressing."
      intel-hda: fix codec addressing.
      intel-hda: add msi support
      intel-hda: update irq status on WAKEEN changes.
      intel-hda: Honor WAKEEN bits.
      hda-audio: exit cleanup
      intel-hda: exit cleanup
      Fix win32 build
      scsi-disk: Fix immediate failure of bdrv_aio_*
      virtio-blk: Handle immediate flush failure properly
      ide: Handle immediate bdrv_aio_flush failure
      block: avoid a warning on 64 bit hosts with long as int64_t
      qcow2: Invalidate cache after failed read
      vpc: Implement bdrv_flush
      scsi-disk: Implement werror for flushes
      scsi-disk: Complete failed requests in scsi_disk_emulate_command
      block: Allow bdrv_flush to return errors
      ...
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

commit 031871007b88a18309807c35568f135a49be60fe
Merge: 338be45... c1b0b93...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:47:58 2010 +0200

    Merge commit 'c1b0b93b06ab026ef45ae02d0ee7557741910637' into upstream-merge
    
    * commit 'c1b0b93b06ab026ef45ae02d0ee7557741910637':
      Move QEMU OS dependant library functions to OS specific files
      target-xxx: Use fprintf_function (format checking)
    
    Conflicts:
    	osdep.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc Makefile.objs
index acba01a,c88e82d..9a8999b
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -8,10 -14,9 +14,10 @@@ oslib-obj-$(CONFIG_POSIX) += oslib-posi
  # block-obj-y is code used by both qemu system emulation and qemu-img
  
  block-obj-y = cutils.o cache-utils.o qemu-malloc.o qemu-option.o module.o
- block-obj-y += nbd.o block.o aio.o aes.o osdep.o qemu-config.o
+ block-obj-y += nbd.o block.o aio.o aes.o qemu-config.o
  block-obj-$(CONFIG_POSIX) += posix-aio-compat.o
  block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 +block-obj-$(CONFIG_POSIX) += compatfd.o
  
  block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
  block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
diff --cc oslib-posix.c
index 0000000,df97304..bf2c673
mode 000000,100644..100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@@ -1,0 -1,74 +1,78 @@@
+ /*
+  * os-posix-lib.c
+  *
+  * Copyright (c) 2003-2008 Fabrice Bellard
+  * Copyright (c) 2010 Red Hat, Inc.
+  *
+  * QEMU library functions on POSIX which are shared between QEMU and
+  * the QEMU tools.
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a copy
+  * of this software and associated documentation files (the "Software"), to deal
+  * in the Software without restriction, including without limitation the rights
+  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  * copies of the Software, and to permit persons to whom the Software is
+  * furnished to do so, subject to the following conditions:
+  *
+  * The above copyright notice and this permission notice shall be included in
+  * all copies or substantial portions of the Software.
+  *
+  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  * THE SOFTWARE.
+  */
+ 
+ #include "config-host.h"
+ #include "sysemu.h"
+ #include "trace.h"
+ 
+ #if !defined(_POSIX_C_SOURCE) || defined(__sun__)
+ static void *oom_check(void *ptr)
+ {
+     if (ptr == NULL) {
+         fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
+         abort();
+     }
+     return ptr;
+ }
+ #endif
+ 
+ void *qemu_memalign(size_t alignment, size_t size)
+ {
+     void *ptr;
+ #if defined(_POSIX_C_SOURCE) && !defined(__sun__)
+     int ret;
+     ret = posix_memalign(&ptr, alignment, size);
+     if (ret != 0) {
+         fprintf(stderr, "Failed to allocate %zu B: %s\n",
+                 size, strerror(ret));
+         abort();
+     }
+ #elif defined(CONFIG_BSD)
+     ptr = oom_check(valloc(size));
+ #else
+     ptr = oom_check(memalign(alignment, size));
+ #endif
+     trace_qemu_memalign(alignment, size, ptr);
+     return ptr;
+ }
+ 
+ /* alloc shared memory pages */
+ void *qemu_vmalloc(size_t size)
+ {
++#ifndef __ia64__
+     return qemu_memalign(getpagesize(), size);
++#else
++    return qemu_memalign(65536, size);
++#endif
+ }
+ 
+ void qemu_vfree(void *ptr)
+ {
+     trace_qemu_vfree(ptr);
+     free(ptr);
+ }
commit 338be4505b537f50e345254982e4bf127194dd0c
Merge: 4ba1bf0... b907b69...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:40:09 2010 +0200

    Merge commit 'b907b69dd75415bc28349d1dd1e9a598ddace463' into upstream-merge
    
    * commit 'b907b69dd75415bc28349d1dd1e9a598ddace463': (24 commits)
      pcie: update satus on reset
      msi: minor cleanups
      msi: simplify range checks
      pci: improve w1c mask handling
      pcie: clean up hot plug notification
      pcie: simplify range check
      Introduce range.h
      qemu-options.def: add to generated header list
      net: properly handle illegal fd/vhostfd from command line
      virtio: sanity-check available index
      migration: don't segfault on invalid input
      x3130: pcie downstream port
      x3130: pcie upstream port
      ioh3420: pcie root port in X58 ioh
      pcie port: define struct PCIEPort/PCIESlot and helper functions
      pci/bridge: fix pci_bridge_reset()
      pcie: comment on hpev_intx
      pcie: helper functions for pcie capability and extended capability
      pcie: add pcie constants to pcie_regs.h
      msi: implements msi
      ...
    
    Conflicts:
    	Makefile.objs
    	hw/pci.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc Makefile.objs
index b3688a2,702569f..acba01a
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -151,9 -150,10 +151,10 @@@ user-obj-y += cutils.o cache-utils.
  # libhw
  
  hw-obj-y =
 -hw-obj-y += vl.o loader.o
 +hw-obj-y += loader.o
  hw-obj-y += virtio.o virtio-console.o
 -hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
 +hw-obj-y += fw_cfg.o pci_host.o pcie_host.o pci_bridge.o
+ hw-obj-y += ioh3420.o xio3130_upstream.o xio3130_downstream.o
  hw-obj-y += watchdog.o
  hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
  hw-obj-$(CONFIG_ECC) += ecc.o
diff --cc hw/pci.c
index 87f4969,962886e..c3b5048
--- a/hw/pci.c
+++ b/hw/pci.c
@@@ -1174,11 -1038,23 +1177,28 @@@ static void pci_set_irq(void *opaque, i
      pci_change_irq_level(pci_dev, irq_num, change);
  }
  
+ bool pci_msi_enabled(PCIDevice *dev)
+ {
+     return msix_enabled(dev) || msi_enabled(dev);
+ }
+ 
+ void pci_msi_notify(PCIDevice *dev, unsigned int vector)
+ {
+     if (msix_enabled(dev)) {
+         msix_notify(dev, vector);
+     } else if (msi_enabled(dev)) {
+         msi_notify(dev, vector);
+     } else {
+         /* MSI/MSI-X must be enabled */
+         abort();
+     }
+ }
+ 
 +int pci_map_irq(PCIDevice *pci_dev, int pin)
 +{
 +    return pci_dev->bus->map_irq(pci_dev, pin);
 +}
 +
  /***********************************************************/
  /* monitor info on PCI */
  
commit 4ba1bf027928c79482549d1d8a65134f028a9917
Merge: a243f2c... 57c6db2...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:35:17 2010 +0200

    Merge commit '57c6db2e2dec77a60bcfe6f93d756653f444a1f2' into upstream-merge
    
    * commit '57c6db2e2dec77a60bcfe6f93d756653f444a1f2':
      msix: clear not only INTA, but all INTx when MSI-X is enabled.
      pci: implement RW1C register framework.
      pci: improve signature of pci_register_bar().
      pci: don't ignore invalid parameter for pci_register_bar().
      pci: sorting out type confusion in pci_register_bar().
      pci_ids.h: add vendor id of Texas Intesruments
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc hw/pci.c
index 2ba96c7,abddc6d..87f4969
--- a/hw/pci.c
+++ b/hw/pci.c
@@@ -1119,23 -997,13 +1120,26 @@@ void pci_default_write_config(PCIDevic
      int i, was_irq_disabled = pci_irq_disabled(d);
      uint32_t config_size = pci_config_size(d);
  
 +    if (pci_access_cap_config(d, addr, l)) {
 +        d->cap.config_write(d, addr, val, l);
 +        return;
 +    }
 +
      for (i = 0; i < l && addr + i < config_size; val >>= 8, ++i) {
          uint8_t wmask = d->wmask[addr + i];
+         uint8_t w1cmask = d->w1cmask[addr + i];
+         assert(!(wmask & w1cmask));
          d->config[addr + i] = (d->config[addr + i] & ~wmask) | (val & wmask);
+         d->config[addr + i] &= ~(val & w1cmask); /* W1C: Write 1 to Clear */
      }
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    if (kvm_enabled() && kvm_irqchip_in_kernel() &&
 +        addr >= PIIX_CONFIG_IRQ_ROUTE &&
 +	addr < PIIX_CONFIG_IRQ_ROUTE + 4)
 +        assigned_dev_update_irqs();
 +#endif /* CONFIG_KVM_DEVICE_ASSIGNMENT */
 +
      if (ranges_overlap(addr, l, PCI_BASE_ADDRESS_0, 24) ||
          ranges_overlap(addr, l, PCI_ROM_ADDRESS, 4) ||
          ranges_overlap(addr, l, PCI_ROM_ADDRESS1, 4) ||
diff --cc hw/pci.h
index f301b7e,d8b399f..62f3714
--- a/hw/pci.h
+++ b/hw/pci.h
@@@ -222,20 -183,9 +225,20 @@@ PCIDevice *pci_register_device(PCIBus *
                                 PCIConfigWriteFunc *config_write);
  
  void pci_register_bar(PCIDevice *pci_dev, int region_num,
-                             pcibus_t size, int type,
+                             pcibus_t size, uint8_t type,
                              PCIMapIORegionFunc *map_func);
  
 +void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr,
 +                        pcibus_t size, int type);
 +
 +int pci_enable_capability_support(PCIDevice *pci_dev,
 +                                  uint32_t config_start,
 +                                  PCICapConfigReadFunc *config_read,
 +                                  PCICapConfigWriteFunc *config_write,
 +                                  PCICapConfigInitFunc *config_init);
 +
 +int pci_map_irq(PCIDevice *pci_dev, int pin);
 +
  int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
                         uint8_t offset, uint8_t size);
  
commit a243f2c681abe48b613db63bd2b58366330e6ce0
Merge: 47f1b51... 43c945f...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:14:08 2010 +0200

    Merge commit '43c945f16a172f07145ca1f30abb958070228690' into upstream-merge
    
    * commit '43c945f16a172f07145ca1f30abb958070228690':
      pci: make pci_parse_devfn() aware of func.
      pci: call hotplug callback even when not hotplug case for later use.
      pci bridge: add helper function for ssvid capability.
    
    Conflicts:
    	hw/pci.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc hw/pci_bridge.c
index 72858d4,638e3b3..71f4b6b
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@@ -31,8 -31,26 +31,27 @@@
  
  #include "pci_bridge.h"
  #include "pci_internals.h"
 +#include "range.h"
  
+ /* PCI bridge subsystem vendor ID helper functions */
+ #define PCI_SSVID_SIZEOF        8
+ #define PCI_SSVID_SVID          4
+ #define PCI_SSVID_SSID          6
+ 
+ int pci_bridge_ssvid_init(PCIDevice *dev, uint8_t offset,
+                           uint16_t svid, uint16_t ssid)
+ {
+     int pos;
+     pos = pci_add_capability(dev, PCI_CAP_ID_SSVID, offset, PCI_SSVID_SIZEOF);
+     if (pos < 0) {
+         return pos;
+     }
+ 
+     pci_set_word(dev->config + pos + PCI_SSVID_SVID, svid);
+     pci_set_word(dev->config + pos + PCI_SSVID_SSID, ssid);
+     return pos;
+ }
+ 
  /* Accessor function to get parent bridge device from pci bus. */
  PCIDevice *pci_bridge_get_device(PCIBus *bus)
  {
commit 47f1b51a79b2c7b7591e06e7fb01d5c9cc30f0b8
Merge: 9887e4e... 055403b...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 16:08:38 2010 +0200

    Merge commit '055403b2a72729497fb58e0c6293547e767679d3' into upstream-merge
    
    * commit '055403b2a72729497fb58e0c6293547e767679d3':
      exec: Use fprintf_function for dump_exec_info (format checking)
      tcg: Use fprintf_function (format checking)
      Add fprintf_function for function pointers to fprintf-like functions
      Mov muldiv64 to qemu-common.h (Thus unbreaking gus)
    
    Conflicts:
    	exec.c
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc exec.c
index 69b8a27,db9ff55..2ea87c1
--- a/exec.c
+++ b/exec.c
@@@ -23,24 -23,11 +23,17 @@@
  #include <sys/types.h>
  #include <sys/mman.h>
  #endif
- #include <stdlib.h>
- #include <stdio.h>
- #include <stdarg.h>
- #include <string.h>
- #include <errno.h>
- #include <unistd.h>
- #include <inttypes.h>
  
+ #include "qemu-common.h"
  #include "cpu.h"
  #include "exec-all.h"
- #include "qemu-common.h"
 +#include "cache-utils.h"
 +
 +#if !defined(TARGET_IA64)
  #include "tcg.h"
 +#endif
 +#include "qemu-kvm.h"
 +
  #include "hw/hw.h"
  #include "hw/qdev.h"
  #include "osdep.h"
commit 9887e4e27e04799c8a1328dae9d7d54b34fda825
Merge: cfe2b20... ca77089...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 15:47:24 2010 +0200

    Merge commit 'ca77089d2d8e73283bfc73f03d954504561e1ce8' into upstream-merge
    
    * commit 'ca77089d2d8e73283bfc73f03d954504561e1ce8':
      pci: consolidate pci_add_capability_at_offset() into pci_add_capability().
      pci_bridge: introduce pci bridge library.
      pci_bridge: clean up: remove pci_{register, unregister}_secondary_bus()
      pci_bridge: rename PCIBridge::bus -> PCIBridge::sec_bus.
    
    Conflicts:
    	hw/msix.c
    	hw/pci.h
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc hw/msix.c
index b98b34a,7ce63eb..012c634
--- a/hw/msix.c
+++ b/hw/msix.c
@@@ -167,43 -55,36 +167,43 @@@ static int msix_add_config(struct PCIDe
  {
      int config_offset;
      uint8_t *config;
 -    uint32_t new_size;
  
 -    if (nentries < 1 || nentries > PCI_MSIX_FLAGS_QSIZE + 1)
 -        return -EINVAL;
 -    if (bar_size > 0x80000000)
 -        return -ENOSPC;
 -
 -    /* Add space for MSI-X structures */
 -    if (!bar_size) {
 -        new_size = MSIX_PAGE_SIZE;
 -    } else if (bar_size < MSIX_PAGE_SIZE) {
 -        bar_size = MSIX_PAGE_SIZE;
 -        new_size = MSIX_PAGE_SIZE * 2;
 -    } else {
 -        new_size = bar_size * 2;
 -    }
 -
 -    pdev->msix_bar_size = new_size;
 -    config_offset = pci_add_capability(pdev, PCI_CAP_ID_MSIX,
 -                                       0, MSIX_CAP_LENGTH);
 -    if (config_offset < 0)
 -        return config_offset;
 -    config = pdev->config + config_offset;
 -
 -    pci_set_word(config + PCI_MSIX_FLAGS, nentries - 1);
 -    /* Table on top of BAR */
 -    pci_set_long(config + MSIX_TABLE_OFFSET, bar_size | bar_nr);
 -    /* Pending bits on top of that */
 -    pci_set_long(config + MSIX_PBA_OFFSET, (bar_size + MSIX_PAGE_PENDING) |
 -                 bar_nr);
 +    pdev->msix_bar_size = bar_size;
 +
 +    config_offset = pci_find_capability(pdev, PCI_CAP_ID_MSIX);
 +
 +    if (!config_offset) {
 +        uint32_t new_size;
 +
 +        if (nentries < 1 || nentries > PCI_MSIX_FLAGS_QSIZE + 1)
 +            return -EINVAL;
 +        if (bar_size > 0x80000000)
 +            return -ENOSPC;
 +
 +        /* Add space for MSI-X structures */
 +        if (!bar_size) {
 +            new_size = MSIX_PAGE_SIZE;
 +        } else if (bar_size < MSIX_PAGE_SIZE) {
 +            bar_size = MSIX_PAGE_SIZE;
 +            new_size = MSIX_PAGE_SIZE * 2;
 +        } else {
 +            new_size = bar_size * 2;
 +        }
 +
 +        pdev->msix_bar_size = new_size;
 +        config_offset = pci_add_capability(pdev, PCI_CAP_ID_MSIX,
-                                            MSIX_CAP_LENGTH);
++                                           0, MSIX_CAP_LENGTH);
 +        if (config_offset < 0)
 +            return config_offset;
 +        config = pdev->config + config_offset;
 +
 +        pci_set_word(config + PCI_MSIX_FLAGS, nentries - 1);
 +        /* Table on top of BAR */
 +        pci_set_long(config + MSIX_TABLE_OFFSET, bar_size | bar_nr);
 +        /* Pending bits on top of that */
 +        pci_set_long(config + MSIX_PBA_OFFSET, (bar_size + MSIX_PAGE_PENDING) |
 +                     bar_nr);
 +    }
      pdev->msix_cap = config_offset;
      /* Make flags bit writeable. */
      pdev->wmask[config_offset + MSIX_CONTROL_OFFSET] |= MSIX_ENABLE_MASK |
diff --cc hw/pci.h
index b4da8a5,2ddba59..77e9353
--- a/hw/pci.h
+++ b/hw/pci.h
@@@ -225,20 -183,8 +225,19 @@@ void pci_register_bar(PCIDevice *pci_de
                              pcibus_t size, int type,
                              PCIMapIORegionFunc *map_func);
  
 +void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr,
 +                        pcibus_t size, int type);
 +
 +int pci_enable_capability_support(PCIDevice *pci_dev,
 +                                  uint32_t config_start,
 +                                  PCICapConfigReadFunc *config_read,
 +                                  PCICapConfigWriteFunc *config_write,
 +                                  PCICapConfigInitFunc *config_init);
 +
 +int pci_map_irq(PCIDevice *pci_dev, int pin);
 +
- int pci_add_capability(PCIDevice *pci_dev, uint8_t cap_id, uint8_t cap_size);
- int pci_add_capability_at_offset(PCIDevice *pci_dev, uint8_t cap_id,
-                                  uint8_t cap_offset, uint8_t cap_size);
+ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
+                        uint8_t offset, uint8_t size);
  
  void pci_del_capability(PCIDevice *pci_dev, uint8_t cap_id, uint8_t cap_size);
  
diff --cc hw/pci_bridge.c
index 9d2173c,198c3c7..72858d4
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@@ -31,8 -31,8 +31,9 @@@
  
  #include "pci_bridge.h"
  #include "pci_internals.h"
 +#include "range.h"
  
+ /* Accessor function to get parent bridge device from pci bus. */
  PCIDevice *pci_bridge_get_device(PCIBus *bus)
  {
      return bus->parent_dev;
commit cfe2b2060a7e087871530602001c0b532c2693fe
Merge: 420fe74... 783753f...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Nov 14 15:18:50 2010 +0200

    Merge commit '783753fd53fe513d37fbbfe6694c0c1ab9701fd1' into upstream-merge
    
    * commit '783753fd53fe513d37fbbfe6694c0c1ab9701fd1':
      pci/bridge: split out pci bridge code into pci_bridge.c from pci.c
      pci: move out pci internal structures, PCIBus, PCIBridge, and pci_bus_info.
    
    Conflicts:
    	Makefile.objs
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc Makefile.objs
index e9beeed,594894b..b3688a2
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -151,9 -137,9 +151,9 @@@ user-obj-y += cutils.o cache-utils.
  # libhw
  
  hw-obj-y =
 -hw-obj-y += vl.o loader.o
 +hw-obj-y += loader.o
  hw-obj-y += virtio.o virtio-console.o
- hw-obj-y += fw_cfg.o pcie_host.o pci_host.o
 -hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
++hw-obj-y += fw_cfg.o pci_host.o pcie_host.o pci_bridge.o
  hw-obj-y += watchdog.o
  hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
  hw-obj-$(CONFIG_ECC) += ecc.o
diff --cc hw/pci.h
index 334e928,c551f96..b4da8a5
--- a/hw/pci.h
+++ b/hw/pci.h
@@@ -288,15 -231,9 +288,12 @@@ PCIBus *pci_get_bus_devfn(int *devfnp, 
  int pci_read_devaddr(Monitor *mon, const char *addr, int *domp, int *busp,
                       unsigned *slotp);
  
 +int pci_parse_host_devaddr(const char *addr, int *segp, int *busp,
 +                           int *slotp, int *funcp);
 +
  void do_pci_info_print(Monitor *mon, const QObject *data);
  void do_pci_info(Monitor *mon, QObject **ret_data);
- PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
-                         uint16_t vid, uint16_t did,
-                         pci_map_irq_fn map_irq, const char *name);
- PCIDevice *pci_bridge_get_device(PCIBus *bus);
+ void pci_bridge_update_mappings(PCIBus *b);
  
  static inline void
  pci_set_byte(uint8_t *config, uint8_t val)
diff --cc hw/pci_bridge.c
index 0000000,7f27870..9d2173c
mode 000000,100644..100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@@ -1,0 -1,208 +1,209 @@@
+ /*
+  * QEMU PCI bus manager
+  *
+  * Copyright (c) 2004 Fabrice Bellard
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a copy
+  * of this software and associated documentation files (the "Software"), to dea
+ 
+  * in the Software without restriction, including without limitation the rights
+  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  * copies of the Software, and to permit persons to whom the Software is
+  * furnished to do so, subject to the following conditions:
+  *
+  * The above copyright notice and this permission notice shall be included in
+  * all copies or substantial portions of the Software.
+  *
+  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM
+ 
+  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  * THE SOFTWARE.
+  */
+ /*
+  * split out from pci.c
+  * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+  *                    VA Linux Systems Japan K.K.
+  */
+ 
+ #include "pci_bridge.h"
+ #include "pci_internals.h"
++#include "range.h"
+ 
+ PCIDevice *pci_bridge_get_device(PCIBus *bus)
+ {
+     return bus->parent_dev;
+ }
+ 
+ static void pci_register_secondary_bus(PCIBus *parent,
+                                        PCIBus *bus,
+                                        PCIDevice *dev,
+                                        pci_map_irq_fn map_irq,
+                                        const char *name)
+ {
+     qbus_create_inplace(&bus->qbus, &pci_bus_info, &dev->qdev, name);
+     bus->map_irq = map_irq;
+     bus->parent_dev = dev;
+ 
+     QLIST_INIT(&bus->child);
+     QLIST_INSERT_HEAD(&parent->child, bus, sibling);
+ }
+ 
+ static void pci_unregister_secondary_bus(PCIBus *bus)
+ {
+     assert(QLIST_EMPTY(&bus->child));
+     QLIST_REMOVE(bus, sibling);
+ }
+ 
+ static uint32_t pci_config_get_io_base(PCIDevice *d,
+                                        uint32_t base, uint32_t base_upper16)
+ {
+     uint32_t val;
+ 
+     val = ((uint32_t)d->config[base] & PCI_IO_RANGE_MASK) << 8;
+     if (d->config[base] & PCI_IO_RANGE_TYPE_32) {
+         val |= (uint32_t)pci_get_word(d->config + base_upper16) << 16;
+     }
+     return val;
+ }
+ 
+ static pcibus_t pci_config_get_memory_base(PCIDevice *d, uint32_t base)
+ {
+     return ((pcibus_t)pci_get_word(d->config + base) & PCI_MEMORY_RANGE_MASK)
+         << 16;
+ }
+ 
+ static pcibus_t pci_config_get_pref_base(PCIDevice *d,
+                                          uint32_t base, uint32_t upper)
+ {
+     pcibus_t tmp;
+     pcibus_t val;
+ 
+     tmp = (pcibus_t)pci_get_word(d->config + base);
+     val = (tmp & PCI_PREF_RANGE_MASK) << 16;
+     if (tmp & PCI_PREF_RANGE_TYPE_64) {
+         val |= (pcibus_t)pci_get_long(d->config + upper) << 32;
+     }
+     return val;
+ }
+ 
+ pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type)
+ {
+     pcibus_t base;
+     if (type & PCI_BASE_ADDRESS_SPACE_IO) {
+         base = pci_config_get_io_base(bridge,
+                                       PCI_IO_BASE, PCI_IO_BASE_UPPER16);
+     } else {
+         if (type & PCI_BASE_ADDRESS_MEM_PREFETCH) {
+             base = pci_config_get_pref_base(
+                 bridge, PCI_PREF_MEMORY_BASE, PCI_PREF_BASE_UPPER32);
+         } else {
+             base = pci_config_get_memory_base(bridge, PCI_MEMORY_BASE);
+         }
+     }
+ 
+     return base;
+ }
+ 
+ pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type)
+ {
+     pcibus_t limit;
+     if (type & PCI_BASE_ADDRESS_SPACE_IO) {
+         limit = pci_config_get_io_base(bridge,
+                                       PCI_IO_LIMIT, PCI_IO_LIMIT_UPPER16);
+         limit |= 0xfff;         /* PCI bridge spec 3.2.5.6. */
+     } else {
+         if (type & PCI_BASE_ADDRESS_MEM_PREFETCH) {
+             limit = pci_config_get_pref_base(
+                 bridge, PCI_PREF_MEMORY_LIMIT, PCI_PREF_LIMIT_UPPER32);
+         } else {
+             limit = pci_config_get_memory_base(bridge, PCI_MEMORY_LIMIT);
+         }
+         limit |= 0xfffff;       /* PCI bridge spec 3.2.5.{1, 8}. */
+     }
+     return limit;
+ }
+ 
+ static void pci_bridge_write_config(PCIDevice *d,
+                              uint32_t address, uint32_t val, int len)
+ {
+     pci_default_write_config(d, address, val, len);
+ 
+     if (/* io base/limit */
+         ranges_overlap(address, len, PCI_IO_BASE, 2) ||
+ 
+         /* memory base/limit, prefetchable base/limit and
+            io base/limit upper 16 */
+         ranges_overlap(address, len, PCI_MEMORY_BASE, 20)) {
+         PCIBridge *s = container_of(d, PCIBridge, dev);
+         PCIBus *secondary_bus = &s->bus;
+         pci_bridge_update_mappings(secondary_bus);
+     }
+ }
+ 
+ static int pci_bridge_initfn(PCIDevice *dev)
+ {
+     PCIBridge *s = DO_UPCAST(PCIBridge, dev, dev);
+ 
+     pci_config_set_vendor_id(s->dev.config, s->vid);
+     pci_config_set_device_id(s->dev.config, s->did);
+ 
+     pci_set_word(dev->config + PCI_STATUS,
+                  PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
+     pci_config_set_class(dev->config, PCI_CLASS_BRIDGE_PCI);
+     dev->config[PCI_HEADER_TYPE] =
+         (dev->config[PCI_HEADER_TYPE] & PCI_HEADER_TYPE_MULTI_FUNCTION) |
+         PCI_HEADER_TYPE_BRIDGE;
+     pci_set_word(dev->config + PCI_SEC_STATUS,
+                  PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
+     return 0;
+ }
+ 
+ static int pci_bridge_exitfn(PCIDevice *pci_dev)
+ {
+     PCIBridge *s = DO_UPCAST(PCIBridge, dev, pci_dev);
+     PCIBus *bus = &s->bus;
+     pci_unregister_secondary_bus(bus);
+     return 0;
+ }
+ 
+ PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
+                         uint16_t vid, uint16_t did,
+                         pci_map_irq_fn map_irq, const char *name)
+ {
+     PCIDevice *dev;
+     PCIBridge *s;
+ 
+     dev = pci_create_multifunction(bus, devfn, multifunction, "pci-bridge");
+     qdev_prop_set_uint32(&dev->qdev, "vendorid", vid);
+     qdev_prop_set_uint32(&dev->qdev, "deviceid", did);
+     qdev_init_nofail(&dev->qdev);
+ 
+     s = DO_UPCAST(PCIBridge, dev, dev);
+     pci_register_secondary_bus(bus, &s->bus, &s->dev, map_irq, name);
+     return &s->bus;
+ }
+ 
+ static PCIDeviceInfo bridge_info = {
+     .qdev.name    = "pci-bridge",
+     .qdev.size    = sizeof(PCIBridge),
+     .init         = pci_bridge_initfn,
+     .exit         = pci_bridge_exitfn,
+     .config_write = pci_bridge_write_config,
+     .is_bridge    = 1,
+     .qdev.props   = (Property[]) {
+         DEFINE_PROP_HEX32("vendorid", PCIBridge, vid, 0),
+         DEFINE_PROP_HEX32("deviceid", PCIBridge, did, 0),
+         DEFINE_PROP_END_OF_LIST(),
+     }
+ };
+ 
+ static void pci_register_devices(void)
+ {
+     pci_qdev_register(&bridge_info);
+ }
+ 
+ device_init(pci_register_devices)
commit e685b4eb649cbddd26f203b611eabeb714648f4d
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Nov 5 14:52:08 2010 -0600

    e1000: Fix TCP checksum overflow with TSO
    
    When adding the length to the pseudo header, we're not properly
    accounting for overflow.
    
    From: Mark Wu <dwu at redhat.com>
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/e1000.c b/hw/e1000.c
index 532efdc..677165f 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -384,9 +384,12 @@ xmit_seg(E1000State *s)
         } else	// UDP
             cpu_to_be16wu((uint16_t *)(tp->data+css+4), len);
         if (tp->sum_needed & E1000_TXD_POPTS_TXSM) {
+            unsigned int phsum;
             // add pseudo-header length before checksum calculation
             sp = (uint16_t *)(tp->data + tp->tucso);
-            cpu_to_be16wu(sp, be16_to_cpup(sp) + len);
+            phsum = be16_to_cpup(sp) + len;
+            phsum = (phsum >> 16) + (phsum & 0xffff);
+            cpu_to_be16wu(sp, phsum);
         }
         tp->tso_frames++;
     }
commit a5fd2c345f7a616e48e7f2be8b3060d23252180c
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Sun Oct 31 19:06:47 2010 +0200

    tap: make set_offload a nop after netdev cleanup
    
    virtio-net expects set_offload to succeed after
    peer cleanup.
    Since we don't have an open fd anymore, make it so.
    Fixes warning about the failure of offload setting.
    
    Reported-by: Jason Wang <jasowang at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net/tap.c b/net/tap.c
index 937d942..eada34a 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -269,8 +269,11 @@ void tap_set_offload(VLANClientState *nc, int csum, int tso4,
                      int tso6, int ecn, int ufo)
 {
     TAPState *s = DO_UPCAST(TAPState, nc, nc);
+    if (s->fd < 0) {
+        return;
+    }
 
-    return tap_fd_set_offload(s->fd, csum, tso4, tso6, ecn, ufo);
+    tap_fd_set_offload(s->fd, csum, tso4, tso6, ecn, ufo);
 }
 
 static void tap_cleanup(VLANClientState *nc)
@@ -290,6 +293,7 @@ static void tap_cleanup(VLANClientState *nc)
     tap_read_poll(s, 0);
     tap_write_poll(s, 0);
     close(s->fd);
+    s->fd = -1;
 }
 
 static void tap_poll(VLANClientState *nc, bool enable)
commit cf2c1839a955482f2e208d7400594bf076c222f2
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 11 13:07:52 2010 +0100

    add copyright to spiceaudio
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/spiceaudio.c b/audio/spiceaudio.c
index 51ba53a..373e4c4 100644
--- a/audio/spiceaudio.c
+++ b/audio/spiceaudio.c
@@ -1,3 +1,22 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * maintained by Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
 #include "hw/hw.h"
 #include "qemu-timer.h"
 #include "ui/qemu-spice.h"
commit 3e31375378f40558f1ee7c258f3cc63c85596bfc
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 17:29:46 2010 +0100

    spice: add audio
    
    Add support for the spice audio interface.  With this patch applied
    audio can be forwarded over the network from/to the spice client.  Both
    recording and playback is supported.
    
    The driver is first in the driver list, but the can_be_default flag is
    set only in case spice is active.  So if you have the spice protocol
    enabled the spice audio driver is the default one, otherwise whatever
    comes first after spice in the list.  Overriding the default using
    QEMU_AUDIO_DRV works in any case.
    
    [ v2: audio codestyle: add spaces before open parenthesis ]
    [ v2: add const to silence array ]
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Cc: malc <av1474 at comtv.ru>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/Makefile.objs b/Makefile.objs
index faf485e..15569af 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -102,6 +102,7 @@ common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o ui/spice-display.
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
 audio-obj-$(CONFIG_OSS) += ossaudio.o
+audio-obj-$(CONFIG_SPICE) += spiceaudio.o
 audio-obj-$(CONFIG_COREAUDIO) += coreaudio.o
 audio-obj-$(CONFIG_ALSA) += alsaaudio.o
 audio-obj-$(CONFIG_DSOUND) += dsoundaudio.o
diff --git a/audio/audio.c b/audio/audio.c
index ad51077..ade342e 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -44,6 +44,9 @@
     that we generate the list.
 */
 static struct audio_driver *drvtab[] = {
+#ifdef CONFIG_SPICE
+    &spice_audio_driver,
+#endif
     CONFIG_AUDIO_DRIVERS
     &no_audio_driver,
     &wav_audio_driver
diff --git a/audio/audio_int.h b/audio/audio_int.h
index d8560b6..d66f2c3 100644
--- a/audio/audio_int.h
+++ b/audio/audio_int.h
@@ -209,6 +209,7 @@ extern struct audio_driver coreaudio_audio_driver;
 extern struct audio_driver dsound_audio_driver;
 extern struct audio_driver esd_audio_driver;
 extern struct audio_driver pa_audio_driver;
+extern struct audio_driver spice_audio_driver;
 extern struct audio_driver winwave_audio_driver;
 extern struct mixeng_volume nominal_volume;
 
diff --git a/audio/spiceaudio.c b/audio/spiceaudio.c
new file mode 100644
index 0000000..51ba53a
--- /dev/null
+++ b/audio/spiceaudio.c
@@ -0,0 +1,327 @@
+#include "hw/hw.h"
+#include "qemu-timer.h"
+#include "ui/qemu-spice.h"
+
+#define AUDIO_CAP "spice"
+#include "audio.h"
+#include "audio_int.h"
+
+#define LINE_IN_SAMPLES 1024
+#define LINE_OUT_SAMPLES 1024
+
+typedef struct SpiceRateCtl {
+    int64_t               start_ticks;
+    int64_t               bytes_sent;
+} SpiceRateCtl;
+
+typedef struct SpiceVoiceOut {
+    HWVoiceOut            hw;
+    SpicePlaybackInstance sin;
+    SpiceRateCtl          rate;
+    int                   active;
+    uint32_t              *frame;
+    uint32_t              *fpos;
+    uint32_t              fsize;
+} SpiceVoiceOut;
+
+typedef struct SpiceVoiceIn {
+    HWVoiceIn             hw;
+    SpiceRecordInstance   sin;
+    SpiceRateCtl          rate;
+    int                   active;
+    uint32_t              samples[LINE_IN_SAMPLES];
+} SpiceVoiceIn;
+
+static const SpicePlaybackInterface playback_sif = {
+    .base.type          = SPICE_INTERFACE_PLAYBACK,
+    .base.description   = "playback",
+    .base.major_version = SPICE_INTERFACE_PLAYBACK_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_PLAYBACK_MINOR,
+};
+
+static const SpiceRecordInterface record_sif = {
+    .base.type          = SPICE_INTERFACE_RECORD,
+    .base.description   = "record",
+    .base.major_version = SPICE_INTERFACE_RECORD_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_RECORD_MINOR,
+};
+
+static void *spice_audio_init (void)
+{
+    if (!using_spice) {
+        return NULL;
+    }
+    return &spice_audio_init;
+}
+
+static void spice_audio_fini (void *opaque)
+{
+    /* nothing */
+}
+
+static void rate_start (SpiceRateCtl *rate)
+{
+    memset (rate, 0, sizeof (*rate));
+    rate->start_ticks = qemu_get_clock (vm_clock);
+}
+
+static int rate_get_samples (struct audio_pcm_info *info, SpiceRateCtl *rate)
+{
+    int64_t now;
+    int64_t ticks;
+    int64_t bytes;
+    int64_t samples;
+
+    now = qemu_get_clock (vm_clock);
+    ticks = now - rate->start_ticks;
+    bytes = muldiv64 (ticks, info->bytes_per_second, get_ticks_per_sec ());
+    samples = (bytes - rate->bytes_sent) >> info->shift;
+    if (samples < 0 || samples > 65536) {
+        fprintf (stderr, "Resetting rate control (%" PRId64 " samples)\n", samples);
+        rate_start (rate);
+        samples = 0;
+    }
+    rate->bytes_sent += samples << info->shift;
+    return samples;
+}
+
+/* playback */
+
+static int line_out_init (HWVoiceOut *hw, struct audsettings *as)
+{
+    SpiceVoiceOut *out = container_of (hw, SpiceVoiceOut, hw);
+    struct audsettings settings;
+
+    settings.freq       = SPICE_INTERFACE_PLAYBACK_FREQ;
+    settings.nchannels  = SPICE_INTERFACE_PLAYBACK_CHAN;
+    settings.fmt        = AUD_FMT_S16;
+    settings.endianness = AUDIO_HOST_ENDIANNESS;
+
+    audio_pcm_init_info (&hw->info, &settings);
+    hw->samples = LINE_OUT_SAMPLES;
+    out->active = 0;
+
+    out->sin.base.sif = &playback_sif.base;
+    qemu_spice_add_interface (&out->sin.base);
+    return 0;
+}
+
+static void line_out_fini (HWVoiceOut *hw)
+{
+    SpiceVoiceOut *out = container_of (hw, SpiceVoiceOut, hw);
+
+    spice_server_remove_interface (&out->sin.base);
+}
+
+static int line_out_run (HWVoiceOut *hw, int live)
+{
+    SpiceVoiceOut *out = container_of (hw, SpiceVoiceOut, hw);
+    int rpos, decr;
+    int samples;
+
+    if (!live) {
+        return 0;
+    }
+
+    decr = rate_get_samples (&hw->info, &out->rate);
+    decr = audio_MIN (live, decr);
+
+    samples = decr;
+    rpos = hw->rpos;
+    while (samples) {
+        int left_till_end_samples = hw->samples - rpos;
+        int len = audio_MIN (samples, left_till_end_samples);
+
+        if (!out->frame) {
+            spice_server_playback_get_buffer (&out->sin, &out->frame, &out->fsize);
+            out->fpos = out->frame;
+        }
+        if (out->frame) {
+            len = audio_MIN (len, out->fsize);
+            hw->clip (out->fpos, hw->mix_buf + rpos, len);
+            out->fsize -= len;
+            out->fpos  += len;
+            if (out->fsize == 0) {
+                spice_server_playback_put_samples (&out->sin, out->frame);
+                out->frame = out->fpos = NULL;
+            }
+        }
+        rpos = (rpos + len) % hw->samples;
+        samples -= len;
+    }
+    hw->rpos = rpos;
+    return decr;
+}
+
+static int line_out_write (SWVoiceOut *sw, void *buf, int len)
+{
+    return audio_pcm_sw_write (sw, buf, len);
+}
+
+static int line_out_ctl (HWVoiceOut *hw, int cmd, ...)
+{
+    SpiceVoiceOut *out = container_of (hw, SpiceVoiceOut, hw);
+
+    switch (cmd) {
+    case VOICE_ENABLE:
+        if (out->active) {
+            break;
+        }
+        out->active = 1;
+        rate_start (&out->rate);
+        spice_server_playback_start (&out->sin);
+        break;
+    case VOICE_DISABLE:
+        if (!out->active) {
+            break;
+        }
+        out->active = 0;
+        if (out->frame) {
+            memset (out->fpos, 0, out->fsize << 2);
+            spice_server_playback_put_samples (&out->sin, out->frame);
+            out->frame = out->fpos = NULL;
+        }
+        spice_server_playback_stop (&out->sin);
+        break;
+    }
+    return 0;
+}
+
+/* record */
+
+static int line_in_init (HWVoiceIn *hw, struct audsettings *as)
+{
+    SpiceVoiceIn *in = container_of (hw, SpiceVoiceIn, hw);
+    struct audsettings settings;
+
+    settings.freq       = SPICE_INTERFACE_RECORD_FREQ;
+    settings.nchannels  = SPICE_INTERFACE_RECORD_CHAN;
+    settings.fmt        = AUD_FMT_S16;
+    settings.endianness = AUDIO_HOST_ENDIANNESS;
+
+    audio_pcm_init_info (&hw->info, &settings);
+    hw->samples = LINE_IN_SAMPLES;
+    in->active = 0;
+
+    in->sin.base.sif = &record_sif.base;
+    qemu_spice_add_interface (&in->sin.base);
+    return 0;
+}
+
+static void line_in_fini (HWVoiceIn *hw)
+{
+    SpiceVoiceIn *in = container_of (hw, SpiceVoiceIn, hw);
+
+    spice_server_remove_interface (&in->sin.base);
+}
+
+static int line_in_run (HWVoiceIn *hw)
+{
+    SpiceVoiceIn *in = container_of (hw, SpiceVoiceIn, hw);
+    int num_samples;
+    int ready;
+    int len[2];
+    uint64_t delta_samp;
+    const uint32_t *samples;
+
+    if (!(num_samples = hw->samples - audio_pcm_hw_get_live_in (hw))) {
+        return 0;
+    }
+
+    delta_samp = rate_get_samples (&hw->info, &in->rate);
+    num_samples = audio_MIN (num_samples, delta_samp);
+
+    ready = spice_server_record_get_samples (&in->sin, in->samples, num_samples);
+    samples = in->samples;
+    if (ready == 0) {
+        static const uint32_t silence[LINE_IN_SAMPLES];
+        samples = silence;
+        ready = LINE_IN_SAMPLES;
+    }
+
+    num_samples = audio_MIN (ready, num_samples);
+
+    if (hw->wpos + num_samples > hw->samples) {
+        len[0] = hw->samples - hw->wpos;
+        len[1] = num_samples - len[0];
+    } else {
+        len[0] = num_samples;
+        len[1] = 0;
+    }
+
+    hw->conv (hw->conv_buf + hw->wpos, samples, len[0], &nominal_volume);
+
+    if (len[1]) {
+        hw->conv (hw->conv_buf, samples + len[0], len[1],
+                  &nominal_volume);
+    }
+
+    hw->wpos = (hw->wpos + num_samples) % hw->samples;
+
+    return num_samples;
+}
+
+static int line_in_read (SWVoiceIn *sw, void *buf, int size)
+{
+    return audio_pcm_sw_read (sw, buf, size);
+}
+
+static int line_in_ctl (HWVoiceIn *hw, int cmd, ...)
+{
+    SpiceVoiceIn *in = container_of (hw, SpiceVoiceIn, hw);
+
+    switch (cmd) {
+    case VOICE_ENABLE:
+        if (in->active) {
+            break;
+        }
+        in->active = 1;
+        rate_start (&in->rate);
+        spice_server_record_start (&in->sin);
+        break;
+    case VOICE_DISABLE:
+        if (!in->active) {
+            break;
+        }
+        in->active = 0;
+        spice_server_record_stop (&in->sin);
+        break;
+    }
+    return 0;
+}
+
+static struct audio_option audio_options[] = {
+    { /* end of list */ },
+};
+
+static struct audio_pcm_ops audio_callbacks = {
+    .init_out = line_out_init,
+    .fini_out = line_out_fini,
+    .run_out  = line_out_run,
+    .write    = line_out_write,
+    .ctl_out  = line_out_ctl,
+
+    .init_in  = line_in_init,
+    .fini_in  = line_in_fini,
+    .run_in   = line_in_run,
+    .read     = line_in_read,
+    .ctl_in   = line_in_ctl,
+};
+
+struct audio_driver spice_audio_driver = {
+    .name           = "spice",
+    .descr          = "spice audio driver",
+    .options        = audio_options,
+    .init           = spice_audio_init,
+    .fini           = spice_audio_fini,
+    .pcm_ops        = &audio_callbacks,
+    .max_voices_out = 1,
+    .max_voices_in  = 1,
+    .voice_size_out = sizeof (SpiceVoiceOut),
+    .voice_size_in  = sizeof (SpiceVoiceIn),
+};
+
+void qemu_spice_audio_init (void)
+{
+    spice_audio_driver.can_be_default = 1;
+}
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 063c7dc..0e3ad9b 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -29,6 +29,7 @@ extern int using_spice;
 
 void qemu_spice_init(void);
 void qemu_spice_input_init(void);
+void qemu_spice_audio_init(void);
 void qemu_spice_display_init(DisplayState *ds);
 int qemu_spice_add_interface(SpiceBaseInstance *sin);
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 6a1cf17..6c404b3 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -361,6 +361,7 @@ void qemu_spice_init(void)
     using_spice = 1;
 
     qemu_spice_input_init();
+    qemu_spice_audio_init();
 
     qemu_free(x509_key_file);
     qemu_free(x509_cert_file);
commit df0db2212d86e98c41774600c44cc960ddc2b68c
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 17:28:38 2010 +0100

    intel-hda: fix codec addressing.
    
    The HDA bus supports up to 15 codecs, with addresses 0 ... 14.
    We get that wrong in two places:
    
     * When handing out addresses we accept address 15 as valid.
     * The bitmasks for two registers (WAKEEN and STATESTS) don't
       have bit 14 set.
    
    This patch fixes it.
    
    [ v2: codestyle: add braces ]
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 5e13dc3..fe31624 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -56,8 +56,9 @@ static int hda_codec_dev_init(DeviceState *qdev, DeviceInfo *base)
     if (dev->cad == -1) {
         dev->cad = bus->next_cad;
     }
-    if (dev->cad > 15)
+    if (dev->cad >= 15) {
         return -1;
+    }
     bus->next_cad = dev->cad + 1;
     return info->init(dev);
 }
@@ -643,15 +644,15 @@ static const struct IntelHDAReg regtab[] = {
     [ ICH6_REG_WAKEEN ] = {
         .name     = "WAKEEN",
         .size     = 2,
-        .wmask    = 0x3fff,
+        .wmask    = 0x7fff,
         .offset   = offsetof(IntelHDAState, wake_en),
         .whandler = intel_hda_set_wake_en,
     },
     [ ICH6_REG_STATESTS ] = {
         .name     = "STATESTS",
         .size     = 2,
-        .wmask    = 0x3fff,
-        .wclear   = 0x3fff,
+        .wmask    = 0x7fff,
+        .wclear   = 0x7fff,
         .offset   = offsetof(IntelHDAState, state_sts),
         .whandler = intel_hda_set_state_sts,
     },
commit e2553eb44e4ddd0b22124216d3dd20b6a0fecefb
Author: malc <av1474 at comtv.ru>
Date:   Tue Nov 9 19:14:15 2010 +0300

    Revert "intel-hda: fix codec addressing."
    
    Misses braces
    
    This reverts commit acc086837e49b44f15eff6007bb1726844df7aec.

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index b34b140..5e13dc3 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -56,7 +56,7 @@ static int hda_codec_dev_init(DeviceState *qdev, DeviceInfo *base)
     if (dev->cad == -1) {
         dev->cad = bus->next_cad;
     }
-    if (dev->cad >= 15)
+    if (dev->cad > 15)
         return -1;
     bus->next_cad = dev->cad + 1;
     return info->init(dev);
@@ -643,15 +643,15 @@ static const struct IntelHDAReg regtab[] = {
     [ ICH6_REG_WAKEEN ] = {
         .name     = "WAKEEN",
         .size     = 2,
-        .wmask    = 0x7fff,
+        .wmask    = 0x3fff,
         .offset   = offsetof(IntelHDAState, wake_en),
         .whandler = intel_hda_set_wake_en,
     },
     [ ICH6_REG_STATESTS ] = {
         .name     = "STATESTS",
         .size     = 2,
-        .wmask    = 0x7fff,
-        .wclear   = 0x7fff,
+        .wmask    = 0x3fff,
+        .wclear   = 0x3fff,
         .offset   = offsetof(IntelHDAState, state_sts),
         .whandler = intel_hda_set_state_sts,
     },
commit acc086837e49b44f15eff6007bb1726844df7aec
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 11:47:49 2010 +0100

    intel-hda: fix codec addressing.
    
    The HDA bus supports up to 15 codecs, with addresses 0 ... 14.
    We get that wrong in two places:
    
     * When handing out addresses we accept address 15 as valid.
     * The bitmasks for two registers (WAKEEN and STATESTS) don't
       have bit 14 set.
    
    This patch fixes it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 5e13dc3..b34b140 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -56,7 +56,7 @@ static int hda_codec_dev_init(DeviceState *qdev, DeviceInfo *base)
     if (dev->cad == -1) {
         dev->cad = bus->next_cad;
     }
-    if (dev->cad > 15)
+    if (dev->cad >= 15)
         return -1;
     bus->next_cad = dev->cad + 1;
     return info->init(dev);
@@ -643,15 +643,15 @@ static const struct IntelHDAReg regtab[] = {
     [ ICH6_REG_WAKEEN ] = {
         .name     = "WAKEEN",
         .size     = 2,
-        .wmask    = 0x3fff,
+        .wmask    = 0x7fff,
         .offset   = offsetof(IntelHDAState, wake_en),
         .whandler = intel_hda_set_wake_en,
     },
     [ ICH6_REG_STATESTS ] = {
         .name     = "STATESTS",
         .size     = 2,
-        .wmask    = 0x3fff,
-        .wclear   = 0x3fff,
+        .wmask    = 0x7fff,
+        .wclear   = 0x7fff,
         .offset   = offsetof(IntelHDAState, state_sts),
         .whandler = intel_hda_set_state_sts,
     },
commit 17786d52acd3e18e77cd7e823f7d6bad9ece818e
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 11:47:48 2010 +0100

    intel-hda: add msi support
    
    This patch adds MSI support to the intel hda audio driver.  It is
    enabled by default, use '-device intel-hda,msi=0' to disable it.
    
    [ v2: codestyle: add braces ]
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index e478e67..5e13dc3 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -19,6 +19,7 @@
 
 #include "hw.h"
 #include "pci.h"
+#include "msi.h"
 #include "qemu-timer.h"
 #include "audiodev.h"
 #include "intel-hda.h"
@@ -188,6 +189,7 @@ struct IntelHDAState {
 
     /* properties */
     uint32_t debug;
+    uint32_t msi;
 };
 
 struct IntelHDAReg {
@@ -268,6 +270,7 @@ static void intel_hda_update_int_sts(IntelHDAState *d)
 
 static void intel_hda_update_irq(IntelHDAState *d)
 {
+    int msi = d->msi && msi_enabled(&d->pci);
     int level;
 
     intel_hda_update_int_sts(d);
@@ -276,8 +279,15 @@ static void intel_hda_update_irq(IntelHDAState *d)
     } else {
         level = 0;
     }
-    dprint(d, 2, "%s: level %d\n", __FUNCTION__, level);
-    qemu_set_irq(d->pci.irq[0], level);
+    dprint(d, 2, "%s: level %d [%s]\n", __FUNCTION__,
+           level, msi ? "msi" : "intx");
+    if (msi) {
+        if (level) {
+            msi_notify(&d->pci, 0);
+        }
+    } else {
+        qemu_set_irq(d->pci.irq[0], level);
+    }
 }
 
 static int intel_hda_send_command(IntelHDAState *d, uint32_t verb)
@@ -1148,6 +1158,9 @@ static int intel_hda_init(PCIDevice *pci)
                                           intel_hda_mmio_write, d);
     pci_register_bar(&d->pci, 0, 0x4000, PCI_BASE_ADDRESS_SPACE_MEMORY,
                      intel_hda_map);
+    if (d->msi) {
+        msi_init(&d->pci, 0x50, 1, true, false);
+    }
 
     hda_codec_bus_init(&d->pci.qdev, &d->codecs,
                        intel_hda_response, intel_hda_xfer);
@@ -1159,10 +1172,24 @@ static int intel_hda_exit(PCIDevice *pci)
 {
     IntelHDAState *d = DO_UPCAST(IntelHDAState, pci, pci);
 
+    if (d->msi) {
+        msi_uninit(&d->pci);
+    }
     cpu_unregister_io_memory(d->mmio_addr);
     return 0;
 }
 
+static void intel_hda_write_config(PCIDevice *pci, uint32_t addr,
+                                   uint32_t val, int len)
+{
+    IntelHDAState *d = DO_UPCAST(IntelHDAState, pci, pci);
+
+    pci_default_write_config(pci, addr, val, len);
+    if (d->msi) {
+        msi_write_config(pci, addr, val, len);
+    }
+}
+
 static int intel_hda_post_load(void *opaque, int version)
 {
     IntelHDAState* d = opaque;
@@ -1246,8 +1273,10 @@ static PCIDeviceInfo intel_hda_info = {
     .qdev.reset   = intel_hda_reset,
     .init         = intel_hda_init,
     .exit         = intel_hda_exit,
+    .config_write = intel_hda_write_config,
     .qdev.props   = (Property[]) {
         DEFINE_PROP_UINT32("debug", IntelHDAState, debug, 0),
+        DEFINE_PROP_UINT32("msi", IntelHDAState, msi, 1),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
commit 6a0d02f5be44ee17cf0ce843f0658d08e97a68c2
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 11:47:47 2010 +0100

    intel-hda: update irq status on WAKEEN changes.
    
    When the guest updates the WAKEEN register we
    must re-calculate the IRQ status.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 2c1ef12..e478e67 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -508,6 +508,11 @@ static void intel_hda_set_g_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32
     }
 }
 
+static void intel_hda_set_wake_en(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    intel_hda_update_irq(d);
+}
+
 static void intel_hda_set_state_sts(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
 {
     intel_hda_update_irq(d);
@@ -630,6 +635,7 @@ static const struct IntelHDAReg regtab[] = {
         .size     = 2,
         .wmask    = 0x3fff,
         .offset   = offsetof(IntelHDAState, wake_en),
+        .whandler = intel_hda_set_wake_en,
     },
     [ ICH6_REG_STATESTS ] = {
         .name     = "STATESTS",
commit af93485cde810f3c2f488533e0b60c99eae5d01d
Author: François Revol <revol at free.fr>
Date:   Tue Nov 9 11:47:46 2010 +0100

    intel-hda: Honor WAKEEN bits.
    
    HDA: Honor WAKEEN bits when deciding to raise an interrupt on codec
    status change.  This prevents an interrupt storm with the Haiku HDA
    driver which does not handle codec status changes in the irq handler.
    
    Signed-off-by: François Revol <revol at free.fr>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 78c32da..2c1ef12 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -246,7 +246,7 @@ static void intel_hda_update_int_sts(IntelHDAState *d)
     if (d->rirb_sts & ICH6_RBSTS_OVERRUN) {
         sts |= (1 << 30);
     }
-    if (d->state_sts) {
+    if (d->state_sts & d->wake_en) {
         sts |= (1 << 30);
     }
 
@@ -628,6 +628,7 @@ static const struct IntelHDAReg regtab[] = {
     [ ICH6_REG_WAKEEN ] = {
         .name     = "WAKEEN",
         .size     = 2,
+        .wmask    = 0x3fff,
         .offset   = offsetof(IntelHDAState, wake_en),
     },
     [ ICH6_REG_STATESTS ] = {
commit 129dcd2c66c3f693425f8a50c553146b8f6f4fd6
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 11:47:45 2010 +0100

    hda-audio: exit cleanup
    
    Add exit callback to the driver.  Unregister the sound card properly
    on exit.
    
    [ v2: codestyle: add braces ]
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/hda-audio.c b/hw/hda-audio.c
index 1035774..c699d6f 100644
--- a/hw/hda-audio.c
+++ b/hw/hda-audio.c
@@ -808,6 +808,28 @@ static int hda_audio_init(HDACodecDevice *hda, const struct desc_codec *desc)
     return 0;
 }
 
+static int hda_audio_exit(HDACodecDevice *hda)
+{
+    HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
+    HDAAudioStream *st;
+    int i;
+
+    dprint(a, 1, "%s\n", __FUNCTION__);
+    for (i = 0; i < ARRAY_SIZE(a->st); i++) {
+        st = a->st + i;
+        if (st->node == NULL) {
+            continue;
+        }
+        if (st->output) {
+            AUD_close_out(&a->card, st->voice.out);
+        } else {
+            AUD_close_in(&a->card, st->voice.in);
+        }
+    }
+    AUD_remove_card(&a->card);
+    return 0;
+}
+
 static int hda_audio_post_load(void *opaque, int version)
 {
     HDAAudioState *a = opaque;
@@ -879,6 +901,7 @@ static HDACodecDeviceInfo hda_audio_info_output = {
     .qdev.vmsd    = &vmstate_hda_audio,
     .qdev.props   = hda_audio_properties,
     .init         = hda_audio_init_output,
+    .exit         = hda_audio_exit,
     .command      = hda_audio_command,
     .stream       = hda_audio_stream,
 };
@@ -890,6 +913,7 @@ static HDACodecDeviceInfo hda_audio_info_duplex = {
     .qdev.vmsd    = &vmstate_hda_audio,
     .qdev.props   = hda_audio_properties,
     .init         = hda_audio_init_duplex,
+    .exit         = hda_audio_exit,
     .command      = hda_audio_command,
     .stream       = hda_audio_stream,
 };
commit dc4b9240dc531f1fc8538e9dc968f2e34e169346
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 9 11:47:44 2010 +0100

    intel-hda: exit cleanup
    
    Add pci exit callback for the intel-hda device and cleanup properly.
    Also add an exit callback to the HDA bus implementation and make sure
    it is called on qdev_free().
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index ccb059d..78c32da 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -61,9 +61,20 @@ static int hda_codec_dev_init(DeviceState *qdev, DeviceInfo *base)
     return info->init(dev);
 }
 
+static int hda_codec_dev_exit(DeviceState *qdev)
+{
+    HDACodecDevice *dev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+
+    if (dev->info->exit) {
+        dev->info->exit(dev);
+    }
+    return 0;
+}
+
 void hda_codec_register(HDACodecDeviceInfo *info)
 {
     info->qdev.init = hda_codec_dev_init;
+    info->qdev.exit = hda_codec_dev_exit;
     info->qdev.bus_info = &hda_codec_bus_info;
     qdev_register(&info->qdev);
 }
@@ -1137,6 +1148,14 @@ static int intel_hda_init(PCIDevice *pci)
     return 0;
 }
 
+static int intel_hda_exit(PCIDevice *pci)
+{
+    IntelHDAState *d = DO_UPCAST(IntelHDAState, pci, pci);
+
+    cpu_unregister_io_memory(d->mmio_addr);
+    return 0;
+}
+
 static int intel_hda_post_load(void *opaque, int version)
 {
     IntelHDAState* d = opaque;
@@ -1219,6 +1238,7 @@ static PCIDeviceInfo intel_hda_info = {
     .qdev.vmsd    = &vmstate_intel_hda,
     .qdev.reset   = intel_hda_reset,
     .init         = intel_hda_init,
+    .exit         = intel_hda_exit,
     .qdev.props   = (Property[]) {
         DEFINE_PROP_UINT32("debug", IntelHDAState, debug, 0),
         DEFINE_PROP_END_OF_LIST(),
diff --git a/hw/intel-hda.h b/hw/intel-hda.h
index ba290ec..4e44e38 100644
--- a/hw/intel-hda.h
+++ b/hw/intel-hda.h
@@ -32,6 +32,7 @@ struct HDACodecDevice {
 struct HDACodecDeviceInfo {
     DeviceInfo qdev;
     int (*init)(HDACodecDevice *dev);
+    int (*exit)(HDACodecDevice *dev);
     void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data);
     void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running);
 };
commit 420fe74769cc67baec6f3d962dc054e2972ca3ae
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Sun Nov 7 14:08:01 2010 +0100

    pci-assign: Catch missing KVM support
    
    Report an error instead of raising a SEGV when a pci-assign device is
    about to be initialized without KVM enabled.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index bde231d..5f5bde1 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1440,6 +1440,11 @@ static int assigned_initfn(struct PCIDevice *pci_dev)
     uint8_t e_device, e_intx;
     int r;
 
+    if (!kvm_enabled()) {
+        error_report("pci-assign: error: requires KVM support");
+        return -1;
+    }
+
     if (!dev->host.seg && !dev->host.bus && !dev->host.dev && !dev->host.func) {
         error_report("pci-assign: error: no host device specified");
         return -1;
commit cfd07e7abb1ef39373cd4ce312b015d61b9eea8d
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Nov 7 15:10:40 2010 +0000

    Fix win32 build
    
    Fix a return value change missed by
    205ef7961f781496366e0a93a4ec621ad3724bd7.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block/raw-win32.c b/block/raw-win32.c
index 7f32778..06c9710 100644
--- a/block/raw-win32.c
+++ b/block/raw-win32.c
@@ -147,7 +147,7 @@ static int raw_write(BlockDriverState *bs, int64_t sector_num,
     return ret_count;
 }
 
-static void raw_flush(BlockDriverState *bs)
+static int raw_flush(BlockDriverState *bs)
 {
     BDRVRawState *s = bs->opaque;
     int ret;
commit 54cdaa1bad3885448ef39faad93d40be3b223519
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 20:03:43 2010 +0200

    tap: clear vhost_net backend on cleanup
    
    Frontends calling tap_get_vhost_net get an invalid pointer after the
    peer backend has been deleted. Jason Wang <jasowang at redhat.com> reports
    this leading to a crash in ack_features when we remove the vhost-net
    bakend of a virtio nic.
    
    The fix is simply to clear the backend pointer.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net/tap.c b/net/tap.c
index 4afb314..937d942 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -279,6 +279,7 @@ static void tap_cleanup(VLANClientState *nc)
 
     if (s->vhost_net) {
         vhost_net_cleanup(s->vhost_net);
+        s->vhost_net = NULL;
     }
 
     qemu_purge_queued_packets(nc);
commit d33ea50a958b2e050d2b28e5f17e3b55e91c6d74
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Oct 27 13:15:27 2010 +0200

    scsi-disk: Fix immediate failure of bdrv_aio_*
    
    Fix scsi-disk to use the usual completion paths that involve rerror/werror
    handling instead of directly completing the requests in cases where
    bdrv_aio_readv/writev returns NULL.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 6815239..dc71957 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -178,8 +178,9 @@ static void scsi_read_request(SCSIDiskReq *r)
     qemu_iovec_init_external(&r->qiov, &r->iov, 1);
     r->req.aiocb = bdrv_aio_readv(s->bs, r->sector, &r->qiov, n,
                               scsi_read_complete, r);
-    if (r->req.aiocb == NULL)
-        scsi_command_complete(r, CHECK_CONDITION, HARDWARE_ERROR);
+    if (r->req.aiocb == NULL) {
+        scsi_read_complete(r, -EIO);
+    }
 }
 
 /* Read more data from scsi device into buffer.  */
@@ -273,9 +274,9 @@ static void scsi_write_request(SCSIDiskReq *r)
         qemu_iovec_init_external(&r->qiov, &r->iov, 1);
         r->req.aiocb = bdrv_aio_writev(s->bs, r->sector, &r->qiov, n,
                                    scsi_write_complete, r);
-        if (r->req.aiocb == NULL)
-            scsi_command_complete(r, CHECK_CONDITION,
-                                  HARDWARE_ERROR);
+        if (r->req.aiocb == NULL) {
+            scsi_write_complete(r, -EIO);
+        }
     } else {
         /* Invoke completion routine to fetch data from host.  */
         scsi_write_complete(r, 0);
commit 18a8d4214b861aff0caa5acfa921862d0be05bbb
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Oct 27 13:10:15 2010 +0200

    virtio-blk: Handle immediate flush failure properly
    
    Fix virtio-blk to use the usual completion path that involves werror handling
    instead of directly completing the request in cases where bdrv_aio_flush
    returns NULL.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index dbe2070..49528a9 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -273,7 +273,7 @@ static void virtio_blk_handle_flush(VirtIOBlockReq *req, MultiReqBuffer *mrb)
 
     acb = bdrv_aio_flush(req->dev->bs, virtio_blk_flush_complete, req);
     if (!acb) {
-        virtio_blk_req_complete(req, VIRTIO_BLK_S_IOERR);
+        virtio_blk_flush_complete(req, -EIO);
     }
 }
 
commit b2df7531f3adc4f0f65067b917cef8c66ba812c5
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Oct 27 13:04:15 2010 +0200

    ide: Handle immediate bdrv_aio_flush failure
    
    If bdrv_aio_flush returns NULL, this should be treated as an error.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index bc3e916..484e0ca 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -811,10 +811,16 @@ static void ide_flush_cb(void *opaque, int ret)
 
 static void ide_flush_cache(IDEState *s)
 {
-    if (s->bs) {
-        bdrv_aio_flush(s->bs, ide_flush_cb, s);
-    } else {
+    BlockDriverAIOCB *acb;
+
+    if (s->bs == NULL) {
         ide_flush_cb(s, 0);
+        return;
+    }
+
+    acb = bdrv_aio_flush(s->bs, ide_flush_cb, s);
+    if (acb == NULL) {
+        ide_flush_cb(s, -EIO);
     }
 }
 
commit a31335863648d1e707f59296cffb74205aedba96
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Oct 30 16:46:27 2010 +0000

    block: avoid a warning on 64 bit hosts with long as int64_t
    
    When building on a 64 bit host which uses 'long' for int64_t,
    GCC emits a warning:
      CC    block/blkverify.o
    /src/qemu/block/blkverify.c: In function `blkverify_verify_readv':
    /src/qemu/block/blkverify.c:304: warning: long long int format, long
    unsigned int arg (arg 3)
    
    Rework a77cffe7e916f4dd28f2048982ea2e0d98143b11 to avoid the warning.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/blkverify.c b/block/blkverify.c
index 0a8d691..c7522b4 100644
--- a/block/blkverify.c
+++ b/block/blkverify.c
@@ -300,8 +300,8 @@ static void blkverify_verify_readv(BlkverifyAIOCB *acb)
 {
     ssize_t offset = blkverify_iovec_compare(acb->qiov, &acb->raw_qiov);
     if (offset != -1) {
-        blkverify_err(acb, "contents mismatch in sector %lld",
-                      acb->sector_num + (offset / BDRV_SECTOR_SIZE));
+        blkverify_err(acb, "contents mismatch in sector %" PRId64,
+                      acb->sector_num + (int64_t)(offset / BDRV_SECTOR_SIZE));
     }
 }
 
commit 1c02e2a17104fe7fc11893125864dc0daf1e6d5b
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Oct 28 16:16:00 2010 +0200

    qcow2: Invalidate cache after failed read
    
    The cache content may be destroyed after a failed read, better not use it any
    more.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 4f7dc59..b040208 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -188,6 +188,7 @@ static int l2_load(BlockDriverState *bs, uint64_t l2_offset,
     ret = bdrv_pread(bs->file, l2_offset, *l2_table,
         s->l2_size * sizeof(uint64_t));
     if (ret < 0) {
+        qcow2_l2_cache_reset(bs);
         return ret;
     }
 
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 0efb676..a10453c 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -103,6 +103,7 @@ static int load_refcount_block(BlockDriverState *bs,
     ret = bdrv_pread(bs->file, refcount_block_offset, s->refcount_block_cache,
                      s->cluster_size);
     if (ret < 0) {
+        s->refcount_block_cache_offset = 0;
         return ret;
     }
 
commit 4a4111851fa75bc91028a26eb75dcdd136d9032d
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Oct 22 16:17:57 2010 +0200

    vpc: Implement bdrv_flush
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/vpc.c b/block/vpc.c
index e50509e..416f489 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -439,6 +439,10 @@ static int vpc_write(BlockDriverState *bs, int64_t sector_num,
     return 0;
 }
 
+static int vpc_flush(BlockDriverState *bs)
+{
+    return bdrv_flush(bs->file);
+}
 
 /*
  * Calculates the number of cylinders, heads and sectors per cylinder
@@ -618,14 +622,15 @@ static QEMUOptionParameter vpc_create_options[] = {
 };
 
 static BlockDriver bdrv_vpc = {
-    .format_name	= "vpc",
-    .instance_size	= sizeof(BDRVVPCState),
-    .bdrv_probe		= vpc_probe,
-    .bdrv_open		= vpc_open,
-    .bdrv_read		= vpc_read,
-    .bdrv_write		= vpc_write,
-    .bdrv_close		= vpc_close,
-    .bdrv_create	= vpc_create,
+    .format_name    = "vpc",
+    .instance_size  = sizeof(BDRVVPCState),
+    .bdrv_probe     = vpc_probe,
+    .bdrv_open      = vpc_open,
+    .bdrv_read      = vpc_read,
+    .bdrv_write     = vpc_write,
+    .bdrv_flush     = vpc_flush,
+    .bdrv_close     = vpc_close,
+    .bdrv_create    = vpc_create,
 
     .create_options = vpc_create_options,
 };
commit 78ced65e6ec6d76059f0d943a82103122d4e6494
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Oct 25 16:40:17 2010 +0200

    scsi-disk: Implement werror for flushes
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 96acfe3..6815239 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -45,6 +45,7 @@ do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
 #define SCSI_REQ_STATUS_RETRY_TYPE_MASK 0x06
 #define SCSI_REQ_STATUS_RETRY_READ      0x00
 #define SCSI_REQ_STATUS_RETRY_WRITE     0x02
+#define SCSI_REQ_STATUS_RETRY_FLUSH     0x04
 
 typedef struct SCSIDiskState SCSIDiskState;
 
@@ -74,6 +75,7 @@ struct SCSIDiskState
 };
 
 static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type);
+static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf);
 
 static SCSIDiskReq *scsi_new_request(SCSIDiskState *s, uint32_t tag,
         uint32_t lun)
@@ -316,6 +318,8 @@ static void scsi_dma_restart_bh(void *opaque)
         r = DO_UPCAST(SCSIDiskReq, req, req);
         if (r->status & SCSI_REQ_STATUS_RETRY) {
             int status = r->status;
+            int ret;
+
             r->status &=
                 ~(SCSI_REQ_STATUS_RETRY | SCSI_REQ_STATUS_RETRY_TYPE_MASK);
 
@@ -326,6 +330,11 @@ static void scsi_dma_restart_bh(void *opaque)
             case SCSI_REQ_STATUS_RETRY_WRITE:
                 scsi_write_request(r);
                 break;
+            case SCSI_REQ_STATUS_RETRY_FLUSH:
+                ret = scsi_disk_emulate_command(r, r->iov.iov_base);
+                if (ret == 0) {
+                    scsi_command_complete(r, GOOD, NO_SENSE);
+                }
             }
         }
     }
@@ -790,6 +799,7 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
     uint64_t nb_sectors;
     int buflen = 0;
+    int ret;
 
     switch (req->cmd.buf[0]) {
     case TEST_UNIT_READY:
@@ -880,7 +890,12 @@ static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
         buflen = 8;
 	break;
     case SYNCHRONIZE_CACHE:
-        bdrv_flush(s->bs);
+        ret = bdrv_flush(s->bs);
+        if (ret < 0) {
+            if (scsi_handle_rw_error(r, -ret, SCSI_REQ_STATUS_RETRY_FLUSH)) {
+                return -1;
+            }
+        }
         break;
     case GET_CONFIGURATION:
         memset(outbuf, 0, 8);
commit 8af7a3ab51d9780f52b7d2581f144ab127097362
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Oct 25 12:43:22 2010 +0200

    scsi-disk: Complete failed requests in scsi_disk_emulate_command
    
    This pulls the request completion for error cases from the caller to
    scsi_disk_emulate_command. This should not change semantics, but allows to
    reuse scsi_handle_write_error() for flushes in the next patch.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 43a5b59..96acfe3 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -784,8 +784,9 @@ static int scsi_disk_emulate_read_toc(SCSIRequest *req, uint8_t *outbuf)
     return toclen;
 }
 
-static int scsi_disk_emulate_command(SCSIRequest *req, uint8_t *outbuf)
+static int scsi_disk_emulate_command(SCSIDiskReq *r, uint8_t *outbuf)
 {
+    SCSIRequest *req = &r->req;
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
     uint64_t nb_sectors;
     int buflen = 0;
@@ -943,12 +944,12 @@ static int scsi_disk_emulate_command(SCSIRequest *req, uint8_t *outbuf)
     return buflen;
 
 not_ready:
-    scsi_req_set_status(req, CHECK_CONDITION, NOT_READY);
-    return 0;
+    scsi_command_complete(r, CHECK_CONDITION, NOT_READY);
+    return -1;
 
 illegal_request:
-    scsi_req_set_status(req, CHECK_CONDITION, ILLEGAL_REQUEST);
-    return 0;
+    scsi_command_complete(r, CHECK_CONDITION, ILLEGAL_REQUEST);
+    return -1;
 }
 
 /* Execute a scsi command.  Returns the length of the data expected by the
@@ -1056,14 +1057,12 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     case REPORT_LUNS:
     case VERIFY:
     case REZERO_UNIT:
-        rc = scsi_disk_emulate_command(&r->req, outbuf);
-        if (rc > 0) {
-            r->iov.iov_len = rc;
-        } else {
-            scsi_req_complete(&r->req);
-            scsi_remove_request(r);
+        rc = scsi_disk_emulate_command(r, outbuf);
+        if (rc < 0) {
             return 0;
         }
+
+        r->iov.iov_len = rc;
         break;
     case READ_6:
     case READ_10:
commit 205ef7961f781496366e0a93a4ec621ad3724bd7
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Oct 21 16:43:43 2010 +0200

    block: Allow bdrv_flush to return errors
    
    This changes bdrv_flush to return 0 on success and -errno in case of failure.
    It's a requirement for implementing proper error handle in users of bdrv_flush.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/block.c b/block.c
index 985d0b7..6b505fb 100644
--- a/block.c
+++ b/block.c
@@ -1453,14 +1453,27 @@ const char *bdrv_get_device_name(BlockDriverState *bs)
     return bs->device_name;
 }
 
-void bdrv_flush(BlockDriverState *bs)
+int bdrv_flush(BlockDriverState *bs)
 {
     if (bs->open_flags & BDRV_O_NO_FLUSH) {
-        return;
+        return 0;
+    }
+
+    if (bs->drv && bs->drv->bdrv_flush) {
+        return bs->drv->bdrv_flush(bs);
     }
 
-    if (bs->drv && bs->drv->bdrv_flush)
-        bs->drv->bdrv_flush(bs);
+    /*
+     * Some block drivers always operate in either writethrough or unsafe mode
+     * and don't support bdrv_flush therefore. Usually qemu doesn't know how
+     * the server works (because the behaviour is hardcoded or depends on
+     * server-side configuration), so we can't ensure that everything is safe
+     * on disk. Returning an error doesn't work because that would break guests
+     * even if the server operates in writethrough mode.
+     *
+     * Let's hope the user knows what he's doing.
+     */
+    return 0;
 }
 
 void bdrv_flush_all(void)
diff --git a/block.h b/block.h
index a4facf2..78ecfac 100644
--- a/block.h
+++ b/block.h
@@ -142,7 +142,7 @@ BlockDriverAIOCB *bdrv_aio_ioctl(BlockDriverState *bs,
         BlockDriverCompletionFunc *cb, void *opaque);
 
 /* Ensure contents are flushed to disk.  */
-void bdrv_flush(BlockDriverState *bs);
+int bdrv_flush(BlockDriverState *bs);
 void bdrv_flush_all(void);
 void bdrv_close_all(void);
 
diff --git a/block/blkdebug.c b/block/blkdebug.c
index 4d6ff0a..cd9eb80 100644
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@@ -397,9 +397,9 @@ static void blkdebug_close(BlockDriverState *bs)
     }
 }
 
-static void blkdebug_flush(BlockDriverState *bs)
+static int blkdebug_flush(BlockDriverState *bs)
 {
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 static BlockDriverAIOCB *blkdebug_aio_flush(BlockDriverState *bs,
diff --git a/block/blkverify.c b/block/blkverify.c
index b2a12fe..0a8d691 100644
--- a/block/blkverify.c
+++ b/block/blkverify.c
@@ -116,12 +116,12 @@ static void blkverify_close(BlockDriverState *bs)
     s->test_file = NULL;
 }
 
-static void blkverify_flush(BlockDriverState *bs)
+static int blkverify_flush(BlockDriverState *bs)
 {
     BDRVBlkverifyState *s = bs->opaque;
 
     /* Only flush test file, the raw file is not important */
-    bdrv_flush(s->test_file);
+    return bdrv_flush(s->test_file);
 }
 
 static int64_t blkverify_getlength(BlockDriverState *bs)
diff --git a/block/cow.c b/block/cow.c
index eedcc48..4cf543c 100644
--- a/block/cow.c
+++ b/block/cow.c
@@ -282,9 +282,9 @@ exit:
     return ret;
 }
 
-static void cow_flush(BlockDriverState *bs)
+static int cow_flush(BlockDriverState *bs)
 {
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 static QEMUOptionParameter cow_create_options[] = {
diff --git a/block/qcow.c b/block/qcow.c
index 816103d..9cd547d 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -910,9 +910,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
     return 0;
 }
 
-static void qcow_flush(BlockDriverState *bs)
+static int qcow_flush(BlockDriverState *bs)
 {
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 static BlockDriverAIOCB *qcow_aio_flush(BlockDriverState *bs,
diff --git a/block/qcow2.c b/block/qcow2.c
index b816d87..537c479 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1148,9 +1148,9 @@ static int qcow_write_compressed(BlockDriverState *bs, int64_t sector_num,
     return 0;
 }
 
-static void qcow_flush(BlockDriverState *bs)
+static int qcow_flush(BlockDriverState *bs)
 {
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 static BlockDriverAIOCB *qcow_aio_flush(BlockDriverState *bs,
diff --git a/block/raw-posix.c b/block/raw-posix.c
index d0393e0..d0960b8 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -734,10 +734,10 @@ static int raw_create(const char *filename, QEMUOptionParameter *options)
     return result;
 }
 
-static void raw_flush(BlockDriverState *bs)
+static int raw_flush(BlockDriverState *bs)
 {
     BDRVRawState *s = bs->opaque;
-    qemu_fdatasync(s->fd);
+    return qemu_fdatasync(s->fd);
 }
 
 
diff --git a/block/raw-win32.c b/block/raw-win32.c
index 503ed39..7f32778 100644
--- a/block/raw-win32.c
+++ b/block/raw-win32.c
@@ -150,7 +150,14 @@ static int raw_write(BlockDriverState *bs, int64_t sector_num,
 static void raw_flush(BlockDriverState *bs)
 {
     BDRVRawState *s = bs->opaque;
-    FlushFileBuffers(s->hfile);
+    int ret;
+
+    ret = FlushFileBuffers(s->hfile);
+    if (ret != 0) {
+        return -EIO;
+    }
+
+    return 0;
 }
 
 static void raw_close(BlockDriverState *bs)
diff --git a/block/raw.c b/block/raw.c
index 9108779..1980deb 100644
--- a/block/raw.c
+++ b/block/raw.c
@@ -39,9 +39,9 @@ static void raw_close(BlockDriverState *bs)
 {
 }
 
-static void raw_flush(BlockDriverState *bs)
+static int raw_flush(BlockDriverState *bs)
 {
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 static BlockDriverAIOCB *raw_aio_flush(BlockDriverState *bs,
diff --git a/block/vdi.c b/block/vdi.c
index f72633c..3b51e53 100644
--- a/block/vdi.c
+++ b/block/vdi.c
@@ -900,10 +900,10 @@ static void vdi_close(BlockDriverState *bs)
 {
 }
 
-static void vdi_flush(BlockDriverState *bs)
+static int vdi_flush(BlockDriverState *bs)
 {
     logout("\n");
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 
diff --git a/block/vmdk.c b/block/vmdk.c
index 2d4ba42..872aeba 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -823,9 +823,9 @@ static void vmdk_close(BlockDriverState *bs)
     qemu_free(s->l2_cache);
 }
 
-static void vmdk_flush(BlockDriverState *bs)
+static int vmdk_flush(BlockDriverState *bs)
 {
-    bdrv_flush(bs->file);
+    return bdrv_flush(bs->file);
 }
 
 
diff --git a/block_int.h b/block_int.h
index 87e60b8..3c3adb5 100644
--- a/block_int.h
+++ b/block_int.h
@@ -59,7 +59,7 @@ struct BlockDriver {
                       const uint8_t *buf, int nb_sectors);
     void (*bdrv_close)(BlockDriverState *bs);
     int (*bdrv_create)(const char *filename, QEMUOptionParameter *options);
-    void (*bdrv_flush)(BlockDriverState *bs);
+    int (*bdrv_flush)(BlockDriverState *bs);
     int (*bdrv_is_allocated)(BlockDriverState *bs, int64_t sector_num,
                              int nb_sectors, int *pnum);
     int (*bdrv_set_key)(BlockDriverState *bs, const char *key);
commit 5dba48a882c126ccc86db6506cfa6dcca97badab
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Oct 25 14:52:21 2010 +0200

    scsi-disk: Implement rerror option
    
    This implements the rerror option for SCSI disks.
    
    It also includes minor changes to the write path where the same code is used
    that was criticized in the review for the changes to the read path required for
    rerror support.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>
    Reviewed-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/blockdev.c b/blockdev.c
index ff7602b..6cb179a 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -314,7 +314,7 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
     on_write_error = BLOCK_ERR_STOP_ENOSPC;
     if ((buf = qemu_opt_get(opts, "werror")) != NULL) {
         if (type != IF_IDE && type != IF_SCSI && type != IF_VIRTIO && type != IF_NONE) {
-            fprintf(stderr, "werror is no supported by this format\n");
+            fprintf(stderr, "werror is not supported by this format\n");
             return NULL;
         }
 
@@ -326,8 +326,8 @@ DriveInfo *drive_init(QemuOpts *opts, int default_to_scsi, int *fatal_error)
 
     on_read_error = BLOCK_ERR_REPORT;
     if ((buf = qemu_opt_get(opts, "rerror")) != NULL) {
-        if (type != IF_IDE && type != IF_VIRTIO && type != IF_NONE) {
-            fprintf(stderr, "rerror is no supported by this format\n");
+        if (type != IF_IDE && type != IF_VIRTIO && type != IF_SCSI && type != IF_NONE) {
+            fprintf(stderr, "rerror is not supported by this format\n");
             return NULL;
         }
 
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 9628b39..43a5b59 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -41,7 +41,10 @@ do { fprintf(stderr, "scsi-disk: " fmt , ## __VA_ARGS__); } while (0)
 #define SCSI_DMA_BUF_SIZE    131072
 #define SCSI_MAX_INQUIRY_LEN 256
 
-#define SCSI_REQ_STATUS_RETRY 0x01
+#define SCSI_REQ_STATUS_RETRY           0x01
+#define SCSI_REQ_STATUS_RETRY_TYPE_MASK 0x06
+#define SCSI_REQ_STATUS_RETRY_READ      0x00
+#define SCSI_REQ_STATUS_RETRY_WRITE     0x02
 
 typedef struct SCSIDiskState SCSIDiskState;
 
@@ -70,6 +73,8 @@ struct SCSIDiskState
     char *serial;
 };
 
+static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type);
+
 static SCSIDiskReq *scsi_new_request(SCSIDiskState *s, uint32_t tag,
         uint32_t lun)
 {
@@ -127,34 +132,30 @@ static void scsi_cancel_io(SCSIDevice *d, uint32_t tag)
 static void scsi_read_complete(void * opaque, int ret)
 {
     SCSIDiskReq *r = (SCSIDiskReq *)opaque;
+    int n;
 
     r->req.aiocb = NULL;
 
     if (ret) {
-        DPRINTF("IO error\n");
-        r->req.bus->complete(r->req.bus, SCSI_REASON_DATA, r->req.tag, 0);
-        scsi_command_complete(r, CHECK_CONDITION, NO_SENSE);
-        return;
+        if (scsi_handle_rw_error(r, -ret, SCSI_REQ_STATUS_RETRY_READ)) {
+            return;
+        }
     }
+
     DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->iov.iov_len);
 
+    n = r->iov.iov_len / 512;
+    r->sector += n;
+    r->sector_count -= n;
     r->req.bus->complete(r->req.bus, SCSI_REASON_DATA, r->req.tag, r->iov.iov_len);
 }
 
-/* Read more data from scsi device into buffer.  */
-static void scsi_read_data(SCSIDevice *d, uint32_t tag)
+
+static void scsi_read_request(SCSIDiskReq *r)
 {
-    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
-    SCSIDiskReq *r;
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
     uint32_t n;
 
-    r = scsi_find_request(s, tag);
-    if (!r) {
-        BADF("Bad read tag 0x%x\n", tag);
-        /* ??? This is the wrong error.  */
-        scsi_command_complete(r, CHECK_CONDITION, HARDWARE_ERROR);
-        return;
-    }
     if (r->sector_count == (uint32_t)-1) {
         DPRINTF("Read buf_len=%zd\n", r->iov.iov_len);
         r->sector_count = 0;
@@ -177,29 +178,54 @@ static void scsi_read_data(SCSIDevice *d, uint32_t tag)
                               scsi_read_complete, r);
     if (r->req.aiocb == NULL)
         scsi_command_complete(r, CHECK_CONDITION, HARDWARE_ERROR);
-    r->sector += n;
-    r->sector_count -= n;
 }
 
-static int scsi_handle_write_error(SCSIDiskReq *r, int error)
+/* Read more data from scsi device into buffer.  */
+static void scsi_read_data(SCSIDevice *d, uint32_t tag)
 {
+    SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, d);
+    SCSIDiskReq *r;
+
+    r = scsi_find_request(s, tag);
+    if (!r) {
+        BADF("Bad read tag 0x%x\n", tag);
+        /* ??? This is the wrong error.  */
+        scsi_command_complete(r, CHECK_CONDITION, HARDWARE_ERROR);
+        return;
+    }
+
+    /* No data transfer may already be in progress */
+    assert(r->req.aiocb == NULL);
+
+    scsi_read_request(r);
+}
+
+static int scsi_handle_rw_error(SCSIDiskReq *r, int error, int type)
+{
+    int is_read = (type == SCSI_REQ_STATUS_RETRY_READ);
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, r->req.dev);
-    BlockErrorAction action = bdrv_get_on_error(s->bs, 0);
+    BlockErrorAction action = bdrv_get_on_error(s->bs, is_read);
 
     if (action == BLOCK_ERR_IGNORE) {
-        bdrv_mon_event(s->bs, BDRV_ACTION_IGNORE, 0);
+        bdrv_mon_event(s->bs, BDRV_ACTION_IGNORE, is_read);
         return 0;
     }
 
     if ((error == ENOSPC && action == BLOCK_ERR_STOP_ENOSPC)
             || action == BLOCK_ERR_STOP_ANY) {
-        r->status |= SCSI_REQ_STATUS_RETRY;
-        bdrv_mon_event(s->bs, BDRV_ACTION_STOP, 0);
+
+        type &= SCSI_REQ_STATUS_RETRY_TYPE_MASK;
+        r->status |= SCSI_REQ_STATUS_RETRY | type;
+
+        bdrv_mon_event(s->bs, BDRV_ACTION_STOP, is_read);
         vm_stop(0);
     } else {
+        if (type == SCSI_REQ_STATUS_RETRY_READ) {
+            r->req.bus->complete(r->req.bus, SCSI_REASON_DATA, r->req.tag, 0);
+        }
         scsi_command_complete(r, CHECK_CONDITION,
                 HARDWARE_ERROR);
-        bdrv_mon_event(s->bs, BDRV_ACTION_REPORT, 0);
+        bdrv_mon_event(s->bs, BDRV_ACTION_REPORT, is_read);
     }
 
     return 1;
@@ -214,8 +240,9 @@ static void scsi_write_complete(void * opaque, int ret)
     r->req.aiocb = NULL;
 
     if (ret) {
-        if (scsi_handle_write_error(r, -ret))
+        if (scsi_handle_rw_error(r, -ret, SCSI_REQ_STATUS_RETRY_WRITE)) {
             return;
+        }
     }
 
     n = r->iov.iov_len / 512;
@@ -268,8 +295,8 @@ static int scsi_write_data(SCSIDevice *d, uint32_t tag)
         return 1;
     }
 
-    if (r->req.aiocb)
-        BADF("Data transfer already in progress\n");
+    /* No data transfer may already be in progress */
+    assert(r->req.aiocb == NULL);
 
     scsi_write_request(r);
 
@@ -288,8 +315,18 @@ static void scsi_dma_restart_bh(void *opaque)
     QTAILQ_FOREACH(req, &s->qdev.requests, next) {
         r = DO_UPCAST(SCSIDiskReq, req, req);
         if (r->status & SCSI_REQ_STATUS_RETRY) {
-            r->status &= ~SCSI_REQ_STATUS_RETRY;
-            scsi_write_request(r); 
+            int status = r->status;
+            r->status &=
+                ~(SCSI_REQ_STATUS_RETRY | SCSI_REQ_STATUS_RETRY_TYPE_MASK);
+
+            switch (status & SCSI_REQ_STATUS_RETRY_TYPE_MASK) {
+            case SCSI_REQ_STATUS_RETRY_READ:
+                scsi_read_request(r);
+                break;
+            case SCSI_REQ_STATUS_RETRY_WRITE:
+                scsi_write_request(r);
+                break;
+            }
         }
     }
 }
@@ -1152,11 +1189,6 @@ static int scsi_disk_initfn(SCSIDevice *dev)
         return -1;
     }
 
-    if (bdrv_get_on_error(s->bs, 1) != BLOCK_ERR_REPORT) {
-        error_report("Device doesn't support drive option rerror");
-        return -1;
-    }
-
     if (!s->serial) {
         /* try to fall back to value set with legacy -drive serial=... */
         dinfo = drive_get_by_blockdev(s->bs);
commit b2ca03af8204d79b8c290cadbd2e4442a7281b64
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Nov 2 15:55:37 2010 +0100

    pci-assign: Remove broken -pcidevice and pci_add host
    
    These qemu-kvm-only interfaces were broken by b560a9ab9b, but no one
    complained loud enough to get them fixed again. As we have properly
    working "-device pci-assign"/"device_add" and we won't push this
    upstream anyway, there is likely no point in restoring the interface.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    CC: Markus Armbruster <armbru at redhat.com>
    CC: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 9406496..ba6de28 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -806,7 +806,7 @@ ETEXI
     {
         .name       = "pci_add",
         .args_type  = "pci_addr:s,type:s,opts:s?",
-        .params     = "auto|[[<domain>:]<bus>:]<slot> nic|storage|host [[vlan=n][,macaddr=addr][,model=type]] [file=file][,if=type][,bus=nr]... [host=02:00.0[,name=string][,dma=none]",
+        .params     = "auto|[[<domain>:]<bus>:]<slot> nic|storage [[vlan=n][,macaddr=addr][,model=type]] [file=file][,if=type][,bus=nr]...",
         .help       = "hot-add PCI device",
         .mhandler.cmd = pci_device_hot_add,
     },
diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index d0288a4..bde231d 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -1561,69 +1561,6 @@ static void assign_register_devices(void)
 
 device_init(assign_register_devices)
 
-
-/*
- * Syntax to assign device:
- *
- * -pcidevice host=bus:dev.func[,dma=none][,name=Foo]
- *
- * Example:
- * -pcidevice host=00:13.0,dma=pvdma
- *
- * dma can currently only be 'none' to disable iommu support.
- */
-QemuOpts *add_assigned_device(const char *arg)
-{
-    QemuOpts *opts = NULL;
-    char host[64], id[64], dma[8];
-    int r;
-
-    r = get_param_value(host, sizeof(host), "host", arg);
-    if (!r)
-         goto bad;
-    r = get_param_value(id, sizeof(id), "id", arg);
-    if (!r)
-        r = get_param_value(id, sizeof(id), "name", arg);
-    if (!r)
-        r = get_param_value(id, sizeof(id), "host", arg);
-
-    opts = qemu_opts_create(qemu_find_opts("device"), id, 0);
-    if (!opts)
-        goto bad;
-    qemu_opt_set(opts, "driver", "pci-assign");
-    qemu_opt_set(opts, "host", host);
-
-#ifdef KVM_CAP_IOMMU
-    r = get_param_value(dma, sizeof(dma), "dma", arg);
-    if (r && !strncmp(dma, "none", 4))
-        qemu_opt_set(opts, "iommu", "0");
-#endif
-    qemu_opts_print(opts, NULL);
-    return opts;
-
-bad:
-    fprintf(stderr, "pcidevice argument parse error; "
-            "please check the help text for usage\n");
-    if (opts)
-        qemu_opts_del(opts);
-    return NULL;
-}
-
-void add_assigned_devices(PCIBus *bus, const char **devices, int n_devices)
-{
-    QemuOpts *opts;
-    int i;
-
-    for (i = 0; i < n_devices; i++) {
-        opts = add_assigned_device(devices[i]);
-        if (opts == NULL) {
-            fprintf(stderr, "Could not add assigned device %s\n", devices[i]);
-            exit(1);
-        }
-        /* generic code will call qdev_device_add() for the device */
-    }
-}
-
 /*
  * Scan the assigned devices for the devices that have an option ROM, and then
  * load the corresponding ROM data to RAM. If an error occurs while loading an
diff --git a/hw/device-assignment.h b/hw/device-assignment.h
index 56b7076..c94a730 100644
--- a/hw/device-assignment.h
+++ b/hw/device-assignment.h
@@ -114,13 +114,6 @@ typedef struct AssignedDevice {
     QLIST_ENTRY(AssignedDevice) next;
 } AssignedDevice;
 
-QemuOpts *add_assigned_device(const char *arg);
-void add_assigned_devices(PCIBus *bus, const char **devices, int n_devices);
 void assigned_dev_update_irqs(void);
 
-#define MAX_DEV_ASSIGN_CMDLINE 8
-
-extern const char *assigned_devices[MAX_DEV_ASSIGN_CMDLINE];
-extern int assigned_devices_index;
-
 #endif              /* __DEVICE_ASSIGNMENT_H__ */
diff --git a/hw/ipf.c b/hw/ipf.c
index 21cff72..10c21eb 100644
--- a/hw/ipf.c
+++ b/hw/ipf.c
@@ -635,12 +635,6 @@ static void ipf_init1(ram_addr_t ram_size,
 	    unit_id++;
 	}
     }
-
-#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
-    if (kvm_enabled())
-	add_assigned_devices(pci_bus, assigned_devices, assigned_devices_index);
-#endif /* CONFIG_KVM_DEVICE_ASSIGNMENT */
-
 }
 
 static void ipf_init_pci(ram_addr_t ram_size,
diff --git a/hw/pc.c b/hw/pc.c
index b624873..3bf3862 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -1105,10 +1105,4 @@ void pc_pci_device_init(PCIBus *pci_bus)
 
         extboot_init(info->bdrv);
     }
-
-#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
-    if (kvm_enabled()) {
-        add_assigned_devices(pci_bus, assigned_devices, assigned_devices_index);
-    }
-#endif /* CONFIG_KVM_DEVICE_ASSIGNMENT */
 }
diff --git a/hw/pci-hotplug.c b/hw/pci-hotplug.c
index b370b9b..a2d4bb2 100644
--- a/hw/pci-hotplug.c
+++ b/hw/pci-hotplug.c
@@ -230,24 +230,6 @@ static PCIDevice *qemu_pci_hot_add_storage(Monitor *mon,
     return dev;
 }
 
-#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
-static PCIDevice *qemu_pci_hot_assign_device(Monitor *mon,
-                                             const char *devaddr,
-                                             const char *opts_str)
-{
-    QemuOpts *opts;
-    DeviceState *dev;
-
-    opts = add_assigned_device(opts_str);
-    if (opts == NULL) {
-        monitor_printf(mon, "Error adding device; check syntax\n");
-        return NULL;
-    }
-    dev = qdev_device_add(opts);
-    return DO_UPCAST(PCIDevice, qdev, dev);
-}
-#endif /* CONFIG_KVM_DEVICE_ASSIGNMENT */
-
 void pci_device_hot_add(Monitor *mon, const QDict *qdict)
 {
     PCIDevice *dev = NULL;
@@ -271,10 +253,6 @@ void pci_device_hot_add(Monitor *mon, const QDict *qdict)
         dev = qemu_pci_hot_add_nic(mon, pci_addr, opts);
     } else if (strcmp(type, "storage") == 0) {
         dev = qemu_pci_hot_add_storage(mon, pci_addr, opts);
-#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
-    } else if (strcmp(type, "host") == 0) {
-        dev = qemu_pci_hot_assign_device(mon, pci_addr, opts);
-#endif /* CONFIG_KVM_DEVICE_ASSIGNMENT */
     } else {
         monitor_printf(mon, "invalid type: %s\n", type);
     }
diff --git a/qemu-options.hx b/qemu-options.hx
index 1c9a1e5..699b653 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2278,11 +2278,6 @@ DEF("no-kvm-pit-reinjection", 0, QEMU_OPTION_no_kvm_pit_reinjection,
     "-no-kvm-pit-reinjection\n"
     "                disable KVM kernel mode PIT interrupt reinjection\n",
     QEMU_ARCH_I386)
-DEF("pcidevice", HAS_ARG, QEMU_OPTION_pcidevice,
-    "-pcidevice host=[seg:]bus:dev.func[,dma=none][,name=string]\n"
-    "                expose a PCI device to the guest OS\n"
-    "                dma=none: don't perform any dma translations (default is to use an iommu)\n"
-    "                'string' is used in log output\n", QEMU_ARCH_I386)
 DEF("enable-nesting", 0, QEMU_OPTION_enable_nesting,
     "-enable-nesting enable support for running a VM inside the VM (AMD only)\n", QEMU_ARCH_I386)
 DEF("nvram", HAS_ARG, QEMU_OPTION_nvram,
diff --git a/vl.c b/vl.c
index 01d8afd..4bad675 100644
--- a/vl.c
+++ b/vl.c
@@ -204,8 +204,6 @@ int win2k_install_hack = 0;
 int rtc_td_hack = 0;
 int usb_enabled = 0;
 int singlestep = 0;
-const char *assigned_devices[MAX_DEV_ASSIGN_CMDLINE];
-int assigned_devices_index;
 int smp_cpus = 1;
 int max_cpus = 0;
 int smp_cores = 1;
@@ -1861,8 +1859,6 @@ int main(int argc, char **argv, char **envp)
         node_cpumask[i] = 0;
     }
 
-    assigned_devices_index = 0;
-
     nb_numa_nodes = 0;
     nb_nics = 0;
 
@@ -2478,16 +2474,6 @@ int main(int argc, char **argv, char **envp)
 		break;
 	    }
 #endif
-#if defined(TARGET_I386) || defined(TARGET_X86_64) || defined(TARGET_IA64) || defined(__linux__)
-            case QEMU_OPTION_pcidevice:
-		if (assigned_devices_index >= MAX_DEV_ASSIGN_CMDLINE) {
-                    fprintf(stderr, "Too many assigned devices\n");
-                    exit(1);
-		}
-		assigned_devices[assigned_devices_index] = optarg;
-		assigned_devices_index++;
-                break;
-#endif
             case QEMU_OPTION_usb:
                 usb_enabled = 1;
                 break;
commit 754da3e07f287525e5f75c5acd6b30f522641e73
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Nov 2 15:55:36 2010 +0100

    pci-assign: Issue warning when running w/o IOMMU
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 228d02f..d0288a4 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -913,6 +913,12 @@ static int assign_device(AssignedDevice *dev)
 #else
     dev->features &= ~ASSIGNED_DEVICE_USE_IOMMU_MASK;
 #endif
+    if (!(dev->features & ASSIGNED_DEVICE_USE_IOMMU_MASK)) {
+        fprintf(stderr,
+                "WARNING: Assigning a device without IOMMU protection can "
+                "cause host memory corruption if the device issues DMA write "
+                "requests!\n");
+    }
 
     r = kvm_assign_pci_device(kvm_context, &assigned_dev_data);
     if (r < 0) {
commit 2e04af7e37d7d03890c0fcb01802792d37d8bc5e
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Nov 2 15:55:35 2010 +0100

    pci-assign: Allow to disable MSI perference for host IRQ
    
    Some devices (e.g. the ath9k) claim to support MSI but actually do not
    work when this is enabled. We must not blindly switch such devices to
    MSI but rather provide the user a way to pass control back to the
    guest driver. This can be done by turning the new property "prefer_msi"
    off (default remains on).
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 349e864..228d02f 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -964,7 +964,8 @@ static int assign_irq(AssignedDevice *dev)
     }
 
     assigned_irq_data.flags = KVM_DEV_IRQ_GUEST_INTX;
-    if (dev->cap.available & ASSIGNED_DEVICE_CAP_MSI)
+    if (dev->features & ASSIGNED_DEVICE_PREFER_MSI_MASK &&
+        dev->cap.available & ASSIGNED_DEVICE_CAP_MSI)
         assigned_irq_data.flags |= KVM_DEV_IRQ_HOST_MSI;
     else
         assigned_irq_data.flags |= KVM_DEV_IRQ_HOST_INTX;
@@ -1540,6 +1541,8 @@ static PCIDeviceInfo assign_info = {
         DEFINE_PROP("host", AssignedDevice, host, qdev_prop_hostaddr, PCIHostDevice),
         DEFINE_PROP_BIT("iommu", AssignedDevice, features,
                         ASSIGNED_DEVICE_USE_IOMMU_BIT, true),
+        DEFINE_PROP_BIT("prefer_msi", AssignedDevice, features,
+                        ASSIGNED_DEVICE_PREFER_MSI_BIT, true),
         DEFINE_PROP_STRING("configfd", AssignedDevice, configfd_name),
         DEFINE_PROP_END_OF_LIST(),
     },
diff --git a/hw/device-assignment.h b/hw/device-assignment.h
index 4eb5835..56b7076 100644
--- a/hw/device-assignment.h
+++ b/hw/device-assignment.h
@@ -75,8 +75,10 @@ typedef struct {
 } AssignedDevRegion;
 
 #define ASSIGNED_DEVICE_USE_IOMMU_BIT	0
+#define ASSIGNED_DEVICE_PREFER_MSI_BIT	1
 
 #define ASSIGNED_DEVICE_USE_IOMMU_MASK	(1 << ASSIGNED_DEVICE_USE_IOMMU_BIT)
+#define ASSIGNED_DEVICE_PREFER_MSI_MASK	(1 << ASSIGNED_DEVICE_PREFER_MSI_BIT)
 
 typedef struct AssignedDevice {
     PCIDevice dev;
commit 3d6c783ab0a84a4a51fda7acec2c9858e9b4c51c
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Nov 2 15:55:34 2010 +0100

    pci-assign: Convert iommu property to booleam
    
    Defining the iommu property as an integer opens the door for confusion
    (Is it an index or a switch?). Fix this by converting it to a bit
    property that can be on or off, nothing else.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 2605bd1..349e864 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -902,7 +902,7 @@ static int assign_device(AssignedDevice *dev)
 
 #ifdef KVM_CAP_IOMMU
     /* We always enable the IOMMU unless disabled on the command line */
-    if (dev->use_iommu) {
+    if (dev->features & ASSIGNED_DEVICE_USE_IOMMU_MASK) {
         if (!kvm_check_extension(kvm_state, KVM_CAP_IOMMU)) {
             fprintf(stderr, "No IOMMU found.  Unable to assign device \"%s\"\n",
                     dev->dev.qdev.id);
@@ -911,7 +911,7 @@ static int assign_device(AssignedDevice *dev)
         assigned_dev_data.flags |= KVM_DEV_ASSIGN_ENABLE_IOMMU;
     }
 #else
-    dev->use_iommu = 0;
+    dev->features &= ~ASSIGNED_DEVICE_USE_IOMMU_MASK;
 #endif
 
     r = kvm_assign_pci_device(kvm_context, &assigned_dev_data);
@@ -1538,7 +1538,8 @@ static PCIDeviceInfo assign_info = {
     .config_write = assigned_dev_pci_write_config,
     .qdev.props   = (Property[]) {
         DEFINE_PROP("host", AssignedDevice, host, qdev_prop_hostaddr, PCIHostDevice),
-        DEFINE_PROP_UINT32("iommu", AssignedDevice, use_iommu, 1),
+        DEFINE_PROP_BIT("iommu", AssignedDevice, features,
+                        ASSIGNED_DEVICE_USE_IOMMU_BIT, true),
         DEFINE_PROP_STRING("configfd", AssignedDevice, configfd_name),
         DEFINE_PROP_END_OF_LIST(),
     },
diff --git a/hw/device-assignment.h b/hw/device-assignment.h
index 2f5fa17..4eb5835 100644
--- a/hw/device-assignment.h
+++ b/hw/device-assignment.h
@@ -74,10 +74,14 @@ typedef struct {
     PCIRegion *region;
 } AssignedDevRegion;
 
+#define ASSIGNED_DEVICE_USE_IOMMU_BIT	0
+
+#define ASSIGNED_DEVICE_USE_IOMMU_MASK	(1 << ASSIGNED_DEVICE_USE_IOMMU_BIT)
+
 typedef struct AssignedDevice {
     PCIDevice dev;
     PCIHostDevice host;
-    uint32_t use_iommu;
+    uint32_t features;
     int intpin;
     uint8_t debug_flags;
     AssignedDevRegion v_addrs[PCI_NUM_REGIONS - 1];
commit 5fc9cfedfa09199e10b5f9b67dcd286bfeae4f7a
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Nov 1 20:02:23 2010 +0100

    Fold send_all() wrapper unix_write() into one function
    
    The current send_all() wrapper for POSIX calls does nothing but call
    unix_write(). Merge them to simplify the code.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-char.c b/qemu-char.c
index 6d2dce7..88997f9 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -508,9 +508,10 @@ int send_all(int fd, const void *buf, int len1)
 
 #else
 
-static int unix_write(int fd, const uint8_t *buf, int len1)
+int send_all(int fd, const void *_buf, int len1)
 {
     int ret, len;
+    const uint8_t *buf = _buf;
 
     len = len1;
     while (len > 0) {
@@ -527,11 +528,6 @@ static int unix_write(int fd, const uint8_t *buf, int len1)
     }
     return len1 - len;
 }
-
-int send_all(int fd, const void *buf, int len1)
-{
-    return unix_write(fd, buf, len1);
-}
 #endif /* !_WIN32 */
 
 #ifndef _WIN32
commit 07de3e60b05d13f255d12f8dfac8e3b1e5e34d7d
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Oct 21 17:15:49 2010 +0200

    Remove obsolete 'f' double parameter type
    
    'f' double is no longer used, and we should be using floating point
    variables to store byte sizes. Remove it.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/monitor.c b/monitor.c
index be8761a..8cee35d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -83,10 +83,6 @@
  *              suffix, which multiplies the value by 2^40 for
  *              suffixes T and t, 2^30 for suffixes G and g, 2^20 for
  *              M and m, 2^10 for K and k
- * 'f'          double
- *              user mode accepts an optional G, g, M, m, K, k suffix,
- *              which multiplies the value by 2^30 for suffixes G and
- *              g, 2^20 for M and m, 2^10 for K and k
  * 'T'          double
  *              user mode accepts an optional ms, us, ns suffix,
  *              which divides the value by 1e3, 1e6, 1e9, respectively
@@ -3731,7 +3727,6 @@ static const mon_cmd_t *monitor_parse_command(Monitor *mon,
                 p = end;
             }
             break;
-        case 'f':
         case 'T':
             {
                 double val;
@@ -3747,17 +3742,7 @@ static const mon_cmd_t *monitor_parse_command(Monitor *mon,
                 if (get_double(mon, &val, &p) < 0) {
                     goto fail;
                 }
-                if (c == 'f' && *p) {
-                    switch (*p) {
-                    case 'K': case 'k':
-                        val *= 1 << 10; p++; break;
-                    case 'M': case 'm':
-                        val *= 1 << 20; p++; break;
-                    case 'G': case 'g':
-                        val *= 1 << 30; p++; break;
-                    }
-                }
-                if (c == 'T' && p[0] && p[1] == 's') {
+                if (p[0] && p[1] == 's') {
                     switch (*p) {
                     case 'm':
                         val /= 1e3; p += 2; break;
@@ -4240,7 +4225,6 @@ static int check_client_args_type(const QDict *client_args,
                 return -1; 
             }
             break;
-        case 'f':
         case 'T':
             if (qobject_type(client_arg) != QTYPE_QINT &&
                 qobject_type(client_arg) != QTYPE_QFLOAT) {
commit ed3d4a8075ac6f2437e100bc063bad82ff3a8671
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Oct 21 17:15:48 2010 +0200

    Switch migrate_set_speed() to take an 'o' argument rather than a float.
    
    Clarify default value of MB in migration speed argument in monitor, if
    no suffix is specified. This differ from previous default of bytes,
    but is consistent with the rest of the places where we accept a size
    argument.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hmp-commands.hx b/hmp-commands.hx
index 81999aa..e5585ba 100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@ -754,9 +754,10 @@ ETEXI
 
     {
         .name       = "migrate_set_speed",
-        .args_type  = "value:f",
+        .args_type  = "value:o",
         .params     = "value",
-        .help       = "set maximum speed (in bytes) for migrations",
+        .help       = "set maximum speed (in bytes) for migrations. "
+	"Defaults to MB if no size suffix is specified, ie. B/K/M/G/T",
         .user_print = monitor_user_noop,
         .mhandler.cmd_new = do_migrate_set_speed,
     },
diff --git a/migration.c b/migration.c
index 468d517..9ee8b17 100644
--- a/migration.c
+++ b/migration.c
@@ -132,10 +132,10 @@ int do_migrate_cancel(Monitor *mon, const QDict *qdict, QObject **ret_data)
 
 int do_migrate_set_speed(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
-    double d;
+    int64_t d;
     FdMigrationState *s;
 
-    d = qdict_get_double(qdict, "value");
+    d = qdict_get_int(qdict, "value");
     d = MAX(0, MIN(UINT32_MAX, d));
     max_throttle = d;
 
commit dbc0c67faff9f44ff6917eb4157a9c471902a453
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Oct 21 17:15:47 2010 +0200

    Add support for 'o' octet (bytes) format as monitor parameter.
    
    Octet format relies on strtosz which supports K/k, M/m, G/g, T/t
    suffixes and unit support for humans, like 1.3G
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/monitor.c b/monitor.c
index 61607c5..be8761a 100644
--- a/monitor.c
+++ b/monitor.c
@@ -78,6 +78,11 @@
  * 'l'          target long (32 or 64 bit)
  * 'M'          just like 'l', except in user mode the value is
  *              multiplied by 2^20 (think Mebibyte)
+ * 'o'          octets (aka bytes)
+ *              user mode accepts an optional T, t, G, g, M, m, K, k
+ *              suffix, which multiplies the value by 2^40 for
+ *              suffixes T and t, 2^30 for suffixes G and g, 2^20 for
+ *              M and m, 2^10 for K and k
  * 'f'          double
  *              user mode accepts an optional G, g, M, m, K, k suffix,
  *              which multiplies the value by 2^30 for suffixes G and
@@ -3703,6 +3708,29 @@ static const mon_cmd_t *monitor_parse_command(Monitor *mon,
                 qdict_put(qdict, key, qint_from_int(val));
             }
             break;
+        case 'o':
+            {
+                ssize_t val;
+                char *end;
+
+                while (qemu_isspace(*p)) {
+                    p++;
+                }
+                if (*typestr == '?') {
+                    typestr++;
+                    if (*p == '\0') {
+                        break;
+                    }
+                }
+                val = strtosz(p, &end);
+                if (val < 0) {
+                    monitor_printf(mon, "invalid size\n");
+                    goto fail;
+                }
+                qdict_put(qdict, key, qint_from_int(val));
+                p = end;
+            }
+            break;
         case 'f':
         case 'T':
             {
@@ -4205,6 +4233,7 @@ static int check_client_args_type(const QDict *client_args,
         case 'i':
         case 'l':
         case 'M':
+        case 'o':
             if (qobject_type(client_arg) != QTYPE_QINT) {
                 qerror_report(QERR_INVALID_PARAMETER_TYPE, client_arg_name,
                               "int");
commit 9f9b17a4f0865286391e4d3a0a735230122a2289
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Thu Oct 21 17:15:46 2010 +0200

    Introduce strtosz() library function to convert a string to a byte count.
    
    strtosz() returns -1 on error. It now supports human unit formats in
    eg. 1.0G, with better error handling.
    
    The following suffixes are supported:
    B/b = bytes
    K/k = KB
    M/m = MB
    G/g = GB
    T/t = TB
    
    This patch changes -numa and -m input to use strtosz().
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/cutils.c b/cutils.c
index 5883737..28089aa 100644
--- a/cutils.c
+++ b/cutils.c
@@ -23,6 +23,7 @@
  */
 #include "qemu-common.h"
 #include "host-utils.h"
+#include <math.h>
 
 void pstrcpy(char *buf, int buf_size, const char *str)
 {
@@ -283,3 +284,90 @@ int fcntl_setfl(int fd, int flag)
 }
 #endif
 
+/*
+ * Convert string to bytes, allowing either B/b for bytes, K/k for KB,
+ * M/m for MB, G/g for GB or T/t for TB. Default without any postfix
+ * is MB. End pointer will be returned in *end, if not NULL. A valid
+ * value must be terminated by whitespace, ',' or '\0'. Return -1 on
+ * error.
+ */
+ssize_t strtosz(const char *nptr, char **end)
+{
+    ssize_t retval = -1;
+    char *endptr, c;
+    int mul_required = 0;
+    double val, mul, integral, fraction;
+
+    errno = 0;
+    val = strtod(nptr, &endptr);
+    if (isnan(val) || endptr == nptr || errno != 0) {
+        goto fail;
+    }
+    integral = modf(val, &fraction);
+    if (integral != 0) {
+        mul_required = 1;
+    }
+    /*
+     * Any whitespace character is fine for terminating the number,
+     * in addition we accept ',' to handle strings where the size is
+     * part of a multi token argument.
+     */
+    c = *endptr;
+    if (isspace(c) || c == '\0' || c == ',') {
+        c = 0;
+    }
+    switch (c) {
+    case 'B':
+    case 'b':
+        mul = 1;
+        if (mul_required) {
+            goto fail;
+        }
+        break;
+    case 'K':
+    case 'k':
+        mul = 1 << 10;
+        break;
+    case 0:
+        if (mul_required) {
+            goto fail;
+        }
+    case 'M':
+    case 'm':
+        mul = 1ULL << 20;
+        break;
+    case 'G':
+    case 'g':
+        mul = 1ULL << 30;
+        break;
+    case 'T':
+    case 't':
+        mul = 1ULL << 40;
+        break;
+    default:
+        goto fail;
+    }
+    /*
+     * If not terminated by whitespace, ',', or \0, increment endptr
+     * to point to next character, then check that we are terminated
+     * by an appropriate separating character, ie. whitespace, ',', or
+     * \0. If not, we are seeing trailing garbage, thus fail.
+     */
+    if (c != 0) {
+        endptr++;
+        if (!isspace(*endptr) && *endptr != ',' && *endptr != 0) {
+            goto fail;
+        }
+    }
+    if ((val * mul >= ~(size_t)0) || val < 0) {
+        goto fail;
+    }
+    retval = val * mul;
+
+fail:
+    if (end) {
+        *end = endptr;
+    }
+
+    return retval;
+}
diff --git a/qemu-common.h b/qemu-common.h
index 21fc3a5..b3957f1 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -149,6 +149,7 @@ time_t mktimegm(struct tm *tm);
 int qemu_fls(int i);
 int qemu_fdatasync(int fd);
 int fcntl_setfl(int fd, int flag);
+ssize_t strtosz(const char *nptr, char **end);
 
 /* path.c */
 void init_paths(const char *prefix);
diff --git a/vl.c b/vl.c
index 7038952..c58583d 100644
--- a/vl.c
+++ b/vl.c
@@ -710,16 +710,13 @@ static void numa_add(const char *optarg)
         if (get_param_value(option, 128, "mem", optarg) == 0) {
             node_mem[nodenr] = 0;
         } else {
-            value = strtoull(option, &endptr, 0);
-            switch (*endptr) {
-            case 0: case 'M': case 'm':
-                value <<= 20;
-                break;
-            case 'G': case 'g':
-                value <<= 30;
-                break;
+            ssize_t sval;
+            sval = strtosz(option, NULL);
+            if (sval < 0) {
+                fprintf(stderr, "qemu: invalid numa mem size: %s\n", optarg);
+                exit(1);
             }
-            node_mem[nodenr] = value;
+            node_mem[nodenr] = sval;
         }
         if (get_param_value(option, 128, "cpus", optarg) == 0) {
             node_cpumask[nodenr] = 0;
@@ -2139,18 +2136,10 @@ int main(int argc, char **argv, char **envp)
                 exit(0);
                 break;
             case QEMU_OPTION_m: {
-                uint64_t value;
-                char *ptr;
+                ssize_t value;
 
-                value = strtoul(optarg, &ptr, 10);
-                switch (*ptr) {
-                case 0: case 'M': case 'm':
-                    value <<= 20;
-                    break;
-                case 'G': case 'g':
-                    value <<= 30;
-                    break;
-                default:
+                value = strtosz(optarg, NULL);
+                if (value < 0) {
                     fprintf(stderr, "qemu: invalid ram size: %s\n", optarg);
                     exit(1);
                 }
commit 8160019d5f2274916125faef29d2dd2051edca03
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 25 21:10:10 2010 -0200

    qemu-kvm-x86: fix e820 reservation
    
    e820 reserved range should start at 0xfeffc000, which includes
    the EPT identity page, not 0xfeffd000.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index ec7d419..20b7d6d 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -32,13 +32,6 @@ extern unsigned int kvm_shadow_memory;
 int kvm_set_tss_addr(kvm_context_t kvm, unsigned long addr)
 {
     int r;
-    /*
-     * Tell fw_cfg to notify the BIOS to reserve the range.
-     */
-    if (e820_add_entry(addr, 0x4000, E820_RESERVED) < 0) {
-        perror("e820_add_entry() table is full");
-        exit(1);
-    }
 
     r = kvm_vm_ioctl(kvm_state, KVM_SET_TSS_ADDR, addr);
     if (r < 0) {
@@ -146,6 +139,14 @@ int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
         return r;
     }
 
+    /*
+     * Tell fw_cfg to notify the BIOS to reserve the range.
+     */
+    if (e820_add_entry(0xfeffc000, 0x4000, E820_RESERVED) < 0) {
+        perror("e820_add_entry() table is full");
+        exit(1);
+    }
+
     r = kvm_create_pit(kvm);
     if (r < 0) {
         return r;
commit 28752f4661e7f73cc972fcf507c633e415f669e5
Author: Tim Pepper <lnxninja at linux.vnet.ibm.com>
Date:   Tue Oct 26 10:52:00 2010 -0700

    extraneous allocation in qemu-kvm's hw/pc_piix.c
    
    While doing some source review I noticed what appears to be
    an extraneous call to pc_allocate_cpu_irq() in qemu-kvm and
    which does not appear in qemu.  From the git history it almost
    looks like b725a661eb38c93086e0b98f626a3864ae8651b8 mis-merged
    845773ab03a8dde681ff1b929bbb41e67d0131a6?  At any rate qemu-kvm got
    patched differently than qemu for the piix split out and this line
    appears to allocate something which then goes unused.
    
    Signed-off-by: Tim Pepper <lnxninja at linux.vnet.ibm.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 3d07ce5..781d5ad 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -128,7 +128,6 @@ static void pc_init1(ram_addr_t ram_size,
     isa_bus_irqs(isa_irq);
 
     pc_register_ferr_irq(isa_reserve_irq(13));
-    cpu_irq = pc_allocate_cpu_irq();
 
     pc_vga_init(pci_enabled? pci_bus: NULL);
 
commit 332669e82c6703ac77c43d066431fc60d6a61b52
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Nov 3 10:30:38 2010 -0200

    Fix -M isapc segfault
    
    Reported-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/apic.c b/hw/apic.c
index 1dd94b1..04ff36a 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -955,6 +955,10 @@ void kvm_load_lapic(CPUState *env)
 #ifdef KVM_CAP_IRQCHIP
     APICState *s = DO_UPCAST(APICState, busdev.qdev, env->apic_state);
 
+    if (!s) {
+        return;
+    }
+
     if (kvm_enabled() && kvm_irqchip_in_kernel()) {
         kvm_kernel_lapic_load_from_user(s);
     }
@@ -966,6 +970,10 @@ void kvm_save_lapic(CPUState *env)
 #ifdef KVM_CAP_IRQCHIP
     APICState *s = DO_UPCAST(APICState, busdev.qdev, env->apic_state);
 
+    if (!s) {
+        return;
+    }
+
     if (kvm_enabled() && kvm_irqchip_in_kernel()) {
         kvm_kernel_lapic_save_to_user(s);
     }
commit 7466bc49107fbd84336ba680f860d5eadd6def13
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Oct 14 16:55:01 2010 +0200

    spice-display: replace private lock with qemu mutex.
    
    qemu_spice_create_update() must aquire the global qemu mutex to
    make sure DisplayState doesn't change while we are accessing it.
    
    Once this is in place the private lock is pretty pointless as
    everything it protects is covered by the global qemu mutex now.
    Drop it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 7b4f5c1..020b423 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -64,10 +64,10 @@ void qemu_spice_rect_union(QXLRect *dest, const QXLRect *r)
 
 /*
  * Called from spice server thread context (via interface_get_command).
- * We do *not* hold the global qemu mutex here, so extra care is needed
- * when calling qemu functions.  Qemu interfaces used:
- *    - pflib (is re-entrant).
- *    - qemu_malloc (underlying glibc malloc is re-entrant).
+ *
+ * We must aquire the global qemu mutex here to make sure the
+ * DisplayState (+DisplaySurface) we are accessing doesn't change
+ * underneath us.
  */
 SimpleSpiceUpdate *qemu_spice_create_update(SimpleSpiceDisplay *ssd)
 {
@@ -78,11 +78,12 @@ SimpleSpiceUpdate *qemu_spice_create_update(SimpleSpiceDisplay *ssd)
     uint8_t *src, *dst;
     int by, bw, bh;
 
+    qemu_mutex_lock_iothread();
     if (qemu_spice_rect_is_empty(&ssd->dirty)) {
+        qemu_mutex_unlock_iothread();
         return NULL;
     };
 
-    pthread_mutex_lock(&ssd->lock);
     dprint(2, "%s: lr %d -> %d,  tb -> %d -> %d\n", __FUNCTION__,
            ssd->dirty.left, ssd->dirty.right,
            ssd->dirty.top, ssd->dirty.bottom);
@@ -140,7 +141,7 @@ SimpleSpiceUpdate *qemu_spice_create_update(SimpleSpiceDisplay *ssd)
     cmd->data = (intptr_t)drawable;
 
     memset(&ssd->dirty, 0, sizeof(ssd->dirty));
-    pthread_mutex_unlock(&ssd->lock);
+    qemu_mutex_unlock_iothread();
     return update;
 }
 
@@ -184,14 +185,19 @@ void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd)
     surface.type       = 0;
     surface.mem        = (intptr_t)ssd->buf;
     surface.group_id   = MEMSLOT_GROUP_HOST;
+
+    qemu_mutex_unlock_iothread();
     ssd->worker->create_primary_surface(ssd->worker, 0, &surface);
+    qemu_mutex_lock_iothread();
 }
 
 void qemu_spice_destroy_host_primary(SimpleSpiceDisplay *ssd)
 {
     dprint(1, "%s:\n", __FUNCTION__);
 
+    qemu_mutex_unlock_iothread();
     ssd->worker->destroy_primary_surface(ssd->worker, 0);
+    qemu_mutex_lock_iothread();
 }
 
 void qemu_spice_vm_change_state_handler(void *opaque, int running, int reason)
@@ -201,7 +207,9 @@ void qemu_spice_vm_change_state_handler(void *opaque, int running, int reason)
     if (running) {
         ssd->worker->start(ssd->worker);
     } else {
+        qemu_mutex_unlock_iothread();
         ssd->worker->stop(ssd->worker);
+        qemu_mutex_lock_iothread();
     }
     ssd->running = running;
 }
@@ -219,31 +227,25 @@ void qemu_spice_display_update(SimpleSpiceDisplay *ssd,
     update_area.top = y;
     update_area.bottom = y + h;
 
-    pthread_mutex_lock(&ssd->lock);
     if (qemu_spice_rect_is_empty(&ssd->dirty)) {
         ssd->notify++;
     }
     qemu_spice_rect_union(&ssd->dirty, &update_area);
-    pthread_mutex_unlock(&ssd->lock);
 }
 
 void qemu_spice_display_resize(SimpleSpiceDisplay *ssd)
 {
     dprint(1, "%s:\n", __FUNCTION__);
 
-    pthread_mutex_lock(&ssd->lock);
     memset(&ssd->dirty, 0, sizeof(ssd->dirty));
     qemu_pf_conv_put(ssd->conv);
     ssd->conv = NULL;
-    pthread_mutex_unlock(&ssd->lock);
 
     qemu_spice_destroy_host_primary(ssd);
     qemu_spice_create_host_primary(ssd);
 
-    pthread_mutex_lock(&ssd->lock);
     memset(&ssd->dirty, 0, sizeof(ssd->dirty));
     ssd->notify++;
-    pthread_mutex_unlock(&ssd->lock);
 }
 
 void qemu_spice_display_refresh(SimpleSpiceDisplay *ssd)
@@ -398,7 +400,6 @@ void qemu_spice_display_init(DisplayState *ds)
     sdpy.ds = ds;
     sdpy.bufsize = (16 * 1024 * 1024);
     sdpy.buf = qemu_malloc(sdpy.bufsize);
-    pthread_mutex_init(&sdpy.lock, NULL);
     register_displaychangelistener(ds, &display_listener);
 
     sdpy.qxl.base.sif = &dpy_interface.base;
diff --git a/ui/spice-display.h b/ui/spice-display.h
index e17671c..aef0464 100644
--- a/ui/spice-display.h
+++ b/ui/spice-display.h
@@ -40,7 +40,6 @@ typedef struct SimpleSpiceDisplay {
     uint32_t unique;
     QemuPfConv *conv;
 
-    pthread_mutex_t lock;
     QXLRect dirty;
     int notify;
     int running;
commit f61d69607d58a81944a4bfcfc1f260d09a686460
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 2 12:21:50 2010 +0100

    spice-core: fix warning when building with spice < 0.6.0
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/spice-core.c b/ui/spice-core.c
index 45807ed..e97a72d 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -240,7 +240,7 @@ void qemu_spice_init(void)
     char *x509_key_file = NULL,
         *x509_cert_file = NULL,
         *x509_cacert_file = NULL;
-    int port, tls_port, len, addr_flags, streaming_video;
+    int port, tls_port, len, addr_flags;
     spice_image_compression_t compression;
     spice_wan_compression_t wan_compr;
 
@@ -344,7 +344,7 @@ void qemu_spice_init(void)
 
     str = qemu_opt_get(opts, "streaming-video");
     if (str) {
-        streaming_video = parse_stream_video(str);
+        int streaming_video = parse_stream_video(str);
         spice_server_set_streaming_video(spice_server, streaming_video);
     }
 
commit 3d6d306c104abe37610184f12e9342fcbc078395
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Fri Oct 15 09:47:53 2010 +0200

    spice-core: fix watching for write events
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/spice-core.c b/ui/spice-core.c
index 6a1cf17..45807ed 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -95,7 +95,7 @@ static void watch_update_mask(SpiceWatch *watch, int event_mask)
         on_read = watch_read;
     }
     if (watch->event_mask & SPICE_WATCH_EVENT_WRITE) {
-        on_read = watch_write;
+        on_write = watch_write;
     }
     qemu_set_fd_handler(watch->fd, on_read, on_write, watch);
 }
commit 7d72e76228351d18a856f1e4f5365b59d3205dc3
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Nov 1 16:57:48 2010 +0100

    intel-hda: documentation update
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/qemu-doc.texi b/qemu-doc.texi
index c376529..7ce8999 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -200,6 +200,8 @@ ENSONIQ AudioPCI ES1370 sound card
 @item
 Intel 82801AA AC97 Audio compatible sound card
 @item
+Intel HD Audio Controller and HDA codec
+ at item
 Adlib(OPL2) - Yamaha YM3812 compatible chip
 @item
 Gravis Ultrasound GF1 sound card
diff --git a/qemu-options.hx b/qemu-options.hx
index 9e38dfb..4d99a58 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -393,6 +393,7 @@ available sound hardware.
 qemu -soundhw sb16,adlib disk.img
 qemu -soundhw es1370 disk.img
 qemu -soundhw ac97 disk.img
+qemu -soundhw hda disk.img
 qemu -soundhw all disk.img
 qemu -soundhw ?
 @end example
commit e14056ad0573282513f15081be0ce9dc51e09426
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Mon Nov 1 18:09:38 2010 +0000

    Fix out of tree build
    
    df2943ba3c73ca21dbda063f15fa3e80064af864 broke out of tree build.
    
    Fix breakage by adding $(SRC_PATH).
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index ec8a6bc..02698e9 100644
--- a/Makefile
+++ b/Makefile
@@ -71,7 +71,7 @@ build-all: $(DOCS) $(TOOLS) recurse-all
 
 config-host.h: config-host.h-timestamp
 config-host.h-timestamp: config-host.mak
-qemu-options.def: qemu-options.hx
+qemu-options.def: $(SRC_PATH)/qemu-options.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
 
 SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
commit 2d8418ba8a3ab976fd7f9749f24aab8408643a02
Merge: 4f25ac5... 84a23f2...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Nov 1 13:02:56 2010 -0500

    Merge remote branch 'spice/config.2' into staging

commit 4f25ac5f425d435d0c841ab876adfb541cb521a3
Merge: 9fe5497... b907b69...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Nov 1 10:33:45 2010 -0500

    Merge remote branch 'mst/for_anthony' into staging

commit 9fe5497c4f5425c6d593c3f038e8e5bffc32edd6
Author: malc <av1474 at comtv.ru>
Date:   Mon Nov 1 17:44:23 2010 +0300

    hda-audio: Zap tabs
    
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/hda-audio.c b/hw/hda-audio.c
index a21f9a1..1035774 100644
--- a/hw/hda-audio.c
+++ b/hw/hda-audio.c
@@ -559,9 +559,9 @@ static void hda_audio_set_amp(HDAAudioStream *st)
     right = right * 255 / QEMU_HDA_AMP_STEPS;
 
     if (st->output) {
-	AUD_set_volume_out(st->voice.out, muted, left, right);
+        AUD_set_volume_out(st->voice.out, muted, left, right);
     } else {
-	AUD_set_volume_in(st->voice.in, muted, left, right);
+        AUD_set_volume_in(st->voice.in, muted, left, right);
     }
 }
 
commit d61a4ce8f01ac9f1810380e043db467d536eeb6b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Nov 1 13:05:32 2010 +0100

    Add Intel HD Audio support to qemu.
    
    This patch adds three devices to qemu:
    
    intel-hda
    	Intel HD Audio Controller, the PCI device.  Provides a HDA bus.
    	Emulates ICH6 at the moment.  Adding a ICH9 PCIE
    	variant shouldn't be hard.
    
    hda-duplex
    	HDA Codec.  Attaches to the HDA bus.  Supports 16bit stereo,
    	rates 16k -> 96k, playback, recording and volume control
    	(with CONFIG_MIXEMU=y).
    
    hda-output
    	HDA Codec without recording support.  Subset of the hda-duplex
    	codec.  Use this if you don't want your guests access your mic.
    
    Usage: add '-device intel-hda -device hda-duplex' to your command line.
    
    Tested guests:
     * Linux works.
     * Win7 works.
     * DOS (mpxplay) works.
     * WinXP doesn't work.
    
    [ v2 changes ]
     * Fixed endianess, big endian hosts work now.
     * Fixed some emulation bugs.
     * Added immediate command emulation.
     * Added vmstate support.
     * Make it behave like all other sound card drivers:
       - can be configured via '--audio-card-list=hda'
       - can be added to a VM using '-soundhw hda'
     * Code style fixups.
     * Zapped guest-triggerable asserts.
     * Handle partial reads/writes of audio data correctly.
    
    Cc: malc <av1474 at comtv.ru>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/Makefile.objs b/Makefile.objs
index c88e82d..0f9142f 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -253,6 +253,7 @@ sound-obj-$(CONFIG_AC97) += ac97.o
 sound-obj-$(CONFIG_ADLIB) += fmopl.o adlib.o
 sound-obj-$(CONFIG_GUS) += gus.o gusemu_hal.o gusemu_mixer.o
 sound-obj-$(CONFIG_CS4231A) += cs4231a.o
+sound-obj-$(CONFIG_HDA) += intel-hda.o hda-audio.o
 
 adlib.o fmopl.o: QEMU_CFLAGS += -DBUILD_Y8950=0
 hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
diff --git a/arch_init.c b/arch_init.c
index a910033..cea3c8b 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -499,6 +499,16 @@ struct soundhw soundhw[] = {
     },
 #endif
 
+#ifdef CONFIG_HDA
+    {
+        "hda",
+        "Intel HD Audio",
+        0,
+        0,
+        { .init_pci = intel_hda_and_codec_init }
+    },
+#endif
+
 #endif /* HAS_AUDIO_CHOICE */
 
     { NULL, NULL, 0, 0, { NULL } }
diff --git a/configure b/configure
index f62c1fe..7025d2b 100755
--- a/configure
+++ b/configure
@@ -76,8 +76,8 @@ sparc_cpu=""
 cross_prefix=""
 cc="gcc"
 audio_drv_list=""
-audio_card_list="ac97 es1370 sb16"
-audio_possible_cards="ac97 es1370 sb16 cs4231a adlib gus"
+audio_card_list="ac97 es1370 sb16 hda"
+audio_possible_cards="ac97 es1370 sb16 cs4231a adlib gus hda"
 block_drv_whitelist=""
 host_cc="gcc"
 ar="ar"
diff --git a/hw/audiodev.h b/hw/audiodev.h
index 39a729b..8e930b2 100644
--- a/hw/audiodev.h
+++ b/hw/audiodev.h
@@ -15,3 +15,6 @@ int ac97_init(PCIBus *buf);
 
 /* cs4231a.c */
 int cs4231a_init(qemu_irq *pic);
+
+/* intel-hda.c + hda-audio.c */
+int intel_hda_and_codec_init(PCIBus *bus);
diff --git a/hw/hda-audio.c b/hw/hda-audio.c
new file mode 100644
index 0000000..a21f9a1
--- /dev/null
+++ b/hw/hda-audio.c
@@ -0,0 +1,902 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * written by Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "hw.h"
+#include "pci.h"
+#include "intel-hda.h"
+#include "intel-hda-defs.h"
+#include "audio/audio.h"
+
+/* -------------------------------------------------------------------------- */
+
+typedef struct desc_param {
+    uint32_t id;
+    uint32_t val;
+} desc_param;
+
+typedef struct desc_node {
+    uint32_t nid;
+    const char *name;
+    const desc_param *params;
+    uint32_t nparams;
+    uint32_t config;
+    uint32_t pinctl;
+    uint32_t *conn;
+    uint32_t stindex;
+} desc_node;
+
+typedef struct desc_codec {
+    const char *name;
+    uint32_t iid;
+    const desc_node *nodes;
+    uint32_t nnodes;
+} desc_codec;
+
+static const desc_param* hda_codec_find_param(const desc_node *node, uint32_t id)
+{
+    int i;
+
+    for (i = 0; i < node->nparams; i++) {
+        if (node->params[i].id == id) {
+            return &node->params[i];
+        }
+    }
+    return NULL;
+}
+
+static const desc_node* hda_codec_find_node(const desc_codec *codec, uint32_t nid)
+{
+    int i;
+
+    for (i = 0; i < codec->nnodes; i++) {
+        if (codec->nodes[i].nid == nid) {
+            return &codec->nodes[i];
+        }
+    }
+    return NULL;
+}
+
+static void hda_codec_parse_fmt(uint32_t format, struct audsettings *as)
+{
+    if (format & AC_FMT_TYPE_NON_PCM) {
+        return;
+    }
+
+    as->freq = (format & AC_FMT_BASE_44K) ? 44100 : 48000;
+
+    switch ((format & AC_FMT_MULT_MASK) >> AC_FMT_MULT_SHIFT) {
+    case 1: as->freq *= 2; break;
+    case 2: as->freq *= 3; break;
+    case 3: as->freq *= 4; break;
+    }
+
+    switch ((format & AC_FMT_DIV_MASK) >> AC_FMT_DIV_SHIFT) {
+    case 1: as->freq /= 2; break;
+    case 2: as->freq /= 3; break;
+    case 3: as->freq /= 4; break;
+    case 4: as->freq /= 5; break;
+    case 5: as->freq /= 6; break;
+    case 6: as->freq /= 7; break;
+    case 7: as->freq /= 8; break;
+    }
+
+    switch (format & AC_FMT_BITS_MASK) {
+    case AC_FMT_BITS_8:  as->fmt = AUD_FMT_S8;  break;
+    case AC_FMT_BITS_16: as->fmt = AUD_FMT_S16; break;
+    case AC_FMT_BITS_32: as->fmt = AUD_FMT_S32; break;
+    }
+
+    as->nchannels = ((format & AC_FMT_CHAN_MASK) >> AC_FMT_CHAN_SHIFT) + 1;
+}
+
+/* -------------------------------------------------------------------------- */
+/*
+ * HDA codec descriptions
+ */
+
+/* some defines */
+
+#define QEMU_HDA_ID_VENDOR  0x1af4
+#define QEMU_HDA_ID_OUTPUT  ((QEMU_HDA_ID_VENDOR << 16) | 0x10)
+#define QEMU_HDA_ID_DUPLEX  ((QEMU_HDA_ID_VENDOR << 16) | 0x20)
+
+#define QEMU_HDA_PCM_FORMATS (AC_SUPPCM_BITS_16 |       \
+                              0x1fc /* 16 -> 96 kHz */)
+#define QEMU_HDA_AMP_NONE    (0)
+#define QEMU_HDA_AMP_STEPS   0x4a
+
+#ifdef CONFIG_MIXEMU
+#define QEMU_HDA_AMP_CAPS                                               \
+    (AC_AMPCAP_MUTE |                                                   \
+     (QEMU_HDA_AMP_STEPS << AC_AMPCAP_OFFSET_SHIFT)    |                \
+     (QEMU_HDA_AMP_STEPS << AC_AMPCAP_NUM_STEPS_SHIFT) |                \
+     (3                  << AC_AMPCAP_STEP_SIZE_SHIFT))
+#else
+#define QEMU_HDA_AMP_CAPS    QEMU_HDA_AMP_NONE
+#endif
+
+/* common: audio output widget */
+static const desc_param common_params_audio_dac[] = {
+    {
+        .id  = AC_PAR_AUDIO_WIDGET_CAP,
+        .val = ((AC_WID_AUD_OUT << AC_WCAP_TYPE_SHIFT) |
+                AC_WCAP_FORMAT_OVRD |
+                AC_WCAP_AMP_OVRD |
+                AC_WCAP_OUT_AMP |
+                AC_WCAP_STEREO),
+    },{
+        .id  = AC_PAR_PCM,
+        .val = QEMU_HDA_PCM_FORMATS,
+    },{
+        .id  = AC_PAR_STREAM,
+        .val = AC_SUPFMT_PCM,
+    },{
+        .id  = AC_PAR_AMP_IN_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_AMP_OUT_CAP,
+        .val = QEMU_HDA_AMP_CAPS,
+    },
+};
+
+/* common: pin widget (line-out) */
+static const desc_param common_params_audio_lineout[] = {
+    {
+        .id  = AC_PAR_AUDIO_WIDGET_CAP,
+        .val = ((AC_WID_PIN << AC_WCAP_TYPE_SHIFT) |
+                AC_WCAP_CONN_LIST |
+                AC_WCAP_STEREO),
+    },{
+        .id  = AC_PAR_PIN_CAP,
+        .val = AC_PINCAP_OUT,
+    },{
+        .id  = AC_PAR_CONNLIST_LEN,
+        .val = 1,
+    },{
+        .id  = AC_PAR_AMP_IN_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_AMP_OUT_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },
+};
+
+/* output: root node */
+static const desc_param output_params_root[] = {
+    {
+        .id  = AC_PAR_VENDOR_ID,
+        .val = QEMU_HDA_ID_OUTPUT,
+    },{
+        .id  = AC_PAR_SUBSYSTEM_ID,
+        .val = QEMU_HDA_ID_OUTPUT,
+    },{
+        .id  = AC_PAR_REV_ID,
+        .val = 0x00100101,
+    },{
+        .id  = AC_PAR_NODE_COUNT,
+        .val = 0x00010001,
+    },
+};
+
+/* output: audio function */
+static const desc_param output_params_audio_func[] = {
+    {
+        .id  = AC_PAR_FUNCTION_TYPE,
+        .val = AC_GRP_AUDIO_FUNCTION,
+    },{
+        .id  = AC_PAR_SUBSYSTEM_ID,
+        .val = QEMU_HDA_ID_OUTPUT,
+    },{
+        .id  = AC_PAR_NODE_COUNT,
+        .val = 0x00020002,
+    },{
+        .id  = AC_PAR_PCM,
+        .val = QEMU_HDA_PCM_FORMATS,
+    },{
+        .id  = AC_PAR_STREAM,
+        .val = AC_SUPFMT_PCM,
+    },{
+        .id  = AC_PAR_AMP_IN_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_AMP_OUT_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_GPIO_CAP,
+        .val = 0,
+    },{
+        .id  = AC_PAR_AUDIO_FG_CAP,
+        .val = 0x00000808,
+    },{
+        .id  = AC_PAR_POWER_STATE,
+        .val = 0,
+    },
+};
+
+/* output: nodes */
+static const desc_node output_nodes[] = {
+    {
+        .nid     = AC_NODE_ROOT,
+        .name    = "root",
+        .params  = output_params_root,
+        .nparams = ARRAY_SIZE(output_params_root),
+    },{
+        .nid     = 1,
+        .name    = "func",
+        .params  = output_params_audio_func,
+        .nparams = ARRAY_SIZE(output_params_audio_func),
+    },{
+        .nid     = 2,
+        .name    = "dac",
+        .params  = common_params_audio_dac,
+        .nparams = ARRAY_SIZE(common_params_audio_dac),
+        .stindex = 0,
+    },{
+        .nid     = 3,
+        .name    = "out",
+        .params  = common_params_audio_lineout,
+        .nparams = ARRAY_SIZE(common_params_audio_lineout),
+        .config  = ((AC_JACK_PORT_COMPLEX << AC_DEFCFG_PORT_CONN_SHIFT) |
+                    (AC_JACK_LINE_OUT     << AC_DEFCFG_DEVICE_SHIFT)    |
+                    (AC_JACK_CONN_UNKNOWN << AC_DEFCFG_CONN_TYPE_SHIFT) |
+                    (AC_JACK_COLOR_GREEN  << AC_DEFCFG_COLOR_SHIFT)     |
+                    0x10),
+        .pinctl  = AC_PINCTL_OUT_EN,
+        .conn    = (uint32_t[]) { 2 },
+    }
+};
+
+/* output: codec */
+static const desc_codec output = {
+    .name   = "output",
+    .iid    = QEMU_HDA_ID_OUTPUT,
+    .nodes  = output_nodes,
+    .nnodes = ARRAY_SIZE(output_nodes),
+};
+
+/* duplex: root node */
+static const desc_param duplex_params_root[] = {
+    {
+        .id  = AC_PAR_VENDOR_ID,
+        .val = QEMU_HDA_ID_DUPLEX,
+    },{
+        .id  = AC_PAR_SUBSYSTEM_ID,
+        .val = QEMU_HDA_ID_DUPLEX,
+    },{
+        .id  = AC_PAR_REV_ID,
+        .val = 0x00100101,
+    },{
+        .id  = AC_PAR_NODE_COUNT,
+        .val = 0x00010001,
+    },
+};
+
+/* duplex: audio input widget */
+static const desc_param duplex_params_audio_adc[] = {
+    {
+        .id  = AC_PAR_AUDIO_WIDGET_CAP,
+        .val = ((AC_WID_AUD_IN << AC_WCAP_TYPE_SHIFT) |
+                AC_WCAP_CONN_LIST |
+                AC_WCAP_FORMAT_OVRD |
+                AC_WCAP_AMP_OVRD |
+                AC_WCAP_IN_AMP |
+                AC_WCAP_STEREO),
+    },{
+        .id  = AC_PAR_CONNLIST_LEN,
+        .val = 1,
+    },{
+        .id  = AC_PAR_PCM,
+        .val = QEMU_HDA_PCM_FORMATS,
+    },{
+        .id  = AC_PAR_STREAM,
+        .val = AC_SUPFMT_PCM,
+    },{
+        .id  = AC_PAR_AMP_IN_CAP,
+        .val = QEMU_HDA_AMP_CAPS,
+    },{
+        .id  = AC_PAR_AMP_OUT_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },
+};
+
+/* duplex: pin widget (line-in) */
+static const desc_param duplex_params_audio_linein[] = {
+    {
+        .id  = AC_PAR_AUDIO_WIDGET_CAP,
+        .val = ((AC_WID_PIN << AC_WCAP_TYPE_SHIFT) |
+                AC_WCAP_STEREO),
+    },{
+        .id  = AC_PAR_PIN_CAP,
+        .val = AC_PINCAP_IN,
+    },{
+        .id  = AC_PAR_AMP_IN_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_AMP_OUT_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },
+};
+
+/* duplex: audio function */
+static const desc_param duplex_params_audio_func[] = {
+    {
+        .id  = AC_PAR_FUNCTION_TYPE,
+        .val = AC_GRP_AUDIO_FUNCTION,
+    },{
+        .id  = AC_PAR_SUBSYSTEM_ID,
+        .val = QEMU_HDA_ID_DUPLEX,
+    },{
+        .id  = AC_PAR_NODE_COUNT,
+        .val = 0x00020004,
+    },{
+        .id  = AC_PAR_PCM,
+        .val = QEMU_HDA_PCM_FORMATS,
+    },{
+        .id  = AC_PAR_STREAM,
+        .val = AC_SUPFMT_PCM,
+    },{
+        .id  = AC_PAR_AMP_IN_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_AMP_OUT_CAP,
+        .val = QEMU_HDA_AMP_NONE,
+    },{
+        .id  = AC_PAR_GPIO_CAP,
+        .val = 0,
+    },{
+        .id  = AC_PAR_AUDIO_FG_CAP,
+        .val = 0x00000808,
+    },{
+        .id  = AC_PAR_POWER_STATE,
+        .val = 0,
+    },
+};
+
+/* duplex: nodes */
+static const desc_node duplex_nodes[] = {
+    {
+        .nid     = AC_NODE_ROOT,
+        .name    = "root",
+        .params  = duplex_params_root,
+        .nparams = ARRAY_SIZE(duplex_params_root),
+    },{
+        .nid     = 1,
+        .name    = "func",
+        .params  = duplex_params_audio_func,
+        .nparams = ARRAY_SIZE(duplex_params_audio_func),
+    },{
+        .nid     = 2,
+        .name    = "dac",
+        .params  = common_params_audio_dac,
+        .nparams = ARRAY_SIZE(common_params_audio_dac),
+        .stindex = 0,
+    },{
+        .nid     = 3,
+        .name    = "out",
+        .params  = common_params_audio_lineout,
+        .nparams = ARRAY_SIZE(common_params_audio_lineout),
+        .config  = ((AC_JACK_PORT_COMPLEX << AC_DEFCFG_PORT_CONN_SHIFT) |
+                    (AC_JACK_LINE_OUT     << AC_DEFCFG_DEVICE_SHIFT)    |
+                    (AC_JACK_CONN_UNKNOWN << AC_DEFCFG_CONN_TYPE_SHIFT) |
+                    (AC_JACK_COLOR_GREEN  << AC_DEFCFG_COLOR_SHIFT)     |
+                    0x10),
+        .pinctl  = AC_PINCTL_OUT_EN,
+        .conn    = (uint32_t[]) { 2 },
+    },{
+        .nid     = 4,
+        .name    = "adc",
+        .params  = duplex_params_audio_adc,
+        .nparams = ARRAY_SIZE(duplex_params_audio_adc),
+        .stindex = 1,
+        .conn    = (uint32_t[]) { 5 },
+    },{
+        .nid     = 5,
+        .name    = "in",
+        .params  = duplex_params_audio_linein,
+        .nparams = ARRAY_SIZE(duplex_params_audio_linein),
+        .config  = ((AC_JACK_PORT_COMPLEX << AC_DEFCFG_PORT_CONN_SHIFT) |
+                    (AC_JACK_LINE_IN      << AC_DEFCFG_DEVICE_SHIFT)    |
+                    (AC_JACK_CONN_UNKNOWN << AC_DEFCFG_CONN_TYPE_SHIFT) |
+                    (AC_JACK_COLOR_RED    << AC_DEFCFG_COLOR_SHIFT)     |
+                    0x20),
+        .pinctl  = AC_PINCTL_IN_EN,
+    }
+};
+
+/* duplex: codec */
+static const desc_codec duplex = {
+    .name   = "duplex",
+    .iid    = QEMU_HDA_ID_DUPLEX,
+    .nodes  = duplex_nodes,
+    .nnodes = ARRAY_SIZE(duplex_nodes),
+};
+
+/* -------------------------------------------------------------------------- */
+
+static const char *fmt2name[] = {
+    [ AUD_FMT_U8  ] = "PCM-U8",
+    [ AUD_FMT_S8  ] = "PCM-S8",
+    [ AUD_FMT_U16 ] = "PCM-U16",
+    [ AUD_FMT_S16 ] = "PCM-S16",
+    [ AUD_FMT_U32 ] = "PCM-U32",
+    [ AUD_FMT_S32 ] = "PCM-S32",
+};
+
+typedef struct HDAAudioState HDAAudioState;
+typedef struct HDAAudioStream HDAAudioStream;
+
+struct HDAAudioStream {
+    HDAAudioState *state;
+    const desc_node *node;
+    bool output, running;
+    uint32_t stream;
+    uint32_t channel;
+    uint32_t format;
+    uint32_t gain_left, gain_right;
+    bool mute_left, mute_right;
+    struct audsettings as;
+    union {
+        SWVoiceIn *in;
+        SWVoiceOut *out;
+    } voice;
+    uint8_t buf[HDA_BUFFER_SIZE];
+    uint32_t bpos;
+};
+
+struct HDAAudioState {
+    HDACodecDevice hda;
+    const char *name;
+
+    QEMUSoundCard card;
+    const desc_codec *desc;
+    HDAAudioStream st[4];
+    bool running[16];
+
+    /* properties */
+    uint32_t debug;
+};
+
+static void hda_audio_input_cb(void *opaque, int avail)
+{
+    HDAAudioStream *st = opaque;
+    int recv = 0;
+    int len;
+    bool rc;
+
+    while (avail - recv >= sizeof(st->buf)) {
+        if (st->bpos != sizeof(st->buf)) {
+            len = AUD_read(st->voice.in, st->buf + st->bpos,
+                           sizeof(st->buf) - st->bpos);
+            st->bpos += len;
+            recv += len;
+            if (st->bpos != sizeof(st->buf)) {
+                break;
+            }
+        }
+        rc = hda_codec_xfer(&st->state->hda, st->stream, false,
+                            st->buf, sizeof(st->buf));
+        if (!rc) {
+            break;
+        }
+        st->bpos = 0;
+    }
+}
+
+static void hda_audio_output_cb(void *opaque, int avail)
+{
+    HDAAudioStream *st = opaque;
+    int sent = 0;
+    int len;
+    bool rc;
+
+    while (avail - sent >= sizeof(st->buf)) {
+        if (st->bpos == sizeof(st->buf)) {
+            rc = hda_codec_xfer(&st->state->hda, st->stream, true,
+                                st->buf, sizeof(st->buf));
+            if (!rc) {
+                break;
+            }
+            st->bpos = 0;
+        }
+        len = AUD_write(st->voice.out, st->buf + st->bpos,
+                        sizeof(st->buf) - st->bpos);
+        st->bpos += len;
+        sent += len;
+        if (st->bpos != sizeof(st->buf)) {
+            break;
+        }
+    }
+}
+
+static void hda_audio_set_running(HDAAudioStream *st, bool running)
+{
+    if (st->node == NULL) {
+        return;
+    }
+    if (st->running == running) {
+        return;
+    }
+    st->running = running;
+    dprint(st->state, 1, "%s: %s (stream %d)\n", st->node->name,
+           st->running ? "on" : "off", st->stream);
+    if (st->output) {
+        AUD_set_active_out(st->voice.out, st->running);
+    } else {
+        AUD_set_active_in(st->voice.in, st->running);
+    }
+}
+
+static void hda_audio_set_amp(HDAAudioStream *st)
+{
+    bool muted;
+    uint32_t left, right;
+
+    if (st->node == NULL) {
+        return;
+    }
+
+    muted = st->mute_left && st->mute_right;
+    left  = st->mute_left  ? 0 : st->gain_left;
+    right = st->mute_right ? 0 : st->gain_right;
+
+    left = left * 255 / QEMU_HDA_AMP_STEPS;
+    right = right * 255 / QEMU_HDA_AMP_STEPS;
+
+    if (st->output) {
+	AUD_set_volume_out(st->voice.out, muted, left, right);
+    } else {
+	AUD_set_volume_in(st->voice.in, muted, left, right);
+    }
+}
+
+static void hda_audio_setup(HDAAudioStream *st)
+{
+    if (st->node == NULL) {
+        return;
+    }
+
+    dprint(st->state, 1, "%s: format: %d x %s @ %d Hz\n",
+           st->node->name, st->as.nchannels,
+           fmt2name[st->as.fmt], st->as.freq);
+
+    if (st->output) {
+        st->voice.out = AUD_open_out(&st->state->card, st->voice.out,
+                                     st->node->name, st,
+                                     hda_audio_output_cb, &st->as);
+    } else {
+        st->voice.in = AUD_open_in(&st->state->card, st->voice.in,
+                                   st->node->name, st,
+                                   hda_audio_input_cb, &st->as);
+    }
+}
+
+static void hda_audio_command(HDACodecDevice *hda, uint32_t nid, uint32_t data)
+{
+    HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
+    HDAAudioStream *st;
+    const desc_node *node = NULL;
+    const desc_param *param;
+    uint32_t verb, payload, response, count, shift;
+
+    if ((data & 0x70000) == 0x70000) {
+        /* 12/8 id/payload */
+        verb = (data >> 8) & 0xfff;
+        payload = data & 0x00ff;
+    } else {
+        /* 4/16 id/payload */
+        verb = (data >> 8) & 0xf00;
+        payload = data & 0xffff;
+    }
+
+    node = hda_codec_find_node(a->desc, nid);
+    if (node == NULL) {
+        goto fail;
+    }
+    dprint(a, 2, "%s: nid %d (%s), verb 0x%x, payload 0x%x\n",
+           __FUNCTION__, nid, node->name, verb, payload);
+
+    switch (verb) {
+    /* all nodes */
+    case AC_VERB_PARAMETERS:
+        param = hda_codec_find_param(node, payload);
+        if (param == NULL) {
+            goto fail;
+        }
+        hda_codec_response(hda, true, param->val);
+        break;
+    case AC_VERB_GET_SUBSYSTEM_ID:
+        hda_codec_response(hda, true, a->desc->iid);
+        break;
+
+    /* all functions */
+    case AC_VERB_GET_CONNECT_LIST:
+        param = hda_codec_find_param(node, AC_PAR_CONNLIST_LEN);
+        count = param ? param->val : 0;
+        response = 0;
+        shift = 0;
+        while (payload < count && shift < 32) {
+            response |= node->conn[payload] << shift;
+            payload++;
+            shift += 8;
+        }
+        hda_codec_response(hda, true, response);
+        break;
+
+    /* pin widget */
+    case AC_VERB_GET_CONFIG_DEFAULT:
+        hda_codec_response(hda, true, node->config);
+        break;
+    case AC_VERB_GET_PIN_WIDGET_CONTROL:
+        hda_codec_response(hda, true, node->pinctl);
+        break;
+    case AC_VERB_SET_PIN_WIDGET_CONTROL:
+        if (node->pinctl != payload) {
+            dprint(a, 1, "unhandled pin control bit\n");
+        }
+        hda_codec_response(hda, true, 0);
+        break;
+
+    /* audio in/out widget */
+    case AC_VERB_SET_CHANNEL_STREAMID:
+        st = a->st + node->stindex;
+        if (st->node == NULL) {
+            goto fail;
+        }
+        hda_audio_set_running(st, false);
+        st->stream = (payload >> 4) & 0x0f;
+        st->channel = payload & 0x0f;
+        dprint(a, 2, "%s: stream %d, channel %d\n",
+               st->node->name, st->stream, st->channel);
+        hda_audio_set_running(st, a->running[st->stream]);
+        hda_codec_response(hda, true, 0);
+        break;
+    case AC_VERB_GET_CONV:
+        st = a->st + node->stindex;
+        if (st->node == NULL) {
+            goto fail;
+        }
+        response = st->stream << 4 | st->channel;
+        hda_codec_response(hda, true, response);
+        break;
+    case AC_VERB_SET_STREAM_FORMAT:
+        st = a->st + node->stindex;
+        if (st->node == NULL) {
+            goto fail;
+        }
+        st->format = payload;
+        hda_codec_parse_fmt(st->format, &st->as);
+        hda_audio_setup(st);
+        hda_codec_response(hda, true, 0);
+        break;
+    case AC_VERB_GET_STREAM_FORMAT:
+        st = a->st + node->stindex;
+        if (st->node == NULL) {
+            goto fail;
+        }
+        hda_codec_response(hda, true, st->format);
+        break;
+    case AC_VERB_GET_AMP_GAIN_MUTE:
+        st = a->st + node->stindex;
+        if (st->node == NULL) {
+            goto fail;
+        }
+        if (payload & AC_AMP_GET_LEFT) {
+            response = st->gain_left | (st->mute_left ? AC_AMP_MUTE : 0);
+        } else {
+            response = st->gain_right | (st->mute_right ? AC_AMP_MUTE : 0);
+        }
+        hda_codec_response(hda, true, response);
+        break;
+    case AC_VERB_SET_AMP_GAIN_MUTE:
+        st = a->st + node->stindex;
+        if (st->node == NULL) {
+            goto fail;
+        }
+        dprint(a, 1, "amp (%s): %s%s%s%s index %d  gain %3d %s\n",
+               st->node->name,
+               (payload & AC_AMP_SET_OUTPUT) ? "o" : "-",
+               (payload & AC_AMP_SET_INPUT)  ? "i" : "-",
+               (payload & AC_AMP_SET_LEFT)   ? "l" : "-",
+               (payload & AC_AMP_SET_RIGHT)  ? "r" : "-",
+               (payload & AC_AMP_SET_INDEX) >> AC_AMP_SET_INDEX_SHIFT,
+               (payload & AC_AMP_GAIN),
+               (payload & AC_AMP_MUTE) ? "muted" : "");
+        if (payload & AC_AMP_SET_LEFT) {
+            st->gain_left = payload & AC_AMP_GAIN;
+            st->mute_left = payload & AC_AMP_MUTE;
+        }
+        if (payload & AC_AMP_SET_RIGHT) {
+            st->gain_right = payload & AC_AMP_GAIN;
+            st->mute_right = payload & AC_AMP_MUTE;
+        }
+        hda_audio_set_amp(st);
+        hda_codec_response(hda, true, 0);
+        break;
+
+    /* not supported */
+    case AC_VERB_SET_POWER_STATE:
+    case AC_VERB_GET_POWER_STATE:
+    case AC_VERB_GET_SDI_SELECT:
+        hda_codec_response(hda, true, 0);
+        break;
+    default:
+        goto fail;
+    }
+    return;
+
+fail:
+    dprint(a, 1, "%s: not handled: nid %d (%s), verb 0x%x, payload 0x%x\n",
+           __FUNCTION__, nid, node ? node->name : "?", verb, payload);
+    hda_codec_response(hda, true, 0);
+}
+
+static void hda_audio_stream(HDACodecDevice *hda, uint32_t stnr, bool running)
+{
+    HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
+    int s;
+
+    a->running[stnr] = running;
+    for (s = 0; s < ARRAY_SIZE(a->st); s++) {
+        if (a->st[s].node == NULL) {
+            continue;
+        }
+        if (a->st[s].stream != stnr) {
+            continue;
+        }
+        hda_audio_set_running(&a->st[s], running);
+    }
+}
+
+static int hda_audio_init(HDACodecDevice *hda, const struct desc_codec *desc)
+{
+    HDAAudioState *a = DO_UPCAST(HDAAudioState, hda, hda);
+    HDAAudioStream *st;
+    const desc_node *node;
+    const desc_param *param;
+    uint32_t i, type;
+
+    a->desc = desc;
+    a->name = a->hda.qdev.info->name;
+    dprint(a, 1, "%s: cad %d\n", __FUNCTION__, a->hda.cad);
+
+    AUD_register_card("hda", &a->card);
+    for (i = 0; i < a->desc->nnodes; i++) {
+        node = a->desc->nodes + i;
+        param = hda_codec_find_param(node, AC_PAR_AUDIO_WIDGET_CAP);
+        if (NULL == param)
+            continue;
+        type = (param->val & AC_WCAP_TYPE) >> AC_WCAP_TYPE_SHIFT;
+        switch (type) {
+        case AC_WID_AUD_OUT:
+        case AC_WID_AUD_IN:
+            assert(node->stindex < ARRAY_SIZE(a->st));
+            st = a->st + node->stindex;
+            st->state = a;
+            st->node = node;
+            if (type == AC_WID_AUD_OUT) {
+                /* unmute output by default */
+                st->gain_left = QEMU_HDA_AMP_STEPS;
+                st->gain_right = QEMU_HDA_AMP_STEPS;
+                st->bpos = sizeof(st->buf);
+                st->output = true;
+            } else {
+                st->output = false;
+            }
+            st->format = AC_FMT_TYPE_PCM | AC_FMT_BITS_16 |
+                (1 << AC_FMT_CHAN_SHIFT);
+            hda_codec_parse_fmt(st->format, &st->as);
+            hda_audio_setup(st);
+            break;
+        }
+    }
+    return 0;
+}
+
+static int hda_audio_post_load(void *opaque, int version)
+{
+    HDAAudioState *a = opaque;
+    HDAAudioStream *st;
+    int i;
+
+    dprint(a, 1, "%s\n", __FUNCTION__);
+    for (i = 0; i < ARRAY_SIZE(a->st); i++) {
+        st = a->st + i;
+        if (st->node == NULL)
+            continue;
+        hda_codec_parse_fmt(st->format, &st->as);
+        hda_audio_setup(st);
+        hda_audio_set_amp(st);
+        hda_audio_set_running(st, a->running[st->stream]);
+    }
+    return 0;
+}
+
+static const VMStateDescription vmstate_hda_audio_stream = {
+    .name = "hda-audio-stream",
+    .version_id = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT32(stream, HDAAudioStream),
+        VMSTATE_UINT32(channel, HDAAudioStream),
+        VMSTATE_UINT32(format, HDAAudioStream),
+        VMSTATE_UINT32(gain_left, HDAAudioStream),
+        VMSTATE_UINT32(gain_right, HDAAudioStream),
+        VMSTATE_BOOL(mute_left, HDAAudioStream),
+        VMSTATE_BOOL(mute_right, HDAAudioStream),
+        VMSTATE_UINT32(bpos, HDAAudioStream),
+        VMSTATE_BUFFER(buf, HDAAudioStream),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_hda_audio = {
+    .name = "hda-audio",
+    .version_id = 1,
+    .post_load = hda_audio_post_load,
+    .fields = (VMStateField []) {
+        VMSTATE_STRUCT_ARRAY(st, HDAAudioState, 4, 0,
+                             vmstate_hda_audio_stream,
+                             HDAAudioStream),
+        VMSTATE_BOOL_ARRAY(running, HDAAudioState, 16),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static Property hda_audio_properties[] = {
+    DEFINE_PROP_UINT32("debug", HDAAudioState, debug, 0),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static int hda_audio_init_output(HDACodecDevice *hda)
+{
+    return hda_audio_init(hda, &output);
+}
+
+static int hda_audio_init_duplex(HDACodecDevice *hda)
+{
+    return hda_audio_init(hda, &duplex);
+}
+
+static HDACodecDeviceInfo hda_audio_info_output = {
+    .qdev.name    = "hda-output",
+    .qdev.desc    = "HDA Audio Codec, output-only",
+    .qdev.size    = sizeof(HDAAudioState),
+    .qdev.vmsd    = &vmstate_hda_audio,
+    .qdev.props   = hda_audio_properties,
+    .init         = hda_audio_init_output,
+    .command      = hda_audio_command,
+    .stream       = hda_audio_stream,
+};
+
+static HDACodecDeviceInfo hda_audio_info_duplex = {
+    .qdev.name    = "hda-duplex",
+    .qdev.desc    = "HDA Audio Codec, duplex",
+    .qdev.size    = sizeof(HDAAudioState),
+    .qdev.vmsd    = &vmstate_hda_audio,
+    .qdev.props   = hda_audio_properties,
+    .init         = hda_audio_init_duplex,
+    .command      = hda_audio_command,
+    .stream       = hda_audio_stream,
+};
+
+static void hda_audio_register(void)
+{
+    hda_codec_register(&hda_audio_info_output);
+    hda_codec_register(&hda_audio_info_duplex);
+}
+device_init(hda_audio_register);
diff --git a/hw/intel-hda-defs.h b/hw/intel-hda-defs.h
new file mode 100644
index 0000000..2e37e5b
--- /dev/null
+++ b/hw/intel-hda-defs.h
@@ -0,0 +1,717 @@
+#ifndef HW_INTEL_HDA_DEFS_H
+#define HW_INTEL_HDA_DEFS_H
+
+/* qemu */
+#define HDA_BUFFER_SIZE 256
+
+/* --------------------------------------------------------------------- */
+/* from linux/sound/pci/hda/hda_intel.c                                  */
+
+/*
+ * registers
+ */
+#define ICH6_REG_GCAP			0x00
+#define   ICH6_GCAP_64OK	(1 << 0)   /* 64bit address support */
+#define   ICH6_GCAP_NSDO	(3 << 1)   /* # of serial data out signals */
+#define   ICH6_GCAP_BSS		(31 << 3)  /* # of bidirectional streams */
+#define   ICH6_GCAP_ISS		(15 << 8)  /* # of input streams */
+#define   ICH6_GCAP_OSS		(15 << 12) /* # of output streams */
+#define ICH6_REG_VMIN			0x02
+#define ICH6_REG_VMAJ			0x03
+#define ICH6_REG_OUTPAY			0x04
+#define ICH6_REG_INPAY			0x06
+#define ICH6_REG_GCTL			0x08
+#define   ICH6_GCTL_RESET	(1 << 0)   /* controller reset */
+#define   ICH6_GCTL_FCNTRL	(1 << 1)   /* flush control */
+#define   ICH6_GCTL_UNSOL	(1 << 8)   /* accept unsol. response enable */
+#define ICH6_REG_WAKEEN			0x0c
+#define ICH6_REG_STATESTS		0x0e
+#define ICH6_REG_GSTS			0x10
+#define   ICH6_GSTS_FSTS	(1 << 1)   /* flush status */
+#define ICH6_REG_INTCTL			0x20
+#define ICH6_REG_INTSTS			0x24
+#define ICH6_REG_WALLCLK		0x30	/* 24Mhz source */
+#define ICH6_REG_SYNC			0x34
+#define ICH6_REG_CORBLBASE		0x40
+#define ICH6_REG_CORBUBASE		0x44
+#define ICH6_REG_CORBWP			0x48
+#define ICH6_REG_CORBRP			0x4a
+#define   ICH6_CORBRP_RST	(1 << 15)  /* read pointer reset */
+#define ICH6_REG_CORBCTL		0x4c
+#define   ICH6_CORBCTL_RUN	(1 << 1)   /* enable DMA */
+#define   ICH6_CORBCTL_CMEIE	(1 << 0)   /* enable memory error irq */
+#define ICH6_REG_CORBSTS		0x4d
+#define   ICH6_CORBSTS_CMEI	(1 << 0)   /* memory error indication */
+#define ICH6_REG_CORBSIZE		0x4e
+
+#define ICH6_REG_RIRBLBASE		0x50
+#define ICH6_REG_RIRBUBASE		0x54
+#define ICH6_REG_RIRBWP			0x58
+#define   ICH6_RIRBWP_RST	(1 << 15)  /* write pointer reset */
+#define ICH6_REG_RINTCNT		0x5a
+#define ICH6_REG_RIRBCTL		0x5c
+#define   ICH6_RBCTL_IRQ_EN	(1 << 0)   /* enable IRQ */
+#define   ICH6_RBCTL_DMA_EN	(1 << 1)   /* enable DMA */
+#define   ICH6_RBCTL_OVERRUN_EN	(1 << 2)   /* enable overrun irq */
+#define ICH6_REG_RIRBSTS		0x5d
+#define   ICH6_RBSTS_IRQ	(1 << 0)   /* response irq */
+#define   ICH6_RBSTS_OVERRUN	(1 << 2)   /* overrun irq */
+#define ICH6_REG_RIRBSIZE		0x5e
+
+#define ICH6_REG_IC			0x60
+#define ICH6_REG_IR			0x64
+#define ICH6_REG_IRS			0x68
+#define   ICH6_IRS_VALID	(1<<1)
+#define   ICH6_IRS_BUSY		(1<<0)
+
+#define ICH6_REG_DPLBASE		0x70
+#define ICH6_REG_DPUBASE		0x74
+#define   ICH6_DPLBASE_ENABLE	0x1	/* Enable position buffer */
+
+/* SD offset: SDI0=0x80, SDI1=0xa0, ... SDO3=0x160 */
+enum { SDI0, SDI1, SDI2, SDI3, SDO0, SDO1, SDO2, SDO3 };
+
+/* stream register offsets from stream base */
+#define ICH6_REG_SD_CTL			0x00
+#define ICH6_REG_SD_STS			0x03
+#define ICH6_REG_SD_LPIB		0x04
+#define ICH6_REG_SD_CBL			0x08
+#define ICH6_REG_SD_LVI			0x0c
+#define ICH6_REG_SD_FIFOW		0x0e
+#define ICH6_REG_SD_FIFOSIZE		0x10
+#define ICH6_REG_SD_FORMAT		0x12
+#define ICH6_REG_SD_BDLPL		0x18
+#define ICH6_REG_SD_BDLPU		0x1c
+
+/* PCI space */
+#define ICH6_PCIREG_TCSEL	0x44
+
+/*
+ * other constants
+ */
+
+/* max number of SDs */
+/* ICH, ATI and VIA have 4 playback and 4 capture */
+#define ICH6_NUM_CAPTURE	4
+#define ICH6_NUM_PLAYBACK	4
+
+/* ULI has 6 playback and 5 capture */
+#define ULI_NUM_CAPTURE		5
+#define ULI_NUM_PLAYBACK	6
+
+/* ATI HDMI has 1 playback and 0 capture */
+#define ATIHDMI_NUM_CAPTURE	0
+#define ATIHDMI_NUM_PLAYBACK	1
+
+/* TERA has 4 playback and 3 capture */
+#define TERA_NUM_CAPTURE	3
+#define TERA_NUM_PLAYBACK	4
+
+/* this number is statically defined for simplicity */
+#define MAX_AZX_DEV		16
+
+/* max number of fragments - we may use more if allocating more pages for BDL */
+#define BDL_SIZE		4096
+#define AZX_MAX_BDL_ENTRIES	(BDL_SIZE / 16)
+#define AZX_MAX_FRAG		32
+/* max buffer size - no h/w limit, you can increase as you like */
+#define AZX_MAX_BUF_SIZE	(1024*1024*1024)
+
+/* RIRB int mask: overrun[2], response[0] */
+#define RIRB_INT_RESPONSE	0x01
+#define RIRB_INT_OVERRUN	0x04
+#define RIRB_INT_MASK		0x05
+
+/* STATESTS int mask: S3,SD2,SD1,SD0 */
+#define AZX_MAX_CODECS		8
+#define AZX_DEFAULT_CODECS	4
+#define STATESTS_INT_MASK	((1 << AZX_MAX_CODECS) - 1)
+
+/* SD_CTL bits */
+#define SD_CTL_STREAM_RESET	0x01	/* stream reset bit */
+#define SD_CTL_DMA_START	0x02	/* stream DMA start bit */
+#define SD_CTL_STRIPE		(3 << 16)	/* stripe control */
+#define SD_CTL_TRAFFIC_PRIO	(1 << 18)	/* traffic priority */
+#define SD_CTL_DIR		(1 << 19)	/* bi-directional stream */
+#define SD_CTL_STREAM_TAG_MASK	(0xf << 20)
+#define SD_CTL_STREAM_TAG_SHIFT	20
+
+/* SD_CTL and SD_STS */
+#define SD_INT_DESC_ERR		0x10	/* descriptor error interrupt */
+#define SD_INT_FIFO_ERR		0x08	/* FIFO error interrupt */
+#define SD_INT_COMPLETE		0x04	/* completion interrupt */
+#define SD_INT_MASK		(SD_INT_DESC_ERR|SD_INT_FIFO_ERR|\
+				 SD_INT_COMPLETE)
+
+/* SD_STS */
+#define SD_STS_FIFO_READY	0x20	/* FIFO ready */
+
+/* INTCTL and INTSTS */
+#define ICH6_INT_ALL_STREAM	0xff	   /* all stream interrupts */
+#define ICH6_INT_CTRL_EN	0x40000000 /* controller interrupt enable bit */
+#define ICH6_INT_GLOBAL_EN	0x80000000 /* global interrupt enable bit */
+
+/* below are so far hardcoded - should read registers in future */
+#define ICH6_MAX_CORB_ENTRIES	256
+#define ICH6_MAX_RIRB_ENTRIES	256
+
+/* position fix mode */
+enum {
+	POS_FIX_AUTO,
+	POS_FIX_LPIB,
+	POS_FIX_POSBUF,
+};
+
+/* Defines for ATI HD Audio support in SB450 south bridge */
+#define ATI_SB450_HDAUDIO_MISC_CNTR2_ADDR   0x42
+#define ATI_SB450_HDAUDIO_ENABLE_SNOOP      0x02
+
+/* Defines for Nvidia HDA support */
+#define NVIDIA_HDA_TRANSREG_ADDR      0x4e
+#define NVIDIA_HDA_ENABLE_COHBITS     0x0f
+#define NVIDIA_HDA_ISTRM_COH          0x4d
+#define NVIDIA_HDA_OSTRM_COH          0x4c
+#define NVIDIA_HDA_ENABLE_COHBIT      0x01
+
+/* Defines for Intel SCH HDA snoop control */
+#define INTEL_SCH_HDA_DEVC      0x78
+#define INTEL_SCH_HDA_DEVC_NOSNOOP       (0x1<<11)
+
+/* Define IN stream 0 FIFO size offset in VIA controller */
+#define VIA_IN_STREAM0_FIFO_SIZE_OFFSET	0x90
+/* Define VIA HD Audio Device ID*/
+#define VIA_HDAC_DEVICE_ID		0x3288
+
+/* HD Audio class code */
+#define PCI_CLASS_MULTIMEDIA_HD_AUDIO	0x0403
+
+/* --------------------------------------------------------------------- */
+/* from linux/sound/pci/hda/hda_codec.h                                  */
+
+/*
+ * nodes
+ */
+#define	AC_NODE_ROOT		0x00
+
+/*
+ * function group types
+ */
+enum {
+	AC_GRP_AUDIO_FUNCTION = 0x01,
+	AC_GRP_MODEM_FUNCTION = 0x02,
+};
+	
+/*
+ * widget types
+ */
+enum {
+	AC_WID_AUD_OUT,		/* Audio Out */
+	AC_WID_AUD_IN,		/* Audio In */
+	AC_WID_AUD_MIX,		/* Audio Mixer */
+	AC_WID_AUD_SEL,		/* Audio Selector */
+	AC_WID_PIN,		/* Pin Complex */
+	AC_WID_POWER,		/* Power */
+	AC_WID_VOL_KNB,		/* Volume Knob */
+	AC_WID_BEEP,		/* Beep Generator */
+	AC_WID_VENDOR = 0x0f	/* Vendor specific */
+};
+
+/*
+ * GET verbs
+ */
+#define AC_VERB_GET_STREAM_FORMAT		0x0a00
+#define AC_VERB_GET_AMP_GAIN_MUTE		0x0b00
+#define AC_VERB_GET_PROC_COEF			0x0c00
+#define AC_VERB_GET_COEF_INDEX			0x0d00
+#define AC_VERB_PARAMETERS			0x0f00
+#define AC_VERB_GET_CONNECT_SEL			0x0f01
+#define AC_VERB_GET_CONNECT_LIST		0x0f02
+#define AC_VERB_GET_PROC_STATE			0x0f03
+#define AC_VERB_GET_SDI_SELECT			0x0f04
+#define AC_VERB_GET_POWER_STATE			0x0f05
+#define AC_VERB_GET_CONV			0x0f06
+#define AC_VERB_GET_PIN_WIDGET_CONTROL		0x0f07
+#define AC_VERB_GET_UNSOLICITED_RESPONSE	0x0f08
+#define AC_VERB_GET_PIN_SENSE			0x0f09
+#define AC_VERB_GET_BEEP_CONTROL		0x0f0a
+#define AC_VERB_GET_EAPD_BTLENABLE		0x0f0c
+#define AC_VERB_GET_DIGI_CONVERT_1		0x0f0d
+#define AC_VERB_GET_DIGI_CONVERT_2		0x0f0e /* unused */
+#define AC_VERB_GET_VOLUME_KNOB_CONTROL		0x0f0f
+/* f10-f1a: GPIO */
+#define AC_VERB_GET_GPIO_DATA			0x0f15
+#define AC_VERB_GET_GPIO_MASK			0x0f16
+#define AC_VERB_GET_GPIO_DIRECTION		0x0f17
+#define AC_VERB_GET_GPIO_WAKE_MASK		0x0f18
+#define AC_VERB_GET_GPIO_UNSOLICITED_RSP_MASK	0x0f19
+#define AC_VERB_GET_GPIO_STICKY_MASK		0x0f1a
+#define AC_VERB_GET_CONFIG_DEFAULT		0x0f1c
+/* f20: AFG/MFG */
+#define AC_VERB_GET_SUBSYSTEM_ID		0x0f20
+#define AC_VERB_GET_CVT_CHAN_COUNT		0x0f2d
+#define AC_VERB_GET_HDMI_DIP_SIZE		0x0f2e
+#define AC_VERB_GET_HDMI_ELDD			0x0f2f
+#define AC_VERB_GET_HDMI_DIP_INDEX		0x0f30
+#define AC_VERB_GET_HDMI_DIP_DATA		0x0f31
+#define AC_VERB_GET_HDMI_DIP_XMIT		0x0f32
+#define AC_VERB_GET_HDMI_CP_CTRL		0x0f33
+#define AC_VERB_GET_HDMI_CHAN_SLOT		0x0f34
+
+/*
+ * SET verbs
+ */
+#define AC_VERB_SET_STREAM_FORMAT		0x200
+#define AC_VERB_SET_AMP_GAIN_MUTE		0x300
+#define AC_VERB_SET_PROC_COEF			0x400
+#define AC_VERB_SET_COEF_INDEX			0x500
+#define AC_VERB_SET_CONNECT_SEL			0x701
+#define AC_VERB_SET_PROC_STATE			0x703
+#define AC_VERB_SET_SDI_SELECT			0x704
+#define AC_VERB_SET_POWER_STATE			0x705
+#define AC_VERB_SET_CHANNEL_STREAMID		0x706
+#define AC_VERB_SET_PIN_WIDGET_CONTROL		0x707
+#define AC_VERB_SET_UNSOLICITED_ENABLE		0x708
+#define AC_VERB_SET_PIN_SENSE			0x709
+#define AC_VERB_SET_BEEP_CONTROL		0x70a
+#define AC_VERB_SET_EAPD_BTLENABLE		0x70c
+#define AC_VERB_SET_DIGI_CONVERT_1		0x70d
+#define AC_VERB_SET_DIGI_CONVERT_2		0x70e
+#define AC_VERB_SET_VOLUME_KNOB_CONTROL		0x70f
+#define AC_VERB_SET_GPIO_DATA			0x715
+#define AC_VERB_SET_GPIO_MASK			0x716
+#define AC_VERB_SET_GPIO_DIRECTION		0x717
+#define AC_VERB_SET_GPIO_WAKE_MASK		0x718
+#define AC_VERB_SET_GPIO_UNSOLICITED_RSP_MASK	0x719
+#define AC_VERB_SET_GPIO_STICKY_MASK		0x71a
+#define AC_VERB_SET_CONFIG_DEFAULT_BYTES_0	0x71c
+#define AC_VERB_SET_CONFIG_DEFAULT_BYTES_1	0x71d
+#define AC_VERB_SET_CONFIG_DEFAULT_BYTES_2	0x71e
+#define AC_VERB_SET_CONFIG_DEFAULT_BYTES_3	0x71f
+#define AC_VERB_SET_EAPD				0x788
+#define AC_VERB_SET_CODEC_RESET			0x7ff
+#define AC_VERB_SET_CVT_CHAN_COUNT		0x72d
+#define AC_VERB_SET_HDMI_DIP_INDEX		0x730
+#define AC_VERB_SET_HDMI_DIP_DATA		0x731
+#define AC_VERB_SET_HDMI_DIP_XMIT		0x732
+#define AC_VERB_SET_HDMI_CP_CTRL		0x733
+#define AC_VERB_SET_HDMI_CHAN_SLOT		0x734
+
+/*
+ * Parameter IDs
+ */
+#define AC_PAR_VENDOR_ID		0x00
+#define AC_PAR_SUBSYSTEM_ID		0x01
+#define AC_PAR_REV_ID			0x02
+#define AC_PAR_NODE_COUNT		0x04
+#define AC_PAR_FUNCTION_TYPE		0x05
+#define AC_PAR_AUDIO_FG_CAP		0x08
+#define AC_PAR_AUDIO_WIDGET_CAP		0x09
+#define AC_PAR_PCM			0x0a
+#define AC_PAR_STREAM			0x0b
+#define AC_PAR_PIN_CAP			0x0c
+#define AC_PAR_AMP_IN_CAP		0x0d
+#define AC_PAR_CONNLIST_LEN		0x0e
+#define AC_PAR_POWER_STATE		0x0f
+#define AC_PAR_PROC_CAP			0x10
+#define AC_PAR_GPIO_CAP			0x11
+#define AC_PAR_AMP_OUT_CAP		0x12
+#define AC_PAR_VOL_KNB_CAP		0x13
+#define AC_PAR_HDMI_LPCM_CAP		0x20
+
+/*
+ * AC_VERB_PARAMETERS results (32bit)
+ */
+
+/* Function Group Type */
+#define AC_FGT_TYPE			(0xff<<0)
+#define AC_FGT_TYPE_SHIFT		0
+#define AC_FGT_UNSOL_CAP		(1<<8)
+
+/* Audio Function Group Capabilities */
+#define AC_AFG_OUT_DELAY		(0xf<<0)
+#define AC_AFG_IN_DELAY			(0xf<<8)
+#define AC_AFG_BEEP_GEN			(1<<16)
+
+/* Audio Widget Capabilities */
+#define AC_WCAP_STEREO			(1<<0)	/* stereo I/O */
+#define AC_WCAP_IN_AMP			(1<<1)	/* AMP-in present */
+#define AC_WCAP_OUT_AMP			(1<<2)	/* AMP-out present */
+#define AC_WCAP_AMP_OVRD		(1<<3)	/* AMP-parameter override */
+#define AC_WCAP_FORMAT_OVRD		(1<<4)	/* format override */
+#define AC_WCAP_STRIPE			(1<<5)	/* stripe */
+#define AC_WCAP_PROC_WID		(1<<6)	/* Proc Widget */
+#define AC_WCAP_UNSOL_CAP		(1<<7)	/* Unsol capable */
+#define AC_WCAP_CONN_LIST		(1<<8)	/* connection list */
+#define AC_WCAP_DIGITAL			(1<<9)	/* digital I/O */
+#define AC_WCAP_POWER			(1<<10)	/* power control */
+#define AC_WCAP_LR_SWAP			(1<<11)	/* L/R swap */
+#define AC_WCAP_CP_CAPS			(1<<12) /* content protection */
+#define AC_WCAP_CHAN_CNT_EXT		(7<<13)	/* channel count ext */
+#define AC_WCAP_DELAY			(0xf<<16)
+#define AC_WCAP_DELAY_SHIFT		16
+#define AC_WCAP_TYPE			(0xf<<20)
+#define AC_WCAP_TYPE_SHIFT		20
+
+/* supported PCM rates and bits */
+#define AC_SUPPCM_RATES			(0xfff << 0)
+#define AC_SUPPCM_BITS_8		(1<<16)
+#define AC_SUPPCM_BITS_16		(1<<17)
+#define AC_SUPPCM_BITS_20		(1<<18)
+#define AC_SUPPCM_BITS_24		(1<<19)
+#define AC_SUPPCM_BITS_32		(1<<20)
+
+/* supported PCM stream format */
+#define AC_SUPFMT_PCM			(1<<0)
+#define AC_SUPFMT_FLOAT32		(1<<1)
+#define AC_SUPFMT_AC3			(1<<2)
+
+/* GP I/O count */
+#define AC_GPIO_IO_COUNT		(0xff<<0)
+#define AC_GPIO_O_COUNT			(0xff<<8)
+#define AC_GPIO_O_COUNT_SHIFT		8
+#define AC_GPIO_I_COUNT			(0xff<<16)
+#define AC_GPIO_I_COUNT_SHIFT		16
+#define AC_GPIO_UNSOLICITED		(1<<30)
+#define AC_GPIO_WAKE			(1<<31)
+
+/* Converter stream, channel */
+#define AC_CONV_CHANNEL			(0xf<<0)
+#define AC_CONV_STREAM			(0xf<<4)
+#define AC_CONV_STREAM_SHIFT		4
+
+/* Input converter SDI select */
+#define AC_SDI_SELECT			(0xf<<0)
+
+/* stream format id */
+#define AC_FMT_CHAN_SHIFT		0
+#define AC_FMT_CHAN_MASK		(0x0f << 0)
+#define AC_FMT_BITS_SHIFT		4
+#define AC_FMT_BITS_MASK		(7 << 4)
+#define AC_FMT_BITS_8			(0 << 4)
+#define AC_FMT_BITS_16			(1 << 4)
+#define AC_FMT_BITS_20			(2 << 4)
+#define AC_FMT_BITS_24			(3 << 4)
+#define AC_FMT_BITS_32			(4 << 4)
+#define AC_FMT_DIV_SHIFT		8
+#define AC_FMT_DIV_MASK			(7 << 8)
+#define AC_FMT_MULT_SHIFT		11
+#define AC_FMT_MULT_MASK		(7 << 11)
+#define AC_FMT_BASE_SHIFT		14
+#define AC_FMT_BASE_48K			(0 << 14)
+#define AC_FMT_BASE_44K			(1 << 14)
+#define AC_FMT_TYPE_SHIFT		15
+#define AC_FMT_TYPE_PCM			(0 << 15)
+#define AC_FMT_TYPE_NON_PCM		(1 << 15)
+
+/* Unsolicited response control */
+#define AC_UNSOL_TAG			(0x3f<<0)
+#define AC_UNSOL_ENABLED		(1<<7)
+#define AC_USRSP_EN			AC_UNSOL_ENABLED
+
+/* Unsolicited responses */
+#define AC_UNSOL_RES_TAG		(0x3f<<26)
+#define AC_UNSOL_RES_TAG_SHIFT		26
+#define AC_UNSOL_RES_SUBTAG		(0x1f<<21)
+#define AC_UNSOL_RES_SUBTAG_SHIFT	21
+#define AC_UNSOL_RES_ELDV		(1<<1)	/* ELD Data valid (for HDMI) */
+#define AC_UNSOL_RES_PD			(1<<0)	/* pinsense detect */
+#define AC_UNSOL_RES_CP_STATE		(1<<1)	/* content protection */
+#define AC_UNSOL_RES_CP_READY		(1<<0)	/* content protection */
+
+/* Pin widget capabilies */
+#define AC_PINCAP_IMP_SENSE		(1<<0)	/* impedance sense capable */
+#define AC_PINCAP_TRIG_REQ		(1<<1)	/* trigger required */
+#define AC_PINCAP_PRES_DETECT		(1<<2)	/* presence detect capable */
+#define AC_PINCAP_HP_DRV		(1<<3)	/* headphone drive capable */
+#define AC_PINCAP_OUT			(1<<4)	/* output capable */
+#define AC_PINCAP_IN			(1<<5)	/* input capable */
+#define AC_PINCAP_BALANCE		(1<<6)	/* balanced I/O capable */
+/* Note: This LR_SWAP pincap is defined in the Realtek ALC883 specification,
+ *       but is marked reserved in the Intel HDA specification.
+ */
+#define AC_PINCAP_LR_SWAP		(1<<7)	/* L/R swap */
+/* Note: The same bit as LR_SWAP is newly defined as HDMI capability
+ *       in HD-audio specification
+ */
+#define AC_PINCAP_HDMI			(1<<7)	/* HDMI pin */
+#define AC_PINCAP_DP			(1<<24)	/* DisplayPort pin, can
+						 * coexist with AC_PINCAP_HDMI
+						 */
+#define AC_PINCAP_VREF			(0x37<<8)
+#define AC_PINCAP_VREF_SHIFT		8
+#define AC_PINCAP_EAPD			(1<<16)	/* EAPD capable */
+#define AC_PINCAP_HBR			(1<<27)	/* High Bit Rate */
+/* Vref status (used in pin cap) */
+#define AC_PINCAP_VREF_HIZ		(1<<0)	/* Hi-Z */
+#define AC_PINCAP_VREF_50		(1<<1)	/* 50% */
+#define AC_PINCAP_VREF_GRD		(1<<2)	/* ground */
+#define AC_PINCAP_VREF_80		(1<<4)	/* 80% */
+#define AC_PINCAP_VREF_100		(1<<5)	/* 100% */
+
+/* Amplifier capabilities */
+#define AC_AMPCAP_OFFSET		(0x7f<<0)  /* 0dB offset */
+#define AC_AMPCAP_OFFSET_SHIFT		0
+#define AC_AMPCAP_NUM_STEPS		(0x7f<<8)  /* number of steps */
+#define AC_AMPCAP_NUM_STEPS_SHIFT	8
+#define AC_AMPCAP_STEP_SIZE		(0x7f<<16) /* step size 0-32dB
+						    * in 0.25dB
+						    */
+#define AC_AMPCAP_STEP_SIZE_SHIFT	16
+#define AC_AMPCAP_MUTE			(1<<31)    /* mute capable */
+#define AC_AMPCAP_MUTE_SHIFT		31
+
+/* Connection list */
+#define AC_CLIST_LENGTH			(0x7f<<0)
+#define AC_CLIST_LONG			(1<<7)
+
+/* Supported power status */
+#define AC_PWRST_D0SUP			(1<<0)
+#define AC_PWRST_D1SUP			(1<<1)
+#define AC_PWRST_D2SUP			(1<<2)
+#define AC_PWRST_D3SUP			(1<<3)
+#define AC_PWRST_D3COLDSUP		(1<<4)
+#define AC_PWRST_S3D3COLDSUP		(1<<29)
+#define AC_PWRST_CLKSTOP		(1<<30)
+#define AC_PWRST_EPSS			(1U<<31)
+
+/* Power state values */
+#define AC_PWRST_SETTING		(0xf<<0)
+#define AC_PWRST_ACTUAL			(0xf<<4)
+#define AC_PWRST_ACTUAL_SHIFT		4
+#define AC_PWRST_D0			0x00
+#define AC_PWRST_D1			0x01
+#define AC_PWRST_D2			0x02
+#define AC_PWRST_D3			0x03
+
+/* Processing capabilies */
+#define AC_PCAP_BENIGN			(1<<0)
+#define AC_PCAP_NUM_COEF		(0xff<<8)
+#define AC_PCAP_NUM_COEF_SHIFT		8
+
+/* Volume knobs capabilities */
+#define AC_KNBCAP_NUM_STEPS		(0x7f<<0)
+#define AC_KNBCAP_DELTA			(1<<7)
+
+/* HDMI LPCM capabilities */
+#define AC_LPCMCAP_48K_CP_CHNS		(0x0f<<0) /* max channels w/ CP-on */	
+#define AC_LPCMCAP_48K_NO_CHNS		(0x0f<<4) /* max channels w/o CP-on */
+#define AC_LPCMCAP_48K_20BIT		(1<<8)	/* 20b bitrate supported */
+#define AC_LPCMCAP_48K_24BIT		(1<<9)	/* 24b bitrate supported */
+#define AC_LPCMCAP_96K_CP_CHNS		(0x0f<<10) /* max channels w/ CP-on */	
+#define AC_LPCMCAP_96K_NO_CHNS		(0x0f<<14) /* max channels w/o CP-on */
+#define AC_LPCMCAP_96K_20BIT		(1<<18)	/* 20b bitrate supported */
+#define AC_LPCMCAP_96K_24BIT		(1<<19)	/* 24b bitrate supported */
+#define AC_LPCMCAP_192K_CP_CHNS		(0x0f<<20) /* max channels w/ CP-on */	
+#define AC_LPCMCAP_192K_NO_CHNS		(0x0f<<24) /* max channels w/o CP-on */
+#define AC_LPCMCAP_192K_20BIT		(1<<28)	/* 20b bitrate supported */
+#define AC_LPCMCAP_192K_24BIT		(1<<29)	/* 24b bitrate supported */
+#define AC_LPCMCAP_44K			(1<<30)	/* 44.1kHz support */
+#define AC_LPCMCAP_44K_MS		(1<<31)	/* 44.1kHz-multiplies support */
+
+/*
+ * Control Parameters
+ */
+
+/* Amp gain/mute */
+#define AC_AMP_MUTE			(1<<7)
+#define AC_AMP_GAIN			(0x7f)
+#define AC_AMP_GET_INDEX		(0xf<<0)
+
+#define AC_AMP_GET_LEFT			(1<<13)
+#define AC_AMP_GET_RIGHT		(0<<13)
+#define AC_AMP_GET_OUTPUT		(1<<15)
+#define AC_AMP_GET_INPUT		(0<<15)
+
+#define AC_AMP_SET_INDEX		(0xf<<8)
+#define AC_AMP_SET_INDEX_SHIFT		8
+#define AC_AMP_SET_RIGHT		(1<<12)
+#define AC_AMP_SET_LEFT			(1<<13)
+#define AC_AMP_SET_INPUT		(1<<14)
+#define AC_AMP_SET_OUTPUT		(1<<15)
+
+/* DIGITAL1 bits */
+#define AC_DIG1_ENABLE			(1<<0)
+#define AC_DIG1_V			(1<<1)
+#define AC_DIG1_VCFG			(1<<2)
+#define AC_DIG1_EMPHASIS		(1<<3)
+#define AC_DIG1_COPYRIGHT		(1<<4)
+#define AC_DIG1_NONAUDIO		(1<<5)
+#define AC_DIG1_PROFESSIONAL		(1<<6)
+#define AC_DIG1_LEVEL			(1<<7)
+
+/* DIGITAL2 bits */
+#define AC_DIG2_CC			(0x7f<<0)
+
+/* Pin widget control - 8bit */
+#define AC_PINCTL_EPT			(0x3<<0)
+#define AC_PINCTL_EPT_NATIVE		0
+#define AC_PINCTL_EPT_HBR		3
+#define AC_PINCTL_VREFEN		(0x7<<0)
+#define AC_PINCTL_VREF_HIZ		0	/* Hi-Z */
+#define AC_PINCTL_VREF_50		1	/* 50% */
+#define AC_PINCTL_VREF_GRD		2	/* ground */
+#define AC_PINCTL_VREF_80		4	/* 80% */
+#define AC_PINCTL_VREF_100		5	/* 100% */
+#define AC_PINCTL_IN_EN			(1<<5)
+#define AC_PINCTL_OUT_EN		(1<<6)
+#define AC_PINCTL_HP_EN			(1<<7)
+
+/* Pin sense - 32bit */
+#define AC_PINSENSE_IMPEDANCE_MASK	(0x7fffffff)
+#define AC_PINSENSE_PRESENCE		(1<<31)
+#define AC_PINSENSE_ELDV		(1<<30)	/* ELD valid (HDMI) */
+
+/* EAPD/BTL enable - 32bit */
+#define AC_EAPDBTL_BALANCED		(1<<0)
+#define AC_EAPDBTL_EAPD			(1<<1)
+#define AC_EAPDBTL_LR_SWAP		(1<<2)
+
+/* HDMI ELD data */
+#define AC_ELDD_ELD_VALID		(1<<31)
+#define AC_ELDD_ELD_DATA		0xff
+
+/* HDMI DIP size */
+#define AC_DIPSIZE_ELD_BUF		(1<<3) /* ELD buf size of packet size */
+#define AC_DIPSIZE_PACK_IDX		(0x07<<0) /* packet index */
+
+/* HDMI DIP index */
+#define AC_DIPIDX_PACK_IDX		(0x07<<5) /* packet idnex */
+#define AC_DIPIDX_BYTE_IDX		(0x1f<<0) /* byte index */
+
+/* HDMI DIP xmit (transmit) control */
+#define AC_DIPXMIT_MASK			(0x3<<6)
+#define AC_DIPXMIT_DISABLE		(0x0<<6) /* disable xmit */
+#define AC_DIPXMIT_ONCE			(0x2<<6) /* xmit once then disable */
+#define AC_DIPXMIT_BEST			(0x3<<6) /* best effort */
+
+/* HDMI content protection (CP) control */
+#define AC_CPCTRL_CES			(1<<9) /* current encryption state */
+#define AC_CPCTRL_READY			(1<<8) /* ready bit */
+#define AC_CPCTRL_SUBTAG		(0x1f<<3) /* subtag for unsol-resp */
+#define AC_CPCTRL_STATE			(3<<0) /* current CP request state */
+
+/* Converter channel <-> HDMI slot mapping */
+#define AC_CVTMAP_HDMI_SLOT		(0xf<<0) /* HDMI slot number */
+#define AC_CVTMAP_CHAN			(0xf<<4) /* converter channel number */
+
+/* configuration default - 32bit */
+#define AC_DEFCFG_SEQUENCE		(0xf<<0)
+#define AC_DEFCFG_DEF_ASSOC		(0xf<<4)
+#define AC_DEFCFG_ASSOC_SHIFT		4
+#define AC_DEFCFG_MISC			(0xf<<8)
+#define AC_DEFCFG_MISC_SHIFT		8
+#define AC_DEFCFG_MISC_NO_PRESENCE	(1<<0)
+#define AC_DEFCFG_COLOR			(0xf<<12)
+#define AC_DEFCFG_COLOR_SHIFT		12
+#define AC_DEFCFG_CONN_TYPE		(0xf<<16)
+#define AC_DEFCFG_CONN_TYPE_SHIFT	16
+#define AC_DEFCFG_DEVICE		(0xf<<20)
+#define AC_DEFCFG_DEVICE_SHIFT		20
+#define AC_DEFCFG_LOCATION		(0x3f<<24)
+#define AC_DEFCFG_LOCATION_SHIFT	24
+#define AC_DEFCFG_PORT_CONN		(0x3<<30)
+#define AC_DEFCFG_PORT_CONN_SHIFT	30
+
+/* device device types (0x0-0xf) */
+enum {
+	AC_JACK_LINE_OUT,
+	AC_JACK_SPEAKER,
+	AC_JACK_HP_OUT,
+	AC_JACK_CD,
+	AC_JACK_SPDIF_OUT,
+	AC_JACK_DIG_OTHER_OUT,
+	AC_JACK_MODEM_LINE_SIDE,
+	AC_JACK_MODEM_HAND_SIDE,
+	AC_JACK_LINE_IN,
+	AC_JACK_AUX,
+	AC_JACK_MIC_IN,
+	AC_JACK_TELEPHONY,
+	AC_JACK_SPDIF_IN,
+	AC_JACK_DIG_OTHER_IN,
+	AC_JACK_OTHER = 0xf,
+};
+
+/* jack connection types (0x0-0xf) */
+enum {
+	AC_JACK_CONN_UNKNOWN,
+	AC_JACK_CONN_1_8,
+	AC_JACK_CONN_1_4,
+	AC_JACK_CONN_ATAPI,
+	AC_JACK_CONN_RCA,
+	AC_JACK_CONN_OPTICAL,
+	AC_JACK_CONN_OTHER_DIGITAL,
+	AC_JACK_CONN_OTHER_ANALOG,
+	AC_JACK_CONN_DIN,
+	AC_JACK_CONN_XLR,
+	AC_JACK_CONN_RJ11,
+	AC_JACK_CONN_COMB,
+	AC_JACK_CONN_OTHER = 0xf,
+};
+
+/* jack colors (0x0-0xf) */
+enum {
+	AC_JACK_COLOR_UNKNOWN,
+	AC_JACK_COLOR_BLACK,
+	AC_JACK_COLOR_GREY,
+	AC_JACK_COLOR_BLUE,
+	AC_JACK_COLOR_GREEN,
+	AC_JACK_COLOR_RED,
+	AC_JACK_COLOR_ORANGE,
+	AC_JACK_COLOR_YELLOW,
+	AC_JACK_COLOR_PURPLE,
+	AC_JACK_COLOR_PINK,
+	AC_JACK_COLOR_WHITE = 0xe,
+	AC_JACK_COLOR_OTHER,
+};
+
+/* Jack location (0x0-0x3f) */
+/* common case */
+enum {
+	AC_JACK_LOC_NONE,
+	AC_JACK_LOC_REAR,
+	AC_JACK_LOC_FRONT,
+	AC_JACK_LOC_LEFT,
+	AC_JACK_LOC_RIGHT,
+	AC_JACK_LOC_TOP,
+	AC_JACK_LOC_BOTTOM,
+};
+/* bits 4-5 */
+enum {
+	AC_JACK_LOC_EXTERNAL = 0x00,
+	AC_JACK_LOC_INTERNAL = 0x10,
+	AC_JACK_LOC_SEPARATE = 0x20,
+	AC_JACK_LOC_OTHER    = 0x30,
+};
+enum {
+	/* external on primary chasis */
+	AC_JACK_LOC_REAR_PANEL = 0x07,
+	AC_JACK_LOC_DRIVE_BAY,
+	/* internal */
+	AC_JACK_LOC_RISER = 0x17,
+	AC_JACK_LOC_HDMI,
+	AC_JACK_LOC_ATAPI,
+	/* others */
+	AC_JACK_LOC_MOBILE_IN = 0x37,
+	AC_JACK_LOC_MOBILE_OUT,
+};
+
+/* Port connectivity (0-3) */
+enum {
+	AC_JACK_PORT_COMPLEX,
+	AC_JACK_PORT_NONE,
+	AC_JACK_PORT_FIXED,
+	AC_JACK_PORT_BOTH,
+};
+
+/* max. connections to a widget */
+#define HDA_MAX_CONNECTIONS	32
+
+/* max. codec address */
+#define HDA_MAX_CODEC_ADDRESS	0x0f
+
+/* max number of PCM devics per card */
+#define HDA_MAX_PCMS		10
+
+/* --------------------------------------------------------------------- */
+
+#endif
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
new file mode 100644
index 0000000..ccb059d
--- /dev/null
+++ b/hw/intel-hda.c
@@ -0,0 +1,1250 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * written by Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "hw.h"
+#include "pci.h"
+#include "qemu-timer.h"
+#include "audiodev.h"
+#include "intel-hda.h"
+#include "intel-hda-defs.h"
+
+/* --------------------------------------------------------------------- */
+/* hda bus                                                               */
+
+static struct BusInfo hda_codec_bus_info = {
+    .name      = "HDA",
+    .size      = sizeof(HDACodecBus),
+    .props     = (Property[]) {
+        DEFINE_PROP_UINT32("cad", HDACodecDevice, cad, -1),
+        DEFINE_PROP_END_OF_LIST()
+    }
+};
+
+void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus,
+                        hda_codec_response_func response,
+                        hda_codec_xfer_func xfer)
+{
+    qbus_create_inplace(&bus->qbus, &hda_codec_bus_info, dev, NULL);
+    bus->response = response;
+    bus->xfer = xfer;
+}
+
+static int hda_codec_dev_init(DeviceState *qdev, DeviceInfo *base)
+{
+    HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, qdev->parent_bus);
+    HDACodecDevice *dev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+    HDACodecDeviceInfo *info = DO_UPCAST(HDACodecDeviceInfo, qdev, base);
+
+    dev->info = info;
+    if (dev->cad == -1) {
+        dev->cad = bus->next_cad;
+    }
+    if (dev->cad > 15)
+        return -1;
+    bus->next_cad = dev->cad + 1;
+    return info->init(dev);
+}
+
+void hda_codec_register(HDACodecDeviceInfo *info)
+{
+    info->qdev.init = hda_codec_dev_init;
+    info->qdev.bus_info = &hda_codec_bus_info;
+    qdev_register(&info->qdev);
+}
+
+HDACodecDevice *hda_codec_find(HDACodecBus *bus, uint32_t cad)
+{
+    DeviceState *qdev;
+    HDACodecDevice *cdev;
+
+    QLIST_FOREACH(qdev, &bus->qbus.children, sibling) {
+        cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+        if (cdev->cad == cad) {
+            return cdev;
+        }
+    }
+    return NULL;
+}
+
+void hda_codec_response(HDACodecDevice *dev, bool solicited, uint32_t response)
+{
+    HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+    bus->response(dev, solicited, response);
+}
+
+bool hda_codec_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+                    uint8_t *buf, uint32_t len)
+{
+    HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+    return bus->xfer(dev, stnr, output, buf, len);
+}
+
+/* --------------------------------------------------------------------- */
+/* intel hda emulation                                                   */
+
+typedef struct IntelHDAStream IntelHDAStream;
+typedef struct IntelHDAState IntelHDAState;
+typedef struct IntelHDAReg IntelHDAReg;
+
+typedef struct bpl {
+    uint64_t addr;
+    uint32_t len;
+    uint32_t flags;
+} bpl;
+
+struct IntelHDAStream {
+    /* registers */
+    uint32_t ctl;
+    uint32_t lpib;
+    uint32_t cbl;
+    uint32_t lvi;
+    uint32_t fmt;
+    uint32_t bdlp_lbase;
+    uint32_t bdlp_ubase;
+
+    /* state */
+    bpl      *bpl;
+    uint32_t bentries;
+    uint32_t bsize, be, bp;
+};
+
+struct IntelHDAState {
+    PCIDevice pci;
+    const char *name;
+    HDACodecBus codecs;
+
+    /* registers */
+    uint32_t g_ctl;
+    uint32_t wake_en;
+    uint32_t state_sts;
+    uint32_t int_ctl;
+    uint32_t int_sts;
+    uint32_t wall_clk;
+
+    uint32_t corb_lbase;
+    uint32_t corb_ubase;
+    uint32_t corb_rp;
+    uint32_t corb_wp;
+    uint32_t corb_ctl;
+    uint32_t corb_sts;
+    uint32_t corb_size;
+
+    uint32_t rirb_lbase;
+    uint32_t rirb_ubase;
+    uint32_t rirb_wp;
+    uint32_t rirb_cnt;
+    uint32_t rirb_ctl;
+    uint32_t rirb_sts;
+    uint32_t rirb_size;
+
+    uint32_t dp_lbase;
+    uint32_t dp_ubase;
+
+    uint32_t icw;
+    uint32_t irr;
+    uint32_t ics;
+
+    /* streams */
+    IntelHDAStream st[8];
+
+    /* state */
+    int mmio_addr;
+    uint32_t rirb_count;
+    int64_t wall_base_ns;
+
+    /* debug logging */
+    const IntelHDAReg *last_reg;
+    uint32_t last_val;
+    uint32_t last_write;
+    uint32_t last_sec;
+    uint32_t repeat_count;
+
+    /* properties */
+    uint32_t debug;
+};
+
+struct IntelHDAReg {
+    const char *name;      /* register name */
+    uint32_t   size;       /* size in bytes */
+    uint32_t   reset;      /* reset value */
+    uint32_t   wmask;      /* write mask */
+    uint32_t   wclear;     /* write 1 to clear bits */
+    uint32_t   offset;     /* location in IntelHDAState */
+    uint32_t   shift;      /* byte access entries for dwords */
+    uint32_t   stream;
+    void       (*whandler)(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old);
+    void       (*rhandler)(IntelHDAState *d, const IntelHDAReg *reg);
+};
+
+static void intel_hda_reset(DeviceState *dev);
+
+/* --------------------------------------------------------------------- */
+
+static target_phys_addr_t intel_hda_addr(uint32_t lbase, uint32_t ubase)
+{
+    target_phys_addr_t addr;
+
+#if TARGET_PHYS_ADDR_BITS == 32
+    addr = lbase;
+#else
+    addr = ubase;
+    addr <<= 32;
+    addr |= lbase;
+#endif
+    return addr;
+}
+
+static void stl_phys_le(target_phys_addr_t addr, uint32_t value)
+{
+    uint32_t value_le = cpu_to_le32(value);
+    cpu_physical_memory_write(addr, (uint8_t*)(&value_le), sizeof(value_le));
+}
+
+static uint32_t ldl_phys_le(target_phys_addr_t addr)
+{
+    uint32_t value_le;
+    cpu_physical_memory_read(addr, (uint8_t*)(&value_le), sizeof(value_le));
+    return le32_to_cpu(value_le);
+}
+
+static void intel_hda_update_int_sts(IntelHDAState *d)
+{
+    uint32_t sts = 0;
+    uint32_t i;
+
+    /* update controller status */
+    if (d->rirb_sts & ICH6_RBSTS_IRQ) {
+        sts |= (1 << 30);
+    }
+    if (d->rirb_sts & ICH6_RBSTS_OVERRUN) {
+        sts |= (1 << 30);
+    }
+    if (d->state_sts) {
+        sts |= (1 << 30);
+    }
+
+    /* update stream status */
+    for (i = 0; i < 8; i++) {
+        /* buffer completion interrupt */
+        if (d->st[i].ctl & (1 << 26)) {
+            sts |= (1 << i);
+        }
+    }
+
+    /* update global status */
+    if (sts & d->int_ctl) {
+        sts |= (1 << 31);
+    }
+
+    d->int_sts = sts;
+}
+
+static void intel_hda_update_irq(IntelHDAState *d)
+{
+    int level;
+
+    intel_hda_update_int_sts(d);
+    if (d->int_sts & (1 << 31) && d->int_ctl & (1 << 31)) {
+        level = 1;
+    } else {
+        level = 0;
+    }
+    dprint(d, 2, "%s: level %d\n", __FUNCTION__, level);
+    qemu_set_irq(d->pci.irq[0], level);
+}
+
+static int intel_hda_send_command(IntelHDAState *d, uint32_t verb)
+{
+    uint32_t cad, nid, data;
+    HDACodecDevice *codec;
+
+    cad = (verb >> 28) & 0x0f;
+    if (verb & (1 << 27)) {
+        /* indirect node addressing, not specified in HDA 1.0 */
+        dprint(d, 1, "%s: indirect node addressing (guest bug?)\n", __FUNCTION__);
+        return -1;
+    }
+    nid = (verb >> 20) & 0x7f;
+    data = verb & 0xfffff;
+
+    codec = hda_codec_find(&d->codecs, cad);
+    if (codec == NULL) {
+        dprint(d, 1, "%s: addressed non-existing codec\n", __FUNCTION__);
+        return -1;
+    }
+    codec->info->command(codec, nid, data);
+    return 0;
+}
+
+static void intel_hda_corb_run(IntelHDAState *d)
+{
+    target_phys_addr_t addr;
+    uint32_t rp, verb;
+
+    if (d->ics & ICH6_IRS_BUSY) {
+        dprint(d, 2, "%s: [icw] verb 0x%08x\n", __FUNCTION__, d->icw);
+        intel_hda_send_command(d, d->icw);
+        return;
+    }
+
+    for (;;) {
+        if (!(d->corb_ctl & ICH6_CORBCTL_RUN)) {
+            dprint(d, 2, "%s: !run\n", __FUNCTION__);
+            return;
+        }
+        if ((d->corb_rp & 0xff) == d->corb_wp) {
+            dprint(d, 2, "%s: corb ring empty\n", __FUNCTION__);
+            return;
+        }
+        if (d->rirb_count == d->rirb_cnt) {
+            dprint(d, 2, "%s: rirb count reached\n", __FUNCTION__);
+            return;
+        }
+
+        rp = (d->corb_rp + 1) & 0xff;
+        addr = intel_hda_addr(d->corb_lbase, d->corb_ubase);
+        verb = ldl_phys_le(addr + 4*rp);
+        d->corb_rp = rp;
+
+        dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __FUNCTION__, rp, verb);
+        intel_hda_send_command(d, verb);
+    }
+}
+
+static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response)
+{
+    HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+    IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+    target_phys_addr_t addr;
+    uint32_t wp, ex;
+
+    if (d->ics & ICH6_IRS_BUSY) {
+        dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n",
+               __FUNCTION__, response, dev->cad);
+        d->irr = response;
+        d->ics &= ~(ICH6_IRS_BUSY | 0xf0);
+        d->ics |= (ICH6_IRS_VALID | (dev->cad << 4));
+        return;
+    }
+
+    if (!(d->rirb_ctl & ICH6_RBCTL_DMA_EN)) {
+        dprint(d, 1, "%s: rirb dma disabled, drop codec response\n", __FUNCTION__);
+        return;
+    }
+
+    ex = (solicited ? 0 : (1 << 4)) | dev->cad;
+    wp = (d->rirb_wp + 1) & 0xff;
+    addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase);
+    stl_phys_le(addr + 8*wp, response);
+    stl_phys_le(addr + 8*wp + 4, ex);
+    d->rirb_wp = wp;
+
+    dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n",
+           __FUNCTION__, wp, response, ex);
+
+    d->rirb_count++;
+    if (d->rirb_count == d->rirb_cnt) {
+        dprint(d, 2, "%s: rirb count reached (%d)\n", __FUNCTION__, d->rirb_count);
+        if (d->rirb_ctl & ICH6_RBCTL_IRQ_EN) {
+            d->rirb_sts |= ICH6_RBSTS_IRQ;
+            intel_hda_update_irq(d);
+        }
+    } else if ((d->corb_rp & 0xff) == d->corb_wp) {
+        dprint(d, 2, "%s: corb ring empty (%d/%d)\n", __FUNCTION__,
+               d->rirb_count, d->rirb_cnt);
+        if (d->rirb_ctl & ICH6_RBCTL_IRQ_EN) {
+            d->rirb_sts |= ICH6_RBSTS_IRQ;
+            intel_hda_update_irq(d);
+        }
+    }
+}
+
+static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+                           uint8_t *buf, uint32_t len)
+{
+    HDACodecBus *bus = DO_UPCAST(HDACodecBus, qbus, dev->qdev.parent_bus);
+    IntelHDAState *d = container_of(bus, IntelHDAState, codecs);
+    IntelHDAStream *st = NULL;
+    target_phys_addr_t addr;
+    uint32_t s, copy, left;
+    bool irq = false;
+
+    for (s = 0; s < ARRAY_SIZE(d->st); s++) {
+        if (stnr == ((d->st[s].ctl >> 20) & 0x0f)) {
+            st = d->st + s;
+            break;
+        }
+    }
+    if (st == NULL) {
+        return false;
+    }
+    if (st->bpl == NULL) {
+        return false;
+    }
+    if (st->ctl & (1 << 26)) {
+        /*
+         * Wait with the next DMA xfer until the guest
+         * has acked the buffer completion interrupt
+         */
+        return false;
+    }
+
+    left = len;
+    while (left > 0) {
+        copy = left;
+        if (copy > st->bsize - st->lpib)
+            copy = st->bsize - st->lpib;
+        if (copy > st->bpl[st->be].len - st->bp)
+            copy = st->bpl[st->be].len - st->bp;
+
+        dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n",
+               st->be, st->bp, st->bpl[st->be].len, copy);
+
+        cpu_physical_memory_rw(st->bpl[st->be].addr + st->bp,
+                               buf, copy, !output);
+        st->lpib += copy;
+        st->bp += copy;
+        buf += copy;
+        left -= copy;
+
+        if (st->bpl[st->be].len == st->bp) {
+            /* bpl entry filled */
+            if (st->bpl[st->be].flags & 0x01) {
+                irq = true;
+            }
+            st->bp = 0;
+            st->be++;
+            if (st->be == st->bentries) {
+                /* bpl wrap around */
+                st->be = 0;
+                st->lpib = 0;
+            }
+        }
+    }
+    if (d->dp_lbase & 0x01) {
+        addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase);
+        stl_phys_le(addr + 8*s, st->lpib);
+    }
+    dprint(d, 3, "dma: --\n");
+
+    if (irq) {
+        st->ctl |= (1 << 26); /* buffer completion interrupt */
+        intel_hda_update_irq(d);
+    }
+    return true;
+}
+
+static void intel_hda_parse_bdl(IntelHDAState *d, IntelHDAStream *st)
+{
+    target_phys_addr_t addr;
+    uint8_t buf[16];
+    uint32_t i;
+
+    addr = intel_hda_addr(st->bdlp_lbase, st->bdlp_ubase);
+    st->bentries = st->lvi +1;
+    qemu_free(st->bpl);
+    st->bpl = qemu_malloc(sizeof(bpl) * st->bentries);
+    for (i = 0; i < st->bentries; i++, addr += 16) {
+        cpu_physical_memory_read(addr, buf, 16);
+        st->bpl[i].addr  = le64_to_cpu(*(uint64_t *)buf);
+        st->bpl[i].len   = le32_to_cpu(*(uint32_t *)(buf + 8));
+        st->bpl[i].flags = le32_to_cpu(*(uint32_t *)(buf + 12));
+        dprint(d, 1, "bdl/%d: 0x%" PRIx64 " +0x%x, 0x%x\n",
+               i, st->bpl[i].addr, st->bpl[i].len, st->bpl[i].flags);
+    }
+
+    st->bsize = st->cbl;
+    st->lpib  = 0;
+    st->be    = 0;
+    st->bp    = 0;
+}
+
+static void intel_hda_notify_codecs(IntelHDAState *d, uint32_t stream, bool running)
+{
+    DeviceState *qdev;
+    HDACodecDevice *cdev;
+
+    QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) {
+        cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+        if (cdev->info->stream) {
+            cdev->info->stream(cdev, stream, running);
+        }
+    }
+}
+
+/* --------------------------------------------------------------------- */
+
+static void intel_hda_set_g_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    if ((d->g_ctl & ICH6_GCTL_RESET) == 0) {
+        intel_hda_reset(&d->pci.qdev);
+    }
+}
+
+static void intel_hda_set_state_sts(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    intel_hda_update_irq(d);
+}
+
+static void intel_hda_set_int_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    intel_hda_update_irq(d);
+}
+
+static void intel_hda_get_wall_clk(IntelHDAState *d, const IntelHDAReg *reg)
+{
+    int64_t ns;
+
+    ns = qemu_get_clock_ns(vm_clock) - d->wall_base_ns;
+    d->wall_clk = (uint32_t)(ns * 24 / 1000);  /* 24 MHz */
+}
+
+static void intel_hda_set_corb_wp(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    intel_hda_corb_run(d);
+}
+
+static void intel_hda_set_corb_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    intel_hda_corb_run(d);
+}
+
+static void intel_hda_set_rirb_wp(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    if (d->rirb_wp & ICH6_RIRBWP_RST) {
+        d->rirb_wp = 0;
+    }
+}
+
+static void intel_hda_set_rirb_sts(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    intel_hda_update_irq(d);
+
+    if ((old & ICH6_RBSTS_IRQ) && !(d->rirb_sts & ICH6_RBSTS_IRQ)) {
+        /* cleared ICH6_RBSTS_IRQ */
+        d->rirb_count = 0;
+        intel_hda_corb_run(d);
+    }
+}
+
+static void intel_hda_set_ics(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    if (d->ics & ICH6_IRS_BUSY) {
+        intel_hda_corb_run(d);
+    }
+}
+
+static void intel_hda_set_st_ctl(IntelHDAState *d, const IntelHDAReg *reg, uint32_t old)
+{
+    IntelHDAStream *st = d->st + reg->stream;
+
+    if (st->ctl & 0x01) {
+        /* reset */
+        dprint(d, 1, "st #%d: reset\n", reg->stream);
+        st->ctl = 0;
+    }
+    if ((st->ctl & 0x02) != (old & 0x02)) {
+        uint32_t stnr = (st->ctl >> 20) & 0x0f;
+        /* run bit flipped */
+        if (st->ctl & 0x02) {
+            /* start */
+            dprint(d, 1, "st #%d: start %d (ring buf %d bytes)\n",
+                   reg->stream, stnr, st->cbl);
+            intel_hda_parse_bdl(d, st);
+            intel_hda_notify_codecs(d, stnr, true);
+        } else {
+            /* stop */
+            dprint(d, 1, "st #%d: stop %d\n", reg->stream, stnr);
+            intel_hda_notify_codecs(d, stnr, false);
+        }
+    }
+    intel_hda_update_irq(d);
+}
+
+/* --------------------------------------------------------------------- */
+
+#define ST_REG(_n, _o) (0x80 + (_n) * 0x20 + (_o))
+
+static const struct IntelHDAReg regtab[] = {
+    /* global */
+    [ ICH6_REG_GCAP ] = {
+        .name     = "GCAP",
+        .size     = 2,
+        .reset    = 0x4401,
+    },
+    [ ICH6_REG_VMIN ] = {
+        .name     = "VMIN",
+        .size     = 1,
+    },
+    [ ICH6_REG_VMAJ ] = {
+        .name     = "VMAJ",
+        .size     = 1,
+        .reset    = 1,
+    },
+    [ ICH6_REG_OUTPAY ] = {
+        .name     = "OUTPAY",
+        .size     = 2,
+        .reset    = 0x3c,
+    },
+    [ ICH6_REG_INPAY ] = {
+        .name     = "INPAY",
+        .size     = 2,
+        .reset    = 0x1d,
+    },
+    [ ICH6_REG_GCTL ] = {
+        .name     = "GCTL",
+        .size     = 4,
+        .wmask    = 0x0103,
+        .offset   = offsetof(IntelHDAState, g_ctl),
+        .whandler = intel_hda_set_g_ctl,
+    },
+    [ ICH6_REG_WAKEEN ] = {
+        .name     = "WAKEEN",
+        .size     = 2,
+        .offset   = offsetof(IntelHDAState, wake_en),
+    },
+    [ ICH6_REG_STATESTS ] = {
+        .name     = "STATESTS",
+        .size     = 2,
+        .wmask    = 0x3fff,
+        .wclear   = 0x3fff,
+        .offset   = offsetof(IntelHDAState, state_sts),
+        .whandler = intel_hda_set_state_sts,
+    },
+
+    /* interrupts */
+    [ ICH6_REG_INTCTL ] = {
+        .name     = "INTCTL",
+        .size     = 4,
+        .wmask    = 0xc00000ff,
+        .offset   = offsetof(IntelHDAState, int_ctl),
+        .whandler = intel_hda_set_int_ctl,
+    },
+    [ ICH6_REG_INTSTS ] = {
+        .name     = "INTSTS",
+        .size     = 4,
+        .wmask    = 0xc00000ff,
+        .wclear   = 0xc00000ff,
+        .offset   = offsetof(IntelHDAState, int_sts),
+    },
+
+    /* misc */
+    [ ICH6_REG_WALLCLK ] = {
+        .name     = "WALLCLK",
+        .size     = 4,
+        .offset   = offsetof(IntelHDAState, wall_clk),
+        .rhandler = intel_hda_get_wall_clk,
+    },
+    [ ICH6_REG_WALLCLK + 0x2000 ] = {
+        .name     = "WALLCLK(alias)",
+        .size     = 4,
+        .offset   = offsetof(IntelHDAState, wall_clk),
+        .rhandler = intel_hda_get_wall_clk,
+    },
+
+    /* dma engine */
+    [ ICH6_REG_CORBLBASE ] = {
+        .name     = "CORBLBASE",
+        .size     = 4,
+        .wmask    = 0xffffff80,
+        .offset   = offsetof(IntelHDAState, corb_lbase),
+    },
+    [ ICH6_REG_CORBUBASE ] = {
+        .name     = "CORBUBASE",
+        .size     = 4,
+        .wmask    = 0xffffffff,
+        .offset   = offsetof(IntelHDAState, corb_ubase),
+    },
+    [ ICH6_REG_CORBWP ] = {
+        .name     = "CORBWP",
+        .size     = 2,
+        .wmask    = 0xff,
+        .offset   = offsetof(IntelHDAState, corb_wp),
+        .whandler = intel_hda_set_corb_wp,
+    },
+    [ ICH6_REG_CORBRP ] = {
+        .name     = "CORBRP",
+        .size     = 2,
+        .wmask    = 0x80ff,
+        .offset   = offsetof(IntelHDAState, corb_rp),
+    },
+    [ ICH6_REG_CORBCTL ] = {
+        .name     = "CORBCTL",
+        .size     = 1,
+        .wmask    = 0x03,
+        .offset   = offsetof(IntelHDAState, corb_ctl),
+        .whandler = intel_hda_set_corb_ctl,
+    },
+    [ ICH6_REG_CORBSTS ] = {
+        .name     = "CORBSTS",
+        .size     = 1,
+        .wmask    = 0x01,
+        .wclear   = 0x01,
+        .offset   = offsetof(IntelHDAState, corb_sts),
+    },
+    [ ICH6_REG_CORBSIZE ] = {
+        .name     = "CORBSIZE",
+        .size     = 1,
+        .reset    = 0x42,
+        .offset   = offsetof(IntelHDAState, corb_size),
+    },
+    [ ICH6_REG_RIRBLBASE ] = {
+        .name     = "RIRBLBASE",
+        .size     = 4,
+        .wmask    = 0xffffff80,
+        .offset   = offsetof(IntelHDAState, rirb_lbase),
+    },
+    [ ICH6_REG_RIRBUBASE ] = {
+        .name     = "RIRBUBASE",
+        .size     = 4,
+        .wmask    = 0xffffffff,
+        .offset   = offsetof(IntelHDAState, rirb_ubase),
+    },
+    [ ICH6_REG_RIRBWP ] = {
+        .name     = "RIRBWP",
+        .size     = 2,
+        .wmask    = 0x8000,
+        .offset   = offsetof(IntelHDAState, rirb_wp),
+        .whandler = intel_hda_set_rirb_wp,
+    },
+    [ ICH6_REG_RINTCNT ] = {
+        .name     = "RINTCNT",
+        .size     = 2,
+        .wmask    = 0xff,
+        .offset   = offsetof(IntelHDAState, rirb_cnt),
+    },
+    [ ICH6_REG_RIRBCTL ] = {
+        .name     = "RIRBCTL",
+        .size     = 1,
+        .wmask    = 0x07,
+        .offset   = offsetof(IntelHDAState, rirb_ctl),
+    },
+    [ ICH6_REG_RIRBSTS ] = {
+        .name     = "RIRBSTS",
+        .size     = 1,
+        .wmask    = 0x05,
+        .wclear   = 0x05,
+        .offset   = offsetof(IntelHDAState, rirb_sts),
+        .whandler = intel_hda_set_rirb_sts,
+    },
+    [ ICH6_REG_RIRBSIZE ] = {
+        .name     = "RIRBSIZE",
+        .size     = 1,
+        .reset    = 0x42,
+        .offset   = offsetof(IntelHDAState, rirb_size),
+    },
+
+    [ ICH6_REG_DPLBASE ] = {
+        .name     = "DPLBASE",
+        .size     = 4,
+        .wmask    = 0xffffff81,
+        .offset   = offsetof(IntelHDAState, dp_lbase),
+    },
+    [ ICH6_REG_DPUBASE ] = {
+        .name     = "DPUBASE",
+        .size     = 4,
+        .wmask    = 0xffffffff,
+        .offset   = offsetof(IntelHDAState, dp_ubase),
+    },
+
+    [ ICH6_REG_IC ] = {
+        .name     = "ICW",
+        .size     = 4,
+        .wmask    = 0xffffffff,
+        .offset   = offsetof(IntelHDAState, icw),
+    },
+    [ ICH6_REG_IR ] = {
+        .name     = "IRR",
+        .size     = 4,
+        .offset   = offsetof(IntelHDAState, irr),
+    },
+    [ ICH6_REG_IRS ] = {
+        .name     = "ICS",
+        .size     = 2,
+        .wmask    = 0x0003,
+        .wclear   = 0x0002,
+        .offset   = offsetof(IntelHDAState, ics),
+        .whandler = intel_hda_set_ics,
+    },
+
+#define HDA_STREAM(_t, _i)                                            \
+    [ ST_REG(_i, ICH6_REG_SD_CTL) ] = {                               \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " CTL",                          \
+        .size     = 4,                                                \
+        .wmask    = 0x1cff001f,                                       \
+        .offset   = offsetof(IntelHDAState, st[_i].ctl),              \
+        .whandler = intel_hda_set_st_ctl,                             \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_CTL) + 2] = {                            \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " CTL(stnr)",                    \
+        .size     = 1,                                                \
+        .shift    = 16,                                               \
+        .wmask    = 0x00ff0000,                                       \
+        .offset   = offsetof(IntelHDAState, st[_i].ctl),              \
+        .whandler = intel_hda_set_st_ctl,                             \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_STS)] = {                                \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " CTL(sts)",                     \
+        .size     = 1,                                                \
+        .shift    = 24,                                               \
+        .wmask    = 0x1c000000,                                       \
+        .wclear   = 0x1c000000,                                       \
+        .offset   = offsetof(IntelHDAState, st[_i].ctl),              \
+        .whandler = intel_hda_set_st_ctl,                             \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_LPIB) ] = {                              \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " LPIB",                         \
+        .size     = 4,                                                \
+        .offset   = offsetof(IntelHDAState, st[_i].lpib),             \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_LPIB) + 0x2000 ] = {                     \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " LPIB(alias)",                  \
+        .size     = 4,                                                \
+        .offset   = offsetof(IntelHDAState, st[_i].lpib),             \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_CBL) ] = {                               \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " CBL",                          \
+        .size     = 4,                                                \
+        .wmask    = 0xffffffff,                                       \
+        .offset   = offsetof(IntelHDAState, st[_i].cbl),              \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_LVI) ] = {                               \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " LVI",                          \
+        .size     = 2,                                                \
+        .wmask    = 0x00ff,                                           \
+        .offset   = offsetof(IntelHDAState, st[_i].lvi),              \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_FIFOSIZE) ] = {                          \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " FIFOS",                        \
+        .size     = 2,                                                \
+        .reset    = HDA_BUFFER_SIZE,                                  \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_FORMAT) ] = {                            \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " FMT",                          \
+        .size     = 2,                                                \
+        .wmask    = 0x7f7f,                                           \
+        .offset   = offsetof(IntelHDAState, st[_i].fmt),              \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_BDLPL) ] = {                             \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " BDLPL",                        \
+        .size     = 4,                                                \
+        .wmask    = 0xffffff80,                                       \
+        .offset   = offsetof(IntelHDAState, st[_i].bdlp_lbase),       \
+    },                                                                \
+    [ ST_REG(_i, ICH6_REG_SD_BDLPU) ] = {                             \
+        .stream   = _i,                                               \
+        .name     = _t stringify(_i) " BDLPU",                        \
+        .size     = 4,                                                \
+        .wmask    = 0xffffffff,                                       \
+        .offset   = offsetof(IntelHDAState, st[_i].bdlp_ubase),       \
+    },                                                                \
+
+    HDA_STREAM("IN", 0)
+    HDA_STREAM("IN", 1)
+    HDA_STREAM("IN", 2)
+    HDA_STREAM("IN", 3)
+
+    HDA_STREAM("OUT", 4)
+    HDA_STREAM("OUT", 5)
+    HDA_STREAM("OUT", 6)
+    HDA_STREAM("OUT", 7)
+
+};
+
+static const IntelHDAReg *intel_hda_reg_find(IntelHDAState *d, target_phys_addr_t addr)
+{
+    const IntelHDAReg *reg;
+
+    if (addr >= sizeof(regtab)/sizeof(regtab[0])) {
+        goto noreg;
+    }
+    reg = regtab+addr;
+    if (reg->name == NULL) {
+        goto noreg;
+    }
+    return reg;
+
+noreg:
+    dprint(d, 1, "unknown register, addr 0x%x\n", (int) addr);
+    return NULL;
+}
+
+static uint32_t *intel_hda_reg_addr(IntelHDAState *d, const IntelHDAReg *reg)
+{
+    uint8_t *addr = (void*)d;
+
+    addr += reg->offset;
+    return (uint32_t*)addr;
+}
+
+static void intel_hda_reg_write(IntelHDAState *d, const IntelHDAReg *reg, uint32_t val,
+                                uint32_t wmask)
+{
+    uint32_t *addr;
+    uint32_t old;
+
+    if (!reg) {
+        return;
+    }
+
+    if (d->debug) {
+        time_t now = time(NULL);
+        if (d->last_write && d->last_reg == reg && d->last_val == val) {
+            d->repeat_count++;
+            if (d->last_sec != now) {
+                dprint(d, 2, "previous register op repeated %d times\n", d->repeat_count);
+                d->last_sec = now;
+                d->repeat_count = 0;
+            }
+        } else {
+            if (d->repeat_count) {
+                dprint(d, 2, "previous register op repeated %d times\n", d->repeat_count);
+            }
+            dprint(d, 2, "write %-16s: 0x%x (%x)\n", reg->name, val, wmask);
+            d->last_write = 1;
+            d->last_reg   = reg;
+            d->last_val   = val;
+            d->last_sec   = now;
+            d->repeat_count = 0;
+        }
+    }
+    assert(reg->offset != 0);
+
+    addr = intel_hda_reg_addr(d, reg);
+    old = *addr;
+
+    if (reg->shift) {
+        val <<= reg->shift;
+        wmask <<= reg->shift;
+    }
+    wmask &= reg->wmask;
+    *addr &= ~wmask;
+    *addr |= wmask & val;
+    *addr &= ~(val & reg->wclear);
+
+    if (reg->whandler) {
+        reg->whandler(d, reg, old);
+    }
+}
+
+static uint32_t intel_hda_reg_read(IntelHDAState *d, const IntelHDAReg *reg,
+                                   uint32_t rmask)
+{
+    uint32_t *addr, ret;
+
+    if (!reg) {
+        return 0;
+    }
+
+    if (reg->rhandler) {
+        reg->rhandler(d, reg);
+    }
+
+    if (reg->offset == 0) {
+        /* constant read-only register */
+        ret = reg->reset;
+    } else {
+        addr = intel_hda_reg_addr(d, reg);
+        ret = *addr;
+        if (reg->shift) {
+            ret >>= reg->shift;
+        }
+        ret &= rmask;
+    }
+    if (d->debug) {
+        time_t now = time(NULL);
+        if (!d->last_write && d->last_reg == reg && d->last_val == ret) {
+            d->repeat_count++;
+            if (d->last_sec != now) {
+                dprint(d, 2, "previous register op repeated %d times\n", d->repeat_count);
+                d->last_sec = now;
+                d->repeat_count = 0;
+            }
+        } else {
+            if (d->repeat_count) {
+                dprint(d, 2, "previous register op repeated %d times\n", d->repeat_count);
+            }
+            dprint(d, 2, "read  %-16s: 0x%x (%x)\n", reg->name, ret, rmask);
+            d->last_write = 0;
+            d->last_reg   = reg;
+            d->last_val   = ret;
+            d->last_sec   = now;
+            d->repeat_count = 0;
+        }
+    }
+    return ret;
+}
+
+static void intel_hda_regs_reset(IntelHDAState *d)
+{
+    uint32_t *addr;
+    int i;
+
+    for (i = 0; i < sizeof(regtab)/sizeof(regtab[0]); i++) {
+        if (regtab[i].name == NULL) {
+            continue;
+        }
+        if (regtab[i].offset == 0) {
+            continue;
+        }
+        addr = intel_hda_reg_addr(d, regtab + i);
+        *addr = regtab[i].reset;
+    }
+}
+
+/* --------------------------------------------------------------------- */
+
+static void intel_hda_mmio_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
+{
+    IntelHDAState *d = opaque;
+    const IntelHDAReg *reg = intel_hda_reg_find(d, addr);
+
+    intel_hda_reg_write(d, reg, val, 0xff);
+}
+
+static void intel_hda_mmio_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
+{
+    IntelHDAState *d = opaque;
+    const IntelHDAReg *reg = intel_hda_reg_find(d, addr);
+
+    intel_hda_reg_write(d, reg, val, 0xffff);
+}
+
+static void intel_hda_mmio_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
+{
+    IntelHDAState *d = opaque;
+    const IntelHDAReg *reg = intel_hda_reg_find(d, addr);
+
+    intel_hda_reg_write(d, reg, val, 0xffffffff);
+}
+
+static uint32_t intel_hda_mmio_readb(void *opaque, target_phys_addr_t addr)
+{
+    IntelHDAState *d = opaque;
+    const IntelHDAReg *reg = intel_hda_reg_find(d, addr);
+
+    return intel_hda_reg_read(d, reg, 0xff);
+}
+
+static uint32_t intel_hda_mmio_readw(void *opaque, target_phys_addr_t addr)
+{
+    IntelHDAState *d = opaque;
+    const IntelHDAReg *reg = intel_hda_reg_find(d, addr);
+
+    return intel_hda_reg_read(d, reg, 0xffff);
+}
+
+static uint32_t intel_hda_mmio_readl(void *opaque, target_phys_addr_t addr)
+{
+    IntelHDAState *d = opaque;
+    const IntelHDAReg *reg = intel_hda_reg_find(d, addr);
+
+    return intel_hda_reg_read(d, reg, 0xffffffff);
+}
+
+static CPUReadMemoryFunc * const intel_hda_mmio_read[3] = {
+    intel_hda_mmio_readb,
+    intel_hda_mmio_readw,
+    intel_hda_mmio_readl,
+};
+
+static CPUWriteMemoryFunc * const intel_hda_mmio_write[3] = {
+    intel_hda_mmio_writeb,
+    intel_hda_mmio_writew,
+    intel_hda_mmio_writel,
+};
+
+static void intel_hda_map(PCIDevice *pci, int region_num,
+                          pcibus_t addr, pcibus_t size, int type)
+{
+    IntelHDAState *d = DO_UPCAST(IntelHDAState, pci, pci);
+
+    cpu_register_physical_memory(addr, 0x4000, d->mmio_addr);
+}
+
+/* --------------------------------------------------------------------- */
+
+static void intel_hda_reset(DeviceState *dev)
+{
+    IntelHDAState *d = DO_UPCAST(IntelHDAState, pci.qdev, dev);
+    DeviceState *qdev;
+    HDACodecDevice *cdev;
+
+    intel_hda_regs_reset(d);
+    d->wall_base_ns = qemu_get_clock(vm_clock);
+
+    /* reset codecs */
+    QLIST_FOREACH(qdev, &d->codecs.qbus.children, sibling) {
+        cdev = DO_UPCAST(HDACodecDevice, qdev, qdev);
+        if (qdev->info->reset) {
+            qdev->info->reset(qdev);
+        }
+        d->state_sts |= (1 << cdev->cad);
+    }
+    intel_hda_update_irq(d);
+}
+
+static int intel_hda_init(PCIDevice *pci)
+{
+    IntelHDAState *d = DO_UPCAST(IntelHDAState, pci, pci);
+    uint8_t *conf = d->pci.config;
+
+    d->name = d->pci.qdev.info->name;
+
+    pci_config_set_vendor_id(conf, PCI_VENDOR_ID_INTEL);
+    pci_config_set_device_id(conf, 0x2668);
+    pci_config_set_revision(conf, 1);
+    pci_config_set_class(conf, PCI_CLASS_MULTIMEDIA_HD_AUDIO);
+    pci_config_set_interrupt_pin(conf, 1);
+
+    /* HDCTL off 0x40 bit 0 selects signaling mode (1-HDA, 0 - Ac97) 18.1.19 */
+    conf[0x40] = 0x01;
+
+    d->mmio_addr = cpu_register_io_memory(intel_hda_mmio_read,
+                                          intel_hda_mmio_write, d);
+    pci_register_bar(&d->pci, 0, 0x4000, PCI_BASE_ADDRESS_SPACE_MEMORY,
+                     intel_hda_map);
+
+    hda_codec_bus_init(&d->pci.qdev, &d->codecs,
+                       intel_hda_response, intel_hda_xfer);
+
+    return 0;
+}
+
+static int intel_hda_post_load(void *opaque, int version)
+{
+    IntelHDAState* d = opaque;
+    int i;
+
+    dprint(d, 1, "%s\n", __FUNCTION__);
+    for (i = 0; i < ARRAY_SIZE(d->st); i++) {
+        if (d->st[i].ctl & 0x02) {
+            intel_hda_parse_bdl(d, &d->st[i]);
+        }
+    }
+    intel_hda_update_irq(d);
+    return 0;
+}
+
+static const VMStateDescription vmstate_intel_hda_stream = {
+    .name = "intel-hda-stream",
+    .version_id = 1,
+    .fields = (VMStateField []) {
+        VMSTATE_UINT32(ctl, IntelHDAStream),
+        VMSTATE_UINT32(lpib, IntelHDAStream),
+        VMSTATE_UINT32(cbl, IntelHDAStream),
+        VMSTATE_UINT32(lvi, IntelHDAStream),
+        VMSTATE_UINT32(fmt, IntelHDAStream),
+        VMSTATE_UINT32(bdlp_lbase, IntelHDAStream),
+        VMSTATE_UINT32(bdlp_ubase, IntelHDAStream),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_intel_hda = {
+    .name = "intel-hda",
+    .version_id = 1,
+    .post_load = intel_hda_post_load,
+    .fields = (VMStateField []) {
+        VMSTATE_PCI_DEVICE(pci, IntelHDAState),
+
+        /* registers */
+        VMSTATE_UINT32(g_ctl, IntelHDAState),
+        VMSTATE_UINT32(wake_en, IntelHDAState),
+        VMSTATE_UINT32(state_sts, IntelHDAState),
+        VMSTATE_UINT32(int_ctl, IntelHDAState),
+        VMSTATE_UINT32(int_sts, IntelHDAState),
+        VMSTATE_UINT32(wall_clk, IntelHDAState),
+        VMSTATE_UINT32(corb_lbase, IntelHDAState),
+        VMSTATE_UINT32(corb_ubase, IntelHDAState),
+        VMSTATE_UINT32(corb_rp, IntelHDAState),
+        VMSTATE_UINT32(corb_wp, IntelHDAState),
+        VMSTATE_UINT32(corb_ctl, IntelHDAState),
+        VMSTATE_UINT32(corb_sts, IntelHDAState),
+        VMSTATE_UINT32(corb_size, IntelHDAState),
+        VMSTATE_UINT32(rirb_lbase, IntelHDAState),
+        VMSTATE_UINT32(rirb_ubase, IntelHDAState),
+        VMSTATE_UINT32(rirb_wp, IntelHDAState),
+        VMSTATE_UINT32(rirb_cnt, IntelHDAState),
+        VMSTATE_UINT32(rirb_ctl, IntelHDAState),
+        VMSTATE_UINT32(rirb_sts, IntelHDAState),
+        VMSTATE_UINT32(rirb_size, IntelHDAState),
+        VMSTATE_UINT32(dp_lbase, IntelHDAState),
+        VMSTATE_UINT32(dp_ubase, IntelHDAState),
+        VMSTATE_UINT32(icw, IntelHDAState),
+        VMSTATE_UINT32(irr, IntelHDAState),
+        VMSTATE_UINT32(ics, IntelHDAState),
+        VMSTATE_STRUCT_ARRAY(st, IntelHDAState, 8, 0,
+                             vmstate_intel_hda_stream,
+                             IntelHDAStream),
+
+        /* additional state info */
+        VMSTATE_UINT32(rirb_count, IntelHDAState),
+        VMSTATE_INT64(wall_base_ns, IntelHDAState),
+
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static PCIDeviceInfo intel_hda_info = {
+    .qdev.name    = "intel-hda",
+    .qdev.desc    = "Intel HD Audio Controller",
+    .qdev.size    = sizeof(IntelHDAState),
+    .qdev.vmsd    = &vmstate_intel_hda,
+    .qdev.reset   = intel_hda_reset,
+    .init         = intel_hda_init,
+    .qdev.props   = (Property[]) {
+        DEFINE_PROP_UINT32("debug", IntelHDAState, debug, 0),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void intel_hda_register(void)
+{
+    pci_qdev_register(&intel_hda_info);
+}
+device_init(intel_hda_register);
+
+/*
+ * create intel hda controller with codec attached to it,
+ * so '-soundhw hda' works.
+ */
+int intel_hda_and_codec_init(PCIBus *bus)
+{
+    PCIDevice *controller;
+    BusState *hdabus;
+    DeviceState *codec;
+
+    controller = pci_create_simple(bus, -1, "intel-hda");
+    hdabus = QLIST_FIRST(&controller->qdev.child_bus);
+    codec = qdev_create(hdabus, "hda-duplex");
+    qdev_init_nofail(codec);
+    return 0;
+}
+
diff --git a/hw/intel-hda.h b/hw/intel-hda.h
new file mode 100644
index 0000000..ba290ec
--- /dev/null
+++ b/hw/intel-hda.h
@@ -0,0 +1,61 @@
+#ifndef HW_INTEL_HDA_H
+#define HW_INTEL_HDA_H
+
+#include "qdev.h"
+
+/* --------------------------------------------------------------------- */
+/* hda bus                                                               */
+
+typedef struct HDACodecBus HDACodecBus;
+typedef struct HDACodecDevice HDACodecDevice;
+typedef struct HDACodecDeviceInfo HDACodecDeviceInfo;
+
+typedef void (*hda_codec_response_func)(HDACodecDevice *dev,
+                                        bool solicited, uint32_t response);
+typedef bool (*hda_codec_xfer_func)(HDACodecDevice *dev,
+                                    uint32_t stnr, bool output,
+                                    uint8_t *buf, uint32_t len);
+
+struct HDACodecBus {
+    BusState qbus;
+    uint32_t next_cad;
+    hda_codec_response_func response;
+    hda_codec_xfer_func xfer;
+};
+
+struct HDACodecDevice {
+    DeviceState         qdev;
+    HDACodecDeviceInfo  *info;
+    uint32_t            cad;    /* codec address */
+};
+
+struct HDACodecDeviceInfo {
+    DeviceInfo qdev;
+    int (*init)(HDACodecDevice *dev);
+    void (*command)(HDACodecDevice *dev, uint32_t nid, uint32_t data);
+    void (*stream)(HDACodecDevice *dev, uint32_t stnr, bool running);
+};
+
+void hda_codec_bus_init(DeviceState *dev, HDACodecBus *bus,
+                        hda_codec_response_func response,
+                        hda_codec_xfer_func xfer);
+void hda_codec_register(HDACodecDeviceInfo *info);
+HDACodecDevice *hda_codec_find(HDACodecBus *bus, uint32_t cad);
+
+void hda_codec_response(HDACodecDevice *dev, bool solicited, uint32_t response);
+bool hda_codec_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+                    uint8_t *buf, uint32_t len);
+
+/* --------------------------------------------------------------------- */
+
+#define dprint(_dev, _level, _fmt, ...)                                 \
+    do {                                                                \
+        if (_dev->debug >= _level) {                                    \
+            fprintf(stderr, "%s: ", _dev->name);                        \
+            fprintf(stderr, _fmt, ## __VA_ARGS__);                      \
+        }                                                               \
+    } while (0)
+
+/* --------------------------------------------------------------------- */
+
+#endif
commit cdae5cfbd3a61a5d4de79b829fb41188073d3002
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Nov 1 15:51:54 2010 +0100

    add VMSTATE_BOOL
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/hw.h b/hw/hw.h
index 4405092..9d2cfc2 100644
--- a/hw/hw.h
+++ b/hw/hw.h
@@ -333,6 +333,8 @@ struct VMStateDescription {
     const VMStateSubsection *subsections;
 };
 
+extern const VMStateInfo vmstate_info_bool;
+
 extern const VMStateInfo vmstate_info_int8;
 extern const VMStateInfo vmstate_info_int16;
 extern const VMStateInfo vmstate_info_int32;
@@ -602,6 +604,9 @@ extern const VMStateDescription vmstate_i2c_slave;
 #define VMSTATE_STRUCT_POINTER(_field, _state, _vmsd, _type)          \
     VMSTATE_STRUCT_POINTER_TEST(_field, _state, NULL, _vmsd, _type)
 
+#define VMSTATE_BOOL_V(_f, _s, _v)                                    \
+    VMSTATE_SINGLE(_f, _s, _v, vmstate_info_bool, bool)
+
 #define VMSTATE_INT8_V(_f, _s, _v)                                    \
     VMSTATE_SINGLE(_f, _s, _v, vmstate_info_int8, int8_t)
 #define VMSTATE_INT16_V(_f, _s, _v)                                   \
@@ -620,6 +625,9 @@ extern const VMStateDescription vmstate_i2c_slave;
 #define VMSTATE_UINT64_V(_f, _s, _v)                                  \
     VMSTATE_SINGLE(_f, _s, _v, vmstate_info_uint64, uint64_t)
 
+#define VMSTATE_BOOL(_f, _s)                                          \
+    VMSTATE_BOOL_V(_f, _s, 0)
+
 #define VMSTATE_INT8(_f, _s)                                          \
     VMSTATE_INT8_V(_f, _s, 0)
 #define VMSTATE_INT16(_f, _s)                                         \
@@ -674,6 +682,12 @@ extern const VMStateDescription vmstate_i2c_slave;
 #define VMSTATE_PTIMER(_f, _s)                                        \
     VMSTATE_PTIMER_V(_f, _s, 0)
 
+#define VMSTATE_BOOL_ARRAY_V(_f, _s, _n, _v)                         \
+    VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_bool, bool)
+
+#define VMSTATE_BOOL_ARRAY(_f, _s, _n)                               \
+    VMSTATE_BOOL_ARRAY_V(_f, _s, _n, 0)
+
 #define VMSTATE_UINT16_ARRAY_V(_f, _s, _n, _v)                         \
     VMSTATE_ARRAY(_f, _s, _n, _v, vmstate_info_uint16, uint16_t)
 
diff --git a/savevm.c b/savevm.c
index 2d8cadc..4e49765 100644
--- a/savevm.c
+++ b/savevm.c
@@ -675,6 +675,27 @@ uint64_t qemu_get_be64(QEMUFile *f)
     return v;
 }
 
+/* bool */
+
+static int get_bool(QEMUFile *f, void *pv, size_t size)
+{
+    bool *v = pv;
+    *v = qemu_get_byte(f);
+    return 0;
+}
+
+static void put_bool(QEMUFile *f, void *pv, size_t size)
+{
+    bool *v = pv;
+    qemu_put_byte(f, *v);
+}
+
+const VMStateInfo vmstate_info_bool = {
+    .name = "bool",
+    .get  = get_bool,
+    .put  = put_bool,
+};
+
 /* 8 bit int */
 
 static int get_int8(QEMUFile *f, void *pv, size_t size)
commit 12b6278f9e2a1e3b8f60223fe065ddf2b119c6bc
Author: malc <av1474 at comtv.ru>
Date:   Mon Nov 1 00:53:19 2010 +0300

    Remove trailing whitespace
    
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/cache-utils.c b/cache-utils.c
index b1f2097..2db5af2 100644
--- a/cache-utils.c
+++ b/cache-utils.c
@@ -79,7 +79,7 @@ static void ppc_init_cacheline_sizes(void)
     qemu_cache_conf.dcache_bsize = cacheline;
     qemu_cache_conf.icache_bsize = cacheline;
 }
-#endif    
+#endif
 
 #ifdef __linux__
 void qemu_cache_utils_init(char **envp)
commit 97bf4851fe2542635ebe33bdd1473012a2421b42
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Oct 31 09:24:14 2010 +0000

    sparc32: convert debug printf statements to tracepoints
    
    Replace debug printf statements with tracepoints.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/cs4231.c b/hw/cs4231.c
index f7ce0af..2977101 100644
--- a/hw/cs4231.c
+++ b/hw/cs4231.c
@@ -23,9 +23,7 @@
  */
 
 #include "sysbus.h"
-
-/* debug CS4231 */
-//#define DEBUG_CS
+#include "trace.h"
 
 /*
  * In addition to Crystal CS4231 there is a DMA controller on Sparc.
@@ -46,13 +44,6 @@ typedef struct CSState {
 #define CS_VER 0xa0
 #define CS_CDC_VER 0x8a
 
-#ifdef DEBUG_CS
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("CS: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
-
 static void cs_reset(DeviceState *d)
 {
     CSState *s = container_of(d, CSState, busdev.qdev);
@@ -79,11 +70,11 @@ static uint32_t cs_mem_readl(void *opaque, target_phys_addr_t addr)
             ret = s->dregs[CS_RAP(s)];
             break;
         }
-        DPRINTF("read dreg[%d]: 0x%8.8x\n", CS_RAP(s), ret);
+        trace_cs4231_mem_readl_dreg(CS_RAP(s), ret);
         break;
     default:
         ret = s->regs[saddr];
-        DPRINTF("read reg[%d]: 0x%8.8x\n", saddr, ret);
+        trace_cs4231_mem_readl_reg(saddr, ret);
         break;
     }
     return ret;
@@ -95,11 +86,10 @@ static void cs_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
     uint32_t saddr;
 
     saddr = addr >> 2;
-    DPRINTF("write reg[%d]: 0x%8.8x -> 0x%8.8x\n", saddr, s->regs[saddr], val);
+    trace_cs4231_mem_writel_reg(saddr, s->regs[saddr], val);
     switch (saddr) {
     case 1:
-        DPRINTF("write dreg[%d]: 0x%2.2x -> 0x%2.2x\n", CS_RAP(s),
-                s->dregs[CS_RAP(s)], val);
+        trace_cs4231_mem_writel_dreg(CS_RAP(s), s->dregs[CS_RAP(s)], val);
         switch(CS_RAP(s)) {
         case 11:
         case 25: // Read only
diff --git a/hw/eccmemctl.c b/hw/eccmemctl.c
index 498c61a..a8042e9 100644
--- a/hw/eccmemctl.c
+++ b/hw/eccmemctl.c
@@ -23,15 +23,7 @@
  */
 
 #include "sysbus.h"
-
-//#define DEBUG_ECC
-
-#ifdef DEBUG_ECC
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("ECC: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
+#include "trace.h"
 
 /* There are 3 versions of this chip used in SMP sun4m systems:
  * MCC (version 0, implementation 0) SS-600MP
@@ -148,32 +140,32 @@ static void ecc_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
             s->regs[ECC_MER] = s->version | (val & ECC_MER_MASK_1);
         else if (s->version == ECC_SMC)
             s->regs[ECC_MER] = s->version | (val & ECC_MER_MASK_2);
-        DPRINTF("Write memory enable %08x\n", val);
+        trace_ecc_mem_writel_mer(val);
         break;
     case ECC_MDR:
         s->regs[ECC_MDR] =  val & ECC_MDR_MASK;
-        DPRINTF("Write memory delay %08x\n", val);
+        trace_ecc_mem_writel_mdr(val);
         break;
     case ECC_MFSR:
         s->regs[ECC_MFSR] =  val;
         qemu_irq_lower(s->irq);
-        DPRINTF("Write memory fault status %08x\n", val);
+        trace_ecc_mem_writel_mfsr(val);
         break;
     case ECC_VCR:
         s->regs[ECC_VCR] =  val;
-        DPRINTF("Write slot configuration %08x\n", val);
+        trace_ecc_mem_writel_vcr(val);
         break;
     case ECC_DR:
         s->regs[ECC_DR] =  val;
-        DPRINTF("Write diagnostic %08x\n", val);
+        trace_ecc_mem_writel_dr(val);
         break;
     case ECC_ECR0:
         s->regs[ECC_ECR0] =  val;
-        DPRINTF("Write event count 1 %08x\n", val);
+        trace_ecc_mem_writel_ecr0(val);
         break;
     case ECC_ECR1:
         s->regs[ECC_ECR0] =  val;
-        DPRINTF("Write event count 2 %08x\n", val);
+        trace_ecc_mem_writel_ecr1(val);
         break;
     }
 }
@@ -186,39 +178,39 @@ static uint32_t ecc_mem_readl(void *opaque, target_phys_addr_t addr)
     switch (addr >> 2) {
     case ECC_MER:
         ret = s->regs[ECC_MER];
-        DPRINTF("Read memory enable %08x\n", ret);
+        trace_ecc_mem_readl_mer(ret);
         break;
     case ECC_MDR:
         ret = s->regs[ECC_MDR];
-        DPRINTF("Read memory delay %08x\n", ret);
+        trace_ecc_mem_readl_mdr(ret);
         break;
     case ECC_MFSR:
         ret = s->regs[ECC_MFSR];
-        DPRINTF("Read memory fault status %08x\n", ret);
+        trace_ecc_mem_readl_mfsr(ret);
         break;
     case ECC_VCR:
         ret = s->regs[ECC_VCR];
-        DPRINTF("Read slot configuration %08x\n", ret);
+        trace_ecc_mem_readl_vcr(ret);
         break;
     case ECC_MFAR0:
         ret = s->regs[ECC_MFAR0];
-        DPRINTF("Read memory fault address 0 %08x\n", ret);
+        trace_ecc_mem_readl_mfar0(ret);
         break;
     case ECC_MFAR1:
         ret = s->regs[ECC_MFAR1];
-        DPRINTF("Read memory fault address 1 %08x\n", ret);
+        trace_ecc_mem_readl_mfar1(ret);
         break;
     case ECC_DR:
         ret = s->regs[ECC_DR];
-        DPRINTF("Read diagnostic %08x\n", ret);
+        trace_ecc_mem_readl_dr(ret);
         break;
     case ECC_ECR0:
         ret = s->regs[ECC_ECR0];
-        DPRINTF("Read event count 1 %08x\n", ret);
+        trace_ecc_mem_readl_ecr0(ret);
         break;
     case ECC_ECR1:
         ret = s->regs[ECC_ECR0];
-        DPRINTF("Read event count 2 %08x\n", ret);
+        trace_ecc_mem_readl_ecr1(ret);
         break;
     }
     return ret;
@@ -241,7 +233,7 @@ static void ecc_diag_mem_writeb(void *opaque, target_phys_addr_t addr,
 {
     ECCState *s = opaque;
 
-    DPRINTF("Write diagnostic[%d] = %02x\n", (int)addr, val);
+    trace_ecc_diag_mem_writeb(addr, val);
     s->diag[addr & ECC_DIAG_MASK] = val;
 }
 
@@ -250,7 +242,7 @@ static uint32_t ecc_diag_mem_readb(void *opaque, target_phys_addr_t addr)
     ECCState *s = opaque;
     uint32_t ret = s->diag[(int)addr];
 
-    DPRINTF("Read diagnostic[%d] = %02x\n", (int)addr, ret);
+    trace_ecc_diag_mem_readb(addr, ret);
     return ret;
 }
 
diff --git a/hw/lance.c b/hw/lance.c
index b6b04dd..dc12144 100644
--- a/hw/lance.c
+++ b/hw/lance.c
@@ -40,8 +40,8 @@
 #include "qemu-timer.h"
 #include "qemu_socket.h"
 #include "sun4m.h"
-
 #include "pcnet.h"
+#include "trace.h"
 
 typedef struct {
     SysBusDevice busdev;
@@ -59,10 +59,8 @@ static void lance_mem_writew(void *opaque, target_phys_addr_t addr,
                              uint32_t val)
 {
     SysBusPCNetState *d = opaque;
-#ifdef PCNET_DEBUG_IO
-    printf("lance_mem_writew addr=" TARGET_FMT_plx " val=0x%04x\n", addr,
-           val & 0xffff);
-#endif
+
+    trace_lance_mem_writew(addr, val & 0xffff);
     pcnet_ioport_writew(&d->state, addr, val & 0xffff);
 }
 
@@ -72,11 +70,7 @@ static uint32_t lance_mem_readw(void *opaque, target_phys_addr_t addr)
     uint32_t val;
 
     val = pcnet_ioport_readw(&d->state, addr);
-#ifdef PCNET_DEBUG_IO
-    printf("lance_mem_readw addr=" TARGET_FMT_plx " val = 0x%04x\n", addr,
-           val & 0xffff);
-#endif
-
+    trace_lance_mem_readw(addr, val & 0xffff);
     return val & 0xffff;
 }
 
diff --git a/hw/slavio_intctl.c b/hw/slavio_intctl.c
index 10362a3..9d5ad86 100644
--- a/hw/slavio_intctl.c
+++ b/hw/slavio_intctl.c
@@ -25,16 +25,9 @@
 #include "sun4m.h"
 #include "monitor.h"
 #include "sysbus.h"
+#include "trace.h"
 
 //#define DEBUG_IRQ_COUNT
-//#define DEBUG_IRQ
-
-#ifdef DEBUG_IRQ
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("IRQ: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
 
 /*
  * Registers of interrupt controller in sun4m.
@@ -97,7 +90,7 @@ static uint32_t slavio_intctl_mem_readl(void *opaque, target_phys_addr_t addr)
         ret = 0;
         break;
     }
-    DPRINTF("read cpu %d reg 0x" TARGET_FMT_plx " = %x\n", s->cpu, addr, ret);
+    trace_slavio_intctl_mem_readl(s->cpu, addr, ret);
 
     return ret;
 }
@@ -109,21 +102,19 @@ static void slavio_intctl_mem_writel(void *opaque, target_phys_addr_t addr,
     uint32_t saddr;
 
     saddr = addr >> 2;
-    DPRINTF("write cpu %d reg 0x" TARGET_FMT_plx " = %x\n", s->cpu, addr, val);
+    trace_slavio_intctl_mem_writel(s->cpu, addr, val);
     switch (saddr) {
     case 1: // clear pending softints
         val &= CPU_SOFTIRQ_MASK | CPU_IRQ_INT15_IN;
         s->intreg_pending &= ~val;
         slavio_check_interrupts(s->master, 1);
-        DPRINTF("Cleared cpu %d irq mask %x, curmask %x\n", s->cpu, val,
-                s->intreg_pending);
+        trace_slavio_intctl_mem_writel_clear(s->cpu, val, s->intreg_pending);
         break;
     case 2: // set softint
         val &= CPU_SOFTIRQ_MASK;
         s->intreg_pending |= val;
         slavio_check_interrupts(s->master, 1);
-        DPRINTF("Set cpu %d irq mask %x, curmask %x\n", s->cpu, val,
-                s->intreg_pending);
+        trace_slavio_intctl_mem_writel_set(s->cpu, val, s->intreg_pending);
         break;
     default:
         break;
@@ -163,7 +154,7 @@ static uint32_t slavio_intctlm_mem_readl(void *opaque, target_phys_addr_t addr)
         ret = 0;
         break;
     }
-    DPRINTF("read system reg 0x" TARGET_FMT_plx " = %x\n", addr, ret);
+    trace_slavio_intctlm_mem_readl(addr, ret);
 
     return ret;
 }
@@ -175,14 +166,13 @@ static void slavio_intctlm_mem_writel(void *opaque, target_phys_addr_t addr,
     uint32_t saddr;
 
     saddr = addr >> 2;
-    DPRINTF("write system reg 0x" TARGET_FMT_plx " = %x\n", addr, val);
+    trace_slavio_intctlm_mem_writel(addr, val);
     switch (saddr) {
     case 2: // clear (enable)
         // Force clear unused bits
         val &= MASTER_IRQ_MASK;
         s->intregm_disabled &= ~val;
-        DPRINTF("Enabled master irq mask %x, curmask %x\n", val,
-                s->intregm_disabled);
+        trace_slavio_intctlm_mem_writel_enable(val, s->intregm_disabled);
         slavio_check_interrupts(s, 1);
         break;
     case 3: // set (disable; doesn't affect pending)
@@ -190,13 +180,12 @@ static void slavio_intctlm_mem_writel(void *opaque, target_phys_addr_t addr,
         val &= MASTER_IRQ_MASK;
         s->intregm_disabled |= val;
         slavio_check_interrupts(s, 1);
-        DPRINTF("Disabled master irq mask %x, curmask %x\n", val,
-                s->intregm_disabled);
+        trace_slavio_intctlm_mem_writel_disable(val, s->intregm_disabled);
         break;
     case 4:
         s->target_cpu = val & (MAX_CPUS - 1);
         slavio_check_interrupts(s, 1);
-        DPRINTF("Set master irq cpu %d\n", s->target_cpu);
+        trace_slavio_intctlm_mem_writel_target(s->target_cpu);
         break;
     default:
         break;
@@ -264,7 +253,7 @@ static void slavio_check_interrupts(SLAVIO_INTCTLState *s, int set_irqs)
 
     pending &= ~s->intregm_disabled;
 
-    DPRINTF("pending %x disabled %x\n", pending, s->intregm_disabled);
+    trace_slavio_check_interrupts(pending, s->intregm_disabled);
     for (i = 0; i < MAX_CPUS; i++) {
         pil_pending = 0;
 
@@ -327,8 +316,7 @@ static void slavio_set_irq(void *opaque, int irq, int level)
     uint32_t pil = intbit_to_level[irq];
     unsigned int i;
 
-    DPRINTF("Set cpu %d irq %d -> pil %d level %d\n", s->target_cpu, irq, pil,
-            level);
+    trace_slavio_set_irq(s->target_cpu, irq, pil, level);
     if (pil > 0) {
         if (level) {
 #ifdef DEBUG_IRQ_COUNT
@@ -356,7 +344,7 @@ static void slavio_set_timer_irq_cpu(void *opaque, int cpu, int level)
 {
     SLAVIO_INTCTLState *s = opaque;
 
-    DPRINTF("Set cpu %d local timer level %d\n", cpu, level);
+    trace_slavio_set_timer_irq_cpu(cpu, level);
 
     if (level) {
         s->slaves[cpu].intreg_pending |= CPU_IRQ_TIMER_IN;
diff --git a/hw/slavio_misc.c b/hw/slavio_misc.c
index 5ae628d..1d81a63 100644
--- a/hw/slavio_misc.c
+++ b/hw/slavio_misc.c
@@ -24,9 +24,7 @@
 
 #include "sysemu.h"
 #include "sysbus.h"
-
-/* debug misc */
-//#define DEBUG_MISC
+#include "trace.h"
 
 /*
  * This is the auxio port, chip control and system control part of
@@ -36,13 +34,6 @@
  * This also includes the PMC CPU idle controller.
  */
 
-#ifdef DEBUG_MISC
-#define MISC_DPRINTF(fmt, ...)                                  \
-    do { printf("MISC: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define MISC_DPRINTF(fmt, ...)
-#endif
-
 typedef struct MiscState {
     SysBusDevice busdev;
     qemu_irq irq;
@@ -79,10 +70,10 @@ static void slavio_misc_update_irq(void *opaque)
     MiscState *s = opaque;
 
     if ((s->aux2 & AUX2_PWRFAIL) && (s->config & CFG_PWRINTEN)) {
-        MISC_DPRINTF("Raise IRQ\n");
+        trace_slavio_misc_update_irq_raise();
         qemu_irq_raise(s->irq);
     } else {
-        MISC_DPRINTF("Lower IRQ\n");
+        trace_slavio_misc_update_irq_lower();
         qemu_irq_lower(s->irq);
     }
 }
@@ -99,7 +90,7 @@ static void slavio_set_power_fail(void *opaque, int irq, int power_failing)
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Power fail: %d, config: %d\n", power_failing, s->config);
+    trace_slavio_set_power_fail(power_failing, s->config);
     if (power_failing && (s->config & CFG_PWRINTEN)) {
         s->aux2 |= AUX2_PWRFAIL;
     } else {
@@ -113,7 +104,7 @@ static void slavio_cfg_mem_writeb(void *opaque, target_phys_addr_t addr,
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Write config %2.2x\n", val & 0xff);
+    trace_slavio_cfg_mem_writeb(val & 0xff);
     s->config = val & 0xff;
     slavio_misc_update_irq(s);
 }
@@ -124,7 +115,7 @@ static uint32_t slavio_cfg_mem_readb(void *opaque, target_phys_addr_t addr)
     uint32_t ret = 0;
 
     ret = s->config;
-    MISC_DPRINTF("Read config %2.2x\n", ret);
+    trace_slavio_cfg_mem_readb(ret);
     return ret;
 }
 
@@ -145,7 +136,7 @@ static void slavio_diag_mem_writeb(void *opaque, target_phys_addr_t addr,
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Write diag %2.2x\n", val & 0xff);
+    trace_slavio_diag_mem_writeb(val & 0xff);
     s->diag = val & 0xff;
 }
 
@@ -155,7 +146,7 @@ static uint32_t slavio_diag_mem_readb(void *opaque, target_phys_addr_t addr)
     uint32_t ret = 0;
 
     ret = s->diag;
-    MISC_DPRINTF("Read diag %2.2x\n", ret);
+    trace_slavio_diag_mem_readb(ret);
     return ret;
 }
 
@@ -176,7 +167,7 @@ static void slavio_mdm_mem_writeb(void *opaque, target_phys_addr_t addr,
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Write modem control %2.2x\n", val & 0xff);
+    trace_slavio_mdm_mem_writeb(val & 0xff);
     s->mctrl = val & 0xff;
 }
 
@@ -186,7 +177,7 @@ static uint32_t slavio_mdm_mem_readb(void *opaque, target_phys_addr_t addr)
     uint32_t ret = 0;
 
     ret = s->mctrl;
-    MISC_DPRINTF("Read modem control %2.2x\n", ret);
+    trace_slavio_mdm_mem_readb(ret);
     return ret;
 }
 
@@ -207,7 +198,7 @@ static void slavio_aux1_mem_writeb(void *opaque, target_phys_addr_t addr,
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Write aux1 %2.2x\n", val & 0xff);
+    trace_slavio_aux1_mem_writeb(val & 0xff);
     if (val & AUX1_TC) {
         // Send a pulse to floppy terminal count line
         if (s->fdc_tc) {
@@ -225,8 +216,7 @@ static uint32_t slavio_aux1_mem_readb(void *opaque, target_phys_addr_t addr)
     uint32_t ret = 0;
 
     ret = s->aux1;
-    MISC_DPRINTF("Read aux1 %2.2x\n", ret);
-
+    trace_slavio_aux1_mem_readb(ret);
     return ret;
 }
 
@@ -248,7 +238,7 @@ static void slavio_aux2_mem_writeb(void *opaque, target_phys_addr_t addr,
     MiscState *s = opaque;
 
     val &= AUX2_PWRINTCLR | AUX2_PWROFF;
-    MISC_DPRINTF("Write aux2 %2.2x\n", val);
+    trace_slavio_aux2_mem_writeb(val & 0xff);
     val |= s->aux2 & AUX2_PWRFAIL;
     if (val & AUX2_PWRINTCLR) // Clear Power Fail int
         val &= AUX2_PWROFF;
@@ -264,8 +254,7 @@ static uint32_t slavio_aux2_mem_readb(void *opaque, target_phys_addr_t addr)
     uint32_t ret = 0;
 
     ret = s->aux2;
-    MISC_DPRINTF("Read aux2 %2.2x\n", ret);
-
+    trace_slavio_aux2_mem_readb(ret);
     return ret;
 }
 
@@ -285,7 +274,7 @@ static void apc_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
 {
     APCState *s = opaque;
 
-    MISC_DPRINTF("Write power management %2.2x\n", val & 0xff);
+    trace_apc_mem_writeb(val & 0xff);
     qemu_irq_raise(s->cpu_halt);
 }
 
@@ -293,7 +282,7 @@ static uint32_t apc_mem_readb(void *opaque, target_phys_addr_t addr)
 {
     uint32_t ret = 0;
 
-    MISC_DPRINTF("Read power management %2.2x\n", ret);
+    trace_apc_mem_readb(ret);
     return ret;
 }
 
@@ -321,7 +310,7 @@ static uint32_t slavio_sysctrl_mem_readl(void *opaque, target_phys_addr_t addr)
     default:
         break;
     }
-    MISC_DPRINTF("Read system control %08x\n", ret);
+    trace_slavio_sysctrl_mem_readl(ret);
     return ret;
 }
 
@@ -330,7 +319,7 @@ static void slavio_sysctrl_mem_writel(void *opaque, target_phys_addr_t addr,
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Write system control %08x\n", val);
+    trace_slavio_sysctrl_mem_writel(val);
     switch (addr) {
     case 0:
         if (val & SYS_RESET) {
@@ -367,7 +356,7 @@ static uint32_t slavio_led_mem_readw(void *opaque, target_phys_addr_t addr)
     default:
         break;
     }
-    MISC_DPRINTF("Read diagnostic LED %04x\n", ret);
+    trace_slavio_led_mem_readw(ret);
     return ret;
 }
 
@@ -376,7 +365,7 @@ static void slavio_led_mem_writew(void *opaque, target_phys_addr_t addr,
 {
     MiscState *s = opaque;
 
-    MISC_DPRINTF("Write diagnostic LED %04x\n", val & 0xffff);
+    trace_slavio_led_mem_readw(val & 0xffff);
     switch (addr) {
     case 0:
         s->leds = val;
diff --git a/hw/slavio_timer.c b/hw/slavio_timer.c
index c125de4..13f1e62 100644
--- a/hw/slavio_timer.c
+++ b/hw/slavio_timer.c
@@ -25,15 +25,7 @@
 #include "sun4m.h"
 #include "qemu-timer.h"
 #include "sysbus.h"
-
-//#define DEBUG_TIMER
-
-#ifdef DEBUG_TIMER
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("TIMER: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...) do {} while (0)
-#endif
+#include "trace.h"
 
 /*
  * Registers of hardware timer in sun4m.
@@ -112,8 +104,7 @@ static void slavio_timer_get_out(CPUTimerState *t)
     }
     count = limit - PERIODS_TO_LIMIT(ptimer_get_count(t->timer));
 
-    DPRINTF("get_out: limit %" PRIx64 " count %x%08x\n", t->limit, t->counthigh,
-            t->count);
+    trace_slavio_timer_get_out(t->limit, t->counthigh, t->count);
     t->count = count & TIMER_COUNT_MASK32;
     t->counthigh = count >> 32;
 }
@@ -126,7 +117,7 @@ static void slavio_timer_irq(void *opaque)
     CPUTimerState *t = &s->cputimer[tc->timer_index];
 
     slavio_timer_get_out(t);
-    DPRINTF("callback: count %x%08x\n", t->counthigh, t->count);
+    trace_slavio_timer_irq(t->counthigh, t->count);
     /* if limit is 0 (free-run), there will be no match */
     if (t->limit != 0) {
         t->reached = TIMER_REACHED;
@@ -188,12 +179,11 @@ static uint32_t slavio_timer_mem_readl(void *opaque, target_phys_addr_t addr)
         ret = s->cputimer_mode;
         break;
     default:
-        DPRINTF("invalid read address " TARGET_FMT_plx "\n", addr);
+        trace_slavio_timer_mem_readl_invalid(addr);
         ret = 0;
         break;
     }
-    DPRINTF("read " TARGET_FMT_plx " = %08x\n", addr, ret);
-
+    trace_slavio_timer_mem_readl(addr, ret);
     return ret;
 }
 
@@ -206,7 +196,7 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
     unsigned int timer_index = tc->timer_index;
     CPUTimerState *t = &s->cputimer[timer_index];
 
-    DPRINTF("write " TARGET_FMT_plx " %08x\n", addr, val);
+    trace_slavio_timer_mem_writel(addr, val);
     saddr = addr >> 2;
     switch (saddr) {
     case TIMER_LIMIT:
@@ -218,8 +208,7 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
             t->counthigh = val & (TIMER_MAX_COUNT64 >> 32);
             t->reached = 0;
             count = ((uint64_t)t->counthigh << 32) | t->count;
-            DPRINTF("processor %d user timer set to %016" PRIx64 "\n",
-                    timer_index, count);
+            trace_slavio_timer_mem_writel_limit(timer_index, count);
             ptimer_set_count(t->timer, LIMIT_TO_PERIODS(t->limit - count));
         } else {
             // set limit, reset counter
@@ -244,11 +233,11 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
             t->count = val & TIMER_MAX_COUNT64;
             t->reached = 0;
             count = ((uint64_t)t->counthigh) << 32 | t->count;
-            DPRINTF("processor %d user timer set to %016" PRIx64 "\n",
-                    timer_index, count);
+            trace_slavio_timer_mem_writel_limit(timer_index, count);
             ptimer_set_count(t->timer, LIMIT_TO_PERIODS(t->limit - count));
-        } else
-            DPRINTF("not user timer\n");
+        } else {
+            trace_slavio_timer_mem_writel_counter_invalid();
+        }
         break;
     case TIMER_COUNTER_NORST:
         // set limit without resetting counter
@@ -263,13 +252,11 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
         if (slavio_timer_is_user(tc)) {
             // start/stop user counter
             if ((val & 1) && !t->running) {
-                DPRINTF("processor %d user timer started\n",
-                        timer_index);
+                trace_slavio_timer_mem_writel_status_start(timer_index);
                 ptimer_run(t->timer, 0);
                 t->running = 1;
             } else if (!(val & 1) && t->running) {
-                DPRINTF("processor %d user timer stopped\n",
-                        timer_index);
+                trace_slavio_timer_mem_writel_status_stop(timer_index);
                 ptimer_stop(t->timer);
                 t->running = 0;
             }
@@ -298,8 +285,7 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
                         // set this processors user timer bit in config
                         // register
                         s->cputimer_mode |= processor;
-                        DPRINTF("processor %d changed from counter to user "
-                                "timer\n", timer_index);
+                        trace_slavio_timer_mem_writel_mode_user(timer_index);
                     } else { // user timer -> counter
                         // stop the user timer if it is running
                         if (curr_timer->running) {
@@ -311,17 +297,16 @@ static void slavio_timer_mem_writel(void *opaque, target_phys_addr_t addr,
                         // clear this processors user timer bit in config
                         // register
                         s->cputimer_mode &= ~processor;
-                        DPRINTF("processor %d changed from user timer to "
-                                "counter\n", timer_index);
+                        trace_slavio_timer_mem_writel_mode_counter(timer_index);
                     }
                 }
             }
         } else {
-            DPRINTF("not system timer\n");
+            trace_slavio_timer_mem_writel_mode_invalid();
         }
         break;
     default:
-        DPRINTF("invalid write address " TARGET_FMT_plx "\n", addr);
+        trace_slavio_timer_mem_writel_invalid(addr);
         break;
     }
 }
diff --git a/hw/sparc32_dma.c b/hw/sparc32_dma.c
index 984ffc3..0904188 100644
--- a/hw/sparc32_dma.c
+++ b/hw/sparc32_dma.c
@@ -29,9 +29,7 @@
 #include "sparc32_dma.h"
 #include "sun4m.h"
 #include "sysbus.h"
-
-/* debug DMA */
-//#define DEBUG_DMA
+#include "trace.h"
 
 /*
  * This is the DMA controller part of chip STP2000 (Master I/O), also
@@ -41,13 +39,6 @@
  * http://www.ibiblio.org/pub/historic-linux/early-ports/Sparc/NCR/DMA2.txt
  */
 
-#ifdef DEBUG_DMA
-#define DPRINTF(fmt, ...)                               \
-    do { printf("DMA: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
-
 #define DMA_REGS 4
 #define DMA_SIZE (4 * sizeof(uint32_t))
 /* We need the mask, because one instance of the device is not page
@@ -88,9 +79,8 @@ void ledma_memory_read(void *opaque, target_phys_addr_t addr,
     DMAState *s = opaque;
     int i;
 
-    DPRINTF("DMA write, direction: %c, addr 0x%8.8x\n",
-            s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
     addr |= s->dmaregs[3];
+    trace_ledma_memory_read(addr);
     if (do_bswap) {
         sparc_iommu_memory_read(s->iommu, addr, buf, len);
     } else {
@@ -110,9 +100,8 @@ void ledma_memory_write(void *opaque, target_phys_addr_t addr,
     int l, i;
     uint16_t tmp_buf[32];
 
-    DPRINTF("DMA read, direction: %c, addr 0x%8.8x\n",
-            s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
     addr |= s->dmaregs[3];
+    trace_ledma_memory_write(addr);
     if (do_bswap) {
         sparc_iommu_memory_write(s->iommu, addr, buf, len);
     } else {
@@ -139,14 +128,14 @@ static void dma_set_irq(void *opaque, int irq, int level)
     if (level) {
         s->dmaregs[0] |= DMA_INTR;
         if (s->dmaregs[0] & DMA_INTREN) {
-            DPRINTF("Raise IRQ\n");
+            trace_sparc32_dma_set_irq_raise();
             qemu_irq_raise(s->irq);
         }
     } else {
         if (s->dmaregs[0] & DMA_INTR) {
             s->dmaregs[0] &= ~DMA_INTR;
             if (s->dmaregs[0] & DMA_INTREN) {
-                DPRINTF("Lower IRQ\n");
+                trace_sparc32_dma_set_irq_lower();
                 qemu_irq_lower(s->irq);
             }
         }
@@ -157,8 +146,7 @@ void espdma_memory_read(void *opaque, uint8_t *buf, int len)
 {
     DMAState *s = opaque;
 
-    DPRINTF("DMA read, direction: %c, addr 0x%8.8x\n",
-            s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
+    trace_espdma_memory_read(s->dmaregs[1]);
     sparc_iommu_memory_read(s->iommu, s->dmaregs[1], buf, len);
     s->dmaregs[1] += len;
 }
@@ -167,8 +155,7 @@ void espdma_memory_write(void *opaque, uint8_t *buf, int len)
 {
     DMAState *s = opaque;
 
-    DPRINTF("DMA write, direction: %c, addr 0x%8.8x\n",
-            s->dmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', s->dmaregs[1]);
+    trace_espdma_memory_write(s->dmaregs[1]);
     sparc_iommu_memory_write(s->iommu, s->dmaregs[1], buf, len);
     s->dmaregs[1] += len;
 }
@@ -179,9 +166,7 @@ static uint32_t dma_mem_readl(void *opaque, target_phys_addr_t addr)
     uint32_t saddr;
 
     saddr = (addr & DMA_MASK) >> 2;
-    DPRINTF("read dmareg " TARGET_FMT_plx ": 0x%8.8x\n", addr,
-            s->dmaregs[saddr]);
-
+    trace_sparc32_dma_mem_readl(addr, s->dmaregs[saddr]);
     return s->dmaregs[saddr];
 }
 
@@ -191,18 +176,17 @@ static void dma_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
     uint32_t saddr;
 
     saddr = (addr & DMA_MASK) >> 2;
-    DPRINTF("write dmareg " TARGET_FMT_plx ": 0x%8.8x -> 0x%8.8x\n", addr,
-            s->dmaregs[saddr], val);
+    trace_sparc32_dma_mem_writel(addr, s->dmaregs[saddr], val);
     switch (saddr) {
     case 0:
         if (val & DMA_INTREN) {
             if (s->dmaregs[0] & DMA_INTR) {
-                DPRINTF("Raise IRQ\n");
+                trace_sparc32_dma_set_irq_raise();
                 qemu_irq_raise(s->irq);
             }
         } else {
             if (s->dmaregs[0] & (DMA_INTR | DMA_INTREN)) {
-                DPRINTF("Lower IRQ\n");
+                trace_sparc32_dma_set_irq_lower();
                 qemu_irq_lower(s->irq);
             }
         }
@@ -215,10 +199,10 @@ static void dma_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
             val = DMA_DRAIN_FIFO;
 
         if (val & DMA_EN && !(s->dmaregs[0] & DMA_EN)) {
-            DPRINTF("Raise DMA enable\n");
+            trace_sparc32_dma_enable_raise();
             qemu_irq_raise(s->gpio[GPIO_DMA]);
         } else if (!(val & DMA_EN) && !!(s->dmaregs[0] & DMA_EN)) {
-            DPRINTF("Lower DMA enable\n");
+            trace_sparc32_dma_enable_lower();
             qemu_irq_lower(s->gpio[GPIO_DMA]);
         }
 
diff --git a/hw/sun4m.c b/hw/sun4m.c
index 0392109..4795b3f 100644
--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -41,8 +41,7 @@
 #include "loader.h"
 #include "elf.h"
 #include "blockdev.h"
-
-//#define DEBUG_IRQ
+#include "trace.h"
 
 /*
  * Sun4m architecture was used in the following machines:
@@ -72,13 +71,6 @@
  * See for example: http://www.sunhelp.org/faq/sunref1.html
  */
 
-#ifdef DEBUG_IRQ
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("CPUIRQ: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
-
 #define KERNEL_LOAD_ADDR     0x00004000
 #define CMDLINE_ADDR         0x007ff000
 #define INITRD_LOAD_ADDR     0x00800000
@@ -248,14 +240,14 @@ void cpu_check_irqs(CPUState *env)
 
                 env->interrupt_index = TT_EXTINT | i;
                 if (old_interrupt != env->interrupt_index) {
-                    DPRINTF("Set CPU IRQ %d\n", i);
+                    trace_sun4m_cpu_interrupt(i);
                     cpu_interrupt(env, CPU_INTERRUPT_HARD);
                 }
                 break;
             }
         }
     } else if (!env->pil_in && (env->interrupt_index & ~15) == TT_EXTINT) {
-        DPRINTF("Reset CPU IRQ %d\n", env->interrupt_index & 15);
+        trace_sun4m_cpu_reset_interrupt(env->interrupt_index & 15);
         env->interrupt_index = 0;
         cpu_reset_interrupt(env, CPU_INTERRUPT_HARD);
     }
@@ -266,12 +258,12 @@ static void cpu_set_irq(void *opaque, int irq, int level)
     CPUState *env = opaque;
 
     if (level) {
-        DPRINTF("Raise CPU IRQ %d\n", irq);
+        trace_sun4m_cpu_set_irq_raise(irq);
         env->halted = 0;
         env->pil_in |= 1 << irq;
         cpu_check_irqs(env);
     } else {
-        DPRINTF("Lower CPU IRQ %d\n", irq);
+        trace_sun4m_cpu_set_irq_lower(irq);
         env->pil_in &= ~(1 << irq);
         cpu_check_irqs(env);
     }
diff --git a/hw/sun4m_iommu.c b/hw/sun4m_iommu.c
index 1dbe077..720ee3f 100644
--- a/hw/sun4m_iommu.c
+++ b/hw/sun4m_iommu.c
@@ -24,16 +24,7 @@
 
 #include "sun4m.h"
 #include "sysbus.h"
-
-/* debug iommu */
-//#define DEBUG_IOMMU
-
-#ifdef DEBUG_IOMMU
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("IOMMU: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
+#include "trace.h"
 
 /*
  * I/O MMU used by Sun4m systems
@@ -160,7 +151,7 @@ static uint32_t iommu_mem_readl(void *opaque, target_phys_addr_t addr)
         qemu_irq_lower(s->irq);
         break;
     }
-    DPRINTF("read reg[%d] = %x\n", (int)saddr, ret);
+    trace_sun4m_iommu_mem_readl(saddr, ret);
     return ret;
 }
 
@@ -171,7 +162,7 @@ static void iommu_mem_writel(void *opaque, target_phys_addr_t addr,
     target_phys_addr_t saddr;
 
     saddr = addr >> 2;
-    DPRINTF("write reg[%d] = %x\n", (int)saddr, val);
+    trace_sun4m_iommu_mem_writel(saddr, val);
     switch (saddr) {
     case IOMMU_CTRL:
         switch (val & IOMMU_CTRL_RNGE) {
@@ -201,18 +192,18 @@ static void iommu_mem_writel(void *opaque, target_phys_addr_t addr,
             s->iostart = 0xffffffff80000000ULL;
             break;
         }
-        DPRINTF("iostart = " TARGET_FMT_plx "\n", s->iostart);
+        trace_sun4m_iommu_mem_writel_ctrl(s->iostart);
         s->regs[saddr] = ((val & IOMMU_CTRL_MASK) | s->version);
         break;
     case IOMMU_BASE:
         s->regs[saddr] = val & IOMMU_BASE_MASK;
         break;
     case IOMMU_TLBFLUSH:
-        DPRINTF("tlb flush %x\n", val);
+        trace_sun4m_iommu_mem_writel_tlbflush(val);
         s->regs[saddr] = val & IOMMU_TLBFLUSH_MASK;
         break;
     case IOMMU_PGFLUSH:
-        DPRINTF("page flush %x\n", val);
+        trace_sun4m_iommu_mem_writel_pgflush(val);
         s->regs[saddr] = val & IOMMU_PGFLUSH_MASK;
         break;
     case IOMMU_AFAR:
@@ -262,18 +253,14 @@ static uint32_t iommu_page_get_flags(IOMMUState *s, target_phys_addr_t addr)
 {
     uint32_t ret;
     target_phys_addr_t iopte;
-#ifdef DEBUG_IOMMU
     target_phys_addr_t pa = addr;
-#endif
 
     iopte = s->regs[IOMMU_BASE] << 4;
     addr &= ~s->iostart;
     iopte += (addr >> (IOMMU_PAGE_SHIFT - 2)) & ~3;
     cpu_physical_memory_read(iopte, (uint8_t *)&ret, 4);
     tswap32s(&ret);
-    DPRINTF("get flags addr " TARGET_FMT_plx " => pte " TARGET_FMT_plx
-            ", *pte = %x\n", pa, iopte, ret);
-
+    trace_sun4m_iommu_page_get_flags(pa, iopte, ret);
     return ret;
 }
 
@@ -283,16 +270,14 @@ static target_phys_addr_t iommu_translate_pa(target_phys_addr_t addr,
     target_phys_addr_t pa;
 
     pa = ((pte & IOPTE_PAGE) << 4) + (addr & ~IOMMU_PAGE_MASK);
-    DPRINTF("xlate dva " TARGET_FMT_plx " => pa " TARGET_FMT_plx
-            " (iopte = %x)\n", addr, pa, pte);
-
+    trace_sun4m_iommu_translate_pa(addr, pa, pte);
     return pa;
 }
 
 static void iommu_bad_addr(IOMMUState *s, target_phys_addr_t addr,
                            int is_write)
 {
-    DPRINTF("bad addr " TARGET_FMT_plx "\n", addr);
+    trace_sun4m_iommu_bad_addr(addr);
     s->regs[IOMMU_AFSR] = IOMMU_AFSR_ERR | IOMMU_AFSR_LE | IOMMU_AFSR_RESV |
         IOMMU_AFSR_FAV;
     if (!is_write)
diff --git a/trace-events b/trace-events
index ed2055e..947f8b0 100644
--- a/trace-events
+++ b/trace-events
@@ -81,3 +81,111 @@ disable apic_mem_writel(uint64_t addr, uint32_t val) "%"PRIx64" = %08x"
 disable apic_reset_irq_delivered(int apic_irq_delivered) "old coalescing %d"
 disable apic_get_irq_delivered(int apic_irq_delivered) "returning coalescing %d"
 disable apic_set_irq(int apic_irq_delivered) "coalescing %d"
+
+# hw/cs4231.c
+disable cs4231_mem_readl_dreg(uint32_t reg, uint32_t ret) "read dreg %d: 0x%02x"
+disable cs4231_mem_readl_reg(uint32_t reg, uint32_t ret) "read reg %d: 0x%08x"
+disable cs4231_mem_writel_reg(uint32_t reg, uint32_t old, uint32_t val) "write reg %d: 0x%08x -> 0x%08x"
+disable cs4231_mem_writel_dreg(uint32_t reg, uint32_t old, uint32_t val) "write dreg %d: 0x%02x -> 0x%02x"
+
+# hw/eccmemctl.c
+disable ecc_mem_writel_mer(uint32_t val) "Write memory enable %08x"
+disable ecc_mem_writel_mdr(uint32_t val) "Write memory delay %08x"
+disable ecc_mem_writel_mfsr(uint32_t val) "Write memory fault status %08x"
+disable ecc_mem_writel_vcr(uint32_t val) "Write slot configuration %08x"
+disable ecc_mem_writel_dr(uint32_t val) "Write diagnostic %08x"
+disable ecc_mem_writel_ecr0(uint32_t val) "Write event count 1 %08x"
+disable ecc_mem_writel_ecr1(uint32_t val) "Write event count 2 %08x"
+disable ecc_mem_readl_mer(uint32_t ret) "Read memory enable %08x"
+disable ecc_mem_readl_mdr(uint32_t ret) "Read memory delay %08x"
+disable ecc_mem_readl_mfsr(uint32_t ret) "Read memory fault status %08x"
+disable ecc_mem_readl_vcr(uint32_t ret) "Read slot configuration %08x"
+disable ecc_mem_readl_mfar0(uint32_t ret) "Read memory fault address 0 %08x"
+disable ecc_mem_readl_mfar1(uint32_t ret) "Read memory fault address 1 %08x"
+disable ecc_mem_readl_dr(uint32_t ret) "Read diagnostic %08x"
+disable ecc_mem_readl_ecr0(uint32_t ret) "Read event count 1 %08x"
+disable ecc_mem_readl_ecr1(uint32_t ret) "Read event count 2 %08x"
+disable ecc_diag_mem_writeb(uint64_t addr, uint32_t val) "Write diagnostic %"PRId64" = %02x"
+disable ecc_diag_mem_readb(uint64_t addr, uint32_t ret) "Read diagnostic %"PRId64"= %02x"
+
+# hw/lance.c
+disable lance_mem_readw(uint64_t addr, uint32_t ret) "addr=%"PRIx64"val=0x%04x"
+disable lance_mem_writew(uint64_t addr, uint32_t val) "addr=%"PRIx64"val=0x%04x"
+
+# hw/slavio_intctl.c
+disable slavio_intctl_mem_readl(uint32_t cpu, uint64_t addr, uint32_t ret) "read cpu %d reg 0x%"PRIx64" = %x"
+disable slavio_intctl_mem_writel(uint32_t cpu, uint64_t addr, uint32_t val) "write cpu %d reg 0x%"PRIx64" = %x"
+disable slavio_intctl_mem_writel_clear(uint32_t cpu, uint32_t val, uint32_t intreg_pending) "Cleared cpu %d irq mask %x, curmask %x"
+disable slavio_intctl_mem_writel_set(uint32_t cpu, uint32_t val, uint32_t intreg_pending) "Set cpu %d irq mask %x, curmask %x"
+disable slavio_intctlm_mem_readl(uint64_t addr, uint32_t ret) "read system reg 0x%"PRIx64" = %x"
+disable slavio_intctlm_mem_writel(uint64_t addr, uint32_t val) "write system reg 0x%"PRIx64" = %x"
+disable slavio_intctlm_mem_writel_enable(uint32_t val, uint32_t intregm_disabled) "Enabled master irq mask %x, curmask %x"
+disable slavio_intctlm_mem_writel_disable(uint32_t val, uint32_t intregm_disabled) "Disabled master irq mask %x, curmask %x"
+disable slavio_intctlm_mem_writel_target(uint32_t cpu) "Set master irq cpu %d"
+disable slavio_check_interrupts(uint32_t pending, uint32_t intregm_disabled) "pending %x disabled %x"
+disable slavio_set_irq(uint32_t target_cpu, int irq, uint32_t pil, int level) "Set cpu %d irq %d -> pil %d level %d"
+disable slavio_set_timer_irq_cpu(int cpu, int level) "Set cpu %d local timer level %d"
+
+# hw/slavio_misc.c
+disable slavio_misc_update_irq_raise(void) "Raise IRQ"
+disable slavio_misc_update_irq_lower(void) "Lower IRQ"
+disable slavio_set_power_fail(int power_failing, uint8_t config) "Power fail: %d, config: %d"
+disable slavio_cfg_mem_writeb(uint32_t val) "Write config %02x"
+disable slavio_cfg_mem_readb(uint32_t ret) "Read config %02x"
+disable slavio_diag_mem_writeb(uint32_t val) "Write diag %02x"
+disable slavio_diag_mem_readb(uint32_t ret) "Read diag %02x"
+disable slavio_mdm_mem_writeb(uint32_t val) "Write modem control %02x"
+disable slavio_mdm_mem_readb(uint32_t ret) "Read modem control %02x"
+disable slavio_aux1_mem_writeb(uint32_t val) "Write aux1 %02x"
+disable slavio_aux1_mem_readb(uint32_t ret) "Read aux1 %02x"
+disable slavio_aux2_mem_writeb(uint32_t val) "Write aux2 %02x"
+disable slavio_aux2_mem_readb(uint32_t ret) "Read aux2 %02x"
+disable apc_mem_writeb(uint32_t val) "Write power management %02x"
+disable apc_mem_readb(uint32_t ret) "Read power management %02x"
+disable slavio_sysctrl_mem_writel(uint32_t val) "Write system control %08x"
+disable slavio_sysctrl_mem_readl(uint32_t ret) "Read system control %08x"
+disable slavio_led_mem_writew(uint32_t val) "Write diagnostic LED %04x"
+disable slavio_led_mem_readw(uint32_t ret) "Read diagnostic LED %04x"
+
+# hw/slavio_timer.c
+disable slavio_timer_get_out(uint64_t limit, uint32_t counthigh, uint32_t count) "limit %"PRIx64" count %x%08x"
+disable slavio_timer_irq(uint32_t counthigh, uint32_t count) "callback: count %x%08x"
+disable slavio_timer_mem_readl_invalid(uint64_t addr) "invalid read address %"PRIx64""
+disable slavio_timer_mem_readl(uint64_t addr, uint32_t ret) "read %"PRIx64" = %08x"
+disable slavio_timer_mem_writel(uint64_t addr, uint32_t val) "write %"PRIx64" = %08x"
+disable slavio_timer_mem_writel_limit(unsigned int timer_index, uint64_t count) "processor %d user timer set to %016"PRIx64""
+disable slavio_timer_mem_writel_counter_invalid(void) "not user timer"
+disable slavio_timer_mem_writel_status_start(unsigned int timer_index) "processor %d user timer started"
+disable slavio_timer_mem_writel_status_stop(unsigned int timer_index) "processor %d user timer stopped"
+disable slavio_timer_mem_writel_mode_user(unsigned int timer_index) "processor %d changed from counter to user timer"
+disable slavio_timer_mem_writel_mode_counter(unsigned int timer_index) "processor %d changed from user timer to counter"
+disable slavio_timer_mem_writel_mode_invalid(void) "not system timer"
+disable slavio_timer_mem_writel_invalid(uint64_t addr) "invalid write address %"PRIx64""
+
+# hw/sparc32_dma.c
+disable ledma_memory_read(uint64_t addr) "DMA read addr 0x%"PRIx64""
+disable ledma_memory_write(uint64_t addr) "DMA write addr 0x%"PRIx64""
+disable sparc32_dma_set_irq_raise(void) "Raise IRQ"
+disable sparc32_dma_set_irq_lower(void) "Lower IRQ"
+disable espdma_memory_read(uint32_t addr) "DMA read addr 0x%08x"
+disable espdma_memory_write(uint32_t addr) "DMA write addr 0x%08x"
+disable sparc32_dma_mem_readl(uint64_t addr, uint32_t ret) "read dmareg %"PRIx64": 0x%08x"
+disable sparc32_dma_mem_writel(uint64_t addr, uint32_t old, uint32_t val) "write dmareg %"PRIx64": 0x%08x -> 0x%08x"
+disable sparc32_dma_enable_raise(void) "Raise DMA enable"
+disable sparc32_dma_enable_lower(void) "Lower DMA enable"
+
+# hw/sun4m.c
+disable sun4m_cpu_interrupt(unsigned int level) "Set CPU IRQ %d"
+disable sun4m_cpu_reset_interrupt(unsigned int level) "Reset CPU IRQ %d"
+disable sun4m_cpu_set_irq_raise(int level) "Raise CPU IRQ %d"
+disable sun4m_cpu_set_irq_lower(int level) "Lower CPU IRQ %d"
+
+# hw/sun4m_iommu.c
+disable sun4m_iommu_mem_readl(uint64_t addr, uint32_t ret) "read reg[%"PRIx64"] = %x"
+disable sun4m_iommu_mem_writel(uint64_t addr, uint32_t val) "write reg[%"PRIx64"] = %x"
+disable sun4m_iommu_mem_writel_ctrl(uint64_t iostart) "iostart = %"PRIx64""
+disable sun4m_iommu_mem_writel_tlbflush(uint32_t val) "tlb flush %x"
+disable sun4m_iommu_mem_writel_pgflush(uint32_t val) "page flush %x"
+disable sun4m_iommu_page_get_flags(uint64_t pa, uint64_t iopte, uint32_t ret) "get flags addr %"PRIx64" => pte %"PRIx64", *pte = %x"
+disable sun4m_iommu_translate_pa(uint64_t addr, uint64_t pa, uint32_t iopte) "xlate dva %"PRIx64" => pa %"PRIx64" iopte = %x"
+disable sun4m_iommu_bad_addr(uint64_t addr) "bad addr %"PRIx64""
commit b45e9c05dbacba8e992f0bffeca04c6379c3ad45
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:27 2010 +0200

    Remove unncessary includes
    
    No need to include stdlib.h for BSD as it is included by
    qemu-common.h, windows.h is handled by sysemu.h and osdep.c no longer
    needs malloc.h
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/osdep.c b/osdep.c
index 0d48561..327583b 100644
--- a/osdep.c
+++ b/osdep.c
@@ -44,14 +44,6 @@
 extern int madvise(caddr_t, size_t, int);
 #endif
 
-#ifdef _WIN32
-#include <windows.h>
-#elif defined(CONFIG_BSD)
-#include <stdlib.h>
-#else
-#include <malloc.h>
-#endif
-
 #include "qemu-common.h"
 #include "trace.h"
 #include "sysemu.h"
commit b152aa84d52882bb1846485a89baf13aa07c86bc
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:26 2010 +0200

    Consolidate oom_check() functions
    
    This consolidates the duplicated oom_check() functions, as well as
    splitting them into OS dependant versions to avoid the #ifdef
    grossness that was present in the old osdep.c version.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.target b/Makefile.target
index c48cbcc..91e6e74 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -88,7 +88,7 @@ $(call set-vpath, $(SRC_PATH)/linux-user:$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR
 QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user -I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR)
 obj-y = main.o syscall.o strace.o mmap.o signal.o thunk.o \
       elfload.o linuxload.o uaccess.o gdbstub.o cpu-uname.o \
-      qemu-malloc.o
+      qemu-malloc.o $(oslib-obj-y)
 
 obj-$(TARGET_HAS_BFLT) += flatload.o
 
diff --git a/oslib-posix.c b/oslib-posix.c
index ad44b17..6e9b0c3 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -31,8 +31,7 @@
 #include "trace.h"
 #include "qemu_socket.h"
 
-#if !defined(_POSIX_C_SOURCE) || defined(__sun__)
-static void *oom_check(void *ptr)
+void *qemu_oom_check(void *ptr)
 {
     if (ptr == NULL) {
         fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
@@ -40,7 +39,6 @@ static void *oom_check(void *ptr)
     }
     return ptr;
 }
-#endif
 
 void *qemu_memalign(size_t alignment, size_t size)
 {
@@ -54,9 +52,9 @@ void *qemu_memalign(size_t alignment, size_t size)
         abort();
     }
 #elif defined(CONFIG_BSD)
-    ptr = oom_check(valloc(size));
+    ptr = qemu_oom_check(valloc(size));
 #else
-    ptr = oom_check(memalign(alignment, size));
+    ptr = qemu_oom_check(memalign(alignment, size));
 #endif
     trace_qemu_memalign(alignment, size, ptr);
     return ptr;
diff --git a/oslib-win32.c b/oslib-win32.c
index e03c472..ab29eae 100644
--- a/oslib-win32.c
+++ b/oslib-win32.c
@@ -31,7 +31,7 @@
 #include "trace.h"
 #include "qemu_socket.h"
 
-static void *oom_check(void *ptr)
+void *qemu_oom_check(void *ptr)
 {
     if (ptr == NULL) {
         fprintf(stderr, "Failed to allocate memory: %lu\n", GetLastError());
@@ -47,7 +47,7 @@ void *qemu_memalign(size_t alignment, size_t size)
     if (!size) {
         abort();
     }
-    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    ptr = qemu_oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
     trace_qemu_memalign(alignment, size, ptr);
     return ptr;
 }
@@ -62,7 +62,7 @@ void *qemu_vmalloc(size_t size)
     if (!size) {
         abort();
     }
-    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    ptr = qemu_oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
     trace_qemu_vmalloc(size, ptr);
     return ptr;
 }
diff --git a/qemu-common.h b/qemu-common.h
index 5555226..5a18ca5 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -175,6 +175,7 @@ const char *path(const char *pathname);
 int ffs(int i);
 #endif
 
+void *qemu_oom_check(void *ptr);
 void *qemu_malloc(size_t size);
 void *qemu_realloc(void *ptr, size_t size);
 void *qemu_mallocz(size_t size);
diff --git a/qemu-malloc.c b/qemu-malloc.c
index ecffb67..28fb05a 100644
--- a/qemu-malloc.c
+++ b/qemu-malloc.c
@@ -25,14 +25,6 @@
 #include "trace.h"
 #include <stdlib.h>
 
-static void *oom_check(void *ptr)
-{
-    if (ptr == NULL) {
-        abort();
-    }
-    return ptr;
-}
-
 void qemu_free(void *ptr)
 {
     trace_qemu_free(ptr);
@@ -54,7 +46,7 @@ void *qemu_malloc(size_t size)
     if (!size && !allow_zero_malloc()) {
         abort();
     }
-    ptr = oom_check(malloc(size ? size : 1));
+    ptr = qemu_oom_check(malloc(size ? size : 1));
     trace_qemu_malloc(size, ptr);
     return ptr;
 }
@@ -65,7 +57,7 @@ void *qemu_realloc(void *ptr, size_t size)
     if (!size && !allow_zero_malloc()) {
         abort();
     }
-    newptr = oom_check(realloc(ptr, size ? size : 1));
+    newptr = qemu_oom_check(realloc(ptr, size ? size : 1));
     trace_qemu_realloc(ptr, size, newptr);
     return newptr;
 }
@@ -75,7 +67,7 @@ void *qemu_mallocz(size_t size)
     if (!size && !allow_zero_malloc()) {
         abort();
     }
-    return oom_check(calloc(1, size ? size : 1));
+    return qemu_oom_check(calloc(1, size ? size : 1));
 }
 
 char *qemu_strdup(const char *str)
commit bc4a957c46acd8f4b2f2ffe6b2f90512325924dd
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:25 2010 +0200

    Separate qemu_pidfile() into OS specific versions
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/os-posix.c b/os-posix.c
index 612b641..38c29d1 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -361,3 +361,24 @@ int qemu_eventfd(int fds[2])
 
     return qemu_pipe(fds);
 }
+
+int qemu_create_pidfile(const char *filename)
+{
+    char buffer[128];
+    int len;
+    int fd;
+
+    fd = qemu_open(filename, O_RDWR | O_CREAT, 0600);
+    if (fd == -1) {
+        return -1;
+    }
+    if (lockf(fd, F_TLOCK, 0) == -1) {
+        return -1;
+    }
+    len = snprintf(buffer, sizeof(buffer), "%ld\n", (long)getpid());
+    if (write(fd, buffer, len) != len) {
+        return -1;
+    }
+
+    return 0;
+}
diff --git a/os-win32.c b/os-win32.c
index 3c6f50f..566d5e9 100644
--- a/os-win32.c
+++ b/os-win32.c
@@ -240,3 +240,27 @@ void os_pidfile_error(void)
 {
     fprintf(stderr, "Could not acquire pid file: %s\n", strerror(errno));
 }
+
+int qemu_create_pidfile(const char *filename)
+{
+    char buffer[128];
+    int len;
+    HANDLE file;
+    OVERLAPPED overlap;
+    BOOL ret;
+    memset(&overlap, 0, sizeof(overlap));
+
+    file = CreateFile(filename, GENERIC_WRITE, FILE_SHARE_READ, NULL,
+		      OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+
+    if (file == INVALID_HANDLE_VALUE) {
+        return -1;
+    }
+    len = snprintf(buffer, sizeof(buffer), "%ld\n", (long)getpid());
+    ret = WriteFileEx(file, (LPCVOID)buffer, (DWORD)len,
+		      &overlap, NULL);
+    if (ret == 0) {
+        return -1;
+    }
+    return 0;
+}
diff --git a/osdep.c b/osdep.c
index b1664ac..0d48561 100644
--- a/osdep.c
+++ b/osdep.c
@@ -73,44 +73,6 @@ int qemu_madvise(void *addr, size_t len, int advice)
 #endif
 }
 
-int qemu_create_pidfile(const char *filename)
-{
-    char buffer[128];
-    int len;
-#ifndef _WIN32
-    int fd;
-
-    fd = qemu_open(filename, O_RDWR | O_CREAT, 0600);
-    if (fd == -1)
-        return -1;
-
-    if (lockf(fd, F_TLOCK, 0) == -1)
-        return -1;
-
-    len = snprintf(buffer, sizeof(buffer), "%ld\n", (long)getpid());
-    if (write(fd, buffer, len) != len)
-        return -1;
-#else
-    HANDLE file;
-    OVERLAPPED overlap;
-    BOOL ret;
-    memset(&overlap, 0, sizeof(overlap));
-
-    file = CreateFile(filename, GENERIC_WRITE, FILE_SHARE_READ, NULL,
-		      OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
-
-    if (file == INVALID_HANDLE_VALUE)
-      return -1;
-
-    len = snprintf(buffer, sizeof(buffer), "%ld\n", (long)getpid());
-    ret = WriteFileEx(file, (LPCVOID)buffer, (DWORD)len,
-		      &overlap, NULL);
-    if (ret == 0)
-      return -1;
-#endif
-    return 0;
-}
-
 
 /*
  * Opens a file with FD_CLOEXEC set
commit ff753bb9a60780e7af93288ac55bf1277a30cff7
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:24 2010 +0200

    Do not redefine reserved key-words TRUE/FALSE
    
    TRUE/FALSE are generally reserved keywords and shouldn't be defined in
    a driver like this. Rename the macros to SDP_TRUE and SDP_FALSE
    respectively.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/bt-sdp.c b/hw/bt-sdp.c
index cc0bf2f..cdf2d95 100644
--- a/hw/bt-sdp.c
+++ b/hw/bt-sdp.c
@@ -786,11 +786,11 @@ static void sdp_service_db_build(struct bt_l2cap_sdp_state_s *sdp,
         .type       = SDP_DTYPE_UUID | SDP_DSIZE_16,	\
         .value.uint = val,				\
     },
-#define TRUE	{				\
+#define SDP_TRUE	{				\
         .type       = SDP_DTYPE_BOOL | SDP_DSIZE_1,	\
         .value.uint = 1,				\
     },
-#define FALSE	{				\
+#define SDP_FALSE	{				\
         .type       = SDP_DTYPE_BOOL | SDP_DSIZE_1,	\
         .value.uint = 0,				\
     },
@@ -842,8 +842,8 @@ SERVICE(hid,
     /* TODO: extract from l2cap_device->device.class[0] */
     ATTRIBUTE(DEVICE_SUBCLASS,		UINT8(0x40))
     ATTRIBUTE(COUNTRY_CODE,		UINT8(0x15))
-    ATTRIBUTE(VIRTUAL_CABLE,		TRUE)
-    ATTRIBUTE(RECONNECT_INITIATE,	FALSE)
+    ATTRIBUTE(VIRTUAL_CABLE,		SDP_TRUE)
+    ATTRIBUTE(RECONNECT_INITIATE,	SDP_FALSE)
     /* TODO: extract from hid->usbdev->report_desc */
     ATTRIBUTE(DESCRIPTOR_LIST,		LIST(
         LIST(UINT8(0x22) ARRAY(
@@ -883,12 +883,12 @@ SERVICE(hid,
     ATTRIBUTE(LANG_ID_BASE_LIST,	LIST(
         LIST(UINT16(0x0409) UINT16(0x0100))
     ))
-    ATTRIBUTE(SDP_DISABLE,		FALSE)
-    ATTRIBUTE(BATTERY_POWER,		TRUE)
-    ATTRIBUTE(REMOTE_WAKEUP,		TRUE)
-    ATTRIBUTE(BOOT_DEVICE,		TRUE)	/* XXX: untested */
+    ATTRIBUTE(SDP_DISABLE,		SDP_FALSE)
+    ATTRIBUTE(BATTERY_POWER,		SDP_TRUE)
+    ATTRIBUTE(REMOTE_WAKEUP,		SDP_TRUE)
+    ATTRIBUTE(BOOT_DEVICE,		SDP_TRUE)	/* XXX: untested */
     ATTRIBUTE(SUPERVISION_TIMEOUT,	UINT16(0x0c80))
-    ATTRIBUTE(NORMALLY_CONNECTABLE,	TRUE)
+    ATTRIBUTE(NORMALLY_CONNECTABLE,	SDP_TRUE)
     ATTRIBUTE(PROFILE_VERSION,		UINT16(0x0100))
 )
 
@@ -936,7 +936,7 @@ SERVICE(pnp,
     /* Profile specific */
     ATTRIBUTE(SPECIFICATION_ID, UINT16(0x0100))
     ATTRIBUTE(VERSION,         UINT16(0x0100))
-    ATTRIBUTE(PRIMARY_RECORD,  TRUE)
+    ATTRIBUTE(PRIMARY_RECORD,  SDP_TRUE)
 )
 
 static int bt_l2cap_sdp_new_ch(struct bt_l2cap_device_s *dev,
commit dc786bc9103801fac5b90511b0761255b4eab622
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:23 2010 +0200

    Move qemu_gettimeofday() to OS specific files
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/m68k-semi.c b/m68k-semi.c
index d16bc67..0371089 100644
--- a/m68k-semi.c
+++ b/m68k-semi.c
@@ -33,10 +33,10 @@
 #define SEMIHOSTING_HEAP_SIZE (128 * 1024 * 1024)
 #else
 #include "qemu-common.h"
-#include "sysemu.h"
 #include "gdbstub.h"
 #include "softmmu-semi.h"
 #endif
+#include "sysemu.h"
 
 #define HOSTED_EXIT  0
 #define HOSTED_INIT_SIM 1
diff --git a/osdep.c b/osdep.c
index cb12e5f..b1664ac 100644
--- a/osdep.c
+++ b/osdep.c
@@ -111,37 +111,6 @@ int qemu_create_pidfile(const char *filename)
     return 0;
 }
 
-#ifdef _WIN32
-
-/* mingw32 needs ffs for compilations without optimization. */
-int ffs(int i)
-{
-    /* Use gcc's builtin ffs. */
-    return __builtin_ffs(i);
-}
-
-/* Offset between 1/1/1601 and 1/1/1970 in 100 nanosec units */
-#define _W32_FT_OFFSET (116444736000000000ULL)
-
-int qemu_gettimeofday(qemu_timeval *tp)
-{
-  union {
-    unsigned long long ns100; /*time since 1 Jan 1601 in 100ns units */
-    FILETIME ft;
-  }  _now;
-
-  if(tp)
-    {
-      GetSystemTimeAsFileTime (&_now.ft);
-      tp->tv_usec=(long)((_now.ns100 / 10ULL) % 1000000ULL );
-      tp->tv_sec= (long)((_now.ns100 - _W32_FT_OFFSET) / 10000000ULL);
-    }
-  /* Always return 0 as per Open Group Base Specifications Issue 6.
-     Do not set errno on error.  */
-  return 0;
-}
-#endif /* _WIN32 */
-
 
 /*
  * Opens a file with FD_CLOEXEC set
diff --git a/osdep.h b/osdep.h
index 6716281..8bd30d7 100644
--- a/osdep.h
+++ b/osdep.h
@@ -127,19 +127,4 @@ int qemu_madvise(void *addr, size_t len, int advice);
 
 int qemu_create_pidfile(const char *filename);
 
-#ifdef _WIN32
-int ffs(int i);
-
-int setenv(const char *name, const char *value, int overwrite);
-
-typedef struct {
-    long tv_sec;
-    long tv_usec;
-} qemu_timeval;
-int qemu_gettimeofday(qemu_timeval *tp);
-#else
-typedef struct timeval qemu_timeval;
-#define qemu_gettimeofday(tp) gettimeofday(tp, NULL);
-#endif /* !_WIN32 */
-
 #endif
diff --git a/oslib-win32.c b/oslib-win32.c
index 1ddd857..e03c472 100644
--- a/oslib-win32.c
+++ b/oslib-win32.c
@@ -92,3 +92,30 @@ int inet_aton(const char *cp, struct in_addr *ia)
 void qemu_set_cloexec(int fd)
 {
 }
+
+/* mingw32 needs ffs for compilations without optimization. */
+int ffs(int i)
+{
+    /* Use gcc's builtin ffs. */
+    return __builtin_ffs(i);
+}
+
+/* Offset between 1/1/1601 and 1/1/1970 in 100 nanosec units */
+#define _W32_FT_OFFSET (116444736000000000ULL)
+
+int qemu_gettimeofday(qemu_timeval *tp)
+{
+  union {
+    unsigned long long ns100; /*time since 1 Jan 1601 in 100ns units */
+    FILETIME ft;
+  }  _now;
+
+  if(tp) {
+      GetSystemTimeAsFileTime (&_now.ft);
+      tp->tv_usec=(long)((_now.ns100 / 10ULL) % 1000000ULL );
+      tp->tv_sec= (long)((_now.ns100 - _W32_FT_OFFSET) / 10000000ULL);
+  }
+  /* Always return 0 as per Open Group Base Specifications Issue 6.
+     Do not set errno on error.  */
+  return 0;
+}
diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index 7b862b5..fa5494d 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -24,6 +24,7 @@
 
 #include "qemu-queue.h"
 #include "osdep.h"
+#include "sysemu.h"
 #include "qemu-common.h"
 #include "trace.h"
 #include "block_int.h"
diff --git a/qemu-common.h b/qemu-common.h
index 3496e4f..5555226 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -170,6 +170,11 @@ const char *path(const char *pathname);
 #define qemu_isascii(c)		isascii((unsigned char)(c))
 #define qemu_toascii(c)		toascii((unsigned char)(c))
 
+#ifdef _WIN32
+/* ffs() in oslib-win32.c for WIN32, strings.h for the rest of the world */
+int ffs(int i);
+#endif
+
 void *qemu_malloc(size_t size);
 void *qemu_realloc(void *ptr, size_t size);
 void *qemu_mallocz(size_t size);
diff --git a/qemu-img.c b/qemu-img.c
index 2864cb8..fa77ac0 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -24,6 +24,7 @@
 #include "qemu-common.h"
 #include "qemu-option.h"
 #include "osdep.h"
+#include "sysemu.h"
 #include "block_int.h"
 #include <stdio.h>
 
diff --git a/qemu-os-posix.h b/qemu-os-posix.h
index ed5c058..353f878 100644
--- a/qemu-os-posix.h
+++ b/qemu-os-posix.h
@@ -36,4 +36,7 @@ void os_setup_signal_handling(void);
 void os_daemonize(void);
 void os_setup_post(void);
 
+typedef struct timeval qemu_timeval;
+#define qemu_gettimeofday(tp) gettimeofday(tp, NULL)
+
 #endif
diff --git a/qemu-os-win32.h b/qemu-os-win32.h
index c63778d..1a07e5e 100644
--- a/qemu-os-win32.h
+++ b/qemu-os-win32.h
@@ -52,4 +52,12 @@ static inline void os_set_proc_name(const char *dummy) {}
 # define EPROTONOSUPPORT EINVAL
 #endif
 
+int setenv(const char *name, const char *value, int overwrite);
+
+typedef struct {
+    long tv_sec;
+    long tv_usec;
+} qemu_timeval;
+int qemu_gettimeofday(qemu_timeval *tp);
+
 #endif
diff --git a/qemu-tool.c b/qemu-tool.c
index 9ccca65..392e1c9 100644
--- a/qemu-tool.c
+++ b/qemu-tool.c
@@ -15,6 +15,7 @@
 #include "monitor.h"
 #include "qemu-timer.h"
 #include "qemu-log.h"
+#include "sysemu.h"
 
 #include <sys/time.h>
 
commit 949d31e665e9847b2a8f24a916abd96e79353535
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:22 2010 +0200

    We only support eventfd under POSIX, move qemu_eventfd() to os-posix.c
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/os-posix.c b/os-posix.c
index 6321e99..612b641 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -43,6 +43,10 @@
 #include <sys/prctl.h>
 #endif
 
+#ifdef CONFIG_EVENTFD
+#include <sys/eventfd.h>
+#endif
+
 static struct passwd *user_pwd;
 static const char *chroot_dir;
 static int daemonize;
@@ -329,3 +333,31 @@ void os_set_line_buffering(void)
 {
     setvbuf(stdout, NULL, _IOLBF, 0);
 }
+
+/*
+ * Creates an eventfd that looks like a pipe and has EFD_CLOEXEC set.
+ */
+int qemu_eventfd(int fds[2])
+{
+#ifdef CONFIG_EVENTFD
+    int ret;
+
+    ret = eventfd(0, 0);
+    if (ret >= 0) {
+        fds[0] = ret;
+        qemu_set_cloexec(ret);
+        if ((fds[1] = dup(ret)) == -1) {
+            close(ret);
+            return -1;
+        }
+        qemu_set_cloexec(fds[1]);
+        return 0;
+    }
+
+    if (errno != ENOSYS) {
+        return -1;
+    }
+#endif
+
+    return qemu_pipe(fds);
+}
diff --git a/osdep.c b/osdep.c
index 926c8ad..cb12e5f 100644
--- a/osdep.c
+++ b/osdep.c
@@ -44,10 +44,6 @@
 extern int madvise(caddr_t, size_t, int);
 #endif
 
-#ifdef CONFIG_EVENTFD
-#include <sys/eventfd.h>
-#endif
-
 #ifdef _WIN32
 #include <windows.h>
 #elif defined(CONFIG_BSD)
@@ -207,36 +203,6 @@ ssize_t qemu_write_full(int fd, const void *buf, size_t count)
     return total;
 }
 
-#ifndef _WIN32
-/*
- * Creates an eventfd that looks like a pipe and has EFD_CLOEXEC set.
- */
-int qemu_eventfd(int fds[2])
-{
-#ifdef CONFIG_EVENTFD
-    int ret;
-
-    ret = eventfd(0, 0);
-    if (ret >= 0) {
-        fds[0] = ret;
-        qemu_set_cloexec(ret);
-        if ((fds[1] = dup(ret)) == -1) {
-            close(ret);
-            return -1;
-        }
-        qemu_set_cloexec(fds[1]);
-        return 0;
-    }
-
-    if (errno != ENOSYS) {
-        return -1;
-    }
-#endif
-
-    return qemu_pipe(fds);
-}
-#endif
-
 /*
  * Opens a socket with FD_CLOEXEC set
  */
commit 70e72ce45e1f06415b5ec28439c2a87a72e5aad3
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:21 2010 +0200

    qemu_pipe() is used only by POSIX code, so move to oslib-posix.c
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/osdep.c b/osdep.c
index 902fce9..926c8ad 100644
--- a/osdep.c
+++ b/osdep.c
@@ -235,28 +235,6 @@ int qemu_eventfd(int fds[2])
 
     return qemu_pipe(fds);
 }
-
-/*
- * Creates a pipe with FD_CLOEXEC set on both file descriptors
- */
-int qemu_pipe(int pipefd[2])
-{
-    int ret;
-
-#ifdef CONFIG_PIPE2
-    ret = pipe2(pipefd, O_CLOEXEC);
-    if (ret != -1 || errno != ENOSYS) {
-        return ret;
-    }
-#endif
-    ret = pipe(pipefd);
-    if (ret == 0) {
-        qemu_set_cloexec(pipefd[0]);
-        qemu_set_cloexec(pipefd[1]);
-    }
-
-    return ret;
-}
 #endif
 
 /*
diff --git a/oslib-posix.c b/oslib-posix.c
index aebe3ac..ad44b17 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -87,3 +87,25 @@ void qemu_set_cloexec(int fd)
     f = fcntl(fd, F_GETFD);
     fcntl(fd, F_SETFD, f | FD_CLOEXEC);
 }
+
+/*
+ * Creates a pipe with FD_CLOEXEC set on both file descriptors
+ */
+int qemu_pipe(int pipefd[2])
+{
+    int ret;
+
+#ifdef CONFIG_PIPE2
+    ret = pipe2(pipefd, O_CLOEXEC);
+    if (ret != -1 || errno != ENOSYS) {
+        return ret;
+    }
+#endif
+    ret = pipe(pipefd);
+    if (ret == 0) {
+        qemu_set_cloexec(pipefd[0]);
+        qemu_set_cloexec(pipefd[1]);
+    }
+
+    return ret;
+}
commit c1b0b93b06ab026ef45ae02d0ee7557741910637
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:19 2010 +0200

    Move QEMU OS dependant library functions to OS specific files
    
    This moves library functions used by both QEMU and the QEMU tools,
    such as qemu-img, qemu-nbd etc. from osdep.c to oslib-{posix,win32}.c
    
    In addition it introduces oslib-obj.y to the Makefile set to be
    included by the various targets, instead of relying on these library
    functions magically getting included via block-obj-y.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index 3df202c..071baa3 100644
--- a/Makefile
+++ b/Makefile
@@ -129,11 +129,11 @@ version-obj-$(CONFIG_WIN32) += version.o
 qemu-img.o: qemu-img-cmds.h
 qemu-img.o qemu-tool.o qemu-nbd.o qemu-io.o: $(GENERATED_HEADERS)
 
-qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
+qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(oslib-obj-y) $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
-qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
+qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(oslib-obj-y) $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
-qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
+qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(oslib-obj-y) $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
 qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
diff --git a/Makefile.objs b/Makefile.objs
index f07fb01..c88e82d 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -5,10 +5,16 @@ qobject-obj-y += qjson.o json-lexer.o json-streamer.o json-parser.o
 qobject-obj-y += qerror.o
 
 #######################################################################
+# oslib-obj-y is code depending on the OS (win32 vs posix)
+oslib-obj-y = osdep.o
+oslib-obj-$(CONFIG_WIN32) += oslib-win32.o
+oslib-obj-$(CONFIG_POSIX) += oslib-posix.o
+
+#######################################################################
 # block-obj-y is code used by both qemu system emulation and qemu-img
 
 block-obj-y = cutils.o cache-utils.o qemu-malloc.o qemu-option.o module.o
-block-obj-y += nbd.o block.o aio.o aes.o osdep.o qemu-config.o
+block-obj-y += nbd.o block.o aio.o aes.o qemu-config.o
 block-obj-$(CONFIG_POSIX) += posix-aio-compat.o
 block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 
@@ -50,6 +56,7 @@ common-obj-y += $(net-obj-y)
 common-obj-y += $(qobject-obj-y)
 common-obj-$(CONFIG_LINUX) += $(fsdev-obj-$(CONFIG_LINUX))
 common-obj-y += readline.o console.o cursor.o async.o qemu-error.o
+common-obj-y += $(oslib-obj-y)
 common-obj-$(CONFIG_WIN32) += os-win32.o
 common-obj-$(CONFIG_POSIX) += os-posix.o
 
diff --git a/osdep.c b/osdep.c
index 2e05b21..581768a 100644
--- a/osdep.c
+++ b/osdep.c
@@ -61,91 +61,6 @@ extern int madvise(caddr_t, size_t, int);
 #include "sysemu.h"
 #include "qemu_socket.h"
 
-#if !defined(_POSIX_C_SOURCE) || defined(_WIN32) || defined(__sun__)
-static void *oom_check(void *ptr)
-{
-    if (ptr == NULL) {
-#if defined(_WIN32)
-        fprintf(stderr, "Failed to allocate memory: %lu\n", GetLastError());
-#else
-        fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
-#endif
-        abort();
-    }
-    return ptr;
-}
-#endif
-
-#if defined(_WIN32)
-void *qemu_memalign(size_t alignment, size_t size)
-{
-    void *ptr;
-
-    if (!size) {
-        abort();
-    }
-    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
-    trace_qemu_memalign(alignment, size, ptr);
-    return ptr;
-}
-
-void *qemu_vmalloc(size_t size)
-{
-    void *ptr;
-
-    /* FIXME: this is not exactly optimal solution since VirtualAlloc
-       has 64Kb granularity, but at least it guarantees us that the
-       memory is page aligned. */
-    if (!size) {
-        abort();
-    }
-    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
-    trace_qemu_vmalloc(size, ptr);
-    return ptr;
-}
-
-void qemu_vfree(void *ptr)
-{
-    trace_qemu_vfree(ptr);
-    VirtualFree(ptr, 0, MEM_RELEASE);
-}
-
-#else
-
-void *qemu_memalign(size_t alignment, size_t size)
-{
-    void *ptr;
-#if defined(_POSIX_C_SOURCE) && !defined(__sun__)
-    int ret;
-    ret = posix_memalign(&ptr, alignment, size);
-    if (ret != 0) {
-        fprintf(stderr, "Failed to allocate %zu B: %s\n",
-                size, strerror(ret));
-        abort();
-    }
-#elif defined(CONFIG_BSD)
-    ptr = oom_check(valloc(size));
-#else
-    ptr = oom_check(memalign(alignment, size));
-#endif
-    trace_qemu_memalign(alignment, size, ptr);
-    return ptr;
-}
-
-/* alloc shared memory pages */
-void *qemu_vmalloc(size_t size)
-{
-    return qemu_memalign(getpagesize(), size);
-}
-
-void qemu_vfree(void *ptr)
-{
-    trace_qemu_vfree(ptr);
-    free(ptr);
-}
-
-#endif
-
 int qemu_madvise(void *addr, size_t len, int advice)
 {
     if (advice == QEMU_MADV_INVALID) {
diff --git a/oslib-posix.c b/oslib-posix.c
new file mode 100644
index 0000000..df97304
--- /dev/null
+++ b/oslib-posix.c
@@ -0,0 +1,74 @@
+/*
+ * os-posix-lib.c
+ *
+ * Copyright (c) 2003-2008 Fabrice Bellard
+ * Copyright (c) 2010 Red Hat, Inc.
+ *
+ * QEMU library functions on POSIX which are shared between QEMU and
+ * the QEMU tools.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "config-host.h"
+#include "sysemu.h"
+#include "trace.h"
+
+#if !defined(_POSIX_C_SOURCE) || defined(__sun__)
+static void *oom_check(void *ptr)
+{
+    if (ptr == NULL) {
+        fprintf(stderr, "Failed to allocate memory: %s\n", strerror(errno));
+        abort();
+    }
+    return ptr;
+}
+#endif
+
+void *qemu_memalign(size_t alignment, size_t size)
+{
+    void *ptr;
+#if defined(_POSIX_C_SOURCE) && !defined(__sun__)
+    int ret;
+    ret = posix_memalign(&ptr, alignment, size);
+    if (ret != 0) {
+        fprintf(stderr, "Failed to allocate %zu B: %s\n",
+                size, strerror(ret));
+        abort();
+    }
+#elif defined(CONFIG_BSD)
+    ptr = oom_check(valloc(size));
+#else
+    ptr = oom_check(memalign(alignment, size));
+#endif
+    trace_qemu_memalign(alignment, size, ptr);
+    return ptr;
+}
+
+/* alloc shared memory pages */
+void *qemu_vmalloc(size_t size)
+{
+    return qemu_memalign(getpagesize(), size);
+}
+
+void qemu_vfree(void *ptr)
+{
+    trace_qemu_vfree(ptr);
+    free(ptr);
+}
diff --git a/oslib-win32.c b/oslib-win32.c
new file mode 100644
index 0000000..3b5245d
--- /dev/null
+++ b/oslib-win32.c
@@ -0,0 +1,73 @@
+/*
+ * os-win32.c
+ *
+ * Copyright (c) 2003-2008 Fabrice Bellard
+ * Copyright (c) 2010 Red Hat, Inc.
+ *
+ * QEMU library functions for win32 which are shared between QEMU and
+ * the QEMU tools.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#include <windows.h>
+#include "config-host.h"
+#include "sysemu.h"
+#include "trace.h"
+
+static void *oom_check(void *ptr)
+{
+    if (ptr == NULL) {
+        fprintf(stderr, "Failed to allocate memory: %lu\n", GetLastError());
+        abort();
+    }
+    return ptr;
+}
+
+void *qemu_memalign(size_t alignment, size_t size)
+{
+    void *ptr;
+
+    if (!size) {
+        abort();
+    }
+    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    trace_qemu_memalign(alignment, size, ptr);
+    return ptr;
+}
+
+void *qemu_vmalloc(size_t size)
+{
+    void *ptr;
+
+    /* FIXME: this is not exactly optimal solution since VirtualAlloc
+       has 64Kb granularity, but at least it guarantees us that the
+       memory is page aligned. */
+    if (!size) {
+        abort();
+    }
+    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    trace_qemu_vmalloc(size, ptr);
+    return ptr;
+}
+
+void qemu_vfree(void *ptr)
+{
+    trace_qemu_vfree(ptr);
+    VirtualFree(ptr, 0, MEM_RELEASE);
+}
commit 9549e764bdc24b085cb1bb87400bf6ef79ae9eb1
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Oct 26 10:39:20 2010 +0200

    Move osdep socket code to oslib-{posix,win32}.c
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/osdep.c b/osdep.c
index 581768a..902fce9 100644
--- a/osdep.c
+++ b/osdep.c
@@ -147,44 +147,6 @@ int qemu_gettimeofday(qemu_timeval *tp)
 #endif /* _WIN32 */
 
 
-#ifdef _WIN32
-void socket_set_nonblock(int fd)
-{
-    unsigned long opt = 1;
-    ioctlsocket(fd, FIONBIO, &opt);
-}
-
-int inet_aton(const char *cp, struct in_addr *ia)
-{
-    uint32_t addr = inet_addr(cp);
-    if (addr == 0xffffffff)
-	return 0;
-    ia->s_addr = addr;
-    return 1;
-}
-
-void qemu_set_cloexec(int fd)
-{
-}
-
-#else
-
-void socket_set_nonblock(int fd)
-{
-    int f;
-    f = fcntl(fd, F_GETFL);
-    fcntl(fd, F_SETFL, f | O_NONBLOCK);
-}
-
-void qemu_set_cloexec(int fd)
-{
-    int f;
-    f = fcntl(fd, F_GETFD);
-    fcntl(fd, F_SETFD, f | FD_CLOEXEC);
-}
-
-#endif
-
 /*
  * Opens a file with FD_CLOEXEC set
  */
diff --git a/oslib-posix.c b/oslib-posix.c
index df97304..aebe3ac 100644
--- a/oslib-posix.c
+++ b/oslib-posix.c
@@ -29,6 +29,7 @@
 #include "config-host.h"
 #include "sysemu.h"
 #include "trace.h"
+#include "qemu_socket.h"
 
 #if !defined(_POSIX_C_SOURCE) || defined(__sun__)
 static void *oom_check(void *ptr)
@@ -72,3 +73,17 @@ void qemu_vfree(void *ptr)
     trace_qemu_vfree(ptr);
     free(ptr);
 }
+
+void socket_set_nonblock(int fd)
+{
+    int f;
+    f = fcntl(fd, F_GETFL);
+    fcntl(fd, F_SETFL, f | O_NONBLOCK);
+}
+
+void qemu_set_cloexec(int fd)
+{
+    int f;
+    f = fcntl(fd, F_GETFD);
+    fcntl(fd, F_SETFD, f | FD_CLOEXEC);
+}
diff --git a/oslib-win32.c b/oslib-win32.c
index 3b5245d..1ddd857 100644
--- a/oslib-win32.c
+++ b/oslib-win32.c
@@ -29,6 +29,7 @@
 #include "config-host.h"
 #include "sysemu.h"
 #include "trace.h"
+#include "qemu_socket.h"
 
 static void *oom_check(void *ptr)
 {
@@ -71,3 +72,23 @@ void qemu_vfree(void *ptr)
     trace_qemu_vfree(ptr);
     VirtualFree(ptr, 0, MEM_RELEASE);
 }
+
+void socket_set_nonblock(int fd)
+{
+    unsigned long opt = 1;
+    ioctlsocket(fd, FIONBIO, &opt);
+}
+
+int inet_aton(const char *cp, struct in_addr *ia)
+{
+    uint32_t addr = inet_addr(cp);
+    if (addr == 0xffffffff) {
+	return 0;
+    }
+    ia->s_addr = addr;
+    return 1;
+}
+
+void qemu_set_cloexec(int fd)
+{
+}
commit 055403b2a72729497fb58e0c6293547e767679d3
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Oct 22 23:03:32 2010 +0200

    exec: Use fprintf_function for dump_exec_info (format checking)
    
    fprintf_function uses format checking with GCC_FMT_ATTR.
    
    It is declared in qemu-common.h and used in cpu-all.h
    (which is included from cpu.h), so qemu-common.h must
    be included earlier. Some redundant include statements
    for standard include files were removed.
    
    Fix also two format errors (ptrdiff_t needs %td).
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cpu-all.h b/cpu-all.h
index 11edddc..ba9d766 100644
--- a/cpu-all.h
+++ b/cpu-all.h
@@ -959,8 +959,7 @@ int cpu_physical_memory_get_dirty_tracking(void);
 int cpu_physical_sync_dirty_bitmap(target_phys_addr_t start_addr,
                                    target_phys_addr_t end_addr);
 
-void dump_exec_info(FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void dump_exec_info(FILE *f, fprintf_function cpu_fprintf);
 #endif /* !CONFIG_USER_ONLY */
 
 int cpu_memory_rw_debug(CPUState *env, target_ulong addr,
diff --git a/exec.c b/exec.c
index 631d8c5..db9ff55 100644
--- a/exec.c
+++ b/exec.c
@@ -23,17 +23,10 @@
 #include <sys/types.h>
 #include <sys/mman.h>
 #endif
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <inttypes.h>
 
+#include "qemu-common.h"
 #include "cpu.h"
 #include "exec-all.h"
-#include "qemu-common.h"
 #include "tcg.h"
 #include "hw/hw.h"
 #include "hw/qdev.h"
@@ -4096,8 +4089,7 @@ void cpu_io_recompile(CPUState *env, void *retaddr)
 
 #if !defined(CONFIG_USER_ONLY)
 
-void dump_exec_info(FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
 {
     int i, target_code_size, max_target_code_size;
     int direct_jmp_count, direct_jmp2_count, cross_page;
@@ -4124,14 +4116,14 @@ void dump_exec_info(FILE *f,
     }
     /* XXX: avoid using doubles ? */
     cpu_fprintf(f, "Translation buffer state:\n");
-    cpu_fprintf(f, "gen code size       %ld/%ld\n",
+    cpu_fprintf(f, "gen code size       %td/%ld\n",
                 code_gen_ptr - code_gen_buffer, code_gen_buffer_max_size);
     cpu_fprintf(f, "TB count            %d/%d\n", 
                 nb_tbs, code_gen_max_blocks);
     cpu_fprintf(f, "TB avg target size  %d max=%d bytes\n",
                 nb_tbs ? target_code_size / nb_tbs : 0,
                 max_target_code_size);
-    cpu_fprintf(f, "TB avg host size    %d bytes (expansion ratio: %0.1f)\n",
+    cpu_fprintf(f, "TB avg host size    %td bytes (expansion ratio: %0.1f)\n",
                 nb_tbs ? (code_gen_ptr - code_gen_buffer) / nb_tbs : 0,
                 target_code_size ? (double) (code_gen_ptr - code_gen_buffer) / target_code_size : 0);
     cpu_fprintf(f, "cross page TB count %d (%d%%)\n",
commit 9a78eead0c74333a394c0f7bbfc4423ac746fcd5
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Oct 22 23:03:33 2010 +0200

    target-xxx: Use fprintf_function (format checking)
    
    fprintf_function uses format checking with GCC_FMT_ATTR.
    
    Format errors were fixed in
    * target-i386/helper.c
    * target-mips/translate.c
    * target-ppc/translate.c
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cpu-all.h b/cpu-all.h
index ba9d766..30ae17d 100644
--- a/cpu-all.h
+++ b/cpu-all.h
@@ -765,12 +765,10 @@ int page_check_range(target_ulong start, target_ulong len, int flags);
 CPUState *cpu_copy(CPUState *env);
 CPUState *qemu_get_cpu(int cpu);
 
-void cpu_dump_state(CPUState *env, FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags);
-void cpu_dump_statistics (CPUState *env, FILE *f,
-                          int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
-                          int flags);
+void cpu_dump_statistics(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
+                         int flags);
 
 void QEMU_NORETURN cpu_abort(CPUState *env, const char *fmt, ...)
     GCC_FMT_ATTR(2, 3);
diff --git a/cpus.c b/cpus.c
index 36a6d1f..91a0fb1 100644
--- a/cpus.c
+++ b/cpus.c
@@ -978,8 +978,7 @@ int64_t cpu_get_icount(void)
     return qemu_icount_bias + (icount << icount_time_shift);
 }
 
-void list_cpus(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
-               const char *optarg)
+void list_cpus(FILE *f, fprintf_function cpu_fprintf, const char *optarg)
 {
     /* XXX: implement xxx_cpu_list for targets that still miss it */
 #if defined(cpu_list_id)
diff --git a/cpus.h b/cpus.h
index af267ea..bf4d9bb 100644
--- a/cpus.h
+++ b/cpus.h
@@ -16,7 +16,6 @@ void vm_state_notify(int running, int reason);
 bool cpu_exec_all(void);
 void set_numa_modes(void);
 void set_cpu_log(const char *optarg);
-void list_cpus(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
-               const char *optarg);
+void list_cpus(FILE *f, fprintf_function cpu_fprintf, const char *optarg);
 
 #endif
diff --git a/target-alpha/helper.c b/target-alpha/helper.c
index b6d2160..3ba4478 100644
--- a/target-alpha/helper.c
+++ b/target-alpha/helper.c
@@ -537,8 +537,7 @@ void do_interrupt (CPUState *env)
 }
 #endif
 
-void cpu_dump_state (CPUState *env, FILE *f,
-                     int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state (CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                      int flags)
 {
     static const char *linux_reg_names[] = {
diff --git a/target-arm/cpu.h b/target-arm/cpu.h
index 39c4a0e..b87c605 100644
--- a/target-arm/cpu.h
+++ b/target-arm/cpu.h
@@ -25,6 +25,8 @@
 
 #define CPUState struct CPUARMState
 
+#include "config.h"
+#include "qemu-common.h"
 #include "cpu-defs.h"
 
 #include "softfloat.h"
@@ -353,7 +355,7 @@ static inline int arm_feature(CPUARMState *env, int feature)
     return (env->features & (1u << feature)) != 0;
 }
 
-void arm_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void arm_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 
 /* Interface between CPU and Interrupt controller.  */
 void armv7m_nvic_set_pending(void *opaque, int irq);
diff --git a/target-arm/helper.c b/target-arm/helper.c
index 2dd64d9..996d40d 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -348,7 +348,7 @@ static const struct arm_cpu_t arm_cpu_names[] = {
     { 0, NULL}
 };
 
-void arm_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void arm_cpu_list(FILE *f, fprintf_function cpu_fprintf)
 {
     int i;
 
diff --git a/target-arm/translate.c b/target-arm/translate.c
index 6fcdd7e..99464ab 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -9262,8 +9262,7 @@ static const char *cpu_mode_names[16] = {
   "???", "???", "???", "und", "???", "???", "???", "sys"
 };
 
-void cpu_dump_state(CPUState *env, FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags)
 {
     int i;
diff --git a/target-cris/cpu.h b/target-cris/cpu.h
index e1d48ed..d908775 100644
--- a/target-cris/cpu.h
+++ b/target-cris/cpu.h
@@ -263,6 +263,6 @@ static inline void cpu_get_tb_cpu_state(CPUState *env, target_ulong *pc,
 }
 
 #define cpu_list cris_cpu_list
-void cris_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void cris_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 
 #endif
diff --git a/target-cris/translate.c b/target-cris/translate.c
index 8361369..4e4606c 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -3426,8 +3426,7 @@ void gen_intermediate_code_pc (CPUState *env, struct TranslationBlock *tb)
     gen_intermediate_code_internal(env, tb, 1);
 }
 
-void cpu_dump_state (CPUState *env, FILE *f,
-                     int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state (CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                      int flags)
 {
 	int i;
@@ -3480,7 +3479,7 @@ struct
 	{32, "crisv32"},
 };
 
-void cris_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void cris_cpu_list(FILE *f, fprintf_function cpu_fprintf)
 {
     unsigned int i;
 
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 85ed30f..2440d65 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -20,6 +20,7 @@
 #define CPU_I386_H
 
 #include "config.h"
+#include "qemu-common.h"
 
 #ifdef TARGET_X86_64
 #define TARGET_LONG_BITS 64
@@ -756,8 +757,7 @@ typedef struct CPUX86State {
 CPUX86State *cpu_x86_init(const char *cpu_model);
 int cpu_x86_exec(CPUX86State *s);
 void cpu_x86_close(CPUX86State *s);
-void x86_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
-                   const char *optarg);
+void x86_cpu_list (FILE *f, fprintf_function cpu_fprintf, const char *optarg);
 void x86_cpudef_setup(void);
 
 int cpu_get_pic_interrupt(CPUX86State *s);
diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
index 0e0bf60..650a719 100644
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@ -762,8 +762,7 @@ static void listflags(char *buf, int bufsize, uint32_t fbits,
  * -?dump    output all model (x86_def_t) data
  * -?cpuid   list all recognized cpuid flag names
  */
-void x86_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
-                  const char *optarg)
+void x86_cpu_list(FILE *f, fprintf_function cpu_fprintf, const char *optarg)
 {
     unsigned char model = !strcmp("?model", optarg);
     unsigned char dump = !strcmp("?dump", optarg);
diff --git a/target-i386/helper.c b/target-i386/helper.c
index 4fff4a8..26ea1e5 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -169,8 +169,7 @@ static const char *cc_op_str[] = {
 };
 
 static void
-cpu_x86_dump_seg_cache(CPUState *env, FILE *f,
-                       int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+cpu_x86_dump_seg_cache(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                        const char *name, struct SegmentCache *sc)
 {
 #ifdef TARGET_X86_64
@@ -224,8 +223,7 @@ done:
     cpu_fprintf(f, "\n");
 }
 
-void cpu_dump_state(CPUState *env, FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags)
 {
     int eflags, i, nb;
@@ -335,9 +333,11 @@ void cpu_dump_state(CPUState *env, FILE *f,
                     (uint32_t)env->cr[2],
                     (uint32_t)env->cr[3],
                     (uint32_t)env->cr[4]);
-        for(i = 0; i < 4; i++)
-            cpu_fprintf(f, "DR%d=%08x ", i, env->dr[i]);
-        cpu_fprintf(f, "\nDR6=%08x DR7=%08x\n", env->dr[6], env->dr[7]);
+        for(i = 0; i < 4; i++) {
+            cpu_fprintf(f, "DR%d=" TARGET_FMT_lx " ", i, env->dr[i]);
+        }
+        cpu_fprintf(f, "\nDR6=" TARGET_FMT_lx " DR7=" TARGET_FMT_lx "\n",
+                    env->dr[6], env->dr[7]);
     }
     if (flags & X86_DUMP_CCOP) {
         if ((unsigned)env->cc_op < CC_OP_NB)
diff --git a/target-m68k/cpu.h b/target-m68k/cpu.h
index 33c41b2..b025b66 100644
--- a/target-m68k/cpu.h
+++ b/target-m68k/cpu.h
@@ -24,6 +24,7 @@
 
 #define CPUState struct CPUM68KState
 
+#include "qemu-common.h"
 #include "cpu-defs.h"
 
 #include "softfloat.h"
@@ -198,7 +199,7 @@ static inline int m68k_feature(CPUM68KState *env, int feature)
     return (env->features & (1u << feature)) != 0;
 }
 
-void m68k_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void m68k_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 
 void register_m68k_insns (CPUM68KState *env);
 
diff --git a/target-m68k/helper.c b/target-m68k/helper.c
index b4ebb14..56de897 100644
--- a/target-m68k/helper.c
+++ b/target-m68k/helper.c
@@ -53,7 +53,7 @@ static m68k_def_t m68k_cpu_defs[] = {
     {NULL, 0},
 };
 
-void m68k_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void m68k_cpu_list(FILE *f, fprintf_function cpu_fprintf)
 {
     unsigned int i;
 
diff --git a/target-m68k/translate.c b/target-m68k/translate.c
index 5351880..6f72a2b 100644
--- a/target-m68k/translate.c
+++ b/target-m68k/translate.c
@@ -3092,8 +3092,7 @@ void gen_intermediate_code_pc(CPUState *env, TranslationBlock *tb)
     gen_intermediate_code_internal(env, tb, 1);
 }
 
-void cpu_dump_state(CPUState *env, FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags)
 {
     int i;
diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 38149bb..1ada15e 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -1534,8 +1534,7 @@ void gen_intermediate_code_pc (CPUState *env, struct TranslationBlock *tb)
     gen_intermediate_code_internal(env, tb, 1);
 }
 
-void cpu_dump_state (CPUState *env, FILE *f,
-                     int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state (CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                      int flags)
 {
     int i;
diff --git a/target-mips/cpu.h b/target-mips/cpu.h
index 19511d7..c1f211f 100644
--- a/target-mips/cpu.h
+++ b/target-mips/cpu.h
@@ -8,6 +8,7 @@
 #define CPUState struct CPUMIPSState
 
 #include "config.h"
+#include "qemu-common.h"
 #include "mips-defs.h"
 #include "cpu-defs.h"
 #include "softfloat.h"
@@ -496,7 +497,7 @@ void do_unassigned_access(target_phys_addr_t addr, int is_write, int is_exec,
                           int unused, int size);
 #endif
 
-void mips_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void mips_cpu_list (FILE *f, fprintf_function cpu_fprintf);
 
 #define cpu_init cpu_mips_init
 #define cpu_exec cpu_mips_exec
diff --git a/target-mips/translate.c b/target-mips/translate.c
index d62c615..ba45eb0 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -12450,8 +12450,7 @@ void gen_intermediate_code_pc (CPUState *env, struct TranslationBlock *tb)
     gen_intermediate_code_internal(env, tb, 1);
 }
 
-static void fpu_dump_state(CPUState *env, FILE *f,
-                           int (*fpu_fprintf)(FILE *f, const char *fmt, ...),
+static void fpu_dump_state(CPUState *env, FILE *f, fprintf_function fpu_fprintf,
                            int flags)
 {
     int i;
@@ -12480,8 +12479,8 @@ static void fpu_dump_state(CPUState *env, FILE *f,
     } while(0)
 
 
-    fpu_fprintf(f, "CP1 FCR0 0x%08x  FCR31 0x%08x  SR.FR %d  fp_status 0x%08x(0x%02x)\n",
-                env->active_fpu.fcr0, env->active_fpu.fcr31, is_fpu64, env->active_fpu.fp_status,
+    fpu_fprintf(f, "CP1 FCR0 0x%08x  FCR31 0x%08x  SR.FR %d  fp_status 0x%02x\n",
+                env->active_fpu.fcr0, env->active_fpu.fcr31, is_fpu64,
                 get_float_exception_flags(&env->active_fpu.fp_status));
     for (i = 0; i < 32; (is_fpu64) ? i++ : (i += 2)) {
         fpu_fprintf(f, "%3s: ", fregnames[i]);
@@ -12499,7 +12498,7 @@ static void fpu_dump_state(CPUState *env, FILE *f,
 
 static void
 cpu_mips_check_sign_extensions (CPUState *env, FILE *f,
-                                int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+                                fprintf_function cpu_fprintf,
                                 int flags)
 {
     int i;
@@ -12525,8 +12524,7 @@ cpu_mips_check_sign_extensions (CPUState *env, FILE *f,
 }
 #endif
 
-void cpu_dump_state (CPUState *env, FILE *f,
-                     int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state (CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                      int flags)
 {
     int i;
diff --git a/target-mips/translate_init.c b/target-mips/translate_init.c
index 8d1ece7..590e092 100644
--- a/target-mips/translate_init.c
+++ b/target-mips/translate_init.c
@@ -500,7 +500,7 @@ static const mips_def_t *cpu_mips_find_by_name (const char *name)
     return NULL;
 }
 
-void mips_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void mips_cpu_list (FILE *f, fprintf_function cpu_fprintf)
 {
     int i;
 
diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index 1334dd1..deb8d7c 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -20,7 +20,7 @@
 #define __CPU_PPC_H__
 
 #include "config.h"
-#include <inttypes.h>
+#include "qemu-common.h"
 
 //#define PPC_EMULATE_32BITS_HYPV
 
@@ -761,7 +761,7 @@ void ppc_store_sr (CPUPPCState *env, int srnum, target_ulong value);
 #endif /* !defined(CONFIG_USER_ONLY) */
 void ppc_store_msr (CPUPPCState *env, target_ulong value);
 
-void ppc_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void ppc_cpu_list (FILE *f, fprintf_function cpu_fprintf);
 
 const ppc_def_t *cpu_ppc_find_by_name (const char *name);
 int cpu_ppc_register_internal (CPUPPCState *env, const ppc_def_t *def);
diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index fd06861..c82a483 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -8830,8 +8830,7 @@ GEN_SPEOP_LDST(evstwwo, 0x1E, 2),
 
 /*****************************************************************************/
 /* Misc PowerPC helpers */
-void cpu_dump_state (CPUState *env, FILE *f,
-                     int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state (CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                      int flags)
 {
 #define RGPL  4
@@ -8840,15 +8839,15 @@ void cpu_dump_state (CPUState *env, FILE *f,
     int i;
 
     cpu_fprintf(f, "NIP " TARGET_FMT_lx "   LR " TARGET_FMT_lx " CTR "
-                TARGET_FMT_lx " XER %08x\n", env->nip, env->lr, env->ctr,
-                env->xer);
+                TARGET_FMT_lx " XER " TARGET_FMT_lx "\n",
+                env->nip, env->lr, env->ctr, env->xer);
     cpu_fprintf(f, "MSR " TARGET_FMT_lx " HID0 " TARGET_FMT_lx "  HF "
                 TARGET_FMT_lx " idx %d\n", env->msr, env->spr[SPR_HID0],
                 env->hflags, env->mmu_idx);
 #if !defined(NO_TIMER_DUMP)
-    cpu_fprintf(f, "TB %08x %08x "
+    cpu_fprintf(f, "TB %08" PRIu32 " %08" PRIu64
 #if !defined(CONFIG_USER_ONLY)
-                "DECR %08x"
+                " DECR %08" PRIu32
 #endif
                 "\n",
                 cpu_ppc_load_tbu(env), cpu_ppc_load_tbl(env)
@@ -8898,8 +8897,7 @@ void cpu_dump_state (CPUState *env, FILE *f,
 #undef RFPL
 }
 
-void cpu_dump_statistics (CPUState *env, FILE*f,
-                          int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_statistics (CPUState *env, FILE*f, fprintf_function cpu_fprintf,
                           int flags)
 {
 #if defined(DO_PPC_STATISTICS)
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 05ffe95..dfcd949 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -9756,7 +9756,7 @@ const ppc_def_t *cpu_ppc_find_by_name (const char *name)
     return ret;
 }
 
-void ppc_cpu_list (FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void ppc_cpu_list (FILE *f, fprintf_function cpu_fprintf)
 {
     int i, max;
 
diff --git a/target-s390x/translate.c b/target-s390x/translate.c
index 44dfa65..881d8c4 100644
--- a/target-s390x/translate.c
+++ b/target-s390x/translate.c
@@ -23,8 +23,7 @@
 #include "tcg-op.h"
 #include "qemu-log.h"
 
-void cpu_dump_state(CPUState *env, FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags)
 {
     int i;
diff --git a/target-sh4/cpu.h b/target-sh4/cpu.h
index 64a609b..e197766 100644
--- a/target-sh4/cpu.h
+++ b/target-sh4/cpu.h
@@ -20,6 +20,7 @@
 #define _CPU_SH4_H
 
 #include "config.h"
+#include "qemu-common.h"
 
 #define TARGET_LONG_BITS 32
 #define TARGET_HAS_ICE 1
@@ -168,7 +169,7 @@ int cpu_sh4_handle_mmu_fault(CPUSH4State * env, target_ulong address, int rw,
 #define cpu_handle_mmu_fault cpu_sh4_handle_mmu_fault
 void do_interrupt(CPUSH4State * env);
 
-void sh4_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void sh4_cpu_list(FILE *f, fprintf_function cpu_fprintf);
 #if !defined(CONFIG_USER_ONLY)
 void cpu_sh4_invalidate_tlb(CPUSH4State *s);
 void cpu_sh4_write_mmaped_utlb_addr(CPUSH4State *s, target_phys_addr_t addr,
diff --git a/target-sh4/translate.c b/target-sh4/translate.c
index deee939..f418139 100644
--- a/target-sh4/translate.c
+++ b/target-sh4/translate.c
@@ -257,7 +257,7 @@ static const sh4_def_t *cpu_sh4_find_by_name(const char *name)
     return NULL;
 }
 
-void sh4_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void sh4_cpu_list(FILE *f, fprintf_function cpu_fprintf)
 {
     int i;
 
diff --git a/target-sparc/helper.c b/target-sparc/helper.c
index aa1fd63..e84c312 100644
--- a/target-sparc/helper.c
+++ b/target-sparc/helper.c
@@ -1323,8 +1323,7 @@ static const char * const feature_name[] = {
     "gl",
 };
 
-static void print_features(FILE *f,
-                           int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+static void print_features(FILE *f, fprintf_function cpu_fprintf,
                            uint32_t features, const char *prefix)
 {
     unsigned int i;
@@ -1452,7 +1451,7 @@ static int cpu_sparc_find_by_name(sparc_def_t *cpu_def, const char *cpu_model)
     return -1;
 }
 
-void sparc_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void sparc_cpu_list(FILE *f, fprintf_function cpu_fprintf)
 {
     unsigned int i;
 
@@ -1479,8 +1478,7 @@ void sparc_cpu_list(FILE *f, int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
                    "fpu_version mmu_version nwindows\n");
 }
 
-static void cpu_print_cc(FILE *f,
-                         int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+static void cpu_print_cc(FILE *f, fprintf_function cpu_fprintf,
                          uint32_t cc)
 {
     cpu_fprintf(f, "%c%c%c%c", cc & PSR_NEG? 'N' : '-',
@@ -1494,8 +1492,7 @@ static void cpu_print_cc(FILE *f,
 #define REGS_PER_LINE 8
 #endif
 
-void cpu_dump_state(CPUState *env, FILE *f,
-                    int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
+void cpu_dump_state(CPUState *env, FILE *f, fprintf_function cpu_fprintf,
                     int flags)
 {
     int i, x;
commit 405cf9ff007a62f120e2f38a517b41e1a1dbf0ce
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Oct 22 23:03:31 2010 +0200

    tcg: Use fprintf_function (format checking)
    
    fprintf_function uses format checking with GCC_FMT_ATTR.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tcg/tcg.c b/tcg/tcg.c
index 0cdef0d..5dd6a2c 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -2124,8 +2124,7 @@ int tcg_gen_code_search_pc(TCGContext *s, uint8_t *gen_code_buf, long offset)
 }
 
 #ifdef CONFIG_PROFILER
-void tcg_dump_info(FILE *f,
-                   int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void tcg_dump_info(FILE *f, fprintf_function cpu_fprintf)
 {
     TCGContext *s = &tcg_ctx;
     int64_t tot;
@@ -2169,8 +2168,7 @@ void tcg_dump_info(FILE *f,
     dump_op_count();
 }
 #else
-void tcg_dump_info(FILE *f,
-                   int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
+void tcg_dump_info(FILE *f, fprintf_function cpu_fprintf)
 {
     cpu_fprintf(f, "[TCG profiler not compiled]\n");
 }
diff --git a/tcg/tcg.h b/tcg/tcg.h
index 972df72..e1afde2 100644
--- a/tcg/tcg.h
+++ b/tcg/tcg.h
@@ -392,8 +392,7 @@ static inline TCGv_i64 tcg_temp_local_new_i64(void)
 void tcg_temp_free_i64(TCGv_i64 arg);
 char *tcg_get_arg_str_i64(TCGContext *s, char *buf, int buf_size, TCGv_i64 arg);
 
-void tcg_dump_info(FILE *f,
-                   int (*cpu_fprintf)(FILE *f, const char *fmt, ...));
+void tcg_dump_info(FILE *f, fprintf_function cpu_fprintf);
 
 #define TCG_CT_ALIAS  0x80
 #define TCG_CT_IALIAS 0x40
commit f868445a502a75b6ac785dddbcc3233cc5f986b0
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Oct 22 23:03:30 2010 +0200

    Add fprintf_function for function pointers to fprintf-like functions
    
    This kind of function pointers is used very often in qemu.
    
    The new data type uses format checking with GCC_FMT_ATTR
    and will be used in later patches.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-common.h b/qemu-common.h
index d31f366..3496e4f 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -81,6 +81,9 @@ struct iovec {
 #define GCC_FMT_ATTR(n, m)
 #endif
 
+typedef int (*fprintf_function)(FILE *f, const char *fmt, ...)
+    GCC_FMT_ATTR(2, 3);
+
 #ifdef _WIN32
 #define fsync _commit
 #define lseek _lseeki64
commit 338b922edd88440ef555f08d6924609915c6f00c
Author: malc <av1474 at comtv.ru>
Date:   Sat Oct 30 01:41:01 2010 +0400

    Mov muldiv64 to qemu-common.h (Thus unbreaking gus)
    
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/omap_clk.c b/hw/omap_clk.c
index 10c9c43..6bcabef 100644
--- a/hw/omap_clk.c
+++ b/hw/omap_clk.c
@@ -20,7 +20,6 @@
  */
 #include "hw.h"
 #include "omap.h"
-#include "qemu-timer.h" /* for muldiv64() */
 
 struct clk {
     const char *name;
diff --git a/qemu-common.h b/qemu-common.h
index 2fbc27f..d31f366 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -309,6 +309,30 @@ static inline uint8_t from_bcd(uint8_t val)
     return ((val >> 4) * 10) + (val & 0x0f);
 }
 
+/* compute with 96 bit intermediate result: (a*b)/c */
+static inline uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
+{
+    union {
+        uint64_t ll;
+        struct {
+#ifdef HOST_WORDS_BIGENDIAN
+            uint32_t high, low;
+#else
+            uint32_t low, high;
+#endif
+        } l;
+    } u, res;
+    uint64_t rl, rh;
+
+    u.ll = a;
+    rl = (uint64_t)u.l.low * (uint64_t)b;
+    rh = (uint64_t)u.l.high * (uint64_t)b;
+    rh += (rl >> 32);
+    res.l.high = rh / c;
+    res.l.low = (((rh % c) << 32) + (rl & 0xffffffff)) / c;
+    return res.ll;
+}
+
 #include "module.h"
 
 #endif
diff --git a/qemu-timer.h b/qemu-timer.h
index 299e387..8cd8f83 100644
--- a/qemu-timer.h
+++ b/qemu-timer.h
@@ -59,30 +59,6 @@ static inline int64_t get_ticks_per_sec(void)
     return 1000000000LL;
 }
 
-/* compute with 96 bit intermediate result: (a*b)/c */
-static inline uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
-{
-    union {
-        uint64_t ll;
-        struct {
-#ifdef HOST_WORDS_BIGENDIAN
-            uint32_t high, low;
-#else
-            uint32_t low, high;
-#endif
-        } l;
-    } u, res;
-    uint64_t rl, rh;
-
-    u.ll = a;
-    rl = (uint64_t)u.l.low * (uint64_t)b;
-    rh = (uint64_t)u.l.high * (uint64_t)b;
-    rh += (rl >> 32);
-    res.l.high = rh / c;
-    res.l.low = (((rh % c) << 32) + (rl & 0xffffffff)) / c;
-    return res.ll;
-}
-
 /* real time host monotonic timer */
 static inline int64_t get_clock_realtime(void)
 {
commit 6983f3bba2cc820b882cf6071d7cf3bb113af47e
Merge: 185b930... 174b287...
Author: Avi Kivity <avi at redhat.com>
Date:   Thu Oct 28 17:01:07 2010 +0200

    Merge branch 'master' of git://git.sv.gnu.org/qemu into next
    
    * 'master' of git://git.sv.gnu.org/qemu: (26 commits)
      seabios: Update to 0.6.1
      qemu-timer: move commonly used timer code to qemu-timer-common
      rewrite i386 tests Makefile
      fix test_path
      make runcom compile on recent distributions
      disable test_enter on i386, it is broken
      unbreak "make" from vpath-built tests directory
      unbreak "make" from tests directory
      mips_fulong2e: fix ram allocation
      Replace remaining gcc format attributes by macro GCC_FMT_ATTR (format checking)
      Remove special handling of system include files (no longer needed)
      virtio-blk: Respect werror option for flushes
      ide: Handle flush failure
      ide: Factor ide_flush_cache out
      qemu-img: Fix qemu-img convert -obacking_file
      block: Use GCC_FMT_ATTR and fix a format error
      qemu-io: New command map
      Copy snapshots out of QCOW2 disk
      ide: set WCACHE supported in IDENTIFY data
      qcow2: Remove old image creation function
      ...
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

commit 185b93006873e14cb2e33720d5a0c7115972032a
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Fri Oct 22 14:40:31 2010 -0600

    msix: Allow msix_init on a device with existing MSI-X capability
    
    To enable common msix support to be used with pass through devices,
    don't attempt to change the BAR if the device already has an
    MSI-X capability.  This also means we want to pay closer attention
    to the size when we map the msix table page, as it isn't necessarily
    covering the entire end of the BAR.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index 4b6133d..b98b34a 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -167,35 +167,43 @@ static int msix_add_config(struct PCIDevice *pdev, unsigned short nentries,
 {
     int config_offset;
     uint8_t *config;
-    uint32_t new_size;
 
-    if (nentries < 1 || nentries > PCI_MSIX_FLAGS_QSIZE + 1)
-        return -EINVAL;
-    if (bar_size > 0x80000000)
-        return -ENOSPC;
-
-    /* Add space for MSI-X structures */
-    if (!bar_size) {
-        new_size = MSIX_PAGE_SIZE;
-    } else if (bar_size < MSIX_PAGE_SIZE) {
-        bar_size = MSIX_PAGE_SIZE;
-        new_size = MSIX_PAGE_SIZE * 2;
-    } else {
-        new_size = bar_size * 2;
-    }
-
-    pdev->msix_bar_size = new_size;
-    config_offset = pci_add_capability(pdev, PCI_CAP_ID_MSIX, MSIX_CAP_LENGTH);
-    if (config_offset < 0)
-        return config_offset;
-    config = pdev->config + config_offset;
-
-    pci_set_word(config + PCI_MSIX_FLAGS, nentries - 1);
-    /* Table on top of BAR */
-    pci_set_long(config + MSIX_TABLE_OFFSET, bar_size | bar_nr);
-    /* Pending bits on top of that */
-    pci_set_long(config + MSIX_PBA_OFFSET, (bar_size + MSIX_PAGE_PENDING) |
-                 bar_nr);
+    pdev->msix_bar_size = bar_size;
+
+    config_offset = pci_find_capability(pdev, PCI_CAP_ID_MSIX);
+
+    if (!config_offset) {
+        uint32_t new_size;
+
+        if (nentries < 1 || nentries > PCI_MSIX_FLAGS_QSIZE + 1)
+            return -EINVAL;
+        if (bar_size > 0x80000000)
+            return -ENOSPC;
+
+        /* Add space for MSI-X structures */
+        if (!bar_size) {
+            new_size = MSIX_PAGE_SIZE;
+        } else if (bar_size < MSIX_PAGE_SIZE) {
+            bar_size = MSIX_PAGE_SIZE;
+            new_size = MSIX_PAGE_SIZE * 2;
+        } else {
+            new_size = bar_size * 2;
+        }
+
+        pdev->msix_bar_size = new_size;
+        config_offset = pci_add_capability(pdev, PCI_CAP_ID_MSIX,
+                                           MSIX_CAP_LENGTH);
+        if (config_offset < 0)
+            return config_offset;
+        config = pdev->config + config_offset;
+
+        pci_set_word(config + PCI_MSIX_FLAGS, nentries - 1);
+        /* Table on top of BAR */
+        pci_set_long(config + MSIX_TABLE_OFFSET, bar_size | bar_nr);
+        /* Pending bits on top of that */
+        pci_set_long(config + MSIX_PBA_OFFSET, (bar_size + MSIX_PAGE_PENDING) |
+                     bar_nr);
+    }
     pdev->msix_cap = config_offset;
     /* Make flags bit writeable. */
     pdev->wmask[config_offset + MSIX_CONTROL_OFFSET] |= MSIX_ENABLE_MASK |
@@ -337,7 +345,8 @@ void msix_mmio_map(PCIDevice *d, int region_num,
         return;
     if (size <= offset)
         return;
-    cpu_register_physical_memory(addr + offset, size - offset,
+    cpu_register_physical_memory(addr + offset,
+                                 MIN(size - offset, MSIX_PAGE_SIZE),
                                  d->msix_mmio_index);
 }
 
commit b907b69dd75415bc28349d1dd1e9a598ddace463
Merge: df2943b... 804b207...
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 19:07:10 2010 +0200

    Merge branch 'pci' into for_anthony

commit 804b207170cdccca3672b63caaf82312ad205a7f
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 17:48:42 2010 +0200

    pcie: update satus on reset
    
    Reset never triggers a new event, so it's enough to
    update status.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie.c b/hw/pcie.c
index 373e33e..35918f7 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -307,7 +307,7 @@ void pcie_cap_slot_reset(PCIDevice *dev)
                                  PCI_EXP_SLTSTA_PDC |
                                  PCI_EXP_SLTSTA_ABP);
 
-    hotplug_event_notify(dev);
+    hotplug_event_update_event_status(dev);
 }
 
 void pcie_cap_slot_write_config(PCIDevice *dev,
commit b794ec7ce8ac1aaac825e554c20d1aae1422374e
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 16:28:22 2010 +0200

    msi: minor cleanups
    
    Comment fixup (tell what it does not what it does not do),
    typo fix, whitespace fix.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msi.c b/hw/msi.c
index 016e7a4..f03f519 100644
--- a/hw/msi.c
+++ b/hw/msi.c
@@ -155,9 +155,8 @@ int msi_init(struct PCIDevice *dev, uint8_t offset,
     pci_set_word(dev->wmask + msi_data_off(dev, msi64bit), 0xffff);
 
     if (msi_per_vector_mask) {
+        /* Make mask bits 0 to nr_vectors - 1 writeable. */
         pci_set_long(dev->wmask + msi_mask_off(dev, msi64bit),
-                     /* (1U << nr_vectors) - 1 is undefined
-                        when nr_vectors = 32 */
                      0xffffffff >> (PCI_MSI_VECTORS_MAX - nr_vectors));
     }
     return config_offset;
@@ -225,7 +224,7 @@ void msi_notify(PCIDevice *dev, unsigned int vector)
         return;
     }
 
-    if (msi64bit){
+    if (msi64bit) {
         address = pci_get_quad(dev->config + msi_address_lo_off(dev));
     } else {
         address = pci_get_long(dev->config + msi_address_lo_off(dev));
@@ -269,7 +268,7 @@ void msi_write_config(PCIDevice *dev, uint32_t addr, uint32_t val, int len)
                    flags,
                    pci_get_long(dev->config + msi_address_lo_off(dev)));
     if (msi64bit) {
-        fprintf(stderr, " addrss-hi: 0x%"PRIx32,
+        fprintf(stderr, " address-hi: 0x%"PRIx32,
                 pci_get_long(dev->config + msi_address_hi_off(dev)));
     }
     fprintf(stderr, " data: 0x%"PRIx16,
commit 531a0b82dd0ad352819d4deffe1ecd7f52975fbf
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 16:14:56 2010 +0200

    msi: simplify range checks
    
    config write handlers should be idempotent.
    So no need for complex range checks: a simple
    one checking that we are touching the relevant capability
    will do.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msi.c b/hw/msi.c
index 0f2913a..016e7a4 100644
--- a/hw/msi.c
+++ b/hw/msi.c
@@ -258,34 +258,29 @@ void msi_write_config(PCIDevice *dev, uint32_t addr, uint32_t val, int len)
     uint32_t pending;
     int i;
 
-#ifdef MSI_DEBUG
-    if (ranges_overlap(addr, len, dev->msi_cap, msi_cap_sizeof(flags))) {
-        MSI_DEV_PRINTF(dev, "addr 0x%"PRIx32" val 0x%"PRIx32" len %d\n",
-                       addr, val, len);
-        MSI_DEV_PRINTF(dev, "ctrl: 0x%"PRIx16" address: 0x%"PRIx32,
-                       flags,
-                       pci_get_long(dev->config + msi_address_lo_off(dev)));
-        if (msi64bit) {
-            fprintf(stderr, " addrss-hi: 0x%"PRIx32,
-                    pci_get_long(dev->config + msi_address_hi_off(dev)));
-        }
-        fprintf(stderr, " data: 0x%"PRIx16,
-                pci_get_word(dev->config + msi_data_off(dev, msi64bit)));
-        if (flags & PCI_MSI_FLAGS_MASKBIT) {
-            fprintf(stderr, " mask 0x%"PRIx32" pending 0x%"PRIx32,
-                    pci_get_long(dev->config + msi_mask_off(dev, msi64bit)),
-                    pci_get_long(dev->config + msi_pending_off(dev, msi64bit)));
-        }
-        fprintf(stderr, "\n");
+    if (!ranges_overlap(addr, len, dev->msi_cap, msi_cap_sizeof(flags))) {
+        return;
     }
-#endif
 
-    /* Are we modified? */
-    if (!(ranges_overlap(addr, len, msi_flags_off(dev), 2) ||
-          (msi_per_vector_mask &&
-           ranges_overlap(addr, len, msi_mask_off(dev, msi64bit), 4)))) {
-        return;
+#ifdef MSI_DEBUG
+    MSI_DEV_PRINTF(dev, "addr 0x%"PRIx32" val 0x%"PRIx32" len %d\n",
+                   addr, val, len);
+    MSI_DEV_PRINTF(dev, "ctrl: 0x%"PRIx16" address: 0x%"PRIx32,
+                   flags,
+                   pci_get_long(dev->config + msi_address_lo_off(dev)));
+    if (msi64bit) {
+        fprintf(stderr, " addrss-hi: 0x%"PRIx32,
+                pci_get_long(dev->config + msi_address_hi_off(dev)));
     }
+    fprintf(stderr, " data: 0x%"PRIx16,
+            pci_get_word(dev->config + msi_data_off(dev, msi64bit)));
+    if (flags & PCI_MSI_FLAGS_MASKBIT) {
+        fprintf(stderr, " mask 0x%"PRIx32" pending 0x%"PRIx32,
+                pci_get_long(dev->config + msi_mask_off(dev, msi64bit)),
+                pci_get_long(dev->config + msi_pending_off(dev, msi64bit)));
+    }
+    fprintf(stderr, "\n");
+#endif
 
     if (!(flags & PCI_MSI_FLAGS_ENABLE)) {
         return;
commit f9aebe2ef52ff0dcb733999f57e00a7b430303c6
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 27 16:01:25 2010 +0200

    pci: improve w1c mask handling
    
    - save/restore must not check w1c bits
      since they are in fact guest controlled
    - clear w1c bits on reset
    
    Note: for express there are different kinds of
    reset, some leave part of config space alone.
    We will likely need a sticky bit mask to implement this.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 409e2c0..5386f5a 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -140,7 +140,8 @@ static void pci_device_reset(PCIDevice *dev)
     pci_update_irq_status(dev);
     /* Clear all writeable bits */
     pci_word_test_and_clear_mask(dev->config + PCI_COMMAND,
-                                 pci_get_word(dev->wmask + PCI_COMMAND));
+                                 pci_get_word(dev->wmask + PCI_COMMAND) |
+                                 pci_get_word(dev->w1cmask + PCI_COMMAND));
     dev->config[PCI_CACHE_LINE_SIZE] = 0x0;
     dev->config[PCI_INTERRUPT_LINE] = 0x0;
     for (r = 0; r < PCI_NUM_REGIONS; ++r) {
@@ -292,7 +293,8 @@ static int get_pci_config_device(QEMUFile *f, void *pv, size_t size)
 
     qemu_get_buffer(f, config, size);
     for (i = 0; i < size; ++i) {
-        if ((config[i] ^ s->config[i]) & s->cmask[i] & ~s->wmask[i]) {
+        if ((config[i] ^ s->config[i]) &
+            s->cmask[i] & ~s->wmask[i] & ~s->w1cmask[i]) {
             qemu_free(config);
             return -EINVAL;
         }
commit 6bde6aaac6f2af14557ef65f5eb053cb135ca173
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Oct 25 07:46:47 2010 +0200

    pcie: clean up hot plug notification
    
    Simplify logic for hotplug notification, by tracking state of the
    logical interrupt condition.  We then simply use this variable to make
    the interrupt decision, according to spec.
    
    API is made cleaner as we no longer force users to pass in
    old slot control value.
    
    Includes fixes by Isaku Yamahata.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/ioh3420.c b/hw/ioh3420.c
index 1f340d3..3cc129f 100644
--- a/hw/ioh3420.c
+++ b/hw/ioh3420.c
@@ -39,12 +39,9 @@
 static void ioh3420_write_config(PCIDevice *d,
                                    uint32_t address, uint32_t val, int len)
 {
-    uint16_t sltctl =
-        pci_get_word(d->config + d->exp.exp_cap + PCI_EXP_SLTCTL);
-
     pci_bridge_write_config(d, address, val, len);
     msi_write_config(d, address, val, len);
-    pcie_cap_slot_write_config(d, address, val, len, sltctl);
+    pcie_cap_slot_write_config(d, address, val, len);
     /* TODO: AER */
 }
 
@@ -142,6 +139,7 @@ static const VMStateDescription vmstate_ioh3420 = {
     .version_id = 1,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
+    .post_load = pcie_cap_slot_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_PCIE_DEVICE(port.br.dev, PCIESlot),
         /* TODO: AER */
diff --git a/hw/pcie.c b/hw/pcie.c
index bfccf5e..373e33e 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -140,6 +140,40 @@ void pcie_cap_deverr_reset(PCIDevice *dev)
                                  PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE);
 }
 
+static void hotplug_event_update_event_status(PCIDevice *dev)
+{
+    uint32_t pos = dev->exp.exp_cap;
+    uint8_t *exp_cap = dev->config + pos;
+    uint16_t sltctl = pci_get_word(exp_cap + PCI_EXP_SLTCTL);
+    uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
+
+    dev->exp.hpev_notified = (sltctl & PCI_EXP_SLTCTL_HPIE) &&
+        (sltsta & sltctl & PCI_EXP_HP_EV_SUPPORTED);
+}
+
+static void hotplug_event_notify(PCIDevice *dev)
+{
+    bool prev = dev->exp.hpev_notified;
+
+    hotplug_event_update_event_status(dev);
+
+    if (prev == dev->exp.hpev_notified) {
+        return;
+    }
+
+    /* Note: the logic above does not take into account whether interrupts
+     * are masked. The result is that interrupt will be sent when it is
+     * subsequently unmasked. This appears to be legal: Section 6.7.3.4:
+     * The Port may optionally send an MSI when there are hot-plug events that
+     * occur while interrupt generation is disabled, and interrupt generation is
+     * subsequently enabled. */
+    if (!pci_msi_enabled(dev)) {
+        qemu_set_irq(dev->irq[dev->exp.hpev_intx], dev->exp.hpev_notified);
+    } else if (dev->exp.hpev_notified) {
+        pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
+    }
+}
+
 /*
  * A PCI Express Hot-Plug Event has occured, so update slot status register
  * and notify OS of the event if necessary.
@@ -149,28 +183,12 @@ void pcie_cap_deverr_reset(PCIDevice *dev)
  */
 static void pcie_cap_slot_event(PCIDevice *dev, PCIExpressHotPlugEvent event)
 {
-    uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
-    uint16_t sltctl = pci_get_word(exp_cap + PCI_EXP_SLTCTL);
-    uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
-
-    PCIE_DEV_PRINTF(dev,
-                    "sltctl: 0x%02"PRIx16" sltsta: 0x%02"PRIx16" event: %x\n",
-                    sltctl, sltsta, event);
-
-    if (pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, event)) {
+    /* Minor optimization: if nothing changed - no event is needed. */
+    if (pci_word_test_and_set_mask(dev->config + dev->exp.exp_cap +
+                                   PCI_EXP_SLTSTA, event)) {
         return;
     }
-    sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
-    PCIE_DEV_PRINTF(dev, "sltsta -> %02"PRIx16"\n", sltsta);
-
-    if ((sltctl & PCI_EXP_SLTCTL_HPIE) &&
-        (sltctl & event & PCI_EXP_HP_EV_SUPPORTED)) {
-        if (pci_msi_enabled(dev)) {
-            pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
-        } else {
-            qemu_set_irq(dev->irq[dev->exp.hpev_intx], 1);
-        }
-    }
+    hotplug_event_notify(dev);
 }
 
 static int pcie_cap_slot_hotplug(DeviceState *qdev,
@@ -258,6 +276,8 @@ void pcie_cap_slot_init(PCIDevice *dev, uint16_t slot)
     pci_word_test_and_set_mask(dev->w1cmask + pos + PCI_EXP_SLTSTA,
                                PCI_EXP_HP_EV_SUPPORTED);
 
+    dev->exp.hpev_notified = false;
+
     pci_bus_hotplug(pci_bridge_get_sec_bus(DO_UPCAST(PCIBridge, dev, dev)),
                     pcie_cap_slot_hotplug, &dev->qdev);
 }
@@ -286,31 +306,21 @@ void pcie_cap_slot_reset(PCIDevice *dev)
                                  PCI_EXP_SLTSTA_CC |
                                  PCI_EXP_SLTSTA_PDC |
                                  PCI_EXP_SLTSTA_ABP);
+
+    hotplug_event_notify(dev);
 }
 
 void pcie_cap_slot_write_config(PCIDevice *dev,
-                                uint32_t addr, uint32_t val, int len,
-                                uint16_t sltctl_prev)
+                                uint32_t addr, uint32_t val, int len)
 {
     uint32_t pos = dev->exp.exp_cap;
     uint8_t *exp_cap = dev->config + pos;
-    uint16_t sltctl = pci_get_word(exp_cap + PCI_EXP_SLTCTL);
     uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
 
     if (!ranges_overlap(addr, len, pos + PCI_EXP_SLTCTL, 2)) {
         return;
     }
 
-    PCIE_DEV_PRINTF(dev,
-                    "addr: 0x%"PRIx32" val: 0x%"PRIx32" len: %d\n"
-                    "\tsltctl_prev: 0x%02"PRIx16" sltctl: 0x%02"PRIx16
-                    " sltsta: 0x%02"PRIx16"\n",
-                    addr, val, len, sltctl_prev, sltctl, sltsta);
-
-    /* SLTCTL */
-    PCIE_DEV_PRINTF(dev, "sltctl: 0x%02"PRIx16" -> 0x%02"PRIx16"\n",
-                    sltctl_prev, sltctl);
-
     if (pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTCTL,
                                      PCI_EXP_SLTCTL_EIC)) {
         sltsta ^= PCI_EXP_SLTSTA_EIS; /* toggle PCI_EXP_SLTSTA_EIS bit */
@@ -320,34 +330,7 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
                         sltsta);
     }
 
-    /*
-     * The events control bits might be enabled or disabled,
-     * Check if the software notificastion condition is satisfied
-     * or disatisfied.
-     *
-     * 6.7.3.4 Software Notification of Hot-plug events
-     */
-    if (pci_msi_enabled(dev)) {
-        bool msi_trigger =
-            (sltctl & PCI_EXP_SLTCTL_HPIE) &&
-            ((sltctl_prev ^ sltctl) & sltctl & /* stlctl: 0 -> 1 */
-             sltsta & PCI_EXP_HP_EV_SUPPORTED);
-        if (msi_trigger) {
-            pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
-        }
-    } else {
-        int int_level =
-            (sltctl & PCI_EXP_SLTCTL_HPIE) &&
-            (sltctl & sltsta & PCI_EXP_HP_EV_SUPPORTED);
-        qemu_set_irq(dev->irq[dev->exp.hpev_intx], int_level);
-    }
-
-    if (!((sltctl_prev ^ sltctl) & PCI_EXP_SLTCTL_SUPPORTED)) {
-        PCIE_DEV_PRINTF(dev,
-                        "sprious command completion slctl "
-                        "0x%"PRIx16" -> 0x%"PRIx16"\n",
-                        sltctl_prev, sltctl);
-    }
+    hotplug_event_notify(dev);
 
     /* 
      * 6.7.3.2 Command Completed Events
@@ -368,6 +351,13 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
     pcie_cap_slot_event(dev, PCI_EXP_HP_EV_CCI);
 }
 
+int pcie_cap_slot_post_load(void *opaque, int version_id)
+{
+    PCIDevice *dev = opaque;
+    hotplug_event_update_event_status(dev);
+    return 0;
+}
+
 void pcie_cap_slot_push_attention_button(PCIDevice *dev)
 {
     pcie_cap_slot_event(dev, PCI_EXP_HP_EV_ABP);
diff --git a/hw/pcie.h b/hw/pcie.h
index 2871e27..8708504 100644
--- a/hw/pcie.h
+++ b/hw/pcie.h
@@ -74,6 +74,11 @@ struct PCIExpressDevice {
                                  * also initialize it when loaded as
                                  * appropreately.
                                  */
+    bool hpev_notified; /* Logical AND of conditions for hot plug event.
+                         Following 6.7.3.4:
+                         Software Notification of Hot-Plug Events, an interrupt
+                         is sent whenever the logical and of these conditions
+                         transitions from false to true. */
 };
 
 /* PCI express capability helper functions */
@@ -89,8 +94,8 @@ void pcie_cap_deverr_reset(PCIDevice *dev);
 void pcie_cap_slot_init(PCIDevice *dev, uint16_t slot);
 void pcie_cap_slot_reset(PCIDevice *dev);
 void pcie_cap_slot_write_config(PCIDevice *dev,
-                                uint32_t addr, uint32_t val, int len,
-                                uint16_t sltctl_prev);
+                                uint32_t addr, uint32_t val, int len);
+int pcie_cap_slot_post_load(void *opaque, int version_id);
 void pcie_cap_slot_push_attention_button(PCIDevice *dev);
 
 void pcie_cap_root_init(PCIDevice *dev);
diff --git a/hw/xio3130_downstream.c b/hw/xio3130_downstream.c
index a44e188..854eba8 100644
--- a/hw/xio3130_downstream.c
+++ b/hw/xio3130_downstream.c
@@ -38,12 +38,9 @@
 static void xio3130_downstream_write_config(PCIDevice *d, uint32_t address,
                                          uint32_t val, int len)
 {
-    uint16_t sltctl =
-        pci_get_word(d->config + d->exp.exp_cap + PCI_EXP_SLTCTL);
-
     pci_bridge_write_config(d, address, val, len);
     pcie_cap_flr_write_config(d, address, val, len);
-    pcie_cap_slot_write_config(d, address, val, len, sltctl);
+    pcie_cap_slot_write_config(d, address, val, len);
     msi_write_config(d, address, val, len);
     /* TODO: AER */
 }
@@ -144,6 +141,7 @@ static const VMStateDescription vmstate_xio3130_downstream = {
     .version_id = 1,
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
+    .post_load = pcie_cap_slot_post_load,
     .fields = (VMStateField[]) {
         VMSTATE_PCIE_DEVICE(port.br.dev, PCIESlot),
         /* TODO: AER */
commit ac0cdda347abee6c1aa8a08a7441fc52c6d7badc
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Oct 25 07:03:24 2010 +0200

    pcie: simplify range check
    
    Simplify code slighly by reversing the polarity
    for the range check
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pcie.c b/hw/pcie.c
index 881af78..bfccf5e 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -19,6 +19,7 @@
  */
 
 #include "sysemu.h"
+#include "range.h"
 #include "pci_bridge.h"
 #include "pcie.h"
 #include "msix.h"
@@ -296,6 +297,10 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
     uint16_t sltctl = pci_get_word(exp_cap + PCI_EXP_SLTCTL);
     uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
 
+    if (!ranges_overlap(addr, len, pos + PCI_EXP_SLTCTL, 2)) {
+        return;
+    }
+
     PCIE_DEV_PRINTF(dev,
                     "addr: 0x%"PRIx32" val: 0x%"PRIx32" len: %d\n"
                     "\tsltctl_prev: 0x%02"PRIx16" sltctl: 0x%02"PRIx16
@@ -303,59 +308,64 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
                     addr, val, len, sltctl_prev, sltctl, sltsta);
 
     /* SLTCTL */
-    if (ranges_overlap(addr, len, pos + PCI_EXP_SLTCTL, 2)) {
-        PCIE_DEV_PRINTF(dev, "sltctl: 0x%02"PRIx16" -> 0x%02"PRIx16"\n",
-                        sltctl_prev, sltctl);
-        if (pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTCTL,
-                                         PCI_EXP_SLTCTL_EIC)) {
-            sltsta ^= PCI_EXP_SLTSTA_EIS; /* toggle PCI_EXP_SLTSTA_EIS bit */
-            pci_set_word(exp_cap + PCI_EXP_SLTSTA, sltsta);
-            PCIE_DEV_PRINTF(dev, "PCI_EXP_SLTCTL_EIC: "
-                            "sltsta -> 0x%02"PRIx16"\n",
-                            sltsta);
-        }
-
-        /*
-         * The events control bits might be enabled or disabled,
-         * Check if the software notificastion condition is satisfied
-         * or disatisfied.
-         *
-         * 6.7.3.4 Software Notification of Hot-plug events
-         */
-        if (pci_msi_enabled(dev)) {
-            bool msi_trigger =
-                (sltctl & PCI_EXP_SLTCTL_HPIE) &&
-                ((sltctl_prev ^ sltctl) & sltctl & /* stlctl: 0 -> 1 */
-                 sltsta & PCI_EXP_HP_EV_SUPPORTED);
-            if (msi_trigger) {
-                pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
-            }
-        } else {
-            int int_level =
-                (sltctl & PCI_EXP_SLTCTL_HPIE) &&
-                (sltctl & sltsta & PCI_EXP_HP_EV_SUPPORTED);
-            qemu_set_irq(dev->irq[dev->exp.hpev_intx], int_level);
-        }
+    PCIE_DEV_PRINTF(dev, "sltctl: 0x%02"PRIx16" -> 0x%02"PRIx16"\n",
+                    sltctl_prev, sltctl);
+
+    if (pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTCTL,
+                                     PCI_EXP_SLTCTL_EIC)) {
+        sltsta ^= PCI_EXP_SLTSTA_EIS; /* toggle PCI_EXP_SLTSTA_EIS bit */
+        pci_set_word(exp_cap + PCI_EXP_SLTSTA, sltsta);
+        PCIE_DEV_PRINTF(dev, "PCI_EXP_SLTCTL_EIC: "
+                        "sltsta -> 0x%02"PRIx16"\n",
+                        sltsta);
+    }
 
-        if (!((sltctl_prev ^ sltctl) & PCI_EXP_SLTCTL_SUPPORTED)) {
-            PCIE_DEV_PRINTF(dev,
-                            "sprious command completion slctl "
-                            "0x%"PRIx16" -> 0x%"PRIx16"\n",
-                            sltctl_prev, sltctl);
+    /*
+     * The events control bits might be enabled or disabled,
+     * Check if the software notificastion condition is satisfied
+     * or disatisfied.
+     *
+     * 6.7.3.4 Software Notification of Hot-plug events
+     */
+    if (pci_msi_enabled(dev)) {
+        bool msi_trigger =
+            (sltctl & PCI_EXP_SLTCTL_HPIE) &&
+            ((sltctl_prev ^ sltctl) & sltctl & /* stlctl: 0 -> 1 */
+             sltsta & PCI_EXP_HP_EV_SUPPORTED);
+        if (msi_trigger) {
+            pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
         }
+    } else {
+        int int_level =
+            (sltctl & PCI_EXP_SLTCTL_HPIE) &&
+            (sltctl & sltsta & PCI_EXP_HP_EV_SUPPORTED);
+        qemu_set_irq(dev->irq[dev->exp.hpev_intx], int_level);
+    }
 
-        /* command completion.
-         * Real hardware might take a while to complete
-         * requested command because physical movement would be involved
-         * like locking the electromechanical lock.
-         * However in our case, command is completed instantaneously above,
-         * so send a command completion event right now.
-         *
-         * 6.7.3.2 Command Completed Events
-         */
-        /* set command completed bit */
-        pcie_cap_slot_event(dev, PCI_EXP_HP_EV_CCI);
+    if (!((sltctl_prev ^ sltctl) & PCI_EXP_SLTCTL_SUPPORTED)) {
+        PCIE_DEV_PRINTF(dev,
+                        "sprious command completion slctl "
+                        "0x%"PRIx16" -> 0x%"PRIx16"\n",
+                        sltctl_prev, sltctl);
     }
+
+    /* 
+     * 6.7.3.2 Command Completed Events
+     *
+     * Software issues a command to a hot-plug capable Downstream Port by
+     * issuing a write transaction that targets any portion of the Port’s Slot
+     * Control register. A single write to the Slot Control register is
+     * considered to be a single command, even if the write affects more than
+     * one field in the Slot Control register. In response to this transaction,
+     * the Port must carry out the requested actions and then set the
+     * associated status field for the command completed event. */
+
+    /* Real hardware might take a while to complete requested command because
+     * physical movement would be involved like locking the electromechanical
+     * lock.  However in our case, command is completed instantaneously above,
+     * so send a command completion event right now.
+     */
+    pcie_cap_slot_event(dev, PCI_EXP_HP_EV_CCI);
 }
 
 void pcie_cap_slot_push_attention_button(PCIDevice *dev)
commit 5afb9869171c15c777eee09bc98624221009555f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    Introduce range.h
    
    Extract range functions from pci.h. These will be used by later patches
    by non-PCI devices. Adjust current users.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>
    (cherry picked from commit bf1b00712375bea65f2254dea8281fa646eebbd5)

diff --git a/hw/msi.c b/hw/msi.c
index a949d82..0f2913a 100644
--- a/hw/msi.c
+++ b/hw/msi.c
@@ -19,6 +19,7 @@
  */
 
 #include "msi.h"
+#include "range.h"
 
 /* Eventually those constants should go to Linux pci_regs.h */
 #define PCI_MSI_PENDING_32      0x10
diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 7e8488a..58cc2e4 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -31,6 +31,7 @@
 
 #include "pci_bridge.h"
 #include "pci_internals.h"
+#include "range.h"
 
 /* PCI bridge subsystem vendor ID helper functions */
 #define PCI_SSVID_SIZEOF        8
diff --git a/hw/pcie.c b/hw/pcie.c
index 53d1fce..881af78 100644
--- a/hw/pcie.c
+++ b/hw/pcie.c
@@ -25,6 +25,7 @@
 #include "msi.h"
 #include "pci_internals.h"
 #include "pcie_regs.h"
+#include "range.h"
 
 //#define DEBUG_PCIE
 #ifdef DEBUG_PCIE
commit df2943ba3c73ca21dbda063f15fa3e80064af864
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Oct 26 17:53:41 2010 +0200

    qemu-options.def: add to generated header list
    
    All files include qemu-options.h which pulls in qemu-options.def from
    the root directory.  Thus generating qemu-options.def from Makefile.objs
    under the target directory is not effective.
    
    Further, people expect .def file to get cleaned with make clean:
    it does not have state so no reason to defer removing it
    until distclean. Also add a rule to remove old files that might
    be around.
    
    This fixes the error: ‘QEMU_OPTION_spice’ undeclared
    (first use in this function) error that some people reported
    which is really down to an out of date .def file.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile b/Makefile
index a1434b1..cf8f48a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # Makefile for QEMU.
 
-GENERATED_HEADERS = config-host.h trace.h
+GENERATED_HEADERS = config-host.h trace.h qemu-options.def
 
 ifneq ($(wildcard config-host.mak),)
 # Put the all: rule here so that config-host.mak can contain dependencies.
@@ -71,6 +71,8 @@ build-all: $(DOCS) $(TOOLS) recurse-all
 
 config-host.h: config-host.h-timestamp
 config-host.h-timestamp: config-host.mak
+qemu-options.def: qemu-options.hx
+	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
 
 SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
 
@@ -150,6 +152,7 @@ check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjs
 clean:
 # avoid old build problems by removing potentially incorrect old files
 	rm -f config.mak op-i386.h opc-i386.h gen-op-i386.h op-arm.h opc-arm.h gen-op-arm.h
+	rm -f qemu-options.def
 	rm -f *.o *.d *.a $(TOOLS) TAGS cscope.* *.pod *~ */*~
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d net/*.o net/*.d fsdev/*.o fsdev/*.d ui/*.o ui/*.d
 	rm -f qemu-img-cmds.h
@@ -157,11 +160,11 @@ clean:
 	$(MAKE) -C tests clean
 	for d in $(ALL_SUBDIRS) libhw32 libhw64 libuser libdis libdis-user; do \
 	if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
+	rm -f $$d/qemu-options.def; \
         done
 
 distclean: clean
 	rm -f config-host.mak config-host.h* config-host.ld $(DOCS) qemu-options.texi qemu-img-cmds.texi qemu-monitor.texi
-	rm -f qemu-options.def
 	rm -f config-all-devices.mak
 	rm -f roms/seabios/config.mak roms/vgabios/config.mak
 	rm -f qemu-doc.info qemu-doc.aux qemu-doc.cp qemu-doc.dvi qemu-doc.fn qemu-doc.info qemu-doc.ky qemu-doc.log qemu-doc.pdf qemu-doc.pg qemu-doc.toc qemu-doc.tp qemu-doc.vr
diff --git a/Makefile.objs b/Makefile.objs
index f07fb01..231219c 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -285,10 +285,3 @@ vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
 vl.o: QEMU_CFLAGS+=$(SDL_CFLAGS)
 
-vl.o: qemu-options.def
-os-posix.o: qemu-options.def
-os-win32.o: qemu-options.def
-
-qemu-options.def: $(SRC_PATH)/qemu-options.hx
-	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
-
commit f7c31d6381f2cbac03e82fc23133f6863606edd8
Author: Jason Wang <jasowang at redhat.com>
Date:   Mon Oct 25 13:39:59 2010 +0800

    net: properly handle illegal fd/vhostfd from command line
    
    When hanlding fd/vhostfd form command line through net_handle_fd_param(),
    we need to check mon and return value of strtol() otherwise we could
    get segmentation fault or invalid fd when user type an illegal fd/vhostfd.
    
    This patch is based on the suggestions from
    Luiz Capitulino <lcapitulino at redhat.com>.
    
    Signed-off-by: Jason Wang <jasowang at redhat.com>
    Reviewed-by: Luiz Capitulino <lcapitulino at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net.c b/net.c
index ed74c7f..c5e6063 100644
--- a/net.c
+++ b/net.c
@@ -774,19 +774,25 @@ int qemu_find_nic_model(NICInfo *nd, const char * const *models,
 
 int net_handle_fd_param(Monitor *mon, const char *param)
 {
-    if (!qemu_isdigit(param[0])) {
-        int fd;
+    int fd;
+
+    if (!qemu_isdigit(param[0]) && mon) {
 
         fd = monitor_get_fd(mon, param);
         if (fd == -1) {
             error_report("No file descriptor named %s found", param);
             return -1;
         }
-
-        return fd;
     } else {
-        return strtol(param, NULL, 0);
+        char *endptr = NULL;
+
+        fd = strtol(param, &endptr, 10);
+        if (*endptr || (fd == 0 && param == endptr)) {
+            return -1;
+        }
     }
+
+    return fd;
 }
 
 static int net_init_nic(QemuOpts *opts,
commit 258dc7c96bb4b7ca71d5bee811e73933310e168c
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Sun Oct 17 20:23:48 2010 +0200

    virtio: sanity-check available index
    
    Checking available index upon load instead of
    only when vm is running makes is easier to
    debug failures.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index c8a0fc6..a2a657e 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -681,6 +681,7 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
     uint32_t features;
     uint32_t supported_features =
         vdev->binding->get_features(vdev->binding_opaque);
+    uint16_t num_heads;
 
     if (vdev->binding->load_config) {
         ret = vdev->binding->load_config(vdev->binding_opaque, f);
@@ -713,6 +714,16 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
         if (vdev->vq[i].pa) {
             virtqueue_init(&vdev->vq[i]);
         }
+	num_heads = vring_avail_idx(&vdev->vq[i]) - vdev->vq[i].last_avail_idx;
+	/* Check it isn't doing very strange things with descriptor numbers. */
+	if (num_heads > vdev->vq[i].vring.num) {
+		fprintf(stderr, "VQ %d size 0x%x Guest index 0x%x "
+                        "inconsistent with Host index 0x%x: delta 0x%x\n",
+			i, vdev->vq[i].vring.num,
+                        vring_avail_idx(&vdev->vq[i]),
+                        vdev->vq[i].last_avail_idx, num_heads);
+		return -1;
+	}
         if (vdev->binding->load_queue) {
             ret = vdev->binding->load_queue(vdev->binding_opaque, i, f);
             if (ret)
commit 492fb99c4bef274a71178f5fab9b700c469a4230
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Sun Oct 17 20:43:40 2010 +0200

    migration: don't segfault on invalid input
    
    host_from_stream_offset returns NULL on error,
    return error instead of trying to use that address,
    to avoid segfault on invalid stream.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/arch_init.c b/arch_init.c
index a910033..4caadd0 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -390,6 +390,9 @@ int ram_load(QEMUFile *f, void *opaque, int version_id)
                 host = qemu_get_ram_ptr(addr);
             else
                 host = host_from_stream_offset(f, addr, flags);
+            if (!host) {
+                return -EINVAL;
+            }
 
             ch = qemu_get_byte(f);
             memset(host, ch, TARGET_PAGE_SIZE);
commit 174b2877b0f6a607f994f7a5b9b9a36caaff5d75
Merge: 21bcc59... 46c7fc1...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Oct 26 09:51:03 2010 -0500

    Merge remote branch 'qmp/for-anthony' into staging

commit 21bcc5907f4c4a8acffcda8b6662710784cba388
Merge: 758c309... 8c269b5...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Oct 26 09:50:58 2010 -0500

    Merge remote branch 'kwolf/for-anthony' into staging

commit 758c309f0a5cb52441a1ee015566cf9cd96fa933
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Oct 25 16:06:45 2010 -0500

    seabios: Update to 0.6.1
    
     - 0ff9051 Update version to 0.6.1
     - 9c000e6 Support Samsung SE-S084 USB DVD drive (and probably many others)
     - eebe949 pciinit: remove unused variable, old_addr, in pci_set_io_region_addr().
     - 06644f4 Minor - indentation change to jpeg.c.
     - 2dcd9fa Enhance tools/readserial.py to support reading from a pipe.
     - 7ce09ae Make tools/transdump.py more resilient to unknown input.
     - 6039fc5 Update qemu_cfg_read to use "rep insb".
     - 9a01a9c Only show bootsplash during boot menu.
     - 5feb83c add write support to virtio-blk
     - 22f6378 Don't try to talk to APIC on 486
     - e2074bf Add ACPI SSDT/DSDT support for CPU hotplug.
     - eb6dc78 Add additional debug status messages to bootsplash code.
     - c8e4e88 Allow qemu to use bootsplash code via fwcfg interface.
     - 597040d Add tools/trandump.py tool for converting hexdump() output.
     - 48f5f8b Default bootsplash on (for coreboot users).
     - 8d85eb1 Autodetect video mode based on bootsplash jpeg dimensions.
     - b2b9d4a Rename "decdata" to "jpeg" in bootsplash - to be consistent with jpeg.c.
     - bbc4722 Breakup jpeg_decode into parsing and displaying phases.
     - 2976dd4 Avoid using BSS variables in jpeg.c.
     - cc9e1bf Add FUNC16() helper macro for converting a 16bit func to a segoff_s.
     - b4525a0 Handle unaligned sizes in iomemcpy().
     - 0e27e19 Cleanup bootsplash vesa signature detection.
     - cadaf0e Be sure to disable bootsplash on all BIOS boot cases.
     - 2641186 Add call16_int10 helper to bootsplash.c.
     - 6dc76f4 Don't do "double buffering" in bootsplash code.
     - 227dc3e Check that malloc succeeds in bootsplash code.
     - a576c9c Bootsplash fixes and cleanups.
     - 9fd4851 Minor - clarify bit logic in mptable.c.
     - abf31d3 Fix integer truncating bug in calc_future_timer().
     - 1d5c333 seabios: pciinit: fix 64bit bar initilization.
     - ae6924d Minor - introduce GDT_GRANLIMIT macro.
     - 0f78889 Avoid code addresses >64K in big real mode.
     - aec19c9 seabios: smm: move out piix4 specific smram logic to dev-i440fx.c
     - 08328e7 seabios: shadow: make device finding more generic.
     - 4c67f90 seabios: acpi: clean up of finding pm device.
     - fe54a53 seabios: acpi: split out piix4 pm logic.
     - d06afb4 seabios: acpi: move acpi definitions to acpi.h from acpi.c
     - 2f54bb4 seabios: acpi: move out endian conversion helper function.
     - 23173ac seabios: pci: introduce helper function to find device from table and initialize it.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/pc-bios/bios.bin b/pc-bios/bios.bin
index d0d4b6a..f79c342 100644
Binary files a/pc-bios/bios.bin and b/pc-bios/bios.bin differ
diff --git a/roms/seabios b/roms/seabios
index 17d3e46..0ff9051 160000
--- a/roms/seabios
+++ b/roms/seabios
@@ -1 +1 @@
-Subproject commit 17d3e46511aeedc9f09a8216d194d749187b80aa
+Subproject commit 0ff9051f756ba739bc2edca77925191c3c6cbc2f
commit 013ddf74dd9ac698d0206effdf268c8768959099
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Sat Oct 23 20:05:29 2010 -0200

    qemu-kvm: use upstream msr save/restore code
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 9813f47..ec7d419 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -28,10 +28,6 @@
 
 static struct kvm_msr_list *kvm_msr_list;
 extern unsigned int kvm_shadow_memory;
-static int kvm_has_msr_star;
-static int kvm_has_vm_hsave_pa;
-
-static int _lm_capable_kernel;
 
 int kvm_set_tss_addr(kvm_context_t kvm, unsigned long addr)
 {
@@ -358,31 +354,6 @@ static struct kvm_msr_list *kvm_get_msr_list(void)
     return msrs;
 }
 
-int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
-{
-    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
-    int r;
-
-    kmsrs->nmsrs = n;
-    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
-    r = kvm_vcpu_ioctl(env, KVM_GET_MSRS, kmsrs);
-    memcpy(msrs, kmsrs->entries, n * sizeof *msrs);
-    free(kmsrs);
-    return r;
-}
-
-int kvm_set_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
-{
-    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
-    int r;
-
-    kmsrs->nmsrs = n;
-    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
-    r = kvm_vcpu_ioctl(env, KVM_SET_MSRS, kmsrs);
-    free(kmsrs);
-    return r;
-}
-
 static void print_seg(FILE *file, const char *name, struct kvm_segment *seg)
 {
     fprintf(stderr,
@@ -558,11 +529,11 @@ static const VMStateDescription vmstate_kvmclock= {
 
 int kvm_arch_qemu_create_context(void)
 {
-    int i, r;
+    int r;
     struct utsname utsname;
 
     uname(&utsname);
-    _lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
+    lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
 
     if (kvm_shadow_memory) {
         kvm_set_shadow_pages(kvm_context, kvm_shadow_memory);
@@ -572,14 +543,6 @@ int kvm_arch_qemu_create_context(void)
     if (!kvm_msr_list) {
         return -1;
     }
-    for (i = 0; i < kvm_msr_list->nmsrs; ++i) {
-        if (kvm_msr_list->indices[i] == MSR_STAR) {
-            kvm_has_msr_star = 1;
-        }
-        if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA) {
-            kvm_has_vm_hsave_pa = 1;
-        }
-    }
 
 #ifdef KVM_CAP_ADJUST_CLOCK
     if (kvm_check_extension(kvm_state, KVM_CAP_ADJUST_CLOCK)) {
@@ -595,70 +558,6 @@ int kvm_arch_qemu_create_context(void)
     return 0;
 }
 
-/* returns 0 on success, non-0 on failure */
-static int get_msr_entry(struct kvm_msr_entry *entry, CPUState *env)
-{
-    switch (entry->index) {
-    case MSR_IA32_SYSENTER_CS:
-        env->sysenter_cs  = entry->data;
-        break;
-    case MSR_IA32_SYSENTER_ESP:
-        env->sysenter_esp = entry->data;
-        break;
-    case MSR_IA32_SYSENTER_EIP:
-        env->sysenter_eip = entry->data;
-        break;
-    case MSR_STAR:
-        env->star         = entry->data;
-        break;
-#ifdef TARGET_X86_64
-    case MSR_CSTAR:
-        env->cstar        = entry->data;
-        break;
-    case MSR_KERNELGSBASE:
-        env->kernelgsbase = entry->data;
-        break;
-    case MSR_FMASK:
-        env->fmask        = entry->data;
-        break;
-    case MSR_LSTAR:
-        env->lstar        = entry->data;
-        break;
-#endif
-    case MSR_IA32_TSC:
-        env->tsc          = entry->data;
-        break;
-    case MSR_VM_HSAVE_PA:
-        env->vm_hsave     = entry->data;
-        break;
-    case MSR_KVM_SYSTEM_TIME:
-        env->system_time_msr = entry->data;
-        break;
-    case MSR_KVM_WALL_CLOCK:
-        env->wall_clock_msr = entry->data;
-        break;
-#ifdef KVM_CAP_MCE
-    case MSR_MCG_STATUS:
-        env->mcg_status = entry->data;
-        break;
-    case MSR_MCG_CTL:
-        env->mcg_ctl = entry->data;
-        break;
-#endif
-    default:
-#ifdef KVM_CAP_MCE
-        if (entry->index >= MSR_MC0_CTL &&
-            entry->index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
-            env->mce_banks[entry->index - MSR_MC0_CTL] = entry->data;
-            break;
-        }
-#endif
-        printf("Warning unknown msr index 0x%x\n", entry->index);
-        return 1;
-    }
-    return 0;
-}
-
 static void kvm_arch_save_mpstate(CPUState *env)
 {
 #ifdef KVM_CAP_MP_STATE
@@ -719,8 +618,7 @@ static void kvm_reset_mpstate(CPUState *env)
 
 void kvm_arch_load_regs(CPUState *env, int level)
 {
-    struct kvm_msr_entry msrs[100];
-    int rc, n, i;
+    int rc;
 
     assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 
@@ -730,56 +628,10 @@ void kvm_arch_load_regs(CPUState *env, int level)
     kvm_put_xcrs(env);
 
     kvm_put_sregs(env);
-    /* msrs */
-    n = 0;
-    /* Remember to increase msrs size if you add new registers below */
-    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS,  env->sysenter_cs);
-    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
-    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
-    if (kvm_has_msr_star) {
-        kvm_msr_entry_set(&msrs[n++], MSR_STAR,              env->star);
-    }
-    if (kvm_has_vm_hsave_pa) {
-        kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
-    }
-#ifdef TARGET_X86_64
-    if (_lm_capable_kernel) {
-        kvm_msr_entry_set(&msrs[n++], MSR_CSTAR,             env->cstar);
-        kvm_msr_entry_set(&msrs[n++], MSR_KERNELGSBASE,      env->kernelgsbase);
-        kvm_msr_entry_set(&msrs[n++], MSR_FMASK,             env->fmask);
-        kvm_msr_entry_set(&msrs[n++], MSR_LSTAR  ,           env->lstar);
-    }
-#endif
-    if (level == KVM_PUT_FULL_STATE) {
-        /*
-         * KVM is yet unable to synchronize TSC values of multiple VCPUs on
-         * writeback. Until this is fixed, we only write the offset to SMP
-         * guests after migration, desynchronizing the VCPUs, but avoiding
-         * huge jump-backs that would occur without any writeback at all.
-         */
-        if (smp_cpus == 1 || env->tsc != 0) {
-            kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSC, env->tsc);
-        }
-        kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME, env->system_time_msr);
-        kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
-    }
-#ifdef KVM_CAP_MCE
-    if (env->mcg_cap) {
-        if (level == KVM_PUT_RESET_STATE) {
-            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
-        } else if (level == KVM_PUT_FULL_STATE) {
-            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
-            kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
-            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++) {
-                kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
-            }
-        }
-    }
-#endif
 
-    rc = kvm_set_msrs(env, msrs, n);
-    if (rc == -1) {
-        perror("kvm_set_msrs FAILED");
+    rc = kvm_put_msrs(env, level);
+    if (rc < 0) {
+        perror("kvm__msrs FAILED");
     }
 
     if (level >= KVM_PUT_RESET_STATE) {
@@ -801,8 +653,7 @@ void kvm_arch_load_regs(CPUState *env, int level)
 
 void kvm_arch_save_regs(CPUState *env)
 {
-    struct kvm_msr_entry msrs[100];
-    uint32_t i, n, rc;
+    int rc;
 
     assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 
@@ -813,49 +664,11 @@ void kvm_arch_save_regs(CPUState *env)
 
     kvm_get_sregs(env);
 
-    /* msrs */
-    n = 0;
-    /* Remember to increase msrs size if you add new registers below */
-    msrs[n++].index = MSR_IA32_SYSENTER_CS;
-    msrs[n++].index = MSR_IA32_SYSENTER_ESP;
-    msrs[n++].index = MSR_IA32_SYSENTER_EIP;
-    if (kvm_has_msr_star) {
-        msrs[n++].index = MSR_STAR;
-    }
-    msrs[n++].index = MSR_IA32_TSC;
-    if (kvm_has_vm_hsave_pa)
-        msrs[n++].index = MSR_VM_HSAVE_PA;
-#ifdef TARGET_X86_64
-    if (_lm_capable_kernel) {
-        msrs[n++].index = MSR_CSTAR;
-        msrs[n++].index = MSR_KERNELGSBASE;
-        msrs[n++].index = MSR_FMASK;
-        msrs[n++].index = MSR_LSTAR;
-    }
-#endif
-    msrs[n++].index = MSR_KVM_SYSTEM_TIME;
-    msrs[n++].index = MSR_KVM_WALL_CLOCK;
-
-#ifdef KVM_CAP_MCE
-    if (env->mcg_cap) {
-        msrs[n++].index = MSR_MCG_STATUS;
-        msrs[n++].index = MSR_MCG_CTL;
-        for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
-            msrs[n++].index = MSR_MC0_CTL + i;
-    }
-#endif
-
-    rc = kvm_get_msrs(env, msrs, n);
-    if (rc == -1) {
+    rc = kvm_get_msrs(env);
+    if (rc < 0) {
         perror("kvm_get_msrs FAILED");
-    } else {
-        n = rc; /* actual number of MSRs */
-        for (i=0 ; i<n; i++) {
-            if (get_msr_entry(&msrs[i], env)) {
-                return;
-            }
-        }
     }
+
     kvm_arch_save_mpstate(env);
     kvm_save_lapic(env);
     kvm_get_vcpu_events(env);
diff --git a/qemu-kvm.h b/qemu-kvm.h
index e1ba7c7..0f3fb50 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -97,8 +97,6 @@ int handle_io_window(kvm_context_t kvm);
 int try_push_interrupts(kvm_context_t kvm);
 
 #if defined(__x86_64__) || defined(__i386__)
-int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n);
-int kvm_set_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n);
 struct kvm_x86_mce;
 #endif
 
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 64a6202..b7b2430 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -54,9 +54,7 @@
 #define BUS_MCEERR_AO 5
 #endif
 
-#ifdef OBSOLETE_KVM_IMPL
 static int lm_capable_kernel;
-#endif
 
 #ifdef KVM_CAP_EXT_CPUID
 
@@ -456,7 +454,6 @@ void kvm_arch_reset_vcpu(CPUState *env)
         env->mp_state = KVM_MP_STATE_RUNNABLE;
     }
 }
-#ifdef OBSOLETE_KVM_IMPL
 
 int has_msr_star;
 int has_msr_hsave_pa;
@@ -520,6 +517,7 @@ static int kvm_has_msr_star(CPUState *env)
     return has_msr_star;
 }
 
+#ifdef OBSOLETE_KVM_IMPL
 static int kvm_init_identity_map_page(KVMState *s)
 {
 #ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
@@ -821,7 +819,6 @@ static void kvm_msr_entry_set(struct kvm_msr_entry *entry,
     entry->data = value;
 }
 
-#ifdef OBSOLETE_KVM_IMPL
 static int kvm_put_msrs(CPUState *env, int level)
 {
     struct {
@@ -880,8 +877,6 @@ static int kvm_put_msrs(CPUState *env, int level)
 
 }
 
-#endif
-
 static int kvm_get_fpu(CPUState *env)
 {
     struct kvm_fpu fpu;
@@ -1058,8 +1053,6 @@ static int kvm_get_sregs(CPUState *env)
     return 0;
 }
 
-#ifdef OBSOLETE_KVM_IMPL
-
 static int kvm_get_msrs(CPUState *env)
 {
     struct {
@@ -1144,9 +1137,6 @@ static int kvm_get_msrs(CPUState *env)
         case MSR_KVM_WALL_CLOCK:
             env->wall_clock_msr = msrs[i].data;
             break;
-        case MSR_VM_HSAVE_PA:
-            env->vm_hsave = msrs[i].data;
-            break;
 #ifdef KVM_CAP_MCE
         case MSR_MCG_STATUS:
             env->mcg_status = msrs[i].data;
@@ -1169,6 +1159,7 @@ static int kvm_get_msrs(CPUState *env)
     return 0;
 }
 
+#ifdef OBSOLETE_KVM_IMPL
 static int kvm_put_mp_state(CPUState *env)
 {
     struct kvm_mp_state mp_state = { .mp_state = env->mp_state };
commit d6d32e5c7092491e280c5c34078721ef148e9333
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Sat Oct 23 20:05:28 2010 -0200

    qemu-kvm: use upstream regs save/restore code
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 45c6aae..9813f47 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -719,35 +719,12 @@ static void kvm_reset_mpstate(CPUState *env)
 
 void kvm_arch_load_regs(CPUState *env, int level)
 {
-    struct kvm_regs regs;
     struct kvm_msr_entry msrs[100];
     int rc, n, i;
 
     assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 
-    regs.rax = env->regs[R_EAX];
-    regs.rbx = env->regs[R_EBX];
-    regs.rcx = env->regs[R_ECX];
-    regs.rdx = env->regs[R_EDX];
-    regs.rsi = env->regs[R_ESI];
-    regs.rdi = env->regs[R_EDI];
-    regs.rsp = env->regs[R_ESP];
-    regs.rbp = env->regs[R_EBP];
-#ifdef TARGET_X86_64
-    regs.r8 = env->regs[8];
-    regs.r9 = env->regs[9];
-    regs.r10 = env->regs[10];
-    regs.r11 = env->regs[11];
-    regs.r12 = env->regs[12];
-    regs.r13 = env->regs[13];
-    regs.r14 = env->regs[14];
-    regs.r15 = env->regs[15];
-#endif
-
-    regs.rflags = env->eflags;
-    regs.rip = env->eip;
-
-    kvm_set_regs(env, &regs);
+    kvm_getput_regs(env, 1);
 
     kvm_put_xsave(env);
     kvm_put_xcrs(env);
@@ -824,35 +801,12 @@ void kvm_arch_load_regs(CPUState *env, int level)
 
 void kvm_arch_save_regs(CPUState *env)
 {
-    struct kvm_regs regs;
     struct kvm_msr_entry msrs[100];
     uint32_t i, n, rc;
 
     assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 
-    kvm_get_regs(env, &regs);
-
-    env->regs[R_EAX] = regs.rax;
-    env->regs[R_EBX] = regs.rbx;
-    env->regs[R_ECX] = regs.rcx;
-    env->regs[R_EDX] = regs.rdx;
-    env->regs[R_ESI] = regs.rsi;
-    env->regs[R_EDI] = regs.rdi;
-    env->regs[R_ESP] = regs.rsp;
-    env->regs[R_EBP] = regs.rbp;
-#ifdef TARGET_X86_64
-    env->regs[8] = regs.r8;
-    env->regs[9] = regs.r9;
-    env->regs[10] = regs.r10;
-    env->regs[11] = regs.r11;
-    env->regs[12] = regs.r12;
-    env->regs[13] = regs.r13;
-    env->regs[14] = regs.r14;
-    env->regs[15] = regs.r15;
-#endif
-
-    env->eflags = regs.rflags;
-    env->eip = regs.rip;
+    kvm_getput_regs(env, 0);
 
     kvm_get_xsave(env);
     kvm_get_xcrs(env);
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 1e98a2e..64a6202 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -630,7 +630,6 @@ static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
 	| (rhs->avl * DESC_AVL_MASK);
 }
 
-#ifdef OBSOLETE_KVM_IMPL
 
 static void kvm_getput_reg(__u64 *kvm_reg, target_ulong *qemu_reg, int set)
 {
@@ -679,8 +678,6 @@ static int kvm_getput_regs(CPUState *env, int set)
     return ret;
 }
 
-#endif
-
 static int kvm_put_fpu(CPUState *env)
 {
     struct kvm_fpu fpu;
commit 037f32543ca2d1915e7859b16060ac075c4bd738
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Sat Oct 23 20:05:27 2010 -0200

    qemu-kvm: use upstream sregs save/restore code
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 64bfac6..45c6aae 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -709,55 +709,6 @@ static void kvm_reset_mpstate(CPUState *env)
 #endif
 }
 
-static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
-{
-    lhs->selector = rhs->selector;
-    lhs->base = rhs->base;
-    lhs->limit = rhs->limit;
-    lhs->type = 3;
-    lhs->present = 1;
-    lhs->dpl = 3;
-    lhs->db = 0;
-    lhs->s = 1;
-    lhs->l = 0;
-    lhs->g = 0;
-    lhs->avl = 0;
-    lhs->unusable = 0;
-}
-
-static void set_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
-{
-    unsigned flags = rhs->flags;
-    lhs->selector = rhs->selector;
-    lhs->base = rhs->base;
-    lhs->limit = rhs->limit;
-    lhs->type = (flags >> DESC_TYPE_SHIFT) & 15;
-    lhs->present = (flags & DESC_P_MASK) != 0;
-    lhs->dpl = rhs->selector & 3;
-    lhs->db = (flags >> DESC_B_SHIFT) & 1;
-    lhs->s = (flags & DESC_S_MASK) != 0;
-    lhs->l = (flags >> DESC_L_SHIFT) & 1;
-    lhs->g = (flags & DESC_G_MASK) != 0;
-    lhs->avl = (flags & DESC_AVL_MASK) != 0;
-    lhs->unusable = 0;
-}
-
-static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
-{
-    lhs->selector = rhs->selector;
-    lhs->base = rhs->base;
-    lhs->limit = rhs->limit;
-    lhs->flags =
-        (rhs->type << DESC_TYPE_SHIFT)
-        | (rhs->present * DESC_P_MASK)
-        | (rhs->dpl << DESC_DPL_SHIFT)
-        | (rhs->db << DESC_B_SHIFT)
-        | (rhs->s * DESC_S_MASK)
-        | (rhs->l << DESC_L_SHIFT)
-        | (rhs->g * DESC_G_MASK)
-        | (rhs->avl * DESC_AVL_MASK);
-}
-
 #define XSAVE_CWD_RIP     2
 #define XSAVE_CWD_RDP     4
 #define XSAVE_MXCSR       6
@@ -769,7 +720,6 @@ static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
 void kvm_arch_load_regs(CPUState *env, int level)
 {
     struct kvm_regs regs;
-    struct kvm_sregs sregs;
     struct kvm_msr_entry msrs[100];
     int rc, n, i;
 
@@ -802,55 +752,7 @@ void kvm_arch_load_regs(CPUState *env, int level)
     kvm_put_xsave(env);
     kvm_put_xcrs(env);
 
-    memset(sregs.interrupt_bitmap, 0, sizeof(sregs.interrupt_bitmap));
-    if (env->interrupt_injected >= 0) {
-        sregs.interrupt_bitmap[env->interrupt_injected / 64] |=
-                (uint64_t)1 << (env->interrupt_injected % 64);
-    }
-
-    if ((env->eflags & VM_MASK)) {
-        set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
-        set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
-        set_v8086_seg(&sregs.es, &env->segs[R_ES]);
-        set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
-        set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
-        set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
-    } else {
-        set_seg(&sregs.cs, &env->segs[R_CS]);
-        set_seg(&sregs.ds, &env->segs[R_DS]);
-        set_seg(&sregs.es, &env->segs[R_ES]);
-        set_seg(&sregs.fs, &env->segs[R_FS]);
-        set_seg(&sregs.gs, &env->segs[R_GS]);
-        set_seg(&sregs.ss, &env->segs[R_SS]);
-
-        if (env->cr[0] & CR0_PE_MASK) {
-            /* force ss cpl to cs cpl */
-            sregs.ss.selector = (sregs.ss.selector & ~3) |
-                (sregs.cs.selector & 3);
-            sregs.ss.dpl = sregs.ss.selector & 3;
-        }
-    }
-
-    set_seg(&sregs.tr, &env->tr);
-    set_seg(&sregs.ldt, &env->ldt);
-
-    sregs.idt.limit = env->idt.limit;
-    sregs.idt.base = env->idt.base;
-    sregs.gdt.limit = env->gdt.limit;
-    sregs.gdt.base = env->gdt.base;
-
-    sregs.cr0 = env->cr[0];
-    sregs.cr2 = env->cr[2];
-    sregs.cr3 = env->cr[3];
-    sregs.cr4 = env->cr[4];
-
-    sregs.cr8 = cpu_get_apic_tpr(env->apic_state);
-    sregs.apic_base = cpu_get_apic_base(env->apic_state);
-
-    sregs.efer = env->efer;
-
-    kvm_set_sregs(env, &sregs);
-
+    kvm_put_sregs(env);
     /* msrs */
     n = 0;
     /* Remember to increase msrs size if you add new registers below */
@@ -923,10 +825,8 @@ void kvm_arch_load_regs(CPUState *env, int level)
 void kvm_arch_save_regs(CPUState *env)
 {
     struct kvm_regs regs;
-    struct kvm_sregs sregs;
     struct kvm_msr_entry msrs[100];
-    uint32_t hflags;
-    uint32_t i, n, rc, bit;
+    uint32_t i, n, rc;
 
     assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 
@@ -957,81 +857,7 @@ void kvm_arch_save_regs(CPUState *env)
     kvm_get_xsave(env);
     kvm_get_xcrs(env);
 
-    kvm_get_sregs(env, &sregs);
-
-    /* There can only be one pending IRQ set in the bitmap at a time, so try
-       to find it and save its number instead (-1 for none). */
-    env->interrupt_injected = -1;
-    for (i = 0; i < ARRAY_SIZE(sregs.interrupt_bitmap); i++) {
-        if (sregs.interrupt_bitmap[i]) {
-            bit = ctz64(sregs.interrupt_bitmap[i]);
-            env->interrupt_injected = i * 64 + bit;
-            break;
-        }
-    }
-
-    get_seg(&env->segs[R_CS], &sregs.cs);
-    get_seg(&env->segs[R_DS], &sregs.ds);
-    get_seg(&env->segs[R_ES], &sregs.es);
-    get_seg(&env->segs[R_FS], &sregs.fs);
-    get_seg(&env->segs[R_GS], &sregs.gs);
-    get_seg(&env->segs[R_SS], &sregs.ss);
-
-    get_seg(&env->tr, &sregs.tr);
-    get_seg(&env->ldt, &sregs.ldt);
-
-    env->idt.limit = sregs.idt.limit;
-    env->idt.base = sregs.idt.base;
-    env->gdt.limit = sregs.gdt.limit;
-    env->gdt.base = sregs.gdt.base;
-
-    env->cr[0] = sregs.cr0;
-    env->cr[2] = sregs.cr2;
-    env->cr[3] = sregs.cr3;
-    env->cr[4] = sregs.cr4;
-
-    cpu_set_apic_base(env->apic_state, sregs.apic_base);
-
-    env->efer = sregs.efer;
-    //cpu_set_apic_tpr(env, sregs.cr8);
-
-#define HFLAG_COPY_MASK ~(                                              \
-        HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK |            \
-        HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK |           \
-        HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK |                   \
-        HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
-
-    hflags = (env->segs[R_CS].flags >> DESC_DPL_SHIFT) & HF_CPL_MASK;
-    hflags |= (env->cr[0] & CR0_PE_MASK) << (HF_PE_SHIFT - CR0_PE_SHIFT);
-    hflags |= (env->cr[0] << (HF_MP_SHIFT - CR0_MP_SHIFT)) &
-            (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
-    hflags |= (env->eflags & (HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK));
-    hflags |= (env->cr[4] & CR4_OSFXSR_MASK) <<
-            (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
-
-    if (env->efer & MSR_EFER_LMA) {
-        hflags |= HF_LMA_MASK;
-    }
-
-    if ((hflags & HF_LMA_MASK) && (env->segs[R_CS].flags & DESC_L_MASK)) {
-        hflags |= HF_CS32_MASK | HF_SS32_MASK | HF_CS64_MASK;
-    } else {
-        hflags |= (env->segs[R_CS].flags & DESC_B_MASK) >>
-                (DESC_B_SHIFT - HF_CS32_SHIFT);
-        hflags |= (env->segs[R_SS].flags & DESC_B_MASK) >>
-                (DESC_B_SHIFT - HF_SS32_SHIFT);
-        if (!(env->cr[0] & CR0_PE_MASK) ||
-            (env->eflags & VM_MASK) ||
-            !(hflags & HF_CS32_MASK)) {
-            hflags |= HF_ADDSEG_MASK;
-        } else {
-            hflags |= ((env->segs[R_DS].base |
-                        env->segs[R_ES].base |
-                        env->segs[R_SS].base) != 0) <<
-                HF_ADDSEG_SHIFT;
-        }
-    }
-    env->hflags = (env->hflags & HFLAG_COPY_MASK) | hflags;
+    kvm_get_sregs(env);
 
     /* msrs */
     n = 0;
diff --git a/qemu-kvm.c b/qemu-kvm.c
index d7d7eee..471306b 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -472,16 +472,6 @@ int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
     return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 }
 
-int kvm_get_sregs(CPUState *env, struct kvm_sregs *sregs)
-{
-    return kvm_vcpu_ioctl(env, KVM_GET_SREGS, sregs);
-}
-
-int kvm_set_sregs(CPUState *env, struct kvm_sregs *sregs)
-{
-    return kvm_vcpu_ioctl(env, KVM_SET_SREGS, sregs);
-}
-
 #ifdef KVM_CAP_MP_STATE
 int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 {
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 8e27b85..e1ba7c7 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -207,39 +207,6 @@ int kvm_get_regs(CPUState *env, struct kvm_regs *regs);
  */
 int kvm_set_regs(CPUState *env, struct kvm_regs *regs);
 
-/*!
- * \brief Read VCPU system registers
- *
- * This gets the non-GP registers from the VCPU and outputs them
- * into a kvm_sregs structure
- *
- * \note This function returns a \b copy of the VCPUs registers.\n
- * If you wish to modify the VCPUs non-GP registers, you should call
- * kvm_set_sregs()
- *
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should get dumped
- * \param regs Pointer to a kvm_sregs which will be populated with the VCPUs
- * registers values
- * \return 0 on success
- */
-int kvm_get_sregs(CPUState *env, struct kvm_sregs *regs);
-
-/*!
- * \brief Write VCPU system registers
- *
- * This sets the non-GP registers on the VCPU from a kvm_sregs structure
- *
- * \note When this function returns, the regs pointer and the data it points to
- * can be discarded
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should get dumped
- * \param regs Pointer to a kvm_sregs which will be populated with the VCPUs
- * registers values
- * \return 0 on success
- */
-int kvm_set_sregs(CPUState *env, struct kvm_sregs *regs);
-
 #ifdef KVM_CAP_MP_STATE
 /*!
  *  * \brief Read VCPU MP state
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index e5e8af3..1e98a2e 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -578,6 +578,8 @@ int kvm_arch_init(KVMState *s, int smp_cpus)
 
     return kvm_init_identity_map_page(s);
 }
+
+#endif
                     
 static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
 {
@@ -628,6 +630,8 @@ static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
 	| (rhs->avl * DESC_AVL_MASK);
 }
 
+#ifdef OBSOLETE_KVM_IMPL
+
 static void kvm_getput_reg(__u64 *kvm_reg, target_ulong *qemu_reg, int set)
 {
     if (set)
@@ -759,8 +763,6 @@ static int kvm_put_xcrs(CPUState *env)
 #endif
 }
 
-#ifdef OBSOLETE_KVM_IMPL
-
 static int kvm_put_sregs(CPUState *env)
 {
     struct kvm_sregs sregs;
@@ -815,8 +817,6 @@ static int kvm_put_sregs(CPUState *env)
     return kvm_vcpu_ioctl(env, KVM_SET_SREGS, &sregs);
 }
 
-#endif
-
 static void kvm_msr_entry_set(struct kvm_msr_entry *entry,
                               uint32_t index, uint64_t value)
 {
@@ -972,8 +972,6 @@ static int kvm_get_xcrs(CPUState *env)
 #endif
 }
 
-#ifdef OBSOLETE_KVM_IMPL
-
 static int kvm_get_sregs(CPUState *env)
 {
     struct kvm_sregs sregs;
@@ -1063,6 +1061,8 @@ static int kvm_get_sregs(CPUState *env)
     return 0;
 }
 
+#ifdef OBSOLETE_KVM_IMPL
+
 static int kvm_get_msrs(CPUState *env)
 {
     struct {
commit 5d709bd76683f158cd36376f4aabab59f406ae75
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Sat Oct 23 20:05:26 2010 -0200

    qemu-kvm: use upstream fpu/xsave/xcrs save/restore code
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index e420298..0e60748 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -1056,7 +1056,6 @@ int kvm_has_debugregs(void)
     return kvm_state->debugregs;
 }
 
-#ifdef OBSOLETE_KVM_IMPL
 int kvm_has_xsave(void)
 {
     return kvm_state->xsave;
@@ -1066,7 +1065,6 @@ int kvm_has_xcrs(void)
 {
     return kvm_state->xcrs;
 }
-#endif
 
 void kvm_setup_guest_memory(void *start, size_t size)
 {
diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index f678c53..64bfac6 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -769,7 +769,6 @@ static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
 void kvm_arch_load_regs(CPUState *env, int level)
 {
     struct kvm_regs regs;
-    struct kvm_fpu fpu;
     struct kvm_sregs sregs;
     struct kvm_msr_entry msrs[100];
     int rc, n, i;
@@ -800,58 +799,8 @@ void kvm_arch_load_regs(CPUState *env, int level)
 
     kvm_set_regs(env, &regs);
 
-#ifdef KVM_CAP_XSAVE
-    if (kvm_check_extension(kvm_state, KVM_CAP_XSAVE)) {
-        struct kvm_xsave* xsave;
-
-        uint16_t cwd, swd, twd, fop;
-
-        xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
-        memset(xsave, 0, sizeof(struct kvm_xsave));
-        cwd = swd = twd = fop = 0;
-        swd = env->fpus & ~(7 << 11);
-        swd |= (env->fpstt & 7) << 11;
-        cwd = env->fpuc;
-        for (i = 0; i < 8; ++i) {
-            twd |= (!env->fptags[i]) << i;
-        }
-        xsave->region[0] = (uint32_t)(swd << 16) + cwd;
-        xsave->region[1] = (uint32_t)(fop << 16) + twd;
-        memcpy(&xsave->region[XSAVE_ST_SPACE], env->fpregs,
-               sizeof env->fpregs);
-        memcpy(&xsave->region[XSAVE_XMM_SPACE], env->xmm_regs,
-               sizeof env->xmm_regs);
-        xsave->region[XSAVE_MXCSR] = env->mxcsr;
-        *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV] = env->xstate_bv;
-        memcpy(&xsave->region[XSAVE_YMMH_SPACE], env->ymmh_regs,
-               sizeof env->ymmh_regs);
-        kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
-        if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
-            struct kvm_xcrs xcrs;
-
-            xcrs.nr_xcrs = 1;
-            xcrs.flags = 0;
-            xcrs.xcrs[0].xcr = 0;
-            xcrs.xcrs[0].value = env->xcr0;
-            kvm_vcpu_ioctl(env, KVM_SET_XCRS, &xcrs);
-        }
-        qemu_free(xsave);
-    } else {
-#endif
-        memset(&fpu, 0, sizeof fpu);
-        fpu.fsw = env->fpus & ~(7 << 11);
-        fpu.fsw |= (env->fpstt & 7) << 11;
-        fpu.fcw = env->fpuc;
-        for (i = 0; i < 8; ++i) {
-            fpu.ftwx |= (!env->fptags[i]) << i;
-        }
-        memcpy(fpu.fpr, env->fpregs, sizeof env->fpregs);
-        memcpy(fpu.xmm, env->xmm_regs, sizeof env->xmm_regs);
-        fpu.mxcsr = env->mxcsr;
-        kvm_set_fpu(env, &fpu);
-#ifdef KVM_CAP_XSAVE
-    }
-#endif
+    kvm_put_xsave(env);
+    kvm_put_xcrs(env);
 
     memset(sregs.interrupt_bitmap, 0, sizeof(sregs.interrupt_bitmap));
     if (env->interrupt_injected >= 0) {
@@ -974,7 +923,6 @@ void kvm_arch_load_regs(CPUState *env, int level)
 void kvm_arch_save_regs(CPUState *env)
 {
     struct kvm_regs regs;
-    struct kvm_fpu fpu;
     struct kvm_sregs sregs;
     struct kvm_msr_entry msrs[100];
     uint32_t hflags;
@@ -1006,54 +954,8 @@ void kvm_arch_save_regs(CPUState *env)
     env->eflags = regs.rflags;
     env->eip = regs.rip;
 
-#ifdef KVM_CAP_XSAVE
-    if (kvm_check_extension(kvm_state, KVM_CAP_XSAVE)) {
-        struct kvm_xsave* xsave;
-        uint16_t cwd, swd, twd, fop;
-        xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
-        kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
-        cwd = (uint16_t)xsave->region[0];
-        swd = (uint16_t)(xsave->region[0] >> 16);
-        twd = (uint16_t)xsave->region[1];
-        fop = (uint16_t)(xsave->region[1] >> 16);
-        env->fpstt = (swd >> 11) & 7;
-        env->fpus = swd;
-        env->fpuc = cwd;
-        for (i = 0; i < 8; ++i) {
-            env->fptags[i] = !((twd >> i) & 1);
-        }
-        env->mxcsr = xsave->region[XSAVE_MXCSR];
-        memcpy(env->fpregs, &xsave->region[XSAVE_ST_SPACE],
-                sizeof env->fpregs);
-        memcpy(env->xmm_regs, &xsave->region[XSAVE_XMM_SPACE],
-                sizeof env->xmm_regs);
-        env->xstate_bv = *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV];
-        memcpy(env->ymmh_regs, &xsave->region[XSAVE_YMMH_SPACE],
-                sizeof env->ymmh_regs);
-        if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
-            struct kvm_xcrs xcrs;
-
-            kvm_vcpu_ioctl(env, KVM_GET_XCRS, &xcrs);
-            if (xcrs.xcrs[0].xcr == 0) {
-                env->xcr0 = xcrs.xcrs[0].value;
-            }
-        }
-        qemu_free(xsave);
-    } else {
-#endif
-        kvm_get_fpu(env, &fpu);
-        env->fpstt = (fpu.fsw >> 11) & 7;
-        env->fpus = fpu.fsw;
-        env->fpuc = fpu.fcw;
-        for (i = 0; i < 8; ++i) {
-            env->fptags[i] = !((fpu.ftwx >> i) & 1);
-        }
-        memcpy(env->fpregs, fpu.fpr, sizeof env->fpregs);
-        memcpy(env->xmm_regs, fpu.xmm, sizeof env->xmm_regs);
-        env->mxcsr = fpu.mxcsr;
-#ifdef KVM_CAP_XSAVE
-    }
-#endif
+    kvm_get_xsave(env);
+    kvm_get_xcrs(env);
 
     kvm_get_sregs(env, &sregs);
 
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 43cb593..d7d7eee 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -472,16 +472,6 @@ int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
     return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 }
 
-int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu)
-{
-    return kvm_vcpu_ioctl(env, KVM_GET_FPU, fpu);
-}
-
-int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu)
-{
-    return kvm_vcpu_ioctl(env, KVM_SET_FPU, fpu);
-}
-
 int kvm_get_sregs(CPUState *env, struct kvm_sregs *sregs)
 {
     return kvm_vcpu_ioctl(env, KVM_GET_SREGS, sregs);
@@ -1696,6 +1686,16 @@ static int kvm_create_context(void)
     kvm_state->debugregs = kvm_check_extension(kvm_state, KVM_CAP_DEBUGREGS);
 #endif
 
+    kvm_state->xsave = 0;
+#ifdef KVM_CAP_XSAVE
+    kvm_state->xsave = kvm_check_extension(kvm_state, KVM_CAP_XSAVE);
+#endif
+
+    kvm_state->xcrs = 0;
+#ifdef KVM_CAP_XCRS
+    kvm_state->xcrs = kvm_check_extension(kvm_state, KVM_CAP_XCRS);
+#endif
+
     kvm_init_ap();
     if (kvm_irqchip) {
         if (!qemu_kvm_has_gsi_routing()) {
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 779409d..8e27b85 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -206,36 +206,6 @@ int kvm_get_regs(CPUState *env, struct kvm_regs *regs);
  * \return 0 on success
  */
 int kvm_set_regs(CPUState *env, struct kvm_regs *regs);
-/*!
- * \brief Read VCPU fpu registers
- *
- * This gets the FPU registers from the VCPU and outputs them
- * into a kvm_fpu structure
- *
- * \note This function returns a \b copy of the VCPUs registers.\n
- * If you wish to modify the VCPU FPU registers, you should call kvm_set_fpu()
- *
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should get dumped
- * \param fpu Pointer to a kvm_fpu which will be populated with the VCPUs
- * fpu registers values
- * \return 0 on success
- */
-int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu);
-
-/*!
- * \brief Write VCPU fpu registers
- *
- * This sets the FPU registers on the VCPU from a kvm_fpu structure
- *
- * \note When this function returns, the fpu pointer and the data it points to
- * can be discarded
- * \param kvm Pointer to the current kvm_context
- * \param vcpu Which virtual CPU should get dumped
- * \param fpu Pointer to a kvm_fpu which holds the new vcpu fpu state
- * \return 0 on success
- */
-int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu);
 
 /*!
  * \brief Read VCPU system registers
@@ -847,6 +817,7 @@ struct KVMState {
 #endif
     int irqchip_in_kernel;
     int pit_in_kernel;
+    int xsave, xcrs;
 
     struct kvm_context kvm_context;
 };
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 41d42ca..e5e8af3 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -675,6 +675,8 @@ static int kvm_getput_regs(CPUState *env, int set)
     return ret;
 }
 
+#endif
+
 static int kvm_put_fpu(CPUState *env)
 {
     struct kvm_fpu fpu;
@@ -757,6 +759,8 @@ static int kvm_put_xcrs(CPUState *env)
 #endif
 }
 
+#ifdef OBSOLETE_KVM_IMPL
+
 static int kvm_put_sregs(CPUState *env)
 {
     struct kvm_sregs sregs;
@@ -879,6 +883,7 @@ static int kvm_put_msrs(CPUState *env, int level)
 
 }
 
+#endif
 
 static int kvm_get_fpu(CPUState *env)
 {
@@ -967,6 +972,8 @@ static int kvm_get_xcrs(CPUState *env)
 #endif
 }
 
+#ifdef OBSOLETE_KVM_IMPL
+
 static int kvm_get_sregs(CPUState *env)
 {
     struct kvm_sregs sregs;
commit 0abb7a057d04401247368659d86cd5784086591f
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Sat Oct 23 20:05:25 2010 -0200

    qemu-kvm: kill xsave/xcrs helpers
    
    Use kvm_vcpu_ioctl directly instead.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index bd97864..f678c53 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -825,7 +825,7 @@ void kvm_arch_load_regs(CPUState *env, int level)
         *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV] = env->xstate_bv;
         memcpy(&xsave->region[XSAVE_YMMH_SPACE], env->ymmh_regs,
                sizeof env->ymmh_regs);
-        kvm_set_xsave(env, xsave);
+        kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
         if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
             struct kvm_xcrs xcrs;
 
@@ -833,7 +833,7 @@ void kvm_arch_load_regs(CPUState *env, int level)
             xcrs.flags = 0;
             xcrs.xcrs[0].xcr = 0;
             xcrs.xcrs[0].value = env->xcr0;
-            kvm_set_xcrs(env, &xcrs);
+            kvm_vcpu_ioctl(env, KVM_SET_XCRS, &xcrs);
         }
         qemu_free(xsave);
     } else {
@@ -1011,7 +1011,7 @@ void kvm_arch_save_regs(CPUState *env)
         struct kvm_xsave* xsave;
         uint16_t cwd, swd, twd, fop;
         xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
-        kvm_get_xsave(env, xsave);
+        kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
         cwd = (uint16_t)xsave->region[0];
         swd = (uint16_t)(xsave->region[0] >> 16);
         twd = (uint16_t)xsave->region[1];
@@ -1033,7 +1033,7 @@ void kvm_arch_save_regs(CPUState *env)
         if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
             struct kvm_xcrs xcrs;
 
-            kvm_get_xcrs(env, &xcrs);
+            kvm_vcpu_ioctl(env, KVM_GET_XCRS, &xcrs);
             if (xcrs.xcrs[0].xcr == 0) {
                 env->xcr0 = xcrs.xcrs[0].value;
             }
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 625f286..43cb593 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -516,30 +516,6 @@ int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 }
 #endif
 
-#ifdef KVM_CAP_XSAVE
-int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave)
-{
-    return kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
-}
-
-int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave)
-{
-    return kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
-}
-#endif
-
-#ifdef KVM_CAP_XCRS
-int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
-{
-    return kvm_vcpu_ioctl(env, KVM_GET_XCRS, xcrs);
-}
-
-int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
-{
-    return kvm_vcpu_ioctl(env, KVM_SET_XCRS, xcrs);
-}
-#endif
-
 static int handle_mmio(CPUState *env)
 {
     unsigned long addr = env->kvm_run->mmio.phys_addr;
diff --git a/qemu-kvm.h b/qemu-kvm.h
index d55bc36..779409d 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -284,34 +284,6 @@ int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 #endif
 
-#ifdef KVM_CAP_XSAVE
-/*!
- *  * \brief Read VCPU xsave state
- *
- */
-int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave);
-
-/*!
- *  * \brief Write VCPU xsave state
- *
- */
-int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave);
-#endif
-
-#ifdef KVM_CAP_XCRS
-/*!
- *  * \brief Read VCPU XCRs
- *
- */
-int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs);
-
-/*!
- *  * \brief Write VCPU XCRs
- *
- */
-int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs);
-#endif
-
 /*!
  * \brief Simulate an external vectored interrupt
  *
commit e71f08bb4a3f4cb12802208bc7143f2cf482424b
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Oct 24 16:32:04 2010 +0200

    Fix cpu/pci hotplug to generate level triggered interrupt.
    
    SCI is level triggered. cpu/pci hotplug should behave appropriately.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index dfabc75..de3bb88 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -111,7 +111,8 @@ static void pm_update_sci(PIIX4PMState *s)
                    ACPI_BITMASK_POWER_BUTTON_ENABLE |
                    ACPI_BITMASK_GLOBAL_LOCK_ENABLE |
                    ACPI_BITMASK_TIMER_ENABLE)) != 0) ||
-        (((s->gpe.sts & s->gpe.en) & PIIX4_PCI_HOTPLUG_STATUS) != 0);
+        (((s->gpe.sts & s->gpe.en) &
+          (PIIX4_CPU_HOTPLUG_STATUS | PIIX4_PCI_HOTPLUG_STATUS)) != 0);
 
     qemu_set_irq(s->irq, sci_level);
     /* schedule a timer interruption if needed */
@@ -610,12 +611,11 @@ static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state);
 
 static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
 {
-    struct gpe_regs *gpe = &s->gpe;
     struct pci_status *pci0_status = &s->pci0_status;
     int i = 0, cpus = smp_cpus;
 
     while (cpus > 0) {
-        gpe->cpus_sts[i++] = (cpus < 8) ? (1 << cpus) - 1 : 0xff;
+        s->gpe.cpus_sts[i++] = (cpus < 8) ? (1 << cpus) - 1 : 0xff;
         cpus -= 8;
     }
 
@@ -665,10 +665,8 @@ void qemu_system_cpu_hot_add(int cpu, int state)
         enable_processor(&s->gpe, cpu);
     else
         disable_processor(&s->gpe, cpu);
-    if (s->gpe.en & 4) {
-        qemu_set_irq(s->irq, 1);
-        qemu_set_irq(s->irq, 0);
-    }
+
+    pm_update_sci(s);
 }
 #endif
 
commit 82915d0c3388fc2c9dc5a47a29fa8f97fdc3c6da
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Oct 24 16:32:03 2010 +0200

    Use defines instead of numbers for cpu hotplug
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 03abc61..dfabc75 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -39,6 +39,7 @@
 #define PCI_BASE 0xae00
 #define PCI_EJ_BASE 0xae08
 
+#define PIIX4_CPU_HOTPLUG_STATUS 4
 #define PIIX4_PCI_HOTPLUG_STATUS 2
 
 struct gpe_regs {
@@ -636,13 +637,13 @@ static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
 #if defined(TARGET_I386)
 static void enable_processor(struct gpe_regs *g, int cpu)
 {
-    g->sts |= 4;
+    g->sts |= PIIX4_CPU_HOTPLUG_STATUS;
     g->cpus_sts[cpu/8] |= (1 << (cpu%8));
 }
 
 static void disable_processor(struct gpe_regs *g, int cpu)
 {
-    g->sts |= 4;
+    g->sts |= PIIX4_CPU_HOTPLUG_STATUS;
     g->cpus_sts[cpu/8] &= ~(1 << (cpu%8));
 }
 
commit 061e8895422a982e88e5e6d646b8e293a05dcc61
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Oct 24 16:32:02 2010 +0200

    Fix cpu hotplug ioport function registration.
    
    Callback gets pointer to PIIX4PMState as parameter now instead of gpe.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 1c8e4e2..03abc61 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -621,8 +621,8 @@ static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
     register_ioport_write(GPE_BASE, 4, 1, gpe_writeb, s);
     register_ioport_read(GPE_BASE, 4, 1,  gpe_readb, s);
 
-    register_ioport_write(PROC_BASE, 32, 1, gpe_writeb, gpe);
-    register_ioport_read(PROC_BASE, 32, 1,  gpe_readb, gpe);
+    register_ioport_write(PROC_BASE, 32, 1, gpe_writeb, s);
+    register_ioport_read(PROC_BASE, 32, 1,  gpe_readb, s);
 
     register_ioport_write(PCI_BASE, 8, 4, pcihotplug_write, pci0_status);
     register_ioport_read(PCI_BASE, 8, 4,  pcihotplug_read, pci0_status);
commit c57c846a80f9306aa2c6cf7efdef45ed42723fac
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Oct 23 15:24:07 2010 +0000

    qemu-timer: move commonly used timer code to qemu-timer-common
    
    Move timer init functions to a new file, qemu-timer-common.c. Make other
    critical timer functions inlined to preserve performance in
    qemu-timer.c, also move muldiv64() (used by the inline functions)
    to qemu-timer.h.
    
    Adjust block/raw-posix.c and simpletrace.c to use get_clock() directly.
    Remove a similar/duplicate definition in qemu-tool.c.
    
    Adjust hw/omap_clk.c to include qemu-timer.h because muldiv64() is used
    there.
    
    After this change, tracing can be used also for user code and
    simpletrace on Win32.
    
    Cc: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index 252c817..a1434b1 100644
--- a/Makefile
+++ b/Makefile
@@ -129,11 +129,11 @@ version-obj-$(CONFIG_WIN32) += version.o
 qemu-img.o: qemu-img-cmds.h
 qemu-img.o qemu-tool.o qemu-nbd.o qemu-io.o: $(GENERATED_HEADERS)
 
-qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y)
+qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
-qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y)
+qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
-qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y)
+qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y) qemu-timer-common.o
 
 qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
diff --git a/Makefile.objs b/Makefile.objs
index 6e6f60a..f07fb01 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -127,7 +127,7 @@ common-obj-y += iov.o acl.o
 common-obj-$(CONFIG_THREAD) += qemu-thread.o
 common-obj-$(CONFIG_IOTHREAD) += compatfd.o
 common-obj-y += notify.o event_notifier.o
-common-obj-y += qemu-timer.o
+common-obj-y += qemu-timer.o qemu-timer-common.o
 
 slirp-obj-y = cksum.o if.o ip_icmp.o ip_input.o ip_output.o
 slirp-obj-y += slirp.o mbuf.o misc.o sbuf.o socket.o tcp_input.o tcp_output.o
@@ -278,6 +278,7 @@ libdis-$(CONFIG_SPARC_DIS) += sparc-dis.o
 trace-obj-y = trace.o
 ifeq ($(TRACE_BACKEND),simple)
 trace-obj-y += simpletrace.o
+user-obj-y += qemu-timer-common.o
 endif
 
 vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
diff --git a/block/raw-posix.c b/block/raw-posix.c
index a5cbb7e..d0393e0 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -97,9 +97,9 @@
 #define FTYPE_CD     1
 #define FTYPE_FD     2
 
-/* if the FD is not accessed during that time (in ms), we try to
+/* if the FD is not accessed during that time (in ns), we try to
    reopen it to see if the disk has been changed */
-#define FD_OPEN_TIMEOUT 1000
+#define FD_OPEN_TIMEOUT (1000000000)
 
 #define MAX_BLOCKSIZE	4096
 
@@ -908,7 +908,7 @@ static int fd_open(BlockDriverState *bs)
         return 0;
     last_media_present = (s->fd >= 0);
     if (s->fd >= 0 &&
-        (qemu_get_clock(rt_clock) - s->fd_open_time) >= FD_OPEN_TIMEOUT) {
+        (get_clock() - s->fd_open_time) >= FD_OPEN_TIMEOUT) {
         close(s->fd);
         s->fd = -1;
 #ifdef DEBUG_FLOPPY
@@ -917,7 +917,7 @@ static int fd_open(BlockDriverState *bs)
     }
     if (s->fd < 0) {
         if (s->fd_got_error &&
-            (qemu_get_clock(rt_clock) - s->fd_error_time) < FD_OPEN_TIMEOUT) {
+            (get_clock() - s->fd_error_time) < FD_OPEN_TIMEOUT) {
 #ifdef DEBUG_FLOPPY
             printf("No floppy (open delayed)\n");
 #endif
@@ -925,7 +925,7 @@ static int fd_open(BlockDriverState *bs)
         }
         s->fd = open(bs->filename, s->open_flags & ~O_NONBLOCK);
         if (s->fd < 0) {
-            s->fd_error_time = qemu_get_clock(rt_clock);
+            s->fd_error_time = get_clock();
             s->fd_got_error = 1;
             if (last_media_present)
                 s->fd_media_changed = 1;
@@ -940,7 +940,7 @@ static int fd_open(BlockDriverState *bs)
     }
     if (!last_media_present)
         s->fd_media_changed = 1;
-    s->fd_open_time = qemu_get_clock(rt_clock);
+    s->fd_open_time = get_clock();
     s->fd_got_error = 0;
     return 0;
 }
diff --git a/hw/omap_clk.c b/hw/omap_clk.c
index 6bcabef..10c9c43 100644
--- a/hw/omap_clk.c
+++ b/hw/omap_clk.c
@@ -20,6 +20,7 @@
  */
 #include "hw.h"
 #include "omap.h"
+#include "qemu-timer.h" /* for muldiv64() */
 
 struct clk {
     const char *name;
diff --git a/qemu-common.h b/qemu-common.h
index d5ae420..2fbc27f 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -133,8 +133,6 @@ void qemu_bh_delete(QEMUBH *bh);
 int qemu_bh_poll(void);
 void qemu_bh_update_timeout(int *timeout);
 
-uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c);
-
 void qemu_get_timedate(struct tm *tm, int offset);
 int qemu_timedate_diff(struct tm *tm);
 
diff --git a/qemu-timer-common.c b/qemu-timer-common.c
new file mode 100644
index 0000000..fff4399
--- /dev/null
+++ b/qemu-timer-common.c
@@ -0,0 +1,62 @@
+/*
+ * QEMU System Emulator
+ *
+ * Copyright (c) 2003-2008 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+#include "qemu-timer.h"
+
+/***********************************************************/
+/* real time host monotonic timer */
+
+#ifdef _WIN32
+
+int64_t clock_freq;
+
+static void __attribute__((constructor)) init_get_clock(void)
+{
+    LARGE_INTEGER freq;
+    int ret;
+    ret = QueryPerformanceFrequency(&freq);
+    if (ret == 0) {
+        fprintf(stderr, "Could not calibrate ticks\n");
+        exit(1);
+    }
+    clock_freq = freq.QuadPart;
+}
+
+#else
+
+int use_rt_clock;
+
+static void __attribute__((constructor)) init_get_clock(void)
+{
+    use_rt_clock = 0;
+#if defined(__linux__) || (defined(__FreeBSD__) && __FreeBSD_version >= 500000) \
+    || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+    {
+        struct timespec ts;
+        if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) {
+            use_rt_clock = 1;
+        }
+    }
+#endif
+}
+#endif
diff --git a/qemu-timer.c b/qemu-timer.c
index bc5f207..95814af 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -64,78 +64,6 @@ int64_t qemu_icount_bias;
 static QEMUTimer *icount_rt_timer;
 static QEMUTimer *icount_vm_timer;
 
-
-/***********************************************************/
-/* real time host monotonic timer */
-
-
-static int64_t get_clock_realtime(void)
-{
-    struct timeval tv;
-
-    gettimeofday(&tv, NULL);
-    return tv.tv_sec * 1000000000LL + (tv.tv_usec * 1000);
-}
-
-#ifdef WIN32
-
-static int64_t clock_freq;
-
-static void init_get_clock(void)
-{
-    LARGE_INTEGER freq;
-    int ret;
-    ret = QueryPerformanceFrequency(&freq);
-    if (ret == 0) {
-        fprintf(stderr, "Could not calibrate ticks\n");
-        exit(1);
-    }
-    clock_freq = freq.QuadPart;
-}
-
-static int64_t get_clock(void)
-{
-    LARGE_INTEGER ti;
-    QueryPerformanceCounter(&ti);
-    return muldiv64(ti.QuadPart, get_ticks_per_sec(), clock_freq);
-}
-
-#else
-
-static int use_rt_clock;
-
-static void init_get_clock(void)
-{
-    use_rt_clock = 0;
-#if defined(__linux__) || (defined(__FreeBSD__) && __FreeBSD_version >= 500000) \
-    || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
-    {
-        struct timespec ts;
-        if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0) {
-            use_rt_clock = 1;
-        }
-    }
-#endif
-}
-
-static int64_t get_clock(void)
-{
-#if defined(__linux__) || (defined(__FreeBSD__) && __FreeBSD_version >= 500000) \
-	|| defined(__DragonFly__) || defined(__FreeBSD_kernel__)
-    if (use_rt_clock) {
-        struct timespec ts;
-        clock_gettime(CLOCK_MONOTONIC, &ts);
-        return ts.tv_sec * 1000000000LL + ts.tv_nsec;
-    } else
-#endif
-    {
-        /* XXX: using gettimeofday leads to problems if the date
-           changes, so it should be avoided. */
-        return get_clock_realtime();
-    }
-}
-#endif
-
 /***********************************************************/
 /* guest cycle counter */
 
@@ -614,7 +542,6 @@ int64_t qemu_get_clock_ns(QEMUClock *clock)
 
 void init_clocks(void)
 {
-    init_get_clock();
     rt_clock = qemu_new_clock(QEMU_CLOCK_REALTIME);
     vm_clock = qemu_new_clock(QEMU_CLOCK_VIRTUAL);
     host_clock = qemu_new_clock(QEMU_CLOCK_HOST);
diff --git a/qemu-timer.h b/qemu-timer.h
index 1494f79..299e387 100644
--- a/qemu-timer.h
+++ b/qemu-timer.h
@@ -2,6 +2,13 @@
 #define QEMU_TIMER_H
 
 #include "qemu-common.h"
+#include <time.h>
+#include <sys/time.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#include <mmsystem.h>
+#endif
 
 /* timers */
 
@@ -52,6 +59,73 @@ static inline int64_t get_ticks_per_sec(void)
     return 1000000000LL;
 }
 
+/* compute with 96 bit intermediate result: (a*b)/c */
+static inline uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
+{
+    union {
+        uint64_t ll;
+        struct {
+#ifdef HOST_WORDS_BIGENDIAN
+            uint32_t high, low;
+#else
+            uint32_t low, high;
+#endif
+        } l;
+    } u, res;
+    uint64_t rl, rh;
+
+    u.ll = a;
+    rl = (uint64_t)u.l.low * (uint64_t)b;
+    rh = (uint64_t)u.l.high * (uint64_t)b;
+    rh += (rl >> 32);
+    res.l.high = rh / c;
+    res.l.low = (((rh % c) << 32) + (rl & 0xffffffff)) / c;
+    return res.ll;
+}
+
+/* real time host monotonic timer */
+static inline int64_t get_clock_realtime(void)
+{
+    struct timeval tv;
+
+    gettimeofday(&tv, NULL);
+    return tv.tv_sec * 1000000000LL + (tv.tv_usec * 1000);
+}
+
+/* Warning: don't insert tracepoints into these functions, they are
+   also used by simpletrace backend and tracepoints would cause
+   an infinite recursion! */
+#ifdef _WIN32
+extern int64_t clock_freq;
+
+static inline int64_t get_clock(void)
+{
+    LARGE_INTEGER ti;
+    QueryPerformanceCounter(&ti);
+    return muldiv64(ti.QuadPart, get_ticks_per_sec(), clock_freq);
+}
+
+#else
+
+extern int use_rt_clock;
+
+static inline int64_t get_clock(void)
+{
+#if defined(__linux__) || (defined(__FreeBSD__) && __FreeBSD_version >= 500000) \
+    || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
+    if (use_rt_clock) {
+        struct timespec ts;
+        clock_gettime(CLOCK_MONOTONIC, &ts);
+        return ts.tv_sec * 1000000000LL + ts.tv_nsec;
+    } else
+#endif
+    {
+        /* XXX: using gettimeofday leads to problems if the date
+           changes, so it should be avoided. */
+        return get_clock_realtime();
+    }
+}
+#endif
 
 void qemu_get_timer(QEMUFile *f, QEMUTimer *ts);
 void qemu_put_timer(QEMUFile *f, QEMUTimer *ts);
diff --git a/qemu-tool.c b/qemu-tool.c
index b39af86..9ccca65 100644
--- a/qemu-tool.c
+++ b/qemu-tool.c
@@ -110,10 +110,3 @@ int qemu_set_fd_handler2(int fd,
 {
     return 0;
 }
-
-int64_t qemu_get_clock(QEMUClock *clock)
-{
-    qemu_timeval tv;
-    qemu_gettimeofday(&tv);
-    return (tv.tv_sec * 1000000000LL + (tv.tv_usec * 1000)) / 1000000;
-}
diff --git a/simpletrace.c b/simpletrace.c
index b488d51..9ea0d1f 100644
--- a/simpletrace.c
+++ b/simpletrace.c
@@ -12,6 +12,7 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <time.h>
+#include "qemu-timer.h"
 #include "trace.h"
 
 /** Trace file header event ID */
@@ -140,20 +141,13 @@ static void trace(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3,
                   uint64_t x4, uint64_t x5, uint64_t x6)
 {
     TraceRecord *rec = &trace_buf[trace_idx];
-    struct timespec ts;
-
-    /* TODO Windows?  It would be good to use qemu-timer here but that isn't
-     * linked into qemu-tools.  Also we should avoid recursion in the tracing
-     * code, therefore it is useful to be self-contained.
-     */
-    clock_gettime(CLOCK_MONOTONIC, &ts);
 
     if (!trace_list[event].state) {
         return;
     }
 
     rec->event = event;
-    rec->timestamp_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
+    rec->timestamp_ns = get_clock();
     rec->x1 = x1;
     rec->x2 = x2;
     rec->x3 = x3;
diff --git a/vl.c b/vl.c
index df414ef..7038952 100644
--- a/vl.c
+++ b/vl.c
@@ -289,30 +289,6 @@ static int default_driver_check(QemuOpts *opts, void *opaque)
 /***********************************************************/
 /* real time host monotonic timer */
 
-/* compute with 96 bit intermediate result: (a*b)/c */
-uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
-{
-    union {
-        uint64_t ll;
-        struct {
-#ifdef HOST_WORDS_BIGENDIAN
-            uint32_t high, low;
-#else
-            uint32_t low, high;
-#endif
-        } l;
-    } u, res;
-    uint64_t rl, rh;
-
-    u.ll = a;
-    rl = (uint64_t)u.l.low * (uint64_t)b;
-    rh = (uint64_t)u.l.high * (uint64_t)b;
-    rh += (rl >> 32);
-    res.l.high = rh / c;
-    res.l.low = (((rh % c) << 32) + (rl & 0xffffffff)) / c;
-    return res.ll;
-}
-
 /***********************************************************/
 /* host time/date access */
 void qemu_get_timedate(struct tm *tm, int offset)
commit 2b2e59e6c95beff2248069b2b129ba8c92c5f4d3
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Oct 21 10:18:40 2010 +0200

    rewrite i386 tests Makefile
    
    1) compute path to i386 compiler from configure.  If it is found, run
    the i386 tests.  I use macros so that this approach could be applied
    for other arches as well.
    
    2) provide an easily extensible way to add tests
    
    Most tests fail, but at least "make test" does something meaningful.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index f6a63bc..f62c1fe 100755
--- a/configure
+++ b/configure
@@ -92,6 +92,7 @@ libs_softmmu=""
 libs_tools=""
 audio_pt_int=""
 audio_win_int=""
+cc_i386=i386-pc-linux-gnu-gcc
 
 # parse CC options first
 for opt do
@@ -789,12 +790,14 @@ case "$cpu" in
     i386)
            QEMU_CFLAGS="-m32 $QEMU_CFLAGS"
            LDFLAGS="-m32 $LDFLAGS"
+           cc_i386='$(CC) -m32'
            helper_cflags="-fomit-frame-pointer"
            host_guest_base="yes"
            ;;
     x86_64)
            QEMU_CFLAGS="-m64 $QEMU_CFLAGS"
            LDFLAGS="-m64 $LDFLAGS"
+           cc_i386='$(CC) -m32'
            host_guest_base="yes"
            ;;
     arm*)
@@ -2640,6 +2643,7 @@ echo "INSTALL_DIR=$install -d -m0755 -p" >> $config_host_mak
 echo "INSTALL_DATA=$install -m0644 -p" >> $config_host_mak
 echo "INSTALL_PROG=$install -m0755 -p" >> $config_host_mak
 echo "CC=$cc" >> $config_host_mak
+echo "CC_I386=$cc_i386" >> $config_host_mak
 echo "HOST_CC=$host_cc" >> $config_host_mak
 if test "$sparse" = "yes" ; then
   echo "CC      := REAL_CC=\"\$(CC)\" cgcc"       >> $config_host_mak
diff --git a/rules.mak b/rules.mak
index c843a13..6dac777 100644
--- a/rules.mak
+++ b/rules.mak
@@ -42,6 +42,15 @@ cc-option = $(if $(shell $(CC) $1 $2 -S -o /dev/null -xc /dev/null \
 VPATH_SUFFIXES = %.c %.h %.S %.m %.mak %.texi
 set-vpath = $(if $1,$(foreach PATTERN,$(VPATH_SUFFIXES),$(eval vpath $(PATTERN) $1)))
 
+# find-in-path
+# Usage: $(call find-in-path, prog)
+# Looks in the PATH if the argument contains no slash, else only considers one
+# specific directory.  Returns an # empty string if the program doesn't exist
+# there.
+find-in-path = $(if $(find-string /, $1), \
+        $(wildcard $1), \
+        $(wildcard $(patsubst %, %/$1, $(subst :, ,$(PATH)))))
+
 # Generate timestamp files for .h include files
 
 %.h: %.h-timestamp
diff --git a/tests/Makefile b/tests/Makefile
index ef575a4..e43ec70 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -3,82 +3,118 @@
 
 $(call set-vpath, $(SRC_PATH)/tests)
 
+QEMU=../i386-linux-user/qemu-i386
+QEMU_X86_64=../x86_64-linux-user/qemu-x86_64
+CC_X86_64=$(CC_I386) -m64
+
 CFLAGS=-Wall -O2 -g -fno-strict-aliasing -I..
 #CFLAGS+=-msse2
 LDFLAGS=
 
-ifeq ($(ARCH),i386)
-TESTS=linux-test testthread sha1-i386 test-i386
+# TODO: automatically detect ARM and MIPS compilers, and run those too
+
+# runcom maps page 0, so it requires root privileges
+# also, pi_10.com runs indefinitely
+
+I386_TESTS=hello-i386 \
+	   linux-test \
+	   testthread \
+	   sha1-i386 \
+	   test-i386 \
+	   test-mmap \
+	   # runcom
+
+# native i386 compilers sometimes are not biarch.  assume cross-compilers are
+ifneq ($(ARCH),i386)
+I386_TESTS+=run-test-x86_64
 endif
-ifeq ($(ARCH),x86_64)
-TESTS=test-x86_64
+
+TESTS = test_path
+ifneq ($(call find-in-path, $(CC_I386)),)
+TESTS += $(I386_TESTS)
 endif
-TESTS+=sha1# test_path
-#TESTS+=test_path
-#TESTS+=runcom
 
-QEMU=../i386-linux-user/qemu-i386
+all: $(patsubst %,run-%,$(TESTS))
+
+# rules to run tests
+
+.PHONY: $(patsubst %,run-%,$(TESTS))
+
+run-%: %
+	-$(QEMU) ./$*
+
+run-hello-i386: hello-i386
+run-linux-test: linux-test
+run-testthread: testthread
+run-sha1-i386: sha1-i386
+
+run-test-i386: test-i386
+	./test-i386 > test-i386.ref
+	-$(QEMU) test-i386 > test-i386.out
+	@if diff -u test-i386.ref test-i386.out ; then echo "Auto Test OK"; fi
+
+run-test-x86_64: test-x86_64
+	./test-x86_64 > test-x86_64.ref
+	-$(QEMU_X86_64) test-x86_64 > test-x86_64.out
+	@if diff -u test-x86_64.ref test-x86_64.out ; then echo "Auto Test OK"; fi
+
+run-test-mmap: test-mmap
+	-$(QEMU) ./test-mmap
+	-$(QEMU) -p 8192 ./test-mmap 8192
+	-$(QEMU) -p 16384 ./test-mmap 16384
+	-$(QEMU) -p 32768 ./test-mmap 32768
+
+run-runcom: runcom
+	-$(QEMU) ./runcom $(SRC_PATH)/tests/pi_10.com
+
+run-test_path: test_path
+	./test_path
+
+# rules to compile tests
 
-all: $(TESTS)
+test_path: test_path.o
+test_path.o: test_path.c
 
 hello-i386: hello-i386.c
-	$(CC) -nostdlib $(CFLAGS) -static $(LDFLAGS) -o $@ $<
+	$(CC_I386) -nostdlib $(CFLAGS) -static $(LDFLAGS) -o $@ $<
 	strip $@
 
 testthread: testthread.c
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -lpthread
-
-test_path: test_path.c
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
-	./$@ || { rm $@; exit 1; }
+	$(CC_I386) $(CFLAGS) $(LDFLAGS) -o $@ $< -lpthread
 
 # i386/x86_64 emulation test (test various opcodes) */
 test-i386: test-i386.c test-i386-code16.S test-i386-vm86.S \
            test-i386.h test-i386-shift.h test-i386-muldiv.h
-	$(CC) -m32 $(CFLAGS) $(LDFLAGS) -static -o $@ \
+	$(CC_I386) $(CFLAGS) $(LDFLAGS) -o $@ \
               $(<D)/test-i386.c $(<D)/test-i386-code16.S $(<D)/test-i386-vm86.S -lm
 
 test-x86_64: test-i386.c \
            test-i386.h test-i386-shift.h test-i386-muldiv.h
-	$(CC) -m64 $(CFLAGS) $(LDFLAGS) -static -o $@ $(<D)/test-i386.c -lm
-
-ifeq ($(ARCH),i386)
-test: test-i386
-	./test-i386 > test-i386.ref
-else
-test:
-endif
-	$(QEMU) test-i386 > test-i386.out
-	@if diff -u test-i386.ref test-i386.out ; then echo "Auto Test OK"; fi
-
-.PHONY: test-mmap
-test-mmap: test-mmap.c
-	$(CC) $(CFLAGS) -Wall -static -O2 $(LDFLAGS) -o $@ $<
-	-./test-mmap
-	-$(QEMU) ./test-mmap
-	-$(QEMU) -p 8192 ./test-mmap 8192
-	-$(QEMU) -p 16384 ./test-mmap 16384
-	-$(QEMU) -p 32768 ./test-mmap 32768
+	$(CC_X86_64) $(CFLAGS) $(LDFLAGS) -o $@ $(<D)/test-i386.c -lm
 
 # generic Linux and CPU test
 linux-test: linux-test.c
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -lm
+	$(CC_I386) $(CFLAGS) $(LDFLAGS) -o $@ $< -lm
+
+# vm86 test
+runcom: runcom.c
+	$(CC_I386) $(CFLAGS) $(LDFLAGS) -o $@ $<
+
+test-mmap: test-mmap.c
+	$(CC_I386) -m32 $(CFLAGS) -Wall -O2 $(LDFLAGS) -o $@ $<
 
 # speed test
 sha1-i386: sha1.c
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+	$(CC_I386) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
 sha1: sha1.c
-	$(HOST_CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
 
 speed: sha1 sha1-i386
 	time ./sha1
 	time $(QEMU) ./sha1-i386
 
-# vm86 test
-runcom: runcom.c
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $<
-
+# broken test
 # NOTE: -fomit-frame-pointer is currently needed : this is a bug in libqemu
 qruncom: qruncom.c ../ioport-user.c ../i386-user/libqemu.a
 	$(CC) $(CFLAGS) -fomit-frame-pointer $(LDFLAGS) -I../target-i386 -I.. -I../i386-user -I../fpu \
commit 48118b020558bb4cde05894d9d8322a20cbb2f8d
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Oct 21 10:18:39 2010 +0200

    fix test_path
    
    path.c grew quite a few new dependencies (mostly via cutils.c),
    include them.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tests/Makefile b/tests/Makefile
index e26b2d7..ef575a4 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -3,7 +3,7 @@
 
 $(call set-vpath, $(SRC_PATH)/tests)
 
-CFLAGS=-Wall -O2 -g -fno-strict-aliasing
+CFLAGS=-Wall -O2 -g -fno-strict-aliasing -I..
 #CFLAGS+=-msse2
 LDFLAGS=
 
diff --git a/tests/test_path.c b/tests/test_path.c
index def7441..234ed97 100644
--- a/tests/test_path.c
+++ b/tests/test_path.c
@@ -1,12 +1,21 @@
 /* Test path override code */
-#define _GNU_SOURCE
+#include "../config-host.h"
+#include "../qemu-malloc.c"
+#include "../cutils.c"
 #include "../path.c"
+#include "../trace.c"
+#ifdef CONFIG_SIMPLE_TRACE
+#include "../simpletrace.c"
+#endif
+
 #include <stdarg.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 
+void qemu_log(const char *fmt, ...);
+
 /* Any log message kills the test. */
-void gemu_log(const char *fmt, ...)
+void qemu_log(const char *fmt, ...)
 {
     va_list ap;
 
commit e311248b6442827820bfc7340ea1401caee3a0f1
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Oct 21 10:18:38 2010 +0200

    make runcom compile on recent distributions
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tests/runcom.c b/tests/runcom.c
index 6380566..d60342b 100644
--- a/tests/runcom.c
+++ b/tests/runcom.c
@@ -13,15 +13,12 @@
 #include <linux/unistd.h>
 #include <asm/vm86.h>
 
-//#define SIGTEST
+extern int vm86 (unsigned long int subfunction,
+		 struct vm86plus_struct *info);
 
-#undef __syscall_return
-#define __syscall_return(type, res) \
-do { \
-	return (type) (res); \
-} while (0)
+#define VIF_MASK                0x00080000
 
-_syscall2(int, vm86, int, func, struct vm86plus_struct *, v86)
+//#define SIGTEST
 
 #define COM_BASE_ADDR    0x10100
 
commit f34f1fed71a6b63a243962b473a3b69358a07fa0
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Oct 21 10:18:37 2010 +0200

    disable test_enter on i386, it is broken
    
    Many other tests fail, but this has an infinite loop with both
    qemu-i386 and native execution (albeit on x86_64), so there is
    something more going on.  I'm not going to debug it now, so just
    disable the test.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tests/test-i386.c b/tests/test-i386.c
index b28b257..8f481c7 100644
--- a/tests/test-i386.c
+++ b/tests/test-i386.c
@@ -2047,6 +2047,10 @@ long enter_stack[4096];
 #define RBP "%%ebp"
 #endif
 
+#if !defined(__x86_64__)
+/* causes an infinite loop, disable it for now.  */
+#define TEST_ENTER(size, stack_type, level)
+#else
 #define TEST_ENTER(size, stack_type, level)\
 {\
     long esp_save, esp_val, ebp_val, ebp_save, i;\
@@ -2078,6 +2082,7 @@ long enter_stack[4096];
     for(ptr = (stack_type *)esp_val; ptr < stack_end; ptr++)\
         printf(FMTLX "\n", (long)ptr[0]);\
 }
+#endif
 
 static void test_enter(void)
 {
commit 9517a9e6a550a141f6e60550e1cec65005273170
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Oct 21 10:18:36 2010 +0200

    unbreak "make" from vpath-built tests directory
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tests/Makefile b/tests/Makefile
index ff7f787..e26b2d7 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,4 +1,5 @@
 -include ../config-host.mak
+-include $(SRC_PATH)/rules.mak
 
 $(call set-vpath, $(SRC_PATH)/tests)
 
commit e6c3b0f7c4c544b7e06b72fb7d9813bb80c8784b
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Oct 21 10:18:35 2010 +0200

    unbreak "make" from tests directory
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 9ed05de..f6a63bc 100755
--- a/configure
+++ b/configure
@@ -2348,6 +2348,7 @@ printf "# Configured with:" >> $config_host_mak
 printf " '%s'" "$0" "$@" >> $config_host_mak
 echo >> $config_host_mak
 
+echo all: >> $config_host_mak
 echo "prefix=$prefix" >> $config_host_mak
 echo "bindir=$bindir" >> $config_host_mak
 echo "mandir=$mandir" >> $config_host_mak
commit 5340c8a0f358f2dccf9b1a92da15c9f9fd25096f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Oct 22 18:26:08 2010 +0000

    mips_fulong2e: fix ram allocation
    
    RAM registration used incorrect offset.
    
    Fix by using the offset obtained previously for this purpose.
    
    Spotted by GCC 4.6.0 20100925 warning, which is also avoided.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index f9723f5..07eb9ee 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -295,7 +295,7 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const char *boot_device,
     ram_offset = qemu_ram_alloc(NULL, "fulong2e.ram", ram_size);
     bios_offset = qemu_ram_alloc(NULL, "fulong2e.bios", bios_size);
 
-    cpu_register_physical_memory(0, ram_size, IO_MEM_RAM);
+    cpu_register_physical_memory(0, ram_size, ram_offset);
     cpu_register_physical_memory(0x1fc00000LL,
 					   bios_size, bios_offset | IO_MEM_ROM);
 
commit 2c80e42395bfe0bf291c082f9399431e1ff9d758
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Wed Oct 13 20:54:27 2010 +0200

    Replace remaining gcc format attributes by macro GCC_FMT_ATTR (format checking)
    
    Replace the remaining format attribute printf by macro
    GCC_FMT_ATTR which uses gnu_printf (if supported).
    
    v2
    * Removal of dyngen specific code is now done in a separate patch.
    * Handle attribute in new ui/spice-display.c, too.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cpu-all.h b/cpu-all.h
index 67a3266..11edddc 100644
--- a/cpu-all.h
+++ b/cpu-all.h
@@ -773,7 +773,7 @@ void cpu_dump_statistics (CPUState *env, FILE *f,
                           int flags);
 
 void QEMU_NORETURN cpu_abort(CPUState *env, const char *fmt, ...)
-    __attribute__ ((__format__ (__printf__, 2, 3)));
+    GCC_FMT_ATTR(2, 3);
 extern CPUState *first_cpu;
 extern CPUState *cpu_single_env;
 
diff --git a/ui/spice-display.c b/ui/spice-display.c
index 6702dfd..7b4f5c1 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -29,8 +29,7 @@
 
 static int debug = 0;
 
-static void __attribute__((format(printf,2,3)))
-dprint(int level, const char *fmt, ...)
+static void GCC_FMT_ATTR(2, 3) dprint(int level, const char *fmt, ...)
 {
     va_list args;
 
commit 47b01cf3a16b9526f99084e99de13dfd9072882e
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Wed Oct 13 20:54:26 2010 +0200

    Remove special handling of system include files (no longer needed)
    
    The formerly used dyngen code did not work with
    system include files like stdio.h.
    
    Tests with Linux, OSX and Win32 show that this
    restriction is no longer needed.
    
    So we hopefully can remove that special piece of code.
    This results in cleaner code and allows better use of
    the new GCC_FMT_ATTR macro.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/cris-dis.c b/cris-dis.c
index 455ba8a..afd775c 100644
--- a/cris-dis.c
+++ b/cris-dis.c
@@ -18,13 +18,11 @@
    You should have received a copy of the GNU General Public License
    along with this program; if not, see <http://www.gnu.org/licenses/>. */
 
+#include "qemu-common.h"
 #include "dis-asm.h"
 //#include "sysdep.h"
 #include "target-cris/opcode-cris.h"
 //#include "libiberty.h"
-
-
-void *qemu_malloc(size_t len); /* can't include qemu-common.h here */
 
 #define CONST_STRNEQ(STR1,STR2) (strncmp ((STR1), (STR2), sizeof (STR2) - 1) == 0)
 
diff --git a/disas.h b/disas.h
index 6a9332d..f9287f7 100644
--- a/disas.h
+++ b/disas.h
@@ -8,11 +8,8 @@
 void disas(FILE *out, void *code, unsigned long size);
 void target_disas(FILE *out, target_ulong code, target_ulong size, int flags);
 
-/* The usual mess... FIXME: Remove this condition once dyngen-exec.h is gone */
-#ifndef __DYNGEN_EXEC_H__
 void monitor_disas(Monitor *mon, CPUState *env,
                    target_ulong pc, int nb_insn, int is_physical, int flags);
-#endif
 
 /* Look up symbol for debugging purpose.  Returns "" if unknown. */
 const char *lookup_symbol(target_ulong orig_addr);
diff --git a/dyngen-exec.h b/dyngen-exec.h
index 5bfef3f..db00fba 100644
--- a/dyngen-exec.h
+++ b/dyngen-exec.h
@@ -19,19 +19,7 @@
 #if !defined(__DYNGEN_EXEC_H__)
 #define __DYNGEN_EXEC_H__
 
-/* prevent Solaris from trying to typedef FILE in gcc's
-   include/floatingpoint.h which will conflict with the
-   definition down below */
-#ifdef __sun__
-#define _FILEDEFED
-#endif
-
-/* NOTE: standard headers should be used with special care at this
-   point because host CPU registers are used as global variables. Some
-   host headers do not allow that. */
-#include <stddef.h>
-#include <stdint.h>
-#include <stdbool.h>
+#include "qemu-common.h"
 
 #ifdef __OpenBSD__
 #include <sys/types.h>
@@ -40,15 +28,6 @@
 /* XXX: This may be wrong for 64-bit ILP32 hosts.  */
 typedef void * host_reg_t;
 
-#ifdef CONFIG_BSD
-typedef struct __sFILE FILE;
-#else
-typedef struct FILE FILE;
-#endif
-extern int fprintf(FILE *, const char *, ...);
-extern int fputs(const char *, FILE *);
-extern int printf(const char *, ...);
-
 #if defined(__i386__)
 #define AREG0 "ebp"
 #elif defined(__x86_64__)
diff --git a/qemu-common.h b/qemu-common.h
index 81aafa0..d5ae420 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -18,11 +18,6 @@ typedef struct QEMUFile QEMUFile;
 typedef struct QEMUBH QEMUBH;
 typedef struct DeviceState DeviceState;
 
-/* Hack around the mess dyngen-exec.h causes: We need QEMU_NORETURN in files that
-   cannot include the following headers without conflicts. This condition has
-   to be removed once dyngen is gone. */
-#ifndef __DYNGEN_EXEC_H__
-
 /* we put basic includes here to avoid repeating them in device drivers */
 #include <stdlib.h>
 #include <stdio.h>
@@ -318,6 +313,4 @@ static inline uint8_t from_bcd(uint8_t val)
 
 #include "module.h"
 
-#endif /* dyngen-exec.h hack */
-
 #endif
commit 401c2d06086c27fa1a7d8b1549cfc7c447f28d64
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Oct 22 13:50:23 2010 -0200

    fix kvm-stub.c typo
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-stub.c b/kvm-stub.c
index 07be036..5e57732 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -185,4 +185,4 @@ int kvm_set_irq(int irq, int level, int *status)
 int kvm_on_sigbus(int code, void *addr)
 {
     return 1;
-{
+}
commit 067f508c43728e08cfd9110a5e74cd4db4fa3a3e
Merge: 9de479a... 18efa4c...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Oct 22 13:47:58 2010 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge:
      curses: Fix control-{@[\]^_} and ESC
      kvm: save/restore x86-64 MSRs on x86-64 kernels
      kvm: writeback SMP TSCs on migration only
      kvm: factor out kvm_has_msr_star
      kvm: add save/restore of MSR_VM_HSAVE_PA
      Fix build on !KVM_CAP_MCE
      x86, mce: broadcast mce depending on the cpu version
      x86, mce: ignore SRAO only when MCG_SER_P is available
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 18efa4c3abdb6ee932a637900b66c146c3df958d
Merge: 03dad62... dbb1413...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Oct 22 11:57:45 2010 -0200

    Merge commit 'dbb1413589512574519abcf52a9a7127ddc7844b' into upstream-merge
    
    * commit 'dbb1413589512574519abcf52a9a7127ddc7844b':
      curses: Fix control-{@[\]^_} and ESC
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 03dad62368300e9f287ca0cdc5833a5f8737ef82
Merge: 65160cf... 25d2e36...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Oct 22 11:56:01 2010 -0200

    Merge commit '25d2e3613d159782b66f497184ebdcf3ccb686ab' into upstream-merge
    
    * commit '25d2e3613d159782b66f497184ebdcf3ccb686ab':
      kvm: save/restore x86-64 MSRs on x86-64 kernels
      kvm: writeback SMP TSCs on migration only
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc qemu-kvm-x86.c
index 129356c,0000000..bd97864
mode 100644,000000..100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@@ -1,1359 -1,0 +1,1359 @@@
 +/*
 + * qemu/kvm integration, x86 specific code
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "gdbstub.h"
 +#include <sys/io.h>
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <linux/kvm_para.h>
 +#include <sys/ioctl.h>
 +
 +#include "kvm.h"
 +#include "hw/apic.h"
 +
 +#define MSR_IA32_TSC            0x10
 +
 +static struct kvm_msr_list *kvm_msr_list;
 +extern unsigned int kvm_shadow_memory;
 +static int kvm_has_msr_star;
 +static int kvm_has_vm_hsave_pa;
 +
- static int lm_capable_kernel;
++static int _lm_capable_kernel;
 +
 +int kvm_set_tss_addr(kvm_context_t kvm, unsigned long addr)
 +{
 +    int r;
 +    /*
 +     * Tell fw_cfg to notify the BIOS to reserve the range.
 +     */
 +    if (e820_add_entry(addr, 0x4000, E820_RESERVED) < 0) {
 +        perror("e820_add_entry() table is full");
 +        exit(1);
 +    }
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_TSS_ADDR, addr);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_set_tss_addr: %m\n");
 +        return r;
 +    }
 +    return 0;
 +}
 +
 +static int kvm_init_tss(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_TSS_ADDR);
 +    if (r > 0) {
 +        /*
 +         * this address is 3 pages before the bios, and the bios should present
 +         * as unavaible memory
 +         */
 +        r = kvm_set_tss_addr(kvm, 0xfeffd000);
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_init_tss: unable to set tss addr\n");
 +            return r;
 +        }
 +    } else {
 +        fprintf(stderr, "kvm does not support KVM_CAP_SET_TSS_ADDR\n");
 +    }
 +    return 0;
 +}
 +
 +static int kvm_set_identity_map_addr(kvm_context_t kvm, uint64_t addr)
 +{
 +#ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
 +    if (r > 0) {
 +        r = kvm_vm_ioctl(kvm_state, KVM_SET_IDENTITY_MAP_ADDR, &addr);
 +        if (r == -1) {
 +            fprintf(stderr, "kvm_set_identity_map_addr: %m\n");
 +            return -errno;
 +        }
 +        return 0;
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +static int kvm_init_identity_map_page(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
 +    if (r > 0) {
 +        /*
 +         * this address is 4 pages before the bios, and the bios should present
 +         * as unavaible memory
 +         */
 +        r = kvm_set_identity_map_addr(kvm, 0xfeffc000);
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_init_identity_map_page: "
 +                    "unable to set identity mapping addr\n");
 +            return r;
 +        }
 +    }
 +#endif
 +    return 0;
 +}
 +
 +static int kvm_create_pit(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_PIT
 +    int r;
 +
 +    kvm_state->pit_in_kernel = 0;
 +    if (!kvm->no_pit_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_PIT);
 +        if (r > 0) {
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_PIT);
 +            if (r >= 0) {
 +                kvm_state->pit_in_kernel = 1;
 +            } else {
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +                return r;
 +            }
 +        }
 +    }
 +#endif
 +    return 0;
 +}
 +
 +int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +                        void **vm_mem)
 +{
 +    int r = 0;
 +
 +    r = kvm_init_tss(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    r = kvm_init_identity_map_page(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    r = kvm_create_pit(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    r = kvm_init_coalesced_mmio(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_EXIT_TPR_ACCESS
 +
 +static int kvm_handle_tpr_access(CPUState *env)
 +{
 +    struct kvm_run *run = env->kvm_run;
 +    kvm_tpr_access_report(env,
 +                          run->tpr_access.rip,
 +                          run->tpr_access.is_write);
 +    return 0;
 +}
 +
 +
 +int kvm_enable_vapic(CPUState *env, uint64_t vapic)
 +{
 +    struct kvm_vapic_addr va = {
 +        .vapic_addr = vapic,
 +    };
 +
 +    return kvm_vcpu_ioctl(env, KVM_SET_VAPIC_ADDR, &va);
 +}
 +
 +#endif
 +
 +int kvm_arch_run(CPUState *env)
 +{
 +    int r = 0;
 +    struct kvm_run *run = env->kvm_run;
 +
 +    switch (run->exit_reason) {
 +#ifdef KVM_EXIT_SET_TPR
 +    case KVM_EXIT_SET_TPR:
 +        break;
 +#endif
 +#ifdef KVM_EXIT_TPR_ACCESS
 +    case KVM_EXIT_TPR_ACCESS:
 +        r = kvm_handle_tpr_access(env);
 +        break;
 +#endif
 +    default:
 +        r = 1;
 +        break;
 +    }
 +
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s)
 +{
 +    int r = 0;
 +
 +    if (!kvm_irqchip_in_kernel()) {
 +        return r;
 +    }
 +
 +    r = kvm_vcpu_ioctl(env, KVM_GET_LAPIC, s);
 +    if (r < 0) {
 +        fprintf(stderr, "KVM_GET_LAPIC failed\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s)
 +{
 +    int r = 0;
 +
 +    if (!kvm_irqchip_in_kernel()) {
 +        return 0;
 +    }
 +
 +    r = kvm_vcpu_ioctl(env, KVM_SET_LAPIC, s);
 +
 +    if (r < 0) {
 +        fprintf(stderr, "KVM_SET_LAPIC failed\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +#ifdef KVM_CAP_PIT
 +
 +int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_GET_PIT, s);
 +}
 +
 +int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_PIT, s);
 +}
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, ps2);
 +}
 +
 +int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_PIT2, ps2);
 +}
 +
 +#endif
 +#endif
 +
 +int kvm_has_pit_state2(kvm_context_t kvm)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +    r = kvm_check_extension(kvm_state, KVM_CAP_PIT_STATE2);
 +#endif
 +    return r;
 +}
 +
 +void kvm_show_code(CPUState *env)
 +{
 +#define SHOW_CODE_LEN 50
 +    struct kvm_regs regs;
 +    struct kvm_sregs sregs;
 +    int r, n;
 +    int back_offset;
 +    unsigned char code;
 +    char code_str[SHOW_CODE_LEN * 3 + 1];
 +    unsigned long rip;
 +
 +    r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
 +    if (r < 0 ) {
 +        perror("KVM_GET_SREGS");
 +        return;
 +    }
 +    r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
 +    if (r < 0) {
 +        perror("KVM_GET_REGS");
 +        return;
 +    }
 +    rip = sregs.cs.base + regs.rip;
 +    back_offset = regs.rip;
 +    if (back_offset > 20) {
 +        back_offset = 20;
 +    }
 +    *code_str = 0;
 +    for (n = -back_offset; n < SHOW_CODE_LEN-back_offset; ++n) {
 +        if (n == 0) {
 +            strcat(code_str, " -->");
 +        }
 +        cpu_physical_memory_rw(rip + n, &code, 1, 1);
 +        sprintf(code_str + strlen(code_str), " %02x", code);
 +    }
 +    fprintf(stderr, "code:%s\n", code_str);
 +}
 +
 +
 +/*
 + * Returns available msr list.  User must free.
 + */
 +static struct kvm_msr_list *kvm_get_msr_list(void)
 +{
 +    struct kvm_msr_list sizer, *msrs;
 +    int r;
 +
 +    sizer.nmsrs = 0;
 +    r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, &sizer);
 +    if (r < 0 && r != -E2BIG) {
 +        return NULL;
 +    }
 +    /* Old kernel modules had a bug and could write beyond the provided
 +       memory. Allocate at least a safe amount of 1K. */
 +    msrs = qemu_malloc(MAX(1024, sizeof(*msrs) +
 +                           sizer.nmsrs * sizeof(*msrs->indices)));
 +
 +    msrs->nmsrs = sizer.nmsrs;
 +    r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, msrs);
 +    if (r < 0) {
 +        free(msrs);
 +        errno = r;
 +        return NULL;
 +    }
 +    return msrs;
 +}
 +
 +int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
 +{
 +    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
 +    int r;
 +
 +    kmsrs->nmsrs = n;
 +    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
 +    r = kvm_vcpu_ioctl(env, KVM_GET_MSRS, kmsrs);
 +    memcpy(msrs, kmsrs->entries, n * sizeof *msrs);
 +    free(kmsrs);
 +    return r;
 +}
 +
 +int kvm_set_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
 +{
 +    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
 +    int r;
 +
 +    kmsrs->nmsrs = n;
 +    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
 +    r = kvm_vcpu_ioctl(env, KVM_SET_MSRS, kmsrs);
 +    free(kmsrs);
 +    return r;
 +}
 +
 +static void print_seg(FILE *file, const char *name, struct kvm_segment *seg)
 +{
 +    fprintf(stderr,
 +            "%s %04x (%08llx/%08x p %d dpl %d db %d s %d type %x l %d"
 +            " g %d avl %d)\n",
 +            name, seg->selector, seg->base, seg->limit, seg->present,
 +            seg->dpl, seg->db, seg->s, seg->type, seg->l, seg->g,
 +            seg->avl);
 +}
 +
 +static void print_dt(FILE *file, const char *name, struct kvm_dtable *dt)
 +{
 +    fprintf(stderr, "%s %llx/%x\n", name, dt->base, dt->limit);
 +}
 +
 +void kvm_show_regs(CPUState *env)
 +{
 +    struct kvm_regs regs;
 +    struct kvm_sregs sregs;
 +    int r;
 +
 +    r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
 +    if (r < 0) {
 +        perror("KVM_GET_REGS");
 +        return;
 +    }
 +    fprintf(stderr,
 +            "rax %016llx rbx %016llx rcx %016llx rdx %016llx\n"
 +            "rsi %016llx rdi %016llx rsp %016llx rbp %016llx\n"
 +            "r8  %016llx r9  %016llx r10 %016llx r11 %016llx\n"
 +            "r12 %016llx r13 %016llx r14 %016llx r15 %016llx\n"
 +            "rip %016llx rflags %08llx\n",
 +            regs.rax, regs.rbx, regs.rcx, regs.rdx,
 +            regs.rsi, regs.rdi, regs.rsp, regs.rbp,
 +            regs.r8,  regs.r9,  regs.r10, regs.r11,
 +            regs.r12, regs.r13, regs.r14, regs.r15,
 +            regs.rip, regs.rflags);
 +    r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
 +    if (r < 0) {
 +        perror("KVM_GET_SREGS");
 +        return;
 +    }
 +    print_seg(stderr, "cs", &sregs.cs);
 +    print_seg(stderr, "ds", &sregs.ds);
 +    print_seg(stderr, "es", &sregs.es);
 +    print_seg(stderr, "ss", &sregs.ss);
 +    print_seg(stderr, "fs", &sregs.fs);
 +    print_seg(stderr, "gs", &sregs.gs);
 +    print_seg(stderr, "tr", &sregs.tr);
 +    print_seg(stderr, "ldt", &sregs.ldt);
 +    print_dt(stderr, "gdt", &sregs.gdt);
 +    print_dt(stderr, "idt", &sregs.idt);
 +    fprintf(stderr, "cr0 %llx cr2 %llx cr3 %llx cr4 %llx cr8 %llx"
 +            " efer %llx\n",
 +            sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4, sregs.cr8,
 +            sregs.efer);
 +}
 +
 +static void kvm_set_cr8(CPUState *env, uint64_t cr8)
 +{
 +    env->kvm_run->cr8 = cr8;
 +}
 +
 +int kvm_setup_cpuid(CPUState *env, int nent,
 +                    struct kvm_cpuid_entry *entries)
 +{
 +    struct kvm_cpuid *cpuid;
 +    int r;
 +
 +    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
 +
 +    cpuid->nent = nent;
 +    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
 +    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID, cpuid);
 +
 +    free(cpuid);
 +    return r;
 +}
 +
 +int kvm_setup_cpuid2(CPUState *env, int nent,
 +                     struct kvm_cpuid_entry2 *entries)
 +{
 +    struct kvm_cpuid2 *cpuid;
 +    int r;
 +
 +    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
 +
 +    cpuid->nent = nent;
 +    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
 +    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID2, cpuid);
 +    free(cpuid);
 +    return r;
 +}
 +
 +int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages)
 +{
 +#ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
 +    if (r > 0) {
 +        r = kvm_vm_ioctl(kvm_state, KVM_SET_NR_MMU_PAGES, nrshadow_pages);
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_set_shadow_pages: %m\n");
 +            return r;
 +        }
 +        return 0;
 +    }
 +#endif
 +    return -1;
 +}
 +
 +int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages)
 +{
 +#ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
 +    if (r > 0) {
 +        *nrshadow_pages = kvm_vm_ioctl(kvm_state, KVM_GET_NR_MMU_PAGES);
 +        return 0;
 +    }
 +#endif
 +    return -1;
 +}
 +
 +#ifdef KVM_CAP_VAPIC
 +static int kvm_enable_tpr_access_reporting(CPUState *env)
 +{
 +    int r;
 +    struct kvm_tpr_access_ctl tac = { .enabled = 1 };
 +
 +    r = kvm_ioctl(env->kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_VAPIC);
 +    if (r <= 0) {
 +        return -ENOSYS;
 +    }
 +    return kvm_vcpu_ioctl(env, KVM_TPR_ACCESS_REPORTING, &tac);
 +}
 +#endif
 +
 +#ifdef KVM_CAP_ADJUST_CLOCK
 +static struct kvm_clock_data kvmclock_data;
 +
 +static void kvmclock_pre_save(void *opaque)
 +{
 +    struct kvm_clock_data *cl = opaque;
 +
 +    kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, cl);
 +}
 +
 +static int kvmclock_post_load(void *opaque, int version_id)
 +{
 +    struct kvm_clock_data *cl = opaque;
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, cl);
 +}
 +
 +static const VMStateDescription vmstate_kvmclock= {
 +    .name = "kvmclock",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .minimum_version_id_old = 1,
 +    .pre_save = kvmclock_pre_save,
 +    .post_load = kvmclock_post_load,
 +    .fields      = (VMStateField []) {
 +        VMSTATE_U64(clock, struct kvm_clock_data),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +#endif
 +
 +int kvm_arch_qemu_create_context(void)
 +{
 +    int i, r;
 +    struct utsname utsname;
 +
 +    uname(&utsname);
-     lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
++    _lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
 +
 +    if (kvm_shadow_memory) {
 +        kvm_set_shadow_pages(kvm_context, kvm_shadow_memory);
 +    }
 +
 +    kvm_msr_list = kvm_get_msr_list();
 +    if (!kvm_msr_list) {
 +        return -1;
 +    }
 +    for (i = 0; i < kvm_msr_list->nmsrs; ++i) {
 +        if (kvm_msr_list->indices[i] == MSR_STAR) {
 +            kvm_has_msr_star = 1;
 +        }
 +        if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA) {
 +            kvm_has_vm_hsave_pa = 1;
 +        }
 +    }
 +
 +#ifdef KVM_CAP_ADJUST_CLOCK
 +    if (kvm_check_extension(kvm_state, KVM_CAP_ADJUST_CLOCK)) {
 +        vmstate_register(NULL, 0, &vmstate_kvmclock, &kvmclock_data);
 +    }
 +#endif
 +
 +    r = kvm_set_boot_cpu_id(0);
 +    if (r < 0 && r != -ENOSYS) {
 +        return r;
 +    }
 +
 +    return 0;
 +}
 +
 +/* returns 0 on success, non-0 on failure */
 +static int get_msr_entry(struct kvm_msr_entry *entry, CPUState *env)
 +{
 +    switch (entry->index) {
 +    case MSR_IA32_SYSENTER_CS:
 +        env->sysenter_cs  = entry->data;
 +        break;
 +    case MSR_IA32_SYSENTER_ESP:
 +        env->sysenter_esp = entry->data;
 +        break;
 +    case MSR_IA32_SYSENTER_EIP:
 +        env->sysenter_eip = entry->data;
 +        break;
 +    case MSR_STAR:
 +        env->star         = entry->data;
 +        break;
 +#ifdef TARGET_X86_64
 +    case MSR_CSTAR:
 +        env->cstar        = entry->data;
 +        break;
 +    case MSR_KERNELGSBASE:
 +        env->kernelgsbase = entry->data;
 +        break;
 +    case MSR_FMASK:
 +        env->fmask        = entry->data;
 +        break;
 +    case MSR_LSTAR:
 +        env->lstar        = entry->data;
 +        break;
 +#endif
 +    case MSR_IA32_TSC:
 +        env->tsc          = entry->data;
 +        break;
 +    case MSR_VM_HSAVE_PA:
 +        env->vm_hsave     = entry->data;
 +        break;
 +    case MSR_KVM_SYSTEM_TIME:
 +        env->system_time_msr = entry->data;
 +        break;
 +    case MSR_KVM_WALL_CLOCK:
 +        env->wall_clock_msr = entry->data;
 +        break;
 +#ifdef KVM_CAP_MCE
 +    case MSR_MCG_STATUS:
 +        env->mcg_status = entry->data;
 +        break;
 +    case MSR_MCG_CTL:
 +        env->mcg_ctl = entry->data;
 +        break;
 +#endif
 +    default:
 +#ifdef KVM_CAP_MCE
 +        if (entry->index >= MSR_MC0_CTL &&
 +            entry->index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
 +            env->mce_banks[entry->index - MSR_MC0_CTL] = entry->data;
 +            break;
 +        }
 +#endif
 +        printf("Warning unknown msr index 0x%x\n", entry->index);
 +        return 1;
 +    }
 +    return 0;
 +}
 +
 +static void kvm_arch_save_mpstate(CPUState *env)
 +{
 +#ifdef KVM_CAP_MP_STATE
 +    int r;
 +    struct kvm_mp_state mp_state;
 +
 +    r = kvm_get_mpstate(env, &mp_state);
 +    if (r < 0) {
 +        env->mp_state = -1;
 +    } else {
 +        env->mp_state = mp_state.mp_state;
 +        if (kvm_irqchip_in_kernel()) {
 +            env->halted = (env->mp_state == KVM_MP_STATE_HALTED);
 +        }
 +    }
 +#else
 +    env->mp_state = -1;
 +#endif
 +}
 +
 +static void kvm_arch_load_mpstate(CPUState *env)
 +{
 +#ifdef KVM_CAP_MP_STATE
 +    struct kvm_mp_state mp_state;
 +
 +    /*
 +     * -1 indicates that the host did not support GET_MP_STATE ioctl,
 +     *  so don't touch it.
 +     */
 +    if (env->mp_state != -1) {
 +        mp_state.mp_state = env->mp_state;
 +        kvm_set_mpstate(env, &mp_state);
 +    }
 +#endif
 +}
 +
 +static void kvm_reset_mpstate(CPUState *env)
 +{
 +#ifdef KVM_CAP_MP_STATE
 +    if (kvm_check_extension(kvm_state, KVM_CAP_MP_STATE)) {
 +        if (kvm_irqchip_in_kernel()) {
 +            env->mp_state = cpu_is_bsp(env) ? KVM_MP_STATE_RUNNABLE :
 +                                              KVM_MP_STATE_UNINITIALIZED;
 +        } else {
 +            env->mp_state = KVM_MP_STATE_RUNNABLE;
 +        }
 +    }
 +#endif
 +}
 +
 +static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
 +{
 +    lhs->selector = rhs->selector;
 +    lhs->base = rhs->base;
 +    lhs->limit = rhs->limit;
 +    lhs->type = 3;
 +    lhs->present = 1;
 +    lhs->dpl = 3;
 +    lhs->db = 0;
 +    lhs->s = 1;
 +    lhs->l = 0;
 +    lhs->g = 0;
 +    lhs->avl = 0;
 +    lhs->unusable = 0;
 +}
 +
 +static void set_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
 +{
 +    unsigned flags = rhs->flags;
 +    lhs->selector = rhs->selector;
 +    lhs->base = rhs->base;
 +    lhs->limit = rhs->limit;
 +    lhs->type = (flags >> DESC_TYPE_SHIFT) & 15;
 +    lhs->present = (flags & DESC_P_MASK) != 0;
 +    lhs->dpl = rhs->selector & 3;
 +    lhs->db = (flags >> DESC_B_SHIFT) & 1;
 +    lhs->s = (flags & DESC_S_MASK) != 0;
 +    lhs->l = (flags >> DESC_L_SHIFT) & 1;
 +    lhs->g = (flags & DESC_G_MASK) != 0;
 +    lhs->avl = (flags & DESC_AVL_MASK) != 0;
 +    lhs->unusable = 0;
 +}
 +
 +static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
 +{
 +    lhs->selector = rhs->selector;
 +    lhs->base = rhs->base;
 +    lhs->limit = rhs->limit;
 +    lhs->flags =
 +        (rhs->type << DESC_TYPE_SHIFT)
 +        | (rhs->present * DESC_P_MASK)
 +        | (rhs->dpl << DESC_DPL_SHIFT)
 +        | (rhs->db << DESC_B_SHIFT)
 +        | (rhs->s * DESC_S_MASK)
 +        | (rhs->l << DESC_L_SHIFT)
 +        | (rhs->g * DESC_G_MASK)
 +        | (rhs->avl * DESC_AVL_MASK);
 +}
 +
 +#define XSAVE_CWD_RIP     2
 +#define XSAVE_CWD_RDP     4
 +#define XSAVE_MXCSR       6
 +#define XSAVE_ST_SPACE    8
 +#define XSAVE_XMM_SPACE   40
 +#define XSAVE_XSTATE_BV   128
 +#define XSAVE_YMMH_SPACE  144
 +
 +void kvm_arch_load_regs(CPUState *env, int level)
 +{
 +    struct kvm_regs regs;
 +    struct kvm_fpu fpu;
 +    struct kvm_sregs sregs;
 +    struct kvm_msr_entry msrs[100];
 +    int rc, n, i;
 +
 +    assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 +
 +    regs.rax = env->regs[R_EAX];
 +    regs.rbx = env->regs[R_EBX];
 +    regs.rcx = env->regs[R_ECX];
 +    regs.rdx = env->regs[R_EDX];
 +    regs.rsi = env->regs[R_ESI];
 +    regs.rdi = env->regs[R_EDI];
 +    regs.rsp = env->regs[R_ESP];
 +    regs.rbp = env->regs[R_EBP];
 +#ifdef TARGET_X86_64
 +    regs.r8 = env->regs[8];
 +    regs.r9 = env->regs[9];
 +    regs.r10 = env->regs[10];
 +    regs.r11 = env->regs[11];
 +    regs.r12 = env->regs[12];
 +    regs.r13 = env->regs[13];
 +    regs.r14 = env->regs[14];
 +    regs.r15 = env->regs[15];
 +#endif
 +
 +    regs.rflags = env->eflags;
 +    regs.rip = env->eip;
 +
 +    kvm_set_regs(env, &regs);
 +
 +#ifdef KVM_CAP_XSAVE
 +    if (kvm_check_extension(kvm_state, KVM_CAP_XSAVE)) {
 +        struct kvm_xsave* xsave;
 +
 +        uint16_t cwd, swd, twd, fop;
 +
 +        xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
 +        memset(xsave, 0, sizeof(struct kvm_xsave));
 +        cwd = swd = twd = fop = 0;
 +        swd = env->fpus & ~(7 << 11);
 +        swd |= (env->fpstt & 7) << 11;
 +        cwd = env->fpuc;
 +        for (i = 0; i < 8; ++i) {
 +            twd |= (!env->fptags[i]) << i;
 +        }
 +        xsave->region[0] = (uint32_t)(swd << 16) + cwd;
 +        xsave->region[1] = (uint32_t)(fop << 16) + twd;
 +        memcpy(&xsave->region[XSAVE_ST_SPACE], env->fpregs,
 +               sizeof env->fpregs);
 +        memcpy(&xsave->region[XSAVE_XMM_SPACE], env->xmm_regs,
 +               sizeof env->xmm_regs);
 +        xsave->region[XSAVE_MXCSR] = env->mxcsr;
 +        *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV] = env->xstate_bv;
 +        memcpy(&xsave->region[XSAVE_YMMH_SPACE], env->ymmh_regs,
 +               sizeof env->ymmh_regs);
 +        kvm_set_xsave(env, xsave);
 +        if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
 +            struct kvm_xcrs xcrs;
 +
 +            xcrs.nr_xcrs = 1;
 +            xcrs.flags = 0;
 +            xcrs.xcrs[0].xcr = 0;
 +            xcrs.xcrs[0].value = env->xcr0;
 +            kvm_set_xcrs(env, &xcrs);
 +        }
 +        qemu_free(xsave);
 +    } else {
 +#endif
 +        memset(&fpu, 0, sizeof fpu);
 +        fpu.fsw = env->fpus & ~(7 << 11);
 +        fpu.fsw |= (env->fpstt & 7) << 11;
 +        fpu.fcw = env->fpuc;
 +        for (i = 0; i < 8; ++i) {
 +            fpu.ftwx |= (!env->fptags[i]) << i;
 +        }
 +        memcpy(fpu.fpr, env->fpregs, sizeof env->fpregs);
 +        memcpy(fpu.xmm, env->xmm_regs, sizeof env->xmm_regs);
 +        fpu.mxcsr = env->mxcsr;
 +        kvm_set_fpu(env, &fpu);
 +#ifdef KVM_CAP_XSAVE
 +    }
 +#endif
 +
 +    memset(sregs.interrupt_bitmap, 0, sizeof(sregs.interrupt_bitmap));
 +    if (env->interrupt_injected >= 0) {
 +        sregs.interrupt_bitmap[env->interrupt_injected / 64] |=
 +                (uint64_t)1 << (env->interrupt_injected % 64);
 +    }
 +
 +    if ((env->eflags & VM_MASK)) {
 +        set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
 +        set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
 +        set_v8086_seg(&sregs.es, &env->segs[R_ES]);
 +        set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
 +        set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
 +        set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
 +    } else {
 +        set_seg(&sregs.cs, &env->segs[R_CS]);
 +        set_seg(&sregs.ds, &env->segs[R_DS]);
 +        set_seg(&sregs.es, &env->segs[R_ES]);
 +        set_seg(&sregs.fs, &env->segs[R_FS]);
 +        set_seg(&sregs.gs, &env->segs[R_GS]);
 +        set_seg(&sregs.ss, &env->segs[R_SS]);
 +
 +        if (env->cr[0] & CR0_PE_MASK) {
 +            /* force ss cpl to cs cpl */
 +            sregs.ss.selector = (sregs.ss.selector & ~3) |
 +                (sregs.cs.selector & 3);
 +            sregs.ss.dpl = sregs.ss.selector & 3;
 +        }
 +    }
 +
 +    set_seg(&sregs.tr, &env->tr);
 +    set_seg(&sregs.ldt, &env->ldt);
 +
 +    sregs.idt.limit = env->idt.limit;
 +    sregs.idt.base = env->idt.base;
 +    sregs.gdt.limit = env->gdt.limit;
 +    sregs.gdt.base = env->gdt.base;
 +
 +    sregs.cr0 = env->cr[0];
 +    sregs.cr2 = env->cr[2];
 +    sregs.cr3 = env->cr[3];
 +    sregs.cr4 = env->cr[4];
 +
 +    sregs.cr8 = cpu_get_apic_tpr(env->apic_state);
 +    sregs.apic_base = cpu_get_apic_base(env->apic_state);
 +
 +    sregs.efer = env->efer;
 +
 +    kvm_set_sregs(env, &sregs);
 +
 +    /* msrs */
 +    n = 0;
 +    /* Remember to increase msrs size if you add new registers below */
 +    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS,  env->sysenter_cs);
 +    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
 +    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
 +    if (kvm_has_msr_star) {
 +        kvm_msr_entry_set(&msrs[n++], MSR_STAR,              env->star);
 +    }
 +    if (kvm_has_vm_hsave_pa) {
 +        kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
 +    }
 +#ifdef TARGET_X86_64
-     if (lm_capable_kernel) {
++    if (_lm_capable_kernel) {
 +        kvm_msr_entry_set(&msrs[n++], MSR_CSTAR,             env->cstar);
 +        kvm_msr_entry_set(&msrs[n++], MSR_KERNELGSBASE,      env->kernelgsbase);
 +        kvm_msr_entry_set(&msrs[n++], MSR_FMASK,             env->fmask);
 +        kvm_msr_entry_set(&msrs[n++], MSR_LSTAR  ,           env->lstar);
 +    }
 +#endif
 +    if (level == KVM_PUT_FULL_STATE) {
 +        /*
 +         * KVM is yet unable to synchronize TSC values of multiple VCPUs on
 +         * writeback. Until this is fixed, we only write the offset to SMP
 +         * guests after migration, desynchronizing the VCPUs, but avoiding
 +         * huge jump-backs that would occur without any writeback at all.
 +         */
 +        if (smp_cpus == 1 || env->tsc != 0) {
 +            kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSC, env->tsc);
 +        }
 +        kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME, env->system_time_msr);
 +        kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
 +    }
 +#ifdef KVM_CAP_MCE
 +    if (env->mcg_cap) {
 +        if (level == KVM_PUT_RESET_STATE) {
 +            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
 +        } else if (level == KVM_PUT_FULL_STATE) {
 +            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
 +            kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
 +            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++) {
 +                kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
 +            }
 +        }
 +    }
 +#endif
 +
 +    rc = kvm_set_msrs(env, msrs, n);
 +    if (rc == -1) {
 +        perror("kvm_set_msrs FAILED");
 +    }
 +
 +    if (level >= KVM_PUT_RESET_STATE) {
 +        kvm_arch_load_mpstate(env);
 +        kvm_load_lapic(env);
 +    }
 +    if (level == KVM_PUT_FULL_STATE) {
 +        if (env->kvm_vcpu_update_vapic) {
 +            kvm_tpr_enable_vapic(env);
 +        }
 +    }
 +
 +    kvm_put_vcpu_events(env, level);
 +    kvm_put_debugregs(env);
 +
 +    /* must be last */
 +    kvm_guest_debug_workarounds(env);
 +}
 +
 +void kvm_arch_save_regs(CPUState *env)
 +{
 +    struct kvm_regs regs;
 +    struct kvm_fpu fpu;
 +    struct kvm_sregs sregs;
 +    struct kvm_msr_entry msrs[100];
 +    uint32_t hflags;
 +    uint32_t i, n, rc, bit;
 +
 +    assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 +
 +    kvm_get_regs(env, &regs);
 +
 +    env->regs[R_EAX] = regs.rax;
 +    env->regs[R_EBX] = regs.rbx;
 +    env->regs[R_ECX] = regs.rcx;
 +    env->regs[R_EDX] = regs.rdx;
 +    env->regs[R_ESI] = regs.rsi;
 +    env->regs[R_EDI] = regs.rdi;
 +    env->regs[R_ESP] = regs.rsp;
 +    env->regs[R_EBP] = regs.rbp;
 +#ifdef TARGET_X86_64
 +    env->regs[8] = regs.r8;
 +    env->regs[9] = regs.r9;
 +    env->regs[10] = regs.r10;
 +    env->regs[11] = regs.r11;
 +    env->regs[12] = regs.r12;
 +    env->regs[13] = regs.r13;
 +    env->regs[14] = regs.r14;
 +    env->regs[15] = regs.r15;
 +#endif
 +
 +    env->eflags = regs.rflags;
 +    env->eip = regs.rip;
 +
 +#ifdef KVM_CAP_XSAVE
 +    if (kvm_check_extension(kvm_state, KVM_CAP_XSAVE)) {
 +        struct kvm_xsave* xsave;
 +        uint16_t cwd, swd, twd, fop;
 +        xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
 +        kvm_get_xsave(env, xsave);
 +        cwd = (uint16_t)xsave->region[0];
 +        swd = (uint16_t)(xsave->region[0] >> 16);
 +        twd = (uint16_t)xsave->region[1];
 +        fop = (uint16_t)(xsave->region[1] >> 16);
 +        env->fpstt = (swd >> 11) & 7;
 +        env->fpus = swd;
 +        env->fpuc = cwd;
 +        for (i = 0; i < 8; ++i) {
 +            env->fptags[i] = !((twd >> i) & 1);
 +        }
 +        env->mxcsr = xsave->region[XSAVE_MXCSR];
 +        memcpy(env->fpregs, &xsave->region[XSAVE_ST_SPACE],
 +                sizeof env->fpregs);
 +        memcpy(env->xmm_regs, &xsave->region[XSAVE_XMM_SPACE],
 +                sizeof env->xmm_regs);
 +        env->xstate_bv = *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV];
 +        memcpy(env->ymmh_regs, &xsave->region[XSAVE_YMMH_SPACE],
 +                sizeof env->ymmh_regs);
 +        if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
 +            struct kvm_xcrs xcrs;
 +
 +            kvm_get_xcrs(env, &xcrs);
 +            if (xcrs.xcrs[0].xcr == 0) {
 +                env->xcr0 = xcrs.xcrs[0].value;
 +            }
 +        }
 +        qemu_free(xsave);
 +    } else {
 +#endif
 +        kvm_get_fpu(env, &fpu);
 +        env->fpstt = (fpu.fsw >> 11) & 7;
 +        env->fpus = fpu.fsw;
 +        env->fpuc = fpu.fcw;
 +        for (i = 0; i < 8; ++i) {
 +            env->fptags[i] = !((fpu.ftwx >> i) & 1);
 +        }
 +        memcpy(env->fpregs, fpu.fpr, sizeof env->fpregs);
 +        memcpy(env->xmm_regs, fpu.xmm, sizeof env->xmm_regs);
 +        env->mxcsr = fpu.mxcsr;
 +#ifdef KVM_CAP_XSAVE
 +    }
 +#endif
 +
 +    kvm_get_sregs(env, &sregs);
 +
 +    /* There can only be one pending IRQ set in the bitmap at a time, so try
 +       to find it and save its number instead (-1 for none). */
 +    env->interrupt_injected = -1;
 +    for (i = 0; i < ARRAY_SIZE(sregs.interrupt_bitmap); i++) {
 +        if (sregs.interrupt_bitmap[i]) {
 +            bit = ctz64(sregs.interrupt_bitmap[i]);
 +            env->interrupt_injected = i * 64 + bit;
 +            break;
 +        }
 +    }
 +
 +    get_seg(&env->segs[R_CS], &sregs.cs);
 +    get_seg(&env->segs[R_DS], &sregs.ds);
 +    get_seg(&env->segs[R_ES], &sregs.es);
 +    get_seg(&env->segs[R_FS], &sregs.fs);
 +    get_seg(&env->segs[R_GS], &sregs.gs);
 +    get_seg(&env->segs[R_SS], &sregs.ss);
 +
 +    get_seg(&env->tr, &sregs.tr);
 +    get_seg(&env->ldt, &sregs.ldt);
 +
 +    env->idt.limit = sregs.idt.limit;
 +    env->idt.base = sregs.idt.base;
 +    env->gdt.limit = sregs.gdt.limit;
 +    env->gdt.base = sregs.gdt.base;
 +
 +    env->cr[0] = sregs.cr0;
 +    env->cr[2] = sregs.cr2;
 +    env->cr[3] = sregs.cr3;
 +    env->cr[4] = sregs.cr4;
 +
 +    cpu_set_apic_base(env->apic_state, sregs.apic_base);
 +
 +    env->efer = sregs.efer;
 +    //cpu_set_apic_tpr(env, sregs.cr8);
 +
 +#define HFLAG_COPY_MASK ~(                                              \
 +        HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK |            \
 +        HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK |           \
 +        HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK |                   \
 +        HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
 +
 +    hflags = (env->segs[R_CS].flags >> DESC_DPL_SHIFT) & HF_CPL_MASK;
 +    hflags |= (env->cr[0] & CR0_PE_MASK) << (HF_PE_SHIFT - CR0_PE_SHIFT);
 +    hflags |= (env->cr[0] << (HF_MP_SHIFT - CR0_MP_SHIFT)) &
 +            (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
 +    hflags |= (env->eflags & (HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK));
 +    hflags |= (env->cr[4] & CR4_OSFXSR_MASK) <<
 +            (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
 +
 +    if (env->efer & MSR_EFER_LMA) {
 +        hflags |= HF_LMA_MASK;
 +    }
 +
 +    if ((hflags & HF_LMA_MASK) && (env->segs[R_CS].flags & DESC_L_MASK)) {
 +        hflags |= HF_CS32_MASK | HF_SS32_MASK | HF_CS64_MASK;
 +    } else {
 +        hflags |= (env->segs[R_CS].flags & DESC_B_MASK) >>
 +                (DESC_B_SHIFT - HF_CS32_SHIFT);
 +        hflags |= (env->segs[R_SS].flags & DESC_B_MASK) >>
 +                (DESC_B_SHIFT - HF_SS32_SHIFT);
 +        if (!(env->cr[0] & CR0_PE_MASK) ||
 +            (env->eflags & VM_MASK) ||
 +            !(hflags & HF_CS32_MASK)) {
 +            hflags |= HF_ADDSEG_MASK;
 +        } else {
 +            hflags |= ((env->segs[R_DS].base |
 +                        env->segs[R_ES].base |
 +                        env->segs[R_SS].base) != 0) <<
 +                HF_ADDSEG_SHIFT;
 +        }
 +    }
 +    env->hflags = (env->hflags & HFLAG_COPY_MASK) | hflags;
 +
 +    /* msrs */
 +    n = 0;
 +    /* Remember to increase msrs size if you add new registers below */
 +    msrs[n++].index = MSR_IA32_SYSENTER_CS;
 +    msrs[n++].index = MSR_IA32_SYSENTER_ESP;
 +    msrs[n++].index = MSR_IA32_SYSENTER_EIP;
 +    if (kvm_has_msr_star) {
 +        msrs[n++].index = MSR_STAR;
 +    }
 +    msrs[n++].index = MSR_IA32_TSC;
 +    if (kvm_has_vm_hsave_pa)
 +        msrs[n++].index = MSR_VM_HSAVE_PA;
 +#ifdef TARGET_X86_64
-     if (lm_capable_kernel) {
++    if (_lm_capable_kernel) {
 +        msrs[n++].index = MSR_CSTAR;
 +        msrs[n++].index = MSR_KERNELGSBASE;
 +        msrs[n++].index = MSR_FMASK;
 +        msrs[n++].index = MSR_LSTAR;
 +    }
 +#endif
 +    msrs[n++].index = MSR_KVM_SYSTEM_TIME;
 +    msrs[n++].index = MSR_KVM_WALL_CLOCK;
 +
 +#ifdef KVM_CAP_MCE
 +    if (env->mcg_cap) {
 +        msrs[n++].index = MSR_MCG_STATUS;
 +        msrs[n++].index = MSR_MCG_CTL;
 +        for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
 +            msrs[n++].index = MSR_MC0_CTL + i;
 +    }
 +#endif
 +
 +    rc = kvm_get_msrs(env, msrs, n);
 +    if (rc == -1) {
 +        perror("kvm_get_msrs FAILED");
 +    } else {
 +        n = rc; /* actual number of MSRs */
 +        for (i=0 ; i<n; i++) {
 +            if (get_msr_entry(&msrs[i], env)) {
 +                return;
 +            }
 +        }
 +    }
 +    kvm_arch_save_mpstate(env);
 +    kvm_save_lapic(env);
 +    kvm_get_vcpu_events(env);
 +    kvm_get_debugregs(env);
 +}
 +
 +static int _kvm_arch_init_vcpu(CPUState *env)
 +{
 +    kvm_arch_reset_vcpu(env);
 +
 +#ifdef KVM_EXIT_TPR_ACCESS
 +    kvm_enable_tpr_access_reporting(env);
 +#endif
 +    kvm_reset_mpstate(env);
 +    return 0;
 +}
 +
 +int kvm_arch_halt(CPUState *env)
 +{
 +
 +    if (!((env->interrupt_request & CPU_INTERRUPT_HARD) &&
 +          (env->eflags & IF_MASK)) &&
 +        !(env->interrupt_request & CPU_INTERRUPT_NMI)) {
 +        env->halted = 1;
 +    }
 +    return 1;
 +}
 +
 +int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 +{
 +    if (!kvm_irqchip_in_kernel()) {
 +        kvm_set_cr8(env, cpu_get_apic_tpr(env->apic_state));
 +    }
 +    return 0;
 +}
 +
 +int kvm_arch_has_work(CPUState *env)
 +{
 +    if (((env->interrupt_request & CPU_INTERRUPT_HARD) &&
 +         (env->eflags & IF_MASK)) ||
 +        (env->interrupt_request & CPU_INTERRUPT_NMI)) {
 +        return 1;
 +    }
 +    return 0;
 +}
 +
 +int kvm_arch_try_push_interrupts(void *opaque)
 +{
 +    CPUState *env = cpu_single_env;
 +    int r, irq;
 +
 +    if (kvm_is_ready_for_interrupt_injection(env) &&
 +        (env->interrupt_request & CPU_INTERRUPT_HARD) &&
 +        (env->eflags & IF_MASK)) {
 +        env->interrupt_request &= ~CPU_INTERRUPT_HARD;
 +        irq = cpu_get_pic_interrupt(env);
 +        if (irq >= 0) {
 +            r = kvm_inject_irq(env, irq);
 +            if (r < 0) {
 +                printf("cpu %d fail inject %x\n", env->cpu_index, irq);
 +            }
 +        }
 +    }
 +
 +    return (env->interrupt_request & CPU_INTERRUPT_HARD) != 0;
 +}
 +
 +#ifdef KVM_CAP_USER_NMI
 +void kvm_arch_push_nmi(void *opaque)
 +{
 +    CPUState *env = cpu_single_env;
 +    int r;
 +
 +    if (likely(!(env->interrupt_request & CPU_INTERRUPT_NMI))) {
 +        return;
 +    }
 +
 +    env->interrupt_request &= ~CPU_INTERRUPT_NMI;
 +    r = kvm_inject_nmi(env);
 +    if (r < 0) {
 +        printf("cpu %d fail inject NMI\n", env->cpu_index);
 +    }
 +}
 +#endif /* KVM_CAP_USER_NMI */
 +
 +static int kvm_reset_msrs(CPUState *env)
 +{
 +    struct {
 +        struct kvm_msrs info;
 +        struct kvm_msr_entry entries[100];
 +    } msr_data;
 +    int n;
 +    struct kvm_msr_entry *msrs = msr_data.entries;
 +    uint32_t index;
 +    uint64_t data;
 +
 +    if (!kvm_msr_list) {
 +        return -1;
 +    }
 +
 +    for (n = 0; n < kvm_msr_list->nmsrs; n++) {
 +        index = kvm_msr_list->indices[n];
 +        switch (index) {
 +        case MSR_PAT:
 +            data = 0x0007040600070406ULL;
 +            break;
 +        default:
 +            data = 0;
 +        }
 +        kvm_msr_entry_set(&msrs[n], kvm_msr_list->indices[n], data);
 +    }
 +
 +    msr_data.info.nmsrs = n;
 +
 +    return kvm_vcpu_ioctl(env, KVM_SET_MSRS, &msr_data);
 +}
 +
 +
 +void kvm_arch_cpu_reset(CPUState *env)
 +{
 +    kvm_reset_msrs(env);
 +    kvm_arch_reset_vcpu(env);
 +    kvm_reset_mpstate(env);
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_arch_do_ioperm(void *_data)
 +{
 +    struct ioperm_data *data = _data;
 +    ioperm(data->start_port, data->num, data->turn_on);
 +}
 +#endif
 +
 +/*
 + * Setup x86 specific IRQ routing
 + */
 +int kvm_arch_init_irq_routing(void)
 +{
 +    int i, r;
 +
 +    if (kvm_irqchip && kvm_has_gsi_routing()) {
 +        kvm_clear_gsi_routes();
 +        for (i = 0; i < 8; ++i) {
 +            if (i == 2) {
 +                continue;
 +            }
 +            r = kvm_add_irq_route(i, KVM_IRQCHIP_PIC_MASTER, i);
 +            if (r < 0) {
 +                return r;
 +            }
 +        }
 +        for (i = 8; i < 16; ++i) {
 +            r = kvm_add_irq_route(i, KVM_IRQCHIP_PIC_SLAVE, i - 8);
 +            if (r < 0) {
 +                return r;
 +            }
 +        }
 +        for (i = 0; i < 24; ++i) {
 +            if (i == 0 && irq0override) {
 +                r = kvm_add_irq_route(i, KVM_IRQCHIP_IOAPIC, 2);
 +            } else if (i != 2 || !irq0override) {
 +                r = kvm_add_irq_route(i, KVM_IRQCHIP_IOAPIC, i);
 +            }
 +            if (r < 0) {
 +                return r;
 +            }
 +        }
 +        kvm_commit_irq_routes();
 +    }
 +    return 0;
 +}
 +
 +void kvm_arch_process_irqchip_events(CPUState *env)
 +{
 +    if (env->interrupt_request & CPU_INTERRUPT_INIT) {
 +        kvm_cpu_synchronize_state(env);
 +        do_cpu_init(env);
 +    }
 +    if (env->interrupt_request & CPU_INTERRUPT_SIPI) {
 +        kvm_cpu_synchronize_state(env);
 +        do_cpu_sipi(env);
 +    }
 +}
diff --cc target-i386/kvm.c
index b6c7a12,ae0a034..41d42ca
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -53,6 -54,8 +54,10 @@@
  #define BUS_MCEERR_AO 5
  #endif
  
++#ifdef OBSOLETE_KVM_IMPL
+ static int lm_capable_kernel;
++#endif
+ 
  #ifdef KVM_CAP_EXT_CPUID
  
  static struct kvm_cpuid2 *try_get_cpuid(KVMState *s, int max)
@@@ -1055,13 -1054,13 +1074,14 @@@ static int kvm_get_msrs(CPUState *env
      if (kvm_has_msr_hsave_pa(env))
          msrs[n++].index = MSR_VM_HSAVE_PA;
      msrs[n++].index = MSR_IA32_TSC;
 +    msrs[n++].index = MSR_VM_HSAVE_PA;
  #ifdef TARGET_X86_64
-     /* FIXME lm_capable_kernel */
-     msrs[n++].index = MSR_CSTAR;
-     msrs[n++].index = MSR_KERNELGSBASE;
-     msrs[n++].index = MSR_FMASK;
-     msrs[n++].index = MSR_LSTAR;
+     if (lm_capable_kernel) {
+         msrs[n++].index = MSR_CSTAR;
+         msrs[n++].index = MSR_KERNELGSBASE;
+         msrs[n++].index = MSR_FMASK;
+         msrs[n++].index = MSR_LSTAR;
+     }
  #endif
      msrs[n++].index = MSR_KVM_SYSTEM_TIME;
      msrs[n++].index = MSR_KVM_WALL_CLOCK;
commit 65160cfd3d33e90a718e4bc9524614aae8416956
Merge: 9de479a... 75b10c4...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Fri Oct 22 11:52:13 2010 -0200

    Merge commit '75b10c43365e2a9cab5398f31b96a463b0d57eff' into upstream-merge
    
    * commit '75b10c43365e2a9cab5398f31b96a463b0d57eff':
      kvm: factor out kvm_has_msr_star
      kvm: add save/restore of MSR_VM_HSAVE_PA
      Fix build on !KVM_CAP_MCE
      x86, mce: broadcast mce depending on the cpu version
      x86, mce: ignore SRAO only when MCG_SER_P is available
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/kvm.c
index 52a7828,06474d6..b6c7a12
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -447,11 -437,13 +451,14 @@@ void kvm_arch_reset_vcpu(CPUState *env
          env->mp_state = KVM_MP_STATE_RUNNABLE;
      }
  }
 +#ifdef OBSOLETE_KVM_IMPL
  
- static int kvm_has_msr_star(CPUState *env)
+ int has_msr_star;
+ int has_msr_hsave_pa;
+ 
+ static void kvm_supported_msrs(CPUState *env)
  {
-     static int has_msr_star;
+     static int kvm_supported_msrs;
      int ret;
  
      /* first time */
@@@ -1029,8 -1034,9 +1052,10 @@@ static int kvm_get_msrs(CPUState *env
      msrs[n++].index = MSR_IA32_SYSENTER_EIP;
      if (kvm_has_msr_star(env))
  	msrs[n++].index = MSR_STAR;
+     if (kvm_has_msr_hsave_pa(env))
+         msrs[n++].index = MSR_VM_HSAVE_PA;
      msrs[n++].index = MSR_IA32_TSC;
 +    msrs[n++].index = MSR_VM_HSAVE_PA;
  #ifdef TARGET_X86_64
      /* FIXME lm_capable_kernel */
      msrs[n++].index = MSR_CSTAR;
commit dbb1413589512574519abcf52a9a7127ddc7844b
Merge: d03703c... 25d2e36...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Oct 22 08:02:14 2010 -0500

    Merge remote branch 'qemu-kvm/uq/master' into staging

commit 8c269b542c5bbbcd74c1664959b223d941a2893b
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Oct 20 13:17:30 2010 +0200

    virtio-blk: Respect werror option for flushes
    
    The werror option now affects not only write requests, but also flush requests.
    Previously, it was not possible to stop a VM on a failed flush.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index a1df26d..dbe2070 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -106,7 +106,13 @@ static void virtio_blk_flush_complete(void *opaque, int ret)
 {
     VirtIOBlockReq *req = opaque;
 
-    virtio_blk_req_complete(req, ret ? VIRTIO_BLK_S_IOERR : VIRTIO_BLK_S_OK);
+    if (ret) {
+        if (virtio_blk_handle_rw_error(req, -ret, 0)) {
+            return;
+        }
+    }
+
+    virtio_blk_req_complete(req, VIRTIO_BLK_S_OK);
 }
 
 static VirtIOBlockReq *virtio_blk_alloc_request(VirtIOBlock *s)
commit e2bcadadc35673223c1445152445d0c9b6887b9e
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Oct 18 17:13:05 2010 +0200

    ide: Handle flush failure
    
    Instead of always assuming success for bdrv_aio_flush, actually do something
    with the error. This respects the werror option and accordingly ignores the
    error, reports it to the guest or stops the VM and retries after cont.
    
    Ignoring the error is trivial, obviously. For stopping the VM and retrying
    later old code can be reused, but we need to introduce a new status for "retry
    a flush". For reporting to the guest, fortunately the same action is required
    as for a failed read/write (status = DRDY | ERR, error = ABRT), so this code
    can be reused as well.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 6d8606e..bc3e916 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -65,6 +65,7 @@ static void ide_dma_start(IDEState *s, BlockDriverCompletionFunc *dma_cb);
 static void ide_dma_restart(IDEState *s, int is_read);
 static void ide_atapi_cmd_read_dma_cb(void *opaque, int ret);
 static int ide_handle_rw_error(IDEState *s, int error, int op);
+static void ide_flush_cache(IDEState *s);
 
 static void padstr(char *str, const char *src, int len)
 {
@@ -688,6 +689,8 @@ static void ide_dma_restart_bh(void *opaque)
         } else {
             ide_sector_write(bmdma_active_if(bm));
         }
+    } else if (bm->status & BM_STATUS_RETRY_FLUSH) {
+        ide_flush_cache(bmdma_active_if(bm));
     }
 }
 
@@ -795,7 +798,12 @@ static void ide_flush_cb(void *opaque, int ret)
 {
     IDEState *s = opaque;
 
-    /* XXX: how do we signal I/O errors here? */
+    if (ret < 0) {
+        /* XXX: What sector number to set here? */
+        if (ide_handle_rw_error(s, -ret, BM_STATUS_RETRY_FLUSH)) {
+            return;
+        }
+    }
 
     s->status = READY_STAT | SEEK_STAT;
     ide_set_irq(s->bus);
diff --git a/hw/ide/internal.h b/hw/ide/internal.h
index 4165543..d652e06 100644
--- a/hw/ide/internal.h
+++ b/hw/ide/internal.h
@@ -472,7 +472,8 @@ struct IDEDeviceInfo {
 #define BM_STATUS_INT    0x04
 #define BM_STATUS_DMA_RETRY  0x08
 #define BM_STATUS_PIO_RETRY  0x10
-#define BM_STATUS_RETRY_READ 0x20
+#define BM_STATUS_RETRY_READ  0x20
+#define BM_STATUS_RETRY_FLUSH 0x40
 
 #define BM_CMD_START     0x01
 #define BM_CMD_READ      0x08
commit 6bcb1a79a31563f2c414e1bd35d044d6ab385011
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Oct 18 17:10:49 2010 +0200

    ide: Factor ide_flush_cache out
    
    The next patch reuses this code, so put it in its own function.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 5ccb09c..6d8606e 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -801,6 +801,15 @@ static void ide_flush_cb(void *opaque, int ret)
     ide_set_irq(s->bus);
 }
 
+static void ide_flush_cache(IDEState *s)
+{
+    if (s->bs) {
+        bdrv_aio_flush(s->bs, ide_flush_cb, s);
+    } else {
+        ide_flush_cb(s, 0);
+    }
+}
+
 static inline void cpu_to_ube16(uint8_t *buf, int val)
 {
     buf[0] = val >> 8;
@@ -2031,10 +2040,7 @@ void ide_ioport_write(void *opaque, uint32_t addr, uint32_t val)
             break;
         case WIN_FLUSH_CACHE:
         case WIN_FLUSH_CACHE_EXT:
-            if (s->bs)
-                bdrv_aio_flush(s->bs, ide_flush_cb, s);
-            else
-                ide_flush_cb(s, 0);
+            ide_flush_cache(s);
             break;
         case WIN_STANDBY:
         case WIN_STANDBY2:
commit a18953fbe72ba553a564ba11fdda03aac41d4f38
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Oct 14 15:46:04 2010 +0200

    qemu-img: Fix qemu-img convert -obacking_file
    
    The old -B option caused a backing file to be used for the converted image and
    to avoid copying clusters from the old backing file. When replaced with
    -obacking_file, qemu-img convert does assign the backing file to the new image,
    but it doesn't realize that it should avoid copying clusters from the backing
    file.
    
    This patch checks the -o options for a backing_file and applies the same logic
    as for -B in this case.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index d4a3b4e..2864cb8 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -645,6 +645,7 @@ static int img_convert(int argc, char **argv)
     const uint8_t *buf1;
     BlockDriverInfo bdi;
     QEMUOptionParameter *param = NULL, *create_options = NULL;
+    QEMUOptionParameter *out_baseimg_param;
     char *options = NULL;
     const char *snapshot_name = NULL;
 
@@ -769,6 +770,12 @@ static int img_convert(int argc, char **argv)
         goto out;
     }
 
+    /* Get backing file name if -o backing_file was used */
+    out_baseimg_param = get_option_parameter(param, BLOCK_OPT_BACKING_FILE);
+    if (out_baseimg_param) {
+        out_baseimg = out_baseimg_param->value.s;
+    }
+
     /* Check if compression is supported */
     if (flags & BLOCK_FLAG_COMPRESS) {
         QEMUOptionParameter *encryption =
commit a77cffe7e916f4dd28f2048982ea2e0d98143b11
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Sep 24 21:02:05 2010 +0200

    block: Use GCC_FMT_ATTR and fix a format error
    
    Adding the gcc format attribute detects a format bug
    which is fixed here.
    
    v2:
    Don't use type cast. BDRV_SECTOR_SIZE is unsigned long long,
    so %lld should be the correct format specifier.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/blkverify.c b/block/blkverify.c
index 8083464..b2a12fe 100644
--- a/block/blkverify.c
+++ b/block/blkverify.c
@@ -53,7 +53,8 @@ static AIOPool blkverify_aio_pool = {
     .cancel             = blkverify_aio_cancel,
 };
 
-static void blkverify_err(BlkverifyAIOCB *acb, const char *fmt, ...)
+static void GCC_FMT_ATTR(2, 3) blkverify_err(BlkverifyAIOCB *acb,
+                                             const char *fmt, ...)
 {
     va_list ap;
 
@@ -299,7 +300,7 @@ static void blkverify_verify_readv(BlkverifyAIOCB *acb)
 {
     ssize_t offset = blkverify_iovec_compare(acb->qiov, &acb->raw_qiov);
     if (offset != -1) {
-        blkverify_err(acb, "contents mismatch in sector %ld",
+        blkverify_err(acb, "contents mismatch in sector %lld",
                       acb->sector_num + (offset / BDRV_SECTOR_SIZE));
     }
 }
commit 191c2890ddc9626d35c9e432494e1699a8181025
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Sep 16 13:18:08 2010 +0200

    qemu-io: New command map
    
    The new map command in qemu-io lists all allocated/unallocated areas in an
    image file.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-io.c b/qemu-io.c
index b4e5cc8..ff353eb 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1443,6 +1443,44 @@ static const cmdinfo_t alloc_cmd = {
 };
 
 static int
+map_f(int argc, char **argv)
+{
+	int64_t offset;
+	int64_t nb_sectors;
+	char s1[64];
+	int num, num_checked;
+	int ret;
+	const char *retstr;
+
+	offset = 0;
+	nb_sectors = bs->total_sectors;
+
+	do {
+		num_checked = MIN(nb_sectors, INT_MAX);
+		ret = bdrv_is_allocated(bs, offset, num_checked, &num);
+		retstr = ret ? "    allocated" : "not allocated";
+		cvtstr(offset << 9ULL, s1, sizeof(s1));
+		printf("[% 24" PRId64 "] % 8d/% 8d sectors %s at offset %s (%d)\n",
+				offset << 9ULL, num, num_checked, retstr, s1, ret);
+
+		offset += num;
+		nb_sectors -= num;
+	} while(offset < bs->total_sectors);
+
+	return 0;
+}
+
+static const cmdinfo_t map_cmd = {
+       .name           = "map",
+       .argmin         = 0,
+       .argmax         = 0,
+       .cfunc          = map_f,
+       .args           = "",
+       .oneline        = "prints the allocated areas of a file",
+};
+
+
+static int
 close_f(int argc, char **argv)
 {
 	bdrv_close(bs);
@@ -1680,6 +1718,7 @@ int main(int argc, char **argv)
 	add_command(&length_cmd);
 	add_command(&info_cmd);
 	add_command(&alloc_cmd);
+	add_command(&map_cmd);
 
 	add_args_command(init_args_command);
 	add_check_command(init_check_command);
commit 51ef67270b1d10e1fcf3de7368dccad1ba0bf9d1
Author: edison <edison at cloud.com>
Date:   Tue Sep 21 19:58:41 2010 -0700

    Copy snapshots out of QCOW2 disk
    
    In order to backup snapshots, created from QCOW2 iamge, we want to copy snapshots out of QCOW2 disk to a seperate storage.
    The following patch adds a new option in "qemu-img": qemu-img convert -f qcow2 -O qcow2 -s snapshot_name src_img bck_img.
    Right now, it only supports to copy the full snapshot, delta snapshot is on the way.
    
    Changes from V1: all the comments from Kevin are addressed:
    Add read-only checking
    Fix coding style
    Change the name from bdrv_snapshot_load to bdrv_snapshot_load_tmp
    
    Signed-off-by: Disheng Su <edison at cloud.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index a19374d..985d0b7 100644
--- a/block.c
+++ b/block.c
@@ -1899,6 +1899,22 @@ int bdrv_snapshot_list(BlockDriverState *bs,
     return -ENOTSUP;
 }
 
+int bdrv_snapshot_load_tmp(BlockDriverState *bs,
+        const char *snapshot_name)
+{
+    BlockDriver *drv = bs->drv;
+    if (!drv) {
+        return -ENOMEDIUM;
+    }
+    if (!bs->read_only) {
+        return -EINVAL;
+    }
+    if (drv->bdrv_snapshot_load_tmp) {
+        return drv->bdrv_snapshot_load_tmp(bs, snapshot_name);
+    }
+    return -ENOTSUP;
+}
+
 #define NB_SUFFIXES 4
 
 char *get_human_readable_size(char *buf, int buf_size, int64_t size)
diff --git a/block.h b/block.h
index 5f64380..a4facf2 100644
--- a/block.h
+++ b/block.h
@@ -211,6 +211,8 @@ int bdrv_snapshot_goto(BlockDriverState *bs,
 int bdrv_snapshot_delete(BlockDriverState *bs, const char *snapshot_id);
 int bdrv_snapshot_list(BlockDriverState *bs,
                        QEMUSnapshotInfo **psn_info);
+int bdrv_snapshot_load_tmp(BlockDriverState *bs,
+                           const char *snapshot_name);
 char *bdrv_snapshot_dump(char *buf, int buf_size, QEMUSnapshotInfo *sn);
 
 char *get_human_readable_size(char *buf, int buf_size, int64_t size);
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 8dd5df0..aacf357 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -418,3 +418,34 @@ int qcow2_snapshot_list(BlockDriverState *bs, QEMUSnapshotInfo **psn_tab)
     return s->nb_snapshots;
 }
 
+int qcow2_snapshot_load_tmp(BlockDriverState *bs, const char *snapshot_name)
+{
+    int i, snapshot_index, l1_size2;
+    BDRVQcowState *s = bs->opaque;
+    QCowSnapshot *sn;
+
+    snapshot_index = find_snapshot_by_id_or_name(bs, snapshot_name);
+    if (snapshot_index < 0) {
+        return -ENOENT;
+    }
+
+    sn = &s->snapshots[snapshot_index];
+    s->l1_size = sn->l1_size;
+    l1_size2 = s->l1_size * sizeof(uint64_t);
+    if (s->l1_table != NULL) {
+        qemu_free(s->l1_table);
+    }
+
+    s->l1_table_offset = sn->l1_table_offset;
+    s->l1_table = qemu_mallocz(align_offset(l1_size2, 512));
+
+    if (bdrv_pread(bs->file, sn->l1_table_offset,
+                   s->l1_table, l1_size2) != l1_size2) {
+        return -1;
+    }
+
+    for(i = 0;i < s->l1_size; i++) {
+        be64_to_cpus(&s->l1_table[i]);
+    }
+    return 0;
+}
diff --git a/block/qcow2.c b/block/qcow2.c
index 45ed073..b816d87 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1286,6 +1286,7 @@ static BlockDriver bdrv_qcow2 = {
     .bdrv_snapshot_goto     = qcow2_snapshot_goto,
     .bdrv_snapshot_delete   = qcow2_snapshot_delete,
     .bdrv_snapshot_list     = qcow2_snapshot_list,
+    .bdrv_snapshot_load_tmp     = qcow2_snapshot_load_tmp,
     .bdrv_get_info	= qcow_get_info,
 
     .bdrv_save_vmstate    = qcow_save_vmstate,
diff --git a/block/qcow2.h b/block/qcow2.h
index add710b..2d22e5e 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -211,6 +211,7 @@ int qcow2_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info);
 int qcow2_snapshot_goto(BlockDriverState *bs, const char *snapshot_id);
 int qcow2_snapshot_delete(BlockDriverState *bs, const char *snapshot_id);
 int qcow2_snapshot_list(BlockDriverState *bs, QEMUSnapshotInfo **psn_tab);
+int qcow2_snapshot_load_tmp(BlockDriverState *bs, const char *snapshot_name);
 
 void qcow2_free_snapshots(BlockDriverState *bs);
 int qcow2_read_snapshots(BlockDriverState *bs);
diff --git a/block_int.h b/block_int.h
index e8e7156..87e60b8 100644
--- a/block_int.h
+++ b/block_int.h
@@ -93,6 +93,8 @@ struct BlockDriver {
     int (*bdrv_snapshot_delete)(BlockDriverState *bs, const char *snapshot_id);
     int (*bdrv_snapshot_list)(BlockDriverState *bs,
                               QEMUSnapshotInfo **psn_info);
+    int (*bdrv_snapshot_load_tmp)(BlockDriverState *bs,
+                                  const char *snapshot_name);
     int (*bdrv_get_info)(BlockDriverState *bs, BlockDriverInfo *bdi);
 
     int (*bdrv_save_vmstate)(BlockDriverState *bs, const uint8_t *buf,
diff --git a/qemu-img-cmds.hx b/qemu-img-cmds.hx
index 6d3e5f8..6c7176f 100644
--- a/qemu-img-cmds.hx
+++ b/qemu-img-cmds.hx
@@ -28,9 +28,9 @@ STEXI
 ETEXI
 
 DEF("convert", img_convert,
-    "convert [-c] [-f fmt] [-O output_fmt] [-o options] filename [filename2 [...]] output_filename")
+    "convert [-c] [-f fmt] [-O output_fmt] [-o options] [-s snapshot_name] filename [filename2 [...]] output_filename")
 STEXI
- at item convert [-c] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] @var{filename} [@var{filename2} [...]] @var{output_filename}
+ at item convert [-c] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] @var{filename} [@var{filename2} [...]] @var{output_filename}
 ETEXI
 
 DEF("info", img_info,
diff --git a/qemu-img.c b/qemu-img.c
index 578b8eb..d4a3b4e 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -646,13 +646,14 @@ static int img_convert(int argc, char **argv)
     BlockDriverInfo bdi;
     QEMUOptionParameter *param = NULL, *create_options = NULL;
     char *options = NULL;
+    const char *snapshot_name = NULL;
 
     fmt = NULL;
     out_fmt = "raw";
     out_baseimg = NULL;
     flags = 0;
     for(;;) {
-        c = getopt(argc, argv, "f:O:B:hce6o:");
+        c = getopt(argc, argv, "f:O:B:s:hce6o:");
         if (c == -1)
             break;
         switch(c) {
@@ -680,6 +681,9 @@ static int img_convert(int argc, char **argv)
         case 'o':
             options = optarg;
             break;
+        case 's':
+            snapshot_name = optarg;
+            break;
         }
     }
 
@@ -711,6 +715,19 @@ static int img_convert(int argc, char **argv)
         total_sectors += bs_sectors;
     }
 
+    if (snapshot_name != NULL) {
+        if (bs_n > 1) {
+            error("No support for concatenating multiple snapshot\n");
+            ret = -1;
+            goto out;
+        }
+        if (bdrv_snapshot_load_tmp(bs[0], snapshot_name) < 0) {
+            error("Failed to load snapshot\n");
+            ret = -1;
+            goto out;
+        }
+    }
+
     /* Find driver and parse its options */
     drv = bdrv_find_format(out_fmt);
     if (!drv) {
diff --git a/qemu-img.texi b/qemu-img.texi
index c1b1f27..1b90ddb 100644
--- a/qemu-img.texi
+++ b/qemu-img.texi
@@ -77,9 +77,9 @@ it doesn't need to be specified separately in this case.
 
 Commit the changes recorded in @var{filename} in its base image.
 
- at item convert [-c] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] @var{filename} [@var{filename2} [...]] @var{output_filename}
+ at item convert [-c] [-f @var{fmt}] [-O @var{output_fmt}] [-o @var{options}] [-s @var{snapshot_name}] @var{filename} [@var{filename2} [...]] @var{output_filename}
 
-Convert the disk image @var{filename} to disk image @var{output_filename}
+Convert the disk image @var{filename} or a snapshot @var{snapshot_name} to disk image @var{output_filename}
 using format @var{output_fmt}. It can be optionally compressed (@code{-c}
 option) or use any format specific options like encryption (@code{-o} option).
 
commit a58b8d5401b6064d52113f243456115d046bdd12
Author: Christoph Hellwig <hch at lst.de>
Date:   Mon Oct 4 15:29:41 2010 +0200

    ide: set WCACHE supported in IDENTIFY data
    
    ATA does not only have the WCACHE enabled bit in identify word 85, but also
    a WCACHE supported bit in word 82.  While the Linux kernel is fine with the
    latter at least hdparm also needs the former before correctly displaying
    the cache settings.  There's also a non-zero chance other operating systems
    are more picky in their volatile write cache detection.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 06b6e14..5ccb09c 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -146,8 +146,8 @@ static void ide_identify(IDEState *s)
     put_le16(p + 68, 120);
     put_le16(p + 80, 0xf0); /* ata3 -> ata6 supported */
     put_le16(p + 81, 0x16); /* conforms to ata5 */
-    /* 14=NOP supported, 0=SMART supported */
-    put_le16(p + 82, (1 << 14) | 1);
+    /* 14=NOP supported, 5=WCACHE supported, 0=SMART supported */
+    put_le16(p + 82, (1 << 14) | (1 << 5) | 1);
     /* 13=flush_cache_ext,12=flush_cache,10=lba48 */
     put_le16(p + 83, (1 << 14) | (1 << 13) | (1 <<12) | (1 << 10));
     /* 14=set to 1, 1=SMART self test, 0=SMART error logging */
commit 9b036055ef65d0ab3236dfdb0d07828cea961133
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Jun 14 15:15:03 2010 +0200

    qcow2: Remove old image creation function
    
    They have been #ifdef'd out by the previous patch.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index 3b2e38c..45ed073 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -795,30 +795,6 @@ static int qcow2_change_backing_file(BlockDriverState *bs,
     return qcow2_update_ext_header(bs, backing_file, backing_fmt);
 }
 
-#if 0
-static int get_bits_from_size(size_t size)
-{
-    int res = 0;
-
-    if (size == 0) {
-        return -1;
-    }
-
-    while (size != 1) {
-        /* Not a power of two */
-        if (size & 1) {
-            return -1;
-        }
-
-        size >>= 1;
-        res++;
-    }
-
-    return res;
-}
-#endif
-
-
 static int preallocate(BlockDriverState *bs)
 {
     uint64_t nb_sectors;
@@ -872,205 +848,6 @@ static int preallocate(BlockDriverState *bs)
     return 0;
 }
 
-#if 0
-static int qcow_create2(const char *filename, int64_t total_size,
-                        const char *backing_file, const char *backing_format,
-                        int flags, size_t cluster_size, int prealloc)
-{
-
-    int fd, header_size, backing_filename_len, l1_size, i, shift, l2_bits;
-    int ref_clusters, reftable_clusters, backing_format_len = 0;
-    int rounded_ext_bf_len = 0;
-    QCowHeader header;
-    uint64_t tmp, offset;
-    uint64_t old_ref_clusters;
-    QCowCreateState s1, *s = &s1;
-    QCowExtension ext_bf = {0, 0};
-    int ret;
-
-    memset(s, 0, sizeof(*s));
-
-    fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
-    if (fd < 0)
-        return -errno;
-    memset(&header, 0, sizeof(header));
-    header.magic = cpu_to_be32(QCOW_MAGIC);
-    header.version = cpu_to_be32(QCOW_VERSION);
-    header.size = cpu_to_be64(total_size * 512);
-    header_size = sizeof(header);
-    backing_filename_len = 0;
-    if (backing_file) {
-        if (backing_format) {
-            ext_bf.magic = QCOW_EXT_MAGIC_BACKING_FORMAT;
-            backing_format_len = strlen(backing_format);
-            ext_bf.len = backing_format_len;
-            rounded_ext_bf_len = (sizeof(ext_bf) + ext_bf.len + 7) & ~7;
-            header_size += rounded_ext_bf_len;
-        }
-        header.backing_file_offset = cpu_to_be64(header_size);
-        backing_filename_len = strlen(backing_file);
-        header.backing_file_size = cpu_to_be32(backing_filename_len);
-        header_size += backing_filename_len;
-    }
-
-    /* Cluster size */
-    s->cluster_bits = get_bits_from_size(cluster_size);
-    if (s->cluster_bits < MIN_CLUSTER_BITS ||
-        s->cluster_bits > MAX_CLUSTER_BITS)
-    {
-        fprintf(stderr, "Cluster size must be a power of two between "
-            "%d and %dk\n",
-            1 << MIN_CLUSTER_BITS,
-            1 << (MAX_CLUSTER_BITS - 10));
-        return -EINVAL;
-    }
-    s->cluster_size = 1 << s->cluster_bits;
-
-    header.cluster_bits = cpu_to_be32(s->cluster_bits);
-    header_size = (header_size + 7) & ~7;
-    if (flags & BLOCK_FLAG_ENCRYPT) {
-        header.crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
-    } else {
-        header.crypt_method = cpu_to_be32(QCOW_CRYPT_NONE);
-    }
-    l2_bits = s->cluster_bits - 3;
-    shift = s->cluster_bits + l2_bits;
-    l1_size = (((total_size * 512) + (1LL << shift) - 1) >> shift);
-    offset = align_offset(header_size, s->cluster_size);
-    s->l1_table_offset = offset;
-    header.l1_table_offset = cpu_to_be64(s->l1_table_offset);
-    header.l1_size = cpu_to_be32(l1_size);
-    offset += align_offset(l1_size * sizeof(uint64_t), s->cluster_size);
-
-    /* count how many refcount blocks needed */
-
-#define NUM_CLUSTERS(bytes) \
-    (((bytes) + (s->cluster_size) - 1) / (s->cluster_size))
-
-    ref_clusters = NUM_CLUSTERS(NUM_CLUSTERS(offset) * sizeof(uint16_t));
-
-    do {
-        uint64_t image_clusters;
-        old_ref_clusters = ref_clusters;
-
-        /* Number of clusters used for the refcount table */
-        reftable_clusters = NUM_CLUSTERS(ref_clusters * sizeof(uint64_t));
-
-        /* Number of clusters that the whole image will have */
-        image_clusters = NUM_CLUSTERS(offset) + ref_clusters
-            + reftable_clusters;
-
-        /* Number of refcount blocks needed for the image */
-        ref_clusters = NUM_CLUSTERS(image_clusters * sizeof(uint16_t));
-
-    } while (ref_clusters != old_ref_clusters);
-
-    s->refcount_table = qemu_mallocz(reftable_clusters * s->cluster_size);
-
-    s->refcount_table_offset = offset;
-    header.refcount_table_offset = cpu_to_be64(offset);
-    header.refcount_table_clusters = cpu_to_be32(reftable_clusters);
-    offset += (reftable_clusters * s->cluster_size);
-    s->refcount_block_offset = offset;
-
-    for (i=0; i < ref_clusters; i++) {
-        s->refcount_table[i] = cpu_to_be64(offset);
-        offset += s->cluster_size;
-    }
-
-    s->refcount_block = qemu_mallocz(ref_clusters * s->cluster_size);
-
-    /* update refcounts */
-    qcow2_create_refcount_update(s, 0, header_size);
-    qcow2_create_refcount_update(s, s->l1_table_offset,
-        l1_size * sizeof(uint64_t));
-    qcow2_create_refcount_update(s, s->refcount_table_offset,
-        reftable_clusters * s->cluster_size);
-    qcow2_create_refcount_update(s, s->refcount_block_offset,
-        ref_clusters * s->cluster_size);
-
-    /* write all the data */
-    ret = qemu_write_full(fd, &header, sizeof(header));
-    if (ret != sizeof(header)) {
-        ret = -errno;
-        goto exit;
-    }
-    if (backing_file) {
-        if (backing_format_len) {
-            char zero[16];
-            int padding = rounded_ext_bf_len - (ext_bf.len + sizeof(ext_bf));
-
-            memset(zero, 0, sizeof(zero));
-            cpu_to_be32s(&ext_bf.magic);
-            cpu_to_be32s(&ext_bf.len);
-            ret = qemu_write_full(fd, &ext_bf, sizeof(ext_bf));
-            if (ret != sizeof(ext_bf)) {
-                ret = -errno;
-                goto exit;
-            }
-            ret = qemu_write_full(fd, backing_format, backing_format_len);
-            if (ret != backing_format_len) {
-                ret = -errno;
-                goto exit;
-            }
-            if (padding > 0) {
-                ret = qemu_write_full(fd, zero, padding);
-                if (ret != padding) {
-                    ret = -errno;
-                    goto exit;
-                }
-            }
-        }
-        ret = qemu_write_full(fd, backing_file, backing_filename_len);
-        if (ret != backing_filename_len) {
-            ret = -errno;
-            goto exit;
-        }
-    }
-    lseek(fd, s->l1_table_offset, SEEK_SET);
-    tmp = 0;
-    for(i = 0;i < l1_size; i++) {
-        ret = qemu_write_full(fd, &tmp, sizeof(tmp));
-        if (ret != sizeof(tmp)) {
-            ret = -errno;
-            goto exit;
-        }
-    }
-    lseek(fd, s->refcount_table_offset, SEEK_SET);
-    ret = qemu_write_full(fd, s->refcount_table,
-        reftable_clusters * s->cluster_size);
-    if (ret != reftable_clusters * s->cluster_size) {
-        ret = -errno;
-        goto exit;
-    }
-
-    lseek(fd, s->refcount_block_offset, SEEK_SET);
-    ret = qemu_write_full(fd, s->refcount_block,
-		    ref_clusters * s->cluster_size);
-    if (ret != ref_clusters * s->cluster_size) {
-        ret = -errno;
-        goto exit;
-    }
-
-    ret = 0;
-exit:
-    qemu_free(s->refcount_table);
-    qemu_free(s->refcount_block);
-    close(fd);
-
-    /* Preallocate metadata */
-    if (ret == 0 && prealloc) {
-        BlockDriverState *bs;
-        BlockDriver *drv = bdrv_find_format("qcow2");
-        bs = bdrv_new("");
-        bdrv_open(bs, filename, BDRV_O_CACHE_WB | BDRV_O_RDWR, drv);
-        ret = preallocate(bs);
-        bdrv_close(bs);
-    }
-
-    return ret;
-}
-#else
 static int qcow_create2(const char *filename, int64_t total_size,
                         const char *backing_file, const char *backing_format,
                         int flags, size_t cluster_size, int prealloc,
@@ -1196,7 +973,6 @@ out:
     bdrv_delete(bs);
     return ret;
 }
-#endif
 
 static int qcow_create(const char *filename, QEMUOptionParameter *options)
 {
commit a9420734b617be43d075c55b980479411807512e
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Jun 11 21:37:37 2010 +0200

    qcow2: Simplify image creation
    
    Instead of doing lots of magic for setting up initial refcount blocks and stuff
    create a minimal (inconsistent) image, open it and initialize the rest with
    regular qcow2 functions.
    
    This is a complete rewrite of the image creation function. The old
    implementating is #ifdef'd out and will be removed by the next patch (removing
    it here would have made the diff unreadable because diff tries to find
    similarities when it's really a rewrite)
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index 345d2e4..3b2e38c 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -27,6 +27,7 @@
 #include <zlib.h>
 #include "aes.h"
 #include "block/qcow2.h"
+#include "qemu-error.h"
 
 /*
   Differences with QCOW:
@@ -794,6 +795,7 @@ static int qcow2_change_backing_file(BlockDriverState *bs,
     return qcow2_update_ext_header(bs, backing_file, backing_fmt);
 }
 
+#if 0
 static int get_bits_from_size(size_t size)
 {
     int res = 0;
@@ -814,6 +816,7 @@ static int get_bits_from_size(size_t size)
 
     return res;
 }
+#endif
 
 
 static int preallocate(BlockDriverState *bs)
@@ -869,6 +872,7 @@ static int preallocate(BlockDriverState *bs)
     return 0;
 }
 
+#if 0
 static int qcow_create2(const char *filename, int64_t total_size,
                         const char *backing_file, const char *backing_format,
                         int flags, size_t cluster_size, int prealloc)
@@ -1066,6 +1070,133 @@ exit:
 
     return ret;
 }
+#else
+static int qcow_create2(const char *filename, int64_t total_size,
+                        const char *backing_file, const char *backing_format,
+                        int flags, size_t cluster_size, int prealloc,
+                        QEMUOptionParameter *options)
+{
+    /* Calulate cluster_bits */
+    int cluster_bits;
+    cluster_bits = ffs(cluster_size) - 1;
+    if (cluster_bits < MIN_CLUSTER_BITS || cluster_bits > MAX_CLUSTER_BITS ||
+        (1 << cluster_bits) != cluster_size)
+    {
+        error_report(
+            "Cluster size must be a power of two between %d and %dk\n",
+            1 << MIN_CLUSTER_BITS, 1 << (MAX_CLUSTER_BITS - 10));
+        return -EINVAL;
+    }
+
+    /*
+     * Open the image file and write a minimal qcow2 header.
+     *
+     * We keep things simple and start with a zero-sized image. We also
+     * do without refcount blocks or a L1 table for now. We'll fix the
+     * inconsistency later.
+     *
+     * We do need a refcount table because growing the refcount table means
+     * allocating two new refcount blocks - the seconds of which would be at
+     * 2 GB for 64k clusters, and we don't want to have a 2 GB initial file
+     * size for any qcow2 image.
+     */
+    BlockDriverState* bs;
+    QCowHeader header;
+    uint8_t* refcount_table;
+    int ret;
+
+    ret = bdrv_create_file(filename, options);
+    if (ret < 0) {
+        return ret;
+    }
+
+    ret = bdrv_file_open(&bs, filename, BDRV_O_RDWR);
+    if (ret < 0) {
+        return ret;
+    }
+
+    /* Write the header */
+    memset(&header, 0, sizeof(header));
+    header.magic = cpu_to_be32(QCOW_MAGIC);
+    header.version = cpu_to_be32(QCOW_VERSION);
+    header.cluster_bits = cpu_to_be32(cluster_bits);
+    header.size = cpu_to_be64(0);
+    header.l1_table_offset = cpu_to_be64(0);
+    header.l1_size = cpu_to_be32(0);
+    header.refcount_table_offset = cpu_to_be64(cluster_size);
+    header.refcount_table_clusters = cpu_to_be32(1);
+
+    if (flags & BLOCK_FLAG_ENCRYPT) {
+        header.crypt_method = cpu_to_be32(QCOW_CRYPT_AES);
+    } else {
+        header.crypt_method = cpu_to_be32(QCOW_CRYPT_NONE);
+    }
+
+    ret = bdrv_pwrite(bs, 0, &header, sizeof(header));
+    if (ret < 0) {
+        goto out;
+    }
+
+    /* Write an empty refcount table */
+    refcount_table = qemu_mallocz(cluster_size);
+    ret = bdrv_pwrite(bs, cluster_size, refcount_table, cluster_size);
+    qemu_free(refcount_table);
+
+    if (ret < 0) {
+        goto out;
+    }
+
+    bdrv_close(bs);
+
+    /*
+     * And now open the image and make it consistent first (i.e. increase the
+     * refcount of the cluster that is occupied by the header and the refcount
+     * table)
+     */
+    BlockDriver* drv = bdrv_find_format("qcow2");
+    assert(drv != NULL);
+    ret = bdrv_open(bs, filename, BDRV_O_RDWR | BDRV_O_NO_FLUSH, drv);
+    if (ret < 0) {
+        goto out;
+    }
+
+    ret = qcow2_alloc_clusters(bs, 2 * cluster_size);
+    if (ret < 0) {
+        goto out;
+
+    } else if (ret != 0) {
+        error_report("Huh, first cluster in empty image is already in use?");
+        abort();
+    }
+
+    /* Okay, now that we have a valid image, let's give it the right size */
+    ret = bdrv_truncate(bs, total_size * BDRV_SECTOR_SIZE);
+    if (ret < 0) {
+        goto out;
+    }
+
+    /* Want a backing file? There you go.*/
+    if (backing_file) {
+        ret = bdrv_change_backing_file(bs, backing_file, backing_format);
+        if (ret < 0) {
+            goto out;
+        }
+    }
+
+    /* And if we're supposed to preallocate metadata, do that now */
+    if (prealloc) {
+        ret = preallocate(bs);
+        if (ret < 0) {
+            goto out;
+        }
+    }
+
+    ret = 0;
+out:
+    bdrv_delete(bs);
+    return ret;
+}
+#endif
 
 static int qcow_create(const char *filename, QEMUOptionParameter *options)
 {
@@ -1111,7 +1242,7 @@ static int qcow_create(const char *filename, QEMUOptionParameter *options)
     }
 
     return qcow_create2(filename, sectors, backing_file, backing_fmt, flags,
-        cluster_size, prealloc);
+        cluster_size, prealloc, options);
 }
 
 static int qcow_make_empty(BlockDriverState *bs)
commit 72893756e0da74fcb626c52dfff1fc6e9de84f0c
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Oct 18 16:53:53 2010 +0100

    qcow2: Support exact L1 table growth
    
    The L1 table grow operation includes a size calculation that bumps up
    the new L1 table size in order to anticipate the size needs of vmstate
    data.  This helps reduce the number of times that the L1 table has to be
    grown when vmstate data is appended.
    
    This size overhead is not necessary during image creation,
    bdrv_truncate(), or snapshot goto operations.  In fact, existing
    qemu-iotests that exercise table growth are no longer able to trigger it
    because image creation preallocates an L1 table that is too large after
    changes to qcow_create2().
    
    This patch keeps the size calculation but also adds exact growth for
    callers that do not want to inflate the L1 table size unnecessarily.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index fb4224a..4f7dc59 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -28,7 +28,7 @@
 #include "block_int.h"
 #include "block/qcow2.h"
 
-int qcow2_grow_l1_table(BlockDriverState *bs, int min_size)
+int qcow2_grow_l1_table(BlockDriverState *bs, int min_size, bool exact_size)
 {
     BDRVQcowState *s = bs->opaque;
     int new_l1_size, new_l1_size2, ret, i;
@@ -36,15 +36,22 @@ int qcow2_grow_l1_table(BlockDriverState *bs, int min_size)
     int64_t new_l1_table_offset;
     uint8_t data[12];
 
-    new_l1_size = s->l1_size;
-    if (min_size <= new_l1_size)
+    if (min_size <= s->l1_size)
         return 0;
-    if (new_l1_size == 0) {
-        new_l1_size = 1;
-    }
-    while (min_size > new_l1_size) {
-        new_l1_size = (new_l1_size * 3 + 1) / 2;
+
+    if (exact_size) {
+        new_l1_size = min_size;
+    } else {
+        /* Bump size up to reduce the number of times we have to grow */
+        new_l1_size = s->l1_size;
+        if (new_l1_size == 0) {
+            new_l1_size = 1;
+        }
+        while (min_size > new_l1_size) {
+            new_l1_size = (new_l1_size * 3 + 1) / 2;
+        }
     }
+
 #ifdef DEBUG_ALLOC2
     printf("grow l1_table from %d to %d\n", s->l1_size, new_l1_size);
 #endif
@@ -550,7 +557,7 @@ static int get_cluster_table(BlockDriverState *bs, uint64_t offset,
 
     l1_index = offset >> (s->l2_bits + s->cluster_bits);
     if (l1_index >= s->l1_size) {
-        ret = qcow2_grow_l1_table(bs, l1_index + 1);
+        ret = qcow2_grow_l1_table(bs, l1_index + 1, false);
         if (ret < 0) {
             return ret;
         }
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index bbfcaaa..8dd5df0 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -327,7 +327,7 @@ int qcow2_snapshot_goto(BlockDriverState *bs, const char *snapshot_id)
     if (qcow2_update_snapshot_refcount(bs, s->l1_table_offset, s->l1_size, -1) < 0)
         goto fail;
 
-    if (qcow2_grow_l1_table(bs, sn->l1_size) < 0)
+    if (qcow2_grow_l1_table(bs, sn->l1_size, true) < 0)
         goto fail;
 
     s->l1_size = sn->l1_size;
diff --git a/block/qcow2.c b/block/qcow2.c
index ee3481b..345d2e4 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -1154,7 +1154,7 @@ static int qcow2_truncate(BlockDriverState *bs, int64_t offset)
     }
 
     new_l1_size = size_to_l1(s, offset);
-    ret = qcow2_grow_l1_table(bs, new_l1_size);
+    ret = qcow2_grow_l1_table(bs, new_l1_size, true);
     if (ret < 0) {
         return ret;
     }
diff --git a/block/qcow2.h b/block/qcow2.h
index 356a34a..add710b 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -188,7 +188,7 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
 int qcow2_check_refcounts(BlockDriverState *bs, BdrvCheckResult *res);
 
 /* qcow2-cluster.c functions */
-int qcow2_grow_l1_table(BlockDriverState *bs, int min_size);
+int qcow2_grow_l1_table(BlockDriverState *bs, int min_size, bool exact_size);
 void qcow2_l2_cache_reset(BlockDriverState *bs);
 int qcow2_decompress_cluster(BlockDriverState *bs, uint64_t cluster_offset);
 void qcow2_encrypt_sectors(BDRVQcowState *s, int64_t sector_num,
commit 46c7fc182d990a373d6a9197a69ff05bba902005
Author: Kusanagi Kouichi <slash at ac.auone-net.jp>
Date:   Wed Oct 20 18:00:01 2010 +0900

    monitor: Ignore "." and ".." when completing file name.
    
    Signed-off-by: Kusanagi Kouichi <slash at ac.auone-net.jp>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 260cc02..61607c5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3976,6 +3976,11 @@ static void file_completion(const char *input)
         d = readdir(ffs);
         if (!d)
             break;
+
+        if (strcmp(d->d_name, ".") == 0 || strcmp(d->d_name, "..") == 0) {
+            continue;
+        }
+
         if (strstart(d->d_name, file_prefix, NULL)) {
             memcpy(file, input, input_path_len);
             if (input_path_len < sizeof(file))
commit 945d3e6378fc639925370c62cb5e3d32b8f297c3
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Oct 19 16:03:15 2010 +0200

    Fix test suite build with tracing enabled
    
    qemu_malloc instrumentations require linking against the trace objects.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/Makefile b/Makefile
index 252c817..106a401 100644
--- a/Makefile
+++ b/Makefile
@@ -140,12 +140,12 @@ qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 
 check-qint.o check-qstring.o check-qdict.o check-qlist.o check-qfloat.o check-qjson.o: $(GENERATED_HEADERS)
 
-check-qint: check-qint.o qint.o qemu-malloc.o
-check-qstring: check-qstring.o qstring.o qemu-malloc.o
-check-qdict: check-qdict.o qdict.o qfloat.o qint.o qstring.o qbool.o qemu-malloc.o qlist.o
-check-qlist: check-qlist.o qlist.o qint.o qemu-malloc.o
-check-qfloat: check-qfloat.o qfloat.o qemu-malloc.o
-check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjson.o json-streamer.o json-lexer.o json-parser.o qemu-malloc.o
+check-qint: check-qint.o qint.o qemu-malloc.o $(trace-obj-y)
+check-qstring: check-qstring.o qstring.o qemu-malloc.o $(trace-obj-y)
+check-qdict: check-qdict.o qdict.o qfloat.o qint.o qstring.o qbool.o qemu-malloc.o qlist.o $(trace-obj-y)
+check-qlist: check-qlist.o qlist.o qint.o qemu-malloc.o $(trace-obj-y)
+check-qfloat: check-qfloat.o qfloat.o qemu-malloc.o $(trace-obj-y)
+check-qjson: check-qjson.o qfloat.o qint.o qdict.o qstring.o qlist.o qbool.o qjson.o json-streamer.o json-lexer.o json-parser.o qemu-malloc.o $(trace-obj-y)
 
 clean:
 # avoid old build problems by removing potentially incorrect old files
commit e7a06af838a45be4f92e655fd4628e3351a09c98
Author: Jan Kiszka <jan.kiszka at web.de>
Date:   Sat Oct 16 19:42:43 2010 +0200

    Silence compiler warning in json test case
    
    This avoids
    
        error: zero-length gnu_printf format string
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/check-qjson.c b/check-qjson.c
index 0b60e45..64fcdcb 100644
--- a/check-qjson.c
+++ b/check-qjson.c
@@ -639,7 +639,9 @@ END_TEST
 
 START_TEST(empty_input)
 {
-    QObject *obj = qobject_from_json("");
+    const char *empty = "";
+
+    QObject *obj = qobject_from_json(empty);
     fail_unless(obj == NULL);
 }
 END_TEST
commit 7af72c24aed92bfb7ebc999ddd509c3d8c8b3f83
Author: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
Date:   Thu Oct 14 09:51:02 2010 +0900

    Trivial fix for QMP/qmp-events.txt
    
    Fix example of STOP event that was just copy-and-pasted.
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/QMP/qmp-events.txt b/QMP/qmp-events.txt
index 01ec85f..aa20210 100644
--- a/QMP/qmp-events.txt
+++ b/QMP/qmp-events.txt
@@ -89,7 +89,7 @@ Data: None.
 
 Example:
 
-{ "event": "SHUTDOWN",
+{ "event": "STOP",
     "timestamp": { "seconds": 1267041730, "microseconds": 281295 } }
 
 VNC_CONNECTED
commit d03703c81a202cea156811e5dbc8e88627c19986
Author: Samuel Thibault <samuel.thibault at gnu.org>
Date:   Tue Oct 19 19:48:20 2010 +0200

    curses: Fix control-{@[\]^_} and ESC
    
    control-{@[\]^_} shouldn't get the 'a' - 'A' offset for correct
    translation. ESC is better simulated as escape key.
    
    Signed-off-by: Samuel Thibault <samuel.thibault at ens-lyon.org>
    Signed-off-by: Andrew Zaborowski <balrogg at gmail.com>

diff --git a/ui/curses.c b/ui/curses.c
index ed3165e..82bc614 100644
--- a/ui/curses.c
+++ b/ui/curses.c
@@ -238,9 +238,12 @@ static void curses_refresh(DisplayState *ds)
                 keysym = curses2keysym[chr];
 
             if (keysym == -1) {
-                if (chr < ' ')
-                    keysym = (chr + '@' - 'A' + 'a') | KEYSYM_CNTRL;
-                else
+                if (chr < ' ') {
+                    keysym = chr + '@';
+                    if (keysym >= 'A' && keysym <= 'Z')
+                        keysym += 'a' - 'A';
+                    keysym |= KEYSYM_CNTRL;
+                } else
                     keysym = chr;
             }
 
diff --git a/ui/curses_keys.h b/ui/curses_keys.h
index 1decd11..c0d5eb4 100644
--- a/ui/curses_keys.h
+++ b/ui/curses_keys.h
@@ -55,6 +55,7 @@ static const int curses2keysym[CURSES_KEYS] = {
     [0x7f] = KEY_BACKSPACE,
     ['\r'] = KEY_ENTER,
     ['\n'] = KEY_ENTER,
+    [27] = 27,
     [KEY_BTAB] = '\t' | KEYSYM_SHIFT,
 };
 
commit 25d2e3613d159782b66f497184ebdcf3ccb686ab
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Oct 21 13:35:04 2010 -0200

    kvm: save/restore x86-64 MSRs on x86-64 kernels
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index e2f7e2e..ae0a034 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -15,6 +15,7 @@
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/mman.h>
+#include <sys/utsname.h>
 
 #include <linux/kvm.h>
 
@@ -53,6 +54,8 @@
 #define BUS_MCEERR_AO 5
 #endif
 
+static int lm_capable_kernel;
+
 #ifdef KVM_CAP_EXT_CPUID
 
 static struct kvm_cpuid2 *try_get_cpuid(KVMState *s, int max)
@@ -523,6 +526,11 @@ int kvm_arch_init(KVMState *s, int smp_cpus)
 {
     int ret;
 
+    struct utsname utsname;
+
+    uname(&utsname);
+    lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
+
     /* create vm86 tss.  KVM uses vm86 mode to emulate 16-bit code
      * directly.  In order to use vm86 mode, a TSS is needed.  Since this
      * must be part of guest physical memory, we need to allocate it.  Older
@@ -810,11 +818,12 @@ static int kvm_put_msrs(CPUState *env, int level)
     if (kvm_has_msr_hsave_pa(env))
         kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
 #ifdef TARGET_X86_64
-    /* FIXME if lm capable */
-    kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
-    kvm_msr_entry_set(&msrs[n++], MSR_KERNELGSBASE, env->kernelgsbase);
-    kvm_msr_entry_set(&msrs[n++], MSR_FMASK, env->fmask);
-    kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
+    if (lm_capable_kernel) {
+        kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+        kvm_msr_entry_set(&msrs[n++], MSR_KERNELGSBASE, env->kernelgsbase);
+        kvm_msr_entry_set(&msrs[n++], MSR_FMASK, env->fmask);
+        kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
+    }
 #endif
     if (level == KVM_PUT_FULL_STATE) {
         /*
@@ -1046,11 +1055,12 @@ static int kvm_get_msrs(CPUState *env)
         msrs[n++].index = MSR_VM_HSAVE_PA;
     msrs[n++].index = MSR_IA32_TSC;
 #ifdef TARGET_X86_64
-    /* FIXME lm_capable_kernel */
-    msrs[n++].index = MSR_CSTAR;
-    msrs[n++].index = MSR_KERNELGSBASE;
-    msrs[n++].index = MSR_FMASK;
-    msrs[n++].index = MSR_LSTAR;
+    if (lm_capable_kernel) {
+        msrs[n++].index = MSR_CSTAR;
+        msrs[n++].index = MSR_KERNELGSBASE;
+        msrs[n++].index = MSR_FMASK;
+        msrs[n++].index = MSR_LSTAR;
+    }
 #endif
     msrs[n++].index = MSR_KVM_SYSTEM_TIME;
     msrs[n++].index = MSR_KVM_WALL_CLOCK;
commit 384331a61a8ca42f32516ced20cb52470c5f6f57
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Oct 21 13:35:03 2010 -0200

    kvm: writeback SMP TSCs on migration only
    
    commit 6389c45441269baa2873e6feafebd17105ddeaf6
    Author: Jan Kiszka <jan.kiszka at siemens.com>
    Date:   Mon Mar 1 18:17:26 2010 +0100
    
        qemu-kvm: Cleanup/fix TSC and PV clock writeback
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 06474d6..e2f7e2e 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -817,7 +817,15 @@ static int kvm_put_msrs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
 #endif
     if (level == KVM_PUT_FULL_STATE) {
-        kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSC, env->tsc);
+        /*
+         * KVM is yet unable to synchronize TSC values of multiple VCPUs on
+         * writeback. Until this is fixed, we only write the offset to SMP
+         * guests after migration, desynchronizing the VCPUs, but avoiding
+         * huge jump-backs that would occur without any writeback at all.
+         */
+        if (smp_cpus == 1 || env->tsc != 0) {
+            kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSC, env->tsc);
+        }
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME,
                           env->system_time_msr);
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
commit 75b10c43365e2a9cab5398f31b96a463b0d57eff
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Oct 21 13:35:02 2010 -0200

    kvm: factor out kvm_has_msr_star
    
    And add kvm_has_msr_hsave_pa(), to avoid warnings on older
    kernels without support.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index e6c9a1d..06474d6 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -438,23 +438,26 @@ void kvm_arch_reset_vcpu(CPUState *env)
     }
 }
 
-static int kvm_has_msr_star(CPUState *env)
+int has_msr_star;
+int has_msr_hsave_pa;
+
+static void kvm_supported_msrs(CPUState *env)
 {
-    static int has_msr_star;
+    static int kvm_supported_msrs;
     int ret;
 
     /* first time */
-    if (has_msr_star == 0) {        
+    if (kvm_supported_msrs == 0) {
         struct kvm_msr_list msr_list, *kvm_msr_list;
 
-        has_msr_star = -1;
+        kvm_supported_msrs = -1;
 
         /* Obtain MSR list from KVM.  These are the MSRs that we must
          * save/restore */
         msr_list.nmsrs = 0;
         ret = kvm_ioctl(env->kvm_state, KVM_GET_MSR_INDEX_LIST, &msr_list);
         if (ret < 0 && ret != -E2BIG) {
-            return 0;
+            return;
         }
         /* Old kernel modules had a bug and could write beyond the provided
            memory. Allocate at least a safe amount of 1K. */
@@ -470,7 +473,11 @@ static int kvm_has_msr_star(CPUState *env)
             for (i = 0; i < kvm_msr_list->nmsrs; i++) {
                 if (kvm_msr_list->indices[i] == MSR_STAR) {
                     has_msr_star = 1;
-                    break;
+                    continue;
+                }
+                if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA) {
+                    has_msr_hsave_pa = 1;
+                    continue;
                 }
             }
         }
@@ -478,9 +485,19 @@ static int kvm_has_msr_star(CPUState *env)
         free(kvm_msr_list);
     }
 
-    if (has_msr_star == 1)
-        return 1;
-    return 0;
+    return;
+}
+
+static int kvm_has_msr_hsave_pa(CPUState *env)
+{
+    kvm_supported_msrs(env);
+    return has_msr_hsave_pa;
+}
+
+static int kvm_has_msr_star(CPUState *env)
+{
+    kvm_supported_msrs(env);
+    return has_msr_star;
 }
 
 static int kvm_init_identity_map_page(KVMState *s)
@@ -790,7 +807,8 @@ static int kvm_put_msrs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
     if (kvm_has_msr_star(env))
 	kvm_msr_entry_set(&msrs[n++], MSR_STAR, env->star);
-    kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
+    if (kvm_has_msr_hsave_pa(env))
+        kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
 #ifdef TARGET_X86_64
     /* FIXME if lm capable */
     kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
@@ -1016,7 +1034,8 @@ static int kvm_get_msrs(CPUState *env)
     msrs[n++].index = MSR_IA32_SYSENTER_EIP;
     if (kvm_has_msr_star(env))
 	msrs[n++].index = MSR_STAR;
-    msrs[n++].index = MSR_VM_HSAVE_PA;
+    if (kvm_has_msr_hsave_pa(env))
+        msrs[n++].index = MSR_VM_HSAVE_PA;
     msrs[n++].index = MSR_IA32_TSC;
 #ifdef TARGET_X86_64
     /* FIXME lm_capable_kernel */
commit aa851e365b3f62ad86cf599860217b60e02dc893
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Oct 21 13:35:01 2010 -0200

    kvm: add save/restore of MSR_VM_HSAVE_PA
    
    commit 2bba4446746add456ceeb0e8359a43032a2ea333
    Author: Alexander Graf <agraf at suse.de>
    Date:   Thu Dec 18 15:38:32 2008 +0100
    
        Enable nested SVM support in userspace
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 587ee19..e6c9a1d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -790,6 +790,7 @@ static int kvm_put_msrs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
     if (kvm_has_msr_star(env))
 	kvm_msr_entry_set(&msrs[n++], MSR_STAR, env->star);
+    kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
 #ifdef TARGET_X86_64
     /* FIXME if lm capable */
     kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
@@ -1015,6 +1016,7 @@ static int kvm_get_msrs(CPUState *env)
     msrs[n++].index = MSR_IA32_SYSENTER_EIP;
     if (kvm_has_msr_star(env))
 	msrs[n++].index = MSR_STAR;
+    msrs[n++].index = MSR_VM_HSAVE_PA;
     msrs[n++].index = MSR_IA32_TSC;
 #ifdef TARGET_X86_64
     /* FIXME lm_capable_kernel */
@@ -1071,6 +1073,9 @@ static int kvm_get_msrs(CPUState *env)
         case MSR_IA32_TSC:
             env->tsc = msrs[i].data;
             break;
+        case MSR_VM_HSAVE_PA:
+            env->vm_hsave = msrs[i].data;
+            break;
         case MSR_KVM_SYSTEM_TIME:
             env->system_time_msr = msrs[i].data;
             break;
commit d8da8574b167144d1868f343514dfb88716e2edb
Author: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
Date:   Thu Oct 21 17:23:14 2010 +0900

    Fix build on !KVM_CAP_MCE
    
    This patch removes following warnings:
    
    target-i386/kvm.c: In function 'kvm_put_msrs':
    target-i386/kvm.c:782: error: unused variable 'i'
    target-i386/kvm.c: In function 'kvm_get_msrs':
    target-i386/kvm.c:1083: error: label at end of compound statement
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 9144f74..587ee19 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -783,7 +783,7 @@ static int kvm_put_msrs(CPUState *env, int level)
         struct kvm_msr_entry entries[100];
     } msr_data;
     struct kvm_msr_entry *msrs = msr_data.entries;
-    int i, n = 0;
+    int n = 0;
 
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS, env->sysenter_cs);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
@@ -805,6 +805,7 @@ static int kvm_put_msrs(CPUState *env, int level)
     }
 #ifdef KVM_CAP_MCE
     if (env->mcg_cap) {
+        int i;
         if (level == KVM_PUT_RESET_STATE)
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
         else if (level == KVM_PUT_FULL_STATE) {
@@ -1089,9 +1090,9 @@ static int kvm_get_msrs(CPUState *env)
             if (msrs[i].index >= MSR_MC0_CTL &&
                 msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
                 env->mce_banks[msrs[i].index - MSR_MC0_CTL] = msrs[i].data;
-                break;
             }
 #endif
+            break;
         }
     }
 
commit f71ac88fe97620f9cc80facc5e00826b8256fe5d
Author: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
Date:   Thu Oct 21 17:47:06 2010 +0900

    x86, mce: broadcast mce depending on the cpu version
    
    There is no reason why SRAO event received by the main thread
    is the only one that being broadcasted.
    
    According to the x86 ASDM vol.3A 15.10.4.1,
    MCE signal is broadcast on processor version 06H_EH or later.
    
    This change is required to handle SRAR in smp guests.
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index b813953..9144f74 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1636,6 +1636,28 @@ static void hardware_memory_error(void)
     exit(1);
 }
 
+#ifdef KVM_CAP_MCE
+static void kvm_mce_broadcast_rest(CPUState *env)
+{
+    CPUState *cenv;
+    int family, model, cpuver = env->cpuid_version;
+
+    family = (cpuver >> 8) & 0xf;
+    model = ((cpuver >> 12) & 0xf0) + ((cpuver >> 4) & 0xf);
+
+    /* Broadcast MCA signal for processor version 06H_EH and above */
+    if ((family == 6 && model >= 14) || family > 6) {
+        for (cenv = first_cpu; cenv != NULL; cenv = cenv->next_cpu) {
+            if (cenv == env) {
+                continue;
+            }
+            kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
+                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
+        }
+    }
+}
+#endif
+
 int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
 {
 #if defined(KVM_CAP_MCE)
@@ -1693,6 +1715,7 @@ int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
             fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
             abort();
         }
+        kvm_mce_broadcast_rest(env);
     } else
 #endif
     {
@@ -1715,7 +1738,6 @@ int kvm_on_sigbus(int code, void *addr)
         void *vaddr;
         ram_addr_t ram_addr;
         target_phys_addr_t paddr;
-        CPUState *cenv;
 
         /* Hope we are lucky for AO MCE */
         vaddr = addr;
@@ -1731,10 +1753,7 @@ int kvm_on_sigbus(int code, void *addr)
         kvm_inject_x86_mce(first_cpu, 9, status,
                            MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
                            (MCM_ADDR_PHYS << 6) | 0xc, 1);
-        for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
-            kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
-                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
-        }
+        kvm_mce_broadcast_rest(first_cpu);
     } else
 #endif
     {
commit f8502cfbbf0bdd30603159a23d86cd19ad202a25
Author: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
Date:   Thu Oct 21 17:46:49 2010 +0900

    x86, mce: ignore SRAO only when MCG_SER_P is available
    
    And restruct this block to call kvm_mce_in_exception() only when it is
    required.
    
    Signed-off-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 512d533..b813953 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -239,12 +239,16 @@ static void kvm_do_inject_x86_mce(void *_data)
     struct kvm_x86_mce_data *data = _data;
     int r;
 
-    /* If there is an MCE excpetion being processed, ignore this SRAO MCE */
-    r = kvm_mce_in_exception(data->env);
-    if (r == -1)
-        fprintf(stderr, "Failed to get MCE status\n");
-    else if (r && !(data->mce->status & MCI_STATUS_AR))
-        return;
+    /* If there is an MCE exception being processed, ignore this SRAO MCE */
+    if ((data->env->mcg_cap & MCG_SER_P) &&
+        !(data->mce->status & MCI_STATUS_AR)) {
+        r = kvm_mce_in_exception(data->env);
+        if (r == -1) {
+            fprintf(stderr, "Failed to get MCE status\n");
+        } else if (r) {
+            return;
+        }
+    }
 
     r = kvm_set_mce(data->env, data->mce);
     if (r < 0) {
commit 9de479a97aeda2820f4408a760d3152a60cc9bb7
Merge: bd8b215... 81b2246...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Oct 21 11:19:36 2010 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (31 commits)
      Fix pci hotplug to generate level triggered interrupt.
      Use defines instead of numbers for pci hotplug sts bit
      Add savevm/loadvm support for MCE
      MCE: Relay UCR MCE to guest
      Add RAM -> physical addr mapping in MCE simulation
      Export qemu_ram_addr_from_host
      kvm: x86: add mce support
      Add svm cpuid features
      Fix memory leak in register save load due to xsave support
      iothread: use signalfd
      Set cpuid definition to 0 before initializing it
      signalfd compatibility
      configure: Support disabling warnings in $gcc_flags
      tcg: Fix compiler error (comparison of unsigned expression)
      wacom tablet: activate event handlers.
      vmmouse: adapt to mouse handler changes.
      [virtio-9p] Add support to v9fs_string_alloc_printf() for handling %lu.
      [virtio-9p] Use preadv/pwritev instead of readv/writev
      [virtio-9p] Qemu 9p commandline options validity checks
      virtio-9p: Support mapped posix acl
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 81b2246a4a2874f61a157588fb14cd2de381b9f4
Merge: d0f192b... 633aa0a...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 21:42:57 2010 -0200

    Merge commit '633aa0acfe2c4d3e56acfe28c912796bf54de6d3' into upstream-merge
    
    * commit '633aa0acfe2c4d3e56acfe28c912796bf54de6d3':
      Fix pci hotplug to generate level triggered interrupt.
      Use defines instead of numbers for pci hotplug sts bit
      Fix memory leak in register save load due to xsave support
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/acpi_piix4.c
index 86211ba,f74f34c..1c8e4e2
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@@ -474,12 -464,10 +478,14 @@@ static uint32_t gpe_read_val(uint16_t v
  static uint32_t gpe_readb(void *opaque, uint32_t addr)
  {
      uint32_t val = 0;
-     struct gpe_regs *g = opaque;
+     PIIX4PMState *s = opaque;
+     struct gpe_regs *g = &s->gpe;
+ 
      switch (addr) {
 +        case PROC_BASE ... PROC_BASE+31:
 +            val = g->cpus_sts[addr - PROC_BASE];
 +            break;
 +
          case GPE_BASE:
          case GPE_BASE + 1:
              val = gpe_read_val(g->sts, addr);
@@@ -599,21 -589,11 +609,21 @@@ static int piix4_device_hotplug(DeviceS
  
  static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
  {
 +    struct gpe_regs *gpe = &s->gpe;
      struct pci_status *pci0_status = &s->pci0_status;
 +    int i = 0, cpus = smp_cpus;
 +
 +    while (cpus > 0) {
 +        gpe->cpus_sts[i++] = (cpus < 8) ? (1 << cpus) - 1 : 0xff;
 +        cpus -= 8;
 +    }
  
-     register_ioport_write(GPE_BASE, 4, 1, gpe_writeb, gpe);
-     register_ioport_read(GPE_BASE, 4, 1,  gpe_readb, gpe);
+     register_ioport_write(GPE_BASE, 4, 1, gpe_writeb, s);
+     register_ioport_read(GPE_BASE, 4, 1,  gpe_readb, s);
  
 +    register_ioport_write(PROC_BASE, 32, 1, gpe_writeb, gpe);
 +    register_ioport_read(PROC_BASE, 32, 1,  gpe_readb, gpe);
 +
      register_ioport_write(PCI_BASE, 8, 4, pcihotplug_write, pci0_status);
      register_ioport_read(PCI_BASE, 8, 4,  pcihotplug_read, pci0_status);
  
@@@ -623,47 -603,9 +633,47 @@@
      pci_bus_hotplug(bus, piix4_device_hotplug, &s->dev.qdev);
  }
  
 +#if defined(TARGET_I386)
 +static void enable_processor(struct gpe_regs *g, int cpu)
 +{
 +    g->sts |= 4;
 +    g->cpus_sts[cpu/8] |= (1 << (cpu%8));
 +}
 +
 +static void disable_processor(struct gpe_regs *g, int cpu)
 +{
 +    g->sts |= 4;
 +    g->cpus_sts[cpu/8] &= ~(1 << (cpu%8));
 +}
 +
 +void qemu_system_cpu_hot_add(int cpu, int state)
 +{
 +    CPUState *env;
 +    PIIX4PMState *s = global_piix4_pm_state;
 +
 +    if (state && !qemu_get_cpu(cpu)) {
 +        env = pc_new_cpu(global_cpu_model);
 +        if (!env) {
 +            fprintf(stderr, "cpu %d creation failed\n", cpu);
 +            return;
 +        }
 +        env->cpuid_apic_id = cpu;
 +    }
 +
 +    if (state)
 +        enable_processor(&s->gpe, cpu);
 +    else
 +        disable_processor(&s->gpe, cpu);
 +    if (s->gpe.en & 4) {
 +        qemu_set_irq(s->irq, 1);
 +        qemu_set_irq(s->irq, 0);
 +    }
 +}
 +#endif
 +
  static void enable_device(PIIX4PMState *s, int slot)
  {
-     s->gpe.sts |= 2;
+     s->gpe.sts |= PIIX4_PCI_HOTPLUG_STATUS;
      s->pci0_status.up |= (1 << slot);
  }
  
commit d0f192b0eed6dac8efca49b78be53e9cdc27564c
Merge: 0dd621a... 5778049...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 21:40:37 2010 -0200

    Merge commit '577804958ae8ea40b630bc820b72c33f37b01e81' into upstream-merge
    
    * commit '577804958ae8ea40b630bc820b72c33f37b01e81':
      Add savevm/loadvm support for MCE
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/kvm.c
index 211a9b2,35daf90..11ca625
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -1066,9 -1067,22 +1087,25 @@@ static int kvm_get_msrs(CPUState *env
          case MSR_KVM_WALL_CLOCK:
              env->wall_clock_msr = msrs[i].data;
              break;
 +        case MSR_VM_HSAVE_PA:
 +            env->vm_hsave = msrs[i].data;
 +            break;
+ #ifdef KVM_CAP_MCE
+         case MSR_MCG_STATUS:
+             env->mcg_status = msrs[i].data;
+             break;
+         case MSR_MCG_CTL:
+             env->mcg_ctl = msrs[i].data;
+             break;
+ #endif
+         default:
+ #ifdef KVM_CAP_MCE
+             if (msrs[i].index >= MSR_MC0_CTL &&
+                 msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
+                 env->mce_banks[msrs[i].index - MSR_MC0_CTL] = msrs[i].data;
+                 break;
+             }
+ #endif
          }
      }
  
commit 0dd621a21d2870d6e15a7d12823528aaa397779a
Merge: 57c2f8b... c0532a7...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 21:37:59 2010 -0200

    Merge commit 'c0532a76b407af4b276dc5a62d8178db59857ea6' into upstream-merge
    
    * commit 'c0532a76b407af4b276dc5a62d8178db59857ea6':
      MCE: Relay UCR MCE to guest
    
    Conflicts:
    	kvm-stub.c
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc kvm-all.c
index 23d4af3,37b99c7..e420298
--- a/kvm-all.c
+++ b/kvm-all.c
@@@ -1083,11 -1061,6 +1083,10 @@@ void kvm_setup_guest_memory(void *start
  }
  
  #ifdef KVM_CAP_SET_GUEST_DEBUG
 +#ifndef OBSOLETE_KVM_IMPL
 +#define run_on_cpu on_vcpu
- static void on_vcpu(CPUState *env, void (*func)(void *data), void *data);
 +#endif /* !OBSOLETE_KVM_IMPL */
 +
  struct kvm_sw_breakpoint *kvm_find_sw_breakpoint(CPUState *env,
                                                   target_ulong pc)
  {
diff --cc kvm-stub.c
index aeee3c0,5384a4b..07be036
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@@ -142,43 -142,7 +142,47 @@@ int kvm_set_ioeventfd_mmio_long(int fd
      return -ENOSYS;
  }
  
 +int kvm_has_gsi_routing(void)
 +{
 +    return 0;
 +}
 +
 +int kvm_get_irq_route_gsi(void)
 +{
 +    return -ENOSYS;
 +}
 +
 +int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
 +                 uint32_t addr_hi, uint32_t data)
 +{
 +    return -ENOSYS;
 +}
 +
 +int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
 +                 uint32_t addr_hi, uint32_t data)
 +{
 +    return -ENOSYS;
 +}
 +
 +int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
 +                    uint32_t old_addr_hi, uint32_t old_data,
 +                    uint32_t new_gsi, uint32_t new_addr_lo,
 +                    uint32_t new_addr_hi, uint32_t new_data)
 +{
 +    return -ENOSYS;
 +}
 +
 +int kvm_commit_irq_routes(void)
 +{
 +    return -ENOSYS;
 +}
 +
 +int kvm_set_irq(int irq, int level, int *status)
 +{
 +    assert(0);
 +    return -ENOSYS;
 +}
+ int kvm_on_sigbus(int code, void *addr)
+ {
+     return 1;
 -}
++{
diff --cc qemu-kvm.c
index bac5b86,0000000..625f286
mode 100644,000000..100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@@ -1,1944 -1,0 +1,1815 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <assert.h>
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "sysemu.h"
 +#include "qemu-common.h"
 +#include "console.h"
 +#include "block.h"
 +#include "compatfd.h"
 +#include "gdbstub.h"
 +#include "monitor.h"
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <sys/syscall.h>
 +#include <sys/mman.h>
 +#include <sys/ioctl.h>
 +#include "compatfd.h"
 +#include <sys/prctl.h>
 +
 +#define false 0
 +#define true 1
 +
 +#ifndef PR_MCE_KILL
 +#define PR_MCE_KILL 33
 +#endif
 +
 +#ifndef BUS_MCEERR_AR
 +#define BUS_MCEERR_AR 4
 +#endif
 +#ifndef BUS_MCEERR_AO
 +#define BUS_MCEERR_AO 5
 +#endif
 +
 +#define EXPECTED_KVM_API_VERSION 12
 +
 +#if EXPECTED_KVM_API_VERSION != KVM_API_VERSION
 +#error libkvm: userspace and kernel version mismatch
 +#endif
 +
 +int kvm_irqchip = 1;
 +int kvm_pit = 1;
 +int kvm_pit_reinject = 1;
 +int kvm_nested = 0;
 +
 +
 +KVMState *kvm_state;
 +kvm_context_t kvm_context;
 +
 +pthread_mutex_t qemu_mutex = PTHREAD_MUTEX_INITIALIZER;
 +pthread_cond_t qemu_vcpu_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_system_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_pause_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_work_cond = PTHREAD_COND_INITIALIZER;
 +__thread CPUState *current_env;
 +
 +static int qemu_system_ready;
 +
 +#define SIG_IPI (SIGRTMIN+4)
 +
 +pthread_t io_thread;
 +static int io_thread_sigfd = -1;
 +
 +static CPUState *kvm_debug_cpu_requested;
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +/* The list of ioperm_data */
 +static QLIST_HEAD(, ioperm_data) ioperm_head;
 +#endif
 +
 +#define ALIGN(x, y) (((x)+(y)-1) & ~((y)-1))
 +
 +int kvm_abi = EXPECTED_KVM_API_VERSION;
 +int kvm_page_size;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +static int kvm_debug(CPUState *env,
 +                     struct kvm_debug_exit_arch *arch_info)
 +{
 +    int handle = kvm_arch_debug(arch_info);
 +
 +    if (handle) {
 +        kvm_debug_cpu_requested = env;
 +        env->stopped = 1;
 +    }
 +    return handle;
 +}
 +#endif
 +
 +static int handle_unhandled(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: unhandled exit %" PRIx64 "\n", reason);
 +    return -EINVAL;
 +}
 +
 +#define VMX_INVALID_GUEST_STATE 0x80000021
 +
 +static int handle_failed_vmentry(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: vm entry failed with error 0x%" PRIx64 "\n\n", reason);
 +
 +    /* Perhaps we will need to check if this machine is intel since exit reason 0x21
 +       has a different interpretation on SVM */
 +    if (reason == VMX_INVALID_GUEST_STATE) {
 +        fprintf(stderr, "If you're runnning a guest on an Intel machine without\n");
 +        fprintf(stderr, "unrestricted mode support, the failure can be most likely\n");
 +        fprintf(stderr, "due to the guest entering an invalid state for Intel VT.\n");
 +        fprintf(stderr, "For example, the guest maybe running in big real mode\n");
 +        fprintf(stderr, "which is not supported on less recent Intel processors.\n\n");
 +    }
 +
 +    return -EINVAL;
 +}
 +
 +static inline void set_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] |= 1U << (gsi % 32);
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static inline void clear_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] &= ~(1U << (gsi % 32));
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static int kvm_create_context(void);
 +
 +int kvm_init(int smp_cpus)
 +{
 +    int fd;
 +    int r, gsi_count;
 +
 +
 +    fd = open("/dev/kvm", O_RDWR);
 +    if (fd == -1) {
 +        perror("open /dev/kvm");
 +        return -1;
 +    }
 +    r = ioctl(fd, KVM_GET_API_VERSION, 0);
 +    if (r == -1) {
 +        fprintf(stderr,
 +                "kvm kernel version too old: "
 +                "KVM_GET_API_VERSION ioctl not supported\n");
 +        goto out_close;
 +    }
 +    if (r < EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm kernel version too old: "
 +                "We expect API version %d or newer, but got "
 +                "version %d\n", EXPECTED_KVM_API_VERSION, r);
 +        goto out_close;
 +    }
 +    if (r > EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm userspace version too old\n");
 +        goto out_close;
 +    }
 +    kvm_abi = r;
 +    kvm_page_size = getpagesize();
 +    kvm_state = qemu_mallocz(sizeof(*kvm_state));
 +    kvm_context = &kvm_state->kvm_context;
 +
 +    kvm_state->fd = fd;
 +    kvm_state->vmfd = -1;
 +    kvm_context->opaque = cpu_single_env;
 +    kvm_context->dirty_pages_log_all = 0;
 +    kvm_context->no_irqchip_creation = 0;
 +    kvm_context->no_pit_creation = 0;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_INIT(&kvm_state->kvm_sw_breakpoints);
 +#endif
 +
 +    gsi_count = kvm_get_gsi_count(kvm_context);
 +    if (gsi_count > 0) {
 +        int gsi_bits, i;
 +
 +        /* Round up so we can search ints using ffs */
 +        gsi_bits = ALIGN(gsi_count, 32);
 +        kvm_context->used_gsi_bitmap = qemu_mallocz(gsi_bits / 8);
 +        kvm_context->max_gsi = gsi_bits;
 +
 +        /* Mark any over-allocated bits as already in use */
 +        for (i = gsi_count; i < gsi_bits; i++) {
 +            set_gsi(kvm_context, i);
 +        }
 +    }
 +
 +    kvm_cpu_register_phys_memory_client();
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    return kvm_create_context();
 +
 +  out_close:
 +    close(fd);
 +    return -1;
 +}
 +
 +static void kvm_finalize(KVMState *s)
 +{
 +    /* FIXME
 +       if (kvm->vcpu_fd[0] != -1)
 +           close(kvm->vcpu_fd[0]);
 +       if (kvm->vm_fd != -1)
 +           close(kvm->vm_fd);
 +     */
 +    close(s->fd);
 +    free(s);
 +}
 +
 +void kvm_disable_irqchip_creation(kvm_context_t kvm)
 +{
 +    kvm->no_irqchip_creation = 1;
 +}
 +
 +void kvm_disable_pit_creation(kvm_context_t kvm)
 +{
 +    kvm->no_pit_creation = 1;
 +}
 +
 +static void kvm_reset_vcpu(void *opaque)
 +{
 +    CPUState *env = opaque;
 +
 +    kvm_arch_cpu_reset(env);
 +}
 +
 +static void kvm_create_vcpu(CPUState *env, int id)
 +{
 +    long mmap_size;
 +    int r;
 +    KVMState *s = kvm_state;
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_CREATE_VCPU, id);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_create_vcpu: %m\n");
 +        fprintf(stderr, "Failed to create vCPU. Check the -smp parameter.\n");
 +        goto err;
 +    }
 +
 +    env->kvm_fd = r;
 +    env->kvm_state = kvm_state;
 +
 +    mmap_size = kvm_ioctl(kvm_state, KVM_GET_VCPU_MMAP_SIZE, 0);
 +    if (mmap_size < 0) {
 +        fprintf(stderr, "get vcpu mmap size: %m\n");
 +        goto err_fd;
 +    }
 +    env->kvm_run =
 +        mmap(NULL, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, env->kvm_fd,
 +             0);
 +    if (env->kvm_run == MAP_FAILED) {
 +        fprintf(stderr, "mmap vcpu area: %m\n");
 +        goto err_fd;
 +    }
 +
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    if (s->coalesced_mmio && !s->coalesced_mmio_ring)
 +        s->coalesced_mmio_ring = (void *) env->kvm_run +
 +               s->coalesced_mmio * PAGE_SIZE;
 +#endif
 +
 +    r = kvm_arch_init_vcpu(env);
 +    if (r == 0) {
 +        qemu_register_reset(kvm_reset_vcpu, env);
 +    }
 +
 +    return;
 +  err_fd:
 +    close(env->kvm_fd);
 +  err:
 +    /* We're no good with semi-broken states. */
 +    abort();
 +}
 +
 +static int kvm_set_boot_vcpu_id(kvm_context_t kvm, uint32_t id)
 +{
 +#ifdef KVM_CAP_SET_BOOT_CPU_ID
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_BOOT_CPU_ID);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_SET_BOOT_CPU_ID, id);
 +    }
 +    return -ENOSYS;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_create_vm(kvm_context_t kvm)
 +{
 +    int fd;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm->irq_routes = qemu_mallocz(sizeof(*kvm->irq_routes));
 +    kvm->nr_allocated_irq_routes = 0;
 +#endif
 +
 +    fd = kvm_ioctl(kvm_state, KVM_CREATE_VM, 0);
 +    if (fd < 0) {
 +        fprintf(stderr, "kvm_create_vm: %m\n");
 +        return -1;
 +    }
 +    kvm_state->vmfd = fd;
 +    return 0;
 +}
 +
 +static int kvm_create_default_phys_mem(kvm_context_t kvm,
 +                                       unsigned long phys_mem_bytes,
 +                                       void **vm_mem)
 +{
 +#ifdef KVM_CAP_USER_MEMORY
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_USER_MEMORY);
 +    if (r > 0)
 +        return 0;
 +    fprintf(stderr,
 +            "Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported\n");
 +#else
 +#error Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported
 +#endif
 +    return -1;
 +}
 +
 +void kvm_create_irqchip(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    kvm->irqchip_in_kernel = 0;
 +#ifdef KVM_CAP_IRQCHIP
 +    if (!kvm->no_irqchip_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_IRQCHIP);
 +        if (r > 0) {            /* kernel irqchip supported */
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_IRQCHIP);
 +            if (r >= 0) {
 +                kvm->irqchip_inject_ioctl = KVM_IRQ_LINE;
 +#if defined(KVM_CAP_IRQ_INJECT_STATUS) && defined(KVM_IRQ_LINE_STATUS)
 +                r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                              KVM_CAP_IRQ_INJECT_STATUS);
 +                if (r > 0) {
 +                    kvm->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
 +                }
 +#endif
 +                kvm->irqchip_in_kernel = 1;
 +            } else
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +        }
 +    }
 +#endif
 +    kvm_state->irqchip_in_kernel = kvm->irqchip_in_kernel;
 +}
 +
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes, void **vm_mem)
 +{
 +    int r, i;
 +
 +    r = kvm_create_vm(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +    r = kvm_arch_create(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++) {
 +        kvm_state->slots[i].slot = i;
 +    }
 +
 +    r = kvm_create_default_phys_mem(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_create_irqchip(kvm);
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status)
 +{
 +    struct kvm_irq_level event;
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    event.level = level;
 +    event.irq = irq;
 +    r = kvm_vm_ioctl(kvm_state, kvm->irqchip_inject_ioctl, &event);
 +    if (r < 0) {
 +        perror("kvm_set_irq_level");
 +    }
 +
 +    if (status) {
 +#ifdef KVM_CAP_IRQ_INJECT_STATUS
 +        *status =
 +            (kvm->irqchip_inject_ioctl == KVM_IRQ_LINE) ? 1 : event.status;
 +#else
 +        *status = 1;
 +#endif
 +    }
 +
 +    return 1;
 +}
 +
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_GET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_get_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_set_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +static int handle_debug(CPUState *env)
 +{
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    struct kvm_run *run = env->kvm_run;
 +
 +    return kvm_debug(env, &run->debug.arch);
 +#else
 +    return 0;
 +#endif
 +}
 +
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_REGS, regs);
 +}
 +
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 +}
 +
 +int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_FPU, fpu);
 +}
 +
 +int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_FPU, fpu);
 +}
 +
 +int kvm_get_sregs(CPUState *env, struct kvm_sregs *sregs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_SREGS, sregs);
 +}
 +
 +int kvm_set_sregs(CPUState *env, struct kvm_sregs *sregs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_SREGS, sregs);
 +}
 +
 +#ifdef KVM_CAP_MP_STATE
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +#endif
 +
 +#ifdef KVM_CAP_XSAVE
 +int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
 +}
 +
 +int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
 +}
 +#endif
 +
 +#ifdef KVM_CAP_XCRS
 +int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_XCRS, xcrs);
 +}
 +
 +int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_XCRS, xcrs);
 +}
 +#endif
 +
 +static int handle_mmio(CPUState *env)
 +{
 +    unsigned long addr = env->kvm_run->mmio.phys_addr;
 +    struct kvm_run *kvm_run = env->kvm_run;
 +    void *data = kvm_run->mmio.data;
 +
 +    /* hack: Red Hat 7.1 generates these weird accesses. */
 +    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3) {
 +        return 0;
 +    }
 +
 +    cpu_physical_memory_rw(addr, data, kvm_run->mmio.len, kvm_run->mmio.is_write);
 +    return 0;
 +}
 +
 +int handle_io_window(kvm_context_t kvm)
 +{
 +    return 1;
 +}
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env)
 +{
 +    /* stop the current vcpu from going back to guest mode */
 +    env->stopped = 1;
 +
 +    qemu_system_reset_request();
 +    return 1;
 +}
 +
 +static inline void push_nmi(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    kvm_arch_push_nmi(kvm->opaque);
 +#endif                          /* KVM_CAP_USER_NMI */
 +}
 +
 +void post_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    kvm_arch_post_run(env, env->kvm_run);
 +    cpu_single_env = env;
 +}
 +
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    kvm_arch_pre_run(env, env->kvm_run);
 +
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +int kvm_is_ready_for_interrupt_injection(CPUState *env)
 +{
 +    return env->kvm_run->ready_for_interrupt_injection;
 +}
 +
 +int kvm_run(CPUState *env)
 +{
 +    int r;
 +    kvm_context_t kvm = &env->kvm_state->kvm_context;
 +    struct kvm_run *run = env->kvm_run;
 +    int fd = env->kvm_fd;
 +
 +  again:
 +    if (env->kvm_vcpu_dirty) {
 +        kvm_arch_load_regs(env, KVM_PUT_RUNTIME_STATE);
 +        env->kvm_vcpu_dirty = 0;
 +    }
 +    push_nmi(kvm);
 +#if !defined(__s390__)
 +    if (!kvm->irqchip_in_kernel) {
 +        run->request_interrupt_window = kvm_arch_try_push_interrupts(env);
 +    }
 +#endif
 +
 +    r = pre_kvm_run(kvm, env);
 +    if (r) {
 +        return r;
 +    }
 +    if (env->exit_request) {
 +        env->exit_request = 0;
 +        pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    }
 +    r = ioctl(fd, KVM_RUN, 0);
 +
 +    if (r == -1 && errno != EINTR && errno != EAGAIN) {
 +        r = -errno;
 +        post_kvm_run(kvm, env);
 +        fprintf(stderr, "kvm_run: %s\n", strerror(-r));
 +        return r;
 +    }
 +
 +    post_kvm_run(kvm, env);
 +
 +    kvm_flush_coalesced_mmio_buffer();
 +
 +#if !defined(__s390__)
 +    if (r == -1) {
 +        r = handle_io_window(kvm);
 +        goto more;
 +    }
 +#endif
 +    if (1) {
 +        switch (run->exit_reason) {
 +        case KVM_EXIT_UNKNOWN:
 +            r = handle_unhandled(run->hw.hardware_exit_reason);
 +            break;
 +        case KVM_EXIT_FAIL_ENTRY:
 +            r = handle_failed_vmentry(run->fail_entry.hardware_entry_failure_reason);
 +            break;
 +        case KVM_EXIT_EXCEPTION:
 +            fprintf(stderr, "exception %d (%x)\n", run->ex.exception,
 +                    run->ex.error_code);
 +            kvm_show_regs(env);
 +            kvm_show_code(env);
 +            abort();
 +            break;
 +        case KVM_EXIT_IO:
 +            r = kvm_handle_io(run->io.port,
 +                                (uint8_t *)run + run->io.data_offset,
 +                                run->io.direction,
 +                                run->io.size,
 +                                run->io.count);
 +            r = 0;
 +            break;
 +        case KVM_EXIT_DEBUG:
 +            r = handle_debug(env);
 +            break;
 +        case KVM_EXIT_MMIO:
 +            r = handle_mmio(env);
 +            break;
 +        case KVM_EXIT_HLT:
 +            r = kvm_arch_halt(env);
 +            break;
 +        case KVM_EXIT_IRQ_WINDOW_OPEN:
 +            break;
 +        case KVM_EXIT_SHUTDOWN:
 +            r = handle_shutdown(kvm, env);
 +            break;
 +#if defined(__s390__)
 +        case KVM_EXIT_S390_SIEIC:
 +            r = kvm_s390_handle_intercept(kvm, env, run);
 +            break;
 +        case KVM_EXIT_S390_RESET:
 +            r = kvm_s390_handle_reset(kvm, env, run);
 +            break;
 +#endif
 +	case KVM_EXIT_INTERNAL_ERROR:
 +            kvm_handle_internal_error(env, run);
 +            r = 1;
 +	    break;
 +        default:
 +            if (kvm_arch_run(env)) {
 +                fprintf(stderr, "unhandled vm exit: 0x%x\n", run->exit_reason);
 +                kvm_show_regs(env);
 +                abort();
 +            }
 +            break;
 +        }
 +    }
 +more:
 +    if (!r) {
 +        goto again;
 +    }
 +    return r;
 +}
 +
 +int kvm_inject_irq(CPUState *env, unsigned irq)
 +{
 +    struct kvm_interrupt intr;
 +
 +    intr.irq = irq;
 +    return kvm_vcpu_ioctl(env, KVM_INTERRUPT, &intr);
 +}
 +
 +int kvm_inject_nmi(CPUState *env)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    return kvm_vcpu_ioctl(env, KVM_NMI);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_init_coalesced_mmio(kvm_context_t kvm)
 +{
 +    int r = 0;
 +    kvm_state->coalesced_mmio = 0;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_COALESCED_MMIO);
 +    if (r > 0) {
 +        kvm_state->coalesced_mmio = r;
 +        return 0;
 +    }
 +#endif
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +
 +static int kvm_old_assign_irq(kvm_context_t kvm,
 +                              struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_IRQ, assigned_irq);
 +}
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    int ret;
 +
 +    ret = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_ASSIGN_DEV_IRQ);
 +    if (ret > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_DEV_IRQ, assigned_irq);
 +    }
 +
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_DEV_IRQ, assigned_irq);
 +}
 +#else
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +#endif
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject)
 +{
 +#ifdef KVM_CAP_REINJECT_CONTROL
 +    int r;
 +    struct kvm_reinject_control control;
 +
 +    control.pit_reinject = pit_reinject;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_REINJECT_CONTROL);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_REINJECT_CONTROL, &control);
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +int kvm_has_gsi_routing(void)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    r = kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#endif
 +    return r;
 +}
 +
 +int kvm_get_gsi_count(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    return kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_clear_gsi_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->nr = 0;
 +    return 0;
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing *z;
 +    struct kvm_irq_routing_entry *new;
 +    int n, size;
 +
 +    if (kvm->irq_routes->nr == kvm->nr_allocated_irq_routes) {
 +        n = kvm->nr_allocated_irq_routes * 2;
 +        if (n < 64) {
 +            n = 64;
 +        }
 +        size = sizeof(struct kvm_irq_routing);
 +        size += n * sizeof(*new);
 +        z = realloc(kvm->irq_routes, size);
 +        if (!z) {
 +            return -ENOMEM;
 +        }
 +        kvm->nr_allocated_irq_routes = n;
 +        kvm->irq_routes = z;
 +    }
 +    n = kvm->irq_routes->nr++;
 +    new = &kvm->irq_routes->entries[n];
 +    memset(new, 0, sizeof(*new));
 +    new->gsi = entry->gsi;
 +    new->type = entry->type;
 +    new->flags = entry->flags;
 +    new->u = entry->u;
 +
 +    set_gsi(kvm, entry->gsi);
 +
 +    return 0;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_add_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_add_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e, *p;
 +    int i, gsi, found = 0;
 +
 +    gsi = entry->gsi;
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type == entry->type && e->gsi == gsi) {
 +            switch (e->type) {
 +            case KVM_IRQ_ROUTING_IRQCHIP:{
 +                    if (e->u.irqchip.irqchip ==
 +                        entry->u.irqchip.irqchip
 +                        && e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            case KVM_IRQ_ROUTING_MSI:{
 +                    if (e->u.msi.address_lo ==
 +                        entry->u.msi.address_lo
 +                        && e->u.msi.address_hi ==
 +                        entry->u.msi.address_hi
 +                        && e->u.msi.data == entry->u.msi.data) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            default:
 +                break;
 +            }
 +            if (found) {
 +                /* If there are no other users of this GSI
 +                 * mark it available in the bitmap */
 +                for (i = 0; i < kvm->irq_routes->nr; i++) {
 +                    e = &kvm->irq_routes->entries[i];
 +                    if (e->gsi == gsi)
 +                        break;
 +                }
 +                if (i == kvm->irq_routes->nr) {
 +                    clear_gsi(kvm, gsi);
 +                }
 +
 +                return 0;
 +            }
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e;
 +    int i;
 +
 +    if (entry->gsi != newentry->gsi || entry->type != newentry->type) {
 +        return -EINVAL;
 +    }
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type != entry->type || e->gsi != entry->gsi) {
 +            continue;
 +        }
 +        switch (e->type) {
 +        case KVM_IRQ_ROUTING_IRQCHIP:
 +            if (e->u.irqchip.irqchip == entry->u.irqchip.irqchip &&
 +                e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                memcpy(&e->u.irqchip, &newentry->u.irqchip,
 +                       sizeof e->u.irqchip);
 +                return 0;
 +            }
 +            break;
 +        case KVM_IRQ_ROUTING_MSI:
 +            if (e->u.msi.address_lo == entry->u.msi.address_lo &&
 +                e->u.msi.address_hi == entry->u.msi.address_hi &&
 +                e->u.msi.data == entry->u.msi.data) {
 +                memcpy(&e->u.msi, &newentry->u.msi, sizeof e->u.msi);
 +                return 0;
 +            }
 +            break;
 +        default:
 +            break;
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_del_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_commit_irq_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->flags = 0;
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_GSI_ROUTING, kvm->irq_routes);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_get_irq_route_gsi(void)
 +{
 +    kvm_context_t kvm = kvm_context;
 +    int i, bit;
 +    uint32_t *buf = kvm->used_gsi_bitmap;
 +
 +    /* Return the lowest unused GSI in the bitmap */
 +    for (i = 0; i < kvm->max_gsi / 32; i++) {
 +        bit = ffs(~buf[i]);
 +        if (!bit) {
 +            continue;
 +        }
 +
 +        return bit - 1 + i * 32;
 +    }
 +
 +    return -ENOSPC;
 +}
 +
 +static void kvm_msix_routing_entry(struct kvm_irq_routing_entry *e,
 +                                   uint32_t gsi, uint32_t addr_lo,
 +                                   uint32_t addr_hi, uint32_t data)
 +
 +{
 +    e->gsi = gsi;
 +    e->type = KVM_IRQ_ROUTING_MSI;
 +    e->flags = 0;
 +    e->u.msi.address_lo = addr_lo;
 +    e->u.msi.address_hi = addr_hi;
 +    e->u.msi.data = data;
 +}
 +
 +int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_add_routing_entry(&e);
 +}
 +
 +int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_del_routing_entry(&e);
 +}
 +
 +int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
 +                    uint32_t old_addr_hi, uint32_t old_data,
 +                    uint32_t new_gsi, uint32_t new_addr_lo,
 +                    uint32_t new_addr_hi, uint32_t new_data)
 +{
 +    struct kvm_irq_routing_entry e1, e2;
 +
 +    kvm_msix_routing_entry(&e1, old_gsi, old_addr_lo, old_addr_hi, old_data);
 +    kvm_msix_routing_entry(&e2, new_gsi, new_addr_lo, new_addr_hi, new_data);
 +    return kvm_update_routing_entry(&e1, &e2);
 +}
 +
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_NR, msix_nr);
 +}
 +
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_ENTRY, entry);
 +}
 +#endif
 +
 +#if defined(KVM_CAP_IRQFD) && defined(CONFIG_EVENTFD)
 +
 +#include <sys/eventfd.h>
 +
 +static int _kvm_irqfd(kvm_context_t kvm, int fd, int gsi, int flags)
 +{
 +    struct kvm_irqfd data = {
 +        .fd = fd,
 +        .gsi = gsi,
 +        .flags = flags,
 +    };
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_IRQFD, &data);
 +}
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    int r;
 +    int fd;
 +
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_IRQFD))
 +        return -ENOENT;
 +
 +    fd = eventfd(0, 0);
 +    if (fd < 0) {
 +        return -errno;
 +    }
 +
 +    r = _kvm_irqfd(kvm, fd, gsi, 0);
 +    if (r < 0) {
 +        close(fd);
 +        return -errno;
 +    }
 +
 +    return fd;
 +}
 +
 +#else                           /* KVM_CAP_IRQFD */
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    return -ENOSYS;
 +}
 +
 +#endif                          /* KVM_CAP_IRQFD */
 +unsigned long kvm_get_thread_id(void)
 +{
 +    return syscall(SYS_gettid);
 +}
 +
 +static void qemu_cond_wait(pthread_cond_t *cond)
 +{
 +    CPUState *env = cpu_single_env;
 +
 +    pthread_cond_wait(cond, &qemu_mutex);
 +    cpu_single_env = env;
 +}
 +
 +static void sig_ipi_handler(int n)
 +{
 +}
 +
- static void hardware_memory_error(void)
- {
-     fprintf(stderr, "Hardware memory error!\n");
-     exit(1);
- }
- 
 +static void sigbus_reraise(void)
 +{
 +    sigset_t set;
 +    struct sigaction action;
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_handler = SIG_DFL;
 +    if (!sigaction(SIGBUS, &action, NULL)) {
 +        raise(SIGBUS);
 +        sigemptyset(&set);
 +        sigaddset(&set, SIGBUS);
 +        sigprocmask(SIG_UNBLOCK, &set, NULL);
 +    }
 +    perror("Failed to re-raise SIGBUS!\n");
 +    abort();
 +}
 +
 +static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
 +                           void *ctx)
 +{
- #if defined(KVM_CAP_MCE) && defined(TARGET_I386)
-     if ((first_cpu->mcg_cap & MCG_SER_P) && siginfo->ssi_addr
-         && siginfo->ssi_code == BUS_MCEERR_AO) {
-         uint64_t status;
-         void *vaddr;
-         ram_addr_t ram_addr;
-         unsigned long paddr;
-         //CPUState *cenv;
- 
-         /* Hope we are lucky for AO MCE */
-         vaddr = (void *)(intptr_t)siginfo->ssi_addr;
-         if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
-             !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
-             fprintf(stderr, "Hardware memory error for memory used by "
-                     "QEMU itself instead of guest system!: %llx\n",
-                     (unsigned long long)siginfo->ssi_addr);
-             return;
-         }
-         status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-             | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-             | 0xc0;
- #if 0
-         kvm_inject_x86_mce(first_cpu, 9, status,
-                            MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
-                            (MCM_ADDR_PHYS << 6) | 0xc, 1);
-         for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
-             kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
-                                MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
-         }
- #endif
-     } else
- #endif
-     {
-         if (siginfo->ssi_code == BUS_MCEERR_AO) {
-             return;
-         } else if (siginfo->ssi_code == BUS_MCEERR_AR) {
-             hardware_memory_error();
-         } else {
-             sigbus_reraise();
-         }
-     }
++    if (kvm_on_sigbus(siginfo->ssi_code, (void *)(intptr_t)siginfo->ssi_addr))
++        sigbus_reraise();
 +}
 +
- static void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
++void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
 +{
 +    struct qemu_work_item wi;
 +
 +    if (env == current_env) {
 +        func(data);
 +        return;
 +    }
 +
 +    wi.func = func;
 +    wi.data = data;
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        env->kvm_cpu_state.queued_work_first = &wi;
 +    } else {
 +        env->kvm_cpu_state.queued_work_last->next = &wi;
 +    }
 +    env->kvm_cpu_state.queued_work_last = &wi;
 +    wi.next = NULL;
 +    wi.done = false;
 +
 +    pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    while (!wi.done) {
 +        qemu_cond_wait(&qemu_work_cond);
 +    }
 +}
 +
 +static void do_kvm_cpu_synchronize_state(void *_env)
 +{
 +    CPUState *env = _env;
 +
 +    if (!env->kvm_vcpu_dirty) {
 +        kvm_arch_save_regs(env);
 +        env->kvm_vcpu_dirty = 1;
 +    }
 +}
 +
 +void kvm_cpu_synchronize_state(CPUState *env)
 +{
 +    if (!env->kvm_vcpu_dirty) {
 +        on_vcpu(env, do_kvm_cpu_synchronize_state, env);
 +    }
 +}
 +
 +void kvm_cpu_synchronize_post_reset(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_RESET_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +void kvm_cpu_synchronize_post_init(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_FULL_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +static void inject_interrupt(void *data)
 +{
 +    cpu_interrupt(current_env, (long) data);
 +}
 +
 +void kvm_inject_interrupt(CPUState *env, int mask)
 +{
 +    on_vcpu(env, inject_interrupt, (void *) (long) mask);
 +}
 +
 +void kvm_update_interrupt_request(CPUState *env)
 +{
 +    int signal = 0;
 +
 +    if (env) {
 +        if (!current_env || !current_env->created) {
 +            signal = 1;
 +        }
 +        /*
 +         * Testing for created here is really redundant
 +         */
 +        if (current_env && current_env->created &&
 +            env != current_env && !env->kvm_cpu_state.signalled) {
 +            signal = 1;
 +        }
 +
 +        if (signal) {
 +            env->kvm_cpu_state.signalled = 1;
 +            if (env->kvm_cpu_state.thread) {
 +                pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +            }
 +        }
 +    }
 +}
 +
 +int kvm_cpu_exec(CPUState *env)
 +{
 +    int r;
 +
 +    r = kvm_run(env);
 +    if (r < 0) {
 +        printf("kvm_run returned %d\n", r);
 +        vm_stop(0);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_cpu_is_stopped(CPUState *env)
 +{
 +    return !vm_running || env->stopped;
 +}
 +
 +static void flush_queued_work(CPUState *env)
 +{
 +    struct qemu_work_item *wi;
 +
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        return;
 +    }
 +
 +    while ((wi = env->kvm_cpu_state.queued_work_first)) {
 +        env->kvm_cpu_state.queued_work_first = wi->next;
 +        wi->func(wi->data);
 +        wi->done = true;
 +    }
 +    env->kvm_cpu_state.queued_work_last = NULL;
 +    pthread_cond_broadcast(&qemu_work_cond);
 +}
 +
- static int kvm_mce_in_exception(CPUState *env)
- {
-     struct kvm_msr_entry msr_mcg_status = {
-         .index = MSR_MCG_STATUS,
-     };
-     int r;
- 
-     r = kvm_get_msrs(env, &msr_mcg_status, 1);
-     if (r == -1 || r == 0) {
-         return -1;
-     }
-     return !!(msr_mcg_status.data & MCG_STATUS_MCIP);
- }
- 
- static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
- {
- #if defined(KVM_CAP_MCE) && defined(TARGET_I386)
-     struct kvm_x86_mce mce = {
-             .bank = 9,
-     };
-     void *vaddr;
-     ram_addr_t ram_addr;
-     unsigned long paddr;
-     int r;
- 
-     if ((env->mcg_cap & MCG_SER_P) && siginfo->si_addr
-         && (siginfo->si_code == BUS_MCEERR_AR
-             || siginfo->si_code == BUS_MCEERR_AO)) {
-         if (siginfo->si_code == BUS_MCEERR_AR) {
-             /* Fake an Intel architectural Data Load SRAR UCR */
-             mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-                 | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-                 | MCI_STATUS_AR | 0x134;
-             mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
-             mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV;
-         } else {
-             /*
-              * If there is an MCE excpetion being processed, ignore
-              * this SRAO MCE
-              */
-             r = kvm_mce_in_exception(env);
-             if (r == -1) {
-                 fprintf(stderr, "Failed to get MCE status\n");
-             } else if (r) {
-                 return;
-             }
-             /* Fake an Intel architectural Memory scrubbing UCR */
-             mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
-                 | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
-                 | 0xc0;
-             mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
-             mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
-         }
-         vaddr = (void *)siginfo->si_addr;
-         if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
-             !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
-             fprintf(stderr, "Hardware memory error for memory used by "
-                     "QEMU itself instead of guest system!\n");
-             /* Hope we are lucky for AO MCE */
-             if (siginfo->si_code == BUS_MCEERR_AO) {
-                 return;
-             } else {
-                 hardware_memory_error();
-             }
-         }
-         mce.addr = paddr;
- //      r = kvm_set_mce(env, &mce);
- 	r = 0;
-         if (r < 0) {
-             fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
-             abort();
-         }
-     } else
- #endif
-     {
-         if (siginfo->si_code == BUS_MCEERR_AO) {
-             return;
-         } else if (siginfo->si_code == BUS_MCEERR_AR) {
-             hardware_memory_error();
-         } else {
-             sigbus_reraise();
-         }
-     }
- }
- 
 +static void kvm_main_loop_wait(CPUState *env, int timeout)
 +{
 +    struct timespec ts;
 +    int r, e;
 +    siginfo_t siginfo;
 +    sigset_t waitset;
 +    sigset_t chkset;
 +
 +    ts.tv_sec = timeout / 1000;
 +    ts.tv_nsec = (timeout % 1000) * 1000000;
 +    sigemptyset(&waitset);
 +    sigaddset(&waitset, SIG_IPI);
 +    sigaddset(&waitset, SIGBUS);
 +
 +    do {
 +        pthread_mutex_unlock(&qemu_mutex);
 +
 +        r = sigtimedwait(&waitset, &siginfo, &ts);
 +        e = errno;
 +
 +        pthread_mutex_lock(&qemu_mutex);
 +
 +        if (r == -1 && !(e == EAGAIN || e == EINTR)) {
 +            printf("sigtimedwait: %s\n", strerror(e));
 +            exit(1);
 +        }
 +
 +        switch (r) {
 +        case SIGBUS:
-             kvm_on_sigbus(env, &siginfo);
++            if (kvm_on_sigbus_vcpu(env, siginfo.si_code, siginfo.si_addr))
++                sigbus_reraise();
 +            break;
 +        default:
 +            break;
 +        }
 +
 +        r = sigpending(&chkset);
 +        if (r == -1) {
 +            printf("sigpending: %s\n", strerror(e));
 +            exit(1);
 +        }
 +    } while (sigismember(&chkset, SIG_IPI) || sigismember(&chkset, SIGBUS));
 +
 +    cpu_single_env = env;
 +    flush_queued_work(env);
 +
 +    if (env->stop) {
 +        env->stop = 0;
 +        env->stopped = 1;
 +        pthread_cond_signal(&qemu_pause_cond);
 +    }
 +
 +    env->kvm_cpu_state.signalled = 0;
 +}
 +
 +static int all_threads_paused(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv->stop) {
 +            return 0;
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    return 1;
 +}
 +
 +static void pause_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv != cpu_single_env) {
 +            penv->stop = 1;
 +            pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        } else {
 +            penv->stop = 0;
 +            penv->stopped = 1;
 +            cpu_exit(penv);
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    while (!all_threads_paused()) {
 +        qemu_cond_wait(&qemu_pause_cond);
 +    }
 +}
 +
 +static void resume_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    assert(!cpu_single_env);
 +
 +    while (penv) {
 +        penv->stop = 0;
 +        penv->stopped = 0;
 +        pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +}
 +
 +static void kvm_vm_state_change_handler(void *context, int running, int reason)
 +{
 +    if (running) {
 +        resume_all_threads();
 +    } else {
 +        pause_all_threads();
 +    }
 +}
 +
 +static void setup_kernel_sigmask(CPUState *env)
 +{
 +    sigset_t set;
 +
 +    sigemptyset(&set);
 +    sigaddset(&set, SIGUSR2);
 +    sigaddset(&set, SIGIO);
 +    sigaddset(&set, SIGALRM);
 +    sigprocmask(SIG_BLOCK, &set, NULL);
 +
 +    sigprocmask(SIG_BLOCK, NULL, &set);
 +    sigdelset(&set, SIG_IPI);
 +    sigdelset(&set, SIGBUS);
 +
 +    kvm_set_signal_mask(env, &set);
 +}
 +
 +static void qemu_kvm_system_reset(void)
 +{
 +    pause_all_threads();
 +
 +    qemu_system_reset();
 +
 +    resume_all_threads();
 +}
 +
 +static void process_irqchip_events(CPUState *env)
 +{
 +    kvm_arch_process_irqchip_events(env);
 +    if (kvm_arch_has_work(env))
 +        env->halted = 0;
 +}
 +
 +static int kvm_main_loop_cpu(CPUState *env)
 +{
 +    while (1) {
 +        int run_cpu = !kvm_cpu_is_stopped(env);
 +        if (run_cpu && !kvm_irqchip_in_kernel()) {
 +            process_irqchip_events(env);
 +            run_cpu = !env->halted;
 +        }
 +        if (run_cpu) {
 +            kvm_cpu_exec(env);
 +            kvm_main_loop_wait(env, 0);
 +        } else {
 +            kvm_main_loop_wait(env, 1000);
 +        }
 +    }
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +static void *ap_main_loop(void *_env)
 +{
 +    CPUState *env = _env;
 +    sigset_t signals;
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    struct ioperm_data *data = NULL;
 +#endif
 +
 +    current_env = env;
 +    env->thread_id = kvm_get_thread_id();
 +    sigfillset(&signals);
 +    sigprocmask(SIG_BLOCK, &signals, NULL);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    /* do ioperm for io ports of assigned devices */
 +    QLIST_FOREACH(data, &ioperm_head, entries)
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +#endif
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = env;
 +
 +    kvm_create_vcpu(env, env->cpu_index);
 +    setup_kernel_sigmask(env);
 +
 +    /* signal VCPU creation */
 +    current_env->created = 1;
 +    pthread_cond_signal(&qemu_vcpu_cond);
 +
 +    /* and wait for machine initialization */
 +    while (!qemu_system_ready) {
 +        qemu_cond_wait(&qemu_system_cond);
 +    }
 +
 +    /* re-initialize cpu_single_env after re-acquiring qemu_mutex */
 +    cpu_single_env = env;
 +
 +    kvm_main_loop_cpu(env);
 +    return NULL;
 +}
 +
 +int kvm_init_vcpu(CPUState *env)
 +{
 +    pthread_create(&env->kvm_cpu_state.thread, NULL, ap_main_loop, env);
 +
 +    while (env->created == 0) {
 +        qemu_cond_wait(&qemu_vcpu_cond);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_vcpu_inited(CPUState *env)
 +{
 +    return env->created;
 +}
 +
 +#ifdef TARGET_I386
 +void kvm_hpet_disable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags |= KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +
 +void kvm_hpet_enable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags &= ~KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +#endif
 +
 +int kvm_init_ap(void)
 +{
 +    struct sigaction action;
 +
 +    qemu_add_vm_change_state_handler(kvm_vm_state_change_handler, NULL);
 +
 +    signal(SIG_IPI, sig_ipi_handler);
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_flags = SA_SIGINFO;
 +    action.sa_sigaction = (void (*)(int, siginfo_t*, void*))sigbus_handler;
 +    sigaction(SIGBUS, &action, NULL);
 +    prctl(PR_MCE_KILL, 1, 1, 0, 0);
 +    return 0;
 +}
 +
 +/* If we have signalfd, we mask out the signals we want to handle and then
 + * use signalfd to listen for them.  We rely on whatever the current signal
 + * handler is to dispatch the signals when we receive them.
 + */
 +
 +static void sigfd_handler(void *opaque)
 +{
 +    int fd = (unsigned long) opaque;
 +    struct qemu_signalfd_siginfo info;
 +    struct sigaction action;
 +    ssize_t len;
 +
 +    while (1) {
 +        do {
 +            len = read(fd, &info, sizeof(info));
 +        } while (len == -1 && errno == EINTR);
 +
 +        if (len == -1 && errno == EAGAIN) {
 +            break;
 +        }
 +
 +        if (len != sizeof(info)) {
 +            printf("read from sigfd returned %zd: %m\n", len);
 +            return;
 +        }
 +
 +        sigaction(info.ssi_signo, NULL, &action);
 +        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
 +            action.sa_sigaction(info.ssi_signo,
 +                                (siginfo_t *)&info, NULL);
 +        } else if (action.sa_handler) {
 +            action.sa_handler(info.ssi_signo);
 +        }
 +    }
 +}
 +
 +int kvm_main_loop(void)
 +{
 +    sigset_t mask;
 +    int sigfd;
 +
 +    io_thread = pthread_self();
 +    qemu_system_ready = 1;
 +
 +    sigemptyset(&mask);
 +    sigaddset(&mask, SIGIO);
 +    sigaddset(&mask, SIGALRM);
 +    sigaddset(&mask, SIGBUS);
 +    sigprocmask(SIG_BLOCK, &mask, NULL);
 +
 +    sigfd = qemu_signalfd(&mask);
 +    if (sigfd == -1) {
 +        fprintf(stderr, "failed to create signalfd\n");
 +        return -errno;
 +    }
 +
 +    fcntl(sigfd, F_SETFL, O_NONBLOCK);
 +
 +    qemu_set_fd_handler2(sigfd, NULL, sigfd_handler, NULL,
 +                         (void *)(unsigned long) sigfd);
 +
 +    pthread_cond_broadcast(&qemu_system_cond);
 +
 +    io_thread_sigfd = sigfd;
 +    cpu_single_env = NULL;
 +
 +    while (1) {
 +        main_loop_wait(0);
 +        if (qemu_shutdown_requested()) {
 +            monitor_protocol_event(QEVENT_SHUTDOWN, NULL);
 +            if (qemu_no_shutdown()) {
 +                vm_stop(0);
 +            } else {
 +                break;
 +            }
 +        } else if (qemu_powerdown_requested()) {
 +            monitor_protocol_event(QEVENT_POWERDOWN, NULL);
 +            qemu_irq_raise(qemu_system_powerdown);
 +        } else if (qemu_reset_requested()) {
 +            qemu_kvm_system_reset();
 +        } else if (kvm_debug_cpu_requested) {
 +            gdb_set_stop_cpu(kvm_debug_cpu_requested);
 +            vm_stop(EXCP_DEBUG);
 +            kvm_debug_cpu_requested = NULL;
 +        }
 +    }
 +
 +    pause_all_threads();
 +    pthread_mutex_unlock(&qemu_mutex);
 +
 +    return 0;
 +}
 +
 +#if !defined(TARGET_I386)
 +int kvm_arch_init_irq_routing(void)
 +{
 +    return 0;
 +}
 +#endif
 +
 +extern int no_hpet;
 +
 +static int kvm_create_context(void)
 +{
 +    static const char upgrade_note[] =
 +    "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
 +    "(see http://sourceforge.net/projects/kvm).\n";
 +
 +    int r;
 +
 +    if (!kvm_irqchip) {
 +        kvm_disable_irqchip_creation(kvm_context);
 +    }
 +    if (!kvm_pit) {
 +        kvm_disable_pit_creation(kvm_context);
 +    }
 +    if (kvm_create(kvm_context, 0, NULL) < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    r = kvm_arch_qemu_create_context();
 +    if (r < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    if (kvm_pit && !kvm_pit_reinject) {
 +        if (kvm_reinject_control(kvm_context, 0)) {
 +            fprintf(stderr, "failure to disable in-kernel PIT reinjection\n");
 +            return -1;
 +        }
 +    }
 +
 +    /* There was a nasty bug in < kvm-80 that prevents memory slots from being
 +     * destroyed properly.  Since we rely on this capability, refuse to work
 +     * with any kernel without this capability. */
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_DESTROY_MEMORY_REGION_WORKS)) {
 +        fprintf(stderr,
 +                "KVM kernel module broken (DESTROY_MEMORY_REGION).\n%s",
 +                upgrade_note);
 +        return -EINVAL;
 +    }
 +
 +    r = kvm_arch_init_irq_routing();
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_state->vcpu_events = 0;
 +#ifdef KVM_CAP_VCPU_EVENTS
 +    kvm_state->vcpu_events = kvm_check_extension(kvm_state, KVM_CAP_VCPU_EVENTS);
 +#endif
 +
 +    kvm_state->debugregs = 0;
 +#ifdef KVM_CAP_DEBUGREGS
 +    kvm_state->debugregs = kvm_check_extension(kvm_state, KVM_CAP_DEBUGREGS);
 +#endif
 +
 +    kvm_init_ap();
 +    if (kvm_irqchip) {
 +        if (!qemu_kvm_has_gsi_routing()) {
 +            irq0override = 0;
 +#ifdef TARGET_I386
 +            /* if kernel can't do irq routing, interrupt source
 +             * override 0->2 can not be set up as required by hpet,
 +             * so disable hpet.
 +             */
 +            no_hpet = 1;
 +        } else if (!qemu_kvm_has_pit_state2()) {
 +            no_hpet = 1;
 +        }
 +#else
 +        }
 +#endif
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq(int irq, int level, int *status)
 +{
 +    return kvm_set_irq_level(kvm_context, irq, level, status);
 +}
 +
 +#endif
 +
 +static void kvm_mutex_unlock(void)
 +{
 +    assert(!cpu_single_env);
 +    pthread_mutex_unlock(&qemu_mutex);
 +}
 +
 +static void kvm_mutex_lock(void)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = NULL;
 +}
 +
 +void qemu_mutex_unlock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_unlock();
 +    }
 +}
 +
 +void qemu_mutex_lock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_lock();
 +    }
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_add_ioperm_data(struct ioperm_data *data)
 +{
 +    QLIST_INSERT_HEAD(&ioperm_head, data, entries);
 +}
 +
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
 +{
 +    struct ioperm_data *data;
 +
 +    data = QLIST_FIRST(&ioperm_head);
 +    while (data) {
 +        struct ioperm_data *next = QLIST_NEXT(data, entries);
 +
 +        if (data->start_port == start_port && data->num == num) {
 +            QLIST_REMOVE(data, entries);
 +            qemu_free(data);
 +        }
 +
 +        data = next;
 +    }
 +}
 +
 +void kvm_ioperm(CPUState *env, void *data)
 +{
 +    if (kvm_enabled() && qemu_system_ready) {
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +    }
 +}
 +
 +#endif
 +
 +int kvm_set_boot_cpu_id(uint32_t id)
 +{
 +    return kvm_set_boot_vcpu_id(kvm_context, id);
 +}
 +
diff --cc qemu-kvm.h
index 5600ca5,0000000..d55bc36
mode 100644,000000..100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@@ -1,890 -1,0 +1,891 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#ifndef THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +#define THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +
 +#include "cpu.h"
 +
 +#include <signal.h>
 +#include <stdlib.h>
 +
 +#ifdef CONFIG_KVM
 +
 +#if defined(__s390__)
 +#include <asm/ptrace.h>
 +#endif
 +
 +#include <stdint.h>
 +
 +#ifndef __user
 +#define __user       /* temporary, until installed via make headers_install */
 +#endif
 +
 +#include <linux/kvm.h>
 +
 +#include <signal.h>
 +
 +/* FIXME: share this number with kvm */
 +/* FIXME: or dynamically alloc/realloc regions */
 +#ifdef __s390__
 +#define KVM_MAX_NUM_MEM_REGIONS 1u
 +#define MAX_VCPUS 64
 +#define LIBKVM_S390_ORIGIN (0UL)
 +#elif defined(__ia64__)
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 256
 +#else
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 16
 +#endif
 +
 +/* kvm abi verison variable */
 +extern int kvm_abi;
 +
 +/**
 + * \brief The KVM context
 + *
 + * The verbose KVM context
 + */
 +
 +struct kvm_context {
 +    void *opaque;
 +    /// is dirty pages logging enabled for all regions or not
 +    int dirty_pages_log_all;
 +    /// do not create in-kernel irqchip if set
 +    int no_irqchip_creation;
 +    /// in-kernel irqchip status
 +    int irqchip_in_kernel;
 +    /// ioctl to use to inject interrupts
 +    int irqchip_inject_ioctl;
 +    /// do not create in-kernel pit if set
 +    int no_pit_creation;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing *irq_routes;
 +    int nr_allocated_irq_routes;
 +#endif
 +    void *used_gsi_bitmap;
 +    int max_gsi;
 +};
 +
 +typedef struct kvm_context *kvm_context_t;
 +
 +#include "kvm.h"
 +int kvm_alloc_kernel_memory(kvm_context_t kvm, unsigned long memory,
 +                            void **vm_mem);
 +int kvm_alloc_userspace_memory(kvm_context_t kvm, unsigned long memory,
 +                               void **vm_mem);
 +
 +int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +                    void **vm_mem);
 +
 +int kvm_arch_run(CPUState *env);
 +
 +
 +void kvm_show_code(CPUState *env);
 +
 +int handle_halt(CPUState *env);
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env);
 +void post_kvm_run(kvm_context_t kvm, CPUState *env);
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env);
 +int handle_io_window(kvm_context_t kvm);
 +int try_push_interrupts(kvm_context_t kvm);
 +
 +#if defined(__x86_64__) || defined(__i386__)
 +int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n);
 +int kvm_set_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n);
 +struct kvm_x86_mce;
 +#endif
 +
 +/*!
 + * \brief Disable the in-kernel IRQCHIP creation
 + *
 + * In-kernel irqchip is enabled by default. If userspace irqchip is to be used,
 + * this should be called prior to kvm_create().
 + *
 + * \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_irqchip_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable the in-kernel PIT creation
 + *
 + * In-kernel pit is enabled by default. If userspace pit is to be used,
 + * this should be called prior to kvm_create().
 + *
 + *  \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_pit_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Create new virtual machine
 + *
 + * This creates a new virtual machine, maps physical RAM to it, and creates a
 + * virtual CPU for it.\n
 + * \n
 + * Memory gets mapped for addresses 0->0xA0000, 0xC0000->phys_mem_bytes
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_mem_bytes The amount of physical ram you want the VM to have
 + * \param phys_mem This pointer will be set to point to the memory that
 + * kvm_create allocates for physical RAM
 + * \return 0 on success
 + */
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +               void **phys_mem);
 +int kvm_create_vm(kvm_context_t kvm);
 +void kvm_create_irqchip(kvm_context_t kvm);
 +
 +/*!
 + * \brief Start the VCPU
 + *
 + * This starts the VCPU and virtualization is started.\n
 + * \n
 + * This function will not return until any of these conditions are met:
 + * - An IO/MMIO handler does not return "0"
 + * - An exception that neither the guest OS, nor KVM can handle occurs
 + *
 + * \note This function will call the callbacks registered in kvm_init()
 + * to emulate those functions
 + * \note If you at any point want to interrupt the VCPU, kvm_run() will
 + * listen to the EINTR signal. This allows you to simulate external interrupts
 + * and asyncronous IO.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be started
 + * \return 0 on success, but you really shouldn't expect this function to
 + * return except for when an error has occured, or when you have sent it
 + * an EINTR signal.
 + */
 +int kvm_run(CPUState *env);
 +
 +/*!
 + * \brief Check if a vcpu is ready for interrupt injection
 + *
 + * This checks if vcpu interrupts are not masked by mov ss or sti.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return boolean indicating interrupt injection readiness
 + */
 +int kvm_is_ready_for_interrupt_injection(CPUState *env);
 +
 +/*!
 + * \brief Read VCPU registers
 + *
 + * This gets the GP registers from the VCPU and outputs them
 + * into a kvm_regs structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPUs GP registers, you should call kvm_set_regs()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs);
 +
 +/*!
 + * \brief Write VCPU registers
 + *
 + * This sets the GP registers on the VCPU from a kvm_regs structure
 + *
 + * \note When this function returns, the regs pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs);
 +/*!
 + * \brief Read VCPU fpu registers
 + *
 + * This gets the FPU registers from the VCPU and outputs them
 + * into a kvm_fpu structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPU FPU registers, you should call kvm_set_fpu()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param fpu Pointer to a kvm_fpu which will be populated with the VCPUs
 + * fpu registers values
 + * \return 0 on success
 + */
 +int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu);
 +
 +/*!
 + * \brief Write VCPU fpu registers
 + *
 + * This sets the FPU registers on the VCPU from a kvm_fpu structure
 + *
 + * \note When this function returns, the fpu pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param fpu Pointer to a kvm_fpu which holds the new vcpu fpu state
 + * \return 0 on success
 + */
 +int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu);
 +
 +/*!
 + * \brief Read VCPU system registers
 + *
 + * This gets the non-GP registers from the VCPU and outputs them
 + * into a kvm_sregs structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPUs non-GP registers, you should call
 + * kvm_set_sregs()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_sregs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_get_sregs(CPUState *env, struct kvm_sregs *regs);
 +
 +/*!
 + * \brief Write VCPU system registers
 + *
 + * This sets the non-GP registers on the VCPU from a kvm_sregs structure
 + *
 + * \note When this function returns, the regs pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_sregs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_set_sregs(CPUState *env, struct kvm_sregs *regs);
 +
 +#ifdef KVM_CAP_MP_STATE
 +/*!
 + *  * \brief Read VCPU MP state
 + *
 + */
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +
 +/*!
 + *  * \brief Write VCPU MP state
 + *
 + */
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +#endif
 +
 +#ifdef KVM_CAP_XSAVE
 +/*!
 + *  * \brief Read VCPU xsave state
 + *
 + */
 +int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave);
 +
 +/*!
 + *  * \brief Write VCPU xsave state
 + *
 + */
 +int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave);
 +#endif
 +
 +#ifdef KVM_CAP_XCRS
 +/*!
 + *  * \brief Read VCPU XCRs
 + *
 + */
 +int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs);
 +
 +/*!
 + *  * \brief Write VCPU XCRs
 + *
 + */
 +int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs);
 +#endif
 +
 +/*!
 + * \brief Simulate an external vectored interrupt
 + *
 + * This allows you to simulate an external vectored interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param irq Vector number
 + * \return 0 on success
 + */
 +int kvm_inject_irq(CPUState *env, unsigned irq);
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Setup a vcpu's cpuid instruction emulation
 + *
 + * Set up a table of cpuid function to cpuid outputs.\n
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be initialized
 + * \param nent number of entries to be installed
 + * \param entries cpuid function entries table
 + * \return 0 on success, or -errno on error
 + */
 +int kvm_setup_cpuid(CPUState *env, int nent,
 +                    struct kvm_cpuid_entry *entries);
 +
 +/*!
 + * \brief Setup a vcpu's cpuid instruction emulation
 + *
 + * Set up a table of cpuid function to cpuid outputs.
 + * This call replaces the older kvm_setup_cpuid interface by adding a few
 + * parameters to support cpuid functions that have sub-leaf values.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be initialized
 + * \param nent number of entries to be installed
 + * \param entries cpuid function entries table
 + * \return 0 on success, or -errno on error
 + */
 +int kvm_setup_cpuid2(CPUState *env, int nent,
 +                     struct kvm_cpuid_entry2 *entries);
 +
 +/*!
 + * \brief Setting the number of shadow pages to be allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages);
 +
 +/*!
 + * \brief Getting the number of shadow pages that are allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages);
 +
 +#endif
 +
 +/*!
 + * \brief Dump VCPU registers
 + *
 + * This dumps some of the information that KVM has about a virtual CPU, namely:
 + * - GP Registers
 + *
 + * A much more verbose version of this is available as kvm_dump_vcpu()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +void kvm_show_regs(CPUState *env);
 +
 +
 +void *kvm_create_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len, int log, int writable);
 +void kvm_destroy_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len);
 +
 +int kvm_is_containing_region(kvm_context_t kvm, unsigned long phys_start,
 +                             unsigned long size);
 +int kvm_register_phys_mem(kvm_context_t kvm, unsigned long phys_start,
 +                          void *userspace_addr, unsigned long len, int log);
 +int kvm_get_dirty_pages_range(kvm_context_t kvm, unsigned long phys_addr,
 +                              unsigned long end_addr, void *opaque,
 +                              int (*cb)(unsigned long start,
 +                                        unsigned long len, void *bitmap,
 +                                        void *opaque));
 +int kvm_register_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                uint32_t size);
 +int kvm_unregister_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                  uint32_t size);
 +
 +/*!
 + * \brief Get a bitmap of guest ram pages which are allocated to the guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_addr Memory slot phys addr
 + * \param bitmap Long aligned address of a big enough bitmap (one bit per page)
 + */
 +int kvm_get_mem_map(kvm_context_t kvm, unsigned long phys_addr, void *bitmap);
 +int kvm_get_mem_map_range(kvm_context_t kvm, unsigned long phys_addr,
 +                          unsigned long len, void *buf, void *opaque,
 +                          int (*cb)(unsigned long start,
 +                                    unsigned long len, void *bitmap,
 +                                    void *opaque));
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status);
 +
 +int kvm_dirty_pages_log_enable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                    uint64_t len);
 +int kvm_dirty_pages_log_disable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                     uint64_t len);
 +/*!
 + * \brief Enable dirty-pages-logging for all memory regions
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_enable_all(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable dirty-page-logging for some memory regions
 + *
 + * Disable dirty-pages-logging for those memory regions that were
 + * created with dirty-page-logging disabled.
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_reset(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_IRQCHIP
 +/*!
 + * \brief Dump in kernel IRQCHIP contents
 + *
 + * Dump one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC into a kvm_irqchip structure
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip The irq chip device to be dumped
 + */
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +/*!
 + * \brief Set in kernel IRQCHIP contents
 + *
 + * Write one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip THe irq chip device to be written
 + */
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel local APIC for vcpu
 + *
 + * Save the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +/*!
 + * \brief Set in kernel local APIC for vcpu
 + *
 + * Restore the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +#endif
 +
 +/*!
 + * \brief Simulate an NMI
 + *
 + * This allows you to simulate a non-maskable interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +int kvm_inject_nmi(CPUState *env);
 +
 +#endif
 +
 +/*!
 + * \brief Initialize coalesced MMIO
 + *
 + * Check for coalesced MMIO capability and store in context
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_init_coalesced_mmio(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_PIT
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel PIT of the virtual domain
 + *
 + * Save the PIT state.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +/*!
 + * \brief Set in kernel PIT of the virtual domain
 + *
 + * Restore the PIT state.
 + * Timer would be retriggerred after restored.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject);
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +/*!
 + * \brief Check for kvm support of kvm_pit_state2
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \return 0 on success
 + */
 +int kvm_has_pit_state2(kvm_context_t kvm);
 +
 +/*!
 + * \brief Set in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +/*!
 + * \brief Get in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +#endif
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_VAPIC
 +
 +int kvm_enable_vapic(CPUState *env, uint64_t vapic);
 +
 +#endif
 +
 +#if defined(__s390__)
 +int kvm_s390_initial_reset(kvm_context_t kvm, int slot);
 +int kvm_s390_interrupt(kvm_context_t kvm, int slot,
 +                       struct kvm_s390_interrupt *kvmint);
 +int kvm_s390_set_initial_psw(kvm_context_t kvm, int slot, psw_t psw);
 +int kvm_s390_store_status(kvm_context_t kvm, int slot, unsigned long addr);
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be assigned to a guest
 + *
 + * Used for PCI device assignment, this function notifies the host
 + * kernel about the assigning of the physical PCI device to a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev);
 +
 +/*!
 + * \brief Assign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function assigns IRQ numbers for
 + * an physical device and guest IRQ handling.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +/*!
 + * \brief Deassign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function deassigns IRQ numbers
 + * for an assigned device.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be deassigned from a guest
 + *
 + * Used for hot remove PCI device, this function notifies the host
 + * kernel about the deassigning of the physical PCI device from a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev);
 +#endif
 +
 +/*!
 + * \brief Determines the number of gsis that can be routed
 + *
 + * Returns the number of distinct gsis that can be routed by kvm.  This is
 + * also the number of distinct routes (if a gsi has two routes, than another
 + * gsi cannot be used...)
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_get_gsi_count(kvm_context_t kvm);
 +
 +/*!
 + * \brief Clears the temporary irq routing table
 + *
 + * Clears the temporary irq routing table.  Nothing is committed to the
 + * running VM.
 + *
 + */
 +int kvm_clear_gsi_routes(void);
 +
 +/*!
 + * \brief Adds an irq route to the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_irq_route(int gsi, int irqchip, int pin);
 +
 +/*!
 + * \brief Removes an irq route from the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_irq_route(int gsi, int irqchip, int pin);
 +
 +struct kvm_irq_routing_entry;
 +/*!
 + * \brief Adds a routing entry to the temporary irq routing table
 + *
 + * Adds a filled routing entry to the temporary irq routing table. Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Removes a routing from the temporary irq routing table
 + *
 + * Remove a routing to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Updates a routing in the temporary irq routing table
 + *
 + * Update a routing in the temporary irq routing table
 + * with a new value. entry type and GSI can not be changed.
 + * Nothing is committed to the running VM.
 + */
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry);
 +
 +
 +/*!
 + * \brief Create a file descriptor for injecting interrupts
 + *
 + * Creates an eventfd based file-descriptor that maps to a specific GSI
 + * in the guest.  eventfd compliant signaling (write() from userspace, or
 + * eventfd_signal() from kernelspace) will cause the GSI to inject
 + * itself into the guest at the next available window.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param gsi GSI to assign to this fd
 + * \param flags reserved, must be zero
 + */
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags);
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr);
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry);
 +#endif
 +
 +#else                           /* !CONFIG_KVM */
 +
 +typedef struct kvm_context *kvm_context_t;
 +typedef struct kvm_vcpu_context *kvm_vcpu_context_t;
 +
 +struct kvm_pit_state {
 +};
 +
 +#endif                          /* !CONFIG_KVM */
 +
 +
 +/*!
 + * \brief Create new KVM context
 + *
 + * This creates a new kvm_context. A KVM context is a small area of data that
 + * holds information about the KVM instance that gets created by this call.\n
 + * This should always be your first call to KVM.
 + *
 + * \param opaque Not used
 + * \return NULL on failure
 + */
 +int kvm_init(int smp_cpus);
 +
 +int kvm_main_loop(void);
 +int kvm_init_ap(void);
 +int kvm_vcpu_inited(CPUState *env);
 +void kvm_save_lapic(CPUState *env);
 +void kvm_load_lapic(CPUState *env);
 +
 +void kvm_hpet_enable_kpit(void);
 +void kvm_hpet_disable_kpit(void);
 +
 +int kvm_physical_memory_set_dirty_tracking(int enable);
 +
++void on_vcpu(CPUState *env, void (*func)(void *data), void *data);
 +void qemu_kvm_call_with_env(void (*func)(void *), void *data, CPUState *env);
 +void qemu_kvm_cpuid_on_env(CPUState *env);
 +void kvm_inject_interrupt(CPUState *env, int mask);
 +void kvm_update_after_sipi(CPUState *env);
 +void kvm_update_interrupt_request(CPUState *env);
 +#ifndef CONFIG_USER_ONLY
 +void *kvm_cpu_create_phys_mem(target_phys_addr_t start_addr, unsigned long size,
 +                              int log, int writable);
 +
 +void kvm_cpu_destroy_phys_mem(target_phys_addr_t start_addr,
 +                              unsigned long size);
 +void kvm_qemu_log_memory(target_phys_addr_t start, target_phys_addr_t size,
 +                         int log);
 +#endif
 +int kvm_qemu_create_memory_alias(uint64_t phys_start, uint64_t len,
 +                                 uint64_t target_phys);
 +int kvm_qemu_destroy_memory_alias(uint64_t phys_start);
 +
 +int kvm_arch_qemu_create_context(void);
 +
 +void kvm_arch_save_regs(CPUState *env);
 +void kvm_arch_load_regs(CPUState *env, int level);
 +int kvm_arch_has_work(CPUState *env);
 +void kvm_arch_process_irqchip_events(CPUState *env);
 +int kvm_arch_try_push_interrupts(void *opaque);
 +void kvm_arch_push_nmi(void *opaque);
 +void kvm_arch_cpu_reset(CPUState *env);
 +int kvm_set_boot_cpu_id(uint32_t id);
 +
 +void qemu_kvm_aio_wait_start(void);
 +void qemu_kvm_aio_wait(void);
 +void qemu_kvm_aio_wait_end(void);
 +
 +void kvm_tpr_access_report(CPUState *env, uint64_t rip, int is_write);
 +
 +int kvm_arch_init_irq_routing(void);
 +
 +int kvm_mmio_read(void *opaque, uint64_t addr, uint8_t * data, int len);
 +int kvm_mmio_write(void *opaque, uint64_t addr, uint8_t * data, int len);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +struct ioperm_data;
 +
 +void kvm_ioperm(CPUState *env, void *data);
 +void kvm_add_ioperm_data(struct ioperm_data *data);
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num);
 +void kvm_arch_do_ioperm(void *_data);
 +#endif
 +
 +#define ALIGN(x, y)  (((x)+(y)-1) & ~((y)-1))
 +#define BITMAP_SIZE(m) (ALIGN(((m)>>TARGET_PAGE_BITS), HOST_LONG_BITS) / 8)
 +
 +#ifdef CONFIG_KVM
 +#include "qemu-queue.h"
 +
 +extern int kvm_irqchip;
 +extern int kvm_pit;
 +extern int kvm_pit_reinject;
 +extern int kvm_nested;
 +extern kvm_context_t kvm_context;
 +
 +struct ioperm_data {
 +    unsigned long start_port;
 +    unsigned long num;
 +    int turn_on;
 +    QLIST_ENTRY(ioperm_data) entries;
 +};
 +
 +void qemu_kvm_cpu_stop(CPUState *env);
 +int kvm_arch_halt(CPUState *env);
 +int handle_tpr_access(void *opaque, CPUState *env, uint64_t rip,
 +                      int is_write);
 +
 +#define qemu_kvm_has_gsi_routing() kvm_has_gsi_routing()
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() kvm_has_pit_state2(kvm_context)
 +#endif
 +#else
 +#define kvm_nested 0
 +#define qemu_kvm_has_gsi_routing() (0)
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() (0)
 +#endif
 +#define qemu_kvm_cpu_stop(env) do {} while(0)
 +#endif
 +
 +#ifdef CONFIG_KVM
 +
 +typedef struct KVMSlot {
 +    target_phys_addr_t start_addr;
 +    ram_addr_t memory_size;
 +    ram_addr_t phys_offset;
 +    int slot;
 +    int flags;
 +} KVMSlot;
 +
 +typedef struct kvm_dirty_log KVMDirtyLog;
 +
 +struct KVMState {
 +    KVMSlot slots[32];
 +    int fd;
 +    int vmfd;
 +    int coalesced_mmio;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
 +#endif
 +    int broken_set_mem_region;
 +    int migration_log;
 +    int vcpu_events;
 +    int robust_singlestep;
 +    int debugregs;
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_HEAD(, kvm_sw_breakpoint) kvm_sw_breakpoints;
 +#endif
 +    int irqchip_in_kernel;
 +    int pit_in_kernel;
 +
 +    struct kvm_context kvm_context;
 +};
 +
 +extern struct KVMState *kvm_state;
 +
 +int kvm_tpr_enable_vapic(CPUState *env);
 +
 +unsigned long kvm_get_thread_id(void);
 +int kvm_cpu_is_stopped(CPUState *env);
 +
 +#endif
 +
 +#endif
diff --cc target-i386/kvm.c
index 9bc9193,0161f6d..211a9b2
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -225,7 -273,15 +273,15 @@@ void kvm_inject_x86_mce(CPUState *cenv
              .mce = &mce,
      };
  
-     run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
+     if (!cenv->mcg_cap) {
+         fprintf(stderr, "MCE support is not enabled!\n");
+         return;
+     }
+ 
 -    run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
++    on_vcpu(cenv, kvm_do_inject_x86_mce, &data);
+ #else
+     if (abort_on_error)
+         abort();
  #endif
  }
  
@@@ -1557,4 -1584,121 +1613,123 @@@ bool kvm_arch_stop_on_emulation_error(C
                ((env->segs[R_CS].selector  & 3) != 3);
  }
  
+ static void hardware_memory_error(void)
+ {
+     fprintf(stderr, "Hardware memory error!\n");
+     exit(1);
+ }
+ 
+ int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
+ {
+ #if defined(KVM_CAP_MCE)
+     struct kvm_x86_mce mce = {
+             .bank = 9,
+     };
+     void *vaddr;
+     ram_addr_t ram_addr;
+     target_phys_addr_t paddr;
+     int r;
+ 
+     if ((env->mcg_cap & MCG_SER_P) && addr
+         && (code == BUS_MCEERR_AR
+             || code == BUS_MCEERR_AO)) {
+         if (code == BUS_MCEERR_AR) {
+             /* Fake an Intel architectural Data Load SRAR UCR */
+             mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                 | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                 | MCI_STATUS_AR | 0x134;
+             mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
+             mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV;
+         } else {
+             /*
+              * If there is an MCE excpetion being processed, ignore
+              * this SRAO MCE
+              */
+             r = kvm_mce_in_exception(env);
+             if (r == -1) {
+                 fprintf(stderr, "Failed to get MCE status\n");
+             } else if (r) {
+                 return 0;
+             }
+             /* Fake an Intel architectural Memory scrubbing UCR */
+             mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                 | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                 | 0xc0;
+             mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
+             mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
+         }
+         vaddr = (void *)addr;
+         if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
+             !kvm_physical_memory_addr_from_ram(env->kvm_state, ram_addr, &paddr)) {
+             fprintf(stderr, "Hardware memory error for memory used by "
+                     "QEMU itself instead of guest system!\n");
+             /* Hope we are lucky for AO MCE */
+             if (code == BUS_MCEERR_AO) {
+                 return 0;
+             } else {
+                 hardware_memory_error();
+             }
+         }
+         mce.addr = paddr;
+         r = kvm_set_mce(env, &mce);
+         if (r < 0) {
+             fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
+             abort();
+         }
+     } else
+ #endif
+     {
+         if (code == BUS_MCEERR_AO) {
+             return 0;
+         } else if (code == BUS_MCEERR_AR) {
+             hardware_memory_error();
+         } else {
+             return 1;
+         }
+     }
+     return 0;
+ }
+ 
+ int kvm_on_sigbus(int code, void *addr)
+ {
+ #if defined(KVM_CAP_MCE)
+     if ((first_cpu->mcg_cap & MCG_SER_P) && addr && code == BUS_MCEERR_AO) {
+         uint64_t status;
+         void *vaddr;
+         ram_addr_t ram_addr;
+         target_phys_addr_t paddr;
+         CPUState *cenv;
+ 
+         /* Hope we are lucky for AO MCE */
+         vaddr = addr;
+         if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
+             !kvm_physical_memory_addr_from_ram(first_cpu->kvm_state, ram_addr, &paddr)) {
+             fprintf(stderr, "Hardware memory error for memory used by "
+                     "QEMU itself instead of guest system!: %p\n", addr);
+             return 0;
+         }
+         status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+             | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+             | 0xc0;
+         kvm_inject_x86_mce(first_cpu, 9, status,
+                            MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
+                            (MCM_ADDR_PHYS << 6) | 0xc, 1);
+         for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
+             kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
+                                MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
+         }
+     } else
+ #endif
+     {
+         if (code == BUS_MCEERR_AO) {
+             return 0;
+         } else if (code == BUS_MCEERR_AR) {
+             hardware_memory_error();
+         } else {
+             return 1;
+         }
+     }
+     return 0;
+ }
++
 +#include "qemu-kvm-x86.c"
commit 57c2f8b056a0879236f6e55500eb6569c9a5e7f4
Merge: fe83cfe... 983dfc3...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 21:21:46 2010 -0200

    Merge commit '983dfc3b135de0a4808a41a8ca71e1809ba6a62e' into upstream-merge
    
    * commit '983dfc3b135de0a4808a41a8ca71e1809ba6a62e':
      Add RAM -> physical addr mapping in MCE simulation
    
    Conflicts:
    	kvm.h
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc kvm.h
index 74dfa48,b2fb3af..85e85aa
--- a/kvm.h
+++ b/kvm.h
@@@ -182,8 -174,11 +182,10 @@@ static inline void cpu_synchronize_post
      }
  }
  
 -
+ #if !defined(CONFIG_USER_ONLY)
  int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
                                        target_phys_addr_t *phys_addr);
+ #endif
  
  #endif
  int kvm_set_ioeventfd_mmio_long(int fd, uint32_t adr, uint32_t val, bool assign);
commit fe83cfe7db41a889aa95651750da4d5d9723e853
Merge: 2509686... e890261...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 21:19:46 2010 -0200

    Merge commit 'e890261f671a0573efbc024972d8769423fc82fc' into upstream-merge
    
    * commit 'e890261f671a0573efbc024972d8769423fc82fc':
      Export qemu_ram_addr_from_host
    
    Conflicts:
    	cpu-common.h
    	exec.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc exec.c
index dabe8a2,631d8c5..69b8a27
--- a/exec.c
+++ b/exec.c
@@@ -3743,11 -3709,9 +3743,11 @@@ void *cpu_physical_memory_map(target_ph
  void cpu_physical_memory_unmap(void *buffer, target_phys_addr_t len,
                                 int is_write, target_phys_addr_t access_len)
  {
 +    unsigned long flush_len = (unsigned long)access_len;
 +
      if (buffer != bounce.buffer) {
          if (is_write) {
-             ram_addr_t addr1 = qemu_ram_addr_from_host(buffer);
+             ram_addr_t addr1 = qemu_ram_addr_from_host_nofail(buffer);
              while (access_len) {
                  unsigned l;
                  l = TARGET_PAGE_SIZE;
diff --cc qemu-kvm.c
index b14796d,0000000..bac5b86
mode 100644,000000..100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@@ -1,1944 -1,0 +1,1944 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <assert.h>
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "sysemu.h"
 +#include "qemu-common.h"
 +#include "console.h"
 +#include "block.h"
 +#include "compatfd.h"
 +#include "gdbstub.h"
 +#include "monitor.h"
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <sys/syscall.h>
 +#include <sys/mman.h>
 +#include <sys/ioctl.h>
 +#include "compatfd.h"
 +#include <sys/prctl.h>
 +
 +#define false 0
 +#define true 1
 +
 +#ifndef PR_MCE_KILL
 +#define PR_MCE_KILL 33
 +#endif
 +
 +#ifndef BUS_MCEERR_AR
 +#define BUS_MCEERR_AR 4
 +#endif
 +#ifndef BUS_MCEERR_AO
 +#define BUS_MCEERR_AO 5
 +#endif
 +
 +#define EXPECTED_KVM_API_VERSION 12
 +
 +#if EXPECTED_KVM_API_VERSION != KVM_API_VERSION
 +#error libkvm: userspace and kernel version mismatch
 +#endif
 +
 +int kvm_irqchip = 1;
 +int kvm_pit = 1;
 +int kvm_pit_reinject = 1;
 +int kvm_nested = 0;
 +
 +
 +KVMState *kvm_state;
 +kvm_context_t kvm_context;
 +
 +pthread_mutex_t qemu_mutex = PTHREAD_MUTEX_INITIALIZER;
 +pthread_cond_t qemu_vcpu_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_system_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_pause_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_work_cond = PTHREAD_COND_INITIALIZER;
 +__thread CPUState *current_env;
 +
 +static int qemu_system_ready;
 +
 +#define SIG_IPI (SIGRTMIN+4)
 +
 +pthread_t io_thread;
 +static int io_thread_sigfd = -1;
 +
 +static CPUState *kvm_debug_cpu_requested;
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +/* The list of ioperm_data */
 +static QLIST_HEAD(, ioperm_data) ioperm_head;
 +#endif
 +
 +#define ALIGN(x, y) (((x)+(y)-1) & ~((y)-1))
 +
 +int kvm_abi = EXPECTED_KVM_API_VERSION;
 +int kvm_page_size;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +static int kvm_debug(CPUState *env,
 +                     struct kvm_debug_exit_arch *arch_info)
 +{
 +    int handle = kvm_arch_debug(arch_info);
 +
 +    if (handle) {
 +        kvm_debug_cpu_requested = env;
 +        env->stopped = 1;
 +    }
 +    return handle;
 +}
 +#endif
 +
 +static int handle_unhandled(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: unhandled exit %" PRIx64 "\n", reason);
 +    return -EINVAL;
 +}
 +
 +#define VMX_INVALID_GUEST_STATE 0x80000021
 +
 +static int handle_failed_vmentry(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: vm entry failed with error 0x%" PRIx64 "\n\n", reason);
 +
 +    /* Perhaps we will need to check if this machine is intel since exit reason 0x21
 +       has a different interpretation on SVM */
 +    if (reason == VMX_INVALID_GUEST_STATE) {
 +        fprintf(stderr, "If you're runnning a guest on an Intel machine without\n");
 +        fprintf(stderr, "unrestricted mode support, the failure can be most likely\n");
 +        fprintf(stderr, "due to the guest entering an invalid state for Intel VT.\n");
 +        fprintf(stderr, "For example, the guest maybe running in big real mode\n");
 +        fprintf(stderr, "which is not supported on less recent Intel processors.\n\n");
 +    }
 +
 +    return -EINVAL;
 +}
 +
 +static inline void set_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] |= 1U << (gsi % 32);
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static inline void clear_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] &= ~(1U << (gsi % 32));
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static int kvm_create_context(void);
 +
 +int kvm_init(int smp_cpus)
 +{
 +    int fd;
 +    int r, gsi_count;
 +
 +
 +    fd = open("/dev/kvm", O_RDWR);
 +    if (fd == -1) {
 +        perror("open /dev/kvm");
 +        return -1;
 +    }
 +    r = ioctl(fd, KVM_GET_API_VERSION, 0);
 +    if (r == -1) {
 +        fprintf(stderr,
 +                "kvm kernel version too old: "
 +                "KVM_GET_API_VERSION ioctl not supported\n");
 +        goto out_close;
 +    }
 +    if (r < EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm kernel version too old: "
 +                "We expect API version %d or newer, but got "
 +                "version %d\n", EXPECTED_KVM_API_VERSION, r);
 +        goto out_close;
 +    }
 +    if (r > EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm userspace version too old\n");
 +        goto out_close;
 +    }
 +    kvm_abi = r;
 +    kvm_page_size = getpagesize();
 +    kvm_state = qemu_mallocz(sizeof(*kvm_state));
 +    kvm_context = &kvm_state->kvm_context;
 +
 +    kvm_state->fd = fd;
 +    kvm_state->vmfd = -1;
 +    kvm_context->opaque = cpu_single_env;
 +    kvm_context->dirty_pages_log_all = 0;
 +    kvm_context->no_irqchip_creation = 0;
 +    kvm_context->no_pit_creation = 0;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_INIT(&kvm_state->kvm_sw_breakpoints);
 +#endif
 +
 +    gsi_count = kvm_get_gsi_count(kvm_context);
 +    if (gsi_count > 0) {
 +        int gsi_bits, i;
 +
 +        /* Round up so we can search ints using ffs */
 +        gsi_bits = ALIGN(gsi_count, 32);
 +        kvm_context->used_gsi_bitmap = qemu_mallocz(gsi_bits / 8);
 +        kvm_context->max_gsi = gsi_bits;
 +
 +        /* Mark any over-allocated bits as already in use */
 +        for (i = gsi_count; i < gsi_bits; i++) {
 +            set_gsi(kvm_context, i);
 +        }
 +    }
 +
 +    kvm_cpu_register_phys_memory_client();
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    return kvm_create_context();
 +
 +  out_close:
 +    close(fd);
 +    return -1;
 +}
 +
 +static void kvm_finalize(KVMState *s)
 +{
 +    /* FIXME
 +       if (kvm->vcpu_fd[0] != -1)
 +           close(kvm->vcpu_fd[0]);
 +       if (kvm->vm_fd != -1)
 +           close(kvm->vm_fd);
 +     */
 +    close(s->fd);
 +    free(s);
 +}
 +
 +void kvm_disable_irqchip_creation(kvm_context_t kvm)
 +{
 +    kvm->no_irqchip_creation = 1;
 +}
 +
 +void kvm_disable_pit_creation(kvm_context_t kvm)
 +{
 +    kvm->no_pit_creation = 1;
 +}
 +
 +static void kvm_reset_vcpu(void *opaque)
 +{
 +    CPUState *env = opaque;
 +
 +    kvm_arch_cpu_reset(env);
 +}
 +
 +static void kvm_create_vcpu(CPUState *env, int id)
 +{
 +    long mmap_size;
 +    int r;
 +    KVMState *s = kvm_state;
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_CREATE_VCPU, id);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_create_vcpu: %m\n");
 +        fprintf(stderr, "Failed to create vCPU. Check the -smp parameter.\n");
 +        goto err;
 +    }
 +
 +    env->kvm_fd = r;
 +    env->kvm_state = kvm_state;
 +
 +    mmap_size = kvm_ioctl(kvm_state, KVM_GET_VCPU_MMAP_SIZE, 0);
 +    if (mmap_size < 0) {
 +        fprintf(stderr, "get vcpu mmap size: %m\n");
 +        goto err_fd;
 +    }
 +    env->kvm_run =
 +        mmap(NULL, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, env->kvm_fd,
 +             0);
 +    if (env->kvm_run == MAP_FAILED) {
 +        fprintf(stderr, "mmap vcpu area: %m\n");
 +        goto err_fd;
 +    }
 +
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    if (s->coalesced_mmio && !s->coalesced_mmio_ring)
 +        s->coalesced_mmio_ring = (void *) env->kvm_run +
 +               s->coalesced_mmio * PAGE_SIZE;
 +#endif
 +
 +    r = kvm_arch_init_vcpu(env);
 +    if (r == 0) {
 +        qemu_register_reset(kvm_reset_vcpu, env);
 +    }
 +
 +    return;
 +  err_fd:
 +    close(env->kvm_fd);
 +  err:
 +    /* We're no good with semi-broken states. */
 +    abort();
 +}
 +
 +static int kvm_set_boot_vcpu_id(kvm_context_t kvm, uint32_t id)
 +{
 +#ifdef KVM_CAP_SET_BOOT_CPU_ID
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_BOOT_CPU_ID);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_SET_BOOT_CPU_ID, id);
 +    }
 +    return -ENOSYS;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_create_vm(kvm_context_t kvm)
 +{
 +    int fd;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm->irq_routes = qemu_mallocz(sizeof(*kvm->irq_routes));
 +    kvm->nr_allocated_irq_routes = 0;
 +#endif
 +
 +    fd = kvm_ioctl(kvm_state, KVM_CREATE_VM, 0);
 +    if (fd < 0) {
 +        fprintf(stderr, "kvm_create_vm: %m\n");
 +        return -1;
 +    }
 +    kvm_state->vmfd = fd;
 +    return 0;
 +}
 +
 +static int kvm_create_default_phys_mem(kvm_context_t kvm,
 +                                       unsigned long phys_mem_bytes,
 +                                       void **vm_mem)
 +{
 +#ifdef KVM_CAP_USER_MEMORY
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_USER_MEMORY);
 +    if (r > 0)
 +        return 0;
 +    fprintf(stderr,
 +            "Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported\n");
 +#else
 +#error Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported
 +#endif
 +    return -1;
 +}
 +
 +void kvm_create_irqchip(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    kvm->irqchip_in_kernel = 0;
 +#ifdef KVM_CAP_IRQCHIP
 +    if (!kvm->no_irqchip_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_IRQCHIP);
 +        if (r > 0) {            /* kernel irqchip supported */
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_IRQCHIP);
 +            if (r >= 0) {
 +                kvm->irqchip_inject_ioctl = KVM_IRQ_LINE;
 +#if defined(KVM_CAP_IRQ_INJECT_STATUS) && defined(KVM_IRQ_LINE_STATUS)
 +                r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                              KVM_CAP_IRQ_INJECT_STATUS);
 +                if (r > 0) {
 +                    kvm->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
 +                }
 +#endif
 +                kvm->irqchip_in_kernel = 1;
 +            } else
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +        }
 +    }
 +#endif
 +    kvm_state->irqchip_in_kernel = kvm->irqchip_in_kernel;
 +}
 +
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes, void **vm_mem)
 +{
 +    int r, i;
 +
 +    r = kvm_create_vm(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +    r = kvm_arch_create(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++) {
 +        kvm_state->slots[i].slot = i;
 +    }
 +
 +    r = kvm_create_default_phys_mem(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_create_irqchip(kvm);
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status)
 +{
 +    struct kvm_irq_level event;
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    event.level = level;
 +    event.irq = irq;
 +    r = kvm_vm_ioctl(kvm_state, kvm->irqchip_inject_ioctl, &event);
 +    if (r < 0) {
 +        perror("kvm_set_irq_level");
 +    }
 +
 +    if (status) {
 +#ifdef KVM_CAP_IRQ_INJECT_STATUS
 +        *status =
 +            (kvm->irqchip_inject_ioctl == KVM_IRQ_LINE) ? 1 : event.status;
 +#else
 +        *status = 1;
 +#endif
 +    }
 +
 +    return 1;
 +}
 +
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_GET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_get_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_set_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +static int handle_debug(CPUState *env)
 +{
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    struct kvm_run *run = env->kvm_run;
 +
 +    return kvm_debug(env, &run->debug.arch);
 +#else
 +    return 0;
 +#endif
 +}
 +
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_REGS, regs);
 +}
 +
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 +}
 +
 +int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_FPU, fpu);
 +}
 +
 +int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_FPU, fpu);
 +}
 +
 +int kvm_get_sregs(CPUState *env, struct kvm_sregs *sregs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_SREGS, sregs);
 +}
 +
 +int kvm_set_sregs(CPUState *env, struct kvm_sregs *sregs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_SREGS, sregs);
 +}
 +
 +#ifdef KVM_CAP_MP_STATE
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +#endif
 +
 +#ifdef KVM_CAP_XSAVE
 +int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
 +}
 +
 +int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
 +}
 +#endif
 +
 +#ifdef KVM_CAP_XCRS
 +int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_XCRS, xcrs);
 +}
 +
 +int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_XCRS, xcrs);
 +}
 +#endif
 +
 +static int handle_mmio(CPUState *env)
 +{
 +    unsigned long addr = env->kvm_run->mmio.phys_addr;
 +    struct kvm_run *kvm_run = env->kvm_run;
 +    void *data = kvm_run->mmio.data;
 +
 +    /* hack: Red Hat 7.1 generates these weird accesses. */
 +    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3) {
 +        return 0;
 +    }
 +
 +    cpu_physical_memory_rw(addr, data, kvm_run->mmio.len, kvm_run->mmio.is_write);
 +    return 0;
 +}
 +
 +int handle_io_window(kvm_context_t kvm)
 +{
 +    return 1;
 +}
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env)
 +{
 +    /* stop the current vcpu from going back to guest mode */
 +    env->stopped = 1;
 +
 +    qemu_system_reset_request();
 +    return 1;
 +}
 +
 +static inline void push_nmi(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    kvm_arch_push_nmi(kvm->opaque);
 +#endif                          /* KVM_CAP_USER_NMI */
 +}
 +
 +void post_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    kvm_arch_post_run(env, env->kvm_run);
 +    cpu_single_env = env;
 +}
 +
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    kvm_arch_pre_run(env, env->kvm_run);
 +
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +int kvm_is_ready_for_interrupt_injection(CPUState *env)
 +{
 +    return env->kvm_run->ready_for_interrupt_injection;
 +}
 +
 +int kvm_run(CPUState *env)
 +{
 +    int r;
 +    kvm_context_t kvm = &env->kvm_state->kvm_context;
 +    struct kvm_run *run = env->kvm_run;
 +    int fd = env->kvm_fd;
 +
 +  again:
 +    if (env->kvm_vcpu_dirty) {
 +        kvm_arch_load_regs(env, KVM_PUT_RUNTIME_STATE);
 +        env->kvm_vcpu_dirty = 0;
 +    }
 +    push_nmi(kvm);
 +#if !defined(__s390__)
 +    if (!kvm->irqchip_in_kernel) {
 +        run->request_interrupt_window = kvm_arch_try_push_interrupts(env);
 +    }
 +#endif
 +
 +    r = pre_kvm_run(kvm, env);
 +    if (r) {
 +        return r;
 +    }
 +    if (env->exit_request) {
 +        env->exit_request = 0;
 +        pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    }
 +    r = ioctl(fd, KVM_RUN, 0);
 +
 +    if (r == -1 && errno != EINTR && errno != EAGAIN) {
 +        r = -errno;
 +        post_kvm_run(kvm, env);
 +        fprintf(stderr, "kvm_run: %s\n", strerror(-r));
 +        return r;
 +    }
 +
 +    post_kvm_run(kvm, env);
 +
 +    kvm_flush_coalesced_mmio_buffer();
 +
 +#if !defined(__s390__)
 +    if (r == -1) {
 +        r = handle_io_window(kvm);
 +        goto more;
 +    }
 +#endif
 +    if (1) {
 +        switch (run->exit_reason) {
 +        case KVM_EXIT_UNKNOWN:
 +            r = handle_unhandled(run->hw.hardware_exit_reason);
 +            break;
 +        case KVM_EXIT_FAIL_ENTRY:
 +            r = handle_failed_vmentry(run->fail_entry.hardware_entry_failure_reason);
 +            break;
 +        case KVM_EXIT_EXCEPTION:
 +            fprintf(stderr, "exception %d (%x)\n", run->ex.exception,
 +                    run->ex.error_code);
 +            kvm_show_regs(env);
 +            kvm_show_code(env);
 +            abort();
 +            break;
 +        case KVM_EXIT_IO:
 +            r = kvm_handle_io(run->io.port,
 +                                (uint8_t *)run + run->io.data_offset,
 +                                run->io.direction,
 +                                run->io.size,
 +                                run->io.count);
 +            r = 0;
 +            break;
 +        case KVM_EXIT_DEBUG:
 +            r = handle_debug(env);
 +            break;
 +        case KVM_EXIT_MMIO:
 +            r = handle_mmio(env);
 +            break;
 +        case KVM_EXIT_HLT:
 +            r = kvm_arch_halt(env);
 +            break;
 +        case KVM_EXIT_IRQ_WINDOW_OPEN:
 +            break;
 +        case KVM_EXIT_SHUTDOWN:
 +            r = handle_shutdown(kvm, env);
 +            break;
 +#if defined(__s390__)
 +        case KVM_EXIT_S390_SIEIC:
 +            r = kvm_s390_handle_intercept(kvm, env, run);
 +            break;
 +        case KVM_EXIT_S390_RESET:
 +            r = kvm_s390_handle_reset(kvm, env, run);
 +            break;
 +#endif
 +	case KVM_EXIT_INTERNAL_ERROR:
 +            kvm_handle_internal_error(env, run);
 +            r = 1;
 +	    break;
 +        default:
 +            if (kvm_arch_run(env)) {
 +                fprintf(stderr, "unhandled vm exit: 0x%x\n", run->exit_reason);
 +                kvm_show_regs(env);
 +                abort();
 +            }
 +            break;
 +        }
 +    }
 +more:
 +    if (!r) {
 +        goto again;
 +    }
 +    return r;
 +}
 +
 +int kvm_inject_irq(CPUState *env, unsigned irq)
 +{
 +    struct kvm_interrupt intr;
 +
 +    intr.irq = irq;
 +    return kvm_vcpu_ioctl(env, KVM_INTERRUPT, &intr);
 +}
 +
 +int kvm_inject_nmi(CPUState *env)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    return kvm_vcpu_ioctl(env, KVM_NMI);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_init_coalesced_mmio(kvm_context_t kvm)
 +{
 +    int r = 0;
 +    kvm_state->coalesced_mmio = 0;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_COALESCED_MMIO);
 +    if (r > 0) {
 +        kvm_state->coalesced_mmio = r;
 +        return 0;
 +    }
 +#endif
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +
 +static int kvm_old_assign_irq(kvm_context_t kvm,
 +                              struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_IRQ, assigned_irq);
 +}
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    int ret;
 +
 +    ret = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_ASSIGN_DEV_IRQ);
 +    if (ret > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_DEV_IRQ, assigned_irq);
 +    }
 +
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_DEV_IRQ, assigned_irq);
 +}
 +#else
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +#endif
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject)
 +{
 +#ifdef KVM_CAP_REINJECT_CONTROL
 +    int r;
 +    struct kvm_reinject_control control;
 +
 +    control.pit_reinject = pit_reinject;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_REINJECT_CONTROL);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_REINJECT_CONTROL, &control);
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +int kvm_has_gsi_routing(void)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    r = kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#endif
 +    return r;
 +}
 +
 +int kvm_get_gsi_count(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    return kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_clear_gsi_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->nr = 0;
 +    return 0;
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing *z;
 +    struct kvm_irq_routing_entry *new;
 +    int n, size;
 +
 +    if (kvm->irq_routes->nr == kvm->nr_allocated_irq_routes) {
 +        n = kvm->nr_allocated_irq_routes * 2;
 +        if (n < 64) {
 +            n = 64;
 +        }
 +        size = sizeof(struct kvm_irq_routing);
 +        size += n * sizeof(*new);
 +        z = realloc(kvm->irq_routes, size);
 +        if (!z) {
 +            return -ENOMEM;
 +        }
 +        kvm->nr_allocated_irq_routes = n;
 +        kvm->irq_routes = z;
 +    }
 +    n = kvm->irq_routes->nr++;
 +    new = &kvm->irq_routes->entries[n];
 +    memset(new, 0, sizeof(*new));
 +    new->gsi = entry->gsi;
 +    new->type = entry->type;
 +    new->flags = entry->flags;
 +    new->u = entry->u;
 +
 +    set_gsi(kvm, entry->gsi);
 +
 +    return 0;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_add_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_add_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e, *p;
 +    int i, gsi, found = 0;
 +
 +    gsi = entry->gsi;
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type == entry->type && e->gsi == gsi) {
 +            switch (e->type) {
 +            case KVM_IRQ_ROUTING_IRQCHIP:{
 +                    if (e->u.irqchip.irqchip ==
 +                        entry->u.irqchip.irqchip
 +                        && e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            case KVM_IRQ_ROUTING_MSI:{
 +                    if (e->u.msi.address_lo ==
 +                        entry->u.msi.address_lo
 +                        && e->u.msi.address_hi ==
 +                        entry->u.msi.address_hi
 +                        && e->u.msi.data == entry->u.msi.data) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            default:
 +                break;
 +            }
 +            if (found) {
 +                /* If there are no other users of this GSI
 +                 * mark it available in the bitmap */
 +                for (i = 0; i < kvm->irq_routes->nr; i++) {
 +                    e = &kvm->irq_routes->entries[i];
 +                    if (e->gsi == gsi)
 +                        break;
 +                }
 +                if (i == kvm->irq_routes->nr) {
 +                    clear_gsi(kvm, gsi);
 +                }
 +
 +                return 0;
 +            }
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e;
 +    int i;
 +
 +    if (entry->gsi != newentry->gsi || entry->type != newentry->type) {
 +        return -EINVAL;
 +    }
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type != entry->type || e->gsi != entry->gsi) {
 +            continue;
 +        }
 +        switch (e->type) {
 +        case KVM_IRQ_ROUTING_IRQCHIP:
 +            if (e->u.irqchip.irqchip == entry->u.irqchip.irqchip &&
 +                e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                memcpy(&e->u.irqchip, &newentry->u.irqchip,
 +                       sizeof e->u.irqchip);
 +                return 0;
 +            }
 +            break;
 +        case KVM_IRQ_ROUTING_MSI:
 +            if (e->u.msi.address_lo == entry->u.msi.address_lo &&
 +                e->u.msi.address_hi == entry->u.msi.address_hi &&
 +                e->u.msi.data == entry->u.msi.data) {
 +                memcpy(&e->u.msi, &newentry->u.msi, sizeof e->u.msi);
 +                return 0;
 +            }
 +            break;
 +        default:
 +            break;
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_del_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_commit_irq_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->flags = 0;
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_GSI_ROUTING, kvm->irq_routes);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_get_irq_route_gsi(void)
 +{
 +    kvm_context_t kvm = kvm_context;
 +    int i, bit;
 +    uint32_t *buf = kvm->used_gsi_bitmap;
 +
 +    /* Return the lowest unused GSI in the bitmap */
 +    for (i = 0; i < kvm->max_gsi / 32; i++) {
 +        bit = ffs(~buf[i]);
 +        if (!bit) {
 +            continue;
 +        }
 +
 +        return bit - 1 + i * 32;
 +    }
 +
 +    return -ENOSPC;
 +}
 +
 +static void kvm_msix_routing_entry(struct kvm_irq_routing_entry *e,
 +                                   uint32_t gsi, uint32_t addr_lo,
 +                                   uint32_t addr_hi, uint32_t data)
 +
 +{
 +    e->gsi = gsi;
 +    e->type = KVM_IRQ_ROUTING_MSI;
 +    e->flags = 0;
 +    e->u.msi.address_lo = addr_lo;
 +    e->u.msi.address_hi = addr_hi;
 +    e->u.msi.data = data;
 +}
 +
 +int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_add_routing_entry(&e);
 +}
 +
 +int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_del_routing_entry(&e);
 +}
 +
 +int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
 +                    uint32_t old_addr_hi, uint32_t old_data,
 +                    uint32_t new_gsi, uint32_t new_addr_lo,
 +                    uint32_t new_addr_hi, uint32_t new_data)
 +{
 +    struct kvm_irq_routing_entry e1, e2;
 +
 +    kvm_msix_routing_entry(&e1, old_gsi, old_addr_lo, old_addr_hi, old_data);
 +    kvm_msix_routing_entry(&e2, new_gsi, new_addr_lo, new_addr_hi, new_data);
 +    return kvm_update_routing_entry(&e1, &e2);
 +}
 +
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_NR, msix_nr);
 +}
 +
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_ENTRY, entry);
 +}
 +#endif
 +
 +#if defined(KVM_CAP_IRQFD) && defined(CONFIG_EVENTFD)
 +
 +#include <sys/eventfd.h>
 +
 +static int _kvm_irqfd(kvm_context_t kvm, int fd, int gsi, int flags)
 +{
 +    struct kvm_irqfd data = {
 +        .fd = fd,
 +        .gsi = gsi,
 +        .flags = flags,
 +    };
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_IRQFD, &data);
 +}
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    int r;
 +    int fd;
 +
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_IRQFD))
 +        return -ENOENT;
 +
 +    fd = eventfd(0, 0);
 +    if (fd < 0) {
 +        return -errno;
 +    }
 +
 +    r = _kvm_irqfd(kvm, fd, gsi, 0);
 +    if (r < 0) {
 +        close(fd);
 +        return -errno;
 +    }
 +
 +    return fd;
 +}
 +
 +#else                           /* KVM_CAP_IRQFD */
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    return -ENOSYS;
 +}
 +
 +#endif                          /* KVM_CAP_IRQFD */
 +unsigned long kvm_get_thread_id(void)
 +{
 +    return syscall(SYS_gettid);
 +}
 +
 +static void qemu_cond_wait(pthread_cond_t *cond)
 +{
 +    CPUState *env = cpu_single_env;
 +
 +    pthread_cond_wait(cond, &qemu_mutex);
 +    cpu_single_env = env;
 +}
 +
 +static void sig_ipi_handler(int n)
 +{
 +}
 +
 +static void hardware_memory_error(void)
 +{
 +    fprintf(stderr, "Hardware memory error!\n");
 +    exit(1);
 +}
 +
 +static void sigbus_reraise(void)
 +{
 +    sigset_t set;
 +    struct sigaction action;
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_handler = SIG_DFL;
 +    if (!sigaction(SIGBUS, &action, NULL)) {
 +        raise(SIGBUS);
 +        sigemptyset(&set);
 +        sigaddset(&set, SIGBUS);
 +        sigprocmask(SIG_UNBLOCK, &set, NULL);
 +    }
 +    perror("Failed to re-raise SIGBUS!\n");
 +    abort();
 +}
 +
 +static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
 +                           void *ctx)
 +{
 +#if defined(KVM_CAP_MCE) && defined(TARGET_I386)
 +    if ((first_cpu->mcg_cap & MCG_SER_P) && siginfo->ssi_addr
 +        && siginfo->ssi_code == BUS_MCEERR_AO) {
 +        uint64_t status;
 +        void *vaddr;
 +        ram_addr_t ram_addr;
 +        unsigned long paddr;
 +        //CPUState *cenv;
 +
 +        /* Hope we are lucky for AO MCE */
 +        vaddr = (void *)(intptr_t)siginfo->ssi_addr;
-         if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
++        if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
 +            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
 +            fprintf(stderr, "Hardware memory error for memory used by "
 +                    "QEMU itself instead of guest system!: %llx\n",
 +                    (unsigned long long)siginfo->ssi_addr);
 +            return;
 +        }
 +        status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
 +            | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
 +            | 0xc0;
 +#if 0
 +        kvm_inject_x86_mce(first_cpu, 9, status,
 +                           MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
 +                           (MCM_ADDR_PHYS << 6) | 0xc, 1);
 +        for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
 +            kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
 +                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
 +        }
 +#endif
 +    } else
 +#endif
 +    {
 +        if (siginfo->ssi_code == BUS_MCEERR_AO) {
 +            return;
 +        } else if (siginfo->ssi_code == BUS_MCEERR_AR) {
 +            hardware_memory_error();
 +        } else {
 +            sigbus_reraise();
 +        }
 +    }
 +}
 +
 +static void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
 +{
 +    struct qemu_work_item wi;
 +
 +    if (env == current_env) {
 +        func(data);
 +        return;
 +    }
 +
 +    wi.func = func;
 +    wi.data = data;
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        env->kvm_cpu_state.queued_work_first = &wi;
 +    } else {
 +        env->kvm_cpu_state.queued_work_last->next = &wi;
 +    }
 +    env->kvm_cpu_state.queued_work_last = &wi;
 +    wi.next = NULL;
 +    wi.done = false;
 +
 +    pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    while (!wi.done) {
 +        qemu_cond_wait(&qemu_work_cond);
 +    }
 +}
 +
 +static void do_kvm_cpu_synchronize_state(void *_env)
 +{
 +    CPUState *env = _env;
 +
 +    if (!env->kvm_vcpu_dirty) {
 +        kvm_arch_save_regs(env);
 +        env->kvm_vcpu_dirty = 1;
 +    }
 +}
 +
 +void kvm_cpu_synchronize_state(CPUState *env)
 +{
 +    if (!env->kvm_vcpu_dirty) {
 +        on_vcpu(env, do_kvm_cpu_synchronize_state, env);
 +    }
 +}
 +
 +void kvm_cpu_synchronize_post_reset(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_RESET_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +void kvm_cpu_synchronize_post_init(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_FULL_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +static void inject_interrupt(void *data)
 +{
 +    cpu_interrupt(current_env, (long) data);
 +}
 +
 +void kvm_inject_interrupt(CPUState *env, int mask)
 +{
 +    on_vcpu(env, inject_interrupt, (void *) (long) mask);
 +}
 +
 +void kvm_update_interrupt_request(CPUState *env)
 +{
 +    int signal = 0;
 +
 +    if (env) {
 +        if (!current_env || !current_env->created) {
 +            signal = 1;
 +        }
 +        /*
 +         * Testing for created here is really redundant
 +         */
 +        if (current_env && current_env->created &&
 +            env != current_env && !env->kvm_cpu_state.signalled) {
 +            signal = 1;
 +        }
 +
 +        if (signal) {
 +            env->kvm_cpu_state.signalled = 1;
 +            if (env->kvm_cpu_state.thread) {
 +                pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +            }
 +        }
 +    }
 +}
 +
 +int kvm_cpu_exec(CPUState *env)
 +{
 +    int r;
 +
 +    r = kvm_run(env);
 +    if (r < 0) {
 +        printf("kvm_run returned %d\n", r);
 +        vm_stop(0);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_cpu_is_stopped(CPUState *env)
 +{
 +    return !vm_running || env->stopped;
 +}
 +
 +static void flush_queued_work(CPUState *env)
 +{
 +    struct qemu_work_item *wi;
 +
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        return;
 +    }
 +
 +    while ((wi = env->kvm_cpu_state.queued_work_first)) {
 +        env->kvm_cpu_state.queued_work_first = wi->next;
 +        wi->func(wi->data);
 +        wi->done = true;
 +    }
 +    env->kvm_cpu_state.queued_work_last = NULL;
 +    pthread_cond_broadcast(&qemu_work_cond);
 +}
 +
 +static int kvm_mce_in_exception(CPUState *env)
 +{
 +    struct kvm_msr_entry msr_mcg_status = {
 +        .index = MSR_MCG_STATUS,
 +    };
 +    int r;
 +
 +    r = kvm_get_msrs(env, &msr_mcg_status, 1);
 +    if (r == -1 || r == 0) {
 +        return -1;
 +    }
 +    return !!(msr_mcg_status.data & MCG_STATUS_MCIP);
 +}
 +
 +static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
 +{
 +#if defined(KVM_CAP_MCE) && defined(TARGET_I386)
 +    struct kvm_x86_mce mce = {
 +            .bank = 9,
 +    };
 +    void *vaddr;
 +    ram_addr_t ram_addr;
 +    unsigned long paddr;
 +    int r;
 +
 +    if ((env->mcg_cap & MCG_SER_P) && siginfo->si_addr
 +        && (siginfo->si_code == BUS_MCEERR_AR
 +            || siginfo->si_code == BUS_MCEERR_AO)) {
 +        if (siginfo->si_code == BUS_MCEERR_AR) {
 +            /* Fake an Intel architectural Data Load SRAR UCR */
 +            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
 +                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
 +                | MCI_STATUS_AR | 0x134;
 +            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
 +            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV;
 +        } else {
 +            /*
 +             * If there is an MCE excpetion being processed, ignore
 +             * this SRAO MCE
 +             */
 +            r = kvm_mce_in_exception(env);
 +            if (r == -1) {
 +                fprintf(stderr, "Failed to get MCE status\n");
 +            } else if (r) {
 +                return;
 +            }
 +            /* Fake an Intel architectural Memory scrubbing UCR */
 +            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
 +                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
 +                | 0xc0;
 +            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
 +            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
 +        }
 +        vaddr = (void *)siginfo->si_addr;
-         if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
++        if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
 +            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
 +            fprintf(stderr, "Hardware memory error for memory used by "
 +                    "QEMU itself instead of guest system!\n");
 +            /* Hope we are lucky for AO MCE */
 +            if (siginfo->si_code == BUS_MCEERR_AO) {
 +                return;
 +            } else {
 +                hardware_memory_error();
 +            }
 +        }
 +        mce.addr = paddr;
 +//      r = kvm_set_mce(env, &mce);
 +	r = 0;
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
 +            abort();
 +        }
 +    } else
 +#endif
 +    {
 +        if (siginfo->si_code == BUS_MCEERR_AO) {
 +            return;
 +        } else if (siginfo->si_code == BUS_MCEERR_AR) {
 +            hardware_memory_error();
 +        } else {
 +            sigbus_reraise();
 +        }
 +    }
 +}
 +
 +static void kvm_main_loop_wait(CPUState *env, int timeout)
 +{
 +    struct timespec ts;
 +    int r, e;
 +    siginfo_t siginfo;
 +    sigset_t waitset;
 +    sigset_t chkset;
 +
 +    ts.tv_sec = timeout / 1000;
 +    ts.tv_nsec = (timeout % 1000) * 1000000;
 +    sigemptyset(&waitset);
 +    sigaddset(&waitset, SIG_IPI);
 +    sigaddset(&waitset, SIGBUS);
 +
 +    do {
 +        pthread_mutex_unlock(&qemu_mutex);
 +
 +        r = sigtimedwait(&waitset, &siginfo, &ts);
 +        e = errno;
 +
 +        pthread_mutex_lock(&qemu_mutex);
 +
 +        if (r == -1 && !(e == EAGAIN || e == EINTR)) {
 +            printf("sigtimedwait: %s\n", strerror(e));
 +            exit(1);
 +        }
 +
 +        switch (r) {
 +        case SIGBUS:
 +            kvm_on_sigbus(env, &siginfo);
 +            break;
 +        default:
 +            break;
 +        }
 +
 +        r = sigpending(&chkset);
 +        if (r == -1) {
 +            printf("sigpending: %s\n", strerror(e));
 +            exit(1);
 +        }
 +    } while (sigismember(&chkset, SIG_IPI) || sigismember(&chkset, SIGBUS));
 +
 +    cpu_single_env = env;
 +    flush_queued_work(env);
 +
 +    if (env->stop) {
 +        env->stop = 0;
 +        env->stopped = 1;
 +        pthread_cond_signal(&qemu_pause_cond);
 +    }
 +
 +    env->kvm_cpu_state.signalled = 0;
 +}
 +
 +static int all_threads_paused(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv->stop) {
 +            return 0;
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    return 1;
 +}
 +
 +static void pause_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv != cpu_single_env) {
 +            penv->stop = 1;
 +            pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        } else {
 +            penv->stop = 0;
 +            penv->stopped = 1;
 +            cpu_exit(penv);
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    while (!all_threads_paused()) {
 +        qemu_cond_wait(&qemu_pause_cond);
 +    }
 +}
 +
 +static void resume_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    assert(!cpu_single_env);
 +
 +    while (penv) {
 +        penv->stop = 0;
 +        penv->stopped = 0;
 +        pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +}
 +
 +static void kvm_vm_state_change_handler(void *context, int running, int reason)
 +{
 +    if (running) {
 +        resume_all_threads();
 +    } else {
 +        pause_all_threads();
 +    }
 +}
 +
 +static void setup_kernel_sigmask(CPUState *env)
 +{
 +    sigset_t set;
 +
 +    sigemptyset(&set);
 +    sigaddset(&set, SIGUSR2);
 +    sigaddset(&set, SIGIO);
 +    sigaddset(&set, SIGALRM);
 +    sigprocmask(SIG_BLOCK, &set, NULL);
 +
 +    sigprocmask(SIG_BLOCK, NULL, &set);
 +    sigdelset(&set, SIG_IPI);
 +    sigdelset(&set, SIGBUS);
 +
 +    kvm_set_signal_mask(env, &set);
 +}
 +
 +static void qemu_kvm_system_reset(void)
 +{
 +    pause_all_threads();
 +
 +    qemu_system_reset();
 +
 +    resume_all_threads();
 +}
 +
 +static void process_irqchip_events(CPUState *env)
 +{
 +    kvm_arch_process_irqchip_events(env);
 +    if (kvm_arch_has_work(env))
 +        env->halted = 0;
 +}
 +
 +static int kvm_main_loop_cpu(CPUState *env)
 +{
 +    while (1) {
 +        int run_cpu = !kvm_cpu_is_stopped(env);
 +        if (run_cpu && !kvm_irqchip_in_kernel()) {
 +            process_irqchip_events(env);
 +            run_cpu = !env->halted;
 +        }
 +        if (run_cpu) {
 +            kvm_cpu_exec(env);
 +            kvm_main_loop_wait(env, 0);
 +        } else {
 +            kvm_main_loop_wait(env, 1000);
 +        }
 +    }
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +static void *ap_main_loop(void *_env)
 +{
 +    CPUState *env = _env;
 +    sigset_t signals;
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    struct ioperm_data *data = NULL;
 +#endif
 +
 +    current_env = env;
 +    env->thread_id = kvm_get_thread_id();
 +    sigfillset(&signals);
 +    sigprocmask(SIG_BLOCK, &signals, NULL);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    /* do ioperm for io ports of assigned devices */
 +    QLIST_FOREACH(data, &ioperm_head, entries)
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +#endif
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = env;
 +
 +    kvm_create_vcpu(env, env->cpu_index);
 +    setup_kernel_sigmask(env);
 +
 +    /* signal VCPU creation */
 +    current_env->created = 1;
 +    pthread_cond_signal(&qemu_vcpu_cond);
 +
 +    /* and wait for machine initialization */
 +    while (!qemu_system_ready) {
 +        qemu_cond_wait(&qemu_system_cond);
 +    }
 +
 +    /* re-initialize cpu_single_env after re-acquiring qemu_mutex */
 +    cpu_single_env = env;
 +
 +    kvm_main_loop_cpu(env);
 +    return NULL;
 +}
 +
 +int kvm_init_vcpu(CPUState *env)
 +{
 +    pthread_create(&env->kvm_cpu_state.thread, NULL, ap_main_loop, env);
 +
 +    while (env->created == 0) {
 +        qemu_cond_wait(&qemu_vcpu_cond);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_vcpu_inited(CPUState *env)
 +{
 +    return env->created;
 +}
 +
 +#ifdef TARGET_I386
 +void kvm_hpet_disable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags |= KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +
 +void kvm_hpet_enable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags &= ~KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +#endif
 +
 +int kvm_init_ap(void)
 +{
 +    struct sigaction action;
 +
 +    qemu_add_vm_change_state_handler(kvm_vm_state_change_handler, NULL);
 +
 +    signal(SIG_IPI, sig_ipi_handler);
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_flags = SA_SIGINFO;
 +    action.sa_sigaction = (void (*)(int, siginfo_t*, void*))sigbus_handler;
 +    sigaction(SIGBUS, &action, NULL);
 +    prctl(PR_MCE_KILL, 1, 1, 0, 0);
 +    return 0;
 +}
 +
 +/* If we have signalfd, we mask out the signals we want to handle and then
 + * use signalfd to listen for them.  We rely on whatever the current signal
 + * handler is to dispatch the signals when we receive them.
 + */
 +
 +static void sigfd_handler(void *opaque)
 +{
 +    int fd = (unsigned long) opaque;
 +    struct qemu_signalfd_siginfo info;
 +    struct sigaction action;
 +    ssize_t len;
 +
 +    while (1) {
 +        do {
 +            len = read(fd, &info, sizeof(info));
 +        } while (len == -1 && errno == EINTR);
 +
 +        if (len == -1 && errno == EAGAIN) {
 +            break;
 +        }
 +
 +        if (len != sizeof(info)) {
 +            printf("read from sigfd returned %zd: %m\n", len);
 +            return;
 +        }
 +
 +        sigaction(info.ssi_signo, NULL, &action);
 +        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
 +            action.sa_sigaction(info.ssi_signo,
 +                                (siginfo_t *)&info, NULL);
 +        } else if (action.sa_handler) {
 +            action.sa_handler(info.ssi_signo);
 +        }
 +    }
 +}
 +
 +int kvm_main_loop(void)
 +{
 +    sigset_t mask;
 +    int sigfd;
 +
 +    io_thread = pthread_self();
 +    qemu_system_ready = 1;
 +
 +    sigemptyset(&mask);
 +    sigaddset(&mask, SIGIO);
 +    sigaddset(&mask, SIGALRM);
 +    sigaddset(&mask, SIGBUS);
 +    sigprocmask(SIG_BLOCK, &mask, NULL);
 +
 +    sigfd = qemu_signalfd(&mask);
 +    if (sigfd == -1) {
 +        fprintf(stderr, "failed to create signalfd\n");
 +        return -errno;
 +    }
 +
 +    fcntl(sigfd, F_SETFL, O_NONBLOCK);
 +
 +    qemu_set_fd_handler2(sigfd, NULL, sigfd_handler, NULL,
 +                         (void *)(unsigned long) sigfd);
 +
 +    pthread_cond_broadcast(&qemu_system_cond);
 +
 +    io_thread_sigfd = sigfd;
 +    cpu_single_env = NULL;
 +
 +    while (1) {
 +        main_loop_wait(0);
 +        if (qemu_shutdown_requested()) {
 +            monitor_protocol_event(QEVENT_SHUTDOWN, NULL);
 +            if (qemu_no_shutdown()) {
 +                vm_stop(0);
 +            } else {
 +                break;
 +            }
 +        } else if (qemu_powerdown_requested()) {
 +            monitor_protocol_event(QEVENT_POWERDOWN, NULL);
 +            qemu_irq_raise(qemu_system_powerdown);
 +        } else if (qemu_reset_requested()) {
 +            qemu_kvm_system_reset();
 +        } else if (kvm_debug_cpu_requested) {
 +            gdb_set_stop_cpu(kvm_debug_cpu_requested);
 +            vm_stop(EXCP_DEBUG);
 +            kvm_debug_cpu_requested = NULL;
 +        }
 +    }
 +
 +    pause_all_threads();
 +    pthread_mutex_unlock(&qemu_mutex);
 +
 +    return 0;
 +}
 +
 +#if !defined(TARGET_I386)
 +int kvm_arch_init_irq_routing(void)
 +{
 +    return 0;
 +}
 +#endif
 +
 +extern int no_hpet;
 +
 +static int kvm_create_context(void)
 +{
 +    static const char upgrade_note[] =
 +    "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
 +    "(see http://sourceforge.net/projects/kvm).\n";
 +
 +    int r;
 +
 +    if (!kvm_irqchip) {
 +        kvm_disable_irqchip_creation(kvm_context);
 +    }
 +    if (!kvm_pit) {
 +        kvm_disable_pit_creation(kvm_context);
 +    }
 +    if (kvm_create(kvm_context, 0, NULL) < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    r = kvm_arch_qemu_create_context();
 +    if (r < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    if (kvm_pit && !kvm_pit_reinject) {
 +        if (kvm_reinject_control(kvm_context, 0)) {
 +            fprintf(stderr, "failure to disable in-kernel PIT reinjection\n");
 +            return -1;
 +        }
 +    }
 +
 +    /* There was a nasty bug in < kvm-80 that prevents memory slots from being
 +     * destroyed properly.  Since we rely on this capability, refuse to work
 +     * with any kernel without this capability. */
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_DESTROY_MEMORY_REGION_WORKS)) {
 +        fprintf(stderr,
 +                "KVM kernel module broken (DESTROY_MEMORY_REGION).\n%s",
 +                upgrade_note);
 +        return -EINVAL;
 +    }
 +
 +    r = kvm_arch_init_irq_routing();
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_state->vcpu_events = 0;
 +#ifdef KVM_CAP_VCPU_EVENTS
 +    kvm_state->vcpu_events = kvm_check_extension(kvm_state, KVM_CAP_VCPU_EVENTS);
 +#endif
 +
 +    kvm_state->debugregs = 0;
 +#ifdef KVM_CAP_DEBUGREGS
 +    kvm_state->debugregs = kvm_check_extension(kvm_state, KVM_CAP_DEBUGREGS);
 +#endif
 +
 +    kvm_init_ap();
 +    if (kvm_irqchip) {
 +        if (!qemu_kvm_has_gsi_routing()) {
 +            irq0override = 0;
 +#ifdef TARGET_I386
 +            /* if kernel can't do irq routing, interrupt source
 +             * override 0->2 can not be set up as required by hpet,
 +             * so disable hpet.
 +             */
 +            no_hpet = 1;
 +        } else if (!qemu_kvm_has_pit_state2()) {
 +            no_hpet = 1;
 +        }
 +#else
 +        }
 +#endif
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq(int irq, int level, int *status)
 +{
 +    return kvm_set_irq_level(kvm_context, irq, level, status);
 +}
 +
 +#endif
 +
 +static void kvm_mutex_unlock(void)
 +{
 +    assert(!cpu_single_env);
 +    pthread_mutex_unlock(&qemu_mutex);
 +}
 +
 +static void kvm_mutex_lock(void)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = NULL;
 +}
 +
 +void qemu_mutex_unlock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_unlock();
 +    }
 +}
 +
 +void qemu_mutex_lock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_lock();
 +    }
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_add_ioperm_data(struct ioperm_data *data)
 +{
 +    QLIST_INSERT_HEAD(&ioperm_head, data, entries);
 +}
 +
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
 +{
 +    struct ioperm_data *data;
 +
 +    data = QLIST_FIRST(&ioperm_head);
 +    while (data) {
 +        struct ioperm_data *next = QLIST_NEXT(data, entries);
 +
 +        if (data->start_port == start_port && data->num == num) {
 +            QLIST_REMOVE(data, entries);
 +            qemu_free(data);
 +        }
 +
 +        data = next;
 +    }
 +}
 +
 +void kvm_ioperm(CPUState *env, void *data)
 +{
 +    if (kvm_enabled() && qemu_system_ready) {
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +    }
 +}
 +
 +#endif
 +
 +int kvm_set_boot_cpu_id(uint32_t id)
 +{
 +    return kvm_set_boot_vcpu_id(kvm_context, id);
 +}
 +
commit 250968666b4984f5f6e91bd3358f21187aea8ad8
Merge: b4f09f6... e770182...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 21:16:24 2010 -0200

    Merge commit 'e7701825e17d74913b0f1585d523cedaf1d6632a' into upstream-merge
    
    * commit 'e7701825e17d74913b0f1585d523cedaf1d6632a':
      kvm: x86: add mce support
      iothread: use signalfd
      signalfd compatibility
    
    Conflicts:
    	target-i386/kvm.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc qemu-kvm-x86.c
index 59aacd0,0000000..129356c
mode 100644,000000..100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@@ -1,1415 -1,0 +1,1359 @@@
 +/*
 + * qemu/kvm integration, x86 specific code
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "gdbstub.h"
 +#include <sys/io.h>
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <linux/kvm_para.h>
 +#include <sys/ioctl.h>
 +
 +#include "kvm.h"
 +#include "hw/apic.h"
 +
 +#define MSR_IA32_TSC            0x10
 +
 +static struct kvm_msr_list *kvm_msr_list;
 +extern unsigned int kvm_shadow_memory;
 +static int kvm_has_msr_star;
 +static int kvm_has_vm_hsave_pa;
 +
 +static int lm_capable_kernel;
 +
 +int kvm_set_tss_addr(kvm_context_t kvm, unsigned long addr)
 +{
 +    int r;
 +    /*
 +     * Tell fw_cfg to notify the BIOS to reserve the range.
 +     */
 +    if (e820_add_entry(addr, 0x4000, E820_RESERVED) < 0) {
 +        perror("e820_add_entry() table is full");
 +        exit(1);
 +    }
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_TSS_ADDR, addr);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_set_tss_addr: %m\n");
 +        return r;
 +    }
 +    return 0;
 +}
 +
 +static int kvm_init_tss(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_TSS_ADDR);
 +    if (r > 0) {
 +        /*
 +         * this address is 3 pages before the bios, and the bios should present
 +         * as unavaible memory
 +         */
 +        r = kvm_set_tss_addr(kvm, 0xfeffd000);
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_init_tss: unable to set tss addr\n");
 +            return r;
 +        }
 +    } else {
 +        fprintf(stderr, "kvm does not support KVM_CAP_SET_TSS_ADDR\n");
 +    }
 +    return 0;
 +}
 +
 +static int kvm_set_identity_map_addr(kvm_context_t kvm, uint64_t addr)
 +{
 +#ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
 +    if (r > 0) {
 +        r = kvm_vm_ioctl(kvm_state, KVM_SET_IDENTITY_MAP_ADDR, &addr);
 +        if (r == -1) {
 +            fprintf(stderr, "kvm_set_identity_map_addr: %m\n");
 +            return -errno;
 +        }
 +        return 0;
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +static int kvm_init_identity_map_page(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
 +    if (r > 0) {
 +        /*
 +         * this address is 4 pages before the bios, and the bios should present
 +         * as unavaible memory
 +         */
 +        r = kvm_set_identity_map_addr(kvm, 0xfeffc000);
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_init_identity_map_page: "
 +                    "unable to set identity mapping addr\n");
 +            return r;
 +        }
 +    }
 +#endif
 +    return 0;
 +}
 +
 +static int kvm_create_pit(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_PIT
 +    int r;
 +
 +    kvm_state->pit_in_kernel = 0;
 +    if (!kvm->no_pit_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_PIT);
 +        if (r > 0) {
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_PIT);
 +            if (r >= 0) {
 +                kvm_state->pit_in_kernel = 1;
 +            } else {
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +                return r;
 +            }
 +        }
 +    }
 +#endif
 +    return 0;
 +}
 +
 +int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +                        void **vm_mem)
 +{
 +    int r = 0;
 +
 +    r = kvm_init_tss(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    r = kvm_init_identity_map_page(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    r = kvm_create_pit(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    r = kvm_init_coalesced_mmio(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_EXIT_TPR_ACCESS
 +
 +static int kvm_handle_tpr_access(CPUState *env)
 +{
 +    struct kvm_run *run = env->kvm_run;
 +    kvm_tpr_access_report(env,
 +                          run->tpr_access.rip,
 +                          run->tpr_access.is_write);
 +    return 0;
 +}
 +
 +
 +int kvm_enable_vapic(CPUState *env, uint64_t vapic)
 +{
 +    struct kvm_vapic_addr va = {
 +        .vapic_addr = vapic,
 +    };
 +
 +    return kvm_vcpu_ioctl(env, KVM_SET_VAPIC_ADDR, &va);
 +}
 +
 +#endif
 +
 +int kvm_arch_run(CPUState *env)
 +{
 +    int r = 0;
 +    struct kvm_run *run = env->kvm_run;
 +
 +    switch (run->exit_reason) {
 +#ifdef KVM_EXIT_SET_TPR
 +    case KVM_EXIT_SET_TPR:
 +        break;
 +#endif
 +#ifdef KVM_EXIT_TPR_ACCESS
 +    case KVM_EXIT_TPR_ACCESS:
 +        r = kvm_handle_tpr_access(env);
 +        break;
 +#endif
 +    default:
 +        r = 1;
 +        break;
 +    }
 +
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s)
 +{
 +    int r = 0;
 +
 +    if (!kvm_irqchip_in_kernel()) {
 +        return r;
 +    }
 +
 +    r = kvm_vcpu_ioctl(env, KVM_GET_LAPIC, s);
 +    if (r < 0) {
 +        fprintf(stderr, "KVM_GET_LAPIC failed\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s)
 +{
 +    int r = 0;
 +
 +    if (!kvm_irqchip_in_kernel()) {
 +        return 0;
 +    }
 +
 +    r = kvm_vcpu_ioctl(env, KVM_SET_LAPIC, s);
 +
 +    if (r < 0) {
 +        fprintf(stderr, "KVM_SET_LAPIC failed\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +#ifdef KVM_CAP_PIT
 +
 +int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_GET_PIT, s);
 +}
 +
 +int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_PIT, s);
 +}
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, ps2);
 +}
 +
 +int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 +{
 +    if (!kvm_pit_in_kernel()) {
 +        return 0;
 +    }
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_PIT2, ps2);
 +}
 +
 +#endif
 +#endif
 +
 +int kvm_has_pit_state2(kvm_context_t kvm)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +    r = kvm_check_extension(kvm_state, KVM_CAP_PIT_STATE2);
 +#endif
 +    return r;
 +}
 +
 +void kvm_show_code(CPUState *env)
 +{
 +#define SHOW_CODE_LEN 50
 +    struct kvm_regs regs;
 +    struct kvm_sregs sregs;
 +    int r, n;
 +    int back_offset;
 +    unsigned char code;
 +    char code_str[SHOW_CODE_LEN * 3 + 1];
 +    unsigned long rip;
 +
 +    r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
 +    if (r < 0 ) {
 +        perror("KVM_GET_SREGS");
 +        return;
 +    }
 +    r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
 +    if (r < 0) {
 +        perror("KVM_GET_REGS");
 +        return;
 +    }
 +    rip = sregs.cs.base + regs.rip;
 +    back_offset = regs.rip;
 +    if (back_offset > 20) {
 +        back_offset = 20;
 +    }
 +    *code_str = 0;
 +    for (n = -back_offset; n < SHOW_CODE_LEN-back_offset; ++n) {
 +        if (n == 0) {
 +            strcat(code_str, " -->");
 +        }
 +        cpu_physical_memory_rw(rip + n, &code, 1, 1);
 +        sprintf(code_str + strlen(code_str), " %02x", code);
 +    }
 +    fprintf(stderr, "code:%s\n", code_str);
 +}
 +
 +
 +/*
 + * Returns available msr list.  User must free.
 + */
 +static struct kvm_msr_list *kvm_get_msr_list(void)
 +{
 +    struct kvm_msr_list sizer, *msrs;
 +    int r;
 +
 +    sizer.nmsrs = 0;
 +    r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, &sizer);
 +    if (r < 0 && r != -E2BIG) {
 +        return NULL;
 +    }
 +    /* Old kernel modules had a bug and could write beyond the provided
 +       memory. Allocate at least a safe amount of 1K. */
 +    msrs = qemu_malloc(MAX(1024, sizeof(*msrs) +
 +                           sizer.nmsrs * sizeof(*msrs->indices)));
 +
 +    msrs->nmsrs = sizer.nmsrs;
 +    r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, msrs);
 +    if (r < 0) {
 +        free(msrs);
 +        errno = r;
 +        return NULL;
 +    }
 +    return msrs;
 +}
 +
 +int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
 +{
 +    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
 +    int r;
 +
 +    kmsrs->nmsrs = n;
 +    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
 +    r = kvm_vcpu_ioctl(env, KVM_GET_MSRS, kmsrs);
 +    memcpy(msrs, kmsrs->entries, n * sizeof *msrs);
 +    free(kmsrs);
 +    return r;
 +}
 +
 +int kvm_set_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
 +{
 +    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
 +    int r;
 +
 +    kmsrs->nmsrs = n;
 +    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
 +    r = kvm_vcpu_ioctl(env, KVM_SET_MSRS, kmsrs);
 +    free(kmsrs);
 +    return r;
 +}
 +
- int kvm_get_mce_cap_supported(kvm_context_t kvm, uint64_t *mce_cap,
-                               int *max_banks)
- {
- #ifdef KVM_CAP_MCE
-     int r;
- 
-     r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MCE);
-     if (r > 0) {
-         *max_banks = r;
-         return kvm_ioctl(kvm_state, KVM_X86_GET_MCE_CAP_SUPPORTED, mce_cap);
-     }
- #endif
-     return -ENOSYS;
- }
- 
- int kvm_setup_mce(CPUState *env, uint64_t *mcg_cap)
- {
- #ifdef KVM_CAP_MCE
-     return kvm_vcpu_ioctl(env, KVM_X86_SETUP_MCE, mcg_cap);
- #else
-     return -ENOSYS;
- #endif
- }
- 
- int kvm_set_mce(CPUState *env, struct kvm_x86_mce *m)
- {
- #ifdef KVM_CAP_MCE
-     return kvm_vcpu_ioctl(env, KVM_X86_SET_MCE, m);
- #else
-     return -ENOSYS;
- #endif
- }
- 
 +static void print_seg(FILE *file, const char *name, struct kvm_segment *seg)
 +{
 +    fprintf(stderr,
 +            "%s %04x (%08llx/%08x p %d dpl %d db %d s %d type %x l %d"
 +            " g %d avl %d)\n",
 +            name, seg->selector, seg->base, seg->limit, seg->present,
 +            seg->dpl, seg->db, seg->s, seg->type, seg->l, seg->g,
 +            seg->avl);
 +}
 +
 +static void print_dt(FILE *file, const char *name, struct kvm_dtable *dt)
 +{
 +    fprintf(stderr, "%s %llx/%x\n", name, dt->base, dt->limit);
 +}
 +
 +void kvm_show_regs(CPUState *env)
 +{
 +    struct kvm_regs regs;
 +    struct kvm_sregs sregs;
 +    int r;
 +
 +    r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
 +    if (r < 0) {
 +        perror("KVM_GET_REGS");
 +        return;
 +    }
 +    fprintf(stderr,
 +            "rax %016llx rbx %016llx rcx %016llx rdx %016llx\n"
 +            "rsi %016llx rdi %016llx rsp %016llx rbp %016llx\n"
 +            "r8  %016llx r9  %016llx r10 %016llx r11 %016llx\n"
 +            "r12 %016llx r13 %016llx r14 %016llx r15 %016llx\n"
 +            "rip %016llx rflags %08llx\n",
 +            regs.rax, regs.rbx, regs.rcx, regs.rdx,
 +            regs.rsi, regs.rdi, regs.rsp, regs.rbp,
 +            regs.r8,  regs.r9,  regs.r10, regs.r11,
 +            regs.r12, regs.r13, regs.r14, regs.r15,
 +            regs.rip, regs.rflags);
 +    r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
 +    if (r < 0) {
 +        perror("KVM_GET_SREGS");
 +        return;
 +    }
 +    print_seg(stderr, "cs", &sregs.cs);
 +    print_seg(stderr, "ds", &sregs.ds);
 +    print_seg(stderr, "es", &sregs.es);
 +    print_seg(stderr, "ss", &sregs.ss);
 +    print_seg(stderr, "fs", &sregs.fs);
 +    print_seg(stderr, "gs", &sregs.gs);
 +    print_seg(stderr, "tr", &sregs.tr);
 +    print_seg(stderr, "ldt", &sregs.ldt);
 +    print_dt(stderr, "gdt", &sregs.gdt);
 +    print_dt(stderr, "idt", &sregs.idt);
 +    fprintf(stderr, "cr0 %llx cr2 %llx cr3 %llx cr4 %llx cr8 %llx"
 +            " efer %llx\n",
 +            sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4, sregs.cr8,
 +            sregs.efer);
 +}
 +
 +static void kvm_set_cr8(CPUState *env, uint64_t cr8)
 +{
 +    env->kvm_run->cr8 = cr8;
 +}
 +
 +int kvm_setup_cpuid(CPUState *env, int nent,
 +                    struct kvm_cpuid_entry *entries)
 +{
 +    struct kvm_cpuid *cpuid;
 +    int r;
 +
 +    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
 +
 +    cpuid->nent = nent;
 +    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
 +    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID, cpuid);
 +
 +    free(cpuid);
 +    return r;
 +}
 +
 +int kvm_setup_cpuid2(CPUState *env, int nent,
 +                     struct kvm_cpuid_entry2 *entries)
 +{
 +    struct kvm_cpuid2 *cpuid;
 +    int r;
 +
 +    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
 +
 +    cpuid->nent = nent;
 +    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
 +    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID2, cpuid);
 +    free(cpuid);
 +    return r;
 +}
 +
 +int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages)
 +{
 +#ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
 +    if (r > 0) {
 +        r = kvm_vm_ioctl(kvm_state, KVM_SET_NR_MMU_PAGES, nrshadow_pages);
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_set_shadow_pages: %m\n");
 +            return r;
 +        }
 +        return 0;
 +    }
 +#endif
 +    return -1;
 +}
 +
 +int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages)
 +{
 +#ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
 +    if (r > 0) {
 +        *nrshadow_pages = kvm_vm_ioctl(kvm_state, KVM_GET_NR_MMU_PAGES);
 +        return 0;
 +    }
 +#endif
 +    return -1;
 +}
 +
 +#ifdef KVM_CAP_VAPIC
 +static int kvm_enable_tpr_access_reporting(CPUState *env)
 +{
 +    int r;
 +    struct kvm_tpr_access_ctl tac = { .enabled = 1 };
 +
 +    r = kvm_ioctl(env->kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_VAPIC);
 +    if (r <= 0) {
 +        return -ENOSYS;
 +    }
 +    return kvm_vcpu_ioctl(env, KVM_TPR_ACCESS_REPORTING, &tac);
 +}
 +#endif
 +
 +#ifdef KVM_CAP_ADJUST_CLOCK
 +static struct kvm_clock_data kvmclock_data;
 +
 +static void kvmclock_pre_save(void *opaque)
 +{
 +    struct kvm_clock_data *cl = opaque;
 +
 +    kvm_vm_ioctl(kvm_state, KVM_GET_CLOCK, cl);
 +}
 +
 +static int kvmclock_post_load(void *opaque, int version_id)
 +{
 +    struct kvm_clock_data *cl = opaque;
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_CLOCK, cl);
 +}
 +
 +static const VMStateDescription vmstate_kvmclock= {
 +    .name = "kvmclock",
 +    .version_id = 1,
 +    .minimum_version_id = 1,
 +    .minimum_version_id_old = 1,
 +    .pre_save = kvmclock_pre_save,
 +    .post_load = kvmclock_post_load,
 +    .fields      = (VMStateField []) {
 +        VMSTATE_U64(clock, struct kvm_clock_data),
 +        VMSTATE_END_OF_LIST()
 +    }
 +};
 +#endif
 +
 +int kvm_arch_qemu_create_context(void)
 +{
 +    int i, r;
 +    struct utsname utsname;
 +
 +    uname(&utsname);
 +    lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
 +
 +    if (kvm_shadow_memory) {
 +        kvm_set_shadow_pages(kvm_context, kvm_shadow_memory);
 +    }
 +
 +    kvm_msr_list = kvm_get_msr_list();
 +    if (!kvm_msr_list) {
 +        return -1;
 +    }
 +    for (i = 0; i < kvm_msr_list->nmsrs; ++i) {
 +        if (kvm_msr_list->indices[i] == MSR_STAR) {
 +            kvm_has_msr_star = 1;
 +        }
 +        if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA) {
 +            kvm_has_vm_hsave_pa = 1;
 +        }
 +    }
 +
 +#ifdef KVM_CAP_ADJUST_CLOCK
 +    if (kvm_check_extension(kvm_state, KVM_CAP_ADJUST_CLOCK)) {
 +        vmstate_register(NULL, 0, &vmstate_kvmclock, &kvmclock_data);
 +    }
 +#endif
 +
 +    r = kvm_set_boot_cpu_id(0);
 +    if (r < 0 && r != -ENOSYS) {
 +        return r;
 +    }
 +
 +    return 0;
 +}
 +
 +/* returns 0 on success, non-0 on failure */
 +static int get_msr_entry(struct kvm_msr_entry *entry, CPUState *env)
 +{
 +    switch (entry->index) {
 +    case MSR_IA32_SYSENTER_CS:
 +        env->sysenter_cs  = entry->data;
 +        break;
 +    case MSR_IA32_SYSENTER_ESP:
 +        env->sysenter_esp = entry->data;
 +        break;
 +    case MSR_IA32_SYSENTER_EIP:
 +        env->sysenter_eip = entry->data;
 +        break;
 +    case MSR_STAR:
 +        env->star         = entry->data;
 +        break;
 +#ifdef TARGET_X86_64
 +    case MSR_CSTAR:
 +        env->cstar        = entry->data;
 +        break;
 +    case MSR_KERNELGSBASE:
 +        env->kernelgsbase = entry->data;
 +        break;
 +    case MSR_FMASK:
 +        env->fmask        = entry->data;
 +        break;
 +    case MSR_LSTAR:
 +        env->lstar        = entry->data;
 +        break;
 +#endif
 +    case MSR_IA32_TSC:
 +        env->tsc          = entry->data;
 +        break;
 +    case MSR_VM_HSAVE_PA:
 +        env->vm_hsave     = entry->data;
 +        break;
 +    case MSR_KVM_SYSTEM_TIME:
 +        env->system_time_msr = entry->data;
 +        break;
 +    case MSR_KVM_WALL_CLOCK:
 +        env->wall_clock_msr = entry->data;
 +        break;
 +#ifdef KVM_CAP_MCE
 +    case MSR_MCG_STATUS:
 +        env->mcg_status = entry->data;
 +        break;
 +    case MSR_MCG_CTL:
 +        env->mcg_ctl = entry->data;
 +        break;
 +#endif
 +    default:
 +#ifdef KVM_CAP_MCE
 +        if (entry->index >= MSR_MC0_CTL &&
 +            entry->index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
 +            env->mce_banks[entry->index - MSR_MC0_CTL] = entry->data;
 +            break;
 +        }
 +#endif
 +        printf("Warning unknown msr index 0x%x\n", entry->index);
 +        return 1;
 +    }
 +    return 0;
 +}
 +
 +static void kvm_arch_save_mpstate(CPUState *env)
 +{
 +#ifdef KVM_CAP_MP_STATE
 +    int r;
 +    struct kvm_mp_state mp_state;
 +
 +    r = kvm_get_mpstate(env, &mp_state);
 +    if (r < 0) {
 +        env->mp_state = -1;
 +    } else {
 +        env->mp_state = mp_state.mp_state;
 +        if (kvm_irqchip_in_kernel()) {
 +            env->halted = (env->mp_state == KVM_MP_STATE_HALTED);
 +        }
 +    }
 +#else
 +    env->mp_state = -1;
 +#endif
 +}
 +
 +static void kvm_arch_load_mpstate(CPUState *env)
 +{
 +#ifdef KVM_CAP_MP_STATE
 +    struct kvm_mp_state mp_state;
 +
 +    /*
 +     * -1 indicates that the host did not support GET_MP_STATE ioctl,
 +     *  so don't touch it.
 +     */
 +    if (env->mp_state != -1) {
 +        mp_state.mp_state = env->mp_state;
 +        kvm_set_mpstate(env, &mp_state);
 +    }
 +#endif
 +}
 +
 +static void kvm_reset_mpstate(CPUState *env)
 +{
 +#ifdef KVM_CAP_MP_STATE
 +    if (kvm_check_extension(kvm_state, KVM_CAP_MP_STATE)) {
 +        if (kvm_irqchip_in_kernel()) {
 +            env->mp_state = cpu_is_bsp(env) ? KVM_MP_STATE_RUNNABLE :
 +                                              KVM_MP_STATE_UNINITIALIZED;
 +        } else {
 +            env->mp_state = KVM_MP_STATE_RUNNABLE;
 +        }
 +    }
 +#endif
 +}
 +
 +static void set_v8086_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
 +{
 +    lhs->selector = rhs->selector;
 +    lhs->base = rhs->base;
 +    lhs->limit = rhs->limit;
 +    lhs->type = 3;
 +    lhs->present = 1;
 +    lhs->dpl = 3;
 +    lhs->db = 0;
 +    lhs->s = 1;
 +    lhs->l = 0;
 +    lhs->g = 0;
 +    lhs->avl = 0;
 +    lhs->unusable = 0;
 +}
 +
 +static void set_seg(struct kvm_segment *lhs, const SegmentCache *rhs)
 +{
 +    unsigned flags = rhs->flags;
 +    lhs->selector = rhs->selector;
 +    lhs->base = rhs->base;
 +    lhs->limit = rhs->limit;
 +    lhs->type = (flags >> DESC_TYPE_SHIFT) & 15;
 +    lhs->present = (flags & DESC_P_MASK) != 0;
 +    lhs->dpl = rhs->selector & 3;
 +    lhs->db = (flags >> DESC_B_SHIFT) & 1;
 +    lhs->s = (flags & DESC_S_MASK) != 0;
 +    lhs->l = (flags >> DESC_L_SHIFT) & 1;
 +    lhs->g = (flags & DESC_G_MASK) != 0;
 +    lhs->avl = (flags & DESC_AVL_MASK) != 0;
 +    lhs->unusable = 0;
 +}
 +
 +static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
 +{
 +    lhs->selector = rhs->selector;
 +    lhs->base = rhs->base;
 +    lhs->limit = rhs->limit;
 +    lhs->flags =
 +        (rhs->type << DESC_TYPE_SHIFT)
 +        | (rhs->present * DESC_P_MASK)
 +        | (rhs->dpl << DESC_DPL_SHIFT)
 +        | (rhs->db << DESC_B_SHIFT)
 +        | (rhs->s * DESC_S_MASK)
 +        | (rhs->l << DESC_L_SHIFT)
 +        | (rhs->g * DESC_G_MASK)
 +        | (rhs->avl * DESC_AVL_MASK);
 +}
 +
 +#define XSAVE_CWD_RIP     2
 +#define XSAVE_CWD_RDP     4
 +#define XSAVE_MXCSR       6
 +#define XSAVE_ST_SPACE    8
 +#define XSAVE_XMM_SPACE   40
 +#define XSAVE_XSTATE_BV   128
 +#define XSAVE_YMMH_SPACE  144
 +
 +void kvm_arch_load_regs(CPUState *env, int level)
 +{
 +    struct kvm_regs regs;
 +    struct kvm_fpu fpu;
 +    struct kvm_sregs sregs;
 +    struct kvm_msr_entry msrs[100];
 +    int rc, n, i;
 +
 +    assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 +
 +    regs.rax = env->regs[R_EAX];
 +    regs.rbx = env->regs[R_EBX];
 +    regs.rcx = env->regs[R_ECX];
 +    regs.rdx = env->regs[R_EDX];
 +    regs.rsi = env->regs[R_ESI];
 +    regs.rdi = env->regs[R_EDI];
 +    regs.rsp = env->regs[R_ESP];
 +    regs.rbp = env->regs[R_EBP];
 +#ifdef TARGET_X86_64
 +    regs.r8 = env->regs[8];
 +    regs.r9 = env->regs[9];
 +    regs.r10 = env->regs[10];
 +    regs.r11 = env->regs[11];
 +    regs.r12 = env->regs[12];
 +    regs.r13 = env->regs[13];
 +    regs.r14 = env->regs[14];
 +    regs.r15 = env->regs[15];
 +#endif
 +
 +    regs.rflags = env->eflags;
 +    regs.rip = env->eip;
 +
 +    kvm_set_regs(env, &regs);
 +
 +#ifdef KVM_CAP_XSAVE
 +    if (kvm_check_extension(kvm_state, KVM_CAP_XSAVE)) {
 +        struct kvm_xsave* xsave;
 +
 +        uint16_t cwd, swd, twd, fop;
 +
 +        xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
 +        memset(xsave, 0, sizeof(struct kvm_xsave));
 +        cwd = swd = twd = fop = 0;
 +        swd = env->fpus & ~(7 << 11);
 +        swd |= (env->fpstt & 7) << 11;
 +        cwd = env->fpuc;
 +        for (i = 0; i < 8; ++i) {
 +            twd |= (!env->fptags[i]) << i;
 +        }
 +        xsave->region[0] = (uint32_t)(swd << 16) + cwd;
 +        xsave->region[1] = (uint32_t)(fop << 16) + twd;
 +        memcpy(&xsave->region[XSAVE_ST_SPACE], env->fpregs,
 +               sizeof env->fpregs);
 +        memcpy(&xsave->region[XSAVE_XMM_SPACE], env->xmm_regs,
 +               sizeof env->xmm_regs);
 +        xsave->region[XSAVE_MXCSR] = env->mxcsr;
 +        *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV] = env->xstate_bv;
 +        memcpy(&xsave->region[XSAVE_YMMH_SPACE], env->ymmh_regs,
 +               sizeof env->ymmh_regs);
 +        kvm_set_xsave(env, xsave);
 +        if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
 +            struct kvm_xcrs xcrs;
 +
 +            xcrs.nr_xcrs = 1;
 +            xcrs.flags = 0;
 +            xcrs.xcrs[0].xcr = 0;
 +            xcrs.xcrs[0].value = env->xcr0;
 +            kvm_set_xcrs(env, &xcrs);
 +        }
 +        qemu_free(xsave);
 +    } else {
 +#endif
 +        memset(&fpu, 0, sizeof fpu);
 +        fpu.fsw = env->fpus & ~(7 << 11);
 +        fpu.fsw |= (env->fpstt & 7) << 11;
 +        fpu.fcw = env->fpuc;
 +        for (i = 0; i < 8; ++i) {
 +            fpu.ftwx |= (!env->fptags[i]) << i;
 +        }
 +        memcpy(fpu.fpr, env->fpregs, sizeof env->fpregs);
 +        memcpy(fpu.xmm, env->xmm_regs, sizeof env->xmm_regs);
 +        fpu.mxcsr = env->mxcsr;
 +        kvm_set_fpu(env, &fpu);
 +#ifdef KVM_CAP_XSAVE
 +    }
 +#endif
 +
 +    memset(sregs.interrupt_bitmap, 0, sizeof(sregs.interrupt_bitmap));
 +    if (env->interrupt_injected >= 0) {
 +        sregs.interrupt_bitmap[env->interrupt_injected / 64] |=
 +                (uint64_t)1 << (env->interrupt_injected % 64);
 +    }
 +
 +    if ((env->eflags & VM_MASK)) {
 +        set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
 +        set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
 +        set_v8086_seg(&sregs.es, &env->segs[R_ES]);
 +        set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
 +        set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
 +        set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
 +    } else {
 +        set_seg(&sregs.cs, &env->segs[R_CS]);
 +        set_seg(&sregs.ds, &env->segs[R_DS]);
 +        set_seg(&sregs.es, &env->segs[R_ES]);
 +        set_seg(&sregs.fs, &env->segs[R_FS]);
 +        set_seg(&sregs.gs, &env->segs[R_GS]);
 +        set_seg(&sregs.ss, &env->segs[R_SS]);
 +
 +        if (env->cr[0] & CR0_PE_MASK) {
 +            /* force ss cpl to cs cpl */
 +            sregs.ss.selector = (sregs.ss.selector & ~3) |
 +                (sregs.cs.selector & 3);
 +            sregs.ss.dpl = sregs.ss.selector & 3;
 +        }
 +    }
 +
 +    set_seg(&sregs.tr, &env->tr);
 +    set_seg(&sregs.ldt, &env->ldt);
 +
 +    sregs.idt.limit = env->idt.limit;
 +    sregs.idt.base = env->idt.base;
 +    sregs.gdt.limit = env->gdt.limit;
 +    sregs.gdt.base = env->gdt.base;
 +
 +    sregs.cr0 = env->cr[0];
 +    sregs.cr2 = env->cr[2];
 +    sregs.cr3 = env->cr[3];
 +    sregs.cr4 = env->cr[4];
 +
 +    sregs.cr8 = cpu_get_apic_tpr(env->apic_state);
 +    sregs.apic_base = cpu_get_apic_base(env->apic_state);
 +
 +    sregs.efer = env->efer;
 +
 +    kvm_set_sregs(env, &sregs);
 +
 +    /* msrs */
 +    n = 0;
 +    /* Remember to increase msrs size if you add new registers below */
 +    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS,  env->sysenter_cs);
 +    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
 +    kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
 +    if (kvm_has_msr_star) {
 +        kvm_msr_entry_set(&msrs[n++], MSR_STAR,              env->star);
 +    }
 +    if (kvm_has_vm_hsave_pa) {
 +        kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
 +    }
 +#ifdef TARGET_X86_64
 +    if (lm_capable_kernel) {
 +        kvm_msr_entry_set(&msrs[n++], MSR_CSTAR,             env->cstar);
 +        kvm_msr_entry_set(&msrs[n++], MSR_KERNELGSBASE,      env->kernelgsbase);
 +        kvm_msr_entry_set(&msrs[n++], MSR_FMASK,             env->fmask);
 +        kvm_msr_entry_set(&msrs[n++], MSR_LSTAR  ,           env->lstar);
 +    }
 +#endif
 +    if (level == KVM_PUT_FULL_STATE) {
 +        /*
 +         * KVM is yet unable to synchronize TSC values of multiple VCPUs on
 +         * writeback. Until this is fixed, we only write the offset to SMP
 +         * guests after migration, desynchronizing the VCPUs, but avoiding
 +         * huge jump-backs that would occur without any writeback at all.
 +         */
 +        if (smp_cpus == 1 || env->tsc != 0) {
 +            kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSC, env->tsc);
 +        }
 +        kvm_msr_entry_set(&msrs[n++], MSR_KVM_SYSTEM_TIME, env->system_time_msr);
 +        kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
 +    }
 +#ifdef KVM_CAP_MCE
 +    if (env->mcg_cap) {
 +        if (level == KVM_PUT_RESET_STATE) {
 +            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
 +        } else if (level == KVM_PUT_FULL_STATE) {
 +            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
 +            kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
 +            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++) {
 +                kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
 +            }
 +        }
 +    }
 +#endif
 +
 +    rc = kvm_set_msrs(env, msrs, n);
 +    if (rc == -1) {
 +        perror("kvm_set_msrs FAILED");
 +    }
 +
 +    if (level >= KVM_PUT_RESET_STATE) {
 +        kvm_arch_load_mpstate(env);
 +        kvm_load_lapic(env);
 +    }
 +    if (level == KVM_PUT_FULL_STATE) {
 +        if (env->kvm_vcpu_update_vapic) {
 +            kvm_tpr_enable_vapic(env);
 +        }
 +    }
 +
 +    kvm_put_vcpu_events(env, level);
 +    kvm_put_debugregs(env);
 +
 +    /* must be last */
 +    kvm_guest_debug_workarounds(env);
 +}
 +
 +void kvm_arch_save_regs(CPUState *env)
 +{
 +    struct kvm_regs regs;
 +    struct kvm_fpu fpu;
 +    struct kvm_sregs sregs;
 +    struct kvm_msr_entry msrs[100];
 +    uint32_t hflags;
 +    uint32_t i, n, rc, bit;
 +
 +    assert(kvm_cpu_is_stopped(env) || env->thread_id == kvm_get_thread_id());
 +
 +    kvm_get_regs(env, &regs);
 +
 +    env->regs[R_EAX] = regs.rax;
 +    env->regs[R_EBX] = regs.rbx;
 +    env->regs[R_ECX] = regs.rcx;
 +    env->regs[R_EDX] = regs.rdx;
 +    env->regs[R_ESI] = regs.rsi;
 +    env->regs[R_EDI] = regs.rdi;
 +    env->regs[R_ESP] = regs.rsp;
 +    env->regs[R_EBP] = regs.rbp;
 +#ifdef TARGET_X86_64
 +    env->regs[8] = regs.r8;
 +    env->regs[9] = regs.r9;
 +    env->regs[10] = regs.r10;
 +    env->regs[11] = regs.r11;
 +    env->regs[12] = regs.r12;
 +    env->regs[13] = regs.r13;
 +    env->regs[14] = regs.r14;
 +    env->regs[15] = regs.r15;
 +#endif
 +
 +    env->eflags = regs.rflags;
 +    env->eip = regs.rip;
 +
 +#ifdef KVM_CAP_XSAVE
 +    if (kvm_check_extension(kvm_state, KVM_CAP_XSAVE)) {
 +        struct kvm_xsave* xsave;
 +        uint16_t cwd, swd, twd, fop;
 +        xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
 +        kvm_get_xsave(env, xsave);
 +        cwd = (uint16_t)xsave->region[0];
 +        swd = (uint16_t)(xsave->region[0] >> 16);
 +        twd = (uint16_t)xsave->region[1];
 +        fop = (uint16_t)(xsave->region[1] >> 16);
 +        env->fpstt = (swd >> 11) & 7;
 +        env->fpus = swd;
 +        env->fpuc = cwd;
 +        for (i = 0; i < 8; ++i) {
 +            env->fptags[i] = !((twd >> i) & 1);
 +        }
 +        env->mxcsr = xsave->region[XSAVE_MXCSR];
 +        memcpy(env->fpregs, &xsave->region[XSAVE_ST_SPACE],
 +                sizeof env->fpregs);
 +        memcpy(env->xmm_regs, &xsave->region[XSAVE_XMM_SPACE],
 +                sizeof env->xmm_regs);
 +        env->xstate_bv = *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV];
 +        memcpy(env->ymmh_regs, &xsave->region[XSAVE_YMMH_SPACE],
 +                sizeof env->ymmh_regs);
 +        if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
 +            struct kvm_xcrs xcrs;
 +
 +            kvm_get_xcrs(env, &xcrs);
 +            if (xcrs.xcrs[0].xcr == 0) {
 +                env->xcr0 = xcrs.xcrs[0].value;
 +            }
 +        }
 +        qemu_free(xsave);
 +    } else {
 +#endif
 +        kvm_get_fpu(env, &fpu);
 +        env->fpstt = (fpu.fsw >> 11) & 7;
 +        env->fpus = fpu.fsw;
 +        env->fpuc = fpu.fcw;
 +        for (i = 0; i < 8; ++i) {
 +            env->fptags[i] = !((fpu.ftwx >> i) & 1);
 +        }
 +        memcpy(env->fpregs, fpu.fpr, sizeof env->fpregs);
 +        memcpy(env->xmm_regs, fpu.xmm, sizeof env->xmm_regs);
 +        env->mxcsr = fpu.mxcsr;
 +#ifdef KVM_CAP_XSAVE
 +    }
 +#endif
 +
 +    kvm_get_sregs(env, &sregs);
 +
 +    /* There can only be one pending IRQ set in the bitmap at a time, so try
 +       to find it and save its number instead (-1 for none). */
 +    env->interrupt_injected = -1;
 +    for (i = 0; i < ARRAY_SIZE(sregs.interrupt_bitmap); i++) {
 +        if (sregs.interrupt_bitmap[i]) {
 +            bit = ctz64(sregs.interrupt_bitmap[i]);
 +            env->interrupt_injected = i * 64 + bit;
 +            break;
 +        }
 +    }
 +
 +    get_seg(&env->segs[R_CS], &sregs.cs);
 +    get_seg(&env->segs[R_DS], &sregs.ds);
 +    get_seg(&env->segs[R_ES], &sregs.es);
 +    get_seg(&env->segs[R_FS], &sregs.fs);
 +    get_seg(&env->segs[R_GS], &sregs.gs);
 +    get_seg(&env->segs[R_SS], &sregs.ss);
 +
 +    get_seg(&env->tr, &sregs.tr);
 +    get_seg(&env->ldt, &sregs.ldt);
 +
 +    env->idt.limit = sregs.idt.limit;
 +    env->idt.base = sregs.idt.base;
 +    env->gdt.limit = sregs.gdt.limit;
 +    env->gdt.base = sregs.gdt.base;
 +
 +    env->cr[0] = sregs.cr0;
 +    env->cr[2] = sregs.cr2;
 +    env->cr[3] = sregs.cr3;
 +    env->cr[4] = sregs.cr4;
 +
 +    cpu_set_apic_base(env->apic_state, sregs.apic_base);
 +
 +    env->efer = sregs.efer;
 +    //cpu_set_apic_tpr(env, sregs.cr8);
 +
 +#define HFLAG_COPY_MASK ~(                                              \
 +        HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK |            \
 +        HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK |           \
 +        HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK |                   \
 +        HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
 +
 +    hflags = (env->segs[R_CS].flags >> DESC_DPL_SHIFT) & HF_CPL_MASK;
 +    hflags |= (env->cr[0] & CR0_PE_MASK) << (HF_PE_SHIFT - CR0_PE_SHIFT);
 +    hflags |= (env->cr[0] << (HF_MP_SHIFT - CR0_MP_SHIFT)) &
 +            (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
 +    hflags |= (env->eflags & (HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK));
 +    hflags |= (env->cr[4] & CR4_OSFXSR_MASK) <<
 +            (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
 +
 +    if (env->efer & MSR_EFER_LMA) {
 +        hflags |= HF_LMA_MASK;
 +    }
 +
 +    if ((hflags & HF_LMA_MASK) && (env->segs[R_CS].flags & DESC_L_MASK)) {
 +        hflags |= HF_CS32_MASK | HF_SS32_MASK | HF_CS64_MASK;
 +    } else {
 +        hflags |= (env->segs[R_CS].flags & DESC_B_MASK) >>
 +                (DESC_B_SHIFT - HF_CS32_SHIFT);
 +        hflags |= (env->segs[R_SS].flags & DESC_B_MASK) >>
 +                (DESC_B_SHIFT - HF_SS32_SHIFT);
 +        if (!(env->cr[0] & CR0_PE_MASK) ||
 +            (env->eflags & VM_MASK) ||
 +            !(hflags & HF_CS32_MASK)) {
 +            hflags |= HF_ADDSEG_MASK;
 +        } else {
 +            hflags |= ((env->segs[R_DS].base |
 +                        env->segs[R_ES].base |
 +                        env->segs[R_SS].base) != 0) <<
 +                HF_ADDSEG_SHIFT;
 +        }
 +    }
 +    env->hflags = (env->hflags & HFLAG_COPY_MASK) | hflags;
 +
 +    /* msrs */
 +    n = 0;
 +    /* Remember to increase msrs size if you add new registers below */
 +    msrs[n++].index = MSR_IA32_SYSENTER_CS;
 +    msrs[n++].index = MSR_IA32_SYSENTER_ESP;
 +    msrs[n++].index = MSR_IA32_SYSENTER_EIP;
 +    if (kvm_has_msr_star) {
 +        msrs[n++].index = MSR_STAR;
 +    }
 +    msrs[n++].index = MSR_IA32_TSC;
 +    if (kvm_has_vm_hsave_pa)
 +        msrs[n++].index = MSR_VM_HSAVE_PA;
 +#ifdef TARGET_X86_64
 +    if (lm_capable_kernel) {
 +        msrs[n++].index = MSR_CSTAR;
 +        msrs[n++].index = MSR_KERNELGSBASE;
 +        msrs[n++].index = MSR_FMASK;
 +        msrs[n++].index = MSR_LSTAR;
 +    }
 +#endif
 +    msrs[n++].index = MSR_KVM_SYSTEM_TIME;
 +    msrs[n++].index = MSR_KVM_WALL_CLOCK;
 +
 +#ifdef KVM_CAP_MCE
 +    if (env->mcg_cap) {
 +        msrs[n++].index = MSR_MCG_STATUS;
 +        msrs[n++].index = MSR_MCG_CTL;
 +        for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
 +            msrs[n++].index = MSR_MC0_CTL + i;
 +    }
 +#endif
 +
 +    rc = kvm_get_msrs(env, msrs, n);
 +    if (rc == -1) {
 +        perror("kvm_get_msrs FAILED");
 +    } else {
 +        n = rc; /* actual number of MSRs */
 +        for (i=0 ; i<n; i++) {
 +            if (get_msr_entry(&msrs[i], env)) {
 +                return;
 +            }
 +        }
 +    }
 +    kvm_arch_save_mpstate(env);
 +    kvm_save_lapic(env);
 +    kvm_get_vcpu_events(env);
 +    kvm_get_debugregs(env);
 +}
 +
 +static int _kvm_arch_init_vcpu(CPUState *env)
 +{
 +    kvm_arch_reset_vcpu(env);
 +
- #ifdef KVM_CAP_MCE
-     if (((env->cpuid_version >> 8)&0xF) >= 6
-         && (env->cpuid_features&(CPUID_MCE|CPUID_MCA)) == (CPUID_MCE|CPUID_MCA)
-         && kvm_check_extension(kvm_state, KVM_CAP_MCE) > 0) {
-         uint64_t mcg_cap;
-         int banks;
- 
-         if (kvm_get_mce_cap_supported(kvm_context, &mcg_cap, &banks)) {
-             perror("kvm_get_mce_cap_supported FAILED");
-         } else {
-             if (banks > MCE_BANKS_DEF)
-                 banks = MCE_BANKS_DEF;
-             mcg_cap &= MCE_CAP_DEF;
-             mcg_cap |= banks;
-             if (kvm_setup_mce(env, &mcg_cap)) {
-                 perror("kvm_setup_mce FAILED");
-             } else {
-                 env->mcg_cap = mcg_cap;
-             }
-         }
-     }
- #endif
- 
 +#ifdef KVM_EXIT_TPR_ACCESS
 +    kvm_enable_tpr_access_reporting(env);
 +#endif
 +    kvm_reset_mpstate(env);
 +    return 0;
 +}
 +
 +int kvm_arch_halt(CPUState *env)
 +{
 +
 +    if (!((env->interrupt_request & CPU_INTERRUPT_HARD) &&
 +          (env->eflags & IF_MASK)) &&
 +        !(env->interrupt_request & CPU_INTERRUPT_NMI)) {
 +        env->halted = 1;
 +    }
 +    return 1;
 +}
 +
 +int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 +{
 +    if (!kvm_irqchip_in_kernel()) {
 +        kvm_set_cr8(env, cpu_get_apic_tpr(env->apic_state));
 +    }
 +    return 0;
 +}
 +
 +int kvm_arch_has_work(CPUState *env)
 +{
 +    if (((env->interrupt_request & CPU_INTERRUPT_HARD) &&
 +         (env->eflags & IF_MASK)) ||
 +        (env->interrupt_request & CPU_INTERRUPT_NMI)) {
 +        return 1;
 +    }
 +    return 0;
 +}
 +
 +int kvm_arch_try_push_interrupts(void *opaque)
 +{
 +    CPUState *env = cpu_single_env;
 +    int r, irq;
 +
 +    if (kvm_is_ready_for_interrupt_injection(env) &&
 +        (env->interrupt_request & CPU_INTERRUPT_HARD) &&
 +        (env->eflags & IF_MASK)) {
 +        env->interrupt_request &= ~CPU_INTERRUPT_HARD;
 +        irq = cpu_get_pic_interrupt(env);
 +        if (irq >= 0) {
 +            r = kvm_inject_irq(env, irq);
 +            if (r < 0) {
 +                printf("cpu %d fail inject %x\n", env->cpu_index, irq);
 +            }
 +        }
 +    }
 +
 +    return (env->interrupt_request & CPU_INTERRUPT_HARD) != 0;
 +}
 +
 +#ifdef KVM_CAP_USER_NMI
 +void kvm_arch_push_nmi(void *opaque)
 +{
 +    CPUState *env = cpu_single_env;
 +    int r;
 +
 +    if (likely(!(env->interrupt_request & CPU_INTERRUPT_NMI))) {
 +        return;
 +    }
 +
 +    env->interrupt_request &= ~CPU_INTERRUPT_NMI;
 +    r = kvm_inject_nmi(env);
 +    if (r < 0) {
 +        printf("cpu %d fail inject NMI\n", env->cpu_index);
 +    }
 +}
 +#endif /* KVM_CAP_USER_NMI */
 +
 +static int kvm_reset_msrs(CPUState *env)
 +{
 +    struct {
 +        struct kvm_msrs info;
 +        struct kvm_msr_entry entries[100];
 +    } msr_data;
 +    int n;
 +    struct kvm_msr_entry *msrs = msr_data.entries;
 +    uint32_t index;
 +    uint64_t data;
 +
 +    if (!kvm_msr_list) {
 +        return -1;
 +    }
 +
 +    for (n = 0; n < kvm_msr_list->nmsrs; n++) {
 +        index = kvm_msr_list->indices[n];
 +        switch (index) {
 +        case MSR_PAT:
 +            data = 0x0007040600070406ULL;
 +            break;
 +        default:
 +            data = 0;
 +        }
 +        kvm_msr_entry_set(&msrs[n], kvm_msr_list->indices[n], data);
 +    }
 +
 +    msr_data.info.nmsrs = n;
 +
 +    return kvm_vcpu_ioctl(env, KVM_SET_MSRS, &msr_data);
 +}
 +
 +
 +void kvm_arch_cpu_reset(CPUState *env)
 +{
 +    kvm_reset_msrs(env);
 +    kvm_arch_reset_vcpu(env);
 +    kvm_reset_mpstate(env);
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_arch_do_ioperm(void *_data)
 +{
 +    struct ioperm_data *data = _data;
 +    ioperm(data->start_port, data->num, data->turn_on);
 +}
 +#endif
 +
 +/*
 + * Setup x86 specific IRQ routing
 + */
 +int kvm_arch_init_irq_routing(void)
 +{
 +    int i, r;
 +
 +    if (kvm_irqchip && kvm_has_gsi_routing()) {
 +        kvm_clear_gsi_routes();
 +        for (i = 0; i < 8; ++i) {
 +            if (i == 2) {
 +                continue;
 +            }
 +            r = kvm_add_irq_route(i, KVM_IRQCHIP_PIC_MASTER, i);
 +            if (r < 0) {
 +                return r;
 +            }
 +        }
 +        for (i = 8; i < 16; ++i) {
 +            r = kvm_add_irq_route(i, KVM_IRQCHIP_PIC_SLAVE, i - 8);
 +            if (r < 0) {
 +                return r;
 +            }
 +        }
 +        for (i = 0; i < 24; ++i) {
 +            if (i == 0 && irq0override) {
 +                r = kvm_add_irq_route(i, KVM_IRQCHIP_IOAPIC, 2);
 +            } else if (i != 2 || !irq0override) {
 +                r = kvm_add_irq_route(i, KVM_IRQCHIP_IOAPIC, i);
 +            }
 +            if (r < 0) {
 +                return r;
 +            }
 +        }
 +        kvm_commit_irq_routes();
 +    }
 +    return 0;
 +}
 +
 +void kvm_arch_process_irqchip_events(CPUState *env)
 +{
 +    if (env->interrupt_request & CPU_INTERRUPT_INIT) {
 +        kvm_cpu_synchronize_state(env);
 +        do_cpu_init(env);
 +    }
 +    if (env->interrupt_request & CPU_INTERRUPT_SIPI) {
 +        kvm_cpu_synchronize_state(env);
 +        do_cpu_sipi(env);
 +    }
 +}
diff --cc qemu-kvm.c
index 733d0a9,0000000..b14796d
mode 100644,000000..100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@@ -1,2001 -1,0 +1,1944 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#include "config.h"
 +#include "config-host.h"
 +
 +#include <assert.h>
 +#include <string.h>
 +#include "hw/hw.h"
 +#include "sysemu.h"
 +#include "qemu-common.h"
 +#include "console.h"
 +#include "block.h"
 +#include "compatfd.h"
 +#include "gdbstub.h"
 +#include "monitor.h"
 +
 +#include "qemu-kvm.h"
 +#include "libkvm.h"
 +
 +#include <pthread.h>
 +#include <sys/utsname.h>
 +#include <sys/syscall.h>
 +#include <sys/mman.h>
 +#include <sys/ioctl.h>
 +#include "compatfd.h"
 +#include <sys/prctl.h>
 +
 +#define false 0
 +#define true 1
 +
 +#ifndef PR_MCE_KILL
 +#define PR_MCE_KILL 33
 +#endif
 +
 +#ifndef BUS_MCEERR_AR
 +#define BUS_MCEERR_AR 4
 +#endif
 +#ifndef BUS_MCEERR_AO
 +#define BUS_MCEERR_AO 5
 +#endif
 +
 +#define EXPECTED_KVM_API_VERSION 12
 +
 +#if EXPECTED_KVM_API_VERSION != KVM_API_VERSION
 +#error libkvm: userspace and kernel version mismatch
 +#endif
 +
 +int kvm_irqchip = 1;
 +int kvm_pit = 1;
 +int kvm_pit_reinject = 1;
 +int kvm_nested = 0;
 +
 +
 +KVMState *kvm_state;
 +kvm_context_t kvm_context;
 +
 +pthread_mutex_t qemu_mutex = PTHREAD_MUTEX_INITIALIZER;
 +pthread_cond_t qemu_vcpu_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_system_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_pause_cond = PTHREAD_COND_INITIALIZER;
 +pthread_cond_t qemu_work_cond = PTHREAD_COND_INITIALIZER;
 +__thread CPUState *current_env;
 +
 +static int qemu_system_ready;
 +
 +#define SIG_IPI (SIGRTMIN+4)
 +
 +pthread_t io_thread;
 +static int io_thread_sigfd = -1;
 +
 +static CPUState *kvm_debug_cpu_requested;
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +/* The list of ioperm_data */
 +static QLIST_HEAD(, ioperm_data) ioperm_head;
 +#endif
 +
 +#define ALIGN(x, y) (((x)+(y)-1) & ~((y)-1))
 +
 +int kvm_abi = EXPECTED_KVM_API_VERSION;
 +int kvm_page_size;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +static int kvm_debug(CPUState *env,
 +                     struct kvm_debug_exit_arch *arch_info)
 +{
 +    int handle = kvm_arch_debug(arch_info);
 +
 +    if (handle) {
 +        kvm_debug_cpu_requested = env;
 +        env->stopped = 1;
 +    }
 +    return handle;
 +}
 +#endif
 +
 +static int handle_unhandled(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: unhandled exit %" PRIx64 "\n", reason);
 +    return -EINVAL;
 +}
 +
 +#define VMX_INVALID_GUEST_STATE 0x80000021
 +
 +static int handle_failed_vmentry(uint64_t reason)
 +{
 +    fprintf(stderr, "kvm: vm entry failed with error 0x%" PRIx64 "\n\n", reason);
 +
 +    /* Perhaps we will need to check if this machine is intel since exit reason 0x21
 +       has a different interpretation on SVM */
 +    if (reason == VMX_INVALID_GUEST_STATE) {
 +        fprintf(stderr, "If you're runnning a guest on an Intel machine without\n");
 +        fprintf(stderr, "unrestricted mode support, the failure can be most likely\n");
 +        fprintf(stderr, "due to the guest entering an invalid state for Intel VT.\n");
 +        fprintf(stderr, "For example, the guest maybe running in big real mode\n");
 +        fprintf(stderr, "which is not supported on less recent Intel processors.\n\n");
 +    }
 +
 +    return -EINVAL;
 +}
 +
 +static inline void set_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] |= 1U << (gsi % 32);
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static inline void clear_gsi(kvm_context_t kvm, unsigned int gsi)
 +{
 +    uint32_t *bitmap = kvm->used_gsi_bitmap;
 +
 +    if (gsi < kvm->max_gsi)
 +        bitmap[gsi / 32] &= ~(1U << (gsi % 32));
 +    else
 +        DPRINTF("Invalid GSI %u\n", gsi);
 +}
 +
 +static int kvm_create_context(void);
 +
 +int kvm_init(int smp_cpus)
 +{
 +    int fd;
 +    int r, gsi_count;
 +
 +
 +    fd = open("/dev/kvm", O_RDWR);
 +    if (fd == -1) {
 +        perror("open /dev/kvm");
 +        return -1;
 +    }
 +    r = ioctl(fd, KVM_GET_API_VERSION, 0);
 +    if (r == -1) {
 +        fprintf(stderr,
 +                "kvm kernel version too old: "
 +                "KVM_GET_API_VERSION ioctl not supported\n");
 +        goto out_close;
 +    }
 +    if (r < EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm kernel version too old: "
 +                "We expect API version %d or newer, but got "
 +                "version %d\n", EXPECTED_KVM_API_VERSION, r);
 +        goto out_close;
 +    }
 +    if (r > EXPECTED_KVM_API_VERSION) {
 +        fprintf(stderr, "kvm userspace version too old\n");
 +        goto out_close;
 +    }
 +    kvm_abi = r;
 +    kvm_page_size = getpagesize();
 +    kvm_state = qemu_mallocz(sizeof(*kvm_state));
 +    kvm_context = &kvm_state->kvm_context;
 +
 +    kvm_state->fd = fd;
 +    kvm_state->vmfd = -1;
 +    kvm_context->opaque = cpu_single_env;
 +    kvm_context->dirty_pages_log_all = 0;
 +    kvm_context->no_irqchip_creation = 0;
 +    kvm_context->no_pit_creation = 0;
 +
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_INIT(&kvm_state->kvm_sw_breakpoints);
 +#endif
 +
 +    gsi_count = kvm_get_gsi_count(kvm_context);
 +    if (gsi_count > 0) {
 +        int gsi_bits, i;
 +
 +        /* Round up so we can search ints using ffs */
 +        gsi_bits = ALIGN(gsi_count, 32);
 +        kvm_context->used_gsi_bitmap = qemu_mallocz(gsi_bits / 8);
 +        kvm_context->max_gsi = gsi_bits;
 +
 +        /* Mark any over-allocated bits as already in use */
 +        for (i = gsi_count; i < gsi_bits; i++) {
 +            set_gsi(kvm_context, i);
 +        }
 +    }
 +
 +    kvm_cpu_register_phys_memory_client();
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    return kvm_create_context();
 +
 +  out_close:
 +    close(fd);
 +    return -1;
 +}
 +
 +static void kvm_finalize(KVMState *s)
 +{
 +    /* FIXME
 +       if (kvm->vcpu_fd[0] != -1)
 +           close(kvm->vcpu_fd[0]);
 +       if (kvm->vm_fd != -1)
 +           close(kvm->vm_fd);
 +     */
 +    close(s->fd);
 +    free(s);
 +}
 +
 +void kvm_disable_irqchip_creation(kvm_context_t kvm)
 +{
 +    kvm->no_irqchip_creation = 1;
 +}
 +
 +void kvm_disable_pit_creation(kvm_context_t kvm)
 +{
 +    kvm->no_pit_creation = 1;
 +}
 +
 +static void kvm_reset_vcpu(void *opaque)
 +{
 +    CPUState *env = opaque;
 +
 +    kvm_arch_cpu_reset(env);
 +}
 +
 +static void kvm_create_vcpu(CPUState *env, int id)
 +{
 +    long mmap_size;
 +    int r;
 +    KVMState *s = kvm_state;
 +
 +    r = kvm_vm_ioctl(kvm_state, KVM_CREATE_VCPU, id);
 +    if (r < 0) {
 +        fprintf(stderr, "kvm_create_vcpu: %m\n");
 +        fprintf(stderr, "Failed to create vCPU. Check the -smp parameter.\n");
 +        goto err;
 +    }
 +
 +    env->kvm_fd = r;
 +    env->kvm_state = kvm_state;
 +
 +    mmap_size = kvm_ioctl(kvm_state, KVM_GET_VCPU_MMAP_SIZE, 0);
 +    if (mmap_size < 0) {
 +        fprintf(stderr, "get vcpu mmap size: %m\n");
 +        goto err_fd;
 +    }
 +    env->kvm_run =
 +        mmap(NULL, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, env->kvm_fd,
 +             0);
 +    if (env->kvm_run == MAP_FAILED) {
 +        fprintf(stderr, "mmap vcpu area: %m\n");
 +        goto err_fd;
 +    }
 +
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    if (s->coalesced_mmio && !s->coalesced_mmio_ring)
 +        s->coalesced_mmio_ring = (void *) env->kvm_run +
 +               s->coalesced_mmio * PAGE_SIZE;
 +#endif
 +
 +    r = kvm_arch_init_vcpu(env);
 +    if (r == 0) {
 +        qemu_register_reset(kvm_reset_vcpu, env);
 +    }
 +
 +    return;
 +  err_fd:
 +    close(env->kvm_fd);
 +  err:
 +    /* We're no good with semi-broken states. */
 +    abort();
 +}
 +
 +static int kvm_set_boot_vcpu_id(kvm_context_t kvm, uint32_t id)
 +{
 +#ifdef KVM_CAP_SET_BOOT_CPU_ID
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_BOOT_CPU_ID);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_SET_BOOT_CPU_ID, id);
 +    }
 +    return -ENOSYS;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_create_vm(kvm_context_t kvm)
 +{
 +    int fd;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm->irq_routes = qemu_mallocz(sizeof(*kvm->irq_routes));
 +    kvm->nr_allocated_irq_routes = 0;
 +#endif
 +
 +    fd = kvm_ioctl(kvm_state, KVM_CREATE_VM, 0);
 +    if (fd < 0) {
 +        fprintf(stderr, "kvm_create_vm: %m\n");
 +        return -1;
 +    }
 +    kvm_state->vmfd = fd;
 +    return 0;
 +}
 +
 +static int kvm_create_default_phys_mem(kvm_context_t kvm,
 +                                       unsigned long phys_mem_bytes,
 +                                       void **vm_mem)
 +{
 +#ifdef KVM_CAP_USER_MEMORY
 +    int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_USER_MEMORY);
 +    if (r > 0)
 +        return 0;
 +    fprintf(stderr,
 +            "Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported\n");
 +#else
 +#error Hypervisor too old: KVM_CAP_USER_MEMORY extension not supported
 +#endif
 +    return -1;
 +}
 +
 +void kvm_create_irqchip(kvm_context_t kvm)
 +{
 +    int r;
 +
 +    kvm->irqchip_in_kernel = 0;
 +#ifdef KVM_CAP_IRQCHIP
 +    if (!kvm->no_irqchip_creation) {
 +        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_IRQCHIP);
 +        if (r > 0) {            /* kernel irqchip supported */
 +            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_IRQCHIP);
 +            if (r >= 0) {
 +                kvm->irqchip_inject_ioctl = KVM_IRQ_LINE;
 +#if defined(KVM_CAP_IRQ_INJECT_STATUS) && defined(KVM_IRQ_LINE_STATUS)
 +                r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
 +                              KVM_CAP_IRQ_INJECT_STATUS);
 +                if (r > 0) {
 +                    kvm->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
 +                }
 +#endif
 +                kvm->irqchip_in_kernel = 1;
 +            } else
 +                fprintf(stderr, "Create kernel PIC irqchip failed\n");
 +        }
 +    }
 +#endif
 +    kvm_state->irqchip_in_kernel = kvm->irqchip_in_kernel;
 +}
 +
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes, void **vm_mem)
 +{
 +    int r, i;
 +
 +    r = kvm_create_vm(kvm);
 +    if (r < 0) {
 +        return r;
 +    }
 +    r = kvm_arch_create(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++) {
 +        kvm_state->slots[i].slot = i;
 +    }
 +
 +    r = kvm_create_default_phys_mem(kvm, phys_mem_bytes, vm_mem);
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_create_irqchip(kvm);
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status)
 +{
 +    struct kvm_irq_level event;
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    event.level = level;
 +    event.irq = irq;
 +    r = kvm_vm_ioctl(kvm_state, kvm->irqchip_inject_ioctl, &event);
 +    if (r < 0) {
 +        perror("kvm_set_irq_level");
 +    }
 +
 +    if (status) {
 +#ifdef KVM_CAP_IRQ_INJECT_STATUS
 +        *status =
 +            (kvm->irqchip_inject_ioctl == KVM_IRQ_LINE) ? 1 : event.status;
 +#else
 +        *status = 1;
 +#endif
 +    }
 +
 +    return 1;
 +}
 +
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_GET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_get_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 +{
 +    int r;
 +
 +    if (!kvm->irqchip_in_kernel) {
 +        return 0;
 +    }
 +    r = kvm_vm_ioctl(kvm_state, KVM_SET_IRQCHIP, chip);
 +    if (r < 0) {
 +        perror("kvm_set_irqchip\n");
 +    }
 +    return r;
 +}
 +
 +#endif
 +
 +static int handle_debug(CPUState *env)
 +{
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    struct kvm_run *run = env->kvm_run;
 +
 +    return kvm_debug(env, &run->debug.arch);
 +#else
 +    return 0;
 +#endif
 +}
 +
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_REGS, regs);
 +}
 +
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_REGS, regs);
 +}
 +
 +int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_FPU, fpu);
 +}
 +
 +int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_FPU, fpu);
 +}
 +
 +int kvm_get_sregs(CPUState *env, struct kvm_sregs *sregs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_SREGS, sregs);
 +}
 +
 +int kvm_set_sregs(CPUState *env, struct kvm_sregs *sregs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_SREGS, sregs);
 +}
 +
 +#ifdef KVM_CAP_MP_STATE
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
 +{
 +    int r;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
 +    if (r > 0) {
 +        return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, mp_state);
 +    }
 +    return -ENOSYS;
 +}
 +#endif
 +
 +#ifdef KVM_CAP_XSAVE
 +int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
 +}
 +
 +int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
 +}
 +#endif
 +
 +#ifdef KVM_CAP_XCRS
 +int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_GET_XCRS, xcrs);
 +}
 +
 +int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs)
 +{
 +    return kvm_vcpu_ioctl(env, KVM_SET_XCRS, xcrs);
 +}
 +#endif
 +
 +static int handle_mmio(CPUState *env)
 +{
 +    unsigned long addr = env->kvm_run->mmio.phys_addr;
 +    struct kvm_run *kvm_run = env->kvm_run;
 +    void *data = kvm_run->mmio.data;
 +
 +    /* hack: Red Hat 7.1 generates these weird accesses. */
 +    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3) {
 +        return 0;
 +    }
 +
 +    cpu_physical_memory_rw(addr, data, kvm_run->mmio.len, kvm_run->mmio.is_write);
 +    return 0;
 +}
 +
 +int handle_io_window(kvm_context_t kvm)
 +{
 +    return 1;
 +}
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env)
 +{
 +    /* stop the current vcpu from going back to guest mode */
 +    env->stopped = 1;
 +
 +    qemu_system_reset_request();
 +    return 1;
 +}
 +
 +static inline void push_nmi(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    kvm_arch_push_nmi(kvm->opaque);
 +#endif                          /* KVM_CAP_USER_NMI */
 +}
 +
 +void post_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    kvm_arch_post_run(env, env->kvm_run);
 +    cpu_single_env = env;
 +}
 +
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env)
 +{
 +    kvm_arch_pre_run(env, env->kvm_run);
 +
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +int kvm_is_ready_for_interrupt_injection(CPUState *env)
 +{
 +    return env->kvm_run->ready_for_interrupt_injection;
 +}
 +
 +int kvm_run(CPUState *env)
 +{
 +    int r;
 +    kvm_context_t kvm = &env->kvm_state->kvm_context;
 +    struct kvm_run *run = env->kvm_run;
 +    int fd = env->kvm_fd;
 +
 +  again:
 +    if (env->kvm_vcpu_dirty) {
 +        kvm_arch_load_regs(env, KVM_PUT_RUNTIME_STATE);
 +        env->kvm_vcpu_dirty = 0;
 +    }
 +    push_nmi(kvm);
 +#if !defined(__s390__)
 +    if (!kvm->irqchip_in_kernel) {
 +        run->request_interrupt_window = kvm_arch_try_push_interrupts(env);
 +    }
 +#endif
 +
 +    r = pre_kvm_run(kvm, env);
 +    if (r) {
 +        return r;
 +    }
 +    if (env->exit_request) {
 +        env->exit_request = 0;
 +        pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    }
 +    r = ioctl(fd, KVM_RUN, 0);
 +
 +    if (r == -1 && errno != EINTR && errno != EAGAIN) {
 +        r = -errno;
 +        post_kvm_run(kvm, env);
 +        fprintf(stderr, "kvm_run: %s\n", strerror(-r));
 +        return r;
 +    }
 +
 +    post_kvm_run(kvm, env);
 +
 +    kvm_flush_coalesced_mmio_buffer();
 +
 +#if !defined(__s390__)
 +    if (r == -1) {
 +        r = handle_io_window(kvm);
 +        goto more;
 +    }
 +#endif
 +    if (1) {
 +        switch (run->exit_reason) {
 +        case KVM_EXIT_UNKNOWN:
 +            r = handle_unhandled(run->hw.hardware_exit_reason);
 +            break;
 +        case KVM_EXIT_FAIL_ENTRY:
 +            r = handle_failed_vmentry(run->fail_entry.hardware_entry_failure_reason);
 +            break;
 +        case KVM_EXIT_EXCEPTION:
 +            fprintf(stderr, "exception %d (%x)\n", run->ex.exception,
 +                    run->ex.error_code);
 +            kvm_show_regs(env);
 +            kvm_show_code(env);
 +            abort();
 +            break;
 +        case KVM_EXIT_IO:
 +            r = kvm_handle_io(run->io.port,
 +                                (uint8_t *)run + run->io.data_offset,
 +                                run->io.direction,
 +                                run->io.size,
 +                                run->io.count);
 +            r = 0;
 +            break;
 +        case KVM_EXIT_DEBUG:
 +            r = handle_debug(env);
 +            break;
 +        case KVM_EXIT_MMIO:
 +            r = handle_mmio(env);
 +            break;
 +        case KVM_EXIT_HLT:
 +            r = kvm_arch_halt(env);
 +            break;
 +        case KVM_EXIT_IRQ_WINDOW_OPEN:
 +            break;
 +        case KVM_EXIT_SHUTDOWN:
 +            r = handle_shutdown(kvm, env);
 +            break;
 +#if defined(__s390__)
 +        case KVM_EXIT_S390_SIEIC:
 +            r = kvm_s390_handle_intercept(kvm, env, run);
 +            break;
 +        case KVM_EXIT_S390_RESET:
 +            r = kvm_s390_handle_reset(kvm, env, run);
 +            break;
 +#endif
 +	case KVM_EXIT_INTERNAL_ERROR:
 +            kvm_handle_internal_error(env, run);
 +            r = 1;
 +	    break;
 +        default:
 +            if (kvm_arch_run(env)) {
 +                fprintf(stderr, "unhandled vm exit: 0x%x\n", run->exit_reason);
 +                kvm_show_regs(env);
 +                abort();
 +            }
 +            break;
 +        }
 +    }
 +more:
 +    if (!r) {
 +        goto again;
 +    }
 +    return r;
 +}
 +
 +int kvm_inject_irq(CPUState *env, unsigned irq)
 +{
 +    struct kvm_interrupt intr;
 +
 +    intr.irq = irq;
 +    return kvm_vcpu_ioctl(env, KVM_INTERRUPT, &intr);
 +}
 +
 +int kvm_inject_nmi(CPUState *env)
 +{
 +#ifdef KVM_CAP_USER_NMI
 +    return kvm_vcpu_ioctl(env, KVM_NMI);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_init_coalesced_mmio(kvm_context_t kvm)
 +{
 +    int r = 0;
 +    kvm_state->coalesced_mmio = 0;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_COALESCED_MMIO);
 +    if (r > 0) {
 +        kvm_state->coalesced_mmio = r;
 +        return 0;
 +    }
 +#endif
 +    return r;
 +}
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +
 +static int kvm_old_assign_irq(kvm_context_t kvm,
 +                              struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_IRQ, assigned_irq);
 +}
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    int ret;
 +
 +    ret = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_ASSIGN_DEV_IRQ);
 +    if (ret > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_DEV_IRQ, assigned_irq);
 +    }
 +
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_DEV_IRQ, assigned_irq);
 +}
 +#else
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq)
 +{
 +    return kvm_old_assign_irq(kvm, assigned_irq);
 +}
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_DEASSIGN_PCI_DEVICE, assigned_dev);
 +}
 +#endif
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject)
 +{
 +#ifdef KVM_CAP_REINJECT_CONTROL
 +    int r;
 +    struct kvm_reinject_control control;
 +
 +    control.pit_reinject = pit_reinject;
 +
 +    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_REINJECT_CONTROL);
 +    if (r > 0) {
 +        return kvm_vm_ioctl(kvm_state, KVM_REINJECT_CONTROL, &control);
 +    }
 +#endif
 +    return -ENOSYS;
 +}
 +
 +int kvm_has_gsi_routing(void)
 +{
 +    int r = 0;
 +
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    r = kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#endif
 +    return r;
 +}
 +
 +int kvm_get_gsi_count(kvm_context_t kvm)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    return kvm_check_extension(kvm_state, KVM_CAP_IRQ_ROUTING);
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_clear_gsi_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->nr = 0;
 +    return 0;
 +#else
 +    return -EINVAL;
 +#endif
 +}
 +
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing *z;
 +    struct kvm_irq_routing_entry *new;
 +    int n, size;
 +
 +    if (kvm->irq_routes->nr == kvm->nr_allocated_irq_routes) {
 +        n = kvm->nr_allocated_irq_routes * 2;
 +        if (n < 64) {
 +            n = 64;
 +        }
 +        size = sizeof(struct kvm_irq_routing);
 +        size += n * sizeof(*new);
 +        z = realloc(kvm->irq_routes, size);
 +        if (!z) {
 +            return -ENOMEM;
 +        }
 +        kvm->nr_allocated_irq_routes = n;
 +        kvm->irq_routes = z;
 +    }
 +    n = kvm->irq_routes->nr++;
 +    new = &kvm->irq_routes->entries[n];
 +    memset(new, 0, sizeof(*new));
 +    new->gsi = entry->gsi;
 +    new->type = entry->type;
 +    new->flags = entry->flags;
 +    new->u = entry->u;
 +
 +    set_gsi(kvm, entry->gsi);
 +
 +    return 0;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_add_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_add_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e, *p;
 +    int i, gsi, found = 0;
 +
 +    gsi = entry->gsi;
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type == entry->type && e->gsi == gsi) {
 +            switch (e->type) {
 +            case KVM_IRQ_ROUTING_IRQCHIP:{
 +                    if (e->u.irqchip.irqchip ==
 +                        entry->u.irqchip.irqchip
 +                        && e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            case KVM_IRQ_ROUTING_MSI:{
 +                    if (e->u.msi.address_lo ==
 +                        entry->u.msi.address_lo
 +                        && e->u.msi.address_hi ==
 +                        entry->u.msi.address_hi
 +                        && e->u.msi.data == entry->u.msi.data) {
 +                        p = &kvm->irq_routes->entries[--kvm->irq_routes->nr];
 +                        *e = *p;
 +                        found = 1;
 +                    }
 +                    break;
 +                }
 +            default:
 +                break;
 +            }
 +            if (found) {
 +                /* If there are no other users of this GSI
 +                 * mark it available in the bitmap */
 +                for (i = 0; i < kvm->irq_routes->nr; i++) {
 +                    e = &kvm->irq_routes->entries[i];
 +                    if (e->gsi == gsi)
 +                        break;
 +                }
 +                if (i == kvm->irq_routes->nr) {
 +                    clear_gsi(kvm, gsi);
 +                }
 +
 +                return 0;
 +            }
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +    struct kvm_irq_routing_entry *e;
 +    int i;
 +
 +    if (entry->gsi != newentry->gsi || entry->type != newentry->type) {
 +        return -EINVAL;
 +    }
 +
 +    for (i = 0; i < kvm->irq_routes->nr; ++i) {
 +        e = &kvm->irq_routes->entries[i];
 +        if (e->type != entry->type || e->gsi != entry->gsi) {
 +            continue;
 +        }
 +        switch (e->type) {
 +        case KVM_IRQ_ROUTING_IRQCHIP:
 +            if (e->u.irqchip.irqchip == entry->u.irqchip.irqchip &&
 +                e->u.irqchip.pin == entry->u.irqchip.pin) {
 +                memcpy(&e->u.irqchip, &newentry->u.irqchip,
 +                       sizeof e->u.irqchip);
 +                return 0;
 +            }
 +            break;
 +        case KVM_IRQ_ROUTING_MSI:
 +            if (e->u.msi.address_lo == entry->u.msi.address_lo &&
 +                e->u.msi.address_hi == entry->u.msi.address_hi &&
 +                e->u.msi.data == entry->u.msi.data) {
 +                memcpy(&e->u.msi, &newentry->u.msi, sizeof e->u.msi);
 +                return 0;
 +            }
 +            break;
 +        default:
 +            break;
 +        }
 +    }
 +    return -ESRCH;
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_del_irq_route(int gsi, int irqchip, int pin)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing_entry e;
 +
 +    e.gsi = gsi;
 +    e.type = KVM_IRQ_ROUTING_IRQCHIP;
 +    e.flags = 0;
 +    e.u.irqchip.irqchip = irqchip;
 +    e.u.irqchip.pin = pin;
 +    return kvm_del_routing_entry(&e);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_commit_irq_routes(void)
 +{
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    kvm_context_t kvm = kvm_context;
 +
 +    kvm->irq_routes->flags = 0;
 +    return kvm_vm_ioctl(kvm_state, KVM_SET_GSI_ROUTING, kvm->irq_routes);
 +#else
 +    return -ENOSYS;
 +#endif
 +}
 +
 +int kvm_get_irq_route_gsi(void)
 +{
 +    kvm_context_t kvm = kvm_context;
 +    int i, bit;
 +    uint32_t *buf = kvm->used_gsi_bitmap;
 +
 +    /* Return the lowest unused GSI in the bitmap */
 +    for (i = 0; i < kvm->max_gsi / 32; i++) {
 +        bit = ffs(~buf[i]);
 +        if (!bit) {
 +            continue;
 +        }
 +
 +        return bit - 1 + i * 32;
 +    }
 +
 +    return -ENOSPC;
 +}
 +
 +static void kvm_msix_routing_entry(struct kvm_irq_routing_entry *e,
 +                                   uint32_t gsi, uint32_t addr_lo,
 +                                   uint32_t addr_hi, uint32_t data)
 +
 +{
 +    e->gsi = gsi;
 +    e->type = KVM_IRQ_ROUTING_MSI;
 +    e->flags = 0;
 +    e->u.msi.address_lo = addr_lo;
 +    e->u.msi.address_hi = addr_hi;
 +    e->u.msi.data = data;
 +}
 +
 +int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_add_routing_entry(&e);
 +}
 +
 +int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
 +                        uint32_t addr_hi, uint32_t data)
 +{
 +    struct kvm_irq_routing_entry e;
 +
 +    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
 +    return kvm_del_routing_entry(&e);
 +}
 +
 +int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
 +                    uint32_t old_addr_hi, uint32_t old_data,
 +                    uint32_t new_gsi, uint32_t new_addr_lo,
 +                    uint32_t new_addr_hi, uint32_t new_data)
 +{
 +    struct kvm_irq_routing_entry e1, e2;
 +
 +    kvm_msix_routing_entry(&e1, old_gsi, old_addr_lo, old_addr_hi, old_data);
 +    kvm_msix_routing_entry(&e2, new_gsi, new_addr_lo, new_addr_hi, new_data);
 +    return kvm_update_routing_entry(&e1, &e2);
 +}
 +
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_NR, msix_nr);
 +}
 +
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry)
 +{
 +    return kvm_vm_ioctl(kvm_state, KVM_ASSIGN_SET_MSIX_ENTRY, entry);
 +}
 +#endif
 +
 +#if defined(KVM_CAP_IRQFD) && defined(CONFIG_EVENTFD)
 +
 +#include <sys/eventfd.h>
 +
 +static int _kvm_irqfd(kvm_context_t kvm, int fd, int gsi, int flags)
 +{
 +    struct kvm_irqfd data = {
 +        .fd = fd,
 +        .gsi = gsi,
 +        .flags = flags,
 +    };
 +
 +    return kvm_vm_ioctl(kvm_state, KVM_IRQFD, &data);
 +}
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    int r;
 +    int fd;
 +
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_IRQFD))
 +        return -ENOENT;
 +
 +    fd = eventfd(0, 0);
 +    if (fd < 0) {
 +        return -errno;
 +    }
 +
 +    r = _kvm_irqfd(kvm, fd, gsi, 0);
 +    if (r < 0) {
 +        close(fd);
 +        return -errno;
 +    }
 +
 +    return fd;
 +}
 +
 +#else                           /* KVM_CAP_IRQFD */
 +
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
 +{
 +    return -ENOSYS;
 +}
 +
 +#endif                          /* KVM_CAP_IRQFD */
 +unsigned long kvm_get_thread_id(void)
 +{
 +    return syscall(SYS_gettid);
 +}
 +
 +static void qemu_cond_wait(pthread_cond_t *cond)
 +{
 +    CPUState *env = cpu_single_env;
 +
 +    pthread_cond_wait(cond, &qemu_mutex);
 +    cpu_single_env = env;
 +}
 +
 +static void sig_ipi_handler(int n)
 +{
 +}
 +
 +static void hardware_memory_error(void)
 +{
 +    fprintf(stderr, "Hardware memory error!\n");
 +    exit(1);
 +}
 +
 +static void sigbus_reraise(void)
 +{
 +    sigset_t set;
 +    struct sigaction action;
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_handler = SIG_DFL;
 +    if (!sigaction(SIGBUS, &action, NULL)) {
 +        raise(SIGBUS);
 +        sigemptyset(&set);
 +        sigaddset(&set, SIGBUS);
 +        sigprocmask(SIG_UNBLOCK, &set, NULL);
 +    }
 +    perror("Failed to re-raise SIGBUS!\n");
 +    abort();
 +}
 +
 +static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
 +                           void *ctx)
 +{
 +#if defined(KVM_CAP_MCE) && defined(TARGET_I386)
 +    if ((first_cpu->mcg_cap & MCG_SER_P) && siginfo->ssi_addr
 +        && siginfo->ssi_code == BUS_MCEERR_AO) {
 +        uint64_t status;
 +        void *vaddr;
 +        ram_addr_t ram_addr;
 +        unsigned long paddr;
-         CPUState *cenv;
++        //CPUState *cenv;
 +
 +        /* Hope we are lucky for AO MCE */
 +        vaddr = (void *)(intptr_t)siginfo->ssi_addr;
 +        if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
 +            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
 +            fprintf(stderr, "Hardware memory error for memory used by "
 +                    "QEMU itself instead of guest system!: %llx\n",
 +                    (unsigned long long)siginfo->ssi_addr);
 +            return;
 +        }
 +        status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
 +            | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
 +            | 0xc0;
++#if 0
 +        kvm_inject_x86_mce(first_cpu, 9, status,
 +                           MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
 +                           (MCM_ADDR_PHYS << 6) | 0xc, 1);
 +        for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
 +            kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
 +                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
 +        }
++#endif
 +    } else
 +#endif
 +    {
 +        if (siginfo->ssi_code == BUS_MCEERR_AO) {
 +            return;
 +        } else if (siginfo->ssi_code == BUS_MCEERR_AR) {
 +            hardware_memory_error();
 +        } else {
 +            sigbus_reraise();
 +        }
 +    }
 +}
 +
 +static void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
 +{
 +    struct qemu_work_item wi;
 +
 +    if (env == current_env) {
 +        func(data);
 +        return;
 +    }
 +
 +    wi.func = func;
 +    wi.data = data;
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        env->kvm_cpu_state.queued_work_first = &wi;
 +    } else {
 +        env->kvm_cpu_state.queued_work_last->next = &wi;
 +    }
 +    env->kvm_cpu_state.queued_work_last = &wi;
 +    wi.next = NULL;
 +    wi.done = false;
 +
 +    pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +    while (!wi.done) {
 +        qemu_cond_wait(&qemu_work_cond);
 +    }
 +}
 +
 +static void do_kvm_cpu_synchronize_state(void *_env)
 +{
 +    CPUState *env = _env;
 +
 +    if (!env->kvm_vcpu_dirty) {
 +        kvm_arch_save_regs(env);
 +        env->kvm_vcpu_dirty = 1;
 +    }
 +}
 +
 +void kvm_cpu_synchronize_state(CPUState *env)
 +{
 +    if (!env->kvm_vcpu_dirty) {
 +        on_vcpu(env, do_kvm_cpu_synchronize_state, env);
 +    }
 +}
 +
 +void kvm_cpu_synchronize_post_reset(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_RESET_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +void kvm_cpu_synchronize_post_init(CPUState *env)
 +{
 +    kvm_arch_load_regs(env, KVM_PUT_FULL_STATE);
 +    env->kvm_vcpu_dirty = 0;
 +}
 +
 +static void inject_interrupt(void *data)
 +{
 +    cpu_interrupt(current_env, (long) data);
 +}
 +
 +void kvm_inject_interrupt(CPUState *env, int mask)
 +{
 +    on_vcpu(env, inject_interrupt, (void *) (long) mask);
 +}
 +
 +void kvm_update_interrupt_request(CPUState *env)
 +{
 +    int signal = 0;
 +
 +    if (env) {
 +        if (!current_env || !current_env->created) {
 +            signal = 1;
 +        }
 +        /*
 +         * Testing for created here is really redundant
 +         */
 +        if (current_env && current_env->created &&
 +            env != current_env && !env->kvm_cpu_state.signalled) {
 +            signal = 1;
 +        }
 +
 +        if (signal) {
 +            env->kvm_cpu_state.signalled = 1;
 +            if (env->kvm_cpu_state.thread) {
 +                pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
 +            }
 +        }
 +    }
 +}
 +
 +int kvm_cpu_exec(CPUState *env)
 +{
 +    int r;
 +
 +    r = kvm_run(env);
 +    if (r < 0) {
 +        printf("kvm_run returned %d\n", r);
 +        vm_stop(0);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_cpu_is_stopped(CPUState *env)
 +{
 +    return !vm_running || env->stopped;
 +}
 +
 +static void flush_queued_work(CPUState *env)
 +{
 +    struct qemu_work_item *wi;
 +
 +    if (!env->kvm_cpu_state.queued_work_first) {
 +        return;
 +    }
 +
 +    while ((wi = env->kvm_cpu_state.queued_work_first)) {
 +        env->kvm_cpu_state.queued_work_first = wi->next;
 +        wi->func(wi->data);
 +        wi->done = true;
 +    }
 +    env->kvm_cpu_state.queued_work_last = NULL;
 +    pthread_cond_broadcast(&qemu_work_cond);
 +}
 +
 +static int kvm_mce_in_exception(CPUState *env)
 +{
 +    struct kvm_msr_entry msr_mcg_status = {
 +        .index = MSR_MCG_STATUS,
 +    };
 +    int r;
 +
 +    r = kvm_get_msrs(env, &msr_mcg_status, 1);
 +    if (r == -1 || r == 0) {
 +        return -1;
 +    }
 +    return !!(msr_mcg_status.data & MCG_STATUS_MCIP);
 +}
 +
 +static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
 +{
 +#if defined(KVM_CAP_MCE) && defined(TARGET_I386)
 +    struct kvm_x86_mce mce = {
 +            .bank = 9,
 +    };
 +    void *vaddr;
 +    ram_addr_t ram_addr;
 +    unsigned long paddr;
 +    int r;
 +
 +    if ((env->mcg_cap & MCG_SER_P) && siginfo->si_addr
 +        && (siginfo->si_code == BUS_MCEERR_AR
 +            || siginfo->si_code == BUS_MCEERR_AO)) {
 +        if (siginfo->si_code == BUS_MCEERR_AR) {
 +            /* Fake an Intel architectural Data Load SRAR UCR */
 +            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
 +                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
 +                | MCI_STATUS_AR | 0x134;
 +            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
 +            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV;
 +        } else {
 +            /*
 +             * If there is an MCE excpetion being processed, ignore
 +             * this SRAO MCE
 +             */
 +            r = kvm_mce_in_exception(env);
 +            if (r == -1) {
 +                fprintf(stderr, "Failed to get MCE status\n");
 +            } else if (r) {
 +                return;
 +            }
 +            /* Fake an Intel architectural Memory scrubbing UCR */
 +            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
 +                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
 +                | 0xc0;
 +            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
 +            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
 +        }
 +        vaddr = (void *)siginfo->si_addr;
 +        if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
 +            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
 +            fprintf(stderr, "Hardware memory error for memory used by "
 +                    "QEMU itself instead of guest system!\n");
 +            /* Hope we are lucky for AO MCE */
 +            if (siginfo->si_code == BUS_MCEERR_AO) {
 +                return;
 +            } else {
 +                hardware_memory_error();
 +            }
 +        }
 +        mce.addr = paddr;
-         r = kvm_set_mce(env, &mce);
++//      r = kvm_set_mce(env, &mce);
++	r = 0;
 +        if (r < 0) {
 +            fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
 +            abort();
 +        }
 +    } else
 +#endif
 +    {
 +        if (siginfo->si_code == BUS_MCEERR_AO) {
 +            return;
 +        } else if (siginfo->si_code == BUS_MCEERR_AR) {
 +            hardware_memory_error();
 +        } else {
 +            sigbus_reraise();
 +        }
 +    }
 +}
 +
 +static void kvm_main_loop_wait(CPUState *env, int timeout)
 +{
 +    struct timespec ts;
 +    int r, e;
 +    siginfo_t siginfo;
 +    sigset_t waitset;
 +    sigset_t chkset;
 +
 +    ts.tv_sec = timeout / 1000;
 +    ts.tv_nsec = (timeout % 1000) * 1000000;
 +    sigemptyset(&waitset);
 +    sigaddset(&waitset, SIG_IPI);
 +    sigaddset(&waitset, SIGBUS);
 +
 +    do {
 +        pthread_mutex_unlock(&qemu_mutex);
 +
 +        r = sigtimedwait(&waitset, &siginfo, &ts);
 +        e = errno;
 +
 +        pthread_mutex_lock(&qemu_mutex);
 +
 +        if (r == -1 && !(e == EAGAIN || e == EINTR)) {
 +            printf("sigtimedwait: %s\n", strerror(e));
 +            exit(1);
 +        }
 +
 +        switch (r) {
 +        case SIGBUS:
 +            kvm_on_sigbus(env, &siginfo);
 +            break;
 +        default:
 +            break;
 +        }
 +
 +        r = sigpending(&chkset);
 +        if (r == -1) {
 +            printf("sigpending: %s\n", strerror(e));
 +            exit(1);
 +        }
 +    } while (sigismember(&chkset, SIG_IPI) || sigismember(&chkset, SIGBUS));
 +
 +    cpu_single_env = env;
 +    flush_queued_work(env);
 +
 +    if (env->stop) {
 +        env->stop = 0;
 +        env->stopped = 1;
 +        pthread_cond_signal(&qemu_pause_cond);
 +    }
 +
 +    env->kvm_cpu_state.signalled = 0;
 +}
 +
 +static int all_threads_paused(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv->stop) {
 +            return 0;
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    return 1;
 +}
 +
 +static void pause_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    while (penv) {
 +        if (penv != cpu_single_env) {
 +            penv->stop = 1;
 +            pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        } else {
 +            penv->stop = 0;
 +            penv->stopped = 1;
 +            cpu_exit(penv);
 +        }
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +
 +    while (!all_threads_paused()) {
 +        qemu_cond_wait(&qemu_pause_cond);
 +    }
 +}
 +
 +static void resume_all_threads(void)
 +{
 +    CPUState *penv = first_cpu;
 +
 +    assert(!cpu_single_env);
 +
 +    while (penv) {
 +        penv->stop = 0;
 +        penv->stopped = 0;
 +        pthread_kill(penv->kvm_cpu_state.thread, SIG_IPI);
 +        penv = (CPUState *) penv->next_cpu;
 +    }
 +}
 +
 +static void kvm_vm_state_change_handler(void *context, int running, int reason)
 +{
 +    if (running) {
 +        resume_all_threads();
 +    } else {
 +        pause_all_threads();
 +    }
 +}
 +
 +static void setup_kernel_sigmask(CPUState *env)
 +{
 +    sigset_t set;
 +
 +    sigemptyset(&set);
 +    sigaddset(&set, SIGUSR2);
 +    sigaddset(&set, SIGIO);
 +    sigaddset(&set, SIGALRM);
 +    sigprocmask(SIG_BLOCK, &set, NULL);
 +
 +    sigprocmask(SIG_BLOCK, NULL, &set);
 +    sigdelset(&set, SIG_IPI);
 +    sigdelset(&set, SIGBUS);
 +
 +    kvm_set_signal_mask(env, &set);
 +}
 +
 +static void qemu_kvm_system_reset(void)
 +{
 +    pause_all_threads();
 +
 +    qemu_system_reset();
 +
 +    resume_all_threads();
 +}
 +
 +static void process_irqchip_events(CPUState *env)
 +{
 +    kvm_arch_process_irqchip_events(env);
 +    if (kvm_arch_has_work(env))
 +        env->halted = 0;
 +}
 +
 +static int kvm_main_loop_cpu(CPUState *env)
 +{
 +    while (1) {
 +        int run_cpu = !kvm_cpu_is_stopped(env);
 +        if (run_cpu && !kvm_irqchip_in_kernel()) {
 +            process_irqchip_events(env);
 +            run_cpu = !env->halted;
 +        }
 +        if (run_cpu) {
 +            kvm_cpu_exec(env);
 +            kvm_main_loop_wait(env, 0);
 +        } else {
 +            kvm_main_loop_wait(env, 1000);
 +        }
 +    }
 +    pthread_mutex_unlock(&qemu_mutex);
 +    return 0;
 +}
 +
 +static void *ap_main_loop(void *_env)
 +{
 +    CPUState *env = _env;
 +    sigset_t signals;
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    struct ioperm_data *data = NULL;
 +#endif
 +
 +    current_env = env;
 +    env->thread_id = kvm_get_thread_id();
 +    sigfillset(&signals);
 +    sigprocmask(SIG_BLOCK, &signals, NULL);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +    /* do ioperm for io ports of assigned devices */
 +    QLIST_FOREACH(data, &ioperm_head, entries)
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +#endif
 +
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = env;
 +
 +    kvm_create_vcpu(env, env->cpu_index);
 +    setup_kernel_sigmask(env);
 +
 +    /* signal VCPU creation */
 +    current_env->created = 1;
 +    pthread_cond_signal(&qemu_vcpu_cond);
 +
 +    /* and wait for machine initialization */
 +    while (!qemu_system_ready) {
 +        qemu_cond_wait(&qemu_system_cond);
 +    }
 +
 +    /* re-initialize cpu_single_env after re-acquiring qemu_mutex */
 +    cpu_single_env = env;
 +
 +    kvm_main_loop_cpu(env);
 +    return NULL;
 +}
 +
 +int kvm_init_vcpu(CPUState *env)
 +{
 +    pthread_create(&env->kvm_cpu_state.thread, NULL, ap_main_loop, env);
 +
 +    while (env->created == 0) {
 +        qemu_cond_wait(&qemu_vcpu_cond);
 +    }
 +
 +    return 0;
 +}
 +
 +int kvm_vcpu_inited(CPUState *env)
 +{
 +    return env->created;
 +}
 +
 +#ifdef TARGET_I386
 +void kvm_hpet_disable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags |= KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +
 +void kvm_hpet_enable_kpit(void)
 +{
 +    struct kvm_pit_state2 ps2;
 +
 +    kvm_get_pit2(kvm_context, &ps2);
 +    ps2.flags &= ~KVM_PIT_FLAGS_HPET_LEGACY;
 +    kvm_set_pit2(kvm_context, &ps2);
 +}
 +#endif
 +
 +int kvm_init_ap(void)
 +{
 +    struct sigaction action;
 +
 +    qemu_add_vm_change_state_handler(kvm_vm_state_change_handler, NULL);
 +
 +    signal(SIG_IPI, sig_ipi_handler);
 +
 +    memset(&action, 0, sizeof(action));
 +    action.sa_flags = SA_SIGINFO;
 +    action.sa_sigaction = (void (*)(int, siginfo_t*, void*))sigbus_handler;
 +    sigaction(SIGBUS, &action, NULL);
 +    prctl(PR_MCE_KILL, 1, 1, 0, 0);
 +    return 0;
 +}
 +
 +/* If we have signalfd, we mask out the signals we want to handle and then
 + * use signalfd to listen for them.  We rely on whatever the current signal
 + * handler is to dispatch the signals when we receive them.
 + */
 +
 +static void sigfd_handler(void *opaque)
 +{
 +    int fd = (unsigned long) opaque;
 +    struct qemu_signalfd_siginfo info;
 +    struct sigaction action;
 +    ssize_t len;
 +
 +    while (1) {
 +        do {
 +            len = read(fd, &info, sizeof(info));
 +        } while (len == -1 && errno == EINTR);
 +
 +        if (len == -1 && errno == EAGAIN) {
 +            break;
 +        }
 +
 +        if (len != sizeof(info)) {
 +            printf("read from sigfd returned %zd: %m\n", len);
 +            return;
 +        }
 +
 +        sigaction(info.ssi_signo, NULL, &action);
 +        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
 +            action.sa_sigaction(info.ssi_signo,
 +                                (siginfo_t *)&info, NULL);
 +        } else if (action.sa_handler) {
 +            action.sa_handler(info.ssi_signo);
 +        }
 +    }
 +}
 +
 +int kvm_main_loop(void)
 +{
 +    sigset_t mask;
 +    int sigfd;
 +
 +    io_thread = pthread_self();
 +    qemu_system_ready = 1;
 +
 +    sigemptyset(&mask);
 +    sigaddset(&mask, SIGIO);
 +    sigaddset(&mask, SIGALRM);
 +    sigaddset(&mask, SIGBUS);
 +    sigprocmask(SIG_BLOCK, &mask, NULL);
 +
 +    sigfd = qemu_signalfd(&mask);
 +    if (sigfd == -1) {
 +        fprintf(stderr, "failed to create signalfd\n");
 +        return -errno;
 +    }
 +
 +    fcntl(sigfd, F_SETFL, O_NONBLOCK);
 +
 +    qemu_set_fd_handler2(sigfd, NULL, sigfd_handler, NULL,
 +                         (void *)(unsigned long) sigfd);
 +
 +    pthread_cond_broadcast(&qemu_system_cond);
 +
 +    io_thread_sigfd = sigfd;
 +    cpu_single_env = NULL;
 +
 +    while (1) {
 +        main_loop_wait(0);
 +        if (qemu_shutdown_requested()) {
 +            monitor_protocol_event(QEVENT_SHUTDOWN, NULL);
 +            if (qemu_no_shutdown()) {
 +                vm_stop(0);
 +            } else {
 +                break;
 +            }
 +        } else if (qemu_powerdown_requested()) {
 +            monitor_protocol_event(QEVENT_POWERDOWN, NULL);
 +            qemu_irq_raise(qemu_system_powerdown);
 +        } else if (qemu_reset_requested()) {
 +            qemu_kvm_system_reset();
 +        } else if (kvm_debug_cpu_requested) {
 +            gdb_set_stop_cpu(kvm_debug_cpu_requested);
 +            vm_stop(EXCP_DEBUG);
 +            kvm_debug_cpu_requested = NULL;
 +        }
 +    }
 +
 +    pause_all_threads();
 +    pthread_mutex_unlock(&qemu_mutex);
 +
 +    return 0;
 +}
 +
 +#if !defined(TARGET_I386)
 +int kvm_arch_init_irq_routing(void)
 +{
 +    return 0;
 +}
 +#endif
 +
 +extern int no_hpet;
 +
 +static int kvm_create_context(void)
 +{
 +    static const char upgrade_note[] =
 +    "Please upgrade to at least kernel 2.6.29 or recent kvm-kmod\n"
 +    "(see http://sourceforge.net/projects/kvm).\n";
 +
 +    int r;
 +
 +    if (!kvm_irqchip) {
 +        kvm_disable_irqchip_creation(kvm_context);
 +    }
 +    if (!kvm_pit) {
 +        kvm_disable_pit_creation(kvm_context);
 +    }
 +    if (kvm_create(kvm_context, 0, NULL) < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    r = kvm_arch_qemu_create_context();
 +    if (r < 0) {
 +        kvm_finalize(kvm_state);
 +        return -1;
 +    }
 +    if (kvm_pit && !kvm_pit_reinject) {
 +        if (kvm_reinject_control(kvm_context, 0)) {
 +            fprintf(stderr, "failure to disable in-kernel PIT reinjection\n");
 +            return -1;
 +        }
 +    }
 +
 +    /* There was a nasty bug in < kvm-80 that prevents memory slots from being
 +     * destroyed properly.  Since we rely on this capability, refuse to work
 +     * with any kernel without this capability. */
 +    if (!kvm_check_extension(kvm_state, KVM_CAP_DESTROY_MEMORY_REGION_WORKS)) {
 +        fprintf(stderr,
 +                "KVM kernel module broken (DESTROY_MEMORY_REGION).\n%s",
 +                upgrade_note);
 +        return -EINVAL;
 +    }
 +
 +    r = kvm_arch_init_irq_routing();
 +    if (r < 0) {
 +        return r;
 +    }
 +
 +    kvm_state->vcpu_events = 0;
 +#ifdef KVM_CAP_VCPU_EVENTS
 +    kvm_state->vcpu_events = kvm_check_extension(kvm_state, KVM_CAP_VCPU_EVENTS);
 +#endif
 +
 +    kvm_state->debugregs = 0;
 +#ifdef KVM_CAP_DEBUGREGS
 +    kvm_state->debugregs = kvm_check_extension(kvm_state, KVM_CAP_DEBUGREGS);
 +#endif
 +
 +    kvm_init_ap();
 +    if (kvm_irqchip) {
 +        if (!qemu_kvm_has_gsi_routing()) {
 +            irq0override = 0;
 +#ifdef TARGET_I386
 +            /* if kernel can't do irq routing, interrupt source
 +             * override 0->2 can not be set up as required by hpet,
 +             * so disable hpet.
 +             */
 +            no_hpet = 1;
 +        } else if (!qemu_kvm_has_pit_state2()) {
 +            no_hpet = 1;
 +        }
 +#else
 +        }
 +#endif
 +    }
 +
 +    return 0;
 +}
 +
 +#ifdef KVM_CAP_IRQCHIP
 +
 +int kvm_set_irq(int irq, int level, int *status)
 +{
 +    return kvm_set_irq_level(kvm_context, irq, level, status);
 +}
 +
 +#endif
 +
 +static void kvm_mutex_unlock(void)
 +{
 +    assert(!cpu_single_env);
 +    pthread_mutex_unlock(&qemu_mutex);
 +}
 +
 +static void kvm_mutex_lock(void)
 +{
 +    pthread_mutex_lock(&qemu_mutex);
 +    cpu_single_env = NULL;
 +}
 +
 +void qemu_mutex_unlock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_unlock();
 +    }
 +}
 +
 +void qemu_mutex_lock_iothread(void)
 +{
 +    if (kvm_enabled()) {
 +        kvm_mutex_lock();
 +    }
 +}
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +void kvm_add_ioperm_data(struct ioperm_data *data)
 +{
 +    QLIST_INSERT_HEAD(&ioperm_head, data, entries);
 +}
 +
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
 +{
 +    struct ioperm_data *data;
 +
 +    data = QLIST_FIRST(&ioperm_head);
 +    while (data) {
 +        struct ioperm_data *next = QLIST_NEXT(data, entries);
 +
 +        if (data->start_port == start_port && data->num == num) {
 +            QLIST_REMOVE(data, entries);
 +            qemu_free(data);
 +        }
 +
 +        data = next;
 +    }
 +}
 +
 +void kvm_ioperm(CPUState *env, void *data)
 +{
 +    if (kvm_enabled() && qemu_system_ready) {
 +        on_vcpu(env, kvm_arch_do_ioperm, data);
 +    }
 +}
 +
 +#endif
 +
 +int kvm_set_boot_cpu_id(uint32_t id)
 +{
 +    return kvm_set_boot_vcpu_id(kvm_context, id);
 +}
 +
- #ifdef TARGET_I386
- #ifdef KVM_CAP_MCE
- struct kvm_x86_mce_data {
-     CPUState *env;
-     struct kvm_x86_mce *mce;
-     int abort_on_error;
- };
- 
- static void kvm_do_inject_x86_mce(void *_data)
- {
-     struct kvm_x86_mce_data *data = _data;
-     int r;
- 
-     /* If there is an MCE excpetion being processed, ignore this SRAO MCE */
-     r = kvm_mce_in_exception(data->env);
-     if (r == -1) {
-         fprintf(stderr, "Failed to get MCE status\n");
-     } else if (r && !(data->mce->status & MCI_STATUS_AR)) {
-         return;
-     }
-     r = kvm_set_mce(data->env, data->mce);
-     if (r < 0) {
-         perror("kvm_set_mce FAILED");
-         if (data->abort_on_error) {
-             abort();
-         }
-     }
- }
- #endif
- 
- void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
-                         uint64_t mcg_status, uint64_t addr, uint64_t misc,
-                         int abort_on_error)
- {
- #ifdef KVM_CAP_MCE
-     struct kvm_x86_mce mce = {
-         .bank = bank,
-         .status = status,
-         .mcg_status = mcg_status,
-         .addr = addr,
-         .misc = misc,
-     };
-     struct kvm_x86_mce_data data = {
-         .env = cenv,
-         .mce = &mce,
-         .abort_on_error = abort_on_error,
-     };
- 
-     if (!cenv->mcg_cap) {
-         fprintf(stderr, "MCE support is not enabled!\n");
-         return;
-     }
-     on_vcpu(cenv, kvm_do_inject_x86_mce, &data);
- #else
-     if (abort_on_error) {
-         abort();
-     }
- #endif
- }
- #endif
diff --cc qemu-kvm.h
index c6f5632,0000000..5600ca5
mode 100644,000000..100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@@ -1,920 -1,0 +1,890 @@@
 +/*
 + * qemu/kvm integration
 + *
 + * Copyright (C) 2006-2008 Qumranet Technologies
 + *
 + * Licensed under the terms of the GNU GPL version 2 or higher.
 + */
 +#ifndef THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +#define THE_ORIGINAL_AND_TRUE_QEMU_KVM_H
 +
 +#include "cpu.h"
 +
 +#include <signal.h>
 +#include <stdlib.h>
 +
 +#ifdef CONFIG_KVM
 +
 +#if defined(__s390__)
 +#include <asm/ptrace.h>
 +#endif
 +
 +#include <stdint.h>
 +
 +#ifndef __user
 +#define __user       /* temporary, until installed via make headers_install */
 +#endif
 +
 +#include <linux/kvm.h>
 +
 +#include <signal.h>
 +
 +/* FIXME: share this number with kvm */
 +/* FIXME: or dynamically alloc/realloc regions */
 +#ifdef __s390__
 +#define KVM_MAX_NUM_MEM_REGIONS 1u
 +#define MAX_VCPUS 64
 +#define LIBKVM_S390_ORIGIN (0UL)
 +#elif defined(__ia64__)
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 256
 +#else
 +#define KVM_MAX_NUM_MEM_REGIONS 32u
 +#define MAX_VCPUS 16
 +#endif
 +
 +/* kvm abi verison variable */
 +extern int kvm_abi;
 +
 +/**
 + * \brief The KVM context
 + *
 + * The verbose KVM context
 + */
 +
 +struct kvm_context {
 +    void *opaque;
 +    /// is dirty pages logging enabled for all regions or not
 +    int dirty_pages_log_all;
 +    /// do not create in-kernel irqchip if set
 +    int no_irqchip_creation;
 +    /// in-kernel irqchip status
 +    int irqchip_in_kernel;
 +    /// ioctl to use to inject interrupts
 +    int irqchip_inject_ioctl;
 +    /// do not create in-kernel pit if set
 +    int no_pit_creation;
 +#ifdef KVM_CAP_IRQ_ROUTING
 +    struct kvm_irq_routing *irq_routes;
 +    int nr_allocated_irq_routes;
 +#endif
 +    void *used_gsi_bitmap;
 +    int max_gsi;
 +};
 +
 +typedef struct kvm_context *kvm_context_t;
 +
 +#include "kvm.h"
 +int kvm_alloc_kernel_memory(kvm_context_t kvm, unsigned long memory,
 +                            void **vm_mem);
 +int kvm_alloc_userspace_memory(kvm_context_t kvm, unsigned long memory,
 +                               void **vm_mem);
 +
 +int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +                    void **vm_mem);
 +
 +int kvm_arch_run(CPUState *env);
 +
 +
 +void kvm_show_code(CPUState *env);
 +
 +int handle_halt(CPUState *env);
 +
 +int handle_shutdown(kvm_context_t kvm, CPUState *env);
 +void post_kvm_run(kvm_context_t kvm, CPUState *env);
 +int pre_kvm_run(kvm_context_t kvm, CPUState *env);
 +int handle_io_window(kvm_context_t kvm);
 +int try_push_interrupts(kvm_context_t kvm);
 +
 +#if defined(__x86_64__) || defined(__i386__)
 +int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n);
 +int kvm_set_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n);
- int kvm_get_mce_cap_supported(kvm_context_t, uint64_t *mce_cap,
-                               int *max_banks);
- int kvm_setup_mce(CPUState *env, uint64_t *mcg_cap);
 +struct kvm_x86_mce;
- int kvm_set_mce(CPUState *env, struct kvm_x86_mce *mce);
 +#endif
 +
 +/*!
 + * \brief Disable the in-kernel IRQCHIP creation
 + *
 + * In-kernel irqchip is enabled by default. If userspace irqchip is to be used,
 + * this should be called prior to kvm_create().
 + *
 + * \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_irqchip_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable the in-kernel PIT creation
 + *
 + * In-kernel pit is enabled by default. If userspace pit is to be used,
 + * this should be called prior to kvm_create().
 + *
 + *  \param kvm Pointer to the kvm_context
 + */
 +void kvm_disable_pit_creation(kvm_context_t kvm);
 +
 +/*!
 + * \brief Create new virtual machine
 + *
 + * This creates a new virtual machine, maps physical RAM to it, and creates a
 + * virtual CPU for it.\n
 + * \n
 + * Memory gets mapped for addresses 0->0xA0000, 0xC0000->phys_mem_bytes
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_mem_bytes The amount of physical ram you want the VM to have
 + * \param phys_mem This pointer will be set to point to the memory that
 + * kvm_create allocates for physical RAM
 + * \return 0 on success
 + */
 +int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
 +               void **phys_mem);
 +int kvm_create_vm(kvm_context_t kvm);
 +void kvm_create_irqchip(kvm_context_t kvm);
 +
 +/*!
 + * \brief Start the VCPU
 + *
 + * This starts the VCPU and virtualization is started.\n
 + * \n
 + * This function will not return until any of these conditions are met:
 + * - An IO/MMIO handler does not return "0"
 + * - An exception that neither the guest OS, nor KVM can handle occurs
 + *
 + * \note This function will call the callbacks registered in kvm_init()
 + * to emulate those functions
 + * \note If you at any point want to interrupt the VCPU, kvm_run() will
 + * listen to the EINTR signal. This allows you to simulate external interrupts
 + * and asyncronous IO.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be started
 + * \return 0 on success, but you really shouldn't expect this function to
 + * return except for when an error has occured, or when you have sent it
 + * an EINTR signal.
 + */
 +int kvm_run(CPUState *env);
 +
 +/*!
 + * \brief Check if a vcpu is ready for interrupt injection
 + *
 + * This checks if vcpu interrupts are not masked by mov ss or sti.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return boolean indicating interrupt injection readiness
 + */
 +int kvm_is_ready_for_interrupt_injection(CPUState *env);
 +
 +/*!
 + * \brief Read VCPU registers
 + *
 + * This gets the GP registers from the VCPU and outputs them
 + * into a kvm_regs structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPUs GP registers, you should call kvm_set_regs()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_get_regs(CPUState *env, struct kvm_regs *regs);
 +
 +/*!
 + * \brief Write VCPU registers
 + *
 + * This sets the GP registers on the VCPU from a kvm_regs structure
 + *
 + * \note When this function returns, the regs pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_regs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_set_regs(CPUState *env, struct kvm_regs *regs);
 +/*!
 + * \brief Read VCPU fpu registers
 + *
 + * This gets the FPU registers from the VCPU and outputs them
 + * into a kvm_fpu structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPU FPU registers, you should call kvm_set_fpu()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param fpu Pointer to a kvm_fpu which will be populated with the VCPUs
 + * fpu registers values
 + * \return 0 on success
 + */
 +int kvm_get_fpu(CPUState *env, struct kvm_fpu *fpu);
 +
 +/*!
 + * \brief Write VCPU fpu registers
 + *
 + * This sets the FPU registers on the VCPU from a kvm_fpu structure
 + *
 + * \note When this function returns, the fpu pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param fpu Pointer to a kvm_fpu which holds the new vcpu fpu state
 + * \return 0 on success
 + */
 +int kvm_set_fpu(CPUState *env, struct kvm_fpu *fpu);
 +
 +/*!
 + * \brief Read VCPU system registers
 + *
 + * This gets the non-GP registers from the VCPU and outputs them
 + * into a kvm_sregs structure
 + *
 + * \note This function returns a \b copy of the VCPUs registers.\n
 + * If you wish to modify the VCPUs non-GP registers, you should call
 + * kvm_set_sregs()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_sregs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_get_sregs(CPUState *env, struct kvm_sregs *regs);
 +
 +/*!
 + * \brief Write VCPU system registers
 + *
 + * This sets the non-GP registers on the VCPU from a kvm_sregs structure
 + *
 + * \note When this function returns, the regs pointer and the data it points to
 + * can be discarded
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param regs Pointer to a kvm_sregs which will be populated with the VCPUs
 + * registers values
 + * \return 0 on success
 + */
 +int kvm_set_sregs(CPUState *env, struct kvm_sregs *regs);
 +
 +#ifdef KVM_CAP_MP_STATE
 +/*!
 + *  * \brief Read VCPU MP state
 + *
 + */
 +int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +
 +/*!
 + *  * \brief Write VCPU MP state
 + *
 + */
 +int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state);
 +#endif
 +
 +#ifdef KVM_CAP_XSAVE
 +/*!
 + *  * \brief Read VCPU xsave state
 + *
 + */
 +int kvm_get_xsave(CPUState *env, struct kvm_xsave *xsave);
 +
 +/*!
 + *  * \brief Write VCPU xsave state
 + *
 + */
 +int kvm_set_xsave(CPUState *env, struct kvm_xsave *xsave);
 +#endif
 +
 +#ifdef KVM_CAP_XCRS
 +/*!
 + *  * \brief Read VCPU XCRs
 + *
 + */
 +int kvm_get_xcrs(CPUState *env, struct kvm_xcrs *xcrs);
 +
 +/*!
 + *  * \brief Write VCPU XCRs
 + *
 + */
 +int kvm_set_xcrs(CPUState *env, struct kvm_xcrs *xcrs);
 +#endif
 +
 +/*!
 + * \brief Simulate an external vectored interrupt
 + *
 + * This allows you to simulate an external vectored interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \param irq Vector number
 + * \return 0 on success
 + */
 +int kvm_inject_irq(CPUState *env, unsigned irq);
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Setup a vcpu's cpuid instruction emulation
 + *
 + * Set up a table of cpuid function to cpuid outputs.\n
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be initialized
 + * \param nent number of entries to be installed
 + * \param entries cpuid function entries table
 + * \return 0 on success, or -errno on error
 + */
 +int kvm_setup_cpuid(CPUState *env, int nent,
 +                    struct kvm_cpuid_entry *entries);
 +
 +/*!
 + * \brief Setup a vcpu's cpuid instruction emulation
 + *
 + * Set up a table of cpuid function to cpuid outputs.
 + * This call replaces the older kvm_setup_cpuid interface by adding a few
 + * parameters to support cpuid functions that have sub-leaf values.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be initialized
 + * \param nent number of entries to be installed
 + * \param entries cpuid function entries table
 + * \return 0 on success, or -errno on error
 + */
 +int kvm_setup_cpuid2(CPUState *env, int nent,
 +                     struct kvm_cpuid_entry2 *entries);
 +
 +/*!
 + * \brief Setting the number of shadow pages to be allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages);
 +
 +/*!
 + * \brief Getting the number of shadow pages that are allocated to the vm
 + *
 + * \param kvm pointer to kvm_context
 + * \param nrshadow_pages number of pages to be allocated
 + */
 +int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages);
 +
 +#endif
 +
 +/*!
 + * \brief Dump VCPU registers
 + *
 + * This dumps some of the information that KVM has about a virtual CPU, namely:
 + * - GP Registers
 + *
 + * A much more verbose version of this is available as kvm_dump_vcpu()
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +void kvm_show_regs(CPUState *env);
 +
 +
 +void *kvm_create_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len, int log, int writable);
 +void kvm_destroy_phys_mem(kvm_context_t, unsigned long phys_start,
 +                          unsigned long len);
 +
 +int kvm_is_containing_region(kvm_context_t kvm, unsigned long phys_start,
 +                             unsigned long size);
 +int kvm_register_phys_mem(kvm_context_t kvm, unsigned long phys_start,
 +                          void *userspace_addr, unsigned long len, int log);
 +int kvm_get_dirty_pages_range(kvm_context_t kvm, unsigned long phys_addr,
 +                              unsigned long end_addr, void *opaque,
 +                              int (*cb)(unsigned long start,
 +                                        unsigned long len, void *bitmap,
 +                                        void *opaque));
 +int kvm_register_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                uint32_t size);
 +int kvm_unregister_coalesced_mmio(kvm_context_t kvm, uint64_t addr,
 +                                  uint32_t size);
 +
 +/*!
 + * \brief Get a bitmap of guest ram pages which are allocated to the guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param phys_addr Memory slot phys addr
 + * \param bitmap Long aligned address of a big enough bitmap (one bit per page)
 + */
 +int kvm_get_mem_map(kvm_context_t kvm, unsigned long phys_addr, void *bitmap);
 +int kvm_get_mem_map_range(kvm_context_t kvm, unsigned long phys_addr,
 +                          unsigned long len, void *buf, void *opaque,
 +                          int (*cb)(unsigned long start,
 +                                    unsigned long len, void *bitmap,
 +                                    void *opaque));
 +int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status);
 +
 +int kvm_dirty_pages_log_enable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                    uint64_t len);
 +int kvm_dirty_pages_log_disable_slot(kvm_context_t kvm, uint64_t phys_start,
 +                                     uint64_t len);
 +/*!
 + * \brief Enable dirty-pages-logging for all memory regions
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_enable_all(kvm_context_t kvm);
 +
 +/*!
 + * \brief Disable dirty-page-logging for some memory regions
 + *
 + * Disable dirty-pages-logging for those memory regions that were
 + * created with dirty-page-logging disabled.
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_dirty_pages_log_reset(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_IRQCHIP
 +/*!
 + * \brief Dump in kernel IRQCHIP contents
 + *
 + * Dump one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC into a kvm_irqchip structure
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip The irq chip device to be dumped
 + */
 +int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +/*!
 + * \brief Set in kernel IRQCHIP contents
 + *
 + * Write one of the in kernel irq chip devices, including PIC (master/slave)
 + * and IOAPIC
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param chip THe irq chip device to be written
 + */
 +int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip);
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel local APIC for vcpu
 + *
 + * Save the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +/*!
 + * \brief Set in kernel local APIC for vcpu
 + *
 + * Restore the local apic state including the timer of a virtual CPU
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should be accessed
 + * \param s Local apic state of the specific virtual CPU
 + */
 +int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s);
 +
 +#endif
 +
 +/*!
 + * \brief Simulate an NMI
 + *
 + * This allows you to simulate a non-maskable interrupt.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param vcpu Which virtual CPU should get dumped
 + * \return 0 on success
 + */
 +int kvm_inject_nmi(CPUState *env);
 +
 +#endif
 +
 +/*!
-  * \brief Simulate an x86 MCE
-  *
-  * This allows you to simulate a x86 MCE.
-  *
-  * \param cenv Which virtual CPU should get MCE injected
-  * \param bank Bank number
-  * \param status MSR_MCI_STATUS
-  * \param mcg_status MSR_MCG_STATUS
-  * \param addr MSR_MCI_ADDR
-  * \param misc MSR_MCI_MISC
-  * \param abort_on_error abort on error
-  */
- void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
-                         uint64_t mcg_status, uint64_t addr, uint64_t misc,
-                         int abort_on_error);
- 
- /*!
 + * \brief Initialize coalesced MMIO
 + *
 + * Check for coalesced MMIO capability and store in context
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_init_coalesced_mmio(kvm_context_t kvm);
 +
 +#ifdef KVM_CAP_PIT
 +
 +#if defined(__i386__) || defined(__x86_64__)
 +/*!
 + * \brief Get in kernel PIT of the virtual domain
 + *
 + * Save the PIT state.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +/*!
 + * \brief Set in kernel PIT of the virtual domain
 + *
 + * Restore the PIT state.
 + * Timer would be retriggerred after restored.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param s PIT state of the virtual domain
 + */
 +int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s);
 +
 +int kvm_reinject_control(kvm_context_t kvm, int pit_reinject);
 +
 +#ifdef KVM_CAP_PIT_STATE2
 +/*!
 + * \brief Check for kvm support of kvm_pit_state2
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \return 0 on success
 + */
 +int kvm_has_pit_state2(kvm_context_t kvm);
 +
 +/*!
 + * \brief Set in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +/*!
 + * \brief Get in kernel PIT state2 of the virtual domain
 + *
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param ps2 PIT state2 of the virtual domain
 + * \return 0 on success
 + */
 +int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2);
 +
 +#endif
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_VAPIC
 +
 +int kvm_enable_vapic(CPUState *env, uint64_t vapic);
 +
 +#endif
 +
 +#if defined(__s390__)
 +int kvm_s390_initial_reset(kvm_context_t kvm, int slot);
 +int kvm_s390_interrupt(kvm_context_t kvm, int slot,
 +                       struct kvm_s390_interrupt *kvmint);
 +int kvm_s390_set_initial_psw(kvm_context_t kvm, int slot, psw_t psw);
 +int kvm_s390_store_status(kvm_context_t kvm, int slot, unsigned long addr);
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_ASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be assigned to a guest
 + *
 + * Used for PCI device assignment, this function notifies the host
 + * kernel about the assigning of the physical PCI device to a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_assign_pci_device(kvm_context_t kvm,
 +                          struct kvm_assigned_pci_dev *assigned_dev);
 +
 +/*!
 + * \brief Assign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function assigns IRQ numbers for
 + * an physical device and guest IRQ handling.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_assign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +
 +#ifdef KVM_CAP_ASSIGN_DEV_IRQ
 +/*!
 + * \brief Deassign IRQ for an assigned device
 + *
 + * Used for PCI device assignment, this function deassigns IRQ numbers
 + * for an assigned device.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_irq Parameters, like dev id, host irq, guest irq, etc
 + */
 +int kvm_deassign_irq(kvm_context_t kvm, struct kvm_assigned_irq *assigned_irq);
 +#endif
 +#endif
 +
 +#ifdef KVM_CAP_DEVICE_DEASSIGNMENT
 +/*!
 + * \brief Notifies host kernel about a PCI device to be deassigned from a guest
 + *
 + * Used for hot remove PCI device, this function notifies the host
 + * kernel about the deassigning of the physical PCI device from a guest.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param assigned_dev Parameters, like bus, devfn number, etc
 + */
 +int kvm_deassign_pci_device(kvm_context_t kvm,
 +                            struct kvm_assigned_pci_dev *assigned_dev);
 +#endif
 +
 +/*!
 + * \brief Determines the number of gsis that can be routed
 + *
 + * Returns the number of distinct gsis that can be routed by kvm.  This is
 + * also the number of distinct routes (if a gsi has two routes, than another
 + * gsi cannot be used...)
 + *
 + * \param kvm Pointer to the current kvm_context
 + */
 +int kvm_get_gsi_count(kvm_context_t kvm);
 +
 +/*!
 + * \brief Clears the temporary irq routing table
 + *
 + * Clears the temporary irq routing table.  Nothing is committed to the
 + * running VM.
 + *
 + */
 +int kvm_clear_gsi_routes(void);
 +
 +/*!
 + * \brief Adds an irq route to the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_irq_route(int gsi, int irqchip, int pin);
 +
 +/*!
 + * \brief Removes an irq route from the temporary irq routing table
 + *
 + * Adds an irq route to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_irq_route(int gsi, int irqchip, int pin);
 +
 +struct kvm_irq_routing_entry;
 +/*!
 + * \brief Adds a routing entry to the temporary irq routing table
 + *
 + * Adds a filled routing entry to the temporary irq routing table. Nothing is
 + * committed to the running VM.
 + */
 +int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Removes a routing from the temporary irq routing table
 + *
 + * Remove a routing to the temporary irq routing table.  Nothing is
 + * committed to the running VM.
 + */
 +int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry);
 +
 +/*!
 + * \brief Updates a routing in the temporary irq routing table
 + *
 + * Update a routing in the temporary irq routing table
 + * with a new value. entry type and GSI can not be changed.
 + * Nothing is committed to the running VM.
 + */
 +int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
 +                             struct kvm_irq_routing_entry *newentry);
 +
 +
 +/*!
 + * \brief Create a file descriptor for injecting interrupts
 + *
 + * Creates an eventfd based file-descriptor that maps to a specific GSI
 + * in the guest.  eventfd compliant signaling (write() from userspace, or
 + * eventfd_signal() from kernelspace) will cause the GSI to inject
 + * itself into the guest at the next available window.
 + *
 + * \param kvm Pointer to the current kvm_context
 + * \param gsi GSI to assign to this fd
 + * \param flags reserved, must be zero
 + */
 +int kvm_irqfd(kvm_context_t kvm, int gsi, int flags);
 +
 +#ifdef KVM_CAP_DEVICE_MSIX
 +int kvm_assign_set_msix_nr(kvm_context_t kvm,
 +                           struct kvm_assigned_msix_nr *msix_nr);
 +int kvm_assign_set_msix_entry(kvm_context_t kvm,
 +                              struct kvm_assigned_msix_entry *entry);
 +#endif
 +
 +#else                           /* !CONFIG_KVM */
 +
 +typedef struct kvm_context *kvm_context_t;
 +typedef struct kvm_vcpu_context *kvm_vcpu_context_t;
 +
 +struct kvm_pit_state {
 +};
 +
- static inline void kvm_inject_x86_mce(CPUState *cenv, int bank,
-                                       uint64_t status, uint64_t mcg_status,
-                                       uint64_t addr, uint64_t misc,
-                                       int abort_on_error)
- {
-     if (abort_on_error)
-         abort();
- }
- 
 +#endif                          /* !CONFIG_KVM */
 +
 +
 +/*!
 + * \brief Create new KVM context
 + *
 + * This creates a new kvm_context. A KVM context is a small area of data that
 + * holds information about the KVM instance that gets created by this call.\n
 + * This should always be your first call to KVM.
 + *
 + * \param opaque Not used
 + * \return NULL on failure
 + */
 +int kvm_init(int smp_cpus);
 +
 +int kvm_main_loop(void);
 +int kvm_init_ap(void);
 +int kvm_vcpu_inited(CPUState *env);
 +void kvm_save_lapic(CPUState *env);
 +void kvm_load_lapic(CPUState *env);
 +
 +void kvm_hpet_enable_kpit(void);
 +void kvm_hpet_disable_kpit(void);
 +
 +int kvm_physical_memory_set_dirty_tracking(int enable);
 +
 +void qemu_kvm_call_with_env(void (*func)(void *), void *data, CPUState *env);
 +void qemu_kvm_cpuid_on_env(CPUState *env);
 +void kvm_inject_interrupt(CPUState *env, int mask);
 +void kvm_update_after_sipi(CPUState *env);
 +void kvm_update_interrupt_request(CPUState *env);
 +#ifndef CONFIG_USER_ONLY
 +void *kvm_cpu_create_phys_mem(target_phys_addr_t start_addr, unsigned long size,
 +                              int log, int writable);
 +
 +void kvm_cpu_destroy_phys_mem(target_phys_addr_t start_addr,
 +                              unsigned long size);
 +void kvm_qemu_log_memory(target_phys_addr_t start, target_phys_addr_t size,
 +                         int log);
 +#endif
 +int kvm_qemu_create_memory_alias(uint64_t phys_start, uint64_t len,
 +                                 uint64_t target_phys);
 +int kvm_qemu_destroy_memory_alias(uint64_t phys_start);
 +
 +int kvm_arch_qemu_create_context(void);
 +
 +void kvm_arch_save_regs(CPUState *env);
 +void kvm_arch_load_regs(CPUState *env, int level);
 +int kvm_arch_has_work(CPUState *env);
 +void kvm_arch_process_irqchip_events(CPUState *env);
 +int kvm_arch_try_push_interrupts(void *opaque);
 +void kvm_arch_push_nmi(void *opaque);
 +void kvm_arch_cpu_reset(CPUState *env);
 +int kvm_set_boot_cpu_id(uint32_t id);
 +
 +void qemu_kvm_aio_wait_start(void);
 +void qemu_kvm_aio_wait(void);
 +void qemu_kvm_aio_wait_end(void);
 +
 +void kvm_tpr_access_report(CPUState *env, uint64_t rip, int is_write);
 +
 +int kvm_arch_init_irq_routing(void);
 +
 +int kvm_mmio_read(void *opaque, uint64_t addr, uint8_t * data, int len);
 +int kvm_mmio_write(void *opaque, uint64_t addr, uint8_t * data, int len);
 +
 +#ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
 +struct ioperm_data;
 +
 +void kvm_ioperm(CPUState *env, void *data);
 +void kvm_add_ioperm_data(struct ioperm_data *data);
 +void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num);
 +void kvm_arch_do_ioperm(void *_data);
 +#endif
 +
 +#define ALIGN(x, y)  (((x)+(y)-1) & ~((y)-1))
 +#define BITMAP_SIZE(m) (ALIGN(((m)>>TARGET_PAGE_BITS), HOST_LONG_BITS) / 8)
 +
 +#ifdef CONFIG_KVM
 +#include "qemu-queue.h"
 +
 +extern int kvm_irqchip;
 +extern int kvm_pit;
 +extern int kvm_pit_reinject;
 +extern int kvm_nested;
 +extern kvm_context_t kvm_context;
 +
 +struct ioperm_data {
 +    unsigned long start_port;
 +    unsigned long num;
 +    int turn_on;
 +    QLIST_ENTRY(ioperm_data) entries;
 +};
 +
 +void qemu_kvm_cpu_stop(CPUState *env);
 +int kvm_arch_halt(CPUState *env);
 +int handle_tpr_access(void *opaque, CPUState *env, uint64_t rip,
 +                      int is_write);
 +
 +#define qemu_kvm_has_gsi_routing() kvm_has_gsi_routing()
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() kvm_has_pit_state2(kvm_context)
 +#endif
 +#else
 +#define kvm_nested 0
 +#define qemu_kvm_has_gsi_routing() (0)
 +#ifdef TARGET_I386
 +#define qemu_kvm_has_pit_state2() (0)
 +#endif
 +#define qemu_kvm_cpu_stop(env) do {} while(0)
 +#endif
 +
 +#ifdef CONFIG_KVM
 +
 +typedef struct KVMSlot {
 +    target_phys_addr_t start_addr;
 +    ram_addr_t memory_size;
 +    ram_addr_t phys_offset;
 +    int slot;
 +    int flags;
 +} KVMSlot;
 +
 +typedef struct kvm_dirty_log KVMDirtyLog;
 +
 +struct KVMState {
 +    KVMSlot slots[32];
 +    int fd;
 +    int vmfd;
 +    int coalesced_mmio;
 +#ifdef KVM_CAP_COALESCED_MMIO
 +    struct kvm_coalesced_mmio_ring *coalesced_mmio_ring;
 +#endif
 +    int broken_set_mem_region;
 +    int migration_log;
 +    int vcpu_events;
 +    int robust_singlestep;
 +    int debugregs;
 +#ifdef KVM_CAP_SET_GUEST_DEBUG
 +    QTAILQ_HEAD(, kvm_sw_breakpoint) kvm_sw_breakpoints;
 +#endif
 +    int irqchip_in_kernel;
 +    int pit_in_kernel;
 +
 +    struct kvm_context kvm_context;
 +};
 +
 +extern struct KVMState *kvm_state;
 +
 +int kvm_tpr_enable_vapic(CPUState *env);
 +
 +unsigned long kvm_get_thread_id(void);
 +int kvm_cpu_is_stopped(CPUState *env);
 +
 +#endif
 +
 +#endif
diff --cc target-i386/helper.c
index a49bb92,4b430dd..82e6cf9
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@@ -27,9 -27,8 +27,10 @@@
  #include "exec-all.h"
  #include "qemu-common.h"
  #include "kvm.h"
+ #include "kvm_x86.h"
  
 +#include "qemu-kvm.h"
 +
  //#define DEBUG_MMU
  
  /* NOTE: must be called outside the CPU execute loop */
@@@ -1029,11 -1028,6 +1030,11 @@@ void cpu_inject_x86_mce(CPUState *cenv
      unsigned bank_num = mcg_cap & 0xff;
      uint64_t *banks = cenv->mce_banks;
  
 +    if (kvm_enabled()) {
-         kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc, 0);
++        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc);
 +        return;
 +    }
 +
      if (bank >= bank_num || !(status & MCI_STATUS_VAL))
          return;
  
diff --cc target-i386/kvm.c
index 89a075f,343fb02..9bc9193
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@@ -167,11 -168,69 +168,72 @@@ static int get_para_features(CPUState *
  }
  #endif
  
+ #ifdef KVM_CAP_MCE
+ static int kvm_get_mce_cap_supported(KVMState *s, uint64_t *mce_cap,
+                                      int *max_banks)
+ {
+     int r;
+ 
+     r = kvm_ioctl(s, KVM_CHECK_EXTENSION, KVM_CAP_MCE);
+     if (r > 0) {
+         *max_banks = r;
+         return kvm_ioctl(s, KVM_X86_GET_MCE_CAP_SUPPORTED, mce_cap);
+     }
+     return -ENOSYS;
+ }
+ 
+ static int kvm_setup_mce(CPUState *env, uint64_t *mcg_cap)
+ {
+     return kvm_vcpu_ioctl(env, KVM_X86_SETUP_MCE, mcg_cap);
+ }
+ 
+ static int kvm_set_mce(CPUState *env, struct kvm_x86_mce *m)
+ {
+     return kvm_vcpu_ioctl(env, KVM_X86_SET_MCE, m);
+ }
+ 
+ struct kvm_x86_mce_data
+ {
+     CPUState *env;
+     struct kvm_x86_mce *mce;
+ };
+ 
+ static void kvm_do_inject_x86_mce(void *_data)
+ {
+     struct kvm_x86_mce_data *data = _data;
+     int r;
+ 
+     r = kvm_set_mce(data->env, data->mce);
+     if (r < 0)
+         perror("kvm_set_mce FAILED");
+ }
+ #endif
+ 
+ void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
+                         uint64_t mcg_status, uint64_t addr, uint64_t misc)
+ {
+ #ifdef KVM_CAP_MCE
+     struct kvm_x86_mce mce = {
+         .bank = bank,
+         .status = status,
+         .mcg_status = mcg_status,
+         .addr = addr,
+         .misc = misc,
+     };
+     struct kvm_x86_mce_data data = {
+             .env = cenv,
+             .mce = &mce,
+     };
+ 
+     run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
+ #endif
+ }
+ 
 +static int _kvm_arch_init_vcpu(CPUState *env);
 +
  int kvm_arch_init_vcpu(CPUState *env)
  {
 +    int r;
      struct {
          struct kvm_cpuid2 cpuid;
          struct kvm_cpuid_entry2 entries[100];
commit b4f09f67956e74367d3ba35137985bb9fc314842
Merge: 602b489... 296acb6...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 20:54:03 2010 -0200

    Merge commit '296acb643b0f7ec3ab3d8c4a8fc48039d9269818' into upstream-merge
    
    * commit '296acb643b0f7ec3ab3d8c4a8fc48039d9269818':
      Add svm cpuid features
      Set cpuid definition to 0 before initializing it
      configure: Support disabling warnings in $gcc_flags
      tcg: Fix compiler error (comparison of unsigned expression)
      wacom tablet: activate event handlers.
      vmmouse: adapt to mouse handler changes.
      [virtio-9p] Add support to v9fs_string_alloc_printf() for handling %lu.
      [virtio-9p] Use preadv/pwritev instead of readv/writev
      [virtio-9p] Qemu 9p commandline options validity checks
      virtio-9p: Support mapped posix acl
      virtio-9p: Use layered xattr approach
      [virtio-9p] Ignore O_DIRECT hint from client.
      qemu-virtio-9p: Implement TREADLINK operation for 9p2000.L
      [virtio-9p] Introduce server side TFSYNC/RFSYNC for dotl
      qemu-virtio9p: Implement TGETLOCK
      [virto-9p] Implement TLOCK
      [virtio-9p] open should not return EBADF
      trace: improve info trace output
      trace: Format strings must begin/end with double quotes
    
    Conflicts:
    	target-i386/cpuid.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc target-i386/cpuid.c
index d63fdcb,0e0bf60..ae76470
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@@ -1133,32 -1176,6 +1176,31 @@@ void cpu_x86_cpuid(CPUX86State *env, ui
                  *ecx |= 1 << 1;    /* CmpLegacy bit */
              }
          }
- 
 +        if (kvm_enabled()) {
 +            uint32_t h_eax, h_edx;
 +
 +            host_cpuid(index, 0, &h_eax, NULL, NULL, &h_edx);
 +
 +            /* disable CPU features that the host does not support */
 +
 +            /* long mode */
 +            if ((h_edx & 0x20000000) == 0 /* || !lm_capable_kernel */)
 +                *edx &= ~0x20000000;
 +            /* syscall */
 +            if ((h_edx & 0x00000800) == 0)
 +                *edx &= ~0x00000800;
 +            /* nx */
 +            if ((h_edx & 0x00100000) == 0)
 +                *edx &= ~0x00100000;
 +
 +            /* disable CPU features that KVM cannot support */
 +
 +            /* svm */
 +            if (!kvm_nested)
 +                *ecx &= ~CPUID_EXT3_SVM;
 +            /* 3dnow */
 +            *edx &= ~0xc0000000;
 +        }
          break;
      case 0x80000002:
      case 0x80000003:
commit 602b489d8a02f6a870899116703c4b078b9f6f20
Merge: bd8b215... d8023f3...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Oct 20 20:46:05 2010 -0200

    Merge commit 'd8023f311499e06c02b4da7e74388d7ad906ea23' into upstream-merge
    
    * commit 'd8023f311499e06c02b4da7e74388d7ad906ea23':
      apic: convert debug printf statements to tracepoints
      trace: Relax trace-events parsing regex in simpletrace.py
    
    Conflicts:
    	hw/apic.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/apic.c
index fa23afb,63d62c7..1dd94b1
--- a/hw/apic.c
+++ b/hw/apic.c
@@@ -21,25 -21,8 +21,9 @@@
  #include "qemu-timer.h"
  #include "host-utils.h"
  #include "sysbus.h"
+ #include "trace.h"
 +#include "kvm.h"
  
- //#define DEBUG_APIC
- //#define DEBUG_COALESCING
- 
- #ifdef DEBUG_APIC
- #define DPRINTF(fmt, ...)                                       \
-     do { printf("apic: " fmt , ## __VA_ARGS__); } while (0)
- #else
- #define DPRINTF(fmt, ...)
- #endif
- 
- #ifdef DEBUG_COALESCING
- #define DPRINTF_C(fmt, ...)                                     \
-     do { printf("apic: " fmt , ## __VA_ARGS__); } while (0)
- #else
- #define DPRINTF_C(fmt, ...)
- #endif
- 
  /* APIC Local Vector Table */
  #define APIC_LVT_TIMER   0
  #define APIC_LVT_THERMAL 1
@@@ -313,14 -296,12 +297,15 @@@ void cpu_set_apic_base(DeviceState *d, 
  {
      APICState *s = DO_UPCAST(APICState, busdev.qdev, d);
  
-     DPRINTF("cpu_set_apic_base: %016" PRIx64 "\n", val);
+     trace_cpu_set_apic_base(val);
+ 
      if (!s)
          return;
 -    s->apicbase = (val & 0xfffff000) |
 -        (s->apicbase & (MSR_IA32_APICBASE_BSP | MSR_IA32_APICBASE_ENABLE));
 +    if (kvm_enabled() && kvm_irqchip_in_kernel())
 +        s->apicbase = val;
 +    else
 +        s->apicbase = (val & 0xfffff000) |
 +            (s->apicbase & (MSR_IA32_APICBASE_BSP | MSR_IA32_APICBASE_ENABLE));
      /* if disabled, cannot be enabled again */
      if (!(val & MSR_IA32_APICBASE_ENABLE)) {
          s->apicbase &= ~MSR_IA32_APICBASE_ENABLE;
commit 633aa0acfe2c4d3e56acfe28c912796bf54de6d3
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Oct 17 11:45:25 2010 +0200

    Fix pci hotplug to generate level triggered interrupt.
    
    SCI is level triggered. pci hotplug should behave appropriately.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index bec42b4..f74f34c 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -107,7 +107,9 @@ static void pm_update_sci(PIIX4PMState *s)
                   (ACPI_BITMASK_RT_CLOCK_ENABLE |
                    ACPI_BITMASK_POWER_BUTTON_ENABLE |
                    ACPI_BITMASK_GLOBAL_LOCK_ENABLE |
-                   ACPI_BITMASK_TIMER_ENABLE)) != 0);
+                   ACPI_BITMASK_TIMER_ENABLE)) != 0) ||
+        (((s->gpe.sts & s->gpe.en) & PIIX4_PCI_HOTPLUG_STATUS) != 0);
+
     qemu_set_irq(s->irq, sci_level);
     /* schedule a timer interruption if needed */
     if ((s->pmen & ACPI_BITMASK_TIMER_ENABLE) &&
@@ -462,7 +464,9 @@ static uint32_t gpe_read_val(uint16_t val, uint32_t addr)
 static uint32_t gpe_readb(void *opaque, uint32_t addr)
 {
     uint32_t val = 0;
-    struct gpe_regs *g = opaque;
+    PIIX4PMState *s = opaque;
+    struct gpe_regs *g = &s->gpe;
+
     switch (addr) {
         case GPE_BASE:
         case GPE_BASE + 1:
@@ -502,7 +506,9 @@ static void gpe_reset_val(uint16_t *cur, int addr, uint32_t val)
 
 static void gpe_writeb(void *opaque, uint32_t addr, uint32_t val)
 {
-    struct gpe_regs *g = opaque;
+    PIIX4PMState *s = opaque;
+    struct gpe_regs *g = &s->gpe;
+
     switch (addr) {
         case GPE_BASE:
         case GPE_BASE + 1:
@@ -514,7 +520,9 @@ static void gpe_writeb(void *opaque, uint32_t addr, uint32_t val)
             break;
         default:
             break;
-   }
+    }
+
+    pm_update_sci(s);
 
     PIIX4_DPRINTF("gpe write %x <== %d\n", addr, val);
 }
@@ -581,11 +589,10 @@ static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state);
 
 static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
 {
-    struct gpe_regs *gpe = &s->gpe;
     struct pci_status *pci0_status = &s->pci0_status;
 
-    register_ioport_write(GPE_BASE, 4, 1, gpe_writeb, gpe);
-    register_ioport_read(GPE_BASE, 4, 1,  gpe_readb, gpe);
+    register_ioport_write(GPE_BASE, 4, 1, gpe_writeb, s);
+    register_ioport_read(GPE_BASE, 4, 1,  gpe_readb, s);
 
     register_ioport_write(PCI_BASE, 8, 4, pcihotplug_write, pci0_status);
     register_ioport_read(PCI_BASE, 8, 4,  pcihotplug_read, pci0_status);
@@ -621,9 +628,8 @@ static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state)
     } else {
         disable_device(s, slot);
     }
-    if (s->gpe.en & 2) {
-        qemu_set_irq(s->irq, 1);
-        qemu_set_irq(s->irq, 0);
-    }
+
+    pm_update_sci(s);
+
     return 0;
 }
commit 4441a2870a669b9dd0f79a040850412f3d8428ca
Author: Gleb Natapov <gleb at redhat.com>
Date:   Sun Oct 17 11:45:24 2010 +0200

    Use defines instead of numbers for pci hotplug sts bit
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index c8733e5..bec42b4 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -38,6 +38,8 @@
 #define PCI_BASE 0xae00
 #define PCI_EJ_BASE 0xae08
 
+#define PIIX4_PCI_HOTPLUG_STATUS 2
+
 struct gpe_regs {
     uint16_t sts; /* status */
     uint16_t en;  /* enabled */
@@ -596,13 +598,13 @@ static void piix4_acpi_system_hot_add_init(PCIBus *bus, PIIX4PMState *s)
 
 static void enable_device(PIIX4PMState *s, int slot)
 {
-    s->gpe.sts |= 2;
+    s->gpe.sts |= PIIX4_PCI_HOTPLUG_STATUS;
     s->pci0_status.up |= (1 << slot);
 }
 
 static void disable_device(PIIX4PMState *s, int slot)
 {
-    s->gpe.sts |= 2;
+    s->gpe.sts |= PIIX4_PCI_HOTPLUG_STATUS;
     s->pci0_status.down |= (1 << slot);
 }
 
commit 577804958ae8ea40b630bc820b72c33f37b01e81
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 11 15:31:22 2010 -0300

    Add savevm/loadvm support for MCE
    
    Port qemu-kvm's
    
    commit 1bab5d11545d8de5facf46c28630085a2f9651ae
    Author: Huang Ying <ying.huang at intel.com>
    Date:   Wed Mar 3 16:52:46 2010 +0800
    
        Add savevm/loadvm support for MCE
    
        MCE registers are saved/load into/from CPUState in
        kvm_arch_save/load_regs. To simulate the MCG_STATUS clearing upon
        reset, MSR_MCG_STATUS is set to 0 for KVM_PUT_RESET_STATE.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 0161f6d..35daf90 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -777,7 +777,7 @@ static int kvm_put_msrs(CPUState *env, int level)
         struct kvm_msr_entry entries[100];
     } msr_data;
     struct kvm_msr_entry *msrs = msr_data.entries;
-    int n = 0;
+    int i, n = 0;
 
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS, env->sysenter_cs);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
@@ -797,6 +797,18 @@ static int kvm_put_msrs(CPUState *env, int level)
                           env->system_time_msr);
         kvm_msr_entry_set(&msrs[n++], MSR_KVM_WALL_CLOCK, env->wall_clock_msr);
     }
+#ifdef KVM_CAP_MCE
+    if (env->mcg_cap) {
+        if (level == KVM_PUT_RESET_STATE)
+            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
+        else if (level == KVM_PUT_FULL_STATE) {
+            kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
+            kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
+            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
+                kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
+        }
+    }
+#endif
 
     msr_data.info.nmsrs = n;
 
@@ -1004,6 +1016,15 @@ static int kvm_get_msrs(CPUState *env)
     msrs[n++].index = MSR_KVM_SYSTEM_TIME;
     msrs[n++].index = MSR_KVM_WALL_CLOCK;
 
+#ifdef KVM_CAP_MCE
+    if (env->mcg_cap) {
+        msrs[n++].index = MSR_MCG_STATUS;
+        msrs[n++].index = MSR_MCG_CTL;
+        for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++)
+            msrs[n++].index = MSR_MC0_CTL + i;
+    }
+#endif
+
     msr_data.info.nmsrs = n;
     ret = kvm_vcpu_ioctl(env, KVM_GET_MSRS, &msr_data);
     if (ret < 0)
@@ -1046,6 +1067,22 @@ static int kvm_get_msrs(CPUState *env)
         case MSR_KVM_WALL_CLOCK:
             env->wall_clock_msr = msrs[i].data;
             break;
+#ifdef KVM_CAP_MCE
+        case MSR_MCG_STATUS:
+            env->mcg_status = msrs[i].data;
+            break;
+        case MSR_MCG_CTL:
+            env->mcg_ctl = msrs[i].data;
+            break;
+#endif
+        default:
+#ifdef KVM_CAP_MCE
+            if (msrs[i].index >= MSR_MC0_CTL &&
+                msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
+                env->mce_banks[msrs[i].index - MSR_MC0_CTL] = msrs[i].data;
+                break;
+            }
+#endif
         }
     }
 
commit c0532a76b407af4b276dc5a62d8178db59857ea6
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 11 15:31:21 2010 -0300

    MCE: Relay UCR MCE to guest
    
    Port qemu-kvm's
    
    commit 4b62fff1101a7ad77553147717a8bd3bf79df7ef
    Author: Huang Ying <ying.huang at intel.com>
    Date:   Mon Sep 21 10:43:25 2009 +0800
    
        MCE: Relay UCR MCE to guest
    
        UCR (uncorrected recovery) MCE is supported in recent Intel CPUs,
        where some hardware error such as some memory error can be reported
        without PCC (processor context corrupted). To recover from such MCE,
        the corresponding memory will be unmapped, and all processes accessing
        the memory will be killed via SIGBUS.
    
        For KVM, if QEMU/KVM is killed, all guest processes will be killed
        too. So we relay SIGBUS from host OS to guest system via a UCR MCE
        injection. Then guest OS can isolate corresponding memory and kill
        necessary guest processes only. SIGBUS sent to main thread (not VCPU
        threads) will be broadcast to all VCPU threads as UCR MCE.
    
    aliguori: fix build
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/cpus.c b/cpus.c
index 3875657..36a6d1f 100644
--- a/cpus.c
+++ b/cpus.c
@@ -34,6 +34,9 @@
 
 #include "cpus.h"
 #include "compatfd.h"
+#ifdef CONFIG_LINUX
+#include <sys/prctl.h>
+#endif
 
 #ifdef SIGRTMIN
 #define SIG_IPI (SIGRTMIN+4)
@@ -41,6 +44,10 @@
 #define SIG_IPI SIGUSR1
 #endif
 
+#ifndef PR_MCE_KILL
+#define PR_MCE_KILL 33
+#endif
+
 static CPUState *next_cpu;
 
 /***********************************************************/
@@ -498,28 +505,77 @@ static void qemu_tcg_wait_io_event(void)
     }
 }
 
+static void sigbus_reraise(void)
+{
+    sigset_t set;
+    struct sigaction action;
+
+    memset(&action, 0, sizeof(action));
+    action.sa_handler = SIG_DFL;
+    if (!sigaction(SIGBUS, &action, NULL)) {
+        raise(SIGBUS);
+        sigemptyset(&set);
+        sigaddset(&set, SIGBUS);
+        sigprocmask(SIG_UNBLOCK, &set, NULL);
+    }
+    perror("Failed to re-raise SIGBUS!\n");
+    abort();
+}
+
+static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
+                           void *ctx)
+{
+#if defined(TARGET_I386)
+    if (kvm_on_sigbus(siginfo->ssi_code, (void *)(intptr_t)siginfo->ssi_addr))
+#endif
+        sigbus_reraise();
+}
+
 static void qemu_kvm_eat_signal(CPUState *env, int timeout)
 {
     struct timespec ts;
     int r, e;
     siginfo_t siginfo;
     sigset_t waitset;
+    sigset_t chkset;
 
     ts.tv_sec = timeout / 1000;
     ts.tv_nsec = (timeout % 1000) * 1000000;
 
     sigemptyset(&waitset);
     sigaddset(&waitset, SIG_IPI);
+    sigaddset(&waitset, SIGBUS);
 
-    qemu_mutex_unlock(&qemu_global_mutex);
-    r = sigtimedwait(&waitset, &siginfo, &ts);
-    e = errno;
-    qemu_mutex_lock(&qemu_global_mutex);
+    do {
+        qemu_mutex_unlock(&qemu_global_mutex);
 
-    if (r == -1 && !(e == EAGAIN || e == EINTR)) {
-        fprintf(stderr, "sigtimedwait: %s\n", strerror(e));
-        exit(1);
-    }
+        r = sigtimedwait(&waitset, &siginfo, &ts);
+        e = errno;
+
+        qemu_mutex_lock(&qemu_global_mutex);
+
+        if (r == -1 && !(e == EAGAIN || e == EINTR)) {
+            fprintf(stderr, "sigtimedwait: %s\n", strerror(e));
+            exit(1);
+        }
+
+        switch (r) {
+        case SIGBUS:
+#ifdef TARGET_I386
+            if (kvm_on_sigbus_vcpu(env, siginfo.si_code, siginfo.si_addr))
+#endif
+                sigbus_reraise();
+            break;
+        default:
+            break;
+        }
+
+        r = sigpending(&chkset);
+        if (r == -1) {
+            fprintf(stderr, "sigpending: %s\n", strerror(e));
+            exit(1);
+        }
+    } while (sigismember(&chkset, SIG_IPI) || sigismember(&chkset, SIGBUS));
 }
 
 static void qemu_kvm_wait_io_event(CPUState *env)
@@ -640,6 +696,7 @@ static void kvm_init_ipi(CPUState *env)
 
     pthread_sigmask(SIG_BLOCK, NULL, &set);
     sigdelset(&set, SIG_IPI);
+    sigdelset(&set, SIGBUS);
     r = kvm_set_signal_mask(env, &set);
     if (r) {
         fprintf(stderr, "kvm_set_signal_mask: %s\n", strerror(r));
@@ -650,6 +707,7 @@ static void kvm_init_ipi(CPUState *env)
 static sigset_t block_io_signals(void)
 {
     sigset_t set;
+    struct sigaction action;
 
     /* SIGUSR2 used by posix-aio-compat.c */
     sigemptyset(&set);
@@ -660,8 +718,15 @@ static sigset_t block_io_signals(void)
     sigaddset(&set, SIGIO);
     sigaddset(&set, SIGALRM);
     sigaddset(&set, SIG_IPI);
+    sigaddset(&set, SIGBUS);
     pthread_sigmask(SIG_BLOCK, &set, NULL);
 
+    memset(&action, 0, sizeof(action));
+    action.sa_flags = SA_SIGINFO;
+    action.sa_sigaction = (void (*)(int, siginfo_t*, void*))sigbus_handler;
+    sigaction(SIGBUS, &action, NULL);
+    prctl(PR_MCE_KILL, 1, 1, 0, 0);
+
     return set;
 }
 
diff --git a/kvm-stub.c b/kvm-stub.c
index d45f9fa..5384a4b 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -141,3 +141,8 @@ int kvm_set_ioeventfd_mmio_long(int fd, uint32_t adr, uint32_t val, bool assign)
 {
     return -ENOSYS;
 }
+
+int kvm_on_sigbus(int code, void *addr)
+{
+    return 1;
+}
diff --git a/kvm.h b/kvm.h
index b2fb3af..60a9b42 100644
--- a/kvm.h
+++ b/kvm.h
@@ -110,6 +110,9 @@ int kvm_arch_init_vcpu(CPUState *env);
 
 void kvm_arch_reset_vcpu(CPUState *env);
 
+int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr);
+int kvm_on_sigbus(int code, void *addr);
+
 struct kvm_guest_debug;
 struct kvm_debug_exit_arch;
 
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 77eeab1..85ed30f 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -250,16 +250,32 @@
 #define PG_ERROR_RSVD_MASK 0x08
 #define PG_ERROR_I_D_MASK  0x10
 
-#define MCG_CTL_P	(1UL<<8)   /* MCG_CAP register available */
+#define MCG_CTL_P	(1ULL<<8)   /* MCG_CAP register available */
+#define MCG_SER_P	(1ULL<<24) /* MCA recovery/new status bits */
 
-#define MCE_CAP_DEF	MCG_CTL_P
+#define MCE_CAP_DEF	(MCG_CTL_P|MCG_SER_P)
 #define MCE_BANKS_DEF	10
 
+#define MCG_STATUS_RIPV	(1ULL<<0)   /* restart ip valid */
+#define MCG_STATUS_EIPV	(1ULL<<1)   /* ip points to correct instruction */
 #define MCG_STATUS_MCIP	(1ULL<<2)   /* machine check in progress */
 
 #define MCI_STATUS_VAL	(1ULL<<63)  /* valid error */
 #define MCI_STATUS_OVER	(1ULL<<62)  /* previous errors lost */
 #define MCI_STATUS_UC	(1ULL<<61)  /* uncorrected error */
+#define MCI_STATUS_EN	(1ULL<<60)  /* error enabled */
+#define MCI_STATUS_MISCV (1ULL<<59) /* misc error reg. valid */
+#define MCI_STATUS_ADDRV (1ULL<<58) /* addr reg. valid */
+#define MCI_STATUS_PCC	(1ULL<<57)  /* processor context corrupt */
+#define MCI_STATUS_S	(1ULL<<56)  /* Signaled machine check */
+#define MCI_STATUS_AR	(1ULL<<55)  /* Action required */
+
+/* MISC register defines */
+#define MCM_ADDR_SEGOFF	0	/* segment offset */
+#define MCM_ADDR_LINEAR	1	/* linear address */
+#define MCM_ADDR_PHYS	2	/* physical address */
+#define MCM_ADDR_MEM	3	/* memory address */
+#define MCM_ADDR_GENERIC 7	/* generic */
 
 #define MSR_IA32_TSC                    0x10
 #define MSR_IA32_APICBASE               0x1b
diff --git a/target-i386/helper.c b/target-i386/helper.c
index 4b430dd..4fff4a8 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -1032,7 +1032,7 @@ void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
         return;
 
     if (kvm_enabled()) {
-        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc);
+        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc, 0);
         return;
     }
 
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 343fb02..0161f6d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -46,6 +46,13 @@
 #define MSR_KVM_WALL_CLOCK  0x11
 #define MSR_KVM_SYSTEM_TIME 0x12
 
+#ifndef BUS_MCEERR_AR
+#define BUS_MCEERR_AR 4
+#endif
+#ifndef BUS_MCEERR_AO
+#define BUS_MCEERR_AO 5
+#endif
+
 #ifdef KVM_CAP_EXT_CPUID
 
 static struct kvm_cpuid2 *try_get_cpuid(KVMState *s, int max)
@@ -192,10 +199,39 @@ static int kvm_set_mce(CPUState *env, struct kvm_x86_mce *m)
     return kvm_vcpu_ioctl(env, KVM_X86_SET_MCE, m);
 }
 
+static int kvm_get_msr(CPUState *env, struct kvm_msr_entry *msrs, int n)
+{
+    struct kvm_msrs *kmsrs = qemu_malloc(sizeof *kmsrs + n * sizeof *msrs);
+    int r;
+
+    kmsrs->nmsrs = n;
+    memcpy(kmsrs->entries, msrs, n * sizeof *msrs);
+    r = kvm_vcpu_ioctl(env, KVM_GET_MSRS, kmsrs);
+    memcpy(msrs, kmsrs->entries, n * sizeof *msrs);
+    free(kmsrs);
+    return r;
+}
+
+/* FIXME: kill this and kvm_get_msr, use env->mcg_status instead */
+static int kvm_mce_in_exception(CPUState *env)
+{
+    struct kvm_msr_entry msr_mcg_status = {
+        .index = MSR_MCG_STATUS,
+    };
+    int r;
+
+    r = kvm_get_msr(env, &msr_mcg_status, 1);
+    if (r == -1 || r == 0) {
+        return -1;
+    }
+    return !!(msr_mcg_status.data & MCG_STATUS_MCIP);
+}
+
 struct kvm_x86_mce_data
 {
     CPUState *env;
     struct kvm_x86_mce *mce;
+    int abort_on_error;
 };
 
 static void kvm_do_inject_x86_mce(void *_data)
@@ -203,14 +239,26 @@ static void kvm_do_inject_x86_mce(void *_data)
     struct kvm_x86_mce_data *data = _data;
     int r;
 
+    /* If there is an MCE excpetion being processed, ignore this SRAO MCE */
+    r = kvm_mce_in_exception(data->env);
+    if (r == -1)
+        fprintf(stderr, "Failed to get MCE status\n");
+    else if (r && !(data->mce->status & MCI_STATUS_AR))
+        return;
+
     r = kvm_set_mce(data->env, data->mce);
-    if (r < 0)
+    if (r < 0) {
         perror("kvm_set_mce FAILED");
+        if (data->abort_on_error) {
+            abort();
+        }
+    }
 }
 #endif
 
 void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
-                        uint64_t mcg_status, uint64_t addr, uint64_t misc)
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc,
+                        int abort_on_error)
 {
 #ifdef KVM_CAP_MCE
     struct kvm_x86_mce mce = {
@@ -225,7 +273,15 @@ void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
             .mce = &mce,
     };
 
+    if (!cenv->mcg_cap) {
+        fprintf(stderr, "MCE support is not enabled!\n");
+        return;
+    }
+
     run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
+#else
+    if (abort_on_error)
+        abort();
 #endif
 }
 
@@ -1528,3 +1584,121 @@ bool kvm_arch_stop_on_emulation_error(CPUState *env)
               ((env->segs[R_CS].selector  & 3) != 3);
 }
 
+static void hardware_memory_error(void)
+{
+    fprintf(stderr, "Hardware memory error!\n");
+    exit(1);
+}
+
+int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr)
+{
+#if defined(KVM_CAP_MCE)
+    struct kvm_x86_mce mce = {
+            .bank = 9,
+    };
+    void *vaddr;
+    ram_addr_t ram_addr;
+    target_phys_addr_t paddr;
+    int r;
+
+    if ((env->mcg_cap & MCG_SER_P) && addr
+        && (code == BUS_MCEERR_AR
+            || code == BUS_MCEERR_AO)) {
+        if (code == BUS_MCEERR_AR) {
+            /* Fake an Intel architectural Data Load SRAR UCR */
+            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                | MCI_STATUS_AR | 0x134;
+            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
+            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_EIPV;
+        } else {
+            /*
+             * If there is an MCE excpetion being processed, ignore
+             * this SRAO MCE
+             */
+            r = kvm_mce_in_exception(env);
+            if (r == -1) {
+                fprintf(stderr, "Failed to get MCE status\n");
+            } else if (r) {
+                return 0;
+            }
+            /* Fake an Intel architectural Memory scrubbing UCR */
+            mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+                | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+                | 0xc0;
+            mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
+            mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
+        }
+        vaddr = (void *)addr;
+        if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
+            !kvm_physical_memory_addr_from_ram(env->kvm_state, ram_addr, &paddr)) {
+            fprintf(stderr, "Hardware memory error for memory used by "
+                    "QEMU itself instead of guest system!\n");
+            /* Hope we are lucky for AO MCE */
+            if (code == BUS_MCEERR_AO) {
+                return 0;
+            } else {
+                hardware_memory_error();
+            }
+        }
+        mce.addr = paddr;
+        r = kvm_set_mce(env, &mce);
+        if (r < 0) {
+            fprintf(stderr, "kvm_set_mce: %s\n", strerror(errno));
+            abort();
+        }
+    } else
+#endif
+    {
+        if (code == BUS_MCEERR_AO) {
+            return 0;
+        } else if (code == BUS_MCEERR_AR) {
+            hardware_memory_error();
+        } else {
+            return 1;
+        }
+    }
+    return 0;
+}
+
+int kvm_on_sigbus(int code, void *addr)
+{
+#if defined(KVM_CAP_MCE)
+    if ((first_cpu->mcg_cap & MCG_SER_P) && addr && code == BUS_MCEERR_AO) {
+        uint64_t status;
+        void *vaddr;
+        ram_addr_t ram_addr;
+        target_phys_addr_t paddr;
+        CPUState *cenv;
+
+        /* Hope we are lucky for AO MCE */
+        vaddr = addr;
+        if (qemu_ram_addr_from_host(vaddr, &ram_addr) ||
+            !kvm_physical_memory_addr_from_ram(first_cpu->kvm_state, ram_addr, &paddr)) {
+            fprintf(stderr, "Hardware memory error for memory used by "
+                    "QEMU itself instead of guest system!: %p\n", addr);
+            return 0;
+        }
+        status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
+            | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
+            | 0xc0;
+        kvm_inject_x86_mce(first_cpu, 9, status,
+                           MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
+                           (MCM_ADDR_PHYS << 6) | 0xc, 1);
+        for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
+            kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
+                               MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
+        }
+    } else
+#endif
+    {
+        if (code == BUS_MCEERR_AO) {
+            return 0;
+        } else if (code == BUS_MCEERR_AR) {
+            hardware_memory_error();
+        } else {
+            return 1;
+        }
+    }
+    return 0;
+}
diff --git a/target-i386/kvm_x86.h b/target-i386/kvm_x86.h
index c1ebd24..04932cf 100644
--- a/target-i386/kvm_x86.h
+++ b/target-i386/kvm_x86.h
@@ -16,6 +16,7 @@
 #define __KVM_X86_H__
 
 void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
-                        uint64_t mcg_status, uint64_t addr, uint64_t misc);
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc,
+                        int abort_on_error);
 
 #endif
commit 983dfc3b135de0a4808a41a8ca71e1809ba6a62e
Author: Huang Ying <ying.huang at intel.com>
Date:   Mon Oct 11 15:31:20 2010 -0300

    Add RAM -> physical addr mapping in MCE simulation
    
    In QEMU-KVM, physical address != RAM address. While MCE simulation
    needs physical address instead of RAM address. So
    kvm_physical_memory_addr_from_ram() is implemented to do the
    conversion, and it is invoked before being filled in the IA32_MCi_ADDR
    MSR.
    
    Reported-by: Dean Nelson <dnelson at redhat.com>
    Signed-off-by: Huang Ying <ying.huang at intel.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index 1cc696f..37b99c7 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -137,6 +137,24 @@ static KVMSlot *kvm_lookup_overlapping_slot(KVMState *s,
     return found;
 }
 
+int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
+                                      target_phys_addr_t *phys_addr)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->slots); i++) {
+        KVMSlot *mem = &s->slots[i];
+
+        if (ram_addr >= mem->phys_offset &&
+            ram_addr < mem->phys_offset + mem->memory_size) {
+            *phys_addr = mem->start_addr + (ram_addr - mem->phys_offset);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 static int kvm_set_user_memory_region(KVMState *s, KVMSlot *slot)
 {
     struct kvm_userspace_memory_region mem;
diff --git a/kvm.h b/kvm.h
index 50b6c01..b2fb3af 100644
--- a/kvm.h
+++ b/kvm.h
@@ -174,6 +174,12 @@ static inline void cpu_synchronize_post_init(CPUState *env)
     }
 }
 
+
+#if !defined(CONFIG_USER_ONLY)
+int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
+                                      target_phys_addr_t *phys_addr);
+#endif
+
 #endif
 int kvm_set_ioeventfd_mmio_long(int fd, uint32_t adr, uint32_t val, bool assign);
 
commit e890261f671a0573efbc024972d8769423fc82fc
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 11 15:31:19 2010 -0300

    Export qemu_ram_addr_from_host
    
    To be used by next patches.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/cpu-common.h b/cpu-common.h
index 0426bc8..a543b5d 100644
--- a/cpu-common.h
+++ b/cpu-common.h
@@ -47,7 +47,8 @@ void qemu_ram_free(ram_addr_t addr);
 /* This should only be used for ram local to a device.  */
 void *qemu_get_ram_ptr(ram_addr_t addr);
 /* This should not be used by devices.  */
-ram_addr_t qemu_ram_addr_from_host(void *ptr);
+int qemu_ram_addr_from_host(void *ptr, ram_addr_t *ram_addr);
+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
 
 int cpu_register_io_memory(CPUReadMemoryFunc * const *mem_read,
                            CPUWriteMemoryFunc * const *mem_write,
diff --git a/exec-all.h b/exec-all.h
index 3a53fe6..c457058 100644
--- a/exec-all.h
+++ b/exec-all.h
@@ -334,7 +334,7 @@ static inline tb_page_addr_t get_page_addr_code(CPUState *env1, target_ulong add
     }
     p = (void *)(unsigned long)addr
         + env1->tlb_table[mmu_idx][page_index].addend;
-    return qemu_ram_addr_from_host(p);
+    return qemu_ram_addr_from_host_nofail(p);
 }
 #endif
 
diff --git a/exec.c b/exec.c
index 1fbe91c..631d8c5 100644
--- a/exec.c
+++ b/exec.c
@@ -2085,7 +2085,7 @@ static inline void tlb_update_dirty(CPUTLBEntry *tlb_entry)
     if ((tlb_entry->addr_write & ~TARGET_PAGE_MASK) == IO_MEM_RAM) {
         p = (void *)(unsigned long)((tlb_entry->addr_write & TARGET_PAGE_MASK)
             + tlb_entry->addend);
-        ram_addr = qemu_ram_addr_from_host(p);
+        ram_addr = qemu_ram_addr_from_host_nofail(p);
         if (!cpu_physical_memory_is_dirty(ram_addr)) {
             tlb_entry->addr_write |= TLB_NOTDIRTY;
         }
@@ -2938,23 +2938,31 @@ void *qemu_get_ram_ptr(ram_addr_t addr)
     return NULL;
 }
 
-/* Some of the softmmu routines need to translate from a host pointer
-   (typically a TLB entry) back to a ram offset.  */
-ram_addr_t qemu_ram_addr_from_host(void *ptr)
+int qemu_ram_addr_from_host(void *ptr, ram_addr_t *ram_addr)
 {
     RAMBlock *block;
     uint8_t *host = ptr;
 
     QLIST_FOREACH(block, &ram_list.blocks, next) {
         if (host - block->host < block->length) {
-            return block->offset + (host - block->host);
+            *ram_addr = block->offset + (host - block->host);
+            return 0;
         }
     }
+    return -1;
+}
 
-    fprintf(stderr, "Bad ram pointer %p\n", ptr);
-    abort();
+/* Some of the softmmu routines need to translate from a host pointer
+   (typically a TLB entry) back to a ram offset.  */
+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
+{
+    ram_addr_t ram_addr;
 
-    return 0;
+    if (qemu_ram_addr_from_host(ptr, &ram_addr)) {
+        fprintf(stderr, "Bad ram pointer %p\n", ptr);
+        abort();
+    }
+    return ram_addr;
 }
 
 static uint32_t unassigned_mem_readb(void *opaque, target_phys_addr_t addr)
@@ -3703,7 +3711,7 @@ void cpu_physical_memory_unmap(void *buffer, target_phys_addr_t len,
 {
     if (buffer != bounce.buffer) {
         if (is_write) {
-            ram_addr_t addr1 = qemu_ram_addr_from_host(buffer);
+            ram_addr_t addr1 = qemu_ram_addr_from_host_nofail(buffer);
             while (access_len) {
                 unsigned l;
                 l = TARGET_PAGE_SIZE;
commit e7701825e17d74913b0f1585d523cedaf1d6632a
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 11 15:31:18 2010 -0300

    kvm: x86: add mce support
    
    Port qemu-kvm's MCE support
    
    commit c68b2374c9048812f488e00ffb95db66c0bc07a7
    Author: Huang Ying <ying.huang at intel.com>
    Date:   Mon Jul 20 10:00:53 2009 +0800
    
        Add MCE simulation support to qemu/kvm
    
        KVM ioctls are used to initialize MCE simulation and inject MCE. The
        real MCE simulation is implemented in Linux kernel. The Kernel part
        has been merged.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/helper.c b/target-i386/helper.c
index e134340..4b430dd 100644
--- a/target-i386/helper.c
+++ b/target-i386/helper.c
@@ -27,6 +27,7 @@
 #include "exec-all.h"
 #include "qemu-common.h"
 #include "kvm.h"
+#include "kvm_x86.h"
 
 //#define DEBUG_MMU
 
@@ -1030,6 +1031,11 @@ void cpu_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
     if (bank >= bank_num || !(status & MCI_STATUS_VAL))
         return;
 
+    if (kvm_enabled()) {
+        kvm_inject_x86_mce(cenv, bank, status, mcg_status, addr, misc);
+        return;
+    }
+
     /*
      * if MSR_MCG_CTL is not all 1s, the uncorrected error
      * reporting is disabled
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 74e7b4f..343fb02 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -27,6 +27,7 @@
 #include "hw/pc.h"
 #include "hw/apic.h"
 #include "ioport.h"
+#include "kvm_x86.h"
 
 #ifdef CONFIG_KVM_PARA
 #include <linux/kvm_para.h>
@@ -167,6 +168,67 @@ static int get_para_features(CPUState *env)
 }
 #endif
 
+#ifdef KVM_CAP_MCE
+static int kvm_get_mce_cap_supported(KVMState *s, uint64_t *mce_cap,
+                                     int *max_banks)
+{
+    int r;
+
+    r = kvm_ioctl(s, KVM_CHECK_EXTENSION, KVM_CAP_MCE);
+    if (r > 0) {
+        *max_banks = r;
+        return kvm_ioctl(s, KVM_X86_GET_MCE_CAP_SUPPORTED, mce_cap);
+    }
+    return -ENOSYS;
+}
+
+static int kvm_setup_mce(CPUState *env, uint64_t *mcg_cap)
+{
+    return kvm_vcpu_ioctl(env, KVM_X86_SETUP_MCE, mcg_cap);
+}
+
+static int kvm_set_mce(CPUState *env, struct kvm_x86_mce *m)
+{
+    return kvm_vcpu_ioctl(env, KVM_X86_SET_MCE, m);
+}
+
+struct kvm_x86_mce_data
+{
+    CPUState *env;
+    struct kvm_x86_mce *mce;
+};
+
+static void kvm_do_inject_x86_mce(void *_data)
+{
+    struct kvm_x86_mce_data *data = _data;
+    int r;
+
+    r = kvm_set_mce(data->env, data->mce);
+    if (r < 0)
+        perror("kvm_set_mce FAILED");
+}
+#endif
+
+void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc)
+{
+#ifdef KVM_CAP_MCE
+    struct kvm_x86_mce mce = {
+        .bank = bank,
+        .status = status,
+        .mcg_status = mcg_status,
+        .addr = addr,
+        .misc = misc,
+    };
+    struct kvm_x86_mce_data data = {
+            .env = cenv,
+            .mce = &mce,
+    };
+
+    run_on_cpu(cenv, kvm_do_inject_x86_mce, &data);
+#endif
+}
+
 int kvm_arch_init_vcpu(CPUState *env)
 {
     struct {
@@ -277,6 +339,28 @@ int kvm_arch_init_vcpu(CPUState *env)
 
     cpuid_data.cpuid.nent = cpuid_i;
 
+#ifdef KVM_CAP_MCE
+    if (((env->cpuid_version >> 8)&0xF) >= 6
+        && (env->cpuid_features&(CPUID_MCE|CPUID_MCA)) == (CPUID_MCE|CPUID_MCA)
+        && kvm_check_extension(env->kvm_state, KVM_CAP_MCE) > 0) {
+        uint64_t mcg_cap;
+        int banks;
+
+        if (kvm_get_mce_cap_supported(env->kvm_state, &mcg_cap, &banks))
+            perror("kvm_get_mce_cap_supported FAILED");
+        else {
+            if (banks > MCE_BANKS_DEF)
+                banks = MCE_BANKS_DEF;
+            mcg_cap &= MCE_CAP_DEF;
+            mcg_cap |= banks;
+            if (kvm_setup_mce(env, &mcg_cap))
+                perror("kvm_setup_mce FAILED");
+            else
+                env->mcg_cap = mcg_cap;
+        }
+    }
+#endif
+
     return kvm_vcpu_ioctl(env, KVM_SET_CPUID2, &cpuid_data);
 }
 
diff --git a/target-i386/kvm_x86.h b/target-i386/kvm_x86.h
new file mode 100644
index 0000000..c1ebd24
--- /dev/null
+++ b/target-i386/kvm_x86.h
@@ -0,0 +1,21 @@
+/*
+ * QEMU KVM support
+ *
+ * Copyright (C) 2009 Red Hat Inc.
+ * Copyright IBM, Corp. 2008
+ *
+ * Authors:
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef __KVM_X86_H__
+#define __KVM_X86_H__
+
+void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
+                        uint64_t mcg_status, uint64_t addr, uint64_t misc);
+
+#endif
commit 296acb643b0f7ec3ab3d8c4a8fc48039d9269818
Author: Joerg Roedel <joerg.roedel at amd.com>
Date:   Mon Sep 27 15:16:17 2010 +0200

    Add svm cpuid features
    
    This patch adds the svm cpuid feature flags to the qemu
    intialization path. It also adds the svm features available
    on phenom to its cpu-definition and extends the host cpu
    type to support all svm features KVM can provide.
    
    Signed-off-by: Joerg Roedel <joerg.roedel at amd.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 1144d4e..77eeab1 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -405,6 +405,17 @@
 #define CPUID_EXT3_IBS     (1 << 10)
 #define CPUID_EXT3_SKINIT  (1 << 12)
 
+#define CPUID_SVM_NPT          (1 << 0)
+#define CPUID_SVM_LBRV         (1 << 1)
+#define CPUID_SVM_SVMLOCK      (1 << 2)
+#define CPUID_SVM_NRIPSAVE     (1 << 3)
+#define CPUID_SVM_TSCSCALE     (1 << 4)
+#define CPUID_SVM_VMCBCLEAN    (1 << 5)
+#define CPUID_SVM_FLUSHASID    (1 << 6)
+#define CPUID_SVM_DECODEASSIST (1 << 7)
+#define CPUID_SVM_PAUSEFILTER  (1 << 10)
+#define CPUID_SVM_PFTHRESHOLD  (1 << 12)
+
 #define CPUID_VENDOR_INTEL_1 0x756e6547 /* "Genu" */
 #define CPUID_VENDOR_INTEL_2 0x49656e69 /* "ineI" */
 #define CPUID_VENDOR_INTEL_3 0x6c65746e /* "ntel" */
@@ -702,6 +713,7 @@ typedef struct CPUX86State {
     uint8_t has_error_code;
     uint32_t sipi_vector;
     uint32_t cpuid_kvm_features;
+    uint32_t cpuid_svm_features;
     
     /* in order to simplify APIC support, we leave this pointer to the
        user */
diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
index 3fcf78f..0e0bf60 100644
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@ -79,6 +79,17 @@ static const char *kvm_feature_name[] = {
     NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
 };
 
+static const char *svm_feature_name[] = {
+    "npt", "lbrv", "svm_lock", "nrip_save",
+    "tsc_scale", "vmcb_clean",  "flushbyasid", "decodeassists",
+    NULL, NULL, "pause_filter", NULL,
+    "pfthreshold", NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+};
+
 /* collects per-function cpuid data
  */
 typedef struct model_features_t {
@@ -192,13 +203,15 @@ static void add_flagname_to_bitmaps(const char *flagname, uint32_t *features,
                                     uint32_t *ext_features,
                                     uint32_t *ext2_features,
                                     uint32_t *ext3_features,
-                                    uint32_t *kvm_features)
+                                    uint32_t *kvm_features,
+                                    uint32_t *svm_features)
 {
     if (!lookup_feature(features, flagname, NULL, feature_name) &&
         !lookup_feature(ext_features, flagname, NULL, ext_feature_name) &&
         !lookup_feature(ext2_features, flagname, NULL, ext2_feature_name) &&
         !lookup_feature(ext3_features, flagname, NULL, ext3_feature_name) &&
-        !lookup_feature(kvm_features, flagname, NULL, kvm_feature_name))
+        !lookup_feature(kvm_features, flagname, NULL, kvm_feature_name) &&
+        !lookup_feature(svm_features, flagname, NULL, svm_feature_name))
             fprintf(stderr, "CPU feature %s not found\n", flagname);
 }
 
@@ -210,7 +223,8 @@ typedef struct x86_def_t {
     int family;
     int model;
     int stepping;
-    uint32_t features, ext_features, ext2_features, ext3_features, kvm_features;
+    uint32_t features, ext_features, ext2_features, ext3_features;
+    uint32_t kvm_features, svm_features;
     uint32_t xlevel;
     char model_id[48];
     int vendor_override;
@@ -253,6 +267,7 @@ typedef struct x86_def_t {
           CPUID_EXT2_PDPE1GB */
 #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \
           CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A)
+#define TCG_SVM_FEATURES 0
 
 /* maintains list of cpu model definitions
  */
@@ -305,6 +320,7 @@ static x86_def_t builtin_x86_defs[] = {
                     CPUID_EXT3_OSVW, CPUID_EXT3_IBS */
         .ext3_features = CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM |
             CPUID_EXT3_ABM | CPUID_EXT3_SSE4A,
+        .svm_features = CPUID_SVM_NPT | CPUID_SVM_LBRV,
         .xlevel = 0x8000001A,
         .model_id = "AMD Phenom(tm) 9550 Quad-Core Processor"
     },
@@ -505,6 +521,15 @@ static int cpu_x86_fill_host(x86_def_t *x86_cpu_def)
     cpu_x86_fill_model_id(x86_cpu_def->model_id);
     x86_cpu_def->vendor_override = 0;
 
+
+    /*
+     * Every SVM feature requires emulation support in KVM - so we can't just
+     * read the host features here. KVM might even support SVM features not
+     * available on the host hardware. Just set all bits and mask out the
+     * unsupported ones later.
+     */
+    x86_cpu_def->svm_features = -1;
+
     return 0;
 }
 
@@ -560,8 +585,14 @@ static int cpu_x86_find_by_name(x86_def_t *x86_cpu_def, const char *cpu_model)
 
     char *s = strdup(cpu_model);
     char *featurestr, *name = strtok(s, ",");
-    uint32_t plus_features = 0, plus_ext_features = 0, plus_ext2_features = 0, plus_ext3_features = 0, plus_kvm_features = 0;
-    uint32_t minus_features = 0, minus_ext_features = 0, minus_ext2_features = 0, minus_ext3_features = 0, minus_kvm_features = 0;
+    /* Features to be added*/
+    uint32_t plus_features = 0, plus_ext_features = 0;
+    uint32_t plus_ext2_features = 0, plus_ext3_features = 0;
+    uint32_t plus_kvm_features = 0, plus_svm_features = 0;
+    /* Features to be removed */
+    uint32_t minus_features = 0, minus_ext_features = 0;
+    uint32_t minus_ext2_features = 0, minus_ext3_features = 0;
+    uint32_t minus_kvm_features = 0, minus_svm_features = 0;
     uint32_t numvalue;
 
     for (def = x86_defs; def; def = def->next)
@@ -579,16 +610,22 @@ static int cpu_x86_find_by_name(x86_def_t *x86_cpu_def, const char *cpu_model)
 
     add_flagname_to_bitmaps("hypervisor", &plus_features,
         &plus_ext_features, &plus_ext2_features, &plus_ext3_features,
-        &plus_kvm_features);
+        &plus_kvm_features, &plus_svm_features);
 
     featurestr = strtok(NULL, ",");
 
     while (featurestr) {
         char *val;
         if (featurestr[0] == '+') {
-            add_flagname_to_bitmaps(featurestr + 1, &plus_features, &plus_ext_features, &plus_ext2_features, &plus_ext3_features, &plus_kvm_features);
+            add_flagname_to_bitmaps(featurestr + 1, &plus_features,
+                            &plus_ext_features, &plus_ext2_features,
+                            &plus_ext3_features, &plus_kvm_features,
+                            &plus_svm_features);
         } else if (featurestr[0] == '-') {
-            add_flagname_to_bitmaps(featurestr + 1, &minus_features, &minus_ext_features, &minus_ext2_features, &minus_ext3_features, &minus_kvm_features);
+            add_flagname_to_bitmaps(featurestr + 1, &minus_features,
+                            &minus_ext_features, &minus_ext2_features,
+                            &minus_ext3_features, &minus_kvm_features,
+                            &minus_svm_features);
         } else if ((val = strchr(featurestr, '='))) {
             *val = 0; val++;
             if (!strcmp(featurestr, "family")) {
@@ -670,11 +707,13 @@ static int cpu_x86_find_by_name(x86_def_t *x86_cpu_def, const char *cpu_model)
     x86_cpu_def->ext2_features |= plus_ext2_features;
     x86_cpu_def->ext3_features |= plus_ext3_features;
     x86_cpu_def->kvm_features |= plus_kvm_features;
+    x86_cpu_def->svm_features |= plus_svm_features;
     x86_cpu_def->features &= ~minus_features;
     x86_cpu_def->ext_features &= ~minus_ext_features;
     x86_cpu_def->ext2_features &= ~minus_ext2_features;
     x86_cpu_def->ext3_features &= ~minus_ext3_features;
     x86_cpu_def->kvm_features &= ~minus_kvm_features;
+    x86_cpu_def->svm_features &= ~minus_svm_features;
     if (check_cpuid) {
         if (check_features_against_host(x86_cpu_def) && enforce_cpuid)
             goto error;
@@ -816,6 +855,7 @@ int cpu_x86_register (CPUX86State *env, const char *cpu_model)
     env->cpuid_ext3_features = def->ext3_features;
     env->cpuid_xlevel = def->xlevel;
     env->cpuid_kvm_features = def->kvm_features;
+    env->cpuid_svm_features = def->svm_features;
     if (!kvm_enabled()) {
         env->cpuid_features &= TCG_FEATURES;
         env->cpuid_ext_features &= TCG_EXT_FEATURES;
@@ -825,6 +865,7 @@ int cpu_x86_register (CPUX86State *env, const char *cpu_model)
 #endif
             );
         env->cpuid_ext3_features &= TCG_EXT3_FEATURES;
+        env->cpuid_svm_features &= TCG_SVM_FEATURES;
     }
     {
         const char *model_id = def->model_id;
@@ -1135,11 +1176,6 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
                 *ecx |= 1 << 1;    /* CmpLegacy bit */
             }
         }
-
-        if (kvm_enabled()) {
-            /* Nested SVM not yet supported in upstream QEMU */
-            *ecx &= ~CPUID_EXT3_SVM;
-        }
         break;
     case 0x80000002:
     case 0x80000003:
@@ -1184,10 +1220,17 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
         }
         break;
     case 0x8000000A:
-        *eax = 0x00000001; /* SVM Revision */
-        *ebx = 0x00000010; /* nr of ASIDs */
-        *ecx = 0;
-        *edx = 0; /* optional features */
+	if (env->cpuid_ext3_features & CPUID_EXT3_SVM) {
+		*eax = 0x00000001; /* SVM Revision */
+		*ebx = 0x00000010; /* nr of ASIDs */
+		*ecx = 0;
+		*edx = env->cpuid_svm_features; /* optional features */
+	} else {
+		*eax = 0;
+		*ebx = 0;
+		*ecx = 0;
+		*edx = 0;
+	}
         break;
     default:
         /* reserved values: zero */
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index a33d2fa..74e7b4f 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -192,6 +192,9 @@ int kvm_arch_init_vcpu(CPUState *env)
                                                              0, R_EDX);
     env->cpuid_ext3_features &= kvm_arch_get_supported_cpuid(env, 0x80000001,
                                                              0, R_ECX);
+    env->cpuid_svm_features  &= kvm_arch_get_supported_cpuid(env, 0x8000000A,
+                                                             0, R_EDX);
+
 
     cpuid_i = 0;
 
commit 0f53994f7ad4d34e0a0a4a10cb71b2f936e25e3f
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Tue Oct 19 09:00:34 2010 -0200

    Fix memory leak in register save load due to xsave support
    
    From: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 35daf90..512d533 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -660,7 +660,7 @@ static int kvm_put_fpu(CPUState *env)
 static int kvm_put_xsave(CPUState *env)
 {
 #ifdef KVM_CAP_XSAVE
-    int i;
+    int i, r;
     struct kvm_xsave* xsave;
     uint16_t cwd, swd, twd, fop;
 
@@ -685,7 +685,9 @@ static int kvm_put_xsave(CPUState *env)
     *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV] = env->xstate_bv;
     memcpy(&xsave->region[XSAVE_YMMH_SPACE], env->ymmh_regs,
             sizeof env->ymmh_regs);
-    return kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
+    r = kvm_vcpu_ioctl(env, KVM_SET_XSAVE, xsave);
+    qemu_free(xsave);
+    return r;
 #else
     return kvm_put_fpu(env);
 #endif
@@ -850,8 +852,10 @@ static int kvm_get_xsave(CPUState *env)
 
     xsave = qemu_memalign(4096, sizeof(struct kvm_xsave));
     ret = kvm_vcpu_ioctl(env, KVM_GET_XSAVE, xsave);
-    if (ret < 0)
+    if (ret < 0) {
+        qemu_free(xsave);
         return ret;
+    }
 
     cwd = (uint16_t)xsave->region[0];
     swd = (uint16_t)(xsave->region[0] >> 16);
@@ -870,6 +874,7 @@ static int kvm_get_xsave(CPUState *env)
     env->xstate_bv = *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV];
     memcpy(env->ymmh_regs, &xsave->region[XSAVE_YMMH_SPACE],
             sizeof env->ymmh_regs);
+    qemu_free(xsave);
     return 0;
 #else
     return kvm_get_fpu(env);
commit a8486bc9c91a10c9190bbd577f6f02b9eb515d90
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 11 15:31:16 2010 -0300

    iothread: use signalfd
    
    Block SIGALRM, SIGIO and consume them via signalfd.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/cpus.c b/cpus.c
index b09f5e3..3875657 100644
--- a/cpus.c
+++ b/cpus.c
@@ -33,6 +33,7 @@
 #include "exec-all.h"
 
 #include "cpus.h"
+#include "compatfd.h"
 
 #ifdef SIGRTMIN
 #define SIG_IPI (SIGRTMIN+4)
@@ -329,14 +330,75 @@ static QemuCond qemu_work_cond;
 
 static void tcg_init_ipi(void);
 static void kvm_init_ipi(CPUState *env);
-static void unblock_io_signals(void);
+static sigset_t block_io_signals(void);
+
+/* If we have signalfd, we mask out the signals we want to handle and then
+ * use signalfd to listen for them.  We rely on whatever the current signal
+ * handler is to dispatch the signals when we receive them.
+ */
+static void sigfd_handler(void *opaque)
+{
+    int fd = (unsigned long) opaque;
+    struct qemu_signalfd_siginfo info;
+    struct sigaction action;
+    ssize_t len;
+
+    while (1) {
+        do {
+            len = read(fd, &info, sizeof(info));
+        } while (len == -1 && errno == EINTR);
+
+        if (len == -1 && errno == EAGAIN) {
+            break;
+        }
+
+        if (len != sizeof(info)) {
+            printf("read from sigfd returned %zd: %m\n", len);
+            return;
+        }
+
+        sigaction(info.ssi_signo, NULL, &action);
+        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
+            action.sa_sigaction(info.ssi_signo,
+                                (siginfo_t *)&info, NULL);
+        } else if (action.sa_handler) {
+            action.sa_handler(info.ssi_signo);
+        }
+    }
+}
+
+static int qemu_signalfd_init(sigset_t mask)
+{
+    int sigfd;
+
+    sigfd = qemu_signalfd(&mask);
+    if (sigfd == -1) {
+        fprintf(stderr, "failed to create signalfd\n");
+        return -errno;
+    }
+
+    fcntl_setfl(sigfd, O_NONBLOCK);
+
+    qemu_set_fd_handler2(sigfd, NULL, sigfd_handler, NULL,
+                         (void *)(unsigned long) sigfd);
+
+    return 0;
+}
 
 int qemu_init_main_loop(void)
 {
     int ret;
+    sigset_t blocked_signals;
 
     cpu_set_debug_excp_handler(cpu_debug_handler);
 
+    blocked_signals = block_io_signals();
+
+    ret = qemu_signalfd_init(blocked_signals);
+    if (ret)
+        return ret;
+
+    /* Note eventfd must be drained before signalfd handlers run */
     ret = qemu_event_init();
     if (ret)
         return ret;
@@ -347,7 +409,6 @@ int qemu_init_main_loop(void)
     qemu_mutex_init(&qemu_global_mutex);
     qemu_mutex_lock(&qemu_global_mutex);
 
-    unblock_io_signals();
     qemu_thread_self(&io_thread);
 
     return 0;
@@ -586,19 +647,22 @@ static void kvm_init_ipi(CPUState *env)
     }
 }
 
-static void unblock_io_signals(void)
+static sigset_t block_io_signals(void)
 {
     sigset_t set;
 
+    /* SIGUSR2 used by posix-aio-compat.c */
     sigemptyset(&set);
     sigaddset(&set, SIGUSR2);
-    sigaddset(&set, SIGIO);
-    sigaddset(&set, SIGALRM);
     pthread_sigmask(SIG_UNBLOCK, &set, NULL);
 
     sigemptyset(&set);
+    sigaddset(&set, SIGIO);
+    sigaddset(&set, SIGALRM);
     sigaddset(&set, SIG_IPI);
     pthread_sigmask(SIG_BLOCK, &set, NULL);
+
+    return set;
 }
 
 void qemu_mutex_lock_iothread(void)
commit db0ad1ba047b59cb89865008dcd0edd301e84c37
Author: Joerg Roedel <joerg.roedel at amd.com>
Date:   Mon Sep 27 15:16:16 2010 +0200

    Set cpuid definition to 0 before initializing it
    
    This patch cleans the (stack-allocated) cpuid definition to
    0 before actually initializing it.
    
    Signed-off-by: Joerg Roedel <joerg.roedel at amd.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/cpuid.c b/target-i386/cpuid.c
index 04ba8d5..3fcf78f 100644
--- a/target-i386/cpuid.c
+++ b/target-i386/cpuid.c
@@ -788,6 +788,8 @@ int cpu_x86_register (CPUX86State *env, const char *cpu_model)
 {
     x86_def_t def1, *def = &def1;
 
+    memset(def, 0, sizeof(*def));
+
     if (cpu_x86_find_by_name(def, cpu_model) < 0)
         return -1;
     if (def->vendor1) {
commit dcc38d1cce61e7d986e74dcd9bff2a5efc53a87c
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 11 15:31:15 2010 -0300

    signalfd compatibility
    
    Port qemu-kvm's signalfd compat code.
    
    commit 5a7fdd0abd7cd24dac205317a4195446ab8748b5
    Author: Anthony Liguori <aliguori at us.ibm.com>
    Date:   Wed May 7 11:55:47 2008 -0500
    
        Use signalfd() in io-thread
    
        This patch reworks the IO thread to use signalfd() instead of sigtimedwait()
        This will eliminate the need to use SIGIO everywhere.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index cd5a24b..6e6f60a 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -125,6 +125,7 @@ common-obj-y += $(addprefix ui/, $(ui-obj-y))
 
 common-obj-y += iov.o acl.o
 common-obj-$(CONFIG_THREAD) += qemu-thread.o
+common-obj-$(CONFIG_IOTHREAD) += compatfd.o
 common-obj-y += notify.o event_notifier.o
 common-obj-y += qemu-timer.o
 
diff --git a/compatfd.c b/compatfd.c
new file mode 100644
index 0000000..a7cebc4
--- /dev/null
+++ b/compatfd.c
@@ -0,0 +1,117 @@
+/*
+ * signalfd/eventfd compatibility
+ *
+ * Copyright IBM, Corp. 2008
+ *
+ * Authors:
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu-common.h"
+#include "compatfd.h"
+
+#include <sys/syscall.h>
+#include <pthread.h>
+
+struct sigfd_compat_info
+{
+    sigset_t mask;
+    int fd;
+};
+
+static void *sigwait_compat(void *opaque)
+{
+    struct sigfd_compat_info *info = opaque;
+    int err;
+    sigset_t all;
+
+    sigfillset(&all);
+    sigprocmask(SIG_BLOCK, &all, NULL);
+
+    do {
+        siginfo_t siginfo;
+
+        err = sigwaitinfo(&info->mask, &siginfo);
+        if (err == -1 && errno == EINTR) {
+            err = 0;
+            continue;
+        }
+
+        if (err > 0) {
+            char buffer[128];
+            size_t offset = 0;
+
+            memcpy(buffer, &err, sizeof(err));
+            while (offset < sizeof(buffer)) {
+                ssize_t len;
+
+                len = write(info->fd, buffer + offset,
+                            sizeof(buffer) - offset);
+                if (len == -1 && errno == EINTR)
+                    continue;
+
+                if (len <= 0) {
+                    err = -1;
+                    break;
+                }
+
+                offset += len;
+            }
+        }
+    } while (err >= 0);
+
+    return NULL;
+}
+
+static int qemu_signalfd_compat(const sigset_t *mask)
+{
+    pthread_attr_t attr;
+    pthread_t tid;
+    struct sigfd_compat_info *info;
+    int fds[2];
+
+    info = malloc(sizeof(*info));
+    if (info == NULL) {
+        errno = ENOMEM;
+        return -1;
+    }
+
+    if (pipe(fds) == -1) {
+        free(info);
+        return -1;
+    }
+
+    qemu_set_cloexec(fds[0]);
+    qemu_set_cloexec(fds[1]);
+
+    memcpy(&info->mask, mask, sizeof(*mask));
+    info->fd = fds[1];
+
+    pthread_attr_init(&attr);
+    pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
+
+    pthread_create(&tid, &attr, sigwait_compat, info);
+
+    pthread_attr_destroy(&attr);
+
+    return fds[0];
+}
+
+int qemu_signalfd(const sigset_t *mask)
+{
+#if defined(CONFIG_SIGNALFD)
+    int ret;
+
+    ret = syscall(SYS_signalfd, -1, mask, _NSIG / 8);
+    if (ret != -1) {
+        qemu_set_cloexec(ret);
+        return ret;
+    }
+#endif
+
+    return qemu_signalfd_compat(mask);
+}
diff --git a/compatfd.h b/compatfd.h
new file mode 100644
index 0000000..fc37915
--- /dev/null
+++ b/compatfd.h
@@ -0,0 +1,43 @@
+/*
+ * signalfd/eventfd compatibility
+ *
+ * Copyright IBM, Corp. 2008
+ *
+ * Authors:
+ *  Anthony Liguori   <aliguori at us.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef QEMU_COMPATFD_H
+#define QEMU_COMPATFD_H
+
+#include <signal.h>
+
+struct qemu_signalfd_siginfo {
+    uint32_t ssi_signo;   /* Signal number */
+    int32_t  ssi_errno;   /* Error number (unused) */
+    int32_t  ssi_code;    /* Signal code */
+    uint32_t ssi_pid;     /* PID of sender */
+    uint32_t ssi_uid;     /* Real UID of sender */
+    int32_t  ssi_fd;      /* File descriptor (SIGIO) */
+    uint32_t ssi_tid;     /* Kernel timer ID (POSIX timers) */
+    uint32_t ssi_band;    /* Band event (SIGIO) */
+    uint32_t ssi_overrun; /* POSIX timer overrun count */
+    uint32_t ssi_trapno;  /* Trap number that caused signal */
+    int32_t  ssi_status;  /* Exit status or signal (SIGCHLD) */
+    int32_t  ssi_int;     /* Integer sent by sigqueue(2) */
+    uint64_t ssi_ptr;     /* Pointer sent by sigqueue(2) */
+    uint64_t ssi_utime;   /* User CPU time consumed (SIGCHLD) */
+    uint64_t ssi_stime;   /* System CPU time consumed (SIGCHLD) */
+    uint64_t ssi_addr;    /* Address that generated signal
+                             (for hardware-generated signals) */
+    uint8_t  pad[48];     /* Pad size to 128 bytes (allow for
+                             additional fields in the future) */
+};
+
+int qemu_signalfd(const sigset_t *mask);
+
+#endif
diff --git a/configure b/configure
index 5f4d718..9ed05de 100755
--- a/configure
+++ b/configure
@@ -1957,6 +1957,21 @@ if compile_prog "" "" ; then
   splice=yes
 fi
 
+##########################################
+# signalfd probe
+signalfd="no"
+cat > $TMPC << EOF
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <signal.h>
+int main(void) { return syscall(SYS_signalfd, -1, NULL, _NSIG / 8); }
+EOF
+
+if compile_prog "" "" ; then
+  signalfd=yes
+fi
+
 # check if eventfd is supported
 eventfd=no
 cat > $TMPC << EOF
@@ -2559,6 +2574,9 @@ fi
 if test "$fdt" = "yes" ; then
   echo "CONFIG_FDT=y" >> $config_host_mak
 fi
+if test "$signalfd" = "yes" ; then
+  echo "CONFIG_SIGNALFD=y" >> $config_host_mak
+fi
 if test "$need_offsetof" = "yes" ; then
   echo "CONFIG_NEED_OFFSETOF=y" >> $config_host_mak
 fi
commit 1e027be7e91d854d7a0132e4a32bdf222c33dcfe
Author: Markus Armbruster <armbru at redhat.com>
Date:   Thu Oct 14 11:19:04 2010 +0200

    configure: Support disabling warnings in $gcc_flags
    
    -Wall enables a bunch of warnings at once.  configure puts it after
    $gcc_flags.  This makes it impossible to disable warnings enabled by
    -Wall there.  Fix by putting configured flags last.
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index a079a49..5f4d718 100755
--- a/configure
+++ b/configure
@@ -154,7 +154,7 @@ int main(void) { return 0; }
 EOF
 for flag in $gcc_flags; do
     if compile_prog "-Werror $QEMU_CFLAGS" "-Werror $flag" ; then
-	QEMU_CFLAGS="$flag $QEMU_CFLAGS"
+	QEMU_CFLAGS="$QEMU_CFLAGS $flag"
     fi
 done
 
commit c3b08d0e05f381b0a02647038d454eecf51ae014
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Oct 8 10:32:23 2010 +0200

    tcg: Fix compiler error (comparison of unsigned expression)
    
    When qemu is configured with --enable-debug-tcg,
    gcc throws this warning (or error with -Werror):
    
    tcg/tcg.c:1030: error: comparison of unsigned expression >= 0 is always true
    
    Fix it by removing the >= 0 part.
    The type cast to 'unsigned' catches negative values of op
    (which should never happen).
    
    This is a modification of Hollis Blanchard's patch.
    
    Cc: Hollis Blanchard <hollis at penguinppc.org>
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tcg/tcg.c b/tcg/tcg.c
index e0a9030..0cdef0d 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -1027,7 +1027,7 @@ void tcg_add_target_add_op_defs(const TCGTargetOpDef *tdefs)
         if (tdefs->op == (TCGOpcode)-1)
             break;
         op = tdefs->op;
-        assert(op >= 0 && op < NB_OPS);
+        assert((unsigned)op < NB_OPS);
         def = &tcg_op_defs[op];
 #if defined(CONFIG_DEBUG_TCG)
         /* Duplicate entry in op definitions? */
commit bd8b215bce453706c3951460cc7e6627ccb90314
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 20 07:09:37 2010 +0200

    msix: fix irqchip breakage
    
    msix.c doesn't include linux kvm header anymore, so
    IRQCHIP macro is never defined, which resulted in
    a broken msix support. As a fix, stub out kvm_set_irq
    and remove the remaining ifdefs.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index f12e4aa..4b6133d 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -509,12 +509,10 @@ void msix_notify(PCIDevice *dev, unsigned vector)
         return;
     }
 
-#ifdef KVM_CAP_IRQCHIP
     if (kvm_enabled() && kvm_irqchip_in_kernel()) {
         kvm_set_irq(dev->msix_irq_entries[vector].gsi, 1, NULL);
         return;
     }
-#endif
 
     address = pci_get_long(table_entry + MSIX_MSG_UPPER_ADDR);
     address = (address << 32) | pci_get_long(table_entry + MSIX_MSG_ADDR);
diff --git a/kvm-stub.c b/kvm-stub.c
index 3c2deec..aeee3c0 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -176,3 +176,9 @@ int kvm_commit_irq_routes(void)
 {
     return -ENOSYS;
 }
+
+int kvm_set_irq(int irq, int level, int *status)
+{
+    assert(0);
+    return -ENOSYS;
+}
diff --git a/kvm.h b/kvm.h
index d484a3f..74dfa48 100644
--- a/kvm.h
+++ b/kvm.h
@@ -214,4 +214,6 @@ int kvm_commit_irq_routes(void);
 
 int kvm_irqchip_in_kernel(void);
 
+int kvm_set_irq(int irq, int level, int *status);
+
 #endif
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 9c08ab4..c6f5632 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -785,7 +785,6 @@ void kvm_load_lapic(CPUState *env);
 
 void kvm_hpet_enable_kpit(void);
 void kvm_hpet_disable_kpit(void);
-int kvm_set_irq(int irq, int level, int *status);
 
 int kvm_physical_memory_set_dirty_tracking(int enable);
 
commit 763a04a920f1098e57ad6b46c91c3e531adc961d
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 20 06:50:18 2010 +0200

    msix: fix crash on msix_irq_entries access
    
    Since commit 889e30cc18e21f2091b77267dca8096d7dd34f8b,
    msix.c doesn't include kvm/h anymore, so KVM_IRQCHIP
    is never defined, and msix_irq_entries ends up as NULL.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index 43efbd2..f12e4aa 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -389,12 +389,10 @@ int msix_init(struct PCIDevice *dev, unsigned short nentries,
     if (ret)
         goto err_config;
 
-#ifdef KVM_CAP_IRQCHIP
     if (kvm_enabled() && kvm_irqchip_in_kernel()) {
         dev->msix_irq_entries = qemu_malloc(nentries *
                                             sizeof *dev->msix_irq_entries);
     }
-#endif
 
     dev->cap_present |= QEMU_PCI_CAP_MSIX;
     return 0;
commit b2d4d8329963b13c5cebe5944dcc99f0e9d1b5c7
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Oct 8 12:30:14 2010 +0200

    wacom tablet: activate event handlers.
    
    Add qemu_activate_mouse_event_handler() calls to the usb wavom tablet so
    it actually receives events.  Also make sure we only remove the handler
    if we registered it before.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index fe052eb..47f26cd 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -160,6 +160,7 @@ static int usb_mouse_poll(USBWacomState *s, uint8_t *buf, int len)
     if (!s->mouse_grabbed) {
         s->eh_entry = qemu_add_mouse_event_handler(usb_mouse_event, s, 0,
                         "QEMU PenPartner tablet");
+        qemu_activate_mouse_event_handler(s->eh_entry);
         s->mouse_grabbed = 1;
     }
 
@@ -197,6 +198,7 @@ static int usb_wacom_poll(USBWacomState *s, uint8_t *buf, int len)
     if (!s->mouse_grabbed) {
         s->eh_entry = qemu_add_mouse_event_handler(usb_wacom_event, s, 1,
                         "QEMU PenPartner tablet");
+        qemu_activate_mouse_event_handler(s->eh_entry);
         s->mouse_grabbed = 1;
     }
 
@@ -334,8 +336,10 @@ static int usb_wacom_handle_control(USBDevice *dev, int request, int value,
         ret = 0;
         break;
     case WACOM_SET_REPORT:
-        qemu_remove_mouse_event_handler(s->eh_entry);
-        s->mouse_grabbed = 0;
+        if (s->mouse_grabbed) {
+            qemu_remove_mouse_event_handler(s->eh_entry);
+            s->mouse_grabbed = 0;
+        }
         s->mode = data[0];
         ret = 0;
         break;
@@ -397,7 +401,10 @@ static void usb_wacom_handle_destroy(USBDevice *dev)
 {
     USBWacomState *s = (USBWacomState *) dev;
 
-    qemu_remove_mouse_event_handler(s->eh_entry);
+    if (s->mouse_grabbed) {
+        qemu_remove_mouse_event_handler(s->eh_entry);
+        s->mouse_grabbed = 0;
+    }
 }
 
 static int usb_wacom_initfn(USBDevice *dev)
commit cd496926155afcb3b6323e70dd720dc118b3a255
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Oct 8 12:30:13 2010 +0200

    vmmouse: adapt to mouse handler changes.
    
    This patch updates the vmmouse handler registration and activation.
    
    Old behavior:
      vmmouse_read_id, vmmouse_request_relative and vmmouse_request_absolute
      unregister the handler and re-register it.
    
    New behavior:
      vmmouse_request_relative and vmmouse_request_absolute will unregister
      the handler in case the mode did change.  Then register and active the
      handler with current mode if needed.
    
    Note that the old code never ever *activates* the handler, so the
    vmmouse doesn't receive events.  This trips up Fedora 14 for example:
    Boot a default install without usb tablet, watch the X-Server activating
    the vmmouse then, enjoy a non-functional mouse.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/vmmouse.c b/hw/vmmouse.c
index f359304..2097119 100644
--- a/hw/vmmouse.c
+++ b/hw/vmmouse.c
@@ -100,16 +100,29 @@ static void vmmouse_mouse_event(void *opaque, int x, int y, int dz, int buttons_
     i8042_isa_mouse_fake_event(s->ps2_mouse);
 }
 
-static void vmmouse_update_handler(VMMouseState *s)
+static void vmmouse_remove_handler(VMMouseState *s)
 {
     if (s->entry) {
         qemu_remove_mouse_event_handler(s->entry);
         s->entry = NULL;
     }
-    if (s->status == 0)
+}
+
+static void vmmouse_update_handler(VMMouseState *s, int absolute)
+{
+    if (s->status != 0) {
+        return;
+    }
+    if (s->absolute != absolute) {
+        s->absolute = absolute;
+        vmmouse_remove_handler(s);
+    }
+    if (s->entry == NULL) {
         s->entry = qemu_add_mouse_event_handler(vmmouse_mouse_event,
                                                 s, s->absolute,
                                                 "vmmouse");
+        qemu_activate_mouse_event_handler(s->entry);
+    }
 }
 
 static void vmmouse_read_id(VMMouseState *s)
@@ -121,28 +134,25 @@ static void vmmouse_read_id(VMMouseState *s)
 
     s->queue[s->nb_queue++] = VMMOUSE_VERSION;
     s->status = 0;
-    vmmouse_update_handler(s);
 }
 
 static void vmmouse_request_relative(VMMouseState *s)
 {
     DPRINTF("vmmouse_request_relative()\n");
-    s->absolute = 0;
-    vmmouse_update_handler(s);
+    vmmouse_update_handler(s, 0);
 }
 
 static void vmmouse_request_absolute(VMMouseState *s)
 {
     DPRINTF("vmmouse_request_absolute()\n");
-    s->absolute = 1;
-    vmmouse_update_handler(s);
+    vmmouse_update_handler(s, 1);
 }
 
 static void vmmouse_disable(VMMouseState *s)
 {
     DPRINTF("vmmouse_disable()\n");
     s->status = 0xffff;
-    vmmouse_update_handler(s);
+    vmmouse_remove_handler(s);
 }
 
 static void vmmouse_data(VMMouseState *s, uint32_t *data, uint32_t size)
@@ -154,7 +164,7 @@ static void vmmouse_data(VMMouseState *s, uint32_t *data, uint32_t size)
     if (size == 0 || size > 6 || size > s->nb_queue) {
         printf("vmmouse: driver requested too much data %d\n", size);
         s->status = 0xffff;
-        vmmouse_update_handler(s);
+        vmmouse_remove_handler(s);
         return;
     }
 
@@ -239,7 +249,8 @@ static int vmmouse_post_load(void *opaque, int version_id)
 {
     VMMouseState *s = opaque;
 
-    vmmouse_update_handler(s);
+    vmmouse_remove_handler(s);
+    vmmouse_update_handler(s, s->absolute);
     return 0;
 }
 
commit 45b23ff8f05d8f145d680476dd08e7f444cef547
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Wed Oct 6 17:09:42 2010 -0700

    [virtio-9p] Add support to v9fs_string_alloc_printf() for handling %lu.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 0e87722..daade77 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -321,6 +321,14 @@ static int number_to_string(void *arg, char type)
         } while (num);
         break;
     }
+    case 'U': {
+        unsigned long num = *(unsigned long *)arg;
+        do {
+            ret++;
+            num = num/10;
+        } while (num);
+        break;
+    }
     default:
         printf("Number_to_string: Unknown number format\n");
         return -1;
@@ -338,6 +346,7 @@ v9fs_string_alloc_printf(char **strp, const char *fmt, va_list ap)
     int nr_args = 0;
     char *arg_char_ptr;
     unsigned int arg_uint;
+    unsigned long arg_ulong;
 
     /* Find the number of %'s that denotes an argument */
     for (iter = strstr(iter, "%"); iter; iter = strstr(iter, "%")) {
@@ -363,6 +372,14 @@ v9fs_string_alloc_printf(char **strp, const char *fmt, va_list ap)
             arg_uint = va_arg(ap2, unsigned int);
             len += number_to_string((void *)&arg_uint, 'u');
             break;
+        case 'l':
+            if (*++iter == 'u') {
+                arg_ulong = va_arg(ap2, unsigned long);
+                len += number_to_string((void *)&arg_ulong, 'U');
+            } else {
+                return -1;
+            }
+            break;
         case 's':
             arg_char_ptr = va_arg(ap2, char *);
             len += strlen(arg_char_ptr);
commit 56d15a53292c06a9c8c574e368003f57a06522ee
Author: Sanchit Garg <sancgarg at linux.vnet.ibm.com>
Date:   Fri Oct 8 11:30:16 2010 +0530

    [virtio-9p] Use preadv/pwritev instead of readv/writev
    
    readv & writev, read & write respectively from the current offset
    of the file & hence their use has to be preceeded by a call to lseek.
    preadv/writev can be used instead, as they take the offset as an argument.
    This saves one system call( lseek ).
    In case preadv is not supported, it is implemented by an lseek
    followed by a readv. Depending upon the configuration of QEMU, the
    appropriate read & write methods are selected. This patch also fixes the
    zero byte read/write bug & obviates the need to apply a fix for that bug separately.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Sanchit Garg <sancgarg at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index bf867b9..21d60b5 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -80,9 +80,8 @@ typedef struct FileOperations
     off_t (*telldir)(FsContext *, DIR *);
     struct dirent *(*readdir)(FsContext *, DIR *);
     void (*seekdir)(FsContext *, DIR *, off_t);
-    ssize_t (*readv)(FsContext *, int, const struct iovec *, int);
-    ssize_t (*writev)(FsContext *, int, const struct iovec *, int);
-    off_t (*lseek)(FsContext *, int, off_t, int);
+    ssize_t (*preadv)(FsContext *, int, const struct iovec *, int, off_t);
+    ssize_t (*pwritev)(FsContext *, int, const struct iovec *, int, off_t);
     int (*mkdir)(FsContext *, const char *, FsCred *);
     int (*fstat)(FsContext *, int, struct stat *);
     int (*rename)(FsContext *, const char *, const char *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index ee63033..0d52020 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -168,21 +168,34 @@ static void local_seekdir(FsContext *ctx, DIR *dir, off_t off)
     return seekdir(dir, off);
 }
 
-static ssize_t local_readv(FsContext *ctx, int fd, const struct iovec *iov,
-                            int iovcnt)
+static ssize_t local_preadv(FsContext *ctx, int fd, const struct iovec *iov,
+                            int iovcnt, off_t offset)
 {
-    return readv(fd, iov, iovcnt);
-}
-
-static off_t local_lseek(FsContext *ctx, int fd, off_t offset, int whence)
-{
-    return lseek(fd, offset, whence);
+#ifdef CONFIG_PREADV
+    return preadv(fd, iov, iovcnt, offset);
+#else
+    int err = lseek(fd, offset, SEEK_SET);
+    if (err == -1) {
+        return err;
+    } else {
+        return readv(fd, iov, iovcnt);
+    }
+#endif
 }
 
-static ssize_t local_writev(FsContext *ctx, int fd, const struct iovec *iov,
-                            int iovcnt)
+static ssize_t local_pwritev(FsContext *ctx, int fd, const struct iovec *iov,
+                            int iovcnt, off_t offset)
 {
-    return writev(fd, iov, iovcnt);
+#ifdef CONFIG_PREADV
+    return pwritev(fd, iov, iovcnt, offset);
+#else
+    int err = lseek(fd, offset, SEEK_SET);
+    if (err == -1) {
+        return err;
+    } else {
+        return writev(fd, iov, iovcnt);
+    }
+#endif
 }
 
 static int local_chmod(FsContext *fs_ctx, const char *path, FsCred *credp)
@@ -523,9 +536,8 @@ FileOperations local_ops = {
     .telldir = local_telldir,
     .readdir = local_readdir,
     .seekdir = local_seekdir,
-    .readv = local_readv,
-    .lseek = local_lseek,
-    .writev = local_writev,
+    .preadv = local_preadv,
+    .pwritev = local_pwritev,
     .chmod = local_chmod,
     .mknod = local_mknod,
     .mkdir = local_mkdir,
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 867fcfa..0e87722 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -135,21 +135,16 @@ static void v9fs_do_seekdir(V9fsState *s, DIR *dir, off_t off)
     return s->ops->seekdir(&s->ctx, dir, off);
 }
 
-static int v9fs_do_readv(V9fsState *s, int fd, const struct iovec *iov,
-                            int iovcnt)
+static int v9fs_do_preadv(V9fsState *s, int fd, const struct iovec *iov,
+                            int iovcnt, int64_t offset)
 {
-    return s->ops->readv(&s->ctx, fd, iov, iovcnt);
+    return s->ops->preadv(&s->ctx, fd, iov, iovcnt, offset);
 }
 
-static off_t v9fs_do_lseek(V9fsState *s, int fd, off_t offset, int whence)
+static int v9fs_do_pwritev(V9fsState *s, int fd, const struct iovec *iov,
+                       int iovcnt, int64_t offset)
 {
-    return s->ops->lseek(&s->ctx, fd, offset, whence);
-}
-
-static int v9fs_do_writev(V9fsState *s, int fd, const struct iovec *iov,
-                       int iovcnt)
-{
-    return s->ops->writev(&s->ctx, fd, iov, iovcnt);
+    return s->ops->pwritev(&s->ctx, fd, iov, iovcnt, offset);
 }
 
 static int v9fs_do_chmod(V9fsState *s, V9fsString *path, mode_t mode)
@@ -1975,7 +1970,7 @@ static void v9fs_read_post_rewinddir(V9fsState *s, V9fsReadState *vs,
     return;
 }
 
-static void v9fs_read_post_readv(V9fsState *s, V9fsReadState *vs, ssize_t err)
+static void v9fs_read_post_preadv(V9fsState *s, V9fsReadState *vs, ssize_t err)
 {
     if (err  < 0) {
         /* IO error return the error */
@@ -1989,12 +1984,16 @@ static void v9fs_read_post_readv(V9fsState *s, V9fsReadState *vs, ssize_t err)
             if (0) {
                 print_sg(vs->sg, vs->cnt);
             }
-            vs->len = v9fs_do_readv(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
+            vs->len = v9fs_do_preadv(s, vs->fidp->fs.fd, vs->sg, vs->cnt,
+                      vs->off);
+            if (vs->len > 0) {
+                vs->off += vs->len;
+            }
         } while (vs->len == -1 && errno == EINTR);
         if (vs->len == -1) {
             err  = -errno;
         }
-        v9fs_read_post_readv(s, vs, err);
+        v9fs_read_post_preadv(s, vs, err);
         return;
     }
     vs->offset += pdu_marshal(vs->pdu, vs->offset, "d", vs->total);
@@ -2006,32 +2005,6 @@ out:
     qemu_free(vs);
 }
 
-static void v9fs_read_post_lseek(V9fsState *s, V9fsReadState *vs, ssize_t err)
-{
-    if (err == -1) {
-        err = -errno;
-        goto out;
-    }
-    vs->sg = cap_sg(vs->sg, vs->count, &vs->cnt);
-
-    if (vs->total < vs->count) {
-        do {
-            if (0) {
-                print_sg(vs->sg, vs->cnt);
-            }
-            vs->len = v9fs_do_readv(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
-        } while (vs->len == -1 && errno == EINTR);
-        if (vs->len == -1) {
-            err  = -errno;
-        }
-        v9fs_read_post_readv(s, vs, err);
-        return;
-    }
-out:
-    complete_pdu(s, vs->pdu, err);
-    qemu_free(vs);
-}
-
 static void v9fs_xattr_read(V9fsState *s, V9fsReadState *vs)
 {
     ssize_t err = 0;
@@ -2089,8 +2062,16 @@ static void v9fs_read(V9fsState *s, V9fsPDU *pdu)
     } else if (vs->fidp->fid_type == P9_FID_FILE) {
         vs->sg = vs->iov;
         pdu_marshal(vs->pdu, vs->offset + 4, "v", vs->sg, &vs->cnt);
-        err = v9fs_do_lseek(s, vs->fidp->fs.fd, vs->off, SEEK_SET);
-        v9fs_read_post_lseek(s, vs, err);
+        vs->sg = cap_sg(vs->sg, vs->count, &vs->cnt);
+        if (vs->total <= vs->count) {
+            vs->len = v9fs_do_preadv(s, vs->fidp->fs.fd, vs->sg, vs->cnt,
+                                    vs->off);
+            if (vs->len > 0) {
+                vs->off += vs->len;
+            }
+            err = vs->len;
+            v9fs_read_post_preadv(s, vs, err);
+        }
         return;
     } else if (vs->fidp->fid_type == P9_FID_XATTR) {
         v9fs_xattr_read(s, vs);
@@ -2224,7 +2205,7 @@ out:
     return;
 }
 
-static void v9fs_write_post_writev(V9fsState *s, V9fsWriteState *vs,
+static void v9fs_write_post_pwritev(V9fsState *s, V9fsWriteState *vs,
                                    ssize_t err)
 {
     if (err  < 0) {
@@ -2239,49 +2220,25 @@ static void v9fs_write_post_writev(V9fsState *s, V9fsWriteState *vs,
             if (0) {
                 print_sg(vs->sg, vs->cnt);
             }
-            vs->len =  v9fs_do_writev(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
+            vs->len = v9fs_do_pwritev(s, vs->fidp->fs.fd, vs->sg, vs->cnt,
+                      vs->off);
+            if (vs->len > 0) {
+                vs->off += vs->len;
+            }
         } while (vs->len == -1 && errno == EINTR);
         if (vs->len == -1) {
             err  = -errno;
         }
-        v9fs_write_post_writev(s, vs, err);
+        v9fs_write_post_pwritev(s, vs, err);
         return;
     }
     vs->offset += pdu_marshal(vs->pdu, vs->offset, "d", vs->total);
-
     err = vs->offset;
 out:
     complete_pdu(s, vs->pdu, err);
     qemu_free(vs);
 }
 
-static void v9fs_write_post_lseek(V9fsState *s, V9fsWriteState *vs, ssize_t err)
-{
-    if (err == -1) {
-        err = -errno;
-        goto out;
-    }
-    vs->sg = cap_sg(vs->sg, vs->count, &vs->cnt);
-
-    if (vs->total < vs->count) {
-        do {
-            if (0) {
-                print_sg(vs->sg, vs->cnt);
-            }
-            vs->len = v9fs_do_writev(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
-        } while (vs->len == -1 && errno == EINTR);
-        if (vs->len == -1) {
-            err  = -errno;
-        }
-        v9fs_write_post_writev(s, vs, err);
-        return;
-    }
-
-out:
-    complete_pdu(s, vs->pdu, err);
-    qemu_free(vs);
-}
-
 static void v9fs_xattr_write(V9fsState *s, V9fsWriteState *vs)
 {
     int i, to_copy;
@@ -2362,11 +2319,16 @@ static void v9fs_write(V9fsState *s, V9fsPDU *pdu)
         err = -EINVAL;
         goto out;
     }
-    err = v9fs_do_lseek(s, vs->fidp->fs.fd, vs->off, SEEK_SET);
-
-    v9fs_write_post_lseek(s, vs, err);
+    vs->sg = cap_sg(vs->sg, vs->count, &vs->cnt);
+    if (vs->total <= vs->count) {
+        vs->len = v9fs_do_pwritev(s, vs->fidp->fs.fd, vs->sg, vs->cnt, vs->off);
+        if (vs->len > 0) {
+            vs->off += vs->len;
+        }
+        err = vs->len;
+        v9fs_write_post_pwritev(s, vs, err);
+    }
     return;
-
 out:
     complete_pdu(s, vs->pdu, err);
     qemu_free(vs);
commit 9f506893a454ce24263aba49594aa953e9a52853
Author: Harsh Prateek Bora <harsh at linux.vnet.ibm.com>
Date:   Mon Oct 18 15:36:36 2010 +0530

    [virtio-9p] Qemu 9p commandline options validity checks
    
    Signed-off-by: Harsh Prateek Bora <harsh at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/fsdev/qemu-fsdev.c b/fsdev/qemu-fsdev.c
index 280b8f5..0b33290 100644
--- a/fsdev/qemu-fsdev.c
+++ b/fsdev/qemu-fsdev.c
@@ -29,35 +29,47 @@ int qemu_fsdev_add(QemuOpts *opts)
 {
     struct FsTypeListEntry *fsle;
     int i;
+    const char *fsdev_id = qemu_opts_id(opts);
+    const char *fstype = qemu_opt_get(opts, "fstype");
+    const char *path = qemu_opt_get(opts, "path");
+    const char *sec_model = qemu_opt_get(opts, "security_model");
 
-    if (qemu_opts_id(opts) == NULL) {
+    if (!fsdev_id) {
         fprintf(stderr, "fsdev: No id specified\n");
         return -1;
     }
 
-    for (i = 0; i < ARRAY_SIZE(FsTypes); i++) {
-        if (strcmp(FsTypes[i].name, qemu_opt_get(opts, "fstype")) == 0) {
-            break;
+    if (fstype) {
+        for (i = 0; i < ARRAY_SIZE(FsTypes); i++) {
+            if (strcmp(FsTypes[i].name, fstype) == 0) {
+                break;
+            }
         }
-    }
 
-    if (i == ARRAY_SIZE(FsTypes)) {
-        fprintf(stderr, "fsdev: fstype %s not found\n",
-                    qemu_opt_get(opts, "fstype"));
+        if (i == ARRAY_SIZE(FsTypes)) {
+            fprintf(stderr, "fsdev: fstype %s not found\n", fstype);
+            return -1;
+        }
+    } else {
+        fprintf(stderr, "fsdev: No fstype specified\n");
         return -1;
     }
 
-    if (qemu_opt_get(opts, "security_model") == NULL) {
+    if (!sec_model) {
         fprintf(stderr, "fsdev: No security_model specified.\n");
         return -1;
     }
 
+    if (!path) {
+        fprintf(stderr, "fsdev: No path specified.\n");
+        return -1;
+    }
+
     fsle = qemu_malloc(sizeof(*fsle));
 
-    fsle->fse.fsdev_id = qemu_strdup(qemu_opts_id(opts));
-    fsle->fse.path = qemu_strdup(qemu_opt_get(opts, "path"));
-    fsle->fse.security_model = qemu_strdup(qemu_opt_get(opts,
-                "security_model"));
+    fsle->fse.fsdev_id = qemu_strdup(fsdev_id);
+    fsle->fse.path = qemu_strdup(path);
+    fsle->fse.security_model = qemu_strdup(sec_model);
     fsle->fse.ops = FsTypes[i].ops;
 
     QTAILQ_INSERT_TAIL(&fstype_entries, fsle, next);
@@ -67,11 +79,13 @@ int qemu_fsdev_add(QemuOpts *opts)
 
 FsTypeEntry *get_fsdev_fsentry(char *id)
 {
-    struct FsTypeListEntry *fsle;
+    if (id) {
+        struct FsTypeListEntry *fsle;
 
-    QTAILQ_FOREACH(fsle, &fstype_entries, next) {
-        if (strcmp(fsle->fse.fsdev_id, id) == 0) {
-            return &fsle->fse;
+        QTAILQ_FOREACH(fsle, &fstype_entries, next) {
+            if (strcmp(fsle->fse.fsdev_id, id) == 0) {
+                return &fsle->fse;
+            }
         }
     }
     return NULL;
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 4586cce..867fcfa 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -3697,8 +3697,8 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
 
     if (!fse) {
         /* We don't have a fsdev identified by fsdev_id */
-        fprintf(stderr, "Virtio-9p device couldn't find fsdev "
-                    "with the id %s\n", conf->fsdev_id);
+        fprintf(stderr, "Virtio-9p device couldn't find fsdev with the "
+                "id = %s\n", conf->fsdev_id ? conf->fsdev_id : "NULL");
         exit(1);
     }
 
commit 70fc55ebe4fe5e72802468f16ae09169cf323b04
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Mon Oct 18 15:28:16 2010 +0530

    virtio-9p: Support mapped posix acl
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/Makefile.objs b/Makefile.objs
index be4fade..cd5a24b 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -250,7 +250,7 @@ adlib.o fmopl.o: QEMU_CFLAGS += -DBUILD_Y8950=0
 hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
 
 hw-obj-$(CONFIG_VIRTFS) += virtio-9p-debug.o virtio-9p-local.o virtio-9p-xattr.o
-hw-obj-$(CONFIG_VIRTFS) += virtio-9p-xattr-user.o
+hw-obj-$(CONFIG_VIRTFS) += virtio-9p-xattr-user.o virtio-9p-posix-acl.o
 
 ######################################################################
 # libdis
diff --git a/hw/virtio-9p-posix-acl.c b/hw/virtio-9p-posix-acl.c
new file mode 100644
index 0000000..3978d0c
--- /dev/null
+++ b/hw/virtio-9p-posix-acl.c
@@ -0,0 +1,140 @@
+/*
+ * Virtio 9p system.posix* xattr callback
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ * Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include <sys/types.h>
+#include <attr/xattr.h>
+#include "virtio.h"
+#include "virtio-9p.h"
+#include "file-op-9p.h"
+#include "virtio-9p-xattr.h"
+
+#define MAP_ACL_ACCESS "user.virtfs.system.posix_acl_access"
+#define MAP_ACL_DEFAULT "user.virtfs.system.posix_acl_default"
+#define ACL_ACCESS "system.posix_acl_access"
+#define ACL_DEFAULT "system.posix_acl_default"
+
+static ssize_t mp_pacl_getxattr(FsContext *ctx, const char *path,
+                                const char *name, void *value, size_t size)
+{
+    return lgetxattr(rpath(ctx, path), MAP_ACL_ACCESS, value, size);
+}
+
+static ssize_t mp_pacl_listxattr(FsContext *ctx, const char *path,
+                                 char *name, void *value, size_t osize)
+{
+    ssize_t len = sizeof(ACL_ACCESS);
+
+    if (!value) {
+        return len;
+    }
+
+    if (osize < len) {
+        errno = ERANGE;
+        return -1;
+    }
+
+    strncpy(value, ACL_ACCESS, len);
+    return 0;
+}
+
+static int mp_pacl_setxattr(FsContext *ctx, const char *path, const char *name,
+                            void *value, size_t size, int flags)
+{
+    return lsetxattr(rpath(ctx, path), MAP_ACL_ACCESS, value, size, flags);
+}
+
+static int mp_pacl_removexattr(FsContext *ctx,
+                               const char *path, const char *name)
+{
+    int ret;
+    ret  = lremovexattr(rpath(ctx, path), MAP_ACL_ACCESS);
+    if (ret == -1 && errno == ENODATA) {
+        /*
+         * We don't get ENODATA error when trying to remote a
+         * posix acl that is not present. So don't throw the error
+         * even in case of mapped security model
+         */
+        errno = 0;
+        ret = 0;
+    }
+    return ret;
+}
+
+static ssize_t mp_dacl_getxattr(FsContext *ctx, const char *path,
+                                const char *name, void *value, size_t size)
+{
+    return lgetxattr(rpath(ctx, path), MAP_ACL_DEFAULT, value, size);
+}
+
+static ssize_t mp_dacl_listxattr(FsContext *ctx, const char *path,
+                                 char *name, void *value, size_t osize)
+{
+    ssize_t len = sizeof(ACL_DEFAULT);
+
+    if (!value) {
+        return len;
+    }
+
+    if (osize < len) {
+        errno = ERANGE;
+        return -1;
+    }
+
+    strncpy(value, ACL_DEFAULT, len);
+    return 0;
+}
+
+static int mp_dacl_setxattr(FsContext *ctx, const char *path, const char *name,
+                            void *value, size_t size, int flags)
+{
+    return lsetxattr(rpath(ctx, path), MAP_ACL_DEFAULT, value, size, flags);
+}
+
+static int mp_dacl_removexattr(FsContext *ctx,
+                               const char *path, const char *name)
+{
+    return lremovexattr(rpath(ctx, path), MAP_ACL_DEFAULT);
+}
+
+
+XattrOperations mapped_pacl_xattr = {
+    .name = "system.posix_acl_access",
+    .getxattr = mp_pacl_getxattr,
+    .setxattr = mp_pacl_setxattr,
+    .listxattr = mp_pacl_listxattr,
+    .removexattr = mp_pacl_removexattr,
+};
+
+XattrOperations mapped_dacl_xattr = {
+    .name = "system.posix_acl_default",
+    .getxattr = mp_dacl_getxattr,
+    .setxattr = mp_dacl_setxattr,
+    .listxattr = mp_dacl_listxattr,
+    .removexattr = mp_dacl_removexattr,
+};
+
+XattrOperations passthrough_acl_xattr = {
+    .name = "system.posix_acl_",
+    .getxattr = pt_getxattr,
+    .setxattr = pt_setxattr,
+    .listxattr = pt_listxattr,
+    .removexattr = pt_removexattr,
+};
+
+XattrOperations none_acl_xattr = {
+    .name = "system.posix_acl_",
+    .getxattr = notsup_getxattr,
+    .setxattr = notsup_setxattr,
+    .listxattr = notsup_listxattr,
+    .removexattr = notsup_removexattr,
+};
diff --git a/hw/virtio-9p-xattr-user.c b/hw/virtio-9p-xattr-user.c
index b14dbb9..faa02a1 100644
--- a/hw/virtio-9p-xattr-user.c
+++ b/hw/virtio-9p-xattr-user.c
@@ -37,11 +37,19 @@ static ssize_t mp_user_listxattr(FsContext *ctx, const char *path,
 {
     int name_size = strlen(name) + 1;
     if (strncmp(name, "user.virtfs.", 12) == 0) {
-        /*
-         * Don't allow fetch of user.virtfs namesapce
-         * in case of mapped security
-         */
-        return 0;
+
+        /*  check if it is a mapped posix acl */
+        if (strncmp(name, "user.virtfs.system.posix_acl_", 29) == 0) {
+            /* adjust the name and size */
+            name += 12;
+            name_size -= 12;
+        } else {
+            /*
+             * Don't allow fetch of user.virtfs namesapce
+             * in case of mapped security
+             */
+            return 0;
+        }
     }
     if (!value) {
         return name_size;
diff --git a/hw/virtio-9p-xattr.c b/hw/virtio-9p-xattr.c
index 5ddc3c9..175f372 100644
--- a/hw/virtio-9p-xattr.c
+++ b/hw/virtio-9p-xattr.c
@@ -137,16 +137,20 @@ int v9fs_remove_xattr(FsContext *ctx,
 
 XattrOperations *mapped_xattr_ops[] = {
     &mapped_user_xattr,
+    &mapped_pacl_xattr,
+    &mapped_dacl_xattr,
     NULL,
 };
 
 XattrOperations *passthrough_xattr_ops[] = {
     &passthrough_user_xattr,
+    &passthrough_acl_xattr,
     NULL,
 };
 
 /* for .user none model should be same as passthrough */
 XattrOperations *none_xattr_ops[] = {
     &passthrough_user_xattr,
+    &none_acl_xattr,
     NULL,
 };
diff --git a/hw/virtio-9p-xattr.h b/hw/virtio-9p-xattr.h
index 15632f8..a6e31a1 100644
--- a/hw/virtio-9p-xattr.h
+++ b/hw/virtio-9p-xattr.h
@@ -32,6 +32,11 @@ typedef struct xattr_operations
 extern XattrOperations mapped_user_xattr;
 extern XattrOperations passthrough_user_xattr;
 
+extern XattrOperations mapped_pacl_xattr;
+extern XattrOperations mapped_dacl_xattr;
+extern XattrOperations passthrough_acl_xattr;
+extern XattrOperations none_acl_xattr;
+
 extern XattrOperations *mapped_xattr_ops[];
 extern XattrOperations *passthrough_xattr_ops[];
 extern XattrOperations *none_xattr_ops[];
@@ -66,4 +71,33 @@ static inline int pt_removexattr(FsContext *ctx,
     return lremovexattr(rpath(ctx, path), name);
 }
 
+static inline ssize_t notsup_getxattr(FsContext *ctx, const char *path,
+                                      const char *name, void *value,
+                                      size_t size)
+{
+    errno = ENOTSUP;
+    return -1;
+}
+
+static inline int notsup_setxattr(FsContext *ctx, const char *path,
+                                  const char *name, void *value,
+                                  size_t size, int flags)
+{
+    errno = ENOTSUP;
+    return -1;
+}
+
+static inline ssize_t notsup_listxattr(FsContext *ctx, const char *path,
+                                       char *name, void *value, size_t size)
+{
+    return 0;
+}
+
+static inline int notsup_removexattr(FsContext *ctx,
+                                     const char *path, const char *name)
+{
+    errno = ENOTSUP;
+    return -1;
+}
+
 #endif
commit fc22118d9bb56ec71655b936a29513c140e6c289
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Mon Oct 18 15:28:16 2010 +0530

    virtio-9p: Use layered xattr approach
    
    We would need this to make sure we handle the mapped
    security model correctly for different xattr names.
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/Makefile.objs b/Makefile.objs
index 816194a..be4fade 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -249,7 +249,8 @@ sound-obj-$(CONFIG_CS4231A) += cs4231a.o
 adlib.o fmopl.o: QEMU_CFLAGS += -DBUILD_Y8950=0
 hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
 
-hw-obj-$(CONFIG_VIRTFS) += virtio-9p-debug.o virtio-9p-local.o
+hw-obj-$(CONFIG_VIRTFS) += virtio-9p-debug.o virtio-9p-local.o virtio-9p-xattr.o
+hw-obj-$(CONFIG_VIRTFS) += virtio-9p-xattr-user.o
 
 ######################################################################
 # libdis
diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index d91b7e7..bf867b9 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -47,11 +47,14 @@ typedef struct FsCred
     dev_t   fc_rdev;
 } FsCred;
 
+struct xattr_operations;
+
 typedef struct FsContext
 {
     char *fs_root;
     SecModel fs_sm;
     uid_t uid;
+    struct xattr_operations **xops;
 } FsContext;
 
 extern void cred_init(FsCred *);
@@ -94,4 +97,12 @@ typedef struct FileOperations
     int (*lremovexattr)(FsContext *, const char *, const char *);
     void *opaque;
 } FileOperations;
+
+static inline const char *rpath(FsContext *ctx, const char *path)
+{
+    /* FIXME: so wrong... */
+    static char buffer[4096];
+    snprintf(buffer, sizeof(buffer), "%s/%s", ctx->fs_root, path);
+    return buffer;
+}
 #endif
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 57f9243..ee63033 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -12,6 +12,7 @@
  */
 #include "virtio.h"
 #include "virtio-9p.h"
+#include "virtio-9p-xattr.h"
 #include <arpa/inet.h>
 #include <pwd.h>
 #include <grp.h>
@@ -19,14 +20,6 @@
 #include <sys/un.h>
 #include <attr/xattr.h>
 
-static const char *rpath(FsContext *ctx, const char *path)
-{
-    /* FIXME: so wrong... */
-    static char buffer[4096];
-    snprintf(buffer, sizeof(buffer), "%s/%s", ctx->fs_root, path);
-    return buffer;
-}
-
 
 static int local_lstat(FsContext *fs_ctx, const char *path, struct stat *stbuf)
 {
@@ -497,103 +490,25 @@ static int local_statfs(FsContext *s, const char *path, struct statfs *stbuf)
 static ssize_t local_lgetxattr(FsContext *ctx, const char *path,
                                const char *name, void *value, size_t size)
 {
-    if ((ctx->fs_sm == SM_MAPPED) &&
-        (strncmp(name, "user.virtfs.", 12) == 0)) {
-        /*
-         * Don't allow fetch of user.virtfs namesapce
-         * in case of mapped security
-         */
-        errno = ENOATTR;
-        return -1;
-    }
-
-    return lgetxattr(rpath(ctx, path), name, value, size);
+    return v9fs_get_xattr(ctx, path, name, value, size);
 }
 
 static ssize_t local_llistxattr(FsContext *ctx, const char *path,
                                 void *value, size_t size)
 {
-    ssize_t retval;
-    ssize_t actual_len = 0;
-    char *orig_value, *orig_value_start;
-    char *temp_value, *temp_value_start;
-    ssize_t xattr_len, parsed_len = 0, attr_len;
-
-    if (ctx->fs_sm != SM_MAPPED) {
-        return llistxattr(rpath(ctx, path), value, size);
-    }
-
-    /* Get the actual len */
-    xattr_len = llistxattr(rpath(ctx, path), value, 0);
-
-    /* Now fetch the xattr and find the actual size */
-    orig_value = qemu_malloc(xattr_len);
-    xattr_len = llistxattr(rpath(ctx, path), orig_value, xattr_len);
-
-    /*
-     * For mapped security model drop user.virtfs namespace
-     * from the list
-     */
-    temp_value = qemu_mallocz(xattr_len);
-    temp_value_start = temp_value;
-    orig_value_start = orig_value;
-    while (xattr_len > parsed_len) {
-        attr_len = strlen(orig_value) + 1;
-        if (strncmp(orig_value, "user.virtfs.", 12) != 0) {
-            /* Copy this entry */
-            strcat(temp_value, orig_value);
-            temp_value  += attr_len;
-            actual_len += attr_len;
-        }
-        parsed_len += attr_len;
-        orig_value += attr_len;
-    }
-    if (!size) {
-        retval = actual_len;
-        goto out;
-    } else if (size >= actual_len) {
-        /* now copy the parsed attribute list back */
-        memset(value, 0, size);
-        memcpy(value, temp_value_start, actual_len);
-        retval = actual_len;
-        goto out;
-    }
-    errno = ERANGE;
-    retval = -1;
-out:
-    qemu_free(orig_value_start);
-    qemu_free(temp_value_start);
-    return retval;
+    return v9fs_list_xattr(ctx, path, value, size);
 }
 
 static int local_lsetxattr(FsContext *ctx, const char *path, const char *name,
                            void *value, size_t size, int flags)
 {
-    if ((ctx->fs_sm == SM_MAPPED) &&
-        (strncmp(name, "user.virtfs.", 12) == 0)) {
-        /*
-         * Don't allow fetch of user.virtfs namesapce
-         * in case of mapped security
-         */
-        errno = EACCES;
-        return -1;
-    }
-    return lsetxattr(rpath(ctx, path), name, value, size, flags);
+    return v9fs_set_xattr(ctx, path, name, value, size, flags);
 }
 
 static int local_lremovexattr(FsContext *ctx,
                               const char *path, const char *name)
 {
-    if ((ctx->fs_sm == SM_MAPPED) &&
-        (strncmp(name, "user.virtfs.", 12) == 0)) {
-        /*
-         * Don't allow fetch of user.virtfs namesapce
-         * in case of mapped security
-         */
-        errno = EACCES;
-        return -1;
-    }
-    return lremovexattr(rpath(ctx, path), name);
+    return v9fs_remove_xattr(ctx, path, name);
 }
 
 
diff --git a/hw/virtio-9p-xattr-user.c b/hw/virtio-9p-xattr-user.c
new file mode 100644
index 0000000..b14dbb9
--- /dev/null
+++ b/hw/virtio-9p-xattr-user.c
@@ -0,0 +1,101 @@
+/*
+ * Virtio 9p user. xattr callback
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ * Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include <sys/types.h>
+#include "virtio.h"
+#include "virtio-9p.h"
+#include "file-op-9p.h"
+#include "virtio-9p-xattr.h"
+
+
+static ssize_t mp_user_getxattr(FsContext *ctx, const char *path,
+                                const char *name, void *value, size_t size)
+{
+    if (strncmp(name, "user.virtfs.", 12) == 0) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        errno = ENOATTR;
+        return -1;
+    }
+    return lgetxattr(rpath(ctx, path), name, value, size);
+}
+
+static ssize_t mp_user_listxattr(FsContext *ctx, const char *path,
+                                 char *name, void *value, size_t size)
+{
+    int name_size = strlen(name) + 1;
+    if (strncmp(name, "user.virtfs.", 12) == 0) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        return 0;
+    }
+    if (!value) {
+        return name_size;
+    }
+
+    if (size < name_size) {
+        errno = ERANGE;
+        return -1;
+    }
+
+    strncpy(value, name, name_size);
+    return name_size;
+}
+
+static int mp_user_setxattr(FsContext *ctx, const char *path, const char *name,
+                            void *value, size_t size, int flags)
+{
+    if (strncmp(name, "user.virtfs.", 12) == 0) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        errno = EACCES;
+        return -1;
+    }
+    return lsetxattr(rpath(ctx, path), name, value, size, flags);
+}
+
+static int mp_user_removexattr(FsContext *ctx,
+                               const char *path, const char *name)
+{
+    if (strncmp(name, "user.virtfs.", 12) == 0) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        errno = EACCES;
+        return -1;
+    }
+    return lremovexattr(rpath(ctx, path), name);
+}
+
+XattrOperations mapped_user_xattr = {
+    .name = "user.",
+    .getxattr = mp_user_getxattr,
+    .setxattr = mp_user_setxattr,
+    .listxattr = mp_user_listxattr,
+    .removexattr = mp_user_removexattr,
+};
+
+XattrOperations passthrough_user_xattr = {
+    .name = "user.",
+    .getxattr = pt_getxattr,
+    .setxattr = pt_setxattr,
+    .listxattr = pt_listxattr,
+    .removexattr = pt_removexattr,
+};
diff --git a/hw/virtio-9p-xattr.c b/hw/virtio-9p-xattr.c
new file mode 100644
index 0000000..5ddc3c9
--- /dev/null
+++ b/hw/virtio-9p-xattr.c
@@ -0,0 +1,152 @@
+/*
+ * Virtio 9p  xattr callback
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ * Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include "virtio.h"
+#include "virtio-9p.h"
+#include "file-op-9p.h"
+#include "virtio-9p-xattr.h"
+
+
+static XattrOperations *get_xattr_operations(XattrOperations **h,
+                                             const char *name)
+{
+    XattrOperations *xops;
+    for (xops = *(h)++; xops != NULL; xops = *(h)++) {
+        if (!strncmp(name, xops->name, strlen(xops->name))) {
+            return xops;
+        }
+    }
+    return NULL;
+}
+
+ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
+                       const char *name, void *value, size_t size)
+{
+    XattrOperations *xops = get_xattr_operations(ctx->xops, name);
+    if (xops) {
+        return xops->getxattr(ctx, path, name, value, size);
+    }
+    errno = -EOPNOTSUPP;
+    return -1;
+}
+
+ssize_t pt_listxattr(FsContext *ctx, const char *path,
+                     char *name, void *value, size_t size)
+{
+    int name_size = strlen(name) + 1;
+    if (!value) {
+        return name_size;
+    }
+
+    if (size < name_size) {
+        errno = ERANGE;
+        return -1;
+    }
+
+    strncpy(value, name, name_size);
+    return name_size;
+}
+
+
+/*
+ * Get the list and pass to each layer to find out whether
+ * to send the data or not
+ */
+ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
+                        void *value, size_t vsize)
+{
+    ssize_t size = 0;
+    void *ovalue = value;
+    XattrOperations *xops;
+    char *orig_value, *orig_value_start;
+    ssize_t xattr_len, parsed_len = 0, attr_len;
+
+    /* Get the actual len */
+    xattr_len = llistxattr(rpath(ctx, path), value, 0);
+
+    /* Now fetch the xattr and find the actual size */
+    orig_value = qemu_malloc(xattr_len);
+    xattr_len = llistxattr(rpath(ctx, path), orig_value, xattr_len);
+
+    /* store the orig pointer */
+    orig_value_start = orig_value;
+    while (xattr_len > parsed_len) {
+        xops = get_xattr_operations(ctx->xops, orig_value);
+        if (!xops) {
+            goto next_entry;
+        }
+
+        if (!value) {
+            size += xops->listxattr(ctx, path, orig_value, value, vsize);
+        } else {
+            size = xops->listxattr(ctx, path, orig_value, value, vsize);
+            if (size < 0) {
+                goto err_out;
+            }
+            value += size;
+            vsize -= size;
+        }
+next_entry:
+        /* Got the next entry */
+        attr_len = strlen(orig_value) + 1;
+        parsed_len += attr_len;
+        orig_value += attr_len;
+    }
+    if (value) {
+        size = value - ovalue;
+    }
+
+err_out:
+    qemu_free(orig_value_start);
+    return size;
+}
+
+int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
+                   void *value, size_t size, int flags)
+{
+    XattrOperations *xops = get_xattr_operations(ctx->xops, name);
+    if (xops) {
+        return xops->setxattr(ctx, path, name, value, size, flags);
+    }
+    errno = -EOPNOTSUPP;
+    return -1;
+
+}
+
+int v9fs_remove_xattr(FsContext *ctx,
+                      const char *path, const char *name)
+{
+    XattrOperations *xops = get_xattr_operations(ctx->xops, name);
+    if (xops) {
+        return xops->removexattr(ctx, path, name);
+    }
+    errno = -EOPNOTSUPP;
+    return -1;
+
+}
+
+XattrOperations *mapped_xattr_ops[] = {
+    &mapped_user_xattr,
+    NULL,
+};
+
+XattrOperations *passthrough_xattr_ops[] = {
+    &passthrough_user_xattr,
+    NULL,
+};
+
+/* for .user none model should be same as passthrough */
+XattrOperations *none_xattr_ops[] = {
+    &passthrough_user_xattr,
+    NULL,
+};
diff --git a/hw/virtio-9p-xattr.h b/hw/virtio-9p-xattr.h
new file mode 100644
index 0000000..15632f8
--- /dev/null
+++ b/hw/virtio-9p-xattr.h
@@ -0,0 +1,69 @@
+/*
+ * Virtio 9p
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * Authors:
+ *  Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+#ifndef _QEMU_VIRTIO_9P_XATTR_H
+#define _QEMU_VIRTIO_9P_XATTR_H
+
+#include <attr/xattr.h>
+
+typedef struct xattr_operations
+{
+    const char *name;
+    ssize_t (*getxattr)(FsContext *ctx, const char *path,
+                        const char *name, void *value, size_t size);
+    ssize_t (*listxattr)(FsContext *ctx, const char *path,
+                         char *name, void *value, size_t size);
+    int (*setxattr)(FsContext *ctx, const char *path, const char *name,
+                    void *value, size_t size, int flags);
+    int (*removexattr)(FsContext *ctx,
+                       const char *path, const char *name);
+} XattrOperations;
+
+
+extern XattrOperations mapped_user_xattr;
+extern XattrOperations passthrough_user_xattr;
+
+extern XattrOperations *mapped_xattr_ops[];
+extern XattrOperations *passthrough_xattr_ops[];
+extern XattrOperations *none_xattr_ops[];
+
+extern ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
+                              const char *name, void *value, size_t size);
+extern ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
+                               void *value, size_t vsize);
+extern int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
+                          void *value, size_t size, int flags);
+extern int v9fs_remove_xattr(FsContext *ctx,
+                             const char *path, const char *name);
+extern ssize_t pt_listxattr(FsContext *ctx, const char *path,
+                            char *name, void *value, size_t size);
+
+static inline ssize_t pt_getxattr(FsContext *ctx, const char *path,
+                                  const char *name, void *value, size_t size)
+{
+    return lgetxattr(rpath(ctx, path), name, value, size);
+}
+
+static inline int pt_setxattr(FsContext *ctx, const char *path,
+                              const char *name, void *value,
+                              size_t size, int flags)
+{
+    return lsetxattr(rpath(ctx, path), name, value, size, flags);
+}
+
+static inline int pt_removexattr(FsContext *ctx,
+                                 const char *path, const char *name)
+{
+    return lremovexattr(rpath(ctx, path), name);
+}
+
+#endif
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index cb6366b..4586cce 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -17,6 +17,7 @@
 #include "virtio-9p.h"
 #include "fsdev/qemu-fsdev.h"
 #include "virtio-9p-debug.h"
+#include "virtio-9p-xattr.h"
 
 int debug_9p_pdu;
 
@@ -3712,23 +3713,26 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
     if (!strcmp(fse->security_model, "passthrough")) {
         /* Files on the Fileserver set to client user credentials */
         s->ctx.fs_sm = SM_PASSTHROUGH;
+        s->ctx.xops = passthrough_xattr_ops;
     } else if (!strcmp(fse->security_model, "mapped")) {
         /* Files on the fileserver are set to QEMU credentials.
          * Client user credentials are saved in extended attributes.
          */
         s->ctx.fs_sm = SM_MAPPED;
+        s->ctx.xops = mapped_xattr_ops;
     } else if (!strcmp(fse->security_model, "none")) {
         /*
          * Files on the fileserver are set to QEMU credentials.
          */
         s->ctx.fs_sm = SM_NONE;
-
+        s->ctx.xops = none_xattr_ops;
     } else {
         fprintf(stderr, "Default to security_model=none. You may want"
                 " enable advanced security model using "
                 "security option:\n\t security_model=passthrough \n\t "
                 "security_model=mapped\n");
         s->ctx.fs_sm = SM_NONE;
+        s->ctx.xops = none_xattr_ops;
     }
 
     if (lstat(fse->path, &stat)) {
commit 0f8151cb75e09c9a7de24a37f22166e46a9eaf7b
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Sun Sep 19 10:47:11 2010 -0700

    [virtio-9p] Ignore O_DIRECT hint from client.
    
    The O_DIRECT flag imposes alignment restrictions on the length and address
    of userspace buffers and the file offset of I/Os.
    
    While VirtFS/9P has plans to implement O_DIRECT behavior on the server,
    for now we will stick to a behavior like NFS by bypassing the page cache
    only on the client. Server may still cache the I/O.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 6c80795..cb6366b 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1704,6 +1704,8 @@ static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
         if (s->proto_version == V9FS_PROTO_2000L) {
             flags = vs->mode;
             flags &= ~(O_NOCTTY | O_ASYNC | O_CREAT);
+            /* Ignore direct disk access hint until the server supports it. */
+            flags &= ~O_DIRECT;
         } else {
             flags = omode_to_uflags(vs->mode);
         }
@@ -1826,6 +1828,9 @@ static void v9fs_lcreate(V9fsState *s, V9fsPDU *pdu)
     v9fs_string_sprintf(&vs->fullname, "%s/%s", vs->fidp->path.data,
              vs->name.data);
 
+    /* Ignore direct disk access hint until the server supports it. */
+    flags &= ~O_DIRECT;
+
     vs->fidp->fs.fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
             gid, flags, mode);
     v9fs_lcreate_post_do_open2(s, vs, err);
commit df0973a4650d4889463ff66cb6fbdf0ab8090c70
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Tue Sep 14 15:08:25 2010 +0530

    qemu-virtio-9p: Implement TREADLINK operation for 9p2000.L
    
    Synopsis
    
            size[4] TReadlink tag[2] fid[4]
            size[4] RReadlink tag[2] target[s]
    
    Description
            Readlink is used to return the contents of the symoblic link
            referred by fid. Contents of symboic link is returned as a
            response.
    
            target[s] - Contents of the symbolic link referred by fid.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Reviewed-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 8f3c321..cff5b07 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -502,6 +502,14 @@ void pprint_pdu(V9fsPDU *pdu)
         fprintf(llogfile, "RMKNOD: )");
         pprint_qid(pdu, 0, &offset, "qid");
         break;
+    case P9_TREADLINK:
+	fprintf(llogfile, "TREADLINK: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        break;
+    case P9_RREADLINK:
+	fprintf(llogfile, "RREADLINK: (");
+        pprint_str(pdu, 0, &offset, "target");
+        break;
     case P9_TREAD:
         fprintf(llogfile, "TREAD: (");
         pprint_int32(pdu, 0, &offset, "fid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index e8eec7f..6c80795 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -3520,6 +3520,49 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_readlink_post_readlink(V9fsState *s, V9fsReadLinkState *vs,
+                                                    int err)
+{
+    if (err < 0) {
+        err = -errno;
+        goto out;
+    }
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "s", &vs->target);
+    err = vs->offset;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->target);
+    qemu_free(vs);
+}
+
+static void v9fs_readlink(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsReadLinkState *vs;
+    int err = 0;
+    V9fsFidState *fidp;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    pdu_unmarshal(vs->pdu, vs->offset, "d", &fid);
+
+    fidp = lookup_fid(s, fid);
+    if (fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    v9fs_string_init(&vs->target);
+    err = v9fs_do_readlink(s, &fidp->path, &vs->target);
+    v9fs_readlink_post_readlink(s, vs, err);
+    return;
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
 static pdu_handler_t *pdu_handlers[] = {
@@ -3533,6 +3576,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TRENAME] = v9fs_rename,
     [P9_TLOCK] = v9fs_lock,
     [P9_TGETLOCK] = v9fs_getlock,
+    [P9_TREADLINK] = v9fs_readlink,
     [P9_TMKDIR] = v9fs_mkdir,
     [P9_TVERSION] = v9fs_version,
     [P9_TLOPEN] = v9fs_open,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 637cea6..6c23319 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -27,6 +27,8 @@ enum {
     P9_RMKNOD,
     P9_TRENAME = 20,
     P9_RRENAME,
+    P9_TREADLINK = 22,
+    P9_RREADLINK,
     P9_TGETATTR = 24,
     P9_RGETATTR,
     P9_TSETATTR = 26,
@@ -486,6 +488,12 @@ typedef struct V9fsGetlockState
     V9fsGetlock *glock;
 } V9fsGetlockState;
 
+typedef struct V9fsReadLinkState
+{
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsString target;
+} V9fsReadLinkState;
 
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
commit b41e95d34877c1917ba9fca7ca8f5d4122d4c619
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Wed Sep 22 17:18:33 2010 -0700

    [virtio-9p] Introduce server side TFSYNC/RFSYNC for dotl
    
    SYNOPSIS
        size[4] Tfsync tag[2] fid[4]
    
        size[4] Rfsync tag[2]
    
    DESCRIPTION
    
    The Tfsync transaction transfers ("flushes") all modified in-core data of
    file identified by fid to the disk device (or other  permanent  storage
    device)  where that  file  resides.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 85c9900..8f3c321 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -535,6 +535,13 @@ void pprint_pdu(V9fsPDU *pdu)
     case P9_RCLUNK:
         fprintf(llogfile, "RCLUNK: (");
         break;
+    case P9_TFSYNC:
+        fprintf(llogfile, "TFSYNC: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        break;
+    case P9_RFSYNC:
+        fprintf(llogfile, "RFSYNC: (");
+        break;
     case P9_TLINK:
         fprintf(llogfile, "TLINK: (");
         pprint_int32(pdu, 0, &offset, "fid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 8ae233e..e8eec7f 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1837,6 +1837,32 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_post_do_fsync(V9fsState *s, V9fsPDU *pdu, int err)
+{
+    if (err == -1) {
+        err = -errno;
+    }
+    complete_pdu(s, pdu, err);
+}
+
+static void v9fs_fsync(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    size_t offset = 7;
+    V9fsFidState *fidp;
+    int err;
+
+    pdu_unmarshal(pdu, offset, "d", &fid);
+    fidp = lookup_fid(s, fid);
+    if (fidp == NULL) {
+        err = -ENOENT;
+        v9fs_post_do_fsync(s, pdu, err);
+        return;
+    }
+    err = v9fs_do_fsync(s, fidp->fs.fd);
+    v9fs_post_do_fsync(s, pdu, err);
+}
+
 static void v9fs_clunk(V9fsState *s, V9fsPDU *pdu)
 {
     int32_t fid;
@@ -3514,6 +3540,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TSTAT] = v9fs_stat,
     [P9_TWALK] = v9fs_walk,
     [P9_TCLUNK] = v9fs_clunk,
+    [P9_TFSYNC] = v9fs_fsync,
     [P9_TOPEN] = v9fs_open,
     [P9_TREAD] = v9fs_read,
 #if 0
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 6a68895..637cea6 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -37,6 +37,8 @@ enum {
     P9_RXATTRCREATE,
     P9_TREADDIR = 40,
     P9_RREADDIR,
+    P9_TFSYNC = 50,
+    P9_RFSYNC,
     P9_TLOCK = 52,
     P9_RLOCK,
     P9_TGETLOCK = 54,
commit 8f35400358488ffa1147e9eab9e2c9cf0efd5e4e
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Wed Sep 8 02:36:52 2010 +0530

    qemu-virtio9p: Implement TGETLOCK
    
    Synopsis
    
        size[4] TGetlock tag[2] fid[4] getlock[n]
        size[4] RGetlock tag[2] getlock[n]
    
    Description
    
    TGetlock is used to test for the existence of byte range posix locks on
    a file identified by given fid. The reply contains getlock structure. If
    the lock could be placed it returns F_UNLCK in type field of getlock structure.
    Otherwise it returns the details of the conflicting locks in the getlock
    structure
    
        getlock structure:
          type[1] - Type of lock: F_RDLCK, F_WRLCK
          start[8] - Starting offset for lock
          length[8] - Number of bytes to lock
            If length is 0, lock all bytes starting at the location
            'start' through to the end of file
          proc_id[4] - process id that wants to take lock/owns the task
                   in case of reply
          client[4] - Client id of the system that owns the process
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 045774f..85c9900 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -602,6 +602,23 @@ void pprint_pdu(V9fsPDU *pdu)
         fprintf(llogfile, "RLOCK: (");
         pprint_int8(pdu, 0, &offset, "status");
         break;
+    case P9_TGETLOCK:
+        fprintf(llogfile, "TGETLOCK: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_int8(pdu, 0, &offset, ", type");
+        pprint_int64(pdu, 0, &offset, ", start");
+        pprint_int64(pdu, 0, &offset, ", length");
+        pprint_int32(pdu, 0, &offset, ", proc_id");
+        pprint_str(pdu, 0, &offset, ", client_id");
+        break;
+    case P9_RGETLOCK:
+        fprintf(llogfile, "RGETLOCK: (");
+        pprint_int8(pdu, 0, &offset, "type");
+        pprint_int64(pdu, 0, &offset, ", start");
+        pprint_int64(pdu, 0, &offset, ", length");
+        pprint_int32(pdu, 0, &offset, ", proc_id");
+        pprint_str(pdu, 0, &offset, ", client_id");
+        break;
     default:
         fprintf(llogfile, "unknown(%d): (", pdu->id);
         break;
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 20acb5b..8ae233e 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -3203,6 +3203,46 @@ out:
     qemu_free(vs);
 }
 
+/*
+ * When a TGETLOCK request comes, always return success because all lock
+ * handling is done by client's VFS layer.
+ */
+
+static void v9fs_getlock(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid, err = 0;
+    V9fsGetlockState *vs;
+
+    vs = qemu_mallocz(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    vs->glock = qemu_malloc(sizeof(*vs->glock));
+    pdu_unmarshal(vs->pdu, vs->offset, "dbqqds", &fid, &vs->glock->type,
+                &vs->glock->start, &vs->glock->length, &vs->glock->proc_id,
+		&vs->glock->client_id);
+
+    vs->fidp = lookup_fid(s, fid);
+    if (vs->fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    err = v9fs_do_fstat(s, vs->fidp->fs.fd, &vs->stbuf);
+    if (err < 0) {
+        err = -errno;
+        goto out;
+    }
+    vs->glock->type = F_UNLCK;
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "bqqds", vs->glock->type,
+                vs->glock->start, vs->glock->length, vs->glock->proc_id,
+		&vs->glock->client_id);
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs->glock);
+    qemu_free(vs);
+}
+
 static void v9fs_mkdir_post_lstat(V9fsState *s, V9fsMkState *vs, int err)
 {
     if (err == -1) {
@@ -3466,6 +3506,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TMKNOD] = v9fs_mknod,
     [P9_TRENAME] = v9fs_rename,
     [P9_TLOCK] = v9fs_lock,
+    [P9_TGETLOCK] = v9fs_getlock,
     [P9_TMKDIR] = v9fs_mkdir,
     [P9_TVERSION] = v9fs_version,
     [P9_TLOPEN] = v9fs_open,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 4555f39..6a68895 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -39,6 +39,8 @@ enum {
     P9_RREADDIR,
     P9_TLOCK = 52,
     P9_RLOCK,
+    P9_TGETLOCK = 54,
+    P9_RGETLOCK,
     P9_TLINK = 70,
     P9_RLINK,
     P9_TMKDIR = 72,
@@ -464,6 +466,25 @@ typedef struct V9fsLockState
     V9fsFlock *flock;
 } V9fsLockState;
 
+typedef struct V9fsGetlock
+{
+    uint8_t type;
+    uint64_t start; /* absolute offset */
+    uint64_t length;
+    uint32_t proc_id;
+    V9fsString client_id;
+} V9fsGetlock;
+
+typedef struct V9fsGetlockState
+{
+    V9fsPDU *pdu;
+    size_t offset;
+    struct stat stbuf;
+    V9fsFidState *fidp;
+    V9fsGetlock *glock;
+} V9fsGetlockState;
+
+
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
 
commit 82cc3ee88ba238ec3ba96f4673d8a184588b82a4
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Wed Sep 8 02:19:32 2010 +0530

    [virto-9p] Implement TLOCK
    
    Synopsis
    
        size[4] TLock tag[2] fid[4] flock[n]
        size[4] RLock tag[2] status[1]
    
    Description
    
    Tlock is used to acquire/release byte range posix locks on a file
    identified by given fid. The reply contains status of the lock request
    
        flock structure:
            type[1] - Type of lock: F_RDLCK, F_WRLCK, F_UNLCK
            flags[4] - Flags could be either of
              P9_LOCK_FLAGS_BLOCK(1) - Blocked lock request, if there is a
                conflicting lock exists, wait for that lock to be released.
              P9_LOCK_FLAGS_RECLAIM(2) - Reclaim lock request, used when client is
                trying to reclaim a lock after a server restrart (due to crash)
            start[8] - Starting offset for lock
            length[8] - Number of bytes to lock
              If length is 0, lock all bytes starting at the location 'start'
              through to the end of file
            pid[4] - PID of the process that wants to take lock
            client_id[4] - Unique client id
    
            status[1] - Status of the lock request, can be
              P9_LOCK_SUCCESS(0), P9_LOCK_BLOCKED(1), P9_LOCK_ERROR(2) or
              P9_LOCK_GRACE(3)
              P9_LOCK_SUCCESS - Request was successful
              P9_LOCK_BLOCKED - A conflicting lock is held by another process
              P9_LOCK_ERROR - Error while processing the lock request
              P9_LOCK_GRACE - Server is in grace period, it can't accept new lock
                    requests in this period (except locks with
                    P9_LOCK_FLAGS_RECLAIM flag set)
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 6f6a0ec..045774f 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -588,6 +588,20 @@ void pprint_pdu(V9fsPDU *pdu)
     case P9_RXATTRCREATE:
         fprintf(llogfile, "RXATTRCREATE: (");
         break;
+    case P9_TLOCK:
+        fprintf(llogfile, "TLOCK: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_int8(pdu, 0, &offset, ", type");
+        pprint_int32(pdu, 0, &offset, ", flags");
+        pprint_int64(pdu, 0, &offset, ", start");
+        pprint_int64(pdu, 0, &offset, ", length");
+        pprint_int32(pdu, 0, &offset, ", proc_id");
+        pprint_str(pdu, 0, &offset, ", client_id");
+        break;
+    case P9_RLOCK:
+        fprintf(llogfile, "RLOCK: (");
+        pprint_int8(pdu, 0, &offset, "status");
+        break;
     default:
         fprintf(llogfile, "unknown(%d): (", pdu->id);
         break;
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 3379a30..20acb5b 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -3154,6 +3154,55 @@ out:
     qemu_free(vs);
 }
 
+/*
+ * Implement posix byte range locking code
+ * Server side handling of locking code is very simple, because 9p server in
+ * QEMU can handle only one client. And most of the lock handling
+ * (like conflict, merging) etc is done by the VFS layer itself, so no need to
+ * do any thing in * qemu 9p server side lock code path.
+ * So when a TLOCK request comes, always return success
+ */
+
+static void v9fs_lock(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid, err = 0;
+    V9fsLockState *vs;
+
+    vs = qemu_mallocz(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    vs->flock = qemu_malloc(sizeof(*vs->flock));
+    pdu_unmarshal(vs->pdu, vs->offset, "dbdqqds", &fid, &vs->flock->type,
+                &vs->flock->flags, &vs->flock->start, &vs->flock->length,
+                            &vs->flock->proc_id, &vs->flock->client_id);
+
+    vs->status = P9_LOCK_ERROR;
+
+    /* We support only block flag now (that too ignored currently) */
+    if (vs->flock->flags & ~P9_LOCK_FLAGS_BLOCK) {
+        err = -EINVAL;
+        goto out;
+    }
+    vs->fidp = lookup_fid(s, fid);
+    if (vs->fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    err = v9fs_do_fstat(s, vs->fidp->fs.fd, &vs->stbuf);
+    if (err < 0) {
+        err = -errno;
+        goto out;
+    }
+    vs->status = P9_LOCK_SUCCESS;
+out:
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "b", vs->status);
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs->flock);
+    qemu_free(vs);
+}
+
 static void v9fs_mkdir_post_lstat(V9fsState *s, V9fsMkState *vs, int err)
 {
     if (err == -1) {
@@ -3416,6 +3465,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TXATTRCREATE] = v9fs_xattrcreate,
     [P9_TMKNOD] = v9fs_mknod,
     [P9_TRENAME] = v9fs_rename,
+    [P9_TLOCK] = v9fs_lock,
     [P9_TMKDIR] = v9fs_mkdir,
     [P9_TVERSION] = v9fs_version,
     [P9_TLOPEN] = v9fs_open,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 0816ad6..4555f39 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -37,6 +37,8 @@ enum {
     P9_RXATTRCREATE,
     P9_TREADDIR = 40,
     P9_RREADDIR,
+    P9_TLOCK = 52,
+    P9_RLOCK,
     P9_TLINK = 70,
     P9_RLINK,
     P9_TMKDIR = 72,
@@ -434,6 +436,34 @@ typedef struct V9fsXattrState
     void *value;
 } V9fsXattrState;
 
+#define P9_LOCK_SUCCESS 0
+#define P9_LOCK_BLOCKED 1
+#define P9_LOCK_ERROR 2
+#define P9_LOCK_GRACE 3
+
+#define P9_LOCK_FLAGS_BLOCK 1
+#define P9_LOCK_FLAGS_RECLAIM 2
+
+typedef struct V9fsFlock
+{
+    uint8_t type;
+    uint32_t flags;
+    uint64_t start; /* absolute offset */
+    uint64_t length;
+    uint32_t proc_id;
+    V9fsString client_id;
+} V9fsFlock;
+
+typedef struct V9fsLockState
+{
+    V9fsPDU *pdu;
+    size_t offset;
+    int8_t status;
+    struct stat stbuf;
+    V9fsFidState *fidp;
+    V9fsFlock *flock;
+} V9fsLockState;
+
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
 
commit ab03b63d7a9c7978d51e56c191f0b86888d121dc
Author: Sripathi Kodi <sripathik at in.ibm.com>
Date:   Mon Sep 20 23:24:29 2010 +0530

    [virtio-9p] open should not return EBADF
    
    When 9P server fails to create a file due to permission problems it should
    return EPERM. However the current 9P2000.L code returns EBADF. EBADF is NOT
    a valid return value from open() call.
    
    The problem is because we do not preserve the errno variable properly. If the
    file open had failed, the call to close() on the fd in v9fs_post_lcreate()
    fails and sets errno to EBADF. We should preserve the errno that we got from
    open() and we should call close() only if we had a valid fd.
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 3b2d49c..3379a30 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1760,8 +1760,10 @@ static void v9fs_post_lcreate(V9fsState *s, V9fsLcreateState *vs, int err)
         err = vs->offset;
     } else {
         vs->fidp->fid_type = P9_FID_NONE;
-        close(vs->fidp->fs.fd);
         err = -errno;
+        if (vs->fidp->fs.fd > 0) {
+            close(vs->fidp->fs.fd);
+        }
     }
 
     complete_pdu(s, vs->pdu, err);
commit a12c668f0a44bbbb7b9bc2b852c62f6864c8b92d
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 20 16:41:36 2010 +0000

    trace: improve info trace output
    
    Use PRI*64 to print full 64 bit data even on ILP32 hosts.
    
    Print also sixth tracepoint parameter.
    
    Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Cc: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/simpletrace.c b/simpletrace.c
index deb1e07..b488d51 100644
--- a/simpletrace.c
+++ b/simpletrace.c
@@ -214,9 +214,11 @@ void st_print_trace(FILE *stream, int (*stream_printf)(FILE *stream, const char
     unsigned int i;
 
     for (i = 0; i < trace_idx; i++) {
-        stream_printf(stream, "Event %lu : %lx %lx %lx %lx %lx\n",
+        stream_printf(stream, "Event %" PRIu64 " : %" PRIx64 " %" PRIx64
+                      " %" PRIx64 " %" PRIx64 " %" PRIx64 " %" PRIx64 "\n",
                       trace_buf[i].event, trace_buf[i].x1, trace_buf[i].x2,
-                      trace_buf[i].x3, trace_buf[i].x4, trace_buf[i].x5);
+                      trace_buf[i].x3, trace_buf[i].x4, trace_buf[i].x5,
+                      trace_buf[i].x6);
     }
 }
 
commit cf85cf8e972f3ad79f203be4edb7968d6e052293
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Wed Oct 20 16:41:31 2010 +0000

    trace: Format strings must begin/end with double quotes
    
    Document the restriction that format strings must begin and end with
    double quotes.  This is for easy parsing since we don't run cpp over
    trace-events.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/docs/tracing.txt b/docs/tracing.txt
index 5504850..963c504 100644
--- a/docs/tracing.txt
+++ b/docs/tracing.txt
@@ -74,7 +74,10 @@ Trace events should use types as follows:
 
 Format strings should reflect the types defined in the trace event.  Take
 special care to use PRId64 and PRIu64 for int64_t and uint64_t types,
-respectively.  This ensures portability between 32- and 64-bit platforms.
+respectively.  This ensures portability between 32- and 64-bit platforms.  Note
+that format strings must begin and end with double quotes.  When using
+portability macros, ensure they are preceded and followed by double quotes:
+"value %"PRIx64"".
 
 === Hints for adding new trace events ===
 
commit d8023f311499e06c02b4da7e74388d7ad906ea23
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 20 16:41:28 2010 +0000

    apic: convert debug printf statements to tracepoints
    
    Replace debug printf statements with tracepoints.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/apic.c b/hw/apic.c
index d686b51..63d62c7 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -21,23 +21,7 @@
 #include "qemu-timer.h"
 #include "host-utils.h"
 #include "sysbus.h"
-
-//#define DEBUG_APIC
-//#define DEBUG_COALESCING
-
-#ifdef DEBUG_APIC
-#define DPRINTF(fmt, ...)                                       \
-    do { printf("apic: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF(fmt, ...)
-#endif
-
-#ifdef DEBUG_COALESCING
-#define DPRINTF_C(fmt, ...)                                     \
-    do { printf("apic: " fmt , ## __VA_ARGS__); } while (0)
-#else
-#define DPRINTF_C(fmt, ...)
-#endif
+#include "trace.h"
 
 /* APIC Local Vector Table */
 #define APIC_LVT_TIMER   0
@@ -168,8 +152,8 @@ static void apic_local_deliver(APICState *s, int vector)
     uint32_t lvt = s->lvt[vector];
     int trigger_mode;
 
-    DPRINTF("%s: vector %d delivery mode %d\n", __func__, vector,
-            (lvt >> 8) & 7);
+    trace_apic_local_deliver(vector, (lvt >> 8) & 7);
+
     if (lvt & APIC_LVT_MASKED)
         return;
 
@@ -300,9 +284,9 @@ void apic_deliver_irq(uint8_t dest, uint8_t dest_mode,
 {
     uint32_t deliver_bitmask[MAX_APIC_WORDS];
 
-    DPRINTF("%s: dest %d dest_mode %d delivery_mode %d vector %d"
-            " polarity %d trigger_mode %d\n", __func__, dest, dest_mode,
-            delivery_mode, vector_num, polarity, trigger_mode);
+    trace_apic_deliver_irq(dest, dest_mode, delivery_mode, vector_num,
+                           polarity, trigger_mode);
+
     apic_get_delivery_bitmask(deliver_bitmask, dest, dest_mode);
     apic_bus_deliver(deliver_bitmask, delivery_mode, vector_num, polarity,
                      trigger_mode);
@@ -312,7 +296,8 @@ void cpu_set_apic_base(DeviceState *d, uint64_t val)
 {
     APICState *s = DO_UPCAST(APICState, busdev.qdev, d);
 
-    DPRINTF("cpu_set_apic_base: %016" PRIx64 "\n", val);
+    trace_cpu_set_apic_base(val);
+
     if (!s)
         return;
     s->apicbase = (val & 0xfffff000) |
@@ -329,8 +314,8 @@ uint64_t cpu_get_apic_base(DeviceState *d)
 {
     APICState *s = DO_UPCAST(APICState, busdev.qdev, d);
 
-    DPRINTF("cpu_get_apic_base: %016" PRIx64 "\n",
-            s ? (uint64_t)s->apicbase: 0);
+    trace_cpu_get_apic_base(s ? (uint64_t)s->apicbase: 0);
+
     return s ? s->apicbase : 0;
 }
 
@@ -402,20 +387,23 @@ static void apic_update_irq(APICState *s)
 
 void apic_reset_irq_delivered(void)
 {
-    DPRINTF_C("%s: old coalescing %d\n", __func__, apic_irq_delivered);
+    trace_apic_reset_irq_delivered(apic_irq_delivered);
+
     apic_irq_delivered = 0;
 }
 
 int apic_get_irq_delivered(void)
 {
-    DPRINTF_C("%s: returning coalescing %d\n", __func__, apic_irq_delivered);
+    trace_apic_get_irq_delivered(apic_irq_delivered);
+
     return apic_irq_delivered;
 }
 
 static void apic_set_irq(APICState *s, int vector_num, int trigger_mode)
 {
     apic_irq_delivered += !get_bit(s->irr, vector_num);
-    DPRINTF_C("%s: coalescing %d\n", __func__, apic_irq_delivered);
+
+    trace_apic_set_irq(apic_irq_delivered);
 
     set_bit(s->irr, vector_num);
     if (trigger_mode)
@@ -769,7 +757,7 @@ static uint32_t apic_mem_readl(void *opaque, target_phys_addr_t addr)
         val = 0;
         break;
     }
-    DPRINTF("read: " TARGET_FMT_plx " = %08x\n", addr, val);
+    trace_apic_mem_readl(addr, val);
     return val;
 }
 
@@ -805,7 +793,7 @@ static void apic_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
     }
     s = DO_UPCAST(APICState, busdev.qdev, d);
 
-    DPRINTF("write: " TARGET_FMT_plx " = %08x\n", addr, val);
+    trace_apic_mem_writel(addr, val);
 
     switch(index) {
     case 0x02:
diff --git a/trace-events b/trace-events
index 4300178..ed2055e 100644
--- a/trace-events
+++ b/trace-events
@@ -69,3 +69,15 @@ disable cpu_out(unsigned int addr, unsigned int val) "addr %#x value %u"
 # balloon.c
 # Since requests are raised via monitor, not many tracepoints are needed.
 disable balloon_event(void *opaque, unsigned long addr) "opaque %p addr %lu"
+
+# hw/apic.c
+disable apic_local_deliver(int vector, uint32_t lvt) "vector %d delivery mode %d"
+disable apic_deliver_irq(uint8_t dest, uint8_t dest_mode, uint8_t delivery_mode, uint8_t vector_num, uint8_t polarity, uint8_t trigger_mode) "dest %d dest_mode %d delivery_mode %d vector %d polarity %d trigger_mode %d"
+disable cpu_set_apic_base(uint64_t val) "%016"PRIx64""
+disable cpu_get_apic_base(uint64_t val) "%016"PRIx64""
+disable apic_mem_readl(uint64_t addr, uint32_t val)  "%"PRIx64" = %08x"
+disable apic_mem_writel(uint64_t addr, uint32_t val) "%"PRIx64" = %08x"
+# coalescing
+disable apic_reset_irq_delivered(int apic_irq_delivered) "old coalescing %d"
+disable apic_get_irq_delivered(int apic_irq_delivered) "returning coalescing %d"
+disable apic_set_irq(int apic_irq_delivered) "coalescing %d"
commit 6df40080b00ecd004466714c25cb762056036c56
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Oct 18 13:42:54 2010 +0100

    trace: Relax trace-events parsing regex in simpletrace.py
    
    The regular expression to parse trace event definitions assumed the
    format string would be a simple double-quoted string.  However, we now
    use PRI?64 for portability which splits string literals.  The regular
    expression can disregard the format string entirely since simpletrace.py
    never needs to use it.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/simpletrace.py b/simpletrace.py
index c2cf168..553a727 100755
--- a/simpletrace.py
+++ b/simpletrace.py
@@ -19,7 +19,7 @@ header_version  = 0
 
 trace_fmt = '=QQQQQQQQ'
 trace_len = struct.calcsize(trace_fmt)
-event_re  = re.compile(r'(disable\s+)?([a-zA-Z0-9_]+)\(([^)]*)\)\s+"([^"]*)"')
+event_re  = re.compile(r'(disable\s+)?([a-zA-Z0-9_]+)\(([^)]*)\).*')
 
 def err(msg):
     sys.stderr.write(msg + '\n')
@@ -39,7 +39,7 @@ def parse_events(fobj):
         if m is None:
             continue
 
-        disable, name, args, fmt = m.groups()
+        disable, name, args = m.groups()
         events[event_num] = (name,) + get_argnames(args)
         event_num += 1
     return events
commit 48ebf2f90f8fba8c03c0bfdb3bd4fe1e8fd5d61b
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Oct 20 17:18:55 2010 +0900

    x3130: pcie downstream port
    
    Implement TI x3130 pcie downstream port switch.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index b1ef2bb..138e545 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -140,7 +140,7 @@ hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-y += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
-hw-obj-y += ioh3420.o xio3130_upstream.o
+hw-obj-y += ioh3420.o xio3130_upstream.o xio3130_downstream.o
 hw-obj-y += watchdog.o
 hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
 hw-obj-$(CONFIG_ECC) += ecc.o
diff --git a/hw/xio3130_downstream.c b/hw/xio3130_downstream.c
new file mode 100644
index 0000000..a44e188
--- /dev/null
+++ b/hw/xio3130_downstream.c
@@ -0,0 +1,190 @@
+/*
+ * x3130_downstream.c
+ * TI X3130 pci express downstream port switch
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "pci_ids.h"
+#include "msi.h"
+#include "pcie.h"
+#include "xio3130_downstream.h"
+
+#define PCI_DEVICE_ID_TI_XIO3130D       0x8233  /* downstream port */
+#define XIO3130_REVISION                0x1
+#define XIO3130_MSI_OFFSET              0x70
+#define XIO3130_MSI_SUPPORTED_FLAGS     PCI_MSI_FLAGS_64BIT
+#define XIO3130_MSI_NR_VECTOR           1
+#define XIO3130_SSVID_OFFSET            0x80
+#define XIO3130_SSVID_SVID              0
+#define XIO3130_SSVID_SSID              0
+#define XIO3130_EXP_OFFSET              0x90
+#define XIO3130_AER_OFFSET              0x100
+
+static void xio3130_downstream_write_config(PCIDevice *d, uint32_t address,
+                                         uint32_t val, int len)
+{
+    uint16_t sltctl =
+        pci_get_word(d->config + d->exp.exp_cap + PCI_EXP_SLTCTL);
+
+    pci_bridge_write_config(d, address, val, len);
+    pcie_cap_flr_write_config(d, address, val, len);
+    pcie_cap_slot_write_config(d, address, val, len, sltctl);
+    msi_write_config(d, address, val, len);
+    /* TODO: AER */
+}
+
+static void xio3130_downstream_reset(DeviceState *qdev)
+{
+    PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
+    msi_reset(d);
+    pcie_cap_deverr_reset(d);
+    pcie_cap_slot_reset(d);
+    pcie_cap_ari_reset(d);
+    pci_bridge_reset(qdev);
+}
+
+static int xio3130_downstream_initfn(PCIDevice *d)
+{
+    PCIBridge* br = DO_UPCAST(PCIBridge, dev, d);
+    PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
+    PCIESlot *s = DO_UPCAST(PCIESlot, port, p);
+    int rc;
+
+    rc = pci_bridge_initfn(d);
+    if (rc < 0) {
+        return rc;
+    }
+
+    pcie_port_init_reg(d);
+    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_TI);
+    pci_config_set_device_id(d->config, PCI_DEVICE_ID_TI_XIO3130D);
+    d->config[PCI_REVISION_ID] = XIO3130_REVISION;
+
+    rc = msi_init(d, XIO3130_MSI_OFFSET, XIO3130_MSI_NR_VECTOR,
+                  XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_64BIT,
+                  XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_MASKBIT);
+    if (rc < 0) {
+        return rc;
+    }
+    rc = pci_bridge_ssvid_init(d, XIO3130_SSVID_OFFSET,
+                               XIO3130_SSVID_SVID, XIO3130_SSVID_SSID);
+    if (rc < 0) {
+        return rc;
+    }
+    rc = pcie_cap_init(d, XIO3130_EXP_OFFSET, PCI_EXP_TYPE_DOWNSTREAM,
+                       p->port);
+    if (rc < 0) {
+        return rc;
+    }
+    pcie_cap_flr_init(d);       /* TODO: implement FLR */
+    pcie_cap_deverr_init(d);
+    pcie_cap_slot_init(d, s->slot);
+    pcie_chassis_create(s->chassis);
+    rc = pcie_chassis_add_slot(s);
+    if (rc < 0) {
+        return rc;
+    }
+    pcie_cap_ari_init(d);
+    /* TODO: AER */
+
+    return 0;
+}
+
+static int xio3130_downstream_exitfn(PCIDevice *d)
+{
+    /* TODO: AER */
+    msi_uninit(d);
+    pcie_cap_exit(d);
+    return pci_bridge_exitfn(d);
+}
+
+PCIESlot *xio3130_downstream_init(PCIBus *bus, int devfn, bool multifunction,
+                                  const char *bus_name, pci_map_irq_fn map_irq,
+                                  uint8_t port, uint8_t chassis,
+                                  uint16_t slot)
+{
+    PCIDevice *d;
+    PCIBridge *br;
+    DeviceState *qdev;
+
+    d = pci_create_multifunction(bus, devfn, multifunction,
+                                 "xio3130-downstream");
+    if (!d) {
+        return NULL;
+    }
+    br = DO_UPCAST(PCIBridge, dev, d);
+
+    qdev = &br->dev.qdev;
+    pci_bridge_map_irq(br, bus_name, map_irq);
+    qdev_prop_set_uint8(qdev, "port", port);
+    qdev_prop_set_uint8(qdev, "chassis", chassis);
+    qdev_prop_set_uint16(qdev, "slot", slot);
+    qdev_init_nofail(qdev);
+
+    return DO_UPCAST(PCIESlot, port, DO_UPCAST(PCIEPort, br, br));
+}
+
+static const VMStateDescription vmstate_xio3130_downstream = {
+    .name = "xio3130-express-downstream-port",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_PCIE_DEVICE(port.br.dev, PCIESlot),
+        /* TODO: AER */
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static PCIDeviceInfo xio3130_downstream_info = {
+    .qdev.name = "xio3130-downstream",
+    .qdev.desc = "TI X3130 Downstream Port of PCI Express Switch",
+    .qdev.size = sizeof(PCIESlot),
+    .qdev.reset = xio3130_downstream_reset,
+    .qdev.vmsd = &vmstate_xio3130_downstream,
+
+    .is_express = 1,
+    .is_bridge = 1,
+    .config_write = xio3130_downstream_write_config,
+    .init = xio3130_downstream_initfn,
+    .exit = xio3130_downstream_exitfn,
+
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT8("port", PCIESlot, port.port, 0),
+        DEFINE_PROP_UINT8("chassis", PCIESlot, chassis, 0),
+        DEFINE_PROP_UINT16("slot", PCIESlot, slot, 0),
+        /* TODO: AER */
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void xio3130_downstream_register(void)
+{
+    pci_qdev_register(&xio3130_downstream_info);
+}
+
+device_init(xio3130_downstream_register);
+
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: 8
+ *  indent-tab-mode: nil
+ * End:
+ */
diff --git a/hw/xio3130_downstream.h b/hw/xio3130_downstream.h
new file mode 100644
index 0000000..010487f
--- /dev/null
+++ b/hw/xio3130_downstream.h
@@ -0,0 +1,11 @@
+#ifndef QEMU_XIO3130_DOWNSTREAM_H
+#define QEMU_XIO3130_DOWNSTREAM_H
+
+#include "pcie_port.h"
+
+PCIESlot *xio3130_downstream_init(PCIBus *bus, int devfn, bool multifunction,
+                                  const char *bus_name, pci_map_irq_fn map_irq,
+                                  uint8_t port, uint8_t chassis,
+                                  uint16_t slot);
+
+#endif /* QEMU_XIO3130_DOWNSTREAM_H */
commit faf1e708d5b432757d88b7229fc3b5f2e71cfb2e
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Oct 20 17:18:54 2010 +0900

    x3130: pcie upstream port
    
    Implement TI x3130 pcie upstream port switch.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 3a05322..b1ef2bb 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -140,7 +140,7 @@ hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-y += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
-hw-obj-y += ioh3420.o
+hw-obj-y += ioh3420.o xio3130_upstream.o
 hw-obj-y += watchdog.o
 hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
 hw-obj-$(CONFIG_ECC) += ecc.o
diff --git a/hw/xio3130_upstream.c b/hw/xio3130_upstream.c
new file mode 100644
index 0000000..d9d637f
--- /dev/null
+++ b/hw/xio3130_upstream.c
@@ -0,0 +1,174 @@
+/*
+ * xio3130_upstream.c
+ * TI X3130 pci express upstream port switch
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "pci_ids.h"
+#include "msi.h"
+#include "pcie.h"
+#include "xio3130_upstream.h"
+
+#define PCI_DEVICE_ID_TI_XIO3130U       0x8232  /* upstream port */
+#define XIO3130_REVISION                0x2
+#define XIO3130_MSI_OFFSET              0x70
+#define XIO3130_MSI_SUPPORTED_FLAGS     PCI_MSI_FLAGS_64BIT
+#define XIO3130_MSI_NR_VECTOR           1
+#define XIO3130_SSVID_OFFSET            0x80
+#define XIO3130_SSVID_SVID              0
+#define XIO3130_SSVID_SSID              0
+#define XIO3130_EXP_OFFSET              0x90
+#define XIO3130_AER_OFFSET              0x100
+
+static void xio3130_upstream_write_config(PCIDevice *d, uint32_t address,
+                                          uint32_t val, int len)
+{
+    pci_bridge_write_config(d, address, val, len);
+    pcie_cap_flr_write_config(d, address, val, len);
+    msi_write_config(d, address, val, len);
+    /* TODO: AER */
+}
+
+static void xio3130_upstream_reset(DeviceState *qdev)
+{
+    PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
+    msi_reset(d);
+    pci_bridge_reset(qdev);
+    pcie_cap_deverr_reset(d);
+}
+
+static int xio3130_upstream_initfn(PCIDevice *d)
+{
+    PCIBridge* br = DO_UPCAST(PCIBridge, dev, d);
+    PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
+    int rc;
+
+    rc = pci_bridge_initfn(d);
+    if (rc < 0) {
+        return rc;
+    }
+
+    pcie_port_init_reg(d);
+    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_TI);
+    pci_config_set_device_id(d->config, PCI_DEVICE_ID_TI_XIO3130U);
+    d->config[PCI_REVISION_ID] = XIO3130_REVISION;
+
+    rc = msi_init(d, XIO3130_MSI_OFFSET, XIO3130_MSI_NR_VECTOR,
+                  XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_64BIT,
+                  XIO3130_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_MASKBIT);
+    if (rc < 0) {
+        return rc;
+    }
+    rc = pci_bridge_ssvid_init(d, XIO3130_SSVID_OFFSET,
+                               XIO3130_SSVID_SVID, XIO3130_SSVID_SSID);
+    if (rc < 0) {
+        return rc;
+    }
+    rc = pcie_cap_init(d, XIO3130_EXP_OFFSET, PCI_EXP_TYPE_UPSTREAM,
+                       p->port);
+    if (rc < 0) {
+        return rc;
+    }
+
+    /* TODO: implement FLR */
+    pcie_cap_flr_init(d);
+
+    pcie_cap_deverr_init(d);
+    /* TODO: AER */
+
+    return 0;
+}
+
+static int xio3130_upstream_exitfn(PCIDevice *d)
+{
+    /* TODO: AER */
+    msi_uninit(d);
+    pcie_cap_exit(d);
+    return pci_bridge_exitfn(d);
+}
+
+PCIEPort *xio3130_upstream_init(PCIBus *bus, int devfn, bool multifunction,
+                             const char *bus_name, pci_map_irq_fn map_irq,
+                             uint8_t port)
+{
+    PCIDevice *d;
+    PCIBridge *br;
+    DeviceState *qdev;
+
+    d = pci_create_multifunction(bus, devfn, multifunction, "x3130-upstream");
+    if (!d) {
+        return NULL;
+    }
+    br = DO_UPCAST(PCIBridge, dev, d);
+
+    qdev = &br->dev.qdev;
+    pci_bridge_map_irq(br, bus_name, map_irq);
+    qdev_prop_set_uint8(qdev, "port", port);
+    qdev_init_nofail(qdev);
+
+    return DO_UPCAST(PCIEPort, br, br);
+}
+
+static const VMStateDescription vmstate_xio3130_upstream = {
+    .name = "xio3130-express-upstream-port",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_PCIE_DEVICE(br.dev, PCIEPort),
+        /* TODO: AER */
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static PCIDeviceInfo xio3130_upstream_info = {
+    .qdev.name = "x3130-upstream",
+    .qdev.desc = "TI X3130 Upstream Port of PCI Express Switch",
+    .qdev.size = sizeof(PCIEPort),
+    .qdev.reset = xio3130_upstream_reset,
+    .qdev.vmsd = &vmstate_xio3130_upstream,
+
+    .is_express = 1,
+    .is_bridge = 1,
+    .config_write = xio3130_upstream_write_config,
+    .init = xio3130_upstream_initfn,
+    .exit = xio3130_upstream_exitfn,
+
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT8("port", PCIEPort, port, 0),
+        /* TODO: AER */
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void xio3130_upstream_register(void)
+{
+    pci_qdev_register(&xio3130_upstream_info);
+}
+
+device_init(xio3130_upstream_register);
+
+
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: 8
+ *  indent-tab-mode: nil
+ * End:
+ */
diff --git a/hw/xio3130_upstream.h b/hw/xio3130_upstream.h
new file mode 100644
index 0000000..e996997
--- /dev/null
+++ b/hw/xio3130_upstream.h
@@ -0,0 +1,10 @@
+#ifndef QEMU_XIO3130_UPSTREAM_H
+#define QEMU_XIO3130_UPSTREAM_H
+
+#include "pcie_port.h"
+
+PCIEPort *xio3130_upstream_init(PCIBus *bus, int devfn, bool multifunction,
+                                const char *bus_name, pci_map_irq_fn map_irq,
+                                uint8_t port);
+
+#endif /* QEMU_XIO3130_H */
commit 8135aeed0f0b370a7978d06a49de20f50181e7b9
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Oct 20 17:18:53 2010 +0900

    ioh3420: pcie root port in X58 ioh
    
    Implements pcie root port switch in intel X58 ioh
    whose device id is 0x3420.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index c73d12b..3a05322 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -140,6 +140,7 @@ hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-y += virtio.o virtio-console.o
 hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
+hw-obj-y += ioh3420.o
 hw-obj-y += watchdog.o
 hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
 hw-obj-$(CONFIG_ECC) += ecc.o
diff --git a/hw/ioh3420.c b/hw/ioh3420.c
new file mode 100644
index 0000000..1f340d3
--- /dev/null
+++ b/hw/ioh3420.c
@@ -0,0 +1,188 @@
+/*
+ * ioh3420.c
+ * Intel X58 north bridge IOH
+ * PCI Express root port device id 3420
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "pci_ids.h"
+#include "msi.h"
+#include "pcie.h"
+#include "ioh3420.h"
+
+#define PCI_DEVICE_ID_IOH_EPORT         0x3420  /* D0:F0 express mode */
+#define PCI_DEVICE_ID_IOH_REV           0x2
+#define IOH_EP_SSVID_OFFSET             0x40
+#define IOH_EP_SSVID_SVID               PCI_VENDOR_ID_INTEL
+#define IOH_EP_SSVID_SSID               0
+#define IOH_EP_MSI_OFFSET               0x60
+#define IOH_EP_MSI_SUPPORTED_FLAGS      PCI_MSI_FLAGS_MASKBIT
+#define IOH_EP_MSI_NR_VECTOR            2
+#define IOH_EP_EXP_OFFSET               0x90
+#define IOH_EP_AER_OFFSET               0x100
+
+static void ioh3420_write_config(PCIDevice *d,
+                                   uint32_t address, uint32_t val, int len)
+{
+    uint16_t sltctl =
+        pci_get_word(d->config + d->exp.exp_cap + PCI_EXP_SLTCTL);
+
+    pci_bridge_write_config(d, address, val, len);
+    msi_write_config(d, address, val, len);
+    pcie_cap_slot_write_config(d, address, val, len, sltctl);
+    /* TODO: AER */
+}
+
+static void ioh3420_reset(DeviceState *qdev)
+{
+    PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
+    msi_reset(d);
+    pcie_cap_root_reset(d);
+    pcie_cap_deverr_reset(d);
+    pcie_cap_slot_reset(d);
+    pci_bridge_reset(qdev);
+    pci_bridge_disable_base_limit(d);
+    /* TODO: AER */
+}
+
+static int ioh3420_initfn(PCIDevice *d)
+{
+    PCIBridge* br = DO_UPCAST(PCIBridge, dev, d);
+    PCIEPort *p = DO_UPCAST(PCIEPort, br, br);
+    PCIESlot *s = DO_UPCAST(PCIESlot, port, p);
+    int rc;
+
+    rc = pci_bridge_initfn(d);
+    if (rc < 0) {
+        return rc;
+    }
+
+    d->config[PCI_REVISION_ID] = PCI_DEVICE_ID_IOH_REV;
+    pcie_port_init_reg(d);
+
+    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_INTEL);
+    pci_config_set_device_id(d->config, PCI_DEVICE_ID_IOH_EPORT);
+
+    rc = pci_bridge_ssvid_init(d, IOH_EP_SSVID_OFFSET,
+                               IOH_EP_SSVID_SVID, IOH_EP_SSVID_SSID);
+    if (rc < 0) {
+        return rc;
+    }
+    rc = msi_init(d, IOH_EP_MSI_OFFSET, IOH_EP_MSI_NR_VECTOR,
+                  IOH_EP_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_64BIT,
+                  IOH_EP_MSI_SUPPORTED_FLAGS & PCI_MSI_FLAGS_MASKBIT);
+    if (rc < 0) {
+        return rc;
+    }
+    rc = pcie_cap_init(d, IOH_EP_EXP_OFFSET, PCI_EXP_TYPE_ROOT_PORT, p->port);
+    if (rc < 0) {
+        return rc;
+    }
+    pcie_cap_deverr_init(d);
+    pcie_cap_slot_init(d, s->slot);
+    pcie_chassis_create(s->chassis);
+    rc = pcie_chassis_add_slot(s);
+    if (rc < 0) {
+        return rc;
+    }
+    pcie_cap_root_init(d);
+    /* TODO: AER */
+    return 0;
+}
+
+static int ioh3420_exitfn(PCIDevice *d)
+{
+    /* TODO: AER */
+    msi_uninit(d);
+    pcie_cap_exit(d);
+    return pci_bridge_exitfn(d);
+}
+
+PCIESlot *ioh3420_init(PCIBus *bus, int devfn, bool multifunction,
+                         const char *bus_name, pci_map_irq_fn map_irq,
+                         uint8_t port, uint8_t chassis, uint16_t slot)
+{
+    PCIDevice *d;
+    PCIBridge *br;
+    DeviceState *qdev;
+
+    d = pci_create_multifunction(bus, devfn, multifunction, "ioh3420");
+    if (!d) {
+        return NULL;
+    }
+    br = DO_UPCAST(PCIBridge, dev, d);
+
+    qdev = &br->dev.qdev;
+    pci_bridge_map_irq(br, bus_name, map_irq);
+    qdev_prop_set_uint8(qdev, "port", port);
+    qdev_prop_set_uint8(qdev, "chassis", chassis);
+    qdev_prop_set_uint16(qdev, "slot", slot);
+    qdev_init_nofail(qdev);
+
+    return DO_UPCAST(PCIESlot, port, DO_UPCAST(PCIEPort, br, br));
+}
+
+static const VMStateDescription vmstate_ioh3420 = {
+    .name = "ioh-3240-express-root-port",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_PCIE_DEVICE(port.br.dev, PCIESlot),
+        /* TODO: AER */
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static PCIDeviceInfo ioh3420_info = {
+    .qdev.name = "ioh3420",
+    .qdev.desc = "Intel IOH device id 3420 PCIE Root Port",
+    .qdev.size = sizeof(PCIESlot),
+    .qdev.reset = ioh3420_reset,
+    .qdev.vmsd = &vmstate_ioh3420,
+
+    .is_express = 1,
+    .is_bridge = 1,
+    .config_write = ioh3420_write_config,
+    .init = ioh3420_initfn,
+    .exit = ioh3420_exitfn,
+
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT8("port", PCIESlot, port.port, 0),
+        DEFINE_PROP_UINT8("chassis", PCIESlot, chassis, 0),
+        DEFINE_PROP_UINT16("slot", PCIESlot, slot, 0),
+        /* TODO: AER */
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void ioh3420_register(void)
+{
+    pci_qdev_register(&ioh3420_info);
+}
+
+device_init(ioh3420_register);
+
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: 8
+ *  indent-tab-mode: nil
+ * End:
+ */
diff --git a/hw/ioh3420.h b/hw/ioh3420.h
new file mode 100644
index 0000000..68c523a
--- /dev/null
+++ b/hw/ioh3420.h
@@ -0,0 +1,10 @@
+#ifndef QEMU_IOH3420_H
+#define QEMU_IOH3420_H
+
+#include "pcie_port.h"
+
+PCIESlot *ioh3420_init(PCIBus *bus, int devfn, bool multifunction,
+                       const char *bus_name, pci_map_irq_fn map_irq,
+                       uint8_t port, uint8_t chassis, uint16_t slot);
+
+#endif /* QEMU_IOH3420_H */
commit bc20ba98b1a04c9e60de10f2a5626af2c528422b
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Oct 20 17:18:52 2010 +0900

    pcie port: define struct PCIEPort/PCIESlot and helper functions
    
    define struct PCIEPort which represents common part
    of pci express port.(root, upstream and downstream.)
    add a helper function for pcie port which can be used commonly by
    root/upstream/downstream port.
    define struct PCIESlot which represents common part of
    pcie slot.(root and downstream.) and helper functions for it.
    helper functions for chassis, slot -> PCIESlot conversion.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index eeb5134..c73d12b 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -186,7 +186,7 @@ hw-obj-$(CONFIG_PIIX4) += piix4.o
 # PCI watchdog devices
 hw-obj-y += wdt_i6300esb.o
 
-hw-obj-y += pcie.o
+hw-obj-y += pcie.o pcie_port.o
 hw-obj-y += msix.o msi.o
 
 # PCI network cards
diff --git a/hw/pcie_port.c b/hw/pcie_port.c
new file mode 100644
index 0000000..117de61
--- /dev/null
+++ b/hw/pcie_port.c
@@ -0,0 +1,116 @@
+/*
+ * pcie_port.c
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "pcie_port.h"
+
+void pcie_port_init_reg(PCIDevice *d)
+{
+    /* Unlike pci bridge,
+       66MHz and fast back to back don't apply to pci express port. */
+    pci_set_word(d->config + PCI_STATUS, 0);
+    pci_set_word(d->config + PCI_SEC_STATUS, 0);
+
+    /* 7.5.3.5 Prefetchable Memory Base Limit
+     * The Prefetchable Memory Base and Prefetchable Memory Limit registers
+     * must indicate that 64-bit addresses are supported, as defined in
+     * PCI-to-PCI Bridge Architecture Specification, Revision 1.2.
+     */
+    pci_word_test_and_set_mask(d->config + PCI_PREF_MEMORY_BASE,
+                               PCI_PREF_RANGE_TYPE_64);
+    pci_word_test_and_set_mask(d->config + PCI_PREF_MEMORY_LIMIT,
+                               PCI_PREF_RANGE_TYPE_64);
+}
+
+/**************************************************************************
+ * (chassis number, pcie physical slot number) -> pcie slot conversion
+ */
+struct PCIEChassis {
+    uint8_t     number;
+
+    QLIST_HEAD(, PCIESlot) slots;
+    QLIST_ENTRY(PCIEChassis) next;
+};
+
+static QLIST_HEAD(, PCIEChassis) chassis = QLIST_HEAD_INITIALIZER(chassis);
+
+static struct PCIEChassis *pcie_chassis_find(uint8_t chassis_number)
+{
+    struct PCIEChassis *c;
+    QLIST_FOREACH(c, &chassis, next) {
+        if (c->number == chassis_number) {
+            break;
+        }
+    }
+    return c;
+}
+
+void pcie_chassis_create(uint8_t chassis_number)
+{
+    struct PCIEChassis *c;
+    c = pcie_chassis_find(chassis_number);
+    if (c) {
+        return;
+    }
+    c = qemu_mallocz(sizeof(*c));
+    c->number = chassis_number;
+    QLIST_INIT(&c->slots);
+    QLIST_INSERT_HEAD(&chassis, c, next);
+}
+
+static PCIESlot *pcie_chassis_find_slot_with_chassis(struct PCIEChassis *c,
+                                                     uint8_t slot)
+{
+    PCIESlot *s;
+    QLIST_FOREACH(s, &c->slots, next) {
+        if (s->slot == slot) {
+            break;
+        }
+    }
+    return s;
+}
+
+PCIESlot *pcie_chassis_find_slot(uint8_t chassis_number, uint16_t slot)
+{
+    struct PCIEChassis *c;
+    c = pcie_chassis_find(chassis_number);
+    if (!c) {
+        return NULL;
+    }
+    return pcie_chassis_find_slot_with_chassis(c, slot);
+}
+
+int pcie_chassis_add_slot(struct PCIESlot *slot)
+{
+    struct PCIEChassis *c;
+    c = pcie_chassis_find(slot->chassis);
+    if (!c) {
+        return -ENODEV;
+    }
+    if (pcie_chassis_find_slot_with_chassis(c, slot->slot)) {
+        return -EBUSY;
+    }
+    QLIST_INSERT_HEAD(&c->slots, slot, next);
+    return 0;
+}
+
+void pcie_chassis_del_slot(PCIESlot *s)
+{
+    QLIST_REMOVE(s, next);
+}
diff --git a/hw/pcie_port.h b/hw/pcie_port.h
new file mode 100644
index 0000000..3709583
--- /dev/null
+++ b/hw/pcie_port.h
@@ -0,0 +1,51 @@
+/*
+ * pcie_port.h
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef QEMU_PCIE_PORT_H
+#define QEMU_PCIE_PORT_H
+
+#include "pci_bridge.h"
+#include "pci_internals.h"
+
+struct PCIEPort {
+    PCIBridge   br;
+
+    /* pci express switch port */
+    uint8_t     port;
+};
+
+void pcie_port_init_reg(PCIDevice *d);
+
+struct PCIESlot {
+    PCIEPort    port;
+
+    /* pci express switch port with slot */
+    uint8_t     chassis;
+    uint16_t    slot;
+    QLIST_ENTRY(PCIESlot) next;
+};
+
+void pcie_chassis_create(uint8_t chassis_number);
+void pcie_main_chassis_create(void);
+PCIESlot *pcie_chassis_find_slot(uint8_t chassis, uint16_t slot);
+int pcie_chassis_add_slot(struct PCIESlot *slot);
+void pcie_chassis_del_slot(PCIESlot *s);
+
+#endif /* QEMU_PCIE_PORT_H */
diff --git a/qemu-common.h b/qemu-common.h
index 6d9ee26..b97b16e 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -221,6 +221,8 @@ typedef struct PCIBus PCIBus;
 typedef struct PCIDevice PCIDevice;
 typedef struct PCIExpressDevice PCIExpressDevice;
 typedef struct PCIBridge PCIBridge;
+typedef struct PCIEPort PCIEPort;
+typedef struct PCIESlot PCIESlot;
 typedef struct SerialState SerialState;
 typedef struct IRQState *qemu_irq;
 typedef struct PCMCIACardState PCMCIACardState;
commit 0208def1cadd4f72f862e62548c2af268a543b20
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Oct 20 17:18:51 2010 +0900

    pci/bridge: fix pci_bridge_reset()
    
    The lower bits of base/limit registers is RO and shouldn't be zero
    cleared on reset. This patch fixes it.
    In fact, the default value of base/limit registers aren't specified
    in the spec. And some bridges disable forwarding on reset instead of
    zeroing base/limit registers.
    So introduce one function to disable bridge forwarding so that
    such bridges can use it. It will be used later.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 638e3b3..7e8488a 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -151,6 +151,26 @@ void pci_bridge_write_config(PCIDevice *d,
     }
 }
 
+void pci_bridge_disable_base_limit(PCIDevice *dev)
+{
+    uint8_t *conf = dev->config;
+
+    pci_byte_test_and_set_mask(conf + PCI_IO_BASE,
+                               PCI_IO_RANGE_MASK & 0xff);
+    pci_byte_test_and_clear_mask(conf + PCI_IO_LIMIT,
+                                 PCI_IO_RANGE_MASK & 0xff);
+    pci_word_test_and_set_mask(conf + PCI_MEMORY_BASE,
+                               PCI_MEMORY_RANGE_MASK & 0xffff);
+    pci_word_test_and_clear_mask(conf + PCI_MEMORY_LIMIT,
+                                 PCI_MEMORY_RANGE_MASK & 0xffff);
+    pci_word_test_and_set_mask(conf + PCI_PREF_MEMORY_BASE,
+                               PCI_PREF_RANGE_MASK & 0xffff);
+    pci_word_test_and_clear_mask(conf + PCI_PREF_MEMORY_LIMIT,
+                                 PCI_PREF_RANGE_MASK & 0xffff);
+    pci_set_word(conf + PCI_PREF_BASE_UPPER32, 0);
+    pci_set_word(conf + PCI_PREF_LIMIT_UPPER32, 0);
+}
+
 /* reset bridge specific configuration registers */
 void pci_bridge_reset_reg(PCIDevice *dev)
 {
@@ -161,12 +181,28 @@ void pci_bridge_reset_reg(PCIDevice *dev)
     conf[PCI_SUBORDINATE_BUS] = 0;
     conf[PCI_SEC_LATENCY_TIMER] = 0;
 
-    conf[PCI_IO_BASE] = 0;
-    conf[PCI_IO_LIMIT] = 0;
-    pci_set_word(conf + PCI_MEMORY_BASE, 0);
-    pci_set_word(conf + PCI_MEMORY_LIMIT, 0);
-    pci_set_word(conf + PCI_PREF_MEMORY_BASE, 0);
-    pci_set_word(conf + PCI_PREF_MEMORY_LIMIT, 0);
+    /*
+     * the default values for base/limit registers aren't specified
+     * in the PCI-to-PCI-bridge spec. So we don't thouch them here.
+     * Each implementation can override it.
+     * typical implementation does
+     * zero base/limit registers or
+     * disable forwarding: pci_bridge_disable_base_limit()
+     * If disable forwarding is wanted, call pci_bridge_disable_base_limit()
+     * after this function.
+     */
+    pci_byte_test_and_clear_mask(conf + PCI_IO_BASE,
+                                 PCI_IO_RANGE_MASK & 0xff);
+    pci_byte_test_and_clear_mask(conf + PCI_IO_LIMIT,
+                                 PCI_IO_RANGE_MASK & 0xff);
+    pci_word_test_and_clear_mask(conf + PCI_MEMORY_BASE,
+                                 PCI_MEMORY_RANGE_MASK & 0xffff);
+    pci_word_test_and_clear_mask(conf + PCI_MEMORY_LIMIT,
+                                 PCI_MEMORY_RANGE_MASK & 0xffff);
+    pci_word_test_and_clear_mask(conf + PCI_PREF_MEMORY_BASE,
+                                 PCI_PREF_RANGE_MASK & 0xffff);
+    pci_word_test_and_clear_mask(conf + PCI_PREF_MEMORY_LIMIT,
+                                 PCI_PREF_RANGE_MASK & 0xffff);
     pci_set_word(conf + PCI_PREF_BASE_UPPER32, 0);
     pci_set_word(conf + PCI_PREF_LIMIT_UPPER32, 0);
 
diff --git a/hw/pci_bridge.h b/hw/pci_bridge.h
index f6fade0..84411a6 100644
--- a/hw/pci_bridge.h
+++ b/hw/pci_bridge.h
@@ -39,6 +39,7 @@ pcibus_t pci_bridge_get_limit(const PCIDevice *bridge, uint8_t type);
 
 void pci_bridge_write_config(PCIDevice *d,
                              uint32_t address, uint32_t val, int len);
+void pci_bridge_disable_base_limit(PCIDevice *dev);
 void pci_bridge_reset_reg(PCIDevice *dev);
 void pci_bridge_reset(DeviceState *qdev);
 
commit 6da6d29fa63ab7adcc2959355497a44654f3703e
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Oct 20 17:18:50 2010 +0900

    pcie: comment on hpev_intx
    
    document hpev_intx.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie.h b/hw/pcie.h
index 68327d8..2871e27 100644
--- a/hw/pcie.h
+++ b/hw/pcie.h
@@ -65,7 +65,15 @@ struct PCIExpressDevice {
     /* TODO FLR */
 
     /* SLOT */
-    unsigned int hpev_intx;     /* INTx for hot plug event */
+    unsigned int hpev_intx;     /* INTx for hot plug event (0-3:INT[A-D]#)
+                                 * default is 0 = INTA#
+                                 * If the chip wants to use other interrupt
+                                 * line, initialize this member with the
+                                 * desired number.
+                                 * If the chip dynamically changes this member,
+                                 * also initialize it when loaded as
+                                 * appropreately.
+                                 */
 };
 
 /* PCI express capability helper functions */
commit 10d3a1449b042de7a18291e2bc27ff4d7dea97eb
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 12:05:50 2010 -0200

    qemu-kvm: drop kvm-tpr-opt BIOS region hack
    
    Commit c2333d898b52 changed kvm-tpr-opt.c to use
    cpu_physical_memory_write_rom for BIOS patching.
    
    BIOS map at 0xf0000 can now be registered as IO_MEM_ROM.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/pc.c b/hw/pc.c
index 9c08573..b624873 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -956,10 +956,9 @@ void pc_memory_init(ram_addr_t ram_size,
         isa_bios_size = 128 * 1024;
     cpu_register_physical_memory(0xd0000, (192 * 1024) - isa_bios_size,
                                  IO_MEM_UNASSIGNED);
-    /* kvm tpr optimization needs the bios accessible for write, at least to qemu itself */
     cpu_register_physical_memory(0x100000 - isa_bios_size,
                                  isa_bios_size,
-                                 (bios_offset + bios_size - isa_bios_size) /* | IO_MEM_ROM */);
+                                 (bios_offset + bios_size - isa_bios_size) | IO_MEM_ROM);
 
     if (extboot_drive) {
         option_rom[nb_option_roms++] = qemu_strdup(EXTBOOT_FILENAME);
commit 0428527c621c3edfd258b4d34fc178ef5df41071
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Oct 19 18:06:34 2010 +0900

    pcie: helper functions for pcie capability and extended capability
    
    This patch implements helper functions for pci express capability
    and pci express extended capability allocation.
    NOTE: presence detection depends on pci_qdev_init() change.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 5f5a4c5..eeb5134 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -186,6 +186,7 @@ hw-obj-$(CONFIG_PIIX4) += piix4.o
 # PCI watchdog devices
 hw-obj-y += wdt_i6300esb.o
 
+hw-obj-y += pcie.o
 hw-obj-y += msix.o msi.o
 
 # PCI network cards
diff --git a/hw/pci.h b/hw/pci.h
index 9e2f27d..d6c522b 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -9,6 +9,8 @@
 /* PCI includes legacy ISA access.  */
 #include "isa.h"
 
+#include "pcie.h"
+
 /* PCI bus */
 
 #define PCI_DEVFN(slot, func)   ((((slot) & 0x1f) << 3) | ((func) & 0x07))
@@ -175,6 +177,9 @@ struct PCIDevice {
     /* Offset of MSI capability in config space */
     uint8_t msi_cap;
 
+    /* PCI Express */
+    PCIExpressDevice exp;
+
     /* Location of option rom */
     char *romfile;
     ram_addr_t rom_offset;
diff --git a/hw/pcie.c b/hw/pcie.c
new file mode 100644
index 0000000..53d1fce
--- /dev/null
+++ b/hw/pcie.c
@@ -0,0 +1,540 @@
+/*
+ * pcie.c
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sysemu.h"
+#include "pci_bridge.h"
+#include "pcie.h"
+#include "msix.h"
+#include "msi.h"
+#include "pci_internals.h"
+#include "pcie_regs.h"
+
+//#define DEBUG_PCIE
+#ifdef DEBUG_PCIE
+# define PCIE_DPRINTF(fmt, ...)                                         \
+    fprintf(stderr, "%s:%d " fmt, __func__, __LINE__, ## __VA_ARGS__)
+#else
+# define PCIE_DPRINTF(fmt, ...) do {} while (0)
+#endif
+#define PCIE_DEV_PRINTF(dev, fmt, ...)                                  \
+    PCIE_DPRINTF("%s:%x "fmt, (dev)->name, (dev)->devfn, ## __VA_ARGS__)
+
+
+/***************************************************************************
+ * pci express capability helper functions
+ */
+int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t type, uint8_t port)
+{
+    int pos;
+    uint8_t *exp_cap;
+
+    assert(pci_is_express(dev));
+
+    pos = pci_add_capability(dev, PCI_CAP_ID_EXP, offset,
+                                 PCI_EXP_VER2_SIZEOF);
+    if (pos < 0) {
+        return pos;
+    }
+    dev->exp.exp_cap = pos;
+    exp_cap = dev->config + pos;
+
+    /* capability register
+       interrupt message number defaults to 0 */
+    pci_set_word(exp_cap + PCI_EXP_FLAGS,
+                 ((type << PCI_EXP_FLAGS_TYPE_SHIFT) & PCI_EXP_FLAGS_TYPE) |
+                 PCI_EXP_FLAGS_VER2);
+
+    /* device capability register
+     * table 7-12:
+     * roll based error reporting bit must be set by all
+     * Functions conforming to the ECN, PCI Express Base
+     * Specification, Revision 1.1., or subsequent PCI Express Base
+     * Specification revisions.
+     */
+    pci_set_long(exp_cap + PCI_EXP_DEVCAP, PCI_EXP_DEVCAP_RBER);
+
+    pci_set_long(exp_cap + PCI_EXP_LNKCAP,
+                 (port << PCI_EXP_LNKCAP_PN_SHIFT) |
+                 PCI_EXP_LNKCAP_ASPMS_0S |
+                 PCI_EXP_LNK_MLW_1 |
+                 PCI_EXP_LNK_LS_25);
+
+    pci_set_word(exp_cap + PCI_EXP_LNKSTA,
+                 PCI_EXP_LNK_MLW_1 | PCI_EXP_LNK_LS_25);
+
+    pci_set_long(exp_cap + PCI_EXP_DEVCAP2,
+                 PCI_EXP_DEVCAP2_EFF | PCI_EXP_DEVCAP2_EETLPP);
+
+    pci_set_word(dev->wmask + pos, PCI_EXP_DEVCTL2_EETLPPB);
+    return pos;
+}
+
+void pcie_cap_exit(PCIDevice *dev)
+{
+    pci_del_capability(dev, PCI_CAP_ID_EXP, PCI_EXP_VER2_SIZEOF);
+}
+
+uint8_t pcie_cap_get_type(const PCIDevice *dev)
+{
+    uint32_t pos = dev->exp.exp_cap;
+    assert(pos > 0);
+    return (pci_get_word(dev->config + pos + PCI_EXP_FLAGS) &
+            PCI_EXP_FLAGS_TYPE) >> PCI_EXP_FLAGS_TYPE_SHIFT;
+}
+
+/* MSI/MSI-X */
+/* pci express interrupt message number */
+/* 7.8.2 PCI Express Capabilities Register: Interrupt Message Number */
+void pcie_cap_flags_set_vector(PCIDevice *dev, uint8_t vector)
+{
+    uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
+    assert(vector < 32);
+    pci_word_test_and_clear_mask(exp_cap + PCI_EXP_FLAGS, PCI_EXP_FLAGS_IRQ);
+    pci_word_test_and_set_mask(exp_cap + PCI_EXP_FLAGS,
+                               vector << PCI_EXP_FLAGS_IRQ_SHIFT);
+}
+
+uint8_t pcie_cap_flags_get_vector(PCIDevice *dev)
+{
+    return (pci_get_word(dev->config + dev->exp.exp_cap + PCI_EXP_FLAGS) &
+            PCI_EXP_FLAGS_IRQ) >> PCI_EXP_FLAGS_IRQ_SHIFT;
+}
+
+void pcie_cap_deverr_init(PCIDevice *dev)
+{
+    uint32_t pos = dev->exp.exp_cap;
+    pci_long_test_and_set_mask(dev->config + pos + PCI_EXP_DEVCAP,
+                               PCI_EXP_DEVCAP_RBER);
+    pci_long_test_and_set_mask(dev->wmask + pos + PCI_EXP_DEVCTL,
+                               PCI_EXP_DEVCTL_CERE | PCI_EXP_DEVCTL_NFERE |
+                               PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE);
+    pci_long_test_and_set_mask(dev->w1cmask + pos + PCI_EXP_DEVSTA,
+                               PCI_EXP_DEVSTA_CED | PCI_EXP_DEVSTA_NFED |
+                               PCI_EXP_DEVSTA_URD | PCI_EXP_DEVSTA_URD);
+}
+
+void pcie_cap_deverr_reset(PCIDevice *dev)
+{
+    uint8_t *devctl = dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL;
+    pci_long_test_and_clear_mask(devctl,
+                                 PCI_EXP_DEVCTL_CERE | PCI_EXP_DEVCTL_NFERE |
+                                 PCI_EXP_DEVCTL_FERE | PCI_EXP_DEVCTL_URRE);
+}
+
+/*
+ * A PCI Express Hot-Plug Event has occured, so update slot status register
+ * and notify OS of the event if necessary.
+ *
+ * 6.7.3 PCI Express Hot-Plug Events
+ * 6.7.3.4 Software Notification of Hot-Plug Events
+ */
+static void pcie_cap_slot_event(PCIDevice *dev, PCIExpressHotPlugEvent event)
+{
+    uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
+    uint16_t sltctl = pci_get_word(exp_cap + PCI_EXP_SLTCTL);
+    uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
+
+    PCIE_DEV_PRINTF(dev,
+                    "sltctl: 0x%02"PRIx16" sltsta: 0x%02"PRIx16" event: %x\n",
+                    sltctl, sltsta, event);
+
+    if (pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, event)) {
+        return;
+    }
+    sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
+    PCIE_DEV_PRINTF(dev, "sltsta -> %02"PRIx16"\n", sltsta);
+
+    if ((sltctl & PCI_EXP_SLTCTL_HPIE) &&
+        (sltctl & event & PCI_EXP_HP_EV_SUPPORTED)) {
+        if (pci_msi_enabled(dev)) {
+            pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
+        } else {
+            qemu_set_irq(dev->irq[dev->exp.hpev_intx], 1);
+        }
+    }
+}
+
+static int pcie_cap_slot_hotplug(DeviceState *qdev,
+                                 PCIDevice *pci_dev, int state)
+{
+    PCIDevice *d = DO_UPCAST(PCIDevice, qdev, qdev);
+    uint8_t *exp_cap = d->config + d->exp.exp_cap;
+    uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
+
+    if (!pci_dev->qdev.hotplugged) {
+        assert(state); /* this case only happens at machine creation. */
+        pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                   PCI_EXP_SLTSTA_PDS);
+        return 0;
+    }
+
+    PCIE_DEV_PRINTF(pci_dev, "hotplug state: %d\n", state);
+    if (sltsta & PCI_EXP_SLTSTA_EIS) {
+        /* the slot is electromechanically locked.
+         * This error is propagated up to qdev and then to HMP/QMP.
+         */
+        return -EBUSY;
+    }
+
+    /* TODO: multifunction hot-plug.
+     * Right now, only a device of function = 0 is allowed to be
+     * hot plugged/unplugged.
+     */
+    assert(PCI_FUNC(pci_dev->devfn) == 0);
+
+    if (state) {
+        pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
+                                   PCI_EXP_SLTSTA_PDS);
+        pcie_cap_slot_event(d, PCI_EXP_HP_EV_PDC);
+    } else {
+        qdev_free(&pci_dev->qdev);
+        pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
+                                     PCI_EXP_SLTSTA_PDS);
+        pcie_cap_slot_event(d, PCI_EXP_HP_EV_PDC);
+    }
+    return 0;
+}
+
+/* pci express slot for pci express root/downstream port
+   PCI express capability slot registers */
+void pcie_cap_slot_init(PCIDevice *dev, uint16_t slot)
+{
+    uint32_t pos = dev->exp.exp_cap;
+
+    pci_word_test_and_set_mask(dev->config + pos + PCI_EXP_FLAGS,
+                               PCI_EXP_FLAGS_SLOT);
+
+    pci_long_test_and_clear_mask(dev->config + pos + PCI_EXP_SLTCAP,
+                                 ~PCI_EXP_SLTCAP_PSN);
+    pci_long_test_and_set_mask(dev->config + pos + PCI_EXP_SLTCAP,
+                               (slot << PCI_EXP_SLTCAP_PSN_SHIFT) |
+                               PCI_EXP_SLTCAP_EIP |
+                               PCI_EXP_SLTCAP_HPS |
+                               PCI_EXP_SLTCAP_HPC |
+                               PCI_EXP_SLTCAP_PIP |
+                               PCI_EXP_SLTCAP_AIP |
+                               PCI_EXP_SLTCAP_ABP);
+
+    pci_word_test_and_clear_mask(dev->config + pos + PCI_EXP_SLTCTL,
+                                 PCI_EXP_SLTCTL_PIC |
+                                 PCI_EXP_SLTCTL_AIC);
+    pci_word_test_and_set_mask(dev->config + pos + PCI_EXP_SLTCTL,
+                               PCI_EXP_SLTCTL_PIC_OFF |
+                               PCI_EXP_SLTCTL_AIC_OFF);
+    pci_word_test_and_set_mask(dev->wmask + pos + PCI_EXP_SLTCTL,
+                               PCI_EXP_SLTCTL_PIC |
+                               PCI_EXP_SLTCTL_AIC |
+                               PCI_EXP_SLTCTL_HPIE |
+                               PCI_EXP_SLTCTL_CCIE |
+                               PCI_EXP_SLTCTL_PDCE |
+                               PCI_EXP_SLTCTL_ABPE);
+    /* Although reading PCI_EXP_SLTCTL_EIC returns always 0,
+     * make the bit writable here in order to detect 1b is written.
+     * pcie_cap_slot_write_config() test-and-clear the bit, so
+     * this bit always returns 0 to the guest.
+     */
+    pci_word_test_and_set_mask(dev->wmask + pos + PCI_EXP_SLTCTL,
+                               PCI_EXP_SLTCTL_EIC);
+
+    pci_word_test_and_set_mask(dev->w1cmask + pos + PCI_EXP_SLTSTA,
+                               PCI_EXP_HP_EV_SUPPORTED);
+
+    pci_bus_hotplug(pci_bridge_get_sec_bus(DO_UPCAST(PCIBridge, dev, dev)),
+                    pcie_cap_slot_hotplug, &dev->qdev);
+}
+
+void pcie_cap_slot_reset(PCIDevice *dev)
+{
+    uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
+
+    PCIE_DEV_PRINTF(dev, "reset\n");
+
+    pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTCTL,
+                                 PCI_EXP_SLTCTL_EIC |
+                                 PCI_EXP_SLTCTL_PIC |
+                                 PCI_EXP_SLTCTL_AIC |
+                                 PCI_EXP_SLTCTL_HPIE |
+                                 PCI_EXP_SLTCTL_CCIE |
+                                 PCI_EXP_SLTCTL_PDCE |
+                                 PCI_EXP_SLTCTL_ABPE);
+    pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTCTL,
+                               PCI_EXP_SLTCTL_PIC_OFF |
+                               PCI_EXP_SLTCTL_AIC_OFF);
+
+    pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
+                                 PCI_EXP_SLTSTA_EIS |/* on reset,
+                                                        the lock is released */
+                                 PCI_EXP_SLTSTA_CC |
+                                 PCI_EXP_SLTSTA_PDC |
+                                 PCI_EXP_SLTSTA_ABP);
+}
+
+void pcie_cap_slot_write_config(PCIDevice *dev,
+                                uint32_t addr, uint32_t val, int len,
+                                uint16_t sltctl_prev)
+{
+    uint32_t pos = dev->exp.exp_cap;
+    uint8_t *exp_cap = dev->config + pos;
+    uint16_t sltctl = pci_get_word(exp_cap + PCI_EXP_SLTCTL);
+    uint16_t sltsta = pci_get_word(exp_cap + PCI_EXP_SLTSTA);
+
+    PCIE_DEV_PRINTF(dev,
+                    "addr: 0x%"PRIx32" val: 0x%"PRIx32" len: %d\n"
+                    "\tsltctl_prev: 0x%02"PRIx16" sltctl: 0x%02"PRIx16
+                    " sltsta: 0x%02"PRIx16"\n",
+                    addr, val, len, sltctl_prev, sltctl, sltsta);
+
+    /* SLTCTL */
+    if (ranges_overlap(addr, len, pos + PCI_EXP_SLTCTL, 2)) {
+        PCIE_DEV_PRINTF(dev, "sltctl: 0x%02"PRIx16" -> 0x%02"PRIx16"\n",
+                        sltctl_prev, sltctl);
+        if (pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTCTL,
+                                         PCI_EXP_SLTCTL_EIC)) {
+            sltsta ^= PCI_EXP_SLTSTA_EIS; /* toggle PCI_EXP_SLTSTA_EIS bit */
+            pci_set_word(exp_cap + PCI_EXP_SLTSTA, sltsta);
+            PCIE_DEV_PRINTF(dev, "PCI_EXP_SLTCTL_EIC: "
+                            "sltsta -> 0x%02"PRIx16"\n",
+                            sltsta);
+        }
+
+        /*
+         * The events control bits might be enabled or disabled,
+         * Check if the software notificastion condition is satisfied
+         * or disatisfied.
+         *
+         * 6.7.3.4 Software Notification of Hot-plug events
+         */
+        if (pci_msi_enabled(dev)) {
+            bool msi_trigger =
+                (sltctl & PCI_EXP_SLTCTL_HPIE) &&
+                ((sltctl_prev ^ sltctl) & sltctl & /* stlctl: 0 -> 1 */
+                 sltsta & PCI_EXP_HP_EV_SUPPORTED);
+            if (msi_trigger) {
+                pci_msi_notify(dev, pcie_cap_flags_get_vector(dev));
+            }
+        } else {
+            int int_level =
+                (sltctl & PCI_EXP_SLTCTL_HPIE) &&
+                (sltctl & sltsta & PCI_EXP_HP_EV_SUPPORTED);
+            qemu_set_irq(dev->irq[dev->exp.hpev_intx], int_level);
+        }
+
+        if (!((sltctl_prev ^ sltctl) & PCI_EXP_SLTCTL_SUPPORTED)) {
+            PCIE_DEV_PRINTF(dev,
+                            "sprious command completion slctl "
+                            "0x%"PRIx16" -> 0x%"PRIx16"\n",
+                            sltctl_prev, sltctl);
+        }
+
+        /* command completion.
+         * Real hardware might take a while to complete
+         * requested command because physical movement would be involved
+         * like locking the electromechanical lock.
+         * However in our case, command is completed instantaneously above,
+         * so send a command completion event right now.
+         *
+         * 6.7.3.2 Command Completed Events
+         */
+        /* set command completed bit */
+        pcie_cap_slot_event(dev, PCI_EXP_HP_EV_CCI);
+    }
+}
+
+void pcie_cap_slot_push_attention_button(PCIDevice *dev)
+{
+    pcie_cap_slot_event(dev, PCI_EXP_HP_EV_ABP);
+}
+
+/* root control/capabilities/status. PME isn't emulated for now */
+void pcie_cap_root_init(PCIDevice *dev)
+{
+    pci_set_word(dev->wmask + dev->exp.exp_cap + PCI_EXP_RTCTL,
+                 PCI_EXP_RTCTL_SECEE | PCI_EXP_RTCTL_SENFEE |
+                 PCI_EXP_RTCTL_SEFEE);
+}
+
+void pcie_cap_root_reset(PCIDevice *dev)
+{
+    pci_set_word(dev->config + dev->exp.exp_cap + PCI_EXP_RTCTL, 0);
+}
+
+/*
+ * TODO: implement FLR:
+ * Right now sets the bit which indicates FLR is supported.
+ */
+/* function level reset(FLR) */
+void pcie_cap_flr_init(PCIDevice *dev)
+{
+    pci_long_test_and_set_mask(dev->config + dev->exp.exp_cap + PCI_EXP_DEVCAP,
+                               PCI_EXP_DEVCAP_FLR);
+
+    /* Although reading BCR_FLR returns always 0,
+     * the bit is made writable here in order to detect the 1b is written
+     * pcie_cap_flr_write_config() test-and-clear the bit, so
+     * this bit always returns 0 to the guest.
+     */
+    pci_word_test_and_set_mask(dev->wmask + dev->exp.exp_cap + PCI_EXP_DEVCTL,
+                               PCI_EXP_DEVCTL_BCR_FLR);
+}
+
+void pcie_cap_flr_write_config(PCIDevice *dev,
+                               uint32_t addr, uint32_t val, int len)
+{
+    uint8_t *devctl = dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL;
+    if (pci_word_test_and_clear_mask(devctl, PCI_EXP_DEVCTL_BCR_FLR)) {
+        /* TODO: implement FLR */
+    }
+}
+
+/* Alternative Routing-ID Interpretation (ARI) */
+/* ari forwarding support for down stream port */
+void pcie_cap_ari_init(PCIDevice *dev)
+{
+    uint32_t pos = dev->exp.exp_cap;
+    pci_long_test_and_set_mask(dev->config + pos + PCI_EXP_DEVCAP2,
+                               PCI_EXP_DEVCAP2_ARI);
+    pci_long_test_and_set_mask(dev->wmask + pos + PCI_EXP_DEVCTL2,
+                               PCI_EXP_DEVCTL2_ARI);
+}
+
+void pcie_cap_ari_reset(PCIDevice *dev)
+{
+    uint8_t *devctl2 = dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL2;
+    pci_long_test_and_clear_mask(devctl2, PCI_EXP_DEVCTL2_ARI);
+}
+
+bool pcie_cap_is_ari_enabled(const PCIDevice *dev)
+{
+    if (!pci_is_express(dev)) {
+        return false;
+    }
+    if (!dev->exp.exp_cap) {
+        return false;
+    }
+
+    return pci_get_long(dev->config + dev->exp.exp_cap + PCI_EXP_DEVCTL2) &
+        PCI_EXP_DEVCTL2_ARI;
+}
+
+/**************************************************************************
+ * pci express extended capability allocation functions
+ * uint16_t ext_cap_id (16 bit)
+ * uint8_t cap_ver (4 bit)
+ * uint16_t cap_offset (12 bit)
+ * uint16_t ext_cap_size
+ */
+
+static uint16_t pcie_find_capability_list(PCIDevice *dev, uint16_t cap_id,
+                                          uint16_t *prev_p)
+{
+    uint16_t prev = 0;
+    uint16_t next;
+    uint32_t header = pci_get_long(dev->config + PCI_CONFIG_SPACE_SIZE);
+
+    if (!header) {
+        /* no extended capability */
+        next = 0;
+        goto out;
+    }
+    for (next = PCI_CONFIG_SPACE_SIZE; next;
+         prev = next, next = PCI_EXT_CAP_NEXT(header)) {
+
+        assert(next >= PCI_CONFIG_SPACE_SIZE);
+        assert(next <= PCIE_CONFIG_SPACE_SIZE - 8);
+
+        header = pci_get_long(dev->config + next);
+        if (PCI_EXT_CAP_ID(header) == cap_id) {
+            break;
+        }
+    }
+
+out:
+    if (prev_p) {
+        *prev_p = prev;
+    }
+    return next;
+}
+
+uint16_t pcie_find_capability(PCIDevice *dev, uint16_t cap_id)
+{
+    return pcie_find_capability_list(dev, cap_id, NULL);
+}
+
+static void pcie_ext_cap_set_next(PCIDevice *dev, uint16_t pos, uint16_t next)
+{
+    uint16_t header = pci_get_long(dev->config + pos);
+    assert(!(next & (PCI_EXT_CAP_ALIGN - 1)));
+    header = (header & ~PCI_EXT_CAP_NEXT_MASK) |
+        ((next << PCI_EXT_CAP_NEXT_SHIFT) & PCI_EXT_CAP_NEXT_MASK);
+    pci_set_long(dev->config + pos, header);
+}
+
+/*
+ * caller must supply valid (offset, size) * such that the range shouldn't
+ * overlap with other capability or other registers.
+ * This function doesn't check it.
+ */
+void pcie_add_capability(PCIDevice *dev,
+                         uint16_t cap_id, uint8_t cap_ver,
+                         uint16_t offset, uint16_t size)
+{
+    uint32_t header;
+    uint16_t next;
+
+    assert(offset >= PCI_CONFIG_SPACE_SIZE);
+    assert(offset < offset + size);
+    assert(offset + size < PCIE_CONFIG_SPACE_SIZE);
+    assert(size >= 8);
+    assert(pci_is_express(dev));
+
+    if (offset == PCI_CONFIG_SPACE_SIZE) {
+        header = pci_get_long(dev->config + offset);
+        next = PCI_EXT_CAP_NEXT(header);
+    } else {
+        uint16_t prev;
+
+        /* 0 is reserved cap id. use internally to find the last capability
+           in the linked list */
+        next = pcie_find_capability_list(dev, 0, &prev);
+
+        assert(prev >= PCI_CONFIG_SPACE_SIZE);
+        assert(next == 0);
+        pcie_ext_cap_set_next(dev, prev, offset);
+    }
+    pci_set_long(dev->config + offset, PCI_EXT_CAP(cap_id, cap_ver, next));
+
+    /* Make capability read-only by default */
+    memset(dev->wmask + offset, 0, size);
+    memset(dev->w1cmask + offset, 0, size);
+    /* Check capability by default */
+    memset(dev->cmask + offset, 0xFF, size);
+}
+
+/**************************************************************************
+ * pci express extended capability helper functions
+ */
+
+/* ARI */
+void pcie_ari_init(PCIDevice *dev, uint16_t offset, uint16_t nextfn)
+{
+    pcie_add_capability(dev, PCI_EXT_CAP_ID_ARI, PCI_ARI_VER,
+                        offset, PCI_ARI_SIZEOF);
+    pci_set_long(dev->config + offset + PCI_ARI_CAP, PCI_ARI_CAP_NFN(nextfn));
+}
diff --git a/hw/pcie.h b/hw/pcie.h
new file mode 100644
index 0000000..68327d8
--- /dev/null
+++ b/hw/pcie.h
@@ -0,0 +1,107 @@
+/*
+ * pcie.h
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef QEMU_PCIE_H
+#define QEMU_PCIE_H
+
+#include "hw.h"
+#include "pci_regs.h"
+#include "pcie_regs.h"
+
+typedef enum {
+    /* for attention and power indicator */
+    PCI_EXP_HP_IND_RESERVED     = PCI_EXP_SLTCTL_IND_RESERVED,
+    PCI_EXP_HP_IND_ON           = PCI_EXP_SLTCTL_IND_ON,
+    PCI_EXP_HP_IND_BLINK        = PCI_EXP_SLTCTL_IND_BLINK,
+    PCI_EXP_HP_IND_OFF          = PCI_EXP_SLTCTL_IND_OFF,
+} PCIExpressIndicator;
+
+typedef enum {
+    /* these bits must match the bits in Slot Control/Status registers.
+     * PCI_EXP_HP_EV_xxx = PCI_EXP_SLTCTL_xxxE = PCI_EXP_SLTSTA_xxx
+     *
+     * Not all the bits of slot control register match with the ones of
+     * slot status. Not some bits of slot status register is used to
+     * show status, not to report event occurence.
+     * So such bits must be masked out when checking the software
+     * notification condition.
+     */
+    PCI_EXP_HP_EV_ABP           = PCI_EXP_SLTCTL_ABPE,
+                                        /* attention button pressed */
+    PCI_EXP_HP_EV_PDC           = PCI_EXP_SLTCTL_PDCE,
+                                        /* presence detect changed */
+    PCI_EXP_HP_EV_CCI           = PCI_EXP_SLTCTL_CCIE,
+                                        /* command completed */
+
+    PCI_EXP_HP_EV_SUPPORTED     = PCI_EXP_HP_EV_ABP |
+                                  PCI_EXP_HP_EV_PDC |
+                                  PCI_EXP_HP_EV_CCI,
+                                                /* supported event mask  */
+
+    /* events not listed aren't supported */
+} PCIExpressHotPlugEvent;
+
+struct PCIExpressDevice {
+    /* Offset of express capability in config space */
+    uint8_t exp_cap;
+
+    /* TODO FLR */
+
+    /* SLOT */
+    unsigned int hpev_intx;     /* INTx for hot plug event */
+};
+
+/* PCI express capability helper functions */
+int pcie_cap_init(PCIDevice *dev, uint8_t offset, uint8_t type, uint8_t port);
+void pcie_cap_exit(PCIDevice *dev);
+uint8_t pcie_cap_get_type(const PCIDevice *dev);
+void pcie_cap_flags_set_vector(PCIDevice *dev, uint8_t vector);
+uint8_t pcie_cap_flags_get_vector(PCIDevice *dev);
+
+void pcie_cap_deverr_init(PCIDevice *dev);
+void pcie_cap_deverr_reset(PCIDevice *dev);
+
+void pcie_cap_slot_init(PCIDevice *dev, uint16_t slot);
+void pcie_cap_slot_reset(PCIDevice *dev);
+void pcie_cap_slot_write_config(PCIDevice *dev,
+                                uint32_t addr, uint32_t val, int len,
+                                uint16_t sltctl_prev);
+void pcie_cap_slot_push_attention_button(PCIDevice *dev);
+
+void pcie_cap_root_init(PCIDevice *dev);
+void pcie_cap_root_reset(PCIDevice *dev);
+
+void pcie_cap_flr_init(PCIDevice *dev);
+void pcie_cap_flr_write_config(PCIDevice *dev,
+                           uint32_t addr, uint32_t val, int len);
+
+void pcie_cap_ari_init(PCIDevice *dev);
+void pcie_cap_ari_reset(PCIDevice *dev);
+bool pcie_cap_is_ari_enabled(const PCIDevice *dev);
+
+/* PCI express extended capability helper functions */
+uint16_t pcie_find_capability(PCIDevice *dev, uint16_t cap_id);
+void pcie_add_capability(PCIDevice *dev,
+                         uint16_t cap_id, uint8_t cap_ver,
+                         uint16_t offset, uint16_t size);
+
+void pcie_ari_init(PCIDevice *dev, uint16_t offset, uint16_t nextfn);
+
+#endif /* QEMU_PCIE_H */
diff --git a/qemu-common.h b/qemu-common.h
index d735235..6d9ee26 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -219,6 +219,7 @@ typedef struct PCIHostState PCIHostState;
 typedef struct PCIExpressHost PCIExpressHost;
 typedef struct PCIBus PCIBus;
 typedef struct PCIDevice PCIDevice;
+typedef struct PCIExpressDevice PCIExpressDevice;
 typedef struct PCIBridge PCIBridge;
 typedef struct SerialState SerialState;
 typedef struct IRQState *qemu_irq;
commit 08f3dcf13f49dea3106b09c69bef9543e56fa629
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Oct 19 18:06:33 2010 +0900

    pcie: add pcie constants to pcie_regs.h
    
    add pcie constants to pcie_regs.h.
    Those constants should go to Linux pci_regs.h and then the file should
    go away eventually.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pcie_regs.h b/hw/pcie_regs.h
new file mode 100644
index 0000000..3461a1b
--- /dev/null
+++ b/hw/pcie_regs.h
@@ -0,0 +1,154 @@
+/*
+ * constants for pcie configurations space from pci express spec.
+ *
+ * TODO:
+ * Those constants and macros should go to Linux pci_regs.h
+ * Once they're merged, they will go away.
+ */
+#ifndef QEMU_PCIE_REGS_H
+#define QEMU_PCIE_REGS_H
+
+
+/* express capability */
+
+#define PCI_EXP_VER2_SIZEOF             0x3c /* express capability of ver. 2 */
+#define PCI_EXT_CAP_VER_SHIFT           16
+#define PCI_EXT_CAP_NEXT_SHIFT          20
+#define PCI_EXT_CAP_NEXT_MASK           (0xffc << PCI_EXT_CAP_NEXT_SHIFT)
+
+#define PCI_EXT_CAP(id, ver, next)                                      \
+    ((id) |                                                             \
+     ((ver) << PCI_EXT_CAP_VER_SHIFT) |                                 \
+     ((next) << PCI_EXT_CAP_NEXT_SHIFT))
+
+#define PCI_EXT_CAP_ALIGN               4
+#define PCI_EXT_CAP_ALIGNUP(x)                                  \
+    (((x) + PCI_EXT_CAP_ALIGN - 1) & ~(PCI_EXT_CAP_ALIGN - 1))
+
+/* PCI_EXP_FLAGS */
+#define PCI_EXP_FLAGS_VER2              2 /* for now, supports only ver. 2 */
+#define PCI_EXP_FLAGS_IRQ_SHIFT         (ffs(PCI_EXP_FLAGS_IRQ) - 1)
+#define PCI_EXP_FLAGS_TYPE_SHIFT        (ffs(PCI_EXP_FLAGS_TYPE) - 1)
+
+
+/* PCI_EXP_LINK{CAP, STA} */
+/* link speed */
+#define PCI_EXP_LNK_LS_25               1
+
+#define PCI_EXP_LNK_MLW_SHIFT           (ffs(PCI_EXP_LNKCAP_MLW) - 1)
+#define PCI_EXP_LNK_MLW_1               (1 << PCI_EXP_LNK_MLW_SHIFT)
+
+/* PCI_EXP_LINKCAP */
+#define PCI_EXP_LNKCAP_ASPMS_SHIFT      (ffs(PCI_EXP_LNKCAP_ASPMS) - 1)
+#define PCI_EXP_LNKCAP_ASPMS_0S         (1 << PCI_EXP_LNKCAP_ASPMS_SHIFT)
+
+#define PCI_EXP_LNKCAP_PN_SHIFT         (ffs(PCI_EXP_LNKCAP_PN) - 1)
+
+#define PCI_EXP_SLTCAP_PSN_SHIFT        (ffs(PCI_EXP_SLTCAP_PSN) - 1)
+
+#define PCI_EXP_SLTCTL_IND_RESERVED     0x0
+#define PCI_EXP_SLTCTL_IND_ON           0x1
+#define PCI_EXP_SLTCTL_IND_BLINK        0x2
+#define PCI_EXP_SLTCTL_IND_OFF          0x3
+#define PCI_EXP_SLTCTL_AIC_SHIFT        (ffs(PCI_EXP_SLTCTL_AIC) - 1)
+#define PCI_EXP_SLTCTL_AIC_OFF                          \
+    (PCI_EXP_SLTCTL_IND_OFF << PCI_EXP_SLTCTL_AIC_SHIFT)
+
+#define PCI_EXP_SLTCTL_PIC_SHIFT        (ffs(PCI_EXP_SLTCTL_PIC) - 1)
+#define PCI_EXP_SLTCTL_PIC_OFF                          \
+    (PCI_EXP_SLTCTL_IND_OFF << PCI_EXP_SLTCTL_PIC_SHIFT)
+
+#define PCI_EXP_SLTCTL_SUPPORTED        \
+            (PCI_EXP_SLTCTL_ABPE |      \
+             PCI_EXP_SLTCTL_PDCE |      \
+             PCI_EXP_SLTCTL_CCIE |      \
+             PCI_EXP_SLTCTL_HPIE |      \
+             PCI_EXP_SLTCTL_AIC |       \
+             PCI_EXP_SLTCTL_PCC |       \
+             PCI_EXP_SLTCTL_EIC)
+
+#define PCI_EXP_DEVCAP2_EFF             0x100000
+#define PCI_EXP_DEVCAP2_EETLPP          0x200000
+
+#define PCI_EXP_DEVCTL2_EETLPPB         0x80
+
+/* ARI */
+#define PCI_ARI_VER                     1
+#define PCI_ARI_SIZEOF                  8
+
+/* AER */
+#define PCI_ERR_VER                     2
+#define PCI_ERR_SIZEOF                  0x48
+
+#define PCI_ERR_UNC_SDN                 0x00000020      /* surprise down */
+#define PCI_ERR_UNC_ACSV                0x00200000      /* ACS Violation */
+#define PCI_ERR_UNC_INTN                0x00400000      /* Internal Error */
+#define PCI_ERR_UNC_MCBTLP              0x00800000      /* MC Blcoked TLP */
+#define PCI_ERR_UNC_ATOP_EBLOCKED       0x01000000      /* atomic op egress blocked */
+#define PCI_ERR_UNC_TLP_PRF_BLOCKED     0x02000000      /* TLP Prefix Blocked */
+#define PCI_ERR_COR_ADV_NONFATAL        0x00002000      /* Advisory Non-Fatal */
+#define PCI_ERR_COR_INTERNAL            0x00004000      /* Corrected Internal */
+#define PCI_ERR_COR_HL_OVERFLOW         0x00008000      /* Header Long Overflow */
+#define PCI_ERR_CAP_FEP_MASK            0x0000001f
+#define PCI_ERR_CAP_MHRC                0x00000200
+#define PCI_ERR_CAP_MHRE                0x00000400
+#define PCI_ERR_CAP_TLP                 0x00000800
+
+#define PCI_ERR_TLP_PREFIX_LOG          0x38
+
+#define PCI_SEC_STATUS_RCV_SYSTEM_ERROR         0x4000
+
+/* aer root error command/status */
+#define PCI_ERR_ROOT_CMD_EN_MASK        (PCI_ERR_ROOT_CMD_COR_EN |      \
+                                         PCI_ERR_ROOT_CMD_NONFATAL_EN | \
+                                         PCI_ERR_ROOT_CMD_FATAL_EN)
+
+#define PCI_ERR_ROOT_IRQ_MAX            32
+#define PCI_ERR_ROOT_IRQ                0xf8000000
+#define PCI_ERR_ROOT_IRQ_SHIFT          (ffs(PCI_ERR_ROOT_IRQ) - 1)
+#define PCI_ERR_ROOT_STATUS_REPORT_MASK (PCI_ERR_ROOT_COR_RCV |         \
+                                         PCI_ERR_ROOT_MULTI_COR_RCV |   \
+                                         PCI_ERR_ROOT_UNCOR_RCV |       \
+                                         PCI_ERR_ROOT_MULTI_UNCOR_RCV | \
+                                         PCI_ERR_ROOT_FIRST_FATAL |     \
+                                         PCI_ERR_ROOT_NONFATAL_RCV |    \
+                                         PCI_ERR_ROOT_FATAL_RCV)
+
+#define PCI_ERR_UNC_SUPPORTED           (PCI_ERR_UNC_DLP |              \
+                                         PCI_ERR_UNC_SDN |              \
+                                         PCI_ERR_UNC_POISON_TLP |       \
+                                         PCI_ERR_UNC_FCP |              \
+                                         PCI_ERR_UNC_COMP_TIME |        \
+                                         PCI_ERR_UNC_COMP_ABORT |       \
+                                         PCI_ERR_UNC_UNX_COMP |         \
+                                         PCI_ERR_UNC_RX_OVER |          \
+                                         PCI_ERR_UNC_MALF_TLP |         \
+                                         PCI_ERR_UNC_ECRC |             \
+                                         PCI_ERR_UNC_UNSUP |            \
+                                         PCI_ERR_UNC_ACSV |             \
+                                         PCI_ERR_UNC_INTN |             \
+                                         PCI_ERR_UNC_MCBTLP |           \
+                                         PCI_ERR_UNC_ATOP_EBLOCKED |    \
+                                         PCI_ERR_UNC_TLP_PRF_BLOCKED)
+
+#define PCI_ERR_UNC_SEVERITY_DEFAULT    (PCI_ERR_UNC_DLP |              \
+                                         PCI_ERR_UNC_SDN |              \
+                                         PCI_ERR_UNC_FCP |              \
+                                         PCI_ERR_UNC_RX_OVER |          \
+                                         PCI_ERR_UNC_MALF_TLP |         \
+                                         PCI_ERR_UNC_INTN)
+
+#define PCI_ERR_COR_SUPPORTED           (PCI_ERR_COR_RCVR |             \
+                                         PCI_ERR_COR_BAD_TLP |          \
+                                         PCI_ERR_COR_BAD_DLLP |         \
+                                         PCI_ERR_COR_REP_ROLL |         \
+                                         PCI_ERR_COR_REP_TIMER |        \
+                                         PCI_ERR_COR_ADV_NONFATAL |     \
+                                         PCI_ERR_COR_INTERNAL |         \
+                                         PCI_ERR_COR_HL_OVERFLOW)
+
+#define PCI_ERR_COR_MASK_DEFAULT        (PCI_ERR_COR_ADV_NONFATAL |     \
+                                         PCI_ERR_COR_INTERNAL |         \
+                                         PCI_ERR_COR_HL_OVERFLOW)
+
+#endif /* QEMU_PCIE_REGS_H */
commit e4c7d2aef899780f9b9b86343bca4ac34c9e252f
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Oct 19 18:06:32 2010 +0900

    msi: implements msi
    
    implements msi related functions.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 594894b..5f5a4c5 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -186,7 +186,7 @@ hw-obj-$(CONFIG_PIIX4) += piix4.o
 # PCI watchdog devices
 hw-obj-y += wdt_i6300esb.o
 
-hw-obj-y += msix.o
+hw-obj-y += msix.o msi.o
 
 # PCI network cards
 hw-obj-y += ne2000.o
diff --git a/hw/msi.c b/hw/msi.c
new file mode 100644
index 0000000..a949d82
--- /dev/null
+++ b/hw/msi.c
@@ -0,0 +1,352 @@
+/*
+ * msi.c
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "msi.h"
+
+/* Eventually those constants should go to Linux pci_regs.h */
+#define PCI_MSI_PENDING_32      0x10
+#define PCI_MSI_PENDING_64      0x14
+
+/* PCI_MSI_ADDRESS_LO */
+#define PCI_MSI_ADDRESS_LO_MASK         (~0x3)
+
+/* If we get rid of cap allocator, we won't need those. */
+#define PCI_MSI_32_SIZEOF       0x0a
+#define PCI_MSI_64_SIZEOF       0x0e
+#define PCI_MSI_32M_SIZEOF      0x14
+#define PCI_MSI_64M_SIZEOF      0x18
+
+#define PCI_MSI_VECTORS_MAX     32
+
+/* If we get rid of cap allocator, we won't need this. */
+static inline uint8_t msi_cap_sizeof(uint16_t flags)
+{
+    switch (flags & (PCI_MSI_FLAGS_MASKBIT | PCI_MSI_FLAGS_64BIT)) {
+    case PCI_MSI_FLAGS_MASKBIT | PCI_MSI_FLAGS_64BIT:
+        return PCI_MSI_64M_SIZEOF;
+    case PCI_MSI_FLAGS_64BIT:
+        return PCI_MSI_64_SIZEOF;
+    case PCI_MSI_FLAGS_MASKBIT:
+        return PCI_MSI_32M_SIZEOF;
+    case 0:
+        return PCI_MSI_32_SIZEOF;
+    default:
+        abort();
+        break;
+    }
+    return 0;
+}
+
+//#define MSI_DEBUG
+
+#ifdef MSI_DEBUG
+# define MSI_DPRINTF(fmt, ...)                                          \
+    fprintf(stderr, "%s:%d " fmt, __func__, __LINE__, ## __VA_ARGS__)
+#else
+# define MSI_DPRINTF(fmt, ...)  do { } while (0)
+#endif
+#define MSI_DEV_PRINTF(dev, fmt, ...)                                   \
+    MSI_DPRINTF("%s:%x " fmt, (dev)->name, (dev)->devfn, ## __VA_ARGS__)
+
+static inline unsigned int msi_nr_vectors(uint16_t flags)
+{
+    return 1U <<
+        ((flags & PCI_MSI_FLAGS_QSIZE) >> (ffs(PCI_MSI_FLAGS_QSIZE) - 1));
+}
+
+static inline uint8_t msi_flags_off(const PCIDevice* dev)
+{
+    return dev->msi_cap + PCI_MSI_FLAGS;
+}
+
+static inline uint8_t msi_address_lo_off(const PCIDevice* dev)
+{
+    return dev->msi_cap + PCI_MSI_ADDRESS_LO;
+}
+
+static inline uint8_t msi_address_hi_off(const PCIDevice* dev)
+{
+    return dev->msi_cap + PCI_MSI_ADDRESS_HI;
+}
+
+static inline uint8_t msi_data_off(const PCIDevice* dev, bool msi64bit)
+{
+    return dev->msi_cap + (msi64bit ? PCI_MSI_DATA_64 : PCI_MSI_DATA_32);
+}
+
+static inline uint8_t msi_mask_off(const PCIDevice* dev, bool msi64bit)
+{
+    return dev->msi_cap + (msi64bit ? PCI_MSI_MASK_64 : PCI_MSI_MASK_32);
+}
+
+static inline uint8_t msi_pending_off(const PCIDevice* dev, bool msi64bit)
+{
+    return dev->msi_cap + (msi64bit ? PCI_MSI_PENDING_64 : PCI_MSI_PENDING_32);
+}
+
+bool msi_enabled(const PCIDevice *dev)
+{
+    return msi_present(dev) &&
+        (pci_get_word(dev->config + msi_flags_off(dev)) &
+         PCI_MSI_FLAGS_ENABLE);
+}
+
+int msi_init(struct PCIDevice *dev, uint8_t offset,
+             unsigned int nr_vectors, bool msi64bit, bool msi_per_vector_mask)
+{
+    unsigned int vectors_order;
+    uint16_t flags;
+    uint8_t cap_size;
+    int config_offset;
+    MSI_DEV_PRINTF(dev,
+                   "init offset: 0x%"PRIx8" vector: %"PRId8
+                   " 64bit %d mask %d\n",
+                   offset, nr_vectors, msi64bit, msi_per_vector_mask);
+
+    assert(!(nr_vectors & (nr_vectors - 1)));   /* power of 2 */
+    assert(nr_vectors > 0);
+    assert(nr_vectors <= PCI_MSI_VECTORS_MAX);
+    /* the nr of MSI vectors is up to 32 */
+    vectors_order = ffs(nr_vectors) - 1;
+
+    flags = vectors_order << (ffs(PCI_MSI_FLAGS_QMASK) - 1);
+    if (msi64bit) {
+        flags |= PCI_MSI_FLAGS_64BIT;
+    }
+    if (msi_per_vector_mask) {
+        flags |= PCI_MSI_FLAGS_MASKBIT;
+    }
+
+    cap_size = msi_cap_sizeof(flags);
+    config_offset = pci_add_capability(dev, PCI_CAP_ID_MSI, offset, cap_size);
+    if (config_offset < 0) {
+        return config_offset;
+    }
+
+    dev->msi_cap = config_offset;
+    dev->cap_present |= QEMU_PCI_CAP_MSI;
+
+    pci_set_word(dev->config + msi_flags_off(dev), flags);
+    pci_set_word(dev->wmask + msi_flags_off(dev),
+                 PCI_MSI_FLAGS_QSIZE | PCI_MSI_FLAGS_ENABLE);
+    pci_set_long(dev->wmask + msi_address_lo_off(dev),
+                 PCI_MSI_ADDRESS_LO_MASK);
+    if (msi64bit) {
+        pci_set_long(dev->wmask + msi_address_hi_off(dev), 0xffffffff);
+    }
+    pci_set_word(dev->wmask + msi_data_off(dev, msi64bit), 0xffff);
+
+    if (msi_per_vector_mask) {
+        pci_set_long(dev->wmask + msi_mask_off(dev, msi64bit),
+                     /* (1U << nr_vectors) - 1 is undefined
+                        when nr_vectors = 32 */
+                     0xffffffff >> (PCI_MSI_VECTORS_MAX - nr_vectors));
+    }
+    return config_offset;
+}
+
+void msi_uninit(struct PCIDevice *dev)
+{
+    uint16_t flags = pci_get_word(dev->config + msi_flags_off(dev));
+    uint8_t cap_size = msi_cap_sizeof(flags);
+    pci_del_capability(dev, PCI_CAP_ID_MSIX, cap_size);
+    MSI_DEV_PRINTF(dev, "uninit\n");
+}
+
+void msi_reset(PCIDevice *dev)
+{
+    uint16_t flags;
+    bool msi64bit;
+
+    flags = pci_get_word(dev->config + msi_flags_off(dev));
+    flags &= ~(PCI_MSI_FLAGS_QSIZE | PCI_MSI_FLAGS_ENABLE);
+    msi64bit = flags & PCI_MSI_FLAGS_64BIT;
+
+    pci_set_word(dev->config + msi_flags_off(dev), flags);
+    pci_set_long(dev->config + msi_address_lo_off(dev), 0);
+    if (msi64bit) {
+        pci_set_long(dev->config + msi_address_hi_off(dev), 0);
+    }
+    pci_set_word(dev->config + msi_data_off(dev, msi64bit), 0);
+    if (flags & PCI_MSI_FLAGS_MASKBIT) {
+        pci_set_long(dev->config + msi_mask_off(dev, msi64bit), 0);
+        pci_set_long(dev->config + msi_pending_off(dev, msi64bit), 0);
+    }
+    MSI_DEV_PRINTF(dev, "reset\n");
+}
+
+static bool msi_is_masked(const PCIDevice *dev, unsigned int vector)
+{
+    uint16_t flags = pci_get_word(dev->config + msi_flags_off(dev));
+    uint32_t mask;
+    assert(vector < PCI_MSI_VECTORS_MAX);
+
+    if (!(flags & PCI_MSI_FLAGS_MASKBIT)) {
+        return false;
+    }
+
+    mask = pci_get_long(dev->config +
+                        msi_mask_off(dev, flags & PCI_MSI_FLAGS_64BIT));
+    return mask & (1U << vector);
+}
+
+void msi_notify(PCIDevice *dev, unsigned int vector)
+{
+    uint16_t flags = pci_get_word(dev->config + msi_flags_off(dev));
+    bool msi64bit = flags & PCI_MSI_FLAGS_64BIT;
+    unsigned int nr_vectors = msi_nr_vectors(flags);
+    uint64_t address;
+    uint32_t data;
+
+    assert(vector < nr_vectors);
+    if (msi_is_masked(dev, vector)) {
+        assert(flags & PCI_MSI_FLAGS_MASKBIT);
+        pci_long_test_and_set_mask(
+            dev->config + msi_pending_off(dev, msi64bit), 1U << vector);
+        MSI_DEV_PRINTF(dev, "pending vector 0x%x\n", vector);
+        return;
+    }
+
+    if (msi64bit){
+        address = pci_get_quad(dev->config + msi_address_lo_off(dev));
+    } else {
+        address = pci_get_long(dev->config + msi_address_lo_off(dev));
+    }
+
+    /* upper bit 31:16 is zero */
+    data = pci_get_word(dev->config + msi_data_off(dev, msi64bit));
+    if (nr_vectors > 1) {
+        data &= ~(nr_vectors - 1);
+        data |= vector;
+    }
+
+    MSI_DEV_PRINTF(dev,
+                   "notify vector 0x%x"
+                   " address: 0x%"PRIx64" data: 0x%"PRIx32"\n",
+                   vector, address, data);
+    stl_phys(address, data);
+}
+
+/* call this function after updating configs by pci_default_write_config(). */
+void msi_write_config(PCIDevice *dev, uint32_t addr, uint32_t val, int len)
+{
+    uint16_t flags = pci_get_word(dev->config + msi_flags_off(dev));
+    bool msi64bit = flags & PCI_MSI_FLAGS_64BIT;
+    bool msi_per_vector_mask = flags & PCI_MSI_FLAGS_MASKBIT;
+    unsigned int nr_vectors;
+    uint8_t log_num_vecs;
+    uint8_t log_max_vecs;
+    unsigned int vector;
+    uint32_t pending;
+    int i;
+
+#ifdef MSI_DEBUG
+    if (ranges_overlap(addr, len, dev->msi_cap, msi_cap_sizeof(flags))) {
+        MSI_DEV_PRINTF(dev, "addr 0x%"PRIx32" val 0x%"PRIx32" len %d\n",
+                       addr, val, len);
+        MSI_DEV_PRINTF(dev, "ctrl: 0x%"PRIx16" address: 0x%"PRIx32,
+                       flags,
+                       pci_get_long(dev->config + msi_address_lo_off(dev)));
+        if (msi64bit) {
+            fprintf(stderr, " addrss-hi: 0x%"PRIx32,
+                    pci_get_long(dev->config + msi_address_hi_off(dev)));
+        }
+        fprintf(stderr, " data: 0x%"PRIx16,
+                pci_get_word(dev->config + msi_data_off(dev, msi64bit)));
+        if (flags & PCI_MSI_FLAGS_MASKBIT) {
+            fprintf(stderr, " mask 0x%"PRIx32" pending 0x%"PRIx32,
+                    pci_get_long(dev->config + msi_mask_off(dev, msi64bit)),
+                    pci_get_long(dev->config + msi_pending_off(dev, msi64bit)));
+        }
+        fprintf(stderr, "\n");
+    }
+#endif
+
+    /* Are we modified? */
+    if (!(ranges_overlap(addr, len, msi_flags_off(dev), 2) ||
+          (msi_per_vector_mask &&
+           ranges_overlap(addr, len, msi_mask_off(dev, msi64bit), 4)))) {
+        return;
+    }
+
+    if (!(flags & PCI_MSI_FLAGS_ENABLE)) {
+        return;
+    }
+
+    /*
+     * Now MSI is enabled, clear INTx# interrupts.
+     * the driver is prohibited from writing enable bit to mask
+     * a service request. But the guest OS could do this.
+     * So we just discard the interrupts as moderate fallback.
+     *
+     * 6.8.3.3. Enabling Operation
+     *   While enabled for MSI or MSI-X operation, a function is prohibited
+     *   from using its INTx# pin (if implemented) to request
+     *   service (MSI, MSI-X, and INTx# are mutually exclusive).
+     */
+    for (i = 0; i < PCI_NUM_PINS; ++i) {
+        qemu_set_irq(dev->irq[i], 0);
+    }
+
+    /*
+     * nr_vectors might be set bigger than capable. So clamp it.
+     * This is not legal by spec, so we can do anything we like,
+     * just don't crash the host
+     */
+    log_num_vecs =
+        (flags & PCI_MSI_FLAGS_QSIZE) >> (ffs(PCI_MSI_FLAGS_QSIZE) - 1);
+    log_max_vecs =
+        (flags & PCI_MSI_FLAGS_QMASK) >> (ffs(PCI_MSI_FLAGS_QMASK) - 1);
+    if (log_num_vecs > log_max_vecs) {
+        flags &= ~PCI_MSI_FLAGS_QSIZE;
+        flags |= log_max_vecs << (ffs(PCI_MSI_FLAGS_QSIZE) - 1);
+        pci_set_word(dev->config + msi_flags_off(dev), flags);
+    }
+
+    if (!msi_per_vector_mask) {
+        /* if per vector masking isn't supported,
+           there is no pending interrupt. */
+        return;
+    }
+
+    nr_vectors = msi_nr_vectors(flags);
+
+    /* This will discard pending interrupts, if any. */
+    pending = pci_get_long(dev->config + msi_pending_off(dev, msi64bit));
+    pending &= 0xffffffff >> (PCI_MSI_VECTORS_MAX - nr_vectors);
+    pci_set_long(dev->config + msi_pending_off(dev, msi64bit), pending);
+
+    /* deliver pending interrupts which are unmasked */
+    for (vector = 0; vector < nr_vectors; ++vector) {
+        if (msi_is_masked(dev, vector) || !(pending & (1U << vector))) {
+            continue;
+        }
+
+        pci_long_test_and_clear_mask(
+            dev->config + msi_pending_off(dev, msi64bit), 1U << vector);
+        msi_notify(dev, vector);
+    }
+}
+
+unsigned int msi_nr_vectors_allocated(const PCIDevice *dev)
+{
+    uint16_t flags = pci_get_word(dev->config + msi_flags_off(dev));
+    return msi_nr_vectors(flags);
+}
diff --git a/hw/msi.h b/hw/msi.h
new file mode 100644
index 0000000..5766018
--- /dev/null
+++ b/hw/msi.h
@@ -0,0 +1,41 @@
+/*
+ * msi.h
+ *
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef QEMU_MSI_H
+#define QEMU_MSI_H
+
+#include "qemu-common.h"
+#include "pci.h"
+
+bool msi_enabled(const PCIDevice *dev);
+int msi_init(struct PCIDevice *dev, uint8_t offset,
+             unsigned int nr_vectors, bool msi64bit, bool msi_per_vector_mask);
+void msi_uninit(struct PCIDevice *dev);
+void msi_reset(PCIDevice *dev);
+void msi_notify(PCIDevice *dev, unsigned int vector);
+void msi_write_config(PCIDevice *dev, uint32_t addr, uint32_t val, int len);
+unsigned int msi_nr_vectors_allocated(const PCIDevice *dev);
+
+static inline bool msi_present(const PCIDevice *dev)
+{
+    return dev->cap_present & QEMU_PCI_CAP_MSI;
+}
+
+#endif /* QEMU_MSI_H */
diff --git a/hw/pci.h b/hw/pci.h
index 3072a5f..9e2f27d 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -109,11 +109,12 @@ typedef struct PCIIORegion {
 
 /* Bits in cap_present field. */
 enum {
-    QEMU_PCI_CAP_MSIX = 0x1,
-    QEMU_PCI_CAP_EXPRESS = 0x2,
+    QEMU_PCI_CAP_MSI = 0x1,
+    QEMU_PCI_CAP_MSIX = 0x2,
+    QEMU_PCI_CAP_EXPRESS = 0x4,
 
     /* multifunction capable device */
-#define QEMU_PCI_CAP_MULTIFUNCTION_BITNR        2
+#define QEMU_PCI_CAP_MULTIFUNCTION_BITNR        3
     QEMU_PCI_CAP_MULTIFUNCTION = (1 << QEMU_PCI_CAP_MULTIFUNCTION_BITNR),
 };
 
@@ -171,6 +172,9 @@ struct PCIDevice {
     /* Version id needed for VMState */
     int32_t version_id;
 
+    /* Offset of MSI capability in config space */
+    uint8_t msi_cap;
+
     /* Location of option rom */
     char *romfile;
     ram_addr_t rom_offset;
commit 99443c21b06aa433d74880f9d2a0e4320631b906
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Oct 19 18:06:30 2010 +0900

    pci: use pci_word_test_and_clear_mask() in pci_device_reset()
    
    use pci_clear_bit_word() in pci_device_reset() where appropriate.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 300079f..409e2c0 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -139,9 +139,8 @@ static void pci_device_reset(PCIDevice *dev)
     dev->irq_state = 0;
     pci_update_irq_status(dev);
     /* Clear all writeable bits */
-    pci_set_word(dev->config + PCI_COMMAND,
-                 pci_get_word(dev->config + PCI_COMMAND) &
-                 ~pci_get_word(dev->wmask + PCI_COMMAND));
+    pci_word_test_and_clear_mask(dev->config + PCI_COMMAND,
+                                 pci_get_word(dev->wmask + PCI_COMMAND));
     dev->config[PCI_CACHE_LINE_SIZE] = 0x0;
     dev->config[PCI_INTERRUPT_LINE] = 0x0;
     for (r = 0; r < PCI_NUM_REGIONS; ++r) {
commit a5d1fd20ccfd1fbe840729378e4adbc3eb0f8306
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Oct 19 18:06:29 2010 +0900

    pci: introduce helper function to handle msi-x and msi.
    
    this patch implements helper functions to handle msi-x and msi
    uniformly.
    They will be used later.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index e3462a9..300079f 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -25,6 +25,8 @@
 #include "pci.h"
 #include "pci_bridge.h"
 #include "pci_internals.h"
+#include "msix.h"
+#include "msi.h"
 #include "monitor.h"
 #include "net.h"
 #include "sysemu.h"
@@ -1034,6 +1036,23 @@ static void pci_set_irq(void *opaque, int irq_num, int level)
     pci_change_irq_level(pci_dev, irq_num, change);
 }
 
+bool pci_msi_enabled(PCIDevice *dev)
+{
+    return msix_enabled(dev) || msi_enabled(dev);
+}
+
+void pci_msi_notify(PCIDevice *dev, unsigned int vector)
+{
+    if (msix_enabled(dev)) {
+        msix_notify(dev, vector);
+    } else if (msi_enabled(dev)) {
+        msi_notify(dev, vector);
+    } else {
+        /* MSI/MSI-X must be enabled */
+        abort();
+    }
+}
+
 /***********************************************************/
 /* monitor info on PCI */
 
diff --git a/hw/pci.h b/hw/pci.h
index 752e652..3072a5f 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -239,6 +239,9 @@ void do_pci_info_print(Monitor *mon, const QObject *data);
 void do_pci_info(Monitor *mon, QObject **ret_data);
 void pci_bridge_update_mappings(PCIBus *b);
 
+bool pci_msi_enabled(PCIDevice *dev);
+void pci_msi_notify(PCIDevice *dev, unsigned int vector);
+
 static inline void
 pci_set_byte(uint8_t *config, uint8_t val)
 {
commit aabcf5266f94e637afd4c38d46d1fc1d1381d99e
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Oct 19 18:06:28 2010 +0900

    pci: introduce helper functions to test-and-{clear, set} mask in configuration space
    
    This patch introduces helper functions to test-and-{clear, set} mask in configuration
    space. pci_{byte, word, long, quad}_test_and_{clear, set}_mask().
    They will be used later.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.h b/hw/pci.h
index d8b399f..752e652 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -323,6 +323,76 @@ pci_config_set_interrupt_pin(uint8_t *pci_config, uint8_t val)
     pci_set_byte(&pci_config[PCI_INTERRUPT_PIN], val);
 }
 
+/*
+ * helper functions to do bit mask operation on configuration space.
+ * Just to set bit, use test-and-set and discard returned value.
+ * Just to clear bit, use test-and-clear and discard returned value.
+ * NOTE: They aren't atomic.
+ */
+static inline uint8_t
+pci_byte_test_and_clear_mask(uint8_t *config, uint8_t mask)
+{
+    uint8_t val = pci_get_byte(config);
+    pci_set_byte(config, val & ~mask);
+    return val & mask;
+}
+
+static inline uint8_t
+pci_byte_test_and_set_mask(uint8_t *config, uint8_t mask)
+{
+    uint8_t val = pci_get_byte(config);
+    pci_set_byte(config, val | mask);
+    return val & mask;
+}
+
+static inline uint16_t
+pci_word_test_and_clear_mask(uint8_t *config, uint16_t mask)
+{
+    uint16_t val = pci_get_word(config);
+    pci_set_word(config, val & ~mask);
+    return val & mask;
+}
+
+static inline uint16_t
+pci_word_test_and_set_mask(uint8_t *config, uint16_t mask)
+{
+    uint16_t val = pci_get_word(config);
+    pci_set_word(config, val | mask);
+    return val & mask;
+}
+
+static inline uint32_t
+pci_long_test_and_clear_mask(uint8_t *config, uint32_t mask)
+{
+    uint32_t val = pci_get_long(config);
+    pci_set_long(config, val & ~mask);
+    return val & mask;
+}
+
+static inline uint32_t
+pci_long_test_and_set_mask(uint8_t *config, uint32_t mask)
+{
+    uint32_t val = pci_get_long(config);
+    pci_set_long(config, val | mask);
+    return val & mask;
+}
+
+static inline uint64_t
+pci_quad_test_and_clear_mask(uint8_t *config, uint64_t mask)
+{
+    uint64_t val = pci_get_quad(config);
+    pci_set_quad(config, val & ~mask);
+    return val & mask;
+}
+
+static inline uint64_t
+pci_quad_test_and_set_mask(uint8_t *config, uint64_t mask)
+{
+    uint64_t val = pci_get_quad(config);
+    pci_set_quad(config, val | mask);
+    return val & mask;
+}
+
 typedef int (*pci_qdev_initfn)(PCIDevice *dev);
 typedef struct {
     DeviceInfo qdev;
commit 244fb1e5824603d3c934f96d5a2f46d98a54e9bd
Merge: 30fe6cb... 9d5b3ab...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:53:29 2010 -0200

    Merge branch 'upstream-merge'
    
    * upstream-merge: (102 commits)
      issue snd_pcm_start() when capturing audio
      fix 100% CPU load when idle with ALSA
      trace: print a warning if user tries to enable an unknown trace event
      mips: avoid write only variables
      ppc: avoid write only variables
      i386: avoid a write only variable
      vnc: avoid write only variables
      cris: avoid a write only variable
      Delete write only variables
      ppc: remove video.x
      lsi53c895a: avoid a write only variable
      eepro100: initialize a variable in all cases
      cirrus: avoid write only variables
      block: avoid a write only variable
      trace: remove timestamp files when cleaning up
      configure: Send error message from spice check to /dev/null
      win32: Set unbuffered stdout
      .gitignore: Ignore *-timestamp
      acpi: Fix an infinite loop in acpi_table_add
      configure: Remove unneeded defines from checks
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 9d5b3ab9fdad6d53af301c5fccf0a7201f961ee0
Merge: 9fda9b6... 38cc9b6...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:50:57 2010 -0200

    Merge commit '38cc9b607f85017b095793cab6c129bc9844f441' into upstream-merge
    
    * commit '38cc9b607f85017b095793cab6c129bc9844f441': (44 commits)
      issue snd_pcm_start() when capturing audio
      fix 100% CPU load when idle with ALSA
      trace: print a warning if user tries to enable an unknown trace event
      mips: avoid write only variables
      ppc: avoid write only variables
      i386: avoid a write only variable
      vnc: avoid write only variables
      cris: avoid a write only variable
      Delete write only variables
      ppc: remove video.x
      lsi53c895a: avoid a write only variable
      eepro100: initialize a variable in all cases
      cirrus: avoid write only variables
      block: avoid a write only variable
      trace: remove timestamp files when cleaning up
      configure: Send error message from spice check to /dev/null
      win32: Set unbuffered stdout
      .gitignore: Ignore *-timestamp
      acpi: Fix an infinite loop in acpi_table_add
      configure: Remove unneeded defines from checks
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.target
index c054a7e,c48cbcc..5364555
--- a/Makefile.target
+++ b/Makefile.target
@@@ -333,14 -307,9 +333,14 @@@ obj-s390x-y = s390-virtio-bus.o s390-vi
  
  obj-alpha-y = alpha_palcode.o
  
 +ifeq ($(TARGET_ARCH), ia64)
 +firmware.o: firmware.c
 +	$(CC) $(HELPER_CFLAGS) $(CPPFLAGS) $(BASE_CFLAGS) -c -o $@ $<
 +endif
 +
  main.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
  
- monitor.o: qemu-monitor.h qmp-commands.h
+ monitor.o: hmp-commands.h qmp-commands.h
  
  $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
  
diff --cc hmp-commands.hx
index 0000000,81999aa..9406496
mode 000000,100644..100644
--- a/hmp-commands.hx
+++ b/hmp-commands.hx
@@@ -1,0 -1,1216 +1,1229 @@@
+ HXCOMM Use DEFHEADING() to define headings in both help text and texi
+ HXCOMM Text between STEXI and ETEXI are copied to texi version and
+ HXCOMM discarded from C version
+ HXCOMM DEF(command, args, callback, arg_string, help) is used to construct
+ HXCOMM monitor commands
+ HXCOMM HXCOMM can be used for comments, discarded from both texi and C
+ 
+ STEXI
+ @table @option
+ ETEXI
+ 
+     {
+         .name       = "help|?",
+         .args_type  = "name:s?",
+         .params     = "[cmd]",
+         .help       = "show the help",
+         .mhandler.cmd = do_help_cmd,
+     },
+ 
+ STEXI
+ @item help or ? [@var{cmd}]
+ @findex help
+ Show the help for all commands or just for command @var{cmd}.
+ ETEXI
+ 
+     {
+         .name       = "commit",
+         .args_type  = "device:B",
+         .params     = "device|all",
+         .help       = "commit changes to the disk images (if -snapshot is used) or backing files",
+         .mhandler.cmd = do_commit,
+     },
+ 
+ STEXI
+ @item commit
+ @findex commit
+ Commit changes to the disk images (if -snapshot is used) or backing files.
+ ETEXI
+ 
+     {
+         .name       = "q|quit",
+         .args_type  = "",
+         .params     = "",
+         .help       = "quit the emulator",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_quit,
+     },
+ 
+ STEXI
+ @item q or quit
+ @findex quit
+ Quit the emulator.
+ ETEXI
+ 
+     {
+         .name       = "eject",
+         .args_type  = "force:-f,device:B",
+         .params     = "[-f] device",
+         .help       = "eject a removable medium (use -f to force it)",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_eject,
+     },
+ 
+ STEXI
+ @item eject [-f] @var{device}
+ @findex eject
+ Eject a removable medium (use -f to force it).
+ ETEXI
+ 
+     {
+         .name       = "change",
+         .args_type  = "device:B,target:F,arg:s?",
+         .params     = "device filename [format]",
+         .help       = "change a removable medium, optional format",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_change,
+     },
+ 
+ STEXI
+ @item change @var{device} @var{setting}
+ @findex change
+ 
+ Change the configuration of a device.
+ 
+ @table @option
+ @item change @var{diskdevice} @var{filename} [@var{format}]
+ Change the medium for a removable disk device to point to @var{filename}. eg
+ 
+ @example
+ (qemu) change ide1-cd0 /path/to/some.iso
+ @end example
+ 
+ @var{format} is optional.
+ 
+ @item change vnc @var{display}, at var{options}
+ Change the configuration of the VNC server. The valid syntax for @var{display}
+ and @var{options} are described at @ref{sec_invocation}. eg
+ 
+ @example
+ (qemu) change vnc localhost:1
+ @end example
+ 
+ @item change vnc password [@var{password}]
+ 
+ Change the password associated with the VNC server. If the new password is not
+ supplied, the monitor will prompt for it to be entered. VNC passwords are only
+ significant up to 8 letters. eg
+ 
+ @example
+ (qemu) change vnc password
+ Password: ********
+ @end example
+ 
+ @end table
+ ETEXI
+ 
+     {
+         .name       = "screendump",
+         .args_type  = "filename:F",
+         .params     = "filename",
+         .help       = "save screen into PPM image 'filename'",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_screen_dump,
+     },
+ 
+ STEXI
+ @item screendump @var{filename}
+ @findex screendump
+ Save screen into PPM image @var{filename}.
+ ETEXI
+ 
+     {
+         .name       = "logfile",
+         .args_type  = "filename:F",
+         .params     = "filename",
+         .help       = "output logs to 'filename'",
+         .mhandler.cmd = do_logfile,
+     },
+ 
+ STEXI
+ @item logfile @var{filename}
+ @findex logfile
+ Output logs to @var{filename}.
+ ETEXI
+ 
+ #ifdef CONFIG_SIMPLE_TRACE
+     {
+         .name       = "trace-event",
+         .args_type  = "name:s,option:b",
+         .params     = "name on|off",
+         .help       = "changes status of a specific trace event",
+         .mhandler.cmd = do_change_trace_event_state,
+     },
+ 
+ STEXI
+ @item trace-event
+ @findex trace-event
+ changes status of a trace event
+ ETEXI
+ 
+     {
+         .name       = "trace-file",
+         .args_type  = "op:s?,arg:F?",
+         .params     = "on|off|flush|set [arg]",
+         .help       = "open, close, or flush trace file, or set a new file name",
+         .mhandler.cmd = do_trace_file,
+     },
+ 
+ STEXI
+ @item trace-file on|off|flush
+ @findex trace-file
+ Open, close, or flush the trace file.  If no argument is given, the status of the trace file is displayed.
+ ETEXI
+ #endif
+ 
+     {
+         .name       = "log",
+         .args_type  = "items:s",
+         .params     = "item1[,...]",
+         .help       = "activate logging of the specified items to '/tmp/qemu.log'",
+         .mhandler.cmd = do_log,
+     },
+ 
+ STEXI
+ @item log @var{item1}[,...]
+ @findex log
+ Activate logging of the specified items to @file{/tmp/qemu.log}.
+ ETEXI
+ 
+     {
+         .name       = "savevm",
+         .args_type  = "name:s?",
+         .params     = "[tag|id]",
+         .help       = "save a VM snapshot. If no tag or id are provided, a new snapshot is created",
+         .mhandler.cmd = do_savevm,
+     },
+ 
+ STEXI
+ @item savevm [@var{tag}|@var{id}]
+ @findex savevm
+ Create a snapshot of the whole virtual machine. If @var{tag} is
+ provided, it is used as human readable identifier. If there is already
+ a snapshot with the same tag or ID, it is replaced. More info at
+ @ref{vm_snapshots}.
+ ETEXI
+ 
+     {
+         .name       = "loadvm",
+         .args_type  = "name:s",
+         .params     = "tag|id",
+         .help       = "restore a VM snapshot from its tag or id",
+         .mhandler.cmd = do_loadvm,
+     },
+ 
+ STEXI
+ @item loadvm @var{tag}|@var{id}
+ @findex loadvm
+ Set the whole virtual machine to the snapshot identified by the tag
+ @var{tag} or the unique snapshot ID @var{id}.
+ ETEXI
+ 
+     {
+         .name       = "delvm",
+         .args_type  = "name:s",
+         .params     = "tag|id",
+         .help       = "delete a VM snapshot from its tag or id",
+         .mhandler.cmd = do_delvm,
+     },
+ 
+ STEXI
+ @item delvm @var{tag}|@var{id}
+ @findex delvm
+ Delete the snapshot identified by @var{tag} or @var{id}.
+ ETEXI
+ 
+     {
+         .name       = "singlestep",
+         .args_type  = "option:s?",
+         .params     = "[on|off]",
+         .help       = "run emulation in singlestep mode or switch to normal mode",
+         .mhandler.cmd = do_singlestep,
+     },
+ 
+ STEXI
+ @item singlestep [off]
+ @findex singlestep
+ Run the emulation in single step mode.
+ If called with option off, the emulation returns to normal mode.
+ ETEXI
+ 
+     {
+         .name       = "stop",
+         .args_type  = "",
+         .params     = "",
+         .help       = "stop emulation",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_stop,
+     },
+ 
+ STEXI
+ @item stop
+ @findex stop
+ Stop emulation.
+ ETEXI
+ 
+     {
+         .name       = "c|cont",
+         .args_type  = "",
+         .params     = "",
+         .help       = "resume emulation",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_cont,
+     },
+ 
+ STEXI
+ @item c or cont
+ @findex cont
+ Resume emulation.
+ ETEXI
+ 
+     {
+         .name       = "gdbserver",
+         .args_type  = "device:s?",
+         .params     = "[device]",
+         .help       = "start gdbserver on given device (default 'tcp::1234'), stop with 'none'",
+         .mhandler.cmd = do_gdbserver,
+     },
+ 
+ STEXI
+ @item gdbserver [@var{port}]
+ @findex gdbserver
+ Start gdbserver session (default @var{port}=1234)
+ ETEXI
+ 
+     {
+         .name       = "x",
+         .args_type  = "fmt:/,addr:l",
+         .params     = "/fmt addr",
+         .help       = "virtual memory dump starting at 'addr'",
+         .mhandler.cmd = do_memory_dump,
+     },
+ 
+ STEXI
+ @item x/fmt @var{addr}
+ @findex x
+ Virtual memory dump starting at @var{addr}.
+ ETEXI
+ 
+     {
+         .name       = "xp",
+         .args_type  = "fmt:/,addr:l",
+         .params     = "/fmt addr",
+         .help       = "physical memory dump starting at 'addr'",
+         .mhandler.cmd = do_physical_memory_dump,
+     },
+ 
+ STEXI
+ @item xp /@var{fmt} @var{addr}
+ @findex xp
+ Physical memory dump starting at @var{addr}.
+ 
+ @var{fmt} is a format which tells the command how to format the
+ data. Its syntax is: @option{/@{count@}@{format@}@{size@}}
+ 
+ @table @var
+ @item count
+ is the number of items to be dumped.
+ 
+ @item format
+ can be x (hex), d (signed decimal), u (unsigned decimal), o (octal),
+ c (char) or i (asm instruction).
+ 
+ @item size
+ can be b (8 bits), h (16 bits), w (32 bits) or g (64 bits). On x86,
+ @code{h} or @code{w} can be specified with the @code{i} format to
+ respectively select 16 or 32 bit code instruction size.
+ 
+ @end table
+ 
+ Examples:
+ @itemize
+ @item
+ Dump 10 instructions at the current instruction pointer:
+ @example
+ (qemu) x/10i $eip
+ 0x90107063:  ret
+ 0x90107064:  sti
+ 0x90107065:  lea    0x0(%esi,1),%esi
+ 0x90107069:  lea    0x0(%edi,1),%edi
+ 0x90107070:  ret
+ 0x90107071:  jmp    0x90107080
+ 0x90107073:  nop
+ 0x90107074:  nop
+ 0x90107075:  nop
+ 0x90107076:  nop
+ @end example
+ 
+ @item
+ Dump 80 16 bit values at the start of the video memory.
+ @smallexample
+ (qemu) xp/80hx 0xb8000
+ 0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42
+ 0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41
+ 0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72
+ 0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73
+ 0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20
+ 0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720
+ 0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+ 0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+ 0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+ 0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+ @end smallexample
+ @end itemize
+ ETEXI
+ 
+     {
+         .name       = "p|print",
+         .args_type  = "fmt:/,val:l",
+         .params     = "/fmt expr",
+         .help       = "print expression value (use $reg for CPU register access)",
+         .mhandler.cmd = do_print,
+     },
+ 
+ STEXI
+ @item p or print/@var{fmt} @var{expr}
+ @findex print
+ 
+ Print expression value. Only the @var{format} part of @var{fmt} is
+ used.
+ ETEXI
+ 
+     {
+         .name       = "i",
+         .args_type  = "fmt:/,addr:i,index:i.",
+         .params     = "/fmt addr",
+         .help       = "I/O port read",
+         .mhandler.cmd = do_ioport_read,
+     },
+ 
+ STEXI
+ Read I/O port.
+ ETEXI
+ 
+     {
+         .name       = "o",
+         .args_type  = "fmt:/,addr:i,val:i",
+         .params     = "/fmt addr value",
+         .help       = "I/O port write",
+         .mhandler.cmd = do_ioport_write,
+     },
+ 
+ STEXI
+ Write to I/O port.
+ ETEXI
+ 
+     {
+         .name       = "sendkey",
+         .args_type  = "string:s,hold_time:i?",
+         .params     = "keys [hold_ms]",
+         .help       = "send keys to the VM (e.g. 'sendkey ctrl-alt-f1', default hold time=100 ms)",
+         .mhandler.cmd = do_sendkey,
+     },
+ 
+ STEXI
+ @item sendkey @var{keys}
+ @findex sendkey
+ 
+ Send @var{keys} to the emulator. @var{keys} could be the name of the
+ key or @code{#} followed by the raw value in either decimal or hexadecimal
+ format. Use @code{-} to press several keys simultaneously. Example:
+ @example
+ sendkey ctrl-alt-f1
+ @end example
+ 
+ This command is useful to send keys that your graphical user interface
+ intercepts at low level, such as @code{ctrl-alt-f1} in X Window.
+ ETEXI
+ 
+     {
+         .name       = "system_reset",
+         .args_type  = "",
+         .params     = "",
+         .help       = "reset the system",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_system_reset,
+     },
+ 
+ STEXI
+ @item system_reset
+ @findex system_reset
+ 
+ Reset the system.
+ ETEXI
+ 
+     {
+         .name       = "system_powerdown",
+         .args_type  = "",
+         .params     = "",
+         .help       = "send system power down event",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_system_powerdown,
+     },
+ 
+ STEXI
+ @item system_powerdown
+ @findex system_powerdown
+ 
+ Power down the system (if supported).
+ ETEXI
+ 
+     {
+         .name       = "sum",
+         .args_type  = "start:i,size:i",
+         .params     = "addr size",
+         .help       = "compute the checksum of a memory region",
+         .mhandler.cmd = do_sum,
+     },
+ 
+ STEXI
+ @item sum @var{addr} @var{size}
+ @findex sum
+ 
+ Compute the checksum of a memory region.
+ ETEXI
+ 
+     {
+         .name       = "usb_add",
+         .args_type  = "devname:s",
+         .params     = "device",
+         .help       = "add USB device (e.g. 'host:bus.addr' or 'host:vendor_id:product_id')",
+         .mhandler.cmd = do_usb_add,
+     },
+ 
+ STEXI
+ @item usb_add @var{devname}
+ @findex usb_add
+ 
+ Add the USB device @var{devname}.  For details of available devices see
+ @ref{usb_devices}
+ ETEXI
+ 
+     {
+         .name       = "usb_del",
+         .args_type  = "devname:s",
+         .params     = "device",
+         .help       = "remove USB device 'bus.addr'",
+         .mhandler.cmd = do_usb_del,
+     },
+ 
+ STEXI
+ @item usb_del @var{devname}
+ @findex usb_del
+ 
+ Remove the USB device @var{devname} from the QEMU virtual USB
+ hub. @var{devname} has the syntax @code{bus.addr}. Use the monitor
+ command @code{info usb} to see the devices you can remove.
+ ETEXI
+ 
+     {
+         .name       = "device_add",
+         .args_type  = "device:O",
+         .params     = "driver[,prop=value][,...]",
+         .help       = "add device, like -device on the command line",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_device_add,
+     },
+ 
+ STEXI
+ @item device_add @var{config}
+ @findex device_add
+ 
+ Add device.
+ ETEXI
+ 
+     {
+         .name       = "device_del",
+         .args_type  = "id:s",
+         .params     = "device",
+         .help       = "remove device",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_device_del,
+     },
+ 
+ STEXI
+ @item device_del @var{id}
+ @findex device_del
+ 
+ Remove device @var{id}.
+ ETEXI
+ 
+     {
+         .name       = "cpu",
+         .args_type  = "index:i",
+         .params     = "index",
+         .help       = "set the default CPU",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_cpu_set,
+     },
+ 
+ STEXI
+ @item cpu @var{index}
+ @findex cpu
+ Set the default CPU.
+ ETEXI
+ 
+     {
+         .name       = "mouse_move",
+         .args_type  = "dx_str:s,dy_str:s,dz_str:s?",
+         .params     = "dx dy [dz]",
+         .help       = "send mouse move events",
+         .mhandler.cmd = do_mouse_move,
+     },
+ 
+ STEXI
+ @item mouse_move @var{dx} @var{dy} [@var{dz}]
+ @findex mouse_move
+ Move the active mouse to the specified coordinates @var{dx} @var{dy}
+ with optional scroll axis @var{dz}.
+ ETEXI
+ 
+     {
+         .name       = "mouse_button",
+         .args_type  = "button_state:i",
+         .params     = "state",
+         .help       = "change mouse button state (1=L, 2=M, 4=R)",
+         .mhandler.cmd = do_mouse_button,
+     },
+ 
+ STEXI
+ @item mouse_button @var{val}
+ @findex mouse_button
+ Change the active mouse button state @var{val} (1=L, 2=M, 4=R).
+ ETEXI
+ 
+     {
+         .name       = "mouse_set",
+         .args_type  = "index:i",
+         .params     = "index",
+         .help       = "set which mouse device receives events",
+         .mhandler.cmd = do_mouse_set,
+     },
+ 
+ STEXI
+ @item mouse_set @var{index}
+ @findex mouse_set
+ Set which mouse device receives events at given @var{index}, index
+ can be obtained with
+ @example
+ info mice
+ @end example
+ ETEXI
+ 
+ #ifdef HAS_AUDIO
+     {
+         .name       = "wavcapture",
+         .args_type  = "path:F,freq:i?,bits:i?,nchannels:i?",
+         .params     = "path [frequency [bits [channels]]]",
+         .help       = "capture audio to a wave file (default frequency=44100 bits=16 channels=2)",
+         .mhandler.cmd = do_wav_capture,
+     },
+ #endif
+ STEXI
+ @item wavcapture @var{filename} [@var{frequency} [@var{bits} [@var{channels}]]]
+ @findex wavcapture
+ Capture audio into @var{filename}. Using sample rate @var{frequency}
+ bits per sample @var{bits} and number of channels @var{channels}.
+ 
+ Defaults:
+ @itemize @minus
+ @item Sample rate = 44100 Hz - CD quality
+ @item Bits = 16
+ @item Number of channels = 2 - Stereo
+ @end itemize
+ ETEXI
+ 
+ #ifdef HAS_AUDIO
+     {
+         .name       = "stopcapture",
+         .args_type  = "n:i",
+         .params     = "capture index",
+         .help       = "stop capture",
+         .mhandler.cmd = do_stop_capture,
+     },
+ #endif
+ STEXI
+ @item stopcapture @var{index}
+ @findex stopcapture
+ Stop capture with a given @var{index}, index can be obtained with
+ @example
+ info capture
+ @end example
+ ETEXI
+ 
+     {
+         .name       = "memsave",
+         .args_type  = "val:l,size:i,filename:s",
+         .params     = "addr size file",
+         .help       = "save to disk virtual memory dump starting at 'addr' of size 'size'",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_memory_save,
+     },
+ 
+ STEXI
+ @item memsave @var{addr} @var{size} @var{file}
+ @findex memsave
+ save to disk virtual memory dump starting at @var{addr} of size @var{size}.
+ ETEXI
+ 
+     {
+         .name       = "pmemsave",
+         .args_type  = "val:l,size:i,filename:s",
+         .params     = "addr size file",
+         .help       = "save to disk physical memory dump starting at 'addr' of size 'size'",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_physical_memory_save,
+     },
+ 
+ STEXI
+ @item pmemsave @var{addr} @var{size} @var{file}
+ @findex pmemsave
+ save to disk physical memory dump starting at @var{addr} of size @var{size}.
+ ETEXI
+ 
+     {
+         .name       = "boot_set",
+         .args_type  = "bootdevice:s",
+         .params     = "bootdevice",
+         .help       = "define new values for the boot device list",
+         .mhandler.cmd = do_boot_set,
+     },
+ 
+ STEXI
+ @item boot_set @var{bootdevicelist}
+ @findex boot_set
+ 
+ Define new values for the boot device list. Those values will override
+ the values specified on the command line through the @code{-boot} option.
+ 
+ The values that can be specified here depend on the machine type, but are
+ the same that can be specified in the @code{-boot} command line option.
+ ETEXI
+ 
+ #if defined(TARGET_I386)
+     {
+         .name       = "nmi",
+         .args_type  = "cpu_index:i",
+         .params     = "cpu",
+         .help       = "inject an NMI on the given CPU",
+         .mhandler.cmd = do_inject_nmi,
+     },
+ #endif
+ STEXI
+ @item nmi @var{cpu}
+ @findex nmi
+ Inject an NMI on the given CPU (x86 only).
+ ETEXI
+ 
+     {
+         .name       = "migrate",
+         .args_type  = "detach:-d,blk:-b,inc:-i,uri:s",
+         .params     = "[-d] [-b] [-i] uri",
+         .help       = "migrate to URI (using -d to not wait for completion)"
+ 		      "\n\t\t\t -b for migration without shared storage with"
+ 		      " full copy of disk\n\t\t\t -i for migration without "
+ 		      "shared storage with incremental copy of disk "
+ 		      "(base image shared between src and destination)",
+         .user_print = monitor_user_noop,	
+ 	.mhandler.cmd_new = do_migrate,
+     },
+ 
+ 
+ STEXI
+ @item migrate [-d] [-b] [-i] @var{uri}
+ @findex migrate
+ Migrate to @var{uri} (using -d to not wait for completion).
+ 	-b for migration with full copy of disk
+ 	-i for migration with incremental copy of disk (base image is shared)
+ ETEXI
+ 
+     {
+         .name       = "migrate_cancel",
+         .args_type  = "",
+         .params     = "",
+         .help       = "cancel the current VM migration",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_migrate_cancel,
+     },
+ 
+ STEXI
+ @item migrate_cancel
+ @findex migrate_cancel
+ Cancel the current VM migration.
+ ETEXI
+ 
+     {
+         .name       = "migrate_set_speed",
+         .args_type  = "value:f",
+         .params     = "value",
+         .help       = "set maximum speed (in bytes) for migrations",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_migrate_set_speed,
+     },
+ 
+ STEXI
+ @item migrate_set_speed @var{value}
+ @findex migrate_set_speed
+ Set maximum speed to @var{value} (in bytes) for migrations.
+ ETEXI
+ 
+     {
+         .name       = "migrate_set_downtime",
+         .args_type  = "value:T",
+         .params     = "value",
+         .help       = "set maximum tolerated downtime (in seconds) for migrations",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_migrate_set_downtime,
+     },
+ 
+ STEXI
+ @item migrate_set_downtime @var{second}
+ @findex migrate_set_downtime
+ Set maximum tolerated downtime (in seconds) for migration.
+ ETEXI
+ 
+ #if defined(TARGET_I386)
+     {
+         .name       = "drive_add",
+         .args_type  = "pci_addr:s,opts:s",
+         .params     = "[[<domain>:]<bus>:]<slot>\n"
+                       "[file=file][,if=type][,bus=n]\n"
+                       "[,unit=m][,media=d][index=i]\n"
+                       "[,cyls=c,heads=h,secs=s[,trans=t]]\n"
+                       "[snapshot=on|off][,cache=on|off]",
+         .help       = "add drive to PCI storage controller",
+         .mhandler.cmd = drive_hot_add,
+     },
+ #endif
+ 
+ STEXI
+ @item drive_add
+ @findex drive_add
+ Add drive to PCI storage controller.
+ ETEXI
+ 
+ #if defined(TARGET_I386)
+     {
+         .name       = "pci_add",
+         .args_type  = "pci_addr:s,type:s,opts:s?",
 -        .params     = "auto|[[<domain>:]<bus>:]<slot> nic|storage [[vlan=n][,macaddr=addr][,model=type]] [file=file][,if=type][,bus=nr]...",
++        .params     = "auto|[[<domain>:]<bus>:]<slot> nic|storage|host [[vlan=n][,macaddr=addr][,model=type]] [file=file][,if=type][,bus=nr]... [host=02:00.0[,name=string][,dma=none]",
+         .help       = "hot-add PCI device",
+         .mhandler.cmd = pci_device_hot_add,
+     },
+ #endif
+ 
+ STEXI
+ @item pci_add
+ @findex pci_add
+ Hot-add PCI device.
+ ETEXI
+ 
+ #if defined(TARGET_I386)
+     {
+         .name       = "pci_del",
+         .args_type  = "pci_addr:s",
+         .params     = "[[<domain>:]<bus>:]<slot>",
+         .help       = "hot remove PCI device",
+         .mhandler.cmd = do_pci_device_hot_remove,
+     },
+ #endif
+ 
+ STEXI
+ @item pci_del
+ @findex pci_del
+ Hot remove PCI device.
+ ETEXI
+ 
+     {
+         .name       = "host_net_add",
+         .args_type  = "device:s,opts:s?",
+         .params     = "tap|user|socket|vde|dump [options]",
+         .help       = "add host VLAN client",
+         .mhandler.cmd = net_host_device_add,
+     },
+ 
+ STEXI
+ @item host_net_add
+ @findex host_net_add
+ Add host VLAN client.
+ ETEXI
+ 
+     {
+         .name       = "host_net_remove",
+         .args_type  = "vlan_id:i,device:s",
+         .params     = "vlan_id name",
+         .help       = "remove host VLAN client",
+         .mhandler.cmd = net_host_device_remove,
+     },
+ 
+ STEXI
+ @item host_net_remove
+ @findex host_net_remove
+ Remove host VLAN client.
+ ETEXI
+ 
+     {
+         .name       = "netdev_add",
+         .args_type  = "netdev:O",
+         .params     = "[user|tap|socket],id=str[,prop=value][,...]",
+         .help       = "add host network device",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_netdev_add,
+     },
+ 
+ STEXI
+ @item netdev_add
+ @findex netdev_add
+ Add host network device.
+ ETEXI
+ 
+     {
+         .name       = "netdev_del",
+         .args_type  = "id:s",
+         .params     = "id",
+         .help       = "remove host network device",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_netdev_del,
+     },
+ 
+ STEXI
+ @item netdev_del
+ @findex netdev_del
+ Remove host network device.
+ ETEXI
+ 
+ #ifdef CONFIG_SLIRP
+     {
+         .name       = "hostfwd_add",
+         .args_type  = "arg1:s,arg2:s?,arg3:s?",
+         .params     = "[vlan_id name] [tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport",
+         .help       = "redirect TCP or UDP connections from host to guest (requires -net user)",
+         .mhandler.cmd = net_slirp_hostfwd_add,
+     },
+ #endif
+ STEXI
+ @item hostfwd_add
+ @findex hostfwd_add
+ Redirect TCP or UDP connections from host to guest (requires -net user).
+ ETEXI
+ 
+ #ifdef CONFIG_SLIRP
+     {
+         .name       = "hostfwd_remove",
+         .args_type  = "arg1:s,arg2:s?,arg3:s?",
+         .params     = "[vlan_id name] [tcp|udp]:[hostaddr]:hostport",
+         .help       = "remove host-to-guest TCP or UDP redirection",
+         .mhandler.cmd = net_slirp_hostfwd_remove,
+     },
+ 
+ #endif
+ STEXI
+ @item hostfwd_remove
+ @findex hostfwd_remove
+ Remove host-to-guest TCP or UDP redirection.
+ ETEXI
+ 
+     {
+         .name       = "balloon",
+         .args_type  = "value:M",
+         .params     = "target",
+         .help       = "request VM to change its memory allocation (in MB)",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_async = do_balloon,
+         .flags      = MONITOR_CMD_ASYNC,
+     },
+ 
+ STEXI
+ @item balloon @var{value}
+ @findex balloon
+ Request VM to change its memory allocation to @var{value} (in MB).
+ ETEXI
+ 
+     {
+         .name       = "set_link",
+         .args_type  = "name:s,up:b",
+         .params     = "name on|off",
+         .help       = "change the link status of a network adapter",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_set_link,
+     },
+ 
+ STEXI
+ @item set_link @var{name} [on|off]
+ @findex set_link
+ Switch link @var{name} on (i.e. up) or off (i.e. down).
+ ETEXI
+ 
+     {
+         .name       = "watchdog_action",
+         .args_type  = "action:s",
+         .params     = "[reset|shutdown|poweroff|pause|debug|none]",
+         .help       = "change watchdog action",
+         .mhandler.cmd = do_watchdog_action,
+     },
+ 
+ STEXI
+ @item watchdog_action
+ @findex watchdog_action
+ Change watchdog action.
+ ETEXI
+ 
+     {
+         .name       = "acl_show",
+         .args_type  = "aclname:s",
+         .params     = "aclname",
+         .help       = "list rules in the access control list",
+         .mhandler.cmd = do_acl_show,
+     },
+ 
+ STEXI
+ @item acl_show @var{aclname}
+ @findex acl_show
+ List all the matching rules in the access control list, and the default
+ policy. There are currently two named access control lists,
+ @var{vnc.x509dname} and @var{vnc.username} matching on the x509 client
+ certificate distinguished name, and SASL username respectively.
+ ETEXI
+ 
+     {
+         .name       = "acl_policy",
+         .args_type  = "aclname:s,policy:s",
+         .params     = "aclname allow|deny",
+         .help       = "set default access control list policy",
+         .mhandler.cmd = do_acl_policy,
+     },
+ 
+ STEXI
+ @item acl_policy @var{aclname} @code{allow|deny}
+ @findex acl_policy
+ Set the default access control list policy, used in the event that
+ none of the explicit rules match. The default policy at startup is
+ always @code{deny}.
+ ETEXI
+ 
+     {
+         .name       = "acl_add",
+         .args_type  = "aclname:s,match:s,policy:s,index:i?",
+         .params     = "aclname match allow|deny [index]",
+         .help       = "add a match rule to the access control list",
+         .mhandler.cmd = do_acl_add,
+     },
+ 
+ STEXI
+ @item acl_add @var{aclname} @var{match} @code{allow|deny} [@var{index}]
+ @findex acl_add
+ Add a match rule to the access control list, allowing or denying access.
+ The match will normally be an exact username or x509 distinguished name,
+ but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to
+ allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will
+ normally be appended to the end of the ACL, but can be inserted
+ earlier in the list if the optional @var{index} parameter is supplied.
+ ETEXI
+ 
+     {
+         .name       = "acl_remove",
+         .args_type  = "aclname:s,match:s",
+         .params     = "aclname match",
+         .help       = "remove a match rule from the access control list",
+         .mhandler.cmd = do_acl_remove,
+     },
+ 
+ STEXI
+ @item acl_remove @var{aclname} @var{match}
+ @findex acl_remove
+ Remove the specified match rule from the access control list.
+ ETEXI
+ 
+     {
+         .name       = "acl_reset",
+         .args_type  = "aclname:s",
+         .params     = "aclname",
+         .help       = "reset the access control list",
+         .mhandler.cmd = do_acl_reset,
+     },
+ 
+ STEXI
+ @item acl_reset @var{aclname}
+ @findex acl_reset
+ Remove all matches from the access control list, and set the default
+ policy back to @code{deny}.
+ ETEXI
+ 
+ #if defined(TARGET_I386)
+ 
+     {
+         .name       = "mce",
+         .args_type  = "cpu_index:i,bank:i,status:l,mcg_status:l,addr:l,misc:l",
+         .params     = "cpu bank status mcgstatus addr misc",
+         .help       = "inject a MCE on the given CPU",
+         .mhandler.cmd = do_inject_mce,
+     },
+ 
+ #endif
+ STEXI
+ @item mce @var{cpu} @var{bank} @var{status} @var{mcgstatus} @var{addr} @var{misc}
+ @findex mce (x86)
+ Inject an MCE on the given CPU (x86 only).
+ ETEXI
+ 
+     {
+         .name       = "getfd",
+         .args_type  = "fdname:s",
+         .params     = "getfd name",
+         .help       = "receive a file descriptor via SCM rights and assign it a name",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_getfd,
+     },
+ 
+ STEXI
+ @item getfd @var{fdname}
+ @findex getfd
+ If a file descriptor is passed alongside this command using the SCM_RIGHTS
+ mechanism on unix sockets, it is stored using the name @var{fdname} for
+ later use by other monitor commands.
+ ETEXI
+ 
+     {
+         .name       = "closefd",
+         .args_type  = "fdname:s",
+         .params     = "closefd name",
+         .help       = "close a file descriptor previously passed via SCM rights",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_closefd,
+     },
+ 
+ STEXI
+ @item closefd @var{fdname}
+ @findex closefd
+ Close the file descriptor previously assigned to @var{fdname} using the
+ @code{getfd} command. This is only needed if the file descriptor was never
+ used by another monitor command.
+ ETEXI
+ 
+     {
+         .name       = "block_passwd",
+         .args_type  = "device:B,password:s",
+         .params     = "block_passwd device password",
+         .help       = "set the password of encrypted block devices",
+         .user_print = monitor_user_noop,
+         .mhandler.cmd_new = do_block_set_passwd,
+     },
+ 
+ STEXI
+ @item block_passwd @var{device} @var{password}
+ @findex block_passwd
+ Set the encrypted device @var{device} password to @var{password}
+ ETEXI
+ 
+     {
++        .name       = "cpu_set",
++        .args_type  = "cpu:i,state:s",
++        .params     = "cpu [online|offline]",
++        .help       = "change cpu state",
++        .mhandler.cmd  = do_cpu_set_nr,
++    },
++
++STEXI
++ at item cpu_set @var{cpu} [online|offline]
++Set CPU @var{cpu} online or offline.
++ETEXI
++
++    {
+         .name       = "info",
+         .args_type  = "item:s?",
+         .params     = "[subcommand]",
+         .help       = "show various information about the system state",
+         .mhandler.cmd = do_info,
+     },
+ 
+ STEXI
+ @item info @var{subcommand}
+ @findex info
+ Show various information about the system state.
+ 
+ @table @option
+ @item info version
+ show the version of QEMU
+ @item info network
+ show the various VLANs and the associated devices
+ @item info chardev
+ show the character devices
+ @item info block
+ show the block devices
+ @item info blockstats
+ show block device statistics
+ @item info registers
+ show the cpu registers
+ @item info cpus
+ show infos for each CPU
+ @item info history
+ show the command line history
+ @item info irq
+ show the interrupts statistics (if available)
+ @item info pic
+ show i8259 (PIC) state
+ @item info pci
+ show emulated PCI device info
+ @item info tlb
+ show virtual to physical memory mappings (i386 only)
+ @item info mem
+ show the active virtual memory mappings (i386 only)
+ @item info jit
+ show dynamic compiler info
+ @item info kvm
+ show KVM information
+ @item info numa
+ show NUMA information
+ @item info kvm
+ show KVM information
+ @item info usb
+ show USB devices plugged on the virtual USB hub
+ @item info usbhost
+ show all USB host devices
+ @item info profile
+ show profiling information
+ @item info capture
+ show information about active capturing
+ @item info snapshots
+ show list of VM snapshots
+ @item info status
+ show the current VM status (running|paused)
+ @item info pcmcia
+ show guest PCMCIA status
+ @item info mice
+ show which guest mouse is receiving events
+ @item info vnc
+ show the vnc server status
+ @item info name
+ show the current VM name
+ @item info uuid
+ show the current VM UUID
+ @item info cpustats
+ show CPU statistics
+ @item info usernet
+ show user network stack connection states
+ @item info migrate
+ show migration status
+ @item info balloon
+ show balloon information
+ @item info qtree
+ show device tree
+ @item info qdm
+ show qdev device model list
+ @item info roms
+ show roms
+ @end table
+ ETEXI
+ 
+ #ifdef CONFIG_SIMPLE_TRACE
+ STEXI
+ @item info trace
+ show contents of trace buffer
+ @item info trace-events
+ show available trace events and their state
+ ETEXI
+ #endif
+ 
+ STEXI
+ @end table
+ ETEXI
commit 9fda9b64c67ba6b87acd485ed25d6f1fa9f233f1
Merge: 9d955a4... 54dd932...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:48:14 2010 -0200

    Merge commit '54dd932128ae08d6a5a6668551508e30520b0f86' into upstream-merge
    
    * commit '54dd932128ae08d6a5a6668551508e30520b0f86':
      virtio: change set guest notifier to per-device
      eepro100: Add support for multiple individual addresses (multiple IA)
    
    Conflicts:
    	hw/virtio-pci.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 9d955a47e38d0b479d4670b76da5235d407861a6
Merge: 89ed5c8... afbaa7b...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:43:46 2010 -0200

    Merge commit 'afbaa7b4382faced3c364606a5e5d5389462147b' into upstream-merge
    
    * commit 'afbaa7b4382faced3c364606a5e5d5389462147b': (24 commits)
      virtio-net: unify vhost-net start/stop
      virtio: invoke set_status callback on reset
      net: delay freeing peer host device
      console: Avoid dereferencing NULL active_console
      exec: Fix compilation error for debug code
      rc4030: Fix compilation error in debug code
      mipsnet: Fix compiler warning in debug code
      block/vvfat: Fix compiler warning in debug code
      virtio-9p: Use GCC_FMT_ATTR and fix a format warning
      blockdev: Use GCC_FMT_ATTR (format checking)
      Use GCC_FMT_ATTR (format checking)
      Replace most gcc format attributes by macro GCC_FMT_ATTR (format checking)
      slirp: Silence warning on Haiku
      tap: Add stub for Haiku
      nbd: Haiku has _IO() in its BSD compatibility layer
      Haiku doesn't have libm
      configure: Don't rely on special pthreads library
      configure: Add basic support for Haiku
      trace: avoid unnecessary recompilation if nothing changed
      Makefile: fix config-devices.mak generation
      ...
    
    Conflicts:
    	hw/virtio-net.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index f45f59a,e0d34fd..4b7c596
--- a/configure
+++ b/configure
@@@ -330,13 -317,11 +330,14 @@@ guest_base="
  uname_release=""
  io_thread="no"
  mixemu="no"
 +kvm_cap_pit=""
 +kvm_cap_device_assignment=""
  kerneldir=""
  aix="no"
+ haiku="no"
  blobs="yes"
 -pkgversion=""
 +pkgversion=" ($(kvm_version))"
 +cpu_emulation="yes"
  check_utests="no"
  user_pie="no"
  zero_malloc=""
diff --cc qjson.h
index cd60e0b,70d0afb..65b10ea
--- a/qjson.h
+++ b/qjson.h
@@@ -18,12 -18,10 +18,11 @@@
  #include "qobject.h"
  #include "qstring.h"
  
- QObject *qobject_from_json(const char *string);
- QObject *qobject_from_jsonf(const char *string, ...)
-     __attribute__((__format__ (__printf__, 1, 2)));
- QObject *qobject_from_jsonv(const char *string, va_list *ap);
+ QObject *qobject_from_json(const char *string) GCC_FMT_ATTR(1, 0);
+ QObject *qobject_from_jsonf(const char *string, ...) GCC_FMT_ATTR(1, 2);
+ QObject *qobject_from_jsonv(const char *string, va_list *ap) GCC_FMT_ATTR(1, 0);
  
  QString *qobject_to_json(const QObject *obj);
 +QString *qobject_to_json_pretty(const QObject *obj);
  
  #endif /* QJSON_H */
commit 89ed5c8564250d84eb3071abdcc8bba6e326901e
Merge: 90914eb... cd4ec0b...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:38:43 2010 -0200

    Merge commit 'cd4ec0b4d169faba8cc03a16b361700e32a83bd6' into upstream-merge
    
    * commit 'cd4ec0b4d169faba8cc03a16b361700e32a83bd6':
      add spice into the configure file
    
    Conflicts:
    	configure
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index f1271e1,695a632..f45f59a
--- a/configure
+++ b/configure
@@@ -654,14 -631,10 +655,18 @@@ for opt d
    ;;
    --enable-kvm) kvm="yes"
    ;;
 +  --disable-kvm-pit) kvm_cap_pit="no"
 +  ;;
 +  --enable-kvm-pit) kvm_cap_pit="yes"
 +  ;;
 +  --disable-kvm-device-assignment) kvm_cap_device_assignment="no"
 +  ;;
 +  --enable-kvm-device-assignment) kvm_cap_device_assignment="yes"
 +  ;;
+   --disable-spice) spice="no"
+   ;;
+   --enable-spice) spice="yes"
+   ;;
    --enable-profiler) profiler="yes"
    ;;
    --enable-cocoa)
@@@ -2663,18 -2512,11 +2694,22 @@@ f
  if test "$fdatasync" = "yes" ; then
    echo "CONFIG_FDATASYNC=y" >> $config_host_mak
  fi
 +if test $cpu_emulation = "yes"; then
 +  echo "CONFIG_CPU_EMULATION=y" >> $config_host_mak
 +else
 +  echo "CONFIG_NO_CPU_EMULATION=y" >> $config_host_mak
 +fi
 +if test "$madvise" = "yes" ; then
 +  echo "CONFIG_MADVISE=y" >> $config_host_mak
 +fi
 +if test "$posix_madvise" = "yes" ; then
 +  echo "CONFIG_POSIX_MADVISE=y" >> $config_host_mak
 +fi
  
+ if test "$spice" = "yes" ; then
+   echo "CONFIG_SPICE=y" >> $config_host_mak
+ fi
+ 
  # XXX: suppress that
  if [ "$bsd" = "yes" ] ; then
    echo "CONFIG_BSD=y" >> $config_host_mak
commit 90914eb4d980cec24acccaa816b1992b7acf47bc
Merge: 4ebd271... da1d85e...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:33:01 2010 -0200

    Merge commit 'da1d85e339730effd889978be5ae2caadd01bfa9' into upstream-merge
    
    * commit 'da1d85e339730effd889978be5ae2caadd01bfa9':
      configure: add logging
      add pflib: PixelFormat conversion library.
      Use machine_init() to register virtfs config options.
      Use display types for local display only.
    
    Conflicts:
    	configure
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index e542660,66b1d0b..f1271e1
--- a/configure
+++ b/configure
@@@ -15,12 -15,12 +15,14 @@@ TMPC="${TMPDIR1}/qemu-conf-${RANDOM}-$$
  TMPO="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.o"
  TMPE="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.exe"
  
 -trap "rm -f $TMPC $TMPO $TMPE ; exit" EXIT INT QUIT TERM
 +# NB: do not call "exit" in the trap handler; this is buggy with some shells;
 +# see <1285349658-3122-1-git-send-email-loic.minier at linaro.org>
 +trap "rm -f $TMPC $TMPO $TMPE" EXIT INT QUIT TERM
+ rm -f config.log
  
  compile_object() {
-   $cc $QEMU_CFLAGS -c -o $TMPO $TMPC > /dev/null 2> /dev/null
+   echo $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log
+   $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log 2>&1
  }
  
  compile_prog() {
commit 4ebd2711c3baa6a78d3a4521b146ac522c238d14
Merge: 32bb25e... 30f5041...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 15:16:11 2010 -0200

    Merge commit '30f5041ef1ba534af9308d840bf359a50597ba5d' into upstream-merge
    
    * commit '30f5041ef1ba534af9308d840bf359a50597ba5d': (23 commits)
      Monitor: Drop QMP info from the qemu-monitor.hx file
      QMP: Small cleanup in handle_qmp_command()
      QMP: Simplify do_info_commands()
      QMP: Introduce query commands dispatch table
      QMP: Introduce command dispatch table
      QMP: Introduce qmp_find_cmd()
      Monitor: Introduce the qmp-commands.hx file
      Monitor: Convert do_info() back to HMP
      Monitor: Drop is_async_return()
      Monitor: Drop QMP bits from do_info()
      QMP: Don't use do_info()
      QMP: handle_qmp_command(): Move 'cmd' sanity check
      Monitor: Introduce search_dispatch_table()
      disable guest-provided stats on "info balloon" command
      Add option to turn on JSON pretty printing in monitor
      Add support for JSON pretty printing
      powerpc: Add a virtex5 ml507 refdesign board
      powerpc: Add a ppc-440x5 Xilinx model
      tap: Remove double include of util.h
      pulse-audio: fix bug on updating rpos
      ...
    
    Conflicts:
    	qemu-monitor.hx
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc Makefile.target
index d8a619d,3a1fa7e..d7ec930
--- a/Makefile.target
+++ b/Makefile.target
@@@ -244,9 -222,13 +246,15 @@@ obj-ppc-y += virtex_ml507.
  obj-ppc-$(CONFIG_KVM) += kvm_ppc.o
  obj-ppc-$(CONFIG_FDT) += device_tree.o
  
+ # Xilinx PPC peripherals
+ obj-ppc-y += xilinx_intc.o
+ obj-ppc-y += xilinx_timer.o
+ obj-ppc-y += xilinx_uartlite.o
+ obj-ppc-y += xilinx_ethlite.o
+ 
  obj-mips-y = mips_r4k.o mips_jazz.o mips_malta.o mips_mipssim.o
 +obj-mips-y += pcspk.o i8254.o
 +obj-mips-y += acpi.o acpi_piix4.o
  obj-mips-y += mips_addr.o mips_timer.o mips_int.o
  obj-mips-y += vga.o i8259.o
  obj-mips-y += g364fb.o jazz_led.o
@@@ -323,14 -305,9 +331,14 @@@ obj-s390x-y = s390-virtio-bus.o s390-vi
  
  obj-alpha-y = alpha_palcode.o
  
 +ifeq ($(TARGET_ARCH), ia64)
 +firmware.o: firmware.c
 +	$(CC) $(HELPER_CFLAGS) $(CPPFLAGS) $(BASE_CFLAGS) -c -o $@ $<
 +endif
 +
  main.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
  
- monitor.o: qemu-monitor.h
+ monitor.o: qemu-monitor.h qmp-commands.h
  
  $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
  
diff --cc qemu-monitor.hx
index 620f937,81999aa..9406496
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@@ -1588,81 -1114,8 +1114,21 @@@ STEX
  @findex block_passwd
  Set the encrypted device @var{device} password to @var{password}
  ETEXI
- SQMP
- block_passwd
- ------------
- 
- Set the password of encrypted block devices.
- 
- Arguments:
- 
- - "device": device name (json-string)
- - "password": password (json-string)
- 
- Example:
- 
- -> { "execute": "block_passwd", "arguments": { "device": "ide0-hd0",
-                                                "password": "12345" } }
- <- { "return": {} }
- 
- EQMP
  
      {
 +        .name       = "cpu_set",
 +        .args_type  = "cpu:i,state:s",
 +        .params     = "cpu [online|offline]",
 +        .help       = "change cpu state",
 +        .mhandler.cmd  = do_cpu_set_nr,
 +    },
 +
 +STEXI
 + at item cpu_set @var{cpu} [online|offline]
 +Set CPU @var{cpu} online or offline.
 +ETEXI
 +
 +    {
-         .name       = "qmp_capabilities",
-         .args_type  = "",
-         .params     = "",
-         .help       = "enable QMP capabilities",
-         .user_print = monitor_user_noop,
-         .mhandler.cmd_new = do_qmp_capabilities,
-     },
- 
- STEXI
- @item qmp_capabilities
- @findex qmp_capabilities
- Enable the specified QMP capabilities
- ETEXI
- SQMP
- qmp_capabilities
- ----------------
- 
- Enable QMP capabilities.
- 
- Arguments: None.
- 
- Example:
- 
- -> { "execute": "qmp_capabilities" }
- <- { "return": {} }
- 
- Note: This command must be issued before issuing any other command.
- 
- EQMP
- 
- 
- HXCOMM Keep the 'info' command at the end!
- HXCOMM This is required for the QMP documentation layout.
- 
- SQMP
- 
- 3. Query Commands
- =================
- 
- EQMP
- 
-     {
          .name       = "info",
          .args_type  = "item:s?",
          .params     = "[subcommand]",
commit 32bb25e8792d248db1836ae68edf8815cb1b75e5
Merge: 30fe6cb... e78815a...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 14:51:05 2010 -0200

    Merge commit 'e78815a554adaa551d62a71be10ee2fcf128e473' into upstream-merge
    
    * commit 'e78815a554adaa551d62a71be10ee2fcf128e473':
      Introduce qemu_madvise()
      powerpc: Make the decr interrupt type overridable
      powerpc: Improve emulation of the BookE MMU
      fmopl: workaround for -Wempty-body
    
    Conflicts:
    	configure
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc configure
index 91834e2,6a21bf2..ed46d80
--- a/configure
+++ b/configure
@@@ -2620,11 -2505,12 +2647,17 @@@ f
  if test "$fdatasync" = "yes" ; then
    echo "CONFIG_FDATASYNC=y" >> $config_host_mak
  fi
 +if test $cpu_emulation = "yes"; then
 +  echo "CONFIG_CPU_EMULATION=y" >> $config_host_mak
 +else
 +  echo "CONFIG_NO_CPU_EMULATION=y" >> $config_host_mak
 +fi
+ if test "$madvise" = "yes" ; then
+   echo "CONFIG_MADVISE=y" >> $config_host_mak
+ fi
+ if test "$posix_madvise" = "yes" ; then
+   echo "CONFIG_POSIX_MADVISE=y" >> $config_host_mak
+ fi
  
  # XXX: suppress that
  if [ "$bsd" = "yes" ] ; then
commit 30fe6cbfe403f056854c5ca3b7c3b3255de299b2
Merge: ba43f03... 0d797e7...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Oct 18 14:44:53 2010 -0200

    Merge branch 'vhost' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/qemu-kvm
    
    * 'vhost' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/qemu-kvm:
      msix: factor out mask notifier code
      vhost: error code
      vhost: fix up irqfd support
      virtio-net: unify vhost-net start/stop
      virtio: invoke set_status callback on reset
    
    Conflicts:
    	hw/msix.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/msix.c
index f6ab686,5511d00..43efbd2
--- a/hw/msix.c
+++ b/hw/msix.c
@@@ -373,8 -371,12 +370,6 @@@ int msix_init(struct PCIDevice *dev, un
      if (nentries > MSIX_MAX_ENTRIES)
          return -EINVAL;
  
-     dev->msix_mask_notifier_opaque =
-         qemu_mallocz(nentries * sizeof *dev->msix_mask_notifier_opaque);
 -#ifdef KVM_CAP_IRQCHIP
 -    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
 -        dev->msix_irq_entries = qemu_malloc(nentries *
 -                                            sizeof *dev->msix_irq_entries);
 -    }
 -#endif
      dev->msix_mask_notifier = NULL;
      dev->msix_entry_used = qemu_mallocz(MSIX_MAX_ENTRIES *
                                          sizeof *dev->msix_entry_used);
diff --cc hw/pci.h
index 0370e89,820d5b3..334e928
--- a/hw/pci.h
+++ b/hw/pci.h
@@@ -131,15 -131,8 +131,15 @@@ enum 
  #define PCI_CAPABILITY_CONFIG_MSIX_LENGTH 0x10
  
  typedef int (*msix_mask_notifier_func)(PCIDevice *, unsigned vector,
- 				       void *opaque, int masked);
+ 				       int masked);
  
 +struct kvm_msix_message {
 +    uint32_t gsi;
 +    uint32_t addr_lo;
 +    uint32_t addr_hi;
 +    uint32_t data;
 +};
 +
  struct PCIDevice {
      DeviceState qdev;
      /* PCI config space */
@@@ -203,9 -196,8 +203,8 @@@
       * on the rest of the region. */
      target_phys_addr_t msix_page_size;
  
 -    struct kvm_irq_routing_entry *msix_irq_entries;
 +    struct kvm_msix_message *msix_irq_entries;
  
-     void **msix_mask_notifier_opaque;
      msix_mask_notifier_func msix_mask_notifier;
  
      /* Device capability configuration space */
commit 1a4f5971b6f785db7cb2b964754d04103a0d2033
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Oct 18 12:17:42 2010 +0900

    pci: make pci_del_capability() update for w1cmask
    
    Clear w1cmask when deleting a pci capability.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index abddc6d..e3462a9 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1745,6 +1745,7 @@ void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
     pdev->config[prev] = pdev->config[offset + PCI_CAP_LIST_NEXT];
     /* Make capability writeable again */
     memset(pdev->wmask + offset, 0xff, size);
+    memset(pdev->w1cmask + offset, 0, size);
     /* Clear cmask as device-specific registers can't be checked */
     memset(pdev->cmask + offset, 0, size);
     memset(pdev->used + offset, 0, size);
commit 38cc9b607f85017b095793cab6c129bc9844f441
Author: Jindrich Makovicka <makovick at gmail.com>
Date:   Sun Oct 17 20:17:19 2010 +0200

    issue snd_pcm_start() when capturing audio
    
    snd_pcm_start() starts the capture process and ensures that the events
    are delivered to the poll handler. Without the call, capture can be started
    only when there is simultaneous playback running.
    
    Signed-off-by: Jindrich Makovicka <makovick at gmail.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/alsaaudio.c b/audio/alsaaudio.c
index 3ca4078..0741203 100644
--- a/audio/alsaaudio.c
+++ b/audio/alsaaudio.c
@@ -843,11 +843,15 @@ static int alsa_init_out (HWVoiceOut *hw, struct audsettings *as)
     return 0;
 }
 
-static int alsa_voice_ctl (snd_pcm_t *handle, const char *typ, int pause)
+#define VOICE_CTL_PAUSE 0
+#define VOICE_CTL_PREPARE 1
+#define VOICE_CTL_START 2
+
+static int alsa_voice_ctl (snd_pcm_t *handle, const char *typ, int ctl)
 {
     int err;
 
-    if (pause) {
+    if (ctl == VOICE_CTL_PAUSE) {
         err = snd_pcm_drop (handle);
         if (err < 0) {
             alsa_logerr (err, "Could not stop %s\n", typ);
@@ -860,6 +864,13 @@ static int alsa_voice_ctl (snd_pcm_t *handle, const char *typ, int pause)
             alsa_logerr (err, "Could not prepare handle for %s\n", typ);
             return -1;
         }
+        if (ctl == VOICE_CTL_START) {
+            err = snd_pcm_start(handle);
+            if (err < 0) {
+                alsa_logerr (err, "Could not start handle for %s\n", typ);
+                return -1;
+            }
+        }
     }
 
     return 0;
@@ -884,7 +895,7 @@ static int alsa_ctl_out (HWVoiceOut *hw, int cmd, ...)
                 poll_mode = 0;
             }
             hw->poll_mode = poll_mode;
-            return alsa_voice_ctl (alsa->handle, "playback", 0);
+            return alsa_voice_ctl (alsa->handle, "playback", VOICE_CTL_PREPARE);
         }
 
     case VOICE_DISABLE:
@@ -893,7 +904,7 @@ static int alsa_ctl_out (HWVoiceOut *hw, int cmd, ...)
             hw->poll_mode = 0;
             alsa_fini_poll (&alsa->pollhlp);
         }
-        return alsa_voice_ctl (alsa->handle, "playback", 1);
+        return alsa_voice_ctl (alsa->handle, "playback", VOICE_CTL_PAUSE);
     }
 
     return -1;
@@ -1106,7 +1117,7 @@ static int alsa_ctl_in (HWVoiceIn *hw, int cmd, ...)
             }
             hw->poll_mode = poll_mode;
 
-            return alsa_voice_ctl (alsa->handle, "capture", 0);
+            return alsa_voice_ctl (alsa->handle, "capture", VOICE_CTL_START);
         }
 
     case VOICE_DISABLE:
@@ -1115,7 +1126,7 @@ static int alsa_ctl_in (HWVoiceIn *hw, int cmd, ...)
             hw->poll_mode = 0;
             alsa_fini_poll (&alsa->pollhlp);
         }
-        return alsa_voice_ctl (alsa->handle, "capture", 1);
+        return alsa_voice_ctl (alsa->handle, "capture", VOICE_CTL_PAUSE);
     }
 
     return -1;
commit 22d948a2d97434192018bdabaf0a50cda7f994be
Author: Jindrich Makovicka <makovick at gmail.com>
Date:   Sun Oct 17 19:28:14 2010 +0200

    fix 100% CPU load when idle with ALSA
    
    Playback control function did not disable polling when playback stops.
    Caused busy spinning of the main loop due to unprocessed events.
    
    Signed-off-by: Jindrich Makovicka <makovick at gmail.com>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/alsaaudio.c b/audio/alsaaudio.c
index f0171f9..3ca4078 100644
--- a/audio/alsaaudio.c
+++ b/audio/alsaaudio.c
@@ -889,6 +889,10 @@ static int alsa_ctl_out (HWVoiceOut *hw, int cmd, ...)
 
     case VOICE_DISABLE:
         ldebug ("disabling voice\n");
+        if (hw->poll_mode) {
+            hw->poll_mode = 0;
+            alsa_fini_poll (&alsa->pollhlp);
+        }
         return alsa_voice_ctl (alsa->handle, "playback", 1);
     }
 
commit ba43f0349fc5fbd44b842b2514e5aa2ad276d534
Author: Avi Kivity <avi at redhat.com>
Date:   Mon Sep 20 15:34:37 2010 +0200

    Move msix.o build back to Makefile.objs
    
    Now that hw/msix.c does not depend on CONFIG_KVM, remove it from
    Makefile.target and put it back in Makefile.objs.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index a814dfe..ca5aebc 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -196,9 +196,7 @@ hw-obj-$(CONFIG_PIIX4) += piix4.o
 # PCI watchdog devices
 hw-obj-y += wdt_i6300esb.o
 
-# MSI-X depends on kvm for interrupt injection,
-# so moved it from Makefile.objs to Makefile.target for now
-# hw-obj-y += msix.o
+hw-obj-y += msix.o
 
 # PCI network cards
 hw-obj-y += ne2000.o
diff --git a/Makefile.target b/Makefile.target
index 2a1349a..d8a619d 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -183,10 +183,6 @@ obj-y += rwhandler.o
 obj-$(CONFIG_KVM) += kvm.o kvm-all.o
 obj-$(CONFIG_NO_KVM) += kvm-stub.o
 
-# MSI-X depends on kvm for interrupt injection,
-# so moved it from Makefile.objs to Makefile.target for now
-obj-y += msix.o
-
 LIBS+=-lz
 
 QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
commit 889e30cc18e21f2091b77267dca8096d7dd34f8b
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 10 15:58:41 2010 +0200

    msix: remove CONFIG_KVM depedency
    
    Now that the kvm support is properly stubbed, we can build the msix/kvm glue
    unconditionally.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index c752e90..f6ab686 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -47,8 +47,6 @@
 /* Flag for interrupt controller to declare MSI-X support */
 int msix_supported;
 
-#ifdef CONFIG_KVM
-
 /* KVM specific MSIX helpers */
 static void kvm_msix_free(PCIDevice *dev)
 {
@@ -158,14 +156,6 @@ static void kvm_msix_del(PCIDevice *dev, unsigned vector)
     kvm_del_msix(kmm->gsi, kmm->addr_lo, kmm->addr_hi, kmm->data);
     kvm_commit_irq_routes();
 }
-#else
-
-static void kvm_msix_free(PCIDevice *dev) {}
-static void kvm_msix_update(PCIDevice *dev, int vector,
-                            int was_masked, int is_masked) {}
-static int kvm_msix_add(PCIDevice *dev, unsigned vector) { return -1; }
-static void kvm_msix_del(PCIDevice *dev, unsigned vector) {}
-#endif
 
 /* Add MSI-X capability to the config space for the device. */
 /* Given a bar and its size, add MSI-X table on top of it
commit 313bcfc3149a3528a1af65bce7df6420013344a4
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 10 16:28:24 2010 +0200

    kvm: allow kvm.h to be included from target independent files
    
    - don't include qemu-kvm.h when NEED_CPU_H not defined
    - move a couple of declarations around
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm.h b/kvm.h
index 2f12851..d484a3f 100644
--- a/kvm.h
+++ b/kvm.h
@@ -17,7 +17,9 @@
 #include <errno.h>
 #include "config-host.h"
 #include "qemu-queue.h"
+#ifdef NEED_CPU_H
 #include "qemu-kvm.h"
+#endif
 
 #ifdef CONFIG_KVM
 #include <linux/kvm.h>
@@ -75,7 +77,6 @@ int kvm_set_signal_mask(CPUState *env, const sigset_t *sigset);
 #endif
 
 int kvm_pit_in_kernel(void);
-int kvm_irqchip_in_kernel(void);
 
 /* internal API */
 
@@ -181,6 +182,9 @@ static inline void cpu_synchronize_post_init(CPUState *env)
     }
 }
 
+int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
+                                      target_phys_addr_t *phys_addr);
+
 #endif
 int kvm_set_ioeventfd_mmio_long(int fd, uint32_t adr, uint32_t val, bool assign);
 
@@ -196,9 +200,6 @@ int kvm_set_irqfd(int gsi, int fd, bool assigned)
 
 int kvm_set_ioeventfd_pio_word(int fd, uint16_t adr, uint16_t val, bool assign);
 
-int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
-                                      target_phys_addr_t *phys_addr);
-
 int kvm_has_gsi_routing(void);
 int kvm_get_irq_route_gsi(void);
 int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
@@ -211,4 +212,6 @@ int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
                     uint32_t new_addr_hi, uint32_t new_data);
 int kvm_commit_irq_routes(void);
 
+int kvm_irqchip_in_kernel(void);
+
 #endif
commit 37859f054986fab6b4094cd5950266ae56a6ca6a
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 10 15:57:31 2010 +0200

    kvm: Add stubs for msix support code
    
    To allow msix to build without kvm support, add stubs for these functions.
    Move the declarations to kvm.h so they are accessible when kvm support is not
    built.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm-stub.c b/kvm-stub.c
index d45f9fa..3c2deec 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -141,3 +141,38 @@ int kvm_set_ioeventfd_mmio_long(int fd, uint32_t adr, uint32_t val, bool assign)
 {
     return -ENOSYS;
 }
+
+int kvm_has_gsi_routing(void)
+{
+    return 0;
+}
+
+int kvm_get_irq_route_gsi(void)
+{
+    return -ENOSYS;
+}
+
+int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
+                 uint32_t addr_hi, uint32_t data)
+{
+    return -ENOSYS;
+}
+
+int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
+                 uint32_t addr_hi, uint32_t data)
+{
+    return -ENOSYS;
+}
+
+int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
+                    uint32_t old_addr_hi, uint32_t old_data,
+                    uint32_t new_gsi, uint32_t new_addr_lo,
+                    uint32_t new_addr_hi, uint32_t new_data)
+{
+    return -ENOSYS;
+}
+
+int kvm_commit_irq_routes(void)
+{
+    return -ENOSYS;
+}
diff --git a/kvm.h b/kvm.h
index d728836..2f12851 100644
--- a/kvm.h
+++ b/kvm.h
@@ -198,4 +198,17 @@ int kvm_set_ioeventfd_pio_word(int fd, uint16_t adr, uint16_t val, bool assign);
 
 int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
                                       target_phys_addr_t *phys_addr);
+
+int kvm_has_gsi_routing(void);
+int kvm_get_irq_route_gsi(void);
+int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
+                 uint32_t addr_hi, uint32_t data);
+int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
+                 uint32_t addr_hi, uint32_t data);
+int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
+                    uint32_t old_addr_hi, uint32_t old_data,
+                    uint32_t new_gsi, uint32_t new_addr_lo,
+                    uint32_t new_addr_hi, uint32_t new_data);
+int kvm_commit_irq_routes(void);
+
 #endif
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 25f71db..9c08ab4 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -661,14 +661,6 @@ int kvm_deassign_pci_device(kvm_context_t kvm,
 #endif
 
 /*!
- * \brief Checks whether the generic irq routing capability is present
- *
- * Checks whether kvm can reroute interrupts among the various interrupt
- * controllers.
- */
-int kvm_has_gsi_routing(void);
-
-/*!
  * \brief Determines the number of gsis that can be routed
  *
  * Returns the number of distinct gsis that can be routed by kvm.  This is
@@ -704,15 +696,6 @@ int kvm_add_irq_route(int gsi, int irqchip, int pin);
  */
 int kvm_del_irq_route(int gsi, int irqchip, int pin);
 
-int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
-                 uint32_t addr_hi, uint32_t data);
-int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
-                 uint32_t addr_hi, uint32_t data);
-int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
-                    uint32_t old_addr_hi, uint32_t old_data,
-                    uint32_t new_gsi, uint32_t new_addr_lo,
-                    uint32_t new_addr_hi, uint32_t new_data);
-
 struct kvm_irq_routing_entry;
 /*!
  * \brief Adds a routing entry to the temporary irq routing table
@@ -740,23 +723,6 @@ int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry);
 int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
                              struct kvm_irq_routing_entry *newentry);
 
-/*!
- * \brief Commit the temporary irq routing table
- *
- * Commit the temporary irq routing table to the running VM.
- *
- * \param kvm Pointer to the current kvm_context
- */
-int kvm_commit_irq_routes(void);
-
-/*!
- * \brief Get unused GSI number for irq routing table
- *
- * Get unused GSI number for irq routing table
- *
- * \param kvm Pointer to the current kvm_context
- */
-int kvm_get_irq_route_gsi(void);
 
 /*!
  * \brief Create a file descriptor for injecting interrupts
commit 4588b981b29544067476bb1963992e4f8bafdcef
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 10 15:50:50 2010 +0200

    Avoid use of kvm_irq_routing_entry in hw/msix.c
    
    kvm_irq_routing_entry cannot be used when CONFIG_KVM is disabled; add a new
    interface to the kvm support code that uses scalars instead.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index e00fc6c..c752e90 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -49,28 +49,16 @@ int msix_supported;
 
 #ifdef CONFIG_KVM
 
-static void kvm_msix_message_to_routing_entry(struct kvm_msix_message *kmm,
-                                              struct kvm_irq_routing_entry *e)
-{
-    e->type = KVM_IRQ_ROUTING_MSI;
-    e->flags = 0;
-    e->u.msi.address_lo = kmm->addr_lo;
-    e->u.msi.address_hi = kmm->addr_hi;
-    e->u.msi.data = kmm->data;
-}
-
 /* KVM specific MSIX helpers */
 static void kvm_msix_free(PCIDevice *dev)
 {
     int vector, changed = 0;
     struct kvm_msix_message *kmm;
-    struct kvm_irq_routing_entry entry;
 
     for (vector = 0; vector < dev->msix_entries_nr; ++vector) {
         if (dev->msix_entry_used[vector]) {
             kmm = &dev->msix_irq_entries[vector];
-            kvm_msix_message_to_routing_entry(kmm, &entry);
-            kvm_del_routing_entry(&entry);
+            kvm_del_msix(kmm->gsi, kmm->addr_lo, kmm->addr_hi, kmm->data);
             changed = 1;
         }
     }
@@ -106,14 +94,13 @@ static void kvm_msix_update(PCIDevice *dev, int vector,
     e.gsi = entry->gsi;
     kvm_msix_message_from_vector(dev, vector, &e);
     if (memcmp(entry, &e, sizeof e) != 0) {
-        struct kvm_irq_routing_entry old, new;
         int r;
 
-        kvm_msix_message_to_routing_entry(entry, &old);
-        kvm_msix_message_to_routing_entry(&e, &new);
-        r = kvm_update_routing_entry(&old, &new);
+        r = kvm_update_msix(entry->gsi, entry->addr_lo,
+                            entry->addr_hi, entry->data,
+                            e.gsi, e.addr_lo, e.addr_hi, e.data);
         if (r) {
-            fprintf(stderr, "%s: kvm_update_routing_entry failed: %s\n", __func__,
+            fprintf(stderr, "%s: kvm_update_msix failed: %s\n", __func__,
 		    strerror(-r));
             exit(1);
         }
@@ -130,7 +117,6 @@ static void kvm_msix_update(PCIDevice *dev, int vector,
 static int kvm_msix_add(PCIDevice *dev, unsigned vector)
 {
     struct kvm_msix_message *kmm = dev->msix_irq_entries + vector;
-    struct kvm_irq_routing_entry entry;
     int r;
 
     if (!kvm_has_gsi_routing()) {
@@ -147,10 +133,9 @@ static int kvm_msix_add(PCIDevice *dev, unsigned vector)
     }
     kmm->gsi = r;
     kvm_msix_message_from_vector(dev, vector, kmm);
-    kvm_msix_message_to_routing_entry(kmm, &entry);
-    r = kvm_add_routing_entry(&entry);
+    r = kvm_add_msix(kmm->gsi, kmm->addr_lo, kmm->addr_hi, kmm->data);
     if (r < 0) {
-        fprintf(stderr, "%s: kvm_add_routing_entry failed: %s\n", __func__, strerror(-r));
+        fprintf(stderr, "%s: kvm_add_msix failed: %s\n", __func__, strerror(-r));
         return r;
     }
 
@@ -164,13 +149,13 @@ static int kvm_msix_add(PCIDevice *dev, unsigned vector)
 
 static void kvm_msix_del(PCIDevice *dev, unsigned vector)
 {
-    struct kvm_irq_routing_entry entry;
+    struct kvm_msix_message *kmm;
 
     if (dev->msix_entry_used[vector]) {
         return;
     }
-    kvm_msix_message_to_routing_entry(&dev->msix_irq_entries[vector], &entry);
-    kvm_del_routing_entry(&entry);
+    kmm = &dev->msix_irq_entries[vector];
+    kvm_del_msix(kmm->gsi, kmm->addr_lo, kmm->addr_hi, kmm->data);
     kvm_commit_irq_routes();
 }
 #else
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 3966523..733d0a9 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1036,6 +1036,50 @@ int kvm_get_irq_route_gsi(void)
     return -ENOSPC;
 }
 
+static void kvm_msix_routing_entry(struct kvm_irq_routing_entry *e,
+                                   uint32_t gsi, uint32_t addr_lo,
+                                   uint32_t addr_hi, uint32_t data)
+
+{
+    e->gsi = gsi;
+    e->type = KVM_IRQ_ROUTING_MSI;
+    e->flags = 0;
+    e->u.msi.address_lo = addr_lo;
+    e->u.msi.address_hi = addr_hi;
+    e->u.msi.data = data;
+}
+
+int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
+                        uint32_t addr_hi, uint32_t data)
+{
+    struct kvm_irq_routing_entry e;
+
+    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
+    return kvm_add_routing_entry(&e);
+}
+
+int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
+                        uint32_t addr_hi, uint32_t data)
+{
+    struct kvm_irq_routing_entry e;
+
+    kvm_msix_routing_entry(&e, gsi, addr_lo, addr_hi, data);
+    return kvm_del_routing_entry(&e);
+}
+
+int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
+                    uint32_t old_addr_hi, uint32_t old_data,
+                    uint32_t new_gsi, uint32_t new_addr_lo,
+                    uint32_t new_addr_hi, uint32_t new_data)
+{
+    struct kvm_irq_routing_entry e1, e2;
+
+    kvm_msix_routing_entry(&e1, old_gsi, old_addr_lo, old_addr_hi, old_data);
+    kvm_msix_routing_entry(&e2, new_gsi, new_addr_lo, new_addr_hi, new_data);
+    return kvm_update_routing_entry(&e1, &e2);
+}
+
+
 #ifdef KVM_CAP_DEVICE_MSIX
 int kvm_assign_set_msix_nr(kvm_context_t kvm,
                            struct kvm_assigned_msix_nr *msix_nr)
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 1030a02..25f71db 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -704,6 +704,15 @@ int kvm_add_irq_route(int gsi, int irqchip, int pin);
  */
 int kvm_del_irq_route(int gsi, int irqchip, int pin);
 
+int kvm_add_msix(uint32_t gsi, uint32_t addr_lo,
+                 uint32_t addr_hi, uint32_t data);
+int kvm_del_msix(uint32_t gsi, uint32_t addr_lo,
+                 uint32_t addr_hi, uint32_t data);
+int kvm_update_msix(uint32_t old_gsi, uint32_t old_addr_lo,
+                    uint32_t old_addr_hi, uint32_t old_data,
+                    uint32_t new_gsi, uint32_t new_addr_lo,
+                    uint32_t new_addr_hi, uint32_t new_data);
+
 struct kvm_irq_routing_entry;
 /*!
  * \brief Adds a routing entry to the temporary irq routing table
diff --git a/roms/seabios b/roms/seabios
index 17d3e46..94dc9c4 160000
--- a/roms/seabios
+++ b/roms/seabios
@@ -1 +1 @@
-Subproject commit 17d3e46511aeedc9f09a8216d194d749187b80aa
+Subproject commit 94dc9c49c283cd576c25692d17567035557a2505
commit 68d5b08a361d95c4d674b830455f19a407b9195c
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 10 15:26:49 2010 +0200

    Avoid using kvm_irq_routing_entry in PCIDevice
    
    This structure is not available when !CONFIG_KVM.  While an incomplete type
    works if it's not used, you can't do address arithmetic on it.
    
    Use a new type kvm_msix_message instead.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index 6abf059..e00fc6c 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -48,13 +48,29 @@
 int msix_supported;
 
 #ifdef CONFIG_KVM
+
+static void kvm_msix_message_to_routing_entry(struct kvm_msix_message *kmm,
+                                              struct kvm_irq_routing_entry *e)
+{
+    e->type = KVM_IRQ_ROUTING_MSI;
+    e->flags = 0;
+    e->u.msi.address_lo = kmm->addr_lo;
+    e->u.msi.address_hi = kmm->addr_hi;
+    e->u.msi.data = kmm->data;
+}
+
 /* KVM specific MSIX helpers */
 static void kvm_msix_free(PCIDevice *dev)
 {
     int vector, changed = 0;
+    struct kvm_msix_message *kmm;
+    struct kvm_irq_routing_entry entry;
+
     for (vector = 0; vector < dev->msix_entries_nr; ++vector) {
         if (dev->msix_entry_used[vector]) {
-            kvm_del_routing_entry(&dev->msix_irq_entries[vector]);
+            kmm = &dev->msix_irq_entries[vector];
+            kvm_msix_message_to_routing_entry(kmm, &entry);
+            kvm_del_routing_entry(&entry);
             changed = 1;
         }
     }
@@ -63,21 +79,20 @@ static void kvm_msix_free(PCIDevice *dev)
     }
 }
 
-static void kvm_msix_routing_entry(PCIDevice *dev, unsigned vector,
-                                   struct kvm_irq_routing_entry *entry)
+static void kvm_msix_message_from_vector(PCIDevice *dev, unsigned vector,
+                                         struct kvm_msix_message *kmm)
 {
     uint8_t *table_entry = dev->msix_table_page + vector * MSIX_ENTRY_SIZE;
-    entry->type = KVM_IRQ_ROUTING_MSI;
-    entry->flags = 0;
-    entry->u.msi.address_lo = pci_get_long(table_entry + MSIX_MSG_ADDR);
-    entry->u.msi.address_hi = pci_get_long(table_entry + MSIX_MSG_UPPER_ADDR);
-    entry->u.msi.data = pci_get_long(table_entry + MSIX_MSG_DATA);
+
+    kmm->addr_lo = pci_get_long(table_entry + MSIX_MSG_ADDR);
+    kmm->addr_hi = pci_get_long(table_entry + MSIX_MSG_UPPER_ADDR);
+    kmm->data = pci_get_long(table_entry + MSIX_MSG_DATA);
 }
 
 static void kvm_msix_update(PCIDevice *dev, int vector,
                             int was_masked, int is_masked)
 {
-    struct kvm_irq_routing_entry e = {}, *entry;
+    struct kvm_msix_message e = {}, *entry;
     int mask_cleared = was_masked && !is_masked;
     /* It is only legal to change an entry when it is masked. Therefore, it is
      * enough to update the routing in kernel when mask is being cleared. */
@@ -89,16 +104,20 @@ static void kvm_msix_update(PCIDevice *dev, int vector,
     }
     entry = dev->msix_irq_entries + vector;
     e.gsi = entry->gsi;
-    kvm_msix_routing_entry(dev, vector, &e);
-    if (memcmp(&entry->u.msi, &e.u.msi, sizeof entry->u.msi)) {
+    kvm_msix_message_from_vector(dev, vector, &e);
+    if (memcmp(entry, &e, sizeof e) != 0) {
+        struct kvm_irq_routing_entry old, new;
         int r;
-        r = kvm_update_routing_entry(entry, &e);
+
+        kvm_msix_message_to_routing_entry(entry, &old);
+        kvm_msix_message_to_routing_entry(&e, &new);
+        r = kvm_update_routing_entry(&old, &new);
         if (r) {
             fprintf(stderr, "%s: kvm_update_routing_entry failed: %s\n", __func__,
 		    strerror(-r));
             exit(1);
         }
-        memcpy(&entry->u.msi, &e.u.msi, sizeof entry->u.msi);
+        *entry = e;
         r = kvm_commit_irq_routes();
         if (r) {
             fprintf(stderr, "%s: kvm_commit_irq_routes failed: %s\n", __func__,
@@ -110,7 +129,8 @@ static void kvm_msix_update(PCIDevice *dev, int vector,
 
 static int kvm_msix_add(PCIDevice *dev, unsigned vector)
 {
-    struct kvm_irq_routing_entry *entry = dev->msix_irq_entries + vector;
+    struct kvm_msix_message *kmm = dev->msix_irq_entries + vector;
+    struct kvm_irq_routing_entry entry;
     int r;
 
     if (!kvm_has_gsi_routing()) {
@@ -125,9 +145,10 @@ static int kvm_msix_add(PCIDevice *dev, unsigned vector)
         fprintf(stderr, "%s: kvm_get_irq_route_gsi failed: %s\n", __func__, strerror(-r));
         return r;
     }
-    entry->gsi = r;
-    kvm_msix_routing_entry(dev, vector, entry);
-    r = kvm_add_routing_entry(entry);
+    kmm->gsi = r;
+    kvm_msix_message_from_vector(dev, vector, kmm);
+    kvm_msix_message_to_routing_entry(kmm, &entry);
+    r = kvm_add_routing_entry(&entry);
     if (r < 0) {
         fprintf(stderr, "%s: kvm_add_routing_entry failed: %s\n", __func__, strerror(-r));
         return r;
@@ -143,10 +164,13 @@ static int kvm_msix_add(PCIDevice *dev, unsigned vector)
 
 static void kvm_msix_del(PCIDevice *dev, unsigned vector)
 {
+    struct kvm_irq_routing_entry entry;
+
     if (dev->msix_entry_used[vector]) {
         return;
     }
-    kvm_del_routing_entry(&dev->msix_irq_entries[vector]);
+    kvm_msix_message_to_routing_entry(&dev->msix_irq_entries[vector], &entry);
+    kvm_del_routing_entry(&entry);
     kvm_commit_irq_routes();
 }
 #else
diff --git a/hw/pci.h b/hw/pci.h
index 825ccbe..0370e89 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -133,6 +133,13 @@ enum {
 typedef int (*msix_mask_notifier_func)(PCIDevice *, unsigned vector,
 				       void *opaque, int masked);
 
+struct kvm_msix_message {
+    uint32_t gsi;
+    uint32_t addr_lo;
+    uint32_t addr_hi;
+    uint32_t data;
+};
+
 struct PCIDevice {
     DeviceState qdev;
     /* PCI config space */
@@ -196,7 +203,7 @@ struct PCIDevice {
      * on the rest of the region. */
     target_phys_addr_t msix_page_size;
 
-    struct kvm_irq_routing_entry *msix_irq_entries;
+    struct kvm_msix_message *msix_irq_entries;
 
     void **msix_mask_notifier_opaque;
     msix_mask_notifier_func msix_mask_notifier;
commit b4cf54c95b1a3b16573eaa669ae37537e4d83083
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 10 13:12:38 2010 +0200

    kvm: drop kvm_context parameter from msix-related kvm functions
    
    The kvm_context parameter serves no useful purpose since it's a global (and
    all callers reference that global); on the other hand it prevents the build
    when kvm is not configured in since the kvm_context symbol is not defined.
    
    Remove the parameter and replace it by the global kvm_context in callees.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 26cb797..2605bd1 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -767,7 +767,7 @@ static void free_dev_irq_entries(AssignedDevice *dev)
     int i;
 
     for (i = 0; i < dev->irq_entries_nr; i++)
-        kvm_del_routing_entry(kvm_context, &dev->entry[i]);
+        kvm_del_routing_entry(&dev->entry[i]);
     free(dev->entry);
     dev->entry = NULL;
     dev->irq_entries_nr = 0;
@@ -1080,15 +1080,15 @@ static void assigned_dev_update_msi(PCIDevice *pci_dev, unsigned int ctrl_pos)
         assigned_dev->entry->u.msi.data = *(uint16_t *)(pci_dev->config +
                 pci_dev->cap.start + PCI_MSI_DATA_32);
         assigned_dev->entry->type = KVM_IRQ_ROUTING_MSI;
-        r = kvm_get_irq_route_gsi(kvm_context);
+        r = kvm_get_irq_route_gsi();
         if (r < 0) {
             perror("assigned_dev_update_msi: kvm_get_irq_route_gsi");
             return;
         }
         assigned_dev->entry->gsi = r;
 
-        kvm_add_routing_entry(kvm_context, assigned_dev->entry);
-        if (kvm_commit_irq_routes(kvm_context) < 0) {
+        kvm_add_routing_entry(assigned_dev->entry);
+        if (kvm_commit_irq_routes() < 0) {
             perror("assigned_dev_update_msi: kvm_commit_irq_routes");
             assigned_dev->cap.state &= ~ASSIGNED_DEVICE_MSI_ENABLED;
             return;
@@ -1170,7 +1170,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
         memcpy(&msg_addr, va + i * 16, 4);
         memcpy(&msg_upper_addr, va + i * 16 + 4, 4);
 
-        r = kvm_get_irq_route_gsi(kvm_context);
+        r = kvm_get_irq_route_gsi();
         if (r < 0)
             return r;
 
@@ -1181,7 +1181,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
         adev->entry[entries_nr].u.msi.address_hi = msg_upper_addr;
         adev->entry[entries_nr].u.msi.data = msg_data;
         DEBUG("MSI-X data 0x%x, MSI-X addr_lo 0x%x\n!", msg_data, msg_addr);
-	kvm_add_routing_entry(kvm_context, &adev->entry[entries_nr]);
+	kvm_add_routing_entry(&adev->entry[entries_nr]);
 
         msix_entry.gsi = adev->entry[entries_nr].gsi;
         msix_entry.entry = i;
@@ -1195,7 +1195,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
         entries_nr ++;
     }
 
-    if (r == 0 && kvm_commit_irq_routes(kvm_context) < 0) {
+    if (r == 0 && kvm_commit_irq_routes() < 0) {
 	    perror("assigned_dev_update_msix_mmio: kvm_commit_irq_routes");
 	    return -EINVAL;
     }
diff --git a/hw/msix.c b/hw/msix.c
index 162faa7..6abf059 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -54,12 +54,12 @@ static void kvm_msix_free(PCIDevice *dev)
     int vector, changed = 0;
     for (vector = 0; vector < dev->msix_entries_nr; ++vector) {
         if (dev->msix_entry_used[vector]) {
-            kvm_del_routing_entry(kvm_context, &dev->msix_irq_entries[vector]);
+            kvm_del_routing_entry(&dev->msix_irq_entries[vector]);
             changed = 1;
         }
     }
     if (changed) {
-        kvm_commit_irq_routes(kvm_context);
+        kvm_commit_irq_routes();
     }
 }
 
@@ -92,14 +92,14 @@ static void kvm_msix_update(PCIDevice *dev, int vector,
     kvm_msix_routing_entry(dev, vector, &e);
     if (memcmp(&entry->u.msi, &e.u.msi, sizeof entry->u.msi)) {
         int r;
-        r = kvm_update_routing_entry(kvm_context, entry, &e);
+        r = kvm_update_routing_entry(entry, &e);
         if (r) {
             fprintf(stderr, "%s: kvm_update_routing_entry failed: %s\n", __func__,
 		    strerror(-r));
             exit(1);
         }
         memcpy(&entry->u.msi, &e.u.msi, sizeof entry->u.msi);
-        r = kvm_commit_irq_routes(kvm_context);
+        r = kvm_commit_irq_routes();
         if (r) {
             fprintf(stderr, "%s: kvm_commit_irq_routes failed: %s\n", __func__,
 		    strerror(-r));
@@ -113,27 +113,27 @@ static int kvm_msix_add(PCIDevice *dev, unsigned vector)
     struct kvm_irq_routing_entry *entry = dev->msix_irq_entries + vector;
     int r;
 
-    if (!kvm_has_gsi_routing(kvm_context)) {
+    if (!kvm_has_gsi_routing()) {
         fprintf(stderr, "Warning: no MSI-X support found. "
                 "At least kernel 2.6.30 is required for MSI-X support.\n"
                );
         return -EOPNOTSUPP;
     }
 
-    r = kvm_get_irq_route_gsi(kvm_context);
+    r = kvm_get_irq_route_gsi();
     if (r < 0) {
         fprintf(stderr, "%s: kvm_get_irq_route_gsi failed: %s\n", __func__, strerror(-r));
         return r;
     }
     entry->gsi = r;
     kvm_msix_routing_entry(dev, vector, entry);
-    r = kvm_add_routing_entry(kvm_context, entry);
+    r = kvm_add_routing_entry(entry);
     if (r < 0) {
         fprintf(stderr, "%s: kvm_add_routing_entry failed: %s\n", __func__, strerror(-r));
         return r;
     }
 
-    r = kvm_commit_irq_routes(kvm_context);
+    r = kvm_commit_irq_routes();
     if (r < 0) {
         fprintf(stderr, "%s: kvm_commit_irq_routes failed: %s\n", __func__, strerror(-r));
         return r;
@@ -146,8 +146,8 @@ static void kvm_msix_del(PCIDevice *dev, unsigned vector)
     if (dev->msix_entry_used[vector]) {
         return;
     }
-    kvm_del_routing_entry(kvm_context, &dev->msix_irq_entries[vector]);
-    kvm_commit_irq_routes(kvm_context);
+    kvm_del_routing_entry(&dev->msix_irq_entries[vector]);
+    kvm_commit_irq_routes();
 }
 #else
 
diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index bb09fd8..59aacd0 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -1370,34 +1370,34 @@ int kvm_arch_init_irq_routing(void)
 {
     int i, r;
 
-    if (kvm_irqchip && kvm_has_gsi_routing(kvm_context)) {
-        kvm_clear_gsi_routes(kvm_context);
+    if (kvm_irqchip && kvm_has_gsi_routing()) {
+        kvm_clear_gsi_routes();
         for (i = 0; i < 8; ++i) {
             if (i == 2) {
                 continue;
             }
-            r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_PIC_MASTER, i);
+            r = kvm_add_irq_route(i, KVM_IRQCHIP_PIC_MASTER, i);
             if (r < 0) {
                 return r;
             }
         }
         for (i = 8; i < 16; ++i) {
-            r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_PIC_SLAVE, i - 8);
+            r = kvm_add_irq_route(i, KVM_IRQCHIP_PIC_SLAVE, i - 8);
             if (r < 0) {
                 return r;
             }
         }
         for (i = 0; i < 24; ++i) {
             if (i == 0 && irq0override) {
-                r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_IOAPIC, 2);
+                r = kvm_add_irq_route(i, KVM_IRQCHIP_IOAPIC, 2);
             } else if (i != 2 || !irq0override) {
-                r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_IOAPIC, i);
+                r = kvm_add_irq_route(i, KVM_IRQCHIP_IOAPIC, i);
             }
             if (r < 0) {
                 return r;
             }
         }
-        kvm_commit_irq_routes(kvm_context);
+        kvm_commit_irq_routes();
     }
     return 0;
 }
diff --git a/qemu-kvm.c b/qemu-kvm.c
index e78d850..3966523 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -800,7 +800,7 @@ int kvm_reinject_control(kvm_context_t kvm, int pit_reinject)
     return -ENOSYS;
 }
 
-int kvm_has_gsi_routing(kvm_context_t kvm)
+int kvm_has_gsi_routing(void)
 {
     int r = 0;
 
@@ -819,9 +819,11 @@ int kvm_get_gsi_count(kvm_context_t kvm)
 #endif
 }
 
-int kvm_clear_gsi_routes(kvm_context_t kvm)
+int kvm_clear_gsi_routes(void)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
+    kvm_context_t kvm = kvm_context;
+
     kvm->irq_routes->nr = 0;
     return 0;
 #else
@@ -829,10 +831,10 @@ int kvm_clear_gsi_routes(kvm_context_t kvm)
 #endif
 }
 
-int kvm_add_routing_entry(kvm_context_t kvm,
-                          struct kvm_irq_routing_entry *entry)
+int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
+    kvm_context_t kvm = kvm_context;
     struct kvm_irq_routing *z;
     struct kvm_irq_routing_entry *new;
     int n, size;
@@ -867,7 +869,7 @@ int kvm_add_routing_entry(kvm_context_t kvm,
 #endif
 }
 
-int kvm_add_irq_route(kvm_context_t kvm, int gsi, int irqchip, int pin)
+int kvm_add_irq_route(int gsi, int irqchip, int pin)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
     struct kvm_irq_routing_entry e;
@@ -877,16 +879,16 @@ int kvm_add_irq_route(kvm_context_t kvm, int gsi, int irqchip, int pin)
     e.flags = 0;
     e.u.irqchip.irqchip = irqchip;
     e.u.irqchip.pin = pin;
-    return kvm_add_routing_entry(kvm, &e);
+    return kvm_add_routing_entry(&e);
 #else
     return -ENOSYS;
 #endif
 }
 
-int kvm_del_routing_entry(kvm_context_t kvm,
-                          struct kvm_irq_routing_entry *entry)
+int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
+    kvm_context_t kvm = kvm_context;
     struct kvm_irq_routing_entry *e, *p;
     int i, gsi, found = 0;
 
@@ -943,11 +945,11 @@ int kvm_del_routing_entry(kvm_context_t kvm,
 #endif
 }
 
-int kvm_update_routing_entry(kvm_context_t kvm,
-                             struct kvm_irq_routing_entry *entry,
+int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
                              struct kvm_irq_routing_entry *newentry)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
+    kvm_context_t kvm = kvm_context;
     struct kvm_irq_routing_entry *e;
     int i;
 
@@ -987,7 +989,7 @@ int kvm_update_routing_entry(kvm_context_t kvm,
 #endif
 }
 
-int kvm_del_irq_route(kvm_context_t kvm, int gsi, int irqchip, int pin)
+int kvm_del_irq_route(int gsi, int irqchip, int pin)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
     struct kvm_irq_routing_entry e;
@@ -997,15 +999,17 @@ int kvm_del_irq_route(kvm_context_t kvm, int gsi, int irqchip, int pin)
     e.flags = 0;
     e.u.irqchip.irqchip = irqchip;
     e.u.irqchip.pin = pin;
-    return kvm_del_routing_entry(kvm, &e);
+    return kvm_del_routing_entry(&e);
 #else
     return -ENOSYS;
 #endif
 }
 
-int kvm_commit_irq_routes(kvm_context_t kvm)
+int kvm_commit_irq_routes(void)
 {
 #ifdef KVM_CAP_IRQ_ROUTING
+    kvm_context_t kvm = kvm_context;
+
     kvm->irq_routes->flags = 0;
     return kvm_vm_ioctl(kvm_state, KVM_SET_GSI_ROUTING, kvm->irq_routes);
 #else
@@ -1013,8 +1017,9 @@ int kvm_commit_irq_routes(kvm_context_t kvm)
 #endif
 }
 
-int kvm_get_irq_route_gsi(kvm_context_t kvm)
+int kvm_get_irq_route_gsi(void)
 {
+    kvm_context_t kvm = kvm_context;
     int i, bit;
     uint32_t *buf = kvm->used_gsi_bitmap;
 
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 9809574..1030a02 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -665,10 +665,8 @@ int kvm_deassign_pci_device(kvm_context_t kvm,
  *
  * Checks whether kvm can reroute interrupts among the various interrupt
  * controllers.
- *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_has_gsi_routing(kvm_context_t kvm);
+int kvm_has_gsi_routing(void);
 
 /*!
  * \brief Determines the number of gsis that can be routed
@@ -687,29 +685,24 @@ int kvm_get_gsi_count(kvm_context_t kvm);
  * Clears the temporary irq routing table.  Nothing is committed to the
  * running VM.
  *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_clear_gsi_routes(kvm_context_t kvm);
+int kvm_clear_gsi_routes(void);
 
 /*!
  * \brief Adds an irq route to the temporary irq routing table
  *
  * Adds an irq route to the temporary irq routing table.  Nothing is
  * committed to the running VM.
- *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_add_irq_route(kvm_context_t kvm, int gsi, int irqchip, int pin);
+int kvm_add_irq_route(int gsi, int irqchip, int pin);
 
 /*!
  * \brief Removes an irq route from the temporary irq routing table
  *
  * Adds an irq route to the temporary irq routing table.  Nothing is
  * committed to the running VM.
- *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_del_irq_route(kvm_context_t kvm, int gsi, int irqchip, int pin);
+int kvm_del_irq_route(int gsi, int irqchip, int pin);
 
 struct kvm_irq_routing_entry;
 /*!
@@ -717,22 +710,16 @@ struct kvm_irq_routing_entry;
  *
  * Adds a filled routing entry to the temporary irq routing table. Nothing is
  * committed to the running VM.
- *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_add_routing_entry(kvm_context_t kvm,
-                          struct kvm_irq_routing_entry *entry);
+int kvm_add_routing_entry(struct kvm_irq_routing_entry *entry);
 
 /*!
  * \brief Removes a routing from the temporary irq routing table
  *
  * Remove a routing to the temporary irq routing table.  Nothing is
  * committed to the running VM.
- *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_del_routing_entry(kvm_context_t kvm,
-                          struct kvm_irq_routing_entry *entry);
+int kvm_del_routing_entry(struct kvm_irq_routing_entry *entry);
 
 /*!
  * \brief Updates a routing in the temporary irq routing table
@@ -740,11 +727,8 @@ int kvm_del_routing_entry(kvm_context_t kvm,
  * Update a routing in the temporary irq routing table
  * with a new value. entry type and GSI can not be changed.
  * Nothing is committed to the running VM.
- *
- * \param kvm Pointer to the current kvm_context
  */
-int kvm_update_routing_entry(kvm_context_t kvm,
-                             struct kvm_irq_routing_entry *entry,
+int kvm_update_routing_entry(struct kvm_irq_routing_entry *entry,
                              struct kvm_irq_routing_entry *newentry);
 
 /*!
@@ -754,7 +738,7 @@ int kvm_update_routing_entry(kvm_context_t kvm,
  *
  * \param kvm Pointer to the current kvm_context
  */
-int kvm_commit_irq_routes(kvm_context_t kvm);
+int kvm_commit_irq_routes(void);
 
 /*!
  * \brief Get unused GSI number for irq routing table
@@ -763,7 +747,7 @@ int kvm_commit_irq_routes(kvm_context_t kvm);
  *
  * \param kvm Pointer to the current kvm_context
  */
-int kvm_get_irq_route_gsi(kvm_context_t kvm);
+int kvm_get_irq_route_gsi(void);
 
 /*!
  * \brief Create a file descriptor for injecting interrupts
@@ -903,7 +887,7 @@ int kvm_arch_halt(CPUState *env);
 int handle_tpr_access(void *opaque, CPUState *env, uint64_t rip,
                       int is_write);
 
-#define qemu_kvm_has_gsi_routing() kvm_has_gsi_routing(kvm_context)
+#define qemu_kvm_has_gsi_routing() kvm_has_gsi_routing()
 #ifdef TARGET_I386
 #define qemu_kvm_has_pit_state2() kvm_has_pit_state2(kvm_context)
 #endif
commit 4b209b225baa36a5d7c90e45589a75f9a1895df4
Author: Avi Kivity <avi at redhat.com>
Date:   Mon Sep 20 13:07:43 2010 +0200

    msix: avoid leaking kvm data on init failure
    
    Move initialization after we're certain to succeed, so we don't leak
    memory on failure.
    
    Acked-by: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index 9663b17..162faa7 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -374,12 +374,6 @@ int msix_init(struct PCIDevice *dev, unsigned short nentries,
     if (nentries > MSIX_MAX_ENTRIES)
         return -EINVAL;
 
-#ifdef KVM_CAP_IRQCHIP
-    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
-        dev->msix_irq_entries = qemu_malloc(nentries *
-                                            sizeof *dev->msix_irq_entries);
-    }
-#endif
     dev->msix_mask_notifier_opaque =
         qemu_mallocz(nentries * sizeof *dev->msix_mask_notifier_opaque);
     dev->msix_mask_notifier = NULL;
@@ -401,6 +395,13 @@ int msix_init(struct PCIDevice *dev, unsigned short nentries,
     if (ret)
         goto err_config;
 
+#ifdef KVM_CAP_IRQCHIP
+    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
+        dev->msix_irq_entries = qemu_malloc(nentries *
+                                            sizeof *dev->msix_irq_entries);
+    }
+#endif
+
     dev->cap_present |= QEMU_PCI_CAP_MSIX;
     return 0;
 
commit f871d6893a7bf8c14db162f6e75a5f8157e4c2bb
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 19:14:29 2010 +0000

    trace: print a warning if user tries to enable an unknown trace event
    
    There was no warning if a bad trace event name was given to
    'trace-event' command, thus the user could think that the command
    was successful even if this was not the case.
    
    Print a warning if the user tries to enable a trace event which is not
    known.
    
    Acked-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/monitor.c b/monitor.c
index fbb678d..260cc02 100644
--- a/monitor.c
+++ b/monitor.c
@@ -549,7 +549,11 @@ static void do_change_trace_event_state(Monitor *mon, const QDict *qdict)
 {
     const char *tp_name = qdict_get_str(qdict, "name");
     bool new_state = qdict_get_bool(qdict, "option");
-    st_change_trace_event_state(tp_name, new_state);
+    int ret = st_change_trace_event_state(tp_name, new_state);
+
+    if (!ret) {
+        monitor_printf(mon, "unknown event name \"%s\"\n", tp_name);
+    }
 }
 
 static void do_trace_file(Monitor *mon, const QDict *qdict)
diff --git a/simpletrace.c b/simpletrace.c
index f849e42..deb1e07 100644
--- a/simpletrace.c
+++ b/simpletrace.c
@@ -246,12 +246,14 @@ static TraceEvent* find_trace_event_by_name(const char *tname)
     return NULL; /* indicates end of list reached without a match */
 }
 
-void st_change_trace_event_state(const char *tname, bool tstate)
+bool st_change_trace_event_state(const char *tname, bool tstate)
 {
     TraceEvent *tp;
 
     tp = find_trace_event_by_name(tname);
     if (tp) {
         tp->state = tstate;
+        return true;
     }
+    return false;
 }
diff --git a/simpletrace.h b/simpletrace.h
index cf35897..72614ec 100644
--- a/simpletrace.h
+++ b/simpletrace.h
@@ -31,7 +31,7 @@ void trace5(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t
 void trace6(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
 void st_print_trace(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
 void st_print_trace_events(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
-void st_change_trace_event_state(const char *tname, bool tstate);
+bool st_change_trace_event_state(const char *tname, bool tstate);
 void st_print_trace_file_status(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
 void st_set_trace_file_enabled(bool enable);
 bool st_set_trace_file(const char *file);
commit 2abf314dddcfc1792a981ef6ecda343384b2a1a2
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:08 2010 +0000

    mips: avoid write only variables
    
    Compiling with GCC 4.6.0 20100925 produced a lot of warnings like:
    /src/qemu/target-mips/translate.c: In function 'gen_ld':
    /src/qemu/target-mips/translate.c:1039:17: error: variable 'opn' set but not used [-Werror=unused-but-set-variable]
    
    Fix by adding a dummy cast so that the variable is not unused.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-mips/translate.c b/target-mips/translate.c
index 20b66a8..d62c615 100644
--- a/target-mips/translate.c
+++ b/target-mips/translate.c
@@ -1153,6 +1153,7 @@ static void gen_ld (CPUState *env, DisasContext *ctx, uint32_t opc,
         opn = "ll";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %d(%s)", opn, regnames[rt], offset, regnames[base]);
     tcg_temp_free(t0);
     tcg_temp_free(t1);
@@ -1212,6 +1213,7 @@ static void gen_st (DisasContext *ctx, uint32_t opc, int rt,
         opn = "swr";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %d(%s)", opn, regnames[rt], offset, regnames[base]);
     tcg_temp_free(t0);
     tcg_temp_free(t1);
@@ -1247,6 +1249,7 @@ static void gen_st_cond (DisasContext *ctx, uint32_t opc, int rt,
         opn = "sc";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %d(%s)", opn, regnames[rt], offset, regnames[base]);
     tcg_temp_free(t1);
     tcg_temp_free(t0);
@@ -1312,6 +1315,7 @@ static void gen_flt_ldst (DisasContext *ctx, uint32_t opc, int ft,
         generate_exception(ctx, EXCP_RI);
         goto out;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %d(%s)", opn, fregnames[ft], offset, regnames[base]);
  out:
     tcg_temp_free(t0);
@@ -1412,6 +1416,7 @@ static void gen_arith_imm (CPUState *env, DisasContext *ctx, uint32_t opc,
         break;
 #endif
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, " TARGET_FMT_lx, opn, regnames[rt], regnames[rs], uimm);
 }
 
@@ -1454,6 +1459,7 @@ static void gen_logic_imm (CPUState *env, uint32_t opc, int rt, int rs, int16_t
         opn = "lui";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, " TARGET_FMT_lx, opn, regnames[rt], regnames[rs], uimm);
 }
 
@@ -1481,6 +1487,7 @@ static void gen_slt_imm (CPUState *env, uint32_t opc, int rt, int rs, int16_t im
         opn = "sltiu";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, " TARGET_FMT_lx, opn, regnames[rt], regnames[rs], uimm);
     tcg_temp_free(t0);
 }
@@ -1572,6 +1579,7 @@ static void gen_shift_imm(CPUState *env, DisasContext *ctx, uint32_t opc,
         break;
 #endif
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, " TARGET_FMT_lx, opn, regnames[rt], regnames[rs], uimm);
     tcg_temp_free(t0);
 }
@@ -1752,6 +1760,7 @@ static void gen_arith (CPUState *env, DisasContext *ctx, uint32_t opc,
         opn = "mul";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s", opn, regnames[rd], regnames[rs], regnames[rt]);
 }
 
@@ -1789,6 +1798,7 @@ static void gen_cond_move (CPUState *env, uint32_t opc, int rd, int rs, int rt)
         tcg_gen_movi_tl(cpu_gpr[rd], 0);
     gen_set_label(l1);
 
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s", opn, regnames[rd], regnames[rs], regnames[rt]);
 }
 
@@ -1849,6 +1859,7 @@ static void gen_logic (CPUState *env, uint32_t opc, int rd, int rs, int rt)
         opn = "xor";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s", opn, regnames[rd], regnames[rs], regnames[rt]);
 }
 
@@ -1878,6 +1889,7 @@ static void gen_slt (CPUState *env, uint32_t opc, int rd, int rs, int rt)
         opn = "sltu";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s", opn, regnames[rd], regnames[rs], regnames[rt]);
     tcg_temp_free(t0);
     tcg_temp_free(t1);
@@ -1958,6 +1970,7 @@ static void gen_shift (CPUState *env, DisasContext *ctx, uint32_t opc,
         break;
 #endif
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s", opn, regnames[rd], regnames[rs], regnames[rt]);
     tcg_temp_free(t0);
     tcg_temp_free(t1);
@@ -1997,6 +2010,7 @@ static void gen_HILO (DisasContext *ctx, uint32_t opc, int reg)
         opn = "mtlo";
         break;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s", opn, regnames[reg]);
 }
 
@@ -2229,6 +2243,7 @@ static void gen_muldiv (DisasContext *ctx, uint32_t opc,
         generate_exception(ctx, EXCP_RI);
         goto out;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s %s", opn, regnames[rs], regnames[rt]);
  out:
     tcg_temp_free(t0);
@@ -2308,6 +2323,7 @@ static void gen_mul_vr54xx (DisasContext *ctx, uint32_t opc,
         goto out;
     }
     gen_store_gpr(t0, rd);
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s", opn, regnames[rd], regnames[rs], regnames[rt]);
 
  out:
@@ -2348,6 +2364,7 @@ static void gen_cl (DisasContext *ctx, uint32_t opc,
         break;
 #endif
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s", opn, regnames[rd], regnames[rs]);
     tcg_temp_free(t0);
 }
@@ -2561,6 +2578,7 @@ static void gen_loongson_integer (DisasContext *ctx, uint32_t opc,
 #endif
     }
 
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s", opn, regnames[rd], regnames[rs]);
     tcg_temp_free(t0);
     tcg_temp_free(t1);
@@ -3730,6 +3748,7 @@ static void gen_mfc0 (CPUState *env, DisasContext *ctx, TCGv arg, int reg, int s
     default:
        goto die;
     }
+    (void)rn; /* avoid a compiler warning */
     LOG_DISAS("mfc0 %s (reg %d sel %d)\n", rn, reg, sel);
     return;
 
@@ -4320,6 +4339,7 @@ static void gen_mtc0 (CPUState *env, DisasContext *ctx, TCGv arg, int reg, int s
     default:
        goto die;
     }
+    (void)rn; /* avoid a compiler warning */
     LOG_DISAS("mtc0 %s (reg %d sel %d)\n", rn, reg, sel);
     /* For simplicity assume that all writes can cause interrupts.  */
     if (use_icount) {
@@ -4892,6 +4912,7 @@ static void gen_dmfc0 (CPUState *env, DisasContext *ctx, TCGv arg, int reg, int
     default:
         goto die;
     }
+    (void)rn; /* avoid a compiler warning */
     LOG_DISAS("dmfc0 %s (reg %d sel %d)\n", rn, reg, sel);
     return;
 
@@ -5483,6 +5504,7 @@ static void gen_dmtc0 (CPUState *env, DisasContext *ctx, TCGv arg, int reg, int
     default:
         goto die;
     }
+    (void)rn; /* avoid a compiler warning */
     LOG_DISAS("dmtc0 %s (reg %d sel %d)\n", rn, reg, sel);
     /* For simplicity assume that all writes can cause interrupts.  */
     if (use_icount) {
@@ -5943,6 +5965,7 @@ static void gen_cp0 (CPUState *env, DisasContext *ctx, uint32_t opc, int rt, int
         generate_exception(ctx, EXCP_RI);
         return;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s %d", opn, regnames[rt], rd);
 }
 #endif /* !CONFIG_USER_ONLY */
@@ -6052,6 +6075,7 @@ static void gen_compute_branch1 (CPUState *env, DisasContext *ctx, uint32_t op,
         generate_exception (ctx, EXCP_RI);
         goto out;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s: cond %02x target " TARGET_FMT_lx, opn,
                ctx->hflags, btarget);
     ctx->btarget = btarget;
@@ -6281,6 +6305,7 @@ static void gen_cp1 (DisasContext *ctx, uint32_t opc, int rt, int fs)
         generate_exception (ctx, EXCP_RI);
         goto out;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s %s", opn, regnames[rt], fregnames[fs]);
 
  out:
@@ -7608,6 +7633,7 @@ static void gen_farith (DisasContext *ctx, enum fopcode op1,
         generate_exception (ctx, EXCP_RI);
         return;
     }
+    (void)opn; /* avoid a compiler warning */
     switch (optype) {
     case BINOP:
         MIPS_DEBUG("%s %s, %s, %s", opn, fregnames[fd], fregnames[fs], fregnames[ft]);
@@ -7720,6 +7746,7 @@ static void gen_flt3_ldst (DisasContext *ctx, uint32_t opc,
         break;
     }
     tcg_temp_free(t0);
+    (void)opn; (void)store; /* avoid compiler warnings */
     MIPS_DEBUG("%s %s, %s(%s)", opn, fregnames[store ? fs : fd],
                regnames[index], regnames[base]);
 }
@@ -7993,6 +8020,7 @@ static void gen_flt3_arith (DisasContext *ctx, uint32_t opc,
         generate_exception (ctx, EXCP_RI);
         return;
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s %s, %s, %s, %s", opn, fregnames[fd], fregnames[fr],
                fregnames[fs], fregnames[ft]);
 }
@@ -9971,6 +9999,7 @@ static void gen_ldst_pair (DisasContext *ctx, uint32_t opc, int rd,
         break;
 #endif
     }
+    (void)opn; /* avoid a compiler warning */
     MIPS_DEBUG("%s, %s, %d(%s)", opn, regnames[rd], offset, regnames[base]);
     tcg_temp_free(t0);
     tcg_temp_free(t1);
commit 577f25a5eb2b1b3338fe03d31c6e87da5ce29e7c
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:08 2010 +0000

    ppc: avoid write only variables
    
    Compiling with GCC 4.6.0 20100925 produced warnings:
    /src/qemu/target-ppc/op_helper.c: In function 'helper_icbi':
    /src/qemu/target-ppc/op_helper.c:351:14: error: variable 'tmp' set but not used [-Werror=unused-but-set-variable]
    /src/qemu/target-ppc/op_helper.c: In function 'do_6xx_tlb':
    /src/qemu/target-ppc/op_helper.c:3805:28: error: variable 'EPN' set but not used [-Werror=unused-but-set-variable]
    /src/qemu/target-ppc/op_helper.c: In function 'do_74xx_tlb':
    /src/qemu/target-ppc/op_helper.c:3838:28: error: variable 'EPN' set but not used [-Werror=unused-but-set-variable]
    
    Fix by adding a dummy cast so that the variable is not unused. Delete tmp.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 45f1655..f32a5ff 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -348,15 +348,13 @@ void helper_dcbz_970(target_ulong addr)
 
 void helper_icbi(target_ulong addr)
 {
-    uint32_t tmp;
-
     addr &= ~(env->dcache_line_size - 1);
     /* Invalidate one cache line :
      * PowerPC specification says this is to be treated like a load
      * (not a fetch) by the MMU. To be sure it will be so,
      * do the load "by hand".
      */
-    tmp = ldl(addr);
+    ldl(addr);
     tb_invalidate_page_range(addr, addr + env->icache_line_size);
 }
 
@@ -3814,6 +3812,7 @@ static void do_6xx_tlb (target_ulong new_EPN, int is_code)
         EPN = env->spr[SPR_DMISS];
     }
     way = (env->spr[SPR_SRR1] >> 17) & 1;
+    (void)EPN; /* avoid a compiler warning */
     LOG_SWTLB("%s: EPN " TARGET_FMT_lx " " TARGET_FMT_lx " PTE0 " TARGET_FMT_lx
               " PTE1 " TARGET_FMT_lx " way %d\n", __func__, new_EPN, EPN, CMP,
               RPN, way);
@@ -3842,6 +3841,7 @@ static void do_74xx_tlb (target_ulong new_EPN, int is_code)
     CMP = env->spr[SPR_PTEHI];
     EPN = env->spr[SPR_TLBMISS] & ~0x3;
     way = env->spr[SPR_TLBMISS] & 0x3;
+    (void)EPN; /* avoid a compiler warning */
     LOG_SWTLB("%s: EPN " TARGET_FMT_lx " " TARGET_FMT_lx " PTE0 " TARGET_FMT_lx
               " PTE1 " TARGET_FMT_lx " way %d\n", __func__, new_EPN, EPN, CMP,
               RPN, way);
commit 4581cbcdc3c70fa94c729da7e25c6a152936cfd3
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:08 2010 +0000

    i386: avoid a write only variable
    
    Compiling with GCC 4.6.0 20100925 produced warnings:
    /src/qemu/target-i386/op_helper.c: In function 'switch_tss':
    /src/qemu/target-i386/op_helper.c:283:53: error: variable 'new_trap' set but not used [-Werror=unused-but-set-variable]
    
    Fix by adding a dummy cast so that the variable is not unused. Add also
    pointer to docs.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-i386/op_helper.c b/target-i386/op_helper.c
index ec6b3e9..43fbd0c 100644
--- a/target-i386/op_helper.c
+++ b/target-i386/op_helper.c
@@ -349,6 +349,10 @@ static void switch_tss(int tss_selector,
         new_segs[R_GS] = 0;
         new_trap = 0;
     }
+    /* XXX: avoid a compiler warning, see
+     http://support.amd.com/us/Processor_TechDocs/24593.pdf
+     chapters 12.2.5 and 13.2.4 on how to implement TSS Trap bit */
+    (void)new_trap;
 
     /* NOTE: we must avoid memory exceptions during the task switch,
        so we make dummy accesses before */
commit 2ded6ad761613e01d4690f290771961ba690d17e
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:08 2010 +0000

    vnc: avoid write only variables
    
    Compiling with GCC 4.6.0 20100925 produced warnings:
    /src/qemu/ui/vnc.c: In function 'vnc_client_cache_auth':
    /src/qemu/ui/vnc.c:217:12: error: variable 'qdict' set but not used [-Werror=unused-but-set-variable]
    /src/qemu/ui/vnc.c: In function 'vnc_display_open':
    /src/qemu/ui/vnc.c:2526:9: error: variable 'acl' set but not used [-Werror=unused-but-set-variable]
    
    Fix by making the variable declarations and their uses also conditional
    to debug definition.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/ui/vnc.c b/ui/vnc.c
index c7a1831..864342e 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -214,13 +214,17 @@ static int vnc_server_info_put(QDict *qdict)
 
 static void vnc_client_cache_auth(VncState *client)
 {
+#if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
     QDict *qdict;
+#endif
 
     if (!client->info) {
         return;
     }
 
+#if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
     qdict = qobject_to_qdict(client->info);
+#endif
 
 #ifdef CONFIG_VNC_TLS
     if (client->tls.session &&
@@ -2523,7 +2527,9 @@ int vnc_display_open(DisplayState *ds, const char *display)
     int sasl = 0;
     int saslErr;
 #endif
+#if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
     int acl = 0;
+#endif
     int lock_key_sync = 1;
 
     if (!vnc_display)
@@ -2581,8 +2587,10 @@ int vnc_display_open(DisplayState *ds, const char *display)
                 return -1;
             }
 #endif
+#if defined(CONFIG_VNC_TLS) || defined(CONFIG_VNC_SASL)
         } else if (strncmp(options, "acl", 3) == 0) {
             acl = 1;
+#endif
         } else if (strncmp(options, "lossy", 5) == 0) {
             vs->lossy = true;
         }
commit 03e654c083e4a26a57423dbaf251f649d3250c92
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:08 2010 +0000

    cris: avoid a write only variable
    
    Compiling with GCC 4.6.0 20100925 produced a warning:
    In file included from /src/qemu/target-cris/translate.c:3154:0:
    /src/qemu/target-cris/translate_v10.c: In function 'dec10_prep_move_m':
    /src/qemu/target-cris/translate_v10.c:111:22: error: variable 'rd' set but not used [-Werror=unused-but-set-variable]
    
    Fix by deleting rd, adjust the only user.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-cris/translate_v10.c b/target-cris/translate_v10.c
index 14e590d..6944827 100644
--- a/target-cris/translate_v10.c
+++ b/target-cris/translate_v10.c
@@ -108,16 +108,15 @@ static unsigned int crisv10_post_memaddr(DisasContext *dc, unsigned int size)
 static int dec10_prep_move_m(DisasContext *dc, int s_ext, int memsize,
                            TCGv dst)
 {
-    unsigned int rs, rd;
+    unsigned int rs;
     uint32_t imm;
     int is_imm;
     int insn_len = 0;
 
     rs = dc->src;
-    rd = dc->dst;
     is_imm = rs == 15 && !(dc->tb_flags & PFIX_FLAG);
     LOG_DIS("rs=%d rd=%d is_imm=%d mode=%d pfix=%d\n",
-             rs, rd, is_imm, dc->mode, dc->tb_flags & PFIX_FLAG);
+             rs, dc->dst, is_imm, dc->mode, dc->tb_flags & PFIX_FLAG);
 
     /* Load [$rs] onto T1.  */
     if (is_imm) {
commit 49a2942d9be0b08aed3e63901561745378ea5e4f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:41:29 2010 +0000

    Delete write only variables
    
    Compiling with GCC 4.6.0 20100925 produced warnings like:
    /src/qemu/net/tap-win32.c: In function 'tap_win32_open':
    /src/qemu/net/tap-win32.c:582:12: error: variable 'hThread' set but not used [-Werror=unused-but-set-variable]
    
    Fix by removing the unused variables.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index df80ef6..f9723f5 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -265,13 +265,11 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const char *boot_device,
     qemu_irq *cpu_exit_irq;
     int via_devfn;
     PCIBus *pci_bus;
-    ISADevice *isa_dev;
     uint8_t *eeprom_buf;
     i2c_bus *smbus;
     int i;
     DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
     DeviceState *eeprom;
-    ISADevice *rtc_state;
     CPUState *env;
 
     /* init CPUs */
@@ -378,9 +376,9 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const char *boot_device,
     DMA_init(0, cpu_exit_irq);
 
     /* Super I/O */
-    isa_dev = isa_create_simple("i8042");
+    isa_create_simple("i8042");
 
-    rtc_state = rtc_init(2000, NULL);
+    rtc_init(2000, NULL);
 
     for(i = 0; i < MAX_SERIAL_PORTS; i++) {
         if (serial_hds[i]) {
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 0969089..8026071 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -784,11 +784,7 @@ void mips_malta_init (ram_addr_t ram_size,
     target_long bios_size;
     int64_t kernel_entry;
     PCIBus *pci_bus;
-    ISADevice *isa_dev;
     CPUState *env;
-    ISADevice *rtc_state;
-    FDCtrl *floppy_controller;
-    MaltaFPGAState *malta_fpga;
     qemu_irq *i8259;
     qemu_irq *cpu_exit_irq;
     int piix4_devfn;
@@ -851,7 +847,7 @@ void mips_malta_init (ram_addr_t ram_size,
     be = 0;
 #endif
     /* FPGA */
-    malta_fpga = malta_fpga_init(0x1f000000LL, env->irq[2], serial_hds[2]);
+    malta_fpga_init(0x1f000000LL, env->irq[2], serial_hds[2]);
 
     /* Load firmware in flash / BIOS unless we boot directly into a kernel. */
     if (kernel_filename) {
@@ -957,9 +953,9 @@ void mips_malta_init (ram_addr_t ram_size,
     DMA_init(0, cpu_exit_irq);
 
     /* Super I/O */
-    isa_dev = isa_create_simple("i8042");
- 
-    rtc_state = rtc_init(2000, NULL);
+    isa_create_simple("i8042");
+
+    rtc_init(2000, NULL);
     serial_isa_init(0, serial_hds[0]);
     serial_isa_init(1, serial_hds[1]);
     if (parallel_hds[0])
@@ -967,7 +963,7 @@ void mips_malta_init (ram_addr_t ram_size,
     for(i = 0; i < MAX_FD; i++) {
         fd[i] = drive_get(IF_FLOPPY, 0, i);
     }
-    floppy_controller = fdctrl_init_isa(fd);
+    fdctrl_init_isa(fd);
 
     /* Sound card */
     audio_init(pci_bus);
diff --git a/hw/mips_r4k.c b/hw/mips_r4k.c
index ca61431..aa34890 100644
--- a/hw/mips_r4k.c
+++ b/hw/mips_r4k.c
@@ -167,7 +167,6 @@ void mips_r4k_init (ram_addr_t ram_size,
     int bios_size;
     CPUState *env;
     ResetData *reset_info;
-    ISADevice *rtc_state;
     int i;
     qemu_irq *i8259;
     DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
@@ -268,7 +267,7 @@ void mips_r4k_init (ram_addr_t ram_size,
     isa_bus_new(NULL);
     isa_bus_irqs(i8259);
 
-    rtc_state = rtc_init(2000, NULL);
+    rtc_init(2000, NULL);
 
     /* Register 64 KB of ISA IO space at 0x14000000 */
 #ifdef TARGET_WORDS_BIGENDIAN
diff --git a/hw/ppc405_boards.c b/hw/ppc405_boards.c
index db8e5ec..c5897a9 100644
--- a/hw/ppc405_boards.c
+++ b/hw/ppc405_boards.c
@@ -501,7 +501,6 @@ static void taihu_405ep_init(ram_addr_t ram_size,
                              const char *cpu_model)
 {
     char *filename;
-    CPUPPCState *env;
     qemu_irq *pic;
     ram_addr_t bios_offset;
     target_phys_addr_t ram_bases[2], ram_sizes[2];
@@ -521,8 +520,8 @@ static void taihu_405ep_init(ram_addr_t ram_size,
 #ifdef DEBUG_BOARD_INIT
     printf("%s: register cpu\n", __func__);
 #endif
-    env = ppc405ep_init(ram_bases, ram_sizes, 33333333, &pic,
-                        kernel_filename == NULL ? 0 : 1);
+    ppc405ep_init(ram_bases, ram_sizes, 33333333, &pic,
+                  kernel_filename == NULL ? 0 : 1);
     /* allocate and load BIOS */
 #ifdef DEBUG_BOARD_INIT
     printf("%s: register BIOS\n", __func__);
diff --git a/hw/ppc405_uc.c b/hw/ppc405_uc.c
index b884ea5..3600737 100644
--- a/hw/ppc405_uc.c
+++ b/hw/ppc405_uc.c
@@ -630,18 +630,11 @@ struct ppc405_dma_t {
 
 static uint32_t dcr_read_dma (void *opaque, int dcrn)
 {
-    ppc405_dma_t *dma;
-
-    dma = opaque;
-
     return 0;
 }
 
 static void dcr_write_dma (void *opaque, int dcrn, uint32_t val)
 {
-    ppc405_dma_t *dma;
-
-    dma = opaque;
 }
 
 static void ppc405_dma_reset (void *opaque)
@@ -739,9 +732,6 @@ struct ppc405_gpio_t {
 
 static uint32_t ppc405_gpio_readb (void *opaque, target_phys_addr_t addr)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 #ifdef DEBUG_GPIO
     printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
 #endif
@@ -752,9 +742,6 @@ static uint32_t ppc405_gpio_readb (void *opaque, target_phys_addr_t addr)
 static void ppc405_gpio_writeb (void *opaque,
                                 target_phys_addr_t addr, uint32_t value)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 #ifdef DEBUG_GPIO
     printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
            value);
@@ -763,9 +750,6 @@ static void ppc405_gpio_writeb (void *opaque,
 
 static uint32_t ppc405_gpio_readw (void *opaque, target_phys_addr_t addr)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 #ifdef DEBUG_GPIO
     printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
 #endif
@@ -776,9 +760,6 @@ static uint32_t ppc405_gpio_readw (void *opaque, target_phys_addr_t addr)
 static void ppc405_gpio_writew (void *opaque,
                                 target_phys_addr_t addr, uint32_t value)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 #ifdef DEBUG_GPIO
     printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
            value);
@@ -787,9 +768,6 @@ static void ppc405_gpio_writew (void *opaque,
 
 static uint32_t ppc405_gpio_readl (void *opaque, target_phys_addr_t addr)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 #ifdef DEBUG_GPIO
     printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
 #endif
@@ -800,9 +778,6 @@ static uint32_t ppc405_gpio_readl (void *opaque, target_phys_addr_t addr)
 static void ppc405_gpio_writel (void *opaque,
                                 target_phys_addr_t addr, uint32_t value)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 #ifdef DEBUG_GPIO
     printf("%s: addr " TARGET_FMT_plx " val %08" PRIx32 "\n", __func__, addr,
            value);
@@ -823,9 +798,6 @@ static CPUWriteMemoryFunc * const ppc405_gpio_write[] = {
 
 static void ppc405_gpio_reset (void *opaque)
 {
-    ppc405_gpio_t *gpio;
-
-    gpio = opaque;
 }
 
 static void ppc405_gpio_init(target_phys_addr_t base)
diff --git a/hw/ppc_newworld.c b/hw/ppc_newworld.c
index 9b20dc5..4369337 100644
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -128,7 +128,7 @@ static void ppc_core99_init (ram_addr_t ram_size,
                              const char *initrd_filename,
                              const char *cpu_model)
 {
-    CPUState *env = NULL, *envs[MAX_CPUS];
+    CPUState *env = NULL;
     char *filename;
     qemu_irq *pic, **openpic_irqs;
     int unin_memory;
@@ -166,7 +166,6 @@ static void ppc_core99_init (ram_addr_t ram_size,
         /* Set time-base frequency to 100 Mhz */
         cpu_ppc_tb_init(env, 100UL * 1000UL * 1000UL);
         qemu_register_reset((QEMUResetHandler*)&cpu_reset, env);
-        envs[i] = env;
     }
 
     /* allocate RAM */
diff --git a/hw/ppc_oldworld.c b/hw/ppc_oldworld.c
index ff0b51d..a2f9ddf 100644
--- a/hw/ppc_oldworld.c
+++ b/hw/ppc_oldworld.c
@@ -66,7 +66,7 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
                                const char *initrd_filename,
                                const char *cpu_model)
 {
-    CPUState *env = NULL, *envs[MAX_CPUS];
+    CPUState *env = NULL;
     char *filename;
     qemu_irq *pic, **heathrow_irqs;
     int linux_boot, i;
@@ -97,7 +97,6 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
         /* Set time-base frequency to 16.6 Mhz */
         cpu_ppc_tb_init(env,  16600000UL);
         qemu_register_reset((QEMUResetHandler*)&cpu_reset, env);
-        envs[i] = env;
     }
 
     /* allocate RAM */
diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index 0e5b88c..a6915f7 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -565,7 +565,7 @@ static void ppc_prep_init (ram_addr_t ram_size,
                            const char *initrd_filename,
                            const char *cpu_model)
 {
-    CPUState *env = NULL, *envs[MAX_CPUS];
+    CPUState *env = NULL;
     char *filename;
     nvram_t nvram;
     M48t59State *m48t59;
@@ -602,7 +602,6 @@ static void ppc_prep_init (ram_addr_t ram_size,
             cpu_ppc_tb_init(env, 100UL * 1000UL * 1000UL);
         }
         qemu_register_reset((QEMUResetHandler*)&cpu_reset, env);
-        envs[i] = env;
     }
 
     /* allocate RAM */
diff --git a/hw/ppce500_mpc8544ds.c b/hw/ppce500_mpc8544ds.c
index 1422fad..59d20d3 100644
--- a/hw/ppce500_mpc8544ds.c
+++ b/hw/ppce500_mpc8544ds.c
@@ -176,7 +176,6 @@ static void mpc8544ds_init(ram_addr_t ram_size,
     int i=0;
     unsigned int pci_irq_nrs[4] = {1, 2, 3, 4};
     qemu_irq *irqs, *mpic, *pci_irqs;
-    SerialState * serial[2];
 
     /* Setup CPU */
     env = cpu_ppc_init("e500v2_v30");
@@ -200,15 +199,15 @@ static void mpc8544ds_init(ram_addr_t ram_size,
 
     /* Serial */
     if (serial_hds[0]) {
-        serial[0] = serial_mm_init(MPC8544_SERIAL0_REGS_BASE,
-                                   0, mpic[12+26], 399193,
-                                   serial_hds[0], 1, 1);
+        serial_mm_init(MPC8544_SERIAL0_REGS_BASE,
+                       0, mpic[12+26], 399193,
+                       serial_hds[0], 1, 1);
     }
 
     if (serial_hds[1]) {
-        serial[0] = serial_mm_init(MPC8544_SERIAL1_REGS_BASE,
-                                   0, mpic[12+26], 399193,
-                                   serial_hds[0], 1, 1);
+        serial_mm_init(MPC8544_SERIAL1_REGS_BASE,
+                       0, mpic[12+26], 399193,
+                       serial_hds[0], 1, 1);
     }
 
     /* PCI */
diff --git a/hw/tc6393xb_template.h b/hw/tc6393xb_template.h
index 37bf833..1ccf6e8 100644
--- a/hw/tc6393xb_template.h
+++ b/hw/tc6393xb_template.h
@@ -38,12 +38,10 @@
 static void glue(tc6393xb_draw_graphic, BITS)(TC6393xbState *s)
 {
     int i;
-    int w_display;
     uint16_t *data_buffer;
     uint8_t *data_display;
 
     data_buffer = s->vram_ptr;
-    w_display = s->scr_width * BITS / 8;
     data_display = ds_get_data(s->ds);
     for(i = 0; i < s->scr_height; i++) {
 #if (BITS == 16)
diff --git a/hw/virtex_ml507.c b/hw/virtex_ml507.c
index c5bbeda..fa60515 100644
--- a/hw/virtex_ml507.c
+++ b/hw/virtex_ml507.c
@@ -85,7 +85,6 @@ static CPUState *ppc440_init_xilinx(ram_addr_t *ram_size,
                                     uint32_t sysclk)
 {
     CPUState *env;
-    qemu_irq *pic;
     qemu_irq *irqs;
 
     env = cpu_init(cpu_model);
@@ -106,7 +105,7 @@ static CPUState *ppc440_init_xilinx(ram_addr_t *ram_size,
     irqs = qemu_mallocz(sizeof(qemu_irq) * PPCUIC_OUTPUT_NB);
     irqs[PPCUIC_OUTPUT_INT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_INT];
     irqs[PPCUIC_OUTPUT_CINT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_CINT];
-    pic = ppcuic_init(env, irqs, 0x0C0, 0, 1);
+    ppcuic_init(env, irqs, 0x0C0, 0, 1);
     return env;
 }
 
@@ -236,13 +235,11 @@ static void virtex_init(ram_addr_t ram_size,
 
     if (kernel_filename) {
         uint64_t entry, low, high;
-        uint32_t base32;
         target_phys_addr_t boot_offset;
 
         /* Boots a kernel elf binary.  */
         kernel_size = load_elf(kernel_filename, NULL, NULL,
                                &entry, &low, &high, 1, ELF_MACHINE, 0);
-        base32 = entry;
         boot_info.bootstrap_pc = entry & 0x00ffffff;
 
         if (kernel_size < 0) {
diff --git a/hw/wm8750.c b/hw/wm8750.c
index ce43c23..c9c6744 100644
--- a/hw/wm8750.c
+++ b/hw/wm8750.c
@@ -171,7 +171,6 @@ static void wm8750_set_format(WM8750State *s)
     int i;
     struct audsettings in_fmt;
     struct audsettings out_fmt;
-    struct audsettings monoout_fmt;
 
     wm8750_out_flush(s);
 
@@ -212,10 +211,6 @@ static void wm8750_set_format(WM8750State *s)
     out_fmt.nchannels = 2;
     out_fmt.freq = s->dac_hz;
     out_fmt.fmt = AUD_FMT_S16;
-    monoout_fmt.endianness = 0;
-    monoout_fmt.nchannels = 1;
-    monoout_fmt.freq = s->rate->dac_hz;
-    monoout_fmt.fmt = AUD_FMT_S16;
 
     s->dac_voice[0] = AUD_open_out(&s->card, s->dac_voice[0],
                     CODEC ".speaker", s, wm8750_audio_out_cb, &out_fmt);
diff --git a/net/tap-win32.c b/net/tap-win32.c
index 9fe4fcd..081904e 100644
--- a/net/tap-win32.c
+++ b/net/tap-win32.c
@@ -579,7 +579,6 @@ static int tap_win32_open(tap_win32_overlapped_t **phandle,
     } version;
     DWORD version_len;
     DWORD idThread;
-    HANDLE hThread;
 
     if (prefered_name != NULL)
         snprintf(name_buffer, sizeof(name_buffer), "%s", prefered_name);
@@ -623,8 +622,8 @@ static int tap_win32_open(tap_win32_overlapped_t **phandle,
 
     *phandle = &tap_overlapped;
 
-    hThread = CreateThread(NULL, 0, tap_win32_thread_entry,
-                           (LPVOID)&tap_overlapped, 0, &idThread);
+    CreateThread(NULL, 0, tap_win32_thread_entry,
+                 (LPVOID)&tap_overlapped, 0, &idThread);
     return 0;
 }
 
diff --git a/savevm.c b/savevm.c
index 6fa7a5f..2d8cadc 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1615,10 +1615,10 @@ static int vmstate_subsection_load(QEMUFile *f, const VMStateDescription *vmsd,
     while (qemu_peek_byte(f) == QEMU_VM_SUBSECTION) {
         char idstr[256];
         int ret;
-        uint8_t version_id, subsection, len;
+        uint8_t version_id, len;
         const VMStateDescription *sub_vmsd;
 
-        subsection = qemu_get_byte(f);
+        qemu_get_byte(f); /* subsection */
         len = qemu_get_byte(f);
         qemu_get_buffer(f, (uint8_t *)idstr, len);
         idstr[len] = 0;
commit ae0bfb79aa0ac411a433433af4d74f1f08255608
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:07 2010 +0000

    ppc: remove video.x
    
    Only Mac-on-Linux stuff used video.x, OpenBIOS does not need it.
    
    Remove video.x MoL hacks.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index d9971c3..252c817 100644
--- a/Makefile
+++ b/Makefile
@@ -176,7 +176,7 @@ common  de-ch  es     fo  fr-ca  hu     ja  mk  nl-be      pt  sl     tr
 
 ifdef INSTALL_BLOBS
 BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin ppc_rom.bin \
-video.x openbios-sparc32 openbios-sparc64 openbios-ppc \
+openbios-sparc32 openbios-sparc64 openbios-ppc \
 gpxe-eepro100-80861209.rom \
 gpxe-eepro100-80861229.rom \
 pxe-e1000.bin \
@@ -323,7 +323,6 @@ tarbin:
 	$(datadir)/vgabios.bin \
 	$(datadir)/vgabios-cirrus.bin \
 	$(datadir)/ppc_rom.bin \
-	$(datadir)/video.x \
 	$(datadir)/openbios-sparc32 \
 	$(datadir)/openbios-sparc64 \
 	$(datadir)/openbios-ppc \
diff --git a/configure b/configure
index d303061..a079a49 100755
--- a/configure
+++ b/configure
@@ -3084,7 +3084,7 @@ if test "$source_path_used" = "yes" ; then
     FILES="Makefile tests/Makefile"
     FILES="$FILES tests/cris/Makefile tests/cris/.gdbinit"
     FILES="$FILES tests/test-mmap.c"
-    FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps pc-bios/video.x"
+    FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps"
     FILES="$FILES roms/seabios/Makefile roms/vgabios/Makefile"
     for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_path/pc-bios/openbios-*; do
         FILES="$FILES pc-bios/`basename $bios_file`"
diff --git a/hw/ppc_mac.h b/hw/ppc_mac.h
index 89f96bb..ea87593 100644
--- a/hw/ppc_mac.h
+++ b/hw/ppc_mac.h
@@ -30,7 +30,6 @@
 
 #define BIOS_SIZE     (1024 * 1024)
 #define BIOS_FILENAME "ppc_rom.bin"
-#define VGABIOS_FILENAME "video.x"
 #define NVRAM_SIZE        0x2000
 #define PROM_FILENAME    "openbios-ppc"
 #define PROM_ADDR         0xfff00000
diff --git a/hw/ppc_newworld.c b/hw/ppc_newworld.c
index fb07c83..9b20dc5 100644
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -69,7 +69,6 @@
 #include "blockdev.h"
 
 #define MAX_IDE_BUS 2
-#define VGA_BIOS_SIZE 65536
 #define CFG_ADDR 0xf0000510
 
 /* debug UniNorth */
@@ -134,20 +133,19 @@ static void ppc_core99_init (ram_addr_t ram_size,
     qemu_irq *pic, **openpic_irqs;
     int unin_memory;
     int linux_boot, i;
-    ram_addr_t ram_offset, bios_offset, vga_bios_offset;
+    ram_addr_t ram_offset, bios_offset;
     uint32_t kernel_base, initrd_base;
     long kernel_size, initrd_size;
     PCIBus *pci_bus;
     MacIONVRAMState *nvr;
     int nvram_mem_index;
-    int vga_bios_size, bios_size;
+    int bios_size;
     int pic_mem_index, dbdma_mem_index, cuda_mem_index, escc_mem_index;
     int ide_mem_index[3];
     int ppc_boot_device;
     DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
     void *fw_cfg;
     void *dbdma;
-    uint8_t *vga_bios_ptr;
     int machine_arch;
 
     linux_boot = (kernel_filename != NULL);
@@ -167,9 +165,6 @@ static void ppc_core99_init (ram_addr_t ram_size,
         }
         /* Set time-base frequency to 100 Mhz */
         cpu_ppc_tb_init(env, 100UL * 1000UL * 1000UL);
-#if 0
-        env->osi_call = vga_osi_call;
-#endif
         qemu_register_reset((QEMUResetHandler*)&cpu_reset, env);
         envs[i] = env;
     }
@@ -199,36 +194,6 @@ static void ppc_core99_init (ram_addr_t ram_size,
         exit(1);
     }
 
-    /* allocate and load VGA BIOS */
-    vga_bios_offset = qemu_ram_alloc(NULL, "ppc_core99.vbios", VGA_BIOS_SIZE);
-    vga_bios_ptr = qemu_get_ram_ptr(vga_bios_offset);
-    filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, VGABIOS_FILENAME);
-    if (filename) {
-        vga_bios_size = load_image(filename, vga_bios_ptr + 8);
-        qemu_free(filename);
-    } else {
-        vga_bios_size = -1;
-    }
-    if (vga_bios_size < 0) {
-        /* if no bios is present, we can still work */
-        fprintf(stderr, "qemu: warning: could not load VGA bios '%s'\n",
-                VGABIOS_FILENAME);
-        vga_bios_size = 0;
-    } else {
-        /* set a specific header (XXX: find real Apple format for NDRV
-           drivers) */
-        vga_bios_ptr[0] = 'N';
-        vga_bios_ptr[1] = 'D';
-        vga_bios_ptr[2] = 'R';
-        vga_bios_ptr[3] = 'V';
-        cpu_to_be32w((uint32_t *)(vga_bios_ptr + 4), vga_bios_size);
-        vga_bios_size += 8;
-
-        /* Round to page boundary */
-        vga_bios_size = (vga_bios_size + TARGET_PAGE_SIZE - 1) &
-            TARGET_PAGE_MASK;
-    }
-
     if (linux_boot) {
         uint64_t lowaddr = 0;
         int bswap_needed;
@@ -352,7 +317,7 @@ static void ppc_core99_init (ram_addr_t ram_size,
         machine_arch = ARCH_MAC99;
     }
     /* init basic PC hardware */
-    pci_vga_init(pci_bus, vga_bios_offset, vga_bios_size);
+    pci_vga_init(pci_bus, 0, 0);
 
     escc_mem_index = escc_init(0x80013000, pic[0x25], pic[0x24],
                                serial_hds[0], serial_hds[1], ESCC_CLOCK, 4);
diff --git a/hw/ppc_oldworld.c b/hw/ppc_oldworld.c
index a12a812..ff0b51d 100644
--- a/hw/ppc_oldworld.c
+++ b/hw/ppc_oldworld.c
@@ -1,3 +1,4 @@
+
 /*
  * QEMU OldWorld PowerMac (currently ~G3 Beige) hardware System Emulator
  *
@@ -44,79 +45,8 @@
 #include "blockdev.h"
 
 #define MAX_IDE_BUS 2
-#define VGA_BIOS_SIZE 65536
 #define CFG_ADDR 0xf0000510
 
-/* temporary frame buffer OSI calls for the video.x driver. The right
-   solution is to modify the driver to use VGA PCI I/Os */
-/* XXX: to be removed. This is no way related to emulation */
-static int vga_osi_call (CPUState *env)
-{
-    static int vga_vbl_enabled;
-    int linesize;
-
-#if 0
-    printf("osi_call R5=%016" PRIx64 "\n", ppc_dump_gpr(env, 5));
-#endif
-
-    /* same handler as PearPC, coming from the original MOL video
-       driver. */
-    switch(env->gpr[5]) {
-    case 4:
-        break;
-    case 28: /* set_vmode */
-        if (env->gpr[6] != 1 || env->gpr[7] != 0)
-            env->gpr[3] = 1;
-        else
-            env->gpr[3] = 0;
-        break;
-    case 29: /* get_vmode_info */
-        if (env->gpr[6] != 0) {
-            if (env->gpr[6] != 1 || env->gpr[7] != 0) {
-                env->gpr[3] = 1;
-                break;
-            }
-        }
-        env->gpr[3] = 0;
-        env->gpr[4] = (1 << 16) | 1; /* num_vmodes, cur_vmode */
-        env->gpr[5] = (1 << 16) | 0; /* num_depths, cur_depth_mode */
-        env->gpr[6] = (graphic_width << 16) | graphic_height; /* w, h */
-        env->gpr[7] = 85 << 16; /* refresh rate */
-        env->gpr[8] = (graphic_depth + 7) & ~7; /* depth (round to byte) */
-        linesize = ((graphic_depth + 7) >> 3) * graphic_width;
-        linesize = (linesize + 3) & ~3;
-        env->gpr[9] = (linesize << 16) | 0; /* row_bytes, offset */
-        break;
-    case 31: /* set_video power */
-        env->gpr[3] = 0;
-        break;
-    case 39: /* video_ctrl */
-        if (env->gpr[6] == 0 || env->gpr[6] == 1)
-            vga_vbl_enabled = env->gpr[6];
-        env->gpr[3] = 0;
-        break;
-    case 47:
-        break;
-    case 59: /* set_color */
-        /* R6 = index, R7 = RGB */
-        env->gpr[3] = 0;
-        break;
-    case 64: /* get color */
-        /* R6 = index */
-        env->gpr[3] = 0;
-        break;
-    case 116: /* set hwcursor */
-        /* R6 = x, R7 = y, R8 = visible, R9 = data */
-        break;
-    default:
-        fprintf(stderr, "unsupported OSI call R5=%016" PRIx64 "\n",
-                ppc_dump_gpr(env, 5));
-        break;
-    }
-
-    return 1; /* osi_call handled */
-}
-
 static int fw_cfg_boot_set(void *opaque, const char *boot_device)
 {
     fw_cfg_add_i16(opaque, FW_CFG_BOOT_DEVICE, boot_device[0]);
@@ -140,19 +70,18 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
     char *filename;
     qemu_irq *pic, **heathrow_irqs;
     int linux_boot, i;
-    ram_addr_t ram_offset, bios_offset, vga_bios_offset;
+    ram_addr_t ram_offset, bios_offset;
     uint32_t kernel_base, initrd_base;
     int32_t kernel_size, initrd_size;
     PCIBus *pci_bus;
     MacIONVRAMState *nvr;
-    int vga_bios_size, bios_size;
+    int bios_size;
     int pic_mem_index, nvram_mem_index, dbdma_mem_index, cuda_mem_index;
     int escc_mem_index, ide_mem_index[2];
     uint16_t ppc_boot_device;
     DriveInfo *hd[MAX_IDE_BUS * MAX_IDE_DEVS];
     void *fw_cfg;
     void *dbdma;
-    uint8_t *vga_bios_ptr;
 
     linux_boot = (kernel_filename != NULL);
 
@@ -167,7 +96,6 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
         }
         /* Set time-base frequency to 16.6 Mhz */
         cpu_ppc_tb_init(env,  16600000UL);
-        env->osi_call = vga_osi_call;
         qemu_register_reset((QEMUResetHandler*)&cpu_reset, env);
         envs[i] = env;
     }
@@ -203,36 +131,6 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
         exit(1);
     }
 
-    /* allocate and load VGA BIOS */
-    vga_bios_offset = qemu_ram_alloc(NULL, "ppc_heathrow.vbios", VGA_BIOS_SIZE);
-    vga_bios_ptr = qemu_get_ram_ptr(vga_bios_offset);
-    filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, VGABIOS_FILENAME);
-    if (filename) {
-        vga_bios_size = load_image(filename, vga_bios_ptr + 8);
-        qemu_free(filename);
-    } else {
-        vga_bios_size = -1;
-    }
-    if (vga_bios_size < 0) {
-        /* if no bios is present, we can still work */
-        fprintf(stderr, "qemu: warning: could not load VGA bios '%s'\n",
-                VGABIOS_FILENAME);
-        vga_bios_size = 0;
-    } else {
-        /* set a specific header (XXX: find real Apple format for NDRV
-           drivers) */
-        vga_bios_ptr[0] = 'N';
-        vga_bios_ptr[1] = 'D';
-        vga_bios_ptr[2] = 'R';
-        vga_bios_ptr[3] = 'V';
-        cpu_to_be32w((uint32_t *)(vga_bios_ptr + 4), vga_bios_size);
-        vga_bios_size += 8;
-
-        /* Round to page boundary */
-        vga_bios_size = (vga_bios_size + TARGET_PAGE_SIZE - 1) &
-            TARGET_PAGE_MASK;
-    }
-
     if (linux_boot) {
         uint64_t lowaddr = 0;
         int bswap_needed;
@@ -330,7 +228,7 @@ static void ppc_heathrow_init (ram_addr_t ram_size,
     }
     pic = heathrow_pic_init(&pic_mem_index, 1, heathrow_irqs);
     pci_bus = pci_grackle_init(0xfec00000, pic);
-    pci_vga_init(pci_bus, vga_bios_offset, vga_bios_size);
+    pci_vga_init(pci_bus, 0, 0);
 
     escc_mem_index = escc_init(0x80013000, pic[0x0f], pic[0x10], serial_hds[0],
                                serial_hds[1], ESCC_CLOCK, 4);
diff --git a/pc-bios/README b/pc-bios/README
index ec5e2e1..3172cf7 100644
--- a/pc-bios/README
+++ b/pc-bios/README
@@ -7,10 +7,6 @@
 - The PowerPC Open Hack'Ware Open Firmware Compatible BIOS is
   available at http://perso.magic.fr/l_indien/OpenHackWare/index.htm.
 
-- video.x is a PowerMac NDRV compatible driver for a VGA frame
-  buffer. It comes from the Mac-on-Linux project
-  (http://www.maconlinux.org/).
-
 - OpenBIOS (http://www.openbios.org/) is a free (GPL v2) portable
   firmware implementation. The goal is to implement a 100% IEEE
   1275-1994 (referred to as Open Firmware) compliant firmware.
diff --git a/pc-bios/video.x b/pc-bios/video.x
deleted file mode 100644
index 761aa0c..0000000
Binary files a/pc-bios/video.x and /dev/null differ
diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index bf81941..1334dd1 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -700,9 +700,6 @@ struct CPUPPCState {
     int power_mode;
     int (*check_pow)(CPUPPCState *env);
 
-    /* temporary hack to handle OSI calls (only used if non NULL) */
-    int (*osi_call)(struct CPUPPCState *env);
-
 #if !defined(CONFIG_USER_ONLY)
     void *load_info;    /* Holds boot loading state.  */
 #endif
diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index edbdd80..4b49101 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -2226,17 +2226,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_current;
     case POWERPC_EXCP_SYSCALL:   /* System call exception                    */
-        /* NOTE: this is a temporary hack to support graphics OSI
-           calls from the MOL driver */
-        /* XXX: To be removed */
-        if (env->gpr[3] == 0x113724fa && env->gpr[4] == 0x77810f9b &&
-            env->osi_call) {
-            if (env->osi_call(env) != 0) {
-                env->exception_index = POWERPC_EXCP_NONE;
-                env->error_code = 0;
-                return;
-            }
-        }
         dump_syscall(env);
         lev = env->error_code;
         if (lev == 1 || (lpes0 == 0 && lpes1 == 0))
commit f3f5b867259dcb205b1f4fdd93165dec71e89201
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:07 2010 +0000

    lsi53c895a: avoid a write only variable
    
    Compiling with GCC 4.6.0 20100925 produced a warning:
    /src/qemu/hw/lsi53c895a.c: In function 'lsi_do_msgout':
    /src/qemu/hw/lsi53c895a.c:848:9: error: variable 'len' set but not used [-Werror=unused-but-set-variable]
    
    Fix by adding a dummy cast so that the variable is not unused for
    non-debug case.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index 5eaf69e..f97335e 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -864,6 +864,7 @@ static void lsi_do_msgout(LSIState *s)
         case 0x01:
             len = lsi_get_msgbyte(s);
             msg = lsi_get_msgbyte(s);
+            (void)len; /* avoid a warning about unused variable*/
             DPRINTF("Extended message 0x%x (len %d)\n", msg, len);
             switch (msg) {
             case 1:
commit ef4760626e88bc3e7a1b46c7370378cbd12d379f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:07 2010 +0000

    eepro100: initialize a variable in all cases
    
    Compiling with GCC 4.6.0 20100925 produced warnings:
    /src/qemu/hw/eepro100.c: In function 'eepro100_read4':
    /src/qemu/hw/eepro100.c:1351:14: error: 'val' may be used uninitialized in this function [-Werror=uninitialized]
    /src/qemu/hw/eepro100.c: In function 'eepro100_read2':
    /src/qemu/hw/eepro100.c:1328:14: error: 'val' may be used uninitialized in this function [-Werror=uninitialized]
    /src/qemu/hw/eepro100.c: In function 'eepro100_read1':
    /src/qemu/hw/eepro100.c:1285:13: error: 'val' may be used uninitialized in this function [-Werror=uninitialized]
    
    Fix by initializing 'val' at start.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/eepro100.c b/hw/eepro100.c
index 5f6dcb6..218472d 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -1290,7 +1290,7 @@ static void eepro100_write_port(EEPRO100State * s, uint32_t val)
 
 static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
 {
-    uint8_t val;
+    uint8_t val = 0;
     if (addr <= sizeof(s->mem) - sizeof(val)) {
         memcpy(&val, &s->mem[addr], sizeof(val));
     }
@@ -1333,7 +1333,7 @@ static uint8_t eepro100_read1(EEPRO100State * s, uint32_t addr)
 
 static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
 {
-    uint16_t val;
+    uint16_t val = 0;
     if (addr <= sizeof(s->mem) - sizeof(val)) {
         memcpy(&val, &s->mem[addr], sizeof(val));
     }
@@ -1356,7 +1356,7 @@ static uint16_t eepro100_read2(EEPRO100State * s, uint32_t addr)
 
 static uint32_t eepro100_read4(EEPRO100State * s, uint32_t addr)
 {
-    uint32_t val;
+    uint32_t val = 0;
     if (addr <= sizeof(s->mem) - sizeof(val)) {
         memcpy(&val, &s->mem[addr], sizeof(val));
     }
commit 8c78881f481401ec3cfbdce2267101cf300cd4b1
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:07 2010 +0000

    cirrus: avoid write only variables
    
    Compiling with GCC 4.6.0 20100925 produced a lot of warnings like:
    In file included from /src/qemu/hw/cirrus_vga_rop.h:174:0,
                     from /src/qemu/hw/cirrus_vga.c:284:
    /src/qemu/hw/cirrus_vga_rop2.h: In function 'cirrus_patternfill_0_8':
    /src/qemu/hw/cirrus_vga_rop2.h:48:18: error: variable 'col' set but not used [-Werror=unused-but-set-variable]
    /src/qemu/hw/cirrus_vga_rop2.h: In function 'cirrus_colorexpand_transp_0_8':
    /src/qemu/hw/cirrus_vga_rop2.h:104:18: error: variable 'col' set but not used [-Werror=unused-but-set-variable]
    
    Fix the warnings by introducing an inline function, which avoids
    exposing write-only variables.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index bbd4b08..aadc56f 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -280,63 +280,63 @@ static void cirrus_bitblt_fill_nop(CirrusVGAState *s,
 }
 
 #define ROP_NAME 0
-#define ROP_OP(d, s) d = 0
+#define ROP_FN(d, s) 0
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src_and_dst
-#define ROP_OP(d, s) d = (s) & (d)
+#define ROP_FN(d, s) (s) & (d)
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src_and_notdst
-#define ROP_OP(d, s) d = (s) & (~(d))
+#define ROP_FN(d, s) (s) & (~(d))
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME notdst
-#define ROP_OP(d, s) d = ~(d)
+#define ROP_FN(d, s) ~(d)
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src
-#define ROP_OP(d, s) d = s
+#define ROP_FN(d, s) s
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME 1
-#define ROP_OP(d, s) d = ~0
+#define ROP_FN(d, s) ~0
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME notsrc_and_dst
-#define ROP_OP(d, s) d = (~(s)) & (d)
+#define ROP_FN(d, s) (~(s)) & (d)
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src_xor_dst
-#define ROP_OP(d, s) d = (s) ^ (d)
+#define ROP_FN(d, s) (s) ^ (d)
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src_or_dst
-#define ROP_OP(d, s) d = (s) | (d)
+#define ROP_FN(d, s) (s) | (d)
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME notsrc_or_notdst
-#define ROP_OP(d, s) d = (~(s)) | (~(d))
+#define ROP_FN(d, s) (~(s)) | (~(d))
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src_notxor_dst
-#define ROP_OP(d, s) d = ~((s) ^ (d))
+#define ROP_FN(d, s) ~((s) ^ (d))
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME src_or_notdst
-#define ROP_OP(d, s) d = (s) | (~(d))
+#define ROP_FN(d, s) (s) | (~(d))
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME notsrc
-#define ROP_OP(d, s) d = (~(s))
+#define ROP_FN(d, s) (~(s))
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME notsrc_or_dst
-#define ROP_OP(d, s) d = (~(s)) | (d)
+#define ROP_FN(d, s) (~(s)) | (d)
 #include "cirrus_vga_rop.h"
 
 #define ROP_NAME notsrc_and_notdst
-#define ROP_OP(d, s) d = (~(s)) & (~(d))
+#define ROP_FN(d, s) (~(s)) & (~(d))
 #include "cirrus_vga_rop.h"
 
 static const cirrus_bitblt_rop_t cirrus_fwd_rop[16] = {
diff --git a/hw/cirrus_vga_rop.h b/hw/cirrus_vga_rop.h
index 39a7b72..9c7bb09 100644
--- a/hw/cirrus_vga_rop.h
+++ b/hw/cirrus_vga_rop.h
@@ -22,6 +22,26 @@
  * THE SOFTWARE.
  */
 
+static inline void glue(rop_8_,ROP_NAME)(uint8_t *dst, uint8_t src)
+{
+    *dst = ROP_FN(*dst, src);
+}
+
+static inline void glue(rop_16_,ROP_NAME)(uint16_t *dst, uint16_t src)
+{
+    *dst = ROP_FN(*dst, src);
+}
+
+static inline void glue(rop_32_,ROP_NAME)(uint32_t *dst, uint32_t src)
+{
+    *dst = ROP_FN(*dst, src);
+}
+
+#define ROP_OP(d, s) glue(rop_8_,ROP_NAME)(d, s)
+#define ROP_OP_16(d, s) glue(rop_16_,ROP_NAME)(d, s)
+#define ROP_OP_32(d, s) glue(rop_32_,ROP_NAME)(d, s)
+#undef ROP_FN
+
 static void
 glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
                              uint8_t *dst,const uint8_t *src,
@@ -39,7 +59,7 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
 
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
-            ROP_OP(*dst, *src);
+            ROP_OP(dst, *src);
             dst++;
             src++;
         }
@@ -59,7 +79,7 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
     srcpitch += bltwidth;
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
-            ROP_OP(*dst, *src);
+            ROP_OP(dst, *src);
             dst--;
             src--;
         }
@@ -81,7 +101,7 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
 	    p = *dst;
-            ROP_OP(p, *src);
+            ROP_OP(&p, *src);
 	    if (p != s->vga.gr[0x34]) *dst = p;
             dst++;
             src++;
@@ -104,7 +124,7 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
     for (y = 0; y < bltheight; y++) {
         for (x = 0; x < bltwidth; x++) {
 	    p = *dst;
-            ROP_OP(p, *src);
+            ROP_OP(&p, *src);
 	    if (p != s->vga.gr[0x34]) *dst = p;
             dst--;
             src--;
@@ -128,8 +148,8 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
         for (x = 0; x < bltwidth; x+=2) {
 	    p1 = *dst;
 	    p2 = *(dst+1);
-            ROP_OP(p1, *src);
-            ROP_OP(p2, *(src+1));
+            ROP_OP(&p1, *src);
+            ROP_OP(&p2, *(src + 1));
 	    if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) {
 		*dst = p1;
 		*(dst+1) = p2;
@@ -156,8 +176,8 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
         for (x = 0; x < bltwidth; x+=2) {
 	    p1 = *(dst-1);
 	    p2 = *dst;
-            ROP_OP(p1, *(src-1));
-            ROP_OP(p2, *src);
+            ROP_OP(&p1, *(src - 1));
+            ROP_OP(&p2, *src);
 	    if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) {
 		*(dst-1) = p1;
 		*dst = p2;
@@ -184,3 +204,5 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
 
 #undef ROP_NAME
 #undef ROP_OP
+#undef ROP_OP_16
+#undef ROP_OP_32
diff --git a/hw/cirrus_vga_rop2.h b/hw/cirrus_vga_rop2.h
index 81a5b39..d28bcc6 100644
--- a/hw/cirrus_vga_rop2.h
+++ b/hw/cirrus_vga_rop2.h
@@ -23,15 +23,15 @@
  */
 
 #if DEPTH == 8
-#define PUTPIXEL()    ROP_OP(d[0], col)
+#define PUTPIXEL()    ROP_OP(&d[0], col)
 #elif DEPTH == 16
-#define PUTPIXEL()    ROP_OP(((uint16_t *)d)[0], col);
+#define PUTPIXEL()    ROP_OP_16((uint16_t *)&d[0], col)
 #elif DEPTH == 24
-#define PUTPIXEL()    ROP_OP(d[0], col); \
-                      ROP_OP(d[1], (col >> 8)); \
-                      ROP_OP(d[2], (col >> 16))
+#define PUTPIXEL()    ROP_OP(&d[0], col);        \
+                      ROP_OP(&d[1], (col >> 8)); \
+                      ROP_OP(&d[2], (col >> 16))
 #elif DEPTH == 32
-#define PUTPIXEL()    ROP_OP(((uint32_t *)d)[0], col)
+#define PUTPIXEL()    ROP_OP_32(((uint32_t *)&d[0]), col)
 #else
 #error unsupported DEPTH
 #endif
commit 83e3f76c2565a06877dc415ac9f5cf6f1c75614c
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Oct 13 18:38:07 2010 +0000

    block: avoid a write only variable
    
    Compiling with GCC 4.6.0 20100925 produced a warning:
    /src/qemu/block/qcow2-refcount.c: In function 'update_refcount':
    /src/qemu/block/qcow2-refcount.c:552:13: error: variable 'dummy' set but not used [-Werror=unused-but-set-variable]
    
    Fix by adding a dummy cast so that the result is not unused.
    
    Acked-by: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 7082601..0efb676 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -551,6 +551,7 @@ fail:
     if (ret < 0) {
         int dummy;
         dummy = update_refcount(bs, offset, cluster_offset - offset, -addend);
+        (void)dummy;
     }
 
     return ret;
commit a2d3f69530b5b16947a8af0f184b3988eb64cadd
Merge: d7489b7... c885212...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Oct 11 15:37:11 2010 -0500

    Merge remote branch 'mst/for_anthony' into staging

commit d7489b72cae6ba5aaf7f3ac868b7fd18c0a59809
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Oct 9 08:24:17 2010 +0000

    trace: remove timestamp files when cleaning up
    
    'make clean' did not remove trace.[ch]-timestamp files,
    only trace.[ch]. But 'make' did not know how to make trace.[ch]
    files if the timestamp files were present.
    
    Fix by removing the timestamp files along with trace.[ch].
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index 92c041e..d9971c3 100644
--- a/Makefile
+++ b/Makefile
@@ -153,7 +153,7 @@ clean:
 	rm -f *.o *.d *.a $(TOOLS) TAGS cscope.* *.pod *~ */*~
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d net/*.o net/*.d fsdev/*.o fsdev/*.d ui/*.o ui/*.d
 	rm -f qemu-img-cmds.h
-	rm -f trace.c trace.h
+	rm -f trace.c trace.h trace.c-timestamp trace.h-timestamp
 	$(MAKE) -C tests clean
 	for d in $(ALL_SUBDIRS) libhw32 libhw64 libuser libdis libdis-user; do \
 	if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
commit ba80782912293c9b9828d0cf406f90b76bf4f61b
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Oct 7 21:15:58 2010 +0200

    configure: Send error message from spice check to /dev/null
    
    pkg-config is not always available (e.g. on win32 hosts),
    but we don't want to see the 'command not found' error message.
    
    Redirect stdout and stderr to /dev/null.
    
    v2:
    
    * Removed changes which should not have been here.
    
    Cc: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index b4e9c4c..d303061 100755
--- a/configure
+++ b/configure
@@ -2092,7 +2092,7 @@ int main(void) { spice_server_new(); return 0; }
 EOF
   spice_cflags=$($pkgconfig --cflags spice-protocol spice-server 2>/dev/null)
   spice_libs=$($pkgconfig --libs spice-protocol spice-server 2>/dev/null)
-  if $pkgconfig --atleast-version=0.5.3 spice-server &&\
+  if $pkgconfig --atleast-version=0.5.3 spice-server >/dev/null 2>&1 && \
      compile_prog "$spice_cflags" "$spice_libs" ; then
     spice="yes"
     libs_softmmu="$libs_softmmu $spice_libs"
commit 6650b7100b58d9f81ae5117d03e89dc97f142897
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Oct 7 18:55:48 2010 +0200

    win32: Set unbuffered stdout
    
    Win32 does not support line-buffering, but it allows
    unbuffered output.
    
    Unbuffered output is a good approximation. For typical output
    statements which usually end with '\n', it's even identical.
    
    Buffered output is unusable for program traces because of
    its large delay.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/os-win32.c b/os-win32.c
index dd46bf4..3c6f50f 100644
--- a/os-win32.c
+++ b/os-win32.c
@@ -221,6 +221,12 @@ char *os_find_datadir(const char *argv0)
     return NULL;
 }
 
+void os_set_line_buffering(void)
+{
+    setbuf(stdout, NULL);
+    setbuf(stderr, NULL);
+}
+
 /*
  * Parse OS specific command line options.
  * return 0 if option handled, -1 otherwise
diff --git a/qemu-os-win32.h b/qemu-os-win32.h
index 2ff9f45..c63778d 100644
--- a/qemu-os-win32.h
+++ b/qemu-os-win32.h
@@ -45,8 +45,7 @@ void os_host_main_loop_wait(int *timeout);
 static inline void os_setup_signal_handling(void) {}
 static inline void os_daemonize(void) {}
 static inline void os_setup_post(void) {}
-/* Win32 doesn't support line-buffering and requires size >= 2 */
-static inline void os_set_line_buffering(void) {}
+void os_set_line_buffering(void);
 static inline void os_set_proc_name(const char *dummy) {}
 
 #if !defined(EPROTONOSUPPORT)
commit ea95f15602234c1ff9c9be176ebe8bba55ee4dab
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Thu Oct 7 12:07:15 2010 +0100

    .gitignore: Ignore *-timestamp
    
    Timestamp files were recently added to reduce make churn on source files
    that use tracing.  The timestamp files should never be committed and
    should not be visible in git status.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/.gitignore b/.gitignore
index 72bff98..a43e4d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@ config-host.*
 config-target.*
 trace.h
 trace.c
+*-timestamp
 *-softmmu
 *-darwin-user
 *-linux-user
commit b755a4289ea6ab881c63b52c4f7f849edd93a232
Author: Vincent Minet <vincent at vincent-minet.net>
Date:   Tue Oct 5 02:23:12 2010 +0200

    acpi: Fix an infinite loop in acpi_table_add
    
    Commit d729bb9a7700e364b1c5f9893d61f07a9e002bce has a typo, causing an
    infinite loop in acpi_table_add.
    
    Signed-off-by: Vincent Minet <vincent at vincent-minet.net>
    Acked-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/acpi.c b/hw/acpi.c
index 069e05f..8071e7b 100644
--- a/hw/acpi.c
+++ b/hw/acpi.c
@@ -161,7 +161,7 @@ int acpi_table_add(const char *t)
 
         /* off < length is necessary because file size can be changed
            under our foot */
-        while(s.st_size && off < length); {
+        while(s.st_size && off < length) {
             int r;
             r = read(fd, p + off, s.st_size);
             if (r > 0) {
commit 10d554c65a1dbb4dc8cf87f1119883aa1b27cef4
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Wed Oct 6 21:09:17 2010 +0200

    configure: Remove unneeded defines from checks
    
    _GNU_SOURCE is already defined in QEMU_CFLAGS which
    is passed to gcc in shell function compile_prog.
    
    Removing the definition from several checks avoids compiler warnings
    (which are now written to config.log).
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 4f57054..b4e9c4c 100755
--- a/configure
+++ b/configure
@@ -1891,7 +1891,6 @@ fi
 utimens=no
 cat > $TMPC << EOF
 #define _ATFILE_SOURCE
-#define _GNU_SOURCE
 #include <stddef.h>
 #include <fcntl.h>
 
@@ -1909,7 +1908,6 @@ fi
 # check if pipe2 is there
 pipe2=no
 cat > $TMPC << EOF
-#define _GNU_SOURCE
 #include <unistd.h>
 #include <fcntl.h>
 
@@ -1927,7 +1925,6 @@ fi
 # check if accept4 is there
 accept4=no
 cat > $TMPC << EOF
-#define _GNU_SOURCE
 #include <sys/socket.h>
 #include <stddef.h>
 
@@ -1944,7 +1941,6 @@ fi
 # check if tee/splice is there. vmsplice was added same time.
 splice=no
 cat > $TMPC << EOF
-#define _GNU_SOURCE
 #include <unistd.h>
 #include <fcntl.h>
 #include <limits.h>
commit 832ce9c286a907be8e6aab43fb0ae0037268476a
Author: Scott Wood <scottwood at freescale.com>
Date:   Tue Oct 5 14:28:17 2010 -0500

    configure: include stddef.h for NULL
    
    This fixes an observed failure to detect madvise() on Linux.
    
    To avoid similar issues, all other tests that use NULL but don't already
    have stddef.h (or another header that is defined to provide NULL,
    such as stdio.h, unistd.h, or time.h) are also fixed.
    
    Signed-off-by: Scott Wood <scottwood at freescale.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 9e65de0..4f57054 100755
--- a/configure
+++ b/configure
@@ -1329,6 +1329,7 @@ if test "$vnc_png" != "no" ; then
 cat > $TMPC <<EOF
 //#include <stdio.h>
 #include <png.h>
+#include <stddef.h>
 int main(void) {
     png_structp png_ptr;
     png_ptr = png_create_write_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
@@ -1513,6 +1514,7 @@ if test "$brlapi" != "no" ; then
   brlapi_libs="-lbrlapi"
   cat > $TMPC << EOF
 #include <brlapi.h>
+#include <stddef.h>
 int main( void ) { return brlapi__openConnection (NULL, NULL, NULL); }
 EOF
   if compile_prog "" "$brlapi_libs" ; then
@@ -1747,6 +1749,7 @@ if test "$linux_aio" != "no" ; then
   cat > $TMPC <<EOF
 #include <libaio.h>
 #include <sys/eventfd.h>
+#include <stddef.h>
 int main(void) { io_setup(0, NULL); io_set_eventfd(NULL, 0); eventfd(0, 0); return 0; }
 EOF
   if compile_prog "" "-laio" ; then
@@ -2127,6 +2130,7 @@ madvise=no
 cat > $TMPC << EOF
 #include <sys/types.h>
 #include <sys/mman.h>
+#include <stddef.h>
 int main(void) { return madvise(NULL, 0, MADV_DONTNEED); }
 EOF
 if compile_prog "" "" ; then
@@ -2139,6 +2143,7 @@ fi
 posix_madvise=no
 cat > $TMPC << EOF
 #include <sys/mman.h>
+#include <stddef.h>
 int main(void) { return posix_madvise(NULL, 0, POSIX_MADV_DONTNEED); }
 EOF
 if compile_prog "" "" ; then
commit bbf0a440813816410eeee465b71b37100b2ec9ca
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Oct 5 14:28:53 2010 +0100

    trace: Trace bdrv_aio_{readv,writev}
    
    Observing block layer aio readv/writev operations is useful for
    debugging image formats or understanding guest disk I/O patterns.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block.c b/block.c
index ebbc376..a19374d 100644
--- a/block.c
+++ b/block.c
@@ -1983,6 +1983,8 @@ BlockDriverAIOCB *bdrv_aio_readv(BlockDriverState *bs, int64_t sector_num,
     BlockDriver *drv = bs->drv;
     BlockDriverAIOCB *ret;
 
+    trace_bdrv_aio_readv(bs, sector_num, nb_sectors, opaque);
+
     if (!drv)
         return NULL;
     if (bdrv_check_request(bs, sector_num, nb_sectors))
@@ -2007,6 +2009,8 @@ BlockDriverAIOCB *bdrv_aio_writev(BlockDriverState *bs, int64_t sector_num,
     BlockDriver *drv = bs->drv;
     BlockDriverAIOCB *ret;
 
+    trace_bdrv_aio_writev(bs, sector_num, nb_sectors, opaque);
+
     if (!drv)
         return NULL;
     if (bs->read_only)
diff --git a/trace-events b/trace-events
index b43317e..4300178 100644
--- a/trace-events
+++ b/trace-events
@@ -51,6 +51,8 @@ disable multiwrite_cb(void *mcb, int ret) "mcb %p ret %d"
 disable bdrv_aio_multiwrite(void *mcb, int num_callbacks, int num_reqs) "mcb %p num_callbacks %d num_reqs %d"
 disable bdrv_aio_multiwrite_earlyfail(void *mcb) "mcb %p"
 disable bdrv_aio_multiwrite_latefail(void *mcb, int i) "mcb %p i %d"
+disable bdrv_aio_readv(void *bs, int64_t sector_num, int nb_sectors, void *opaque) "bs %p sector_num %"PRId64" nb_sectors %d opaque %p"
+disable bdrv_aio_writev(void *bs, int64_t sector_num, int nb_sectors, void *opaque) "bs %p sector_num %"PRId64" nb_sectors %d opaque %p"
 
 # hw/virtio-blk.c
 disable virtio_blk_req_complete(void *req, int status) "req %p status %d"
commit ea9c16989b0c814d5dd2a09a576018a6aa320a27
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Oct 5 14:28:52 2010 +0100

    trace: Use TP_PROTO() and TP_ARGS() for LTTng UST
    
    The LTTng UserSpace Tracer formerly used TPPROTO() and TPARGS() instead
    of TP_PROTO() and TP_ARGS() like the kernel uses.  This has been changed
    so QEMU needs to follow.
    
    I am not aware of a graceful way of making the transition but since no
    one complained that the UST build is broken, it should be fine to just
    switch over without compatibility for old UST headers.  The newer UST
    headers are shipping in distro packages so it is realistic to make this
    change now.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tracetool b/tracetool
index 63e3e29..7010858 100755
--- a/tracetool
+++ b/tracetool
@@ -250,7 +250,7 @@ linetoh_ust()
     argnames=$(get_argnames "$1")
 
     cat <<EOF
-DECLARE_TRACE(ust_$name, TPPROTO($args), TPARGS($argnames));
+DECLARE_TRACE(ust_$name, TP_PROTO($args), TP_ARGS($argnames));
 #define trace_$name trace_ust_$name
 EOF
 }
commit 5eb5527b1eaec0955a91f8532424bb45611b7b0c
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Oct 5 14:28:51 2010 +0100

    trace: Don't strip lines containing '#' arbitrarily
    
    Although comment lines must be skipped, the '#' character can occur in
    valid format strings.  Be more careful when checking for comments.
    Leave comments at the end of the line where they will not interfere with
    other processing.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tracetool b/tracetool
index 534cc70..63e3e29 100755
--- a/tracetool
+++ b/tracetool
@@ -318,8 +318,7 @@ convert()
 
     while read -r str; do
         # Skip comments and empty lines
-        str=${str%%#*}
-        test -z "$str" && continue
+        test -z "${str%%#*}" && continue
 
         # Process the line.  The nop backend handles disabled lines.
         disable=${str%%disable *}
commit 9a85d3944715c709d740edb987b84bd657b9d7ef
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Oct 5 14:28:50 2010 +0100

    trace: Use portable format strings
    
    It is not portable to use "%ld" for int64_t because int64_t may have
    type long on 64-bit platforms and long long on 32-bit platforms.  Use
    the standard library PRId64 macros to keep format strings portable.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/docs/tracing.txt b/docs/tracing.txt
index ae01ff1..5504850 100644
--- a/docs/tracing.txt
+++ b/docs/tracing.txt
@@ -72,6 +72,10 @@ Trace events should use types as follows:
  * For everything else, use primitive scalar types (char, int, long) with the
    appropriate signedness.
 
+Format strings should reflect the types defined in the trace event.  Take
+special care to use PRId64 and PRIu64 for int64_t and uint64_t types,
+respectively.  This ensures portability between 32- and 64-bit platforms.
+
 === Hints for adding new trace events ===
 
 1. Trace state changes in the code.  Interesting points in the code usually
diff --git a/trace-events b/trace-events
index f32c83f..b43317e 100644
--- a/trace-events
+++ b/trace-events
@@ -55,10 +55,10 @@ disable bdrv_aio_multiwrite_latefail(void *mcb, int i) "mcb %p i %d"
 # hw/virtio-blk.c
 disable virtio_blk_req_complete(void *req, int status) "req %p status %d"
 disable virtio_blk_rw_complete(void *req, int ret) "req %p ret %d"
-disable virtio_blk_handle_write(void *req, unsigned long sector, unsigned long nsectors) "req %p sector %lu nsectors %lu"
+disable virtio_blk_handle_write(void *req, uint64_t sector, size_t nsectors) "req %p sector %"PRIu64" nsectors %zu"
 
 # posix-aio-compat.c
-disable paio_submit(void *acb, void *opaque, unsigned long sector_num, unsigned long nb_sectors, unsigned long type) "acb %p opaque %p sector_num %lu nb_sectors %lu type %lu"
+disable paio_submit(void *acb, void *opaque, int64_t sector_num, int nb_sectors, int type) "acb %p opaque %p sector_num %"PRId64" nb_sectors %d type %d"
 
 # ioport.c
 disable cpu_in(unsigned int addr, unsigned int val) "addr %#x value %u"
commit 85566812a4f8cae721fea0224e05a7e75c08c5dd
Author: Huang Ying <ying.huang at intel.com>
Date:   Fri Oct 8 16:25:14 2010 +0800

    Fix SRAO/SRAR MCE injecting on guest without MCG_SER_P
    
    On real machine, if MCG_SER_P in MSR_MCG_CAP is not set, SRAO/SRAR MCE
    should not be raised by hardware. This patch makes QEMU-KVM to follow
    the same rule.
    
    Reported-and-Reviewed-by: Hidetoshi Seto <seto.hidetoshi at jp.fujitsu.com>
    Signed-off-by: Huang Ying <ying.huang at intel.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm.c b/qemu-kvm.c
index e33fe17..e78d850 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1134,7 +1134,7 @@ static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
                            void *ctx)
 {
 #if defined(KVM_CAP_MCE) && defined(TARGET_I386)
-    if (first_cpu->mcg_cap && siginfo->ssi_addr
+    if ((first_cpu->mcg_cap & MCG_SER_P) && siginfo->ssi_addr
         && siginfo->ssi_code == BUS_MCEERR_AO) {
         uint64_t status;
         void *vaddr;
@@ -1324,7 +1324,7 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
     unsigned long paddr;
     int r;
 
-    if (env->mcg_cap && siginfo->si_addr
+    if ((env->mcg_cap & MCG_SER_P) && siginfo->si_addr
         && (siginfo->si_code == BUS_MCEERR_AR
             || siginfo->si_code == BUS_MCEERR_AO)) {
         if (siginfo->si_code == BUS_MCEERR_AR) {
@@ -1356,7 +1356,7 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
         if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
             !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
             fprintf(stderr, "Hardware memory error for memory used by "
-                    "QEMU itself instaed of guest system!\n");
+                    "QEMU itself instead of guest system!\n");
             /* Hope we are lucky for AO MCE */
             if (siginfo->si_code == BUS_MCEERR_AO) {
                 return;
commit 84a23f251fe85768338434040257bb96cf555de8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Aug 30 16:36:53 2010 +0200

    spice: add misc config options
    
    This patch adds a few more options to tweak spice server behavior.
    The documentation update chunk has the details ;)

diff --git a/qemu-config.c b/qemu-config.c
index 5a62ae1..52f18be 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -415,6 +415,15 @@ QemuOptsList qemu_spice_opts = {
         },{
             .name = "zlib-glz-wan-compression",
             .type = QEMU_OPT_STRING,
+        },{
+            .name = "streaming-video",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "agent-mouse",
+            .type = QEMU_OPT_BOOL,
+        },{
+            .name = "playback-compression",
+            .type = QEMU_OPT_BOOL,
         },
         { /* end if list */ }
     },
diff --git a/qemu-options.hx b/qemu-options.hx
index 0410b90..9e38dfb 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -728,6 +728,15 @@ Default is auto_glz.
 Configure wan image compression (lossy for slow links).
 Default is auto.
 
+ at item streaming-video=[off|all|filter]
+Configure video stream detection.  Default is filter.
+
+ at item agent-mouse=[on|off]
+Enable/disable passing mouse events via vdagent.  Default is on.
+
+ at item playback-compression=[on|off]
+Enable/disable audio stream compression (using celt 0.5.1).  Default is on.
+
 @end table
 ETEXI
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 6f613c6..6a1cf17 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -169,6 +169,18 @@ static int parse_name(const char *string, const char *optname,
     exit(1);
 }
 
+#if SPICE_SERVER_VERSION >= 0x000600 /* 0.6.0 */
+
+static const char *stream_video_names[] = {
+    [ SPICE_STREAM_VIDEO_OFF ]    = "off",
+    [ SPICE_STREAM_VIDEO_ALL ]    = "all",
+    [ SPICE_STREAM_VIDEO_FILTER ] = "filter",
+};
+#define parse_stream_video(_name) \
+    name2enum(_name, stream_video_names, ARRAY_SIZE(stream_video_names))
+
+#endif /* >= 0.6.0 */
+
 static const char *compression_names[] = {
     [ SPICE_IMAGE_COMPRESS_OFF ]      = "off",
     [ SPICE_IMAGE_COMPRESS_AUTO_GLZ ] = "auto_glz",
@@ -228,7 +240,7 @@ void qemu_spice_init(void)
     char *x509_key_file = NULL,
         *x509_cert_file = NULL,
         *x509_cacert_file = NULL;
-    int port, tls_port, len, addr_flags;
+    int port, tls_port, len, addr_flags, streaming_video;
     spice_image_compression_t compression;
     spice_wan_compression_t wan_compr;
 
@@ -328,6 +340,21 @@ void qemu_spice_init(void)
     }
     spice_server_set_zlib_glz_compression(spice_server, wan_compr);
 
+#if SPICE_SERVER_VERSION >= 0x000600 /* 0.6.0 */
+
+    str = qemu_opt_get(opts, "streaming-video");
+    if (str) {
+        streaming_video = parse_stream_video(str);
+        spice_server_set_streaming_video(spice_server, streaming_video);
+    }
+
+    spice_server_set_agent_mouse
+        (spice_server, qemu_opt_get_bool(opts, "agent-mouse", 1));
+    spice_server_set_playback_compression
+        (spice_server, qemu_opt_get_bool(opts, "playback-compression", 1));
+
+#endif /* >= 0.6.0 */
+
     qemu_opt_foreach(opts, add_channel, NULL, 0);
 
     spice_server_init(spice_server, &core_interface);
commit 333b0eebcc8941b8453e837293eaa1191e967c25
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Aug 27 14:29:16 2010 +0200

    spice: add config options for the listening address
    
    Make listening address configurable.  Also add options to
    force using IPv4 or IPv6.

diff --git a/qemu-config.c b/qemu-config.c
index f52e50c..5a62ae1 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -365,6 +365,15 @@ QemuOptsList qemu_spice_opts = {
             .name = "tls-port",
             .type = QEMU_OPT_NUMBER,
         },{
+            .name = "addr",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "ipv4",
+            .type = QEMU_OPT_BOOL,
+        },{
+            .name = "ipv6",
+            .type = QEMU_OPT_BOOL,
+        },{
             .name = "password",
             .type = QEMU_OPT_STRING,
         },{
diff --git a/qemu-options.hx b/qemu-options.hx
index 5a0d26b..0410b90 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -682,6 +682,13 @@ Enable the spice remote desktop protocol. Valid options are
 @item port=<nr>
 Set the TCP port spice is listening on for plaintext channels.
 
+ at item addr=<addr>
+Set the IP address spice is listening on.  Default is any address.
+
+ at item ipv4
+ at item ipv6
+Force using the specified IP version.
+
 @item password=<secret>
 Set the password you need to authenticate.
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 7664ef7..6f613c6 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -221,14 +221,14 @@ static int add_channel(const char *name, const char *value, void *opaque)
 void qemu_spice_init(void)
 {
     QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
-    const char *password, *str, *x509_dir,
+    const char *password, *str, *x509_dir, *addr,
         *x509_key_password = NULL,
         *x509_dh_file = NULL,
         *tls_ciphers = NULL;
     char *x509_key_file = NULL,
         *x509_cert_file = NULL,
         *x509_cacert_file = NULL;
-    int port, tls_port, len;
+    int port, tls_port, len, addr_flags;
     spice_image_compression_t compression;
     spice_wan_compression_t wan_compr;
 
@@ -278,7 +278,16 @@ void qemu_spice_init(void)
         tls_ciphers = qemu_opt_get(opts, "tls-ciphers");
     }
 
+    addr = qemu_opt_get(opts, "addr");
+    addr_flags = 0;
+    if (qemu_opt_get_bool(opts, "ipv4", 0)) {
+        addr_flags |= SPICE_ADDR_FLAG_IPV4_ONLY;
+    } else if (qemu_opt_get_bool(opts, "ipv6", 0)) {
+        addr_flags |= SPICE_ADDR_FLAG_IPV6_ONLY;
+    }
+
     spice_server = spice_server_new();
+    spice_server_set_addr(spice_server, addr ? addr : "", addr_flags);
     if (port) {
         spice_server_set_port(spice_server, port);
     }
commit 17b6dea08bd8c8484bc48dc67add236d2fe002b5
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Aug 27 14:09:56 2010 +0200

    spice: add config options for channel security.
    
    This allows to enforce tls or plaintext usage for certain spice
    channels.
    
    [ v2: code style fixup ]

diff --git a/qemu-config.c b/qemu-config.c
index 8b545b1..f52e50c 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -392,6 +392,12 @@ QemuOptsList qemu_spice_opts = {
             .name = "tls-ciphers",
             .type = QEMU_OPT_STRING,
         },{
+            .name = "tls-channel",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "plaintext-channel",
+            .type = QEMU_OPT_STRING,
+        },{
             .name = "image-compression",
             .type = QEMU_OPT_STRING,
         },{
diff --git a/qemu-options.hx b/qemu-options.hx
index b9edaae..5a0d26b 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -704,6 +704,14 @@ The x509 file names can also be configured individually.
 @item tls-ciphers=<list>
 Specify which ciphers to use.
 
+ at item tls-channel=[main|display|inputs|record|playback|tunnel]
+ at item plaintext-channel=[main|display|inputs|record|playback|tunnel]
+Force specific channel to be used with or without TLS encryption.  The
+options can be specified multiple times to configure multiple
+channels.  The special name "default" can be used to set the default
+mode.  For channels which are not explicitly forced into one mode the
+spice client is allowed to pick tls/plaintext as he pleases.
+
 @item image-compression=[auto_glz|auto_lz|quic|glz|lz|off]
 Configure image compression (lossless).
 Default is auto_glz.
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 1567046..7664ef7 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -192,6 +192,32 @@ static const char *wan_compression_names[] = {
 
 /* functions for the rest of qemu */
 
+static int add_channel(const char *name, const char *value, void *opaque)
+{
+    int security = 0;
+    int rc;
+
+    if (strcmp(name, "tls-channel") == 0) {
+        security = SPICE_CHANNEL_SECURITY_SSL;
+    }
+    if (strcmp(name, "plaintext-channel") == 0) {
+        security = SPICE_CHANNEL_SECURITY_NONE;
+    }
+    if (security == 0) {
+        return 0;
+    }
+    if (strcmp(value, "default") == 0) {
+        rc = spice_server_set_channel_security(spice_server, NULL, security);
+    } else {
+        rc = spice_server_set_channel_security(spice_server, value, security);
+    }
+    if (rc != 0) {
+        fprintf(stderr, "spice: failed to set channel security for %s\n", value);
+        exit(1);
+    }
+    return 0;
+}
+
 void qemu_spice_init(void)
 {
     QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
@@ -293,6 +319,8 @@ void qemu_spice_init(void)
     }
     spice_server_set_zlib_glz_compression(spice_server, wan_compr);
 
+    qemu_opt_foreach(opts, add_channel, NULL, 0);
+
     spice_server_init(spice_server, &core_interface);
     using_spice = 1;
 
commit 9f04e09e36e430dd57c69c88b0532e9dc5061a47
Author: Yonit Halperin <yhalperi at redhat.com>
Date:   Wed Jul 14 13:26:34 2010 +0300

    spice: make compression configurable.
    
    This patch adds options to the -spice command line switch to
    configure image compression.
    
    [ v2: speling fix in the documentation ]

diff --git a/qemu-config.c b/qemu-config.c
index 26748a5..8b545b1 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -391,6 +391,15 @@ QemuOptsList qemu_spice_opts = {
         },{
             .name = "tls-ciphers",
             .type = QEMU_OPT_STRING,
+        },{
+            .name = "image-compression",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "jpeg-wan-compression",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "zlib-glz-wan-compression",
+            .type = QEMU_OPT_STRING,
         },
         { /* end if list */ }
     },
diff --git a/qemu-options.hx b/qemu-options.hx
index 9d3f8ef..b9edaae 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -704,6 +704,15 @@ The x509 file names can also be configured individually.
 @item tls-ciphers=<list>
 Specify which ciphers to use.
 
+ at item image-compression=[auto_glz|auto_lz|quic|glz|lz|off]
+Configure image compression (lossless).
+Default is auto_glz.
+
+ at item jpeg-wan-compression=[auto|never|always]
+ at item zlib-glz-wan-compression=[auto|never|always]
+Configure wan image compression (lossy for slow links).
+Default is auto.
+
 @end table
 ETEXI
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 51aa782..1567046 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -137,6 +137,59 @@ static SpiceCoreInterface core_interface = {
     .watch_remove       = watch_remove,
 };
 
+/* config string parsing */
+
+static int name2enum(const char *string, const char *table[], int entries)
+{
+    int i;
+
+    if (string) {
+        for (i = 0; i < entries; i++) {
+            if (!table[i]) {
+                continue;
+            }
+            if (strcmp(string, table[i]) != 0) {
+                continue;
+            }
+            return i;
+        }
+    }
+    return -1;
+}
+
+static int parse_name(const char *string, const char *optname,
+                      const char *table[], int entries)
+{
+    int value = name2enum(string, table, entries);
+
+    if (value != -1) {
+        return value;
+    }
+    fprintf(stderr, "spice: invalid %s: %s\n", optname, string);
+    exit(1);
+}
+
+static const char *compression_names[] = {
+    [ SPICE_IMAGE_COMPRESS_OFF ]      = "off",
+    [ SPICE_IMAGE_COMPRESS_AUTO_GLZ ] = "auto_glz",
+    [ SPICE_IMAGE_COMPRESS_AUTO_LZ ]  = "auto_lz",
+    [ SPICE_IMAGE_COMPRESS_QUIC ]     = "quic",
+    [ SPICE_IMAGE_COMPRESS_GLZ ]      = "glz",
+    [ SPICE_IMAGE_COMPRESS_LZ ]       = "lz",
+};
+#define parse_compression(_name)                                        \
+    parse_name(_name, "image compression",                              \
+               compression_names, ARRAY_SIZE(compression_names))
+
+static const char *wan_compression_names[] = {
+    [ SPICE_WAN_COMPRESSION_AUTO   ] = "auto",
+    [ SPICE_WAN_COMPRESSION_NEVER  ] = "never",
+    [ SPICE_WAN_COMPRESSION_ALWAYS ] = "always",
+};
+#define parse_wan_compression(_name)                                    \
+    parse_name(_name, "wan compression",                                \
+               wan_compression_names, ARRAY_SIZE(wan_compression_names))
+
 /* functions for the rest of qemu */
 
 void qemu_spice_init(void)
@@ -150,6 +203,8 @@ void qemu_spice_init(void)
         *x509_cert_file = NULL,
         *x509_cacert_file = NULL;
     int port, tls_port, len;
+    spice_image_compression_t compression;
+    spice_wan_compression_t wan_compr;
 
     if (!opts) {
         return;
@@ -217,8 +272,26 @@ void qemu_spice_init(void)
         spice_server_set_noauth(spice_server);
     }
 
-    /* TODO: make configurable via cmdline */
-    spice_server_set_image_compression(spice_server, SPICE_IMAGE_COMPRESS_AUTO_GLZ);
+    compression = SPICE_IMAGE_COMPRESS_AUTO_GLZ;
+    str = qemu_opt_get(opts, "image-compression");
+    if (str) {
+        compression = parse_compression(str);
+    }
+    spice_server_set_image_compression(spice_server, compression);
+
+    wan_compr = SPICE_WAN_COMPRESSION_AUTO;
+    str = qemu_opt_get(opts, "jpeg-wan-compression");
+    if (str) {
+        wan_compr = parse_wan_compression(str);
+    }
+    spice_server_set_jpeg_compression(spice_server, wan_compr);
+
+    wan_compr = SPICE_WAN_COMPRESSION_AUTO;
+    str = qemu_opt_get(opts, "zlib-glz-wan-compression");
+    if (str) {
+        wan_compr = parse_wan_compression(str);
+    }
+    spice_server_set_zlib_glz_compression(spice_server, wan_compr);
 
     spice_server_init(spice_server, &core_interface);
     using_spice = 1;
commit c448e8552b0f6135dabddf944a7110f929c08320
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Mar 11 11:13:32 2010 -0300

    spice: tls support
    
    Add options to the -spice command line switch to setup tls.

diff --git a/qemu-config.c b/qemu-config.c
index 32917cb..26748a5 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -362,11 +362,35 @@ QemuOptsList qemu_spice_opts = {
             .name = "port",
             .type = QEMU_OPT_NUMBER,
         },{
+            .name = "tls-port",
+            .type = QEMU_OPT_NUMBER,
+        },{
             .name = "password",
             .type = QEMU_OPT_STRING,
         },{
             .name = "disable-ticketing",
             .type = QEMU_OPT_BOOL,
+        },{
+            .name = "x509-dir",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-key-file",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-key-password",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-cert-file",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-cacert-file",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "x509-dh-key-file",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "tls-ciphers",
+            .type = QEMU_OPT_STRING,
         },
         { /* end if list */ }
     },
diff --git a/qemu-options.hx b/qemu-options.hx
index 718d47a..9d3f8ef 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -680,7 +680,7 @@ Enable the spice remote desktop protocol. Valid options are
 @table @option
 
 @item port=<nr>
-Set the TCP port spice is listening on.
+Set the TCP port spice is listening on for plaintext channels.
 
 @item password=<secret>
 Set the password you need to authenticate.
@@ -688,6 +688,22 @@ Set the password you need to authenticate.
 @item disable-ticketing
 Allow client connects without authentication.
 
+ at item tls-port=<nr>
+Set the TCP port spice is listening on for encrypted channels.
+
+ at item x509-dir=<dir>
+Set the x509 file directory. Expects same filenames as -vnc $display,x509=$dir
+
+ at item x509-key-file=<file>
+ at item x509-key-password=<file>
+ at item x509-cert-file=<file>
+ at item x509-cacert-file=<file>
+ at item x509-dh-key-file=<file>
+The x509 file names can also be configured individually.
+
+ at item tls-ciphers=<list>
+Specify which ciphers to use.
+
 @end table
 ETEXI
 
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 8b5e4a8..51aa782 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -22,6 +22,7 @@
 #include "qemu-spice.h"
 #include "qemu-timer.h"
 #include "qemu-queue.h"
+#include "qemu-x509.h"
 #include "monitor.h"
 
 /* core bits */
@@ -141,20 +142,74 @@ static SpiceCoreInterface core_interface = {
 void qemu_spice_init(void)
 {
     QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
-    const char *password;
-    int port;
+    const char *password, *str, *x509_dir,
+        *x509_key_password = NULL,
+        *x509_dh_file = NULL,
+        *tls_ciphers = NULL;
+    char *x509_key_file = NULL,
+        *x509_cert_file = NULL,
+        *x509_cacert_file = NULL;
+    int port, tls_port, len;
 
     if (!opts) {
         return;
     }
     port = qemu_opt_get_number(opts, "port", 0);
-    if (!port) {
+    tls_port = qemu_opt_get_number(opts, "tls-port", 0);
+    if (!port && !tls_port) {
         return;
     }
     password = qemu_opt_get(opts, "password");
 
+    if (tls_port) {
+        x509_dir = qemu_opt_get(opts, "x509-dir");
+        if (NULL == x509_dir) {
+            x509_dir = ".";
+        }
+        len = strlen(x509_dir) + 32;
+
+        str = qemu_opt_get(opts, "x509-key-file");
+        if (str) {
+            x509_key_file = qemu_strdup(str);
+        } else {
+            x509_key_file = qemu_malloc(len);
+            snprintf(x509_key_file, len, "%s/%s", x509_dir, X509_SERVER_KEY_FILE);
+        }
+
+        str = qemu_opt_get(opts, "x509-cert-file");
+        if (str) {
+            x509_cert_file = qemu_strdup(str);
+        } else {
+            x509_cert_file = qemu_malloc(len);
+            snprintf(x509_cert_file, len, "%s/%s", x509_dir, X509_SERVER_CERT_FILE);
+        }
+
+        str = qemu_opt_get(opts, "x509-cacert-file");
+        if (str) {
+            x509_cacert_file = qemu_strdup(str);
+        } else {
+            x509_cacert_file = qemu_malloc(len);
+            snprintf(x509_cacert_file, len, "%s/%s", x509_dir, X509_CA_CERT_FILE);
+        }
+
+        x509_key_password = qemu_opt_get(opts, "x509-key-password");
+        x509_dh_file = qemu_opt_get(opts, "x509-dh-file");
+        tls_ciphers = qemu_opt_get(opts, "tls-ciphers");
+    }
+
     spice_server = spice_server_new();
-    spice_server_set_port(spice_server, port);
+    if (port) {
+        spice_server_set_port(spice_server, port);
+    }
+    if (tls_port) {
+        spice_server_set_tls(spice_server, tls_port,
+                             x509_cacert_file,
+                             x509_cert_file,
+                             x509_key_file,
+                             x509_key_password,
+                             x509_dh_file,
+                             tls_ciphers);
+    }
     if (password) {
         spice_server_set_ticket(spice_server, password, 0, 0, 0);
     }
@@ -169,6 +224,10 @@ void qemu_spice_init(void)
     using_spice = 1;
 
     qemu_spice_input_init();
+
+    qemu_free(x509_key_file);
+    qemu_free(x509_cert_file);
+    qemu_free(x509_cacert_file);
 }
 
 int qemu_spice_add_interface(SpiceBaseInstance *sin)
commit 3e18c6bf7740e4a75503b803ec7d5dc29a531e4f
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Thu Oct 7 21:20:52 2010 +0200

    cris: Consider the TLB valid bit on writes to the TLB
    
    When updating the guest TLB we only need to flush previous
    mappings from the entry written if the entry was valid.
    
    Also fixes a compiler warning reported by Blue Swirl.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/op_helper.c b/target-cris/op_helper.c
index a60da94..be9eb06 100644
--- a/target-cris/op_helper.c
+++ b/target-cris/op_helper.c
@@ -164,7 +164,9 @@ void helper_movl_sreg_reg (uint32_t sreg, uint32_t reg)
 
 			D_LOG("tlb flush vaddr=%x v=%d pc=%x\n", 
 				  vaddr, tlb_v, env->pc);
-			tlb_flush_page(env, vaddr);
+			if (tlb_v) {
+				tlb_flush_page(env, vaddr);
+			}
 		}
 	}
 #endif
commit 0d797e7ff45efb7034dd889123a52526a1dc50d1
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Thu Oct 7 11:58:08 2010 +0200

    msix: factor out mask notifier code
    
    Move some common code handling msix mask notifiers to a function.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index bc72b02..5511d00 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -584,40 +584,26 @@ void msix_unuse_all_vectors(PCIDevice *dev)
     msix_free_irq_entries(dev);
 }
 
-static int msix_set_mask_notifier_for_vector(PCIDevice *dev, unsigned vector)
+/* Invoke the notifier if vector entry is used and unmasked. */
+static int msix_notify_if_unmasked(PCIDevice *dev, unsigned vector, int masked)
 {
-    int r = 0;
-    if (vector >= dev->msix_entries_nr || !dev->msix_entry_used[vector])
-        return 0;
-
     assert(dev->msix_mask_notifier);
-
-    /* Unmask the new notifier unless vector is masked. */
-    if (!msix_is_masked(dev, vector)) {
-        r = dev->msix_mask_notifier(dev, vector, false);
-        if (r < 0) {
-            return r;
-        }
+    if (!dev->msix_entry_used[vector] || msix_is_masked(dev, vector)) {
+        return 0;
     }
-    return r;
+    return dev->msix_mask_notifier(dev, vector, masked);
 }
 
-static int msix_unset_mask_notifier_for_vector(PCIDevice *dev, unsigned vector)
+static int msix_set_mask_notifier_for_vector(PCIDevice *dev, unsigned vector)
 {
-    int r = 0;
-    if (vector >= dev->msix_entries_nr || !dev->msix_entry_used[vector])
-        return 0;
-
-    assert(dev->msix_mask_notifier);
+	/* Notifier has been set. Invoke it on unmasked vectors. */
+	return msix_notify_if_unmasked(dev, vector, 0);
+}
 
-    /* Mask the old notifier unless it is already masked. */
-    if (!msix_is_masked(dev, vector)) {
-        r = dev->msix_mask_notifier(dev, vector, true);
-        if (r < 0) {
-            return r;
-        }
-    }
-    return r;
+static int msix_unset_mask_notifier_for_vector(PCIDevice *dev, unsigned vector)
+{
+	/* Notifier will be unset. Invoke it to mask unmasked entries. */
+	return msix_notify_if_unmasked(dev, vector, 1);
 }
 
 int msix_set_mask_notifier(PCIDevice *dev, msix_mask_notifier_func f)
commit 77780bc1d1953fb0671f9cac576eeae9dfe6f687
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 6 12:33:00 2010 -0400

    vhost: error code
    
    fix up errors returned to include errno, not just -1
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/vhost.c b/hw/vhost.c
index fb95121..8586f66 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -515,12 +515,14 @@ static int vhost_virtqueue_init(struct vhost_dev *dev,
     file.fd = event_notifier_get_fd(virtio_queue_get_host_notifier(vvq));
     r = ioctl(dev->control, VHOST_SET_VRING_KICK, &file);
     if (r) {
+        r = -errno;
         goto fail_kick;
     }
 
     file.fd = event_notifier_get_fd(virtio_queue_get_guest_notifier(vvq));
     r = ioctl(dev->control, VHOST_SET_VRING_CALL, &file);
     if (r) {
+        r = -errno;
         goto fail_call;
     }
 
commit c9646bee60f419f76181ab4d1d094afa193834a3
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 6 07:22:00 2010 +0200

    vhost: fix up irqfd support
    
    vhost irqfd support: case where many vqs are
    mapped to a single msix vector is currently broken.
    Fix it up.
    
    	Includes this patch from qemu.git:
    
    virtio: change set guest notifier to per-device
    
    When using irqfd with vhost-net to inject interrupts,
    a single evenfd might inject multiple interrupts.
    Implementing this is much easier with a single
    per-device callback to set guest notifiers.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index 9663b17..bc72b02 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -301,10 +301,8 @@ static void msix_mmio_writel(void *opaque, target_phys_addr_t addr,
     if (kvm_enabled() && kvm_irqchip_in_kernel()) {
         kvm_msix_update(dev, vector, was_masked, msix_is_masked(dev, vector));
     }
-    if (was_masked != msix_is_masked(dev, vector) &&
-        dev->msix_mask_notifier && dev->msix_mask_notifier_opaque[vector]) {
+    if (was_masked != msix_is_masked(dev, vector) && dev->msix_mask_notifier) {
         int r = dev->msix_mask_notifier(dev, vector,
-					dev->msix_mask_notifier_opaque[vector],
 					msix_is_masked(dev, vector));
         assert(r >= 0);
     }
@@ -352,9 +350,8 @@ static void msix_mask_all(struct PCIDevice *dev, unsigned nentries)
         int was_masked = msix_is_masked(dev, vector);
         dev->msix_table_page[offset] |= MSIX_VECTOR_MASK;
         if (was_masked != msix_is_masked(dev, vector) &&
-            dev->msix_mask_notifier && dev->msix_mask_notifier_opaque[vector]) {
+            dev->msix_mask_notifier) {
             r = dev->msix_mask_notifier(dev, vector,
-                                        dev->msix_mask_notifier_opaque[vector],
                                         msix_is_masked(dev, vector));
             assert(r >= 0);
         }
@@ -380,8 +377,6 @@ int msix_init(struct PCIDevice *dev, unsigned short nentries,
                                             sizeof *dev->msix_irq_entries);
     }
 #endif
-    dev->msix_mask_notifier_opaque =
-        qemu_mallocz(nentries * sizeof *dev->msix_mask_notifier_opaque);
     dev->msix_mask_notifier = NULL;
     dev->msix_entry_used = qemu_mallocz(MSIX_MAX_ENTRIES *
                                         sizeof *dev->msix_entry_used);
@@ -445,8 +440,6 @@ int msix_uninit(PCIDevice *dev)
     dev->msix_entry_used = NULL;
     qemu_free(dev->msix_irq_entries);
     dev->msix_irq_entries = NULL;
-    qemu_free(dev->msix_mask_notifier_opaque);
-    dev->msix_mask_notifier_opaque = NULL;
     dev->cap_present &= ~QEMU_PCI_CAP_MSIX;
     return 0;
 }
@@ -591,46 +584,79 @@ void msix_unuse_all_vectors(PCIDevice *dev)
     msix_free_irq_entries(dev);
 }
 
-int msix_set_mask_notifier(PCIDevice *dev, unsigned vector, void *opaque)
+static int msix_set_mask_notifier_for_vector(PCIDevice *dev, unsigned vector)
 {
     int r = 0;
     if (vector >= dev->msix_entries_nr || !dev->msix_entry_used[vector])
         return 0;
 
     assert(dev->msix_mask_notifier);
-    assert(opaque);
-    assert(!dev->msix_mask_notifier_opaque[vector]);
 
     /* Unmask the new notifier unless vector is masked. */
     if (!msix_is_masked(dev, vector)) {
-        r = dev->msix_mask_notifier(dev, vector, opaque, false);
+        r = dev->msix_mask_notifier(dev, vector, false);
         if (r < 0) {
             return r;
         }
     }
-    dev->msix_mask_notifier_opaque[vector] = opaque;
     return r;
 }
 
-int msix_unset_mask_notifier(PCIDevice *dev, unsigned vector)
+static int msix_unset_mask_notifier_for_vector(PCIDevice *dev, unsigned vector)
 {
     int r = 0;
-    void *opaque;
     if (vector >= dev->msix_entries_nr || !dev->msix_entry_used[vector])
         return 0;
 
-    opaque = dev->msix_mask_notifier_opaque[vector];
-
     assert(dev->msix_mask_notifier);
-    assert(opaque);
 
     /* Mask the old notifier unless it is already masked. */
     if (!msix_is_masked(dev, vector)) {
-        r = dev->msix_mask_notifier(dev, vector, opaque, true);
+        r = dev->msix_mask_notifier(dev, vector, true);
         if (r < 0) {
             return r;
         }
     }
-    dev->msix_mask_notifier_opaque[vector] = NULL;
+    return r;
+}
+
+int msix_set_mask_notifier(PCIDevice *dev, msix_mask_notifier_func f)
+{
+    int r, n;
+    assert(!dev->msix_mask_notifier);
+    dev->msix_mask_notifier = f;
+    for (n = 0; n < dev->msix_entries_nr; ++n) {
+        r = msix_set_mask_notifier_for_vector(dev, n);
+        if (r < 0) {
+            goto undo;
+        }
+    }
+    return 0;
+
+undo:
+    while (--n >= 0) {
+        msix_unset_mask_notifier_for_vector(dev, n);
+    }
+    dev->msix_mask_notifier = NULL;
+    return r;
+}
+
+int msix_unset_mask_notifier(PCIDevice *dev)
+{
+    int r, n;
+    assert(dev->msix_mask_notifier);
+    for (n = 0; n < dev->msix_entries_nr; ++n) {
+        r = msix_unset_mask_notifier_for_vector(dev, n);
+        if (r < 0) {
+            goto undo;
+        }
+    }
+    dev->msix_mask_notifier = NULL;
+    return 0;
+
+undo:
+    while (--n >= 0) {
+        msix_set_mask_notifier_for_vector(dev, n);
+    }
     return r;
 }
diff --git a/hw/msix.h b/hw/msix.h
index 6b21ffb..5a81df5 100644
--- a/hw/msix.h
+++ b/hw/msix.h
@@ -33,6 +33,6 @@ void msix_reset(PCIDevice *dev);
 
 extern int msix_supported;
 
-int msix_set_mask_notifier(PCIDevice *dev, unsigned vector, void *opaque);
-int msix_unset_mask_notifier(PCIDevice *dev, unsigned vector);
+int msix_set_mask_notifier(PCIDevice *dev, msix_mask_notifier_func);
+int msix_unset_mask_notifier(PCIDevice *dev);
 #endif
diff --git a/hw/pci.h b/hw/pci.h
index ed86c57..820d5b3 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -131,7 +131,7 @@ enum {
 #define PCI_CAPABILITY_CONFIG_MSIX_LENGTH 0x10
 
 typedef int (*msix_mask_notifier_func)(PCIDevice *, unsigned vector,
-				       void *opaque, int masked);
+				       int masked);
 
 struct PCIDevice {
     DeviceState qdev;
@@ -198,7 +198,6 @@ struct PCIDevice {
 
     struct kvm_irq_routing_entry *msix_irq_entries;
 
-    void **msix_mask_notifier_opaque;
     msix_mask_notifier_func msix_mask_notifier;
 
     /* Device capability configuration space */
diff --git a/hw/vhost.c b/hw/vhost.c
index 1b8624d..fb95121 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -454,11 +454,6 @@ static int vhost_virtqueue_init(struct vhost_dev *dev,
     };
     struct VirtQueue *vvq = virtio_get_queue(vdev, idx);
 
-    if (!vdev->binding->set_guest_notifier) {
-        fprintf(stderr, "binding does not support guest notifiers\n");
-        return -ENOSYS;
-    }
-
     if (!vdev->binding->set_host_notifier) {
         fprintf(stderr, "binding does not support host notifiers\n");
         return -ENOSYS;
@@ -511,12 +506,6 @@ static int vhost_virtqueue_init(struct vhost_dev *dev,
         r = -errno;
         goto fail_alloc;
     }
-    r = vdev->binding->set_guest_notifier(vdev->binding_opaque, idx, true);
-    if (r < 0) {
-        fprintf(stderr, "Error binding guest notifier: %d\n", -r);
-        goto fail_guest_notifier;
-    }
-
     r = vdev->binding->set_host_notifier(vdev->binding_opaque, idx, true);
     if (r < 0) {
         fprintf(stderr, "Error binding host notifier: %d\n", -r);
@@ -541,8 +530,6 @@ fail_call:
 fail_kick:
     vdev->binding->set_host_notifier(vdev->binding_opaque, idx, false);
 fail_host_notifier:
-    vdev->binding->set_guest_notifier(vdev->binding_opaque, idx, false);
-fail_guest_notifier:
 fail_alloc:
     cpu_physical_memory_unmap(vq->ring, virtio_queue_get_ring_size(vdev, idx),
                               0, 0);
@@ -568,13 +555,6 @@ static void vhost_virtqueue_cleanup(struct vhost_dev *dev,
         .index = idx,
     };
     int r;
-    r = vdev->binding->set_guest_notifier(vdev->binding_opaque, idx, false);
-    if (r < 0) {
-        fprintf(stderr, "vhost VQ %d guest cleanup failed: %d\n", idx, r);
-        fflush(stderr);
-    }
-    assert (r >= 0);
-
     r = vdev->binding->set_host_notifier(vdev->binding_opaque, idx, false);
     if (r < 0) {
         fprintf(stderr, "vhost VQ %d host cleanup failed: %d\n", idx, r);
@@ -647,15 +627,26 @@ void vhost_dev_cleanup(struct vhost_dev *hdev)
 int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
 {
     int i, r;
+    if (!vdev->binding->set_guest_notifiers) {
+        fprintf(stderr, "binding does not support guest notifiers\n");
+        r = -ENOSYS;
+        goto fail;
+    }
+
+    r = vdev->binding->set_guest_notifiers(vdev->binding_opaque, true);
+    if (r < 0) {
+        fprintf(stderr, "Error binding guest notifier: %d\n", -r);
+        goto fail_notifiers;
+    }
 
     r = vhost_dev_set_features(hdev, hdev->log_enabled);
     if (r < 0) {
-        goto fail;
+        goto fail_features;
     }
     r = ioctl(hdev->control, VHOST_SET_MEM_TABLE, hdev->mem);
     if (r < 0) {
         r = -errno;
-        goto fail;
+        goto fail_mem;
     }
     for (i = 0; i < hdev->nvqs; ++i) {
         r = vhost_virtqueue_init(hdev,
@@ -675,13 +666,14 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
                   (uint64_t)(unsigned long)hdev->log);
         if (r < 0) {
             r = -errno;
-            goto fail_vq;
+            goto fail_log;
         }
     }
 
     hdev->started = true;
 
     return 0;
+fail_log:
 fail_vq:
     while (--i >= 0) {
         vhost_virtqueue_cleanup(hdev,
@@ -689,13 +681,18 @@ fail_vq:
                                 hdev->vqs + i,
                                 i);
     }
+fail_mem:
+fail_features:
+    vdev->binding->set_guest_notifiers(vdev->binding_opaque, false);
+fail_notifiers:
 fail:
     return r;
 }
 
 void vhost_dev_stop(struct vhost_dev *hdev, VirtIODevice *vdev)
 {
-    int i;
+    int i, r;
+
     for (i = 0; i < hdev->nvqs; ++i) {
         vhost_virtqueue_cleanup(hdev,
                                 vdev,
@@ -704,6 +701,13 @@ void vhost_dev_stop(struct vhost_dev *hdev, VirtIODevice *vdev)
     }
     vhost_client_sync_dirty_bitmap(&hdev->client, 0,
                                    (target_phys_addr_t)~0x0ull);
+    r = vdev->binding->set_guest_notifiers(vdev->binding_opaque, false);
+    if (r < 0) {
+        fprintf(stderr, "vhost guest notifier cleanup failed: %d\n", r);
+        fflush(stderr);
+    }
+    assert (r >= 0);
+
     hdev->started = false;
     qemu_free(hdev->log);
     hdev->log_size = 0;
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index bc9ad94..2d78ca6 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -429,11 +429,10 @@ static void virtio_pci_guest_notifier_read(void *opaque)
     }
 }
 
-static int virtio_pci_mask_notifier(PCIDevice *dev, unsigned vector,
-                                    void *opaque, int masked)
+static int virtio_pci_mask_vq(PCIDevice *dev, unsigned vector,
+                              VirtQueue *vq, int masked)
 {
 #ifdef CONFIG_KVM
-    VirtQueue *vq = opaque;
     EventNotifier *notifier = virtio_queue_get_guest_notifier(vq);
     int r = kvm_set_irqfd(dev->msix_irq_entries[vector].gsi,
                           event_notifier_get_fd(notifier),
@@ -454,6 +453,34 @@ static int virtio_pci_mask_notifier(PCIDevice *dev, unsigned vector,
 #endif
 }
 
+static int virtio_pci_mask_notifier(PCIDevice *dev, unsigned vector,
+                                    int masked)
+{
+    VirtIOPCIProxy *proxy = container_of(dev, VirtIOPCIProxy, pci_dev);
+    VirtIODevice *vdev = proxy->vdev;
+    int r, n;
+
+    for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
+        if (!virtio_queue_get_num(vdev, n)) {
+            break;
+        }
+        if (virtio_queue_vector(vdev, n) != vector) {
+            continue;
+        }
+        r = virtio_pci_mask_vq(dev, vector, virtio_get_queue(vdev, n), masked);
+        if (r < 0) {
+            goto undo;
+        }
+    }
+    return 0;
+undo:
+    while (--n >= 0) {
+        virtio_pci_mask_vq(dev, vector, virtio_get_queue(vdev, n), !masked);
+    }
+    return r;
+}
+
+
 static int virtio_pci_set_guest_notifier(void *opaque, int n, bool assign)
 {
     VirtIOPCIProxy *proxy = opaque;
@@ -467,11 +494,7 @@ static int virtio_pci_set_guest_notifier(void *opaque, int n, bool assign)
         }
         qemu_set_fd_handler(event_notifier_get_fd(notifier),
                             virtio_pci_guest_notifier_read, NULL, vq);
-        msix_set_mask_notifier(&proxy->pci_dev,
-                               virtio_queue_vector(proxy->vdev, n), vq);
     } else {
-        msix_unset_mask_notifier(&proxy->pci_dev,
-				 virtio_queue_vector(proxy->vdev, n));
         qemu_set_fd_handler(event_notifier_get_fd(notifier),
                             NULL, NULL, NULL);
         /* Test and clear notifier before closing it,
@@ -483,6 +506,50 @@ static int virtio_pci_set_guest_notifier(void *opaque, int n, bool assign)
     return 0;
 }
 
+static int virtio_pci_set_guest_notifiers(void *opaque, bool assign)
+{
+    VirtIOPCIProxy *proxy = opaque;
+    VirtIODevice *vdev = proxy->vdev;
+    int r, n;
+
+    /* Must unset mask notifier while guest notifier
+     * is still assigned */
+    if (!assign) {
+	    r = msix_unset_mask_notifier(&proxy->pci_dev);
+            assert(r >= 0);
+    }
+
+    for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
+        if (!virtio_queue_get_num(vdev, n)) {
+            break;
+        }
+
+        r = virtio_pci_set_guest_notifier(opaque, n, assign);
+        if (r < 0) {
+            goto assign_error;
+        }
+    }
+
+    /* Must set mask notifier after guest notifier
+     * has been assigned */
+    if (assign) {
+        r = msix_set_mask_notifier(&proxy->pci_dev,
+                                   virtio_pci_mask_notifier);
+        if (r < 0) {
+            goto assign_error;
+        }
+    }
+
+    return 0;
+
+assign_error:
+    /* We get here on assignment failure. Recover by undoing for VQs 0 .. n. */
+    while (--n >= 0) {
+        virtio_pci_set_guest_notifier(opaque, n, !assign);
+    }
+    return r;
+}
+
 static int virtio_pci_set_host_notifier(void *opaque, int n, bool assign)
 {
     VirtIOPCIProxy *proxy = opaque;
@@ -520,7 +587,7 @@ static const VirtIOBindings virtio_pci_bindings = {
     .load_queue = virtio_pci_load_queue,
     .get_features = virtio_pci_get_features,
     .set_host_notifier = virtio_pci_set_host_notifier,
-    .set_guest_notifier = virtio_pci_set_guest_notifier,
+    .set_guest_notifiers = virtio_pci_set_guest_notifiers,
 };
 
 static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
@@ -558,8 +625,6 @@ static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
 
     proxy->pci_dev.config_write = virtio_write_config;
 
-    proxy->pci_dev.msix_mask_notifier = virtio_pci_mask_notifier;
-
     size = VIRTIO_PCI_REGION_SIZE(&proxy->pci_dev) + vdev->config_len;
     if (size & (size-1))
         size = 1 << qemu_fls(size);
diff --git a/hw/virtio.h b/hw/virtio.h
index 96514e6..02fa312 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -93,7 +93,7 @@ typedef struct {
     int (*load_config)(void * opaque, QEMUFile *f);
     int (*load_queue)(void * opaque, int n, QEMUFile *f);
     unsigned (*get_features)(void * opaque);
-    int (*set_guest_notifier)(void * opaque, int n, bool assigned);
+    int (*set_guest_notifiers)(void * opaque, bool assigned);
     int (*set_host_notifier)(void * opaque, int n, bool assigned);
 } VirtIOBindings;
 
commit df2bda4e858a176ff9335e1e391fbc4213cfe062
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Sep 27 18:20:23 2010 +0200

    virtio-net: unify vhost-net start/stop
    
    Move all of vhost-net start/stop logic to a single routine,
    and call it from everywhere.
    
    Additionally, start/stop vhost-net on link up/down:
    we should not transmit anything if user asked us to
    put the link down.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 0a9cae2..4366143 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -54,6 +54,7 @@ typedef struct VirtIONet
     uint8_t nouni;
     uint8_t nobcast;
     uint8_t vhost_started;
+    bool vm_running;
     VMChangeStateEntry *vmstate;
     struct {
         int in_use;
@@ -98,6 +99,38 @@ static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
     }
 }
 
+static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
+{
+    VirtIONet *n = to_virtio_net(vdev);
+    if (!n->nic->nc.peer) {
+        return;
+    }
+    if (n->nic->nc.peer->info->type != NET_CLIENT_TYPE_TAP) {
+        return;
+    }
+
+    if (!tap_get_vhost_net(n->nic->nc.peer)) {
+        return;
+    }
+    if (!!n->vhost_started == ((status & VIRTIO_CONFIG_S_DRIVER_OK) &&
+			       (n->status & VIRTIO_NET_S_LINK_UP) &&
+			       n->vm_running)) {
+        return;
+    }
+    if (!n->vhost_started) {
+        int r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
+        if (r < 0) {
+            fprintf(stderr, "unable to start vhost net: %d: "
+                    "falling back on userspace virtio\n", -r);
+        } else {
+            n->vhost_started = 1;
+        }
+    } else {
+        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
+        n->vhost_started = 0;
+    }
+}
+
 static void virtio_net_set_link_status(VLANClientState *nc)
 {
     VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
@@ -110,6 +143,8 @@ static void virtio_net_set_link_status(VLANClientState *nc)
 
     if (n->status != old_status)
         virtio_notify_config(&n->vdev);
+
+    virtio_net_set_status(&n->vdev, n->vdev.status);
 }
 
 static void virtio_net_reset(VirtIODevice *vdev)
@@ -123,10 +158,6 @@ static void virtio_net_reset(VirtIODevice *vdev)
     n->nomulti = 0;
     n->nouni = 0;
     n->nobcast = 0;
-    if (n->vhost_started) {
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), vdev);
-        n->vhost_started = 0;
-    }
 
     /* Flush any MAC and VLAN filter table state */
     n->mac_table.in_use = 0;
@@ -783,12 +814,9 @@ static void virtio_net_save(QEMUFile *f, void *opaque)
 {
     VirtIONet *n = opaque;
 
-    if (n->vhost_started) {
-        /* TODO: should we really stop the backend?
-         * If we don't, it might keep writing to memory. */
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
-        n->vhost_started = 0;
-    }
+    /* At this point, backend must be stopped, otherwise
+     * it might keep writing to memory. */
+    assert(!n->vhost_started);
     virtio_save(&n->vdev, f);
 
     qemu_put_buffer(f, n->mac, ETH_ALEN);
@@ -924,44 +952,14 @@ static NetClientInfo net_virtio_info = {
     .link_status_changed = virtio_net_set_link_status,
 };
 
-static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
-{
-    VirtIONet *n = to_virtio_net(vdev);
-    if (!n->nic->nc.peer) {
-        return;
-    }
-    if (n->nic->nc.peer->info->type != NET_CLIENT_TYPE_TAP) {
-        return;
-    }
-
-    if (!tap_get_vhost_net(n->nic->nc.peer)) {
-        return;
-    }
-    if (!!n->vhost_started == !!(status & VIRTIO_CONFIG_S_DRIVER_OK)) {
-        return;
-    }
-    if (status & VIRTIO_CONFIG_S_DRIVER_OK) {
-        int r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), vdev);
-        if (r < 0) {
-            fprintf(stderr, "unable to start vhost net: %d: "
-                    "falling back on userspace virtio\n", -r);
-        } else {
-            n->vhost_started = 1;
-        }
-    } else {
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), vdev);
-        n->vhost_started = 0;
-    }
-}
-
 static void virtio_net_vmstate_change(void *opaque, int running, int reason)
 {
     VirtIONet *n = opaque;
-    uint8_t status = running ? VIRTIO_CONFIG_S_DRIVER_OK : 0;
+    n->vm_running = running;
     /* This is called when vm is started/stopped,
-     * it will start/stop vhost backend if * appropriate
+     * it will start/stop vhost backend if appropriate
      * e.g. after migration. */
-    virtio_net_set_status(&n->vdev, n->vdev.status & status);
+    virtio_net_set_status(&n->vdev, n->vdev.status);
 }
 
 VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
@@ -1028,9 +1026,8 @@ void virtio_net_exit(VirtIODevice *vdev)
     VirtIONet *n = DO_UPCAST(VirtIONet, vdev, vdev);
     qemu_del_vm_change_state_handler(n->vmstate);
 
-    if (n->vhost_started) {
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), vdev);
-    }
+    /* This will stop vhost backend if appropriate. */
+    virtio_net_set_status(vdev, 0);
 
     qemu_purge_queued_packets(&n->nic->nc);
 
commit 8624fdd8806c3cbd56163533b1578e1c9a78f543
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Sep 27 18:18:52 2010 +0200

    virtio: invoke set_status callback on reset
    
    As status is set to 0 on reset, invoke the
    relevant callback. This makes for a cleaner
    code in devices as they don't need to
    duplicate the code in their reset routine,
    as well as excercises this path a little more.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index fbef788..c8a0fc6 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -458,6 +458,8 @@ void virtio_reset(void *opaque)
     VirtIODevice *vdev = opaque;
     int i;
 
+    virtio_set_status(vdev, 0);
+
     if (vdev->reset)
         vdev->reset(vdev);
 
commit 54dd932128ae08d6a5a6668551508e30520b0f86
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 6 15:20:17 2010 +0200

    virtio: change set guest notifier to per-device
    
    When using irqfd with vhost-net to inject interrupts,
    a single evenfd might inject multiple interrupts.
    Implementing this is much easier with a single
    per-device callback to set guest notifiers.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/vhost.c b/hw/vhost.c
index 1b8624d..fb95121 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -454,11 +454,6 @@ static int vhost_virtqueue_init(struct vhost_dev *dev,
     };
     struct VirtQueue *vvq = virtio_get_queue(vdev, idx);
 
-    if (!vdev->binding->set_guest_notifier) {
-        fprintf(stderr, "binding does not support guest notifiers\n");
-        return -ENOSYS;
-    }
-
     if (!vdev->binding->set_host_notifier) {
         fprintf(stderr, "binding does not support host notifiers\n");
         return -ENOSYS;
@@ -511,12 +506,6 @@ static int vhost_virtqueue_init(struct vhost_dev *dev,
         r = -errno;
         goto fail_alloc;
     }
-    r = vdev->binding->set_guest_notifier(vdev->binding_opaque, idx, true);
-    if (r < 0) {
-        fprintf(stderr, "Error binding guest notifier: %d\n", -r);
-        goto fail_guest_notifier;
-    }
-
     r = vdev->binding->set_host_notifier(vdev->binding_opaque, idx, true);
     if (r < 0) {
         fprintf(stderr, "Error binding host notifier: %d\n", -r);
@@ -541,8 +530,6 @@ fail_call:
 fail_kick:
     vdev->binding->set_host_notifier(vdev->binding_opaque, idx, false);
 fail_host_notifier:
-    vdev->binding->set_guest_notifier(vdev->binding_opaque, idx, false);
-fail_guest_notifier:
 fail_alloc:
     cpu_physical_memory_unmap(vq->ring, virtio_queue_get_ring_size(vdev, idx),
                               0, 0);
@@ -568,13 +555,6 @@ static void vhost_virtqueue_cleanup(struct vhost_dev *dev,
         .index = idx,
     };
     int r;
-    r = vdev->binding->set_guest_notifier(vdev->binding_opaque, idx, false);
-    if (r < 0) {
-        fprintf(stderr, "vhost VQ %d guest cleanup failed: %d\n", idx, r);
-        fflush(stderr);
-    }
-    assert (r >= 0);
-
     r = vdev->binding->set_host_notifier(vdev->binding_opaque, idx, false);
     if (r < 0) {
         fprintf(stderr, "vhost VQ %d host cleanup failed: %d\n", idx, r);
@@ -647,15 +627,26 @@ void vhost_dev_cleanup(struct vhost_dev *hdev)
 int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
 {
     int i, r;
+    if (!vdev->binding->set_guest_notifiers) {
+        fprintf(stderr, "binding does not support guest notifiers\n");
+        r = -ENOSYS;
+        goto fail;
+    }
+
+    r = vdev->binding->set_guest_notifiers(vdev->binding_opaque, true);
+    if (r < 0) {
+        fprintf(stderr, "Error binding guest notifier: %d\n", -r);
+        goto fail_notifiers;
+    }
 
     r = vhost_dev_set_features(hdev, hdev->log_enabled);
     if (r < 0) {
-        goto fail;
+        goto fail_features;
     }
     r = ioctl(hdev->control, VHOST_SET_MEM_TABLE, hdev->mem);
     if (r < 0) {
         r = -errno;
-        goto fail;
+        goto fail_mem;
     }
     for (i = 0; i < hdev->nvqs; ++i) {
         r = vhost_virtqueue_init(hdev,
@@ -675,13 +666,14 @@ int vhost_dev_start(struct vhost_dev *hdev, VirtIODevice *vdev)
                   (uint64_t)(unsigned long)hdev->log);
         if (r < 0) {
             r = -errno;
-            goto fail_vq;
+            goto fail_log;
         }
     }
 
     hdev->started = true;
 
     return 0;
+fail_log:
 fail_vq:
     while (--i >= 0) {
         vhost_virtqueue_cleanup(hdev,
@@ -689,13 +681,18 @@ fail_vq:
                                 hdev->vqs + i,
                                 i);
     }
+fail_mem:
+fail_features:
+    vdev->binding->set_guest_notifiers(vdev->binding_opaque, false);
+fail_notifiers:
 fail:
     return r;
 }
 
 void vhost_dev_stop(struct vhost_dev *hdev, VirtIODevice *vdev)
 {
-    int i;
+    int i, r;
+
     for (i = 0; i < hdev->nvqs; ++i) {
         vhost_virtqueue_cleanup(hdev,
                                 vdev,
@@ -704,6 +701,13 @@ void vhost_dev_stop(struct vhost_dev *hdev, VirtIODevice *vdev)
     }
     vhost_client_sync_dirty_bitmap(&hdev->client, 0,
                                    (target_phys_addr_t)~0x0ull);
+    r = vdev->binding->set_guest_notifiers(vdev->binding_opaque, false);
+    if (r < 0) {
+        fprintf(stderr, "vhost guest notifier cleanup failed: %d\n", r);
+        fflush(stderr);
+    }
+    assert (r >= 0);
+
     hdev->started = false;
     qemu_free(hdev->log);
     hdev->log_size = 0;
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 86e6b0a..729917d 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -451,6 +451,33 @@ static int virtio_pci_set_guest_notifier(void *opaque, int n, bool assign)
     return 0;
 }
 
+static int virtio_pci_set_guest_notifiers(void *opaque, bool assign)
+{
+    VirtIOPCIProxy *proxy = opaque;
+    VirtIODevice *vdev = proxy->vdev;
+    int r, n;
+
+    for (n = 0; n < VIRTIO_PCI_QUEUE_MAX; n++) {
+        if (!virtio_queue_get_num(vdev, n)) {
+            break;
+        }
+
+        r = virtio_pci_set_guest_notifier(opaque, n, assign);
+        if (r < 0) {
+            goto assign_error;
+        }
+    }
+
+    return 0;
+
+assign_error:
+    /* We get here on assignment failure. Recover by undoing for VQs 0 .. n. */
+    while (--n >= 0) {
+        virtio_pci_set_guest_notifier(opaque, n, !assign);
+    }
+    return r;
+}
+
 static int virtio_pci_set_host_notifier(void *opaque, int n, bool assign)
 {
     VirtIOPCIProxy *proxy = opaque;
@@ -488,7 +515,7 @@ static const VirtIOBindings virtio_pci_bindings = {
     .load_queue = virtio_pci_load_queue,
     .get_features = virtio_pci_get_features,
     .set_host_notifier = virtio_pci_set_host_notifier,
-    .set_guest_notifier = virtio_pci_set_guest_notifier,
+    .set_guest_notifiers = virtio_pci_set_guest_notifiers,
 };
 
 static void virtio_init_pci(VirtIOPCIProxy *proxy, VirtIODevice *vdev,
diff --git a/hw/virtio.h b/hw/virtio.h
index 96514e6..02fa312 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -93,7 +93,7 @@ typedef struct {
     int (*load_config)(void * opaque, QEMUFile *f);
     int (*load_queue)(void * opaque, int n, QEMUFile *f);
     unsigned (*get_features)(void * opaque);
-    int (*set_guest_notifier)(void * opaque, int n, bool assigned);
+    int (*set_guest_notifiers)(void * opaque, bool assigned);
     int (*set_host_notifier)(void * opaque, int n, bool assigned);
 } VirtIOBindings;
 
commit afbaa7b4382faced3c364606a5e5d5389462147b
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Sep 27 18:41:30 2010 +0200

    virtio-net: unify vhost-net start/stop
    
    Move all of vhost-net start/stop logic to a single routine,
    and call it from everywhere.
    
    Additionally, start/stop vhost-net on link up/down:
    we should not transmit anything if user asked us to
    put the link down.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Alex Williamson <alex.williamson at redhat.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 0a9cae2..7e1688c 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -54,6 +54,7 @@ typedef struct VirtIONet
     uint8_t nouni;
     uint8_t nobcast;
     uint8_t vhost_started;
+    bool vm_running;
     VMChangeStateEntry *vmstate;
     struct {
         int in_use;
@@ -98,6 +99,38 @@ static void virtio_net_set_config(VirtIODevice *vdev, const uint8_t *config)
     }
 }
 
+static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
+{
+    VirtIONet *n = to_virtio_net(vdev);
+    if (!n->nic->nc.peer) {
+        return;
+    }
+    if (n->nic->nc.peer->info->type != NET_CLIENT_TYPE_TAP) {
+        return;
+    }
+
+    if (!tap_get_vhost_net(n->nic->nc.peer)) {
+        return;
+    }
+    if (!!n->vhost_started == ((status & VIRTIO_CONFIG_S_DRIVER_OK) &&
+                               (n->status & VIRTIO_NET_S_LINK_UP) &&
+                               n->vm_running)) {
+        return;
+    }
+    if (!n->vhost_started) {
+        int r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
+        if (r < 0) {
+            fprintf(stderr, "unable to start vhost net: %d: "
+                    "falling back on userspace virtio\n", -r);
+        } else {
+            n->vhost_started = 1;
+        }
+    } else {
+        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
+        n->vhost_started = 0;
+    }
+}
+
 static void virtio_net_set_link_status(VLANClientState *nc)
 {
     VirtIONet *n = DO_UPCAST(NICState, nc, nc)->opaque;
@@ -110,6 +143,8 @@ static void virtio_net_set_link_status(VLANClientState *nc)
 
     if (n->status != old_status)
         virtio_notify_config(&n->vdev);
+
+    virtio_net_set_status(&n->vdev, n->vdev.status);
 }
 
 static void virtio_net_reset(VirtIODevice *vdev)
@@ -123,10 +158,6 @@ static void virtio_net_reset(VirtIODevice *vdev)
     n->nomulti = 0;
     n->nouni = 0;
     n->nobcast = 0;
-    if (n->vhost_started) {
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), vdev);
-        n->vhost_started = 0;
-    }
 
     /* Flush any MAC and VLAN filter table state */
     n->mac_table.in_use = 0;
@@ -783,12 +814,9 @@ static void virtio_net_save(QEMUFile *f, void *opaque)
 {
     VirtIONet *n = opaque;
 
-    if (n->vhost_started) {
-        /* TODO: should we really stop the backend?
-         * If we don't, it might keep writing to memory. */
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), &n->vdev);
-        n->vhost_started = 0;
-    }
+    /* At this point, backend must be stopped, otherwise
+     * it might keep writing to memory. */
+    assert(!n->vhost_started);
     virtio_save(&n->vdev, f);
 
     qemu_put_buffer(f, n->mac, ETH_ALEN);
@@ -924,44 +952,14 @@ static NetClientInfo net_virtio_info = {
     .link_status_changed = virtio_net_set_link_status,
 };
 
-static void virtio_net_set_status(struct VirtIODevice *vdev, uint8_t status)
-{
-    VirtIONet *n = to_virtio_net(vdev);
-    if (!n->nic->nc.peer) {
-        return;
-    }
-    if (n->nic->nc.peer->info->type != NET_CLIENT_TYPE_TAP) {
-        return;
-    }
-
-    if (!tap_get_vhost_net(n->nic->nc.peer)) {
-        return;
-    }
-    if (!!n->vhost_started == !!(status & VIRTIO_CONFIG_S_DRIVER_OK)) {
-        return;
-    }
-    if (status & VIRTIO_CONFIG_S_DRIVER_OK) {
-        int r = vhost_net_start(tap_get_vhost_net(n->nic->nc.peer), vdev);
-        if (r < 0) {
-            fprintf(stderr, "unable to start vhost net: %d: "
-                    "falling back on userspace virtio\n", -r);
-        } else {
-            n->vhost_started = 1;
-        }
-    } else {
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), vdev);
-        n->vhost_started = 0;
-    }
-}
-
 static void virtio_net_vmstate_change(void *opaque, int running, int reason)
 {
     VirtIONet *n = opaque;
-    uint8_t status = running ? VIRTIO_CONFIG_S_DRIVER_OK : 0;
+    n->vm_running = running;
     /* This is called when vm is started/stopped,
-     * it will start/stop vhost backend if * appropriate
+     * it will start/stop vhost backend if appropriate
      * e.g. after migration. */
-    virtio_net_set_status(&n->vdev, n->vdev.status & status);
+    virtio_net_set_status(&n->vdev, n->vdev.status);
 }
 
 VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
@@ -1028,9 +1026,8 @@ void virtio_net_exit(VirtIODevice *vdev)
     VirtIONet *n = DO_UPCAST(VirtIONet, vdev, vdev);
     qemu_del_vm_change_state_handler(n->vmstate);
 
-    if (n->vhost_started) {
-        vhost_net_stop(tap_get_vhost_net(n->nic->nc.peer), vdev);
-    }
+    /* This will stop vhost backend if appropriate. */
+    virtio_net_set_status(vdev, 0);
 
     qemu_purge_queued_packets(&n->nic->nc);
 
commit c885212109b0ad79888ced410c2ff0d0e883cb15
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Wed Oct 6 15:20:28 2010 +0200

    vhost: error code
    
    fix up errors returned to include errno, not just -1
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/vhost.c b/hw/vhost.c
index fb95121..8586f66 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -515,12 +515,14 @@ static int vhost_virtqueue_init(struct vhost_dev *dev,
     file.fd = event_notifier_get_fd(virtio_queue_get_host_notifier(vvq));
     r = ioctl(dev->control, VHOST_SET_VRING_KICK, &file);
     if (r) {
+        r = -errno;
         goto fail_kick;
     }
 
     file.fd = event_notifier_get_fd(virtio_queue_get_guest_notifier(vvq));
     r = ioctl(dev->control, VHOST_SET_VRING_CALL, &file);
     if (r) {
+        r = -errno;
         goto fail_call;
     }
 
commit 010ec6293409f10b88631c36145944b9c3277ce1
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Wed Sep 29 21:59:55 2010 +0200

    eepro100: Add support for multiple individual addresses (multiple IA)
    
    I reviewed the latest sources of Linux, FreeBSD and NetBSD.
    They all reset the multiple IA bit (multi_ia in BSD) to zero,
    but I did not find code which sets this bit to one
    (like it is done by some routers).
    
    Running Windows guests also did not set this bit.
    
    Intel's Open Source Software Developer Manual does not
    give much information on the semantics related to this bit,
    so I had to guess how it works. The guess was good enough
    to make the router emulation work.
    
    Related changes in this patch:
    * Update naming and documentation of the internal hash register.
      It is not limited to multicast, but also used for multiple IA.
    * Dump complete configuration register when debug traces are enabled.
    * Debug output when multiple IA bit is set during CmdConfigure.
    * Debug output when frames are received because multiple IA bit is set,
      or when they are ignored although it is set.
    
    Cc: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/eepro100.c b/hw/eepro100.c
index 2b75c8f..5f6dcb6 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -219,7 +219,8 @@ typedef enum {
 
 typedef struct {
     PCIDevice dev;
-    uint8_t mult[8];            /* multicast mask array */
+    /* Hash register (multicast mask array, multiple individual addresses). */
+    uint8_t mult[8];
     int mmio_index;
     NICState *nic;
     NICConf conf;
@@ -599,7 +600,7 @@ static void nic_reset(void *opaque)
 {
     EEPRO100State *s = opaque;
     TRACE(OTHER, logout("%p\n", s));
-    /* TODO: Clearing of multicast table for selective reset, too? */
+    /* TODO: Clearing of hash register for selective reset, too? */
     memset(&s->mult[0], 0, sizeof(s->mult));
     nic_selective_reset(s);
 }
@@ -851,7 +852,14 @@ static void action_command(EEPRO100State *s)
         case CmdConfigure:
             cpu_physical_memory_read(s->cb_address + 8, &s->configuration[0],
                                      sizeof(s->configuration));
-            TRACE(OTHER, logout("configuration: %s\n", nic_dump(&s->configuration[0], 16)));
+            TRACE(OTHER, logout("configuration: %s\n",
+                                nic_dump(&s->configuration[0], 16)));
+            TRACE(OTHER, logout("configuration: %s\n",
+                                nic_dump(&s->configuration[16],
+                                ARRAY_SIZE(s->configuration) - 16)));
+            if (s->configuration[20] & BIT(6)) {
+                TRACE(OTHER, logout("Multiple IA bit\n"));
+            }
             break;
         case CmdMulticastList:
             set_multicast_list(s);
@@ -1647,12 +1655,6 @@ static ssize_t nic_receive(VLANClientState *nc, const uint8_t * buf, size_t size
     static const uint8_t broadcast_macaddr[6] =
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
 
-    /* TODO: check multiple IA bit. */
-    if (s->configuration[20] & BIT(6)) {
-        missing("Multiple IA bit");
-        return -1;
-    }
-
     if (s->configuration[8] & 0x80) {
         /* CSMA is disabled. */
         logout("%p received while CSMA is disabled\n", s);
@@ -1702,6 +1704,16 @@ static ssize_t nic_receive(VLANClientState *nc, const uint8_t * buf, size_t size
         /* Promiscuous: receive all. */
         TRACE(RXTX, logout("%p received frame in promiscuous mode, len=%zu\n", s, size));
         rfd_status |= 0x0004;
+    } else if (s->configuration[20] & BIT(6)) {
+        /* Multiple IA bit set. */
+        unsigned mcast_idx = compute_mcast_idx(buf);
+        assert(mcast_idx < 64);
+        if (s->mult[mcast_idx >> 3] & (1 << (mcast_idx & 7))) {
+            TRACE(RXTX, logout("%p accepted, multiple IA bit set\n", s));
+        } else {
+            TRACE(RXTX, logout("%p frame ignored, multiple IA bit set\n", s));
+            return -1;
+        }
     } else {
         TRACE(RXTX, logout("%p received frame, ignored, len=%zu,%s\n", s, size,
               nic_dump(buf, size)));
commit e0c472d8c2795e523b0f9006dbe5bc22545c8300
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Sep 27 18:32:52 2010 +0200

    virtio: invoke set_status callback on reset
    
    As status is set to 0 on reset, invoke the relevant callback. This makes
    for a cleaner code in devices as they don't need to duplicate the code
    in their reset routine, as well as excercises this path a little more.
    
    In particular this makes it possible to unify
    vhost-net handling code with the following patch.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index fbef788..c8a0fc6 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -458,6 +458,8 @@ void virtio_reset(void *opaque)
     VirtIODevice *vdev = opaque;
     int i;
 
+    virtio_set_status(vdev, 0);
+
     if (vdev->reset)
         vdev->reset(vdev);
 
commit 576af1b5f5524ca0d6587ae43e395313c14059bb
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Oct 4 15:26:30 2010 -0600

    device-assignment: Allow PCI to manage the option ROM
    
    We don't need to duplicate PCI code for mapping and managing the
    option ROM for an assigned device.  We're already using an in-memory
    copy of the ROM, so we can simply fill the contents from the physical
    device and pass the rest off to PCI.  As a benefit, we can now make
    use of the rombar and romfile options, which allow us to either hide
    the ROM BAR, or load it from an external file, such as we can do
    with emulated devices.  This is useful if you want to pass through
    and boot from devices that are either missing a physical option ROM
    or don't supply a valid option ROM.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/device-assignment.c b/hw/device-assignment.c
index 87f7418..26cb797 100644
--- a/hw/device-assignment.c
+++ b/hw/device-assignment.c
@@ -233,8 +233,6 @@ static CPUReadMemoryFunc * const slow_bar_read[] = {
     &slow_bar_readl
 };
 
-static CPUWriteMemoryFunc * const slow_bar_null_write[] = {NULL, NULL, NULL};
-
 static void assigned_dev_iomem_map_slow(PCIDevice *pci_dev, int region_num,
                                         pcibus_t e_phys, pcibus_t e_size,
                                         int type)
@@ -245,10 +243,7 @@ static void assigned_dev_iomem_map_slow(PCIDevice *pci_dev, int region_num,
     int m;
 
     DEBUG("%s", "slow map\n");
-    if (region_num == PCI_ROM_SLOT)
-        m = cpu_register_io_memory(slow_bar_read, slow_bar_null_write, region);
-    else
-        m = cpu_register_io_memory(slow_bar_read, slow_bar_write, region);
+    m = cpu_register_io_memory(slow_bar_read, slow_bar_write, region);
     cpu_register_physical_memory(e_phys, e_size, m);
 
     /* MSI-X MMIO page */
@@ -268,7 +263,7 @@ static void assigned_dev_iomem_map(PCIDevice *pci_dev, int region_num,
     AssignedDevice *r_dev = container_of(pci_dev, AssignedDevice, dev);
     AssignedDevRegion *region = &r_dev->v_addrs[region_num];
     PCIRegion *real_region = &r_dev->real_device.regions[region_num];
-    int ret = 0, flags = 0;
+    int ret = 0;
 
     DEBUG("e_phys=%08" FMT_PCIBUS " r_virt=%p type=%d len=%08" FMT_PCIBUS " region_num=%d \n",
           e_phys, region->u.r_virtbase, type, e_size, region_num);
@@ -277,11 +272,7 @@ static void assigned_dev_iomem_map(PCIDevice *pci_dev, int region_num,
     region->e_size = e_size;
 
     if (e_size > 0) {
-
-        if (region_num == PCI_ROM_SLOT)
-            flags |= IO_MEM_ROM;
-
-        cpu_register_physical_memory(e_phys, e_size, region->memory_index | flags);
+        cpu_register_physical_memory(e_phys, e_size, region->memory_index);
 
         /* deal with MSI-X MMIO page */
         if (real_region->base_addr <= r_dev->msix_table_addr &&
@@ -527,35 +518,22 @@ static int assigned_dev_register_regions(PCIRegion *io_regions,
                 : PCI_BASE_ADDRESS_SPACE_MEMORY;
 
             if (cur_region->size & 0xFFF) {
-                if (i != PCI_ROM_SLOT) {
-                    fprintf(stderr, "PCI region %d at address 0x%llx "
-                            "has size 0x%x, which is not a multiple of 4K. "
-                            "You might experience some performance hit "
-                            "due to that.\n",
-                            i, (unsigned long long)cur_region->base_addr,
-                            cur_region->size);
-                }
+                fprintf(stderr, "PCI region %d at address 0x%llx "
+                        "has size 0x%x, which is not a multiple of 4K. "
+                        "You might experience some performance hit "
+                        "due to that.\n",
+                        i, (unsigned long long)cur_region->base_addr,
+                        cur_region->size);
                 slow_map = 1;
             }
 
             /* map physical memory */
             pci_dev->v_addrs[i].e_physbase = cur_region->base_addr;
-            if (i == PCI_ROM_SLOT) {
-                /* KVM doesn't support read-only mappings, use slow map */
-                slow_map = 1;
-                pci_dev->v_addrs[i].u.r_virtbase =
-                    mmap(NULL,
-                         cur_region->size,
-                         PROT_WRITE | PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE,
-                         0, (off_t) 0);
-
-            } else {
-                pci_dev->v_addrs[i].u.r_virtbase =
-                    mmap(NULL,
-                         cur_region->size,
-                         PROT_WRITE | PROT_READ, MAP_SHARED,
-                         cur_region->resource_fd, (off_t) 0);
-            }
+            pci_dev->v_addrs[i].u.r_virtbase = mmap(NULL, cur_region->size,
+                                                    PROT_WRITE | PROT_READ,
+                                                    MAP_SHARED,
+                                                    cur_region->resource_fd,
+                                                    (off_t)0);
 
             if (pci_dev->v_addrs[i].u.r_virtbase == MAP_FAILED) {
                 pci_dev->v_addrs[i].u.r_virtbase = NULL;
@@ -565,11 +543,6 @@ static int assigned_dev_register_regions(PCIRegion *io_regions,
                 return -1;
             }
 
-            if (i == PCI_ROM_SLOT) {
-                memset(pci_dev->v_addrs[i].u.r_virtbase, 0,
-                       (cur_region->size + 0xFFF) & 0xFFFFF000);
-            }
-
             pci_dev->v_addrs[i].r_size = cur_region->size;
             pci_dev->v_addrs[i].e_size = 0;
 
@@ -712,6 +685,12 @@ again:
         fprintf(stderr, "%s: read failed, errno = %d\n", __func__, errno);
     }
 
+    /* Clear host resource mapping info.  If we choose not to register a
+     * BAR, such as might be the case with the option ROM, we can get
+     * confusing, unwritable, residual addresses from the host here. */
+    memset(&pci_dev->dev.config[PCI_BASE_ADDRESS_0], 0, 24);
+    memset(&pci_dev->dev.config[PCI_ROM_ADDRESS], 0, 4);
+
     snprintf(name, sizeof(name), "%sresource", dir);
 
     f = fopen(name, "r");
@@ -720,7 +699,7 @@ again:
         return 1;
     }
 
-    for (r = 0; r < PCI_NUM_REGIONS; r++) {
+    for (r = 0; r < PCI_ROM_SLOT; r++) {
 	if (fscanf(f, "%lli %lli %lli\n", &start, &end, &flags) != 3)
 	    break;
 
@@ -736,13 +715,11 @@ again:
         } else {
             flags &= ~IORESOURCE_PREFETCH;
         }
-        if (r != PCI_ROM_SLOT) {
-            snprintf(name, sizeof(name), "%sresource%d", dir, r);
-            fd = open(name, O_RDWR);
-            if (fd == -1)
-                continue;
-            rp->resource_fd = fd;
-        }
+        snprintf(name, sizeof(name), "%sresource%d", dir, r);
+        fd = open(name, O_RDWR);
+        if (fd == -1)
+            continue;
+        rp->resource_fd = fd;
 
         rp->type = flags;
         rp->valid = 1;
@@ -1644,58 +1621,64 @@ void add_assigned_devices(PCIBus *bus, const char **devices, int n_devices)
  */
 static void assigned_dev_load_option_rom(AssignedDevice *dev)
 {
-    int size, len, ret;
-    void *buf;
+    char name[32], rom_file[64];
     FILE *fp;
-    uint8_t i = 1;
-    char rom_file[64];
+    uint8_t val;
+    struct stat st;
+    void *ptr;
+
+    /* If loading ROM from file, pci handles it */
+    if (dev->dev.romfile || !dev->dev.rom_bar)
+        return;
 
     snprintf(rom_file, sizeof(rom_file),
              "/sys/bus/pci/devices/%04x:%02x:%02x.%01x/rom",
              dev->host.seg, dev->host.bus, dev->host.dev, dev->host.func);
 
-    if (access(rom_file, F_OK))
+    if (stat(rom_file, &st)) {
         return;
+    }
 
-    /* Write something to the ROM file to enable it */
-    fp = fopen(rom_file, "wb");
-    if (fp == NULL)
-        return;
-    len = fwrite(&i, 1, 1, fp);
-    fclose(fp);
-    if (len != 1)
+    if (access(rom_file, F_OK)) {
+        fprintf(stderr, "pci-assign: Insufficient privileges for %s\n",
+                rom_file);
         return;
+    }
 
-    /* The file has to be closed and reopened, otherwise it won't work */
-    fp = fopen(rom_file, "rb");
-    if (fp == NULL)
+    /* Write "1" to the ROM file to enable it */
+    fp = fopen(rom_file, "r+");
+    if (fp == NULL) {
         return;
-
-    fseek(fp, 0, SEEK_END);
-    size = ftell(fp);
+    }
+    val = 1;
+    if (fwrite(&val, 1, 1, fp) != 1) {
+        goto close_rom;
+    }
     fseek(fp, 0, SEEK_SET);
 
-    buf = malloc(size);
-    if (buf == NULL) {
-        fclose(fp);
-        return;
+    snprintf(name, sizeof(name), "%s.rom", dev->dev.qdev.info->name);
+    dev->dev.rom_offset = qemu_ram_alloc(&dev->dev.qdev, name, st.st_size);
+    ptr = qemu_get_ram_ptr(dev->dev.rom_offset);
+    memset(ptr, 0xff, st.st_size);
+
+    if (!fread(ptr, 1, st.st_size, fp)) {
+        fprintf(stderr, "pci-assign: Cannot read from host %s\n"
+                "\tDevice option ROM contents are probably invalid "
+                "(check dmesg).\n\tSkip option ROM probe with rombar=0, "
+                "or load from file with romfile=\n", rom_file);
+        qemu_ram_free(dev->dev.rom_offset);
+        dev->dev.rom_offset = 0;
+        goto close_rom;
     }
 
-    if (!(ret = fread(buf, 1, size, fp))) {
-        free(buf);
-        fclose(fp);
-        return;
+    pci_register_bar(&dev->dev, PCI_ROM_SLOT,
+                     st.st_size, 0, pci_map_option_rom);
+close_rom:
+    /* Write "0" to disable ROM */
+    fseek(fp, 0, SEEK_SET);
+    val = 0;
+    if (!fwrite(&val, 1, 1, fp)) {
+        DEBUG("%s\n", "Failed to disable pci-sysfs rom file");
     }
     fclose(fp);
-
-    /* The number of bytes read is often much smaller than the BAR size */
-    size = ret;
-
-    /* Copy ROM contents into the space backing the ROM BAR */
-    if (dev->v_addrs[PCI_ROM_SLOT].r_size >= size &&
-        dev->v_addrs[PCI_ROM_SLOT].u.r_virtbase) {
-        memcpy(dev->v_addrs[PCI_ROM_SLOT].u.r_virtbase, buf, size);
-    }
-
-    free(buf);
 }
diff --git a/hw/device-assignment.h b/hw/device-assignment.h
index 9a3ea12..2f5fa17 100644
--- a/hw/device-assignment.h
+++ b/hw/device-assignment.h
@@ -57,7 +57,7 @@ typedef struct {
     uint16_t region_number; /* number of active regions */
 
     /* Port I/O or MMIO Regions */
-    PCIRegion regions[PCI_NUM_REGIONS];
+    PCIRegion regions[PCI_NUM_REGIONS - 1];
     int config_fd;
 } PCIDevRegions;
 
@@ -80,7 +80,7 @@ typedef struct AssignedDevice {
     uint32_t use_iommu;
     int intpin;
     uint8_t debug_flags;
-    AssignedDevRegion v_addrs[PCI_NUM_REGIONS];
+    AssignedDevRegion v_addrs[PCI_NUM_REGIONS - 1];
     PCIDevRegions real_device;
     int run;
     int girq;
commit 4b785d9624c1127b358d71933bb5ec476a39db25
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Mon Oct 4 15:26:24 2010 -0600

    PCI: Export pci_map_option_rom()
    
    Allow it to be referenced outside of hw/pci.c so we can register
    option ROM BARs using the default mapping routine.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Acked-by: Chris Wright <chrisw at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 9b1b7a1..e203b9e 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1968,7 +1968,7 @@ static uint8_t pci_find_capability_list(PCIDevice *pdev, uint8_t cap_id,
     return next;
 }
 
-static void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr, pcibus_t size, int type)
+void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr, pcibus_t size, int type)
 {
     cpu_register_physical_memory(addr, size, pdev->rom_offset);
 }
diff --git a/hw/pci.h b/hw/pci.h
index ed86c57..825ccbe 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -219,6 +219,9 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
                             pcibus_t size, int type,
                             PCIMapIORegionFunc *map_func);
 
+void pci_map_option_rom(PCIDevice *pdev, int region_num, pcibus_t addr,
+                        pcibus_t size, int type);
+
 int pci_enable_capability_support(PCIDevice *pci_dev,
                                   uint32_t config_start,
                                   PCICapConfigReadFunc *config_read,
commit 6574f651de4e7bf3ce47d598c1966a55357a7acf
Author: Dean Nelson <dnelson at redhat.com>
Date:   Wed Oct 6 10:08:19 2010 -0400

    qemu-kvm: Fix calculation of number of entries based on number of mce_banks
    
    The number of mce_banks needs to be multiplied by 4 in order to actually
    reference all of the entries.
    
    Signed-off-by: Dean Nelson <dnelson at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index e35c234..bb09fd8 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -975,7 +975,7 @@ void kvm_arch_load_regs(CPUState *env, int level)
         } else if (level == KVM_PUT_FULL_STATE) {
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
-            for (i = 0; i < (env->mcg_cap & 0xff); i++) {
+            for (i = 0; i < (env->mcg_cap & 0xff) * 4; i++) {
                 kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
             }
         }
commit a083a89d7277f3268a251ce635d9aae5559242bd
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Mon Sep 20 18:08:41 2010 +0200

    net: delay freeing peer host device
    
    With -netdev, virtio devices present offload
    features to guest, depending on the backend used.
    Thus, removing host netdev peer while guest is
    active leads to guest-visible inconsistency and/or crashes.
    
    As a solution, while guest (NIC) peer device exists,
    we prevent the host peer from being deleted.
    This patch does this by adding peer_deleted flag in nic state:
    if host device is going away while guest device
    is around, set this flag and keep a shell of
    the host device around for as long as guest device exists.
    
    The link is put down so all packets will get discarded.
    
    At the moment, management can detect that device deletion
    is delayed by doing info net. As a next step, we shall add
    commands that control hotplug/unplug without
    removing the device, and an event to report that
    guest has responded to the hotplug event.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
    Acked-by: Alex Williamson <alex.williamson at redhat.com>

diff --git a/net.c b/net.c
index 3d0fde7..ed74c7f 100644
--- a/net.c
+++ b/net.c
@@ -281,29 +281,64 @@ NICState *qemu_new_nic(NetClientInfo *info,
     return nic;
 }
 
-void qemu_del_vlan_client(VLANClientState *vc)
+static void qemu_cleanup_vlan_client(VLANClientState *vc)
 {
     if (vc->vlan) {
         QTAILQ_REMOVE(&vc->vlan->clients, vc, next);
     } else {
-        if (vc->send_queue) {
-            qemu_del_net_queue(vc->send_queue);
-        }
         QTAILQ_REMOVE(&non_vlan_clients, vc, next);
-        if (vc->peer) {
-            vc->peer->peer = NULL;
-        }
     }
 
     if (vc->info->cleanup) {
         vc->info->cleanup(vc);
     }
+}
 
+static void qemu_free_vlan_client(VLANClientState *vc)
+{
+    if (!vc->vlan) {
+        if (vc->send_queue) {
+            qemu_del_net_queue(vc->send_queue);
+        }
+        if (vc->peer) {
+            vc->peer->peer = NULL;
+        }
+    }
     qemu_free(vc->name);
     qemu_free(vc->model);
     qemu_free(vc);
 }
 
+void qemu_del_vlan_client(VLANClientState *vc)
+{
+    /* If there is a peer NIC, delete and cleanup client, but do not free. */
+    if (!vc->vlan && vc->peer && vc->peer->info->type == NET_CLIENT_TYPE_NIC) {
+        NICState *nic = DO_UPCAST(NICState, nc, vc->peer);
+        if (nic->peer_deleted) {
+            return;
+        }
+        nic->peer_deleted = true;
+        /* Let NIC know peer is gone. */
+        vc->peer->link_down = true;
+        if (vc->peer->info->link_status_changed) {
+            vc->peer->info->link_status_changed(vc->peer);
+        }
+        qemu_cleanup_vlan_client(vc);
+        return;
+    }
+
+    /* If this is a peer NIC and peer has already been deleted, free it now. */
+    if (!vc->vlan && vc->peer && vc->info->type == NET_CLIENT_TYPE_NIC) {
+        NICState *nic = DO_UPCAST(NICState, nc, vc);
+        if (nic->peer_deleted) {
+            qemu_free_vlan_client(vc->peer);
+        }
+    }
+
+    qemu_cleanup_vlan_client(vc);
+    qemu_free_vlan_client(vc);
+}
+
 VLANClientState *
 qemu_find_vlan_client_by_name(Monitor *mon, int vlan_id,
                               const char *client_str)
diff --git a/net.h b/net.h
index 518cf9c..44c31a9 100644
--- a/net.h
+++ b/net.h
@@ -72,6 +72,7 @@ typedef struct NICState {
     VLANClientState nc;
     NICConf *conf;
     void *opaque;
+    bool peer_deleted;
 } NICState;
 
 struct VLANState {
commit 4447d609688e75a40a10b559e3b6ae83843e3095
Merge: 48f5704... 869564a...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Oct 5 14:14:19 2010 -0500

    Merge remote branch 'spice/submit.6' into staging
    
    Conflicts:
    	configure
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --cc Makefile.objs
index 9c13bb3,a3113d8..816194a
--- a/Makefile.objs
+++ b/Makefile.objs
@@@ -87,8 -87,9 +88,10 @@@ common-obj-y += pflib.
  
  common-obj-$(CONFIG_BRLAPI) += baum.o
  common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
 +common-obj-$(CONFIG_WIN32) += version.o
  
+ common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o ui/spice-display.o
+ 
  audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
  audio-obj-$(CONFIG_SDL) += sdlaudio.o
  audio-obj-$(CONFIG_OSS) += ossaudio.o
diff --cc configure
index e0d34fd,695a632..9e65de0
--- a/configure
+++ b/configure
@@@ -15,12 -15,12 +15,14 @@@ TMPC="${TMPDIR1}/qemu-conf-${RANDOM}-$$
  TMPO="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.o"
  TMPE="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.exe"
  
 -trap "rm -f $TMPC $TMPO $TMPE ; exit" EXIT INT QUIT TERM
 +# NB: do not call "exit" in the trap handler; this is buggy with some shells;
 +# see <1285349658-3122-1-git-send-email-loic.minier at linaro.org>
 +trap "rm -f $TMPC $TMPO $TMPE" EXIT INT QUIT TERM
+ rm -f config.log
  
  compile_object() {
-   $cc $QEMU_CFLAGS -c -o $TMPO $TMPC > /dev/null 2> /dev/null
+   echo $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log
+   $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log 2>&1
  }
  
  compile_prog() {
@@@ -2533,13 -2512,11 +2567,17 @@@ f
  if test "$fdatasync" = "yes" ; then
    echo "CONFIG_FDATASYNC=y" >> $config_host_mak
  fi
 +if test "$madvise" = "yes" ; then
 +  echo "CONFIG_MADVISE=y" >> $config_host_mak
 +fi
 +if test "$posix_madvise" = "yes" ; then
 +  echo "CONFIG_POSIX_MADVISE=y" >> $config_host_mak
 +fi
  
+ if test "$spice" = "yes" ; then
+   echo "CONFIG_SPICE=y" >> $config_host_mak
+ fi
+ 
  # XXX: suppress that
  if [ "$bsd" = "yes" ] ; then
    echo "CONFIG_BSD=y" >> $config_host_mak
commit 48f57044e6a826329ebcac5d5a76d776a14e5d43
Merge: e0c8a79... a18b2ce...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Oct 5 13:54:49 2010 -0500

    Merge remote branch 'qmp/for-anthony' into staging

diff --cc qjson.h
index 70d0afb,cd60e0b..65b10ea
--- a/qjson.h
+++ b/qjson.h
@@@ -18,10 -18,12 +18,11 @@@
  #include "qobject.h"
  #include "qstring.h"
  
 -QObject *qobject_from_json(const char *string);
 -QObject *qobject_from_jsonf(const char *string, ...)
 -    __attribute__((__format__ (__printf__, 1, 2)));
 -QObject *qobject_from_jsonv(const char *string, va_list *ap);
 +QObject *qobject_from_json(const char *string) GCC_FMT_ATTR(1, 0);
 +QObject *qobject_from_jsonf(const char *string, ...) GCC_FMT_ATTR(1, 2);
 +QObject *qobject_from_jsonv(const char *string, va_list *ap) GCC_FMT_ATTR(1, 0);
  
  QString *qobject_to_json(const QObject *obj);
+ QString *qobject_to_json_pretty(const QObject *obj);
  
  #endif /* QJSON_H */
commit e0c8a796d522b80c21b005a19610829c4be2154f
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Sep 24 18:30:35 2010 +0200

    linux-user: Fix typo m86k -> m68k
    
    Replace m86k_sim_stat by m68k_sim_stat.
    
    Cc: Riku Voipio <riku.voipio at iki.fi>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>

diff --git a/linux-user/m68k-sim.c b/linux-user/m68k-sim.c
index 64d3b23..d5926ee 100644
--- a/linux-user/m68k-sim.c
+++ b/linux-user/m68k-sim.c
@@ -38,7 +38,7 @@
 #define SYS_ISATTY      29
 #define SYS_LSEEK       199
 
-struct m86k_sim_stat {
+struct m68k_sim_stat {
     uint16_t sim_st_dev;
     uint16_t sim_st_ino;
     uint32_t sim_st_mode;
@@ -138,10 +138,10 @@ void do_m68k_simcall(CPUM68KState *env, int nr)
         {
             struct stat s;
             int rc;
-            struct m86k_sim_stat *p;
+            struct m68k_sim_stat *p;
             rc = check_err(env, fstat(ARG(0), &s));
             if (rc == 0) {
-                p = (struct m86k_sim_stat *)(unsigned long)ARG(1);
+                p = (struct m68k_sim_stat *)(unsigned long)ARG(1);
                 p->sim_st_dev = tswap16(s.st_dev);
                 p->sim_st_ino = tswap16(s.st_ino);
                 p->sim_st_mode = tswap32(s.st_mode);
commit b0cd712cc37bc532b26d9935953cf347e025fc7a
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Fri Aug 6 21:53:45 2010 +0200

    Fix spelling in comments
    
    multifuction -> multifunction
    successfull -> successful.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>

diff --git a/hw/pci.c b/hw/pci.c
index 6d0934d..1280d4d 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -604,7 +604,7 @@ static int pci_init_multifunction(PCIBus *bus, PCIDevice *dev)
     }
 
     /*
-     * multifuction bit is interpreted in two ways as follows.
+     * multifunction bit is interpreted in two ways as follows.
      *   - all functions must set the bit to 1.
      *     Example: Intel X53
      *   - function 0 must set the bit, but the rest function (> 0)
diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index 842f1a2..7b862b5 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -128,7 +128,7 @@ static ssize_t handle_aiocb_ioctl(struct qemu_paiocb *aiocb)
 
     /*
      * This looks weird, but the aio code only consideres a request
-     * successfull if it has written the number full number of bytes.
+     * successful if it has written the number full number of bytes.
      *
      * Now we overload aio_nbytes as aio_ioctl_cmd for the ioctl command,
      * so in fact we return the ioctl command here to make posix_aio_read()
diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index 971bced..af45edd 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -641,7 +641,7 @@ DEFINE_GRADIENT_FILTER_FUNCTION(32)
 /*
  * Check if a rectangle is all of the same color. If needSameColor is
  * set to non-zero, then also check that its color equals to the
- * *colorPtr value. The result is 1 if the test is successfull, and in
+ * *colorPtr value. The result is 1 if the test is successful, and in
  * that case new color will be stored in *colorPtr.
  */
 
commit dda5336eac4ff7a5393cf516ec87692a7d700978
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sun Aug 1 13:43:18 2010 +0200

    docs: Improve documentation
    
    Fix some inconsistencies (tabs and punctuation)
    and try to improve grammar and spelling.
    
    Cc: Juan Quintela <quintela at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>

diff --git a/docs/migration.txt b/docs/migration.txt
index 69d5383..4848c1e 100644
--- a/docs/migration.txt
+++ b/docs/migration.txt
@@ -1,21 +1,21 @@
 = Migration =
 
 QEMU has code to load/save the state of the guest that it is running.
-This are two complementary operations.  Saving the state just does
+These are two complementary operations.  Saving the state just does
 that, saves the state for each device that the guest is running.
 Restoring a guest is just the opposite operation: we need to load the
 state of each device.
 
-For this to work, QEMU has to be launch with the same arguments the
+For this to work, QEMU has to be launched with the same arguments the
 two times.  I.e. it can only restore the state in one guest that has
 the same devices that the one it was saved (this last requirement can
-be relaxed a bit, but for now we can consider that configuration have
+be relaxed a bit, but for now we can consider that configuration has
 to be exactly the same).
 
 Once that we are able to save/restore a guest, a new functionality is
 requested: migration.  This means that QEMU is able to start in one
-machine and being "migrated" to other machine.  I.e. being moved to
-other machine.
+machine and being "migrated" to another machine.  I.e. being moved to
+another machine.
 
 Next was the "live migration" functionality.  This is important
 because some guests run with a lot of state (specially RAM), and it
@@ -24,7 +24,7 @@ migration allows the guest to continue running while the state is
 transferred.  Only while the last part of the state is transferred has
 the guest to be stopped.  Typically the time that the guest is
 unresponsive during live migration is the low hundred of milliseconds
-(notice that this depends on lot of things).
+(notice that this depends on a lot of things).
 
 === Types of migration ===
 
@@ -35,9 +35,9 @@ to do migration:
 - unix migration: do the migration using unix sockets
 - exec migration: do the migration using the stdin/stdout through a process.
 - fd migration: do the migration using an file descriptor that is
-  passed to QEMU.  QEMU don't cares how this file descriptor is opened.
+  passed to QEMU.  QEMU doesn't care how this file descriptor is opened.
 
-All this four migration protocols use the same infrastructure to
+All these four migration protocols use the same infrastructure to
 save/restore state devices.  This infrastructure is shared with the
 savevm/loadvm functionality.
 
@@ -49,21 +49,21 @@ This is used for RAM and block devices.  It is not yet ported to vmstate.
 === What is the common infrastructure ===
 
 QEMU uses a QEMUFile abstraction to be able to do migration.  Any type
-of migration that what to use QEMU infrastructure has to create a
+of migration that wants to use QEMU infrastructure has to create a
 QEMUFile with:
 
 QEMUFile *qemu_fopen_ops(void *opaque,
-	 		 QEMUFilePutBufferFunc *put_buffer,
+                         QEMUFilePutBufferFunc *put_buffer,
                          QEMUFileGetBufferFunc *get_buffer,
                          QEMUFileCloseFunc *close,
                          QEMUFileRateLimit *rate_limit,
                          QEMUFileSetRateLimit *set_rate_limit,
-			 QEMUFileGetRateLimit *get_rate_limit);
+                         QEMUFileGetRateLimit *get_rate_limit);
 
 The functions have the following functionality:
 
 This function writes a chunk of data to a file at the given position.
-The pos argument can be ignored if the file is only being used for
+The pos argument can be ignored if the file is only used for
 streaming.  The handler should try to write all of the data it can.
 
 typedef int (QEMUFilePutBufferFunc)(void *opaque, const uint8_t *buf,
@@ -76,18 +76,18 @@ bytes actually read should be returned.
 typedef int (QEMUFileGetBufferFunc)(void *opaque, uint8_t *buf,
                                     int64_t pos, int size);
 
-Close a file and return an error code
+Close a file and return an error code.
 
 typedef int (QEMUFileCloseFunc)(void *opaque);
 
-Called to determine if the file has exceeded it's bandwidth allocation.  The
+Called to determine if the file has exceeded its bandwidth allocation.  The
 bandwidth capping is a soft limit, not a hard limit.
 
 typedef int (QEMUFileRateLimit)(void *opaque);
 
 Called to change the current bandwidth allocation. This function must return
 the new actual bandwidth. It should be new_rate if everything goes OK, and
-the old rate otherwise
+the old rate otherwise.
 
 typedef size_t (QEMUFileSetRateLimit)(void *opaque, size_t new_rate);
 typedef size_t (QEMUFileGetRateLimit)(void *opaque);
@@ -111,8 +111,8 @@ version.  When we migrate a device, we save/load the state as a series
 of fields.  Some times, due to bugs or new functionality, we need to
 change the state to store more/different information.  We use the
 version to identify each time that we do a change.  Each version is
-associated with a series of fields saved.  The save_state always save
-the state as the newer version.  But load_state some times is able to
+associated with a series of fields saved.  The save_state always saves
+the state as the newer version.  But load_state sometimes is able to
 load state from an older version.
 
  === Legacy way ===
@@ -135,14 +135,14 @@ typedef int LoadStateHandler(QEMUFile *f, void *opaque, int version_id);
 
 The important functions for the device state format are the save_state
 and load_state.  Notice that load_state receives a version_id
-parameter to know what state format is receiving.  save_state don't
-have a version_id parameter because it uses always the latest version.
+parameter to know what state format is receiving.  save_state doesn't
+have a version_id parameter because it always uses the latest version.
 
 === VMState ===
 
 The legacy way of saving/loading state of the device had the problem
-that we have to maintain in sync two functions.  If we did one change
-in one of them and not on the other, we got a failed migration.
+that we have to maintain two functions in sync.  If we did one change
+in one of them and not in the other, we would get a failed migration.
 
 VMState changed the way that state is saved/loaded.  Instead of using
 a function to save the state and another to load it, it was changed to
@@ -173,7 +173,7 @@ We registered this with:
 
     vmstate_register(NULL, 0, &vmstate_kbd, s);
 
-Note: talk about how vmstate <-> qdev interact, and what the instance id's mean.
+Note: talk about how vmstate <-> qdev interact, and what the instance ids mean.
 
 You can search for VMSTATE_* macros for lots of types used in QEMU in
 hw/hw.h.
@@ -182,7 +182,7 @@ hw/hw.h.
 
 You can see that there are several version fields:
 
-- version_id: the maximum version_id supported by VMState for that device
+- version_id: the maximum version_id supported by VMState for that device.
 - minimum_version_id: the minimum version_id that VMState is able to understand
   for that device.
 - minimum_version_id_old: For devices that were not able to port to vmstate, we can
@@ -195,7 +195,7 @@ deprecated and will be removed when no more users are left.
 
 ===  Massaging functions ===
 
-Some times, it is not enough to be able to save the state directly
+Sometimes, it is not enough to be able to save the state directly
 from one structure, we need to fill the correct values there.  One
 example is when we are using kvm.  Before saving the cpu state, we
 need to ask kvm to copy to QEMU the state that it is using.  And the
@@ -227,14 +227,14 @@ makes very complicated to fix bugs in stable branches.  If we need to
 add anything to the state to fix a bug, we have to disable migration
 to older versions that don't have that bug-fix (i.e. a new field).
 
-But some time, that bug-fix is only needed sometimes, not always.  For
+But sometimes, that bug-fix is only needed sometimes, not always.  For
 instance, if the device is in the middle of a DMA operation, it is
 using a specific functionality, ....
 
 It is impossible to create a way to make migration from any version to
-any other version to work.  But we can do better that only allowing
+any other version to work.  But we can do better than only allowing
 migration from older versions no newer ones.  For that fields that are
-only needed sometimes, we add the idea of subsections.  a subsection
+only needed sometimes, we add the idea of subsections.  A subsection
 is "like" a device vmstate, but with a particularity, it has a Boolean
 function that tells if that values are needed to be sent or not.  If
 this functions returns false, the subsection is not sent.
@@ -266,7 +266,7 @@ const VMStateDescription vmstate_ide_drive_pio_state = {
     .fields      = (VMStateField []) {
         VMSTATE_INT32(req_nb_sectors, IDEState),
         VMSTATE_VARRAY_INT32(io_buffer, IDEState, io_buffer_total_len, 1,
-			     vmstate_info_uint8, uint8_t),
+                             vmstate_info_uint8, uint8_t),
         VMSTATE_INT32(cur_io_buffer_offset, IDEState),
         VMSTATE_INT32(cur_io_buffer_len, IDEState),
         VMSTATE_UINT8(end_transfer_fn_idx, IDEState),
commit f66724c99a322ec147b0297cba4334c589883b47
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Jul 15 22:28:02 2010 +0200

    Add new user mode option -ignore-environment
    
    An empty environment is sometimes useful in user mode.
    The new option provides it for linux-user and bsd-user
    (darwin-user still has no environment related options).
    
    The patch also adds the documentation for other
    environment related options.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>

diff --git a/bsd-user/main.c b/bsd-user/main.c
index aff9f13..6b12f8b 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -795,6 +795,12 @@ int main(int argc, char **argv)
             r = argv[optind++];
             if (envlist_setenv(envlist, r) != 0)
                 usage();
+        } else if (!strcmp(r, "ignore-environment")) {
+            envlist_free(envlist);
+            if ((envlist = envlist_create()) == NULL) {
+                (void) fprintf(stderr, "Unable to allocate envlist\n");
+                exit(1);
+            }
         } else if (!strcmp(r, "U")) {
             r = argv[optind++];
             if (envlist_unsetenv(envlist, r) != 0)
diff --git a/linux-user/main.c b/linux-user/main.c
index 69d050f..dbba8be 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -2790,6 +2790,12 @@ int main(int argc, char **argv, char **envp)
             r = argv[optind++];
             if (envlist_setenv(envlist, r) != 0)
                 usage();
+        } else if (!strcmp(r, "ignore-environment")) {
+            envlist_free(envlist);
+            if ((envlist = envlist_create()) == NULL) {
+                (void) fprintf(stderr, "Unable to allocate envlist\n");
+                exit(1);
+            }
         } else if (!strcmp(r, "U")) {
             r = argv[optind++];
             if (envlist_unsetenv(envlist, r) != 0)
diff --git a/qemu-doc.texi b/qemu-doc.texi
index d7d760f..c376529 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -2186,6 +2186,13 @@ Set the x86 elf interpreter prefix (default=/usr/local/qemu-i386)
 Set the x86 stack size in bytes (default=524288)
 @item -cpu model
 Select CPU model (-cpu ? for list and additional feature selection)
+ at item -ignore-environment
+Start with an empty environment. Without this option,
+the inital environment is a copy of the caller's environment.
+ at item -E @var{var}=@var{value}
+Set environment @var{var} to @var{value}.
+ at item -U @var{var}
+Remove @var{var} from the environment.
 @item -B offset
 Offset guest address by the specified number of bytes.  This is useful when
 the address region required by guest applications is reserved on the host.
@@ -2409,6 +2416,13 @@ Print the help
 Set the library root path (default=/)
 @item -s size
 Set the stack size in bytes (default=524288)
+ at item -ignore-environment
+Start with an empty environment. Without this option,
+the inital environment is a copy of the caller's environment.
+ at item -E @var{var}=@var{value}
+Set environment @var{var} to @var{value}.
+ at item -U @var{var}
+Remove @var{var} from the environment.
 @item -bsd type
 Set the type of the emulated BSD Operating system. Valid values are
 FreeBSD, NetBSD and OpenBSD (default).
commit 999fa40e431626121cdee7d244aadfd0c8f2597b
Author: John Clark <clarkjc at runbox.com>
Date:   Tue Oct 5 18:38:55 2010 +0200

    ppc: Minor 40x MMU fixes
    
    * Fix swapped reading of tlblo/hi.
    * Fix tlb exec permissions
    
    Signed-off-by: John Clark <clarkjc at runbox.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index 3bc8a34..edbdd80 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -1172,9 +1172,7 @@ static int mmu40x_get_physical_address (CPUState *env, mmu_ctx_t *ctx,
         case 0x1:
         check_perms:
             /* Check from TLB entry */
-            /* XXX: there is a problem here or in the TLB fill code... */
             ctx->prot = tlb->prot;
-            ctx->prot |= PAGE_EXEC;
             ret = check_prot(ctx->prot, rw, access_type);
             if (ret == -2)
                 env->spr[SPR_40x_ESR] = 0;
diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 3e6db85..45f1655 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -3929,37 +3929,56 @@ static inline int booke_page_size_to_tlb(target_ulong page_size)
 }
 
 /* Helpers for 4xx TLB management */
-target_ulong helper_4xx_tlbre_lo (target_ulong entry)
+#define PPC4XX_TLB_ENTRY_MASK       0x0000003f  /* Mask for 64 TLB entries */
+
+#define PPC4XX_TLBHI_V              0x00000040
+#define PPC4XX_TLBHI_E              0x00000020
+#define PPC4XX_TLBHI_SIZE_MIN       0
+#define PPC4XX_TLBHI_SIZE_MAX       7
+#define PPC4XX_TLBHI_SIZE_DEFAULT   1
+#define PPC4XX_TLBHI_SIZE_SHIFT     7
+#define PPC4XX_TLBHI_SIZE_MASK      0x00000007
+
+#define PPC4XX_TLBLO_EX             0x00000200
+#define PPC4XX_TLBLO_WR             0x00000100
+#define PPC4XX_TLBLO_ATTR_MASK      0x000000FF
+#define PPC4XX_TLBLO_RPN_MASK       0xFFFFFC00
+
+target_ulong helper_4xx_tlbre_hi (target_ulong entry)
 {
     ppcemb_tlb_t *tlb;
     target_ulong ret;
     int size;
 
-    entry &= 0x3F;
+    entry &= PPC4XX_TLB_ENTRY_MASK;
     tlb = &env->tlb[entry].tlbe;
     ret = tlb->EPN;
-    if (tlb->prot & PAGE_VALID)
-        ret |= 0x400;
+    if (tlb->prot & PAGE_VALID) {
+        ret |= PPC4XX_TLBHI_V;
+    }
     size = booke_page_size_to_tlb(tlb->size);
-    if (size < 0 || size > 0x7)
-        size = 1;
-    ret |= size << 7;
+    if (size < PPC4XX_TLBHI_SIZE_MIN || size > PPC4XX_TLBHI_SIZE_MAX) {
+        size = PPC4XX_TLBHI_SIZE_DEFAULT;
+    }
+    ret |= size << PPC4XX_TLBHI_SIZE_SHIFT;
     env->spr[SPR_40x_PID] = tlb->PID;
     return ret;
 }
 
-target_ulong helper_4xx_tlbre_hi (target_ulong entry)
+target_ulong helper_4xx_tlbre_lo (target_ulong entry)
 {
     ppcemb_tlb_t *tlb;
     target_ulong ret;
 
-    entry &= 0x3F;
+    entry &= PPC4XX_TLB_ENTRY_MASK;
     tlb = &env->tlb[entry].tlbe;
     ret = tlb->RPN;
-    if (tlb->prot & PAGE_EXEC)
-        ret |= 0x200;
-    if (tlb->prot & PAGE_WRITE)
-        ret |= 0x100;
+    if (tlb->prot & PAGE_EXEC) {
+        ret |= PPC4XX_TLBLO_EX;
+    }
+    if (tlb->prot & PAGE_WRITE) {
+        ret |= PPC4XX_TLBLO_WR;
+    }
     return ret;
 }
 
@@ -3970,30 +3989,32 @@ void helper_4xx_tlbwe_hi (target_ulong entry, target_ulong val)
 
     LOG_SWTLB("%s entry %d val " TARGET_FMT_lx "\n", __func__, (int)entry,
               val);
-    entry &= 0x3F;
+    entry &= PPC4XX_TLB_ENTRY_MASK;
     tlb = &env->tlb[entry].tlbe;
     /* Invalidate previous TLB (if it's valid) */
     if (tlb->prot & PAGE_VALID) {
         end = tlb->EPN + tlb->size;
         LOG_SWTLB("%s: invalidate old TLB %d start " TARGET_FMT_lx " end "
                   TARGET_FMT_lx "\n", __func__, (int)entry, tlb->EPN, end);
-        for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE)
+        for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE) {
             tlb_flush_page(env, page);
+        }
     }
-    tlb->size = booke_tlb_to_page_size((val >> 7) & 0x7);
+    tlb->size = booke_tlb_to_page_size((val >> PPC4XX_TLBHI_SIZE_SHIFT)
+                                       & PPC4XX_TLBHI_SIZE_MASK);
     /* We cannot handle TLB size < TARGET_PAGE_SIZE.
      * If this ever occurs, one should use the ppcemb target instead
      * of the ppc or ppc64 one
      */
-    if ((val & 0x40) && tlb->size < TARGET_PAGE_SIZE) {
+    if ((val & PPC4XX_TLBHI_V) && tlb->size < TARGET_PAGE_SIZE) {
         cpu_abort(env, "TLB size " TARGET_FMT_lu " < %u "
                   "are not supported (%d)\n",
                   tlb->size, TARGET_PAGE_SIZE, (int)((val >> 7) & 0x7));
     }
     tlb->EPN = val & ~(tlb->size - 1);
-    if (val & 0x40) {
+    if (val & PPC4XX_TLBHI_V) {
         tlb->prot |= PAGE_VALID;
-        if (val & 0x20) {
+        if (val & PPC4XX_TLBHI_E) {
             /* XXX: TO BE FIXED */
             cpu_abort(env,
                       "Little-endian TLB entries are not supported by now\n");
@@ -4014,8 +4035,9 @@ void helper_4xx_tlbwe_hi (target_ulong entry, target_ulong val)
         end = tlb->EPN + tlb->size;
         LOG_SWTLB("%s: invalidate TLB %d start " TARGET_FMT_lx " end "
                   TARGET_FMT_lx "\n", __func__, (int)entry, tlb->EPN, end);
-        for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE)
+        for (page = tlb->EPN; page < end; page += TARGET_PAGE_SIZE) {
             tlb_flush_page(env, page);
+        }
     }
 }
 
@@ -4025,15 +4047,17 @@ void helper_4xx_tlbwe_lo (target_ulong entry, target_ulong val)
 
     LOG_SWTLB("%s entry %i val " TARGET_FMT_lx "\n", __func__, (int)entry,
               val);
-    entry &= 0x3F;
+    entry &= PPC4XX_TLB_ENTRY_MASK;
     tlb = &env->tlb[entry].tlbe;
-    tlb->attr = val & 0xFF;
-    tlb->RPN = val & 0xFFFFFC00;
+    tlb->attr = val & PPC4XX_TLBLO_ATTR_MASK;
+    tlb->RPN = val & PPC4XX_TLBLO_RPN_MASK;
     tlb->prot = PAGE_READ;
-    if (val & 0x200)
+    if (val & PPC4XX_TLBLO_EX) {
         tlb->prot |= PAGE_EXEC;
-    if (val & 0x100)
+    }
+    if (val & PPC4XX_TLBLO_WR) {
         tlb->prot |= PAGE_WRITE;
+    }
     LOG_SWTLB("%s: set up TLB %d RPN " TARGET_FMT_plx " EPN " TARGET_FMT_lx
               " size " TARGET_FMT_lx " prot %c%c%c%c PID %d\n", __func__,
               (int)entry, tlb->RPN, tlb->EPN, tlb->size,
commit c2333d898b52a9d64845522f18fd083534dc0a5b
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Oct 5 15:02:34 2010 +0200

    kvm: allow tpr patching to write to write-protected vapic option rom
    
    Now that we allow the bios to write protect option roms, we need to allow
    the tpr patching code to write to this write protected memory.  This means
    using cpu_physical_memory_write_rom() instead of the usual APIs.
    
    Fixes Windows XP without flexpriority.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm-tpr-opt.c b/kvm-tpr-opt.c
index 46890e2..c929fc8 100644
--- a/kvm-tpr-opt.c
+++ b/kvm-tpr-opt.c
@@ -73,7 +73,7 @@ static uint8_t read_byte_virt(CPUState *env, target_ulong virt)
 
 static void write_byte_virt(CPUState *env, target_ulong virt, uint8_t b)
 {
-    stb_phys(map_addr(env, virt, NULL), b);
+    cpu_physical_memory_write_rom(map_addr(env, virt, NULL), &b, 1);
 }
 
 struct vapic_bios {
@@ -107,7 +107,7 @@ static void update_vbios_real_tpr(void)
     cpu_physical_memory_rw(vbios_desc_phys, (void *)&vapic_bios, sizeof vapic_bios, 0);
     vapic_bios.real_tpr = real_tpr;
     vapic_bios.vcpu_shift = 7;
-    cpu_physical_memory_rw(vbios_desc_phys, (void *)&vapic_bios, sizeof vapic_bios, 1);
+    cpu_physical_memory_write_rom(vbios_desc_phys, (void *)&vapic_bios, sizeof vapic_bios);
 }
 
 static unsigned modrm_reg(uint8_t modrm)
@@ -174,6 +174,7 @@ static int bios_is_mapped(CPUState *env, uint64_t rip)
     unsigned perms;
     uint32_t i;
     uint32_t offset, fixup, start = vapic_bios_addr ? : 0xe0000;
+    uint32_t patch;
 
     if (bios_enabled)
 	return 1;
@@ -198,7 +199,8 @@ static int bios_is_mapped(CPUState *env, uint64_t rip)
     for (i = vapic_bios.fixup_start; i < vapic_bios.fixup_end; i += 4) {
 	offset = ldl_phys(phys + i - vapic_bios.virt_base);
 	fixup = phys + offset;
-	stl_phys(fixup, ldl_phys(fixup) + bios_addr - vapic_bios.virt_base);
+        patch = ldl_phys(fixup) + bios_addr - vapic_bios.virt_base;
+        cpu_physical_memory_write_rom(fixup, (uint8_t *)&patch, 4);
     }
     vapic_phys = vapic_bios.vapic - vapic_bios.virt_base + phys;
     return 1;
@@ -225,7 +227,7 @@ int kvm_tpr_enable_vapic(CPUState *env)
 	    return 0;
 
     kvm_enable_vapic(env, vapic_phys + (pcr_cpu << 7));
-    cpu_physical_memory_rw(vapic_phys + (pcr_cpu << 7) + 4, &one, 1, 1);
+    cpu_physical_memory_write_rom(vapic_phys + (pcr_cpu << 7) + 4, &one, 1);
     env->kvm_vcpu_update_vapic = 0;
     bios_enabled = 1;
     return 1;
commit 74bcdb1c883012291e5c8faead5c6310a735e52d
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Oct 3 12:01:13 2010 +0200

    Revert "p2v monitor command: translate guest physical address to host virtual address"
    
    This reverts commit c3fe515c911b9828d6e3e659ac794cb7dc76cd66; needs to go
    through qemu.git.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/monitor.c b/monitor.c
index df0cb33..9072c06 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2301,18 +2301,6 @@ static void do_inject_mce(Monitor *mon, const QDict *qdict)
 }
 #endif
 
-static void do_p2v(Monitor *mon, const QDict *qdict)
-{
-    target_phys_addr_t size = TARGET_PAGE_SIZE;
-    target_phys_addr_t addr = qdict_get_int(qdict, "addr");
-    void *vaddr;
-
-    vaddr = cpu_physical_memory_map(addr, &size, 0);
-    monitor_printf(mon, "Guest physical address %p is mapped at "
-                   "host virtual address %p\n", (void *)addr, vaddr);
-    cpu_physical_memory_unmap(vaddr, size, 0, 0);
-}
-
 static int do_getfd(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
     const char *fdname = qdict_get_str(qdict, "fdname");
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index 2698a42..620f937 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -459,19 +459,6 @@ Start gdbserver session (default @var{port}=1234)
 ETEXI
 
     {
-        .name       = "p2v",
-        .args_type  = "fmt:/,addr:l",
-        .params     = "/fmt addr",
-        .help       = "translate guest physical 'addr' to host virtual address",
-        .mhandler.cmd = do_p2v,
-    },
-STEXI
- at item p2v @var{addr}
- at findex mce
-Translate guest physical @var{addr} to host virtual address.
-ETEXI
-
-    {
         .name       = "x",
         .args_type  = "fmt:/,addr:l",
         .params     = "/fmt addr",
commit 358664cc6d1b5f7c36004be0179b36011b81c49d
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon Sep 20 14:11:19 2010 +0100

    console: Avoid dereferencing NULL active_console
    
    The console_select() function does not check that active_console is
    non-NULL before dereferencing it.  When invoked with qemu -nodefaults it
    is possible to hit this case.
    
    This patch checks that active_console is non-NULL before stashing away
    the old console dimensions in console_select().
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Acked-by: Gerd Hoffmann <kraxel at redhat.com>
    Acked-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/console.c b/console.c
index 698bc10..c1728b1 100644
--- a/console.c
+++ b/console.c
@@ -1060,8 +1060,10 @@ void console_select(unsigned int index)
 
     if (index >= MAX_CONSOLES)
         return;
-    active_console->g_width = ds_get_width(active_console->ds);
-    active_console->g_height = ds_get_height(active_console->ds);
+    if (active_console) {
+        active_console->g_width = ds_get_width(active_console->ds);
+        active_console->g_height = ds_get_height(active_console->ds);
+    }
     s = consoles[index];
     if (s) {
         DisplayState *ds = s->ds;
commit 7fd3f494409775b491ca08f9026c45da13852a6d
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 30 22:39:51 2010 +0200

    exec: Fix compilation error for debug code
    
    is_softmmu was removed with commit
    d4c430a80f000d722bb70287af4d4c184a8d7006,
    so remove it now from debug code, too.
    
    Fix also the format specifier for paddr
    in the same line of code.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/exec.c b/exec.c
index 9b5464f..1fbe91c 100644
--- a/exec.c
+++ b/exec.c
@@ -2173,8 +2173,9 @@ void tlb_set_page(CPUState *env, target_ulong vaddr,
         pd = p->phys_offset;
     }
 #if defined(DEBUG_TLB)
-    printf("tlb_set_page: vaddr=" TARGET_FMT_lx " paddr=0x%08x prot=%x idx=%d smmu=%d pd=0x%08lx\n",
-           vaddr, (int)paddr, prot, mmu_idx, is_softmmu, pd);
+    printf("tlb_set_page: vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
+           " prot=%x idx=%d pd=0x%08lx\n",
+           vaddr, paddr, prot, mmu_idx, pd);
 #endif
 
     address = vaddr;
commit b832134d8ab6cb455bf182c99e5610803d8d2500
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 30 22:05:42 2010 +0200

    rc4030: Fix compilation error in debug code
    
    min was unknown here, so avoid it.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/rc4030.c b/hw/rc4030.c
index 2231373..abbc3eb 100644
--- a/hw/rc4030.c
+++ b/hw/rc4030.c
@@ -749,7 +749,10 @@ static void rc4030_do_dma(void *opaque, int n, uint8_t *buf, int len, int is_wri
         printf("rc4030 dma: Copying %d bytes %s host %p\n",
             len, is_write ? "from" : "to", buf);
         for (i = 0; i < len; i += 16) {
-            int n = min(16, len - i);
+            int n = 16;
+            if (n > len - i) {
+                n = len - i;
+            }
             for (j = 0; j < n; j++)
                 printf("%02x ", buf[i + j]);
             while (j++ < 16)
commit a4a77677d790c07759ae5219110de2e472a6b0a9
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 30 21:33:15 2010 +0200

    mipsnet: Fix compiler warning in debug code
    
    size_t needs a different format specifier, so fix this.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mipsnet.c b/hw/mipsnet.c
index a95b3ce..c5e54ff 100644
--- a/hw/mipsnet.c
+++ b/hw/mipsnet.c
@@ -81,7 +81,7 @@ static ssize_t mipsnet_receive(VLANClientState *nc, const uint8_t *buf, size_t s
     MIPSnetState *s = DO_UPCAST(NICState, nc, nc)->opaque;
 
 #ifdef DEBUG_MIPSNET_RECEIVE
-    printf("mipsnet: receiving len=%d\n", size);
+    printf("mipsnet: receiving len=%zu\n", size);
 #endif
     if (!mipsnet_can_receive(nc))
         return -1;
commit d523d5d69409a2bb3b5a2c53179d190d2a8c06b2
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 30 21:15:39 2010 +0200

    block/vvfat: Fix compiler warning in debug code
    
    Fix this compiler warning:
    ./block/vvfat.c:2285: error: comparison of unsigned expression >= 0 is always true
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block/vvfat.c b/block/vvfat.c
index 53e57bf..26dd474 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2282,7 +2282,6 @@ static void check1(BDRVVVFATState* s)
 	    fprintf(stderr, "deleted\n");
 	    continue;
 	}
-	assert(mapping->dir_index >= 0);
 	assert(mapping->dir_index < s->directory.next);
 	direntry_t* direntry = array_get(&(s->directory), mapping->dir_index);
 	assert(mapping->begin == begin_of_direntry(direntry) || mapping->first_mapping_index >= 0);
commit c9ba47dc5d8679efa4d5425aa27e0f8132920fb5
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Sep 27 18:45:47 2010 +0200

    virtio-9p: Use GCC_FMT_ATTR and fix a format warning
    
    With the new gcc format warnings, gcc detected this:
    
    /qemu/hw/virtio-9p.c:1040: error: format ‘%u’ expects type ‘unsigned int’, but argument 4 has type ‘__nlink_t’
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 32fa3bc..3b2d49c 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -333,7 +333,8 @@ static int number_to_string(void *arg, char type)
     return ret;
 }
 
-static int v9fs_string_alloc_printf(char **strp, const char *fmt, va_list ap)
+static int GCC_FMT_ATTR(2, 0)
+v9fs_string_alloc_printf(char **strp, const char *fmt, va_list ap)
 {
     va_list ap2;
     char *iter = (char *)fmt;
@@ -387,7 +388,8 @@ alloc_print:
     return vsprintf(*strp, fmt, ap);
 }
 
-static void v9fs_string_sprintf(V9fsString *str, const char *fmt, ...)
+static void GCC_FMT_ATTR(2, 3)
+v9fs_string_sprintf(V9fsString *str, const char *fmt, ...)
 {
     va_list ap;
     int err;
@@ -1034,8 +1036,8 @@ static int stat_to_v9stat(V9fsState *s, V9fsString *name,
                 S_ISCHR(stbuf->st_mode) ? 'c' : 'b',
                 major(stbuf->st_rdev), minor(stbuf->st_rdev));
     } else if (S_ISDIR(stbuf->st_mode) || S_ISREG(stbuf->st_mode)) {
-        v9fs_string_sprintf(&v9stat->extension, "%s %u",
-                "HARDLINKCOUNT", stbuf->st_nlink);
+        v9fs_string_sprintf(&v9stat->extension, "%s %lu",
+                "HARDLINKCOUNT", (unsigned long)stbuf->st_nlink);
     }
 
     str = strrchr(name->data, '/');
commit 6ea421fee15f5f2d32c2b471cb2336463d4e316b
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 23 20:47:32 2010 +0200

    blockdev: Use GCC_FMT_ATTR (format checking)
    
    Additional changes:
    
    * Removed 'extern' from drive_add (avoids too long line).
    * Removed 'extern' from other functions (makes declarations
      consistent with others in same header file).
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/blockdev.h b/blockdev.h
index 89dcd9a..653affc 100644
--- a/blockdev.h
+++ b/blockdev.h
@@ -34,14 +34,13 @@ struct DriveInfo {
 #define MAX_IDE_DEVS	2
 #define MAX_SCSI_DEVS	7
 
-extern DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
-extern int drive_get_max_bus(BlockInterfaceType type);
-extern void drive_uninit(DriveInfo *dinfo);
-extern DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
-
-extern QemuOpts *drive_add(const char *file, const char *fmt, ...);
-extern DriveInfo *drive_init(QemuOpts *arg, int default_to_scsi,
-                             int *fatal_error);
+DriveInfo *drive_get(BlockInterfaceType type, int bus, int unit);
+int drive_get_max_bus(BlockInterfaceType type);
+void drive_uninit(DriveInfo *dinfo);
+DriveInfo *drive_get_by_blockdev(BlockDriverState *bs);
+
+QemuOpts *drive_add(const char *file, const char *fmt, ...) GCC_FMT_ATTR(2, 3);
+DriveInfo *drive_init(QemuOpts *arg, int default_to_scsi, int *fatal_error);
 
 /* device-hotplug */
 
commit 8b7968f7c4ac8c07cad6a1a0891d38cf239a2839
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 23 21:28:05 2010 +0200

    Use GCC_FMT_ATTR (format checking)
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/audio/audio.h b/audio/audio.h
index 39a0631..a70fda9 100644
--- a/audio/audio.h
+++ b/audio/audio.h
@@ -86,7 +86,7 @@ typedef struct QEMUAudioTimeStamp {
     uint64_t old_ts;
 } QEMUAudioTimeStamp;
 
-void AUD_vlog (const char *cap, const char *fmt, va_list ap);
+void AUD_vlog (const char *cap, const char *fmt, va_list ap) GCC_FMT_ATTR(2, 0);
 void AUD_log (const char *cap, const char *fmt, ...) GCC_FMT_ATTR(2, 3);
 
 void AUD_help (void);
diff --git a/disas.c b/disas.c
index 79a98de..afe331f 100644
--- a/disas.c
+++ b/disas.c
@@ -349,7 +349,8 @@ monitor_read_memory (bfd_vma memaddr, bfd_byte *myaddr, int length,
     return 0;
 }
 
-static int monitor_fprintf(FILE *stream, const char *fmt, ...)
+static int GCC_FMT_ATTR(2, 3)
+monitor_fprintf(FILE *stream, const char *fmt, ...)
 {
     va_list ap;
     va_start(ap, fmt);
diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index 61ca9c4..df80ef6 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -76,7 +76,8 @@ static struct _loaderparams {
     const char *initrd_filename;
 } loaderparams;
 
-static void prom_set(uint32_t* prom_buf, int index, const char *string, ...)
+static void GCC_FMT_ATTR(3, 4) prom_set(uint32_t* prom_buf, int index,
+                                        const char *string, ...)
 {
     va_list ap;
     int32_t table_addr;
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 1cb7880..0969089 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -654,7 +654,8 @@ static void write_bootloader (CPUState *env, uint8_t *base,
 
 }
 
-static void prom_set(uint32_t* prom_buf, int index, const char *string, ...)
+static void GCC_FMT_ATTR(3, 4) prom_set(uint32_t* prom_buf, int index,
+                                        const char *string, ...)
 {
     va_list ap;
     int32_t table_addr;
diff --git a/json-parser.c b/json-parser.c
index 70b9b6f..6c06ef9 100644
--- a/json-parser.c
+++ b/json-parser.c
@@ -91,7 +91,8 @@ static int token_is_escape(QObject *obj, const char *value)
 /**
  * Error handler
  */
-static void parse_error(JSONParserContext *ctxt, QObject *token, const char *msg, ...)
+static void GCC_FMT_ATTR(3, 4) parse_error(JSONParserContext *ctxt,
+                                           QObject *token, const char *msg, ...)
 {
     va_list ap;
     va_start(ap, msg);
diff --git a/monitor.c b/monitor.c
index e602480..377ab37 100644
--- a/monitor.c
+++ b/monitor.c
@@ -316,7 +316,8 @@ void monitor_print_filename(Monitor *mon, const char *filename)
     }
 }
 
-static int monitor_fprintf(FILE *stream, const char *fmt, ...)
+static int GCC_FMT_ATTR(2, 3) monitor_fprintf(FILE *stream,
+                                              const char *fmt, ...)
 {
     va_list ap;
     va_start(ap, fmt);
diff --git a/monitor.h b/monitor.h
index 185cc3e..4a6cf82 100644
--- a/monitor.h
+++ b/monitor.h
@@ -49,7 +49,8 @@ int monitor_read_bdrv_key_start(Monitor *mon, BlockDriverState *bs,
 
 int monitor_get_fd(Monitor *mon, const char *fdname);
 
-void monitor_vprintf(Monitor *mon, const char *fmt, va_list ap);
+void monitor_vprintf(Monitor *mon, const char *fmt, va_list ap)
+    GCC_FMT_ATTR(2, 0);
 void monitor_printf(Monitor *mon, const char *fmt, ...) GCC_FMT_ATTR(2, 3);
 void monitor_print_filename(Monitor *mon, const char *filename);
 void monitor_flush(Monitor *mon);
diff --git a/qemu-char.h b/qemu-char.h
index 6ea01ba..18ad12b 100644
--- a/qemu-char.h
+++ b/qemu-char.h
@@ -76,7 +76,8 @@ CharDriverState *qemu_chr_open_opts(QemuOpts *opts,
                                     void (*init)(struct CharDriverState *s));
 CharDriverState *qemu_chr_open(const char *label, const char *filename, void (*init)(struct CharDriverState *s));
 void qemu_chr_close(CharDriverState *chr);
-void qemu_chr_printf(CharDriverState *s, const char *fmt, ...);
+void qemu_chr_printf(CharDriverState *s, const char *fmt, ...)
+    GCC_FMT_ATTR(2, 3);
 int qemu_chr_write(CharDriverState *s, const uint8_t *buf, int len);
 void qemu_chr_send_event(CharDriverState *s, int event);
 void qemu_chr_add_handlers(CharDriverState *s,
diff --git a/qemu-error.h b/qemu-error.h
index 531ec63..4d5c537 100644
--- a/qemu-error.h
+++ b/qemu-error.h
@@ -30,7 +30,7 @@ void loc_set_none(void);
 void loc_set_cmdline(char **argv, int idx, int cnt);
 void loc_set_file(const char *fname, int lno);
 
-void error_vprintf(const char *fmt, va_list ap);
+void error_vprintf(const char *fmt, va_list ap) GCC_FMT_ATTR(1, 0);
 void error_printf(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 void error_printf_unless_qmp(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 void error_print_loc(void);
diff --git a/qemu-img.c b/qemu-img.c
index 4e035e4..578b8eb 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -39,7 +39,7 @@ typedef struct img_cmd_t {
 /* Default to cache=writeback as data integrity is not important for qemu-tcg. */
 #define BDRV_O_FLAGS BDRV_O_CACHE_WB
 
-static void error(const char *fmt, ...)
+static void GCC_FMT_ATTR(1, 2) error(const char *fmt, ...)
 {
     va_list ap;
     va_start(ap, fmt);
diff --git a/qerror.c b/qerror.c
index 0af3ab3..ac2cdaf 100644
--- a/qerror.c
+++ b/qerror.c
@@ -218,7 +218,8 @@ QError *qerror_new(void)
     return qerr;
 }
 
-static void qerror_abort(const QError *qerr, const char *fmt, ...)
+static void GCC_FMT_ATTR(2, 3) qerror_abort(const QError *qerr,
+                                            const char *fmt, ...)
 {
     va_list ap;
 
@@ -233,7 +234,8 @@ static void qerror_abort(const QError *qerr, const char *fmt, ...)
     abort();
 }
 
-static void qerror_set_data(QError *qerr, const char *fmt, va_list *va)
+static void GCC_FMT_ATTR(2, 0) qerror_set_data(QError *qerr,
+                                               const char *fmt, va_list *va)
 {
     QObject *obj;
 
diff --git a/qerror.h b/qerror.h
index f2984dd..943a24b 100644
--- a/qerror.h
+++ b/qerror.h
@@ -34,7 +34,7 @@ typedef struct QError {
 
 QError *qerror_new(void);
 QError *qerror_from_info(const char *file, int linenr, const char *func,
-                         const char *fmt, va_list *va);
+                         const char *fmt, va_list *va) GCC_FMT_ATTR(4, 0);
 QString *qerror_human(const QError *qerror);
 void qerror_print(QError *qerror);
 void qerror_report_internal(const char *file, int linenr, const char *func,
diff --git a/qjson.h b/qjson.h
index 7eef357..70d0afb 100644
--- a/qjson.h
+++ b/qjson.h
@@ -18,9 +18,9 @@
 #include "qobject.h"
 #include "qstring.h"
 
-QObject *qobject_from_json(const char *string);
+QObject *qobject_from_json(const char *string) GCC_FMT_ATTR(1, 0);
 QObject *qobject_from_jsonf(const char *string, ...) GCC_FMT_ATTR(1, 2);
-QObject *qobject_from_jsonv(const char *string, va_list *ap);
+QObject *qobject_from_jsonv(const char *string, va_list *ap) GCC_FMT_ATTR(1, 0);
 
 QString *qobject_to_json(const QObject *obj);
 
diff --git a/slirp/slirp.h b/slirp/slirp.h
index 6c7488c..462292d 100644
--- a/slirp/slirp.h
+++ b/slirp/slirp.h
@@ -263,7 +263,7 @@ void if_start(struct ttys *);
  long gethostid(void);
 #endif
 
-void lprint(const char *, ...);
+void lprint(const char *, ...) GCC_FMT_ATTR(1, 2);
 
 #ifndef _WIN32
 #include <netdb.h>
commit e5924d8980e0bd027f2f12fa702ec1c555538230
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Thu Sep 23 21:28:03 2010 +0200

    Replace most gcc format attributes by macro GCC_FMT_ATTR (format checking)
    
    Since version 4.4.x, gcc supports additional format attributes.
        __attribute__ ((format (gnu_printf, 1, 2)))
    should be used instead of
        __attribute__ ((format (printf, 1, 2))
    because QEMU always uses standard format strings (even with mingw32).
    
    The patch replaces format attribute printf / __printf__ by macro
    GCC_FMT_ATTR which uses gnu_printf if supported.
    
    It also removes an #ifdef __GNUC__ (not needed any longer).
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/audio/audio.h b/audio/audio.h
index 454ade2..39a0631 100644
--- a/audio/audio.h
+++ b/audio/audio.h
@@ -87,11 +87,7 @@ typedef struct QEMUAudioTimeStamp {
 } QEMUAudioTimeStamp;
 
 void AUD_vlog (const char *cap, const char *fmt, va_list ap);
-void AUD_log (const char *cap, const char *fmt, ...)
-#ifdef __GNUC__
-    __attribute__ ((__format__ (__printf__, 2, 3)))
-#endif
-    ;
+void AUD_log (const char *cap, const char *fmt, ...) GCC_FMT_ATTR(2, 3);
 
 void AUD_help (void);
 void AUD_register_card (const char *name, QEMUSoundCard *card);
diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h
index 554ff8b..9763616 100644
--- a/bsd-user/qemu.h
+++ b/bsd-user/qemu.h
@@ -139,7 +139,7 @@ abi_long do_netbsd_syscall(void *cpu_env, int num, abi_long arg1,
 abi_long do_openbsd_syscall(void *cpu_env, int num, abi_long arg1,
                             abi_long arg2, abi_long arg3, abi_long arg4,
                             abi_long arg5, abi_long arg6);
-void gemu_log(const char *fmt, ...) __attribute__((format(printf,1,2)));
+void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 extern THREAD CPUState *thread_env;
 void cpu_loop(CPUState *env);
 char *target_strerror(int err);
diff --git a/darwin-user/qemu.h b/darwin-user/qemu.h
index 462bbda..0c5081b 100644
--- a/darwin-user/qemu.h
+++ b/darwin-user/qemu.h
@@ -99,7 +99,7 @@ int do_sigaction(int sig, const struct sigaction *act,
                  struct sigaction *oact);
 int do_sigaltstack(const struct sigaltstack *ss, struct sigaltstack *oss);
 
-void gemu_log(const char *fmt, ...) __attribute__((format(printf,1,2)));
+void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 void qerror(const char *fmt, ...);
 
 void write_dt(void *ptr, unsigned long addr, unsigned long limit, int flags);
diff --git a/hw/xen_backend.h b/hw/xen_backend.h
index 292126d..1b428e3 100644
--- a/hw/xen_backend.h
+++ b/hw/xen_backend.h
@@ -84,7 +84,7 @@ int xen_be_bind_evtchn(struct XenDevice *xendev);
 void xen_be_unbind_evtchn(struct XenDevice *xendev);
 int xen_be_send_notify(struct XenDevice *xendev);
 void xen_be_printf(struct XenDevice *xendev, int msg_level, const char *fmt, ...)
-    __attribute__ ((format(printf, 3, 4)));
+    GCC_FMT_ATTR(3, 4);
 
 /* actual backend drivers */
 extern struct XenDevOps xen_console_ops;      /* xen_console.c     */
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 794fe49..708021e 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -186,7 +186,7 @@ void syscall_init(void);
 abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                     abi_long arg2, abi_long arg3, abi_long arg4,
                     abi_long arg5, abi_long arg6);
-void gemu_log(const char *fmt, ...) __attribute__((format(printf,1,2)));
+void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 extern THREAD CPUState *thread_env;
 void cpu_loop(CPUState *env);
 char *target_strerror(int err);
diff --git a/monitor.h b/monitor.h
index 38b22a4..185cc3e 100644
--- a/monitor.h
+++ b/monitor.h
@@ -50,8 +50,7 @@ int monitor_read_bdrv_key_start(Monitor *mon, BlockDriverState *bs,
 int monitor_get_fd(Monitor *mon, const char *fdname);
 
 void monitor_vprintf(Monitor *mon, const char *fmt, va_list ap);
-void monitor_printf(Monitor *mon, const char *fmt, ...)
-    __attribute__ ((__format__ (__printf__, 2, 3)));
+void monitor_printf(Monitor *mon, const char *fmt, ...) GCC_FMT_ATTR(2, 3);
 void monitor_print_filename(Monitor *mon, const char *filename);
 void monitor_flush(Monitor *mon);
 
diff --git a/qemu-common.h b/qemu-common.h
index 88c5207..81aafa0 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -196,8 +196,7 @@ int qemu_pipe(int pipefd[2]);
 
 /* Error handling.  */
 
-void QEMU_NORETURN hw_error(const char *fmt, ...)
-    __attribute__ ((__format__ (__printf__, 1, 2)));
+void QEMU_NORETURN hw_error(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 
 /* IO callbacks.  */
 typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size);
diff --git a/qemu-error.h b/qemu-error.h
index a45609f..531ec63 100644
--- a/qemu-error.h
+++ b/qemu-error.h
@@ -31,11 +31,10 @@ void loc_set_cmdline(char **argv, int idx, int cnt);
 void loc_set_file(const char *fname, int lno);
 
 void error_vprintf(const char *fmt, va_list ap);
-void error_printf(const char *fmt, ...) __attribute__ ((format(printf, 1, 2)));
-void error_printf_unless_qmp(const char *fmt, ...)
-    __attribute__ ((format(printf, 1, 2)));
+void error_printf(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
+void error_printf_unless_qmp(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 void error_print_loc(void);
 void error_set_progname(const char *argv0);
-void error_report(const char *fmt, ...) __attribute__ ((format(printf, 1, 2)));
+void error_report(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
 
 #endif
diff --git a/qerror.h b/qerror.h
index 62802ea..f2984dd 100644
--- a/qerror.h
+++ b/qerror.h
@@ -38,8 +38,7 @@ QError *qerror_from_info(const char *file, int linenr, const char *func,
 QString *qerror_human(const QError *qerror);
 void qerror_print(QError *qerror);
 void qerror_report_internal(const char *file, int linenr, const char *func,
-                            const char *fmt, ...)
-    __attribute__ ((format(printf, 4, 5)));
+                            const char *fmt, ...) GCC_FMT_ATTR(4, 5);
 #define qerror_report(fmt, ...) \
     qerror_report_internal(__FILE__, __LINE__, __func__, fmt, ## __VA_ARGS__)
 QError *qobject_to_qerror(const QObject *obj);
diff --git a/qjson.h b/qjson.h
index 7afec2e..7eef357 100644
--- a/qjson.h
+++ b/qjson.h
@@ -19,8 +19,7 @@
 #include "qstring.h"
 
 QObject *qobject_from_json(const char *string);
-QObject *qobject_from_jsonf(const char *string, ...)
-    __attribute__((__format__ (__printf__, 1, 2)));
+QObject *qobject_from_jsonf(const char *string, ...) GCC_FMT_ATTR(1, 2);
 QObject *qobject_from_jsonv(const char *string, va_list *ap);
 
 QString *qobject_to_json(const QObject *obj);
commit 4a2b39d3232fea40d3e396a683f27f5e378ae46e
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Mon Sep 20 00:50:48 2010 +0200

    slirp: Silence warning on Haiku
    
    Haiku has O_BINARY in fcntl.h.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Cc: Jan Kiszka <jan.kiszka at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/slirp/slirp.h b/slirp/slirp.h
index 3a5d592..6c7488c 100644
--- a/slirp/slirp.h
+++ b/slirp/slirp.h
@@ -24,7 +24,9 @@ typedef char *caddr_t;
 #else
 # define ioctlsocket ioctl
 # define closesocket(s) close(s)
-# define O_BINARY 0
+# if !defined(__HAIKU__)
+#  define O_BINARY 0
+# endif
 #endif
 
 #include <sys/types.h>
commit 3ee66dfa529e36e0dab130ace2abc94f0bd65156
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Mon Sep 20 00:50:47 2010 +0200

    tap: Add stub for Haiku
    
    Adapted from AIX code.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.objs b/Makefile.objs
index dde3ba9..9c13bb3 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -31,6 +31,7 @@ net-nested-$(CONFIG_WIN32) += tap-win32.o
 net-nested-$(CONFIG_BSD) += tap-bsd.o
 net-nested-$(CONFIG_SOLARIS) += tap-solaris.o
 net-nested-$(CONFIG_AIX) += tap-aix.o
+net-nested-$(CONFIG_HAIKU) += tap-haiku.o
 net-nested-$(CONFIG_SLIRP) += slirp.o
 net-nested-$(CONFIG_VDE) += vde.o
 net-obj-y += $(addprefix net/, $(net-nested-y))
diff --git a/net/tap-haiku.c b/net/tap-haiku.c
new file mode 100644
index 0000000..91dda8e
--- /dev/null
+++ b/net/tap-haiku.c
@@ -0,0 +1,61 @@
+/*
+ * QEMU System Emulator
+ *
+ * Copyright (c) 2003-2008 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "net/tap.h"
+#include <stdio.h>
+
+int tap_open(char *ifname, int ifname_size, int *vnet_hdr, int vnet_hdr_required)
+{
+    fprintf(stderr, "no tap on Haiku\n");
+    return -1;
+}
+
+int tap_set_sndbuf(int fd, QemuOpts *opts)
+{
+    return 0;
+}
+
+int tap_probe_vnet_hdr(int fd)
+{
+    return 0;
+}
+
+int tap_probe_has_ufo(int fd)
+{
+    return 0;
+}
+
+int tap_probe_vnet_hdr_len(int fd, int len)
+{
+    return 0;
+}
+
+void tap_fd_set_vnet_hdr_len(int fd, int len)
+{
+}
+
+void tap_fd_set_offload(int fd, int csum, int tso4,
+                        int tso6, int ecn, int ufo)
+{
+}
commit 5dc2eec957a67fc3250dc437175265636cd36c2a
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Mon Sep 20 00:50:46 2010 +0200

    nbd: Haiku has _IO() in its BSD compatibility layer
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/nbd.c b/nbd.c
index 4bf2eb7..d8ebc42 100644
--- a/nbd.c
+++ b/nbd.c
@@ -23,7 +23,7 @@
 #ifndef _WIN32
 #include <sys/ioctl.h>
 #endif
-#ifdef __sun__
+#if defined(__sun__) || defined(__HAIKU__)
 #include <sys/ioccom.h>
 #endif
 #include <ctype.h>
commit aff447c9164f23d72154a487c6dac9de001d9f63
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Mon Sep 20 00:50:45 2010 +0200

    Haiku doesn't have libm
    
    Math functions are integrated into Haiku's libroot.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile.target b/Makefile.target
index 91d0381..4b2558a 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -31,7 +31,9 @@ endif
 
 PROGS=$(QEMU_PROG)
 
+ifndef CONFIG_HAIKU
 LIBS+=-lm
+endif
 
 kvm.o kvm-all.o vhost.o vhost_net.o: QEMU_CFLAGS+=$(KVM_CFLAGS)
 
commit bd00d539d36520e8a50821b40c72d3f9311c1fc5
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Mon Sep 20 00:50:44 2010 +0200

    configure: Don't rely on special pthreads library
    
    Haiku has pthreads integrated into its libroot.so library. No linker arguments
    are needed for it, so don't fail if -lpthread and similar don't link.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 6b086c5..e0d34fd 100755
--- a/configure
+++ b/configure
@@ -1710,13 +1710,17 @@ cat > $TMPC << EOF
 #include <pthread.h>
 int main(void) { pthread_create(0,0,0,0); return 0; }
 EOF
-for pthread_lib in $PTHREADLIBS_LIST; do
-  if compile_prog "" "$pthread_lib" ; then
-    pthread=yes
-    LIBS="$pthread_lib $LIBS"
-    break
-  fi
-done
+if compile_prog "" "" ; then
+  pthread=yes
+else
+  for pthread_lib in $PTHREADLIBS_LIST; do
+    if compile_prog "" "$pthread_lib" ; then
+      pthread=yes
+      LIBS="$pthread_lib $LIBS"
+      break
+    fi
+  done
+fi
 
 if test "$mingw32" != yes -a "$pthread" = no; then
   echo
commit 179cf40000d91ea69f30b7337fa055a775523bf5
Author: Andreas Färber <andreas.faerber>
Date:   Mon Sep 20 00:50:43 2010 +0200

    configure: Add basic support for Haiku
    
    For compatibility with BeOS, Haiku's error codes are negative whereas recent
    POSIX versions require them to be positive. As spotted by François, some
    parts of QEMU code rely on this, so use a mapper library to convert them
    to positive ones.
    
    Cc: François Revol <revol at free.fr>
    Cc: Ingo Weinhold <ingo_weinhold at gmx.de>
    
    Haiku has network functions in libnetwork.so. It doesn't ship libutil.so.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 8fe4bbe..6b086c5 100755
--- a/configure
+++ b/configure
@@ -319,6 +319,7 @@ io_thread="no"
 mixemu="no"
 kerneldir=""
 aix="no"
+haiku="no"
 blobs="yes"
 pkgversion=""
 check_utests="no"
@@ -336,6 +337,8 @@ elif check_define __OpenBSD__ ; then
   targetos='OpenBSD'
 elif check_define __sun__ ; then
   targetos='SunOS'
+elif check_define __HAIKU__ ; then
+  targetos='Haiku'
 else
   targetos=`uname -s`
 fi
@@ -451,6 +454,11 @@ AIX)
   aix="yes"
   make="gmake"
 ;;
+Haiku)
+  haiku="yes"
+  QEMU_CFLAGS="-DB_USE_POSITIVE_POSIX_ERRORS $QEMU_CFLAGS"
+  LIBS="-lposix_error_mapper -lnetwork $LIBS"
+;;
 *)
   audio_drv_list="oss"
   audio_possible_drivers="oss alsa sdl esd pa"
@@ -2030,7 +2038,7 @@ elif compile_prog "" "-lrt" ; then
 fi
 
 if test "$darwin" != "yes" -a "$mingw32" != "yes" -a "$solaris" != yes -a \
-        "$aix" != "yes" ; then
+        "$aix" != "yes" -a "$haiku" != "yes" ; then
     libs_softmmu="-lutil $libs_softmmu"
 fi
 
@@ -2353,6 +2361,9 @@ if test "$solaris" = "yes" ; then
     echo "CONFIG_NEEDS_LIBSUNMATH=y" >> $config_host_mak
   fi
 fi
+if test "$haiku" = "yes" ; then
+  echo "CONFIG_HAIKU=y" >> $config_host_mak
+fi
 if test "$static" = "yes" ; then
   echo "CONFIG_STATIC=y" >> $config_host_mak
 fi
commit a82cdd58fd9ffa8c651f51de8d855f6baf708681
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Oct 2 14:28:12 2010 +0000

    trace: avoid unnecessary recompilation if nothing changed
    
    Add logic to detect changes in generated files. If the old
    and new files are identical, don't touch the generated file.
    This avoids a lot of churn since many files depend on trace.h.
    
    Based on suggestion by Paolo Bonzini.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index 7c71c83..04ce07d 100644
--- a/Makefile
+++ b/Makefile
@@ -106,11 +106,15 @@ ui/vnc.o: QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 
 bt-host.o: QEMU_CFLAGS += $(BLUEZ_CFLAGS)
 
-trace.h: $(SRC_PATH)/trace-events config-host.mak
-	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   $@")
-
-trace.c: $(SRC_PATH)/trace-events config-host.mak
-	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -c < $< > $@,"  GEN   $@")
+trace.h: trace.h-timestamp
+trace.h-timestamp: $(SRC_PATH)/trace-events config-host.mak
+	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   trace.h")
+	@cmp -s $@ trace.h || cp $@ trace.h
+
+trace.c: trace.c-timestamp
+trace.c-timestamp: $(SRC_PATH)/trace-events config-host.mak
+	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -c < $< > $@,"  GEN   trace.c")
+	@cmp -s $@ trace.c || cp $@ trace.c
 
 trace.o: trace.c $(GENERATED_HEADERS)
 
commit 904fe1fbd10388f384c9930fa2d8a25113b7e7aa
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Oct 2 14:28:08 2010 +0000

    Makefile: fix config-devices.mak generation
    
    The logic of detecting changes in default-configs/*.mak is
    flawed as can be demonstrated by 'touch default-configs/*.mak'
    followed by make. This results in a message claiming that user
    made changes to the */config-devices.mak files.
    
    Fix by separating the detection of changes made by the user and
    changes in the default-configs.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index fca1e7a..7c71c83 100644
--- a/Makefile
+++ b/Makefile
@@ -43,9 +43,11 @@ config-all-devices.mak: $(SUBDIR_DEVICES_MAK)
 %/config-devices.mak: default-configs/%.mak
 	$(call quiet-command,cat $< > $@.tmp, "  GEN   $@")
 	@if test -f $@; then \
-	  if cmp -s $@.old $@ || cmp -s $@ $@.tmp; then \
-	    mv $@.tmp $@; \
-	    cp -p $@ $@.old; \
+	  if cmp -s $@.old $@; then \
+	    if ! cmp -s $@ $@.tmp; then \
+	      mv $@.tmp $@; \
+	      cp -p $@ $@.old; \
+	    fi; \
 	  else \
 	    if test -f $@.old; then \
 	      echo "WARNING: $@ (user modified) out of date.";\
commit 3f7132d1a35040331ae4541f010713b835be75e3
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Oct 2 14:27:41 2010 +0000

    sysbus: fix address truncation
    
    Fix address truncation in sysbus by using a wider type.
    
    Reported-by: Artyom Tarasenko <atar4qemu at googlemail.com>
    Tested-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/sysbus.c b/hw/sysbus.c
index 1f7f138..d817721 100644
--- a/hw/sysbus.c
+++ b/hw/sysbus.c
@@ -82,7 +82,8 @@ void sysbus_pass_irq(SysBusDevice *dev, SysBusDevice *target)
     }
 }
 
-void sysbus_init_mmio(SysBusDevice *dev, target_phys_addr_t size, int iofunc)
+void sysbus_init_mmio(SysBusDevice *dev, target_phys_addr_t size,
+                      ram_addr_t iofunc)
 {
     int n;
 
diff --git a/hw/sysbus.h b/hw/sysbus.h
index 1a8f289..5980901 100644
--- a/hw/sysbus.h
+++ b/hw/sysbus.h
@@ -21,7 +21,7 @@ struct SysBusDevice {
         target_phys_addr_t addr;
         target_phys_addr_t size;
         mmio_mapfunc cb;
-        int iofunc;
+        ram_addr_t iofunc;
     } mmio[QDEV_MAX_MMIO];
 };
 
@@ -39,7 +39,8 @@ typedef struct {
 void sysbus_register_dev(const char *name, size_t size, sysbus_initfn init);
 void sysbus_register_withprop(SysBusDeviceInfo *info);
 void *sysbus_new(void);
-void sysbus_init_mmio(SysBusDevice *dev, target_phys_addr_t size, int iofunc);
+void sysbus_init_mmio(SysBusDevice *dev, target_phys_addr_t size,
+                      ram_addr_t iofunc);
 void sysbus_init_mmio_cb(SysBusDevice *dev, target_phys_addr_t size,
                             mmio_mapfunc cb);
 void sysbus_init_irq(SysBusDevice *dev, qemu_irq *p);
commit 211ecdc0e4226e86c406b0ce91ed355fdde021ab
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sat Oct 2 12:41:03 2010 +0200

    target-cris: Use %td for ptrdiff_t arguments in debug message
    
    According to ISO/IEC 9899:1999 7.19.6.1,
    the correct length modifier for ptrdiff_t is 't', not 'z'.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/translate.c b/target-cris/translate.c
index 45c7682..8361369 100644
--- a/target-cris/translate.c
+++ b/target-cris/translate.c
@@ -3409,7 +3409,7 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 	if (qemu_loglevel_mask(CPU_LOG_TB_IN_ASM)) {
 		log_target_disas(pc_start, dc->pc - pc_start,
                                  dc->env->pregs[PR_VR]);
-		qemu_log("\nisize=%d osize=%zd\n",
+		qemu_log("\nisize=%d osize=%td\n",
 			dc->pc - pc_start, gen_opc_ptr - gen_opc_buf);
 	}
 #endif
commit e6aa0f11edd3251d58bb0e5072aeab9b8713f5c6
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sat Oct 2 12:41:04 2010 +0200

    target-microblaze: Use %td for ptrdiff_t arguments in debug message
    
    According to ISO/IEC 9899:1999 7.19.6.1,
    the correct length modifier for ptrdiff_t is 't', not 'z'.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index 6c305d4..38149bb 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -1516,7 +1516,7 @@ gen_intermediate_code_internal(CPUState *env, TranslationBlock *tb,
 #if DISAS_GNU
         log_target_disas(pc_start, dc->pc - pc_start, 0);
 #endif
-        qemu_log("\nisize=%d osize=%zd\n",
+        qemu_log("\nisize=%d osize=%td\n",
             dc->pc - pc_start, gen_opc_ptr - gen_opc_buf);
     }
 #endif
commit 3b2e3dc939f289323a3f83b1ad64faa0865bf42b
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Oct 2 13:04:49 2010 +0200

    virtex: Add braces
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/virtex_ml507.c b/hw/virtex_ml507.c
index 2af3b81..c5bbeda 100644
--- a/hw/virtex_ml507.c
+++ b/hw/virtex_ml507.c
@@ -157,8 +157,9 @@ static int xilinx_load_device_tree(target_phys_addr_t addr,
             fdt = load_device_tree(path, &fdt_size);
             qemu_free(path);
         }
-        if (!fdt)
+        if (!fdt) {
             return 0;
+        }
     }
 
     r = qemu_devtree_setprop_string(fdt, "/chosen", "bootargs", kernel_cmdline);
commit c3fe515c911b9828d6e3e659ac794cb7dc76cd66
Author: Max Asbock <masbock at linux.vnet.ibm.com>
Date:   Fri Oct 1 09:52:25 2010 +0800

    p2v monitor command: translate guest physical address to host virtual address
    
    Add command p2v to translate guest physical address to host virtual
    address.
    
    The p2v command provides one step in a chain of translations from
    guest virtual to guest physical to host virtual to host physical. Host
    physical is then used to inject a machine check error. As a
    consequence the HWPOISON code on the host and the MCE injection code
    in qemu-kvm are exercised.
    
    Signed-off-by: Max Asbock <masbock at linux.vnet.ibm.com>
    Signed-off-by: Jiajia Zheng <jiajia.zheng at intel.com>
    Signed-off-by: Huang Ying <ying.huang at intel.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/monitor.c b/monitor.c
index 9072c06..df0cb33 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2301,6 +2301,18 @@ static void do_inject_mce(Monitor *mon, const QDict *qdict)
 }
 #endif
 
+static void do_p2v(Monitor *mon, const QDict *qdict)
+{
+    target_phys_addr_t size = TARGET_PAGE_SIZE;
+    target_phys_addr_t addr = qdict_get_int(qdict, "addr");
+    void *vaddr;
+
+    vaddr = cpu_physical_memory_map(addr, &size, 0);
+    monitor_printf(mon, "Guest physical address %p is mapped at "
+                   "host virtual address %p\n", (void *)addr, vaddr);
+    cpu_physical_memory_unmap(vaddr, size, 0, 0);
+}
+
 static int do_getfd(Monitor *mon, const QDict *qdict, QObject **ret_data)
 {
     const char *fdname = qdict_get_str(qdict, "fdname");
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index 620f937..2698a42 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -459,6 +459,19 @@ Start gdbserver session (default @var{port}=1234)
 ETEXI
 
     {
+        .name       = "p2v",
+        .args_type  = "fmt:/,addr:l",
+        .params     = "/fmt addr",
+        .help       = "translate guest physical 'addr' to host virtual address",
+        .mhandler.cmd = do_p2v,
+    },
+STEXI
+ at item p2v @var{addr}
+ at findex mce
+Translate guest physical @var{addr} to host virtual address.
+ETEXI
+
+    {
         .name       = "x",
         .args_type  = "fmt:/,addr:l",
         .params     = "/fmt addr",
commit a18b2ce2ed9dc747c2ebab5a220517624e4ff3df
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Fri Sep 10 14:05:23 2010 -0300

    QMP/README: Update QMP homepage address
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/QMP/README b/QMP/README
index 7e2b51a..80503f2 100644
--- a/QMP/README
+++ b/QMP/README
@@ -88,4 +88,4 @@ doing any code change. This is so because:
 Homepage
 --------
 
-http://www.linux-kvm.org/page/MonitorProtocol
+http://wiki.qemu.org/QMP
commit acd0a09337c51d1cd6861f68add45e94361c8974
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 30 16:00:22 2010 -0300

    Monitor: Rename the qemu-monitor.hx file
    
    Let's be consistent and call it hmp-commands.hx, so that we have
    qmp-commands.hx for QMP and hmp-commands.hx for HMP.
    
    Please, note that this commit doesn't touch qemu-monitor.texi. All
    texi files have the qemu- prefix and I don't think it's worth
    changing that.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/Makefile b/Makefile
index 938d88b..3f42fe2 100644
--- a/Makefile
+++ b/Makefile
@@ -249,7 +249,7 @@ TEXIFLAG=$(if $(V),,--quiet)
 qemu-options.texi: $(SRC_PATH)/qemu-options.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -t < $< > $@,"  GEN   $@")
 
-qemu-monitor.texi: $(SRC_PATH)/qemu-monitor.hx
+qemu-monitor.texi: $(SRC_PATH)/hmp-commands.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -t < $< > $@,"  GEN   $@")
 
 QMP/qmp-commands.txt: $(SRC_PATH)/qmp-commands.hx
diff --git a/Makefile.target b/Makefile.target
index 3a1fa7e..518ea27 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -307,7 +307,7 @@ obj-alpha-y = alpha_palcode.o
 
 main.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
-monitor.o: qemu-monitor.h qmp-commands.h
+monitor.o: hmp-commands.h qmp-commands.h
 
 $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
 
@@ -328,7 +328,7 @@ $(QEMU_PROG): $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y)
 gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/feature_to_c.sh
 	$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/feature_to_c.sh $@ $(TARGET_XML_FILES),"  GEN   $(TARGET_DIR)$@")
 
-qemu-monitor.h: $(SRC_PATH)/qemu-monitor.hx
+hmp-commands.h: $(SRC_PATH)/hmp-commands.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
 
 qmp-commands.h: $(SRC_PATH)/qmp-commands.hx
@@ -337,7 +337,7 @@ qmp-commands.h: $(SRC_PATH)/qmp-commands.hx
 clean:
 	rm -f *.o *.a *~ $(PROGS) nwfpe/*.o fpu/*.o
 	rm -f *.d */*.d tcg/*.o ide/*.o
-	rm -f qemu-monitor.h qmp-commands.h gdbstub-xml.c
+	rm -f hmp-commands.h qmp-commands.h gdbstub-xml.c
 
 install: all
 ifneq ($(PROGS),)
diff --git a/hmp-commands.hx b/hmp-commands.hx
new file mode 100644
index 0000000..81999aa
--- /dev/null
+++ b/hmp-commands.hx
@@ -0,0 +1,1216 @@
+HXCOMM Use DEFHEADING() to define headings in both help text and texi
+HXCOMM Text between STEXI and ETEXI are copied to texi version and
+HXCOMM discarded from C version
+HXCOMM DEF(command, args, callback, arg_string, help) is used to construct
+HXCOMM monitor commands
+HXCOMM HXCOMM can be used for comments, discarded from both texi and C
+
+STEXI
+ at table @option
+ETEXI
+
+    {
+        .name       = "help|?",
+        .args_type  = "name:s?",
+        .params     = "[cmd]",
+        .help       = "show the help",
+        .mhandler.cmd = do_help_cmd,
+    },
+
+STEXI
+ at item help or ? [@var{cmd}]
+ at findex help
+Show the help for all commands or just for command @var{cmd}.
+ETEXI
+
+    {
+        .name       = "commit",
+        .args_type  = "device:B",
+        .params     = "device|all",
+        .help       = "commit changes to the disk images (if -snapshot is used) or backing files",
+        .mhandler.cmd = do_commit,
+    },
+
+STEXI
+ at item commit
+ at findex commit
+Commit changes to the disk images (if -snapshot is used) or backing files.
+ETEXI
+
+    {
+        .name       = "q|quit",
+        .args_type  = "",
+        .params     = "",
+        .help       = "quit the emulator",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_quit,
+    },
+
+STEXI
+ at item q or quit
+ at findex quit
+Quit the emulator.
+ETEXI
+
+    {
+        .name       = "eject",
+        .args_type  = "force:-f,device:B",
+        .params     = "[-f] device",
+        .help       = "eject a removable medium (use -f to force it)",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_eject,
+    },
+
+STEXI
+ at item eject [-f] @var{device}
+ at findex eject
+Eject a removable medium (use -f to force it).
+ETEXI
+
+    {
+        .name       = "change",
+        .args_type  = "device:B,target:F,arg:s?",
+        .params     = "device filename [format]",
+        .help       = "change a removable medium, optional format",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_change,
+    },
+
+STEXI
+ at item change @var{device} @var{setting}
+ at findex change
+
+Change the configuration of a device.
+
+ at table @option
+ at item change @var{diskdevice} @var{filename} [@var{format}]
+Change the medium for a removable disk device to point to @var{filename}. eg
+
+ at example
+(qemu) change ide1-cd0 /path/to/some.iso
+ at end example
+
+ at var{format} is optional.
+
+ at item change vnc @var{display}, at var{options}
+Change the configuration of the VNC server. The valid syntax for @var{display}
+and @var{options} are described at @ref{sec_invocation}. eg
+
+ at example
+(qemu) change vnc localhost:1
+ at end example
+
+ at item change vnc password [@var{password}]
+
+Change the password associated with the VNC server. If the new password is not
+supplied, the monitor will prompt for it to be entered. VNC passwords are only
+significant up to 8 letters. eg
+
+ at example
+(qemu) change vnc password
+Password: ********
+ at end example
+
+ at end table
+ETEXI
+
+    {
+        .name       = "screendump",
+        .args_type  = "filename:F",
+        .params     = "filename",
+        .help       = "save screen into PPM image 'filename'",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_screen_dump,
+    },
+
+STEXI
+ at item screendump @var{filename}
+ at findex screendump
+Save screen into PPM image @var{filename}.
+ETEXI
+
+    {
+        .name       = "logfile",
+        .args_type  = "filename:F",
+        .params     = "filename",
+        .help       = "output logs to 'filename'",
+        .mhandler.cmd = do_logfile,
+    },
+
+STEXI
+ at item logfile @var{filename}
+ at findex logfile
+Output logs to @var{filename}.
+ETEXI
+
+#ifdef CONFIG_SIMPLE_TRACE
+    {
+        .name       = "trace-event",
+        .args_type  = "name:s,option:b",
+        .params     = "name on|off",
+        .help       = "changes status of a specific trace event",
+        .mhandler.cmd = do_change_trace_event_state,
+    },
+
+STEXI
+ at item trace-event
+ at findex trace-event
+changes status of a trace event
+ETEXI
+
+    {
+        .name       = "trace-file",
+        .args_type  = "op:s?,arg:F?",
+        .params     = "on|off|flush|set [arg]",
+        .help       = "open, close, or flush trace file, or set a new file name",
+        .mhandler.cmd = do_trace_file,
+    },
+
+STEXI
+ at item trace-file on|off|flush
+ at findex trace-file
+Open, close, or flush the trace file.  If no argument is given, the status of the trace file is displayed.
+ETEXI
+#endif
+
+    {
+        .name       = "log",
+        .args_type  = "items:s",
+        .params     = "item1[,...]",
+        .help       = "activate logging of the specified items to '/tmp/qemu.log'",
+        .mhandler.cmd = do_log,
+    },
+
+STEXI
+ at item log @var{item1}[,...]
+ at findex log
+Activate logging of the specified items to @file{/tmp/qemu.log}.
+ETEXI
+
+    {
+        .name       = "savevm",
+        .args_type  = "name:s?",
+        .params     = "[tag|id]",
+        .help       = "save a VM snapshot. If no tag or id are provided, a new snapshot is created",
+        .mhandler.cmd = do_savevm,
+    },
+
+STEXI
+ at item savevm [@var{tag}|@var{id}]
+ at findex savevm
+Create a snapshot of the whole virtual machine. If @var{tag} is
+provided, it is used as human readable identifier. If there is already
+a snapshot with the same tag or ID, it is replaced. More info at
+ at ref{vm_snapshots}.
+ETEXI
+
+    {
+        .name       = "loadvm",
+        .args_type  = "name:s",
+        .params     = "tag|id",
+        .help       = "restore a VM snapshot from its tag or id",
+        .mhandler.cmd = do_loadvm,
+    },
+
+STEXI
+ at item loadvm @var{tag}|@var{id}
+ at findex loadvm
+Set the whole virtual machine to the snapshot identified by the tag
+ at var{tag} or the unique snapshot ID @var{id}.
+ETEXI
+
+    {
+        .name       = "delvm",
+        .args_type  = "name:s",
+        .params     = "tag|id",
+        .help       = "delete a VM snapshot from its tag or id",
+        .mhandler.cmd = do_delvm,
+    },
+
+STEXI
+ at item delvm @var{tag}|@var{id}
+ at findex delvm
+Delete the snapshot identified by @var{tag} or @var{id}.
+ETEXI
+
+    {
+        .name       = "singlestep",
+        .args_type  = "option:s?",
+        .params     = "[on|off]",
+        .help       = "run emulation in singlestep mode or switch to normal mode",
+        .mhandler.cmd = do_singlestep,
+    },
+
+STEXI
+ at item singlestep [off]
+ at findex singlestep
+Run the emulation in single step mode.
+If called with option off, the emulation returns to normal mode.
+ETEXI
+
+    {
+        .name       = "stop",
+        .args_type  = "",
+        .params     = "",
+        .help       = "stop emulation",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_stop,
+    },
+
+STEXI
+ at item stop
+ at findex stop
+Stop emulation.
+ETEXI
+
+    {
+        .name       = "c|cont",
+        .args_type  = "",
+        .params     = "",
+        .help       = "resume emulation",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_cont,
+    },
+
+STEXI
+ at item c or cont
+ at findex cont
+Resume emulation.
+ETEXI
+
+    {
+        .name       = "gdbserver",
+        .args_type  = "device:s?",
+        .params     = "[device]",
+        .help       = "start gdbserver on given device (default 'tcp::1234'), stop with 'none'",
+        .mhandler.cmd = do_gdbserver,
+    },
+
+STEXI
+ at item gdbserver [@var{port}]
+ at findex gdbserver
+Start gdbserver session (default @var{port}=1234)
+ETEXI
+
+    {
+        .name       = "x",
+        .args_type  = "fmt:/,addr:l",
+        .params     = "/fmt addr",
+        .help       = "virtual memory dump starting at 'addr'",
+        .mhandler.cmd = do_memory_dump,
+    },
+
+STEXI
+ at item x/fmt @var{addr}
+ at findex x
+Virtual memory dump starting at @var{addr}.
+ETEXI
+
+    {
+        .name       = "xp",
+        .args_type  = "fmt:/,addr:l",
+        .params     = "/fmt addr",
+        .help       = "physical memory dump starting at 'addr'",
+        .mhandler.cmd = do_physical_memory_dump,
+    },
+
+STEXI
+ at item xp /@var{fmt} @var{addr}
+ at findex xp
+Physical memory dump starting at @var{addr}.
+
+ at var{fmt} is a format which tells the command how to format the
+data. Its syntax is: @option{/@{count@}@{format@}@{size@}}
+
+ at table @var
+ at item count
+is the number of items to be dumped.
+
+ at item format
+can be x (hex), d (signed decimal), u (unsigned decimal), o (octal),
+c (char) or i (asm instruction).
+
+ at item size
+can be b (8 bits), h (16 bits), w (32 bits) or g (64 bits). On x86,
+ at code{h} or @code{w} can be specified with the @code{i} format to
+respectively select 16 or 32 bit code instruction size.
+
+ at end table
+
+Examples:
+ at itemize
+ at item
+Dump 10 instructions at the current instruction pointer:
+ at example
+(qemu) x/10i $eip
+0x90107063:  ret
+0x90107064:  sti
+0x90107065:  lea    0x0(%esi,1),%esi
+0x90107069:  lea    0x0(%edi,1),%edi
+0x90107070:  ret
+0x90107071:  jmp    0x90107080
+0x90107073:  nop
+0x90107074:  nop
+0x90107075:  nop
+0x90107076:  nop
+ at end example
+
+ at item
+Dump 80 16 bit values at the start of the video memory.
+ at smallexample
+(qemu) xp/80hx 0xb8000
+0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42
+0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41
+0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72
+0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73
+0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20
+0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720
+0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
+ at end smallexample
+ at end itemize
+ETEXI
+
+    {
+        .name       = "p|print",
+        .args_type  = "fmt:/,val:l",
+        .params     = "/fmt expr",
+        .help       = "print expression value (use $reg for CPU register access)",
+        .mhandler.cmd = do_print,
+    },
+
+STEXI
+ at item p or print/@var{fmt} @var{expr}
+ at findex print
+
+Print expression value. Only the @var{format} part of @var{fmt} is
+used.
+ETEXI
+
+    {
+        .name       = "i",
+        .args_type  = "fmt:/,addr:i,index:i.",
+        .params     = "/fmt addr",
+        .help       = "I/O port read",
+        .mhandler.cmd = do_ioport_read,
+    },
+
+STEXI
+Read I/O port.
+ETEXI
+
+    {
+        .name       = "o",
+        .args_type  = "fmt:/,addr:i,val:i",
+        .params     = "/fmt addr value",
+        .help       = "I/O port write",
+        .mhandler.cmd = do_ioport_write,
+    },
+
+STEXI
+Write to I/O port.
+ETEXI
+
+    {
+        .name       = "sendkey",
+        .args_type  = "string:s,hold_time:i?",
+        .params     = "keys [hold_ms]",
+        .help       = "send keys to the VM (e.g. 'sendkey ctrl-alt-f1', default hold time=100 ms)",
+        .mhandler.cmd = do_sendkey,
+    },
+
+STEXI
+ at item sendkey @var{keys}
+ at findex sendkey
+
+Send @var{keys} to the emulator. @var{keys} could be the name of the
+key or @code{#} followed by the raw value in either decimal or hexadecimal
+format. Use @code{-} to press several keys simultaneously. Example:
+ at example
+sendkey ctrl-alt-f1
+ at end example
+
+This command is useful to send keys that your graphical user interface
+intercepts at low level, such as @code{ctrl-alt-f1} in X Window.
+ETEXI
+
+    {
+        .name       = "system_reset",
+        .args_type  = "",
+        .params     = "",
+        .help       = "reset the system",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_system_reset,
+    },
+
+STEXI
+ at item system_reset
+ at findex system_reset
+
+Reset the system.
+ETEXI
+
+    {
+        .name       = "system_powerdown",
+        .args_type  = "",
+        .params     = "",
+        .help       = "send system power down event",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_system_powerdown,
+    },
+
+STEXI
+ at item system_powerdown
+ at findex system_powerdown
+
+Power down the system (if supported).
+ETEXI
+
+    {
+        .name       = "sum",
+        .args_type  = "start:i,size:i",
+        .params     = "addr size",
+        .help       = "compute the checksum of a memory region",
+        .mhandler.cmd = do_sum,
+    },
+
+STEXI
+ at item sum @var{addr} @var{size}
+ at findex sum
+
+Compute the checksum of a memory region.
+ETEXI
+
+    {
+        .name       = "usb_add",
+        .args_type  = "devname:s",
+        .params     = "device",
+        .help       = "add USB device (e.g. 'host:bus.addr' or 'host:vendor_id:product_id')",
+        .mhandler.cmd = do_usb_add,
+    },
+
+STEXI
+ at item usb_add @var{devname}
+ at findex usb_add
+
+Add the USB device @var{devname}.  For details of available devices see
+ at ref{usb_devices}
+ETEXI
+
+    {
+        .name       = "usb_del",
+        .args_type  = "devname:s",
+        .params     = "device",
+        .help       = "remove USB device 'bus.addr'",
+        .mhandler.cmd = do_usb_del,
+    },
+
+STEXI
+ at item usb_del @var{devname}
+ at findex usb_del
+
+Remove the USB device @var{devname} from the QEMU virtual USB
+hub. @var{devname} has the syntax @code{bus.addr}. Use the monitor
+command @code{info usb} to see the devices you can remove.
+ETEXI
+
+    {
+        .name       = "device_add",
+        .args_type  = "device:O",
+        .params     = "driver[,prop=value][,...]",
+        .help       = "add device, like -device on the command line",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_device_add,
+    },
+
+STEXI
+ at item device_add @var{config}
+ at findex device_add
+
+Add device.
+ETEXI
+
+    {
+        .name       = "device_del",
+        .args_type  = "id:s",
+        .params     = "device",
+        .help       = "remove device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_device_del,
+    },
+
+STEXI
+ at item device_del @var{id}
+ at findex device_del
+
+Remove device @var{id}.
+ETEXI
+
+    {
+        .name       = "cpu",
+        .args_type  = "index:i",
+        .params     = "index",
+        .help       = "set the default CPU",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_cpu_set,
+    },
+
+STEXI
+ at item cpu @var{index}
+ at findex cpu
+Set the default CPU.
+ETEXI
+
+    {
+        .name       = "mouse_move",
+        .args_type  = "dx_str:s,dy_str:s,dz_str:s?",
+        .params     = "dx dy [dz]",
+        .help       = "send mouse move events",
+        .mhandler.cmd = do_mouse_move,
+    },
+
+STEXI
+ at item mouse_move @var{dx} @var{dy} [@var{dz}]
+ at findex mouse_move
+Move the active mouse to the specified coordinates @var{dx} @var{dy}
+with optional scroll axis @var{dz}.
+ETEXI
+
+    {
+        .name       = "mouse_button",
+        .args_type  = "button_state:i",
+        .params     = "state",
+        .help       = "change mouse button state (1=L, 2=M, 4=R)",
+        .mhandler.cmd = do_mouse_button,
+    },
+
+STEXI
+ at item mouse_button @var{val}
+ at findex mouse_button
+Change the active mouse button state @var{val} (1=L, 2=M, 4=R).
+ETEXI
+
+    {
+        .name       = "mouse_set",
+        .args_type  = "index:i",
+        .params     = "index",
+        .help       = "set which mouse device receives events",
+        .mhandler.cmd = do_mouse_set,
+    },
+
+STEXI
+ at item mouse_set @var{index}
+ at findex mouse_set
+Set which mouse device receives events at given @var{index}, index
+can be obtained with
+ at example
+info mice
+ at end example
+ETEXI
+
+#ifdef HAS_AUDIO
+    {
+        .name       = "wavcapture",
+        .args_type  = "path:F,freq:i?,bits:i?,nchannels:i?",
+        .params     = "path [frequency [bits [channels]]]",
+        .help       = "capture audio to a wave file (default frequency=44100 bits=16 channels=2)",
+        .mhandler.cmd = do_wav_capture,
+    },
+#endif
+STEXI
+ at item wavcapture @var{filename} [@var{frequency} [@var{bits} [@var{channels}]]]
+ at findex wavcapture
+Capture audio into @var{filename}. Using sample rate @var{frequency}
+bits per sample @var{bits} and number of channels @var{channels}.
+
+Defaults:
+ at itemize @minus
+ at item Sample rate = 44100 Hz - CD quality
+ at item Bits = 16
+ at item Number of channels = 2 - Stereo
+ at end itemize
+ETEXI
+
+#ifdef HAS_AUDIO
+    {
+        .name       = "stopcapture",
+        .args_type  = "n:i",
+        .params     = "capture index",
+        .help       = "stop capture",
+        .mhandler.cmd = do_stop_capture,
+    },
+#endif
+STEXI
+ at item stopcapture @var{index}
+ at findex stopcapture
+Stop capture with a given @var{index}, index can be obtained with
+ at example
+info capture
+ at end example
+ETEXI
+
+    {
+        .name       = "memsave",
+        .args_type  = "val:l,size:i,filename:s",
+        .params     = "addr size file",
+        .help       = "save to disk virtual memory dump starting at 'addr' of size 'size'",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_memory_save,
+    },
+
+STEXI
+ at item memsave @var{addr} @var{size} @var{file}
+ at findex memsave
+save to disk virtual memory dump starting at @var{addr} of size @var{size}.
+ETEXI
+
+    {
+        .name       = "pmemsave",
+        .args_type  = "val:l,size:i,filename:s",
+        .params     = "addr size file",
+        .help       = "save to disk physical memory dump starting at 'addr' of size 'size'",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_physical_memory_save,
+    },
+
+STEXI
+ at item pmemsave @var{addr} @var{size} @var{file}
+ at findex pmemsave
+save to disk physical memory dump starting at @var{addr} of size @var{size}.
+ETEXI
+
+    {
+        .name       = "boot_set",
+        .args_type  = "bootdevice:s",
+        .params     = "bootdevice",
+        .help       = "define new values for the boot device list",
+        .mhandler.cmd = do_boot_set,
+    },
+
+STEXI
+ at item boot_set @var{bootdevicelist}
+ at findex boot_set
+
+Define new values for the boot device list. Those values will override
+the values specified on the command line through the @code{-boot} option.
+
+The values that can be specified here depend on the machine type, but are
+the same that can be specified in the @code{-boot} command line option.
+ETEXI
+
+#if defined(TARGET_I386)
+    {
+        .name       = "nmi",
+        .args_type  = "cpu_index:i",
+        .params     = "cpu",
+        .help       = "inject an NMI on the given CPU",
+        .mhandler.cmd = do_inject_nmi,
+    },
+#endif
+STEXI
+ at item nmi @var{cpu}
+ at findex nmi
+Inject an NMI on the given CPU (x86 only).
+ETEXI
+
+    {
+        .name       = "migrate",
+        .args_type  = "detach:-d,blk:-b,inc:-i,uri:s",
+        .params     = "[-d] [-b] [-i] uri",
+        .help       = "migrate to URI (using -d to not wait for completion)"
+		      "\n\t\t\t -b for migration without shared storage with"
+		      " full copy of disk\n\t\t\t -i for migration without "
+		      "shared storage with incremental copy of disk "
+		      "(base image shared between src and destination)",
+        .user_print = monitor_user_noop,	
+	.mhandler.cmd_new = do_migrate,
+    },
+
+
+STEXI
+ at item migrate [-d] [-b] [-i] @var{uri}
+ at findex migrate
+Migrate to @var{uri} (using -d to not wait for completion).
+	-b for migration with full copy of disk
+	-i for migration with incremental copy of disk (base image is shared)
+ETEXI
+
+    {
+        .name       = "migrate_cancel",
+        .args_type  = "",
+        .params     = "",
+        .help       = "cancel the current VM migration",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_migrate_cancel,
+    },
+
+STEXI
+ at item migrate_cancel
+ at findex migrate_cancel
+Cancel the current VM migration.
+ETEXI
+
+    {
+        .name       = "migrate_set_speed",
+        .args_type  = "value:f",
+        .params     = "value",
+        .help       = "set maximum speed (in bytes) for migrations",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_migrate_set_speed,
+    },
+
+STEXI
+ at item migrate_set_speed @var{value}
+ at findex migrate_set_speed
+Set maximum speed to @var{value} (in bytes) for migrations.
+ETEXI
+
+    {
+        .name       = "migrate_set_downtime",
+        .args_type  = "value:T",
+        .params     = "value",
+        .help       = "set maximum tolerated downtime (in seconds) for migrations",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_migrate_set_downtime,
+    },
+
+STEXI
+ at item migrate_set_downtime @var{second}
+ at findex migrate_set_downtime
+Set maximum tolerated downtime (in seconds) for migration.
+ETEXI
+
+#if defined(TARGET_I386)
+    {
+        .name       = "drive_add",
+        .args_type  = "pci_addr:s,opts:s",
+        .params     = "[[<domain>:]<bus>:]<slot>\n"
+                      "[file=file][,if=type][,bus=n]\n"
+                      "[,unit=m][,media=d][index=i]\n"
+                      "[,cyls=c,heads=h,secs=s[,trans=t]]\n"
+                      "[snapshot=on|off][,cache=on|off]",
+        .help       = "add drive to PCI storage controller",
+        .mhandler.cmd = drive_hot_add,
+    },
+#endif
+
+STEXI
+ at item drive_add
+ at findex drive_add
+Add drive to PCI storage controller.
+ETEXI
+
+#if defined(TARGET_I386)
+    {
+        .name       = "pci_add",
+        .args_type  = "pci_addr:s,type:s,opts:s?",
+        .params     = "auto|[[<domain>:]<bus>:]<slot> nic|storage [[vlan=n][,macaddr=addr][,model=type]] [file=file][,if=type][,bus=nr]...",
+        .help       = "hot-add PCI device",
+        .mhandler.cmd = pci_device_hot_add,
+    },
+#endif
+
+STEXI
+ at item pci_add
+ at findex pci_add
+Hot-add PCI device.
+ETEXI
+
+#if defined(TARGET_I386)
+    {
+        .name       = "pci_del",
+        .args_type  = "pci_addr:s",
+        .params     = "[[<domain>:]<bus>:]<slot>",
+        .help       = "hot remove PCI device",
+        .mhandler.cmd = do_pci_device_hot_remove,
+    },
+#endif
+
+STEXI
+ at item pci_del
+ at findex pci_del
+Hot remove PCI device.
+ETEXI
+
+    {
+        .name       = "host_net_add",
+        .args_type  = "device:s,opts:s?",
+        .params     = "tap|user|socket|vde|dump [options]",
+        .help       = "add host VLAN client",
+        .mhandler.cmd = net_host_device_add,
+    },
+
+STEXI
+ at item host_net_add
+ at findex host_net_add
+Add host VLAN client.
+ETEXI
+
+    {
+        .name       = "host_net_remove",
+        .args_type  = "vlan_id:i,device:s",
+        .params     = "vlan_id name",
+        .help       = "remove host VLAN client",
+        .mhandler.cmd = net_host_device_remove,
+    },
+
+STEXI
+ at item host_net_remove
+ at findex host_net_remove
+Remove host VLAN client.
+ETEXI
+
+    {
+        .name       = "netdev_add",
+        .args_type  = "netdev:O",
+        .params     = "[user|tap|socket],id=str[,prop=value][,...]",
+        .help       = "add host network device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_netdev_add,
+    },
+
+STEXI
+ at item netdev_add
+ at findex netdev_add
+Add host network device.
+ETEXI
+
+    {
+        .name       = "netdev_del",
+        .args_type  = "id:s",
+        .params     = "id",
+        .help       = "remove host network device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_netdev_del,
+    },
+
+STEXI
+ at item netdev_del
+ at findex netdev_del
+Remove host network device.
+ETEXI
+
+#ifdef CONFIG_SLIRP
+    {
+        .name       = "hostfwd_add",
+        .args_type  = "arg1:s,arg2:s?,arg3:s?",
+        .params     = "[vlan_id name] [tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport",
+        .help       = "redirect TCP or UDP connections from host to guest (requires -net user)",
+        .mhandler.cmd = net_slirp_hostfwd_add,
+    },
+#endif
+STEXI
+ at item hostfwd_add
+ at findex hostfwd_add
+Redirect TCP or UDP connections from host to guest (requires -net user).
+ETEXI
+
+#ifdef CONFIG_SLIRP
+    {
+        .name       = "hostfwd_remove",
+        .args_type  = "arg1:s,arg2:s?,arg3:s?",
+        .params     = "[vlan_id name] [tcp|udp]:[hostaddr]:hostport",
+        .help       = "remove host-to-guest TCP or UDP redirection",
+        .mhandler.cmd = net_slirp_hostfwd_remove,
+    },
+
+#endif
+STEXI
+ at item hostfwd_remove
+ at findex hostfwd_remove
+Remove host-to-guest TCP or UDP redirection.
+ETEXI
+
+    {
+        .name       = "balloon",
+        .args_type  = "value:M",
+        .params     = "target",
+        .help       = "request VM to change its memory allocation (in MB)",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_async = do_balloon,
+        .flags      = MONITOR_CMD_ASYNC,
+    },
+
+STEXI
+ at item balloon @var{value}
+ at findex balloon
+Request VM to change its memory allocation to @var{value} (in MB).
+ETEXI
+
+    {
+        .name       = "set_link",
+        .args_type  = "name:s,up:b",
+        .params     = "name on|off",
+        .help       = "change the link status of a network adapter",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_set_link,
+    },
+
+STEXI
+ at item set_link @var{name} [on|off]
+ at findex set_link
+Switch link @var{name} on (i.e. up) or off (i.e. down).
+ETEXI
+
+    {
+        .name       = "watchdog_action",
+        .args_type  = "action:s",
+        .params     = "[reset|shutdown|poweroff|pause|debug|none]",
+        .help       = "change watchdog action",
+        .mhandler.cmd = do_watchdog_action,
+    },
+
+STEXI
+ at item watchdog_action
+ at findex watchdog_action
+Change watchdog action.
+ETEXI
+
+    {
+        .name       = "acl_show",
+        .args_type  = "aclname:s",
+        .params     = "aclname",
+        .help       = "list rules in the access control list",
+        .mhandler.cmd = do_acl_show,
+    },
+
+STEXI
+ at item acl_show @var{aclname}
+ at findex acl_show
+List all the matching rules in the access control list, and the default
+policy. There are currently two named access control lists,
+ at var{vnc.x509dname} and @var{vnc.username} matching on the x509 client
+certificate distinguished name, and SASL username respectively.
+ETEXI
+
+    {
+        .name       = "acl_policy",
+        .args_type  = "aclname:s,policy:s",
+        .params     = "aclname allow|deny",
+        .help       = "set default access control list policy",
+        .mhandler.cmd = do_acl_policy,
+    },
+
+STEXI
+ at item acl_policy @var{aclname} @code{allow|deny}
+ at findex acl_policy
+Set the default access control list policy, used in the event that
+none of the explicit rules match. The default policy at startup is
+always @code{deny}.
+ETEXI
+
+    {
+        .name       = "acl_add",
+        .args_type  = "aclname:s,match:s,policy:s,index:i?",
+        .params     = "aclname match allow|deny [index]",
+        .help       = "add a match rule to the access control list",
+        .mhandler.cmd = do_acl_add,
+    },
+
+STEXI
+ at item acl_add @var{aclname} @var{match} @code{allow|deny} [@var{index}]
+ at findex acl_add
+Add a match rule to the access control list, allowing or denying access.
+The match will normally be an exact username or x509 distinguished name,
+but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to
+allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will
+normally be appended to the end of the ACL, but can be inserted
+earlier in the list if the optional @var{index} parameter is supplied.
+ETEXI
+
+    {
+        .name       = "acl_remove",
+        .args_type  = "aclname:s,match:s",
+        .params     = "aclname match",
+        .help       = "remove a match rule from the access control list",
+        .mhandler.cmd = do_acl_remove,
+    },
+
+STEXI
+ at item acl_remove @var{aclname} @var{match}
+ at findex acl_remove
+Remove the specified match rule from the access control list.
+ETEXI
+
+    {
+        .name       = "acl_reset",
+        .args_type  = "aclname:s",
+        .params     = "aclname",
+        .help       = "reset the access control list",
+        .mhandler.cmd = do_acl_reset,
+    },
+
+STEXI
+ at item acl_reset @var{aclname}
+ at findex acl_reset
+Remove all matches from the access control list, and set the default
+policy back to @code{deny}.
+ETEXI
+
+#if defined(TARGET_I386)
+
+    {
+        .name       = "mce",
+        .args_type  = "cpu_index:i,bank:i,status:l,mcg_status:l,addr:l,misc:l",
+        .params     = "cpu bank status mcgstatus addr misc",
+        .help       = "inject a MCE on the given CPU",
+        .mhandler.cmd = do_inject_mce,
+    },
+
+#endif
+STEXI
+ at item mce @var{cpu} @var{bank} @var{status} @var{mcgstatus} @var{addr} @var{misc}
+ at findex mce (x86)
+Inject an MCE on the given CPU (x86 only).
+ETEXI
+
+    {
+        .name       = "getfd",
+        .args_type  = "fdname:s",
+        .params     = "getfd name",
+        .help       = "receive a file descriptor via SCM rights and assign it a name",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_getfd,
+    },
+
+STEXI
+ at item getfd @var{fdname}
+ at findex getfd
+If a file descriptor is passed alongside this command using the SCM_RIGHTS
+mechanism on unix sockets, it is stored using the name @var{fdname} for
+later use by other monitor commands.
+ETEXI
+
+    {
+        .name       = "closefd",
+        .args_type  = "fdname:s",
+        .params     = "closefd name",
+        .help       = "close a file descriptor previously passed via SCM rights",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_closefd,
+    },
+
+STEXI
+ at item closefd @var{fdname}
+ at findex closefd
+Close the file descriptor previously assigned to @var{fdname} using the
+ at code{getfd} command. This is only needed if the file descriptor was never
+used by another monitor command.
+ETEXI
+
+    {
+        .name       = "block_passwd",
+        .args_type  = "device:B,password:s",
+        .params     = "block_passwd device password",
+        .help       = "set the password of encrypted block devices",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_block_set_passwd,
+    },
+
+STEXI
+ at item block_passwd @var{device} @var{password}
+ at findex block_passwd
+Set the encrypted device @var{device} password to @var{password}
+ETEXI
+
+    {
+        .name       = "info",
+        .args_type  = "item:s?",
+        .params     = "[subcommand]",
+        .help       = "show various information about the system state",
+        .mhandler.cmd = do_info,
+    },
+
+STEXI
+ at item info @var{subcommand}
+ at findex info
+Show various information about the system state.
+
+ at table @option
+ at item info version
+show the version of QEMU
+ at item info network
+show the various VLANs and the associated devices
+ at item info chardev
+show the character devices
+ at item info block
+show the block devices
+ at item info blockstats
+show block device statistics
+ at item info registers
+show the cpu registers
+ at item info cpus
+show infos for each CPU
+ at item info history
+show the command line history
+ at item info irq
+show the interrupts statistics (if available)
+ at item info pic
+show i8259 (PIC) state
+ at item info pci
+show emulated PCI device info
+ at item info tlb
+show virtual to physical memory mappings (i386 only)
+ at item info mem
+show the active virtual memory mappings (i386 only)
+ at item info jit
+show dynamic compiler info
+ at item info kvm
+show KVM information
+ at item info numa
+show NUMA information
+ at item info kvm
+show KVM information
+ at item info usb
+show USB devices plugged on the virtual USB hub
+ at item info usbhost
+show all USB host devices
+ at item info profile
+show profiling information
+ at item info capture
+show information about active capturing
+ at item info snapshots
+show list of VM snapshots
+ at item info status
+show the current VM status (running|paused)
+ at item info pcmcia
+show guest PCMCIA status
+ at item info mice
+show which guest mouse is receiving events
+ at item info vnc
+show the vnc server status
+ at item info name
+show the current VM name
+ at item info uuid
+show the current VM UUID
+ at item info cpustats
+show CPU statistics
+ at item info usernet
+show user network stack connection states
+ at item info migrate
+show migration status
+ at item info balloon
+show balloon information
+ at item info qtree
+show device tree
+ at item info qdm
+show qdev device model list
+ at item info roms
+show roms
+ at end table
+ETEXI
+
+#ifdef CONFIG_SIMPLE_TRACE
+STEXI
+ at item info trace
+show contents of trace buffer
+ at item info trace-events
+show available trace events and their state
+ETEXI
+#endif
+
+STEXI
+ at end table
+ETEXI
diff --git a/monitor.c b/monitor.c
index 3f3c9bf..4148dd9 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2332,11 +2332,11 @@ int monitor_get_fd(Monitor *mon, const char *fdname)
 }
 
 static const mon_cmd_t mon_cmds[] = {
-#include "qemu-monitor.h"
+#include "hmp-commands.h"
     { NULL, NULL, },
 };
 
-/* Please update qemu-monitor.hx when adding or changing commands */
+/* Please update hmp-commands.hx when adding or changing commands */
 static const mon_cmd_t info_cmds[] = {
     {
         .name       = "version",
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
deleted file mode 100644
index 81999aa..0000000
--- a/qemu-monitor.hx
+++ /dev/null
@@ -1,1216 +0,0 @@
-HXCOMM Use DEFHEADING() to define headings in both help text and texi
-HXCOMM Text between STEXI and ETEXI are copied to texi version and
-HXCOMM discarded from C version
-HXCOMM DEF(command, args, callback, arg_string, help) is used to construct
-HXCOMM monitor commands
-HXCOMM HXCOMM can be used for comments, discarded from both texi and C
-
-STEXI
- at table @option
-ETEXI
-
-    {
-        .name       = "help|?",
-        .args_type  = "name:s?",
-        .params     = "[cmd]",
-        .help       = "show the help",
-        .mhandler.cmd = do_help_cmd,
-    },
-
-STEXI
- at item help or ? [@var{cmd}]
- at findex help
-Show the help for all commands or just for command @var{cmd}.
-ETEXI
-
-    {
-        .name       = "commit",
-        .args_type  = "device:B",
-        .params     = "device|all",
-        .help       = "commit changes to the disk images (if -snapshot is used) or backing files",
-        .mhandler.cmd = do_commit,
-    },
-
-STEXI
- at item commit
- at findex commit
-Commit changes to the disk images (if -snapshot is used) or backing files.
-ETEXI
-
-    {
-        .name       = "q|quit",
-        .args_type  = "",
-        .params     = "",
-        .help       = "quit the emulator",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_quit,
-    },
-
-STEXI
- at item q or quit
- at findex quit
-Quit the emulator.
-ETEXI
-
-    {
-        .name       = "eject",
-        .args_type  = "force:-f,device:B",
-        .params     = "[-f] device",
-        .help       = "eject a removable medium (use -f to force it)",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_eject,
-    },
-
-STEXI
- at item eject [-f] @var{device}
- at findex eject
-Eject a removable medium (use -f to force it).
-ETEXI
-
-    {
-        .name       = "change",
-        .args_type  = "device:B,target:F,arg:s?",
-        .params     = "device filename [format]",
-        .help       = "change a removable medium, optional format",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_change,
-    },
-
-STEXI
- at item change @var{device} @var{setting}
- at findex change
-
-Change the configuration of a device.
-
- at table @option
- at item change @var{diskdevice} @var{filename} [@var{format}]
-Change the medium for a removable disk device to point to @var{filename}. eg
-
- at example
-(qemu) change ide1-cd0 /path/to/some.iso
- at end example
-
- at var{format} is optional.
-
- at item change vnc @var{display}, at var{options}
-Change the configuration of the VNC server. The valid syntax for @var{display}
-and @var{options} are described at @ref{sec_invocation}. eg
-
- at example
-(qemu) change vnc localhost:1
- at end example
-
- at item change vnc password [@var{password}]
-
-Change the password associated with the VNC server. If the new password is not
-supplied, the monitor will prompt for it to be entered. VNC passwords are only
-significant up to 8 letters. eg
-
- at example
-(qemu) change vnc password
-Password: ********
- at end example
-
- at end table
-ETEXI
-
-    {
-        .name       = "screendump",
-        .args_type  = "filename:F",
-        .params     = "filename",
-        .help       = "save screen into PPM image 'filename'",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_screen_dump,
-    },
-
-STEXI
- at item screendump @var{filename}
- at findex screendump
-Save screen into PPM image @var{filename}.
-ETEXI
-
-    {
-        .name       = "logfile",
-        .args_type  = "filename:F",
-        .params     = "filename",
-        .help       = "output logs to 'filename'",
-        .mhandler.cmd = do_logfile,
-    },
-
-STEXI
- at item logfile @var{filename}
- at findex logfile
-Output logs to @var{filename}.
-ETEXI
-
-#ifdef CONFIG_SIMPLE_TRACE
-    {
-        .name       = "trace-event",
-        .args_type  = "name:s,option:b",
-        .params     = "name on|off",
-        .help       = "changes status of a specific trace event",
-        .mhandler.cmd = do_change_trace_event_state,
-    },
-
-STEXI
- at item trace-event
- at findex trace-event
-changes status of a trace event
-ETEXI
-
-    {
-        .name       = "trace-file",
-        .args_type  = "op:s?,arg:F?",
-        .params     = "on|off|flush|set [arg]",
-        .help       = "open, close, or flush trace file, or set a new file name",
-        .mhandler.cmd = do_trace_file,
-    },
-
-STEXI
- at item trace-file on|off|flush
- at findex trace-file
-Open, close, or flush the trace file.  If no argument is given, the status of the trace file is displayed.
-ETEXI
-#endif
-
-    {
-        .name       = "log",
-        .args_type  = "items:s",
-        .params     = "item1[,...]",
-        .help       = "activate logging of the specified items to '/tmp/qemu.log'",
-        .mhandler.cmd = do_log,
-    },
-
-STEXI
- at item log @var{item1}[,...]
- at findex log
-Activate logging of the specified items to @file{/tmp/qemu.log}.
-ETEXI
-
-    {
-        .name       = "savevm",
-        .args_type  = "name:s?",
-        .params     = "[tag|id]",
-        .help       = "save a VM snapshot. If no tag or id are provided, a new snapshot is created",
-        .mhandler.cmd = do_savevm,
-    },
-
-STEXI
- at item savevm [@var{tag}|@var{id}]
- at findex savevm
-Create a snapshot of the whole virtual machine. If @var{tag} is
-provided, it is used as human readable identifier. If there is already
-a snapshot with the same tag or ID, it is replaced. More info at
- at ref{vm_snapshots}.
-ETEXI
-
-    {
-        .name       = "loadvm",
-        .args_type  = "name:s",
-        .params     = "tag|id",
-        .help       = "restore a VM snapshot from its tag or id",
-        .mhandler.cmd = do_loadvm,
-    },
-
-STEXI
- at item loadvm @var{tag}|@var{id}
- at findex loadvm
-Set the whole virtual machine to the snapshot identified by the tag
- at var{tag} or the unique snapshot ID @var{id}.
-ETEXI
-
-    {
-        .name       = "delvm",
-        .args_type  = "name:s",
-        .params     = "tag|id",
-        .help       = "delete a VM snapshot from its tag or id",
-        .mhandler.cmd = do_delvm,
-    },
-
-STEXI
- at item delvm @var{tag}|@var{id}
- at findex delvm
-Delete the snapshot identified by @var{tag} or @var{id}.
-ETEXI
-
-    {
-        .name       = "singlestep",
-        .args_type  = "option:s?",
-        .params     = "[on|off]",
-        .help       = "run emulation in singlestep mode or switch to normal mode",
-        .mhandler.cmd = do_singlestep,
-    },
-
-STEXI
- at item singlestep [off]
- at findex singlestep
-Run the emulation in single step mode.
-If called with option off, the emulation returns to normal mode.
-ETEXI
-
-    {
-        .name       = "stop",
-        .args_type  = "",
-        .params     = "",
-        .help       = "stop emulation",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_stop,
-    },
-
-STEXI
- at item stop
- at findex stop
-Stop emulation.
-ETEXI
-
-    {
-        .name       = "c|cont",
-        .args_type  = "",
-        .params     = "",
-        .help       = "resume emulation",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_cont,
-    },
-
-STEXI
- at item c or cont
- at findex cont
-Resume emulation.
-ETEXI
-
-    {
-        .name       = "gdbserver",
-        .args_type  = "device:s?",
-        .params     = "[device]",
-        .help       = "start gdbserver on given device (default 'tcp::1234'), stop with 'none'",
-        .mhandler.cmd = do_gdbserver,
-    },
-
-STEXI
- at item gdbserver [@var{port}]
- at findex gdbserver
-Start gdbserver session (default @var{port}=1234)
-ETEXI
-
-    {
-        .name       = "x",
-        .args_type  = "fmt:/,addr:l",
-        .params     = "/fmt addr",
-        .help       = "virtual memory dump starting at 'addr'",
-        .mhandler.cmd = do_memory_dump,
-    },
-
-STEXI
- at item x/fmt @var{addr}
- at findex x
-Virtual memory dump starting at @var{addr}.
-ETEXI
-
-    {
-        .name       = "xp",
-        .args_type  = "fmt:/,addr:l",
-        .params     = "/fmt addr",
-        .help       = "physical memory dump starting at 'addr'",
-        .mhandler.cmd = do_physical_memory_dump,
-    },
-
-STEXI
- at item xp /@var{fmt} @var{addr}
- at findex xp
-Physical memory dump starting at @var{addr}.
-
- at var{fmt} is a format which tells the command how to format the
-data. Its syntax is: @option{/@{count@}@{format@}@{size@}}
-
- at table @var
- at item count
-is the number of items to be dumped.
-
- at item format
-can be x (hex), d (signed decimal), u (unsigned decimal), o (octal),
-c (char) or i (asm instruction).
-
- at item size
-can be b (8 bits), h (16 bits), w (32 bits) or g (64 bits). On x86,
- at code{h} or @code{w} can be specified with the @code{i} format to
-respectively select 16 or 32 bit code instruction size.
-
- at end table
-
-Examples:
- at itemize
- at item
-Dump 10 instructions at the current instruction pointer:
- at example
-(qemu) x/10i $eip
-0x90107063:  ret
-0x90107064:  sti
-0x90107065:  lea    0x0(%esi,1),%esi
-0x90107069:  lea    0x0(%edi,1),%edi
-0x90107070:  ret
-0x90107071:  jmp    0x90107080
-0x90107073:  nop
-0x90107074:  nop
-0x90107075:  nop
-0x90107076:  nop
- at end example
-
- at item
-Dump 80 16 bit values at the start of the video memory.
- at smallexample
-(qemu) xp/80hx 0xb8000
-0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42
-0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41
-0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72
-0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73
-0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20
-0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720
-0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
-0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
-0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
-0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
- at end smallexample
- at end itemize
-ETEXI
-
-    {
-        .name       = "p|print",
-        .args_type  = "fmt:/,val:l",
-        .params     = "/fmt expr",
-        .help       = "print expression value (use $reg for CPU register access)",
-        .mhandler.cmd = do_print,
-    },
-
-STEXI
- at item p or print/@var{fmt} @var{expr}
- at findex print
-
-Print expression value. Only the @var{format} part of @var{fmt} is
-used.
-ETEXI
-
-    {
-        .name       = "i",
-        .args_type  = "fmt:/,addr:i,index:i.",
-        .params     = "/fmt addr",
-        .help       = "I/O port read",
-        .mhandler.cmd = do_ioport_read,
-    },
-
-STEXI
-Read I/O port.
-ETEXI
-
-    {
-        .name       = "o",
-        .args_type  = "fmt:/,addr:i,val:i",
-        .params     = "/fmt addr value",
-        .help       = "I/O port write",
-        .mhandler.cmd = do_ioport_write,
-    },
-
-STEXI
-Write to I/O port.
-ETEXI
-
-    {
-        .name       = "sendkey",
-        .args_type  = "string:s,hold_time:i?",
-        .params     = "keys [hold_ms]",
-        .help       = "send keys to the VM (e.g. 'sendkey ctrl-alt-f1', default hold time=100 ms)",
-        .mhandler.cmd = do_sendkey,
-    },
-
-STEXI
- at item sendkey @var{keys}
- at findex sendkey
-
-Send @var{keys} to the emulator. @var{keys} could be the name of the
-key or @code{#} followed by the raw value in either decimal or hexadecimal
-format. Use @code{-} to press several keys simultaneously. Example:
- at example
-sendkey ctrl-alt-f1
- at end example
-
-This command is useful to send keys that your graphical user interface
-intercepts at low level, such as @code{ctrl-alt-f1} in X Window.
-ETEXI
-
-    {
-        .name       = "system_reset",
-        .args_type  = "",
-        .params     = "",
-        .help       = "reset the system",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_system_reset,
-    },
-
-STEXI
- at item system_reset
- at findex system_reset
-
-Reset the system.
-ETEXI
-
-    {
-        .name       = "system_powerdown",
-        .args_type  = "",
-        .params     = "",
-        .help       = "send system power down event",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_system_powerdown,
-    },
-
-STEXI
- at item system_powerdown
- at findex system_powerdown
-
-Power down the system (if supported).
-ETEXI
-
-    {
-        .name       = "sum",
-        .args_type  = "start:i,size:i",
-        .params     = "addr size",
-        .help       = "compute the checksum of a memory region",
-        .mhandler.cmd = do_sum,
-    },
-
-STEXI
- at item sum @var{addr} @var{size}
- at findex sum
-
-Compute the checksum of a memory region.
-ETEXI
-
-    {
-        .name       = "usb_add",
-        .args_type  = "devname:s",
-        .params     = "device",
-        .help       = "add USB device (e.g. 'host:bus.addr' or 'host:vendor_id:product_id')",
-        .mhandler.cmd = do_usb_add,
-    },
-
-STEXI
- at item usb_add @var{devname}
- at findex usb_add
-
-Add the USB device @var{devname}.  For details of available devices see
- at ref{usb_devices}
-ETEXI
-
-    {
-        .name       = "usb_del",
-        .args_type  = "devname:s",
-        .params     = "device",
-        .help       = "remove USB device 'bus.addr'",
-        .mhandler.cmd = do_usb_del,
-    },
-
-STEXI
- at item usb_del @var{devname}
- at findex usb_del
-
-Remove the USB device @var{devname} from the QEMU virtual USB
-hub. @var{devname} has the syntax @code{bus.addr}. Use the monitor
-command @code{info usb} to see the devices you can remove.
-ETEXI
-
-    {
-        .name       = "device_add",
-        .args_type  = "device:O",
-        .params     = "driver[,prop=value][,...]",
-        .help       = "add device, like -device on the command line",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_device_add,
-    },
-
-STEXI
- at item device_add @var{config}
- at findex device_add
-
-Add device.
-ETEXI
-
-    {
-        .name       = "device_del",
-        .args_type  = "id:s",
-        .params     = "device",
-        .help       = "remove device",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_device_del,
-    },
-
-STEXI
- at item device_del @var{id}
- at findex device_del
-
-Remove device @var{id}.
-ETEXI
-
-    {
-        .name       = "cpu",
-        .args_type  = "index:i",
-        .params     = "index",
-        .help       = "set the default CPU",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_cpu_set,
-    },
-
-STEXI
- at item cpu @var{index}
- at findex cpu
-Set the default CPU.
-ETEXI
-
-    {
-        .name       = "mouse_move",
-        .args_type  = "dx_str:s,dy_str:s,dz_str:s?",
-        .params     = "dx dy [dz]",
-        .help       = "send mouse move events",
-        .mhandler.cmd = do_mouse_move,
-    },
-
-STEXI
- at item mouse_move @var{dx} @var{dy} [@var{dz}]
- at findex mouse_move
-Move the active mouse to the specified coordinates @var{dx} @var{dy}
-with optional scroll axis @var{dz}.
-ETEXI
-
-    {
-        .name       = "mouse_button",
-        .args_type  = "button_state:i",
-        .params     = "state",
-        .help       = "change mouse button state (1=L, 2=M, 4=R)",
-        .mhandler.cmd = do_mouse_button,
-    },
-
-STEXI
- at item mouse_button @var{val}
- at findex mouse_button
-Change the active mouse button state @var{val} (1=L, 2=M, 4=R).
-ETEXI
-
-    {
-        .name       = "mouse_set",
-        .args_type  = "index:i",
-        .params     = "index",
-        .help       = "set which mouse device receives events",
-        .mhandler.cmd = do_mouse_set,
-    },
-
-STEXI
- at item mouse_set @var{index}
- at findex mouse_set
-Set which mouse device receives events at given @var{index}, index
-can be obtained with
- at example
-info mice
- at end example
-ETEXI
-
-#ifdef HAS_AUDIO
-    {
-        .name       = "wavcapture",
-        .args_type  = "path:F,freq:i?,bits:i?,nchannels:i?",
-        .params     = "path [frequency [bits [channels]]]",
-        .help       = "capture audio to a wave file (default frequency=44100 bits=16 channels=2)",
-        .mhandler.cmd = do_wav_capture,
-    },
-#endif
-STEXI
- at item wavcapture @var{filename} [@var{frequency} [@var{bits} [@var{channels}]]]
- at findex wavcapture
-Capture audio into @var{filename}. Using sample rate @var{frequency}
-bits per sample @var{bits} and number of channels @var{channels}.
-
-Defaults:
- at itemize @minus
- at item Sample rate = 44100 Hz - CD quality
- at item Bits = 16
- at item Number of channels = 2 - Stereo
- at end itemize
-ETEXI
-
-#ifdef HAS_AUDIO
-    {
-        .name       = "stopcapture",
-        .args_type  = "n:i",
-        .params     = "capture index",
-        .help       = "stop capture",
-        .mhandler.cmd = do_stop_capture,
-    },
-#endif
-STEXI
- at item stopcapture @var{index}
- at findex stopcapture
-Stop capture with a given @var{index}, index can be obtained with
- at example
-info capture
- at end example
-ETEXI
-
-    {
-        .name       = "memsave",
-        .args_type  = "val:l,size:i,filename:s",
-        .params     = "addr size file",
-        .help       = "save to disk virtual memory dump starting at 'addr' of size 'size'",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_memory_save,
-    },
-
-STEXI
- at item memsave @var{addr} @var{size} @var{file}
- at findex memsave
-save to disk virtual memory dump starting at @var{addr} of size @var{size}.
-ETEXI
-
-    {
-        .name       = "pmemsave",
-        .args_type  = "val:l,size:i,filename:s",
-        .params     = "addr size file",
-        .help       = "save to disk physical memory dump starting at 'addr' of size 'size'",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_physical_memory_save,
-    },
-
-STEXI
- at item pmemsave @var{addr} @var{size} @var{file}
- at findex pmemsave
-save to disk physical memory dump starting at @var{addr} of size @var{size}.
-ETEXI
-
-    {
-        .name       = "boot_set",
-        .args_type  = "bootdevice:s",
-        .params     = "bootdevice",
-        .help       = "define new values for the boot device list",
-        .mhandler.cmd = do_boot_set,
-    },
-
-STEXI
- at item boot_set @var{bootdevicelist}
- at findex boot_set
-
-Define new values for the boot device list. Those values will override
-the values specified on the command line through the @code{-boot} option.
-
-The values that can be specified here depend on the machine type, but are
-the same that can be specified in the @code{-boot} command line option.
-ETEXI
-
-#if defined(TARGET_I386)
-    {
-        .name       = "nmi",
-        .args_type  = "cpu_index:i",
-        .params     = "cpu",
-        .help       = "inject an NMI on the given CPU",
-        .mhandler.cmd = do_inject_nmi,
-    },
-#endif
-STEXI
- at item nmi @var{cpu}
- at findex nmi
-Inject an NMI on the given CPU (x86 only).
-ETEXI
-
-    {
-        .name       = "migrate",
-        .args_type  = "detach:-d,blk:-b,inc:-i,uri:s",
-        .params     = "[-d] [-b] [-i] uri",
-        .help       = "migrate to URI (using -d to not wait for completion)"
-		      "\n\t\t\t -b for migration without shared storage with"
-		      " full copy of disk\n\t\t\t -i for migration without "
-		      "shared storage with incremental copy of disk "
-		      "(base image shared between src and destination)",
-        .user_print = monitor_user_noop,	
-	.mhandler.cmd_new = do_migrate,
-    },
-
-
-STEXI
- at item migrate [-d] [-b] [-i] @var{uri}
- at findex migrate
-Migrate to @var{uri} (using -d to not wait for completion).
-	-b for migration with full copy of disk
-	-i for migration with incremental copy of disk (base image is shared)
-ETEXI
-
-    {
-        .name       = "migrate_cancel",
-        .args_type  = "",
-        .params     = "",
-        .help       = "cancel the current VM migration",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_migrate_cancel,
-    },
-
-STEXI
- at item migrate_cancel
- at findex migrate_cancel
-Cancel the current VM migration.
-ETEXI
-
-    {
-        .name       = "migrate_set_speed",
-        .args_type  = "value:f",
-        .params     = "value",
-        .help       = "set maximum speed (in bytes) for migrations",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_migrate_set_speed,
-    },
-
-STEXI
- at item migrate_set_speed @var{value}
- at findex migrate_set_speed
-Set maximum speed to @var{value} (in bytes) for migrations.
-ETEXI
-
-    {
-        .name       = "migrate_set_downtime",
-        .args_type  = "value:T",
-        .params     = "value",
-        .help       = "set maximum tolerated downtime (in seconds) for migrations",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_migrate_set_downtime,
-    },
-
-STEXI
- at item migrate_set_downtime @var{second}
- at findex migrate_set_downtime
-Set maximum tolerated downtime (in seconds) for migration.
-ETEXI
-
-#if defined(TARGET_I386)
-    {
-        .name       = "drive_add",
-        .args_type  = "pci_addr:s,opts:s",
-        .params     = "[[<domain>:]<bus>:]<slot>\n"
-                      "[file=file][,if=type][,bus=n]\n"
-                      "[,unit=m][,media=d][index=i]\n"
-                      "[,cyls=c,heads=h,secs=s[,trans=t]]\n"
-                      "[snapshot=on|off][,cache=on|off]",
-        .help       = "add drive to PCI storage controller",
-        .mhandler.cmd = drive_hot_add,
-    },
-#endif
-
-STEXI
- at item drive_add
- at findex drive_add
-Add drive to PCI storage controller.
-ETEXI
-
-#if defined(TARGET_I386)
-    {
-        .name       = "pci_add",
-        .args_type  = "pci_addr:s,type:s,opts:s?",
-        .params     = "auto|[[<domain>:]<bus>:]<slot> nic|storage [[vlan=n][,macaddr=addr][,model=type]] [file=file][,if=type][,bus=nr]...",
-        .help       = "hot-add PCI device",
-        .mhandler.cmd = pci_device_hot_add,
-    },
-#endif
-
-STEXI
- at item pci_add
- at findex pci_add
-Hot-add PCI device.
-ETEXI
-
-#if defined(TARGET_I386)
-    {
-        .name       = "pci_del",
-        .args_type  = "pci_addr:s",
-        .params     = "[[<domain>:]<bus>:]<slot>",
-        .help       = "hot remove PCI device",
-        .mhandler.cmd = do_pci_device_hot_remove,
-    },
-#endif
-
-STEXI
- at item pci_del
- at findex pci_del
-Hot remove PCI device.
-ETEXI
-
-    {
-        .name       = "host_net_add",
-        .args_type  = "device:s,opts:s?",
-        .params     = "tap|user|socket|vde|dump [options]",
-        .help       = "add host VLAN client",
-        .mhandler.cmd = net_host_device_add,
-    },
-
-STEXI
- at item host_net_add
- at findex host_net_add
-Add host VLAN client.
-ETEXI
-
-    {
-        .name       = "host_net_remove",
-        .args_type  = "vlan_id:i,device:s",
-        .params     = "vlan_id name",
-        .help       = "remove host VLAN client",
-        .mhandler.cmd = net_host_device_remove,
-    },
-
-STEXI
- at item host_net_remove
- at findex host_net_remove
-Remove host VLAN client.
-ETEXI
-
-    {
-        .name       = "netdev_add",
-        .args_type  = "netdev:O",
-        .params     = "[user|tap|socket],id=str[,prop=value][,...]",
-        .help       = "add host network device",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_netdev_add,
-    },
-
-STEXI
- at item netdev_add
- at findex netdev_add
-Add host network device.
-ETEXI
-
-    {
-        .name       = "netdev_del",
-        .args_type  = "id:s",
-        .params     = "id",
-        .help       = "remove host network device",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_netdev_del,
-    },
-
-STEXI
- at item netdev_del
- at findex netdev_del
-Remove host network device.
-ETEXI
-
-#ifdef CONFIG_SLIRP
-    {
-        .name       = "hostfwd_add",
-        .args_type  = "arg1:s,arg2:s?,arg3:s?",
-        .params     = "[vlan_id name] [tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport",
-        .help       = "redirect TCP or UDP connections from host to guest (requires -net user)",
-        .mhandler.cmd = net_slirp_hostfwd_add,
-    },
-#endif
-STEXI
- at item hostfwd_add
- at findex hostfwd_add
-Redirect TCP or UDP connections from host to guest (requires -net user).
-ETEXI
-
-#ifdef CONFIG_SLIRP
-    {
-        .name       = "hostfwd_remove",
-        .args_type  = "arg1:s,arg2:s?,arg3:s?",
-        .params     = "[vlan_id name] [tcp|udp]:[hostaddr]:hostport",
-        .help       = "remove host-to-guest TCP or UDP redirection",
-        .mhandler.cmd = net_slirp_hostfwd_remove,
-    },
-
-#endif
-STEXI
- at item hostfwd_remove
- at findex hostfwd_remove
-Remove host-to-guest TCP or UDP redirection.
-ETEXI
-
-    {
-        .name       = "balloon",
-        .args_type  = "value:M",
-        .params     = "target",
-        .help       = "request VM to change its memory allocation (in MB)",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_async = do_balloon,
-        .flags      = MONITOR_CMD_ASYNC,
-    },
-
-STEXI
- at item balloon @var{value}
- at findex balloon
-Request VM to change its memory allocation to @var{value} (in MB).
-ETEXI
-
-    {
-        .name       = "set_link",
-        .args_type  = "name:s,up:b",
-        .params     = "name on|off",
-        .help       = "change the link status of a network adapter",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_set_link,
-    },
-
-STEXI
- at item set_link @var{name} [on|off]
- at findex set_link
-Switch link @var{name} on (i.e. up) or off (i.e. down).
-ETEXI
-
-    {
-        .name       = "watchdog_action",
-        .args_type  = "action:s",
-        .params     = "[reset|shutdown|poweroff|pause|debug|none]",
-        .help       = "change watchdog action",
-        .mhandler.cmd = do_watchdog_action,
-    },
-
-STEXI
- at item watchdog_action
- at findex watchdog_action
-Change watchdog action.
-ETEXI
-
-    {
-        .name       = "acl_show",
-        .args_type  = "aclname:s",
-        .params     = "aclname",
-        .help       = "list rules in the access control list",
-        .mhandler.cmd = do_acl_show,
-    },
-
-STEXI
- at item acl_show @var{aclname}
- at findex acl_show
-List all the matching rules in the access control list, and the default
-policy. There are currently two named access control lists,
- at var{vnc.x509dname} and @var{vnc.username} matching on the x509 client
-certificate distinguished name, and SASL username respectively.
-ETEXI
-
-    {
-        .name       = "acl_policy",
-        .args_type  = "aclname:s,policy:s",
-        .params     = "aclname allow|deny",
-        .help       = "set default access control list policy",
-        .mhandler.cmd = do_acl_policy,
-    },
-
-STEXI
- at item acl_policy @var{aclname} @code{allow|deny}
- at findex acl_policy
-Set the default access control list policy, used in the event that
-none of the explicit rules match. The default policy at startup is
-always @code{deny}.
-ETEXI
-
-    {
-        .name       = "acl_add",
-        .args_type  = "aclname:s,match:s,policy:s,index:i?",
-        .params     = "aclname match allow|deny [index]",
-        .help       = "add a match rule to the access control list",
-        .mhandler.cmd = do_acl_add,
-    },
-
-STEXI
- at item acl_add @var{aclname} @var{match} @code{allow|deny} [@var{index}]
- at findex acl_add
-Add a match rule to the access control list, allowing or denying access.
-The match will normally be an exact username or x509 distinguished name,
-but can optionally include wildcard globs. eg @code{*@@EXAMPLE.COM} to
-allow all users in the @code{EXAMPLE.COM} kerberos realm. The match will
-normally be appended to the end of the ACL, but can be inserted
-earlier in the list if the optional @var{index} parameter is supplied.
-ETEXI
-
-    {
-        .name       = "acl_remove",
-        .args_type  = "aclname:s,match:s",
-        .params     = "aclname match",
-        .help       = "remove a match rule from the access control list",
-        .mhandler.cmd = do_acl_remove,
-    },
-
-STEXI
- at item acl_remove @var{aclname} @var{match}
- at findex acl_remove
-Remove the specified match rule from the access control list.
-ETEXI
-
-    {
-        .name       = "acl_reset",
-        .args_type  = "aclname:s",
-        .params     = "aclname",
-        .help       = "reset the access control list",
-        .mhandler.cmd = do_acl_reset,
-    },
-
-STEXI
- at item acl_reset @var{aclname}
- at findex acl_reset
-Remove all matches from the access control list, and set the default
-policy back to @code{deny}.
-ETEXI
-
-#if defined(TARGET_I386)
-
-    {
-        .name       = "mce",
-        .args_type  = "cpu_index:i,bank:i,status:l,mcg_status:l,addr:l,misc:l",
-        .params     = "cpu bank status mcgstatus addr misc",
-        .help       = "inject a MCE on the given CPU",
-        .mhandler.cmd = do_inject_mce,
-    },
-
-#endif
-STEXI
- at item mce @var{cpu} @var{bank} @var{status} @var{mcgstatus} @var{addr} @var{misc}
- at findex mce (x86)
-Inject an MCE on the given CPU (x86 only).
-ETEXI
-
-    {
-        .name       = "getfd",
-        .args_type  = "fdname:s",
-        .params     = "getfd name",
-        .help       = "receive a file descriptor via SCM rights and assign it a name",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_getfd,
-    },
-
-STEXI
- at item getfd @var{fdname}
- at findex getfd
-If a file descriptor is passed alongside this command using the SCM_RIGHTS
-mechanism on unix sockets, it is stored using the name @var{fdname} for
-later use by other monitor commands.
-ETEXI
-
-    {
-        .name       = "closefd",
-        .args_type  = "fdname:s",
-        .params     = "closefd name",
-        .help       = "close a file descriptor previously passed via SCM rights",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_closefd,
-    },
-
-STEXI
- at item closefd @var{fdname}
- at findex closefd
-Close the file descriptor previously assigned to @var{fdname} using the
- at code{getfd} command. This is only needed if the file descriptor was never
-used by another monitor command.
-ETEXI
-
-    {
-        .name       = "block_passwd",
-        .args_type  = "device:B,password:s",
-        .params     = "block_passwd device password",
-        .help       = "set the password of encrypted block devices",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_block_set_passwd,
-    },
-
-STEXI
- at item block_passwd @var{device} @var{password}
- at findex block_passwd
-Set the encrypted device @var{device} password to @var{password}
-ETEXI
-
-    {
-        .name       = "info",
-        .args_type  = "item:s?",
-        .params     = "[subcommand]",
-        .help       = "show various information about the system state",
-        .mhandler.cmd = do_info,
-    },
-
-STEXI
- at item info @var{subcommand}
- at findex info
-Show various information about the system state.
-
- at table @option
- at item info version
-show the version of QEMU
- at item info network
-show the various VLANs and the associated devices
- at item info chardev
-show the character devices
- at item info block
-show the block devices
- at item info blockstats
-show block device statistics
- at item info registers
-show the cpu registers
- at item info cpus
-show infos for each CPU
- at item info history
-show the command line history
- at item info irq
-show the interrupts statistics (if available)
- at item info pic
-show i8259 (PIC) state
- at item info pci
-show emulated PCI device info
- at item info tlb
-show virtual to physical memory mappings (i386 only)
- at item info mem
-show the active virtual memory mappings (i386 only)
- at item info jit
-show dynamic compiler info
- at item info kvm
-show KVM information
- at item info numa
-show NUMA information
- at item info kvm
-show KVM information
- at item info usb
-show USB devices plugged on the virtual USB hub
- at item info usbhost
-show all USB host devices
- at item info profile
-show profiling information
- at item info capture
-show information about active capturing
- at item info snapshots
-show list of VM snapshots
- at item info status
-show the current VM status (running|paused)
- at item info pcmcia
-show guest PCMCIA status
- at item info mice
-show which guest mouse is receiving events
- at item info vnc
-show the vnc server status
- at item info name
-show the current VM name
- at item info uuid
-show the current VM UUID
- at item info cpustats
-show CPU statistics
- at item info usernet
-show user network stack connection states
- at item info migrate
-show migration status
- at item info balloon
-show balloon information
- at item info qtree
-show device tree
- at item info qdm
-show qdev device model list
- at item info roms
-show roms
- at end table
-ETEXI
-
-#ifdef CONFIG_SIMPLE_TRACE
-STEXI
- at item info trace
-show contents of trace buffer
- at item info trace-events
-show available trace events and their state
-ETEXI
-#endif
-
-STEXI
- at end table
-ETEXI
commit fc29df759e7499446220349809a920ed2dfbc466
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 16 11:11:18 2010 -0300

    QMP: Introduce qmp_call_cmd()
    
    Calls a QObject handler and emits the QMP response, also drops
    monitor_call_handler() which is now unused.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 03f3c18..3f3c9bf 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3880,29 +3880,6 @@ static void handler_audit(Monitor *mon, const mon_cmd_t *cmd, int ret)
     }
 }
 
-static void monitor_call_handler(Monitor *mon, const mon_cmd_t *cmd,
-                                 const QDict *params)
-{
-    int ret;
-    QObject *data = NULL;
-
-    mon_print_count_init(mon);
-
-    ret = cmd->mhandler.cmd_new(mon, params, &data);
-    handler_audit(mon, cmd, ret);
-
-    if (monitor_ctrl_mode(mon)) {
-        /* Monitor Protocol */
-        monitor_protocol_emitter(mon, data);
-    } else {
-        /* User Protocol */
-         if (data)
-            cmd->user_print(mon, data);
-    }
-
-    qobject_decref(data);
-}
-
 static void handle_user_command(Monitor *mon, const char *cmdline)
 {
     QDict *qdict;
@@ -4433,6 +4410,20 @@ static void qmp_call_query_cmd(Monitor *mon, const mon_cmd_t *cmd)
     }
 }
 
+static void qmp_call_cmd(Monitor *mon, const mon_cmd_t *cmd,
+                         const QDict *params)
+{
+    int ret;
+    QObject *data = NULL;
+
+    mon_print_count_init(mon);
+
+    ret = cmd->mhandler.cmd_new(mon, params, &data);
+    handler_audit(mon, cmd, ret);
+    monitor_protocol_emitter(mon, data);
+    qobject_decref(data);
+}
+
 static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
 {
     int err;
@@ -4500,7 +4491,7 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
             goto err_out;
         }
     } else {
-        monitor_call_handler(mon, cmd, args);
+        qmp_call_cmd(mon, cmd, args);
     }
 
     goto out;
commit de79ba6f53fa78a6132a67c7ff134014dc8479e7
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 16 11:06:11 2010 -0300

    Monitor: Directly call QObject handlers
    
    This avoids handle_user_command() calling monitor_call_handler(),
    which is currently shared with QMP.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 7959504..03f3c18 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3917,7 +3917,15 @@ static void handle_user_command(Monitor *mon, const char *cmdline)
     if (handler_is_async(cmd)) {
         user_async_cmd_handler(mon, cmd, qdict);
     } else if (handler_is_qobject(cmd)) {
-        monitor_call_handler(mon, cmd, qdict);
+        QObject *data = NULL;
+
+        /* XXX: ignores the error code */
+        cmd->mhandler.cmd_new(mon, qdict, &data);
+        assert(!monitor_has_error(mon));
+        if (data) {
+            cmd->user_print(mon, data);
+            qobject_decref(data);
+        }
     } else {
         cmd->mhandler.cmd(mon, qdict);
     }
commit 4903de0cebb6306e8c660dc0ce3e66fe3b5c35f9
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 16 11:01:32 2010 -0300

    Monitor: Rename monitor_handler_is_async()
    
    Let's follow the convention introduced by the previous commit and
    call it handler_is_async().
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index b9dab78..7959504 100644
--- a/monitor.c
+++ b/monitor.c
@@ -335,7 +335,7 @@ static inline int handler_is_qobject(const mon_cmd_t *cmd)
     return cmd->user_print != NULL;
 }
 
-static inline bool monitor_handler_is_async(const mon_cmd_t *cmd)
+static inline bool handler_is_async(const mon_cmd_t *cmd)
 {
     return cmd->flags & MONITOR_CMD_ASYNC;
 }
@@ -652,7 +652,7 @@ static void do_info(Monitor *mon, const QDict *qdict)
         goto help;
     }
 
-    if (monitor_handler_is_async(cmd)) {
+    if (handler_is_async(cmd)) {
         user_async_info_handler(mon, cmd);
     } else if (handler_is_qobject(cmd)) {
         QObject *info_data = NULL;
@@ -3914,7 +3914,7 @@ static void handle_user_command(Monitor *mon, const char *cmdline)
     if (!cmd)
         goto out;
 
-    if (monitor_handler_is_async(cmd)) {
+    if (handler_is_async(cmd)) {
         user_async_cmd_handler(mon, cmd, qdict);
     } else if (handler_is_qobject(cmd)) {
         monitor_call_handler(mon, cmd, qdict);
@@ -4411,7 +4411,7 @@ static void qmp_call_query_cmd(Monitor *mon, const mon_cmd_t *cmd)
 {
     QObject *ret_data = NULL;
 
-    if (monitor_handler_is_async(cmd)) {
+    if (handler_is_async(cmd)) {
         qmp_async_info_handler(mon, cmd);
         if (monitor_has_error(mon)) {
             monitor_protocol_emitter(mon, NULL);
@@ -4485,7 +4485,7 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
 
     if (query_cmd) {
         qmp_call_query_cmd(mon, cmd);
-    } else if (monitor_handler_is_async(cmd)) {
+    } else if (handler_is_async(cmd)) {
         err = qmp_async_cmd_handler(mon, cmd, args);
         if (err) {
             /* emit the error response */
commit 30f5041ef1ba534af9308d840bf359a50597ba5d
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Sep 13 15:34:56 2010 -0300

    Monitor: Drop QMP info from the qemu-monitor.hx file
    
    QMP has its own dispatch table and documentation file
    (qmp-commands.hx), we can now drop the following QMP specific info
    from qemu-monitor.hx:
    
        o SQMP/EQMP sections
        o The qmp_capabilities command
        o The query-commands command
    
    However, note that QObject handlers entries are not being removed.
    This will only happen when we introduce a proper QMP call interface.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 6e62643..b43277e 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2352,14 +2352,6 @@ static const mon_cmd_t info_cmds[] = {
         .mhandler.info_new = do_info_version,
     },
     {
-        .name       = "commands",
-        .args_type  = "",
-        .params     = "",
-        .help       = "list QMP available commands",
-        .user_print = monitor_user_noop,
-        .mhandler.info_new = do_info_commands,
-    },
-    {
         .name       = "network",
         .args_type  = "",
         .params     = "",
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index 57d28ac..81999aa 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -1,70 +1,10 @@
 HXCOMM Use DEFHEADING() to define headings in both help text and texi
 HXCOMM Text between STEXI and ETEXI are copied to texi version and
 HXCOMM discarded from C version
-HXCOMM Text between SQMP and EQMP is copied to the QMP documention file and
-HXCOMM does not show up in the other formats.
 HXCOMM DEF(command, args, callback, arg_string, help) is used to construct
 HXCOMM monitor commands
 HXCOMM HXCOMM can be used for comments, discarded from both texi and C
 
-SQMP
-                        QMP Supported Commands
-                        ----------------------
-
-This document describes all commands currently supported by QMP.
-
-Most of the time their usage is exactly the same as in the user Monitor, this
-means that any other document which also describe commands (the manpage,
-QEMU's manual, etc) can and should be consulted.
-
-QMP has two types of commands: regular and query commands. Regular commands
-usually change the Virtual Machine's state someway, while query commands just
-return information. The sections below are divided accordingly.
-
-It's important to observe that all communication examples are formatted in
-a reader-friendly way, so that they're easier to understand. However, in real
-protocol usage, they're emitted as a single line.
-
-Also, the following notation is used to denote data flow:
-
--> data issued by the Client
-<- Server data response
-
-Please, refer to the QMP specification (QMP/qmp-spec.txt) for detailed
-information on the Server command and response formats.
-
-NOTE: This document is temporary and will be replaced soon.
-
-1. Stability Considerations
-===========================
-
-The current QMP command set (described in this file) may be useful for a
-number of use cases, however it's limited and several commands have bad
-defined semantics, specially with regard to command completion.
-
-These problems are going to be solved incrementally in the next QEMU releases
-and we're going to establish a deprecation policy for badly defined commands.
-
-If you're planning to adopt QMP, please observe the following:
-
-    1. The deprecation policy will take efect and be documented soon, please
-       check the documentation of each used command as soon as a new release of
-       QEMU is available
-
-    2. DO NOT rely on anything which is not explicit documented
-
-    3. Errors, in special, are not documented. Applications should NOT check
-       for specific errors classes or data (it's strongly recommended to only
-       check for the "error" key)
-
-2. Regular Commands
-===================
-
-Server's responses in the examples below are always a success response, please
-refer to the QMP specification for more details on error responses.
-
-EQMP
-
 STEXI
 @table @option
 ETEXI
@@ -111,20 +51,6 @@ STEXI
 @findex quit
 Quit the emulator.
 ETEXI
-SQMP
-quit
-----
-
-Quit the emulator.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "quit" }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "eject",
@@ -140,25 +66,6 @@ STEXI
 @findex eject
 Eject a removable medium (use -f to force it).
 ETEXI
-SQMP
-eject
------
-
-Eject a removable medium.
-
-Arguments: 
-
-- force: force ejection (json-bool, optional)
-- device: device name (json-string)
-
-Example:
-
--> { "execute": "eject", "arguments": { "device": "ide1-cd0" } }
-<- { "return": {} }
-
-Note: The "force" argument defaults to false.
-
-EQMP
 
     {
         .name       = "change",
@@ -206,35 +113,6 @@ Password: ********
 
 @end table
 ETEXI
-SQMP
-change
-------
-
-Change a removable medium or VNC configuration.
-
-Arguments:
-
-- "device": device name (json-string)
-- "target": filename or item (json-string)
-- "arg": additional argument (json-string, optional)
-
-Examples:
-
-1. Change a removable medium
-
--> { "execute": "change",
-             "arguments": { "device": "ide1-cd0",
-                            "target": "/srv/images/Fedora-12-x86_64-DVD.iso" } }
-<- { "return": {} }
-
-2. Change VNC password
-
--> { "execute": "change",
-             "arguments": { "device": "vnc", "target": "password",
-                            "arg": "foobar1" } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "screendump",
@@ -250,22 +128,6 @@ STEXI
 @findex screendump
 Save screen into PPM image @var{filename}.
 ETEXI
-SQMP
-screendump
-----------
-
-Save screen into PPM image.
-
-Arguments:
-
-- "filename": file path (json-string)
-
-Example:
-
--> { "execute": "screendump", "arguments": { "filename": "/tmp/image" } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "logfile",
@@ -400,20 +262,6 @@ STEXI
 @findex stop
 Stop emulation.
 ETEXI
-SQMP
-stop
-----
-
-Stop the emulator.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "stop" }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "c|cont",
@@ -429,20 +277,6 @@ STEXI
 @findex cont
 Resume emulation.
 ETEXI
-SQMP
-cont
-----
-
-Resume emulation.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "cont" }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "gdbserver",
@@ -617,20 +451,6 @@ STEXI
 
 Reset the system.
 ETEXI
-SQMP
-system_reset
-------------
-
-Reset the system.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "system_reset" }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "system_powerdown",
@@ -647,20 +467,6 @@ STEXI
 
 Power down the system (if supported).
 ETEXI
-SQMP
-system_powerdown
-----------------
-
-Send system power down event.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "system_powerdown" }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "sum",
@@ -725,33 +531,6 @@ STEXI
 
 Add device.
 ETEXI
-SQMP
-device_add
-----------
-
-Add a device.
-
-Arguments:
-
-- "driver": the name of the new device's driver (json-string)
-- "bus": the device's parent bus (device tree path, json-string, optional)
-- "id": the device's ID, must be unique (json-string)
-- device properties
-
-Example:
-
--> { "execute": "device_add", "arguments": { "driver": "e1000", "id": "net1" } }
-<- { "return": {} }
-
-Notes:
-
-(1) For detailed information about this command, please refer to the
-    'docs/qdev-device-use.txt' file.
-
-(2) It's possible to list device properties by running QEMU with the
-    "-device DEVICE,\?" command-line argument, where DEVICE is the device's name
-
-EQMP
 
     {
         .name       = "device_del",
@@ -768,22 +547,6 @@ STEXI
 
 Remove device @var{id}.
 ETEXI
-SQMP
-device_del
-----------
-
-Remove a device.
-
-Arguments:
-
-- "id": the device's ID (json-string)
-
-Example:
-
--> { "execute": "device_del", "arguments": { "id": "net1" } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "cpu",
@@ -799,24 +562,6 @@ STEXI
 @findex cpu
 Set the default CPU.
 ETEXI
-SQMP
-cpu
----
-
-Set the default CPU.
-
-Arguments:
-
-- "index": the CPU's index (json-int)
-
-Example:
-
--> { "execute": "cpu", "arguments": { "index": 0 } }
-<- { "return": {} }
-
-Note: CPUs' indexes are obtained with the 'query-cpus' command.
-
-EQMP
 
     {
         .name       = "mouse_move",
@@ -920,29 +665,6 @@ STEXI
 @findex memsave
 save to disk virtual memory dump starting at @var{addr} of size @var{size}.
 ETEXI
-SQMP
-memsave
--------
-
-Save to disk virtual memory dump starting at 'val' of size 'size'.
-
-Arguments:
-
-- "val": the starting address (json-int)
-- "size": the memory size, in bytes (json-int)
-- "filename": file path (json-string)
-
-Example:
-
--> { "execute": "memsave",
-             "arguments": { "val": 10,
-                            "size": 100,
-                            "filename": "/tmp/virtual-mem-dump" } }
-<- { "return": {} }
-
-Note: Depends on the current CPU.
-
-EQMP
 
     {
         .name       = "pmemsave",
@@ -958,27 +680,6 @@ STEXI
 @findex pmemsave
 save to disk physical memory dump starting at @var{addr} of size @var{size}.
 ETEXI
-SQMP
-pmemsave
---------
-
-Save to disk physical memory dump starting at 'val' of size 'size'.
-
-Arguments:
-
-- "val": the starting address (json-int)
-- "size": the memory size, in bytes (json-int)
-- "filename": file path (json-string)
-
-Example:
-
--> { "execute": "pmemsave",
-             "arguments": { "val": 10,
-                            "size": 100,
-                            "filename": "/tmp/physical-mem-dump" } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "boot_set",
@@ -1035,32 +736,6 @@ Migrate to @var{uri} (using -d to not wait for completion).
 	-b for migration with full copy of disk
 	-i for migration with incremental copy of disk (base image is shared)
 ETEXI
-SQMP
-migrate
--------
-
-Migrate to URI.
-
-Arguments:
-
-- "blk": block migration, full disk copy (json-bool, optional)
-- "inc": incremental disk copy (json-bool, optional)
-- "uri": Destination URI (json-string)
-
-Example:
-
--> { "execute": "migrate", "arguments": { "uri": "tcp:0:4446" } }
-<- { "return": {} }
-
-Notes:
-
-(1) The 'query-migrate' command should be used to check migration's progress
-    and final result (this information is provided by the 'status' member)
-(2) All boolean arguments default to false
-(3) The user Monitor's "detach" argument is invalid in QMP and should not
-    be used
-
-EQMP
 
     {
         .name       = "migrate_cancel",
@@ -1076,20 +751,6 @@ STEXI
 @findex migrate_cancel
 Cancel the current VM migration.
 ETEXI
-SQMP
-migrate_cancel
---------------
-
-Cancel the current migration.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "migrate_cancel" }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "migrate_set_speed",
@@ -1105,22 +766,6 @@ STEXI
 @findex migrate_set_speed
 Set maximum speed to @var{value} (in bytes) for migrations.
 ETEXI
-SQMP
-migrate_set_speed
------------------
-
-Set maximum speed for migrations.
-
-Arguments:
-
-- "value": maximum speed, in bytes per second (json-number)
-
-Example:
-
--> { "execute": "migrate_set_speed", "arguments": { "value": 1024 } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "migrate_set_downtime",
@@ -1136,22 +781,6 @@ STEXI
 @findex migrate_set_downtime
 Set maximum tolerated downtime (in seconds) for migration.
 ETEXI
-SQMP
-migrate_set_downtime
---------------------
-
-Set maximum tolerated downtime (in seconds) for migrations.
-
-Arguments:
-
-- "value": maximum downtime (json-number)
-
-Example:
-
--> { "execute": "migrate_set_downtime", "arguments": { "value": 0.1 } }
-<- { "return": {} }
-
-EQMP
 
 #if defined(TARGET_I386)
     {
@@ -1247,28 +876,6 @@ STEXI
 @findex netdev_add
 Add host network device.
 ETEXI
-SQMP
-netdev_add
-----------
-
-Add host network device.
-
-Arguments:
-
-- "type": the device type, "tap", "user", ... (json-string)
-- "id": the device's ID, must be unique (json-string)
-- device options
-
-Example:
-
--> { "execute": "netdev_add", "arguments": { "type": "user", "id": "netdev1" } }
-<- { "return": {} }
-
-Note: The supported device options are the same ones supported by the '-net'
-      command-line argument, which are listed in the '-help' output or QEMU's
-      manual
-
-EQMP
 
     {
         .name       = "netdev_del",
@@ -1284,22 +891,6 @@ STEXI
 @findex netdev_del
 Remove host network device.
 ETEXI
-SQMP
-netdev_del
-----------
-
-Remove host network device.
-
-Arguments:
-
-- "id": the device's ID, must be unique (json-string)
-
-Example:
-
--> { "execute": "netdev_del", "arguments": { "id": "netdev1" } }
-<- { "return": {} }
-
-EQMP
 
 #ifdef CONFIG_SLIRP
     {
@@ -1347,22 +938,6 @@ STEXI
 @findex balloon
 Request VM to change its memory allocation to @var{value} (in MB).
 ETEXI
-SQMP
-balloon
--------
-
-Request VM to change its memory allocation (in bytes).
-
-Arguments:
-
-- "value": New memory allocation (json-int)
-
-Example:
-
--> { "execute": "balloon", "arguments": { "value": 536870912 } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "set_link",
@@ -1378,23 +953,6 @@ STEXI
 @findex set_link
 Switch link @var{name} on (i.e. up) or off (i.e. down).
 ETEXI
-SQMP
-set_link
---------
-
-Change the link status of a network adapter.
-
-Arguments:
-
-- "name": network device name (json-string)
-- "up": status is up (json-bool)
-
-Example:
-
--> { "execute": "set_link", "arguments": { "name": "e1000.0", "up": false } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "watchdog_action",
@@ -1524,22 +1082,6 @@ If a file descriptor is passed alongside this command using the SCM_RIGHTS
 mechanism on unix sockets, it is stored using the name @var{fdname} for
 later use by other monitor commands.
 ETEXI
-SQMP
-getfd
------
-
-Receive a file descriptor via SCM rights and assign it a name.
-
-Arguments:
-
-- "fdname": file descriptor name (json-string)
-
-Example:
-
--> { "execute": "getfd", "arguments": { "fdname": "fd1" } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "closefd",
@@ -1557,22 +1099,6 @@ Close the file descriptor previously assigned to @var{fdname} using the
 @code{getfd} command. This is only needed if the file descriptor was never
 used by another monitor command.
 ETEXI
-SQMP
-closefd
--------
-
-Close a file descriptor previously passed via SCM rights.
-
-Arguments:
-
-- "fdname": file descriptor name (json-string)
-
-Example:
-
--> { "execute": "closefd", "arguments": { "fdname": "fd1" } }
-<- { "return": {} }
-
-EQMP
 
     {
         .name       = "block_passwd",
@@ -1588,66 +1114,6 @@ STEXI
 @findex block_passwd
 Set the encrypted device @var{device} password to @var{password}
 ETEXI
-SQMP
-block_passwd
-------------
-
-Set the password of encrypted block devices.
-
-Arguments:
-
-- "device": device name (json-string)
-- "password": password (json-string)
-
-Example:
-
--> { "execute": "block_passwd", "arguments": { "device": "ide0-hd0",
-                                               "password": "12345" } }
-<- { "return": {} }
-
-EQMP
-
-    {
-        .name       = "qmp_capabilities",
-        .args_type  = "",
-        .params     = "",
-        .help       = "enable QMP capabilities",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_qmp_capabilities,
-    },
-
-STEXI
- at item qmp_capabilities
- at findex qmp_capabilities
-Enable the specified QMP capabilities
-ETEXI
-SQMP
-qmp_capabilities
-----------------
-
-Enable QMP capabilities.
-
-Arguments: None.
-
-Example:
-
--> { "execute": "qmp_capabilities" }
-<- { "return": {} }
-
-Note: This command must be issued before issuing any other command.
-
-EQMP
-
-
-HXCOMM Keep the 'info' command at the end!
-HXCOMM This is required for the QMP documentation layout.
-
-SQMP
-
-3. Query Commands
-=================
-
-EQMP
 
     {
         .name       = "info",
@@ -1665,579 +1131,38 @@ Show various information about the system state.
 @table @option
 @item info version
 show the version of QEMU
-ETEXI
-SQMP
-query-version
--------------
-
-Show QEMU version.
-
-Return a json-object with the following information:
-
-- "qemu": A json-object containing three integer values:
-    - "major": QEMU's major version (json-int)
-    - "minor": QEMU's minor version (json-int)
-    - "micro": QEMU's micro version (json-int)
-- "package": package's version (json-string)
-
-Example:
-
--> { "execute": "query-version" }
-<- {
-      "return":{
-         "qemu":{
-            "major":0,
-            "minor":11,
-            "micro":5
-         },
-         "package":""
-      }
-   }
-
-EQMP
-
-STEXI
- at item info commands
-list QMP available commands
-ETEXI
-SQMP
-query-commands
---------------
-
-List QMP available commands.
-
-Each command is represented by a json-object, the returned value is a json-array
-of all commands.
-
-Each json-object contain:
-
-- "name": command's name (json-string)
-
-Example:
-
--> { "execute": "query-commands" }
-<- {
-      "return":[
-         {
-            "name":"query-balloon"
-         },
-         {
-            "name":"system_powerdown"
-         }
-      ]
-   }
-
-Note: This example has been shortened as the real response is too long.
-
-EQMP
-
-STEXI
 @item info network
 show the various VLANs and the associated devices
-ETEXI
-
-STEXI
 @item info chardev
 show the character devices
-ETEXI
-SQMP
-query-chardev
--------------
-
-Each device is represented by a json-object. The returned value is a json-array
-of all devices.
-
-Each json-object contain the following:
-
-- "label": device's label (json-string)
-- "filename": device's file (json-string)
-
-Example:
-
--> { "execute": "query-chardev" }
-<- {
-      "return":[
-         {
-            "label":"monitor",
-            "filename":"stdio"
-         },
-         {
-            "label":"serial0",
-            "filename":"vc"
-         }
-      ]
-   }
-
-EQMP
-
-STEXI
 @item info block
 show the block devices
-ETEXI
-SQMP
-query-block
------------
-
-Show the block devices.
-
-Each block device information is stored in a json-object and the returned value
-is a json-array of all devices.
-
-Each json-object contain the following:
-
-- "device": device name (json-string)
-- "type": device type (json-string)
-         - Possible values: "hd", "cdrom", "floppy", "unknown"
-- "removable": true if the device is removable, false otherwise (json-bool)
-- "locked": true if the device is locked, false otherwise (json-bool)
-- "inserted": only present if the device is inserted, it is a json-object
-   containing the following:
-         - "file": device file name (json-string)
-         - "ro": true if read-only, false otherwise (json-bool)
-         - "drv": driver format name (json-string)
-             - Possible values: "blkdebug", "bochs", "cloop", "cow", "dmg",
-                                "file", "file", "ftp", "ftps", "host_cdrom",
-                                "host_device", "host_floppy", "http", "https",
-                                "nbd", "parallels", "qcow", "qcow2", "raw",
-                                "tftp", "vdi", "vmdk", "vpc", "vvfat"
-         - "backing_file": backing file name (json-string, optional)
-         - "encrypted": true if encrypted, false otherwise (json-bool)
-
-Example:
-
--> { "execute": "query-block" }
-<- {
-      "return":[
-         {
-            "device":"ide0-hd0",
-            "locked":false,
-            "removable":false,
-            "inserted":{
-               "ro":false,
-               "drv":"qcow2",
-               "encrypted":false,
-               "file":"disks/test.img"
-            },
-            "type":"hd"
-         },
-         {
-            "device":"ide1-cd0",
-            "locked":false,
-            "removable":true,
-            "type":"cdrom"
-         },
-         {
-            "device":"floppy0",
-            "locked":false,
-            "removable":true,
-            "type": "floppy"
-         },
-         {
-            "device":"sd0",
-            "locked":false,
-            "removable":true,
-            "type":"floppy"
-         }
-      ]
-   }
-
-EQMP
-
-STEXI
 @item info blockstats
 show block device statistics
-ETEXI
-SQMP
-query-blockstats
-----------------
-
-Show block device statistics.
-
-Each device statistic information is stored in a json-object and the returned
-value is a json-array of all devices.
-
-Each json-object contain the following:
-
-- "device": device name (json-string)
-- "stats": A json-object with the statistics information, it contains:
-    - "rd_bytes": bytes read (json-int)
-    - "wr_bytes": bytes written (json-int)
-    - "rd_operations": read operations (json-int)
-    - "wr_operations": write operations (json-int)
-    - "wr_highest_offset": Highest offset of a sector written since the
-                           BlockDriverState has been opened (json-int)
-- "parent": Contains recursively the statistics of the underlying
-            protocol (e.g. the host file for a qcow2 image). If there is
-            no underlying protocol, this field is omitted
-            (json-object, optional)
-
-Example:
-
--> { "execute": "query-blockstats" }
-<- {
-      "return":[
-         {
-            "device":"ide0-hd0",
-            "parent":{
-               "stats":{
-                  "wr_highest_offset":3686448128,
-                  "wr_bytes":9786368,
-                  "wr_operations":751,
-                  "rd_bytes":122567168,
-                  "rd_operations":36772
-               }
-            },
-            "stats":{
-               "wr_highest_offset":2821110784,
-               "wr_bytes":9786368,
-               "wr_operations":692,
-               "rd_bytes":122739200,
-               "rd_operations":36604
-            }
-         },
-         {
-            "device":"ide1-cd0",
-            "stats":{
-               "wr_highest_offset":0,
-               "wr_bytes":0,
-               "wr_operations":0,
-               "rd_bytes":0,
-               "rd_operations":0
-            }
-         },
-         {
-            "device":"floppy0",
-            "stats":{
-               "wr_highest_offset":0,
-               "wr_bytes":0,
-               "wr_operations":0,
-               "rd_bytes":0,
-               "rd_operations":0
-            }
-         },
-         {
-            "device":"sd0",
-            "stats":{
-               "wr_highest_offset":0,
-               "wr_bytes":0,
-               "wr_operations":0,
-               "rd_bytes":0,
-               "rd_operations":0
-            }
-         }
-      ]
-   }
-
-EQMP
-
-STEXI
 @item info registers
 show the cpu registers
 @item info cpus
 show infos for each CPU
-ETEXI
-SQMP
-query-cpus
-----------
-
-Show CPU information.
-
-Return a json-array. Each CPU is represented by a json-object, which contains:
-
-- "CPU": CPU index (json-int)
-- "current": true if this is the current CPU, false otherwise (json-bool)
-- "halted": true if the cpu is halted, false otherwise (json-bool)
-- Current program counter. The key's name depends on the architecture:
-     "pc": i386/x86_64 (json-int)
-     "nip": PPC (json-int)
-     "pc" and "npc": sparc (json-int)
-     "PC": mips (json-int)
-
-Example:
-
--> { "execute": "query-cpus" }
-<- {
-      "return":[
-         {
-            "CPU":0,
-            "current":true,
-            "halted":false,
-            "pc":3227107138
-         },
-         {
-            "CPU":1,
-            "current":false,
-            "halted":true,
-            "pc":7108165
-         }
-      ]
-   }
-
-EQMP
-
-STEXI
 @item info history
 show the command line history
 @item info irq
 show the interrupts statistics (if available)
 @item info pic
 show i8259 (PIC) state
-ETEXI
-
-STEXI
 @item info pci
 show emulated PCI device info
-ETEXI
-SQMP
-query-pci
----------
-
-PCI buses and devices information.
-
-The returned value is a json-array of all buses. Each bus is represented by
-a json-object, which has a key with a json-array of all PCI devices attached
-to it. Each device is represented by a json-object.
-
-The bus json-object contains the following:
-
-- "bus": bus number (json-int)
-- "devices": a json-array of json-objects, each json-object represents a
-             PCI device
-
-The PCI device json-object contains the following:
-
-- "bus": identical to the parent's bus number (json-int)
-- "slot": slot number (json-int)
-- "function": function number (json-int)
-- "class_info": a json-object containing:
-     - "desc": device class description (json-string, optional)
-     - "class": device class number (json-int)
-- "id": a json-object containing:
-     - "device": device ID (json-int)
-     - "vendor": vendor ID (json-int)
-- "irq": device's IRQ if assigned (json-int, optional)
-- "qdev_id": qdev id string (json-string)
-- "pci_bridge": It's a json-object, only present if this device is a
-                PCI bridge, contains:
-     - "bus": bus number (json-int)
-     - "secondary": secondary bus number (json-int)
-     - "subordinate": subordinate bus number (json-int)
-     - "io_range": I/O memory range information, a json-object with the
-                   following members:
-                 - "base": base address, in bytes (json-int)
-                 - "limit": limit address, in bytes (json-int)
-     - "memory_range": memory range information, a json-object with the
-                       following members:
-                 - "base": base address, in bytes (json-int)
-                 - "limit": limit address, in bytes (json-int)
-     - "prefetchable_range": Prefetchable memory range information, a
-                             json-object with the following members:
-                 - "base": base address, in bytes (json-int)
-                 - "limit": limit address, in bytes (json-int)
-     - "devices": a json-array of PCI devices if there's any attached, each
-                  each element is represented by a json-object, which contains
-                  the same members of the 'PCI device json-object' described
-                  above (optional)
-- "regions": a json-array of json-objects, each json-object represents a
-             memory region of this device
-
-The memory range json-object contains the following:
-
-- "base": base memory address (json-int)
-- "limit": limit value (json-int)
-
-The region json-object can be an I/O region or a memory region, an I/O region
-json-object contains the following:
-
-- "type": "io" (json-string, fixed)
-- "bar": BAR number (json-int)
-- "address": memory address (json-int)
-- "size": memory size (json-int)
-
-A memory region json-object contains the following:
-
-- "type": "memory" (json-string, fixed)
-- "bar": BAR number (json-int)
-- "address": memory address (json-int)
-- "size": memory size (json-int)
-- "mem_type_64": true or false (json-bool)
-- "prefetch": true or false (json-bool)
-
-Example:
-
--> { "execute": "query-pci" }
-<- {
-      "return":[
-         {
-            "bus":0,
-            "devices":[
-               {
-                  "bus":0,
-                  "qdev_id":"",
-                  "slot":0,
-                  "class_info":{
-                     "class":1536,
-                     "desc":"Host bridge"
-                  },
-                  "id":{
-                     "device":32902,
-                     "vendor":4663
-                  },
-                  "function":0,
-                  "regions":[
-   
-                  ]
-               },
-               {
-                  "bus":0,
-                  "qdev_id":"",
-                  "slot":1,
-                  "class_info":{
-                     "class":1537,
-                     "desc":"ISA bridge"
-                  },
-                  "id":{
-                     "device":32902,
-                     "vendor":28672
-                  },
-                  "function":0,
-                  "regions":[
-   
-                  ]
-               },
-               {
-                  "bus":0,
-                  "qdev_id":"",
-                  "slot":1,
-                  "class_info":{
-                     "class":257,
-                     "desc":"IDE controller"
-                  },
-                  "id":{
-                     "device":32902,
-                     "vendor":28688
-                  },
-                  "function":1,
-                  "regions":[
-                     {
-                        "bar":4,
-                        "size":16,
-                        "address":49152,
-                        "type":"io"
-                     }
-                  ]
-               },
-               {
-                  "bus":0,
-                  "qdev_id":"",
-                  "slot":2,
-                  "class_info":{
-                     "class":768,
-                     "desc":"VGA controller"
-                  },
-                  "id":{
-                     "device":4115,
-                     "vendor":184
-                  },
-                  "function":0,
-                  "regions":[
-                     {
-                        "prefetch":true,
-                        "mem_type_64":false,
-                        "bar":0,
-                        "size":33554432,
-                        "address":4026531840,
-                        "type":"memory"
-                     },
-                     {
-                        "prefetch":false,
-                        "mem_type_64":false,
-                        "bar":1,
-                        "size":4096,
-                        "address":4060086272,
-                        "type":"memory"
-                     },
-                     {
-                        "prefetch":false,
-                        "mem_type_64":false,
-                        "bar":6,
-                        "size":65536,
-                        "address":-1,
-                        "type":"memory"
-                     }
-                  ]
-               },
-               {
-                  "bus":0,
-                  "qdev_id":"",
-                  "irq":11,
-                  "slot":4,
-                  "class_info":{
-                     "class":1280,
-                     "desc":"RAM controller"
-                  },
-                  "id":{
-                     "device":6900,
-                     "vendor":4098
-                  },
-                  "function":0,
-                  "regions":[
-                     {
-                        "bar":0,
-                        "size":32,
-                        "address":49280,
-                        "type":"io"
-                     }
-                  ]
-               }
-            ]
-         }
-      ]
-   }
-
-Note: This example has been shortened as the real response is too long.
-
-EQMP
-
-STEXI
 @item info tlb
 show virtual to physical memory mappings (i386 only)
 @item info mem
 show the active virtual memory mappings (i386 only)
-ETEXI
-
-STEXI
 @item info jit
 show dynamic compiler info
 @item info kvm
 show KVM information
 @item info numa
 show NUMA information
-ETEXI
-
-STEXI
 @item info kvm
 show KVM information
-ETEXI
-SQMP
-query-kvm
----------
-
-Show KVM information.
-
-Return a json-object with the following information:
-
-- "enabled": true if KVM support is enabled, false otherwise (json-bool)
-- "present": true if QEMU has KVM support, false otherwise (json-bool)
-
-Example:
-
--> { "execute": "query-kvm" }
-<- { "return": { "enabled": true, "present": true } }
-
-EQMP
-
-STEXI
 @item info usb
 show USB devices plugged on the virtual USB hub
 @item info usbhost
@@ -2248,307 +1173,26 @@ show profiling information
 show information about active capturing
 @item info snapshots
 show list of VM snapshots
-ETEXI
-
-STEXI
 @item info status
 show the current VM status (running|paused)
-ETEXI
-SQMP
-query-status
-------------
-
-Return a json-object with the following information:
-
-- "running": true if the VM is running, or false if it is paused (json-bool)
-- "singlestep": true if the VM is in single step mode,
-                false otherwise (json-bool)
-
-Example:
-
--> { "execute": "query-status" }
-<- { "return": { "running": true, "singlestep": false } }
-
-EQMP
-
-STEXI
 @item info pcmcia
 show guest PCMCIA status
-ETEXI
-
-STEXI
 @item info mice
 show which guest mouse is receiving events
-ETEXI
-SQMP
-query-mice
-----------
-
-Show VM mice information.
-
-Each mouse is represented by a json-object, the returned value is a json-array
-of all mice.
-
-The mouse json-object contains the following:
-
-- "name": mouse's name (json-string)
-- "index": mouse's index (json-int)
-- "current": true if this mouse is receiving events, false otherwise (json-bool)
-- "absolute": true if the mouse generates absolute input events (json-bool)
-
-Example:
-
--> { "execute": "query-mice" }
-<- {
-      "return":[
-         {
-            "name":"QEMU Microsoft Mouse",
-            "index":0,
-            "current":false,
-            "absolute":false
-         },
-         {
-            "name":"QEMU PS/2 Mouse",
-            "index":1,
-            "current":true,
-            "absolute":true
-         }
-      ]
-   }
-
-EQMP
-
-STEXI
 @item info vnc
 show the vnc server status
-ETEXI
-SQMP
-query-vnc
----------
-
-Show VNC server information.
-
-Return a json-object with server information. Connected clients are returned
-as a json-array of json-objects.
-
-The main json-object contains the following:
-
-- "enabled": true or false (json-bool)
-- "host": server's IP address (json-string)
-- "family": address family (json-string)
-         - Possible values: "ipv4", "ipv6", "unix", "unknown"
-- "service": server's port number (json-string)
-- "auth": authentication method (json-string)
-         - Possible values: "invalid", "none", "ra2", "ra2ne", "sasl", "tight",
-                            "tls", "ultra", "unknown", "vencrypt", "vencrypt",
-                            "vencrypt+plain", "vencrypt+tls+none",
-                            "vencrypt+tls+plain", "vencrypt+tls+sasl",
-                            "vencrypt+tls+vnc", "vencrypt+x509+none",
-                            "vencrypt+x509+plain", "vencrypt+x509+sasl",
-                            "vencrypt+x509+vnc", "vnc"
-- "clients": a json-array of all connected clients
-
-Clients are described by a json-object, each one contain the following:
-
-- "host": client's IP address (json-string)
-- "family": address family (json-string)
-         - Possible values: "ipv4", "ipv6", "unix", "unknown"
-- "service": client's port number (json-string)
-- "x509_dname": TLS dname (json-string, optional)
-- "sasl_username": SASL username (json-string, optional)
-
-Example:
-
--> { "execute": "query-vnc" }
-<- {
-      "return":{
-         "enabled":true,
-         "host":"0.0.0.0",
-         "service":"50402",
-         "auth":"vnc",
-         "family":"ipv4",
-         "clients":[
-            {
-               "host":"127.0.0.1",
-               "service":"50401",
-               "family":"ipv4"
-            }
-         ]
-      }
-   }
-
-EQMP
-
-STEXI
 @item info name
 show the current VM name
-ETEXI
-SQMP
-query-name
-----------
-
-Show VM name.
-
-Return a json-object with the following information:
-
-- "name": VM's name (json-string, optional)
-
-Example:
-
--> { "execute": "query-name" }
-<- { "return": { "name": "qemu-name" } }
-
-EQMP
-
-STEXI
 @item info uuid
 show the current VM UUID
-ETEXI
-SQMP
-query-uuid
-----------
-
-Show VM UUID.
-
-Return a json-object with the following information:
-
-- "UUID": Universally Unique Identifier (json-string)
-
-Example:
-
--> { "execute": "query-uuid" }
-<- { "return": { "UUID": "550e8400-e29b-41d4-a716-446655440000" } }
-
-EQMP
-
-STEXI
 @item info cpustats
 show CPU statistics
 @item info usernet
 show user network stack connection states
-ETEXI
-
-STEXI
 @item info migrate
 show migration status
-ETEXI
-SQMP
-query-migrate
--------------
-
-Migration status.
-
-Return a json-object. If migration is active there will be another json-object
-with RAM migration status and if block migration is active another one with
-block migration status.
-
-The main json-object contains the following:
-
-- "status": migration status (json-string)
-     - Possible values: "active", "completed", "failed", "cancelled"
-- "ram": only present if "status" is "active", it is a json-object with the
-  following RAM information (in bytes):
-         - "transferred": amount transferred (json-int)
-         - "remaining": amount remaining (json-int)
-         - "total": total (json-int)
-- "disk": only present if "status" is "active" and it is a block migration,
-  it is a json-object with the following disk information (in bytes):
-         - "transferred": amount transferred (json-int)
-         - "remaining": amount remaining (json-int)
-         - "total": total (json-int)
-
-Examples:
-
-1. Before the first migration
-
--> { "execute": "query-migrate" }
-<- { "return": {} }
-
-2. Migration is done and has succeeded
-
--> { "execute": "query-migrate" }
-<- { "return": { "status": "completed" } }
-
-3. Migration is done and has failed
-
--> { "execute": "query-migrate" }
-<- { "return": { "status": "failed" } }
-
-4. Migration is being performed and is not a block migration:
-
--> { "execute": "query-migrate" }
-<- {
-      "return":{
-         "status":"active",
-         "ram":{
-            "transferred":123,
-            "remaining":123,
-            "total":246
-         }
-      }
-   }
-
-5. Migration is being performed and is a block migration:
-
--> { "execute": "query-migrate" }
-<- {
-      "return":{
-         "status":"active",
-         "ram":{
-            "total":1057024,
-            "remaining":1053304,
-            "transferred":3720
-         },
-         "disk":{
-            "total":20971520,
-            "remaining":20880384,
-            "transferred":91136
-         }
-      }
-   }
-
-EQMP
-
-STEXI
 @item info balloon
 show balloon information
-ETEXI
-SQMP
-query-balloon
--------------
-
-Show balloon information.
-
-Make an asynchronous request for balloon info. When the request completes a
-json-object will be returned containing the following data:
-
-- "actual": current balloon value in bytes (json-int)
-- "mem_swapped_in": Amount of memory swapped in bytes (json-int, optional)
-- "mem_swapped_out": Amount of memory swapped out in bytes (json-int, optional)
-- "major_page_faults": Number of major faults (json-int, optional)
-- "minor_page_faults": Number of minor faults (json-int, optional)
-- "free_mem": Total amount of free and unused memory in
-              bytes (json-int, optional)
-- "total_mem": Total amount of available memory in bytes (json-int, optional)
-
-Example:
-
--> { "execute": "query-balloon" }
-<- {
-      "return":{
-         "actual":1073741824,
-         "mem_swapped_in":0,
-         "mem_swapped_out":0,
-         "major_page_faults":142,
-         "minor_page_faults":239245,
-         "free_mem":1014185984,
-         "total_mem":1044668416
-      }
-   }
-
-EQMP
-
-STEXI
 @item info qtree
 show device tree
 @item info qdm
@@ -2567,8 +1211,6 @@ show available trace events and their state
 ETEXI
 #endif
 
-HXCOMM DO NOT add new commands after 'info', move your addition before it!
-
 STEXI
 @end table
 ETEXI
commit 9e80721effc4457c1fca38d3b3e9de6a32d5bcd7
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 16 10:58:59 2010 -0300

    Monitor: Rename monitor_handler_ported()
    
    That name makes no sense anymore, as dispatch tables have been split,
    a better name is handler_is_qobject(), which really communicates
    the handler's type.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 8f90250..b9dab78 100644
--- a/monitor.c
+++ b/monitor.c
@@ -330,7 +330,7 @@ static int monitor_fprintf(FILE *stream, const char *fmt, ...)
 
 static void monitor_user_noop(Monitor *mon, const QObject *data) { }
 
-static inline int monitor_handler_ported(const mon_cmd_t *cmd)
+static inline int handler_is_qobject(const mon_cmd_t *cmd)
 {
     return cmd->user_print != NULL;
 }
@@ -654,7 +654,7 @@ static void do_info(Monitor *mon, const QDict *qdict)
 
     if (monitor_handler_is_async(cmd)) {
         user_async_info_handler(mon, cmd);
-    } else if (monitor_handler_ported(cmd)) {
+    } else if (handler_is_qobject(cmd)) {
         QObject *info_data = NULL;
 
         cmd->mhandler.info_new(mon, &info_data);
@@ -3916,7 +3916,7 @@ static void handle_user_command(Monitor *mon, const char *cmdline)
 
     if (monitor_handler_is_async(cmd)) {
         user_async_cmd_handler(mon, cmd, qdict);
-    } else if (monitor_handler_ported(cmd)) {
+    } else if (handler_is_qobject(cmd)) {
         monitor_call_handler(mon, cmd, qdict);
     } else {
         cmd->mhandler.cmd(mon, qdict);
commit d1249eaa4b5af2a66b56ceb59b484c6337c3e3c7
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Sep 13 14:44:27 2010 -0300

    QMP: Small cleanup in handle_qmp_command()
    
    QMP has its own dispatch tables, we can now drop the following
    checks:
    
        o 'info' command: this command doesn't exist in QMP's
           dispatch table, the right thing will happen when it's
           issued by a client (ie. command not found error)
    
        o monitor_handler_ported(): all QMP handlers are 'ported', no
          need to check for that
    
        o monitor_cmd_user_only(): no HMP handler will exist in QMP's
          dispatch tables, that's why we have split them after all :-)
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 612ee56..6e62643 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4472,19 +4472,13 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
         goto err_out;
     }
 
-    /*
-     * XXX: We need this special case until QMP has its own dispatch table
-     */
-    if (compare_cmd(cmd_name, "info")) {
-        qerror_report(QERR_COMMAND_NOT_FOUND, cmd_name);
-        goto err_out;
-    } else if (strstart(cmd_name, "query-", &query_cmd)) {
+    if (strstart(cmd_name, "query-", &query_cmd)) {
         cmd = qmp_find_query_cmd(query_cmd);
     } else {
         cmd = qmp_find_cmd(cmd_name);
     }
 
-    if (!cmd || !monitor_handler_ported(cmd) || monitor_cmd_user_only(cmd)) {
+    if (!cmd) {
         qerror_report(QERR_COMMAND_NOT_FOUND, cmd_name);
         goto err_out;
     }
commit 0e19a62770a7a0876869432c69a5a5f2d7646e12
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 16 10:47:54 2010 -0300

    Monitor: Drop monitor_cmd_user_only()
    
    This function was only needed when QMP and HMP were sharing dispatch
    tables, this is no longer true so just drop it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index b43277e..8f90250 100644
--- a/monitor.c
+++ b/monitor.c
@@ -340,11 +340,6 @@ static inline bool monitor_handler_is_async(const mon_cmd_t *cmd)
     return cmd->flags & MONITOR_CMD_ASYNC;
 }
 
-static inline bool monitor_cmd_user_only(const mon_cmd_t *cmd)
-{
-    return (cmd->flags & MONITOR_CMD_USER_ONLY);
-}
-
 static inline int monitor_has_error(const Monitor *mon)
 {
     return mon->error != NULL;
diff --git a/monitor.h b/monitor.h
index f2122b5..44c3625 100644
--- a/monitor.h
+++ b/monitor.h
@@ -18,7 +18,6 @@ extern Monitor *default_mon;
 
 /* flags for monitor commands */
 #define MONITOR_CMD_ASYNC       0x0001
-#define MONITOR_CMD_USER_ONLY   0x0002
 
 /* QMP events */
 typedef enum MonitorEvent {
commit 2e061a7c86d77c599676d89c3461f8efe9c275b1
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Sep 16 10:36:54 2010 -0300

    QMP: Simplify do_info_commands()
    
    We now iterate over QMP's dispatch tables, no need to check for
    QMP-only handlers anymore.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index bf5da50..612ee56 100644
--- a/monitor.c
+++ b/monitor.c
@@ -749,18 +749,13 @@ static void do_info_commands(Monitor *mon, QObject **ret_data)
     cmd_list = qlist_new();
 
     for (cmd = qmp_cmds; cmd->name != NULL; cmd++) {
-        if (monitor_handler_ported(cmd) && !monitor_cmd_user_only(cmd) &&
-            !compare_cmd(cmd->name, "info")) {
-            qlist_append_obj(cmd_list, get_cmd_dict(cmd->name));
-        }
+        qlist_append_obj(cmd_list, get_cmd_dict(cmd->name));
     }
 
     for (cmd = qmp_query_cmds; cmd->name != NULL; cmd++) {
-        if (monitor_handler_ported(cmd) && !monitor_cmd_user_only(cmd)) {
-            char buf[128];
-            snprintf(buf, sizeof(buf), "query-%s", cmd->name);
-            qlist_append_obj(cmd_list, get_cmd_dict(buf));
-        }
+        char buf[128];
+        snprintf(buf, sizeof(buf), "query-%s", cmd->name);
+        qlist_append_obj(cmd_list, get_cmd_dict(buf));
     }
 
     *ret_data = QOBJECT(cmd_list);
commit 3e12a751edcced7ad40c3b87d9784ffcfe941dcc
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Sep 15 17:20:33 2010 -0300

    QMP: Introduce query commands dispatch table
    
    The new table is a copy of HMP's table, containing only QObject
    handlers.
    
    In the near future HMP will be making QMP calls and then we will
    be able to drop QObject handlers from HMP's table.
    
    From now on, QMP and HMP have different query command dispatch
    tables.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 06141a5..bf5da50 100644
--- a/monitor.c
+++ b/monitor.c
@@ -190,6 +190,7 @@ static const mon_cmd_t mon_cmds[];
 static const mon_cmd_t info_cmds[];
 
 static const mon_cmd_t qmp_cmds[];
+static const mon_cmd_t qmp_query_cmds[];
 
 Monitor *cur_mon;
 Monitor *default_mon;
@@ -754,7 +755,7 @@ static void do_info_commands(Monitor *mon, QObject **ret_data)
         }
     }
 
-    for (cmd = info_cmds; cmd->name != NULL; cmd++) {
+    for (cmd = qmp_query_cmds; cmd->name != NULL; cmd++) {
         if (monitor_handler_ported(cmd) && !monitor_cmd_user_only(cmd)) {
             char buf[128];
             snprintf(buf, sizeof(buf), "query-%s", cmd->name);
@@ -2642,6 +2643,131 @@ static const mon_cmd_t qmp_cmds[] = {
     { /* NULL */ },
 };
 
+static const mon_cmd_t qmp_query_cmds[] = {
+    {
+        .name       = "version",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the version of QEMU",
+        .user_print = do_info_version_print,
+        .mhandler.info_new = do_info_version,
+    },
+    {
+        .name       = "commands",
+        .args_type  = "",
+        .params     = "",
+        .help       = "list QMP available commands",
+        .user_print = monitor_user_noop,
+        .mhandler.info_new = do_info_commands,
+    },
+    {
+        .name       = "chardev",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the character devices",
+        .user_print = qemu_chr_info_print,
+        .mhandler.info_new = qemu_chr_info,
+    },
+    {
+        .name       = "block",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the block devices",
+        .user_print = bdrv_info_print,
+        .mhandler.info_new = bdrv_info,
+    },
+    {
+        .name       = "blockstats",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show block device statistics",
+        .user_print = bdrv_stats_print,
+        .mhandler.info_new = bdrv_info_stats,
+    },
+    {
+        .name       = "cpus",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show infos for each CPU",
+        .user_print = monitor_print_cpus,
+        .mhandler.info_new = do_info_cpus,
+    },
+    {
+        .name       = "pci",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show PCI info",
+        .user_print = do_pci_info_print,
+        .mhandler.info_new = do_pci_info,
+    },
+    {
+        .name       = "kvm",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show KVM information",
+        .user_print = do_info_kvm_print,
+        .mhandler.info_new = do_info_kvm,
+    },
+    {
+        .name       = "status",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the current VM status (running|paused)",
+        .user_print = do_info_status_print,
+        .mhandler.info_new = do_info_status,
+    },
+    {
+        .name       = "mice",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show which guest mouse is receiving events",
+        .user_print = do_info_mice_print,
+        .mhandler.info_new = do_info_mice,
+    },
+    {
+        .name       = "vnc",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the vnc server status",
+        .user_print = do_info_vnc_print,
+        .mhandler.info_new = do_info_vnc,
+    },
+    {
+        .name       = "name",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the current VM name",
+        .user_print = do_info_name_print,
+        .mhandler.info_new = do_info_name,
+    },
+    {
+        .name       = "uuid",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show the current VM UUID",
+        .user_print = do_info_uuid_print,
+        .mhandler.info_new = do_info_uuid,
+    },
+    {
+        .name       = "migrate",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show migration status",
+        .user_print = do_info_migrate_print,
+        .mhandler.info_new = do_info_migrate,
+    },
+    {
+        .name       = "balloon",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show balloon information",
+        .user_print = monitor_print_balloon,
+        .mhandler.info_async = do_info_balloon,
+        .flags      = MONITOR_CMD_ASYNC,
+    },
+    { /* NULL */ },
+};
+
 /*******************************************************************/
 
 static const char *pch;
@@ -3369,7 +3495,7 @@ static const mon_cmd_t *monitor_find_command(const char *cmdname)
 
 static const mon_cmd_t *qmp_find_query_cmd(const char *info_item)
 {
-    return search_dispatch_table(info_cmds, info_item);
+    return search_dispatch_table(qmp_query_cmds, info_item);
 }
 
 static const mon_cmd_t *qmp_find_cmd(const char *cmdname)
commit f36b4afba9fe6ab5adefef9ca67521a5f677fccc
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Sep 15 17:17:45 2010 -0300

    QMP: Introduce command dispatch table
    
    Also update QMP functions to use it. The table is generated
    from the qmp-commands.hx file.
    
    From now on, QMP and HMP have different command dispatch
    tables.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/Makefile.target b/Makefile.target
index 91d0381..3a1fa7e 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -307,7 +307,7 @@ obj-alpha-y = alpha_palcode.o
 
 main.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
-monitor.o: qemu-monitor.h
+monitor.o: qemu-monitor.h qmp-commands.h
 
 $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS)
 
@@ -331,10 +331,13 @@ gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/feature_to_c.sh
 qemu-monitor.h: $(SRC_PATH)/qemu-monitor.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
 
+qmp-commands.h: $(SRC_PATH)/qmp-commands.hx
+	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $(TARGET_DIR)$@")
+
 clean:
 	rm -f *.o *.a *~ $(PROGS) nwfpe/*.o fpu/*.o
 	rm -f *.d */*.d tcg/*.o ide/*.o
-	rm -f qemu-monitor.h gdbstub-xml.c
+	rm -f qemu-monitor.h qmp-commands.h gdbstub-xml.c
 
 install: all
 ifneq ($(PROGS),)
diff --git a/monitor.c b/monitor.c
index f62c34a..06141a5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -189,6 +189,8 @@ static QLIST_HEAD(mon_list, Monitor) mon_list;
 static const mon_cmd_t mon_cmds[];
 static const mon_cmd_t info_cmds[];
 
+static const mon_cmd_t qmp_cmds[];
+
 Monitor *cur_mon;
 Monitor *default_mon;
 
@@ -745,7 +747,7 @@ static void do_info_commands(Monitor *mon, QObject **ret_data)
 
     cmd_list = qlist_new();
 
-    for (cmd = mon_cmds; cmd->name != NULL; cmd++) {
+    for (cmd = qmp_cmds; cmd->name != NULL; cmd++) {
         if (monitor_handler_ported(cmd) && !monitor_cmd_user_only(cmd) &&
             !compare_cmd(cmd->name, "info")) {
             qlist_append_obj(cmd_list, get_cmd_dict(cmd->name));
@@ -2635,6 +2637,11 @@ static const mon_cmd_t info_cmds[] = {
     },
 };
 
+static const mon_cmd_t qmp_cmds[] = {
+#include "qmp-commands.h"
+    { /* NULL */ },
+};
+
 /*******************************************************************/
 
 static const char *pch;
@@ -3367,7 +3374,7 @@ static const mon_cmd_t *qmp_find_query_cmd(const char *info_item)
 
 static const mon_cmd_t *qmp_find_cmd(const char *cmdname)
 {
-    return search_dispatch_table(mon_cmds, cmdname);
+    return search_dispatch_table(qmp_cmds, cmdname);
 }
 
 static const mon_cmd_t *monitor_parse_command(Monitor *mon,
commit bead3ce139025797a7e970f7d2c43e61a60a7c48
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Sep 15 17:08:39 2010 -0300

    QMP: Introduce qmp_find_cmd()
    
    Next commit needs this new function: it will introduce the
    the QMP's command dispatch table and qmp_find_cmd() will be
    used to search on it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index f0854c4..f62c34a 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3365,6 +3365,11 @@ static const mon_cmd_t *qmp_find_query_cmd(const char *info_item)
     return search_dispatch_table(info_cmds, info_item);
 }
 
+static const mon_cmd_t *qmp_find_cmd(const char *cmdname)
+{
+    return search_dispatch_table(mon_cmds, cmdname);
+}
+
 static const mon_cmd_t *monitor_parse_command(Monitor *mon,
                                               const char *cmdline,
                                               QDict *qdict)
@@ -4348,7 +4353,7 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
     } else if (strstart(cmd_name, "query-", &query_cmd)) {
         cmd = qmp_find_query_cmd(query_cmd);
     } else {
-        cmd = monitor_find_command(cmd_name);
+        cmd = qmp_find_cmd(cmd_name);
     }
 
     if (!cmd || !monitor_handler_ported(cmd) || monitor_cmd_user_only(cmd)) {
commit 82a56f0d83d4bca92bbe8b0546cb70292c1dc65d
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Sep 13 12:26:00 2010 -0300

    Monitor: Introduce the qmp-commands.hx file
    
    This file contains a copy of the following information from the
    qemu-monitor.hx file:
    
        o QObject handlers entries
        o QMP documentation (all SQMP/EQMP sections)
    
    Right now it's only used to generate the QMP docs in QMP/, but
    next commits will turn this into QMP's command dispatch table.
    
    It's important to note that QObject handlers entries are going
    to get duplicated: they will exist in both QMP's and HMP's
    dispatch tables.
    
    This will be fixed in the near future, when we add a proper
    QMP call interface and HMP is converted to use it. This way we
    can completely drop QObject handlers entries from HMP's tables.
    
    NOTE: HMP specific constructions, like "q|quit", have been dropped.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/Makefile b/Makefile
index fca1e7a..938d88b 100644
--- a/Makefile
+++ b/Makefile
@@ -252,7 +252,7 @@ qemu-options.texi: $(SRC_PATH)/qemu-options.hx
 qemu-monitor.texi: $(SRC_PATH)/qemu-monitor.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -t < $< > $@,"  GEN   $@")
 
-QMP/qmp-commands.txt: $(SRC_PATH)/qemu-monitor.hx
+QMP/qmp-commands.txt: $(SRC_PATH)/qmp-commands.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -q < $< > $@,"  GEN   $@")
 
 qemu-img-cmds.texi: $(SRC_PATH)/qemu-img-cmds.hx
diff --git a/QMP/README b/QMP/README
index 948d445..7e2b51a 100644
--- a/QMP/README
+++ b/QMP/README
@@ -82,7 +82,7 @@ doing any code change. This is so because:
   2. Review can improve your interface.  Letting that happen before
      you implement it can save you work.
 
-* The qmp-commands.txt file is generated from the qemu-monitor.hx one, which
+* The qmp-commands.txt file is generated from the qmp-commands.hx one, which
   is the file that should be edited.
 
 Homepage
diff --git a/qmp-commands.hx b/qmp-commands.hx
new file mode 100644
index 0000000..793cf1c
--- /dev/null
+++ b/qmp-commands.hx
@@ -0,0 +1,1541 @@
+HXCOMM QMP dispatch table and documentation
+HXCOMM Text between SQMP and EQMP is copied to the QMP documention file and
+HXCOMM does not show up in the other formats.
+
+SQMP
+                        QMP Supported Commands
+                        ----------------------
+
+This document describes all commands currently supported by QMP.
+
+Most of the time their usage is exactly the same as in the user Monitor, this
+means that any other document which also describe commands (the manpage,
+QEMU's manual, etc) can and should be consulted.
+
+QMP has two types of commands: regular and query commands. Regular commands
+usually change the Virtual Machine's state someway, while query commands just
+return information. The sections below are divided accordingly.
+
+It's important to observe that all communication examples are formatted in
+a reader-friendly way, so that they're easier to understand. However, in real
+protocol usage, they're emitted as a single line.
+
+Also, the following notation is used to denote data flow:
+
+-> data issued by the Client
+<- Server data response
+
+Please, refer to the QMP specification (QMP/qmp-spec.txt) for detailed
+information on the Server command and response formats.
+
+NOTE: This document is temporary and will be replaced soon.
+
+1. Stability Considerations
+===========================
+
+The current QMP command set (described in this file) may be useful for a
+number of use cases, however it's limited and several commands have bad
+defined semantics, specially with regard to command completion.
+
+These problems are going to be solved incrementally in the next QEMU releases
+and we're going to establish a deprecation policy for badly defined commands.
+
+If you're planning to adopt QMP, please observe the following:
+
+    1. The deprecation policy will take efect and be documented soon, please
+       check the documentation of each used command as soon as a new release of
+       QEMU is available
+
+    2. DO NOT rely on anything which is not explicit documented
+
+    3. Errors, in special, are not documented. Applications should NOT check
+       for specific errors classes or data (it's strongly recommended to only
+       check for the "error" key)
+
+2. Regular Commands
+===================
+
+Server's responses in the examples below are always a success response, please
+refer to the QMP specification for more details on error responses.
+
+EQMP
+
+    {
+        .name       = "quit",
+        .args_type  = "",
+        .params     = "",
+        .help       = "quit the emulator",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_quit,
+    },
+
+SQMP
+quit
+----
+
+Quit the emulator.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "quit" }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "eject",
+        .args_type  = "force:-f,device:B",
+        .params     = "[-f] device",
+        .help       = "eject a removable medium (use -f to force it)",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_eject,
+    },
+
+SQMP
+eject
+-----
+
+Eject a removable medium.
+
+Arguments: 
+
+- force: force ejection (json-bool, optional)
+- device: device name (json-string)
+
+Example:
+
+-> { "execute": "eject", "arguments": { "device": "ide1-cd0" } }
+<- { "return": {} }
+
+Note: The "force" argument defaults to false.
+
+EQMP
+
+    {
+        .name       = "change",
+        .args_type  = "device:B,target:F,arg:s?",
+        .params     = "device filename [format]",
+        .help       = "change a removable medium, optional format",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_change,
+    },
+
+SQMP
+change
+------
+
+Change a removable medium or VNC configuration.
+
+Arguments:
+
+- "device": device name (json-string)
+- "target": filename or item (json-string)
+- "arg": additional argument (json-string, optional)
+
+Examples:
+
+1. Change a removable medium
+
+-> { "execute": "change",
+             "arguments": { "device": "ide1-cd0",
+                            "target": "/srv/images/Fedora-12-x86_64-DVD.iso" } }
+<- { "return": {} }
+
+2. Change VNC password
+
+-> { "execute": "change",
+             "arguments": { "device": "vnc", "target": "password",
+                            "arg": "foobar1" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "screendump",
+        .args_type  = "filename:F",
+        .params     = "filename",
+        .help       = "save screen into PPM image 'filename'",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_screen_dump,
+    },
+
+SQMP
+screendump
+----------
+
+Save screen into PPM image.
+
+Arguments:
+
+- "filename": file path (json-string)
+
+Example:
+
+-> { "execute": "screendump", "arguments": { "filename": "/tmp/image" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "stop",
+        .args_type  = "",
+        .params     = "",
+        .help       = "stop emulation",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_stop,
+    },
+
+SQMP
+stop
+----
+
+Stop the emulator.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "stop" }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "cont",
+        .args_type  = "",
+        .params     = "",
+        .help       = "resume emulation",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_cont,
+    },
+
+SQMP
+cont
+----
+
+Resume emulation.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "cont" }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "system_reset",
+        .args_type  = "",
+        .params     = "",
+        .help       = "reset the system",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_system_reset,
+    },
+
+SQMP
+system_reset
+------------
+
+Reset the system.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "system_reset" }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "system_powerdown",
+        .args_type  = "",
+        .params     = "",
+        .help       = "send system power down event",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_system_powerdown,
+    },
+
+SQMP
+system_powerdown
+----------------
+
+Send system power down event.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "system_powerdown" }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "device_add",
+        .args_type  = "device:O",
+        .params     = "driver[,prop=value][,...]",
+        .help       = "add device, like -device on the command line",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_device_add,
+    },
+
+SQMP
+device_add
+----------
+
+Add a device.
+
+Arguments:
+
+- "driver": the name of the new device's driver (json-string)
+- "bus": the device's parent bus (device tree path, json-string, optional)
+- "id": the device's ID, must be unique (json-string)
+- device properties
+
+Example:
+
+-> { "execute": "device_add", "arguments": { "driver": "e1000", "id": "net1" } }
+<- { "return": {} }
+
+Notes:
+
+(1) For detailed information about this command, please refer to the
+    'docs/qdev-device-use.txt' file.
+
+(2) It's possible to list device properties by running QEMU with the
+    "-device DEVICE,\?" command-line argument, where DEVICE is the device's name
+
+EQMP
+
+    {
+        .name       = "device_del",
+        .args_type  = "id:s",
+        .params     = "device",
+        .help       = "remove device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_device_del,
+    },
+
+SQMP
+device_del
+----------
+
+Remove a device.
+
+Arguments:
+
+- "id": the device's ID (json-string)
+
+Example:
+
+-> { "execute": "device_del", "arguments": { "id": "net1" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "cpu",
+        .args_type  = "index:i",
+        .params     = "index",
+        .help       = "set the default CPU",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_cpu_set,
+    },
+
+SQMP
+cpu
+---
+
+Set the default CPU.
+
+Arguments:
+
+- "index": the CPU's index (json-int)
+
+Example:
+
+-> { "execute": "cpu", "arguments": { "index": 0 } }
+<- { "return": {} }
+
+Note: CPUs' indexes are obtained with the 'query-cpus' command.
+
+EQMP
+
+    {
+        .name       = "memsave",
+        .args_type  = "val:l,size:i,filename:s",
+        .params     = "addr size file",
+        .help       = "save to disk virtual memory dump starting at 'addr' of size 'size'",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_memory_save,
+    },
+
+SQMP
+memsave
+-------
+
+Save to disk virtual memory dump starting at 'val' of size 'size'.
+
+Arguments:
+
+- "val": the starting address (json-int)
+- "size": the memory size, in bytes (json-int)
+- "filename": file path (json-string)
+
+Example:
+
+-> { "execute": "memsave",
+             "arguments": { "val": 10,
+                            "size": 100,
+                            "filename": "/tmp/virtual-mem-dump" } }
+<- { "return": {} }
+
+Note: Depends on the current CPU.
+
+EQMP
+
+    {
+        .name       = "pmemsave",
+        .args_type  = "val:l,size:i,filename:s",
+        .params     = "addr size file",
+        .help       = "save to disk physical memory dump starting at 'addr' of size 'size'",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_physical_memory_save,
+    },
+
+SQMP
+pmemsave
+--------
+
+Save to disk physical memory dump starting at 'val' of size 'size'.
+
+Arguments:
+
+- "val": the starting address (json-int)
+- "size": the memory size, in bytes (json-int)
+- "filename": file path (json-string)
+
+Example:
+
+-> { "execute": "pmemsave",
+             "arguments": { "val": 10,
+                            "size": 100,
+                            "filename": "/tmp/physical-mem-dump" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "migrate",
+        .args_type  = "detach:-d,blk:-b,inc:-i,uri:s",
+        .params     = "[-d] [-b] [-i] uri",
+        .help       = "migrate to URI (using -d to not wait for completion)"
+		      "\n\t\t\t -b for migration without shared storage with"
+		      " full copy of disk\n\t\t\t -i for migration without "
+		      "shared storage with incremental copy of disk "
+		      "(base image shared between src and destination)",
+        .user_print = monitor_user_noop,	
+	.mhandler.cmd_new = do_migrate,
+    },
+
+SQMP
+migrate
+-------
+
+Migrate to URI.
+
+Arguments:
+
+- "blk": block migration, full disk copy (json-bool, optional)
+- "inc": incremental disk copy (json-bool, optional)
+- "uri": Destination URI (json-string)
+
+Example:
+
+-> { "execute": "migrate", "arguments": { "uri": "tcp:0:4446" } }
+<- { "return": {} }
+
+Notes:
+
+(1) The 'query-migrate' command should be used to check migration's progress
+    and final result (this information is provided by the 'status' member)
+(2) All boolean arguments default to false
+(3) The user Monitor's "detach" argument is invalid in QMP and should not
+    be used
+
+EQMP
+
+    {
+        .name       = "migrate_cancel",
+        .args_type  = "",
+        .params     = "",
+        .help       = "cancel the current VM migration",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_migrate_cancel,
+    },
+
+SQMP
+migrate_cancel
+--------------
+
+Cancel the current migration.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "migrate_cancel" }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "migrate_set_speed",
+        .args_type  = "value:f",
+        .params     = "value",
+        .help       = "set maximum speed (in bytes) for migrations",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_migrate_set_speed,
+    },
+
+SQMP
+migrate_set_speed
+-----------------
+
+Set maximum speed for migrations.
+
+Arguments:
+
+- "value": maximum speed, in bytes per second (json-number)
+
+Example:
+
+-> { "execute": "migrate_set_speed", "arguments": { "value": 1024 } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "migrate_set_downtime",
+        .args_type  = "value:T",
+        .params     = "value",
+        .help       = "set maximum tolerated downtime (in seconds) for migrations",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_migrate_set_downtime,
+    },
+
+SQMP
+migrate_set_downtime
+--------------------
+
+Set maximum tolerated downtime (in seconds) for migrations.
+
+Arguments:
+
+- "value": maximum downtime (json-number)
+
+Example:
+
+-> { "execute": "migrate_set_downtime", "arguments": { "value": 0.1 } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "netdev_add",
+        .args_type  = "netdev:O",
+        .params     = "[user|tap|socket],id=str[,prop=value][,...]",
+        .help       = "add host network device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_netdev_add,
+    },
+
+SQMP
+netdev_add
+----------
+
+Add host network device.
+
+Arguments:
+
+- "type": the device type, "tap", "user", ... (json-string)
+- "id": the device's ID, must be unique (json-string)
+- device options
+
+Example:
+
+-> { "execute": "netdev_add", "arguments": { "type": "user", "id": "netdev1" } }
+<- { "return": {} }
+
+Note: The supported device options are the same ones supported by the '-net'
+      command-line argument, which are listed in the '-help' output or QEMU's
+      manual
+
+EQMP
+
+    {
+        .name       = "netdev_del",
+        .args_type  = "id:s",
+        .params     = "id",
+        .help       = "remove host network device",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_netdev_del,
+    },
+
+SQMP
+netdev_del
+----------
+
+Remove host network device.
+
+Arguments:
+
+- "id": the device's ID, must be unique (json-string)
+
+Example:
+
+-> { "execute": "netdev_del", "arguments": { "id": "netdev1" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "balloon",
+        .args_type  = "value:M",
+        .params     = "target",
+        .help       = "request VM to change its memory allocation (in MB)",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_async = do_balloon,
+        .flags      = MONITOR_CMD_ASYNC,
+    },
+
+SQMP
+balloon
+-------
+
+Request VM to change its memory allocation (in bytes).
+
+Arguments:
+
+- "value": New memory allocation (json-int)
+
+Example:
+
+-> { "execute": "balloon", "arguments": { "value": 536870912 } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "set_link",
+        .args_type  = "name:s,up:b",
+        .params     = "name on|off",
+        .help       = "change the link status of a network adapter",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_set_link,
+    },
+
+SQMP
+set_link
+--------
+
+Change the link status of a network adapter.
+
+Arguments:
+
+- "name": network device name (json-string)
+- "up": status is up (json-bool)
+
+Example:
+
+-> { "execute": "set_link", "arguments": { "name": "e1000.0", "up": false } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "getfd",
+        .args_type  = "fdname:s",
+        .params     = "getfd name",
+        .help       = "receive a file descriptor via SCM rights and assign it a name",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_getfd,
+    },
+
+SQMP
+getfd
+-----
+
+Receive a file descriptor via SCM rights and assign it a name.
+
+Arguments:
+
+- "fdname": file descriptor name (json-string)
+
+Example:
+
+-> { "execute": "getfd", "arguments": { "fdname": "fd1" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "closefd",
+        .args_type  = "fdname:s",
+        .params     = "closefd name",
+        .help       = "close a file descriptor previously passed via SCM rights",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_closefd,
+    },
+
+SQMP
+closefd
+-------
+
+Close a file descriptor previously passed via SCM rights.
+
+Arguments:
+
+- "fdname": file descriptor name (json-string)
+
+Example:
+
+-> { "execute": "closefd", "arguments": { "fdname": "fd1" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "block_passwd",
+        .args_type  = "device:B,password:s",
+        .params     = "block_passwd device password",
+        .help       = "set the password of encrypted block devices",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_block_set_passwd,
+    },
+
+SQMP
+block_passwd
+------------
+
+Set the password of encrypted block devices.
+
+Arguments:
+
+- "device": device name (json-string)
+- "password": password (json-string)
+
+Example:
+
+-> { "execute": "block_passwd", "arguments": { "device": "ide0-hd0",
+                                               "password": "12345" } }
+<- { "return": {} }
+
+EQMP
+
+    {
+        .name       = "qmp_capabilities",
+        .args_type  = "",
+        .params     = "",
+        .help       = "enable QMP capabilities",
+        .user_print = monitor_user_noop,
+        .mhandler.cmd_new = do_qmp_capabilities,
+    },
+
+SQMP
+qmp_capabilities
+----------------
+
+Enable QMP capabilities.
+
+Arguments: None.
+
+Example:
+
+-> { "execute": "qmp_capabilities" }
+<- { "return": {} }
+
+Note: This command must be issued before issuing any other command.
+
+3. Query Commands
+=================
+
+HXCOMM Each query command below is inside a SQMP/EQMP section, do NOT change
+HXCOMM this! We will possibly move query commands definitions inside those
+HXCOMM sections, just like regular commands.
+
+EQMP
+
+SQMP
+query-version
+-------------
+
+Show QEMU version.
+
+Return a json-object with the following information:
+
+- "qemu": A json-object containing three integer values:
+    - "major": QEMU's major version (json-int)
+    - "minor": QEMU's minor version (json-int)
+    - "micro": QEMU's micro version (json-int)
+- "package": package's version (json-string)
+
+Example:
+
+-> { "execute": "query-version" }
+<- {
+      "return":{
+         "qemu":{
+            "major":0,
+            "minor":11,
+            "micro":5
+         },
+         "package":""
+      }
+   }
+
+EQMP
+
+SQMP
+query-commands
+--------------
+
+List QMP available commands.
+
+Each command is represented by a json-object, the returned value is a json-array
+of all commands.
+
+Each json-object contain:
+
+- "name": command's name (json-string)
+
+Example:
+
+-> { "execute": "query-commands" }
+<- {
+      "return":[
+         {
+            "name":"query-balloon"
+         },
+         {
+            "name":"system_powerdown"
+         }
+      ]
+   }
+
+Note: This example has been shortened as the real response is too long.
+
+EQMP
+
+SQMP
+query-chardev
+-------------
+
+Each device is represented by a json-object. The returned value is a json-array
+of all devices.
+
+Each json-object contain the following:
+
+- "label": device's label (json-string)
+- "filename": device's file (json-string)
+
+Example:
+
+-> { "execute": "query-chardev" }
+<- {
+      "return":[
+         {
+            "label":"monitor",
+            "filename":"stdio"
+         },
+         {
+            "label":"serial0",
+            "filename":"vc"
+         }
+      ]
+   }
+
+EQMP
+
+SQMP
+query-block
+-----------
+
+Show the block devices.
+
+Each block device information is stored in a json-object and the returned value
+is a json-array of all devices.
+
+Each json-object contain the following:
+
+- "device": device name (json-string)
+- "type": device type (json-string)
+         - Possible values: "hd", "cdrom", "floppy", "unknown"
+- "removable": true if the device is removable, false otherwise (json-bool)
+- "locked": true if the device is locked, false otherwise (json-bool)
+- "inserted": only present if the device is inserted, it is a json-object
+   containing the following:
+         - "file": device file name (json-string)
+         - "ro": true if read-only, false otherwise (json-bool)
+         - "drv": driver format name (json-string)
+             - Possible values: "blkdebug", "bochs", "cloop", "cow", "dmg",
+                                "file", "file", "ftp", "ftps", "host_cdrom",
+                                "host_device", "host_floppy", "http", "https",
+                                "nbd", "parallels", "qcow", "qcow2", "raw",
+                                "tftp", "vdi", "vmdk", "vpc", "vvfat"
+         - "backing_file": backing file name (json-string, optional)
+         - "encrypted": true if encrypted, false otherwise (json-bool)
+
+Example:
+
+-> { "execute": "query-block" }
+<- {
+      "return":[
+         {
+            "device":"ide0-hd0",
+            "locked":false,
+            "removable":false,
+            "inserted":{
+               "ro":false,
+               "drv":"qcow2",
+               "encrypted":false,
+               "file":"disks/test.img"
+            },
+            "type":"hd"
+         },
+         {
+            "device":"ide1-cd0",
+            "locked":false,
+            "removable":true,
+            "type":"cdrom"
+         },
+         {
+            "device":"floppy0",
+            "locked":false,
+            "removable":true,
+            "type": "floppy"
+         },
+         {
+            "device":"sd0",
+            "locked":false,
+            "removable":true,
+            "type":"floppy"
+         }
+      ]
+   }
+
+EQMP
+
+SQMP
+query-blockstats
+----------------
+
+Show block device statistics.
+
+Each device statistic information is stored in a json-object and the returned
+value is a json-array of all devices.
+
+Each json-object contain the following:
+
+- "device": device name (json-string)
+- "stats": A json-object with the statistics information, it contains:
+    - "rd_bytes": bytes read (json-int)
+    - "wr_bytes": bytes written (json-int)
+    - "rd_operations": read operations (json-int)
+    - "wr_operations": write operations (json-int)
+    - "wr_highest_offset": Highest offset of a sector written since the
+                           BlockDriverState has been opened (json-int)
+- "parent": Contains recursively the statistics of the underlying
+            protocol (e.g. the host file for a qcow2 image). If there is
+            no underlying protocol, this field is omitted
+            (json-object, optional)
+
+Example:
+
+-> { "execute": "query-blockstats" }
+<- {
+      "return":[
+         {
+            "device":"ide0-hd0",
+            "parent":{
+               "stats":{
+                  "wr_highest_offset":3686448128,
+                  "wr_bytes":9786368,
+                  "wr_operations":751,
+                  "rd_bytes":122567168,
+                  "rd_operations":36772
+               }
+            },
+            "stats":{
+               "wr_highest_offset":2821110784,
+               "wr_bytes":9786368,
+               "wr_operations":692,
+               "rd_bytes":122739200,
+               "rd_operations":36604
+            }
+         },
+         {
+            "device":"ide1-cd0",
+            "stats":{
+               "wr_highest_offset":0,
+               "wr_bytes":0,
+               "wr_operations":0,
+               "rd_bytes":0,
+               "rd_operations":0
+            }
+         },
+         {
+            "device":"floppy0",
+            "stats":{
+               "wr_highest_offset":0,
+               "wr_bytes":0,
+               "wr_operations":0,
+               "rd_bytes":0,
+               "rd_operations":0
+            }
+         },
+         {
+            "device":"sd0",
+            "stats":{
+               "wr_highest_offset":0,
+               "wr_bytes":0,
+               "wr_operations":0,
+               "rd_bytes":0,
+               "rd_operations":0
+            }
+         }
+      ]
+   }
+
+EQMP
+
+SQMP
+query-cpus
+----------
+
+Show CPU information.
+
+Return a json-array. Each CPU is represented by a json-object, which contains:
+
+- "CPU": CPU index (json-int)
+- "current": true if this is the current CPU, false otherwise (json-bool)
+- "halted": true if the cpu is halted, false otherwise (json-bool)
+- Current program counter. The key's name depends on the architecture:
+     "pc": i386/x86_64 (json-int)
+     "nip": PPC (json-int)
+     "pc" and "npc": sparc (json-int)
+     "PC": mips (json-int)
+
+Example:
+
+-> { "execute": "query-cpus" }
+<- {
+      "return":[
+         {
+            "CPU":0,
+            "current":true,
+            "halted":false,
+            "pc":3227107138
+         },
+         {
+            "CPU":1,
+            "current":false,
+            "halted":true,
+            "pc":7108165
+         }
+      ]
+   }
+
+EQMP
+
+SQMP
+query-pci
+---------
+
+PCI buses and devices information.
+
+The returned value is a json-array of all buses. Each bus is represented by
+a json-object, which has a key with a json-array of all PCI devices attached
+to it. Each device is represented by a json-object.
+
+The bus json-object contains the following:
+
+- "bus": bus number (json-int)
+- "devices": a json-array of json-objects, each json-object represents a
+             PCI device
+
+The PCI device json-object contains the following:
+
+- "bus": identical to the parent's bus number (json-int)
+- "slot": slot number (json-int)
+- "function": function number (json-int)
+- "class_info": a json-object containing:
+     - "desc": device class description (json-string, optional)
+     - "class": device class number (json-int)
+- "id": a json-object containing:
+     - "device": device ID (json-int)
+     - "vendor": vendor ID (json-int)
+- "irq": device's IRQ if assigned (json-int, optional)
+- "qdev_id": qdev id string (json-string)
+- "pci_bridge": It's a json-object, only present if this device is a
+                PCI bridge, contains:
+     - "bus": bus number (json-int)
+     - "secondary": secondary bus number (json-int)
+     - "subordinate": subordinate bus number (json-int)
+     - "io_range": I/O memory range information, a json-object with the
+                   following members:
+                 - "base": base address, in bytes (json-int)
+                 - "limit": limit address, in bytes (json-int)
+     - "memory_range": memory range information, a json-object with the
+                       following members:
+                 - "base": base address, in bytes (json-int)
+                 - "limit": limit address, in bytes (json-int)
+     - "prefetchable_range": Prefetchable memory range information, a
+                             json-object with the following members:
+                 - "base": base address, in bytes (json-int)
+                 - "limit": limit address, in bytes (json-int)
+     - "devices": a json-array of PCI devices if there's any attached, each
+                  each element is represented by a json-object, which contains
+                  the same members of the 'PCI device json-object' described
+                  above (optional)
+- "regions": a json-array of json-objects, each json-object represents a
+             memory region of this device
+
+The memory range json-object contains the following:
+
+- "base": base memory address (json-int)
+- "limit": limit value (json-int)
+
+The region json-object can be an I/O region or a memory region, an I/O region
+json-object contains the following:
+
+- "type": "io" (json-string, fixed)
+- "bar": BAR number (json-int)
+- "address": memory address (json-int)
+- "size": memory size (json-int)
+
+A memory region json-object contains the following:
+
+- "type": "memory" (json-string, fixed)
+- "bar": BAR number (json-int)
+- "address": memory address (json-int)
+- "size": memory size (json-int)
+- "mem_type_64": true or false (json-bool)
+- "prefetch": true or false (json-bool)
+
+Example:
+
+-> { "execute": "query-pci" }
+<- {
+      "return":[
+         {
+            "bus":0,
+            "devices":[
+               {
+                  "bus":0,
+                  "qdev_id":"",
+                  "slot":0,
+                  "class_info":{
+                     "class":1536,
+                     "desc":"Host bridge"
+                  },
+                  "id":{
+                     "device":32902,
+                     "vendor":4663
+                  },
+                  "function":0,
+                  "regions":[
+   
+                  ]
+               },
+               {
+                  "bus":0,
+                  "qdev_id":"",
+                  "slot":1,
+                  "class_info":{
+                     "class":1537,
+                     "desc":"ISA bridge"
+                  },
+                  "id":{
+                     "device":32902,
+                     "vendor":28672
+                  },
+                  "function":0,
+                  "regions":[
+   
+                  ]
+               },
+               {
+                  "bus":0,
+                  "qdev_id":"",
+                  "slot":1,
+                  "class_info":{
+                     "class":257,
+                     "desc":"IDE controller"
+                  },
+                  "id":{
+                     "device":32902,
+                     "vendor":28688
+                  },
+                  "function":1,
+                  "regions":[
+                     {
+                        "bar":4,
+                        "size":16,
+                        "address":49152,
+                        "type":"io"
+                     }
+                  ]
+               },
+               {
+                  "bus":0,
+                  "qdev_id":"",
+                  "slot":2,
+                  "class_info":{
+                     "class":768,
+                     "desc":"VGA controller"
+                  },
+                  "id":{
+                     "device":4115,
+                     "vendor":184
+                  },
+                  "function":0,
+                  "regions":[
+                     {
+                        "prefetch":true,
+                        "mem_type_64":false,
+                        "bar":0,
+                        "size":33554432,
+                        "address":4026531840,
+                        "type":"memory"
+                     },
+                     {
+                        "prefetch":false,
+                        "mem_type_64":false,
+                        "bar":1,
+                        "size":4096,
+                        "address":4060086272,
+                        "type":"memory"
+                     },
+                     {
+                        "prefetch":false,
+                        "mem_type_64":false,
+                        "bar":6,
+                        "size":65536,
+                        "address":-1,
+                        "type":"memory"
+                     }
+                  ]
+               },
+               {
+                  "bus":0,
+                  "qdev_id":"",
+                  "irq":11,
+                  "slot":4,
+                  "class_info":{
+                     "class":1280,
+                     "desc":"RAM controller"
+                  },
+                  "id":{
+                     "device":6900,
+                     "vendor":4098
+                  },
+                  "function":0,
+                  "regions":[
+                     {
+                        "bar":0,
+                        "size":32,
+                        "address":49280,
+                        "type":"io"
+                     }
+                  ]
+               }
+            ]
+         }
+      ]
+   }
+
+Note: This example has been shortened as the real response is too long.
+
+EQMP
+
+SQMP
+query-kvm
+---------
+
+Show KVM information.
+
+Return a json-object with the following information:
+
+- "enabled": true if KVM support is enabled, false otherwise (json-bool)
+- "present": true if QEMU has KVM support, false otherwise (json-bool)
+
+Example:
+
+-> { "execute": "query-kvm" }
+<- { "return": { "enabled": true, "present": true } }
+
+EQMP
+
+SQMP
+query-status
+------------
+
+Return a json-object with the following information:
+
+- "running": true if the VM is running, or false if it is paused (json-bool)
+- "singlestep": true if the VM is in single step mode,
+                false otherwise (json-bool)
+
+Example:
+
+-> { "execute": "query-status" }
+<- { "return": { "running": true, "singlestep": false } }
+
+EQMP
+
+SQMP
+query-mice
+----------
+
+Show VM mice information.
+
+Each mouse is represented by a json-object, the returned value is a json-array
+of all mice.
+
+The mouse json-object contains the following:
+
+- "name": mouse's name (json-string)
+- "index": mouse's index (json-int)
+- "current": true if this mouse is receiving events, false otherwise (json-bool)
+- "absolute": true if the mouse generates absolute input events (json-bool)
+
+Example:
+
+-> { "execute": "query-mice" }
+<- {
+      "return":[
+         {
+            "name":"QEMU Microsoft Mouse",
+            "index":0,
+            "current":false,
+            "absolute":false
+         },
+         {
+            "name":"QEMU PS/2 Mouse",
+            "index":1,
+            "current":true,
+            "absolute":true
+         }
+      ]
+   }
+
+EQMP
+
+SQMP
+query-vnc
+---------
+
+Show VNC server information.
+
+Return a json-object with server information. Connected clients are returned
+as a json-array of json-objects.
+
+The main json-object contains the following:
+
+- "enabled": true or false (json-bool)
+- "host": server's IP address (json-string)
+- "family": address family (json-string)
+         - Possible values: "ipv4", "ipv6", "unix", "unknown"
+- "service": server's port number (json-string)
+- "auth": authentication method (json-string)
+         - Possible values: "invalid", "none", "ra2", "ra2ne", "sasl", "tight",
+                            "tls", "ultra", "unknown", "vencrypt", "vencrypt",
+                            "vencrypt+plain", "vencrypt+tls+none",
+                            "vencrypt+tls+plain", "vencrypt+tls+sasl",
+                            "vencrypt+tls+vnc", "vencrypt+x509+none",
+                            "vencrypt+x509+plain", "vencrypt+x509+sasl",
+                            "vencrypt+x509+vnc", "vnc"
+- "clients": a json-array of all connected clients
+
+Clients are described by a json-object, each one contain the following:
+
+- "host": client's IP address (json-string)
+- "family": address family (json-string)
+         - Possible values: "ipv4", "ipv6", "unix", "unknown"
+- "service": client's port number (json-string)
+- "x509_dname": TLS dname (json-string, optional)
+- "sasl_username": SASL username (json-string, optional)
+
+Example:
+
+-> { "execute": "query-vnc" }
+<- {
+      "return":{
+         "enabled":true,
+         "host":"0.0.0.0",
+         "service":"50402",
+         "auth":"vnc",
+         "family":"ipv4",
+         "clients":[
+            {
+               "host":"127.0.0.1",
+               "service":"50401",
+               "family":"ipv4"
+            }
+         ]
+      }
+   }
+
+EQMP
+
+SQMP
+query-name
+----------
+
+Show VM name.
+
+Return a json-object with the following information:
+
+- "name": VM's name (json-string, optional)
+
+Example:
+
+-> { "execute": "query-name" }
+<- { "return": { "name": "qemu-name" } }
+
+EQMP
+
+SQMP
+query-uuid
+----------
+
+Show VM UUID.
+
+Return a json-object with the following information:
+
+- "UUID": Universally Unique Identifier (json-string)
+
+Example:
+
+-> { "execute": "query-uuid" }
+<- { "return": { "UUID": "550e8400-e29b-41d4-a716-446655440000" } }
+
+EQMP
+
+SQMP
+query-migrate
+-------------
+
+Migration status.
+
+Return a json-object. If migration is active there will be another json-object
+with RAM migration status and if block migration is active another one with
+block migration status.
+
+The main json-object contains the following:
+
+- "status": migration status (json-string)
+     - Possible values: "active", "completed", "failed", "cancelled"
+- "ram": only present if "status" is "active", it is a json-object with the
+  following RAM information (in bytes):
+         - "transferred": amount transferred (json-int)
+         - "remaining": amount remaining (json-int)
+         - "total": total (json-int)
+- "disk": only present if "status" is "active" and it is a block migration,
+  it is a json-object with the following disk information (in bytes):
+         - "transferred": amount transferred (json-int)
+         - "remaining": amount remaining (json-int)
+         - "total": total (json-int)
+
+Examples:
+
+1. Before the first migration
+
+-> { "execute": "query-migrate" }
+<- { "return": {} }
+
+2. Migration is done and has succeeded
+
+-> { "execute": "query-migrate" }
+<- { "return": { "status": "completed" } }
+
+3. Migration is done and has failed
+
+-> { "execute": "query-migrate" }
+<- { "return": { "status": "failed" } }
+
+4. Migration is being performed and is not a block migration:
+
+-> { "execute": "query-migrate" }
+<- {
+      "return":{
+         "status":"active",
+         "ram":{
+            "transferred":123,
+            "remaining":123,
+            "total":246
+         }
+      }
+   }
+
+5. Migration is being performed and is a block migration:
+
+-> { "execute": "query-migrate" }
+<- {
+      "return":{
+         "status":"active",
+         "ram":{
+            "total":1057024,
+            "remaining":1053304,
+            "transferred":3720
+         },
+         "disk":{
+            "total":20971520,
+            "remaining":20880384,
+            "transferred":91136
+         }
+      }
+   }
+
+EQMP
+
+SQMP
+query-balloon
+-------------
+
+Show balloon information.
+
+Make an asynchronous request for balloon info. When the request completes a
+json-object will be returned containing the following data:
+
+- "actual": current balloon value in bytes (json-int)
+- "mem_swapped_in": Amount of memory swapped in bytes (json-int, optional)
+- "mem_swapped_out": Amount of memory swapped out in bytes (json-int, optional)
+- "major_page_faults": Number of major faults (json-int, optional)
+- "minor_page_faults": Number of minor faults (json-int, optional)
+- "free_mem": Total amount of free and unused memory in
+              bytes (json-int, optional)
+- "total_mem": Total amount of available memory in bytes (json-int, optional)
+
+Example:
+
+-> { "execute": "query-balloon" }
+<- {
+      "return":{
+         "actual":1073741824,
+         "mem_swapped_in":0,
+         "mem_swapped_out":0,
+         "major_page_faults":142,
+         "minor_page_faults":239245,
+         "free_mem":1014185984,
+         "total_mem":1044668416
+      }
+   }
+
+EQMP
+
commit 1162daa6c163ca022165a9bcb3078c2e16f32674
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Sep 13 12:15:26 2010 -0300

    Monitor: Convert do_info() back to HMP
    
    This is a HMP specific handler, it makes no sense to have it
    under QMP.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 7f2af49..f0854c4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -636,7 +636,7 @@ static void user_async_info_handler(Monitor *mon, const mon_cmd_t *cmd)
     }
 }
 
-static int do_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
+static void do_info(Monitor *mon, const QDict *qdict)
 {
     const mon_cmd_t *cmd;
     const char *item = qdict_get_try_str(qdict, "item");
@@ -668,11 +668,10 @@ static int do_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
         cmd->mhandler.info(mon);
     }
 
-    return 0;
+    return;
 
 help:
     help_cmd(mon, "info");
-    return 0;
 }
 
 static void do_info_version_print(Monitor *mon, const QObject *data)
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index 49bcd8d..57d28ac 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -1654,8 +1654,7 @@ EQMP
         .args_type  = "item:s?",
         .params     = "[subcommand]",
         .help       = "show various information about the system state",
-        .user_print = monitor_user_noop,
-        .mhandler.cmd_new = do_info,
+        .mhandler.cmd = do_info,
     },
 
 STEXI
commit d4551293d68a1876df87400be6c71c657756d0bb
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Sep 15 16:56:48 2010 -0300

    Monitor: Drop is_async_return()
    
    If I understood it correcty, the is_async_return() logic was only
    used to prevent QMP from issuing duplicated success responses
    for asynchronous handlers.
    
    However, QMP doesn't use do_info() anymore so this is dead logic
    and (hopefully) can be safely dropped.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 4fc0ad3..7f2af49 100644
--- a/monitor.c
+++ b/monitor.c
@@ -656,12 +656,6 @@ static int do_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
 
     if (monitor_handler_is_async(cmd)) {
         user_async_info_handler(mon, cmd);
-        /*
-         * Indicate that this command is asynchronous and will not return any
-         * data (not even empty).  Instead, the data will be returned via a
-         * completion callback.
-         */
-        *ret_data = qobject_from_jsonf("{ '__mon_async': 'return' }");
     } else if (monitor_handler_ported(cmd)) {
         QObject *info_data = NULL;
 
@@ -3720,15 +3714,6 @@ void monitor_set_error(Monitor *mon, QError *qerror)
     }
 }
 
-static int is_async_return(const QObject *data)
-{
-    if (data && qobject_type(data) == QTYPE_QDICT) {
-        return qdict_haskey(qobject_to_qdict(data), "__mon_async");
-    }
-
-    return 0;
-}
-
 static void handler_audit(Monitor *mon, const mon_cmd_t *cmd, int ret)
 {
     if (monitor_ctrl_mode(mon)) {
@@ -3787,15 +3772,7 @@ static void monitor_call_handler(Monitor *mon, const mon_cmd_t *cmd,
     ret = cmd->mhandler.cmd_new(mon, params, &data);
     handler_audit(mon, cmd, ret);
 
-    if (is_async_return(data)) {
-        /*
-         * Asynchronous commands have no initial return data but they can
-         * generate errors.  Data is returned via the async completion handler.
-         */
-        if (monitor_ctrl_mode(mon) && monitor_has_error(mon)) {
-            monitor_protocol_emitter(mon, NULL);
-        }
-    } else if (monitor_ctrl_mode(mon)) {
+    if (monitor_ctrl_mode(mon)) {
         /* Monitor Protocol */
         monitor_protocol_emitter(mon, data);
     } else {
commit 1dcbd6f6b79d5cae4d11572ce945653ca93291cc
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Fri Sep 10 17:00:16 2010 -0300

    Monitor: Drop QMP bits from do_info()
    
    As of last commit, QMP doesn't use do_info() anymore. Simplify it.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index ff65f38..4fc0ad3 100644
--- a/monitor.c
+++ b/monitor.c
@@ -642,7 +642,6 @@ static int do_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
     const char *item = qdict_get_try_str(qdict, "item");
 
     if (!item) {
-        assert(monitor_ctrl_mode(mon) == 0);
         goto help;
     }
 
@@ -652,24 +651,11 @@ static int do_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
     }
 
     if (cmd->name == NULL) {
-        if (monitor_ctrl_mode(mon)) {
-            qerror_report(QERR_COMMAND_NOT_FOUND, item);
-            return -1;
-        }
         goto help;
     }
 
-    if (monitor_ctrl_mode(mon) && monitor_cmd_user_only(cmd)) {
-        qerror_report(QERR_COMMAND_NOT_FOUND, item);
-        return -1;
-    }
-
     if (monitor_handler_is_async(cmd)) {
-        if (monitor_ctrl_mode(mon)) {
-            qmp_async_info_handler(mon, cmd);
-        } else {
-            user_async_info_handler(mon, cmd);
-        }
+        user_async_info_handler(mon, cmd);
         /*
          * Indicate that this command is asynchronous and will not return any
          * data (not even empty).  Instead, the data will be returned via a
@@ -677,24 +663,15 @@ static int do_info(Monitor *mon, const QDict *qdict, QObject **ret_data)
          */
         *ret_data = qobject_from_jsonf("{ '__mon_async': 'return' }");
     } else if (monitor_handler_ported(cmd)) {
-        cmd->mhandler.info_new(mon, ret_data);
+        QObject *info_data = NULL;
 
-        if (!monitor_ctrl_mode(mon)) {
-            /*
-             * User Protocol function is called here, Monitor Protocol is
-             * handled by monitor_call_handler()
-             */
-            if (*ret_data)
-                cmd->user_print(mon, *ret_data);
+        cmd->mhandler.info_new(mon, &info_data);
+        if (info_data) {
+            cmd->user_print(mon, info_data);
+            qobject_decref(info_data);
         }
     } else {
-        if (monitor_ctrl_mode(mon)) {
-            /* handler not converted yet */
-            qerror_report(QERR_COMMAND_NOT_FOUND, item);
-            return -1;
-        } else {
-            cmd->mhandler.info(mon);
-        }
+        cmd->mhandler.info(mon);
     }
 
     return 0;
commit 030db6e89d052fbf689b632d74026030bdf7a02a
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Fri Sep 10 16:03:38 2010 -0300

    QMP: Don't use do_info()
    
    Since its inception, QMP has been using HMP's do_info() function
    to run query commands.
    
    This was a bad choice, as it made do_info() more complex and
    contributed to couple QMP and HMP.
    
    This commit fixes that by doing the following changes:
    
      1. Introduce qmp_find_query_cmd() and use it to directly lookup
         the info_cmds table
    
      2. Introduce qmp_call_query_cmd() so that QMP code is able
         to call query handlers without using do_info()
    
      3. Drop do_info() usage (via monitor_find_command("info"))
    
    We need all the three changes in one shot so that we don't break
    the calling of query commands in QMP.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index 2efff8a..ff65f38 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3390,6 +3390,11 @@ static const mon_cmd_t *monitor_find_command(const char *cmdname)
     return search_dispatch_table(mon_cmds, cmdname);
 }
 
+static const mon_cmd_t *qmp_find_query_cmd(const char *info_item)
+{
+    return search_dispatch_table(info_cmds, info_item);
+}
+
 static const mon_cmd_t *monitor_parse_command(Monitor *mon,
                                               const char *cmdline,
                                               QDict *qdict)
@@ -4329,6 +4334,24 @@ static QDict *qmp_check_input_obj(QObject *input_obj)
     return input_dict;
 }
 
+static void qmp_call_query_cmd(Monitor *mon, const mon_cmd_t *cmd)
+{
+    QObject *ret_data = NULL;
+
+    if (monitor_handler_is_async(cmd)) {
+        qmp_async_info_handler(mon, cmd);
+        if (monitor_has_error(mon)) {
+            monitor_protocol_emitter(mon, NULL);
+        }
+    } else {
+        cmd->mhandler.info_new(mon, &ret_data);
+        if (ret_data) {
+            monitor_protocol_emitter(mon, ret_data);
+            qobject_decref(ret_data);
+        }
+    }
+}
+
 static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
 {
     int err;
@@ -4336,8 +4359,9 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
     QDict *input, *args;
     const mon_cmd_t *cmd;
     Monitor *mon = cur_mon;
-    const char *cmd_name, *info_item;
+    const char *cmd_name, *query_cmd;
 
+    query_cmd = NULL;
     args = input = NULL;
 
     obj = json_parser_parse(tokens, NULL);
@@ -4363,16 +4387,13 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
     }
 
     /*
-     * XXX: We need this special case until we get info handlers
-     * converted into 'query-' commands
+     * XXX: We need this special case until QMP has its own dispatch table
      */
     if (compare_cmd(cmd_name, "info")) {
         qerror_report(QERR_COMMAND_NOT_FOUND, cmd_name);
         goto err_out;
-    } else if (strstart(cmd_name, "query-", &info_item)) {
-        cmd = monitor_find_command("info");
-        qdict_put_obj(input, "arguments",
-                      qobject_from_jsonf("{ 'item': %s }", info_item));
+    } else if (strstart(cmd_name, "query-", &query_cmd)) {
+        cmd = qmp_find_query_cmd(query_cmd);
     } else {
         cmd = monitor_find_command(cmd_name);
     }
@@ -4395,7 +4416,9 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
         goto err_out;
     }
 
-    if (monitor_handler_is_async(cmd)) {
+    if (query_cmd) {
+        qmp_call_query_cmd(mon, cmd);
+    } else if (monitor_handler_is_async(cmd)) {
         err = qmp_async_cmd_handler(mon, cmd, args);
         if (err) {
             /* emit the error response */
commit 0fb88582e60e16e809c1aabc2c4b3e1f0832e267
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Wed Sep 15 10:56:17 2010 -0300

    QMP: handle_qmp_command(): Move 'cmd' sanity check
    
    Next commit will change how query commands are handled in a
    way that the 'cmd' sanity check is also going to be needed
    for query commands handling.
    
    Let's move it out of the else body then.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index da76eab..2efff8a 100644
--- a/monitor.c
+++ b/monitor.c
@@ -4375,11 +4375,11 @@ static void handle_qmp_command(JSONMessageParser *parser, QList *tokens)
                       qobject_from_jsonf("{ 'item': %s }", info_item));
     } else {
         cmd = monitor_find_command(cmd_name);
-        if (!cmd || !monitor_handler_ported(cmd)
-            || monitor_cmd_user_only(cmd)) {
-            qerror_report(QERR_COMMAND_NOT_FOUND, cmd_name);
-            goto err_out;
-        }
+    }
+
+    if (!cmd || !monitor_handler_ported(cmd) || monitor_cmd_user_only(cmd)) {
+        qerror_report(QERR_COMMAND_NOT_FOUND, cmd_name);
+        goto err_out;
     }
 
     obj = qdict_get(input, "arguments");
commit 945c5ac8d3c792bab36dc0990f11ca55f6eb3148
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Mon Sep 13 13:17:58 2010 -0300

    Monitor: Introduce search_dispatch_table()
    
    It's a generic version of monitor_find_command() which searches
    the dispatch table passed as an argument.
    
    Future commits will introduce new dispatch tables, so we need
    common code to search them.
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index a33cdc2..da76eab 100644
--- a/monitor.c
+++ b/monitor.c
@@ -3371,11 +3371,12 @@ static int is_valid_option(const char *c, const char *typestr)
     return (typestr != NULL);
 }
 
-static const mon_cmd_t *monitor_find_command(const char *cmdname)
+static const mon_cmd_t *search_dispatch_table(const mon_cmd_t *disp_table,
+                                              const char *cmdname)
 {
     const mon_cmd_t *cmd;
 
-    for (cmd = mon_cmds; cmd->name != NULL; cmd++) {
+    for (cmd = disp_table; cmd->name != NULL; cmd++) {
         if (compare_cmd(cmdname, cmd->name)) {
             return cmd;
         }
@@ -3384,6 +3385,11 @@ static const mon_cmd_t *monitor_find_command(const char *cmdname)
     return NULL;
 }
 
+static const mon_cmd_t *monitor_find_command(const char *cmdname)
+{
+    return search_dispatch_table(mon_cmds, cmdname);
+}
+
 static const mon_cmd_t *monitor_parse_command(Monitor *mon,
                                               const char *cmdline,
                                               QDict *qdict)
commit 07b0403dfc2b2ac179ae5b48105096cc2d03375a
Author: Eduardo Habkost <ehabkost at redhat.com>
Date:   Tue Sep 14 13:43:39 2010 -0300

    disable guest-provided stats on "info balloon" command
    
    The addition of memory stats reporting to the virtio balloon causes
    the 'info balloon' command to become asynchronous.  This is a regression
    because in some cases it can hang the user monitor.
    
    This is an alternative to Adam Litke's patch. Adam's patch disabled the
    corresponding (guest-visible) virtio feature bit, causing issues for migration.
    Original discussion is available at:
    http://marc.info/?l=qemu-devel&m=128448124328314&w=2
    
    Signed-off-by: Eduardo Habkost <ehabkost at redhat.com>
    Acked-by: Adam Litke <agl at us.ibm.com
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/hw/virtio-balloon.c b/hw/virtio-balloon.c
index 1e74674..8adddea 100644
--- a/hw/virtio-balloon.c
+++ b/hw/virtio-balloon.c
@@ -29,6 +29,10 @@
 #include <sys/mman.h>
 #endif
 
+/* Disable guest-provided stats by now (https://bugzilla.redhat.com/show_bug.cgi?id=623903) */
+#define ENABLE_GUEST_STATS   0
+
+
 typedef struct VirtIOBalloon
 {
     VirtIODevice vdev;
@@ -83,12 +87,14 @@ static QObject *get_stats_qobject(VirtIOBalloon *dev)
                                   VIRTIO_BALLOON_PFN_SHIFT);
 
     stat_put(dict, "actual", actual);
+#if ENABLE_GUEST_STATS
     stat_put(dict, "mem_swapped_in", dev->stats[VIRTIO_BALLOON_S_SWAP_IN]);
     stat_put(dict, "mem_swapped_out", dev->stats[VIRTIO_BALLOON_S_SWAP_OUT]);
     stat_put(dict, "major_page_faults", dev->stats[VIRTIO_BALLOON_S_MAJFLT]);
     stat_put(dict, "minor_page_faults", dev->stats[VIRTIO_BALLOON_S_MINFLT]);
     stat_put(dict, "free_mem", dev->stats[VIRTIO_BALLOON_S_MEMFREE]);
     stat_put(dict, "total_mem", dev->stats[VIRTIO_BALLOON_S_MEMTOT]);
+#endif
 
     return QOBJECT(dict);
 }
@@ -214,7 +220,7 @@ static void virtio_balloon_to_target(void *opaque, ram_addr_t target,
         }
         dev->stats_callback = cb;
         dev->stats_opaque_callback_data = cb_data; 
-        if (dev->vdev.guest_features & (1 << VIRTIO_BALLOON_F_STATS_VQ)) {
+        if (ENABLE_GUEST_STATS && (dev->vdev.guest_features & (1 << VIRTIO_BALLOON_F_STATS_VQ))) {
             virtqueue_push(dev->svq, &dev->stats_vq_elem, dev->stats_vq_offset);
             virtio_notify(&dev->vdev, dev->svq);
         } else {
commit 39eaab9ac2a82f5370758e8aeb8b7196f34fdabf
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Mon Jun 7 15:42:31 2010 +0100

    Add option to turn on JSON pretty printing in monitor
    
    Expaned '-mon' arg to allow a 'pretty=on' flag. This makes the
    monitor pretty print its replies to easy human debugging / reading
    
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/monitor.c b/monitor.c
index e602480..a33cdc2 100644
--- a/monitor.c
+++ b/monitor.c
@@ -351,7 +351,10 @@ static void monitor_json_emitter(Monitor *mon, const QObject *data)
 {
     QString *json;
 
-    json = qobject_to_json(data);
+    if (mon->flags & MONITOR_USE_PRETTY)
+	json = qobject_to_json_pretty(data);
+    else
+	json = qobject_to_json(data);
     assert(json != NULL);
 
     qstring_append_chr(json, '\n');
diff --git a/monitor.h b/monitor.h
index 38b22a4..f2122b5 100644
--- a/monitor.h
+++ b/monitor.h
@@ -14,6 +14,7 @@ extern Monitor *default_mon;
 #define MONITOR_IS_DEFAULT    0x01
 #define MONITOR_USE_READLINE  0x02
 #define MONITOR_USE_CONTROL   0x04
+#define MONITOR_USE_PRETTY    0x08
 
 /* flags for monitor commands */
 #define MONITOR_CMD_ASYNC       0x0001
diff --git a/qemu-config.c b/qemu-config.c
index e3b746c..6052a28 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -283,6 +283,9 @@ static QemuOptsList qemu_mon_opts = {
         },{
             .name = "default",
             .type = QEMU_OPT_BOOL,
+        },{
+            .name = "pretty",
+            .type = QEMU_OPT_BOOL,
         },
         { /* end of list */ }
     },
diff --git a/vl.c b/vl.c
index d352d18..939ee87 100644
--- a/vl.c
+++ b/vl.c
@@ -1562,6 +1562,9 @@ static int mon_init_func(QemuOpts *opts, void *opaque)
         exit(1);
     }
 
+    if (qemu_opt_get_bool(opts, "pretty", 0))
+        flags |= MONITOR_USE_PRETTY;
+
     if (qemu_opt_get_bool(opts, "default", 0))
         flags |= MONITOR_IS_DEFAULT;
 
commit 212b6008686369b288a2b71e4f1b25f07d854763
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Mon Jun 7 15:42:14 2010 +0100

    Add support for JSON pretty printing
    
    The monitor does not pretty-print JSON output, so that everything
    will be on a single line reply. When JSON docs get large this is
    quite unpleasant to read. For the future command line capabilities
    query ability, huge JSON docs will be available. This needs the
    ability to pretty-print.
    
    This introduces a new API qobject_to_json_pretty() that does
    a minimal indentation of list and dict members. As an example,
    this makes
    
      {"QMP": {"version": {"micro": 50, "minor": 12, "package": "", "major": 0}, "capabilities": []}}
    
    Output as
    
      {
          "QMP": {
              "version": {
                  "micro": 50,
                  "minor": 12,
                  "package": "",
                  "major": 0
              },
              "capabilities": [
              ]
          }
      }
    
    NB: this is not turned on for the QMP monitor.
    
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>

diff --git a/qjson.c b/qjson.c
index e4ee433..f9c8e77 100644
--- a/qjson.c
+++ b/qjson.c
@@ -72,43 +72,57 @@ QObject *qobject_from_jsonf(const char *string, ...)
 
 typedef struct ToJsonIterState
 {
+    int indent;
+    int pretty;
     int count;
     QString *str;
 } ToJsonIterState;
 
-static void to_json(const QObject *obj, QString *str);
+static void to_json(const QObject *obj, QString *str, int pretty, int indent);
 
 static void to_json_dict_iter(const char *key, QObject *obj, void *opaque)
 {
     ToJsonIterState *s = opaque;
     QString *qkey;
+    int j;
 
-    if (s->count) {
+    if (s->count)
         qstring_append(s->str, ", ");
+
+    if (s->pretty) {
+        qstring_append(s->str, "\n");
+        for (j = 0 ; j < s->indent ; j++)
+            qstring_append(s->str, "    ");
     }
 
     qkey = qstring_from_str(key);
-    to_json(QOBJECT(qkey), s->str);
+    to_json(QOBJECT(qkey), s->str, s->pretty, s->indent);
     QDECREF(qkey);
 
     qstring_append(s->str, ": ");
-    to_json(obj, s->str);
+    to_json(obj, s->str, s->pretty, s->indent);
     s->count++;
 }
 
 static void to_json_list_iter(QObject *obj, void *opaque)
 {
     ToJsonIterState *s = opaque;
+    int j;
 
-    if (s->count) {
+    if (s->count)
         qstring_append(s->str, ", ");
+
+    if (s->pretty) {
+        qstring_append(s->str, "\n");
+        for (j = 0 ; j < s->indent ; j++)
+            qstring_append(s->str, "    ");
     }
 
-    to_json(obj, s->str);
+    to_json(obj, s->str, s->pretty, s->indent);
     s->count++;
 }
 
-static void to_json(const QObject *obj, QString *str)
+static void to_json(const QObject *obj, QString *str, int pretty, int indent)
 {
     switch (qobject_type(obj)) {
     case QTYPE_QINT: {
@@ -193,8 +207,16 @@ static void to_json(const QObject *obj, QString *str)
 
         s.count = 0;
         s.str = str;
+        s.indent = indent + 1;
+        s.pretty = pretty;
         qstring_append(str, "{");
         qdict_iter(val, to_json_dict_iter, &s);
+        if (pretty) {
+            int j;
+            qstring_append(str, "\n");
+            for (j = 0 ; j < indent ; j++)
+                qstring_append(str, "    ");
+        }
         qstring_append(str, "}");
         break;
     }
@@ -204,8 +226,16 @@ static void to_json(const QObject *obj, QString *str)
 
         s.count = 0;
         s.str = str;
+        s.indent = indent + 1;
+        s.pretty = pretty;
         qstring_append(str, "[");
         qlist_iter(val, (void *)to_json_list_iter, &s);
+        if (pretty) {
+            int j;
+            qstring_append(str, "\n");
+            for (j = 0 ; j < indent ; j++)
+                qstring_append(str, "    ");
+        }
         qstring_append(str, "]");
         break;
     }
@@ -249,7 +279,16 @@ QString *qobject_to_json(const QObject *obj)
 {
     QString *str = qstring_new();
 
-    to_json(obj, str);
+    to_json(obj, str, 0, 0);
+
+    return str;
+}
+
+QString *qobject_to_json_pretty(const QObject *obj)
+{
+    QString *str = qstring_new();
+
+    to_json(obj, str, 1, 0);
 
     return str;
 }
diff --git a/qjson.h b/qjson.h
index 7afec2e..cd60e0b 100644
--- a/qjson.h
+++ b/qjson.h
@@ -24,5 +24,6 @@ QObject *qobject_from_jsonf(const char *string, ...)
 QObject *qobject_from_jsonv(const char *string, va_list *ap);
 
 QString *qobject_to_json(const QObject *obj);
+QString *qobject_to_json_pretty(const QObject *obj);
 
 #endif /* QJSON_H */
commit 2c50e26efdb7e405ecacf89e6a57a60179226dd8
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Wed Sep 29 15:31:44 2010 +0200

    powerpc: Add a virtex5 ml507 refdesign board
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/Makefile.target b/Makefile.target
index a4e80b1..91d0381 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -217,9 +217,17 @@ obj-ppc-y += ppc4xx_devs.o ppc4xx_pci.o ppc405_uc.o ppc405_boards.o
 obj-ppc-y += ppc440.o ppc440_bamboo.o
 # PowerPC E500 boards
 obj-ppc-y += ppce500_mpc8544ds.o
+# PowerPC 440 Xilinx ML507 reference board.
+obj-ppc-y += virtex_ml507.o
 obj-ppc-$(CONFIG_KVM) += kvm_ppc.o
 obj-ppc-$(CONFIG_FDT) += device_tree.o
 
+# Xilinx PPC peripherals
+obj-ppc-y += xilinx_intc.o
+obj-ppc-y += xilinx_timer.o
+obj-ppc-y += xilinx_uartlite.o
+obj-ppc-y += xilinx_ethlite.o
+
 obj-mips-y = mips_r4k.o mips_jazz.o mips_malta.o mips_mipssim.o
 obj-mips-y += mips_addr.o mips_timer.o mips_int.o
 obj-mips-y += vga.o i8259.o
diff --git a/default-configs/ppc-softmmu.mak b/default-configs/ppc-softmmu.mak
index c026bbb..940f4bf 100644
--- a/default-configs/ppc-softmmu.mak
+++ b/default-configs/ppc-softmmu.mak
@@ -32,4 +32,6 @@ CONFIG_IDE_MACIO=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
 CONFIG_VIRTIO_PCI=y
+CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
+CONFIG_PTIMER=y
diff --git a/default-configs/ppc64-softmmu.mak b/default-configs/ppc64-softmmu.mak
index 0101a28..e1bc6b8 100644
--- a/default-configs/ppc64-softmmu.mak
+++ b/default-configs/ppc64-softmmu.mak
@@ -32,4 +32,6 @@ CONFIG_IDE_MACIO=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
 CONFIG_VIRTIO_PCI=y
+CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
+CONFIG_PTIMER=y
diff --git a/default-configs/ppcemb-softmmu.mak b/default-configs/ppcemb-softmmu.mak
index 8ba9ac1..8f1cc09 100644
--- a/default-configs/ppcemb-softmmu.mak
+++ b/default-configs/ppcemb-softmmu.mak
@@ -32,4 +32,6 @@ CONFIG_IDE_MACIO=y
 CONFIG_NE2000_ISA=y
 CONFIG_SOUND=y
 CONFIG_VIRTIO_PCI=y
+CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
+CONFIG_PTIMER=y
diff --git a/hw/virtex_ml507.c b/hw/virtex_ml507.c
new file mode 100644
index 0000000..2af3b81
--- /dev/null
+++ b/hw/virtex_ml507.c
@@ -0,0 +1,278 @@
+/*
+ * Model of Xilinx Virtex5 ML507 PPC-440 refdesign.
+ *
+ * Copyright (c) 2010 Edgar E. Iglesias.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "sysbus.h"
+#include "hw.h"
+#include "pc.h"
+#include "net.h"
+#include "flash.h"
+#include "sysemu.h"
+#include "devices.h"
+#include "boards.h"
+#include "device_tree.h"
+#include "loader.h"
+#include "elf.h"
+#include "qemu-log.h"
+
+#include "ppc.h"
+#include "ppc4xx.h"
+#include "ppc440.h"
+#include "ppc405.h"
+
+#include "blockdev.h"
+#include "xilinx.h"
+
+#define EPAPR_MAGIC    (0x45504150)
+#define FLASH_SIZE     (16 * 1024 * 1024)
+
+static struct boot_info
+{
+    uint32_t bootstrap_pc;
+    uint32_t cmdline;
+    uint32_t fdt;
+    uint32_t ima_size;
+    void *vfdt;
+} boot_info;
+
+/* Create reset TLB entries for BookE, spanning the 32bit addr space.  */
+static void mmubooke_create_initial_mapping(CPUState *env,
+                                     target_ulong va,
+                                     target_phys_addr_t pa)
+{
+    ppcemb_tlb_t *tlb = &env->tlb[0].tlbe;
+
+    tlb->attr = 0;
+    tlb->prot = PAGE_VALID | ((PAGE_READ | PAGE_WRITE | PAGE_EXEC) << 4);
+    tlb->size = 1 << 31; /* up to 0x80000000  */
+    tlb->EPN = va & TARGET_PAGE_MASK;
+    tlb->RPN = pa & TARGET_PAGE_MASK;
+    tlb->PID = 0;
+
+    tlb = &env->tlb[1].tlbe;
+    tlb->attr = 0;
+    tlb->prot = PAGE_VALID | ((PAGE_READ | PAGE_WRITE | PAGE_EXEC) << 4);
+    tlb->size = 1 << 31; /* up to 0xffffffff  */
+    tlb->EPN = 0x80000000 & TARGET_PAGE_MASK;
+    tlb->RPN = 0x80000000 & TARGET_PAGE_MASK;
+    tlb->PID = 0;
+}
+
+static CPUState *ppc440_init_xilinx(ram_addr_t *ram_size,
+                                    int do_init,
+                                    const char *cpu_model,
+                                    clk_setup_t *cpu_clk, clk_setup_t *tb_clk,
+                                    uint32_t sysclk)
+{
+    CPUState *env;
+    qemu_irq *pic;
+    qemu_irq *irqs;
+
+    env = cpu_init(cpu_model);
+    if (!env) {
+        fprintf(stderr, "Unable to initialize CPU!\n");
+        exit(1);
+    }
+
+    cpu_clk->cb = NULL; /* We don't care about CPU clock frequency changes */
+    cpu_clk->opaque = env;
+    /* Set time-base frequency to sysclk */
+    tb_clk->cb = ppc_emb_timers_init(env, sysclk, PPC_INTERRUPT_DECR);
+    tb_clk->opaque = env;
+
+    ppc_dcr_init(env, NULL, NULL);
+
+    /* interrupt controller */
+    irqs = qemu_mallocz(sizeof(qemu_irq) * PPCUIC_OUTPUT_NB);
+    irqs[PPCUIC_OUTPUT_INT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_INT];
+    irqs[PPCUIC_OUTPUT_CINT] = ((qemu_irq *)env->irq_inputs)[PPC40x_INPUT_CINT];
+    pic = ppcuic_init(env, irqs, 0x0C0, 0, 1);
+    return env;
+}
+
+static void main_cpu_reset(void *opaque)
+{
+    CPUState *env = opaque;
+    struct boot_info *bi = env->load_info;
+
+    cpu_reset(env);
+    /* Linux Kernel Parameters (passing device tree):
+       *   r3: pointer to the fdt
+       *   r4: 0
+       *   r5: 0
+       *   r6: epapr magic
+       *   r7: size of IMA in bytes
+       *   r8: 0
+       *   r9: 0
+    */
+    env->gpr[1] = (16<<20) - 8;
+    /* Provide a device-tree.  */
+    env->gpr[3] = bi->fdt;
+    env->nip = bi->bootstrap_pc;
+
+    /* Create a mapping for the kernel.  */
+    mmubooke_create_initial_mapping(env, 0, 0);
+    env->gpr[6] = tswap32(EPAPR_MAGIC);
+    env->gpr[7] = bi->ima_size;
+}
+
+#define BINARY_DEVICE_TREE_FILE "virtex-ml507.dtb"
+static int xilinx_load_device_tree(target_phys_addr_t addr,
+                                      uint32_t ramsize,
+                                      target_phys_addr_t initrd_base,
+                                      target_phys_addr_t initrd_size,
+                                      const char *kernel_cmdline)
+{
+    char *path;
+    int fdt_size;
+#ifdef CONFIG_FDT
+    void *fdt;
+    int r;
+
+    /* Try the local "ppc.dtb" override.  */
+    fdt = load_device_tree("ppc.dtb", &fdt_size);
+    if (!fdt) {
+        path = qemu_find_file(QEMU_FILE_TYPE_BIOS, BINARY_DEVICE_TREE_FILE);
+        if (path) {
+            fdt = load_device_tree(path, &fdt_size);
+            qemu_free(path);
+        }
+        if (!fdt)
+            return 0;
+    }
+
+    r = qemu_devtree_setprop_string(fdt, "/chosen", "bootargs", kernel_cmdline);
+    if (r < 0)
+        fprintf(stderr, "couldn't set /chosen/bootargs\n");
+    cpu_physical_memory_write (addr, (void *)fdt, fdt_size);
+#else
+    /* We lack libfdt so we cannot manipulate the fdt. Just pass on the blob
+       to the kernel.  */
+    fdt_size = load_image_targphys("ppc.dtb", addr, 0x10000);
+    if (fdt_size < 0) {
+        path = qemu_find_file(QEMU_FILE_TYPE_BIOS, BINARY_DEVICE_TREE_FILE);
+        if (path) {
+            fdt_size = load_image_targphys(path, addr, 0x10000);
+            qemu_free(path);
+        }
+    }
+
+    if (kernel_cmdline) {
+        fprintf(stderr,
+                "Warning: missing libfdt, cannot pass cmdline to kernel!\n");
+    }
+#endif
+    return fdt_size;
+}
+
+static void virtex_init(ram_addr_t ram_size,
+                        const char *boot_device,
+                        const char *kernel_filename,
+                        const char *kernel_cmdline,
+                        const char *initrd_filename, const char *cpu_model)
+{
+    DeviceState *dev;
+    CPUState *env;
+    target_phys_addr_t ram_base = 0;
+    DriveInfo *dinfo;
+    ram_addr_t phys_ram;
+    ram_addr_t phys_flash;
+    qemu_irq irq[32], *cpu_irq;
+    clk_setup_t clk_setup[7];
+    int kernel_size;
+    int i;
+
+    /* init CPUs */
+    if (cpu_model == NULL) {
+        cpu_model = "440-Xilinx";
+    }
+
+    memset(clk_setup, 0, sizeof(clk_setup));
+    env = ppc440_init_xilinx(&ram_size, 1, cpu_model, &clk_setup[0],
+                             &clk_setup[1], 400000000);
+    qemu_register_reset(main_cpu_reset, env);
+
+    phys_ram = qemu_ram_alloc(NULL, "ram", ram_size);
+    cpu_register_physical_memory(ram_base, ram_size, phys_ram | IO_MEM_RAM);
+
+    phys_flash = qemu_ram_alloc(NULL, "virtex.flash", FLASH_SIZE);
+    dinfo = drive_get(IF_PFLASH, 0, 0);
+    pflash_cfi01_register(0xfc000000, phys_flash,
+                          dinfo ? dinfo->bdrv : NULL, (64 * 1024),
+                          FLASH_SIZE >> 16,
+                          1, 0x89, 0x18, 0x0000, 0x0, 1);
+
+    cpu_irq = (qemu_irq *) &env->irq_inputs[PPC40x_INPUT_INT];
+    dev = xilinx_intc_create(0x81800000, cpu_irq[0], 0);
+    for (i = 0; i < 32; i++) {
+        irq[i] = qdev_get_gpio_in(dev, i);
+    }
+
+    serial_mm_init(0x83e01003ULL, 2, irq[9], 115200, serial_hds[0], 1, 0);
+
+    /* 2 timers at irq 2 @ 62 Mhz.  */
+    xilinx_timer_create(0x83c00000, irq[3], 2, 62 * 1000000);
+
+    if (kernel_filename) {
+        uint64_t entry, low, high;
+        uint32_t base32;
+        target_phys_addr_t boot_offset;
+
+        /* Boots a kernel elf binary.  */
+        kernel_size = load_elf(kernel_filename, NULL, NULL,
+                               &entry, &low, &high, 1, ELF_MACHINE, 0);
+        base32 = entry;
+        boot_info.bootstrap_pc = entry & 0x00ffffff;
+
+        if (kernel_size < 0) {
+            boot_offset = 0x1200000;
+            /* If we failed loading ELF's try a raw image.  */
+            kernel_size = load_image_targphys(kernel_filename,
+                                              boot_offset,
+                                              ram_size);
+            boot_info.bootstrap_pc = boot_offset;
+            high = boot_info.bootstrap_pc + kernel_size + 8192;
+        }
+
+        boot_info.ima_size = kernel_size;
+
+        /* Provide a device-tree.  */
+        boot_info.fdt = high + (8192 * 2);
+        boot_info.fdt &= ~8191;
+        xilinx_load_device_tree(boot_info.fdt, ram_size, 0, 0, kernel_cmdline);
+    }
+    env->load_info = &boot_info;
+}
+
+static QEMUMachine virtex_machine = {
+    .name = "virtex-ml507",
+    .desc = "Xilinx Virtex ML507 reference design",
+    .init = virtex_init,
+};
+
+static void virtex_machine_init(void)
+{
+    qemu_register_machine(&virtex_machine);
+}
+
+machine_init(virtex_machine_init);
diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index dc1f4b8..bf81941 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -702,6 +702,10 @@ struct CPUPPCState {
 
     /* temporary hack to handle OSI calls (only used if non NULL) */
     int (*osi_call)(struct CPUPPCState *env);
+
+#if !defined(CONFIG_USER_ONLY)
+    void *load_info;    /* Holds boot loading state.  */
+#endif
 };
 
 #if !defined(CONFIG_USER_ONLY)
commit 95070372f7477f44add9af9b55970ae1b92c3100
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Sep 11 15:29:01 2010 +0200

    powerpc: Add a ppc-440x5 Xilinx model
    
    Add a powerpc 440x5 with the model ID on the Xilinx virtex5.
    Connect the 440x5 to the 40x interrupt logic.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 2bd8b00..05ffe95 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -3596,7 +3596,6 @@ static void init_proc_440x4 (CPUPPCState *env)
                               POWERPC_FLAG_DE | POWERPC_FLAG_BUS_CLK)
 #define check_pow_440x5      check_pow_nocheck
 
-__attribute__ (( unused ))
 static void init_proc_440x5 (CPUPPCState *env)
 {
     /* Time base */
@@ -3656,7 +3655,7 @@ static void init_proc_440x5 (CPUPPCState *env)
     init_excp_BookE(env);
     env->dcache_line_size = 32;
     env->icache_line_size = 32;
-    /* XXX: TODO: allocate internal IRQ controller */
+    ppc40x_irq_init(env);
 }
 
 /* PowerPC 460 (guessed)                                                     */
@@ -6536,6 +6535,7 @@ enum {
 #if 0
     CPU_POWERPC_440A4              = xxx,
 #endif
+    CPU_POWERPC_440_XILINX         = 0x7ff21910,
 #if 0
     CPU_POWERPC_440A5              = xxx,
 #endif
@@ -7464,6 +7464,8 @@ static const ppc_def_t ppc_defs[] = {
     /* PowerPC 440 A4                                                        */
     POWERPC_DEF("440A4",         CPU_POWERPC_440A4,                  440x4),
 #endif
+    /* PowerPC 440 Xilinx 5                                                  */
+    POWERPC_DEF("440-Xilinx",    CPU_POWERPC_440_XILINX,             440x5),
 #if defined (TODO)
     /* PowerPC 440 A5                                                        */
     POWERPC_DEF("440A5",         CPU_POWERPC_440A5,                  440x5),
commit 6c8578617ed01c915da793ae98017ebd1244a4e1
Author: Shan Hai <haishan.bai at gmail.com>
Date:   Sun Sep 26 17:37:53 2010 +0800

    qemu-kvm: explicit type conversion to avoid compilation failure
    
    The compilation failed using GCC-4.4.1 on mismatched types
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm.c b/qemu-kvm.c
index d747ed8..e33fe17 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1145,7 +1145,7 @@ static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
         /* Hope we are lucky for AO MCE */
         vaddr = (void *)(intptr_t)siginfo->ssi_addr;
         if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
-            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, &paddr)) {
+            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
             fprintf(stderr, "Hardware memory error for memory used by "
                     "QEMU itself instead of guest system!: %llx\n",
                     (unsigned long long)siginfo->ssi_addr);
@@ -1354,7 +1354,7 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
         }
         vaddr = (void *)siginfo->si_addr;
         if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
-            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, &paddr)) {
+            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, (target_phys_addr_t *)&paddr)) {
             fprintf(stderr, "Hardware memory error for memory used by "
                     "QEMU itself instaed of guest system!\n");
             /* Hope we are lucky for AO MCE */
commit 1dc3bcc45cd3eb0f878b18f4d04401cb9b035b07
Author: Eduardo Habkost <ehabkost at redhat.com>
Date:   Fri Sep 24 14:03:04 2010 -0300

    make-release: don't use --mtime and --transform tar options
    
    Those options are not available on older systems.
    
    Instead of --transform, just create the file inside the expected directory.
    
    Instead of --mtime, use 'touch' to set file mtime before running tar.
    
    Signed-off-by: Eduardo Habkost <ehabkost at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm/scripts/make-release b/kvm/scripts/make-release
index c5f8c92..56302c3 100755
--- a/kvm/scripts/make-release
+++ b/kvm/scripts/make-release
@@ -52,20 +52,22 @@ mkdir -p "$(dirname "$tarball")"
 git archive --prefix="$name/" --format=tar "$commit" > "$tarball"
 
 mtime=`git show --format=%ct "$commit""^{commit}" --`
-tarargs="--owner=root --group=root --mtime=@$mtime"
+tarargs="--owner=root --group=root"
 
-mkdir -p "$tmpdir"
+mkdir -p "$tmpdir/$name"
 git cat-file -p "${commit}:roms" | awk ' { print $4, $3 } ' \
-    > "$tmpdir/EXTERNAL_DEPENDENCIES"
-tar -rf "$tarball" --transform "s,^,$name/," -C "$tmpdir" \
+    > "$tmpdir/$name/EXTERNAL_DEPENDENCIES"
+touch -d "@$mtime" "$tmpdir/$name/EXTERNAL_DEPENDENCIES"
+tar -rf "$tarball" -C "$tmpdir" \
     $tarargs \
-    "EXTERNAL_DEPENDENCIES"
+    "$name/EXTERNAL_DEPENDENCIES"
 rm -rf "$tmpdir"
 
 if [[ -n "$formal" ]]; then
-    mkdir -p "$tmpdir"
-    echo "$name" > "$tmpdir/KVM_VERSION"
-    tar -rf "$tarball" --transform "s,^,$name/," -C "$tmpdir" "KVM_VERSION" \
+    mkdir -p "$tmpdir/$name"
+    echo "$name" > "$tmpdir/$name/KVM_VERSION"
+    touch -d "@$mtime" "$tmpdir/$name/KVM_VERSION"
+    tar -rf "$tarball" -C "$tmpdir" "$name/KVM_VERSION" \
         $tarargs
     rm -rf "$tmpdir"
 fi
commit c85acba492da6dbe4e1d5c0b97b3558fcb1d1ccd
Author: Eduardo Habkost <ehabkost at redhat.com>
Date:   Fri Sep 24 14:03:03 2010 -0300

    make-release: don't use --tmpdir mktemp option
    
    This allows the script to work on older systems, where 'mktemp --tmpdir' is not
    available.
    
    Signed-off-by: Eduardo Habkost <ehabkost at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm/scripts/make-release b/kvm/scripts/make-release
index 64e77f9..c5f8c92 100755
--- a/kvm/scripts/make-release
+++ b/kvm/scripts/make-release
@@ -12,7 +12,7 @@ formal=
 
 releasedir=~/sf-release
 [[ -z "$TMP" ]] && TMP="/tmp"
-tmpdir=`mktemp -d --tmpdir="$TMP" qemu-kvm-make-release.XXXXXXXXXX`
+tmpdir=`mktemp -d "$TMP/qemu-kvm-make-release.XXXXXXXXXX"`
 while [[ "$1" = -* ]]; do
     opt="$1"
     shift
commit fd6bfef3d49a62b36092f131690de3e34f84662d
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Sep 14 15:51:40 2010 +0200

    qemu-kvm-x86: consider the irq0override flag in kvm_arch_init_irq_routing
    
    The setting of the irq0override flag must be also passed properly
    to the KVM_IRQCHIP_IOAPIC.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index fd974b3..e35c234 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -1388,9 +1388,9 @@ int kvm_arch_init_irq_routing(void)
             }
         }
         for (i = 0; i < 24; ++i) {
-            if (i == 0) {
+            if (i == 0 && irq0override) {
                 r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_IOAPIC, 2);
-            } else if (i != 2) {
+            } else if (i != 2 || !irq0override) {
                 r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_IOAPIC, i);
             }
             if (r < 0) {
commit 5251d6add68f343d7e47b5ef0e44694e98605503
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Tue Sep 28 23:48:42 2010 +0200

    tap: Remove double include of util.h
    
    If neither of __FreeBSD__, __FreeBSD_kernel__ and __DragonFly__ is defined,
    util.h is included from tap-bsd.c.
    Don't include it again if __OpenBSD__ is defined.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/net/tap-bsd.c b/net/tap-bsd.c
index 3513075..efccfe0 100644
--- a/net/tap-bsd.c
+++ b/net/tap-bsd.c
@@ -37,10 +37,6 @@
 #include <util.h>
 #endif
 
-#if defined(__OpenBSD__)
-#include <util.h>
-#endif
-
 int tap_open(char *ifname, int ifname_size, int *vnet_hdr, int vnet_hdr_required)
 {
     int fd;
commit fd5723b385557bc77b93dfe5ab591813407686c0
Author: Wu Fengguang <fengguang.wu at intel.com>
Date:   Wed Sep 29 12:18:41 2010 +0800

    pulse-audio: fix bug on updating rpos
    
    Fix a rpos coordination bug between qpa_run_out() and qpa_thread_out(),
    which shows up as playback noises.
    
    	qpa_run_out()
    			qpa_thread_out loop N critical section 1
    	qpa_run_out()   qpa_thread_out loop N doing pa_simple_write()
    	qpa_run_out()	qpa_thread_out loop N doing pa_simple_write()
    			qpa_thread_out loop N critical section 2
    			qpa_thread_out loop N+1 critical section 1
    	qpa_run_out()	qpa_thread_out loop N+1 doing pa_simple_write()
    
    In the above scheme, "qpa_thread_out loop N+1 critical section 1" will
    get the same rpos as the one used by "qpa_thread_out loop N critical
    section 1". So it will be reading dead samples from the old rpos.
    
    The rpos can only be updated back to qpa_thread_out when there is a
    qpa_run_out() run between two qpa_thread_out loops.
    
    normal sequence:
    	qpa_thread_out:
    			hw->rpos (X0) => local rpos => pa->rpos (X1)
    	qpa_run_out:
    			pa->rpos (X1) => hw->rpos (X1)
    	qpa_thread_out:
    			hw->rpos (X1) => local rpos => pa->rpos (X2)
    
    buggy sequence:
    	qpa_thread_out:
    			hw->rpos (X0) => local rpos => pa->rpos (X1)
    	qpa_thread_out:
    			hw->rpos (X0) => local rpos => pa->rpos (X1')
    
    Obviously qpa_run_out() shall be called at least once between any two
    qpa_thread_out loops (after pa->rpos is set), in order for the new
    qpa_thread_out loop to see the updated rpos.
    
    Setting pa->live to 0 does the trick. The next loop will have to wait
    for one qpa_run_out() invocation in order to get a non-zero pa->live
    and proceed.
    
    Signed-off-by: malc <av1474 at comtv.ru>
    Signed-off-by: Wu Fengguang <fengguang.wu at intel.com>

diff --git a/audio/paaudio.c b/audio/paaudio.c
index 9118ece..ff71dac 100644
--- a/audio/paaudio.c
+++ b/audio/paaudio.c
@@ -110,8 +110,8 @@ static void *qpa_thread_out (void *arg)
             return NULL;
         }
 
+        pa->live = 0;
         pa->rpos = rpos;
-        pa->live -= decr;
         pa->decr += decr;
     }
 
commit 575c153f4f5cc23442e194619874de8ad4e6dd9c
Author: malc <av1474 at comtv.ru>
Date:   Tue Sep 28 08:54:24 2010 +0400

    audio: Fix memory size for resampling buffer in DAC case
    
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/audio/audio_template.h b/audio/audio_template.h
index 2f5224b..fd4469e 100644
--- a/audio/audio_template.h
+++ b/audio/audio_template.h
@@ -108,11 +108,7 @@ static int glue (audio_pcm_sw_alloc_resources_, TYPE) (SW *sw)
 {
     int samples;
 
-#ifdef DAC
-    samples = sw->hw->samples;
-#else
     samples = ((int64_t) sw->hw->samples << 32) / sw->ratio;
-#endif
 
     sw->buf = audio_calloc (AUDIO_FUNC, samples, sizeof (struct st_sample));
     if (!sw->buf) {
commit 9fe6de944930985885510f8e95d14104437d7c32
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Sep 26 16:07:57 2010 +0000

    mingw: add version information to the executables
    
    Add QEMU version information to the executables, based on earlier
    work by C. W. Betts and Robert Riebisch.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index 090d632..fca1e7a 100644
--- a/Makefile
+++ b/Makefile
@@ -114,16 +114,20 @@ trace.o: trace.c $(GENERATED_HEADERS)
 
 simpletrace.o: simpletrace.c $(GENERATED_HEADERS)
 
+version.o: $(SRC_PATH)/version.rc config-host.mak
+	$(call quiet-command,$(WINDRES) -I. -o $@ $<,"  RC    $(TARGET_DIR)$@")
+
+version-obj-$(CONFIG_WIN32) += version.o
 ######################################################################
 
 qemu-img.o: qemu-img-cmds.h
 qemu-img.o qemu-tool.o qemu-nbd.o qemu-io.o: $(GENERATED_HEADERS)
 
-qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y)
+qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y)
 
-qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y)
+qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y)
 
-qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y)
+qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y) $(version-obj-y)
 
 qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
diff --git a/Makefile.objs b/Makefile.objs
index dad4593..dde3ba9 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -86,6 +86,7 @@ common-obj-y += block-migration.o
 
 common-obj-$(CONFIG_BRLAPI) += baum.o
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
+common-obj-$(CONFIG_WIN32) += version.o
 
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
diff --git a/configure b/configure
index 02bda64..8fe4bbe 100755
--- a/configure
+++ b/configure
@@ -83,6 +83,7 @@ install="install"
 objcopy="objcopy"
 ld="ld"
 strip="strip"
+windres="windres"
 helper_cflags=""
 libs_softmmu=""
 libs_tools=""
@@ -129,6 +130,7 @@ ar="${cross_prefix}${ar}"
 objcopy="${cross_prefix}${objcopy}"
 ld="${cross_prefix}${ld}"
 strip="${cross_prefix}${strip}"
+windres="${cross_prefix}${windres}"
 
 # default flags for all hosts
 QEMU_CFLAGS="-fno-strict-aliasing $QEMU_CFLAGS"
@@ -2319,6 +2321,15 @@ fi
 echo "HOST_LONG_BITS=$hostlongbits" >> $config_host_mak
 if test "$mingw32" = "yes" ; then
   echo "CONFIG_WIN32=y" >> $config_host_mak
+  rc_version=`cat $source_path/VERSION`
+  version_major=${rc_version%%.*}
+  rc_version=${rc_version#*.}
+  version_minor=${rc_version%%.*}
+  rc_version=${rc_version#*.}
+  version_subminor=${rc_version%%.*}
+  version_micro=0
+  echo "CONFIG_FILEVERSION=$version_major,$version_minor,$version_subminor,$version_micro" >> $config_host_mak
+  echo "CONFIG_PRODUCTVERSION=$version_major,$version_minor,$version_subminor,$version_micro" >> $config_host_mak
 else
   echo "CONFIG_POSIX=y" >> $config_host_mak
 fi
@@ -2565,6 +2576,7 @@ fi
 echo "AR=$ar" >> $config_host_mak
 echo "OBJCOPY=$objcopy" >> $config_host_mak
 echo "LD=$ld" >> $config_host_mak
+echo "WINDRES=$windres" >> $config_host_mak
 echo "CFLAGS=$CFLAGS" >> $config_host_mak
 echo "QEMU_CFLAGS=$QEMU_CFLAGS" >> $config_host_mak
 echo "HELPER_CFLAGS=$helper_cflags" >> $config_host_mak
diff --git a/version.rc b/version.rc
new file mode 100644
index 0000000..82e10ec
--- /dev/null
+++ b/version.rc
@@ -0,0 +1,28 @@
+#include <winver.h>
+#include "config-host.h"
+
+VS_VERSION_INFO VERSIONINFO
+FILEVERSION CONFIG_FILEVERSION
+PRODUCTVERSION CONFIG_PRODUCTVERSION
+FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+FILEOS VOS_NT_WINDOWS32
+FILETYPE VFT_APP
+FILESUBTYPE VFT2_UNKNOWN
+{
+  BLOCK "StringFileInfo"
+  {
+    BLOCK "040904E4"
+    {
+      VALUE "CompanyName", "http://www.qemu.org"
+      VALUE "FileDescription", "QEMU machine emulators and tools"
+      VALUE "FileVersion", QEMU_VERSION
+      VALUE "LegalCopyright", "Copyright various authors. Released under the GNU General Public License."
+      VALUE "LegalTrademarks", "QEMU is a trademark of Fabrice Bellard."
+      VALUE "ProductName", "QEMU"
+    }
+  }
+  BLOCK "VarFileInfo"
+  {
+    VALUE "Translation", 0x0409, 1252
+  }
+}
commit 0ba8681eee36af77109505c34b5e29da52fa51ba
Author: Loïc Minier <loic.minier at linaro.org>
Date:   Sat Sep 25 21:52:30 2010 +0200

    Avoid exit in trap as it breaks with some shells
    
    Don't call exit in the trap handler as it causes the return code to be
    zero with some buggy shells (dash and pdksh at least) and is useless
    here anyway.
    
    Signed-off-by: Loïc Minier <loic.minier at linaro.org>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 6a21bf2..02bda64 100755
--- a/configure
+++ b/configure
@@ -15,7 +15,9 @@ TMPC="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.c"
 TMPO="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.o"
 TMPE="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.exe"
 
-trap "rm -f $TMPC $TMPO $TMPE ; exit" EXIT INT QUIT TERM
+# NB: do not call "exit" in the trap handler; this is buggy with some shells;
+# see <1285349658-3122-1-git-send-email-loic.minier at linaro.org>
+trap "rm -f $TMPC $TMPO $TMPE" EXIT INT QUIT TERM
 
 compile_object() {
   $cc $QEMU_CFLAGS -c -o $TMPO $TMPC > /dev/null 2> /dev/null
commit e78815a554adaa551d62a71be10ee2fcf128e473
Author: Andreas Färber <afaerber at opensolaris.org>
Date:   Sat Sep 25 11:26:05 2010 +0000

    Introduce qemu_madvise()
    
    vl.c has a Sun-specific hack to supply a prototype for madvise(),
    but the call site has apparently moved to arch_init.c.
    
    Haiku doesn't implement madvise() in favor of posix_madvise().
    OpenBSD and Solaris 10 don't implement posix_madvise() but madvise().
    MinGW implements neither.
    
    Check for madvise() and posix_madvise() in configure and supply qemu_madvise()
    as wrapper. Prefer madvise() over posix_madvise() due to flag availability.
    Convert all callers to use qemu_madvise() and QEMU_MADV_*.
    
    Note that on Solaris the warning is fixed by moving the madvise() prototype,
    not by qemu_madvise() itself. It helps with porting though, and it simplifies
    most call sites.
    
    v7 -> v8:
    * Some versions of MinGW have no sys/mman.h header. Reported by Blue Swirl.
    
    v6 -> v7:
    * Adopt madvise() rather than posix_madvise() semantics for returning errors.
    * Use EINVAL in place of ENOTSUP.
    
    v5 -> v6:
    * Replace two leftover instances of POSIX_MADV_NORMAL with QEMU_MADV_INVALID.
      Spotted by Blue Swirl.
    
    v4 -> v5:
    * Introduce QEMU_MADV_INVALID, suggested by Alexander Graf.
      Note that this relies on -1 not being a valid advice value.
    
    v3 -> v4:
    * Eliminate #ifdefs at qemu_advise() call sites. Requested by Blue Swirl.
      This will currently break the check in kvm-all.c by calling madvise() with
      a supported flag, which will not fail. Ideas/patches welcome.
    
    v2 -> v3:
    * Reuse the *_MADV_* defines for QEMU_MADV_*. Suggested by Alexander Graf.
    * Add configure check for madvise(), too.
      Add defines to Makefile, not QEMU_CFLAGS.
      Convert all callers, untested. Suggested by Blue Swirl.
    * Keep Solaris' madvise() prototype around. Pointed out by Alexander Graf.
    * Display configure check results.
    
    v1 -> v2:
    * Don't rely on posix_madvise() availability, add qemu_madvise().
      Suggested by Blue Swirl.
    
    Signed-off-by: Andreas Färber <afaerber at opensolaris.org>
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Alexander Graf <agraf at suse.de>
    Cc: Andrea Arcangeli <aarcange at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/arch_init.c b/arch_init.c
index e468c0c..a910033 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -396,7 +396,7 @@ int ram_load(QEMUFile *f, void *opaque, int version_id)
 #ifndef _WIN32
             if (ch == 0 &&
                 (!kvm_enabled() || kvm_has_sync_mmu())) {
-                madvise(host, TARGET_PAGE_SIZE, MADV_DONTNEED);
+                qemu_madvise(host, TARGET_PAGE_SIZE, QEMU_MADV_DONTNEED);
             }
 #endif
         } else if (flags & RAM_SAVE_FLAG_PAGE) {
diff --git a/configure b/configure
index 3bfc5e9..6a21bf2 100755
--- a/configure
+++ b/configure
@@ -2072,6 +2072,31 @@ if compile_prog "" "" ; then
 fi
 
 ##########################################
+# check if we have madvise
+
+madvise=no
+cat > $TMPC << EOF
+#include <sys/types.h>
+#include <sys/mman.h>
+int main(void) { return madvise(NULL, 0, MADV_DONTNEED); }
+EOF
+if compile_prog "" "" ; then
+    madvise=yes
+fi
+
+##########################################
+# check if we have posix_madvise
+
+posix_madvise=no
+cat > $TMPC << EOF
+#include <sys/mman.h>
+int main(void) { return posix_madvise(NULL, 0, POSIX_MADV_DONTNEED); }
+EOF
+if compile_prog "" "" ; then
+    posix_madvise=yes
+fi
+
+##########################################
 # check if trace backend exists
 
 sh "$source_path/tracetool" "--$trace_backend" --check-backend > /dev/null 2> /dev/null
@@ -2238,6 +2263,8 @@ echo "KVM support       $kvm"
 echo "fdt support       $fdt"
 echo "preadv support    $preadv"
 echo "fdatasync         $fdatasync"
+echo "madvise           $madvise"
+echo "posix_madvise     $posix_madvise"
 echo "uuid support      $uuid"
 echo "vhost-net support $vhost_net"
 echo "Trace backend     $trace_backend"
@@ -2478,6 +2505,12 @@ fi
 if test "$fdatasync" = "yes" ; then
   echo "CONFIG_FDATASYNC=y" >> $config_host_mak
 fi
+if test "$madvise" = "yes" ; then
+  echo "CONFIG_MADVISE=y" >> $config_host_mak
+fi
+if test "$posix_madvise" = "yes" ; then
+  echo "CONFIG_POSIX_MADVISE=y" >> $config_host_mak
+fi
 
 # XXX: suppress that
 if [ "$bsd" = "yes" ] ; then
diff --git a/exec.c b/exec.c
index 380dab5..9b5464f 100644
--- a/exec.c
+++ b/exec.c
@@ -2841,9 +2841,7 @@ ram_addr_t qemu_ram_alloc_from_ptr(DeviceState *dev, const char *name,
             new_block->host = file_ram_alloc(new_block, size, mem_path);
             if (!new_block->host) {
                 new_block->host = qemu_vmalloc(size);
-#ifdef MADV_MERGEABLE
-                madvise(new_block->host, size, MADV_MERGEABLE);
-#endif
+                qemu_madvise(new_block->host, size, QEMU_MADV_MERGEABLE);
             }
 #else
             fprintf(stderr, "-mem-path option unsupported\n");
@@ -2858,9 +2856,7 @@ ram_addr_t qemu_ram_alloc_from_ptr(DeviceState *dev, const char *name,
 #else
             new_block->host = qemu_vmalloc(size);
 #endif
-#ifdef MADV_MERGEABLE
-            madvise(new_block->host, size, MADV_MERGEABLE);
-#endif
+            qemu_madvise(new_block->host, size, QEMU_MADV_MERGEABLE);
         }
     }
 
diff --git a/hw/virtio-balloon.c b/hw/virtio-balloon.c
index 9fe3886..1e74674 100644
--- a/hw/virtio-balloon.c
+++ b/hw/virtio-balloon.c
@@ -51,8 +51,8 @@ static void balloon_page(void *addr, int deflate)
 {
 #if defined(__linux__)
     if (!kvm_enabled() || kvm_has_sync_mmu())
-        madvise(addr, TARGET_PAGE_SIZE,
-                deflate ? MADV_WILLNEED : MADV_DONTNEED);
+        qemu_madvise(addr, TARGET_PAGE_SIZE,
+                deflate ? QEMU_MADV_WILLNEED : QEMU_MADV_DONTNEED);
 #endif
 }
 
diff --git a/kvm-all.c b/kvm-all.c
index 58b0404..1cc696f 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -1031,18 +1031,14 @@ int kvm_has_xcrs(void)
 void kvm_setup_guest_memory(void *start, size_t size)
 {
     if (!kvm_has_sync_mmu()) {
-#ifdef MADV_DONTFORK
-        int ret = madvise(start, size, MADV_DONTFORK);
+        int ret = qemu_madvise(start, size, QEMU_MADV_DONTFORK);
 
         if (ret) {
-            perror("madvice");
+            perror("qemu_madvise");
+            fprintf(stderr,
+                    "Need MADV_DONTFORK in absence of synchronous KVM MMU\n");
             exit(1);
         }
-#else
-        fprintf(stderr,
-                "Need MADV_DONTFORK in absence of synchronous KVM MMU\n");
-        exit(1);
-#endif
     }
 }
 
diff --git a/osdep.c b/osdep.c
index 30426ff..2e05b21 100644
--- a/osdep.c
+++ b/osdep.c
@@ -32,9 +32,16 @@
 /* Needed early for CONFIG_BSD etc. */
 #include "config-host.h"
 
+#if defined(CONFIG_MADVISE) || defined(CONFIG_POSIX_MADVISE)
+#include <sys/mman.h>
+#endif
+
 #ifdef CONFIG_SOLARIS
 #include <sys/types.h>
 #include <sys/statvfs.h>
+/* See MySQL bug #7156 (http://bugs.mysql.com/bug.php?id=7156) for
+   discussion about Solaris header problems */
+extern int madvise(caddr_t, size_t, int);
 #endif
 
 #ifdef CONFIG_EVENTFD
@@ -139,6 +146,22 @@ void qemu_vfree(void *ptr)
 
 #endif
 
+int qemu_madvise(void *addr, size_t len, int advice)
+{
+    if (advice == QEMU_MADV_INVALID) {
+        errno = EINVAL;
+        return -1;
+    }
+#if defined(CONFIG_MADVISE)
+    return madvise(addr, len, advice);
+#elif defined(CONFIG_POSIX_MADVISE)
+    return posix_madvise(addr, len, advice);
+#else
+    errno = EINVAL;
+    return -1;
+#endif
+}
+
 int qemu_create_pidfile(const char *filename)
 {
     char buffer[128];
diff --git a/osdep.h b/osdep.h
index 1cdc7e2..6716281 100644
--- a/osdep.h
+++ b/osdep.h
@@ -90,6 +90,41 @@ void *qemu_memalign(size_t alignment, size_t size);
 void *qemu_vmalloc(size_t size);
 void qemu_vfree(void *ptr);
 
+#define QEMU_MADV_INVALID -1
+
+#if defined(CONFIG_MADVISE)
+
+#define QEMU_MADV_WILLNEED  MADV_WILLNEED
+#define QEMU_MADV_DONTNEED  MADV_DONTNEED
+#ifdef MADV_DONTFORK
+#define QEMU_MADV_DONTFORK  MADV_DONTFORK
+#else
+#define QEMU_MADV_DONTFORK  QEMU_MADV_INVALID
+#endif
+#ifdef MADV_MERGEABLE
+#define QEMU_MADV_MERGEABLE MADV_MERGEABLE
+#else
+#define QEMU_MADV_MERGEABLE QEMU_MADV_INVALID
+#endif
+
+#elif defined(CONFIG_POSIX_MADVISE)
+
+#define QEMU_MADV_WILLNEED  POSIX_MADV_WILLNEED
+#define QEMU_MADV_DONTNEED  POSIX_MADV_DONTNEED
+#define QEMU_MADV_DONTFORK  QEMU_MADV_INVALID
+#define QEMU_MADV_MERGEABLE QEMU_MADV_INVALID
+
+#else /* no-op */
+
+#define QEMU_MADV_WILLNEED  QEMU_MADV_INVALID
+#define QEMU_MADV_DONTNEED  QEMU_MADV_INVALID
+#define QEMU_MADV_DONTFORK  QEMU_MADV_INVALID
+#define QEMU_MADV_MERGEABLE QEMU_MADV_INVALID
+
+#endif
+
+int qemu_madvise(void *addr, size_t len, int advice);
+
 int qemu_create_pidfile(const char *filename);
 
 #ifdef _WIN32
diff --git a/vl.c b/vl.c
index 3f45aa9..d352d18 100644
--- a/vl.c
+++ b/vl.c
@@ -80,9 +80,6 @@
 #include <net/if.h>
 #include <syslog.h>
 #include <stropts.h>
-/* See MySQL bug #7156 (http://bugs.mysql.com/bug.php?id=7156) for
-   discussion about Solaris header problems */
-extern int madvise(caddr_t, size_t, int);
 #endif
 #endif
 #endif
commit d63cb48db9016328a7a69f3a1c2938cd3dfc9d1a
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Mon Sep 20 19:08:42 2010 +0200

    powerpc: Make the decr interrupt type overridable
    
    Make it possible for boards to override the kind of interrupt
    to be signaled when the decr timer hits. The 405's signal PIT
    interrupts while the 440's signal DECR.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/ppc.c b/hw/ppc.c
index 55e3808..968aec1 100644
--- a/hw/ppc.c
+++ b/hw/ppc.c
@@ -769,6 +769,9 @@ struct ppcemb_timer_t {
     struct QEMUTimer *fit_timer;
     uint64_t wdt_next;    /* Tick for next WDT interrupt  */
     struct QEMUTimer *wdt_timer;
+
+    /* 405 have the PIT, 440 have a DECR.  */
+    unsigned int decr_excp;
 };
 
 /* Fixed interval timer */
@@ -851,7 +854,7 @@ static void cpu_4xx_pit_cb (void *opaque)
     ppcemb_timer = tb_env->opaque;
     env->spr[SPR_40x_TSR] |= 1 << 27;
     if ((env->spr[SPR_40x_TCR] >> 26) & 0x1)
-        ppc_set_irq(env, PPC_INTERRUPT_PIT, 1);
+        ppc_set_irq(env, ppcemb_timer->decr_excp, 1);
     start_stop_pit(env, tb_env, 1);
     LOG_TB("%s: ar %d ir %d TCR " TARGET_FMT_lx " TSR " TARGET_FMT_lx " "
            "%016" PRIx64 "\n", __func__,
@@ -948,10 +951,15 @@ target_ulong load_40x_pit (CPUState *env)
 
 void store_booke_tsr (CPUState *env, target_ulong val)
 {
+    ppc_tb_t *tb_env = env->tb_env;
+    ppcemb_timer_t *ppcemb_timer;
+
+    ppcemb_timer = tb_env->opaque;
+
     LOG_TB("%s: val " TARGET_FMT_lx "\n", __func__, val);
     env->spr[SPR_40x_TSR] &= ~(val & 0xFC000000);
     if (val & 0x80000000)
-        ppc_set_irq(env, PPC_INTERRUPT_PIT, 0);
+        ppc_set_irq(env, ppcemb_timer->decr_excp, 0);
 }
 
 void store_booke_tcr (CPUState *env, target_ulong val)
@@ -977,7 +985,8 @@ static void ppc_emb_set_tb_clk (void *opaque, uint32_t freq)
     /* XXX: we should also update all timers */
 }
 
-clk_setup_cb ppc_emb_timers_init (CPUState *env, uint32_t freq)
+clk_setup_cb ppc_emb_timers_init (CPUState *env, uint32_t freq,
+                                  unsigned int decr_excp)
 {
     ppc_tb_t *tb_env;
     ppcemb_timer_t *ppcemb_timer;
@@ -996,6 +1005,7 @@ clk_setup_cb ppc_emb_timers_init (CPUState *env, uint32_t freq)
             qemu_new_timer(vm_clock, &cpu_4xx_fit_cb, env);
         ppcemb_timer->wdt_timer =
             qemu_new_timer(vm_clock, &cpu_4xx_wdt_cb, env);
+        ppcemb_timer->decr_excp = decr_excp;
     }
 
     return &ppc_emb_set_tb_clk;
diff --git a/hw/ppc.h b/hw/ppc.h
index 1251932..34f54cf 100644
--- a/hw/ppc.h
+++ b/hw/ppc.h
@@ -19,7 +19,9 @@ int ppc_dcr_init (CPUState *env, int (*dcr_read_error)(int dcrn),
                   int (*dcr_write_error)(int dcrn));
 int ppc_dcr_register (CPUState *env, int dcrn, void *opaque,
                       dcr_read_cb drc_read, dcr_write_cb dcr_write);
-clk_setup_cb ppc_emb_timers_init (CPUState *env, uint32_t freq);
+clk_setup_cb ppc_emb_timers_init (CPUState *env, uint32_t freq,
+                                  unsigned int decr_excp);
+
 /* Embedded PowerPC reset */
 void ppc40x_core_reset (CPUState *env);
 void ppc40x_chip_reset (CPUState *env);
diff --git a/hw/ppc4xx_devs.c b/hw/ppc4xx_devs.c
index 7f698b8..5f581fe 100644
--- a/hw/ppc4xx_devs.c
+++ b/hw/ppc4xx_devs.c
@@ -56,7 +56,7 @@ CPUState *ppc4xx_init (const char *cpu_model,
     cpu_clk->cb = NULL; /* We don't care about CPU clock frequency changes */
     cpu_clk->opaque = env;
     /* Set time-base frequency to sysclk */
-    tb_clk->cb = ppc_emb_timers_init(env, sysclk);
+    tb_clk->cb = ppc_emb_timers_init(env, sysclk, PPC_INTERRUPT_PIT);
     tb_clk->opaque = env;
     ppc_dcr_init(env, NULL, NULL);
     /* Register qemu callbacks */
commit a586e548fb41afa21291bcc96f0a657d5ceaad59
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Mon Sep 20 19:06:32 2010 +0200

    powerpc: Improve emulation of the BookE MMU
    
    Improve the emulation of the BookE MMU to be able to boot linux
    on virtex5 boards.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index 9c8d774..dc1f4b8 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -453,6 +453,9 @@ struct ppc_slb_t {
 #endif
 #endif
 
+/* Exception state register bits definition                                  */
+#define ESR_ST    23    /* Exception was caused by a store type access.      */
+
 enum {
     POWERPC_FLAG_NONE     = 0x00000000,
     /* Flag for MSR bit 25 signification (VRE/SPE)                           */
diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index f865d7a..3bc8a34 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -1325,8 +1325,15 @@ int get_physical_address (CPUState *env, mmu_ctx_t *ctx, target_ulong eaddr,
 #endif
     if ((access_type == ACCESS_CODE && msr_ir == 0) ||
         (access_type != ACCESS_CODE && msr_dr == 0)) {
-        /* No address translation */
-        ret = check_physical(env, ctx, eaddr, rw);
+        if (env->mmu_model == POWERPC_MMU_BOOKE) {
+            /* The BookE MMU always performs address translation. The
+               IS and DS bits only affect the address space.  */
+            ret = mmubooke_get_physical_address(env, ctx, eaddr,
+                                                rw, access_type);
+        } else {
+            /* No address translation.  */
+            ret = check_physical(env, ctx, eaddr, rw);
+        }
     } else {
         ret = -1;
         switch (env->mmu_model) {
@@ -1444,8 +1451,9 @@ int cpu_ppc_handle_mmu_fault (CPUState *env, target_ulong address, int rw,
                     env->error_code = 0x40000000;
                     break;
                 case POWERPC_MMU_BOOKE:
-                    /* XXX: TODO */
-                    cpu_abort(env, "BookE MMU model is not implemented\n");
+                    env->exception_index = POWERPC_EXCP_ITLB;
+                    env->error_code = 0;
+                    env->spr[SPR_BOOKE_DEAR] = address;
                     return -1;
                 case POWERPC_MMU_BOOKE_FSL:
                     /* XXX: TODO */
@@ -1471,6 +1479,9 @@ int cpu_ppc_handle_mmu_fault (CPUState *env, target_ulong address, int rw,
                 break;
             case -3:
                 /* No execute protection violation */
+                if (env->mmu_model == POWERPC_MMU_BOOKE) {
+                    env->spr[SPR_BOOKE_ESR] = 0x00000000;
+                }
                 env->exception_index = POWERPC_EXCP_ISI;
                 env->error_code = 0x10000000;
                 break;
@@ -1556,8 +1567,10 @@ int cpu_ppc_handle_mmu_fault (CPUState *env, target_ulong address, int rw,
                     cpu_abort(env, "MPC8xx MMU model is not implemented\n");
                     break;
                 case POWERPC_MMU_BOOKE:
-                    /* XXX: TODO */
-                    cpu_abort(env, "BookE MMU model is not implemented\n");
+                    env->exception_index = POWERPC_EXCP_DTLB;
+                    env->error_code = 0;
+                    env->spr[SPR_BOOKE_DEAR] = address;
+                    env->spr[SPR_BOOKE_ESR] = rw ? 1 << ESR_ST : 0;
                     return -1;
                 case POWERPC_MMU_BOOKE_FSL:
                     /* XXX: TODO */
@@ -1582,6 +1595,9 @@ int cpu_ppc_handle_mmu_fault (CPUState *env, target_ulong address, int rw,
                     if (rw) {
                         env->spr[SPR_40x_ESR] |= 0x00800000;
                     }
+                } else if (env->mmu_model == POWERPC_MMU_BOOKE) {
+                    env->spr[SPR_BOOKE_DEAR] = address;
+                    env->spr[SPR_BOOKE_ESR] = rw ? 1 << ESR_ST : 0;
                 } else {
                     env->spr[SPR_DAR] = address;
                     if (rw == 1) {
@@ -1848,8 +1864,7 @@ void ppc_tlb_invalidate_all (CPUPPCState *env)
         cpu_abort(env, "MPC8xx MMU model is not implemented\n");
         break;
     case POWERPC_MMU_BOOKE:
-        /* XXX: TODO */
-        cpu_abort(env, "BookE MMU model is not implemented\n");
+        tlb_flush(env, 1);
         break;
     case POWERPC_MMU_BOOKE_FSL:
         /* XXX: TODO */
@@ -2607,6 +2622,13 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
     /* Reset exception state */
     env->exception_index = POWERPC_EXCP_NONE;
     env->error_code = 0;
+
+    if (env->mmu_model == POWERPC_MMU_BOOKE) {
+        /* XXX: The BookE changes address space when switching modes,
+                we should probably implement that as different MMU indexes,
+                but for the moment we do it the slow way and flush all.  */
+        tlb_flush(env, 1);
+    }
 }
 
 void do_interrupt (CPUState *env)
commit c973a36d178510790c148f88104b85016f59235a
Author: malc <av1474 at comtv.ru>
Date:   Thu Sep 23 22:16:15 2010 +0400

    fmopl: workaround for -Wempty-body
    
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/fmopl.c b/hw/fmopl.c
index d1161f8..3df1806 100644
--- a/hw/fmopl.c
+++ b/hw/fmopl.c
@@ -1342,8 +1342,9 @@ unsigned char OPLRead(FM_OPL *OPL,int a)
 		{
 			if(OPL->keyboardhandler_r)
 				return OPL->keyboardhandler_r(OPL->keyboard_param);
-			else
+			else {
 				LOG(LOG_WAR,("OPL:read unmapped KEYBOARD port\n"));
+			}
 		}
 		return 0;
 #if 0
@@ -1355,8 +1356,9 @@ unsigned char OPLRead(FM_OPL *OPL,int a)
 		{
 			if(OPL->porthandler_r)
 				return OPL->porthandler_r(OPL->port_param);
-			else
+			else {
 				LOG(LOG_WAR,("OPL:read unmapped I/O port\n"));
+			}
 		}
 		return 0;
 	case 0x1a: /* PCM-DATA    */
commit dd67374ebb2f404b1b4b8e1abb1d189a7aff7f4c
Merge: aa85bd8... 09cc819...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 18:16:26 2010 -0300

    Merge branch 'upstream-merge'
    
    * upstream-merge: (154 commits)
      Move macros GCC_ATTR and GCC_FMT_ATTR to common header file
      Fix OpenBSD build
      block-verify: fix 32-bit build
      Fix compilation error (missing include statement)
      mips_malta: Fix format strings
      mips_fulong2e: Fix format strings
      trace: Fix user emulator dependency on trace objects
      blkverify: Add block driver for verifying I/O
      scsi_bus: fix length and xfer_mode for RESERVE and RELEASE commands
      scsi-generic: add missing reset handler
      qcow2: Avoid bounce buffers for AIO write requests
      qcow2: Avoid bounce buffers for AIO read requests
      cutils: qemu_iovec_copy and qemu_iovec_memset
      ide: propagate the required alignment
      scsi-disk: propagate the required alignment
      virtio-blk: propagate the required alignment
      qcow2: Get rid of additional sync on COW
      qcow2: Move sync out of qcow2_alloc_clusters
      qcow2: Move sync out of update_refcount
      qcow2: Move sync out of write_refcount_block_entries
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit 09cc81988ff2ce037522e18f1b524afd2c938bb6
Merge: e1484cd... 9c9e7d5...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 18:15:28 2010 -0300

    Merge commit '9c9e7d51bf01afdd4902bc9832c4a6ec19f68d0b' into upstream-merge
    
    * commit '9c9e7d51bf01afdd4902bc9832c4a6ec19f68d0b': (31 commits)
      Move macros GCC_ATTR and GCC_FMT_ATTR to common header file
      Fix OpenBSD build
      block-verify: fix 32-bit build
      Fix compilation error (missing include statement)
      mips_malta: Fix format strings
      mips_fulong2e: Fix format strings
      trace: Fix user emulator dependency on trace objects
      blkverify: Add block driver for verifying I/O
      scsi_bus: fix length and xfer_mode for RESERVE and RELEASE commands
      scsi-generic: add missing reset handler
      qcow2: Avoid bounce buffers for AIO write requests
      qcow2: Avoid bounce buffers for AIO read requests
      cutils: qemu_iovec_copy and qemu_iovec_memset
      ide: propagate the required alignment
      scsi-disk: propagate the required alignment
      virtio-blk: propagate the required alignment
      qcow2: Get rid of additional sync on COW
      qcow2: Move sync out of qcow2_alloc_clusters
      qcow2: Move sync out of update_refcount
      qcow2: Move sync out of write_refcount_block_entries
      ...
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit e1484cdeae83253e1ae743855710c1d2ced75ec6
Merge: ecc7eb8... 6b37c87...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 18:12:04 2010 -0300

    Merge commit '6b37c87c96a5b148685e8e6bf09d0aca953cb1a8' into upstream-merge
    
    * commit '6b37c87c96a5b148685e8e6bf09d0aca953cb1a8':
      vhost: fix infinite loop on error path
    
    Conflicts:
    	hw/vhost_net.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

commit ecc7eb87fb3a26131df8b0687a5dc5d726428080
Merge: 222f989... 0b65b9e...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 18:08:43 2010 -0300

    Merge commit '0b65b9e105ce5bc29d9412e0df476fd0cef3b8e2' into upstream-merge
    
    * commit '0b65b9e105ce5bc29d9412e0df476fd0cef3b8e2':
      Use gcc warning flag -Wnested-externs
      Use gcc warning flag -Wempty-body
      Use a few more gcc warning flags
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/i8259.c
index 11060d3,a8dbee6..986dcf5
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@@ -224,31 -221,15 +224,31 @@@ static inline void pic_intack(PicState 
      /* We don't clear a level sensitive interrupt here */
      if (!(s->elcr & (1 << irq)))
          s->irr &= ~(1 << irq);
 +
  }
  
 +extern int time_drift_fix;
++extern int64_t timer_acks, timer_ints_to_push;
 +
  int pic_read_irq(PicState2 *s)
  {
      int irq, irq2, intno;
  
      irq = pic_get_irq(&s->pics[0]);
      if (irq >= 0) {
 +
          pic_intack(&s->pics[0], irq);
 +#ifdef TARGET_I386
 +	if (time_drift_fix && irq == 0) {
- 	    extern int64_t timer_acks, timer_ints_to_push;
 +	    timer_acks++;
 +	    if (timer_ints_to_push > 0) {
 +		timer_ints_to_push--;
 +                /* simulate an edge irq0, like the one generated by i8254 */
 +                pic_set_irq1(&s->pics[0], 0, 0);
 +                pic_set_irq1(&s->pics[0], 0, 1);
 +	    }
 +	}
 +#endif
          if (irq == 2) {
              irq2 = pic_get_irq(&s->pics[1]);
              if (irq2 >= 0) {
diff --cc hw/testdev.c
index a8c49a3,0000000..d1abf59
mode 100644,000000..100644
--- a/hw/testdev.c
+++ b/hw/testdev.c
@@@ -1,129 -1,0 +1,129 @@@
 +#include "hw.h"
 +#include "qdev.h"
 +#include "isa.h"
 +
 +struct testdev {
 +    ISADevice dev;
 +    CharDriverState *chr;
 +};
 +
 +static void test_device_serial_write(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    struct testdev *dev = opaque;
 +    uint8_t buf[1] = { data };
 +
 +    if (dev->chr) {
 +        qemu_chr_write(dev->chr, buf, 1);
 +    }
 +}
 +
 +static void test_device_exit(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    exit(data);
 +}
 +
 +static uint32_t test_device_memsize_read(void *opaque, uint32_t addr)
 +{
 +    return ram_size;
 +}
 +
++extern qemu_irq *ioapic_irq_hack;
++
 +static void test_device_irq_line(void *opaque, uint32_t addr, uint32_t data)
 +{
-     extern qemu_irq *ioapic_irq_hack;
- 
 +    qemu_set_irq(ioapic_irq_hack[addr - 0x2000], !!data);
 +}
 +
 +static uint32 test_device_ioport_data;
 +
 +static void test_device_ioport_write(void *opaque, uint32_t addr, uint32_t data)
 +{
 +    test_device_ioport_data = data;
 +}
 +
 +static uint32_t test_device_ioport_read(void *opaque, uint32_t addr)
 +{
 +    return test_device_ioport_data;
 +}
 +
 +static char *iomem_buf;
 +
 +static uint32_t test_iomem_readb(void *opaque, target_phys_addr_t addr)
 +{
 +    return iomem_buf[addr];
 +}
 +
 +static uint32_t test_iomem_readw(void *opaque, target_phys_addr_t addr)
 +{
 +    return *(uint16_t*)(iomem_buf + addr);
 +}
 +
 +static uint32_t test_iomem_readl(void *opaque, target_phys_addr_t addr)
 +{
 +    return *(uint32_t*)(iomem_buf + addr);
 +}
 +
 +static void test_iomem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    iomem_buf[addr] = val;
 +}
 +
 +static void test_iomem_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    *(uint16_t*)(iomem_buf + addr) = val;
 +}
 +
 +static void test_iomem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
 +{
 +    *(uint32_t*)(iomem_buf + addr) = val;
 +}
 +
 +static CPUReadMemoryFunc * const test_iomem_read[3] = {
 +    test_iomem_readb,
 +    test_iomem_readw,
 +    test_iomem_readl,
 +};
 +
 +static CPUWriteMemoryFunc * const test_iomem_write[3] = {
 +    test_iomem_writeb,
 +    test_iomem_writew,
 +    test_iomem_writel,
 +};
 +
 +static int init_test_device(ISADevice *isa)
 +{
 +    struct testdev *dev = DO_UPCAST(struct testdev, dev, isa);
 +    int iomem;
 +
 +    register_ioport_write(0xf1, 1, 1, test_device_serial_write, dev);
 +    register_ioport_write(0xf4, 1, 4, test_device_exit, dev);
 +    register_ioport_read(0xd1, 1, 4, test_device_memsize_read, dev);
 +    register_ioport_read(0xe0, 1, 1, test_device_ioport_read, dev);
 +    register_ioport_write(0xe0, 1, 1, test_device_ioport_write, dev);
 +    register_ioport_read(0xe0, 1, 2, test_device_ioport_read, dev);
 +    register_ioport_write(0xe0, 1, 2, test_device_ioport_write, dev);
 +    register_ioport_read(0xe0, 1, 4, test_device_ioport_read, dev);
 +    register_ioport_write(0xe0, 1, 4, test_device_ioport_write, dev);
 +    register_ioport_write(0x2000, 24, 1, test_device_irq_line, NULL);
 +    iomem_buf = qemu_mallocz(0x10000);
 +    iomem = cpu_register_io_memory(test_iomem_read, test_iomem_write, NULL);
 +    cpu_register_physical_memory(0xff000000, 0x10000, iomem);
 +    return 0;
 +}
 +
 +static ISADeviceInfo testdev_info = {
 +    .qdev.name  = "testdev",
 +    .qdev.size  = sizeof(struct testdev),
 +    .init       = init_test_device,
 +    .qdev.props = (Property[]) {
 +        DEFINE_PROP_CHR("chardev", struct testdev, chr),
 +        DEFINE_PROP_END_OF_LIST(),
 +    },
 +};
 +
 +static void testdev_register_devices(void)
 +{
 +    isa_qdev_register(&testdev_info);
 +}
 +
 +device_init(testdev_register_devices)
commit 222f9893f46f194a7183ae1621cb8c39ba8f339d
Merge: 325e233... 6e15cb5...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 17:39:08 2010 -0300

    Merge commit '6e15cb5f6d87d0039b4c1590d1577ae14db17b50' into upstream-merge
    
    * commit '6e15cb5f6d87d0039b4c1590d1577ae14db17b50':
      Use gcc warning flag -Wtype-limits
      pxa2xx: fix SSSR TFN logic
      MIPS: fix yield handling
      PPC: Suppress gcc warnings with -Wtype-limits
      blkdebug: fix enum comparison
      pxa2xx: remove useless checks
      Use range_covers_byte
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/vhost_net.c
index 4a7b819,4a7b819..e35ed0f
--- a/hw/vhost_net.c
+++ b/hw/vhost_net.c
@@@ -151,7 -151,7 +151,8 @@@ int vhost_net_start(struct vhost_net *n
      return 0;
  fail:
      file.fd = -1;
--    while (--file.index >= 0) {
++    while (file.index) {
++        file.index--;
          int r = ioctl(net->dev.control, VHOST_NET_SET_BACKEND, &file);
          assert(r >= 0);
      }
commit 325e23349d22e6c020dde4f75f93d457dafe1ae6
Merge: 1be764b... bf1b007...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 17:25:09 2010 -0300

    Merge commit 'bf1b00712375bea65f2254dea8281fa646eebbd5' into upstream-merge
    
    * commit 'bf1b00712375bea65f2254dea8281fa646eebbd5': (36 commits)
      Introduce range.h
      linux-user: improve flatload error checking
      linux-user: fix types in a comparison
      linux-user: fix socklen_t comparisons
      Check for errors during BIOS or kernel load
      Make ARP replies at least 64 bytes long
      Accept packets with TTL=1
      cris: Avoid spurios hw_abort on recursive bus faults
      PPC: Redesign interrupt trigger path
      PPC: Enable hint bits for lwarx/ldarx
      serial: Update parameters after load
      Remove wrong semicolon in macro definition
      serial: Wrap debug prints around a DPRINTF macro
      ESP: fix ESP DMA access when DMA is not enabled
      powerpc: Avoid TLB related log spamming
      trace: fix a regex portability problem
      trace: fix a typo
      HACKING: add rules for printf-like functions
      HACKING: add string management rules
      HACKING: add memory management rules
      ...
    
    Conflicts:
    	hw/msix.c
    	hw/piix_pci.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc hw/msix.c
index 3dd0456,b3bb92d..9663b17
--- a/hw/msix.c
+++ b/hw/msix.c
@@@ -14,7 -14,7 +14,8 @@@
  #include "hw.h"
  #include "msix.h"
  #include "pci.h"
+ #include "range.h"
 +#include "kvm.h"
  
  /* MSI-X capability structure */
  #define MSIX_TABLE_OFFSET 4
diff --cc hw/pci.c
index 70dbace,6d0934d..9b1b7a1
--- a/hw/pci.c
+++ b/hw/pci.c
@@@ -27,10 -27,8 +27,11 @@@
  #include "net.h"
  #include "sysemu.h"
  #include "loader.h"
 +#include "qemu-kvm.h"
 +#include "hw/pc.h"
 +#include "device-assignment.h"
  #include "qemu-objects.h"
+ #include "range.h"
  
  //#define DEBUG_PCI
  #ifdef DEBUG_PCI
diff --cc hw/piix_pci.c
index f224ce7,b5589b9..00060f3
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@@ -28,7 -28,7 +28,8 @@@
  #include "pci_host.h"
  #include "isa.h"
  #include "sysbus.h"
+ #include "range.h"
 +#include "kvm.h"
  
  /*
   * I440FX chipset data sheet.
diff --cc posix-aio-compat.c
index 79da853,10f1f03..a75a43a
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@@ -25,8 -25,8 +25,9 @@@
  #include "qemu-queue.h"
  #include "osdep.h"
  #include "qemu-common.h"
+ #include "trace.h"
  #include "block_int.h"
 +#include "compatfd.h"
  
  #include "block/raw-posix-aio.h"
  
diff --cc qemu-options.hx
index 2006726,a0b5ae9..5e5676a
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@@ -2232,36 -2230,18 +2232,47 @@@ Normally QEMU loads a configuration fil
  @var{sysconfdir}/target- at var{ARCH}.conf on startup.  The @code{-nodefconfig}
  option will prevent QEMU from loading these configuration files at startup.
  ETEXI
+ #ifdef CONFIG_SIMPLE_TRACE
+ DEF("trace", HAS_ARG, QEMU_OPTION_trace,
+     "-trace\n"
+     "                Specify a trace file to log traces to\n",
+     QEMU_ARCH_ALL)
+ STEXI
+ @item -trace
+ @findex -trace
+ Specify a trace file to log output traces to.
+ ETEXI
+ #endif
  
 +DEF("no-kvm", 0, QEMU_OPTION_no_kvm,
 +    "-no-kvm         disable KVM hardware virtualization\n",
 +    QEMU_ARCH_ALL)
 +DEF("no-kvm-irqchip", 0, QEMU_OPTION_no_kvm_irqchip,
 +    "-no-kvm-irqchip disable KVM kernel mode PIC/IOAPIC/LAPIC\n",
 +    QEMU_ARCH_I386)
 +DEF("no-kvm-pit", 0, QEMU_OPTION_no_kvm_pit,
 +    "-no-kvm-pit     disable KVM kernel mode PIT\n",
 +    QEMU_ARCH_I386)
 +DEF("no-kvm-pit-reinjection", 0, QEMU_OPTION_no_kvm_pit_reinjection,
 +    "-no-kvm-pit-reinjection\n"
 +    "                disable KVM kernel mode PIT interrupt reinjection\n",
 +    QEMU_ARCH_I386)
 +DEF("pcidevice", HAS_ARG, QEMU_OPTION_pcidevice,
 +    "-pcidevice host=[seg:]bus:dev.func[,dma=none][,name=string]\n"
 +    "                expose a PCI device to the guest OS\n"
 +    "                dma=none: don't perform any dma translations (default is to use an iommu)\n"
 +    "                'string' is used in log output\n", QEMU_ARCH_I386)
 +DEF("enable-nesting", 0, QEMU_OPTION_enable_nesting,
 +    "-enable-nesting enable support for running a VM inside the VM (AMD only)\n", QEMU_ARCH_I386)
 +DEF("nvram", HAS_ARG, QEMU_OPTION_nvram,
 +    "-nvram FILE     provide ia64 nvram contents\n", QEMU_ARCH_ALL)
 +DEF("tdf", 0, QEMU_OPTION_tdf,
 +    "-tdf            enable guest time drift compensation\n", QEMU_ARCH_ALL)
 +DEF("kvm-shadow-memory", HAS_ARG, QEMU_OPTION_kvm_shadow_memory,
 +    "-kvm-shadow-memory MEGABYTES\n"
 +    "                allocate MEGABYTES for kvm mmu shadowing\n",
 +    QEMU_ARCH_I386)
 +
  HXCOMM This is the last statement. Insert new options before this line!
  STEXI
  @end table
commit 1be764b0d34f7e1f169296fd27e5567a5e208849
Merge: aa85bd8... 22890ab...
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 23 17:21:16 2010 -0300

    Merge commit '22890ab5e825601f4c3d5a1a6b4197904e5d1fee' into upstream-merge
    
    * commit '22890ab5e825601f4c3d5a1a6b4197904e5d1fee': (76 commits)
      trace: Support for dynamically enabling/disabling trace events
      trace: Add simple built-in tracing backend
      trace: Add trace-events file for declaring trace events
      microblaze: Add support for fcmp.un
      elf: Calculate symbol size if needed
      Fix OpenBSD build warning
      microblaze: User-mode emulation of hw-excp signals
      microblaze: Add basic FPU emulation
      microblaze: Add definitions for FSR reg fields
      Revert "Make default invocation of block drivers safer (v3)"
      Revert "PPC: Qdev'ify e500 pci"
      Revert "PPC: Make e500 pci byte swap config data"
      virtio-9p: Change handling of flags in open() path for 9P2000.L
      [virtio-9p] This patch implements TLERROR/RLERROR on the qemu 9P server.
      [virtio-9p] Remove all instances of unnecessary dotu variable.
      virtio-9p: Add support for removing xattr
      virtio-9p: Fix the memset usage
      virtio-9p: Use lchown which won't follow symlink
      virtio-9p: Add SM_NONE security model
      virtio-9p: Hide user.virtfs xattr in case of mapped security.
      ...
    
    Conflicts:
    	monitor.c
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --cc monitor.c
index bec227d,0e69bc8..4054b53
--- a/monitor.c
+++ b/monitor.c
@@@ -56,7 -56,9 +56,10 @@@
  #include "json-parser.h"
  #include "osdep.h"
  #include "exec-all.h"
+ #ifdef CONFIG_SIMPLE_TRACE
+ #include "trace.h"
+ #endif
 +#include "qemu-kvm.h"
  
  //#define DEBUG
  //#define DEBUG_COMPLETION
commit 9c9e7d51bf01afdd4902bc9832c4a6ec19f68d0b
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Tue Sep 21 22:27:49 2010 +0200

    Move macros GCC_ATTR and GCC_FMT_ATTR to common header file
    
    By moving the definition of GCC_ATTR and GCC_FMT_ATTR
    from audio_int.h to qemu-common.h these macros are
    now generally available for further patches which add
    the gcc format attribute.
    
    Newer gcc versions support format gnu_printf which is
    better suited for use in QEMU than format printf
    (QEMU always uses standard format strings (even with mingw32)).
    
    V2: Use correct operator '==' (instead of '=')
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/audio/audio_int.h b/audio/audio_int.h
index 06e313f..d8560b6 100644
--- a/audio/audio_int.h
+++ b/audio/audio_int.h
@@ -236,14 +236,6 @@ static inline int audio_ring_dist (int dst, int src, int len)
     return (dst >= src) ? (dst - src) : (len - src + dst);
 }
 
-#if defined __GNUC__
-#define GCC_ATTR __attribute__ ((__unused__, __format__ (__printf__, 1, 2)))
-#define GCC_FMT_ATTR(n, m) __attribute__ ((__format__ (__printf__, n, m)))
-#else
-#define GCC_ATTR /**/
-#define GCC_FMT_ATTR(n, m)
-#endif
-
 static void GCC_ATTR dolog (const char *fmt, ...)
 {
     va_list ap;
diff --git a/qemu-common.h b/qemu-common.h
index 5544ffd..88c5207 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -70,6 +70,22 @@ struct iovec {
 #include <sys/uio.h>
 #endif
 
+#if defined __GNUC__
+# if (__GNUC__ < 4) || \
+     defined(__GNUC_MINOR__) && (__GNUC__ == 4) && (__GNUC_MINOR__ < 4)
+   /* gcc versions before 4.4.x don't support gnu_printf, so use printf. */
+#  define GCC_ATTR __attribute__((__unused__, format(printf, 1, 2)))
+#  define GCC_FMT_ATTR(n, m) __attribute__((format(printf, n, m)))
+# else
+   /* Use gnu_printf when supported (qemu uses standard format strings). */
+#  define GCC_ATTR __attribute__((__unused__, format(gnu_printf, 1, 2)))
+#  define GCC_FMT_ATTR(n, m) __attribute__((format(gnu_printf, n, m)))
+# endif
+#else
+#define GCC_ATTR /**/
+#define GCC_FMT_ATTR(n, m)
+#endif
+
 #ifdef _WIN32
 #define fsync _commit
 #define lseek _lseeki64
commit 80bb8cba0af8a77341ef91ff9d5a2d84cad1880f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Wed Sep 22 19:51:33 2010 +0300

    Fix OpenBSD build
    
    Add #include <sys/types.h>, needed by #include <sys/socket.h>.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu_socket.h b/qemu_socket.h
index 164ae3e..897a8ae 100644
--- a/qemu_socket.h
+++ b/qemu_socket.h
@@ -17,6 +17,7 @@ int inet_aton(const char *cp, struct in_addr *ia);
 
 #else
 
+#include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
commit 687db4ed2ecd5fd74c94fbb420482823cca4ab7e
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 22 14:46:33 2010 -0500

    block-verify: fix 32-bit build
    
    Reported-by: Peter Lemenkov <lemenkov at gmail.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/block/blkverify.c b/block/blkverify.c
index 4202685..8083464 100644
--- a/block/blkverify.c
+++ b/block/blkverify.c
@@ -58,7 +58,7 @@ static void blkverify_err(BlkverifyAIOCB *acb, const char *fmt, ...)
     va_list ap;
 
     va_start(ap, fmt);
-    fprintf(stderr, "blkverify: %s sector_num=%ld nb_sectors=%d ",
+    fprintf(stderr, "blkverify: %s sector_num=%" PRId64 " nb_sectors=%d ",
             acb->is_write ? "write" : "read", acb->sector_num,
             acb->nb_sectors);
     vfprintf(stderr, fmt, ap);
commit 879f0655579a1f94fab2cd20a1597aef9a3117ef
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Wed Sep 22 20:56:35 2010 +0200

    Fix compilation error (missing include statement)
    
    ./hw/sd.c: In function ‘sd_init’:
    ./hw/sd.c:443: error: implicit declaration of function ‘qemu_blockalign’
    ./hw/sd.c:443: error: nested extern declaration of ‘qemu_blockalign’
    ./hw/sd.c:443: error: assignment makes pointer from integer without a cast
    
    Cc: Christoph Hellwig <hch at lst.de>
    Cc: Kevin Wolf <kwolf at redhat.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/sd.c b/hw/sd.c
index 4bcf1c0..601545b 100644
--- a/hw/sd.c
+++ b/hw/sd.c
@@ -31,6 +31,7 @@
 
 #include "hw.h"
 #include "block.h"
+#include "block_int.h"
 #include "sd.h"
 
 //#define DEBUG_SD 1
commit e1bb0a1a6c7c6d51443856ca90bd538b1ef5feeb
Merge: f36d53e... d9d3341...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Tue Sep 21 17:50:58 2010 -0500

    Merge remote branch 'kwolf/for-anthony' into staging

commit aa85bd8b64ee49f99961e6c4d5ed9e0fcb913ac1
Author: Gleb Natapov <gleb at redhat.com>
Date:   Tue Sep 21 14:31:42 2010 +0200

    support piix PAM registers in KVM
    
    Without this BIOS fails to remap 0xf0000 memory from ROM to RAM so writes
    to F-segment modify ROM content instead of memory copy. Since QEMU does
    not reloads ROMs during reset on next boot modified copy of BIOS is used.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/piix_pci.c b/hw/piix_pci.c
index 933ad86..f224ce7 100644
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@ -99,10 +99,6 @@ static void i440fx_update_memory_mappings(PCII440FXState *d)
     int i, r;
     uint32_t smram, addr;
 
-    if (kvm_enabled()) {
-        /* FIXME: Support remappings and protection changes. */
-        return;
-    }
     update_pam(d, 0xf0000, 0x100000, (d->dev.config[I440FX_PAM] >> 4) & 3);
     for(i = 0; i < 12; i++) {
         r = (d->dev.config[(i >> 1) + (I440FX_PAM + 1)] >> ((i & 1) * 4)) & 3;
commit f36d53ef6cb848d5cf204b0854b12e0359f0fd7e
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Sep 20 22:18:01 2010 +0200

    mips_malta: Fix format strings
    
    Fix two compiler warnings (when format attribute is applied).
    
    Cc: Aurelien Jarno <aurelien at aurel32.net>
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index ec95cd8..1cb7880 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -728,13 +728,13 @@ static int64_t load_kernel (void)
     prom_size = ENVP_NB_ENTRIES * (sizeof(int32_t) + ENVP_ENTRY_SIZE);
     prom_buf = qemu_malloc(prom_size);
 
-    prom_set(prom_buf, prom_index++, loaderparams.kernel_filename);
+    prom_set(prom_buf, prom_index++, "%s", loaderparams.kernel_filename);
     if (initrd_size > 0) {
         prom_set(prom_buf, prom_index++, "rd_start=0x%" PRIx64 " rd_size=%li %s",
                  cpu_mips_phys_to_kseg0(NULL, initrd_offset), initrd_size,
                  loaderparams.kernel_cmdline);
     } else {
-        prom_set(prom_buf, prom_index++, loaderparams.kernel_cmdline);
+        prom_set(prom_buf, prom_index++, "%s", loaderparams.kernel_cmdline);
     }
 
     prom_set(prom_buf, prom_index++, "memsize");
commit 1ed1139dc4772d0cc692a21fefb2ad598932d2be
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Sep 20 22:18:00 2010 +0200

    mips_fulong2e: Fix format strings
    
    Fix two compiler warnings (when format attribute is applied)
    and one error (missing %) in format strings.
    
    Cc: Aurelien Jarno <aurelien at aurel32.net>
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index ac82067..61ca9c4 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -141,13 +141,13 @@ static int64_t load_kernel (CPUState *env)
     prom_size = ENVP_NB_ENTRIES * (sizeof(int32_t) + ENVP_ENTRY_SIZE);
     prom_buf = qemu_malloc(prom_size);
 
-    prom_set(prom_buf, index++, loaderparams.kernel_filename);
+    prom_set(prom_buf, index++, "%s", loaderparams.kernel_filename);
     if (initrd_size > 0) {
-        prom_set(prom_buf, index++, "rd_start=0x" PRIx64 " rd_size=%li %s",
+        prom_set(prom_buf, index++, "rd_start=0x%" PRIx64 " rd_size=%li %s",
                  cpu_mips_phys_to_kseg0(NULL, initrd_offset), initrd_size,
                  loaderparams.kernel_cmdline);
     } else {
-        prom_set(prom_buf, index++, loaderparams.kernel_cmdline);
+        prom_set(prom_buf, index++, "%s", loaderparams.kernel_cmdline);
     }
 
     /* Setup minimum environment variables */
commit 91f169004d9e9febbf9134c8fc068d6e04613b9c
Author: Andreas Färber <andreas.faerber at web.de>
Date:   Sun Sep 12 17:21:36 2010 +0200

    trace: Fix user emulator dependency on trace objects
    
    On a clean build, after generating trace.h, make would recurse into *-*-user
    without a clue how to build ../trace.o (added to $(obj-y) in Makefile.target)
    since its generation rule is in the main Makefile.
    The softmmus are seemingly unaffected because the $(TOOLS), which each have
    a dependency on $(trace-obj-y), are built first for the build-all target.
    
    Add a dependency on $(trace-obj-y) for %-user, as done for the qemu-* tools.
    
    Let's be paranoid and do the same for %-softmmu while at it, just in case
    someone messes with $(TOOLS) or calls the Makefile target directly.
    
    Signed-off-by: Andreas Färber <andreas.faerber at web.de>
    Acked-by: Stefan Weil <weil at mail.berlios.de>
    Cc: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Cc: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Cc: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/Makefile b/Makefile
index ab91d42..090d632 100644
--- a/Makefile
+++ b/Makefile
@@ -80,9 +80,9 @@ include $(SRC_PATH)/Makefile.objs
 endif
 
 $(common-obj-y): $(GENERATED_HEADERS)
-$(filter %-softmmu,$(SUBDIR_RULES)): $(common-obj-y) subdir-libdis
+$(filter %-softmmu,$(SUBDIR_RULES)): $(trace-obj-y) $(common-obj-y) subdir-libdis
 
-$(filter %-user,$(SUBDIR_RULES)): $(GENERATED_HEADERS) subdir-libdis-user subdir-libuser
+$(filter %-user,$(SUBDIR_RULES)): $(GENERATED_HEADERS) $(trace-obj-y) subdir-libdis-user subdir-libuser
 
 ROMSUBDIR_RULES=$(patsubst %,romsubdir-%, $(ROMS))
 romsubdir-%:
commit 869564a9c0f78b1972e1ac51e69cb2016af3b060
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Apr 13 09:05:03 2010 +0200

    spice: add tablet support
    
    Add support for the spice tablet interface.  The tablet interface will
    be registered (and then used by the spice client) as soon as a absolute
    pointing device is available and used by the guest, i.e. you'll have to
    configure your guest with '-usbdevice tablet'.

diff --git a/ui/spice-display.c b/ui/spice-display.c
index 0bc230e..6702dfd 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -180,7 +180,7 @@ void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd)
     surface.width      = ds_get_width(ssd->ds);
     surface.height     = ds_get_height(ssd->ds);
     surface.stride     = -surface.width * 4;
-    surface.mouse_mode = 0;
+    surface.mouse_mode = true;
     surface.flags      = 0;
     surface.type       = 0;
     surface.mem        = (intptr_t)ssd->buf;
diff --git a/ui/spice-input.c b/ui/spice-input.c
index 91cf18d..37c8578 100644
--- a/ui/spice-input.c
+++ b/ui/spice-input.c
@@ -17,6 +17,7 @@
 
 #include <stdlib.h>
 #include <stdio.h>
+#include <stdbool.h>
 #include <string.h>
 
 #include <spice.h>
@@ -76,9 +77,13 @@ static void kbd_leds(void *opaque, int ledstate)
 
 /* mouse bits */
 
-typedef struct QemuSpiceMouse {
-    SpiceMouseInstance sin;
-} QemuSpiceMouse;
+typedef struct QemuSpicePointer {
+    SpiceMouseInstance  mouse;
+    SpiceTabletInstance tablet;
+    int width, height, x, y;
+    Notifier mouse_mode;
+    bool absolute;
+} QemuSpicePointer;
 
 static int map_buttons(int spice_buttons)
 {
@@ -121,17 +126,92 @@ static const SpiceMouseInterface mouse_interface = {
     .buttons            = mouse_buttons,
 };
 
+static void tablet_set_logical_size(SpiceTabletInstance* sin, int width, int height)
+{
+    QemuSpicePointer *pointer = container_of(sin, QemuSpicePointer, tablet);
+
+    if (height < 16) {
+        height = 16;
+    }
+    if (width < 16) {
+        width = 16;
+    }
+    pointer->width  = width;
+    pointer->height = height;
+}
+
+static void tablet_position(SpiceTabletInstance* sin, int x, int y,
+                            uint32_t buttons_state)
+{
+    QemuSpicePointer *pointer = container_of(sin, QemuSpicePointer, tablet);
+
+    pointer->x = x * 0x7FFF / (pointer->width - 1);
+    pointer->y = y * 0x7FFF / (pointer->height - 1);
+    kbd_mouse_event(pointer->x, pointer->y, 0, map_buttons(buttons_state));
+}
+
+
+static void tablet_wheel(SpiceTabletInstance* sin, int wheel,
+                         uint32_t buttons_state)
+{
+    QemuSpicePointer *pointer = container_of(sin, QemuSpicePointer, tablet);
+
+    kbd_mouse_event(pointer->x, pointer->y, wheel, map_buttons(buttons_state));
+}
+
+static void tablet_buttons(SpiceTabletInstance *sin,
+                           uint32_t buttons_state)
+{
+    QemuSpicePointer *pointer = container_of(sin, QemuSpicePointer, tablet);
+
+    kbd_mouse_event(pointer->x, pointer->y, 0, map_buttons(buttons_state));
+}
+
+static const SpiceTabletInterface tablet_interface = {
+    .base.type          = SPICE_INTERFACE_TABLET,
+    .base.description   = "tablet",
+    .base.major_version = SPICE_INTERFACE_TABLET_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_TABLET_MINOR,
+    .set_logical_size   = tablet_set_logical_size,
+    .position           = tablet_position,
+    .wheel              = tablet_wheel,
+    .buttons            = tablet_buttons,
+};
+
+static void mouse_mode_notifier(Notifier *notifier)
+{
+    QemuSpicePointer *pointer = container_of(notifier, QemuSpicePointer, mouse_mode);
+    bool is_absolute  = kbd_mouse_is_absolute();
+
+    if (pointer->absolute == is_absolute) {
+        return;
+    }
+
+    if (is_absolute) {
+        qemu_spice_add_interface(&pointer->tablet.base);
+    } else {
+        spice_server_remove_interface(&pointer->tablet.base);
+    }
+    pointer->absolute = is_absolute;
+}
+
 void qemu_spice_input_init(void)
 {
     QemuSpiceKbd *kbd;
-    QemuSpiceMouse *mouse;
+    QemuSpicePointer *pointer;
 
     kbd = qemu_mallocz(sizeof(*kbd));
     kbd->sin.base.sif = &kbd_interface.base;
     qemu_spice_add_interface(&kbd->sin.base);
     qemu_add_led_event_handler(kbd_leds, kbd);
 
-    mouse = qemu_mallocz(sizeof(*mouse));
-    mouse->sin.base.sif = &mouse_interface.base;
-    qemu_spice_add_interface(&mouse->sin.base);
+    pointer = qemu_mallocz(sizeof(*pointer));
+    pointer->mouse.base.sif  = &mouse_interface.base;
+    pointer->tablet.base.sif = &tablet_interface.base;
+    qemu_spice_add_interface(&pointer->mouse.base);
+
+    pointer->absolute = false;
+    pointer->mouse_mode.notify = mouse_mode_notifier;
+    qemu_add_mouse_mode_change_notifier(&pointer->mouse_mode);
+    mouse_mode_notifier(&pointer->mouse_mode);
 }
commit a3e2226031496f479b5fe4a069ec1acd68a17e8d
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Aug 25 15:32:06 2010 +0200

    spice: simple display
    
    With that patch applied you'll actually see the guests screen in the
    spice client.  This does *not* bring qxl and full spice support though.
    This is basically the qxl vga mode made more generic, so it plays
    together with any qemu-emulated gfx card.  You can display stdvga or
    cirrus via spice client.  You can have both vnc and spice enabled and
    clients connected at the same time.

diff --git a/Makefile.objs b/Makefile.objs
index a95106f..a3113d8 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -88,7 +88,7 @@ common-obj-y += pflib.o
 common-obj-$(CONFIG_BRLAPI) += baum.o
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
 
-common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o
+common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o ui/spice-display.o
 
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 175c961..063c7dc 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -29,6 +29,7 @@ extern int using_spice;
 
 void qemu_spice_init(void);
 void qemu_spice_input_init(void);
+void qemu_spice_display_init(DisplayState *ds);
 int qemu_spice_add_interface(SpiceBaseInstance *sin);
 
 #else  /* CONFIG_SPICE */
diff --git a/ui/spice-display.c b/ui/spice-display.c
new file mode 100644
index 0000000..0bc230e
--- /dev/null
+++ b/ui/spice-display.c
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <pthread.h>
+
+#include "qemu-common.h"
+#include "qemu-spice.h"
+#include "qemu-timer.h"
+#include "qemu-queue.h"
+#include "monitor.h"
+#include "console.h"
+#include "sysemu.h"
+
+#include "spice-display.h"
+
+static int debug = 0;
+
+static void __attribute__((format(printf,2,3)))
+dprint(int level, const char *fmt, ...)
+{
+    va_list args;
+
+    if (level <= debug) {
+        va_start(args, fmt);
+        vfprintf(stderr, fmt, args);
+        va_end(args);
+    }
+}
+
+int qemu_spice_rect_is_empty(const QXLRect* r)
+{
+    return r->top == r->bottom || r->left == r->right;
+}
+
+void qemu_spice_rect_union(QXLRect *dest, const QXLRect *r)
+{
+    if (qemu_spice_rect_is_empty(r)) {
+        return;
+    }
+
+    if (qemu_spice_rect_is_empty(dest)) {
+        *dest = *r;
+        return;
+    }
+
+    dest->top = MIN(dest->top, r->top);
+    dest->left = MIN(dest->left, r->left);
+    dest->bottom = MAX(dest->bottom, r->bottom);
+    dest->right = MAX(dest->right, r->right);
+}
+
+/*
+ * Called from spice server thread context (via interface_get_command).
+ * We do *not* hold the global qemu mutex here, so extra care is needed
+ * when calling qemu functions.  Qemu interfaces used:
+ *    - pflib (is re-entrant).
+ *    - qemu_malloc (underlying glibc malloc is re-entrant).
+ */
+SimpleSpiceUpdate *qemu_spice_create_update(SimpleSpiceDisplay *ssd)
+{
+    SimpleSpiceUpdate *update;
+    QXLDrawable *drawable;
+    QXLImage *image;
+    QXLCommand *cmd;
+    uint8_t *src, *dst;
+    int by, bw, bh;
+
+    if (qemu_spice_rect_is_empty(&ssd->dirty)) {
+        return NULL;
+    };
+
+    pthread_mutex_lock(&ssd->lock);
+    dprint(2, "%s: lr %d -> %d,  tb -> %d -> %d\n", __FUNCTION__,
+           ssd->dirty.left, ssd->dirty.right,
+           ssd->dirty.top, ssd->dirty.bottom);
+
+    update   = qemu_mallocz(sizeof(*update));
+    drawable = &update->drawable;
+    image    = &update->image;
+    cmd      = &update->ext.cmd;
+
+    bw       = ssd->dirty.right - ssd->dirty.left;
+    bh       = ssd->dirty.bottom - ssd->dirty.top;
+    update->bitmap = qemu_malloc(bw * bh * 4);
+
+    drawable->bbox            = ssd->dirty;
+    drawable->clip.type       = SPICE_CLIP_TYPE_NONE;
+    drawable->effect          = QXL_EFFECT_OPAQUE;
+    drawable->release_info.id = (intptr_t)update;
+    drawable->type            = QXL_DRAW_COPY;
+    drawable->surfaces_dest[0] = -1;
+    drawable->surfaces_dest[1] = -1;
+    drawable->surfaces_dest[2] = -1;
+
+    drawable->u.copy.rop_descriptor  = SPICE_ROPD_OP_PUT;
+    drawable->u.copy.src_bitmap      = (intptr_t)image;
+    drawable->u.copy.src_area.right  = bw;
+    drawable->u.copy.src_area.bottom = bh;
+
+    QXL_SET_IMAGE_ID(image, QXL_IMAGE_GROUP_DEVICE, ssd->unique++);
+    image->descriptor.type   = SPICE_IMAGE_TYPE_BITMAP;
+    image->bitmap.flags      = QXL_BITMAP_DIRECT | QXL_BITMAP_TOP_DOWN;
+    image->bitmap.stride     = bw * 4;
+    image->descriptor.width  = image->bitmap.x = bw;
+    image->descriptor.height = image->bitmap.y = bh;
+    image->bitmap.data = (intptr_t)(update->bitmap);
+    image->bitmap.palette = 0;
+    image->bitmap.format = SPICE_BITMAP_FMT_32BIT;
+
+    if (ssd->conv == NULL) {
+        PixelFormat dst = qemu_default_pixelformat(32);
+        ssd->conv = qemu_pf_conv_get(&dst, &ssd->ds->surface->pf);
+        assert(ssd->conv);
+    }
+
+    src = ds_get_data(ssd->ds) +
+        ssd->dirty.top * ds_get_linesize(ssd->ds) +
+        ssd->dirty.left * ds_get_bytes_per_pixel(ssd->ds);
+    dst = update->bitmap;
+    for (by = 0; by < bh; by++) {
+        qemu_pf_conv_run(ssd->conv, dst, src, bw);
+        src += ds_get_linesize(ssd->ds);
+        dst += image->bitmap.stride;
+    }
+
+    cmd->type = QXL_CMD_DRAW;
+    cmd->data = (intptr_t)drawable;
+
+    memset(&ssd->dirty, 0, sizeof(ssd->dirty));
+    pthread_mutex_unlock(&ssd->lock);
+    return update;
+}
+
+/*
+ * Called from spice server thread context (via interface_release_ressource)
+ * We do *not* hold the global qemu mutex here, so extra care is needed
+ * when calling qemu functions.  Qemu interfaces used:
+ *    - qemu_free (underlying glibc free is re-entrant).
+ */
+void qemu_spice_destroy_update(SimpleSpiceDisplay *sdpy, SimpleSpiceUpdate *update)
+{
+    qemu_free(update->bitmap);
+    qemu_free(update);
+}
+
+void qemu_spice_create_host_memslot(SimpleSpiceDisplay *ssd)
+{
+    QXLDevMemSlot memslot;
+
+    dprint(1, "%s:\n", __FUNCTION__);
+
+    memset(&memslot, 0, sizeof(memslot));
+    memslot.slot_group_id = MEMSLOT_GROUP_HOST;
+    memslot.virt_end = ~0;
+    ssd->worker->add_memslot(ssd->worker, &memslot);
+}
+
+void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd)
+{
+    QXLDevSurfaceCreate surface;
+
+    dprint(1, "%s: %dx%d\n", __FUNCTION__,
+           ds_get_width(ssd->ds), ds_get_height(ssd->ds));
+
+    surface.format     = SPICE_SURFACE_FMT_32_xRGB;
+    surface.width      = ds_get_width(ssd->ds);
+    surface.height     = ds_get_height(ssd->ds);
+    surface.stride     = -surface.width * 4;
+    surface.mouse_mode = 0;
+    surface.flags      = 0;
+    surface.type       = 0;
+    surface.mem        = (intptr_t)ssd->buf;
+    surface.group_id   = MEMSLOT_GROUP_HOST;
+    ssd->worker->create_primary_surface(ssd->worker, 0, &surface);
+}
+
+void qemu_spice_destroy_host_primary(SimpleSpiceDisplay *ssd)
+{
+    dprint(1, "%s:\n", __FUNCTION__);
+
+    ssd->worker->destroy_primary_surface(ssd->worker, 0);
+}
+
+void qemu_spice_vm_change_state_handler(void *opaque, int running, int reason)
+{
+    SimpleSpiceDisplay *ssd = opaque;
+
+    if (running) {
+        ssd->worker->start(ssd->worker);
+    } else {
+        ssd->worker->stop(ssd->worker);
+    }
+    ssd->running = running;
+}
+
+/* display listener callbacks */
+
+void qemu_spice_display_update(SimpleSpiceDisplay *ssd,
+                               int x, int y, int w, int h)
+{
+    QXLRect update_area;
+
+    dprint(2, "%s: x %d y %d w %d h %d\n", __FUNCTION__, x, y, w, h);
+    update_area.left = x,
+    update_area.right = x + w;
+    update_area.top = y;
+    update_area.bottom = y + h;
+
+    pthread_mutex_lock(&ssd->lock);
+    if (qemu_spice_rect_is_empty(&ssd->dirty)) {
+        ssd->notify++;
+    }
+    qemu_spice_rect_union(&ssd->dirty, &update_area);
+    pthread_mutex_unlock(&ssd->lock);
+}
+
+void qemu_spice_display_resize(SimpleSpiceDisplay *ssd)
+{
+    dprint(1, "%s:\n", __FUNCTION__);
+
+    pthread_mutex_lock(&ssd->lock);
+    memset(&ssd->dirty, 0, sizeof(ssd->dirty));
+    qemu_pf_conv_put(ssd->conv);
+    ssd->conv = NULL;
+    pthread_mutex_unlock(&ssd->lock);
+
+    qemu_spice_destroy_host_primary(ssd);
+    qemu_spice_create_host_primary(ssd);
+
+    pthread_mutex_lock(&ssd->lock);
+    memset(&ssd->dirty, 0, sizeof(ssd->dirty));
+    ssd->notify++;
+    pthread_mutex_unlock(&ssd->lock);
+}
+
+void qemu_spice_display_refresh(SimpleSpiceDisplay *ssd)
+{
+    dprint(3, "%s:\n", __FUNCTION__);
+    vga_hw_update();
+    if (ssd->notify) {
+        ssd->notify = 0;
+        ssd->worker->wakeup(ssd->worker);
+        dprint(2, "%s: notify\n", __FUNCTION__);
+    }
+}
+
+/* spice display interface callbacks */
+
+static void interface_attach_worker(QXLInstance *sin, QXLWorker *qxl_worker)
+{
+    SimpleSpiceDisplay *ssd = container_of(sin, SimpleSpiceDisplay, qxl);
+
+    dprint(1, "%s:\n", __FUNCTION__);
+    ssd->worker = qxl_worker;
+}
+
+static void interface_set_compression_level(QXLInstance *sin, int level)
+{
+    dprint(1, "%s:\n", __FUNCTION__);
+    /* nothing to do */
+}
+
+static void interface_set_mm_time(QXLInstance *sin, uint32_t mm_time)
+{
+    dprint(3, "%s:\n", __FUNCTION__);
+    /* nothing to do */
+}
+
+static void interface_get_init_info(QXLInstance *sin, QXLDevInitInfo *info)
+{
+    SimpleSpiceDisplay *ssd = container_of(sin, SimpleSpiceDisplay, qxl);
+
+    info->memslot_gen_bits = MEMSLOT_GENERATION_BITS;
+    info->memslot_id_bits  = MEMSLOT_SLOT_BITS;
+    info->num_memslots = NUM_MEMSLOTS;
+    info->num_memslots_groups = NUM_MEMSLOTS_GROUPS;
+    info->internal_groupslot_id = 0;
+    info->qxl_ram_size = ssd->bufsize;
+    info->n_surfaces = NUM_SURFACES;
+}
+
+static int interface_get_command(QXLInstance *sin, struct QXLCommandExt *ext)
+{
+    SimpleSpiceDisplay *ssd = container_of(sin, SimpleSpiceDisplay, qxl);
+    SimpleSpiceUpdate *update;
+
+    dprint(3, "%s:\n", __FUNCTION__);
+    update = qemu_spice_create_update(ssd);
+    if (update == NULL) {
+        return false;
+    }
+    *ext = update->ext;
+    return true;
+}
+
+static int interface_req_cmd_notification(QXLInstance *sin)
+{
+    dprint(1, "%s:\n", __FUNCTION__);
+    return 1;
+}
+
+static void interface_release_resource(QXLInstance *sin,
+                                       struct QXLReleaseInfoExt ext)
+{
+    SimpleSpiceDisplay *ssd = container_of(sin, SimpleSpiceDisplay, qxl);
+    uintptr_t id;
+
+    dprint(2, "%s:\n", __FUNCTION__);
+    id = ext.info->id;
+    qemu_spice_destroy_update(ssd, (void*)id);
+}
+
+static int interface_get_cursor_command(QXLInstance *sin, struct QXLCommandExt *ext)
+{
+    dprint(3, "%s:\n", __FUNCTION__);
+    return false;
+}
+
+static int interface_req_cursor_notification(QXLInstance *sin)
+{
+    dprint(1, "%s:\n", __FUNCTION__);
+    return 1;
+}
+
+static void interface_notify_update(QXLInstance *sin, uint32_t update_id)
+{
+    fprintf(stderr, "%s: abort()\n", __FUNCTION__);
+    abort();
+}
+
+static int interface_flush_resources(QXLInstance *sin)
+{
+    fprintf(stderr, "%s: abort()\n", __FUNCTION__);
+    abort();
+    return 0;
+}
+
+static const QXLInterface dpy_interface = {
+    .base.type               = SPICE_INTERFACE_QXL,
+    .base.description        = "qemu simple display",
+    .base.major_version      = SPICE_INTERFACE_QXL_MAJOR,
+    .base.minor_version      = SPICE_INTERFACE_QXL_MINOR,
+
+    .attache_worker          = interface_attach_worker,
+    .set_compression_level   = interface_set_compression_level,
+    .set_mm_time             = interface_set_mm_time,
+    .get_init_info           = interface_get_init_info,
+
+    /* the callbacks below are called from spice server thread context */
+    .get_command             = interface_get_command,
+    .req_cmd_notification    = interface_req_cmd_notification,
+    .release_resource        = interface_release_resource,
+    .get_cursor_command      = interface_get_cursor_command,
+    .req_cursor_notification = interface_req_cursor_notification,
+    .notify_update           = interface_notify_update,
+    .flush_resources         = interface_flush_resources,
+};
+
+static SimpleSpiceDisplay sdpy;
+
+static void display_update(struct DisplayState *ds, int x, int y, int w, int h)
+{
+    qemu_spice_display_update(&sdpy, x, y, w, h);
+}
+
+static void display_resize(struct DisplayState *ds)
+{
+    qemu_spice_display_resize(&sdpy);
+}
+
+static void display_refresh(struct DisplayState *ds)
+{
+    qemu_spice_display_refresh(&sdpy);
+}
+
+static DisplayChangeListener display_listener = {
+    .dpy_update  = display_update,
+    .dpy_resize  = display_resize,
+    .dpy_refresh = display_refresh,
+};
+
+void qemu_spice_display_init(DisplayState *ds)
+{
+    assert(sdpy.ds == NULL);
+    sdpy.ds = ds;
+    sdpy.bufsize = (16 * 1024 * 1024);
+    sdpy.buf = qemu_malloc(sdpy.bufsize);
+    pthread_mutex_init(&sdpy.lock, NULL);
+    register_displaychangelistener(ds, &display_listener);
+
+    sdpy.qxl.base.sif = &dpy_interface.base;
+    qemu_spice_add_interface(&sdpy.qxl.base);
+    assert(sdpy.worker);
+
+    qemu_add_vm_change_state_handler(qemu_spice_vm_change_state_handler, &sdpy);
+    qemu_spice_create_host_memslot(&sdpy);
+    qemu_spice_create_host_primary(&sdpy);
+}
diff --git a/ui/spice-display.h b/ui/spice-display.h
new file mode 100644
index 0000000..e17671c
--- /dev/null
+++ b/ui/spice-display.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <spice/ipc_ring.h>
+#include <spice/enums.h>
+#include <spice/qxl_dev.h>
+
+#include "pflib.h"
+
+#define NUM_MEMSLOTS 8
+#define MEMSLOT_GENERATION_BITS 8
+#define MEMSLOT_SLOT_BITS 8
+
+#define MEMSLOT_GROUP_HOST  0
+#define MEMSLOT_GROUP_GUEST 1
+#define NUM_MEMSLOTS_GROUPS 2
+
+#define NUM_SURFACES 1024
+
+typedef struct SimpleSpiceDisplay {
+    DisplayState *ds;
+    void *buf;
+    int bufsize;
+    QXLWorker *worker;
+    QXLInstance qxl;
+    uint32_t unique;
+    QemuPfConv *conv;
+
+    pthread_mutex_t lock;
+    QXLRect dirty;
+    int notify;
+    int running;
+} SimpleSpiceDisplay;
+
+typedef struct SimpleSpiceUpdate {
+    QXLDrawable drawable;
+    QXLImage image;
+    QXLCommandExt ext;
+    uint8_t *bitmap;
+} SimpleSpiceUpdate;
+
+int qemu_spice_rect_is_empty(const QXLRect* r);
+void qemu_spice_rect_union(QXLRect *dest, const QXLRect *r);
+
+SimpleSpiceUpdate *qemu_spice_create_update(SimpleSpiceDisplay *sdpy);
+void qemu_spice_destroy_update(SimpleSpiceDisplay *sdpy, SimpleSpiceUpdate *update);
+void qemu_spice_create_host_memslot(SimpleSpiceDisplay *ssd);
+void qemu_spice_create_host_primary(SimpleSpiceDisplay *ssd);
+void qemu_spice_destroy_host_primary(SimpleSpiceDisplay *ssd);
+void qemu_spice_vm_change_state_handler(void *opaque, int running, int reason);
+
+void qemu_spice_display_update(SimpleSpiceDisplay *ssd,
+                               int x, int y, int w, int h);
+void qemu_spice_display_resize(SimpleSpiceDisplay *ssd);
+void qemu_spice_display_refresh(SimpleSpiceDisplay *ssd);
diff --git a/vl.c b/vl.c
index 27d9392..ee4f8c8 100644
--- a/vl.c
+++ b/vl.c
@@ -2931,6 +2931,8 @@ int main(int argc, char **argv, char **envp)
     /* just use the first displaystate for the moment */
     ds = get_displaystate();
 
+    if (using_spice)
+        display_remote++;
     if (display_type == DT_DEFAULT && !display_remote) {
 #if defined(CONFIG_SDL) || defined(CONFIG_COCOA)
         display_type = DT_SDL;
@@ -2973,6 +2975,11 @@ int main(int argc, char **argv, char **envp)
             printf("VNC server running on `%s'\n", vnc_display_local_addr(ds));
         }
     }
+#ifdef CONFIG_SPICE
+    if (using_spice) {
+        qemu_spice_display_init(ds);
+    }
+#endif
 
     /* display setup */
     dpy_resize(ds);
commit cd4ec0b4d169faba8cc03a16b361700e32a83bd6
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Mar 24 10:26:51 2010 +0100

    add spice into the configure file

diff --git a/configure b/configure
index 66b1d0b..695a632 100755
--- a/configure
+++ b/configure
@@ -325,6 +325,7 @@ user_pie="no"
 zero_malloc=""
 trace_backend="nop"
 trace_file="trace"
+spice=""
 
 # OS specific
 if check_define __linux__ ; then
@@ -630,6 +631,10 @@ for opt do
   ;;
   --enable-kvm) kvm="yes"
   ;;
+  --disable-spice) spice="no"
+  ;;
+  --enable-spice) spice="yes"
+  ;;
   --enable-profiler) profiler="yes"
   ;;
   --enable-cocoa)
@@ -912,6 +917,8 @@ echo "  --enable-vhost-net       enable vhost-net acceleration support"
 echo "  --trace-backend=B        Trace backend nop simple ust"
 echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
+echo "  --disable-spice          disable spice"
+echo "  --enable-spice           enable spice"
 echo ""
 echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
@@ -2062,6 +2069,29 @@ if compile_prog "" ""; then
     gcc_attribute_warn_unused_result=yes
 fi
 
+# spice probe
+if test "$spice" != "no" ; then
+  cat > $TMPC << EOF
+#include <spice.h>
+int main(void) { spice_server_new(); return 0; }
+EOF
+  spice_cflags=$($pkgconfig --cflags spice-protocol spice-server 2>/dev/null)
+  spice_libs=$($pkgconfig --libs spice-protocol spice-server 2>/dev/null)
+  if $pkgconfig --atleast-version=0.5.3 spice-server &&\
+     compile_prog "$spice_cflags" "$spice_libs" ; then
+    spice="yes"
+    libs_softmmu="$libs_softmmu $spice_libs"
+    QEMU_CFLAGS="$QEMU_CFLAGS $spice_cflags"
+  else
+    if test "$spice" = "yes" ; then
+      feature_not_found "spice"
+    fi
+    spice="no"
+  fi
+fi
+
+##########################################
+
 ##########################################
 # check if we have fdatasync
 
@@ -2245,6 +2275,7 @@ echo "uuid support      $uuid"
 echo "vhost-net support $vhost_net"
 echo "Trace backend     $trace_backend"
 echo "Trace output file $trace_file-<pid>"
+echo "spice support     $spice"
 
 if test $sdl_too_old = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -2482,6 +2513,10 @@ if test "$fdatasync" = "yes" ; then
   echo "CONFIG_FDATASYNC=y" >> $config_host_mak
 fi
 
+if test "$spice" = "yes" ; then
+  echo "CONFIG_SPICE=y" >> $config_host_mak
+fi
+
 # XXX: suppress that
 if [ "$bsd" = "yes" ] ; then
   echo "CONFIG_BSD=y" >> $config_host_mak
commit 78dd9ac1ca5130ae144a6abe8361a59483a5464b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Mar 11 11:13:29 2010 -0300

    spice: add mouse
    
    Open mouse channel.  Now you can move the guests mouse pointer.
    No tablet / absolute positioning (yet) though.

diff --git a/ui/spice-input.c b/ui/spice-input.c
index 5538a79..91cf18d 100644
--- a/ui/spice-input.c
+++ b/ui/spice-input.c
@@ -74,12 +74,64 @@ static void kbd_leds(void *opaque, int ledstate)
     spice_server_kbd_leds(&kbd->sin, ledstate);
 }
 
+/* mouse bits */
+
+typedef struct QemuSpiceMouse {
+    SpiceMouseInstance sin;
+} QemuSpiceMouse;
+
+static int map_buttons(int spice_buttons)
+{
+    int qemu_buttons = 0;
+
+    /*
+     * Note: SPICE_MOUSE_BUTTON_* specifies the wire protocol but this
+     * isn't what we get passed in via interface callbacks for the
+     * middle and right button ...
+     */
+    if (spice_buttons & SPICE_MOUSE_BUTTON_MASK_LEFT) {
+        qemu_buttons |= MOUSE_EVENT_LBUTTON;
+    }
+    if (spice_buttons & 0x04 /* SPICE_MOUSE_BUTTON_MASK_MIDDLE */) {
+        qemu_buttons |= MOUSE_EVENT_MBUTTON;
+    }
+    if (spice_buttons & 0x02 /* SPICE_MOUSE_BUTTON_MASK_RIGHT */) {
+        qemu_buttons |= MOUSE_EVENT_RBUTTON;
+    }
+    return qemu_buttons;
+}
+
+static void mouse_motion(SpiceMouseInstance *sin, int dx, int dy, int dz,
+                         uint32_t buttons_state)
+{
+    kbd_mouse_event(dx, dy, dz, map_buttons(buttons_state));
+}
+
+static void mouse_buttons(SpiceMouseInstance *sin, uint32_t buttons_state)
+{
+    kbd_mouse_event(0, 0, 0, map_buttons(buttons_state));
+}
+
+static const SpiceMouseInterface mouse_interface = {
+    .base.type          = SPICE_INTERFACE_MOUSE,
+    .base.description   = "mouse",
+    .base.major_version = SPICE_INTERFACE_MOUSE_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_MOUSE_MINOR,
+    .motion             = mouse_motion,
+    .buttons            = mouse_buttons,
+};
+
 void qemu_spice_input_init(void)
 {
     QemuSpiceKbd *kbd;
+    QemuSpiceMouse *mouse;
 
     kbd = qemu_mallocz(sizeof(*kbd));
     kbd->sin.base.sif = &kbd_interface.base;
     qemu_spice_add_interface(&kbd->sin.base);
     qemu_add_led_event_handler(kbd_leds, kbd);
+
+    mouse = qemu_mallocz(sizeof(*mouse));
+    mouse->sin.base.sif = &mouse_interface.base;
+    qemu_spice_add_interface(&mouse->sin.base);
 }
commit 864401c2a709bcb66182c02372fb60a30055a4d7
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Mar 11 11:13:28 2010 -0300

    spice: add keyboard
    
    Open keyboard channel.  Now you can type into the spice client and the
    keyboard events are sent to your guest.  You'll need some other display
    like vnc to actually see the guest responding to them though.

diff --git a/Makefile.objs b/Makefile.objs
index 2b58109..a95106f 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -88,7 +88,7 @@ common-obj-y += pflib.o
 common-obj-$(CONFIG_BRLAPI) += baum.o
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
 
-common-obj-$(CONFIG_SPICE) += ui/spice-core.o
+common-obj-$(CONFIG_SPICE) += ui/spice-core.o ui/spice-input.o
 
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
index 50faefb..175c961 100644
--- a/ui/qemu-spice.h
+++ b/ui/qemu-spice.h
@@ -28,6 +28,7 @@
 extern int using_spice;
 
 void qemu_spice_init(void);
+void qemu_spice_input_init(void);
 int qemu_spice_add_interface(SpiceBaseInstance *sin);
 
 #else  /* CONFIG_SPICE */
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 006604b..8b5e4a8 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -167,6 +167,8 @@ void qemu_spice_init(void)
 
     spice_server_init(spice_server, &core_interface);
     using_spice = 1;
+
+    qemu_spice_input_init();
 }
 
 int qemu_spice_add_interface(SpiceBaseInstance *sin)
diff --git a/ui/spice-input.c b/ui/spice-input.c
new file mode 100644
index 0000000..5538a79
--- /dev/null
+++ b/ui/spice-input.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <spice.h>
+#include <spice/enums.h>
+
+#include "qemu-common.h"
+#include "qemu-spice.h"
+#include "console.h"
+
+/* keyboard bits */
+
+typedef struct QemuSpiceKbd {
+    SpiceKbdInstance sin;
+    int ledstate;
+} QemuSpiceKbd;
+
+static void kbd_push_key(SpiceKbdInstance *sin, uint8_t frag);
+static uint8_t kbd_get_leds(SpiceKbdInstance *sin);
+static void kbd_leds(void *opaque, int l);
+
+static const SpiceKbdInterface kbd_interface = {
+    .base.type          = SPICE_INTERFACE_KEYBOARD,
+    .base.description   = "qemu keyboard",
+    .base.major_version = SPICE_INTERFACE_KEYBOARD_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_KEYBOARD_MINOR,
+    .push_scan_freg     = kbd_push_key,
+    .get_leds           = kbd_get_leds,
+};
+
+static void kbd_push_key(SpiceKbdInstance *sin, uint8_t frag)
+{
+    kbd_put_keycode(frag);
+}
+
+static uint8_t kbd_get_leds(SpiceKbdInstance *sin)
+{
+    QemuSpiceKbd *kbd = container_of(sin, QemuSpiceKbd, sin);
+    return kbd->ledstate;
+}
+
+static void kbd_leds(void *opaque, int ledstate)
+{
+    QemuSpiceKbd *kbd = opaque;
+
+    kbd->ledstate = 0;
+    if (ledstate & QEMU_SCROLL_LOCK_LED) {
+        kbd->ledstate |= SPICE_KEYBOARD_MODIFIER_FLAGS_SCROLL_LOCK;
+    }
+    if (ledstate & QEMU_NUM_LOCK_LED) {
+        kbd->ledstate |= SPICE_KEYBOARD_MODIFIER_FLAGS_NUM_LOCK;
+    }
+    if (ledstate & QEMU_CAPS_LOCK_LED) {
+        kbd->ledstate |= SPICE_KEYBOARD_MODIFIER_FLAGS_CAPS_LOCK;
+    }
+    spice_server_kbd_leds(&kbd->sin, ledstate);
+}
+
+void qemu_spice_input_init(void)
+{
+    QemuSpiceKbd *kbd;
+
+    kbd = qemu_mallocz(sizeof(*kbd));
+    kbd->sin.base.sif = &kbd_interface.base;
+    qemu_spice_add_interface(&kbd->sin.base);
+    qemu_add_led_event_handler(kbd_leds, kbd);
+}
commit 29b0040be6371c403dae0fef7fec36b814e300e8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Mar 11 11:13:27 2010 -0300

    spice: core bits
    
    Add -spice command line switch.  Has support setting passwd and port for
    now.  With this patch applied the spice client can successfully connect
    to qemu.  You can't do anything useful yet though.

diff --git a/Makefile.objs b/Makefile.objs
index 8268574..2b58109 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -88,6 +88,8 @@ common-obj-y += pflib.o
 common-obj-$(CONFIG_BRLAPI) += baum.o
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
 
+common-obj-$(CONFIG_SPICE) += ui/spice-core.o
+
 audio-obj-y = audio.o noaudio.o wavaudio.o mixeng.o
 audio-obj-$(CONFIG_SDL) += sdlaudio.o
 audio-obj-$(CONFIG_OSS) += ossaudio.o
diff --git a/qemu-config.c b/qemu-config.c
index e3b746c..5c6ae63 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -351,6 +351,24 @@ static QemuOptsList qemu_cpudef_opts = {
     },
 };
 
+QemuOptsList qemu_spice_opts = {
+    .name = "spice",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_spice_opts.head),
+    .desc = {
+        {
+            .name = "port",
+            .type = QEMU_OPT_NUMBER,
+        },{
+            .name = "password",
+            .type = QEMU_OPT_STRING,
+        },{
+            .name = "disable-ticketing",
+            .type = QEMU_OPT_BOOL,
+        },
+        { /* end if list */ }
+    },
+};
+
 static QemuOptsList *vm_config_groups[32] = {
     &qemu_drive_opts,
     &qemu_chardev_opts,
diff --git a/qemu-config.h b/qemu-config.h
index 533a049..20d707f 100644
--- a/qemu-config.h
+++ b/qemu-config.h
@@ -3,6 +3,7 @@
 
 extern QemuOptsList qemu_fsdev_opts;
 extern QemuOptsList qemu_virtfs_opts;
+extern QemuOptsList qemu_spice_opts;
 
 QemuOptsList *qemu_find_opts(const char *group);
 void qemu_add_opts(QemuOptsList *list);
diff --git a/qemu-options.hx b/qemu-options.hx
index a0b5ae9..718d47a 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -670,6 +670,27 @@ STEXI
 Enable SDL.
 ETEXI
 
+DEF("spice", HAS_ARG, QEMU_OPTION_spice,
+    "-spice <args>   enable spice\n", QEMU_ARCH_ALL)
+STEXI
+ at item -spice @var{option}[, at var{option}[,...]]
+ at findex -spice
+Enable the spice remote desktop protocol. Valid options are
+
+ at table @option
+
+ at item port=<nr>
+Set the TCP port spice is listening on.
+
+ at item password=<secret>
+Set the password you need to authenticate.
+
+ at item disable-ticketing
+Allow client connects without authentication.
+
+ at end table
+ETEXI
+
 DEF("portrait", 0, QEMU_OPTION_portrait,
     "-portrait       rotate graphical output 90 deg left (only PXA LCD)\n",
     QEMU_ARCH_ALL)
diff --git a/ui/qemu-spice.h b/ui/qemu-spice.h
new file mode 100644
index 0000000..50faefb
--- /dev/null
+++ b/ui/qemu-spice.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef QEMU_SPICE_H
+#define QEMU_SPICE_H
+
+#ifdef CONFIG_SPICE
+
+#include <spice.h>
+
+#include "qemu-option.h"
+#include "qemu-config.h"
+
+extern int using_spice;
+
+void qemu_spice_init(void);
+int qemu_spice_add_interface(SpiceBaseInstance *sin);
+
+#else  /* CONFIG_SPICE */
+
+#define using_spice 0
+
+#endif /* CONFIG_SPICE */
+
+#endif /* QEMU_SPICE_H */
diff --git a/ui/spice-core.c b/ui/spice-core.c
new file mode 100644
index 0000000..006604b
--- /dev/null
+++ b/ui/spice-core.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 or
+ * (at your option) version 3 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <spice.h>
+#include <spice-experimental.h>
+
+#include "qemu-common.h"
+#include "qemu-spice.h"
+#include "qemu-timer.h"
+#include "qemu-queue.h"
+#include "monitor.h"
+
+/* core bits */
+
+static SpiceServer *spice_server;
+int using_spice = 0;
+
+struct SpiceTimer {
+    QEMUTimer *timer;
+    QTAILQ_ENTRY(SpiceTimer) next;
+};
+static QTAILQ_HEAD(, SpiceTimer) timers = QTAILQ_HEAD_INITIALIZER(timers);
+
+static SpiceTimer *timer_add(SpiceTimerFunc func, void *opaque)
+{
+    SpiceTimer *timer;
+
+    timer = qemu_mallocz(sizeof(*timer));
+    timer->timer = qemu_new_timer(rt_clock, func, opaque);
+    QTAILQ_INSERT_TAIL(&timers, timer, next);
+    return timer;
+}
+
+static void timer_start(SpiceTimer *timer, uint32_t ms)
+{
+    qemu_mod_timer(timer->timer, qemu_get_clock(rt_clock) + ms);
+}
+
+static void timer_cancel(SpiceTimer *timer)
+{
+    qemu_del_timer(timer->timer);
+}
+
+static void timer_remove(SpiceTimer *timer)
+{
+    qemu_del_timer(timer->timer);
+    qemu_free_timer(timer->timer);
+    QTAILQ_REMOVE(&timers, timer, next);
+    qemu_free(timer);
+}
+
+struct SpiceWatch {
+    int fd;
+    int event_mask;
+    SpiceWatchFunc func;
+    void *opaque;
+    QTAILQ_ENTRY(SpiceWatch) next;
+};
+static QTAILQ_HEAD(, SpiceWatch) watches = QTAILQ_HEAD_INITIALIZER(watches);
+
+static void watch_read(void *opaque)
+{
+    SpiceWatch *watch = opaque;
+    watch->func(watch->fd, SPICE_WATCH_EVENT_READ, watch->opaque);
+}
+
+static void watch_write(void *opaque)
+{
+    SpiceWatch *watch = opaque;
+    watch->func(watch->fd, SPICE_WATCH_EVENT_WRITE, watch->opaque);
+}
+
+static void watch_update_mask(SpiceWatch *watch, int event_mask)
+{
+    IOHandler *on_read = NULL;
+    IOHandler *on_write = NULL;
+
+    watch->event_mask = event_mask;
+    if (watch->event_mask & SPICE_WATCH_EVENT_READ) {
+        on_read = watch_read;
+    }
+    if (watch->event_mask & SPICE_WATCH_EVENT_WRITE) {
+        on_read = watch_write;
+    }
+    qemu_set_fd_handler(watch->fd, on_read, on_write, watch);
+}
+
+static SpiceWatch *watch_add(int fd, int event_mask, SpiceWatchFunc func, void *opaque)
+{
+    SpiceWatch *watch;
+
+    watch = qemu_mallocz(sizeof(*watch));
+    watch->fd     = fd;
+    watch->func   = func;
+    watch->opaque = opaque;
+    QTAILQ_INSERT_TAIL(&watches, watch, next);
+
+    watch_update_mask(watch, event_mask);
+    return watch;
+}
+
+static void watch_remove(SpiceWatch *watch)
+{
+    watch_update_mask(watch, 0);
+    QTAILQ_REMOVE(&watches, watch, next);
+    qemu_free(watch);
+}
+
+static SpiceCoreInterface core_interface = {
+    .base.type          = SPICE_INTERFACE_CORE,
+    .base.description   = "qemu core services",
+    .base.major_version = SPICE_INTERFACE_CORE_MAJOR,
+    .base.minor_version = SPICE_INTERFACE_CORE_MINOR,
+
+    .timer_add          = timer_add,
+    .timer_start        = timer_start,
+    .timer_cancel       = timer_cancel,
+    .timer_remove       = timer_remove,
+
+    .watch_add          = watch_add,
+    .watch_update_mask  = watch_update_mask,
+    .watch_remove       = watch_remove,
+};
+
+/* functions for the rest of qemu */
+
+void qemu_spice_init(void)
+{
+    QemuOpts *opts = QTAILQ_FIRST(&qemu_spice_opts.head);
+    const char *password;
+    int port;
+
+    if (!opts) {
+        return;
+    }
+    port = qemu_opt_get_number(opts, "port", 0);
+    if (!port) {
+        return;
+    }
+    password = qemu_opt_get(opts, "password");
+
+    spice_server = spice_server_new();
+    spice_server_set_port(spice_server, port);
+    if (password) {
+        spice_server_set_ticket(spice_server, password, 0, 0, 0);
+    }
+    if (qemu_opt_get_bool(opts, "disable-ticketing", 0)) {
+        spice_server_set_noauth(spice_server);
+    }
+
+    /* TODO: make configurable via cmdline */
+    spice_server_set_image_compression(spice_server, SPICE_IMAGE_COMPRESS_AUTO_GLZ);
+
+    spice_server_init(spice_server, &core_interface);
+    using_spice = 1;
+}
+
+int qemu_spice_add_interface(SpiceBaseInstance *sin)
+{
+    return spice_server_add_interface(spice_server, sin);
+}
+
+static void spice_register_config(void)
+{
+    qemu_add_opts(&qemu_spice_opts);
+}
+machine_init(spice_register_config);
+
+static void spice_initialize(void)
+{
+    qemu_spice_init();
+}
+device_init(spice_initialize);
diff --git a/vl.c b/vl.c
index 2edc853..27d9392 100644
--- a/vl.c
+++ b/vl.c
@@ -165,6 +165,8 @@ int main(int argc, char **argv)
 #include "cpus.h"
 #include "arch_init.h"
 
+#include "ui/qemu-spice.h"
+
 //#define DEBUG_NET
 //#define DEBUG_SLIRP
 
@@ -2616,6 +2618,18 @@ int main(int argc, char **argv, char **envp)
                     }
                     break;
                 }
+            case QEMU_OPTION_spice:
+                olist = qemu_find_opts("spice");
+                if (!olist) {
+                    fprintf(stderr, "spice is not supported by this qemu build.\n");
+                    exit(1);
+                }
+                opts = qemu_opts_parse(olist, optarg, 0);
+                if (!opts) {
+                    fprintf(stderr, "parse error: %s\n", optarg);
+                    exit(1);
+                }
+                break;
             case QEMU_OPTION_writeconfig:
                 {
                     FILE *fp;
commit da1d85e339730effd889978be5ae2caadd01bfa9
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Apr 23 13:44:10 2010 +0200

    configure: add logging
    
    Write compile commands and messages to config.log.
    Useful for debugging configure.

diff --git a/configure b/configure
index 3bfc5e9..66b1d0b 100755
--- a/configure
+++ b/configure
@@ -16,15 +16,18 @@ TMPO="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.o"
 TMPE="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.exe"
 
 trap "rm -f $TMPC $TMPO $TMPE ; exit" EXIT INT QUIT TERM
+rm -f config.log
 
 compile_object() {
-  $cc $QEMU_CFLAGS -c -o $TMPO $TMPC > /dev/null 2> /dev/null
+  echo $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log
+  $cc $QEMU_CFLAGS -c -o $TMPO $TMPC >> config.log 2>&1
 }
 
 compile_prog() {
   local_cflags="$1"
   local_ldflags="$2"
-  $cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags > /dev/null 2> /dev/null
+  echo $cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log
+  $cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags >> config.log 2>&1
 }
 
 # check whether a command is available to this shell (may be either an
commit d6d94fc327af7e7c1343c091317e1ed8786906ad
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Jun 14 09:54:27 2010 +0200

    add pflib: PixelFormat conversion library.

diff --git a/Makefile.objs b/Makefile.objs
index 3ef6d80..8268574 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -83,6 +83,7 @@ common-obj-y += qemu-char.o savevm.o #aio.o
 common-obj-y += msmouse.o ps2.o
 common-obj-y += qdev.o qdev-properties.o
 common-obj-y += block-migration.o
+common-obj-y += pflib.o
 
 common-obj-$(CONFIG_BRLAPI) += baum.o
 common-obj-$(CONFIG_POSIX) += migration-exec.o migration-unix.o migration-fd.o
diff --git a/pflib.c b/pflib.c
new file mode 100644
index 0000000..1154d0c
--- /dev/null
+++ b/pflib.c
@@ -0,0 +1,213 @@
+/*
+ * PixelFormat conversion library.
+ *
+ * Author: Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+#include "qemu-common.h"
+#include "console.h"
+#include "pflib.h"
+
+typedef struct QemuPixel QemuPixel;
+
+typedef void (*pf_convert)(QemuPfConv *conv,
+                           void *dst, void *src, uint32_t cnt);
+typedef void (*pf_convert_from)(PixelFormat *pf,
+                                QemuPixel *dst, void *src, uint32_t cnt);
+typedef void (*pf_convert_to)(PixelFormat *pf,
+                              void *dst, QemuPixel *src, uint32_t cnt);
+
+struct QemuPfConv {
+    pf_convert        convert;
+    PixelFormat       src;
+    PixelFormat       dst;
+
+    /* for copy_generic() */
+    pf_convert_from   conv_from;
+    pf_convert_to     conv_to;
+    QemuPixel         *conv_buf;
+    uint32_t          conv_cnt;
+};
+
+struct QemuPixel {
+    uint8_t red;
+    uint8_t green;
+    uint8_t blue;
+    uint8_t alpha;
+};
+
+/* ----------------------------------------------------------------------- */
+/* PixelFormat -> QemuPixel conversions                                    */
+
+static void conv_16_to_pixel(PixelFormat *pf,
+                             QemuPixel *dst, void *src, uint32_t cnt)
+{
+    uint16_t *src16 = src;
+
+    while (cnt > 0) {
+        dst->red   = ((*src16 & pf->rmask) >> pf->rshift) << (8 - pf->rbits);
+        dst->green = ((*src16 & pf->gmask) >> pf->gshift) << (8 - pf->gbits);
+        dst->blue  = ((*src16 & pf->bmask) >> pf->bshift) << (8 - pf->bbits);
+        dst->alpha = ((*src16 & pf->amask) >> pf->ashift) << (8 - pf->abits);
+        dst++, src16++, cnt--;
+    }
+}
+
+/* assumes pf->{r,g,b,a}bits == 8 */
+static void conv_32_to_pixel_fast(PixelFormat *pf,
+                                  QemuPixel *dst, void *src, uint32_t cnt)
+{
+    uint32_t *src32 = src;
+
+    while (cnt > 0) {
+        dst->red   = (*src32 & pf->rmask) >> pf->rshift;
+        dst->green = (*src32 & pf->gmask) >> pf->gshift;
+        dst->blue  = (*src32 & pf->bmask) >> pf->bshift;
+        dst->alpha = (*src32 & pf->amask) >> pf->ashift;
+        dst++, src32++, cnt--;
+    }
+}
+
+static void conv_32_to_pixel_generic(PixelFormat *pf,
+                                     QemuPixel *dst, void *src, uint32_t cnt)
+{
+    uint32_t *src32 = src;
+
+    while (cnt > 0) {
+        if (pf->rbits < 8) {
+            dst->red   = ((*src32 & pf->rmask) >> pf->rshift) << (8 - pf->rbits);
+        } else {
+            dst->red   = ((*src32 & pf->rmask) >> pf->rshift) >> (pf->rbits - 8);
+        }
+        if (pf->gbits < 8) {
+            dst->green = ((*src32 & pf->gmask) >> pf->gshift) << (8 - pf->gbits);
+        } else {
+            dst->green = ((*src32 & pf->gmask) >> pf->gshift) >> (pf->gbits - 8);
+        }
+        if (pf->bbits < 8) {
+            dst->blue  = ((*src32 & pf->bmask) >> pf->bshift) << (8 - pf->bbits);
+        } else {
+            dst->blue  = ((*src32 & pf->bmask) >> pf->bshift) >> (pf->bbits - 8);
+        }
+        if (pf->abits < 8) {
+            dst->alpha = ((*src32 & pf->amask) >> pf->ashift) << (8 - pf->abits);
+        } else {
+            dst->alpha = ((*src32 & pf->amask) >> pf->ashift) >> (pf->abits - 8);
+        }
+        dst++, src32++, cnt--;
+    }
+}
+
+/* ----------------------------------------------------------------------- */
+/* QemuPixel -> PixelFormat conversions                                    */
+
+static void conv_pixel_to_16(PixelFormat *pf,
+                             void *dst, QemuPixel *src, uint32_t cnt)
+{
+    uint16_t *dst16 = dst;
+
+    while (cnt > 0) {
+        *dst16  = ((uint16_t)src->red   >> (8 - pf->rbits)) << pf->rshift;
+        *dst16 |= ((uint16_t)src->green >> (8 - pf->gbits)) << pf->gshift;
+        *dst16 |= ((uint16_t)src->blue  >> (8 - pf->bbits)) << pf->bshift;
+        *dst16 |= ((uint16_t)src->alpha >> (8 - pf->abits)) << pf->ashift;
+        dst16++, src++, cnt--;
+    }
+}
+
+static void conv_pixel_to_32(PixelFormat *pf,
+                             void *dst, QemuPixel *src, uint32_t cnt)
+{
+    uint32_t *dst32 = dst;
+
+    while (cnt > 0) {
+        *dst32  = ((uint32_t)src->red   >> (8 - pf->rbits)) << pf->rshift;
+        *dst32 |= ((uint32_t)src->green >> (8 - pf->gbits)) << pf->gshift;
+        *dst32 |= ((uint32_t)src->blue  >> (8 - pf->bbits)) << pf->bshift;
+        *dst32 |= ((uint32_t)src->alpha >> (8 - pf->abits)) << pf->ashift;
+        dst32++, src++, cnt--;
+    }
+}
+
+/* ----------------------------------------------------------------------- */
+/* PixelFormat -> PixelFormat conversions                                  */
+
+static void convert_copy(QemuPfConv *conv, void *dst, void *src, uint32_t cnt)
+{
+    uint32_t bytes = cnt * conv->src.bytes_per_pixel;
+    memcpy(dst, src, bytes);
+}
+
+static void convert_generic(QemuPfConv *conv, void *dst, void *src, uint32_t cnt)
+{
+    if (conv->conv_cnt < cnt) {
+        conv->conv_cnt = cnt;
+        conv->conv_buf = qemu_realloc(conv->conv_buf, sizeof(QemuPixel) * conv->conv_cnt);
+    }
+    conv->conv_from(&conv->src, conv->conv_buf, src, cnt);
+    conv->conv_to(&conv->dst, dst, conv->conv_buf, cnt);
+}
+
+/* ----------------------------------------------------------------------- */
+/* public interface                                                        */
+
+QemuPfConv *qemu_pf_conv_get(PixelFormat *dst, PixelFormat *src)
+{
+    QemuPfConv *conv = qemu_mallocz(sizeof(QemuPfConv));
+
+    conv->src = *src;
+    conv->dst = *dst;
+
+    if (memcmp(&conv->src, &conv->dst, sizeof(PixelFormat)) == 0) {
+        /* formats identical, can simply copy */
+        conv->convert = convert_copy;
+    } else {
+        /* generic two-step conversion: src -> QemuPixel -> dst  */
+        switch (conv->src.bytes_per_pixel) {
+        case 2:
+            conv->conv_from = conv_16_to_pixel;
+            break;
+        case 4:
+            if (conv->src.rbits == 8 && conv->src.gbits == 8 && conv->src.bbits == 8) {
+                conv->conv_from = conv_32_to_pixel_fast;
+            } else {
+                conv->conv_from = conv_32_to_pixel_generic;
+            }
+            break;
+        default:
+            goto err;
+        }
+        switch (conv->dst.bytes_per_pixel) {
+        case 2:
+            conv->conv_to = conv_pixel_to_16;
+            break;
+        case 4:
+            conv->conv_to = conv_pixel_to_32;
+            break;
+        default:
+            goto err;
+        }
+        conv->convert = convert_generic;
+    }
+    return conv;
+
+err:
+    qemu_free(conv);
+    return NULL;
+}
+
+void qemu_pf_conv_run(QemuPfConv *conv, void *dst, void *src, uint32_t cnt)
+{
+    conv->convert(conv, dst, src, cnt);
+}
+
+void qemu_pf_conv_put(QemuPfConv *conv)
+{
+    if (conv) {
+        qemu_free(conv->conv_buf);
+        qemu_free(conv);
+    }
+}
diff --git a/pflib.h b/pflib.h
new file mode 100644
index 0000000..b70c313
--- /dev/null
+++ b/pflib.h
@@ -0,0 +1,20 @@
+#ifndef __QEMU_PFLIB_H
+#define __QEMU_PFLIB_H
+
+/*
+ * PixelFormat conversion library.
+ *
+ * Author: Gerd Hoffmann <kraxel at redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+typedef struct QemuPfConv QemuPfConv;
+
+QemuPfConv *qemu_pf_conv_get(PixelFormat *dst, PixelFormat *src);
+void qemu_pf_conv_run(QemuPfConv *conv, void *dst, void *src, uint32_t cnt);
+void qemu_pf_conv_put(QemuPfConv *conv);
+
+#endif
commit 526c523781fd3684a1902322b1d67785eae15f5b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Aug 25 12:19:49 2010 +0200

    Use machine_init() to register virtfs config options.

diff --git a/fsdev/qemu-fsdev.c b/fsdev/qemu-fsdev.c
index ad69b0e..280b8f5 100644
--- a/fsdev/qemu-fsdev.c
+++ b/fsdev/qemu-fsdev.c
@@ -16,6 +16,7 @@
 #include "qemu-queue.h"
 #include "osdep.h"
 #include "qemu-common.h"
+#include "qemu-config.h"
 
 static QTAILQ_HEAD(FsTypeEntry_head, FsTypeListEntry) fstype_entries =
     QTAILQ_HEAD_INITIALIZER(fstype_entries);
@@ -75,3 +76,11 @@ FsTypeEntry *get_fsdev_fsentry(char *id)
     }
     return NULL;
 }
+
+static void fsdev_register_config(void)
+{
+    qemu_add_opts(&qemu_fsdev_opts);
+    qemu_add_opts(&qemu_virtfs_opts);
+}
+machine_init(fsdev_register_config);
+
diff --git a/vl.c b/vl.c
index f434193..2edc853 100644
--- a/vl.c
+++ b/vl.c
@@ -1863,11 +1863,6 @@ int main(int argc, char **argv, char **envp)
     tb_size = 0;
     autostart= 1;
 
-#ifdef CONFIG_VIRTFS
-    qemu_add_opts(&qemu_fsdev_opts);
-    qemu_add_opts(&qemu_virtfs_opts);
-#endif
-
     /* first pass of option parsing */
     optind = 1;
     while (optind < argc) {
commit 6b62dc2dd7d590815a3b7713633ce59ef64a17d4
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Aug 25 10:51:06 2010 +0200

    Use display types for local display only.
    
    This patch drops DT_VNC.  The display types are only used to select
    select the local display (i.e. curses, sdl, coca, ...).  Remote
    displays (for now only vnc, spice will follow) can be enabled
    independently.

diff --git a/sysemu.h b/sysemu.h
index a1f6466..b81a70e 100644
--- a/sysemu.h
+++ b/sysemu.h
@@ -94,7 +94,6 @@ typedef enum DisplayType
     DT_DEFAULT,
     DT_CURSES,
     DT_SDL,
-    DT_VNC,
     DT_NOGRAPHIC,
 } DisplayType;
 
diff --git a/vl.c b/vl.c
index 3f45aa9..f434193 100644
--- a/vl.c
+++ b/vl.c
@@ -176,6 +176,7 @@ static const char *data_dir;
 const char *bios_name = NULL;
 enum vga_retrace_method vga_retrace_method = VGA_RETRACE_DUMB;
 DisplayType display_type = DT_DEFAULT;
+int display_remote = 0;
 const char* keyboard_layout = NULL;
 ram_addr_t ram_size;
 const char *mem_path = NULL;
@@ -2477,7 +2478,7 @@ int main(int argc, char **argv, char **envp)
                 }
                 break;
 	    case QEMU_OPTION_vnc:
-                display_type = DT_VNC;
+                display_remote++;
 		vnc_display = optarg;
 		break;
             case QEMU_OPTION_no_acpi:
@@ -2921,17 +2922,17 @@ int main(int argc, char **argv, char **envp)
     /* just use the first displaystate for the moment */
     ds = get_displaystate();
 
-    if (display_type == DT_DEFAULT) {
+    if (display_type == DT_DEFAULT && !display_remote) {
 #if defined(CONFIG_SDL) || defined(CONFIG_COCOA)
         display_type = DT_SDL;
 #else
-        display_type = DT_VNC;
         vnc_display = "localhost:0,to=99";
         show_vnc_port = 1;
 #endif
     }
         
 
+    /* init local displays */
     switch (display_type) {
     case DT_NOGRAPHIC:
         break;
@@ -2949,7 +2950,12 @@ int main(int argc, char **argv, char **envp)
         cocoa_display_init(ds, full_screen);
         break;
 #endif
-    case DT_VNC:
+    default:
+        break;
+    }
+
+    /* init remote displays */
+    if (vnc_display) {
         vnc_display_init(ds);
         if (vnc_display_open(ds, vnc_display) < 0)
             exit(1);
@@ -2957,12 +2963,10 @@ int main(int argc, char **argv, char **envp)
         if (show_vnc_port) {
             printf("VNC server running on `%s'\n", vnc_display_local_addr(ds));
         }
-        break;
-    default:
-        break;
     }
-    dpy_resize(ds);
 
+    /* display setup */
+    dpy_resize(ds);
     dcl = ds->listeners;
     while (dcl != NULL) {
         if (dcl->dpy_refresh != NULL) {
@@ -2972,12 +2976,10 @@ int main(int argc, char **argv, char **envp)
         }
         dcl = dcl->next;
     }
-
-    if (display_type == DT_NOGRAPHIC || display_type == DT_VNC) {
+    if (ds->gui_timer == NULL) {
         nographic_timer = qemu_new_timer(rt_clock, nographic_update, NULL);
         qemu_mod_timer(nographic_timer, qemu_get_clock(rt_clock));
     }
-
     text_consoles_set_display(ds);
 
     if (gdbstub_dev && gdbserver_start(gdbstub_dev) < 0) {
commit d9d334176c5dba23b47be07192f431b0c030928d
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Sep 21 15:43:03 2010 +0100

    blkverify: Add block driver for verifying I/O
    
    The blkverify block driver makes investigating image format data
    corruption much easier.  A raw image initialized with the same contents
    as the test image (e.g. qcow2 file) must be provided.  The raw image
    mirrors read/write operations and is used to verify that data read from
    the test image is correct.
    
    See docs/blkverify.txt for more information.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 3ef6d80..dad4593 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -14,7 +14,7 @@ block-obj-$(CONFIG_LINUX_AIO) += linux-aio.o
 
 block-nested-y += raw.o cow.o qcow.o vdi.o vmdk.o cloop.o dmg.o bochs.o vpc.o vvfat.o
 block-nested-y += qcow2.o qcow2-refcount.o qcow2-cluster.o qcow2-snapshot.o
-block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o
+block-nested-y += parallels.o nbd.o blkdebug.o sheepdog.o blkverify.o
 block-nested-$(CONFIG_WIN32) += raw-win32.o
 block-nested-$(CONFIG_POSIX) += raw-posix.o
 block-nested-$(CONFIG_CURL) += curl.o
diff --git a/block/blkverify.c b/block/blkverify.c
new file mode 100644
index 0000000..4202685
--- /dev/null
+++ b/block/blkverify.c
@@ -0,0 +1,382 @@
+/*
+ * Block protocol for block driver correctness testing
+ *
+ * Copyright (C) 2010 IBM, Corp.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <stdarg.h>
+#include "qemu_socket.h" /* for EINPROGRESS on Windows */
+#include "block_int.h"
+
+typedef struct {
+    BlockDriverState *test_file;
+} BDRVBlkverifyState;
+
+typedef struct BlkverifyAIOCB BlkverifyAIOCB;
+struct BlkverifyAIOCB {
+    BlockDriverAIOCB common;
+    QEMUBH *bh;
+
+    /* Request metadata */
+    bool is_write;
+    int64_t sector_num;
+    int nb_sectors;
+
+    int ret;                    /* first completed request's result */
+    unsigned int done;          /* completion counter */
+    bool *finished;             /* completion signal for cancel */
+
+    QEMUIOVector *qiov;         /* user I/O vector */
+    QEMUIOVector raw_qiov;      /* cloned I/O vector for raw file */
+    void *buf;                  /* buffer for raw file I/O */
+
+    void (*verify)(BlkverifyAIOCB *acb);
+};
+
+static void blkverify_aio_cancel(BlockDriverAIOCB *blockacb)
+{
+    BlkverifyAIOCB *acb = (BlkverifyAIOCB *)blockacb;
+    bool finished = false;
+
+    /* Wait until request completes, invokes its callback, and frees itself */
+    acb->finished = &finished;
+    while (!finished) {
+        qemu_aio_wait();
+    }
+}
+
+static AIOPool blkverify_aio_pool = {
+    .aiocb_size         = sizeof(BlkverifyAIOCB),
+    .cancel             = blkverify_aio_cancel,
+};
+
+static void blkverify_err(BlkverifyAIOCB *acb, const char *fmt, ...)
+{
+    va_list ap;
+
+    va_start(ap, fmt);
+    fprintf(stderr, "blkverify: %s sector_num=%ld nb_sectors=%d ",
+            acb->is_write ? "write" : "read", acb->sector_num,
+            acb->nb_sectors);
+    vfprintf(stderr, fmt, ap);
+    fprintf(stderr, "\n");
+    va_end(ap);
+    exit(1);
+}
+
+/* Valid blkverify filenames look like blkverify:path/to/raw_image:path/to/image */
+static int blkverify_open(BlockDriverState *bs, const char *filename, int flags)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+    int ret;
+    char *raw, *c;
+
+    /* Parse the blkverify: prefix */
+    if (strncmp(filename, "blkverify:", strlen("blkverify:"))) {
+        return -EINVAL;
+    }
+    filename += strlen("blkverify:");
+
+    /* Parse the raw image filename */
+    c = strchr(filename, ':');
+    if (c == NULL) {
+        return -EINVAL;
+    }
+
+    raw = strdup(filename);
+    raw[c - filename] = '\0';
+    ret = bdrv_file_open(&bs->file, raw, flags);
+    free(raw);
+    if (ret < 0) {
+        return ret;
+    }
+    filename = c + 1;
+
+    /* Open the test file */
+    s->test_file = bdrv_new("");
+    ret = bdrv_open(s->test_file, filename, flags, NULL);
+    if (ret < 0) {
+        bdrv_delete(s->test_file);
+        s->test_file = NULL;
+        return ret;
+    }
+
+    return 0;
+}
+
+static void blkverify_close(BlockDriverState *bs)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+
+    bdrv_delete(s->test_file);
+    s->test_file = NULL;
+}
+
+static void blkverify_flush(BlockDriverState *bs)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+
+    /* Only flush test file, the raw file is not important */
+    bdrv_flush(s->test_file);
+}
+
+static int64_t blkverify_getlength(BlockDriverState *bs)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+
+    return bdrv_getlength(s->test_file);
+}
+
+/**
+ * Check that I/O vector contents are identical
+ *
+ * @a:          I/O vector
+ * @b:          I/O vector
+ * @ret:        Offset to first mismatching byte or -1 if match
+ */
+static ssize_t blkverify_iovec_compare(QEMUIOVector *a, QEMUIOVector *b)
+{
+    int i;
+    ssize_t offset = 0;
+
+    assert(a->niov == b->niov);
+    for (i = 0; i < a->niov; i++) {
+        size_t len = 0;
+        uint8_t *p = (uint8_t *)a->iov[i].iov_base;
+        uint8_t *q = (uint8_t *)b->iov[i].iov_base;
+
+        assert(a->iov[i].iov_len == b->iov[i].iov_len);
+        while (len < a->iov[i].iov_len && *p++ == *q++) {
+            len++;
+        }
+
+        offset += len;
+
+        if (len != a->iov[i].iov_len) {
+            return offset;
+        }
+    }
+    return -1;
+}
+
+typedef struct {
+    int src_index;
+    struct iovec *src_iov;
+    void *dest_base;
+} IOVectorSortElem;
+
+static int sortelem_cmp_src_base(const void *a, const void *b)
+{
+    const IOVectorSortElem *elem_a = a;
+    const IOVectorSortElem *elem_b = b;
+
+    /* Don't overflow */
+    if (elem_a->src_iov->iov_base < elem_b->src_iov->iov_base) {
+        return -1;
+    } else if (elem_a->src_iov->iov_base > elem_b->src_iov->iov_base) {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+static int sortelem_cmp_src_index(const void *a, const void *b)
+{
+    const IOVectorSortElem *elem_a = a;
+    const IOVectorSortElem *elem_b = b;
+
+    return elem_a->src_index - elem_b->src_index;
+}
+
+/**
+ * Copy contents of I/O vector
+ *
+ * The relative relationships of overlapping iovecs are preserved.  This is
+ * necessary to ensure identical semantics in the cloned I/O vector.
+ */
+static void blkverify_iovec_clone(QEMUIOVector *dest, const QEMUIOVector *src,
+                                  void *buf)
+{
+    IOVectorSortElem sortelems[src->niov];
+    void *last_end;
+    int i;
+
+    /* Sort by source iovecs by base address */
+    for (i = 0; i < src->niov; i++) {
+        sortelems[i].src_index = i;
+        sortelems[i].src_iov = &src->iov[i];
+    }
+    qsort(sortelems, src->niov, sizeof(sortelems[0]), sortelem_cmp_src_base);
+
+    /* Allocate buffer space taking into account overlapping iovecs */
+    last_end = NULL;
+    for (i = 0; i < src->niov; i++) {
+        struct iovec *cur = sortelems[i].src_iov;
+        ptrdiff_t rewind = 0;
+
+        /* Detect overlap */
+        if (last_end && last_end > cur->iov_base) {
+            rewind = last_end - cur->iov_base;
+        }
+
+        sortelems[i].dest_base = buf - rewind;
+        buf += cur->iov_len - MIN(rewind, cur->iov_len);
+        last_end = MAX(cur->iov_base + cur->iov_len, last_end);
+    }
+
+    /* Sort by source iovec index and build destination iovec */
+    qsort(sortelems, src->niov, sizeof(sortelems[0]), sortelem_cmp_src_index);
+    for (i = 0; i < src->niov; i++) {
+        qemu_iovec_add(dest, sortelems[i].dest_base, src->iov[i].iov_len);
+    }
+}
+
+static BlkverifyAIOCB *blkverify_aio_get(BlockDriverState *bs, bool is_write,
+                                         int64_t sector_num, QEMUIOVector *qiov,
+                                         int nb_sectors,
+                                         BlockDriverCompletionFunc *cb,
+                                         void *opaque)
+{
+    BlkverifyAIOCB *acb = qemu_aio_get(&blkverify_aio_pool, bs, cb, opaque);
+
+    acb->bh = NULL;
+    acb->is_write = is_write;
+    acb->sector_num = sector_num;
+    acb->nb_sectors = nb_sectors;
+    acb->ret = -EINPROGRESS;
+    acb->done = 0;
+    acb->qiov = qiov;
+    acb->buf = NULL;
+    acb->verify = NULL;
+    acb->finished = NULL;
+    return acb;
+}
+
+static void blkverify_aio_bh(void *opaque)
+{
+    BlkverifyAIOCB *acb = opaque;
+
+    qemu_bh_delete(acb->bh);
+    if (acb->buf) {
+        qemu_iovec_destroy(&acb->raw_qiov);
+        qemu_vfree(acb->buf);
+    }
+    acb->common.cb(acb->common.opaque, acb->ret);
+    if (acb->finished) {
+        *acb->finished = true;
+    }
+    qemu_aio_release(acb);
+}
+
+static void blkverify_aio_cb(void *opaque, int ret)
+{
+    BlkverifyAIOCB *acb = opaque;
+
+    switch (++acb->done) {
+    case 1:
+        acb->ret = ret;
+        break;
+
+    case 2:
+        if (acb->ret != ret) {
+            blkverify_err(acb, "return value mismatch %d != %d", acb->ret, ret);
+        }
+
+        if (acb->verify) {
+            acb->verify(acb);
+        }
+
+        acb->bh = qemu_bh_new(blkverify_aio_bh, acb);
+        qemu_bh_schedule(acb->bh);
+        break;
+    }
+}
+
+static void blkverify_verify_readv(BlkverifyAIOCB *acb)
+{
+    ssize_t offset = blkverify_iovec_compare(acb->qiov, &acb->raw_qiov);
+    if (offset != -1) {
+        blkverify_err(acb, "contents mismatch in sector %ld",
+                      acb->sector_num + (offset / BDRV_SECTOR_SIZE));
+    }
+}
+
+static BlockDriverAIOCB *blkverify_aio_readv(BlockDriverState *bs,
+        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
+        BlockDriverCompletionFunc *cb, void *opaque)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+    BlkverifyAIOCB *acb = blkverify_aio_get(bs, false, sector_num, qiov,
+                                            nb_sectors, cb, opaque);
+
+    acb->verify = blkverify_verify_readv;
+    acb->buf = qemu_blockalign(bs->file, qiov->size);
+    qemu_iovec_init(&acb->raw_qiov, acb->qiov->niov);
+    blkverify_iovec_clone(&acb->raw_qiov, qiov, acb->buf);
+
+    if (!bdrv_aio_readv(s->test_file, sector_num, qiov, nb_sectors,
+                        blkverify_aio_cb, acb)) {
+        blkverify_aio_cb(acb, -EIO);
+    }
+    if (!bdrv_aio_readv(bs->file, sector_num, &acb->raw_qiov, nb_sectors,
+                        blkverify_aio_cb, acb)) {
+        blkverify_aio_cb(acb, -EIO);
+    }
+    return &acb->common;
+}
+
+static BlockDriverAIOCB *blkverify_aio_writev(BlockDriverState *bs,
+        int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
+        BlockDriverCompletionFunc *cb, void *opaque)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+    BlkverifyAIOCB *acb = blkverify_aio_get(bs, true, sector_num, qiov,
+                                            nb_sectors, cb, opaque);
+
+    if (!bdrv_aio_writev(s->test_file, sector_num, qiov, nb_sectors,
+                         blkverify_aio_cb, acb)) {
+        blkverify_aio_cb(acb, -EIO);
+    }
+    if (!bdrv_aio_writev(bs->file, sector_num, qiov, nb_sectors,
+                         blkverify_aio_cb, acb)) {
+        blkverify_aio_cb(acb, -EIO);
+    }
+    return &acb->common;
+}
+
+static BlockDriverAIOCB *blkverify_aio_flush(BlockDriverState *bs,
+                                             BlockDriverCompletionFunc *cb,
+                                             void *opaque)
+{
+    BDRVBlkverifyState *s = bs->opaque;
+
+    /* Only flush test file, the raw file is not important */
+    return bdrv_aio_flush(s->test_file, cb, opaque);
+}
+
+static BlockDriver bdrv_blkverify = {
+    .format_name        = "blkverify",
+    .protocol_name      = "blkverify",
+
+    .instance_size      = sizeof(BDRVBlkverifyState),
+
+    .bdrv_getlength     = blkverify_getlength,
+
+    .bdrv_file_open     = blkverify_open,
+    .bdrv_close         = blkverify_close,
+    .bdrv_flush         = blkverify_flush,
+
+    .bdrv_aio_readv     = blkverify_aio_readv,
+    .bdrv_aio_writev    = blkverify_aio_writev,
+    .bdrv_aio_flush     = blkverify_aio_flush,
+};
+
+static void bdrv_blkverify_init(void)
+{
+    bdrv_register(&bdrv_blkverify);
+}
+
+block_init(bdrv_blkverify_init);
diff --git a/docs/blkverify.txt b/docs/blkverify.txt
new file mode 100644
index 0000000..d556dc4
--- /dev/null
+++ b/docs/blkverify.txt
@@ -0,0 +1,69 @@
+= Block driver correctness testing with blkverify =
+
+== Introduction ==
+
+This document describes how to use the blkverify protocol to test that a block
+driver is operating correctly.
+
+It is difficult to test and debug block drivers against real guests.  Often
+processes inside the guest will crash because corrupt sectors were read as part
+of the executable.  Other times obscure errors are raised by a program inside
+the guest.  These issues are extremely hard to trace back to bugs in the block
+driver.
+
+Blkverify solves this problem by catching data corruption inside QEMU the first
+time bad data is read and reporting the disk sector that is corrupted.
+
+== How it works ==
+
+The blkverify protocol has two child block devices, the "test" device and the
+"raw" device.  Read/write operations are mirrored to both devices so their
+state should always be in sync.
+
+The "raw" device is a raw image, a flat file, that has identical starting
+contents to the "test" image.  The idea is that the "raw" device will handle
+read/write operations correctly and not corrupt data.  It can be used as a
+reference for comparison against the "test" device.
+
+After a mirrored read operation completes, blkverify will compare the data and
+raise an error if it is not identical.  This makes it possible to catch the
+first instance where corrupt data is read.
+
+== Example ==
+
+Imagine raw.img has 0xcd repeated throughout its first sector:
+
+    $ ./qemu-io -c 'read -v 0 512' raw.img
+    00000000:  cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd  ................
+    00000010:  cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd  ................
+    [...]
+    000001e0:  cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd  ................
+    000001f0:  cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd  ................
+    read 512/512 bytes at offset 0
+    512.000000 bytes, 1 ops; 0.0000 sec (97.656 MiB/sec and 200000.0000 ops/sec)
+
+And test.img is corrupt, its first sector is zeroed when it shouldn't be:
+
+    $ ./qemu-io -c 'read -v 0 512' test.img
+    00000000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00000010:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    [...]
+    000001e0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    000001f0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    read 512/512 bytes at offset 0
+    512.000000 bytes, 1 ops; 0.0000 sec (81.380 MiB/sec and 166666.6667 ops/sec)
+
+This error is caught by blkverify:
+
+    $ ./qemu-io -c 'read 0 512' blkverify:a.img:b.img
+    blkverify: read sector_num=0 nb_sectors=4 contents mismatch in sector 0
+
+A more realistic scenario is verifying the installation of a guest OS:
+
+    $ ./qemu-img create raw.img 16G
+    $ ./qemu-img create -f qcow2 test.qcow2 16G
+    $ x86_64-softmmu/qemu-system-x86_64 -cdrom debian.iso \
+                                        -drive file=blkverify:raw.img:test.qcow2
+
+If the installation is aborted when blkverify detects corruption, use qemu-io
+to explore the contents of the disk image at the sector in question.
commit a5e3d9ef4dcca9b709999a98f6b37b9506c93ad3
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Mon Sep 6 16:58:44 2010 +0200

    scsi_bus: fix length and xfer_mode for RESERVE and RELEASE commands
    
    For the RESERVE and RELEASE commands the length must be zero
    and xfer_mode must be SCSI_XFER_NONE.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 7aa0bcd..5a3fd4b 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -208,6 +208,8 @@ static int scsi_req_length(SCSIRequest *req, uint8_t *cmd)
     case SEEK_6:
     case WRITE_FILEMARKS:
     case SPACE:
+    case RESERVE:
+    case RELEASE:
     case ERASE:
     case ALLOW_MEDIUM_REMOVAL:
     case VERIFY:
@@ -319,7 +321,6 @@ static void scsi_req_xfer_mode(SCSIRequest *req)
     case WRITE_BUFFER:
     case FORMAT_UNIT:
     case REASSIGN_BLOCKS:
-    case RESERVE:
     case SEARCH_EQUAL:
     case SEARCH_HIGH:
     case SEARCH_LOW:
commit f8b6d67251cfafed930d5f8be402fb0adac61299
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Mon Sep 6 16:07:33 2010 +0200

    scsi-generic: add missing reset handler
    
    Ensure that pending requests of a SCSI generic device are purged on
    system reset. This also avoids calling a NULL function in lsi53c895a.
    The lsi code was recently changed to call the .qdev.reset function.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-generic.c b/hw/scsi-generic.c
index 9538027..7212091 100644
--- a/hw/scsi-generic.c
+++ b/hw/scsi-generic.c
@@ -455,15 +455,31 @@ static int get_stream_blocksize(BlockDriverState *bdrv)
     return (buf[9] << 16) | (buf[10] << 8) | buf[11];
 }
 
-static void scsi_destroy(SCSIDevice *d)
+static void scsi_generic_purge_requests(SCSIGenericState *s)
 {
-    SCSIGenericState *s = DO_UPCAST(SCSIGenericState, qdev, d);
     SCSIGenericReq *r;
 
     while (!QTAILQ_EMPTY(&s->qdev.requests)) {
         r = DO_UPCAST(SCSIGenericReq, req, QTAILQ_FIRST(&s->qdev.requests));
+        if (r->req.aiocb) {
+            bdrv_aio_cancel(r->req.aiocb);
+        }
         scsi_remove_request(r);
     }
+}
+
+static void scsi_generic_reset(DeviceState *dev)
+{
+    SCSIGenericState *s = DO_UPCAST(SCSIGenericState, qdev.qdev, dev);
+
+    scsi_generic_purge_requests(s);
+}
+
+static void scsi_destroy(SCSIDevice *d)
+{
+    SCSIGenericState *s = DO_UPCAST(SCSIGenericState, qdev, d);
+
+    scsi_generic_purge_requests(s);
     blockdev_mark_auto_del(s->qdev.conf.bs);
 }
 
@@ -537,6 +553,7 @@ static SCSIDeviceInfo scsi_generic_info = {
     .qdev.name    = "scsi-generic",
     .qdev.desc    = "pass through generic scsi device (/dev/sg*)",
     .qdev.size    = sizeof(SCSIGenericState),
+    .qdev.reset   = scsi_generic_reset,
     .init         = scsi_generic_initfn,
     .destroy      = scsi_destroy,
     .send_command = scsi_send_command,
commit 6f5f060b736cedc2d962114d20805fdd2889513a
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Sep 13 18:24:10 2010 +0200

    qcow2: Avoid bounce buffers for AIO write requests
    
    qcow2 used to use bounce buffers for any AIO requests. This does not only imply
    unnecessary copying, but also unbounded allocations which should be avoided.
    
    This patch removes bounce buffers from the normal AIO write path. Encrypted
    images continue to use a bounce buffer, however with constant size.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index 4a688b4..ee3481b 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -331,15 +331,12 @@ typedef struct QCowAIOCB {
     BlockDriverAIOCB common;
     int64_t sector_num;
     QEMUIOVector *qiov;
-    uint8_t *buf;
-    void *orig_buf;
     int remaining_sectors;
     int cur_nr_sectors;	/* number of sectors in current iteration */
     uint64_t bytes_done;
     uint64_t cluster_offset;
     uint8_t *cluster_data;
     BlockDriverAIOCB *hd_aiocb;
-    struct iovec hd_iov;
     QEMUIOVector hd_qiov;
     QEMUBH *bh;
     QCowL2Meta l2meta;
@@ -530,14 +527,7 @@ static QCowAIOCB *qcow_aio_setup(BlockDriverState *bs,
     acb->sector_num = sector_num;
     acb->qiov = qiov;
 
-    if (!is_write) {
-        qemu_iovec_init(&acb->hd_qiov, qiov->niov);
-    } else if (qiov->niov == 1) {
-        acb->buf = (uint8_t *)qiov->iov->iov_base;
-    } else {
-        acb->buf = acb->orig_buf = qemu_blockalign(bs, qiov->size);
-        qemu_iovec_to_buffer(qiov, acb->buf);
-    }
+    qemu_iovec_init(&acb->hd_qiov, qiov->niov);
 
     acb->bytes_done = 0;
     acb->remaining_sectors = nb_sectors;
@@ -589,7 +579,6 @@ static void qcow_aio_write_cb(void *opaque, int ret)
     BlockDriverState *bs = acb->common.bs;
     BDRVQcowState *s = bs->opaque;
     int index_in_cluster;
-    const uint8_t *src_buf;
     int n_end;
 
     acb->hd_aiocb = NULL;
@@ -605,7 +594,7 @@ static void qcow_aio_write_cb(void *opaque, int ret)
 
     acb->remaining_sectors -= acb->cur_nr_sectors;
     acb->sector_num += acb->cur_nr_sectors;
-    acb->buf += acb->cur_nr_sectors * 512;
+    acb->bytes_done += acb->cur_nr_sectors * 512;
 
     if (acb->remaining_sectors == 0) {
         /* request completed */
@@ -636,20 +625,27 @@ static void qcow_aio_write_cb(void *opaque, int ret)
 
     assert((acb->cluster_offset & 511) == 0);
 
+    qemu_iovec_reset(&acb->hd_qiov);
+    qemu_iovec_copy(&acb->hd_qiov, acb->qiov, acb->bytes_done,
+        acb->cur_nr_sectors * 512);
+
     if (s->crypt_method) {
         if (!acb->cluster_data) {
             acb->cluster_data = qemu_mallocz(QCOW_MAX_CRYPT_CLUSTERS *
                                              s->cluster_size);
         }
-        qcow2_encrypt_sectors(s, acb->sector_num, acb->cluster_data, acb->buf,
-                        acb->cur_nr_sectors, 1, &s->aes_encrypt_key);
-        src_buf = acb->cluster_data;
-    } else {
-        src_buf = acb->buf;
+
+        assert(acb->hd_qiov.size <= QCOW_MAX_CRYPT_CLUSTERS * s->cluster_size);
+        qemu_iovec_to_buffer(&acb->hd_qiov, acb->cluster_data);
+
+        qcow2_encrypt_sectors(s, acb->sector_num, acb->cluster_data,
+            acb->cluster_data, acb->cur_nr_sectors, 1, &s->aes_encrypt_key);
+
+        qemu_iovec_reset(&acb->hd_qiov);
+        qemu_iovec_add(&acb->hd_qiov, acb->cluster_data,
+            acb->cur_nr_sectors * 512);
     }
-    acb->hd_iov.iov_base = (void *)src_buf;
-    acb->hd_iov.iov_len = acb->cur_nr_sectors * 512;
-    qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1);
+
     BLKDBG_EVENT(bs->file, BLKDBG_WRITE_AIO);
     acb->hd_aiocb = bdrv_aio_writev(bs->file,
                                     (acb->cluster_offset >> 9) + index_in_cluster,
@@ -667,9 +663,8 @@ fail:
         QLIST_REMOVE(&acb->l2meta, next_in_flight);
     }
 done:
-    if (acb->qiov->niov > 1)
-        qemu_vfree(acb->orig_buf);
     acb->common.cb(acb->common.opaque, ret);
+    qemu_iovec_destroy(&acb->hd_qiov);
     qemu_aio_release(acb);
 }
 
commit bd28f835652e396841bb73080a07bcc08fe21bf0
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Sep 13 18:08:52 2010 +0200

    qcow2: Avoid bounce buffers for AIO read requests
    
    qcow2 used to use bounce buffers for any AIO requests. This does not only imply
    unnecessary copying, but also unbounded allocations which should be avoided.
    
    This patch removes bounce buffers from the normal AIO read path, and constrains
    them to a constant size for encrypted images.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index cb2e33f..fb4224a 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -350,6 +350,8 @@ static int qcow_read(BlockDriverState *bs, int64_t sector_num,
     BDRVQcowState *s = bs->opaque;
     int ret, index_in_cluster, n, n1;
     uint64_t cluster_offset;
+    struct iovec iov;
+    QEMUIOVector qiov;
 
     while (nb_sectors > 0) {
         n = nb_sectors;
@@ -364,7 +366,11 @@ static int qcow_read(BlockDriverState *bs, int64_t sector_num,
         if (!cluster_offset) {
             if (bs->backing_hd) {
                 /* read from the base image */
-                n1 = qcow2_backing_read1(bs->backing_hd, sector_num, buf, n);
+                iov.iov_base = buf;
+                iov.iov_len = n * 512;
+                qemu_iovec_init_external(&qiov, &iov, 1);
+
+                n1 = qcow2_backing_read1(bs->backing_hd, &qiov, sector_num, n);
                 if (n1 > 0) {
                     BLKDBG_EVENT(bs->file, BLKDBG_READ_BACKING);
                     ret = bdrv_read(bs->backing_hd, sector_num, buf, n1);
diff --git a/block/qcow2.c b/block/qcow2.c
index a53014d..4a688b4 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -311,8 +311,8 @@ static int qcow_is_allocated(BlockDriverState *bs, int64_t sector_num,
 }
 
 /* handle reading after the end of the backing file */
-int qcow2_backing_read1(BlockDriverState *bs,
-                  int64_t sector_num, uint8_t *buf, int nb_sectors)
+int qcow2_backing_read1(BlockDriverState *bs, QEMUIOVector *qiov,
+                  int64_t sector_num, int nb_sectors)
 {
     int n1;
     if ((sector_num + nb_sectors) <= bs->total_sectors)
@@ -321,7 +321,9 @@ int qcow2_backing_read1(BlockDriverState *bs,
         n1 = 0;
     else
         n1 = bs->total_sectors - sector_num;
-    memset(buf + n1 * 512, 0, 512 * (nb_sectors - n1));
+
+    qemu_iovec_memset(qiov, 0, 512 * (nb_sectors - n1));
+
     return n1;
 }
 
@@ -333,6 +335,7 @@ typedef struct QCowAIOCB {
     void *orig_buf;
     int remaining_sectors;
     int cur_nr_sectors;	/* number of sectors in current iteration */
+    uint64_t bytes_done;
     uint64_t cluster_offset;
     uint8_t *cluster_data;
     BlockDriverAIOCB *hd_aiocb;
@@ -397,15 +400,19 @@ static void qcow_aio_read_cb(void *opaque, int ret)
         /* nothing to do */
     } else {
         if (s->crypt_method) {
-            qcow2_encrypt_sectors(s, acb->sector_num, acb->buf, acb->buf,
-                            acb->cur_nr_sectors, 0,
-                            &s->aes_decrypt_key);
+            qcow2_encrypt_sectors(s, acb->sector_num,  acb->cluster_data,
+                acb->cluster_data, acb->cur_nr_sectors, 0, &s->aes_decrypt_key);
+            qemu_iovec_reset(&acb->hd_qiov);
+            qemu_iovec_copy(&acb->hd_qiov, acb->qiov, acb->bytes_done,
+                acb->cur_nr_sectors * 512);
+            qemu_iovec_from_buffer(&acb->hd_qiov, acb->cluster_data,
+                512 * acb->cur_nr_sectors);
         }
     }
 
     acb->remaining_sectors -= acb->cur_nr_sectors;
     acb->sector_num += acb->cur_nr_sectors;
-    acb->buf += acb->cur_nr_sectors * 512;
+    acb->bytes_done += acb->cur_nr_sectors * 512;
 
     if (acb->remaining_sectors == 0) {
         /* request completed */
@@ -415,6 +422,11 @@ static void qcow_aio_read_cb(void *opaque, int ret)
 
     /* prepare next AIO request */
     acb->cur_nr_sectors = acb->remaining_sectors;
+    if (s->crypt_method) {
+        acb->cur_nr_sectors = MIN(acb->cur_nr_sectors,
+            QCOW_MAX_CRYPT_CLUSTERS * s->cluster_sectors);
+    }
+
     ret = qcow2_get_cluster_offset(bs, acb->sector_num << 9,
         &acb->cur_nr_sectors, &acb->cluster_offset);
     if (ret < 0) {
@@ -423,15 +435,17 @@ static void qcow_aio_read_cb(void *opaque, int ret)
 
     index_in_cluster = acb->sector_num & (s->cluster_sectors - 1);
 
+    qemu_iovec_reset(&acb->hd_qiov);
+    qemu_iovec_copy(&acb->hd_qiov, acb->qiov, acb->bytes_done,
+        acb->cur_nr_sectors * 512);
+
     if (!acb->cluster_offset) {
+
         if (bs->backing_hd) {
             /* read from the base image */
-            n1 = qcow2_backing_read1(bs->backing_hd, acb->sector_num,
-                               acb->buf, acb->cur_nr_sectors);
+            n1 = qcow2_backing_read1(bs->backing_hd, &acb->hd_qiov,
+                acb->sector_num, acb->cur_nr_sectors);
             if (n1 > 0) {
-                acb->hd_iov.iov_base = (void *)acb->buf;
-                acb->hd_iov.iov_len = acb->cur_nr_sectors * 512;
-                qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1);
                 BLKDBG_EVENT(bs->file, BLKDBG_READ_BACKING_AIO);
                 acb->hd_aiocb = bdrv_aio_readv(bs->backing_hd, acb->sector_num,
                                     &acb->hd_qiov, acb->cur_nr_sectors,
@@ -445,7 +459,7 @@ static void qcow_aio_read_cb(void *opaque, int ret)
             }
         } else {
             /* Note: in this case, no need to wait */
-            memset(acb->buf, 0, 512 * acb->cur_nr_sectors);
+            qemu_iovec_memset(&acb->hd_qiov, 0, 512 * acb->cur_nr_sectors);
             ret = qcow_schedule_bh(qcow_aio_read_bh, acb);
             if (ret < 0)
                 goto done;
@@ -454,8 +468,11 @@ static void qcow_aio_read_cb(void *opaque, int ret)
         /* add AIO support for compressed blocks ? */
         if (qcow2_decompress_cluster(bs, acb->cluster_offset) < 0)
             goto done;
-        memcpy(acb->buf, s->cluster_cache + index_in_cluster * 512,
-               512 * acb->cur_nr_sectors);
+
+        qemu_iovec_from_buffer(&acb->hd_qiov,
+            s->cluster_cache + index_in_cluster * 512,
+            512 * acb->cur_nr_sectors);
+
         ret = qcow_schedule_bh(qcow_aio_read_bh, acb);
         if (ret < 0)
             goto done;
@@ -465,9 +482,23 @@ static void qcow_aio_read_cb(void *opaque, int ret)
             goto done;
         }
 
-        acb->hd_iov.iov_base = (void *)acb->buf;
-        acb->hd_iov.iov_len = acb->cur_nr_sectors * 512;
-        qemu_iovec_init_external(&acb->hd_qiov, &acb->hd_iov, 1);
+        if (s->crypt_method) {
+            /*
+             * For encrypted images, read everything into a temporary
+             * contiguous buffer on which the AES functions can work.
+             */
+            if (!acb->cluster_data) {
+                acb->cluster_data =
+                    qemu_mallocz(QCOW_MAX_CRYPT_CLUSTERS * s->cluster_size);
+            }
+
+            assert(acb->cur_nr_sectors <=
+                QCOW_MAX_CRYPT_CLUSTERS * s->cluster_sectors);
+            qemu_iovec_reset(&acb->hd_qiov);
+            qemu_iovec_add(&acb->hd_qiov, acb->cluster_data,
+                512 * acb->cur_nr_sectors);
+        }
+
         BLKDBG_EVENT(bs->file, BLKDBG_READ_AIO);
         acb->hd_aiocb = bdrv_aio_readv(bs->file,
                             (acb->cluster_offset >> 9) + index_in_cluster,
@@ -481,11 +512,8 @@ static void qcow_aio_read_cb(void *opaque, int ret)
 
     return;
 done:
-    if (acb->qiov->niov > 1) {
-        qemu_iovec_from_buffer(acb->qiov, acb->orig_buf, acb->qiov->size);
-        qemu_vfree(acb->orig_buf);
-    }
     acb->common.cb(acb->common.opaque, ret);
+    qemu_iovec_destroy(&acb->hd_qiov);
     qemu_aio_release(acb);
 }
 
@@ -501,13 +529,17 @@ static QCowAIOCB *qcow_aio_setup(BlockDriverState *bs,
     acb->hd_aiocb = NULL;
     acb->sector_num = sector_num;
     acb->qiov = qiov;
-    if (qiov->niov > 1) {
-        acb->buf = acb->orig_buf = qemu_blockalign(bs, qiov->size);
-        if (is_write)
-            qemu_iovec_to_buffer(qiov, acb->buf);
-    } else {
+
+    if (!is_write) {
+        qemu_iovec_init(&acb->hd_qiov, qiov->niov);
+    } else if (qiov->niov == 1) {
         acb->buf = (uint8_t *)qiov->iov->iov_base;
+    } else {
+        acb->buf = acb->orig_buf = qemu_blockalign(bs, qiov->size);
+        qemu_iovec_to_buffer(qiov, acb->buf);
     }
+
+    acb->bytes_done = 0;
     acb->remaining_sectors = nb_sectors;
     acb->cur_nr_sectors = 0;
     acb->cluster_offset = 0;
diff --git a/block/qcow2.h b/block/qcow2.h
index 3ff162e..356a34a 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -166,8 +166,8 @@ static inline int64_t align_offset(int64_t offset, int n)
 // FIXME Need qcow2_ prefix to global functions
 
 /* qcow2.c functions */
-int qcow2_backing_read1(BlockDriverState *bs,
-                  int64_t sector_num, uint8_t *buf, int nb_sectors);
+int qcow2_backing_read1(BlockDriverState *bs, QEMUIOVector *qiov,
+                  int64_t sector_num, int nb_sectors);
 
 /* qcow2-refcount.c functions */
 int qcow2_refcount_init(BlockDriverState *bs);
commit b8a83a4f79ca4cd0689117b119ffaa1a91b00d52
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Mon Sep 13 18:06:11 2010 +0200

    cutils: qemu_iovec_copy and qemu_iovec_memset
    
    This adds two functions that work on QEMUIOVectors and will be used by the next
    qcow2 patches.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index 036ae3c..5883737 100644
--- a/cutils.c
+++ b/cutils.c
@@ -168,30 +168,50 @@ void qemu_iovec_add(QEMUIOVector *qiov, void *base, size_t len)
 }
 
 /*
- * Copies iovecs from src to the end dst until src is completely copied or the
- * total size of the copied iovec reaches size. The size of the last copied
- * iovec is changed in order to fit the specified total size if it isn't a
- * perfect fit already.
+ * Copies iovecs from src to the end of dst. It starts copying after skipping
+ * the given number of bytes in src and copies until src is completely copied
+ * or the total size of the copied iovec reaches size.The size of the last
+ * copied iovec is changed in order to fit the specified total size if it isn't
+ * a perfect fit already.
  */
-void qemu_iovec_concat(QEMUIOVector *dst, QEMUIOVector *src, size_t size)
+void qemu_iovec_copy(QEMUIOVector *dst, QEMUIOVector *src, uint64_t skip,
+    size_t size)
 {
     int i;
     size_t done;
+    void *iov_base;
+    uint64_t iov_len;
 
     assert(dst->nalloc != -1);
 
     done = 0;
     for (i = 0; (i < src->niov) && (done != size); i++) {
-        if (done + src->iov[i].iov_len > size) {
-            qemu_iovec_add(dst, src->iov[i].iov_base, size - done);
+        if (skip >= src->iov[i].iov_len) {
+            /* Skip the whole iov */
+            skip -= src->iov[i].iov_len;
+            continue;
+        } else {
+            /* Skip only part (or nothing) of the iov */
+            iov_base = (uint8_t*) src->iov[i].iov_base + skip;
+            iov_len = src->iov[i].iov_len - skip;
+            skip = 0;
+        }
+
+        if (done + iov_len > size) {
+            qemu_iovec_add(dst, iov_base, size - done);
             break;
         } else {
-            qemu_iovec_add(dst, src->iov[i].iov_base, src->iov[i].iov_len);
+            qemu_iovec_add(dst, iov_base, iov_len);
         }
-        done += src->iov[i].iov_len;
+        done += iov_len;
     }
 }
 
+void qemu_iovec_concat(QEMUIOVector *dst, QEMUIOVector *src, size_t size)
+{
+    qemu_iovec_copy(dst, src, 0, size);
+}
+
 void qemu_iovec_destroy(QEMUIOVector *qiov)
 {
     assert(qiov->nalloc != -1);
@@ -234,6 +254,18 @@ void qemu_iovec_from_buffer(QEMUIOVector *qiov, const void *buf, size_t count)
     }
 }
 
+void qemu_iovec_memset(QEMUIOVector *qiov, int c, size_t count)
+{
+    size_t n;
+    int i;
+
+    for (i = 0; i < qiov->niov && count; ++i) {
+        n = MIN(count, qiov->iov[i].iov_len);
+        memset(qiov->iov[i].iov_base, c, n);
+        count -= n;
+    }
+}
+
 #ifndef _WIN32
 /* Sets a specific flag */
 int fcntl_setfl(int fd, int flag)
diff --git a/qemu-common.h b/qemu-common.h
index dfd3dc0..5544ffd 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -278,11 +278,14 @@ typedef struct QEMUIOVector {
 void qemu_iovec_init(QEMUIOVector *qiov, int alloc_hint);
 void qemu_iovec_init_external(QEMUIOVector *qiov, struct iovec *iov, int niov);
 void qemu_iovec_add(QEMUIOVector *qiov, void *base, size_t len);
+void qemu_iovec_copy(QEMUIOVector *dst, QEMUIOVector *src, uint64_t skip,
+    size_t size);
 void qemu_iovec_concat(QEMUIOVector *dst, QEMUIOVector *src, size_t size);
 void qemu_iovec_destroy(QEMUIOVector *qiov);
 void qemu_iovec_reset(QEMUIOVector *qiov);
 void qemu_iovec_to_buffer(QEMUIOVector *qiov, void *buf);
 void qemu_iovec_from_buffer(QEMUIOVector *qiov, const void *buf, size_t count);
+void qemu_iovec_memset(QEMUIOVector *qiov, int c, size_t count);
 
 struct Monitor;
 typedef struct Monitor Monitor;
commit 1b2adf28030ee3a570ba3a22401d44da2b18fe01
Author: Christoph Hellwig <hch at lst.de>
Date:   Sun Sep 12 23:44:00 2010 +0200

    ide: propagate the required alignment
    
    IDE is a bit ugly in this respect.  For one it doesn't really keep track
    of a sector size - most of the protocol is in units of 512 bytes, and we
    assume 2048 bytes for CDROMs which is correct most of the time.
    
    Second IDE allocates an I/O buffer long before we know if we're dealing
    with a CDROM or not, so increase the alignment for the io_buffer
    unconditionally.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 1e466d1..06b6e14 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2645,6 +2645,7 @@ int ide_init_drive(IDEState *s, BlockDriverState *bs,
     if (bdrv_get_type_hint(bs) == BDRV_TYPE_CDROM) {
         s->drive_kind = IDE_CD;
         bdrv_set_change_cb(bs, cdrom_change_cb, s);
+        bs->buffer_alignment = 2048;
     } else {
         if (!bdrv_is_inserted(s->bs)) {
             error_report("Device needs media, but drive is empty");
@@ -2679,7 +2680,8 @@ static void ide_init1(IDEBus *bus, int unit)
     s->bus = bus;
     s->unit = unit;
     s->drive_serial = drive_serial++;
-    s->io_buffer = qemu_blockalign(s->bs, IDE_DMA_BUF_SECTORS*512 + 4);
+    /* we need at least 2k alignment for accessing CDROMs using O_DIRECT */
+    s->io_buffer = qemu_memalign(2048, IDE_DMA_BUF_SECTORS*512 + 4);
     s->io_buffer_total_len = IDE_DMA_BUF_SECTORS*512 + 4;
     s->smart_selftest_data = qemu_blockalign(s->bs, 512);
     s->sector_write_timer = qemu_new_timer(vm_clock,
commit 73fdb1e1956c6ac10e76882a2e8426d794e02bb2
Author: Christoph Hellwig <hch at lst.de>
Date:   Sun Sep 12 23:43:50 2010 +0200

    scsi-disk: propagate the required alignment
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index ee20e8f..9628b39 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1178,6 +1178,7 @@ static int scsi_disk_initfn(SCSIDevice *dev)
         s->qdev.blocksize = s->qdev.conf.logical_block_size;
     }
     s->cluster_size = s->qdev.blocksize / 512;
+    s->bs->buffer_alignment = s->qdev.blocksize;
 
     s->qdev.type = TYPE_DISK;
     qemu_add_vm_change_state_handler(scsi_dma_restart_cb, s);
commit 316a7af35029d52c971f5df044eb69901d6f16ff
Author: Christoph Hellwig <hch at lst.de>
Date:   Sun Sep 12 23:43:39 2010 +0200

    virtio-blk: propagate the required alignment
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index bd6bbe6..a1df26d 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -540,6 +540,7 @@ VirtIODevice *virtio_blk_init(DeviceState *dev, BlockConf *conf)
     register_savevm(dev, "virtio-blk", virtio_blk_id++, 2,
                     virtio_blk_save, virtio_blk_load, s);
     bdrv_set_removable(s->bs, 0);
+    s->bs->buffer_alignment = conf->logical_block_size;
 
     return &s->vdev;
 }
commit 9f8e668eb1826434f61a63ff260d6c8b466e483a
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Sep 17 17:02:09 2010 +0200

    qcow2: Get rid of additional sync on COW
    
    We always have a sync for the refcount update when a new cluster is
    allocated. If we move this past the COW, we can save an additional sync.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 818c0db..cb2e33f 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -415,7 +415,7 @@ static int copy_sectors(BlockDriverState *bs, uint64_t start_sect,
                         &s->aes_encrypt_key);
     }
     BLKDBG_EVENT(bs->file, BLKDBG_COW_WRITE);
-    ret = bdrv_write_sync(bs->file, (cluster_offset >> 9) + n_start,
+    ret = bdrv_write(bs->file, (cluster_offset >> 9) + n_start,
         s->cluster_data, n);
     if (ret < 0)
         return ret;
@@ -714,6 +714,13 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
                     (i << s->cluster_bits)) | QCOW_OFLAG_COPIED);
      }
 
+    /*
+     * Before we update the L2 table to actually point to the new cluster, we
+     * need to be sure that the refcounts have been increased and COW was
+     * handled.
+     */
+    bdrv_flush(bs->file);
+
     ret = write_l2_entries(bs, l2_table, l2_offset, l2_index, m->nb_clusters);
     if (ret < 0) {
         qcow2_l2_cache_reset(bs);
@@ -865,7 +872,6 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
         QLIST_REMOVE(m, next_in_flight);
         return cluster_offset;
     }
-    bdrv_flush(bs->file);
 
     /* save info needed for meta data update */
     m->offset = offset;
commit 29216ed14f0bae35d1d9bb114a1aee7ee6837670
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Sep 17 16:57:48 2010 +0200

    qcow2: Move sync out of qcow2_alloc_clusters
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index f562b16..818c0db 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -60,6 +60,7 @@ int qcow2_grow_l1_table(BlockDriverState *bs, int min_size)
         qemu_free(new_l1_table);
         return new_l1_table_offset;
     }
+    bdrv_flush(bs->file);
 
     BLKDBG_EVENT(bs->file, BLKDBG_L1_GROW_WRITE_TABLE);
     for(i = 0; i < s->l1_size; i++)
@@ -243,6 +244,7 @@ static int l2_allocate(BlockDriverState *bs, int l1_index, uint64_t **table)
     if (l2_offset < 0) {
         return l2_offset;
     }
+    bdrv_flush(bs->file);
 
     /* allocate a new entry in the l2 cache */
 
@@ -863,6 +865,7 @@ int qcow2_alloc_cluster_offset(BlockDriverState *bs, uint64_t offset,
         QLIST_REMOVE(m, next_in_flight);
         return cluster_offset;
     }
+    bdrv_flush(bs->file);
 
     /* save info needed for meta data update */
     m->offset = offset;
diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 4fc3f80..7082601 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -629,8 +629,6 @@ int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size)
         return ret;
     }
 
-    bdrv_flush(bs->file);
-
     return offset;
 }
 
@@ -678,6 +676,8 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size)
             goto redo;
         }
     }
+
+    bdrv_flush(bs->file);
     return offset;
 }
 
diff --git a/block/qcow2-snapshot.c b/block/qcow2-snapshot.c
index 6228612..bbfcaaa 100644
--- a/block/qcow2-snapshot.c
+++ b/block/qcow2-snapshot.c
@@ -138,6 +138,7 @@ static int qcow_write_snapshots(BlockDriverState *bs)
     snapshots_size = offset;
 
     snapshots_offset = qcow2_alloc_clusters(bs, snapshots_size);
+    bdrv_flush(bs->file);
     offset = snapshots_offset;
     if (offset < 0) {
         return offset;
@@ -271,6 +272,7 @@ int qcow2_snapshot_create(BlockDriverState *bs, QEMUSnapshotInfo *sn_info)
     if (l1_table_offset < 0) {
         goto fail;
     }
+    bdrv_flush(bs->file);
 
     sn->l1_table_offset = l1_table_offset;
     sn->l1_size = s->l1_size;
commit 1c4c28149fff77b8c983fdabe4e76bdc8cadd572
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Sep 17 16:36:58 2010 +0200

    qcow2: Move sync out of update_refcount
    
    Note that the flush is omitted intentionally in qcow2_free_clusters. If
    anything, we can leak clusters here if we lose the writes.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 7dc75d1..4fc3f80 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -261,6 +261,8 @@ static int64_t alloc_refcount_block(BlockDriverState *bs, int64_t cluster_index)
             goto fail_block;
         }
 
+        bdrv_flush(bs->file);
+
         /* Initialize the new refcount block only after updating its refcount,
          * update_refcount uses the refcount cache itself */
         memset(s->refcount_block_cache, 0, s->cluster_size);
@@ -551,8 +553,6 @@ fail:
         dummy = update_refcount(bs, offset, cluster_offset - offset, -addend);
     }
 
-    bdrv_flush(bs->file);
-
     return ret;
 }
 
@@ -575,6 +575,8 @@ static int update_cluster_refcount(BlockDriverState *bs,
         return ret;
     }
 
+    bdrv_flush(bs->file);
+
     return get_refcount(bs, cluster_index);
 }
 
@@ -626,6 +628,9 @@ int64_t qcow2_alloc_clusters(BlockDriverState *bs, int64_t size)
     if (ret < 0) {
         return ret;
     }
+
+    bdrv_flush(bs->file);
+
     return offset;
 }
 
@@ -803,6 +808,10 @@ int qcow2_update_snapshot_refcount(BlockDriverState *bs,
                             if (ret < 0) {
                                 goto fail;
                             }
+
+                            /* TODO Flushing once for the whole function should
+                             * be enough */
+                            bdrv_flush(bs->file);
                         }
                         /* compressed clusters are never modified */
                         refcount = 2;
commit c01828fb518561235812d1035804e6efca31182a
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Fri Sep 17 16:31:03 2010 +0200

    qcow2: Move sync out of write_refcount_block_entries
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c
index 4c19e7e..7dc75d1 100644
--- a/block/qcow2-refcount.c
+++ b/block/qcow2-refcount.c
@@ -444,7 +444,7 @@ static int write_refcount_block_entries(BlockDriverState *bs,
     size = (last_index - first_index) << REFCOUNT_SHIFT;
 
     BLKDBG_EVENT(bs->file, BLKDBG_REFBLOCK_UPDATE_PART);
-    ret = bdrv_pwrite_sync(bs->file,
+    ret = bdrv_pwrite(bs->file,
         refcount_block_offset + (first_index << REFCOUNT_SHIFT),
         &s->refcount_block_cache[first_index], size);
     if (ret < 0) {
@@ -551,6 +551,8 @@ fail:
         dummy = update_refcount(bs, offset, cluster_offset - offset, -addend);
     }
 
+    bdrv_flush(bs->file);
+
     return ret;
 }
 
commit c2e2872bf49884d2b2382613891ce979e95c11ca
Author: Laurent Vivier <laurent at vivier.eu>
Date:   Fri Sep 17 20:37:25 2010 +0200

    nbd: correctly manage default port
    
    block/nbd.c: use default port number when none is specified
    qemu-nbd.c:  use IANA-assigned port number: 10809
    
    Signed-off-by: Laurent Vivier <laurent at vivier.eu>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/nbd.c b/block/nbd.c
index 5e9d6cb..c8dc763 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -95,8 +95,6 @@ static int nbd_open(BlockDriverState *bs, const char* filename, int flags)
             if (r == p) {
                 goto out;
             }
-        } else if (name == NULL) {
-            goto out;
         }
 
         sock = tcp_socket_outgoing(hostname, port);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 923a3bf..99f1d22 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -44,7 +44,7 @@ static void usage(const char *name)
 "Usage: %s [OPTIONS] FILE\n"
 "QEMU Disk Network Block Device Server\n"
 "\n"
-"  -p, --port=PORT      port to listen on (default `1024')\n"
+"  -p, --port=PORT      port to listen on (default `%d')\n"
 "  -o, --offset=OFFSET  offset into the image\n"
 "  -b, --bind=IFACE     interface to bind to (default `0.0.0.0')\n"
 "  -k, --socket=PATH    path to the unix socket\n"
@@ -62,7 +62,7 @@ static void usage(const char *name)
 "  -V, --version        output version information and exit\n"
 "\n"
 "Report bugs to <anthony at codemonkey.ws>\n"
-    , name, "DEVICE");
+    , name, NBD_DEFAULT_PORT, "DEVICE");
 }
 
 static void version(const char *name)
@@ -188,7 +188,7 @@ int main(int argc, char **argv)
     bool readonly = false;
     bool disconnect = false;
     const char *bindto = "0.0.0.0";
-    int port = 1024;
+    int port = NBD_DEFAULT_PORT;
     struct sockaddr_in addr;
     socklen_t addr_len = sizeof(addr);
     off_t fd_size;
commit 5fe16888d33af7aca0d613d888c161af68c755c3
Author: Laurent Vivier <laurent at vivier.eu>
Date:   Fri Sep 17 18:13:57 2010 +0200

    Improve qemu-nbd performance by 4400 %
    
    This patch allows to reduce the boot time from an NBD server from 225 seconds to
    5 seconds (time between the "boot cd:0" and the kernel init) for the
    following command lines:
    
    ./qemu-nbd -t ../ISO/debian-500-powerpc-netinst.iso
    and
    ./ppc-softmmu/qemu-system-ppc -cdrom nbd:localhost:1024
    
    This patch combines the reply header and payload send operation.
    
    Signed-off-by: Laurent Vivier <laurent at vivier.eu>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/nbd.c b/nbd.c
index 011b50f..4bf2eb7 100644
--- a/nbd.c
+++ b/nbd.c
@@ -49,6 +49,7 @@
 
 /* This is all part of the "official" NBD API */
 
+#define NBD_REPLY_SIZE		(4 + 4 + 8)
 #define NBD_REQUEST_MAGIC       0x25609513
 #define NBD_REPLY_MAGIC         0x67446698
 
@@ -588,7 +589,7 @@ static int nbd_receive_request(int csock, struct nbd_request *request)
 
 int nbd_receive_reply(int csock, struct nbd_reply *reply)
 {
-	uint8_t buf[4 + 4 + 8];
+	uint8_t buf[NBD_REPLY_SIZE];
 	uint32_t magic;
 
 	memset(buf, 0xAA, sizeof(buf));
@@ -655,9 +656,9 @@ int nbd_trip(BlockDriverState *bs, int csock, off_t size, uint64_t dev_offset,
 	if (nbd_receive_request(csock, &request) == -1)
 		return -1;
 
-	if (request.len > data_size) {
+	if (request.len + NBD_REPLY_SIZE > data_size) {
 		LOG("len (%u) is larger than max len (%u)",
-		    request.len, data_size);
+		    request.len + NBD_REPLY_SIZE, data_size);
 		errno = EINVAL;
 		return -1;
 	}
@@ -687,7 +688,8 @@ int nbd_trip(BlockDriverState *bs, int csock, off_t size, uint64_t dev_offset,
 	case NBD_CMD_READ:
 		TRACE("Request type is READ");
 
-		if (bdrv_read(bs, (request.from + dev_offset) / 512, data,
+		if (bdrv_read(bs, (request.from + dev_offset) / 512,
+			      data + NBD_REPLY_SIZE,
 			      request.len / 512) == -1) {
 			LOG("reading from file failed");
 			errno = EINVAL;
@@ -697,12 +699,21 @@ int nbd_trip(BlockDriverState *bs, int csock, off_t size, uint64_t dev_offset,
 
 		TRACE("Read %u byte(s)", request.len);
 
-		if (nbd_send_reply(csock, &reply) == -1)
-			return -1;
+		/* Reply
+		   [ 0 ..  3]    magic   (NBD_REPLY_MAGIC)
+		   [ 4 ..  7]    error   (0 == no error)
+		   [ 7 .. 15]    handle
+		 */
+
+		cpu_to_be32w((uint32_t*)data, NBD_REPLY_MAGIC);
+		cpu_to_be32w((uint32_t*)(data + 4), reply.error);
+		cpu_to_be64w((uint64_t*)(data + 8), reply.handle);
 
 		TRACE("Sending data to client");
 
-		if (write_sync(csock, data, request.len) != request.len) {
+		if (write_sync(csock, data,
+			       request.len + NBD_REPLY_SIZE) !=
+			       request.len + NBD_REPLY_SIZE) {
 			LOG("writing to socket failed");
 			errno = EINVAL;
 			return -1;
commit 581b9e29f36eec5de0779c3dbade980e4405d92e
Author: Christoph Hellwig <hch at lst.de>
Date:   Sun Sep 12 23:43:21 2010 +0200

    raw-posix: handle > 512 byte alignment correctly
    
    Replace the hardcoded handling of 512 byte alignment with bs->buffer_alignment
    to handle larger sector size devices correctly.
    
    Note that we can not rely on it to be initialize in bdrv_open, so deal
    with the worst case there.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/raw-posix.c b/block/raw-posix.c
index 813372a..a5cbb7e 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -97,12 +97,12 @@
 #define FTYPE_CD     1
 #define FTYPE_FD     2
 
-#define ALIGNED_BUFFER_SIZE (32 * 512)
-
 /* if the FD is not accessed during that time (in ms), we try to
    reopen it to see if the disk has been changed */
 #define FD_OPEN_TIMEOUT 1000
 
+#define MAX_BLOCKSIZE	4096
+
 typedef struct BDRVRawState {
     int fd;
     int type;
@@ -118,7 +118,8 @@ typedef struct BDRVRawState {
     int use_aio;
     void *aio_ctx;
 #endif
-    uint8_t* aligned_buf;
+    uint8_t *aligned_buf;
+    unsigned aligned_buf_size;
 } BDRVRawState;
 
 static int fd_open(BlockDriverState *bs);
@@ -161,7 +162,12 @@ static int raw_open_common(BlockDriverState *bs, const char *filename,
     s->aligned_buf = NULL;
 
     if ((bdrv_flags & BDRV_O_NOCACHE)) {
-        s->aligned_buf = qemu_blockalign(bs, ALIGNED_BUFFER_SIZE);
+        /*
+         * Allocate a buffer for read/modify/write cycles.  Chose the size
+         * pessimistically as we don't know the block size yet.
+         */
+        s->aligned_buf_size = 32 * MAX_BLOCKSIZE;
+        s->aligned_buf = qemu_memalign(MAX_BLOCKSIZE, s->aligned_buf_size);
         if (s->aligned_buf == NULL) {
             goto out_close;
         }
@@ -278,8 +284,9 @@ static int raw_pread_aligned(BlockDriverState *bs, int64_t offset,
 }
 
 /*
- * offset and count are in bytes, but must be multiples of 512 for files
- * opened with O_DIRECT. buf must be aligned to 512 bytes then.
+ * offset and count are in bytes, but must be multiples of the sector size
+ * for files opened with O_DIRECT. buf must be aligned to sector size bytes
+ * then.
  *
  * This function may be called without alignment if the caller ensures
  * that O_DIRECT is not in effect.
@@ -316,24 +323,25 @@ static int raw_pread(BlockDriverState *bs, int64_t offset,
                      uint8_t *buf, int count)
 {
     BDRVRawState *s = bs->opaque;
+    unsigned sector_mask = bs->buffer_alignment - 1;
     int size, ret, shift, sum;
 
     sum = 0;
 
     if (s->aligned_buf != NULL)  {
 
-        if (offset & 0x1ff) {
-            /* align offset on a 512 bytes boundary */
+        if (offset & sector_mask) {
+            /* align offset on a sector size bytes boundary */
 
-            shift = offset & 0x1ff;
-            size = (shift + count + 0x1ff) & ~0x1ff;
-            if (size > ALIGNED_BUFFER_SIZE)
-                size = ALIGNED_BUFFER_SIZE;
+            shift = offset & sector_mask;
+            size = (shift + count + sector_mask) & ~sector_mask;
+            if (size > s->aligned_buf_size)
+                size = s->aligned_buf_size;
             ret = raw_pread_aligned(bs, offset - shift, s->aligned_buf, size);
             if (ret < 0)
                 return ret;
 
-            size = 512 - shift;
+            size = bs->buffer_alignment - shift;
             if (size > count)
                 size = count;
             memcpy(buf, s->aligned_buf + shift, size);
@@ -346,15 +354,15 @@ static int raw_pread(BlockDriverState *bs, int64_t offset,
             if (count == 0)
                 return sum;
         }
-        if (count & 0x1ff || (uintptr_t) buf & 0x1ff) {
+        if (count & sector_mask || (uintptr_t) buf & sector_mask) {
 
             /* read on aligned buffer */
 
             while (count) {
 
-                size = (count + 0x1ff) & ~0x1ff;
-                if (size > ALIGNED_BUFFER_SIZE)
-                    size = ALIGNED_BUFFER_SIZE;
+                size = (count + sector_mask) & ~sector_mask;
+                if (size > s->aligned_buf_size)
+                    size = s->aligned_buf_size;
 
                 ret = raw_pread_aligned(bs, offset, s->aligned_buf, size);
                 if (ret < 0) {
@@ -404,25 +412,28 @@ static int raw_pwrite(BlockDriverState *bs, int64_t offset,
                       const uint8_t *buf, int count)
 {
     BDRVRawState *s = bs->opaque;
+    unsigned sector_mask = bs->buffer_alignment - 1;
     int size, ret, shift, sum;
 
     sum = 0;
 
     if (s->aligned_buf != NULL) {
 
-        if (offset & 0x1ff) {
-            /* align offset on a 512 bytes boundary */
-            shift = offset & 0x1ff;
-            ret = raw_pread_aligned(bs, offset - shift, s->aligned_buf, 512);
+        if (offset & sector_mask) {
+            /* align offset on a sector size bytes boundary */
+            shift = offset & sector_mask;
+            ret = raw_pread_aligned(bs, offset - shift, s->aligned_buf,
+                                    bs->buffer_alignment);
             if (ret < 0)
                 return ret;
 
-            size = 512 - shift;
+            size = bs->buffer_alignment - shift;
             if (size > count)
                 size = count;
             memcpy(s->aligned_buf + shift, buf, size);
 
-            ret = raw_pwrite_aligned(bs, offset - shift, s->aligned_buf, 512);
+            ret = raw_pwrite_aligned(bs, offset - shift, s->aligned_buf,
+                                     bs->buffer_alignment);
             if (ret < 0)
                 return ret;
 
@@ -434,12 +445,12 @@ static int raw_pwrite(BlockDriverState *bs, int64_t offset,
             if (count == 0)
                 return sum;
         }
-        if (count & 0x1ff || (uintptr_t) buf & 0x1ff) {
+        if (count & sector_mask || (uintptr_t) buf & sector_mask) {
 
-            while ((size = (count & ~0x1ff)) != 0) {
+            while ((size = (count & ~sector_mask)) != 0) {
 
-                if (size > ALIGNED_BUFFER_SIZE)
-                    size = ALIGNED_BUFFER_SIZE;
+                if (size > s->aligned_buf_size)
+                    size = s->aligned_buf_size;
 
                 memcpy(s->aligned_buf, buf, size);
 
@@ -452,14 +463,16 @@ static int raw_pwrite(BlockDriverState *bs, int64_t offset,
                 count -= ret;
                 sum += ret;
             }
-            /* here, count < 512 because (count & ~0x1ff) == 0 */
+            /* here, count < 512 because (count & ~sector_mask) == 0 */
             if (count) {
-                ret = raw_pread_aligned(bs, offset, s->aligned_buf, 512);
+                ret = raw_pread_aligned(bs, offset, s->aligned_buf,
+                                     bs->buffer_alignment);
                 if (ret < 0)
                     return ret;
                  memcpy(s->aligned_buf, buf, count);
 
-                 ret = raw_pwrite_aligned(bs, offset, s->aligned_buf, 512);
+                 ret = raw_pwrite_aligned(bs, offset, s->aligned_buf,
+                                     bs->buffer_alignment);
                  if (ret < 0)
                      return ret;
                  if (count < ret)
@@ -487,12 +500,12 @@ static int raw_write(BlockDriverState *bs, int64_t sector_num,
 /*
  * Check if all memory in this vector is sector aligned.
  */
-static int qiov_is_aligned(QEMUIOVector *qiov)
+static int qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
 {
     int i;
 
     for (i = 0; i < qiov->niov; i++) {
-        if ((uintptr_t) qiov->iov[i].iov_base % BDRV_SECTOR_SIZE) {
+        if ((uintptr_t) qiov->iov[i].iov_base % bs->buffer_alignment) {
             return 0;
         }
     }
@@ -515,7 +528,7 @@ static BlockDriverAIOCB *raw_aio_submit(BlockDriverState *bs,
      * driver that it needs to copy the buffer.
      */
     if (s->aligned_buf) {
-        if (!qiov_is_aligned(qiov)) {
+        if (!qiov_is_aligned(bs, qiov)) {
             type |= QEMU_AIO_MISALIGNED;
 #ifdef CONFIG_LINUX_AIO
         } else if (s->use_aio) {
commit 72aef7318f54f0ec8c84c2bf2bb8edc5702d7dd0
Author: Christoph Hellwig <hch at lst.de>
Date:   Sun Sep 12 23:42:56 2010 +0200

    use qemu_blockalign consistently
    
    Use qemu_blockalign for all allocations in the block layer.  This allows
    increasing the required alignment, which is need to support O_DIRECT on
    devices with large block sizes.
    
    Signed-off-by: Christoph Hellwig <hch at lst.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 1446ca6..ee20e8f 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -70,14 +70,15 @@ struct SCSIDiskState
     char *serial;
 };
 
-static SCSIDiskReq *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun)
+static SCSIDiskReq *scsi_new_request(SCSIDiskState *s, uint32_t tag,
+        uint32_t lun)
 {
     SCSIRequest *req;
     SCSIDiskReq *r;
 
-    req = scsi_req_alloc(sizeof(SCSIDiskReq), d, tag, lun);
+    req = scsi_req_alloc(sizeof(SCSIDiskReq), &s->qdev, tag, lun);
     r = DO_UPCAST(SCSIDiskReq, req, req);
-    r->iov.iov_base = qemu_memalign(512, SCSI_DMA_BUF_SIZE);
+    r->iov.iov_base = qemu_blockalign(s->bs, SCSI_DMA_BUF_SIZE);
     return r;
 }
 
@@ -939,7 +940,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     }
     /* ??? Tags are not unique for different luns.  We only implement a
        single lun, so this should not matter.  */
-    r = scsi_new_request(d, tag, lun);
+    r = scsi_new_request(s, tag, lun);
     outbuf = (uint8_t *)r->iov.iov_base;
     is_write = 0;
     DPRINTF("Command: lun=%d tag=0x%x data=0x%02x", lun, tag, buf[0]);
diff --git a/hw/sd.c b/hw/sd.c
index c928120..4bcf1c0 100644
--- a/hw/sd.c
+++ b/hw/sd.c
@@ -440,7 +440,7 @@ SDState *sd_init(BlockDriverState *bs, int is_spi)
     SDState *sd;
 
     sd = (SDState *) qemu_mallocz(sizeof(SDState));
-    sd->buf = qemu_memalign(512, 512);
+    sd->buf = qemu_blockalign(bs, 512);
     sd->spi = is_spi;
     sd->enable = 1;
     sd_reset(sd, bs);
diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index 10f1f03..842f1a2 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -270,7 +270,7 @@ static ssize_t handle_aiocb_rw(struct qemu_paiocb *aiocb)
      * Ok, we have to do it the hard way, copy all segments into
      * a single aligned buffer.
      */
-    buf = qemu_memalign(512, aiocb->aio_nbytes);
+    buf = qemu_blockalign(aiocb->common.bs, aiocb->aio_nbytes);
     if (aiocb->aio_type & QEMU_AIO_WRITE) {
         char *p = buf;
         int i;
diff --git a/qemu-io.c b/qemu-io.c
index bd3bd16..b4e5cc8 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -61,7 +61,7 @@ static void *qemu_io_alloc(size_t len, int pattern)
 
 	if (misalign)
 		len += MISALIGN_OFFSET;
-	buf = qemu_memalign(512, len);
+	buf = qemu_blockalign(bs, len);
 	memset(buf, pattern, len);
 	if (misalign)
 		buf += MISALIGN_OFFSET;
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 91b569f..923a3bf 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -446,7 +446,7 @@ int main(int argc, char **argv)
     max_fd = sharing_fds[0];
     nb_fds++;
 
-    data = qemu_memalign(512, NBD_BUFFER_SIZE);
+    data = qemu_blockalign(bs, NBD_BUFFER_SIZE);
     if (data == NULL)
         errx(EXIT_FAILURE, "Cannot allocate data buffer");
 
commit a655211ac6d379c5b0813761e5d11415780f41fd
Author: Kevin Wolf <mail at kevin-wolf.de>
Date:   Fri Sep 10 12:27:04 2010 +0200

    vvfat: Use cache=unsafe
    
    The qcow file used for write support in vvfat is a temporary file,
    so we can use cache=unsafe there. Without this, write support is just
    too slow to be of any use.
    
    Signed-off-by: Kevin Wolf <mail at kevin-wolf.de>

diff --git a/block/vvfat.c b/block/vvfat.c
index 0772037..53e57bf 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2788,6 +2788,7 @@ static int enable_write_target(BDRVVVFATState *s)
 {
     BlockDriver *bdrv_qcow;
     QEMUOptionParameter *options;
+    int ret;
     int size = sector2cluster(s, s->sector_count);
     s->used_clusters = calloc(size, 1);
 
@@ -2803,11 +2804,16 @@ static int enable_write_target(BDRVVVFATState *s)
 
     if (bdrv_create(bdrv_qcow, s->qcow_filename, options) < 0)
 	return -1;
+
     s->qcow = bdrv_new("");
-    if (s->qcow == NULL ||
-        bdrv_open(s->qcow, s->qcow_filename, BDRV_O_RDWR, bdrv_qcow) < 0)
-    {
-	return -1;
+    if (s->qcow == NULL) {
+        return -1;
+    }
+
+    ret = bdrv_open(s->qcow, s->qcow_filename,
+            BDRV_O_RDWR | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH, bdrv_qcow);
+    if (ret < 0) {
+	return ret;
     }
 
 #ifndef _WIN32
commit 9217e26f43df4aab7deaea35b21caacc1f1f854b
Author: Kevin Wolf <mail at kevin-wolf.de>
Date:   Fri Sep 10 12:27:03 2010 +0200

    vvfat: Fix double free for opening the image rw
    
    Allocation and deallocation of bs->opaque is not in the control of a
    block driver. Therefore it should not set bs->opaque to a data structure
    used by another bs, or closing the image will lead to a double free.
    
    Signed-off-by: Kevin Wolf <mail at kevin-wolf.de>

diff --git a/block/vvfat.c b/block/vvfat.c
index 5898d66..0772037 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2768,12 +2768,12 @@ static int vvfat_is_allocated(BlockDriverState *bs,
 
 static int write_target_commit(BlockDriverState *bs, int64_t sector_num,
 	const uint8_t* buffer, int nb_sectors) {
-    BDRVVVFATState* s = bs->opaque;
+    BDRVVVFATState* s = *((BDRVVVFATState**) bs->opaque);
     return try_commit(s);
 }
 
 static void write_target_close(BlockDriverState *bs) {
-    BDRVVVFATState* s = bs->opaque;
+    BDRVVVFATState* s = *((BDRVVVFATState**) bs->opaque);
     bdrv_delete(s->qcow);
     free(s->qcow_filename);
 }
@@ -2816,7 +2816,8 @@ static int enable_write_target(BDRVVVFATState *s)
 
     s->bs->backing_hd = calloc(sizeof(BlockDriverState), 1);
     s->bs->backing_hd->drv = &vvfat_write_target;
-    s->bs->backing_hd->opaque = s;
+    s->bs->backing_hd->opaque = qemu_malloc(sizeof(void*));
+    *(void**)s->bs->backing_hd->opaque = s;
 
     return 0;
 }
commit ac48e389d073bf2c8703745eef4824fabe0427ba
Author: Kevin Wolf <mail at kevin-wolf.de>
Date:   Fri Sep 10 12:27:02 2010 +0200

    vvfat: Fix segfault on write to read-only disk
    
    vvfat tries to set the readonly flag in its open function, but nowadays
    this is overwritted with the readonly=... command line option. Check in
    bdrv_write if the vvfat was opened read-only and return an error in this
    case.
    
    Without this check, vvfat tries to access the qcow bs, which is NULL
    without enabled write support.
    
    Signed-off-by: Kevin Wolf <mail at kevin-wolf.de>

diff --git a/block/vvfat.c b/block/vvfat.c
index 365332a..5898d66 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2665,6 +2665,11 @@ static int vvfat_write(BlockDriverState *bs, int64_t sector_num,
 
 DLOG(checkpoint());
 
+    /* Check if we're operating in read-only mode */
+    if (s->qcow == NULL) {
+        return -EACCES;
+    }
+
     vvfat_close_current_file(s);
 
     /*
commit ee8a3368702909a85d78a9e1a140ad20ef99e071
Author: Avi Kivity <avi at redhat.com>
Date:   Mon Sep 20 13:01:50 2010 +0200

    Remove qemu-kvm-helper.c
    
    No longer used.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/Makefile.target b/Makefile.target
index 9bec218..5c1eec4 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -60,7 +60,6 @@ endif
 libobj-$(CONFIG_NEED_MMU) += mmu.o
 
 libobj-$(CONFIG_KVM) += kvm-tpr-opt.o
-libobj-$(CONFIG_KVM) += qemu-kvm-helper.o
 
 libobj-$(TARGET_ARM) += neon_helper.o iwmmxt_helper.o
 
diff --git a/qemu-kvm-helper.c b/qemu-kvm-helper.c
deleted file mode 100644
index 915d664..0000000
--- a/qemu-kvm-helper.c
+++ /dev/null
@@ -1,35 +0,0 @@
-
-#include "config.h"
-#include "config-host.h"
-
-#include "exec.h"
-
-#include "qemu-kvm.h"
-
-void qemu_kvm_call_with_env(void (*func)(void *), void *data, CPUState *newenv)
-{
-    host_reg_t saved_env_reg;
-    CPUState *oldenv;
-
-    oldenv = newenv;
-
-    saved_env_reg = (host_reg_t) env;
-    env = newenv;
-
-    func(data);
-
-    env = oldenv;
-    asm("");
-    env = (void *) saved_env_reg;
-}
-
-static void call_helper_cpuid(void *junk)
-{
-    helper_cpuid();
-}
-
-void qemu_kvm_cpuid_on_env(CPUState *env)
-{
-    qemu_kvm_call_with_env(call_helper_cpuid, NULL, env);
-}
-
commit a287916c712b0c57a97cd35c663c5e7ba061bc7e
Merge: 952afb7... 78aeb23...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Sep 20 13:22:20 2010 -0500

    Merge remote branch 'mst/for_anthony' into staging

commit 57c6db2e2dec77a60bcfe6f93d756653f444a1f2
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Sep 15 14:38:26 2010 +0900

    msix: clear not only INTA, but all INTx when MSI-X is enabled.
    
    clear not only INTA, but all INTx when MSI-X is enabled.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/msix.c b/hw/msix.c
index 7ce63eb..b202ff7 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -158,6 +158,7 @@ void msix_write_config(PCIDevice *dev, uint32_t addr,
 {
     unsigned enable_pos = dev->msix_cap + MSIX_CONTROL_OFFSET;
     int vector;
+    int i;
 
     if (!range_covers_byte(addr, len, enable_pos)) {
         return;
@@ -167,7 +168,9 @@ void msix_write_config(PCIDevice *dev, uint32_t addr,
         return;
     }
 
-    qemu_set_irq(dev->irq[0], 0);
+    for (i = 0; i < PCI_NUM_PINS; ++i) {
+        qemu_set_irq(dev->irq[i], 0);
+    }
 
     if (msix_function_masked(dev)) {
         return;
commit 92ba5f51c305911cbfc0fcff9f259b0604681222
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Sep 15 14:38:15 2010 +0900

    pci: implement RW1C register framework.
    
    Implement RW1C register framework.
    With this patch, it would be easy to implement
    W1C(Write 1 to Clear) register by just setting w1cmask.
    Later RW1C register will be used by pcie.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index 97a7b23..abddc6d 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -627,6 +627,7 @@ static void pci_config_alloc(PCIDevice *pci_dev)
     pci_dev->config = qemu_mallocz(config_size);
     pci_dev->cmask = qemu_mallocz(config_size);
     pci_dev->wmask = qemu_mallocz(config_size);
+    pci_dev->w1cmask = qemu_mallocz(config_size);
     pci_dev->used = qemu_mallocz(config_size);
 }
 
@@ -635,6 +636,7 @@ static void pci_config_free(PCIDevice *pci_dev)
     qemu_free(pci_dev->config);
     qemu_free(pci_dev->cmask);
     qemu_free(pci_dev->wmask);
+    qemu_free(pci_dev->w1cmask);
     qemu_free(pci_dev->used);
 }
 
@@ -997,7 +999,10 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val, int l)
 
     for (i = 0; i < l && addr + i < config_size; val >>= 8, ++i) {
         uint8_t wmask = d->wmask[addr + i];
+        uint8_t w1cmask = d->w1cmask[addr + i];
+        assert(!(wmask & w1cmask));
         d->config[addr + i] = (d->config[addr + i] & ~wmask) | (val & wmask);
+        d->config[addr + i] &= ~(val & w1cmask); /* W1C: Write 1 to Clear */
     }
     if (ranges_overlap(addr, l, PCI_BASE_ADDRESS_0, 24) ||
         ranges_overlap(addr, l, PCI_ROM_ADDRESS, 4) ||
diff --git a/hw/pci.h b/hw/pci.h
index 1c6075e..d8b399f 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -129,6 +129,9 @@ struct PCIDevice {
     /* Used to implement R/W bytes */
     uint8_t *wmask;
 
+    /* Used to implement RW1C(Write 1 to Clear) bytes */
+    uint8_t *w1cmask;
+
     /* Used to allocate config space for capabilities. */
     uint8_t *used;
 
commit 78aeb23eded2d0b765bf9145c71f80025b568acd
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Sat Sep 18 21:43:45 2010 +0100

    e1000: Pad short frames to minimum size (60 bytes)
    
    The OpenIndiana (Solaris) e1000g driver drops frames that are too long
    or too short.  It expects to receive frames of at least the Ethernet
    minimum size.  ARP requests in particular are small and will be dropped
    if they are not padded appropriately, preventing a Solaris VM from
    becoming visible on the network.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/e1000.c b/hw/e1000.c
index 7d7d140..532efdc 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -55,6 +55,7 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
 
 #define IOPORT_SIZE       0x40
 #define PNPMMIO_SIZE      0x20000
+#define MIN_BUF_SIZE      60 /* Min. octets in an ethernet frame sans FCS */
 
 /*
  * HW models:
@@ -635,10 +636,19 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
     uint32_t rdh_start;
     uint16_t vlan_special = 0;
     uint8_t vlan_status = 0, vlan_offset = 0;
+    uint8_t min_buf[MIN_BUF_SIZE];
 
     if (!(s->mac_reg[RCTL] & E1000_RCTL_EN))
         return -1;
 
+    /* Pad to minimum Ethernet frame length */
+    if (size < sizeof(min_buf)) {
+        memcpy(min_buf, buf, size);
+        memset(&min_buf[size], 0, sizeof(min_buf) - size);
+        buf = min_buf;
+        size = sizeof(min_buf);
+    }
+
     if (size > s->rxbuf_size) {
         DBGOUT(RX, "packet too large for buffers (%lu > %d)\n",
                (unsigned long)size, s->rxbuf_size);
commit a05684e367d4eb6809a25eaaea8d83eb6f8cf6c2
Author: Huang Ying <ying.huang at intel.com>
Date:   Sun Sep 19 09:00:33 2010 +0800

    Add RAM -> physical addr mapping in MCE simulation
    
    In QEMU-KVM, physical address != RAM address. While MCE simulation
    needs physical address instead of RAM address. So
    kvm_physical_memory_addr_from_ram() is implemented to do the
    conversion, and it is invoked before being filled in the IA32_MCi_ADDR
    MSR.
    
    Reported-by: Dean Nelson <dnelson at redhat.com>
    Signed-off-by: Huang Ying <ying.huang at intel.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/kvm-all.c b/kvm-all.c
index d4b0861..c28d91e 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -141,6 +141,24 @@ static KVMSlot *kvm_lookup_overlapping_slot(KVMState *s,
     return found;
 }
 
+int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
+                                      target_phys_addr_t *phys_addr)
+{
+    int i;
+
+    for (i = 0; i < ARRAY_SIZE(s->slots); i++) {
+        KVMSlot *mem = &s->slots[i];
+
+        if (ram_addr >= mem->phys_offset &&
+            ram_addr < mem->phys_offset + mem->memory_size) {
+            *phys_addr = mem->start_addr + (ram_addr - mem->phys_offset);
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
 static int kvm_set_user_memory_region(KVMState *s, KVMSlot *slot)
 {
     struct kvm_userspace_memory_region mem;
diff --git a/kvm.h b/kvm.h
index 56236ae..d728836 100644
--- a/kvm.h
+++ b/kvm.h
@@ -195,4 +195,7 @@ int kvm_set_irqfd(int gsi, int fd, bool assigned)
 #endif
 
 int kvm_set_ioeventfd_pio_word(int fd, uint16_t adr, uint16_t val, bool assign);
+
+int kvm_physical_memory_addr_from_ram(KVMState *s, ram_addr_t ram_addr,
+                                      target_phys_addr_t *phys_addr);
 #endif
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 060c47d..d747ed8 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1137,12 +1137,15 @@ static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
     if (first_cpu->mcg_cap && siginfo->ssi_addr
         && siginfo->ssi_code == BUS_MCEERR_AO) {
         uint64_t status;
+        void *vaddr;
+        ram_addr_t ram_addr;
         unsigned long paddr;
         CPUState *cenv;
 
         /* Hope we are lucky for AO MCE */
-        if (do_qemu_ram_addr_from_host((void *)(intptr_t)siginfo->ssi_addr,
-				       &paddr)) {
+        vaddr = (void *)(intptr_t)siginfo->ssi_addr;
+        if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
+            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, &paddr)) {
             fprintf(stderr, "Hardware memory error for memory used by "
                     "QEMU itself instead of guest system!: %llx\n",
                     (unsigned long long)siginfo->ssi_addr);
@@ -1316,6 +1319,8 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
     struct kvm_x86_mce mce = {
             .bank = 9,
     };
+    void *vaddr;
+    ram_addr_t ram_addr;
     unsigned long paddr;
     int r;
 
@@ -1347,7 +1352,9 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
             mce.misc = (MCM_ADDR_PHYS << 6) | 0xc;
             mce.mcg_status = MCG_STATUS_MCIP | MCG_STATUS_RIPV;
         }
-        if (do_qemu_ram_addr_from_host((void *)siginfo->si_addr, &paddr)) {
+        vaddr = (void *)siginfo->si_addr;
+        if (do_qemu_ram_addr_from_host(vaddr, &ram_addr) ||
+            !kvm_physical_memory_addr_from_ram(kvm_state, ram_addr, &paddr)) {
             fprintf(stderr, "Hardware memory error for memory used by "
                     "QEMU itself instaed of guest system!\n");
             /* Hope we are lucky for AO MCE */
commit 952afb719f3c965bae12b5bd5f0f0f7ed0251cb8
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Sep 19 08:36:34 2010 +0000

    mingw: use ASLR, no-SEH and DEP if available
    
    If the linker supports the flags --dynamicbase, --no-seh,
    or --nxcompat, use them.
    
    Tested on Windows Vista: Process Explorer reports that ASLR and DEP
    are in use. No effect seen on Wine or Windows XP.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 232ba74..3bfc5e9 100755
--- a/configure
+++ b/configure
@@ -2141,6 +2141,15 @@ if test "$solaris" = "no" ; then
     fi
 fi
 
+# Use ASLR, no-SEH and DEP if available
+if test "$mingw32" = "yes" ; then
+    for flag in --dynamicbase --no-seh --nxcompat; do
+        if $ld --help 2>/dev/null | grep ".$flag" >/dev/null 2>/dev/null ; then
+            LDFLAGS="-Wl,$flag $LDFLAGS"
+        fi
+    done
+fi
+
 confdir=$sysconfdir$confsuffix
 
 tools=
commit ebab1720f6998dbd4a0c485eacf0cb542492be87
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sun Sep 19 00:30:25 2010 +0200

    cris: Fix watchdog resets
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/cpu.h b/target-cris/cpu.h
index fce0804..e1d48ed 100644
--- a/target-cris/cpu.h
+++ b/target-cris/cpu.h
@@ -155,9 +155,10 @@ typedef struct CPUCRISState {
 		uint32_t lo;
 	} tlbsets[2][4][16];
 
-	void *load_info;
-
 	CPU_COMMON
+
+	/* Members after CPU_COMMON are preserved across resets.  */
+	void *load_info;
 } CPUCRISState;
 
 CPUCRISState *cpu_cris_init(const char *cpu_model);
commit 58aebb946acff82c62383f350cab593e55cc13dc
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Sep 18 12:34:59 2010 +0200

    cris: Fix TLB exec bit protection
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/helper.c b/target-cris/helper.c
index 83b25c1..2a4403b 100644
--- a/target-cris/helper.c
+++ b/target-cris/helper.c
@@ -101,7 +101,7 @@ int cpu_cris_handle_mmu_fault (CPUState *env, target_ulong address, int rw,
 		phy = res.phy & ~0x80000000;
 		prot = res.prot;
 		tlb_set_page(env, address & TARGET_PAGE_MASK, phy,
-                             prot | PAGE_EXEC, mmu_idx, TARGET_PAGE_SIZE);
+                             prot, mmu_idx, TARGET_PAGE_SIZE);
                 r = 0;
 	}
 	if (r > 0)
diff --git a/target-cris/mmu.c b/target-cris/mmu.c
index 3f290ba..1243745 100644
--- a/target-cris/mmu.c
+++ b/target-cris/mmu.c
@@ -251,7 +251,7 @@ static int cris_mmu_translate_page(struct cris_mmu_result *res,
 			res->prot |= PAGE_READ;
 			if (tlb_w)
 				res->prot |= PAGE_WRITE;
-			if (tlb_x)
+			if (mmu == 0 && (cfg_x || tlb_x))
 				res->prot |= PAGE_EXEC;
 		}
 		else
commit 0b65b9e105ce5bc29d9412e0df476fd0cef3b8e2
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 07:02:16 2010 +0000

    Use gcc warning flag -Wnested-externs
    
    If the compiler supports the warning flag -Wnested-externs, use it.
    
    Avoid the only warning by moving the declaration of xml_builtin to a
    more proper place.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 80497aa..232ba74 100755
--- a/configure
+++ b/configure
@@ -140,7 +140,7 @@ LDFLAGS="-g $LDFLAGS"
 
 gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits"
 gcc_flags="-Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers $gcc_flags"
-gcc_flags="-Wmissing-include-dirs -Wempty-body $gcc_flags"
+gcc_flags="-Wmissing-include-dirs -Wempty-body -Wnested-externs $gcc_flags"
 gcc_flags="-fstack-protector-all $gcc_flags"
 cat > $TMPC << EOF
 int main(void) { return 0; }
diff --git a/feature_to_c.sh b/feature_to_c.sh
index dbf9f19..0994d95 100644
--- a/feature_to_c.sh
+++ b/feature_to_c.sh
@@ -63,7 +63,6 @@ for input; do
 done
 
 echo >> $output
-echo "extern const char *const xml_builtin[][2];" >> $output
 echo "const char *const xml_builtin[][2] = {" >> $output
 
 for input; do
diff --git a/gdbstub.c b/gdbstub.c
index 2b03ef2..0aa081b 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -1504,7 +1504,6 @@ static int memtox(char *buf, const char *mem, int len)
 
 static const char *get_feature_xml(const char *p, const char **newp)
 {
-    extern const char *const xml_builtin[][2];
     size_t len;
     int i;
     const char *name;
diff --git a/gdbstub.h b/gdbstub.h
index 219abda..ce5fdcc 100644
--- a/gdbstub.h
+++ b/gdbstub.h
@@ -38,4 +38,7 @@ int gdbserver_start(int);
 int gdbserver_start(const char *port);
 #endif
 
+/* in gdbstub-xml.c, generated by feature_to_c.sh */
+extern const char *const xml_builtin[][2];
+
 #endif
commit 3ffd710e12ce64478abc027e92fe94e1089ac91c
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 07:01:48 2010 +0000

    Use gcc warning flag -Wempty-body
    
    If the compiler supports the warning flag -Wempty-body, use it.
    
    Adjust the code to avoid the warnings.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 506f29c..80497aa 100755
--- a/configure
+++ b/configure
@@ -140,7 +140,7 @@ LDFLAGS="-g $LDFLAGS"
 
 gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits"
 gcc_flags="-Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers $gcc_flags"
-gcc_flags="-Wmissing-include-dirs $gcc_flags"
+gcc_flags="-Wmissing-include-dirs -Wempty-body $gcc_flags"
 gcc_flags="-fstack-protector-all $gcc_flags"
 cat > $TMPC << EOF
 int main(void) { return 0; }
diff --git a/hw/omap_i2c.c b/hw/omap_i2c.c
index d7c1888..d133977 100644
--- a/hw/omap_i2c.c
+++ b/hw/omap_i2c.c
@@ -190,8 +190,9 @@ static uint32_t omap_i2c_read(void *opaque, target_phys_addr_t addr)
             if (s->rxlen > 2)
                 s->fifo >>= 16;
             s->rxlen -= 2;
-        } else
-            /* XXX: remote access (qualifier) error - what's that?  */;
+        } else {
+            /* XXX: remote access (qualifier) error - what's that?  */
+        }
         if (!s->rxlen) {
             s->stat &= ~(1 << 3);				/* RRDY */
             if (((s->control >> 10) & 1) &&			/* MST */
diff --git a/hw/omap_mmc.c b/hw/omap_mmc.c
index 15cbf06..9d167ff 100644
--- a/hw/omap_mmc.c
+++ b/hw/omap_mmc.c
@@ -559,8 +559,9 @@ static void omap_mmc_cover_cb(void *opaque, int line, int level)
     if (!host->cdet_state && level) {
         host->status |= 0x0002;
         omap_mmc_interrupts_update(host);
-        if (host->cdet_wakeup)
-            /* TODO: Assert wake-up */;
+        if (host->cdet_wakeup) {
+            /* TODO: Assert wake-up */
+        }
     }
 
     if (host->cdet_state != level) {
diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index 88f61c0..6e04645 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -1877,8 +1877,9 @@ static void pxa2xx_fir_write(void *opaque, target_phys_addr_t addr,
         s->control[0] = value;
         if (!(value & (1 << 4)))			/* RXE */
             s->rx_len = s->rx_start = 0;
-        if (!(value & (1 << 3)))			/* TXE */
-            /* Nop */;
+        if (!(value & (1 << 3))) {                      /* TXE */
+            /* Nop */
+        }
         s->enable = value & 1;				/* ITR */
         if (!s->enable)
             s->status[0] = 0;
diff --git a/hw/soc_dma.c b/hw/soc_dma.c
index e116e63..23ec516 100644
--- a/hw/soc_dma.c
+++ b/hw/soc_dma.c
@@ -192,12 +192,13 @@ static void soc_dma_ch_freq_update(struct dma_s *s)
     if (s->enabled_count)
         /* We completely ignore channel priorities and stuff */
         s->channel_freq = s->soc.freq / s->enabled_count;
-    else
+    else {
         /* TODO: Signal that we want to disable the functional clock and let
          * the platform code decide what to do with it, i.e. check that
          * auto-idle is enabled in the clock controller and if we are stopping
          * the clock, do the same with any parent clocks that had only one
-         * user keeping them on and auto-idle enabled.  */;
+         * user keeping them on and auto-idle enabled.  */
+    }
 }
 
 void soc_dma_set_request(struct soc_dma_ch_s *ch, int level)
diff --git a/target-cris/mmu.c b/target-cris/mmu.c
index 773438e..3f290ba 100644
--- a/target-cris/mmu.c
+++ b/target-cris/mmu.c
@@ -33,7 +33,7 @@
 #define D(x) x
 #define D_LOG(...) qemu_log(__VA_ARGS__)
 #else
-#define D(x)
+#define D(x) do { } while (0)
 #define D_LOG(...) do { } while (0)
 #endif
 
commit a21493e00952e5d7cd948951f2677b0d0e465ccd
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 07:01:05 2010 +0000

    Use a few more gcc warning flags
    
    If the compiler supports the following warning flags, use them:
    
    -Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers
    -Wmissing-include-dirs
    
    Currently, these flags don't produce any warnings.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 29d3548..506f29c 100755
--- a/configure
+++ b/configure
@@ -138,7 +138,10 @@ QEMU_CFLAGS="-D_FORTIFY_SOURCE=2 $QEMU_CFLAGS"
 QEMU_CFLAGS="-I. -I\$(SRC_PATH) $QEMU_CFLAGS"
 LDFLAGS="-g $LDFLAGS"
 
-gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits -fstack-protector-all"
+gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits"
+gcc_flags="-Wformat-security -Wformat-y2k -Winit-self -Wignored-qualifiers $gcc_flags"
+gcc_flags="-Wmissing-include-dirs $gcc_flags"
+gcc_flags="-fstack-protector-all $gcc_flags"
 cat > $TMPC << EOF
 int main(void) { return 0; }
 EOF
commit 6e15cb5f6d87d0039b4c1590d1577ae14db17b50
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:15 2010 +0000

    Use gcc warning flag -Wtype-limits
    
    If the compiler supports the warning flag -Wtype-limits, use it.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/configure b/configure
index 4061cb7..29d3548 100755
--- a/configure
+++ b/configure
@@ -138,7 +138,7 @@ QEMU_CFLAGS="-D_FORTIFY_SOURCE=2 $QEMU_CFLAGS"
 QEMU_CFLAGS="-I. -I\$(SRC_PATH) $QEMU_CFLAGS"
 LDFLAGS="-g $LDFLAGS"
 
-gcc_flags="-Wold-style-declaration -Wold-style-definition -fstack-protector-all"
+gcc_flags="-Wold-style-declaration -Wold-style-definition -Wtype-limits -fstack-protector-all"
 cat > $TMPC << EOF
 int main(void) { return 0; }
 EOF
commit 7d1476898fd58d6ae5c054e6afddf18c335d9d89
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:15 2010 +0000

    pxa2xx: fix SSSR TFN logic
    
    Fix SSSR TFN logic: TX FIFO is never filled, so it is always in
    underrun condition if SSP is enabled.
    
    This also avoids a gcc warning with -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index faa3d95..88f61c0 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -636,6 +636,7 @@ static void pxa2xx_ssp_fifo_update(PXA2xxSSPState *s)
 {
     s->sssr &= ~(0xf << 12);	/* Clear RFL */
     s->sssr &= ~(0xf << 8);	/* Clear TFL */
+    s->sssr &= ~SSSR_TFS;
     s->sssr &= ~SSSR_TNF;
     if (s->enable) {
         s->sssr |= ((s->rx_level - 1) & 0xf) << 12;
@@ -643,14 +644,13 @@ static void pxa2xx_ssp_fifo_update(PXA2xxSSPState *s)
             s->sssr |= SSSR_RFS;
         else
             s->sssr &= ~SSSR_RFS;
-        if (0 <= SSCR1_TFT(s->sscr[1]))
-            s->sssr |= SSSR_TFS;
-        else
-            s->sssr &= ~SSSR_TFS;
         if (s->rx_level)
             s->sssr |= SSSR_RNE;
         else
             s->sssr &= ~SSSR_RNE;
+        /* TX FIFO is never filled, so it is always in underrun
+           condition if SSP is enabled */
+        s->sssr |= SSSR_TFS;
         s->sssr |= SSSR_TNF;
     }
 
commit 1c7242da851cc65a2cc93fbc6defa964084a2826
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:15 2010 +0000

    MIPS: fix yield handling
    
    The parameter for yield should be handled as a signed integer
    for the comparisons to have any effect.
    
    This also avoids a gcc warning with -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c
index 50c65bd..41abd57 100644
--- a/target-mips/op_helper.c
+++ b/target-mips/op_helper.c
@@ -1598,8 +1598,10 @@ void helper_fork(target_ulong arg1, target_ulong arg2)
     // TODO: store to TC register
 }
 
-target_ulong helper_yield(target_ulong arg1)
+target_ulong helper_yield(target_ulong arg)
 {
+    target_long arg1 = arg;
+
     if (arg1 < 0) {
         /* No scheduling policy implemented. */
         if (arg1 != -2) {
commit d62d28630dde50b436ca19afc9279ce449170121
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:15 2010 +0000

    PPC: Suppress gcc warnings with -Wtype-limits
    
    The hack added by c5b76b381081680633e2e0a91216507430409fb2 was not
    enough to avoid warnings with gcc flag -Wtype-limits. Add a new macro
    to fix both problems.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 8cf34d4..3e6db85 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -1955,14 +1955,14 @@ target_ulong helper_dlmzb (target_ulong high, target_ulong low, uint32_t update_
     DO_HANDLE_NAN(result, x) DO_HANDLE_NAN(result, y) DO_HANDLE_NAN(result, z)
 
 /* Saturating arithmetic helpers.  */
-#define SATCVT(from, to, from_type, to_type, min, max, use_min, use_max) \
+#define SATCVT(from, to, from_type, to_type, min, max)                  \
     static inline to_type cvt##from##to(from_type x, int *sat)          \
     {                                                                   \
         to_type r;                                                      \
-        if (use_min && x < min) {                                       \
+        if (x < (from_type)min) {                                       \
             r = min;                                                    \
             *sat = 1;                                                   \
-        } else if (use_max && x > max) {                                \
+        } else if (x > (from_type)max) {                                \
             r = max;                                                    \
             *sat = 1;                                                   \
         } else {                                                        \
@@ -1970,30 +1970,30 @@ target_ulong helper_dlmzb (target_ulong high, target_ulong low, uint32_t update_
         }                                                               \
         return r;                                                       \
     }
-SATCVT(sh, sb, int16_t, int8_t, INT8_MIN, INT8_MAX, 1, 1)
-SATCVT(sw, sh, int32_t, int16_t, INT16_MIN, INT16_MAX, 1, 1)
-SATCVT(sd, sw, int64_t, int32_t, INT32_MIN, INT32_MAX, 1, 1)
-
-/* Work around gcc problems with the macro version */
-static inline uint8_t cvtuhub(uint16_t x, int *sat)
-{
-    uint8_t r;
-
-    if (x > UINT8_MAX) {
-        r = UINT8_MAX;
-        *sat = 1;
-    } else {
-        r = x;
+#define SATCVTU(from, to, from_type, to_type, min, max)                 \
+    static inline to_type cvt##from##to(from_type x, int *sat)          \
+    {                                                                   \
+        to_type r;                                                      \
+        if (x > (from_type)max) {                                       \
+            r = max;                                                    \
+            *sat = 1;                                                   \
+        } else {                                                        \
+            r = x;                                                      \
+        }                                                               \
+        return r;                                                       \
     }
-    return r;
-}
-//SATCVT(uh, ub, uint16_t, uint8_t, 0, UINT8_MAX, 0, 1)
-SATCVT(uw, uh, uint32_t, uint16_t, 0, UINT16_MAX, 0, 1)
-SATCVT(ud, uw, uint64_t, uint32_t, 0, UINT32_MAX, 0, 1)
-SATCVT(sh, ub, int16_t, uint8_t, 0, UINT8_MAX, 1, 1)
-SATCVT(sw, uh, int32_t, uint16_t, 0, UINT16_MAX, 1, 1)
-SATCVT(sd, uw, int64_t, uint32_t, 0, UINT32_MAX, 1, 1)
+SATCVT(sh, sb, int16_t, int8_t, INT8_MIN, INT8_MAX)
+SATCVT(sw, sh, int32_t, int16_t, INT16_MIN, INT16_MAX)
+SATCVT(sd, sw, int64_t, int32_t, INT32_MIN, INT32_MAX)
+
+SATCVTU(uh, ub, uint16_t, uint8_t, 0, UINT8_MAX)
+SATCVTU(uw, uh, uint32_t, uint16_t, 0, UINT16_MAX)
+SATCVTU(ud, uw, uint64_t, uint32_t, 0, UINT32_MAX)
+SATCVT(sh, ub, int16_t, uint8_t, 0, UINT8_MAX)
+SATCVT(sw, uh, int32_t, uint16_t, 0, UINT16_MAX)
+SATCVT(sd, uw, int64_t, uint32_t, 0, UINT32_MAX)
 #undef SATCVT
+#undef SATCVTU
 
 #define LVE(name, access, swap, element)                        \
     void helper_##name (ppc_avr_t *r, target_ulong addr)        \
commit 95ee3914bfd551aeec49932a400530141865acad
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:15 2010 +0000

    blkdebug: fix enum comparison
    
    The signedness of enum types depend on the compiler implementation.
    Therefore the check for negative values may or may not be meaningful.
    
    Fix by explicitly casting to a signed integer.
    
    Since the values are also checked earlier against event_names
    table, this is an internal error. Change the 'if' to 'assert'.
    
    This also avoids a warning with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/block/blkdebug.c b/block/blkdebug.c
index 2a63df9..4d6ff0a 100644
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@@ -439,9 +439,7 @@ static void blkdebug_debug_event(BlockDriverState *bs, BlkDebugEvent event)
     struct BlkdebugRule *rule;
     BlkdebugVars old_vars = s->vars;
 
-    if (event < 0 || event >= BLKDBG_EVENT_MAX) {
-        return;
-    }
+    assert((int)event >= 0 && event < BLKDBG_EVENT_MAX);
 
     QLIST_FOREACH(rule, &s->rules[event], next) {
         process_rule(bs, rule, &old_vars);
commit 603ff77610d82d81d2071fd8d981241b5e288598
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:15 2010 +0000

    pxa2xx: remove useless checks
    
    Remove checks which were made useless by r5849,
    8da3ff180974732fc4272cb4433fef85c1822961.
    
    This also avoids a warning with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index 26b9205..faa3d95 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -125,7 +125,7 @@ static void pxa2xx_pm_write(void *opaque, target_phys_addr_t addr,
         break;
 
     default:	/* Read-write registers */
-        if (addr >= PMCR && addr <= PCMD31 && !(addr & 3)) {
+        if (!(addr & 3)) {
             s->pm_regs[addr >> 2] = value;
             break;
         }
commit bf1b00712375bea65f2254dea8281fa646eebbd5
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    Introduce range.h
    
    Extract range functions from pci.h. These will be used by later patches
    by non-PCI devices. Adjust current users.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index bfa1d9a..c8733e5 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -22,6 +22,7 @@
 #include "pci.h"
 #include "acpi.h"
 #include "sysemu.h"
+#include "range.h"
 
 //#define DEBUG
 
diff --git a/hw/msix.c b/hw/msix.c
index d99403a..b3bb92d 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -14,6 +14,7 @@
 #include "hw.h"
 #include "msix.h"
 #include "pci.h"
+#include "range.h"
 
 /* MSI-X capability structure */
 #define MSIX_TABLE_OFFSET 4
diff --git a/hw/pci.c b/hw/pci.c
index a98d6f3..6d0934d 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -28,6 +28,7 @@
 #include "sysemu.h"
 #include "loader.h"
 #include "qemu-objects.h"
+#include "range.h"
 
 //#define DEBUG_PCI
 #ifdef DEBUG_PCI
diff --git a/hw/pci.h b/hw/pci.h
index 1eab7e7..3d23f03 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -365,33 +365,4 @@ static inline uint32_t pci_config_size(const PCIDevice *d)
     return pci_is_express(d) ? PCIE_CONFIG_SPACE_SIZE : PCI_CONFIG_SPACE_SIZE;
 }
 
-/* These are not pci specific. Should move into a separate header.
- * Only pci.c uses them, so keep them here for now.
- */
-
-/* Get last byte of a range from offset + length.
- * Undefined for ranges that wrap around 0. */
-static inline uint64_t range_get_last(uint64_t offset, uint64_t len)
-{
-    return offset + len - 1;
-}
-
-/* Check whether a given range covers a given byte. */
-static inline int range_covers_byte(uint64_t offset, uint64_t len,
-                                    uint64_t byte)
-{
-    return offset <= byte && byte <= range_get_last(offset, len);
-}
-
-/* Check whether 2 given ranges overlap.
- * Undefined if ranges that wrap around 0. */
-static inline int ranges_overlap(uint64_t first1, uint64_t len1,
-                                 uint64_t first2, uint64_t len2)
-{
-    uint64_t last1 = range_get_last(first1, len1);
-    uint64_t last2 = range_get_last(first2, len2);
-
-    return !(last2 < first1 || last1 < first2);
-}
-
 #endif
diff --git a/hw/piix_pci.c b/hw/piix_pci.c
index f152a0f..b5589b9 100644
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@ -28,6 +28,7 @@
 #include "pci_host.h"
 #include "isa.h"
 #include "sysbus.h"
+#include "range.h"
 
 /*
  * I440FX chipset data sheet.
diff --git a/hw/vhost.c b/hw/vhost.c
index 34c4745..1b8624d 100644
--- a/hw/vhost.c
+++ b/hw/vhost.c
@@ -13,8 +13,7 @@
 #include <sys/ioctl.h>
 #include "vhost.h"
 #include "hw/hw.h"
-/* For range_get_last */
-#include "pci.h"
+#include "range.h"
 #include <linux/vhost.h>
 
 static void vhost_dev_sync_region(struct vhost_dev *dev,
diff --git a/range.h b/range.h
new file mode 100644
index 0000000..3502372
--- /dev/null
+++ b/range.h
@@ -0,0 +1,29 @@
+#ifndef QEMU_RANGE_H
+#define QEMU_RANGE_H
+
+/* Get last byte of a range from offset + length.
+ * Undefined for ranges that wrap around 0. */
+static inline uint64_t range_get_last(uint64_t offset, uint64_t len)
+{
+    return offset + len - 1;
+}
+
+/* Check whether a given range covers a given byte. */
+static inline int range_covers_byte(uint64_t offset, uint64_t len,
+                                    uint64_t byte)
+{
+    return offset <= byte && byte <= range_get_last(offset, len);
+}
+
+/* Check whether 2 given ranges overlap.
+ * Undefined if ranges that wrap around 0. */
+static inline int ranges_overlap(uint64_t first1, uint64_t len1,
+                                 uint64_t first2, uint64_t len2)
+{
+    uint64_t last1 = range_get_last(first1, len1);
+    uint64_t last2 = range_get_last(first2, len2);
+
+    return !(last2 < first1 || last1 < first2);
+}
+
+#endif
commit 45416789e8ccced568a4984af61974adfbfa0f62
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    Use range_covers_byte
    
    Use range_covers_byte() instead of comparisons.
    
    This avoids some warnings with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/omap1.c b/hw/omap1.c
index 1ee5514..f4966f7 100644
--- a/hw/omap1.c
+++ b/hw/omap1.c
@@ -26,6 +26,7 @@
 /* We use pc-style serial ports.  */
 #include "pc.h"
 #include "blockdev.h"
+#include "range.h"
 
 /* Should signal the TCMI/GPMC */
 uint32_t omap_badwidth_read8(void *opaque, target_phys_addr_t addr)
@@ -3669,37 +3670,38 @@ static const struct dma_irq_map omap1_dma_irq_map[] = {
 static int omap_validate_emiff_addr(struct omap_mpu_state_s *s,
                 target_phys_addr_t addr)
 {
-    return addr >= OMAP_EMIFF_BASE && addr < OMAP_EMIFF_BASE + s->sdram_size;
+    return range_covers_byte(OMAP_EMIFF_BASE, s->sdram_size, addr);
 }
 
 static int omap_validate_emifs_addr(struct omap_mpu_state_s *s,
                 target_phys_addr_t addr)
 {
-    return addr >= OMAP_EMIFS_BASE && addr < OMAP_EMIFF_BASE;
+    return range_covers_byte(OMAP_EMIFS_BASE, OMAP_EMIFF_BASE - OMAP_EMIFS_BASE,
+                             addr);
 }
 
 static int omap_validate_imif_addr(struct omap_mpu_state_s *s,
                 target_phys_addr_t addr)
 {
-    return addr >= OMAP_IMIF_BASE && addr < OMAP_IMIF_BASE + s->sram_size;
+    return range_covers_byte(OMAP_IMIF_BASE, s->sram_size, addr);
 }
 
 static int omap_validate_tipb_addr(struct omap_mpu_state_s *s,
                 target_phys_addr_t addr)
 {
-    return addr >= 0xfffb0000 && addr < 0xffff0000;
+    return range_covers_byte(0xfffb0000, 0xffff0000 - 0xfffb0000, addr);
 }
 
 static int omap_validate_local_addr(struct omap_mpu_state_s *s,
                 target_phys_addr_t addr)
 {
-    return addr >= OMAP_LOCALBUS_BASE && addr < OMAP_LOCALBUS_BASE + 0x1000000;
+    return range_covers_byte(OMAP_LOCALBUS_BASE, 0x1000000, addr);
 }
 
 static int omap_validate_tipb_mpui_addr(struct omap_mpu_state_s *s,
                 target_phys_addr_t addr)
 {
-    return addr >= 0xe1010000 && addr < 0xe1020004;
+    return range_covers_byte(0xe1010000, 0xe1020004 - 0xe1010000, addr);
 }
 
 struct omap_mpu_state_s *omap310_mpu_init(unsigned long sdram_size,
diff --git a/hw/sm501.c b/hw/sm501.c
index 8e6932d..705e0a5 100644
--- a/hw/sm501.c
+++ b/hw/sm501.c
@@ -29,6 +29,7 @@
 #include "devices.h"
 #include "sysbus.h"
 #include "qdev-addr.h"
+#include "range.h"
 
 /*
  * Status: 2010/05/07
@@ -814,7 +815,7 @@ static uint32_t sm501_palette_read(void *opaque, target_phys_addr_t addr)
     /* TODO : consider BYTE/WORD access */
     /* TODO : consider endian */
 
-    assert(0 <= addr && addr < 0x400 * 3);
+    assert(range_covers_byte(0, 0x400 * 3, addr));
     return *(uint32_t*)&s->dc_palette[addr];
 }
 
@@ -828,7 +829,7 @@ static void sm501_palette_write(void *opaque,
     /* TODO : consider BYTE/WORD access */
     /* TODO : consider endian */
 
-    assert(0 <= addr && addr < 0x400 * 3);
+    assert(range_covers_byte(0, 0x400 * 3, addr));
     *(uint32_t*)&s->dc_palette[addr] = value;
 }
 
commit f562e716c962451af359e5a59ee9dbbd66b9fee8
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    linux-user: improve flatload error checking
    
    Because of the use of unsigned type, possible errors during
    load were ignored.
    
    Fix by using a signed type.
    
    This also avoids a warning with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/linux-user/flatload.c b/linux-user/flatload.c
index 8ad130a..8f9f4a5 100644
--- a/linux-user/flatload.c
+++ b/linux-user/flatload.c
@@ -383,7 +383,8 @@ static int load_flat_file(struct linux_binprm * bprm,
 		struct lib_info *libinfo, int id, abi_ulong *extra_stack)
 {
     struct flat_hdr * hdr;
-    abi_ulong textpos = 0, datapos = 0, result;
+    abi_ulong textpos = 0, datapos = 0;
+    abi_long result;
     abi_ulong realdatastart = 0;
     abi_ulong text_len, data_len, bss_len, stack_len, flags;
     abi_ulong memp = 0; /* for finding the brk area */
commit d0b3e4f5f4a29d48250887e5c0b3c65bc4dc6d13
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    linux-user: fix types in a comparison
    
    -1ul is unsigned long, which does not necessarily match abi_ulong
    type.
    
    Fix by using abi_long instead.
    
    This also avoids a warning with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index e10a6ef..035dfbd 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -342,7 +342,7 @@ abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size)
         munmap(ptr, size);
 
         /* ENOMEM if we checked the whole of the target address space.  */
-        if (addr == -1ul) {
+        if (addr == (abi_ulong)-1) {
             return (abi_ulong)-1;
         } else if (addr == 0) {
             if (wrapped) {
commit 3872425343439555e543cd606c44a79dbcc168d4
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    linux-user: fix socklen_t comparisons
    
    On many systems, socklen_t is defined as unsigned. This means that
    checks for negative values are not meaningful.
    
    Fix by explicitly casting to a signed integer.
    
    This also avoids some warnings with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 0ebe7e1..d44f512 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -1551,8 +1551,9 @@ static abi_long do_bind(int sockfd, abi_ulong target_addr,
     void *addr;
     abi_long ret;
 
-    if (addrlen < 0)
+    if ((int)addrlen < 0) {
         return -TARGET_EINVAL;
+    }
 
     addr = alloca(addrlen+1);
 
@@ -1570,8 +1571,9 @@ static abi_long do_connect(int sockfd, abi_ulong target_addr,
     void *addr;
     abi_long ret;
 
-    if (addrlen < 0)
+    if ((int)addrlen < 0) {
         return -TARGET_EINVAL;
+    }
 
     addr = alloca(addrlen);
 
@@ -1656,8 +1658,9 @@ static abi_long do_accept(int fd, abi_ulong target_addr,
     if (get_user_u32(addrlen, target_addrlen_addr))
         return -TARGET_EINVAL;
 
-    if (addrlen < 0)
+    if ((int)addrlen < 0) {
         return -TARGET_EINVAL;
+    }
 
     if (!access_ok(VERIFY_WRITE, target_addr, addrlen))
         return -TARGET_EINVAL;
@@ -1684,8 +1687,9 @@ static abi_long do_getpeername(int fd, abi_ulong target_addr,
     if (get_user_u32(addrlen, target_addrlen_addr))
         return -TARGET_EFAULT;
 
-    if (addrlen < 0)
+    if ((int)addrlen < 0) {
         return -TARGET_EINVAL;
+    }
 
     if (!access_ok(VERIFY_WRITE, target_addr, addrlen))
         return -TARGET_EFAULT;
@@ -1712,8 +1716,9 @@ static abi_long do_getsockname(int fd, abi_ulong target_addr,
     if (get_user_u32(addrlen, target_addrlen_addr))
         return -TARGET_EFAULT;
 
-    if (addrlen < 0)
+    if ((int)addrlen < 0) {
         return -TARGET_EINVAL;
+    }
 
     if (!access_ok(VERIFY_WRITE, target_addr, addrlen))
         return -TARGET_EFAULT;
@@ -1753,8 +1758,9 @@ static abi_long do_sendto(int fd, abi_ulong msg, size_t len, int flags,
     void *host_msg;
     abi_long ret;
 
-    if (addrlen < 0)
+    if ((int)addrlen < 0) {
         return -TARGET_EINVAL;
+    }
 
     host_msg = lock_user(VERIFY_READ, msg, len, 1);
     if (!host_msg)
@@ -1792,7 +1798,7 @@ static abi_long do_recvfrom(int fd, abi_ulong msg, size_t len, int flags,
             ret = -TARGET_EFAULT;
             goto fail;
         }
-        if (addrlen < 0) {
+        if ((int)addrlen < 0) {
             ret = -TARGET_EINVAL;
             goto fail;
         }
commit 093209cd681fe9fb65bd8a1c2ff711b8168bbfcd
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 18 05:53:14 2010 +0000

    Check for errors during BIOS or kernel load
    
    Because of the use of unsigned types, possible errors during
    BIOS or kernel load were ignored.
    
    Fix by using a signed type.
    
    This also avoids some warnings with GCC flag -Wtype-limits.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index cbe7156..ac82067 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -258,7 +258,7 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const char *boot_device,
 {
     char *filename;
     unsigned long ram_offset, bios_offset;
-    unsigned long bios_size;
+    long bios_size;
     int64_t kernel_entry;
     qemu_irq *i8259;
     qemu_irq *cpu_exit_irq;
diff --git a/hw/ppc405_boards.c b/hw/ppc405_boards.c
index 662d7c4..db8e5ec 100644
--- a/hw/ppc405_boards.c
+++ b/hw/ppc405_boards.c
@@ -182,10 +182,12 @@ static void ref405ep_init (ram_addr_t ram_size,
     qemu_irq *pic;
     ram_addr_t sram_offset, bios_offset, bdloc;
     target_phys_addr_t ram_bases[2], ram_sizes[2];
-    target_ulong sram_size, bios_size;
+    target_ulong sram_size;
+    long bios_size;
     //int phy_addr = 0;
     //static int phy_addr = 1;
-    target_ulong kernel_base, kernel_size, initrd_base, initrd_size;
+    target_ulong kernel_base, initrd_base;
+    long kernel_size, initrd_size;
     int linux_boot;
     int fl_idx, fl_sectors, len;
     DriveInfo *dinfo;
@@ -221,8 +223,8 @@ static void ref405ep_init (ram_addr_t ram_size,
         bios_offset = qemu_ram_alloc(NULL, "ef405ep.bios", bios_size);
         fl_sectors = (bios_size + 65535) >> 16;
 #ifdef DEBUG_BOARD_INIT
-        printf("Register parallel flash %d size " TARGET_FMT_lx
-               " at offset %08lx addr " TARGET_FMT_lx " '%s' %d\n",
+        printf("Register parallel flash %d size %lx"
+               " at offset %08lx addr %lx '%s' %d\n",
                fl_idx, bios_size, bios_offset, -bios_size,
                bdrv_get_device_name(dinfo->bdrv), fl_sectors);
 #endif
@@ -308,7 +310,7 @@ static void ref405ep_init (ram_addr_t ram_size,
                     kernel_filename);
             exit(1);
         }
-        printf("Load kernel size " TARGET_FMT_ld " at " TARGET_FMT_lx,
+        printf("Load kernel size %ld at " TARGET_FMT_lx,
                kernel_size, kernel_base);
         /* load initrd */
         if (initrd_filename) {
@@ -503,8 +505,9 @@ static void taihu_405ep_init(ram_addr_t ram_size,
     qemu_irq *pic;
     ram_addr_t bios_offset;
     target_phys_addr_t ram_bases[2], ram_sizes[2];
-    target_ulong bios_size;
-    target_ulong kernel_base, kernel_size, initrd_base, initrd_size;
+    long bios_size;
+    target_ulong kernel_base, initrd_base;
+    long kernel_size, initrd_size;
     int linux_boot;
     int fl_idx, fl_sectors;
     DriveInfo *dinfo;
@@ -534,8 +537,8 @@ static void taihu_405ep_init(ram_addr_t ram_size,
         fl_sectors = (bios_size + 65535) >> 16;
         bios_offset = qemu_ram_alloc(NULL, "taihu_405ep.bios", bios_size);
 #ifdef DEBUG_BOARD_INIT
-        printf("Register parallel flash %d size " TARGET_FMT_lx
-               " at offset %08lx addr " TARGET_FMT_lx " '%s' %d\n",
+        printf("Register parallel flash %d size %lx"
+               " at offset %08lx addr %lx '%s' %d\n",
                fl_idx, bios_size, bios_offset, -bios_size,
                bdrv_get_device_name(dinfo->bdrv), fl_sectors);
 #endif
@@ -576,7 +579,7 @@ static void taihu_405ep_init(ram_addr_t ram_size,
         bios_size = 32 * 1024 * 1024;
         fl_sectors = (bios_size + 65535) >> 16;
 #ifdef DEBUG_BOARD_INIT
-        printf("Register parallel flash %d size " TARGET_FMT_lx
+        printf("Register parallel flash %d size %lx"
                " at offset %08lx  addr " TARGET_FMT_lx " '%s'\n",
                fl_idx, bios_size, bios_offset, (target_ulong)0xfc000000,
                bdrv_get_device_name(dinfo->bdrv));
diff --git a/hw/ppc_newworld.c b/hw/ppc_newworld.c
index 809a1cf..fb07c83 100644
--- a/hw/ppc_newworld.c
+++ b/hw/ppc_newworld.c
@@ -135,7 +135,8 @@ static void ppc_core99_init (ram_addr_t ram_size,
     int unin_memory;
     int linux_boot, i;
     ram_addr_t ram_offset, bios_offset, vga_bios_offset;
-    uint32_t kernel_base, kernel_size, initrd_base, initrd_size;
+    uint32_t kernel_base, initrd_base;
+    long kernel_size, initrd_size;
     PCIBus *pci_bus;
     MacIONVRAMState *nvr;
     int nvram_mem_index;
diff --git a/hw/ppc_prep.c b/hw/ppc_prep.c
index 52fa9b6..0e5b88c 100644
--- a/hw/ppc_prep.c
+++ b/hw/ppc_prep.c
@@ -572,7 +572,8 @@ static void ppc_prep_init (ram_addr_t ram_size,
     int PPC_io_memory;
     int linux_boot, i, nb_nics1, bios_size;
     ram_addr_t ram_offset, bios_offset;
-    uint32_t kernel_base, kernel_size, initrd_base, initrd_size;
+    uint32_t kernel_base, initrd_base;
+    long kernel_size, initrd_size;
     PCIBus *pci_bus;
     qemu_irq *i8259;
     qemu_irq *cpu_exit_irq;
commit dbf3c4b4baceb91eb64d09f787cbe92d65188813
Author: Hervé Poussineau <hpoussin at reactos.org>
Date:   Wed Sep 15 22:33:26 2010 +0200

    Make ARP replies at least 64 bytes long
    
    IEEE 802.3 standard requires Ethernet frames to be at least 64 bytes long.
    If it is not the case, they will be considered as runt frames, and may be ignored by netcard and/or OS
    
    Signed-off-by: Hervé Poussineau <hpoussin at reactos.org>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/slirp/slirp.c b/slirp/slirp.c
index 82fd9b4..332d83b 100644
--- a/slirp/slirp.c
+++ b/slirp/slirp.c
@@ -599,7 +599,7 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
 {
     struct ethhdr *eh = (struct ethhdr *)pkt;
     struct arphdr *ah = (struct arphdr *)(pkt + ETH_HLEN);
-    uint8_t arp_reply[ETH_HLEN + sizeof(struct arphdr)];
+    uint8_t arp_reply[max(ETH_HLEN + sizeof(struct arphdr), 64)];
     struct ethhdr *reh = (struct ethhdr *)arp_reply;
     struct arphdr *rah = (struct arphdr *)(arp_reply + ETH_HLEN);
     int ar_op;
@@ -619,6 +619,7 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
             }
             return;
         arp_ok:
+            memset(arp_reply, 0, sizeof(arp_reply));
             /* XXX: make an ARP request to have the client address */
             memcpy(slirp->client_ethaddr, eh->h_source, ETH_ALEN);
 
commit 0d491754d00a70c6af675312b9de8e382240a8bb
Author: Hervé Poussineau <hpoussin at reactos.org>
Date:   Mon Sep 13 23:01:30 2010 +0200

    Accept packets with TTL=1
    
    Packets with TTL=1 may be directed to local network (DHCP/DNS servers for example), so don't discard them
    This is required by old versions of NetBSD which send DHCP DISCOVER packets with TTL=1
    
    Signed-off-by: Hervé Poussineau <hpoussin at reactos.org>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/slirp/ip_input.c b/slirp/ip_input.c
index 0fe0ff7..768ab0c 100644
--- a/slirp/ip_input.c
+++ b/slirp/ip_input.c
@@ -144,7 +144,7 @@ ip_input(struct mbuf *m)
 	   m_adj(m, ip->ip_len - m->m_len);
 
 	/* check ip_ttl for a correct ICMP reply */
-	if(ip->ip_ttl==0 || ip->ip_ttl==1) {
+	if(ip->ip_ttl==0) {
 	  icmp_error(m, ICMP_TIMXCEED,ICMP_TIMXCEED_INTRANS, 0,"ttl");
 	  goto bad;
 	}
commit abdfd9500e07fab7d6ffd4385fa30a065c329a39
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Thu Sep 16 15:40:27 2010 +0200

    cris: Avoid spurios hw_abort on recursive bus faults
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-cris/helper.c b/target-cris/helper.c
index 053ed4a..83b25c1 100644
--- a/target-cris/helper.c
+++ b/target-cris/helper.c
@@ -235,9 +235,15 @@ void do_interrupt(CPUState *env)
 	/* Apply the CRIS CCS shift. Clears U if set.  */
 	cris_shift_ccs(env);
 
-	/* Now that we are in kernel mode, load the handlers address.  */
+	/* Now that we are in kernel mode, load the handlers address.
+	   This load may not fault, real hw leaves that behaviour as
+	   undefined.  */
 	env->pc = ldl_code(env->pregs[PR_EBP] + ex_vec * 4);
 
+	/* Clear the excption_index to avoid spurios hw_aborts for recursive
+	   bus faults.  */
+	env->exception_index = -1;
+
 	D_LOG("%s isr=%x vec=%x ccs=%x pid=%d erp=%x\n",
 		   __func__, env->pc, ex_vec,
 		   env->pregs[PR_CCS],
commit 41557447d30eeb944e42069513df13585f5e6c7f
Author: Alexander Graf <agraf at suse.de>
Date:   Fri Sep 10 15:08:34 2010 +0000

    PPC: Redesign interrupt trigger path
    
    According to the Book3S spec, the interrupt context starts with an MSR
    value that is rather simple. If we leave out the HV case, it's almost
    always 0.
    
    To reflect this, let's redesign the way that MSR value gets calculated.
    Using this, we also squash the bug where MSR_POW can slip through into
    the interrupt handler MSR.
    
    Reported-by: Thomas Monjalon <thomas.monjalon at openwide.fr>
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index a7ec1f4..f865d7a 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -2073,18 +2073,24 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
 
     qemu_log_mask(CPU_LOG_INT, "Raise exception at " TARGET_FMT_lx
                   " => %08x (%02x)\n", env->nip, excp, env->error_code);
-    msr = env->msr;
-    new_msr = msr;
+
+    /* new srr1 value excluding must-be-zero bits */
+    msr = env->msr & ~0x783f0000ULL;
+
+    /* new interrupt handler msr */
+    new_msr = env->msr & ((target_ulong)1 << MSR_ME);
+
+    /* target registers */
     srr0 = SPR_SRR0;
     srr1 = SPR_SRR1;
     asrr0 = -1;
     asrr1 = -1;
+
     switch (excp) {
     case POWERPC_EXCP_NONE:
         /* Should never happen */
         return;
     case POWERPC_EXCP_CRITICAL:    /* Critical input                         */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         switch (excp_model) {
         case POWERPC_EXCP_40x:
             srr0 = SPR_40x_SRR2;
@@ -2115,12 +2121,14 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
             env->halted = 1;
             env->interrupt_request |= CPU_INTERRUPT_EXITTB;
         }
-        new_msr &= ~((target_ulong)1 << MSR_RI);
-        new_msr &= ~((target_ulong)1 << MSR_ME);
         if (0) {
             /* XXX: find a suitable condition to enable the hypervisor mode */
             new_msr |= (target_ulong)MSR_HVB;
         }
+
+        /* machine check exceptions don't have ME set */
+        new_msr &= ~((target_ulong)1 << MSR_ME);
+
         /* XXX: should also have something loaded in DAR / DSISR */
         switch (excp_model) {
         case POWERPC_EXCP_40x:
@@ -2140,25 +2148,21 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
     case POWERPC_EXCP_DSI:       /* Data storage exception                   */
         LOG_EXCP("DSI exception: DSISR=" TARGET_FMT_lx" DAR=" TARGET_FMT_lx
                  "\n", env->spr[SPR_DSISR], env->spr[SPR_DAR]);
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
     case POWERPC_EXCP_ISI:       /* Instruction storage exception            */
         LOG_EXCP("ISI exception: msr=" TARGET_FMT_lx ", nip=" TARGET_FMT_lx
                  "\n", msr, env->nip);
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         msr |= env->error_code;
         goto store_next;
     case POWERPC_EXCP_EXTERNAL:  /* External input                           */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes0 == 1)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
     case POWERPC_EXCP_ALIGN:     /* Alignment exception                      */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         /* XXX: this is false */
@@ -2174,7 +2178,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
                 env->error_code = 0;
                 return;
             }
-            new_msr &= ~((target_ulong)1 << MSR_RI);
             if (lpes1 == 0)
                 new_msr |= (target_ulong)MSR_HVB;
             msr |= 0x00100000;
@@ -2184,19 +2187,16 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
             break;
         case POWERPC_EXCP_INVAL:
             LOG_EXCP("Invalid instruction at " TARGET_FMT_lx "\n", env->nip);
-            new_msr &= ~((target_ulong)1 << MSR_RI);
             if (lpes1 == 0)
                 new_msr |= (target_ulong)MSR_HVB;
             msr |= 0x00080000;
             break;
         case POWERPC_EXCP_PRIV:
-            new_msr &= ~((target_ulong)1 << MSR_RI);
             if (lpes1 == 0)
                 new_msr |= (target_ulong)MSR_HVB;
             msr |= 0x00040000;
             break;
         case POWERPC_EXCP_TRAP:
-            new_msr &= ~((target_ulong)1 << MSR_RI);
             if (lpes1 == 0)
                 new_msr |= (target_ulong)MSR_HVB;
             msr |= 0x00020000;
@@ -2209,7 +2209,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         }
         goto store_current;
     case POWERPC_EXCP_FPU:       /* Floating-point unavailable exception     */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_current;
@@ -2226,23 +2225,19 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
             }
         }
         dump_syscall(env);
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         lev = env->error_code;
         if (lev == 1 || (lpes0 == 0 && lpes1 == 0))
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
     case POWERPC_EXCP_APU:       /* Auxiliary processor unavailable          */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         goto store_current;
     case POWERPC_EXCP_DECR:      /* Decrementer exception                    */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
     case POWERPC_EXCP_FIT:       /* Fixed-interval timer interrupt           */
         /* FIT on 4xx */
         LOG_EXCP("FIT exception\n");
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         goto store_next;
     case POWERPC_EXCP_WDT:       /* Watchdog timer interrupt                 */
         LOG_EXCP("WDT exception\n");
@@ -2254,13 +2249,10 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         default:
             break;
         }
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         goto store_next;
     case POWERPC_EXCP_DTLB:      /* Data TLB error                           */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         goto store_next;
     case POWERPC_EXCP_ITLB:      /* Instruction TLB error                    */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         goto store_next;
     case POWERPC_EXCP_DEBUG:     /* Debug interrupt                          */
         switch (excp_model) {
@@ -2277,7 +2269,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         cpu_abort(env, "Debug exception is not implemented yet !\n");
         goto store_next;
     case POWERPC_EXCP_SPEU:      /* SPE/embedded floating-point unavailable  */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         goto store_current;
     case POWERPC_EXCP_EFPDI:     /* Embedded floating-point data interrupt   */
         /* XXX: TODO */
@@ -2290,7 +2281,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
                   "is not implemented yet !\n");
         goto store_next;
     case POWERPC_EXCP_EPERFM:    /* Embedded performance monitor interrupt   */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         /* XXX: TODO */
         cpu_abort(env,
                   "Performance counter exception is not implemented yet !\n");
@@ -2314,19 +2304,23 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
                   "is not implemented yet !\n");
         goto store_next;
     case POWERPC_EXCP_RESET:     /* System reset exception                   */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
+        if (msr_pow) {
+            /* indicate that we resumed from power save mode */
+            msr |= 0x10000;
+        } else {
+            new_msr &= ~((target_ulong)1 << MSR_ME);
+        }
+
         if (0) {
             /* XXX: find a suitable condition to enable the hypervisor mode */
             new_msr |= (target_ulong)MSR_HVB;
         }
         goto store_next;
     case POWERPC_EXCP_DSEG:      /* Data segment exception                   */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
     case POWERPC_EXCP_ISEG:      /* Instruction segment exception            */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
@@ -2334,9 +2328,9 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         srr0 = SPR_HSRR0;
         srr1 = SPR_HSRR1;
         new_msr |= (target_ulong)MSR_HVB;
+        new_msr |= env->msr & ((target_ulong)1 << MSR_RI);
         goto store_next;
     case POWERPC_EXCP_TRACE:     /* Trace exception                          */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_next;
@@ -2344,30 +2338,32 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         srr0 = SPR_HSRR0;
         srr1 = SPR_HSRR1;
         new_msr |= (target_ulong)MSR_HVB;
+        new_msr |= env->msr & ((target_ulong)1 << MSR_RI);
         goto store_next;
     case POWERPC_EXCP_HISI:      /* Hypervisor instruction storage exception */
         srr0 = SPR_HSRR0;
         srr1 = SPR_HSRR1;
         new_msr |= (target_ulong)MSR_HVB;
+        new_msr |= env->msr & ((target_ulong)1 << MSR_RI);
         goto store_next;
     case POWERPC_EXCP_HDSEG:     /* Hypervisor data segment exception        */
         srr0 = SPR_HSRR0;
         srr1 = SPR_HSRR1;
         new_msr |= (target_ulong)MSR_HVB;
+        new_msr |= env->msr & ((target_ulong)1 << MSR_RI);
         goto store_next;
     case POWERPC_EXCP_HISEG:     /* Hypervisor instruction segment exception */
         srr0 = SPR_HSRR0;
         srr1 = SPR_HSRR1;
         new_msr |= (target_ulong)MSR_HVB;
+        new_msr |= env->msr & ((target_ulong)1 << MSR_RI);
         goto store_next;
     case POWERPC_EXCP_VPU:       /* Vector unavailable exception             */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         goto store_current;
     case POWERPC_EXCP_PIT:       /* Programmable interval timer interrupt    */
         LOG_EXCP("PIT exception\n");
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         goto store_next;
     case POWERPC_EXCP_IO:        /* IO error exception                       */
         /* XXX: TODO */
@@ -2383,7 +2379,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
                   "is not implemented yet !\n");
         goto store_next;
     case POWERPC_EXCP_IFTLB:     /* Instruction fetch TLB error              */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         if (lpes1 == 0) /* XXX: check this */
             new_msr |= (target_ulong)MSR_HVB;
         switch (excp_model) {
@@ -2402,7 +2397,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         }
         break;
     case POWERPC_EXCP_DLTLB:     /* Data load TLB miss                       */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         if (lpes1 == 0) /* XXX: check this */
             new_msr |= (target_ulong)MSR_HVB;
         switch (excp_model) {
@@ -2421,7 +2415,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
         }
         break;
     case POWERPC_EXCP_DSTLB:     /* Data store TLB miss                      */
-        new_msr &= ~((target_ulong)1 << MSR_RI); /* XXX: check this */
         if (lpes1 == 0) /* XXX: check this */
             new_msr |= (target_ulong)MSR_HVB;
         switch (excp_model) {
@@ -2525,7 +2518,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
                   "is not implemented yet !\n");
         goto store_next;
     case POWERPC_EXCP_PERFM:     /* Embedded performance monitor interrupt   */
-        new_msr &= ~((target_ulong)1 << MSR_RI);
         if (lpes1 == 0)
             new_msr |= (target_ulong)MSR_HVB;
         /* XXX: TODO */
@@ -2579,23 +2571,11 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
     /* If we disactivated any translation, flush TLBs */
     if (new_msr & ((1 << MSR_IR) | (1 << MSR_DR)))
         tlb_flush(env, 1);
-    /* reload MSR with correct bits */
-    new_msr &= ~((target_ulong)1 << MSR_EE);
-    new_msr &= ~((target_ulong)1 << MSR_PR);
-    new_msr &= ~((target_ulong)1 << MSR_FP);
-    new_msr &= ~((target_ulong)1 << MSR_FE0);
-    new_msr &= ~((target_ulong)1 << MSR_SE);
-    new_msr &= ~((target_ulong)1 << MSR_BE);
-    new_msr &= ~((target_ulong)1 << MSR_FE1);
-    new_msr &= ~((target_ulong)1 << MSR_IR);
-    new_msr &= ~((target_ulong)1 << MSR_DR);
-#if 0 /* Fix this: not on all targets */
-    new_msr &= ~((target_ulong)1 << MSR_PMM);
-#endif
-    if (msr_ile)
+
+    if (msr_ile) {
         new_msr |= (target_ulong)1 << MSR_LE;
-    else
-        new_msr &= ~((target_ulong)1 << MSR_LE);
+    }
+
     /* Jump to handler */
     vector = env->excp_vectors[excp];
     if (vector == (target_ulong)-1ULL) {
@@ -2606,14 +2586,12 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
 #if defined(TARGET_PPC64)
     if (excp_model == POWERPC_EXCP_BOOKE) {
         if (!msr_icm) {
-            new_msr &= ~((target_ulong)1 << MSR_CM);
             vector = (uint32_t)vector;
         } else {
             new_msr |= (target_ulong)1 << MSR_CM;
         }
     } else {
         if (!msr_isf && !(env->mmu_model & POWERPC_MMU_64)) {
-            new_msr &= ~((target_ulong)1 << MSR_SF);
             vector = (uint32_t)vector;
         } else {
             new_msr |= (target_ulong)1 << MSR_SF;
commit f844c817d726cd2bdb431aa41c8217891ede2eaf
Author: Alexander Graf <agraf at suse.de>
Date:   Fri Sep 10 15:08:33 2010 +0000

    PPC: Enable hint bits for lwarx/ldarx
    
    The lwarx and ldarx instructions have a bit to give some hint to the
    CPU which is safe to ignore. We currently refuse to accept any instruction
    with that bit set, as it used to be declared MBZ.
    
    Let's remove the reserved bit and make the instruction work as expected.
    This fixes Linux boot for ppc64.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Reviewed-by: Andreas Färber <andreas.faerber at web.de>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-ppc/translate.c b/target-ppc/translate.c
index 95ab0a1..fd06861 100644
--- a/target-ppc/translate.c
+++ b/target-ppc/translate.c
@@ -8048,10 +8048,10 @@ GEN_HANDLER(stswi, 0x1F, 0x15, 0x16, 0x00000001, PPC_STRING),
 GEN_HANDLER(stswx, 0x1F, 0x15, 0x14, 0x00000001, PPC_STRING),
 GEN_HANDLER(eieio, 0x1F, 0x16, 0x1A, 0x03FFF801, PPC_MEM_EIEIO),
 GEN_HANDLER(isync, 0x13, 0x16, 0x04, 0x03FFF801, PPC_MEM),
-GEN_HANDLER(lwarx, 0x1F, 0x14, 0x00, 0x00000001, PPC_RES),
+GEN_HANDLER(lwarx, 0x1F, 0x14, 0x00, 0x00000000, PPC_RES),
 GEN_HANDLER2(stwcx_, "stwcx.", 0x1F, 0x16, 0x04, 0x00000000, PPC_RES),
 #if defined(TARGET_PPC64)
-GEN_HANDLER(ldarx, 0x1F, 0x14, 0x02, 0x00000001, PPC_64B),
+GEN_HANDLER(ldarx, 0x1F, 0x14, 0x02, 0x00000000, PPC_64B),
 GEN_HANDLER2(stdcx_, "stdcx.", 0x1F, 0x16, 0x06, 0x00000000, PPC_64B),
 #endif
 GEN_HANDLER(sync, 0x1F, 0x16, 0x12, 0x039FF801, PPC_MEM_SYNC),
commit 9a7c4878427dba2fbbd080fb21ba66d5daf21b8e
Author: Michal Novotny <minovotn at redhat.com>
Date:   Wed Sep 15 15:35:53 2010 +0200

    serial: Update parameters after load
    
    This is the patch to update serial port parameters after guest is
    already loaded.
    
    Signed-off-by: Michal Novotny <minovotn at redhat.com>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/serial.c b/hw/serial.c
index f09ce0a..9ebc452 100644
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -674,6 +674,7 @@ static int serial_post_load(void *opaque, int version_id)
     }
     /* Initialize fcr via setter to perform essential side-effects */
     serial_ioport_write(s, 0x02, s->fcr_vmstate);
+    serial_update_parameters(s);
     return 0;
 }
 
commit 6b37c87c96a5b148685e8e6bf09d0aca953cb1a8
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Sep 14 13:48:17 2010 +0200

    vhost: fix infinite loop on error path
    
    file.index is unsigned, hence 'while (--file.index >= 0)'
    will loop > forever. Change to while (file.index-- > 0).
    
    Reported-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/vhost_net.c b/hw/vhost_net.c
index 4a7b819..c068be1 100644
--- a/hw/vhost_net.c
+++ b/hw/vhost_net.c
@@ -151,7 +151,7 @@ int vhost_net_start(struct vhost_net *net,
     return 0;
 fail:
     file.fd = -1;
-    while (--file.index >= 0) {
+    while (file.index-- > 0) {
         int r = ioctl(net->dev.control, VHOST_NET_SET_BACKEND, &file);
         assert(r >= 0);
     }
commit 46411f863c26ff85c48b97939502007610c95398
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Sep 13 21:21:57 2010 +0200

    Remove wrong semicolon in macro definition
    
    Macros normally should not end with a semicolon,
    otherwise their usage results in two statements
    where only one statement was expected.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/serial.c b/hw/serial.c
index 49431b2..f09ce0a 100644
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -101,10 +101,10 @@
 
 #ifdef DEBUG_SERIAL
 #define DPRINTF(fmt, ...) \
-do { fprintf(stderr, "serial: " fmt , ## __VA_ARGS__); } while (0);
+do { fprintf(stderr, "serial: " fmt , ## __VA_ARGS__); } while (0)
 #else
 #define DPRINTF(fmt, ...) \
-do {} while(0);
+do {} while (0)
 #endif
 
 typedef struct SerialFIFO {
diff --git a/tests/cris/check_swap.c b/tests/cris/check_swap.c
index 743cfc5..824a685 100644
--- a/tests/cris/check_swap.c
+++ b/tests/cris/check_swap.c
@@ -41,7 +41,7 @@ do {                                                    \
         cris_tst_mov_cc(n, z);                          \
 	if (r != expected)                              \
 		err();                                  \
-} while(0);
+} while(0)
 
 void check_swap(void)
 {
commit 0bb750ef9e897ba5f4d9899ddc7e222e809bcbbd
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Sep 9 11:48:57 2010 +0900

    pci: improve signature of pci_register_bar().
    
    Make type uint8_t from int because PCIIORegion::type is uint8_t.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>

diff --git a/hw/pci.c b/hw/pci.c
index 8f48d9b..97a7b23 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -758,7 +758,7 @@ static int pci_unregister_device(DeviceState *dev)
 }
 
 void pci_register_bar(PCIDevice *pci_dev, int region_num,
-                            pcibus_t size, int type,
+                            pcibus_t size, uint8_t type,
                             PCIMapIORegionFunc *map_func)
 {
     PCIIORegion *r;
diff --git a/hw/pci.h b/hw/pci.h
index 2b4c318..1c6075e 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -180,7 +180,7 @@ PCIDevice *pci_register_device(PCIBus *bus, const char *name,
                                PCIConfigWriteFunc *config_write);
 
 void pci_register_bar(PCIDevice *pci_dev, int region_num,
-                            pcibus_t size, int type,
+                            pcibus_t size, uint8_t type,
                             PCIMapIORegionFunc *map_func);
 
 int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
commit 2bbb9c2f7f36d0457cda5f27d7e4422219b3acd8
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Sep 9 11:48:56 2010 +0900

    pci: don't ignore invalid parameter for pci_register_bar().
    
    Abort when invalid value for region_num is passed to pci_register_bar.
    That is caller's bug. Abort instead of silently ignoring invalid value.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index c28b8a1..8f48d9b 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -765,9 +765,8 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
     uint32_t addr;
     uint64_t wmask;
 
-    if ((unsigned int)region_num >= PCI_NUM_REGIONS)
-        return;
-
+    assert(region_num >= 0);
+    assert(region_num < PCI_NUM_REGIONS);
     if (size & (size-1)) {
         fprintf(stderr, "ERROR: PCI region size must be pow2 "
                     "type=0x%x, size=0x%"FMT_PCIBUS"\n", type, size);
commit 5a9ff3819a1023b63b94ad4fb82da973f93f65d0
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Thu Sep 9 11:48:55 2010 +0900

    pci: sorting out type confusion in pci_register_bar().
    
    This patch sorts out invalid use of pcibus_t.
    
    In pci_register_bar(), pcibus_t wmask is used.  It should,
    however, be uint64_t because it is used to set
    pci configuration space value(PCIDevice::wmask)
    by pci_set_quad() or pci_set_long().
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index f03b83e..c28b8a1 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -763,7 +763,7 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
 {
     PCIIORegion *r;
     uint32_t addr;
-    pcibus_t wmask;
+    uint64_t wmask;
 
     if ((unsigned int)region_num >= PCI_NUM_REGIONS)
         return;
commit cf4c01fde264416dc8b1a1904bc9068a4af78cb7
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Sep 6 16:46:20 2010 +0900

    pci_ids.h: add vendor id of Texas Intesruments
    
    add vendor id of Texas Intesruments.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci_ids.h b/hw/pci_ids.h
index 39e9f1d..82cba7e 100644
--- a/hw/pci_ids.h
+++ b/hw/pci_ids.h
@@ -57,6 +57,8 @@
 #define PCI_VENDOR_ID_AMD                0x1022
 #define PCI_DEVICE_ID_AMD_LANCE          0x2000
 
+#define PCI_VENDOR_ID_TI                 0x104c
+
 #define PCI_VENDOR_ID_MOTOROLA           0x1057
 #define PCI_DEVICE_ID_MOTOROLA_MPC106    0x0002
 #define PCI_DEVICE_ID_MOTOROLA_RAVEN     0x4801
commit 2f48918f8aaedcd6ab2b637f63927077973a54c7
Author: Avi Kivity <avi at redhat.com>
Date:   Mon Sep 13 19:52:39 2010 +0200

    Rename KVM_UPSTREAM to OBSOLETE_KVM_IMPL
    
    The symbol KVM_UPSTREAM is used to mark sections of code that are part of
    the upstream kvm implemetation that is not used in qemu-kvm.  However the
    name becomes ambiguous if qemu-kvm is merged upstream.
    
    Rename the symbol to avoid confusion.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/cpus.c b/cpus.c
index c545a62..99c04d1 100644
--- a/cpus.c
+++ b/cpus.c
@@ -299,7 +299,7 @@ void qemu_notify_event(void)
     }
 }
 
-#if defined(KVM_UPSTREAM) || !defined(CONFIG_KVM)
+#if defined(OBSOLETE_KVM_IMPL) || !defined(CONFIG_KVM)
 void qemu_mutex_lock_iothread(void) {}
 void qemu_mutex_unlock_iothread(void) {}
 #endif
diff --git a/kvm-all.c b/kvm-all.c
index 4ff75c4..d4b0861 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -41,7 +41,7 @@
     do { } while (0)
 #endif
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 
 typedef struct KVMSlot
 {
@@ -156,7 +156,7 @@ static int kvm_set_user_memory_region(KVMState *s, KVMSlot *slot)
     return kvm_vm_ioctl(s, KVM_SET_USER_MEMORY_REGION, &mem);
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 static void kvm_reset_vcpu(void *opaque)
 {
     CPUState *env = opaque;
@@ -176,7 +176,7 @@ int kvm_pit_in_kernel(void)
 }
 
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 int kvm_init_vcpu(CPUState *env)
 {
     KVMState *s = kvm_state;
@@ -594,7 +594,7 @@ void kvm_cpu_register_phys_memory_client(void)
     cpu_register_phys_memory_client(&kvm_cpu_phys_memory_client);
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 
 int kvm_init(int smp_cpus)
 {
@@ -816,7 +816,7 @@ void kvm_flush_coalesced_mmio_buffer(void)
 #endif
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 
 static void do_kvm_cpu_synchronize_state(void *_env)
 {
@@ -1038,7 +1038,7 @@ int kvm_has_debugregs(void)
     return kvm_state->debugregs;
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 int kvm_has_xsave(void)
 {
     return kvm_state->xsave;
@@ -1069,10 +1069,10 @@ void kvm_setup_guest_memory(void *start, size_t size)
 }
 
 #ifdef KVM_CAP_SET_GUEST_DEBUG
-#ifndef KVM_UPSTREAM
+#ifndef OBSOLETE_KVM_IMPL
 #define run_on_cpu on_vcpu
 static void on_vcpu(CPUState *env, void (*func)(void *data), void *data);
-#endif /* !KVM_UPSTREAM */
+#endif /* !OBSOLETE_KVM_IMPL */
 
 struct kvm_sw_breakpoint *kvm_find_sw_breakpoint(CPUState *env,
                                                  target_ulong pc)
diff --git a/kvm.h b/kvm.h
index d321fce..56236ae 100644
--- a/kvm.h
+++ b/kvm.h
@@ -31,13 +31,13 @@ extern int kvm_allowed;
 #define kvm_enabled() (0)
 #endif
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 struct kvm_run;
 
 /* external API */
 
 int kvm_init(int smp_cpus);
-#endif /* KVM_UPSTREAM */
+#endif /* OBSOLETE_KVM_IMPL */
 
 int kvm_has_sync_mmu(void);
 int kvm_has_vcpu_events(void);
@@ -96,7 +96,7 @@ int kvm_arch_handle_exit(CPUState *env, struct kvm_run *run);
 
 int kvm_arch_pre_run(CPUState *env, struct kvm_run *run);
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 int kvm_arch_process_irqchip_events(CPUState *env);
 #endif
 
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index b00e80d..f4fc063 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -188,7 +188,7 @@ int kvm_arch_init_vcpu(CPUState *env)
         return r;
     }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 
     env->mp_state = KVM_MP_STATE_RUNNABLE;
 
@@ -304,7 +304,7 @@ void kvm_arch_reset_vcpu(CPUState *env)
         env->mp_state = KVM_MP_STATE_RUNNABLE;
     }
 }
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 
 static int kvm_has_msr_star(CPUState *env)
 {
@@ -644,7 +644,7 @@ static void kvm_msr_entry_set(struct kvm_msr_entry *entry,
     entry->data = value;
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 static int kvm_put_msrs(CPUState *env, int level)
 {
     struct {
@@ -1104,7 +1104,7 @@ static int kvm_get_debugregs(CPUState *env)
     return 0;
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 int kvm_arch_put_registers(CPUState *env, int level)
 {
     int ret;
@@ -1242,7 +1242,7 @@ int kvm_arch_post_run(CPUState *env, struct kvm_run *run)
     return 0;
 }
 
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
 
 int kvm_arch_process_irqchip_events(CPUState *env)
 {
diff --git a/vl.c b/vl.c
index 22a3616..378a176 100644
--- a/vl.c
+++ b/vl.c
@@ -2466,7 +2466,7 @@ int main(int argc, char **argv, char **envp)
             case QEMU_OPTION_smbios:
                 do_smbios_option(optarg);
                 break;
-#ifdef KVM_UPSTREAM
+#ifdef OBSOLETE_KVM_IMPL
             case QEMU_OPTION_enable_kvm:
                 kvm_allowed = 1;
 #endif
@@ -2803,7 +2803,7 @@ int main(int argc, char **argv, char **envp)
     if (kvm_allowed) {
         int ret = kvm_init(smp_cpus);
         if (ret < 0) {
-#if defined(KVM_UPSTREAM) || defined(CONFIG_NO_CPU_EMULATION)
+#if defined(OBSOLETE_KVM_IMPL) || defined(CONFIG_NO_CPU_EMULATION)
             if (!kvm_available()) {
                 printf("KVM not supported for this target\n");
             } else {
commit 945b6fa1a023e6eb858489bd58e7d786fdc53a32
Author: Avi Kivity <avi at redhat.com>
Date:   Mon Sep 13 19:42:25 2010 +0200

    Remove kvm/doxygen.conf
    
    Unused.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/doxygen.conf b/kvm/doxygen.conf
deleted file mode 100644
index 21a04c0..0000000
--- a/kvm/doxygen.conf
+++ /dev/null
@@ -1,1252 +0,0 @@
-# Doxyfile 1.5.1
-
-# This file describes the settings to be used by the documentation system
-# doxygen (www.doxygen.org) for a project
-#
-# All text after a hash (#) is considered a comment and will be ignored
-# The format is:
-#       TAG = value [value, ...]
-# For lists items can also be appended using:
-#       TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ")
-
-#---------------------------------------------------------------------------
-# Project related configuration options
-#---------------------------------------------------------------------------
-
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
-# by quotes) that should identify the project.
-
-PROJECT_NAME           = KVM
-
-# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
-# This could be handy for archiving the generated documentation or 
-# if some version control system is used.
-
-PROJECT_NUMBER         = Release 7
-
-# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
-# base path where the generated documentation will be put. 
-# If a relative path is entered, it will be relative to the location 
-# where doxygen was started. If left blank the current directory will be used.
-
-OUTPUT_DIRECTORY       = docs
-
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
-# 4096 sub-directories (in 2 levels) under the output directory of each output 
-# format and will distribute the generated files over these directories. 
-# Enabling this option can be useful when feeding doxygen a huge amount of 
-# source files, where putting all generated files in the same directory would 
-# otherwise cause performance problems for the file system.
-
-CREATE_SUBDIRS         = NO
-
-# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
-# documentation generated by doxygen is written. Doxygen will use this 
-# information to generate all constant output in the proper language. 
-# The default language is English, other supported languages are: 
-# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
-# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, 
-# Italian, Japanese, Japanese-en (Japanese with English messages), Korean, 
-# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, 
-# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian.
-
-OUTPUT_LANGUAGE        = English
-
-# This tag can be used to specify the encoding used in the generated output. 
-# The encoding is not always determined by the language that is chosen, 
-# but also whether or not the output is meant for Windows or non-Windows users. 
-# In case there is a difference, setting the USE_WINDOWS_ENCODING tag to YES 
-# forces the Windows encoding (this is the default for the Windows binary), 
-# whereas setting the tag to NO uses a Unix-style encoding (the default for 
-# all platforms other than Windows).
-
-USE_WINDOWS_ENCODING   = NO
-
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
-# include brief member descriptions after the members that are listed in 
-# the file and class documentation (similar to JavaDoc). 
-# Set to NO to disable this.
-
-BRIEF_MEMBER_DESC      = YES
-
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
-# the brief description of a member or function before the detailed description. 
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
-# brief descriptions will be completely suppressed.
-
-REPEAT_BRIEF           = YES
-
-# This tag implements a quasi-intelligent brief description abbreviator 
-# that is used to form the text in various listings. Each string 
-# in this list, if found as the leading text of the brief description, will be 
-# stripped from the text and the result after processing the whole list, is 
-# used as the annotated text. Otherwise, the brief description is used as-is. 
-# If left blank, the following values are used ("$name" is automatically 
-# replaced with the name of the entity): "The $name class" "The $name widget" 
-# "The $name file" "is" "provides" "specifies" "contains" 
-# "represents" "a" "an" "the"
-
-ABBREVIATE_BRIEF       = 
-
-# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
-# Doxygen will generate a detailed section even if there is only a brief 
-# description.
-
-ALWAYS_DETAILED_SEC    = NO
-
-# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
-# inherited members of a class in the documentation of that class as if those 
-# members were ordinary class members. Constructors, destructors and assignment 
-# operators of the base classes will not be shown.
-
-INLINE_INHERITED_MEMB  = NO
-
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
-# path before files name in the file list and in the header files. If set 
-# to NO the shortest path that makes the file name unique will be used.
-
-FULL_PATH_NAMES        = YES
-
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
-# can be used to strip a user-defined part of the path. Stripping is 
-# only done if one of the specified strings matches the left-hand part of 
-# the path. The tag can be used to show relative paths in the file list. 
-# If left blank the directory from which doxygen is run is used as the 
-# path to strip.
-
-STRIP_FROM_PATH        = 
-
-# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
-# the path mentioned in the documentation of a class, which tells 
-# the reader which header file to include in order to use a class. 
-# If left blank only the name of the header file containing the class 
-# definition is used. Otherwise one should specify the include paths that 
-# are normally passed to the compiler using the -I flag.
-
-STRIP_FROM_INC_PATH    = 
-
-# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
-# (but less readable) file names. This can be useful is your file systems 
-# doesn't support long names like on DOS, Mac, or CD-ROM.
-
-SHORT_NAMES            = NO
-
-# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
-# will interpret the first line (until the first dot) of a JavaDoc-style 
-# comment as the brief description. If set to NO, the JavaDoc 
-# comments will behave just like the Qt-style comments (thus requiring an 
-# explicit @brief command for a brief description.
-
-JAVADOC_AUTOBRIEF      = NO
-
-# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
-# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
-# comments) as a brief description. This used to be the default behaviour. 
-# The new default is to treat a multi-line C++ comment block as a detailed 
-# description. Set this tag to YES if you prefer the old behaviour instead.
-
-MULTILINE_CPP_IS_BRIEF = NO
-
-# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
-# will output the detailed description near the top, like JavaDoc.
-# If set to NO, the detailed description appears after the member 
-# documentation.
-
-DETAILS_AT_TOP         = YES
-
-# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
-# member inherits the documentation from any documented member that it 
-# re-implements.
-
-INHERIT_DOCS           = YES
-
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
-# a new page for each member. If set to NO, the documentation of a member will 
-# be part of the file/class/namespace that contains it.
-
-SEPARATE_MEMBER_PAGES  = NO
-
-# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
-# Doxygen uses this value to replace tabs by spaces in code fragments.
-
-TAB_SIZE               = 8
-
-# This tag can be used to specify a number of aliases that acts 
-# as commands in the documentation. An alias has the form "name=value". 
-# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
-# put the command \sideeffect (or @sideeffect) in the documentation, which 
-# will result in a user-defined paragraph with heading "Side Effects:". 
-# You can put \n's in the value part of an alias to insert newlines.
-
-ALIASES                = 
-
-# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
-# sources only. Doxygen will then generate output that is more tailored for C. 
-# For instance, some of the names that are used will be different. The list 
-# of all members will be omitted, etc.
-
-OPTIMIZE_OUTPUT_FOR_C  = YES
-
-# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
-# sources only. Doxygen will then generate output that is more tailored for Java. 
-# For instance, namespaces will be presented as packages, qualified scopes 
-# will look different, etc.
-
-OPTIMIZE_OUTPUT_JAVA   = NO
-
-# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to 
-# include (a tag file for) the STL sources as input, then you should 
-# set this tag to YES in order to let doxygen match functions declarations and 
-# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
-# func(std::string) {}). This also make the inheritance and collaboration 
-# diagrams that involve STL classes more complete and accurate.
-
-BUILTIN_STL_SUPPORT    = NO
-
-# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
-# tag is set to YES, then doxygen will reuse the documentation of the first 
-# member in the group (if any) for the other members of the group. By default 
-# all members of a group must be documented explicitly.
-
-DISTRIBUTE_GROUP_DOC   = NO
-
-# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
-# the same type (for instance a group of public functions) to be put as a 
-# subgroup of that type (e.g. under the Public Functions section). Set it to 
-# NO to prevent subgrouping. Alternatively, this can be done per class using 
-# the \nosubgrouping command.
-
-SUBGROUPING            = YES
-
-#---------------------------------------------------------------------------
-# Build related configuration options
-#---------------------------------------------------------------------------
-
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
-# documentation are documented, even if no documentation was available. 
-# Private class members and static file members will be hidden unless 
-# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
-
-EXTRACT_ALL            = NO
-
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
-# will be included in the documentation.
-
-EXTRACT_PRIVATE        = NO
-
-# If the EXTRACT_STATIC tag is set to YES all static members of a file 
-# will be included in the documentation.
-
-EXTRACT_STATIC         = NO
-
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
-# defined locally in source files will be included in the documentation. 
-# If set to NO only classes defined in header files are included.
-
-EXTRACT_LOCAL_CLASSES  = YES
-
-# This flag is only useful for Objective-C code. When set to YES local 
-# methods, which are defined in the implementation section but not in 
-# the interface are included in the documentation. 
-# If set to NO (the default) only methods in the interface are included.
-
-EXTRACT_LOCAL_METHODS  = NO
-
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
-# undocumented members of documented classes, files or namespaces. 
-# If set to NO (the default) these members will be included in the 
-# various overviews, but no documentation section is generated. 
-# This option has no effect if EXTRACT_ALL is enabled.
-
-HIDE_UNDOC_MEMBERS     = NO
-
-# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
-# undocumented classes that are normally visible in the class hierarchy. 
-# If set to NO (the default) these classes will be included in the various 
-# overviews. This option has no effect if EXTRACT_ALL is enabled.
-
-HIDE_UNDOC_CLASSES     = NO
-
-# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
-# friend (class|struct|union) declarations. 
-# If set to NO (the default) these declarations will be included in the 
-# documentation.
-
-HIDE_FRIEND_COMPOUNDS  = NO
-
-# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
-# documentation blocks found inside the body of a function. 
-# If set to NO (the default) these blocks will be appended to the 
-# function's detailed documentation block.
-
-HIDE_IN_BODY_DOCS      = NO
-
-# The INTERNAL_DOCS tag determines if documentation 
-# that is typed after a \internal command is included. If the tag is set 
-# to NO (the default) then the documentation will be excluded. 
-# Set it to YES to include the internal documentation.
-
-INTERNAL_DOCS          = NO
-
-# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
-# file names in lower-case letters. If set to YES upper-case letters are also 
-# allowed. This is useful if you have classes or files whose names only differ 
-# in case and if your file system supports case sensitive file names. Windows 
-# and Mac users are advised to set this option to NO.
-
-CASE_SENSE_NAMES       = YES
-
-# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
-# will show members with their full class and namespace scopes in the 
-# documentation. If set to YES the scope will be hidden.
-
-HIDE_SCOPE_NAMES       = NO
-
-# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
-# will put a list of the files that are included by a file in the documentation 
-# of that file.
-
-SHOW_INCLUDE_FILES     = YES
-
-# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
-# is inserted in the documentation for inline members.
-
-INLINE_INFO            = YES
-
-# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
-# will sort the (detailed) documentation of file and class members 
-# alphabetically by member name. If set to NO the members will appear in 
-# declaration order.
-
-SORT_MEMBER_DOCS       = YES
-
-# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
-# brief documentation of file, namespace and class members alphabetically 
-# by member name. If set to NO (the default) the members will appear in 
-# declaration order.
-
-SORT_BRIEF_DOCS        = NO
-
-# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
-# sorted by fully-qualified names, including namespaces. If set to 
-# NO (the default), the class list will be sorted only by class name, 
-# not including the namespace part. 
-# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
-# Note: This option applies only to the class list, not to the 
-# alphabetical list.
-
-SORT_BY_SCOPE_NAME     = NO
-
-# The GENERATE_TODOLIST tag can be used to enable (YES) or 
-# disable (NO) the todo list. This list is created by putting \todo 
-# commands in the documentation.
-
-GENERATE_TODOLIST      = YES
-
-# The GENERATE_TESTLIST tag can be used to enable (YES) or 
-# disable (NO) the test list. This list is created by putting \test 
-# commands in the documentation.
-
-GENERATE_TESTLIST      = YES
-
-# The GENERATE_BUGLIST tag can be used to enable (YES) or 
-# disable (NO) the bug list. This list is created by putting \bug 
-# commands in the documentation.
-
-GENERATE_BUGLIST       = YES
-
-# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
-# disable (NO) the deprecated list. This list is created by putting 
-# \deprecated commands in the documentation.
-
-GENERATE_DEPRECATEDLIST= YES
-
-# The ENABLED_SECTIONS tag can be used to enable conditional 
-# documentation sections, marked by \if sectionname ... \endif.
-
-ENABLED_SECTIONS       = 
-
-# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
-# the initial value of a variable or define consists of for it to appear in 
-# the documentation. If the initializer consists of more lines than specified 
-# here it will be hidden. Use a value of 0 to hide initializers completely. 
-# The appearance of the initializer of individual variables and defines in the 
-# documentation can be controlled using \showinitializer or \hideinitializer 
-# command in the documentation regardless of this setting.
-
-MAX_INITIALIZER_LINES  = 30
-
-# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
-# at the bottom of the documentation of classes and structs. If set to YES the 
-# list will mention the files that were used to generate the documentation.
-
-SHOW_USED_FILES        = YES
-
-# If the sources in your project are distributed over multiple directories 
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
-# in the documentation. The default is NO.
-
-SHOW_DIRECTORIES       = NO
-
-# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
-# doxygen should invoke to get the current version for each file (typically from the 
-# version control system). Doxygen will invoke the program by executing (via 
-# popen()) the command <command> <input-file>, where <command> is the value of 
-# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
-# provided by doxygen. Whatever the program writes to standard output 
-# is used as the file version. See the manual for examples.
-
-FILE_VERSION_FILTER    = 
-
-#---------------------------------------------------------------------------
-# configuration options related to warning and progress messages
-#---------------------------------------------------------------------------
-
-# The QUIET tag can be used to turn on/off the messages that are generated 
-# by doxygen. Possible values are YES and NO. If left blank NO is used.
-
-QUIET                  = YES
-
-# The WARNINGS tag can be used to turn on/off the warning messages that are 
-# generated by doxygen. Possible values are YES and NO. If left blank 
-# NO is used.
-
-WARNINGS               = NO
-
-# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
-# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
-# automatically be disabled.
-
-WARN_IF_UNDOCUMENTED   = NO
-
-# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
-# potential errors in the documentation, such as not documenting some 
-# parameters in a documented function, or documenting parameters that 
-# don't exist or using markup commands wrongly.
-
-WARN_IF_DOC_ERROR      = YES
-
-# This WARN_NO_PARAMDOC option can be abled to get warnings for 
-# functions that are documented, but have no documentation for their parameters 
-# or return value. If set to NO (the default) doxygen will only warn about 
-# wrong or incomplete parameter documentation, but not about the absence of 
-# documentation.
-
-WARN_NO_PARAMDOC       = NO
-
-# The WARN_FORMAT tag determines the format of the warning messages that 
-# doxygen can produce. The string should contain the $file, $line, and $text 
-# tags, which will be replaced by the file and line number from which the 
-# warning originated and the warning text. Optionally the format may contain 
-# $version, which will be replaced by the version of the file (if it could 
-# be obtained via FILE_VERSION_FILTER)
-
-WARN_FORMAT            = "$file:$line: $text"
-
-# The WARN_LOGFILE tag can be used to specify a file to which warning 
-# and error messages should be written. If left blank the output is written 
-# to stderr.
-
-WARN_LOGFILE           = 
-
-#---------------------------------------------------------------------------
-# configuration options related to the input files
-#---------------------------------------------------------------------------
-
-# The INPUT tag can be used to specify the files and/or directories that contain 
-# documented source files. You may enter file names like "myfile.cpp" or 
-# directories like "/usr/src/myproject". Separate the files or directories 
-# with spaces.
-
-INPUT                  = user/ kernel/
-
-# If the value of the INPUT tag contains directories, you can use the 
-# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
-# and *.h) to filter out the source-files in the directories. If left 
-# blank the following patterns are tested: 
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
-# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py
-
-FILE_PATTERNS          = 
-
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
-# should be searched for input files as well. Possible values are YES and NO. 
-# If left blank NO is used.
-
-RECURSIVE              = YES
-
-# The EXCLUDE tag can be used to specify files and/or directories that should 
-# excluded from the INPUT source files. This way you can easily exclude a 
-# subdirectory from a directory tree whose root is specified with the INPUT tag.
-
-EXCLUDE                = 
-
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
-# directories that are symbolic links (a Unix filesystem feature) are excluded 
-# from the input.
-
-EXCLUDE_SYMLINKS       = NO
-
-# If the value of the INPUT tag contains directories, you can use the 
-# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
-# certain files from those directories. Note that the wildcards are matched 
-# against the file with absolute path, so to exclude all test directories 
-# for example use the pattern */test/*
-
-EXCLUDE_PATTERNS       = 
-
-# The EXAMPLE_PATH tag can be used to specify one or more files or 
-# directories that contain example code fragments that are included (see 
-# the \include command).
-
-EXAMPLE_PATH           = 
-
-# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
-# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
-# and *.h) to filter out the source-files in the directories. If left 
-# blank all files are included.
-
-EXAMPLE_PATTERNS       = 
-
-# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
-# searched for input files to be used with the \include or \dontinclude 
-# commands irrespective of the value of the RECURSIVE tag. 
-# Possible values are YES and NO. If left blank NO is used.
-
-EXAMPLE_RECURSIVE      = NO
-
-# The IMAGE_PATH tag can be used to specify one or more files or 
-# directories that contain image that are included in the documentation (see 
-# the \image command).
-
-IMAGE_PATH             = 
-
-# The INPUT_FILTER tag can be used to specify a program that doxygen should 
-# invoke to filter for each input file. Doxygen will invoke the filter program 
-# by executing (via popen()) the command <filter> <input-file>, where <filter> 
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
-# input file. Doxygen will then use the output that the filter program writes 
-# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
-# ignored.
-
-INPUT_FILTER           = 
-
-# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
-# basis.  Doxygen will compare the file name with each pattern and apply the 
-# filter if there is a match.  The filters are a list of the form: 
-# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
-# is applied to all files.
-
-FILTER_PATTERNS        = 
-
-# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
-# INPUT_FILTER) will be used to filter the input files when producing source 
-# files to browse (i.e. when SOURCE_BROWSER is set to YES).
-
-FILTER_SOURCE_FILES    = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to source browsing
-#---------------------------------------------------------------------------
-
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
-# be generated. Documented entities will be cross-referenced with these sources. 
-# Note: To get rid of all source code in the generated output, make sure also 
-# VERBATIM_HEADERS is set to NO.
-
-SOURCE_BROWSER         = NO
-
-# Setting the INLINE_SOURCES tag to YES will include the body 
-# of functions and classes directly in the documentation.
-
-INLINE_SOURCES         = NO
-
-# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
-# doxygen to hide any special comment blocks from generated source code 
-# fragments. Normal C and C++ comments will always remain visible.
-
-STRIP_CODE_COMMENTS    = YES
-
-# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
-# then for each documented function all documented 
-# functions referencing it will be listed.
-
-REFERENCED_BY_RELATION = YES
-
-# If the REFERENCES_RELATION tag is set to YES (the default) 
-# then for each documented function all documented entities 
-# called/used by that function will be listed.
-
-REFERENCES_RELATION    = YES
-
-# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
-# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
-# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.  Otherwise they will link to the documentstion.
-
-REFERENCES_LINK_SOURCE = NO
-
-# If the USE_HTAGS tag is set to YES then the references to source code 
-# will point to the HTML generated by the htags(1) tool instead of doxygen 
-# built-in source browser. The htags tool is part of GNU's global source 
-# tagging system (see http://www.gnu.org/software/global/global.html). You 
-# will need version 4.8.6 or higher.
-
-USE_HTAGS              = NO
-
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
-# will generate a verbatim copy of the header file for each class for 
-# which an include is specified. Set to NO to disable this.
-
-VERBATIM_HEADERS       = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the alphabetical class index
-#---------------------------------------------------------------------------
-
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
-# of all compounds will be generated. Enable this if the project 
-# contains a lot of classes, structs, unions or interfaces.
-
-ALPHABETICAL_INDEX     = NO
-
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
-# in which this list will be split (can be a number in the range [1..20])
-
-COLS_IN_ALPHA_INDEX    = 5
-
-# In case all classes in a project start with a common prefix, all 
-# classes will be put under the same header in the alphabetical index. 
-# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
-# should be ignored while generating the index headers.
-
-IGNORE_PREFIX          = 
-
-#---------------------------------------------------------------------------
-# configuration options related to the HTML output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
-# generate HTML output.
-
-GENERATE_HTML          = YES
-
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `html' will be used as the default path.
-
-HTML_OUTPUT            = html
-
-# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
-# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
-# doxygen will generate files with .html extension.
-
-HTML_FILE_EXTENSION    = .html
-
-# The HTML_HEADER tag can be used to specify a personal HTML header for 
-# each generated HTML page. If it is left blank doxygen will generate a 
-# standard header.
-
-HTML_HEADER            = 
-
-# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
-# each generated HTML page. If it is left blank doxygen will generate a 
-# standard footer.
-
-HTML_FOOTER            = 
-
-# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
-# style sheet that is used by each HTML page. It can be used to 
-# fine-tune the look of the HTML output. If the tag is left blank doxygen 
-# will generate a default style sheet. Note that doxygen will try to copy 
-# the style sheet file to the HTML output directory, so don't put your own 
-# stylesheet in the HTML output directory as well, or it will be erased!
-
-HTML_STYLESHEET        = 
-
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
-# files or namespaces will be aligned in HTML using tables. If set to 
-# NO a bullet list will be used.
-
-HTML_ALIGN_MEMBERS     = YES
-
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
-# will be generated that can be used as input for tools like the 
-# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) 
-# of the generated HTML documentation.
-
-GENERATE_HTMLHELP      = NO
-
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
-# be used to specify the file name of the resulting .chm file. You 
-# can add a path in front of the file if the result should not be 
-# written to the html output directory.
-
-CHM_FILE               = 
-
-# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
-# be used to specify the location (absolute path including file name) of 
-# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
-# the HTML help compiler on the generated index.hhp.
-
-HHC_LOCATION           = 
-
-# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
-# controls if a separate .chi index file is generated (YES) or that 
-# it should be included in the master .chm file (NO).
-
-GENERATE_CHI           = NO
-
-# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
-# controls whether a binary table of contents is generated (YES) or a 
-# normal table of contents (NO) in the .chm file.
-
-BINARY_TOC             = NO
-
-# The TOC_EXPAND flag can be set to YES to add extra items for group members 
-# to the contents of the HTML help documentation and to the tree view.
-
-TOC_EXPAND             = NO
-
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
-# top of each HTML page. The value NO (the default) enables the index and 
-# the value YES disables it.
-
-DISABLE_INDEX          = NO
-
-# This tag can be used to set the number of enum values (range [1..20]) 
-# that doxygen will group on one line in the generated HTML documentation.
-
-ENUM_VALUES_PER_LINE   = 4
-
-# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
-# generated containing a tree-like index structure (just like the one that 
-# is generated for HTML Help). For this to work a browser that supports 
-# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
-# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
-# probably better off using the HTML help feature.
-
-GENERATE_TREEVIEW      = NO
-
-# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
-# used to set the initial width (in pixels) of the frame in which the tree 
-# is shown.
-
-TREEVIEW_WIDTH         = 250
-
-#---------------------------------------------------------------------------
-# configuration options related to the LaTeX output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
-# generate Latex output.
-
-GENERATE_LATEX         = NO
-
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `latex' will be used as the default path.
-
-LATEX_OUTPUT           = latex
-
-# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
-# invoked. If left blank `latex' will be used as the default command name.
-
-LATEX_CMD_NAME         = latex
-
-# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
-# generate index for LaTeX. If left blank `makeindex' will be used as the 
-# default command name.
-
-MAKEINDEX_CMD_NAME     = makeindex
-
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
-# LaTeX documents. This may be useful for small projects and may help to 
-# save some trees in general.
-
-COMPACT_LATEX          = NO
-
-# The PAPER_TYPE tag can be used to set the paper type that is used 
-# by the printer. Possible values are: a4, a4wide, letter, legal and 
-# executive. If left blank a4wide will be used.
-
-PAPER_TYPE             = a4wide
-
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
-# packages that should be included in the LaTeX output.
-
-EXTRA_PACKAGES         = 
-
-# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
-# the generated latex document. The header should contain everything until 
-# the first chapter. If it is left blank doxygen will generate a 
-# standard header. Notice: only use this tag if you know what you are doing!
-
-LATEX_HEADER           = 
-
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
-# contain links (just like the HTML output) instead of page references 
-# This makes the output suitable for online browsing using a pdf viewer.
-
-PDF_HYPERLINKS         = NO
-
-# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
-# plain latex in the generated Makefile. Set this option to YES to get a 
-# higher quality PDF documentation.
-
-USE_PDFLATEX           = NO
-
-# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
-# command to the generated LaTeX files. This will instruct LaTeX to keep 
-# running if errors occur, instead of asking the user for help. 
-# This option is also used when generating formulas in HTML.
-
-LATEX_BATCHMODE        = NO
-
-# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
-# include the index chapters (such as File Index, Compound Index, etc.) 
-# in the output.
-
-LATEX_HIDE_INDICES     = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the RTF output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
-# The RTF output is optimized for Word 97 and may not look very pretty with 
-# other RTF readers or editors.
-
-GENERATE_RTF           = NO
-
-# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `rtf' will be used as the default path.
-
-RTF_OUTPUT             = rtf
-
-# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
-# RTF documents. This may be useful for small projects and may help to 
-# save some trees in general.
-
-COMPACT_RTF            = NO
-
-# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
-# will contain hyperlink fields. The RTF file will 
-# contain links (just like the HTML output) instead of page references. 
-# This makes the output suitable for online browsing using WORD or other 
-# programs which support those fields. 
-# Note: wordpad (write) and others do not support links.
-
-RTF_HYPERLINKS         = NO
-
-# Load stylesheet definitions from file. Syntax is similar to doxygen's 
-# config file, i.e. a series of assignments. You only have to provide 
-# replacements, missing definitions are set to their default value.
-
-RTF_STYLESHEET_FILE    = 
-
-# Set optional variables used in the generation of an rtf document. 
-# Syntax is similar to doxygen's config file.
-
-RTF_EXTENSIONS_FILE    = 
-
-#---------------------------------------------------------------------------
-# configuration options related to the man page output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
-# generate man pages
-
-GENERATE_MAN           = NO
-
-# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `man' will be used as the default path.
-
-MAN_OUTPUT             = man
-
-# The MAN_EXTENSION tag determines the extension that is added to 
-# the generated man pages (default is the subroutine's section .3)
-
-MAN_EXTENSION          = .3
-
-# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
-# then it will generate one additional man file for each entity 
-# documented in the real man page(s). These additional files 
-# only source the real man page, but without them the man command 
-# would be unable to find the correct page. The default is NO.
-
-MAN_LINKS              = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the XML output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_XML tag is set to YES Doxygen will 
-# generate an XML file that captures the structure of 
-# the code including all documentation.
-
-GENERATE_XML           = NO
-
-# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `xml' will be used as the default path.
-
-XML_OUTPUT             = xml
-
-# The XML_SCHEMA tag can be used to specify an XML schema, 
-# which can be used by a validating XML parser to check the 
-# syntax of the XML files.
-
-XML_SCHEMA             = 
-
-# The XML_DTD tag can be used to specify an XML DTD, 
-# which can be used by a validating XML parser to check the 
-# syntax of the XML files.
-
-XML_DTD                = 
-
-# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
-# dump the program listings (including syntax highlighting 
-# and cross-referencing information) to the XML output. Note that 
-# enabling this will significantly increase the size of the XML output.
-
-XML_PROGRAMLISTING     = YES
-
-#---------------------------------------------------------------------------
-# configuration options for the AutoGen Definitions output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
-# generate an AutoGen Definitions (see autogen.sf.net) file 
-# that captures the structure of the code including all 
-# documentation. Note that this feature is still experimental 
-# and incomplete at the moment.
-
-GENERATE_AUTOGEN_DEF   = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the Perl module output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
-# generate a Perl module file that captures the structure of 
-# the code including all documentation. Note that this 
-# feature is still experimental and incomplete at the 
-# moment.
-
-GENERATE_PERLMOD       = NO
-
-# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
-# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
-# to generate PDF and DVI output from the Perl module output.
-
-PERLMOD_LATEX          = NO
-
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
-# nicely formatted so it can be parsed by a human reader.  This is useful 
-# if you want to understand what is going on.  On the other hand, if this 
-# tag is set to NO the size of the Perl module output will be much smaller 
-# and Perl will parse it just the same.
-
-PERLMOD_PRETTY         = YES
-
-# The names of the make variables in the generated doxyrules.make file 
-# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
-# This is useful so different doxyrules.make files included by the same 
-# Makefile don't overwrite each other's variables.
-
-PERLMOD_MAKEVAR_PREFIX = 
-
-#---------------------------------------------------------------------------
-# Configuration options related to the preprocessor   
-#---------------------------------------------------------------------------
-
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
-# evaluate all C-preprocessor directives found in the sources and include 
-# files.
-
-ENABLE_PREPROCESSING   = YES
-
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
-# names in the source code. If set to NO (the default) only conditional 
-# compilation will be performed. Macro expansion can be done in a controlled 
-# way by setting EXPAND_ONLY_PREDEF to YES.
-
-MACRO_EXPANSION        = NO
-
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
-# then the macro expansion is limited to the macros specified with the 
-# PREDEFINED and EXPAND_AS_DEFINED tags.
-
-EXPAND_ONLY_PREDEF     = NO
-
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
-
-SEARCH_INCLUDES        = YES
-
-# The INCLUDE_PATH tag can be used to specify one or more directories that 
-# contain include files that are not input files but should be processed by 
-# the preprocessor.
-
-INCLUDE_PATH           = 
-
-# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
-# patterns (like *.h and *.hpp) to filter out the header-files in the 
-# directories. If left blank, the patterns specified with FILE_PATTERNS will 
-# be used.
-
-INCLUDE_FILE_PATTERNS  = 
-
-# The PREDEFINED tag can be used to specify one or more macro names that 
-# are defined before the preprocessor is started (similar to the -D option of 
-# gcc). The argument of the tag is a list of macros of the form: name 
-# or name=definition (no spaces). If the definition and the = are 
-# omitted =1 is assumed. To prevent a macro definition from being 
-# undefined via #undef or recursively expanded use the := operator 
-# instead of the = operator.
-
-PREDEFINED             = 
-
-# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
-# this tag can be used to specify a list of macro names that should be expanded. 
-# The macro definition that is found in the sources will be used. 
-# Use the PREDEFINED tag if you want to use a different macro definition.
-
-EXPAND_AS_DEFINED      = 
-
-# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
-# doxygen's preprocessor will remove all function-like macros that are alone 
-# on a line, have an all uppercase name, and do not end with a semicolon. Such 
-# function macros are typically used for boiler-plate code, and will confuse 
-# the parser if not removed.
-
-SKIP_FUNCTION_MACROS   = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to external references   
-#---------------------------------------------------------------------------
-
-# The TAGFILES option can be used to specify one or more tagfiles. 
-# Optionally an initial location of the external documentation 
-# can be added for each tagfile. The format of a tag file without 
-# this location is as follows: 
-#   TAGFILES = file1 file2 ... 
-# Adding location for the tag files is done as follows: 
-#   TAGFILES = file1=loc1 "file2 = loc2" ... 
-# where "loc1" and "loc2" can be relative or absolute paths or 
-# URLs. If a location is present for each tag, the installdox tool 
-# does not have to be run to correct the links.
-# Note that each tag file must have a unique name
-# (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen 
-# is run, you must also specify the path to the tagfile here.
-
-TAGFILES               = 
-
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
-# a tag file that is based on the input files it reads.
-
-GENERATE_TAGFILE       = 
-
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
-# in the class index. If set to NO only the inherited external classes 
-# will be listed.
-
-ALLEXTERNALS           = NO
-
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
-# in the modules index. If set to NO, only the current project's groups will 
-# be listed.
-
-EXTERNAL_GROUPS        = YES
-
-# The PERL_PATH should be the absolute path and name of the perl script 
-# interpreter (i.e. the result of `which perl').
-
-PERL_PATH              = /usr/bin/perl
-
-#---------------------------------------------------------------------------
-# Configuration options related to the dot tool   
-#---------------------------------------------------------------------------
-
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
-# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
-# or super classes. Setting the tag to NO turns the diagrams off. Note that 
-# this option is superseded by the HAVE_DOT option below. This is only a 
-# fallback. It is recommended to install and use dot, since it yields more 
-# powerful graphs.
-
-CLASS_DIAGRAMS         = YES
-
-# If set to YES, the inheritance and collaboration graphs will hide 
-# inheritance and usage relations if the target is undocumented 
-# or is not a class.
-
-HIDE_UNDOC_RELATIONS   = YES
-
-# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
-# available from the path. This tool is part of Graphviz, a graph visualization 
-# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
-# have no effect if this option is set to NO (the default)
-
-HAVE_DOT               = NO
-
-# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for each documented class showing the direct and 
-# indirect inheritance relations. Setting this tag to YES will force the 
-# the CLASS_DIAGRAMS tag to NO.
-
-CLASS_GRAPH            = YES
-
-# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for each documented class showing the direct and 
-# indirect implementation dependencies (inheritance, containment, and 
-# class references variables) of the class with other documented classes.
-
-COLLABORATION_GRAPH    = YES
-
-# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for groups, showing the direct groups dependencies
-
-GROUP_GRAPHS           = YES
-
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
-# collaboration diagrams in a style similar to the OMG's Unified Modeling 
-# Language.
-
-UML_LOOK               = NO
-
-# If set to YES, the inheritance and collaboration graphs will show the 
-# relations between templates and their instances.
-
-TEMPLATE_RELATIONS     = NO
-
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
-# tags are set to YES then doxygen will generate a graph for each documented 
-# file showing the direct and indirect include dependencies of the file with 
-# other documented files.
-
-INCLUDE_GRAPH          = YES
-
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
-# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
-# documented header file showing the documented files that directly or 
-# indirectly include this file.
-
-INCLUDED_BY_GRAPH      = YES
-
-# If the CALL_GRAPH and HAVE_DOT tags are set to YES then doxygen will 
-# generate a call dependency graph for every global function or class method. 
-# Note that enabling this option will significantly increase the time of a run. 
-# So in most cases it will be better to enable call graphs for selected 
-# functions only using the \callgraph command.
-
-CALL_GRAPH             = NO
-
-# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then doxygen will 
-# generate a caller dependency graph for every global function or class method. 
-# Note that enabling this option will significantly increase the time of a run. 
-# So in most cases it will be better to enable caller graphs for selected 
-# functions only using the \callergraph command.
-
-CALLER_GRAPH           = NO
-
-# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
-# will graphical hierarchy of all classes instead of a textual one.
-
-GRAPHICAL_HIERARCHY    = YES
-
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
-# then doxygen will show the dependencies a directory has on other directories 
-# in a graphical way. The dependency relations are determined by the #include
-# relations between the files in the directories.
-
-DIRECTORY_GRAPH        = YES
-
-# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
-# generated by dot. Possible values are png, jpg, or gif
-# If left blank png will be used.
-
-DOT_IMAGE_FORMAT       = png
-
-# The tag DOT_PATH can be used to specify the path where the dot tool can be 
-# found. If left blank, it is assumed the dot tool can be found in the path.
-
-DOT_PATH               = 
-
-# The DOTFILE_DIRS tag can be used to specify one or more directories that 
-# contain dot files that are included in the documentation (see the 
-# \dotfile command).
-
-DOTFILE_DIRS           = 
-
-# The MAX_DOT_GRAPH_WIDTH tag can be used to set the maximum allowed width 
-# (in pixels) of the graphs generated by dot. If a graph becomes larger than 
-# this value, doxygen will try to truncate the graph, so that it fits within 
-# the specified constraint. Beware that most browsers cannot cope with very 
-# large images.
-
-MAX_DOT_GRAPH_WIDTH    = 1024
-
-# The MAX_DOT_GRAPH_HEIGHT tag can be used to set the maximum allows height 
-# (in pixels) of the graphs generated by dot. If a graph becomes larger than 
-# this value, doxygen will try to truncate the graph, so that it fits within 
-# the specified constraint. Beware that most browsers cannot cope with very 
-# large images.
-
-MAX_DOT_GRAPH_HEIGHT   = 1024
-
-# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
-# graphs generated by dot. A depth value of 3 means that only nodes reachable 
-# from the root by following a path via at most 3 edges will be shown. Nodes 
-# that lay further from the root node will be omitted. Note that setting this 
-# option to 1 or 2 may greatly reduce the computation time needed for large 
-# code bases. Also note that a graph may be further truncated if the graph's 
-# image dimensions are not sufficient to fit the graph (see MAX_DOT_GRAPH_WIDTH 
-# and MAX_DOT_GRAPH_HEIGHT). If 0 is used for the depth value (the default), 
-# the graph is not depth-constrained.
-
-MAX_DOT_GRAPH_DEPTH    = 0
-
-# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
-# background. This is disabled by default, which results in a white background. 
-# Warning: Depending on the platform used, enabling this option may lead to 
-# badly anti-aliased labels on the edges of a graph (i.e. they become hard to 
-# read).
-
-DOT_TRANSPARENT        = NO
-
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
-# files in one run (i.e. multiple -o and -T options on the command line). This 
-# makes dot run faster, but since only newer versions of dot (>1.8.10) 
-# support this, this feature is disabled by default.
-
-DOT_MULTI_TARGETS      = NO
-
-# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
-# generate a legend page explaining the meaning of the various boxes and 
-# arrows in the dot generated graphs.
-
-GENERATE_LEGEND        = YES
-
-# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
-# remove the intermediate dot files that are used to generate 
-# the various graphs.
-
-DOT_CLEANUP            = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to the search engine   
-#---------------------------------------------------------------------------
-
-# The SEARCHENGINE tag specifies whether or not a search engine should be 
-# used. If set to NO the values of all tags below this one will be ignored.
-
-SEARCHENGINE           = NO
commit b6601141cd2a170dfe773987b06f716a190ea7e0
Author: Michal Novotny <minovotn at redhat.com>
Date:   Mon Sep 13 14:32:32 2010 +0200

    serial: Wrap debug prints around a DPRINTF macro
    
    Signed-off-by: Michal Novotny <minovotn at redhat.com>
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/hw/serial.c b/hw/serial.c
index b66d13a..49431b2 100644
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -99,6 +99,14 @@
 #define RECV_FIFO           1
 #define MAX_XMIT_RETRY      4
 
+#ifdef DEBUG_SERIAL
+#define DPRINTF(fmt, ...) \
+do { fprintf(stderr, "serial: " fmt , ## __VA_ARGS__); } while (0);
+#else
+#define DPRINTF(fmt, ...) \
+do {} while(0);
+#endif
+
 typedef struct SerialFIFO {
     uint8_t data[UART_FIFO_LENGTH];
     uint8_t count;
@@ -267,10 +275,9 @@ static void serial_update_parameters(SerialState *s)
     ssp.stop_bits = stop_bits;
     s->char_transmit_time =  (get_ticks_per_sec() / speed) * frame_size;
     qemu_chr_ioctl(s->chr, CHR_IOCTL_SERIAL_SET_PARAMS, &ssp);
-#if 0
-    printf("speed=%d parity=%c data=%d stop=%d\n",
+
+    DPRINTF("speed=%d parity=%c data=%d stop=%d\n",
            speed, parity, data_bits, stop_bits);
-#endif
 }
 
 static void serial_update_msl(SerialState *s)
@@ -360,9 +367,7 @@ static void serial_ioport_write(void *opaque, uint32_t addr, uint32_t val)
     SerialState *s = opaque;
 
     addr &= 7;
-#ifdef DEBUG_SERIAL
-    printf("serial: write addr=0x%02x val=0x%02x\n", addr, val);
-#endif
+    DPRINTF("write addr=0x%02x val=0x%02x\n", addr, val);
     switch(addr) {
     default:
     case 0:
@@ -583,9 +588,7 @@ static uint32_t serial_ioport_read(void *opaque, uint32_t addr)
         ret = s->scr;
         break;
     }
-#ifdef DEBUG_SERIAL
-    printf("serial: read addr=0x%02x val=0x%02x\n", addr, ret);
-#endif
+    DPRINTF("read addr=0x%02x val=0x%02x\n", addr, ret);
     return ret;
 }
 
@@ -651,9 +654,7 @@ static void serial_receive1(void *opaque, const uint8_t *buf, int size)
 static void serial_event(void *opaque, int event)
 {
     SerialState *s = opaque;
-#ifdef DEBUG_SERIAL
-    printf("serial: event %x\n", event);
-#endif
+    DPRINTF("event %x\n", event);
     if (event == CHR_EVENT_BREAK)
         serial_receive_break(s);
 }
commit 6ab42e983a73de460159f6dbf0c340dc5724d643
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 12 09:50:56 2010 +0200

    Don't launch guest if -no-kvm when tcg is not configured in
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/vl.c b/vl.c
index 2a32cc5..22a3616 100644
--- a/vl.c
+++ b/vl.c
@@ -2473,6 +2473,10 @@ int main(int argc, char **argv, char **envp)
                 break;
 	    case QEMU_OPTION_no_kvm:
 		kvm_allowed = 0;
+#ifdef CONFIG_NO_CPU_EMULATION
+                fprintf(stderr, "cpu emulation not configured\n");
+                exit(1);
+#endif
 		break;
 #ifdef CONFIG_KVM
 	    case QEMU_OPTION_no_kvm_irqchip: {
commit bd27a32d82f7ae06a9053d16273ca5ef4b4f13c9
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 12 09:46:51 2010 +0200

    Add missing tcg_prologue_init() for --disable-cpu-emulation build
    
    Add missing tcg_prologue_init() and tcg_ctx, remove code_gen_max_block_size.
    
    Fixes ./configure --disable-cpu-emulation.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/target-i386/fake-exec.c b/target-i386/fake-exec.c
index dfa202d..e6f8363 100644
--- a/target-i386/fake-exec.c
+++ b/target-i386/fake-exec.c
@@ -12,22 +12,20 @@
  */
 #include "exec.h"
 #include "cpu.h"
+#include "tcg.h"
 
 int code_copy_enabled = 0;
 
 CCTable cc_table[CC_OP_NB];
 
+TCGContext tcg_ctx;
+
 void cpu_dump_statistics (CPUState *env, FILE*f,
                           int (*cpu_fprintf)(FILE *f, const char *fmt, ...),
                           int flags)
 {
 }
 
-unsigned long code_gen_max_block_size(void)
-{
-    return 32;
-}
-
 void cpu_gen_init(void)
 {
 }
@@ -48,3 +46,7 @@ int cpu_x86_gen_code(CPUState *env, TranslationBlock *tb, int *gen_code_size_ptr
 void optimize_flags_init(void)
 {
 }
+
+void tcg_prologue_init(TCGContext *ctx)
+{
+}
commit 73d7434279e390505164afd02360eebe4b43c7fa
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 11 16:38:33 2010 +0000

    ESP: fix ESP DMA access when DMA is not enabled
    
    Sending ESP a command caused it to trigger DMA immediately
    even if DMA was not enabled at the DMA controller.
    
    Add a signal from DMA controller to ESP to tell ESP about changes in
    DMA enable bit. Also use the correct function for setting up GPIO outputs.
    
    This fixes NetBSD 1.6.1 through 3.0 boot.
    
    Thanks to Artyom Tarasenko for extensive debugging of the problem.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/esp.c b/hw/esp.c
index 349052a..910fd31 100644
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -80,6 +80,8 @@ struct ESPState {
     ESPDMAMemoryReadWriteFunc dma_memory_read;
     ESPDMAMemoryReadWriteFunc dma_memory_write;
     void *dma_opaque;
+    int dma_enabled;
+    void (*dma_cb)(ESPState *s);
 };
 
 #define ESP_TCLO   0x0
@@ -167,6 +169,24 @@ static void esp_lower_irq(ESPState *s)
     }
 }
 
+static void esp_dma_enable(void *opaque, int irq, int level)
+{
+    DeviceState *d = opaque;
+    ESPState *s = container_of(d, ESPState, busdev.qdev);
+
+    if (level) {
+        s->dma_enabled = 1;
+        DPRINTF("Raise enable\n");
+        if (s->dma_cb) {
+            s->dma_cb(s);
+            s->dma_cb = NULL;
+        }
+    } else {
+        DPRINTF("Lower enable\n");
+        s->dma_enabled = 0;
+    }
+}
+
 static uint32_t get_cmd(ESPState *s, uint8_t *buf)
 {
     uint32_t dmalen;
@@ -243,6 +263,10 @@ static void handle_satn(ESPState *s)
     uint8_t buf[32];
     int len;
 
+    if (!s->dma_enabled) {
+        s->dma_cb = handle_satn;
+        return;
+    }
     len = get_cmd(s, buf);
     if (len)
         do_cmd(s, buf);
@@ -253,6 +277,10 @@ static void handle_s_without_atn(ESPState *s)
     uint8_t buf[32];
     int len;
 
+    if (!s->dma_enabled) {
+        s->dma_cb = handle_s_without_atn;
+        return;
+    }
     len = get_cmd(s, buf);
     if (len) {
         do_busid_cmd(s, buf, 0);
@@ -261,6 +289,10 @@ static void handle_s_without_atn(ESPState *s)
 
 static void handle_satn_stop(ESPState *s)
 {
+    if (!s->dma_enabled) {
+        s->dma_cb = handle_satn_stop;
+        return;
+    }
     s->cmdlen = get_cmd(s, s->cmdbuf);
     if (s->cmdlen) {
         DPRINTF("Set ATN & Stop: cmdlen %d\n", s->cmdlen);
@@ -431,6 +463,7 @@ static void esp_hard_reset(DeviceState *d)
     s->ti_wptr = 0;
     s->dma = 0;
     s->do_cmd = 0;
+    s->dma_cb = NULL;
 
     s->rregs[ESP_CFG1] = 7;
 }
@@ -450,6 +483,18 @@ static void parent_esp_reset(void *opaque, int irq, int level)
     }
 }
 
+static void esp_gpio_demux(void *opaque, int irq, int level)
+{
+    switch (irq) {
+    case 0:
+        parent_esp_reset(opaque, irq, level);
+        break;
+    case 1:
+        esp_dma_enable(opaque, irq, level);
+        break;
+    }
+}
+
 static uint32_t esp_mem_readb(void *opaque, target_phys_addr_t addr)
 {
     ESPState *s = opaque;
@@ -646,7 +691,8 @@ static const VMStateDescription vmstate_esp = {
 void esp_init(target_phys_addr_t espaddr, int it_shift,
               ESPDMAMemoryReadWriteFunc dma_memory_read,
               ESPDMAMemoryReadWriteFunc dma_memory_write,
-              void *dma_opaque, qemu_irq irq, qemu_irq *reset)
+              void *dma_opaque, qemu_irq irq, qemu_irq *reset,
+              qemu_irq *dma_enable)
 {
     DeviceState *dev;
     SysBusDevice *s;
@@ -658,11 +704,14 @@ void esp_init(target_phys_addr_t espaddr, int it_shift,
     esp->dma_memory_write = dma_memory_write;
     esp->dma_opaque = dma_opaque;
     esp->it_shift = it_shift;
+    /* XXX for now until rc4030 has been changed to use DMA enable signal */
+    esp->dma_enabled = 1;
     qdev_init_nofail(dev);
     s = sysbus_from_qdev(dev);
     sysbus_connect_irq(s, 0, irq);
     sysbus_mmio_map(s, 0, espaddr);
     *reset = qdev_get_gpio_in(dev, 0);
+    *dma_enable = qdev_get_gpio_in(dev, 1);
 }
 
 static int esp_init1(SysBusDevice *dev)
@@ -676,7 +725,7 @@ static int esp_init1(SysBusDevice *dev)
     esp_io_memory = cpu_register_io_memory(esp_mem_read, esp_mem_write, s);
     sysbus_init_mmio(dev, ESP_REGS << s->it_shift, esp_io_memory);
 
-    qdev_init_gpio_in(&dev->qdev, parent_esp_reset, 1);
+    qdev_init_gpio_in(&dev->qdev, esp_gpio_demux, 2);
 
     scsi_bus_new(&s->bus, &dev->qdev, 0, ESP_MAX_DEVS, esp_command_complete);
     return scsi_bus_legacy_handle_cmdline(&s->bus);
diff --git a/hw/esp.h b/hw/esp.h
index 605f953..62bfd4d 100644
--- a/hw/esp.h
+++ b/hw/esp.h
@@ -7,6 +7,7 @@ typedef void (*ESPDMAMemoryReadWriteFunc)(void *opaque, uint8_t *buf, int len);
 void esp_init(target_phys_addr_t espaddr, int it_shift,
               ESPDMAMemoryReadWriteFunc dma_memory_read,
               ESPDMAMemoryReadWriteFunc dma_memory_write,
-              void *dma_opaque, qemu_irq irq, qemu_irq *reset);
+              void *dma_opaque, qemu_irq irq, qemu_irq *reset,
+              qemu_irq *dma_enable);
 
 #endif
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index 5d5305a..66397c0 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -137,7 +137,7 @@ void mips_jazz_init (ram_addr_t ram_size,
     NICInfo *nd;
     PITState *pit;
     DriveInfo *fds[MAX_FD];
-    qemu_irq esp_reset;
+    qemu_irq esp_reset, dma_enable;
     qemu_irq *cpu_exit_irq;
     ram_addr_t ram_offset;
     ram_addr_t bios_offset;
@@ -245,7 +245,7 @@ void mips_jazz_init (ram_addr_t ram_size,
     /* SCSI adapter */
     esp_init(0x80002000, 0,
              rc4030_dma_read, rc4030_dma_write, dmas[0],
-             rc4030[5], &esp_reset);
+             rc4030[5], &esp_reset, &dma_enable);
 
     /* Floppy */
     if (drive_get_max_bus(IF_FLOPPY) >= MAX_FD) {
diff --git a/hw/sparc32_dma.c b/hw/sparc32_dma.c
index b521707..984ffc3 100644
--- a/hw/sparc32_dma.c
+++ b/hw/sparc32_dma.c
@@ -58,6 +58,7 @@
 #define DMA_INTR 1
 #define DMA_INTREN 0x10
 #define DMA_WRITE_MEM 0x100
+#define DMA_EN 0x200
 #define DMA_LOADED 0x04000000
 #define DMA_DRAIN_FIFO 0x40
 #define DMA_RESET 0x80
@@ -72,7 +73,12 @@ struct DMAState {
     uint32_t dmaregs[DMA_REGS];
     qemu_irq irq;
     void *iommu;
-    qemu_irq dev_reset;
+    qemu_irq gpio[2];
+};
+
+enum {
+    GPIO_RESET = 0,
+    GPIO_DMA,
 };
 
 /* Note: on sparc, the lance 16 bit bus is swapped */
@@ -201,12 +207,21 @@ static void dma_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
             }
         }
         if (val & DMA_RESET) {
-            qemu_irq_raise(s->dev_reset);
-            qemu_irq_lower(s->dev_reset);
+            qemu_irq_raise(s->gpio[GPIO_RESET]);
+            qemu_irq_lower(s->gpio[GPIO_RESET]);
         } else if (val & DMA_DRAIN_FIFO) {
             val &= ~DMA_DRAIN_FIFO;
         } else if (val == 0)
             val = DMA_DRAIN_FIFO;
+
+        if (val & DMA_EN && !(s->dmaregs[0] & DMA_EN)) {
+            DPRINTF("Raise DMA enable\n");
+            qemu_irq_raise(s->gpio[GPIO_DMA]);
+        } else if (!(val & DMA_EN) && !!(s->dmaregs[0] & DMA_EN)) {
+            DPRINTF("Lower DMA enable\n");
+            qemu_irq_lower(s->gpio[GPIO_DMA]);
+        }
+
         val &= ~DMA_CSR_RO_MASK;
         val |= DMA_VER;
         s->dmaregs[0] = (s->dmaregs[0] & DMA_CSR_RO_MASK) | val;
@@ -262,7 +277,7 @@ static int sparc32_dma_init1(SysBusDevice *dev)
     sysbus_init_mmio(dev, DMA_SIZE, dma_io_memory);
 
     qdev_init_gpio_in(&dev->qdev, dma_set_irq, 1);
-    qdev_init_gpio_out(&dev->qdev, &s->dev_reset, 1);
+    qdev_init_gpio_out(&dev->qdev, s->gpio, 2);
 
     return 0;
 }
diff --git a/hw/sun4m.c b/hw/sun4m.c
index 7d7a7df..0392109 100644
--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -810,7 +810,7 @@ static void sun4m_hw_init(const struct sun4m_hwdef *hwdef, ram_addr_t RAM_size,
     void *iommu, *espdma, *ledma, *nvram;
     qemu_irq *cpu_irqs[MAX_CPUS], slavio_irq[32], slavio_cpu_irq[MAX_CPUS],
         espdma_irq, ledma_irq;
-    qemu_irq esp_reset;
+    qemu_irq esp_reset, dma_enable;
     qemu_irq fdc_tc;
     qemu_irq *cpu_halt;
     unsigned long kernel_size;
@@ -930,11 +930,12 @@ static void sun4m_hw_init(const struct sun4m_hwdef *hwdef, ram_addr_t RAM_size,
         exit(1);
     }
 
-    esp_reset = qdev_get_gpio_in(espdma, 0);
     esp_init(hwdef->esp_base, 2,
              espdma_memory_read, espdma_memory_write,
-             espdma, espdma_irq, &esp_reset);
+             espdma, espdma_irq, &esp_reset, &dma_enable);
 
+    qdev_connect_gpio_out(espdma, 0, esp_reset);
+    qdev_connect_gpio_out(espdma, 1, dma_enable);
 
     if (hwdef->cs_base) {
         sysbus_create_simple("SUNW,CS4231", hwdef->cs_base,
@@ -1494,7 +1495,7 @@ static void sun4d_hw_init(const struct sun4d_hwdef *hwdef, ram_addr_t RAM_size,
     void *iounits[MAX_IOUNITS], *espdma, *ledma, *nvram;
     qemu_irq *cpu_irqs[MAX_CPUS], sbi_irq[32], sbi_cpu_irq[MAX_CPUS],
         espdma_irq, ledma_irq;
-    qemu_irq esp_reset;
+    qemu_irq esp_reset, dma_enable;
     unsigned long kernel_size;
     void *fw_cfg;
     DeviceState *dev;
@@ -1561,10 +1562,12 @@ static void sun4d_hw_init(const struct sun4d_hwdef *hwdef, ram_addr_t RAM_size,
         exit(1);
     }
 
-    esp_reset = qdev_get_gpio_in(espdma, 0);
     esp_init(hwdef->esp_base, 2,
              espdma_memory_read, espdma_memory_write,
-             espdma, espdma_irq, &esp_reset);
+             espdma, espdma_irq, &esp_reset, &dma_enable);
+
+    qdev_connect_gpio_out(espdma, 0, esp_reset);
+    qdev_connect_gpio_out(espdma, 1, dma_enable);
 
     kernel_size = sun4m_load_kernel(kernel_filename, initrd_filename,
                                     RAM_size);
@@ -1683,7 +1686,7 @@ static void sun4c_hw_init(const struct sun4c_hwdef *hwdef, ram_addr_t RAM_size,
 {
     void *iommu, *espdma, *ledma, *nvram;
     qemu_irq *cpu_irqs, slavio_irq[8], espdma_irq, ledma_irq;
-    qemu_irq esp_reset;
+    qemu_irq esp_reset, dma_enable;
     qemu_irq fdc_tc;
     unsigned long kernel_size;
     DriveInfo *fd[MAX_FD];
@@ -1751,10 +1754,12 @@ static void sun4c_hw_init(const struct sun4c_hwdef *hwdef, ram_addr_t RAM_size,
         exit(1);
     }
 
-    esp_reset = qdev_get_gpio_in(espdma, 0);
     esp_init(hwdef->esp_base, 2,
              espdma_memory_read, espdma_memory_write,
-             espdma, espdma_irq, &esp_reset);
+             espdma, espdma_irq, &esp_reset, &dma_enable);
+
+    qdev_connect_gpio_out(espdma, 0, esp_reset);
+    qdev_connect_gpio_out(espdma, 1, dma_enable);
 
     kernel_size = sun4m_load_kernel(kernel_filename, initrd_filename,
                                     RAM_size);
commit 24e0e38b83616ee7b540a270d8c4f24edf94f802
Author: Edgar E. Iglesias <edgar.iglesias at gmail.com>
Date:   Sat Sep 11 14:29:07 2010 +0200

    powerpc: Avoid TLB related log spamming
    
    Invalid TLB entries are normal and should not spam the log.
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at gmail.com>

diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index d342b09..a7ec1f4 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -1050,7 +1050,6 @@ static inline int ppcemb_tlb_check(CPUState *env, ppcemb_tlb_t *tlb,
 
     /* Check valid flag */
     if (!(tlb->prot & PAGE_VALID)) {
-        qemu_log("%s: TLB %d not valid\n", __func__, i);
         return -1;
     }
     mask = ~(tlb->size - 1);
commit 2184d75b4a6a253e8b1e002b3dbcc85c20ba6041
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Sep 11 10:43:39 2010 +0000

    trace: fix a regex portability problem
    
    The /bin/sh in Milax has problems with the regex:
    Error: invalid trace backend
    Please choose a supported trace backend.
    
    Fix it by escaping ')' like the regexes with '('.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/tracetool b/tracetool
index b74b630..534cc70 100755
--- a/tracetool
+++ b/tracetool
@@ -39,7 +39,7 @@ get_args()
 {
     local args
     args=${1#*\(}
-    args=${args%)*}
+    args=${args%\)*}
     echo "$args"
 }
 
commit dda8521197fa4b5e5bfdd932da54e2567fcff94e
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Sep 10 23:54:56 2010 +0300

    trace: fix a typo
    
    There is no qemu_valloc() but qemu_vmalloc().
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/trace-events b/trace-events
index c5fa0aa..f32c83f 100644
--- a/trace-events
+++ b/trace-events
@@ -35,7 +35,7 @@ disable qemu_free(void *ptr) "ptr %p"
 
 # osdep.c
 disable qemu_memalign(size_t alignment, size_t size, void *ptr) "alignment %zu size %zu ptr %p"
-disable qemu_valloc(size_t size, void *ptr) "size %zu ptr %p"
+disable qemu_vmalloc(size_t size, void *ptr) "size %zu ptr %p"
 disable qemu_vfree(void *ptr) "ptr %p"
 
 # hw/virtio.c
commit 876f256bde4ff5263b435412d698ed15cad584d9
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Sep 10 18:53:11 2010 +0000

    HACKING: add rules for printf-like functions
    
    Add rules for printf-like functions, based on libvirt HACKING.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/HACKING b/HACKING
index 3ad87aa..6ba9d7e 100644
--- a/HACKING
+++ b/HACKING
@@ -110,3 +110,16 @@ so instead of e.g. isalnum you should use qemu_isalnum.
 
 Because of the memory management rules, you must use qemu_strdup/qemu_strndup
 instead of plain strdup/strndup.
+
+5. Printf-style functions
+
+Whenever you add a new printf-style function, i.e., one with a format
+string argument and following "..." in its prototype, be sure to use
+gcc's printf attribute directive in the prototype.
+
+This makes it so gcc's -Wformat and -Wformat-security options can do
+their jobs and cross-check format strings with the number and types
+of arguments.
+
+Currently many functions in QEMU are not following this rule but
+patches to add the attribute would be very much appreciated.
commit d241f143c95861f46f7b75de96a8a3276517a14f
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Sep 10 18:53:05 2010 +0000

    HACKING: add string management rules
    
    Add string management rules, somewhat like libvirt HACKING.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/HACKING b/HACKING
index da0c1e8..3ad87aa 100644
--- a/HACKING
+++ b/HACKING
@@ -86,3 +86,27 @@ that qemu_malloc() call with zero size is not allowed.
 Memory allocated by qemu_vmalloc or qemu_memalign must be freed with
 qemu_vfree, since breaking this will cause problems on Win32 and user
 emulators.
+
+4. String manipulation
+
+Do not use the strncpy function.  According to the man page, it does
+*not* guarantee a NULL-terminated buffer, which makes it extremely dangerous
+to use.  Instead, use functionally equivalent function:
+void pstrcpy(char *buf, int buf_size, const char *str)
+
+Don't use strcat because it can't check for buffer overflows, but:
+char *pstrcat(char *buf, int buf_size, const char *s)
+
+The same limitation exists with sprintf and vsprintf, so use snprintf and
+vsnprintf.
+
+QEMU provides other useful string functions:
+int strstart(const char *str, const char *val, const char **ptr)
+int stristart(const char *str, const char *val, const char **ptr)
+int qemu_strnlen(const char *s, int max_len)
+
+There are also replacement character processing macros for isxyz and toxyz,
+so instead of e.g. isalnum you should use qemu_isalnum.
+
+Because of the memory management rules, you must use qemu_strdup/qemu_strndup
+instead of plain strdup/strndup.
commit 54b2cc50307097e903579a3fb61855c889c78ee9
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Sep 10 18:52:52 2010 +0000

    HACKING: add memory management rules
    
    Add memory management rules, somewhat like libvirt HACKING.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/HACKING b/HACKING
index 0c8fad5..da0c1e8 100644
--- a/HACKING
+++ b/HACKING
@@ -72,3 +72,17 @@ Typedefs are used to eliminate the redundant 'struct' keyword.
 2.4. Reserved namespaces in C and POSIX
 Underscore capital, double underscore, and underscore 't' suffixes should be
 avoided.
+
+3. Low level memory management
+
+Use of the malloc/free/realloc/calloc/valloc/memalign/posix_memalign
+APIs is not allowed in the QEMU codebase. Instead of these routines,
+use the replacement qemu_malloc/qemu_mallocz/qemu_realloc/qemu_free or
+qemu_vmalloc/qemu_memalign/qemu_vfree APIs.
+
+Please note that NULL check for the qemu_malloc result is redundant and
+that qemu_malloc() call with zero size is not allowed.
+
+Memory allocated by qemu_vmalloc or qemu_memalign must be freed with
+qemu_vfree, since breaking this will cause problems on Win32 and user
+emulators.
commit 84174436a6cd948c3bac22bc02df5d2404ff641d
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Sep 10 18:47:31 2010 +0000

    HACKING: add C type rules
    
    Add C type rules, adapted from libvirt HACKING. Also include
    a description of special QEMU scalar types.
    
    Move typedef rule from CODING_STYLE rule 3 to HACKING rule 6
    where it belongs.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/CODING_STYLE b/CODING_STYLE
index 92036f3..2c8268d 100644
--- a/CODING_STYLE
+++ b/CODING_STYLE
@@ -46,9 +46,6 @@ names are lower_case_with_underscores_ending_with_a_t, like the POSIX
 uint64_t and family.  Note that this last convention contradicts POSIX
 and is therefore likely to be changed.
 
-Typedefs are used to eliminate the redundant 'struct' keyword.  It is the
-QEMU coding style.
-
 When wrapping standard library functions, use the prefix qemu_ to alert
 readers that they are seeing a wrapped version; otherwise avoid this prefix.
 
diff --git a/HACKING b/HACKING
index 4211d15..0c8fad5 100644
--- a/HACKING
+++ b/HACKING
@@ -4,3 +4,71 @@ For variadic macros, stick with this C99-like syntax:
 
 #define DPRINTF(fmt, ...)                                       \
     do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0)
+
+2. C types
+
+It should be common sense to use the right type, but we have collected
+a few useful guidelines here.
+
+2.1. Scalars
+
+If you're using "int" or "long", odds are good that there's a better type.
+If a variable is counting something, it should be declared with an
+unsigned type.
+
+If it's host memory-size related, size_t should be a good choice (use
+ssize_t only if required). Guest RAM memory offsets must use ram_addr_t,
+but only for RAM, it may not cover whole guest address space.
+
+If it's file-size related, use off_t.
+If it's file-offset related (i.e., signed), use off_t.
+If it's just counting small numbers use "unsigned int";
+(on all but oddball embedded systems, you can assume that that
+type is at least four bytes wide).
+
+In the event that you require a specific width, use a standard type
+like int32_t, uint32_t, uint64_t, etc.  The specific types are
+mandatory for VMState fields.
+
+Don't use Linux kernel internal types like u32, __u32 or __le32.
+
+Use target_phys_addr_t for guest physical addresses except pcibus_t
+for PCI addresses.  In addition, ram_addr_t is a QEMU internal address
+space that maps guest RAM physical addresses into an intermediate
+address space that can map to host virtual address spaces.  Generally
+speaking, the size of guest memory can always fit into ram_addr_t but
+it would not be correct to store an actual guest physical address in a
+ram_addr_t.
+
+Use target_ulong (or abi_ulong) for CPU virtual addresses, however
+devices should not need to use target_ulong.
+
+Of course, take all of the above with a grain of salt.  If you're about
+to use some system interface that requires a type like size_t, pid_t or
+off_t, use matching types for any corresponding variables.
+
+Also, if you try to use e.g., "unsigned int" as a type, and that
+conflicts with the signedness of a related variable, sometimes
+it's best just to use the *wrong* type, if "pulling the thread"
+and fixing all related variables would be too invasive.
+
+Finally, while using descriptive types is important, be careful not to
+go overboard.  If whatever you're doing causes warnings, or requires
+casts, then reconsider or ask for help.
+
+2.2. Pointers
+
+Ensure that all of your pointers are "const-correct".
+Unless a pointer is used to modify the pointed-to storage,
+give it the "const" attribute.  That way, the reader knows
+up-front that this is a read-only pointer.  Perhaps more
+importantly, if we're diligent about this, when you see a non-const
+pointer, you're guaranteed that it is used to modify the storage
+it points to, or it is aliased to another pointer that is.
+
+2.3. Typedefs
+Typedefs are used to eliminate the redundant 'struct' keyword.
+
+2.4. Reserved namespaces in C and POSIX
+Underscore capital, double underscore, and underscore 't' suffixes should be
+avoided.
commit 45fad878d7fd2e7bff78e677c34ca59fe24b7e94
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Fri Sep 10 18:46:00 2010 +0000

    HACKING: add preprocessor rules
    
    Add a new file, HACKING, in order to collect recurring
    issues with submitted patches.
    
    Start with preprocessor rules, adapted from libvirt HACKING.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/HACKING b/HACKING
new file mode 100644
index 0000000..4211d15
--- /dev/null
+++ b/HACKING
@@ -0,0 +1,6 @@
+1. Preprocessor
+
+For variadic macros, stick with this C99-like syntax:
+
+#define DPRINTF(fmt, ...)                                       \
+    do { printf("IRQ: " fmt, ## __VA_ARGS__); } while (0)
commit 9f810beb5c692949a69707c72b61d8a473ed834e
Author: Andrzej Zaborowski <balrog at zabor.org>
Date:   Fri Sep 10 02:30:04 2010 +0200

    vmware_vga: Replace the few tab-indents with spaces (clean-up).
    
    Use 4 spaces instead of 2, too.

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index b3c0a82..3d25c14 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -622,9 +622,9 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             cursor.bpp = vmsvga_fifo_read(s);
 
             args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
-	    if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
-		SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image)
-		    goto badcmd;
+            if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+                SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image)
+                    goto badcmd;
 
             len -= args;
             if (len < 0)
@@ -857,11 +857,11 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
         s->invalidated = 1;
         s->vga.invalidate(&s->vga);
         if (s->enable) {
-	  s->fb_size = ((s->depth + 7) >> 3) * s->new_width * s->new_height;
-	  vga_dirty_log_stop(&s->vga);
-	} else {
-	  vga_dirty_log_start(&s->vga);
-	}
+            s->fb_size = ((s->depth + 7) >> 3) * s->new_width * s->new_height;
+            vga_dirty_log_stop(&s->vga);
+        } else {
+            vga_dirty_log_start(&s->vga);
+        }
         break;
 
     case SVGA_REG_WIDTH:
@@ -1303,7 +1303,7 @@ static int pci_vmsvga_initfn(PCIDevice *dev)
                     PCI_BASE_ADDRESS_MEM_PREFETCH, pci_vmsvga_map_mem);
 
     pci_register_bar(&s->card, 2, SVGA_FIFO_SIZE,
-		     PCI_BASE_ADDRESS_MEM_PREFETCH, pci_vmsvga_map_fifo);
+                    PCI_BASE_ADDRESS_MEM_PREFETCH, pci_vmsvga_map_fifo);
 
     vmsvga_init(&s->chip, VGA_RAM_SIZE);
 
commit 4dedc07ffbbc66002e0fd2b97d5516fe6aca5eea
Author: Andrzej Zaborowski <balrog at zabor.org>
Date:   Fri Sep 10 02:23:31 2010 +0200

    vmware_vga: Add checks to deal with non-atomic fifo writes.
    
    Janne Huttunen noticed that the FIFO end pointer is updated by the
    guest after writing each word to the FIFO, at least the X.org driver
    which is open does this.  This means that there's no way for the
    host to know if the guest is in the middle a write operation.  Qemu
    thus needs to read the beginning of the command up to when it's able
    to tell how many words are expected for the given command.  It will
    abort reading and rewind the FIFO if there aren't enough words yet,
    this should be relatively rare but it is suspected to have been the
    cause of the occasional FIFO overrun that killed the display.

diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 12bff48..b3c0a82 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -519,11 +519,15 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
 
 #define CMD(f)	le32_to_cpu(s->cmd->f)
 
-static inline int vmsvga_fifo_empty(struct vmsvga_state_s *s)
+static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
 {
+    int num;
     if (!s->config || !s->enable)
-        return 1;
-    return (s->cmd->next_cmd == s->cmd->stop);
+        return 0;
+    num = CMD(next_cmd) - CMD(stop);
+    if (num < 0)
+        num += CMD(max) - CMD(min);
+    return num >> 2;
 }
 
 static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
@@ -543,13 +547,23 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
 static void vmsvga_fifo_run(struct vmsvga_state_s *s)
 {
     uint32_t cmd, colour;
-    int args = 0;
+    int args, len;
     int x, y, dx, dy, width, height;
     struct vmsvga_cursor_definition_s cursor;
-    while (!vmsvga_fifo_empty(s))
+    uint32_t cmd_start;
+
+    len = vmsvga_fifo_length(s);
+    while (len > 0) {
+        /* May need to go back to the start of the command if incomplete */
+        cmd_start = s->cmd->stop;
+
         switch (cmd = vmsvga_fifo_read(s)) {
         case SVGA_CMD_UPDATE:
         case SVGA_CMD_UPDATE_VERBOSE:
+            len -= 5;
+            if (len < 0)
+                goto rewind;
+
             x = vmsvga_fifo_read(s);
             y = vmsvga_fifo_read(s);
             width = vmsvga_fifo_read(s);
@@ -558,6 +572,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             break;
 
         case SVGA_CMD_RECT_FILL:
+            len -= 6;
+            if (len < 0)
+                goto rewind;
+
             colour = vmsvga_fifo_read(s);
             x = vmsvga_fifo_read(s);
             y = vmsvga_fifo_read(s);
@@ -567,10 +585,15 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             vmsvga_fill_rect(s, colour, x, y, width, height);
             break;
 #else
+            args = 0;
             goto badcmd;
 #endif
 
         case SVGA_CMD_RECT_COPY:
+            len -= 7;
+            if (len < 0)
+                goto rewind;
+
             x = vmsvga_fifo_read(s);
             y = vmsvga_fifo_read(s);
             dx = vmsvga_fifo_read(s);
@@ -581,10 +604,15 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             vmsvga_copy_rect(s, x, y, dx, dy, width, height);
             break;
 #else
+            args = 0;
             goto badcmd;
 #endif
 
         case SVGA_CMD_DEFINE_CURSOR:
+            len -= 8;
+            if (len < 0)
+                goto rewind;
+
             cursor.id = vmsvga_fifo_read(s);
             cursor.hot_x = vmsvga_fifo_read(s);
             cursor.hot_y = vmsvga_fifo_read(s);
@@ -593,11 +621,14 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             vmsvga_fifo_read(s);
             cursor.bpp = vmsvga_fifo_read(s);
 
+            args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
 	    if (SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
-		SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
-		    args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
+		SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image)
 		    goto badcmd;
-	    }
+
+            len -= args;
+            if (len < 0)
+                goto rewind;
 
             for (args = 0; args < SVGA_BITMAP_SIZE(x, y); args ++)
                 cursor.mask[args] = vmsvga_fifo_read_raw(s);
@@ -616,6 +647,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
          * for so we can avoid FIFO desync if driver uses them illegally.
          */
         case SVGA_CMD_DEFINE_ALPHA_CURSOR:
+            len -= 6;
+            if (len < 0)
+                goto rewind;
+
             vmsvga_fifo_read(s);
             vmsvga_fifo_read(s);
             vmsvga_fifo_read(s);
@@ -630,6 +665,10 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             args = 7;
             goto badcmd;
         case SVGA_CMD_DRAW_GLYPH_CLIPPED:
+            len -= 4;
+            if (len < 0)
+                goto rewind;
+
             vmsvga_fifo_read(s);
             vmsvga_fifo_read(s);
             args = 7 + (vmsvga_fifo_read(s) >> 2);
@@ -650,13 +689,22 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
             break; /* Nop */
 
         default:
+            args = 0;
         badcmd:
+            len -= args;
+            if (len < 0)
+                goto rewind;
             while (args --)
                 vmsvga_fifo_read(s);
             printf("%s: Unknown command 0x%02x in SVGA command FIFO\n",
                             __FUNCTION__, cmd);
             break;
+
+        rewind:
+            s->cmd->stop = cmd_start;
+            break;
         }
+    }
 
     s->syncing = 0;
 }
commit 6a8aabd3c132188ee8e0e82ef4aba09f782cbe96
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Sun Aug 8 14:09:26 2010 +0200

    hw/omap: Fix default setup for OMAP UART devices
    
    Character devices created by qemu_chr_open don't
    allow duplicate device names, so naming all
    UART devices "null" no longer works.
    
    Running "qemu-system-arm -M n800" (and some other machines)
    results in this error message:
    
    	qemu-system-arm: Duplicate ID 'null' for chardev
    	Can't create serial device, empty char device
    
    This is fixed by setting a default label "uart1",
    "uart2" or "uart3".
    
    Cc: Andrzej Zaborowski <andrew.zaborowski at intel.com>
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>

diff --git a/hw/omap.h b/hw/omap.h
index 18eb72b..fe32ca5 100644
--- a/hw/omap.h
+++ b/hw/omap.h
@@ -664,10 +664,12 @@ void omap_synctimer_reset(struct omap_synctimer_s *s);
 struct omap_uart_s;
 struct omap_uart_s *omap_uart_init(target_phys_addr_t base,
                 qemu_irq irq, omap_clk fclk, omap_clk iclk,
-                qemu_irq txdma, qemu_irq rxdma, CharDriverState *chr);
+                qemu_irq txdma, qemu_irq rxdma,
+                const char *label, CharDriverState *chr);
 struct omap_uart_s *omap2_uart_init(struct omap_target_agent_s *ta,
                 qemu_irq irq, omap_clk fclk, omap_clk iclk,
-                qemu_irq txdma, qemu_irq rxdma, CharDriverState *chr);
+                qemu_irq txdma, qemu_irq rxdma,
+                const char *label, CharDriverState *chr);
 void omap_uart_reset(struct omap_uart_s *s);
 void omap_uart_attach(struct omap_uart_s *s, CharDriverState *chr);
 
diff --git a/hw/omap1.c b/hw/omap1.c
index 06370b6..1ee5514 100644
--- a/hw/omap1.c
+++ b/hw/omap1.c
@@ -3809,16 +3809,19 @@ struct omap_mpu_state_s *omap310_mpu_init(unsigned long sdram_size,
                     omap_findclk(s, "uart1_ck"),
                     omap_findclk(s, "uart1_ck"),
                     s->drq[OMAP_DMA_UART1_TX], s->drq[OMAP_DMA_UART1_RX],
+                    "uart1",
                     serial_hds[0]);
     s->uart[1] = omap_uart_init(0xfffb0800, s->irq[1][OMAP_INT_UART2],
                     omap_findclk(s, "uart2_ck"),
                     omap_findclk(s, "uart2_ck"),
                     s->drq[OMAP_DMA_UART2_TX], s->drq[OMAP_DMA_UART2_RX],
+                    "uart2",
                     serial_hds[0] ? serial_hds[1] : NULL);
     s->uart[2] = omap_uart_init(0xfffb9800, s->irq[0][OMAP_INT_UART3],
                     omap_findclk(s, "uart3_ck"),
                     omap_findclk(s, "uart3_ck"),
                     s->drq[OMAP_DMA_UART3_TX], s->drq[OMAP_DMA_UART3_RX],
+                    "uart3",
                     serial_hds[0] && serial_hds[1] ? serial_hds[2] : NULL);
 
     omap_dpll_init(&s->dpll[0], 0xfffecf00, omap_findclk(s, "dpll1"));
diff --git a/hw/omap2.c b/hw/omap2.c
index 179075e..e35a56e 100644
--- a/hw/omap2.c
+++ b/hw/omap2.c
@@ -2291,13 +2291,16 @@ struct omap_mpu_state_s *omap2420_mpu_init(unsigned long sdram_size,
                     omap_findclk(s, "uart1_fclk"),
                     omap_findclk(s, "uart1_iclk"),
                     s->drq[OMAP24XX_DMA_UART1_TX],
-                    s->drq[OMAP24XX_DMA_UART1_RX], serial_hds[0]);
+                    s->drq[OMAP24XX_DMA_UART1_RX],
+                    "uart1",
+                    serial_hds[0]);
     s->uart[1] = omap2_uart_init(omap_l4ta(s->l4, 20),
                     s->irq[0][OMAP_INT_24XX_UART2_IRQ],
                     omap_findclk(s, "uart2_fclk"),
                     omap_findclk(s, "uart2_iclk"),
                     s->drq[OMAP24XX_DMA_UART2_TX],
                     s->drq[OMAP24XX_DMA_UART2_RX],
+                    "uart2",
                     serial_hds[0] ? serial_hds[1] : NULL);
     s->uart[2] = omap2_uart_init(omap_l4ta(s->l4, 21),
                     s->irq[0][OMAP_INT_24XX_UART3_IRQ],
@@ -2305,6 +2308,7 @@ struct omap_mpu_state_s *omap2420_mpu_init(unsigned long sdram_size,
                     omap_findclk(s, "uart3_iclk"),
                     s->drq[OMAP24XX_DMA_UART3_TX],
                     s->drq[OMAP24XX_DMA_UART3_RX],
+                    "uart3",
                     serial_hds[0] && serial_hds[1] ? serial_hds[2] : NULL);
 
     s->gptimer[0] = omap_gp_timer_init(omap_l4ta(s->l4, 7),
diff --git a/hw/omap_uart.c b/hw/omap_uart.c
index 395bf0c..cc66cd9 100644
--- a/hw/omap_uart.c
+++ b/hw/omap_uart.c
@@ -51,7 +51,8 @@ void omap_uart_reset(struct omap_uart_s *s)
 
 struct omap_uart_s *omap_uart_init(target_phys_addr_t base,
                 qemu_irq irq, omap_clk fclk, omap_clk iclk,
-                qemu_irq txdma, qemu_irq rxdma, CharDriverState *chr)
+                qemu_irq txdma, qemu_irq rxdma,
+                const char *label, CharDriverState *chr)
 {
     struct omap_uart_s *s = (struct omap_uart_s *)
             qemu_mallocz(sizeof(struct omap_uart_s));
@@ -61,11 +62,11 @@ struct omap_uart_s *omap_uart_init(target_phys_addr_t base,
     s->irq = irq;
 #ifdef TARGET_WORDS_BIGENDIAN
     s->serial = serial_mm_init(base, 2, irq, omap_clk_getrate(fclk)/16,
-                               chr ?: qemu_chr_open("null", "null", NULL), 1,
+                               chr ?: qemu_chr_open(label, "null", NULL), 1,
                                1);
 #else
     s->serial = serial_mm_init(base, 2, irq, omap_clk_getrate(fclk)/16,
-                               chr ?: qemu_chr_open("null", "null", NULL), 1,
+                               chr ?: qemu_chr_open(label, "null", NULL), 1,
                                0);
 #endif
     return s;
@@ -162,11 +163,12 @@ static CPUWriteMemoryFunc * const omap_uart_writefn[] = {
 
 struct omap_uart_s *omap2_uart_init(struct omap_target_agent_s *ta,
                 qemu_irq irq, omap_clk fclk, omap_clk iclk,
-                qemu_irq txdma, qemu_irq rxdma, CharDriverState *chr)
+                qemu_irq txdma, qemu_irq rxdma,
+                const char *label, CharDriverState *chr)
 {
     target_phys_addr_t base = omap_l4_attach(ta, 0, 0);
     struct omap_uart_s *s = omap_uart_init(base, irq,
-                    fclk, iclk, txdma, rxdma, chr);
+                    fclk, iclk, txdma, rxdma, label, chr);
     int iomemtype = cpu_register_io_memory(omap_uart_readfn,
                     omap_uart_writefn, s);
 
commit 62dd89dea25b08796fcb83beeac3aea5f5a89c95
Author: Prerna Saxena <prerna at linux.vnet.ibm.com>
Date:   Wed Aug 11 17:16:03 2010 +0530

    trace: Trace entry point of balloon request handler
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/balloon.c b/balloon.c
index 8e0b7f1..0021fef 100644
--- a/balloon.c
+++ b/balloon.c
@@ -29,6 +29,7 @@
 #include "cpu-common.h"
 #include "kvm.h"
 #include "balloon.h"
+#include "trace.h"
 
 
 static QEMUBalloonEvent *qemu_balloon_event;
@@ -43,6 +44,7 @@ void qemu_add_balloon_handler(QEMUBalloonEvent *func, void *opaque)
 int qemu_balloon(ram_addr_t target, MonitorCompletion cb, void *opaque)
 {
     if (qemu_balloon_event) {
+        trace_balloon_event(qemu_balloon_event_opaque, target);
         qemu_balloon_event(qemu_balloon_event_opaque, target, cb, opaque);
         return 1;
     } else {
diff --git a/trace-events b/trace-events
index b2c7f10..c5fa0aa 100644
--- a/trace-events
+++ b/trace-events
@@ -63,3 +63,7 @@ disable paio_submit(void *acb, void *opaque, unsigned long sector_num, unsigned
 # ioport.c
 disable cpu_in(unsigned int addr, unsigned int val) "addr %#x value %u"
 disable cpu_out(unsigned int addr, unsigned int val) "addr %#x value %u"
+
+# balloon.c
+# Since requests are raised via monitor, not many tracepoints are needed.
+disable balloon_event(void *opaque, unsigned long addr) "opaque %p addr %lu"
commit bd3c9aa5319ba2656a0dd8faae2c68b7feb39d1c
Author: Prerna Saxena <prerna at linux.vnet.ibm.com>
Date:   Wed Aug 11 17:15:11 2010 +0530

    trace: Trace port IO
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/ioport.c b/ioport.c
index 53dd87a..ec3dc65 100644
--- a/ioport.c
+++ b/ioport.c
@@ -26,6 +26,7 @@
  */
 
 #include "ioport.h"
+#include "trace.h"
 
 /***********************************************************/
 /* IO Port */
@@ -195,18 +196,21 @@ void isa_unassign_ioport(pio_addr_t start, int length)
 void cpu_outb(pio_addr_t addr, uint8_t val)
 {
     LOG_IOPORT("outb: %04"FMT_pioaddr" %02"PRIx8"\n", addr, val);
+    trace_cpu_out(addr, val);
     ioport_write(0, addr, val);
 }
 
 void cpu_outw(pio_addr_t addr, uint16_t val)
 {
     LOG_IOPORT("outw: %04"FMT_pioaddr" %04"PRIx16"\n", addr, val);
+    trace_cpu_out(addr, val);
     ioport_write(1, addr, val);
 }
 
 void cpu_outl(pio_addr_t addr, uint32_t val)
 {
     LOG_IOPORT("outl: %04"FMT_pioaddr" %08"PRIx32"\n", addr, val);
+    trace_cpu_out(addr, val);
     ioport_write(2, addr, val);
 }
 
@@ -214,6 +218,7 @@ uint8_t cpu_inb(pio_addr_t addr)
 {
     uint8_t val;
     val = ioport_read(0, addr);
+    trace_cpu_in(addr, val);
     LOG_IOPORT("inb : %04"FMT_pioaddr" %02"PRIx8"\n", addr, val);
     return val;
 }
@@ -222,6 +227,7 @@ uint16_t cpu_inw(pio_addr_t addr)
 {
     uint16_t val;
     val = ioport_read(1, addr);
+    trace_cpu_in(addr, val);
     LOG_IOPORT("inw : %04"FMT_pioaddr" %04"PRIx16"\n", addr, val);
     return val;
 }
@@ -230,6 +236,7 @@ uint32_t cpu_inl(pio_addr_t addr)
 {
     uint32_t val;
     val = ioport_read(2, addr);
+    trace_cpu_in(addr, val);
     LOG_IOPORT("inl : %04"FMT_pioaddr" %08"PRIx32"\n", addr, val);
     return val;
 }
diff --git a/trace-events b/trace-events
index 29580a5..b2c7f10 100644
--- a/trace-events
+++ b/trace-events
@@ -59,3 +59,7 @@ disable virtio_blk_handle_write(void *req, unsigned long sector, unsigned long n
 
 # posix-aio-compat.c
 disable paio_submit(void *acb, void *opaque, unsigned long sector_num, unsigned long nb_sectors, unsigned long type) "acb %p opaque %p sector_num %lu nb_sectors %lu type %lu"
+
+# ioport.c
+disable cpu_in(unsigned int addr, unsigned int val) "addr %#x value %u"
+disable cpu_out(unsigned int addr, unsigned int val) "addr %#x value %u"
commit 64979a4d611f0bd19031bbb9ecbd869e6d2ecb48
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon May 24 13:19:21 2010 +0100

    trace: Trace virtqueue operations
    
    This patch adds trace events for virtqueue operations including
    adding/removing buffers, notifying the guest, and receiving a notify
    from the guest.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index 85312b3..fbef788 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -13,6 +13,7 @@
 
 #include <inttypes.h>
 
+#include "trace.h"
 #include "virtio.h"
 #include "sysemu.h"
 
@@ -205,6 +206,8 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
     unsigned int offset;
     int i;
 
+    trace_virtqueue_fill(vq, elem, len, idx);
+
     offset = 0;
     for (i = 0; i < elem->in_num; i++) {
         size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
@@ -232,6 +235,7 @@ void virtqueue_flush(VirtQueue *vq, unsigned int count)
 {
     /* Make sure buffer is written before we update index. */
     wmb();
+    trace_virtqueue_flush(vq, count);
     vring_used_idx_increment(vq, count);
     vq->inuse -= count;
 }
@@ -432,6 +436,7 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 
     vq->inuse++;
 
+    trace_virtqueue_pop(vq, elem, elem->in_num, elem->out_num);
     return elem->in_num + elem->out_num;
 }
 
@@ -570,6 +575,7 @@ int virtio_queue_get_num(VirtIODevice *vdev, int n)
 void virtio_queue_notify(VirtIODevice *vdev, int n)
 {
     if (n < VIRTIO_PCI_QUEUE_MAX && vdev->vq[n].vring.desc) {
+        trace_virtio_queue_notify(vdev, n, &vdev->vq[n]);
         vdev->vq[n].handle_output(vdev, &vdev->vq[n]);
     }
 }
@@ -607,6 +613,7 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
 
 void virtio_irq(VirtQueue *vq)
 {
+    trace_virtio_irq(vq);
     vq->vdev->isr |= 0x01;
     virtio_notify_vector(vq->vdev, vq->vector);
 }
@@ -619,6 +626,7 @@ void virtio_notify(VirtIODevice *vdev, VirtQueue *vq)
          (vq->inuse || vring_avail_idx(vq) != vq->last_avail_idx)))
         return;
 
+    trace_virtio_notify(vdev, vq);
     vdev->isr |= 0x01;
     virtio_notify_vector(vdev, vq->vector);
 }
diff --git a/trace-events b/trace-events
index de6479e..29580a5 100644
--- a/trace-events
+++ b/trace-events
@@ -38,6 +38,14 @@ disable qemu_memalign(size_t alignment, size_t size, void *ptr) "alignment %zu s
 disable qemu_valloc(size_t size, void *ptr) "size %zu ptr %p"
 disable qemu_vfree(void *ptr) "ptr %p"
 
+# hw/virtio.c
+disable virtqueue_fill(void *vq, const void *elem, unsigned int len, unsigned int idx) "vq %p elem %p len %u idx %u"
+disable virtqueue_flush(void *vq, unsigned int count) "vq %p count %u"
+disable virtqueue_pop(void *vq, void *elem, unsigned int in_num, unsigned int out_num) "vq %p elem %p in_num %u out_num %u"
+disable virtio_queue_notify(void *vdev, int n, void *vq) "vdev %p n %d vq %p"
+disable virtio_irq(void *vq) "vq %p"
+disable virtio_notify(void *vdev, void *vq) "vdev %p vq %p"
+
 # block.c
 disable multiwrite_cb(void *mcb, int ret) "mcb %p ret %d"
 disable bdrv_aio_multiwrite(void *mcb, int num_callbacks, int num_reqs) "mcb %p num_callbacks %d num_reqs %d"
commit 6d519a5f95960176039baf0af8799fa289915534
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Sat May 22 18:15:08 2010 +0100

    trace: Trace virtio-blk, multiwrite, and paio_submit
    
    This patch adds trace events that make it possible to observe
    virtio-blk.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/block.c b/block.c
index 66bba87..ebbc376 100644
--- a/block.c
+++ b/block.c
@@ -23,6 +23,7 @@
  */
 #include "config-host.h"
 #include "qemu-common.h"
+#include "trace.h"
 #include "monitor.h"
 #include "block_int.h"
 #include "module.h"
@@ -2063,6 +2064,8 @@ static void multiwrite_cb(void *opaque, int ret)
 {
     MultiwriteCB *mcb = opaque;
 
+    trace_multiwrite_cb(mcb, ret);
+
     if (ret < 0 && !mcb->error) {
         mcb->error = ret;
     }
@@ -2203,6 +2206,8 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs)
     // Check for mergable requests
     num_reqs = multiwrite_merge(bs, reqs, num_reqs, mcb);
 
+    trace_bdrv_aio_multiwrite(mcb, mcb->num_callbacks, num_reqs);
+
     /*
      * Run the aio requests. As soon as one request can't be submitted
      * successfully, fail all requests that are not yet submitted (we must
@@ -2224,6 +2229,7 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs)
      */
     mcb->num_requests = 1;
 
+    // Run the aio requests
     for (i = 0; i < num_reqs; i++) {
         mcb->num_requests++;
         acb = bdrv_aio_writev(bs, reqs[i].sector, reqs[i].qiov,
@@ -2234,8 +2240,10 @@ int bdrv_aio_multiwrite(BlockDriverState *bs, BlockRequest *reqs, int num_reqs)
             // submitted yet. Otherwise we'll wait for the submitted AIOs to
             // complete and report the error in the callback.
             if (i == 0) {
+                trace_bdrv_aio_multiwrite_earlyfail(mcb);
                 goto fail;
             } else {
+                trace_bdrv_aio_multiwrite_latefail(mcb, i);
                 multiwrite_cb(mcb, -EIO);
                 break;
             }
diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index 395eb9a..bd6bbe6 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -13,6 +13,7 @@
 
 #include <qemu-common.h>
 #include "qemu-error.h"
+#include "trace.h"
 #include "blockdev.h"
 #include "virtio-blk.h"
 #ifdef __linux__
@@ -52,6 +53,8 @@ static void virtio_blk_req_complete(VirtIOBlockReq *req, int status)
 {
     VirtIOBlock *s = req->dev;
 
+    trace_virtio_blk_req_complete(req, status);
+
     req->in->status = status;
     virtqueue_push(s->vq, &req->elem, req->qiov.size + sizeof(*req->in));
     virtio_notify(&s->vdev, s->vq);
@@ -88,6 +91,8 @@ static void virtio_blk_rw_complete(void *opaque, int ret)
 {
     VirtIOBlockReq *req = opaque;
 
+    trace_virtio_blk_rw_complete(req, ret);
+
     if (ret) {
         int is_read = !(req->out->type & VIRTIO_BLK_T_OUT);
         if (virtio_blk_handle_rw_error(req, -ret, is_read))
@@ -270,6 +275,8 @@ static void virtio_blk_handle_write(VirtIOBlockReq *req, MultiReqBuffer *mrb)
 {
     BlockRequest *blkreq;
 
+    trace_virtio_blk_handle_write(req, req->out->sector, req->qiov.size / 512);
+
     if (req->out->sector & req->dev->sector_mask) {
         virtio_blk_rw_complete(req, -EIO);
         return;
diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index efc5968..10f1f03 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -25,6 +25,7 @@
 #include "qemu-queue.h"
 #include "osdep.h"
 #include "qemu-common.h"
+#include "trace.h"
 #include "block_int.h"
 
 #include "block/raw-posix-aio.h"
@@ -583,6 +584,7 @@ BlockDriverAIOCB *paio_submit(BlockDriverState *bs, int fd,
     acb->next = posix_aio_state->first_aio;
     posix_aio_state->first_aio = acb;
 
+    trace_paio_submit(acb, opaque, sector_num, nb_sectors, type);
     qemu_paio_submit(acb);
     return &acb->common;
 }
diff --git a/trace-events b/trace-events
index d2f2bbc..de6479e 100644
--- a/trace-events
+++ b/trace-events
@@ -37,3 +37,17 @@ disable qemu_free(void *ptr) "ptr %p"
 disable qemu_memalign(size_t alignment, size_t size, void *ptr) "alignment %zu size %zu ptr %p"
 disable qemu_valloc(size_t size, void *ptr) "size %zu ptr %p"
 disable qemu_vfree(void *ptr) "ptr %p"
+
+# block.c
+disable multiwrite_cb(void *mcb, int ret) "mcb %p ret %d"
+disable bdrv_aio_multiwrite(void *mcb, int num_callbacks, int num_reqs) "mcb %p num_callbacks %d num_reqs %d"
+disable bdrv_aio_multiwrite_earlyfail(void *mcb) "mcb %p"
+disable bdrv_aio_multiwrite_latefail(void *mcb, int i) "mcb %p i %d"
+
+# hw/virtio-blk.c
+disable virtio_blk_req_complete(void *req, int status) "req %p status %d"
+disable virtio_blk_rw_complete(void *req, int ret) "req %p ret %d"
+disable virtio_blk_handle_write(void *req, unsigned long sector, unsigned long nsectors) "req %p sector %lu nsectors %lu"
+
+# posix-aio-compat.c
+disable paio_submit(void *acb, void *opaque, unsigned long sector_num, unsigned long nb_sectors, unsigned long type) "acb %p opaque %p sector_num %lu nb_sectors %lu type %lu"
commit cd245a19329edfcd968b00d05ad92de7a0e2daa1
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Sat May 22 18:09:25 2010 +0100

    trace: Trace qemu_malloc() and qemu_vmalloc()
    
    It is often useful to instrument memory management functions in order to
    find leaks or performance problems.  This patch adds trace events for
    the memory allocation primitives.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/osdep.c b/osdep.c
index dbf872a..30426ff 100644
--- a/osdep.c
+++ b/osdep.c
@@ -50,6 +50,7 @@
 #endif
 
 #include "qemu-common.h"
+#include "trace.h"
 #include "sysemu.h"
 #include "qemu_socket.h"
 
@@ -71,25 +72,34 @@ static void *oom_check(void *ptr)
 #if defined(_WIN32)
 void *qemu_memalign(size_t alignment, size_t size)
 {
+    void *ptr;
+
     if (!size) {
         abort();
     }
-    return oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    trace_qemu_memalign(alignment, size, ptr);
+    return ptr;
 }
 
 void *qemu_vmalloc(size_t size)
 {
+    void *ptr;
+
     /* FIXME: this is not exactly optimal solution since VirtualAlloc
        has 64Kb granularity, but at least it guarantees us that the
        memory is page aligned. */
     if (!size) {
         abort();
     }
-    return oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    ptr = oom_check(VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_READWRITE));
+    trace_qemu_vmalloc(size, ptr);
+    return ptr;
 }
 
 void qemu_vfree(void *ptr)
 {
+    trace_qemu_vfree(ptr);
     VirtualFree(ptr, 0, MEM_RELEASE);
 }
 
@@ -97,21 +107,22 @@ void qemu_vfree(void *ptr)
 
 void *qemu_memalign(size_t alignment, size_t size)
 {
+    void *ptr;
 #if defined(_POSIX_C_SOURCE) && !defined(__sun__)
     int ret;
-    void *ptr;
     ret = posix_memalign(&ptr, alignment, size);
     if (ret != 0) {
         fprintf(stderr, "Failed to allocate %zu B: %s\n",
                 size, strerror(ret));
         abort();
     }
-    return ptr;
 #elif defined(CONFIG_BSD)
-    return oom_check(valloc(size));
+    ptr = oom_check(valloc(size));
 #else
-    return oom_check(memalign(alignment, size));
+    ptr = oom_check(memalign(alignment, size));
 #endif
+    trace_qemu_memalign(alignment, size, ptr);
+    return ptr;
 }
 
 /* alloc shared memory pages */
@@ -122,6 +133,7 @@ void *qemu_vmalloc(size_t size)
 
 void qemu_vfree(void *ptr)
 {
+    trace_qemu_vfree(ptr);
     free(ptr);
 }
 
diff --git a/qemu-malloc.c b/qemu-malloc.c
index 36b0b36..ecffb67 100644
--- a/qemu-malloc.c
+++ b/qemu-malloc.c
@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 #include "qemu-common.h"
+#include "trace.h"
 #include <stdlib.h>
 
 static void *oom_check(void *ptr)
@@ -34,6 +35,7 @@ static void *oom_check(void *ptr)
 
 void qemu_free(void *ptr)
 {
+    trace_qemu_free(ptr);
     free(ptr);
 }
 
@@ -48,18 +50,24 @@ static int allow_zero_malloc(void)
 
 void *qemu_malloc(size_t size)
 {
+    void *ptr;
     if (!size && !allow_zero_malloc()) {
         abort();
     }
-    return oom_check(malloc(size ? size : 1));
+    ptr = oom_check(malloc(size ? size : 1));
+    trace_qemu_malloc(size, ptr);
+    return ptr;
 }
 
 void *qemu_realloc(void *ptr, size_t size)
 {
+    void *newptr;
     if (!size && !allow_zero_malloc()) {
         abort();
     }
-    return oom_check(realloc(ptr, size ? size : 1));
+    newptr = oom_check(realloc(ptr, size ? size : 1));
+    trace_qemu_realloc(ptr, size, newptr);
+    return newptr;
 }
 
 void *qemu_mallocz(size_t size)
diff --git a/trace-events b/trace-events
index 2a986ec..d2f2bbc 100644
--- a/trace-events
+++ b/trace-events
@@ -27,3 +27,13 @@
 # system may not have the necessary headers included.
 #
 # The <format-string> should be a sprintf()-compatible format string.
+
+# qemu-malloc.c
+disable qemu_malloc(size_t size, void *ptr) "size %zu ptr %p"
+disable qemu_realloc(void *ptr, size_t size, void *newptr) "ptr %p size %zu newptr %p"
+disable qemu_free(void *ptr) "ptr %p"
+
+# osdep.c
+disable qemu_memalign(size_t alignment, size_t size, void *ptr) "alignment %zu size %zu ptr %p"
+disable qemu_valloc(size_t size, void *ptr) "size %zu ptr %p"
+disable qemu_vfree(void *ptr) "ptr %p"
commit 22890ab5e825601f4c3d5a1a6b4197904e5d1fee
Author: Prerna Saxena <prerna at linux.vnet.ibm.com>
Date:   Thu Jun 24 17:04:53 2010 +0530

    trace: Support for dynamically enabling/disabling trace events
    
    This patch adds support for dynamically enabling/disabling of trace events.
    This is done by internally maintaining each trace event's state, and
    permitting logging of data from a trace event only if it is in an
    'active' state.
    
    Monitor commands added :
    1) info trace-events 		: to view all available trace events and
    				  their state.
    2) trace-event NAME on|off 	: to enable/disable data logging from a
    				  given trace event.
    				  Eg, trace-event paio_submit off
    				  	disables logging of data when
    					paio_submit is hit.
    
    By default, all trace-events are disabled. One can enable desired trace-events
    via the monitor.
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    
    trace: Monitor command 'info trace'
    
    Monitor command 'info trace' to display contents of trace buffer
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    
    trace: Remove monitor.h dependency from simpletrace
    
    User-mode targets don't have a monitor so the simple trace backend
    currently does not build on those targets.  This patch abstracts the
    monitor printing interface so there is no direct coupling between
    simpletrace and the monitor.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/configure b/configure
index 6729dbe..5afb3b5 100755
--- a/configure
+++ b/configure
@@ -2468,6 +2468,9 @@ bsd)
 esac
 
 echo "TRACE_BACKEND=$trace_backend" >> $config_host_mak
+if test "$trace_backend" = "simple"; then
+  echo "CONFIG_SIMPLE_TRACE=y" >> $config_host_mak
+fi
 echo "TOOLS=$tools" >> $config_host_mak
 echo "ROMS=$roms" >> $config_host_mak
 echo "MAKE=$make" >> $config_host_mak
diff --git a/monitor.c b/monitor.c
index e27f8d8..0e69bc8 100644
--- a/monitor.c
+++ b/monitor.c
@@ -56,6 +56,9 @@
 #include "json-parser.h"
 #include "osdep.h"
 #include "exec-all.h"
+#ifdef CONFIG_SIMPLE_TRACE
+#include "trace.h"
+#endif
 
 //#define DEBUG
 //#define DEBUG_COMPLETION
@@ -539,6 +542,15 @@ static void do_help_cmd(Monitor *mon, const QDict *qdict)
     help_cmd(mon, qdict_get_try_str(qdict, "name"));
 }
 
+#ifdef CONFIG_SIMPLE_TRACE
+static void do_change_trace_event_state(Monitor *mon, const QDict *qdict)
+{
+    const char *tp_name = qdict_get_str(qdict, "name");
+    bool new_state = qdict_get_bool(qdict, "option");
+    st_change_trace_event_state(tp_name, new_state);
+}
+#endif
+
 static void user_monitor_complete(void *opaque, QObject *ret_data)
 {
     MonitorCompletionData *data = (MonitorCompletionData *)opaque; 
@@ -938,6 +950,18 @@ static void do_info_cpu_stats(Monitor *mon)
 }
 #endif
 
+#if defined(CONFIG_SIMPLE_TRACE)
+static void do_info_trace(Monitor *mon)
+{
+    st_print_trace((FILE *)mon, &monitor_fprintf);
+}
+
+static void do_info_trace_events(Monitor *mon)
+{
+    st_print_trace_events((FILE *)mon, &monitor_fprintf);
+}
+#endif
+
 /**
  * do_quit(): Quit QEMU execution
  */
@@ -2594,6 +2618,22 @@ static const mon_cmd_t info_cmds[] = {
         .help       = "show roms",
         .mhandler.info = do_info_roms,
     },
+#if defined(CONFIG_SIMPLE_TRACE)
+    {
+        .name       = "trace",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show current contents of trace buffer",
+        .mhandler.info = do_info_trace,
+    },
+    {
+        .name       = "trace-events",
+        .args_type  = "",
+        .params     = "",
+        .help       = "show available trace-events & their state",
+        .mhandler.info = do_info_trace_events,
+    },
+#endif
     {
         .name       = NULL,
     },
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index 5c1da33..c264c7d 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -281,6 +281,22 @@ STEXI
 Output logs to @var{filename}.
 ETEXI
 
+#ifdef CONFIG_SIMPLE_TRACE
+    {
+        .name       = "trace-event",
+        .args_type  = "name:s,option:b",
+        .params     = "name on|off",
+        .help       = "changes status of a specific trace event",
+        .mhandler.cmd = do_change_trace_event_state,
+    },
+
+STEXI
+ at item trace-event
+ at findex trace-event
+changes status of a trace event
+ETEXI
+#endif
+
     {
         .name       = "log",
         .args_type  = "items:s",
@@ -2529,6 +2545,15 @@ show roms
 @end table
 ETEXI
 
+#ifdef CONFIG_SIMPLE_TRACE
+STEXI
+ at item info trace
+show contents of trace buffer
+ at item info trace-events
+show available trace events and their state
+ETEXI
+#endif
+
 HXCOMM DO NOT add new commands after 'info', move your addition before it!
 
 STEXI
diff --git a/simpletrace.c b/simpletrace.c
index 4777308..688959a 100644
--- a/simpletrace.c
+++ b/simpletrace.c
@@ -101,6 +101,10 @@ static void trace(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3,
      */
     clock_gettime(CLOCK_MONOTONIC, &ts);
 
+    if (!trace_list[event].state) {
+        return;
+    }
+
     rec->event = event;
     rec->timestamp_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
     rec->x1 = x1;
@@ -157,3 +161,50 @@ static void __attribute__((constructor)) st_init(void)
 {
     atexit(st_flush_trace_buffer);
 }
+
+void st_print_trace(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...))
+{
+    unsigned int i;
+
+    for (i = 0; i < trace_idx; i++) {
+        stream_printf(stream, "Event %lu : %lx %lx %lx %lx %lx\n",
+                      trace_buf[i].event, trace_buf[i].x1, trace_buf[i].x2,
+                      trace_buf[i].x3, trace_buf[i].x4, trace_buf[i].x5);
+    }
+}
+
+void st_print_trace_events(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...))
+{
+    unsigned int i;
+
+    for (i = 0; i < NR_TRACE_EVENTS; i++) {
+        stream_printf(stream, "%s [Event ID %u] : state %u\n",
+                      trace_list[i].tp_name, i, trace_list[i].state);
+    }
+}
+
+static TraceEvent* find_trace_event_by_name(const char *tname)
+{
+    unsigned int i;
+
+    if (!tname) {
+        return NULL;
+    }
+
+    for (i = 0; i < NR_TRACE_EVENTS; i++) {
+        if (!strcmp(trace_list[i].tp_name, tname)) {
+            return &trace_list[i];
+        }
+    }
+    return NULL; /* indicates end of list reached without a match */
+}
+
+void st_change_trace_event_state(const char *tname, bool tstate)
+{
+    TraceEvent *tp;
+
+    tp = find_trace_event_by_name(tname);
+    if (tp) {
+        tp->state = tstate;
+    }
+}
diff --git a/simpletrace.h b/simpletrace.h
index 7d0661b..b0161d1 100644
--- a/simpletrace.h
+++ b/simpletrace.h
@@ -12,9 +12,16 @@
 #define SIMPLETRACE_H
 
 #include <stdint.h>
+#include <stdbool.h>
+#include <stdio.h>
 
 typedef uint64_t TraceEventID;
 
+typedef struct {
+    const char *tp_name;
+    bool state;
+} TraceEvent;
+
 void trace0(TraceEventID event);
 void trace1(TraceEventID event, uint64_t x1);
 void trace2(TraceEventID event, uint64_t x1, uint64_t x2);
@@ -22,5 +29,8 @@ void trace3(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3);
 void trace4(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4);
 void trace5(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5);
 void trace6(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
+void st_print_trace(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
+void st_print_trace_events(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
+void st_change_trace_event_state(const char *tname, bool tstate);
 
 #endif /* SIMPLETRACE_H */
diff --git a/tracetool b/tracetool
index 19b1659..2e2e37d 100755
--- a/tracetool
+++ b/tracetool
@@ -169,22 +169,38 @@ EOF
 
 linetoh_end_simple()
 {
-    return
+    cat <<EOF
+#define NR_TRACE_EVENTS $simple_event_num
+extern TraceEvent trace_list[NR_TRACE_EVENTS];
+EOF
 }
 
 linetoc_begin_simple()
 {
-    return
+    cat <<EOF
+#include "trace.h"
+
+TraceEvent trace_list[] = {
+EOF
+    simple_event_num=0
+
 }
 
 linetoc_simple()
 {
-    return
+    local name
+    name=$(get_name "$1")
+    cat <<EOF
+{.tp_name = "$name", .state=0},
+EOF
+    simple_event_num=$((simple_event_num + 1))
 }
 
 linetoc_end_simple()
 {
-    return
+    cat <<EOF
+};
+EOF
 }
 
 # Process stdin by calling begin, line, and end functions for the backend
commit 81a97d9d9786f54c613efaee9950f037a9229f1f
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Jun 22 15:07:09 2010 +0100

    trace: Add user documentation
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/docs/tracing.txt b/docs/tracing.txt
new file mode 100644
index 0000000..ae01ff1
--- /dev/null
+++ b/docs/tracing.txt
@@ -0,0 +1,177 @@
+= Tracing =
+
+== Introduction ==
+
+This document describes the tracing infrastructure in QEMU and how to use it
+for debugging, profiling, and observing execution.
+
+== Quickstart ==
+
+1. Build with the 'simple' trace backend:
+
+    ./configure --trace-backend=simple
+    make
+
+2. Enable trace events you are interested in:
+
+    $EDITOR trace-events  # remove "disable" from events you want
+
+3. Run the virtual machine to produce a trace file:
+
+    qemu ... # your normal QEMU invocation
+
+4. Pretty-print the binary trace file:
+
+    ./simpletrace.py trace-events trace-*
+
+== Trace events ==
+
+There is a set of static trace events declared in the trace-events source
+file.  Each trace event declaration names the event, its arguments, and the
+format string which can be used for pretty-printing:
+
+    qemu_malloc(size_t size, void *ptr) "size %zu ptr %p"
+    qemu_free(void *ptr) "ptr %p"
+
+The trace-events file is processed by the tracetool script during build to
+generate code for the trace events.  Trace events are invoked directly from
+source code like this:
+
+    #include "trace.h"  /* needed for trace event prototype */
+
+    void *qemu_malloc(size_t size)
+    {
+        void *ptr;
+        if (!size && !allow_zero_malloc()) {
+            abort();
+        }
+        ptr = oom_check(malloc(size ? size : 1));
+        trace_qemu_malloc(size, ptr);  /* <-- trace event */
+        return ptr;
+    }
+
+=== Declaring trace events ===
+
+The tracetool script produces the trace.h header file which is included by
+every source file that uses trace events.  Since many source files include
+trace.h, it uses a minimum of types and other header files included to keep
+the namespace clean and compile times and dependencies down.
+
+Trace events should use types as follows:
+
+ * Use stdint.h types for fixed-size types.  Most offsets and guest memory
+   addresses are best represented with uint32_t or uint64_t.  Use fixed-size
+   types over primitive types whose size may change depending on the host
+   (32-bit versus 64-bit) so trace events don't truncate values or break
+   the build.
+
+ * Use void * for pointers to structs or for arrays.  The trace.h header
+   cannot include all user-defined struct declarations and it is therefore
+   necessary to use void * for pointers to structs.
+
+ * For everything else, use primitive scalar types (char, int, long) with the
+   appropriate signedness.
+
+=== Hints for adding new trace events ===
+
+1. Trace state changes in the code.  Interesting points in the code usually
+   involve a state change like starting, stopping, allocating, freeing.  State
+   changes are good trace events because they can be used to understand the
+   execution of the system.
+
+2. Trace guest operations.  Guest I/O accesses like reading device registers
+   are good trace events because they can be used to understand guest
+   interactions.
+
+3. Use correlator fields so the context of an individual line of trace output
+   can be understood.  For example, trace the pointer returned by malloc and
+   used as an argument to free.  This way mallocs and frees can be matched up.
+   Trace events with no context are not very useful.
+
+4. Name trace events after their function.  If there are multiple trace events
+   in one function, append a unique distinguisher at the end of the name.
+
+5. Declare trace events with the "disable" keyword.  Some trace events can
+   produce a lot of output and users are typically only interested in a subset
+   of trace events.  Marking trace events disabled by default saves the user
+   from having to manually disable noisy trace events.
+
+== Trace backends ==
+
+The tracetool script automates tedious trace event code generation and also
+keeps the trace event declarations independent of the trace backend.  The trace
+events are not tightly coupled to a specific trace backend, such as LTTng or
+SystemTap.  Support for trace backends can be added by extending the tracetool
+script.
+
+The trace backend is chosen at configure time and only one trace backend can
+be built into the binary:
+
+    ./configure --trace-backend=simple
+
+For a list of supported trace backends, try ./configure --help or see below.
+
+The following subsections describe the supported trace backends.
+
+=== Nop ===
+
+The "nop" backend generates empty trace event functions so that the compiler
+can optimize out trace events completely.  This is the default and imposes no
+performance penalty.
+
+=== Simpletrace ===
+
+The "simple" backend supports common use cases and comes as part of the QEMU
+source tree.  It may not be as powerful as platform-specific or third-party
+trace backends but it is portable.  This is the recommended trace backend
+unless you have specific needs for more advanced backends.
+
+==== Monitor commands ====
+
+* info trace
+  Display the contents of trace buffer.  This command dumps the trace buffer
+  with simple formatting.  For full pretty-printing, use the simpletrace.py
+  script on a binary trace file.
+
+  The trace buffer is written into until full.  The full trace buffer is
+  flushed and emptied.  This means the 'info trace' will display few or no
+  entries if the buffer has just been flushed.
+
+* info trace-events
+  View available trace events and their state.  State 1 means enabled, state 0
+  means disabled.
+
+* trace-event NAME on|off
+  Enable/disable a given trace event.
+
+* trace-file on|off|flush|set <path>
+  Enable/disable/flush the trace file or set the trace file name.
+
+==== Enabling/disabling trace events programmatically ====
+
+The st_change_trace_event_state() function can be used to enable or disable trace
+events at runtime inside QEMU:
+
+    #include "trace.h"
+    
+    st_change_trace_event_state("virtio_irq", true); /* enable */
+    [...]
+    st_change_trace_event_state("virtio_irq", false); /* disable */
+
+==== Analyzing trace files ====
+
+The "simple" backend produces binary trace files that can be formatted with the
+simpletrace.py script.  The script takes the trace-events file and the binary
+trace:
+
+    ./simpletrace.py trace-events trace-12345
+
+You must ensure that the same trace-events file was used to build QEMU,
+otherwise trace event declarations may have changed and output will not be
+consistent.
+
+=== LTTng Userspace Tracer ===
+
+The "ust" backend uses the LTTng Userspace Tracer library.  There are no
+monitor commands built into QEMU, instead UST utilities should be used to list,
+enable/disable, and dump traces.
commit 26f7227bfe9a9abee3fe5190cbfc35dd876e06d9
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Sat May 22 19:24:51 2010 +0100

    trace: Add simple built-in tracing backend
    
    This patch adds a simple tracer which produces binary trace files.  To
    try out the simple backend:
    
    $ ./configure --trace-backend=simple
    $ make
    
    After running QEMU you can pretty-print the trace:
    
    $ ./simpletrace.py trace-events trace.log
    
    The output of simpletrace.py looks like this:
    
      qemu_realloc 0.699 ptr=0x24363f0 size=0x3 newptr=0x24363f0
      qemu_free 0.768 ptr=0x24363f0
      ^           ^---- timestamp delta (us)
      |____ trace event name
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    
    trace: Make trace record fields 64-bit
    
    Explicitly use 64-bit fields in trace records so that timestamps and
    magic numbers work for 32-bit host builds.
    
    Includes fixes from Prerna Saxena <prerna at linux.vnet.ibm.com>.
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/.gitignore b/.gitignore
index f3f2bb7..72bff98 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,6 +42,7 @@ QMP/qmp-commands.txt
 *.log
 *.pdf
 *.pg
+*.pyc
 *.toc
 *.tp
 *.vr
diff --git a/Makefile b/Makefile
index 3c5e6a0..ab91d42 100644
--- a/Makefile
+++ b/Makefile
@@ -112,6 +112,8 @@ trace.c: $(SRC_PATH)/trace-events config-host.mak
 
 trace.o: trace.c $(GENERATED_HEADERS)
 
+simpletrace.o: simpletrace.c $(GENERATED_HEADERS)
+
 ######################################################################
 
 qemu-img.o: qemu-img-cmds.h
diff --git a/Makefile.objs b/Makefile.objs
index c61332d..3ef6d80 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -269,6 +269,9 @@ libdis-$(CONFIG_SPARC_DIS) += sparc-dis.o
 # trace
 
 trace-obj-y = trace.o
+ifeq ($(TRACE_BACKEND),simple)
+trace-obj-y += simpletrace.o
+endif
 
 vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
diff --git a/configure b/configure
index 38613c3..6729dbe 100755
--- a/configure
+++ b/configure
@@ -900,7 +900,7 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --trace-backend=B        Trace backend nop"
+echo "  --trace-backend=B        Trace backend nop simple"
 echo ""
 echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
diff --git a/simpletrace.c b/simpletrace.c
new file mode 100644
index 0000000..4777308
--- /dev/null
+++ b/simpletrace.c
@@ -0,0 +1,159 @@
+/*
+ * Simple trace backend
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <time.h>
+#include "trace.h"
+
+/** Trace file header event ID */
+#define HEADER_EVENT_ID (~(uint64_t)0) /* avoids conflicting with TraceEventIDs */
+
+/** Trace file magic number */
+#define HEADER_MAGIC 0xf2b177cb0aa429b4ULL
+
+/** Trace file version number, bump if format changes */
+#define HEADER_VERSION 0
+
+/** Trace buffer entry */
+typedef struct {
+    uint64_t event;
+    uint64_t timestamp_ns;
+    uint64_t x1;
+    uint64_t x2;
+    uint64_t x3;
+    uint64_t x4;
+    uint64_t x5;
+    uint64_t x6;
+} TraceRecord;
+
+enum {
+    TRACE_BUF_LEN = 64 * 1024 / sizeof(TraceRecord),
+};
+
+static TraceRecord trace_buf[TRACE_BUF_LEN];
+static unsigned int trace_idx;
+static FILE *trace_fp;
+
+static bool write_header(FILE *fp)
+{
+    static const TraceRecord header = {
+        .event = HEADER_EVENT_ID,
+        .timestamp_ns = HEADER_MAGIC,
+        .x1 = HEADER_VERSION,
+    };
+
+    return fwrite(&header, sizeof header, 1, fp) == 1;
+}
+
+static void flush_trace_buffer(void)
+{
+    if (!trace_fp) {
+        trace_fp = fopen("trace.log", "w");
+        if (trace_fp) {
+            write_header(trace_fp);
+        }
+    }
+    if (trace_fp) {
+        size_t unused; /* for when fwrite(3) is declared warn_unused_result */
+        unused = fwrite(trace_buf, trace_idx * sizeof(trace_buf[0]), 1, trace_fp);
+    }
+
+    /* Discard written trace records */
+    trace_idx = 0;
+}
+
+void st_set_trace_file_enabled(bool enable)
+{
+    if (enable == trace_file_enabled) {
+        return; /* no change */
+    }
+
+    /* Flush/discard trace buffer */
+    st_flush_trace_buffer();
+
+    /* To disable, close trace file */
+    if (!enable) {
+        fclose(trace_fp);
+        trace_fp = NULL;
+    }
+
+    trace_file_enabled = enable;
+}
+
+static void trace(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3,
+                  uint64_t x4, uint64_t x5, uint64_t x6)
+{
+    TraceRecord *rec = &trace_buf[trace_idx];
+    struct timespec ts;
+
+    /* TODO Windows?  It would be good to use qemu-timer here but that isn't
+     * linked into qemu-tools.  Also we should avoid recursion in the tracing
+     * code, therefore it is useful to be self-contained.
+     */
+    clock_gettime(CLOCK_MONOTONIC, &ts);
+
+    rec->event = event;
+    rec->timestamp_ns = ts.tv_sec * 1000000000LL + ts.tv_nsec;
+    rec->x1 = x1;
+    rec->x2 = x2;
+    rec->x3 = x3;
+    rec->x4 = x4;
+    rec->x5 = x5;
+    rec->x6 = x6;
+
+    if (++trace_idx == TRACE_BUF_LEN) {
+        flush_trace_buffer();
+    }
+}
+
+void trace0(TraceEventID event)
+{
+    trace(event, 0, 0, 0, 0, 0, 0);
+}
+
+void trace1(TraceEventID event, uint64_t x1)
+{
+    trace(event, x1, 0, 0, 0, 0, 0);
+}
+
+void trace2(TraceEventID event, uint64_t x1, uint64_t x2)
+{
+    trace(event, x1, x2, 0, 0, 0, 0);
+}
+
+void trace3(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3)
+{
+    trace(event, x1, x2, x3, 0, 0, 0);
+}
+
+void trace4(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4)
+{
+    trace(event, x1, x2, x3, x4, 0, 0);
+}
+
+void trace5(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5)
+{
+    trace(event, x1, x2, x3, x4, x5, 0);
+}
+
+void trace6(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6)
+{
+    trace(event, x1, x2, x3, x4, x5, x6);
+}
+
+/**
+ * Flush the trace buffer on exit
+ */
+static void __attribute__((constructor)) st_init(void)
+{
+    atexit(st_flush_trace_buffer);
+}
diff --git a/simpletrace.h b/simpletrace.h
new file mode 100644
index 0000000..7d0661b
--- /dev/null
+++ b/simpletrace.h
@@ -0,0 +1,26 @@
+/*
+ * Simple trace backend
+ *
+ * Copyright IBM, Corp. 2010
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef SIMPLETRACE_H
+#define SIMPLETRACE_H
+
+#include <stdint.h>
+
+typedef uint64_t TraceEventID;
+
+void trace0(TraceEventID event);
+void trace1(TraceEventID event, uint64_t x1);
+void trace2(TraceEventID event, uint64_t x1, uint64_t x2);
+void trace3(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3);
+void trace4(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4);
+void trace5(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5);
+void trace6(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, uint64_t x5, uint64_t x6);
+
+#endif /* SIMPLETRACE_H */
diff --git a/simpletrace.py b/simpletrace.py
new file mode 100755
index 0000000..c2cf168
--- /dev/null
+++ b/simpletrace.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python
+#
+# Pretty-printer for simple trace backend binary trace files
+#
+# Copyright IBM, Corp. 2010
+#
+# This work is licensed under the terms of the GNU GPL, version 2.  See
+# the COPYING file in the top-level directory.
+#
+# For help see docs/tracing.txt
+
+import sys
+import struct
+import re
+
+header_event_id = 0xffffffffffffffff
+header_magic    = 0xf2b177cb0aa429b4
+header_version  = 0
+
+trace_fmt = '=QQQQQQQQ'
+trace_len = struct.calcsize(trace_fmt)
+event_re  = re.compile(r'(disable\s+)?([a-zA-Z0-9_]+)\(([^)]*)\)\s+"([^"]*)"')
+
+def err(msg):
+    sys.stderr.write(msg + '\n')
+    sys.exit(1)
+
+def parse_events(fobj):
+    """Parse a trace-events file."""
+
+    def get_argnames(args):
+        """Extract argument names from a parameter list."""
+        return tuple(arg.split()[-1].lstrip('*') for arg in args.split(','))
+
+    events = {}
+    event_num = 0
+    for line in fobj:
+        m = event_re.match(line.strip())
+        if m is None:
+            continue
+
+        disable, name, args, fmt = m.groups()
+        events[event_num] = (name,) + get_argnames(args)
+        event_num += 1
+    return events
+
+def read_record(fobj):
+    """Deserialize a trace record from a file."""
+    s = fobj.read(trace_len)
+    if len(s) != trace_len:
+        return None
+    return struct.unpack(trace_fmt, s)
+
+def read_trace_file(fobj):
+    """Deserialize trace records from a file."""
+    header = read_record(fobj)
+    if header is None or \
+       header[0] != header_event_id or \
+       header[1] != header_magic or \
+       header[2] != header_version:
+        err('not a trace file or incompatible version')
+
+    while True:
+        rec = read_record(fobj)
+        if rec is None:
+            break
+
+        yield rec
+
+class Formatter(object):
+    def __init__(self, events):
+        self.events = events
+        self.last_timestamp = None
+
+    def format_record(self, rec):
+        if self.last_timestamp is None:
+            self.last_timestamp = rec[1]
+        delta_ns = rec[1] - self.last_timestamp
+        self.last_timestamp = rec[1]
+
+        event = self.events[rec[0]]
+        fields = [event[0], '%0.3f' % (delta_ns / 1000.0)]
+        for i in xrange(1, len(event)):
+            fields.append('%s=0x%x' % (event[i], rec[i + 1]))
+        return ' '.join(fields)
+
+if len(sys.argv) != 3:
+    err('usage: %s <trace-events> <trace-file>' % sys.argv[0])
+
+events = parse_events(open(sys.argv[1], 'r'))
+formatter = Formatter(events)
+for rec in read_trace_file(open(sys.argv[2], 'rb')):
+    print formatter.format_record(rec)
diff --git a/tracetool b/tracetool
index 01de580..19b1659 100755
--- a/tracetool
+++ b/tracetool
@@ -13,11 +13,12 @@ set -f
 usage()
 {
     cat >&2 <<EOF
-usage: $0 --nop [-h | -c]
+usage: $0 [--nop | --simple] [-h | -c]
 Generate tracing code for a file on stdin.
 
 Backends:
-  --nop Tracing disabled
+  --nop     Tracing disabled
+  --simple  Simple built-in backend
 
 Output formats:
   -h    Generate .h file
@@ -66,6 +67,17 @@ get_argnames()
     fi
 }
 
+# Get the number of arguments to a trace event
+get_argc()
+{
+    local name argc
+    argc=0
+    for name in $(get_argnames "$1"); do
+        argc=$((argc + 1))
+    done
+    echo $argc
+}
+
 # Get the format string for a trace event
 get_fmt()
 {
@@ -115,6 +127,66 @@ linetoc_end_nop()
     return
 }
 
+linetoh_begin_simple()
+{
+    cat <<EOF
+#include "simpletrace.h"
+EOF
+
+    simple_event_num=0
+}
+
+cast_args_to_uint64_t()
+{
+    local arg
+    for arg in $(get_argnames "$1"); do
+        printf "%s" "(uint64_t)(uintptr_t)$arg"
+    done
+}
+
+linetoh_simple()
+{
+    local name args argc trace_args
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argc=$(get_argc "$1")
+
+    trace_args="$simple_event_num"
+    if [ "$argc" -gt 0 ]
+    then
+        trace_args="$trace_args, $(cast_args_to_uint64_t "$1")"
+    fi
+
+    cat <<EOF
+static inline void trace_$name($args)
+{
+    trace$argc($trace_args);
+}
+EOF
+
+    simple_event_num=$((simple_event_num + 1))
+}
+
+linetoh_end_simple()
+{
+    return
+}
+
+linetoc_begin_simple()
+{
+    return
+}
+
+linetoc_simple()
+{
+    return
+}
+
+linetoc_end_simple()
+{
+    return
+}
+
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -160,7 +232,7 @@ tracetoc()
 
 # Choose backend
 case "$1" in
-"--nop") backend="${1#--}" ;;
+"--nop" | "--simple") backend="${1#--}" ;;
 *) usage ;;
 esac
 shift
commit 7e24e92a0615ee6be036743f2a035554d2ceac56
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Sat May 22 21:11:33 2010 +0100

    trace: Add LTTng Userspace Tracer backend
    
    This patch adds LTTng Userspace Tracer (UST) backend support.  The UST
    system requires no kernel support but libust and liburcu must be
    installed.
    
    $ ./configure --trace-backend ust
    $ make
    
    Start the UST daemon:
    $ ustd &
    
    List available tracepoints and enable some:
    $ ustctl --list-markers $(pgrep qemu)
    [...]
    {PID: 5458, channel/marker: ust/paio_submit, state: 0, fmt: "acb %p
    opaque %p sector_num %lu nb_sectors %lu type %lu" 0x4b32ba}
    $ ustctl --enable-marker "ust/paio_submit" $(pgrep qemu)
    
    Run the trace:
    $ ustctl --create-trace $(pgrep qemu)
    $ ustctl --start-trace $(pgrep qemu)
    [...]
    $ ustctl --stop-trace $(pgrep qemu)
    $ ustctl --destroy-trace $(pgrep qemu)
    
    Trace results can be viewed using lttv-gui.
    
    More information about UST:
    http://lttng.org/ust
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    
    trace: Check for LTTng Userspace Tracer headers
    
    When using the 'ust' backend, check if the relevant headers are
    available at host.
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/configure b/configure
index 234e75b..4061cb7 100755
--- a/configure
+++ b/configure
@@ -903,7 +903,7 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
-echo "  --trace-backend=B        Trace backend nop simple"
+echo "  --trace-backend=B        Trace backend nop simple ust"
 echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
 echo "                           Default:trace-<pid>"
 echo ""
@@ -2080,6 +2080,24 @@ if test "$?" -ne 0 ; then
   exit 1
 fi
 
+##########################################
+# For 'ust' backend, test if ust headers are present
+if test "$trace_backend" = "ust"; then
+  cat > $TMPC << EOF
+#include <ust/tracepoint.h>
+#include <ust/marker.h>
+int main(void) { return 0; }
+EOF
+  if compile_prog "" "" ; then
+    LIBS="-lust $LIBS"
+  else
+    echo
+    echo "Error: Trace backend 'ust' missing libust header files"
+    echo
+    exit 1
+  fi
+fi
+##########################################
 # End of CC checks
 # After here, no more $cc or $ld runs
 
diff --git a/tracetool b/tracetool
index 8aeac48..b74b630 100755
--- a/tracetool
+++ b/tracetool
@@ -13,12 +13,13 @@ set -f
 usage()
 {
     cat >&2 <<EOF
-usage: $0 [--nop | --simple] [-h | -c]
+usage: $0 [--nop | --simple | --ust] [-h | -c]
 Generate tracing code for a file on stdin.
 
 Backends:
   --nop     Tracing disabled
   --simple  Simple built-in backend
+  --ust     LTTng User Space Tracing backend
 
 Output formats:
   -h    Generate .h file
@@ -225,6 +226,86 @@ linetoc_end_simple()
 EOF
 }
 
+# Clean up after UST headers which pollute the namespace
+ust_clean_namespace() {
+    cat <<EOF
+#undef mutex_lock
+#undef mutex_unlock
+#undef inline
+#undef wmb
+EOF
+}
+
+linetoh_begin_ust()
+{
+    echo "#include <ust/tracepoint.h>"
+    ust_clean_namespace
+}
+
+linetoh_ust()
+{
+    local name args argnames
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1")
+
+    cat <<EOF
+DECLARE_TRACE(ust_$name, TPPROTO($args), TPARGS($argnames));
+#define trace_$name trace_ust_$name
+EOF
+}
+
+linetoh_end_ust()
+{
+    return
+}
+
+linetoc_begin_ust()
+{
+    cat <<EOF
+#include <ust/marker.h>
+$(ust_clean_namespace)
+#include "trace.h"
+EOF
+}
+
+linetoc_ust()
+{
+    local name args argnames fmt
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+    argnames=$(get_argnames "$1")
+    fmt=$(get_fmt "$1")
+
+    cat <<EOF
+DEFINE_TRACE(ust_$name);
+
+static void ust_${name}_probe($args)
+{
+    trace_mark(ust, $name, "$fmt", $argnames);
+}
+EOF
+
+    # Collect names for later
+    names="$names $name"
+}
+
+linetoc_end_ust()
+{
+    cat <<EOF
+static void __attribute__((constructor)) trace_init(void)
+{
+EOF
+
+    for name in $names; do
+        cat <<EOF
+    register_trace_ust_$name(ust_${name}_probe);
+EOF
+    done
+
+    echo "}"
+}
+
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
@@ -282,7 +363,7 @@ tracetoc()
 
 # Choose backend
 case "$1" in
-"--nop" | "--simple") backend="${1#--}" ;;
+"--nop" | "--simple" | "--ust") backend="${1#--}" ;;
 *) usage ;;
 esac
 shift
commit 94a420b170b3e997a185a4148accc87bdcd18156
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Sat May 22 17:52:39 2010 +0100

    trace: Add trace-events file for declaring trace events
    
    This patch introduces the trace-events file where trace events can be
    declared like so:
    
    qemu_malloc(size_t size) "size %zu"
    qemu_free(void *ptr) "ptr %p"
    
    These trace event declarations are processed by a new tool called
    tracetool to generate code for the trace events.  Trace event
    declarations are independent of the backend tracing system (LTTng User
    Space Tracing, ftrace markers, DTrace).
    
    The default "nop" backend generates empty trace event functions.
    Therefore trace events are disabled by default.
    
    The trace-events file serves two purposes:
    
    1. Adding trace events is easy.  It is not necessary to understand the
       details of a backend tracing system.  The trace-events file is a
       single location where trace events can be declared without code
       duplication.
    
    2. QEMU is not tightly coupled to one particular backend tracing system.
       In order to support tracing across QEMU host platforms and to
       anticipate new backend tracing systems that are currently maturing,
       it is important to be flexible and not tied to one system.
    
    This commit includes fixes from Prerna Saxena
    <prerna at linux.vnet.ibm.com> and Blue Swirl <blauwirbel at gmail.com>.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/.gitignore b/.gitignore
index ec6f89f..f3f2bb7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,8 @@ config-devices.*
 config-all-devices.*
 config-host.*
 config-target.*
+trace.h
+trace.c
 *-softmmu
 *-darwin-user
 *-linux-user
diff --git a/Makefile b/Makefile
index f95cc2f..3c5e6a0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # Makefile for QEMU.
 
-GENERATED_HEADERS = config-host.h
+GENERATED_HEADERS = config-host.h trace.h
 
 ifneq ($(wildcard config-host.mak),)
 # Put the all: rule here so that config-host.mak can contain dependencies.
@@ -104,16 +104,24 @@ ui/vnc.o: QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 
 bt-host.o: QEMU_CFLAGS += $(BLUEZ_CFLAGS)
 
+trace.h: $(SRC_PATH)/trace-events config-host.mak
+	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -h < $< > $@,"  GEN   $@")
+
+trace.c: $(SRC_PATH)/trace-events config-host.mak
+	$(call quiet-command,sh $(SRC_PATH)/tracetool --$(TRACE_BACKEND) -c < $< > $@,"  GEN   $@")
+
+trace.o: trace.c $(GENERATED_HEADERS)
+
 ######################################################################
 
 qemu-img.o: qemu-img-cmds.h
 qemu-img.o qemu-tool.o qemu-nbd.o qemu-io.o: $(GENERATED_HEADERS)
 
-qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(block-obj-y) $(qobject-obj-y)
+qemu-img$(EXESUF): qemu-img.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y)
 
-qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(block-obj-y) $(qobject-obj-y)
+qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y)
 
-qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(block-obj-y) $(qobject-obj-y)
+qemu-io$(EXESUF): qemu-io.o cmd.o qemu-tool.o qemu-error.o $(trace-obj-y) $(block-obj-y) $(qobject-obj-y)
 
 qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx
 	$(call quiet-command,sh $(SRC_PATH)/hxtool -h < $< > $@,"  GEN   $@")
@@ -133,6 +141,7 @@ clean:
 	rm -f *.o *.d *.a $(TOOLS) TAGS cscope.* *.pod *~ */*~
 	rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d block/*.o block/*.d net/*.o net/*.d fsdev/*.o fsdev/*.d ui/*.o ui/*.d
 	rm -f qemu-img-cmds.h
+	rm -f trace.c trace.h
 	$(MAKE) -C tests clean
 	for d in $(ALL_SUBDIRS) libhw32 libhw64 libuser libdis libdis-user; do \
 	if test -d $$d; then $(MAKE) -C $$d $@ || exit 1; fi; \
diff --git a/Makefile.objs b/Makefile.objs
index 4a1eaa1..c61332d 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -265,6 +265,11 @@ libdis-$(CONFIG_S390_DIS) += s390-dis.o
 libdis-$(CONFIG_SH4_DIS) += sh4-dis.o
 libdis-$(CONFIG_SPARC_DIS) += sparc-dis.o
 
+######################################################################
+# trace
+
+trace-obj-y = trace.o
+
 vl.o: QEMU_CFLAGS+=$(GPROF_CFLAGS)
 
 vl.o: QEMU_CFLAGS+=$(SDL_CFLAGS)
diff --git a/Makefile.target b/Makefile.target
index 18826bb..a4e80b1 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -310,6 +310,7 @@ obj-y += $(addprefix $(HWDIR)/, $(hw-obj-y))
 
 endif # CONFIG_SOFTMMU
 
+obj-y += $(addprefix ../, $(trace-obj-y))
 obj-$(CONFIG_GDBSTUB_XML) += gdbstub-xml.o
 
 $(QEMU_PROG): $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y)
diff --git a/configure b/configure
index 146dac0..38613c3 100755
--- a/configure
+++ b/configure
@@ -317,6 +317,7 @@ pkgversion=""
 check_utests="no"
 user_pie="no"
 zero_malloc=""
+trace_backend="nop"
 
 # OS specific
 if check_define __linux__ ; then
@@ -519,6 +520,8 @@ for opt do
   ;;
   --target-list=*) target_list="$optarg"
   ;;
+  --trace-backend=*) trace_backend="$optarg"
+  ;;
   --enable-gprof) gprof="yes"
   ;;
   --static)
@@ -897,6 +900,7 @@ echo "  --enable-docs            enable documentation build"
 echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
+echo "  --trace-backend=B        Trace backend nop"
 echo ""
 echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
@@ -2059,6 +2063,18 @@ if compile_prog "" "" ; then
     fdatasync=yes
 fi
 
+##########################################
+# check if trace backend exists
+
+sh "$source_path/tracetool" "--$trace_backend" --check-backend > /dev/null 2> /dev/null
+if test "$?" -ne 0 ; then
+  echo
+  echo "Error: invalid trace backend"
+  echo "Please choose a supported trace backend."
+  echo
+  exit 1
+fi
+
 # End of CC checks
 # After here, no more $cc or $ld runs
 
@@ -2189,6 +2205,7 @@ echo "preadv support    $preadv"
 echo "fdatasync         $fdatasync"
 echo "uuid support      $uuid"
 echo "vhost-net support $vhost_net"
+echo "Trace backend     $trace_backend"
 
 if test $sdl_too_old = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -2450,6 +2467,7 @@ bsd)
 ;;
 esac
 
+echo "TRACE_BACKEND=$trace_backend" >> $config_host_mak
 echo "TOOLS=$tools" >> $config_host_mak
 echo "ROMS=$roms" >> $config_host_mak
 echo "MAKE=$make" >> $config_host_mak
diff --git a/trace-events b/trace-events
new file mode 100644
index 0000000..a37d3cc
--- /dev/null
+++ b/trace-events
@@ -0,0 +1,24 @@
+# Trace events for debugging and performance instrumentation
+#
+# This file is processed by the tracetool script during the build.
+#
+# To add a new trace event:
+#
+# 1. Choose a name for the trace event.  Declare its arguments and format
+#    string.
+#
+# 2. Call the trace event from code using trace_##name, e.g. multiwrite_cb() ->
+#    trace_multiwrite_cb().  The source file must #include "trace.h".
+#
+# Format of a trace event:
+#
+# <name>(<type1> <arg1>[, <type2> <arg2>] ...) "<format-string>"
+#
+# Example: qemu_malloc(size_t size) "size %zu"
+#
+# The <name> must be a valid as a C function name.
+#
+# Types should be standard C types.  Use void * for pointers because the trace
+# system may not have the necessary headers included.
+#
+# The <format-string> should be a sprintf()-compatible format string.
diff --git a/tracetool b/tracetool
new file mode 100755
index 0000000..01de580
--- /dev/null
+++ b/tracetool
@@ -0,0 +1,175 @@
+#!/bin/sh
+#
+# Code generator for trace events
+#
+# Copyright IBM, Corp. 2010
+#
+# This work is licensed under the terms of the GNU GPL, version 2.  See
+# the COPYING file in the top-level directory.
+
+# Disable pathname expansion, makes processing text with '*' characters simpler
+set -f
+
+usage()
+{
+    cat >&2 <<EOF
+usage: $0 --nop [-h | -c]
+Generate tracing code for a file on stdin.
+
+Backends:
+  --nop Tracing disabled
+
+Output formats:
+  -h    Generate .h file
+  -c    Generate .c file
+EOF
+    exit 1
+}
+
+# Get the name of a trace event
+get_name()
+{
+    echo ${1%%\(*}
+}
+
+# Get the argument list of a trace event, including types and names
+get_args()
+{
+    local args
+    args=${1#*\(}
+    args=${args%)*}
+    echo "$args"
+}
+
+# Get the argument name list of a trace event
+get_argnames()
+{
+    local nfields field name
+    nfields=0
+    for field in $(get_args "$1"); do
+        nfields=$((nfields + 1))
+
+        # Drop pointer star
+        field=${field#\*}
+
+        # Only argument names have commas at the end
+        name=${field%,}
+        test "$field" = "$name" && continue
+
+        printf "%s" "$name, "
+    done
+
+    # Last argument name
+    if [ "$nfields" -gt 1 ]
+    then
+        printf "%s" "$name"
+    fi
+}
+
+# Get the format string for a trace event
+get_fmt()
+{
+    local fmt
+    fmt=${1#*\"}
+    fmt=${fmt%\"*}
+    echo "$fmt"
+}
+
+linetoh_begin_nop()
+{
+    return
+}
+
+linetoh_nop()
+{
+    local name args
+    name=$(get_name "$1")
+    args=$(get_args "$1")
+
+    # Define an empty function for the trace event
+    cat <<EOF
+static inline void trace_$name($args)
+{
+}
+EOF
+}
+
+linetoh_end_nop()
+{
+    return
+}
+
+linetoc_begin_nop()
+{
+    return
+}
+
+linetoc_nop()
+{
+    # No need for function definitions in nop backend
+    return
+}
+
+linetoc_end_nop()
+{
+    return
+}
+
+# Process stdin by calling begin, line, and end functions for the backend
+convert()
+{
+    local begin process_line end
+    begin="lineto$1_begin_$backend"
+    process_line="lineto$1_$backend"
+    end="lineto$1_end_$backend"
+
+    "$begin"
+
+    while read -r str; do
+        # Skip comments and empty lines
+        str=${str%%#*}
+        test -z "$str" && continue
+
+        echo
+        "$process_line" "$str"
+    done
+
+    echo
+    "$end"
+}
+
+tracetoh()
+{
+    cat <<EOF
+#ifndef TRACE_H
+#define TRACE_H
+
+/* This file is autogenerated by tracetool, do not edit. */
+
+#include "qemu-common.h"
+EOF
+    convert h
+    echo "#endif /* TRACE_H */"
+}
+
+tracetoc()
+{
+    echo "/* This file is autogenerated by tracetool, do not edit. */"
+    convert c
+}
+
+# Choose backend
+case "$1" in
+"--nop") backend="${1#--}" ;;
+*) usage ;;
+esac
+shift
+
+case "$1" in
+"-h") tracetoh ;;
+"-c") tracetoc ;;
+"--check-backend") exit 0 ;; # used by ./configure to test for backend
+*) usage ;;
+esac
+
+exit 0
commit ab6540d55e8d57609c1e0c18b40269b05e231ce7
Author: Prerna Saxena <prerna at linux.vnet.ibm.com>
Date:   Mon Aug 9 11:48:32 2010 +0100

    trace: Add trace file name command-line option
    
    This patch adds an optional command line switch '-trace' to specify the
    filename to write traces to, when qemu starts.
    Eg, If compiled with the 'simple' trace backend,
    [temp at system]$ qemu -trace FILENAME IMAGE
    Allows the binary traces to be written to FILENAME instead of the option
    set at config-time.
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/qemu-config.c b/qemu-config.c
index 1efdbec..e3b746c 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -288,6 +288,21 @@ static QemuOptsList qemu_mon_opts = {
     },
 };
 
+#ifdef CONFIG_SIMPLE_TRACE
+static QemuOptsList qemu_trace_opts = {
+    .name = "trace",
+    .implied_opt_name = "trace",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_trace_opts.head),
+    .desc = {
+        {
+            .name = "file",
+            .type = QEMU_OPT_STRING,
+        },
+        { /* end if list */ }
+    },
+};
+#endif
+
 static QemuOptsList qemu_cpudef_opts = {
     .name = "cpudef",
     .head = QTAILQ_HEAD_INITIALIZER(qemu_cpudef_opts.head),
@@ -346,6 +361,9 @@ static QemuOptsList *vm_config_groups[32] = {
     &qemu_global_opts,
     &qemu_mon_opts,
     &qemu_cpudef_opts,
+#ifdef CONFIG_SIMPLE_TRACE
+    &qemu_trace_opts,
+#endif
     NULL,
 };
 
diff --git a/qemu-options.hx b/qemu-options.hx
index 368bf96..a0b5ae9 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2230,6 +2230,17 @@ Normally QEMU loads a configuration file from @var{sysconfdir}/qemu.conf and
 @var{sysconfdir}/target- at var{ARCH}.conf on startup.  The @code{-nodefconfig}
 option will prevent QEMU from loading these configuration files at startup.
 ETEXI
+#ifdef CONFIG_SIMPLE_TRACE
+DEF("trace", HAS_ARG, QEMU_OPTION_trace,
+    "-trace\n"
+    "                Specify a trace file to log traces to\n",
+    QEMU_ARCH_ALL)
+STEXI
+ at item -trace
+ at findex -trace
+Specify a trace file to log output traces to.
+ETEXI
+#endif
 
 HXCOMM This is the last statement. Insert new options before this line!
 STEXI
diff --git a/vl.c b/vl.c
index df11ab3..3f45aa9 100644
--- a/vl.c
+++ b/vl.c
@@ -47,6 +47,10 @@
 #include <dirent.h>
 #include <netdb.h>
 #include <sys/select.h>
+#ifdef CONFIG_SIMPLE_TRACE
+#include "trace.h"
+#endif
+
 #ifdef CONFIG_BSD
 #include <sys/stat.h>
 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
@@ -1823,6 +1827,9 @@ int main(int argc, char **argv, char **envp)
     int show_vnc_port = 0;
     int defconfig = 1;
 
+#ifdef CONFIG_SIMPLE_TRACE
+    const char *trace_file = NULL;
+#endif
     atexit(qemu_run_exit_notifiers);
     error_set_progname(argv[0]);
 
@@ -2595,6 +2602,14 @@ int main(int argc, char **argv, char **envp)
                 }
                 xen_mode = XEN_ATTACH;
                 break;
+#ifdef CONFIG_SIMPLE_TRACE
+            case QEMU_OPTION_trace:
+                opts = qemu_opts_parse(qemu_find_opts("trace"), optarg, 0);
+                if (opts) {
+                    trace_file = qemu_opt_get(opts, "file");
+                }
+                break;
+#endif
             case QEMU_OPTION_readconfig:
                 {
                     int ret = qemu_read_config_file(optarg);
@@ -2638,6 +2653,12 @@ int main(int argc, char **argv, char **envp)
         data_dir = CONFIG_QEMU_DATADIR;
     }
 
+#ifdef CONFIG_SIMPLE_TRACE
+    /*
+     * Set the trace file name, if specified.
+     */
+    st_set_trace_file(trace_file);
+#endif
     /*
      * Default to max_cpus = smp_cpus, in case the user doesn't
      * specify a max_cpus value.
commit c5ceb523fa6fc168d3f51e306fee3def458e047e
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Jul 13 09:26:33 2010 +0100

    trace: Add trace-file command to open/close/flush trace file
    
    This patch adds the trace-file command:
    
      trace-file [on|off|flush]
    
      Open, close, or flush the trace file.  If no argument is given,
      the status of the trace file is displayed.
    
    The trace file is turned on by default but is only written out when the
    trace buffer becomes full.  The flush operation can be used to force
    write out at any time.
    
    Turning off the trace file does not change the state of trace events;
    tracing will continue to the trace buffer.  When the trace file is off,
    use "info trace" to display the contents of the trace buffer in memory.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    
    This commit also contains the trace-file sub-command from the following
    commit:
    
    commit 5ce8d1a957afae2c52ad748944ce72848ccf57bd
    Author: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Date:   Wed Aug 4 16:23:54 2010 +0530
    
        trace: Add options to specify trace file name at startup and runtime
    
        This patch adds an optional command line switch '-trace' to specify the
        filename to write traces to, when qemu starts.
        Eg, If compiled with the 'simple' trace backend,
        [temp at system]$ qemu -trace FILENAME IMAGE
        Allows the binary traces to be written to FILENAME instead of the option
        set at config-time.
    
        Also, this adds monitor sub-command 'set' to trace-file commands to
        dynamically change trace log file at runtime.
        Eg,
        (qemu)trace-file set FILENAME
        This allows one to set trace outputs to FILENAME from the default
        specified at startup.
    
        Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
        Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/monitor.c b/monitor.c
index 0e69bc8..e602480 100644
--- a/monitor.c
+++ b/monitor.c
@@ -549,6 +549,29 @@ static void do_change_trace_event_state(Monitor *mon, const QDict *qdict)
     bool new_state = qdict_get_bool(qdict, "option");
     st_change_trace_event_state(tp_name, new_state);
 }
+
+static void do_trace_file(Monitor *mon, const QDict *qdict)
+{
+    const char *op = qdict_get_try_str(qdict, "op");
+    const char *arg = qdict_get_try_str(qdict, "arg");
+
+    if (!op) {
+        st_print_trace_file_status((FILE *)mon, &monitor_fprintf);
+    } else if (!strcmp(op, "on")) {
+        st_set_trace_file_enabled(true);
+    } else if (!strcmp(op, "off")) {
+        st_set_trace_file_enabled(false);
+    } else if (!strcmp(op, "flush")) {
+        st_flush_trace_buffer();
+    } else if (!strcmp(op, "set")) {
+        if (arg) {
+            st_set_trace_file(arg);
+        }
+    } else {
+        monitor_printf(mon, "unexpected argument \"%s\"\n", op);
+        help_cmd(mon, "trace-file");
+    }
+}
 #endif
 
 static void user_monitor_complete(void *opaque, QObject *ret_data)
diff --git a/qemu-monitor.hx b/qemu-monitor.hx
index c264c7d..49bcd8d 100644
--- a/qemu-monitor.hx
+++ b/qemu-monitor.hx
@@ -295,6 +295,20 @@ STEXI
 @findex trace-event
 changes status of a trace event
 ETEXI
+
+    {
+        .name       = "trace-file",
+        .args_type  = "op:s?,arg:F?",
+        .params     = "on|off|flush|set [arg]",
+        .help       = "open, close, or flush trace file, or set a new file name",
+        .mhandler.cmd = do_trace_file,
+    },
+
+STEXI
+ at item trace-file on|off|flush
+ at findex trace-file
+Open, close, or flush the trace file.  If no argument is given, the status of the trace file is displayed.
+ETEXI
 #endif
 
     {
diff --git a/simpletrace.c b/simpletrace.c
index 97045a6..f849e42 100644
--- a/simpletrace.c
+++ b/simpletrace.c
@@ -42,6 +42,14 @@ enum {
 static TraceRecord trace_buf[TRACE_BUF_LEN];
 static unsigned int trace_idx;
 static FILE *trace_fp;
+static char *trace_file_name = NULL;
+static bool trace_file_enabled = false;
+
+void st_print_trace_file_status(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...))
+{
+    stream_printf(stream, "Trace file \"%s\" %s.\n",
+                  trace_file_name, trace_file_enabled ? "on" : "off");
+}
 
 static bool write_header(FILE *fp)
 {
@@ -54,31 +62,57 @@ static bool write_header(FILE *fp)
     return fwrite(&header, sizeof header, 1, fp) == 1;
 }
 
-static bool open_trace_file(void)
+/**
+ * set_trace_file : To set the name of a trace file.
+ * @file : pointer to the name to be set.
+ *         If NULL, set to the default name-<pid> set at config time.
+ */
+bool st_set_trace_file(const char *file)
 {
-    char *filename;
+    st_set_trace_file_enabled(false);
 
-    if (asprintf(&filename, CONFIG_TRACE_FILE, getpid()) < 0) {
-        return false;
-    }
+    free(trace_file_name);
 
-    trace_fp = fopen(filename, "w");
-    free(filename);
-    if (!trace_fp) {
-        return false;
+    if (!file) {
+        if (asprintf(&trace_file_name, CONFIG_TRACE_FILE, getpid()) < 0) {
+            trace_file_name = NULL;
+            return false;
+        }
+    } else {
+        if (asprintf(&trace_file_name, "%s", file) < 0) {
+            trace_file_name = NULL;
+            return false;
+        }
     }
-    return write_header(trace_fp);
+
+    st_set_trace_file_enabled(true);
+    return true;
 }
 
-static void flush_trace_buffer(void)
+static void flush_trace_file(void)
 {
+    /* If the trace file is not open yet, open it now */
     if (!trace_fp) {
-        open_trace_file();
+        trace_fp = fopen(trace_file_name, "w");
+        if (!trace_fp) {
+            /* Avoid repeatedly trying to open file on failure */
+            trace_file_enabled = false;
+            return;
+        }
+        write_header(trace_fp);
     }
+
     if (trace_fp) {
         size_t unused; /* for when fwrite(3) is declared warn_unused_result */
         unused = fwrite(trace_buf, trace_idx * sizeof(trace_buf[0]), 1, trace_fp);
     }
+}
+
+void st_flush_trace_buffer(void)
+{
+    if (trace_file_enabled) {
+        flush_trace_file();
+    }
 
     /* Discard written trace records */
     trace_idx = 0;
@@ -128,7 +162,7 @@ static void trace(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3,
     rec->x6 = x6;
 
     if (++trace_idx == TRACE_BUF_LEN) {
-        flush_trace_buffer();
+        st_flush_trace_buffer();
     }
 }
 
diff --git a/simpletrace.h b/simpletrace.h
index b0161d1..cf35897 100644
--- a/simpletrace.h
+++ b/simpletrace.h
@@ -32,5 +32,9 @@ void trace6(TraceEventID event, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t
 void st_print_trace(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
 void st_print_trace_events(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
 void st_change_trace_event_state(const char *tname, bool tstate);
+void st_print_trace_file_status(FILE *stream, int (*stream_printf)(FILE *stream, const char *fmt, ...));
+void st_set_trace_file_enabled(bool enable);
+bool st_set_trace_file(const char *file);
+void st_flush_trace_buffer(void);
 
 #endif /* SIMPLETRACE_H */
commit 9410b56c82a107ed48c1f40aa6820c03094d97e9
Author: Prerna Saxena <prerna at linux.vnet.ibm.com>
Date:   Tue Jul 13 09:26:32 2010 +0100

    trace: Specify trace file name
    
    Allow users to specify a file for trace-outputs at configuration.
    Also, allow trace files to be annotated by <pid> so each qemu instance has
    unique traces.
    
    The trace file name can be passed as a config option:
    --trace-file=/path/to/file
    (Default: trace )
    At runtime, the pid of the qemu process is appended to the filename so
    that mutiple qemu instances do not have overlapping logs.
    
    Eg : trace-1234 for qemu launched with pid 1234.
    
    I have yet to test this on windows. getpid() is used at many places
    in code(including vnc.c), so I'm hoping this would be okay too.
    
    Edited-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/configure b/configure
index 5afb3b5..234e75b 100755
--- a/configure
+++ b/configure
@@ -318,6 +318,7 @@ check_utests="no"
 user_pie="no"
 zero_malloc=""
 trace_backend="nop"
+trace_file="trace"
 
 # OS specific
 if check_define __linux__ ; then
@@ -522,6 +523,8 @@ for opt do
   ;;
   --trace-backend=*) trace_backend="$optarg"
   ;;
+  --trace-file=*) trace_file="$optarg"
+  ;;
   --enable-gprof) gprof="yes"
   ;;
   --static)
@@ -901,6 +904,8 @@ echo "  --disable-docs           disable documentation build"
 echo "  --disable-vhost-net      disable vhost-net acceleration support"
 echo "  --enable-vhost-net       enable vhost-net acceleration support"
 echo "  --trace-backend=B        Trace backend nop simple"
+echo "  --trace-file=NAME        Full PATH,NAME of file to store traces"
+echo "                           Default:trace-<pid>"
 echo ""
 echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
@@ -2206,6 +2211,7 @@ echo "fdatasync         $fdatasync"
 echo "uuid support      $uuid"
 echo "vhost-net support $vhost_net"
 echo "Trace backend     $trace_backend"
+echo "Trace output file $trace_file-<pid>"
 
 if test $sdl_too_old = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -2471,6 +2477,12 @@ echo "TRACE_BACKEND=$trace_backend" >> $config_host_mak
 if test "$trace_backend" = "simple"; then
   echo "CONFIG_SIMPLE_TRACE=y" >> $config_host_mak
 fi
+# Set the appropriate trace file.
+if test "$trace_backend" = "simple"; then
+  trace_file="\"$trace_file-%u\""
+fi
+echo "CONFIG_TRACE_FILE=$trace_file" >> $config_host_mak
+
 echo "TOOLS=$tools" >> $config_host_mak
 echo "ROMS=$roms" >> $config_host_mak
 echo "MAKE=$make" >> $config_host_mak
diff --git a/simpletrace.c b/simpletrace.c
index 688959a..97045a6 100644
--- a/simpletrace.c
+++ b/simpletrace.c
@@ -54,13 +54,26 @@ static bool write_header(FILE *fp)
     return fwrite(&header, sizeof header, 1, fp) == 1;
 }
 
+static bool open_trace_file(void)
+{
+    char *filename;
+
+    if (asprintf(&filename, CONFIG_TRACE_FILE, getpid()) < 0) {
+        return false;
+    }
+
+    trace_fp = fopen(filename, "w");
+    free(filename);
+    if (!trace_fp) {
+        return false;
+    }
+    return write_header(trace_fp);
+}
+
 static void flush_trace_buffer(void)
 {
     if (!trace_fp) {
-        trace_fp = fopen("trace.log", "w");
-        if (trace_fp) {
-            write_header(trace_fp);
-        }
+        open_trace_file();
     }
     if (trace_fp) {
         size_t unused; /* for when fwrite(3) is declared warn_unused_result */
commit 1e2cf2bc455622f9e0903a360cdaf6b89ec949a2
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Mon May 24 11:32:09 2010 +0100

    trace: Support disabled events in trace-events
    
    Sometimes it is useful to disable a trace event.  Removing the event
    from trace-events is not enough since source code will call the
    trace_*() function for the event.
    
    This patch makes it easy to build without specific trace events by
    marking them disabled in trace-events:
    
    disable multiwrite_cb(void *mcb, int ret) "mcb %p ret %d"
    
    This builds without the multiwrite_cb trace event.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    
    trace: Allow bulk enabling/disabling of trace events at compile time
    
    For 'simple' trace backend, allow bulk enabling/disabling of trace
    events at compile time.  Trace events that are preceded by 'disable'
    keyword are compiled in, but turned off by default. These can
    individually be turned on using the monitor.  All other trace events are
    enabled by default.
    
    TODO :
    This could be enhanced when the trace-event namespace is partitioned into a
    group and an ID within that group. In such a case, marking a group as enabled
    would automatically enable all trace-events listed under it.
    
    Signed-off-by: Prerna Saxena <prerna at linux.vnet.ibm.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/trace-events b/trace-events
index a37d3cc..2a986ec 100644
--- a/trace-events
+++ b/trace-events
@@ -12,10 +12,15 @@
 #
 # Format of a trace event:
 #
-# <name>(<type1> <arg1>[, <type2> <arg2>] ...) "<format-string>"
+# [disable] <name>(<type1> <arg1>[, <type2> <arg2>] ...) "<format-string>"
 #
 # Example: qemu_malloc(size_t size) "size %zu"
 #
+# The "disable" keyword will build without the trace event.
+# In case of 'simple' trace backend, it will allow the trace event to be
+# compiled, but this would be turned off by default. It can be toggled on via
+# the monitor.
+#
 # The <name> must be a valid as a C function name.
 #
 # Types should be standard C types.  Use void * for pointers because the trace
diff --git a/tracetool b/tracetool
index 2e2e37d..8aeac48 100755
--- a/tracetool
+++ b/tracetool
@@ -87,6 +87,20 @@ get_fmt()
     echo "$fmt"
 }
 
+# Get the state of a trace event
+get_state()
+{
+    local str disable state
+    str=$(get_name "$1")
+    disable=${str##disable }
+    if [ "$disable" = "$str" ] ; then
+        state=1
+    else
+        state=0
+    fi
+    echo "$state"
+}
+
 linetoh_begin_nop()
 {
     return
@@ -146,10 +160,14 @@ cast_args_to_uint64_t()
 
 linetoh_simple()
 {
-    local name args argc trace_args
+    local name args argc trace_args state
     name=$(get_name "$1")
     args=$(get_args "$1")
     argc=$(get_argc "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ]; then
+        name=${name##disable }
+    fi
 
     trace_args="$simple_event_num"
     if [ "$argc" -gt 0 ]
@@ -188,10 +206,14 @@ EOF
 
 linetoc_simple()
 {
-    local name
+    local name state
     name=$(get_name "$1")
+    state=$(get_state "$1")
+    if [ "$state" = "0" ] ; then
+        name=${name##disable }
+    fi
     cat <<EOF
-{.tp_name = "$name", .state=0},
+{.tp_name = "$name", .state=$state},
 EOF
     simple_event_num=$((simple_event_num + 1))
 }
@@ -206,7 +228,7 @@ EOF
 # Process stdin by calling begin, line, and end functions for the backend
 convert()
 {
-    local begin process_line end
+    local begin process_line end str disable
     begin="lineto$1_begin_$backend"
     process_line="lineto$1_$backend"
     end="lineto$1_end_$backend"
@@ -218,8 +240,20 @@ convert()
         str=${str%%#*}
         test -z "$str" && continue
 
+        # Process the line.  The nop backend handles disabled lines.
+        disable=${str%%disable *}
         echo
-        "$process_line" "$str"
+        if test -z "$disable"; then
+            # Pass the disabled state as an arg to lineto$1_simple().
+            # For all other cases, call lineto$1_nop()
+            if [ $backend = "simple" ]; then
+                "$process_line" "$str"
+            else
+                "lineto$1_nop" "${str##disable }"
+            fi
+        else
+            "$process_line" "$str"
+        fi
     done
 
     echo
commit ef9d48da598691ca97bb3588f8bf625717f65418
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Thu Sep 9 22:05:48 2010 +0200

    microblaze: Add support for fcmp.un
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/op_helper.c b/target-microblaze/op_helper.c
index 294e08c..3d2b313 100644
--- a/target-microblaze/op_helper.c
+++ b/target-microblaze/op_helper.c
@@ -297,8 +297,22 @@ uint32_t helper_fdiv(uint32_t a, uint32_t b)
 
 uint32_t helper_fcmp_un(uint32_t a, uint32_t b)
 {
-    cpu_abort(env, "Unsupported fcmp.un\n");
-    return 0;
+    CPU_FloatU fa, fb;
+    uint32_t r = 0;
+
+    fa.l = a;
+    fb.l = b;
+
+    if (float32_is_signaling_nan(fa.f) || float32_is_signaling_nan(fb.f)) {
+        update_fpu_flags(float_flag_invalid);
+        r = 1;
+    }
+
+    if (float32_is_nan(fa.f) || float32_is_nan(fb.f)) {
+        r = 1;
+    }
+
+    return r;
 }
 
 uint32_t helper_fcmp_lt(uint32_t a, uint32_t b)
commit e403e433c1a30568a019cac9ba7301f8d5d7a382
Author: Stefan Weil <weil at mail.berlios.de>
Date:   Mon Aug 9 16:43:53 2010 +0200

    elf: Calculate symbol size if needed
    
    Symbols with a size of 0 are unusable for the disassembler.
    
    Example:
    
    While running an arm linux kernel, no symbolic names are
    used in qemu.log when the cpu is executing an assembler function.
    
    Assume that the size of such symbols is the difference to the
    next symbol value.
    
    Signed-off-by: Stefan Weil <weil at mail.berlios.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/elf_ops.h b/hw/elf_ops.h
index 27d1ab9..0bd7235 100644
--- a/hw/elf_ops.h
+++ b/hw/elf_ops.h
@@ -153,6 +153,11 @@ static int glue(load_symbols, SZ)(struct elfhdr *ehdr, int fd, int must_swab,
         syms = qemu_realloc(syms, nsyms * sizeof(*syms));
 
         qsort(syms, nsyms, sizeof(*syms), glue(symcmp, SZ));
+        for (i = 0; i < nsyms - 1; i++) {
+            if (syms[i].st_size == 0) {
+                syms[i].st_size = syms[i + 1].st_value - syms[i].st_value;
+            }
+        }
     } else {
         qemu_free(syms);
         syms = NULL;
commit a98963d6a64c0208077a4b296a49ee3756e396b4
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Thu Sep 9 16:16:38 2010 -0300

    Revert "qemu-kvm: drop posix-aio-compat.cs signalfd usage"
    
    This reverts commit cb375ad1a62ba9de0207d144d0ad8ca1bee09d33.
    
    Breaks FC8 32/64 install.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index a67ffe3..c05c77b 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -26,6 +26,7 @@
 #include "osdep.h"
 #include "qemu-common.h"
 #include "block_int.h"
+#include "compatfd.h"
 
 #include "block/raw-posix-aio.h"
 
@@ -53,7 +54,7 @@ struct qemu_paiocb {
 };
 
 typedef struct PosixAioState {
-    int rfd, wfd;
+    int fd;
     struct qemu_paiocb *first_aio;
 } PosixAioState;
 
@@ -472,18 +473,29 @@ static int posix_aio_process_queue(void *opaque)
 static void posix_aio_read(void *opaque)
 {
     PosixAioState *s = opaque;
-    ssize_t len;
+    union {
+        struct qemu_signalfd_siginfo siginfo;
+        char buf[128];
+    } sig;
+    size_t offset;
 
-    /* read all bytes from signal pipe */
-    for (;;) {
-        char bytes[16];
+    /* try to read from signalfd, don't freak out if we can't read anything */
+    offset = 0;
+    while (offset < 128) {
+        ssize_t len;
 
-        len = read(s->rfd, bytes, sizeof(bytes));
+        len = read(s->fd, sig.buf + offset, 128 - offset);
         if (len == -1 && errno == EINTR)
-            continue; /* try again */
-        if (len == sizeof(bytes))
-            continue; /* more to read */
-        break;
+            continue;
+        if (len == -1 && errno == EAGAIN) {
+            /* there is no natural reason for this to happen,
+             * so we'll spin hard until we get everything just
+             * to be on the safe side. */
+            if (offset > 0)
+                continue;
+        }
+
+        offset += len;
     }
 
     posix_aio_process_queue(s);
@@ -497,20 +509,6 @@ static int posix_aio_flush(void *opaque)
 
 static PosixAioState *posix_aio_state;
 
-static void aio_signal_handler(int signum)
-{
-    if (posix_aio_state) {
-        char byte = 0;
-        ssize_t ret;
-
-        ret = write(posix_aio_state->wfd, &byte, sizeof(byte));
-        if (ret < 0 && errno != EAGAIN)
-            die("write()");
-    }
-
-    qemu_service_io();
-}
-
 static void paio_remove(struct qemu_paiocb *acb)
 {
     struct qemu_paiocb **pacb;
@@ -612,9 +610,8 @@ BlockDriverAIOCB *paio_ioctl(BlockDriverState *bs, int fd,
 
 int paio_init(void)
 {
-    struct sigaction act;
+    sigset_t mask;
     PosixAioState *s;
-    int fds[2];
     int ret;
 
     if (posix_aio_state)
@@ -622,24 +619,21 @@ int paio_init(void)
 
     s = qemu_malloc(sizeof(PosixAioState));
 
-    sigfillset(&act.sa_mask);
-    act.sa_flags = 0; /* do not restart syscalls to interrupt select() */
-    act.sa_handler = aio_signal_handler;
-    sigaction(SIGUSR2, &act, NULL);
+    /* Make sure to block AIO signal */
+    sigemptyset(&mask);
+    sigaddset(&mask, SIGUSR2);
+    sigprocmask(SIG_BLOCK, &mask, NULL);
 
     s->first_aio = NULL;
-    if (qemu_pipe(fds) == -1) {
-        fprintf(stderr, "failed to create pipe\n");
+    s->fd = qemu_signalfd(&mask);
+    if (s->fd == -1) {
+        fprintf(stderr, "failed to create signalfd\n");
         return -1;
     }
 
-    s->rfd = fds[0];
-    s->wfd = fds[1];
-
-    fcntl(s->rfd, F_SETFL, O_NONBLOCK);
-    fcntl(s->wfd, F_SETFL, O_NONBLOCK);
+    fcntl(s->fd, F_SETFL, O_NONBLOCK);
 
-    qemu_aio_set_fd_handler(s->rfd, posix_aio_read, NULL, posix_aio_flush,
+    qemu_aio_set_fd_handler(s->fd, posix_aio_read, NULL, posix_aio_flush,
         posix_aio_process_queue, s);
 
     ret = pthread_attr_init(&attr);
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 2fb927c..060c47d 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1680,7 +1680,6 @@ int kvm_main_loop(void)
     sigemptyset(&mask);
     sigaddset(&mask, SIGIO);
     sigaddset(&mask, SIGALRM);
-    sigaddset(&mask, SIGUSR2);
     sigaddset(&mask, SIGBUS);
     sigprocmask(SIG_BLOCK, &mask, NULL);
 
commit d7d9b528b105b9e27d9ffa5dd1f773d484a559b4
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Thu Sep 9 19:13:04 2010 +0000

    Fix OpenBSD build warning
    
    Fix this warning:
      CC    savevm.o
    /src/qemu/savevm.c: In function `do_savevm':
    /src/qemu/savevm.c:1900: warning: passing arg 1 of `localtime_r' from incompatible pointer type
    
    It looks like on OpenBSD the type of tv_sec in struct timeval is still
    'long' instead of time_t as in most other OS. Fix by adding a cast.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/savevm.c b/savevm.c
index 4d9f822..6fa7a5f 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1897,7 +1897,8 @@ void do_savevm(Monitor *mon, const QDict *qdict)
         ptm = localtime(&tb.time);
         strftime(sn->name, sizeof(sn->name), "vm-%Y%m%d%H%M%S", ptm);
 #else
-        localtime_r(&tv.tv_sec, &tm);
+        /* cast below needed for OpenBSD where tv_sec is still 'long' */
+        localtime_r((const time_t *)&tv.tv_sec, &tm);
         strftime(sn->name, sizeof(sn->name), "vm-%Y%m%d%H%M%S", &tm);
 #endif
     }
commit b76da7e376954ff25e7f9b6e9313f40b8300bf19
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Thu Sep 9 10:24:01 2010 +0200

    microblaze: User-mode emulation of hw-excp signals
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/linux-user/main.c b/linux-user/main.c
index fa29d77..69d050f 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -2233,6 +2233,37 @@ void cpu_loop (CPUState *env)
             env->regs[3] = ret;
             env->sregs[SR_PC] = env->regs[14];
             break;
+        case EXCP_HW_EXCP:
+            env->regs[17] = env->sregs[SR_PC] + 4;
+            if (env->iflags & D_FLAG) {
+                env->sregs[SR_ESR] |= 1 << 12;
+                env->sregs[SR_PC] -= 4;
+                /* FIXME: if branch was immed, replay the imm aswell.  */
+            }
+
+            env->iflags &= ~(IMM_FLAG | D_FLAG);
+
+            switch (env->sregs[SR_ESR] & 31) {
+                case ESR_EC_FPU:
+                    info.si_signo = SIGFPE;
+                    info.si_errno = 0;
+                    if (env->sregs[SR_FSR] & FSR_IO) {
+                        info.si_code = TARGET_FPE_FLTINV;
+                    }
+                    if (env->sregs[SR_FSR] & FSR_DZ) {
+                        info.si_code = TARGET_FPE_FLTDIV;
+                    }
+                    info._sifields._sigfault._addr = 0;
+                    queue_signal(env, info.si_signo, &info);
+                    break;
+                default:
+                    printf ("Unhandled hw-exception: 0x%x\n",
+                            env->sregs[SR_ESR] & 5);
+                    cpu_dump_state(env, stderr, fprintf, 0);
+                    exit (1);
+                    break;
+            }
+            break;
         case EXCP_DEBUG:
             {
                 int sig;
commit 97694c57d73b150296c5f5333960eb4d56225cd7
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Thu Sep 9 10:20:17 2010 +0200

    microblaze: Add basic FPU emulation
    
    Missing:
    * fcmp.un insn
    * Denormalized exceptions
    * Exception model is not accurate
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/cpu.h b/target-microblaze/cpu.h
index dfcf25a..3aa28bf 100644
--- a/target-microblaze/cpu.h
+++ b/target-microblaze/cpu.h
@@ -24,6 +24,7 @@
 #define CPUState struct CPUMBState
 
 #include "cpu-defs.h"
+#include "softfloat.h"
 struct CPUMBState;
 #if !defined(CONFIG_USER_ONLY)
 #include "mmu.h"
@@ -215,6 +216,7 @@ typedef struct CPUMBState {
     uint32_t imm;
     uint32_t regs[33];
     uint32_t sregs[24];
+    float_status fp_status;
 
     /* Internal flags.  */
 #define IMM_FLAG	4
diff --git a/target-microblaze/helper.h b/target-microblaze/helper.h
index 28f251c..11ad1b6 100644
--- a/target-microblaze/helper.h
+++ b/target-microblaze/helper.h
@@ -10,6 +10,22 @@ DEF_HELPER_2(cmpu, i32, i32, i32)
 DEF_HELPER_2(divs, i32, i32, i32)
 DEF_HELPER_2(divu, i32, i32, i32)
 
+DEF_HELPER_2(fadd, i32, i32, i32)
+DEF_HELPER_2(frsub, i32, i32, i32)
+DEF_HELPER_2(fmul, i32, i32, i32)
+DEF_HELPER_2(fdiv, i32, i32, i32)
+DEF_HELPER_1(flt, i32, i32)
+DEF_HELPER_1(fint, i32, i32)
+DEF_HELPER_1(fsqrt, i32, i32)
+
+DEF_HELPER_2(fcmp_un, i32, i32, i32)
+DEF_HELPER_2(fcmp_lt, i32, i32, i32)
+DEF_HELPER_2(fcmp_eq, i32, i32, i32)
+DEF_HELPER_2(fcmp_le, i32, i32, i32)
+DEF_HELPER_2(fcmp_gt, i32, i32, i32)
+DEF_HELPER_2(fcmp_ne, i32, i32, i32)
+DEF_HELPER_2(fcmp_ge, i32, i32, i32)
+
 DEF_HELPER_FLAGS_2(pcmpbf, TCG_CALL_PURE | TCG_CALL_CONST, i32, i32, i32)
 #if !defined(CONFIG_USER_ONLY)
 DEF_HELPER_1(mmu_read, i32, i32)
diff --git a/target-microblaze/op_helper.c b/target-microblaze/op_helper.c
index be0c829..294e08c 100644
--- a/target-microblaze/op_helper.c
+++ b/target-microblaze/op_helper.c
@@ -202,6 +202,236 @@ uint32_t helper_divu(uint32_t a, uint32_t b)
     return a / b;
 }
 
+/* raise FPU exception.  */
+static void raise_fpu_exception(void)
+{
+    env->sregs[SR_ESR] = ESR_EC_FPU;
+    helper_raise_exception(EXCP_HW_EXCP);
+}
+
+static void update_fpu_flags(int flags)
+{
+    int raise = 0;
+
+    if (flags & float_flag_invalid) {
+        env->sregs[SR_FSR] |= FSR_IO;
+        raise = 1;
+    }
+    if (flags & float_flag_divbyzero) {
+        env->sregs[SR_FSR] |= FSR_DZ;
+        raise = 1;
+    }
+    if (flags & float_flag_overflow) {
+        env->sregs[SR_FSR] |= FSR_OF;
+        raise = 1;
+    }
+    if (flags & float_flag_underflow) {
+        env->sregs[SR_FSR] |= FSR_UF;
+        raise = 1;
+    }
+    if (raise
+        && (env->pvr.regs[2] & PVR2_FPU_EXC_MASK)
+        && (env->sregs[SR_MSR] & MSR_EE)) {
+        raise_fpu_exception();
+    }
+}
+
+uint32_t helper_fadd(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fd, fa, fb;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fb.l = b;
+    fd.f = float32_add(fa.f, fb.f, &env->fp_status);
+
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags);
+    return fd.l;
+}
+
+uint32_t helper_frsub(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fd, fa, fb;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fb.l = b;
+    fd.f = float32_sub(fb.f, fa.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags);
+    return fd.l;
+}
+
+uint32_t helper_fmul(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fd, fa, fb;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fb.l = b;
+    fd.f = float32_mul(fa.f, fb.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags);
+
+    return fd.l;
+}
+
+uint32_t helper_fdiv(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fd, fa, fb;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fb.l = b;
+    fd.f = float32_div(fb.f, fa.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags);
+
+    return fd.l;
+}
+
+uint32_t helper_fcmp_un(uint32_t a, uint32_t b)
+{
+    cpu_abort(env, "Unsupported fcmp.un\n");
+    return 0;
+}
+
+uint32_t helper_fcmp_lt(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fa, fb;
+    int r;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fb.l = b;
+    r = float32_lt(fb.f, fa.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags & float_flag_invalid);
+
+    return r;
+}
+
+uint32_t helper_fcmp_eq(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fa, fb;
+    int flags;
+    int r;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fb.l = b;
+    r = float32_eq(fa.f, fb.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags & float_flag_invalid);
+
+    return r;
+}
+
+uint32_t helper_fcmp_le(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fa, fb;
+    int flags;
+    int r;
+
+    fa.l = a;
+    fb.l = b;
+    set_float_exception_flags(0, &env->fp_status);
+    r = float32_le(fa.f, fb.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags & float_flag_invalid);
+
+
+    return r;
+}
+
+uint32_t helper_fcmp_gt(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fa, fb;
+    int flags, r;
+
+    fa.l = a;
+    fb.l = b;
+    set_float_exception_flags(0, &env->fp_status);
+    r = float32_lt(fa.f, fb.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags & float_flag_invalid);
+    return r;
+}
+
+uint32_t helper_fcmp_ne(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fa, fb;
+    int flags, r;
+
+    fa.l = a;
+    fb.l = b;
+    set_float_exception_flags(0, &env->fp_status);
+    r = !float32_eq(fa.f, fb.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags & float_flag_invalid);
+
+    return r;
+}
+
+uint32_t helper_fcmp_ge(uint32_t a, uint32_t b)
+{
+    CPU_FloatU fa, fb;
+    int flags, r;
+
+    fa.l = a;
+    fb.l = b;
+    set_float_exception_flags(0, &env->fp_status);
+    r = !float32_lt(fa.f, fb.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags & float_flag_invalid);
+
+    return r;
+}
+
+uint32_t helper_flt(uint32_t a)
+{
+    CPU_FloatU fd, fa;
+
+    fa.l = a;
+    fd.f = int32_to_float32(fa.l, &env->fp_status);
+    return fd.l;
+}
+
+uint32_t helper_fint(uint32_t a)
+{
+    CPU_FloatU fa;
+    uint32_t r;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    r = float32_to_int32(fa.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags);
+
+    return r;
+}
+
+uint32_t helper_fsqrt(uint32_t a)
+{
+    CPU_FloatU fd, fa;
+    int flags;
+
+    set_float_exception_flags(0, &env->fp_status);
+    fa.l = a;
+    fd.l = float32_sqrt(fa.f, &env->fp_status);
+    flags = get_float_exception_flags(&env->fp_status);
+    update_fpu_flags(flags);
+
+    return fd.l;
+}
+
 uint32_t helper_pcmpbf(uint32_t a, uint32_t b)
 {
     unsigned int i;
diff --git a/target-microblaze/translate.c b/target-microblaze/translate.c
index f618290..6c305d4 100644
--- a/target-microblaze/translate.c
+++ b/target-microblaze/translate.c
@@ -457,7 +457,7 @@ static void dec_msr(DisasContext *dc)
                 tcg_gen_mov_tl(cpu_SR[SR_ESR], cpu_R[dc->ra]);
                 break;
             case 0x7:
-                /* Ignored at the moment.  */
+                tcg_gen_andi_tl(cpu_SR[SR_FSR], cpu_R[dc->ra], 31);
                 break;
             default:
                 cpu_abort(dc->env, "unknown mts reg %x\n", sr);
@@ -480,7 +480,7 @@ static void dec_msr(DisasContext *dc)
                 tcg_gen_mov_tl(cpu_R[dc->rd], cpu_SR[SR_ESR]);
                 break;
              case 0x7:
-                tcg_gen_movi_tl(cpu_R[dc->rd], 0);
+                tcg_gen_mov_tl(cpu_R[dc->rd], cpu_SR[SR_FSR]);
                 break;
             case 0xb:
                 tcg_gen_mov_tl(cpu_R[dc->rd], cpu_SR[SR_BTR]);
@@ -1134,18 +1134,115 @@ static void dec_rts(DisasContext *dc)
     tcg_gen_add_tl(env_btarget, cpu_R[dc->ra], *(dec_alu_op_b(dc)));
 }
 
+static int dec_check_fpuv2(DisasContext *dc)
+{
+    int r;
+
+    r = dc->env->pvr.regs[2] & PVR2_USE_FPU2_MASK;
+
+    if (!r && (dc->tb_flags & MSR_EE_FLAG)) {
+        tcg_gen_movi_tl(cpu_SR[SR_ESR], ESR_EC_FPU);
+        t_gen_raise_exception(dc, EXCP_HW_EXCP);
+    }
+    return r;
+}
+
 static void dec_fpu(DisasContext *dc)
 {
+    unsigned int fpu_insn;
+
     if ((dc->tb_flags & MSR_EE_FLAG)
           && (dc->env->pvr.regs[2] & PVR2_ILL_OPCODE_EXC_MASK)
           && !((dc->env->pvr.regs[2] & PVR2_USE_FPU_MASK))) {
-        tcg_gen_movi_tl(cpu_SR[SR_ESR], ESR_EC_FPU);
+        tcg_gen_movi_tl(cpu_SR[SR_ESR], ESR_EC_ILLEGAL_OP);
         t_gen_raise_exception(dc, EXCP_HW_EXCP);
         return;
     }
 
-    qemu_log ("unimplemented FPU insn pc=%x opc=%x\n", dc->pc, dc->opcode);
-    dc->abort_at_next_insn = 1;
+    fpu_insn = (dc->ir >> 7) & 7;
+
+    switch (fpu_insn) {
+        case 0:
+            gen_helper_fadd(cpu_R[dc->rd], cpu_R[dc->ra], cpu_R[dc->rb]);
+            break;
+
+        case 1:
+            gen_helper_frsub(cpu_R[dc->rd], cpu_R[dc->ra], cpu_R[dc->rb]);
+            break;
+
+        case 2:
+            gen_helper_fmul(cpu_R[dc->rd], cpu_R[dc->ra], cpu_R[dc->rb]);
+            break;
+
+        case 3:
+            gen_helper_fdiv(cpu_R[dc->rd], cpu_R[dc->ra], cpu_R[dc->rb]);
+            break;
+
+        case 4:
+            switch ((dc->ir >> 4) & 7) {
+                case 0:
+                    gen_helper_fcmp_un(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                case 1:
+                    gen_helper_fcmp_lt(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                case 2:
+                    gen_helper_fcmp_eq(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                case 3:
+                    gen_helper_fcmp_le(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                case 4:
+                    gen_helper_fcmp_gt(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                case 5:
+                    gen_helper_fcmp_ne(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                case 6:
+                    gen_helper_fcmp_ge(cpu_R[dc->rd],
+                                       cpu_R[dc->ra], cpu_R[dc->rb]);
+                    break;
+                default:
+                    qemu_log ("unimplemented fcmp fpu_insn=%x pc=%x opc=%x\n",
+                              fpu_insn, dc->pc, dc->opcode);
+                    dc->abort_at_next_insn = 1;
+                    break;
+            }
+            break;
+
+        case 5:
+            if (!dec_check_fpuv2(dc)) {
+                return;
+            }
+            gen_helper_flt(cpu_R[dc->rd], cpu_R[dc->ra]);
+            break;
+
+        case 6:
+            if (!dec_check_fpuv2(dc)) {
+                return;
+            }
+            gen_helper_fint(cpu_R[dc->rd], cpu_R[dc->ra]);
+            break;
+
+        case 7:
+            if (!dec_check_fpuv2(dc)) {
+                return;
+            }
+            gen_helper_fsqrt(cpu_R[dc->rd], cpu_R[dc->ra]);
+            break;
+
+        default:
+            qemu_log ("unimplemented FPU insn fpu_insn=%x pc=%x opc=%x\n",
+                      fpu_insn, dc->pc, dc->opcode);
+            dc->abort_at_next_insn = 1;
+            break;
+    }
 }
 
 static void dec_null(DisasContext *dc)
@@ -1448,9 +1545,9 @@ void cpu_dump_state (CPUState *env, FILE *f,
 
     cpu_fprintf(f, "IN: PC=%x %s\n",
                 env->sregs[SR_PC], lookup_symbol(env->sregs[SR_PC]));
-    cpu_fprintf(f, "rmsr=%x resr=%x rear=%x debug[%x] imm=%x iflags=%x\n",
+    cpu_fprintf(f, "rmsr=%x resr=%x rear=%x debug=%x imm=%x iflags=%x fsr=%x\n",
              env->sregs[SR_MSR], env->sregs[SR_ESR], env->sregs[SR_EAR],
-             env->debug, env->imm, env->iflags);
+             env->debug, env->imm, env->iflags, env->sregs[SR_FSR]);
     cpu_fprintf(f, "btaken=%d btarget=%x mode=%s(saved=%s) eip=%d ie=%d\n",
              env->btaken, env->btarget,
              (env->sregs[SR_MSR] & MSR_UM) ? "user" : "kernel",
@@ -1476,7 +1573,7 @@ CPUState *cpu_mb_init (const char *cpu_model)
 
     cpu_exec_init(env);
     cpu_reset(env);
-
+    set_float_rounding_mode(float_round_nearest_even, &env->fp_status);
 
     if (tcg_initialized)
         return env;
@@ -1545,15 +1642,19 @@ void cpu_reset (CPUState *env)
                         | PVR2_USE_DIV_MASK \
                         | PVR2_USE_HW_MUL_MASK \
                         | PVR2_USE_MUL64_MASK \
+                        | PVR2_USE_FPU_MASK \
+                        | PVR2_USE_FPU2_MASK \
+                        | PVR2_FPU_EXC_MASK \
                         | 0;
     env->pvr.regs[10] = 0x0c000000; /* Default to spartan 3a dsp family.  */
     env->pvr.regs[11] = PVR11_USE_MMU | (16 << 17);
 
-    env->sregs[SR_MSR] = 0;
 #if defined(CONFIG_USER_ONLY)
     /* start in user mode with interrupts enabled.  */
+    env->sregs[SR_MSR] = MSR_EE | MSR_IE | MSR_VM | MSR_UM;
     env->pvr.regs[10] = 0x0c000000; /* Spartan 3a dsp.  */
 #else
+    env->sregs[SR_MSR] = 0;
     mmu_init(&env->mmu);
     env->mmu.c_mmu = 3;
     env->mmu.c_mmu_tlb_access = 3;
commit bdc0bf29c65dbd4f7d5119435e0d05da5de2b5c4
Author: Edgar E. Iglesias <edgar.iglesias at petalogix.com>
Date:   Thu Sep 9 09:58:35 2010 +0200

    microblaze: Add definitions for FSR reg fields
    
    Signed-off-by: Edgar E. Iglesias <edgar.iglesias at petalogix.com>

diff --git a/target-microblaze/cpu.h b/target-microblaze/cpu.h
index 360ac0a..dfcf25a 100644
--- a/target-microblaze/cpu.h
+++ b/target-microblaze/cpu.h
@@ -91,6 +91,13 @@ struct CPUMBState;
 #define          ESR_EC_DATA_TLB        10
 #define          ESR_EC_INSN_TLB        11
 
+/* Floating Point Status Register (FSR) Bits */
+#define FSR_IO          (1<<4) /* Invalid operation */
+#define FSR_DZ          (1<<3) /* Divide-by-zero */
+#define FSR_OF          (1<<2) /* Overflow */
+#define FSR_UF          (1<<1) /* Underflow */
+#define FSR_DO          (1<<0) /* Denormalized operand error */
+
 /* Version reg.  */
 /* Basic PVR mask */
 #define PVR0_PVR_FULL_MASK              0x80000000
commit 8b33d9eeba91422ee2d73b6936ad57262d18cf5a
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 8 17:09:15 2010 -0500

    Revert "Make default invocation of block drivers safer (v3)"
    
    This reverts commit 79368c81bf8cf93864d7afc88b81b05d8f0a2c90.
    
    Conflicts:
    
    	block.c
    
    I haven't been able to come up with a solution yet for the corruption caused by
    unaligned requests from the IDE disk so revert until a solution can be written.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/block.c b/block.c
index a5514e3..66bba87 100644
--- a/block.c
+++ b/block.c
@@ -523,7 +523,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
               BlockDriver *drv)
 {
     int ret;
-    int probed = 0;
 
     if (flags & BDRV_O_SNAPSHOT) {
         BlockDriverState *bs1;
@@ -584,7 +583,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
     /* Find the right image format driver */
     if (!drv) {
         ret = find_image_format(filename, &drv);
-        probed = 1;
     }
 
     if (!drv) {
@@ -597,8 +595,6 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags,
         goto unlink_and_fail;
     }
 
-    bs->probed = probed;
-
     /* If there is a backing file, use it */
     if ((flags & BDRV_O_NO_BACKING) == 0 && bs->backing_file[0] != '\0') {
         char backing_filename[PATH_MAX];
diff --git a/block/raw.c b/block/raw.c
index 61e6748..9108779 100644
--- a/block/raw.c
+++ b/block/raw.c
@@ -9,82 +9,15 @@ static int raw_open(BlockDriverState *bs, int flags)
     return 0;
 }
 
-/* check for the user attempting to write something that looks like a
-   block format header to the beginning of the image and fail out.
-*/
-static int check_for_block_signature(BlockDriverState *bs, const uint8_t *buf)
-{
-    static const uint8_t signatures[][4] = {
-        { 'Q', 'F', 'I', 0xfb }, /* qcow/qcow2 */
-        { 'C', 'O', 'W', 'D' }, /* VMDK3 */
-        { 'V', 'M', 'D', 'K' }, /* VMDK4 */
-        { 'O', 'O', 'O', 'M' }, /* UML COW */
-        {}
-    };
-    int i;
-
-    for (i = 0; signatures[i][0] != 0; i++) {
-        if (memcmp(buf, signatures[i], 4) == 0) {
-            return 1;
-        }
-    }
-
-    return 0;
-}
-
-static int check_write_unsafe(BlockDriverState *bs, int64_t sector_num,
-                              const uint8_t *buf, int nb_sectors)
-{
-    /* assume that if the user specifies the format explicitly, then assume
-       that they will continue to do so and provide no safety net */
-    if (!bs->probed) {
-        return 0;
-    }
-
-    if (sector_num == 0 && nb_sectors > 0) {
-        return check_for_block_signature(bs, buf);
-    }
-
-    return 0;
-}
-
 static int raw_read(BlockDriverState *bs, int64_t sector_num,
                     uint8_t *buf, int nb_sectors)
 {
     return bdrv_read(bs->file, sector_num, buf, nb_sectors);
 }
 
-static int raw_write_scrubbed_bootsect(BlockDriverState *bs,
-                                       const uint8_t *buf)
-{
-    uint8_t bootsect[512];
-
-    /* scrub the dangerous signature */
-    memcpy(bootsect, buf, 512);
-    memset(bootsect, 0, 4);
-
-    return bdrv_write(bs->file, 0, bootsect, 1);
-}
-
 static int raw_write(BlockDriverState *bs, int64_t sector_num,
                      const uint8_t *buf, int nb_sectors)
 {
-    if (check_write_unsafe(bs, sector_num, buf, nb_sectors)) {
-        int ret;
-
-        ret = raw_write_scrubbed_bootsect(bs, buf);
-        if (ret < 0) {
-            return ret;
-        }
-
-        ret = bdrv_write(bs->file, 1, buf + 512, nb_sectors - 1);
-        if (ret < 0) {
-            return ret;
-        }
-
-        return ret + 512;
-    }
-
     return bdrv_write(bs->file, sector_num, buf, nb_sectors);
 }
 
@@ -95,73 +28,10 @@ static BlockDriverAIOCB *raw_aio_readv(BlockDriverState *bs,
     return bdrv_aio_readv(bs->file, sector_num, qiov, nb_sectors, cb, opaque);
 }
 
-typedef struct RawScrubberBounce
-{
-    BlockDriverCompletionFunc *cb;
-    void *opaque;
-    QEMUIOVector qiov;
-} RawScrubberBounce;
-
-static void raw_aio_writev_scrubbed(void *opaque, int ret)
-{
-    RawScrubberBounce *b = opaque;
-
-    if (ret < 0) {
-        b->cb(b->opaque, ret);
-    } else {
-        b->cb(b->opaque, ret + 512);
-    }
-
-    qemu_iovec_destroy(&b->qiov);
-    qemu_free(b);
-}
-
 static BlockDriverAIOCB *raw_aio_writev(BlockDriverState *bs,
     int64_t sector_num, QEMUIOVector *qiov, int nb_sectors,
     BlockDriverCompletionFunc *cb, void *opaque)
 {
-    const uint8_t *first_buf;
-    int first_buf_index = 0, i;
-
-    /* This is probably being paranoid, but handle cases of zero size
-       vectors. */
-    for (i = 0; i < qiov->niov; i++) {
-        if (qiov->iov[i].iov_len) {
-            assert(qiov->iov[i].iov_len >= 512);
-            first_buf_index = i;
-            break;
-        }
-    }
-
-    first_buf = qiov->iov[first_buf_index].iov_base;
-
-    if (check_write_unsafe(bs, sector_num, first_buf, nb_sectors)) {
-        RawScrubberBounce *b;
-        int ret;
-
-        /* write the first sector using sync I/O */
-        ret = raw_write_scrubbed_bootsect(bs, first_buf);
-        if (ret < 0) {
-            return NULL;
-        }
-
-        /* adjust request to be everything but first sector */
-
-        b = qemu_malloc(sizeof(*b));
-        b->cb = cb;
-        b->opaque = opaque;
-
-        qemu_iovec_init(&b->qiov, qiov->nalloc);
-        qemu_iovec_concat(&b->qiov, qiov, qiov->size);
-
-        b->qiov.size -= 512;
-        b->qiov.iov[first_buf_index].iov_base += 512;
-        b->qiov.iov[first_buf_index].iov_len -= 512;
-
-        return bdrv_aio_writev(bs->file, sector_num + 1, &b->qiov,
-                               nb_sectors - 1, raw_aio_writev_scrubbed, b);
-    }
-
     return bdrv_aio_writev(bs->file, sector_num, qiov, nb_sectors, cb, opaque);
 }
 
diff --git a/block_int.h b/block_int.h
index b863451..e8e7156 100644
--- a/block_int.h
+++ b/block_int.h
@@ -148,7 +148,6 @@ struct BlockDriverState {
     int encrypted; /* if true, the media is encrypted */
     int valid_key; /* if true, a valid encryption key has been set */
     int sg;        /* if true, the device is a /dev/sg* */
-    int probed;    /* if true, format was probed automatically */
     /* event callback when inserting/removing */
     void (*change_cb)(void *opaque);
     void *change_opaque;
commit b19159e8b9124e5c407c68b301471471b4a6c4d9
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 8 14:55:19 2010 -0500

    Revert "PPC: Qdev'ify e500 pci"
    
    This reverts commit 13b7fdeffa68e3382231a70308593ae6a75d96c3.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 3fa42d2..8ac99f2 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -73,11 +73,11 @@ struct pci_inbound {
 };
 
 struct PPCE500PCIState {
-    PCIHostState pci_state;
     struct pci_outbound pob[PPCE500_PCI_NR_POBS];
     struct pci_inbound pib[PPCE500_PCI_NR_PIBS];
     uint32_t gasket_time;
-    uint64_t base_addr;
+    PCIHostState pci_state;
+    PCIDevice *pci_dev;
 };
 
 typedef struct PPCE500PCIState PPCE500PCIState;
@@ -221,7 +221,7 @@ static void ppce500_pci_save(QEMUFile *f, void *opaque)
     PPCE500PCIState *controller = opaque;
     int i;
 
-    /* pci_device_save(controller->pci_dev, f); */
+    pci_device_save(controller->pci_dev, f);
 
     for (i = 0; i < PPCE500_PCI_NR_POBS; i++) {
         qemu_put_be32s(f, &controller->pob[i].potar);
@@ -247,7 +247,7 @@ static int ppce500_pci_load(QEMUFile *f, void *opaque, int version_id)
     if (version_id != 1)
         return -EINVAL;
 
-    /* pci_device_load(controller->pci_dev, f); */
+    pci_device_load(controller->pci_dev, f);
 
     for (i = 0; i < PPCE500_PCI_NR_POBS; i++) {
         qemu_get_be32s(f, &controller->pob[i].potar);
@@ -269,95 +269,55 @@ static int ppce500_pci_load(QEMUFile *f, void *opaque, int version_id)
 
 PCIBus *ppce500_pci_init(qemu_irq pci_irqs[4], target_phys_addr_t registers)
 {
-    DeviceState *dev;
-    PCIBus *b;
-    PCIHostState *h;
-    PPCE500PCIState *s;
+    PPCE500PCIState *controller;
     PCIDevice *d;
+    int index;
     static int ppce500_pci_id;
 
-    dev = qdev_create(NULL, "e500-pcihost");
-    h = FROM_SYSBUS(PCIHostState, sysbus_from_qdev(dev));
-    s = DO_UPCAST(PPCE500PCIState, pci_state, h);
-
-    qdev_prop_set_uint64(dev, "base_addr", registers);
-    b = pci_register_bus(&s->pci_state.busdev.qdev, NULL, mpc85xx_pci_set_irq,
-                         mpc85xx_pci_map_irq, pci_irqs, PCI_DEVFN(0x11, 0), 4);
-
-    s->pci_state.bus = b;
-    qdev_init_nofail(dev);
-    d = pci_create_simple(b, 0, "e500-host-bridge");
-
-    /* XXX load/save code not tested. */
-    register_savevm(&d->qdev, "ppce500_pci", ppce500_pci_id++,
-                    1, ppce500_pci_save, ppce500_pci_load, s);
+    controller = qemu_mallocz(sizeof(PPCE500PCIState));
 
-    return b;
-}
+    controller->pci_state.bus = pci_register_bus(NULL, "pci",
+                                                 mpc85xx_pci_set_irq,
+                                                 mpc85xx_pci_map_irq,
+                                                 pci_irqs, PCI_DEVFN(0x11, 0),
+                                                 4);
+    d = pci_register_device(controller->pci_state.bus,
+                            "host bridge", sizeof(PCIDevice),
+                            0, NULL, NULL);
 
-static int e500_pcihost_initfn(SysBusDevice *dev)
-{
-    PCIHostState *h;
-    PPCE500PCIState *s;
-    target_phys_addr_t registers;
-    int index;
+    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_FREESCALE);
+    pci_config_set_device_id(d->config, PCI_DEVICE_ID_MPC8533E);
+    pci_config_set_class(d->config, PCI_CLASS_PROCESSOR_POWERPC);
 
-    h = FROM_SYSBUS(PCIHostState, sysbus_from_qdev(dev));
-    s = DO_UPCAST(PPCE500PCIState, pci_state, h);
-    registers = (target_phys_addr_t)s->base_addr;
+    controller->pci_dev = d;
 
     /* CFGADDR */
-    index = pci_host_conf_register_mmio(&s->pci_state, 0);
+    index = pci_host_conf_register_mmio(&controller->pci_state, 0);
     if (index < 0)
-        return -1;
+        goto free;
     cpu_register_physical_memory(registers + PCIE500_CFGADDR, 4, index);
 
     /* CFGDATA */
-    index = pci_host_data_register_mmio(&s->pci_state, 0);
+    index = pci_host_data_register_mmio(&controller->pci_state, 0);
     if (index < 0)
-        return -1;
+        goto free;
     cpu_register_physical_memory(registers + PCIE500_CFGDATA, 4, index);
 
     index = cpu_register_io_memory(e500_pci_reg_read,
-                                   e500_pci_reg_write, s);
+                                   e500_pci_reg_write, controller);
     if (index < 0)
-        return -1;
+        goto free;
     cpu_register_physical_memory(registers + PCIE500_REG_BASE,
                                    PCIE500_REG_SIZE, index);
-    return 0;
-}
-
-static int e500_host_bridge_initfn(PCIDevice *dev)
-{
-    pci_config_set_vendor_id(dev->config, PCI_VENDOR_ID_FREESCALE);
-    pci_config_set_device_id(dev->config, PCI_DEVICE_ID_MPC8533E);
-    pci_config_set_class(dev->config, PCI_CLASS_PROCESSOR_POWERPC);
-
-    return 0;
-}
 
-static PCIDeviceInfo e500_host_bridge_info = {
-    .qdev.name    = "e500-host-bridge",
-    .qdev.desc    = "Host bridge",
-    .qdev.size    = sizeof(PCIDevice),
-    .qdev.no_user = 1,
-    .init         = e500_host_bridge_initfn,
-};
+    /* XXX load/save code not tested. */
+    register_savevm(&d->qdev, "ppce500_pci", ppce500_pci_id++,
+                    1, ppce500_pci_save, ppce500_pci_load, controller);
 
-static SysBusDeviceInfo e500_pcihost_info = {
-    .init         = e500_pcihost_initfn,
-    .qdev.name    = "e500-pcihost",
-    .qdev.size    = sizeof(PPCE500PCIState),
-    .qdev.no_user = 1,
-    .qdev.props = (Property[]) {
-        DEFINE_PROP_UINT64("base_addr", PPCE500PCIState, base_addr, 0),
-        DEFINE_PROP_END_OF_LIST(),
-    }
-};
+    return controller->pci_state.bus;
 
-static void e500_pci_register(void)
-{
-    sysbus_register_withprop(&e500_pcihost_info);
-    pci_qdev_register(&e500_host_bridge_info);
+free:
+    printf("%s error\n", __func__);
+    qemu_free(controller);
+    return NULL;
 }
-device_init(e500_pci_register);
commit 031c0c55bb6472348b0a47d99693cc4961b72175
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 8 14:54:58 2010 -0500

    Revert "PPC: Make e500 pci byte swap config data"
    
    This reverts commit cfb207e643d94e3e96d456b1df14c5e36f6aa9e5.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 629b242..3fa42d2 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -313,7 +313,7 @@ static int e500_pcihost_initfn(SysBusDevice *dev)
     cpu_register_physical_memory(registers + PCIE500_CFGADDR, 4, index);
 
     /* CFGDATA */
-    index = pci_host_data_register_mmio(&s->pci_state, 1);
+    index = pci_host_data_register_mmio(&s->pci_state, 0);
     if (index < 0)
         return -1;
     cpu_register_physical_memory(registers + PCIE500_CFGDATA, 4, index);
commit 53462f4aeb869aef90a571eeb22e423688bf5ba4
Merge: aab2e8f... 42a8765...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 8 14:29:13 2010 -0500

    Merge remote branch 'agraf/ppc-next' into staging

commit aab2e8f79ad253c760787ff3ce4d64967fed0003
Merge: dccbe6f... 7ec5e6a...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 8 14:26:57 2010 -0500

    Merge remote branch 'kwolf/for-anthony' into staging

commit dccbe6fbab47c9a2589f436e0592933b47cbe40b
Merge: 630c268... a697a33...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Sep 8 14:26:14 2010 -0500

    Merge remote branch 'mst/for_anthony' into staging

commit 073e16b6207cc85f1f419e9a90474bbded03bef0
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Wed Sep 8 14:45:21 2010 -0300

    Fix "kvm: reset MSR_IA32_CR_PAT correctly" thinkos
    
    Missing break & wrong parameter.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 016dcf1..fd974b3 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -1335,10 +1335,11 @@ static int kvm_reset_msrs(CPUState *env)
         switch (index) {
         case MSR_PAT:
             data = 0x0007040600070406ULL;
+            break;
         default:
             data = 0;
         }
-        kvm_msr_entry_set(&msrs[n], kvm_msr_list->indices[n], 0);
+        kvm_msr_entry_set(&msrs[n], kvm_msr_list->indices[n], data);
     }
 
     msr_data.info.nmsrs = n;
commit 630c26893d6dc7713c0fcfc3c09d6bfe536a6ce3
Author: Sripathi Kodi <sripathik at in.ibm.com>
Date:   Fri Aug 20 16:17:47 2010 +0530

    virtio-9p: Change handling of flags in open() path for 9P2000.L
    
    This patch applies on top of 9P2000.L patches that we have on the list.
    I took a look at how 9P server is handling open() flags in 9P2000.L path.
    I think we can do away with the valid_flags() function and simplify the
    code. The reasoning is as follows:
    
    O_NOCTTY: (If the file is a terminal, don't make it the controlling
    terminal of the process even though the process does not have a controlling
    terminal) By the time the control reaches 9P client it is clear that what
    we have is not a terminal device. Hence it does not matter what we do with
    this flag. In any case 9P server can filter this flag out before making the
    syscall.
    
    O_NONBLOCK: (Don't block if i) Can't read/write to the file ii) Can't get
    locks) This has an impact on FIFOs, but also on file locks. Hence we can
    pass it down to the system call.
    
    O_ASYNC: From the manpage:
    
       O_ASYNC
              Enable signal-driven I/O: generate a signal (SIGIO by default,  but
              this  can be changed via fcntl(2)) when input or output becomes pos-
              sible on this file descriptor.  This feature is only available  for
              terminals,  pseudo-terminals,  sockets,  and (since Linux 2.6) pipes
              and FIFOs.  See fcntl(2) for further details.
    
    Again, this does not make any impact on regular files handled by 9P. Also,
    we don't want 9P server to receive SIGIO. Hence I think 9P server can
    filter this flag out before making the syscall.
    
    O_CLOEXEC: This flag makes sense only on the client. If guest user space
    sets this flag the guest VFS will take care of calling close() on the fd if
    an exec() happens. Hence 9P client need not be bothered with this flag.
    Also I think QEMU will not do an exec, but if it does, it makes sense to
    close these fds. Hence we can pass this flag down to the syscall.
    
    O_CREAT: Since we are in open() path it means we have confirmed that the file
    exists. Hence there is no need to pass O_CREAT flag down to the system. In fact
    on some versions of glibc this causes problems, because we pass O_CREAT flag,
    but don't have permission bits. Hence we can just mask this flag out.
    
    So in summary:
    
    Mask out:
    O_NOCTTY
    O_ASYNC
    O_CREAT
    
    Pass-through:
    O_NONBLOCK
    O_CLOEXEC
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 4b15ce7..32fa3bc 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1684,15 +1684,6 @@ out:
     qemu_free(vs);
 }
 
-static inline int valid_flags(int flag)
-{
-    if (flag & O_NOCTTY || flag & O_NONBLOCK || flag & O_ASYNC ||
-            flag & O_CLOEXEC)
-        return 0;
-    else
-        return 1;
-}
-
 static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
 {
     int flags;
@@ -1709,11 +1700,8 @@ static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
         v9fs_open_post_opendir(s, vs, err);
     } else {
         if (s->proto_version == V9FS_PROTO_2000L) {
-            if (!valid_flags(vs->mode)) {
-                err = -EINVAL;
-                goto out;
-            }
             flags = vs->mode;
+            flags &= ~(O_NOCTTY | O_ASYNC | O_CREAT);
         } else {
             flags = omode_to_uflags(vs->mode);
         }
commit 8f4d1ca58fb7e1b9d6109a93bdab891b92cfd940
Author: Arun R Bharadwaj <arun at linux.vnet.ibm.com>
Date:   Wed Jul 28 14:10:22 2010 +0530

    [virtio-9p] This patch implements TLERROR/RLERROR on the qemu 9P server.
    
    Signed-off-by: Arun R Bharadwaj <arun at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 60a40b9..4b15ce7 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -844,17 +844,24 @@ static void complete_pdu(V9fsState *s, V9fsPDU *pdu, ssize_t len)
     int8_t id = pdu->id + 1; /* Response */
 
     if (len < 0) {
-        V9fsString str;
         int err = -len;
+        len = 7;
 
-        str.data = strerror(err);
-        str.size = strlen(str.data);
+        if (s->proto_version != V9FS_PROTO_2000L) {
+            V9fsString str;
+
+            str.data = strerror(err);
+            str.size = strlen(str.data);
+
+            len += pdu_marshal(pdu, len, "s", &str);
+            id = P9_RERROR;
+        }
 
-        len = 7;
-        len += pdu_marshal(pdu, len, "s", &str);
         len += pdu_marshal(pdu, len, "d", err);
 
-        id = P9_RERROR;
+        if (s->proto_version == V9FS_PROTO_2000L) {
+            id = P9_RLERROR;
+        }
     }
 
     /* fill out the header */
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 016ba1d..0816ad6 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -13,6 +13,8 @@
 #define VIRTIO_9P_MOUNT_TAG 0
 
 enum {
+    P9_TLERROR = 6,
+    P9_RLERROR,
     P9_TSTATFS = 8,
     P9_RSTATFS,
     P9_TLOPEN = 12,
commit cf03eb2c18019e484ce1f436373e90e18835fb77
Author: Arun R Bharadwaj <arun at linux.vnet.ibm.com>
Date:   Wed Jul 28 13:55:05 2010 +0530

    [virtio-9p] Remove all instances of unnecessary dotu variable.
    
    Signed-off-by: Arun R Bharadwaj <arun at linux.vnet.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index ad68054..6f6a0ec 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -169,12 +169,10 @@ static void pprint_stat(V9fsPDU *pdu, int rx, size_t *offsetp, const char *name)
     pprint_str(pdu, rx, offsetp, ", uid");
     pprint_str(pdu, rx, offsetp, ", gid");
     pprint_str(pdu, rx, offsetp, ", muid");
-    if (dotu) {
-        pprint_str(pdu, rx, offsetp, ", extension");
-        pprint_int32(pdu, rx, offsetp, ", uid");
-        pprint_int32(pdu, rx, offsetp, ", gid");
-        pprint_int32(pdu, rx, offsetp, ", muid");
-    }
+    pprint_str(pdu, rx, offsetp, ", extension");
+    pprint_int32(pdu, rx, offsetp, ", uid");
+    pprint_int32(pdu, rx, offsetp, ", gid");
+    pprint_int32(pdu, rx, offsetp, ", muid");
     fprintf(llogfile, "}");
 }
 
@@ -401,9 +399,7 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_int32(pdu, 0, &offset, "afid");
         pprint_str(pdu, 0, &offset, ", uname");
         pprint_str(pdu, 0, &offset, ", aname");
-        if (dotu) {
-            pprint_int32(pdu, 0, &offset, ", n_uname");
-        }
+        pprint_int32(pdu, 0, &offset, ", n_uname");
         break;
     case P9_RAUTH:
         fprintf(llogfile, "RAUTH: (");
@@ -415,9 +411,7 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_int32(pdu, 0, &offset, ", afid");
         pprint_str(pdu, 0, &offset, ", uname");
         pprint_str(pdu, 0, &offset, ", aname");
-        if (dotu) {
-            pprint_int32(pdu, 0, &offset, ", n_uname");
-        }
+        pprint_int32(pdu, 0, &offset, ", n_uname");
         break;
     case P9_RATTACH:
         fprintf(llogfile, "RATTACH: (");
@@ -429,9 +423,7 @@ void pprint_pdu(V9fsPDU *pdu)
     case P9_RERROR:
         fprintf(llogfile, "RERROR: (");
         pprint_str(pdu, 1, &offset, "ename");
-        if (dotu) {
-            pprint_int32(pdu, 1, &offset, ", ecode");
-        }
+        pprint_int32(pdu, 1, &offset, ", ecode");
         break;
     case P9_TFLUSH:
         fprintf(llogfile, "TFLUSH: (");
@@ -466,9 +458,7 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_str(pdu, 0, &offset, ", name");
         pprint_int32(pdu, 0, &offset, ", perm");
         pprint_int8(pdu, 0, &offset, ", mode");
-        if (dotu) {
-            pprint_str(pdu, 0, &offset, ", extension");
-        }
+        pprint_str(pdu, 0, &offset, ", extension");
         break;
     case P9_RCREATE:
         fprintf(llogfile, "RCREATE: (");
diff --git a/hw/virtio-9p-debug.h b/hw/virtio-9p-debug.h
index 0104be5..d9a2491 100644
--- a/hw/virtio-9p-debug.h
+++ b/hw/virtio-9p-debug.h
@@ -1,7 +1,6 @@
 #ifndef _QEMU_VIRTIO_9P_DEBUG_H
 #define _QEMU_VIRTIO_9P_DEBUG_H
 
-extern int dotu;
 void pprint_pdu(V9fsPDU *pdu);
 
 #endif
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index eb7ae01..60a40b9 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -18,7 +18,6 @@
 #include "fsdev/qemu-fsdev.h"
 #include "virtio-9p-debug.h"
 
-int dotu = 1;
 int debug_9p_pdu;
 
 enum {
@@ -853,9 +852,7 @@ static void complete_pdu(V9fsState *s, V9fsPDU *pdu, ssize_t len)
 
         len = 7;
         len += pdu_marshal(pdu, len, "s", &str);
-        if (dotu) {
-            len += pdu_marshal(pdu, len, "d", err);
-        }
+        len += pdu_marshal(pdu, len, "d", err);
 
         id = P9_RERROR;
     }
@@ -885,22 +882,20 @@ static mode_t v9mode_to_mode(uint32_t mode, V9fsString *extension)
         ret |= S_IFDIR;
     }
 
-    if (dotu) {
-        if (mode & P9_STAT_MODE_SYMLINK) {
-            ret |= S_IFLNK;
-        }
-        if (mode & P9_STAT_MODE_SOCKET) {
-            ret |= S_IFSOCK;
-        }
-        if (mode & P9_STAT_MODE_NAMED_PIPE) {
-            ret |= S_IFIFO;
-        }
-        if (mode & P9_STAT_MODE_DEVICE) {
-            if (extension && extension->data[0] == 'c') {
-                ret |= S_IFCHR;
-            } else {
-                ret |= S_IFBLK;
-            }
+    if (mode & P9_STAT_MODE_SYMLINK) {
+        ret |= S_IFLNK;
+    }
+    if (mode & P9_STAT_MODE_SOCKET) {
+        ret |= S_IFSOCK;
+    }
+    if (mode & P9_STAT_MODE_NAMED_PIPE) {
+        ret |= S_IFIFO;
+    }
+    if (mode & P9_STAT_MODE_DEVICE) {
+        if (extension && extension->data[0] == 'c') {
+            ret |= S_IFCHR;
+        } else {
+            ret |= S_IFBLK;
         }
     }
 
@@ -963,34 +958,32 @@ static uint32_t stat_to_v9mode(const struct stat *stbuf)
         mode |= P9_STAT_MODE_DIR;
     }
 
-    if (dotu) {
-        if (S_ISLNK(stbuf->st_mode)) {
-            mode |= P9_STAT_MODE_SYMLINK;
-        }
+    if (S_ISLNK(stbuf->st_mode)) {
+        mode |= P9_STAT_MODE_SYMLINK;
+    }
 
-        if (S_ISSOCK(stbuf->st_mode)) {
-            mode |= P9_STAT_MODE_SOCKET;
-        }
+    if (S_ISSOCK(stbuf->st_mode)) {
+        mode |= P9_STAT_MODE_SOCKET;
+    }
 
-        if (S_ISFIFO(stbuf->st_mode)) {
-            mode |= P9_STAT_MODE_NAMED_PIPE;
-        }
+    if (S_ISFIFO(stbuf->st_mode)) {
+        mode |= P9_STAT_MODE_NAMED_PIPE;
+    }
 
-        if (S_ISBLK(stbuf->st_mode) || S_ISCHR(stbuf->st_mode)) {
-            mode |= P9_STAT_MODE_DEVICE;
-        }
+    if (S_ISBLK(stbuf->st_mode) || S_ISCHR(stbuf->st_mode)) {
+        mode |= P9_STAT_MODE_DEVICE;
+    }
 
-        if (stbuf->st_mode & S_ISUID) {
-            mode |= P9_STAT_MODE_SETUID;
-        }
+    if (stbuf->st_mode & S_ISUID) {
+        mode |= P9_STAT_MODE_SETUID;
+    }
 
-        if (stbuf->st_mode & S_ISGID) {
-            mode |= P9_STAT_MODE_SETGID;
-        }
+    if (stbuf->st_mode & S_ISGID) {
+        mode |= P9_STAT_MODE_SETGID;
+    }
 
-        if (stbuf->st_mode & S_ISVTX) {
-            mode |= P9_STAT_MODE_SETVTX;
-        }
+    if (stbuf->st_mode & S_ISVTX) {
+        mode |= P9_STAT_MODE_SETVTX;
     }
 
     return mode;
@@ -1015,29 +1008,27 @@ static int stat_to_v9stat(V9fsState *s, V9fsString *name,
     v9fs_string_null(&v9stat->gid);
     v9fs_string_null(&v9stat->muid);
 
-    if (dotu) {
-        v9stat->n_uid = stbuf->st_uid;
-        v9stat->n_gid = stbuf->st_gid;
-        v9stat->n_muid = 0;
+    v9stat->n_uid = stbuf->st_uid;
+    v9stat->n_gid = stbuf->st_gid;
+    v9stat->n_muid = 0;
 
-        v9fs_string_null(&v9stat->extension);
+    v9fs_string_null(&v9stat->extension);
 
-        if (v9stat->mode & P9_STAT_MODE_SYMLINK) {
-            err = v9fs_do_readlink(s, name, &v9stat->extension);
-            if (err == -1) {
-                err = -errno;
-                return err;
-            }
-            v9stat->extension.data[err] = 0;
-            v9stat->extension.size = err;
-        } else if (v9stat->mode & P9_STAT_MODE_DEVICE) {
-            v9fs_string_sprintf(&v9stat->extension, "%c %u %u",
-                    S_ISCHR(stbuf->st_mode) ? 'c' : 'b',
-                    major(stbuf->st_rdev), minor(stbuf->st_rdev));
-        } else if (S_ISDIR(stbuf->st_mode) || S_ISREG(stbuf->st_mode)) {
-            v9fs_string_sprintf(&v9stat->extension, "%s %u",
-                    "HARDLINKCOUNT", stbuf->st_nlink);
-        }
+    if (v9stat->mode & P9_STAT_MODE_SYMLINK) {
+        err = v9fs_do_readlink(s, name, &v9stat->extension);
+        if (err == -1) {
+            err = -errno;
+            return err;
+        }
+        v9stat->extension.data[err] = 0;
+        v9stat->extension.size = err;
+    } else if (v9stat->mode & P9_STAT_MODE_DEVICE) {
+        v9fs_string_sprintf(&v9stat->extension, "%c %u %u",
+                S_ISCHR(stbuf->st_mode) ? 'c' : 'b',
+                major(stbuf->st_rdev), minor(stbuf->st_rdev));
+    } else if (S_ISDIR(stbuf->st_mode) || S_ISREG(stbuf->st_mode)) {
+        v9fs_string_sprintf(&v9stat->extension, "%s %u",
+                "HARDLINKCOUNT", stbuf->st_nlink);
     }
 
     str = strrchr(name->data, '/');
commit 9ed3ef26e6503c39ca8b68fb8894c62824e4f3b9
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Aug 26 11:15:23 2010 +0530

    virtio-9p: Add support for removing xattr
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 017183d..d91b7e7 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -91,6 +91,7 @@ typedef struct FileOperations
     ssize_t (*llistxattr)(FsContext *, const char *, void *, size_t);
     int (*lsetxattr)(FsContext *, const char *,
                      const char *, void *, size_t, int);
+    int (*lremovexattr)(FsContext *, const char *, const char *);
     void *opaque;
 } FileOperations;
 #endif
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 132816e..57f9243 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -581,6 +581,22 @@ static int local_lsetxattr(FsContext *ctx, const char *path, const char *name,
     return lsetxattr(rpath(ctx, path), name, value, size, flags);
 }
 
+static int local_lremovexattr(FsContext *ctx,
+                              const char *path, const char *name)
+{
+    if ((ctx->fs_sm == SM_MAPPED) &&
+        (strncmp(name, "user.virtfs.", 12) == 0)) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        errno = EACCES;
+        return -1;
+    }
+    return lremovexattr(rpath(ctx, path), name);
+}
+
+
 FileOperations local_ops = {
     .lstat = local_lstat,
     .readlink = local_readlink,
@@ -612,4 +628,5 @@ FileOperations local_ops = {
     .lgetxattr = local_lgetxattr,
     .llistxattr = local_llistxattr,
     .lsetxattr = local_lsetxattr,
+    .lremovexattr = local_lremovexattr,
 };
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index a53b222..eb7ae01 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -286,6 +286,14 @@ static int v9fs_do_lsetxattr(V9fsState *s, V9fsString *path,
                              xattr_name->data, value, size, flags);
 }
 
+static int v9fs_do_lremovexattr(V9fsState *s, V9fsString *path,
+                                V9fsString *xattr_name)
+{
+    return s->ops->lremovexattr(&s->ctx, path->data,
+                                xattr_name->data);
+}
+
+
 static void v9fs_string_init(V9fsString *str)
 {
     str->data = NULL;
@@ -456,10 +464,14 @@ static int v9fs_xattr_fid_clunk(V9fsState *s, V9fsFidState *fidp)
         retval = -EINVAL;
         goto free_out;
     }
-    retval = v9fs_do_lsetxattr(s, &fidp->path, &fidp->fs.xattr.name,
-                               fidp->fs.xattr.value,
-                               fidp->fs.xattr.len,
-                               fidp->fs.xattr.flags);
+    if (fidp->fs.xattr.len) {
+        retval = v9fs_do_lsetxattr(s, &fidp->path, &fidp->fs.xattr.name,
+                                   fidp->fs.xattr.value,
+                                   fidp->fs.xattr.len,
+                                   fidp->fs.xattr.flags);
+    } else {
+        retval = v9fs_do_lremovexattr(s, &fidp->path, &fidp->fs.xattr.name);
+    }
 free_out:
     v9fs_string_free(&fidp->fs.xattr.name);
 free_value:
@@ -3392,7 +3404,10 @@ static void v9fs_xattrcreate(V9fsState *s, V9fsPDU *pdu)
     vs->xattr_fidp->fs.xattr.flags = flags;
     v9fs_string_init(&vs->xattr_fidp->fs.xattr.name);
     v9fs_string_copy(&vs->xattr_fidp->fs.xattr.name, &vs->name);
-    vs->xattr_fidp->fs.xattr.value = qemu_malloc(vs->size);
+    if (vs->size)
+        vs->xattr_fidp->fs.xattr.value = qemu_malloc(vs->size);
+    else
+        vs->xattr_fidp->fs.xattr.value = NULL;
 
 out:
     complete_pdu(s, vs->pdu, err);
commit 783f04e1d419f730639755e6bd4e7026ad6f2a3f
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:07 2010 +0530

    virtio-9p: Fix the memset usage
    
    The arguments are wrong. Use qemu_mallocz directly
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 4127439..a53b222 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -2823,8 +2823,7 @@ static void v9fs_wstat_post_chown(V9fsState *s, V9fsWstatState *vs, int err)
     if (vs->v9stat.name.size != 0) {
         V9fsRenameState *vr;
 
-        vr = qemu_malloc(sizeof(V9fsRenameState));
-        memset(vr, sizeof(*vr), 0);
+        vr = qemu_mallocz(sizeof(V9fsRenameState));
         vr->newdirfid = -1;
         vr->pdu = vs->pdu;
         vr->fidp = vs->fidp;
commit 5c0f255dd4c8b8f3349b6ed14233f77948c5a9a6
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:07 2010 +0530

    virtio-9p: Use lchown which won't follow symlink
    
    We should always use functions which don't follow
    symlink on the server
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 58e7647..132816e 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -101,7 +101,7 @@ static int local_post_create_passthrough(FsContext *fs_ctx, const char *path,
     if (chmod(rpath(fs_ctx, path), credp->fc_mode & 07777) < 0) {
         return -1;
     }
-    if (chown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) {
+    if (lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) {
         /*
          * If we fail to change ownership and if we are
          * using security model none. Ignore the error
commit 12848bfc5d719bad536c5448205a3226be1fda47
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:07 2010 +0530

    virtio-9p: Add SM_NONE security model
    
    This is equivalent to SM_PASSTHROUGH security model.
    The only exception is, failure of privilige operation like chown
    are ignored. This makes a passthrough like security model usable
    for people who runs kvm as non root
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index e54f358..017183d 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -24,8 +24,19 @@
 
 typedef enum
 {
-    SM_PASSTHROUGH = 1, /* uid/gid set on fileserver files */
-    SM_MAPPED,  /* uid/gid part of xattr */
+    /*
+     * Server will try to set uid/gid.
+     * On failure ignore the error.
+     */
+    SM_NONE = 0,
+    /*
+     * uid/gid set on fileserver files
+     */
+    SM_PASSTHROUGH = 1,
+    /*
+     * uid/gid part of xattr
+     */
+    SM_MAPPED,
 } SecModel;
 
 typedef struct FsCred
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 3fc1712..58e7647 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -102,7 +102,13 @@ static int local_post_create_passthrough(FsContext *fs_ctx, const char *path,
         return -1;
     }
     if (chown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid) < 0) {
-        return -1;
+        /*
+         * If we fail to change ownership and if we are
+         * using security model none. Ignore the error
+         */
+        if (fs_ctx->fs_sm != SM_NONE) {
+            return -1;
+        }
     }
     return 0;
 }
@@ -122,7 +128,8 @@ static ssize_t local_readlink(FsContext *fs_ctx, const char *path,
         } while (tsize == -1 && errno == EINTR);
         close(fd);
         return tsize;
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         tsize = readlink(rpath(fs_ctx, path), buf, bufsz);
     }
     return tsize;
@@ -189,7 +196,8 @@ static int local_chmod(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
     if (fs_ctx->fs_sm == SM_MAPPED) {
         return local_set_xattr(rpath(fs_ctx, path), credp);
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         return chmod(rpath(fs_ctx, path), credp->fc_mode);
     }
     return -1;
@@ -211,7 +219,8 @@ static int local_mknod(FsContext *fs_ctx, const char *path, FsCred *credp)
             serrno = errno;
             goto err_end;
         }
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         err = mknod(rpath(fs_ctx, path), credp->fc_mode, credp->fc_rdev);
         if (err == -1) {
             return err;
@@ -247,7 +256,8 @@ static int local_mkdir(FsContext *fs_ctx, const char *path, FsCred *credp)
             serrno = errno;
             goto err_end;
         }
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         err = mkdir(rpath(fs_ctx, path), credp->fc_mode);
         if (err == -1) {
             return err;
@@ -316,7 +326,8 @@ static int local_open2(FsContext *fs_ctx, const char *path, int flags,
             serrno = errno;
             goto err_end;
         }
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         fd = open(rpath(fs_ctx, path), flags, credp->fc_mode);
         if (fd == -1) {
             return fd;
@@ -372,15 +383,23 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
             serrno = errno;
             goto err_end;
         }
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         err = symlink(oldpath, rpath(fs_ctx, newpath));
         if (err) {
             return err;
         }
         err = lchown(rpath(fs_ctx, newpath), credp->fc_uid, credp->fc_gid);
         if (err == -1) {
-            serrno = errno;
-            goto err_end;
+            /*
+             * If we fail to change ownership and if we are
+             * using security model none. Ignore the error
+             */
+            if (fs_ctx->fs_sm != SM_NONE) {
+                serrno = errno;
+                goto err_end;
+            } else
+                err = 0;
         }
     }
     return err;
@@ -447,7 +466,8 @@ static int local_chown(FsContext *fs_ctx, const char *path, FsCred *credp)
         return lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
     } else if (fs_ctx->fs_sm == SM_MAPPED) {
         return local_set_xattr(rpath(fs_ctx, path), credp);
-    } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
+    } else if ((fs_ctx->fs_sm == SM_PASSTHROUGH) ||
+               (fs_ctx->fs_sm == SM_NONE)) {
         return lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
     }
     return -1;
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index a2ca422..4127439 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -3546,12 +3546,18 @@ VirtIODevice *virtio_9p_init(DeviceState *dev, V9fsConf *conf)
          * Client user credentials are saved in extended attributes.
          */
         s->ctx.fs_sm = SM_MAPPED;
+    } else if (!strcmp(fse->security_model, "none")) {
+        /*
+         * Files on the fileserver are set to QEMU credentials.
+         */
+        s->ctx.fs_sm = SM_NONE;
+
     } else {
-        /* user haven't specified a correct security option */
-        fprintf(stderr, "one of the following must be specified as the"
+        fprintf(stderr, "Default to security_model=none. You may want"
+                " enable advanced security model using "
                 "security option:\n\t security_model=passthrough \n\t "
                 "security_model=mapped\n");
-        return NULL;
+        s->ctx.fs_sm = SM_NONE;
     }
 
     if (lstat(fse->path, &stat)) {
diff --git a/qemu-options.hx b/qemu-options.hx
index 453f129..368bf96 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -485,7 +485,7 @@ ETEXI
 DEFHEADING(File system options:)
 
 DEF("fsdev", HAS_ARG, QEMU_OPTION_fsdev,
-    "-fsdev local,id=id,path=path,security_model=[mapped|passthrough]\n",
+    "-fsdev local,id=id,path=path,security_model=[mapped|passthrough|none]\n",
     QEMU_ARCH_ALL)
 
 STEXI
@@ -518,7 +518,7 @@ ETEXI
 DEFHEADING(Virtual File system pass-through options:)
 
 DEF("virtfs", HAS_ARG, QEMU_OPTION_virtfs,
-    "-virtfs local,path=path,mount_tag=tag,security_model=[mapped|passthrough]\n",
+    "-virtfs local,path=path,mount_tag=tag,security_model=[mapped|passthrough|none]\n",
     QEMU_ARCH_ALL)
 
 STEXI
diff --git a/vl.c b/vl.c
index fd491ba..df11ab3 100644
--- a/vl.c
+++ b/vl.c
@@ -2320,7 +2320,7 @@ int main(int argc, char **argv, char **envp)
                         qemu_opt_get(opts, "path") == NULL ||
                         qemu_opt_get(opts, "security_model") == NULL) {
                     fprintf(stderr, "Usage: -virtfs fstype,path=/share_path/,"
-                            "security_model=[mapped|passthrough],"
+                            "security_model=[mapped|passthrough|none],"
                             "mnt_tag=tag.\n");
                     exit(1);
                 }
commit 61b6c4994a6e4a8adf3bd0950fc4f6a2d23c0c1f
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:07 2010 +0530

    virtio-9p: Hide user.virtfs xattr in case of mapped security.
    
    With mapped security mode we use "user.virtfs" namespace is used
    to store the virtFs related attributes. So hide it from user.
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 6c39256..3fc1712 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -477,18 +477,87 @@ static int local_statfs(FsContext *s, const char *path, struct statfs *stbuf)
 static ssize_t local_lgetxattr(FsContext *ctx, const char *path,
                                const char *name, void *value, size_t size)
 {
+    if ((ctx->fs_sm == SM_MAPPED) &&
+        (strncmp(name, "user.virtfs.", 12) == 0)) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        errno = ENOATTR;
+        return -1;
+    }
+
     return lgetxattr(rpath(ctx, path), name, value, size);
 }
 
 static ssize_t local_llistxattr(FsContext *ctx, const char *path,
                                 void *value, size_t size)
 {
-    return llistxattr(rpath(ctx, path), value, size);
+    ssize_t retval;
+    ssize_t actual_len = 0;
+    char *orig_value, *orig_value_start;
+    char *temp_value, *temp_value_start;
+    ssize_t xattr_len, parsed_len = 0, attr_len;
+
+    if (ctx->fs_sm != SM_MAPPED) {
+        return llistxattr(rpath(ctx, path), value, size);
+    }
+
+    /* Get the actual len */
+    xattr_len = llistxattr(rpath(ctx, path), value, 0);
+
+    /* Now fetch the xattr and find the actual size */
+    orig_value = qemu_malloc(xattr_len);
+    xattr_len = llistxattr(rpath(ctx, path), orig_value, xattr_len);
+
+    /*
+     * For mapped security model drop user.virtfs namespace
+     * from the list
+     */
+    temp_value = qemu_mallocz(xattr_len);
+    temp_value_start = temp_value;
+    orig_value_start = orig_value;
+    while (xattr_len > parsed_len) {
+        attr_len = strlen(orig_value) + 1;
+        if (strncmp(orig_value, "user.virtfs.", 12) != 0) {
+            /* Copy this entry */
+            strcat(temp_value, orig_value);
+            temp_value  += attr_len;
+            actual_len += attr_len;
+        }
+        parsed_len += attr_len;
+        orig_value += attr_len;
+    }
+    if (!size) {
+        retval = actual_len;
+        goto out;
+    } else if (size >= actual_len) {
+        /* now copy the parsed attribute list back */
+        memset(value, 0, size);
+        memcpy(value, temp_value_start, actual_len);
+        retval = actual_len;
+        goto out;
+    }
+    errno = ERANGE;
+    retval = -1;
+out:
+    qemu_free(orig_value_start);
+    qemu_free(temp_value_start);
+    return retval;
 }
 
 static int local_lsetxattr(FsContext *ctx, const char *path, const char *name,
                            void *value, size_t size, int flags)
 {
+    if ((ctx->fs_sm == SM_MAPPED) &&
+        (strncmp(name, "user.virtfs.", 12) == 0)) {
+        /*
+         * Don't allow fetch of user.virtfs namesapce
+         * in case of mapped security
+         */
+        errno = EACCES;
+        return -1;
+    }
     return lsetxattr(rpath(ctx, path), name, value, size, flags);
 }
 
commit 10b468bdc5335b58f610817215f30847c1429f24
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:07 2010 +0530

    virtio-9p: Implement TXATTRCREATE
    
    TXATTRCREATE:  Prepare a fid for setting xattr value on a file system object.
    
     size[4] TXATTRCREATE tag[2] fid[4] name[s] attr_size[8] flags[4]
     size[4] RXATTRWALK tag[2]
    
    txattrcreate gets a fid pointing to xattr. This fid can later be
    used to get set the xattr value.
    
    flag value is derived from set Linux setxattr. The manpage says
    "The flags parameter can be used to refine the semantics of the operation.
    XATTR_CREATE specifies a pure create, which fails if the named attribute
    exists already. XATTR_REPLACE specifies a pure replace operation, which
    fails if the named attribute does not already exist. By default (no flags),
    the extended attribute will be created if need be, or will simply replace
    the value if the attribute exists."
    
    The actual setxattr operation happens when the fid is clunked. At that point
    the written byte count and the attr_size specified in TXATTRCREATE should be
    same otherwise an error will be returned.
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 3a21cbe..e54f358 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -78,6 +78,8 @@ typedef struct FileOperations
     ssize_t (*lgetxattr)(FsContext *, const char *,
                          const char *, void *, size_t);
     ssize_t (*llistxattr)(FsContext *, const char *, void *, size_t);
+    int (*lsetxattr)(FsContext *, const char *,
+                     const char *, void *, size_t, int);
     void *opaque;
 } FileOperations;
 #endif
diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 4554eb6..ad68054 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -588,6 +588,15 @@ void pprint_pdu(V9fsPDU *pdu)
     case P9_RXATTRWALK:
         fprintf(llogfile, "RXATTRWALK: (");
         pprint_int64(pdu, 1, &offset, "xattrsize");
+    case P9_TXATTRCREATE:
+        fprintf(llogfile, "TXATTRCREATE: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_str(pdu, 0, &offset, ", name");
+        pprint_int64(pdu, 0, &offset, ", xattrsize");
+        pprint_int32(pdu, 0, &offset, ", flags");
+        break;
+    case P9_RXATTRCREATE:
+        fprintf(llogfile, "RXATTRCREATE: (");
         break;
     default:
         fprintf(llogfile, "unknown(%d): (", pdu->id);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index a6b5e66..6c39256 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -486,6 +486,12 @@ static ssize_t local_llistxattr(FsContext *ctx, const char *path,
     return llistxattr(rpath(ctx, path), value, size);
 }
 
+static int local_lsetxattr(FsContext *ctx, const char *path, const char *name,
+                           void *value, size_t size, int flags)
+{
+    return lsetxattr(rpath(ctx, path), name, value, size, flags);
+}
+
 FileOperations local_ops = {
     .lstat = local_lstat,
     .readlink = local_readlink,
@@ -516,4 +522,5 @@ FileOperations local_ops = {
     .statfs = local_statfs,
     .lgetxattr = local_lgetxattr,
     .llistxattr = local_llistxattr,
+    .lsetxattr = local_lsetxattr,
 };
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 656c721..a2ca422 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -278,6 +278,14 @@ static ssize_t v9fs_do_llistxattr(V9fsState *s, V9fsString *path,
                               value, size);
 }
 
+static int v9fs_do_lsetxattr(V9fsState *s, V9fsString *path,
+                             V9fsString *xattr_name,
+                             void *value, size_t size, int flags)
+{
+    return s->ops->lsetxattr(&s->ctx, path->data,
+                             xattr_name->data, value, size, flags);
+}
+
 static void v9fs_string_init(V9fsString *str)
 {
     str->data = NULL;
@@ -431,8 +439,39 @@ static V9fsFidState *alloc_fid(V9fsState *s, int32_t fid)
     return f;
 }
 
+static int v9fs_xattr_fid_clunk(V9fsState *s, V9fsFidState *fidp)
+{
+    int retval = 0;
+
+    if (fidp->fs.xattr.copied_len == -1) {
+        /* getxattr/listxattr fid */
+        goto free_value;
+    }
+    /*
+     * if this is fid for setxattr. clunk should
+     * result in setxattr localcall
+     */
+    if (fidp->fs.xattr.len != fidp->fs.xattr.copied_len) {
+        /* clunk after partial write */
+        retval = -EINVAL;
+        goto free_out;
+    }
+    retval = v9fs_do_lsetxattr(s, &fidp->path, &fidp->fs.xattr.name,
+                               fidp->fs.xattr.value,
+                               fidp->fs.xattr.len,
+                               fidp->fs.xattr.flags);
+free_out:
+    v9fs_string_free(&fidp->fs.xattr.name);
+free_value:
+    if (fidp->fs.xattr.value) {
+        qemu_free(fidp->fs.xattr.value);
+    }
+    return retval;
+}
+
 static int free_fid(V9fsState *s, int32_t fid)
 {
+    int retval = 0;
     V9fsFidState **fidpp, *fidp;
 
     for (fidpp = &s->fid_list; *fidpp; fidpp = &(*fidpp)->next) {
@@ -453,14 +492,12 @@ static int free_fid(V9fsState *s, int32_t fid)
     } else if (fidp->fid_type == P9_FID_DIR) {
         v9fs_do_closedir(s, fidp->fs.dir);
     } else if (fidp->fid_type == P9_FID_XATTR) {
-        if (fidp->fs.xattr.value) {
-            qemu_free(fidp->fs.xattr.value);
-        }
+        retval = v9fs_xattr_fid_clunk(s, fidp);
     }
     v9fs_string_free(&fidp->path);
     qemu_free(fidp);
 
-    return 0;
+    return retval;
 }
 
 #define P9_QID_TYPE_DIR         0x80
@@ -2211,6 +2248,48 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_xattr_write(V9fsState *s, V9fsWriteState *vs)
+{
+    int i, to_copy;
+    ssize_t err = 0;
+    int write_count;
+    int64_t xattr_len;
+
+    xattr_len = vs->fidp->fs.xattr.len;
+    write_count = xattr_len - vs->off;
+    if (write_count > vs->count) {
+        write_count = vs->count;
+    } else if (write_count < 0) {
+        /*
+         * write beyond XATTR value len specified in
+         * xattrcreate
+         */
+        err = -ENOSPC;
+        goto out;
+    }
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "d", write_count);
+    err = vs->offset;
+    vs->fidp->fs.xattr.copied_len += write_count;
+    /*
+     * Now copy the content from sg list
+     */
+    for (i = 0; i < vs->cnt; i++) {
+        if (write_count > vs->sg[i].iov_len) {
+            to_copy = vs->sg[i].iov_len;
+        } else {
+            to_copy = write_count;
+        }
+        memcpy((char *)vs->fidp->fs.xattr.value + vs->off,
+               vs->sg[i].iov_base, to_copy);
+        /* updating vs->off since we are not using below */
+        vs->off += to_copy;
+        write_count -= to_copy;
+    }
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 static void v9fs_write(V9fsState *s, V9fsPDU *pdu)
 {
     int32_t fid;
@@ -2226,7 +2305,7 @@ static void v9fs_write(V9fsState *s, V9fsPDU *pdu)
     vs->len = 0;
 
     pdu_unmarshal(vs->pdu, vs->offset, "dqdv", &fid, &vs->off, &vs->count,
-                    vs->sg, &vs->cnt);
+                  vs->sg, &vs->cnt);
 
     vs->fidp = lookup_fid(s, fid);
     if (vs->fidp == NULL) {
@@ -2234,11 +2313,21 @@ static void v9fs_write(V9fsState *s, V9fsPDU *pdu)
         goto out;
     }
 
-    if (vs->fidp->fs.fd == -1) {
+    if (vs->fidp->fid_type == P9_FID_FILE) {
+        if (vs->fidp->fs.fd == -1) {
+            err = -EINVAL;
+            goto out;
+        }
+    } else if (vs->fidp->fid_type == P9_FID_XATTR) {
+        /*
+         * setxattr operation
+         */
+        v9fs_xattr_write(s, vs);
+        return;
+    } else {
         err = -EINVAL;
         goto out;
     }
-
     err = v9fs_do_lseek(s, vs->fidp->fs.fd, vs->off, SEEK_SET);
 
     v9fs_write_post_lseek(s, vs, err);
@@ -3276,6 +3365,41 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_xattrcreate(V9fsState *s, V9fsPDU *pdu)
+{
+    int flags;
+    int32_t fid;
+    ssize_t err = 0;
+    V9fsXattrState *vs;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    pdu_unmarshal(vs->pdu, vs->offset, "dsqd",
+                  &fid, &vs->name, &vs->size, &flags);
+
+    vs->file_fidp = lookup_fid(s, fid);
+    if (vs->file_fidp == NULL) {
+        err = -EINVAL;
+        goto out;
+    }
+
+    /* Make the file fid point to xattr */
+    vs->xattr_fidp = vs->file_fidp;
+    vs->xattr_fidp->fid_type = P9_FID_XATTR;
+    vs->xattr_fidp->fs.xattr.copied_len = 0;
+    vs->xattr_fidp->fs.xattr.len = vs->size;
+    vs->xattr_fidp->fs.xattr.flags = flags;
+    v9fs_string_init(&vs->xattr_fidp->fs.xattr.name);
+    v9fs_string_copy(&vs->xattr_fidp->fs.xattr.name, &vs->name);
+    vs->xattr_fidp->fs.xattr.value = qemu_malloc(vs->size);
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
 
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
@@ -3285,6 +3409,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TGETATTR] = v9fs_getattr,
     [P9_TSETATTR] = v9fs_setattr,
     [P9_TXATTRWALK] = v9fs_xattrwalk,
+    [P9_TXATTRCREATE] = v9fs_xattrcreate,
     [P9_TMKNOD] = v9fs_mknod,
     [P9_TRENAME] = v9fs_rename,
     [P9_TMKDIR] = v9fs_mkdir,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 005df49..016ba1d 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -31,6 +31,8 @@ enum {
     P9_RSETATTR,
     P9_TXATTRWALK = 30,
     P9_RXATTRWALK,
+    P9_TXATTRCREATE = 32,
+    P9_RXATTRCREATE,
     P9_TREADDIR = 40,
     P9_RREADDIR,
     P9_TLINK = 70,
commit fa32ef88792a21b68f06c506c079560151fb5847
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:06 2010 +0530

    virtio-9p: Implement TXATTRWALK
    
    TXATTRWALK: Descend a ATTR namespace
    
     size[4] TXATTRWALK tag[2] fid[4] newfid[4] name[s]
     size[4] RXATTRWALK tag[2] size[8]
    
    txattrwalk gets a fid pointing to xattr. This fid can later be
    used to get read the xattr value. If name is NULL the fid returned
    can be used to get the list of extended attribute associated to
    the file system object.
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index 120c803..3a21cbe 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -75,6 +75,9 @@ typedef struct FileOperations
     int (*truncate)(FsContext *, const char *, off_t);
     int (*fsync)(FsContext *, int);
     int (*statfs)(FsContext *s, const char *path, struct statfs *stbuf);
+    ssize_t (*lgetxattr)(FsContext *, const char *,
+                         const char *, void *, size_t);
+    ssize_t (*llistxattr)(FsContext *, const char *, void *, size_t);
     void *opaque;
 } FileOperations;
 #endif
diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 949a4bf..4554eb6 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -579,6 +579,16 @@ void pprint_pdu(V9fsPDU *pdu)
     case P9_RWSTAT:
         fprintf(llogfile, "RWSTAT: (");
         break;
+    case P9_TXATTRWALK:
+        fprintf(llogfile, "TXATTRWALK: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_int32(pdu, 0, &offset, ", newfid");
+        pprint_str(pdu, 0, &offset, ", xattr name");
+        break;
+    case P9_RXATTRWALK:
+        fprintf(llogfile, "RXATTRWALK: (");
+        pprint_int64(pdu, 1, &offset, "xattrsize");
+        break;
     default:
         fprintf(llogfile, "unknown(%d): (", pdu->id);
         break;
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 269fc62..a6b5e66 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -474,6 +474,18 @@ static int local_statfs(FsContext *s, const char *path, struct statfs *stbuf)
    return statfs(rpath(s, path), stbuf);
 }
 
+static ssize_t local_lgetxattr(FsContext *ctx, const char *path,
+                               const char *name, void *value, size_t size)
+{
+    return lgetxattr(rpath(ctx, path), name, value, size);
+}
+
+static ssize_t local_llistxattr(FsContext *ctx, const char *path,
+                                void *value, size_t size)
+{
+    return llistxattr(rpath(ctx, path), value, size);
+}
+
 FileOperations local_ops = {
     .lstat = local_lstat,
     .readlink = local_readlink,
@@ -502,4 +514,6 @@ FileOperations local_ops = {
     .remove = local_remove,
     .fsync = local_fsync,
     .statfs = local_statfs,
+    .lgetxattr = local_lgetxattr,
+    .llistxattr = local_llistxattr,
 };
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 8fae85f..656c721 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -263,6 +263,21 @@ static int v9fs_do_statfs(V9fsState *s, V9fsString *path, struct statfs *stbuf)
     return s->ops->statfs(&s->ctx, path->data, stbuf);
 }
 
+static ssize_t v9fs_do_lgetxattr(V9fsState *s, V9fsString *path,
+                             V9fsString *xattr_name,
+                             void *value, size_t size)
+{
+    return s->ops->lgetxattr(&s->ctx, path->data,
+                             xattr_name->data, value, size);
+}
+
+static ssize_t v9fs_do_llistxattr(V9fsState *s, V9fsString *path,
+                              void *value, size_t size)
+{
+    return s->ops->llistxattr(&s->ctx, path->data,
+                              value, size);
+}
+
 static void v9fs_string_init(V9fsString *str)
 {
     str->data = NULL;
@@ -1946,6 +1961,31 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_xattr_read(V9fsState *s, V9fsReadState *vs)
+{
+    ssize_t err = 0;
+    int read_count;
+    int64_t xattr_len;
+
+    xattr_len = vs->fidp->fs.xattr.len;
+    read_count = xattr_len - vs->off;
+    if (read_count > vs->count) {
+        read_count = vs->count;
+    } else if (read_count < 0) {
+        /*
+         * read beyond XATTR value
+         */
+        read_count = 0;
+    }
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "d", read_count);
+    vs->offset += pdu_pack(vs->pdu, vs->offset,
+                           ((char *)vs->fidp->fs.xattr.value) + vs->off,
+                           read_count);
+    err = vs->offset;
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 static void v9fs_read(V9fsState *s, V9fsPDU *pdu)
 {
     int32_t fid;
@@ -1967,7 +2007,7 @@ static void v9fs_read(V9fsState *s, V9fsPDU *pdu)
         goto out;
     }
 
-    if (vs->fidp->fs.dir) {
+    if (vs->fidp->fid_type == P9_FID_DIR) {
         vs->max_count = vs->count;
         vs->count = 0;
         if (vs->off == 0) {
@@ -1975,12 +2015,15 @@ static void v9fs_read(V9fsState *s, V9fsPDU *pdu)
         }
         v9fs_read_post_rewinddir(s, vs, err);
         return;
-    } else if (vs->fidp->fs.fd != -1) {
+    } else if (vs->fidp->fid_type == P9_FID_FILE) {
         vs->sg = vs->iov;
         pdu_marshal(vs->pdu, vs->offset + 4, "v", vs->sg, &vs->cnt);
         err = v9fs_do_lseek(s, vs->fidp->fs.fd, vs->off, SEEK_SET);
         v9fs_read_post_lseek(s, vs, err);
         return;
+    } else if (vs->fidp->fid_type == P9_FID_XATTR) {
+        v9fs_xattr_read(s, vs);
+        return;
     } else {
         err = -EINVAL;
     }
@@ -3090,6 +3133,150 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_post_xattr_getvalue(V9fsState *s, V9fsXattrState *vs, int err)
+{
+
+    if (err < 0) {
+        err = -errno;
+        free_fid(s, vs->xattr_fidp->fid);
+        goto out;
+    }
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "q", vs->size);
+    err = vs->offset;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+    return;
+}
+
+static void v9fs_post_xattr_check(V9fsState *s, V9fsXattrState *vs, ssize_t err)
+{
+    if (err < 0) {
+        err = -errno;
+        free_fid(s, vs->xattr_fidp->fid);
+        goto out;
+    }
+    /*
+     * Read the xattr value
+     */
+    vs->xattr_fidp->fs.xattr.len = vs->size;
+    vs->xattr_fidp->fid_type = P9_FID_XATTR;
+    vs->xattr_fidp->fs.xattr.copied_len = -1;
+    if (vs->size) {
+        vs->xattr_fidp->fs.xattr.value = qemu_malloc(vs->size);
+        err = v9fs_do_lgetxattr(s, &vs->xattr_fidp->path,
+                                &vs->name, vs->xattr_fidp->fs.xattr.value,
+                                vs->xattr_fidp->fs.xattr.len);
+    }
+    v9fs_post_xattr_getvalue(s, vs, err);
+    return;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+static void v9fs_post_lxattr_getvalue(V9fsState *s,
+                                      V9fsXattrState *vs, int err)
+{
+    if (err < 0) {
+        err = -errno;
+        free_fid(s, vs->xattr_fidp->fid);
+        goto out;
+    }
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "q", vs->size);
+    err = vs->offset;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+    return;
+}
+
+static void v9fs_post_lxattr_check(V9fsState *s,
+                                   V9fsXattrState *vs, ssize_t err)
+{
+    if (err < 0) {
+        err = -errno;
+        free_fid(s, vs->xattr_fidp->fid);
+        goto out;
+    }
+    /*
+     * Read the xattr value
+     */
+    vs->xattr_fidp->fs.xattr.len = vs->size;
+    vs->xattr_fidp->fid_type = P9_FID_XATTR;
+    vs->xattr_fidp->fs.xattr.copied_len = -1;
+    if (vs->size) {
+        vs->xattr_fidp->fs.xattr.value = qemu_malloc(vs->size);
+        err = v9fs_do_llistxattr(s, &vs->xattr_fidp->path,
+                                 vs->xattr_fidp->fs.xattr.value,
+                                 vs->xattr_fidp->fs.xattr.len);
+    }
+    v9fs_post_lxattr_getvalue(s, vs, err);
+    return;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+static void v9fs_xattrwalk(V9fsState *s, V9fsPDU *pdu)
+{
+    ssize_t err = 0;
+    V9fsXattrState *vs;
+    int32_t fid, newfid;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    pdu_unmarshal(vs->pdu, vs->offset, "dds", &fid, &newfid, &vs->name);
+    vs->file_fidp = lookup_fid(s, fid);
+    if (vs->file_fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    vs->xattr_fidp = alloc_fid(s, newfid);
+    if (vs->xattr_fidp == NULL) {
+        err = -EINVAL;
+        goto out;
+    }
+
+    v9fs_string_copy(&vs->xattr_fidp->path, &vs->file_fidp->path);
+    if (vs->name.data[0] == 0) {
+        /*
+         * listxattr request. Get the size first
+         */
+        vs->size = v9fs_do_llistxattr(s, &vs->xattr_fidp->path,
+                                      NULL, 0);
+        if (vs->size < 0) {
+            err = vs->size;
+        }
+        v9fs_post_lxattr_check(s, vs, err);
+        return;
+    } else {
+        /*
+         * specific xattr fid. We check for xattr
+         * presence also collect the xattr size
+         */
+        vs->size = v9fs_do_lgetxattr(s, &vs->xattr_fidp->path,
+                                     &vs->name, NULL, 0);
+        if (vs->size < 0) {
+            err = vs->size;
+        }
+        v9fs_post_xattr_check(s, vs, err);
+        return;
+    }
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
 static pdu_handler_t *pdu_handlers[] = {
@@ -3097,6 +3284,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TSTATFS] = v9fs_statfs,
     [P9_TGETATTR] = v9fs_getattr,
     [P9_TSETATTR] = v9fs_setattr,
+    [P9_TXATTRWALK] = v9fs_xattrwalk,
     [P9_TMKNOD] = v9fs_mknod,
     [P9_TRENAME] = v9fs_rename,
     [P9_TMKDIR] = v9fs_mkdir,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index faca6b2..005df49 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -29,6 +29,8 @@ enum {
     P9_RGETATTR,
     P9_TSETATTR = 26,
     P9_RSETATTR,
+    P9_TXATTRWALK = 30,
+    P9_RXATTRWALK,
     P9_TREADDIR = 40,
     P9_RREADDIR,
     P9_TLINK = 70,
@@ -416,6 +418,18 @@ typedef struct V9fsRenameState {
     V9fsString name;
 } V9fsRenameState;
 
+typedef struct V9fsXattrState
+{
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsFidState *file_fidp;
+    V9fsFidState *xattr_fidp;
+    V9fsString name;
+    int64_t size;
+    int flags;
+    void *value;
+} V9fsXattrState;
+
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
 
commit d62dbb51f76ddcec95822fe196813edd46ef35b9
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 11:09:06 2010 +0530

    virtio-9p: Add fidtype so that we can do type specific operation
    
    We want to add type specific operation during read/write
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index deeacbd..8fae85f 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -408,8 +408,7 @@ static V9fsFidState *alloc_fid(V9fsState *s, int32_t fid)
     f = qemu_mallocz(sizeof(V9fsFidState));
 
     f->fid = fid;
-    f->fd = -1;
-    f->dir = NULL;
+    f->fid_type = P9_FID_NONE;
 
     f->next = s->fid_list;
     s->fid_list = f;
@@ -434,11 +433,14 @@ static int free_fid(V9fsState *s, int32_t fid)
     fidp = *fidpp;
     *fidpp = fidp->next;
 
-    if (fidp->fd != -1) {
-        v9fs_do_close(s, fidp->fd);
-    }
-    if (fidp->dir) {
-        v9fs_do_closedir(s, fidp->dir);
+    if (fidp->fid_type == P9_FID_FILE) {
+        v9fs_do_close(s, fidp->fs.fd);
+    } else if (fidp->fid_type == P9_FID_DIR) {
+        v9fs_do_closedir(s, fidp->fs.dir);
+    } else if (fidp->fid_type == P9_FID_XATTR) {
+        if (fidp->fs.xattr.value) {
+            qemu_free(fidp->fs.xattr.value);
+        }
     }
     v9fs_string_free(&fidp->path);
     qemu_free(fidp);
@@ -1519,8 +1521,7 @@ static void v9fs_walk(V9fsState *s, V9fsPDU *pdu)
     /* FIXME: is this really valid? */
     if (fid == newfid) {
 
-        BUG_ON(vs->fidp->fd != -1);
-        BUG_ON(vs->fidp->dir);
+        BUG_ON(vs->fidp->fid_type != P9_FID_NONE);
         v9fs_string_init(&vs->path);
         vs->name_idx = 0;
 
@@ -1584,11 +1585,11 @@ static int32_t get_iounit(V9fsState *s, V9fsString *name)
 
 static void v9fs_open_post_opendir(V9fsState *s, V9fsOpenState *vs, int err)
 {
-    if (vs->fidp->dir == NULL) {
+    if (vs->fidp->fs.dir == NULL) {
         err = -errno;
         goto out;
     }
-
+    vs->fidp->fid_type = P9_FID_DIR;
     vs->offset += pdu_marshal(vs->pdu, vs->offset, "Qd", &vs->qid, 0);
     err = vs->offset;
 out:
@@ -1608,11 +1609,11 @@ static void v9fs_open_post_getiounit(V9fsState *s, V9fsOpenState *vs)
 
 static void v9fs_open_post_open(V9fsState *s, V9fsOpenState *vs, int err)
 {
-    if (vs->fidp->fd == -1) {
+    if (vs->fidp->fs.fd == -1) {
         err = -errno;
         goto out;
     }
-
+    vs->fidp->fid_type = P9_FID_FILE;
     vs->iounit = get_iounit(s, &vs->fidp->path);
     v9fs_open_post_getiounit(s, vs);
     return;
@@ -1642,7 +1643,7 @@ static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
     stat_to_qid(&vs->stbuf, &vs->qid);
 
     if (S_ISDIR(vs->stbuf.st_mode)) {
-        vs->fidp->dir = v9fs_do_opendir(s, &vs->fidp->path);
+        vs->fidp->fs.dir = v9fs_do_opendir(s, &vs->fidp->path);
         v9fs_open_post_opendir(s, vs, err);
     } else {
         if (s->proto_version == V9FS_PROTO_2000L) {
@@ -1654,7 +1655,7 @@ static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
         } else {
             flags = omode_to_uflags(vs->mode);
         }
-        vs->fidp->fd = v9fs_do_open(s, &vs->fidp->path, flags);
+        vs->fidp->fs.fd = v9fs_do_open(s, &vs->fidp->path, flags);
         v9fs_open_post_open(s, vs, err);
     }
     return;
@@ -1686,8 +1687,7 @@ static void v9fs_open(V9fsState *s, V9fsPDU *pdu)
         goto out;
     }
 
-    BUG_ON(vs->fidp->fd != -1);
-    BUG_ON(vs->fidp->dir);
+    BUG_ON(vs->fidp->fid_type != P9_FID_NONE);
 
     err = v9fs_do_lstat(s, &vs->fidp->path, &vs->stbuf);
 
@@ -1707,6 +1707,8 @@ static void v9fs_post_lcreate(V9fsState *s, V9fsLcreateState *vs, int err)
                 &vs->iounit);
         err = vs->offset;
     } else {
+        vs->fidp->fid_type = P9_FID_NONE;
+        close(vs->fidp->fs.fd);
         err = -errno;
     }
 
@@ -1732,10 +1734,11 @@ out:
 static void v9fs_lcreate_post_do_open2(V9fsState *s, V9fsLcreateState *vs,
         int err)
 {
-    if (vs->fidp->fd == -1) {
+    if (vs->fidp->fs.fd == -1) {
         err = -errno;
         goto out;
     }
+    vs->fidp->fid_type = P9_FID_FILE;
     vs->iounit =  get_iounit(s, &vs->fullname);
     v9fs_lcreate_post_get_iounit(s, vs, err);
     return;
@@ -1769,7 +1772,7 @@ static void v9fs_lcreate(V9fsState *s, V9fsPDU *pdu)
     v9fs_string_sprintf(&vs->fullname, "%s/%s", vs->fidp->path.data,
              vs->name.data);
 
-    vs->fidp->fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
+    vs->fidp->fs.fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
             gid, flags, mode);
     v9fs_lcreate_post_do_open2(s, vs, err);
     return;
@@ -1833,7 +1836,7 @@ static void v9fs_read_post_dir_lstat(V9fsState *s, V9fsReadState *vs,
                             &vs->v9stat);
     if ((vs->len != (vs->v9stat.size + 2)) ||
             ((vs->count + vs->len) > vs->max_count)) {
-        v9fs_do_seekdir(s, vs->fidp->dir, vs->dir_pos);
+        v9fs_do_seekdir(s, vs->fidp->fs.dir, vs->dir_pos);
         v9fs_read_post_seekdir(s, vs, err);
         return;
     }
@@ -1841,11 +1844,11 @@ static void v9fs_read_post_dir_lstat(V9fsState *s, V9fsReadState *vs,
     v9fs_stat_free(&vs->v9stat);
     v9fs_string_free(&vs->name);
     vs->dir_pos = vs->dent->d_off;
-    vs->dent = v9fs_do_readdir(s, vs->fidp->dir);
+    vs->dent = v9fs_do_readdir(s, vs->fidp->fs.dir);
     v9fs_read_post_readdir(s, vs, err);
     return;
 out:
-    v9fs_do_seekdir(s, vs->fidp->dir, vs->dir_pos);
+    v9fs_do_seekdir(s, vs->fidp->fs.dir, vs->dir_pos);
     v9fs_read_post_seekdir(s, vs, err);
     return;
 
@@ -1873,7 +1876,7 @@ static void v9fs_read_post_readdir(V9fsState *s, V9fsReadState *vs, ssize_t err)
 
 static void v9fs_read_post_telldir(V9fsState *s, V9fsReadState *vs, ssize_t err)
 {
-    vs->dent = v9fs_do_readdir(s, vs->fidp->dir);
+    vs->dent = v9fs_do_readdir(s, vs->fidp->fs.dir);
     v9fs_read_post_readdir(s, vs, err);
     return;
 }
@@ -1881,7 +1884,7 @@ static void v9fs_read_post_telldir(V9fsState *s, V9fsReadState *vs, ssize_t err)
 static void v9fs_read_post_rewinddir(V9fsState *s, V9fsReadState *vs,
                                        ssize_t err)
 {
-    vs->dir_pos = v9fs_do_telldir(s, vs->fidp->dir);
+    vs->dir_pos = v9fs_do_telldir(s, vs->fidp->fs.dir);
     v9fs_read_post_telldir(s, vs, err);
     return;
 }
@@ -1900,7 +1903,7 @@ static void v9fs_read_post_readv(V9fsState *s, V9fsReadState *vs, ssize_t err)
             if (0) {
                 print_sg(vs->sg, vs->cnt);
             }
-            vs->len = v9fs_do_readv(s, vs->fidp->fd, vs->sg, vs->cnt);
+            vs->len = v9fs_do_readv(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
         } while (vs->len == -1 && errno == EINTR);
         if (vs->len == -1) {
             err  = -errno;
@@ -1930,7 +1933,7 @@ static void v9fs_read_post_lseek(V9fsState *s, V9fsReadState *vs, ssize_t err)
             if (0) {
                 print_sg(vs->sg, vs->cnt);
             }
-            vs->len = v9fs_do_readv(s, vs->fidp->fd, vs->sg, vs->cnt);
+            vs->len = v9fs_do_readv(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
         } while (vs->len == -1 && errno == EINTR);
         if (vs->len == -1) {
             err  = -errno;
@@ -1964,18 +1967,18 @@ static void v9fs_read(V9fsState *s, V9fsPDU *pdu)
         goto out;
     }
 
-    if (vs->fidp->dir) {
+    if (vs->fidp->fs.dir) {
         vs->max_count = vs->count;
         vs->count = 0;
         if (vs->off == 0) {
-            v9fs_do_rewinddir(s, vs->fidp->dir);
+            v9fs_do_rewinddir(s, vs->fidp->fs.dir);
         }
         v9fs_read_post_rewinddir(s, vs, err);
         return;
-    } else if (vs->fidp->fd != -1) {
+    } else if (vs->fidp->fs.fd != -1) {
         vs->sg = vs->iov;
         pdu_marshal(vs->pdu, vs->offset + 4, "v", vs->sg, &vs->cnt);
-        err = v9fs_do_lseek(s, vs->fidp->fd, vs->off, SEEK_SET);
+        err = v9fs_do_lseek(s, vs->fidp->fs.fd, vs->off, SEEK_SET);
         v9fs_read_post_lseek(s, vs, err);
         return;
     } else {
@@ -2024,7 +2027,7 @@ static void v9fs_readdir_post_readdir(V9fsState *s, V9fsReadDirState *vs)
 
         if ((vs->count + V9_READDIR_DATA_SZ) > vs->max_count) {
             /* Ran out of buffer. Set dir back to old position and return */
-            v9fs_do_seekdir(s, vs->fidp->dir, vs->saved_dir_pos);
+            v9fs_do_seekdir(s, vs->fidp->fs.dir, vs->saved_dir_pos);
             v9fs_readdir_post_seekdir(s, vs);
             return;
         }
@@ -2045,7 +2048,7 @@ static void v9fs_readdir_post_readdir(V9fsState *s, V9fsReadDirState *vs)
         vs->count += len;
         v9fs_string_free(&vs->name);
         vs->saved_dir_pos = vs->dent->d_off;
-        vs->dent = v9fs_do_readdir(s, vs->fidp->dir);
+        vs->dent = v9fs_do_readdir(s, vs->fidp->fs.dir);
         v9fs_readdir_post_readdir(s, vs);
         return;
     }
@@ -2059,14 +2062,14 @@ static void v9fs_readdir_post_readdir(V9fsState *s, V9fsReadDirState *vs)
 
 static void v9fs_readdir_post_telldir(V9fsState *s, V9fsReadDirState *vs)
 {
-    vs->dent = v9fs_do_readdir(s, vs->fidp->dir);
+    vs->dent = v9fs_do_readdir(s, vs->fidp->fs.dir);
     v9fs_readdir_post_readdir(s, vs);
     return;
 }
 
 static void v9fs_readdir_post_setdir(V9fsState *s, V9fsReadDirState *vs)
 {
-    vs->saved_dir_pos = v9fs_do_telldir(s, vs->fidp->dir);
+    vs->saved_dir_pos = v9fs_do_telldir(s, vs->fidp->fs.dir);
     v9fs_readdir_post_telldir(s, vs);
     return;
 }
@@ -2087,15 +2090,15 @@ static void v9fs_readdir(V9fsState *s, V9fsPDU *pdu)
                                                         &vs->max_count);
 
     vs->fidp = lookup_fid(s, fid);
-    if (vs->fidp == NULL || !(vs->fidp->dir)) {
+    if (vs->fidp == NULL || !(vs->fidp->fs.dir)) {
         err = -EINVAL;
         goto out;
     }
 
     if (vs->initial_offset == 0) {
-        v9fs_do_rewinddir(s, vs->fidp->dir);
+        v9fs_do_rewinddir(s, vs->fidp->fs.dir);
     } else {
-        v9fs_do_seekdir(s, vs->fidp->dir, vs->initial_offset);
+        v9fs_do_seekdir(s, vs->fidp->fs.dir, vs->initial_offset);
     }
 
     v9fs_readdir_post_setdir(s, vs);
@@ -2122,7 +2125,7 @@ static void v9fs_write_post_writev(V9fsState *s, V9fsWriteState *vs,
             if (0) {
                 print_sg(vs->sg, vs->cnt);
             }
-            vs->len =  v9fs_do_writev(s, vs->fidp->fd, vs->sg, vs->cnt);
+            vs->len =  v9fs_do_writev(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
         } while (vs->len == -1 && errno == EINTR);
         if (vs->len == -1) {
             err  = -errno;
@@ -2151,7 +2154,7 @@ static void v9fs_write_post_lseek(V9fsState *s, V9fsWriteState *vs, ssize_t err)
             if (0) {
                 print_sg(vs->sg, vs->cnt);
             }
-            vs->len = v9fs_do_writev(s, vs->fidp->fd, vs->sg, vs->cnt);
+            vs->len = v9fs_do_writev(s, vs->fidp->fs.fd, vs->sg, vs->cnt);
         } while (vs->len == -1 && errno == EINTR);
         if (vs->len == -1) {
             err  = -errno;
@@ -2188,12 +2191,12 @@ static void v9fs_write(V9fsState *s, V9fsPDU *pdu)
         goto out;
     }
 
-    if (vs->fidp->fd == -1) {
+    if (vs->fidp->fs.fd == -1) {
         err = -EINVAL;
         goto out;
     }
 
-    err = v9fs_do_lseek(s, vs->fidp->fd, vs->off, SEEK_SET);
+    err = v9fs_do_lseek(s, vs->fidp->fs.fd, vs->off, SEEK_SET);
 
     v9fs_write_post_lseek(s, vs, err);
     return;
@@ -2245,9 +2248,10 @@ static void v9fs_create_post_perms(V9fsState *s, V9fsCreateState *vs, int err)
 static void v9fs_create_post_opendir(V9fsState *s, V9fsCreateState *vs,
                                                                     int err)
 {
-    if (!vs->fidp->dir) {
+    if (!vs->fidp->fs.dir) {
         err = -errno;
     }
+    vs->fidp->fid_type = P9_FID_DIR;
     v9fs_post_create(s, vs, err);
 }
 
@@ -2259,7 +2263,7 @@ static void v9fs_create_post_dir_lstat(V9fsState *s, V9fsCreateState *vs,
         goto out;
     }
 
-    vs->fidp->dir = v9fs_do_opendir(s, &vs->fullname);
+    vs->fidp->fs.dir = v9fs_do_opendir(s, &vs->fullname);
     v9fs_create_post_opendir(s, vs, err);
     return;
 
@@ -2285,22 +2289,22 @@ out:
 static void v9fs_create_post_fstat(V9fsState *s, V9fsCreateState *vs, int err)
 {
     if (err) {
-        vs->fidp->fd = -1;
+        vs->fidp->fid_type = P9_FID_NONE;
+        close(vs->fidp->fs.fd);
         err = -errno;
     }
-
     v9fs_post_create(s, vs, err);
     return;
 }
 
 static void v9fs_create_post_open2(V9fsState *s, V9fsCreateState *vs, int err)
 {
-    if (vs->fidp->fd == -1) {
+    if (vs->fidp->fs.fd == -1) {
         err = -errno;
         goto out;
     }
-
-    err = v9fs_do_fstat(s, vs->fidp->fd, &vs->stbuf);
+    vs->fidp->fid_type = P9_FID_FILE;
+    err = v9fs_do_fstat(s, vs->fidp->fs.fd, &vs->stbuf);
     v9fs_create_post_fstat(s, vs, err);
 
     return;
@@ -2371,7 +2375,7 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
                 0, vs->fidp->uid, -1);
         v9fs_post_create(s, vs, err);
     } else {
-        vs->fidp->fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
+        vs->fidp->fs.fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
                 -1, omode_to_uflags(vs->mode)|O_CREAT, vs->perm);
 
         v9fs_create_post_open2(s, vs, err);
@@ -2615,8 +2619,7 @@ static int v9fs_complete_rename(V9fsState *s, V9fsRenameState *vs)
             goto out;
         }
 
-        BUG_ON(dirfidp->fd != -1);
-        BUG_ON(dirfidp->dir);
+        BUG_ON(dirfidp->fid_type != P9_FID_NONE);
 
         new_name = qemu_mallocz(dirfidp->path.size + vs->name.size + 2);
 
@@ -2727,8 +2730,7 @@ static void v9fs_rename(V9fsState *s, V9fsPDU *pdu)
         goto out;
     }
 
-    BUG_ON(vs->fidp->fd != -1);
-    BUG_ON(vs->fidp->dir);
+    BUG_ON(vs->fidp->fid_type != P9_FID_NONE);
 
     err = v9fs_complete_rename(s, vs);
     v9fs_rename_post_rename(s, vs, err);
@@ -2855,7 +2857,7 @@ static void v9fs_wstat(V9fsState *s, V9fsPDU *pdu)
 
     /* do we need to sync the file? */
     if (donttouch_stat(&vs->v9stat)) {
-        err = v9fs_do_fsync(s, vs->fidp->fd);
+        err = v9fs_do_fsync(s, vs->fidp->fs.fd);
         v9fs_wstat_post_fsync(s, vs, err);
         return;
     }
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index cd7c67e..faca6b2 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -155,12 +155,32 @@ typedef struct V9fsStat
     int32_t n_muid;
 } V9fsStat;
 
+enum {
+    P9_FID_NONE = 0,
+    P9_FID_FILE,
+    P9_FID_DIR,
+    P9_FID_XATTR,
+};
+
+typedef struct V9fsXattr
+{
+    int64_t copied_len;
+    int64_t len;
+    void *value;
+    V9fsString name;
+    int flags;
+} V9fsXattr;
+
 struct V9fsFidState
 {
+    int fid_type;
     int32_t fid;
     V9fsString path;
-    int fd;
-    DIR *dir;
+    union {
+	int fd;
+	DIR *dir;
+	V9fsXattr xattr;
+    } fs;
     uid_t uid;
     V9fsFidState *next;
 };
commit 771e9d4c1cd9ade4bd9b46a9c4367997d1b95fd3
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Tue Jun 22 19:47:04 2010 +0530

    [virtio-9p] qemu: virtio-9p: Implement LOPEN
    
    Implement 9p2000.L version of open(LOPEN) interface in qemu 9p server.
    
    For LOPEN, no need to convert the flags to and from 9p mode to VFS mode.
    
    Synopsis:
    
        size[4] Tlopen tag[2] fid[4] mode[4]
    
        size[4] Rlopen tag[2] qid[13] iounit[4]
    
    Current qemu 9p server does not support following flags:
        O_NOCTTY, O_NONBLOCK, O_ASYNC & O_CLOEXEC
    
    [Fix mode format - jvrao at linux.vnet.ibm.com]
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 88dd496..deeacbd 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1621,8 +1621,19 @@ out:
     qemu_free(vs);
 }
 
+static inline int valid_flags(int flag)
+{
+    if (flag & O_NOCTTY || flag & O_NONBLOCK || flag & O_ASYNC ||
+            flag & O_CLOEXEC)
+        return 0;
+    else
+        return 1;
+}
+
 static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
 {
+    int flags;
+
     if (err) {
         err = -errno;
         goto out;
@@ -1634,8 +1645,16 @@ static void v9fs_open_post_lstat(V9fsState *s, V9fsOpenState *vs, int err)
         vs->fidp->dir = v9fs_do_opendir(s, &vs->fidp->path);
         v9fs_open_post_opendir(s, vs, err);
     } else {
-        vs->fidp->fd = v9fs_do_open(s, &vs->fidp->path,
-                                    omode_to_uflags(vs->mode));
+        if (s->proto_version == V9FS_PROTO_2000L) {
+            if (!valid_flags(vs->mode)) {
+                err = -EINVAL;
+                goto out;
+            }
+            flags = vs->mode;
+        } else {
+            flags = omode_to_uflags(vs->mode);
+        }
+        vs->fidp->fd = v9fs_do_open(s, &vs->fidp->path, flags);
         v9fs_open_post_open(s, vs, err);
     }
     return;
@@ -1650,12 +1669,16 @@ static void v9fs_open(V9fsState *s, V9fsPDU *pdu)
     V9fsOpenState *vs;
     ssize_t err = 0;
 
-
     vs = qemu_malloc(sizeof(*vs));
     vs->pdu = pdu;
     vs->offset = 7;
+    vs->mode = 0;
 
-    pdu_unmarshal(vs->pdu, vs->offset, "db", &fid, &vs->mode);
+    if (s->proto_version == V9FS_PROTO_2000L) {
+        pdu_unmarshal(vs->pdu, vs->offset, "dd", &fid, &vs->mode);
+    } else {
+        pdu_unmarshal(vs->pdu, vs->offset, "db", &fid, &vs->mode);
+    }
 
     vs->fidp = lookup_fid(s, fid);
     if (vs->fidp == NULL) {
@@ -3076,6 +3099,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TRENAME] = v9fs_rename,
     [P9_TMKDIR] = v9fs_mkdir,
     [P9_TVERSION] = v9fs_version,
+    [P9_TLOPEN] = v9fs_open,
     [P9_TATTACH] = v9fs_attach,
     [P9_TSTAT] = v9fs_stat,
     [P9_TWALK] = v9fs_walk,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 4d179b7..cd7c67e 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -15,6 +15,8 @@
 enum {
     P9_TSTATFS = 8,
     P9_RSTATFS,
+    P9_TLOPEN = 12,
+    P9_RLOPEN,
     P9_TLCREATE = 14,
     P9_RLCREATE,
     P9_TSYMLINK = 16,
@@ -259,7 +261,7 @@ typedef struct V9fsWalkState {
 typedef struct V9fsOpenState {
     V9fsPDU *pdu;
     size_t offset;
-    int8_t mode;
+    int32_t mode;
     V9fsFidState *fidp;
     V9fsQID qid;
     struct stat stbuf;
commit c7b4b0b302709928b84582881a7b4fb6c1e39e2b
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Tue Jun 22 12:29:41 2010 +0530

    rename - change name of file or directory
    
    size[4] Trename tag[2] fid[4] newdirfid[4] name[s]
    size[4] Rrename tag[2]
    
    Implement the 2000.L rename operation. A new function
    v9fs_complete_rename is introduced that acts as a common entry point
    for 2000.L rename operation and 2000.U rename opearation (via wstat).
    As part of this change the field 'nname' (used only for rename) is
    removed from the structure V9fsWstatState. Instead a new structure
    V9fsRenameState is used for rename operations both by 2000.U and 2000.L
    code paths. Both 2000.U and 2000.L rename code paths construct the
    V9fsRenameState structure and passes that to v9fs_complete_rename
    function.
    
    Changes from previous version:
     Use qemu_mallocz to initialize
     Use strcpy,strcat functions instead of memcpy
     Changed the variable name to newdirfid
     Introduced post rename function
     Error checking
     Removed nname field from V9fsWstatState
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 7ea0e96..88dd496 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -2563,11 +2563,6 @@ static void v9fs_wstat_post_rename(V9fsState *s, V9fsWstatState *vs, int err)
     if (err < 0) {
         goto out;
     }
-
-    if (vs->v9stat.name.size != 0) {
-        v9fs_string_free(&vs->nname);
-    }
-
     if (vs->v9stat.length != -1) {
         if (v9fs_do_truncate(s, &vs->fidp->path, vs->v9stat.length) < 0) {
             err = -errno;
@@ -2582,17 +2577,30 @@ out:
     qemu_free(vs);
 }
 
-static void v9fs_wstat_post_chown(V9fsState *s, V9fsWstatState *vs, int err)
+static int v9fs_complete_rename(V9fsState *s, V9fsRenameState *vs)
 {
-    V9fsFidState *fidp;
-    if (err < 0) {
-        goto out;
-    }
+    int err = 0;
+    char *old_name, *new_name;
+    char *end;
 
-    if (vs->v9stat.name.size != 0) {
-        char *old_name, *new_name;
-        char *end;
+    if (vs->newdirfid != -1) {
+        V9fsFidState *dirfidp;
+        dirfidp = lookup_fid(s, vs->newdirfid);
+
+        if (dirfidp == NULL) {
+            err = -ENOENT;
+            goto out;
+        }
+
+        BUG_ON(dirfidp->fd != -1);
+        BUG_ON(dirfidp->dir);
 
+        new_name = qemu_mallocz(dirfidp->path.size + vs->name.size + 2);
+
+        strcpy(new_name, dirfidp->path.data);
+        strcat(new_name, "/");
+        strcat(new_name + dirfidp->path.size, vs->name.data);
+    } else {
         old_name = vs->fidp->path.data;
         end = strrchr(old_name, '/');
         if (end) {
@@ -2600,43 +2608,75 @@ static void v9fs_wstat_post_chown(V9fsState *s, V9fsWstatState *vs, int err)
         } else {
             end = old_name;
         }
+        new_name = qemu_mallocz(end - old_name + vs->name.size + 1);
 
-        new_name = qemu_mallocz(end - old_name + vs->v9stat.name.size + 1);
+        strncat(new_name, old_name, end - old_name);
+        strncat(new_name + (end - old_name), vs->name.data, vs->name.size);
+    }
 
-        memcpy(new_name, old_name, end - old_name);
-        memcpy(new_name + (end - old_name), vs->v9stat.name.data,
-                vs->v9stat.name.size);
-        vs->nname.data = new_name;
-        vs->nname.size = strlen(new_name);
+    v9fs_string_free(&vs->name);
+    vs->name.data = qemu_strdup(new_name);
+    vs->name.size = strlen(new_name);
 
-        if (strcmp(new_name, vs->fidp->path.data) != 0) {
-            if (v9fs_do_rename(s, &vs->fidp->path, &vs->nname)) {
-                err = -errno;
-            } else {
-                /*
-                 * Fixup fid's pointing to the old name to
-                 * start pointing to the new name
-                 */
-                for (fidp = s->fid_list; fidp; fidp = fidp->next) {
-
-                    if (vs->fidp == fidp) {
-                        /*
-                         * we replace name of this fid towards the end
-                         * so that our below strcmp will work
-                         */
-                        continue;
-                    }
-                    if (!strncmp(vs->fidp->path.data, fidp->path.data,
-                                 strlen(vs->fidp->path.data))) {
-                        /* replace the name */
-                        v9fs_fix_path(&fidp->path, &vs->nname,
-                                      strlen(vs->fidp->path.data));
-                    }
+    if (strcmp(new_name, vs->fidp->path.data) != 0) {
+        if (v9fs_do_rename(s, &vs->fidp->path, &vs->name)) {
+            err = -errno;
+        } else {
+            V9fsFidState *fidp;
+            /*
+            * Fixup fid's pointing to the old name to
+            * start pointing to the new name
+            */
+            for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+                if (vs->fidp == fidp) {
+                    /*
+                    * we replace name of this fid towards the end
+                    * so that our below strcmp will work
+                    */
+                    continue;
+                }
+                if (!strncmp(vs->fidp->path.data, fidp->path.data,
+                    strlen(vs->fidp->path.data))) {
+                    /* replace the name */
+                    v9fs_fix_path(&fidp->path, &vs->name,
+                                  strlen(vs->fidp->path.data));
                 }
-                v9fs_string_copy(&vs->fidp->path, &vs->nname);
             }
+            v9fs_string_copy(&vs->fidp->path, &vs->name);
         }
     }
+out:
+    v9fs_string_free(&vs->name);
+    return err;
+}
+
+static void v9fs_rename_post_rename(V9fsState *s, V9fsRenameState *vs, int err)
+{
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
+static void v9fs_wstat_post_chown(V9fsState *s, V9fsWstatState *vs, int err)
+{
+    if (err < 0) {
+        goto out;
+    }
+
+    if (vs->v9stat.name.size != 0) {
+        V9fsRenameState *vr;
+
+        vr = qemu_malloc(sizeof(V9fsRenameState));
+        memset(vr, sizeof(*vr), 0);
+        vr->newdirfid = -1;
+        vr->pdu = vs->pdu;
+        vr->fidp = vs->fidp;
+        vr->offset = vs->offset;
+        vr->name.size = vs->v9stat.name.size;
+        vr->name.data = qemu_strdup(vs->v9stat.name.data);
+
+        err = v9fs_complete_rename(s, vr);
+        qemu_free(vr);
+    }
     v9fs_wstat_post_rename(s, vs, err);
     return;
 
@@ -2646,6 +2686,35 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_rename(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsRenameState *vs;
+    ssize_t err = 0;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    pdu_unmarshal(vs->pdu, vs->offset, "dds", &fid, &vs->newdirfid, &vs->name);
+
+    vs->fidp = lookup_fid(s, fid);
+    if (vs->fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    BUG_ON(vs->fidp->fd != -1);
+    BUG_ON(vs->fidp->dir);
+
+    err = v9fs_complete_rename(s, vs);
+    v9fs_rename_post_rename(s, vs, err);
+    return;
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 static void v9fs_wstat_post_utime(V9fsState *s, V9fsWstatState *vs, int err)
 {
     if (err < 0) {
@@ -3004,6 +3073,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TGETATTR] = v9fs_getattr,
     [P9_TSETATTR] = v9fs_setattr,
     [P9_TMKNOD] = v9fs_mknod,
+    [P9_TRENAME] = v9fs_rename,
     [P9_TMKDIR] = v9fs_mkdir,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 91cc0ae..4d179b7 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -21,6 +21,8 @@ enum {
     P9_RSYMLINK,
     P9_TMKNOD = 18,
     P9_RMKNOD,
+    P9_TRENAME = 20,
+    P9_RRENAME,
     P9_TGETATTR = 24,
     P9_RGETATTR,
     P9_TSETATTR = 26,
@@ -310,7 +312,6 @@ typedef struct V9fsWstatState
     V9fsStat v9stat;
     V9fsFidState *fidp;
     struct stat stbuf;
-    V9fsString nname;
 } V9fsWstatState;
 
 typedef struct V9fsSymlinkState
@@ -385,6 +386,14 @@ typedef struct V9fsMkState {
     V9fsString fullname;
 } V9fsMkState;
 
+typedef struct V9fsRenameState {
+    V9fsPDU *pdu;
+    V9fsFidState *fidp;
+    size_t offset;
+    int32_t newdirfid;
+    V9fsString name;
+} V9fsRenameState;
+
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
 
commit b67592ea567dd8d19c4274eb35580e5922783c89
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Tue Jun 22 12:25:22 2010 +0530

    qemu: virtio-9p: Implement TMKDIR
    
    Synopsis
    
        size[4] Tmkdir tag[2] fid[4] name[s] mode[4] gid[4]
    
        size[4] Rmkdir tag[2] qid[13]
    
    Description
    
        mkdir asks the file server to create a directory with given name,
        mode and gid. The qid for the new directory is returned with
        the mkdir reply message.
    
    Note: 72 is selected as the opcode for TMKDIR from the reserved list.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    [jvrao at linux.vnet.ibm.com: Fix perm handling when creating directory]
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 6a527ce..949a4bf 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -367,6 +367,17 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_data(pdu, 1, &offset, ", data");
 #endif
         break;
+    case P9_TMKDIR:
+        fprintf(llogfile, "TMKDIR: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_str(pdu, 0, &offset, "name");
+        pprint_int32(pdu, 0, &offset, "mode");
+        pprint_int32(pdu, 0, &offset, "gid");
+        break;
+    case P9_RMKDIR:
+        fprintf(llogfile, "RMKDIR: (");
+        pprint_qid(pdu, 0, &offset, "qid");
+        break;
     case P9_TVERSION:
         fprintf(llogfile, "TVERSION: (");
         pprint_int32(pdu, 0, &offset, "msize");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 41be585..7ea0e96 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -172,15 +172,17 @@ static int v9fs_do_mknod(V9fsState *s, char *name,
     return s->ops->mknod(&s->ctx, name, &cred);
 }
 
-static int v9fs_do_mkdir(V9fsState *s, V9fsCreateState *vs)
+static int v9fs_do_mkdir(V9fsState *s, char *name, mode_t mode,
+                uid_t uid, gid_t gid)
 {
     FsCred cred;
 
     cred_init(&cred);
-    cred.fc_uid = vs->fidp->uid;
-    cred.fc_mode = vs->perm & 0777;
+    cred.fc_uid = uid;
+    cred.fc_gid = gid;
+    cred.fc_mode = mode;
 
-    return s->ops->mkdir(&s->ctx, vs->fullname.data, &cred);
+    return s->ops->mkdir(&s->ctx, name, &cred);
 }
 
 static int v9fs_do_fstat(V9fsState *s, int fd, struct stat *stbuf)
@@ -2294,7 +2296,8 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
     }
 
     if (vs->perm & P9_STAT_MODE_DIR) {
-        err = v9fs_do_mkdir(s, vs);
+        err = v9fs_do_mkdir(s, vs->fullname.data, vs->perm & 0777,
+                vs->fidp->uid, -1);
         v9fs_create_post_mkdir(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SYMLINK) {
         err = v9fs_do_symlink(s, vs->fidp, vs->extension.data,
@@ -2924,6 +2927,75 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_mkdir_post_lstat(V9fsState *s, V9fsMkState *vs, int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    stat_to_qid(&vs->stbuf, &vs->qid);
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "Q", &vs->qid);
+    err = vs->offset;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->fullname);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+static void v9fs_mkdir_post_mkdir(V9fsState *s, V9fsMkState *vs, int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    err = v9fs_do_lstat(s, &vs->fullname, &vs->stbuf);
+    v9fs_mkdir_post_lstat(s, vs, err);
+    return;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->fullname);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+static void v9fs_mkdir(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsMkState *vs;
+    int err = 0;
+    V9fsFidState *fidp;
+    gid_t gid;
+    int mode;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    v9fs_string_init(&vs->fullname);
+    pdu_unmarshal(vs->pdu, vs->offset, "dsdd", &fid, &vs->name, &mode,
+        &gid);
+
+    fidp = lookup_fid(s, fid);
+    if (fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    v9fs_string_sprintf(&vs->fullname, "%s/%s", fidp->path.data, vs->name.data);
+    err = v9fs_do_mkdir(s, vs->fullname.data, mode, fidp->uid, gid);
+    v9fs_mkdir_post_mkdir(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->fullname);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
 static pdu_handler_t *pdu_handlers[] = {
@@ -2932,6 +3004,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TGETATTR] = v9fs_getattr,
     [P9_TSETATTR] = v9fs_setattr,
     [P9_TMKNOD] = v9fs_mknod,
+    [P9_TMKDIR] = v9fs_mkdir,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
     [P9_TSTAT] = v9fs_stat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 8ba45ac..91cc0ae 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -29,6 +29,8 @@ enum {
     P9_RREADDIR,
     P9_TLINK = 70,
     P9_RLINK,
+    P9_TMKDIR = 72,
+    P9_RMKDIR,
     P9_TVERSION = 100,
     P9_RVERSION,
     P9_TAUTH = 102,
commit 5268cecc6d02b52f4aad92d418abce13edcfa579
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Tue Jun 22 12:24:09 2010 +0530

    qemu: virtio-9p: Implement TMKNOD
    
    Implement TMKNOD as part of 2000.L Work
    
    Synopsis
    
        size[4] Tmknod tag[2] fid[4] name[s] mode[4] major[4] minor[4] gid[4]
    
        size[4] Rmknod tag[2] qid[13]
    
    Description
    
        mknod asks the file server to create a device node with given device
        type, mode and gid. The qid for the new device node is returned with
        the mknod reply message.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index a8abdd2..6a527ce 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -488,6 +488,19 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_qid(pdu, 1, &offset, "qid");
         pprint_int32(pdu, 1, &offset, ", iounit");
         break;
+    case P9_TMKNOD:
+	fprintf(llogfile, "TMKNOD: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_str(pdu, 0, &offset, "name");
+        pprint_int32(pdu, 0, &offset, "mode");
+        pprint_int32(pdu, 0, &offset, "major");
+        pprint_int32(pdu, 0, &offset, "minor");
+        pprint_int32(pdu, 0, &offset, "gid");
+        break;
+    case P9_RMKNOD:
+        fprintf(llogfile, "RMKNOD: )");
+        pprint_qid(pdu, 0, &offset, "qid");
+        break;
     case P9_TREAD:
         fprintf(llogfile, "TREAD: (");
         pprint_int32(pdu, 0, &offset, "fid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 39f7071..41be585 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -160,15 +160,16 @@ static int v9fs_do_chmod(V9fsState *s, V9fsString *path, mode_t mode)
     return s->ops->chmod(&s->ctx, path->data, &cred);
 }
 
-static int v9fs_do_mknod(V9fsState *s, V9fsCreateState *vs, mode_t mode,
-        dev_t dev)
+static int v9fs_do_mknod(V9fsState *s, char *name,
+        mode_t mode, dev_t dev, uid_t uid, gid_t gid)
 {
     FsCred cred;
     cred_init(&cred);
-    cred.fc_uid = vs->fidp->uid;
+    cred.fc_uid = uid;
+    cred.fc_gid = gid;
     cred.fc_mode = mode;
     cred.fc_rdev = dev;
-    return s->ops->mknod(&s->ctx, vs->fullname.data, &cred);
+    return s->ops->mknod(&s->ctx, name, &cred);
 }
 
 static int v9fs_do_mkdir(V9fsState *s, V9fsCreateState *vs)
@@ -2332,13 +2333,16 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         }
 
         nmode |= vs->perm & 0777;
-        err = v9fs_do_mknod(s, vs, nmode, makedev(major, minor));
+        err = v9fs_do_mknod(s, vs->fullname.data, nmode,
+                makedev(major, minor), vs->fidp->uid, -1);
         v9fs_create_post_perms(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_NAMED_PIPE) {
-        err = v9fs_do_mknod(s, vs, S_IFIFO | (vs->perm & 0777), 0);
+        err = v9fs_do_mknod(s, vs->fullname.data, S_IFIFO | (vs->perm & 0777),
+                0, vs->fidp->uid, -1);
         v9fs_post_create(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SOCKET) {
-        err = v9fs_do_mknod(s, vs, S_IFSOCK | (vs->perm & 0777), 0);
+        err = v9fs_do_mknod(s, vs->fullname.data, S_IFSOCK | (vs->perm & 0777),
+                0, vs->fidp->uid, -1);
         v9fs_post_create(s, vs, err);
     } else {
         vs->fidp->fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
@@ -2849,6 +2853,77 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_mknod_post_lstat(V9fsState *s, V9fsMkState *vs, int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    stat_to_qid(&vs->stbuf, &vs->qid);
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "Q", &vs->qid);
+    err = vs->offset;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->fullname);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+static void v9fs_mknod_post_mknod(V9fsState *s, V9fsMkState *vs, int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    err = v9fs_do_lstat(s, &vs->fullname, &vs->stbuf);
+    v9fs_mknod_post_lstat(s, vs, err);
+    return;
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->fullname);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
+static void v9fs_mknod(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsMkState *vs;
+    int err = 0;
+    V9fsFidState *fidp;
+    gid_t gid;
+    int mode;
+    int major, minor;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    v9fs_string_init(&vs->fullname);
+    pdu_unmarshal(vs->pdu, vs->offset, "dsdddd", &fid, &vs->name, &mode,
+        &major, &minor, &gid);
+
+    fidp = lookup_fid(s, fid);
+    if (fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    v9fs_string_sprintf(&vs->fullname, "%s/%s", fidp->path.data, vs->name.data);
+    err = v9fs_do_mknod(s, vs->fullname.data, mode, makedev(major, minor),
+        fidp->uid, gid);
+    v9fs_mknod_post_mknod(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->fullname);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
 static pdu_handler_t *pdu_handlers[] = {
@@ -2856,6 +2931,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TSTATFS] = v9fs_statfs,
     [P9_TGETATTR] = v9fs_getattr,
     [P9_TSETATTR] = v9fs_setattr,
+    [P9_TMKNOD] = v9fs_mknod,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
     [P9_TSTAT] = v9fs_stat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index ad4d216..8ba45ac 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -19,6 +19,8 @@ enum {
     P9_RLCREATE,
     P9_TSYMLINK = 16,
     P9_RSYMLINK,
+    P9_TMKNOD = 18,
+    P9_RMKNOD,
     P9_TGETATTR = 24,
     P9_RGETATTR,
     P9_TSETATTR = 26,
@@ -372,6 +374,15 @@ typedef struct V9fsStatfsState {
     struct statfs stbuf;
 } V9fsStatfsState;
 
+typedef struct V9fsMkState {
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsQID qid;
+    struct stat stbuf;
+    V9fsString name;
+    V9fsString fullname;
+} V9fsMkState;
+
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
 
commit c1568af597d71b2171c9b2ffffb336c2fdee205e
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Thu Jun 17 18:27:24 2010 -0700

    [virtio-9p]  This patch implements TLCREATE for 9p2000.L protocol.
    
    SYNOPSIS
    
        size[4] Tlcreate tag[2] fid[4] name[s] flags[4] mode[4] gid[4]
    
        size[4] Rlcreate tag[2] qid[13] iounit[4]
    
    DESCRIPTION
    
    The Tlreate request asks the file server to create a new regular file with the
    name supplied, in the directory (dir) represented by fid.
    The mode argument specifies the permissions to use. New file is created with
    the uid if the fid and with supplied gid.
    
    The flags argument represent Linux access mode flags with which the caller
    is requesting to open the file with. Protocol allows all the Linux access
    modes but it is upto the server to allow/disallow any of these acess modes.
    If the server doesn't support any of the access mode, it is expected to
    return error.
    
    To start with we will not restricit/limit any Linux flags on this server.
    If needed, We can start restricting as we move forward with various use cases.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 54179aa..a8abdd2 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -475,6 +475,19 @@ void pprint_pdu(V9fsPDU *pdu)
         fprintf(llogfile, "RSYMLINK: (");
         pprint_qid(pdu, 1, &offset, "qid");
         break;
+    case P9_TLCREATE:
+        fprintf(llogfile, "TLCREATE: (");
+        pprint_int32(pdu, 0, &offset, "dfid");
+        pprint_str(pdu, 0, &offset, ", name");
+        pprint_int32(pdu, 0, &offset, ", flags");
+        pprint_int32(pdu, 0, &offset, ", mode");
+        pprint_int32(pdu, 0, &offset, ", gid");
+        break;
+    case P9_RLCREATE:
+        fprintf(llogfile, "RLCREATE: (");
+        pprint_qid(pdu, 1, &offset, "qid");
+        pprint_int32(pdu, 1, &offset, ", iounit");
+        break;
     case P9_TREAD:
         fprintf(llogfile, "TREAD: (");
         pprint_int32(pdu, 0, &offset, "fid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 1036b49..39f7071 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -187,17 +187,18 @@ static int v9fs_do_fstat(V9fsState *s, int fd, struct stat *stbuf)
     return s->ops->fstat(&s->ctx, fd, stbuf);
 }
 
-static int v9fs_do_open2(V9fsState *s, V9fsCreateState *vs)
+static int v9fs_do_open2(V9fsState *s, char *fullname, uid_t uid, gid_t gid,
+        int flags, int mode)
 {
     FsCred cred;
-    int flags;
 
     cred_init(&cred);
-    cred.fc_uid = vs->fidp->uid;
-    cred.fc_mode = vs->perm & 0777;
-    flags = omode_to_uflags(vs->mode) | O_CREAT;
+    cred.fc_uid = uid;
+    cred.fc_gid = gid;
+    cred.fc_mode = mode & 07777;
+    flags = flags;
 
-    return s->ops->open2(&s->ctx, vs->fullname.data, flags, &cred);
+    return s->ops->open2(&s->ctx, fullname, flags, &cred);
 }
 
 static int v9fs_do_symlink(V9fsState *s, V9fsFidState *fidp,
@@ -1671,6 +1672,88 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_post_lcreate(V9fsState *s, V9fsLcreateState *vs, int err)
+{
+    if (err == 0) {
+        v9fs_string_copy(&vs->fidp->path, &vs->fullname);
+        stat_to_qid(&vs->stbuf, &vs->qid);
+        vs->offset += pdu_marshal(vs->pdu, vs->offset, "Qd", &vs->qid,
+                &vs->iounit);
+        err = vs->offset;
+    } else {
+        err = -errno;
+    }
+
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    v9fs_string_free(&vs->fullname);
+    qemu_free(vs);
+}
+
+static void v9fs_lcreate_post_get_iounit(V9fsState *s, V9fsLcreateState *vs,
+        int err)
+{
+    if (err) {
+        err = -errno;
+        goto out;
+    }
+    err = v9fs_do_lstat(s, &vs->fullname, &vs->stbuf);
+
+out:
+    v9fs_post_lcreate(s, vs, err);
+}
+
+static void v9fs_lcreate_post_do_open2(V9fsState *s, V9fsLcreateState *vs,
+        int err)
+{
+    if (vs->fidp->fd == -1) {
+        err = -errno;
+        goto out;
+    }
+    vs->iounit =  get_iounit(s, &vs->fullname);
+    v9fs_lcreate_post_get_iounit(s, vs, err);
+    return;
+
+out:
+    v9fs_post_lcreate(s, vs, err);
+}
+
+static void v9fs_lcreate(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t dfid, flags, mode;
+    gid_t gid;
+    V9fsLcreateState *vs;
+    ssize_t err = 0;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    v9fs_string_init(&vs->fullname);
+
+    pdu_unmarshal(vs->pdu, vs->offset, "dsddd", &dfid, &vs->name, &flags,
+            &mode, &gid);
+
+    vs->fidp = lookup_fid(s, dfid);
+    if (vs->fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    v9fs_string_sprintf(&vs->fullname, "%s/%s", vs->fidp->path.data,
+             vs->name.data);
+
+    vs->fidp->fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
+            gid, flags, mode);
+    v9fs_lcreate_post_do_open2(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    qemu_free(vs);
+}
+
 static void v9fs_clunk(V9fsState *s, V9fsPDU *pdu)
 {
     int32_t fid;
@@ -2258,7 +2341,9 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         err = v9fs_do_mknod(s, vs, S_IFSOCK | (vs->perm & 0777), 0);
         v9fs_post_create(s, vs, err);
     } else {
-        vs->fidp->fd = v9fs_do_open2(s, vs);
+        vs->fidp->fd = v9fs_do_open2(s, vs->fullname.data, vs->fidp->uid,
+                -1, omode_to_uflags(vs->mode)|O_CREAT, vs->perm);
+
         v9fs_create_post_open2(s, vs, err);
     }
 
@@ -2785,6 +2870,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TLINK] = v9fs_link,
     [P9_TSYMLINK] = v9fs_symlink,
     [P9_TCREATE] = v9fs_create,
+    [P9_TLCREATE] = v9fs_lcreate,
     [P9_TWRITE] = v9fs_write,
     [P9_TWSTAT] = v9fs_wstat,
     [P9_TREMOVE] = v9fs_remove,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 3671863..ad4d216 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -15,6 +15,8 @@
 enum {
     P9_TSTATFS = 8,
     P9_RSTATFS,
+    P9_TLCREATE = 14,
+    P9_RLCREATE,
     P9_TSYMLINK = 16,
     P9_RSYMLINK,
     P9_TGETATTR = 24,
@@ -185,6 +187,17 @@ typedef struct V9fsCreateState {
     int iounit;
 } V9fsCreateState;
 
+typedef struct V9fsLcreateState {
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsFidState *fidp;
+    V9fsQID qid;
+    int32_t iounit;
+    struct stat stbuf;
+    V9fsString name;
+    V9fsString fullname;
+} V9fsLcreateState;
+
 typedef struct V9fsStatState {
     V9fsPDU *pdu;
     size_t offset;
commit 08c60fc9cd5823a1660b3e3cd50c8f019e6cc1ac
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Wed Jun 9 14:02:08 2010 -0700

    [virtio-9p] Define and implement TSYMLINK for 9P2000.L
    
    This patch implements creating a symlink for TSYMLINK request
    and responds with RSYMLINK. In the case of error, we return RERROR.
    
    SYNOPSIS
    
        size[4] Tsymlink tag[2] fid[4] name[s] symtgt[s] gid[4]
    
        size[4] Rsymlink tag[2] qid[13]
    
        DESCRIPTION
    
        Create a symbolic link named 'name' pointing to 'symtgt'.
        gid represents the effective group id of the caller.
        The  permissions of a symbolic link are irrelevant hence it is omitted
        from the protocol.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 2e61e9d..54179aa 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -464,6 +464,17 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_qid(pdu, 1, &offset, "qid");
         pprint_int32(pdu, 1, &offset, ", iounit");
         break;
+    case P9_TSYMLINK:
+        fprintf(llogfile, "TSYMLINK: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_str(pdu, 0, &offset, ", name");
+        pprint_str(pdu, 0, &offset, ", symname");
+        pprint_int32(pdu, 0, &offset, ", gid");
+        break;
+    case P9_RSYMLINK:
+        fprintf(llogfile, "RSYMLINK: (");
+        pprint_qid(pdu, 1, &offset, "qid");
+        break;
     case P9_TREAD:
         fprintf(llogfile, "TREAD: (");
         pprint_int32(pdu, 0, &offset, "fid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index d1c3cf8..1036b49 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -200,15 +200,16 @@ static int v9fs_do_open2(V9fsState *s, V9fsCreateState *vs)
     return s->ops->open2(&s->ctx, vs->fullname.data, flags, &cred);
 }
 
-static int v9fs_do_symlink(V9fsState *s, V9fsCreateState *vs)
+static int v9fs_do_symlink(V9fsState *s, V9fsFidState *fidp,
+        const char *oldpath, const char *newpath, gid_t gid)
 {
     FsCred cred;
     cred_init(&cred);
-    cred.fc_uid = vs->fidp->uid;
-    cred.fc_mode = vs->perm | 0777;
+    cred.fc_uid = fidp->uid;
+    cred.fc_gid = gid;
+    cred.fc_mode = 0777;
 
-    return s->ops->symlink(&s->ctx, vs->extension.data, vs->fullname.data,
-            &cred);
+    return s->ops->symlink(&s->ctx, oldpath, newpath, &cred);
 }
 
 static int v9fs_do_link(V9fsState *s, V9fsString *oldpath, V9fsString *newpath)
@@ -2212,7 +2213,8 @@ static void v9fs_create_post_lstat(V9fsState *s, V9fsCreateState *vs, int err)
         err = v9fs_do_mkdir(s, vs);
         v9fs_create_post_mkdir(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_SYMLINK) {
-        err = v9fs_do_symlink(s, vs);
+        err = v9fs_do_symlink(s, vs->fidp, vs->extension.data,
+                vs->fullname.data, -1);
         v9fs_create_post_perms(s, vs, err);
     } else if (vs->perm & P9_STAT_MODE_LINK) {
         int32_t nfid = atoi(vs->extension.data);
@@ -2301,6 +2303,69 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_post_symlink(V9fsState *s, V9fsSymlinkState *vs, int err)
+{
+    if (err == 0) {
+        stat_to_qid(&vs->stbuf, &vs->qid);
+        vs->offset += pdu_marshal(vs->pdu, vs->offset, "Q", &vs->qid);
+        err = vs->offset;
+    } else {
+        err = -errno;
+    }
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    v9fs_string_free(&vs->symname);
+    v9fs_string_free(&vs->fullname);
+    qemu_free(vs);
+}
+
+static void v9fs_symlink_post_do_symlink(V9fsState *s, V9fsSymlinkState *vs,
+        int err)
+{
+    if (err) {
+        goto out;
+    }
+    err = v9fs_do_lstat(s, &vs->fullname, &vs->stbuf);
+out:
+    v9fs_post_symlink(s, vs, err);
+}
+
+static void v9fs_symlink(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t dfid;
+    V9fsSymlinkState *vs;
+    int err = 0;
+    gid_t gid;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    v9fs_string_init(&vs->fullname);
+
+    pdu_unmarshal(vs->pdu, vs->offset, "dssd", &dfid, &vs->name,
+            &vs->symname, &gid);
+
+    vs->dfidp = lookup_fid(s, dfid);
+    if (vs->dfidp == NULL) {
+        err = -EINVAL;
+        goto out;
+    }
+
+    v9fs_string_sprintf(&vs->fullname, "%s/%s", vs->dfidp->path.data,
+            vs->name.data);
+    err = v9fs_do_symlink(s, vs->dfidp, vs->symname.data,
+            vs->fullname.data, gid);
+    v9fs_symlink_post_do_symlink(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    v9fs_string_free(&vs->symname);
+    qemu_free(vs);
+}
+
 static void v9fs_flush(V9fsState *s, V9fsPDU *pdu)
 {
     /* A nop call with no return */
@@ -2718,6 +2783,7 @@ static pdu_handler_t *pdu_handlers[] = {
 #endif
     [P9_TFLUSH] = v9fs_flush,
     [P9_TLINK] = v9fs_link,
+    [P9_TSYMLINK] = v9fs_symlink,
     [P9_TCREATE] = v9fs_create,
     [P9_TWRITE] = v9fs_write,
     [P9_TWSTAT] = v9fs_wstat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index d48776f..3671863 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -15,6 +15,8 @@
 enum {
     P9_TSTATFS = 8,
     P9_RSTATFS,
+    P9_TSYMLINK = 16,
+    P9_RSYMLINK,
     P9_TGETATTR = 24,
     P9_RGETATTR,
     P9_TSETATTR = 26,
@@ -294,6 +296,18 @@ typedef struct V9fsWstatState
     V9fsString nname;
 } V9fsWstatState;
 
+typedef struct V9fsSymlinkState
+{
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsString name;
+    V9fsString symname;
+    V9fsString fullname;
+    V9fsFidState *dfidp;
+    V9fsQID qid;
+    struct stat stbuf;
+} V9fsSymlinkState;
+
 typedef struct V9fsIattr
 {
     int32_t valid;
commit b2c224be1941200e87df73bd937925f3bdf8cddc
Author: Venkateswararao Jujjuri (JV) <jvrao at linux.vnet.ibm.com>
Date:   Wed Jun 9 11:21:15 2010 -0700

    [virtio-9p] Implement TLINK for 9P2000.L
    
    Create a Hardlink.
    
    SYNOPSIS
    
    size[4] Tlink tag[2] dfid[4] oldfid[4] newpath[s]
    
    size[4] Rlink tag[2]
    
    DESCRIPTION
    
    Create a link 'newpath' in directory pointed by dfid linking to oldfid path.
    
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index a880b13..2e61e9d 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -497,6 +497,15 @@ void pprint_pdu(V9fsPDU *pdu)
     case P9_RCLUNK:
         fprintf(llogfile, "RCLUNK: (");
         break;
+    case P9_TLINK:
+        fprintf(llogfile, "TLINK: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_str(pdu, 0, &offset, ", oldpath");
+        pprint_str(pdu, 0, &offset, ", newpath");
+        break;
+    case P9_RLINK:
+        fprintf(llogfile, "RLINK: (");
+        break;
     case P9_TREMOVE:
         fprintf(llogfile, "TREMOVE: (");
         pprint_int32(pdu, 0, &offset, "fid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 39e63cb..d1c3cf8 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -2307,6 +2307,43 @@ static void v9fs_flush(V9fsState *s, V9fsPDU *pdu)
     complete_pdu(s, pdu, 7);
 }
 
+static void v9fs_link(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t dfid, oldfid;
+    V9fsFidState *dfidp, *oldfidp;
+    V9fsString name, fullname;
+    size_t offset = 7;
+    int err = 0;
+
+    v9fs_string_init(&fullname);
+
+    pdu_unmarshal(pdu, offset, "dds", &dfid, &oldfid, &name);
+
+    dfidp = lookup_fid(s, dfid);
+    if (dfidp == NULL) {
+        err = -errno;
+        goto out;
+    }
+
+    oldfidp = lookup_fid(s, oldfid);
+    if (oldfidp == NULL) {
+        err = -errno;
+        goto out;
+    }
+
+    v9fs_string_sprintf(&fullname, "%s/%s", dfidp->path.data, name.data);
+    err = offset;
+    err = v9fs_do_link(s, &oldfidp->path, &fullname);
+    if (err) {
+        err = -errno;
+    }
+    v9fs_string_free(&fullname);
+
+out:
+    v9fs_string_free(&name);
+    complete_pdu(s, pdu, err);
+}
+
 static void v9fs_remove_post_remove(V9fsState *s, V9fsRemoveState *vs,
                                                                 int err)
 {
@@ -2680,6 +2717,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TAUTH] = v9fs_auth,
 #endif
     [P9_TFLUSH] = v9fs_flush,
+    [P9_TLINK] = v9fs_link,
     [P9_TCREATE] = v9fs_create,
     [P9_TWRITE] = v9fs_write,
     [P9_TWSTAT] = v9fs_wstat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index ebf44a7..d48776f 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -21,6 +21,8 @@ enum {
     P9_RSETATTR,
     P9_TREADDIR = 40,
     P9_RREADDIR,
+    P9_TLINK = 70,
+    P9_RLINK,
     P9_TVERSION = 100,
     P9_RVERSION,
     P9_TAUTH = 102,
commit c79ce737478bbc419bd107c0bb369c473effef1e
Author: Sripathi Kodi <sripathik at in.ibm.com>
Date:   Thu Jun 17 18:18:47 2010 +0530

    virtio-9p: Implement server side of setattr for 9P2000.L protocol.
    
    SYNOPSIS
    
          size[4] Tsetattr tag[2] attr[n]
    
          size[4] Rsetattr tag[2]
    
       DESCRIPTION
    
          The setattr command changes some of the file status information.
          attr resembles the iattr structure used in Linux kernel. It
          specifies which status parameter is to be changed and to what
          value. It is laid out as follows:
    
             valid[4]
                specifies which status information is to be changed. Possible
                values are:
                ATTR_MODE       (1 << 0)
                ATTR_UID        (1 << 1)
                ATTR_GID        (1 << 2)
                ATTR_SIZE       (1 << 3)
                ATTR_ATIME      (1 << 4)
                ATTR_MTIME      (1 << 5)
                ATTR_CTIME      (1 << 5)
                ATTR_ATIME_SET  (1 << 7)
                ATTR_MTIME_SET  (1 << 8)
    
                The last two bits represent whether the time information
                is being sent by the client's user space. In the absense
                of these bits the server always uses server's time.
    
             mode[4]
                File permission bits
    
             uid[4]
                Owner id of file
    
             gid[4]
                Group id of the file
    
             size[8]
                File size
    
             atime_sec[8]
                Time of last file access, seconds
    
             atime_nsec[8]
                Time of last file access, nanoseconds
    
             mtime_sec[8]
                Time of last file modification, seconds
    
             mtime_nsec[8]
                Time of last file modification, nanoseconds
    
    Explanation of the patches:
    --------------------------
    
    *) The kernel just copies relevent contents of iattr structure to p9_iattr_dotl
       structure and passes it down to the client. The only check it has is calling
       inode_change_ok()
    *) The p9_iattr_dotl structure does not have ctime and ia_file parameters because
       I don't think these are needed in our case. The client user space can request
       updating just ctime by calling chown(fd, -1, -1). This is handled on server
       side without a need for putting ctime on the wire.
    *) The server currently supports changing mode, time, ownership and size of the
       file.
    *) 9P RFC says "Either all the changes in wstat request happen, or none of them
       does: if the request succeeds, all changes were made; if it fails, none were."
       I have not done anything to implement this specifically because I don't see
       a reason.
    
    [jvrao at linux.vnet.ibm.com: Parts of code for handling chown(-1,-1)
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index dd7277b..269fc62 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -442,7 +442,10 @@ static int local_rename(FsContext *ctx, const char *oldpath,
 
 static int local_chown(FsContext *fs_ctx, const char *path, FsCred *credp)
 {
-    if (fs_ctx->fs_sm == SM_MAPPED) {
+    if ((credp->fc_uid == -1 && credp->fc_gid == -1) ||
+            (fs_ctx->fs_sm == SM_PASSTHROUGH)) {
+        return lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
+    } else if (fs_ctx->fs_sm == SM_MAPPED) {
         return local_set_xattr(rpath(fs_ctx, path), credp);
     } else if (fs_ctx->fs_sm == SM_PASSTHROUGH) {
         return lchown(rpath(fs_ctx, path), credp->fc_uid, credp->fc_gid);
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 687f63d..39e63cb 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -665,6 +665,15 @@ static size_t pdu_unmarshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
                         &statp->n_muid);
             break;
         }
+        case 'I': {
+            V9fsIattr *iattr = va_arg(ap, V9fsIattr *);
+            offset += pdu_unmarshal(pdu, offset, "ddddqqqqq",
+                        &iattr->valid, &iattr->mode,
+                        &iattr->uid, &iattr->gid, &iattr->size,
+                        &iattr->atime_sec, &iattr->atime_nsec,
+                        &iattr->mtime_sec, &iattr->mtime_nsec);
+            break;
+        }
         default:
             break;
         }
@@ -1240,6 +1249,151 @@ out:
     qemu_free(vs);
 }
 
+/* From Linux kernel code */
+#define ATTR_MODE    (1 << 0)
+#define ATTR_UID     (1 << 1)
+#define ATTR_GID     (1 << 2)
+#define ATTR_SIZE    (1 << 3)
+#define ATTR_ATIME   (1 << 4)
+#define ATTR_MTIME   (1 << 5)
+#define ATTR_CTIME   (1 << 6)
+#define ATTR_MASK    127
+#define ATTR_ATIME_SET  (1 << 7)
+#define ATTR_MTIME_SET  (1 << 8)
+
+static void v9fs_setattr_post_truncate(V9fsState *s, V9fsSetattrState *vs,
+                                                                  int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+    err = vs->offset;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
+static void v9fs_setattr_post_chown(V9fsState *s, V9fsSetattrState *vs, int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    if (vs->v9iattr.valid & (ATTR_SIZE)) {
+        err = v9fs_do_truncate(s, &vs->fidp->path, vs->v9iattr.size);
+    }
+    v9fs_setattr_post_truncate(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
+static void v9fs_setattr_post_utimensat(V9fsState *s, V9fsSetattrState *vs,
+                                                                   int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    /* If the only valid entry in iattr is ctime we can call
+     * chown(-1,-1) to update the ctime of the file
+     */
+    if ((vs->v9iattr.valid & (ATTR_UID | ATTR_GID)) ||
+            ((vs->v9iattr.valid & ATTR_CTIME)
+            && !((vs->v9iattr.valid & ATTR_MASK) & ~ATTR_CTIME))) {
+        if (!(vs->v9iattr.valid & ATTR_UID)) {
+            vs->v9iattr.uid = -1;
+        }
+        if (!(vs->v9iattr.valid & ATTR_GID)) {
+            vs->v9iattr.gid = -1;
+        }
+        err = v9fs_do_chown(s, &vs->fidp->path, vs->v9iattr.uid,
+                                                vs->v9iattr.gid);
+    }
+    v9fs_setattr_post_chown(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
+static void v9fs_setattr_post_chmod(V9fsState *s, V9fsSetattrState *vs, int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    if (vs->v9iattr.valid & (ATTR_ATIME | ATTR_MTIME)) {
+        struct timespec times[2];
+        if (vs->v9iattr.valid & ATTR_ATIME) {
+            if (vs->v9iattr.valid & ATTR_ATIME_SET) {
+                times[0].tv_sec = vs->v9iattr.atime_sec;
+                times[0].tv_nsec = vs->v9iattr.atime_nsec;
+            } else {
+                times[0].tv_nsec = UTIME_NOW;
+            }
+        } else {
+            times[0].tv_nsec = UTIME_OMIT;
+        }
+
+        if (vs->v9iattr.valid & ATTR_MTIME) {
+            if (vs->v9iattr.valid & ATTR_MTIME_SET) {
+                times[1].tv_sec = vs->v9iattr.mtime_sec;
+                times[1].tv_nsec = vs->v9iattr.mtime_nsec;
+            } else {
+                times[1].tv_nsec = UTIME_NOW;
+            }
+        } else {
+            times[1].tv_nsec = UTIME_OMIT;
+        }
+        err = v9fs_do_utimensat(s, &vs->fidp->path, times);
+    }
+    v9fs_setattr_post_utimensat(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
+static void v9fs_setattr(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsSetattrState *vs;
+    int err = 0;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    pdu_unmarshal(pdu, vs->offset, "dI", &fid, &vs->v9iattr);
+
+    vs->fidp = lookup_fid(s, fid);
+    if (vs->fidp == NULL) {
+        err = -EINVAL;
+        goto out;
+    }
+
+    if (vs->v9iattr.valid & ATTR_MODE) {
+        err = v9fs_do_chmod(s, &vs->fidp->path, vs->v9iattr.mode);
+    }
+
+    v9fs_setattr_post_chmod(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 static void v9fs_walk_complete(V9fsState *s, V9fsWalkState *vs, int err)
 {
     complete_pdu(s, vs->pdu, err);
@@ -2514,6 +2668,7 @@ static pdu_handler_t *pdu_handlers[] = {
     [P9_TREADDIR] = v9fs_readdir,
     [P9_TSTATFS] = v9fs_statfs,
     [P9_TGETATTR] = v9fs_getattr,
+    [P9_TSETATTR] = v9fs_setattr,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
     [P9_TSTAT] = v9fs_stat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 1feed82..ebf44a7 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -17,6 +17,8 @@ enum {
     P9_RSTATFS,
     P9_TGETATTR = 24,
     P9_RGETATTR,
+    P9_TSETATTR = 26,
+    P9_RSETATTR,
     P9_TREADDIR = 40,
     P9_RREADDIR,
     P9_TVERSION = 100,
@@ -290,6 +292,27 @@ typedef struct V9fsWstatState
     V9fsString nname;
 } V9fsWstatState;
 
+typedef struct V9fsIattr
+{
+    int32_t valid;
+    int32_t mode;
+    int32_t uid;
+    int32_t gid;
+    int64_t size;
+    int64_t atime_sec;
+    int64_t atime_nsec;
+    int64_t mtime_sec;
+    int64_t mtime_nsec;
+} V9fsIattr;
+
+typedef struct V9fsSetattrState
+{
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsIattr v9iattr;
+    V9fsFidState *fidp;
+} V9fsSetattrState;
+
 struct virtio_9p_config
 {
     /* number of characters in tag */
commit 8fc39ae4bd9026c8293764f71b9c309d076d7afc
Author: Sripathi Kodi <sripathik at in.ibm.com>
Date:   Wed Jun 9 19:14:38 2010 +0530

    [virtio-9p] Make v9fs_do_utimensat accept timespec structures instead of v9stat.
    
    Currently v9fs_do_utimensat takes a V9fsStat argument and builds
    timespec structures. It sets tv_nsec values to 0 by default. Instead
    of this it should take struct timespec[2] and pass it down to the
    system directly. This will make it more generic and useful
    elsewhere.
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index bd6cba9..687f63d 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -237,25 +237,10 @@ static int v9fs_do_chown(V9fsState *s, V9fsString *path, uid_t uid, gid_t gid)
     return s->ops->chown(&s->ctx, path->data, &cred);
 }
 
-static int v9fs_do_utimensat(V9fsState *s, V9fsString *path, V9fsStat v9stat)
+static int v9fs_do_utimensat(V9fsState *s, V9fsString *path,
+                                           const struct timespec times[2])
 {
-    struct timespec ts[2];
-
-    if (v9stat.atime != -1) {
-        ts[0].tv_sec = v9stat.atime;
-        ts[0].tv_nsec = 0;
-    } else {
-        ts[0].tv_nsec = UTIME_OMIT;
-    }
-
-    if (v9stat.mtime != -1) {
-        ts[1].tv_sec = v9stat.mtime;
-        ts[1].tv_nsec = 0;
-    } else {
-        ts[1].tv_nsec = UTIME_OMIT;
-    }
-
-    return s->ops->utimensat(&s->ctx, path->data, ts);
+    return s->ops->utimensat(&s->ctx, path->data, times);
 }
 
 static int v9fs_do_remove(V9fsState *s, V9fsString *path)
@@ -2341,7 +2326,21 @@ static void v9fs_wstat_post_chmod(V9fsState *s, V9fsWstatState *vs, int err)
     }
 
     if (vs->v9stat.mtime != -1 || vs->v9stat.atime != -1) {
-        if (v9fs_do_utimensat(s, &vs->fidp->path, vs->v9stat)) {
+        struct timespec times[2];
+        if (vs->v9stat.atime != -1) {
+            times[0].tv_sec = vs->v9stat.atime;
+            times[0].tv_nsec = 0;
+        } else {
+            times[0].tv_nsec = UTIME_OMIT;
+        }
+        if (vs->v9stat.mtime != -1) {
+            times[1].tv_sec = vs->v9stat.mtime;
+            times[1].tv_nsec = 0;
+        } else {
+            times[1].tv_nsec = UTIME_OMIT;
+        }
+
+        if (v9fs_do_utimensat(s, &vs->fidp->path, times)) {
             err = -errno;
         }
     }
commit 74bc02b2d2272dc88fb98d43e631eb154717f517
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Wed Jun 9 19:14:38 2010 +0530

    virtio-9p: Do not reset atime
    
        Current code resets file's atime to 0 when there is a change in mtime.
        This results in resetting the atime to "1970-01-01 05:30:00". For
        example, truncate -s 0 filename results in changing the mtime to the
        truncate time, but resets the atime to "1970-01-01 05:30:00". utime
        system call does not have any provision to set only mtime or atime. So
        change v9fs_wstat_post_chmod function to use utimensat function to change
        the atime and mtime fields. If tv_nsec field is set to the special value
        "UTIME_OMIT", corresponding file time stamp is not updated.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index dd82ac7..120c803 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -52,7 +52,7 @@ typedef struct FileOperations
     int (*chmod)(FsContext *, const char *, FsCred *);
     int (*chown)(FsContext *, const char *, FsCred *);
     int (*mknod)(FsContext *, const char *, FsCred *);
-    int (*utime)(FsContext *, const char *, const struct utimbuf *);
+    int (*utimensat)(FsContext *, const char *, const struct timespec *);
     int (*remove)(FsContext *, const char *);
     int (*symlink)(FsContext *, const char *, const char *, FsCred *);
     int (*link)(FsContext *, const char *, const char *);
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 82f41c6..dd7277b 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -450,10 +450,10 @@ static int local_chown(FsContext *fs_ctx, const char *path, FsCred *credp)
     return -1;
 }
 
-static int local_utime(FsContext *ctx, const char *path,
-                        const struct utimbuf *buf)
+static int local_utimensat(FsContext *s, const char *path,
+		       const struct timespec *buf)
 {
-    return utime(rpath(ctx, path), buf);
+    return utimensat(AT_FDCWD, rpath(s, path), buf, AT_SYMLINK_NOFOLLOW);
 }
 
 static int local_remove(FsContext *ctx, const char *path)
@@ -495,7 +495,7 @@ FileOperations local_ops = {
     .truncate = local_truncate,
     .rename = local_rename,
     .chown = local_chown,
-    .utime = local_utime,
+    .utimensat = local_utimensat,
     .remove = local_remove,
     .fsync = local_fsync,
     .statfs = local_statfs,
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index a8f1735..bd6cba9 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -237,10 +237,25 @@ static int v9fs_do_chown(V9fsState *s, V9fsString *path, uid_t uid, gid_t gid)
     return s->ops->chown(&s->ctx, path->data, &cred);
 }
 
-static int v9fs_do_utime(V9fsState *s, V9fsString *path,
-                            const struct utimbuf *buf)
+static int v9fs_do_utimensat(V9fsState *s, V9fsString *path, V9fsStat v9stat)
 {
-    return s->ops->utime(&s->ctx, path->data, buf);
+    struct timespec ts[2];
+
+    if (v9stat.atime != -1) {
+        ts[0].tv_sec = v9stat.atime;
+        ts[0].tv_nsec = 0;
+    } else {
+        ts[0].tv_nsec = UTIME_OMIT;
+    }
+
+    if (v9stat.mtime != -1) {
+        ts[1].tv_sec = v9stat.mtime;
+        ts[1].tv_nsec = 0;
+    } else {
+        ts[1].tv_nsec = UTIME_OMIT;
+    }
+
+    return s->ops->utimensat(&s->ctx, path->data, ts);
 }
 
 static int v9fs_do_remove(V9fsState *s, V9fsString *path)
@@ -2325,11 +2340,8 @@ static void v9fs_wstat_post_chmod(V9fsState *s, V9fsWstatState *vs, int err)
         goto out;
     }
 
-    if (vs->v9stat.mtime != -1) {
-        struct utimbuf tb;
-        tb.actime = 0;
-        tb.modtime = vs->v9stat.mtime;
-        if (v9fs_do_utime(s, &vs->fidp->path, &tb)) {
+    if (vs->v9stat.mtime != -1 || vs->v9stat.atime != -1) {
+        if (v9fs_do_utimensat(s, &vs->fidp->path, vs->v9stat)) {
             err = -errno;
         }
     }
commit 00ede4c2529b317cf396c02817cadd5ec43953eb
Author: Sripathi Kodi <sripathi at sripathi.in.ibm.com>
Date:   Tue Jul 20 11:44:41 2010 +0530

    virtio-9p: getattr server implementation for 9P2000.L protocol.
    
               SYNOPSIS
    
                  size[4] Tgetattr tag[2] fid[4] request_mask[8]
    
                  size[4] Rgetattr tag[2] lstat[n]
    
               DESCRIPTION
    
                  The getattr transaction inquires about the file identified by fid.
                  request_mask is a bit mask that specifies which fields of the
                  stat structure is the client interested in.
    
                  The reply will contain a machine-independent directory entry,
                  laid out as follows:
    
                     st_result_mask[8]
                        Bit mask that indicates which fields in the stat structure
                        have been populated by the server
    
                     qid.type[1]
                        the type of the file (directory, etc.), represented as a bit
                        vector corresponding to the high 8 bits of the file's mode
                        word.
    
                     qid.vers[4]
                        version number for given path
    
                     qid.path[8]
                        the file server's unique identification for the file
    
                     st_mode[4]
                        Permission and flags
    
                     st_uid[4]
                        User id of owner
    
                     st_gid[4]
                        Group ID of owner
    
                     st_nlink[8]
                        Number of hard links
    
                     st_rdev[8]
                        Device ID (if special file)
    
                     st_size[8]
                        Size, in bytes
    
                     st_blksize[8]
                        Block size for file system IO
    
                     st_blocks[8]
                        Number of file system blocks allocated
    
                     st_atime_sec[8]
                        Time of last access, seconds
    
                     st_atime_nsec[8]
                        Time of last access, nanoseconds
    
                     st_mtime_sec[8]
                        Time of last modification, seconds
    
                     st_mtime_nsec[8]
                        Time of last modification, nanoseconds
    
                     st_ctime_sec[8]
                        Time of last status change, seconds
    
                     st_ctime_nsec[8]
                        Time of last status change, nanoseconds
    
                     st_btime_sec[8]
                        Time of creation (birth) of file, seconds
    
                     st_btime_nsec[8]
                        Time of creation (birth) of file, nanoseconds
    
                     st_gen[8]
                        Inode generation
    
                     st_data_version[8]
                        Data version number
    
                  request_mask and result_mask bit masks contain the following bits
                     #define P9_STATS_MODE          0x00000001ULL
                     #define P9_STATS_NLINK         0x00000002ULL
                     #define P9_STATS_UID           0x00000004ULL
                     #define P9_STATS_GID           0x00000008ULL
                     #define P9_STATS_RDEV          0x00000010ULL
                     #define P9_STATS_ATIME         0x00000020ULL
                     #define P9_STATS_MTIME         0x00000040ULL
                     #define P9_STATS_CTIME         0x00000080ULL
                     #define P9_STATS_INO           0x00000100ULL
                     #define P9_STATS_SIZE          0x00000200ULL
                     #define P9_STATS_BLOCKS        0x00000400ULL
    
                     #define P9_STATS_BTIME         0x00000800ULL
                     #define P9_STATS_GEN           0x00001000ULL
                     #define P9_STATS_DATA_VERSION  0x00002000ULL
    
                     #define P9_STATS_BASIC         0x000007ffULL
                     #define P9_STATS_ALL           0x00003fffULL
    
            This patch implements the client side of getattr implementation for 9P2000.L.
            It introduces a new structure p9_stat_dotl for getting Linux stat information
            along with QID. The data layout is similar to stat structure in Linux user
            space with the following major differences:
    
            inode (st_ino) is not part of data. Instead qid is.
    
            device (st_dev) is not part of data because this doesn't make sense on the
            client.
    
            All time variables are 64 bit wide on the wire. The kernel seems to use
            32 bit variables for these variables. However, some of the architectures
            have used 64 bit variables and glibc exposes 64 bit variables to user
            space on some architectures. Hence to be on the safer side we have made
            these 64 bit in the protocol. Refer to the comments in
            include/asm-generic/stat.h
    
            There are some additional fields: st_btime_sec, st_btime_nsec, st_gen,
            st_data_version apart from the bitmask, st_result_mask. The bit mask
            is filled by the server to indicate which stat fields have been
            populated by the server. Currently there is no clean way for the
            server to obtain these additional fields, so it sends back just the
            basic fields.
    
            Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
            Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index 240bec8..a880b13 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -178,6 +178,30 @@ static void pprint_stat(V9fsPDU *pdu, int rx, size_t *offsetp, const char *name)
     fprintf(llogfile, "}");
 }
 
+static void pprint_stat_dotl(V9fsPDU *pdu, int rx, size_t *offsetp,
+                                                  const char *name)
+{
+    fprintf(llogfile, "%s={", name);
+    pprint_qid(pdu, rx, offsetp, "qid");
+    pprint_int32(pdu, rx, offsetp, ", st_mode");
+    pprint_int64(pdu, rx, offsetp, ", st_nlink");
+    pprint_int32(pdu, rx, offsetp, ", st_uid");
+    pprint_int32(pdu, rx, offsetp, ", st_gid");
+    pprint_int64(pdu, rx, offsetp, ", st_rdev");
+    pprint_int64(pdu, rx, offsetp, ", st_size");
+    pprint_int64(pdu, rx, offsetp, ", st_blksize");
+    pprint_int64(pdu, rx, offsetp, ", st_blocks");
+    pprint_int64(pdu, rx, offsetp, ", atime");
+    pprint_int64(pdu, rx, offsetp, ", atime_nsec");
+    pprint_int64(pdu, rx, offsetp, ", mtime");
+    pprint_int64(pdu, rx, offsetp, ", mtime_nsec");
+    pprint_int64(pdu, rx, offsetp, ", ctime");
+    pprint_int64(pdu, rx, offsetp, ", ctime_nsec");
+    fprintf(llogfile, "}");
+}
+
+
+
 static void pprint_strs(V9fsPDU *pdu, int rx, size_t *offsetp, const char *name)
 {
     int sg_count = get_sg_count(pdu, rx);
@@ -353,6 +377,14 @@ void pprint_pdu(V9fsPDU *pdu)
         pprint_int32(pdu, 1, &offset, "msize");
         pprint_str(pdu, 1, &offset, ", version");
         break;
+    case P9_TGETATTR:
+        fprintf(llogfile, "TGETATTR: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        break;
+    case P9_RGETATTR:
+        fprintf(llogfile, "RGETATTR: (");
+        pprint_stat_dotl(pdu, 1, &offset, "getattr");
+        break;
     case P9_TAUTH:
         fprintf(llogfile, "TAUTH: (");
         pprint_int32(pdu, 0, &offset, "afid");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index f6eb0f3..a8f1735 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -736,6 +736,21 @@ static size_t pdu_marshal(V9fsPDU *pdu, size_t offset, const char *fmt, ...)
                         statp->n_gid, statp->n_muid);
             break;
         }
+        case 'A': {
+            V9fsStatDotl *statp = va_arg(ap, V9fsStatDotl *);
+            offset += pdu_marshal(pdu, offset, "qQdddqqqqqqqqqqqqqqq",
+                        statp->st_result_mask,
+                        &statp->qid, statp->st_mode,
+                        statp->st_uid, statp->st_gid,
+                        statp->st_nlink, statp->st_rdev,
+                        statp->st_size, statp->st_blksize, statp->st_blocks,
+                        statp->st_atime_sec, statp->st_atime_nsec,
+                        statp->st_mtime_sec, statp->st_mtime_nsec,
+                        statp->st_ctime_sec, statp->st_ctime_nsec,
+                        statp->st_btime_sec, statp->st_btime_nsec,
+                        statp->st_gen, statp->st_data_version);
+            break;
+        }
         default:
             break;
         }
@@ -963,6 +978,51 @@ static int stat_to_v9stat(V9fsState *s, V9fsString *name,
     return 0;
 }
 
+#define P9_STATS_MODE          0x00000001ULL
+#define P9_STATS_NLINK         0x00000002ULL
+#define P9_STATS_UID           0x00000004ULL
+#define P9_STATS_GID           0x00000008ULL
+#define P9_STATS_RDEV          0x00000010ULL
+#define P9_STATS_ATIME         0x00000020ULL
+#define P9_STATS_MTIME         0x00000040ULL
+#define P9_STATS_CTIME         0x00000080ULL
+#define P9_STATS_INO           0x00000100ULL
+#define P9_STATS_SIZE          0x00000200ULL
+#define P9_STATS_BLOCKS        0x00000400ULL
+
+#define P9_STATS_BTIME         0x00000800ULL
+#define P9_STATS_GEN           0x00001000ULL
+#define P9_STATS_DATA_VERSION  0x00002000ULL
+
+#define P9_STATS_BASIC         0x000007ffULL /* Mask for fields up to BLOCKS */
+#define P9_STATS_ALL           0x00003fffULL /* Mask for All fields above */
+
+
+static void stat_to_v9stat_dotl(V9fsState *s, const struct stat *stbuf,
+                            V9fsStatDotl *v9lstat)
+{
+    memset(v9lstat, 0, sizeof(*v9lstat));
+
+    v9lstat->st_mode = stbuf->st_mode;
+    v9lstat->st_nlink = stbuf->st_nlink;
+    v9lstat->st_uid = stbuf->st_uid;
+    v9lstat->st_gid = stbuf->st_gid;
+    v9lstat->st_rdev = stbuf->st_rdev;
+    v9lstat->st_size = stbuf->st_size;
+    v9lstat->st_blksize = stbuf->st_blksize;
+    v9lstat->st_blocks = stbuf->st_blocks;
+    v9lstat->st_atime_sec = stbuf->st_atime;
+    v9lstat->st_atime_nsec = stbuf->st_atim.tv_nsec;
+    v9lstat->st_mtime_sec = stbuf->st_mtime;
+    v9lstat->st_mtime_nsec = stbuf->st_mtim.tv_nsec;
+    v9lstat->st_ctime_sec = stbuf->st_ctime;
+    v9lstat->st_ctime_nsec = stbuf->st_ctim.tv_nsec;
+    /* Currently we only support BASIC fields in stat */
+    v9lstat->st_result_mask = P9_STATS_BASIC;
+
+    stat_to_qid(stbuf, &v9lstat->qid);
+}
+
 static struct iovec *adjust_sg(struct iovec *sg, int len, int *iovcnt)
 {
     while (len && *iovcnt) {
@@ -1129,6 +1189,57 @@ out:
     qemu_free(vs);
 }
 
+static void v9fs_getattr_post_lstat(V9fsState *s, V9fsStatStateDotl *vs,
+                                                                int err)
+{
+    if (err == -1) {
+        err = -errno;
+        goto out;
+    }
+
+    stat_to_v9stat_dotl(s, &vs->stbuf, &vs->v9stat_dotl);
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "A", &vs->v9stat_dotl);
+    err = vs->offset;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
+static void v9fs_getattr(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsStatStateDotl *vs;
+    ssize_t err = 0;
+    V9fsFidState *fidp;
+    uint64_t request_mask;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    memset(&vs->v9stat_dotl, 0, sizeof(vs->v9stat_dotl));
+
+    pdu_unmarshal(vs->pdu, vs->offset, "dq", &fid, &request_mask);
+
+    fidp = lookup_fid(s, fid);
+    if (fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    /* Currently we only support BASIC fields in stat, so there is no
+     * need to look at request_mask.
+     */
+    err = v9fs_do_lstat(s, &fidp->path, &vs->stbuf);
+    v9fs_getattr_post_lstat(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 static void v9fs_walk_complete(V9fsState *s, V9fsWalkState *vs, int err)
 {
     complete_pdu(s, vs->pdu, err);
@@ -2391,6 +2502,7 @@ typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 static pdu_handler_t *pdu_handlers[] = {
     [P9_TREADDIR] = v9fs_readdir,
     [P9_TSTATFS] = v9fs_statfs,
+    [P9_TGETATTR] = v9fs_getattr,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
     [P9_TSTAT] = v9fs_stat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 4ee3830..1feed82 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -15,6 +15,8 @@
 enum {
     P9_TSTATFS = 8,
     P9_RSTATFS,
+    P9_TGETATTR = 24,
+    P9_RGETATTR,
     P9_TREADDIR = 40,
     P9_RREADDIR,
     P9_TVERSION = 100,
@@ -185,6 +187,37 @@ typedef struct V9fsStatState {
     struct stat stbuf;
 } V9fsStatState;
 
+typedef struct V9fsStatDotl {
+    uint64_t st_result_mask;
+    V9fsQID qid;
+    uint32_t st_mode;
+    uint32_t st_uid;
+    uint32_t st_gid;
+    uint64_t st_nlink;
+    uint64_t st_rdev;
+    uint64_t st_size;
+    uint64_t st_blksize;
+    uint64_t st_blocks;
+    uint64_t st_atime_sec;
+    uint64_t st_atime_nsec;
+    uint64_t st_mtime_sec;
+    uint64_t st_mtime_nsec;
+    uint64_t st_ctime_sec;
+    uint64_t st_ctime_nsec;
+    uint64_t st_btime_sec;
+    uint64_t st_btime_nsec;
+    uint64_t st_gen;
+    uint64_t st_data_version;
+} V9fsStatDotl;
+
+typedef struct V9fsStatStateDotl {
+    V9fsPDU *pdu;
+    size_t offset;
+    V9fsStatDotl v9stat_dotl;
+    struct stat stbuf;
+} V9fsStatStateDotl;
+
+
 typedef struct V9fsWalkState {
     V9fsPDU *pdu;
     size_t offset;
commit 5e94c103a0321ca47deb81643839c44a03047416
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Wed Jun 9 19:14:28 2010 +0530

    virtio-9p: Compute iounit based on host filesystem block size
    
    Compute iounit based on the host filesystem block size and pass it to
    client with open/create response. Also return iounit as statfs's f_bsize
    for optimal block size transfers.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Reviewd-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 78387b8..f6eb0f3 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -253,6 +253,11 @@ static int v9fs_do_fsync(V9fsState *s, int fd)
     return s->ops->fsync(&s->ctx, fd);
 }
 
+static int v9fs_do_statfs(V9fsState *s, V9fsString *path, struct statfs *stbuf)
+{
+    return s->ops->statfs(&s->ctx, path->data, stbuf);
+}
+
 static void v9fs_string_init(V9fsString *str)
 {
     str->data = NULL;
@@ -1019,11 +1024,10 @@ static void v9fs_fix_path(V9fsString *dst, V9fsString *src, int len)
 
 static void v9fs_version(V9fsState *s, V9fsPDU *pdu)
 {
-    int32_t msize;
     V9fsString version;
     size_t offset = 7;
 
-    pdu_unmarshal(pdu, offset, "ds", &msize, &version);
+    pdu_unmarshal(pdu, offset, "ds", &s->msize, &version);
 
     if (!strcmp(version.data, "9P2000.u")) {
         s->proto_version = V9FS_PROTO_2000U;
@@ -1033,7 +1037,7 @@ static void v9fs_version(V9fsState *s, V9fsPDU *pdu)
         v9fs_string_sprintf(&version, "unknown");
     }
 
-    offset += pdu_marshal(pdu, offset, "ds", msize, &version);
+    offset += pdu_marshal(pdu, offset, "ds", s->msize, &version);
     complete_pdu(s, pdu, offset);
 
     v9fs_string_free(&version);
@@ -1288,6 +1292,26 @@ out:
     v9fs_walk_complete(s, vs, err);
 }
 
+static int32_t get_iounit(V9fsState *s, V9fsString *name)
+{
+    struct statfs stbuf;
+    int32_t iounit = 0;
+
+    /*
+     * iounit should be multiples of f_bsize (host filesystem block size
+     * and as well as less than (client msize - P9_IOHDRSZ))
+     */
+    if (!v9fs_do_statfs(s, name, &stbuf)) {
+        iounit = stbuf.f_bsize;
+        iounit *= (s->msize - P9_IOHDRSZ)/stbuf.f_bsize;
+    }
+
+    if (!iounit) {
+        iounit = s->msize - P9_IOHDRSZ;
+    }
+    return iounit;
+}
+
 static void v9fs_open_post_opendir(V9fsState *s, V9fsOpenState *vs, int err)
 {
     if (vs->fidp->dir == NULL) {
@@ -1303,6 +1327,15 @@ out:
 
 }
 
+static void v9fs_open_post_getiounit(V9fsState *s, V9fsOpenState *vs)
+{
+    int err;
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "Qd", &vs->qid, vs->iounit);
+    err = vs->offset;
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 static void v9fs_open_post_open(V9fsState *s, V9fsOpenState *vs, int err)
 {
     if (vs->fidp->fd == -1) {
@@ -1310,8 +1343,9 @@ static void v9fs_open_post_open(V9fsState *s, V9fsOpenState *vs, int err)
         goto out;
     }
 
-    vs->offset += pdu_marshal(vs->pdu, vs->offset, "Qd", &vs->qid, 0);
-    err = vs->offset;
+    vs->iounit = get_iounit(s, &vs->fidp->path);
+    v9fs_open_post_getiounit(s, vs);
+    return;
 out:
     complete_pdu(s, vs->pdu, err);
     qemu_free(vs);
@@ -1794,15 +1828,28 @@ out:
     qemu_free(vs);
 }
 
-static void v9fs_post_create(V9fsState *s, V9fsCreateState *vs, int err)
+static void v9fs_create_post_getiounit(V9fsState *s, V9fsCreateState *vs)
 {
-    if (err == 0) {
-        v9fs_string_copy(&vs->fidp->path, &vs->fullname);
-        stat_to_qid(&vs->stbuf, &vs->qid);
+    int err;
+    v9fs_string_copy(&vs->fidp->path, &vs->fullname);
+    stat_to_qid(&vs->stbuf, &vs->qid);
 
-        vs->offset += pdu_marshal(vs->pdu, vs->offset, "Qd", &vs->qid, 0);
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "Qd", &vs->qid, vs->iounit);
+    err = vs->offset;
 
-        err = vs->offset;
+    complete_pdu(s, vs->pdu, err);
+    v9fs_string_free(&vs->name);
+    v9fs_string_free(&vs->extension);
+    v9fs_string_free(&vs->fullname);
+    qemu_free(vs);
+}
+
+static void v9fs_post_create(V9fsState *s, V9fsCreateState *vs, int err)
+{
+    if (err == 0) {
+        vs->iounit = get_iounit(s, &vs->fidp->path);
+        v9fs_create_post_getiounit(s, vs);
+        return;
     }
 
     complete_pdu(s, vs->pdu, err);
@@ -2266,23 +2313,34 @@ out:
     qemu_free(vs);
 }
 
-static int v9fs_do_statfs(V9fsState *s, V9fsString *path, struct statfs *stbuf)
-{
-    return s->ops->statfs(&s->ctx, path->data, stbuf);
-}
-
 static void v9fs_statfs_post_statfs(V9fsState *s, V9fsStatfsState *vs, int err)
 {
+    int32_t bsize_factor;
+
     if (err) {
         err = -errno;
         goto out;
     }
 
+    /*
+     * compute bsize factor based on host file system block size
+     * and client msize
+     */
+    bsize_factor = (s->msize - P9_IOHDRSZ)/vs->stbuf.f_bsize;
+    if (!bsize_factor) {
+        bsize_factor = 1;
+    }
     vs->v9statfs.f_type = vs->stbuf.f_type;
     vs->v9statfs.f_bsize = vs->stbuf.f_bsize;
-    vs->v9statfs.f_blocks = vs->stbuf.f_blocks;
-    vs->v9statfs.f_bfree = vs->stbuf.f_bfree;
-    vs->v9statfs.f_bavail = vs->stbuf.f_bavail;
+    vs->v9statfs.f_bsize *= bsize_factor;
+    /*
+     * f_bsize is adjusted(multiplied) by bsize factor, so we need to
+     * adjust(divide) the number of blocks, free blocks and available
+     * blocks by bsize factor
+     */
+    vs->v9statfs.f_blocks = vs->stbuf.f_blocks/bsize_factor;
+    vs->v9statfs.f_bfree = vs->stbuf.f_bfree/bsize_factor;
+    vs->v9statfs.f_bavail = vs->stbuf.f_bavail/bsize_factor;
     vs->v9statfs.f_files = vs->stbuf.f_files;
     vs->v9statfs.f_ffree = vs->stbuf.f_ffree;
     vs->v9statfs.fsid_val = (unsigned int) vs->stbuf.f_fsid.__val[0] |
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 9773659..4ee3830 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -70,6 +70,12 @@ enum p9_proto_version {
 #define P9_NOFID    (u32)(~0)
 #define P9_MAXWELEM 16
 
+/*
+ * ample room for Twrite/Rread header
+ * size[4] Tread/Twrite tag[2] fid[4] offset[8] count[4]
+ */
+#define P9_IOHDRSZ 24
+
 typedef struct V9fsPDU V9fsPDU;
 
 struct V9fsPDU
@@ -154,6 +160,7 @@ typedef struct V9fsState
     uint8_t *tag;
     size_t config_size;
     enum p9_proto_version proto_version;
+    int32_t msize;
 } V9fsState;
 
 typedef struct V9fsCreateState {
@@ -167,6 +174,7 @@ typedef struct V9fsCreateState {
     V9fsString name;
     V9fsString extension;
     V9fsString fullname;
+    int iounit;
 } V9fsCreateState;
 
 typedef struct V9fsStatState {
@@ -197,6 +205,7 @@ typedef struct V9fsOpenState {
     V9fsFidState *fidp;
     V9fsQID qid;
     struct stat stbuf;
+    int iounit;
 } V9fsOpenState;
 
 typedef struct V9fsReadState {
commit c18e2f9431dab6ae02195e3b4b8ba61d0dbd2cb8
Author: Sripathi Kodi <sripathik at in.ibm.com>
Date:   Wed Jun 9 14:57:57 2010 +0530

    [V4] virtio-9p: readdir implementation for 9p2000.L
    
    This patch implements the server part of readdir() implementation for
    9p2000.L
    
        SYNOPSIS
    
        size[4] Treaddir tag[2] fid[4] offset[8] count[4]
        size[4] Rreaddir tag[2] count[4] data[count]
    
        DESCRIPTION
    
        The readdir request asks the server to read the directory specified by 'fid'
        at an offset specified by 'offset' and return as many dirent structures as
        possible that fit into count bytes. Each dirent structure is laid out as
        follows.
    
                qid.type[1]
                  the type of the file (directory, etc.), represented as a bit
                  vector corresponding to the high 8 bits of the file's mode
                  word.
    
                qid.vers[4]
                  version number for given path
    
                qid.path[8]
                  the file server's unique identification for the file
    
                offset[8]
                  offset into the next dirent.
    
                type[1]
                  type of this directory entry.
    
                name[256]
                  name of this directory entry.
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Reviewed-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p-debug.c b/hw/virtio-9p-debug.c
index c1b0e6f..240bec8 100644
--- a/hw/virtio-9p-debug.c
+++ b/hw/virtio-9p-debug.c
@@ -330,6 +330,19 @@ void pprint_pdu(V9fsPDU *pdu)
     BUG_ON(!llogfile);
 
     switch (pdu->id) {
+    case P9_TREADDIR:
+        fprintf(llogfile, "TREADDIR: (");
+        pprint_int32(pdu, 0, &offset, "fid");
+        pprint_int64(pdu, 0, &offset, ", initial offset");
+        pprint_int32(pdu, 0, &offset, ", max count");
+        break;
+    case P9_RREADDIR:
+        fprintf(llogfile, "RREADDIR: (");
+        pprint_int32(pdu, 1, &offset, "count");
+#ifdef DEBUG_DATA
+        pprint_data(pdu, 1, &offset, ", data");
+#endif
+        break;
     case P9_TVERSION:
         fprintf(llogfile, "TVERSION: (");
         pprint_int32(pdu, 0, &offset, "msize");
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index cea3935..78387b8 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1577,6 +1577,127 @@ out:
     qemu_free(vs);
 }
 
+typedef struct V9fsReadDirState {
+    V9fsPDU *pdu;
+    V9fsFidState *fidp;
+    V9fsQID qid;
+    off_t saved_dir_pos;
+    struct dirent *dent;
+    int32_t count;
+    int32_t max_count;
+    size_t offset;
+    int64_t initial_offset;
+    V9fsString name;
+} V9fsReadDirState;
+
+static void v9fs_readdir_post_seekdir(V9fsState *s, V9fsReadDirState *vs)
+{
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "d", vs->count);
+    vs->offset += vs->count;
+    complete_pdu(s, vs->pdu, vs->offset);
+    qemu_free(vs);
+    return;
+}
+
+/* Size of each dirent on the wire: size of qid (13) + size of offset (8)
+ * size of type (1) + size of name.size (2) + strlen(name.data)
+ */
+#define V9_READDIR_DATA_SZ (24 + strlen(vs->name.data))
+
+static void v9fs_readdir_post_readdir(V9fsState *s, V9fsReadDirState *vs)
+{
+    int len;
+    size_t size;
+
+    if (vs->dent) {
+        v9fs_string_init(&vs->name);
+        v9fs_string_sprintf(&vs->name, "%s", vs->dent->d_name);
+
+        if ((vs->count + V9_READDIR_DATA_SZ) > vs->max_count) {
+            /* Ran out of buffer. Set dir back to old position and return */
+            v9fs_do_seekdir(s, vs->fidp->dir, vs->saved_dir_pos);
+            v9fs_readdir_post_seekdir(s, vs);
+            return;
+        }
+
+        /* Fill up just the path field of qid because the client uses
+         * only that. To fill the entire qid structure we will have
+         * to stat each dirent found, which is expensive
+         */
+        size = MIN(sizeof(vs->dent->d_ino), sizeof(vs->qid.path));
+        memcpy(&vs->qid.path, &vs->dent->d_ino, size);
+        /* Fill the other fields with dummy values */
+        vs->qid.type = 0;
+        vs->qid.version = 0;
+
+        len = pdu_marshal(vs->pdu, vs->offset+4+vs->count, "Qqbs",
+                              &vs->qid, vs->dent->d_off,
+                              vs->dent->d_type, &vs->name);
+        vs->count += len;
+        v9fs_string_free(&vs->name);
+        vs->saved_dir_pos = vs->dent->d_off;
+        vs->dent = v9fs_do_readdir(s, vs->fidp->dir);
+        v9fs_readdir_post_readdir(s, vs);
+        return;
+    }
+
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "d", vs->count);
+    vs->offset += vs->count;
+    complete_pdu(s, vs->pdu, vs->offset);
+    qemu_free(vs);
+    return;
+}
+
+static void v9fs_readdir_post_telldir(V9fsState *s, V9fsReadDirState *vs)
+{
+    vs->dent = v9fs_do_readdir(s, vs->fidp->dir);
+    v9fs_readdir_post_readdir(s, vs);
+    return;
+}
+
+static void v9fs_readdir_post_setdir(V9fsState *s, V9fsReadDirState *vs)
+{
+    vs->saved_dir_pos = v9fs_do_telldir(s, vs->fidp->dir);
+    v9fs_readdir_post_telldir(s, vs);
+    return;
+}
+
+static void v9fs_readdir(V9fsState *s, V9fsPDU *pdu)
+{
+    int32_t fid;
+    V9fsReadDirState *vs;
+    ssize_t err = 0;
+    size_t offset = 7;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+    vs->count = 0;
+
+    pdu_unmarshal(vs->pdu, offset, "dqd", &fid, &vs->initial_offset,
+                                                        &vs->max_count);
+
+    vs->fidp = lookup_fid(s, fid);
+    if (vs->fidp == NULL || !(vs->fidp->dir)) {
+        err = -EINVAL;
+        goto out;
+    }
+
+    if (vs->initial_offset == 0) {
+        v9fs_do_rewinddir(s, vs->fidp->dir);
+    } else {
+        v9fs_do_seekdir(s, vs->fidp->dir, vs->initial_offset);
+    }
+
+    v9fs_readdir_post_setdir(s, vs);
+    return;
+
+out:
+    complete_pdu(s, pdu, err);
+    qemu_free(vs);
+    return;
+}
+
 static void v9fs_write_post_writev(V9fsState *s, V9fsWriteState *vs,
                                    ssize_t err)
 {
@@ -2210,6 +2331,7 @@ out:
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
 static pdu_handler_t *pdu_handlers[] = {
+    [P9_TREADDIR] = v9fs_readdir,
     [P9_TSTATFS] = v9fs_statfs,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 992c765..9773659 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -15,6 +15,8 @@
 enum {
     P9_TSTATFS = 8,
     P9_RSTATFS,
+    P9_TREADDIR = 40,
+    P9_RREADDIR,
     P9_TVERSION = 100,
     P9_RVERSION,
     P9_TAUTH = 102,
commit 926487b70be7cfd0303168a68a092bc6faf122ca
Author: Sripathi Kodi <sripathik at in.ibm.com>
Date:   Wed Jun 9 14:33:22 2010 +0530

    virtio-9p: Return correct error from v9fs_remove
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    
    In v9fs_remove_post_remove() we currently ignore the error returned by
    the previous call to remove() and return an error only if freeing the
    fid fails. However, the client expects to see the error from remove().
    Currently the client falsely thinks that the remove call has always
    succeeded. For example, doing rmdir on a non-empty directory does
    not return ENOTEMPTY.
    
    With this patch we ignore the error from free_fid(). The client cannot
    use this error value anyway.
    
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index f385183..cea3935 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1877,14 +1877,15 @@ static void v9fs_flush(V9fsState *s, V9fsPDU *pdu)
 static void v9fs_remove_post_remove(V9fsState *s, V9fsRemoveState *vs,
                                                                 int err)
 {
-    /* For TREMOVE we need to clunk the fid even on failed remove */
-    err = free_fid(s, vs->fidp->fid);
     if (err < 0) {
-        goto out;
+        err = -errno;
+    } else {
+        err = vs->offset;
     }
 
-    err = vs->offset;
-out:
+    /* For TREMOVE we need to clunk the fid even on failed remove */
+    free_fid(s, vs->fidp->fid);
+
     complete_pdu(s, vs->pdu, err);
     qemu_free(vs);
 }
commit be940c8716d4d7783b1649f5f286b4c0187f9f6d
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Mon May 10 12:11:03 2010 +0530

    qemu: virtio-9p: Implement statfs support in server
    
    Implement statfs support in qemu server based on Sripathi's
    initial statfs patch.
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Sripathi Kodi <sripathik at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/file-op-9p.h b/hw/file-op-9p.h
index a741c93..dd82ac7 100644
--- a/hw/file-op-9p.h
+++ b/hw/file-op-9p.h
@@ -74,6 +74,7 @@ typedef struct FileOperations
     int (*rename)(FsContext *, const char *, const char *);
     int (*truncate)(FsContext *, const char *, off_t);
     int (*fsync)(FsContext *, int);
+    int (*statfs)(FsContext *s, const char *path, struct statfs *stbuf);
     void *opaque;
 } FileOperations;
 #endif
diff --git a/hw/virtio-9p-local.c b/hw/virtio-9p-local.c
index 43c03c1..82f41c6 100644
--- a/hw/virtio-9p-local.c
+++ b/hw/virtio-9p-local.c
@@ -466,6 +466,11 @@ static int local_fsync(FsContext *ctx, int fd)
     return fsync(fd);
 }
 
+static int local_statfs(FsContext *s, const char *path, struct statfs *stbuf)
+{
+   return statfs(rpath(s, path), stbuf);
+}
+
 FileOperations local_ops = {
     .lstat = local_lstat,
     .readlink = local_readlink,
@@ -493,4 +498,5 @@ FileOperations local_ops = {
     .utime = local_utime,
     .remove = local_remove,
     .fsync = local_fsync,
+    .statfs = local_statfs,
 };
diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 107a66c..f385183 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -2144,9 +2144,72 @@ out:
     qemu_free(vs);
 }
 
+static int v9fs_do_statfs(V9fsState *s, V9fsString *path, struct statfs *stbuf)
+{
+    return s->ops->statfs(&s->ctx, path->data, stbuf);
+}
+
+static void v9fs_statfs_post_statfs(V9fsState *s, V9fsStatfsState *vs, int err)
+{
+    if (err) {
+        err = -errno;
+        goto out;
+    }
+
+    vs->v9statfs.f_type = vs->stbuf.f_type;
+    vs->v9statfs.f_bsize = vs->stbuf.f_bsize;
+    vs->v9statfs.f_blocks = vs->stbuf.f_blocks;
+    vs->v9statfs.f_bfree = vs->stbuf.f_bfree;
+    vs->v9statfs.f_bavail = vs->stbuf.f_bavail;
+    vs->v9statfs.f_files = vs->stbuf.f_files;
+    vs->v9statfs.f_ffree = vs->stbuf.f_ffree;
+    vs->v9statfs.fsid_val = (unsigned int) vs->stbuf.f_fsid.__val[0] |
+			(unsigned long long)vs->stbuf.f_fsid.__val[1] << 32;
+    vs->v9statfs.f_namelen = vs->stbuf.f_namelen;
+
+    vs->offset += pdu_marshal(vs->pdu, vs->offset, "ddqqqqqqd",
+         vs->v9statfs.f_type, vs->v9statfs.f_bsize, vs->v9statfs.f_blocks,
+         vs->v9statfs.f_bfree, vs->v9statfs.f_bavail, vs->v9statfs.f_files,
+         vs->v9statfs.f_ffree, vs->v9statfs.fsid_val,
+         vs->v9statfs.f_namelen);
+
+out:
+    complete_pdu(s, vs->pdu, vs->offset);
+    qemu_free(vs);
+}
+
+static void v9fs_statfs(V9fsState *s, V9fsPDU *pdu)
+{
+    V9fsStatfsState *vs;
+    ssize_t err = 0;
+
+    vs = qemu_malloc(sizeof(*vs));
+    vs->pdu = pdu;
+    vs->offset = 7;
+
+    memset(&vs->v9statfs, 0, sizeof(vs->v9statfs));
+
+    pdu_unmarshal(vs->pdu, vs->offset, "d", &vs->fid);
+
+    vs->fidp = lookup_fid(s, vs->fid);
+    if (vs->fidp == NULL) {
+        err = -ENOENT;
+        goto out;
+    }
+
+    err = v9fs_do_statfs(s, &vs->fidp->path, &vs->stbuf);
+    v9fs_statfs_post_statfs(s, vs, err);
+    return;
+
+out:
+    complete_pdu(s, vs->pdu, err);
+    qemu_free(vs);
+}
+
 typedef void (pdu_handler_t)(V9fsState *s, V9fsPDU *pdu);
 
 static pdu_handler_t *pdu_handlers[] = {
+    [P9_TSTATFS] = v9fs_statfs,
     [P9_TVERSION] = v9fs_version,
     [P9_TATTACH] = v9fs_attach,
     [P9_TSTAT] = v9fs_stat,
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 9286f59..992c765 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -13,6 +13,8 @@
 #define VIRTIO_9P_MOUNT_TAG 0
 
 enum {
+    P9_TSTATFS = 8,
+    P9_RSTATFS,
     P9_TVERSION = 100,
     P9_RVERSION,
     P9_TAUTH = 102,
@@ -252,6 +254,28 @@ struct virtio_9p_config
     uint8_t tag[0];
 } __attribute__((packed));
 
+typedef struct V9fsStatfs
+{
+    uint32_t f_type;
+    uint32_t f_bsize;
+    uint64_t f_blocks;
+    uint64_t f_bfree;
+    uint64_t f_bavail;
+    uint64_t f_files;
+    uint64_t f_ffree;
+    uint64_t fsid_val;
+    uint32_t f_namelen;
+} V9fsStatfs;
+
+typedef struct V9fsStatfsState {
+    V9fsPDU *pdu;
+    size_t offset;
+    int32_t fid;
+    V9fsStatfs v9statfs;
+    V9fsFidState *fidp;
+    struct statfs stbuf;
+} V9fsStatfsState;
+
 extern size_t pdu_packunpack(void *addr, struct iovec *sg, int sg_count,
                             size_t offset, size_t size, int pack);
 
commit 84151514e488c70caa2c2c0ca10c76156c3b4e14
Author: M. Mohan Kumar <mohan at in.ibm.com>
Date:   Thu May 27 13:57:29 2010 +0530

    qemu: virtio-9p: Recognize 9P2000.L protocol
    
    Make 9P server recognize 9P2000.L protocol version
    
    Signed-off-by: M. Mohan Kumar <mohan at in.ibm.com>
    Signed-off-by: Venkateswararao Jujjuri <jvrao at linux.vnet.ibm.com>

diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 047c7ea..107a66c 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -1025,7 +1025,11 @@ static void v9fs_version(V9fsState *s, V9fsPDU *pdu)
 
     pdu_unmarshal(pdu, offset, "ds", &msize, &version);
 
-    if (strcmp(version.data, "9P2000.u")) {
+    if (!strcmp(version.data, "9P2000.u")) {
+        s->proto_version = V9FS_PROTO_2000U;
+    } else if (!strcmp(version.data, "9P2000.L")) {
+        s->proto_version = V9FS_PROTO_2000L;
+    } else {
         v9fs_string_sprintf(&version, "unknown");
     }
 
diff --git a/hw/virtio-9p.h b/hw/virtio-9p.h
index 67f8087..9286f59 100644
--- a/hw/virtio-9p.h
+++ b/hw/virtio-9p.h
@@ -57,6 +57,11 @@ enum {
     P9_QTFILE = 0x00,
 };
 
+enum p9_proto_version {
+    V9FS_PROTO_2000U = 0x01,
+    V9FS_PROTO_2000L = 0x02,
+};
+
 #define P9_NOTAG    (u16)(~0)
 #define P9_NOFID    (u32)(~0)
 #define P9_MAXWELEM 16
@@ -144,6 +149,7 @@ typedef struct V9fsState
     uint16_t tag_len;
     uint8_t *tag;
     size_t config_size;
+    enum p9_proto_version proto_version;
 } V9fsState;
 
 typedef struct V9fsCreateState {
commit 7ec5e6a4ca43494949465f9f9f3d9e4c7c620503
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Wed Sep 1 12:40:52 2010 +0200

    qcow2: Remove unnecessary flush after L2 write
    
    When a new cluster was allocated, we only need a flush after the write to the
    L2 table if it was a COW and we need to decrease the refcounts of the old
    clusters.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2-cluster.c b/block/qcow2-cluster.c
index 166922f..f562b16 100644
--- a/block/qcow2-cluster.c
+++ b/block/qcow2-cluster.c
@@ -655,7 +655,7 @@ static int write_l2_entries(BlockDriverState *bs, uint64_t *l2_table,
     int ret;
 
     BLKDBG_EVENT(bs->file, BLKDBG_L2_UPDATE);
-    ret = bdrv_pwrite_sync(bs->file, l2_offset + start_offset,
+    ret = bdrv_pwrite(bs->file, l2_offset + start_offset,
         &l2_table[l2_start_index], len);
     if (ret < 0) {
         return ret;
@@ -718,9 +718,17 @@ int qcow2_alloc_cluster_link_l2(BlockDriverState *bs, QCowL2Meta *m)
         goto err;
     }
 
-    for (i = 0; i < j; i++)
-        qcow2_free_any_clusters(bs,
-            be64_to_cpu(old_cluster[i]) & ~QCOW_OFLAG_COPIED, 1);
+    /*
+     * If this was a COW, we need to decrease the refcount of the old cluster.
+     * Also flush bs->file to get the right order for L2 and refcount update.
+     */
+    if (j != 0) {
+        bdrv_flush(bs->file);
+        for (i = 0; i < j; i++) {
+            qcow2_free_any_clusters(bs,
+                be64_to_cpu(old_cluster[i]) & ~QCOW_OFLAG_COPIED, 1);
+        }
+    }
 
     ret = 0;
 err:
commit ceb25e5c7554255931f7f5647d3ad9df36111f53
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Aug 31 15:08:03 2010 +0200

    block: Fix BDRV_O_CACHE_MASK
    
    BDRV_O_CACHE_MASK should have been extended when cache=unsafe introduced a new
    flag BDRV_O_NO_FLUSH. There are currently no users that would change their
    behaviour because of this, but let's clean it up before things break.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.h b/block.h
index db131a3..5f64380 100644
--- a/block.h
+++ b/block.h
@@ -35,7 +35,7 @@ typedef struct QEMUSnapshotInfo {
 #define BDRV_O_NO_BACKING  0x0100 /* don't open the backing file */
 #define BDRV_O_NO_FLUSH    0x0200 /* disable flushing on this disk */
 
-#define BDRV_O_CACHE_MASK  (BDRV_O_NOCACHE | BDRV_O_CACHE_WB)
+#define BDRV_O_CACHE_MASK  (BDRV_O_NOCACHE | BDRV_O_CACHE_WB | BDRV_O_NO_FLUSH)
 
 #define BDRV_SECTOR_BITS   9
 #define BDRV_SECTOR_SIZE   (1ULL << BDRV_SECTOR_BITS)
commit 1bd8e175580a87c7b9e6791faca7626f9bc3ceeb
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Aug 31 13:44:25 2010 +0200

    qemu-img convert: Use cache=unsafe for output image
    
    If qemu-img crashes during the conversion, the user will throw away the broken
    output file anyway and start over. So no need to be too cautious.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index d2a978b..4e035e4 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -783,7 +783,8 @@ static int img_convert(int argc, char **argv)
         goto out;
     }
 
-    out_bs = bdrv_new_open(out_filename, out_fmt, BDRV_O_FLAGS | BDRV_O_RDWR);
+    out_bs = bdrv_new_open(out_filename, out_fmt,
+        BDRV_O_FLAGS | BDRV_O_RDWR | BDRV_O_NO_FLUSH);
     if (!out_bs) {
         ret = -1;
         goto out;
commit 05acda4d1660591ea317619699f6aa7c659a90f1
Author: Bernhard Kohl <bernhard.kohl at gmx.net>
Date:   Mon Sep 6 17:06:02 2010 +0200

    raw-posix: improve detection of scsi-generic devices
    
    Allow symbolic links which point to /dev/sgX devices.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/raw-posix.c b/block/raw-posix.c
index 0fce449..813372a 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -48,6 +48,7 @@
 #endif
 #ifdef __linux__
 #include <sys/ioctl.h>
+#include <sys/param.h>
 #include <linux/cdrom.h>
 #include <linux/fd.h>
 #endif
@@ -868,8 +869,13 @@ static int hdev_open(BlockDriverState *bs, const char *filename, int flags)
 
     s->type = FTYPE_FILE;
 #if defined(__linux__)
-    if (strstart(filename, "/dev/sg", NULL)) {
-        bs->sg = 1;
+    {
+        char resolved_path[ MAXPATHLEN ], *temp;
+
+        temp = realpath(filename, resolved_path);
+        if (temp && strstart(temp, "/dev/sg", NULL)) {
+            bs->sg = 1;
+        }
     }
 #endif
 
commit ebef0bbb1a8b5420a50e887972cc6bf0d150f9b7
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Mon Sep 6 11:50:55 2010 +0200

    scsi-disk: add some optional scsi commands
    
    I use a legacy OS which depends on some optional SCSI commands.
    In fact this implementation does nothing special, but provides minimum
    support for the following commands:
    
    REZERO UNIT
    WRITE AND VERIFY(10)
    WRITE AND VERIFY(12)
    WRITE AND VERIFY(16)
    MODE SELECT(6)
    MODE SELECT(10)
    SEEK(6)
    SEEK(10)
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index b80c9bd..1446ca6 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -892,6 +892,12 @@ static int scsi_disk_emulate_command(SCSIRequest *req, uint8_t *outbuf)
         break;
     case VERIFY:
         break;
+    case REZERO_UNIT:
+        DPRINTF("Rezero Unit\n");
+        if (!bdrv_is_inserted(s->bs)) {
+            goto not_ready;
+        }
+        break;
     default:
         goto illegal_request;
     }
@@ -1011,6 +1017,7 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     case SERVICE_ACTION_IN:
     case REPORT_LUNS:
     case VERIFY:
+    case REZERO_UNIT:
         rc = scsi_disk_emulate_command(&r->req, outbuf);
         if (rc > 0) {
             r->iov.iov_len = rc;
@@ -1034,13 +1041,40 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     case WRITE_10:
     case WRITE_12:
     case WRITE_16:
-        DPRINTF("Write (sector %" PRId64 ", count %d)\n", lba, len);
+    case WRITE_VERIFY:
+    case WRITE_VERIFY_12:
+    case WRITE_VERIFY_16:
+        DPRINTF("Write %s(sector %" PRId64 ", count %d)\n",
+                (command & 0xe) == 0xe ? "And Verify " : "", lba, len);
         if (lba > s->max_lba)
             goto illegal_lba;
         r->sector = lba * s->cluster_size;
         r->sector_count = len * s->cluster_size;
         is_write = 1;
         break;
+    case MODE_SELECT:
+        DPRINTF("Mode Select(6) (len %d)\n", len);
+        /* We don't support mode parameter changes.
+           Allow the mode parameter header + block descriptors only. */
+        if (len > 12) {
+            goto fail;
+        }
+        break;
+    case MODE_SELECT_10:
+        DPRINTF("Mode Select(10) (len %d)\n", len);
+        /* We don't support mode parameter changes.
+           Allow the mode parameter header + block descriptors only. */
+        if (len > 16) {
+            goto fail;
+        }
+        break;
+    case SEEK_6:
+    case SEEK_10:
+        DPRINTF("Seek(%d) (sector %" PRId64 ")\n", command == SEEK_6 ? 6 : 10, lba);
+        if (lba > s->max_lba) {
+            goto illegal_lba;
+        }
+        break;
     default:
 	DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);
     fail:
commit 79d1d3311319f3390f540f547becaba9d957f84c
Author: Jonathan A. Kollasch <jakllsch at kollasch.net>
Date:   Fri Sep 3 07:57:46 2010 -0500

    Improve ATA IDENTIFY word 64 contents.
    
    Fill in word 64 of IDENTIFY data to indicate support for PIO modes 3 and 4.
    This allows NetBSD guests to use UltraDMA modes instead of just PIO mode 0.
    
    Signed-off-by: Jonathan A. Kollasch <jakllsch at kollasch.net>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/core.c b/hw/ide/core.c
index 3651d2b..1e466d1 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -139,6 +139,7 @@ static void ide_identify(IDEState *s)
     put_le16(p + 61, s->nb_sectors >> 16);
     put_le16(p + 62, 0x07); /* single word dma0-2 supported */
     put_le16(p + 63, 0x07); /* mdma0-2 supported */
+    put_le16(p + 64, 0x03); /* pio3-4 supported */
     put_le16(p + 65, 120);
     put_le16(p + 66, 120);
     put_le16(p + 67, 120);
@@ -199,13 +200,12 @@ static void ide_atapi_identify(IDEState *s)
     put_le16(p + 53, 7); /* words 64-70, 54-58, 88 valid */
     put_le16(p + 62, 7);  /* single word dma0-2 supported */
     put_le16(p + 63, 7);  /* mdma0-2 supported */
-    put_le16(p + 64, 0x3f); /* PIO modes supported */
 #else
     put_le16(p + 49, 1 << 9); /* LBA supported, no DMA */
     put_le16(p + 53, 3); /* words 64-70, 54-58 valid */
     put_le16(p + 63, 0x103); /* DMA modes XXX: may be incorrect */
-    put_le16(p + 64, 1); /* PIO modes */
 #endif
+    put_le16(p + 64, 3); /* pio3-4 supported */
     put_le16(p + 65, 0xb4); /* minimum DMA multiword tx cycle time */
     put_le16(p + 66, 0xb4); /* recommended DMA multiword tx cycle time */
     put_le16(p + 67, 0x12c); /* minimum PIO cycle time without flow control */
commit 897804d6299af372a43110799cbe1d6804d5e1bc
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Sep 2 17:48:32 2010 +0200

    raw-posix: Don't use file name for host_cdrom detection on Linux
    
    On Linux, we have code to detect CD-ROMs using an ioctl. We shouldn't lose
    anything but false positives by removing the check for a /dev/cd* path.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/raw-posix.c b/block/raw-posix.c
index 72fb8ce..0fce449 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1154,9 +1154,6 @@ static int cdrom_probe_device(const char *filename)
     int fd, ret;
     int prio = 0;
 
-    if (strstart(filename, "/dev/cd", NULL))
-        prio = 50;
-
     fd = open(filename, O_RDONLY | O_NONBLOCK);
     if (fd < 0) {
         goto out;
commit b407a81e70306e8199315e39576939dc7ac925d5
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Thu Sep 2 10:38:03 2010 +0100

    qemu-io: Make alloc output useful when nb_sectors=1
    
    There is no indication whether or not the sector is allocated when
    nb_sectors=1:
    
      sector allocated at offset 64 KiB
    
    This message is produced whether or not the sector is allocated.
    
    Simply use the same message as the plural case, I don't think the
    English is so broken that we need special case output here:
    
      0/1 sectors allocated at offset 64 KiB
    
    This change does not affect qemu-iotests since nb_sectors=1 is not used
    there.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-io.c b/qemu-io.c
index 2dbe20f..bd3bd16 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -1427,11 +1427,8 @@ alloc_f(int argc, char **argv)
 
 	cvtstr(offset, s1, sizeof(s1));
 
-	if (nb_sectors == 1)
-		printf("sector allocated at offset %s\n", s1);
-	else
-		printf("%d/%d sectors allocated at offset %s\n",
-			sum_alloc, nb_sectors, s1);
+	printf("%d/%d sectors allocated at offset %s\n",
+	       sum_alloc, nb_sectors, s1);
 	return 0;
 }
 
commit aa2b1e8908271a2d7f31b73106cb83b8b4c49dfc
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Wed Sep 1 16:33:21 2010 +0200

    scsi: fix and improve debug prints
    
    Some of them are not compile clean.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index bd7b661..5eaf69e 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -600,7 +600,7 @@ static void lsi_queue_command(LSIState *s)
 {
     lsi_request *p = s->current;
 
-    DPRINTF("Queueing tag=0x%x\n", s->current_tag);
+    DPRINTF("Queueing tag=0x%x\n", p->tag);
     assert(s->current != NULL);
     assert(s->current->dma_len == 0);
     QTAILQ_INSERT_TAIL(&s->queue, s->current, next);
@@ -880,7 +880,7 @@ static void lsi_do_msgout(LSIState *s)
             break;
         case 0x20: /* SIMPLE queue */
             s->select_tag |= lsi_get_msgbyte(s) | LSI_TAG_VALID;
-            DPRINTF("SIMPLE queue tag=0x%x\n", s->current_tag & 0xff);
+            DPRINTF("SIMPLE queue tag=0x%x\n", s->select_tag & 0xff);
             break;
         case 0x21: /* HEAD of queue */
             BADF("HEAD queue not implemented\n");
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 0c90c77..b80c9bd 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -135,7 +135,7 @@ static void scsi_read_complete(void * opaque, int ret)
         scsi_command_complete(r, CHECK_CONDITION, NO_SENSE);
         return;
     }
-    DPRINTF("Data ready tag=0x%x len=%" PRId64 "\n", r->req.tag, r->iov.iov_len);
+    DPRINTF("Data ready tag=0x%x len=%zd\n", r->req.tag, r->iov.iov_len);
 
     r->req.bus->complete(r->req.bus, SCSI_REASON_DATA, r->req.tag, r->iov.iov_len);
 }
@@ -155,7 +155,7 @@ static void scsi_read_data(SCSIDevice *d, uint32_t tag)
         return;
     }
     if (r->sector_count == (uint32_t)-1) {
-        DPRINTF("Read buf_len=%" PRId64 "\n", r->iov.iov_len);
+        DPRINTF("Read buf_len=%zd\n", r->iov.iov_len);
         r->sector_count = 0;
         r->req.bus->complete(r->req.bus, SCSI_REASON_DATA, r->req.tag, r->iov.iov_len);
         return;
@@ -631,8 +631,8 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
     dbd = req->cmd.buf[1]  & 0x8;
     page = req->cmd.buf[2] & 0x3f;
     page_control = (req->cmd.buf[2] & 0xc0) >> 6;
-    DPRINTF("Mode Sense(%d) (page %d, len %d, page_control %d)\n",
-        (req->cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, len, page_control);
+    DPRINTF("Mode Sense(%d) (page %d, xfer %zd, page_control %d)\n",
+        (req->cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, req->cmd.xfer, page_control);
     memset(outbuf, 0, req->cmd.xfer);
     p = outbuf;
 
diff --git a/hw/scsi-generic.c b/hw/scsi-generic.c
index aa4f62a..9538027 100644
--- a/hw/scsi-generic.c
+++ b/hw/scsi-generic.c
@@ -164,7 +164,7 @@ static void scsi_read_complete(void * opaque, int ret)
     int len;
 
     if (ret) {
-        DPRINTF("IO error\n");
+        DPRINTF("IO error ret %d\n", ret);
         scsi_command_complete(r, ret);
         return;
     }
@@ -236,7 +236,7 @@ static void scsi_write_complete(void * opaque, int ret)
     if (r->req.cmd.buf[0] == MODE_SELECT && r->req.cmd.buf[4] == 12 &&
         s->qdev.type == TYPE_TAPE) {
         s->qdev.blocksize = (r->buf[9] << 16) | (r->buf[10] << 8) | r->buf[11];
-        DPRINTF("block size %d\n", s->blocksize);
+        DPRINTF("block size %d\n", s->qdev.blocksize);
     }
 
     scsi_command_complete(r, ret);
@@ -351,8 +351,18 @@ static int32_t scsi_send_command(SCSIDevice *d, uint32_t tag,
     }
     scsi_req_fixup(&r->req);
 
-    DPRINTF("Command: lun=%d tag=0x%x data=0x%02x len %d\n", lun, tag,
-            cmd[0], r->req.cmd.xfer);
+    DPRINTF("Command: lun=%d tag=0x%x len %zd data=0x%02x", lun, tag,
+            r->req.cmd.xfer, cmd[0]);
+
+#ifdef DEBUG_SCSI
+    {
+        int i;
+        for (i = 1; i < r->req.cmd.len; i++) {
+            printf(" 0x%02x", cmd[i]);
+        }
+        printf("\n");
+    }
+#endif
 
     if (r->req.cmd.xfer == 0) {
         if (r->buf != NULL)
commit 333d50fe3d9a1ff0a6a1a44ef42a0d3a2a7f2abe
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Aug 31 14:08:27 2010 +0200

    scsi-disk: fix the check of the DBD bit in the MODE SENSE command
    
    The DBD bit does not work as expected.
    
    SCSI-Spec:
    http://ldkelley.com/SCSI2/SCSI2/SCSI2-08.html#8.2.10
    "A disable block descriptors (DBD) bit of zero indicates that the target
    may return zero or more block descriptors in the returned MODE SENSE
    data (see 8.3.3), at the target's discretion. A DBD bit of one
    specifies that the target shall not return any block descriptors in the
    returned MODE SENSE data."
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 44f99b0..0c90c77 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -655,7 +655,7 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
     }
 
     bdrv_get_geometry(s->bs, &nb_sectors);
-    if ((~dbd) & nb_sectors) {
+    if (!dbd && nb_sectors) {
         if (req->cmd.buf[0] == MODE_SENSE) {
             outbuf[3] = 8; /* Block descriptor length  */
         } else { /* MODE_SENSE_10 */
commit a9c17b2bf3639662fbdeb736289ebabfda9fa21a
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Aug 31 14:08:26 2010 +0200

    scsi-disk: return CHECK CONDITION for unknown page codes in the MODE SENSE command
    
    SCSI-Spec:
    http://ldkelley.com/SCSI2/SCSI2/SCSI2-08.html#8.2.10
    "An initiator may request any one or all of the supported mode pages
    from a target. If an initiator issues a MODE SENSE command with a
    page code value not implemented by the target, the target shall return
    CHECK CONDITION status and shall set the sense key to ILLEGAL REQUEST
    and the additional sense code to INVALID FIELD IN CDB."
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index e085d5b..44f99b0 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -690,6 +690,8 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
         p += mode_sense_page(req, 0x08, p, page_control);
         p += mode_sense_page(req, 0x2a, p, page_control);
         break;
+    default:
+        return -1; /* ILLEGAL_REQUEST */
     }
 
     buflen = p - outbuf;
commit 2488b74081650a5312fe1515660b6cb095244c34
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Aug 31 14:08:25 2010 +0200

    scsi-disk: fix the block descriptor returned by the MODE SENSE command
    
    The block descriptor contains the number of blocks, not the highest LBA.
    Real hard disks return 0 if the number of blocks exceed the maximum 0xFFFFFF.
    
    SCSI-Spec:
    http://ldkelley.com/SCSI2/SCSI2/SCSI2-08.html#8.3.3
    "The number of blocks field specifies the number of logical blocks on the
    medium to which the density code and block length fields apply. A value
    of zero indicates that all of the remaining logical blocks of the logical
    unit shall have the medium characteristics specified."
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 1287cab..e085d5b 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -662,9 +662,8 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
             outbuf[7] = 8; /* Block descriptor length  */
         }
         nb_sectors /= s->cluster_size;
-        nb_sectors--;
         if (nb_sectors > 0xffffff)
-            nb_sectors = 0xffffff;
+            nb_sectors = 0;
         p[0] = 0; /* media density code */
         p[1] = (nb_sectors >> 16) & 0xff;
         p[2] = (nb_sectors >> 8) & 0xff;
commit 282ab04eb1e6f4faa6c5d2827e3209c4a1eec40e
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Aug 31 14:08:24 2010 +0200

    scsi-disk: respect the page control (PC) field in the MODE SENSE command
    
    The page control (PC) field defines the type of mode parameter values
    to be returned in the mode pages:
    
    PC=0 : Current values
    PC=1 : Changeable values
    PC=2 : Default values
    PC=3 : Saved values
    
    The current implementation always returns the same type of parameters.
    This is OK for Current and Default values as we don't support changes
    to be done by the MODE SELECT command.
    
    For Saved values the following applies (implemented by this patch):
    "A PC field value of 3h requests that the target return the saved
    values of the mode parameters. Implementation of saved page parameters
    is optional. Mode parameters not supported by the target shall be set
    to zero. If saved values are not implemented, the command shall be
    terminated with CHECK CONDITION status, the sense key set to
    ILLEGAL REQUEST and the additional sense code set to
    SAVING PARAMETERS NOT SUPPORTED."
    
    For Changeable values the following applies (implemented by this patch):
    "A PC field value of 1h requests that the target return a mask denoting
    those mode parameters that are changeable. In the mask, the fields of
    the mode parameters that are changeable shall be set to all one bits and
    the fields of the mode parameters that are non-changeable (i.e. defined
    by the target) shall be set to all zero bits."
    
    In newer versions of the SCSI-2 spec the following clause was added.
    "If the logical unit does not implement changeable parameters mode pages
    and the device server receives a MODE SENSE command with 01b in the PC
    field, then the command shall be terminated with CHECK CONDITION status,
    with the sense key set to ILLEGAL REQUEST, and the additional sense code
    set to INVALID FIELD IN CDB."
    
    This was not yet included in the SCSI-2 Working Drafts from 1986-1993.
    I assume that the variant to return CHECK CONDITION for PC=1 is not
    widely implemented by real devices. I have a legacy OS which fails,
    if MODE_SENSE returns non GOOD for PC=1. So for highest compatibility I
    implemented the former variant with this patch.
    
    The last Working Draft X3T9.2 Rev. 10L 7-SEP-93 can be found here:
    http://ldkelley.com/SCSI2/SCSI2/SCSI2-08.html#8.2.10
    
    In mode_sense_page() this patch also avoids multiple hard coded
    definitions of the same mode page length. Instead I use the varable
    p[1]. In fact the returned length of the mode pages 4 and 5 were wrong
    (2 bytes less).
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 3e727b9..1287cab 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -486,16 +486,26 @@ static int scsi_disk_emulate_inquiry(SCSIRequest *req, uint8_t *outbuf)
     return buflen;
 }
 
-static int mode_sense_page(SCSIRequest *req, int page, uint8_t *p)
+static int mode_sense_page(SCSIRequest *req, int page, uint8_t *p,
+                           int page_control)
 {
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
     BlockDriverState *bdrv = s->bs;
     int cylinders, heads, secs;
 
+    /*
+     * If Changeable Values are requested, a mask denoting those mode parameters
+     * that are changeable shall be returned. As we currently don't support
+     * parameter changes via MODE_SELECT all bits are returned set to zero.
+     * The buffer was already menset to zero by the caller of this function.
+     */
     switch (page) {
     case 4: /* Rigid disk device geometry page. */
         p[0] = 4;
         p[1] = 0x16;
+        if (page_control == 1) { /* Changeable Values */
+            return p[1] + 2;
+        }
         /* if a geometry hint is available, use it */
         bdrv_get_geometry_hint(bdrv, &cylinders, &heads, &secs);
         p[2] = (cylinders >> 16) & 0xff;
@@ -520,11 +530,14 @@ static int mode_sense_page(SCSIRequest *req, int page, uint8_t *p)
         /* Medium rotation rate [rpm], 5400 rpm */
         p[20] = (5400 >> 8) & 0xff;
         p[21] = 5400 & 0xff;
-        return 0x16;
+        return p[1] + 2;
 
     case 5: /* Flexible disk device geometry page. */
         p[0] = 5;
         p[1] = 0x1e;
+        if (page_control == 1) { /* Changeable Values */
+            return p[1] + 2;
+        }
         /* Transfer rate [kbit/s], 5Mbit/s */
         p[2] = 5000 >> 8;
         p[3] = 5000 & 0xff;
@@ -556,21 +569,27 @@ static int mode_sense_page(SCSIRequest *req, int page, uint8_t *p)
         /* Medium rotation rate [rpm], 5400 rpm */
         p[28] = (5400 >> 8) & 0xff;
         p[29] = 5400 & 0xff;
-        return 0x1e;
+        return p[1] + 2;
 
     case 8: /* Caching page.  */
         p[0] = 8;
         p[1] = 0x12;
+        if (page_control == 1) { /* Changeable Values */
+            return p[1] + 2;
+        }
         if (bdrv_enable_write_cache(s->bs)) {
             p[2] = 4; /* WCE */
         }
-        return 20;
+        return p[1] + 2;
 
     case 0x2a: /* CD Capabilities and Mechanical Status page. */
         if (bdrv_get_type_hint(bdrv) != BDRV_TYPE_CDROM)
             return 0;
         p[0] = 0x2a;
         p[1] = 0x14;
+        if (page_control == 1) { /* Changeable Values */
+            return p[1] + 2;
+        }
         p[2] = 3; // CD-R & CD-RW read
         p[3] = 0; // Writing not supported
         p[4] = 0x7f; /* Audio, composite, digital out,
@@ -594,7 +613,7 @@ static int mode_sense_page(SCSIRequest *req, int page, uint8_t *p)
         p[19] = (16 * 176) & 0xff;
         p[20] = (16 * 176) >> 8; // 16x write speed current
         p[21] = (16 * 176) & 0xff;
-        return 22;
+        return p[1] + 2;
 
     default:
         return 0;
@@ -605,13 +624,15 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
 {
     SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, req->dev);
     uint64_t nb_sectors;
-    int page, dbd, buflen;
+    int page, dbd, buflen, page_control;
     uint8_t *p;
     uint8_t dev_specific_param;
 
     dbd = req->cmd.buf[1]  & 0x8;
     page = req->cmd.buf[2] & 0x3f;
-    DPRINTF("Mode Sense (page %d, len %zd)\n", page, req->cmd.xfer);
+    page_control = (req->cmd.buf[2] & 0xc0) >> 6;
+    DPRINTF("Mode Sense(%d) (page %d, len %d, page_control %d)\n",
+        (req->cmd.buf[0] == MODE_SENSE) ? 6 : 10, page, len, page_control);
     memset(outbuf, 0, req->cmd.xfer);
     p = outbuf;
 
@@ -655,16 +676,20 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
         p += 8;
     }
 
+    if (page_control == 3) { /* Saved Values */
+        return -1; /* ILLEGAL_REQUEST */
+    }
+
     switch (page) {
     case 0x04:
     case 0x05:
     case 0x08:
     case 0x2a:
-        p += mode_sense_page(req, page, p);
+        p += mode_sense_page(req, page, p, page_control);
         break;
     case 0x3f:
-        p += mode_sense_page(req, 0x08, p);
-        p += mode_sense_page(req, 0x2a, p);
+        p += mode_sense_page(req, 0x08, p, page_control);
+        p += mode_sense_page(req, 0x2a, p, page_control);
         break;
     }
 
commit ce512ee115b20bfc8a562d528a3f14eeff9ddf64
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Aug 31 14:08:23 2010 +0200

    scsi-disk: fix the mode data header returned by the MODE SENSE(10) command
    
    The header for the  MODE SENSE(10) command is 8 bytes long.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index b627ffe..3e727b9 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -607,6 +607,7 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
     uint64_t nb_sectors;
     int page, dbd, buflen;
     uint8_t *p;
+    uint8_t dev_specific_param;
 
     dbd = req->cmd.buf[1]  & 0x8;
     page = req->cmd.buf[2] & 0x3f;
@@ -614,16 +615,31 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
     memset(outbuf, 0, req->cmd.xfer);
     p = outbuf;
 
-    p[1] = 0; /* Default media type.  */
-    p[3] = 0; /* Block descriptor length.  */
     if (bdrv_is_read_only(s->bs)) {
-        p[2] = 0x80; /* Readonly.  */
+        dev_specific_param = 0x80; /* Readonly.  */
+    } else {
+        dev_specific_param = 0x00;
+    }
+
+    if (req->cmd.buf[0] == MODE_SENSE) {
+        p[1] = 0; /* Default media type.  */
+        p[2] = dev_specific_param;
+        p[3] = 0; /* Block descriptor length.  */
+        p += 4;
+    } else { /* MODE_SENSE_10 */
+        p[2] = 0; /* Default media type.  */
+        p[3] = dev_specific_param;
+        p[6] = p[7] = 0; /* Block descriptor length.  */
+        p += 8;
     }
-    p += 4;
 
     bdrv_get_geometry(s->bs, &nb_sectors);
     if ((~dbd) & nb_sectors) {
-        outbuf[3] = 8; /* Block descriptor length  */
+        if (req->cmd.buf[0] == MODE_SENSE) {
+            outbuf[3] = 8; /* Block descriptor length  */
+        } else { /* MODE_SENSE_10 */
+            outbuf[7] = 8; /* Block descriptor length  */
+        }
         nb_sectors /= s->cluster_size;
         nb_sectors--;
         if (nb_sectors > 0xffffff)
@@ -653,7 +669,17 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
     }
 
     buflen = p - outbuf;
-    outbuf[0] = buflen - 1;
+    /*
+     * The mode data length field specifies the length in bytes of the
+     * following data that is available to be transferred. The mode data
+     * length does not include itself.
+     */
+    if (req->cmd.buf[0] == MODE_SENSE) {
+        outbuf[0] = buflen - 1;
+    } else { /* MODE_SENSE_10 */
+        outbuf[0] = ((buflen - 2) >> 8) & 0xff;
+        outbuf[1] = (buflen - 2) & 0xff;
+    }
     if (buflen > req->cmd.xfer)
         buflen = req->cmd.xfer;
     return buflen;
commit 78e70c30612833fd0017cfa5b519bc23df808927
Author: Bernhard Kohl <bernhard.kohl at nsn.com>
Date:   Tue Aug 31 11:22:29 2010 +0200

    scsi-disk: fix the mode data length field returned by the MODE SENSE command
    
    The MODE DATA LENGTH field indicates the length in bytes of the following
    data that is available to be transferred. The mode data length does not include
    the number of bytes in the MODE DATA LENGTH field.
    
    Signed-off-by: Bernhard Kohl <bernhard.kohl at nsn.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 07a6d86..b627ffe 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -653,7 +653,7 @@ static int scsi_disk_emulate_mode_sense(SCSIRequest *req, uint8_t *outbuf)
     }
 
     buflen = p - outbuf;
-    outbuf[0] = buflen - 4;
+    outbuf[0] = buflen - 1;
     if (buflen > req->cmd.xfer)
         buflen = req->cmd.xfer;
     return buflen;
commit 4c54cb89e163362b4c0fdb64ca20c5c766f08da8
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Sep 7 16:21:22 2010 +0300

    kvm: reset MSR_IA32_CR_PAT correctly
    
    The power-on value of MSR_IA32_CR_PAT is not 0 - that disables cacheing and
    makes everything dog slow.
    
    Fix to reset MSR_IA32_CR_PAT to the correct value.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 46257d6..016dcf1 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -1323,12 +1323,21 @@ static int kvm_reset_msrs(CPUState *env)
     } msr_data;
     int n;
     struct kvm_msr_entry *msrs = msr_data.entries;
+    uint32_t index;
+    uint64_t data;
 
     if (!kvm_msr_list) {
         return -1;
     }
 
     for (n = 0; n < kvm_msr_list->nmsrs; n++) {
+        index = kvm_msr_list->indices[n];
+        switch (index) {
+        case MSR_PAT:
+            data = 0x0007040600070406ULL;
+        default:
+            data = 0;
+        }
         kvm_msr_entry_set(&msrs[n], kvm_msr_list->indices[n], 0);
     }
 
commit cb375ad1a62ba9de0207d144d0ad8ca1bee09d33
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Sep 6 17:20:17 2010 -0300

    qemu-kvm: drop posix-aio-compat.cs signalfd usage
    
    Block SIGUSR2, which makes the signal be handled through qemu-kvm.c's
    signalfd.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index c05c77b..a67ffe3 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -26,7 +26,6 @@
 #include "osdep.h"
 #include "qemu-common.h"
 #include "block_int.h"
-#include "compatfd.h"
 
 #include "block/raw-posix-aio.h"
 
@@ -54,7 +53,7 @@ struct qemu_paiocb {
 };
 
 typedef struct PosixAioState {
-    int fd;
+    int rfd, wfd;
     struct qemu_paiocb *first_aio;
 } PosixAioState;
 
@@ -473,29 +472,18 @@ static int posix_aio_process_queue(void *opaque)
 static void posix_aio_read(void *opaque)
 {
     PosixAioState *s = opaque;
-    union {
-        struct qemu_signalfd_siginfo siginfo;
-        char buf[128];
-    } sig;
-    size_t offset;
+    ssize_t len;
 
-    /* try to read from signalfd, don't freak out if we can't read anything */
-    offset = 0;
-    while (offset < 128) {
-        ssize_t len;
+    /* read all bytes from signal pipe */
+    for (;;) {
+        char bytes[16];
 
-        len = read(s->fd, sig.buf + offset, 128 - offset);
+        len = read(s->rfd, bytes, sizeof(bytes));
         if (len == -1 && errno == EINTR)
-            continue;
-        if (len == -1 && errno == EAGAIN) {
-            /* there is no natural reason for this to happen,
-             * so we'll spin hard until we get everything just
-             * to be on the safe side. */
-            if (offset > 0)
-                continue;
-        }
-
-        offset += len;
+            continue; /* try again */
+        if (len == sizeof(bytes))
+            continue; /* more to read */
+        break;
     }
 
     posix_aio_process_queue(s);
@@ -509,6 +497,20 @@ static int posix_aio_flush(void *opaque)
 
 static PosixAioState *posix_aio_state;
 
+static void aio_signal_handler(int signum)
+{
+    if (posix_aio_state) {
+        char byte = 0;
+        ssize_t ret;
+
+        ret = write(posix_aio_state->wfd, &byte, sizeof(byte));
+        if (ret < 0 && errno != EAGAIN)
+            die("write()");
+    }
+
+    qemu_service_io();
+}
+
 static void paio_remove(struct qemu_paiocb *acb)
 {
     struct qemu_paiocb **pacb;
@@ -610,8 +612,9 @@ BlockDriverAIOCB *paio_ioctl(BlockDriverState *bs, int fd,
 
 int paio_init(void)
 {
-    sigset_t mask;
+    struct sigaction act;
     PosixAioState *s;
+    int fds[2];
     int ret;
 
     if (posix_aio_state)
@@ -619,21 +622,24 @@ int paio_init(void)
 
     s = qemu_malloc(sizeof(PosixAioState));
 
-    /* Make sure to block AIO signal */
-    sigemptyset(&mask);
-    sigaddset(&mask, SIGUSR2);
-    sigprocmask(SIG_BLOCK, &mask, NULL);
+    sigfillset(&act.sa_mask);
+    act.sa_flags = 0; /* do not restart syscalls to interrupt select() */
+    act.sa_handler = aio_signal_handler;
+    sigaction(SIGUSR2, &act, NULL);
 
     s->first_aio = NULL;
-    s->fd = qemu_signalfd(&mask);
-    if (s->fd == -1) {
-        fprintf(stderr, "failed to create signalfd\n");
+    if (qemu_pipe(fds) == -1) {
+        fprintf(stderr, "failed to create pipe\n");
         return -1;
     }
 
-    fcntl(s->fd, F_SETFL, O_NONBLOCK);
+    s->rfd = fds[0];
+    s->wfd = fds[1];
+
+    fcntl(s->rfd, F_SETFL, O_NONBLOCK);
+    fcntl(s->wfd, F_SETFL, O_NONBLOCK);
 
-    qemu_aio_set_fd_handler(s->fd, posix_aio_read, NULL, posix_aio_flush,
+    qemu_aio_set_fd_handler(s->rfd, posix_aio_read, NULL, posix_aio_flush,
         posix_aio_process_queue, s);
 
     ret = pthread_attr_init(&attr);
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 060c47d..2fb927c 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -1680,6 +1680,7 @@ int kvm_main_loop(void)
     sigemptyset(&mask);
     sigaddset(&mask, SIGIO);
     sigaddset(&mask, SIGALRM);
+    sigaddset(&mask, SIGUSR2);
     sigaddset(&mask, SIGBUS);
     sigprocmask(SIG_BLOCK, &mask, NULL);
 
commit 2a0620db650cc12b5a3c932152e43461ad55c5f1
Author: Marcelo Tosatti <mtosatti at redhat.com>
Date:   Mon Sep 6 17:20:16 2010 -0300

    qemu-kvm: use usptream eventfd code
    
    Upstream code is equivalent.
    
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/cpus.c b/cpus.c
index 8319d4e..c545a62 100644
--- a/cpus.c
+++ b/cpus.c
@@ -290,11 +290,6 @@ void qemu_notify_event(void)
 {
     CPUState *env = cpu_single_env;
 
-    if (kvm_enabled()) {
-        qemu_kvm_notify_work();
-        return;
-    }
-
     qemu_event_increment ();
     if (env) {
         cpu_exit(env);
diff --git a/qemu-kvm.c b/qemu-kvm.c
index 36f3a2e..060c47d 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -71,7 +71,6 @@ static int qemu_system_ready;
 #define SIG_IPI (SIGRTMIN+4)
 
 pthread_t io_thread;
-static int io_thread_fd = -1;
 static int io_thread_sigfd = -1;
 
 static CPUState *kvm_debug_cpu_requested;
@@ -1634,28 +1633,6 @@ int kvm_init_ap(void)
     return 0;
 }
 
-void qemu_kvm_notify_work(void)
-{
-    /* Write 8 bytes to be compatible with eventfd.  */
-    static uint64_t val = 1;
-    ssize_t ret;
-
-    if (io_thread_fd == -1) {
-        return;
-    }
-
-    do {
-        ret = write(io_thread_fd, &val, sizeof(val));
-    } while (ret < 0 && errno == EINTR);
-
-    /* EAGAIN is fine in case we have a pipe.  */
-    if (ret < 0 && errno != EAGAIN) {
-         fprintf(stderr, "qemu_kvm_notify_work: write() filed: %s\n",
-                 strerror(errno));
-         exit (1);
-    }
-}
-
 /* If we have signalfd, we mask out the signals we want to handle and then
  * use signalfd to listen for them.  We rely on whatever the current signal
  * handler is to dispatch the signals when we receive them.
@@ -1692,41 +1669,14 @@ static void sigfd_handler(void *opaque)
     }
 }
 
-/* Used to break IO thread out of select */
-static void io_thread_wakeup(void *opaque)
-{
-    int fd = (unsigned long) opaque;
-    ssize_t len;
-    char buffer[512];
-
-    /* Drain the notify pipe.  For eventfd, only 8 bytes will be read.  */
-    do {
-        len = read(fd, buffer, sizeof(buffer));
-    } while ((len == -1 && errno == EINTR) || len == sizeof(buffer));
-}
-
 int kvm_main_loop(void)
 {
-    int fds[2];
     sigset_t mask;
     int sigfd;
 
     io_thread = pthread_self();
     qemu_system_ready = 1;
 
-    if (qemu_eventfd(fds) == -1) {
-        fprintf(stderr, "failed to create eventfd\n");
-        return -errno;
-    }
-
-    fcntl(fds[0], F_SETFL, O_NONBLOCK);
-    fcntl(fds[1], F_SETFL, O_NONBLOCK);
-
-    qemu_set_fd_handler2(fds[0], NULL, io_thread_wakeup, NULL,
-                         (void *)(unsigned long) fds[0]);
-
-    io_thread_fd = fds[1];
-
     sigemptyset(&mask);
     sigaddset(&mask, SIGIO);
     sigaddset(&mask, SIGALRM);
diff --git a/qemu-kvm.h b/qemu-kvm.h
index 42c990d..9809574 100644
--- a/qemu-kvm.h
+++ b/qemu-kvm.h
@@ -863,8 +863,6 @@ void qemu_kvm_aio_wait_start(void);
 void qemu_kvm_aio_wait(void);
 void qemu_kvm_aio_wait_end(void);
 
-void qemu_kvm_notify_work(void);
-
 void kvm_tpr_access_report(CPUState *env, uint64_t rip, int is_write);
 
 int kvm_arch_init_irq_routing(void);
commit a697a334b3c4d3250e6420f5d38550ea10eb5319
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Thu Sep 2 09:01:10 2010 -0600

    virtio-net: Introduce a new bottom half packet TX
    
    Based on a patch from Mark McLoughlin, this patch introduces a new
    bottom half packet transmitter that avoids the latency imposed by
    the tx_timer approach.  Rather than scheduling a timer when a TX
    packet comes in, schedule a bottom half to be run from the iothread.
    The bottom half handler first attempts to flush the queue with
    notification disabled (this is where we could race with a guest
    without txburst).  If we flush a full burst, reschedule immediately.
    If we send short of a full burst, try to re-enable notification.
    To avoid a race with TXs that may have occurred, we must then
    flush again.  If we find some packets to send, the guest it probably
    active, so we can reschedule again.
    
    tx_timer and tx_bh are mutually exclusive, so we can re-use the
    tx_waiting flag to indicate one or the other needs to be setup.
    This allows us to seamlessly migrate between timer and bh TX
    handling.
    
    The bottom half handler becomes the new default and we add a new
    tx= option to virtio-net-pci.  Usage:
    
    -device virtio-net-pci,tx=timer # select timer mitigation vs "bh"
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/s390-virtio-bus.c b/hw/s390-virtio-bus.c
index 092e65f..784dc01 100644
--- a/hw/s390-virtio-bus.c
+++ b/hw/s390-virtio-bus.c
@@ -332,6 +332,7 @@ static VirtIOS390DeviceInfo s390_virtio_net = {
                            net.txtimer, TX_TIMER_INTERVAL),
         DEFINE_PROP_INT32("x-txburst", VirtIOS390Device,
                           net.txburst, TX_BURST),
+        DEFINE_PROP_STRING("tx", VirtIOS390Device, net.tx),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
diff --git a/hw/syborg_virtio.c b/hw/syborg_virtio.c
index 3c3f3b0..4dfd1a8 100644
--- a/hw/syborg_virtio.c
+++ b/hw/syborg_virtio.c
@@ -300,6 +300,7 @@ static SysBusDeviceInfo syborg_virtio_net_info = {
                            net.txtimer, TX_TIMER_INTERVAL),
         DEFINE_PROP_INT32("x-txburst", SyborgVirtIOProxy,
                           net.txburst, TX_BURST),
+        DEFINE_PROP_STRING("tx", SyborgVirtIOProxy, net.tx),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 1a4ba21..0a9cae2 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -36,6 +36,7 @@ typedef struct VirtIONet
     VirtQueue *ctrl_vq;
     NICState *nic;
     QEMUTimer *tx_timer;
+    QEMUBH *tx_bh;
     uint32_t tx_timeout;
     int32_t tx_burst;
     int tx_waiting;
@@ -700,7 +701,7 @@ static int32_t virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
     return num_packets;
 }
 
-static void virtio_net_handle_tx(VirtIODevice *vdev, VirtQueue *vq)
+static void virtio_net_handle_tx_timer(VirtIODevice *vdev, VirtQueue *vq)
 {
     VirtIONet *n = to_virtio_net(vdev);
 
@@ -717,6 +718,18 @@ static void virtio_net_handle_tx(VirtIODevice *vdev, VirtQueue *vq)
     }
 }
 
+static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq)
+{
+    VirtIONet *n = to_virtio_net(vdev);
+
+    if (unlikely(n->tx_waiting)) {
+        return;
+    }
+    virtio_queue_set_notification(vq, 0);
+    qemu_bh_schedule(n->tx_bh);
+    n->tx_waiting = 1;
+}
+
 static void virtio_net_tx_timer(void *opaque)
 {
     VirtIONet *n = opaque;
@@ -731,6 +744,41 @@ static void virtio_net_tx_timer(void *opaque)
     virtio_net_flush_tx(n, n->tx_vq);
 }
 
+static void virtio_net_tx_bh(void *opaque)
+{
+    VirtIONet *n = opaque;
+    int32_t ret;
+
+    n->tx_waiting = 0;
+
+    /* Just in case the driver is not ready on more */
+    if (unlikely(!(n->vdev.status & VIRTIO_CONFIG_S_DRIVER_OK)))
+        return;
+
+    ret = virtio_net_flush_tx(n, n->tx_vq);
+    if (ret == -EBUSY) {
+        return; /* Notification re-enable handled by tx_complete */
+    }
+
+    /* If we flush a full burst of packets, assume there are
+     * more coming and immediately reschedule */
+    if (ret >= n->tx_burst) {
+        qemu_bh_schedule(n->tx_bh);
+        n->tx_waiting = 1;
+        return;
+    }
+
+    /* If less than a full burst, re-enable notification and flush
+     * anything that may have come in while we weren't looking.  If
+     * we find something, assume the guest is still active and reschedule */
+    virtio_queue_set_notification(n->tx_vq, 1);
+    if (virtio_net_flush_tx(n, n->tx_vq) > 0) {
+        virtio_queue_set_notification(n->tx_vq, 0);
+        qemu_bh_schedule(n->tx_bh);
+        n->tx_waiting = 1;
+    }
+}
+
 static void virtio_net_save(QEMUFile *f, void *opaque)
 {
     VirtIONet *n = opaque;
@@ -850,8 +898,12 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
     n->mac_table.first_multi = i;
 
     if (n->tx_waiting) {
-        qemu_mod_timer(n->tx_timer,
-                       qemu_get_clock(vm_clock) + n->tx_timeout);
+        if (n->tx_timer) {
+            qemu_mod_timer(n->tx_timer,
+                           qemu_get_clock(vm_clock) + n->tx_timeout);
+        } else {
+            qemu_bh_schedule(n->tx_bh);
+        }
     }
     return 0;
 }
@@ -929,7 +981,22 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
     n->vdev.reset = virtio_net_reset;
     n->vdev.set_status = virtio_net_set_status;
     n->rx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_rx);
-    n->tx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_tx);
+
+    if (net->tx && strcmp(net->tx, "timer") && strcmp(net->tx, "bh")) {
+        fprintf(stderr, "virtio-net: "
+                "Unknown option tx=%s, valid options: \"timer\" \"bh\"\n",
+                net->tx);
+        fprintf(stderr, "Defaulting to \"bh\"\n");
+    }
+
+    if (net->tx && !strcmp(net->tx, "timer")) {
+        n->tx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_tx_timer);
+        n->tx_timer = qemu_new_timer(vm_clock, virtio_net_tx_timer, n);
+        n->tx_timeout = net->txtimer;
+    } else {
+        n->tx_vq = virtio_add_queue(&n->vdev, 256, virtio_net_handle_tx_bh);
+        n->tx_bh = qemu_bh_new(virtio_net_tx_bh, n);
+    }
     n->ctrl_vq = virtio_add_queue(&n->vdev, 64, virtio_net_handle_ctrl);
     qemu_macaddr_default_if_unset(&conf->macaddr);
     memcpy(&n->mac[0], &conf->macaddr, sizeof(n->mac));
@@ -939,9 +1006,7 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
 
     qemu_format_nic_info_str(&n->nic->nc, conf->macaddr.a);
 
-    n->tx_timer = qemu_new_timer(vm_clock, virtio_net_tx_timer, n);
     n->tx_waiting = 0;
-    n->tx_timeout = net->txtimer;
     n->tx_burst = net->txburst;
     n->mergeable_rx_bufs = 0;
     n->promisc = 1; /* for compatibility */
@@ -974,8 +1039,12 @@ void virtio_net_exit(VirtIODevice *vdev)
     qemu_free(n->mac_table.macs);
     qemu_free(n->vlans);
 
-    qemu_del_timer(n->tx_timer);
-    qemu_free_timer(n->tx_timer);
+    if (n->tx_timer) {
+        qemu_del_timer(n->tx_timer);
+        qemu_free_timer(n->tx_timer);
+    } else {
+        qemu_bh_delete(n->tx_bh);
+    }
 
     virtio_cleanup(&n->vdev);
     qemu_del_vlan_client(&n->nic->nc);
diff --git a/hw/virtio-net.h b/hw/virtio-net.h
index a2d1545..8af9a1c 100644
--- a/hw/virtio-net.h
+++ b/hw/virtio-net.h
@@ -60,6 +60,7 @@ typedef struct virtio_net_conf
 {
     uint32_t txtimer;
     int32_t txburst;
+    char *tx;
 } virtio_net_conf;
 
 /* Maximum packet size we can receive from tap device: header + 64k */
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 3a5b3e6..86e6b0a 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -695,6 +695,7 @@ static PCIDeviceInfo virtio_info[] = {
                                net.txtimer, TX_TIMER_INTERVAL),
             DEFINE_PROP_INT32("x-txburst", VirtIOPCIProxy,
                               net.txburst, TX_BURST),
+            DEFINE_PROP_STRING("tx", VirtIOPCIProxy, net.tx),
             DEFINE_PROP_END_OF_LIST(),
         },
         .qdev.reset = virtio_pci_reset,
commit 4b4b8d361c21209bd6414c369fe93eb70c5ff50d
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Thu Sep 2 09:01:04 2010 -0600

    virtio-net: Rename tx_timer_active to tx_waiting
    
    De-couple this from the timer since we might want to use
    different backends to send the packet.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 55f3d94..1a4ba21 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -38,7 +38,7 @@ typedef struct VirtIONet
     QEMUTimer *tx_timer;
     uint32_t tx_timeout;
     int32_t tx_burst;
-    int tx_timer_active;
+    int tx_waiting;
     uint32_t has_vnet_hdr;
     uint8_t has_ufo;
     struct {
@@ -704,15 +704,15 @@ static void virtio_net_handle_tx(VirtIODevice *vdev, VirtQueue *vq)
 {
     VirtIONet *n = to_virtio_net(vdev);
 
-    if (n->tx_timer_active) {
+    if (n->tx_waiting) {
         virtio_queue_set_notification(vq, 1);
         qemu_del_timer(n->tx_timer);
-        n->tx_timer_active = 0;
+        n->tx_waiting = 0;
         virtio_net_flush_tx(n, vq);
     } else {
         qemu_mod_timer(n->tx_timer,
                        qemu_get_clock(vm_clock) + n->tx_timeout);
-        n->tx_timer_active = 1;
+        n->tx_waiting = 1;
         virtio_queue_set_notification(vq, 0);
     }
 }
@@ -721,7 +721,7 @@ static void virtio_net_tx_timer(void *opaque)
 {
     VirtIONet *n = opaque;
 
-    n->tx_timer_active = 0;
+    n->tx_waiting = 0;
 
     /* Just in case the driver is not ready on more */
     if (!(n->vdev.status & VIRTIO_CONFIG_S_DRIVER_OK))
@@ -744,7 +744,7 @@ static void virtio_net_save(QEMUFile *f, void *opaque)
     virtio_save(&n->vdev, f);
 
     qemu_put_buffer(f, n->mac, ETH_ALEN);
-    qemu_put_be32(f, n->tx_timer_active);
+    qemu_put_be32(f, n->tx_waiting);
     qemu_put_be32(f, n->mergeable_rx_bufs);
     qemu_put_be16(f, n->status);
     qemu_put_byte(f, n->promisc);
@@ -773,7 +773,7 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
     virtio_load(&n->vdev, f);
 
     qemu_get_buffer(f, n->mac, ETH_ALEN);
-    n->tx_timer_active = qemu_get_be32(f);
+    n->tx_waiting = qemu_get_be32(f);
     n->mergeable_rx_bufs = qemu_get_be32(f);
 
     if (version_id >= 3)
@@ -849,7 +849,7 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
     }
     n->mac_table.first_multi = i;
 
-    if (n->tx_timer_active) {
+    if (n->tx_waiting) {
         qemu_mod_timer(n->tx_timer,
                        qemu_get_clock(vm_clock) + n->tx_timeout);
     }
@@ -940,7 +940,7 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
     qemu_format_nic_info_str(&n->nic->nc, conf->macaddr.a);
 
     n->tx_timer = qemu_new_timer(vm_clock, virtio_net_tx_timer, n);
-    n->tx_timer_active = 0;
+    n->tx_waiting = 0;
     n->tx_timeout = net->txtimer;
     n->tx_burst = net->txburst;
     n->mergeable_rx_bufs = 0;
commit e3f30488e5f802547b3a60e40cebaef3b4ec16a3
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Thu Sep 2 09:00:57 2010 -0600

    virtio-net: Limit number of packets sent per TX flush
    
    If virtio_net_flush_tx() is called with notification disabled, we can
    race with the guest, processing packets at the same rate as they
    get produced.  The trouble is that this means we have no guaranteed
    exit condition from the function and can spend minutes in there.
    Currently flush_tx is only called with notification on, which seems
    to limit us to one pass through the queue per call.  An upcoming
    patch changes this.
    
    Also add an option to set this value on the command line as different
    workloads may wish to use different values.  We can't necessarily
    support any random value, so this is a developer option: x-txburst=
    Usage:
    
    -device virtio-net-pci,x-txburst=64 # 64 packets per tx flush
    
    One pass through the queue (256) seems to be a good default value
    for this, balancing latency with throughput.  We use a signed int
    for x-txburst because 2^31 packets in a burst would take many, many
    minutes to process and it allows us to easily return a negative
    value value from virtio_net_flush_tx() to indicate a back-off
    or error condition.
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/s390-virtio-bus.c b/hw/s390-virtio-bus.c
index d5cb24e..092e65f 100644
--- a/hw/s390-virtio-bus.c
+++ b/hw/s390-virtio-bus.c
@@ -330,6 +330,8 @@ static VirtIOS390DeviceInfo s390_virtio_net = {
         DEFINE_NIC_PROPERTIES(VirtIOS390Device, nic),
         DEFINE_PROP_UINT32("x-txtimer", VirtIOS390Device,
                            net.txtimer, TX_TIMER_INTERVAL),
+        DEFINE_PROP_INT32("x-txburst", VirtIOS390Device,
+                          net.txburst, TX_BURST),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
diff --git a/hw/syborg_virtio.c b/hw/syborg_virtio.c
index 5665189..3c3f3b0 100644
--- a/hw/syborg_virtio.c
+++ b/hw/syborg_virtio.c
@@ -298,6 +298,8 @@ static SysBusDeviceInfo syborg_virtio_net_info = {
         DEFINE_VIRTIO_NET_FEATURES(SyborgVirtIOProxy, host_features),
         DEFINE_PROP_UINT32("x-txtimer", SyborgVirtIOProxy,
                            net.txtimer, TX_TIMER_INTERVAL),
+        DEFINE_PROP_INT32("x-txburst", SyborgVirtIOProxy,
+                          net.txburst, TX_BURST),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index d5b03ab..55f3d94 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -37,6 +37,7 @@ typedef struct VirtIONet
     NICState *nic;
     QEMUTimer *tx_timer;
     uint32_t tx_timeout;
+    int32_t tx_burst;
     int tx_timer_active;
     uint32_t has_vnet_hdr;
     uint8_t has_ufo;
@@ -620,7 +621,7 @@ static ssize_t virtio_net_receive(VLANClientState *nc, const uint8_t *buf, size_
     return size;
 }
 
-static void virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq);
+static int32_t virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq);
 
 static void virtio_net_tx_complete(VLANClientState *nc, ssize_t len)
 {
@@ -636,16 +637,18 @@ static void virtio_net_tx_complete(VLANClientState *nc, ssize_t len)
 }
 
 /* TX */
-static void virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
+static int32_t virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
 {
     VirtQueueElement elem;
+    int32_t num_packets = 0;
 
-    if (!(n->vdev.status & VIRTIO_CONFIG_S_DRIVER_OK))
-        return;
+    if (!(n->vdev.status & VIRTIO_CONFIG_S_DRIVER_OK)) {
+        return num_packets;
+    }
 
     if (n->async_tx.elem.out_num) {
         virtio_queue_set_notification(n->tx_vq, 0);
-        return;
+        return num_packets;
     }
 
     while (virtqueue_pop(vq, &elem)) {
@@ -682,14 +685,19 @@ static void virtio_net_flush_tx(VirtIONet *n, VirtQueue *vq)
             virtio_queue_set_notification(n->tx_vq, 0);
             n->async_tx.elem = elem;
             n->async_tx.len  = len;
-            return;
+            return -EBUSY;
         }
 
         len += ret;
 
         virtqueue_push(vq, &elem, len);
         virtio_notify(&n->vdev, vq);
+
+        if (++num_packets >= n->tx_burst) {
+            break;
+        }
     }
+    return num_packets;
 }
 
 static void virtio_net_handle_tx(VirtIODevice *vdev, VirtQueue *vq)
@@ -934,6 +942,7 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
     n->tx_timer = qemu_new_timer(vm_clock, virtio_net_tx_timer, n);
     n->tx_timer_active = 0;
     n->tx_timeout = net->txtimer;
+    n->tx_burst = net->txburst;
     n->mergeable_rx_bufs = 0;
     n->promisc = 1; /* for compatibility */
 
diff --git a/hw/virtio-net.h b/hw/virtio-net.h
index 46a2e1c..a2d1545 100644
--- a/hw/virtio-net.h
+++ b/hw/virtio-net.h
@@ -49,9 +49,17 @@
 
 #define TX_TIMER_INTERVAL 150000 /* 150 us */
 
+/* Limit the number of packets that can be sent via a single flush
+ * of the TX queue.  This gives us a guaranteed exit condition and
+ * ensures fairness in the io path.  256 conveniently matches the
+ * length of the TX queue and shows a good balance of performance
+ * and latency. */
+#define TX_BURST 256
+
 typedef struct virtio_net_conf
 {
     uint32_t txtimer;
+    int32_t txburst;
 } virtio_net_conf;
 
 /* Maximum packet size we can receive from tap device: header + 64k */
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 1af48e2..3a5b3e6 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -693,6 +693,8 @@ static PCIDeviceInfo virtio_info[] = {
             DEFINE_NIC_PROPERTIES(VirtIOPCIProxy, nic),
             DEFINE_PROP_UINT32("x-txtimer", VirtIOPCIProxy,
                                net.txtimer, TX_TIMER_INTERVAL),
+            DEFINE_PROP_INT32("x-txburst", VirtIOPCIProxy,
+                              net.txburst, TX_BURST),
             DEFINE_PROP_END_OF_LIST(),
         },
         .qdev.reset = virtio_pci_reset,
commit f0c07c7c7b4fe4f9b63c88341fd32707def5a058
Author: Alex Williamson <alex.williamson at redhat.com>
Date:   Thu Sep 2 09:00:50 2010 -0600

    virtio-net: Make tx_timer timeout configurable
    
    Add an option to make the TX mitigation timer adjustable as a device
    option.  The 150us hard coded default used currently is reasonable,
    but may not be suitable for all workloads, this gives us a way to
    adjust it using a single binary.  We can't support any random option
    though, so use the "x-" prefix to indicate this is a developer
    option.  Usage:
    
    -device virtio-net-pci,x-txtimer=500000,... # .5ms timeout
    
    Signed-off-by: Alex Williamson <alex.williamson at redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/s390-virtio-bus.c b/hw/s390-virtio-bus.c
index fe6884d..d5cb24e 100644
--- a/hw/s390-virtio-bus.c
+++ b/hw/s390-virtio-bus.c
@@ -27,6 +27,7 @@
 #include "elf.h"
 #include "hw/virtio.h"
 #include "hw/virtio-serial.h"
+#include "hw/virtio-net.h"
 #include "hw/sysbus.h"
 #include "kvm.h"
 
@@ -110,7 +111,7 @@ static int s390_virtio_net_init(VirtIOS390Device *dev)
 {
     VirtIODevice *vdev;
 
-    vdev = virtio_net_init((DeviceState *)dev, &dev->nic);
+    vdev = virtio_net_init((DeviceState *)dev, &dev->nic, &dev->net);
     if (!vdev) {
         return -1;
     }
@@ -327,6 +328,8 @@ static VirtIOS390DeviceInfo s390_virtio_net = {
     .qdev.size = sizeof(VirtIOS390Device),
     .qdev.props = (Property[]) {
         DEFINE_NIC_PROPERTIES(VirtIOS390Device, nic),
+        DEFINE_PROP_UINT32("x-txtimer", VirtIOS390Device,
+                           net.txtimer, TX_TIMER_INTERVAL),
         DEFINE_PROP_END_OF_LIST(),
     },
 };
diff --git a/hw/s390-virtio-bus.h b/hw/s390-virtio-bus.h
index 333fea8..41558c9 100644
--- a/hw/s390-virtio-bus.h
+++ b/hw/s390-virtio-bus.h
@@ -43,6 +43,7 @@ typedef struct VirtIOS390Device {
     uint32_t host_features;
     /* Max. number of ports we can have for a the virtio-serial device */
     uint32_t max_virtserial_ports;
+    virtio_net_conf net;
 } VirtIOS390Device;
 
 typedef struct VirtIOS390Bus {
diff --git a/hw/syborg_virtio.c b/hw/syborg_virtio.c
index abf0370..5665189 100644
--- a/hw/syborg_virtio.c
+++ b/hw/syborg_virtio.c
@@ -68,6 +68,7 @@ typedef struct {
     uint32_t id;
     NICConf nic;
     uint32_t host_features;
+    virtio_net_conf net;
 } SyborgVirtIOProxy;
 
 static uint32_t syborg_virtio_readl(void *opaque, target_phys_addr_t offset)
@@ -284,7 +285,7 @@ static int syborg_virtio_net_init(SysBusDevice *dev)
     VirtIODevice *vdev;
     SyborgVirtIOProxy *proxy = FROM_SYSBUS(SyborgVirtIOProxy, dev);
 
-    vdev = virtio_net_init(&dev->qdev, &proxy->nic);
+    vdev = virtio_net_init(&dev->qdev, &proxy->nic, &proxy->net);
     return syborg_virtio_init(proxy, vdev);
 }
 
@@ -295,6 +296,8 @@ static SysBusDeviceInfo syborg_virtio_net_info = {
     .qdev.props = (Property[]) {
         DEFINE_NIC_PROPERTIES(SyborgVirtIOProxy, nic),
         DEFINE_VIRTIO_NET_FEATURES(SyborgVirtIOProxy, host_features),
+        DEFINE_PROP_UINT32("x-txtimer", SyborgVirtIOProxy,
+                           net.txtimer, TX_TIMER_INTERVAL),
         DEFINE_PROP_END_OF_LIST(),
     }
 };
diff --git a/hw/virtio-net.c b/hw/virtio-net.c
index 075f72d..d5b03ab 100644
--- a/hw/virtio-net.c
+++ b/hw/virtio-net.c
@@ -36,6 +36,7 @@ typedef struct VirtIONet
     VirtQueue *ctrl_vq;
     NICState *nic;
     QEMUTimer *tx_timer;
+    uint32_t tx_timeout;
     int tx_timer_active;
     uint32_t has_vnet_hdr;
     uint8_t has_ufo;
@@ -702,7 +703,7 @@ static void virtio_net_handle_tx(VirtIODevice *vdev, VirtQueue *vq)
         virtio_net_flush_tx(n, vq);
     } else {
         qemu_mod_timer(n->tx_timer,
-                       qemu_get_clock(vm_clock) + TX_TIMER_INTERVAL);
+                       qemu_get_clock(vm_clock) + n->tx_timeout);
         n->tx_timer_active = 1;
         virtio_queue_set_notification(vq, 0);
     }
@@ -842,7 +843,7 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
 
     if (n->tx_timer_active) {
         qemu_mod_timer(n->tx_timer,
-                       qemu_get_clock(vm_clock) + TX_TIMER_INTERVAL);
+                       qemu_get_clock(vm_clock) + n->tx_timeout);
     }
     return 0;
 }
@@ -903,7 +904,8 @@ static void virtio_net_vmstate_change(void *opaque, int running, int reason)
     virtio_net_set_status(&n->vdev, n->vdev.status & status);
 }
 
-VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf)
+VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
+                              virtio_net_conf *net)
 {
     VirtIONet *n;
 
@@ -931,6 +933,7 @@ VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf)
 
     n->tx_timer = qemu_new_timer(vm_clock, virtio_net_tx_timer, n);
     n->tx_timer_active = 0;
+    n->tx_timeout = net->txtimer;
     n->mergeable_rx_bufs = 0;
     n->promisc = 1; /* for compatibility */
 
diff --git a/hw/virtio-net.h b/hw/virtio-net.h
index 235f1a9..46a2e1c 100644
--- a/hw/virtio-net.h
+++ b/hw/virtio-net.h
@@ -49,6 +49,11 @@
 
 #define TX_TIMER_INTERVAL 150000 /* 150 us */
 
+typedef struct virtio_net_conf
+{
+    uint32_t txtimer;
+} virtio_net_conf;
+
 /* Maximum packet size we can receive from tap device: header + 64k */
 #define VIRTIO_NET_MAX_BUFSIZE (sizeof(struct virtio_net_hdr) + (64 << 10))
 
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 6e8f88a..1af48e2 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -107,6 +107,7 @@ typedef struct {
 #endif
     /* Max. number of ports we can have for a the virtio-serial device */
     uint32_t max_virtserial_ports;
+    virtio_net_conf net;
 } VirtIOPCIProxy;
 
 /* virtio device */
@@ -613,7 +614,7 @@ static int virtio_net_init_pci(PCIDevice *pci_dev)
     VirtIOPCIProxy *proxy = DO_UPCAST(VirtIOPCIProxy, pci_dev, pci_dev);
     VirtIODevice *vdev;
 
-    vdev = virtio_net_init(&pci_dev->qdev, &proxy->nic);
+    vdev = virtio_net_init(&pci_dev->qdev, &proxy->nic, &proxy->net);
 
     vdev->nvectors = proxy->nvectors;
     virtio_init_pci(proxy, vdev,
@@ -690,6 +691,8 @@ static PCIDeviceInfo virtio_info[] = {
             DEFINE_PROP_UINT32("vectors", VirtIOPCIProxy, nvectors, 3),
             DEFINE_VIRTIO_NET_FEATURES(VirtIOPCIProxy, host_features),
             DEFINE_NIC_PROPERTIES(VirtIOPCIProxy, nic),
+            DEFINE_PROP_UINT32("x-txtimer", VirtIOPCIProxy,
+                               net.txtimer, TX_TIMER_INTERVAL),
             DEFINE_PROP_END_OF_LIST(),
         },
         .qdev.reset = virtio_pci_reset,
diff --git a/hw/virtio.h b/hw/virtio.h
index 5836ab6..a60d735 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -185,7 +185,9 @@ void virtio_bind_device(VirtIODevice *vdev, const VirtIOBindings *binding,
 
 /* Base devices.  */
 VirtIODevice *virtio_blk_init(DeviceState *dev, BlockConf *conf);
-VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf);
+struct virtio_net_conf;
+VirtIODevice *virtio_net_init(DeviceState *dev, NICConf *conf,
+                              struct virtio_net_conf *net);
 VirtIODevice *virtio_serial_init(DeviceState *dev, uint32_t max_nr_ports);
 VirtIODevice *virtio_balloon_init(DeviceState *dev);
 #ifdef CONFIG_LINUX
commit ca736c8e748e3bf77abe401231a412b9cdccb9d3
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Fri Jul 16 11:43:43 2010 +0300

    vhost_net: mergeable buffers support
    
    use the new tap APIs to set header length
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/vhost_net.c b/hw/vhost_net.c
index 0c00de2..4a7b819 100644
--- a/hw/vhost_net.c
+++ b/hw/vhost_net.c
@@ -50,7 +50,9 @@ unsigned vhost_net_get_features(struct vhost_net *net, unsigned features)
     if (!(net->dev.features & (1 << VIRTIO_RING_F_INDIRECT_DESC))) {
         features &= ~(1 << VIRTIO_RING_F_INDIRECT_DESC);
     }
-    features &= ~(1 << VIRTIO_NET_F_MRG_RXBUF);
+    if (!(net->dev.features & (1 << VIRTIO_NET_F_MRG_RXBUF))) {
+        features &= ~(1 << VIRTIO_NET_F_MRG_RXBUF);
+    }
     return features;
 }
 
@@ -63,6 +65,9 @@ void vhost_net_ack_features(struct vhost_net *net, unsigned features)
     if (features & (1 << VIRTIO_RING_F_INDIRECT_DESC)) {
         net->dev.acked_features |= (1 << VIRTIO_RING_F_INDIRECT_DESC);
     }
+    if (features & (1 << VIRTIO_NET_F_MRG_RXBUF)) {
+        net->dev.acked_features |= (1 << VIRTIO_NET_F_MRG_RXBUF);
+    }
 }
 
 static int vhost_net_get_fd(VLANClientState *backend)
@@ -97,6 +102,10 @@ struct vhost_net *vhost_net_init(VLANClientState *backend, int devfd)
     if (r < 0) {
         goto fail;
     }
+    if (!tap_has_vnet_hdr_len(backend,
+                              sizeof(struct virtio_net_hdr_mrg_rxbuf))) {
+        net->dev.features &= ~(1 << VIRTIO_NET_F_MRG_RXBUF);
+    }
     if (~net->dev.features & net->dev.backend_features) {
         fprintf(stderr, "vhost lacks feature mask %" PRIu64 " for backend\n",
                 (uint64_t)(~net->dev.features & net->dev.backend_features));
@@ -117,6 +126,10 @@ int vhost_net_start(struct vhost_net *net,
 {
     struct vhost_vring_file file = { };
     int r;
+    if (net->dev.acked_features & (1 << VIRTIO_NET_F_MRG_RXBUF)) {
+        tap_set_vnet_hdr_len(net->vc,
+                             sizeof(struct virtio_net_hdr_mrg_rxbuf));
+    }
 
     net->dev.nvqs = 2;
     net->dev.vqs = net->vqs;
@@ -144,6 +157,9 @@ fail:
     }
     net->vc->info->poll(net->vc, true);
     vhost_dev_stop(&net->dev, dev);
+    if (net->dev.acked_features & (1 << VIRTIO_NET_F_MRG_RXBUF)) {
+        tap_set_vnet_hdr_len(net->vc, sizeof(struct virtio_net_hdr));
+    }
     return r;
 }
 
@@ -158,11 +174,17 @@ void vhost_net_stop(struct vhost_net *net,
     }
     net->vc->info->poll(net->vc, true);
     vhost_dev_stop(&net->dev, dev);
+    if (net->dev.acked_features & (1 << VIRTIO_NET_F_MRG_RXBUF)) {
+        tap_set_vnet_hdr_len(net->vc, sizeof(struct virtio_net_hdr));
+    }
 }
 
 void vhost_net_cleanup(struct vhost_net *net)
 {
     vhost_dev_cleanup(&net->dev);
+    if (net->dev.acked_features & (1 << VIRTIO_NET_F_MRG_RXBUF)) {
+        tap_set_vnet_hdr_len(net->vc, sizeof(struct virtio_net_hdr));
+    }
     qemu_free(net);
 }
 #else
commit 445d892f43e6a6031cd1aac292df433f821aa830
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Fri Jul 16 11:16:06 2010 +0300

    tap: add APIs for vnet header length
    
    Add APIs to control host header length. First user
    will be vhost-net.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net/tap-aix.c b/net/tap-aix.c
index 4bc9f2f..e19aaba 100644
--- a/net/tap-aix.c
+++ b/net/tap-aix.c
@@ -46,6 +46,15 @@ int tap_probe_has_ufo(int fd)
     return 0;
 }
 
+int tap_probe_vnet_hdr_len(int fd, int len)
+{
+    return 0;
+}
+
+void tap_fd_set_vnet_hdr_len(int fd, int len)
+{
+}
+
 void tap_fd_set_offload(int fd, int csum, int tso4,
                         int tso6, int ecn, int ufo)
 {
diff --git a/net/tap-bsd.c b/net/tap-bsd.c
index 3773d5d..3513075 100644
--- a/net/tap-bsd.c
+++ b/net/tap-bsd.c
@@ -116,6 +116,15 @@ int tap_probe_has_ufo(int fd)
     return 0;
 }
 
+int tap_probe_vnet_hdr_len(int fd, int len)
+{
+    return 0;
+}
+
+void tap_fd_set_vnet_hdr_len(int fd, int len)
+{
+}
+
 void tap_fd_set_offload(int fd, int csum, int tso4,
                         int tso6, int ecn, int ufo)
 {
diff --git a/net/tap-linux.c b/net/tap-linux.c
index c92983c..f7aa904 100644
--- a/net/tap-linux.c
+++ b/net/tap-linux.c
@@ -129,6 +129,35 @@ int tap_probe_has_ufo(int fd)
     return 1;
 }
 
+/* Verify that we can assign given length */
+int tap_probe_vnet_hdr_len(int fd, int len)
+{
+    int orig;
+    if (ioctl(fd, TUNGETVNETHDRSZ, &orig) == -1) {
+        return 0;
+    }
+    if (ioctl(fd, TUNSETVNETHDRSZ, &len) == -1) {
+        return 0;
+    }
+    /* Restore original length: we can't handle failure. */
+    if (ioctl(fd, TUNSETVNETHDRSZ, &orig) == -1) {
+        fprintf(stderr, "TUNGETVNETHDRSZ ioctl() failed: %s. Exiting.\n",
+                strerror(errno));
+        assert(0);
+        return -errno;
+    }
+    return 1;
+}
+
+void tap_fd_set_vnet_hdr_len(int fd, int len)
+{
+    if (ioctl(fd, TUNSETVNETHDRSZ, &len) == -1) {
+        fprintf(stderr, "TUNSETVNETHDRSZ ioctl() failed: %s. Exiting.\n",
+                strerror(errno));
+        assert(0);
+    }
+}
+
 void tap_fd_set_offload(int fd, int csum, int tso4,
                         int tso6, int ecn, int ufo)
 {
diff --git a/net/tap-linux.h b/net/tap-linux.h
index 727fcf5..659e981 100644
--- a/net/tap-linux.h
+++ b/net/tap-linux.h
@@ -27,6 +27,8 @@
 #define TUNSETOFFLOAD  _IOW('T', 208, unsigned int)
 #define TUNGETIFF      _IOR('T', 210, unsigned int)
 #define TUNSETSNDBUF   _IOW('T', 212, int)
+#define TUNGETVNETHDRSZ _IOR('T', 215, int)
+#define TUNSETVNETHDRSZ _IOW('T', 216, int)
 
 #endif
 
diff --git a/net/tap-solaris.c b/net/tap-solaris.c
index 4ac61d2..c216d28 100644
--- a/net/tap-solaris.c
+++ b/net/tap-solaris.c
@@ -212,6 +212,15 @@ int tap_probe_has_ufo(int fd)
     return 0;
 }
 
+int tap_probe_vnet_hdr_len(int fd, int len)
+{
+    return 0;
+}
+
+void tap_fd_set_vnet_hdr_len(int fd, int len)
+{
+}
+
 void tap_fd_set_offload(int fd, int csum, int tso4,
                         int tso6, int ecn, int ufo)
 {
diff --git a/net/tap-win32.c b/net/tap-win32.c
index 74348da..9fe4fcd 100644
--- a/net/tap-win32.c
+++ b/net/tap-win32.c
@@ -728,6 +728,15 @@ int tap_has_vnet_hdr(VLANClientState *vc)
     return 0;
 }
 
+int tap_probe_vnet_hdr_len(int fd, int len)
+{
+    return 0;
+}
+
+void tap_fd_set_vnet_hdr_len(int fd, int len)
+{
+}
+
 void tap_using_vnet_hdr(VLANClientState *vc, int using_vnet_hdr)
 {
 }
diff --git a/net/tap.c b/net/tap.c
index 2866ff4..4afb314 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -232,6 +232,27 @@ int tap_has_vnet_hdr(VLANClientState *nc)
     return !!s->host_vnet_hdr_len;
 }
 
+int tap_has_vnet_hdr_len(VLANClientState *nc, int len)
+{
+    TAPState *s = DO_UPCAST(TAPState, nc, nc);
+
+    assert(nc->info->type == NET_CLIENT_TYPE_TAP);
+
+    return tap_probe_vnet_hdr_len(s->fd, len);
+}
+
+void tap_set_vnet_hdr_len(VLANClientState *nc, int len)
+{
+    TAPState *s = DO_UPCAST(TAPState, nc, nc);
+
+    assert(nc->info->type == NET_CLIENT_TYPE_TAP);
+    assert(len == sizeof(struct virtio_net_hdr_mrg_rxbuf) ||
+           len == sizeof(struct virtio_net_hdr));
+
+    tap_fd_set_vnet_hdr_len(s->fd, len);
+    s->host_vnet_hdr_len = len;
+}
+
 void tap_using_vnet_hdr(VLANClientState *nc, int using_vnet_hdr)
 {
     TAPState *s = DO_UPCAST(TAPState, nc, nc);
diff --git a/net/tap.h b/net/tap.h
index b8cec83..e44bd2b 100644
--- a/net/tap.h
+++ b/net/tap.h
@@ -40,13 +40,17 @@ ssize_t tap_read_packet(int tapfd, uint8_t *buf, int maxlen);
 
 int tap_has_ufo(VLANClientState *vc);
 int tap_has_vnet_hdr(VLANClientState *vc);
+int tap_has_vnet_hdr_len(VLANClientState *vc, int len);
 void tap_using_vnet_hdr(VLANClientState *vc, int using_vnet_hdr);
 void tap_set_offload(VLANClientState *vc, int csum, int tso4, int tso6, int ecn, int ufo);
+void tap_set_vnet_hdr_len(VLANClientState *vc, int len);
 
 int tap_set_sndbuf(int fd, QemuOpts *opts);
 int tap_probe_vnet_hdr(int fd);
+int tap_probe_vnet_hdr_len(int fd, int len);
 int tap_probe_has_ufo(int fd);
 void tap_fd_set_offload(int fd, int csum, int tso4, int tso6, int ecn, int ufo);
+void tap_fd_set_vnet_hdr_len(int fd, int len);
 
 int tap_get_fd(VLANClientState *vc);
 
commit ef4252b149cf238480c45c06dcbd567d41ee7d76
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Tue Jul 13 17:55:31 2010 +0300

    tap: generalize code for different vnet header len
    
    Make host vnet header length a structure field in
    preparation for using this support in linux kernel.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/net/tap-linux.h b/net/tap-linux.h
index 9f94358..727fcf5 100644
--- a/net/tap-linux.h
+++ b/net/tap-linux.h
@@ -52,4 +52,10 @@ struct virtio_net_hdr
     uint16_t csum_offset;
 };
 
+struct virtio_net_hdr_mrg_rxbuf
+{
+    struct virtio_net_hdr hdr;
+    uint16_t num_buffers;   /* Number of merged rx buffers */
+};
+
 #endif /* QEMU_TAP_H */
diff --git a/net/tap.c b/net/tap.c
index 0147dab..2866ff4 100644
--- a/net/tap.c
+++ b/net/tap.c
@@ -57,10 +57,10 @@ typedef struct TAPState {
     uint8_t buf[TAP_BUFSIZE];
     unsigned int read_poll : 1;
     unsigned int write_poll : 1;
-    unsigned int has_vnet_hdr : 1;
     unsigned int using_vnet_hdr : 1;
     unsigned int has_ufo: 1;
     VHostNetState *vhost_net;
+    unsigned host_vnet_hdr_len;
 } TAPState;
 
 static int launch_script(const char *setup_script, const char *ifname, int fd);
@@ -121,11 +121,11 @@ static ssize_t tap_receive_iov(VLANClientState *nc, const struct iovec *iov,
     TAPState *s = DO_UPCAST(TAPState, nc, nc);
     const struct iovec *iovp = iov;
     struct iovec iov_copy[iovcnt + 1];
-    struct virtio_net_hdr hdr = { 0, };
+    struct virtio_net_hdr_mrg_rxbuf hdr = { };
 
-    if (s->has_vnet_hdr && !s->using_vnet_hdr) {
+    if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
         iov_copy[0].iov_base = &hdr;
-        iov_copy[0].iov_len =  sizeof(hdr);
+        iov_copy[0].iov_len =  s->host_vnet_hdr_len;
         memcpy(&iov_copy[1], iov, iovcnt * sizeof(*iov));
         iovp = iov_copy;
         iovcnt++;
@@ -139,11 +139,11 @@ static ssize_t tap_receive_raw(VLANClientState *nc, const uint8_t *buf, size_t s
     TAPState *s = DO_UPCAST(TAPState, nc, nc);
     struct iovec iov[2];
     int iovcnt = 0;
-    struct virtio_net_hdr hdr = { 0, };
+    struct virtio_net_hdr_mrg_rxbuf hdr = { };
 
-    if (s->has_vnet_hdr) {
+    if (s->host_vnet_hdr_len) {
         iov[iovcnt].iov_base = &hdr;
-        iov[iovcnt].iov_len  = sizeof(hdr);
+        iov[iovcnt].iov_len  = s->host_vnet_hdr_len;
         iovcnt++;
     }
 
@@ -159,7 +159,7 @@ static ssize_t tap_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
     TAPState *s = DO_UPCAST(TAPState, nc, nc);
     struct iovec iov[1];
 
-    if (s->has_vnet_hdr && !s->using_vnet_hdr) {
+    if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
         return tap_receive_raw(nc, buf, size);
     }
 
@@ -202,9 +202,9 @@ static void tap_send(void *opaque)
             break;
         }
 
-        if (s->has_vnet_hdr && !s->using_vnet_hdr) {
-            buf  += sizeof(struct virtio_net_hdr);
-            size -= sizeof(struct virtio_net_hdr);
+        if (s->host_vnet_hdr_len && !s->using_vnet_hdr) {
+            buf  += s->host_vnet_hdr_len;
+            size -= s->host_vnet_hdr_len;
         }
 
         size = qemu_send_packet_async(&s->nc, buf, size, tap_send_completed);
@@ -229,7 +229,7 @@ int tap_has_vnet_hdr(VLANClientState *nc)
 
     assert(nc->info->type == NET_CLIENT_TYPE_TAP);
 
-    return s->has_vnet_hdr;
+    return !!s->host_vnet_hdr_len;
 }
 
 void tap_using_vnet_hdr(VLANClientState *nc, int using_vnet_hdr)
@@ -239,7 +239,7 @@ void tap_using_vnet_hdr(VLANClientState *nc, int using_vnet_hdr)
     using_vnet_hdr = using_vnet_hdr != 0;
 
     assert(nc->info->type == NET_CLIENT_TYPE_TAP);
-    assert(s->has_vnet_hdr == using_vnet_hdr);
+    assert(!!s->host_vnet_hdr_len == using_vnet_hdr);
 
     s->using_vnet_hdr = using_vnet_hdr;
 }
@@ -310,7 +310,7 @@ static TAPState *net_tap_fd_init(VLANState *vlan,
     s = DO_UPCAST(TAPState, nc, nc);
 
     s->fd = fd;
-    s->has_vnet_hdr = vnet_hdr != 0;
+    s->host_vnet_hdr_len = vnet_hdr ? sizeof(struct virtio_net_hdr) : 0;
     s->using_vnet_hdr = 0;
     s->has_ufo = tap_probe_has_ufo(s->fd);
     tap_set_offload(&s->nc, 0, 0, 0, 0, 0);
commit 43c945f16a172f07145ca1f30abb958070228690
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Sep 6 16:46:19 2010 +0900

    pci: make pci_parse_devfn() aware of func.
    
    make pci_parse_devfn() aware of func. With func = NULL it behave as before.
    This will be used later.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index bb9ddea..f03b83e 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -424,15 +424,18 @@ static void pci_set_default_subsystem_id(PCIDevice *pci_dev)
 }
 
 /*
- * Parse [[<domain>:]<bus>:]<slot>, return -1 on error
+ * Parse [[<domain>:]<bus>:]<slot>, return -1 on error if funcp == NULL
+ *       [[<domain>:]<bus>:]<slot>.<func>, return -1 on error
  */
-static int pci_parse_devaddr(const char *addr, int *domp, int *busp, unsigned *slotp)
+int pci_parse_devaddr(const char *addr, int *domp, int *busp,
+                      unsigned int *slotp, unsigned int *funcp)
 {
     const char *p;
     char *e;
     unsigned long val;
     unsigned long dom = 0, bus = 0;
-    unsigned slot = 0;
+    unsigned int slot = 0;
+    unsigned int func = 0;
 
     p = addr;
     val = strtoul(p, &e, 16);
@@ -454,11 +457,24 @@ static int pci_parse_devaddr(const char *addr, int *domp, int *busp, unsigned *s
 	}
     }
 
-    if (dom > 0xffff || bus > 0xff || val > 0x1f)
-	return -1;
-
     slot = val;
 
+    if (funcp != NULL) {
+        if (*e != '.')
+            return -1;
+
+        p = e + 1;
+        val = strtoul(p, &e, 16);
+        if (e == p)
+            return -1;
+
+        func = val;
+    }
+
+    /* if funcp == NULL func is 0 */
+    if (dom > 0xffff || bus > 0xff || slot > 0x1f || func > 7)
+	return -1;
+
     if (*e)
 	return -1;
 
@@ -469,6 +485,8 @@ static int pci_parse_devaddr(const char *addr, int *domp, int *busp, unsigned *s
     *domp = dom;
     *busp = bus;
     *slotp = slot;
+    if (funcp != NULL)
+        *funcp = func;
     return 0;
 }
 
@@ -479,7 +497,7 @@ int pci_read_devaddr(Monitor *mon, const char *addr, int *domp, int *busp,
     if (!strncmp(addr, "pci_addr=", 9)) {
         addr += 9;
     }
-    if (pci_parse_devaddr(addr, domp, busp, slotp)) {
+    if (pci_parse_devaddr(addr, domp, busp, slotp, NULL)) {
         monitor_printf(mon, "Invalid pci address\n");
         return -1;
     }
@@ -496,7 +514,7 @@ PCIBus *pci_get_bus_devfn(int *devfnp, const char *devaddr)
         return pci_find_bus(pci_find_root_bus(0), 0);
     }
 
-    if (pci_parse_devaddr(devaddr, &dom, &bus, &slot) < 0) {
+    if (pci_parse_devaddr(devaddr, &dom, &bus, &slot, NULL) < 0) {
         return NULL;
     }
 
diff --git a/hw/pci.h b/hw/pci.h
index 2ddba59..2b4c318 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -227,6 +227,8 @@ PCIBus *pci_find_bus(PCIBus *bus, int bus_num);
 PCIDevice *pci_find_device(PCIBus *bus, int bus_num, int slot, int function);
 PCIBus *pci_get_bus_devfn(int *devfnp, const char *devaddr);
 
+int pci_parse_devaddr(const char *addr, int *domp, int *busp,
+                      unsigned int *slotp, unsigned int *funcp);
 int pci_read_devaddr(Monitor *mon, const char *addr, int *domp, int *busp,
                      unsigned *slotp);
 
commit ca77089d2d8e73283bfc73f03d954504561e1ce8
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Sep 6 16:46:16 2010 +0900

    pci: consolidate pci_add_capability_at_offset() into pci_add_capability().
    
    By making pci_add_capability() the special case of
    pci_add_capability_at_offset() of offset = 0,
    consolidate pci_add_capability_at_offset() into pci_add_capability().
    
    Cc: Stefan Weil <weil at mail.berlios.de>
    Cc: Michael S. Tsirkin <mst at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/eepro100.c b/hw/eepro100.c
index 2b75c8f..8cbc3aa 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -539,8 +539,8 @@ static void e100_pci_reset(EEPRO100State * s, E100PCIDeviceInfo *e100_device)
     if (e100_device->power_management) {
         /* Power Management Capabilities */
         int cfg_offset = 0xdc;
-        int r = pci_add_capability_at_offset(&s->dev, PCI_CAP_ID_PM,
-                                             cfg_offset, PCI_PM_SIZEOF);
+        int r = pci_add_capability(&s->dev, PCI_CAP_ID_PM,
+                                   cfg_offset, PCI_PM_SIZEOF);
         assert(r >= 0);
         pci_set_word(pci_conf + cfg_offset + PCI_PM_PMC, 0x7e21);
 #if 0 /* TODO: replace dummy code for power management emulation. */
diff --git a/hw/msix.c b/hw/msix.c
index d99403a..7ce63eb 100644
--- a/hw/msix.c
+++ b/hw/msix.c
@@ -73,7 +73,8 @@ static int msix_add_config(struct PCIDevice *pdev, unsigned short nentries,
     }
 
     pdev->msix_bar_size = new_size;
-    config_offset = pci_add_capability(pdev, PCI_CAP_ID_MSIX, MSIX_CAP_LENGTH);
+    config_offset = pci_add_capability(pdev, PCI_CAP_ID_MSIX,
+                                       0, MSIX_CAP_LENGTH);
     if (config_offset < 0)
         return config_offset;
     config = pdev->config + config_offset;
diff --git a/hw/pci.c b/hw/pci.c
index 2dc1577..754ffb3 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1682,11 +1682,25 @@ static void pci_del_option_rom(PCIDevice *pdev)
     pdev->rom_offset = 0;
 }
 
-/* Reserve space and add capability to the linked list in pci config space */
-int pci_add_capability_at_offset(PCIDevice *pdev, uint8_t cap_id,
-                                 uint8_t offset, uint8_t size)
+/*
+ * if !offset
+ * Reserve space and add capability to the linked list in pci config space
+ *
+ * if offset = 0,
+ * Find and reserve space and add capability to the linked list
+ * in pci config space */
+int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
+                       uint8_t offset, uint8_t size)
 {
-    uint8_t *config = pdev->config + offset;
+    uint8_t *config;
+    if (!offset) {
+        offset = pci_find_space(pdev, size);
+        if (!offset) {
+            return -ENOSPC;
+        }
+    }
+
+    config = pdev->config + offset;
     config[PCI_CAP_LIST_ID] = cap_id;
     config[PCI_CAP_LIST_NEXT] = pdev->config[PCI_CAPABILITY_LIST];
     pdev->config[PCI_CAPABILITY_LIST] = offset;
@@ -1699,17 +1713,6 @@ int pci_add_capability_at_offset(PCIDevice *pdev, uint8_t cap_id,
     return offset;
 }
 
-/* Find and reserve space and add capability to the linked list
- * in pci config space */
-int pci_add_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
-{
-    uint8_t offset = pci_find_space(pdev, size);
-    if (!offset) {
-        return -ENOSPC;
-    }
-    return pci_add_capability_at_offset(pdev, cap_id, offset, size);
-}
-
 /* Unlink capability from the pci config space. */
 void pci_del_capability(PCIDevice *pdev, uint8_t cap_id, uint8_t size)
 {
diff --git a/hw/pci.h b/hw/pci.h
index c551f96..2ddba59 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -183,9 +183,8 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
                             pcibus_t size, int type,
                             PCIMapIORegionFunc *map_func);
 
-int pci_add_capability(PCIDevice *pci_dev, uint8_t cap_id, uint8_t cap_size);
-int pci_add_capability_at_offset(PCIDevice *pci_dev, uint8_t cap_id,
-                                 uint8_t cap_offset, uint8_t cap_size);
+int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
+                       uint8_t offset, uint8_t size);
 
 void pci_del_capability(PCIDevice *pci_dev, uint8_t cap_id, uint8_t cap_size);
 
commit 5beb8ad503c88a76f2b8106c3b74b4ce485a60e1
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Sep 6 16:46:18 2010 +0900

    pci: call hotplug callback even when not hotplug case for later use.
    
    call hotplug callback even when not hotplug case for later use.
    And move hotplug check into hotplug callback.
    PCIE slot needs this for card presence detection.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index bfa1d9a..24dfcf2 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -611,6 +611,9 @@ static int piix4_device_hotplug(DeviceState *qdev, PCIDevice *dev, int state)
     PIIX4PMState *s = DO_UPCAST(PIIX4PMState, dev,
                                 DO_UPCAST(PCIDevice, qdev, qdev));
 
+    if (!dev->qdev.hotplugged)
+        return 0;
+
     s->pci0_status.up = 0;
     s->pci0_status.down = 0;
     if (state) {
diff --git a/hw/pci.c b/hw/pci.c
index 754ffb3..bb9ddea 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -1514,7 +1514,8 @@ static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
         pci_dev->romfile = qemu_strdup(info->romfile);
     pci_add_option_rom(pci_dev);
 
-    if (qdev->hotplugged) {
+    if (bus->hotplug) {
+        /* lower layer must check qdev->hotplugged */
         rc = bus->hotplug(bus->hotplug_qdev, pci_dev, 1);
         if (rc != 0) {
             int r = pci_unregister_device(&pci_dev->qdev);
commit f4c817e000e50e9a0db8f95ce6496628bd70733d
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Sep 6 16:46:17 2010 +0900

    pci bridge: add helper function for ssvid capability.
    
    helper function to add ssvid capability.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 198c3c7..638e3b3 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -32,6 +32,25 @@
 #include "pci_bridge.h"
 #include "pci_internals.h"
 
+/* PCI bridge subsystem vendor ID helper functions */
+#define PCI_SSVID_SIZEOF        8
+#define PCI_SSVID_SVID          4
+#define PCI_SSVID_SSID          6
+
+int pci_bridge_ssvid_init(PCIDevice *dev, uint8_t offset,
+                          uint16_t svid, uint16_t ssid)
+{
+    int pos;
+    pos = pci_add_capability(dev, PCI_CAP_ID_SSVID, offset, PCI_SSVID_SIZEOF);
+    if (pos < 0) {
+        return pos;
+    }
+
+    pci_set_word(dev->config + pos + PCI_SSVID_SVID, svid);
+    pci_set_word(dev->config + pos + PCI_SSVID_SSID, ssid);
+    return pos;
+}
+
 /* Accessor function to get parent bridge device from pci bus. */
 PCIDevice *pci_bridge_get_device(PCIBus *bus)
 {
diff --git a/hw/pci_bridge.h b/hw/pci_bridge.h
index 63ada19..f6fade0 100644
--- a/hw/pci_bridge.h
+++ b/hw/pci_bridge.h
@@ -28,6 +28,9 @@
 
 #include "pci.h"
 
+int pci_bridge_ssvid_init(PCIDevice *dev, uint8_t offset,
+                          uint16_t svid, uint16_t ssid);
+
 PCIDevice *pci_bridge_get_device(PCIBus *bus);
 PCIBus *pci_bridge_get_sec_bus(PCIBridge *br);
 
commit 68f799944b72387c0ef9535612a212a5ea492059
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Jul 13 13:01:42 2010 +0900

    pci_bridge: introduce pci bridge library.
    
    introduce pci bridge library.
    convert apb bridge and dec p2p bridge to use new pci bridge library.
    save/restore is supported as a side effect.
    This is also preparation for pci express root/upstream/downstream port.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index 88ee4a9..c619112 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -30,6 +30,7 @@
 #include "pci.h"
 #include "pci_host.h"
 #include "pci_bridge.h"
+#include "pci_internals.h"
 #include "rwhandler.h"
 #include "apb_pci.h"
 #include "sysemu.h"
@@ -294,9 +295,17 @@ static void pci_apb_set_irq(void *opaque, int irq_num, int level)
     }
 }
 
-static void apb_pci_bridge_init(PCIBus *b)
+static int apb_pci_bridge_initfn(PCIDevice *dev)
 {
-    PCIDevice *dev = pci_bridge_get_device(b);
+    int rc;
+
+    rc = pci_bridge_initfn(dev);
+    if (rc < 0) {
+        return rc;
+    }
+
+    pci_config_set_vendor_id(dev->config, PCI_VENDOR_ID_SUN);
+    pci_config_set_device_id(dev->config, PCI_DEVICE_ID_SUN_SIMBA);
 
     /*
      * command register:
@@ -313,6 +322,7 @@ static void apb_pci_bridge_init(PCIBus *b)
                  PCI_STATUS_FAST_BACK | PCI_STATUS_66MHZ |
                  PCI_STATUS_DEVSEL_MEDIUM);
     pci_set_byte(dev->config + PCI_REVISION_ID, 0x11);
+    return 0;
 }
 
 PCIBus *pci_apb_init(target_phys_addr_t special_base,
@@ -323,6 +333,8 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
     SysBusDevice *s;
     APBState *d;
     unsigned int i;
+    PCIDevice *pci_dev;
+    PCIBridge *br;
 
     /* Ultrasparc PBM main bus */
     dev = qdev_create(NULL, "pbm");
@@ -348,17 +360,21 @@ PCIBus *pci_apb_init(target_phys_addr_t special_base,
     pci_create_simple(d->bus, 0, "pbm");
 
     /* APB secondary busses */
-    *bus2 = pci_bridge_init(d->bus, PCI_DEVFN(1, 0), true,
-                            PCI_VENDOR_ID_SUN, PCI_DEVICE_ID_SUN_SIMBA,
-                            pci_apb_map_irq,
-                            "Advanced PCI Bus secondary bridge 1");
-    apb_pci_bridge_init(*bus2);
-
-    *bus3 = pci_bridge_init(d->bus, PCI_DEVFN(1, 1), true,
-                            PCI_VENDOR_ID_SUN, PCI_DEVICE_ID_SUN_SIMBA,
-                            pci_apb_map_irq,
-                            "Advanced PCI Bus secondary bridge 2");
-    apb_pci_bridge_init(*bus3);
+    pci_dev = pci_create_multifunction(d->bus, PCI_DEVFN(1, 0), true,
+                                   "pbm-bridge");
+    br = DO_UPCAST(PCIBridge, dev, pci_dev);
+    pci_bridge_map_irq(br, "Advanced PCI Bus secondary bridge 1",
+                       pci_apb_map_irq);
+    qdev_init_nofail(&pci_dev->qdev);
+    *bus2 = pci_bridge_get_sec_bus(br);
+
+    pci_dev = pci_create_multifunction(d->bus, PCI_DEVFN(1, 1), true,
+                                   "pbm-bridge");
+    br = DO_UPCAST(PCIBridge, dev, pci_dev);
+    pci_bridge_map_irq(br, "Advanced PCI Bus secondary bridge 2",
+                       pci_apb_map_irq);
+    qdev_init_nofail(&pci_dev->qdev);
+    *bus3 = pci_bridge_get_sec_bus(br);
 
     return d->bus;
 }
@@ -441,10 +457,23 @@ static SysBusDeviceInfo pbm_host_info = {
     .qdev.reset = pci_pbm_reset,
     .init = pci_pbm_init_device,
 };
+
+static PCIDeviceInfo pbm_pci_bridge_info = {
+    .qdev.name = "pbm-bridge",
+    .qdev.size = sizeof(PCIBridge),
+    .qdev.vmsd = &vmstate_pci_device,
+    .qdev.reset = pci_bridge_reset,
+    .init = apb_pci_bridge_initfn,
+    .exit = pci_bridge_exitfn,
+    .config_write = pci_bridge_write_config,
+    .is_bridge = 1,
+};
+
 static void pbm_register_devices(void)
 {
     sysbus_register_withprop(&pbm_host_info);
     pci_qdev_register(&pbm_pci_host_info);
+    pci_qdev_register(&pbm_pci_bridge_info);
 }
 
 device_init(pbm_register_devices)
diff --git a/hw/dec_pci.c b/hw/dec_pci.c
index f7a9cdc..aa07ab7 100644
--- a/hw/dec_pci.c
+++ b/hw/dec_pci.c
@@ -28,6 +28,7 @@
 #include "pci.h"
 #include "pci_host.h"
 #include "pci_bridge.h"
+#include "pci_internals.h"
 
 /* debug DEC */
 //#define DEBUG_DEC
@@ -49,18 +50,43 @@ static int dec_map_irq(PCIDevice *pci_dev, int irq_num)
     return irq_num;
 }
 
-PCIBus *pci_dec_21154_init(PCIBus *parent_bus, int devfn)
+static int dec_21154_initfn(PCIDevice *dev)
 {
-    DeviceState *dev;
-    PCIBus *ret;
+    int rc;
+
+    rc = pci_bridge_initfn(dev);
+    if (rc < 0) {
+        return rc;
+    }
+
+    pci_config_set_vendor_id(dev->config, PCI_VENDOR_ID_DEC);
+    pci_config_set_device_id(dev->config, PCI_DEVICE_ID_DEC_21154);
+    return 0;
+}
 
-    dev = qdev_create(NULL, "dec-21154");
-    qdev_init_nofail(dev);
-    ret = pci_bridge_init(parent_bus, devfn, false,
-                          PCI_VENDOR_ID_DEC, PCI_DEVICE_ID_DEC_21154,
-                          dec_map_irq, "DEC 21154 PCI-PCI bridge");
+static PCIDeviceInfo dec_21154_pci_bridge_info = {
+    .qdev.name = "dec-21154-p2p-bridge",
+    .qdev.desc = "DEC 21154 PCI-PCI bridge",
+    .qdev.size = sizeof(PCIBridge),
+    .qdev.vmsd = &vmstate_pci_device,
+    .qdev.reset = pci_bridge_reset,
+    .init = dec_21154_initfn,
+    .exit = pci_bridge_exitfn,
+    .config_write = pci_bridge_write_config,
+    .is_bridge = 1,
+};
+
+PCIBus *pci_dec_21154_init(PCIBus *parent_bus, int devfn)
+{
+    PCIDevice *dev;
+    PCIBridge *br;
 
-    return ret;
+    dev = pci_create_multifunction(parent_bus, devfn, false,
+                                   "dec-21154-p2p-bridge");
+    br = DO_UPCAST(PCIBridge, dev, dev);
+    pci_bridge_map_irq(br, "DEC 21154 PCI-PCI bridge", dec_map_irq);
+    qdev_init_nofail(&dev->qdev);
+    return pci_bridge_get_sec_bus(br);
 }
 
 static int pci_dec_21154_init_device(SysBusDevice *dev)
@@ -99,6 +125,7 @@ static void dec_register_devices(void)
     sysbus_register_dev("dec-21154", sizeof(DECState),
                         pci_dec_21154_init_device);
     pci_qdev_register(&dec_21154_pci_host_info);
+    pci_qdev_register(&dec_21154_pci_bridge_info);
 }
 
 device_init(dec_register_devices)
diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 2f13c7d..198c3c7 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -32,12 +32,19 @@
 #include "pci_bridge.h"
 #include "pci_internals.h"
 
+/* Accessor function to get parent bridge device from pci bus. */
 PCIDevice *pci_bridge_get_device(PCIBus *bus)
 {
     return bus->parent_dev;
 }
 
-static uint32_t pci_config_get_io_base(PCIDevice *d,
+/* Accessor function to get secondary bus from pci-to-pci bridge device */
+PCIBus *pci_bridge_get_sec_bus(PCIBridge *br)
+{
+    return &br->sec_bus;
+}
+
+static uint32_t pci_config_get_io_base(const PCIDevice *d,
                                        uint32_t base, uint32_t base_upper16)
 {
     uint32_t val;
@@ -49,13 +56,13 @@ static uint32_t pci_config_get_io_base(PCIDevice *d,
     return val;
 }
 
-static pcibus_t pci_config_get_memory_base(PCIDevice *d, uint32_t base)
+static pcibus_t pci_config_get_memory_base(const PCIDevice *d, uint32_t base)
 {
     return ((pcibus_t)pci_get_word(d->config + base) & PCI_MEMORY_RANGE_MASK)
         << 16;
 }
 
-static pcibus_t pci_config_get_pref_base(PCIDevice *d,
+static pcibus_t pci_config_get_pref_base(const PCIDevice *d,
                                          uint32_t base, uint32_t upper)
 {
     pcibus_t tmp;
@@ -69,7 +76,8 @@ static pcibus_t pci_config_get_pref_base(PCIDevice *d,
     return val;
 }
 
-pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type)
+/* accessor function to get bridge filtering base address */
+pcibus_t pci_bridge_get_base(const PCIDevice *bridge, uint8_t type)
 {
     pcibus_t base;
     if (type & PCI_BASE_ADDRESS_SPACE_IO) {
@@ -87,7 +95,8 @@ pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type)
     return base;
 }
 
-pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type)
+/* accessor funciton to get bridge filtering limit */
+pcibus_t pci_bridge_get_limit(const PCIDevice *bridge, uint8_t type)
 {
     pcibus_t limit;
     if (type & PCI_BASE_ADDRESS_SPACE_IO) {
@@ -106,7 +115,8 @@ pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type)
     return limit;
 }
 
-static void pci_bridge_write_config(PCIDevice *d,
+/* default write_config function for PCI-to-PCI bridge */
+void pci_bridge_write_config(PCIDevice *d,
                              uint32_t address, uint32_t val, int len)
 {
     pci_default_write_config(d, address, val, len);
@@ -122,12 +132,41 @@ static void pci_bridge_write_config(PCIDevice *d,
     }
 }
 
-static int pci_bridge_initfn(PCIDevice *dev)
+/* reset bridge specific configuration registers */
+void pci_bridge_reset_reg(PCIDevice *dev)
+{
+    uint8_t *conf = dev->config;
+
+    conf[PCI_PRIMARY_BUS] = 0;
+    conf[PCI_SECONDARY_BUS] = 0;
+    conf[PCI_SUBORDINATE_BUS] = 0;
+    conf[PCI_SEC_LATENCY_TIMER] = 0;
+
+    conf[PCI_IO_BASE] = 0;
+    conf[PCI_IO_LIMIT] = 0;
+    pci_set_word(conf + PCI_MEMORY_BASE, 0);
+    pci_set_word(conf + PCI_MEMORY_LIMIT, 0);
+    pci_set_word(conf + PCI_PREF_MEMORY_BASE, 0);
+    pci_set_word(conf + PCI_PREF_MEMORY_LIMIT, 0);
+    pci_set_word(conf + PCI_PREF_BASE_UPPER32, 0);
+    pci_set_word(conf + PCI_PREF_LIMIT_UPPER32, 0);
+
+    pci_set_word(conf + PCI_BRIDGE_CONTROL, 0);
+}
+
+/* default reset function for PCI-to-PCI bridge */
+void pci_bridge_reset(DeviceState *qdev)
 {
-    PCIBridge *s = DO_UPCAST(PCIBridge, dev, dev);
+    PCIDevice *dev = DO_UPCAST(PCIDevice, qdev, qdev);
+    pci_bridge_reset_reg(dev);
+}
 
-    pci_config_set_vendor_id(s->dev.config, s->vid);
-    pci_config_set_device_id(s->dev.config, s->did);
+/* default qdev initialization function for PCI-to-PCI bridge */
+int pci_bridge_initfn(PCIDevice *dev)
+{
+    PCIBus *parent = dev->bus;
+    PCIBridge *br = DO_UPCAST(PCIBridge, dev, dev);
+    PCIBus *sec_bus = &br->sec_bus;
 
     pci_set_word(dev->config + PCI_STATUS,
                  PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
@@ -137,58 +176,35 @@ static int pci_bridge_initfn(PCIDevice *dev)
         PCI_HEADER_TYPE_BRIDGE;
     pci_set_word(dev->config + PCI_SEC_STATUS,
                  PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
+
+    qbus_create_inplace(&sec_bus->qbus, &pci_bus_info, &dev->qdev,
+                        br->bus_name);
+    sec_bus->parent_dev = dev;
+    sec_bus->map_irq = br->map_irq;
+
+    QLIST_INIT(&sec_bus->child);
+    QLIST_INSERT_HEAD(&parent->child, sec_bus, sibling);
     return 0;
 }
 
-static int pci_bridge_exitfn(PCIDevice *pci_dev)
+/* default qdev clean up function for PCI-to-PCI bridge */
+int pci_bridge_exitfn(PCIDevice *pci_dev)
 {
     PCIBridge *s = DO_UPCAST(PCIBridge, dev, pci_dev);
     assert(QLIST_EMPTY(&s->sec_bus.child));
     QLIST_REMOVE(&s->sec_bus, sibling);
+    /* qbus_free() is called automatically by qdev_free() */
     return 0;
 }
 
-PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
-                        uint16_t vid, uint16_t did,
-                        pci_map_irq_fn map_irq, const char *name)
-{
-    PCIDevice *dev;
-    PCIBridge *s;
-    PCIBus *sec_bus;
-
-    dev = pci_create_multifunction(bus, devfn, multifunction, "pci-bridge");
-    qdev_prop_set_uint32(&dev->qdev, "vendorid", vid);
-    qdev_prop_set_uint32(&dev->qdev, "deviceid", did);
-    qdev_init_nofail(&dev->qdev);
-
-    s = DO_UPCAST(PCIBridge, dev, dev);
-    sec_bus = &s->sec_bus;
-    qbus_create_inplace(&sec_bus->qbus, &pci_bus_info, &dev->qdev, name);
-    sec_bus->parent_dev = dev;
-    sec_bus->map_irq = map_irq;
-
-    QLIST_INIT(&sec_bus->child);
-    QLIST_INSERT_HEAD(&bus->child, sec_bus, sibling);
-    return &s->sec_bus;
-}
-
-static PCIDeviceInfo bridge_info = {
-    .qdev.name    = "pci-bridge",
-    .qdev.size    = sizeof(PCIBridge),
-    .init         = pci_bridge_initfn,
-    .exit         = pci_bridge_exitfn,
-    .config_write = pci_bridge_write_config,
-    .is_bridge    = 1,
-    .qdev.props   = (Property[]) {
-        DEFINE_PROP_HEX32("vendorid", PCIBridge, vid, 0),
-        DEFINE_PROP_HEX32("deviceid", PCIBridge, did, 0),
-        DEFINE_PROP_END_OF_LIST(),
-    }
-};
-
-static void pci_register_devices(void)
+/*
+ * before qdev initialization(qdev_init()), this function sets bus_name and
+ * map_irq callback which are necessry for pci_bridge_initfn() to
+ * initialize bus.
+ */
+void pci_bridge_map_irq(PCIBridge *br, const char* bus_name,
+                        pci_map_irq_fn map_irq)
 {
-    pci_qdev_register(&bridge_info);
+    br->map_irq = map_irq;
+    br->bus_name = bus_name;
 }
-
-device_init(pci_register_devices)
diff --git a/hw/pci_bridge.h b/hw/pci_bridge.h
index ddb2c82..63ada19 100644
--- a/hw/pci_bridge.h
+++ b/hw/pci_bridge.h
@@ -29,13 +29,27 @@
 #include "pci.h"
 
 PCIDevice *pci_bridge_get_device(PCIBus *bus);
+PCIBus *pci_bridge_get_sec_bus(PCIBridge *br);
 
-pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type);
-pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type);
+pcibus_t pci_bridge_get_base(const PCIDevice *bridge, uint8_t type);
+pcibus_t pci_bridge_get_limit(const PCIDevice *bridge, uint8_t type);
 
-PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
-                        uint16_t vid, uint16_t did,
-                        pci_map_irq_fn map_irq, const char *name);
+void pci_bridge_write_config(PCIDevice *d,
+                             uint32_t address, uint32_t val, int len);
+void pci_bridge_reset_reg(PCIDevice *dev);
+void pci_bridge_reset(DeviceState *qdev);
+
+int pci_bridge_initfn(PCIDevice *pci_dev);
+int pci_bridge_exitfn(PCIDevice *pci_dev);
+
+
+/*
+ * before qdev initialization(qdev_init()), this function sets bus_name and
+ * map_irq callback which are necessry for pci_bridge_initfn() to
+ * initialize bus.
+ */
+void pci_bridge_map_irq(PCIBridge *br, const char* bus_name,
+                        pci_map_irq_fn map_irq);
 
 #endif  /* QEMU_PCI_BRIDGE_H */
 /*
diff --git a/hw/pci_internals.h b/hw/pci_internals.h
index fa844ab..e3c93a3 100644
--- a/hw/pci_internals.h
+++ b/hw/pci_internals.h
@@ -5,6 +5,11 @@
  * This header files is private to pci.c and pci_bridge.c
  * So following structures are opaque to others and shouldn't be
  * accessed.
+ *
+ * For pci-to-pci bridge needs to include this header file to embed
+ * PCIBridge in its structure or to get sizeof(PCIBridge),
+ * However, they shouldn't access those following members directly.
+ * Use accessor function in pci.h, pci_bridge.h
  */
 
 extern struct BusInfo pci_bus_info;
@@ -30,11 +35,13 @@ struct PCIBus {
     int *irq_count;
 };
 
-typedef struct {
+struct PCIBridge {
     PCIDevice dev;
+
+    /* private member */
     PCIBus sec_bus;
-    uint32_t vid;
-    uint32_t did;
-} PCIBridge;
+    pci_map_irq_fn map_irq;
+    const char *bus_name;
+};
 
 #endif /* QEMU_PCI_INTERNALS_H */
diff --git a/qemu-common.h b/qemu-common.h
index 3fb2f0b..d735235 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -219,6 +219,7 @@ typedef struct PCIHostState PCIHostState;
 typedef struct PCIExpressHost PCIExpressHost;
 typedef struct PCIBus PCIBus;
 typedef struct PCIDevice PCIDevice;
+typedef struct PCIBridge PCIBridge;
 typedef struct SerialState SerialState;
 typedef struct IRQState *qemu_irq;
 typedef struct PCMCIACardState PCMCIACardState;
commit 42a876582906b1765db1c97152c967bc15401f84
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Sep 7 13:46:15 2010 +0200

    PPC: Change PPC maintainer
    
    Since nobody else seems interested in maintaining PPC, let's change the
    maintainer to myself. I keep a staging tree anyways and am probably the
    person touching most of that code these days.
    
    This changes the maintainer entry for working ppc targets to myself.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/MAINTAINERS b/MAINTAINERS
index 1dca65e..e5165fb 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -14,7 +14,7 @@ x86                Fabrice Bellard
 ARM                Paul Brook
 SPARC              Blue Swirl
 MIPS               ?
-PowerPC            ?
+PowerPC            Alexander Graf
 M68K               Paul Brook
 SH4                ?
 CRIS               Edgar E. Iglesias
@@ -48,9 +48,9 @@ MIPS
   mips_mipssim.c          ?
 PowerPC
   ppc_prep.c              ?
-  ppc_oldworld.c          Fabrice Bellard
-  ppc_chrp.c              Fabrice Bellard
-  ppc405_boards.c         ?
+  ppc_oldworld.c          Alexander Graf
+  ppc_newworld.c          Alexander Graf
+  ppc405_boards.c         Alexander Graf
 M86K
   mcf5208.c               Paul Brook
   an5206.c                Paul Brook
commit cff69a4962b19ee99cb95382b6b94fbf2c281539
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 5 15:13:57 2010 +0300

    qemu-kvm.c: add braces where appropriate
    
    Adjust to comply with CODING_STYLE, at least where braces are concerned.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm.c b/qemu-kvm.c
index c9818de..36f3a2e 100644
--- a/qemu-kvm.c
+++ b/qemu-kvm.c
@@ -201,8 +201,9 @@ int kvm_init(int smp_cpus)
         kvm_context->max_gsi = gsi_bits;
 
         /* Mark any over-allocated bits as already in use */
-        for (i = gsi_count; i < gsi_bits; i++)
+        for (i = gsi_count; i < gsi_bits; i++) {
             set_gsi(kvm_context, i);
+        }
     }
 
     kvm_cpu_register_phys_memory_client();
@@ -296,8 +297,9 @@ static int kvm_set_boot_vcpu_id(kvm_context_t kvm, uint32_t id)
 {
 #ifdef KVM_CAP_SET_BOOT_CPU_ID
     int r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_BOOT_CPU_ID);
-    if (r > 0)
+    if (r > 0) {
         return kvm_vm_ioctl(kvm_state, KVM_SET_BOOT_CPU_ID, id);
+    }
     return -ENOSYS;
 #else
     return -ENOSYS;
@@ -352,8 +354,9 @@ void kvm_create_irqchip(kvm_context_t kvm)
 #if defined(KVM_CAP_IRQ_INJECT_STATUS) && defined(KVM_IRQ_LINE_STATUS)
                 r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
                               KVM_CAP_IRQ_INJECT_STATUS);
-                if (r > 0)
+                if (r > 0) {
                     kvm->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
+                }
 #endif
                 kvm->irqchip_in_kernel = 1;
             } else
@@ -369,17 +372,22 @@ int kvm_create(kvm_context_t kvm, unsigned long phys_mem_bytes, void **vm_mem)
     int r, i;
 
     r = kvm_create_vm(kvm);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
     r = kvm_arch_create(kvm, phys_mem_bytes, vm_mem);
-    if (r < 0)
+    if (r < 0) {
         return r;
-    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++)
+    }
+    for (i = 0; i < ARRAY_SIZE(kvm_state->slots); i++) {
         kvm_state->slots[i].slot = i;
+    }
 
     r = kvm_create_default_phys_mem(kvm, phys_mem_bytes, vm_mem);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
+
     kvm_create_irqchip(kvm);
 
     return 0;
@@ -392,13 +400,15 @@ int kvm_set_irq_level(kvm_context_t kvm, int irq, int level, int *status)
     struct kvm_irq_level event;
     int r;
 
-    if (!kvm->irqchip_in_kernel)
+    if (!kvm->irqchip_in_kernel) {
         return 0;
+    }
     event.level = level;
     event.irq = irq;
     r = kvm_vm_ioctl(kvm_state, kvm->irqchip_inject_ioctl, &event);
-    if (r < 0)
+    if (r < 0) {
         perror("kvm_set_irq_level");
+    }
 
     if (status) {
 #ifdef KVM_CAP_IRQ_INJECT_STATUS
@@ -416,8 +426,9 @@ int kvm_get_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 {
     int r;
 
-    if (!kvm->irqchip_in_kernel)
+    if (!kvm->irqchip_in_kernel) {
         return 0;
+    }
     r = kvm_vm_ioctl(kvm_state, KVM_GET_IRQCHIP, chip);
     if (r < 0) {
         perror("kvm_get_irqchip\n");
@@ -429,8 +440,9 @@ int kvm_set_irqchip(kvm_context_t kvm, struct kvm_irqchip *chip)
 {
     int r;
 
-    if (!kvm->irqchip_in_kernel)
+    if (!kvm->irqchip_in_kernel) {
         return 0;
+    }
     r = kvm_vm_ioctl(kvm_state, KVM_SET_IRQCHIP, chip);
     if (r < 0) {
         perror("kvm_set_irqchip\n");
@@ -487,8 +499,9 @@ int kvm_get_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
     int r;
 
     r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
-    if (r > 0)
+    if (r > 0) {
         return kvm_vcpu_ioctl(env, KVM_GET_MP_STATE, mp_state);
+    }
     return -ENOSYS;
 }
 
@@ -497,8 +510,9 @@ int kvm_set_mpstate(CPUState *env, struct kvm_mp_state *mp_state)
     int r;
 
     r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_MP_STATE);
-    if (r > 0)
+    if (r > 0) {
         return kvm_vcpu_ioctl(env, KVM_SET_MP_STATE, mp_state);
+    }
     return -ENOSYS;
 }
 #endif
@@ -534,8 +548,9 @@ static int handle_mmio(CPUState *env)
     void *data = kvm_run->mmio.data;
 
     /* hack: Red Hat 7.1 generates these weird accesses. */
-    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3)
+    if ((addr > 0xa0000 - 4 && addr <= 0xa0000) && kvm_run->mmio.len == 3) {
         return 0;
+    }
 
     cpu_physical_memory_rw(addr, data, kvm_run->mmio.len, kvm_run->mmio.is_write);
     return 0;
@@ -596,13 +611,15 @@ int kvm_run(CPUState *env)
     }
     push_nmi(kvm);
 #if !defined(__s390__)
-    if (!kvm->irqchip_in_kernel)
+    if (!kvm->irqchip_in_kernel) {
         run->request_interrupt_window = kvm_arch_try_push_interrupts(env);
+    }
 #endif
 
     r = pre_kvm_run(kvm, env);
-    if (r)
+    if (r) {
         return r;
+    }
     if (env->exit_request) {
         env->exit_request = 0;
         pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
@@ -684,9 +701,10 @@ int kvm_run(CPUState *env)
             break;
         }
     }
-  more:
-    if (!r)
+more:
+    if (!r) {
         goto again;
+    }
     return r;
 }
 
@@ -822,13 +840,15 @@ int kvm_add_routing_entry(kvm_context_t kvm,
 
     if (kvm->irq_routes->nr == kvm->nr_allocated_irq_routes) {
         n = kvm->nr_allocated_irq_routes * 2;
-        if (n < 64)
+        if (n < 64) {
             n = 64;
+        }
         size = sizeof(struct kvm_irq_routing);
         size += n * sizeof(*new);
         z = realloc(kvm->irq_routes, size);
-        if (!z)
+        if (!z) {
             return -ENOMEM;
+        }
         kvm->nr_allocated_irq_routes = n;
         kvm->irq_routes = z;
     }
@@ -910,8 +930,9 @@ int kvm_del_routing_entry(kvm_context_t kvm,
                     if (e->gsi == gsi)
                         break;
                 }
-                if (i == kvm->irq_routes->nr)
+                if (i == kvm->irq_routes->nr) {
                     clear_gsi(kvm, gsi);
+                }
 
                 return 0;
             }
@@ -1001,8 +1022,9 @@ int kvm_get_irq_route_gsi(kvm_context_t kvm)
     /* Return the lowest unused GSI in the bitmap */
     for (i = 0; i < kvm->max_gsi / 32; i++) {
         bit = ffs(~buf[i]);
-        if (!bit)
+        if (!bit) {
             continue;
+        }
 
         return bit - 1 + i * 32;
     }
@@ -1048,8 +1070,9 @@ int kvm_irqfd(kvm_context_t kvm, int gsi, int flags)
         return -ENOENT;
 
     fd = eventfd(0, 0);
-    if (fd < 0)
+    if (fd < 0) {
         return -errno;
+    }
 
     r = _kvm_irqfd(kvm, fd, gsi, 0);
     if (r < 0) {
@@ -1132,18 +1155,20 @@ static void sigbus_handler(int n, struct qemu_signalfd_siginfo *siginfo,
         kvm_inject_x86_mce(first_cpu, 9, status,
                            MCG_STATUS_MCIP | MCG_STATUS_RIPV, paddr,
                            (MCM_ADDR_PHYS << 6) | 0xc, 1);
-        for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu)
+        for (cenv = first_cpu->next_cpu; cenv != NULL; cenv = cenv->next_cpu) {
             kvm_inject_x86_mce(cenv, 1, MCI_STATUS_VAL | MCI_STATUS_UC,
                                MCG_STATUS_MCIP | MCG_STATUS_RIPV, 0, 0, 1);
+        }
     } else
 #endif
     {
-        if (siginfo->ssi_code == BUS_MCEERR_AO)
+        if (siginfo->ssi_code == BUS_MCEERR_AO) {
             return;
-        else if (siginfo->ssi_code == BUS_MCEERR_AR)
+        } else if (siginfo->ssi_code == BUS_MCEERR_AR) {
             hardware_memory_error();
-        else
+        } else {
             sigbus_reraise();
+        }
     }
 }
 
@@ -1158,17 +1183,19 @@ static void on_vcpu(CPUState *env, void (*func)(void *data), void *data)
 
     wi.func = func;
     wi.data = data;
-    if (!env->kvm_cpu_state.queued_work_first)
+    if (!env->kvm_cpu_state.queued_work_first) {
         env->kvm_cpu_state.queued_work_first = &wi;
-    else
+    } else {
         env->kvm_cpu_state.queued_work_last->next = &wi;
+    }
     env->kvm_cpu_state.queued_work_last = &wi;
     wi.next = NULL;
     wi.done = false;
 
     pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
-    while (!wi.done)
+    while (!wi.done) {
         qemu_cond_wait(&qemu_work_cond);
+    }
 }
 
 static void do_kvm_cpu_synchronize_state(void *_env)
@@ -1183,8 +1210,9 @@ static void do_kvm_cpu_synchronize_state(void *_env)
 
 void kvm_cpu_synchronize_state(CPUState *env)
 {
-    if (!env->kvm_vcpu_dirty)
+    if (!env->kvm_vcpu_dirty) {
         on_vcpu(env, do_kvm_cpu_synchronize_state, env);
+    }
 }
 
 void kvm_cpu_synchronize_post_reset(CPUState *env)
@@ -1214,19 +1242,22 @@ void kvm_update_interrupt_request(CPUState *env)
     int signal = 0;
 
     if (env) {
-        if (!current_env || !current_env->created)
+        if (!current_env || !current_env->created) {
             signal = 1;
+        }
         /*
          * Testing for created here is really redundant
          */
         if (current_env && current_env->created &&
-            env != current_env && !env->kvm_cpu_state.signalled)
+            env != current_env && !env->kvm_cpu_state.signalled) {
             signal = 1;
+        }
 
         if (signal) {
             env->kvm_cpu_state.signalled = 1;
-            if (env->kvm_cpu_state.thread)
+            if (env->kvm_cpu_state.thread) {
                 pthread_kill(env->kvm_cpu_state.thread, SIG_IPI);
+            }
         }
     }
 }
@@ -1253,8 +1284,9 @@ static void flush_queued_work(CPUState *env)
 {
     struct qemu_work_item *wi;
 
-    if (!env->kvm_cpu_state.queued_work_first)
+    if (!env->kvm_cpu_state.queued_work_first) {
         return;
+    }
 
     while ((wi = env->kvm_cpu_state.queued_work_first)) {
         env->kvm_cpu_state.queued_work_first = wi->next;
@@ -1273,8 +1305,9 @@ static int kvm_mce_in_exception(CPUState *env)
     int r;
 
     r = kvm_get_msrs(env, &msr_mcg_status, 1);
-    if (r == -1 || r == 0)
+    if (r == -1 || r == 0) {
         return -1;
+    }
     return !!(msr_mcg_status.data & MCG_STATUS_MCIP);
 }
 
@@ -1303,10 +1336,11 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
              * this SRAO MCE
              */
             r = kvm_mce_in_exception(env);
-            if (r == -1)
+            if (r == -1) {
                 fprintf(stderr, "Failed to get MCE status\n");
-            else if (r)
+            } else if (r) {
                 return;
+            }
             /* Fake an Intel architectural Memory scrubbing UCR */
             mce.status = MCI_STATUS_VAL | MCI_STATUS_UC | MCI_STATUS_EN
                 | MCI_STATUS_MISCV | MCI_STATUS_ADDRV | MCI_STATUS_S
@@ -1318,10 +1352,11 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
             fprintf(stderr, "Hardware memory error for memory used by "
                     "QEMU itself instaed of guest system!\n");
             /* Hope we are lucky for AO MCE */
-            if (siginfo->si_code == BUS_MCEERR_AO)
+            if (siginfo->si_code == BUS_MCEERR_AO) {
                 return;
-            else
+            } else {
                 hardware_memory_error();
+            }
         }
         mce.addr = paddr;
         r = kvm_set_mce(env, &mce);
@@ -1332,12 +1367,13 @@ static void kvm_on_sigbus(CPUState *env, siginfo_t *siginfo)
     } else
 #endif
     {
-        if (siginfo->si_code == BUS_MCEERR_AO)
+        if (siginfo->si_code == BUS_MCEERR_AO) {
             return;
-        else if (siginfo->si_code == BUS_MCEERR_AR)
+        } else if (siginfo->si_code == BUS_MCEERR_AR) {
             hardware_memory_error();
-        else
+        } else {
             sigbus_reraise();
+        }
     }
 }
 
@@ -1400,8 +1436,9 @@ static int all_threads_paused(void)
     CPUState *penv = first_cpu;
 
     while (penv) {
-        if (penv->stop)
+        if (penv->stop) {
             return 0;
+        }
         penv = (CPUState *) penv->next_cpu;
     }
 
@@ -1424,8 +1461,9 @@ static void pause_all_threads(void)
         penv = (CPUState *) penv->next_cpu;
     }
 
-    while (!all_threads_paused())
+    while (!all_threads_paused()) {
         qemu_cond_wait(&qemu_pause_cond);
+    }
 }
 
 static void resume_all_threads(void)
@@ -1444,10 +1482,11 @@ static void resume_all_threads(void)
 
 static void kvm_vm_state_change_handler(void *context, int running, int reason)
 {
-    if (running)
+    if (running) {
         resume_all_threads();
-    else
+    } else {
         pause_all_threads();
+    }
 }
 
 static void setup_kernel_sigmask(CPUState *env)
@@ -1532,8 +1571,9 @@ static void *ap_main_loop(void *_env)
     pthread_cond_signal(&qemu_vcpu_cond);
 
     /* and wait for machine initialization */
-    while (!qemu_system_ready)
+    while (!qemu_system_ready) {
         qemu_cond_wait(&qemu_system_cond);
+    }
 
     /* re-initialize cpu_single_env after re-acquiring qemu_mutex */
     cpu_single_env = env;
@@ -1546,8 +1586,9 @@ int kvm_init_vcpu(CPUState *env)
 {
     pthread_create(&env->kvm_cpu_state.thread, NULL, ap_main_loop, env);
 
-    while (env->created == 0)
+    while (env->created == 0) {
         qemu_cond_wait(&qemu_vcpu_cond);
+    }
 
     return 0;
 }
@@ -1599,8 +1640,9 @@ void qemu_kvm_notify_work(void)
     static uint64_t val = 1;
     ssize_t ret;
 
-    if (io_thread_fd == -1)
+    if (io_thread_fd == -1) {
         return;
+    }
 
     do {
         ret = write(io_thread_fd, &val, sizeof(val));
@@ -1631,8 +1673,9 @@ static void sigfd_handler(void *opaque)
             len = read(fd, &info, sizeof(info));
         } while (len == -1 && errno == EINTR);
 
-        if (len == -1 && errno == EAGAIN)
+        if (len == -1 && errno == EAGAIN) {
             break;
+        }
 
         if (len != sizeof(info)) {
             printf("read from sigfd returned %zd: %m\n", len);
@@ -1640,12 +1683,12 @@ static void sigfd_handler(void *opaque)
         }
 
         sigaction(info.ssi_signo, NULL, &action);
-        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction)
+        if ((action.sa_flags & SA_SIGINFO) && action.sa_sigaction) {
             action.sa_sigaction(info.ssi_signo,
                                 (siginfo_t *)&info, NULL);
-	else if (action.sa_handler)
+        } else if (action.sa_handler) {
             action.sa_handler(info.ssi_signo);
-
+        }
     }
 }
 
@@ -1712,8 +1755,9 @@ int kvm_main_loop(void)
             monitor_protocol_event(QEVENT_SHUTDOWN, NULL);
             if (qemu_no_shutdown()) {
                 vm_stop(0);
-            } else
+            } else {
                 break;
+            }
         } else if (qemu_powerdown_requested()) {
             monitor_protocol_event(QEVENT_POWERDOWN, NULL);
             qemu_irq_raise(qemu_system_powerdown);
@@ -1840,14 +1884,16 @@ static void kvm_mutex_lock(void)
 
 void qemu_mutex_unlock_iothread(void)
 {
-    if (kvm_enabled())
+    if (kvm_enabled()) {
         kvm_mutex_unlock();
+    }
 }
 
 void qemu_mutex_lock_iothread(void)
 {
-    if (kvm_enabled())
+    if (kvm_enabled()) {
         kvm_mutex_lock();
+    }
 }
 
 #ifdef CONFIG_KVM_DEVICE_ASSIGNMENT
@@ -1875,8 +1921,9 @@ void kvm_remove_ioperm_data(unsigned long start_port, unsigned long num)
 
 void kvm_ioperm(CPUState *env, void *data)
 {
-    if (kvm_enabled() && qemu_system_ready)
+    if (kvm_enabled() && qemu_system_ready) {
         on_vcpu(env, kvm_arch_do_ioperm, data);
+    }
 }
 
 #endif
@@ -1901,15 +1948,17 @@ static void kvm_do_inject_x86_mce(void *_data)
 
     /* If there is an MCE excpetion being processed, ignore this SRAO MCE */
     r = kvm_mce_in_exception(data->env);
-    if (r == -1)
+    if (r == -1) {
         fprintf(stderr, "Failed to get MCE status\n");
-    else if (r && !(data->mce->status & MCI_STATUS_AR))
+    } else if (r && !(data->mce->status & MCI_STATUS_AR)) {
         return;
+    }
     r = kvm_set_mce(data->env, data->mce);
     if (r < 0) {
         perror("kvm_set_mce FAILED");
-        if (data->abort_on_error)
+        if (data->abort_on_error) {
             abort();
+        }
     }
 }
 #endif
@@ -1938,8 +1987,9 @@ void kvm_inject_x86_mce(CPUState *cenv, int bank, uint64_t status,
     }
     on_vcpu(cenv, kvm_do_inject_x86_mce, &data);
 #else
-    if (abort_on_error)
+    if (abort_on_error) {
         abort();
+    }
 #endif
 }
 #endif
commit e11607909b9e6d9e279a451f1ec37ddd9a7c6db3
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 5 15:13:56 2010 +0300

    qemu-kvm-x86.c: add braces where appropriate
    
    Adjust to comply with CODING_STYLE, at least where braces are concerned.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index c5d44e0..46257d6 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -123,9 +123,9 @@ static int kvm_create_pit(kvm_context_t kvm)
         r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_PIT);
         if (r > 0) {
             r = kvm_vm_ioctl(kvm_state, KVM_CREATE_PIT);
-            if (r >= 0)
+            if (r >= 0) {
                 kvm_state->pit_in_kernel = 1;
-            else {
+            } else {
                 fprintf(stderr, "Create kernel PIC irqchip failed\n");
                 return r;
             }
@@ -141,20 +141,24 @@ int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
     int r = 0;
 
     r = kvm_init_tss(kvm);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
 
     r = kvm_init_identity_map_page(kvm);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
 
     r = kvm_create_pit(kvm);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
 
     r = kvm_init_coalesced_mmio(kvm);
-    if (r < 0)
+    if (r < 0) {
         return r;
+    }
 
     return 0;
 }
@@ -211,12 +215,14 @@ int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s)
 {
     int r = 0;
 
-    if (!kvm_irqchip_in_kernel())
+    if (!kvm_irqchip_in_kernel()) {
         return r;
+    }
 
     r = kvm_vcpu_ioctl(env, KVM_GET_LAPIC, s);
-    if (r < 0)
+    if (r < 0) {
         fprintf(stderr, "KVM_GET_LAPIC failed\n");
+    }
     return r;
 }
 
@@ -224,13 +230,15 @@ int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s)
 {
     int r = 0;
 
-    if (!kvm_irqchip_in_kernel())
+    if (!kvm_irqchip_in_kernel()) {
         return 0;
+    }
 
     r = kvm_vcpu_ioctl(env, KVM_SET_LAPIC, s);
 
-    if (r < 0)
+    if (r < 0) {
         fprintf(stderr, "KVM_SET_LAPIC failed\n");
+    }
     return r;
 }
 
@@ -240,30 +248,34 @@ int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s)
 
 int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 {
-    if (!kvm_pit_in_kernel())
+    if (!kvm_pit_in_kernel()) {
         return 0;
+    }
     return kvm_vm_ioctl(kvm_state, KVM_GET_PIT, s);
 }
 
 int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 {
-    if (!kvm_pit_in_kernel())
+    if (!kvm_pit_in_kernel()) {
         return 0;
+    }
     return kvm_vm_ioctl(kvm_state, KVM_SET_PIT, s);
 }
 
 #ifdef KVM_CAP_PIT_STATE2
 int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 {
-    if (!kvm_pit_in_kernel())
+    if (!kvm_pit_in_kernel()) {
         return 0;
+    }
     return kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, ps2);
 }
 
 int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 {
-    if (!kvm_pit_in_kernel())
+    if (!kvm_pit_in_kernel()) {
         return 0;
+    }
     return kvm_vm_ioctl(kvm_state, KVM_SET_PIT2, ps2);
 }
 
@@ -303,12 +315,14 @@ void kvm_show_code(CPUState *env)
     }
     rip = sregs.cs.base + regs.rip;
     back_offset = regs.rip;
-    if (back_offset > 20)
+    if (back_offset > 20) {
         back_offset = 20;
+    }
     *code_str = 0;
     for (n = -back_offset; n < SHOW_CODE_LEN-back_offset; ++n) {
-        if (n == 0)
+        if (n == 0) {
             strcat(code_str, " -->");
+        }
         cpu_physical_memory_rw(rip + n, &code, 1, 1);
         sprintf(code_str + strlen(code_str), " %02x", code);
     }
@@ -326,8 +340,9 @@ static struct kvm_msr_list *kvm_get_msr_list(void)
 
     sizer.nmsrs = 0;
     r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, &sizer);
-    if (r < 0 && r != -E2BIG)
+    if (r < 0 && r != -E2BIG) {
         return NULL;
+    }
     /* Old kernel modules had a bug and could write beyond the provided
        memory. Allocate at least a safe amount of 1K. */
     msrs = qemu_malloc(MAX(1024, sizeof(*msrs) +
@@ -536,8 +551,9 @@ static int kvm_enable_tpr_access_reporting(CPUState *env)
     struct kvm_tpr_access_ctl tac = { .enabled = 1 };
 
     r = kvm_ioctl(env->kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_VAPIC);
-    if (r <= 0)
+    if (r <= 0) {
         return -ENOSYS;
+    }
     return kvm_vcpu_ioctl(env, KVM_TPR_ACCESS_REPORTING, &tac);
 }
 #endif
@@ -581,22 +597,27 @@ int kvm_arch_qemu_create_context(void)
     uname(&utsname);
     lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0;
 
-    if (kvm_shadow_memory)
+    if (kvm_shadow_memory) {
         kvm_set_shadow_pages(kvm_context, kvm_shadow_memory);
+    }
 
     kvm_msr_list = kvm_get_msr_list();
-    if (!kvm_msr_list)
+    if (!kvm_msr_list) {
         return -1;
+    }
     for (i = 0; i < kvm_msr_list->nmsrs; ++i) {
-        if (kvm_msr_list->indices[i] == MSR_STAR)
+        if (kvm_msr_list->indices[i] == MSR_STAR) {
             kvm_has_msr_star = 1;
-        if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA)
+        }
+        if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA) {
             kvm_has_vm_hsave_pa = 1;
+        }
     }
 
 #ifdef KVM_CAP_ADJUST_CLOCK
-    if (kvm_check_extension(kvm_state, KVM_CAP_ADJUST_CLOCK))
+    if (kvm_check_extension(kvm_state, KVM_CAP_ADJUST_CLOCK)) {
         vmstate_register(NULL, 0, &vmstate_kvmclock, &kvmclock_data);
+    }
 #endif
 
     r = kvm_set_boot_cpu_id(0);
@@ -824,8 +845,9 @@ void kvm_arch_load_regs(CPUState *env, int level)
         swd = env->fpus & ~(7 << 11);
         swd |= (env->fpstt & 7) << 11;
         cwd = env->fpuc;
-        for (i = 0; i < 8; ++i)
+        for (i = 0; i < 8; ++i) {
             twd |= (!env->fptags[i]) << i;
+        }
         xsave->region[0] = (uint32_t)(swd << 16) + cwd;
         xsave->region[1] = (uint32_t)(fop << 16) + twd;
         memcpy(&xsave->region[XSAVE_ST_SPACE], env->fpregs,
@@ -853,8 +875,9 @@ void kvm_arch_load_regs(CPUState *env, int level)
         fpu.fsw = env->fpus & ~(7 << 11);
         fpu.fsw |= (env->fpstt & 7) << 11;
         fpu.fcw = env->fpuc;
-        for (i = 0; i < 8; ++i)
+        for (i = 0; i < 8; ++i) {
             fpu.ftwx |= (!env->fptags[i]) << i;
+        }
         memcpy(fpu.fpr, env->fpregs, sizeof env->fpregs);
         memcpy(fpu.xmm, env->xmm_regs, sizeof env->xmm_regs);
         fpu.mxcsr = env->mxcsr;
@@ -918,10 +941,12 @@ void kvm_arch_load_regs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_CS,  env->sysenter_cs);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
-    if (kvm_has_msr_star)
+    if (kvm_has_msr_star) {
         kvm_msr_entry_set(&msrs[n++], MSR_STAR,              env->star);
-    if (kvm_has_vm_hsave_pa)
+    }
+    if (kvm_has_vm_hsave_pa) {
         kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
+    }
 #ifdef TARGET_X86_64
     if (lm_capable_kernel) {
         kvm_msr_entry_set(&msrs[n++], MSR_CSTAR,             env->cstar);
@@ -945,28 +970,31 @@ void kvm_arch_load_regs(CPUState *env, int level)
     }
 #ifdef KVM_CAP_MCE
     if (env->mcg_cap) {
-        if (level == KVM_PUT_RESET_STATE)
+        if (level == KVM_PUT_RESET_STATE) {
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
-        else if (level == KVM_PUT_FULL_STATE) {
+        } else if (level == KVM_PUT_FULL_STATE) {
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_STATUS, env->mcg_status);
             kvm_msr_entry_set(&msrs[n++], MSR_MCG_CTL, env->mcg_ctl);
-            for (i = 0; i < (env->mcg_cap & 0xff); i++)
+            for (i = 0; i < (env->mcg_cap & 0xff); i++) {
                 kvm_msr_entry_set(&msrs[n++], MSR_MC0_CTL + i, env->mce_banks[i]);
+            }
         }
     }
 #endif
 
     rc = kvm_set_msrs(env, msrs, n);
-    if (rc == -1)
+    if (rc == -1) {
         perror("kvm_set_msrs FAILED");
+    }
 
     if (level >= KVM_PUT_RESET_STATE) {
         kvm_arch_load_mpstate(env);
         kvm_load_lapic(env);
     }
     if (level == KVM_PUT_FULL_STATE) {
-        if (env->kvm_vcpu_update_vapic)
+        if (env->kvm_vcpu_update_vapic) {
             kvm_tpr_enable_vapic(env);
+        }
     }
 
     kvm_put_vcpu_events(env, level);
@@ -1024,8 +1052,9 @@ void kvm_arch_save_regs(CPUState *env)
         env->fpstt = (swd >> 11) & 7;
         env->fpus = swd;
         env->fpuc = cwd;
-        for (i = 0; i < 8; ++i)
+        for (i = 0; i < 8; ++i) {
             env->fptags[i] = !((twd >> i) & 1);
+        }
         env->mxcsr = xsave->region[XSAVE_MXCSR];
         memcpy(env->fpregs, &xsave->region[XSAVE_ST_SPACE],
                 sizeof env->fpregs);
@@ -1038,8 +1067,9 @@ void kvm_arch_save_regs(CPUState *env)
             struct kvm_xcrs xcrs;
 
             kvm_get_xcrs(env, &xcrs);
-            if (xcrs.xcrs[0].xcr == 0)
+            if (xcrs.xcrs[0].xcr == 0) {
                 env->xcr0 = xcrs.xcrs[0].value;
+            }
         }
         qemu_free(xsave);
     } else {
@@ -1048,8 +1078,9 @@ void kvm_arch_save_regs(CPUState *env)
         env->fpstt = (fpu.fsw >> 11) & 7;
         env->fpus = fpu.fsw;
         env->fpuc = fpu.fcw;
-        for (i = 0; i < 8; ++i)
+        for (i = 0; i < 8; ++i) {
             env->fptags[i] = !((fpu.ftwx >> i) & 1);
+        }
         memcpy(env->fpregs, fpu.fpr, sizeof env->fpregs);
         memcpy(env->xmm_regs, fpu.xmm, sizeof env->xmm_regs);
         env->mxcsr = fpu.mxcsr;
@@ -1139,8 +1170,9 @@ void kvm_arch_save_regs(CPUState *env)
     msrs[n++].index = MSR_IA32_SYSENTER_CS;
     msrs[n++].index = MSR_IA32_SYSENTER_ESP;
     msrs[n++].index = MSR_IA32_SYSENTER_EIP;
-    if (kvm_has_msr_star)
+    if (kvm_has_msr_star) {
         msrs[n++].index = MSR_STAR;
+    }
     msrs[n++].index = MSR_IA32_TSC;
     if (kvm_has_vm_hsave_pa)
         msrs[n++].index = MSR_VM_HSAVE_PA;
@@ -1167,12 +1199,12 @@ void kvm_arch_save_regs(CPUState *env)
     rc = kvm_get_msrs(env, msrs, n);
     if (rc == -1) {
         perror("kvm_get_msrs FAILED");
-    }
-    else {
+    } else {
         n = rc; /* actual number of MSRs */
         for (i=0 ; i<n; i++) {
-            if (get_msr_entry(&msrs[i], env))
+            if (get_msr_entry(&msrs[i], env)) {
                 return;
+            }
         }
     }
     kvm_arch_save_mpstate(env);
@@ -1192,17 +1224,18 @@ static int _kvm_arch_init_vcpu(CPUState *env)
         uint64_t mcg_cap;
         int banks;
 
-        if (kvm_get_mce_cap_supported(kvm_context, &mcg_cap, &banks))
+        if (kvm_get_mce_cap_supported(kvm_context, &mcg_cap, &banks)) {
             perror("kvm_get_mce_cap_supported FAILED");
-        else {
+        } else {
             if (banks > MCE_BANKS_DEF)
                 banks = MCE_BANKS_DEF;
             mcg_cap &= MCE_CAP_DEF;
             mcg_cap |= banks;
-            if (kvm_setup_mce(env, &mcg_cap))
+            if (kvm_setup_mce(env, &mcg_cap)) {
                 perror("kvm_setup_mce FAILED");
-            else
+            } else {
                 env->mcg_cap = mcg_cap;
+            }
         }
     }
 #endif
@@ -1227,8 +1260,9 @@ int kvm_arch_halt(CPUState *env)
 
 int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 {
-    if (!kvm_irqchip_in_kernel())
+    if (!kvm_irqchip_in_kernel()) {
         kvm_set_cr8(env, cpu_get_apic_tpr(env->apic_state));
+    }
     return 0;
 }
 
@@ -1236,8 +1270,9 @@ int kvm_arch_has_work(CPUState *env)
 {
     if (((env->interrupt_request & CPU_INTERRUPT_HARD) &&
          (env->eflags & IF_MASK)) ||
-        (env->interrupt_request & CPU_INTERRUPT_NMI))
+        (env->interrupt_request & CPU_INTERRUPT_NMI)) {
         return 1;
+    }
     return 0;
 }
 
@@ -1253,8 +1288,9 @@ int kvm_arch_try_push_interrupts(void *opaque)
         irq = cpu_get_pic_interrupt(env);
         if (irq >= 0) {
             r = kvm_inject_irq(env, irq);
-            if (r < 0)
+            if (r < 0) {
                 printf("cpu %d fail inject %x\n", env->cpu_index, irq);
+            }
         }
     }
 
@@ -1267,13 +1303,15 @@ void kvm_arch_push_nmi(void *opaque)
     CPUState *env = cpu_single_env;
     int r;
 
-    if (likely(!(env->interrupt_request & CPU_INTERRUPT_NMI)))
+    if (likely(!(env->interrupt_request & CPU_INTERRUPT_NMI))) {
         return;
+    }
 
     env->interrupt_request &= ~CPU_INTERRUPT_NMI;
     r = kvm_inject_nmi(env);
-    if (r < 0)
+    if (r < 0) {
         printf("cpu %d fail inject NMI\n", env->cpu_index);
+    }
 }
 #endif /* KVM_CAP_USER_NMI */
 
@@ -1286,8 +1324,9 @@ static int kvm_reset_msrs(CPUState *env)
     int n;
     struct kvm_msr_entry *msrs = msr_data.entries;
 
-    if (!kvm_msr_list)
+    if (!kvm_msr_list) {
         return -1;
+    }
 
     for (n = 0; n < kvm_msr_list->nmsrs; n++) {
         kvm_msr_entry_set(&msrs[n], kvm_msr_list->indices[n], 0);
@@ -1324,16 +1363,19 @@ int kvm_arch_init_irq_routing(void)
     if (kvm_irqchip && kvm_has_gsi_routing(kvm_context)) {
         kvm_clear_gsi_routes(kvm_context);
         for (i = 0; i < 8; ++i) {
-            if (i == 2)
+            if (i == 2) {
                 continue;
+            }
             r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_PIC_MASTER, i);
-            if (r < 0)
+            if (r < 0) {
                 return r;
+            }
         }
         for (i = 8; i < 16; ++i) {
             r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_PIC_SLAVE, i - 8);
-            if (r < 0)
+            if (r < 0) {
                 return r;
+            }
         }
         for (i = 0; i < 24; ++i) {
             if (i == 0) {
@@ -1341,8 +1383,9 @@ int kvm_arch_init_irq_routing(void)
             } else if (i != 2) {
                 r = kvm_add_irq_route(kvm_context, i, KVM_IRQCHIP_IOAPIC, i);
             }
-            if (r < 0)
+            if (r < 0) {
                 return r;
+            }
         }
         kvm_commit_irq_routes(kvm_context);
     }
commit 93572fe6d62bcf733e139f41a3a8fa36232d4d08
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 5 15:13:55 2010 +0300

    qemu-kvm-x86.c: remove extraneous line continuation
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index f2c81f0..c5d44e0 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -659,7 +659,7 @@ static int get_msr_entry(struct kvm_msr_entry *entry, CPUState *env)
 #endif
     default:
 #ifdef KVM_CAP_MCE
-        if (entry->index >= MSR_MC0_CTL &&                              \
+        if (entry->index >= MSR_MC0_CTL &&
             entry->index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
             env->mce_banks[entry->index - MSR_MC0_CTL] = entry->data;
             break;
commit c7ba1ae2721c2059111cdebd0def6898423aea6e
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 5 15:13:54 2010 +0300

    qemu-kvm-x86.c: reindent
    
    Reindent qemu-kvm-x86.c according to CODING_STYLE.  The original used a mix
    of qemu and linux indentation styles.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index 4c32771..f2c81f0 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -24,7 +24,7 @@
 #include "kvm.h"
 #include "hw/apic.h"
 
-#define MSR_IA32_TSC		0x10
+#define MSR_IA32_TSC            0x10
 
 static struct kvm_msr_list *kvm_msr_list;
 extern unsigned int kvm_shadow_memory;
@@ -35,205 +35,203 @@ static int lm_capable_kernel;
 
 int kvm_set_tss_addr(kvm_context_t kvm, unsigned long addr)
 {
-	int r;
-        /*
-         * Tell fw_cfg to notify the BIOS to reserve the range.
-         */
-        if (e820_add_entry(addr, 0x4000, E820_RESERVED) < 0) {
-            perror("e820_add_entry() table is full");
-            exit(1);
-        }
+    int r;
+    /*
+     * Tell fw_cfg to notify the BIOS to reserve the range.
+     */
+    if (e820_add_entry(addr, 0x4000, E820_RESERVED) < 0) {
+        perror("e820_add_entry() table is full");
+        exit(1);
+    }
 
-	r = kvm_vm_ioctl(kvm_state, KVM_SET_TSS_ADDR, addr);
-	if (r < 0) {
-		fprintf(stderr, "kvm_set_tss_addr: %m\n");
-		return r;
-	}
-	return 0;
+    r = kvm_vm_ioctl(kvm_state, KVM_SET_TSS_ADDR, addr);
+    if (r < 0) {
+        fprintf(stderr, "kvm_set_tss_addr: %m\n");
+        return r;
+    }
+    return 0;
 }
 
 static int kvm_init_tss(kvm_context_t kvm)
 {
-	int r;
-
-	r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_TSS_ADDR);
-	if (r > 0) {
-		/*
-		 * this address is 3 pages before the bios, and the bios should present
-		 * as unavaible memory
-		 */
-		r = kvm_set_tss_addr(kvm, 0xfeffd000);
-		if (r < 0) {
-			fprintf(stderr, "kvm_init_tss: unable to set tss addr\n");
-			return r;
-		}
-	} else {
-		fprintf(stderr, "kvm does not support KVM_CAP_SET_TSS_ADDR\n");
-	}
-	return 0;
+    int r;
+
+    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_TSS_ADDR);
+    if (r > 0) {
+        /*
+         * this address is 3 pages before the bios, and the bios should present
+         * as unavaible memory
+         */
+        r = kvm_set_tss_addr(kvm, 0xfeffd000);
+        if (r < 0) {
+            fprintf(stderr, "kvm_init_tss: unable to set tss addr\n");
+            return r;
+        }
+    } else {
+        fprintf(stderr, "kvm does not support KVM_CAP_SET_TSS_ADDR\n");
+    }
+    return 0;
 }
 
 static int kvm_set_identity_map_addr(kvm_context_t kvm, uint64_t addr)
 {
 #ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
-	int r;
-
-	r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
-	if (r > 0) {
-		r = kvm_vm_ioctl(kvm_state, KVM_SET_IDENTITY_MAP_ADDR, &addr);
-		if (r == -1) {
-			fprintf(stderr, "kvm_set_identity_map_addr: %m\n");
-			return -errno;
-		}
-		return 0;
-	}
+    int r;
+
+    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
+    if (r > 0) {
+        r = kvm_vm_ioctl(kvm_state, KVM_SET_IDENTITY_MAP_ADDR, &addr);
+        if (r == -1) {
+            fprintf(stderr, "kvm_set_identity_map_addr: %m\n");
+            return -errno;
+        }
+        return 0;
+    }
 #endif
-	return -ENOSYS;
+    return -ENOSYS;
 }
 
 static int kvm_init_identity_map_page(kvm_context_t kvm)
 {
 #ifdef KVM_CAP_SET_IDENTITY_MAP_ADDR
-	int r;
-
-	r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
-	if (r > 0) {
-		/*
-		 * this address is 4 pages before the bios, and the bios should present
-		 * as unavaible memory
-		 */
-		r = kvm_set_identity_map_addr(kvm, 0xfeffc000);
-		if (r < 0) {
-			fprintf(stderr, "kvm_init_identity_map_page: "
-				"unable to set identity mapping addr\n");
-			return r;
-		}
-
-	}
+    int r;
+
+    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_SET_IDENTITY_MAP_ADDR);
+    if (r > 0) {
+        /*
+         * this address is 4 pages before the bios, and the bios should present
+         * as unavaible memory
+         */
+        r = kvm_set_identity_map_addr(kvm, 0xfeffc000);
+        if (r < 0) {
+            fprintf(stderr, "kvm_init_identity_map_page: "
+                    "unable to set identity mapping addr\n");
+            return r;
+        }
+    }
 #endif
-	return 0;
+    return 0;
 }
 
 static int kvm_create_pit(kvm_context_t kvm)
 {
 #ifdef KVM_CAP_PIT
-	int r;
-
-	kvm_state->pit_in_kernel = 0;
-	if (!kvm->no_pit_creation) {
-		r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_PIT);
-		if (r > 0) {
-			r = kvm_vm_ioctl(kvm_state, KVM_CREATE_PIT);
-			if (r >= 0)
-				kvm_state->pit_in_kernel = 1;
-			else {
-				fprintf(stderr, "Create kernel PIC irqchip failed\n");
-				return r;
-			}
-		}
-	}
+    int r;
+
+    kvm_state->pit_in_kernel = 0;
+    if (!kvm->no_pit_creation) {
+        r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION, KVM_CAP_PIT);
+        if (r > 0) {
+            r = kvm_vm_ioctl(kvm_state, KVM_CREATE_PIT);
+            if (r >= 0)
+                kvm_state->pit_in_kernel = 1;
+            else {
+                fprintf(stderr, "Create kernel PIC irqchip failed\n");
+                return r;
+            }
+        }
+    }
 #endif
-	return 0;
+    return 0;
 }
 
 int kvm_arch_create(kvm_context_t kvm, unsigned long phys_mem_bytes,
-			void **vm_mem)
+                        void **vm_mem)
 {
-	int r = 0;
+    int r = 0;
 
-	r = kvm_init_tss(kvm);
-	if (r < 0)
-		return r;
+    r = kvm_init_tss(kvm);
+    if (r < 0)
+        return r;
 
-	r = kvm_init_identity_map_page(kvm);
-	if (r < 0)
-		return r;
+    r = kvm_init_identity_map_page(kvm);
+    if (r < 0)
+        return r;
 
-	r = kvm_create_pit(kvm);
-	if (r < 0)
-		return r;
+    r = kvm_create_pit(kvm);
+    if (r < 0)
+        return r;
 
-	r = kvm_init_coalesced_mmio(kvm);
-	if (r < 0)
-		return r;
+    r = kvm_init_coalesced_mmio(kvm);
+    if (r < 0)
+        return r;
 
-	return 0;
+    return 0;
 }
 
 #ifdef KVM_EXIT_TPR_ACCESS
 
 static int kvm_handle_tpr_access(CPUState *env)
 {
-	struct kvm_run *run = env->kvm_run;
-	kvm_tpr_access_report(env,
-                         run->tpr_access.rip,
-                         run->tpr_access.is_write);
+    struct kvm_run *run = env->kvm_run;
+    kvm_tpr_access_report(env,
+                          run->tpr_access.rip,
+                          run->tpr_access.is_write);
     return 0;
 }
 
 
 int kvm_enable_vapic(CPUState *env, uint64_t vapic)
 {
-	struct kvm_vapic_addr va = {
-		.vapic_addr = vapic,
-	};
+    struct kvm_vapic_addr va = {
+        .vapic_addr = vapic,
+    };
 
-	return kvm_vcpu_ioctl(env, KVM_SET_VAPIC_ADDR, &va);
+    return kvm_vcpu_ioctl(env, KVM_SET_VAPIC_ADDR, &va);
 }
 
 #endif
 
 int kvm_arch_run(CPUState *env)
 {
-	int r = 0;
-	struct kvm_run *run = env->kvm_run;
-
+    int r = 0;
+    struct kvm_run *run = env->kvm_run;
 
-	switch (run->exit_reason) {
+    switch (run->exit_reason) {
 #ifdef KVM_EXIT_SET_TPR
-		case KVM_EXIT_SET_TPR:
-			break;
+    case KVM_EXIT_SET_TPR:
+        break;
 #endif
 #ifdef KVM_EXIT_TPR_ACCESS
-		case KVM_EXIT_TPR_ACCESS:
-			r = kvm_handle_tpr_access(env);
-			break;
+    case KVM_EXIT_TPR_ACCESS:
+        r = kvm_handle_tpr_access(env);
+        break;
 #endif
-		default:
-			r = 1;
-			break;
-	}
+    default:
+        r = 1;
+        break;
+    }
 
-	return r;
+    return r;
 }
 
 #ifdef KVM_CAP_IRQCHIP
 
 int kvm_get_lapic(CPUState *env, struct kvm_lapic_state *s)
 {
-	int r = 0;
+    int r = 0;
 
-	if (!kvm_irqchip_in_kernel())
-		return r;
+    if (!kvm_irqchip_in_kernel())
+        return r;
 
-	r = kvm_vcpu_ioctl(env, KVM_GET_LAPIC, s);
-	if (r < 0)
-		fprintf(stderr, "KVM_GET_LAPIC failed\n");
-	return r;
+    r = kvm_vcpu_ioctl(env, KVM_GET_LAPIC, s);
+    if (r < 0)
+        fprintf(stderr, "KVM_GET_LAPIC failed\n");
+    return r;
 }
 
 int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s)
 {
-	int r = 0;
+    int r = 0;
 
-	if (!kvm_irqchip_in_kernel())
-		return 0;
+    if (!kvm_irqchip_in_kernel())
+        return 0;
 
-	r = kvm_vcpu_ioctl(env, KVM_SET_LAPIC, s);
+    r = kvm_vcpu_ioctl(env, KVM_SET_LAPIC, s);
 
-	if (r < 0)
-		fprintf(stderr, "KVM_SET_LAPIC failed\n");
-	return r;
+    if (r < 0)
+        fprintf(stderr, "KVM_SET_LAPIC failed\n");
+    return r;
 }
 
 #endif
@@ -242,31 +240,31 @@ int kvm_set_lapic(CPUState *env, struct kvm_lapic_state *s)
 
 int kvm_get_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 {
-	if (!kvm_pit_in_kernel())
-		return 0;
-	return kvm_vm_ioctl(kvm_state, KVM_GET_PIT, s);
+    if (!kvm_pit_in_kernel())
+        return 0;
+    return kvm_vm_ioctl(kvm_state, KVM_GET_PIT, s);
 }
 
 int kvm_set_pit(kvm_context_t kvm, struct kvm_pit_state *s)
 {
-	if (!kvm_pit_in_kernel())
-		return 0;
-	return kvm_vm_ioctl(kvm_state, KVM_SET_PIT, s);
+    if (!kvm_pit_in_kernel())
+        return 0;
+    return kvm_vm_ioctl(kvm_state, KVM_SET_PIT, s);
 }
 
 #ifdef KVM_CAP_PIT_STATE2
 int kvm_get_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 {
-	if (!kvm_pit_in_kernel())
-		return 0;
-	return kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, ps2);
+    if (!kvm_pit_in_kernel())
+        return 0;
+    return kvm_vm_ioctl(kvm_state, KVM_GET_PIT2, ps2);
 }
 
 int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 {
-	if (!kvm_pit_in_kernel())
-		return 0;
-	return kvm_vm_ioctl(kvm_state, KVM_SET_PIT2, ps2);
+    if (!kvm_pit_in_kernel())
+        return 0;
+    return kvm_vm_ioctl(kvm_state, KVM_SET_PIT2, ps2);
 }
 
 #endif
@@ -274,47 +272,47 @@ int kvm_set_pit2(kvm_context_t kvm, struct kvm_pit_state2 *ps2)
 
 int kvm_has_pit_state2(kvm_context_t kvm)
 {
-	int r = 0;
+    int r = 0;
 
 #ifdef KVM_CAP_PIT_STATE2
-	r = kvm_check_extension(kvm_state, KVM_CAP_PIT_STATE2);
+    r = kvm_check_extension(kvm_state, KVM_CAP_PIT_STATE2);
 #endif
-	return r;
+    return r;
 }
 
 void kvm_show_code(CPUState *env)
 {
 #define SHOW_CODE_LEN 50
-	struct kvm_regs regs;
-	struct kvm_sregs sregs;
-	int r, n;
-	int back_offset;
-	unsigned char code;
-	char code_str[SHOW_CODE_LEN * 3 + 1];
-	unsigned long rip;
-
-	r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
-	if (r < 0 ) {
-		perror("KVM_GET_SREGS");
-		return;
-	}
-	r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
-	if (r < 0) {
-		perror("KVM_GET_REGS");
-		return;
-	}
-	rip = sregs.cs.base + regs.rip;
-	back_offset = regs.rip;
-	if (back_offset > 20)
-	    back_offset = 20;
-	*code_str = 0;
-	for (n = -back_offset; n < SHOW_CODE_LEN-back_offset; ++n) {
-		if (n == 0)
-			strcat(code_str, " -->");
-		cpu_physical_memory_rw(rip + n, &code, 1, 1);
-		sprintf(code_str + strlen(code_str), " %02x", code);
-	}
-	fprintf(stderr, "code:%s\n", code_str);
+    struct kvm_regs regs;
+    struct kvm_sregs sregs;
+    int r, n;
+    int back_offset;
+    unsigned char code;
+    char code_str[SHOW_CODE_LEN * 3 + 1];
+    unsigned long rip;
+
+    r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
+    if (r < 0 ) {
+        perror("KVM_GET_SREGS");
+        return;
+    }
+    r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
+    if (r < 0) {
+        perror("KVM_GET_REGS");
+        return;
+    }
+    rip = sregs.cs.base + regs.rip;
+    back_offset = regs.rip;
+    if (back_offset > 20)
+        back_offset = 20;
+    *code_str = 0;
+    for (n = -back_offset; n < SHOW_CODE_LEN-back_offset; ++n) {
+        if (n == 0)
+            strcat(code_str, " -->");
+        cpu_physical_memory_rw(rip + n, &code, 1, 1);
+        sprintf(code_str + strlen(code_str), " %02x", code);
+    }
+    fprintf(stderr, "code:%s\n", code_str);
 }
 
 
@@ -323,26 +321,26 @@ void kvm_show_code(CPUState *env)
  */
 static struct kvm_msr_list *kvm_get_msr_list(void)
 {
-	struct kvm_msr_list sizer, *msrs;
-	int r;
-
-	sizer.nmsrs = 0;
-	r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, &sizer);
-	if (r < 0 && r != -E2BIG)
-		return NULL;
-	/* Old kernel modules had a bug and could write beyond the provided
-	   memory. Allocate at least a safe amount of 1K. */
-	msrs = qemu_malloc(MAX(1024, sizeof(*msrs) +
-				       sizer.nmsrs * sizeof(*msrs->indices)));
-
-	msrs->nmsrs = sizer.nmsrs;
-	r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, msrs);
-	if (r < 0) {
-		free(msrs);
-		errno = r;
-		return NULL;
-	}
-	return msrs;
+    struct kvm_msr_list sizer, *msrs;
+    int r;
+
+    sizer.nmsrs = 0;
+    r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, &sizer);
+    if (r < 0 && r != -E2BIG)
+        return NULL;
+    /* Old kernel modules had a bug and could write beyond the provided
+       memory. Allocate at least a safe amount of 1K. */
+    msrs = qemu_malloc(MAX(1024, sizeof(*msrs) +
+                           sizer.nmsrs * sizeof(*msrs->indices)));
+
+    msrs->nmsrs = sizer.nmsrs;
+    r = kvm_ioctl(kvm_state, KVM_GET_MSR_INDEX_LIST, msrs);
+    if (r < 0) {
+        free(msrs);
+        errno = r;
+        return NULL;
+    }
+    return msrs;
 }
 
 int kvm_get_msrs(CPUState *env, struct kvm_msr_entry *msrs, int n)
@@ -405,130 +403,130 @@ int kvm_set_mce(CPUState *env, struct kvm_x86_mce *m)
 
 static void print_seg(FILE *file, const char *name, struct kvm_segment *seg)
 {
-	fprintf(stderr,
-		"%s %04x (%08llx/%08x p %d dpl %d db %d s %d type %x l %d"
-		" g %d avl %d)\n",
-		name, seg->selector, seg->base, seg->limit, seg->present,
-		seg->dpl, seg->db, seg->s, seg->type, seg->l, seg->g,
-		seg->avl);
+    fprintf(stderr,
+            "%s %04x (%08llx/%08x p %d dpl %d db %d s %d type %x l %d"
+            " g %d avl %d)\n",
+            name, seg->selector, seg->base, seg->limit, seg->present,
+            seg->dpl, seg->db, seg->s, seg->type, seg->l, seg->g,
+            seg->avl);
 }
 
 static void print_dt(FILE *file, const char *name, struct kvm_dtable *dt)
 {
-	fprintf(stderr, "%s %llx/%x\n", name, dt->base, dt->limit);
+    fprintf(stderr, "%s %llx/%x\n", name, dt->base, dt->limit);
 }
 
 void kvm_show_regs(CPUState *env)
 {
-	struct kvm_regs regs;
-	struct kvm_sregs sregs;
-	int r;
-
-	r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
-	if (r < 0) {
-		perror("KVM_GET_REGS");
-		return;
-	}
-	fprintf(stderr,
-		"rax %016llx rbx %016llx rcx %016llx rdx %016llx\n"
-		"rsi %016llx rdi %016llx rsp %016llx rbp %016llx\n"
-		"r8  %016llx r9  %016llx r10 %016llx r11 %016llx\n"
-		"r12 %016llx r13 %016llx r14 %016llx r15 %016llx\n"
-		"rip %016llx rflags %08llx\n",
-		regs.rax, regs.rbx, regs.rcx, regs.rdx,
-		regs.rsi, regs.rdi, regs.rsp, regs.rbp,
-		regs.r8,  regs.r9,  regs.r10, regs.r11,
-		regs.r12, regs.r13, regs.r14, regs.r15,
-		regs.rip, regs.rflags);
-	r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
-	if (r < 0) {
-		perror("KVM_GET_SREGS");
-		return;
-	}
-	print_seg(stderr, "cs", &sregs.cs);
-	print_seg(stderr, "ds", &sregs.ds);
-	print_seg(stderr, "es", &sregs.es);
-	print_seg(stderr, "ss", &sregs.ss);
-	print_seg(stderr, "fs", &sregs.fs);
-	print_seg(stderr, "gs", &sregs.gs);
-	print_seg(stderr, "tr", &sregs.tr);
-	print_seg(stderr, "ldt", &sregs.ldt);
-	print_dt(stderr, "gdt", &sregs.gdt);
-	print_dt(stderr, "idt", &sregs.idt);
-	fprintf(stderr, "cr0 %llx cr2 %llx cr3 %llx cr4 %llx cr8 %llx"
-		" efer %llx\n",
-		sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4, sregs.cr8,
-		sregs.efer);
+    struct kvm_regs regs;
+    struct kvm_sregs sregs;
+    int r;
+
+    r = kvm_vcpu_ioctl(env, KVM_GET_REGS, &regs);
+    if (r < 0) {
+        perror("KVM_GET_REGS");
+        return;
+    }
+    fprintf(stderr,
+            "rax %016llx rbx %016llx rcx %016llx rdx %016llx\n"
+            "rsi %016llx rdi %016llx rsp %016llx rbp %016llx\n"
+            "r8  %016llx r9  %016llx r10 %016llx r11 %016llx\n"
+            "r12 %016llx r13 %016llx r14 %016llx r15 %016llx\n"
+            "rip %016llx rflags %08llx\n",
+            regs.rax, regs.rbx, regs.rcx, regs.rdx,
+            regs.rsi, regs.rdi, regs.rsp, regs.rbp,
+            regs.r8,  regs.r9,  regs.r10, regs.r11,
+            regs.r12, regs.r13, regs.r14, regs.r15,
+            regs.rip, regs.rflags);
+    r = kvm_vcpu_ioctl(env, KVM_GET_SREGS, &sregs);
+    if (r < 0) {
+        perror("KVM_GET_SREGS");
+        return;
+    }
+    print_seg(stderr, "cs", &sregs.cs);
+    print_seg(stderr, "ds", &sregs.ds);
+    print_seg(stderr, "es", &sregs.es);
+    print_seg(stderr, "ss", &sregs.ss);
+    print_seg(stderr, "fs", &sregs.fs);
+    print_seg(stderr, "gs", &sregs.gs);
+    print_seg(stderr, "tr", &sregs.tr);
+    print_seg(stderr, "ldt", &sregs.ldt);
+    print_dt(stderr, "gdt", &sregs.gdt);
+    print_dt(stderr, "idt", &sregs.idt);
+    fprintf(stderr, "cr0 %llx cr2 %llx cr3 %llx cr4 %llx cr8 %llx"
+            " efer %llx\n",
+            sregs.cr0, sregs.cr2, sregs.cr3, sregs.cr4, sregs.cr8,
+            sregs.efer);
 }
 
 static void kvm_set_cr8(CPUState *env, uint64_t cr8)
 {
-	env->kvm_run->cr8 = cr8;
+    env->kvm_run->cr8 = cr8;
 }
 
 int kvm_setup_cpuid(CPUState *env, int nent,
-		    struct kvm_cpuid_entry *entries)
+                    struct kvm_cpuid_entry *entries)
 {
-	struct kvm_cpuid *cpuid;
-	int r;
+    struct kvm_cpuid *cpuid;
+    int r;
 
-	cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
+    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
 
-	cpuid->nent = nent;
-	memcpy(cpuid->entries, entries, nent * sizeof(*entries));
-	r = kvm_vcpu_ioctl(env, KVM_SET_CPUID, cpuid);
+    cpuid->nent = nent;
+    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
+    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID, cpuid);
 
-	free(cpuid);
-	return r;
+    free(cpuid);
+    return r;
 }
 
 int kvm_setup_cpuid2(CPUState *env, int nent,
-		     struct kvm_cpuid_entry2 *entries)
+                     struct kvm_cpuid_entry2 *entries)
 {
-	struct kvm_cpuid2 *cpuid;
-	int r;
+    struct kvm_cpuid2 *cpuid;
+    int r;
 
-	cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
+    cpuid = qemu_malloc(sizeof(*cpuid) + nent * sizeof(*entries));
 
-	cpuid->nent = nent;
-	memcpy(cpuid->entries, entries, nent * sizeof(*entries));
-	r = kvm_vcpu_ioctl(env, KVM_SET_CPUID2, cpuid);
-	free(cpuid);
-	return r;
+    cpuid->nent = nent;
+    memcpy(cpuid->entries, entries, nent * sizeof(*entries));
+    r = kvm_vcpu_ioctl(env, KVM_SET_CPUID2, cpuid);
+    free(cpuid);
+    return r;
 }
 
 int kvm_set_shadow_pages(kvm_context_t kvm, unsigned int nrshadow_pages)
 {
 #ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
-	int r;
-
-	r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
-		  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
-	if (r > 0) {
-		r = kvm_vm_ioctl(kvm_state, KVM_SET_NR_MMU_PAGES, nrshadow_pages);
-		if (r < 0) {
-			fprintf(stderr, "kvm_set_shadow_pages: %m\n");
-			return r;
-		}
-		return 0;
-	}
+    int r;
+
+    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
+                  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
+    if (r > 0) {
+        r = kvm_vm_ioctl(kvm_state, KVM_SET_NR_MMU_PAGES, nrshadow_pages);
+        if (r < 0) {
+            fprintf(stderr, "kvm_set_shadow_pages: %m\n");
+            return r;
+        }
+        return 0;
+    }
 #endif
-	return -1;
+    return -1;
 }
 
 int kvm_get_shadow_pages(kvm_context_t kvm, unsigned int *nrshadow_pages)
 {
 #ifdef KVM_CAP_MMU_SHADOW_CACHE_CONTROL
-	int r;
-
-	r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
-		  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
-	if (r > 0) {
-		*nrshadow_pages = kvm_vm_ioctl(kvm_state, KVM_GET_NR_MMU_PAGES);
-		return 0;
-	}
+    int r;
+
+    r = kvm_ioctl(kvm_state, KVM_CHECK_EXTENSION,
+                  KVM_CAP_MMU_SHADOW_CACHE_CONTROL);
+    if (r > 0) {
+        *nrshadow_pages = kvm_vm_ioctl(kvm_state, KVM_GET_NR_MMU_PAGES);
+        return 0;
+    }
 #endif
-	return -1;
+    return -1;
 }
 
 #ifdef KVM_CAP_VAPIC
@@ -588,10 +586,10 @@ int kvm_arch_qemu_create_context(void)
 
     kvm_msr_list = kvm_get_msr_list();
     if (!kvm_msr_list)
-		return -1;
+        return -1;
     for (i = 0; i < kvm_msr_list->nmsrs; ++i) {
-	if (kvm_msr_list->indices[i] == MSR_STAR)
-	    kvm_has_msr_star = 1;
+        if (kvm_msr_list->indices[i] == MSR_STAR)
+            kvm_has_msr_star = 1;
         if (kvm_msr_list->indices[i] == MSR_VM_HSAVE_PA)
             kvm_has_vm_hsave_pa = 1;
     }
@@ -612,65 +610,65 @@ int kvm_arch_qemu_create_context(void)
 /* returns 0 on success, non-0 on failure */
 static int get_msr_entry(struct kvm_msr_entry *entry, CPUState *env)
 {
-        switch (entry->index) {
-        case MSR_IA32_SYSENTER_CS:
-            env->sysenter_cs  = entry->data;
-            break;
-        case MSR_IA32_SYSENTER_ESP:
-            env->sysenter_esp = entry->data;
-            break;
-        case MSR_IA32_SYSENTER_EIP:
-            env->sysenter_eip = entry->data;
-            break;
-        case MSR_STAR:
-            env->star         = entry->data;
-            break;
+    switch (entry->index) {
+    case MSR_IA32_SYSENTER_CS:
+        env->sysenter_cs  = entry->data;
+        break;
+    case MSR_IA32_SYSENTER_ESP:
+        env->sysenter_esp = entry->data;
+        break;
+    case MSR_IA32_SYSENTER_EIP:
+        env->sysenter_eip = entry->data;
+        break;
+    case MSR_STAR:
+        env->star         = entry->data;
+        break;
 #ifdef TARGET_X86_64
-        case MSR_CSTAR:
-            env->cstar        = entry->data;
-            break;
-        case MSR_KERNELGSBASE:
-            env->kernelgsbase = entry->data;
-            break;
-        case MSR_FMASK:
-            env->fmask        = entry->data;
-            break;
-        case MSR_LSTAR:
-            env->lstar        = entry->data;
-            break;
+    case MSR_CSTAR:
+        env->cstar        = entry->data;
+        break;
+    case MSR_KERNELGSBASE:
+        env->kernelgsbase = entry->data;
+        break;
+    case MSR_FMASK:
+        env->fmask        = entry->data;
+        break;
+    case MSR_LSTAR:
+        env->lstar        = entry->data;
+        break;
 #endif
-        case MSR_IA32_TSC:
-            env->tsc          = entry->data;
-            break;
-        case MSR_VM_HSAVE_PA:
-            env->vm_hsave     = entry->data;
-            break;
-        case MSR_KVM_SYSTEM_TIME:
-            env->system_time_msr = entry->data;
-            break;
-        case MSR_KVM_WALL_CLOCK:
-            env->wall_clock_msr = entry->data;
-            break;
+    case MSR_IA32_TSC:
+        env->tsc          = entry->data;
+        break;
+    case MSR_VM_HSAVE_PA:
+        env->vm_hsave     = entry->data;
+        break;
+    case MSR_KVM_SYSTEM_TIME:
+        env->system_time_msr = entry->data;
+        break;
+    case MSR_KVM_WALL_CLOCK:
+        env->wall_clock_msr = entry->data;
+        break;
 #ifdef KVM_CAP_MCE
-        case MSR_MCG_STATUS:
-            env->mcg_status = entry->data;
-            break;
-        case MSR_MCG_CTL:
-            env->mcg_ctl = entry->data;
-            break;
+    case MSR_MCG_STATUS:
+        env->mcg_status = entry->data;
+        break;
+    case MSR_MCG_CTL:
+        env->mcg_ctl = entry->data;
+        break;
 #endif
-        default:
+    default:
 #ifdef KVM_CAP_MCE
-            if (entry->index >= MSR_MC0_CTL && \
-                entry->index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
-                env->mce_banks[entry->index - MSR_MC0_CTL] = entry->data;
-                break;
-            }
-#endif
-            printf("Warning unknown msr index 0x%x\n", entry->index);
-            return 1;
+        if (entry->index >= MSR_MC0_CTL &&                              \
+            entry->index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
+            env->mce_banks[entry->index - MSR_MC0_CTL] = entry->data;
+            break;
         }
-        return 0;
+#endif
+        printf("Warning unknown msr index 0x%x\n", entry->index);
+        return 1;
+    }
+    return 0;
 }
 
 static void kvm_arch_save_mpstate(CPUState *env)
@@ -762,14 +760,14 @@ static void get_seg(SegmentCache *lhs, const struct kvm_segment *rhs)
     lhs->base = rhs->base;
     lhs->limit = rhs->limit;
     lhs->flags =
-	(rhs->type << DESC_TYPE_SHIFT)
-	| (rhs->present * DESC_P_MASK)
-	| (rhs->dpl << DESC_DPL_SHIFT)
-	| (rhs->db << DESC_B_SHIFT)
-	| (rhs->s * DESC_S_MASK)
-	| (rhs->l << DESC_L_SHIFT)
-	| (rhs->g * DESC_G_MASK)
-	| (rhs->avl * DESC_AVL_MASK);
+        (rhs->type << DESC_TYPE_SHIFT)
+        | (rhs->present * DESC_P_MASK)
+        | (rhs->dpl << DESC_DPL_SHIFT)
+        | (rhs->db << DESC_B_SHIFT)
+        | (rhs->s * DESC_S_MASK)
+        | (rhs->l << DESC_L_SHIFT)
+        | (rhs->g * DESC_G_MASK)
+        | (rhs->avl * DESC_AVL_MASK);
 }
 
 #define XSAVE_CWD_RIP     2
@@ -831,13 +829,13 @@ void kvm_arch_load_regs(CPUState *env, int level)
         xsave->region[0] = (uint32_t)(swd << 16) + cwd;
         xsave->region[1] = (uint32_t)(fop << 16) + twd;
         memcpy(&xsave->region[XSAVE_ST_SPACE], env->fpregs,
-                sizeof env->fpregs);
+               sizeof env->fpregs);
         memcpy(&xsave->region[XSAVE_XMM_SPACE], env->xmm_regs,
-                sizeof env->xmm_regs);
+               sizeof env->xmm_regs);
         xsave->region[XSAVE_MXCSR] = env->mxcsr;
         *(uint64_t *)&xsave->region[XSAVE_XSTATE_BV] = env->xstate_bv;
         memcpy(&xsave->region[XSAVE_YMMH_SPACE], env->ymmh_regs,
-                sizeof env->ymmh_regs);
+               sizeof env->ymmh_regs);
         kvm_set_xsave(env, xsave);
         if (kvm_check_extension(kvm_state, KVM_CAP_XCRS)) {
             struct kvm_xcrs xcrs;
@@ -872,26 +870,26 @@ void kvm_arch_load_regs(CPUState *env, int level)
     }
 
     if ((env->eflags & VM_MASK)) {
-	    set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
-	    set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
-	    set_v8086_seg(&sregs.es, &env->segs[R_ES]);
-	    set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
-	    set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
-	    set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
+        set_v8086_seg(&sregs.cs, &env->segs[R_CS]);
+        set_v8086_seg(&sregs.ds, &env->segs[R_DS]);
+        set_v8086_seg(&sregs.es, &env->segs[R_ES]);
+        set_v8086_seg(&sregs.fs, &env->segs[R_FS]);
+        set_v8086_seg(&sregs.gs, &env->segs[R_GS]);
+        set_v8086_seg(&sregs.ss, &env->segs[R_SS]);
     } else {
-	    set_seg(&sregs.cs, &env->segs[R_CS]);
-	    set_seg(&sregs.ds, &env->segs[R_DS]);
-	    set_seg(&sregs.es, &env->segs[R_ES]);
-	    set_seg(&sregs.fs, &env->segs[R_FS]);
-	    set_seg(&sregs.gs, &env->segs[R_GS]);
-	    set_seg(&sregs.ss, &env->segs[R_SS]);
-
-	    if (env->cr[0] & CR0_PE_MASK) {
-		/* force ss cpl to cs cpl */
-		sregs.ss.selector = (sregs.ss.selector & ~3) |
-			(sregs.cs.selector & 3);
-		sregs.ss.dpl = sregs.ss.selector & 3;
-	    }
+        set_seg(&sregs.cs, &env->segs[R_CS]);
+        set_seg(&sregs.ds, &env->segs[R_DS]);
+        set_seg(&sregs.es, &env->segs[R_ES]);
+        set_seg(&sregs.fs, &env->segs[R_FS]);
+        set_seg(&sregs.gs, &env->segs[R_GS]);
+        set_seg(&sregs.ss, &env->segs[R_SS]);
+
+        if (env->cr[0] & CR0_PE_MASK) {
+            /* force ss cpl to cs cpl */
+            sregs.ss.selector = (sregs.ss.selector & ~3) |
+                (sregs.cs.selector & 3);
+            sregs.ss.dpl = sregs.ss.selector & 3;
+        }
     }
 
     set_seg(&sregs.tr, &env->tr);
@@ -921,7 +919,7 @@ void kvm_arch_load_regs(CPUState *env, int level)
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_ESP, env->sysenter_esp);
     kvm_msr_entry_set(&msrs[n++], MSR_IA32_SYSENTER_EIP, env->sysenter_eip);
     if (kvm_has_msr_star)
-	kvm_msr_entry_set(&msrs[n++], MSR_STAR,              env->star);
+        kvm_msr_entry_set(&msrs[n++], MSR_STAR,              env->star);
     if (kvm_has_vm_hsave_pa)
         kvm_msr_entry_set(&msrs[n++], MSR_VM_HSAVE_PA, env->vm_hsave);
 #ifdef TARGET_X86_64
@@ -1097,21 +1095,19 @@ void kvm_arch_save_regs(CPUState *env)
     env->efer = sregs.efer;
     //cpu_set_apic_tpr(env, sregs.cr8);
 
-#define HFLAG_COPY_MASK ~( \
-			HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK | \
-			HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK | \
-			HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK | \
-			HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
-
-
+#define HFLAG_COPY_MASK ~(                                              \
+        HF_CPL_MASK | HF_PE_MASK | HF_MP_MASK | HF_EM_MASK |            \
+        HF_TS_MASK | HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK |           \
+        HF_OSFXSR_MASK | HF_LMA_MASK | HF_CS32_MASK |                   \
+        HF_SS32_MASK | HF_CS64_MASK | HF_ADDSEG_MASK)
 
     hflags = (env->segs[R_CS].flags >> DESC_DPL_SHIFT) & HF_CPL_MASK;
     hflags |= (env->cr[0] & CR0_PE_MASK) << (HF_PE_SHIFT - CR0_PE_SHIFT);
     hflags |= (env->cr[0] << (HF_MP_SHIFT - CR0_MP_SHIFT)) &
-	    (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
+            (HF_MP_MASK | HF_EM_MASK | HF_TS_MASK);
     hflags |= (env->eflags & (HF_TF_MASK | HF_VM_MASK | HF_IOPL_MASK));
     hflags |= (env->cr[4] & CR4_OSFXSR_MASK) <<
-	    (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
+            (HF_OSFXSR_SHIFT - CR4_OSFXSR_SHIFT);
 
     if (env->efer & MSR_EFER_LMA) {
         hflags |= HF_LMA_MASK;
@@ -1121,19 +1117,19 @@ void kvm_arch_save_regs(CPUState *env)
         hflags |= HF_CS32_MASK | HF_SS32_MASK | HF_CS64_MASK;
     } else {
         hflags |= (env->segs[R_CS].flags & DESC_B_MASK) >>
-		(DESC_B_SHIFT - HF_CS32_SHIFT);
+                (DESC_B_SHIFT - HF_CS32_SHIFT);
         hflags |= (env->segs[R_SS].flags & DESC_B_MASK) >>
-		(DESC_B_SHIFT - HF_SS32_SHIFT);
+                (DESC_B_SHIFT - HF_SS32_SHIFT);
         if (!(env->cr[0] & CR0_PE_MASK) ||
-                   (env->eflags & VM_MASK) ||
-                   !(hflags & HF_CS32_MASK)) {
-                hflags |= HF_ADDSEG_MASK;
-            } else {
-                hflags |= ((env->segs[R_DS].base |
-                                env->segs[R_ES].base |
-                                env->segs[R_SS].base) != 0) <<
-                    HF_ADDSEG_SHIFT;
-            }
+            (env->eflags & VM_MASK) ||
+            !(hflags & HF_CS32_MASK)) {
+            hflags |= HF_ADDSEG_MASK;
+        } else {
+            hflags |= ((env->segs[R_DS].base |
+                        env->segs[R_ES].base |
+                        env->segs[R_SS].base) != 0) <<
+                HF_ADDSEG_SHIFT;
+        }
     }
     env->hflags = (env->hflags & HFLAG_COPY_MASK) | hflags;
 
@@ -1144,7 +1140,7 @@ void kvm_arch_save_regs(CPUState *env)
     msrs[n++].index = MSR_IA32_SYSENTER_ESP;
     msrs[n++].index = MSR_IA32_SYSENTER_EIP;
     if (kvm_has_msr_star)
-	msrs[n++].index = MSR_STAR;
+        msrs[n++].index = MSR_STAR;
     msrs[n++].index = MSR_IA32_TSC;
     if (kvm_has_vm_hsave_pa)
         msrs[n++].index = MSR_VM_HSAVE_PA;
@@ -1222,9 +1218,9 @@ int kvm_arch_halt(CPUState *env)
 {
 
     if (!((env->interrupt_request & CPU_INTERRUPT_HARD) &&
-	  (env->eflags & IF_MASK)) &&
-	!(env->interrupt_request & CPU_INTERRUPT_NMI)) {
-            env->halted = 1;
+          (env->eflags & IF_MASK)) &&
+        !(env->interrupt_request & CPU_INTERRUPT_NMI)) {
+        env->halted = 1;
     }
     return 1;
 }
@@ -1232,16 +1228,16 @@ int kvm_arch_halt(CPUState *env)
 int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 {
     if (!kvm_irqchip_in_kernel())
-	kvm_set_cr8(env, cpu_get_apic_tpr(env->apic_state));
+        kvm_set_cr8(env, cpu_get_apic_tpr(env->apic_state));
     return 0;
 }
 
 int kvm_arch_has_work(CPUState *env)
 {
     if (((env->interrupt_request & CPU_INTERRUPT_HARD) &&
-	 (env->eflags & IF_MASK)) ||
-	(env->interrupt_request & CPU_INTERRUPT_NMI))
-	return 1;
+         (env->eflags & IF_MASK)) ||
+        (env->interrupt_request & CPU_INTERRUPT_NMI))
+        return 1;
     return 0;
 }
 
@@ -1253,13 +1249,13 @@ int kvm_arch_try_push_interrupts(void *opaque)
     if (kvm_is_ready_for_interrupt_injection(env) &&
         (env->interrupt_request & CPU_INTERRUPT_HARD) &&
         (env->eflags & IF_MASK)) {
-            env->interrupt_request &= ~CPU_INTERRUPT_HARD;
-	    irq = cpu_get_pic_interrupt(env);
-	    if (irq >= 0) {
-		r = kvm_inject_irq(env, irq);
-		if (r < 0)
-		    printf("cpu %d fail inject %x\n", env->cpu_index, irq);
-	    }
+        env->interrupt_request &= ~CPU_INTERRUPT_HARD;
+        irq = cpu_get_pic_interrupt(env);
+        if (irq >= 0) {
+            r = kvm_inject_irq(env, irq);
+            if (r < 0)
+                printf("cpu %d fail inject %x\n", env->cpu_index, irq);
+        }
     }
 
     return (env->interrupt_request & CPU_INTERRUPT_HARD) != 0;
commit a05e8a6e90c82cec67d16fed24da0fd04ec00f32
Author: Michael S. Tsirkin <mst at redhat.com>
Date:   Thu Sep 2 17:47:43 2010 +0300

    qemu: e1000 fix TOR math
    
    Patch b0b900070c7cb29bbefb732ec00397abe5de6d73 made
    TOR valuer incorrect: the spec says it should always
    include the CRC field.
    No one seems to use this field, but better to stick to spec.
    
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/e1000.c b/hw/e1000.c
index 80b78bc..7d7d140 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -345,7 +345,7 @@ is_vlan_txd(uint32_t txd_lower)
 
 /* FCS aka Ethernet CRC-32. We don't get it from backends and can't
  * fill it in, just pad descriptor length by 4 bytes unless guest
- * told us to trip it off the packet. */
+ * told us to strip it off the packet. */
 static inline int
 fcs_len(E1000State *s)
 {
@@ -690,9 +690,14 @@ e1000_receive(VLANClientState *nc, const uint8_t *buf, size_t size)
 
     s->mac_reg[GPRC]++;
     s->mac_reg[TPR]++;
-    n = s->mac_reg[TORL];
-    if ((s->mac_reg[TORL] += size) < n)
+    /* TOR - Total Octets Received:
+     * This register includes bytes received in a packet from the <Destination
+     * Address> field through the <CRC> field, inclusively.
+     */
+    n = s->mac_reg[TORL] + size + /* Always include FCS length. */ 4;
+    if (n < s->mac_reg[TORL])
         s->mac_reg[TORH]++;
+    s->mac_reg[TORL] = n;
 
     n = E1000_ICS_RXT0;
     if ((rdt = s->mac_reg[RDT]) < s->mac_reg[RDH])
commit cfb207e643d94e3e96d456b1df14c5e36f6aa9e5
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Aug 31 00:22:50 2010 +0200

    PPC: Make e500 pci byte swap config data
    
    The config data field on the e500 pci controller is in little endian, so we need
    to enable byte swap there.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 3fa42d2..629b242 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -313,7 +313,7 @@ static int e500_pcihost_initfn(SysBusDevice *dev)
     cpu_register_physical_memory(registers + PCIE500_CFGADDR, 4, index);
 
     /* CFGDATA */
-    index = pci_host_data_register_mmio(&s->pci_state, 0);
+    index = pci_host_data_register_mmio(&s->pci_state, 1);
     if (index < 0)
         return -1;
     cpu_register_physical_memory(registers + PCIE500_CFGDATA, 4, index);
commit 13b7fdeffa68e3382231a70308593ae6a75d96c3
Author: Alexander Graf <agraf at suse.de>
Date:   Tue Aug 31 00:22:28 2010 +0200

    PPC: Qdev'ify e500 pci
    
    The e500 PCI controller isn't qdev'ified yet. This leads to severe issues
    when running with -drive.
    
    To be able to use a virtio disk with an e500 VM, let's convert the PCI
    controller over to qdev.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index 8ac99f2..3fa42d2 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -73,11 +73,11 @@ struct pci_inbound {
 };
 
 struct PPCE500PCIState {
+    PCIHostState pci_state;
     struct pci_outbound pob[PPCE500_PCI_NR_POBS];
     struct pci_inbound pib[PPCE500_PCI_NR_PIBS];
     uint32_t gasket_time;
-    PCIHostState pci_state;
-    PCIDevice *pci_dev;
+    uint64_t base_addr;
 };
 
 typedef struct PPCE500PCIState PPCE500PCIState;
@@ -221,7 +221,7 @@ static void ppce500_pci_save(QEMUFile *f, void *opaque)
     PPCE500PCIState *controller = opaque;
     int i;
 
-    pci_device_save(controller->pci_dev, f);
+    /* pci_device_save(controller->pci_dev, f); */
 
     for (i = 0; i < PPCE500_PCI_NR_POBS; i++) {
         qemu_put_be32s(f, &controller->pob[i].potar);
@@ -247,7 +247,7 @@ static int ppce500_pci_load(QEMUFile *f, void *opaque, int version_id)
     if (version_id != 1)
         return -EINVAL;
 
-    pci_device_load(controller->pci_dev, f);
+    /* pci_device_load(controller->pci_dev, f); */
 
     for (i = 0; i < PPCE500_PCI_NR_POBS; i++) {
         qemu_get_be32s(f, &controller->pob[i].potar);
@@ -269,55 +269,95 @@ static int ppce500_pci_load(QEMUFile *f, void *opaque, int version_id)
 
 PCIBus *ppce500_pci_init(qemu_irq pci_irqs[4], target_phys_addr_t registers)
 {
-    PPCE500PCIState *controller;
+    DeviceState *dev;
+    PCIBus *b;
+    PCIHostState *h;
+    PPCE500PCIState *s;
     PCIDevice *d;
-    int index;
     static int ppce500_pci_id;
 
-    controller = qemu_mallocz(sizeof(PPCE500PCIState));
+    dev = qdev_create(NULL, "e500-pcihost");
+    h = FROM_SYSBUS(PCIHostState, sysbus_from_qdev(dev));
+    s = DO_UPCAST(PPCE500PCIState, pci_state, h);
+
+    qdev_prop_set_uint64(dev, "base_addr", registers);
+    b = pci_register_bus(&s->pci_state.busdev.qdev, NULL, mpc85xx_pci_set_irq,
+                         mpc85xx_pci_map_irq, pci_irqs, PCI_DEVFN(0x11, 0), 4);
+
+    s->pci_state.bus = b;
+    qdev_init_nofail(dev);
+    d = pci_create_simple(b, 0, "e500-host-bridge");
+
+    /* XXX load/save code not tested. */
+    register_savevm(&d->qdev, "ppce500_pci", ppce500_pci_id++,
+                    1, ppce500_pci_save, ppce500_pci_load, s);
 
-    controller->pci_state.bus = pci_register_bus(NULL, "pci",
-                                                 mpc85xx_pci_set_irq,
-                                                 mpc85xx_pci_map_irq,
-                                                 pci_irqs, PCI_DEVFN(0x11, 0),
-                                                 4);
-    d = pci_register_device(controller->pci_state.bus,
-                            "host bridge", sizeof(PCIDevice),
-                            0, NULL, NULL);
+    return b;
+}
 
-    pci_config_set_vendor_id(d->config, PCI_VENDOR_ID_FREESCALE);
-    pci_config_set_device_id(d->config, PCI_DEVICE_ID_MPC8533E);
-    pci_config_set_class(d->config, PCI_CLASS_PROCESSOR_POWERPC);
+static int e500_pcihost_initfn(SysBusDevice *dev)
+{
+    PCIHostState *h;
+    PPCE500PCIState *s;
+    target_phys_addr_t registers;
+    int index;
 
-    controller->pci_dev = d;
+    h = FROM_SYSBUS(PCIHostState, sysbus_from_qdev(dev));
+    s = DO_UPCAST(PPCE500PCIState, pci_state, h);
+    registers = (target_phys_addr_t)s->base_addr;
 
     /* CFGADDR */
-    index = pci_host_conf_register_mmio(&controller->pci_state, 0);
+    index = pci_host_conf_register_mmio(&s->pci_state, 0);
     if (index < 0)
-        goto free;
+        return -1;
     cpu_register_physical_memory(registers + PCIE500_CFGADDR, 4, index);
 
     /* CFGDATA */
-    index = pci_host_data_register_mmio(&controller->pci_state, 0);
+    index = pci_host_data_register_mmio(&s->pci_state, 0);
     if (index < 0)
-        goto free;
+        return -1;
     cpu_register_physical_memory(registers + PCIE500_CFGDATA, 4, index);
 
     index = cpu_register_io_memory(e500_pci_reg_read,
-                                   e500_pci_reg_write, controller);
+                                   e500_pci_reg_write, s);
     if (index < 0)
-        goto free;
+        return -1;
     cpu_register_physical_memory(registers + PCIE500_REG_BASE,
                                    PCIE500_REG_SIZE, index);
+    return 0;
+}
 
-    /* XXX load/save code not tested. */
-    register_savevm(&d->qdev, "ppce500_pci", ppce500_pci_id++,
-                    1, ppce500_pci_save, ppce500_pci_load, controller);
+static int e500_host_bridge_initfn(PCIDevice *dev)
+{
+    pci_config_set_vendor_id(dev->config, PCI_VENDOR_ID_FREESCALE);
+    pci_config_set_device_id(dev->config, PCI_DEVICE_ID_MPC8533E);
+    pci_config_set_class(dev->config, PCI_CLASS_PROCESSOR_POWERPC);
+
+    return 0;
+}
+
+static PCIDeviceInfo e500_host_bridge_info = {
+    .qdev.name    = "e500-host-bridge",
+    .qdev.desc    = "Host bridge",
+    .qdev.size    = sizeof(PCIDevice),
+    .qdev.no_user = 1,
+    .init         = e500_host_bridge_initfn,
+};
 
-    return controller->pci_state.bus;
+static SysBusDeviceInfo e500_pcihost_info = {
+    .init         = e500_pcihost_initfn,
+    .qdev.name    = "e500-pcihost",
+    .qdev.size    = sizeof(PPCE500PCIState),
+    .qdev.no_user = 1,
+    .qdev.props = (Property[]) {
+        DEFINE_PROP_UINT64("base_addr", PPCE500PCIState, base_addr, 0),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
 
-free:
-    printf("%s error\n", __func__);
-    qemu_free(controller);
-    return NULL;
+static void e500_pci_register(void)
+{
+    sysbus_register_withprop(&e500_pcihost_info);
+    pci_qdev_register(&e500_host_bridge_info);
 }
+device_init(e500_pci_register);
commit fc87e185302a96c2675a1c3a86ca47c6a2d657ff
Author: Alexander Graf <agraf at suse.de>
Date:   Mon Aug 30 13:49:15 2010 +0200

    KVM: PPC: Add level based interrupt logic
    
    KVM on PowerPC used to have completely broken interrupt logic. Usually,
    interrupts work by having a PIC that pulls a line up/down, so the CPU knows
    that an interrupt is active. This line stays active until some action is
    done to the PIC to release the line.
    
    On KVM for PPC, we just checked if there was an interrupt pending and pulled
    a line in the kernel module. We never released it though, hoping that kernel
    space would just declare an interrupt as released when injected - which is
    wrong.
    
    To fix this, we need to completely redesign the interrupt injection logic.
    Whenever an interrupt line gets triggered, we need to notify kernel space
    that the line is up. Whenever it gets released, we do the same. This way
    we can assure that the interrupt state is always known to kernel space.
    
    This fixes random stalls in KVM guests on PowerPC that were waiting for
    an interrupt while everyone else thought they received it already.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>

diff --git a/hw/ppc.c b/hw/ppc.c
index 2a77eb9..55e3808 100644
--- a/hw/ppc.c
+++ b/hw/ppc.c
@@ -28,6 +28,8 @@
 #include "nvram.h"
 #include "qemu-log.h"
 #include "loader.h"
+#include "kvm.h"
+#include "kvm_ppc.h"
 
 //#define PPC_DEBUG_IRQ
 //#define PPC_DEBUG_TB
@@ -50,6 +52,8 @@ static void cpu_ppc_tb_start (CPUState *env);
 
 static void ppc_set_irq (CPUState *env, int n_IRQ, int level)
 {
+    unsigned int old_pending = env->pending_interrupts;
+
     if (level) {
         env->pending_interrupts |= 1 << n_IRQ;
         cpu_interrupt(env, CPU_INTERRUPT_HARD);
@@ -58,6 +62,13 @@ static void ppc_set_irq (CPUState *env, int n_IRQ, int level)
         if (env->pending_interrupts == 0)
             cpu_reset_interrupt(env, CPU_INTERRUPT_HARD);
     }
+
+    if (old_pending != env->pending_interrupts) {
+#ifdef CONFIG_KVM
+        kvmppc_set_interrupt(env, n_IRQ, level);
+#endif
+    }
+
     LOG_IRQ("%s: %p n_IRQ %d level %d => pending %08" PRIx32
                 "req %08x\n", __func__, env, n_IRQ, level,
                 env->pending_interrupts, env->interrupt_request);
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index 14d6365..5cacef7 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -37,6 +37,9 @@
     do { } while (0)
 #endif
 
+static int cap_interrupt_unset = false;
+static int cap_interrupt_level = false;
+
 /* XXX We have a race condition where we actually have a level triggered
  *     interrupt, but the infrastructure can't expose that yet, so the guest
  *     takes but ignores it, goes to sleep and never gets notified that there's
@@ -55,6 +58,18 @@ static void kvm_kick_env(void *env)
 
 int kvm_arch_init(KVMState *s, int smp_cpus)
 {
+#ifdef KVM_CAP_PPC_UNSET_IRQ
+    cap_interrupt_unset = kvm_check_extension(s, KVM_CAP_PPC_UNSET_IRQ);
+#endif
+#ifdef KVM_CAP_PPC_IRQ_LEVEL
+    cap_interrupt_level = kvm_check_extension(s, KVM_CAP_PPC_IRQ_LEVEL);
+#endif
+
+    if (!cap_interrupt_level) {
+        fprintf(stderr, "KVM: Couldn't find level irq capability. Expect the "
+                        "VM to stall at times!\n");
+    }
+
     return 0;
 }
 
@@ -178,6 +193,23 @@ int kvm_arch_get_registers(CPUState *env)
     return 0;
 }
 
+int kvmppc_set_interrupt(CPUState *env, int irq, int level)
+{
+    unsigned virq = level ? KVM_INTERRUPT_SET_LEVEL : KVM_INTERRUPT_UNSET;
+
+    if (irq != PPC_INTERRUPT_EXT) {
+        return 0;
+    }
+
+    if (!kvm_enabled() || !cap_interrupt_unset || !cap_interrupt_level) {
+        return 0;
+    }
+
+    kvm_vcpu_ioctl(env, KVM_INTERRUPT, &virq);
+
+    return 0;
+}
+
 #if defined(TARGET_PPCEMB)
 #define PPC_INPUT_INT PPC40x_INPUT_INT
 #elif defined(TARGET_PPC64)
@@ -193,7 +225,8 @@ int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
 
     /* PowerPC Qemu tracks the various core input pins (interrupt, critical
      * interrupt, reset, etc) in PPC-specific env->irq_input_state. */
-    if (run->ready_for_interrupt_injection &&
+    if (!cap_interrupt_level &&
+        run->ready_for_interrupt_injection &&
         (env->interrupt_request & CPU_INTERRUPT_HARD) &&
         (env->irq_input_state & (1<<PPC_INPUT_INT)))
     {
@@ -201,7 +234,7 @@ int kvm_arch_pre_run(CPUState *env, struct kvm_run *run)
          * future KVM could cache it in-kernel to avoid a heavyweight exit
          * when reading the UIC.
          */
-        irq = -1U;
+        irq = KVM_INTERRUPT_SET;
 
         dprintf("injected interrupt %d\n", irq);
         r = kvm_vcpu_ioctl(env, KVM_INTERRUPT, &irq);
diff --git a/target-ppc/kvm_ppc.h b/target-ppc/kvm_ppc.h
index 65e31c9..911b19e 100644
--- a/target-ppc/kvm_ppc.h
+++ b/target-ppc/kvm_ppc.h
@@ -16,5 +16,18 @@ int kvmppc_read_host_property(const char *node_path, const char *prop,
 
 uint32_t kvmppc_get_tbfreq(void);
 int kvmppc_get_hypercall(CPUState *env, uint8_t *buf, int buf_len);
+int kvmppc_set_interrupt(CPUState *env, int irq, int level);
+
+#ifndef KVM_INTERRUPT_SET
+#define KVM_INTERRUPT_SET -1
+#endif
+
+#ifndef KVM_INTERRUPT_UNSET
+#define KVM_INTERRUPT_UNSET -2
+#endif
+
+#ifndef KVM_INTERRUPT_SET_LEVEL
+#define KVM_INTERRUPT_SET_LEVEL -3
+#endif
 
 #endif /* __KVM_PPC_H__ */
commit 6ee63ef38696aa3b0518f6aa6b85bc111ba7ca4e
Merge: 6d41777... ba5e7f8...
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Sep 5 11:23:00 2010 +0300

    Merge branch 'master' of git://git.sv.gnu.org/qemu into next
    
    * 'master' of git://git.sv.gnu.org/qemu:
      vnc: use bswapNN() rather than bswap_NN()
      vnc: tight: remove unused variable
      Fix ivshmem build on 32-bit hosts
      virtio-9p: Make sure -virtfs option works correctly
      hw/ivshmem.c don't check for negative values on unsigned data types
      load_multiboot(): get_image_size() returns int
      Change DPRINTF() to do{}while(0) to avoid compiler warning
      size_t is unsigned, change to ssize_t to handle errors from tight_compress_data()
      Fix repeated typo: was "end if list" instead of "end of list"
      Respect return value from nbd_client()
      Remove unused argument for nbd_client()
      Fix OpenBSD linker warning
      acpi: fix file size check with -acpitable.
      isapc: fix segfault.
      Fix segfault in mmio subpage handling code.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --cc qemu-config.c
index 0d5d25c,1efdbec..40c642a
--- a/qemu-config.c
+++ b/qemu-config.c
@@@ -79,12 -79,8 +79,12 @@@ static QemuOptsList qemu_drive_opts = 
          },{
              .name = "readonly",
              .type = QEMU_OPT_BOOL,
 +        },{
 +            .name = "boot",
 +            .type = QEMU_OPT_BOOL,
 +            .help = "make this a boot drive",
          },
-         { /* end if list */ }
+         { /* end of list */ }
      },
  };
  
commit ba5e7f82169f32ab8163c707d97c799ca09f8924
Author: Izumi Tsutsui <tsutsui at ceres.dti.ne.jp>
Date:   Sun Aug 8 18:54:05 2010 +0900

    vnc: use bswapNN() rather than bswap_NN()
    
    bswap_NN() variants are not always available in CONFIG_MACHINE_BSWAP_H case
    and bswapNN() are public APIs in "bswap.h".
    
    Signed-off-by: Izumi Tsutsui <tsutsui at ceres.dti.ne.jp>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index e3db8e9..971bced 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -209,7 +209,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
                      d < w - x - VNC_TIGHT_DETECT_SUBROW_WIDTH; d++) {  \
                 pix = ((uint##bpp##_t *)buf)[(y+d)*w+x+d];              \
                 if (endian) {                                           \
-                    pix = bswap_##bpp(pix);                             \
+                    pix = bswap##bpp(pix);                              \
                 }                                                       \
                 for (c = 0; c < 3; c++) {                               \
                     left[c] = (int)(pix >> shift[c] & max[c]);          \
@@ -218,7 +218,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
                      dx++) {                                            \
                     pix = ((uint##bpp##_t *)buf)[(y+d)*w+x+d+dx];       \
                     if (endian) {                                       \
-                        pix = bswap_##bpp(pix);                         \
+                        pix = bswap##bpp(pix);                          \
                     }                                                   \
                     sum = 0;                                            \
                     for (c = 0; c < 3; c++) {                           \
@@ -608,7 +608,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
             for (x = 0; x < w; x++) {                                   \
                 pix = *buf;                                             \
                 if (endian) {                                           \
-                    pix = bswap_##bpp(pix);                             \
+                    pix = bswap##bpp(pix);                              \
                 }                                                       \
                 diff = 0;                                               \
                 for (c = 0; c < 3; c++) {                               \
@@ -628,7 +628,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
                         << shift[c];                                    \
                 }                                                       \
                 if (endian) {                                           \
-                    diff = bswap_##bpp(diff);                           \
+                    diff = bswap##bpp(diff);                            \
                 }                                                       \
                 *buf++ = diff;                                          \
             }                                                           \
commit 49e3fcc24922074f51830eec7d472787e58af673
Author: Serge Ziryukin <ftrvxmtrx at gmail.com>
Date:   Sat Aug 28 23:24:33 2010 +0300

    vnc: tight: remove unused variable
    
    Signed-off-by: Serge Ziryukin <ftrvxmtrx at gmail.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index c942bb7..e3db8e9 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -1351,7 +1351,6 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
     png_structp png_ptr;
     png_infop info_ptr;
     png_colorp png_palette = NULL;
-    size_t offset;
     int level = tight_png_conf[vs->tight.compression].png_zlib_level;
     int filters = tight_png_conf[vs->tight.compression].png_filters;
     uint8_t *buf;
@@ -1396,7 +1395,6 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
 
         png_set_PLTE(png_ptr, info_ptr, png_palette, palette_size(palette));
 
-        offset = vs->tight.tight.offset;
         if (vs->clientds.pf.bytes_per_pixel == 4) {
             tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
         } else {
commit ad0a4ac1c0e1859eb0c67900dba696cc459b42a7
Author: Avi Kivity <avi at redhat.com>
Date:   Sun Aug 29 12:43:15 2010 +0300

    Fix ivshmem build on 32-bit hosts
    
    stat() fields can be more or less anything depending on configuration, cast
    explicitly to uint64_t to avoid printf() format mismatches.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ivshmem.c b/hw/ivshmem.c
index afebbc3..06dce70 100644
--- a/hw/ivshmem.c
+++ b/hw/ivshmem.c
@@ -351,9 +351,10 @@ static int check_shm_size(IVShmemState *s, int fd) {
     fstat(fd, &buf);
 
     if (s->ivshmem_size > buf.st_size) {
-        fprintf(stderr, "IVSHMEM ERROR: Requested memory size greater");
-        fprintf(stderr, " than shared object size (%" PRIu64 " > %ld)\n",
-                                          s->ivshmem_size, buf.st_size);
+        fprintf(stderr,
+                "IVSHMEM ERROR: Requested memory size greater"
+                " than shared object size (%" PRIu64 " > %" PRIu64")\n",
+                s->ivshmem_size, (uint64_t)buf.st_size);
         return -1;
     } else {
         return 0;
commit c93031e56a7fe0f22dd4ece50d25d5f3af221cfa
Author: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date:   Thu Sep 2 21:47:59 2010 +0530

    virtio-9p: Make sure -virtfs option works correctly
    
    When making copy of arguments we were doing partial copy
    
    Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/vl.c b/vl.c
index bd05e39..fd491ba 100644
--- a/vl.c
+++ b/vl.c
@@ -2332,7 +2332,7 @@ int main(int argc, char **argv, char **envp)
                 len += strlen(qemu_opt_get(opts, "security_model"));
                 arg_fsdev = qemu_malloc((len + 1) * sizeof(*arg_fsdev));
 
-                snprintf(arg_fsdev, len * sizeof(*arg_fsdev),
+                snprintf(arg_fsdev, (len + 1) * sizeof(*arg_fsdev),
                          "%s,id=%s,path=%s,security_model=%s",
                          qemu_opt_get(opts, "fstype"),
                          qemu_opt_get(opts, "mount_tag"),
@@ -2343,7 +2343,7 @@ int main(int argc, char **argv, char **envp)
                 len += 2*strlen(qemu_opt_get(opts, "mount_tag"));
                 arg_9p = qemu_malloc((len + 1) * sizeof(*arg_9p));
 
-                snprintf(arg_9p, len * sizeof(*arg_9p),
+                snprintf(arg_9p, (len + 1) * sizeof(*arg_9p),
                          "virtio-9p-pci,fsdev=%s,mount_tag=%s",
                          qemu_opt_get(opts, "mount_tag"),
                          qemu_opt_get(opts, "mount_tag"));
commit 1b27d7a1e8609b2eeb6238f2c629eb82217523f6
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Mon Aug 30 12:31:33 2010 +0200

    hw/ivshmem.c don't check for negative values on unsigned data types
    
    There is no need to check for dest < 0 or vector >= 0 as both are
    uint16_t.
    
    This should fix problems with broken build with aggressive compiler
    flags. Reported by Xudong Hao <xudong.hao at intel.com>
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Acked-by: Cam Macdonell <cam at cs.ualberta.ca>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/ivshmem.c b/hw/ivshmem.c
index bbb5cba..afebbc3 100644
--- a/hw/ivshmem.c
+++ b/hw/ivshmem.c
@@ -199,13 +199,13 @@ static void ivshmem_io_writel(void *opaque, target_phys_addr_t addr,
 
         case DOORBELL:
             /* check that dest VM ID is reasonable */
-            if ((dest < 0) || (dest > s->max_peer)) {
+            if (dest > s->max_peer) {
                 IVSHMEM_DPRINTF("Invalid destination VM ID (%d)\n", dest);
                 break;
             }
 
             /* check doorbell range */
-            if ((vector >= 0) && (vector < s->peers[dest].nb_eventfds)) {
+            if (vector < s->peers[dest].nb_eventfds) {
                 IVSHMEM_DPRINTF("Writing %" PRId64 " to VM %d on vector %d\n",
                                                     write_one, dest, vector);
                 if (write(s->peers[dest].eventfds[vector],
commit 37a05af069e14d435fe8fb2cd8c7a8b2f16d137f
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Aug 31 09:30:38 2010 +0200

    load_multiboot(): get_image_size() returns int
    
    Do not store return of get_image_size() in a uint32_t as it makes it
    impossible to detect error returns from get_image_size.
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/multiboot.c b/hw/multiboot.c
index dc980e6..f9097a2 100644
--- a/hw/multiboot.c
+++ b/hw/multiboot.c
@@ -252,7 +252,7 @@ int load_multiboot(void *fw_cfg,
 
         do {
             char *next_space;
-            uint32_t mb_mod_length;
+            int mb_mod_length;
             uint32_t offs = mbs.mb_buf_size;
 
             next_initrd = strchr(initrd_filename, ',');
commit 7390cdfbf768617b80f570e17aa2e6c1c7b92592
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Aug 31 09:30:37 2010 +0200

    Change DPRINTF() to do{}while(0) to avoid compiler warning
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/slirp/bootp.c b/slirp/bootp.c
index 3e4e881..41460ff 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -33,7 +33,7 @@ static const uint8_t rfc1533_cookie[] = { RFC1533_COOKIE };
 #define DPRINTF(fmt, ...) \
 do if (slirp_debug & DBG_CALL) { fprintf(dfd, fmt, ##  __VA_ARGS__); fflush(dfd); } while (0)
 #else
-#define DPRINTF(fmt, ...)
+#define DPRINTF(fmt, ...) do{}while(0)
 #endif
 
 static BOOTPClient *get_new_addr(Slirp *slirp, struct in_addr *paddr,
commit 2116eff93c57d3a9e5d0d3bc9e359d124e762a7d
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Aug 31 09:30:36 2010 +0200

    size_t is unsigned, change to ssize_t to handle errors from tight_compress_data()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index c4c9c3b..c942bb7 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -905,7 +905,7 @@ static void tight_pack24(VncState *vs, uint8_t *buf, size_t count, size_t *ret)
 static int send_full_color_rect(VncState *vs, int x, int y, int w, int h)
 {
     int stream = 0;
-    size_t bytes;
+    ssize_t bytes;
 
 #ifdef CONFIG_VNC_PNG
     if (tight_can_send_png_rect(vs, w, h)) {
@@ -949,7 +949,7 @@ static int send_solid_rect(VncState *vs)
 static int send_mono_rect(VncState *vs, int x, int y,
                           int w, int h, uint32_t bg, uint32_t fg)
 {
-    size_t bytes;
+    ssize_t bytes;
     int stream = 1;
     int level = tight_conf[vs->tight.compression].mono_zlib_level;
 
@@ -1029,7 +1029,7 @@ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
 {
     int stream = 3;
     int level = tight_conf[vs->tight.compression].gradient_zlib_level;
-    size_t bytes;
+    ssize_t bytes;
 
     if (vs->clientds.pf.bytes_per_pixel == 1)
         return send_full_color_rect(vs, x, y, w, h);
@@ -1066,7 +1066,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
     int stream = 2;
     int level = tight_conf[vs->tight.compression].idx_zlib_level;
     int colors;
-    size_t bytes;
+    ssize_t bytes;
 
 #ifdef CONFIG_VNC_PNG
     if (tight_can_send_png_rect(vs, w, h)) {
commit 26056e0c7599d311f5f39b9b31d643d23983f035
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Aug 31 09:30:35 2010 +0200

    Fix repeated typo: was "end if list" instead of "end of list"
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-config.c b/qemu-config.c
index 3abe655..1efdbec 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -80,7 +80,7 @@ static QemuOptsList qemu_drive_opts = {
             .name = "readonly",
             .type = QEMU_OPT_BOOL,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -147,7 +147,7 @@ static QemuOptsList qemu_chardev_opts = {
             .name = "signal",
             .type = QEMU_OPT_BOOL,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -203,7 +203,7 @@ static QemuOptsList qemu_device_opts = {
          * sanity checking will happen later
          * when setting device properties
          */
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -247,7 +247,7 @@ static QemuOptsList qemu_rtc_opts = {
             .name = "driftfix",
             .type = QEMU_OPT_STRING,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -265,7 +265,7 @@ static QemuOptsList qemu_global_opts = {
             .name = "value",
             .type = QEMU_OPT_STRING,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
@@ -284,7 +284,7 @@ static QemuOptsList qemu_mon_opts = {
             .name = "default",
             .type = QEMU_OPT_BOOL,
         },
-        { /* end if list */ }
+        { /* end of list */ }
     },
 };
 
commit e301b13d6a7291d43450f4e83435c3a3eeca8629
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Aug 31 09:30:34 2010 +0200

    Respect return value from nbd_client()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/qemu-nbd.c b/qemu-nbd.c
index 9cc8f47..67ce50b 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -417,7 +417,10 @@ int main(int argc, char **argv)
 
             show_parts(device);
 
-            nbd_client(fd);
+            ret = nbd_client(fd);
+            if (ret) {
+                ret = 1;
+            }
             close(fd);
  out:
             kill(pid, SIGTERM);
commit 0a4eb864e354d650ac9ff6aea62873a6cd07e9ca
Author: Jes Sorensen <Jes.Sorensen at redhat.com>
Date:   Tue Aug 31 09:30:33 2010 +0200

    Remove unused argument for nbd_client()
    
    Signed-off-by: Jes Sorensen <Jes.Sorensen at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/nbd.c b/nbd.c
index a9f295f..7049998 100644
--- a/nbd.c
+++ b/nbd.c
@@ -393,7 +393,7 @@ int nbd_disconnect(int fd)
 	return 0;
 }
 
-int nbd_client(int fd, int csock)
+int nbd_client(int fd)
 {
 	int ret;
 	int serrno;
@@ -427,7 +427,7 @@ int nbd_disconnect(int fd)
     return -1;
 }
 
-int nbd_client(int fd, int csock)
+int nbd_client(int fd)
 {
     errno = ENOTSUP;
     return -1;
diff --git a/nbd.h b/nbd.h
index 5a1fbdf..f103c3c 100644
--- a/nbd.h
+++ b/nbd.h
@@ -55,7 +55,7 @@ int nbd_send_request(int csock, struct nbd_request *request);
 int nbd_receive_reply(int csock, struct nbd_reply *reply);
 int nbd_trip(BlockDriverState *bs, int csock, off_t size, uint64_t dev_offset,
              off_t *offset, bool readonly, uint8_t *data, int data_size);
-int nbd_client(int fd, int csock);
+int nbd_client(int fd);
 int nbd_disconnect(int fd);
 
 #endif
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 4e607cf..9cc8f47 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -417,7 +417,7 @@ int main(int argc, char **argv)
 
             show_parts(device);
 
-            nbd_client(fd, sock);
+            nbd_client(fd);
             close(fd);
  out:
             kill(pid, SIGTERM);
commit 6d417770a5e1c039a5df98828b5a3877afaaaed6
Author: Avi Kivity <avi at redhat.com>
Date:   Thu Sep 2 16:40:20 2010 +0300

    kvm_stat: increase nfiles resource limit
    
    kvm_stat uses a huge number of files for perf_events, increase resource
    limit so we don't fail.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index a2033fe..f8a1399 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -223,6 +223,9 @@ class TracepointProvider(object):
         self.cpus = [int(re.match(cpure, x).group(1))
                      for x in os.listdir('/sys/devices/system/cpu')
                      if re.match(cpure, x)]
+        import resource
+        nfiles = len(self.cpus) * 1000
+        resource.setrlimit(resource.RLIMIT_NOFILE, (nfiles, nfiles))
         fds = []
         self.group_leaders = []
         for cpu in self.cpus:
commit 94f964d08ebdcc74999d4cff74bc5f7aee84fc55
Author: Avi Kivity <avi at redhat.com>
Date:   Thu Sep 2 14:22:40 2010 +0300

    kvm_stat: determine online cpus dynamically
    
    Instead of hardcoding [0, 1].
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index d373c60..a2033fe 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -219,7 +219,10 @@ class TracepointProvider(object):
         return self._fields
     def select(self, _fields):
         self._fields = _fields
-        self.cpus = [0, 1]
+        cpure = r'cpu([0-9]+)'
+        self.cpus = [int(re.match(cpure, x).group(1))
+                     for x in os.listdir('/sys/devices/system/cpu')
+                     if re.match(cpure, x)]
         fds = []
         self.group_leaders = []
         for cpu in self.cpus:
commit 5bd5f131b50cb373ff4e2a3632c6dad00a1f0b55
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Sep 1 10:16:54 2010 +0300

    kvm_stat: ignore events that have never occured
    
    Less cluttered display.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index 4a16277..d373c60 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -315,6 +315,8 @@ def tui(screen, stats):
             if row >= screen.getmaxyx()[0]:
                 break
             values = s[key]
+            if not values[0] and not values[1]:
+                break
             col = 1
             screen.addstr(row, col, key)
             col += label_width
commit 6965dde18716c35f1a870ae02d4b5fa6d985eb61
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Sep 1 10:13:50 2010 +0300

    kvm_stat: use total count as a secondary sort key
    
    This shows events with history in preference to events with none.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index e32df14..4a16277 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -308,9 +308,9 @@ def tui(screen, stats):
         s = stats.get()
         def sortkey(x):
             if s[x][1]:
-                return -s[x][1]
+                return (-s[x][1], -s[x][0])
             else:
-                return x
+                return (0, -s[x][0])
         for key in sorted(s.keys(), key = sortkey):
             if row >= screen.getmaxyx()[0]:
                 break
commit d17e452575767705cddee81542e279ca4e913296
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Sep 1 10:01:27 2010 +0300

    kvm_stat: scale delta column to make it a rate
    
    Scale the delta column by 1/sleeptime, so its units are
    events per second.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index b031d48..e32df14 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -301,7 +301,7 @@ number_width = 10
 def tui(screen, stats):
     curses.use_default_colors()
     curses.noecho()
-    def refresh():
+    def refresh(sleeptime):
         screen.erase()
         screen.addstr(0, 0, 'kvm statistics')
         row = 2
@@ -321,13 +321,13 @@ def tui(screen, stats):
             screen.addstr(row, col, '%10d' % (values[0],))
             col += number_width
             if values[1] is not None:
-                screen.addstr(row, col, '%8d' % (values[1],))
+                screen.addstr(row, col, '%8d' % (values[1] / sleeptime,))
             row += 1
         screen.refresh()
 
     sleeptime = 0.25
     while True:
-        refresh()
+        refresh(sleeptime)
         curses.halfdelay(int(sleeptime * 10))
         sleeptime = 3
         try:
commit ee4461a3d2d3d67dbc938d7d77c874ce80d7d47a
Author: Avi Kivity <avi at redhat.com>
Date:   Wed Sep 1 09:59:50 2010 +0300

    kvm_stat: make the initial sleep shorter
    
    So we can see results faster
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index e68ca4e..b031d48 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -325,9 +325,11 @@ def tui(screen, stats):
             row += 1
         screen.refresh()
 
+    sleeptime = 0.25
     while True:
         refresh()
-        curses.halfdelay(30)
+        curses.halfdelay(int(sleeptime * 10))
+        sleeptime = 3
         try:
             c = screen.getkey()
             if c == 'q':
commit cb93bbdd7db92e50ff5e60a346b23df68acae46b
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Tue Aug 31 20:16:59 2010 +0000

    Fix OpenBSD linker warning
    
    Fix a warning from OpenBSD linker:
    ../libhw32/vl.o(.text+0x5c3c): In function `main':
    /src/qemu/vl.c:2335: warning: sprintf() is often misused, please use snprintf()
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/vl.c b/vl.c
index 91d1684..bd05e39 100644
--- a/vl.c
+++ b/vl.c
@@ -2332,19 +2332,21 @@ int main(int argc, char **argv, char **envp)
                 len += strlen(qemu_opt_get(opts, "security_model"));
                 arg_fsdev = qemu_malloc((len + 1) * sizeof(*arg_fsdev));
 
-                sprintf(arg_fsdev, "%s,id=%s,path=%s,security_model=%s",
-                                qemu_opt_get(opts, "fstype"),
-                                qemu_opt_get(opts, "mount_tag"),
-                                qemu_opt_get(opts, "path"),
-                                qemu_opt_get(opts, "security_model"));
+                snprintf(arg_fsdev, len * sizeof(*arg_fsdev),
+                         "%s,id=%s,path=%s,security_model=%s",
+                         qemu_opt_get(opts, "fstype"),
+                         qemu_opt_get(opts, "mount_tag"),
+                         qemu_opt_get(opts, "path"),
+                         qemu_opt_get(opts, "security_model"));
 
                 len = strlen("virtio-9p-pci,fsdev=,mount_tag=");
                 len += 2*strlen(qemu_opt_get(opts, "mount_tag"));
                 arg_9p = qemu_malloc((len + 1) * sizeof(*arg_9p));
 
-                sprintf(arg_9p, "virtio-9p-pci,fsdev=%s,mount_tag=%s",
-                                qemu_opt_get(opts, "mount_tag"),
-                                qemu_opt_get(opts, "mount_tag"));
+                snprintf(arg_9p, len * sizeof(*arg_9p),
+                         "virtio-9p-pci,fsdev=%s,mount_tag=%s",
+                         qemu_opt_get(opts, "mount_tag"),
+                         qemu_opt_get(opts, "mount_tag"));
 
                 if (!qemu_opts_parse(qemu_find_opts("fsdev"), arg_fsdev, 1)) {
                     fprintf(stderr, "parse error [fsdev]: %s\n", optarg);
commit c1169dfff7014b6cc2a548c19d2875e8d550e575
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Aug 31 16:22:25 2010 +0300

    kvm_stat: be slower
    
    More information is displayed, so more time is need to process the information.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index b7bc846..e68ca4e 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -327,7 +327,7 @@ def tui(screen, stats):
 
     while True:
         refresh()
-        curses.halfdelay(10)
+        curses.halfdelay(30)
         try:
             c = screen.getkey()
             if c == 'q':
commit 0aff501d80e0820e19518fc7b0a3019db335b4cd
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Aug 31 16:21:49 2010 +0300

    kvm_stat: increase label width
    
    With kvm_exit drill down, labels are pretty large.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index c55bf88..b7bc846 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -295,7 +295,7 @@ if not os.access('/sys/kernel/debug/kvm', os.F_OK):
     print "and ensure the kvm modules are loaded"
     sys.exit(1)
 
-label_width = 20
+label_width = 40
 number_width = 10
 
 def tui(screen, stats):
commit d47d837df169e7cf94f1dd0c3d572bd1a35b9ea0
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Aug 31 16:20:18 2010 +0300

    kvm_stat: sort tui output according to highest occurence
    
    With plenty of counters and wide, short screens it's hard to see what's on
    the top.  So sort the output.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index 677683a..c55bf88 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -306,7 +306,12 @@ def tui(screen, stats):
         screen.addstr(0, 0, 'kvm statistics')
         row = 2
         s = stats.get()
-        for key in sorted(s.keys()):
+        def sortkey(x):
+            if s[x][1]:
+                return -s[x][1]
+            else:
+                return x
+        for key in sorted(s.keys(), key = sortkey):
             if row >= screen.getmaxyx()[0]:
                 break
             values = s[key]
commit 7fcaebc9704009ef56bd7aec10c1c198281771db
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Aug 31 16:13:44 2010 +0300

    kvm_stat: provide detailed kvm_exit:exit_reason display
    
    In addition to displaying kvm_exit as an aggregate counter, use perf_event's
    filter capability to count individual exit reasons.
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index 9b0392b..677683a 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -16,6 +16,143 @@ class DebugfsProvider(object):
             return int(file(self.base + '/' + key).read())
         return dict([(key, val(key)) for key in self._fields])
 
+vmx_exit_reasons = {
+    0: 'EXCEPTION_NMI',
+    1: 'EXTERNAL_INTERRUPT',
+    2: 'TRIPLE_FAULT',
+    7: 'PENDING_INTERRUPT',
+    8: 'NMI_WINDOW',
+    9: 'TASK_SWITCH',
+    10: 'CPUID',
+    12: 'HLT',
+    14: 'INVLPG',
+    15: 'RDPMC',
+    16: 'RDTSC',
+    18: 'VMCALL',
+    19: 'VMCLEAR',
+    20: 'VMLAUNCH',
+    21: 'VMPTRLD',
+    22: 'VMPTRST',
+    23: 'VMREAD',
+    24: 'VMRESUME',
+    25: 'VMWRITE',
+    26: 'VMOFF',
+    27: 'VMON',
+    28: 'CR_ACCESS',
+    29: 'DR_ACCESS',
+    30: 'IO_INSTRUCTION',
+    31: 'MSR_READ',
+    32: 'MSR_WRITE',
+    33: 'INVALID_STATE',
+    36: 'MWAIT_INSTRUCTION',
+    39: 'MONITOR_INSTRUCTION',
+    40: 'PAUSE_INSTRUCTION',
+    41: 'MCE_DURING_VMENTRY',
+    43: 'TPR_BELOW_THRESHOLD',
+    44: 'APIC_ACCESS',
+    48: 'EPT_VIOLATION',
+    49: 'EPT_MISCONFIG',
+    54: 'WBINVD',
+    55: 'XSETBV',
+}
+
+svm_exit_reasons = {
+    0x000: 'READ_CR0',
+    0x003: 'READ_CR3',
+    0x004: 'READ_CR4',
+    0x008: 'READ_CR8',
+    0x010: 'WRITE_CR0',
+    0x013: 'WRITE_CR3',
+    0x014: 'WRITE_CR4',
+    0x018: 'WRITE_CR8',
+    0x020: 'READ_DR0',
+    0x021: 'READ_DR1',
+    0x022: 'READ_DR2',
+    0x023: 'READ_DR3',
+    0x024: 'READ_DR4',
+    0x025: 'READ_DR5',
+    0x026: 'READ_DR6',
+    0x027: 'READ_DR7',
+    0x030: 'WRITE_DR0',
+    0x031: 'WRITE_DR1',
+    0x032: 'WRITE_DR2',
+    0x033: 'WRITE_DR3',
+    0x034: 'WRITE_DR4',
+    0x035: 'WRITE_DR5',
+    0x036: 'WRITE_DR6',
+    0x037: 'WRITE_DR7',
+    0x040: 'EXCP_BASE',
+    0x060: 'INTR',
+    0x061: 'NMI',
+    0x062: 'SMI',
+    0x063: 'INIT',
+    0x064: 'VINTR',
+    0x065: 'CR0_SEL_WRITE',
+    0x066: 'IDTR_READ',
+    0x067: 'GDTR_READ',
+    0x068: 'LDTR_READ',
+    0x069: 'TR_READ',
+    0x06a: 'IDTR_WRITE',
+    0x06b: 'GDTR_WRITE',
+    0x06c: 'LDTR_WRITE',
+    0x06d: 'TR_WRITE',
+    0x06e: 'RDTSC',
+    0x06f: 'RDPMC',
+    0x070: 'PUSHF',
+    0x071: 'POPF',
+    0x072: 'CPUID',
+    0x073: 'RSM',
+    0x074: 'IRET',
+    0x075: 'SWINT',
+    0x076: 'INVD',
+    0x077: 'PAUSE',
+    0x078: 'HLT',
+    0x079: 'INVLPG',
+    0x07a: 'INVLPGA',
+    0x07b: 'IOIO',
+    0x07c: 'MSR',
+    0x07d: 'TASK_SWITCH',
+    0x07e: 'FERR_FREEZE',
+    0x07f: 'SHUTDOWN',
+    0x080: 'VMRUN',
+    0x081: 'VMMCALL',
+    0x082: 'VMLOAD',
+    0x083: 'VMSAVE',
+    0x084: 'STGI',
+    0x085: 'CLGI',
+    0x086: 'SKINIT',
+    0x087: 'RDTSCP',
+    0x088: 'ICEBP',
+    0x089: 'WBINVD',
+    0x08a: 'MONITOR',
+    0x08b: 'MWAIT',
+    0x08c: 'MWAIT_COND',
+    0x400: 'NPF',
+}
+
+vendor_exit_reasons = {
+    'vmx': vmx_exit_reasons,
+    'svm': svm_exit_reasons,
+}
+
+exit_reasons = None
+
+for line in file('/proc/cpuinfo').readlines():
+    if line.startswith('flags'):
+        for flag in line.split():
+            if flag in vendor_exit_reasons:
+                exit_reasons = vendor_exit_reasons[flag]
+
+filters = {
+    'kvm_exit': ('exit_reason', exit_reasons)
+}
+
+def invert(d):
+    return dict((x[1], x[0]) for x in d.iteritems())
+
+for f in filters:
+    filters[f] = (filters[f][0], invert(filters[f][1]))
+
 import ctypes, struct, array
 
 libc = ctypes.CDLL('libc.so.6')
@@ -62,6 +199,7 @@ PERF_FORMAT_TOTAL_TIME_RUNNING		= 1 << 1
 PERF_FORMAT_ID				= 1 << 2
 PERF_FORMAT_GROUP			= 1 << 3
 
+import re
 
 class TracepointProvider(object):
     def __init__(self):
@@ -69,6 +207,13 @@ class TracepointProvider(object):
         fields = [f
                   for f in os.listdir(self.base)
                   if os.path.isdir(self.base + '/' + f)]
+        extra = []
+        for f in fields:
+            if f in filters:
+                subfield, values = filters[f]
+                for name, number in values.iteritems():
+                    extra.append(f + '(' + name + ')')
+        fields += extra
         self.select(fields)
     def fields(self):
         return self._fields
@@ -80,10 +225,14 @@ class TracepointProvider(object):
         for cpu in self.cpus:
             group_leader = -1
             for f in _fields:
+                fbase, sub = f, None
+                m = re.match(r'(.*)\((.*)\)', f)
+                if m:
+                    fbase, sub = m.groups()
                 attr = perf_event_attr()
                 attr.type = PERF_TYPE_TRACEPOINT
                 attr.size = ctypes.sizeof(attr)
-                id = int(file(self.base + f + '/id').read())
+                id = int(file(self.base + fbase + '/id').read())
                 attr.config = id
                 attr.sample_type = (PERF_SAMPLE_RAW
                                     | PERF_SAMPLE_TIME
@@ -93,6 +242,11 @@ class TracepointProvider(object):
                 fd = _perf_event_open(attr, -1, cpu, group_leader, 0)
                 if fd == -1:
                     raise Exception('perf_event_open failed')
+                if sub:
+                    import fcntl
+                    filter = '%s==%d\0' % (filters[fbase][0],
+                                         filters[fbase][1][sub])
+                    fcntl.ioctl(fd, 0x40082406, filter)
                 if group_leader == -1:
                     group_leader = fd
                     fds.append(fd)
commit 7f99e80afafdc790a0f467c6c722d8b5e6270845
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Aug 31 14:08:26 2010 +0300

    kvm_stat: implement tracepoint stats provider
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index 75424fc..9b0392b 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -16,6 +16,100 @@ class DebugfsProvider(object):
             return int(file(self.base + '/' + key).read())
         return dict([(key, val(key)) for key in self._fields])
 
+import ctypes, struct, array
+
+libc = ctypes.CDLL('libc.so.6')
+syscall = libc.syscall
+class perf_event_attr(ctypes.Structure):
+    _fields_ = [('type', ctypes.c_uint32),
+                ('size', ctypes.c_uint32),
+                ('config', ctypes.c_uint64),
+                ('sample_freq', ctypes.c_uint64),
+                ('sample_type', ctypes.c_uint64),
+                ('read_format', ctypes.c_uint64),
+                ('flags', ctypes.c_uint64),
+                ('wakeup_events', ctypes.c_uint32),
+                ('bp_type', ctypes.c_uint32),
+                ('bp_addr', ctypes.c_uint64),
+                ('bp_len', ctypes.c_uint64),
+                ]
+def _perf_event_open(attr, pid, cpu, group_fd, flags):
+    return syscall(298, ctypes.pointer(attr), ctypes.c_int(pid),
+                   ctypes.c_int(cpu), ctypes.c_int(group_fd),
+                   ctypes.c_long(flags))
+
+PERF_TYPE_HARDWARE			= 0
+PERF_TYPE_SOFTWARE			= 1
+PERF_TYPE_TRACEPOINT			= 2
+PERF_TYPE_HW_CACHE			= 3
+PERF_TYPE_RAW				= 4
+PERF_TYPE_BREAKPOINT			= 5
+
+PERF_SAMPLE_IP				= 1 << 0
+PERF_SAMPLE_TID				= 1 << 1
+PERF_SAMPLE_TIME			= 1 << 2
+PERF_SAMPLE_ADDR			= 1 << 3
+PERF_SAMPLE_READ			= 1 << 4
+PERF_SAMPLE_CALLCHAIN			= 1 << 5
+PERF_SAMPLE_ID				= 1 << 6
+PERF_SAMPLE_CPU				= 1 << 7
+PERF_SAMPLE_PERIOD			= 1 << 8
+PERF_SAMPLE_STREAM_ID			= 1 << 9
+PERF_SAMPLE_RAW				= 1 << 10
+
+PERF_FORMAT_TOTAL_TIME_ENABLED		= 1 << 0
+PERF_FORMAT_TOTAL_TIME_RUNNING		= 1 << 1
+PERF_FORMAT_ID				= 1 << 2
+PERF_FORMAT_GROUP			= 1 << 3
+
+
+class TracepointProvider(object):
+    def __init__(self):
+        self.base = '/sys/kernel/debug/tracing/events/kvm/'
+        fields = [f
+                  for f in os.listdir(self.base)
+                  if os.path.isdir(self.base + '/' + f)]
+        self.select(fields)
+    def fields(self):
+        return self._fields
+    def select(self, _fields):
+        self._fields = _fields
+        self.cpus = [0, 1]
+        fds = []
+        self.group_leaders = []
+        for cpu in self.cpus:
+            group_leader = -1
+            for f in _fields:
+                attr = perf_event_attr()
+                attr.type = PERF_TYPE_TRACEPOINT
+                attr.size = ctypes.sizeof(attr)
+                id = int(file(self.base + f + '/id').read())
+                attr.config = id
+                attr.sample_type = (PERF_SAMPLE_RAW
+                                    | PERF_SAMPLE_TIME
+                                    | PERF_SAMPLE_CPU)
+                attr.sample_period = 1
+                attr.read_format = PERF_FORMAT_GROUP
+                fd = _perf_event_open(attr, -1, cpu, group_leader, 0)
+                if fd == -1:
+                    raise Exception('perf_event_open failed')
+                if group_leader == -1:
+                    group_leader = fd
+                    fds.append(fd)
+            self.group_leaders.append(group_leader)
+        self.fds = fds
+        self.files = [os.fdopen(group_leader)
+                      for group_leader in self.group_leaders]
+    def read(self):
+        ret = dict([(f, 0) for f in self._fields])
+        bytes = 8 * (1 + len(self._fields))
+        fmt = 'xxxxxxxx' + 'q' * len(self._fields)
+        for file in self.files:
+            a = struct.unpack(fmt, file.read(bytes))
+            for field, val in zip(self._fields, a):
+                ret[field] += val
+        return ret
+
 class Stats:
     def __init__(self, provider, fields = None):
         def wanted(key):
@@ -133,7 +227,12 @@ options.add_option('-f', '--fields',
                    )
 (options, args) = options.parse_args(sys.argv)
 
-stats = Stats(provider = DebugfsProvider(), fields = options.fields)
+try:
+    provider = TracepointProvider()
+except:
+    provider = DebugfsProvider()
+
+stats = Stats(provider, fields = options.fields)
 
 if options.log:
     log(stats)
commit e0f709582fe88e341438c2828a364060f020761c
Author: Avi Kivity <avi at redhat.com>
Date:   Tue Aug 31 11:35:36 2010 +0300

    kvm_stat: refactor to separate stats provider from difference engine
    
    Signed-off-by: Avi Kivity <avi at redhat.com>

diff --git a/kvm/kvm_stat b/kvm/kvm_stat
index 21aff5b..75424fc 100755
--- a/kvm/kvm_stat
+++ b/kvm/kvm_stat
@@ -3,21 +3,36 @@
 import curses
 import sys, os, time, optparse
 
+class DebugfsProvider(object):
+    def __init__(self):
+        self.base = '/sys/kernel/debug/kvm'
+        self._fields = os.listdir(self.base)
+    def fields(self):
+        return self._fields
+    def select(self, fields):
+        self._fields = fields
+    def read(self):
+        def val(key):
+            return int(file(self.base + '/' + key).read())
+        return dict([(key, val(key)) for key in self._fields])
+
 class Stats:
-    def __init__(self, fields = None):
+    def __init__(self, provider, fields = None):
         def wanted(key):
             import re
             if not fields:
                 return True
             return re.match(fields, key) != None
-        self.base = '/sys/kernel/debug/kvm'
-        self.values = {}
-        for key in os.listdir(self.base):
-            if wanted(key):
-                self.values[key] = None
+        self.provider = provider
+        self.values = dict([(key, None)
+                            for key in provider.fields()
+                            if wanted(key)])
+        self.provider.select(self.values.keys())
     def get(self):
-        for key, oldval in self.values.iteritems():
-            newval = int(file(self.base + '/' + key).read())
+        new = self.provider.read()
+        for key in self.provider.fields():
+            oldval = self.values[key]
+            newval = new[key]
             newdelta = None
             if oldval is not None:
                 newdelta = newval - oldval[0]
@@ -118,7 +133,7 @@ options.add_option('-f', '--fields',
                    )
 (options, args) = options.parse_args(sys.argv)
 
-stats = Stats(fields = options.fields)
+stats = Stats(provider = DebugfsProvider(), fields = options.fields)
 
 if options.log:
     log(stats)
commit d729bb9a7700e364b1c5f9893d61f07a9e002bce
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Jul 28 23:08:42 2010 +0000

    acpi: fix file size check with -acpitable.
    
    acpi table file can be modified during load so file size check
    should be more strict.
    pointer calculation should be after qemu_realloc(). not before realloc().
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/acpi.c b/hw/acpi.c
index c7044b1..069e05f 100644
--- a/hw/acpi.c
+++ b/hw/acpi.c
@@ -50,6 +50,8 @@ int acpi_table_add(const char *t)
     char buf[1024], *p, *f;
     struct acpi_table_header acpi_hdr;
     unsigned long val;
+    uint32_t length;
+    struct acpi_table_header *acpi_hdr_p;
     size_t off;
 
     memset(&acpi_hdr, 0, sizeof(acpi_hdr));
@@ -108,7 +110,7 @@ int acpi_table_add(const char *t)
          buf[0] = '\0';
     }
 
-    acpi_hdr.length = sizeof(acpi_hdr);
+    length = sizeof(acpi_hdr);
 
     f = buf;
     while (buf[0]) {
@@ -120,7 +122,7 @@ int acpi_table_add(const char *t)
             fprintf(stderr, "Can't stat file '%s': %s\n", f, strerror(errno));
             goto out;
         }
-        acpi_hdr.length += s.st_size;
+        length += s.st_size;
         if (!n)
             break;
         *n = ':';
@@ -131,12 +133,12 @@ int acpi_table_add(const char *t)
         acpi_tables_len = sizeof(uint16_t);
         acpi_tables = qemu_mallocz(acpi_tables_len);
     }
+    acpi_tables = qemu_realloc(acpi_tables,
+                               acpi_tables_len + sizeof(uint16_t) + length);
     p = acpi_tables + acpi_tables_len;
-    acpi_tables_len += sizeof(uint16_t) + acpi_hdr.length;
-    acpi_tables = qemu_realloc(acpi_tables, acpi_tables_len);
+    acpi_tables_len += sizeof(uint16_t) + length;
 
-    acpi_hdr.length = cpu_to_le32(acpi_hdr.length);
-    *(uint16_t*)p = acpi_hdr.length;
+    *(uint16_t*)p = cpu_to_le32(length);
     p += sizeof(uint16_t);
     memcpy(p, &acpi_hdr, sizeof(acpi_hdr));
     off = sizeof(acpi_hdr);
@@ -157,7 +159,9 @@ int acpi_table_add(const char *t)
             goto out;
         }
 
-        do {
+        /* off < length is necessary because file size can be changed
+           under our foot */
+        while(s.st_size && off < length); {
             int r;
             r = read(fd, p + off, s.st_size);
             if (r > 0) {
@@ -167,15 +171,21 @@ int acpi_table_add(const char *t)
                 close(fd);
                 goto out;
             }
-        } while(s.st_size);
+        }
 
         close(fd);
         if (!n)
             break;
         f = n + 1;
     }
+    if (off < length) {
+        /* don't pass random value in process to guest */
+        memset(p + off, 0, length - off);
+    }
 
-    ((struct acpi_table_header*)p)->checksum = acpi_checksum((uint8_t*)p, off);
+    acpi_hdr_p = (struct acpi_table_header*)p;
+    acpi_hdr_p->length = cpu_to_le32(length);
+    acpi_hdr_p->checksum = acpi_checksum((uint8_t*)p, length);
     /* increase number of tables */
     (*(uint16_t*)acpi_tables) =
 	    cpu_to_le32(le32_to_cpu(*(uint16_t*)acpi_tables) + 1);
commit 7d631a116ad8fe07001e2cc4c559a06aac82745f
Author: Miguel Di Ciurcio Filho <miguel.filho at gmail.com>
Date:   Wed Aug 4 14:55:49 2010 -0300

    savevm: Generate a name when run without one
    
    When savevm is run without a name, the name stays blank and the snapshot is
    saved anyway.
    
    The new behavior is when savevm is run without parameters a name will be
    created automaticaly, so the snapshot is accessible to the user without needing
    the id when loadvm is run.
    
    (qemu) savevm
    (qemu) info snapshots
    ID        TAG                 VM SIZE                DATE       VM CLOCK
    1         vm-20100728134640      978K 2010-07-28 13:46:40   00:00:08.603
    
    We use a name with the format 'vm-YYYYMMDDHHMMSS'.
    
    This is a first step to hide the internal id, because I don't see a reason to
    expose this kind of internals to the user.
    
    Signed-off-by: Miguel Di Ciurcio Filho <miguel.filho at gmail.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/savevm.c b/savevm.c
index d286592..4d9f822 100644
--- a/savevm.c
+++ b/savevm.c
@@ -1837,8 +1837,10 @@ void do_savevm(Monitor *mon, const QDict *qdict)
     uint32_t vm_state_size;
 #ifdef _WIN32
     struct _timeb tb;
+    struct tm *ptm;
 #else
     struct timeval tv;
+    struct tm tm;
 #endif
     const char *name = qdict_get_try_str(qdict, "name");
 
@@ -1869,15 +1871,6 @@ void do_savevm(Monitor *mon, const QDict *qdict)
     vm_stop(0);
 
     memset(sn, 0, sizeof(*sn));
-    if (name) {
-        ret = bdrv_snapshot_find(bs, old_sn, name);
-        if (ret >= 0) {
-            pstrcpy(sn->name, sizeof(sn->name), old_sn->name);
-            pstrcpy(sn->id_str, sizeof(sn->id_str), old_sn->id_str);
-        } else {
-            pstrcpy(sn->name, sizeof(sn->name), name);
-        }
-    }
 
     /* fill auxiliary fields */
 #ifdef _WIN32
@@ -1891,6 +1884,24 @@ void do_savevm(Monitor *mon, const QDict *qdict)
 #endif
     sn->vm_clock_nsec = qemu_get_clock(vm_clock);
 
+    if (name) {
+        ret = bdrv_snapshot_find(bs, old_sn, name);
+        if (ret >= 0) {
+            pstrcpy(sn->name, sizeof(sn->name), old_sn->name);
+            pstrcpy(sn->id_str, sizeof(sn->id_str), old_sn->id_str);
+        } else {
+            pstrcpy(sn->name, sizeof(sn->name), name);
+        }
+    } else {
+#ifdef _WIN32
+        ptm = localtime(&tb.time);
+        strftime(sn->name, sizeof(sn->name), "vm-%Y%m%d%H%M%S", ptm);
+#else
+        localtime_r(&tv.tv_sec, &tm);
+        strftime(sn->name, sizeof(sn->name), "vm-%Y%m%d%H%M%S", &tm);
+#endif
+    }
+
     /* Delete old snapshots of the same name */
     if (name && del_existing_snapshots(mon, name) < 0) {
         goto the_end;
commit f920991574357a9b4c560d551f1d92bb6c6a6333
Author: Miguel Di Ciurcio Filho <miguel.filho at gmail.com>
Date:   Wed Aug 4 14:55:48 2010 -0300

    monitor: make 'info snapshots' show only fully available snapshots
    
    The output generated by 'info snapshots' shows only snapshots that exist on the
    block device that saves the VM state. This output can cause an user to
    erroneously try to load an snapshot that is not available on all block devices.
    
    $ qemu-img snapshot -l xxtest.qcow2
    Snapshot list:
    ID        TAG                 VM SIZE                DATE       VM CLOCK
    1                                1.5M 2010-07-26 16:51:52   00:00:08.599
    2                                1.5M 2010-07-26 16:51:53   00:00:09.719
    3                                1.5M 2010-07-26 17:26:49   00:00:13.245
    4                                1.5M 2010-07-26 19:01:00   00:00:46.763
    
    $ qemu-img snapshot -l xxtest2.qcow2
    Snapshot list:
    ID        TAG                 VM SIZE                DATE       VM CLOCK
    3                                   0 2010-07-26 17:26:49   00:00:13.245
    4                                   0 2010-07-26 19:01:00   00:00:46.763
    
    Current output:
    $ qemu -hda xxtest.qcow2 -hdb xxtest2.qcow2 -monitor stdio -vnc :0
    QEMU 0.12.4 monitor - type 'help' for more information
    (qemu) info snapshots
    Snapshot devices: ide0-hd0
    Snapshot list (from ide0-hd0):
    ID        TAG                 VM SIZE                DATE       VM CLOCK
    1                                1.5M 2010-07-26 16:51:52   00:00:08.599
    2                                1.5M 2010-07-26 16:51:53   00:00:09.719
    3                                1.5M 2010-07-26 17:26:49   00:00:13.245
    4                                1.5M 2010-07-26 19:01:00   00:00:46.763
    
    Snapshots 1 and 2 do not exist on xxtest2.qcow, but they are displayed anyway.
    
    This patch sumarizes the output to only show fully available snapshots.
    
    New output:
    (qemu) info snapshots
    ID        TAG                 VM SIZE                DATE       VM CLOCK
    3                                1.5M 2010-07-26 17:26:49   00:00:13.245
    4                                1.5M 2010-07-26 19:01:00   00:00:46.763
    
    Signed-off-by: Miguel Di Ciurcio Filho <miguel.filho at gmail.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/savevm.c b/savevm.c
index 99e4949..d286592 100644
--- a/savevm.c
+++ b/savevm.c
@@ -2039,8 +2039,10 @@ void do_delvm(Monitor *mon, const QDict *qdict)
 void do_info_snapshots(Monitor *mon)
 {
     BlockDriverState *bs, *bs1;
-    QEMUSnapshotInfo *sn_tab, *sn;
-    int nb_sns, i;
+    QEMUSnapshotInfo *sn_tab, *sn, s, *sn_info = &s;
+    int nb_sns, i, ret, available;
+    int total;
+    int *available_snapshots;
     char buf[256];
 
     bs = bdrv_snapshots();
@@ -2048,27 +2050,52 @@ void do_info_snapshots(Monitor *mon)
         monitor_printf(mon, "No available block device supports snapshots\n");
         return;
     }
-    monitor_printf(mon, "Snapshot devices:");
-    bs1 = NULL;
-    while ((bs1 = bdrv_next(bs1))) {
-        if (bdrv_can_snapshot(bs1)) {
-            if (bs == bs1)
-                monitor_printf(mon, " %s", bdrv_get_device_name(bs1));
-        }
-    }
-    monitor_printf(mon, "\n");
 
     nb_sns = bdrv_snapshot_list(bs, &sn_tab);
     if (nb_sns < 0) {
         monitor_printf(mon, "bdrv_snapshot_list: error %d\n", nb_sns);
         return;
     }
-    monitor_printf(mon, "Snapshot list (from %s):\n",
-                   bdrv_get_device_name(bs));
-    monitor_printf(mon, "%s\n", bdrv_snapshot_dump(buf, sizeof(buf), NULL));
-    for(i = 0; i < nb_sns; i++) {
+
+    if (nb_sns == 0) {
+        monitor_printf(mon, "There is no snapshot available.\n");
+        return;
+    }
+
+    available_snapshots = qemu_mallocz(sizeof(int) * nb_sns);
+    total = 0;
+    for (i = 0; i < nb_sns; i++) {
         sn = &sn_tab[i];
-        monitor_printf(mon, "%s\n", bdrv_snapshot_dump(buf, sizeof(buf), sn));
+        available = 1;
+        bs1 = NULL;
+
+        while ((bs1 = bdrv_next(bs1))) {
+            if (bdrv_can_snapshot(bs1) && bs1 != bs) {
+                ret = bdrv_snapshot_find(bs1, sn_info, sn->id_str);
+                if (ret < 0) {
+                    available = 0;
+                    break;
+                }
+            }
+        }
+
+        if (available) {
+            available_snapshots[total] = i;
+            total++;
+        }
     }
+
+    if (total > 0) {
+        monitor_printf(mon, "%s\n", bdrv_snapshot_dump(buf, sizeof(buf), NULL));
+        for (i = 0; i < total; i++) {
+            sn = &sn_tab[available_snapshots[i]];
+            monitor_printf(mon, "%s\n", bdrv_snapshot_dump(buf, sizeof(buf), sn));
+        }
+    } else {
+        monitor_printf(mon, "There is no suitable snapshot available\n");
+    }
+
     qemu_free(sn_tab);
+    qemu_free(available_snapshots);
+
 }
commit 34cf0081294513bc734896c9051c20ca6c19c3db
Author: Andrew de Quincey <adq at lidskialf.net>
Date:   Sun Aug 8 21:04:50 2010 +0100

    posix-aio-compat: Fix async_conmtext for ioctl
    
    Set the async_context_id field when queuing an async ioctl call
    
    Signed-off-by: Andrew de Quincey <adq at lidskialf.net>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/posix-aio-compat.c b/posix-aio-compat.c
index a67ffe3..efc5968 100644
--- a/posix-aio-compat.c
+++ b/posix-aio-compat.c
@@ -599,6 +599,7 @@ BlockDriverAIOCB *paio_ioctl(BlockDriverState *bs, int fd,
     acb->aio_type = QEMU_AIO_IOCTL;
     acb->aio_fildes = fd;
     acb->ev_signo = SIGUSR2;
+    acb->async_context_id = get_async_context_id();
     acb->aio_offset = 0;
     acb->aio_ioctl_buf = buf;
     acb->aio_ioctl_cmd = req;
commit 1d45f8b542f6b80b24c44533ef0dd9e1a3b17ea5
Author: Laurent Vivier <laurent at vivier.eu>
Date:   Wed Aug 25 22:48:33 2010 +0200

    nbd: Introduce NBD named exports.
    
    This patch allows to connect Qemu using NBD protocol to an nbd-server
    using named exports.
    
    For instance, if on the host "isoserver", in /etc/nbd-server/config, you have:
    
    [generic]
    [debian-500-ppc-netinst]
            exportname = /ISO/debian-500-powerpc-netinst.iso
    [Fedora-10-ppc-netinst]
            exportname = /ISO/Fedora-10-ppc-netinst.iso
    
    You can connect to it, using:
    
        qemu -cdrom nbd:isoserver:exportname=debian-500-ppc-netinst
        qemu -cdrom nbd:isoserver:exportname=Fedora-10-ppc-netinst
    
    NOTE: you need at least nbd-server 2.9.18
    
    Signed-off-by: Laurent Vivier <laurent at vivier.eu>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/nbd.c b/block/nbd.c
index a1ec123..5e9d6cb 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -33,6 +33,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#define EN_OPTSTR ":exportname="
+
 typedef struct BDRVNBDState {
     int sock;
     off_t size;
@@ -42,55 +44,83 @@ typedef struct BDRVNBDState {
 static int nbd_open(BlockDriverState *bs, const char* filename, int flags)
 {
     BDRVNBDState *s = bs->opaque;
+    uint32_t nbdflags;
+
+    char *file;
+    char *name;
     const char *host;
     const char *unixpath;
     int sock;
     off_t size;
     size_t blocksize;
     int ret;
+    int err = -EINVAL;
+
+    file = qemu_strdup(filename);
 
-    if (!strstart(filename, "nbd:", &host))
-        return -EINVAL;
+    name = strstr(file, EN_OPTSTR);
+    if (name) {
+        if (name[strlen(EN_OPTSTR)] == 0) {
+            goto out;
+        }
+        name[0] = 0;
+        name += strlen(EN_OPTSTR);
+    }
+
+    if (!strstart(file, "nbd:", &host)) {
+        goto out;
+    }
 
     if (strstart(host, "unix:", &unixpath)) {
 
-        if (unixpath[0] != '/')
-            return -EINVAL;
+        if (unixpath[0] != '/') {
+            goto out;
+        }
 
         sock = unix_socket_outgoing(unixpath);
 
     } else {
-        uint16_t port;
+        uint16_t port = NBD_DEFAULT_PORT;
         char *p, *r;
         char hostname[128];
 
         pstrcpy(hostname, 128, host);
 
         p = strchr(hostname, ':');
-        if (p == NULL)
-            return -EINVAL;
+        if (p != NULL) {
+            *p = '\0';
+            p++;
+
+            port = strtol(p, &r, 0);
+            if (r == p) {
+                goto out;
+            }
+        } else if (name == NULL) {
+            goto out;
+        }
 
-        *p = '\0';
-        p++;
-
-        port = strtol(p, &r, 0);
-        if (r == p)
-            return -EINVAL;
         sock = tcp_socket_outgoing(hostname, port);
     }
 
-    if (sock == -1)
-        return -errno;
+    if (sock == -1) {
+        err = -errno;
+        goto out;
+    }
 
-    ret = nbd_receive_negotiate(sock, &size, &blocksize);
-    if (ret == -1)
-        return -errno;
+    ret = nbd_receive_negotiate(sock, name, &nbdflags, &size, &blocksize);
+    if (ret == -1) {
+        err = -errno;
+        goto out;
+    }
 
     s->sock = sock;
     s->size = size;
     s->blocksize = blocksize;
+    err = 0;
 
-    return 0;
+out:
+    qemu_free(file);
+    return err;
 }
 
 static int nbd_read(BlockDriverState *bs, int64_t sector_num,
diff --git a/nbd.c b/nbd.c
index a9f295f..30dec8d 100644
--- a/nbd.c
+++ b/nbd.c
@@ -62,6 +62,8 @@
 #define NBD_SET_SIZE_BLOCKS	_IO(0xab, 7)
 #define NBD_DISCONNECT          _IO(0xab, 8)
 
+#define NBD_OPT_EXPORT_NAME	(1 << 0)
+
 /* That's all folks */
 
 #define read_sync(fd, buffer, size) nbd_wr_sync(fd, buffer, size, true)
@@ -296,22 +298,27 @@ int nbd_negotiate(int csock, off_t size)
 	return 0;
 }
 
-int nbd_receive_negotiate(int csock, off_t *size, size_t *blocksize)
+int nbd_receive_negotiate(int csock, const char *name, uint32_t *flags,
+                          off_t *size, size_t *blocksize)
 {
-	char buf[8 + 8 + 8 + 128];
-	uint64_t magic;
+	char buf[256];
+	uint64_t magic, s;
+	uint16_t tmp;
 
 	TRACE("Receiving negotation.");
 
-	if (read_sync(csock, buf, sizeof(buf)) != sizeof(buf)) {
+	if (read_sync(csock, buf, 8) != 8) {
 		LOG("read failed");
 		errno = EINVAL;
 		return -1;
 	}
 
-	magic = be64_to_cpup((uint64_t*)(buf + 8));
-	*size = be64_to_cpup((uint64_t*)(buf + 16));
-	*blocksize = 1024;
+	buf[8] = '\0';
+	if (strlen(buf) == 0) {
+		LOG("server connection closed");
+		errno = EINVAL;
+		return -1;
+	}
 
 	TRACE("Magic is %c%c%c%c%c%c%c%c",
 	      qemu_isprint(buf[0]) ? buf[0] : '.',
@@ -322,8 +329,6 @@ int nbd_receive_negotiate(int csock, off_t *size, size_t *blocksize)
 	      qemu_isprint(buf[5]) ? buf[5] : '.',
 	      qemu_isprint(buf[6]) ? buf[6] : '.',
 	      qemu_isprint(buf[7]) ? buf[7] : '.');
-	TRACE("Magic is 0x%" PRIx64, magic);
-	TRACE("Size is %" PRIu64, *size);
 
 	if (memcmp(buf, "NBDMAGIC", 8) != 0) {
 		LOG("Invalid magic received");
@@ -331,10 +336,99 @@ int nbd_receive_negotiate(int csock, off_t *size, size_t *blocksize)
 		return -1;
 	}
 
-	TRACE("Checking magic");
+	if (read_sync(csock, &magic, sizeof(magic)) != sizeof(magic)) {
+		LOG("read failed");
+		errno = EINVAL;
+		return -1;
+	}
+	magic = be64_to_cpu(magic);
+	TRACE("Magic is 0x%" PRIx64, magic);
+
+	if (name) {
+		uint32_t reserved = 0;
+		uint32_t opt;
+		uint32_t namesize;
+
+		TRACE("Checking magic (opts_magic)");
+		if (magic != 0x49484156454F5054LL) {
+			LOG("Bad magic received");
+			errno = EINVAL;
+			return -1;
+		}
+		if (read_sync(csock, &tmp, sizeof(tmp)) != sizeof(tmp)) {
+			LOG("flags read failed");
+			errno = EINVAL;
+			return -1;
+		}
+		*flags = be16_to_cpu(tmp) << 16;
+		/* reserved for future use */
+		if (write_sync(csock, &reserved, sizeof(reserved)) !=
+		    sizeof(reserved)) {
+			LOG("write failed (reserved)");
+			errno = EINVAL;
+			return -1;
+		}
+		/* write the export name */
+		magic = cpu_to_be64(magic);
+		if (write_sync(csock, &magic, sizeof(magic)) != sizeof(magic)) {
+			LOG("write failed (magic)");
+			errno = EINVAL;
+			return -1;
+		}
+		opt = cpu_to_be32(NBD_OPT_EXPORT_NAME);
+		if (write_sync(csock, &opt, sizeof(opt)) != sizeof(opt)) {
+			LOG("write failed (opt)");
+			errno = EINVAL;
+			return -1;
+		}
+		namesize = cpu_to_be32(strlen(name));
+		if (write_sync(csock, &namesize, sizeof(namesize)) !=
+		    sizeof(namesize)) {
+			LOG("write failed (namesize)");
+			errno = EINVAL;
+			return -1;
+		}
+		if (write_sync(csock, (char*)name, strlen(name)) != strlen(name)) {
+			LOG("write failed (name)");
+			errno = EINVAL;
+			return -1;
+		}
+	} else {
+		TRACE("Checking magic (cli_magic)");
+
+		if (magic != 0x00420281861253LL) {
+			LOG("Bad magic received");
+			errno = EINVAL;
+			return -1;
+		}
+	}
+
+	if (read_sync(csock, &s, sizeof(s)) != sizeof(s)) {
+		LOG("read failed");
+		errno = EINVAL;
+		return -1;
+	}
+	*size = be64_to_cpu(s);
+	*blocksize = 1024;
+	TRACE("Size is %" PRIu64, *size);
 
-	if (magic != 0x00420281861253LL) {
-		LOG("Bad magic received");
+	if (!name) {
+		if (read_sync(csock, flags, sizeof(*flags)) != sizeof(*flags)) {
+			LOG("read failed (flags)");
+			errno = EINVAL;
+			return -1;
+		}
+		*flags = be32_to_cpup(flags);
+	} else {
+		if (read_sync(csock, &tmp, sizeof(tmp)) != sizeof(tmp)) {
+			LOG("read failed (tmp)");
+			errno = EINVAL;
+			return -1;
+		}
+		*flags |= be32_to_cpu(tmp);
+	}
+	if (read_sync(csock, &buf, 124) != 124) {
+		LOG("read failed (buf)");
 		errno = EINVAL;
 		return -1;
 	}
diff --git a/nbd.h b/nbd.h
index 5a1fbdf..8ff65a1 100644
--- a/nbd.h
+++ b/nbd.h
@@ -42,6 +42,8 @@ enum {
     NBD_CMD_DISC = 2
 };
 
+#define NBD_DEFAULT_PORT	10809
+
 size_t nbd_wr_sync(int fd, void *buffer, size_t size, bool do_read);
 int tcp_socket_outgoing(const char *address, uint16_t port);
 int tcp_socket_incoming(const char *address, uint16_t port);
@@ -49,7 +51,8 @@ int unix_socket_outgoing(const char *path);
 int unix_socket_incoming(const char *path);
 
 int nbd_negotiate(int csock, off_t size);
-int nbd_receive_negotiate(int csock, off_t *size, size_t *blocksize);
+int nbd_receive_negotiate(int csock, const char *name, uint32_t *flags,
+                          off_t *size, size_t *blocksize);
 int nbd_init(int fd, int csock, off_t size, size_t blocksize);
 int nbd_send_request(int csock, struct nbd_request *request);
 int nbd_receive_reply(int csock, struct nbd_reply *reply);
diff --git a/qemu-doc.texi b/qemu-doc.texi
index 55a966f..d7d760f 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -620,6 +620,13 @@ qemu linux1.img -hdb nbd:unix:/tmp/my_socket
 qemu linux2.img -hdb nbd:unix:/tmp/my_socket
 @end example
 
+If the nbd-server uses named exports (since NBD 2.9.18), you must use the
+"exportname" option:
+ at example
+qemu -cdrom nbd:localhost:exportname=debian-500-ppc-netinst
+qemu -cdrom nbd:localhost:exportname=openSUSE-11.1-ppc-netinst
+ at end example
+
 @node pcsys_network
 @section Network emulation
 
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 4e607cf..41e5c5d 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -230,6 +230,7 @@ int main(int argc, char **argv)
     int nb_fds = 0;
     int max_fd;
     int persistent = 0;
+    uint32_t nbdflags;
 
     while ((ch = getopt_long(argc, argv, sopt, lopt, &opt_ind)) != -1) {
         switch (ch) {
@@ -398,7 +399,8 @@ int main(int argc, char **argv)
                 goto out;
             }
 
-            ret = nbd_receive_negotiate(sock, &size, &blocksize);
+            ret = nbd_receive_negotiate(sock, NULL, &nbdflags,
+					&size, &blocksize);
             if (ret == -1) {
                 ret = 1;
                 goto out;
commit 2aa326be0d2039f51192707bdb2fc935d0e87c21
Author: Loïc Minier <loic.minier at linaro.org>
Date:   Sun Aug 22 00:47:23 2010 +0200

    vvfat: fat_chksum(): fix access above array bounds
    
    Signed-off-by: Loïc Minier <loic.minier at linaro.org>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/vvfat.c b/block/vvfat.c
index 6d61c2e..365332a 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -512,7 +512,7 @@ static inline uint8_t fat_chksum(const direntry_t* entry)
     for(i=0;i<11;i++) {
         unsigned char c;
 
-        c = (i <= 8) ? entry->name[i] : entry->extension[i-8];
+        c = (i < 8) ? entry->name[i] : entry->extension[i-8];
         chksum=(((chksum&0xfe)>>1)|((chksum&0x01)?0x80:0)) + c;
     }
 
commit cdbae85169c384d1641aa1ae86cdeefe16285745
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Aug 17 18:58:55 2010 +0200

    qemu-img rebase: Open new backing file read-only
    
    We never write to a backing file, so opening rw is useless. It just means that
    you can't rebase on top of a file for which you don't have write permissions.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-img.c b/qemu-img.c
index e300f91..d2a978b 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1286,7 +1286,7 @@ static int img_rebase(int argc, char **argv)
         }
 
         bs_new_backing = bdrv_new("new_backing");
-        ret = bdrv_open(bs_new_backing, out_baseimg, BDRV_O_FLAGS | BDRV_O_RDWR,
+        ret = bdrv_open(bs_new_backing, out_baseimg, BDRV_O_FLAGS,
                         new_backing_drv);
         if (ret) {
             error("Could not open new backing file '%s'", out_baseimg);
commit 010cb2b314f2fa629b6b0b8f2f73c9d562fff49f
Author: Izumi Tsutsui <tsutsui at ceres.dti.ne.jp>
Date:   Sun Aug 8 18:31:04 2010 +0900

    sheepdog: remove unnecessary includes
    
    "qemu_socket.h" includes all necessary files and
    including <netinet/tcp.h> without <netinet/in.h>
    could cause errors on some systems.
    
    Signed-off-by: Izumi Tsutsui <tsutsui at ceres.dti.ne.jp>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/sheepdog.c b/block/sheepdog.c
index 81aa564..e62820a 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -8,16 +8,6 @@
  * You should have received a copy of the GNU General Public License
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  */
-#ifdef _WIN32
-#include <windows.h>
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#else
-#include <netdb.h>
-#include <netinet/tcp.h>
-
-#define closesocket(s) close(s)
-#endif
 
 #include "qemu-common.h"
 #include "qemu-error.h"
commit ee1811965fd15e0b41f8d508b951a8ab826ae3a7
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Aug 5 13:05:22 2010 +0200

    block: Fix image re-open in bdrv_commit
    
    Arguably we should re-open the backing file with the backing file format and
    not with the format of the snapshot image.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index da70f29..a5514e3 100644
--- a/block.c
+++ b/block.c
@@ -745,6 +745,7 @@ int bdrv_check(BlockDriverState *bs, BdrvCheckResult *res)
 int bdrv_commit(BlockDriverState *bs)
 {
     BlockDriver *drv = bs->drv;
+    BlockDriver *backing_drv;
     int64_t sector, total_sectors;
     int n, ro, open_flags;
     int ret = 0, rw_ret = 0;
@@ -762,7 +763,8 @@ int bdrv_commit(BlockDriverState *bs)
     if (bs->backing_hd->keep_read_only) {
         return -EACCES;
     }
-    
+
+    backing_drv = bs->backing_hd->drv;
     ro = bs->backing_hd->read_only;
     strncpy(filename, bs->backing_hd->filename, sizeof(filename));
     open_flags =  bs->backing_hd->open_flags;
@@ -772,12 +774,14 @@ int bdrv_commit(BlockDriverState *bs)
         bdrv_delete(bs->backing_hd);
         bs->backing_hd = NULL;
         bs_rw = bdrv_new("");
-        rw_ret = bdrv_open(bs_rw, filename, open_flags | BDRV_O_RDWR, drv);
+        rw_ret = bdrv_open(bs_rw, filename, open_flags | BDRV_O_RDWR,
+            backing_drv);
         if (rw_ret < 0) {
             bdrv_delete(bs_rw);
             /* try to re-open read-only */
             bs_ro = bdrv_new("");
-            ret = bdrv_open(bs_ro, filename, open_flags & ~BDRV_O_RDWR, drv);
+            ret = bdrv_open(bs_ro, filename, open_flags & ~BDRV_O_RDWR,
+                backing_drv);
             if (ret < 0) {
                 bdrv_delete(bs_ro);
                 /* drive not functional anymore */
@@ -828,7 +832,8 @@ ro_cleanup:
         bdrv_delete(bs->backing_hd);
         bs->backing_hd = NULL;
         bs_ro = bdrv_new("");
-        ret = bdrv_open(bs_ro, filename, open_flags & ~BDRV_O_RDWR, drv);
+        ret = bdrv_open(bs_ro, filename, open_flags & ~BDRV_O_RDWR,
+            backing_drv);
         if (ret < 0) {
             bdrv_delete(bs_ro);
             /* drive not functional anymore */
commit b6a4805b55b409134dc712677fdc4f6a8795e965
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Aug 3 16:57:02 2010 +0200

    virtio-blk: Fix migration of queued requests
    
    in_sg[].iovec and out_sg[].ioved are pointer to (source) host memory and
    therefore invalid after migration. When loading the device state we must
    create a new mapping on the destination host.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/virtio-blk.c b/hw/virtio-blk.c
index c3a7343..395eb9a 100644
--- a/hw/virtio-blk.c
+++ b/hw/virtio-blk.c
@@ -481,6 +481,11 @@ static int virtio_blk_load(QEMUFile *f, void *opaque, int version_id)
         qemu_get_buffer(f, (unsigned char*)&req->elem, sizeof(req->elem));
         req->next = s->rq;
         s->rq = req;
+
+        virtqueue_map_sg(req->elem.in_sg, req->elem.in_addr,
+            req->elem.in_num, 1);
+        virtqueue_map_sg(req->elem.out_sg, req->elem.out_addr,
+            req->elem.out_num, 0);
     }
 
     return 0;
commit 42fb2e0720511fa1da2f8e751be393f851b71d80
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Aug 3 16:54:38 2010 +0200

    virtio: Factor virtqueue_map_sg out
    
    Separate the mapping of requests to host memory from the descriptor iteration.
    The next patch will make use of it in a different context.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index 4475bb3..85312b3 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -360,11 +360,26 @@ int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
     return 0;
 }
 
+void virtqueue_map_sg(struct iovec *sg, target_phys_addr_t *addr,
+    size_t num_sg, int is_write)
+{
+    unsigned int i;
+    target_phys_addr_t len;
+
+    for (i = 0; i < num_sg; i++) {
+        len = sg[i].iov_len;
+        sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
+        if (sg[i].iov_base == NULL || len != sg[i].iov_len) {
+            fprintf(stderr, "virtio: trying to map MMIO memory\n");
+            exit(1);
+        }
+    }
+}
+
 int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 {
     unsigned int i, head, max;
     target_phys_addr_t desc_pa = vq->vring.desc;
-    target_phys_addr_t len;
 
     if (!virtqueue_num_heads(vq, vq->last_avail_idx))
         return 0;
@@ -388,28 +403,19 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
         i = 0;
     }
 
+    /* Collect all the descriptors */
     do {
         struct iovec *sg;
-        int is_write = 0;
 
         if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) {
             elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i);
             sg = &elem->in_sg[elem->in_num++];
-            is_write = 1;
-        } else
+        } else {
+            elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i);
             sg = &elem->out_sg[elem->out_num++];
+        }
 
-        /* Grab the first descriptor, and check it's OK. */
         sg->iov_len = vring_desc_len(desc_pa, i);
-        len = sg->iov_len;
-
-        sg->iov_base = cpu_physical_memory_map(vring_desc_addr(desc_pa, i),
-                                               &len, is_write);
-
-        if (sg->iov_base == NULL || len != sg->iov_len) {
-            fprintf(stderr, "virtio: trying to map MMIO memory\n");
-            exit(1);
-        }
 
         /* If we've got too many, that implies a descriptor loop. */
         if ((elem->in_num + elem->out_num) > max) {
@@ -418,6 +424,10 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
         }
     } while ((i = virtqueue_next_desc(desc_pa, i, max)) != max);
 
+    /* Now map what we have collected */
+    virtqueue_map_sg(elem->in_sg, elem->in_addr, elem->in_num, 1);
+    virtqueue_map_sg(elem->out_sg, elem->out_addr, elem->out_num, 0);
+
     elem->index = head;
 
     vq->inuse++;
diff --git a/hw/virtio.h b/hw/virtio.h
index 5836ab6..1deeb2c 100644
--- a/hw/virtio.h
+++ b/hw/virtio.h
@@ -81,6 +81,7 @@ typedef struct VirtQueueElement
     unsigned int out_num;
     unsigned int in_num;
     target_phys_addr_t in_addr[VIRTQUEUE_MAX_SIZE];
+    target_phys_addr_t out_addr[VIRTQUEUE_MAX_SIZE];
     struct iovec in_sg[VIRTQUEUE_MAX_SIZE];
     struct iovec out_sg[VIRTQUEUE_MAX_SIZE];
 } VirtQueueElement;
@@ -142,6 +143,8 @@ void virtqueue_flush(VirtQueue *vq, unsigned int count);
 void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
                     unsigned int len, unsigned int idx);
 
+void virtqueue_map_sg(struct iovec *sg, target_phys_addr_t *addr,
+    size_t num_sg, int is_write);
 int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem);
 int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes);
 
commit 02a89b219039621c940863aa5a9da4fec81a1546
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Wed Aug 4 17:43:20 2010 +0900

    isapc: fix segfault.
    
    https://bugs.launchpad.net/bugs/611646
    reports that ./i386-softmmu/qemu -M isapc segfaults.
    This patch fixes the segfault introduced by
    f885f1eaa8711c06033ceb1599e3750fb37c306f
    
    It's because i440fx_state in pc_init1() isn't initialized.
    
    > Core was generated by `./i386-softmmu/qemu -M isapc'.
    > Program terminated with signal 11, Segmentation fault.
    > [New process 19686]
    >     at qemu/hw/piix_pci.c:136
    > (gdb) where
    >     at qemu/hw/piix_pci.c:136
    >     boot_device=0x7fffe1f5b040 "cad", kernel_filename=0x0,
    >     kernel_cmdline=0x6469bf "", initrd_filename=0x0,
    >     cpu_model=0x654d10 "486", pci_enabled=0)
    >     at qemu/hw/pc_piix.c:178
    >     boot_device=0x7fffe1f5b040 "cad", kernel_filename=0x0,
    >     kernel_cmdline=0x6469bf "", initrd_filename=0x0, cpu_model=0x654d10 "486")
    >     at qemu/hw/pc_piix.c:207
    >     envp=0x7fffe1f5b188)
    >     at qemu/vl.c:2871
    
    Signed-off-by: Markus Armbruster <armbru at redhat.com>
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index 32a1057..12359a7 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -104,6 +104,7 @@ static void pc_init1(ram_addr_t ram_size,
         pci_bus = i440fx_init(&i440fx_state, &piix3_devfn, isa_irq, ram_size);
     } else {
         pci_bus = NULL;
+        i440fx_state = NULL;
         isa_bus_new(NULL);
     }
     isa_bus_irqs(isa_irq);
commit 95c318f5e1f88d7e5bcc6deac17330fd4806a2d3
Author: Gleb Natapov <gleb at redhat.com>
Date:   Thu Jul 29 10:41:45 2010 +0300

    Fix segfault in mmio subpage handling code.
    
    It is possible that subpage mmio is registered over existing memory
    page. When this happens "memory" will have real memory address and not
    index into io_mem array so next access to the page will generate
    segfault. It is uncommon to have some part of a page to be accessed as
    memory and some as mmio, but qemu shouldn't crash even when guest does
    stupid things. So lets just pretend that the rest of the page is
    unassigned if guest configure part of the memory page as mmio.
    
    Signed-off-by: Gleb Natapov <gleb at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/exec.c b/exec.c
index 82bfffc..380dab5 100644
--- a/exec.c
+++ b/exec.c
@@ -3293,6 +3293,8 @@ static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
     printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__,
            mmio, start, end, idx, eidx, memory);
 #endif
+    if ((memory & ~TARGET_PAGE_MASK) == IO_MEM_RAM)
+        memory = IO_MEM_UNASSIGNED;
     memory = (memory >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
     for (; idx <= eidx; idx++) {
         mmio->sub_io_index[idx] = memory;
commit 51a92333f8eb6d0fe685544f20ad56fc9af702f5
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Jul 13 13:01:41 2010 +0900

    pci_bridge: clean up: remove pci_{register, unregister}_secondary_bus()
    
    Remove pci_{register, unregister}_secondary_bus() by open code.
    They are old stype API and aren't used any more by others. So eliminate it.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 63052fe..2f13c7d 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -37,26 +37,6 @@ PCIDevice *pci_bridge_get_device(PCIBus *bus)
     return bus->parent_dev;
 }
 
-static void pci_register_secondary_bus(PCIBus *parent,
-                                       PCIBus *bus,
-                                       PCIDevice *dev,
-                                       pci_map_irq_fn map_irq,
-                                       const char *name)
-{
-    qbus_create_inplace(&bus->qbus, &pci_bus_info, &dev->qdev, name);
-    bus->map_irq = map_irq;
-    bus->parent_dev = dev;
-
-    QLIST_INIT(&bus->child);
-    QLIST_INSERT_HEAD(&parent->child, bus, sibling);
-}
-
-static void pci_unregister_secondary_bus(PCIBus *bus)
-{
-    assert(QLIST_EMPTY(&bus->child));
-    QLIST_REMOVE(bus, sibling);
-}
-
 static uint32_t pci_config_get_io_base(PCIDevice *d,
                                        uint32_t base, uint32_t base_upper16)
 {
@@ -163,7 +143,8 @@ static int pci_bridge_initfn(PCIDevice *dev)
 static int pci_bridge_exitfn(PCIDevice *pci_dev)
 {
     PCIBridge *s = DO_UPCAST(PCIBridge, dev, pci_dev);
-    pci_unregister_secondary_bus(&s->sec_bus);
+    assert(QLIST_EMPTY(&s->sec_bus.child));
+    QLIST_REMOVE(&s->sec_bus, sibling);
     return 0;
 }
 
@@ -173,6 +154,7 @@ PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
 {
     PCIDevice *dev;
     PCIBridge *s;
+    PCIBus *sec_bus;
 
     dev = pci_create_multifunction(bus, devfn, multifunction, "pci-bridge");
     qdev_prop_set_uint32(&dev->qdev, "vendorid", vid);
@@ -180,7 +162,13 @@ PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
     qdev_init_nofail(&dev->qdev);
 
     s = DO_UPCAST(PCIBridge, dev, dev);
-    pci_register_secondary_bus(bus, &s->sec_bus, &s->dev, map_irq, name);
+    sec_bus = &s->sec_bus;
+    qbus_create_inplace(&sec_bus->qbus, &pci_bus_info, &dev->qdev, name);
+    sec_bus->parent_dev = dev;
+    sec_bus->map_irq = map_irq;
+
+    QLIST_INIT(&sec_bus->child);
+    QLIST_INSERT_HEAD(&bus->child, sec_bus, sibling);
     return &s->sec_bus;
 }
 
commit 7e98e3af4e7454d53707b7b4d16b6e9bd5c21334
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Jul 13 13:01:40 2010 +0900

    pci_bridge: rename PCIBridge::bus -> PCIBridge::sec_bus.
    
    To avoid confusion of primary bus with secondary bus,
    rename PCIBridge::bus to PCIBridge::sec_bus.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
index 7f27870..63052fe 100644
--- a/hw/pci_bridge.c
+++ b/hw/pci_bridge.c
@@ -138,8 +138,7 @@ static void pci_bridge_write_config(PCIDevice *d,
            io base/limit upper 16 */
         ranges_overlap(address, len, PCI_MEMORY_BASE, 20)) {
         PCIBridge *s = container_of(d, PCIBridge, dev);
-        PCIBus *secondary_bus = &s->bus;
-        pci_bridge_update_mappings(secondary_bus);
+        pci_bridge_update_mappings(&s->sec_bus);
     }
 }
 
@@ -164,8 +163,7 @@ static int pci_bridge_initfn(PCIDevice *dev)
 static int pci_bridge_exitfn(PCIDevice *pci_dev)
 {
     PCIBridge *s = DO_UPCAST(PCIBridge, dev, pci_dev);
-    PCIBus *bus = &s->bus;
-    pci_unregister_secondary_bus(bus);
+    pci_unregister_secondary_bus(&s->sec_bus);
     return 0;
 }
 
@@ -182,8 +180,8 @@ PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
     qdev_init_nofail(&dev->qdev);
 
     s = DO_UPCAST(PCIBridge, dev, dev);
-    pci_register_secondary_bus(bus, &s->bus, &s->dev, map_irq, name);
-    return &s->bus;
+    pci_register_secondary_bus(bus, &s->sec_bus, &s->dev, map_irq, name);
+    return &s->sec_bus;
 }
 
 static PCIDeviceInfo bridge_info = {
diff --git a/hw/pci_internals.h b/hw/pci_internals.h
index 8a3026b..fa844ab 100644
--- a/hw/pci_internals.h
+++ b/hw/pci_internals.h
@@ -32,7 +32,7 @@ struct PCIBus {
 
 typedef struct {
     PCIDevice dev;
-    PCIBus bus;
+    PCIBus sec_bus;
     uint32_t vid;
     uint32_t did;
 } PCIBridge;
commit 783753fd53fe513d37fbbfe6694c0c1ab9701fd1
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Tue Jul 13 13:01:39 2010 +0900

    pci/bridge: split out pci bridge code into pci_bridge.c from pci.c
    
    Move pci bridge related code into pci_bridge.c from pci.c
    for further enhancement. pci.c is big enough now, so split it out.
    No code change but exporting some accesser functions.
    
    In fact, few pci bridge functions stays in pci.c.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/Makefile.objs b/Makefile.objs
index 67f1b21..594894b 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -139,7 +139,7 @@ user-obj-y += cutils.o cache-utils.o
 hw-obj-y =
 hw-obj-y += vl.o loader.o
 hw-obj-y += virtio.o virtio-console.o
-hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o
+hw-obj-y += fw_cfg.o pci.o pci_host.o pcie_host.o pci_bridge.o
 hw-obj-y += watchdog.o
 hw-obj-$(CONFIG_ISA_MMIO) += isa_mmio.o
 hw-obj-$(CONFIG_ECC) += ecc.o
diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index 0ecac55..88ee4a9 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -29,6 +29,7 @@
 #include "sysbus.h"
 #include "pci.h"
 #include "pci_host.h"
+#include "pci_bridge.h"
 #include "rwhandler.h"
 #include "apb_pci.h"
 #include "sysemu.h"
diff --git a/hw/dec_pci.c b/hw/dec_pci.c
index ee49d5a..f7a9cdc 100644
--- a/hw/dec_pci.c
+++ b/hw/dec_pci.c
@@ -27,6 +27,7 @@
 #include "sysbus.h"
 #include "pci.h"
 #include "pci_host.h"
+#include "pci_bridge.h"
 
 /* debug DEC */
 //#define DEBUG_DEC
diff --git a/hw/pci.c b/hw/pci.c
index 9c83d74..2dc1577 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -23,6 +23,7 @@
  */
 #include "hw.h"
 #include "pci.h"
+#include "pci_bridge.h"
 #include "pci_internals.h"
 #include "monitor.h"
 #include "net.h"
@@ -272,26 +273,6 @@ PCIBus *pci_register_bus(DeviceState *parent, const char *name,
     return bus;
 }
 
-static void pci_register_secondary_bus(PCIBus *parent,
-                                       PCIBus *bus,
-                                       PCIDevice *dev,
-                                       pci_map_irq_fn map_irq,
-                                       const char *name)
-{
-    qbus_create_inplace(&bus->qbus, &pci_bus_info, &dev->qdev, name);
-    bus->map_irq = map_irq;
-    bus->parent_dev = dev;
-
-    QLIST_INIT(&bus->child);
-    QLIST_INSERT_HEAD(&parent->child, bus, sibling);
-}
-
-static void pci_unregister_secondary_bus(PCIBus *bus)
-{
-    assert(QLIST_EMPTY(&bus->child));
-    QLIST_REMOVE(bus, sibling);
-}
-
 int pci_bus_num(PCIBus *s)
 {
     if (!s->parent_dev)
@@ -799,75 +780,6 @@ void pci_register_bar(PCIDevice *pci_dev, int region_num,
     }
 }
 
-static uint32_t pci_config_get_io_base(PCIDevice *d,
-                                       uint32_t base, uint32_t base_upper16)
-{
-    uint32_t val;
-
-    val = ((uint32_t)d->config[base] & PCI_IO_RANGE_MASK) << 8;
-    if (d->config[base] & PCI_IO_RANGE_TYPE_32) {
-        val |= (uint32_t)pci_get_word(d->config + base_upper16) << 16;
-    }
-    return val;
-}
-
-static pcibus_t pci_config_get_memory_base(PCIDevice *d, uint32_t base)
-{
-    return ((pcibus_t)pci_get_word(d->config + base) & PCI_MEMORY_RANGE_MASK)
-        << 16;
-}
-
-static pcibus_t pci_config_get_pref_base(PCIDevice *d,
-                                         uint32_t base, uint32_t upper)
-{
-    pcibus_t tmp;
-    pcibus_t val;
-
-    tmp = (pcibus_t)pci_get_word(d->config + base);
-    val = (tmp & PCI_PREF_RANGE_MASK) << 16;
-    if (tmp & PCI_PREF_RANGE_TYPE_64) {
-        val |= (pcibus_t)pci_get_long(d->config + upper) << 32;
-    }
-    return val;
-}
-
-static pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type)
-{
-    pcibus_t base;
-    if (type & PCI_BASE_ADDRESS_SPACE_IO) {
-        base = pci_config_get_io_base(bridge,
-                                      PCI_IO_BASE, PCI_IO_BASE_UPPER16);
-    } else {
-        if (type & PCI_BASE_ADDRESS_MEM_PREFETCH) {
-            base = pci_config_get_pref_base(
-                bridge, PCI_PREF_MEMORY_BASE, PCI_PREF_BASE_UPPER32);
-        } else {
-            base = pci_config_get_memory_base(bridge, PCI_MEMORY_BASE);
-        }
-    }
-
-    return base;
-}
-
-static pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type)
-{
-    pcibus_t limit;
-    if (type & PCI_BASE_ADDRESS_SPACE_IO) {
-        limit = pci_config_get_io_base(bridge,
-                                      PCI_IO_LIMIT, PCI_IO_LIMIT_UPPER16);
-        limit |= 0xfff;         /* PCI bridge spec 3.2.5.6. */
-    } else {
-        if (type & PCI_BASE_ADDRESS_MEM_PREFETCH) {
-            limit = pci_config_get_pref_base(
-                bridge, PCI_PREF_MEMORY_LIMIT, PCI_PREF_LIMIT_UPPER32);
-        } else {
-            limit = pci_config_get_memory_base(bridge, PCI_MEMORY_LIMIT);
-        }
-        limit |= 0xfffff;       /* PCI bridge spec 3.2.5.{1, 8}. */
-    }
-    return limit;
-}
-
 static void pci_bridge_filter(PCIDevice *d, pcibus_t *addr, pcibus_t *size,
                               uint8_t type)
 {
@@ -1518,7 +1430,7 @@ static void pci_bridge_update_mappings_fn(PCIBus *b, PCIDevice *d)
     pci_update_mappings(d);
 }
 
-static void pci_bridge_update_mappings(PCIBus *b)
+void pci_bridge_update_mappings(PCIBus *b)
 {
     PCIBus *child;
 
@@ -1529,23 +1441,6 @@ static void pci_bridge_update_mappings(PCIBus *b)
     }
 }
 
-static void pci_bridge_write_config(PCIDevice *d,
-                             uint32_t address, uint32_t val, int len)
-{
-    pci_default_write_config(d, address, val, len);
-
-    if (/* io base/limit */
-        ranges_overlap(address, len, PCI_IO_BASE, 2) ||
-
-        /* memory base/limit, prefetchable base/limit and
-           io base/limit upper 16 */
-        ranges_overlap(address, len, PCI_MEMORY_BASE, 20)) {
-        PCIBridge *s = container_of(d, PCIBridge, dev);
-        PCIBus *secondary_bus = &s->bus;
-        pci_bridge_update_mappings(secondary_bus);
-    }
-}
-
 PCIBus *pci_find_bus(PCIBus *bus, int bus_num)
 {
     PCIBus *sec;
@@ -1589,54 +1484,6 @@ PCIDevice *pci_find_device(PCIBus *bus, int bus_num, int slot, int function)
     return bus->devices[PCI_DEVFN(slot, function)];
 }
 
-static int pci_bridge_initfn(PCIDevice *dev)
-{
-    PCIBridge *s = DO_UPCAST(PCIBridge, dev, dev);
-
-    pci_config_set_vendor_id(s->dev.config, s->vid);
-    pci_config_set_device_id(s->dev.config, s->did);
-
-    pci_set_word(dev->config + PCI_STATUS,
-                 PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
-    pci_config_set_class(dev->config, PCI_CLASS_BRIDGE_PCI);
-    dev->config[PCI_HEADER_TYPE] =
-        (dev->config[PCI_HEADER_TYPE] & PCI_HEADER_TYPE_MULTI_FUNCTION) |
-        PCI_HEADER_TYPE_BRIDGE;
-    pci_set_word(dev->config + PCI_SEC_STATUS,
-                 PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
-    return 0;
-}
-
-static int pci_bridge_exitfn(PCIDevice *pci_dev)
-{
-    PCIBridge *s = DO_UPCAST(PCIBridge, dev, pci_dev);
-    PCIBus *bus = &s->bus;
-    pci_unregister_secondary_bus(bus);
-    return 0;
-}
-
-PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
-                        uint16_t vid, uint16_t did,
-                        pci_map_irq_fn map_irq, const char *name)
-{
-    PCIDevice *dev;
-    PCIBridge *s;
-
-    dev = pci_create_multifunction(bus, devfn, multifunction, "pci-bridge");
-    qdev_prop_set_uint32(&dev->qdev, "vendorid", vid);
-    qdev_prop_set_uint32(&dev->qdev, "deviceid", did);
-    qdev_init_nofail(&dev->qdev);
-
-    s = DO_UPCAST(PCIBridge, dev, dev);
-    pci_register_secondary_bus(bus, &s->bus, &s->dev, map_irq, name);
-    return &s->bus;
-}
-
-PCIDevice *pci_bridge_get_device(PCIBus *bus)
-{
-    return bus->parent_dev;
-}
-
 static int pci_qdev_init(DeviceState *qdev, DeviceInfo *base)
 {
     PCIDevice *pci_dev = (PCIDevice *)qdev;
@@ -1942,23 +1789,3 @@ static char *pcibus_get_dev_path(DeviceState *dev)
     return strdup(path);
 }
 
-static PCIDeviceInfo bridge_info = {
-    .qdev.name    = "pci-bridge",
-    .qdev.size    = sizeof(PCIBridge),
-    .init         = pci_bridge_initfn,
-    .exit         = pci_bridge_exitfn,
-    .config_write = pci_bridge_write_config,
-    .is_bridge    = 1,
-    .qdev.props   = (Property[]) {
-        DEFINE_PROP_HEX32("vendorid", PCIBridge, vid, 0),
-        DEFINE_PROP_HEX32("deviceid", PCIBridge, did, 0),
-        DEFINE_PROP_END_OF_LIST(),
-    }
-};
-
-static void pci_register_devices(void)
-{
-    pci_qdev_register(&bridge_info);
-}
-
-device_init(pci_register_devices)
diff --git a/hw/pci.h b/hw/pci.h
index 1eab7e7..c551f96 100644
--- a/hw/pci.h
+++ b/hw/pci.h
@@ -233,10 +233,7 @@ int pci_read_devaddr(Monitor *mon, const char *addr, int *domp, int *busp,
 
 void do_pci_info_print(Monitor *mon, const QObject *data);
 void do_pci_info(Monitor *mon, QObject **ret_data);
-PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
-                        uint16_t vid, uint16_t did,
-                        pci_map_irq_fn map_irq, const char *name);
-PCIDevice *pci_bridge_get_device(PCIBus *bus);
+void pci_bridge_update_mappings(PCIBus *b);
 
 static inline void
 pci_set_byte(uint8_t *config, uint8_t val)
diff --git a/hw/pci_bridge.c b/hw/pci_bridge.c
new file mode 100644
index 0000000..7f27870
--- /dev/null
+++ b/hw/pci_bridge.c
@@ -0,0 +1,208 @@
+/*
+ * QEMU PCI bus manager
+ *
+ * Copyright (c) 2004 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to dea
+
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM
+
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+/*
+ * split out from pci.c
+ * Copyright (c) 2010 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ */
+
+#include "pci_bridge.h"
+#include "pci_internals.h"
+
+PCIDevice *pci_bridge_get_device(PCIBus *bus)
+{
+    return bus->parent_dev;
+}
+
+static void pci_register_secondary_bus(PCIBus *parent,
+                                       PCIBus *bus,
+                                       PCIDevice *dev,
+                                       pci_map_irq_fn map_irq,
+                                       const char *name)
+{
+    qbus_create_inplace(&bus->qbus, &pci_bus_info, &dev->qdev, name);
+    bus->map_irq = map_irq;
+    bus->parent_dev = dev;
+
+    QLIST_INIT(&bus->child);
+    QLIST_INSERT_HEAD(&parent->child, bus, sibling);
+}
+
+static void pci_unregister_secondary_bus(PCIBus *bus)
+{
+    assert(QLIST_EMPTY(&bus->child));
+    QLIST_REMOVE(bus, sibling);
+}
+
+static uint32_t pci_config_get_io_base(PCIDevice *d,
+                                       uint32_t base, uint32_t base_upper16)
+{
+    uint32_t val;
+
+    val = ((uint32_t)d->config[base] & PCI_IO_RANGE_MASK) << 8;
+    if (d->config[base] & PCI_IO_RANGE_TYPE_32) {
+        val |= (uint32_t)pci_get_word(d->config + base_upper16) << 16;
+    }
+    return val;
+}
+
+static pcibus_t pci_config_get_memory_base(PCIDevice *d, uint32_t base)
+{
+    return ((pcibus_t)pci_get_word(d->config + base) & PCI_MEMORY_RANGE_MASK)
+        << 16;
+}
+
+static pcibus_t pci_config_get_pref_base(PCIDevice *d,
+                                         uint32_t base, uint32_t upper)
+{
+    pcibus_t tmp;
+    pcibus_t val;
+
+    tmp = (pcibus_t)pci_get_word(d->config + base);
+    val = (tmp & PCI_PREF_RANGE_MASK) << 16;
+    if (tmp & PCI_PREF_RANGE_TYPE_64) {
+        val |= (pcibus_t)pci_get_long(d->config + upper) << 32;
+    }
+    return val;
+}
+
+pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type)
+{
+    pcibus_t base;
+    if (type & PCI_BASE_ADDRESS_SPACE_IO) {
+        base = pci_config_get_io_base(bridge,
+                                      PCI_IO_BASE, PCI_IO_BASE_UPPER16);
+    } else {
+        if (type & PCI_BASE_ADDRESS_MEM_PREFETCH) {
+            base = pci_config_get_pref_base(
+                bridge, PCI_PREF_MEMORY_BASE, PCI_PREF_BASE_UPPER32);
+        } else {
+            base = pci_config_get_memory_base(bridge, PCI_MEMORY_BASE);
+        }
+    }
+
+    return base;
+}
+
+pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type)
+{
+    pcibus_t limit;
+    if (type & PCI_BASE_ADDRESS_SPACE_IO) {
+        limit = pci_config_get_io_base(bridge,
+                                      PCI_IO_LIMIT, PCI_IO_LIMIT_UPPER16);
+        limit |= 0xfff;         /* PCI bridge spec 3.2.5.6. */
+    } else {
+        if (type & PCI_BASE_ADDRESS_MEM_PREFETCH) {
+            limit = pci_config_get_pref_base(
+                bridge, PCI_PREF_MEMORY_LIMIT, PCI_PREF_LIMIT_UPPER32);
+        } else {
+            limit = pci_config_get_memory_base(bridge, PCI_MEMORY_LIMIT);
+        }
+        limit |= 0xfffff;       /* PCI bridge spec 3.2.5.{1, 8}. */
+    }
+    return limit;
+}
+
+static void pci_bridge_write_config(PCIDevice *d,
+                             uint32_t address, uint32_t val, int len)
+{
+    pci_default_write_config(d, address, val, len);
+
+    if (/* io base/limit */
+        ranges_overlap(address, len, PCI_IO_BASE, 2) ||
+
+        /* memory base/limit, prefetchable base/limit and
+           io base/limit upper 16 */
+        ranges_overlap(address, len, PCI_MEMORY_BASE, 20)) {
+        PCIBridge *s = container_of(d, PCIBridge, dev);
+        PCIBus *secondary_bus = &s->bus;
+        pci_bridge_update_mappings(secondary_bus);
+    }
+}
+
+static int pci_bridge_initfn(PCIDevice *dev)
+{
+    PCIBridge *s = DO_UPCAST(PCIBridge, dev, dev);
+
+    pci_config_set_vendor_id(s->dev.config, s->vid);
+    pci_config_set_device_id(s->dev.config, s->did);
+
+    pci_set_word(dev->config + PCI_STATUS,
+                 PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
+    pci_config_set_class(dev->config, PCI_CLASS_BRIDGE_PCI);
+    dev->config[PCI_HEADER_TYPE] =
+        (dev->config[PCI_HEADER_TYPE] & PCI_HEADER_TYPE_MULTI_FUNCTION) |
+        PCI_HEADER_TYPE_BRIDGE;
+    pci_set_word(dev->config + PCI_SEC_STATUS,
+                 PCI_STATUS_66MHZ | PCI_STATUS_FAST_BACK);
+    return 0;
+}
+
+static int pci_bridge_exitfn(PCIDevice *pci_dev)
+{
+    PCIBridge *s = DO_UPCAST(PCIBridge, dev, pci_dev);
+    PCIBus *bus = &s->bus;
+    pci_unregister_secondary_bus(bus);
+    return 0;
+}
+
+PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
+                        uint16_t vid, uint16_t did,
+                        pci_map_irq_fn map_irq, const char *name)
+{
+    PCIDevice *dev;
+    PCIBridge *s;
+
+    dev = pci_create_multifunction(bus, devfn, multifunction, "pci-bridge");
+    qdev_prop_set_uint32(&dev->qdev, "vendorid", vid);
+    qdev_prop_set_uint32(&dev->qdev, "deviceid", did);
+    qdev_init_nofail(&dev->qdev);
+
+    s = DO_UPCAST(PCIBridge, dev, dev);
+    pci_register_secondary_bus(bus, &s->bus, &s->dev, map_irq, name);
+    return &s->bus;
+}
+
+static PCIDeviceInfo bridge_info = {
+    .qdev.name    = "pci-bridge",
+    .qdev.size    = sizeof(PCIBridge),
+    .init         = pci_bridge_initfn,
+    .exit         = pci_bridge_exitfn,
+    .config_write = pci_bridge_write_config,
+    .is_bridge    = 1,
+    .qdev.props   = (Property[]) {
+        DEFINE_PROP_HEX32("vendorid", PCIBridge, vid, 0),
+        DEFINE_PROP_HEX32("deviceid", PCIBridge, did, 0),
+        DEFINE_PROP_END_OF_LIST(),
+    }
+};
+
+static void pci_register_devices(void)
+{
+    pci_qdev_register(&bridge_info);
+}
+
+device_init(pci_register_devices)
diff --git a/hw/pci_bridge.h b/hw/pci_bridge.h
new file mode 100644
index 0000000..ddb2c82
--- /dev/null
+++ b/hw/pci_bridge.h
@@ -0,0 +1,48 @@
+/*
+ * QEMU PCI bridge
+ *
+ * Copyright (c) 2004 Fabrice Bellard
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ * split out pci bus specific stuff from pci.[hc] to pci_bridge.[hc]
+ * Copyright (c) 2009 Isaku Yamahata <yamahata at valinux co jp>
+ *                    VA Linux Systems Japan K.K.
+ *
+ */
+
+#ifndef QEMU_PCI_BRIDGE_H
+#define QEMU_PCI_BRIDGE_H
+
+#include "pci.h"
+
+PCIDevice *pci_bridge_get_device(PCIBus *bus);
+
+pcibus_t pci_bridge_get_base(PCIDevice *bridge, uint8_t type);
+pcibus_t pci_bridge_get_limit(PCIDevice *bridge, uint8_t type);
+
+PCIBus *pci_bridge_init(PCIBus *bus, int devfn, bool multifunction,
+                        uint16_t vid, uint16_t did,
+                        pci_map_irq_fn map_irq, const char *name);
+
+#endif  /* QEMU_PCI_BRIDGE_H */
+/*
+ * Local variables:
+ *  c-indent-level: 4
+ *  c-basic-offset: 4
+ *  tab-width: 8
+ *  indent-tab-mode: nil
+ * End:
+ */
commit cfb0a50a06825a0bee349cae3fa94f96242e83a5
Author: Isaku Yamahata <yamahata at valinux.co.jp>
Date:   Mon Jul 12 19:36:40 2010 +0900

    pci: move out pci internal structures, PCIBus, PCIBridge, and pci_bus_info.
    
    move out pci internal structures, PCIBus, PCIBridge and pci_bus_info into
    private header file, pci_internals.h.
    This is a preparation. Later pci bridge implementation will be
    split out form pci.c into pci_bridge.c.
    
    Signed-off-by: Isaku Yamahata <yamahata at valinux.co.jp>
    Signed-off-by: Michael S. Tsirkin <mst at redhat.com>

diff --git a/hw/pci.c b/hw/pci.c
index a98d6f3..9c83d74 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -23,6 +23,7 @@
  */
 #include "hw.h"
 #include "pci.h"
+#include "pci_internals.h"
 #include "monitor.h"
 #include "net.h"
 #include "sysemu.h"
@@ -36,31 +37,10 @@
 # define PCI_DPRINTF(format, ...)       do { } while (0)
 #endif
 
-struct PCIBus {
-    BusState qbus;
-    int devfn_min;
-    pci_set_irq_fn set_irq;
-    pci_map_irq_fn map_irq;
-    pci_hotplug_fn hotplug;
-    DeviceState *hotplug_qdev;
-    void *irq_opaque;
-    PCIDevice *devices[256];
-    PCIDevice *parent_dev;
-    target_phys_addr_t mem_base;
-
-    QLIST_HEAD(, PCIBus) child; /* this will be replaced by qdev later */
-    QLIST_ENTRY(PCIBus) sibling;/* this will be replaced by qdev later */
-
-    /* The bus IRQ state is the logical OR of the connected devices.
-       Keep a count of the number of devices with raised IRQs.  */
-    int nirq;
-    int *irq_count;
-};
-
 static void pcibus_dev_print(Monitor *mon, DeviceState *dev, int indent);
 static char *pcibus_get_dev_path(DeviceState *dev);
 
-static struct BusInfo pci_bus_info = {
+struct BusInfo pci_bus_info = {
     .name       = "PCI",
     .size       = sizeof(PCIBus),
     .print_dev  = pcibus_dev_print,
@@ -1533,14 +1513,6 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, const char *default_model,
     return res;
 }
 
-typedef struct {
-    PCIDevice dev;
-    PCIBus bus;
-    uint32_t vid;
-    uint32_t did;
-} PCIBridge;
-
-
 static void pci_bridge_update_mappings_fn(PCIBus *b, PCIDevice *d)
 {
     pci_update_mappings(d);
diff --git a/hw/pci_internals.h b/hw/pci_internals.h
new file mode 100644
index 0000000..8a3026b
--- /dev/null
+++ b/hw/pci_internals.h
@@ -0,0 +1,40 @@
+#ifndef QEMU_PCI_INTERNALS_H
+#define QEMU_PCI_INTERNALS_H
+
+/*
+ * This header files is private to pci.c and pci_bridge.c
+ * So following structures are opaque to others and shouldn't be
+ * accessed.
+ */
+
+extern struct BusInfo pci_bus_info;
+
+struct PCIBus {
+    BusState qbus;
+    int devfn_min;
+    pci_set_irq_fn set_irq;
+    pci_map_irq_fn map_irq;
+    pci_hotplug_fn hotplug;
+    DeviceState *hotplug_qdev;
+    void *irq_opaque;
+    PCIDevice *devices[256];
+    PCIDevice *parent_dev;
+    target_phys_addr_t mem_base;
+
+    QLIST_HEAD(, PCIBus) child; /* this will be replaced by qdev later */
+    QLIST_ENTRY(PCIBus) sibling;/* this will be replaced by qdev later */
+
+    /* The bus IRQ state is the logical OR of the connected devices.
+       Keep a count of the number of devices with raised IRQs.  */
+    int nirq;
+    int *irq_count;
+};
+
+typedef struct {
+    PCIDevice dev;
+    PCIBus bus;
+    uint32_t vid;
+    uint32_t did;
+} PCIBridge;
+
+#endif /* QEMU_PCI_INTERNALS_H */


More information about the Spice-commits mailing list