[Spice-commits] 496 commits - .gitignore CODING_STYLE MAINTAINERS Makefile Makefile.hw Makefile.objs Makefile.target QMP/qmp-events.txt aio.c arch_init.c block-migration.c block.c block.h block/blkdebug.c block/blkverify.c block/iscsi.c block/qcow.c block/qcow2.c block/qcow2.h block/qed.c block/qed.h block/raw-posix-aio.h block/rbd.c block/sheepdog.c block/stream.c block/vdi.c block/vpc.c block/vvfat.c block_int.h blockdev.c blockdev.h bt-host.c buffered_file.c compatfd.c compiler.h configure console.h coroutine-ucontext.c cpu-exec.c cpus.c cutils.c default-configs/alpha-softmmu.mak default-configs/arm-softmmu.mak default-configs/i386-softmmu.mak default-configs/mips-softmmu.mak default-configs/mips64-linux-user.mak default-configs/mips64-softmmu.mak default-configs/mips64el-linux-user.mak default-configs/mips64el-softmmu.mak default-configs/mipsel-softmmu.mak default-configs/mipsn32-linux-user.mak default-configs/mipsn32el-linux-user.mak default-configs/pci.mak default-configs/ppc- softmmu.mak default-configs/ppc64-softmmu.mak default-configs/ppcemb-softmmu.mak default-configs/sparc64-softmmu.mak default-configs/x86_64-softmmu.mak docs/live-block-ops.txt docs/writing-qmp-commands.txt event_notifier.c event_notifier.h exec-obsolete.h exec.c fsdev/file-op-9p.h fsdev/virtfs-proxy-helper.c hmp-commands.hx hmp.c hmp.h hw/9pfs hw/a15mpcore.c hw/a9mpcore.c hw/ac97.c hw/acpi.c hw/acpi_piix4.c hw/adlib.c hw/ads7846.c hw/alpha_dp264.c hw/alpha_pci.c hw/alpha_typhoon.c hw/apb_pci.c hw/apic.c hw/apic.h hw/apic_common.c hw/apic_internal.h hw/apm.c hw/applesmc.c hw/arm-misc.h hw/arm11mpcore.c hw/arm_boot.c hw/arm_gic.c hw/arm_l2x0.c hw/arm_mptimer.c hw/arm_sysctl.c hw/arm_timer.c hw/armv7m.c hw/armv7m_nvic.c hw/bitbang_i2c.c hw/boards.h hw/bonito.c hw/ccid-card-emulated.c hw/ccid-card-passthru.c hw/ccid.h hw/cirrus_vga.c hw/cirrus_vga_template.h hw/collie.c hw/container.c hw/cs4231.c hw/cs4231a.c hw/debugcon.c hw/dec_pci.c hw/ds1225y.c hw/ds1338.c hw/e1000.c hw/ecc. c hw/eccmemctl.c hw/eepro100.c hw/empty_slot.c hw/es1370.c hw/escc.c hw/esp.c hw/etraxfs_eth.c hw/etraxfs_pic.c hw/etraxfs_ser.c hw/etraxfs_timer.c hw/exynos4210.c hw/exynos4210.h hw/exynos4210_combiner.c hw/exynos4210_fimd.c hw/exynos4210_gic.c hw/exynos4210_mct.c hw/exynos4210_pmu.c hw/exynos4210_pwm.c hw/exynos4210_uart.c hw/exynos4_boards.c hw/fdc.c hw/fmopl.c hw/framebuffer.c hw/fw_cfg.c hw/g364fb.c hw/grackle_pci.c hw/grlib_apbuart.c hw/grlib_gptimer.c hw/grlib_irqmp.c hw/gt64xxx.c hw/gumstix.c hw/gus.c hw/hda-audio.c hw/hid.h hw/highbank.c hw/hpet.c hw/hpet_emul.h hw/hw.h hw/i2c.c hw/i2c.h hw/i82374.c hw/i82378.c hw/i8254.c hw/i8254.h hw/i8259.c hw/i8259_common.c hw/i8259_internal.h hw/ide hw/integratorcp.c hw/intel-hda.c hw/intel-hda.h hw/ioapic.c hw/ioapic_common.c hw/ioapic_internal.h hw/ioh3420.c hw/isa-bus.c hw/isa.h hw/ivshmem.c hw/kvm hw/kvmclock.c hw/kvmclock.h hw/lan9118.c hw/lance.c hw/leon3.c hw/lm32_juart.c hw/lm32_pic.c hw/lm32_sys.c hw/lm32_timer.c hw/lm 32_uart.c hw/lm832x.c hw/loader.c hw/lsi53c895a.c hw/m48t59.c hw/macio.c hw/mainstone.c hw/marvell_88w8618_audio.c hw/max111x.c hw/max7310.c hw/mc146818rtc.c hw/mcf5206.c hw/mcf5208.c hw/milkymist-ac97.c hw/milkymist-hpdmc.c hw/milkymist-memcard.c hw/milkymist-minimac2.c hw/milkymist-pfpu.c hw/milkymist-softusb.c hw/milkymist-sysctl.c hw/milkymist-tmu2.c hw/milkymist-uart.c hw/milkymist-vgafb.c hw/milkymist-vgafb_template.h hw/mips_fulong2e.c hw/mips_jazz.c hw/mips_malta.c hw/mips_r4k.c hw/mipsnet.c hw/mpc8544_guts.c hw/msi.c hw/msi.h hw/msix.c hw/msix.h hw/mst_fpga.c hw/musicpal.c hw/nand.c hw/ne2000-isa.c hw/ne2000.c hw/nseries.c hw/omap_dss.c hw/omap_gpio.c hw/omap_intc.c hw/onenand.c hw/opencores_eth.c hw/openpic.c hw/openpic.h hw/parallel.c hw/pc.c hw/pc.h hw/pc_piix.c hw/pci.c hw/pci.h hw/pci_bridge.c hw/pci_ids.h hw/pcie.c hw/pcie.h hw/pckbd.c hw/pcnet-pci.c hw/pcnet.c hw/pcspk.c hw/pcspk.h hw/pflash_cfi02.c hw/piix4.c hw/piix_pci.c hw/pl011.c hw/pl022.c hw/pl031.c hw /pl041.c hw/pl050.c hw/pl061.c hw/pl080.c hw/pl110.c hw/pl181.c hw/pl190.c hw/ppc440.c hw/ppc440.h hw/ppc440_bamboo.c hw/ppc4xx_pci.c hw/ppc_newworld.c hw/ppc_prep.c hw/ppce500_pci.c hw/ppce500_spin.c hw/prep_pci.c hw/prep_pci.h hw/primecell.h hw/ptimer.c hw/ptimer.h hw/pxa2xx.c hw/pxa2xx_dma.c hw/pxa2xx_gpio.c hw/pxa2xx_keypad.c hw/pxa2xx_lcd.c hw/pxa2xx_mmci.c hw/pxa2xx_pcmcia.c hw/pxa2xx_pic.c hw/pxa2xx_timer.c hw/qdev-addr.c hw/qdev-monitor.c hw/qdev-properties.c hw/qdev.c hw/qdev.h hw/qxl.c hw/realview.c hw/realview_gic.c hw/rtl8139.c hw/s390-virtio-bus.c hw/s390-virtio-bus.h hw/s390-virtio.c hw/sb16.c hw/sbi.c hw/scsi-bus.c hw/scsi-disk.c hw/scsi-generic.c hw/scsi.h hw/serial.c hw/sga.c hw/sh_pci.c hw/sh_timer.c hw/slavio_intctl.c hw/slavio_misc.c hw/slavio_timer.c hw/sm501.c hw/smbios.c hw/smbus.c hw/smbus.h hw/smbus_eeprom.c hw/smc91c111.c hw/spapr.c hw/spapr_hcall.c hw/spapr_llan.c hw/spapr_pci.c hw/spapr_rtas.c hw/spapr_vio.c hw/spapr_vio.h hw/spapr_vscsi.c hw/spap r_vty.c hw/sparc32_dma.c hw/spitz.c hw/ssd0303.c hw/ssd0323.c hw/ssi-sd.c hw/ssi.c hw/ssi.h hw/stellaris.c hw/stellaris_enet.c hw/strongarm.c hw/sun4c_intctl.c hw/sun4m.c hw/sun4m_iommu.c hw/sun4u.c hw/sysbus.c hw/sysbus.h hw/tc6393xb.c hw/tcx.c hw/tmp105.c hw/tosa.c hw/tusb6010.c hw/twl92230.c hw/unin_pci.c hw/usb-audio.c hw/usb-bt.c hw/usb-bus.c hw/usb-ccid.c hw/usb-desc.c hw/usb-desc.h hw/usb-ehci.c hw/usb-hid.c hw/usb-hub.c hw/usb-msd.c hw/usb-musb.c hw/usb-net.c hw/usb-ohci.c hw/usb-serial.c hw/usb-uhci.c hw/usb-wacom.c hw/usb-xhci.c hw/usb.c hw/usb.h hw/versatile_pci.c hw/versatilepb.c hw/vexpress.c hw/vga-isa.c hw/vga-pci.c hw/vga.c hw/vga.h hw/vga_int.h hw/vga_template.h hw/vhost.c hw/vhost_net.c hw/virtex_ml507.c hw/virtio-blk.c hw/virtio-console.c hw/virtio-net.c hw/virtio-pci.c hw/virtio-serial-bus.c hw/virtio-serial.h hw/virtio.c hw/vmmouse.c hw/vmport.c hw/vmware_vga.c hw/vmware_vga.h hw/vt82c686.c hw/wdt_i6300esb.c hw/wdt_ib700.c hw/wm8750.c hw/xen_backend.c hw /xen_disk.c hw/xen_nic.c hw/xen_platform.c hw/xgmac.c hw/xilinx_axidma.c hw/xilinx_axienet.c hw/xilinx_ethlite.c hw/xilinx_intc.c hw/xilinx_timer.c hw/xilinx_uartlite.c hw/xio3130_downstream.c hw/xio3130_upstream.c hw/z2.c hw/zaurus.c include/qemu input.c iov.c json-lexer.c kvm-all.c kvm-stub.c kvm.h libcacard/Makefile linux-headers/asm-powerpc linux-headers/asm-s390 linux-headers/asm-x86 linux-headers/linux linux-user/elfload.c linux-user/main.c linux-user/mips64 linux-user/mipsn32 linux-user/qemu.h linux-user/signal.c linux-user/strace.c linux-user/syscall.c linux-user/syscall_defs.h main-loop.c main-loop.h memory.c memory.h migration-exec.c migration-fd.c migration-tcp.c migration-unix.c migration.c module.c module.h monitor.c monitor.h net.c net.h net/checksum.c net/socket.c net/tap.c net/tap.h notify.c notify.h os-posix.c pc-bios/README pc-bios/bamboo.dtb pc-bios/bamboo.dts pc-bios/bios.bin pc-bios/optionrom pc-bios/slof.bin pflib.c posix-aio-compat.c qapi-schema.json q emu-bridge-helper.c qemu-char.c qemu-char.h qemu-common.h qemu-config.c qemu-coroutine-int.h qemu-coroutine-sleep.c qemu-coroutine.h qemu-doc.texi qemu-file.h qemu-ga.c qemu-img.c qemu-io.c qemu-nbd.c qemu-option.c qemu-option.h qemu-options.hx qemu-queue.h qemu-thread-win32.c qemu-timer.c qemu-timer.h qemu-tool.c qerror.c qerror.h qmp-commands.hx qmp.c qom/Makefile qom/container.c qom/object.c qom/qom-qobject.c roms/SLOF roms/seabios scripts/check-qerror.sh slirp/ip_icmp.c slirp/misc.c sysemu.h target-arm/cpu.h target-arm/helper.c target-arm/machine.c target-arm/translate.c target-i386/cpuid.c target-i386/hyperv.c target-i386/hyperv.h target-i386/kvm.c target-i386/translate.c target-ppc/cpu.h target-ppc/helper.c target-ppc/helper.h target-ppc/kvm.c target-ppc/op_helper.c target-ppc/translate.c target-ppc/translate_init.c target-sparc/vis_helper.c tcg/arm test-qmp-input-visitor.c tests/Makefile tests/tcg trace-events ui/sdl.c ui/spice-core.c ui/vnc.c ui/vnc.h usb-bsd.c usb-l inux.c usb-redir.c vl.c vmstate.h xen-all.c xen-mapcache.c xen-stub.c

Gerd Hoffmann kraxel at kemper.freedesktop.org
Tue Feb 21 02:53:42 PST 2012


 .gitignore                               |    4 
 CODING_STYLE                             |    3 
 MAINTAINERS                              |   50 
 Makefile                                 |   18 
 Makefile.hw                              |    2 
 Makefile.objs                            |   19 
 Makefile.target                          |   46 
 QMP/qmp-events.txt                       |   53 
 aio.c                                    |    2 
 arch_init.c                              |   38 
 block-migration.c                        |    2 
 block.c                                  |  186 +
 block.h                                  |   12 
 block/blkdebug.c                         |    4 
 block/blkverify.c                        |    4 
 block/iscsi.c                            |  139 +
 block/qcow.c                             |  104 -
 block/qcow2.c                            |  194 +-
 block/qcow2.h                            |    9 
 block/qed.c                              |  125 +
 block/qed.h                              |    7 
 block/raw-posix-aio.h                    |    2 
 block/rbd.c                              |   24 
 block/sheepdog.c                         |    6 
 block/stream.c                           |  269 ++
 block/vdi.c                              |    8 
 block/vpc.c                              |  282 ++
 block/vvfat.c                            |    3 
 block_int.h                              |   55 
 blockdev.c                               |  359 +++
 blockdev.h                               |    8 
 bt-host.c                                |    1 
 buffered_file.c                          |    2 
 compatfd.c                               |    2 
 compiler.h                               |    4 
 configure                                |   87 
 console.h                                |    3 
 coroutine-ucontext.c                     |   10 
 cpu-exec.c                               |   10 
 cpus.c                                   |    6 
 cutils.c                                 |   35 
 default-configs/alpha-softmmu.mak        |    2 
 default-configs/arm-softmmu.mak          |    1 
 default-configs/i386-softmmu.mak         |    2 
 default-configs/mips-softmmu.mak         |    2 
 default-configs/mips64-linux-user.mak    |    1 
 default-configs/mips64-softmmu.mak       |    2 
 default-configs/mips64el-linux-user.mak  |    1 
 default-configs/mips64el-softmmu.mak     |    2 
 default-configs/mipsel-softmmu.mak       |    2 
 default-configs/mipsn32-linux-user.mak   |    1 
 default-configs/mipsn32el-linux-user.mak |    1 
 default-configs/pci.mak                  |    1 
 default-configs/ppc-softmmu.mak          |    4 
 default-configs/ppc64-softmmu.mak        |    1 
 default-configs/ppcemb-softmmu.mak       |    1 
 default-configs/sparc64-softmmu.mak      |    2 
 default-configs/x86_64-softmmu.mak       |    2 
 docs/live-block-ops.txt                  |   58 
 docs/writing-qmp-commands.txt            |    2 
 event_notifier.c                         |    4 
 event_notifier.h                         |   12 
 exec-obsolete.h                          |   46 
 exec.c                                   |   30 
 fsdev/file-op-9p.h                       |   12 
 fsdev/virtfs-proxy-helper.c              |   29 
 hmp-commands.hx                          |   56 
 hmp.c                                    |  180 +
 hmp.h                                    |    9 
 hw/9pfs/cofile.c                         |   14 
 hw/9pfs/virtio-9p-device.c               |   61 
 hw/9pfs/virtio-9p-handle.c               |    4 
 hw/9pfs/virtio-9p-local.c                |  357 +++
 hw/9pfs/virtio-9p.c                      |    3 
 hw/a15mpcore.c                           |  103 +
 hw/a9mpcore.c                            |   50 
 hw/ac97.c                                |   94 
 hw/acpi.c                                |    3 
 hw/acpi_piix4.c                          |   70 
 hw/adlib.c                               |    2 
 hw/ads7846.c                             |   27 
 hw/alpha_dp264.c                         |    3 
 hw/alpha_pci.c                           |    6 
 hw/alpha_typhoon.c                       |   26 
 hw/apb_pci.c                             |   88 
 hw/apic.c                                |  369 ---
 hw/apic.h                                |    1 
 hw/apic_common.c                         |  326 +++
 hw/apic_internal.h                       |  122 +
 hw/apm.c                                 |    3 
 hw/applesmc.c                            |   38 
 hw/arm-misc.h                            |   20 
 hw/arm11mpcore.c                         |   79 
 hw/arm_boot.c                            |   92 
 hw/arm_gic.c                             |   68 
 hw/arm_l2x0.c                            |   39 
 hw/arm_mptimer.c                         |   39 
 hw/arm_sysctl.c                          |   45 
 hw/arm_timer.c                           |   59 
 hw/armv7m.c                              |   33 
 hw/armv7m_nvic.c                         |   46 
 hw/bitbang_i2c.c                         |   28 
 hw/boards.h                              |    1 
 hw/bonito.c                              |   63 
 hw/ccid-card-emulated.c                  |   52 
 hw/ccid-card-passthru.c                  |   45 
 hw/ccid.h                                |   27 
 hw/cirrus_vga.c                          |  115 -
 hw/cirrus_vga_template.h                 |  102 +
 hw/collie.c                              |    3 
 hw/container.c                           |   20 
 hw/cs4231.c                              |   35 
 hw/cs4231a.c                             |   55 
 hw/debugcon.c                            |   36 
 hw/dec_pci.c                             |   86 
 hw/ds1225y.c                             |   37 
 hw/ds1338.c                              |   41 
 hw/e1000.c                               |   61 
 hw/ecc.c                                 |    3 
 hw/eccmemctl.c                           |   37 
 hw/eepro100.c                            |  211 +-
 hw/empty_slot.c                          |   22 
 hw/es1370.c                              |   79 
 hw/escc.c                                |   51 
 hw/esp.c                                 |   35 
 hw/etraxfs_eth.c                         |   41 
 hw/etraxfs_pic.c                         |   33 
 hw/etraxfs_ser.c                         |   27 
 hw/etraxfs_timer.c                       |   22 
 hw/exynos4210.c                          |  270 ++
 hw/exynos4210.h                          |  131 +
 hw/exynos4210_combiner.c                 |  469 ++++
 hw/exynos4210_fimd.c                     | 1928 ++++++++++++++++++++
 hw/exynos4210_gic.c                      |  458 ++++
 hw/exynos4210_mct.c                      | 1488 +++++++++++++++
 hw/exynos4210_pmu.c                      |  499 +++++
 hw/exynos4210_pwm.c                      |  422 ++++
 hw/exynos4210_uart.c                     |  676 +++++++
 hw/exynos4_boards.c                      |  177 +
 hw/fdc.c                                 |  114 -
 hw/fmopl.c                               |    4 
 hw/framebuffer.c                         |   12 
 hw/fw_cfg.c                              |   41 
 hw/g364fb.c                              |   55 
 hw/grackle_pci.c                         |   53 
 hw/grlib_apbuart.c                       |  138 +
 hw/grlib_gptimer.c                       |   40 
 hw/grlib_irqmp.c                         |   37 
 hw/gt64xxx.c                             |   47 
 hw/gumstix.c                             |    3 
 hw/gus.c                                 |   63 
 hw/hda-audio.c                           |   69 
 hw/hid.h                                 |   23 
 hw/highbank.c                            |  338 +++
 hw/hpet.c                                |  109 -
 hw/hpet_emul.h                           |    3 
 hw/hw.h                                  |  893 ---------
 hw/i2c.c                                 |  116 -
 hw/i2c.h                                 |   57 
 hw/i82374.c                              |  165 +
 hw/i82378.c                              |  277 ++
 hw/i8254.c                               |  131 -
 hw/i8254.h                               |   57 
 hw/i8259.c                               |  179 -
 hw/i8259_common.c                        |  161 +
 hw/i8259_internal.h                      |   82 
 hw/ide/ahci.c                            |   60 
 hw/ide/cmd646.c                          |   48 
 hw/ide/ich.c                             |   43 
 hw/ide/internal.h                        |   20 
 hw/ide/isa.c                             |   40 
 hw/ide/pci.c                             |    6 
 hw/ide/piix.c                            |  106 -
 hw/ide/qdev.c                            |  139 -
 hw/ide/via.c                             |   36 
 hw/integratorcp.c                        |   50 
 hw/intel-hda.c                           |  109 -
 hw/intel-hda.h                           |   25 
 hw/ioapic.c                              |  153 -
 hw/ioapic_common.c                       |  120 +
 hw/ioapic_internal.h                     |  102 +
 hw/ioh3420.c                             |   67 
 hw/isa-bus.c                             |   67 
 hw/isa.h                                 |   21 
 hw/ivshmem.c                             |   58 
 hw/kvm/apic.c                            |  147 +
 hw/kvm/clock.c                           |  129 +
 hw/kvm/clock.h                           |   24 
 hw/kvm/i8259.c                           |  138 +
 hw/kvm/ioapic.c                          |  125 +
 hw/kvmclock.c                            |  118 -
 hw/kvmclock.h                            |   24 
 hw/lan9118.c                             |  291 ++-
 hw/lance.c                               |   42 
 hw/leon3.c                               |    1 
 hw/lm32_juart.c                          |   29 
 hw/lm32_pic.c                            |   27 
 hw/lm32_sys.c                            |   37 
 hw/lm32_timer.c                          |   40 
 hw/lm32_uart.c                           |   29 
 hw/lm832x.c                              |   41 
 hw/loader.c                              |    6 
 hw/lsi53c895a.c                          |   40 
 hw/m48t59.c                              |   79 
 hw/macio.c                               |   51 
 hw/mainstone.c                           |    3 
 hw/marvell_88w8618_audio.c               |   46 
 hw/max111x.c                             |   47 
 hw/max7310.c                             |   43 
 hw/mc146818rtc.c                         |  110 -
 hw/mcf5206.c                             |    1 
 hw/mcf5208.c                             |    1 
 hw/milkymist-ac97.c                      |   27 
 hw/milkymist-hpdmc.c                     |   27 
 hw/milkymist-memcard.c                   |   27 
 hw/milkymist-minimac2.c                  |   45 
 hw/milkymist-pfpu.c                      |   27 
 hw/milkymist-softusb.c                   |   51 
 hw/milkymist-sysctl.c                    |   52 
 hw/milkymist-tmu2.c                      |   27 
 hw/milkymist-uart.c                      |   29 
 hw/milkymist-vgafb.c                     |   39 
 hw/milkymist-vgafb_template.h            |    2 
 hw/mips_fulong2e.c                       |    6 
 hw/mips_jazz.c                           |    6 
 hw/mips_malta.c                          |   34 
 hw/mips_r4k.c                            |    3 
 hw/mipsnet.c                             |   41 
 hw/mpc8544_guts.c                        |   23 
 hw/msi.c                                 |    8 
 hw/msi.h                                 |    2 
 hw/msix.c                                |   12 
 hw/msix.h                                |    2 
 hw/mst_fpga.c                            |   31 
 hw/musicpal.c                            |  190 +-
 hw/nand.c                                |   44 
 hw/ne2000-isa.c                          |   38 
 hw/ne2000.c                              |   45 
 hw/nseries.c                             |    2 
 hw/omap_dss.c                            |    4 
 hw/omap_gpio.c                           |   82 
 hw/omap_intc.c                           |   74 
 hw/onenand.c                             |   43 
 hw/opencores_eth.c                       |   39 
 hw/openpic.c                             |   30 
 hw/openpic.h                             |    2 
 hw/parallel.c                            |   38 
 hw/pc.c                                  |   75 
 hw/pc.h                                  |   38 
 hw/pc_piix.c                             |   93 
 hw/pci.c                                 |  179 -
 hw/pci.h                                 |  102 -
 hw/pci_bridge.c                          |    2 
 hw/pci_ids.h                             |    4 
 hw/pcie.c                                |    2 
 hw/pcie.h                                |   11 
 hw/pckbd.c                               |   27 
 hw/pcnet-pci.c                           |   47 
 hw/pcnet.c                               |    6 
 hw/pcspk.c                               |   84 
 hw/pcspk.h                               |   45 
 hw/pflash_cfi02.c                        |    1 
 hw/piix4.c                               |   42 
 hw/piix_pci.c                            |  145 -
 hw/pl011.c                               |   44 
 hw/pl022.c                               |   21 
 hw/pl031.c                               |   31 
 hw/pl041.c                               |   42 
 hw/pl050.c                               |   46 
 hw/pl061.c                               |   46 
 hw/pl080.c                               |   50 
 hw/pl110.c                               |   73 
 hw/pl181.c                               |   29 
 hw/pl190.c                               |   29 
 hw/ppc440.c                              |  106 -
 hw/ppc440.h                              |   21 
 hw/ppc440_bamboo.c                       |  154 +
 hw/ppc4xx_pci.c                          |  148 -
 hw/ppc_newworld.c                        |    2 
 hw/ppc_prep.c                            |   82 
 hw/ppce500_pci.c                         |   51 
 hw/ppce500_spin.c                        |   23 
 hw/prep_pci.c                            |  184 +
 hw/prep_pci.h                            |   11 
 hw/primecell.h                           |    6 
 hw/ptimer.c                              |    1 
 hw/ptimer.h                              |   39 
 hw/pxa2xx.c                              |  112 -
 hw/pxa2xx_dma.c                          |   38 
 hw/pxa2xx_gpio.c                         |   38 
 hw/pxa2xx_keypad.c                       |   75 
 hw/pxa2xx_lcd.c                          |   67 
 hw/pxa2xx_mmci.c                         |    3 
 hw/pxa2xx_pcmcia.c                       |    3 
 hw/pxa2xx_pic.c                          |   28 
 hw/pxa2xx_timer.c                        |   79 
 hw/qdev-addr.c                           |   13 
 hw/qdev-monitor.c                        |  594 ++++++
 hw/qdev-properties.c                     |  560 +++--
 hw/qdev.c                                | 1119 +----------
 hw/qdev.h                                |  396 ----
 hw/qxl.c                                 |   81 
 hw/realview.c                            |   36 
 hw/realview_gic.c                        |   28 
 hw/rtl8139.c                             |   51 
 hw/s390-virtio-bus.c                     |  163 +
 hw/s390-virtio-bus.h                     |   19 
 hw/s390-virtio.c                         |    1 
 hw/sb16.c                                |  145 -
 hw/sbi.c                                 |   27 
 hw/scsi-bus.c                            |  104 -
 hw/scsi-disk.c                           |  190 +-
 hw/scsi-generic.c                        |   46 
 hw/scsi.h                                |   30 
 hw/serial.c                              |   40 
 hw/sga.c                                 |   25 
 hw/sh_pci.c                              |   45 
 hw/sh_timer.c                            |    1 
 hw/slavio_intctl.c                       |   27 
 hw/slavio_misc.c                         |   45 
 hw/slavio_timer.c                        |   38 
 hw/sm501.c                               |   11 
 hw/smbios.c                              |    2 
 hw/smbus.c                               |   85 
 hw/smbus.h                               |   40 
 hw/smbus_eeprom.c                        |   43 
 hw/smc91c111.c                           |   39 
 hw/spapr.c                               |  136 -
 hw/spapr_hcall.c                         |    5 
 hw/spapr_llan.c                          |   48 
 hw/spapr_pci.c                           |  212 --
 hw/spapr_rtas.c                          |    5 
 hw/spapr_vio.c                           |   89 
 hw/spapr_vio.h                           |   34 
 hw/spapr_vscsi.c                         |   44 
 hw/spapr_vty.c                           |   44 
 hw/sparc32_dma.c                         |   39 
 hw/spitz.c                               |  117 -
 hw/ssd0303.c                             |   41 
 hw/ssd0323.c                             |   24 
 hw/ssi-sd.c                              |   27 
 hw/ssi.c                                 |   42 
 hw/ssi.h                                 |   18 
 hw/stellaris.c                           |   75 
 hw/stellaris_enet.c                      |   35 
 hw/strongarm.c                           |  156 +
 hw/sun4c_intctl.c                        |   27 
 hw/sun4m.c                               |   97 -
 hw/sun4m_iommu.c                         |   37 
 hw/sun4u.c                               |   85 
 hw/sysbus.c                              |   50 
 hw/sysbus.h                              |   25 
 hw/tc6393xb.c                            |    3 
 hw/tcx.c                                 |   78 
 hw/tmp105.c                              |   45 
 hw/tosa.c                                |   61 
 hw/tusb6010.c                            |   25 
 hw/twl92230.c                            |   64 
 hw/unin_pci.c                            |  224 +-
 hw/usb-audio.c                           |  714 +++++++
 hw/usb-bt.c                              |   65 
 hw/usb-bus.c                             |  196 +-
 hw/usb-ccid.c                            |  152 +
 hw/usb-desc.c                            |  161 +
 hw/usb-desc.h                            |    5 
 hw/usb-ehci.c                            |  164 -
 hw/usb-hid.c                             |  133 -
 hw/usb-hub.c                             |  119 -
 hw/usb-msd.c                             |   72 
 hw/usb-musb.c                            |   17 
 hw/usb-net.c                             |   76 
 hw/usb-ohci.c                            |  162 -
 hw/usb-serial.c                          |  108 -
 hw/usb-uhci.c                            |  298 +--
 hw/usb-wacom.c                           |   52 
 hw/usb-xhci.c                            | 2934 +++++++++++++++++++++++++++++++
 hw/usb.c                                 |  371 ++-
 hw/usb.h                                 |  157 +
 hw/versatile_pci.c                       |   62 
 hw/versatilepb.c                         |   30 
 hw/vexpress.c                            |  412 +++-
 hw/vga-isa.c                             |   27 
 hw/vga-pci.c                             |   36 
 hw/vga.c                                 |  398 ++--
 hw/vga.h                                 |  159 +
 hw/vga_int.h                             |   16 
 hw/vga_template.h                        |   74 
 hw/vhost.c                               |    5 
 hw/vhost_net.c                           |    3 
 hw/virtex_ml507.c                        |    1 
 hw/virtio-blk.c                          |    8 
 hw/virtio-console.c                      |   94 
 hw/virtio-net.c                          |    2 
 hw/virtio-pci.c                          |  248 +-
 hw/virtio-serial-bus.c                   |   80 
 hw/virtio-serial.h                       |   85 
 hw/virtio.c                              |   15 
 hw/vmmouse.c                             |   41 
 hw/vmport.c                              |   25 
 hw/vmware_vga.c                          |   43 
 hw/vmware_vga.h                          |    8 
 hw/vt82c686.c                            |  146 -
 hw/wdt_i6300esb.c                        |   41 
 hw/wdt_ib700.c                           |   26 
 hw/wm8750.c                              |   45 
 hw/xen_backend.c                         |    3 
 hw/xen_disk.c                            |    3 
 hw/xen_nic.c                             |    3 
 hw/xen_platform.c                        |   42 
 hw/xgmac.c                               |  433 ++++
 hw/xilinx_axidma.c                       |   36 
 hw/xilinx_axienet.c                      |   44 
 hw/xilinx_ethlite.c                      |   39 
 hw/xilinx_intc.c                         |   33 
 hw/xilinx_timer.c                        |   36 
 hw/xilinx_uartlite.c                     |   23 
 hw/xio3130_downstream.c                  |   67 
 hw/xio3130_upstream.c                    |   61 
 hw/z2.c                                  |   63 
 hw/zaurus.c                              |   36 
 include/qemu/object.h                    |  855 +++++++++
 include/qemu/qom-qobject.h               |   42 
 input.c                                  |    8 
 iov.c                                    |    3 
 json-lexer.c                             |    1 
 kvm-all.c                                |  179 +
 kvm-stub.c                               |   10 
 kvm.h                                    |   22 
 libcacard/Makefile                       |    2 
 linux-headers/asm-powerpc/kvm.h          |   11 
 linux-headers/asm-powerpc/kvm_para.h     |   41 
 linux-headers/asm-s390/kvm.h             |    9 
 linux-headers/asm-x86/hyperv.h           |    1 
 linux-headers/asm-x86/kvm.h              |    4 
 linux-headers/linux/kvm.h                |   78 
 linux-headers/linux/kvm_para.h           |    1 
 linux-headers/linux/virtio_ring.h        |    6 
 linux-user/elfload.c                     |   15 
 linux-user/main.c                        |    7 
 linux-user/mips64/syscall.h              |    3 
 linux-user/mipsn32/syscall.h             |    3 
 linux-user/qemu.h                        |    3 
 linux-user/signal.c                      |    8 
 linux-user/strace.c                      |   19 
 linux-user/syscall.c                     |  328 +++
 linux-user/syscall_defs.h                |    6 
 main-loop.c                              |    7 
 main-loop.h                              |   12 
 memory.c                                 |   62 
 memory.h                                 |   40 
 migration-exec.c                         |    2 
 migration-fd.c                           |    2 
 migration-tcp.c                          |    2 
 migration-unix.c                         |    2 
 migration.c                              |    4 
 module.c                                 |    2 
 module.h                                 |    4 
 monitor.c                                |  192 --
 monitor.h                                |    7 
 net.c                                    |   36 
 net.h                                    |   16 
 net/checksum.c                           |    2 
 net/socket.c                             |    8 
 net/tap.c                                |  204 ++
 net/tap.h                                |    3 
 notify.c                                 |   12 
 notify.h                                 |    8 
 os-posix.c                               |    2 
 pc-bios/README                           |    2 
 pc-bios/bamboo.dtb                       |binary
 pc-bios/bamboo.dts                       |  128 -
 pc-bios/bios.bin                         |binary
 pc-bios/optionrom/Makefile               |    3 
 pc-bios/slof.bin                         |binary
 pflib.c                                  |    2 
 posix-aio-compat.c                       |    2 
 qapi-schema.json                         |  333 +++
 qemu-bridge-helper.c                     |  410 ++++
 qemu-char.c                              |   10 
 qemu-char.h                              |    2 
 qemu-common.h                            |   10 
 qemu-config.c                            |   36 
 qemu-coroutine-int.h                     |    2 
 qemu-coroutine-sleep.c                   |   38 
 qemu-coroutine.h                         |    9 
 qemu-doc.texi                            |   54 
 qemu-file.h                              |  238 ++
 qemu-ga.c                                |    2 
 qemu-img.c                               |   46 
 qemu-io.c                                |  129 +
 qemu-nbd.c                               |   42 
 qemu-option.c                            |   69 
 qemu-option.h                            |    3 
 qemu-options.hx                          |  128 +
 qemu-queue.h                             |  192 --
 qemu-thread-win32.c                      |    9 
 qemu-timer.c                             |   31 
 qemu-timer.h                             |   13 
 qemu-tool.c                              |    9 
 qerror.c                                 |  113 -
 qerror.h                                 |   90 
 qmp-commands.hx                          |   60 
 qmp.c                                    |  225 ++
 qom/Makefile                             |    1 
 qom/container.c                          |   27 
 qom/object.c                             | 1138 ++++++++++++
 qom/qom-qobject.c                        |   44 
 roms/SLOF                                |    2 
 roms/seabios                             |    2 
 scripts/check-qerror.sh                  |   22 
 slirp/ip_icmp.c                          |    5 
 slirp/misc.c                             |   67 
 sysemu.h                                 |    2 
 target-arm/cpu.h                         |    5 
 target-arm/helper.c                      |  102 -
 target-arm/machine.c                     |    2 
 target-arm/translate.c                   |    8 
 target-i386/cpuid.c                      |   14 
 target-i386/hyperv.c                     |   64 
 target-i386/hyperv.h                     |   45 
 target-i386/kvm.c                        |  127 +
 target-i386/translate.c                  |    3 
 target-ppc/cpu.h                         |   59 
 target-ppc/helper.c                      |   35 
 target-ppc/helper.h                      |    5 
 target-ppc/kvm.c                         |   10 
 target-ppc/op_helper.c                   |  159 +
 target-ppc/translate.c                   |   75 
 target-ppc/translate_init.c              |   64 
 target-sparc/vis_helper.c                |    2 
 tcg/arm/tcg-target.c                     |    2 
 test-qmp-input-visitor.c                 |    7 
 tests/Makefile                           |    2 
 tests/tcg/cris/Makefile                  |   10 
 trace-events                             |   20 
 ui/sdl.c                                 |   60 
 ui/spice-core.c                          |    5 
 ui/vnc.c                                 |  157 +
 ui/vnc.h                                 |   16 
 usb-bsd.c                                |   36 
 usb-linux.c                              |  554 +----
 usb-redir.c                              |  284 ++-
 vl.c                                     |  144 +
 vmstate.h                                |  618 ++++++
 xen-all.c                                |    5 
 xen-mapcache.c                           |    2 
 xen-stub.c                               |    2 
 547 files changed, 35198 insertions(+), 11395 deletions(-)

New commits:
commit 99c7f87826337fa81f2f0f9baa9ca0a44faf90e9
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Feb 15 09:15:37 2012 +0100

    input: send kbd+mouse events only to running guests.
    
    Trying to interact with a stopped guest will queue up the events,
    then send them all at once when the guest continues running, with
    a high chance to have them cause unwanted actions.
    
    Avoid that by only injecting the input events only when the guest
    is in running state.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/input.c b/input.c
index b618ea4..6b5c2c3 100644
--- a/input.c
+++ b/input.c
@@ -130,6 +130,9 @@ void qemu_remove_led_event_handler(QEMUPutLEDEntry *entry)
 
 void kbd_put_keycode(int keycode)
 {
+    if (!runstate_is_running()) {
+        return;
+    }
     if (qemu_put_kbd_event) {
         qemu_put_kbd_event(qemu_put_kbd_event_opaque, keycode);
     }
@@ -151,6 +154,9 @@ void kbd_mouse_event(int dx, int dy, int dz, int buttons_state)
     void *mouse_event_opaque;
     int width, height;
 
+    if (!runstate_is_running()) {
+        return;
+    }
     if (QTAILQ_EMPTY(&mouse_handlers)) {
         return;
     }
commit aa24822bdc7c4e74afbc6fa1324b01cf067da7cb
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Jan 24 16:29:29 2012 +0100

    i8259: Do not clear level-triggered lines in IRR on init
    
    When an input line is handled as level-triggered, it will immediately
    raise an IRQ on the output of a PIC again that goes through an init
    reset. So only clear the edge-triggered inputs from IRR in that
    scenario.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/i8259.c b/hw/i8259.c
index 1a4b1ab..53daf78 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -231,8 +231,8 @@ static void pic_reset(DeviceState *dev)
 {
     PICCommonState *s = DO_UPCAST(PICCommonState, dev.qdev, dev);
 
-    pic_init_reset(s);
     s->elcr = 0;
+    pic_init_reset(s);
 }
 
 static void pic_ioport_write(void *opaque, target_phys_addr_t addr64,
diff --git a/hw/i8259_common.c b/hw/i8259_common.c
index 775fda4..ab3d98b 100644
--- a/hw/i8259_common.c
+++ b/hw/i8259_common.c
@@ -28,7 +28,7 @@
 void pic_reset_common(PICCommonState *s)
 {
     s->last_irr = 0;
-    s->irr = 0;
+    s->irr &= s->elcr;
     s->imr = 0;
     s->isr = 0;
     s->priority_add = 0;
diff --git a/hw/kvm/i8259.c b/hw/kvm/i8259.c
index eb98889..94d1b9a 100644
--- a/hw/kvm/i8259.c
+++ b/hw/kvm/i8259.c
@@ -84,8 +84,8 @@ static void kvm_pic_reset(DeviceState *dev)
 {
     PICCommonState *s = DO_UPCAST(PICCommonState, dev.qdev, dev);
 
-    pic_reset_common(s);
     s->elcr = 0;
+    pic_reset_common(s);
 
     kvm_pic_put(s);
 }
commit 4aa5d2853a69d95f5e05bd02200dfc6f47cab9de
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 1 20:31:43 2012 +0100

    i8254: Factor out pit_get_channel_info
    
    Instead of providing 4 individual query functions for mode, gate, output
    and initial counter state, introduce a service that queries all
    information at once. This comes with tiny additional costs for
    pcspk_callback but with a much cleaner interface. Also, it will simplify
    the implementation of the KVM in-kernel PIT model.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/i8254.c b/hw/i8254.c
index 3d39630..f30396a 100644
--- a/hw/i8254.c
+++ b/hw/i8254.c
@@ -90,7 +90,7 @@ static int pit_get_count(PITChannelState *s)
 }
 
 /* get pit output bit */
-static int pit_get_out1(PITChannelState *s, int64_t current_time)
+static int pit_get_out(PITChannelState *s, int64_t current_time)
 {
     uint64_t d;
     int out;
@@ -122,13 +122,6 @@ static int pit_get_out1(PITChannelState *s, int64_t current_time)
     return out;
 }
 
-int pit_get_out(ISADevice *dev, int channel, int64_t current_time)
-{
-    PITState *pit = DO_UPCAST(PITState, dev, dev);
-    PITChannelState *s = &pit->channels[channel];
-    return pit_get_out1(s, current_time);
-}
-
 /* return -1 if no transition will occur.  */
 static int64_t pit_get_next_transition_time(PITChannelState *s,
                                             int64_t current_time)
@@ -215,25 +208,15 @@ void pit_set_gate(ISADevice *dev, int channel, int val)
     s->gate = val;
 }
 
-int pit_get_gate(ISADevice *dev, int channel)
-{
-    PITState *pit = DO_UPCAST(PITState, dev, dev);
-    PITChannelState *s = &pit->channels[channel];
-    return s->gate;
-}
-
-int pit_get_initial_count(ISADevice *dev, int channel)
+void pit_get_channel_info(ISADevice *dev, int channel, PITChannelInfo *info)
 {
     PITState *pit = DO_UPCAST(PITState, dev, dev);
     PITChannelState *s = &pit->channels[channel];
-    return s->count;
-}
 
-int pit_get_mode(ISADevice *dev, int channel)
-{
-    PITState *pit = DO_UPCAST(PITState, dev, dev);
-    PITChannelState *s = &pit->channels[channel];
-    return s->mode;
+    info->gate = s->gate;
+    info->mode = s->mode;
+    info->initial_count = s->count;
+    info->out = pit_get_out(s, qemu_get_clock_ns(vm_clock));
 }
 
 static inline void pit_load_count(PITChannelState *s, int val)
@@ -274,7 +257,9 @@ static void pit_ioport_write(void *opaque, uint32_t addr, uint32_t val)
                     if (!(val & 0x10) && !s->status_latched) {
                         /* status latch */
                         /* XXX: add BCD and null count */
-                        s->status =  (pit_get_out1(s, qemu_get_clock_ns(vm_clock)) << 7) |
+                        s->status =
+                            (pit_get_out(s,
+                                         qemu_get_clock_ns(vm_clock)) << 7) |
                             (s->rw_mode << 4) |
                             (s->mode << 1) |
                             s->bcd;
@@ -381,7 +366,7 @@ static void pit_irq_timer_update(PITChannelState *s, int64_t current_time)
         return;
     }
     expire_time = pit_get_next_transition_time(s, current_time);
-    irq_level = pit_get_out1(s, current_time);
+    irq_level = pit_get_out(s, current_time);
     qemu_set_irq(s->irq, irq_level);
 #ifdef DEBUG_PIT
     printf("irq_level=%d next_delay=%f\n",
diff --git a/hw/i8254.h b/hw/i8254.h
index 8ad8e07..a1d2e98 100644
--- a/hw/i8254.h
+++ b/hw/i8254.h
@@ -30,6 +30,13 @@
 
 #define PIT_FREQ 1193182
 
+typedef struct PITChannelInfo {
+    int gate;
+    int mode;
+    int initial_count;
+    int out;
+} PITChannelInfo;
+
 static inline ISADevice *pit_init(ISABus *bus, int base, int isa_irq,
                                   qemu_irq alt_irq)
 {
@@ -45,9 +52,6 @@ static inline ISADevice *pit_init(ISABus *bus, int base, int isa_irq,
 }
 
 void pit_set_gate(ISADevice *dev, int channel, int val);
-int pit_get_gate(ISADevice *dev, int channel);
-int pit_get_initial_count(ISADevice *dev, int channel);
-int pit_get_mode(ISADevice *dev, int channel);
-int pit_get_out(ISADevice *dev, int channel, int64_t current_time);
+void pit_get_channel_info(ISADevice *dev, int channel, PITChannelInfo *info);
 
 #endif /* !HW_I8254_H */
diff --git a/hw/pcspk.c b/hw/pcspk.c
index 49dd969..e430324 100644
--- a/hw/pcspk.c
+++ b/hw/pcspk.c
@@ -75,12 +75,16 @@ static inline void generate_samples(PCSpkState *s)
 static void pcspk_callback(void *opaque, int free)
 {
     PCSpkState *s = opaque;
+    PITChannelInfo ch;
     unsigned int n;
 
-    if (pit_get_mode(s->pit, 2) != 3)
+    pit_get_channel_info(s->pit, 2, &ch);
+
+    if (ch.mode != 3) {
         return;
+    }
 
-    n = pit_get_initial_count(s->pit, 2);
+    n = ch.initial_count;
     /* avoid frequencies that are not reproducible with sample rate */
     if (n < PCSPK_MIN_COUNT)
         n = 0;
@@ -121,12 +125,14 @@ static uint64_t pcspk_io_read(void *opaque, target_phys_addr_t addr,
                               unsigned size)
 {
     PCSpkState *s = opaque;
-    int out;
+    PITChannelInfo ch;
+
+    pit_get_channel_info(s->pit, 2, &ch);
 
     s->dummy_refresh_clock ^= (1 << 4);
-    out = pit_get_out(s->pit, 2, qemu_get_clock_ns(vm_clock)) << 5;
 
-    return pit_get_gate(s->pit, 2) | (s->data_on << 1) | s->dummy_refresh_clock | out;
+    return ch.gate | (s->data_on << 1) | s->dummy_refresh_clock |
+       (ch.out << 5);
 }
 
 static void pcspk_io_write(void *opaque, target_phys_addr_t addr, uint64_t val,
commit 302fe51b5900c5ca5be921269b61f4862e0634ce
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Feb 17 11:24:34 2012 +0100

    pcspk: Convert to qdev
    
    Convert the PC speaker device to a qdev ISA model. Move the public
    interface to a dedicated header file at this chance.
    
    CC: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/arch_init.c b/arch_init.c
index 699bdd1..a95ef49 100644
--- a/arch_init.c
+++ b/arch_init.c
@@ -42,6 +42,7 @@
 #include "gdbstub.h"
 #include "hw/smbios.h"
 #include "exec-memory.h"
+#include "hw/pcspk.h"
 
 #ifdef TARGET_SPARC
 int graphic_width = 1024;
diff --git a/hw/i82378.c b/hw/i82378.c
index cc41564..faad1a3 100644
--- a/hw/i82378.c
+++ b/hw/i82378.c
@@ -20,6 +20,7 @@
 #include "pci.h"
 #include "pc.h"
 #include "i8254.h"
+#include "pcspk.h"
 
 //#define DEBUG_I82378
 
@@ -195,7 +196,7 @@ static void i82378_init(DeviceState *dev, I82378State *s)
     pit = pit_init(isabus, 0x40, 0, NULL);
 
     /* speaker */
-    pcspk_init(pit);
+    pcspk_init(isabus, pit);
 
     /* 2 82C37 (dma) */
     DMA_init(1, &s->out[1]);
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index b61b218..65608dc 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -37,6 +37,7 @@
 #include "loader.h"
 #include "mc146818rtc.h"
 #include "i8254.h"
+#include "pcspk.h"
 #include "blockdev.h"
 #include "sysbus.h"
 #include "exec-memory.h"
@@ -193,7 +194,7 @@ static void mips_jazz_init(MemoryRegion *address_space,
     cpu_exit_irq = qemu_allocate_irqs(cpu_request_exit, NULL, 1);
     DMA_init(0, cpu_exit_irq);
     pit = pit_init(isa_bus, 0x40, 0, NULL);
-    pcspk_init(pit);
+    pcspk_init(isa_bus, pit);
 
     /* ISA IO space at 0x90000000 */
     isa_mmio_init(0x90000000, 0x01000000);
diff --git a/hw/pc.c b/hw/pc.c
index 8e26563..5746129 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -37,6 +37,7 @@
 #include "multiboot.h"
 #include "mc146818rtc.h"
 #include "i8254.h"
+#include "pcspk.h"
 #include "msi.h"
 #include "sysbus.h"
 #include "sysemu.h"
@@ -1172,7 +1173,7 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
         /* connect PIT to output control line of the HPET */
         qdev_connect_gpio_out(hpet, 0, qdev_get_gpio_in(&pit->qdev, 0));
     }
-    pcspk_init(pit);
+    pcspk_init(isa_bus, pit);
 
     for(i = 0; i < MAX_SERIAL_PORTS; i++) {
         if (serial_hds[i]) {
diff --git a/hw/pc.h b/hw/pc.h
index b08708d..1b47bbd 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -149,10 +149,6 @@ void piix4_smbus_register_device(SMBusDevice *dev, uint8_t addr);
 /* hpet.c */
 extern int no_hpet;
 
-/* pcspk.c */
-void pcspk_init(ISADevice *pit);
-int pcspk_audio_init(ISABus *bus);
-
 /* piix_pci.c */
 struct PCII440FXState;
 typedef struct PCII440FXState PCII440FXState;
diff --git a/hw/pcspk.c b/hw/pcspk.c
index 43df818..49dd969 100644
--- a/hw/pcspk.c
+++ b/hw/pcspk.c
@@ -28,6 +28,7 @@
 #include "audio/audio.h"
 #include "qemu-timer.h"
 #include "i8254.h"
+#include "pcspk.h"
 
 #define PCSPK_BUF_LEN 1792
 #define PCSPK_SAMPLE_RATE 32000
@@ -35,10 +36,13 @@
 #define PCSPK_MIN_COUNT ((PIT_FREQ + PCSPK_MAX_FREQ - 1) / PCSPK_MAX_FREQ)
 
 typedef struct {
+    ISADevice dev;
+    MemoryRegion ioport;
+    uint32_t iobase;
     uint8_t sample_buf[PCSPK_BUF_LEN];
     QEMUSoundCard card;
     SWVoiceOut *voice;
-    ISADevice *pit;
+    void *pit;
     unsigned int pit_count;
     unsigned int samples;
     unsigned int play_pos;
@@ -47,7 +51,7 @@ typedef struct {
 } PCSpkState;
 
 static const char *s_spk = "pcspk";
-static PCSpkState pcspk_state;
+static PCSpkState *pcspk_state;
 
 static inline void generate_samples(PCSpkState *s)
 {
@@ -99,7 +103,7 @@ static void pcspk_callback(void *opaque, int free)
 
 int pcspk_audio_init(ISABus *bus)
 {
-    PCSpkState *s = &pcspk_state;
+    PCSpkState *s = pcspk_state;
     struct audsettings as = {PCSPK_SAMPLE_RATE, 1, AUD_FMT_U8, 0};
 
     AUD_register_card(s_spk, &s->card);
@@ -113,7 +117,8 @@ int pcspk_audio_init(ISABus *bus)
     return 0;
 }
 
-static uint32_t pcspk_ioport_read(void *opaque, uint32_t addr)
+static uint64_t pcspk_io_read(void *opaque, target_phys_addr_t addr,
+                              unsigned size)
 {
     PCSpkState *s = opaque;
     int out;
@@ -124,7 +129,8 @@ static uint32_t pcspk_ioport_read(void *opaque, uint32_t addr)
     return pit_get_gate(s->pit, 2) | (s->data_on << 1) | s->dummy_refresh_clock | out;
 }
 
-static void pcspk_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+static void pcspk_io_write(void *opaque, target_phys_addr_t addr, uint64_t val,
+                           unsigned size)
 {
     PCSpkState *s = opaque;
     const int gate = val & 1;
@@ -138,11 +144,52 @@ static void pcspk_ioport_write(void *opaque, uint32_t addr, uint32_t val)
     }
 }
 
-void pcspk_init(ISADevice *pit)
+static const MemoryRegionOps pcspk_io_ops = {
+    .read = pcspk_io_read,
+    .write = pcspk_io_write,
+    .impl = {
+        .min_access_size = 1,
+        .max_access_size = 1,
+    },
+};
+
+static int pcspk_initfn(ISADevice *dev)
 {
-    PCSpkState *s = &pcspk_state;
+    PCSpkState *s = DO_UPCAST(PCSpkState, dev, dev);
+
+    memory_region_init_io(&s->ioport, &pcspk_io_ops, s, "elcr", 1);
+    isa_register_ioport(dev, &s->ioport, s->iobase);
+
+    pcspk_state = s;
+
+    return 0;
+}
+
+static Property pcspk_properties[] = {
+    DEFINE_PROP_HEX32("iobase", PCSpkState, iobase,  -1),
+    DEFINE_PROP_PTR("pit", PCSpkState, pit),
+    DEFINE_PROP_END_OF_LIST(),
+};
 
-    s->pit = pit;
-    register_ioport_read(0x61, 1, 1, pcspk_ioport_read, s);
-    register_ioport_write(0x61, 1, 1, pcspk_ioport_write, s);
+static void pcspk_class_initfn(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    ISADeviceClass *ic = ISA_DEVICE_CLASS(klass);
+
+    ic->init = pcspk_initfn;
+    dc->no_user = 1;
+    dc->props = pcspk_properties;
+}
+
+static TypeInfo pcspk_info = {
+    .name           = "isa-pcspk",
+    .parent         = TYPE_ISA_DEVICE,
+    .instance_size  = sizeof(PCSpkState),
+    .class_init     = pcspk_class_initfn,
+};
+
+static void pcspk_register(void)
+{
+    type_register_static(&pcspk_info);
 }
+type_init(pcspk_register)
diff --git a/hw/pcspk.h b/hw/pcspk.h
new file mode 100644
index 0000000..7f42bac
--- /dev/null
+++ b/hw/pcspk.h
@@ -0,0 +1,45 @@
+/*
+ * QEMU PC speaker emulation
+ *
+ * Copyright (c) 2006 Joachim Henke
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_PCSPK_H
+#define HW_PCSPK_H
+
+#include "hw.h"
+#include "isa.h"
+
+static inline ISADevice *pcspk_init(ISABus *bus, ISADevice *pit)
+{
+    ISADevice *dev;
+
+    dev = isa_create(bus, "isa-pcspk");
+    qdev_prop_set_uint32(&dev->qdev, "iobase", 0x61);
+    qdev_prop_set_ptr(&dev->qdev, "pit", pit);
+    qdev_init_nofail(&dev->qdev);
+
+    return dev;
+}
+
+int pcspk_audio_init(ISABus *bus);
+
+#endif /* !HW_PCSPK_H */
commit ce967e2f33861b0e17753f97fa4527b5943c94b6
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 1 20:31:41 2012 +0100

    i8254: Rework & fix interaction with HPET in legacy mode
    
    When the HPET enters legacy mode, the IRQ output of the PIT is
    suppressed and replaced by the HPET timer 0. But the current code to
    emulate this was broken in many ways. It reset the PIT state after
    re-enabling, it worked against a stale static PIT structure, and it did
    not properly saved/restored the IRQ output mask in the PIT vmstate.
    
    This patch solves the PIT IRQ control in a different way. On x86, it
    both redirects the PIT IRQ to the HPET, just like the RTC. But it also
    keeps the control line from the HPET to the PIT. This allows to disable
    the PIT QEMU timer when it is not needed. The PIT's view on the control
    line state is now saved in the same format that qemu-kvm is already
    using.
    
    Note that, in contrast to the suppressed RTC IRQ line, we do not need to
    save/restore the PIT line state in the HPET. As we trigger a PIT IRQ
    update via the control line, the line state is reconstructed on mode
    switch.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/hpet.c b/hw/hpet.c
index 16833fa..fd3ddca 100644
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -65,6 +65,7 @@ typedef struct HPETState {
     qemu_irq irqs[HPET_NUM_IRQ_ROUTES];
     uint32_t flags;
     uint8_t rtc_irq_level;
+    qemu_irq pit_enabled;
     uint8_t num_timers;
     HPETTimer timer[HPET_MAX_TIMERS];
 
@@ -573,12 +574,15 @@ static void hpet_ram_write(void *opaque, target_phys_addr_t addr,
                     hpet_del_timer(&s->timer[i]);
                 }
             }
-            /* i8254 and RTC are disabled when HPET is in legacy mode */
+            /* i8254 and RTC output pins are disabled
+             * when HPET is in legacy mode */
             if (activating_bit(old_val, new_val, HPET_CFG_LEGACY)) {
-                hpet_pit_disable();
+                qemu_set_irq(s->pit_enabled, 0);
+                qemu_irq_lower(s->irqs[0]);
                 qemu_irq_lower(s->irqs[RTC_ISA_IRQ]);
             } else if (deactivating_bit(old_val, new_val, HPET_CFG_LEGACY)) {
-                hpet_pit_enable();
+                qemu_irq_lower(s->irqs[0]);
+                qemu_set_irq(s->pit_enabled, 1);
                 qemu_set_irq(s->irqs[RTC_ISA_IRQ], s->rtc_irq_level);
             }
             break;
@@ -632,7 +636,6 @@ static void hpet_reset(DeviceState *d)
 {
     HPETState *s = FROM_SYSBUS(HPETState, sysbus_from_qdev(d));
     int i;
-    static int count = 0;
 
     for (i = 0; i < s->num_timers; i++) {
         HPETTimer *timer = &s->timer[i];
@@ -649,32 +652,30 @@ static void hpet_reset(DeviceState *d)
         timer->wrap_flag = 0;
     }
 
+    qemu_set_irq(s->pit_enabled, 1);
     s->hpet_counter = 0ULL;
     s->hpet_offset = 0ULL;
     s->config = 0ULL;
-    if (count > 0) {
-        /* we don't enable pit when hpet_reset is first called (by hpet_init)
-         * because hpet is taking over for pit here. On subsequent invocations,
-         * hpet_reset is called due to system reset. At this point control must
-         * be returned to pit until SW reenables hpet.
-         */
-        hpet_pit_enable();
-    }
     hpet_cfg.hpet[s->hpet_id].event_timer_block_id = (uint32_t)s->capability;
     hpet_cfg.hpet[s->hpet_id].address = sysbus_from_qdev(d)->mmio[0].addr;
-    count = 1;
 
     /* to document that the RTC lowers its output on reset as well */
     s->rtc_irq_level = 0;
 }
 
-static void hpet_handle_rtc_irq(void *opaque, int n, int level)
+static void hpet_handle_legacy_irq(void *opaque, int n, int level)
 {
     HPETState *s = FROM_SYSBUS(HPETState, opaque);
 
-    s->rtc_irq_level = level;
-    if (!hpet_in_legacy_mode(s)) {
-        qemu_set_irq(s->irqs[RTC_ISA_IRQ], level);
+    if (n == HPET_LEGACY_PIT_INT) {
+        if (!hpet_in_legacy_mode(s)) {
+            qemu_set_irq(s->irqs[0], level);
+        }
+    } else {
+        s->rtc_irq_level = level;
+        if (!hpet_in_legacy_mode(s)) {
+            qemu_set_irq(s->irqs[RTC_ISA_IRQ], level);
+        }
     }
 }
 
@@ -717,7 +718,8 @@ static int hpet_init(SysBusDevice *dev)
     s->capability |= (s->num_timers - 1) << HPET_ID_NUM_TIM_SHIFT;
     s->capability |= ((HPET_CLK_PERIOD) << 32);
 
-    qdev_init_gpio_in(&dev->qdev, hpet_handle_rtc_irq, 1);
+    qdev_init_gpio_in(&dev->qdev, hpet_handle_legacy_irq, 2);
+    qdev_init_gpio_out(&dev->qdev, &s->pit_enabled, 1);
 
     /* HPET Area */
     memory_region_init_io(&s->iomem, &hpet_ram_ops, s, "hpet", 0x400);
diff --git a/hw/hpet_emul.h b/hw/hpet_emul.h
index 6128702..757f79f 100644
--- a/hw/hpet_emul.h
+++ b/hw/hpet_emul.h
@@ -22,6 +22,9 @@
 
 #define HPET_NUM_IRQ_ROUTES     32
 
+#define HPET_LEGACY_PIT_INT     0
+#define HPET_LEGACY_RTC_INT     1
+
 #define HPET_CFG_ENABLE 0x001
 #define HPET_CFG_LEGACY 0x002
 
diff --git a/hw/i8254.c b/hw/i8254.c
index aa7e9fc..3d39630 100644
--- a/hw/i8254.c
+++ b/hw/i8254.c
@@ -52,6 +52,7 @@ typedef struct PITChannelState {
     int64_t next_transition_time;
     QEMUTimer *irq_timer;
     qemu_irq irq;
+    uint32_t irq_disabled;
 } PITChannelState;
 
 typedef struct PITState {
@@ -61,8 +62,6 @@ typedef struct PITState {
     PITChannelState channels[3];
 } PITState;
 
-static PITState pit_state;
-
 static void pit_irq_timer_update(PITChannelState *s, int64_t current_time);
 
 static int pit_get_count(PITChannelState *s)
@@ -378,8 +377,9 @@ static void pit_irq_timer_update(PITChannelState *s, int64_t current_time)
     int64_t expire_time;
     int irq_level;
 
-    if (!s->irq_timer)
+    if (!s->irq_timer || s->irq_disabled) {
         return;
+    }
     expire_time = pit_get_next_transition_time(s, current_time);
     irq_level = pit_get_out1(s, current_time);
     qemu_set_irq(s->irq, irq_level);
@@ -450,6 +450,7 @@ static int pit_load_old(QEMUFile *f, void *opaque, int version_id)
         qemu_get_8s(f, &s->bcd);
         qemu_get_8s(f, &s->gate);
         s->count_load_time=qemu_get_be64(f);
+        s->irq_disabled = 0;
         if (s->irq_timer) {
             s->next_transition_time=qemu_get_be64(f);
             qemu_get_timer(f, s->irq_timer);
@@ -460,11 +461,12 @@ static int pit_load_old(QEMUFile *f, void *opaque, int version_id)
 
 static const VMStateDescription vmstate_pit = {
     .name = "i8254",
-    .version_id = 2,
+    .version_id = 3,
     .minimum_version_id = 2,
     .minimum_version_id_old = 1,
     .load_state_old = pit_load_old,
     .fields      = (VMStateField []) {
+        VMSTATE_UINT32_V(channels[0].irq_disabled, PITState, 3),
         VMSTATE_STRUCT_ARRAY(channels, PITState, 3, 2, vmstate_pit_channel, PITChannelState),
         VMSTATE_TIMER(channels[0].irq_timer, PITState),
         VMSTATE_END_OF_LIST()
@@ -483,7 +485,7 @@ static void pit_reset(DeviceState *dev)
         s->gate = (i != 2);
         s->count_load_time = qemu_get_clock_ns(vm_clock);
         s->count = 0x10000;
-        if (i == 0) {
+        if (i == 0 && !s->irq_disabled) {
             s->next_transition_time =
                 pit_get_next_transition_time(s, s->count_load_time);
             qemu_mod_timer(s->irq_timer, s->next_transition_time);
@@ -491,26 +493,20 @@ static void pit_reset(DeviceState *dev)
     }
 }
 
-/* When HPET is operating in legacy mode, i8254 timer0 is disabled */
-void hpet_pit_disable(void) {
-    PITChannelState *s;
-    s = &pit_state.channels[0];
-    if (s->irq_timer)
-        qemu_del_timer(s->irq_timer);
-}
-
-/* When HPET is reset or leaving legacy mode, it must reenable i8254
- * timer 0
- */
-
-void hpet_pit_enable(void)
+/* When HPET is operating in legacy mode, suppress the ignored timer IRQ,
+ * reenable it when legacy mode is left again. */
+static void pit_irq_control(void *opaque, int n, int enable)
 {
-    PITState *pit = &pit_state;
-    PITChannelState *s;
-    s = &pit->channels[0];
-    s->mode = 3;
-    s->gate = 1;
-    pit_load_count(s, 0);
+    PITState *pit = opaque;
+    PITChannelState *s = &pit->channels[0];
+
+    if (enable) {
+        s->irq_disabled = 0;
+        pit_irq_timer_update(s, qemu_get_clock_ns(vm_clock));
+    } else {
+        s->irq_disabled = 1;
+        qemu_del_timer(s->irq_timer);
+    }
 }
 
 static const MemoryRegionPortio pit_portio[] = {
@@ -536,6 +532,8 @@ static int pit_initfn(ISADevice *dev)
     memory_region_init_io(&pit->ioports, &pit_ioport_ops, pit, "pit", 4);
     isa_register_ioport(dev, &pit->ioports, pit->iobase);
 
+    qdev_init_gpio_in(&dev->qdev, pit_irq_control, 1);
+
     qdev_set_legacy_instance_id(&dev->qdev, pit->iobase, 2);
 
     return 0;
diff --git a/hw/i8254.h b/hw/i8254.h
index fc64a63..8ad8e07 100644
--- a/hw/i8254.h
+++ b/hw/i8254.h
@@ -50,7 +50,4 @@ int pit_get_initial_count(ISADevice *dev, int channel);
 int pit_get_mode(ISADevice *dev, int channel);
 int pit_get_out(ISADevice *dev, int channel, int64_t current_time);
 
-void hpet_pit_disable(void);
-void hpet_pit_enable(void);
-
 #endif /* !HW_I8254_H */
diff --git a/hw/pc.c b/hw/pc.c
index ad65a5d..8e26563 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -1139,6 +1139,9 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
 {
     int i;
     DriveInfo *fd[MAX_FD];
+    DeviceState *hpet = NULL;
+    int pit_isa_irq = 0;
+    qemu_irq pit_alt_irq = NULL;
     qemu_irq rtc_irq = NULL;
     qemu_irq *a20_line;
     ISADevice *i8042, *port92, *vmmouse, *pit;
@@ -1149,20 +1152,26 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
     register_ioport_write(0xf0, 1, 1, ioportF0_write, NULL);
 
     if (!no_hpet) {
-        DeviceState *hpet = sysbus_try_create_simple("hpet", HPET_BASE, NULL);
+        hpet = sysbus_try_create_simple("hpet", HPET_BASE, NULL);
 
         if (hpet) {
             for (i = 0; i < GSI_NUM_PINS; i++) {
                 sysbus_connect_irq(sysbus_from_qdev(hpet), i, gsi[i]);
             }
-            rtc_irq = qdev_get_gpio_in(hpet, 0);
+            pit_isa_irq = -1;
+            pit_alt_irq = qdev_get_gpio_in(hpet, HPET_LEGACY_PIT_INT);
+            rtc_irq = qdev_get_gpio_in(hpet, HPET_LEGACY_RTC_INT);
         }
     }
     *rtc_state = rtc_init(isa_bus, 2000, rtc_irq);
 
     qemu_register_boot_set(pc_boot_set, *rtc_state);
 
-    pit = pit_init(isa_bus, 0x40, 0, NULL);
+    pit = pit_init(isa_bus, 0x40, pit_isa_irq, pit_alt_irq);
+    if (hpet) {
+        /* connect PIT to output control line of the HPET */
+        qdev_connect_gpio_out(hpet, 0, qdev_get_gpio_in(&pit->qdev, 0));
+    }
     pcspk_init(pit);
 
     for(i = 0; i < MAX_SERIAL_PORTS; i++) {
commit 319ba9f52737fc79de5c2c6abd059933398b72d5
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 1 20:31:40 2012 +0100

    i8254: Pass alternative IRQ output object on initialization
    
    HPET legacy emulation will require control over the PIT IRQ output. To
    enable this, add support for an alternative IRQ output object to the PIT
    factory function. If the isa_irq number is < 0, this object will be
    used.
    
    This also removes the IRQ number property from the PIT class as we now
    use a generic GPIO output pin that is connected by the factory function.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/alpha_dp264.c b/hw/alpha_dp264.c
index 4c0efd3..ea0fd95 100644
--- a/hw/alpha_dp264.c
+++ b/hw/alpha_dp264.c
@@ -73,7 +73,7 @@ static void clipper_init(ram_addr_t ram_size,
                            clipper_pci_map_irq);
 
     rtc_init(isa_bus, 1980, rtc_irq);
-    pit_init(isa_bus, 0x40, 0);
+    pit_init(isa_bus, 0x40, 0, NULL);
     isa_create_simple(isa_bus, "i8042");
 
     /* VGA setup.  Don't bother loading the bios.  */
diff --git a/hw/i82378.c b/hw/i82378.c
index d3c4ac5..cc41564 100644
--- a/hw/i82378.c
+++ b/hw/i82378.c
@@ -192,7 +192,7 @@ static void i82378_init(DeviceState *dev, I82378State *s)
     isa_bus_irqs(isabus, s->i8259);
 
     /* 1 82C54 (pit) */
-    pit = pit_init(isabus, 0x40, 0);
+    pit = pit_init(isabus, 0x40, 0, NULL);
 
     /* speaker */
     pcspk_init(pit);
diff --git a/hw/i8254.c b/hw/i8254.c
index 71ea849..aa7e9fc 100644
--- a/hw/i8254.c
+++ b/hw/i8254.c
@@ -57,7 +57,6 @@ typedef struct PITChannelState {
 typedef struct PITState {
     ISADevice dev;
     MemoryRegion ioports;
-    uint32_t irq;
     uint32_t iobase;
     PITChannelState channels[3];
 } PITState;
@@ -532,7 +531,7 @@ static int pit_initfn(ISADevice *dev)
     s = &pit->channels[0];
     /* the timer 0 is connected to an IRQ */
     s->irq_timer = qemu_new_timer_ns(vm_clock, pit_irq_timer, s);
-    s->irq = isa_get_irq(dev, pit->irq);
+    qdev_init_gpio_out(&dev->qdev, &s->irq, 1);
 
     memory_region_init_io(&pit->ioports, &pit_ioport_ops, pit, "pit", 4);
     isa_register_ioport(dev, &pit->ioports, pit->iobase);
@@ -543,7 +542,6 @@ static int pit_initfn(ISADevice *dev)
 }
 
 static Property pit_properties[] = {
-    DEFINE_PROP_UINT32("irq", PITState, irq,  -1),
     DEFINE_PROP_HEX32("iobase", PITState, iobase,  -1),
     DEFINE_PROP_END_OF_LIST(),
 };
diff --git a/hw/i8254.h b/hw/i8254.h
index cd3111c..fc64a63 100644
--- a/hw/i8254.h
+++ b/hw/i8254.h
@@ -30,14 +30,16 @@
 
 #define PIT_FREQ 1193182
 
-static inline ISADevice *pit_init(ISABus *bus, int base, int irq)
+static inline ISADevice *pit_init(ISABus *bus, int base, int isa_irq,
+                                  qemu_irq alt_irq)
 {
     ISADevice *dev;
 
     dev = isa_create(bus, "isa-pit");
     qdev_prop_set_uint32(&dev->qdev, "iobase", base);
-    qdev_prop_set_uint32(&dev->qdev, "irq", irq);
     qdev_init_nofail(&dev->qdev);
+    qdev_connect_gpio_out(&dev->qdev, 0,
+                          isa_irq >= 0 ? isa_get_irq(dev, isa_irq) : alt_irq);
 
     return dev;
 }
diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index ead72ae..e3ba9dd 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -364,7 +364,7 @@ static void mips_fulong2e_init(ram_addr_t ram_size, const char *boot_device,
     smbus_eeprom_init(smbus, 1, eeprom_spd, sizeof(eeprom_spd));
 
     /* init other devices */
-    pit = pit_init(isa_bus, 0x40, 0);
+    pit = pit_init(isa_bus, 0x40, 0, NULL);
     cpu_exit_irq = qemu_allocate_irqs(cpu_request_exit, NULL, 1);
     DMA_init(0, cpu_exit_irq);
 
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index 61dee4d..b61b218 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -192,7 +192,7 @@ static void mips_jazz_init(MemoryRegion *address_space,
     isa_bus_irqs(isa_bus, i8259);
     cpu_exit_irq = qemu_allocate_irqs(cpu_request_exit, NULL, 1);
     DMA_init(0, cpu_exit_irq);
-    pit = pit_init(isa_bus, 0x40, 0);
+    pit = pit_init(isa_bus, 0x40, 0, NULL);
     pcspk_init(pit);
 
     /* ISA IO space at 0x90000000 */
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index 692f79b..86a5fbb 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -970,7 +970,7 @@ void mips_malta_init (ram_addr_t ram_size,
                           isa_get_irq(NULL, 9), NULL, NULL, 0);
     /* TODO: Populate SPD eeprom data.  */
     smbus_eeprom_init(smbus, 8, NULL, 0);
-    pit = pit_init(isa_bus, 0x40, 0);
+    pit = pit_init(isa_bus, 0x40, 0, NULL);
     cpu_exit_irq = qemu_allocate_irqs(cpu_request_exit, NULL, 1);
     DMA_init(0, cpu_exit_irq);
 
diff --git a/hw/mips_r4k.c b/hw/mips_r4k.c
index 1b3ec2d..83401f0 100644
--- a/hw/mips_r4k.c
+++ b/hw/mips_r4k.c
@@ -270,7 +270,7 @@ void mips_r4k_init (ram_addr_t ram_size,
     isa_mmio_init(0x14000000, 0x00010000);
     isa_mem_base = 0x10000000;
 
-    pit = pit_init(isa_bus, 0x40, 0);
+    pit = pit_init(isa_bus, 0x40, 0, NULL);
 
     for(i = 0; i < MAX_SERIAL_PORTS; i++) {
         if (serial_hds[i]) {
diff --git a/hw/pc.c b/hw/pc.c
index 435fe4d..ad65a5d 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -1162,7 +1162,7 @@ void pc_basic_device_init(ISABus *isa_bus, qemu_irq *gsi,
 
     qemu_register_boot_set(pc_boot_set, *rtc_state);
 
-    pit = pit_init(isa_bus, 0x40, 0);
+    pit = pit_init(isa_bus, 0x40, 0, NULL);
     pcspk_init(pit);
 
     for(i = 0; i < MAX_SERIAL_PORTS; i++) {
commit b1277b03d46b2aeb22f0829aaa1c0f5fe6dd38fe
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 1 20:31:39 2012 +0100

    i8254: Factor out interface header
    
    Move the public interface of the PIT into its own header file and update
    all users.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/alpha_dp264.c b/hw/alpha_dp264.c
index 876335a..4c0efd3 100644
--- a/hw/alpha_dp264.c
+++ b/hw/alpha_dp264.c
@@ -14,6 +14,7 @@
 #include "sysemu.h"
 #include "mc146818rtc.h"
 #include "ide.h"
+#include "i8254.h"
 
 #define MAX_IDE_BUS 2
 
diff --git a/hw/hpet.c b/hw/hpet.c
index 76769d5..16833fa 100644
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -31,6 +31,7 @@
 #include "hpet_emul.h"
 #include "sysbus.h"
 #include "mc146818rtc.h"
+#include "i8254.h"
 
 //#define HPET_DEBUG
 #ifdef HPET_DEBUG
diff --git a/hw/i82378.c b/hw/i82378.c
index 3929c04..d3c4ac5 100644
--- a/hw/i82378.c
+++ b/hw/i82378.c
@@ -19,6 +19,7 @@
 
 #include "pci.h"
 #include "pc.h"
+#include "i8254.h"
 
 //#define DEBUG_I82378
 
diff --git a/hw/i8254.c b/hw/i8254.c
index d55b221..71ea849 100644
--- a/hw/i8254.c
+++ b/hw/i8254.c
@@ -25,6 +25,7 @@
 #include "pc.h"
 #include "isa.h"
 #include "qemu-timer.h"
+#include "i8254.h"
 
 //#define DEBUG_PIT
 
diff --git a/hw/i8254.h b/hw/i8254.h
new file mode 100644
index 0000000..cd3111c
--- /dev/null
+++ b/hw/i8254.h
@@ -0,0 +1,54 @@
+/*
+ * QEMU 8253/8254 interval timer emulation
+ *
+ * Copyright (c) 2003-2004 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef HW_I8254_H
+#define HW_I8254_H
+
+#include "hw.h"
+#include "isa.h"
+
+#define PIT_FREQ 1193182
+
+static inline ISADevice *pit_init(ISABus *bus, int base, int irq)
+{
+    ISADevice *dev;
+
+    dev = isa_create(bus, "isa-pit");
+    qdev_prop_set_uint32(&dev->qdev, "iobase", base);
+    qdev_prop_set_uint32(&dev->qdev, "irq", irq);
+    qdev_init_nofail(&dev->qdev);
+
+    return dev;
+}
+
+void pit_set_gate(ISADevice *dev, int channel, int val);
+int pit_get_gate(ISADevice *dev, int channel);
+int pit_get_initial_count(ISADevice *dev, int channel);
+int pit_get_mode(ISADevice *dev, int channel);
+int pit_get_out(ISADevice *dev, int channel, int64_t current_time);
+
+void hpet_pit_disable(void);
+void hpet_pit_enable(void);
+
+#endif /* !HW_I8254_H */
diff --git a/hw/mips_fulong2e.c b/hw/mips_fulong2e.c
index 163a668..ead72ae 100644
--- a/hw/mips_fulong2e.c
+++ b/hw/mips_fulong2e.c
@@ -40,6 +40,7 @@
 #include "elf.h"
 #include "vt82c686.h"
 #include "mc146818rtc.h"
+#include "i8254.h"
 #include "blockdev.h"
 #include "exec-memory.h"
 
diff --git a/hw/mips_jazz.c b/hw/mips_jazz.c
index 63165b9..61dee4d 100644
--- a/hw/mips_jazz.c
+++ b/hw/mips_jazz.c
@@ -36,6 +36,7 @@
 #include "mips-bios.h"
 #include "loader.h"
 #include "mc146818rtc.h"
+#include "i8254.h"
 #include "blockdev.h"
 #include "sysbus.h"
 #include "exec-memory.h"
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index ffecefd..692f79b 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -45,6 +45,7 @@
 #include "loader.h"
 #include "elf.h"
 #include "mc146818rtc.h"
+#include "i8254.h"
 #include "blockdev.h"
 #include "exec-memory.h"
 #include "sysbus.h"             /* SysBusDevice */
diff --git a/hw/mips_r4k.c b/hw/mips_r4k.c
index 1c0615c..1b3ec2d 100644
--- a/hw/mips_r4k.c
+++ b/hw/mips_r4k.c
@@ -22,6 +22,7 @@
 #include "loader.h"
 #include "elf.h"
 #include "mc146818rtc.h"
+#include "i8254.h"
 #include "blockdev.h"
 #include "exec-memory.h"
 
diff --git a/hw/pc.c b/hw/pc.c
index ab94d72..435fe4d 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -36,6 +36,7 @@
 #include "elf.h"
 #include "multiboot.h"
 #include "mc146818rtc.h"
+#include "i8254.h"
 #include "msi.h"
 #include "sysbus.h"
 #include "sysemu.h"
diff --git a/hw/pc.h b/hw/pc.h
index c666ec9..b08708d 100644
--- a/hw/pc.h
+++ b/hw/pc.h
@@ -81,31 +81,6 @@ typedef struct GSIState {
 
 void gsi_handler(void *opaque, int n, int level);
 
-/* i8254.c */
-
-#define PIT_FREQ 1193182
-
-static inline ISADevice *pit_init(ISABus *bus, int base, int irq)
-{
-    ISADevice *dev;
-
-    dev = isa_create(bus, "isa-pit");
-    qdev_prop_set_uint32(&dev->qdev, "iobase", base);
-    qdev_prop_set_uint32(&dev->qdev, "irq", irq);
-    qdev_init_nofail(&dev->qdev);
-
-    return dev;
-}
-
-void pit_set_gate(ISADevice *dev, int channel, int val);
-int pit_get_gate(ISADevice *dev, int channel);
-int pit_get_initial_count(ISADevice *dev, int channel);
-int pit_get_mode(ISADevice *dev, int channel);
-int pit_get_out(ISADevice *dev, int channel, int64_t current_time);
-
-void hpet_pit_disable(void);
-void hpet_pit_enable(void);
-
 /* vmport.c */
 static inline void vmport_init(ISABus *bus)
 {
diff --git a/hw/pcspk.c b/hw/pcspk.c
index acb0167..43df818 100644
--- a/hw/pcspk.c
+++ b/hw/pcspk.c
@@ -27,6 +27,7 @@
 #include "isa.h"
 #include "audio/audio.h"
 #include "qemu-timer.h"
+#include "i8254.h"
 
 #define PCSPK_BUF_LEN 1792
 #define PCSPK_SAMPLE_RATE 32000
commit 5904ae4eba0928c35845720f9a630c19e48c2131
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 1 20:31:38 2012 +0100

    hpet: Save/restore cached RTC IRQ level
    
    In legacy mode, the HPET suppresses the RTC interrupt delivery via IRQ
    8 but keeps track of the RTC output level and applies it when legacy
    mode is turned off again. This value has to be preserved across save/
    restore as it cannot be reconstructed otherwise.
    
    To document that a raised rtc_irq_level won't survive a vmload without
    a hpet/rtc_irq_level subsection, add an explicit clearing to the reset
    handler.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/hpet.c b/hw/hpet.c
index ba36e10..76769d5 100644
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -240,6 +240,24 @@ static int hpet_post_load(void *opaque, int version_id)
     return 0;
 }
 
+static bool hpet_rtc_irq_level_needed(void *opaque)
+{
+    HPETState *s = opaque;
+
+    return s->rtc_irq_level != 0;
+}
+
+static const VMStateDescription vmstate_hpet_rtc_irq_level = {
+    .name = "hpet/rtc_irq_level",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields      = (VMStateField[]) {
+        VMSTATE_UINT8(rtc_irq_level, HPETState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
 static const VMStateDescription vmstate_hpet_timer = {
     .name = "hpet_timer",
     .version_id = 1,
@@ -273,6 +291,14 @@ static const VMStateDescription vmstate_hpet = {
         VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
                                     vmstate_hpet_timer, HPETTimer),
         VMSTATE_END_OF_LIST()
+    },
+    .subsections = (VMStateSubsection[]) {
+        {
+            .vmsd = &vmstate_hpet_rtc_irq_level,
+            .needed = hpet_rtc_irq_level_needed,
+        }, {
+            /* empty */
+        }
     }
 };
 
@@ -636,6 +662,9 @@ static void hpet_reset(DeviceState *d)
     hpet_cfg.hpet[s->hpet_id].event_timer_block_id = (uint32_t)s->capability;
     hpet_cfg.hpet[s->hpet_id].address = sysbus_from_qdev(d)->mmio[0].addr;
     count = 1;
+
+    /* to document that the RTC lowers its output on reset as well */
+    s->rtc_irq_level = 0;
 }
 
 static void hpet_handle_rtc_irq(void *opaque, int n, int level)
commit 61b7b67df2ed10ff5ab0dcc649080bca782fdc5e
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 1 20:31:37 2012 +0100

    i8254: Do not raise IRQ level on reset
    
    Avoid changing the IRQ level to high on reset as it may trigger spurious
    events. Instead, open-code the effects of pit_load_count(0) in the reset
    handler.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/i8254.c b/hw/i8254.c
index 481fc7b..d55b221 100644
--- a/hw/i8254.c
+++ b/hw/i8254.c
@@ -481,7 +481,13 @@ static void pit_reset(DeviceState *dev)
         s = &pit->channels[i];
         s->mode = 3;
         s->gate = (i != 2);
-        pit_load_count(s, 0);
+        s->count_load_time = qemu_get_clock_ns(vm_clock);
+        s->count = 0x10000;
+        if (i == 0) {
+            s->next_transition_time =
+                pit_get_next_transition_time(s, s->count_load_time);
+            qemu_mod_timer(s->irq_timer, s->next_transition_time);
+        }
     }
 }
 
commit 7dfbfc7927c1f7ab9f6910768ed6d966645b5866
Author: Daniel P. Berrange <berrange at redhat.com>
Date:   Tue Feb 14 12:37:29 2012 +0000

    vnc: Don't demote authentication scheme when changing password/disabling login
    
    Currently when disabling login in VNC, the password is cleared out and the
    authentication protocol is forced to AUTH_VNC.  If you're using a stronger
    authentication protocol, this has the effect of downgrading your security
    protocol.
    
    Fix this by only changing the authentication protocol if the current
    authentication protocol is AUTH_NONE.  That ensures we're never downgrading.
    
    Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    --
    NB. This patch is derived from one posted by Anthony last year, which got
    accidentally lost after Luiz took over the QMP series work
    
      https://lists.gnu.org/archive/html/qemu-devel/2011-09/msg00392.html
    
     v1 -> v2
     - Make sure to not demote when changing password (Daniel)
     v2 -> v3
     - Rebase to latest GIT master wrt QMP changes

diff --git a/ui/vnc.c b/ui/vnc.c
index 02b71bc..8ee39bc 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2794,7 +2794,9 @@ int vnc_display_disable_login(DisplayState *ds)
     }
 
     vs->password = NULL;
-    vs->auth = VNC_AUTH_VNC;
+    if (vs->auth == VNC_AUTH_NONE) {
+        vs->auth = VNC_AUTH_VNC;
+    }
 
     return 0;
 }
@@ -2818,7 +2820,9 @@ int vnc_display_password(DisplayState *ds, const char *password)
         vs->password = NULL;
     }
     vs->password = g_strdup(password);
-    vs->auth = VNC_AUTH_VNC;
+    if (vs->auth == VNC_AUTH_NONE) {
+        vs->auth = VNC_AUTH_VNC;
+    }
 
     return 0;
 }
commit 4ed658ca925249021789d6a51fd6f99f68213f28
Author: Andreas Färber <afaerber at suse.de>
Date:   Fri Feb 17 02:47:44 2012 +0100

    qdev: Fix qdev_try_create() semantics
    
    Since QOM'ification, qdev_try_create() uses object_new() internally,
    which asserts "type != NULL" when the type is not registered.
    This was revealed by the combination of kvmclock's kvm_enabled() check
    and early QOM type registration.
    
    Check whether the class exists before calling object_new(), so that
    the caller (e.g., qdev_create) can fail gracefully, telling us which
    device could not be created.
    
    Signed-off-by: Andreas Färber <afaerber at suse.de>
    Cc: Anthony Liguori <aliguori at codemonkey.ws>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index f0eb3a7..ee21d90 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -117,6 +117,9 @@ DeviceState *qdev_try_create(BusState *bus, const char *name)
 {
     DeviceState *dev;
 
+    if (object_class_by_name(name) == NULL) {
+        return NULL;
+    }
     dev = DEVICE(object_new(name));
     if (!dev) {
         return NULL;
commit 438e1c79f196f0bc9411ef8183f9906e0efbd578
Author: Andreas Färber <afaerber at suse.de>
Date:   Thu Feb 16 18:03:19 2012 +0100

    qom: Fix identifiers in documentation
    
    Fixes gtk-doc warnings.
    
    Signed-off-by: Andreas Färber <afaerber at suse.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index c871254..5179c0c 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -486,7 +486,7 @@ void object_finalize(void *obj);
 Object *object_dynamic_cast(Object *obj, const char *typename);
 
 /**
- * @object_dynamic_cast_assert:
+ * object_dynamic_cast_assert:
  *
  * See object_dynamic_cast() for a description of the parameters of this
  * function.  The only difference in behavior is that this function asserts
@@ -730,7 +730,7 @@ void object_property_set(Object *obj, struct Visitor *v, const char *name,
                          struct Error **errp);
 
 /**
- * @object_property_get_type:
+ * object_property_get_type:
  * @obj: the object
  * @name: the name of the property
  * @errp: returns an error if this function fails
commit a0dbf4083452cbbc8703f309c6b1f89abfa7cebe
Author: Andreas Färber <afaerber at suse.de>
Date:   Thu Feb 16 18:03:18 2012 +0100

    qom: Fix typo in Object's documentation
    
    Fixes a warning from gtk-doc.
    
    Signed-off-by: Andreas Färber <afaerber at suse.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index 69cc2ab..c871254 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -330,7 +330,7 @@ struct TypeInfo
 
 /**
  * OBJECT_CLASS:
- * @class: A derivative of #ObjectClas.
+ * @class: A derivative of #ObjectClass.
  *
  * Converts a class to an #ObjectClass.  Since all objects are #Objects,
  * this function will always succeed.
commit 4dcc3f5876fa638d5c35bd47be3b717ea74cc2e7
Author: Brad Smith <brad at comstyle.com>
Date:   Fri Feb 10 15:59:38 2012 -0500

    configure: Remove OpenBSD workaround for curses probe
    
    Remove the OpenBSD workaround for the curses probe. This has not been
    necessary for 5 releases now.
    
    Signed-off-by: Brad Smith <brad at comstyle.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/configure b/configure
index 9e0fdfb..037f7f7 100755
--- a/configure
+++ b/configure
@@ -1900,9 +1900,6 @@ if test "$curses" != "no" ; then
   curses_found=no
   cat > $TMPC << EOF
 #include <curses.h>
-#ifdef __OpenBSD__
-#define resize_term resizeterm
-#endif
 int main(void) {
   const char *s = curses_version();
   resize_term(0, 0);
commit ad4cf3f6b72b736ab3a41a8f4ed7c0bd4c32352f
Author: Paul Brook <paul at codesourcery.com>
Date:   Thu Feb 9 19:05:29 2012 +0000

    libcacard configure fixes
    
    libcacard is only used by system emulation.
    Only define libcacard_libs/cflags once.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/configure b/configure
index 68f9ee6..9e0fdfb 100755
--- a/configure
+++ b/configure
@@ -2569,7 +2569,7 @@ EOF
           compile_prog "$smartcard_cflags $libcacard_cflags" "$libcacard_libs"; then
             smartcard_nss="yes"
             QEMU_CFLAGS="$QEMU_CFLAGS $smartcard_cflags $libcacard_cflags"
-            LIBS="$libcacard_libs $LIBS"
+            libs_softmmu="$libcacard_libs $libs_softmmu"
         else
             if test "$smartcard_nss" = "yes"; then
                 feature_not_found "nss"
@@ -3209,6 +3209,8 @@ fi
 
 if test "$smartcard_nss" = "yes" ; then
   echo "CONFIG_SMARTCARD_NSS=y" >> $config_host_mak
+  echo "libcacard_libs=$libcacard_libs" >> $config_host_mak
+  echo "libcacard_cflags=$libcacard_cflags" >> $config_host_mak
 fi
 
 if test "$usb_redir" = "yes" ; then
@@ -3628,6 +3630,9 @@ if test "$target_softmmu" = "yes" ; then
   echo "LIBS+=$libs_softmmu $target_libs_softmmu" >> $config_target_mak
   echo "HWDIR=../libhw$target_phys_bits" >> $config_target_mak
   echo "subdir-$target: subdir-libhw$target_phys_bits" >> $config_host_mak
+  if test "$smartcard_nss" = "yes" ; then
+    echo "subdir-$target: subdir-libcacard" >> $config_host_mak
+  fi
 fi
 if test "$target_user_only" = "yes" ; then
   echo "CONFIG_USER_ONLY=y" >> $config_target_mak
@@ -3639,11 +3644,6 @@ fi
 if test "$target_darwin_user" = "yes" ; then
   echo "CONFIG_DARWIN_USER=y" >> $config_target_mak
 fi
-if test "$smartcard_nss" = "yes" ; then
-  echo "subdir-$target: subdir-libcacard" >> $config_host_mak
-  echo "libcacard_libs=$libcacard_libs" >> $config_host_mak
-  echo "libcacard_cflags=$libcacard_cflags" >> $config_host_mak
-fi
 list=""
 if test ! -z "$gdb_xml_files" ; then
   for x in $gdb_xml_files; do
commit 1bbbdabd568fb62125cf214327b4fb5c5d49c694
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Jan 13 17:34:04 2012 +0100

    coroutine: switch to QSLIST
    
    QSLIST can be used for a free list, do it.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/coroutine-ucontext.c b/coroutine-ucontext.c
index 3d01075..5f43083 100644
--- a/coroutine-ucontext.c
+++ b/coroutine-ucontext.c
@@ -36,7 +36,7 @@ enum {
 };
 
 /** Free list to speed up creation */
-static QLIST_HEAD(, Coroutine) pool = QLIST_HEAD_INITIALIZER(pool);
+static QSLIST_HEAD(, Coroutine) pool = QSLIST_HEAD_INITIALIZER(pool);
 static unsigned int pool_size;
 
 typedef struct {
@@ -92,7 +92,7 @@ static void __attribute__((destructor)) coroutine_cleanup(void)
     Coroutine *co;
     Coroutine *tmp;
 
-    QLIST_FOREACH_SAFE(co, &pool, pool_next, tmp) {
+    QSLIST_FOREACH_SAFE(co, &pool, pool_next, tmp) {
         g_free(DO_UPCAST(CoroutineUContext, base, co)->stack);
         g_free(co);
     }
@@ -175,9 +175,9 @@ Coroutine *qemu_coroutine_new(void)
 {
     Coroutine *co;
 
-    co = QLIST_FIRST(&pool);
+    co = QSLIST_FIRST(&pool);
     if (co) {
-        QLIST_REMOVE(co, pool_next);
+        QSLIST_REMOVE_HEAD(&pool, pool_next);
         pool_size--;
     } else {
         co = coroutine_new();
@@ -190,7 +190,7 @@ void qemu_coroutine_delete(Coroutine *co_)
     CoroutineUContext *co = DO_UPCAST(CoroutineUContext, base, co_);
 
     if (pool_size < POOL_MAX_SIZE) {
-        QLIST_INSERT_HEAD(&pool, &co->base, pool_next);
+        QSLIST_INSERT_HEAD(&pool, &co->base, pool_next);
         co->base.caller = NULL;
         pool_size++;
         return;
diff --git a/qemu-coroutine-int.h b/qemu-coroutine-int.h
index d495615..0f1bd80 100644
--- a/qemu-coroutine-int.h
+++ b/qemu-coroutine-int.h
@@ -37,7 +37,7 @@ struct Coroutine {
     CoroutineEntry *entry;
     void *entry_arg;
     Coroutine *caller;
-    QLIST_ENTRY(Coroutine) pool_next;
+    QSLIST_ENTRY(Coroutine) pool_next;
     QTAILQ_ENTRY(Coroutine) co_queue_next;
 };
 
commit cf904cfa7cf8fcd54ca4ad756e26997d1e7383fb
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Jan 13 17:34:03 2012 +0100

    qemu-queue: drop QCIRCLEQ
    
    The main advantage of circular lists (the fact that the head node
    has the same memory layout as any other node) is completely negated
    by the implementation in qemu-queue.h.  Not surprisingly, nobody
    uses QCIRCLEQ.  While this might change if RCU is ever adopted by
    QEMU, the QLIST is also RCU-friendly and in fact it is used in a
    RCU-like manner by 9pfs already.  So, just kill QCIRCLEQ.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-queue.h b/qemu-queue.h
index a8ecfaa..74d7122 100644
--- a/qemu-queue.h
+++ b/qemu-queue.h
@@ -3,7 +3,7 @@
 /*
  * Qemu version: Copy from netbsd, removed debug code, removed some of
  * the implementations.  Left in singly-linked lists, lists, simple
- * queues, tail queues and circular queues.
+ * queues, and tail queues.
  */
 
 /*
@@ -41,8 +41,8 @@
 #define QEMU_SYS_QUEUE_H_
 
 /*
- * This file defines five types of data structures: singly-linked lists,
- * lists, simple queues, tail queues, and circular queues.
+ * This file defines four types of data structures: singly-linked lists,
+ * lists, simple queues, and tail queues.
  *
  * A singly-linked list is headed by a single forward pointer. The
  * elements are singly linked for minimum space and pointer manipulation
@@ -75,14 +75,6 @@
  * after an existing element, at the head of the list, or at the end of
  * the list. A tail queue may be traversed in either direction.
  *
- * A circle queue is headed by a pair of pointers, one to the head of the
- * list and the other to the tail of the list. The elements are doubly
- * linked so that an arbitrary element can be removed without a need to
- * traverse the list. New elements can be added to the list before or after
- * an existing element, at the head of the list, or at the end of the list.
- * A circle queue may be traversed in either direction, but has a more
- * complex end of list detection.
- *
  * For details on the use of these macros, see the queue(3) manual page.
  */
 
@@ -419,112 +411,4 @@ struct {                                                                \
 #define QTAILQ_PREV(elm, headname, field) \
         (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
 
-
-/*
- * Circular queue definitions.
- */
-#define QCIRCLEQ_HEAD(name, type)                                       \
-struct name {                                                           \
-        struct type *cqh_first;         /* first element */             \
-        struct type *cqh_last;          /* last element */              \
-}
-
-#define QCIRCLEQ_HEAD_INITIALIZER(head)                                 \
-        { (void *)&head, (void *)&head }
-
-#define QCIRCLEQ_ENTRY(type)                                            \
-struct {                                                                \
-        struct type *cqe_next;          /* next element */              \
-        struct type *cqe_prev;          /* previous element */          \
-}
-
-/*
- * Circular queue functions.
- */
-#define QCIRCLEQ_INIT(head) do {                                        \
-        (head)->cqh_first = (void *)(head);                             \
-        (head)->cqh_last = (void *)(head);                              \
-} while (/*CONSTCOND*/0)
-
-#define QCIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do {           \
-        (elm)->field.cqe_next = (listelm)->field.cqe_next;              \
-        (elm)->field.cqe_prev = (listelm);                              \
-        if ((listelm)->field.cqe_next == (void *)(head))                \
-                (head)->cqh_last = (elm);                               \
-        else                                                            \
-                (listelm)->field.cqe_next->field.cqe_prev = (elm);      \
-        (listelm)->field.cqe_next = (elm);                              \
-} while (/*CONSTCOND*/0)
-
-#define QCIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do {          \
-        (elm)->field.cqe_next = (listelm);                              \
-        (elm)->field.cqe_prev = (listelm)->field.cqe_prev;              \
-        if ((listelm)->field.cqe_prev == (void *)(head))                \
-                (head)->cqh_first = (elm);                              \
-        else                                                            \
-                (listelm)->field.cqe_prev->field.cqe_next = (elm);      \
-        (listelm)->field.cqe_prev = (elm);                              \
-} while (/*CONSTCOND*/0)
-
-#define QCIRCLEQ_INSERT_HEAD(head, elm, field) do {                     \
-        (elm)->field.cqe_next = (head)->cqh_first;                      \
-        (elm)->field.cqe_prev = (void *)(head);                         \
-        if ((head)->cqh_last == (void *)(head))                         \
-                (head)->cqh_last = (elm);                               \
-        else                                                            \
-                (head)->cqh_first->field.cqe_prev = (elm);              \
-        (head)->cqh_first = (elm);                                      \
-} while (/*CONSTCOND*/0)
-
-#define QCIRCLEQ_INSERT_TAIL(head, elm, field) do {                     \
-        (elm)->field.cqe_next = (void *)(head);                         \
-        (elm)->field.cqe_prev = (head)->cqh_last;                       \
-        if ((head)->cqh_first == (void *)(head))                        \
-                (head)->cqh_first = (elm);                              \
-        else                                                            \
-                (head)->cqh_last->field.cqe_next = (elm);               \
-        (head)->cqh_last = (elm);                                       \
-} while (/*CONSTCOND*/0)
-
-#define QCIRCLEQ_REMOVE(head, elm, field) do {                          \
-        if ((elm)->field.cqe_next == (void *)(head))                    \
-                (head)->cqh_last = (elm)->field.cqe_prev;               \
-        else                                                            \
-                (elm)->field.cqe_next->field.cqe_prev =                 \
-                    (elm)->field.cqe_prev;                              \
-        if ((elm)->field.cqe_prev == (void *)(head))                    \
-                (head)->cqh_first = (elm)->field.cqe_next;              \
-        else                                                            \
-                (elm)->field.cqe_prev->field.cqe_next =                 \
-                    (elm)->field.cqe_next;                              \
-} while (/*CONSTCOND*/0)
-
-#define QCIRCLEQ_FOREACH(var, head, field)                              \
-        for ((var) = ((head)->cqh_first);                               \
-                (var) != (const void *)(head);                          \
-                (var) = ((var)->field.cqe_next))
-
-#define QCIRCLEQ_FOREACH_REVERSE(var, head, field)                      \
-        for ((var) = ((head)->cqh_last);                                \
-                (var) != (const void *)(head);                          \
-                (var) = ((var)->field.cqe_prev))
-
-/*
- * Circular queue access methods.
- */
-#define QCIRCLEQ_EMPTY(head)             ((head)->cqh_first == (void *)(head))
-#define QCIRCLEQ_FIRST(head)             ((head)->cqh_first)
-#define QCIRCLEQ_LAST(head)              ((head)->cqh_last)
-#define QCIRCLEQ_NEXT(elm, field)        ((elm)->field.cqe_next)
-#define QCIRCLEQ_PREV(elm, field)        ((elm)->field.cqe_prev)
-
-#define QCIRCLEQ_LOOP_NEXT(head, elm, field)                            \
-        (((elm)->field.cqe_next == (void *)(head))                      \
-            ? ((head)->cqh_first)                                       \
-            : (elm->field.cqe_next))
-#define QCIRCLEQ_LOOP_PREV(head, elm, field)                            \
-        (((elm)->field.cqe_prev == (void *)(head))                      \
-            ? ((head)->cqh_last)                                        \
-            : (elm->field.cqe_prev))
-
 #endif  /* !QEMU_SYS_QUEUE_H_ */
commit 6095aa88e4cec8ea0af3944ffc0e667d04d47362
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Jan 13 17:34:02 2012 +0100

    qemu-queue: add QSLIST
    
    Based on http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/sys/queue.h?rev=1.53
    with only the prefix change.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/qemu-queue.h b/qemu-queue.h
index 2214230..a8ecfaa 100644
--- a/qemu-queue.h
+++ b/qemu-queue.h
@@ -2,8 +2,8 @@
 
 /*
  * Qemu version: Copy from netbsd, removed debug code, removed some of
- * the implementations.  Left in lists, simple queues, tail queues and
- * circular queues.
+ * the implementations.  Left in singly-linked lists, lists, simple
+ * queues, tail queues and circular queues.
  */
 
 /*
@@ -41,9 +41,19 @@
 #define QEMU_SYS_QUEUE_H_
 
 /*
- * This file defines four types of data structures:
+ * This file defines five types of data structures: singly-linked lists,
  * lists, simple queues, tail queues, and circular queues.
  *
+ * A singly-linked list is headed by a single forward pointer. The
+ * elements are singly linked for minimum space and pointer manipulation
+ * overhead at the expense of O(n) removal for arbitrary elements. New
+ * elements can be added to the list after an existing element or at the
+ * head of the list.  Elements being removed from the head of the list
+ * should use the explicit macro for this purpose for optimum
+ * efficiency. A singly-linked list may only be traversed in the forward
+ * direction.  Singly-linked lists are ideal for applications with large
+ * datasets and few or no removals or for implementing a LIFO queue.
+ *
  * A list is headed by a single forward pointer (or an array of forward
  * pointers for a hash table header). The elements are doubly linked
  * so that an arbitrary element can be removed without a need to
@@ -161,6 +171,64 @@ struct {                                                                \
 
 
 /*
+ * Singly-linked List definitions.
+ */
+#define QSLIST_HEAD(name, type)                                          \
+struct name {                                                           \
+        struct type *slh_first; /* first element */                     \
+}
+
+#define QSLIST_HEAD_INITIALIZER(head)                                    \
+        { NULL }
+
+#define QSLIST_ENTRY(type)                                               \
+struct {                                                                \
+        struct type *sle_next;  /* next element */                      \
+}
+
+/*
+ * Singly-linked List functions.
+ */
+#define QSLIST_INIT(head) do {                                           \
+        (head)->slh_first = NULL;                                       \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_INSERT_AFTER(slistelm, elm, field) do {                   \
+        (elm)->field.sle_next = (slistelm)->field.sle_next;             \
+        (slistelm)->field.sle_next = (elm);                             \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_INSERT_HEAD(head, elm, field) do {                        \
+        (elm)->field.sle_next = (head)->slh_first;                      \
+        (head)->slh_first = (elm);                                      \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_REMOVE_HEAD(head, field) do {                             \
+        (head)->slh_first = (head)->slh_first->field.sle_next;          \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_REMOVE_AFTER(slistelm, field) do {                        \
+        (slistelm)->field.sle_next =                                    \
+            QSLIST_NEXT(QSLIST_NEXT((slistelm), field), field);           \
+} while (/*CONSTCOND*/0)
+
+#define QSLIST_FOREACH(var, head, field)                                 \
+        for((var) = (head)->slh_first; (var); (var) = (var)->field.sle_next)
+
+#define QSLIST_FOREACH_SAFE(var, head, field, tvar)                      \
+        for ((var) = QSLIST_FIRST((head));                               \
+            (var) && ((tvar) = QSLIST_NEXT((var), field), 1);            \
+            (var) = (tvar))
+
+/*
+ * Singly-linked List access methods.
+ */
+#define QSLIST_EMPTY(head)       ((head)->slh_first == NULL)
+#define QSLIST_FIRST(head)       ((head)->slh_first)
+#define QSLIST_NEXT(elm, field)  ((elm)->field.sle_next)
+
+
+/*
  * Simple queue definitions.
  */
 #define QSIMPLEQ_HEAD(name, type)                                       \
commit 31552529a7eba5011dac74bab18a852860c45c9d
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Jan 13 17:34:01 2012 +0100

    notifier: switch to QLIST
    
    Notifiers do not need to access both ends of the list, and using
    a QLIST also simplifies the API.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/input.c b/input.c
index 9ade63f..b618ea4 100644
--- a/input.c
+++ b/input.c
@@ -268,5 +268,5 @@ void qemu_add_mouse_mode_change_notifier(Notifier *notify)
 
 void qemu_remove_mouse_mode_change_notifier(Notifier *notify)
 {
-    notifier_list_remove(&mouse_mode_notifiers, notify);
+    notifier_remove(notify);
 }
diff --git a/migration.c b/migration.c
index 37af438..00fa1e3 100644
--- a/migration.c
+++ b/migration.c
@@ -335,7 +335,7 @@ void add_migration_state_change_notifier(Notifier *notify)
 
 void remove_migration_state_change_notifier(Notifier *notify)
 {
-    notifier_list_remove(&migration_state_notifiers, notify);
+    notifier_remove(notify);
 }
 
 bool migration_is_active(MigrationState *s)
diff --git a/notify.c b/notify.c
index c104495..12282a6 100644
--- a/notify.c
+++ b/notify.c
@@ -18,24 +18,24 @@
 
 void notifier_list_init(NotifierList *list)
 {
-    QTAILQ_INIT(&list->notifiers);
+    QLIST_INIT(&list->notifiers);
 }
 
 void notifier_list_add(NotifierList *list, Notifier *notifier)
 {
-    QTAILQ_INSERT_HEAD(&list->notifiers, notifier, node);
+    QLIST_INSERT_HEAD(&list->notifiers, notifier, node);
 }
 
-void notifier_list_remove(NotifierList *list, Notifier *notifier)
+void notifier_remove(Notifier *notifier)
 {
-    QTAILQ_REMOVE(&list->notifiers, notifier, node);
+    QLIST_REMOVE(notifier, node);
 }
 
 void notifier_list_notify(NotifierList *list, void *data)
 {
     Notifier *notifier, *next;
 
-    QTAILQ_FOREACH_SAFE(notifier, &list->notifiers, node, next) {
+    QLIST_FOREACH_SAFE(notifier, &list->notifiers, node, next) {
         notifier->notify(notifier, data);
     }
 }
diff --git a/notify.h b/notify.h
index 54fc57c..03cf26c 100644
--- a/notify.h
+++ b/notify.h
@@ -21,22 +21,22 @@ typedef struct Notifier Notifier;
 struct Notifier
 {
     void (*notify)(Notifier *notifier, void *data);
-    QTAILQ_ENTRY(Notifier) node;
+    QLIST_ENTRY(Notifier) node;
 };
 
 typedef struct NotifierList
 {
-    QTAILQ_HEAD(, Notifier) notifiers;
+    QLIST_HEAD(, Notifier) notifiers;
 } NotifierList;
 
 #define NOTIFIER_LIST_INITIALIZER(head) \
-    { QTAILQ_HEAD_INITIALIZER((head).notifiers) }
+    { QLIST_HEAD_INITIALIZER((head).notifiers) }
 
 void notifier_list_init(NotifierList *list);
 
 void notifier_list_add(NotifierList *list, Notifier *notifier);
 
-void notifier_list_remove(NotifierList *list, Notifier *notifier);
+void notifier_remove(Notifier *notifier);
 
 void notifier_list_notify(NotifierList *list, void *data);
 
diff --git a/qemu-timer.c b/qemu-timer.c
index a22f27e..d7f56e5 100644
--- a/qemu-timer.c
+++ b/qemu-timer.c
@@ -453,7 +453,7 @@ void qemu_register_clock_reset_notifier(QEMUClock *clock, Notifier *notifier)
 
 void qemu_unregister_clock_reset_notifier(QEMUClock *clock, Notifier *notifier)
 {
-    notifier_list_remove(&clock->reset_notifiers, notifier);
+    notifier_remove(notifier);
 }
 
 void init_clocks(void)
diff --git a/vl.c b/vl.c
index 9609d2b..d8a521a 100644
--- a/vl.c
+++ b/vl.c
@@ -2093,7 +2093,7 @@ void qemu_add_exit_notifier(Notifier *notify)
 
 void qemu_remove_exit_notifier(Notifier *notify)
 {
-    notifier_list_remove(&exit_notifiers, notify);
+    notifier_remove(notify);
 }
 
 static void qemu_run_exit_notifiers(void)
commit c77de088b1067fc0e0df322e5bac60a3a26a0613
Merge: 3d7f572... e595079...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Feb 17 06:50:58 2012 -0600

    Merge remote-tracking branch 'bonzini/nbd-for-anthony' into staging
    
    * bonzini/nbd-for-anthony:
      nbd: add git tree to MAINTAINERS
      open /dev/nbd in nbd_client_thread
      do not chdir(/) in qemu-nbd before opening all files

commit 3d7f5721409d10d33f03891addf67e0984cf319e
Merge: a19255a... 13a16f1...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Feb 17 06:50:07 2012 -0600

    Merge remote-tracking branch 'pmaydell/arm-devs.for-upstream' into staging
    
    * pmaydell/arm-devs.for-upstream: (22 commits)
      hw/pl031: Actually raise interrupt on timer expiry
      MAINTAINERS: Add hw/highbank.c maintainer
      Remove unnecessary includes of primecell.h
      hw/primecell.h: Remove obsolete pl080_init() declaration
      hw/arm_sysctl: Drop legacy init function
      hw/vexpress.c: Add vexpress-a15 machine
      arm_boot: Pass base address of GIC CPU interface, not whole GIC
      hw/vexpress.c: Instantiate the motherboard CLCD
      hw/vexpress.c: Factor out daughterboard-specific initialization
      hw/vexpress.c: Move secondary CPU boot code to SRAM
      hw/vexpress.c: Make motherboard peripheral memory map table-driven
      hw/a15mpcore.c: Add Cortex-A15 private peripheral model
      MAINTAINERS: Add maintainers for Exynos SOC.
      Exynos4210: added display controller implementation
      hw/exynos4210.c: Add LAN support for SMDKC210.
      hw/lan9118: Add basic 16-bit mode support.
      ARM: exynos4210: MCT support.
      ARM: exynos4210: basic Power Management Unit implementation
      ARM: exynos4210: PWM support.
      ARM: exynos4210: UART support
      ...

commit a19255a369f0ef34dfbbc1ed2631e68fbbebb8ce
Merge: 9de36b1... 3a0c6c4...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Feb 17 06:48:47 2012 -0600

    Merge remote-tracking branch 'stefanha/trivial-patches' into staging
    
    * stefanha/trivial-patches:
      linux-user: brk() debugging
      virtio: Remove unneeded g_free() check in virtio_cleanup()
      net: remove extra spaces in help messages
      fmopl: Fix typo in function name
      vl.c: Fix typo in variable name
      ide: fix compilation errors when DEBUG_IDE is set
      cpu-exec.c: Correct comment about this file and indentation cleanup
      CODING_STYLE: Clarify style for enum and function type names
      linux-user: fail execve() if env/args too big

commit e5950790cb8c447867752faa62d8471d55298d58
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Wed Jan 18 12:48:19 2012 +0100

    nbd: add git tree to MAINTAINERS
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/MAINTAINERS b/MAINTAINERS
index 173e893..6a9c981 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -510,6 +510,7 @@ S: Odd Fixes
 F: block/nbd.c
 F: nbd.*
 F: qemu-nbd.c
+T: git://github.com/bonzini/qemu.git nbd-next
 
 SLIRP
 M: Jan Kiszka <jan.kiszka at siemens.com>
commit a6ac2313a83a6c3ed69c221ef8bed91676f078e9
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Dec 6 09:07:00 2011 +0100

    open /dev/nbd in nbd_client_thread
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qemu-nbd.c b/qemu-nbd.c
index e189cf8..d4e7041 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -37,7 +37,6 @@
 
 static NBDExport *exp;
 static int verbose;
-static char *device;
 static char *srcpath;
 static char *sockpath;
 static bool sigterm_reported;
@@ -178,6 +177,7 @@ static void termsig_handler(int signum)
 
 static void *show_parts(void *arg)
 {
+    char *device = arg;
     int nbd;
 
     /* linux just needs an open() to trigger
@@ -194,11 +194,11 @@ static void *show_parts(void *arg)
 
 static void *nbd_client_thread(void *arg)
 {
-    int fd = *(int *)arg;
+    char *device = arg;
     off_t size;
     size_t blocksize;
     uint32_t nbdflags;
-    int sock;
+    int fd, sock;
     int ret;
     pthread_t show_parts_thread;
 
@@ -213,13 +213,20 @@ static void *nbd_client_thread(void *arg)
         goto out;
     }
 
+    fd = open(device, O_RDWR);
+    if (fd == -1) {
+        /* Linux-only, we can use %m in printf.  */
+        fprintf(stderr, "Failed to open %s: %m", device);
+        goto out;
+    }
+
     ret = nbd_init(fd, sock, nbdflags, size, blocksize);
     if (ret == -1) {
         goto out;
     }
 
     /* update partition table */
-    pthread_create(&show_parts_thread, NULL, show_parts, NULL);
+    pthread_create(&show_parts_thread, NULL, show_parts, device);
 
     if (verbose) {
         fprintf(stderr, "NBD device %s is now connected to %s\n",
@@ -273,6 +280,7 @@ int main(int argc, char **argv)
     uint32_t nbdflags = 0;
     bool disconnect = false;
     const char *bindto = "0.0.0.0";
+    char *device = NULL;
     int port = NBD_DEFAULT_PORT;
     off_t fd_size;
     const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
@@ -466,19 +474,9 @@ int main(int argc, char **argv)
         }
     }
 
-    if (device) {
-        /* Open before spawning new threads.  In the future, we may
-         * drop privileges after opening.
-         */
-        fd = open(device, O_RDWR);
-        if (fd == -1) {
-            err(EXIT_FAILURE, "Failed to open %s", device);
-        }
-
-        if (sockpath == NULL) {
-            sockpath = g_malloc(128);
-            snprintf(sockpath, 128, SOCKET_PATH, basename(device));
-        }
+    if (device != NULL && sockpath == NULL) {
+        sockpath = g_malloc(128);
+        snprintf(sockpath, 128, SOCKET_PATH, basename(device));
     }
 
     bdrv_init();
@@ -513,7 +511,7 @@ int main(int argc, char **argv)
     if (device) {
         int ret;
 
-        ret = pthread_create(&client_thread, NULL, nbd_client_thread, &fd);
+        ret = pthread_create(&client_thread, NULL, nbd_client_thread, device);
         if (ret != 0) {
             errx(EXIT_FAILURE, "Failed to create client thread: %s",
                  strerror(ret));
commit 9faf31b68f049ca6432a1ef086a76344ff2a2357
Author: Michael Tokarev <mjt at tls.msk.ru>
Date:   Mon Jan 16 18:37:44 2012 +0400

    do not chdir(/) in qemu-nbd before opening all files
    
    When qemu-nbd becomes a daemon it calls daemon(3) with
    nochdir=0, so daemon(3) changes current directory to /.
    But at this time, qemu-nbd did not open any user-specified
    files yet, so by changing current directory, all non-absolute
    paths becomes wrong.  The solution is to pass nochdir=1 to
    daemon(3) function, and to chdir("/") after all init has
    been performed, before entering the main loop, -- just like
    a good daemon should do.
    
    This patch is applicable for -stable.
    
    Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qemu-nbd.c b/qemu-nbd.c
index eb61c33..e189cf8 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -429,7 +429,7 @@ int main(int argc, char **argv)
         pid = fork();
         if (pid == 0) {
             close(stderr_fd[0]);
-            ret = qemu_daemon(0, 0);
+            ret = qemu_daemon(1, 0);
 
             /* Temporarily redirect stderr to the parent's pipe...  */
             dup2(stderr_fd[1], STDERR_FILENO);
@@ -527,6 +527,12 @@ int main(int argc, char **argv)
     qemu_set_fd_handler2(fd, nbd_can_accept, nbd_accept, NULL,
                          (void *)(uintptr_t)fd);
 
+    /* now when the initialization is (almost) complete, chdir("/")
+     * to free any busy filesystems */
+    if (chdir("/") < 0) {
+        err(EXIT_FAILURE, "Could not chdir to root directory");
+    }
+
     do {
         main_loop_wait(false);
     } while (!sigterm_reported && (persistent || !nbd_started || nb_fds > 0));
commit 13a16f1d91fc7a46b65b22a33f6ffea1b826a097
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:10 2012 +0000

    hw/pl031: Actually raise interrupt on timer expiry
    
    Fix a typo in pl031_interrupt() which meant we were setting a bit
    in the interrupt mask rather than the interrupt status register
    and thus not actually raising an interrupt. This fix allows the
    rtctest program from the kernel's Documentation/rtc.txt to pass
    rather than hanging.
    
    Reported-by: Daniel Forsgren <daniel.forsgren at enea.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Acked-by: Andreas Färber <afaerber at suse.de>

diff --git a/hw/pl031.c b/hw/pl031.c
index 05b5b11..69abc4f 100644
--- a/hw/pl031.c
+++ b/hw/pl031.c
@@ -76,7 +76,7 @@ static void pl031_interrupt(void * opaque)
 {
     pl031_state *s = (pl031_state *)opaque;
 
-    s->im = 1;
+    s->is = 1;
     DPRINTF("Alarm raised\n");
     pl031_update(s);
 }
commit 766fd09fb3d8c51cdca70b703f9ce16fb1f855a4
Author: Mark Langsdorf <mark.langsdorf at calxeda.com>
Date:   Thu Feb 16 09:56:10 2012 +0000

    MAINTAINERS: Add hw/highbank.c maintainer
    
    Signed-off-by: Mark Langsdorf <mark.langsdorf at calxeda.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/MAINTAINERS b/MAINTAINERS
index e55ea0f..8eb80ea 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -191,6 +191,12 @@ M: Dmitry Solodkiy <d.solodkiy at samsung.com>
 S: Maintained
 F: hw/exynos*
 
+Calxeda Highbank
+M: Mark Langsdorf <mark.langsdorf at calxeda.com>
+S: Supported
+F: hw/highbank.c
+F: hw/xgmac.c
+
 Gumstix
 M: qemu-devel at nongnu.org
 S: Orphan
commit 22168e666033c78977d5864e808375ea256b2882
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:10 2012 +0000

    Remove unnecessary includes of primecell.h
    
    The primecell.h header now only has the definitions of constants
    indicating the usage of the arm_sysctl GPIO lines; remove obsolete
    includes of it from source files which don't care about those GPIO
    lines.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/highbank.c b/hw/highbank.c
index b28b464..489c00e 100644
--- a/hw/highbank.c
+++ b/hw/highbank.c
@@ -19,7 +19,6 @@
 
 #include "sysbus.h"
 #include "arm-misc.h"
-#include "primecell.h"
 #include "devices.h"
 #include "loader.h"
 #include "net.h"
diff --git a/hw/integratorcp.c b/hw/integratorcp.c
index 294d7da..5b06c81 100644
--- a/hw/integratorcp.c
+++ b/hw/integratorcp.c
@@ -8,7 +8,6 @@
  */
 
 #include "sysbus.h"
-#include "primecell.h"
 #include "devices.h"
 #include "boards.h"
 #include "arm-misc.h"
diff --git a/hw/pl022.c b/hw/pl022.c
index 03bf63c..60e35da 100644
--- a/hw/pl022.c
+++ b/hw/pl022.c
@@ -9,7 +9,6 @@
 
 #include "sysbus.h"
 #include "ssi.h"
-#include "primecell.h"
 
 //#define DEBUG_PL022 1
 
diff --git a/hw/versatilepb.c b/hw/versatilepb.c
index 1903db6..b9102f4 100644
--- a/hw/versatilepb.c
+++ b/hw/versatilepb.c
@@ -9,7 +9,6 @@
 
 #include "sysbus.h"
 #include "arm-misc.h"
-#include "primecell.h"
 #include "devices.h"
 #include "net.h"
 #include "sysemu.h"
commit 2a9577034acf77300ce3aa58c3ebffc5949ce96d
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:10 2012 +0000

    hw/primecell.h: Remove obsolete pl080_init() declaration
    
    Remove an obsolete declaration of pl080_init(), which has been
    incorrect since the conversion of pl080 to qdev back in 2009.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/primecell.h b/hw/primecell.h
index e709ad3..7337c3b 100644
--- a/hw/primecell.h
+++ b/hw/primecell.h
@@ -5,9 +5,6 @@
 /* Also includes some devices that are currently only used by the
    ARM boards.  */
 
-/* pl080.c */
-void *pl080_init(uint32_t base, qemu_irq irq, int nchannels);
-
 /* arm_sysctl GPIO lines */
 #define ARM_SYSCTL_GPIO_MMC_WPROT 0
 #define ARM_SYSCTL_GPIO_MMC_CARDIN 1
commit 54de1e5b3a8f02ba5c89606023f6351261068894
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:09 2012 +0000

    hw/arm_sysctl: Drop legacy init function
    
    Drop the legacy init function arm_sysctl_init(), since it has no
    users left any more. This allows us to drop the awkward '1' from
    the actual device init function.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Acked-by: Andreas Färber <afaerber at suse.de>

diff --git a/hw/arm_sysctl.c b/hw/arm_sysctl.c
index 149c639..5f1237b 100644
--- a/hw/arm_sysctl.c
+++ b/hw/arm_sysctl.c
@@ -378,7 +378,7 @@ static void arm_sysctl_gpio_set(void *opaque, int line, int level)
     }
 }
 
-static int arm_sysctl_init1(SysBusDevice *dev)
+static int arm_sysctl_init(SysBusDevice *dev)
 {
     arm_sysctl_state *s = FROM_SYSBUS(arm_sysctl_state, dev);
 
@@ -389,18 +389,6 @@ static int arm_sysctl_init1(SysBusDevice *dev)
     return 0;
 }
 
-/* Legacy helper function.  */
-void arm_sysctl_init(uint32_t base, uint32_t sys_id, uint32_t proc_id)
-{
-    DeviceState *dev;
-
-    dev = qdev_create(NULL, "realview_sysctl");
-    qdev_prop_set_uint32(dev, "sys_id", sys_id);
-    qdev_init_nofail(dev);
-    qdev_prop_set_uint32(dev, "proc_id", proc_id);
-    sysbus_mmio_map(sysbus_from_qdev(dev), 0, base);
-}
-
 static Property arm_sysctl_properties[] = {
     DEFINE_PROP_UINT32("sys_id", arm_sysctl_state, sys_id, 0),
     DEFINE_PROP_UINT32("proc_id", arm_sysctl_state, proc_id, 0),
@@ -412,7 +400,7 @@ static void arm_sysctl_class_init(ObjectClass *klass, void *data)
     DeviceClass *dc = DEVICE_CLASS(klass);
     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
 
-    k->init = arm_sysctl_init1;
+    k->init = arm_sysctl_init;
     dc->reset = arm_sysctl_reset;
     dc->vmsd = &vmstate_arm_sysctl;
     dc->props = arm_sysctl_properties;
diff --git a/hw/primecell.h b/hw/primecell.h
index de7d6f2..e709ad3 100644
--- a/hw/primecell.h
+++ b/hw/primecell.h
@@ -8,9 +8,6 @@
 /* pl080.c */
 void *pl080_init(uint32_t base, qemu_irq irq, int nchannels);
 
-/* arm_sysctl.c */
-void arm_sysctl_init(uint32_t base, uint32_t sys_id, uint32_t proc_id);
-
 /* arm_sysctl GPIO lines */
 #define ARM_SYSCTL_GPIO_MMC_WPROT 0
 #define ARM_SYSCTL_GPIO_MMC_CARDIN 1
commit 961f195e6c874de0473a23344be18d567d25dc39
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:09 2012 +0000

    hw/vexpress.c: Add vexpress-a15 machine
    
    Add the vexpress-a15 machine, and the A-Series memory map it uses.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Andreas Färber <afaerber at suse.de>

diff --git a/hw/vexpress.c b/hw/vexpress.c
index aae9d81..b9aafec 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -103,6 +103,41 @@ static target_phys_addr_t motherboard_legacy_map[] = {
     [VE_USB] = 0x4f000000,
 };
 
+static target_phys_addr_t motherboard_aseries_map[] = {
+    /* CS0: 0x00000000 .. 0x0c000000 */
+    [VE_NORFLASH0] = 0x00000000,
+    [VE_NORFLASH0ALIAS] = 0x08000000,
+    /* CS4: 0x0c000000 .. 0x10000000 */
+    [VE_NORFLASH1] = 0x0c000000,
+    /* CS5: 0x10000000 .. 0x14000000 */
+    /* CS1: 0x14000000 .. 0x18000000 */
+    [VE_SRAM] = 0x14000000,
+    /* CS2: 0x18000000 .. 0x1c000000 */
+    [VE_VIDEORAM] = 0x18000000,
+    [VE_ETHERNET] = 0x1a000000,
+    [VE_USB] = 0x1b000000,
+    /* CS3: 0x1c000000 .. 0x20000000 */
+    [VE_DAPROM] = 0x1c000000,
+    [VE_SYSREGS] = 0x1c010000,
+    [VE_SP810] = 0x1c020000,
+    [VE_SERIALPCI] = 0x1c030000,
+    [VE_PL041] = 0x1c040000,
+    [VE_MMCI] = 0x1c050000,
+    [VE_KMI0] = 0x1c060000,
+    [VE_KMI1] = 0x1c070000,
+    [VE_UART0] = 0x1c090000,
+    [VE_UART1] = 0x1c0a0000,
+    [VE_UART2] = 0x1c0b0000,
+    [VE_UART3] = 0x1c0c0000,
+    [VE_WDT] = 0x1c0f0000,
+    [VE_TIMER01] = 0x1c110000,
+    [VE_TIMER23] = 0x1c120000,
+    [VE_SERIALDVI] = 0x1c160000,
+    [VE_RTC] = 0x1c170000,
+    [VE_COMPACTFLASH] = 0x1c1a0000,
+    [VE_CLCD] = 0x1c1f0000,
+};
+
 /* Structure defining the peculiarities of a specific daughterboard */
 
 typedef struct VEDBoardInfo VEDBoardInfo;
@@ -218,6 +253,91 @@ static const VEDBoardInfo a9_daughterboard = {
     .init = a9_daughterboard_init,
 };
 
+static void a15_daughterboard_init(const VEDBoardInfo *daughterboard,
+                                   ram_addr_t ram_size,
+                                   const char *cpu_model,
+                                   qemu_irq *pic, uint32_t *proc_id)
+{
+    int n;
+    CPUState *env = NULL;
+    MemoryRegion *sysmem = get_system_memory();
+    MemoryRegion *ram = g_new(MemoryRegion, 1);
+    MemoryRegion *sram = g_new(MemoryRegion, 1);
+    qemu_irq cpu_irq[4];
+    DeviceState *dev;
+    SysBusDevice *busdev;
+
+    if (!cpu_model) {
+        cpu_model = "cortex-a15";
+    }
+
+    *proc_id = 0x14000217;
+
+    for (n = 0; n < smp_cpus; n++) {
+        qemu_irq *irqp;
+        env = cpu_init(cpu_model);
+        if (!env) {
+            fprintf(stderr, "Unable to find CPU definition\n");
+            exit(1);
+        }
+        irqp = arm_pic_init_cpu(env);
+        cpu_irq[n] = irqp[ARM_PIC_CPU_IRQ];
+    }
+
+    if (ram_size > 0x80000000) {
+        fprintf(stderr, "vexpress-a15: cannot model more than 2GB RAM\n");
+        exit(1);
+    }
+
+    memory_region_init_ram(ram, "vexpress.highmem", ram_size);
+    vmstate_register_ram_global(ram);
+    /* RAM is from 0x80000000 upwards; there is no low-memory alias for it. */
+    memory_region_add_subregion(sysmem, 0x80000000, ram);
+
+    /* 0x2c000000 A15MPCore private memory region (GIC) */
+    dev = qdev_create(NULL, "a15mpcore_priv");
+    qdev_prop_set_uint32(dev, "num-cpu", smp_cpus);
+    qdev_init_nofail(dev);
+    busdev = sysbus_from_qdev(dev);
+    sysbus_mmio_map(busdev, 0, 0x2c000000);
+    for (n = 0; n < smp_cpus; n++) {
+        sysbus_connect_irq(busdev, n, cpu_irq[n]);
+    }
+    /* Interrupts [42:0] are from the motherboard;
+     * [47:43] are reserved; [63:48] are daughterboard
+     * peripherals. Note that some documentation numbers
+     * external interrupts starting from 32 (because there
+     * are internal interrupts 0..31).
+     */
+    for (n = 0; n < 64; n++) {
+        pic[n] = qdev_get_gpio_in(dev, n);
+    }
+
+    /* A15 daughterboard peripherals: */
+
+    /* 0x20000000: CoreSight interfaces: not modelled */
+    /* 0x2a000000: PL301 AXI interconnect: not modelled */
+    /* 0x2a420000: SCC: not modelled */
+    /* 0x2a430000: system counter: not modelled */
+    /* 0x2b000000: HDLCD controller: not modelled */
+    /* 0x2b060000: SP805 watchdog: not modelled */
+    /* 0x2b0a0000: PL341 dynamic memory controller: not modelled */
+    /* 0x2e000000: system SRAM */
+    memory_region_init_ram(sram, "vexpress.a15sram", 0x10000);
+    vmstate_register_ram_global(sram);
+    memory_region_add_subregion(sysmem, 0x2e000000, sram);
+
+    /* 0x7ffb0000: DMA330 DMA controller: not modelled */
+    /* 0x7ffd0000: PL354 static memory controller: not modelled */
+}
+
+static const VEDBoardInfo a15_daughterboard = {
+    .motherboard_map = motherboard_aseries_map,
+    .loader_start = 0x80000000,
+    .gic_cpu_if_addr = 0x2c002000,
+    .init = a15_daughterboard_init,
+};
+
 static void vexpress_common_init(const VEDBoardInfo *daughterboard,
                                  ram_addr_t ram_size,
                                  const char *boot_device,
@@ -333,6 +453,18 @@ static void vexpress_a9_init(ram_addr_t ram_size,
                          kernel_cmdline, initrd_filename, cpu_model);
 }
 
+static void vexpress_a15_init(ram_addr_t ram_size,
+                              const char *boot_device,
+                              const char *kernel_filename,
+                              const char *kernel_cmdline,
+                              const char *initrd_filename,
+                              const char *cpu_model)
+{
+    vexpress_common_init(&a15_daughterboard,
+                         ram_size, boot_device, kernel_filename,
+                         kernel_cmdline, initrd_filename, cpu_model);
+}
+
 static QEMUMachine vexpress_a9_machine = {
     .name = "vexpress-a9",
     .desc = "ARM Versatile Express for Cortex-A9",
@@ -341,9 +473,18 @@ static QEMUMachine vexpress_a9_machine = {
     .max_cpus = 4,
 };
 
+static QEMUMachine vexpress_a15_machine = {
+    .name = "vexpress-a15",
+    .desc = "ARM Versatile Express for Cortex-A15",
+    .init = vexpress_a15_init,
+    .use_scsi = 1,
+    .max_cpus = 4,
+};
+
 static void vexpress_machine_init(void)
 {
     qemu_register_machine(&vexpress_a9_machine);
+    qemu_register_machine(&vexpress_a15_machine);
 }
 
 machine_init(vexpress_machine_init);
commit 96eacf641346bc1c432281575a265f6348a8f5c6
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:09 2012 +0000

    arm_boot: Pass base address of GIC CPU interface, not whole GIC
    
    The arm_boot secondary boot loader code needs the address of
    the GIC CPU interface. Obtaining this from the base address
    of the private peripheral region was possible for A9 and 11MPcore,
    but the A15 puts the GIC CPU interface in a different place.
    So make boards pass in the GIC CPU interface address directly.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/arm-misc.h b/hw/arm-misc.h
index 5e5204b..306013a 100644
--- a/hw/arm-misc.h
+++ b/hw/arm-misc.h
@@ -37,7 +37,7 @@ struct arm_boot_info {
      */
     target_phys_addr_t smp_loader_start;
     target_phys_addr_t smp_bootreg_addr;
-    target_phys_addr_t smp_priv_base;
+    target_phys_addr_t gic_cpu_if_addr;
     int nb_cpus;
     int board_id;
     int (*atag_board)(const struct arm_boot_info *info, void *p);
diff --git a/hw/arm_boot.c b/hw/arm_boot.c
index 34a8739..2ef25ca 100644
--- a/hw/arm_boot.c
+++ b/hw/arm_boot.c
@@ -43,16 +43,16 @@ static uint32_t bootloader[] = {
  * location for the kernel secondary CPU entry point.
  */
 static uint32_t smpboot[] = {
-  0xe59f201c, /* ldr r2, privbase */
+  0xe59f201c, /* ldr r2, gic_cpu_if */
   0xe59f001c, /* ldr r0, startaddr */
   0xe3a01001, /* mov r1, #1 */
-  0xe5821100, /* str r1, [r2, #256] */
+  0xe5821000, /* str r1, [r2] */
   0xe320f003, /* wfi */
   0xe5901000, /* ldr     r1, [r0] */
   0xe1110001, /* tst     r1, r1 */
   0x0afffffb, /* beq     <wfi> */
   0xe12fff11, /* bx      r1 */
-  0,          /* privbase: Private memory region base address.  */
+  0,          /* gic_cpu_if: base address of GIC CPU interface */
   0           /* bootreg: Boot register address is held here */
 };
 
@@ -61,7 +61,7 @@ static void default_write_secondary(CPUState *env,
 {
     int n;
     smpboot[ARRAY_SIZE(smpboot) - 1] = info->smp_bootreg_addr;
-    smpboot[ARRAY_SIZE(smpboot) - 2] = info->smp_priv_base;
+    smpboot[ARRAY_SIZE(smpboot) - 2] = info->gic_cpu_if_addr;
     for (n = 0; n < ARRAY_SIZE(smpboot); n++) {
         smpboot[n] = tswap32(smpboot[n]);
     }
diff --git a/hw/exynos4_boards.c b/hw/exynos4_boards.c
index 329efbe..553a02b 100644
--- a/hw/exynos4_boards.c
+++ b/hw/exynos4_boards.c
@@ -112,7 +112,8 @@ static Exynos4210State *exynos4_boards_init_common(
     exynos4_board_binfo.kernel_filename = kernel_filename;
     exynos4_board_binfo.initrd_filename = initrd_filename;
     exynos4_board_binfo.kernel_cmdline = kernel_cmdline;
-    exynos4_board_binfo.smp_priv_base = EXYNOS4210_SMP_PRIVATE_BASE_ADDR;
+    exynos4_board_binfo.gic_cpu_if_addr =
+            EXYNOS4210_SMP_PRIVATE_BASE_ADDR + 0x100;
 
     PRINT_DEBUG("\n ram_size: %luMiB [0x%08lx]\n"
             " kernel_filename: %s\n"
diff --git a/hw/realview.c b/hw/realview.c
index bcf982f..ae1bbcd 100644
--- a/hw/realview.c
+++ b/hw/realview.c
@@ -222,21 +222,23 @@ static void realview_init(ram_addr_t ram_size,
     sysbus_mmio_map(sysbus_from_qdev(sysctl), 0, 0x10000000);
 
     if (is_mpcore) {
+        target_phys_addr_t periphbase;
         dev = qdev_create(NULL, is_pb ? "a9mpcore_priv": "realview_mpcore");
         qdev_prop_set_uint32(dev, "num-cpu", smp_cpus);
         qdev_init_nofail(dev);
         busdev = sysbus_from_qdev(dev);
         if (is_pb) {
-            realview_binfo.smp_priv_base = 0x1f000000;
+            periphbase = 0x1f000000;
         } else {
-            realview_binfo.smp_priv_base = 0x10100000;
+            periphbase = 0x10100000;
         }
-        sysbus_mmio_map(busdev, 0, realview_binfo.smp_priv_base);
+        sysbus_mmio_map(busdev, 0, periphbase);
         for (n = 0; n < smp_cpus; n++) {
             sysbus_connect_irq(busdev, n, cpu_irq[n]);
         }
-        sysbus_create_varargs("l2x0", realview_binfo.smp_priv_base + 0x2000,
-                              NULL);
+        sysbus_create_varargs("l2x0", periphbase + 0x2000, NULL);
+        /* Both A9 and 11MPCore put the GIC CPU i/f at base + 0x100 */
+        realview_binfo.gic_cpu_if_addr = periphbase + 0x100;
     } else {
         uint32_t gic_addr = is_pb ? 0x1e000000 : 0x10040000;
         /* For now just create the nIRQ GIC, and ignore the others.  */
diff --git a/hw/vexpress.c b/hw/vexpress.c
index 43ad206..aae9d81 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -115,6 +115,7 @@ typedef void DBoardInitFn(const VEDBoardInfo *daughterboard,
 struct VEDBoardInfo {
     const target_phys_addr_t *motherboard_map;
     target_phys_addr_t loader_start;
+    const target_phys_addr_t gic_cpu_if_addr;
     DBoardInitFn *init;
 };
 
@@ -175,8 +176,7 @@ static void a9_daughterboard_init(const VEDBoardInfo *daughterboard,
     qdev_prop_set_uint32(dev, "num-cpu", smp_cpus);
     qdev_init_nofail(dev);
     busdev = sysbus_from_qdev(dev);
-    vexpress_binfo.smp_priv_base = 0x1e000000;
-    sysbus_mmio_map(busdev, 0, vexpress_binfo.smp_priv_base);
+    sysbus_mmio_map(busdev, 0, 0x1e000000);
     for (n = 0; n < smp_cpus; n++) {
         sysbus_connect_irq(busdev, n, cpu_irq[n]);
     }
@@ -214,6 +214,7 @@ static void a9_daughterboard_init(const VEDBoardInfo *daughterboard,
 static const VEDBoardInfo a9_daughterboard = {
     .motherboard_map = motherboard_legacy_map,
     .loader_start = 0x60000000,
+    .gic_cpu_if_addr = 0x1e000100,
     .init = a9_daughterboard_init,
 };
 
@@ -316,6 +317,7 @@ static void vexpress_common_init(const VEDBoardInfo *daughterboard,
     vexpress_binfo.loader_start = daughterboard->loader_start;
     vexpress_binfo.smp_loader_start = map[VE_SRAM];
     vexpress_binfo.smp_bootreg_addr = map[VE_SYSREGS] + 0x30;
+    vexpress_binfo.gic_cpu_if_addr = daughterboard->gic_cpu_if_addr;
     arm_load_kernel(first_cpu, &vexpress_binfo);
 }
 
commit b7206878680f1e77031dacb420ef2c630a6b6257
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:09 2012 +0000

    hw/vexpress.c: Instantiate the motherboard CLCD
    
    Instantiate the CLCD on the vexpress motherboard as well as one on
    the daughterboard -- the A15 daughterboard does not have a CLCD
    and so relies on the motherboard one.
    
    At the moment QEMU doesn't provide infrastructure for selecting
    which display device gets to actually show graphics -- the first
    one registered is it. Fortunately this works for the major use
    case (Linux): if the daughterboard has a CLCD it will come first
    and be used, otherwise we fall back to the motherboard CLCD.
    So we don't (currently) need to implement the control register
    which allows software to tell the mux which video output to pass
    through to the outside world.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Andreas Färber <afaerber at suse.de>

diff --git a/hw/vexpress.c b/hw/vexpress.c
index 8239ea1..43ad206 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -282,7 +282,7 @@ static void vexpress_common_init(const VEDBoardInfo *daughterboard,
 
     /* VE_COMPACTFLASH: not modelled */
 
-    /* VE_CLCD: not modelled (we use the daughterboard CLCD only) */
+    sysbus_create_simple("pl111", map[VE_CLCD], pic[14]);
 
     /* VE_NORFLASH0: not modelled */
     /* VE_NORFLASH0ALIAS: not modelled */
commit 4c3b29b8ad22857b1bb8e28cb17eabd108d9b978
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:09 2012 +0000

    hw/vexpress.c: Factor out daughterboard-specific initialization
    
    Factor out daughterboard specifics into a data structure and
    daughterboard initialization function, in preparation for adding
    vexpress-a15 support.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/vexpress.c b/hw/vexpress.c
index 6d8eee2..8239ea1 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -103,32 +103,43 @@ static target_phys_addr_t motherboard_legacy_map[] = {
     [VE_USB] = 0x4f000000,
 };
 
-static void vexpress_a9_init(ram_addr_t ram_size,
-                     const char *boot_device,
-                     const char *kernel_filename, const char *kernel_cmdline,
-                     const char *initrd_filename, const char *cpu_model)
+/* Structure defining the peculiarities of a specific daughterboard */
+
+typedef struct VEDBoardInfo VEDBoardInfo;
+
+typedef void DBoardInitFn(const VEDBoardInfo *daughterboard,
+                          ram_addr_t ram_size,
+                          const char *cpu_model,
+                          qemu_irq *pic, uint32_t *proc_id);
+
+struct VEDBoardInfo {
+    const target_phys_addr_t *motherboard_map;
+    target_phys_addr_t loader_start;
+    DBoardInitFn *init;
+};
+
+static void a9_daughterboard_init(const VEDBoardInfo *daughterboard,
+                                  ram_addr_t ram_size,
+                                  const char *cpu_model,
+                                  qemu_irq *pic, uint32_t *proc_id)
 {
     CPUState *env = NULL;
     MemoryRegion *sysmem = get_system_memory();
     MemoryRegion *ram = g_new(MemoryRegion, 1);
     MemoryRegion *lowram = g_new(MemoryRegion, 1);
-    MemoryRegion *vram = g_new(MemoryRegion, 1);
-    MemoryRegion *sram = g_new(MemoryRegion, 1);
-    DeviceState *dev, *sysctl, *pl041;
+    DeviceState *dev;
     SysBusDevice *busdev;
     qemu_irq *irqp;
-    qemu_irq pic[64];
     int n;
     qemu_irq cpu_irq[4];
-    uint32_t proc_id;
-    uint32_t sys_id;
-    ram_addr_t low_ram_size, vram_size, sram_size;
-    target_phys_addr_t *map = motherboard_legacy_map;
+    ram_addr_t low_ram_size;
 
     if (!cpu_model) {
         cpu_model = "cortex-a9";
     }
 
+    *proc_id = 0x0c000191;
+
     for (n = 0; n < smp_cpus; n++) {
         env = cpu_init(cpu_model);
         if (!env) {
@@ -141,7 +152,7 @@ static void vexpress_a9_init(ram_addr_t ram_size,
 
     if (ram_size > 0x40000000) {
         /* 1GB is the maximum the address space permits */
-        fprintf(stderr, "vexpress: cannot model more than 1GB RAM\n");
+        fprintf(stderr, "vexpress-a9: cannot model more than 1GB RAM\n");
         exit(1);
     }
 
@@ -179,12 +190,58 @@ static void vexpress_a9_init(ram_addr_t ram_size,
         pic[n] = qdev_get_gpio_in(dev, n);
     }
 
+    /* Daughterboard peripherals : 0x10020000 .. 0x20000000 */
+
+    /* 0x10020000 PL111 CLCD (daughterboard) */
+    sysbus_create_simple("pl111", 0x10020000, pic[44]);
+
+    /* 0x10060000 AXI RAM */
+    /* 0x100e0000 PL341 Dynamic Memory Controller */
+    /* 0x100e1000 PL354 Static Memory Controller */
+    /* 0x100e2000 System Configuration Controller */
+
+    sysbus_create_simple("sp804", 0x100e4000, pic[48]);
+    /* 0x100e5000 SP805 Watchdog module */
+    /* 0x100e6000 BP147 TrustZone Protection Controller */
+    /* 0x100e9000 PL301 'Fast' AXI matrix */
+    /* 0x100ea000 PL301 'Slow' AXI matrix */
+    /* 0x100ec000 TrustZone Address Space Controller */
+    /* 0x10200000 CoreSight debug APB */
+    /* 0x1e00a000 PL310 L2 Cache Controller */
+    sysbus_create_varargs("l2x0", 0x1e00a000, NULL);
+}
+
+static const VEDBoardInfo a9_daughterboard = {
+    .motherboard_map = motherboard_legacy_map,
+    .loader_start = 0x60000000,
+    .init = a9_daughterboard_init,
+};
+
+static void vexpress_common_init(const VEDBoardInfo *daughterboard,
+                                 ram_addr_t ram_size,
+                                 const char *boot_device,
+                                 const char *kernel_filename,
+                                 const char *kernel_cmdline,
+                                 const char *initrd_filename,
+                                 const char *cpu_model)
+{
+    DeviceState *dev, *sysctl, *pl041;
+    qemu_irq pic[64];
+    uint32_t proc_id;
+    uint32_t sys_id;
+    ram_addr_t vram_size, sram_size;
+    MemoryRegion *sysmem = get_system_memory();
+    MemoryRegion *vram = g_new(MemoryRegion, 1);
+    MemoryRegion *sram = g_new(MemoryRegion, 1);
+    const target_phys_addr_t *map = daughterboard->motherboard_map;
+
+    daughterboard->init(daughterboard, ram_size, cpu_model, pic, &proc_id);
+
     /* Motherboard peripherals: the wiring is the same but the
      * addresses vary between the legacy and A-Series memory maps.
      */
 
     sys_id = 0x1190f500;
-    proc_id = 0x0c000191;
 
     sysctl = qdev_create(NULL, "realview_sysctl");
     qdev_prop_set_uint32(sysctl, "sys_id", sys_id);
@@ -227,26 +284,6 @@ static void vexpress_a9_init(ram_addr_t ram_size,
 
     /* VE_CLCD: not modelled (we use the daughterboard CLCD only) */
 
-    /* Daughterboard peripherals : 0x10020000 .. 0x20000000 */
-
-    /* 0x10020000 PL111 CLCD (daughterboard) */
-    sysbus_create_simple("pl111", 0x10020000, pic[44]);
-
-    /* 0x10060000 AXI RAM */
-    /* 0x100e0000 PL341 Dynamic Memory Controller */
-    /* 0x100e1000 PL354 Static Memory Controller */
-    /* 0x100e2000 System Configuration Controller */
-
-    sysbus_create_simple("sp804", 0x100e4000, pic[48]);
-    /* 0x100e5000 SP805 Watchdog module */
-    /* 0x100e6000 BP147 TrustZone Protection Controller */
-    /* 0x100e9000 PL301 'Fast' AXI matrix */
-    /* 0x100ea000 PL301 'Slow' AXI matrix */
-    /* 0x100ec000 TrustZone Address Space Controller */
-    /* 0x10200000 CoreSight debug APB */
-    /* 0x1e00a000 PL310 L2 Cache Controller */
-    sysbus_create_varargs("l2x0", 0x1e00a000, NULL);
-
     /* VE_NORFLASH0: not modelled */
     /* VE_NORFLASH0ALIAS: not modelled */
     /* VE_NORFLASH1: not modelled */
@@ -276,12 +313,23 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     vexpress_binfo.initrd_filename = initrd_filename;
     vexpress_binfo.nb_cpus = smp_cpus;
     vexpress_binfo.board_id = VEXPRESS_BOARD_ID;
-    vexpress_binfo.loader_start = 0x60000000;
+    vexpress_binfo.loader_start = daughterboard->loader_start;
     vexpress_binfo.smp_loader_start = map[VE_SRAM];
     vexpress_binfo.smp_bootreg_addr = map[VE_SYSREGS] + 0x30;
     arm_load_kernel(first_cpu, &vexpress_binfo);
 }
 
+static void vexpress_a9_init(ram_addr_t ram_size,
+                             const char *boot_device,
+                             const char *kernel_filename,
+                             const char *kernel_cmdline,
+                             const char *initrd_filename,
+                             const char *cpu_model)
+{
+    vexpress_common_init(&a9_daughterboard,
+                         ram_size, boot_device, kernel_filename,
+                         kernel_cmdline, initrd_filename, cpu_model);
+}
 
 static QEMUMachine vexpress_a9_machine = {
     .name = "vexpress-a9",
commit aac1e02c1d4b6d02f35a199a454fd46416380ff5
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:08 2012 +0000

    hw/vexpress.c: Move secondary CPU boot code to SRAM
    
    On real Versatile Express hardware, the boot ROM puts the secondary
    CPU bootcode/holding pen in SRAM. We can therefore rely on Linux not
    trashing this memory until secondary CPUs have booted up, and can
    put our QEMU-specific pen code in the same place. This allows us to
    drop the odd "hack" RAM page we were using before.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/vexpress.c b/hw/vexpress.c
index 38ae05f..6d8eee2 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -30,13 +30,9 @@
 #include "boards.h"
 #include "exec-memory.h"
 
-#define SMP_BOOT_ADDR 0xe0000000
-
 #define VEXPRESS_BOARD_ID 0x8e0
 
-static struct arm_boot_info vexpress_binfo = {
-    .smp_loader_start = SMP_BOOT_ADDR,
-};
+static struct arm_boot_info vexpress_binfo;
 
 /* Address maps for peripherals:
  * the Versatile Express motherboard has two possible maps,
@@ -118,7 +114,6 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     MemoryRegion *lowram = g_new(MemoryRegion, 1);
     MemoryRegion *vram = g_new(MemoryRegion, 1);
     MemoryRegion *sram = g_new(MemoryRegion, 1);
-    MemoryRegion *hackram = g_new(MemoryRegion, 1);
     DeviceState *dev, *sysctl, *pl041;
     SysBusDevice *busdev;
     qemu_irq *irqp;
@@ -275,14 +270,6 @@ static void vexpress_a9_init(ram_addr_t ram_size,
 
     /* VE_DAPROM: not modelled */
 
-    /* ??? Hack to map an additional page of ram for the secondary CPU
-       startup code.  I guess this works on real hardware because the
-       BootROM happens to be in ROM/flash or in memory that isn't clobbered
-       until after Linux boots the secondary CPUs.  */
-    memory_region_init_ram(hackram, "vexpress.hack", 0x1000);
-    vmstate_register_ram_global(hackram);
-    memory_region_add_subregion(sysmem, SMP_BOOT_ADDR, hackram);
-
     vexpress_binfo.ram_size = ram_size;
     vexpress_binfo.kernel_filename = kernel_filename;
     vexpress_binfo.kernel_cmdline = kernel_cmdline;
@@ -290,6 +277,7 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     vexpress_binfo.nb_cpus = smp_cpus;
     vexpress_binfo.board_id = VEXPRESS_BOARD_ID;
     vexpress_binfo.loader_start = 0x60000000;
+    vexpress_binfo.smp_loader_start = map[VE_SRAM];
     vexpress_binfo.smp_bootreg_addr = map[VE_SYSREGS] + 0x30;
     arm_load_kernel(first_cpu, &vexpress_binfo);
 }
commit 2558e0a67b5573cfd29c9346350ac5d5dc6f866f
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:08 2012 +0000

    hw/vexpress.c: Make motherboard peripheral memory map table-driven
    
    Pull the addresses used for mapping motherboard peripherals into
    memory out into a table. This will allow us to simply provide a
    second table to implement the "Cortex-A Series" memory map used by
    the A15 variant of Versatile Express, as well as the current
    "Legacy" map used by A9.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Andreas Färber <afaerber at suse.de>

diff --git a/hw/vexpress.c b/hw/vexpress.c
index 43f47a6..38ae05f 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -31,13 +31,80 @@
 #include "exec-memory.h"
 
 #define SMP_BOOT_ADDR 0xe0000000
-#define SMP_BOOTREG_ADDR 0x10000030
 
 #define VEXPRESS_BOARD_ID 0x8e0
 
 static struct arm_boot_info vexpress_binfo = {
     .smp_loader_start = SMP_BOOT_ADDR,
-    .smp_bootreg_addr = SMP_BOOTREG_ADDR,
+};
+
+/* Address maps for peripherals:
+ * the Versatile Express motherboard has two possible maps,
+ * the "legacy" one (used for A9) and the "Cortex-A Series"
+ * map (used for newer cores).
+ * Individual daughterboards can also have different maps for
+ * their peripherals.
+ */
+
+enum {
+    VE_SYSREGS,
+    VE_SP810,
+    VE_SERIALPCI,
+    VE_PL041,
+    VE_MMCI,
+    VE_KMI0,
+    VE_KMI1,
+    VE_UART0,
+    VE_UART1,
+    VE_UART2,
+    VE_UART3,
+    VE_WDT,
+    VE_TIMER01,
+    VE_TIMER23,
+    VE_SERIALDVI,
+    VE_RTC,
+    VE_COMPACTFLASH,
+    VE_CLCD,
+    VE_NORFLASH0,
+    VE_NORFLASH0ALIAS,
+    VE_NORFLASH1,
+    VE_SRAM,
+    VE_VIDEORAM,
+    VE_ETHERNET,
+    VE_USB,
+    VE_DAPROM,
+};
+
+static target_phys_addr_t motherboard_legacy_map[] = {
+    /* CS7: 0x10000000 .. 0x10020000 */
+    [VE_SYSREGS] = 0x10000000,
+    [VE_SP810] = 0x10001000,
+    [VE_SERIALPCI] = 0x10002000,
+    [VE_PL041] = 0x10004000,
+    [VE_MMCI] = 0x10005000,
+    [VE_KMI0] = 0x10006000,
+    [VE_KMI1] = 0x10007000,
+    [VE_UART0] = 0x10009000,
+    [VE_UART1] = 0x1000a000,
+    [VE_UART2] = 0x1000b000,
+    [VE_UART3] = 0x1000c000,
+    [VE_WDT] = 0x1000f000,
+    [VE_TIMER01] = 0x10011000,
+    [VE_TIMER23] = 0x10012000,
+    [VE_SERIALDVI] = 0x10016000,
+    [VE_RTC] = 0x10017000,
+    [VE_COMPACTFLASH] = 0x1001a000,
+    [VE_CLCD] = 0x1001f000,
+    /* CS0: 0x40000000 .. 0x44000000 */
+    [VE_NORFLASH0] = 0x40000000,
+    /* CS1: 0x44000000 .. 0x48000000 */
+    [VE_NORFLASH1] = 0x44000000,
+    /* CS2: 0x48000000 .. 0x4a000000 */
+    [VE_SRAM] = 0x48000000,
+    /* CS3: 0x4c000000 .. 0x50000000 */
+    [VE_VIDEORAM] = 0x4c000000,
+    [VE_ETHERNET] = 0x4e000000,
+    [VE_USB] = 0x4f000000,
 };
 
 static void vexpress_a9_init(ram_addr_t ram_size,
@@ -61,6 +128,7 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     uint32_t proc_id;
     uint32_t sys_id;
     ram_addr_t low_ram_size, vram_size, sram_size;
+    target_phys_addr_t *map = motherboard_legacy_map;
 
     if (!cpu_model) {
         cpu_model = "cortex-a9";
@@ -116,53 +184,53 @@ static void vexpress_a9_init(ram_addr_t ram_size,
         pic[n] = qdev_get_gpio_in(dev, n);
     }
 
-    /* Motherboard peripherals CS7 : 0x10000000 .. 0x10020000 */
+    /* Motherboard peripherals: the wiring is the same but the
+     * addresses vary between the legacy and A-Series memory maps.
+     */
+
     sys_id = 0x1190f500;
     proc_id = 0x0c000191;
 
-    /* 0x10000000 System registers */
     sysctl = qdev_create(NULL, "realview_sysctl");
     qdev_prop_set_uint32(sysctl, "sys_id", sys_id);
     qdev_prop_set_uint32(sysctl, "proc_id", proc_id);
     qdev_init_nofail(sysctl);
-    sysbus_mmio_map(sysbus_from_qdev(sysctl), 0, 0x10000000);
+    sysbus_mmio_map(sysbus_from_qdev(sysctl), 0, map[VE_SYSREGS]);
+
+    /* VE_SP810: not modelled */
+    /* VE_SERIALPCI: not modelled */
 
-    /* 0x10001000 SP810 system control */
-    /* 0x10002000 serial bus PCI */
-    /* 0x10004000 PL041 audio */
     pl041 = qdev_create(NULL, "pl041");
     qdev_prop_set_uint32(pl041, "nc_fifo_depth", 512);
     qdev_init_nofail(pl041);
-    sysbus_mmio_map(sysbus_from_qdev(pl041), 0, 0x10004000);
+    sysbus_mmio_map(sysbus_from_qdev(pl041), 0, map[VE_PL041]);
     sysbus_connect_irq(sysbus_from_qdev(pl041), 0, pic[11]);
 
-    dev = sysbus_create_varargs("pl181", 0x10005000, pic[9], pic[10], NULL);
+    dev = sysbus_create_varargs("pl181", map[VE_MMCI], pic[9], pic[10], NULL);
     /* Wire up MMC card detect and read-only signals */
     qdev_connect_gpio_out(dev, 0,
                           qdev_get_gpio_in(sysctl, ARM_SYSCTL_GPIO_MMC_WPROT));
     qdev_connect_gpio_out(dev, 1,
                           qdev_get_gpio_in(sysctl, ARM_SYSCTL_GPIO_MMC_CARDIN));
 
-    sysbus_create_simple("pl050_keyboard", 0x10006000, pic[12]);
-    sysbus_create_simple("pl050_mouse", 0x10007000, pic[13]);
-
-    sysbus_create_simple("pl011", 0x10009000, pic[5]);
-    sysbus_create_simple("pl011", 0x1000a000, pic[6]);
-    sysbus_create_simple("pl011", 0x1000b000, pic[7]);
-    sysbus_create_simple("pl011", 0x1000c000, pic[8]);
+    sysbus_create_simple("pl050_keyboard", map[VE_KMI0], pic[12]);
+    sysbus_create_simple("pl050_mouse", map[VE_KMI1], pic[13]);
 
-    /* 0x1000f000 SP805 WDT */
+    sysbus_create_simple("pl011", map[VE_UART0], pic[5]);
+    sysbus_create_simple("pl011", map[VE_UART1], pic[6]);
+    sysbus_create_simple("pl011", map[VE_UART2], pic[7]);
+    sysbus_create_simple("pl011", map[VE_UART3], pic[8]);
 
-    sysbus_create_simple("sp804", 0x10011000, pic[2]);
-    sysbus_create_simple("sp804", 0x10012000, pic[3]);
+    sysbus_create_simple("sp804", map[VE_TIMER01], pic[2]);
+    sysbus_create_simple("sp804", map[VE_TIMER23], pic[3]);
 
-    /* 0x10016000 Serial Bus DVI */
+    /* VE_SERIALDVI: not modelled */
 
-    sysbus_create_simple("pl031", 0x10017000, pic[4]); /* RTC */
+    sysbus_create_simple("pl031", map[VE_RTC], pic[4]); /* RTC */
 
-    /* 0x1001a000 Compact Flash */
+    /* VE_COMPACTFLASH: not modelled */
 
-    /* 0x1001f000 PL111 CLCD (motherboard) */
+    /* VE_CLCD: not modelled (we use the daughterboard CLCD only) */
 
     /* Daughterboard peripherals : 0x10020000 .. 0x20000000 */
 
@@ -184,28 +252,28 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     /* 0x1e00a000 PL310 L2 Cache Controller */
     sysbus_create_varargs("l2x0", 0x1e00a000, NULL);
 
-    /* CS0: NOR0 flash          : 0x40000000 .. 0x44000000 */
-    /* CS4: NOR1 flash          : 0x44000000 .. 0x48000000 */
-    /* CS2: SRAM                : 0x48000000 .. 0x4a000000 */
+    /* VE_NORFLASH0: not modelled */
+    /* VE_NORFLASH0ALIAS: not modelled */
+    /* VE_NORFLASH1: not modelled */
+
     sram_size = 0x2000000;
     memory_region_init_ram(sram, "vexpress.sram", sram_size);
     vmstate_register_ram_global(sram);
-    memory_region_add_subregion(sysmem, 0x48000000, sram);
-
-    /* CS3: USB, ethernet, VRAM : 0x4c000000 .. 0x50000000 */
+    memory_region_add_subregion(sysmem, map[VE_SRAM], sram);
 
-    /* 0x4c000000 Video RAM */
     vram_size = 0x800000;
     memory_region_init_ram(vram, "vexpress.vram", vram_size);
     vmstate_register_ram_global(vram);
-    memory_region_add_subregion(sysmem, 0x4c000000, vram);
+    memory_region_add_subregion(sysmem, map[VE_VIDEORAM], vram);
 
     /* 0x4e000000 LAN9118 Ethernet */
     if (nd_table[0].vlan) {
-        lan9118_init(&nd_table[0], 0x4e000000, pic[15]);
+        lan9118_init(&nd_table[0], map[VE_ETHERNET], pic[15]);
     }
 
-    /* 0x4f000000 ISP1761 USB */
+    /* VE_USB: not modelled */
+
+    /* VE_DAPROM: not modelled */
 
     /* ??? Hack to map an additional page of ram for the secondary CPU
        startup code.  I guess this works on real hardware because the
@@ -222,6 +290,7 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     vexpress_binfo.nb_cpus = smp_cpus;
     vexpress_binfo.board_id = VEXPRESS_BOARD_ID;
     vexpress_binfo.loader_start = 0x60000000;
+    vexpress_binfo.smp_bootreg_addr = map[VE_SYSREGS] + 0x30;
     arm_load_kernel(first_cpu, &vexpress_binfo);
 }
 
commit 5d782e0805b4d216909b21883dcd513c3061aa3d
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 16 09:56:07 2012 +0000

    hw/a15mpcore.c: Add Cortex-A15 private peripheral model
    
    Add a model of the Cortex-A15 memory mapped private peripheral
    space. This is fairly simple because the only memory mapped
    bit of the A15 is the GIC.
    
    Note that we don't currently model a VGIC and therefore don't
    map the VGIC related bits of the GIC.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index 2defdc4..651500e 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -348,7 +348,7 @@ obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
 obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
 obj-arm-y += exynos4210_pmu.o exynos4210_mct.o exynos4210_fimd.o
 obj-arm-y += arm_l2x0.o
-obj-arm-y += arm_mptimer.o
+obj-arm-y += arm_mptimer.o a15mpcore.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
 obj-arm-y += highbank.o
 obj-arm-y += pl061.o
diff --git a/hw/a15mpcore.c b/hw/a15mpcore.c
new file mode 100644
index 0000000..71142e5
--- /dev/null
+++ b/hw/a15mpcore.c
@@ -0,0 +1,103 @@
+/*
+ * Cortex-A15MPCore internal peripheral emulation.
+ *
+ * Copyright (c) 2012 Linaro Limited.
+ * Written by Peter Maydell.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sysbus.h"
+
+/* Configuration for arm_gic.c:
+ * max number of CPUs, how to ID current CPU
+ */
+#define NCPU 4
+
+static inline int gic_get_current_cpu(void)
+{
+  return cpu_single_env->cpu_index;
+}
+
+#include "arm_gic.c"
+
+/* A15MP private memory region.  */
+
+typedef struct A15MPPrivState {
+    gic_state gic;
+    uint32_t num_cpu;
+    uint32_t num_irq;
+    MemoryRegion container;
+} A15MPPrivState;
+
+static int a15mp_priv_init(SysBusDevice *dev)
+{
+    A15MPPrivState *s = FROM_SYSBUSGIC(A15MPPrivState, dev);
+
+    if (s->num_cpu > NCPU) {
+        hw_error("a15mp_priv_init: num-cpu may not be more than %d\n", NCPU);
+    }
+
+    gic_init(&s->gic, s->num_cpu, s->num_irq);
+
+    /* Memory map (addresses are offsets from PERIPHBASE):
+     *  0x0000-0x0fff -- reserved
+     *  0x1000-0x1fff -- GIC Distributor
+     *  0x2000-0x2fff -- GIC CPU interface
+     *  0x4000-0x4fff -- GIC virtual interface control (not modelled)
+     *  0x5000-0x5fff -- GIC virtual interface control (not modelled)
+     *  0x6000-0x7fff -- GIC virtual CPU interface (not modelled)
+     */
+    memory_region_init(&s->container, "a15mp-priv-container", 0x8000);
+    memory_region_add_subregion(&s->container, 0x1000, &s->gic.iomem);
+    memory_region_add_subregion(&s->container, 0x2000, &s->gic.cpuiomem[0]);
+
+    sysbus_init_mmio(dev, &s->container);
+    return 0;
+}
+
+static Property a15mp_priv_properties[] = {
+    DEFINE_PROP_UINT32("num-cpu", A15MPPrivState, num_cpu, 1),
+    /* The Cortex-A15MP may have anything from 0 to 224 external interrupt
+     * IRQ lines (with another 32 internal). We default to 64+32, which
+     * is the number provided by the Cortex-A15MP test chip in the
+     * Versatile Express A15 development board.
+     * Other boards may differ and should set this property appropriately.
+     */
+    DEFINE_PROP_UINT32("num-irq", A15MPPrivState, num_irq, 96),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void a15mp_priv_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+    k->init = a15mp_priv_init;
+    dc->props = a15mp_priv_properties;
+    /* We currently have no savable state outside the common GIC state */
+}
+
+static TypeInfo a15mp_priv_info = {
+    .name  = "a15mpcore_priv",
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size  = sizeof(A15MPPrivState),
+    .class_init = a15mp_priv_class_init,
+};
+
+static void a15mp_register_types(void)
+{
+    type_register_static(&a15mp_priv_info);
+}
+
+type_init(a15mp_register_types)
commit fc63dcff46a2979ad998ff67c982f69d49691b7d
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:06 2012 +0000

    MAINTAINERS: Add maintainers for Exynos SOC.
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Acked-by: Andreas Färber <afaerber at suse.de>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/MAINTAINERS b/MAINTAINERS
index 173e893..e55ea0f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -183,6 +183,14 @@ F: *win32*
 
 ARM Machines
 ------------
+Exynos
+M: Evgeny Voevodin <e.voevodin at samsung.com>
+M: Maksim Kozlov <m.kozlov at samsung.com>
+M: Igor Mitsyanko <i.mitsyanko at samsung.com>
+M: Dmitry Solodkiy <d.solodkiy at samsung.com>
+S: Maintained
+F: hw/exynos*
+
 Gumstix
 M: qemu-devel at nongnu.org
 S: Orphan
commit 30628cb12de2e35d87cb04194113341b6a8922b2
Author: Mitsyanko Igor <i.mitsyanko at samsung.com>
Date:   Thu Feb 16 09:56:06 2012 +0000

    Exynos4210: added display controller implementation
    
    Exynos4210 display controller (FIMD) has 5 hardware windows with alpha and
    chroma key blending functions.
    
    Signed-off-by: Mitsyanko Igor <i.mitsyanko at samsung.com>
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index 6ceff54..2defdc4 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -346,7 +346,7 @@ obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
 obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
 obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
-obj-arm-y += exynos4210_pmu.o exynos4210_mct.o
+obj-arm-y += exynos4210_pmu.o exynos4210_mct.o exynos4210_fimd.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.c b/hw/exynos4210.c
index 558f669..f904370 100644
--- a/hw/exynos4210.c
+++ b/hw/exynos4210.c
@@ -58,6 +58,9 @@
 /* PMU SFR base address */
 #define EXYNOS4210_PMU_BASE_ADDR            0x10020000
 
+/* Display controllers (FIMD) */
+#define EXYNOS4210_FIMD0_BASE_ADDR          0x11C00000
+
 static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
                                     0x09, 0x00, 0x00, 0x00 };
 
@@ -256,5 +259,12 @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
                            EXYNOS4210_UART3_FIFO_SIZE, 3, NULL,
                   s->irq_table[exynos4210_get_irq(EXYNOS4210_UART_INT_GRP, 3)]);
 
+    /*** Display controller (FIMD) ***/
+    sysbus_create_varargs("exynos4210.fimd", EXYNOS4210_FIMD0_BASE_ADDR,
+            s->irq_table[exynos4210_get_irq(11, 0)],
+            s->irq_table[exynos4210_get_irq(11, 1)],
+            s->irq_table[exynos4210_get_irq(11, 2)],
+            NULL);
+
     return s;
 }
diff --git a/hw/exynos4210_fimd.c b/hw/exynos4210_fimd.c
new file mode 100644
index 0000000..3313f00
--- /dev/null
+++ b/hw/exynos4210_fimd.c
@@ -0,0 +1,1928 @@
+/*
+ * Samsung exynos4210 Display Controller (FIMD)
+ *
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd.
+ * All rights reserved.
+ * Based on LCD controller for Samsung S5PC1xx-based board emulation
+ * by Kirill Batuzov <batuzovk at ispras.ru>
+ *
+ * Contributed by Mitsyanko Igor <i.mitsyanko at samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu-common.h"
+#include "cpu-all.h"
+#include "sysbus.h"
+#include "console.h"
+#include "pixel_ops.h"
+#include "bswap.h"
+
+/* Debug messages configuration */
+#define EXYNOS4210_FIMD_DEBUG              0
+#define EXYNOS4210_FIMD_MODE_TRACE         0
+
+#if EXYNOS4210_FIMD_DEBUG == 0
+    #define DPRINT_L1(fmt, args...)       do { } while (0)
+    #define DPRINT_L2(fmt, args...)       do { } while (0)
+    #define DPRINT_ERROR(fmt, args...)    do { } while (0)
+#elif EXYNOS4210_FIMD_DEBUG == 1
+    #define DPRINT_L1(fmt, args...) \
+        do {fprintf(stderr, "QEMU FIMD: "fmt, ## args); } while (0)
+    #define DPRINT_L2(fmt, args...)       do { } while (0)
+    #define DPRINT_ERROR(fmt, args...)  \
+        do {fprintf(stderr, "QEMU FIMD ERROR: "fmt, ## args); } while (0)
+#else
+    #define DPRINT_L1(fmt, args...) \
+        do {fprintf(stderr, "QEMU FIMD: "fmt, ## args); } while (0)
+    #define DPRINT_L2(fmt, args...) \
+        do {fprintf(stderr, "QEMU FIMD: "fmt, ## args); } while (0)
+    #define DPRINT_ERROR(fmt, args...)  \
+        do {fprintf(stderr, "QEMU FIMD ERROR: "fmt, ## args); } while (0)
+#endif
+
+#if EXYNOS4210_FIMD_MODE_TRACE == 0
+    #define DPRINT_TRACE(fmt, args...)        do { } while (0)
+#else
+    #define DPRINT_TRACE(fmt, args...)        \
+        do {fprintf(stderr, "QEMU FIMD: "fmt, ## args); } while (0)
+#endif
+
+#define NUM_OF_WINDOWS              5
+#define FIMD_REGS_SIZE              0x4114
+
+/* Video main control registers */
+#define FIMD_VIDCON0                0x0000
+#define FIMD_VIDCON1                0x0004
+#define FIMD_VIDCON2                0x0008
+#define FIMD_VIDCON3                0x000C
+#define FIMD_VIDCON0_ENVID_F        (1 << 0)
+#define FIMD_VIDCON0_ENVID          (1 << 1)
+#define FIMD_VIDCON0_ENVID_MASK     ((1 << 0) | (1 << 1))
+#define FIMD_VIDCON1_ROMASK         0x07FFE000
+
+/* Video time control registers */
+#define FIMD_VIDTCON_START          0x10
+#define FIMD_VIDTCON_END            0x1C
+#define FIMD_VIDTCON2_SIZE_MASK     0x07FF
+#define FIMD_VIDTCON2_HOR_SHIFT     0
+#define FIMD_VIDTCON2_VER_SHIFT     11
+
+/* Window control registers */
+#define FIMD_WINCON_START           0x0020
+#define FIMD_WINCON_END             0x0030
+#define FIMD_WINCON_ROMASK          0x82200000
+#define FIMD_WINCON_ENWIN           (1 << 0)
+#define FIMD_WINCON_BLD_PIX         (1 << 6)
+#define FIMD_WINCON_ALPHA_MUL       (1 << 7)
+#define FIMD_WINCON_ALPHA_SEL       (1 << 1)
+#define FIMD_WINCON_SWAP            0x078000
+#define FIMD_WINCON_SWAP_SHIFT      15
+#define FIMD_WINCON_SWAP_WORD       0x1
+#define FIMD_WINCON_SWAP_HWORD      0x2
+#define FIMD_WINCON_SWAP_BYTE       0x4
+#define FIMD_WINCON_SWAP_BITS       0x8
+#define FIMD_WINCON_BUFSTAT_L       (1 << 21)
+#define FIMD_WINCON_BUFSTAT_H       (1 << 31)
+#define FIMD_WINCON_BUFSTATUS       ((1 << 21) | (1 << 31))
+#define FIMD_WINCON_BUF0_STAT       ((0 << 21) | (0 << 31))
+#define FIMD_WINCON_BUF1_STAT       ((1 << 21) | (0 << 31))
+#define FIMD_WINCON_BUF2_STAT       ((0 << 21) | (1 << 31))
+#define FIMD_WINCON_BUFSELECT       ((1 << 20) | (1 << 30))
+#define FIMD_WINCON_BUF0_SEL        ((0 << 20) | (0 << 30))
+#define FIMD_WINCON_BUF1_SEL        ((1 << 20) | (0 << 30))
+#define FIMD_WINCON_BUF2_SEL        ((0 << 20) | (1 << 30))
+#define FIMD_WINCON_BUFMODE         (1 << 14)
+#define IS_PALETTIZED_MODE(w)       (w->wincon & 0xC)
+#define PAL_MODE_WITH_ALPHA(x)       ((x) == 7)
+#define WIN_BPP_MODE(w)             ((w->wincon >> 2) & 0xF)
+#define WIN_BPP_MODE_WITH_ALPHA(w)     \
+    (WIN_BPP_MODE(w) == 0xD || WIN_BPP_MODE(w) == 0xE)
+
+/* Shadow control register */
+#define FIMD_SHADOWCON              0x0034
+#define FIMD_WINDOW_PROTECTED(s, w) ((s) & (1 << (10 + (w))))
+/* Channel mapping control register */
+#define FIMD_WINCHMAP               0x003C
+
+/* Window position control registers */
+#define FIMD_VIDOSD_START           0x0040
+#define FIMD_VIDOSD_END             0x0088
+#define FIMD_VIDOSD_COORD_MASK      0x07FF
+#define FIMD_VIDOSD_HOR_SHIFT       11
+#define FIMD_VIDOSD_VER_SHIFT       0
+#define FIMD_VIDOSD_ALPHA_AEN0      0xFFF000
+#define FIMD_VIDOSD_AEN0_SHIFT      12
+#define FIMD_VIDOSD_ALPHA_AEN1      0x000FFF
+
+/* Frame buffer address registers */
+#define FIMD_VIDWADD0_START         0x00A0
+#define FIMD_VIDWADD0_END           0x00C4
+#define FIMD_VIDWADD0_END           0x00C4
+#define FIMD_VIDWADD1_START         0x00D0
+#define FIMD_VIDWADD1_END           0x00F4
+#define FIMD_VIDWADD2_START         0x0100
+#define FIMD_VIDWADD2_END           0x0110
+#define FIMD_VIDWADD2_PAGEWIDTH     0x1FFF
+#define FIMD_VIDWADD2_OFFSIZE       0x1FFF
+#define FIMD_VIDWADD2_OFFSIZE_SHIFT 13
+#define FIMD_VIDW0ADD0_B2           0x20A0
+#define FIMD_VIDW4ADD0_B2           0x20C0
+
+/* Video interrupt control registers */
+#define FIMD_VIDINTCON0             0x130
+#define FIMD_VIDINTCON1             0x134
+
+/* Window color key registers */
+#define FIMD_WKEYCON_START          0x140
+#define FIMD_WKEYCON_END            0x15C
+#define FIMD_WKEYCON0_COMPKEY       0x00FFFFFF
+#define FIMD_WKEYCON0_CTL_SHIFT     24
+#define FIMD_WKEYCON0_DIRCON        (1 << 24)
+#define FIMD_WKEYCON0_KEYEN         (1 << 25)
+#define FIMD_WKEYCON0_KEYBLEN       (1 << 26)
+/* Window color key alpha control register */
+#define FIMD_WKEYALPHA_START        0x160
+#define FIMD_WKEYALPHA_END          0x16C
+
+/* Dithering control register */
+#define FIMD_DITHMODE               0x170
+
+/* Window alpha control registers */
+#define FIMD_VIDALPHA_ALPHA_LOWER   0x000F0F0F
+#define FIMD_VIDALPHA_ALPHA_UPPER   0x00F0F0F0
+#define FIMD_VIDWALPHA_START        0x21C
+#define FIMD_VIDWALPHA_END          0x240
+
+/* Window color map registers */
+#define FIMD_WINMAP_START           0x180
+#define FIMD_WINMAP_END             0x190
+#define FIMD_WINMAP_EN              (1 << 24)
+#define FIMD_WINMAP_COLOR_MASK      0x00FFFFFF
+
+/* Window palette control registers */
+#define FIMD_WPALCON_HIGH           0x019C
+#define FIMD_WPALCON_LOW            0x01A0
+#define FIMD_WPALCON_UPDATEEN       (1 << 9)
+#define FIMD_WPAL_W0PAL_L           0x07
+#define FIMD_WPAL_W0PAL_L_SHT        0
+#define FIMD_WPAL_W1PAL_L           0x07
+#define FIMD_WPAL_W1PAL_L_SHT       3
+#define FIMD_WPAL_W2PAL_L           0x01
+#define FIMD_WPAL_W2PAL_L_SHT       6
+#define FIMD_WPAL_W2PAL_H           0x06
+#define FIMD_WPAL_W2PAL_H_SHT       8
+#define FIMD_WPAL_W3PAL_L           0x01
+#define FIMD_WPAL_W3PAL_L_SHT       7
+#define FIMD_WPAL_W3PAL_H           0x06
+#define FIMD_WPAL_W3PAL_H_SHT       12
+#define FIMD_WPAL_W4PAL_L           0x01
+#define FIMD_WPAL_W4PAL_L_SHT       8
+#define FIMD_WPAL_W4PAL_H           0x06
+#define FIMD_WPAL_W4PAL_H_SHT       16
+
+/* Trigger control registers */
+#define FIMD_TRIGCON                0x01A4
+#define FIMD_TRIGCON_ROMASK         0x00000004
+
+/* LCD I80 Interface Control */
+#define FIMD_I80IFCON_START         0x01B0
+#define FIMD_I80IFCON_END           0x01BC
+/* Color gain control register */
+#define FIMD_COLORGAINCON           0x01C0
+/* LCD i80 Interface Command Control */
+#define FIMD_LDI_CMDCON0            0x01D0
+#define FIMD_LDI_CMDCON1            0x01D4
+/* I80 System Interface Manual Command Control */
+#define FIMD_SIFCCON0               0x01E0
+#define FIMD_SIFCCON2               0x01E8
+
+/* Hue Control Registers */
+#define FIMD_HUECOEFCR_START        0x01EC
+#define FIMD_HUECOEFCR_END          0x01F4
+#define FIMD_HUECOEFCB_START        0x01FC
+#define FIMD_HUECOEFCB_END          0x0208
+#define FIMD_HUEOFFSET              0x020C
+
+/* Video interrupt control registers */
+#define FIMD_VIDINT_INTFIFOPEND     (1 << 0)
+#define FIMD_VIDINT_INTFRMPEND      (1 << 1)
+#define FIMD_VIDINT_INTI80PEND      (1 << 2)
+#define FIMD_VIDINT_INTEN           (1 << 0)
+#define FIMD_VIDINT_INTFIFOEN       (1 << 1)
+#define FIMD_VIDINT_INTFRMEN        (1 << 12)
+#define FIMD_VIDINT_I80IFDONE       (1 << 17)
+
+/* Window blend equation control registers */
+#define FIMD_BLENDEQ_START          0x0244
+#define FIMD_BLENDEQ_END            0x0250
+#define FIMD_BLENDCON               0x0260
+#define FIMD_ALPHA_8BIT             (1 << 0)
+#define FIMD_BLENDEQ_COEF_MASK      0xF
+
+/* Window RTQOS Control Registers */
+#define FIMD_WRTQOSCON_START        0x0264
+#define FIMD_WRTQOSCON_END          0x0274
+
+/* LCD I80 Interface Command */
+#define FIMD_I80IFCMD_START         0x0280
+#define FIMD_I80IFCMD_END           0x02AC
+
+/* Shadow windows control registers */
+#define FIMD_SHD_ADD0_START         0x40A0
+#define FIMD_SHD_ADD0_END           0x40C0
+#define FIMD_SHD_ADD1_START         0x40D0
+#define FIMD_SHD_ADD1_END           0x40F0
+#define FIMD_SHD_ADD2_START         0x4100
+#define FIMD_SHD_ADD2_END           0x4110
+
+/* Palette memory */
+#define FIMD_PAL_MEM_START          0x2400
+#define FIMD_PAL_MEM_END            0x37FC
+/* Palette memory aliases for windows 0 and 1 */
+#define FIMD_PALMEM_AL_START        0x0400
+#define FIMD_PALMEM_AL_END          0x0BFC
+
+typedef struct {
+    uint8_t r, g, b;
+    /* D[31..24]dummy, D[23..16]rAlpha, D[15..8]gAlpha, D[7..0]bAlpha */
+    uint32_t a;
+} rgba;
+#define RGBA_SIZE  7
+
+typedef void pixel_to_rgb_func(uint32_t pixel, rgba *p);
+typedef struct Exynos4210fimdWindow Exynos4210fimdWindow;
+
+struct Exynos4210fimdWindow {
+    uint32_t wincon;        /* Window control register */
+    uint32_t buf_start[3];  /* Start address for video frame buffer */
+    uint32_t buf_end[3];    /* End address for video frame buffer */
+    uint32_t keycon[2];     /* Window color key registers */
+    uint32_t keyalpha;      /* Color key alpha control register */
+    uint32_t winmap;        /* Window color map register */
+    uint32_t blendeq;       /* Window blending equation control register */
+    uint32_t rtqoscon;      /* Window RTQOS Control Registers */
+    uint32_t palette[256];  /* Palette RAM */
+    uint32_t shadow_buf_start;      /* Start address of shadow frame buffer */
+    uint32_t shadow_buf_end;        /* End address of shadow frame buffer */
+    uint32_t shadow_buf_size;       /* Virtual shadow screen width */
+
+    pixel_to_rgb_func *pixel_to_rgb;
+    void (*draw_line)(Exynos4210fimdWindow *w, uint8_t *src, uint8_t *dst,
+            bool blend);
+    uint32_t (*get_alpha)(Exynos4210fimdWindow *w, uint32_t pix_a);
+    uint16_t lefttop_x, lefttop_y;   /* VIDOSD0 register */
+    uint16_t rightbot_x, rightbot_y; /* VIDOSD1 register */
+    uint32_t osdsize;                /* VIDOSD2&3 register */
+    uint32_t alpha_val[2];           /* VIDOSD2&3, VIDWALPHA registers */
+    uint16_t virtpage_width;         /* VIDWADD2 register */
+    uint16_t virtpage_offsize;       /* VIDWADD2 register */
+    MemoryRegionSection mem_section; /* RAM fragment containing framebuffer */
+    uint8_t *host_fb_addr;           /* Host pointer to window's framebuffer */
+    target_phys_addr_t fb_len;       /* Framebuffer length */
+};
+
+typedef struct {
+    SysBusDevice busdev;
+    MemoryRegion iomem;
+    DisplayState *console;
+    qemu_irq irq[3];
+
+    uint32_t vidcon[4];     /* Video main control registers 0-3 */
+    uint32_t vidtcon[4];    /* Video time control registers 0-3 */
+    uint32_t shadowcon;     /* Window shadow control register */
+    uint32_t winchmap;      /* Channel mapping control register */
+    uint32_t vidintcon[2];  /* Video interrupt control registers */
+    uint32_t dithmode;      /* Dithering control register */
+    uint32_t wpalcon[2];    /* Window palette control registers */
+    uint32_t trigcon;       /* Trigger control register */
+    uint32_t i80ifcon[4];   /* I80 interface control registers */
+    uint32_t colorgaincon;  /* Color gain control register */
+    uint32_t ldi_cmdcon[2]; /* LCD I80 interface command control */
+    uint32_t sifccon[3];    /* I80 System Interface Manual Command Control */
+    uint32_t huecoef_cr[4]; /* Hue control registers */
+    uint32_t huecoef_cb[4]; /* Hue control registers */
+    uint32_t hueoffset;     /* Hue offset control register */
+    uint32_t blendcon;      /* Blending control register */
+    uint32_t i80ifcmd[12];  /* LCD I80 Interface Command */
+
+    Exynos4210fimdWindow window[5];    /* Window-specific registers */
+    uint8_t *ifb;           /* Internal frame buffer */
+    bool invalidate;        /* Image needs to be redrawn */
+    bool enabled;           /* Display controller is enabled */
+} Exynos4210fimdState;
+
+/* Perform byte/halfword/word swap of data according to WINCON */
+static inline void fimd_swap_data(unsigned int swap_ctl, uint64_t *data)
+{
+    int i;
+    uint64_t res;
+    uint64_t x = *data;
+
+    if (swap_ctl & FIMD_WINCON_SWAP_BITS) {
+        res = 0;
+        for (i = 0; i < 64; i++) {
+            if (x & (1ULL << (64 - i))) {
+                res |= (1ULL << i);
+            }
+        }
+        x = res;
+    }
+
+    if (swap_ctl & FIMD_WINCON_SWAP_BYTE) {
+        x = bswap64(x);
+    }
+
+    if (swap_ctl & FIMD_WINCON_SWAP_HWORD) {
+        x = ((x & 0x000000000000FFFFULL) << 48) |
+            ((x & 0x00000000FFFF0000ULL) << 16) |
+            ((x & 0x0000FFFF00000000ULL) >> 16) |
+            ((x & 0xFFFF000000000000ULL) >> 48);
+    }
+
+    if (swap_ctl & FIMD_WINCON_SWAP_WORD) {
+        x = ((x & 0x00000000FFFFFFFFULL) << 32) |
+            ((x & 0xFFFFFFFF00000000ULL) >> 32);
+    }
+
+    *data = x;
+}
+
+/* Conversion routines of Pixel data from frame buffer area to internal RGBA
+ * pixel representation.
+ * Every color component internally represented as 8-bit value. If original
+ * data has less than 8 bit for component, data is extended to 8 bit. For
+ * example, if blue component has only two possible values 0 and 1 it will be
+ * extended to 0 and 0xFF */
+
+/* One bit for alpha representation */
+#define DEF_PIXEL_TO_RGB_A1(N, R, G, B) \
+static void N(uint32_t pixel, rgba *p) \
+{ \
+    p->b = ((pixel & ((1 << (B)) - 1)) << (8 - (B))) | \
+           ((pixel >> (2 * (B) - 8)) & ((1 << (8 - (B))) - 1)); \
+    pixel >>= (B); \
+    p->g = (pixel & ((1 << (G)) - 1)) << (8 - (G)) | \
+           ((pixel >> (2 * (G) - 8)) & ((1 << (8 - (G))) - 1)); \
+    pixel >>= (G); \
+    p->r = (pixel & ((1 << (R)) - 1)) << (8 - (R)) | \
+           ((pixel >> (2 * (R) - 8)) & ((1 << (8 - (R))) - 1)); \
+    pixel >>= (R); \
+    p->a = (pixel & 0x1); \
+}
+
+DEF_PIXEL_TO_RGB_A1(pixel_a444_to_rgb, 4, 4, 4)
+DEF_PIXEL_TO_RGB_A1(pixel_a555_to_rgb, 5, 5, 5)
+DEF_PIXEL_TO_RGB_A1(pixel_a666_to_rgb, 6, 6, 6)
+DEF_PIXEL_TO_RGB_A1(pixel_a665_to_rgb, 6, 6, 5)
+DEF_PIXEL_TO_RGB_A1(pixel_a888_to_rgb, 8, 8, 8)
+DEF_PIXEL_TO_RGB_A1(pixel_a887_to_rgb, 8, 8, 7)
+
+/* Alpha component is always zero */
+#define DEF_PIXEL_TO_RGB_A0(N, R, G, B) \
+static void N(uint32_t pixel, rgba *p) \
+{ \
+    p->b = ((pixel & ((1 << (B)) - 1)) << (8 - (B))) | \
+           ((pixel >> (2 * (B) - 8)) & ((1 << (8 - (B))) - 1)); \
+    pixel >>= (B); \
+    p->g = (pixel & ((1 << (G)) - 1)) << (8 - (G)) | \
+           ((pixel >> (2 * (G) - 8)) & ((1 << (8 - (G))) - 1)); \
+    pixel >>= (G); \
+    p->r = (pixel & ((1 << (R)) - 1)) << (8 - (R)) | \
+           ((pixel >> (2 * (R) - 8)) & ((1 << (8 - (R))) - 1)); \
+    p->a = 0x0; \
+}
+
+DEF_PIXEL_TO_RGB_A0(pixel_565_to_rgb,  5, 6, 5)
+DEF_PIXEL_TO_RGB_A0(pixel_555_to_rgb,  5, 5, 5)
+DEF_PIXEL_TO_RGB_A0(pixel_666_to_rgb,  6, 6, 6)
+DEF_PIXEL_TO_RGB_A0(pixel_888_to_rgb,  8, 8, 8)
+
+/* Alpha component has some meaningful value */
+#define DEF_PIXEL_TO_RGB_A(N, R, G, B, A) \
+static void N(uint32_t pixel, rgba *p) \
+{ \
+    p->b = ((pixel & ((1 << (B)) - 1)) << (8 - (B))) | \
+           ((pixel >> (2 * (B) - 8)) & ((1 << (8 - (B))) - 1)); \
+    pixel >>= (B); \
+    p->g = (pixel & ((1 << (G)) - 1)) << (8 - (G)) | \
+           ((pixel >> (2 * (G) - 8)) & ((1 << (8 - (G))) - 1)); \
+    pixel >>= (G); \
+    p->r = (pixel & ((1 << (R)) - 1)) << (8 - (R)) | \
+           ((pixel >> (2 * (R) - 8)) & ((1 << (8 - (R))) - 1)); \
+    pixel >>= (R); \
+    p->a = (pixel & ((1 << (A)) - 1)) << (8 - (A)) | \
+           ((pixel >> (2 * (A) - 8)) & ((1 << (8 - (A))) - 1)); \
+    p->a = p->a | (p->a << 8) | (p->a << 16); \
+}
+
+DEF_PIXEL_TO_RGB_A(pixel_4444_to_rgb, 4, 4, 4, 4)
+DEF_PIXEL_TO_RGB_A(pixel_8888_to_rgb, 8, 8, 8, 8)
+
+/* Lookup table to extent 2-bit color component to 8 bit */
+static const uint8_t pixel_lutable_2b[4] = {
+     0x0, 0x55, 0xAA, 0xFF
+};
+/* Lookup table to extent 3-bit color component to 8 bit */
+static const uint8_t pixel_lutable_3b[8] = {
+     0x0, 0x24, 0x49, 0x6D, 0x92, 0xB6, 0xDB, 0xFF
+};
+/* Special case for a232 bpp mode */
+static void pixel_a232_to_rgb(uint32_t pixel, rgba *p)
+{
+    p->b = pixel_lutable_2b[(pixel & 0x3)];
+    pixel >>= 2;
+    p->g = pixel_lutable_3b[(pixel & 0x7)];
+    pixel >>= 3;
+    p->r = pixel_lutable_2b[(pixel & 0x3)];
+    pixel >>= 2;
+    p->a = (pixel & 0x1);
+}
+
+/* Special case for (5+1, 5+1, 5+1) mode. Data bit 15 is common LSB
+ * for all three color components */
+static void pixel_1555_to_rgb(uint32_t pixel, rgba *p)
+{
+    uint8_t comm = (pixel >> 15) & 1;
+    p->b = ((((pixel & 0x1F) << 1) | comm) << 2) | ((pixel >> 3) & 0x3);
+    pixel >>= 5;
+    p->g = ((((pixel & 0x1F) << 1) | comm) << 2) | ((pixel >> 3) & 0x3);
+    pixel >>= 5;
+    p->r = ((((pixel & 0x1F) << 1) | comm) << 2) | ((pixel >> 3) & 0x3);
+    p->a = 0x0;
+}
+
+/* Put/get pixel to/from internal LCD Controller framebuffer */
+
+static int put_pixel_ifb(const rgba p, uint8_t *d)
+{
+    *(uint8_t *)d++ = p.r;
+    *(uint8_t *)d++ = p.g;
+    *(uint8_t *)d++ = p.b;
+    *(uint32_t *)d = p.a;
+    return RGBA_SIZE;
+}
+
+static int get_pixel_ifb(const uint8_t *s, rgba *p)
+{
+    p->r = *(uint8_t *)s++;
+    p->g = *(uint8_t *)s++;
+    p->b = *(uint8_t *)s++;
+    p->a = (*(uint32_t *)s) & 0x00FFFFFF;
+    return RGBA_SIZE;
+}
+
+static pixel_to_rgb_func *palette_data_format[8] = {
+    [0] = pixel_565_to_rgb,
+    [1] = pixel_a555_to_rgb,
+    [2] = pixel_666_to_rgb,
+    [3] = pixel_a665_to_rgb,
+    [4] = pixel_a666_to_rgb,
+    [5] = pixel_888_to_rgb,
+    [6] = pixel_a888_to_rgb,
+    [7] = pixel_8888_to_rgb
+};
+
+/* Returns Index in palette data formats table for given window number WINDOW */
+static uint32_t
+exynos4210_fimd_palette_format(Exynos4210fimdState *s, int window)
+{
+    uint32_t ret;
+
+    switch (window) {
+    case 0:
+        ret = (s->wpalcon[1] >> FIMD_WPAL_W0PAL_L_SHT) & FIMD_WPAL_W0PAL_L;
+        if (ret != 7) {
+            ret = 6 - ret;
+        }
+        break;
+    case 1:
+        ret = (s->wpalcon[1] >> FIMD_WPAL_W1PAL_L_SHT) & FIMD_WPAL_W1PAL_L;
+        if (ret != 7) {
+            ret = 6 - ret;
+        }
+        break;
+    case 2:
+        ret = ((s->wpalcon[0] >> FIMD_WPAL_W2PAL_H_SHT) & FIMD_WPAL_W2PAL_H) |
+            ((s->wpalcon[1] >> FIMD_WPAL_W2PAL_L_SHT) & FIMD_WPAL_W2PAL_L);
+        break;
+    case 3:
+        ret = ((s->wpalcon[0] >> FIMD_WPAL_W3PAL_H_SHT) & FIMD_WPAL_W3PAL_H) |
+            ((s->wpalcon[1] >> FIMD_WPAL_W3PAL_L_SHT) & FIMD_WPAL_W3PAL_L);
+        break;
+    case 4:
+        ret = ((s->wpalcon[0] >> FIMD_WPAL_W4PAL_H_SHT) & FIMD_WPAL_W4PAL_H) |
+            ((s->wpalcon[1] >> FIMD_WPAL_W4PAL_L_SHT) & FIMD_WPAL_W4PAL_L);
+        break;
+    default:
+        hw_error("exynos4210.fimd: incorrect window number %d\n", window);
+        ret = 0;
+        break;
+    }
+    return ret;
+}
+
+#define FIMD_1_MINUS_COLOR(x)    \
+            ((0xFF - ((x) & 0xFF)) | (0xFF00 - ((x) & 0xFF00)) | \
+                                  (0xFF0000 - ((x) & 0xFF0000)))
+#define EXTEND_LOWER_HALFBYTE(x) (((x) & 0xF0F0F) | (((x) << 4) & 0xF0F0F0))
+#define EXTEND_UPPER_HALFBYTE(x) (((x) & 0xF0F0F0) | (((x) >> 4) & 0xF0F0F))
+
+/* Multiply three lower bytes of two 32-bit words with each other.
+ * Each byte with values 0-255 is considered as a number with possible values
+ * in a range [0 - 1] */
+static inline uint32_t fimd_mult_each_byte(uint32_t a, uint32_t b)
+{
+    uint32_t tmp;
+    uint32_t ret;
+
+    ret = ((tmp = (((a & 0xFF) * (b & 0xFF)) / 0xFF)) > 0xFF) ? 0xFF : tmp;
+    ret |= ((tmp = ((((a >> 8) & 0xFF) * ((b >> 8) & 0xFF)) / 0xFF)) > 0xFF) ?
+            0xFF00 : tmp << 8;
+    ret |= ((tmp = ((((a >> 16) & 0xFF) * ((b >> 16) & 0xFF)) / 0xFF)) > 0xFF) ?
+            0xFF0000 : tmp << 16;
+    return ret;
+}
+
+/* For each corresponding bytes of two 32-bit words: (a*b + c*d)
+ * Byte values 0-255 are mapped to a range [0 .. 1] */
+static inline uint32_t
+fimd_mult_and_sum_each_byte(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
+{
+    uint32_t tmp;
+    uint32_t ret;
+
+    ret = ((tmp = (((a & 0xFF) * (b & 0xFF) + (c & 0xFF) * (d & 0xFF)) / 0xFF))
+            > 0xFF) ? 0xFF : tmp;
+    ret |= ((tmp = ((((a >> 8) & 0xFF) * ((b >> 8) & 0xFF) + ((c >> 8) & 0xFF) *
+            ((d >> 8) & 0xFF)) / 0xFF)) > 0xFF) ? 0xFF00 : tmp << 8;
+    ret |= ((tmp = ((((a >> 16) & 0xFF) * ((b >> 16) & 0xFF) +
+            ((c >> 16) & 0xFF) * ((d >> 16) & 0xFF)) / 0xFF)) > 0xFF) ?
+                    0xFF0000 : tmp << 16;
+    return ret;
+}
+
+/* These routines cover all possible sources of window's transparent factor
+ * used in blending equation. Choice of routine is affected by WPALCON
+ * registers, BLENDCON register and window's WINCON register */
+
+static uint32_t fimd_get_alpha_pix(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return pix_a;
+}
+
+static uint32_t
+fimd_get_alpha_pix_extlow(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return EXTEND_LOWER_HALFBYTE(pix_a);
+}
+
+static uint32_t
+fimd_get_alpha_pix_exthigh(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return EXTEND_UPPER_HALFBYTE(pix_a);
+}
+
+static uint32_t fimd_get_alpha_mult(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return fimd_mult_each_byte(pix_a, w->alpha_val[0]);
+}
+
+static uint32_t fimd_get_alpha_mult_ext(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return fimd_mult_each_byte(EXTEND_LOWER_HALFBYTE(pix_a),
+            EXTEND_UPPER_HALFBYTE(w->alpha_val[0]));
+}
+
+static uint32_t fimd_get_alpha_aen(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return w->alpha_val[pix_a];
+}
+
+static uint32_t fimd_get_alpha_aen_ext(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return EXTEND_UPPER_HALFBYTE(w->alpha_val[pix_a]);
+}
+
+static uint32_t fimd_get_alpha_sel(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return w->alpha_val[(w->wincon & FIMD_WINCON_ALPHA_SEL) ? 1 : 0];
+}
+
+static uint32_t fimd_get_alpha_sel_ext(Exynos4210fimdWindow *w, uint32_t pix_a)
+{
+    return EXTEND_UPPER_HALFBYTE(w->alpha_val[(w->wincon &
+            FIMD_WINCON_ALPHA_SEL) ? 1 : 0]);
+}
+
+/* Updates currently active alpha value get function for specified window */
+static void fimd_update_get_alpha(Exynos4210fimdState *s, int win)
+{
+    Exynos4210fimdWindow *w = &s->window[win];
+    const bool alpha_is_8bit = s->blendcon & FIMD_ALPHA_8BIT;
+
+    if (w->wincon & FIMD_WINCON_BLD_PIX) {
+        if ((w->wincon & FIMD_WINCON_ALPHA_SEL) && WIN_BPP_MODE_WITH_ALPHA(w)) {
+            /* In this case, alpha component contains meaningful value */
+            if (w->wincon & FIMD_WINCON_ALPHA_MUL) {
+                w->get_alpha = alpha_is_8bit ?
+                        fimd_get_alpha_mult : fimd_get_alpha_mult_ext;
+            } else {
+                w->get_alpha = alpha_is_8bit ?
+                        fimd_get_alpha_pix : fimd_get_alpha_pix_extlow;
+            }
+        } else {
+            if (IS_PALETTIZED_MODE(w) &&
+                  PAL_MODE_WITH_ALPHA(exynos4210_fimd_palette_format(s, win))) {
+                /* Alpha component has 8-bit numeric value */
+                w->get_alpha = alpha_is_8bit ?
+                        fimd_get_alpha_pix : fimd_get_alpha_pix_exthigh;
+            } else {
+                /* Alpha has only two possible values (AEN) */
+                w->get_alpha = alpha_is_8bit ?
+                        fimd_get_alpha_aen : fimd_get_alpha_aen_ext;
+            }
+        }
+    } else {
+        w->get_alpha = alpha_is_8bit ? fimd_get_alpha_sel :
+                fimd_get_alpha_sel_ext;
+    }
+}
+
+/* Blends current window's (w) pixel (foreground pixel *ret) with background
+ * window (w_blend) pixel p_bg according to formula:
+ * NEW_COLOR = a_coef x FG_PIXEL_COLOR + b_coef x BG_PIXEL_COLOR
+ * NEW_ALPHA = p_coef x FG_ALPHA + q_coef x BG_ALPHA
+ */
+static void
+exynos4210_fimd_blend_pixel(Exynos4210fimdWindow *w, rgba p_bg, rgba *ret)
+{
+    rgba p_fg = *ret;
+    uint32_t bg_color = ((p_bg.r & 0xFF) << 16) | ((p_bg.g & 0xFF) << 8) |
+            (p_bg.b & 0xFF);
+    uint32_t fg_color = ((p_fg.r & 0xFF) << 16) | ((p_fg.g & 0xFF) << 8) |
+            (p_fg.b & 0xFF);
+    uint32_t alpha_fg = p_fg.a;
+    int i;
+    /* It is possible that blending equation parameters a and b do not
+     * depend on window BLENEQ register. Account for this with first_coef */
+    enum { A_COEF = 0, B_COEF = 1, P_COEF = 2, Q_COEF = 3, COEF_NUM = 4};
+    uint32_t first_coef = A_COEF;
+    uint32_t blend_param[COEF_NUM];
+
+    if (w->keycon[0] & FIMD_WKEYCON0_KEYEN) {
+        uint32_t colorkey = (w->keycon[1] &
+              ~(w->keycon[0] & FIMD_WKEYCON0_COMPKEY)) & FIMD_WKEYCON0_COMPKEY;
+
+        if ((w->keycon[0] & FIMD_WKEYCON0_DIRCON) &&
+            (bg_color & ~(w->keycon[0] & FIMD_WKEYCON0_COMPKEY)) == colorkey) {
+            /* Foreground pixel is displayed */
+            if (w->keycon[0] & FIMD_WKEYCON0_KEYBLEN) {
+                alpha_fg = w->keyalpha;
+                blend_param[A_COEF] = alpha_fg;
+                blend_param[B_COEF] = FIMD_1_MINUS_COLOR(alpha_fg);
+            } else {
+                alpha_fg = 0;
+                blend_param[A_COEF] = 0xFFFFFF;
+                blend_param[B_COEF] = 0x0;
+            }
+            first_coef = P_COEF;
+        } else if ((w->keycon[0] & FIMD_WKEYCON0_DIRCON) == 0 &&
+            (fg_color & ~(w->keycon[0] & FIMD_WKEYCON0_COMPKEY)) == colorkey) {
+            /* Background pixel is displayed */
+            if (w->keycon[0] & FIMD_WKEYCON0_KEYBLEN) {
+                alpha_fg = w->keyalpha;
+                blend_param[A_COEF] = alpha_fg;
+                blend_param[B_COEF] = FIMD_1_MINUS_COLOR(alpha_fg);
+            } else {
+                alpha_fg = 0;
+                blend_param[A_COEF] = 0x0;
+                blend_param[B_COEF] = 0xFFFFFF;
+            }
+            first_coef = P_COEF;
+        }
+    }
+
+    for (i = first_coef; i < COEF_NUM; i++) {
+        switch ((w->blendeq >> i * 6) & FIMD_BLENDEQ_COEF_MASK) {
+        case 0:
+            blend_param[i] = 0;
+            break;
+        case 1:
+            blend_param[i] = 0xFFFFFF;
+            break;
+        case 2:
+            blend_param[i] = alpha_fg;
+            break;
+        case 3:
+            blend_param[i] = FIMD_1_MINUS_COLOR(alpha_fg);
+            break;
+        case 4:
+            blend_param[i] = p_bg.a;
+            break;
+        case 5:
+            blend_param[i] = FIMD_1_MINUS_COLOR(p_bg.a);
+            break;
+        case 6:
+            blend_param[i] = w->alpha_val[0];
+            break;
+        case 10:
+            blend_param[i] = fg_color;
+            break;
+        case 11:
+            blend_param[i] = FIMD_1_MINUS_COLOR(fg_color);
+            break;
+        case 12:
+            blend_param[i] = bg_color;
+            break;
+        case 13:
+            blend_param[i] = FIMD_1_MINUS_COLOR(bg_color);
+            break;
+        default:
+            hw_error("exynos4210.fimd: blend equation coef illegal value\n");
+            break;
+        }
+    }
+
+    fg_color = fimd_mult_and_sum_each_byte(bg_color, blend_param[B_COEF],
+            fg_color, blend_param[A_COEF]);
+    ret->b = fg_color & 0xFF;
+    fg_color >>= 8;
+    ret->g = fg_color & 0xFF;
+    fg_color >>= 8;
+    ret->r = fg_color & 0xFF;
+    ret->a = fimd_mult_and_sum_each_byte(alpha_fg, blend_param[P_COEF],
+            p_bg.a, blend_param[Q_COEF]);
+}
+
+/* These routines read data from video frame buffer in system RAM, convert
+ * this data to display controller internal representation, if necessary,
+ * perform pixel blending with data, currently presented in internal buffer.
+ * Result is stored in display controller internal frame buffer. */
+
+/* Draw line with index in palette table in RAM frame buffer data */
+#define DEF_DRAW_LINE_PALETTE(N) \
+static void glue(draw_line_palette_, N)(Exynos4210fimdWindow *w, uint8_t *src, \
+               uint8_t *dst, bool blend) \
+{ \
+    int width = w->rightbot_x - w->lefttop_x + 1; \
+    uint8_t *ifb = dst; \
+    uint8_t swap = (w->wincon & FIMD_WINCON_SWAP) >> FIMD_WINCON_SWAP_SHIFT; \
+    uint64_t data; \
+    rgba p, p_old; \
+    int i; \
+    do { \
+        data = ldq_raw((void *)src); \
+        src += 8; \
+        fimd_swap_data(swap, &data); \
+        for (i = (64 / (N) - 1); i >= 0; i--) { \
+            w->pixel_to_rgb(w->palette[(data >> ((N) * i)) & \
+                                   ((1ULL << (N)) - 1)], &p); \
+            p.a = w->get_alpha(w, p.a); \
+            if (blend) { \
+                ifb +=  get_pixel_ifb(ifb, &p_old); \
+                exynos4210_fimd_blend_pixel(w, p_old, &p); \
+            } \
+            dst += put_pixel_ifb(p, dst); \
+        } \
+        width -= (64 / (N)); \
+    } while (width > 0); \
+}
+
+/* Draw line with direct color value in RAM frame buffer data */
+#define DEF_DRAW_LINE_NOPALETTE(N) \
+static void glue(draw_line_, N)(Exynos4210fimdWindow *w, uint8_t *src, \
+                    uint8_t *dst, bool blend) \
+{ \
+    int width = w->rightbot_x - w->lefttop_x + 1; \
+    uint8_t *ifb = dst; \
+    uint8_t swap = (w->wincon & FIMD_WINCON_SWAP) >> FIMD_WINCON_SWAP_SHIFT; \
+    uint64_t data; \
+    rgba p, p_old; \
+    int i; \
+    do { \
+        data = ldq_raw((void *)src); \
+        src += 8; \
+        fimd_swap_data(swap, &data); \
+        for (i = (64 / (N) - 1); i >= 0; i--) { \
+            w->pixel_to_rgb((data >> ((N) * i)) & ((1ULL << (N)) - 1), &p); \
+            p.a = w->get_alpha(w, p.a); \
+            if (blend) { \
+                ifb += get_pixel_ifb(ifb, &p_old); \
+                exynos4210_fimd_blend_pixel(w, p_old, &p); \
+            } \
+            dst += put_pixel_ifb(p, dst); \
+        } \
+        width -= (64 / (N)); \
+    } while (width > 0); \
+}
+
+DEF_DRAW_LINE_PALETTE(1)
+DEF_DRAW_LINE_PALETTE(2)
+DEF_DRAW_LINE_PALETTE(4)
+DEF_DRAW_LINE_PALETTE(8)
+DEF_DRAW_LINE_NOPALETTE(8)  /* 8bpp mode has palette and non-palette versions */
+DEF_DRAW_LINE_NOPALETTE(16)
+DEF_DRAW_LINE_NOPALETTE(32)
+
+/* Special draw line routine for window color map case */
+static void draw_line_mapcolor(Exynos4210fimdWindow *w, uint8_t *src,
+                       uint8_t *dst, bool blend)
+{
+    rgba p, p_old;
+    uint8_t *ifb = dst;
+    int width = w->rightbot_x - w->lefttop_x + 1;
+    uint32_t map_color = w->winmap & FIMD_WINMAP_COLOR_MASK;
+
+    do {
+        pixel_888_to_rgb(map_color, &p);
+        p.a = w->get_alpha(w, p.a);
+        if (blend) {
+            ifb += get_pixel_ifb(ifb, &p_old);
+            exynos4210_fimd_blend_pixel(w, p_old, &p);
+        }
+        dst += put_pixel_ifb(p, dst);
+    } while (--width);
+}
+
+/* Write RGB to QEMU's GraphicConsole framebuffer */
+
+static int put_to_qemufb_pixel8(const rgba p, uint8_t *d)
+{
+    uint32_t pixel = rgb_to_pixel8(p.r, p.g, p.b);
+    *(uint8_t *)d = pixel;
+    return 1;
+}
+
+static int put_to_qemufb_pixel15(const rgba p, uint8_t *d)
+{
+    uint32_t pixel = rgb_to_pixel15(p.r, p.g, p.b);
+    *(uint16_t *)d = pixel;
+    return 2;
+}
+
+static int put_to_qemufb_pixel16(const rgba p, uint8_t *d)
+{
+    uint32_t pixel = rgb_to_pixel16(p.r, p.g, p.b);
+    *(uint16_t *)d = pixel;
+    return 2;
+}
+
+static int put_to_qemufb_pixel24(const rgba p, uint8_t *d)
+{
+    uint32_t pixel = rgb_to_pixel24(p.r, p.g, p.b);
+    *(uint8_t *)d++ = (pixel >>  0) & 0xFF;
+    *(uint8_t *)d++ = (pixel >>  8) & 0xFF;
+    *(uint8_t *)d++ = (pixel >> 16) & 0xFF;
+    return 3;
+}
+
+static int put_to_qemufb_pixel32(const rgba p, uint8_t *d)
+{
+    uint32_t pixel = rgb_to_pixel24(p.r, p.g, p.b);
+    *(uint32_t *)d = pixel;
+    return 4;
+}
+
+/* Routine to copy pixel from internal buffer to QEMU buffer */
+static int (*put_pixel_toqemu)(const rgba p, uint8_t *pixel);
+static inline void fimd_update_putpix_qemu(int bpp)
+{
+    switch (bpp) {
+    case 8:
+        put_pixel_toqemu = put_to_qemufb_pixel8;
+        break;
+    case 15:
+        put_pixel_toqemu = put_to_qemufb_pixel15;
+        break;
+    case 16:
+        put_pixel_toqemu = put_to_qemufb_pixel16;
+        break;
+    case 24:
+        put_pixel_toqemu = put_to_qemufb_pixel24;
+        break;
+    case 32:
+        put_pixel_toqemu = put_to_qemufb_pixel32;
+        break;
+    default:
+        hw_error("exynos4210.fimd: unsupported BPP (%d)", bpp);
+        break;
+    }
+}
+
+/* Routine to copy a line from internal frame buffer to QEMU display */
+static void fimd_copy_line_toqemu(int width, uint8_t *src, uint8_t *dst)
+{
+    rgba p;
+
+    do {
+        src += get_pixel_ifb(src, &p);
+        dst += put_pixel_toqemu(p, dst);
+    } while (--width);
+}
+
+/* Parse BPPMODE_F = WINCON1[5:2] bits */
+static void exynos4210_fimd_update_win_bppmode(Exynos4210fimdState *s, int win)
+{
+    Exynos4210fimdWindow *w = &s->window[win];
+
+    if (w->winmap & FIMD_WINMAP_EN) {
+        w->draw_line = draw_line_mapcolor;
+        return;
+    }
+
+    switch (WIN_BPP_MODE(w)) {
+    case 0:
+        w->draw_line = draw_line_palette_1;
+        w->pixel_to_rgb =
+                palette_data_format[exynos4210_fimd_palette_format(s, win)];
+        break;
+    case 1:
+        w->draw_line = draw_line_palette_2;
+        w->pixel_to_rgb =
+                palette_data_format[exynos4210_fimd_palette_format(s, win)];
+        break;
+    case 2:
+        w->draw_line = draw_line_palette_4;
+        w->pixel_to_rgb =
+                palette_data_format[exynos4210_fimd_palette_format(s, win)];
+        break;
+    case 3:
+        w->draw_line = draw_line_palette_8;
+        w->pixel_to_rgb =
+                palette_data_format[exynos4210_fimd_palette_format(s, win)];
+        break;
+    case 4:
+        w->draw_line = draw_line_8;
+        w->pixel_to_rgb = pixel_a232_to_rgb;
+        break;
+    case 5:
+        w->draw_line = draw_line_16;
+        w->pixel_to_rgb = pixel_565_to_rgb;
+        break;
+    case 6:
+        w->draw_line = draw_line_16;
+        w->pixel_to_rgb = pixel_a555_to_rgb;
+        break;
+    case 7:
+        w->draw_line = draw_line_16;
+        w->pixel_to_rgb = pixel_1555_to_rgb;
+        break;
+    case 8:
+        w->draw_line = draw_line_32;
+        w->pixel_to_rgb = pixel_666_to_rgb;
+        break;
+    case 9:
+        w->draw_line = draw_line_32;
+        w->pixel_to_rgb = pixel_a665_to_rgb;
+        break;
+    case 10:
+        w->draw_line = draw_line_32;
+        w->pixel_to_rgb = pixel_a666_to_rgb;
+        break;
+    case 11:
+        w->draw_line = draw_line_32;
+        w->pixel_to_rgb = pixel_888_to_rgb;
+        break;
+    case 12:
+        w->draw_line = draw_line_32;
+        w->pixel_to_rgb = pixel_a887_to_rgb;
+        break;
+    case 13:
+        w->draw_line = draw_line_32;
+        if ((w->wincon & FIMD_WINCON_BLD_PIX) && (w->wincon &
+                FIMD_WINCON_ALPHA_SEL)) {
+            w->pixel_to_rgb = pixel_8888_to_rgb;
+        } else {
+            w->pixel_to_rgb = pixel_a888_to_rgb;
+        }
+        break;
+    case 14:
+        w->draw_line = draw_line_16;
+        if ((w->wincon & FIMD_WINCON_BLD_PIX) && (w->wincon &
+                FIMD_WINCON_ALPHA_SEL)) {
+            w->pixel_to_rgb = pixel_4444_to_rgb;
+        } else {
+            w->pixel_to_rgb = pixel_a444_to_rgb;
+        }
+        break;
+    case 15:
+        w->draw_line = draw_line_16;
+        w->pixel_to_rgb = pixel_555_to_rgb;
+        break;
+    }
+}
+
+#if EXYNOS4210_FIMD_MODE_TRACE > 0
+static const char *exynos4210_fimd_get_bppmode(int mode_code)
+{
+    switch (mode_code) {
+    case 0:
+        return "1 bpp";
+    case 1:
+        return "2 bpp";
+    case 2:
+        return "4 bpp";
+    case 3:
+        return "8 bpp (palettized)";
+    case 4:
+        return "8 bpp (non-palettized, A: 1-R:2-G:3-B:2)";
+    case 5:
+        return "16 bpp (non-palettized, R:5-G:6-B:5)";
+    case 6:
+        return "16 bpp (non-palettized, A:1-R:5-G:5-B:5)";
+    case 7:
+        return "16 bpp (non-palettized, I :1-R:5-G:5-B:5)";
+    case 8:
+        return "Unpacked 18 bpp (non-palettized, R:6-G:6-B:6)";
+    case 9:
+        return "Unpacked 18bpp (non-palettized,A:1-R:6-G:6-B:5)";
+    case 10:
+        return "Unpacked 19bpp (non-palettized,A:1-R:6-G:6-B:6)";
+    case 11:
+        return "Unpacked 24 bpp (non-palettized R:8-G:8-B:8)";
+    case 12:
+        return "Unpacked 24 bpp (non-palettized A:1-R:8-G:8-B:7)";
+    case 13:
+        return "Unpacked 25 bpp (non-palettized A:1-R:8-G:8-B:8)";
+    case 14:
+        return "Unpacked 13 bpp (non-palettized A:1-R:4-G:4-B:4)";
+    case 15:
+        return "Unpacked 15 bpp (non-palettized R:5-G:5-B:5)";
+    default:
+        return "Non-existing bpp mode";
+    }
+}
+
+static inline void exynos4210_fimd_trace_bppmode(Exynos4210fimdState *s,
+                int win_num, uint32_t val)
+{
+    Exynos4210fimdWindow *w = &s->window[win_num];
+
+    if (w->winmap & FIMD_WINMAP_EN) {
+        printf("QEMU FIMD: Window %d is mapped with MAPCOLOR=0x%x\n",
+                win_num, w->winmap & 0xFFFFFF);
+        return;
+    }
+
+    if ((val != 0xFFFFFFFF) && ((w->wincon >> 2) & 0xF) == ((val >> 2) & 0xF)) {
+        return;
+    }
+    printf("QEMU FIMD: Window %d BPP mode set to %s\n", win_num,
+        exynos4210_fimd_get_bppmode((val >> 2) & 0xF));
+}
+#else
+static inline void exynos4210_fimd_trace_bppmode(Exynos4210fimdState *s,
+        int win_num, uint32_t val)
+{
+
+}
+#endif
+
+static inline int fimd_get_buffer_id(Exynos4210fimdWindow *w)
+{
+    switch (w->wincon & FIMD_WINCON_BUFSTATUS) {
+    case FIMD_WINCON_BUF0_STAT:
+        return 0;
+    case FIMD_WINCON_BUF1_STAT:
+        return 1;
+    case FIMD_WINCON_BUF2_STAT:
+        return 2;
+    default:
+        DPRINT_ERROR("Non-existent buffer index\n");
+        return 0;
+    }
+}
+
+/* Updates specified window's MemorySection based on values of WINCON,
+ * VIDOSDA, VIDOSDB, VIDWADDx and SHADOWCON registers */
+static void fimd_update_memory_section(Exynos4210fimdState *s, unsigned win)
+{
+    Exynos4210fimdWindow *w = &s->window[win];
+    target_phys_addr_t fb_start_addr, fb_mapped_len;
+
+    if (!s->enabled || !(w->wincon & FIMD_WINCON_ENWIN) ||
+            FIMD_WINDOW_PROTECTED(s->shadowcon, win)) {
+        return;
+    }
+
+    if (w->host_fb_addr) {
+        cpu_physical_memory_unmap(w->host_fb_addr, w->fb_len, 0, 0);
+        w->host_fb_addr = NULL;
+        w->fb_len = 0;
+    }
+
+    fb_start_addr = w->buf_start[fimd_get_buffer_id(w)];
+    /* Total number of bytes of virtual screen used by current window */
+    w->fb_len = fb_mapped_len = (w->virtpage_width + w->virtpage_offsize) *
+            (w->rightbot_y - w->lefttop_y + 1);
+    w->mem_section = memory_region_find(sysbus_address_space(&s->busdev),
+            fb_start_addr, w->fb_len);
+    assert(w->mem_section.mr);
+    assert(w->mem_section.offset_within_address_space == fb_start_addr);
+    DPRINT_TRACE("Window %u framebuffer changed: address=0x%08x, len=0x%x\n",
+            win, fb_start_addr, w->fb_len);
+
+    if (w->mem_section.size != w->fb_len ||
+            !memory_region_is_ram(w->mem_section.mr)) {
+        DPRINT_ERROR("Failed to find window %u framebuffer region\n", win);
+        goto error_return;
+    }
+
+    w->host_fb_addr = cpu_physical_memory_map(fb_start_addr, &fb_mapped_len, 0);
+    if (!w->host_fb_addr) {
+        DPRINT_ERROR("Failed to map window %u framebuffer\n", win);
+        goto error_return;
+    }
+
+    if (fb_mapped_len != w->fb_len) {
+        DPRINT_ERROR("Window %u mapped framebuffer length is less then "
+                "expected\n", win);
+        cpu_physical_memory_unmap(w->host_fb_addr, fb_mapped_len, 0, 0);
+        goto error_return;
+    }
+    return;
+
+error_return:
+    w->mem_section.mr = NULL;
+    w->mem_section.size = 0;
+    w->host_fb_addr = NULL;
+    w->fb_len = 0;
+}
+
+static void exynos4210_fimd_enable(Exynos4210fimdState *s, bool enabled)
+{
+    if (enabled && !s->enabled) {
+        unsigned w;
+        s->enabled = true;
+        for (w = 0; w < NUM_OF_WINDOWS; w++) {
+            fimd_update_memory_section(s, w);
+        }
+    }
+    s->enabled = enabled;
+    DPRINT_TRACE("display controller %s\n", enabled ? "enabled" : "disabled");
+}
+
+static inline uint32_t unpack_upper_4(uint32_t x)
+{
+    return ((x & 0xF00) << 12) | ((x & 0xF0) << 8) | ((x & 0xF) << 4);
+}
+
+static inline uint32_t pack_upper_4(uint32_t x)
+{
+    return (((x & 0xF00000) >> 12) | ((x & 0xF000) >> 8) |
+            ((x & 0xF0) >> 4)) & 0xFFF;
+}
+
+static void exynos4210_fimd_update_irq(Exynos4210fimdState *s)
+{
+    if (!(s->vidintcon[0] & FIMD_VIDINT_INTEN)) {
+        qemu_irq_lower(s->irq[0]);
+        qemu_irq_lower(s->irq[1]);
+        qemu_irq_lower(s->irq[2]);
+        return;
+    }
+    if ((s->vidintcon[0] & FIMD_VIDINT_INTFIFOEN) &&
+            (s->vidintcon[1] & FIMD_VIDINT_INTFIFOPEND)) {
+        qemu_irq_raise(s->irq[0]);
+    } else {
+        qemu_irq_lower(s->irq[0]);
+    }
+    if ((s->vidintcon[0] & FIMD_VIDINT_INTFRMEN) &&
+            (s->vidintcon[1] & FIMD_VIDINT_INTFRMPEND)) {
+        qemu_irq_raise(s->irq[1]);
+    } else {
+        qemu_irq_lower(s->irq[1]);
+    }
+    if ((s->vidintcon[0] & FIMD_VIDINT_I80IFDONE) &&
+            (s->vidintcon[1] & FIMD_VIDINT_INTI80PEND)) {
+        qemu_irq_raise(s->irq[2]);
+    } else {
+        qemu_irq_lower(s->irq[2]);
+    }
+}
+
+static void exynos4210_fimd_invalidate(void *opaque)
+{
+    Exynos4210fimdState *s = (Exynos4210fimdState *)opaque;
+    s->invalidate = true;
+}
+
+static void exynos4210_update_resolution(Exynos4210fimdState *s)
+{
+    /* LCD resolution is stored in VIDEO TIME CONTROL REGISTER 2 */
+    uint32_t width = ((s->vidtcon[2] >> FIMD_VIDTCON2_HOR_SHIFT) &
+            FIMD_VIDTCON2_SIZE_MASK) + 1;
+    uint32_t height = ((s->vidtcon[2] >> FIMD_VIDTCON2_VER_SHIFT) &
+            FIMD_VIDTCON2_SIZE_MASK) + 1;
+
+    if (s->ifb == NULL || ds_get_width(s->console) != width ||
+            ds_get_height(s->console) != height) {
+        DPRINT_L1("Resolution changed from %ux%u to %ux%u\n",
+           ds_get_width(s->console), ds_get_height(s->console), width, height);
+        qemu_console_resize(s->console, width, height);
+        s->ifb = g_realloc(s->ifb, width * height * RGBA_SIZE + 1);
+        memset(s->ifb, 0, width * height * RGBA_SIZE + 1);
+        exynos4210_fimd_invalidate(s);
+    }
+}
+
+static void exynos4210_fimd_update(void *opaque)
+{
+    Exynos4210fimdState *s = (Exynos4210fimdState *)opaque;
+    Exynos4210fimdWindow *w;
+    int i, line;
+    target_phys_addr_t fb_line_addr, inc_size;
+    int scrn_height;
+    int first_line = -1, last_line = -1, scrn_width;
+    bool blend = false;
+    uint8_t *host_fb_addr;
+    bool is_dirty = false;
+    const int global_width = (s->vidtcon[2] & FIMD_VIDTCON2_SIZE_MASK) + 1;
+    const int global_height = ((s->vidtcon[2] >> FIMD_VIDTCON2_VER_SHIFT) &
+            FIMD_VIDTCON2_SIZE_MASK) + 1;
+
+    if (!s || !s->console || !ds_get_bits_per_pixel(s->console) ||
+            !s->enabled) {
+        return;
+    }
+    exynos4210_update_resolution(s);
+
+    for (i = 0; i < NUM_OF_WINDOWS; i++) {
+        w = &s->window[i];
+        if ((w->wincon & FIMD_WINCON_ENWIN) && w->host_fb_addr) {
+            scrn_height = w->rightbot_y - w->lefttop_y + 1;
+            scrn_width = w->virtpage_width;
+            /* Total width of virtual screen page in bytes */
+            inc_size = scrn_width + w->virtpage_offsize;
+            memory_region_sync_dirty_bitmap(w->mem_section.mr);
+            host_fb_addr = w->host_fb_addr;
+            fb_line_addr = w->mem_section.offset_within_region;
+
+            for (line = 0; line < scrn_height; line++) {
+                is_dirty = memory_region_get_dirty(w->mem_section.mr,
+                            fb_line_addr, scrn_width, DIRTY_MEMORY_VGA);
+
+                if (s->invalidate || is_dirty) {
+                    if (first_line == -1) {
+                        first_line = line;
+                    }
+                    last_line = line;
+                    w->draw_line(w, host_fb_addr, s->ifb +
+                        w->lefttop_x * RGBA_SIZE + (w->lefttop_y + line) *
+                        global_width * RGBA_SIZE, blend);
+                }
+                host_fb_addr += inc_size;
+                fb_line_addr += inc_size;
+                is_dirty = false;
+            }
+            memory_region_reset_dirty(w->mem_section.mr,
+                w->mem_section.offset_within_region,
+                w->fb_len, DIRTY_MEMORY_VGA);
+            blend = true;
+        }
+    }
+
+    /* Copy resulting image to QEMU_CONSOLE. */
+    if (first_line >= 0) {
+        uint8_t *d;
+        int bpp;
+
+        bpp = ds_get_bits_per_pixel(s->console);
+        fimd_update_putpix_qemu(bpp);
+        bpp = (bpp + 1) >> 3;
+        d = ds_get_data(s->console);
+        for (line = first_line; line <= last_line; line++) {
+            fimd_copy_line_toqemu(global_width, s->ifb + global_width * line *
+                    RGBA_SIZE, d + global_width * line * bpp);
+        }
+        dpy_update(s->console, 0, 0, global_width, global_height);
+    }
+    s->invalidate = false;
+    s->vidintcon[1] |= FIMD_VIDINT_INTFRMPEND;
+    if ((s->vidcon[0] & FIMD_VIDCON0_ENVID_F) == 0) {
+        exynos4210_fimd_enable(s, false);
+    }
+    exynos4210_fimd_update_irq(s);
+}
+
+static void exynos4210_fimd_reset(DeviceState *d)
+{
+    Exynos4210fimdState *s = DO_UPCAST(Exynos4210fimdState, busdev.qdev, d);
+    unsigned w;
+
+    DPRINT_TRACE("Display controller reset\n");
+    /* Set all display controller registers to 0 */
+    memset(&s->vidcon, 0, (uint8_t *)&s->window - (uint8_t *)&s->vidcon);
+    for (w = 0; w < NUM_OF_WINDOWS; w++) {
+        memset(&s->window[w], 0, sizeof(Exynos4210fimdWindow));
+        s->window[w].blendeq = 0xC2;
+        exynos4210_fimd_update_win_bppmode(s, w);
+        exynos4210_fimd_trace_bppmode(s, w, 0xFFFFFFFF);
+        fimd_update_get_alpha(s, w);
+    }
+
+    if (s->ifb != NULL) {
+        g_free(s->ifb);
+    }
+    s->ifb = NULL;
+
+    exynos4210_fimd_invalidate(s);
+    exynos4210_fimd_enable(s, false);
+    /* Some registers have non-zero initial values */
+    s->winchmap = 0x7D517D51;
+    s->colorgaincon = 0x10040100;
+    s->huecoef_cr[0] = s->huecoef_cr[3] = 0x01000100;
+    s->huecoef_cb[0] = s->huecoef_cb[3] = 0x01000100;
+    s->hueoffset = 0x01800080;
+}
+
+static void exynos4210_fimd_write(void *opaque, target_phys_addr_t offset,
+                              uint64_t val, unsigned size)
+{
+    Exynos4210fimdState *s = (Exynos4210fimdState *)opaque;
+    unsigned w, i;
+    uint32_t old_value;
+
+    DPRINT_L2("write offset 0x%08x, value=%llu(0x%08llx)\n", offset,
+            (long long unsigned int)val, (long long unsigned int)val);
+
+    switch (offset) {
+    case FIMD_VIDCON0:
+        if ((val & FIMD_VIDCON0_ENVID_MASK) == FIMD_VIDCON0_ENVID_MASK) {
+            exynos4210_fimd_enable(s, true);
+        } else {
+            if ((val & FIMD_VIDCON0_ENVID) == 0) {
+                exynos4210_fimd_enable(s, false);
+            }
+        }
+        s->vidcon[0] = val;
+        break;
+    case FIMD_VIDCON1:
+        /* Leave read-only bits as is */
+        val = (val & (~FIMD_VIDCON1_ROMASK)) |
+                (s->vidcon[1] & FIMD_VIDCON1_ROMASK);
+        s->vidcon[1] = val;
+        break;
+    case FIMD_VIDCON2 ... FIMD_VIDCON3:
+        s->vidcon[(offset) >> 2] = val;
+        break;
+    case FIMD_VIDTCON_START ... FIMD_VIDTCON_END:
+        s->vidtcon[(offset - FIMD_VIDTCON_START) >> 2] = val;
+        break;
+    case FIMD_WINCON_START ... FIMD_WINCON_END:
+        w = (offset - FIMD_WINCON_START) >> 2;
+        /* Window's current buffer ID */
+        i = fimd_get_buffer_id(&s->window[w]);
+        old_value = s->window[w].wincon;
+        val = (val & ~FIMD_WINCON_ROMASK) |
+                (s->window[w].wincon & FIMD_WINCON_ROMASK);
+        if (w == 0) {
+            /* Window 0 wincon ALPHA_MUL bit must always be 0 */
+            val &= ~FIMD_WINCON_ALPHA_MUL;
+        }
+        exynos4210_fimd_trace_bppmode(s, w, val);
+        switch (val & FIMD_WINCON_BUFSELECT) {
+        case FIMD_WINCON_BUF0_SEL:
+            val &= ~FIMD_WINCON_BUFSTATUS;
+            break;
+        case FIMD_WINCON_BUF1_SEL:
+            val = (val & ~FIMD_WINCON_BUFSTAT_H) | FIMD_WINCON_BUFSTAT_L;
+            break;
+        case FIMD_WINCON_BUF2_SEL:
+            if (val & FIMD_WINCON_BUFMODE) {
+                val = (val & ~FIMD_WINCON_BUFSTAT_L) | FIMD_WINCON_BUFSTAT_H;
+            }
+            break;
+        default:
+            break;
+        }
+        s->window[w].wincon = val;
+        exynos4210_fimd_update_win_bppmode(s, w);
+        fimd_update_get_alpha(s, w);
+        if ((i != fimd_get_buffer_id(&s->window[w])) ||
+                (!(old_value & FIMD_WINCON_ENWIN) && (s->window[w].wincon &
+                        FIMD_WINCON_ENWIN))) {
+            fimd_update_memory_section(s, w);
+        }
+        break;
+    case FIMD_SHADOWCON:
+        old_value = s->shadowcon;
+        s->shadowcon = val;
+        for (w = 0; w < NUM_OF_WINDOWS; w++) {
+            if (FIMD_WINDOW_PROTECTED(old_value, w) &&
+                    !FIMD_WINDOW_PROTECTED(s->shadowcon, w)) {
+                fimd_update_memory_section(s, w);
+            }
+        }
+        break;
+    case FIMD_WINCHMAP:
+        s->winchmap = val;
+        break;
+    case FIMD_VIDOSD_START ... FIMD_VIDOSD_END:
+        w = (offset - FIMD_VIDOSD_START) >> 4;
+        i = ((offset - FIMD_VIDOSD_START) & 0xF) >> 2;
+        switch (i) {
+        case 0:
+            old_value = s->window[w].lefttop_y;
+            s->window[w].lefttop_x = (val >> FIMD_VIDOSD_HOR_SHIFT) &
+                                      FIMD_VIDOSD_COORD_MASK;
+            s->window[w].lefttop_y = (val >> FIMD_VIDOSD_VER_SHIFT) &
+                                      FIMD_VIDOSD_COORD_MASK;
+            if (s->window[w].lefttop_y != old_value) {
+                fimd_update_memory_section(s, w);
+            }
+            break;
+        case 1:
+            old_value = s->window[w].rightbot_y;
+            s->window[w].rightbot_x = (val >> FIMD_VIDOSD_HOR_SHIFT) &
+                                       FIMD_VIDOSD_COORD_MASK;
+            s->window[w].rightbot_y = (val >> FIMD_VIDOSD_VER_SHIFT) &
+                                       FIMD_VIDOSD_COORD_MASK;
+            if (s->window[w].rightbot_y != old_value) {
+                fimd_update_memory_section(s, w);
+            }
+            break;
+        case 2:
+            if (w == 0) {
+                s->window[w].osdsize = val;
+            } else {
+                s->window[w].alpha_val[0] =
+                    unpack_upper_4((val & FIMD_VIDOSD_ALPHA_AEN0) >>
+                    FIMD_VIDOSD_AEN0_SHIFT) |
+                    (s->window[w].alpha_val[0] & FIMD_VIDALPHA_ALPHA_LOWER);
+                s->window[w].alpha_val[1] =
+                    unpack_upper_4(val & FIMD_VIDOSD_ALPHA_AEN1) |
+                    (s->window[w].alpha_val[1] & FIMD_VIDALPHA_ALPHA_LOWER);
+            }
+            break;
+        case 3:
+            if (w != 1 && w != 2) {
+                DPRINT_ERROR("Bad write offset 0x%08x\n", offset);
+                return;
+            }
+            s->window[w].osdsize = val;
+            break;
+        }
+        break;
+    case FIMD_VIDWADD0_START ... FIMD_VIDWADD0_END:
+        w = (offset - FIMD_VIDWADD0_START) >> 3;
+        i = ((offset - FIMD_VIDWADD0_START) >> 2) & 1;
+        if (i == fimd_get_buffer_id(&s->window[w]) &&
+                s->window[w].buf_start[i] != val) {
+            s->window[w].buf_start[i] = val;
+            fimd_update_memory_section(s, w);
+            break;
+        }
+        s->window[w].buf_start[i] = val;
+        break;
+    case FIMD_VIDWADD1_START ... FIMD_VIDWADD1_END:
+        w = (offset - FIMD_VIDWADD1_START) >> 3;
+        i = ((offset - FIMD_VIDWADD1_START) >> 2) & 1;
+        s->window[w].buf_end[i] = val;
+        break;
+    case FIMD_VIDWADD2_START ... FIMD_VIDWADD2_END:
+        w = (offset - FIMD_VIDWADD2_START) >> 2;
+        if (((val & FIMD_VIDWADD2_PAGEWIDTH) != s->window[w].virtpage_width) ||
+            (((val >> FIMD_VIDWADD2_OFFSIZE_SHIFT) & FIMD_VIDWADD2_OFFSIZE) !=
+                        s->window[w].virtpage_offsize)) {
+            s->window[w].virtpage_width = val & FIMD_VIDWADD2_PAGEWIDTH;
+            s->window[w].virtpage_offsize =
+                (val >> FIMD_VIDWADD2_OFFSIZE_SHIFT) & FIMD_VIDWADD2_OFFSIZE;
+            fimd_update_memory_section(s, w);
+        }
+        break;
+    case FIMD_VIDINTCON0:
+        s->vidintcon[0] = val;
+        break;
+    case FIMD_VIDINTCON1:
+        s->vidintcon[1] &= ~(val & 7);
+        exynos4210_fimd_update_irq(s);
+        break;
+    case FIMD_WKEYCON_START ... FIMD_WKEYCON_END:
+        w = ((offset - FIMD_WKEYCON_START) >> 3) + 1;
+        i = ((offset - FIMD_WKEYCON_START) >> 2) & 1;
+        s->window[w].keycon[i] = val;
+        break;
+    case FIMD_WKEYALPHA_START ... FIMD_WKEYALPHA_END:
+        w = ((offset - FIMD_WKEYALPHA_START) >> 2) + 1;
+        s->window[w].keyalpha = val;
+        break;
+    case FIMD_DITHMODE:
+        s->dithmode = val;
+        break;
+    case FIMD_WINMAP_START ... FIMD_WINMAP_END:
+        w = (offset - FIMD_WINMAP_START) >> 2;
+        old_value = s->window[w].winmap;
+        s->window[w].winmap = val;
+        if ((val & FIMD_WINMAP_EN) ^ (old_value & FIMD_WINMAP_EN)) {
+            exynos4210_fimd_invalidate(s);
+            exynos4210_fimd_update_win_bppmode(s, w);
+            exynos4210_fimd_trace_bppmode(s, w, 0xFFFFFFFF);
+            exynos4210_fimd_update(s);
+        }
+        break;
+    case FIMD_WPALCON_HIGH ... FIMD_WPALCON_LOW:
+        i = (offset - FIMD_WPALCON_HIGH) >> 2;
+        s->wpalcon[i] = val;
+        if (s->wpalcon[1] & FIMD_WPALCON_UPDATEEN) {
+            for (w = 0; w < NUM_OF_WINDOWS; w++) {
+                exynos4210_fimd_update_win_bppmode(s, w);
+                fimd_update_get_alpha(s, w);
+            }
+        }
+        break;
+    case FIMD_TRIGCON:
+        val = (val & ~FIMD_TRIGCON_ROMASK) | (s->trigcon & FIMD_TRIGCON_ROMASK);
+        s->trigcon = val;
+        break;
+    case FIMD_I80IFCON_START ... FIMD_I80IFCON_END:
+        s->i80ifcon[(offset - FIMD_I80IFCON_START) >> 2] = val;
+        break;
+    case FIMD_COLORGAINCON:
+        s->colorgaincon = val;
+        break;
+    case FIMD_LDI_CMDCON0 ... FIMD_LDI_CMDCON1:
+        s->ldi_cmdcon[(offset - FIMD_LDI_CMDCON0) >> 2] = val;
+        break;
+    case FIMD_SIFCCON0 ... FIMD_SIFCCON2:
+        i = (offset - FIMD_SIFCCON0) >> 2;
+        if (i != 2) {
+            s->sifccon[i] = val;
+        }
+        break;
+    case FIMD_HUECOEFCR_START ... FIMD_HUECOEFCR_END:
+        i = (offset - FIMD_HUECOEFCR_START) >> 2;
+        s->huecoef_cr[i] = val;
+        break;
+    case FIMD_HUECOEFCB_START ... FIMD_HUECOEFCB_END:
+        i = (offset - FIMD_HUECOEFCB_START) >> 2;
+        s->huecoef_cb[i] = val;
+        break;
+    case FIMD_HUEOFFSET:
+        s->hueoffset = val;
+        break;
+    case FIMD_VIDWALPHA_START ... FIMD_VIDWALPHA_END:
+        w = ((offset - FIMD_VIDWALPHA_START) >> 3);
+        i = ((offset - FIMD_VIDWALPHA_START) >> 2) & 1;
+        if (w == 0) {
+            s->window[w].alpha_val[i] = val;
+        } else {
+            s->window[w].alpha_val[i] = (val & FIMD_VIDALPHA_ALPHA_LOWER) |
+                (s->window[w].alpha_val[i] & FIMD_VIDALPHA_ALPHA_UPPER);
+        }
+        break;
+    case FIMD_BLENDEQ_START ... FIMD_BLENDEQ_END:
+        s->window[(offset - FIMD_BLENDEQ_START) >> 2].blendeq = val;
+        break;
+    case FIMD_BLENDCON:
+        old_value = s->blendcon;
+        s->blendcon = val;
+        if ((s->blendcon & FIMD_ALPHA_8BIT) != (old_value & FIMD_ALPHA_8BIT)) {
+            for (w = 0; w < NUM_OF_WINDOWS; w++) {
+                fimd_update_get_alpha(s, w);
+            }
+        }
+        break;
+    case FIMD_WRTQOSCON_START ... FIMD_WRTQOSCON_END:
+        s->window[(offset - FIMD_WRTQOSCON_START) >> 2].rtqoscon = val;
+        break;
+    case FIMD_I80IFCMD_START ... FIMD_I80IFCMD_END:
+        s->i80ifcmd[(offset - FIMD_I80IFCMD_START) >> 2] = val;
+        break;
+    case FIMD_VIDW0ADD0_B2 ... FIMD_VIDW4ADD0_B2:
+        if (offset & 0x0004) {
+            DPRINT_ERROR("bad write offset 0x%08x\n", offset);
+            break;
+        }
+        w = (offset - FIMD_VIDW0ADD0_B2) >> 3;
+        if (fimd_get_buffer_id(&s->window[w]) == 2 &&
+                s->window[w].buf_start[2] != val) {
+            s->window[w].buf_start[2] = val;
+            fimd_update_memory_section(s, w);
+            break;
+        }
+        s->window[w].buf_start[2] = val;
+        break;
+    case FIMD_SHD_ADD0_START ... FIMD_SHD_ADD0_END:
+        if (offset & 0x0004) {
+            DPRINT_ERROR("bad write offset 0x%08x\n", offset);
+            break;
+        }
+        s->window[(offset - FIMD_SHD_ADD0_START) >> 3].shadow_buf_start = val;
+        break;
+    case FIMD_SHD_ADD1_START ... FIMD_SHD_ADD1_END:
+        if (offset & 0x0004) {
+            DPRINT_ERROR("bad write offset 0x%08x\n", offset);
+            break;
+        }
+        s->window[(offset - FIMD_SHD_ADD1_START) >> 3].shadow_buf_end = val;
+        break;
+    case FIMD_SHD_ADD2_START ... FIMD_SHD_ADD2_END:
+        s->window[(offset - FIMD_SHD_ADD2_START) >> 2].shadow_buf_size = val;
+        break;
+    case FIMD_PAL_MEM_START ... FIMD_PAL_MEM_END:
+        w = (offset - FIMD_PAL_MEM_START) >> 10;
+        i = ((offset - FIMD_PAL_MEM_START) >> 2) & 0xFF;
+        s->window[w].palette[i] = val;
+        break;
+    case FIMD_PALMEM_AL_START ... FIMD_PALMEM_AL_END:
+        /* Palette memory aliases for windows 0 and 1 */
+        w = (offset - FIMD_PALMEM_AL_START) >> 10;
+        i = ((offset - FIMD_PALMEM_AL_START) >> 2) & 0xFF;
+        s->window[w].palette[i] = val;
+        break;
+    default:
+        DPRINT_ERROR("bad write offset 0x%08x\n", offset);
+        break;
+    }
+}
+
+static uint64_t exynos4210_fimd_read(void *opaque, target_phys_addr_t offset,
+                                  unsigned size)
+{
+    Exynos4210fimdState *s = (Exynos4210fimdState *)opaque;
+    int w, i;
+    uint32_t ret = 0;
+
+    DPRINT_L2("read offset 0x%08x\n", offset);
+
+    switch (offset) {
+    case FIMD_VIDCON0 ... FIMD_VIDCON3:
+        return s->vidcon[(offset - FIMD_VIDCON0) >> 2];
+    case FIMD_VIDTCON_START ... FIMD_VIDTCON_END:
+        return s->vidtcon[(offset - FIMD_VIDTCON_START) >> 2];
+    case FIMD_WINCON_START ... FIMD_WINCON_END:
+        return s->window[(offset - FIMD_WINCON_START) >> 2].wincon;
+    case FIMD_SHADOWCON:
+        return s->shadowcon;
+    case FIMD_WINCHMAP:
+        return s->winchmap;
+    case FIMD_VIDOSD_START ... FIMD_VIDOSD_END:
+        w = (offset - FIMD_VIDOSD_START) >> 4;
+        i = ((offset - FIMD_VIDOSD_START) & 0xF) >> 2;
+        switch (i) {
+        case 0:
+            ret = ((s->window[w].lefttop_x & FIMD_VIDOSD_COORD_MASK) <<
+            FIMD_VIDOSD_HOR_SHIFT) |
+            (s->window[w].lefttop_y & FIMD_VIDOSD_COORD_MASK);
+            break;
+        case 1:
+            ret = ((s->window[w].rightbot_x & FIMD_VIDOSD_COORD_MASK) <<
+                FIMD_VIDOSD_HOR_SHIFT) |
+                (s->window[w].rightbot_y & FIMD_VIDOSD_COORD_MASK);
+            break;
+        case 2:
+            if (w == 0) {
+                ret = s->window[w].osdsize;
+            } else {
+                ret = (pack_upper_4(s->window[w].alpha_val[0]) <<
+                    FIMD_VIDOSD_AEN0_SHIFT) |
+                    pack_upper_4(s->window[w].alpha_val[1]);
+            }
+            break;
+        case 3:
+            if (w != 1 && w != 2) {
+                DPRINT_ERROR("bad read offset 0x%08x\n", offset);
+                return 0xBAADBAAD;
+            }
+            ret = s->window[w].osdsize;
+            break;
+        }
+        return ret;
+    case FIMD_VIDWADD0_START ... FIMD_VIDWADD0_END:
+        w = (offset - FIMD_VIDWADD0_START) >> 3;
+        i = ((offset - FIMD_VIDWADD0_START) >> 2) & 1;
+        return s->window[w].buf_start[i];
+    case FIMD_VIDWADD1_START ... FIMD_VIDWADD1_END:
+        w = (offset - FIMD_VIDWADD1_START) >> 3;
+        i = ((offset - FIMD_VIDWADD1_START) >> 2) & 1;
+        return s->window[w].buf_end[i];
+    case FIMD_VIDWADD2_START ... FIMD_VIDWADD2_END:
+        w = (offset - FIMD_VIDWADD2_START) >> 2;
+        return s->window[w].virtpage_width | (s->window[w].virtpage_offsize <<
+            FIMD_VIDWADD2_OFFSIZE_SHIFT);
+    case FIMD_VIDINTCON0 ... FIMD_VIDINTCON1:
+        return s->vidintcon[(offset - FIMD_VIDINTCON0) >> 2];
+    case FIMD_WKEYCON_START ... FIMD_WKEYCON_END:
+        w = ((offset - FIMD_WKEYCON_START) >> 3) + 1;
+        i = ((offset - FIMD_WKEYCON_START) >> 2) & 1;
+        return s->window[w].keycon[i];
+    case FIMD_WKEYALPHA_START ... FIMD_WKEYALPHA_END:
+        w = ((offset - FIMD_WKEYALPHA_START) >> 2) + 1;
+        return s->window[w].keyalpha;
+    case FIMD_DITHMODE:
+        return s->dithmode;
+    case FIMD_WINMAP_START ... FIMD_WINMAP_END:
+        return s->window[(offset - FIMD_WINMAP_START) >> 2].winmap;
+    case FIMD_WPALCON_HIGH ... FIMD_WPALCON_LOW:
+        return s->wpalcon[(offset - FIMD_WPALCON_HIGH) >> 2];
+    case FIMD_TRIGCON:
+        return s->trigcon;
+    case FIMD_I80IFCON_START ... FIMD_I80IFCON_END:
+        return s->i80ifcon[(offset - FIMD_I80IFCON_START) >> 2];
+    case FIMD_COLORGAINCON:
+        return s->colorgaincon;
+    case FIMD_LDI_CMDCON0 ... FIMD_LDI_CMDCON1:
+        return s->ldi_cmdcon[(offset - FIMD_LDI_CMDCON0) >> 2];
+    case FIMD_SIFCCON0 ... FIMD_SIFCCON2:
+        i = (offset - FIMD_SIFCCON0) >> 2;
+        return s->sifccon[i];
+    case FIMD_HUECOEFCR_START ... FIMD_HUECOEFCR_END:
+        i = (offset - FIMD_HUECOEFCR_START) >> 2;
+        return s->huecoef_cr[i];
+    case FIMD_HUECOEFCB_START ... FIMD_HUECOEFCB_END:
+        i = (offset - FIMD_HUECOEFCB_START) >> 2;
+        return s->huecoef_cb[i];
+    case FIMD_HUEOFFSET:
+        return s->hueoffset;
+    case FIMD_VIDWALPHA_START ... FIMD_VIDWALPHA_END:
+        w = ((offset - FIMD_VIDWALPHA_START) >> 3);
+        i = ((offset - FIMD_VIDWALPHA_START) >> 2) & 1;
+        return s->window[w].alpha_val[i] &
+                (w == 0 ? 0xFFFFFF : FIMD_VIDALPHA_ALPHA_LOWER);
+    case FIMD_BLENDEQ_START ... FIMD_BLENDEQ_END:
+        return s->window[(offset - FIMD_BLENDEQ_START) >> 2].blendeq;
+    case FIMD_BLENDCON:
+        return s->blendcon;
+    case FIMD_WRTQOSCON_START ... FIMD_WRTQOSCON_END:
+        return s->window[(offset - FIMD_WRTQOSCON_START) >> 2].rtqoscon;
+    case FIMD_I80IFCMD_START ... FIMD_I80IFCMD_END:
+        return s->i80ifcmd[(offset - FIMD_I80IFCMD_START) >> 2];
+    case FIMD_VIDW0ADD0_B2 ... FIMD_VIDW4ADD0_B2:
+        if (offset & 0x0004) {
+            break;
+        }
+        return s->window[(offset - FIMD_VIDW0ADD0_B2) >> 3].buf_start[2];
+    case FIMD_SHD_ADD0_START ... FIMD_SHD_ADD0_END:
+        if (offset & 0x0004) {
+            break;
+        }
+        return s->window[(offset - FIMD_SHD_ADD0_START) >> 3].shadow_buf_start;
+    case FIMD_SHD_ADD1_START ... FIMD_SHD_ADD1_END:
+        if (offset & 0x0004) {
+            break;
+        }
+        return s->window[(offset - FIMD_SHD_ADD1_START) >> 3].shadow_buf_end;
+    case FIMD_SHD_ADD2_START ... FIMD_SHD_ADD2_END:
+        return s->window[(offset - FIMD_SHD_ADD2_START) >> 2].shadow_buf_size;
+    case FIMD_PAL_MEM_START ... FIMD_PAL_MEM_END:
+        w = (offset - FIMD_PAL_MEM_START) >> 10;
+        i = ((offset - FIMD_PAL_MEM_START) >> 2) & 0xFF;
+        return s->window[w].palette[i];
+    case FIMD_PALMEM_AL_START ... FIMD_PALMEM_AL_END:
+        /* Palette aliases for win 0,1 */
+        w = (offset - FIMD_PALMEM_AL_START) >> 10;
+        i = ((offset - FIMD_PALMEM_AL_START) >> 2) & 0xFF;
+        return s->window[w].palette[i];
+    }
+
+    DPRINT_ERROR("bad read offset 0x%08x\n", offset);
+    return 0xBAADBAAD;
+}
+
+static const MemoryRegionOps exynos4210_fimd_mmio_ops = {
+    .read = exynos4210_fimd_read,
+    .write = exynos4210_fimd_write,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+        .unaligned = false
+    },
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+static int exynos4210_fimd_load(void *opaque, int version_id)
+{
+    Exynos4210fimdState *s = (Exynos4210fimdState *)opaque;
+    int w;
+
+    if (version_id != 1) {
+        return -EINVAL;
+    }
+
+    for (w = 0; w < NUM_OF_WINDOWS; w++) {
+        exynos4210_fimd_update_win_bppmode(s, w);
+        fimd_update_get_alpha(s, w);
+        fimd_update_memory_section(s, w);
+    }
+
+    /* Redraw the whole screen */
+    exynos4210_update_resolution(s);
+    exynos4210_fimd_invalidate(s);
+    exynos4210_fimd_enable(s, (s->vidcon[0] & FIMD_VIDCON0_ENVID_MASK) ==
+            FIMD_VIDCON0_ENVID_MASK);
+    return 0;
+}
+
+static const VMStateDescription exynos4210_fimd_window_vmstate = {
+    .name = "exynos4210.fimd_window",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields      = (VMStateField[]) {
+        VMSTATE_UINT32(wincon, Exynos4210fimdWindow),
+        VMSTATE_UINT32_ARRAY(buf_start, Exynos4210fimdWindow, 3),
+        VMSTATE_UINT32_ARRAY(buf_end, Exynos4210fimdWindow, 3),
+        VMSTATE_UINT32_ARRAY(keycon, Exynos4210fimdWindow, 2),
+        VMSTATE_UINT32(keyalpha, Exynos4210fimdWindow),
+        VMSTATE_UINT32(winmap, Exynos4210fimdWindow),
+        VMSTATE_UINT32(blendeq, Exynos4210fimdWindow),
+        VMSTATE_UINT32(rtqoscon, Exynos4210fimdWindow),
+        VMSTATE_UINT32_ARRAY(palette, Exynos4210fimdWindow, 256),
+        VMSTATE_UINT32(shadow_buf_start, Exynos4210fimdWindow),
+        VMSTATE_UINT32(shadow_buf_end, Exynos4210fimdWindow),
+        VMSTATE_UINT32(shadow_buf_size, Exynos4210fimdWindow),
+        VMSTATE_UINT16(lefttop_x, Exynos4210fimdWindow),
+        VMSTATE_UINT16(lefttop_y, Exynos4210fimdWindow),
+        VMSTATE_UINT16(rightbot_x, Exynos4210fimdWindow),
+        VMSTATE_UINT16(rightbot_y, Exynos4210fimdWindow),
+        VMSTATE_UINT32(osdsize, Exynos4210fimdWindow),
+        VMSTATE_UINT32_ARRAY(alpha_val, Exynos4210fimdWindow, 2),
+        VMSTATE_UINT16(virtpage_width, Exynos4210fimdWindow),
+        VMSTATE_UINT16(virtpage_offsize, Exynos4210fimdWindow),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription exynos4210_fimd_vmstate = {
+    .name = "exynos4210.fimd",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .post_load = exynos4210_fimd_load,
+    .fields      = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(vidcon, Exynos4210fimdState, 4),
+        VMSTATE_UINT32_ARRAY(vidtcon, Exynos4210fimdState, 4),
+        VMSTATE_UINT32(shadowcon, Exynos4210fimdState),
+        VMSTATE_UINT32(winchmap, Exynos4210fimdState),
+        VMSTATE_UINT32_ARRAY(vidintcon, Exynos4210fimdState, 2),
+        VMSTATE_UINT32(dithmode, Exynos4210fimdState),
+        VMSTATE_UINT32_ARRAY(wpalcon, Exynos4210fimdState, 2),
+        VMSTATE_UINT32(trigcon, Exynos4210fimdState),
+        VMSTATE_UINT32_ARRAY(i80ifcon, Exynos4210fimdState, 4),
+        VMSTATE_UINT32(colorgaincon, Exynos4210fimdState),
+        VMSTATE_UINT32_ARRAY(ldi_cmdcon, Exynos4210fimdState, 2),
+        VMSTATE_UINT32_ARRAY(sifccon, Exynos4210fimdState, 3),
+        VMSTATE_UINT32_ARRAY(huecoef_cr, Exynos4210fimdState, 4),
+        VMSTATE_UINT32_ARRAY(huecoef_cb, Exynos4210fimdState, 4),
+        VMSTATE_UINT32(hueoffset, Exynos4210fimdState),
+        VMSTATE_UINT32_ARRAY(i80ifcmd, Exynos4210fimdState, 12),
+        VMSTATE_UINT32(blendcon, Exynos4210fimdState),
+        VMSTATE_STRUCT_ARRAY(window, Exynos4210fimdState, 5, 1,
+                exynos4210_fimd_window_vmstate, Exynos4210fimdWindow),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static int exynos4210_fimd_init(SysBusDevice *dev)
+{
+    Exynos4210fimdState *s = FROM_SYSBUS(Exynos4210fimdState, dev);
+
+    s->ifb = NULL;
+
+    sysbus_init_irq(dev, &s->irq[0]);
+    sysbus_init_irq(dev, &s->irq[1]);
+    sysbus_init_irq(dev, &s->irq[2]);
+
+    memory_region_init_io(&s->iomem, &exynos4210_fimd_mmio_ops, s,
+            "exynos4210.fimd", FIMD_REGS_SIZE);
+    sysbus_init_mmio(dev, &s->iomem);
+    s->console = graphic_console_init(exynos4210_fimd_update,
+                                  exynos4210_fimd_invalidate, NULL, NULL, s);
+
+    return 0;
+}
+
+static void exynos4210_fimd_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    dc->vmsd = &exynos4210_fimd_vmstate;
+    dc->reset = exynos4210_fimd_reset;
+    k->init = exynos4210_fimd_init;
+}
+
+static TypeInfo exynos4210_fimd_info = {
+    .name = "exynos4210.fimd",
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210fimdState),
+    .class_init = exynos4210_fimd_class_init,
+};
+
+static void exynos4210_fimd_register_types(void)
+{
+    type_register_static(&exynos4210_fimd_info);
+}
+
+type_init(exynos4210_fimd_register_types)
commit 2c2c6496f83b1746a118dbcb2a0e4f8c0305c2a8
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:06 2012 +0000

    hw/exynos4210.c: Add LAN support for SMDKC210.
    
    SMDKC210 uses lan9215 chip, but lan9118 in 16-bit mode seems to
    be enough.
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/exynos4_boards.c b/hw/exynos4_boards.c
index 767dc45..329efbe 100644
--- a/hw/exynos4_boards.c
+++ b/hw/exynos4_boards.c
@@ -23,6 +23,7 @@
 
 #include "sysemu.h"
 #include "sysbus.h"
+#include "net.h"
 #include "arm-misc.h"
 #include "exec-memory.h"
 #include "exynos4210.h"
@@ -42,6 +43,8 @@
     #define  PRINT_DEBUG(fmt, args...)  do {} while (0)
 #endif
 
+#define SMDK_LAN9118_BASE_ADDR      0x05000000
+
 typedef enum Exynos4BoardType {
     EXYNOS4_BOARD_NURI,
     EXYNOS4_BOARD_SMDKC210,
@@ -71,6 +74,24 @@ static struct arm_boot_info exynos4_board_binfo = {
 
 static QEMUMachine exynos4_machines[EXYNOS4_NUM_OF_BOARDS];
 
+static void lan9215_init(uint32_t base, qemu_irq irq)
+{
+    DeviceState *dev;
+    SysBusDevice *s;
+
+    /* This should be a 9215 but the 9118 is close enough */
+    if (nd_table[0].vlan) {
+        qemu_check_nic_model(&nd_table[0], "lan9118");
+        dev = qdev_create(NULL, "lan9118");
+        qdev_set_nic_properties(dev, &nd_table[0]);
+        qdev_prop_set_uint32(dev, "mode_16bit", 1);
+        qdev_init_nofail(dev);
+        s = sysbus_from_qdev(dev);
+        sysbus_mmio_map(s, 0, base);
+        sysbus_connect_irq(s, 0, irq);
+    }
+}
+
 static Exynos4210State *exynos4_boards_init_common(
         const char *kernel_filename,
         const char *kernel_cmdline,
@@ -123,9 +144,11 @@ static void smdkc210_init(ram_addr_t ram_size,
         const char *kernel_filename, const char *kernel_cmdline,
         const char *initrd_filename, const char *cpu_model)
 {
-    exynos4_boards_init_common(kernel_filename, kernel_cmdline,
-                initrd_filename, EXYNOS4_BOARD_SMDKC210);
+    Exynos4210State *s = exynos4_boards_init_common(kernel_filename,
+            kernel_cmdline, initrd_filename, EXYNOS4_BOARD_SMDKC210);
 
+    lan9215_init(SMDK_LAN9118_BASE_ADDR,
+            qemu_irq_invert(s->irq_table[exynos4210_get_irq(37, 1)]));
     arm_load_kernel(first_cpu, &exynos4_board_binfo);
 }
 
commit 1248f8d4cbc3cd7b7956510f9d72188b5cd37287
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:06 2012 +0000

    hw/lan9118: Add basic 16-bit mode support.
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Reviewed-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/lan9118.c b/hw/lan9118.c
index aeb0c39..7b4fe87 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -235,11 +235,21 @@ typedef struct {
     int32_t rxp_offset;
     int32_t rxp_size;
     int32_t rxp_pad;
+
+    uint32_t write_word_prev_offset;
+    uint32_t write_word_n;
+    uint16_t write_word_l;
+    uint16_t write_word_h;
+    uint32_t read_word_prev_offset;
+    uint32_t read_word_n;
+    uint32_t read_long;
+
+    uint32_t mode_16bit;
 } lan9118_state;
 
 static const VMStateDescription vmstate_lan9118 = {
     .name = "lan9118",
-    .version_id = 1,
+    .version_id = 2,
     .minimum_version_id = 1,
     .fields = (VMStateField[]) {
         VMSTATE_PTIMER(timer, lan9118_state),
@@ -294,6 +304,14 @@ static const VMStateDescription vmstate_lan9118 = {
         VMSTATE_INT32(rxp_offset, lan9118_state),
         VMSTATE_INT32(rxp_size, lan9118_state),
         VMSTATE_INT32(rxp_pad, lan9118_state),
+        VMSTATE_UINT32_V(write_word_prev_offset, lan9118_state, 2),
+        VMSTATE_UINT32_V(write_word_n, lan9118_state, 2),
+        VMSTATE_UINT16_V(write_word_l, lan9118_state, 2),
+        VMSTATE_UINT16_V(write_word_h, lan9118_state, 2),
+        VMSTATE_UINT32_V(read_word_prev_offset, lan9118_state, 2),
+        VMSTATE_UINT32_V(read_word_n, lan9118_state, 2),
+        VMSTATE_UINT32_V(read_long, lan9118_state, 2),
+        VMSTATE_UINT32_V(mode_16bit, lan9118_state, 2),
         VMSTATE_END_OF_LIST()
     }
 };
@@ -390,7 +408,7 @@ static void lan9118_reset(DeviceState *d)
     s->fifo_int = 0x48000000;
     s->rx_cfg = 0;
     s->tx_cfg = 0;
-    s->hw_cfg = 0x00050000;
+    s->hw_cfg = s->mode_16bit ? 0x00050000 : 0x00050004;
     s->pmt_ctrl &= 0x45;
     s->gpio_cfg = 0;
     s->txp->fifo_used = 0;
@@ -429,6 +447,9 @@ static void lan9118_reset(DeviceState *d)
     s->mac_mii_data = 0;
     s->mac_flow = 0;
 
+    s->read_word_n = 0;
+    s->write_word_n = 0;
+
     phy_reset(s);
 
     s->eeprom_writable = 0;
@@ -984,7 +1005,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
 {
     lan9118_state *s = (lan9118_state *)opaque;
     offset &= 0xff;
-    
+
     //DPRINTF("Write reg 0x%02x = 0x%08x\n", (int)offset, val);
     if (offset >= 0x20 && offset < 0x40) {
         /* TX FIFO */
@@ -1034,7 +1055,7 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
             /* SRST */
             lan9118_reset(&s->busdev.qdev);
         } else {
-            s->hw_cfg = val & 0x003f300;
+            s->hw_cfg = (val & 0x003f300) | (s->hw_cfg & 0x4);
         }
         break;
     case CSR_RX_DP_CTRL:
@@ -1113,6 +1134,46 @@ static void lan9118_writel(void *opaque, target_phys_addr_t offset,
     lan9118_update(s);
 }
 
+static void lan9118_writew(void *opaque, target_phys_addr_t offset,
+                           uint32_t val)
+{
+    lan9118_state *s = (lan9118_state *)opaque;
+    offset &= 0xff;
+
+    if (s->write_word_prev_offset != (offset & ~0x3)) {
+        /* New offset, reset word counter */
+        s->write_word_n = 0;
+        s->write_word_prev_offset = offset & ~0x3;
+    }
+
+    if (offset & 0x2) {
+        s->write_word_h = val;
+    } else {
+        s->write_word_l = val;
+    }
+
+    //DPRINTF("Writew reg 0x%02x = 0x%08x\n", (int)offset, val);
+    s->write_word_n++;
+    if (s->write_word_n == 2) {
+        s->write_word_n = 0;
+        lan9118_writel(s, offset & ~3, s->write_word_l +
+                (s->write_word_h << 16), 4);
+    }
+}
+
+static void lan9118_16bit_mode_write(void *opaque, target_phys_addr_t offset,
+                                     uint64_t val, unsigned size)
+{
+    switch (size) {
+    case 2:
+        return lan9118_writew(opaque, offset, (uint32_t)val);
+    case 4:
+        return lan9118_writel(opaque, offset, val, size);
+    }
+
+    hw_error("lan9118_write: Bad size 0x%x\n", size);
+}
+
 static uint64_t lan9118_readl(void *opaque, target_phys_addr_t offset,
                               unsigned size)
 {
@@ -1149,7 +1210,7 @@ static uint64_t lan9118_readl(void *opaque, target_phys_addr_t offset,
     case CSR_TX_CFG:
         return s->tx_cfg;
     case CSR_HW_CFG:
-        return s->hw_cfg | 0x4;
+        return s->hw_cfg;
     case CSR_RX_DP_CTRL:
         return 0;
     case CSR_RX_FIFO_INF:
@@ -1187,12 +1248,60 @@ static uint64_t lan9118_readl(void *opaque, target_phys_addr_t offset,
     return 0;
 }
 
+static uint32_t lan9118_readw(void *opaque, target_phys_addr_t offset)
+{
+    lan9118_state *s = (lan9118_state *)opaque;
+    uint32_t val;
+
+    if (s->read_word_prev_offset != (offset & ~0x3)) {
+        /* New offset, reset word counter */
+        s->read_word_n = 0;
+        s->read_word_prev_offset = offset & ~0x3;
+    }
+
+    s->read_word_n++;
+    if (s->read_word_n == 1) {
+        s->read_long = lan9118_readl(s, offset & ~3, 4);
+    } else {
+        s->read_word_n = 0;
+    }
+
+    if (offset & 2) {
+        val = s->read_long >> 16;
+    } else {
+        val = s->read_long & 0xFFFF;
+    }
+
+    //DPRINTF("Readw reg 0x%02x, val 0x%x\n", (int)offset, val);
+    return val;
+}
+
+static uint64_t lan9118_16bit_mode_read(void *opaque, target_phys_addr_t offset,
+                                        unsigned size)
+{
+    switch (size) {
+    case 2:
+        return lan9118_readw(opaque, offset);
+    case 4:
+        return lan9118_readl(opaque, offset, size);
+    }
+
+    hw_error("lan9118_read: Bad size 0x%x\n", size);
+    return 0;
+}
+
 static const MemoryRegionOps lan9118_mem_ops = {
     .read = lan9118_readl,
     .write = lan9118_writel,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
+static const MemoryRegionOps lan9118_16bit_mem_ops = {
+    .read = lan9118_16bit_mode_read,
+    .write = lan9118_16bit_mode_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
 static void lan9118_cleanup(VLANClientState *nc)
 {
     lan9118_state *s = DO_UPCAST(NICState, nc, nc)->opaque;
@@ -1214,8 +1323,10 @@ static int lan9118_init1(SysBusDevice *dev)
     lan9118_state *s = FROM_SYSBUS(lan9118_state, dev);
     QEMUBH *bh;
     int i;
+    const MemoryRegionOps *mem_ops =
+            s->mode_16bit ? &lan9118_16bit_mem_ops : &lan9118_mem_ops;
 
-    memory_region_init_io(&s->mmio, &lan9118_mem_ops, s, "lan9118-mmio", 0x100);
+    memory_region_init_io(&s->mmio, mem_ops, s, "lan9118-mmio", 0x100);
     sysbus_init_mmio(dev, &s->mmio);
     sysbus_init_irq(dev, &s->irq);
     qemu_macaddr_default_if_unset(&s->conf.macaddr);
@@ -1240,6 +1351,7 @@ static int lan9118_init1(SysBusDevice *dev)
 
 static Property lan9118_properties[] = {
     DEFINE_NIC_PROPERTIES(lan9118_state, conf),
+    DEFINE_PROP_UINT32("mode_16bit", lan9118_state, mode_16bit, 0),
     DEFINE_PROP_END_OF_LIST(),
 };
 
commit 12c775db14c037715e31079e2c17899abd0a2aa6
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:05 2012 +0000

    ARM: exynos4210: MCT support.
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index 8a7b4d2..6ceff54 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -346,7 +346,7 @@ obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
 obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
 obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
-obj-arm-y += exynos4210_pmu.o
+obj-arm-y += exynos4210_pmu.o exynos4210_mct.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.c b/hw/exynos4210.c
index f922f55..558f669 100644
--- a/hw/exynos4210.c
+++ b/hw/exynos4210.c
@@ -32,6 +32,9 @@
 /* PWM */
 #define EXYNOS4210_PWM_BASE_ADDR       0x139D0000
 
+/* MCT */
+#define EXYNOS4210_MCT_BASE_ADDR       0x10050000
+
 /* UART's definitions */
 #define EXYNOS4210_UART0_BASE_ADDR     0x13800000
 #define EXYNOS4210_UART1_BASE_ADDR     0x13810000
@@ -220,6 +223,22 @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
                           s->irq_table[exynos4210_get_irq(22, 4)],
                           NULL);
 
+    /* Multi Core Timer */
+    dev = qdev_create(NULL, "exynos4210.mct");
+    qdev_init_nofail(dev);
+    busdev = sysbus_from_qdev(dev);
+    for (n = 0; n < 4; n++) {
+        /* Connect global timer interrupts to Combiner gpio_in */
+        sysbus_connect_irq(busdev, n,
+                s->irq_table[exynos4210_get_irq(1, 4 + n)]);
+    }
+    /* Connect local timer interrupts to Combiner gpio_in */
+    sysbus_connect_irq(busdev, 4,
+            s->irq_table[exynos4210_get_irq(51, 0)]);
+    sysbus_connect_irq(busdev, 5,
+            s->irq_table[exynos4210_get_irq(35, 3)]);
+    sysbus_mmio_map(busdev, 0, EXYNOS4210_MCT_BASE_ADDR);
+
     /*** UARTs ***/
     exynos4210_uart_create(EXYNOS4210_UART0_BASE_ADDR,
                            EXYNOS4210_UART0_FIFO_SIZE, 0, NULL,
diff --git a/hw/exynos4210_mct.c b/hw/exynos4210_mct.c
new file mode 100644
index 0000000..01e3fb8
--- /dev/null
+++ b/hw/exynos4210_mct.c
@@ -0,0 +1,1488 @@
+/*
+ * Samsung exynos4210 Multi Core timer
+ *
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd.
+ * All rights reserved.
+ *
+ * Evgeny Voevodin <e.voevodin at samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Global Timer:
+ *
+ * Consists of two timers. First represents Free Running Counter and second
+ * is used to measure interval from FRC to nearest comparator.
+ *
+ *        0                                                           UINT64_MAX
+ *        |                              timer0                             |
+ *        | <-------------------------------------------------------------- |
+ *        | --------------------------------------------frc---------------> |
+ *        |______________________________________________|__________________|
+ *                CMP0          CMP1             CMP2    |           CMP3
+ *                                                     __|            |_
+ *                                                     |     timer1     |
+ *                                                     | -------------> |
+ *                                                    frc              CMPx
+ *
+ * Problem: when implementing global timer as is, overflow arises.
+ * next_time = cur_time + period * count;
+ * period and count are 64 bits width.
+ * Lets arm timer for MCT_GT_COUNTER_STEP count and update internal G_CNT
+ * register during each event.
+ *
+ * Problem: both timers need to be implemented using MCT_XT_COUNTER_STEP because
+ * local timer contains two counters: TCNT and ICNT. TCNT == 0 -> ICNT--.
+ * IRQ is generated when ICNT riches zero. Implementation where TCNT == 0
+ * generates IRQs suffers from too frequently events. Better to have one
+ * uint64_t counter equal to TCNT*ICNT and arm ptimer.c for a minimum(TCNT*ICNT,
+ * MCT_GT_COUNTER_STEP); (yes, if target tunes ICNT * TCNT to be too low values,
+ * there is no way to avoid frequently events).
+ */
+
+#include "sysbus.h"
+#include "qemu-timer.h"
+#include "qemu-common.h"
+#include "ptimer.h"
+
+#include "exynos4210.h"
+
+//#define DEBUG_MCT
+
+#ifdef DEBUG_MCT
+#define DPRINTF(fmt, ...) \
+        do { fprintf(stdout, "MCT: [%24s:%5d] " fmt, __func__, __LINE__, \
+                     ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) do {} while (0)
+#endif
+
+#define    MCT_CFG          0x000
+#define    G_CNT_L          0x100
+#define    G_CNT_U          0x104
+#define    G_CNT_WSTAT      0x110
+#define    G_COMP0_L        0x200
+#define    G_COMP0_U        0x204
+#define    G_COMP0_ADD_INCR 0x208
+#define    G_COMP1_L        0x210
+#define    G_COMP1_U        0x214
+#define    G_COMP1_ADD_INCR 0x218
+#define    G_COMP2_L        0x220
+#define    G_COMP2_U        0x224
+#define    G_COMP2_ADD_INCR 0x228
+#define    G_COMP3_L        0x230
+#define    G_COMP3_U        0x234
+#define    G_COMP3_ADD_INCR 0x238
+#define    G_TCON           0x240
+#define    G_INT_CSTAT      0x244
+#define    G_INT_ENB        0x248
+#define    G_WSTAT          0x24C
+#define    L0_TCNTB         0x300
+#define    L0_TCNTO         0x304
+#define    L0_ICNTB         0x308
+#define    L0_ICNTO         0x30C
+#define    L0_FRCNTB        0x310
+#define    L0_FRCNTO        0x314
+#define    L0_TCON          0x320
+#define    L0_INT_CSTAT     0x330
+#define    L0_INT_ENB       0x334
+#define    L0_WSTAT         0x340
+#define    L1_TCNTB         0x400
+#define    L1_TCNTO         0x404
+#define    L1_ICNTB         0x408
+#define    L1_ICNTO         0x40C
+#define    L1_FRCNTB        0x410
+#define    L1_FRCNTO        0x414
+#define    L1_TCON          0x420
+#define    L1_INT_CSTAT     0x430
+#define    L1_INT_ENB       0x434
+#define    L1_WSTAT         0x440
+
+#define MCT_CFG_GET_PRESCALER(x)    ((x) & 0xFF)
+#define MCT_CFG_GET_DIVIDER(x)      (1 << ((x) >> 8 & 7))
+
+#define GET_G_COMP_IDX(offset)          (((offset) - G_COMP0_L) / 0x10)
+#define GET_G_COMP_ADD_INCR_IDX(offset) (((offset) - G_COMP0_ADD_INCR) / 0x10)
+
+#define G_COMP_L(x) (G_COMP0_L + (x) * 0x10)
+#define G_COMP_U(x) (G_COMP0_U + (x) * 0x10)
+
+#define G_COMP_ADD_INCR(x)  (G_COMP0_ADD_INCR + (x) * 0x10)
+
+/* MCT bits */
+#define G_TCON_COMP_ENABLE(x)   (1 << 2 * (x))
+#define G_TCON_AUTO_ICREMENT(x) (1 << (2 * (x) + 1))
+#define G_TCON_TIMER_ENABLE     (1 << 8)
+
+#define G_INT_ENABLE(x)         (1 << (x))
+#define G_INT_CSTAT_COMP(x)     (1 << (x))
+
+#define G_CNT_WSTAT_L           1
+#define G_CNT_WSTAT_U           2
+
+#define G_WSTAT_COMP_L(x)       (1 << 4 * (x))
+#define G_WSTAT_COMP_U(x)       (1 << ((4 * (x)) + 1))
+#define G_WSTAT_COMP_ADDINCR(x) (1 << ((4 * (x)) + 2))
+#define G_WSTAT_TCON_WRITE      (1 << 16)
+
+#define GET_L_TIMER_IDX(offset) ((((offset) & 0xF00) - L0_TCNTB) / 0x100)
+#define GET_L_TIMER_CNT_REG_IDX(offset, lt_i) \
+        (((offset) - (L0_TCNTB + 0x100 * (lt_i))) >> 2)
+
+#define L_ICNTB_MANUAL_UPDATE   (1 << 31)
+
+#define L_TCON_TICK_START       (1)
+#define L_TCON_INT_START        (1 << 1)
+#define L_TCON_INTERVAL_MODE    (1 << 2)
+#define L_TCON_FRC_START        (1 << 3)
+
+#define L_INT_CSTAT_INTCNT      (1 << 0)
+#define L_INT_CSTAT_FRCCNT      (1 << 1)
+
+#define L_INT_INTENB_ICNTEIE    (1 << 0)
+#define L_INT_INTENB_FRCEIE     (1 << 1)
+
+#define L_WSTAT_TCNTB_WRITE     (1 << 0)
+#define L_WSTAT_ICNTB_WRITE     (1 << 1)
+#define L_WSTAT_FRCCNTB_WRITE   (1 << 2)
+#define L_WSTAT_TCON_WRITE      (1 << 3)
+
+enum LocalTimerRegCntIndexes {
+    L_REG_CNT_TCNTB,
+    L_REG_CNT_TCNTO,
+    L_REG_CNT_ICNTB,
+    L_REG_CNT_ICNTO,
+    L_REG_CNT_FRCCNTB,
+    L_REG_CNT_FRCCNTO,
+
+    L_REG_CNT_AMOUNT
+};
+
+#define MCT_NIRQ                6
+#define MCT_SFR_SIZE            0x444
+
+#define MCT_GT_CMP_NUM          4
+
+#define MCT_GT_MAX_VAL          UINT64_MAX
+
+#define MCT_GT_COUNTER_STEP     0x100000000ULL
+#define MCT_LT_COUNTER_STEP     0x100000000ULL
+#define MCT_LT_CNT_LOW_LIMIT    0x100
+
+/* global timer */
+typedef struct {
+    qemu_irq  irq[MCT_GT_CMP_NUM];
+
+    struct gregs {
+        uint64_t cnt;
+        uint32_t cnt_wstat;
+        uint32_t tcon;
+        uint32_t int_cstat;
+        uint32_t int_enb;
+        uint32_t wstat;
+        uint64_t comp[MCT_GT_CMP_NUM];
+        uint32_t comp_add_incr[MCT_GT_CMP_NUM];
+    } reg;
+
+    uint64_t count;            /* Value FRC was armed with */
+    int32_t curr_comp;             /* Current comparator FRC is running to */
+
+    ptimer_state *ptimer_frc;                   /* FRC timer */
+
+} Exynos4210MCTGT;
+
+/* local timer */
+typedef struct {
+    int         id;             /* timer id */
+    qemu_irq    irq;            /* local timer irq */
+
+    struct tick_timer {
+        uint32_t cnt_run;           /* cnt timer is running */
+        uint32_t int_run;           /* int timer is running */
+
+        uint32_t last_icnto;
+        uint32_t last_tcnto;
+        uint32_t tcntb;             /* initial value for TCNTB */
+        uint32_t icntb;             /* initial value for ICNTB */
+
+        /* for step mode */
+        uint64_t    distance;       /* distance to count to the next event */
+        uint64_t    progress;       /* progress when counting by steps */
+        uint64_t    count;          /* count to arm timer with */
+
+        ptimer_state *ptimer_tick;  /* timer for tick counter */
+    } tick_timer;
+
+    /* use ptimer.c to represent count down timer */
+
+    ptimer_state *ptimer_frc;   /* timer for free running counter */
+
+    /* registers */
+    struct lregs {
+        uint32_t    cnt[L_REG_CNT_AMOUNT];
+        uint32_t    tcon;
+        uint32_t    int_cstat;
+        uint32_t    int_enb;
+        uint32_t    wstat;
+    } reg;
+
+} Exynos4210MCTLT;
+
+typedef struct Exynos4210MCTState {
+    SysBusDevice busdev;
+    MemoryRegion iomem;
+
+    /* Registers */
+    uint32_t    reg_mct_cfg;
+
+    Exynos4210MCTLT l_timer[2];
+    Exynos4210MCTGT g_timer;
+
+    uint32_t    freq;                   /* all timers tick frequency, TCLK */
+} Exynos4210MCTState;
+
+/*** VMState ***/
+static const VMStateDescription vmstate_tick_timer = {
+    .name = "exynos4210.mct.tick_timer",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(cnt_run, struct tick_timer),
+        VMSTATE_UINT32(int_run, struct tick_timer),
+        VMSTATE_UINT32(last_icnto, struct tick_timer),
+        VMSTATE_UINT32(last_tcnto, struct tick_timer),
+        VMSTATE_UINT32(tcntb, struct tick_timer),
+        VMSTATE_UINT32(icntb, struct tick_timer),
+        VMSTATE_UINT64(distance, struct tick_timer),
+        VMSTATE_UINT64(progress, struct tick_timer),
+        VMSTATE_UINT64(count, struct tick_timer),
+        VMSTATE_PTIMER(ptimer_tick, struct tick_timer),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_lregs = {
+    .name = "exynos4210.mct.lregs",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(cnt, struct lregs, L_REG_CNT_AMOUNT),
+        VMSTATE_UINT32(tcon, struct lregs),
+        VMSTATE_UINT32(int_cstat, struct lregs),
+        VMSTATE_UINT32(int_enb, struct lregs),
+        VMSTATE_UINT32(wstat, struct lregs),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_exynos4210_mct_lt = {
+    .name = "exynos4210.mct.lt",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_INT32(id, Exynos4210MCTLT),
+        VMSTATE_STRUCT(tick_timer, Exynos4210MCTLT, 0,
+                vmstate_tick_timer,
+                struct tick_timer),
+        VMSTATE_PTIMER(ptimer_frc, Exynos4210MCTLT),
+        VMSTATE_STRUCT(reg, Exynos4210MCTLT, 0,
+                vmstate_lregs,
+                struct lregs),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_gregs = {
+    .name = "exynos4210.mct.lregs",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT64(cnt, struct gregs),
+        VMSTATE_UINT32(cnt_wstat, struct gregs),
+        VMSTATE_UINT32(tcon, struct gregs),
+        VMSTATE_UINT32(int_cstat, struct gregs),
+        VMSTATE_UINT32(int_enb, struct gregs),
+        VMSTATE_UINT32(wstat, struct gregs),
+        VMSTATE_UINT64_ARRAY(comp, struct gregs, MCT_GT_CMP_NUM),
+        VMSTATE_UINT32_ARRAY(comp_add_incr, struct gregs,
+                MCT_GT_CMP_NUM),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_exynos4210_mct_gt = {
+    .name = "exynos4210.mct.lt",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT(reg, Exynos4210MCTGT, 0, vmstate_gregs,
+                struct gregs),
+        VMSTATE_UINT64(count, Exynos4210MCTGT),
+        VMSTATE_INT32(curr_comp, Exynos4210MCTGT),
+        VMSTATE_PTIMER(ptimer_frc, Exynos4210MCTGT),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_exynos4210_mct_state = {
+    .name = "exynos4210.mct",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(reg_mct_cfg, Exynos4210MCTState),
+        VMSTATE_STRUCT_ARRAY(l_timer, Exynos4210MCTState, 2, 0,
+            vmstate_exynos4210_mct_lt, Exynos4210MCTLT),
+        VMSTATE_STRUCT(g_timer, Exynos4210MCTState, 0,
+            vmstate_exynos4210_mct_gt, Exynos4210MCTGT),
+        VMSTATE_UINT32(freq, Exynos4210MCTState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void exynos4210_mct_update_freq(Exynos4210MCTState *s);
+
+/*
+ * Set counter of FRC global timer.
+ */
+static void exynos4210_gfrc_set_count(Exynos4210MCTGT *s, uint64_t count)
+{
+    s->count = count;
+    DPRINTF("global timer frc set count 0x%llx\n", count);
+    ptimer_set_count(s->ptimer_frc, count);
+}
+
+/*
+ * Get counter of FRC global timer.
+ */
+static uint64_t exynos4210_gfrc_get_count(Exynos4210MCTGT *s)
+{
+    uint64_t count = 0;
+    count = ptimer_get_count(s->ptimer_frc);
+    if (!count) {
+        /* Timer event was generated and s->reg.cnt holds adequate value */
+        return s->reg.cnt;
+    }
+    count = s->count - count;
+    return s->reg.cnt + count;
+}
+
+/*
+ * Stop global FRC timer
+ */
+static void exynos4210_gfrc_stop(Exynos4210MCTGT *s)
+{
+    DPRINTF("global timer frc stop\n");
+
+    ptimer_stop(s->ptimer_frc);
+}
+
+/*
+ * Start global FRC timer
+ */
+static void exynos4210_gfrc_start(Exynos4210MCTGT *s)
+{
+    DPRINTF("global timer frc start\n");
+
+    ptimer_run(s->ptimer_frc, 1);
+}
+
+/*
+ * Find next nearest Comparator. If current Comparator value equals to other
+ * Comparator value, skip them both
+ */
+static int32_t exynos4210_gcomp_find(Exynos4210MCTState *s)
+{
+    int res;
+    int i;
+    int enabled;
+    uint64_t min;
+    int min_comp_i;
+    uint64_t gfrc;
+    uint64_t distance;
+    uint64_t distance_min;
+    int comp_i;
+
+    /* get gfrc count */
+    gfrc = exynos4210_gfrc_get_count(&s->g_timer);
+
+    min = UINT64_MAX;
+    distance_min = UINT64_MAX;
+    comp_i = MCT_GT_CMP_NUM;
+    min_comp_i = MCT_GT_CMP_NUM;
+    enabled = 0;
+
+    /* lookup for nearest comparator */
+    for (i = 0; i < MCT_GT_CMP_NUM; i++) {
+
+        if (s->g_timer.reg.tcon & G_TCON_COMP_ENABLE(i)) {
+
+            enabled = 1;
+
+            if (s->g_timer.reg.comp[i] > gfrc) {
+                /* Comparator is upper then FRC */
+                distance = s->g_timer.reg.comp[i] - gfrc;
+
+                if (distance <= distance_min) {
+                    distance_min = distance;
+                    comp_i = i;
+                }
+            } else {
+                /* Comparator is below FRC, find the smallest */
+
+                if (s->g_timer.reg.comp[i] <= min) {
+                    min = s->g_timer.reg.comp[i];
+                    min_comp_i = i;
+                }
+            }
+        }
+    }
+
+    if (!enabled) {
+        /* All Comparators disabled */
+        res = -1;
+    } else if (comp_i < MCT_GT_CMP_NUM) {
+        /* Found upper Comparator */
+        res = comp_i;
+    } else {
+        /* All Comparators are below or equal to FRC  */
+        res = min_comp_i;
+    }
+
+    DPRINTF("found comparator %d: comp 0x%llx distance 0x%llx, gfrc 0x%llx\n",
+            res,
+            s->g_timer.reg.comp[res],
+            distance_min,
+            gfrc);
+
+    return res;
+}
+
+/*
+ * Get distance to nearest Comparator
+ */
+static uint64_t exynos4210_gcomp_get_distance(Exynos4210MCTState *s, int32_t id)
+{
+    if (id == -1) {
+        /* no enabled Comparators, choose max distance */
+        return MCT_GT_COUNTER_STEP;
+    }
+    if (s->g_timer.reg.comp[id] - s->g_timer.reg.cnt < MCT_GT_COUNTER_STEP) {
+        return s->g_timer.reg.comp[id] - s->g_timer.reg.cnt;
+    } else {
+        return MCT_GT_COUNTER_STEP;
+    }
+}
+
+/*
+ * Restart global FRC timer
+ */
+static void exynos4210_gfrc_restart(Exynos4210MCTState *s)
+{
+    uint64_t distance;
+
+    exynos4210_gfrc_stop(&s->g_timer);
+
+    s->g_timer.curr_comp = exynos4210_gcomp_find(s);
+
+    distance = exynos4210_gcomp_get_distance(s, s->g_timer.curr_comp);
+
+    if (distance > MCT_GT_COUNTER_STEP || !distance) {
+        distance = MCT_GT_COUNTER_STEP;
+    }
+
+    exynos4210_gfrc_set_count(&s->g_timer, distance);
+    exynos4210_gfrc_start(&s->g_timer);
+}
+
+/*
+ * Raise global timer CMP IRQ
+ */
+static void exynos4210_gcomp_raise_irq(void *opaque, uint32_t id)
+{
+    Exynos4210MCTGT *s = opaque;
+
+    /* If CSTAT is pending and IRQ is enabled */
+    if ((s->reg.int_cstat & G_INT_CSTAT_COMP(id)) &&
+            (s->reg.int_enb & G_INT_ENABLE(id))) {
+        DPRINTF("gcmp timer[%d] IRQ\n", id);
+        qemu_irq_raise(s->irq[id]);
+    }
+}
+
+/*
+ * Lower global timer CMP IRQ
+ */
+static void exynos4210_gcomp_lower_irq(void *opaque, uint32_t id)
+{
+    Exynos4210MCTGT *s = opaque;
+    qemu_irq_lower(s->irq[id]);
+}
+
+/*
+ * Global timer FRC event handler.
+ * Each event occurs when internal counter reaches counter + MCT_GT_COUNTER_STEP
+ * Every time we arm global FRC timer to count for MCT_GT_COUNTER_STEP value
+ */
+static void exynos4210_gfrc_event(void *opaque)
+{
+    Exynos4210MCTState *s = (Exynos4210MCTState *)opaque;
+    int i;
+    uint64_t distance;
+
+    DPRINTF("\n");
+
+    s->g_timer.reg.cnt += s->g_timer.count;
+
+    /* Process all comparators */
+    for (i = 0; i < MCT_GT_CMP_NUM; i++) {
+
+        if (s->g_timer.reg.cnt == s->g_timer.reg.comp[i]) {
+            /* reached nearest comparator */
+
+            s->g_timer.reg.int_cstat |= G_INT_CSTAT_COMP(i);
+
+            /* Auto increment */
+            if (s->g_timer.reg.tcon & G_TCON_AUTO_ICREMENT(i)) {
+                s->g_timer.reg.comp[i] += s->g_timer.reg.comp_add_incr[i];
+            }
+
+            /* IRQ */
+            exynos4210_gcomp_raise_irq(&s->g_timer, i);
+        }
+    }
+
+    /* Reload FRC to reach nearest comparator */
+    s->g_timer.curr_comp = exynos4210_gcomp_find(s);
+    distance = exynos4210_gcomp_get_distance(s, s->g_timer.curr_comp);
+    if (distance > MCT_GT_COUNTER_STEP) {
+        distance = MCT_GT_COUNTER_STEP;
+    }
+    exynos4210_gfrc_set_count(&s->g_timer, distance);
+
+    exynos4210_gfrc_start(&s->g_timer);
+
+    return;
+}
+
+/*
+ * Get counter of FRC local timer.
+ */
+static uint64_t exynos4210_lfrc_get_count(Exynos4210MCTLT *s)
+{
+    return ptimer_get_count(s->ptimer_frc);
+}
+
+/*
+ * Set counter of FRC local timer.
+ */
+static void exynos4210_lfrc_update_count(Exynos4210MCTLT *s)
+{
+    if (!s->reg.cnt[L_REG_CNT_FRCCNTB]) {
+        ptimer_set_count(s->ptimer_frc, MCT_LT_COUNTER_STEP);
+    } else {
+        ptimer_set_count(s->ptimer_frc, s->reg.cnt[L_REG_CNT_FRCCNTB]);
+    }
+}
+
+/*
+ * Start local FRC timer
+ */
+static void exynos4210_lfrc_start(Exynos4210MCTLT *s)
+{
+    ptimer_run(s->ptimer_frc, 1);
+}
+
+/*
+ * Stop local FRC timer
+ */
+static void exynos4210_lfrc_stop(Exynos4210MCTLT *s)
+{
+    ptimer_stop(s->ptimer_frc);
+}
+
+/*
+ * Local timer free running counter tick handler
+ */
+static void exynos4210_lfrc_event(void *opaque)
+{
+    Exynos4210MCTLT * s = (Exynos4210MCTLT *)opaque;
+
+    /* local frc expired */
+
+    DPRINTF("\n");
+
+    s->reg.int_cstat |= L_INT_CSTAT_FRCCNT;
+
+    /* update frc counter */
+    exynos4210_lfrc_update_count(s);
+
+    /* raise irq */
+    if (s->reg.int_enb & L_INT_INTENB_FRCEIE) {
+        qemu_irq_raise(s->irq);
+    }
+
+    /*  we reached here, this means that timer is enabled */
+    exynos4210_lfrc_start(s);
+}
+
+static uint32_t exynos4210_ltick_int_get_cnto(struct tick_timer *s);
+static uint32_t exynos4210_ltick_cnt_get_cnto(struct tick_timer *s);
+static void exynos4210_ltick_recalc_count(struct tick_timer *s);
+
+/*
+ * Action on enabling local tick int timer
+ */
+static void exynos4210_ltick_int_start(struct tick_timer *s)
+{
+    if (!s->int_run) {
+        s->int_run = 1;
+    }
+}
+
+/*
+ * Action on disabling local tick int timer
+ */
+static void exynos4210_ltick_int_stop(struct tick_timer *s)
+{
+    if (s->int_run) {
+        s->last_icnto = exynos4210_ltick_int_get_cnto(s);
+        s->int_run = 0;
+    }
+}
+
+/*
+ * Get count for INT timer
+ */
+static uint32_t exynos4210_ltick_int_get_cnto(struct tick_timer *s)
+{
+    uint32_t icnto;
+    uint64_t remain;
+    uint64_t count;
+    uint64_t counted;
+    uint64_t cur_progress;
+
+    count = ptimer_get_count(s->ptimer_tick);
+    if (count) {
+        /* timer is still counting, called not from event */
+        counted = s->count - ptimer_get_count(s->ptimer_tick);
+        cur_progress = s->progress + counted;
+    } else {
+        /* timer expired earlier */
+        cur_progress = s->progress;
+    }
+
+    remain = s->distance - cur_progress;
+
+    if (!s->int_run) {
+        /* INT is stopped. */
+        icnto = s->last_icnto;
+    } else {
+        /* Both are counting */
+        icnto = remain / s->tcntb;
+    }
+
+    return icnto;
+}
+
+/*
+ * Start local tick cnt timer.
+ */
+static void exynos4210_ltick_cnt_start(struct tick_timer *s)
+{
+    if (!s->cnt_run) {
+
+        exynos4210_ltick_recalc_count(s);
+        ptimer_set_count(s->ptimer_tick, s->count);
+        ptimer_run(s->ptimer_tick, 1);
+
+        s->cnt_run = 1;
+    }
+}
+
+/*
+ * Stop local tick cnt timer.
+ */
+static void exynos4210_ltick_cnt_stop(struct tick_timer *s)
+{
+    if (s->cnt_run) {
+
+        s->last_tcnto = exynos4210_ltick_cnt_get_cnto(s);
+
+        if (s->int_run) {
+            exynos4210_ltick_int_stop(s);
+        }
+
+        ptimer_stop(s->ptimer_tick);
+
+        s->cnt_run = 0;
+    }
+}
+
+/*
+ * Get counter for CNT timer
+ */
+static uint32_t exynos4210_ltick_cnt_get_cnto(struct tick_timer *s)
+{
+    uint32_t tcnto;
+    uint32_t icnto;
+    uint64_t remain;
+    uint64_t counted;
+    uint64_t count;
+    uint64_t cur_progress;
+
+    count = ptimer_get_count(s->ptimer_tick);
+    if (count) {
+        /* timer is still counting, called not from event */
+        counted = s->count - ptimer_get_count(s->ptimer_tick);
+        cur_progress = s->progress + counted;
+    } else {
+        /* timer expired earlier */
+        cur_progress = s->progress;
+    }
+
+    remain = s->distance - cur_progress;
+
+    if (!s->cnt_run) {
+        /* Both are stopped. */
+        tcnto = s->last_tcnto;
+    } else if (!s->int_run) {
+        /* INT counter is stopped, progress is by CNT timer */
+        tcnto = remain % s->tcntb;
+    } else {
+        /* Both are counting */
+        icnto = remain / s->tcntb;
+        if (icnto) {
+            tcnto = remain % (icnto * s->tcntb);
+        } else {
+            tcnto = remain % s->tcntb;
+        }
+    }
+
+    return tcnto;
+}
+
+/*
+ * Set new values of counters for CNT and INT timers
+ */
+static void exynos4210_ltick_set_cntb(struct tick_timer *s, uint32_t new_cnt,
+        uint32_t new_int)
+{
+    uint32_t cnt_stopped = 0;
+    uint32_t int_stopped = 0;
+
+    if (s->cnt_run) {
+        exynos4210_ltick_cnt_stop(s);
+        cnt_stopped = 1;
+    }
+
+    if (s->int_run) {
+        exynos4210_ltick_int_stop(s);
+        int_stopped = 1;
+    }
+
+    s->tcntb = new_cnt + 1;
+    s->icntb = new_int + 1;
+
+    if (cnt_stopped) {
+        exynos4210_ltick_cnt_start(s);
+    }
+    if (int_stopped) {
+        exynos4210_ltick_int_start(s);
+    }
+
+}
+
+/*
+ * Calculate new counter value for tick timer
+ */
+static void exynos4210_ltick_recalc_count(struct tick_timer *s)
+{
+    uint64_t to_count;
+
+    if ((s->cnt_run && s->last_tcnto) || (s->int_run && s->last_icnto)) {
+        /*
+         * one or both timers run and not counted to the end;
+         * distance is not passed, recalculate with last_tcnto * last_icnto
+         */
+
+        if (s->last_tcnto) {
+            to_count = s->last_tcnto * s->last_icnto;
+        } else {
+            to_count = s->last_icnto;
+        }
+    } else {
+        /* distance is passed, recalculate with tcnto * icnto */
+        if (s->icntb) {
+            s->distance = s->tcntb * s->icntb;
+        } else {
+            s->distance = s->tcntb;
+        }
+
+        to_count = s->distance;
+        s->progress = 0;
+    }
+
+    if (to_count > MCT_LT_COUNTER_STEP) {
+        /* count by step */
+        s->count = MCT_LT_COUNTER_STEP;
+    } else {
+        s->count = to_count;
+    }
+}
+
+/*
+ * Initialize tick_timer
+ */
+static void exynos4210_ltick_timer_init(struct tick_timer *s)
+{
+    exynos4210_ltick_int_stop(s);
+    exynos4210_ltick_cnt_stop(s);
+
+    s->count = 0;
+    s->distance = 0;
+    s->progress = 0;
+    s->icntb = 0;
+    s->tcntb = 0;
+}
+
+/*
+ * tick_timer event.
+ * Raises when abstract tick_timer expires.
+ */
+static void exynos4210_ltick_timer_event(struct tick_timer *s)
+{
+    s->progress += s->count;
+}
+
+/*
+ * Local timer tick counter handler.
+ * Don't use reloaded timers. If timer counter = zero
+ * then handler called but after handler finished no
+ * timer reload occurs.
+ */
+static void exynos4210_ltick_event(void *opaque)
+{
+    Exynos4210MCTLT * s = (Exynos4210MCTLT *)opaque;
+    uint32_t tcnto;
+    uint32_t icnto;
+#ifdef DEBUG_MCT
+    static uint64_t time1[2] = {0};
+    static uint64_t time2[2] = {0};
+#endif
+
+    /* Call tick_timer event handler, it will update it's tcntb and icntb */
+    exynos4210_ltick_timer_event(&s->tick_timer);
+
+    /* get tick_timer cnt */
+    tcnto = exynos4210_ltick_cnt_get_cnto(&s->tick_timer);
+
+    /* get tick_timer int */
+    icnto = exynos4210_ltick_int_get_cnto(&s->tick_timer);
+
+    /* raise IRQ if needed */
+    if (!icnto && s->reg.tcon & L_TCON_INT_START) {
+        /* INT counter enabled and expired */
+
+        s->reg.int_cstat |= L_INT_CSTAT_INTCNT;
+
+        /* raise interrupt if enabled */
+        if (s->reg.int_enb & L_INT_INTENB_ICNTEIE) {
+#ifdef DEBUG_MCT
+            time2[s->id] = qemu_get_clock_ns(vm_clock);
+            DPRINTF("local timer[%d] IRQ: %llx\n", s->id,
+                    time2[s->id] - time1[s->id]);
+            time1[s->id] = time2[s->id];
+#endif
+            qemu_irq_raise(s->irq);
+        }
+
+        /* reload ICNTB */
+        if (s->reg.tcon & L_TCON_INTERVAL_MODE) {
+            exynos4210_ltick_set_cntb(&s->tick_timer,
+                    s->reg.cnt[L_REG_CNT_TCNTB],
+                    s->reg.cnt[L_REG_CNT_ICNTB]);
+        }
+    } else {
+        /* reload TCNTB */
+        if (!tcnto) {
+            exynos4210_ltick_set_cntb(&s->tick_timer,
+                    s->reg.cnt[L_REG_CNT_TCNTB],
+                    icnto);
+        }
+    }
+
+    /* start tick_timer cnt */
+    exynos4210_ltick_cnt_start(&s->tick_timer);
+
+    /* start tick_timer int */
+    exynos4210_ltick_int_start(&s->tick_timer);
+}
+
+/* update timer frequency */
+static void exynos4210_mct_update_freq(Exynos4210MCTState *s)
+{
+    uint32_t freq = s->freq;
+    s->freq = 24000000 /
+            ((MCT_CFG_GET_PRESCALER(s->reg_mct_cfg)+1) *
+                    MCT_CFG_GET_DIVIDER(s->reg_mct_cfg));
+
+    if (freq != s->freq) {
+        DPRINTF("freq=%dHz\n", s->freq);
+
+        /* global timer */
+        ptimer_set_freq(s->g_timer.ptimer_frc, s->freq);
+
+        /* local timer */
+        ptimer_set_freq(s->l_timer[0].tick_timer.ptimer_tick, s->freq);
+        ptimer_set_freq(s->l_timer[0].ptimer_frc, s->freq);
+        ptimer_set_freq(s->l_timer[1].tick_timer.ptimer_tick, s->freq);
+        ptimer_set_freq(s->l_timer[1].ptimer_frc, s->freq);
+    }
+}
+
+/* set defaul_timer values for all fields */
+static void exynos4210_mct_reset(DeviceState *d)
+{
+    Exynos4210MCTState *s = (Exynos4210MCTState *)d;
+    uint32_t i;
+
+    s->reg_mct_cfg = 0;
+
+    /* global timer */
+    memset(&s->g_timer.reg, 0, sizeof(s->g_timer.reg));
+    exynos4210_gfrc_stop(&s->g_timer);
+
+    /* local timer */
+    memset(s->l_timer[0].reg.cnt, 0, sizeof(s->l_timer[0].reg.cnt));
+    memset(s->l_timer[1].reg.cnt, 0, sizeof(s->l_timer[1].reg.cnt));
+    for (i = 0; i < 2; i++) {
+        s->l_timer[i].reg.int_cstat = 0;
+        s->l_timer[i].reg.int_enb = 0;
+        s->l_timer[i].reg.tcon = 0;
+        s->l_timer[i].reg.wstat = 0;
+        s->l_timer[i].tick_timer.count = 0;
+        s->l_timer[i].tick_timer.distance = 0;
+        s->l_timer[i].tick_timer.progress = 0;
+        ptimer_stop(s->l_timer[i].ptimer_frc);
+
+        exynos4210_ltick_timer_init(&s->l_timer[i].tick_timer);
+    }
+
+    exynos4210_mct_update_freq(s);
+
+}
+
+/* Multi Core Timer read */
+static uint64_t exynos4210_mct_read(void *opaque, target_phys_addr_t offset,
+        unsigned size)
+{
+    Exynos4210MCTState *s = (Exynos4210MCTState *)opaque;
+    int index;
+    int shift;
+    uint64_t count;
+    uint32_t value;
+    int lt_i;
+
+    switch (offset) {
+
+    case MCT_CFG:
+        value = s->reg_mct_cfg;
+        break;
+
+    case G_CNT_L: case G_CNT_U:
+        shift = 8 * (offset & 0x4);
+        count = exynos4210_gfrc_get_count(&s->g_timer);
+        value = UINT32_MAX & (count >> shift);
+        DPRINTF("read FRC=0x%llx\n", count);
+        break;
+
+    case G_CNT_WSTAT:
+        value = s->g_timer.reg.cnt_wstat;
+        break;
+
+    case G_COMP_L(0): case G_COMP_L(1): case G_COMP_L(2): case G_COMP_L(3):
+    case G_COMP_U(0): case G_COMP_U(1): case G_COMP_U(2): case G_COMP_U(3):
+    index = GET_G_COMP_IDX(offset);
+    shift = 8 * (offset & 0x4);
+    value = UINT32_MAX & (s->g_timer.reg.comp[index] >> shift);
+    break;
+
+    case G_TCON:
+        value = s->g_timer.reg.tcon;
+        break;
+
+    case G_INT_CSTAT:
+        value = s->g_timer.reg.int_cstat;
+        break;
+
+    case G_INT_ENB:
+        value = s->g_timer.reg.int_enb;
+        break;
+        break;
+    case G_WSTAT:
+        value = s->g_timer.reg.wstat;
+        break;
+
+    case G_COMP0_ADD_INCR: case G_COMP1_ADD_INCR:
+    case G_COMP2_ADD_INCR: case G_COMP3_ADD_INCR:
+        value = s->g_timer.reg.comp_add_incr[GET_G_COMP_ADD_INCR_IDX(offset)];
+        break;
+
+        /* Local timers */
+    case L0_TCNTB: case L0_ICNTB: case L0_FRCNTB:
+    case L1_TCNTB: case L1_ICNTB: case L1_FRCNTB:
+        lt_i = GET_L_TIMER_IDX(offset);
+        index = GET_L_TIMER_CNT_REG_IDX(offset, lt_i);
+        value = s->l_timer[lt_i].reg.cnt[index];
+        break;
+
+    case L0_TCNTO: case L1_TCNTO:
+        lt_i = GET_L_TIMER_IDX(offset);
+
+        value = exynos4210_ltick_cnt_get_cnto(&s->l_timer[lt_i].tick_timer);
+        DPRINTF("local timer[%d] read TCNTO %x\n", lt_i, value);
+        break;
+
+    case L0_ICNTO: case L1_ICNTO:
+        lt_i = GET_L_TIMER_IDX(offset);
+
+        value = exynos4210_ltick_int_get_cnto(&s->l_timer[lt_i].tick_timer);
+        DPRINTF("local timer[%d] read ICNTO %x\n", lt_i, value);
+        break;
+
+    case L0_FRCNTO: case L1_FRCNTO:
+        lt_i = GET_L_TIMER_IDX(offset);
+
+        value = exynos4210_lfrc_get_count(&s->l_timer[lt_i]);
+
+        break;
+
+    case L0_TCON: case L1_TCON:
+        lt_i = ((offset & 0xF00) - L0_TCNTB) / 0x100;
+        value = s->l_timer[lt_i].reg.tcon;
+        break;
+
+    case L0_INT_CSTAT: case L1_INT_CSTAT:
+        lt_i = ((offset & 0xF00) - L0_TCNTB) / 0x100;
+        value = s->l_timer[lt_i].reg.int_cstat;
+        break;
+
+    case L0_INT_ENB: case L1_INT_ENB:
+        lt_i = ((offset & 0xF00) - L0_TCNTB) / 0x100;
+        value = s->l_timer[lt_i].reg.int_enb;
+        break;
+
+    case L0_WSTAT: case L1_WSTAT:
+        lt_i = ((offset & 0xF00) - L0_TCNTB) / 0x100;
+        value = s->l_timer[lt_i].reg.wstat;
+        break;
+
+    default:
+        hw_error("exynos4210.mct: bad read offset "
+                TARGET_FMT_plx "\n", offset);
+        break;
+    }
+    return value;
+}
+
+/* MCT write */
+static void exynos4210_mct_write(void *opaque, target_phys_addr_t offset,
+        uint64_t value, unsigned size)
+{
+    Exynos4210MCTState *s = (Exynos4210MCTState *)opaque;
+    int index;  /* index in buffer which represents register set */
+    int shift;
+    int lt_i;
+    uint64_t new_frc;
+    uint32_t i;
+    uint32_t old_val;
+#ifdef DEBUG_MCT
+    static uint32_t icntb_max[2] = {0};
+    static uint32_t icntb_min[2] = {UINT32_MAX, UINT32_MAX};
+    static uint32_t tcntb_max[2] = {0};
+    static uint32_t tcntb_min[2] = {UINT32_MAX, UINT32_MAX};
+#endif
+
+    new_frc = s->g_timer.reg.cnt;
+
+    switch (offset) {
+
+    case MCT_CFG:
+        s->reg_mct_cfg = value;
+        exynos4210_mct_update_freq(s);
+        break;
+
+    case G_CNT_L:
+    case G_CNT_U:
+        if (offset == G_CNT_L) {
+
+            DPRINTF("global timer write to reg.cntl %llx\n", value);
+
+            new_frc = (s->g_timer.reg.cnt & (uint64_t)UINT32_MAX << 32) + value;
+            s->g_timer.reg.cnt_wstat |= G_CNT_WSTAT_L;
+        }
+        if (offset == G_CNT_U) {
+
+            DPRINTF("global timer write to reg.cntu %llx\n", value);
+
+            new_frc = (s->g_timer.reg.cnt & UINT32_MAX) +
+                    ((uint64_t)value << 32);
+            s->g_timer.reg.cnt_wstat |= G_CNT_WSTAT_U;
+        }
+
+        s->g_timer.reg.cnt = new_frc;
+        exynos4210_gfrc_restart(s);
+        break;
+
+    case G_CNT_WSTAT:
+        s->g_timer.reg.cnt_wstat &= ~(value);
+        break;
+
+    case G_COMP_L(0): case G_COMP_L(1): case G_COMP_L(2): case G_COMP_L(3):
+    case G_COMP_U(0): case G_COMP_U(1): case G_COMP_U(2): case G_COMP_U(3):
+    index = GET_G_COMP_IDX(offset);
+    shift = 8 * (offset & 0x4);
+    s->g_timer.reg.comp[index] =
+            (s->g_timer.reg.comp[index] &
+            (((uint64_t)UINT32_MAX << 32) >> shift)) +
+            (value << shift);
+
+    DPRINTF("comparator %d write 0x%llx val << %d\n", index, value, shift);
+
+    if (offset&0x4) {
+        s->g_timer.reg.wstat |= G_WSTAT_COMP_U(index);
+    } else {
+        s->g_timer.reg.wstat |= G_WSTAT_COMP_L(index);
+    }
+
+    exynos4210_gfrc_restart(s);
+    break;
+
+    case G_TCON:
+        old_val = s->g_timer.reg.tcon;
+        s->g_timer.reg.tcon = value;
+        s->g_timer.reg.wstat |= G_WSTAT_TCON_WRITE;
+
+        DPRINTF("global timer write to reg.g_tcon %llx\n", value);
+
+        /* Start FRC if transition from disabled to enabled */
+        if ((value & G_TCON_TIMER_ENABLE) > (old_val &
+                G_TCON_TIMER_ENABLE)) {
+            exynos4210_gfrc_start(&s->g_timer);
+        }
+        if ((value & G_TCON_TIMER_ENABLE) < (old_val &
+                G_TCON_TIMER_ENABLE)) {
+            exynos4210_gfrc_stop(&s->g_timer);
+        }
+
+        /* Start CMP if transition from disabled to enabled */
+        for (i = 0; i < MCT_GT_CMP_NUM; i++) {
+            if ((value & G_TCON_COMP_ENABLE(i)) != (old_val &
+                    G_TCON_COMP_ENABLE(i))) {
+                exynos4210_gfrc_restart(s);
+            }
+        }
+        break;
+
+    case G_INT_CSTAT:
+        s->g_timer.reg.int_cstat &= ~(value);
+        for (i = 0; i < MCT_GT_CMP_NUM; i++) {
+            if (value & G_INT_CSTAT_COMP(i)) {
+                exynos4210_gcomp_lower_irq(&s->g_timer, i);
+            }
+        }
+        break;
+
+    case G_INT_ENB:
+
+        /* Raise IRQ if transition from disabled to enabled and CSTAT pending */
+        for (i = 0; i < MCT_GT_CMP_NUM; i++) {
+            if ((value & G_INT_ENABLE(i)) > (s->g_timer.reg.tcon &
+                    G_INT_ENABLE(i))) {
+                if (s->g_timer.reg.int_cstat & G_INT_CSTAT_COMP(i)) {
+                    exynos4210_gcomp_raise_irq(&s->g_timer, i);
+                }
+            }
+
+            if ((value & G_INT_ENABLE(i)) < (s->g_timer.reg.tcon &
+                    G_INT_ENABLE(i))) {
+                exynos4210_gcomp_lower_irq(&s->g_timer, i);
+            }
+        }
+
+        DPRINTF("global timer INT enable %llx\n", value);
+        s->g_timer.reg.int_enb = value;
+        break;
+
+    case G_WSTAT:
+        s->g_timer.reg.wstat &= ~(value);
+        break;
+
+    case G_COMP0_ADD_INCR: case G_COMP1_ADD_INCR:
+    case G_COMP2_ADD_INCR: case G_COMP3_ADD_INCR:
+        index = GET_G_COMP_ADD_INCR_IDX(offset);
+        s->g_timer.reg.comp_add_incr[index] = value;
+        s->g_timer.reg.wstat |= G_WSTAT_COMP_ADDINCR(index);
+        break;
+
+        /* Local timers */
+    case L0_TCON: case L1_TCON:
+        lt_i = GET_L_TIMER_IDX(offset);
+        old_val = s->l_timer[lt_i].reg.tcon;
+
+        s->l_timer[lt_i].reg.wstat |= L_WSTAT_TCON_WRITE;
+        s->l_timer[lt_i].reg.tcon = value;
+
+        /* Stop local CNT */
+        if ((value & L_TCON_TICK_START) <
+                (old_val & L_TCON_TICK_START)) {
+            DPRINTF("local timer[%d] stop cnt\n", lt_i);
+            exynos4210_ltick_cnt_stop(&s->l_timer[lt_i].tick_timer);
+        }
+
+        /* Stop local INT */
+        if ((value & L_TCON_INT_START) <
+                (old_val & L_TCON_INT_START)) {
+            DPRINTF("local timer[%d] stop int\n", lt_i);
+            exynos4210_ltick_int_stop(&s->l_timer[lt_i].tick_timer);
+        }
+
+        /* Start local CNT */
+        if ((value & L_TCON_TICK_START) >
+        (old_val & L_TCON_TICK_START)) {
+            DPRINTF("local timer[%d] start cnt\n", lt_i);
+            exynos4210_ltick_cnt_start(&s->l_timer[lt_i].tick_timer);
+        }
+
+        /* Start local INT */
+        if ((value & L_TCON_INT_START) >
+        (old_val & L_TCON_INT_START)) {
+            DPRINTF("local timer[%d] start int\n", lt_i);
+            exynos4210_ltick_int_start(&s->l_timer[lt_i].tick_timer);
+        }
+
+        /* Start or Stop local FRC if TCON changed */
+        if ((value & L_TCON_FRC_START) >
+        (s->l_timer[lt_i].reg.tcon & L_TCON_FRC_START)) {
+            DPRINTF("local timer[%d] start frc\n", lt_i);
+            exynos4210_lfrc_start(&s->l_timer[lt_i]);
+        }
+        if ((value & L_TCON_FRC_START) <
+                (s->l_timer[lt_i].reg.tcon & L_TCON_FRC_START)) {
+            DPRINTF("local timer[%d] stop frc\n", lt_i);
+            exynos4210_lfrc_stop(&s->l_timer[lt_i]);
+        }
+        break;
+
+    case L0_TCNTB: case L1_TCNTB:
+
+        lt_i = GET_L_TIMER_IDX(offset);
+        index = GET_L_TIMER_CNT_REG_IDX(offset, lt_i);
+
+        /*
+         * TCNTB is updated to internal register only after CNT expired.
+         * Due to this we should reload timer to nearest moment when CNT is
+         * expired and then in event handler update tcntb to new TCNTB value.
+         */
+        exynos4210_ltick_set_cntb(&s->l_timer[lt_i].tick_timer, value,
+                s->l_timer[lt_i].tick_timer.icntb);
+
+        s->l_timer[lt_i].reg.wstat |= L_WSTAT_TCNTB_WRITE;
+        s->l_timer[lt_i].reg.cnt[L_REG_CNT_TCNTB] = value;
+
+#ifdef DEBUG_MCT
+        if (tcntb_min[lt_i] > value) {
+            tcntb_min[lt_i] = value;
+        }
+        if (tcntb_max[lt_i] < value) {
+            tcntb_max[lt_i] = value;
+        }
+        DPRINTF("local timer[%d] TCNTB write %llx; max=%x, min=%x\n",
+                lt_i, value, tcntb_max[lt_i], tcntb_min[lt_i]);
+#endif
+        break;
+
+    case L0_ICNTB: case L1_ICNTB:
+
+        lt_i = GET_L_TIMER_IDX(offset);
+        index = GET_L_TIMER_CNT_REG_IDX(offset, lt_i);
+
+        s->l_timer[lt_i].reg.wstat |= L_WSTAT_ICNTB_WRITE;
+        s->l_timer[lt_i].reg.cnt[L_REG_CNT_ICNTB] = value &
+                ~L_ICNTB_MANUAL_UPDATE;
+
+        /*
+         * We need to avoid too small values for TCNTB*ICNTB. If not, IRQ event
+         * could raise too fast disallowing QEMU to execute target code.
+         */
+        if (s->l_timer[lt_i].reg.cnt[L_REG_CNT_ICNTB] *
+            s->l_timer[lt_i].reg.cnt[L_REG_CNT_TCNTB] < MCT_LT_CNT_LOW_LIMIT) {
+            if (!s->l_timer[lt_i].reg.cnt[L_REG_CNT_TCNTB]) {
+                s->l_timer[lt_i].reg.cnt[L_REG_CNT_ICNTB] =
+                        MCT_LT_CNT_LOW_LIMIT;
+            } else {
+                s->l_timer[lt_i].reg.cnt[L_REG_CNT_ICNTB] =
+                        MCT_LT_CNT_LOW_LIMIT /
+                        s->l_timer[lt_i].reg.cnt[L_REG_CNT_TCNTB];
+            }
+        }
+
+        if (value & L_ICNTB_MANUAL_UPDATE) {
+            exynos4210_ltick_set_cntb(&s->l_timer[lt_i].tick_timer,
+                    s->l_timer[lt_i].tick_timer.tcntb,
+                    s->l_timer[lt_i].reg.cnt[L_REG_CNT_ICNTB]);
+        }
+
+#ifdef DEBUG_MCT
+        if (icntb_min[lt_i] > value) {
+            icntb_min[lt_i] = value;
+        }
+        if (icntb_max[lt_i] < value) {
+            icntb_max[lt_i] = value;
+        }
+DPRINTF("local timer[%d] ICNTB write %llx; max=%x, min=%x\n\n",
+        lt_i, value, icntb_max[lt_i], icntb_min[lt_i]);
+#endif
+break;
+
+    case L0_FRCNTB: case L1_FRCNTB:
+
+        lt_i = GET_L_TIMER_IDX(offset);
+        index = GET_L_TIMER_CNT_REG_IDX(offset, lt_i);
+
+        DPRINTF("local timer[%d] FRCNTB write %llx\n", lt_i, value);
+
+        s->l_timer[lt_i].reg.wstat |= L_WSTAT_FRCCNTB_WRITE;
+        s->l_timer[lt_i].reg.cnt[L_REG_CNT_FRCCNTB] = value;
+
+        break;
+
+    case L0_TCNTO: case L1_TCNTO:
+    case L0_ICNTO: case L1_ICNTO:
+    case L0_FRCNTO: case L1_FRCNTO:
+        fprintf(stderr, "\n[exynos4210.mct: write to RO register "
+                TARGET_FMT_plx "]\n\n", offset);
+        break;
+
+    case L0_INT_CSTAT: case L1_INT_CSTAT:
+        lt_i = GET_L_TIMER_IDX(offset);
+
+        DPRINTF("local timer[%d] CSTAT write %llx\n", lt_i, value);
+
+        s->l_timer[lt_i].reg.int_cstat &= ~value;
+        if (!s->l_timer[lt_i].reg.int_cstat) {
+            qemu_irq_lower(s->l_timer[lt_i].irq);
+        }
+        break;
+
+    case L0_INT_ENB: case L1_INT_ENB:
+        lt_i = GET_L_TIMER_IDX(offset);
+        old_val = s->l_timer[lt_i].reg.int_enb;
+
+        /* Raise Local timer IRQ if cstat is pending */
+        if ((value & L_INT_INTENB_ICNTEIE) > (old_val & L_INT_INTENB_ICNTEIE)) {
+            if (s->l_timer[lt_i].reg.int_cstat & L_INT_CSTAT_INTCNT) {
+                qemu_irq_raise(s->l_timer[lt_i].irq);
+            }
+        }
+
+        s->l_timer[lt_i].reg.int_enb = value;
+
+        break;
+
+    case L0_WSTAT: case L1_WSTAT:
+        lt_i = GET_L_TIMER_IDX(offset);
+
+        s->l_timer[lt_i].reg.wstat &= ~value;
+        break;
+
+    default:
+        hw_error("exynos4210.mct: bad write offset "
+                TARGET_FMT_plx "\n", offset);
+        break;
+    }
+}
+
+static const MemoryRegionOps exynos4210_mct_ops = {
+    .read = exynos4210_mct_read,
+    .write = exynos4210_mct_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+/* MCT init */
+static int exynos4210_mct_init(SysBusDevice *dev)
+{
+    int i;
+    Exynos4210MCTState *s = FROM_SYSBUS(Exynos4210MCTState, dev);
+    QEMUBH *bh[2];
+
+    /* Global timer */
+    bh[0] = qemu_bh_new(exynos4210_gfrc_event, s);
+    s->g_timer.ptimer_frc = ptimer_init(bh[0]);
+    memset(&s->g_timer.reg, 0, sizeof(struct gregs));
+
+    /* Local timers */
+    for (i = 0; i < 2; i++) {
+        bh[0] = qemu_bh_new(exynos4210_ltick_event, &s->l_timer[i]);
+        bh[1] = qemu_bh_new(exynos4210_lfrc_event, &s->l_timer[i]);
+        s->l_timer[i].tick_timer.ptimer_tick = ptimer_init(bh[0]);
+        s->l_timer[i].ptimer_frc = ptimer_init(bh[1]);
+        s->l_timer[i].id = i;
+    }
+
+    /* IRQs */
+    for (i = 0; i < MCT_GT_CMP_NUM; i++) {
+        sysbus_init_irq(dev, &s->g_timer.irq[i]);
+    }
+    for (i = 0; i < 2; i++) {
+        sysbus_init_irq(dev, &s->l_timer[i].irq);
+    }
+
+    memory_region_init_io(&s->iomem, &exynos4210_mct_ops, s, "exynos4210-mct",
+            MCT_SFR_SIZE);
+    sysbus_init_mmio(dev, &s->iomem);
+
+    return 0;
+}
+
+static void exynos4210_mct_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_mct_init;
+    dc->reset = exynos4210_mct_reset;
+    dc->vmsd = &vmstate_exynos4210_mct_state;
+}
+
+static TypeInfo exynos4210_mct_info = {
+    .name          = "exynos4210.mct",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210MCTState),
+    .class_init    = exynos4210_mct_class_init,
+};
+
+static void exynos4210_mct_register_types(void)
+{
+    type_register_static(&exynos4210_mct_info);
+}
+
+type_init(exynos4210_mct_register_types)
commit df91b48f64075595e25a269befed5e4fe75501cb
Author: Maksim Kozlov <m.kozlov at samsung.com>
Date:   Thu Feb 16 09:56:05 2012 +0000

    ARM: exynos4210: basic Power Management Unit implementation
    
    Patch adds basic model for Exynos4210 SoC PMU.
    This model implements PMU registers just as a bulk of memory. Currently,
    the only reason this device exists is that secondary CPU boot loader
    uses PMU INFORM5 register as a holding pen.
    
    Signed-off-by: Maksim Kozlov <m.kozlov at samsung.com>
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index bbcee06..8a7b4d2 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -346,6 +346,7 @@ obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
 obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
 obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
+obj-arm-y += exynos4210_pmu.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.c b/hw/exynos4210.c
index 8ebe5df..f922f55 100644
--- a/hw/exynos4210.c
+++ b/hw/exynos4210.c
@@ -52,6 +52,9 @@
 #define EXYNOS4210_EXT_COMBINER_BASE_ADDR   0x10440000
 #define EXYNOS4210_INT_COMBINER_BASE_ADDR   0x10448000
 
+/* PMU SFR base address */
+#define EXYNOS4210_PMU_BASE_ADDR            0x10020000
+
 static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
                                     0x09, 0x00, 0x00, 0x00 };
 
@@ -202,6 +205,12 @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
     memory_region_add_subregion(system_mem, EXYNOS4210_DRAM0_BASE_ADDR,
             &s->dram0_mem);
 
+   /* PMU.
+    * The only reason of existence at the moment is that secondary CPU boot
+    * loader uses PMU INFORM5 register as a holding pen.
+    */
+    sysbus_create_simple("exynos4210.pmu", EXYNOS4210_PMU_BASE_ADDR, NULL);
+
     /* PWM */
     sysbus_create_varargs("exynos4210.pwm", EXYNOS4210_PWM_BASE_ADDR,
                           s->irq_table[exynos4210_get_irq(22, 0)],
diff --git a/hw/exynos4210_pmu.c b/hw/exynos4210_pmu.c
new file mode 100644
index 0000000..c12d750
--- /dev/null
+++ b/hw/exynos4210_pmu.c
@@ -0,0 +1,499 @@
+/*
+ *  Exynos4210 Power Management Unit (PMU) Emulation
+ *
+ *  Copyright (C) 2011 Samsung Electronics Co Ltd.
+ *    Maksim Kozlov <m.kozlov at samsung.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful, but WITHOUT
+ *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ *  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * This model implements PMU registers just as a bulk of memory. Currently,
+ * the only reason this device exists is that secondary CPU boot loader
+ * uses PMU INFORM5 register as a holding pen.
+ */
+
+#include "sysbus.h"
+
+#ifndef DEBUG_PMU
+#define DEBUG_PMU           0
+#endif
+
+#ifndef DEBUG_PMU_EXTEND
+#define DEBUG_PMU_EXTEND    0
+#endif
+
+#if DEBUG_PMU
+#define  PRINT_DEBUG(fmt, args...)  \
+        do { \
+            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
+        } while (0)
+
+#if DEBUG_PMU_EXTEND
+#define  PRINT_DEBUG_EXTEND(fmt, args...) \
+        do { \
+            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
+        } while (0)
+#else
+#define  PRINT_DEBUG_EXTEND(fmt, args...)  do {} while (0)
+#endif /* EXTEND */
+
+#else
+#define  PRINT_DEBUG(fmt, args...)   do {} while (0)
+#define  PRINT_DEBUG_EXTEND(fmt, args...)  do {} while (0)
+#endif
+
+/*
+ *  Offsets for PMU registers
+ */
+#define OM_STAT                  0x0000 /* OM status register */
+#define RTC_CLKO_SEL             0x000C /* Controls RTCCLKOUT */
+#define GNSS_RTC_OUT_CTRL        0x0010 /* Controls GNSS_RTC_OUT */
+/* Decides whether system-level low-power mode is used. */
+#define SYSTEM_POWER_DOWN_CTRL   0x0200
+/* Sets control options for CENTRAL_SEQ */
+#define SYSTEM_POWER_DOWN_OPTION 0x0208
+#define SWRESET                  0x0400 /* Generate software reset */
+#define RST_STAT                 0x0404 /* Reset status register */
+#define WAKEUP_STAT              0x0600 /* Wakeup status register  */
+#define EINT_WAKEUP_MASK         0x0604 /* Configure External INTerrupt mask */
+#define WAKEUP_MASK              0x0608 /* Configure wakeup source mask */
+#define HDMI_PHY_CONTROL         0x0700 /* HDMI PHY control register */
+#define USBDEVICE_PHY_CONTROL    0x0704 /* USB Device PHY control register */
+#define USBHOST_PHY_CONTROL      0x0708 /* USB HOST PHY control register */
+#define DAC_PHY_CONTROL          0x070C /* DAC control register  */
+#define MIPI_PHY0_CONTROL        0x0710 /* MIPI PHY control register */
+#define MIPI_PHY1_CONTROL        0x0714 /* MIPI PHY control register */
+#define ADC_PHY_CONTROL          0x0718 /* TS-ADC control register */
+#define PCIe_PHY_CONTROL         0x071C /* TS-PCIe control register */
+#define SATA_PHY_CONTROL         0x0720 /* TS-SATA control register */
+#define INFORM0                  0x0800 /* Information register 0  */
+#define INFORM1                  0x0804 /* Information register 1  */
+#define INFORM2                  0x0808 /* Information register 2  */
+#define INFORM3                  0x080C /* Information register 3  */
+#define INFORM4                  0x0810 /* Information register 4  */
+#define INFORM5                  0x0814 /* Information register 5  */
+#define INFORM6                  0x0818 /* Information register 6  */
+#define INFORM7                  0x081C /* Information register 7  */
+#define PMU_DEBUG                0x0A00 /* PMU debug register */
+/* Registers to set system-level low-power option */
+#define ARM_CORE0_SYS_PWR_REG              0x1000
+#define ARM_CORE1_SYS_PWR_REG              0x1010
+#define ARM_COMMON_SYS_PWR_REG             0x1080
+#define ARM_CPU_L2_0_SYS_PWR_REG           0x10C0
+#define ARM_CPU_L2_1_SYS_PWR_REG           0x10C4
+#define CMU_ACLKSTOP_SYS_PWR_REG           0x1100
+#define CMU_SCLKSTOP_SYS_PWR_REG           0x1104
+#define CMU_RESET_SYS_PWR_REG              0x110C
+#define APLL_SYSCLK_SYS_PWR_REG            0x1120
+#define MPLL_SYSCLK_SYS_PWR_REG            0x1124
+#define VPLL_SYSCLK_SYS_PWR_REG            0x1128
+#define EPLL_SYSCLK_SYS_PWR_REG            0x112C
+#define CMU_CLKSTOP_GPS_ALIVE_SYS_PWR_REG  0x1138
+#define CMU_RESET_GPS_ALIVE_SYS_PWR_REG    0x113C
+#define CMU_CLKSTOP_CAM_SYS_PWR_REG        0x1140
+#define CMU_CLKSTOP_TV_SYS_PWR_REG         0x1144
+#define CMU_CLKSTOP_MFC_SYS_PWR_REG        0x1148
+#define CMU_CLKSTOP_G3D_SYS_PWR_REG        0x114C
+#define CMU_CLKSTOP_LCD0_SYS_PWR_REG       0x1150
+#define CMU_CLKSTOP_LCD1_SYS_PWR_REG       0x1154
+#define CMU_CLKSTOP_MAUDIO_SYS_PWR_REG     0x1158
+#define CMU_CLKSTOP_GPS_SYS_PWR_REG        0x115C
+#define CMU_RESET_CAM_SYS_PWR_REG          0x1160
+#define CMU_RESET_TV_SYS_PWR_REG           0x1164
+#define CMU_RESET_MFC_SYS_PWR_REG          0x1168
+#define CMU_RESET_G3D_SYS_PWR_REG          0x116C
+#define CMU_RESET_LCD0_SYS_PWR_REG         0x1170
+#define CMU_RESET_LCD1_SYS_PWR_REG         0x1174
+#define CMU_RESET_MAUDIO_SYS_PWR_REG       0x1178
+#define CMU_RESET_GPS_SYS_PWR_REG          0x117C
+#define TOP_BUS_SYS_PWR_REG                0x1180
+#define TOP_RETENTION_SYS_PWR_REG          0x1184
+#define TOP_PWR_SYS_PWR_REG                0x1188
+#define LOGIC_RESET_SYS_PWR_REG            0x11A0
+#define OneNANDXL_MEM_SYS_PWR_REG          0x11C0
+#define MODEMIF_MEM_SYS_PWR_REG            0x11C4
+#define USBDEVICE_MEM_SYS_PWR_REG          0x11CC
+#define SDMMC_MEM_SYS_PWR_REG              0x11D0
+#define CSSYS_MEM_SYS_PWR_REG              0x11D4
+#define SECSS_MEM_SYS_PWR_REG              0x11D8
+#define PCIe_MEM_SYS_PWR_REG               0x11E0
+#define SATA_MEM_SYS_PWR_REG               0x11E4
+#define PAD_RETENTION_DRAM_SYS_PWR_REG     0x1200
+#define PAD_RETENTION_MAUDIO_SYS_PWR_REG   0x1204
+#define PAD_RETENTION_GPIO_SYS_PWR_REG     0x1220
+#define PAD_RETENTION_UART_SYS_PWR_REG     0x1224
+#define PAD_RETENTION_MMCA_SYS_PWR_REG     0x1228
+#define PAD_RETENTION_MMCB_SYS_PWR_REG     0x122C
+#define PAD_RETENTION_EBIA_SYS_PWR_REG     0x1230
+#define PAD_RETENTION_EBIB_SYS_PWR_REG     0x1234
+#define PAD_ISOLATION_SYS_PWR_REG          0x1240
+#define PAD_ALV_SEL_SYS_PWR_REG            0x1260
+#define XUSBXTI_SYS_PWR_REG                0x1280
+#define XXTI_SYS_PWR_REG                   0x1284
+#define EXT_REGULATOR_SYS_PWR_REG          0x12C0
+#define GPIO_MODE_SYS_PWR_REG              0x1300
+#define GPIO_MODE_MAUDIO_SYS_PWR_REG       0x1340
+#define CAM_SYS_PWR_REG                    0x1380
+#define TV_SYS_PWR_REG                     0x1384
+#define MFC_SYS_PWR_REG                    0x1388
+#define G3D_SYS_PWR_REG                    0x138C
+#define LCD0_SYS_PWR_REG                   0x1390
+#define LCD1_SYS_PWR_REG                   0x1394
+#define MAUDIO_SYS_PWR_REG                 0x1398
+#define GPS_SYS_PWR_REG                    0x139C
+#define GPS_ALIVE_SYS_PWR_REG              0x13A0
+#define ARM_CORE0_CONFIGURATION 0x2000 /* Configure power mode of ARM_CORE0 */
+#define ARM_CORE0_STATUS        0x2004 /* Check power mode of ARM_CORE0 */
+#define ARM_CORE0_OPTION        0x2008 /* Sets control options for ARM_CORE0 */
+#define ARM_CORE1_CONFIGURATION 0x2080 /* Configure power mode of ARM_CORE1 */
+#define ARM_CORE1_STATUS        0x2084 /* Check power mode of ARM_CORE1 */
+#define ARM_CORE1_OPTION        0x2088 /* Sets control options for ARM_CORE0 */
+#define ARM_COMMON_OPTION       0x2408 /* Sets control options for ARM_COMMON */
+/* Configure power mode of ARM_CPU_L2_0 */
+#define ARM_CPU_L2_0_CONFIGURATION 0x2600
+#define ARM_CPU_L2_0_STATUS        0x2604 /* Check power mode of ARM_CPU_L2_0 */
+/* Configure power mode of ARM_CPU_L2_1 */
+#define ARM_CPU_L2_1_CONFIGURATION 0x2620
+#define ARM_CPU_L2_1_STATUS        0x2624 /* Check power mode of ARM_CPU_L2_1 */
+/* Sets control options for PAD_RETENTION_MAUDIO */
+#define PAD_RETENTION_MAUDIO_OPTION 0x3028
+/* Sets control options for PAD_RETENTION_GPIO */
+#define PAD_RETENTION_GPIO_OPTION   0x3108
+/* Sets control options for PAD_RETENTION_UART */
+#define PAD_RETENTION_UART_OPTION   0x3128
+/* Sets control options for PAD_RETENTION_MMCA */
+#define PAD_RETENTION_MMCA_OPTION   0x3148
+/* Sets control options for PAD_RETENTION_MMCB */
+#define PAD_RETENTION_MMCB_OPTION   0x3168
+/* Sets control options for PAD_RETENTION_EBIA */
+#define PAD_RETENTION_EBIA_OPTION   0x3188
+/* Sets control options for PAD_RETENTION_EBIB */
+#define PAD_RETENTION_EBIB_OPTION   0x31A8
+#define PS_HOLD_CONTROL         0x330C /* PS_HOLD control register */
+#define XUSBXTI_CONFIGURATION   0x3400 /* Configure the pad of XUSBXTI */
+#define XUSBXTI_STATUS          0x3404 /* Check the pad of XUSBXTI */
+/* Sets time required for XUSBXTI to be stabilized */
+#define XUSBXTI_DURATION        0x341C
+#define XXTI_CONFIGURATION      0x3420 /* Configure the pad of XXTI */
+#define XXTI_STATUS             0x3424 /* Check the pad of XXTI */
+/* Sets time required for XXTI to be stabilized */
+#define XXTI_DURATION           0x343C
+/* Sets time required for EXT_REGULATOR to be stabilized */
+#define EXT_REGULATOR_DURATION  0x361C
+#define CAM_CONFIGURATION       0x3C00 /* Configure power mode of CAM */
+#define CAM_STATUS              0x3C04 /* Check power mode of CAM */
+#define CAM_OPTION              0x3C08 /* Sets control options for CAM */
+#define TV_CONFIGURATION        0x3C20 /* Configure power mode of TV */
+#define TV_STATUS               0x3C24 /* Check power mode of TV */
+#define TV_OPTION               0x3C28 /* Sets control options for TV */
+#define MFC_CONFIGURATION       0x3C40 /* Configure power mode of MFC */
+#define MFC_STATUS              0x3C44 /* Check power mode of MFC */
+#define MFC_OPTION              0x3C48 /* Sets control options for MFC */
+#define G3D_CONFIGURATION       0x3C60 /* Configure power mode of G3D */
+#define G3D_STATUS              0x3C64 /* Check power mode of G3D */
+#define G3D_OPTION              0x3C68 /* Sets control options for G3D */
+#define LCD0_CONFIGURATION      0x3C80 /* Configure power mode of LCD0 */
+#define LCD0_STATUS             0x3C84 /* Check power mode of LCD0 */
+#define LCD0_OPTION             0x3C88 /* Sets control options for LCD0 */
+#define LCD1_CONFIGURATION      0x3CA0 /* Configure power mode of LCD1 */
+#define LCD1_STATUS             0x3CA4 /* Check power mode of LCD1 */
+#define LCD1_OPTION             0x3CA8 /* Sets control options for LCD1 */
+#define GPS_CONFIGURATION       0x3CE0 /* Configure power mode of GPS */
+#define GPS_STATUS              0x3CE4 /* Check power mode of GPS */
+#define GPS_OPTION              0x3CE8 /* Sets control options for GPS */
+#define GPS_ALIVE_CONFIGURATION 0x3D00 /* Configure power mode of GPS */
+#define GPS_ALIVE_STATUS        0x3D04 /* Check power mode of GPS */
+#define GPS_ALIVE_OPTION        0x3D08 /* Sets control options for GPS */
+
+#define EXYNOS4210_PMU_REGS_MEM_SIZE 0x3d0c
+
+typedef struct Exynos4210PmuReg {
+    const char  *name; /* for debug only */
+    uint32_t     offset;
+    uint32_t     reset_value;
+} Exynos4210PmuReg;
+
+static const Exynos4210PmuReg exynos4210_pmu_regs[] = {
+    {"OM_STAT", OM_STAT, 0x00000000},
+    {"RTC_CLKO_SEL", RTC_CLKO_SEL, 0x00000000},
+    {"GNSS_RTC_OUT_CTRL", GNSS_RTC_OUT_CTRL, 0x00000001},
+    {"SYSTEM_POWER_DOWN_CTRL", SYSTEM_POWER_DOWN_CTRL, 0x00010000},
+    {"SYSTEM_POWER_DOWN_OPTION", SYSTEM_POWER_DOWN_OPTION, 0x03030000},
+    {"SWRESET", SWRESET, 0x00000000},
+    {"RST_STAT", RST_STAT, 0x00000000},
+    {"WAKEUP_STAT", WAKEUP_STAT, 0x00000000},
+    {"EINT_WAKEUP_MASK", EINT_WAKEUP_MASK, 0x00000000},
+    {"WAKEUP_MASK", WAKEUP_MASK, 0x00000000},
+    {"HDMI_PHY_CONTROL", HDMI_PHY_CONTROL, 0x00960000},
+    {"USBDEVICE_PHY_CONTROL", USBDEVICE_PHY_CONTROL, 0x00000000},
+    {"USBHOST_PHY_CONTROL", USBHOST_PHY_CONTROL, 0x00000000},
+    {"DAC_PHY_CONTROL", DAC_PHY_CONTROL, 0x00000000},
+    {"MIPI_PHY0_CONTROL", MIPI_PHY0_CONTROL, 0x00000000},
+    {"MIPI_PHY1_CONTROL", MIPI_PHY1_CONTROL, 0x00000000},
+    {"ADC_PHY_CONTROL", ADC_PHY_CONTROL, 0x00000001},
+    {"PCIe_PHY_CONTROL", PCIe_PHY_CONTROL, 0x00000000},
+    {"SATA_PHY_CONTROL", SATA_PHY_CONTROL, 0x00000000},
+    {"INFORM0", INFORM0, 0x00000000},
+    {"INFORM1", INFORM1, 0x00000000},
+    {"INFORM2", INFORM2, 0x00000000},
+    {"INFORM3", INFORM3, 0x00000000},
+    {"INFORM4", INFORM4, 0x00000000},
+    {"INFORM5", INFORM5, 0x00000000},
+    {"INFORM6", INFORM6, 0x00000000},
+    {"INFORM7", INFORM7, 0x00000000},
+    {"PMU_DEBUG", PMU_DEBUG, 0x00000000},
+    {"ARM_CORE0_SYS_PWR_REG", ARM_CORE0_SYS_PWR_REG, 0xFFFFFFFF},
+    {"ARM_CORE1_SYS_PWR_REG", ARM_CORE1_SYS_PWR_REG, 0xFFFFFFFF},
+    {"ARM_COMMON_SYS_PWR_REG", ARM_COMMON_SYS_PWR_REG, 0xFFFFFFFF},
+    {"ARM_CPU_L2_0_SYS_PWR_REG", ARM_CPU_L2_0_SYS_PWR_REG, 0xFFFFFFFF},
+    {"ARM_CPU_L2_1_SYS_PWR_REG", ARM_CPU_L2_1_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_ACLKSTOP_SYS_PWR_REG", CMU_ACLKSTOP_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_SCLKSTOP_SYS_PWR_REG", CMU_SCLKSTOP_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_SYS_PWR_REG", CMU_RESET_SYS_PWR_REG, 0xFFFFFFFF},
+    {"APLL_SYSCLK_SYS_PWR_REG", APLL_SYSCLK_SYS_PWR_REG, 0xFFFFFFFF},
+    {"MPLL_SYSCLK_SYS_PWR_REG", MPLL_SYSCLK_SYS_PWR_REG, 0xFFFFFFFF},
+    {"VPLL_SYSCLK_SYS_PWR_REG", VPLL_SYSCLK_SYS_PWR_REG, 0xFFFFFFFF},
+    {"EPLL_SYSCLK_SYS_PWR_REG", EPLL_SYSCLK_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_GPS_ALIVE_SYS_PWR_REG", CMU_CLKSTOP_GPS_ALIVE_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"CMU_RESET_GPS_ALIVE_SYS_PWR_REG", CMU_RESET_GPS_ALIVE_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"CMU_CLKSTOP_CAM_SYS_PWR_REG", CMU_CLKSTOP_CAM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_TV_SYS_PWR_REG", CMU_CLKSTOP_TV_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_MFC_SYS_PWR_REG", CMU_CLKSTOP_MFC_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_G3D_SYS_PWR_REG", CMU_CLKSTOP_G3D_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_LCD0_SYS_PWR_REG", CMU_CLKSTOP_LCD0_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_LCD1_SYS_PWR_REG", CMU_CLKSTOP_LCD1_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_CLKSTOP_MAUDIO_SYS_PWR_REG", CMU_CLKSTOP_MAUDIO_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"CMU_CLKSTOP_GPS_SYS_PWR_REG", CMU_CLKSTOP_GPS_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_CAM_SYS_PWR_REG", CMU_RESET_CAM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_TV_SYS_PWR_REG", CMU_RESET_TV_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_MFC_SYS_PWR_REG", CMU_RESET_MFC_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_G3D_SYS_PWR_REG", CMU_RESET_G3D_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_LCD0_SYS_PWR_REG", CMU_RESET_LCD0_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_LCD1_SYS_PWR_REG", CMU_RESET_LCD1_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_MAUDIO_SYS_PWR_REG", CMU_RESET_MAUDIO_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CMU_RESET_GPS_SYS_PWR_REG", CMU_RESET_GPS_SYS_PWR_REG, 0xFFFFFFFF},
+    {"TOP_BUS_SYS_PWR_REG", TOP_BUS_SYS_PWR_REG, 0xFFFFFFFF},
+    {"TOP_RETENTION_SYS_PWR_REG", TOP_RETENTION_SYS_PWR_REG, 0xFFFFFFFF},
+    {"TOP_PWR_SYS_PWR_REG", TOP_PWR_SYS_PWR_REG, 0xFFFFFFFF},
+    {"LOGIC_RESET_SYS_PWR_REG", LOGIC_RESET_SYS_PWR_REG, 0xFFFFFFFF},
+    {"OneNANDXL_MEM_SYS_PWR_REG", OneNANDXL_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"MODEMIF_MEM_SYS_PWR_REG", MODEMIF_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"USBDEVICE_MEM_SYS_PWR_REG", USBDEVICE_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"SDMMC_MEM_SYS_PWR_REG", SDMMC_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CSSYS_MEM_SYS_PWR_REG", CSSYS_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"SECSS_MEM_SYS_PWR_REG", SECSS_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"PCIe_MEM_SYS_PWR_REG", PCIe_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"SATA_MEM_SYS_PWR_REG", SATA_MEM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"PAD_RETENTION_DRAM_SYS_PWR_REG", PAD_RETENTION_DRAM_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_MAUDIO_SYS_PWR_REG", PAD_RETENTION_MAUDIO_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_GPIO_SYS_PWR_REG", PAD_RETENTION_GPIO_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_UART_SYS_PWR_REG", PAD_RETENTION_UART_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_MMCA_SYS_PWR_REG", PAD_RETENTION_MMCA_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_MMCB_SYS_PWR_REG", PAD_RETENTION_MMCB_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_EBIA_SYS_PWR_REG", PAD_RETENTION_EBIA_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_RETENTION_EBIB_SYS_PWR_REG", PAD_RETENTION_EBIB_SYS_PWR_REG,
+            0xFFFFFFFF},
+    {"PAD_ISOLATION_SYS_PWR_REG", PAD_ISOLATION_SYS_PWR_REG, 0xFFFFFFFF},
+    {"PAD_ALV_SEL_SYS_PWR_REG", PAD_ALV_SEL_SYS_PWR_REG, 0xFFFFFFFF},
+    {"XUSBXTI_SYS_PWR_REG", XUSBXTI_SYS_PWR_REG, 0xFFFFFFFF},
+    {"XXTI_SYS_PWR_REG", XXTI_SYS_PWR_REG, 0xFFFFFFFF},
+    {"EXT_REGULATOR_SYS_PWR_REG", EXT_REGULATOR_SYS_PWR_REG, 0xFFFFFFFF},
+    {"GPIO_MODE_SYS_PWR_REG", GPIO_MODE_SYS_PWR_REG, 0xFFFFFFFF},
+    {"GPIO_MODE_MAUDIO_SYS_PWR_REG", GPIO_MODE_MAUDIO_SYS_PWR_REG, 0xFFFFFFFF},
+    {"CAM_SYS_PWR_REG", CAM_SYS_PWR_REG, 0xFFFFFFFF},
+    {"TV_SYS_PWR_REG", TV_SYS_PWR_REG, 0xFFFFFFFF},
+    {"MFC_SYS_PWR_REG", MFC_SYS_PWR_REG, 0xFFFFFFFF},
+    {"G3D_SYS_PWR_REG", G3D_SYS_PWR_REG, 0xFFFFFFFF},
+    {"LCD0_SYS_PWR_REG", LCD0_SYS_PWR_REG, 0xFFFFFFFF},
+    {"LCD1_SYS_PWR_REG", LCD1_SYS_PWR_REG, 0xFFFFFFFF},
+    {"MAUDIO_SYS_PWR_REG", MAUDIO_SYS_PWR_REG, 0xFFFFFFFF},
+    {"GPS_SYS_PWR_REG", GPS_SYS_PWR_REG, 0xFFFFFFFF},
+    {"GPS_ALIVE_SYS_PWR_REG", GPS_ALIVE_SYS_PWR_REG, 0xFFFFFFFF},
+    {"ARM_CORE0_CONFIGURATION", ARM_CORE0_CONFIGURATION, 0x00000003},
+    {"ARM_CORE0_STATUS", ARM_CORE0_STATUS, 0x00030003},
+    {"ARM_CORE0_OPTION", ARM_CORE0_OPTION, 0x01010001},
+    {"ARM_CORE1_CONFIGURATION", ARM_CORE1_CONFIGURATION, 0x00000003},
+    {"ARM_CORE1_STATUS", ARM_CORE1_STATUS, 0x00030003},
+    {"ARM_CORE1_OPTION", ARM_CORE1_OPTION, 0x01010001},
+    {"ARM_COMMON_OPTION", ARM_COMMON_OPTION, 0x00000001},
+    {"ARM_CPU_L2_0_CONFIGURATION", ARM_CPU_L2_0_CONFIGURATION, 0x00000003},
+    {"ARM_CPU_L2_0_STATUS", ARM_CPU_L2_0_STATUS, 0x00000003},
+    {"ARM_CPU_L2_1_CONFIGURATION", ARM_CPU_L2_1_CONFIGURATION, 0x00000003},
+    {"ARM_CPU_L2_1_STATUS", ARM_CPU_L2_1_STATUS, 0x00000003},
+    {"PAD_RETENTION_MAUDIO_OPTION", PAD_RETENTION_MAUDIO_OPTION, 0x00000000},
+    {"PAD_RETENTION_GPIO_OPTION", PAD_RETENTION_GPIO_OPTION, 0x00000000},
+    {"PAD_RETENTION_UART_OPTION", PAD_RETENTION_UART_OPTION, 0x00000000},
+    {"PAD_RETENTION_MMCA_OPTION", PAD_RETENTION_MMCA_OPTION, 0x00000000},
+    {"PAD_RETENTION_MMCB_OPTION", PAD_RETENTION_MMCB_OPTION, 0x00000000},
+    {"PAD_RETENTION_EBIA_OPTION", PAD_RETENTION_EBIA_OPTION, 0x00000000},
+    {"PAD_RETENTION_EBIB_OPTION", PAD_RETENTION_EBIB_OPTION, 0x00000000},
+    {"PS_HOLD_CONTROL", PS_HOLD_CONTROL, 0x00005200},
+    {"XUSBXTI_CONFIGURATION", XUSBXTI_CONFIGURATION, 0x00000001},
+    {"XUSBXTI_STATUS", XUSBXTI_STATUS, 0x00000001},
+    {"XUSBXTI_DURATION", XUSBXTI_DURATION, 0xFFF00000},
+    {"XXTI_CONFIGURATION", XXTI_CONFIGURATION, 0x00000001},
+    {"XXTI_STATUS", XXTI_STATUS, 0x00000001},
+    {"XXTI_DURATION", XXTI_DURATION, 0xFFF00000},
+    {"EXT_REGULATOR_DURATION", EXT_REGULATOR_DURATION, 0xFFF03FFF},
+    {"CAM_CONFIGURATION", CAM_CONFIGURATION, 0x00000007},
+    {"CAM_STATUS", CAM_STATUS, 0x00060007},
+    {"CAM_OPTION", CAM_OPTION, 0x00000001},
+    {"TV_CONFIGURATION", TV_CONFIGURATION, 0x00000007},
+    {"TV_STATUS", TV_STATUS, 0x00060007},
+    {"TV_OPTION", TV_OPTION, 0x00000001},
+    {"MFC_CONFIGURATION", MFC_CONFIGURATION, 0x00000007},
+    {"MFC_STATUS", MFC_STATUS, 0x00060007},
+    {"MFC_OPTION", MFC_OPTION, 0x00000001},
+    {"G3D_CONFIGURATION", G3D_CONFIGURATION, 0x00000007},
+    {"G3D_STATUS", G3D_STATUS, 0x00060007},
+    {"G3D_OPTION", G3D_OPTION, 0x00000001},
+    {"LCD0_CONFIGURATION", LCD0_CONFIGURATION, 0x00000007},
+    {"LCD0_STATUS", LCD0_STATUS, 0x00060007},
+    {"LCD0_OPTION", LCD0_OPTION, 0x00000001},
+    {"LCD1_CONFIGURATION", LCD1_CONFIGURATION, 0x00000007},
+    {"LCD1_STATUS", LCD1_STATUS, 0x00060007},
+    {"LCD1_OPTION", LCD1_OPTION, 0x00000001},
+    {"GPS_CONFIGURATION", GPS_CONFIGURATION, 0x00000007},
+    {"GPS_STATUS", GPS_STATUS, 0x00060007},
+    {"GPS_OPTION", GPS_OPTION, 0x00000001},
+    {"GPS_ALIVE_CONFIGURATION", GPS_ALIVE_CONFIGURATION, 0x00000007},
+    {"GPS_ALIVE_STATUS", GPS_ALIVE_STATUS, 0x00060007},
+    {"GPS_ALIVE_OPTION", GPS_ALIVE_OPTION, 0x00000001},
+};
+
+#define PMU_NUM_OF_REGISTERS     \
+    (sizeof(exynos4210_pmu_regs) / sizeof(Exynos4210PmuReg))
+
+typedef struct Exynos4210PmuState {
+    SysBusDevice busdev;
+    MemoryRegion iomem;
+    uint32_t reg[PMU_NUM_OF_REGISTERS];
+} Exynos4210PmuState;
+
+static uint64_t exynos4210_pmu_read(void *opaque, target_phys_addr_t offset,
+                                    unsigned size)
+{
+    Exynos4210PmuState *s = (Exynos4210PmuState *)opaque;
+    unsigned i;
+    const Exynos4210PmuReg *reg_p = exynos4210_pmu_regs;
+
+    for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
+        if (reg_p->offset == offset) {
+            PRINT_DEBUG_EXTEND("%s [0x%04x] -> 0x%04x\n", reg_p->name,
+                                   (uint32_t)offset, s->reg[i]);
+            return s->reg[i];
+        }
+        reg_p++;
+    }
+    PRINT_DEBUG("QEMU PMU ERROR: bad read offset 0x%04x\n", (uint32_t)offset);
+    return 0;
+}
+
+static void exynos4210_pmu_write(void *opaque, target_phys_addr_t offset,
+                                 uint64_t val, unsigned size)
+{
+    Exynos4210PmuState *s = (Exynos4210PmuState *)opaque;
+    unsigned i;
+    const Exynos4210PmuReg *reg_p = exynos4210_pmu_regs;
+
+    for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
+        if (reg_p->offset == offset) {
+            PRINT_DEBUG_EXTEND("%s <0x%04x> <- 0x%04x\n", reg_p->name,
+                    (uint32_t)offset, (uint32_t)val);
+            s->reg[i] = val;
+            return;
+        }
+        reg_p++;
+    }
+    PRINT_DEBUG("QEMU PMU ERROR: bad write offset 0x%04x\n", (uint32_t)offset);
+}
+
+static const MemoryRegionOps exynos4210_pmu_ops = {
+    .read = exynos4210_pmu_read,
+    .write = exynos4210_pmu_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+    .valid = {
+        .min_access_size = 4,
+        .max_access_size = 4,
+        .unaligned = false
+    }
+};
+
+static void exynos4210_pmu_reset(DeviceState *dev)
+{
+    Exynos4210PmuState *s =
+            container_of(dev, Exynos4210PmuState, busdev.qdev);
+    unsigned i;
+
+    /* Set default values for registers */
+    for (i = 0; i < PMU_NUM_OF_REGISTERS; i++) {
+        s->reg[i] = exynos4210_pmu_regs[i].reset_value;
+    }
+}
+
+static int exynos4210_pmu_init(SysBusDevice *dev)
+{
+    Exynos4210PmuState *s = FROM_SYSBUS(Exynos4210PmuState, dev);
+
+    /* memory mapping */
+    memory_region_init_io(&s->iomem, &exynos4210_pmu_ops, s, "exynos4210.pmu",
+                          EXYNOS4210_PMU_REGS_MEM_SIZE);
+    sysbus_init_mmio(dev, &s->iomem);
+    return 0;
+}
+
+static const VMStateDescription exynos4210_pmu_vmstate = {
+    .name = "exynos4210.pmu",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields      = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(reg, Exynos4210PmuState, PMU_NUM_OF_REGISTERS),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static void exynos4210_pmu_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_pmu_init;
+    dc->reset = exynos4210_pmu_reset;
+    dc->vmsd = &exynos4210_pmu_vmstate;
+}
+
+static TypeInfo exynos4210_pmu_info = {
+    .name          = "exynos4210.pmu",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210PmuState),
+    .class_init    = exynos4210_pmu_class_init,
+};
+
+static void exynos4210_pmu_register(void)
+{
+    type_register_static(&exynos4210_pmu_info);
+}
+
+type_init(exynos4210_pmu_register)
commit 62db8bf39b8a0e3edb631a3d0e5bde840c780fcf
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:05 2012 +0000

    ARM: exynos4210: PWM support.
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index f501d33..bbcee06 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -345,7 +345,7 @@ obj-arm-y += arm_boot.o pl011.o pl031.o pl050.o pl080.o pl110.o pl181.o pl190.o
 obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
 obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
-obj-arm-y += exynos4_boards.o exynos4210_uart.o
+obj-arm-y += exynos4_boards.o exynos4210_uart.o exynos4210_pwm.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.c b/hw/exynos4210.c
index 555adc0..8ebe5df 100644
--- a/hw/exynos4210.c
+++ b/hw/exynos4210.c
@@ -29,6 +29,9 @@
 
 #define EXYNOS4210_CHIPID_ADDR         0x10000000
 
+/* PWM */
+#define EXYNOS4210_PWM_BASE_ADDR       0x139D0000
+
 /* UART's definitions */
 #define EXYNOS4210_UART0_BASE_ADDR     0x13800000
 #define EXYNOS4210_UART1_BASE_ADDR     0x13810000
@@ -199,6 +202,15 @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
     memory_region_add_subregion(system_mem, EXYNOS4210_DRAM0_BASE_ADDR,
             &s->dram0_mem);
 
+    /* PWM */
+    sysbus_create_varargs("exynos4210.pwm", EXYNOS4210_PWM_BASE_ADDR,
+                          s->irq_table[exynos4210_get_irq(22, 0)],
+                          s->irq_table[exynos4210_get_irq(22, 1)],
+                          s->irq_table[exynos4210_get_irq(22, 2)],
+                          s->irq_table[exynos4210_get_irq(22, 3)],
+                          s->irq_table[exynos4210_get_irq(22, 4)],
+                          NULL);
+
     /*** UARTs ***/
     exynos4210_uart_create(EXYNOS4210_UART0_BASE_ADDR,
                            EXYNOS4210_UART0_FIFO_SIZE, 0, NULL,
diff --git a/hw/exynos4210_pwm.c b/hw/exynos4210_pwm.c
new file mode 100644
index 0000000..6243e59
--- /dev/null
+++ b/hw/exynos4210_pwm.c
@@ -0,0 +1,422 @@
+/*
+ * Samsung exynos4210 Pulse Width Modulation Timer
+ *
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd.
+ * All rights reserved.
+ *
+ * Evgeny Voevodin <e.voevodin at samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sysbus.h"
+#include "qemu-timer.h"
+#include "qemu-common.h"
+#include "ptimer.h"
+
+#include "exynos4210.h"
+
+//#define DEBUG_PWM
+
+#ifdef DEBUG_PWM
+#define DPRINTF(fmt, ...) \
+        do { fprintf(stdout, "PWM: [%24s:%5d] " fmt, __func__, __LINE__, \
+                ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) do {} while (0)
+#endif
+
+#define     EXYNOS4210_PWM_TIMERS_NUM      5
+#define     EXYNOS4210_PWM_REG_MEM_SIZE    0x50
+
+#define     TCFG0        0x0000
+#define     TCFG1        0x0004
+#define     TCON         0x0008
+#define     TCNTB0       0x000C
+#define     TCMPB0       0x0010
+#define     TCNTO0       0x0014
+#define     TCNTB1       0x0018
+#define     TCMPB1       0x001C
+#define     TCNTO1       0x0020
+#define     TCNTB2       0x0024
+#define     TCMPB2       0x0028
+#define     TCNTO2       0x002C
+#define     TCNTB3       0x0030
+#define     TCMPB3       0x0034
+#define     TCNTO3       0x0038
+#define     TCNTB4       0x003C
+#define     TCNTO4       0x0040
+#define     TINT_CSTAT   0x0044
+
+#define     TCNTB(x)    (0xC * (x))
+#define     TCMPB(x)    (0xC * (x) + 1)
+#define     TCNTO(x)    (0xC * (x) + 2)
+
+#define GET_PRESCALER(reg, x) (((reg) & (0xFF << (8 * (x)))) >> 8 * (x))
+#define GET_DIVIDER(reg, x) (1 << (((reg) & (0xF << (4 * (x)))) >> (4 * (x))))
+
+/*
+ * Attention! Timer4 doesn't have OUTPUT_INVERTER,
+ * so Auto Reload bit is not accessible by macros!
+ */
+#define     TCON_TIMER_BASE(x)          (((x) ? 1 : 0) * 4 + 4 * (x))
+#define     TCON_TIMER_START(x)         (1 << (TCON_TIMER_BASE(x) + 0))
+#define     TCON_TIMER_MANUAL_UPD(x)    (1 << (TCON_TIMER_BASE(x) + 1))
+#define     TCON_TIMER_OUTPUT_INV(x)    (1 << (TCON_TIMER_BASE(x) + 2))
+#define     TCON_TIMER_AUTO_RELOAD(x)   (1 << (TCON_TIMER_BASE(x) + 3))
+#define     TCON_TIMER4_AUTO_RELOAD     (1 << 22)
+
+#define     TINT_CSTAT_STATUS(x)        (1 << (5 + (x)))
+#define     TINT_CSTAT_ENABLE(x)        (1 << (x))
+
+/* timer struct */
+typedef struct {
+    uint32_t    id;             /* timer id */
+    qemu_irq    irq;            /* local timer irq */
+    uint32_t    freq;           /* timer frequency */
+
+    /* use ptimer.c to represent count down timer */
+    ptimer_state *ptimer;       /* timer  */
+
+    /* registers */
+    uint32_t    reg_tcntb;      /* counter register buffer */
+    uint32_t    reg_tcmpb;      /* compare register buffer */
+
+    struct Exynos4210PWMState *parent;
+
+} Exynos4210PWM;
+
+
+typedef struct Exynos4210PWMState {
+    SysBusDevice busdev;
+    MemoryRegion iomem;
+
+    uint32_t    reg_tcfg[2];
+    uint32_t    reg_tcon;
+    uint32_t    reg_tint_cstat;
+
+    Exynos4210PWM timer[EXYNOS4210_PWM_TIMERS_NUM];
+
+} Exynos4210PWMState;
+
+/*** VMState ***/
+static const VMStateDescription vmstate_exynos4210_pwm = {
+    .name = "exynos4210.pwm.pwm",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(id, Exynos4210PWM),
+        VMSTATE_UINT32(freq, Exynos4210PWM),
+        VMSTATE_PTIMER(ptimer, Exynos4210PWM),
+        VMSTATE_UINT32(reg_tcntb, Exynos4210PWM),
+        VMSTATE_UINT32(reg_tcmpb, Exynos4210PWM),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_exynos4210_pwm_state = {
+    .name = "exynos4210.pwm",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(reg_tcfg, Exynos4210PWMState, 2),
+        VMSTATE_UINT32(reg_tcon, Exynos4210PWMState),
+        VMSTATE_UINT32(reg_tint_cstat, Exynos4210PWMState),
+        VMSTATE_STRUCT_ARRAY(timer, Exynos4210PWMState,
+            EXYNOS4210_PWM_TIMERS_NUM, 0,
+        vmstate_exynos4210_pwm, Exynos4210PWM),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+/*
+ * PWM update frequency
+ */
+static void exynos4210_pwm_update_freq(Exynos4210PWMState *s, uint32_t id)
+{
+    uint32_t freq;
+    freq = s->timer[id].freq;
+    if (id > 1) {
+        s->timer[id].freq = 24000000 /
+        ((GET_PRESCALER(s->reg_tcfg[0], 1) + 1) *
+                (GET_DIVIDER(s->reg_tcfg[1], id)));
+    } else {
+        s->timer[id].freq = 24000000 /
+        ((GET_PRESCALER(s->reg_tcfg[0], 0) + 1) *
+                (GET_DIVIDER(s->reg_tcfg[1], id)));
+    }
+
+    if (freq != s->timer[id].freq) {
+        ptimer_set_freq(s->timer[id].ptimer, s->timer[id].freq);
+        DPRINTF("freq=%dHz\n", s->timer[id].freq);
+    }
+}
+
+/*
+ * Counter tick handler
+ */
+static void exynos4210_pwm_tick(void *opaque)
+{
+    Exynos4210PWM *s = (Exynos4210PWM *)opaque;
+    Exynos4210PWMState *p = (Exynos4210PWMState *)s->parent;
+    uint32_t id = s->id;
+    bool cmp;
+
+    DPRINTF("timer %d tick\n", id);
+
+    /* set irq status */
+    p->reg_tint_cstat |= TINT_CSTAT_STATUS(id);
+
+    /* raise IRQ */
+    if (p->reg_tint_cstat & TINT_CSTAT_ENABLE(id)) {
+        DPRINTF("timer %d IRQ\n", id);
+        qemu_irq_raise(p->timer[id].irq);
+    }
+
+    /* reload timer */
+    if (id != 4) {
+        cmp = p->reg_tcon & TCON_TIMER_AUTO_RELOAD(id);
+    } else {
+        cmp = p->reg_tcon & TCON_TIMER4_AUTO_RELOAD;
+    }
+
+    if (cmp) {
+        DPRINTF("auto reload timer %d count to %x\n", id,
+                p->timer[id].reg_tcntb);
+        ptimer_set_count(p->timer[id].ptimer, p->timer[id].reg_tcntb);
+        ptimer_run(p->timer[id].ptimer, 1);
+    } else {
+        /* stop timer, set status to STOP, see Basic Timer Operation */
+        p->reg_tcon = ~TCON_TIMER_START(id);
+        ptimer_stop(p->timer[id].ptimer);
+    }
+}
+
+/*
+ * PWM Read
+ */
+static uint64_t exynos4210_pwm_read(void *opaque, target_phys_addr_t offset,
+        unsigned size)
+{
+    Exynos4210PWMState *s = (Exynos4210PWMState *)opaque;
+    uint32_t value = 0;
+    int index;
+
+    switch (offset) {
+    case TCFG0: case TCFG1:
+        index = (offset - TCFG0) >> 2;
+        value = s->reg_tcfg[index];
+        break;
+
+    case TCON:
+        value = s->reg_tcon;
+        break;
+
+    case TCNTB0: case TCNTB1:
+    case TCNTB2: case TCNTB3: case TCNTB4:
+        index = (offset - TCNTB0) / 0xC;
+        value = s->timer[index].reg_tcntb;
+        break;
+
+    case TCMPB0: case TCMPB1:
+    case TCMPB2: case TCMPB3:
+        index = (offset - TCMPB0) / 0xC;
+        value = s->timer[index].reg_tcmpb;
+        break;
+
+    case TCNTO0: case TCNTO1:
+    case TCNTO2: case TCNTO3: case TCNTO4:
+        index = (offset == TCNTO4) ? 4 : (offset - TCNTO0) / 0xC;
+        value = ptimer_get_count(s->timer[index].ptimer);
+        break;
+
+    case TINT_CSTAT:
+        value = s->reg_tint_cstat;
+        break;
+
+    default:
+        fprintf(stderr,
+                "[exynos4210.pwm: bad read offset " TARGET_FMT_plx "]\n",
+                offset);
+        break;
+    }
+    return value;
+}
+
+/*
+ * PWM Write
+ */
+static void exynos4210_pwm_write(void *opaque, target_phys_addr_t offset,
+        uint64_t value, unsigned size)
+{
+    Exynos4210PWMState *s = (Exynos4210PWMState *)opaque;
+    int index;
+    uint32_t new_val;
+    int i;
+
+    switch (offset) {
+    case TCFG0: case TCFG1:
+        index = (offset - TCFG0) >> 2;
+        s->reg_tcfg[index] = value;
+
+        /* update timers frequencies */
+        for (i = 0; i < EXYNOS4210_PWM_TIMERS_NUM; i++) {
+            exynos4210_pwm_update_freq(s, s->timer[i].id);
+        }
+        break;
+
+    case TCON:
+        for (i = 0; i < EXYNOS4210_PWM_TIMERS_NUM; i++) {
+            if ((value & TCON_TIMER_MANUAL_UPD(i)) >
+            (s->reg_tcon & TCON_TIMER_MANUAL_UPD(i))) {
+                /*
+                 * TCNTB and TCMPB are loaded into TCNT and TCMP.
+                 * Update timers.
+                 */
+
+                /* this will start timer to run, this ok, because
+                 * during processing start bit timer will be stopped
+                 * if needed */
+                ptimer_set_count(s->timer[i].ptimer, s->timer[i].reg_tcntb);
+                DPRINTF("set timer %d count to %x\n", i,
+                        s->timer[i].reg_tcntb);
+            }
+
+            if ((value & TCON_TIMER_START(i)) >
+            (s->reg_tcon & TCON_TIMER_START(i))) {
+                /* changed to start */
+                ptimer_run(s->timer[i].ptimer, 1);
+                DPRINTF("run timer %d\n", i);
+            }
+
+            if ((value & TCON_TIMER_START(i)) <
+                    (s->reg_tcon & TCON_TIMER_START(i))) {
+                /* changed to stop */
+                ptimer_stop(s->timer[i].ptimer);
+                DPRINTF("stop timer %d\n", i);
+            }
+        }
+        s->reg_tcon = value;
+        break;
+
+    case TCNTB0: case TCNTB1:
+    case TCNTB2: case TCNTB3: case TCNTB4:
+        index = (offset - TCNTB0) / 0xC;
+        s->timer[index].reg_tcntb = value;
+        break;
+
+    case TCMPB0: case TCMPB1:
+    case TCMPB2: case TCMPB3:
+        index = (offset - TCMPB0) / 0xC;
+        s->timer[index].reg_tcmpb = value;
+        break;
+
+    case TINT_CSTAT:
+        new_val = (s->reg_tint_cstat & 0x3E0) + (0x1F & value);
+        new_val &= ~(0x3E0 & value);
+
+        for (i = 0; i < EXYNOS4210_PWM_TIMERS_NUM; i++) {
+            if ((new_val & TINT_CSTAT_STATUS(i)) <
+                    (s->reg_tint_cstat & TINT_CSTAT_STATUS(i))) {
+                qemu_irq_lower(s->timer[i].irq);
+            }
+        }
+
+        s->reg_tint_cstat = new_val;
+        break;
+
+    default:
+        fprintf(stderr,
+                "[exynos4210.pwm: bad write offset " TARGET_FMT_plx "]\n",
+                offset);
+        break;
+
+    }
+}
+
+/*
+ * Set default values to timer fields and registers
+ */
+static void exynos4210_pwm_reset(DeviceState *d)
+{
+    Exynos4210PWMState *s = (Exynos4210PWMState *)d;
+    int i;
+    s->reg_tcfg[0] = 0x0101;
+    s->reg_tcfg[1] = 0x0;
+    s->reg_tcon = 0;
+    s->reg_tint_cstat = 0;
+    for (i = 0; i < EXYNOS4210_PWM_TIMERS_NUM; i++) {
+        s->timer[i].reg_tcmpb = 0;
+        s->timer[i].reg_tcntb = 0;
+
+        exynos4210_pwm_update_freq(s, s->timer[i].id);
+        ptimer_stop(s->timer[i].ptimer);
+    }
+}
+
+static const MemoryRegionOps exynos4210_pwm_ops = {
+    .read = exynos4210_pwm_read,
+    .write = exynos4210_pwm_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+/*
+ * PWM timer initialization
+ */
+static int exynos4210_pwm_init(SysBusDevice *dev)
+{
+    Exynos4210PWMState *s = FROM_SYSBUS(Exynos4210PWMState, dev);
+    int i;
+    QEMUBH *bh;
+
+    for (i = 0; i < EXYNOS4210_PWM_TIMERS_NUM; i++) {
+        bh = qemu_bh_new(exynos4210_pwm_tick, &s->timer[i]);
+        sysbus_init_irq(dev, &s->timer[i].irq);
+        s->timer[i].ptimer = ptimer_init(bh);
+        s->timer[i].id = i;
+        s->timer[i].parent = s;
+    }
+
+    memory_region_init_io(&s->iomem, &exynos4210_pwm_ops, s, "exynos4210-pwm",
+            EXYNOS4210_PWM_REG_MEM_SIZE);
+    sysbus_init_mmio(dev, &s->iomem);
+
+    return 0;
+}
+
+static void exynos4210_pwm_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_pwm_init;
+    dc->reset = exynos4210_pwm_reset;
+    dc->vmsd = &vmstate_exynos4210_pwm_state;
+}
+
+static TypeInfo exynos4210_pwm_info = {
+    .name          = "exynos4210.pwm",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210PWMState),
+    .class_init    = exynos4210_pwm_class_init,
+};
+
+static void exynos4210_pwm_register_types(void)
+{
+    type_register_static(&exynos4210_pwm_info);
+}
+
+type_init(exynos4210_pwm_register_types)
commit e5a4914efc75c8880d7088dc0871766e5b73673f
Author: Maksim Kozlov <m.kozlov at samsung.com>
Date:   Thu Feb 16 09:56:05 2012 +0000

    ARM: exynos4210: UART support
    
    Add basic support of exynos4210 UART
    
    Signed-off-by: Maksim Kozlov <m.kozlov at samsung.com>
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index c9afbd3..f501d33 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -345,7 +345,7 @@ obj-arm-y += arm_boot.o pl011.o pl031.o pl050.o pl080.o pl110.o pl181.o pl190.o
 obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
 obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
-obj-arm-y += exynos4_boards.o
+obj-arm-y += exynos4_boards.o exynos4210_uart.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.c b/hw/exynos4210.c
index 5b1e24c..555adc0 100644
--- a/hw/exynos4210.c
+++ b/hw/exynos4210.c
@@ -29,6 +29,18 @@
 
 #define EXYNOS4210_CHIPID_ADDR         0x10000000
 
+/* UART's definitions */
+#define EXYNOS4210_UART0_BASE_ADDR     0x13800000
+#define EXYNOS4210_UART1_BASE_ADDR     0x13810000
+#define EXYNOS4210_UART2_BASE_ADDR     0x13820000
+#define EXYNOS4210_UART3_BASE_ADDR     0x13830000
+#define EXYNOS4210_UART0_FIFO_SIZE     256
+#define EXYNOS4210_UART1_FIFO_SIZE     64
+#define EXYNOS4210_UART2_FIFO_SIZE     16
+#define EXYNOS4210_UART3_FIFO_SIZE     16
+/* Interrupt Group of External Interrupt Combiner for UART */
+#define EXYNOS4210_UART_INT_GRP        26
+
 /* External GIC */
 #define EXYNOS4210_EXT_GIC_CPU_BASE_ADDR    0x10480000
 #define EXYNOS4210_EXT_GIC_DIST_BASE_ADDR   0x10490000
@@ -187,5 +199,22 @@ Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
     memory_region_add_subregion(system_mem, EXYNOS4210_DRAM0_BASE_ADDR,
             &s->dram0_mem);
 
+    /*** UARTs ***/
+    exynos4210_uart_create(EXYNOS4210_UART0_BASE_ADDR,
+                           EXYNOS4210_UART0_FIFO_SIZE, 0, NULL,
+                  s->irq_table[exynos4210_get_irq(EXYNOS4210_UART_INT_GRP, 0)]);
+
+    exynos4210_uart_create(EXYNOS4210_UART1_BASE_ADDR,
+                           EXYNOS4210_UART1_FIFO_SIZE, 1, NULL,
+                  s->irq_table[exynos4210_get_irq(EXYNOS4210_UART_INT_GRP, 1)]);
+
+    exynos4210_uart_create(EXYNOS4210_UART2_BASE_ADDR,
+                           EXYNOS4210_UART2_FIFO_SIZE, 2, NULL,
+                  s->irq_table[exynos4210_get_irq(EXYNOS4210_UART_INT_GRP, 2)]);
+
+    exynos4210_uart_create(EXYNOS4210_UART3_BASE_ADDR,
+                           EXYNOS4210_UART3_FIFO_SIZE, 3, NULL,
+                  s->irq_table[exynos4210_get_irq(EXYNOS4210_UART_INT_GRP, 3)]);
+
     return s;
 }
diff --git a/hw/exynos4210.h b/hw/exynos4210.h
index 0026a52..e7522f8 100644
--- a/hw/exynos4210.h
+++ b/hw/exynos4210.h
@@ -119,4 +119,13 @@ uint32_t exynos4210_get_irq(uint32_t grp, uint32_t bit);
 void exynos4210_combiner_get_gpioin(Exynos4210Irq *irqs, DeviceState *dev,
         int ext);
 
+/*
+ * exynos4210 UART
+ */
+DeviceState *exynos4210_uart_create(target_phys_addr_t addr,
+                                    int fifo_size,
+                                    int channel,
+                                    CharDriverState *chr,
+                                    qemu_irq irq);
+
 #endif /* EXYNOS4210_H_ */
diff --git a/hw/exynos4210_uart.c b/hw/exynos4210_uart.c
new file mode 100644
index 0000000..73a9c18
--- /dev/null
+++ b/hw/exynos4210_uart.c
@@ -0,0 +1,676 @@
+/*
+ *  Exynos4210 UART Emulation
+ *
+ *  Copyright (C) 2011 Samsung Electronics Co Ltd.
+ *    Maksim Kozlov, <m.kozlov at samsung.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful, but WITHOUT
+ *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ *  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "sysbus.h"
+#include "sysemu.h"
+#include "qemu-char.h"
+
+#include "exynos4210.h"
+
+#undef DEBUG_UART
+#undef DEBUG_UART_EXTEND
+#undef DEBUG_IRQ
+#undef DEBUG_Rx_DATA
+#undef DEBUG_Tx_DATA
+
+#define DEBUG_UART            0
+#define DEBUG_UART_EXTEND     0
+#define DEBUG_IRQ             0
+#define DEBUG_Rx_DATA         0
+#define DEBUG_Tx_DATA         0
+
+#if DEBUG_UART
+#define  PRINT_DEBUG(fmt, args...)  \
+        do { \
+            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
+        } while (0)
+
+#if DEBUG_UART_EXTEND
+#define  PRINT_DEBUG_EXTEND(fmt, args...) \
+        do { \
+            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
+        } while (0)
+#else
+#define  PRINT_DEBUG_EXTEND(fmt, args...) \
+        do {} while (0)
+#endif /* EXTEND */
+
+#else
+#define  PRINT_DEBUG(fmt, args...)  \
+        do {} while (0)
+#define  PRINT_DEBUG_EXTEND(fmt, args...) \
+        do {} while (0)
+#endif
+
+#define  PRINT_ERROR(fmt, args...) \
+        do { \
+            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
+        } while (0)
+
+/*
+ *  Offsets for UART registers relative to SFR base address
+ *  for UARTn
+ *
+ */
+#define ULCON      0x0000 /* Line Control             */
+#define UCON       0x0004 /* Control                  */
+#define UFCON      0x0008 /* FIFO Control             */
+#define UMCON      0x000C /* Modem Control            */
+#define UTRSTAT    0x0010 /* Tx/Rx Status             */
+#define UERSTAT    0x0014 /* UART Error Status        */
+#define UFSTAT     0x0018 /* FIFO Status              */
+#define UMSTAT     0x001C /* Modem Status             */
+#define UTXH       0x0020 /* Transmit Buffer          */
+#define URXH       0x0024 /* Receive Buffer           */
+#define UBRDIV     0x0028 /* Baud Rate Divisor        */
+#define UFRACVAL   0x002C /* Divisor Fractional Value */
+#define UINTP      0x0030 /* Interrupt Pending        */
+#define UINTSP     0x0034 /* Interrupt Source Pending */
+#define UINTM      0x0038 /* Interrupt Mask           */
+
+/*
+ * for indexing register in the uint32_t array
+ *
+ * 'reg' - register offset (see offsets definitions above)
+ *
+ */
+#define I_(reg) (reg / sizeof(uint32_t))
+
+typedef struct Exynos4210UartReg {
+    const char         *name; /* the only reason is the debug output */
+    target_phys_addr_t  offset;
+    uint32_t            reset_value;
+} Exynos4210UartReg;
+
+static Exynos4210UartReg exynos4210_uart_regs[] = {
+    {"ULCON",    ULCON,    0x00000000},
+    {"UCON",     UCON,     0x00003000},
+    {"UFCON",    UFCON,    0x00000000},
+    {"UMCON",    UMCON,    0x00000000},
+    {"UTRSTAT",  UTRSTAT,  0x00000006}, /* RO */
+    {"UERSTAT",  UERSTAT,  0x00000000}, /* RO */
+    {"UFSTAT",   UFSTAT,   0x00000000}, /* RO */
+    {"UMSTAT",   UMSTAT,   0x00000000}, /* RO */
+    {"UTXH",     UTXH,     0x5c5c5c5c}, /* WO, undefined reset value*/
+    {"URXH",     URXH,     0x00000000}, /* RO */
+    {"UBRDIV",   UBRDIV,   0x00000000},
+    {"UFRACVAL", UFRACVAL, 0x00000000},
+    {"UINTP",    UINTP,    0x00000000},
+    {"UINTSP",   UINTSP,   0x00000000},
+    {"UINTM",    UINTM,    0x00000000},
+};
+
+#define EXYNOS4210_UART_REGS_MEM_SIZE    0x3C
+
+/* UART FIFO Control */
+#define UFCON_FIFO_ENABLE                    0x1
+#define UFCON_Rx_FIFO_RESET                  0x2
+#define UFCON_Tx_FIFO_RESET                  0x4
+#define UFCON_Tx_FIFO_TRIGGER_LEVEL_SHIFT    8
+#define UFCON_Tx_FIFO_TRIGGER_LEVEL (7 << UFCON_Tx_FIFO_TRIGGER_LEVEL_SHIFT)
+#define UFCON_Rx_FIFO_TRIGGER_LEVEL_SHIFT    4
+#define UFCON_Rx_FIFO_TRIGGER_LEVEL (7 << UFCON_Rx_FIFO_TRIGGER_LEVEL_SHIFT)
+
+/* Uart FIFO Status */
+#define UFSTAT_Rx_FIFO_COUNT        0xff
+#define UFSTAT_Rx_FIFO_FULL         0x100
+#define UFSTAT_Rx_FIFO_ERROR        0x200
+#define UFSTAT_Tx_FIFO_COUNT_SHIFT  16
+#define UFSTAT_Tx_FIFO_COUNT        (0xff << UFSTAT_Tx_FIFO_COUNT_SHIFT)
+#define UFSTAT_Tx_FIFO_FULL_SHIFT   24
+#define UFSTAT_Tx_FIFO_FULL         (1 << UFSTAT_Tx_FIFO_FULL_SHIFT)
+
+/* UART Interrupt Source Pending */
+#define UINTSP_RXD      0x1 /* Receive interrupt  */
+#define UINTSP_ERROR    0x2 /* Error interrupt    */
+#define UINTSP_TXD      0x4 /* Transmit interrupt */
+#define UINTSP_MODEM    0x8 /* Modem interrupt    */
+
+/* UART Line Control */
+#define ULCON_IR_MODE_SHIFT   6
+#define ULCON_PARITY_SHIFT    3
+#define ULCON_STOP_BIT_SHIFT  1
+
+/* UART Tx/Rx Status */
+#define UTRSTAT_TRANSMITTER_EMPTY       0x4
+#define UTRSTAT_Tx_BUFFER_EMPTY         0x2
+#define UTRSTAT_Rx_BUFFER_DATA_READY    0x1
+
+/* UART Error Status */
+#define UERSTAT_OVERRUN  0x1
+#define UERSTAT_PARITY   0x2
+#define UERSTAT_FRAME    0x4
+#define UERSTAT_BREAK    0x8
+
+typedef struct {
+    uint8_t    *data;
+    uint32_t    sp, rp; /* store and retrieve pointers */
+    uint32_t    size;
+} Exynos4210UartFIFO;
+
+typedef struct {
+    SysBusDevice busdev;
+    MemoryRegion iomem;
+
+    uint32_t             reg[EXYNOS4210_UART_REGS_MEM_SIZE / sizeof(uint32_t)];
+    Exynos4210UartFIFO   rx;
+    Exynos4210UartFIFO   tx;
+
+    CharDriverState  *chr;
+    qemu_irq          irq;
+
+    uint32_t channel;
+
+} Exynos4210UartState;
+
+
+#if DEBUG_UART
+/* Used only for debugging inside PRINT_DEBUG_... macros */
+static const char *exynos4210_uart_regname(target_phys_addr_t  offset)
+{
+
+    int regs_number = sizeof(exynos4210_uart_regs) / sizeof(Exynos4210UartReg);
+    int i;
+
+    for (i = 0; i < regs_number; i++) {
+        if (offset == exynos4210_uart_regs[i].offset) {
+            return exynos4210_uart_regs[i].name;
+        }
+    }
+
+    return NULL;
+}
+#endif
+
+
+static void fifo_store(Exynos4210UartFIFO *q, uint8_t ch)
+{
+    q->data[q->sp] = ch;
+    q->sp = (q->sp + 1) % q->size;
+}
+
+static uint8_t fifo_retrieve(Exynos4210UartFIFO *q)
+{
+    uint8_t ret = q->data[q->rp];
+    q->rp = (q->rp + 1) % q->size;
+    return  ret;
+}
+
+static int fifo_elements_number(Exynos4210UartFIFO *q)
+{
+    if (q->sp < q->rp) {
+        return q->size - q->rp + q->sp;
+    }
+
+    return q->sp - q->rp;
+}
+
+static int fifo_empty_elements_number(Exynos4210UartFIFO *q)
+{
+    return q->size - fifo_elements_number(q);
+}
+
+static void fifo_reset(Exynos4210UartFIFO *q)
+{
+    if (q->data != NULL) {
+        g_free(q->data);
+        q->data = NULL;
+    }
+
+    q->data = (uint8_t *)g_malloc0(q->size);
+
+    q->sp = 0;
+    q->rp = 0;
+}
+
+static uint32_t exynos4210_uart_Tx_FIFO_trigger_level(Exynos4210UartState *s)
+{
+    uint32_t level = 0;
+    uint32_t reg;
+
+    reg = (s->reg[I_(UFCON)] && UFCON_Tx_FIFO_TRIGGER_LEVEL) >>
+            UFCON_Tx_FIFO_TRIGGER_LEVEL_SHIFT;
+
+    switch (s->channel) {
+    case 0:
+        level = reg * 32;
+        break;
+    case 1:
+    case 4:
+        level = reg * 8;
+        break;
+    case 2:
+    case 3:
+        level = reg * 2;
+        break;
+    default:
+        level = 0;
+        PRINT_ERROR("Wrong UART channel number: %d\n", s->channel);
+    }
+
+    return level;
+}
+
+static void exynos4210_uart_update_irq(Exynos4210UartState *s)
+{
+    /*
+     * The Tx interrupt is always requested if the number of data in the
+     * transmit FIFO is smaller than the trigger level.
+     */
+    if (s->reg[I_(UFCON)] && UFCON_FIFO_ENABLE) {
+
+        uint32_t count = (s->reg[I_(UFSTAT)] && UFSTAT_Tx_FIFO_COUNT) >>
+                UFSTAT_Tx_FIFO_COUNT_SHIFT;
+
+        if (count <= exynos4210_uart_Tx_FIFO_trigger_level(s)) {
+            s->reg[I_(UINTSP)] |= UINTSP_TXD;
+        }
+    }
+
+    s->reg[I_(UINTP)] = s->reg[I_(UINTSP)] & ~s->reg[I_(UINTM)];
+
+    if (s->reg[I_(UINTP)]) {
+        qemu_irq_raise(s->irq);
+
+#if DEBUG_IRQ
+        fprintf(stderr, "UART%d: IRQ has been raised: %08x\n",
+                s->channel, s->reg[I_(UINTP)]);
+#endif
+
+    } else {
+        qemu_irq_lower(s->irq);
+    }
+}
+
+static void exynos4210_uart_update_parameters(Exynos4210UartState *s)
+{
+    int speed, parity, data_bits, stop_bits, frame_size;
+    QEMUSerialSetParams ssp;
+    uint64_t uclk_rate;
+
+    if (s->reg[I_(UBRDIV)] == 0) {
+        return;
+    }
+
+    frame_size = 1; /* start bit */
+    if (s->reg[I_(ULCON)] & 0x20) {
+        frame_size++; /* parity bit */
+        if (s->reg[I_(ULCON)] & 0x28) {
+            parity = 'E';
+        } else {
+            parity = 'O';
+        }
+    } else {
+        parity = 'N';
+    }
+
+    if (s->reg[I_(ULCON)] & 0x4) {
+        stop_bits = 2;
+    } else {
+        stop_bits = 1;
+    }
+
+    data_bits = (s->reg[I_(ULCON)] & 0x3) + 5;
+
+    frame_size += data_bits + stop_bits;
+
+    uclk_rate = 24000000;
+
+    speed = uclk_rate / ((16 * (s->reg[I_(UBRDIV)]) & 0xffff) +
+            (s->reg[I_(UFRACVAL)] & 0x7) + 16);
+
+    ssp.speed     = speed;
+    ssp.parity    = parity;
+    ssp.data_bits = data_bits;
+    ssp.stop_bits = stop_bits;
+
+    qemu_chr_fe_ioctl(s->chr, CHR_IOCTL_SERIAL_SET_PARAMS, &ssp);
+
+    PRINT_DEBUG("UART%d: speed: %d, parity: %c, data: %d, stop: %d\n",
+                s->channel, speed, parity, data_bits, stop_bits);
+}
+
+static void exynos4210_uart_write(void *opaque, target_phys_addr_t offset,
+                               uint64_t val, unsigned size)
+{
+    Exynos4210UartState *s = (Exynos4210UartState *)opaque;
+    uint8_t ch;
+
+    PRINT_DEBUG_EXTEND("UART%d: <0x%04x> %s <- 0x%08llx\n", s->channel,
+        offset, exynos4210_uart_regname(offset), (long long unsigned int)val);
+
+    switch (offset) {
+    case ULCON:
+    case UBRDIV:
+    case UFRACVAL:
+        s->reg[I_(offset)] = val;
+        exynos4210_uart_update_parameters(s);
+        break;
+    case UFCON:
+        s->reg[I_(UFCON)] = val;
+        if (val & UFCON_Rx_FIFO_RESET) {
+            fifo_reset(&s->rx);
+            s->reg[I_(UFCON)] &= ~UFCON_Rx_FIFO_RESET;
+            PRINT_DEBUG("UART%d: Rx FIFO Reset\n", s->channel);
+        }
+        if (val & UFCON_Tx_FIFO_RESET) {
+            fifo_reset(&s->tx);
+            s->reg[I_(UFCON)] &= ~UFCON_Tx_FIFO_RESET;
+            PRINT_DEBUG("UART%d: Tx FIFO Reset\n", s->channel);
+        }
+        break;
+
+    case UTXH:
+        if (s->chr) {
+            s->reg[I_(UTRSTAT)] &= ~(UTRSTAT_TRANSMITTER_EMPTY |
+                    UTRSTAT_Tx_BUFFER_EMPTY);
+            ch = (uint8_t)val;
+            qemu_chr_fe_write(s->chr, &ch, 1);
+#if DEBUG_Tx_DATA
+            fprintf(stderr, "%c", ch);
+#endif
+            s->reg[I_(UTRSTAT)] |= UTRSTAT_TRANSMITTER_EMPTY |
+                    UTRSTAT_Tx_BUFFER_EMPTY;
+            s->reg[I_(UINTSP)]  |= UINTSP_TXD;
+            exynos4210_uart_update_irq(s);
+        }
+        break;
+
+    case UINTP:
+        s->reg[I_(UINTP)] &= ~val;
+        s->reg[I_(UINTSP)] &= ~val;
+        PRINT_DEBUG("UART%d: UINTP [%04x] have been cleared: %08x\n",
+                    s->channel, offset, s->reg[I_(UINTP)]);
+        exynos4210_uart_update_irq(s);
+        break;
+    case UTRSTAT:
+    case UERSTAT:
+    case UFSTAT:
+    case UMSTAT:
+    case URXH:
+        PRINT_DEBUG("UART%d: Trying to write into RO register: %s [%04x]\n",
+                    s->channel, exynos4210_uart_regname(offset), offset);
+        break;
+    case UINTSP:
+        s->reg[I_(UINTSP)]  &= ~val;
+        break;
+    case UINTM:
+        s->reg[I_(UINTM)] = val;
+        exynos4210_uart_update_irq(s);
+        break;
+    case UCON:
+    case UMCON:
+    default:
+        s->reg[I_(offset)] = val;
+        break;
+    }
+}
+static uint64_t exynos4210_uart_read(void *opaque, target_phys_addr_t offset,
+                                  unsigned size)
+{
+    Exynos4210UartState *s = (Exynos4210UartState *)opaque;
+    uint32_t res;
+
+    switch (offset) {
+    case UERSTAT: /* Read Only */
+        res = s->reg[I_(UERSTAT)];
+        s->reg[I_(UERSTAT)] = 0;
+        return res;
+    case UFSTAT: /* Read Only */
+        s->reg[I_(UFSTAT)] = fifo_elements_number(&s->rx) & 0xff;
+        if (fifo_empty_elements_number(&s->rx) == 0) {
+            s->reg[I_(UFSTAT)] |= UFSTAT_Rx_FIFO_FULL;
+            s->reg[I_(UFSTAT)] &= ~0xff;
+        }
+        return s->reg[I_(UFSTAT)];
+    case URXH:
+        if (s->reg[I_(UFCON)] & UFCON_FIFO_ENABLE) {
+            if (fifo_elements_number(&s->rx)) {
+                res = fifo_retrieve(&s->rx);
+#if DEBUG_Rx_DATA
+                fprintf(stderr, "%c", res);
+#endif
+                if (!fifo_elements_number(&s->rx)) {
+                    s->reg[I_(UTRSTAT)] &= ~UTRSTAT_Rx_BUFFER_DATA_READY;
+                } else {
+                    s->reg[I_(UTRSTAT)] |= UTRSTAT_Rx_BUFFER_DATA_READY;
+                }
+            } else {
+                s->reg[I_(UINTSP)] |= UINTSP_ERROR;
+                exynos4210_uart_update_irq(s);
+                res = 0;
+            }
+        } else {
+            s->reg[I_(UTRSTAT)] &= ~UTRSTAT_Rx_BUFFER_DATA_READY;
+            res = s->reg[I_(URXH)];
+        }
+        return res;
+    case UTXH:
+        PRINT_DEBUG("UART%d: Trying to read from WO register: %s [%04x]\n",
+                    s->channel, exynos4210_uart_regname(offset), offset);
+        break;
+    default:
+        return s->reg[I_(offset)];
+    }
+
+    return 0;
+}
+
+static const MemoryRegionOps exynos4210_uart_ops = {
+    .read = exynos4210_uart_read,
+    .write = exynos4210_uart_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+    .valid = {
+        .max_access_size = 4,
+        .unaligned = false
+    },
+};
+
+static int exynos4210_uart_can_receive(void *opaque)
+{
+    Exynos4210UartState *s = (Exynos4210UartState *)opaque;
+
+    return fifo_empty_elements_number(&s->rx);
+}
+
+
+static void exynos4210_uart_receive(void *opaque, const uint8_t *buf, int size)
+{
+    Exynos4210UartState *s = (Exynos4210UartState *)opaque;
+    int i;
+
+    if (s->reg[I_(UFCON)] & UFCON_FIFO_ENABLE) {
+        if (fifo_empty_elements_number(&s->rx) < size) {
+            for (i = 0; i < fifo_empty_elements_number(&s->rx); i++) {
+                fifo_store(&s->rx, buf[i]);
+            }
+            s->reg[I_(UINTSP)] |= UINTSP_ERROR;
+            s->reg[I_(UTRSTAT)] |= UTRSTAT_Rx_BUFFER_DATA_READY;
+        } else {
+            for (i = 0; i < size; i++) {
+                fifo_store(&s->rx, buf[i]);
+            }
+            s->reg[I_(UTRSTAT)] |= UTRSTAT_Rx_BUFFER_DATA_READY;
+        }
+        /* XXX: Around here we maybe should check Rx trigger level */
+        s->reg[I_(UINTSP)] |= UINTSP_RXD;
+    } else {
+        s->reg[I_(URXH)] = buf[0];
+        s->reg[I_(UINTSP)] |= UINTSP_RXD;
+        s->reg[I_(UTRSTAT)] |= UTRSTAT_Rx_BUFFER_DATA_READY;
+    }
+
+    exynos4210_uart_update_irq(s);
+}
+
+
+static void exynos4210_uart_event(void *opaque, int event)
+{
+    Exynos4210UartState *s = (Exynos4210UartState *)opaque;
+
+    if (event == CHR_EVENT_BREAK) {
+        /* When the RxDn is held in logic 0, then a null byte is pushed into the
+         * fifo */
+        fifo_store(&s->rx, '\0');
+        s->reg[I_(UERSTAT)] |= UERSTAT_BREAK;
+        exynos4210_uart_update_irq(s);
+    }
+}
+
+
+static void exynos4210_uart_reset(DeviceState *dev)
+{
+    Exynos4210UartState *s =
+            container_of(dev, Exynos4210UartState, busdev.qdev);
+    int regs_number = sizeof(exynos4210_uart_regs)/sizeof(Exynos4210UartReg);
+    int i;
+
+    for (i = 0; i < regs_number; i++) {
+        s->reg[I_(exynos4210_uart_regs[i].offset)] =
+                exynos4210_uart_regs[i].reset_value;
+    }
+
+    fifo_reset(&s->rx);
+    fifo_reset(&s->tx);
+
+    PRINT_DEBUG("UART%d: Rx FIFO size: %d\n", s->channel, s->rx.size);
+}
+
+static const VMStateDescription vmstate_exynos4210_uart_fifo = {
+    .name = "exynos4210.uart.fifo",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32(sp, Exynos4210UartFIFO),
+        VMSTATE_UINT32(rp, Exynos4210UartFIFO),
+        VMSTATE_VBUFFER_UINT32(data, Exynos4210UartFIFO, 1, NULL, 0, size),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_exynos4210_uart = {
+    .name = "exynos4210.uart",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT(rx, Exynos4210UartState, 1,
+                       vmstate_exynos4210_uart_fifo, Exynos4210UartFIFO),
+        VMSTATE_UINT32_ARRAY(reg, Exynos4210UartState,
+                             EXYNOS4210_UART_REGS_MEM_SIZE / sizeof(uint32_t)),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+DeviceState *exynos4210_uart_create(target_phys_addr_t addr,
+                                 int fifo_size,
+                                 int channel,
+                                 CharDriverState *chr,
+                                 qemu_irq irq)
+{
+    DeviceState  *dev;
+    SysBusDevice *bus;
+
+    const char chr_name[] = "serial";
+    char label[ARRAY_SIZE(chr_name) + 1];
+
+    dev = qdev_create(NULL, "exynos4210.uart");
+
+    if (!chr) {
+        if (channel >= MAX_SERIAL_PORTS) {
+            hw_error("Only %d serial ports are supported by QEMU.\n",
+                     MAX_SERIAL_PORTS);
+        }
+        chr = serial_hds[channel];
+        if (!chr) {
+            snprintf(label, ARRAY_SIZE(label), "%s%d", chr_name, channel);
+            chr = qemu_chr_new(label, "null", NULL);
+            if (!(chr)) {
+                hw_error("Can't assign serial port to UART%d.\n", channel);
+            }
+        }
+    }
+
+    qdev_prop_set_chr(dev, "chardev", chr);
+    qdev_prop_set_uint32(dev, "channel", channel);
+    qdev_prop_set_uint32(dev, "rx-size", fifo_size);
+    qdev_prop_set_uint32(dev, "tx-size", fifo_size);
+
+    bus = sysbus_from_qdev(dev);
+    qdev_init_nofail(dev);
+    if (addr != (target_phys_addr_t)-1) {
+        sysbus_mmio_map(bus, 0, addr);
+    }
+    sysbus_connect_irq(bus, 0, irq);
+
+    return dev;
+}
+
+static int exynos4210_uart_init(SysBusDevice *dev)
+{
+    Exynos4210UartState *s = FROM_SYSBUS(Exynos4210UartState, dev);
+
+    /* memory mapping */
+    memory_region_init_io(&s->iomem, &exynos4210_uart_ops, s, "exynos4210.uart",
+                          EXYNOS4210_UART_REGS_MEM_SIZE);
+    sysbus_init_mmio(dev, &s->iomem);
+
+    sysbus_init_irq(dev, &s->irq);
+
+    qemu_chr_add_handlers(s->chr, exynos4210_uart_can_receive,
+                          exynos4210_uart_receive, exynos4210_uart_event, s);
+
+    return 0;
+}
+
+static Property exynos4210_uart_properties[] = {
+    DEFINE_PROP_CHR("chardev", Exynos4210UartState, chr),
+    DEFINE_PROP_UINT32("channel", Exynos4210UartState, channel, 0),
+    DEFINE_PROP_UINT32("rx-size", Exynos4210UartState, rx.size, 16),
+    DEFINE_PROP_UINT32("tx-size", Exynos4210UartState, tx.size, 16),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void exynos4210_uart_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_uart_init;
+    dc->reset = exynos4210_uart_reset;
+    dc->props = exynos4210_uart_properties;
+    dc->vmsd = &vmstate_exynos4210_uart;
+}
+
+static TypeInfo exynos4210_uart_info = {
+    .name          = "exynos4210.uart",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210UartState),
+    .class_init    = exynos4210_uart_class_init,
+};
+
+static void exynos4210_uart_register(void)
+{
+    type_register_static(&exynos4210_uart_info);
+}
+
+type_init(exynos4210_uart_register)
commit 0caa711335a676225041d014d49e65992f9f269f
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:05 2012 +0000

    ARM: Samsung exynos4210-based boards emulation
    
    Add initial support of NURI and SMDKC210 boards
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index 2b16c0f..c9afbd3 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -344,7 +344,8 @@ obj-arm-y = integratorcp.o versatilepb.o arm_pic.o arm_timer.o
 obj-arm-y += arm_boot.o pl011.o pl031.o pl050.o pl080.o pl110.o pl181.o pl190.o
 obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
-obj-arm-y += exynos4210_gic.o exynos4210_combiner.o
+obj-arm-y += exynos4210_gic.o exynos4210_combiner.o exynos4210.o
+obj-arm-y += exynos4_boards.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.c b/hw/exynos4210.c
new file mode 100644
index 0000000..5b1e24c
--- /dev/null
+++ b/hw/exynos4210.c
@@ -0,0 +1,191 @@
+/*
+ *  Samsung exynos4210 SoC emulation
+ *
+ *  Copyright (c) 2011 Samsung Electronics Co., Ltd. All rights reserved.
+ *    Maksim Kozlov <m.kozlov at samsung.com>
+ *    Evgeny Voevodin <e.voevodin at samsung.com>
+ *    Igor Mitsyanko  <i.mitsyanko at samsung.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful, but WITHOUT
+ *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ *  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "boards.h"
+#include "sysemu.h"
+#include "sysbus.h"
+#include "arm-misc.h"
+#include "exynos4210.h"
+
+#define EXYNOS4210_CHIPID_ADDR         0x10000000
+
+/* External GIC */
+#define EXYNOS4210_EXT_GIC_CPU_BASE_ADDR    0x10480000
+#define EXYNOS4210_EXT_GIC_DIST_BASE_ADDR   0x10490000
+
+/* Combiner */
+#define EXYNOS4210_EXT_COMBINER_BASE_ADDR   0x10440000
+#define EXYNOS4210_INT_COMBINER_BASE_ADDR   0x10448000
+
+static uint8_t chipid_and_omr[] = { 0x11, 0x02, 0x21, 0x43,
+                                    0x09, 0x00, 0x00, 0x00 };
+
+Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
+        unsigned long ram_size)
+{
+    qemu_irq cpu_irq[4];
+    int n;
+    Exynos4210State *s = g_new(Exynos4210State, 1);
+    qemu_irq *irqp;
+    qemu_irq gate_irq[EXYNOS4210_IRQ_GATE_NINPUTS];
+    unsigned long mem_size;
+    DeviceState *dev;
+    SysBusDevice *busdev;
+
+    for (n = 0; n < EXYNOS4210_NCPUS; n++) {
+        s->env[n] = cpu_init("cortex-a9");
+        if (!s->env[n]) {
+            fprintf(stderr, "Unable to find CPU %d definition\n", n);
+            exit(1);
+        }
+        /* Create PIC controller for each processor instance */
+        irqp = arm_pic_init_cpu(s->env[n]);
+
+        /*
+         * Get GICs gpio_in cpu_irq to connect a combiner to them later.
+         * Use only IRQ for a while.
+         */
+        cpu_irq[n] = irqp[ARM_PIC_CPU_IRQ];
+    }
+
+    /*** IRQs ***/
+
+    s->irq_table = exynos4210_init_irq(&s->irqs);
+
+    /* IRQ Gate */
+    dev = qdev_create(NULL, "exynos4210.irq_gate");
+    qdev_init_nofail(dev);
+    /* Get IRQ Gate input in gate_irq */
+    for (n = 0; n < EXYNOS4210_IRQ_GATE_NINPUTS; n++) {
+        gate_irq[n] = qdev_get_gpio_in(dev, n);
+    }
+    busdev = sysbus_from_qdev(dev);
+    /* Connect IRQ Gate output to cpu_irq */
+    for (n = 0; n < EXYNOS4210_NCPUS; n++) {
+        sysbus_connect_irq(busdev, n, cpu_irq[n]);
+    }
+
+    /* Private memory region and Internal GIC */
+    dev = qdev_create(NULL, "a9mpcore_priv");
+    qdev_prop_set_uint32(dev, "num-cpu", EXYNOS4210_NCPUS);
+    qdev_init_nofail(dev);
+    busdev = sysbus_from_qdev(dev);
+    sysbus_mmio_map(busdev, 0, EXYNOS4210_SMP_PRIVATE_BASE_ADDR);
+    for (n = 0; n < EXYNOS4210_NCPUS; n++) {
+        sysbus_connect_irq(busdev, n, gate_irq[n * 2]);
+    }
+    for (n = 0; n < EXYNOS4210_INT_GIC_NIRQ; n++) {
+        s->irqs.int_gic_irq[n] = qdev_get_gpio_in(dev, n);
+    }
+
+    /* Cache controller */
+    sysbus_create_simple("l2x0", EXYNOS4210_L2X0_BASE_ADDR, NULL);
+
+    /* External GIC */
+    dev = qdev_create(NULL, "exynos4210.gic");
+    qdev_prop_set_uint32(dev, "num-cpu", EXYNOS4210_NCPUS);
+    qdev_init_nofail(dev);
+    busdev = sysbus_from_qdev(dev);
+    /* Map CPU interface */
+    sysbus_mmio_map(busdev, 0, EXYNOS4210_EXT_GIC_CPU_BASE_ADDR);
+    /* Map Distributer interface */
+    sysbus_mmio_map(busdev, 1, EXYNOS4210_EXT_GIC_DIST_BASE_ADDR);
+    for (n = 0; n < EXYNOS4210_NCPUS; n++) {
+        sysbus_connect_irq(busdev, n, gate_irq[n * 2 + 1]);
+    }
+    for (n = 0; n < EXYNOS4210_EXT_GIC_NIRQ; n++) {
+        s->irqs.ext_gic_irq[n] = qdev_get_gpio_in(dev, n);
+    }
+
+    /* Internal Interrupt Combiner */
+    dev = qdev_create(NULL, "exynos4210.combiner");
+    qdev_init_nofail(dev);
+    busdev = sysbus_from_qdev(dev);
+    for (n = 0; n < EXYNOS4210_MAX_INT_COMBINER_OUT_IRQ; n++) {
+        sysbus_connect_irq(busdev, n, s->irqs.int_gic_irq[n]);
+    }
+    exynos4210_combiner_get_gpioin(&s->irqs, dev, 0);
+    sysbus_mmio_map(busdev, 0, EXYNOS4210_INT_COMBINER_BASE_ADDR);
+
+    /* External Interrupt Combiner */
+    dev = qdev_create(NULL, "exynos4210.combiner");
+    qdev_prop_set_uint32(dev, "external", 1);
+    qdev_init_nofail(dev);
+    busdev = sysbus_from_qdev(dev);
+    for (n = 0; n < EXYNOS4210_MAX_INT_COMBINER_OUT_IRQ; n++) {
+        sysbus_connect_irq(busdev, n, s->irqs.ext_gic_irq[n]);
+    }
+    exynos4210_combiner_get_gpioin(&s->irqs, dev, 1);
+    sysbus_mmio_map(busdev, 0, EXYNOS4210_EXT_COMBINER_BASE_ADDR);
+
+    /* Initialize board IRQs. */
+    exynos4210_init_board_irqs(&s->irqs);
+
+    /*** Memory ***/
+
+    /* Chip-ID and OMR */
+    memory_region_init_ram_ptr(&s->chipid_mem, "exynos4210.chipid",
+            sizeof(chipid_and_omr), chipid_and_omr);
+    memory_region_set_readonly(&s->chipid_mem, true);
+    memory_region_add_subregion(system_mem, EXYNOS4210_CHIPID_ADDR,
+                                &s->chipid_mem);
+
+    /* Internal ROM */
+    memory_region_init_ram(&s->irom_mem, "exynos4210.irom",
+                           EXYNOS4210_IROM_SIZE);
+    memory_region_set_readonly(&s->irom_mem, true);
+    memory_region_add_subregion(system_mem, EXYNOS4210_IROM_BASE_ADDR,
+                                &s->irom_mem);
+    /* mirror of iROM */
+    memory_region_init_alias(&s->irom_alias_mem, "exynos4210.irom_alias",
+                             &s->irom_mem,
+                             EXYNOS4210_IROM_BASE_ADDR,
+                             EXYNOS4210_IROM_SIZE);
+    memory_region_set_readonly(&s->irom_alias_mem, true);
+    memory_region_add_subregion(system_mem, EXYNOS4210_IROM_MIRROR_BASE_ADDR,
+                                &s->irom_alias_mem);
+
+    /* Internal RAM */
+    memory_region_init_ram(&s->iram_mem, "exynos4210.iram",
+                           EXYNOS4210_IRAM_SIZE);
+    vmstate_register_ram_global(&s->iram_mem);
+    memory_region_add_subregion(system_mem, EXYNOS4210_IRAM_BASE_ADDR,
+                                &s->iram_mem);
+
+    /* DRAM */
+    mem_size = ram_size;
+    if (mem_size > EXYNOS4210_DRAM_MAX_SIZE) {
+        memory_region_init_ram(&s->dram1_mem, "exynos4210.dram1",
+                mem_size - EXYNOS4210_DRAM_MAX_SIZE);
+        vmstate_register_ram_global(&s->dram1_mem);
+        memory_region_add_subregion(system_mem, EXYNOS4210_DRAM1_BASE_ADDR,
+                &s->dram1_mem);
+        mem_size = EXYNOS4210_DRAM_MAX_SIZE;
+    }
+    memory_region_init_ram(&s->dram0_mem, "exynos4210.dram0", mem_size);
+    vmstate_register_ram_global(&s->dram0_mem);
+    memory_region_add_subregion(system_mem, EXYNOS4210_DRAM0_BASE_ADDR,
+            &s->dram0_mem);
+
+    return s;
+}
diff --git a/hw/exynos4210.h b/hw/exynos4210.h
index ef4732f..0026a52 100644
--- a/hw/exynos4210.h
+++ b/hw/exynos4210.h
@@ -31,6 +31,28 @@
 
 #define EXYNOS4210_NCPUS                    2
 
+#define EXYNOS4210_DRAM0_BASE_ADDR          0x40000000
+#define EXYNOS4210_DRAM1_BASE_ADDR          0xa0000000
+#define EXYNOS4210_DRAM_MAX_SIZE            0x60000000  /* 1.5 GB */
+
+#define EXYNOS4210_IROM_BASE_ADDR           0x00000000
+#define EXYNOS4210_IROM_SIZE                0x00010000  /* 64 KB */
+#define EXYNOS4210_IROM_MIRROR_BASE_ADDR    0x02000000
+#define EXYNOS4210_IROM_MIRROR_SIZE         0x00010000  /* 64 KB */
+
+#define EXYNOS4210_IRAM_BASE_ADDR           0x02020000
+#define EXYNOS4210_IRAM_SIZE                0x00020000  /* 128 KB */
+
+/* Secondary CPU startup code is in IROM memory */
+#define EXYNOS4210_SMP_BOOT_ADDR            EXYNOS4210_IROM_BASE_ADDR
+#define EXYNOS4210_SMP_BOOT_SIZE            0x1000
+#define EXYNOS4210_BASE_BOOT_ADDR           EXYNOS4210_DRAM0_BASE_ADDR
+/* Secondary CPU polling address to get loader start from */
+#define EXYNOS4210_SECOND_CPU_BOOTREG       0x10020814
+
+#define EXYNOS4210_SMP_PRIVATE_BASE_ADDR    0x10500000
+#define EXYNOS4210_L2X0_BASE_ADDR           0x10502000
+
 /*
  * exynos4210 IRQ subsystem stub definitions.
  */
@@ -60,6 +82,24 @@ typedef struct Exynos4210Irq {
     qemu_irq board_irqs[EXYNOS4210_MAX_INT_COMBINER_IN_IRQ];
 } Exynos4210Irq;
 
+typedef struct Exynos4210State {
+    CPUState * env[EXYNOS4210_NCPUS];
+    Exynos4210Irq irqs;
+    qemu_irq *irq_table;
+
+    MemoryRegion chipid_mem;
+    MemoryRegion iram_mem;
+    MemoryRegion irom_mem;
+    MemoryRegion irom_alias_mem;
+    MemoryRegion dram0_mem;
+    MemoryRegion dram1_mem;
+    MemoryRegion boot_secondary;
+    MemoryRegion bootreg_mem;
+} Exynos4210State;
+
+Exynos4210State *exynos4210_init(MemoryRegion *system_mem,
+        unsigned long ram_size);
+
 /* Initialize exynos4210 IRQ subsystem stub */
 qemu_irq *exynos4210_init_irq(Exynos4210Irq *env);
 
diff --git a/hw/exynos4_boards.c b/hw/exynos4_boards.c
new file mode 100644
index 0000000..767dc45
--- /dev/null
+++ b/hw/exynos4_boards.c
@@ -0,0 +1,153 @@
+/*
+ *  Samsung exynos4 SoC based boards emulation
+ *
+ *  Copyright (c) 2011 Samsung Electronics Co., Ltd. All rights reserved.
+ *    Maksim Kozlov <m.kozlov at samsung.com>
+ *    Evgeny Voevodin <e.voevodin at samsung.com>
+ *    Igor Mitsyanko  <i.mitsyanko at samsung.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful, but WITHOUT
+ *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ *  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "sysemu.h"
+#include "sysbus.h"
+#include "arm-misc.h"
+#include "exec-memory.h"
+#include "exynos4210.h"
+#include "boards.h"
+
+#undef DEBUG
+
+//#define DEBUG
+
+#ifdef DEBUG
+    #undef PRINT_DEBUG
+    #define  PRINT_DEBUG(fmt, args...) \
+        do { \
+            fprintf(stderr, "  [%s:%d]   "fmt, __func__, __LINE__, ##args); \
+        } while (0)
+#else
+    #define  PRINT_DEBUG(fmt, args...)  do {} while (0)
+#endif
+
+typedef enum Exynos4BoardType {
+    EXYNOS4_BOARD_NURI,
+    EXYNOS4_BOARD_SMDKC210,
+    EXYNOS4_NUM_OF_BOARDS
+} Exynos4BoardType;
+
+static int exynos4_board_id[EXYNOS4_NUM_OF_BOARDS] = {
+    [EXYNOS4_BOARD_NURI]     = 0xD33,
+    [EXYNOS4_BOARD_SMDKC210] = 0xB16,
+};
+
+static int exynos4_board_smp_bootreg_addr[EXYNOS4_NUM_OF_BOARDS] = {
+    [EXYNOS4_BOARD_NURI]     = EXYNOS4210_SECOND_CPU_BOOTREG,
+    [EXYNOS4_BOARD_SMDKC210] = EXYNOS4210_SECOND_CPU_BOOTREG,
+};
+
+static unsigned long exynos4_board_ram_size[EXYNOS4_NUM_OF_BOARDS] = {
+    [EXYNOS4_BOARD_NURI]     = 0x40000000,
+    [EXYNOS4_BOARD_SMDKC210] = 0x40000000,
+};
+
+static struct arm_boot_info exynos4_board_binfo = {
+    .loader_start     = EXYNOS4210_BASE_BOOT_ADDR,
+    .smp_loader_start = EXYNOS4210_SMP_BOOT_ADDR,
+    .nb_cpus          = EXYNOS4210_NCPUS,
+};
+
+static QEMUMachine exynos4_machines[EXYNOS4_NUM_OF_BOARDS];
+
+static Exynos4210State *exynos4_boards_init_common(
+        const char *kernel_filename,
+        const char *kernel_cmdline,
+        const char *initrd_filename,
+        Exynos4BoardType board_type)
+{
+    if (smp_cpus != EXYNOS4210_NCPUS) {
+        fprintf(stderr, "%s board supports only %d CPU cores. Ignoring smp_cpus"
+                " value.\n",
+                exynos4_machines[board_type].name,
+                exynos4_machines[board_type].max_cpus);
+    }
+
+    exynos4_board_binfo.ram_size = exynos4_board_ram_size[board_type];
+    exynos4_board_binfo.board_id = exynos4_board_id[board_type];
+    exynos4_board_binfo.smp_bootreg_addr =
+            exynos4_board_smp_bootreg_addr[board_type];
+    exynos4_board_binfo.kernel_filename = kernel_filename;
+    exynos4_board_binfo.initrd_filename = initrd_filename;
+    exynos4_board_binfo.kernel_cmdline = kernel_cmdline;
+    exynos4_board_binfo.smp_priv_base = EXYNOS4210_SMP_PRIVATE_BASE_ADDR;
+
+    PRINT_DEBUG("\n ram_size: %luMiB [0x%08lx]\n"
+            " kernel_filename: %s\n"
+            " kernel_cmdline: %s\n"
+            " initrd_filename: %s\n",
+            exynos4_board_ram_size[board_type] / 1048576,
+            exynos4_board_ram_size[board_type],
+            kernel_filename,
+            kernel_cmdline,
+            initrd_filename);
+
+    return exynos4210_init(get_system_memory(),
+            exynos4_board_ram_size[board_type]);
+}
+
+static void nuri_init(ram_addr_t ram_size,
+        const char *boot_device,
+        const char *kernel_filename, const char *kernel_cmdline,
+        const char *initrd_filename, const char *cpu_model)
+{
+    exynos4_boards_init_common(kernel_filename, kernel_cmdline,
+                initrd_filename, EXYNOS4_BOARD_NURI);
+
+    arm_load_kernel(first_cpu, &exynos4_board_binfo);
+}
+
+static void smdkc210_init(ram_addr_t ram_size,
+        const char *boot_device,
+        const char *kernel_filename, const char *kernel_cmdline,
+        const char *initrd_filename, const char *cpu_model)
+{
+    exynos4_boards_init_common(kernel_filename, kernel_cmdline,
+                initrd_filename, EXYNOS4_BOARD_SMDKC210);
+
+    arm_load_kernel(first_cpu, &exynos4_board_binfo);
+}
+
+static QEMUMachine exynos4_machines[EXYNOS4_NUM_OF_BOARDS] = {
+    [EXYNOS4_BOARD_NURI] = {
+        .name = "nuri",
+        .desc = "Samsung NURI board (Exynos4210)",
+        .init = nuri_init,
+        .max_cpus = EXYNOS4210_NCPUS,
+    },
+    [EXYNOS4_BOARD_SMDKC210] = {
+        .name = "smdkc210",
+        .desc = "Samsung SMDKC210 board (Exynos4210)",
+        .init = smdkc210_init,
+        .max_cpus = EXYNOS4210_NCPUS,
+    },
+};
+
+static void exynos4_machine_init(void)
+{
+    qemu_register_machine(&exynos4_machines[EXYNOS4_BOARD_NURI]);
+    qemu_register_machine(&exynos4_machines[EXYNOS4_BOARD_SMDKC210]);
+}
+
+machine_init(exynos4_machine_init);
commit 8e03cf1eeb1f9e06d281db1d93f92eb25f346f15
Author: Evgeny Voevodin <e.voevodin at samsung.com>
Date:   Thu Feb 16 09:56:04 2012 +0000

    ARM: exynos4210: IRQ subsystem support.
    
    Signed-off-by: Evgeny Voevodin <e.voevodin at samsung.com>
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/Makefile.target b/Makefile.target
index 29fde6e..2b16c0f 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -344,6 +344,7 @@ obj-arm-y = integratorcp.o versatilepb.o arm_pic.o arm_timer.o
 obj-arm-y += arm_boot.o pl011.o pl031.o pl050.o pl080.o pl110.o pl181.o pl190.o
 obj-arm-y += versatile_pci.o
 obj-arm-y += realview_gic.o realview.o arm_sysctl.o arm11mpcore.o a9mpcore.o
+obj-arm-y += exynos4210_gic.o exynos4210_combiner.o
 obj-arm-y += arm_l2x0.o
 obj-arm-y += arm_mptimer.o
 obj-arm-y += armv7m.o armv7m_nvic.o stellaris.o pl022.o stellaris_enet.o
diff --git a/hw/exynos4210.h b/hw/exynos4210.h
new file mode 100644
index 0000000..ef4732f
--- /dev/null
+++ b/hw/exynos4210.h
@@ -0,0 +1,82 @@
+/*
+ *  Samsung exynos4210 SoC emulation
+ *
+ *  Copyright (c) 2011 Samsung Electronics Co., Ltd. All rights reserved.
+ *    Maksim Kozlov <m.kozlov at samsung.com>
+ *    Evgeny Voevodin <e.voevodin at samsung.com>
+ *    Igor Mitsyanko <i.mitsyanko at samsung.com>
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify it
+ *  under the terms of the GNU General Public License as published by the
+ *  Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful, but WITHOUT
+ *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ *  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *  for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#ifndef EXYNOS4210_H_
+#define EXYNOS4210_H_
+
+#include "qemu-common.h"
+#include "memory.h"
+
+#define EXYNOS4210_NCPUS                    2
+
+/*
+ * exynos4210 IRQ subsystem stub definitions.
+ */
+#define EXYNOS4210_IRQ_GATE_NINPUTS 8
+
+#define EXYNOS4210_MAX_INT_COMBINER_OUT_IRQ  64
+#define EXYNOS4210_MAX_EXT_COMBINER_OUT_IRQ  16
+#define EXYNOS4210_MAX_INT_COMBINER_IN_IRQ   \
+    (EXYNOS4210_MAX_INT_COMBINER_OUT_IRQ * 8)
+#define EXYNOS4210_MAX_EXT_COMBINER_IN_IRQ   \
+    (EXYNOS4210_MAX_EXT_COMBINER_OUT_IRQ * 8)
+
+#define EXYNOS4210_COMBINER_GET_IRQ_NUM(grp, bit)  ((grp)*8 + (bit))
+#define EXYNOS4210_COMBINER_GET_GRP_NUM(irq)       ((irq) / 8)
+#define EXYNOS4210_COMBINER_GET_BIT_NUM(irq) \
+    ((irq) - 8 * EXYNOS4210_COMBINER_GET_GRP_NUM(irq))
+
+/* IRQs number for external and internal GIC */
+#define EXYNOS4210_EXT_GIC_NIRQ     (160-32)
+#define EXYNOS4210_INT_GIC_NIRQ     64
+
+typedef struct Exynos4210Irq {
+    qemu_irq int_combiner_irq[EXYNOS4210_MAX_INT_COMBINER_IN_IRQ];
+    qemu_irq ext_combiner_irq[EXYNOS4210_MAX_EXT_COMBINER_IN_IRQ];
+    qemu_irq int_gic_irq[EXYNOS4210_INT_GIC_NIRQ];
+    qemu_irq ext_gic_irq[EXYNOS4210_EXT_GIC_NIRQ];
+    qemu_irq board_irqs[EXYNOS4210_MAX_INT_COMBINER_IN_IRQ];
+} Exynos4210Irq;
+
+/* Initialize exynos4210 IRQ subsystem stub */
+qemu_irq *exynos4210_init_irq(Exynos4210Irq *env);
+
+/* Initialize board IRQs.
+ * These IRQs contain splitted Int/External Combiner and External Gic IRQs */
+void exynos4210_init_board_irqs(Exynos4210Irq *s);
+
+/* Get IRQ number from exynos4210 IRQ subsystem stub.
+ * To identify IRQ source use internal combiner group and bit number
+ *  grp - group number
+ *  bit - bit number inside group */
+uint32_t exynos4210_get_irq(uint32_t grp, uint32_t bit);
+
+/*
+ * Get Combiner input GPIO into irqs structure
+ */
+void exynos4210_combiner_get_gpioin(Exynos4210Irq *irqs, DeviceState *dev,
+        int ext);
+
+#endif /* EXYNOS4210_H_ */
diff --git a/hw/exynos4210_combiner.c b/hw/exynos4210_combiner.c
new file mode 100644
index 0000000..6110c19
--- /dev/null
+++ b/hw/exynos4210_combiner.c
@@ -0,0 +1,469 @@
+/*
+ * Samsung exynos4210 Interrupt Combiner
+ *
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd.
+ * All rights reserved.
+ *
+ * Evgeny Voevodin <e.voevodin at samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Exynos4210 Combiner represents an OR gate for SOC's IRQ lines. It combines
+ * IRQ sources into groups and provides signal output to GIC from each group. It
+ * is driven by common mask and enable/disable logic. Take a note that not all
+ * IRQs are passed to GIC through Combiner.
+ */
+
+#include "sysbus.h"
+
+#include "exynos4210.h"
+
+//#define DEBUG_COMBINER
+
+#ifdef DEBUG_COMBINER
+#define DPRINTF(fmt, ...) \
+        do { fprintf(stdout, "COMBINER: [%s:%d] " fmt, __func__ , __LINE__, \
+                ## __VA_ARGS__); } while (0)
+#else
+#define DPRINTF(fmt, ...) do {} while (0)
+#endif
+
+#define    IIC_NGRP        64            /* Internal Interrupt Combiner
+                                            Groups number */
+#define    IIC_NIRQ        (IIC_NGRP * 8)/* Internal Interrupt Combiner
+                                            Interrupts number */
+#define IIC_REGION_SIZE    0x108         /* Size of memory mapped region */
+#define IIC_REGSET_SIZE    0x41
+
+/*
+ * State for each output signal of internal combiner
+ */
+typedef struct CombinerGroupState {
+    uint8_t src_mask;            /* 1 - source enabled, 0 - disabled */
+    uint8_t src_pending;        /* Pending source interrupts before masking */
+} CombinerGroupState;
+
+typedef struct Exynos4210CombinerState {
+    SysBusDevice busdev;
+    MemoryRegion iomem;
+
+    struct CombinerGroupState group[IIC_NGRP];
+    uint32_t reg_set[IIC_REGSET_SIZE];
+    uint32_t icipsr[2];
+    uint32_t external;          /* 1 means that this combiner is external */
+
+    qemu_irq output_irq[IIC_NGRP];
+} Exynos4210CombinerState;
+
+static const VMStateDescription vmstate_exynos4210_combiner_group_state = {
+    .name = "exynos4210.combiner.groupstate",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT8(src_mask, CombinerGroupState),
+        VMSTATE_UINT8(src_pending, CombinerGroupState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+static const VMStateDescription vmstate_exynos4210_combiner = {
+    .name = "exynos4210.combiner",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_STRUCT_ARRAY(group, Exynos4210CombinerState, IIC_NGRP, 0,
+                vmstate_exynos4210_combiner_group_state, CombinerGroupState),
+        VMSTATE_UINT32_ARRAY(reg_set, Exynos4210CombinerState,
+                IIC_REGSET_SIZE),
+        VMSTATE_UINT32_ARRAY(icipsr, Exynos4210CombinerState, 2),
+        VMSTATE_UINT32(external, Exynos4210CombinerState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+/*
+ * Get Combiner input GPIO into irqs structure
+ */
+void exynos4210_combiner_get_gpioin(Exynos4210Irq *irqs, DeviceState *dev,
+        int ext)
+{
+    int n;
+    int bit;
+    int max;
+    qemu_irq *irq;
+
+    max = ext ? EXYNOS4210_MAX_EXT_COMBINER_IN_IRQ :
+        EXYNOS4210_MAX_INT_COMBINER_IN_IRQ;
+    irq = ext ? irqs->ext_combiner_irq : irqs->int_combiner_irq;
+
+    /*
+     * Some IRQs of Int/External Combiner are going to two Combiners groups,
+     * so let split them.
+     */
+    for (n = 0; n < max; n++) {
+
+        bit = EXYNOS4210_COMBINER_GET_BIT_NUM(n);
+
+        switch (n) {
+        /* MDNIE_LCD1 INTG1 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(1, 0) ...
+             EXYNOS4210_COMBINER_GET_IRQ_NUM(1, 3):
+            irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                    irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(0, bit + 4)]);
+            continue;
+
+        /* TMU INTG3 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(3, 4):
+            irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                    irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(2, bit)]);
+            continue;
+
+        /* LCD1 INTG12 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(12, 0) ...
+             EXYNOS4210_COMBINER_GET_IRQ_NUM(12, 3):
+            irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                    irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(11, bit + 4)]);
+            continue;
+
+        /* Multi-Core Timer INTG12 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(12, 4) ...
+             EXYNOS4210_COMBINER_GET_IRQ_NUM(12, 8):
+               irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                       irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(1, bit + 4)]);
+            continue;
+
+        /* Multi-Core Timer INTG35 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(35, 4) ...
+             EXYNOS4210_COMBINER_GET_IRQ_NUM(35, 8):
+            irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                    irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(1, bit + 4)]);
+            continue;
+
+        /* Multi-Core Timer INTG51 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(51, 4) ...
+             EXYNOS4210_COMBINER_GET_IRQ_NUM(51, 8):
+            irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                    irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(1, bit + 4)]);
+            continue;
+
+        /* Multi-Core Timer INTG53 */
+        case EXYNOS4210_COMBINER_GET_IRQ_NUM(53, 4) ...
+             EXYNOS4210_COMBINER_GET_IRQ_NUM(53, 8):
+            irq[n] = qemu_irq_split(qdev_get_gpio_in(dev, n),
+                    irq[EXYNOS4210_COMBINER_GET_IRQ_NUM(1, bit + 4)]);
+            continue;
+        }
+
+        irq[n] = qdev_get_gpio_in(dev, n);
+    }
+}
+
+static uint64_t
+exynos4210_combiner_read(void *opaque, target_phys_addr_t offset, unsigned size)
+{
+    struct Exynos4210CombinerState *s =
+            (struct Exynos4210CombinerState *)opaque;
+    uint32_t req_quad_base_n;    /* Base of registers quad. Multiply it by 4 and
+                                   get a start of corresponding group quad */
+    uint32_t grp_quad_base_n;    /* Base of group quad */
+    uint32_t reg_n;              /* Register number inside the quad */
+    uint32_t val;
+
+    if (s->external && (offset > 0x3c && offset != 0x100)) {
+        hw_error("exynos4210.combiner: unallowed read access at offset 0x"
+                TARGET_FMT_plx "\n", offset);
+    }
+
+    req_quad_base_n = offset >> 4;
+    grp_quad_base_n = req_quad_base_n << 2;
+    reg_n = (offset - (req_quad_base_n << 4)) >> 2;
+
+    if (req_quad_base_n >= IIC_NGRP) {
+        /* Read of ICIPSR register */
+        return s->icipsr[reg_n];
+    }
+
+    val = 0;
+
+    switch (reg_n) {
+    /* IISTR */
+    case 2:
+        val |= s->group[grp_quad_base_n].src_pending;
+        val |= s->group[grp_quad_base_n + 1].src_pending << 8;
+        val |= s->group[grp_quad_base_n + 2].src_pending << 16;
+        val |= s->group[grp_quad_base_n + 3].src_pending << 24;
+        break;
+    /* IIMSR */
+    case 3:
+        val |= s->group[grp_quad_base_n].src_mask &
+        s->group[grp_quad_base_n].src_pending;
+        val |= (s->group[grp_quad_base_n + 1].src_mask &
+                s->group[grp_quad_base_n + 1].src_pending) << 8;
+        val |= (s->group[grp_quad_base_n + 2].src_mask &
+                s->group[grp_quad_base_n + 2].src_pending) << 16;
+        val |= (s->group[grp_quad_base_n + 3].src_mask &
+                s->group[grp_quad_base_n + 3].src_pending) << 24;
+        break;
+    default:
+        if (offset >> 2 >= IIC_REGSET_SIZE) {
+            hw_error("exynos4210.combiner: overflow of reg_set by 0x"
+                    TARGET_FMT_plx "offset\n", offset);
+        }
+        val = s->reg_set[offset >> 2];
+        return 0;
+    }
+    return val;
+}
+
+static void exynos4210_combiner_update(void *opaque, uint8_t group_n)
+{
+    struct Exynos4210CombinerState *s =
+            (struct Exynos4210CombinerState *)opaque;
+
+    /* Send interrupt if needed */
+    if (s->group[group_n].src_mask & s->group[group_n].src_pending) {
+#ifdef DEBUG_COMBINER
+        if (group_n != 26) {
+            /* skip uart */
+            DPRINTF("%s raise IRQ[%d]\n", s->external ? "EXT" : "INT", group_n);
+        }
+#endif
+
+        /* Set Combiner interrupt pending status after masking */
+        if (group_n >= 32) {
+            s->icipsr[1] |= 1 << (group_n - 32);
+        } else {
+            s->icipsr[0] |= 1 << group_n;
+        }
+
+        qemu_irq_raise(s->output_irq[group_n]);
+    } else {
+#ifdef DEBUG_COMBINER
+        if (group_n != 26) {
+            /* skip uart */
+            DPRINTF("%s lower IRQ[%d]\n", s->external ? "EXT" : "INT", group_n);
+        }
+#endif
+
+        /* Set Combiner interrupt pending status after masking */
+        if (group_n >= 32) {
+            s->icipsr[1] &= ~(1 << (group_n - 32));
+        } else {
+            s->icipsr[0] &= ~(1 << group_n);
+        }
+
+        qemu_irq_lower(s->output_irq[group_n]);
+    }
+}
+
+static void exynos4210_combiner_write(void *opaque, target_phys_addr_t offset,
+        uint64_t val, unsigned size)
+{
+    struct Exynos4210CombinerState *s =
+            (struct Exynos4210CombinerState *)opaque;
+    uint32_t req_quad_base_n;    /* Base of registers quad. Multiply it by 4 and
+                                   get a start of corresponding group quad */
+    uint32_t grp_quad_base_n;    /* Base of group quad */
+    uint32_t reg_n;              /* Register number inside the quad */
+
+    if (s->external && (offset > 0x3c && offset != 0x100)) {
+        hw_error("exynos4210.combiner: unallowed write access at offset 0x"
+                TARGET_FMT_plx "\n", offset);
+    }
+
+    req_quad_base_n = offset >> 4;
+    grp_quad_base_n = req_quad_base_n << 2;
+    reg_n = (offset - (req_quad_base_n << 4)) >> 2;
+
+    if (req_quad_base_n >= IIC_NGRP) {
+        hw_error("exynos4210.combiner: unallowed write access at offset 0x"
+                TARGET_FMT_plx "\n", offset);
+        return;
+    }
+
+    if (reg_n > 1) {
+        hw_error("exynos4210.combiner: unallowed write access at offset 0x"
+                TARGET_FMT_plx "\n", offset);
+        return;
+    }
+
+    if (offset >> 2 >= IIC_REGSET_SIZE) {
+        hw_error("exynos4210.combiner: overflow of reg_set by 0x"
+                TARGET_FMT_plx "offset\n", offset);
+    }
+    s->reg_set[offset >> 2] = val;
+
+    switch (reg_n) {
+    /* IIESR */
+    case 0:
+        /* FIXME: what if irq is pending, allowed by mask, and we allow it
+         * again. Interrupt will rise again! */
+
+        DPRINTF("%s enable IRQ for groups %d, %d, %d, %d\n",
+                s->external ? "EXT" : "INT",
+                grp_quad_base_n,
+                grp_quad_base_n + 1,
+                grp_quad_base_n + 2,
+                grp_quad_base_n + 3);
+
+        /* Enable interrupt sources */
+        s->group[grp_quad_base_n].src_mask |= val & 0xFF;
+        s->group[grp_quad_base_n + 1].src_mask |= (val & 0xFF00) >> 8;
+        s->group[grp_quad_base_n + 2].src_mask |= (val & 0xFF0000) >> 16;
+        s->group[grp_quad_base_n + 3].src_mask |= (val & 0xFF000000) >> 24;
+
+        exynos4210_combiner_update(s, grp_quad_base_n);
+        exynos4210_combiner_update(s, grp_quad_base_n + 1);
+        exynos4210_combiner_update(s, grp_quad_base_n + 2);
+        exynos4210_combiner_update(s, grp_quad_base_n + 3);
+        break;
+        /* IIECR */
+    case 1:
+        DPRINTF("%s disable IRQ for groups %d, %d, %d, %d\n",
+                s->external ? "EXT" : "INT",
+                grp_quad_base_n,
+                grp_quad_base_n + 1,
+                grp_quad_base_n + 2,
+                grp_quad_base_n + 3);
+
+        /* Disable interrupt sources */
+        s->group[grp_quad_base_n].src_mask &= ~(val & 0xFF);
+        s->group[grp_quad_base_n + 1].src_mask &= ~((val & 0xFF00) >> 8);
+        s->group[grp_quad_base_n + 2].src_mask &= ~((val & 0xFF0000) >> 16);
+        s->group[grp_quad_base_n + 3].src_mask &= ~((val & 0xFF000000) >> 24);
+
+        exynos4210_combiner_update(s, grp_quad_base_n);
+        exynos4210_combiner_update(s, grp_quad_base_n + 1);
+        exynos4210_combiner_update(s, grp_quad_base_n + 2);
+        exynos4210_combiner_update(s, grp_quad_base_n + 3);
+        break;
+    default:
+        hw_error("exynos4210.combiner: unallowed write access at offset 0x"
+                TARGET_FMT_plx "\n", offset);
+        break;
+    }
+
+    return;
+}
+
+/* Get combiner group and bit from irq number */
+static uint8_t get_combiner_group_and_bit(int irq, uint8_t *bit)
+{
+    *bit = irq - ((irq >> 3) << 3);
+    return irq >> 3;
+}
+
+/* Process a change in an external IRQ input.  */
+static void exynos4210_combiner_handler(void *opaque, int irq, int level)
+{
+    struct Exynos4210CombinerState *s =
+            (struct Exynos4210CombinerState *)opaque;
+    uint8_t bit_n, group_n;
+
+    group_n = get_combiner_group_and_bit(irq, &bit_n);
+
+    if (s->external && group_n >= EXYNOS4210_MAX_EXT_COMBINER_OUT_IRQ) {
+        DPRINTF("%s unallowed IRQ group 0x%x\n", s->external ? "EXT" : "INT"
+                , group_n);
+        return;
+    }
+
+    if (level) {
+        s->group[group_n].src_pending |= 1 << bit_n;
+    } else {
+        s->group[group_n].src_pending &= ~(1 << bit_n);
+    }
+
+    exynos4210_combiner_update(s, group_n);
+
+    return;
+}
+
+static void exynos4210_combiner_reset(DeviceState *d)
+{
+    struct Exynos4210CombinerState *s = (struct Exynos4210CombinerState *)d;
+
+    memset(&s->group, 0, sizeof(s->group));
+    memset(&s->reg_set, 0, sizeof(s->reg_set));
+
+    s->reg_set[0xC0 >> 2] = 0x01010101;
+    s->reg_set[0xC4 >> 2] = 0x01010101;
+    s->reg_set[0xD0 >> 2] = 0x01010101;
+    s->reg_set[0xD4 >> 2] = 0x01010101;
+}
+
+static const MemoryRegionOps exynos4210_combiner_ops = {
+    .read = exynos4210_combiner_read,
+    .write = exynos4210_combiner_write,
+    .endianness = DEVICE_NATIVE_ENDIAN,
+};
+
+/*
+ * Internal Combiner initialization.
+ */
+static int exynos4210_combiner_init(SysBusDevice *dev)
+{
+    unsigned int i;
+    struct Exynos4210CombinerState *s =
+            FROM_SYSBUS(struct Exynos4210CombinerState, dev);
+
+    /* Allocate general purpose input signals and connect a handler to each of
+     * them */
+    qdev_init_gpio_in(&s->busdev.qdev, exynos4210_combiner_handler, IIC_NIRQ);
+
+    /* Connect SysBusDev irqs to device specific irqs */
+    for (i = 0; i < IIC_NIRQ; i++) {
+        sysbus_init_irq(dev, &s->output_irq[i]);
+    }
+
+    memory_region_init_io(&s->iomem, &exynos4210_combiner_ops, s,
+            "exynos4210-combiner", IIC_REGION_SIZE);
+    sysbus_init_mmio(dev, &s->iomem);
+
+    return 0;
+}
+
+static Property exynos4210_combiner_properties[] = {
+    DEFINE_PROP_UINT32("external", Exynos4210CombinerState, external, 0),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void exynos4210_combiner_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_combiner_init;
+    dc->reset = exynos4210_combiner_reset;
+    dc->props = exynos4210_combiner_properties;
+    dc->vmsd = &vmstate_exynos4210_combiner;
+}
+
+static TypeInfo exynos4210_combiner_info = {
+    .name          = "exynos4210.combiner",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210CombinerState),
+    .class_init    = exynos4210_combiner_class_init,
+};
+
+static void exynos4210_combiner_register_types(void)
+{
+    type_register_static(&exynos4210_combiner_info);
+}
+
+type_init(exynos4210_combiner_register_types)
diff --git a/hw/exynos4210_gic.c b/hw/exynos4210_gic.c
new file mode 100644
index 0000000..ec13140
--- /dev/null
+++ b/hw/exynos4210_gic.c
@@ -0,0 +1,458 @@
+/*
+ * Samsung exynos4210 GIC implementation. Based on hw/arm_gic.c
+ *
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd.
+ * All rights reserved.
+ *
+ * Evgeny Voevodin <e.voevodin at samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sysbus.h"
+#include "qemu-common.h"
+#include "irq.h"
+#include "exynos4210.h"
+
+enum ExtGicId {
+    EXT_GIC_ID_MDMA_LCD0 = 66,
+    EXT_GIC_ID_PDMA0,
+    EXT_GIC_ID_PDMA1,
+    EXT_GIC_ID_TIMER0,
+    EXT_GIC_ID_TIMER1,
+    EXT_GIC_ID_TIMER2,
+    EXT_GIC_ID_TIMER3,
+    EXT_GIC_ID_TIMER4,
+    EXT_GIC_ID_MCT_L0,
+    EXT_GIC_ID_WDT,
+    EXT_GIC_ID_RTC_ALARM,
+    EXT_GIC_ID_RTC_TIC,
+    EXT_GIC_ID_GPIO_XB,
+    EXT_GIC_ID_GPIO_XA,
+    EXT_GIC_ID_MCT_L1,
+    EXT_GIC_ID_IEM_APC,
+    EXT_GIC_ID_IEM_IEC,
+    EXT_GIC_ID_NFC,
+    EXT_GIC_ID_UART0,
+    EXT_GIC_ID_UART1,
+    EXT_GIC_ID_UART2,
+    EXT_GIC_ID_UART3,
+    EXT_GIC_ID_UART4,
+    EXT_GIC_ID_MCT_G0,
+    EXT_GIC_ID_I2C0,
+    EXT_GIC_ID_I2C1,
+    EXT_GIC_ID_I2C2,
+    EXT_GIC_ID_I2C3,
+    EXT_GIC_ID_I2C4,
+    EXT_GIC_ID_I2C5,
+    EXT_GIC_ID_I2C6,
+    EXT_GIC_ID_I2C7,
+    EXT_GIC_ID_SPI0,
+    EXT_GIC_ID_SPI1,
+    EXT_GIC_ID_SPI2,
+    EXT_GIC_ID_MCT_G1,
+    EXT_GIC_ID_USB_HOST,
+    EXT_GIC_ID_USB_DEVICE,
+    EXT_GIC_ID_MODEMIF,
+    EXT_GIC_ID_HSMMC0,
+    EXT_GIC_ID_HSMMC1,
+    EXT_GIC_ID_HSMMC2,
+    EXT_GIC_ID_HSMMC3,
+    EXT_GIC_ID_SDMMC,
+    EXT_GIC_ID_MIPI_CSI_4LANE,
+    EXT_GIC_ID_MIPI_DSI_4LANE,
+    EXT_GIC_ID_MIPI_CSI_2LANE,
+    EXT_GIC_ID_MIPI_DSI_2LANE,
+    EXT_GIC_ID_ONENAND_AUDI,
+    EXT_GIC_ID_ROTATOR,
+    EXT_GIC_ID_FIMC0,
+    EXT_GIC_ID_FIMC1,
+    EXT_GIC_ID_FIMC2,
+    EXT_GIC_ID_FIMC3,
+    EXT_GIC_ID_JPEG,
+    EXT_GIC_ID_2D,
+    EXT_GIC_ID_PCIe,
+    EXT_GIC_ID_MIXER,
+    EXT_GIC_ID_HDMI,
+    EXT_GIC_ID_HDMI_I2C,
+    EXT_GIC_ID_MFC,
+    EXT_GIC_ID_TVENC,
+};
+
+enum ExtInt {
+    EXT_GIC_ID_EXTINT0 = 48,
+    EXT_GIC_ID_EXTINT1,
+    EXT_GIC_ID_EXTINT2,
+    EXT_GIC_ID_EXTINT3,
+    EXT_GIC_ID_EXTINT4,
+    EXT_GIC_ID_EXTINT5,
+    EXT_GIC_ID_EXTINT6,
+    EXT_GIC_ID_EXTINT7,
+    EXT_GIC_ID_EXTINT8,
+    EXT_GIC_ID_EXTINT9,
+    EXT_GIC_ID_EXTINT10,
+    EXT_GIC_ID_EXTINT11,
+    EXT_GIC_ID_EXTINT12,
+    EXT_GIC_ID_EXTINT13,
+    EXT_GIC_ID_EXTINT14,
+    EXT_GIC_ID_EXTINT15
+};
+
+/*
+ * External GIC sources which are not from External Interrupt Combiner or
+ * External Interrupts are starting from EXYNOS4210_MAX_EXT_COMBINER_OUT_IRQ,
+ * which is INTG16 in Internal Interrupt Combiner.
+ */
+
+static uint32_t
+combiner_grp_to_gic_id[64-EXYNOS4210_MAX_EXT_COMBINER_OUT_IRQ][8] = {
+    /* int combiner groups 16-19 */
+    { }, { }, { }, { },
+    /* int combiner group 20 */
+    { 0, EXT_GIC_ID_MDMA_LCD0 },
+    /* int combiner group 21 */
+    { EXT_GIC_ID_PDMA0, EXT_GIC_ID_PDMA1 },
+    /* int combiner group 22 */
+    { EXT_GIC_ID_TIMER0, EXT_GIC_ID_TIMER1, EXT_GIC_ID_TIMER2,
+            EXT_GIC_ID_TIMER3, EXT_GIC_ID_TIMER4 },
+    /* int combiner group 23 */
+    { EXT_GIC_ID_RTC_ALARM, EXT_GIC_ID_RTC_TIC },
+    /* int combiner group 24 */
+    { EXT_GIC_ID_GPIO_XB, EXT_GIC_ID_GPIO_XA },
+    /* int combiner group 25 */
+    { EXT_GIC_ID_IEM_APC, EXT_GIC_ID_IEM_IEC },
+    /* int combiner group 26 */
+    { EXT_GIC_ID_UART0, EXT_GIC_ID_UART1, EXT_GIC_ID_UART2, EXT_GIC_ID_UART3,
+            EXT_GIC_ID_UART4 },
+    /* int combiner group 27 */
+    { EXT_GIC_ID_I2C0, EXT_GIC_ID_I2C1, EXT_GIC_ID_I2C2, EXT_GIC_ID_I2C3,
+            EXT_GIC_ID_I2C4, EXT_GIC_ID_I2C5, EXT_GIC_ID_I2C6,
+            EXT_GIC_ID_I2C7 },
+    /* int combiner group 28 */
+    { EXT_GIC_ID_SPI0, EXT_GIC_ID_SPI1, EXT_GIC_ID_SPI2 },
+    /* int combiner group 29 */
+    { EXT_GIC_ID_HSMMC0, EXT_GIC_ID_HSMMC1, EXT_GIC_ID_HSMMC2,
+     EXT_GIC_ID_HSMMC3, EXT_GIC_ID_SDMMC },
+    /* int combiner group 30 */
+    { EXT_GIC_ID_MIPI_CSI_4LANE, EXT_GIC_ID_MIPI_CSI_2LANE },
+    /* int combiner group 31 */
+    { EXT_GIC_ID_MIPI_DSI_4LANE, EXT_GIC_ID_MIPI_DSI_2LANE },
+    /* int combiner group 32 */
+    { EXT_GIC_ID_FIMC0, EXT_GIC_ID_FIMC1 },
+    /* int combiner group 33 */
+    { EXT_GIC_ID_FIMC2, EXT_GIC_ID_FIMC3 },
+    /* int combiner group 34 */
+    { EXT_GIC_ID_ONENAND_AUDI, EXT_GIC_ID_NFC },
+    /* int combiner group 35 */
+    { 0, 0, 0, EXT_GIC_ID_MCT_L1, EXT_GIC_ID_MCT_G0, EXT_GIC_ID_MCT_G1 },
+    /* int combiner group 36 */
+    { EXT_GIC_ID_MIXER },
+    /* int combiner group 37 */
+    { EXT_GIC_ID_EXTINT4, EXT_GIC_ID_EXTINT5, EXT_GIC_ID_EXTINT6,
+     EXT_GIC_ID_EXTINT7 },
+    /* groups 38-50 */
+    { }, { }, { }, { }, { }, { }, { }, { }, { }, { }, { }, { }, { },
+    /* int combiner group 51 */
+    { EXT_GIC_ID_MCT_L0, 0, 0, 0, EXT_GIC_ID_MCT_G0, EXT_GIC_ID_MCT_G1 },
+    /* group 52 */
+    { },
+    /* int combiner group 53 */
+    { EXT_GIC_ID_WDT, 0, 0, 0, EXT_GIC_ID_MCT_G0, EXT_GIC_ID_MCT_G1 },
+    /* groups 54-63 */
+    { }, { }, { }, { }, { }, { }, { }, { }, { }, { }
+};
+
+#define EXYNOS4210_GIC_NIRQ 160
+#define NCPU                EXYNOS4210_NCPUS
+
+#define EXYNOS4210_EXT_GIC_CPU_REGION_SIZE     0x10000
+#define EXYNOS4210_EXT_GIC_DIST_REGION_SIZE    0x10000
+
+#define EXYNOS4210_EXT_GIC_PER_CPU_OFFSET      0x8000
+#define EXYNOS4210_EXT_GIC_CPU_GET_OFFSET(n) \
+    ((n) * EXYNOS4210_EXT_GIC_PER_CPU_OFFSET)
+#define EXYNOS4210_EXT_GIC_DIST_GET_OFFSET(n) \
+    ((n) * EXYNOS4210_EXT_GIC_PER_CPU_OFFSET)
+
+#define EXYNOS4210_GIC_CPU_REGION_SIZE  0x100
+#define EXYNOS4210_GIC_DIST_REGION_SIZE 0x1000
+
+static void exynos4210_irq_handler(void *opaque, int irq, int level)
+{
+    Exynos4210Irq *s = (Exynos4210Irq *)opaque;
+
+    /* Bypass */
+    qemu_set_irq(s->board_irqs[irq], level);
+
+    return;
+}
+
+/*
+ * Initialize exynos4210 IRQ subsystem stub.
+ */
+qemu_irq *exynos4210_init_irq(Exynos4210Irq *s)
+{
+    return qemu_allocate_irqs(exynos4210_irq_handler, s,
+            EXYNOS4210_MAX_INT_COMBINER_IN_IRQ);
+}
+
+/*
+ * Initialize board IRQs.
+ * These IRQs contain splitted Int/External Combiner and External Gic IRQs.
+ */
+void exynos4210_init_board_irqs(Exynos4210Irq *s)
+{
+    uint32_t grp, bit, irq_id, n;
+
+    for (n = 0; n < EXYNOS4210_MAX_EXT_COMBINER_IN_IRQ; n++) {
+        s->board_irqs[n] = qemu_irq_split(s->int_combiner_irq[n],
+                s->ext_combiner_irq[n]);
+
+        irq_id = 0;
+        if (n == EXYNOS4210_COMBINER_GET_IRQ_NUM(1, 4) ||
+                n == EXYNOS4210_COMBINER_GET_IRQ_NUM(12, 4)) {
+            /* MCT_G0 is passed to External GIC */
+            irq_id = EXT_GIC_ID_MCT_G0;
+        }
+        if (n == EXYNOS4210_COMBINER_GET_IRQ_NUM(1, 5) ||
+                n == EXYNOS4210_COMBINER_GET_IRQ_NUM(12, 5)) {
+            /* MCT_G1 is passed to External and GIC */
+            irq_id = EXT_GIC_ID_MCT_G1;
+        }
+        if (irq_id) {
+            s->board_irqs[n] = qemu_irq_split(s->int_combiner_irq[n],
+                    s->ext_gic_irq[irq_id-32]);
+        }
+
+    }
+    for (; n < EXYNOS4210_MAX_INT_COMBINER_IN_IRQ; n++) {
+        /* these IDs are passed to Internal Combiner and External GIC */
+        grp = EXYNOS4210_COMBINER_GET_GRP_NUM(n);
+        bit = EXYNOS4210_COMBINER_GET_BIT_NUM(n);
+        irq_id = combiner_grp_to_gic_id[grp -
+                     EXYNOS4210_MAX_EXT_COMBINER_OUT_IRQ][bit];
+
+        if (irq_id) {
+            s->board_irqs[n] = qemu_irq_split(s->int_combiner_irq[n],
+                    s->ext_gic_irq[irq_id-32]);
+        }
+    }
+}
+
+/*
+ * Get IRQ number from exynos4210 IRQ subsystem stub.
+ * To identify IRQ source use internal combiner group and bit number
+ *  grp - group number
+ *  bit - bit number inside group
+ */
+uint32_t exynos4210_get_irq(uint32_t grp, uint32_t bit)
+{
+    return EXYNOS4210_COMBINER_GET_IRQ_NUM(grp, bit);
+}
+
+/********* GIC part *********/
+
+static inline int
+gic_get_current_cpu(void)
+{
+    return cpu_single_env->cpu_index;
+}
+
+#include "arm_gic.c"
+
+typedef struct {
+    gic_state gic;
+    MemoryRegion cpu_container;
+    MemoryRegion dist_container;
+    MemoryRegion cpu_alias[NCPU];
+    MemoryRegion dist_alias[NCPU];
+    uint32_t num_cpu;
+} Exynos4210GicState;
+
+static int exynos4210_gic_init(SysBusDevice *dev)
+{
+    Exynos4210GicState *s = FROM_SYSBUSGIC(Exynos4210GicState, dev);
+    uint32_t i;
+    const char cpu_prefix[] = "exynos4210-gic-alias_cpu";
+    const char dist_prefix[] = "exynos4210-gic-alias_dist";
+    char cpu_alias_name[sizeof(cpu_prefix) + 3];
+    char dist_alias_name[sizeof(cpu_prefix) + 3];
+
+    gic_init(&s->gic, s->num_cpu, EXYNOS4210_GIC_NIRQ);
+
+    memory_region_init(&s->cpu_container, "exynos4210-cpu-container",
+            EXYNOS4210_EXT_GIC_CPU_REGION_SIZE);
+    memory_region_init(&s->dist_container, "exynos4210-dist-container",
+            EXYNOS4210_EXT_GIC_DIST_REGION_SIZE);
+
+    for (i = 0; i < s->num_cpu; i++) {
+        /* Map CPU interface per SMP Core */
+        sprintf(cpu_alias_name, "%s%x", cpu_prefix, i);
+        memory_region_init_alias(&s->cpu_alias[i],
+                                 cpu_alias_name,
+                                 &s->gic.cpuiomem[0],
+                                 0,
+                                 EXYNOS4210_GIC_CPU_REGION_SIZE);
+        memory_region_add_subregion(&s->cpu_container,
+                EXYNOS4210_EXT_GIC_CPU_GET_OFFSET(i), &s->cpu_alias[i]);
+
+        /* Map Distributor per SMP Core */
+        sprintf(dist_alias_name, "%s%x", dist_prefix, i);
+        memory_region_init_alias(&s->dist_alias[i],
+                                 dist_alias_name,
+                                 &s->gic.iomem,
+                                 0,
+                                 EXYNOS4210_GIC_DIST_REGION_SIZE);
+        memory_region_add_subregion(&s->dist_container,
+                EXYNOS4210_EXT_GIC_DIST_GET_OFFSET(i), &s->dist_alias[i]);
+    }
+
+    sysbus_init_mmio(dev, &s->cpu_container);
+    sysbus_init_mmio(dev, &s->dist_container);
+
+    gic_cpu_write(&s->gic, 1, 0, 1);
+
+    return 0;
+}
+
+static Property exynos4210_gic_properties[] = {
+    DEFINE_PROP_UINT32("num-cpu", Exynos4210GicState, num_cpu, 1),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static void exynos4210_gic_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_gic_init;
+    dc->props = exynos4210_gic_properties;
+}
+
+static TypeInfo exynos4210_gic_info = {
+    .name          = "exynos4210.gic",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210GicState),
+    .class_init    = exynos4210_gic_class_init,
+};
+
+static void exynos4210_gic_register_types(void)
+{
+    type_register_static(&exynos4210_gic_info);
+}
+
+type_init(exynos4210_gic_register_types)
+
+/*
+ * IRQGate struct.
+ * IRQ Gate represents OR gate between GICs to pass IRQ to PIC.
+ */
+typedef struct {
+    SysBusDevice busdev;
+
+    qemu_irq pic_irq[NCPU]; /* output IRQs to PICs */
+    uint32_t gpio_level[EXYNOS4210_IRQ_GATE_NINPUTS]; /* Input levels */
+} Exynos4210IRQGateState;
+
+static const VMStateDescription vmstate_exynos4210_irq_gate = {
+    .name = "exynos4210.irq_gate",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .minimum_version_id_old = 1,
+    .fields = (VMStateField[]) {
+        VMSTATE_UINT32_ARRAY(gpio_level, Exynos4210IRQGateState,
+                EXYNOS4210_IRQ_GATE_NINPUTS),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+/* Process a change in an external IRQ input.  */
+static void exynos4210_irq_gate_handler(void *opaque, int irq, int level)
+{
+    Exynos4210IRQGateState *s =
+            (Exynos4210IRQGateState *)opaque;
+    uint32_t odd, even;
+
+    if (irq & 1) {
+        odd = irq;
+        even = irq & ~1;
+    } else {
+        even = irq;
+        odd = irq | 1;
+    }
+
+    assert(irq < EXYNOS4210_IRQ_GATE_NINPUTS);
+    s->gpio_level[irq] = level;
+
+    if (s->gpio_level[odd] >= 1 || s->gpio_level[even] >= 1) {
+        qemu_irq_raise(s->pic_irq[even >> 1]);
+    } else {
+        qemu_irq_lower(s->pic_irq[even >> 1]);
+    }
+
+    return;
+}
+
+static void exynos4210_irq_gate_reset(DeviceState *d)
+{
+    Exynos4210IRQGateState *s = (Exynos4210IRQGateState *)d;
+
+    memset(&s->gpio_level, 0, sizeof(s->gpio_level));
+}
+
+/*
+ * IRQ Gate initialization.
+ */
+static int exynos4210_irq_gate_init(SysBusDevice *dev)
+{
+    unsigned int i;
+    Exynos4210IRQGateState *s =
+            FROM_SYSBUS(Exynos4210IRQGateState, dev);
+
+    /* Allocate general purpose input signals and connect a handler to each of
+     * them */
+    qdev_init_gpio_in(&s->busdev.qdev, exynos4210_irq_gate_handler,
+            EXYNOS4210_IRQ_GATE_NINPUTS);
+
+    /* Connect SysBusDev irqs to device specific irqs */
+    for (i = 0; i < NCPU; i++) {
+        sysbus_init_irq(dev, &s->pic_irq[i]);
+    }
+
+    return 0;
+}
+
+static void exynos4210_irq_gate_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+    k->init = exynos4210_irq_gate_init;
+    dc->reset = exynos4210_irq_gate_reset;
+    dc->vmsd = &vmstate_exynos4210_irq_gate;
+}
+
+static TypeInfo exynos4210_irq_gate_info = {
+    .name          = "exynos4210.irq_gate",
+    .parent        = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(Exynos4210IRQGateState),
+    .class_init    = exynos4210_irq_gate_class_init,
+};
+
+static void exynos4210_irq_gate_register_types(void)
+{
+    type_register_static(&exynos4210_irq_gate_info);
+}
+
+type_init(exynos4210_irq_gate_register_types)
commit 9de36b1a7cf61aa8be365f13c81668b3e19fbc7f
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Feb 8 05:41:38 2012 +0000

    Make -machine/-enable-kvm options merge into a single list
    
    Make the "machine" option list use list merging, so that multiple
    -machine arguments (and the -enable-kvm argument) all merge together
    into a single list. Drop the calls to qemu_opts_reset() which meant
    that only the last -machine or -enable-kvm option had any effect.
    
    This fixes the bug where "-enable-kvm -machine foo" would ignore
    the '-enable-kvm' option, and "-machine foo -enable-kvm" would
    ignore the '-machine foo' option.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/qemu-config.c b/qemu-config.c
index 12f5c27..c9763e0 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -547,6 +547,7 @@ QemuOptsList qemu_option_rom_opts = {
 static QemuOptsList qemu_machine_opts = {
     .name = "machine",
     .implied_opt_name = "type",
+    .merge_lists = true,
     .head = QTAILQ_HEAD_INITIALIZER(qemu_machine_opts.head),
     .desc = {
         {
diff --git a/vl.c b/vl.c
index 0e8425e..37f2f96 100644
--- a/vl.c
+++ b/vl.c
@@ -2882,12 +2882,10 @@ int main(int argc, char **argv, char **envp)
                 break;
             case QEMU_OPTION_enable_kvm:
                 olist = qemu_find_opts("machine");
-                qemu_opts_reset(olist);
                 qemu_opts_parse(olist, "accel=kvm", 0);
                 break;
             case QEMU_OPTION_machine:
                 olist = qemu_find_opts("machine");
-                qemu_opts_reset(olist);
                 opts = qemu_opts_parse(olist, optarg, 1);
                 if (!opts) {
                     fprintf(stderr, "parse error: %s\n", optarg);
commit da93318a9f0ff83e4a93e8755fa92291f9b8cc1b
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Feb 8 05:41:37 2012 +0000

    qemu-option: Add support for merged QemuOptsLists
    
    Add support for option lists which are merged together, so that
    "-listname foo=bar -listname bar=baz" is equivalent to "-listname
    foo=bar,bar=baz" rather than generating two separate lists of options.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/qemu-option.c b/qemu-option.c
index 4626ccf..35cd609 100644
--- a/qemu-option.c
+++ b/qemu-option.c
@@ -741,13 +741,18 @@ QemuOpts *qemu_opts_create(QemuOptsList *list, const char *id, int fail_if_exist
         }
         opts = qemu_opts_find(list, id);
         if (opts != NULL) {
-            if (fail_if_exists) {
+            if (fail_if_exists && !list->merge_lists) {
                 qerror_report(QERR_DUPLICATE_ID, id, list->name);
                 return NULL;
             } else {
                 return opts;
             }
         }
+    } else if (list->merge_lists) {
+        opts = qemu_opts_find(list, NULL);
+        if (opts) {
+            return opts;
+        }
     }
     opts = g_malloc0(sizeof(*opts));
     if (id) {
diff --git a/qemu-option.h b/qemu-option.h
index e6f61e6..3ca00c3 100644
--- a/qemu-option.h
+++ b/qemu-option.h
@@ -100,6 +100,7 @@ typedef struct QemuOptDesc {
 struct QemuOptsList {
     const char *name;
     const char *implied_opt_name;
+    bool merge_lists;  /* Merge multiple uses of option into a single list? */
     QTAILQ_HEAD(, QemuOpts) head;
     QemuOptDesc desc[];
 };
commit a84fac1426acd56f6dff4f6023611c1aefe748de
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Wed Feb 1 17:23:04 2012 +0000

    target-arm/helper.c: tb_flush() on CPU reset
    
    Since target-arm has some CPUState fields for which we take the approach
    of baking assumptions about them into translated code and then calling
    tb_flush() when the fields change, we must also tb_flush on CPU reset,
    because reset is a change of those fields.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index 34b226e..4929372 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -344,6 +344,11 @@ void cpu_reset(CPUARMState *env)
     set_float_detect_tininess(float_tininess_before_rounding,
                               &env->vfp.standard_fp_status);
     tlb_flush(env, 1);
+    /* Reset is a state change for some CPUState fields which we
+     * bake assumptions about into translated code, so we need to
+     * tb_flush().
+     */
+    tb_flush(env);
 }
 
 static int vfp_gdb_get_reg(CPUState *env, uint8_t *buf, int reg)
commit 761c9eb0fafa59821e3ded9e4d5b33d5ab8a0e9e
Author: Stefan Weil <sw at weilnetz.de>
Date:   Sun Jan 29 08:52:15 2012 +0100

    hw/arm: Remove redundant arguments from set_kernel_args*
    
    The parameters initrd_size and base are already included
    in the info parameter, so there is no need to pass them
    separately.
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>,

diff --git a/hw/arm_boot.c b/hw/arm_boot.c
index 5f163fd..34a8739 100644
--- a/hw/arm_boot.c
+++ b/hw/arm_boot.c
@@ -81,9 +81,10 @@ static void default_reset_secondary(CPUState *env,
     p += 4;                       \
 } while (0)
 
-static void set_kernel_args(const struct arm_boot_info *info,
-                int initrd_size, target_phys_addr_t base)
+static void set_kernel_args(const struct arm_boot_info *info)
 {
+    int initrd_size = info->initrd_size;
+    target_phys_addr_t base = info->loader_start;
     target_phys_addr_t p;
 
     p = base + KERNEL_ARGS_ADDR;
@@ -134,12 +135,12 @@ static void set_kernel_args(const struct arm_boot_info *info,
     WRITE_WORD(p, 0);
 }
 
-static void set_kernel_args_old(const struct arm_boot_info *info,
-                int initrd_size, target_phys_addr_t base)
+static void set_kernel_args_old(const struct arm_boot_info *info)
 {
     target_phys_addr_t p;
     const char *s;
-
+    int initrd_size = info->initrd_size;
+    target_phys_addr_t base = info->loader_start;
 
     /* see linux/include/asm-arm/setup.h */
     p = base + KERNEL_ARGS_ADDR;
@@ -222,11 +223,9 @@ static void do_cpu_reset(void *opaque)
             if (env == first_cpu) {
                 env->regs[15] = info->loader_start;
                 if (old_param) {
-                    set_kernel_args_old(info, info->initrd_size,
-                                        info->loader_start);
+                    set_kernel_args_old(info);
                 } else {
-                    set_kernel_args(info, info->initrd_size,
-                                    info->loader_start);
+                    set_kernel_args(info);
                 }
             } else {
                 info->secondary_cpu_reset_hook(env, info);
commit 4f56da61b907ef33fedeed78cf9299f6219c45e2
Author: Vasily Khoruzhick <anarsoul at gmail.com>
Date:   Tue Jan 24 22:32:30 2012 +0300

    pxa2xx_lcd: SRAM is valid location for the framebuffer
    
    Signed-off-by: Vasily Khoruzhick <anarsoul at gmail.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/pxa2xx_lcd.c b/hw/pxa2xx_lcd.c
index 4e9f7b4..9495226 100644
--- a/hw/pxa2xx_lcd.c
+++ b/hw/pxa2xx_lcd.c
@@ -308,9 +308,12 @@ static void pxa2xx_descriptor_load(PXA2xxLCDState *s)
         } else
             descptr = s->dma_ch[i].descriptor;
 
-        if (!(descptr >= PXA2XX_SDRAM_BASE && descptr +
-                    sizeof(desc) <= PXA2XX_SDRAM_BASE + ram_size))
+        if (!((descptr >= PXA2XX_SDRAM_BASE && descptr +
+                 sizeof(desc) <= PXA2XX_SDRAM_BASE + ram_size) ||
+                (descptr >= PXA2XX_INTERNAL_BASE && descptr + sizeof(desc) <=
+                 PXA2XX_INTERNAL_BASE + PXA2XX_INTERNAL_SIZE))) {
             continue;
+        }
 
         cpu_physical_memory_read(descptr, (void *)&desc, sizeof(desc));
         s->dma_ch[i].descriptor = tswap32(desc.fdaddr);
@@ -830,8 +833,10 @@ static void pxa2xx_update_display(void *opaque)
                 continue;
             }
             fbptr = s->dma_ch[ch].source;
-            if (!(fbptr >= PXA2XX_SDRAM_BASE &&
-                    fbptr <= PXA2XX_SDRAM_BASE + ram_size)) {
+            if (!((fbptr >= PXA2XX_SDRAM_BASE &&
+                     fbptr <= PXA2XX_SDRAM_BASE + ram_size) ||
+                    (fbptr >= PXA2XX_INTERNAL_BASE &&
+                     fbptr <= PXA2XX_INTERNAL_BASE + PXA2XX_INTERNAL_SIZE))) {
                 pxa2xx_dma_ber_set(s, ch);
                 continue;
             }
commit 2d2624a001010548e3e170d812e0f116b78501aa
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Feb 7 17:56:57 2012 +0000

    target-arm/helper.c: Correct FPSID value for Cortex-A9
    
    The correct FPSID for the Cortex-A9 (according to the TRM) is
    0x41033090 for the r0p0 that we claim to model.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/target-arm/helper.c b/target-arm/helper.c
index ea4f35f..34b226e 100644
--- a/target-arm/helper.c
+++ b/target-arm/helper.c
@@ -157,7 +157,7 @@ static void cpu_reset_model_id(CPUARMState *env, uint32_t id)
          * and valid configurations; we don't model A9UP).
          */
         set_feature(env, ARM_FEATURE_V7MP);
-        env->vfp.xregs[ARM_VFP_FPSID] = 0x41034000; /* Guess */
+        env->vfp.xregs[ARM_VFP_FPSID] = 0x41033090;
         env->vfp.xregs[ARM_VFP_MVFR0] = 0x11110222;
         env->vfp.xregs[ARM_VFP_MVFR1] = 0x01111111;
         memcpy(env->cp15.c0_c1, cortexa9_cp15_c0_c1, 8 * sizeof(uint32_t));
commit dd4427a6194eb4efd38542737a053ca474039a76
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Jan 20 12:10:34 2012 +0100

    nseries: attach monitor powerdown request to menelaus
    
    I noticed some unused code in the twl92230, probably from before
    qdev-ification.  This patch makes the machine use the chip's pwrbtn
    signal.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Andrzej Zaborowski <andrew.zaborowski at intel.com>

diff --git a/hw/nseries.c b/hw/nseries.c
index d429dbd..c5b3184 100644
--- a/hw/nseries.c
+++ b/hw/nseries.c
@@ -204,6 +204,8 @@ static void n8x0_i2c_setup(struct n800_s *s)
                           qdev_get_gpio_in(s->cpu->ih[0],
                                            OMAP_INT_24XX_SYS_NIRQ));
 
+    qemu_system_powerdown = qdev_get_gpio_in(dev, 3);
+
     /* Attach a TMP105 PM chip (A0 wired to ground) */
     dev = i2c_create_slave(s->i2c, "tmp105", N8X0_TMP105_ADDR);
     qdev_connect_gpio_out(dev, 0, tmp_irq);
diff --git a/hw/twl92230.c b/hw/twl92230.c
index 873dc8f..22da6f8 100644
--- a/hw/twl92230.c
+++ b/hw/twl92230.c
@@ -61,9 +61,7 @@ typedef struct {
     } rtc;
     uint16_t rtc_next_vmstate;
     qemu_irq out[4];
-    qemu_irq *in;
     uint8_t pwrbtn_state;
-    qemu_irq pwrbtn;
 } MenelausState;
 
 static inline void menelaus_update(MenelausState *s)
@@ -186,14 +184,12 @@ static void menelaus_gpio_set(void *opaque, int line, int level)
 {
     MenelausState *s = (MenelausState *) opaque;
 
-    /* No interrupt generated */
-    s->inputs &= ~(1 << line);
-    s->inputs |= level << line;
-}
-
-static void menelaus_pwrbtn_set(void *opaque, int line, int level)
-{
-    MenelausState *s = (MenelausState *) opaque;
+    if (line < 3) {
+        /* No interrupt generated */
+        s->inputs &= ~(1 << line);
+        s->inputs |= level << line;
+        return;
+    }
 
     if (!s->pwrbtn_state && level) {
         s->status |= 1 << 11;					/* PSHBTN */
@@ -849,8 +845,9 @@ static int twl92230_init(I2CSlave *i2c)
     s->rtc.hz_tm = qemu_new_timer_ms(rt_clock, menelaus_rtc_hz, s);
     /* Three output pins plus one interrupt pin.  */
     qdev_init_gpio_out(&i2c->qdev, s->out, 4);
-    qdev_init_gpio_in(&i2c->qdev, menelaus_gpio_set, 3);
-    s->pwrbtn = qemu_allocate_irqs(menelaus_pwrbtn_set, s, 1)[0];
+
+    /* Three input pins plus one power-button pin.  */
+    qdev_init_gpio_in(&i2c->qdev, menelaus_gpio_set, 4);
 
     menelaus_reset(&s->i2c);
 
commit 6c263e26a5c162a8cd79e32bb82422697db5c57c
Merge: cf5cfe0... a4aecd2...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 15 18:41:28 2012 -0600

    Merge remote-tracking branch 'qemu-kvm/uq/master' into staging
    
    * qemu-kvm/uq/master:
      apic: Fix legacy vmstate loading for KVM
      kvm: Implement kvm_irqchip_in_kernel like kvm_enabled
      kvm: Allow to set shadow MMU size

commit cf5cfe0471eb3693401f390bc467413d14dce368
Merge: 006c891... 7bc9318...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 15 18:40:53 2012 -0600

    Merge remote-tracking branch 'kraxel/vnc.2' into staging
    
    * kraxel/vnc.2:
      vnc: lift modifier keys on client disconnect.
      vnc: implement shared flag handling.
      vnc: fix ctrl key in vnc terminal emulation
      Fix vnc memory corruption with width = 1400

commit 006c891fc9d4f044ad3f41b6e019442523b45a54
Merge: 7718564... 6612db1...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 15 18:40:26 2012 -0600

    Merge remote-tracking branch 'kiszka/queues/slirp' into staging
    
    * kiszka/queues/slirp:
      slirp: Prevent sending ICMP error replies to source-only addresses
      slirp: Remove unused variable and unused code

commit 7718564ba1295f35188a5fb3ac8633c29d43b166
Merge: 65b31cc... 7c605a2...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 15 17:25:25 2012 -0600

    Merge remote-tracking branch 'kraxel/usb.38' into staging
    
    * kraxel/usb.38: (28 commits)
      xhci: handle USB_RET_NAK
      xhci: remote wakeup support
      xhci: kill port arg from xhci_setup_packet
      xhci: stop on errors
      xhci: add trb type name lookup support.
      xhci: signal low- and fullspeed support
      usb: add USBBusOps->wakeup_endpoint
      usb: pass USBEndpoint to usb_wakeup
      usb: maintain async packet list per endpoint
      usb: Set USBEndpoint in usb_packet_setup().
      usb: add USBEndpoint->{nr,pid}
      usb: USBPacket: add status, rename owner -> ep
      usb: fold usb_generic_handle_packet into usb_handle_packet
      usb: kill handle_packet callback
      usb-xhci: switch to usb_find_device()
      usb-musb: switch to usb_find_device()
      usb-ohci: switch to usb_find_device()
      usb-ehci: switch to usb_find_device()
      usb-uhci: switch to usb_find_device()
      usb: handle dev == NULL in usb_handle_packet()
      ...

commit 65b31cc207b8ab949033870acf55bb124d12848e
Merge: b2d4b3f... b867672...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 15 17:18:04 2012 -0600

    Merge remote-tracking branch 'kwolf/for-anthony' into staging
    
    * kwolf/for-anthony:
      AHCI: Masking of IRQs actually masks them
      sheepdog: fix co_recv coroutine context
      AHCI: Fix port reset race
      rewrite QEMU_BUILD_BUG_ON
      qcow2: Keep unknown header extension when rewriting header
      qcow2: Update whole header at once
      vpc: Round up image size during fixed image creation
      vpc: Add support for Fixed Disk type
      iSCSI: add configuration variables for iSCSI
      qemu-io: add write -z option for bdrv_co_write_zeroes
      qed: add .bdrv_co_write_zeroes() support
      qed: replace is_write with flags field
      block: perform zero-detection during copy-on-read
      block: add .bdrv_co_write_zeroes() interface
      cutils: extract buffer_is_zero() from qemu-img.c

commit b2d4b3f7b8c8ad0519c4705a3b850446068e6946
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Sun Feb 12 11:36:24 2012 -0600

    device_add: don't add a /peripheral link until init is complete
    
    Otherwise we end up with a dangling reference which causes qdev_free() to fail.
    
    Reported-by: Michael Tsirkin <mst at redhat.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/qdev-monitor.c b/hw/qdev-monitor.c
index 49f13ca..a310cc7 100644
--- a/hw/qdev-monitor.c
+++ b/hw/qdev-monitor.c
@@ -457,6 +457,16 @@ DeviceState *qdev_device_add(QemuOpts *opts)
     id = qemu_opts_id(opts);
     if (id) {
         qdev->id = id;
+    }
+    if (qemu_opt_foreach(opts, set_property, qdev, 1) != 0) {
+        qdev_free(qdev);
+        return NULL;
+    }
+    if (qdev_init(qdev) < 0) {
+        qerror_report(QERR_DEVICE_INIT_FAILED, driver);
+        return NULL;
+    }
+    if (qdev->id) {
         object_property_add_child(qdev_get_peripheral(), qdev->id,
                                   OBJECT(qdev), NULL);
     } else {
@@ -466,14 +476,6 @@ DeviceState *qdev_device_add(QemuOpts *opts)
                                   OBJECT(qdev), NULL);
         g_free(name);
     }        
-    if (qemu_opt_foreach(opts, set_property, qdev, 1) != 0) {
-        qdev_free(qdev);
-        return NULL;
-    }
-    if (qdev_init(qdev) < 0) {
-        qerror_report(QERR_DEVICE_INIT_FAILED, driver);
-        return NULL;
-    }
     qdev->opts = opts;
     return qdev;
 }
commit 83f7d43a9ef70b1b91e465173e18c845420e931e
Author: Andreas Färber <afaerber at suse.de>
Date:   Thu Feb 9 15:20:55 2012 +0100

    qom: Unify type registration
    
    Replace device_init() with generalized type_init().
    
    While at it, unify naming convention: type_init([$prefix_]register_types)
    Also, type_init() is a function, so add preceding blank line where
    necessary and don't put a semicolon after the closing brace.
    
    Signed-off-by: Andreas Färber <afaerber at suse.de>
    Cc: Anthony Liguori <anthony at codemonkey.ws>
    Cc: malc <av1474 at comtv.ru>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/9pfs/virtio-9p-device.c b/hw/9pfs/virtio-9p-device.c
index 791a557..b8220ab 100644
--- a/hw/9pfs/virtio-9p-device.c
+++ b/hw/9pfs/virtio-9p-device.c
@@ -184,10 +184,10 @@ static TypeInfo virtio_9p_info = {
     .class_init    = virtio_9p_class_init,
 };
 
-static void virtio_9p_register_devices(void)
+static void virtio_9p_register_types(void)
 {
     type_register_static(&virtio_9p_info);
     virtio_9p_set_fd_limit();
 }
 
-device_init(virtio_9p_register_devices)
+type_init(virtio_9p_register_types)
diff --git a/hw/a9mpcore.c b/hw/a9mpcore.c
index 19de12b..03b128c 100644
--- a/hw/a9mpcore.c
+++ b/hw/a9mpcore.c
@@ -238,9 +238,9 @@ static TypeInfo a9mp_priv_info = {
     .class_init    = a9mp_priv_class_init,
 };
 
-static void a9mp_register_devices(void)
+static void a9mp_register_types(void)
 {
     type_register_static(&a9mp_priv_info);
 }
 
-device_init(a9mp_register_devices)
+type_init(a9mp_register_types)
diff --git a/hw/ac97.c b/hw/ac97.c
index 7bf9171..c0fd019 100644
--- a/hw/ac97.c
+++ b/hw/ac97.c
@@ -1372,9 +1372,9 @@ static TypeInfo ac97_info = {
     .class_init    = ac97_class_init,
 };
 
-static void ac97_register (void)
+static void ac97_register_types (void)
 {
     type_register_static (&ac97_info);
 }
-device_init (ac97_register);
 
+type_init (ac97_register_types)
diff --git a/hw/acpi_piix4.c b/hw/acpi_piix4.c
index 21484ae..d959f49 100644
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -426,12 +426,12 @@ static TypeInfo piix4_pm_info = {
     .class_init    = piix4_pm_class_init,
 };
 
-static void piix4_pm_register(void)
+static void piix4_pm_register_types(void)
 {
     type_register_static(&piix4_pm_info);
 }
 
-device_init(piix4_pm_register);
+type_init(piix4_pm_register_types)
 
 static uint32_t gpe_readb(void *opaque, uint32_t addr)
 {
diff --git a/hw/ads7846.c b/hw/ads7846.c
index 3cfdecb..41c7f10 100644
--- a/hw/ads7846.c
+++ b/hw/ads7846.c
@@ -168,9 +168,9 @@ static TypeInfo ads7846_info = {
     .class_init    = ads7846_class_init,
 };
 
-static void ads7846_register_devices(void)
+static void ads7846_register_types(void)
 {
     type_register_static(&ads7846_info);
 }
 
-device_init(ads7846_register_devices)
+type_init(ads7846_register_types)
diff --git a/hw/alpha_typhoon.c b/hw/alpha_typhoon.c
index 736c28a..b539416 100644
--- a/hw/alpha_typhoon.c
+++ b/hw/alpha_typhoon.c
@@ -824,8 +824,9 @@ static TypeInfo typhoon_pcihost_info = {
     .class_init    = typhoon_pcihost_class_init,
 };
 
-static void typhoon_register(void)
+static void typhoon_register_types(void)
 {
     type_register_static(&typhoon_pcihost_info);
 }
-device_init(typhoon_register);
+
+type_init(typhoon_register_types)
diff --git a/hw/apb_pci.c b/hw/apb_pci.c
index c7aaa72..1d25da8 100644
--- a/hw/apb_pci.c
+++ b/hw/apb_pci.c
@@ -493,11 +493,11 @@ static TypeInfo pbm_pci_bridge_info = {
     .class_init    = pbm_pci_bridge_class_init,
 };
 
-static void pbm_register_devices(void)
+static void pbm_register_types(void)
 {
     type_register_static(&pbm_host_info);
     type_register_static(&pbm_pci_host_info);
     type_register_static(&pbm_pci_bridge_info);
 }
 
-device_init(pbm_register_devices)
+type_init(pbm_register_types)
diff --git a/hw/apic.c b/hw/apic.c
index 086c544..ff9d24e 100644
--- a/hw/apic.c
+++ b/hw/apic.c
@@ -781,9 +781,9 @@ static TypeInfo apic_info = {
     .class_init    = apic_class_init,
 };
 
-static void apic_register_devices(void)
+static void apic_register_types(void)
 {
     type_register_static(&apic_info);
 }
 
-device_init(apic_register_devices)
+type_init(apic_register_types)
diff --git a/hw/apic_common.c b/hw/apic_common.c
index 26991b4..a440ea8 100644
--- a/hw/apic_common.c
+++ b/hw/apic_common.c
@@ -313,9 +313,9 @@ static TypeInfo apic_common_type = {
     .abstract = true,
 };
 
-static void register_devices(void)
+static void register_types(void)
 {
     type_register_static(&apic_common_type);
 }
 
-device_init(register_devices);
+type_init(register_types)
diff --git a/hw/applesmc.c b/hw/applesmc.c
index b06487f..8bedaad 100644
--- a/hw/applesmc.c
+++ b/hw/applesmc.c
@@ -243,9 +243,9 @@ static TypeInfo applesmc_isa_info = {
     .class_init    = qdev_applesmc_class_init,
 };
 
-static void applesmc_register_devices(void)
+static void applesmc_register_types(void)
 {
     type_register_static(&applesmc_isa_info);
 }
 
-device_init(applesmc_register_devices)
+type_init(applesmc_register_types)
diff --git a/hw/arm11mpcore.c b/hw/arm11mpcore.c
index 3c0839c..102348b 100644
--- a/hw/arm11mpcore.c
+++ b/hw/arm11mpcore.c
@@ -252,10 +252,10 @@ static TypeInfo mpcore_priv_info = {
     .class_init    = mpcore_priv_class_init,
 };
 
-static void arm11mpcore_register_devices(void)
+static void arm11mpcore_register_types(void)
 {
     type_register_static(&mpcore_rirq_info);
     type_register_static(&mpcore_priv_info);
 }
 
-device_init(arm11mpcore_register_devices)
+type_init(arm11mpcore_register_types)
diff --git a/hw/arm_l2x0.c b/hw/arm_l2x0.c
index ba26abc..09f290c 100644
--- a/hw/arm_l2x0.c
+++ b/hw/arm_l2x0.c
@@ -184,9 +184,9 @@ static TypeInfo l2x0_info = {
     .class_init = l2x0_class_init,
 };
 
-static void l2x0_register_device(void)
+static void l2x0_register_types(void)
 {
     type_register_static(&l2x0_info);
 }
 
-device_init(l2x0_register_device)
+type_init(l2x0_register_types)
diff --git a/hw/arm_mptimer.c b/hw/arm_mptimer.c
index 5a02365..361e887 100644
--- a/hw/arm_mptimer.c
+++ b/hw/arm_mptimer.c
@@ -335,9 +335,9 @@ static TypeInfo arm_mptimer_info = {
     .class_init    = arm_mptimer_class_init,
 };
 
-static void arm_mptimer_register_devices(void)
+static void arm_mptimer_register_types(void)
 {
     type_register_static(&arm_mptimer_info);
 }
 
-device_init(arm_mptimer_register_devices)
+type_init(arm_mptimer_register_types)
diff --git a/hw/arm_sysctl.c b/hw/arm_sysctl.c
index 9d25799..149c639 100644
--- a/hw/arm_sysctl.c
+++ b/hw/arm_sysctl.c
@@ -425,9 +425,9 @@ static TypeInfo arm_sysctl_info = {
     .class_init    = arm_sysctl_class_init,
 };
 
-static void arm_sysctl_register_devices(void)
+static void arm_sysctl_register_types(void)
 {
     type_register_static(&arm_sysctl_info);
 }
 
-device_init(arm_sysctl_register_devices)
+type_init(arm_sysctl_register_types)
diff --git a/hw/arm_timer.c b/hw/arm_timer.c
index 1019d41..e3ecce2 100644
--- a/hw/arm_timer.c
+++ b/hw/arm_timer.c
@@ -383,10 +383,10 @@ static TypeInfo sp804_info = {
     .class_init    = sp804_class_init,
 };
 
-static void arm_timer_register_devices(void)
+static void arm_timer_register_types(void)
 {
     type_register_static(&icp_pit_info);
     type_register_static(&sp804_info);
 }
 
-device_init(arm_timer_register_devices)
+type_init(arm_timer_register_types)
diff --git a/hw/armv7m.c b/hw/armv7m.c
index de3d7e0..6b80579 100644
--- a/hw/armv7m.c
+++ b/hw/armv7m.c
@@ -266,9 +266,9 @@ static TypeInfo bitband_info = {
     .class_init    = bitband_class_init,
 };
 
-static void armv7m_register_devices(void)
+static void armv7m_register_types(void)
 {
     type_register_static(&bitband_info);
 }
 
-device_init(armv7m_register_devices)
+type_init(armv7m_register_types)
diff --git a/hw/armv7m_nvic.c b/hw/armv7m_nvic.c
index 1ed0abc..3210129 100644
--- a/hw/armv7m_nvic.c
+++ b/hw/armv7m_nvic.c
@@ -417,9 +417,9 @@ static TypeInfo armv7m_nvic_info = {
     .class_init    = armv7m_nvic_class_init,
 };
 
-static void armv7m_nvic_register_devices(void)
+static void armv7m_nvic_register_types(void)
 {
     type_register_static(&armv7m_nvic_info);
 }
 
-device_init(armv7m_nvic_register_devices)
+type_init(armv7m_nvic_register_types)
diff --git a/hw/bitbang_i2c.c b/hw/bitbang_i2c.c
index c9c1182..44ed7f4 100644
--- a/hw/bitbang_i2c.c
+++ b/hw/bitbang_i2c.c
@@ -237,9 +237,9 @@ static TypeInfo gpio_i2c_info = {
     .class_init    = gpio_i2c_class_init,
 };
 
-static void bitbang_i2c_register(void)
+static void bitbang_i2c_register_types(void)
 {
     type_register_static(&gpio_i2c_info);
 }
 
-device_init(bitbang_i2c_register)
+type_init(bitbang_i2c_register_types)
diff --git a/hw/bonito.c b/hw/bonito.c
index 7350a4f..77786f8 100644
--- a/hw/bonito.c
+++ b/hw/bonito.c
@@ -804,9 +804,10 @@ static TypeInfo bonito_pcihost_info = {
     .class_init    = bonito_pcihost_class_init,
 };
 
-static void bonito_register(void)
+static void bonito_register_types(void)
 {
     type_register_static(&bonito_pcihost_info);
     type_register_static(&bonito_info);
 }
-device_init(bonito_register);
+
+type_init(bonito_register_types)
diff --git a/hw/ccid-card-emulated.c b/hw/ccid-card-emulated.c
index 9510ed4..f4a6da4 100644
--- a/hw/ccid-card-emulated.c
+++ b/hw/ccid-card-emulated.c
@@ -594,9 +594,9 @@ static TypeInfo emulated_card_info = {
     .class_init    = emulated_class_initfn,
 };
 
-static void ccid_card_emulated_register_devices(void)
+static void ccid_card_emulated_register_types(void)
 {
     type_register_static(&emulated_card_info);
 }
 
-device_init(ccid_card_emulated_register_devices)
+type_init(ccid_card_emulated_register_types)
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index a7006ca..bd6c777 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -343,9 +343,9 @@ static TypeInfo passthru_card_info = {
     .class_init    = passthru_class_initfn,
 };
 
-static void ccid_card_passthru_register_devices(void)
+static void ccid_card_passthru_register_types(void)
 {
     type_register_static(&passthru_card_info);
 }
 
-device_init(ccid_card_passthru_register_devices)
+type_init(ccid_card_passthru_register_types)
diff --git a/hw/cirrus_vga.c b/hw/cirrus_vga.c
index a8e8ab7..4edcb94 100644
--- a/hw/cirrus_vga.c
+++ b/hw/cirrus_vga.c
@@ -2923,12 +2923,6 @@ static TypeInfo isa_cirrus_vga_info = {
     .class_init = isa_cirrus_vga_class_init,
 };
 
-static void isa_cirrus_vga_register(void)
-{
-    type_register_static(&isa_cirrus_vga_info);
-}
-device_init(isa_cirrus_vga_register)
-
 /***************************************
  *
  *  PCI bus support
@@ -2996,8 +2990,10 @@ static TypeInfo cirrus_vga_info = {
     .class_init    = cirrus_vga_class_init,
 };
 
-static void cirrus_vga_register(void)
+static void cirrus_vga_register_types(void)
 {
+    type_register_static(&isa_cirrus_vga_info);
     type_register_static(&cirrus_vga_info);
 }
-device_init(cirrus_vga_register);
+
+type_init(cirrus_vga_register_types)
diff --git a/hw/cs4231.c b/hw/cs4231.c
index c0badbf..cfec1d9 100644
--- a/hw/cs4231.c
+++ b/hw/cs4231.c
@@ -173,9 +173,9 @@ static TypeInfo cs4231_info = {
     .class_init    = cs4231_class_init,
 };
 
-static void cs4231_register_devices(void)
+static void cs4231_register_types(void)
 {
     type_register_static(&cs4231_info);
 }
 
-device_init(cs4231_register_devices)
+type_init(cs4231_register_types)
diff --git a/hw/cs4231a.c b/hw/cs4231a.c
index ad04ad6..e07b9d6 100644
--- a/hw/cs4231a.c
+++ b/hw/cs4231a.c
@@ -689,8 +689,9 @@ static TypeInfo cs4231a_info = {
     .class_init    = cs4231a_class_initfn,
 };
 
-static void cs4231a_register (void)
+static void cs4231a_register_types (void)
 {
     type_register_static (&cs4231a_info);
 }
-device_init (cs4231a_register)
+
+type_init (cs4231a_register_types)
diff --git a/hw/debugcon.c b/hw/debugcon.c
index 3903b26..14ab326 100644
--- a/hw/debugcon.c
+++ b/hw/debugcon.c
@@ -109,9 +109,9 @@ static TypeInfo debugcon_isa_info = {
     .class_init    = debugcon_isa_class_initfn,
 };
 
-static void debugcon_register_devices(void)
+static void debugcon_register_types(void)
 {
     type_register_static(&debugcon_isa_info);
 }
 
-device_init(debugcon_register_devices)
+type_init(debugcon_register_types)
diff --git a/hw/dec_pci.c b/hw/dec_pci.c
index a40fbcf..37337bf 100644
--- a/hw/dec_pci.c
+++ b/hw/dec_pci.c
@@ -140,11 +140,11 @@ static TypeInfo pci_dec_21154_device_info = {
     .class_init    = pci_dec_21154_device_class_init,
 };
 
-static void dec_register_devices(void)
+static void dec_register_types(void)
 {
     type_register_static(&pci_dec_21154_device_info);
     type_register_static(&dec_21154_pci_host_info);
     type_register_static(&dec_21154_pci_bridge_info);
 }
 
-device_init(dec_register_devices)
+type_init(dec_register_types)
diff --git a/hw/ds1225y.c b/hw/ds1225y.c
index 539bceb..2cd355b 100644
--- a/hw/ds1225y.c
+++ b/hw/ds1225y.c
@@ -157,9 +157,9 @@ static TypeInfo nvram_sysbus_info = {
     .class_init    = nvram_sysbus_class_init,
 };
 
-static void nvram_register(void)
+static void nvram_register_types(void)
 {
     type_register_static(&nvram_sysbus_info);
 }
 
-device_init(nvram_register)
+type_init(nvram_register_types)
diff --git a/hw/ds1338.c b/hw/ds1338.c
index b137e13..6397f0a 100644
--- a/hw/ds1338.c
+++ b/hw/ds1338.c
@@ -135,9 +135,9 @@ static TypeInfo ds1338_info = {
     .class_init    = ds1338_class_init,
 };
 
-static void ds1338_register_devices(void)
+static void ds1338_register_types(void)
 {
     type_register_static(&ds1338_info);
 }
 
-device_init(ds1338_register_devices)
+type_init(ds1338_register_types)
diff --git a/hw/e1000.c b/hw/e1000.c
index 751f79d..7babc0b 100644
--- a/hw/e1000.c
+++ b/hw/e1000.c
@@ -1227,9 +1227,9 @@ static TypeInfo e1000_info = {
     .class_init    = e1000_class_init,
 };
 
-static void e1000_register_devices(void)
+static void e1000_register_types(void)
 {
     type_register_static(&e1000_info);
 }
 
-device_init(e1000_register_devices)
+type_init(e1000_register_types)
diff --git a/hw/eccmemctl.c b/hw/eccmemctl.c
index 1cf2090..fe1cd90 100644
--- a/hw/eccmemctl.c
+++ b/hw/eccmemctl.c
@@ -332,9 +332,9 @@ static TypeInfo ecc_info = {
 };
 
 
-static void ecc_register_devices(void)
+static void ecc_register_types(void)
 {
     type_register_static(&ecc_info);
 }
 
-device_init(ecc_register_devices)
+type_init(ecc_register_types)
diff --git a/hw/eepro100.c b/hw/eepro100.c
index 843610c..e3ba719 100644
--- a/hw/eepro100.c
+++ b/hw/eepro100.c
@@ -2089,7 +2089,7 @@ static void eepro100_class_init(ObjectClass *klass, void *data)
     k->subsystem_id = info->subsystem_id;
 }
 
-static void eepro100_register_devices(void)
+static void eepro100_register_types(void)
 {
     size_t i;
     for (i = 0; i < ARRAY_SIZE(e100_devices); i++) {
@@ -2105,4 +2105,4 @@ static void eepro100_register_devices(void)
     }
 }
 
-device_init(eepro100_register_devices)
+type_init(eepro100_register_types)
diff --git a/hw/empty_slot.c b/hw/empty_slot.c
index 1bc1815..099c85e 100644
--- a/hw/empty_slot.c
+++ b/hw/empty_slot.c
@@ -90,9 +90,9 @@ static TypeInfo empty_slot_info = {
     .class_init    = empty_slot_class_init,
 };
 
-static void empty_slot_register_devices(void)
+static void empty_slot_register_types(void)
 {
     type_register_static(&empty_slot_info);
 }
 
-device_init(empty_slot_register_devices);
+type_init(empty_slot_register_types)
diff --git a/hw/es1370.c b/hw/es1370.c
index e377c48..f19cef3 100644
--- a/hw/es1370.c
+++ b/hw/es1370.c
@@ -1054,9 +1054,10 @@ static TypeInfo es1370_info = {
     .class_init    = es1370_class_init,
 };
 
-static void es1370_register (void)
+static void es1370_register_types (void)
 {
     type_register_static (&es1370_info);
 }
-device_init (es1370_register);
+
+type_init (es1370_register_types)
 
diff --git a/hw/escc.c b/hw/escc.c
index 9fe282f..4d8a8e8 100644
--- a/hw/escc.c
+++ b/hw/escc.c
@@ -931,9 +931,9 @@ static TypeInfo escc_info = {
     .class_init    = escc_class_init,
 };
 
-static void escc_register_devices(void)
+static void escc_register_types(void)
 {
     type_register_static(&escc_info);
 }
 
-device_init(escc_register_devices)
+type_init(escc_register_types)
diff --git a/hw/esp.c b/hw/esp.c
index 2f44386..2dda8e3 100644
--- a/hw/esp.c
+++ b/hw/esp.c
@@ -775,9 +775,9 @@ static TypeInfo esp_info = {
     .class_init    = esp_class_init,
 };
 
-static void esp_register_devices(void)
+static void esp_register_types(void)
 {
     type_register_static(&esp_info);
 }
 
-device_init(esp_register_devices)
+type_init(esp_register_types)
diff --git a/hw/etraxfs_eth.c b/hw/etraxfs_eth.c
index aefd577..16a0637 100644
--- a/hw/etraxfs_eth.c
+++ b/hw/etraxfs_eth.c
@@ -637,9 +637,9 @@ static TypeInfo etraxfs_eth_info = {
     .class_init    = etraxfs_eth_class_init,
 };
 
-static void etraxfs_eth_register(void)
+static void etraxfs_eth_register_types(void)
 {
     type_register_static(&etraxfs_eth_info);
 }
 
-device_init(etraxfs_eth_register)
+type_init(etraxfs_eth_register_types)
diff --git a/hw/etraxfs_pic.c b/hw/etraxfs_pic.c
index 33541fc..dc27f88 100644
--- a/hw/etraxfs_pic.c
+++ b/hw/etraxfs_pic.c
@@ -172,9 +172,9 @@ static TypeInfo etraxfs_pic_info = {
     .class_init    = etraxfs_pic_class_init,
 };
 
-static void etraxfs_pic_register(void)
+static void etraxfs_pic_register_types(void)
 {
     type_register_static(&etraxfs_pic_info);
 }
 
-device_init(etraxfs_pic_register)
+type_init(etraxfs_pic_register_types)
diff --git a/hw/etraxfs_ser.c b/hw/etraxfs_ser.c
index 567cb8c..cecd819 100644
--- a/hw/etraxfs_ser.c
+++ b/hw/etraxfs_ser.c
@@ -240,9 +240,9 @@ static TypeInfo etraxfs_ser_info = {
     .class_init    = etraxfs_ser_class_init,
 };
 
-static void etraxfs_serial_register(void)
+static void etraxfs_serial_register_types(void)
 {
     type_register_static(&etraxfs_ser_info);
 }
 
-device_init(etraxfs_serial_register)
+type_init(etraxfs_serial_register_types)
diff --git a/hw/etraxfs_timer.c b/hw/etraxfs_timer.c
index b71c5ee..9076a49 100644
--- a/hw/etraxfs_timer.c
+++ b/hw/etraxfs_timer.c
@@ -343,9 +343,9 @@ static TypeInfo etraxfs_timer_info = {
     .class_init    = etraxfs_timer_class_init,
 };
 
-static void etraxfs_timer_register(void)
+static void etraxfs_timer_register_types(void)
 {
     type_register_static(&etraxfs_timer_info);
 }
 
-device_init(etraxfs_timer_register)
+type_init(etraxfs_timer_register_types)
diff --git a/hw/fdc.c b/hw/fdc.c
index f575a2c..38fad58 100644
--- a/hw/fdc.c
+++ b/hw/fdc.c
@@ -2043,11 +2043,11 @@ static TypeInfo sun4m_fdc_info = {
     .class_init    = sun4m_fdc_class_init,
 };
 
-static void fdc_register_devices(void)
+static void fdc_register_types(void)
 {
     type_register_static(&isa_fdc_info);
     type_register_static(&sysbus_fdc_info);
     type_register_static(&sun4m_fdc_info);
 }
 
-device_init(fdc_register_devices)
+type_init(fdc_register_types)
diff --git a/hw/fw_cfg.c b/hw/fw_cfg.c
index 6b2f7d1..7b3b576 100644
--- a/hw/fw_cfg.c
+++ b/hw/fw_cfg.c
@@ -556,9 +556,9 @@ static TypeInfo fw_cfg_info = {
     .class_init    = fw_cfg_class_init,
 };
 
-static void fw_cfg_register_devices(void)
+static void fw_cfg_register_types(void)
 {
     type_register_static(&fw_cfg_info);
 }
 
-device_init(fw_cfg_register_devices)
+type_init(fw_cfg_register_types)
diff --git a/hw/g364fb.c b/hw/g364fb.c
index 66d0044..9c63bdd 100644
--- a/hw/g364fb.c
+++ b/hw/g364fb.c
@@ -574,9 +574,9 @@ static TypeInfo g364fb_sysbus_info = {
     .class_init    = g364fb_sysbus_class_init,
 };
 
-static void g364fb_register(void)
+static void g364fb_register_types(void)
 {
     type_register_static(&g364fb_sysbus_info);
 }
 
-device_init(g364fb_register);
+type_init(g364fb_register_types)
diff --git a/hw/grackle_pci.c b/hw/grackle_pci.c
index 8122baf..81ff3a3 100644
--- a/hw/grackle_pci.c
+++ b/hw/grackle_pci.c
@@ -157,10 +157,10 @@ static TypeInfo grackle_pci_host_info = {
     .class_init    = pci_grackle_class_init,
 };
 
-static void grackle_register_devices(void)
+static void grackle_register_types(void)
 {
     type_register_static(&grackle_pci_info);
     type_register_static(&grackle_pci_host_info);
 }
 
-device_init(grackle_register_devices)
+type_init(grackle_register_types)
diff --git a/hw/grlib_apbuart.c b/hw/grlib_apbuart.c
index 89de2d8..73fc989 100644
--- a/hw/grlib_apbuart.c
+++ b/hw/grlib_apbuart.c
@@ -263,9 +263,9 @@ static TypeInfo grlib_gptimer_info = {
     .class_init    = grlib_gptimer_class_init,
 };
 
-static void grlib_gptimer_register(void)
+static void grlib_gptimer_register_types(void)
 {
     type_register_static(&grlib_gptimer_info);
 }
 
-device_init(grlib_gptimer_register)
+type_init(grlib_gptimer_register_types)
diff --git a/hw/grlib_gptimer.c b/hw/grlib_gptimer.c
index fb0b236..41770a9 100644
--- a/hw/grlib_gptimer.c
+++ b/hw/grlib_gptimer.c
@@ -396,9 +396,9 @@ static TypeInfo grlib_gptimer_info = {
     .class_init    = grlib_gptimer_class_init,
 };
 
-static void grlib_gptimer_register(void)
+static void grlib_gptimer_register_types(void)
 {
     type_register_static(&grlib_gptimer_info);
 }
 
-device_init(grlib_gptimer_register)
+type_init(grlib_gptimer_register_types)
diff --git a/hw/grlib_irqmp.c b/hw/grlib_irqmp.c
index 1e5ad82..0f6e65c 100644
--- a/hw/grlib_irqmp.c
+++ b/hw/grlib_irqmp.c
@@ -377,9 +377,9 @@ static TypeInfo grlib_irqmp_info = {
     .class_init    = grlib_irqmp_class_init,
 };
 
-static void grlib_irqmp_register(void)
+static void grlib_irqmp_register_types(void)
 {
     type_register_static(&grlib_irqmp_info);
 }
 
-device_init(grlib_irqmp_register)
+type_init(grlib_irqmp_register_types)
diff --git a/hw/gt64xxx.c b/hw/gt64xxx.c
index e8cd59c..a2d0e5a 100644
--- a/hw/gt64xxx.c
+++ b/hw/gt64xxx.c
@@ -1168,10 +1168,10 @@ static TypeInfo gt64120_info = {
     .class_init    = gt64120_class_init,
 };
 
-static void gt64120_pci_register_devices(void)
+static void gt64120_pci_register_types(void)
 {
     type_register_static(&gt64120_info);
     type_register_static(&gt64120_pci_info);
 }
 
-device_init(gt64120_pci_register_devices)
+type_init(gt64120_pci_register_types)
diff --git a/hw/gus.c b/hw/gus.c
index 2054707..840d098 100644
--- a/hw/gus.c
+++ b/hw/gus.c
@@ -324,8 +324,9 @@ static TypeInfo gus_info = {
     .class_init    = gus_class_initfn,
 };
 
-static void gus_register (void)
+static void gus_register_types (void)
 {
     type_register_static (&gus_info);
 }
-device_init (gus_register)
+
+type_init (gus_register_types)
diff --git a/hw/hda-audio.c b/hw/hda-audio.c
index 152f8e6..8995519 100644
--- a/hw/hda-audio.c
+++ b/hw/hda-audio.c
@@ -948,9 +948,10 @@ static TypeInfo hda_audio_duplex_info = {
     .class_init    = hda_audio_duplex_class_init,
 };
 
-static void hda_audio_register(void)
+static void hda_audio_register_types(void)
 {
     type_register_static(&hda_audio_output_info);
     type_register_static(&hda_audio_duplex_info);
 }
-device_init(hda_audio_register);
+
+type_init(hda_audio_register_types)
diff --git a/hw/highbank.c b/hw/highbank.c
index 684178e..b28b464 100644
--- a/hw/highbank.c
+++ b/hw/highbank.c
@@ -177,12 +177,12 @@ static TypeInfo highbank_regs_info = {
     .class_init    = highbank_regs_class_init,
 };
 
-static void highbank_regs_register_device(void)
+static void highbank_regs_register_types(void)
 {
     type_register_static(&highbank_regs_info);
 }
 
-device_init(highbank_regs_register_device)
+type_init(highbank_regs_register_types)
 
 static struct arm_boot_info highbank_binfo;
 
diff --git a/hw/hpet.c b/hw/hpet.c
index b6ace4e..ba36e10 100644
--- a/hw/hpet.c
+++ b/hw/hpet.c
@@ -720,9 +720,9 @@ static TypeInfo hpet_device_info = {
     .class_init    = hpet_device_class_init,
 };
 
-static void hpet_register_device(void)
+static void hpet_register_types(void)
 {
     type_register_static(&hpet_device_info);
 }
 
-device_init(hpet_register_device)
+type_init(hpet_register_types)
diff --git a/hw/i2c.c b/hw/i2c.c
index 8ae4aaa..23dfccb 100644
--- a/hw/i2c.c
+++ b/hw/i2c.c
@@ -230,9 +230,9 @@ static TypeInfo i2c_slave_type_info = {
     .class_init = i2c_slave_class_init,
 };
 
-static void i2c_slave_register_devices(void)
+static void i2c_slave_register_types(void)
 {
     type_register_static(&i2c_slave_type_info);
 }
 
-device_init(i2c_slave_register_devices);
+type_init(i2c_slave_register_types)
diff --git a/hw/i82374.c b/hw/i82374.c
index 220e8cc..67298a3 100644
--- a/hw/i82374.c
+++ b/hw/i82374.c
@@ -157,9 +157,9 @@ static TypeInfo i82374_isa_info = {
     .class_init = i82374_class_init,
 };
 
-static void i82374_register_devices(void)
+static void i82374_register_types(void)
 {
     type_register_static(&i82374_isa_info);
 }
 
-device_init(i82374_register_devices)
+type_init(i82374_register_types)
diff --git a/hw/i82378.c b/hw/i82378.c
index 9c3efe8..3929c04 100644
--- a/hw/i82378.c
+++ b/hw/i82378.c
@@ -267,9 +267,9 @@ static TypeInfo pci_i82378_info = {
     .class_init = pci_i82378_class_init,
 };
 
-static void i82378_register_devices(void)
+static void i82378_register_types(void)
 {
     type_register_static(&pci_i82378_info);
 }
 
-device_init(i82378_register_devices)
+type_init(i82378_register_types)
diff --git a/hw/i8254.c b/hw/i8254.c
index 522fed8..481fc7b 100644
--- a/hw/i8254.c
+++ b/hw/i8254.c
@@ -559,8 +559,9 @@ static TypeInfo pit_info = {
     .class_init    = pit_class_initfn,
 };
 
-static void pit_register(void)
+static void pit_register_types(void)
 {
     type_register_static(&pit_info);
 }
-device_init(pit_register)
+
+type_init(pit_register_types)
diff --git a/hw/i8259.c b/hw/i8259.c
index 7ae5380..1a4b1ab 100644
--- a/hw/i8259.c
+++ b/hw/i8259.c
@@ -488,9 +488,9 @@ static TypeInfo i8259_info = {
     .class_init = i8259_class_init,
 };
 
-static void pic_register(void)
+static void pic_register_types(void)
 {
     type_register_static(&i8259_info);
 }
 
-device_init(pic_register)
+type_init(pic_register_types)
diff --git a/hw/i8259_common.c b/hw/i8259_common.c
index 9f150bc..775fda4 100644
--- a/hw/i8259_common.c
+++ b/hw/i8259_common.c
@@ -153,9 +153,9 @@ static TypeInfo pic_common_type = {
     .abstract = true,
 };
 
-static void register_devices(void)
+static void register_types(void)
 {
     type_register_static(&pic_common_type);
 }
 
-device_init(register_devices);
+type_init(register_types);
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index c87a6ca..c360399 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1261,9 +1261,9 @@ static TypeInfo sysbus_ahci_info = {
     .class_init    = sysbus_ahci_class_init,
 };
 
-static void sysbus_ahci_register(void)
+static void sysbus_ahci_register_types(void)
 {
     type_register_static(&sysbus_ahci_info);
 }
 
-device_init(sysbus_ahci_register);
+type_init(sysbus_ahci_register_types)
diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c
index a119500..743ec02 100644
--- a/hw/ide/cmd646.c
+++ b/hw/ide/cmd646.c
@@ -351,8 +351,9 @@ static TypeInfo cmd646_ide_info = {
     .class_init    = cmd646_ide_class_init,
 };
 
-static void cmd646_ide_register(void)
+static void cmd646_ide_register_types(void)
 {
     type_register_static(&cmd646_ide_info);
 }
-device_init(cmd646_ide_register);
+
+type_init(cmd646_ide_register_types)
diff --git a/hw/ide/ich.c b/hw/ide/ich.c
index 5cdaa99..560ae37 100644
--- a/hw/ide/ich.c
+++ b/hw/ide/ich.c
@@ -168,8 +168,9 @@ static TypeInfo ich_ahci_info = {
     .class_init    = ich_ahci_class_init,
 };
 
-static void ich_ahci_register(void)
+static void ich_ahci_register_types(void)
 {
     type_register_static(&ich_ahci_info);
 }
-device_init(ich_ahci_register);
+
+type_init(ich_ahci_register_types)
diff --git a/hw/ide/isa.c b/hw/ide/isa.c
index a0bcb43..8ab2718 100644
--- a/hw/ide/isa.c
+++ b/hw/ide/isa.c
@@ -118,9 +118,9 @@ static TypeInfo isa_ide_info = {
     .class_init    = isa_ide_class_initfn,
 };
 
-static void isa_ide_register_devices(void)
+static void isa_ide_register_types(void)
 {
     type_register_static(&isa_ide_info);
 }
 
-device_init(isa_ide_register_devices)
+type_init(isa_ide_register_types)
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index bf4465b..aee60aa 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -299,10 +299,11 @@ static TypeInfo piix4_ide_info = {
     .class_init    = piix4_ide_class_init,
 };
 
-static void piix_ide_register(void)
+static void piix_ide_register_types(void)
 {
     type_register_static(&piix3_ide_info);
     type_register_static(&piix3_ide_xen_info);
     type_register_static(&piix4_ide_info);
 }
-device_init(piix_ide_register);
+
+type_init(piix_ide_register_types)
diff --git a/hw/ide/qdev.c b/hw/ide/qdev.c
index 1640616..f6a4896 100644
--- a/hw/ide/qdev.c
+++ b/hw/ide/qdev.c
@@ -257,11 +257,12 @@ static TypeInfo ide_device_type_info = {
     .class_init = ide_device_class_init,
 };
 
-static void ide_dev_register(void)
+static void ide_register_types(void)
 {
     type_register_static(&ide_hd_info);
     type_register_static(&ide_cd_info);
     type_register_static(&ide_drive_info);
     type_register_static(&ide_device_type_info);
 }
-device_init(ide_dev_register);
+
+type_init(ide_register_types)
diff --git a/hw/ide/via.c b/hw/ide/via.c
index b4ca6f2..2886bc6 100644
--- a/hw/ide/via.c
+++ b/hw/ide/via.c
@@ -234,8 +234,9 @@ static TypeInfo via_ide_info = {
     .class_init    = via_ide_class_init,
 };
 
-static void via_ide_register(void)
+static void via_ide_register_types(void)
 {
     type_register_static(&via_ide_info);
 }
-device_init(via_ide_register);
+
+type_init(via_ide_register_types)
diff --git a/hw/integratorcp.c b/hw/integratorcp.c
index 6dbd649..294d7da 100644
--- a/hw/integratorcp.c
+++ b/hw/integratorcp.c
@@ -553,10 +553,10 @@ static TypeInfo icp_pic_info = {
     .class_init    = icp_pic_class_init,
 };
 
-static void integratorcp_register_devices(void)
+static void integratorcp_register_types(void)
 {
     type_register_static(&icp_pic_info);
     type_register_static(&core_info);
 }
 
-device_init(integratorcp_register_devices)
+type_init(integratorcp_register_types)
diff --git a/hw/intel-hda.c b/hw/intel-hda.c
index 83c42d5..bb11af2 100644
--- a/hw/intel-hda.c
+++ b/hw/intel-hda.c
@@ -1287,12 +1287,13 @@ static TypeInfo hda_codec_device_type_info = {
     .class_init = hda_codec_device_class_init,
 };
 
-static void intel_hda_register(void)
+static void intel_hda_register_types(void)
 {
     type_register_static(&intel_hda_info);
     type_register_static(&hda_codec_device_type_info);
 }
-device_init(intel_hda_register);
+
+type_init(intel_hda_register_types)
 
 /*
  * create intel hda controller with codec attached to it,
diff --git a/hw/ioapic.c b/hw/ioapic.c
index 79549f8..3fee011 100644
--- a/hw/ioapic.c
+++ b/hw/ioapic.c
@@ -251,9 +251,9 @@ static TypeInfo ioapic_info = {
     .class_init    = ioapic_class_init,
 };
 
-static void ioapic_register_devices(void)
+static void ioapic_register_types(void)
 {
     type_register_static(&ioapic_info);
 }
 
-device_init(ioapic_register_devices)
+type_init(ioapic_register_types)
diff --git a/hw/ioapic_common.c b/hw/ioapic_common.c
index f932700..653eef2 100644
--- a/hw/ioapic_common.c
+++ b/hw/ioapic_common.c
@@ -112,10 +112,9 @@ static TypeInfo ioapic_common_type = {
     .abstract = true,
 };
 
-static void register_devices(void)
+static void register_types(void)
 {
     type_register_static(&ioapic_common_type);
 }
 
-device_init(register_devices);
-
+type_init(register_types)
diff --git a/hw/ioh3420.c b/hw/ioh3420.c
index 1c60123..1632d31 100644
--- a/hw/ioh3420.c
+++ b/hw/ioh3420.c
@@ -237,12 +237,12 @@ static TypeInfo ioh3420_info = {
     .class_init    = ioh3420_class_init,
 };
 
-static void ioh3420_register(void)
+static void ioh3420_register_types(void)
 {
     type_register_static(&ioh3420_info);
 }
 
-device_init(ioh3420_register);
+type_init(ioh3420_register_types)
 
 /*
  * Local variables:
diff --git a/hw/isa-bus.c b/hw/isa-bus.c
index d03f828..5a43f03 100644
--- a/hw/isa-bus.c
+++ b/hw/isa-bus.c
@@ -210,7 +210,7 @@ static TypeInfo isa_device_type_info = {
     .class_init = isa_device_class_init,
 };
 
-static void isabus_register_devices(void)
+static void isabus_register_types(void)
 {
     type_register_static(&isabus_bridge_info);
     type_register_static(&isa_device_type_info);
@@ -235,4 +235,4 @@ MemoryRegion *isa_address_space(ISADevice *dev)
     return get_system_memory();
 }
 
-device_init(isabus_register_devices)
+type_init(isabus_register_types)
diff --git a/hw/ivshmem.c b/hw/ivshmem.c
index 6f017d4..64e1cd9 100644
--- a/hw/ivshmem.c
+++ b/hw/ivshmem.c
@@ -798,9 +798,9 @@ static TypeInfo ivshmem_info = {
     .class_init    = ivshmem_class_init,
 };
 
-static void ivshmem_register_devices(void)
+static void ivshmem_register_types(void)
 {
     type_register_static(&ivshmem_info);
 }
 
-device_init(ivshmem_register_devices)
+type_init(ivshmem_register_types)
diff --git a/hw/kvm/apic.c b/hw/kvm/apic.c
index dfc2ab3..5bb0a4b 100644
--- a/hw/kvm/apic.c
+++ b/hw/kvm/apic.c
@@ -139,9 +139,9 @@ static TypeInfo kvm_apic_info = {
     .class_init = kvm_apic_class_init,
 };
 
-static void kvm_apic_register_device(void)
+static void kvm_apic_register_types(void)
 {
     type_register_static(&kvm_apic_info);
 }
 
-device_init(kvm_apic_register_device)
+type_init(kvm_apic_register_types)
diff --git a/hw/kvm/clock.c b/hw/kvm/clock.c
index d5a5386..2157340 100644
--- a/hw/kvm/clock.c
+++ b/hw/kvm/clock.c
@@ -119,11 +119,11 @@ void kvmclock_create(void)
     }
 }
 
-static void kvmclock_register_device(void)
+static void kvmclock_register_types(void)
 {
     if (kvm_enabled()) {
     type_register_static(&kvmclock_info);
     }
 }
 
-device_init(kvmclock_register_device);
+type_init(kvmclock_register_types)
diff --git a/hw/kvm/i8259.c b/hw/kvm/i8259.c
index 14bd427..eb98889 100644
--- a/hw/kvm/i8259.c
+++ b/hw/kvm/i8259.c
@@ -130,9 +130,9 @@ static TypeInfo kvm_i8259_info = {
     .class_init = kvm_i8259_class_init,
 };
 
-static void kvm_pic_register(void)
+static void kvm_pic_register_types(void)
 {
     type_register_static(&kvm_i8259_info);
 }
 
-device_init(kvm_pic_register)
+type_init(kvm_pic_register_types)
diff --git a/hw/kvm/ioapic.c b/hw/kvm/ioapic.c
index b316933..3ae3175 100644
--- a/hw/kvm/ioapic.c
+++ b/hw/kvm/ioapic.c
@@ -117,9 +117,9 @@ static TypeInfo kvm_ioapic_info = {
     .class_init = kvm_ioapic_class_init,
 };
 
-static void kvm_ioapic_register_device(void)
+static void kvm_ioapic_register_types(void)
 {
     type_register_static(&kvm_ioapic_info);
 }
 
-device_init(kvm_ioapic_register_device)
+type_init(kvm_ioapic_register_types)
diff --git a/hw/lan9118.c b/hw/lan9118.c
index 78777c7..aeb0c39 100644
--- a/hw/lan9118.c
+++ b/hw/lan9118.c
@@ -1261,7 +1261,7 @@ static TypeInfo lan9118_info = {
     .class_init    = lan9118_class_init,
 };
 
-static void lan9118_register_devices(void)
+static void lan9118_register_types(void)
 {
     type_register_static(&lan9118_info);
 }
@@ -1282,4 +1282,4 @@ void lan9118_init(NICInfo *nd, uint32_t base, qemu_irq irq)
     sysbus_connect_irq(s, 0, irq);
 }
 
-device_init(lan9118_register_devices)
+type_init(lan9118_register_types)
diff --git a/hw/lance.c b/hw/lance.c
index 519720b..ce3d46c 100644
--- a/hw/lance.c
+++ b/hw/lance.c
@@ -162,8 +162,9 @@ static TypeInfo lance_info = {
     .class_init    = lance_class_init,
 };
 
-static void lance_register_devices(void)
+static void lance_register_types(void)
 {
     type_register_static(&lance_info);
 }
-device_init(lance_register_devices)
+
+type_init(lance_register_types)
diff --git a/hw/lm32_juart.c b/hw/lm32_juart.c
index 38dd282..f07ed39 100644
--- a/hw/lm32_juart.c
+++ b/hw/lm32_juart.c
@@ -151,9 +151,9 @@ static TypeInfo lm32_juart_info = {
     .class_init    = lm32_juart_class_init,
 };
 
-static void lm32_juart_register(void)
+static void lm32_juart_register_types(void)
 {
     type_register_static(&lm32_juart_info);
 }
 
-device_init(lm32_juart_register)
+type_init(lm32_juart_register_types)
diff --git a/hw/lm32_pic.c b/hw/lm32_pic.c
index 7be6d0d..32f65db 100644
--- a/hw/lm32_pic.c
+++ b/hw/lm32_pic.c
@@ -191,9 +191,9 @@ static TypeInfo lm32_pic_info = {
     .class_init    = lm32_pic_class_init,
 };
 
-static void lm32_pic_register(void)
+static void lm32_pic_register_types(void)
 {
     type_register_static(&lm32_pic_info);
 }
 
-device_init(lm32_pic_register)
+type_init(lm32_pic_register_types)
diff --git a/hw/lm32_sys.c b/hw/lm32_sys.c
index ba6f4ac..bbe03c4 100644
--- a/hw/lm32_sys.c
+++ b/hw/lm32_sys.c
@@ -164,9 +164,9 @@ static TypeInfo lm32_sys_info = {
     .class_init    = lm32_sys_class_init,
 };
 
-static void lm32_sys_register(void)
+static void lm32_sys_register_types(void)
 {
     type_register_static(&lm32_sys_info);
 }
 
-device_init(lm32_sys_register)
+type_init(lm32_sys_register_types)
diff --git a/hw/lm32_timer.c b/hw/lm32_timer.c
index 3cb4e0a..e9450a0 100644
--- a/hw/lm32_timer.c
+++ b/hw/lm32_timer.c
@@ -222,9 +222,9 @@ static TypeInfo lm32_timer_info = {
     .class_init    = lm32_timer_class_init,
 };
 
-static void lm32_timer_register(void)
+static void lm32_timer_register_types(void)
 {
     type_register_static(&lm32_timer_info);
 }
 
-device_init(lm32_timer_register)
+type_init(lm32_timer_register_types)
diff --git a/hw/lm32_uart.c b/hw/lm32_uart.c
index 630ccb7..57066e2 100644
--- a/hw/lm32_uart.c
+++ b/hw/lm32_uart.c
@@ -288,9 +288,9 @@ static TypeInfo lm32_uart_info = {
     .class_init    = lm32_uart_class_init,
 };
 
-static void lm32_uart_register(void)
+static void lm32_uart_register_types(void)
 {
     type_register_static(&lm32_uart_info);
 }
 
-device_init(lm32_uart_register)
+type_init(lm32_uart_register_types)
diff --git a/hw/lm832x.c b/hw/lm832x.c
index 895d306..8e09f9b 100644
--- a/hw/lm832x.c
+++ b/hw/lm832x.c
@@ -513,9 +513,9 @@ static TypeInfo lm8323_info = {
     .class_init    = lm8323_class_init,
 };
 
-static void lm832x_register_devices(void)
+static void lm832x_register_types(void)
 {
     type_register_static(&lm8323_info);
 }
 
-device_init(lm832x_register_devices)
+type_init(lm832x_register_types)
diff --git a/hw/lsi53c895a.c b/hw/lsi53c895a.c
index 9a7ffe3..0acd1d0 100644
--- a/hw/lsi53c895a.c
+++ b/hw/lsi53c895a.c
@@ -2142,9 +2142,9 @@ static TypeInfo lsi_info = {
     .class_init    = lsi_class_init,
 };
 
-static void lsi53c895a_register_devices(void)
+static void lsi53c895a_register_types(void)
 {
     type_register_static(&lsi_info);
 }
 
-device_init(lsi53c895a_register_devices);
+type_init(lsi53c895a_register_types)
diff --git a/hw/m48t59.c b/hw/m48t59.c
index c35867d..60bbb00 100644
--- a/hw/m48t59.c
+++ b/hw/m48t59.c
@@ -768,10 +768,10 @@ static TypeInfo m48t59_info = {
     .class_init    = m48t59_class_init,
 };
 
-static void m48t59_register_devices(void)
+static void m48t59_register_types(void)
 {
     type_register_static(&m48t59_info);
     type_register_static(&m48t59_isa_info);
 }
 
-device_init(m48t59_register_devices)
+type_init(m48t59_register_types)
diff --git a/hw/macio.c b/hw/macio.c
index 3d648e9..eb15b89 100644
--- a/hw/macio.c
+++ b/hw/macio.c
@@ -97,12 +97,12 @@ static TypeInfo macio_info = {
     .class_init    = macio_class_init,
 };
 
-static void macio_register(void)
+static void macio_register_types(void)
 {
     type_register_static(&macio_info);
 }
 
-device_init(macio_register);
+type_init(macio_register_types)
 
 void macio_init (PCIBus *bus, int device_id, int is_oldworld,
                  MemoryRegion *pic_mem, MemoryRegion *dbdma_mem,
diff --git a/hw/marvell_88w8618_audio.c b/hw/marvell_88w8618_audio.c
index b628f17..f6f1937 100644
--- a/hw/marvell_88w8618_audio.c
+++ b/hw/marvell_88w8618_audio.c
@@ -295,9 +295,9 @@ static TypeInfo mv88w8618_audio_info = {
     .class_init    = mv88w8618_audio_class_init,
 };
 
-static void mv88w8618_register_devices(void)
+static void mv88w8618_register_types(void)
 {
     type_register_static(&mv88w8618_audio_info);
 }
 
-device_init(mv88w8618_register_devices)
+type_init(mv88w8618_register_types)
diff --git a/hw/max111x.c b/hw/max111x.c
index 9d61aa9..706d89f 100644
--- a/hw/max111x.c
+++ b/hw/max111x.c
@@ -183,10 +183,10 @@ static TypeInfo max1111_info = {
     .class_init    = max1111_class_init,
 };
 
-static void max111x_register_devices(void)
+static void max111x_register_types(void)
 {
     type_register_static(&max1110_info);
     type_register_static(&max1111_info);
 }
 
-device_init(max111x_register_devices)
+type_init(max111x_register_types)
diff --git a/hw/max7310.c b/hw/max7310.c
index 3a6bb96..1ed18ba 100644
--- a/hw/max7310.c
+++ b/hw/max7310.c
@@ -205,9 +205,9 @@ static TypeInfo max7310_info = {
     .class_init    = max7310_class_init,
 };
 
-static void max7310_register_devices(void)
+static void max7310_register_types(void)
 {
     type_register_static(&max7310_info);
 }
 
-device_init(max7310_register_devices)
+type_init(max7310_register_types)
diff --git a/hw/mc146818rtc.c b/hw/mc146818rtc.c
index 4a43225..6c1ad38 100644
--- a/hw/mc146818rtc.c
+++ b/hw/mc146818rtc.c
@@ -733,8 +733,9 @@ static TypeInfo mc146818rtc_info = {
     .class_init    = rtc_class_initfn,
 };
 
-static void mc146818rtc_register(void)
+static void mc146818rtc_register_types(void)
 {
     type_register_static(&mc146818rtc_info);
 }
-device_init(mc146818rtc_register)
+
+type_init(mc146818rtc_register_types)
diff --git a/hw/milkymist-ac97.c b/hw/milkymist-ac97.c
index 0881643..4414f39 100644
--- a/hw/milkymist-ac97.c
+++ b/hw/milkymist-ac97.c
@@ -336,9 +336,9 @@ static TypeInfo milkymist_ac97_info = {
     .class_init    = milkymist_ac97_class_init,
 };
 
-static void milkymist_ac97_register(void)
+static void milkymist_ac97_register_types(void)
 {
     type_register_static(&milkymist_ac97_info);
 }
 
-device_init(milkymist_ac97_register)
+type_init(milkymist_ac97_register_types)
diff --git a/hw/milkymist-hpdmc.c b/hw/milkymist-hpdmc.c
index b5122af..2da0293 100644
--- a/hw/milkymist-hpdmc.c
+++ b/hw/milkymist-hpdmc.c
@@ -162,9 +162,9 @@ static TypeInfo milkymist_hpdmc_info = {
     .class_init    = milkymist_hpdmc_class_init,
 };
 
-static void milkymist_hpdmc_register(void)
+static void milkymist_hpdmc_register_types(void)
 {
     type_register_static(&milkymist_hpdmc_info);
 }
 
-device_init(milkymist_hpdmc_register)
+type_init(milkymist_hpdmc_register_types)
diff --git a/hw/milkymist-memcard.c b/hw/milkymist-memcard.c
index 3c1c68a..3515c3c 100644
--- a/hw/milkymist-memcard.c
+++ b/hw/milkymist-memcard.c
@@ -295,9 +295,9 @@ static TypeInfo milkymist_memcard_info = {
     .class_init    = milkymist_memcard_class_init,
 };
 
-static void milkymist_memcard_register(void)
+static void milkymist_memcard_register_types(void)
 {
     type_register_static(&milkymist_memcard_info);
 }
 
-device_init(milkymist_memcard_register)
+type_init(milkymist_memcard_register_types)
diff --git a/hw/milkymist-minimac2.c b/hw/milkymist-minimac2.c
index b9b553f..70bf336 100644
--- a/hw/milkymist-minimac2.c
+++ b/hw/milkymist-minimac2.c
@@ -542,9 +542,9 @@ static TypeInfo milkymist_minimac2_info = {
     .class_init    = milkymist_minimac2_class_init,
 };
 
-static void milkymist_minimac2_register(void)
+static void milkymist_minimac2_register_types(void)
 {
     type_register_static(&milkymist_minimac2_info);
 }
 
-device_init(milkymist_minimac2_register)
+type_init(milkymist_minimac2_register_types)
diff --git a/hw/milkymist-pfpu.c b/hw/milkymist-pfpu.c
index 1b73a46..0f9ff4a 100644
--- a/hw/milkymist-pfpu.c
+++ b/hw/milkymist-pfpu.c
@@ -536,9 +536,9 @@ static TypeInfo milkymist_pfpu_info = {
     .class_init    = milkymist_pfpu_class_init,
 };
 
-static void milkymist_pfpu_register(void)
+static void milkymist_pfpu_register_types(void)
 {
     type_register_static(&milkymist_pfpu_info);
 }
 
-device_init(milkymist_pfpu_register)
+type_init(milkymist_pfpu_register_types)
diff --git a/hw/milkymist-softusb.c b/hw/milkymist-softusb.c
index 5d496cb..ecc2be9 100644
--- a/hw/milkymist-softusb.c
+++ b/hw/milkymist-softusb.c
@@ -323,9 +323,9 @@ static TypeInfo milkymist_softusb_info = {
     .class_init    = milkymist_softusb_class_init,
 };
 
-static void milkymist_softusb_register(void)
+static void milkymist_softusb_register_types(void)
 {
     type_register_static(&milkymist_softusb_info);
 }
 
-device_init(milkymist_softusb_register)
+type_init(milkymist_softusb_register_types)
diff --git a/hw/milkymist-sysctl.c b/hw/milkymist-sysctl.c
index 18171f6..a88548e 100644
--- a/hw/milkymist-sysctl.c
+++ b/hw/milkymist-sysctl.c
@@ -322,9 +322,9 @@ static TypeInfo milkymist_sysctl_info = {
     .class_init    = milkymist_sysctl_class_init,
 };
 
-static void milkymist_sysctl_register(void)
+static void milkymist_sysctl_register_types(void)
 {
     type_register_static(&milkymist_sysctl_info);
 }
 
-device_init(milkymist_sysctl_register)
+type_init(milkymist_sysctl_register_types)
diff --git a/hw/milkymist-tmu2.c b/hw/milkymist-tmu2.c
index 474eae0..210ceed 100644
--- a/hw/milkymist-tmu2.c
+++ b/hw/milkymist-tmu2.c
@@ -482,9 +482,9 @@ static TypeInfo milkymist_tmu2_info = {
     .class_init    = milkymist_tmu2_class_init,
 };
 
-static void milkymist_tmu2_register(void)
+static void milkymist_tmu2_register_types(void)
 {
     type_register_static(&milkymist_tmu2_info);
 }
 
-device_init(milkymist_tmu2_register)
+type_init(milkymist_tmu2_register_types)
diff --git a/hw/milkymist-uart.c b/hw/milkymist-uart.c
index f9a229c..291fe3c 100644
--- a/hw/milkymist-uart.c
+++ b/hw/milkymist-uart.c
@@ -235,9 +235,9 @@ static TypeInfo milkymist_uart_info = {
     .class_init    = milkymist_uart_class_init,
 };
 
-static void milkymist_uart_register(void)
+static void milkymist_uart_register_types(void)
 {
     type_register_static(&milkymist_uart_info);
 }
 
-device_init(milkymist_uart_register)
+type_init(milkymist_uart_register_types)
diff --git a/hw/milkymist-vgafb.c b/hw/milkymist-vgafb.c
index 92ad02f..69afd72 100644
--- a/hw/milkymist-vgafb.c
+++ b/hw/milkymist-vgafb.c
@@ -323,9 +323,9 @@ static TypeInfo milkymist_vgafb_info = {
     .class_init    = milkymist_vgafb_class_init,
 };
 
-static void milkymist_vgafb_register(void)
+static void milkymist_vgafb_register_types(void)
 {
     type_register_static(&milkymist_vgafb_info);
 }
 
-device_init(milkymist_vgafb_register)
+type_init(milkymist_vgafb_register_types)
diff --git a/hw/mips_malta.c b/hw/mips_malta.c
index d232630..ffecefd 100644
--- a/hw/mips_malta.c
+++ b/hw/mips_malta.c
@@ -1029,7 +1029,7 @@ static QEMUMachine mips_malta_machine = {
     .is_default = 1,
 };
 
-static void mips_malta_device_init(void)
+static void mips_malta_register_types(void)
 {
     type_register_static(&mips_malta_device);
 }
@@ -1039,5 +1039,5 @@ static void mips_malta_machine_init(void)
     qemu_register_machine(&mips_malta_machine);
 }
 
-device_init(mips_malta_device_init);
+type_init(mips_malta_register_types)
 machine_init(mips_malta_machine_init);
diff --git a/hw/mipsnet.c b/hw/mipsnet.c
index a0e6c9f..50d92f8 100644
--- a/hw/mipsnet.c
+++ b/hw/mipsnet.c
@@ -276,9 +276,9 @@ static TypeInfo mipsnet_info = {
     .class_init    = mipsnet_class_init,
 };
 
-static void mipsnet_register_devices(void)
+static void mipsnet_register_types(void)
 {
     type_register_static(&mipsnet_info);
 }
 
-device_init(mipsnet_register_devices)
+type_init(mipsnet_register_types)
diff --git a/hw/mpc8544_guts.c b/hw/mpc8544_guts.c
index 28cd60d..aeb2de7 100644
--- a/hw/mpc8544_guts.c
+++ b/hw/mpc8544_guts.c
@@ -135,8 +135,9 @@ static TypeInfo mpc8544_guts_info = {
     .class_init    = mpc8544_guts_class_init,
 };
 
-static void mpc8544_guts_register(void)
+static void mpc8544_guts_register_types(void)
 {
     type_register_static(&mpc8544_guts_info);
 }
-device_init(mpc8544_guts_register);
+
+type_init(mpc8544_guts_register_types)
diff --git a/hw/mst_fpga.c b/hw/mst_fpga.c
index 1729db0..024192d 100644
--- a/hw/mst_fpga.c
+++ b/hw/mst_fpga.c
@@ -255,8 +255,9 @@ static TypeInfo mst_fpga_info = {
     .class_init    = mst_fpga_class_init,
 };
 
-static void mst_fpga_register(void)
+static void mst_fpga_register_types(void)
 {
     type_register_static(&mst_fpga_info);
 }
-device_init(mst_fpga_register);
+
+type_init(mst_fpga_register_types)
diff --git a/hw/musicpal.c b/hw/musicpal.c
index ac90924..187a1ae 100644
--- a/hw/musicpal.c
+++ b/hw/musicpal.c
@@ -1681,7 +1681,7 @@ static TypeInfo mv88w8618_wlan_info = {
     .class_init    = mv88w8618_wlan_class_init,
 };
 
-static void musicpal_register_devices(void)
+static void musicpal_register_types(void)
 {
     type_register_static(&mv88w8618_pic_info);
     type_register_static(&mv88w8618_pit_info);
@@ -1693,4 +1693,4 @@ static void musicpal_register_devices(void)
     type_register_static(&musicpal_key_info);
 }
 
-device_init(musicpal_register_devices)
+type_init(musicpal_register_types)
diff --git a/hw/nand.c b/hw/nand.c
index 5d947b1..e9501ae 100644
--- a/hw/nand.c
+++ b/hw/nand.c
@@ -442,7 +442,7 @@ static TypeInfo nand_info = {
     .class_init    = nand_class_init,
 };
 
-static void nand_create_device(void)
+static void nand_register_types(void)
 {
     type_register_static(&nand_info);
 }
@@ -635,7 +635,7 @@ DeviceState *nand_init(BlockDriverState *bdrv, int manf_id, int chip_id)
     return dev;
 }
 
-device_init(nand_create_device)
+type_init(nand_register_types)
 
 #else
 
diff --git a/hw/ne2000-isa.c b/hw/ne2000-isa.c
index 1352282..a4a783a 100644
--- a/hw/ne2000-isa.c
+++ b/hw/ne2000-isa.c
@@ -104,9 +104,9 @@ static TypeInfo ne2000_isa_info = {
     .class_init    = isa_ne2000_class_initfn,
 };
 
-static void ne2000_isa_register_devices(void)
+static void ne2000_isa_register_types(void)
 {
     type_register_static(&ne2000_isa_info);
 }
 
-device_init(ne2000_isa_register_devices)
+type_init(ne2000_isa_register_types)
diff --git a/hw/ne2000.c b/hw/ne2000.c
index 080811e..bb84fd1 100644
--- a/hw/ne2000.c
+++ b/hw/ne2000.c
@@ -812,9 +812,9 @@ static TypeInfo ne2000_info = {
     .class_init    = ne2000_class_init,
 };
 
-static void ne2000_register_devices(void)
+static void ne2000_register_types(void)
 {
     type_register_static(&ne2000_info);
 }
 
-device_init(ne2000_register_devices)
+type_init(ne2000_register_types)
diff --git a/hw/omap_gpio.c b/hw/omap_gpio.c
index 9a9a8e1..201ff77 100644
--- a/hw/omap_gpio.c
+++ b/hw/omap_gpio.c
@@ -783,10 +783,10 @@ static TypeInfo omap2_gpio_info = {
     .class_init    = omap2_gpio_class_init,
 };
 
-static void omap_gpio_register_device(void)
+static void omap_gpio_register_types(void)
 {
     type_register_static(&omap_gpio_info);
     type_register_static(&omap2_gpio_info);
 }
 
-device_init(omap_gpio_register_device)
+type_init(omap_gpio_register_types)
diff --git a/hw/omap_intc.c b/hw/omap_intc.c
index 5aa98a8..5076e07 100644
--- a/hw/omap_intc.c
+++ b/hw/omap_intc.c
@@ -640,10 +640,10 @@ static TypeInfo omap2_intc_info = {
     .class_init    = omap2_intc_class_init,
 };
 
-static void omap_intc_register_device(void)
+static void omap_intc_register_types(void)
 {
     type_register_static(&omap_intc_info);
     type_register_static(&omap2_intc_info);
 }
 
-device_init(omap_intc_register_device)
+type_init(omap_intc_register_types)
diff --git a/hw/onenand.c b/hw/onenand.c
index 8744b04..db6af68 100644
--- a/hw/onenand.c
+++ b/hw/onenand.c
@@ -828,7 +828,7 @@ static TypeInfo onenand_info = {
     .class_init    = onenand_class_init,
 };
 
-static void onenand_register_device(void)
+static void onenand_register_types(void)
 {
     type_register_static(&onenand_info);
 }
@@ -838,4 +838,4 @@ void *onenand_raw_otp(DeviceState *onenand_device)
     return FROM_SYSBUS(OneNANDState, sysbus_from_qdev(onenand_device))->otp;
 }
 
-device_init(onenand_register_device)
+type_init(onenand_register_types)
diff --git a/hw/opencores_eth.c b/hw/opencores_eth.c
index 09f2757..9b036cb 100644
--- a/hw/opencores_eth.c
+++ b/hw/opencores_eth.c
@@ -750,9 +750,9 @@ static TypeInfo open_eth_info = {
     .class_init    = open_eth_class_init,
 };
 
-static void open_eth_register_devices(void)
+static void open_eth_register_types(void)
 {
     type_register_static(&open_eth_info);
 }
 
-device_init(open_eth_register_devices)
+type_init(open_eth_register_types)
diff --git a/hw/parallel.c b/hw/parallel.c
index 484d727..219f384 100644
--- a/hw/parallel.c
+++ b/hw/parallel.c
@@ -606,9 +606,9 @@ static TypeInfo parallel_isa_info = {
     .class_init    = parallel_isa_class_initfn,
 };
 
-static void parallel_register_devices(void)
+static void parallel_register_types(void)
 {
     type_register_static(&parallel_isa_info);
 }
 
-device_init(parallel_register_devices)
+type_init(parallel_register_types)
diff --git a/hw/pc.c b/hw/pc.c
index 7f3aa65..8d8f59b 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -514,11 +514,12 @@ static TypeInfo port92_info = {
     .class_init    = port92_class_initfn,
 };
 
-static void port92_register(void)
+static void port92_register_types(void)
 {
     type_register_static(&port92_info);
 }
-device_init(port92_register)
+
+type_init(port92_register_types)
 
 static void handle_a20_line_change(void *opaque, int irq, int level)
 {
diff --git a/hw/pci.c b/hw/pci.c
index 5f4f80e..678a8c1 100644
--- a/hw/pci.c
+++ b/hw/pci.c
@@ -2003,9 +2003,9 @@ static TypeInfo pci_device_type_info = {
     .class_init = pci_device_class_init,
 };
 
-static void pci_register_devices(void)
+static void pci_register_types(void)
 {
     type_register_static(&pci_device_type_info);
 }
 
-device_init(pci_register_devices);
+type_init(pci_register_types)
diff --git a/hw/pckbd.c b/hw/pckbd.c
index b4c53be..69857ba 100644
--- a/hw/pckbd.c
+++ b/hw/pckbd.c
@@ -513,8 +513,9 @@ static TypeInfo i8042_info = {
     .class_init    = i8042_class_initfn,
 };
 
-static void i8042_register(void)
+static void i8042_register_types(void)
 {
     type_register_static(&i8042_info);
 }
-device_init(i8042_register)
+
+type_init(i8042_register_types)
diff --git a/hw/pcnet-pci.c b/hw/pcnet-pci.c
index 439f32c..3682609 100644
--- a/hw/pcnet-pci.c
+++ b/hw/pcnet-pci.c
@@ -376,9 +376,9 @@ static TypeInfo pcnet_info = {
     .class_init    = pcnet_class_init,
 };
 
-static void pci_pcnet_register_devices(void)
+static void pci_pcnet_register_types(void)
 {
     type_register_static(&pcnet_info);
 }
 
-device_init(pci_pcnet_register_devices)
+type_init(pci_pcnet_register_types)
diff --git a/hw/piix4.c b/hw/piix4.c
index 4e7a237..ce4eb0d 100644
--- a/hw/piix4.c
+++ b/hw/piix4.c
@@ -124,8 +124,9 @@ static TypeInfo piix4_info = {
     .class_init    = piix4_class_init,
 };
 
-static void piix4_register(void)
+static void piix4_register_types(void)
 {
     type_register_static(&piix4_info);
 }
-device_init(piix4_register);
+
+type_init(piix4_register_types)
diff --git a/hw/piix_pci.c b/hw/piix_pci.c
index 1906427..e0268fe 100644
--- a/hw/piix_pci.c
+++ b/hw/piix_pci.c
@@ -589,11 +589,12 @@ static TypeInfo i440fx_pcihost_info = {
     .class_init    = i440fx_pcihost_class_init,
 };
 
-static void i440fx_register(void)
+static void i440fx_register_types(void)
 {
     type_register_static(&i440fx_info);
     type_register_static(&piix3_info);
     type_register_static(&piix3_xen_info);
     type_register_static(&i440fx_pcihost_info);
 }
-device_init(i440fx_register);
+
+type_init(i440fx_register_types)
diff --git a/hw/pl011.c b/hw/pl011.c
index 752cbf9..8a5a8f5 100644
--- a/hw/pl011.c
+++ b/hw/pl011.c
@@ -316,10 +316,10 @@ static TypeInfo pl011_luminary_info = {
     .class_init    = pl011_luminary_class_init,
 };
 
-static void pl011_register_devices(void)
+static void pl011_register_types(void)
 {
     type_register_static(&pl011_arm_info);
     type_register_static(&pl011_luminary_info);
 }
 
-device_init(pl011_register_devices)
+type_init(pl011_register_types)
diff --git a/hw/pl022.c b/hw/pl022.c
index 30bd344..03bf63c 100644
--- a/hw/pl022.c
+++ b/hw/pl022.c
@@ -299,9 +299,9 @@ static TypeInfo pl022_info = {
     .class_init    = pl022_class_init,
 };
 
-static void pl022_register_devices(void)
+static void pl022_register_types(void)
 {
     type_register_static(&pl022_info);
 }
 
-device_init(pl022_register_devices)
+type_init(pl022_register_types)
diff --git a/hw/pl031.c b/hw/pl031.c
index 8416a60..05b5b11 100644
--- a/hw/pl031.c
+++ b/hw/pl031.c
@@ -230,9 +230,9 @@ static TypeInfo pl031_info = {
     .class_init    = pl031_class_init,
 };
 
-static void pl031_register_devices(void)
+static void pl031_register_types(void)
 {
     type_register_static(&pl031_info);
 }
 
-device_init(pl031_register_devices)
+type_init(pl031_register_types)
diff --git a/hw/pl041.c b/hw/pl041.c
index 6d99c9c..b6723be 100644
--- a/hw/pl041.c
+++ b/hw/pl041.c
@@ -638,9 +638,9 @@ static TypeInfo pl041_device_info = {
     .class_init    = pl041_device_class_init,
 };
 
-static void pl041_register_device(void)
+static void pl041_register_types(void)
 {
     type_register_static(&pl041_device_info);
 }
 
-device_init(pl041_register_device)
+type_init(pl041_register_types)
diff --git a/hw/pl050.c b/hw/pl050.c
index b0094ac..b13924a 100644
--- a/hw/pl050.c
+++ b/hw/pl050.c
@@ -189,10 +189,10 @@ static TypeInfo pl050_mouse_info = {
     .class_init    = pl050_mouse_class_init,
 };
 
-static void pl050_register_devices(void)
+static void pl050_register_types(void)
 {
     type_register_static(&pl050_kbd_info);
     type_register_static(&pl050_mouse_info);
 }
 
-device_init(pl050_register_devices)
+type_init(pl050_register_types)
diff --git a/hw/pl061.c b/hw/pl061.c
index 3136c99..2aac7e8 100644
--- a/hw/pl061.c
+++ b/hw/pl061.c
@@ -325,10 +325,10 @@ static TypeInfo pl061_luminary_info = {
     .class_init    = pl061_luminary_class_init,
 };
 
-static void pl061_register_devices(void)
+static void pl061_register_types(void)
 {
     type_register_static(&pl061_info);
     type_register_static(&pl061_luminary_info);
 }
 
-device_init(pl061_register_devices)
+type_init(pl061_register_types)
diff --git a/hw/pl080.c b/hw/pl080.c
index 4405d18..b3cf651 100644
--- a/hw/pl080.c
+++ b/hw/pl080.c
@@ -409,10 +409,10 @@ static TypeInfo pl081_info = {
 
 /* The PL080 and PL081 are the same except for the number of channels
    they implement (8 and 2 respectively).  */
-static void pl080_register_devices(void)
+static void pl080_register_types(void)
 {
     type_register_static(&pl080_info);
     type_register_static(&pl081_info);
 }
 
-device_init(pl080_register_devices)
+type_init(pl080_register_types)
diff --git a/hw/pl110.c b/hw/pl110.c
index 86e95a3..f94608c 100644
--- a/hw/pl110.c
+++ b/hw/pl110.c
@@ -520,11 +520,11 @@ static TypeInfo pl111_info = {
     .class_init    = pl111_class_init,
 };
 
-static void pl110_register_devices(void)
+static void pl110_register_types(void)
 {
     type_register_static(&pl110_info);
     type_register_static(&pl110_versatile_info);
     type_register_static(&pl111_info);
 }
 
-device_init(pl110_register_devices)
+type_init(pl110_register_types)
diff --git a/hw/pl181.c b/hw/pl181.c
index ae636e2..7d91fbb 100644
--- a/hw/pl181.c
+++ b/hw/pl181.c
@@ -505,9 +505,9 @@ static TypeInfo pl181_info = {
     .class_init    = pl181_class_init,
 };
 
-static void pl181_register_devices(void)
+static void pl181_register_types(void)
 {
     type_register_static(&pl181_info);
 }
 
-device_init(pl181_register_devices)
+type_init(pl181_register_types)
diff --git a/hw/pl190.c b/hw/pl190.c
index 956ab21..cb50afb 100644
--- a/hw/pl190.c
+++ b/hw/pl190.c
@@ -273,9 +273,9 @@ static TypeInfo pl190_info = {
     .class_init    = pl190_class_init,
 };
 
-static void pl190_register_devices(void)
+static void pl190_register_types(void)
 {
     type_register_static(&pl190_info);
 }
 
-device_init(pl190_register_devices)
+type_init(pl190_register_types)
diff --git a/hw/ppc4xx_pci.c b/hw/ppc4xx_pci.c
index d11f120..203c3cd 100644
--- a/hw/ppc4xx_pci.c
+++ b/hw/ppc4xx_pci.c
@@ -400,9 +400,10 @@ static TypeInfo ppc4xx_pcihost_info = {
     .class_init    = ppc4xx_pcihost_class_init,
 };
 
-static void ppc4xx_pci_register(void)
+static void ppc4xx_pci_register_types(void)
 {
     type_register_static(&ppc4xx_pcihost_info);
     type_register_static(&ppc4xx_host_bridge_info);
 }
-device_init(ppc4xx_pci_register);
+
+type_init(ppc4xx_pci_register_types)
diff --git a/hw/ppce500_pci.c b/hw/ppce500_pci.c
index d5bce71..0f60b24 100644
--- a/hw/ppce500_pci.c
+++ b/hw/ppce500_pci.c
@@ -373,9 +373,10 @@ static TypeInfo e500_pcihost_info = {
     .class_init    = e500_pcihost_class_init,
 };
 
-static void e500_pci_register(void)
+static void e500_pci_register_types(void)
 {
     type_register_static(&e500_pcihost_info);
     type_register_static(&e500_host_bridge_info);
 }
-device_init(e500_pci_register);
+
+type_init(e500_pci_register_types)
diff --git a/hw/ppce500_spin.c b/hw/ppce500_spin.c
index 9d648ec..6b8a189 100644
--- a/hw/ppce500_spin.c
+++ b/hw/ppce500_spin.c
@@ -217,8 +217,9 @@ static TypeInfo ppce500_spin_info = {
     .class_init    = ppce500_spin_class_init,
 };
 
-static void ppce500_spin_register(void)
+static void ppce500_spin_register_types(void)
 {
     type_register_static(&ppce500_spin_info);
 }
-device_init(ppce500_spin_register);
+
+type_init(ppce500_spin_register_types)
diff --git a/hw/prep_pci.c b/hw/prep_pci.c
index 40b8bb0..8b29da9 100644
--- a/hw/prep_pci.c
+++ b/hw/prep_pci.c
@@ -173,10 +173,10 @@ static TypeInfo raven_pcihost_info = {
     .class_init = raven_pcihost_class_init,
 };
 
-static void raven_register_devices(void)
+static void raven_register_types(void)
 {
     type_register_static(&raven_pcihost_info);
     type_register_static(&raven_info);
 }
 
-device_init(raven_register_devices)
+type_init(raven_register_types)
diff --git a/hw/pxa2xx.c b/hw/pxa2xx.c
index 244c614..1ab2701 100644
--- a/hw/pxa2xx.c
+++ b/hw/pxa2xx.c
@@ -2330,7 +2330,7 @@ static TypeInfo pxa2xx_ssp_info = {
     .class_init    = pxa2xx_ssp_class_init,
 };
 
-static void pxa2xx_register_devices(void)
+static void pxa2xx_register_types(void)
 {
     type_register_static(&pxa2xx_i2c_slave_info);
     type_register_static(&pxa2xx_ssp_info);
@@ -2338,4 +2338,4 @@ static void pxa2xx_register_devices(void)
     type_register_static(&pxa2xx_rtc_sysbus_info);
 }
 
-device_init(pxa2xx_register_devices)
+type_init(pxa2xx_register_types)
diff --git a/hw/pxa2xx_dma.c b/hw/pxa2xx_dma.c
index 2d61565..8ced0dd 100644
--- a/hw/pxa2xx_dma.c
+++ b/hw/pxa2xx_dma.c
@@ -566,8 +566,9 @@ static TypeInfo pxa2xx_dma_info = {
     .class_init    = pxa2xx_dma_class_init,
 };
 
-static void pxa2xx_dma_register(void)
+static void pxa2xx_dma_register_types(void)
 {
     type_register_static(&pxa2xx_dma_info);
 }
-device_init(pxa2xx_dma_register);
+
+type_init(pxa2xx_dma_register_types)
diff --git a/hw/pxa2xx_gpio.c b/hw/pxa2xx_gpio.c
index 67fd17c..d5f5716 100644
--- a/hw/pxa2xx_gpio.c
+++ b/hw/pxa2xx_gpio.c
@@ -340,8 +340,9 @@ static TypeInfo pxa2xx_gpio_info = {
     .class_init    = pxa2xx_gpio_class_init,
 };
 
-static void pxa2xx_gpio_register(void)
+static void pxa2xx_gpio_register_types(void)
 {
     type_register_static(&pxa2xx_gpio_info);
 }
-device_init(pxa2xx_gpio_register);
+
+type_init(pxa2xx_gpio_register_types)
diff --git a/hw/pxa2xx_pic.c b/hw/pxa2xx_pic.c
index ca85743..6b2bdb0 100644
--- a/hw/pxa2xx_pic.c
+++ b/hw/pxa2xx_pic.c
@@ -313,8 +313,9 @@ static TypeInfo pxa2xx_pic_info = {
     .class_init    = pxa2xx_pic_class_init,
 };
 
-static void pxa2xx_pic_register(void)
+static void pxa2xx_pic_register_types(void)
 {
     type_register_static(&pxa2xx_pic_info);
 }
-device_init(pxa2xx_pic_register);
+
+type_init(pxa2xx_pic_register_types)
diff --git a/hw/pxa2xx_timer.c b/hw/pxa2xx_timer.c
index 9080075..77b033b 100644
--- a/hw/pxa2xx_timer.c
+++ b/hw/pxa2xx_timer.c
@@ -527,9 +527,10 @@ static TypeInfo pxa27x_timer_dev_info = {
     .class_init    = pxa27x_timer_dev_class_init,
 };
 
-static void pxa2xx_timer_register(void)
+static void pxa2xx_timer_register_types(void)
 {
     type_register_static(&pxa25x_timer_dev_info);
     type_register_static(&pxa27x_timer_dev_info);
-};
-device_init(pxa2xx_timer_register);
+}
+
+type_init(pxa2xx_timer_register_types)
diff --git a/hw/qdev.c b/hw/qdev.c
index 8a413ef..f0eb3a7 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -665,9 +665,9 @@ static TypeInfo device_type_info = {
     .class_size = sizeof(DeviceClass),
 };
 
-static void init_qdev(void)
+static void qdev_register_types(void)
 {
     type_register_static(&device_type_info);
 }
 
-device_init(init_qdev);
+type_init(qdev_register_types)
diff --git a/hw/qxl.c b/hw/qxl.c
index bc03c1d..ac69125 100644
--- a/hw/qxl.c
+++ b/hw/qxl.c
@@ -1870,10 +1870,10 @@ static TypeInfo qxl_secondary_info = {
     .class_init    = qxl_secondary_class_init,
 };
 
-static void qxl_register(void)
+static void qxl_register_types(void)
 {
     type_register_static(&qxl_primary_info);
     type_register_static(&qxl_secondary_info);
 }
 
-device_init(qxl_register);
+type_init(qxl_register_types)
diff --git a/hw/realview.c b/hw/realview.c
index 8b0b03d..bcf982f 100644
--- a/hw/realview.c
+++ b/hw/realview.c
@@ -96,7 +96,7 @@ static TypeInfo realview_i2c_info = {
     .class_init    = realview_i2c_class_init,
 };
 
-static void realview_register_devices(void)
+static void realview_register_types(void)
 {
     type_register_static(&realview_i2c_info);
 }
@@ -491,4 +491,4 @@ static void realview_machine_init(void)
 }
 
 machine_init(realview_machine_init);
-device_init(realview_register_devices)
+type_init(realview_register_types)
diff --git a/hw/realview_gic.c b/hw/realview_gic.c
index 4121502..071ef13 100644
--- a/hw/realview_gic.c
+++ b/hw/realview_gic.c
@@ -60,9 +60,9 @@ static TypeInfo realview_gic_info = {
     .class_init    = realview_gic_class_init,
 };
 
-static void realview_gic_register_devices(void)
+static void realview_gic_register_types(void)
 {
     type_register_static(&realview_gic_info);
 }
 
-device_init(realview_gic_register_devices)
+type_init(realview_gic_register_types)
diff --git a/hw/rtl8139.c b/hw/rtl8139.c
index 1668390..05b8e1e 100644
--- a/hw/rtl8139.c
+++ b/hw/rtl8139.c
@@ -3523,9 +3523,9 @@ static TypeInfo rtl8139_info = {
     .class_init    = rtl8139_class_init,
 };
 
-static void rtl8139_register_devices(void)
+static void rtl8139_register_types(void)
 {
     type_register_static(&rtl8139_info);
 }
 
-device_init(rtl8139_register_devices)
+type_init(rtl8139_register_types)
diff --git a/hw/s390-virtio-bus.c b/hw/s390-virtio-bus.c
index 49140f8..9d48056 100644
--- a/hw/s390-virtio-bus.c
+++ b/hw/s390-virtio-bus.c
@@ -433,15 +433,6 @@ static TypeInfo virtio_s390_device_info = {
     .abstract = true,
 };
 
-static void s390_virtio_register(void)
-{
-    type_register_static(&virtio_s390_device_info);
-    type_register_static(&s390_virtio_serial);
-    type_register_static(&s390_virtio_blk);
-    type_register_static(&s390_virtio_net);
-}
-device_init(s390_virtio_register);
-
 
 /***************** S390 Virtio Bus Bridge Device *******************/
 /* Only required to have the virtio bus as child in the system bus */
@@ -468,9 +459,13 @@ static TypeInfo s390_virtio_bridge_info = {
     .class_init    = s390_virtio_bridge_class_init,
 };
 
-static void s390_virtio_register_devices(void)
+static void s390_virtio_register_types(void)
 {
+    type_register_static(&virtio_s390_device_info);
+    type_register_static(&s390_virtio_serial);
+    type_register_static(&s390_virtio_blk);
+    type_register_static(&s390_virtio_net);
     type_register_static(&s390_virtio_bridge_info);
 }
 
-device_init(s390_virtio_register_devices)
+type_init(s390_virtio_register_types)
diff --git a/hw/sb16.c b/hw/sb16.c
index db8929b..c81455d 100644
--- a/hw/sb16.c
+++ b/hw/sb16.c
@@ -1417,8 +1417,9 @@ static TypeInfo sb16_info = {
     .class_init    = sb16_class_initfn,
 };
 
-static void sb16_register (void)
+static void sb16_register_types (void)
 {
     type_register_static (&sb16_info);
 }
-device_init (sb16_register)
+
+type_init (sb16_register_types)
diff --git a/hw/sbi.c b/hw/sbi.c
index 847a4dd..52982a9 100644
--- a/hw/sbi.c
+++ b/hw/sbi.c
@@ -148,9 +148,9 @@ static TypeInfo sbi_info = {
     .class_init    = sbi_class_init,
 };
 
-static void sbi_register_devices(void)
+static void sbi_register_types(void)
 {
     type_register_static(&sbi_info);
 }
 
-device_init(sbi_register_devices)
+type_init(sbi_register_types)
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 0ee50a8..b3e97ce 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -1431,9 +1431,9 @@ static TypeInfo scsi_device_type_info = {
     .class_init = scsi_device_class_init,
 };
 
-static void scsi_register_devices(void)
+static void scsi_register_types(void)
 {
     type_register_static(&scsi_device_type_info);
 }
 
-device_init(scsi_register_devices);
+type_init(scsi_register_types)
diff --git a/hw/scsi-disk.c b/hw/scsi-disk.c
index 399e51e..c12e3a6 100644
--- a/hw/scsi-disk.c
+++ b/hw/scsi-disk.c
@@ -1823,7 +1823,7 @@ static TypeInfo scsi_disk_info = {
     .class_init    = scsi_disk_class_initfn,
 };
 
-static void scsi_disk_register_devices(void)
+static void scsi_disk_register_types(void)
 {
     type_register_static(&scsi_hd_info);
     type_register_static(&scsi_cd_info);
@@ -1832,4 +1832,5 @@ static void scsi_disk_register_devices(void)
 #endif
     type_register_static(&scsi_disk_info);
 }
-device_init(scsi_disk_register_devices)
+
+type_init(scsi_disk_register_types)
diff --git a/hw/scsi-generic.c b/hw/scsi-generic.c
index 4859212..86014aa 100644
--- a/hw/scsi-generic.c
+++ b/hw/scsi-generic.c
@@ -483,10 +483,11 @@ static TypeInfo scsi_generic_info = {
     .class_init    = scsi_generic_class_initfn,
 };
 
-static void scsi_generic_register_devices(void)
+static void scsi_generic_register_types(void)
 {
     type_register_static(&scsi_generic_info);
 }
-device_init(scsi_generic_register_devices)
+
+type_init(scsi_generic_register_types)
 
 #endif /* __linux__ */
diff --git a/hw/serial.c b/hw/serial.c
index 82917e2..144d1b3 100644
--- a/hw/serial.c
+++ b/hw/serial.c
@@ -903,9 +903,9 @@ static TypeInfo serial_isa_info = {
     .class_init    = serial_isa_class_initfn,
 };
 
-static void serial_register_devices(void)
+static void serial_register_types(void)
 {
     type_register_static(&serial_isa_info);
 }
 
-device_init(serial_register_devices)
+type_init(serial_register_types)
diff --git a/hw/sga.c b/hw/sga.c
index b08e3c5..a666349 100644
--- a/hw/sga.c
+++ b/hw/sga.c
@@ -55,9 +55,9 @@ static TypeInfo sga_info = {
     .class_init    = sga_class_initfn,
 };
 
-static void sga_register(void)
+static void sga_register_types(void)
 {
     type_register_static(&sga_info);
 }
 
-device_init(sga_register);
+type_init(sga_register_types)
diff --git a/hw/sh_pci.c b/hw/sh_pci.c
index 4234d93..0cfac46 100644
--- a/hw/sh_pci.c
+++ b/hw/sh_pci.c
@@ -177,10 +177,10 @@ static TypeInfo sh_pci_device_info = {
     .class_init    = sh_pci_device_class_init,
 };
 
-static void sh_pci_register_devices(void)
+static void sh_pci_register_types(void)
 {
     type_register_static(&sh_pci_device_info);
     type_register_static(&sh_pci_host_info);
 }
 
-device_init(sh_pci_register_devices)
+type_init(sh_pci_register_types)
diff --git a/hw/slavio_intctl.c b/hw/slavio_intctl.c
index e3701c7..7fdc3be 100644
--- a/hw/slavio_intctl.c
+++ b/hw/slavio_intctl.c
@@ -463,9 +463,9 @@ static TypeInfo slavio_intctl_info = {
     .class_init    = slavio_intctl_class_init,
 };
 
-static void slavio_intctl_register_devices(void)
+static void slavio_intctl_register_types(void)
 {
     type_register_static(&slavio_intctl_info);
 }
 
-device_init(slavio_intctl_register_devices)
+type_init(slavio_intctl_register_types)
diff --git a/hw/slavio_misc.c b/hw/slavio_misc.c
index 5a02518..944835e 100644
--- a/hw/slavio_misc.c
+++ b/hw/slavio_misc.c
@@ -499,10 +499,10 @@ static TypeInfo apc_info = {
     .class_init    = apc_class_init,
 };
 
-static void slavio_misc_register_devices(void)
+static void slavio_misc_register_types(void)
 {
     type_register_static(&slavio_misc_info);
     type_register_static(&apc_info);
 }
 
-device_init(slavio_misc_register_devices)
+type_init(slavio_misc_register_types)
diff --git a/hw/slavio_timer.c b/hw/slavio_timer.c
index 3878f6f..97edebb 100644
--- a/hw/slavio_timer.c
+++ b/hw/slavio_timer.c
@@ -427,9 +427,9 @@ static TypeInfo slavio_timer_info = {
     .class_init    = slavio_timer_class_init,
 };
 
-static void slavio_timer_register_devices(void)
+static void slavio_timer_register_types(void)
 {
     type_register_static(&slavio_timer_info);
 }
 
-device_init(slavio_timer_register_devices)
+type_init(slavio_timer_register_types)
diff --git a/hw/smbus.c b/hw/smbus.c
index 77626f3..e3cf6a2 100644
--- a/hw/smbus.c
+++ b/hw/smbus.c
@@ -327,9 +327,9 @@ static TypeInfo smbus_device_type_info = {
     .class_init = smbus_device_class_init,
 };
 
-static void smbus_device_register_devices(void)
+static void smbus_device_register_types(void)
 {
     type_register_static(&smbus_device_type_info);
 }
 
-device_init(smbus_device_register_devices);
+type_init(smbus_device_register_types)
diff --git a/hw/smbus_eeprom.c b/hw/smbus_eeprom.c
index 9d96cbe..11adab0 100644
--- a/hw/smbus_eeprom.c
+++ b/hw/smbus_eeprom.c
@@ -130,12 +130,12 @@ static TypeInfo smbus_eeprom_info = {
     .class_init    = smbus_eeprom_class_initfn,
 };
 
-static void smbus_eeprom_register_devices(void)
+static void smbus_eeprom_register_types(void)
 {
     type_register_static(&smbus_eeprom_info);
 }
 
-device_init(smbus_eeprom_register_devices)
+type_init(smbus_eeprom_register_types)
 
 void smbus_eeprom_init(i2c_bus *smbus, int nb_eeprom,
                        const uint8_t *eeprom_spd, int eeprom_spd_size)
diff --git a/hw/smc91c111.c b/hw/smc91c111.c
index 1bf2901..1a5213f 100644
--- a/hw/smc91c111.c
+++ b/hw/smc91c111.c
@@ -781,7 +781,7 @@ static TypeInfo smc91c111_info = {
     .class_init    = smc91c111_class_init,
 };
 
-static void smc91c111_register_devices(void)
+static void smc91c111_register_types(void)
 {
     type_register_static(&smc91c111_info);
 }
@@ -802,4 +802,4 @@ void smc91c111_init(NICInfo *nd, uint32_t base, qemu_irq irq)
     sysbus_connect_irq(s, 0, irq);
 }
 
-device_init(smc91c111_register_devices)
+type_init(smc91c111_register_types)
diff --git a/hw/spapr_hcall.c b/hw/spapr_hcall.c
index 84281be..6ac7384 100644
--- a/hw/spapr_hcall.c
+++ b/hw/spapr_hcall.c
@@ -672,7 +672,7 @@ target_ulong spapr_hypercall(CPUState *env, target_ulong opcode,
     return H_FUNCTION;
 }
 
-static void hypercall_init(void)
+static void hypercall_register_types(void)
 {
     /* hcall-pft */
     spapr_register_hypercall(H_ENTER, h_enter);
@@ -704,4 +704,5 @@ static void hypercall_init(void)
     /* qemu/KVM-PPC specific hcalls */
     spapr_register_hypercall(KVMPPC_H_RTAS, h_rtas);
 }
-device_init(hypercall_init);
+
+type_init(hypercall_register_types)
diff --git a/hw/spapr_llan.c b/hw/spapr_llan.c
index 79b3941..77d4047 100644
--- a/hw/spapr_llan.c
+++ b/hw/spapr_llan.c
@@ -501,7 +501,7 @@ static TypeInfo spapr_vlan_info = {
     .class_init    = spapr_vlan_class_init,
 };
 
-static void spapr_vlan_register(void)
+static void spapr_vlan_register_types(void)
 {
     spapr_register_hypercall(H_REGISTER_LOGICAL_LAN, h_register_logical_lan);
     spapr_register_hypercall(H_FREE_LOGICAL_LAN, h_free_logical_lan);
@@ -511,4 +511,5 @@ static void spapr_vlan_register(void)
     spapr_register_hypercall(H_MULTICAST_CTRL, h_multicast_ctrl);
     type_register_static(&spapr_vlan_info);
 }
-device_init(spapr_vlan_register);
+
+type_init(spapr_vlan_register_types)
diff --git a/hw/spapr_pci.c b/hw/spapr_pci.c
index ed2e4b3..cfdd9dd 100644
--- a/hw/spapr_pci.c
+++ b/hw/spapr_pci.c
@@ -242,13 +242,13 @@ static TypeInfo spapr_phb_info = {
     .class_init    = spapr_phb_class_init,
 };
 
-static void spapr_register_devices(void)
+static void spapr_register_types(void)
 {
     type_register_static(&spapr_phb_info);
     type_register_static(&spapr_main_pci_host_info);
 }
 
-device_init(spapr_register_devices)
+type_init(spapr_register_types)
 
 static uint64_t spapr_io_read(void *opaque, target_phys_addr_t addr,
                               unsigned size)
diff --git a/hw/spapr_rtas.c b/hw/spapr_rtas.c
index d1ac74c..c0723b3 100644
--- a/hw/spapr_rtas.c
+++ b/hw/spapr_rtas.c
@@ -288,7 +288,7 @@ int spapr_rtas_device_tree_setup(void *fdt, target_phys_addr_t rtas_addr,
     return 0;
 }
 
-static void register_core_rtas(void)
+static void core_rtas_register_types(void)
 {
     spapr_rtas_register("display-character", rtas_display_character);
     spapr_rtas_register("get-time-of-day", rtas_get_time_of_day);
@@ -298,4 +298,5 @@ static void register_core_rtas(void)
                         rtas_query_cpu_stopped_state);
     spapr_rtas_register("start-cpu", rtas_start_cpu);
 }
-device_init(register_core_rtas);
+
+type_init(core_rtas_register_types)
diff --git a/hw/spapr_vio.c b/hw/spapr_vio.c
index 64f0009..ea317ef 100644
--- a/hw/spapr_vio.c
+++ b/hw/spapr_vio.c
@@ -778,13 +778,13 @@ static TypeInfo spapr_vio_type_info = {
     .class_init = vio_spapr_device_class_init,
 };
 
-static void spapr_vio_register_devices(void)
+static void spapr_vio_register_types(void)
 {
     type_register_static(&spapr_vio_bridge_info);
     type_register_static(&spapr_vio_type_info);
 }
 
-device_init(spapr_vio_register_devices)
+type_init(spapr_vio_register_types)
 
 #ifdef CONFIG_FDT
 static int compare_reg(const void *p1, const void *p2)
diff --git a/hw/spapr_vscsi.c b/hw/spapr_vscsi.c
index 9cfce19..ffce261 100644
--- a/hw/spapr_vscsi.c
+++ b/hw/spapr_vscsi.c
@@ -973,8 +973,9 @@ static TypeInfo spapr_vscsi_info = {
     .class_init    = spapr_vscsi_class_init,
 };
 
-static void spapr_vscsi_register(void)
+static void spapr_vscsi_register_types(void)
 {
     type_register_static(&spapr_vscsi_info);
 }
-device_init(spapr_vscsi_register);
+
+type_init(spapr_vscsi_register_types)
diff --git a/hw/spapr_vty.c b/hw/spapr_vty.c
index a954e7d..3efe242 100644
--- a/hw/spapr_vty.c
+++ b/hw/spapr_vty.c
@@ -212,10 +212,11 @@ static VIOsPAPRDevice *vty_lookup(sPAPREnvironment *spapr, target_ulong reg)
     return sdev;
 }
 
-static void spapr_vty_register(void)
+static void spapr_vty_register_types(void)
 {
     spapr_register_hypercall(H_PUT_TERM_CHAR, h_put_term_char);
     spapr_register_hypercall(H_GET_TERM_CHAR, h_get_term_char);
     type_register_static(&spapr_vty_info);
 }
-device_init(spapr_vty_register);
+
+type_init(spapr_vty_register_types)
diff --git a/hw/sparc32_dma.c b/hw/sparc32_dma.c
index f07cc6f..1dbf69e 100644
--- a/hw/sparc32_dma.c
+++ b/hw/sparc32_dma.c
@@ -307,9 +307,9 @@ static TypeInfo sparc32_dma_info = {
     .class_init    = sparc32_dma_class_init,
 };
 
-static void sparc32_dma_register_devices(void)
+static void sparc32_dma_register_types(void)
 {
     type_register_static(&sparc32_dma_info);
 }
 
-device_init(sparc32_dma_register_devices)
+type_init(sparc32_dma_register_types)
diff --git a/hw/spitz.c b/hw/spitz.c
index 4e6540d..1d6d2b0 100644
--- a/hw/spitz.c
+++ b/hw/spitz.c
@@ -1138,7 +1138,7 @@ static TypeInfo spitz_lcdtg_info = {
     .class_init    = spitz_lcdtg_class_init,
 };
 
-static void spitz_register_devices(void)
+static void spitz_register_types(void)
 {
     type_register_static(&corgi_ssp_info);
     type_register_static(&spitz_lcdtg_info);
@@ -1146,4 +1146,4 @@ static void spitz_register_devices(void)
     type_register_static(&sl_nand_info);
 }
 
-device_init(spitz_register_devices)
+type_init(spitz_register_types)
diff --git a/hw/ssd0303.c b/hw/ssd0303.c
index 685602a..4e1ee6e 100644
--- a/hw/ssd0303.c
+++ b/hw/ssd0303.c
@@ -313,9 +313,9 @@ static TypeInfo ssd0303_info = {
     .class_init    = ssd0303_class_init,
 };
 
-static void ssd0303_register_devices(void)
+static void ssd0303_register_types(void)
 {
     type_register_static(&ssd0303_info);
 }
 
-device_init(ssd0303_register_devices)
+type_init(ssd0303_register_types)
diff --git a/hw/ssd0323.c b/hw/ssd0323.c
index 3c43738..b0b2e94 100644
--- a/hw/ssd0323.c
+++ b/hw/ssd0323.c
@@ -355,9 +355,9 @@ static TypeInfo ssd0323_info = {
     .class_init    = ssd0323_class_init,
 };
 
-static void ssd03232_register_devices(void)
+static void ssd03232_register_types(void)
 {
     type_register_static(&ssd0323_info);
 }
 
-device_init(ssd03232_register_devices)
+type_init(ssd03232_register_types)
diff --git a/hw/ssi-sd.c b/hw/ssi-sd.c
index f2e6cec..b519bdb 100644
--- a/hw/ssi-sd.c
+++ b/hw/ssi-sd.c
@@ -259,9 +259,9 @@ static TypeInfo ssi_sd_info = {
     .class_init    = ssi_sd_class_init,
 };
 
-static void ssi_sd_register_devices(void)
+static void ssi_sd_register_types(void)
 {
     type_register_static(&ssi_sd_info);
 }
 
-device_init(ssi_sd_register_devices)
+type_init(ssi_sd_register_types)
diff --git a/hw/ssi.c b/hw/ssi.c
index ead446c..8f2d9bc 100644
--- a/hw/ssi.c
+++ b/hw/ssi.c
@@ -80,9 +80,9 @@ uint32_t ssi_transfer(SSIBus *bus, uint32_t val)
     return ssc->transfer(slave, val);
 }
 
-static void register_ssi_slave(void)
+static void ssi_slave_register_types(void)
 {
     type_register_static(&ssi_slave_info);
 }
 
-device_init(register_ssi_slave);
+type_init(ssi_slave_register_types)
diff --git a/hw/stellaris.c b/hw/stellaris.c
index 31a65cf..562fbbf 100644
--- a/hw/stellaris.c
+++ b/hw/stellaris.c
@@ -1451,7 +1451,7 @@ static TypeInfo stellaris_adc_info = {
     .class_init    = stellaris_adc_class_init,
 };
 
-static void stellaris_register_devices(void)
+static void stellaris_register_types(void)
 {
     type_register_static(&stellaris_i2c_info);
     type_register_static(&stellaris_gptm_info);
@@ -1459,4 +1459,4 @@ static void stellaris_register_devices(void)
     type_register_static(&stellaris_ssi_bus_info);
 }
 
-device_init(stellaris_register_devices)
+type_init(stellaris_register_types)
diff --git a/hw/stellaris_enet.c b/hw/stellaris_enet.c
index 9b1be8d..fbe99cb 100644
--- a/hw/stellaris_enet.c
+++ b/hw/stellaris_enet.c
@@ -441,9 +441,9 @@ static TypeInfo stellaris_enet_info = {
     .class_init    = stellaris_enet_class_init,
 };
 
-static void stellaris_enet_register_devices(void)
+static void stellaris_enet_register_types(void)
 {
     type_register_static(&stellaris_enet_info);
 }
 
-device_init(stellaris_enet_register_devices)
+type_init(stellaris_enet_register_types)
diff --git a/hw/strongarm.c b/hw/strongarm.c
index 8d2e7eb..4d5b60f 100644
--- a/hw/strongarm.c
+++ b/hw/strongarm.c
@@ -1609,7 +1609,7 @@ StrongARMState *sa1110_init(MemoryRegion *sysmem,
     return s;
 }
 
-static void strongarm_register_devices(void)
+static void strongarm_register_types(void)
 {
     type_register_static(&strongarm_pic_info);
     type_register_static(&strongarm_rtc_sysbus_info);
@@ -1618,4 +1618,5 @@ static void strongarm_register_devices(void)
     type_register_static(&strongarm_uart_info);
     type_register_static(&strongarm_ssp_info);
 }
-device_init(strongarm_register_devices)
+
+type_init(strongarm_register_types)
diff --git a/hw/sun4c_intctl.c b/hw/sun4c_intctl.c
index 081d6cc..8dfa5ec 100644
--- a/hw/sun4c_intctl.c
+++ b/hw/sun4c_intctl.c
@@ -223,9 +223,9 @@ static TypeInfo sun4c_intctl_info = {
     .class_init    = sun4c_intctl_class_init,
 };
 
-static void sun4c_intctl_register_devices(void)
+static void sun4c_intctl_register_types(void)
 {
     type_register_static(&sun4c_intctl_info);
 }
 
-device_init(sun4c_intctl_register_devices)
+type_init(sun4c_intctl_register_types)
diff --git a/hw/sun4m.c b/hw/sun4m.c
index b79d14c..99fb219 100644
--- a/hw/sun4m.c
+++ b/hw/sun4m.c
@@ -623,13 +623,6 @@ static TypeInfo idreg_info = {
     .class_init    = idreg_class_init,
 };
 
-static void idreg_register_devices(void)
-{
-    type_register_static(&idreg_info);
-}
-
-device_init(idreg_register_devices);
-
 typedef struct AFXState {
     SysBusDevice busdev;
     MemoryRegion mem;
@@ -672,13 +665,6 @@ static TypeInfo afx_info = {
     .class_init    = afx_class_init,
 };
 
-static void afx_register_devices(void)
-{
-    type_register_static(&afx_info);
-}
-
-device_init(afx_register_devices);
-
 typedef struct PROMState {
     SysBusDevice busdev;
     MemoryRegion prom;
@@ -756,13 +742,6 @@ static TypeInfo prom_info = {
     .class_init    = prom_class_init,
 };
 
-static void prom_register_devices(void)
-{
-    type_register_static(&prom_info);
-}
-
-device_init(prom_register_devices);
-
 typedef struct RamDevice
 {
     SysBusDevice busdev;
@@ -827,13 +806,6 @@ static TypeInfo ram_info = {
     .class_init    = ram_class_init,
 };
 
-static void ram_register_devices(void)
-{
-    type_register_static(&ram_info);
-}
-
-device_init(ram_register_devices);
-
 static void cpu_devinit(const char *cpu_model, unsigned int id,
                         uint64_t prom_addr, qemu_irq **cpu_irqs)
 {
@@ -1865,6 +1837,14 @@ static QEMUMachine ss2_machine = {
     .use_scsi = 1,
 };
 
+static void sun4m_register_types(void)
+{
+    type_register_static(&idreg_info);
+    type_register_static(&afx_info);
+    type_register_static(&prom_info);
+    type_register_static(&ram_info);
+}
+
 static void ss2_machine_init(void)
 {
     qemu_register_machine(&ss5_machine);
@@ -1881,4 +1861,5 @@ static void ss2_machine_init(void)
     qemu_register_machine(&ss2_machine);
 }
 
+type_init(sun4m_register_types)
 machine_init(ss2_machine_init);
diff --git a/hw/sun4m_iommu.c b/hw/sun4m_iommu.c
index 727532c..ebefa91 100644
--- a/hw/sun4m_iommu.c
+++ b/hw/sun4m_iommu.c
@@ -380,9 +380,9 @@ static TypeInfo iommu_info = {
     .class_init    = iommu_class_init,
 };
 
-static void iommu_register_devices(void)
+static void iommu_register_types(void)
 {
     type_register_static(&iommu_info);
 }
 
-device_init(iommu_register_devices)
+type_init(iommu_register_types)
diff --git a/hw/sun4u.c b/hw/sun4u.c
index 79bbd49..423108f 100644
--- a/hw/sun4u.c
+++ b/hw/sun4u.c
@@ -580,13 +580,6 @@ static TypeInfo ebus_info = {
     .class_init    = ebus_class_init,
 };
 
-static void pci_ebus_register(void)
-{
-    type_register_static(&ebus_info);
-}
-
-device_init(pci_ebus_register);
-
 typedef struct PROMState {
     SysBusDevice busdev;
     MemoryRegion prom;
@@ -664,13 +657,6 @@ static TypeInfo prom_info = {
     .class_init    = prom_class_init,
 };
 
-static void prom_register_devices(void)
-{
-    type_register_static(&prom_info);
-}
-
-device_init(prom_register_devices);
-
 
 typedef struct RamDevice
 {
@@ -728,13 +714,6 @@ static TypeInfo ram_info = {
     .class_init    = ram_class_init,
 };
 
-static void ram_register_devices(void)
-{
-    type_register_static(&ram_info);
-}
-
-device_init(ram_register_devices);
-
 static CPUState *cpu_devinit(const char *cpu_model, const struct hwdef *hwdef)
 {
     CPUState *env;
@@ -957,6 +936,13 @@ static QEMUMachine niagara_machine = {
     .max_cpus = 1, // XXX for now
 };
 
+static void sun4u_register_types(void)
+{
+    type_register_static(&ebus_info);
+    type_register_static(&prom_info);
+    type_register_static(&ram_info);
+}
+
 static void sun4u_machine_init(void)
 {
     qemu_register_machine(&sun4u_machine);
@@ -964,4 +950,5 @@ static void sun4u_machine_init(void)
     qemu_register_machine(&niagara_machine);
 }
 
+type_init(sun4u_register_types)
 machine_init(sun4u_machine_init);
diff --git a/hw/sysbus.c b/hw/sysbus.c
index 282060a..db4efcc 100644
--- a/hw/sysbus.c
+++ b/hw/sysbus.c
@@ -256,9 +256,9 @@ static TypeInfo sysbus_device_type_info = {
     .class_init = sysbus_device_class_init,
 };
 
-static void sysbus_register(void)
+static void sysbus_register_types(void)
 {
     type_register_static(&sysbus_device_type_info);
 }
 
-device_init(sysbus_register);
+type_init(sysbus_register_types)
diff --git a/hw/tcx.c b/hw/tcx.c
index ceb94c7..2b66d86 100644
--- a/hw/tcx.c
+++ b/hw/tcx.c
@@ -664,9 +664,9 @@ static TypeInfo tcx_info = {
     .class_init    = tcx_class_init,
 };
 
-static void tcx_register_devices(void)
+static void tcx_register_types(void)
 {
     type_register_static(&tcx_info);
 }
 
-device_init(tcx_register_devices)
+type_init(tcx_register_types)
diff --git a/hw/tmp105.c b/hw/tmp105.c
index a3bdd91..8e8dbd9 100644
--- a/hw/tmp105.c
+++ b/hw/tmp105.c
@@ -245,9 +245,9 @@ static TypeInfo tmp105_info = {
     .class_init    = tmp105_class_init,
 };
 
-static void tmp105_register_devices(void)
+static void tmp105_register_types(void)
 {
     type_register_static(&tmp105_info);
 }
 
-device_init(tmp105_register_devices)
+type_init(tmp105_register_types)
diff --git a/hw/tosa.c b/hw/tosa.c
index c0d4017..6baa17d 100644
--- a/hw/tosa.c
+++ b/hw/tosa.c
@@ -291,10 +291,10 @@ static TypeInfo tosa_ssp_info = {
     .class_init    = tosa_ssp_class_init,
 };
 
-static void tosa_register_devices(void)
+static void tosa_register_types(void)
 {
     type_register_static(&tosa_dac_info);
     type_register_static(&tosa_ssp_info);
 }
 
-device_init(tosa_register_devices)
+type_init(tosa_register_types)
diff --git a/hw/tusb6010.c b/hw/tusb6010.c
index 0ade670..5ba8da6 100644
--- a/hw/tusb6010.c
+++ b/hw/tusb6010.c
@@ -805,9 +805,9 @@ static TypeInfo tusb6010_info = {
     .class_init    = tusb6010_class_init,
 };
 
-static void tusb6010_register_device(void)
+static void tusb6010_register_types(void)
 {
     type_register_static(&tusb6010_info);
 }
 
-device_init(tusb6010_register_device)
+type_init(tusb6010_register_types)
diff --git a/hw/twl92230.c b/hw/twl92230.c
index 03fdccc..873dc8f 100644
--- a/hw/twl92230.c
+++ b/hw/twl92230.c
@@ -876,9 +876,9 @@ static TypeInfo twl92230_info = {
     .class_init    = twl92230_class_init,
 };
 
-static void twl92230_register_devices(void)
+static void twl92230_register_types(void)
 {
     type_register_static(&twl92230_info);
 }
 
-device_init(twl92230_register_devices)
+type_init(twl92230_register_types)
diff --git a/hw/unin_pci.c b/hw/unin_pci.c
index 17d86aa..409bcd4 100644
--- a/hw/unin_pci.c
+++ b/hw/unin_pci.c
@@ -467,7 +467,7 @@ static TypeInfo pci_unin_internal_info = {
     .class_init    = pci_unin_internal_class_init,
 };
 
-static void unin_register_devices(void)
+static void unin_register_types(void)
 {
     type_register_static(&unin_main_pci_host_info);
     type_register_static(&u3_agp_pci_host_info);
@@ -480,4 +480,4 @@ static void unin_register_devices(void)
     type_register_static(&pci_unin_internal_info);
 }
 
-device_init(unin_register_devices)
+type_init(unin_register_types)
diff --git a/hw/usb-audio.c b/hw/usb-audio.c
index cd589b7..0cdfd91 100644
--- a/hw/usb-audio.c
+++ b/hw/usb-audio.c
@@ -706,10 +706,10 @@ static TypeInfo usb_audio_info = {
     .class_init    = usb_audio_class_init,
 };
 
-static void usb_audio_register_devices(void)
+static void usb_audio_register_types(void)
 {
     type_register_static(&usb_audio_info);
     usb_legacy_register("usb-audio", "audio", NULL);
 }
 
-device_init(usb_audio_register_devices)
+type_init(usb_audio_register_types)
diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index 90c3b0e..a836de3 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -550,8 +550,9 @@ static TypeInfo bt_info = {
     .class_init    = usb_bt_class_initfn,
 };
 
-static void usb_bt_register_devices(void)
+static void usb_bt_register_types(void)
 {
     type_register_static(&bt_info);
 }
-device_init(usb_bt_register_devices)
+
+type_init(usb_bt_register_types)
diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index b753834..e97fb6a 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -586,9 +586,9 @@ static TypeInfo usb_device_type_info = {
     .class_init = usb_device_class_init,
 };
 
-static void usb_register_devices(void)
+static void usb_register_types(void)
 {
     type_register_static(&usb_device_type_info);
 }
 
-device_init(usb_register_devices);
+type_init(usb_register_types)
diff --git a/hw/usb-ccid.c b/hw/usb-ccid.c
index 881da30..893d0a0 100644
--- a/hw/usb-ccid.c
+++ b/hw/usb-ccid.c
@@ -1354,10 +1354,11 @@ static TypeInfo ccid_card_type_info = {
     .class_init = ccid_card_class_init,
 };
 
-static void ccid_register_devices(void)
+static void ccid_register_types(void)
 {
     type_register_static(&ccid_card_type_info);
     type_register_static(&ccid_info);
     usb_legacy_register(CCID_DEV_NAME, "ccid", NULL);
 }
-device_init(ccid_register_devices)
+
+type_init(ccid_register_types)
diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index 75ef71e..4395ca2 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -2376,12 +2376,13 @@ static int usb_ehci_initfn(PCIDevice *dev)
     return 0;
 }
 
-static void ehci_register(void)
+static void ehci_register_types(void)
 {
     type_register_static(&ehci_info);
     type_register_static(&ich9_ehci_info);
 }
-device_init(ehci_register);
+
+type_init(ehci_register_types)
 
 /*
  * vim: expandtab ts=4
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 3c4e45d..8820abd 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -621,7 +621,7 @@ static TypeInfo usb_keyboard_info = {
     .class_init    = usb_keyboard_class_initfn,
 };
 
-static void usb_hid_register_devices(void)
+static void usb_hid_register_types(void)
 {
     type_register_static(&usb_tablet_info);
     usb_legacy_register("usb-tablet", "tablet", NULL);
@@ -630,4 +630,5 @@ static void usb_hid_register_devices(void)
     type_register_static(&usb_keyboard_info);
     usb_legacy_register("usb-kbd", "keyboard", NULL);
 }
-device_init(usb_hid_register_devices)
+
+type_init(usb_hid_register_types)
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 956b020..7604730 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -557,8 +557,9 @@ static TypeInfo hub_info = {
     .class_init    = usb_hub_class_initfn,
 };
 
-static void usb_hub_register_devices(void)
+static void usb_hub_register_types(void)
 {
     type_register_static(&hub_info);
 }
-device_init(usb_hub_register_devices)
+
+type_init(usb_hub_register_types)
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 6153376..5ed009d 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -669,9 +669,10 @@ static TypeInfo msd_info = {
     .class_init    = usb_msd_class_initfn,
 };
 
-static void usb_msd_register_devices(void)
+static void usb_msd_register_types(void)
 {
     type_register_static(&msd_info);
     usb_legacy_register("usb-storage", "disk", usb_msd_init);
 }
-device_init(usb_msd_register_devices)
+
+type_init(usb_msd_register_types)
diff --git a/hw/usb-net.c b/hw/usb-net.c
index e211141..77e3278 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1415,9 +1415,10 @@ static TypeInfo net_info = {
     .class_init    = usb_net_class_initfn,
 };
 
-static void usb_net_register_devices(void)
+static void usb_net_register_types(void)
 {
     type_register_static(&net_info);
     usb_legacy_register("usb-net", "net", usb_net_init);
 }
-device_init(usb_net_register_devices)
+
+type_init(usb_net_register_types)
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 425030f..da04c63 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1886,9 +1886,10 @@ static TypeInfo ohci_sysbus_info = {
     .class_init    = ohci_sysbus_class_init,
 };
 
-static void ohci_register(void)
+static void ohci_register_types(void)
 {
     type_register_static(&ohci_pci_info);
     type_register_static(&ohci_sysbus_info);
 }
-device_init(ohci_register);
+
+type_init(ohci_register_types)
diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index c2cb6d2..f726a0a 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -628,11 +628,12 @@ static TypeInfo braille_info = {
     .class_init    = usb_braille_class_initfn,
 };
 
-static void usb_serial_register_devices(void)
+static void usb_serial_register_types(void)
 {
     type_register_static(&serial_info);
     usb_legacy_register("usb-serial", "serial", usb_serial_init);
     type_register_static(&braille_info);
     usb_legacy_register("usb-braille", "braille", usb_braille_init);
 }
-device_init(usb_serial_register_devices)
+
+type_init(usb_serial_register_types)
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index cddcc89..6f6ebf1 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -1321,7 +1321,7 @@ static TypeInfo ich9_uhci3_info = {
     .class_init    = ich9_uhci3_class_init,
 };
 
-static void uhci_register(void)
+static void uhci_register_types(void)
 {
     type_register_static(&piix3_uhci_info);
     type_register_static(&piix4_uhci_info);
@@ -1330,7 +1330,8 @@ static void uhci_register(void)
     type_register_static(&ich9_uhci2_info);
     type_register_static(&ich9_uhci3_info);
 }
-device_init(uhci_register);
+
+type_init(uhci_register_types)
 
 void usb_uhci_piix3_init(PCIBus *bus, int devfn)
 {
diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index 14de14d..6504e5e 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -373,9 +373,10 @@ static TypeInfo wacom_info = {
     .class_init    = usb_wacom_class_init,
 };
 
-static void usb_wacom_register_devices(void)
+static void usb_wacom_register_types(void)
 {
     type_register_static(&wacom_info);
     usb_legacy_register("usb-wacom-tablet", "wacom-tablet", NULL);
 }
-device_init(usb_wacom_register_devices)
+
+type_init(usb_wacom_register_types)
diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 37e887c..750531f 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -2752,8 +2752,9 @@ static TypeInfo xhci_info = {
     .class_init    = xhci_class_init,
 };
 
-static void xhci_register(void)
+static void xhci_register_types(void)
 {
     type_register_static(&xhci_info);
 }
-device_init(xhci_register);
+
+type_init(xhci_register_types)
diff --git a/hw/versatile_pci.c b/hw/versatile_pci.c
index c4105e9..ae53a8b 100644
--- a/hw/versatile_pci.c
+++ b/hw/versatile_pci.c
@@ -154,11 +154,11 @@ static TypeInfo pci_realview_info = {
     .class_init    = pci_realview_class_init,
 };
 
-static void versatile_pci_register_devices(void)
+static void versatile_pci_register_types(void)
 {
     type_register_static(&pci_vpb_info);
     type_register_static(&pci_realview_info);
     type_register_static(&versatile_pci_host_info);
 }
 
-device_init(versatile_pci_register_devices)
+type_init(versatile_pci_register_types)
diff --git a/hw/versatilepb.c b/hw/versatilepb.c
index 6ea0ce5..1903db6 100644
--- a/hw/versatilepb.c
+++ b/hw/versatilepb.c
@@ -382,9 +382,9 @@ static TypeInfo vpb_sic_info = {
     .class_init    = vpb_sic_class_init,
 };
 
-static void versatilepb_register_devices(void)
+static void versatilepb_register_types(void)
 {
     type_register_static(&vpb_sic_info);
 }
 
-device_init(versatilepb_register_devices)
+type_init(versatilepb_register_types)
diff --git a/hw/vga-isa.c b/hw/vga-isa.c
index 8d3ff0d..4bcc4db 100644
--- a/hw/vga-isa.c
+++ b/hw/vga-isa.c
@@ -85,8 +85,9 @@ static TypeInfo vga_info = {
     .class_init    = vga_class_initfn,
 };
 
-static void vga_register(void)
+static void vga_register_types(void)
 {
     type_register_static(&vga_info);
 }
-device_init(vga_register)
+
+type_init(vga_register_types)
diff --git a/hw/vga-pci.c b/hw/vga-pci.c
index 974a7a9..465b643 100644
--- a/hw/vga-pci.c
+++ b/hw/vga-pci.c
@@ -96,8 +96,9 @@ static TypeInfo vga_info = {
     .class_init    = vga_class_init,
 };
 
-static void vga_register(void)
+static void vga_register_types(void)
 {
     type_register_static(&vga_info);
 }
-device_init(vga_register);
+
+type_init(vga_register_types)
diff --git a/hw/virtio-console.c b/hw/virtio-console.c
index 4f2c3e4..cffee3d 100644
--- a/hw/virtio-console.c
+++ b/hw/virtio-console.c
@@ -149,12 +149,6 @@ static TypeInfo virtconsole_info = {
     .class_init    = virtconsole_class_init,
 };
 
-static void virtconsole_register(void)
-{
-    type_register_static(&virtconsole_info);
-}
-device_init(virtconsole_register)
-
 static Property virtserialport_properties[] = {
     DEFINE_PROP_CHR("chardev", VirtConsole, chr),
     DEFINE_PROP_END_OF_LIST(),
@@ -179,8 +173,10 @@ static TypeInfo virtserialport_info = {
     .class_init    = virtserialport_class_init,
 };
 
-static void virtserialport_register(void)
+static void virtconsole_register_types(void)
 {
+    type_register_static(&virtconsole_info);
     type_register_static(&virtserialport_info);
 }
-device_init(virtserialport_register)
+
+type_init(virtconsole_register_types)
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 93fff54..907b52a 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -930,7 +930,7 @@ static TypeInfo virtio_balloon_info = {
     .class_init    = virtio_balloon_class_init,
 };
 
-static void virtio_pci_register_devices(void)
+static void virtio_pci_register_types(void)
 {
     type_register_static(&virtio_blk_info);
     type_register_static(&virtio_net_info);
@@ -938,4 +938,4 @@ static void virtio_pci_register_devices(void)
     type_register_static(&virtio_balloon_info);
 }
 
-device_init(virtio_pci_register_devices)
+type_init(virtio_pci_register_types)
diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index 6117629..e22940e 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -949,9 +949,9 @@ static TypeInfo virtio_serial_port_type_info = {
     .class_init = virtio_serial_port_class_init,
 };
 
-static void virtio_serial_register_devices(void)
+static void virtio_serial_register_types(void)
 {
     type_register_static(&virtio_serial_port_type_info);
 }
 
-device_init(virtio_serial_register_devices);
+type_init(virtio_serial_register_types)
diff --git a/hw/vmmouse.c b/hw/vmmouse.c
index fda4f89..6338efa 100644
--- a/hw/vmmouse.c
+++ b/hw/vmmouse.c
@@ -294,8 +294,9 @@ static TypeInfo vmmouse_info = {
     .class_init    = vmmouse_class_initfn,
 };
 
-static void vmmouse_dev_register(void)
+static void vmmouse_register_types(void)
 {
     type_register_static(&vmmouse_info);
 }
-device_init(vmmouse_dev_register)
+
+type_init(vmmouse_register_types)
diff --git a/hw/vmport.c b/hw/vmport.c
index a2c45e1..9373be9 100644
--- a/hw/vmport.c
+++ b/hw/vmport.c
@@ -159,8 +159,9 @@ static TypeInfo vmport_info = {
     .class_init    = vmport_class_initfn,
 };
 
-static void vmport_dev_register(void)
+static void vmport_register_types(void)
 {
     type_register_static(&vmport_info);
 }
-device_init(vmport_dev_register)
+
+type_init(vmport_register_types)
diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
index 3f3eb21..f8afa3c 100644
--- a/hw/vmware_vga.c
+++ b/hw/vmware_vga.c
@@ -1223,8 +1223,9 @@ static TypeInfo vmsvga_info = {
     .class_init    = vmsvga_class_init,
 };
 
-static void vmsvga_register(void)
+static void vmsvga_register_types(void)
 {
     type_register_static(&vmsvga_info);
 }
-device_init(vmsvga_register);
+
+type_init(vmsvga_register_types)
diff --git a/hw/vt82c686.c b/hw/vt82c686.c
index aa0954f..fbab0bb 100644
--- a/hw/vt82c686.c
+++ b/hw/vt82c686.c
@@ -366,13 +366,6 @@ static TypeInfo via_ac97_info = {
     .class_init    = via_ac97_class_init,
 };
 
-static void vt82c686b_ac97_register(void)
-{
-    type_register_static(&via_ac97_info);
-}
-
-device_init(vt82c686b_ac97_register);
-
 static int vt82c686b_mc97_initfn(PCIDevice *dev)
 {
     VT686MC97State *s = DO_UPCAST(VT686MC97State, dev, dev);
@@ -414,13 +407,6 @@ static TypeInfo via_mc97_info = {
     .class_init    = via_mc97_class_init,
 };
 
-static void vt82c686b_mc97_register(void)
-{
-    type_register_static(&via_mc97_info);
-}
-
-device_init(vt82c686b_mc97_register);
-
 /* vt82c686 pm init */
 static int vt82c686b_pm_initfn(PCIDevice *dev)
 {
@@ -497,13 +483,6 @@ static TypeInfo via_pm_info = {
     .class_init    = via_pm_class_init,
 };
 
-static void vt82c686b_pm_register(void)
-{
-    type_register_static(&via_pm_info);
-}
-
-device_init(vt82c686b_pm_register);
-
 static const VMStateDescription vmstate_via = {
     .name = "vt82c686b",
     .version_id = 1,
@@ -571,8 +550,12 @@ static TypeInfo via_info = {
     .class_init    = via_class_init,
 };
 
-static void vt82c686b_register(void)
+static void vt82c686b_register_types(void)
 {
+    type_register_static(&via_ac97_info);
+    type_register_static(&via_mc97_info);
+    type_register_static(&via_pm_info);
     type_register_static(&via_info);
 }
-device_init(vt82c686b_register);
+
+type_init(vt82c686b_register_types)
diff --git a/hw/wdt_i6300esb.c b/hw/wdt_i6300esb.c
index 41325f0..15c69db 100644
--- a/hw/wdt_i6300esb.c
+++ b/hw/wdt_i6300esb.c
@@ -448,10 +448,10 @@ static TypeInfo i6300esb_info = {
     .class_init    = i6300esb_class_init,
 };
 
-static void i6300esb_register_devices(void)
+static void i6300esb_register_types(void)
 {
     watchdog_add_model(&model);
     type_register_static(&i6300esb_info);
 }
 
-device_init(i6300esb_register_devices);
+type_init(i6300esb_register_types)
diff --git a/hw/wdt_ib700.c b/hw/wdt_ib700.c
index 8faa231..7f6c21d 100644
--- a/hw/wdt_ib700.c
+++ b/hw/wdt_ib700.c
@@ -136,10 +136,10 @@ static TypeInfo wdt_ib700_info = {
     .class_init    = wdt_ib700_class_init,
 };
 
-static void wdt_ib700_register_devices(void)
+static void wdt_ib700_register_types(void)
 {
     watchdog_add_model(&model);
     type_register_static(&wdt_ib700_info);
 }
 
-device_init(wdt_ib700_register_devices);
+type_init(wdt_ib700_register_types)
diff --git a/hw/wm8750.c b/hw/wm8750.c
index 18afa4c..11bcec3 100644
--- a/hw/wm8750.c
+++ b/hw/wm8750.c
@@ -708,9 +708,9 @@ static TypeInfo wm8750_info = {
     .class_init    = wm8750_class_init,
 };
 
-static void wm8750_register_devices(void)
+static void wm8750_register_types(void)
 {
     type_register_static(&wm8750_info);
 }
 
-device_init(wm8750_register_devices)
+type_init(wm8750_register_types)
diff --git a/hw/xen_platform.c b/hw/xen_platform.c
index e757102..5a7c4cc 100644
--- a/hw/xen_platform.c
+++ b/hw/xen_platform.c
@@ -396,9 +396,9 @@ static TypeInfo xen_platform_info = {
     .class_init    = xen_platform_class_init,
 };
 
-static void xen_platform_register(void)
+static void xen_platform_register_types(void)
 {
     type_register_static(&xen_platform_info);
 }
 
-device_init(xen_platform_register);
+type_init(xen_platform_register_types)
diff --git a/hw/xgmac.c b/hw/xgmac.c
index d395b1c..dd4bdc4 100644
--- a/hw/xgmac.c
+++ b/hw/xgmac.c
@@ -425,9 +425,9 @@ static TypeInfo xgmac_enet_info = {
     .class_init    = xgmac_enet_class_init,
 };
 
-static void xgmac_enet_register(void)
+static void xgmac_enet_register_types(void)
 {
     type_register_static(&xgmac_enet_info);
 }
 
-device_init(xgmac_enet_register)
+type_init(xgmac_enet_register_types)
diff --git a/hw/xilinx_axidma.c b/hw/xilinx_axidma.c
index e8a5312..85dfcbf 100644
--- a/hw/xilinx_axidma.c
+++ b/hw/xilinx_axidma.c
@@ -508,9 +508,9 @@ static TypeInfo axidma_info = {
     .class_init    = axidma_class_init,
 };
 
-static void xilinx_axidma_register(void)
+static void xilinx_axidma_register_types(void)
 {
     type_register_static(&axidma_info);
 }
 
-device_init(xilinx_axidma_register)
+type_init(xilinx_axidma_register_types)
diff --git a/hw/xilinx_axienet.c b/hw/xilinx_axienet.c
index 1ce2db4..7526273 100644
--- a/hw/xilinx_axienet.c
+++ b/hw/xilinx_axienet.c
@@ -894,9 +894,10 @@ static TypeInfo xilinx_enet_info = {
     .instance_size = sizeof(struct XilinxAXIEnet),
     .class_init    = xilinx_enet_class_init,
 };
-static void xilinx_enet_register(void)
+
+static void xilinx_enet_register_types(void)
 {
     type_register_static(&xilinx_enet_info);
 }
 
-device_init(xilinx_enet_register)
+type_init(xilinx_enet_register_types)
diff --git a/hw/xilinx_ethlite.c b/hw/xilinx_ethlite.c
index 499feef..857b33d 100644
--- a/hw/xilinx_ethlite.c
+++ b/hw/xilinx_ethlite.c
@@ -249,9 +249,9 @@ static TypeInfo xilinx_ethlite_info = {
     .class_init    = xilinx_ethlite_class_init,
 };
 
-static void xilinx_ethlite_register(void)
+static void xilinx_ethlite_register_types(void)
 {
     type_register_static(&xilinx_ethlite_info);
 }
 
-device_init(xilinx_ethlite_register)
+type_init(xilinx_ethlite_register_types)
diff --git a/hw/xilinx_intc.c b/hw/xilinx_intc.c
index 73eed6d..553f848 100644
--- a/hw/xilinx_intc.c
+++ b/hw/xilinx_intc.c
@@ -182,9 +182,9 @@ static TypeInfo xilinx_intc_info = {
     .class_init    = xilinx_intc_class_init,
 };
 
-static void xilinx_intc_register(void)
+static void xilinx_intc_register_types(void)
 {
     type_register_static(&xilinx_intc_info);
 }
 
-device_init(xilinx_intc_register)
+type_init(xilinx_intc_register_types)
diff --git a/hw/xilinx_timer.c b/hw/xilinx_timer.c
index c8236d2..3ab2f2b 100644
--- a/hw/xilinx_timer.c
+++ b/hw/xilinx_timer.c
@@ -241,9 +241,9 @@ static TypeInfo xilinx_timer_info = {
     .class_init    = xilinx_timer_class_init,
 };
 
-static void xilinx_timer_register(void)
+static void xilinx_timer_register_types(void)
 {
     type_register_static(&xilinx_timer_info);
 }
 
-device_init(xilinx_timer_register)
+type_init(xilinx_timer_register_types)
diff --git a/hw/xilinx_uartlite.c b/hw/xilinx_uartlite.c
index 1c2b908..aa0170d 100644
--- a/hw/xilinx_uartlite.c
+++ b/hw/xilinx_uartlite.c
@@ -225,9 +225,9 @@ static TypeInfo xilinx_uartlite_info = {
     .class_init    = xilinx_uartlite_class_init,
 };
 
-static void xilinx_uart_register(void)
+static void xilinx_uart_register_types(void)
 {
     type_register_static(&xilinx_uartlite_info);
 }
 
-device_init(xilinx_uart_register)
+type_init(xilinx_uart_register_types)
diff --git a/hw/xio3130_downstream.c b/hw/xio3130_downstream.c
index 07e4fc1..319624f 100644
--- a/hw/xio3130_downstream.c
+++ b/hw/xio3130_downstream.c
@@ -203,12 +203,12 @@ static TypeInfo xio3130_downstream_info = {
     .class_init    = xio3130_downstream_class_init,
 };
 
-static void xio3130_downstream_register(void)
+static void xio3130_downstream_register_types(void)
 {
     type_register_static(&xio3130_downstream_info);
 }
 
-device_init(xio3130_downstream_register);
+type_init(xio3130_downstream_register_types)
 
 /*
  * Local variables:
diff --git a/hw/xio3130_upstream.c b/hw/xio3130_upstream.c
index 7887c92..34a99bb 100644
--- a/hw/xio3130_upstream.c
+++ b/hw/xio3130_upstream.c
@@ -177,12 +177,12 @@ static TypeInfo xio3130_upstream_info = {
     .class_init    = xio3130_upstream_class_init,
 };
 
-static void xio3130_upstream_register(void)
+static void xio3130_upstream_register_types(void)
 {
     type_register_static(&xio3130_upstream_info);
 }
 
-device_init(xio3130_upstream_register);
+type_init(xio3130_upstream_register_types)
 
 
 /*
diff --git a/hw/zaurus.c b/hw/zaurus.c
index 055df9b..72838ec 100644
--- a/hw/zaurus.c
+++ b/hw/zaurus.c
@@ -243,11 +243,12 @@ static TypeInfo scoop_sysbus_info = {
     .class_init    = scoop_sysbus_class_init,
 };
 
-static void scoop_register(void)
+static void scoop_register_types(void)
 {
     type_register_static(&scoop_sysbus_info);
 }
-device_init(scoop_register);
+
+type_init(scoop_register_types)
 
 /* Write the bootloader parameters memory area.  */
 
diff --git a/include/qemu/object.h b/include/qemu/object.h
index 7d50da9..69cc2ab 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -71,12 +71,12 @@ typedef struct InterfaceInfo InterfaceInfo;
  *     .instance_size = sizeof(MyDevice),
  * };
  *
- * static void my_device_module_init(void)
+ * static void my_device_register_types(void)
  * {
  *     type_register_static(&my_device_info);
  * }
  *
- * device_init(my_device_module_init);
+ * type_init(my_device_register_types)
  *   </programlisting>
  * </example>
  *
diff --git a/module.h b/module.h
index ef66730..c4ccd57 100644
--- a/module.h
+++ b/module.h
@@ -22,16 +22,16 @@ static void __attribute__((constructor)) do_qemu_init_ ## function(void) {  \
 
 typedef enum {
     MODULE_INIT_BLOCK,
-    MODULE_INIT_DEVICE,
     MODULE_INIT_MACHINE,
     MODULE_INIT_QAPI,
+    MODULE_INIT_QOM,
     MODULE_INIT_MAX
 } module_init_type;
 
 #define block_init(function) module_init(function, MODULE_INIT_BLOCK)
-#define device_init(function) module_init(function, MODULE_INIT_DEVICE)
 #define machine_init(function) module_init(function, MODULE_INIT_MACHINE)
 #define qapi_init(function) module_init(function, MODULE_INIT_QAPI)
+#define type_init(function) module_init(function, MODULE_INIT_QOM)
 
 void register_module_init(void (*fn)(void), module_init_type type);
 
diff --git a/qom/container.c b/qom/container.c
index 946cbff..f107208 100644
--- a/qom/container.c
+++ b/qom/container.c
@@ -19,9 +19,9 @@ static TypeInfo container_info = {
     .parent        = TYPE_OBJECT,
 };
 
-static void container_init(void)
+static void container_register_types(void)
 {
     type_register_static(&container_info);
 }
 
-device_init(container_init);
+type_init(container_register_types)
diff --git a/qom/object.c b/qom/object.c
index 5e5b261..0cbd9bb 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -444,7 +444,7 @@ Object *object_dynamic_cast(Object *obj, const char *typename)
 }
 
 
-static void register_interface(void)
+static void register_types(void)
 {
     static TypeInfo interface_info = {
         .name = TYPE_INTERFACE,
@@ -455,7 +455,7 @@ static void register_interface(void)
     type_interface = type_register_static(&interface_info);
 }
 
-device_init(register_interface);
+type_init(register_types)
 
 Object *object_dynamic_cast_assert(Object *obj, const char *typename)
 {
diff --git a/ui/spice-core.c b/ui/spice-core.c
index 5639c6f..b4629f8 100644
--- a/ui/spice-core.c
+++ b/ui/spice-core.c
@@ -753,8 +753,9 @@ static void spice_register_config(void)
 }
 machine_init(spice_register_config);
 
-static void spice_initialize(void)
+static void spice_register_types(void)
 {
     qemu_spice_init();
 }
-device_init(spice_initialize);
+
+type_init(spice_register_types)
diff --git a/usb-bsd.c b/usb-bsd.c
index fc722b3..0fd12a2 100644
--- a/usb-bsd.c
+++ b/usb-bsd.c
@@ -417,11 +417,12 @@ static TypeInfo usb_host_dev_info = {
     .class_init    = usb_host_class_initfn,
 };
 
-static void usb_host_register_devices(void)
+static void usb_host_register_types(void)
 {
     type_register_static(&usb_host_dev_info);
 }
-device_init(usb_host_register_devices)
+
+type_init(usb_host_register_types)
 
 static int usb_host_scan(void *opaque, USBScanFunc *func)
 {
diff --git a/usb-linux.c b/usb-linux.c
index e7fc9ec..5e95be6 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -1436,12 +1436,13 @@ static TypeInfo usb_host_dev_info = {
     .class_init    = usb_host_class_initfn,
 };
 
-static void usb_host_register_devices(void)
+static void usb_host_register_types(void)
 {
     type_register_static(&usb_host_dev_info);
     usb_legacy_register("usb-host", "host", usb_host_device_open);
 }
-device_init(usb_host_register_devices)
+
+type_init(usb_host_register_types)
 
 USBDevice *usb_host_device_open(const char *devname)
 {
diff --git a/usb-redir.c b/usb-redir.c
index 303292a..82e7e21 100644
--- a/usb-redir.c
+++ b/usb-redir.c
@@ -1344,8 +1344,9 @@ static TypeInfo usbredir_dev_info = {
     .class_init    = usbredir_class_initfn,
 };
 
-static void usbredir_register_devices(void)
+static void usbredir_register_types(void)
 {
     type_register_static(&usbredir_dev_info);
 }
-device_init(usbredir_register_devices);
+
+type_init(usbredir_register_types)
diff --git a/vl.c b/vl.c
index 63dd725..9b7ddfe 100644
--- a/vl.c
+++ b/vl.c
@@ -3361,7 +3361,7 @@ int main(int argc, char **argv, char **envp)
     if (foreach_device_config(DEV_DEBUGCON, debugcon_parse) < 0)
         exit(1);
 
-    module_call_init(MODULE_INIT_DEVICE);
+    module_call_init(MODULE_INIT_QOM);
 
     /* must be after qdev registration but before machine init */
     if (vga_model) {
commit 59f971d451fbabee3194bb565f40846398ee6e6f
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Feb 14 10:19:53 2012 +0100

    qdev: print error message before aborting
    
    qdev_prop_set_* functions are always called by machine init functions
    that should know what they're doing, so they abort on error.  Still,
    an assert(!errp) does not aid debugging.  Print an error before aborting.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 6f09a35..7b74dd5 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -1072,49 +1072,49 @@ void qdev_prop_set_bit(DeviceState *dev, const char *name, bool value)
 {
     Error *errp = NULL;
     object_property_set_bool(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_uint8(DeviceState *dev, const char *name, uint8_t value)
 {
     Error *errp = NULL;
     object_property_set_int(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_uint16(DeviceState *dev, const char *name, uint16_t value)
 {
     Error *errp = NULL;
     object_property_set_int(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_uint32(DeviceState *dev, const char *name, uint32_t value)
 {
     Error *errp = NULL;
     object_property_set_int(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_int32(DeviceState *dev, const char *name, int32_t value)
 {
     Error *errp = NULL;
     object_property_set_int(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_uint64(DeviceState *dev, const char *name, uint64_t value)
 {
     Error *errp = NULL;
     object_property_set_int(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_string(DeviceState *dev, const char *name, char *value)
 {
     Error *errp = NULL;
     object_property_set_str(OBJECT(dev), value, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 int qdev_prop_set_drive(DeviceState *dev, const char *name, BlockDriverState *value)
@@ -1143,7 +1143,7 @@ void qdev_prop_set_chr(DeviceState *dev, const char *name, CharDriverState *valu
     assert(!value || value->label);
     object_property_set_str(OBJECT(dev),
                             value ? value->label : "", name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_netdev(DeviceState *dev, const char *name, VLANClientState *value)
@@ -1152,14 +1152,14 @@ void qdev_prop_set_netdev(DeviceState *dev, const char *name, VLANClientState *v
     assert(!value || value->name);
     object_property_set_str(OBJECT(dev),
                             value ? value->name : "", name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_vlan(DeviceState *dev, const char *name, VLANState *value)
 {
     Error *errp = NULL;
     object_property_set_int(OBJECT(dev), value ? value->id : -1, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_macaddr(DeviceState *dev, const char *name, uint8_t *value)
@@ -1170,7 +1170,7 @@ void qdev_prop_set_macaddr(DeviceState *dev, const char *name, uint8_t *value)
              value[0], value[1], value[2], value[3], value[4], value[5]);
 
     object_property_set_str(OBJECT(dev), str, name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_enum(DeviceState *dev, const char *name, int value)
@@ -1181,7 +1181,7 @@ void qdev_prop_set_enum(DeviceState *dev, const char *name, int value)
     prop = qdev_prop_find(dev, name);
     object_property_set_str(OBJECT(dev), prop->info->enum_table[value],
                             name, &errp);
-    assert(!errp);
+    assert_no_error(errp);
 }
 
 void qdev_prop_set_ptr(DeviceState *dev, const char *name, void *value)
@@ -1213,7 +1213,7 @@ void qdev_prop_set_defaults(DeviceState *dev, Property *props)
         } else if (props->qtype == QTYPE_QINT) {
             object_property_set_int(obj, props->defval, props->name, &errp);
         }
-        assert(!errp);
+        assert_no_error(errp);
     }
 }
 
diff --git a/qerror.c b/qerror.c
index 8e6efaf..f55d435 100644
--- a/qerror.c
+++ b/qerror.c
@@ -572,6 +572,14 @@ void qerror_report_err(Error *err)
     }
 }
 
+void assert_no_error(Error *err)
+{
+    if (err) {
+        qerror_report_err(err);
+        abort();
+    }
+}
+
 /**
  * qobject_to_qerror(): Convert a QObject into a QError
  */
diff --git a/qerror.h b/qerror.h
index e8718bf..e26c635 100644
--- a/qerror.h
+++ b/qerror.h
@@ -41,6 +41,7 @@ void qerror_print(QError *qerror);
 void qerror_report_internal(const char *file, int linenr, const char *func,
                             const char *fmt, ...) GCC_FMT_ATTR(4, 5);
 void qerror_report_err(Error *err);
+void assert_no_error(Error *err);
 QString *qerror_format(const char *fmt, QDict *error);
 #define qerror_report(fmt, ...) \
     qerror_report_internal(__FILE__, __LINE__, __func__, fmt, ## __VA_ARGS__)
commit 0a54a0ce3e7659d7804274fcb058154d52fb8d82
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Tue Feb 14 10:19:52 2012 +0100

    qdev: allow setting properties to NULL
    
    SPARC and PPC set properties to NULL.  This can be done with an
    empty string value.
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index b6d6fcf..6f09a35 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -613,7 +613,7 @@ static void set_pointer(Object *obj, Visitor *v, Property *prop,
     }
     if (!*str) {
         g_free(str);
-        error_set_from_qdev_prop_error(errp, EINVAL, dev, prop, str);
+        *ptr = NULL;
         return;
     }
     ret = parse(dev, str, ptr);
@@ -1120,7 +1120,8 @@ void qdev_prop_set_string(DeviceState *dev, const char *name, char *value)
 int qdev_prop_set_drive(DeviceState *dev, const char *name, BlockDriverState *value)
 {
     Error *errp = NULL;
-    object_property_set_str(OBJECT(dev), bdrv_get_device_name(value),
+    const char *bdrv_name = value ? bdrv_get_device_name(value) : "";
+    object_property_set_str(OBJECT(dev), bdrv_name,
                             name, &errp);
     if (errp) {
         qerror_report_err(errp);
@@ -1139,16 +1140,18 @@ void qdev_prop_set_drive_nofail(DeviceState *dev, const char *name, BlockDriverS
 void qdev_prop_set_chr(DeviceState *dev, const char *name, CharDriverState *value)
 {
     Error *errp = NULL;
-    assert(value->label);
-    object_property_set_str(OBJECT(dev), value->label, name, &errp);
+    assert(!value || value->label);
+    object_property_set_str(OBJECT(dev),
+                            value ? value->label : "", name, &errp);
     assert(!errp);
 }
 
 void qdev_prop_set_netdev(DeviceState *dev, const char *name, VLANClientState *value)
 {
     Error *errp = NULL;
-    assert(value->name);
-    object_property_set_str(OBJECT(dev), value->name, name, &errp);
+    assert(!value || value->name);
+    object_property_set_str(OBJECT(dev),
+                            value ? value->name : "", name, &errp);
     assert(!errp);
 }
 
commit 9d4df9c02866f39d3eef105033091f367cc7c29e
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Feb 4 11:47:17 2012 +0000

    ppc: remove unused variables
    
    Fix this error:
    /src/qemu/target-ppc/helper.c: In function 'booke206_tlb_to_page_size':
    /src/qemu/target-ppc/helper.c:1296:14: error: variable 'tlbncfg' set but not used [-Werror=unused-but-set-variable]
    
    Tested-by: Andreas Färber <afaerber at suse.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index e56fac8..928fbcf 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -1293,11 +1293,8 @@ void booke206_flush_tlb(CPUState *env, int flags, const int check_iprot)
 
 target_phys_addr_t booke206_tlb_to_page_size(CPUState *env, ppcmas_tlb_t *tlb)
 {
-    uint32_t tlbncfg;
-    int tlbn = booke206_tlbm_to_tlbn(env, tlb);
     int tlbm_size;
 
-    tlbncfg = env->spr[SPR_BOOKE_TLB0CFG + tlbn];
     tlbm_size = (tlb->mas1 & MAS1_TSIZE_MASK) >> MAS1_TSIZE_SHIFT;
 
     return 1024ULL << tlbm_size;
commit bda254daf8016ef474afb51122c5c2d6cfc3b80e
Author: Jan Kiszka <jan.kiszka at web.de>
Date:   Sat Feb 4 15:58:02 2012 +0100

    cfi02: Fix lazy ROMD switching - once again
    
    The conversion to memory regions broke lazy ROMD switching by forgetting
    to update the rom_mode state variable.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/pflash_cfi02.c b/hw/pflash_cfi02.c
index a9e88b9..2ca0fd4 100644
--- a/hw/pflash_cfi02.c
+++ b/hw/pflash_cfi02.c
@@ -102,6 +102,7 @@ static void pflash_setup_mappings(pflash_t *pfl)
 static void pflash_register_memory(pflash_t *pfl, int rom_mode)
 {
     memory_region_rom_device_set_readable(&pfl->orig_mem, rom_mode);
+    pfl->rom_mode = rom_mode;
 }
 
 static void pflash_timer (void *opaque)
commit 4896d74b844b1845de32c29743fe09e4145f0601
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Sat Feb 4 16:25:42 2012 +0100

    memory-region: Report if region is read-only or write-only on info mtree
    
    Helpful to understand guest configurations of things like the i440FX's
    PAM or the state of ROM devices.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/memory.c b/memory.c
index 5e77d8a..22816e2 100644
--- a/memory.c
+++ b/memory.c
@@ -1609,23 +1609,31 @@ static void mtree_print_mr(fprintf_function mon_printf, void *f,
             ml->printed = false;
             QTAILQ_INSERT_TAIL(alias_print_queue, ml, queue);
         }
-        mon_printf(f, TARGET_FMT_plx "-" TARGET_FMT_plx " (prio %d): alias %s @%s "
-                   TARGET_FMT_plx "-" TARGET_FMT_plx "\n",
+        mon_printf(f, TARGET_FMT_plx "-" TARGET_FMT_plx
+                   " (prio %d, %c%c): alias %s @%s " TARGET_FMT_plx
+                   "-" TARGET_FMT_plx "\n",
                    base + mr->addr,
                    base + mr->addr
                    + (target_phys_addr_t)int128_get64(mr->size) - 1,
                    mr->priority,
+                   mr->readable ? 'R' : '-',
+                   !mr->readonly && !(mr->rom_device && mr->readable) ? 'W'
+                                                                      : '-',
                    mr->name,
                    mr->alias->name,
                    mr->alias_offset,
                    mr->alias_offset
                    + (target_phys_addr_t)int128_get64(mr->size) - 1);
     } else {
-        mon_printf(f, TARGET_FMT_plx "-" TARGET_FMT_plx " (prio %d): %s\n",
+        mon_printf(f,
+                   TARGET_FMT_plx "-" TARGET_FMT_plx " (prio %d, %c%c): %s\n",
                    base + mr->addr,
                    base + mr->addr
                    + (target_phys_addr_t)int128_get64(mr->size) - 1,
                    mr->priority,
+                   mr->readable ? 'R' : '-',
+                   !mr->readonly && !(mr->rom_device && mr->readable) ? 'W'
+                                                                      : '-',
                    mr->name);
     }
 
commit 734781c9a03745a28fba3e538d33d4e39c5e4ff5
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Feb 7 16:03:24 2012 +0100

    vga: Fix full updates in graphic mode
    
    This fixes the regression introduced by cd7a45c95e: We lost the or'ing
    with the full_update flag.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/vga.c b/hw/vga.c
index d27700d..c1029db 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -1777,10 +1777,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
         if (!(s->cr[VGA_CRTC_MODE] & 2)) {
             addr = (addr & ~0x8000) | ((y1 & 2) << 14);
         }
+        update = full_update;
         page0 = addr;
         page1 = addr + bwidth - 1;
-        update = memory_region_get_dirty(&s->vram, page0, page1 - page0,
-                                         DIRTY_MEMORY_VGA);
+        update |= memory_region_get_dirty(&s->vram, page0, page1 - page0,
+                                          DIRTY_MEMORY_VGA);
         /* explicit invalidation for the hardware cursor */
         update |= (s->invalidated_y_table[y >> 5] >> (y & 0x1f)) & 1;
         if (update) {
commit d1f3dd343c163d0e1d188b964b7d635692bac7d8
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Feb 4 17:09:14 2012 +0000

    Fix memory dirty getting API change fallout
    
    Fix confusion in length calculation in commit
    cd7a45c95ecf2404810f3c6becb7cb83c5010ad8.
    
    Reported-by: Jan Kiszka <jan.kiszka at web.de>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/framebuffer.c b/hw/framebuffer.c
index ea122fb..f4747cd 100644
--- a/hw/framebuffer.c
+++ b/hw/framebuffer.c
@@ -87,7 +87,7 @@ void framebuffer_update_display(
     dest += i * dest_row_pitch;
 
     for (; i < rows; i++) {
-        dirty = memory_region_get_dirty(mem, addr, addr + src_width,
+        dirty = memory_region_get_dirty(mem, addr, src_width,
                                              DIRTY_MEMORY_VGA);
         if (dirty || invalidate) {
             fn(opaque, dest, src, cols, dest_col_pitch);
diff --git a/hw/sm501.c b/hw/sm501.c
index 94c0abf..786e076 100644
--- a/hw/sm501.c
+++ b/hw/sm501.c
@@ -1327,8 +1327,8 @@ static void sm501_draw_crt(SM501State * s)
         ram_addr_t page1 = offset + width * src_bpp - 1;
 
 	/* check dirty flags for each line */
-        update = memory_region_get_dirty(&s->local_mem_region, page0, page1,
-                                         DIRTY_MEMORY_VGA);
+        update = memory_region_get_dirty(&s->local_mem_region, page0,
+                                         page1 - page0, DIRTY_MEMORY_VGA);
 
 	/* draw line and change status */
 	if (update) {
diff --git a/hw/vga.c b/hw/vga.c
index d87c4f9..d27700d 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -1779,7 +1779,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
         }
         page0 = addr;
         page1 = addr + bwidth - 1;
-        update = memory_region_get_dirty(&s->vram, page0, page1,
+        update = memory_region_get_dirty(&s->vram, page0, page1 - page0,
                                          DIRTY_MEMORY_VGA);
         /* explicit invalidation for the hardware cursor */
         update |= (s->invalidated_y_table[y >> 5] >> (y & 0x1f)) & 1;
commit 7c605a23b2c7606f5f06b7d83d8927b1dc111478
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 20 13:29:16 2012 +0100

    xhci: handle USB_RET_NAK
    
    Add a field to XHCITransfer to correctly keep track of NAK'ed usb
    packets.  Retry transfers when the endpoint is kicked again.  Implement
    wakeup_endpoint bus op so we can kick the endpoint when needed.
    
    With this patch applied the emulated hid devices are working correctly
    when hooked up to xhci.  usb-tabled without polling, yay!
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 3026edb..ac7b12b 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -307,7 +307,8 @@ typedef struct XHCIState XHCIState;
 typedef struct XHCITransfer {
     XHCIState *xhci;
     USBPacket packet;
-    bool running;
+    bool running_async;
+    bool running_retry;
     bool cancelled;
     bool complete;
     bool backgrounded;
@@ -338,6 +339,7 @@ typedef struct XHCIEPContext {
     unsigned int next_xfer;
     unsigned int comp_xfer;
     XHCITransfer transfers[TD_QUEUE];
+    XHCITransfer *retry;
     bool bg_running;
     bool bg_updating;
     unsigned int next_bg;
@@ -915,12 +917,17 @@ static int xhci_ep_nuke_xfers(XHCIState *xhci, unsigned int slotid,
     xferi = epctx->next_xfer;
     for (i = 0; i < TD_QUEUE; i++) {
         XHCITransfer *t = &epctx->transfers[xferi];
-        if (t->running) {
+        if (t->running_async) {
+            usb_cancel_packet(&t->packet);
+            t->running_async = 0;
             t->cancelled = 1;
-            /* libusb_cancel_transfer(t->usbxfer) */
             DPRINTF("xhci: cancelling transfer %d, waiting for it to complete...\n", i);
             killed++;
         }
+        if (t->running_retry) {
+            t->running_retry = 0;
+            epctx->retry = NULL;
+        }
         if (t->backgrounded) {
             t->backgrounded = 0;
         }
@@ -941,9 +948,10 @@ static int xhci_ep_nuke_xfers(XHCIState *xhci, unsigned int slotid,
         xferi = epctx->next_bg;
         for (i = 0; i < BG_XFERS; i++) {
             XHCITransfer *t = &epctx->bg_transfers[xferi];
-            if (t->running) {
+            if (t->running_async) {
+                usb_cancel_packet(&t->packet);
+                t->running_async = 0;
                 t->cancelled = 1;
-                /* libusb_cancel_transfer(t->usbxfer); */
                 DPRINTF("xhci: cancelling bg transfer %d, waiting for it to complete...\n", i);
                 killed++;
             }
@@ -1409,12 +1417,20 @@ static int xhci_setup_packet(XHCITransfer *xfer, USBDevice *dev)
 static int xhci_complete_packet(XHCITransfer *xfer, int ret)
 {
     if (ret == USB_RET_ASYNC) {
-        xfer->running = 1;
+        xfer->running_async = 1;
+        xfer->running_retry = 0;
+        xfer->complete = 0;
+        xfer->cancelled = 0;
+        return 0;
+    } else if (ret == USB_RET_NAK) {
+        xfer->running_async = 0;
+        xfer->running_retry = 1;
         xfer->complete = 0;
         xfer->cancelled = 0;
         return 0;
     } else {
-        xfer->running = 0;
+        xfer->running_async = 0;
+        xfer->running_retry = 0;
         xfer->complete = 1;
     }
 
@@ -1529,7 +1545,7 @@ static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
                                     wValue, wIndex, wLength, xfer->data);
 
     xhci_complete_packet(xfer, ret);
-    if (!xfer->running) {
+    if (!xfer->running_async && !xfer->running_retry) {
         xhci_kick_ep(xhci, xfer->slotid, xfer->epid);
     }
     return 0;
@@ -1596,7 +1612,7 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
     ret = usb_handle_packet(dev, &xfer->packet);
 
     xhci_complete_packet(xfer, ret);
-    if (!xfer->running) {
+    if (!xfer->running_async && !xfer->running_retry) {
         xhci_kick_ep(xhci, xfer->slotid, xfer->epid);
     }
     return 0;
@@ -1667,6 +1683,25 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, unsigned int epid
         return;
     }
 
+    if (epctx->retry) {
+        /* retry nak'ed transfer */
+        XHCITransfer *xfer = epctx->retry;
+        int result;
+
+        DPRINTF("xhci: retry nack'ed transfer ...\n");
+        assert(xfer->running_retry);
+        xhci_setup_packet(xfer, xfer->packet.ep->dev);
+        result = usb_handle_packet(xfer->packet.ep->dev, &xfer->packet);
+        if (result == USB_RET_NAK) {
+            DPRINTF("xhci: ... xfer still nacked\n");
+            return;
+        }
+        DPRINTF("xhci: ... result %d\n", result);
+        xhci_complete_packet(xfer, result);
+        assert(!xfer->running_retry);
+        epctx->retry = NULL;
+    }
+
     if (epctx->state == EP_HALTED) {
         DPRINTF("xhci: ep halted, not running schedule\n");
         return;
@@ -1676,9 +1711,13 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, unsigned int epid
 
     while (1) {
         XHCITransfer *xfer = &epctx->transfers[epctx->next_xfer];
-        if (xfer->running || xfer->backgrounded) {
-            DPRINTF("xhci: ep is busy\n");
+        if (xfer->running_async || xfer->running_retry || xfer->backgrounded) {
+            DPRINTF("xhci: ep is busy (#%d,%d,%d,%d)\n",
+                    epctx->next_xfer, xfer->running_async,
+                    xfer->running_retry, xfer->backgrounded);
             break;
+        } else {
+            DPRINTF("xhci: ep: using #%d\n", epctx->next_xfer);
         }
         length = xhci_ring_chain_length(xhci, &epctx->ring);
         if (length < 0) {
@@ -1725,6 +1764,11 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, unsigned int epid
             DPRINTF("xhci: ep halted, stopping schedule\n");
             break;
         }
+        if (xfer->running_retry) {
+            DPRINTF("xhci: xfer nacked, stopping schedule\n");
+            epctx->retry = xfer;
+            break;
+        }
 
         /*
          * Qemu usb can't handle multiple in-flight xfers.
@@ -2739,7 +2783,48 @@ static USBPortOps xhci_port_ops = {
     .child_detach = xhci_child_detach,
 };
 
+static int xhci_find_slotid(XHCIState *xhci, USBDevice *dev)
+{
+    XHCISlot *slot;
+    int slotid;
+
+    for (slotid = 1; slotid <= MAXSLOTS; slotid++) {
+        slot = &xhci->slots[slotid-1];
+        if (slot->devaddr == dev->addr) {
+            return slotid;
+        }
+    }
+    return 0;
+}
+
+static int xhci_find_epid(USBEndpoint *ep)
+{
+    if (ep->nr == 0) {
+        return 1;
+    }
+    if (ep->pid == USB_TOKEN_IN) {
+        return ep->nr * 2 + 1;
+    } else {
+        return ep->nr * 2;
+    }
+}
+
+static void xhci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep)
+{
+    XHCIState *xhci = container_of(bus, XHCIState, bus);
+    int slotid;
+
+    DPRINTF("%s\n", __func__);
+    slotid = xhci_find_slotid(xhci, ep->dev);
+    if (slotid == 0 || !xhci->slots[slotid-1].enabled) {
+        DPRINTF("%s: oops, no slot for dev %d\n", __func__, ep->dev->addr);
+        return;
+    }
+    xhci_kick_ep(xhci, slotid, xhci_find_epid(ep));
+}
+
 static USBBusOps xhci_bus_ops = {
+    .wakeup_endpoint = xhci_wakeup_endpoint,
 };
 
 static void usb_xhci_init(XHCIState *xhci, DeviceState *dev)
commit 8c735e431d384663137a709c8207f4ada3146205
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 20 17:09:58 2012 +0100

    xhci: remote wakeup support
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 65214af..3026edb 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -2698,6 +2698,26 @@ static void xhci_detach(USBPort *usbport)
     xhci_update_port(xhci, port, 1);
 }
 
+static void xhci_wakeup(USBPort *usbport)
+{
+    XHCIState *xhci = usbport->opaque;
+    XHCIPort *port = &xhci->ports[usbport->index];
+    int nr = port->port.index + 1;
+    XHCIEvent ev = { ER_PORT_STATUS_CHANGE, CC_SUCCESS, nr << 24};
+    uint32_t pls;
+
+    pls = (port->portsc >> PORTSC_PLS_SHIFT) & PORTSC_PLS_MASK;
+    if (pls != 3) {
+        return;
+    }
+    port->portsc |= 0xf << PORTSC_PLS_SHIFT;
+    if (port->portsc & PORTSC_PLC) {
+        return;
+    }
+    port->portsc |= PORTSC_PLC;
+    xhci_event(xhci, &ev);
+}
+
 static void xhci_complete(USBPort *port, USBPacket *packet)
 {
     XHCITransfer *xfer = container_of(packet, XHCITransfer, packet);
@@ -2714,6 +2734,7 @@ static void xhci_child_detach(USBPort *port, USBDevice *child)
 static USBPortOps xhci_port_ops = {
     .attach   = xhci_attach,
     .detach   = xhci_detach,
+    .wakeup   = xhci_wakeup,
     .complete = xhci_complete,
     .child_detach = xhci_child_detach,
 };
commit b819d7169a8f026c7b9174b7cbce8ab50fc7908a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 20 15:25:16 2012 +0100

    xhci: kill port arg from xhci_setup_packet
    
    Unused argument, remove it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 7682126..65214af 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -1392,7 +1392,7 @@ static int xhci_hle_control(XHCIState *xhci, XHCITransfer *xfer,
 }
 #endif
 
-static int xhci_setup_packet(XHCITransfer *xfer, XHCIPort *port, USBDevice *dev)
+static int xhci_setup_packet(XHCITransfer *xfer, USBDevice *dev)
 {
     USBEndpoint *ep;
     int dir;
@@ -1520,7 +1520,7 @@ static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
     xfer->in_xfer = bmRequestType & USB_DIR_IN;
     xfer->iso_xfer = false;
 
-    xhci_setup_packet(xfer, port, dev);
+    xhci_setup_packet(xfer, dev);
     if (!xfer->in_xfer) {
         xhci_xfer_data(xfer, xfer->data, wLength, 0, 1, 0);
     }
@@ -1571,7 +1571,7 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
         return -1;
     }
 
-    xhci_setup_packet(xfer, port, dev);
+    xhci_setup_packet(xfer, dev);
 
     switch(epctx->type) {
     case ET_INTR_OUT:
commit 3c4866e07ed17c7d64c2fd30738f68276ca353d9
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 17 13:25:13 2012 +0100

    xhci: stop on errors
    
    When some error happened we'll have to stop processing the endpoint.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 5e618f0..7682126 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -1721,10 +1721,14 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, unsigned int epid
             }
         }
 
+        if (epctx->state == EP_HALTED) {
+            DPRINTF("xhci: ep halted, stopping schedule\n");
+            break;
+        }
+
         /*
          * Qemu usb can't handle multiple in-flight xfers.
-         * Also xfers might be finished here already,
-         * possibly with an error.  Stop here for now.
+         * Stop here for now.
          */
         break;
     }
commit f10de44e7eb8304406d42a2a7242887c08282c4a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 17 11:21:06 2012 +0100

    xhci: add trb type name lookup support.
    
    When logging TRBs add a the type name for more readable debug output.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 27bdc2b..5e618f0 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -420,6 +420,60 @@ typedef struct XHCIEvRingSeg {
     uint32_t rsvd;
 } XHCIEvRingSeg;
 
+#ifdef DEBUG_XHCI
+static const char *TRBType_names[] = {
+    [TRB_RESERVED]                     = "TRB_RESERVED",
+    [TR_NORMAL]                        = "TR_NORMAL",
+    [TR_SETUP]                         = "TR_SETUP",
+    [TR_DATA]                          = "TR_DATA",
+    [TR_STATUS]                        = "TR_STATUS",
+    [TR_ISOCH]                         = "TR_ISOCH",
+    [TR_LINK]                          = "TR_LINK",
+    [TR_EVDATA]                        = "TR_EVDATA",
+    [TR_NOOP]                          = "TR_NOOP",
+    [CR_ENABLE_SLOT]                   = "CR_ENABLE_SLOT",
+    [CR_DISABLE_SLOT]                  = "CR_DISABLE_SLOT",
+    [CR_ADDRESS_DEVICE]                = "CR_ADDRESS_DEVICE",
+    [CR_CONFIGURE_ENDPOINT]            = "CR_CONFIGURE_ENDPOINT",
+    [CR_EVALUATE_CONTEXT]              = "CR_EVALUATE_CONTEXT",
+    [CR_RESET_ENDPOINT]                = "CR_RESET_ENDPOINT",
+    [CR_STOP_ENDPOINT]                 = "CR_STOP_ENDPOINT",
+    [CR_SET_TR_DEQUEUE]                = "CR_SET_TR_DEQUEUE",
+    [CR_RESET_DEVICE]                  = "CR_RESET_DEVICE",
+    [CR_FORCE_EVENT]                   = "CR_FORCE_EVENT",
+    [CR_NEGOTIATE_BW]                  = "CR_NEGOTIATE_BW",
+    [CR_SET_LATENCY_TOLERANCE]         = "CR_SET_LATENCY_TOLERANCE",
+    [CR_GET_PORT_BANDWIDTH]            = "CR_GET_PORT_BANDWIDTH",
+    [CR_FORCE_HEADER]                  = "CR_FORCE_HEADER",
+    [CR_NOOP]                          = "CR_NOOP",
+    [ER_TRANSFER]                      = "ER_TRANSFER",
+    [ER_COMMAND_COMPLETE]              = "ER_COMMAND_COMPLETE",
+    [ER_PORT_STATUS_CHANGE]            = "ER_PORT_STATUS_CHANGE",
+    [ER_BANDWIDTH_REQUEST]             = "ER_BANDWIDTH_REQUEST",
+    [ER_DOORBELL]                      = "ER_DOORBELL",
+    [ER_HOST_CONTROLLER]               = "ER_HOST_CONTROLLER",
+    [ER_DEVICE_NOTIFICATION]           = "ER_DEVICE_NOTIFICATION",
+    [ER_MFINDEX_WRAP]                  = "ER_MFINDEX_WRAP",
+    [CR_VENDOR_VIA_CHALLENGE_RESPONSE] = "CR_VENDOR_VIA_CHALLENGE_RESPONSE",
+    [CR_VENDOR_NEC_FIRMWARE_REVISION]  = "CR_VENDOR_NEC_FIRMWARE_REVISION",
+    [CR_VENDOR_NEC_CHALLENGE_RESPONSE] = "CR_VENDOR_NEC_CHALLENGE_RESPONSE",
+};
+
+static const char *lookup_name(uint32_t index, const char **list, uint32_t llen)
+{
+    if (index >= llen || list[index] == NULL) {
+        return "???";
+    }
+    return list[index];
+}
+
+static const char *trb_name(XHCITRB *trb)
+{
+    return lookup_name(TRB_TYPE(*trb), TRBType_names,
+                       ARRAY_SIZE(TRBType_names));
+}
+#endif
+
 static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid,
                          unsigned int epid);
 
@@ -487,8 +541,9 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event)
     }
     ev_trb.control = cpu_to_le32(ev_trb.control);
 
-    DPRINTF("xhci_write_event(): [%d] %016"PRIx64" %08x %08x\n",
-            xhci->er_ep_idx, ev_trb.parameter, ev_trb.status, ev_trb.control);
+    DPRINTF("xhci_write_event(): [%d] %016"PRIx64" %08x %08x %s\n",
+            xhci->er_ep_idx, ev_trb.parameter, ev_trb.status, ev_trb.control,
+            trb_name(&ev_trb));
 
     addr = xhci->er_start + TRB_SIZE*xhci->er_ep_idx;
     cpu_physical_memory_write(addr, (uint8_t *) &ev_trb, TRB_SIZE);
@@ -649,8 +704,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
         le32_to_cpus(&trb->control);
 
         DPRINTF("xhci: TRB fetched [" TARGET_FMT_plx "]: "
-                "%016" PRIx64 " %08x %08x\n",
-                ring->dequeue, trb->parameter, trb->status, trb->control);
+                "%016" PRIx64 " %08x %08x %s\n",
+                ring->dequeue, trb->parameter, trb->status, trb->control,
+                trb_name(trb));
 
         if ((trb->control & TRB_C) != ring->ccs) {
             return 0;
commit 606352b735eb98ce0b1f3786e0b4b313bd2e1a35
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 13 17:06:18 2012 +0100

    xhci: signal low- and fullspeed support
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index b274b80..27bdc2b 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -2672,7 +2672,10 @@ static void usb_xhci_init(XHCIState *xhci, DeviceState *dev)
     for (i = 0; i < MAXPORTS; i++) {
         memset(&xhci->ports[i], 0, sizeof(xhci->ports[i]));
         usb_register_port(&xhci->bus, &xhci->ports[i].port, xhci, i,
-                          &xhci_port_ops, USB_SPEED_MASK_HIGH);
+                          &xhci_port_ops,
+                          USB_SPEED_MASK_LOW  |
+                          USB_SPEED_MASK_FULL |
+                          USB_SPEED_MASK_HIGH);
     }
     for (i = 0; i < MAXSLOTS; i++) {
         xhci->slots[i].enabled = 0;
commit 37f32f0fdd3ed589266d159abb69f3a1bae20ec5
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 20 13:29:53 2012 +0100

    usb: add USBBusOps->wakeup_endpoint
    
    Add usb bus op which is called whenever a usb endpoint becomes ready,
    so the host adapter emulation can react on that event.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index 0572547..e5b8f33 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -73,10 +73,14 @@ void usb_device_reset(USBDevice *dev)
 void usb_wakeup(USBEndpoint *ep)
 {
     USBDevice *dev = ep->dev;
+    USBBus *bus = usb_bus_from_device(dev);
 
     if (dev->remote_wakeup && dev->port && dev->port->ops->wakeup) {
         dev->port->ops->wakeup(dev->port);
     }
+    if (bus->ops->wakeup_endpoint) {
+        bus->ops->wakeup_endpoint(bus, ep);
+    }
 }
 
 /**********************/
diff --git a/hw/usb.h b/hw/usb.h
index b2caa77..4470ea8 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -425,6 +425,7 @@ struct USBBus {
 struct USBBusOps {
     int (*register_companion)(USBBus *bus, USBPort *ports[],
                               uint32_t portcount, uint32_t firstport);
+    void (*wakeup_endpoint)(USBBus *bus, USBEndpoint *ep);
 };
 
 void usb_bus_new(USBBus *bus, USBBusOps *ops, DeviceState *host);
commit 7567b51fbe92e1300a672eaddd413c4a7e807d90
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 17 13:25:46 2012 +0100

    usb: pass USBEndpoint to usb_wakeup
    
    Devices must specify which endpoint has data to transfer now.
    The plan is to use the usb_wakeup() not only for remove wakeup support,
    but for "data ready" signaling in general, so we can move away from
    constant polling to event driven usb device emulation.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-ccid.c b/hw/usb-ccid.c
index 8c0c717..fda2d92 100644
--- a/hw/usb-ccid.c
+++ b/hw/usb-ccid.c
@@ -267,6 +267,7 @@ typedef struct CCIDBus {
  */
 typedef struct USBCCIDState {
     USBDevice dev;
+    USBEndpoint *intr;
     CCIDBus bus;
     CCIDCardState *card;
     BulkIn bulk_in_pending[BULK_IN_PENDING_NUM]; /* circular */
@@ -839,7 +840,7 @@ static void ccid_on_slot_change(USBCCIDState *s, bool full)
         s->bmSlotICCState |= SLOT_0_CHANGED_MASK;
     }
     s->notify_slot_change = true;
-    usb_wakeup(&s->dev);
+    usb_wakeup(s->intr);
 }
 
 static void ccid_write_data_block_error(
@@ -1190,6 +1191,7 @@ static int ccid_initfn(USBDevice *dev)
 
     usb_desc_init(dev);
     qbus_create_inplace(&s->bus.qbus, &ccid_bus_info, &dev->qdev, NULL);
+    s->intr = usb_ep_get(dev, USB_TOKEN_IN, CCID_INT_IN_EP);
     s->bus.qbus.allow_hotplug = 1;
     s->card = NULL;
     s->migration_state = MIGRATION_NONE;
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 4d00c28..53353d3 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -44,6 +44,7 @@
 
 typedef struct USBHIDState {
     USBDevice dev;
+    USBEndpoint *intr;
     HIDState hid;
 } USBHIDState;
 
@@ -360,7 +361,7 @@ static void usb_hid_changed(HIDState *hs)
 {
     USBHIDState *us = container_of(hs, USBHIDState, hid);
 
-    usb_wakeup(&us->dev);
+    usb_wakeup(us->intr);
 }
 
 static void usb_hid_handle_reset(USBDevice *dev)
@@ -501,6 +502,7 @@ static int usb_hid_initfn(USBDevice *dev, int kind)
     USBHIDState *us = DO_UPCAST(USBHIDState, dev, dev);
 
     usb_desc_init(dev);
+    us->intr = usb_ep_get(dev, USB_TOKEN_IN, 1);
     hid_init(&us->hid, kind, usb_hid_changed);
     return 0;
 }
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 940e211..6d1ce06 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -37,6 +37,7 @@ typedef struct USBHubPort {
 
 typedef struct USBHubState {
     USBDevice dev;
+    USBEndpoint *intr;
     USBHubPort ports[NUM_PORTS];
 } USBHubState;
 
@@ -163,7 +164,7 @@ static void usb_hub_attach(USBPort *port1)
     } else {
         port->wPortStatus &= ~PORT_STAT_LOW_SPEED;
     }
-    usb_wakeup(&s->dev);
+    usb_wakeup(s->intr);
 }
 
 static void usb_hub_detach(USBPort *port1)
@@ -171,7 +172,7 @@ static void usb_hub_detach(USBPort *port1)
     USBHubState *s = port1->opaque;
     USBHubPort *port = &s->ports[port1->index];
 
-    usb_wakeup(&s->dev);
+    usb_wakeup(s->intr);
 
     /* Let upstream know the device on this port is gone */
     s->dev.port->ops->child_detach(s->dev.port, port1->dev);
@@ -199,7 +200,7 @@ static void usb_hub_wakeup(USBPort *port1)
 
     if (port->wPortStatus & PORT_STAT_SUSPEND) {
         port->wPortChange |= PORT_STAT_C_SUSPEND;
-        usb_wakeup(&s->dev);
+        usb_wakeup(s->intr);
     }
 }
 
@@ -481,6 +482,7 @@ static int usb_hub_initfn(USBDevice *dev)
     int i;
 
     usb_desc_init(dev);
+    s->intr = usb_ep_get(dev, USB_TOKEN_IN, 1);
     for (i = 0; i < NUM_PORTS; i++) {
         port = &s->ports[i];
         usb_register_port(usb_bus_from_device(dev),
diff --git a/hw/usb.c b/hw/usb.c
index 712bdd4..0572547 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -70,8 +70,10 @@ void usb_device_reset(USBDevice *dev)
     usb_device_handle_reset(dev);
 }
 
-void usb_wakeup(USBDevice *dev)
+void usb_wakeup(USBEndpoint *ep)
 {
+    USBDevice *dev = ep->dev;
+
     if (dev->remote_wakeup && dev->port && dev->port->ops->wakeup) {
         dev->port->ops->wakeup(dev->port);
     }
diff --git a/hw/usb.h b/hw/usb.h
index 6545b69..b2caa77 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -368,7 +368,7 @@ void usb_attach(USBPort *port);
 void usb_detach(USBPort *port);
 void usb_port_reset(USBPort *port);
 void usb_device_reset(USBDevice *dev);
-void usb_wakeup(USBDevice *dev);
+void usb_wakeup(USBEndpoint *ep);
 void usb_generic_async_ctrl_complete(USBDevice *s, USBPacket *p);
 int set_usb_string(uint8_t *buf, const char *str);
 
commit db4be873d312576c6971da15a38e056017a406b8
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 12 14:26:13 2012 +0100

    usb: maintain async packet list per endpoint
    
    Maintain a list of async packets per endpoint.  With the current code
    the list will never receive more than a single item.  I think you can
    guess what the future plan is though ;)
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index 240f24b..712bdd4 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -279,6 +279,28 @@ USBDevice *usb_find_device(USBPort *port, uint8_t addr)
     return usb_device_find_device(dev, addr);
 }
 
+static int usb_process_one(USBPacket *p)
+{
+    USBDevice *dev = p->ep->dev;
+
+    if (p->ep->nr == 0) {
+        /* control pipe */
+        switch (p->pid) {
+        case USB_TOKEN_SETUP:
+            return do_token_setup(dev, p);
+        case USB_TOKEN_IN:
+            return do_token_in(dev, p);
+        case USB_TOKEN_OUT:
+            return do_token_out(dev, p);
+        default:
+            return USB_RET_STALL;
+        }
+    } else {
+        /* data pipe */
+        return usb_device_handle_data(dev, p);
+    }
+}
+
 /* Hand over a packet to a device for processing.  Return value
    USB_RET_ASYNC indicates the processing isn't finished yet, the
    driver will call usb_packet_complete() when done processing it. */
@@ -292,30 +314,21 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
     assert(dev == p->ep->dev);
     assert(dev->state == USB_STATE_DEFAULT);
     assert(p->state == USB_PACKET_SETUP);
+    assert(p->ep != NULL);
 
-    if (p->ep->nr == 0) {
-        /* control pipe */
-        switch (p->pid) {
-        case USB_TOKEN_SETUP:
-            ret = do_token_setup(dev, p);
-            break;
-        case USB_TOKEN_IN:
-            ret = do_token_in(dev, p);
-            break;
-        case USB_TOKEN_OUT:
-            ret = do_token_out(dev, p);
-            break;
-        default:
-            ret = USB_RET_STALL;
-            break;
+    if (QTAILQ_EMPTY(&p->ep->queue)) {
+        ret = usb_process_one(p);
+        if (ret == USB_RET_ASYNC) {
+            usb_packet_set_state(p, USB_PACKET_ASYNC);
+            QTAILQ_INSERT_TAIL(&p->ep->queue, p, queue);
+        } else {
+            p->result = ret;
+            usb_packet_set_state(p, USB_PACKET_COMPLETE);
         }
     } else {
-        /* data pipe */
-        ret = usb_device_handle_data(dev, p);
-    }
-
-    if (ret == USB_RET_ASYNC) {
-        p->state = USB_PACKET_ASYNC;
+        ret = USB_RET_ASYNC;
+        usb_packet_set_state(p, USB_PACKET_QUEUED);
+        QTAILQ_INSERT_TAIL(&p->ep->queue, p, queue);
     }
     return ret;
 }
@@ -325,9 +338,28 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
    handle_packet. */
 void usb_packet_complete(USBDevice *dev, USBPacket *p)
 {
+    USBEndpoint *ep = p->ep;
+    int ret;
+
     assert(p->state == USB_PACKET_ASYNC);
-    p->state = USB_PACKET_COMPLETE;
+    assert(QTAILQ_FIRST(&ep->queue) == p);
+    usb_packet_set_state(p, USB_PACKET_COMPLETE);
+    QTAILQ_REMOVE(&ep->queue, p, queue);
     dev->port->ops->complete(dev->port, p);
+
+    while (!QTAILQ_EMPTY(&ep->queue)) {
+        p = QTAILQ_FIRST(&ep->queue);
+        assert(p->state == USB_PACKET_QUEUED);
+        ret = usb_process_one(p);
+        if (ret == USB_RET_ASYNC) {
+            usb_packet_set_state(p, USB_PACKET_ASYNC);
+            break;
+        }
+        p->result = ret;
+        usb_packet_set_state(p, USB_PACKET_COMPLETE);
+        QTAILQ_REMOVE(&ep->queue, p, queue);
+        dev->port->ops->complete(dev->port, p);
+    }
 }
 
 /* Cancel an active packet.  The packed must have been deferred by
@@ -335,9 +367,13 @@ void usb_packet_complete(USBDevice *dev, USBPacket *p)
    completed.  */
 void usb_cancel_packet(USBPacket * p)
 {
-    assert(p->state == USB_PACKET_ASYNC);
-    p->state = USB_PACKET_CANCELED;
-    usb_device_cancel_packet(p->ep->dev, p);
+    bool callback = (p->state == USB_PACKET_ASYNC);
+    assert(usb_packet_is_inflight(p));
+    usb_packet_set_state(p, USB_PACKET_CANCELED);
+    QTAILQ_REMOVE(&p->ep->queue, p, queue);
+    if (callback) {
+        usb_device_cancel_packet(p->ep->dev, p);
+    }
 }
 
 
@@ -346,14 +382,50 @@ void usb_packet_init(USBPacket *p)
     qemu_iovec_init(&p->iov, 1);
 }
 
+void usb_packet_set_state(USBPacket *p, USBPacketState state)
+{
+#ifdef DEBUG
+    static const char *name[] = {
+        [USB_PACKET_UNDEFINED] = "undef",
+        [USB_PACKET_SETUP]     = "setup",
+        [USB_PACKET_QUEUED]    = "queued",
+        [USB_PACKET_ASYNC]     = "async",
+        [USB_PACKET_COMPLETE]  = "complete",
+        [USB_PACKET_CANCELED]  = "canceled",
+    };
+    static const char *rets[] = {
+        [-USB_RET_NODEV]  = "NODEV",
+        [-USB_RET_NAK]    = "NAK",
+        [-USB_RET_STALL]  = "STALL",
+        [-USB_RET_BABBLE] = "BABBLE",
+        [-USB_RET_ASYNC]  = "ASYNC",
+    };
+    char add[16] = "";
+
+    if (state == USB_PACKET_COMPLETE) {
+        if (p->result < 0) {
+            snprintf(add, sizeof(add), " - %s", rets[-p->result]);
+        } else {
+            snprintf(add, sizeof(add), " - %d", p->result);
+        }
+    }
+    fprintf(stderr, "bus %s, port %s, dev %d, ep %d: packet %p: %s -> %s%s\n",
+            p->ep->dev->qdev.parent_bus->name,
+            p->ep->dev->port->path,
+            p->ep->dev->addr, p->ep->nr,
+            p, name[p->state], name[state], add);
+#endif
+    p->state = state;
+}
+
 void usb_packet_setup(USBPacket *p, int pid, USBEndpoint *ep)
 {
     assert(!usb_packet_is_inflight(p));
-    p->state = USB_PACKET_SETUP;
     p->pid = pid;
     p->ep = ep;
     p->result = 0;
     qemu_iovec_reset(&p->iov);
+    usb_packet_set_state(p, USB_PACKET_SETUP);
 }
 
 void usb_packet_addbuf(USBPacket *p, void *ptr, size_t len)
@@ -404,6 +476,7 @@ void usb_ep_init(USBDevice *dev)
     dev->ep_ctl.type = USB_ENDPOINT_XFER_CONTROL;
     dev->ep_ctl.ifnum = 0;
     dev->ep_ctl.dev = dev;
+    QTAILQ_INIT(&dev->ep_ctl.queue);
     for (ep = 0; ep < USB_MAX_ENDPOINTS; ep++) {
         dev->ep_in[ep].nr = ep + 1;
         dev->ep_out[ep].nr = ep + 1;
@@ -415,6 +488,8 @@ void usb_ep_init(USBDevice *dev)
         dev->ep_out[ep].ifnum = 0;
         dev->ep_in[ep].dev = dev;
         dev->ep_out[ep].dev = dev;
+        QTAILQ_INIT(&dev->ep_in[ep].queue);
+        QTAILQ_INIT(&dev->ep_out[ep].queue);
     }
 }
 
diff --git a/hw/usb.h b/hw/usb.h
index a80fe8f..6545b69 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -177,6 +177,7 @@ struct USBEndpoint {
     uint8_t ifnum;
     int max_packet_size;
     USBDevice *dev;
+    QTAILQ_HEAD(, USBPacket) queue;
 };
 
 /* definition of a USB device */
@@ -309,15 +310,16 @@ struct USBPort {
 
 typedef void USBCallback(USBPacket * packet, void *opaque);
 
-/* Structure used to hold information about an active USB packet.  */
 typedef enum USBPacketState {
     USB_PACKET_UNDEFINED = 0,
     USB_PACKET_SETUP,
+    USB_PACKET_QUEUED,
     USB_PACKET_ASYNC,
     USB_PACKET_COMPLETE,
     USB_PACKET_CANCELED,
 } USBPacketState;
 
+/* Structure used to hold information about an active USB packet.  */
 struct USBPacket {
     /* Data fields for use by the driver.  */
     int pid;
@@ -326,9 +328,11 @@ struct USBPacket {
     int result; /* transfer length or USB_RET_* status code */
     /* Internal use by the USB layer.  */
     USBPacketState state;
+    QTAILQ_ENTRY(USBPacket) queue;
 };
 
 void usb_packet_init(USBPacket *p);
+void usb_packet_set_state(USBPacket *p, USBPacketState state);
 void usb_packet_setup(USBPacket *p, int pid, USBEndpoint *ep);
 void usb_packet_addbuf(USBPacket *p, void *ptr, size_t len);
 int usb_packet_map(USBPacket *p, QEMUSGList *sgl);
@@ -339,7 +343,8 @@ void usb_packet_cleanup(USBPacket *p);
 
 static inline bool usb_packet_is_inflight(USBPacket *p)
 {
-    return p->state == USB_PACKET_ASYNC;
+    return (p->state == USB_PACKET_QUEUED ||
+            p->state == USB_PACKET_ASYNC);
 }
 
 USBDevice *usb_find_device(USBPort *port, uint8_t addr);
commit 3a0c6c4ad6f97931f1d9a729322cb1612218ed96
Author: Paul Brook <paul at codesourcery.com>
Date:   Thu Feb 9 19:04:27 2012 +0000

    linux-user: brk() debugging
    
    Fix format type mismatches in do_brk debug printfs.
    
    Signed-off-by: Paul Brook <paul at codesourcery.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e868ec6..8a11213 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -756,14 +756,15 @@ abi_long do_brk(abi_ulong new_brk)
     abi_long mapped_addr;
     int	new_alloc_size;
 
-    DEBUGF_BRK("do_brk(%#010x) -> ", new_brk);
+    DEBUGF_BRK("do_brk(" TARGET_ABI_FMT_lx ") -> ", new_brk);
 
     if (!new_brk) {
-        DEBUGF_BRK("%#010x (!new_brk)\n", target_brk);
+        DEBUGF_BRK(TARGET_ABI_FMT_lx " (!new_brk)\n", target_brk);
         return target_brk;
     }
     if (new_brk < target_original_brk) {
-        DEBUGF_BRK("%#010x (new_brk < target_original_brk)\n", target_brk);
+        DEBUGF_BRK(TARGET_ABI_FMT_lx " (new_brk < target_original_brk)\n",
+                   target_brk);
         return target_brk;
     }
 
@@ -776,7 +777,7 @@ abi_long do_brk(abi_ulong new_brk)
             memset(g2h(target_brk), 0, new_brk - target_brk);
         }
 	target_brk = new_brk;
-        DEBUGF_BRK("%#010x (new_brk <= brk_page)\n", target_brk);
+        DEBUGF_BRK(TARGET_ABI_FMT_lx " (new_brk <= brk_page)\n", target_brk);
     	return target_brk;
     }
 
@@ -803,7 +804,8 @@ abi_long do_brk(abi_ulong new_brk)
 
         target_brk = new_brk;
         brk_page = HOST_PAGE_ALIGN(target_brk);
-        DEBUGF_BRK("%#010x (mapped_addr == brk_page)\n", target_brk);
+        DEBUGF_BRK(TARGET_ABI_FMT_lx " (mapped_addr == brk_page)\n",
+            target_brk);
         return target_brk;
     } else if (mapped_addr != -1) {
         /* Mapped but at wrong address, meaning there wasn't actually
@@ -811,10 +813,10 @@ abi_long do_brk(abi_ulong new_brk)
          */
         target_munmap(mapped_addr, new_alloc_size);
         mapped_addr = -1;
-        DEBUGF_BRK("%#010x (mapped_addr != -1)\n", target_brk);
+        DEBUGF_BRK(TARGET_ABI_FMT_lx " (mapped_addr != -1)\n", target_brk);
     }
     else {
-        DEBUGF_BRK("%#010x (otherwise)\n", target_brk);
+        DEBUGF_BRK(TARGET_ABI_FMT_lx " (otherwise)\n", target_brk);
     }
 
 #if defined(TARGET_ALPHA)
commit 6f79e06b35b26a1beda6f6dc4dd02588887597e9
Author: Luiz Capitulino <lcapitulino at redhat.com>
Date:   Thu Feb 9 11:29:42 2012 -0200

    virtio: Remove unneeded g_free() check in virtio_cleanup()
    
    Signed-off-by: Luiz Capitulino <lcapitulino at redhat.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/virtio.c b/hw/virtio.c
index 74cc038..064aecf 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -845,8 +845,7 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
 void virtio_cleanup(VirtIODevice *vdev)
 {
     qemu_del_vm_change_state_handler(vdev->vmstate);
-    if (vdev->config)
-        g_free(vdev->config);
+    g_free(vdev->config);
     g_free(vdev->vq);
     g_free(vdev);
 }
commit da8d605733c9b368230a716cc71c7915902387db
Author: Benjamin MARSILI <mlspirat42 at gmail.com>
Date:   Mon Jan 23 03:42:38 2012 +0900

    net: remove extra spaces in help messages
    
    Signed-off-by: Benjamin MARSILI <mlspirat42 at gmail.com>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/net/socket.c b/net/socket.c
index d4c2002..0bcf229 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -664,8 +664,8 @@ int net_init_socket(QemuOpts *opts,
             qemu_opt_get(opts, "connect") ||
             qemu_opt_get(opts, "listen") ||
             qemu_opt_get(opts, "mcast")) {
-            error_report("fd=, connect=, listen=\
-                         and mcast= is invalid with udp=");
+            error_report("fd=, connect=, listen="
+                         " and mcast= is invalid with udp=");
             return -1;
         }
 
@@ -680,8 +680,8 @@ int net_init_socket(QemuOpts *opts,
             return -1;
         }
     } else {
-        error_report("-socket requires fd=, listen=, \
-                     connect=, mcast= or udp=");
+        error_report("-socket requires fd=, listen=,"
+                     " connect=, mcast= or udp=");
         return -1;
     }
     return 0;
commit 31de83140d23ccc0e290bc0de609ba2b1aff674a
Author: Stefan Weil <sw at weilnetz.de>
Date:   Tue Feb 7 22:26:29 2012 +0100

    fmopl: Fix typo in function name
    
    Fix a typo in a local function name.
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/fmopl.c b/hw/fmopl.c
index 734d2f4..f0a0234 100644
--- a/hw/fmopl.c
+++ b/hw/fmopl.c
@@ -733,7 +733,7 @@ INLINE void CSMKeyControll(OPL_CH *CH)
 }
 
 /* ---------- opl initialize ---------- */
-static void OPL_initalize(FM_OPL *OPL)
+static void OPL_initialize(FM_OPL *OPL)
 {
 	int fn;
 
@@ -1239,7 +1239,7 @@ FM_OPL *OPLCreate(int type, int clock, int rate)
 	OPL->rate  = rate;
 	OPL->max_ch = max_ch;
 	/* init grobal tables */
-	OPL_initalize(OPL);
+	OPL_initialize(OPL);
 	/* reset chip */
 	OPLResetChip(OPL);
 #ifdef OPL_OUTPUT_LOG
commit 1b785a975830993fff988028d90f2b55b2ab41f0
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Tue Feb 7 20:57:27 2012 +0000

    vl.c: Fix typo in variable name
    
    Fix a typo in a local variable name.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Reviewed-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/vl.c b/vl.c
index 63dd725..c4b3aab 100644
--- a/vl.c
+++ b/vl.c
@@ -2030,7 +2030,7 @@ static int configure_accelerator(void)
     const char *p = NULL;
     char buf[10];
     int i, ret;
-    bool accel_initalised = 0;
+    bool accel_initialised = 0;
     bool init_failed = 0;
 
     QemuOptsList *list = qemu_find_opts("machine");
@@ -2043,7 +2043,7 @@ static int configure_accelerator(void)
         p = "tcg";
     }
 
-    while (!accel_initalised && *p != '\0') {
+    while (!accel_initialised && *p != '\0') {
         if (*p == ':') {
             p++;
         }
@@ -2064,7 +2064,7 @@ static int configure_accelerator(void)
                     }
                     *(accel_list[i].allowed) = 0;
                 } else {
-                    accel_initalised = 1;
+                    accel_initialised = 1;
                 }
                 break;
             }
@@ -2074,7 +2074,7 @@ static int configure_accelerator(void)
         }
     }
 
-    if (!accel_initalised) {
+    if (!accel_initialised) {
         fprintf(stderr, "No accelerator found!\n");
         exit(1);
     }
@@ -2083,7 +2083,7 @@ static int configure_accelerator(void)
         fprintf(stderr, "Back to %s accelerator.\n", accel_list[i].name);
     }
 
-    return !accel_initalised;
+    return !accel_initialised;
 }
 
 void qemu_add_exit_notifier(Notifier *notify)
commit cb67be85a612e8b9ab25edb68976c0fa203d12ba
Author: Hervé Poussineau <hpoussin at reactos.org>
Date:   Mon Feb 6 22:19:42 2012 +0100

    ide: fix compilation errors when DEBUG_IDE is set
    
    Signed-off-by: Hervé Poussineau <hpoussin at reactos.org>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/hw/ide/pci.c b/hw/ide/pci.c
index 246dd57..88c0942 100644
--- a/hw/ide/pci.c
+++ b/hw/ide/pci.c
@@ -336,7 +336,7 @@ static uint64_t bmdma_addr_read(void *opaque, target_phys_addr_t addr,
 
     data = (bm->addr >> (addr * 8)) & mask;
 #ifdef DEBUG_IDE
-    printf("%s: 0x%08x\n", __func__, (unsigned)*data);
+    printf("%s: 0x%08x\n", __func__, (unsigned)data);
 #endif
     return data;
 }
diff --git a/hw/ide/piix.c b/hw/ide/piix.c
index bf4465b..76cf209 100644
--- a/hw/ide/piix.c
+++ b/hw/ide/piix.c
@@ -53,7 +53,7 @@ static uint64_t bmdma_read(void *opaque, target_phys_addr_t addr, unsigned size)
         break;
     }
 #ifdef DEBUG_IDE
-    printf("bmdma: readb 0x%02x : 0x%02x\n", addr, val);
+    printf("bmdma: readb 0x%02x : 0x%02x\n", (uint8_t)addr, val);
 #endif
     return val;
 }
@@ -68,7 +68,7 @@ static void bmdma_write(void *opaque, target_phys_addr_t addr,
     }
 
 #ifdef DEBUG_IDE
-    printf("bmdma: writeb 0x%02x : 0x%02x\n", addr, val);
+    printf("bmdma: writeb 0x%02x : 0x%02x\n", (uint8_t)addr, (uint8_t)val);
 #endif
     switch(addr & 3) {
     case 0:
commit e965fc380703110e967febf8d5b2ecd7db53b5d2
Author: 陳韋任 <chenwj at iis.sinica.edu.tw>
Date:   Mon Feb 6 14:02:55 2012 +0800

    cpu-exec.c: Correct comment about this file and indentation cleanup
    
    Each target uses the #define macro (in target-xxx/cpu.h) to rename
    cpu_exec (cpu-exec.c) to cpu_xxx_exec, then defines its own cpu_loop
    which calls cpu_xxx_exec. So basically, cpu-exec.c is not only the i386
    emulator main execution loop. This patch corrects the comment of this
    file and does indentation cleanup.
    
    Signed-off-by: Chen Wei-Ren (陳韋任) <chenwj at iis.sinica.edu.tw>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/cpu-exec.c b/cpu-exec.c
index a9fa608..2c2d24e 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -1,5 +1,5 @@
 /*
- *  i386 emulator main execution loop
+ *  emulator main execution loop
  *
  *  Copyright (c) 2003-2005 Fabrice Bellard
  *
@@ -304,7 +304,7 @@ int cpu_exec(CPUState *env)
                             env->hflags2 |= HF2_NMI_MASK;
                             do_interrupt_x86_hardirq(env, EXCP02_NMI, 1);
                             next_tb = 0;
-			} else if (interrupt_request & CPU_INTERRUPT_MCE) {
+                        } else if (interrupt_request & CPU_INTERRUPT_MCE) {
                             env->interrupt_request &= ~CPU_INTERRUPT_MCE;
                             do_interrupt_x86_hardirq(env, EXCP12_MCHK, 0);
                             next_tb = 0;
@@ -390,7 +390,7 @@ int cpu_exec(CPUState *env)
                                 next_tb = 0;
                             }
                         }
-		    }
+                    }
 #elif defined(TARGET_ARM)
                     if (interrupt_request & CPU_INTERRUPT_FIQ
                         && !(env->uncached_cpsr & CPSR_F)) {
@@ -429,7 +429,7 @@ int cpu_exec(CPUState *env)
                     {
                         int idx = -1;
                         /* ??? This hard-codes the OSF/1 interrupt levels.  */
-		        switch (env->pal_mode ? 7 : env->ps & PS_INT_MASK) {
+                        switch (env->pal_mode ? 7 : env->ps & PS_INT_MASK) {
                         case 0 ... 3:
                             if (interrupt_request & CPU_INTERRUPT_HARD) {
                                 idx = EXCP_DEV_INTERRUPT;
@@ -562,7 +562,7 @@ int cpu_exec(CPUState *env)
                 barrier();
                 if (likely(!env->exit_request)) {
                     tc_ptr = tb->tc_ptr;
-                /* execute the generated code */
+                    /* execute the generated code */
                     next_tb = tcg_qemu_tb_exec(env, tc_ptr);
                     if ((next_tb & 3) == 2) {
                         /* Instruction counter expired.  */
commit e3c52bf2e59a1caa7a8f4d1eb069cc1406075d10
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Fri Jan 13 20:29:49 2012 +0000

    CODING_STYLE: Clarify style for enum and function type names
    
    Clarify that enum type names and function type names should follow
    the CamelCase style used for structured type names.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/CODING_STYLE b/CODING_STYLE
index 6e61c49..7c82d4d 100644
--- a/CODING_STYLE
+++ b/CODING_STYLE
@@ -44,7 +44,8 @@ Rationale:
 3. Naming
 
 Variables are lower_case_with_underscores; easy to type and read.  Structured
-type names are in CamelCase; harder to type but standing out.  Scalar type
+type names are in CamelCase; harder to type but standing out.  Enum type
+names and function type names should also be in CamelCase.  Scalar type
 names are lower_case_with_underscores_ending_with_a_t, like the POSIX
 uint64_t and family.  Note that this last convention contradicts POSIX
 and is therefore likely to be changed.
commit a6f79cc9a5efc34c5b751b2e866a4977259f3f63
Author: Ulrich Hecht <uli at suse.de>
Date:   Tue Jan 31 12:43:16 2012 +0100

    linux-user: fail execve() if env/args too big
    
    If the host's page size is equal to or smaller than the target's, native
    execve() will fail appropriately with E2BIG if called with too big an
    environment for the target to handle. It may falsely succeed, however, if
    the host's page size is bigger, and feed the executed target process an
    environment that is too big for it to handle, at which point QEMU barfs and
    exits, confusing procmail's autoconf script and causing the build to fail.
    
    This patch makes sure that execve() will return E2BIG if the environment is
    too large for the target.
    
    Signed-off-by: Ulrich Hecht <uli at suse.de>
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ee8899e..e868ec6 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4949,6 +4949,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             abi_ulong guest_envp;
             abi_ulong addr;
             char **q;
+            int total_size = 0;
 
             argc = 0;
             guest_argp = arg2;
@@ -4980,6 +4981,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                     break;
                 if (!(*q = lock_user_string(addr)))
                     goto execve_efault;
+                total_size += strlen(*q) + 1;
             }
             *q = NULL;
 
@@ -4991,9 +4993,16 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                     break;
                 if (!(*q = lock_user_string(addr)))
                     goto execve_efault;
+                total_size += strlen(*q) + 1;
             }
             *q = NULL;
 
+            /* This case will not be caught by the host's execve() if its
+               page size is bigger than the target's. */
+            if (total_size > MAX_ARG_PAGES * TARGET_PAGE_SIZE) {
+                ret = -TARGET_E2BIG;
+                goto execve_end;
+            }
             if (!(p = lock_user_string(arg1)))
                 goto execve_efault;
             ret = get_errno(execve(p, argp, envp));
commit 079d0b7f1eedcc634c371fe05b617fdc55c8b762
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 12 13:23:01 2012 +0100

    usb: Set USBEndpoint in usb_packet_setup().
    
    With the separation of the device lookup (via usb_find_device) and
    packet processing we can lookup device and endpoint before setting up
    the usb packet.  So we can initialize USBPacket->ep early and keep it
    valid for the whole lifecycle of the USBPacket.  Also the devaddr and
    devep fields are not needed any more.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-audio.c b/hw/usb-audio.c
index a4ea0b0..c60aaff 100644
--- a/hw/usb-audio.c
+++ b/hw/usb-audio.c
@@ -607,7 +607,7 @@ static int usb_audio_handle_data(USBDevice *dev, USBPacket *p)
 
     switch (p->pid) {
     case USB_TOKEN_OUT:
-        switch (p->devep) {
+        switch (p->ep->nr) {
         case 1:
             ret = usb_audio_handle_dataout(s, p);
             break;
@@ -624,7 +624,7 @@ fail:
     if (ret == USB_RET_STALL && s->debug) {
         fprintf(stderr, "usb-audio: failed data transaction: "
                         "pid 0x%x ep 0x%x len 0x%zx\n",
-                        p->pid, p->devep, p->iov.size);
+                        p->pid, p->ep->nr, p->iov.size);
     }
     return ret;
 }
diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index 58b247e..ea6a5a0 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -423,7 +423,7 @@ static int usb_bt_handle_data(USBDevice *dev, USBPacket *p)
 
     switch (p->pid) {
     case USB_TOKEN_IN:
-        switch (p->devep & 0xf) {
+        switch (p->ep->nr) {
         case USB_EVT_EP:
             ret = usb_bt_fifo_dequeue(&s->evt, p);
             break;
@@ -442,7 +442,7 @@ static int usb_bt_handle_data(USBDevice *dev, USBPacket *p)
         break;
 
     case USB_TOKEN_OUT:
-        switch (p->devep & 0xf) {
+        switch (p->ep->nr) {
         case USB_ACL_EP:
             usb_bt_fifo_out_enqueue(s, &s->outacl, s->hci->acl_send,
                             usb_bt_hci_acl_complete, p);
diff --git a/hw/usb-ccid.c b/hw/usb-ccid.c
index b3bcfeb..8c0c717 100644
--- a/hw/usb-ccid.c
+++ b/hw/usb-ccid.c
@@ -995,7 +995,7 @@ static int ccid_handle_data(USBDevice *dev, USBPacket *p)
         break;
 
     case USB_TOKEN_IN:
-        switch (p->devep & 0xf) {
+        switch (p->ep->nr) {
         case CCID_BULK_IN_EP:
             if (!p->iov.size) {
                 ret = USB_RET_NAK;
diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index f0213ad..6c01ca9 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -1357,6 +1357,7 @@ err:
 static int ehci_execute(EHCIQueue *q)
 {
     USBDevice *dev;
+    USBEndpoint *ep;
     int ret;
     int endp;
     int devadr;
@@ -1387,13 +1388,13 @@ static int ehci_execute(EHCIQueue *q)
     endp = get_field(q->qh.epchar, QH_EPCHAR_EP);
     devadr = get_field(q->qh.epchar, QH_EPCHAR_DEVADDR);
 
-    ret = USB_RET_NODEV;
+    /* TODO: associating device with ehci port */
+    dev = ehci_find_device(q->ehci, devadr);
+    ep = usb_ep_get(dev, q->pid, endp);
 
-    usb_packet_setup(&q->packet, q->pid, devadr, endp);
+    usb_packet_setup(&q->packet, q->pid, ep);
     usb_packet_map(&q->packet, &q->sgl);
 
-    // TO-DO: associating device with ehci port
-    dev = ehci_find_device(q->ehci, q->packet.devaddr);
     ret = usb_handle_packet(dev, &q->packet);
     DPRINTF("submit: qh %x next %x qtd %x pid %x len %zd "
             "(total %d) endp %x ret %d\n",
@@ -1415,6 +1416,7 @@ static int ehci_process_itd(EHCIState *ehci,
                             EHCIitd *itd)
 {
     USBDevice *dev;
+    USBEndpoint *ep;
     int ret;
     uint32_t i, len, pid, dir, devaddr, endp;
     uint32_t pg, off, ptr1, ptr2, max, mult;
@@ -1454,10 +1456,11 @@ static int ehci_process_itd(EHCIState *ehci,
 
             pid = dir ? USB_TOKEN_IN : USB_TOKEN_OUT;
 
-            usb_packet_setup(&ehci->ipacket, pid, devaddr, endp);
+            dev = ehci_find_device(ehci, devaddr);
+            ep = usb_ep_get(dev, pid, endp);
+            usb_packet_setup(&ehci->ipacket, pid, ep);
             usb_packet_map(&ehci->ipacket, &ehci->isgl);
 
-            dev = ehci_find_device(ehci, ehci->ipacket.devaddr);
             ret = usb_handle_packet(dev, &ehci->ipacket);
 
             usb_packet_unmap(&ehci->ipacket);
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index c648980..4d00c28 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -463,7 +463,7 @@ static int usb_hid_handle_data(USBDevice *dev, USBPacket *p)
 
     switch (p->pid) {
     case USB_TOKEN_IN:
-        if (p->devep == 1) {
+        if (p->ep->nr == 1) {
             int64_t curtime = qemu_get_clock_ns(vm_clock);
             if (!hid_has_events(hs) &&
                 (!hs->idle || hs->next_idle_clock - curtime > 0)) {
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 2256256..940e211 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -416,7 +416,7 @@ static int usb_hub_handle_data(USBDevice *dev, USBPacket *p)
 
     switch(p->pid) {
     case USB_TOKEN_IN:
-        if (p->devep == 1) {
+        if (p->ep->nr == 1) {
             USBHubPort *port;
             unsigned int status;
             uint8_t buf[4];
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index c34cad5..aac1181 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -341,7 +341,7 @@ static int usb_msd_handle_data(USBDevice *dev, USBPacket *p)
     uint32_t tag;
     int ret = 0;
     struct usb_msd_cbw cbw;
-    uint8_t devep = p->devep;
+    uint8_t devep = p->ep->nr;
 
     switch (p->pid) {
     case USB_TOKEN_OUT:
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index f4e52f1..820907a 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -606,6 +606,7 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
                 int epnum, int pid, int len, USBCallback cb, int dir)
 {
     USBDevice *dev;
+    USBEndpoint *uep;
     int ret;
     int idx = epnum && dir;
     int ttype;
@@ -623,13 +624,13 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
     ep->delayed_cb[dir] = cb;
 
     /* A wild guess on the FADDR semantics... */
-    usb_packet_setup(&ep->packey[dir].p, pid, ep->faddr[idx],
-                     ep->type[idx] & 0xf);
+    dev = usb_find_device(&s->port, ep->faddr[idx]);
+    uep = usb_ep_get(dev, pid, ep->type[idx] & 0xf);
+    usb_packet_setup(&ep->packey[dir].p, pid, uep);
     usb_packet_addbuf(&ep->packey[dir].p, ep->buf[idx], len);
     ep->packey[dir].ep = ep;
     ep->packey[dir].dir = dir;
 
-    dev = usb_find_device(&s->port, ep->packey[dir].p.devaddr);
     ret = usb_handle_packet(dev, &ep->packey[dir].p);
 
     if (ret == USB_RET_ASYNC) {
diff --git a/hw/usb-net.c b/hw/usb-net.c
index f00e854..72c9185 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1210,7 +1210,7 @@ static int usb_net_handle_data(USBDevice *dev, USBPacket *p)
 
     switch(p->pid) {
     case USB_TOKEN_IN:
-        switch (p->devep) {
+        switch (p->ep->nr) {
         case 1:
             ret = usb_net_handle_statusin(s, p);
             break;
@@ -1225,7 +1225,7 @@ static int usb_net_handle_data(USBDevice *dev, USBPacket *p)
         break;
 
     case USB_TOKEN_OUT:
-        switch (p->devep) {
+        switch (p->ep->nr) {
         case 2:
             ret = usb_net_handle_dataout(s, p);
             break;
@@ -1243,7 +1243,7 @@ static int usb_net_handle_data(USBDevice *dev, USBPacket *p)
     if (ret == USB_RET_STALL)
         fprintf(stderr, "usbnet: failed data transaction: "
                         "pid 0x%x ep 0x%x len 0x%zx\n",
-                        p->pid, p->devep, p->iov.size);
+                        p->pid, p->ep->nr, p->iov.size);
     return ret;
 }
 
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 8a8f3bc..ba7231f 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -657,6 +657,7 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
     int ret;
     int i;
     USBDevice *dev;
+    USBEndpoint *ep;
     struct ohci_iso_td iso_td;
     uint32_t addr;
     uint16_t starting_frame;
@@ -796,11 +797,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
     if (completion) {
         ret = ohci->usb_packet.result;
     } else {
-        usb_packet_setup(&ohci->usb_packet, pid,
-                         OHCI_BM(ed->flags, ED_FA),
-                         OHCI_BM(ed->flags, ED_EN));
+        dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
+        ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
+        usb_packet_setup(&ohci->usb_packet, pid, ep);
         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
-        dev = ohci_find_device(ohci, ohci->usb_packet.devaddr);
         ret = usb_handle_packet(dev, &ohci->usb_packet);
         if (ret == USB_RET_ASYNC) {
             return 1;
@@ -889,6 +889,7 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
     int ret;
     int i;
     USBDevice *dev;
+    USBEndpoint *ep;
     struct ohci_td td;
     uint32_t addr;
     int flag_r;
@@ -992,11 +993,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
 #endif
             return 1;
         }
-        usb_packet_setup(&ohci->usb_packet, pid,
-                         OHCI_BM(ed->flags, ED_FA),
-                         OHCI_BM(ed->flags, ED_EN));
+        dev = ohci_find_device(ohci, OHCI_BM(ed->flags, ED_FA));
+        ep = usb_ep_get(dev, pid, OHCI_BM(ed->flags, ED_EN));
+        usb_packet_setup(&ohci->usb_packet, pid, ep);
         usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
-        dev = ohci_find_device(ohci, ohci->usb_packet.devaddr);
         ret = usb_handle_packet(dev, &ohci->usb_packet);
 #ifdef DEBUG_PACKET
         DPRINTF("ret=%d\n", ret);
diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index cf83cf2..1cfb551 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -353,7 +353,7 @@ static int usb_serial_handle_data(USBDevice *dev, USBPacket *p)
 {
     USBSerialState *s = (USBSerialState *)dev;
     int i, ret = 0;
-    uint8_t devep = p->devep;
+    uint8_t devep = p->ep->nr;
     struct iovec *iov;
     uint8_t header[2];
     int first_len, len;
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index ef08145..ab64be6 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -761,6 +761,8 @@ static int uhci_handle_td(UHCIState *s, uint32_t addr, UHCI_TD *td, uint32_t *in
     int len = 0, max_len;
     uint8_t pid, isoc;
     uint32_t token;
+    USBDevice *dev;
+    USBEndpoint *ep;
 
     /* Is active ? */
     if (!(td->ctrl & TD_CTRL_ACTIVE))
@@ -805,23 +807,22 @@ static int uhci_handle_td(UHCIState *s, uint32_t addr, UHCI_TD *td, uint32_t *in
     max_len = ((td->token >> 21) + 1) & 0x7ff;
     pid = td->token & 0xff;
 
-    usb_packet_setup(&async->packet, pid, (td->token >> 8) & 0x7f,
-                     (td->token >> 15) & 0xf);
+    dev = uhci_find_device(s, (td->token >> 8) & 0x7f);
+    ep = usb_ep_get(dev, pid, (td->token >> 15) & 0xf);
+    usb_packet_setup(&async->packet, pid, ep);
     qemu_sglist_add(&async->sgl, td->buffer, max_len);
     usb_packet_map(&async->packet, &async->sgl);
 
     switch(pid) {
     case USB_TOKEN_OUT:
     case USB_TOKEN_SETUP:
-        len = usb_handle_packet(uhci_find_device(s, async->packet.devaddr),
-                                &async->packet);
+        len = usb_handle_packet(dev, &async->packet);
         if (len >= 0)
             len = max_len;
         break;
 
     case USB_TOKEN_IN:
-        len = usb_handle_packet(uhci_find_device(s, async->packet.devaddr),
-                                &async->packet);
+        len = usb_handle_packet(dev, &async->packet);
         break;
 
     default:
diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index 46b8010..73ff241 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -306,7 +306,7 @@ static int usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
 
     switch (p->pid) {
     case USB_TOKEN_IN:
-        if (p->devep == 1) {
+        if (p->ep->nr == 1) {
             if (!(s->changed || s->idle))
                 return USB_RET_NAK;
             s->changed = 0;
diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index aa236c9..b274b80 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -1336,15 +1336,17 @@ static int xhci_hle_control(XHCIState *xhci, XHCITransfer *xfer,
 }
 #endif
 
-static int xhci_setup_packet(XHCITransfer *xfer, XHCIPort *port, int ep)
+static int xhci_setup_packet(XHCITransfer *xfer, XHCIPort *port, USBDevice *dev)
 {
-    usb_packet_setup(&xfer->packet,
-                     xfer->in_xfer ? USB_TOKEN_IN : USB_TOKEN_OUT,
-                     xfer->xhci->slots[xfer->slotid-1].devaddr,
-                     ep & 0x7f);
+    USBEndpoint *ep;
+    int dir;
+
+    dir = xfer->in_xfer ? USB_TOKEN_IN : USB_TOKEN_OUT;
+    ep = usb_ep_get(dev, dir, xfer->epid >> 1);
+    usb_packet_setup(&xfer->packet, dir, ep);
     usb_packet_addbuf(&xfer->packet, xfer->data, xfer->data_length);
     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
-            xfer->packet.pid, xfer->packet.devaddr, xfer->packet.devep);
+            xfer->packet.pid, dev->addr, ep->nr);
     return 0;
 }
 
@@ -1462,7 +1464,7 @@ static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
     xfer->in_xfer = bmRequestType & USB_DIR_IN;
     xfer->iso_xfer = false;
 
-    xhci_setup_packet(xfer, port, 0);
+    xhci_setup_packet(xfer, port, dev);
     if (!xfer->in_xfer) {
         xhci_xfer_data(xfer, xfer->data, wLength, 0, 1, 0);
     }
@@ -1484,12 +1486,8 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
     int ret;
 
     DPRINTF("xhci_submit(slotid=%d,epid=%d)\n", xfer->slotid, xfer->epid);
-    uint8_t ep = xfer->epid>>1;
 
     xfer->in_xfer = epctx->type>>2;
-    if (xfer->in_xfer) {
-        ep |= 0x80;
-    }
 
     if (xfer->data && xfer->data_alloced < xfer->data_length) {
         xfer->data_alloced = 0;
@@ -1517,7 +1515,7 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
         return -1;
     }
 
-    xhci_setup_packet(xfer, port, ep);
+    xhci_setup_packet(xfer, port, dev);
 
     switch(epctx->type) {
     case ET_INTR_OUT:
@@ -1530,8 +1528,9 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
         FIXME();
         break;
     default:
-        fprintf(stderr, "xhci: unknown or unhandled EP type %d (ep %02x)\n",
-                epctx->type, ep);
+        fprintf(stderr, "xhci: unknown or unhandled EP "
+                "(type %d, in %d, ep %02x)\n",
+                epctx->type, xfer->in_xfer, xfer->epid);
         return -1;
     }
 
diff --git a/hw/usb.c b/hw/usb.c
index 8bd1222..240f24b 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -140,7 +140,7 @@ static int do_token_in(USBDevice *s, USBPacket *p)
     int request, value, index;
     int ret = 0;
 
-    assert(p->devep == 0);
+    assert(p->ep->nr == 0);
 
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
@@ -186,7 +186,7 @@ static int do_token_in(USBDevice *s, USBPacket *p)
 
 static int do_token_out(USBDevice *s, USBPacket *p)
 {
-    assert(p->devep == 0);
+    assert(p->ep->nr == 0);
 
     switch(s->setup_state) {
     case SETUP_STATE_ACK:
@@ -289,11 +289,11 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
     if (dev == NULL) {
         return USB_RET_NODEV;
     }
-    assert(dev->addr == p->devaddr);
+    assert(dev == p->ep->dev);
     assert(dev->state == USB_STATE_DEFAULT);
     assert(p->state == USB_PACKET_SETUP);
 
-    if (p->devep == 0) {
+    if (p->ep->nr == 0) {
         /* control pipe */
         switch (p->pid) {
         case USB_TOKEN_SETUP:
@@ -315,7 +315,6 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
     }
 
     if (ret == USB_RET_ASYNC) {
-        p->ep = usb_ep_get(dev, p->pid, p->devep);
         p->state = USB_PACKET_ASYNC;
     }
     return ret;
@@ -347,13 +346,12 @@ void usb_packet_init(USBPacket *p)
     qemu_iovec_init(&p->iov, 1);
 }
 
-void usb_packet_setup(USBPacket *p, int pid, uint8_t addr, uint8_t ep)
+void usb_packet_setup(USBPacket *p, int pid, USBEndpoint *ep)
 {
     assert(!usb_packet_is_inflight(p));
     p->state = USB_PACKET_SETUP;
     p->pid = pid;
-    p->devaddr = addr;
-    p->devep = ep;
+    p->ep = ep;
     p->result = 0;
     qemu_iovec_reset(&p->iov);
 }
@@ -464,7 +462,12 @@ void usb_ep_dump(USBDevice *dev)
 
 struct USBEndpoint *usb_ep_get(USBDevice *dev, int pid, int ep)
 {
-    struct USBEndpoint *eps = pid == USB_TOKEN_IN ? dev->ep_in : dev->ep_out;
+    struct USBEndpoint *eps;
+
+    if (dev == NULL) {
+        return NULL;
+    }
+    eps = (pid == USB_TOKEN_IN) ? dev->ep_in : dev->ep_out;
     if (ep == 0) {
         return &dev->ep_ctl;
     }
diff --git a/hw/usb.h b/hw/usb.h
index 1e629af..a80fe8f 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -321,8 +321,6 @@ typedef enum USBPacketState {
 struct USBPacket {
     /* Data fields for use by the driver.  */
     int pid;
-    uint8_t devaddr;
-    uint8_t devep;
     USBEndpoint *ep;
     QEMUIOVector iov;
     int result; /* transfer length or USB_RET_* status code */
@@ -331,7 +329,7 @@ struct USBPacket {
 };
 
 void usb_packet_init(USBPacket *p);
-void usb_packet_setup(USBPacket *p, int pid, uint8_t addr, uint8_t ep);
+void usb_packet_setup(USBPacket *p, int pid, USBEndpoint *ep);
 void usb_packet_addbuf(USBPacket *p, void *ptr, size_t len);
 int usb_packet_map(USBPacket *p, QEMUSGList *sgl);
 void usb_packet_unmap(USBPacket *p);
diff --git a/usb-bsd.c b/usb-bsd.c
index ca9a1bd..e4c01d3 100644
--- a/usb-bsd.c
+++ b/usb-bsd.c
@@ -214,7 +214,7 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
     int ret, fd, mode;
     int one = 1, shortpacket = 0, timeout = 50;
     sigset_t new_mask, old_mask;
-    uint8_t devep = p->devep;
+    uint8_t devep = p->ep->nr;
 
     /* protect data transfers from SIGALRM signal */
     sigemptyset(&new_mask);
diff --git a/usb-linux.c b/usb-linux.c
index afb13c4..cf074ec 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -137,7 +137,7 @@ static int usb_host_usbfs_type(USBHostDevice *s, USBPacket *p)
         [USB_ENDPOINT_XFER_BULK]    = USBDEVFS_URB_TYPE_BULK,
         [USB_ENDPOINT_XFER_INT]     = USBDEVFS_URB_TYPE_INTERRUPT,
     };
-    uint8_t type = usb_ep_get_type(&s->dev, p->pid, p->devep);
+    uint8_t type = p->ep->type;
     assert(type < ARRAY_SIZE(usbfs));
     return usbfs[type];
 }
@@ -360,7 +360,7 @@ static void async_complete(void *opaque)
                 break;
 
             case -EPIPE:
-                set_halt(s, p->pid, p->devep);
+                set_halt(s, p->pid, p->ep->nr);
                 p->result = USB_RET_STALL;
                 break;
 
@@ -733,16 +733,16 @@ static int usb_host_handle_iso_data(USBHostDevice *s, USBPacket *p, int in)
     int i, j, ret, max_packet_size, offset, len = 0;
     uint8_t *buf;
 
-    max_packet_size = usb_ep_get_max_packet_size(&s->dev, p->pid, p->devep);
+    max_packet_size = p->ep->max_packet_size;
     if (max_packet_size == 0)
         return USB_RET_NAK;
 
-    aurb = get_iso_urb(s, p->pid, p->devep);
+    aurb = get_iso_urb(s, p->pid, p->ep->nr);
     if (!aurb) {
-        aurb = usb_host_alloc_iso(s, p->pid, p->devep);
+        aurb = usb_host_alloc_iso(s, p->pid, p->ep->nr);
     }
 
-    i = get_iso_urb_idx(s, p->pid, p->devep);
+    i = get_iso_urb_idx(s, p->pid, p->ep->nr);
     j = aurb[i].iso_frame_idx;
     if (j >= 0 && j < ISO_FRAME_DESC_PER_URB) {
         if (in) {
@@ -769,7 +769,7 @@ static int usb_host_handle_iso_data(USBHostDevice *s, USBPacket *p, int in)
             }
         } else {
             len = p->iov.size;
-            offset = (j == 0) ? 0 : get_iso_buffer_used(s, p->pid, p->devep);
+            offset = (j == 0) ? 0 : get_iso_buffer_used(s, p->pid, p->ep->nr);
 
             /* Check the frame fits */
             if (len > max_packet_size) {
@@ -781,27 +781,27 @@ static int usb_host_handle_iso_data(USBHostDevice *s, USBPacket *p, int in)
             usb_packet_copy(p, aurb[i].urb.buffer + offset, len);
             aurb[i].urb.iso_frame_desc[j].length = len;
             offset += len;
-            set_iso_buffer_used(s, p->pid, p->devep, offset);
+            set_iso_buffer_used(s, p->pid, p->ep->nr, offset);
 
             /* Start the stream once we have buffered enough data */
-            if (!is_iso_started(s, p->pid, p->devep) && i == 1 && j == 8) {
-                set_iso_started(s, p->pid, p->devep);
+            if (!is_iso_started(s, p->pid, p->ep->nr) && i == 1 && j == 8) {
+                set_iso_started(s, p->pid, p->ep->nr);
             }
         }
         aurb[i].iso_frame_idx++;
         if (aurb[i].iso_frame_idx == ISO_FRAME_DESC_PER_URB) {
             i = (i + 1) % s->iso_urb_count;
-            set_iso_urb_idx(s, p->pid, p->devep, i);
+            set_iso_urb_idx(s, p->pid, p->ep->nr, i);
         }
     } else {
         if (in) {
-            set_iso_started(s, p->pid, p->devep);
+            set_iso_started(s, p->pid, p->ep->nr);
         } else {
             DPRINTF("hubs: iso out error no free buffer, dropping packet\n");
         }
     }
 
-    if (is_iso_started(s, p->pid, p->devep)) {
+    if (is_iso_started(s, p->pid, p->ep->nr)) {
         /* (Re)-submit all fully consumed / filled urbs */
         for (i = 0; i < s->iso_urb_count; i++) {
             if (aurb[i].iso_frame_idx == ISO_FRAME_DESC_PER_URB) {
@@ -821,7 +821,7 @@ static int usb_host_handle_iso_data(USBHostDevice *s, USBPacket *p, int in)
                     break;
                 }
                 aurb[i].iso_frame_idx = -1;
-                change_iso_inflight(s, p->pid, p->devep, 1);
+                change_iso_inflight(s, p->pid, p->ep->nr, 1);
             }
         }
     }
@@ -840,20 +840,20 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
 
     trace_usb_host_req_data(s->bus_num, s->addr,
                             p->pid == USB_TOKEN_IN,
-                            p->devep, p->iov.size);
+                            p->ep->nr, p->iov.size);
 
-    if (!is_valid(s, p->pid, p->devep)) {
+    if (!is_valid(s, p->pid, p->ep->nr)) {
         trace_usb_host_req_complete(s->bus_num, s->addr, USB_RET_NAK);
         return USB_RET_NAK;
     }
 
     if (p->pid == USB_TOKEN_IN) {
-        ep = p->devep | 0x80;
+        ep = p->ep->nr | 0x80;
     } else {
-        ep = p->devep;
+        ep = p->ep->nr;
     }
 
-    if (is_halted(s, p->pid, p->devep)) {
+    if (is_halted(s, p->pid, p->ep->nr)) {
         unsigned int arg = ep;
         ret = ioctl(s->fd, USBDEVFS_CLEAR_HALT, &arg);
         if (ret < 0) {
@@ -861,10 +861,10 @@ static int usb_host_handle_data(USBDevice *dev, USBPacket *p)
             trace_usb_host_req_complete(s->bus_num, s->addr, USB_RET_NAK);
             return USB_RET_NAK;
         }
-        clear_halt(s, p->pid, p->devep);
+        clear_halt(s, p->pid, p->ep->nr);
     }
 
-    if (is_isoc(s, p->pid, p->devep)) {
+    if (is_isoc(s, p->pid, p->ep->nr)) {
         return usb_host_handle_iso_data(s, p, p->pid == USB_TOKEN_IN);
     }
 
@@ -1057,7 +1057,7 @@ static int usb_host_handle_control(USBDevice *dev, USBPacket *p,
     urb = &aurb->urb;
 
     urb->type     = USBDEVFS_URB_TYPE_CONTROL;
-    urb->endpoint = p->devep;
+    urb->endpoint = p->ep->nr;
 
     urb->buffer        = &dev->setup_buf;
     urb->buffer_length = length + 8;
diff --git a/usb-redir.c b/usb-redir.c
index d2769a8..15e2b12 100644
--- a/usb-redir.c
+++ b/usb-redir.c
@@ -610,7 +610,7 @@ static int usbredir_handle_data(USBDevice *udev, USBPacket *p)
     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
     uint8_t ep;
 
-    ep = p->devep;
+    ep = p->ep->nr;
     if (p->pid == USB_TOKEN_IN) {
         ep |= USB_DIR_IN;
     }
commit 63095ab54c1ce554b1fc825fc678394ccb129e5b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 12 13:24:22 2012 +0100

    usb: add USBEndpoint->{nr,pid}
    
    Add a "nr" and "pid" fields to USBEndpoint so you can easily figure the
    endpoint number and direction of any given endpoint.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index 8584db0..8bd1222 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -402,10 +402,15 @@ void usb_ep_init(USBDevice *dev)
 {
     int ep;
 
+    dev->ep_ctl.nr = 0;
     dev->ep_ctl.type = USB_ENDPOINT_XFER_CONTROL;
     dev->ep_ctl.ifnum = 0;
     dev->ep_ctl.dev = dev;
     for (ep = 0; ep < USB_MAX_ENDPOINTS; ep++) {
+        dev->ep_in[ep].nr = ep + 1;
+        dev->ep_out[ep].nr = ep + 1;
+        dev->ep_in[ep].pid = USB_TOKEN_IN;
+        dev->ep_out[ep].pid = USB_TOKEN_OUT;
         dev->ep_in[ep].type = USB_ENDPOINT_XFER_INVALID;
         dev->ep_out[ep].type = USB_ENDPOINT_XFER_INVALID;
         dev->ep_in[ep].ifnum = 0;
diff --git a/hw/usb.h b/hw/usb.h
index 4e878d3..1e629af 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -171,6 +171,8 @@ struct USBDescString {
 #define USB_MAX_INTERFACES 16
 
 struct USBEndpoint {
+    uint8_t nr;
+    uint8_t pid;
     uint8_t type;
     uint8_t ifnum;
     int max_packet_size;
commit f53c398aa603cea135ee58fd15249aeff7b9c7ea
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 12 12:51:48 2012 +0100

    usb: USBPacket: add status, rename owner -> ep
    
    Add enum to track the status of USBPackets, use that instead of the
    owner pointer to figure whenever a usb packet is currently in flight
    or not.  Add some more packet status sanity checks.  Also rename the
    USBEndpoint pointer from "owner" to "ep".
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index 8f7b3c4..f0213ad 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -715,8 +715,8 @@ static void ehci_queues_rip_device(EHCIState *ehci, USBDevice *dev)
     EHCIQueue *q, *tmp;
 
     QTAILQ_FOREACH_SAFE(q, &ehci->queues, next, tmp) {
-        if (q->packet.owner == NULL ||
-            q->packet.owner->dev != dev) {
+        if (!usb_packet_is_inflight(&q->packet) ||
+            q->packet.ep->dev != dev) {
             continue;
         }
         ehci_free_queue(q);
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index ecac631..f4e52f1 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -811,8 +811,8 @@ static void musb_async_cancel_device(MUSBState *s, USBDevice *dev)
 
     for (ep = 0; ep < 16; ep++) {
         for (dir = 0; dir < 2; dir++) {
-            if (s->ep[ep].packey[dir].p.owner == NULL ||
-                s->ep[ep].packey[dir].p.owner->dev != dev) {
+            if (!usb_packet_is_inflight(&s->ep[ep].packey[dir].p) ||
+                s->ep[ep].packey[dir].p.ep->dev != dev) {
                 continue;
             }
             usb_cancel_packet(&s->ep[ep].packey[dir].p);
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index ba854c7..8a8f3bc 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1709,8 +1709,8 @@ static void ohci_mem_write(void *opaque,
 static void ohci_async_cancel_device(OHCIState *ohci, USBDevice *dev)
 {
     if (ohci->async_td &&
-        ohci->usb_packet.owner != NULL &&
-        ohci->usb_packet.owner->dev == dev) {
+        usb_packet_is_inflight(&ohci->usb_packet) &&
+        ohci->usb_packet.ep->dev == dev) {
         usb_cancel_packet(&ohci->usb_packet);
         ohci->async_td = 0;
     }
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index a1f597a..ef08145 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -236,8 +236,8 @@ static void uhci_async_cancel_device(UHCIState *s, USBDevice *dev)
     UHCIAsync *curr, *n;
 
     QTAILQ_FOREACH_SAFE(curr, &s->async_pending, next, n) {
-        if (curr->packet.owner == NULL ||
-            curr->packet.owner->dev != dev) {
+        if (!usb_packet_is_inflight(&curr->packet) ||
+            curr->packet.ep->dev != dev) {
             continue;
         }
         uhci_async_unlink(s, curr);
diff --git a/hw/usb.c b/hw/usb.c
index 91107f9..8584db0 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -291,7 +291,7 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
     }
     assert(dev->addr == p->devaddr);
     assert(dev->state == USB_STATE_DEFAULT);
-    assert(p->owner == NULL);
+    assert(p->state == USB_PACKET_SETUP);
 
     if (p->devep == 0) {
         /* control pipe */
@@ -315,7 +315,8 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
     }
 
     if (ret == USB_RET_ASYNC) {
-        p->owner = usb_ep_get(dev, p->pid, p->devep);
+        p->ep = usb_ep_get(dev, p->pid, p->devep);
+        p->state = USB_PACKET_ASYNC;
     }
     return ret;
 }
@@ -325,8 +326,8 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
    handle_packet. */
 void usb_packet_complete(USBDevice *dev, USBPacket *p)
 {
-    assert(p->owner != NULL);
-    p->owner = NULL;
+    assert(p->state == USB_PACKET_ASYNC);
+    p->state = USB_PACKET_COMPLETE;
     dev->port->ops->complete(dev->port, p);
 }
 
@@ -335,9 +336,9 @@ void usb_packet_complete(USBDevice *dev, USBPacket *p)
    completed.  */
 void usb_cancel_packet(USBPacket * p)
 {
-    assert(p->owner != NULL);
-    usb_device_cancel_packet(p->owner->dev, p);
-    p->owner = NULL;
+    assert(p->state == USB_PACKET_ASYNC);
+    p->state = USB_PACKET_CANCELED;
+    usb_device_cancel_packet(p->ep->dev, p);
 }
 
 
@@ -348,6 +349,8 @@ void usb_packet_init(USBPacket *p)
 
 void usb_packet_setup(USBPacket *p, int pid, uint8_t addr, uint8_t ep)
 {
+    assert(!usb_packet_is_inflight(p));
+    p->state = USB_PACKET_SETUP;
     p->pid = pid;
     p->devaddr = addr;
     p->devep = ep;
@@ -391,6 +394,7 @@ void usb_packet_skip(USBPacket *p, size_t bytes)
 
 void usb_packet_cleanup(USBPacket *p)
 {
+    assert(!usb_packet_is_inflight(p));
     qemu_iovec_destroy(&p->iov);
 }
 
diff --git a/hw/usb.h b/hw/usb.h
index 294c33d..4e878d3 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -289,8 +289,7 @@ typedef struct USBPortOps {
     void (*wakeup)(USBPort *port);
     /*
      * Note that port->dev will be different then the device from which
-     * the packet originated when a hub is involved, if you want the orginating
-     * device use p->owner
+     * the packet originated when a hub is involved.
      */
     void (*complete)(USBPort *port, USBPacket *p);
 } USBPortOps;
@@ -309,15 +308,24 @@ struct USBPort {
 typedef void USBCallback(USBPacket * packet, void *opaque);
 
 /* Structure used to hold information about an active USB packet.  */
+typedef enum USBPacketState {
+    USB_PACKET_UNDEFINED = 0,
+    USB_PACKET_SETUP,
+    USB_PACKET_ASYNC,
+    USB_PACKET_COMPLETE,
+    USB_PACKET_CANCELED,
+} USBPacketState;
+
 struct USBPacket {
     /* Data fields for use by the driver.  */
     int pid;
     uint8_t devaddr;
     uint8_t devep;
+    USBEndpoint *ep;
     QEMUIOVector iov;
     int result; /* transfer length or USB_RET_* status code */
     /* Internal use by the USB layer.  */
-    USBEndpoint *owner;
+    USBPacketState state;
 };
 
 void usb_packet_init(USBPacket *p);
@@ -329,6 +337,11 @@ void usb_packet_copy(USBPacket *p, void *ptr, size_t bytes);
 void usb_packet_skip(USBPacket *p, size_t bytes);
 void usb_packet_cleanup(USBPacket *p);
 
+static inline bool usb_packet_is_inflight(USBPacket *p)
+{
+    return p->state == USB_PACKET_ASYNC;
+}
+
 USBDevice *usb_find_device(USBPort *port, uint8_t addr);
 
 int usb_handle_packet(USBDevice *dev, USBPacket *p);
commit 1977f93dacf60466cd23b562ae498446b77d3b48
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Jan 11 12:14:02 2012 +0100

    usb: fold usb_generic_handle_packet into usb_handle_packet
    
    There is no reason to have a separate usb_generic_handle_packet function
    any more, fold it into usb_handle_packet().  Also call the do_token_*
    functions which handle control transfer emulation for control pipe
    packets only.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index 638a339..91107f9 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -140,8 +140,7 @@ static int do_token_in(USBDevice *s, USBPacket *p)
     int request, value, index;
     int ret = 0;
 
-    if (p->devep != 0)
-        return usb_device_handle_data(s, p);
+    assert(p->devep == 0);
 
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
@@ -187,8 +186,7 @@ static int do_token_in(USBDevice *s, USBPacket *p)
 
 static int do_token_out(USBDevice *s, USBPacket *p)
 {
-    if (p->devep != 0)
-        return usb_device_handle_data(s, p);
+    assert(p->devep == 0);
 
     switch(s->setup_state) {
     case SETUP_STATE_ACK:
@@ -221,33 +219,6 @@ static int do_token_out(USBDevice *s, USBPacket *p)
     }
 }
 
-/*
- * Generic packet handler.
- * Called by the HC (host controller).
- *
- * Returns length of the transaction or one of the USB_RET_XXX codes.
- */
-static int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
-{
-    /* Rest of the PIDs must match our address */
-    if (s->state < USB_STATE_DEFAULT || p->devaddr != s->addr)
-        return USB_RET_NODEV;
-
-    switch (p->pid) {
-    case USB_TOKEN_SETUP:
-        return do_token_setup(s, p);
-
-    case USB_TOKEN_IN:
-        return do_token_in(s, p);
-
-    case USB_TOKEN_OUT:
-        return do_token_out(s, p);
- 
-    default:
-        return USB_RET_STALL;
-    }
-}
-
 /* ctrl complete function for devices which use usb_generic_handle_packet and
    may return USB_RET_ASYNC from their handle_control callback. Device code
    which does this *must* call this function instead of the normal
@@ -319,9 +290,30 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
         return USB_RET_NODEV;
     }
     assert(dev->addr == p->devaddr);
-
+    assert(dev->state == USB_STATE_DEFAULT);
     assert(p->owner == NULL);
-    ret = usb_generic_handle_packet(dev, p);
+
+    if (p->devep == 0) {
+        /* control pipe */
+        switch (p->pid) {
+        case USB_TOKEN_SETUP:
+            ret = do_token_setup(dev, p);
+            break;
+        case USB_TOKEN_IN:
+            ret = do_token_in(dev, p);
+            break;
+        case USB_TOKEN_OUT:
+            ret = do_token_out(dev, p);
+            break;
+        default:
+            ret = USB_RET_STALL;
+            break;
+        }
+    } else {
+        /* data pipe */
+        ret = usb_device_handle_data(dev, p);
+    }
+
     if (ret == USB_RET_ASYNC) {
         p->owner = usb_ep_get(dev, p->pid, p->devep);
     }
commit 7f74a56b1416a759c1da0a280e99242662f350c5
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Jan 11 11:16:20 2012 +0100

    usb: kill handle_packet callback
    
    All drivers except usb-hub use usb_generic_handle_packet.  The only
    reason the usb hub has its own function is that it used to be called
    with packets which are intended for downstream devices.  With the new,
    separate device lookup step this doesn't happen any more, so the need
    for a different handle_packet callback is gone.
    
    So we can kill the handle_packet callback and just call
    usb_generic_handle_packet directly.  The special hub handling in
    usb_handle_packet() can go away for the same reason.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-audio.c b/hw/usb-audio.c
index cd589b7..a4ea0b0 100644
--- a/hw/usb-audio.c
+++ b/hw/usb-audio.c
@@ -691,7 +691,6 @@ static void usb_audio_class_init(ObjectClass *klass, void *data)
     k->product_desc   = "QEMU USB Audio Interface";
     k->usb_desc       = &desc_audio;
     k->init           = usb_audio_initfn;
-    k->handle_packet  = usb_generic_handle_packet;
     k->handle_reset   = usb_audio_handle_reset;
     k->handle_control = usb_audio_handle_control;
     k->handle_data    = usb_audio_handle_data;
diff --git a/hw/usb-bt.c b/hw/usb-bt.c
index 90c3b0e..58b247e 100644
--- a/hw/usb-bt.c
+++ b/hw/usb-bt.c
@@ -535,7 +535,6 @@ static void usb_bt_class_initfn(ObjectClass *klass, void *data)
     uc->init           = usb_bt_initfn;
     uc->product_desc   = "QEMU BT dongle";
     uc->usb_desc       = &desc_bluetooth;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_bt_handle_reset;
     uc->handle_control = usb_bt_handle_control;
     uc->handle_data    = usb_bt_handle_data;
diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 5c05ed5..e907d0d 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -91,15 +91,6 @@ static void usb_device_handle_destroy(USBDevice *dev)
     }
 }
 
-int usb_device_handle_packet(USBDevice *dev, USBPacket *p)
-{
-    USBDeviceClass *klass = USB_DEVICE_GET_CLASS(dev);
-    if (klass->handle_packet) {
-        return klass->handle_packet(dev, p);
-    }
-    return -ENOSYS;
-}
-
 void usb_device_cancel_packet(USBDevice *dev, USBPacket *p)
 {
     USBDeviceClass *klass = USB_DEVICE_GET_CLASS(dev);
diff --git a/hw/usb-ccid.c b/hw/usb-ccid.c
index 881da30..b3bcfeb 100644
--- a/hw/usb-ccid.c
+++ b/hw/usb-ccid.c
@@ -1320,7 +1320,6 @@ static void ccid_class_initfn(ObjectClass *klass, void *data)
     uc->init           = ccid_initfn;
     uc->product_desc   = "QEMU USB CCID";
     uc->usb_desc       = &desc_ccid;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = ccid_handle_reset;
     uc->handle_control = ccid_handle_control;
     uc->handle_data    = ccid_handle_data;
diff --git a/hw/usb-hid.c b/hw/usb-hid.c
index 3c4e45d..c648980 100644
--- a/hw/usb-hid.c
+++ b/hw/usb-hid.c
@@ -557,7 +557,6 @@ static void usb_hid_class_initfn(ObjectClass *klass, void *data)
 {
     USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
 
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_hid_handle_reset;
     uc->handle_control = usb_hid_handle_control;
     uc->handle_data    = usb_hid_handle_data;
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index bd7641c..2256256 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -455,44 +455,6 @@ static int usb_hub_handle_data(USBDevice *dev, USBPacket *p)
     return ret;
 }
 
-static int usb_hub_broadcast_packet(USBHubState *s, USBPacket *p)
-{
-    USBHubPort *port;
-    USBDevice *dev;
-    int i, ret;
-
-    for(i = 0; i < NUM_PORTS; i++) {
-        port = &s->ports[i];
-        dev = port->port.dev;
-        if (dev && dev->attached && (port->wPortStatus & PORT_STAT_ENABLE)) {
-            ret = usb_handle_packet(dev, p);
-            if (ret != USB_RET_NODEV) {
-                return ret;
-            }
-        }
-    }
-    return USB_RET_NODEV;
-}
-
-static int usb_hub_handle_packet(USBDevice *dev, USBPacket *p)
-{
-    USBHubState *s = (USBHubState *)dev;
-
-#if defined(DEBUG) && 0
-    printf("usb_hub: pid=0x%x\n", pid);
-#endif
-    if (dev->state == USB_STATE_DEFAULT &&
-        dev->addr != 0 &&
-        p->devaddr != dev->addr &&
-        (p->pid == USB_TOKEN_SETUP ||
-         p->pid == USB_TOKEN_OUT ||
-         p->pid == USB_TOKEN_IN)) {
-        /* broadcast the packet to the devices */
-        return usb_hub_broadcast_packet(s, p);
-    }
-    return usb_generic_handle_packet(dev, p);
-}
-
 static void usb_hub_handle_destroy(USBDevice *dev)
 {
     USBHubState *s = (USBHubState *)dev;
@@ -562,7 +524,6 @@ static void usb_hub_class_initfn(ObjectClass *klass, void *data)
     uc->product_desc   = "QEMU USB Hub";
     uc->usb_desc       = &desc_hub;
     uc->find_device    = usb_hub_find_device;
-    uc->handle_packet  = usb_hub_handle_packet;
     uc->handle_reset   = usb_hub_handle_reset;
     uc->handle_control = usb_hub_handle_control;
     uc->handle_data    = usb_hub_handle_data;
diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 6153376..c34cad5 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -651,7 +651,6 @@ static void usb_msd_class_initfn(ObjectClass *klass, void *data)
     uc->init           = usb_msd_initfn;
     uc->product_desc   = "QEMU USB MSD";
     uc->usb_desc       = &desc;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->cancel_packet  = usb_msd_cancel_io;
     uc->handle_attach  = usb_desc_attach;
     uc->handle_reset   = usb_msd_handle_reset;
diff --git a/hw/usb-net.c b/hw/usb-net.c
index e211141..f00e854 100644
--- a/hw/usb-net.c
+++ b/hw/usb-net.c
@@ -1398,7 +1398,6 @@ static void usb_net_class_initfn(ObjectClass *klass, void *data)
     uc->init           = usb_net_initfn;
     uc->product_desc   = "QEMU USB Network Interface";
     uc->usb_desc       = &desc_net;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_net_handle_reset;
     uc->handle_control = usb_net_handle_control;
     uc->handle_data    = usb_net_handle_data;
diff --git a/hw/usb-serial.c b/hw/usb-serial.c
index c2cb6d2..cf83cf2 100644
--- a/hw/usb-serial.c
+++ b/hw/usb-serial.c
@@ -583,7 +583,6 @@ static void usb_serial_class_initfn(ObjectClass *klass, void *data)
     uc->init = usb_serial_initfn;
     uc->product_desc   = "QEMU USB Serial";
     uc->usb_desc       = &desc_serial;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_serial_handle_reset;
     uc->handle_control = usb_serial_handle_control;
     uc->handle_data    = usb_serial_handle_data;
@@ -612,7 +611,6 @@ static void usb_braille_class_initfn(ObjectClass *klass, void *data)
     uc->init           = usb_serial_initfn;
     uc->product_desc   = "QEMU USB Braille";
     uc->usb_desc       = &desc_braille;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_serial_handle_reset;
     uc->handle_control = usb_serial_handle_control;
     uc->handle_data    = usb_serial_handle_data;
diff --git a/hw/usb-wacom.c b/hw/usb-wacom.c
index 14de14d..46b8010 100644
--- a/hw/usb-wacom.c
+++ b/hw/usb-wacom.c
@@ -357,7 +357,6 @@ static void usb_wacom_class_init(ObjectClass *klass, void *data)
     uc->product_desc   = "QEMU PenPartner Tablet";
     uc->usb_desc       = &desc_wacom;
     uc->init           = usb_wacom_initfn;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_wacom_handle_reset;
     uc->handle_control = usb_wacom_handle_control;
     uc->handle_data    = usb_wacom_handle_data;
diff --git a/hw/usb.c b/hw/usb.c
index 9976f81..638a339 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -227,7 +227,7 @@ static int do_token_out(USBDevice *s, USBPacket *p)
  *
  * Returns length of the transaction or one of the USB_RET_XXX codes.
  */
-int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
+static int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
 {
     /* Rest of the PIDs must match our address */
     if (s->state < USB_STATE_DEFAULT || p->devaddr != s->addr)
@@ -318,18 +318,12 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
     if (dev == NULL) {
         return USB_RET_NODEV;
     }
+    assert(dev->addr == p->devaddr);
 
     assert(p->owner == NULL);
-    ret = usb_device_handle_packet(dev, p);
+    ret = usb_generic_handle_packet(dev, p);
     if (ret == USB_RET_ASYNC) {
-        if (p->owner == NULL) {
-            p->owner = usb_ep_get(dev, p->pid, p->devep);
-        } else {
-            /* We'll end up here when usb_handle_packet is called
-             * recursively due to a hub being in the chain.  Nothing
-             * to do.  Leave p->owner pointing to the device, not the
-             * hub. */;
-        }
+        p->owner = usb_ep_get(dev, p->pid, p->devep);
     }
     return ret;
 }
@@ -339,7 +333,6 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
    handle_packet. */
 void usb_packet_complete(USBDevice *dev, USBPacket *p)
 {
-    /* Note: p->owner != dev is possible in case dev is a hub */
     assert(p->owner != NULL);
     p->owner = NULL;
     dev->port->ops->complete(dev->port, p);
diff --git a/hw/usb.h b/hw/usb.h
index 1beb4b3..294c33d 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -235,15 +235,6 @@ typedef struct USBDeviceClass {
     USBDevice *(*find_device)(USBDevice *dev, uint8_t addr);
 
     /*
-     * Process USB packet.
-     * Called by the HC (Host Controller).
-     *
-     * Returns length of the transaction
-     * or one of the USB_RET_XXX codes.
-     */
-    int (*handle_packet)(USBDevice *dev, USBPacket *p);
-
-    /*
      * Called when a packet is canceled.
      */
     void (*cancel_packet)(USBDevice *dev, USBPacket *p);
@@ -360,7 +351,6 @@ void usb_detach(USBPort *port);
 void usb_port_reset(USBPort *port);
 void usb_device_reset(USBDevice *dev);
 void usb_wakeup(USBDevice *dev);
-int usb_generic_handle_packet(USBDevice *s, USBPacket *p);
 void usb_generic_async_ctrl_complete(USBDevice *s, USBPacket *p);
 int set_usb_string(uint8_t *buf, const char *str);
 
@@ -456,8 +446,6 @@ extern const VMStateDescription vmstate_usb_device;
 
 USBDevice *usb_device_find_device(USBDevice *dev, uint8_t addr);
 
-int usb_device_handle_packet(USBDevice *dev, USBPacket *p);
-
 void usb_device_cancel_packet(USBDevice *dev, USBPacket *p);
 
 void usb_device_handle_attach(USBDevice *dev);
diff --git a/usb-bsd.c b/usb-bsd.c
index fc722b3..ca9a1bd 100644
--- a/usb-bsd.c
+++ b/usb-bsd.c
@@ -403,7 +403,6 @@ static void usb_host_class_initfn(ObjectClass *klass, void *data)
 
     uc->product_desc   = "USB Host Device";
     uc->init           = usb_host_initfn;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->handle_reset   = usb_host_handle_reset;
     uc->handle_control = usb_host_handle_control;
     uc->handle_data    = usb_host_handle_data;
diff --git a/usb-linux.c b/usb-linux.c
index e7fc9ec..afb13c4 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -1419,7 +1419,6 @@ static void usb_host_class_initfn(ObjectClass *klass, void *data)
 
     uc->init           = usb_host_initfn;
     uc->product_desc   = "USB Host Device";
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->cancel_packet  = usb_host_async_cancel;
     uc->handle_data    = usb_host_handle_data;
     uc->handle_control = usb_host_handle_control;
diff --git a/usb-redir.c b/usb-redir.c
index 0a92951..d2769a8 100644
--- a/usb-redir.c
+++ b/usb-redir.c
@@ -1424,7 +1424,6 @@ static void usbredir_class_initfn(ObjectClass *klass, void *data)
     uc->init           = usbredir_initfn;
     uc->product_desc   = "USB Redirection Device";
     uc->handle_destroy = usbredir_handle_destroy;
-    uc->handle_packet  = usb_generic_handle_packet;
     uc->cancel_packet  = usbredir_cancel_packet;
     uc->handle_reset   = usbredir_handle_reset;
     uc->handle_data    = usbredir_handle_data;
commit e74495e3ade61ceabc5a00713900d8295e4042f4
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 18:05:22 2012 +0100

    usb-xhci: switch to usb_find_device()
    
    Switch over xHCI to use the new usb_find_device()
    function for device lookup.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 7028338..aa236c9 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -1385,6 +1385,14 @@ static int xhci_complete_packet(XHCITransfer *xfer, int ret)
     return 0;
 }
 
+static USBDevice *xhci_find_device(XHCIPort *port, uint8_t addr)
+{
+    if (!(port->portsc & PORTSC_PED)) {
+        return NULL;
+    }
+    return usb_find_device(&port->port, addr);
+}
+
 static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
 {
     XHCITRB *trb_setup, *trb_status;
@@ -1444,7 +1452,7 @@ static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
     xfer->data_length = wLength;
 
     port = &xhci->ports[xhci->slots[xfer->slotid-1].port-1];
-    dev = port->port.dev;
+    dev = xhci_find_device(port, xhci->slots[xfer->slotid-1].devaddr);
     if (!dev) {
         fprintf(stderr, "xhci: slot %d port %d has no device\n", xfer->slotid,
                 xhci->slots[xfer->slotid-1].port);
@@ -1502,7 +1510,7 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
     }
 
     port = &xhci->ports[xhci->slots[xfer->slotid-1].port-1];
-    dev = port->port.dev;
+    dev = xhci_find_device(port, xhci->slots[xfer->slotid-1].devaddr);
     if (!dev) {
         fprintf(stderr, "xhci: slot %d port %d has no device\n", xfer->slotid,
                 xhci->slots[xfer->slotid-1].port);
commit 87e043f17e9b3781b3c29c02ff32abc23ac15708
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 17:59:33 2012 +0100

    usb-musb: switch to usb_find_device()
    
    Switch over musb to use the new usb_find_device()
    function for device lookup.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index c2753c9..ecac631 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -605,6 +605,7 @@ static int musb_timeout(int ttype, int speed, int val)
 static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
                 int epnum, int pid, int len, USBCallback cb, int dir)
 {
+    USBDevice *dev;
     int ret;
     int idx = epnum && dir;
     int ttype;
@@ -628,10 +629,8 @@ static void musb_packet(MUSBState *s, MUSBEndPoint *ep,
     ep->packey[dir].ep = ep;
     ep->packey[dir].dir = dir;
 
-    if (s->port.dev)
-        ret = usb_handle_packet(s->port.dev, &ep->packey[dir].p);
-    else
-        ret = USB_RET_NODEV;
+    dev = usb_find_device(&s->port, ep->packey[dir].p.devaddr);
+    ret = usb_handle_packet(dev, &ep->packey[dir].p);
 
     if (ret == USB_RET_ASYNC) {
         ep->status[dir] = len;
commit 993048bb6bf6b74bbf6b7dae8e7c2db523cfcecf
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 17:56:17 2012 +0100

    usb-ohci: switch to usb_find_device()
    
    Switch over OHCI to use the new usb_find_device()
    function for device lookup.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 70f0f08..ba854c7 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -408,6 +408,23 @@ static void ohci_child_detach(USBPort *port1, USBDevice *child)
     ohci_async_cancel_device(s, child);
 }
 
+static USBDevice *ohci_find_device(OHCIState *ohci, uint8_t addr)
+{
+    USBDevice *dev;
+    int i;
+
+    for (i = 0; i < ohci->num_ports; i++) {
+        if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0) {
+            continue;
+        }
+        dev = usb_find_device(&ohci->rhport[i].port, addr);
+        if (dev != NULL) {
+            return dev;
+        }
+    }
+    return NULL;
+}
+
 /* Reset the controller */
 static void ohci_reset(void *opaque)
 {
@@ -779,20 +796,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
     if (completion) {
         ret = ohci->usb_packet.result;
     } else {
-        ret = USB_RET_NODEV;
-        for (i = 0; i < ohci->num_ports; i++) {
-            dev = ohci->rhport[i].port.dev;
-            if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0)
-                continue;
-            usb_packet_setup(&ohci->usb_packet, pid,
-                             OHCI_BM(ed->flags, ED_FA),
-                             OHCI_BM(ed->flags, ED_EN));
-            usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
-            ret = usb_handle_packet(dev, &ohci->usb_packet);
-            if (ret != USB_RET_NODEV)
-                break;
-        }
-    
+        usb_packet_setup(&ohci->usb_packet, pid,
+                         OHCI_BM(ed->flags, ED_FA),
+                         OHCI_BM(ed->flags, ED_EN));
+        usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, len);
+        dev = ohci_find_device(ohci, ohci->usb_packet.devaddr);
+        ret = usb_handle_packet(dev, &ohci->usb_packet);
         if (ret == USB_RET_ASYNC) {
             return 1;
         }
@@ -972,31 +981,23 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
         ohci->async_td = 0;
         ohci->async_complete = 0;
     } else {
-        ret = USB_RET_NODEV;
-        for (i = 0; i < ohci->num_ports; i++) {
-            dev = ohci->rhport[i].port.dev;
-            if ((ohci->rhport[i].ctrl & OHCI_PORT_PES) == 0)
-                continue;
-
-            if (ohci->async_td) {
-                /* ??? The hardware should allow one active packet per
-                   endpoint.  We only allow one active packet per controller.
-                   This should be sufficient as long as devices respond in a
-                   timely manner.
-                 */
+        if (ohci->async_td) {
+            /* ??? The hardware should allow one active packet per
+               endpoint.  We only allow one active packet per controller.
+               This should be sufficient as long as devices respond in a
+               timely manner.
+            */
 #ifdef DEBUG_PACKET
-                DPRINTF("Too many pending packets\n");
+            DPRINTF("Too many pending packets\n");
 #endif
-                return 1;
-            }
-            usb_packet_setup(&ohci->usb_packet, pid,
-                             OHCI_BM(ed->flags, ED_FA),
-                             OHCI_BM(ed->flags, ED_EN));
-            usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
-            ret = usb_handle_packet(dev, &ohci->usb_packet);
-            if (ret != USB_RET_NODEV)
-                break;
+            return 1;
         }
+        usb_packet_setup(&ohci->usb_packet, pid,
+                         OHCI_BM(ed->flags, ED_FA),
+                         OHCI_BM(ed->flags, ED_EN));
+        usb_packet_addbuf(&ohci->usb_packet, ohci->usb_buf, pktlen);
+        dev = ohci_find_device(ohci, ohci->usb_packet.devaddr);
+        ret = usb_handle_packet(dev, &ohci->usb_packet);
 #ifdef DEBUG_PACKET
         DPRINTF("ret=%d\n", ret);
 #endif
commit 828143c621d8fd1030b5fd07d7ed340b82a5b763
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 17:46:15 2012 +0100

    usb-ehci: switch to usb_find_device()
    
    Switch over EHCI to use the new usb_find_device()
    function for device lookup.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index 487214d..8f7b3c4 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -850,6 +850,26 @@ static int ehci_register_companion(USBBus *bus, USBPort *ports[],
     return 0;
 }
 
+static USBDevice *ehci_find_device(EHCIState *ehci, uint8_t addr)
+{
+    USBDevice *dev;
+    USBPort *port;
+    int i;
+
+    for (i = 0; i < NB_PORTS; i++) {
+        port = &ehci->ports[i];
+        if (!(ehci->portsc[i] & PORTSC_PED)) {
+            DPRINTF("Port %d not enabled\n", i);
+            continue;
+        }
+        dev = usb_find_device(port, addr);
+        if (dev != NULL) {
+            return dev;
+        }
+    }
+    return NULL;
+}
+
 /* 4.1 host controller initialization */
 static void ehci_reset(void *opaque)
 {
@@ -1336,10 +1356,8 @@ err:
 
 static int ehci_execute(EHCIQueue *q)
 {
-    USBPort *port;
     USBDevice *dev;
     int ret;
-    int i;
     int endp;
     int devadr;
 
@@ -1375,27 +1393,12 @@ static int ehci_execute(EHCIQueue *q)
     usb_packet_map(&q->packet, &q->sgl);
 
     // TO-DO: associating device with ehci port
-    for(i = 0; i < NB_PORTS; i++) {
-        port = &q->ehci->ports[i];
-        dev = port->dev;
-
-        if (!(q->ehci->portsc[i] &(PORTSC_CONNECT))) {
-            DPRINTF("Port %d, no exec, not connected(%08X)\n",
-                    i, q->ehci->portsc[i]);
-            continue;
-        }
-
-        ret = usb_handle_packet(dev, &q->packet);
-
-        DPRINTF("submit: qh %x next %x qtd %x pid %x len %zd "
-                "(total %d) endp %x ret %d\n",
-                q->qhaddr, q->qh.next, q->qtdaddr, q->pid,
-                q->packet.iov.size, q->tbytes, endp, ret);
-
-        if (ret != USB_RET_NODEV) {
-            break;
-        }
-    }
+    dev = ehci_find_device(q->ehci, q->packet.devaddr);
+    ret = usb_handle_packet(dev, &q->packet);
+    DPRINTF("submit: qh %x next %x qtd %x pid %x len %zd "
+            "(total %d) endp %x ret %d\n",
+            q->qhaddr, q->qh.next, q->qtdaddr, q->pid,
+            q->packet.iov.size, q->tbytes, endp, ret);
 
     if (ret > BUFF_SIZE) {
         fprintf(stderr, "ret from usb_handle_packet > BUFF_SIZE\n");
@@ -1411,10 +1414,9 @@ static int ehci_execute(EHCIQueue *q)
 static int ehci_process_itd(EHCIState *ehci,
                             EHCIitd *itd)
 {
-    USBPort *port;
     USBDevice *dev;
     int ret;
-    uint32_t i, j, len, pid, dir, devaddr, endp;
+    uint32_t i, len, pid, dir, devaddr, endp;
     uint32_t pg, off, ptr1, ptr2, max, mult;
 
     dir =(itd->bufptr[1] & ITD_BUFPTR_DIRECTION);
@@ -1455,21 +1457,8 @@ static int ehci_process_itd(EHCIState *ehci,
             usb_packet_setup(&ehci->ipacket, pid, devaddr, endp);
             usb_packet_map(&ehci->ipacket, &ehci->isgl);
 
-            ret = USB_RET_NODEV;
-            for (j = 0; j < NB_PORTS; j++) {
-                port = &ehci->ports[j];
-                dev = port->dev;
-
-                if (!(ehci->portsc[j] &(PORTSC_CONNECT))) {
-                    continue;
-                }
-
-                ret = usb_handle_packet(dev, &ehci->ipacket);
-
-                if (ret != USB_RET_NODEV) {
-                    break;
-                }
-            }
+            dev = ehci_find_device(ehci, ehci->ipacket.devaddr);
+            ret = usb_handle_packet(dev, &ehci->ipacket);
 
             usb_packet_unmap(&ehci->ipacket);
             qemu_sglist_destroy(&ehci->isgl);
commit 461700c1dc006600d7a955ee67184ced6084fd19
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 17:34:24 2012 +0100

    usb-uhci: switch to usb_find_device()
    
    Switch over UHCI to use the new usb_find_device()
    function for device lookup.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index 407e0f3..a1f597a 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -94,15 +94,6 @@ static const char *pid2str(int pid)
 #define DPRINTF(...)
 #endif
 
-#ifdef DEBUG_DUMP_DATA
-static void dump_data(USBPacket *p, int ret)
-{
-    iov_hexdump(p->iov.iov, p->iov.niov, stderr, "uhci", ret);
-}
-#else
-static void dump_data(USBPacket *p, int ret) {}
-#endif
-
 typedef struct UHCIState UHCIState;
 
 /* 
@@ -643,30 +634,22 @@ static void uhci_wakeup(USBPort *port1)
     }
 }
 
-static int uhci_broadcast_packet(UHCIState *s, USBPacket *p)
+static USBDevice *uhci_find_device(UHCIState *s, uint8_t addr)
 {
-    int i, ret;
-
-    DPRINTF("uhci: packet enter. pid %s addr 0x%02x ep %d len %zd\n",
-           pid2str(p->pid), p->devaddr, p->devep, p->iov.size);
-    if (p->pid == USB_TOKEN_OUT || p->pid == USB_TOKEN_SETUP)
-        dump_data(p, 0);
+    USBDevice *dev;
+    int i;
 
-    ret = USB_RET_NODEV;
-    for (i = 0; i < NB_PORTS && ret == USB_RET_NODEV; i++) {
+    for (i = 0; i < NB_PORTS; i++) {
         UHCIPort *port = &s->ports[i];
-        USBDevice *dev = port->port.dev;
-
-        if (dev && dev->attached && (port->ctrl & UHCI_PORT_EN)) {
-            ret = usb_handle_packet(dev, p);
+        if (!(port->ctrl & UHCI_PORT_EN)) {
+            continue;
+        }
+        dev = usb_find_device(&port->port, addr);
+        if (dev != NULL) {
+            return dev;
         }
     }
-
-    DPRINTF("uhci: packet exit. ret %d len %zd\n", ret, p->iov.size);
-    if (p->pid == USB_TOKEN_IN && ret > 0)
-        dump_data(p, ret);
-
-    return ret;
+    return NULL;
 }
 
 static void uhci_async_complete(USBPort *port, USBPacket *packet);
@@ -830,13 +813,15 @@ static int uhci_handle_td(UHCIState *s, uint32_t addr, UHCI_TD *td, uint32_t *in
     switch(pid) {
     case USB_TOKEN_OUT:
     case USB_TOKEN_SETUP:
-        len = uhci_broadcast_packet(s, &async->packet);
+        len = usb_handle_packet(uhci_find_device(s, async->packet.devaddr),
+                                &async->packet);
         if (len >= 0)
             len = max_len;
         break;
 
     case USB_TOKEN_IN:
-        len = uhci_broadcast_packet(s, &async->packet);
+        len = usb_handle_packet(uhci_find_device(s, async->packet.devaddr),
+                                &async->packet);
         break;
 
     default:
commit 98861f512bbd8789bd7935a75316d3278be23a0a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 17:33:02 2012 +0100

    usb: handle dev == NULL in usb_handle_packet()
    
    Allow passing in a NULL pointer, return USB_RET_NODEV in that case.
    Removes the burden to to a NULL pointer check from the callers.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index bacdc81..9976f81 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -315,6 +315,10 @@ int usb_handle_packet(USBDevice *dev, USBPacket *p)
 {
     int ret;
 
+    if (dev == NULL) {
+        return USB_RET_NODEV;
+    }
+
     assert(p->owner == NULL);
     ret = usb_device_handle_packet(dev, p);
     if (ret == USB_RET_ASYNC) {
commit 06c750888c57bdc374feaa097f6cbc720210b834
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 17:08:13 2012 +0100

    usb-hub: implement find_device
    
    Implement the find_device callback for the usb hub.  It'll loop over all
    ports, calling usb_find_device for all enabled ports until it finds a
    matching device.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 0f3b2dd..bd7641c 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -220,6 +220,26 @@ static void usb_hub_complete(USBPort *port, USBPacket *packet)
     s->dev.port->ops->complete(s->dev.port, packet);
 }
 
+static USBDevice *usb_hub_find_device(USBDevice *dev, uint8_t addr)
+{
+    USBHubState *s = DO_UPCAST(USBHubState, dev, dev);
+    USBHubPort *port;
+    USBDevice *downstream;
+    int i;
+
+    for (i = 0; i < NUM_PORTS; i++) {
+        port = &s->ports[i];
+        if (!(port->wPortStatus & PORT_STAT_ENABLE)) {
+            continue;
+        }
+        downstream = usb_find_device(&port->port, addr);
+        if (downstream != NULL) {
+            return downstream;
+        }
+    }
+    return NULL;
+}
+
 static void usb_hub_handle_reset(USBDevice *dev)
 {
     USBHubState *s = DO_UPCAST(USBHubState, dev, dev);
@@ -541,6 +561,7 @@ static void usb_hub_class_initfn(ObjectClass *klass, void *data)
     uc->init           = usb_hub_initfn;
     uc->product_desc   = "QEMU USB Hub";
     uc->usb_desc       = &desc_hub;
+    uc->find_device    = usb_hub_find_device;
     uc->handle_packet  = usb_hub_handle_packet;
     uc->handle_reset   = usb_hub_handle_reset;
     uc->handle_control = usb_hub_handle_control;
commit 73796fe6228ae1e294b4946c6c90337141cacc42
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jan 10 16:59:28 2012 +0100

    usb: add usb_find_device()
    
    Add usb_find_device().  This function will check whenever a device with
    a specific address is connected to the specified port.  Usually this
    will just check state and address of the device hooked up to the port,
    but in case of a hub it will ask the hub to check all hub ports for a
    matching device.
    
    This patch doesn't put the code into use yet, see the following patches
    for details.
    
    The master plan is to separate device lookup and packet processing.
    Right now the usb code simply walks all devices, calls
    usb_handle_packet() on each until one accepts the packet (by returning
    something different that USB_RET_NODEV).  I want to have a device lookup
    first, then call usb_handle_packet() once, for the device which actually
    processes the packet.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index b753834..5c05ed5 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -74,6 +74,15 @@ static int usb_device_init(USBDevice *dev)
     return 0;
 }
 
+USBDevice *usb_device_find_device(USBDevice *dev, uint8_t addr)
+{
+    USBDeviceClass *klass = USB_DEVICE_GET_CLASS(dev);
+    if (klass->find_device) {
+        return klass->find_device(dev, addr);
+    }
+    return NULL;
+}
+
 static void usb_device_handle_destroy(USBDevice *dev)
 {
     USBDeviceClass *klass = USB_DEVICE_GET_CLASS(dev);
diff --git a/hw/usb.c b/hw/usb.c
index 0c26164..bacdc81 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -295,6 +295,19 @@ int set_usb_string(uint8_t *buf, const char *str)
     return q - buf;
 }
 
+USBDevice *usb_find_device(USBPort *port, uint8_t addr)
+{
+    USBDevice *dev = port->dev;
+
+    if (dev == NULL || !dev->attached || dev->state != USB_STATE_DEFAULT) {
+        return NULL;
+    }
+    if (dev->addr == addr) {
+        return dev;
+    }
+    return usb_device_find_device(dev, addr);
+}
+
 /* Hand over a packet to a device for processing.  Return value
    USB_RET_ASYNC indicates the processing isn't finished yet, the
    driver will call usb_packet_complete() when done processing it. */
diff --git a/hw/usb.h b/hw/usb.h
index 6127176..1beb4b3 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -229,6 +229,12 @@ typedef struct USBDeviceClass {
     int (*init)(USBDevice *dev);
 
     /*
+     * Walk (enabled) downstream ports, check for a matching device.
+     * Only hubs implement this.
+     */
+    USBDevice *(*find_device)(USBDevice *dev, uint8_t addr);
+
+    /*
      * Process USB packet.
      * Called by the HC (Host Controller).
      *
@@ -332,6 +338,8 @@ void usb_packet_copy(USBPacket *p, void *ptr, size_t bytes);
 void usb_packet_skip(USBPacket *p, size_t bytes);
 void usb_packet_cleanup(USBPacket *p);
 
+USBDevice *usb_find_device(USBPort *port, uint8_t addr);
+
 int usb_handle_packet(USBDevice *dev, USBPacket *p);
 void usb_packet_complete(USBDevice *dev, USBPacket *p);
 void usb_cancel_packet(USBPacket * p);
@@ -446,6 +454,8 @@ extern const VMStateDescription vmstate_usb_device;
     .offset     = vmstate_offset_value(_state, _field, USBDevice),   \
 }
 
+USBDevice *usb_device_find_device(USBDevice *dev, uint8_t addr);
+
 int usb_device_handle_packet(USBDevice *dev, USBPacket *p);
 
 void usb_device_cancel_packet(USBDevice *dev, USBPacket *p);
commit 70fc20d4dc7c8990a508411db1ee441ae9ee5034
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 6 15:31:38 2012 +0100

    usb: kill usb_send_msg
    
    No users left.  Zap it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index c8e6be4..0c26164 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -295,19 +295,6 @@ int set_usb_string(uint8_t *buf, const char *str)
     return q - buf;
 }
 
-/* Send an internal message to a USB device.  */
-void usb_send_msg(USBDevice *dev, int msg)
-{
-    USBPacket p;
-    int ret;
-
-    memset(&p, 0, sizeof(p));
-    p.pid = msg;
-    ret = usb_handle_packet(dev, &p);
-    /* This _must_ be synchronous */
-    assert(ret != USB_RET_ASYNC);
-}
-
 /* Hand over a packet to a device for processing.  Return value
    USB_RET_ASYNC indicates the processing isn't finished yet, the
    driver will call usb_packet_complete() when done processing it. */
diff --git a/hw/usb.h b/hw/usb.h
index b56e812..6127176 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -355,7 +355,6 @@ void usb_wakeup(USBDevice *dev);
 int usb_generic_handle_packet(USBDevice *s, USBPacket *p);
 void usb_generic_async_ctrl_complete(USBDevice *s, USBPacket *p);
 int set_usb_string(uint8_t *buf, const char *str);
-void usb_send_msg(USBDevice *dev, int msg);
 
 /* usb-linux.c */
 USBDevice *usb_host_device_open(const char *devname);
commit d28f4e2d86317f7ef7398651e8a1d493e4bf8c88
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 6 15:23:10 2012 +0100

    usb: kill USB_MSG_RESET
    
    The USB subsystem pipes internal reset notifications through
    usb_handle_packet() with a special magic PID.  This indirection
    is a pretty pointless excercise as it ends up being handled by
    usb_generic_handle_packet anyway.
    
    Replace the USB_MSG_RESET with a usb_device_reset() function
    which can be called directly.  Also rename the existing usb_reset()
    function to usb_port_reset() to avoid confusion.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index cdd7415..487214d 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -888,7 +888,7 @@ static void ehci_reset(void *opaque)
         }
         if (devs[i] && devs[i]->attached) {
             usb_attach(&s->ports[i]);
-            usb_send_msg(devs[i], USB_MSG_RESET);
+            usb_device_reset(devs[i]);
         }
     }
     ehci_queues_rip_all(s);
@@ -987,7 +987,7 @@ static void handle_port_status_write(EHCIState *s, int port, uint32_t val)
     if (!(val & PORTSC_PRESET) &&(*portsc & PORTSC_PRESET)) {
         trace_usb_ehci_port_reset(port, 0);
         if (dev && dev->attached) {
-            usb_reset(&s->ports[port]);
+            usb_port_reset(&s->ports[port]);
             *portsc &= ~PORTSC_CSC;
         }
 
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 956b020..0f3b2dd 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -305,7 +305,7 @@ static int usb_hub_handle_control(USBDevice *dev, USBPacket *p,
                 break;
             case PORT_RESET:
                 if (dev && dev->attached) {
-                    usb_send_msg(dev, USB_MSG_RESET);
+                    usb_device_reset(dev);
                     port->wPortChange |= PORT_STAT_C_RESET;
                     /* set enable bit */
                     port->wPortStatus |= PORT_STAT_ENABLE;
diff --git a/hw/usb-musb.c b/hw/usb-musb.c
index 4f528d2..c2753c9 100644
--- a/hw/usb-musb.c
+++ b/hw/usb-musb.c
@@ -1310,7 +1310,7 @@ static void musb_writeb(void *opaque, target_phys_addr_t addr, uint32_t value)
         s->power = (value & 0xef) | (s->power & 0x10);
         /* MGC_M_POWER_RESET is also read-only in Peripheral Mode */
         if ((value & MGC_M_POWER_RESET) && s->port.dev) {
-            usb_send_msg(s->port.dev, USB_MSG_RESET);
+            usb_device_reset(s->port.dev);
             /* Negotiate high-speed operation if MGC_M_POWER_HSENAB is set.  */
             if ((value & MGC_M_POWER_HSENAB) &&
                             s->port.dev->speed == USB_SPEED_HIGH)
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
index 425030f..70f0f08 100644
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -449,7 +449,7 @@ static void ohci_reset(void *opaque)
         port = &ohci->rhport[i];
         port->ctrl = 0;
         if (port->port.dev && port->port.dev->attached) {
-            usb_reset(&port->port);
+            usb_port_reset(&port->port);
         }
       }
     if (ohci->async_td) {
@@ -1435,7 +1435,7 @@ static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val)
 
     if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) {
         DPRINTF("usb-ohci: port %d: RESET\n", portnum);
-        usb_send_msg(port->port.dev, USB_MSG_RESET);
+        usb_device_reset(port->port.dev);
         port->ctrl &= ~OHCI_PORT_PRS;
         /* ??? Should this also set OHCI_PORT_PESC.  */
         port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC;
diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index e0c7dbb..407e0f3 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -342,7 +342,7 @@ static void uhci_reset(void *opaque)
         port = &s->ports[i];
         port->ctrl = 0x0080;
         if (port->port.dev && port->port.dev->attached) {
-            usb_reset(&port->port);
+            usb_port_reset(&port->port);
         }
     }
 
@@ -440,16 +440,12 @@ static void uhci_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
         }
         if (val & UHCI_CMD_GRESET) {
             UHCIPort *port;
-            USBDevice *dev;
             int i;
 
             /* send reset on the USB bus */
             for(i = 0; i < NB_PORTS; i++) {
                 port = &s->ports[i];
-                dev = port->port.dev;
-                if (dev && dev->attached) {
-                    usb_send_msg(dev, USB_MSG_RESET);
-                }
+                usb_device_reset(port->port.dev);
             }
             uhci_reset(s);
             return;
@@ -491,7 +487,7 @@ static void uhci_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
                 /* port reset */
                 if ( (val & UHCI_PORT_RESET) &&
                      !(port->ctrl & UHCI_PORT_RESET) ) {
-                    usb_send_msg(dev, USB_MSG_RESET);
+                    usb_device_reset(dev);
                 }
             }
             port->ctrl &= UHCI_PORT_READ_ONLY;
diff --git a/hw/usb-xhci.c b/hw/usb-xhci.c
index 37e887c..7028338 100644
--- a/hw/usb-xhci.c
+++ b/hw/usb-xhci.c
@@ -2346,9 +2346,7 @@ static void xhci_port_write(XHCIState *xhci, uint32_t reg, uint32_t val)
         /* write-1-to-start bits */
         if (val & PORTSC_PR) {
             DPRINTF("xhci: port %d reset\n", port);
-            if (xhci->ports[port].port.dev) {
-                usb_send_msg(xhci->ports[port].port.dev, USB_MSG_RESET);
-            }
+            usb_device_reset(xhci->ports[port].port.dev);
             portsc |= PORTSC_PRC | PORTSC_PED;
         }
         xhci->ports[port].portsc = portsc;
diff --git a/hw/usb.c b/hw/usb.c
index 800dd83..c8e6be4 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -49,14 +49,25 @@ void usb_detach(USBPort *port)
     dev->state = USB_STATE_NOTATTACHED;
 }
 
-void usb_reset(USBPort *port)
+void usb_port_reset(USBPort *port)
 {
     USBDevice *dev = port->dev;
 
     assert(dev != NULL);
     usb_detach(port);
     usb_attach(port);
-    usb_send_msg(dev, USB_MSG_RESET);
+    usb_device_reset(dev);
+}
+
+void usb_device_reset(USBDevice *dev)
+{
+    if (dev == NULL || !dev->attached) {
+        return;
+    }
+    dev->remote_wakeup = 0;
+    dev->addr = 0;
+    dev->state = USB_STATE_DEFAULT;
+    usb_device_handle_reset(dev);
 }
 
 void usb_wakeup(USBDevice *dev)
@@ -218,15 +229,6 @@ static int do_token_out(USBDevice *s, USBPacket *p)
  */
 int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
 {
-    switch(p->pid) {
-    case USB_MSG_RESET:
-        s->remote_wakeup = 0;
-        s->addr = 0;
-        s->state = USB_STATE_DEFAULT;
-        usb_device_handle_reset(s);
-        return 0;
-    }
-
     /* Rest of the PIDs must match our address */
     if (s->state < USB_STATE_DEFAULT || p->devaddr != s->addr)
         return USB_RET_NODEV;
diff --git a/hw/usb.h b/hw/usb.h
index 0bd9098..b56e812 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -39,9 +39,6 @@
 #define USB_TOKEN_IN    0x69 /* device -> host */
 #define USB_TOKEN_OUT   0xe1 /* host -> device */
 
-/* specific usb messages, also sent in the 'pid' parameter */
-#define USB_MSG_RESET    0x102
-
 #define USB_RET_NODEV  (-1)
 #define USB_RET_NAK    (-2)
 #define USB_RET_STALL  (-3)
@@ -352,7 +349,8 @@ int usb_ep_get_max_packet_size(USBDevice *dev, int pid, int ep);
 
 void usb_attach(USBPort *port);
 void usb_detach(USBPort *port);
-void usb_reset(USBPort *port);
+void usb_port_reset(USBPort *port);
+void usb_device_reset(USBDevice *dev);
 void usb_wakeup(USBDevice *dev);
 int usb_generic_handle_packet(USBDevice *s, USBPacket *p);
 void usb_generic_async_ctrl_complete(USBDevice *s, USBPacket *p);
commit d1f8b53618b3daa93a113ba02520cd1bd34c254b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Fri Jan 6 15:13:34 2012 +0100

    usb: kill USB_MSG_{ATTACH,DETACH}
    
    The USB subsystem pipes internal attach/detach notifications through
    usb_handle_packet() with a special magic PID.  This indirection is a
    pretty pointless excercise as it ends up being handled by
    usb_generic_handle_packet anyway.  Remove it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb.c b/hw/usb.c
index c3ff5b7..800dd83 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -35,7 +35,8 @@ void usb_attach(USBPort *port)
     assert(dev->attached);
     assert(dev->state == USB_STATE_NOTATTACHED);
     port->ops->attach(port);
-    usb_send_msg(dev, USB_MSG_ATTACH);
+    dev->state = USB_STATE_ATTACHED;
+    usb_device_handle_attach(dev);
 }
 
 void usb_detach(USBPort *port)
@@ -45,7 +46,7 @@ void usb_detach(USBPort *port)
     assert(dev != NULL);
     assert(dev->state != USB_STATE_NOTATTACHED);
     port->ops->detach(port);
-    usb_send_msg(dev, USB_MSG_DETACH);
+    dev->state = USB_STATE_NOTATTACHED;
 }
 
 void usb_reset(USBPort *port)
@@ -218,15 +219,6 @@ static int do_token_out(USBDevice *s, USBPacket *p)
 int usb_generic_handle_packet(USBDevice *s, USBPacket *p)
 {
     switch(p->pid) {
-    case USB_MSG_ATTACH:
-        s->state = USB_STATE_ATTACHED;
-        usb_device_handle_attach(s);
-        return 0;
-
-    case USB_MSG_DETACH:
-        s->state = USB_STATE_NOTATTACHED;
-        return 0;
-
     case USB_MSG_RESET:
         s->remote_wakeup = 0;
         s->addr = 0;
diff --git a/hw/usb.h b/hw/usb.h
index 13e7c8e..0bd9098 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -40,8 +40,6 @@
 #define USB_TOKEN_OUT   0xe1 /* host -> device */
 
 /* specific usb messages, also sent in the 'pid' parameter */
-#define USB_MSG_ATTACH   0x100
-#define USB_MSG_DETACH   0x101
 #define USB_MSG_RESET    0x102
 
 #define USB_RET_NODEV  (-1)
commit 6af165892cf900291046f1d25f95416f379504c2
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Wed Jan 25 09:50:39 2012 +0100

    usb-redir: Add the posibility to filter out certain devices from redirecion
    
    This patch adds the posibility to filter out certain devices from redirecion.
    To use this pass the filter property to -device usb-redir.  The filter
    property takes a string consisting of filter rules, the format for a rule is:
    <class>:<vendor>:<product>:<version>:<allow>
    
    -1 can be used to allow any value for a field.
    
    Muliple rules can be concatonated using | as a separator. Note that if
    a device matches none of the passed in rules, redirecting it will not be
    allowed!
    
    Example:
    -device usb-redir,filter='-1:0x0781:0x5567:-1:0|0x08:-1:-1:-1:1'
    
    This example will deny the Sandisk Cruzer Blade being redirected, as it
    has a usb id of 0781:5567, it will allow any other usb mass storage devices,
    and it will deny any other devices (the default for devices not matching any
    of the rules.
    
    Signed-off-by: Hans de Goede <hdegoede at redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/configure b/configure
index 763db24..68f9ee6 100755
--- a/configure
+++ b/configure
@@ -2584,7 +2584,7 @@ fi
 
 # check for usbredirparser for usb network redirection support
 if test "$usb_redir" != "no" ; then
-    if $pkg_config libusbredirparser >/dev/null 2>&1 ; then
+    if $pkg_config --atleast-version=0.3.3 libusbredirparser >/dev/null 2>&1 ; then
         usb_redir="yes"
         usb_redir_cflags=$($pkg_config --cflags libusbredirparser 2>/dev/null)
         usb_redir_libs=$($pkg_config --libs libusbredirparser 2>/dev/null)
diff --git a/usb-redir.c b/usb-redir.c
index 303292a..0a92951 100644
--- a/usb-redir.c
+++ b/usb-redir.c
@@ -34,6 +34,7 @@
 #include <sys/ioctl.h>
 #include <signal.h>
 #include <usbredirparser.h>
+#include <usbredirfilter.h>
 
 #include "hw/usb.h"
 
@@ -72,6 +73,7 @@ struct USBRedirDevice {
     /* Properties */
     CharDriverState *cs;
     uint8_t debug;
+    char *filter_str;
     /* Data passed from chardev the fd_read cb to the usbredirparser read cb */
     const uint8_t *read_buf;
     int read_buf_size;
@@ -84,6 +86,11 @@ struct USBRedirDevice {
     struct endp_data endpoint[MAX_ENDPOINTS];
     uint32_t packet_id;
     QTAILQ_HEAD(, AsyncURB) asyncq;
+    /* Data for device filtering */
+    struct usb_redir_device_connect_header device_info;
+    struct usb_redir_interface_info_header interface_info;
+    struct usbredirfilter_rule *filter_rules;
+    int filter_rules_count;
 };
 
 struct AsyncURB {
@@ -780,6 +787,7 @@ static int usbredir_handle_control(USBDevice *udev, USBPacket *p,
 static void usbredir_open_close_bh(void *opaque)
 {
     USBRedirDevice *dev = opaque;
+    uint32_t caps[USB_REDIR_CAPS_SIZE] = { 0, };
 
     usbredir_device_disconnect(dev);
 
@@ -810,7 +818,9 @@ static void usbredir_open_close_bh(void *opaque)
         dev->parser->interrupt_packet_func = usbredir_interrupt_packet;
         dev->read_buf = NULL;
         dev->read_buf_size = 0;
-        usbredirparser_init(dev->parser, VERSION, NULL, 0, 0);
+
+        usbredirparser_caps_set_cap(caps, usb_redir_cap_connect_device_version);
+        usbredirparser_init(dev->parser, VERSION, caps, USB_REDIR_CAPS_SIZE, 0);
         usbredirparser_do_write(dev->parser);
     }
 }
@@ -880,6 +890,17 @@ static int usbredir_initfn(USBDevice *udev)
         return -1;
     }
 
+    if (dev->filter_str) {
+        i = usbredirfilter_string_to_rules(dev->filter_str, ":", "|",
+                                           &dev->filter_rules,
+                                           &dev->filter_rules_count);
+        if (i) {
+            qerror_report(QERR_INVALID_PARAMETER_VALUE, "filter",
+                          "a usb device filter string");
+            return -1;
+        }
+    }
+
     dev->open_close_bh = qemu_bh_new(usbredir_open_close_bh, dev);
     dev->attach_timer = qemu_new_timer_ms(vm_clock, usbredir_do_attach, dev);
 
@@ -929,6 +950,44 @@ static void usbredir_handle_destroy(USBDevice *udev)
     if (dev->parser) {
         usbredirparser_destroy(dev->parser);
     }
+
+    free(dev->filter_rules);
+}
+
+static int usbredir_check_filter(USBRedirDevice *dev)
+{
+    if (dev->interface_info.interface_count == 0) {
+        ERROR("No interface info for device\n");
+        return -1;
+    }
+
+    if (dev->filter_rules) {
+        if (!usbredirparser_peer_has_cap(dev->parser,
+                                    usb_redir_cap_connect_device_version)) {
+            ERROR("Device filter specified and peer does not have the "
+                  "connect_device_version capability\n");
+            return -1;
+        }
+
+        if (usbredirfilter_check(
+                dev->filter_rules,
+                dev->filter_rules_count,
+                dev->device_info.device_class,
+                dev->device_info.device_subclass,
+                dev->device_info.device_protocol,
+                dev->interface_info.interface_class,
+                dev->interface_info.interface_subclass,
+                dev->interface_info.interface_protocol,
+                dev->interface_info.interface_count,
+                dev->device_info.vendor_id,
+                dev->device_info.product_id,
+                dev->device_info.device_version_bcd,
+                0) != 0) {
+            return -1;
+        }
+    }
+
+    return 0;
 }
 
 /*
@@ -957,6 +1016,7 @@ static void usbredir_device_connect(void *priv,
     struct usb_redir_device_connect_header *device_connect)
 {
     USBRedirDevice *dev = priv;
+    const char *speed;
 
     if (qemu_timer_pending(dev->attach_timer) || dev->dev.attached) {
         ERROR("Received device connect while already connected\n");
@@ -965,26 +1025,48 @@ static void usbredir_device_connect(void *priv,
 
     switch (device_connect->speed) {
     case usb_redir_speed_low:
-        DPRINTF("attaching low speed device\n");
+        speed = "low speed";
         dev->dev.speed = USB_SPEED_LOW;
         break;
     case usb_redir_speed_full:
-        DPRINTF("attaching full speed device\n");
+        speed = "full speed";
         dev->dev.speed = USB_SPEED_FULL;
         break;
     case usb_redir_speed_high:
-        DPRINTF("attaching high speed device\n");
+        speed = "high speed";
         dev->dev.speed = USB_SPEED_HIGH;
         break;
     case usb_redir_speed_super:
-        DPRINTF("attaching super speed device\n");
+        speed = "super speed";
         dev->dev.speed = USB_SPEED_SUPER;
         break;
     default:
-        DPRINTF("attaching unknown speed device, assuming full speed\n");
+        speed = "unknown speed";
         dev->dev.speed = USB_SPEED_FULL;
     }
+
+    if (usbredirparser_peer_has_cap(dev->parser,
+                                    usb_redir_cap_connect_device_version)) {
+        INFO("attaching %s device %04x:%04x version %d.%d class %02x\n",
+             speed, device_connect->vendor_id, device_connect->product_id,
+             device_connect->device_version_bcd >> 8,
+             device_connect->device_version_bcd & 0xff,
+             device_connect->device_class);
+    } else {
+        INFO("attaching %s device %04x:%04x class %02x\n", speed,
+             device_connect->vendor_id, device_connect->product_id,
+             device_connect->device_class);
+    }
+
     dev->dev.speedmask = (1 << dev->dev.speed);
+    dev->device_info = *device_connect;
+
+    if (usbredir_check_filter(dev)) {
+        WARNING("Device %04x:%04x rejected by device filter, not attaching\n",
+                device_connect->vendor_id, device_connect->product_id);
+        return;
+    }
+
     qemu_mod_timer(dev->attach_timer, dev->next_attach_time);
 }
 
@@ -1011,15 +1093,27 @@ static void usbredir_device_disconnect(void *priv)
     for (i = 0; i < MAX_ENDPOINTS; i++) {
         QTAILQ_INIT(&dev->endpoint[i].bufpq);
     }
+    dev->interface_info.interface_count = 0;
 }
 
 static void usbredir_interface_info(void *priv,
     struct usb_redir_interface_info_header *interface_info)
 {
-    /* The intention is to allow specifying acceptable interface classes
-       for redirection on the cmdline and in the future verify this here,
-       and disconnect (or never connect) the device if a not accepted
-       interface class is detected */
+    USBRedirDevice *dev = priv;
+
+    dev->interface_info = *interface_info;
+
+    /*
+     * If we receive interface info after the device has already been
+     * connected (ie on a set_config), re-check the filter.
+     */
+    if (qemu_timer_pending(dev->attach_timer) || dev->dev.attached) {
+        if (usbredir_check_filter(dev)) {
+            ERROR("Device no longer matches filter after interface info "
+                  "change, disconnecting!\n");
+            usbredir_device_disconnect(dev);
+        }
+    }
 }
 
 static void usbredir_ep_info(void *priv,
@@ -1318,6 +1412,7 @@ static void usbredir_interrupt_packet(void *priv, uint32_t id,
 static Property usbredir_properties[] = {
     DEFINE_PROP_CHR("chardev", USBRedirDevice, cs),
     DEFINE_PROP_UINT8("debug", USBRedirDevice, debug, 0),
+    DEFINE_PROP_STRING("filter", USBRedirDevice, filter_str),
     DEFINE_PROP_END_OF_LIST(),
 };
 
commit f76e1d814241794467366d70d3d77849a6fd5ab0
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Fri Jan 13 14:28:56 2012 +0100

    usb-ehci: Clear the portstatus powner bit on device disconnect
    
    According to the EHCI spec port ownership should revert to the EHCI controller
    on device disconnect. This fixes the problem of a port getting stuck on USB 1
    when using redirection and plugging in a USB 2 device after a USB 1 device
    has been redirected.
    
    Signed-off-by: Hans de Goede <hdegoede at redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index 75ef71e..cdd7415 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -765,6 +765,11 @@ static void ehci_detach(USBPort *port)
         USBPort *companion = s->companion_ports[port->index];
         companion->ops->detach(companion);
         companion->dev = NULL;
+        /*
+         * EHCI spec 4.2.2: "When a disconnect occurs... On the event,
+         * the port ownership is returned immediately to the EHCI controller."
+         */
+        *portsc &= ~PORTSC_POWNER;
         return;
     }
 
commit 3200d1085df5f368885428e33d9439f55c7f1a47
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Jan 26 13:57:40 2012 +0100

    usb-uhci: implement bandwidth management
    
    The OS is allowed to make the UHCI Controller run in circles.  That is
    usually done to serve multiple connected USB devices in a robin-round
    fashion, so the available USB bandwidth is evenly distributed between
    devices.
    
    The uhci emulation handles this in a very poor way though.  When it
    figures it runs in circles it stops processing unconditionally, so
    it usually processes at most a single transfer desriptor per queue,
    even if there are multiple transfer descriptors are queued up.
    
    This patch makes uhci act in a more sophisticated way.  It keeps track
    of successful processed transfer descriptors and transfered bytes.  Then
    it will stop processing when there is nothing to do (no transfer
    descriptor was completed the last round) or when the transfered data
    reaches the usb bandwidth limit.
    
    Result is that the usb-storage devices connected to uhci are ten times
    faster, mkfs.vfat time for a 64M stick goes down from five seconds to
    a half second.  Reason for this is that we are now processing up to 20
    transfer descriptors (with 64 bytes each) per frame instead of a single
    one.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/hw/usb-uhci.c b/hw/usb-uhci.c
index cddcc89..e0c7dbb 100644
--- a/hw/usb-uhci.c
+++ b/hw/usb-uhci.c
@@ -73,7 +73,7 @@
 
 #define FRAME_TIMER_FREQ 1000
 
-#define FRAME_MAX_LOOPS  100
+#define FRAME_MAX_LOOPS  256
 
 #define NB_PORTS 2
 
@@ -942,7 +942,7 @@ static int qhdb_insert(QhDb *db, uint32_t addr)
 static void uhci_process_frame(UHCIState *s)
 {
     uint32_t frame_addr, link, old_td_ctrl, val, int_mask;
-    uint32_t curr_qh;
+    uint32_t curr_qh, td_count = 0, bytes_count = 0;
     int cnt, ret;
     UHCI_TD td;
     UHCI_QH qh;
@@ -967,13 +967,26 @@ static void uhci_process_frame(UHCIState *s)
             if (qhdb_insert(&qhdb, link)) {
                 /*
                  * We're going in circles. Which is not a bug because
-                 * HCD is allowed to do that as part of the BW management. 
-                 * In our case though it makes no sense to spin here. Sync transations 
-                 * are already done, and async completion handler will re-process 
-                 * the frame when something is ready.
+                 * HCD is allowed to do that as part of the BW management.
+                 *
+                 * Stop processing here if
+                 *  (a) no transaction has been done since we've been
+                 *      here last time, or
+                 *  (b) we've reached the usb 1.1 bandwidth, which is
+                 *      1280 bytes/frame.
                  */
                 DPRINTF("uhci: detected loop. qh 0x%x\n", link);
-                break;
+                if (td_count == 0) {
+                    DPRINTF("uhci: no transaction last round, stop\n");
+                    break;
+                } else if (bytes_count >= 1280) {
+                    DPRINTF("uhci: bandwidth limit reached, stop\n");
+                    break;
+                } else {
+                    td_count = 0;
+                    qhdb_reset(&qhdb);
+                    qhdb_insert(&qhdb, link);
+                }
             }
 
             pci_dma_read(&s->dev, link & ~0xf, &qh, sizeof(qh));
@@ -1033,6 +1046,8 @@ static void uhci_process_frame(UHCIState *s)
                 link, td.link, td.ctrl, td.token, curr_qh);
 
         link = td.link;
+        td_count++;
+        bytes_count += (td.ctrl & 0x7ff) + 1;
 
         if (curr_qh) {
 	    /* update QH element link */
commit 7bc9318bfb68b2d773449a55d4fa800d0fdb0918
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Feb 8 13:18:37 2012 +0100

    vnc: lift modifier keys on client disconnect.
    
    For any modifier key (shift, ctrl, alt) still pressed on disconnect
    inject a key-up event into the guest.  The vnc client is gone, it will
    not do that, so qemu has to do it instead.
    
    Without this keys will get stuck, making the guest act in weird ways
    after reconnecting.  Reproducer: exit vnc client via Alt-F4, guest
    continues to see the pressed alt key and will not react to key events
    in any useful way until you tap the alt key once to unstuck it.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/vnc.c b/ui/vnc.c
index 83a9b15..02b71bc 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -46,6 +46,7 @@ static VncDisplay *vnc_display; /* needed for info vnc */
 static DisplayChangeListener *dcl;
 
 static int vnc_cursor_define(VncState *vs);
+static void vnc_release_modifiers(VncState *vs);
 
 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
 {
@@ -1051,6 +1052,7 @@ static void vnc_disconnect_finish(VncState *vs)
     vnc_sasl_client_cleanup(vs);
 #endif /* CONFIG_VNC_SASL */
     audio_del(vs);
+    vnc_release_modifiers(vs);
 
     QTAILQ_REMOVE(&vs->vd->clients, vs, next);
 
@@ -1679,6 +1681,29 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
     }
 }
 
+static void vnc_release_modifiers(VncState *vs)
+{
+    static const int keycodes[] = {
+        /* shift, control, alt keys, both left & right */
+        0x2a, 0x36, 0x1d, 0x9d, 0x38, 0xb8,
+    };
+    int i, keycode;
+
+    if (!is_graphic_console()) {
+        return;
+    }
+    for (i = 0; i < ARRAY_SIZE(keycodes); i++) {
+        keycode = keycodes[i];
+        if (!vs->modifiers_state[keycode]) {
+            continue;
+        }
+        if (keycode & SCANCODE_GREY) {
+            kbd_put_keycode(SCANCODE_EMUL0);
+        }
+        kbd_put_keycode(keycode | SCANCODE_UP);
+    }
+}
+
 static void key_event(VncState *vs, int down, uint32_t sym)
 {
     int keycode;
commit 8cf364898cfe4ae761f2253e91a040633d6f87be
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Thu Nov 24 18:10:49 2011 +0100

    vnc: implement shared flag handling.
    
    VNC clients send a shared flag in the client init message.  Up to now
    qemu completely ignores this.  This patch implements shared flag
    handling.  It comes with three policies:  By default qemu behaves as one
    would expect:  Asking for a exclusive access grants exclusive access to
    the client connecting.  There is also a desktop sharing mode which
    disallows exclusive connects (so one forgetting -shared wouldn't drop
    everybody else) and a compatibility mode which mimics the traditional
    (but non-conforming) qemu behavior.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/qemu-options.hx b/qemu-options.hx
index f577cc8..4bb3617 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1095,6 +1095,19 @@ This can be really helpful to save bandwidth when playing videos. Disabling
 adaptive encodings allows to restore the original static behavior of encodings
 like Tight.
 
+ at item share=[allow-exclusive|force-shared|ignore]
+
+Set display sharing policy.  'allow-exclusive' allows clients to ask
+for exclusive access.  As suggested by the rfb spec this is
+implemented by dropping other connections.  Connecting multiple
+clients in parallel requires all clients asking for a shared session
+(vncviewer: -shared switch).  This is the default.  'force-shared'
+disables exclusive client access.  Useful for shared desktop sessions,
+where you don't want someone forgetting specify -shared disconnect
+everybody else.  'ignore' completely ignores the shared flag and
+allows everybody connect unconditionally.  Doesn't conform to the rfb
+spec but is traditional qemu behavior.
+
 @end table
 ETEXI
 
diff --git a/ui/vnc.c b/ui/vnc.c
index 810582b..83a9b15 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -47,6 +47,29 @@ static DisplayChangeListener *dcl;
 
 static int vnc_cursor_define(VncState *vs);
 
+static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
+{
+#ifdef _VNC_DEBUG
+    static const char *mn[] = {
+        [0]                           = "undefined",
+        [VNC_SHARE_MODE_CONNECTING]   = "connecting",
+        [VNC_SHARE_MODE_SHARED]       = "shared",
+        [VNC_SHARE_MODE_EXCLUSIVE]    = "exclusive",
+        [VNC_SHARE_MODE_DISCONNECTED] = "disconnected",
+    };
+    fprintf(stderr, "%s/%d: %s -> %s\n", __func__,
+            vs->csock, mn[vs->share_mode], mn[mode]);
+#endif
+
+    if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
+        vs->vd->num_exclusive--;
+    }
+    vs->share_mode = mode;
+    if (vs->share_mode == VNC_SHARE_MODE_EXCLUSIVE) {
+        vs->vd->num_exclusive++;
+    }
+}
+
 static char *addr_to_string(const char *format,
                             struct sockaddr_storage *sa,
                             socklen_t salen) {
@@ -997,6 +1020,7 @@ static void vnc_disconnect_start(VncState *vs)
 {
     if (vs->csock == -1)
         return;
+    vnc_set_share_mode(vs, VNC_SHARE_MODE_DISCONNECTED);
     qemu_set_fd_handler2(vs->csock, NULL, NULL, NULL, NULL);
     closesocket(vs->csock);
     vs->csock = -1;
@@ -2054,8 +2078,67 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
 static int protocol_client_init(VncState *vs, uint8_t *data, size_t len)
 {
     char buf[1024];
+    VncShareMode mode;
     int size;
 
+    mode = data[0] ? VNC_SHARE_MODE_SHARED : VNC_SHARE_MODE_EXCLUSIVE;
+    switch (vs->vd->share_policy) {
+    case VNC_SHARE_POLICY_IGNORE:
+        /*
+         * Ignore the shared flag.  Nothing to do here.
+         *
+         * Doesn't conform to the rfb spec but is traditional qemu
+         * behavior, thus left here as option for compatibility
+         * reasons.
+         */
+        break;
+    case VNC_SHARE_POLICY_ALLOW_EXCLUSIVE:
+        /*
+         * Policy: Allow clients ask for exclusive access.
+         *
+         * Implementation: When a client asks for exclusive access,
+         * disconnect all others. Shared connects are allowed as long
+         * as no exclusive connection exists.
+         *
+         * This is how the rfb spec suggests to handle the shared flag.
+         */
+        if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
+            VncState *client;
+            QTAILQ_FOREACH(client, &vs->vd->clients, next) {
+                if (vs == client) {
+                    continue;
+                }
+                if (client->share_mode != VNC_SHARE_MODE_EXCLUSIVE &&
+                    client->share_mode != VNC_SHARE_MODE_SHARED) {
+                    continue;
+                }
+                vnc_disconnect_start(client);
+            }
+        }
+        if (mode == VNC_SHARE_MODE_SHARED) {
+            if (vs->vd->num_exclusive > 0) {
+                vnc_disconnect_start(vs);
+                return 0;
+            }
+        }
+        break;
+    case VNC_SHARE_POLICY_FORCE_SHARED:
+        /*
+         * Policy: Shared connects only.
+         * Implementation: Disallow clients asking for exclusive access.
+         *
+         * Useful for shared desktop sessions where you don't want
+         * someone forgetting to say -shared when running the vnc
+         * client disconnect everybody else.
+         */
+        if (mode == VNC_SHARE_MODE_EXCLUSIVE) {
+            vnc_disconnect_start(vs);
+            return 0;
+        }
+        break;
+    }
+    vnc_set_share_mode(vs, mode);
+
     vs->client_width = ds_get_width(vs->ds);
     vs->client_height = ds_get_height(vs->ds);
     vnc_write_u16(vs, vs->client_width);
@@ -2562,6 +2645,7 @@ static void vnc_connect(VncDisplay *vd, int csock, int skipauth)
 
     vnc_client_cache_addr(vs);
     vnc_qmp_event(vs, QEVENT_VNC_CONNECTED);
+    vnc_set_share_mode(vs, VNC_SHARE_MODE_CONNECTING);
 
     vs->vd = vd;
     vs->ds = vd->ds;
@@ -2755,6 +2839,7 @@ int vnc_display_open(DisplayState *ds, const char *display)
 
     if (!(vs->display = strdup(display)))
         return -1;
+    vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
 
     options = display;
     while ((options = strchr(options, ','))) {
@@ -2810,6 +2895,19 @@ int vnc_display_open(DisplayState *ds, const char *display)
             vs->lossy = true;
         } else if (strncmp(options, "non-adapative", 13) == 0) {
             vs->non_adaptive = true;
+        } else if (strncmp(options, "share=", 6) == 0) {
+            if (strncmp(options+6, "ignore", 6) == 0) {
+                vs->share_policy = VNC_SHARE_POLICY_IGNORE;
+            } else if (strncmp(options+6, "allow-exclusive", 15) == 0) {
+                vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
+            } else if (strncmp(options+6, "force-shared", 12) == 0) {
+                vs->share_policy = VNC_SHARE_POLICY_FORCE_SHARED;
+            } else {
+                fprintf(stderr, "unknown vnc share= option\n");
+                g_free(vs->display);
+                vs->display = NULL;
+                return -1;
+            }
         }
     }
 
diff --git a/ui/vnc.h b/ui/vnc.h
index 66689f1..0bd1fc6 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -122,9 +122,24 @@ struct VncSurface
     DisplaySurface *ds;
 };
 
+typedef enum VncShareMode {
+    VNC_SHARE_MODE_CONNECTING = 1,
+    VNC_SHARE_MODE_SHARED,
+    VNC_SHARE_MODE_EXCLUSIVE,
+    VNC_SHARE_MODE_DISCONNECTED,
+} VncShareMode;
+
+typedef enum VncSharePolicy {
+    VNC_SHARE_POLICY_IGNORE = 1,
+    VNC_SHARE_POLICY_ALLOW_EXCLUSIVE,
+    VNC_SHARE_POLICY_FORCE_SHARED,
+} VncSharePolicy;
+
 struct VncDisplay
 {
     QTAILQ_HEAD(, VncState) clients;
+    int num_exclusive;
+    VncSharePolicy share_policy;
     QEMUTimer *timer;
     int timer_interval;
     int lsock;
@@ -250,6 +265,7 @@ struct VncState
     int last_y;
     int client_width;
     int client_height;
+    VncShareMode share_mode;
 
     uint32_t vnc_encoding;
 
commit e26437c2d4a7f6cbbc0bbd51b08a2dcce84bb93b
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Nov 8 10:02:16 2011 +0100

    vnc: fix ctrl key in vnc terminal emulation
    
    Make the control keys for terminals on the vnc display
    (i.e. qemu -vnc :0 -serial vc) work.  Makes the terminals
    alot more usable as typing Ctrl-C in your serial console
    actually has the desired effect ;)
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/vnc.c b/ui/vnc.c
index 5752bf8..810582b 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1552,9 +1552,11 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
         else
             kbd_put_keycode(keycode | SCANCODE_UP);
     } else {
+        bool numlock = vs->modifiers_state[0x45];
+        bool control = (vs->modifiers_state[0x1d] ||
+                        vs->modifiers_state[0x9d]);
         /* QEMU console emulation */
         if (down) {
-            int numlock = vs->modifiers_state[0x45];
             switch (keycode) {
             case 0x2a:                          /* Left Shift */
             case 0x36:                          /* Right Shift */
@@ -1642,7 +1644,11 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
                 break;
 
             default:
-                kbd_put_keysym(sym);
+                if (control) {
+                    kbd_put_keysym(sym & 0x1f);
+                } else {
+                    kbd_put_keysym(sym);
+                }
                 break;
             }
         }
commit ce3e14175ea36d851aede808fc8891313b91ec27
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Mon Jun 14 12:28:23 2010 +0200

    Fix vnc memory corruption with width = 1400
    
    vnc assumes that the screen width is a multiple of 16 in several places.
    If this is not the case vnc will overrun buffers, corrupt memory, make
    qemu crash.
    
    This is the minimum fix for this bug. It makes sure we don't overrun the
    scanline, thereby fixing the segfault.  The rendering is *not* correct
    though, there is a black border at the right side of the screen, 8
    pixels wide because 1400 % 16 == 8.
    
    Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>

diff --git a/ui/vnc.c b/ui/vnc.c
index 16b79ec..5752bf8 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2445,7 +2445,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
             guest_ptr  = guest_row;
             server_ptr = server_row;
 
-            for (x = 0; x < vd->guest.ds->width;
+            for (x = 0; x + 15 < vd->guest.ds->width;
                     x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) {
                 if (!test_and_clear_bit((x / 16), vd->guest.dirty[y]))
                     continue;
commit 57c83dacfe179bf061b8fa79d9553ebabe4d2ff4
Author: Stefan Weil <sw at weilnetz.de>
Date:   Wed Feb 8 22:41:37 2012 +0100

    make: Remove duplicate use of GLIB_CFLAGS
    
    Makefile, Makefile.hw, Makefile.target and libcacard/Makefile
    added GLIB_CFLAGS to QEMU_CFLAGS.
    
    Makefile.objs does this, too, and is included by all other
    Makefiles, so GLIB_CFLAGS were added twice (reported by malc).
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/Makefile b/Makefile
index 47acf3d..e66e885 100644
--- a/Makefile
+++ b/Makefile
@@ -114,8 +114,6 @@ audio/audio.o audio/fmodaudio.o: QEMU_CFLAGS += $(FMOD_CFLAGS)
 
 QEMU_CFLAGS+=$(CURL_CFLAGS)
 
-QEMU_CFLAGS+=$(GLIB_CFLAGS)
-
 QEMU_CFLAGS += -I$(SRC_PATH)/include
 
 ui/cocoa.o: ui/cocoa.m
diff --git a/Makefile.hw b/Makefile.hw
index 7b8d068..33f1ab0 100644
--- a/Makefile.hw
+++ b/Makefile.hw
@@ -10,7 +10,6 @@ include $(SRC_PATH)/rules.mak
 $(call set-vpath, $(SRC_PATH):$(SRC_PATH)/hw)
 
 QEMU_CFLAGS+=-I..
-QEMU_CFLAGS += $(GLIB_CFLAGS)
 QEMU_CFLAGS += -I$(SRC_PATH)/include
 
 include $(SRC_PATH)/Makefile.objs
diff --git a/Makefile.objs b/Makefile.objs
index ec35320..391e524 100644
--- a/Makefile.objs
+++ b/Makefile.objs
@@ -323,8 +323,6 @@ hw-obj-$(CONFIG_SOUND) += $(sound-obj-y)
 9pfs-nested-$(CONFIG_VIRTFS) += virtio-9p-proxy.o
 
 hw-obj-$(CONFIG_REALLY_VIRTFS) += $(addprefix 9pfs/, $(9pfs-nested-y))
-$(addprefix 9pfs/, $(9pfs-nested-y)): QEMU_CFLAGS+=$(GLIB_CFLAGS)
-
 
 ######################################################################
 # libdis
diff --git a/Makefile.target b/Makefile.target
index 7ed4979..29fde6e 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -215,7 +215,6 @@ QEMU_CFLAGS += $(VNC_TLS_CFLAGS)
 QEMU_CFLAGS += $(VNC_SASL_CFLAGS)
 QEMU_CFLAGS += $(VNC_JPEG_CFLAGS)
 QEMU_CFLAGS += $(VNC_PNG_CFLAGS)
-QEMU_CFLAGS += $(GLIB_CFLAGS)
 
 # xen support
 obj-$(CONFIG_XEN) += xen-all.o xen_machine_pv.o xen_domainbuild.o xen-mapcache.o
diff --git a/libcacard/Makefile b/libcacard/Makefile
index a145569..c6a896a 100644
--- a/libcacard/Makefile
+++ b/libcacard/Makefile
@@ -15,8 +15,6 @@ QEMU_OBJS_LIB=$(addsuffix .lo,$(basename $(QEMU_OBJS)))
 
 QEMU_CFLAGS+=-I../
 
-QEMU_CFLAGS+=$(GLIB_CFLAGS)
-
 libcacard.lib-y=$(addsuffix .lo,$(basename $(libcacard-y)))
 
 vscclient: $(libcacard-y) $(QEMU_OBJS) vscclient.o
commit b867672884afc39b6537a8aa6aa2f20a5154bf4f
Author: Alexander Graf <agraf at suse.de>
Date:   Mon Jan 30 23:29:48 2012 +0100

    AHCI: Masking of IRQs actually masks them
    
    When masking IRQ lines, we should actually mask them out and not declare
    them active anymore. Once we mask them in again, they are allowed to trigger
    again.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index caff7bc..f7ef114 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -146,6 +146,7 @@ static void ahci_check_irq(AHCIState *s)
 
     DPRINTF(-1, "check irq %#x\n", s->control_regs.irqstatus);
 
+    s->control_regs.irqstatus = 0;
     for (i = 0; i < s->ports; i++) {
         AHCIPortRegs *pr = &s->dev[i].port_regs;
         if (pr->irq_stat & pr->irq_mask) {
@@ -216,6 +217,7 @@ static void  ahci_port_write(AHCIState *s, int port, int offset, uint32_t val)
             break;
         case PORT_IRQ_STAT:
             pr->irq_stat &= ~val;
+            ahci_check_irq(s);
             break;
         case PORT_IRQ_MASK:
             pr->irq_mask = val & 0xfdc000ff;
commit 6d1acda8f16d1f2d0b05cfbf9ce54d05849cb016
Author: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
Date:   Tue Jan 31 02:10:06 2012 +0900

    sheepdog: fix co_recv coroutine context
    
    The co_recv coroutine has two things that will try to enter it:
    
      1. The select(2) read callback on the sheepdog socket.
      2. The aio_add_request() blocking operations, including a coroutine
         mutex.
    
    This patch fixes it by setting NULL to co_recv before sending data.
    
    In future, we should make the sheepdog driver fully coroutine-based
    and simplify request handling.
    
    Signed-off-by: MORITA Kazutaka <morita.kazutaka at lab.ntt.co.jp>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/sheepdog.c b/block/sheepdog.c
index 9416400..00276f6 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -629,6 +629,9 @@ static void coroutine_fn aio_read_response(void *opaque)
 
     switch (acb->aiocb_type) {
     case AIOCB_WRITE_UDATA:
+        /* this coroutine context is no longer suitable for co_recv
+         * because we may send data to update vdi objects */
+        s->co_recv = NULL;
         if (!is_data_obj(aio_req->oid)) {
             break;
         }
commit c9b308d20b642c106048f088ccc31f2aa7cf59ba
Author: Alexander Graf <agraf at suse.de>
Date:   Mon Jan 30 23:29:47 2012 +0100

    AHCI: Fix port reset race
    
    bdrv_aio_cancel() can trigger bdrv_aio_flush() which makes all aio
    that is currently in flight finish. So what we do is:
    
      port reset
      detect ncq in flight
      cancel ncq
      delete ncq sg list
    
    at which point we have double freed the sg list. Instead, with this
    patch we do:
    
      port reset
      detect ncq in flight
      cancel ncq
      check if we are really still in flight
      delete ncq sg list
    
    which makes things work and gets rid of the race.
    
    Signed-off-by: Alexander Graf <agraf at suse.de>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index c87a6ca..caff7bc 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -560,6 +560,11 @@ static void ahci_reset_port(AHCIState *s, int port)
             ncq_tfs->aiocb = NULL;
         }
 
+        /* Maybe we just finished the request thanks to bdrv_aio_cancel() */
+        if (!ncq_tfs->used) {
+            continue;
+        }
+
         qemu_sglist_destroy(&ncq_tfs->sglist);
         ncq_tfs->used = 0;
     }
commit ea8f978ffef325ab2fd0edcf5f24b6dcec6078f3
Author: Dong Xu Wang <wdongxu at linux.vnet.ibm.com>
Date:   Tue Dec 20 17:03:47 2011 +0800

    rewrite QEMU_BUILD_BUG_ON
    
    On some platforms, __LINE__ will not expand to real number in QEMU_BUILD_BUG_ON,
    so if using QEMU_BUILD_BUG_ON twice, compiler will report errors. This patch will
    fix it.
    
    BTW, I got error message on RHEL 6.1/gcc 4.4.5.
    
    Signed-off-by: Dong Xu Wang <wdongxu at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/compiler.h b/compiler.h
index a1c0794..736e770 100644
--- a/compiler.h
+++ b/compiler.h
@@ -30,8 +30,10 @@
 # define QEMU_PACKED __attribute__((packed))
 #endif
 
+#define cat(x,y) x ## y
+#define cat2(x,y) cat(x,y)
 #define QEMU_BUILD_BUG_ON(x) \
-    typedef char qemu_build_bug_on__##__LINE__[(x)?-1:1];
+    typedef char cat2(qemu_build_bug_on__,__LINE__)[(x)?-1:1];
 
 #if defined __GNUC__
 # if !QEMU_GNUC_PREREQ(4, 4)
commit 75bab85ca01876f912caf46f5fcb4ca8d9a50584
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Feb 2 14:52:08 2012 +0100

    qcow2: Keep unknown header extension when rewriting header
    
    If we want header extensions to work as compatible extensions, we can't
    destroy yet unknown header extensions when rewriting the header (e.g.
    for changing the backing file). Save all unknown header extensions in a
    list of blobs and include them in a new header.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index 9f8c2de..3692b45 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -77,8 +77,10 @@ static int qcow2_probe(const uint8_t *buf, int buf_size, const char *filename)
 static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
                                  uint64_t end_offset)
 {
+    BDRVQcowState *s = bs->opaque;
     QCowExtension ext;
     uint64_t offset;
+    int ret;
 
 #ifdef DEBUG_EXT
     printf("qcow2_read_extensions: start=%ld end=%ld\n", start_offset, end_offset);
@@ -129,8 +131,22 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
             break;
 
         default:
-            /* unknown magic -- just skip it */
-            offset = ((offset + ext.len + 7) & ~7);
+            /* unknown magic - save it in case we need to rewrite the header */
+            {
+                Qcow2UnknownHeaderExtension *uext;
+
+                uext = g_malloc0(sizeof(*uext)  + ext.len);
+                uext->magic = ext.magic;
+                uext->len = ext.len;
+                QLIST_INSERT_HEAD(&s->unknown_header_ext, uext, next);
+
+                ret = bdrv_pread(bs->file, offset , uext->data, uext->len);
+                if (ret < 0) {
+                    return ret;
+                }
+
+                offset = ((offset + ext.len + 7) & ~7);
+            }
             break;
         }
     }
@@ -138,6 +154,16 @@ static int qcow2_read_extensions(BlockDriverState *bs, uint64_t start_offset,
     return 0;
 }
 
+static void cleanup_unknown_header_ext(BlockDriverState *bs)
+{
+    BDRVQcowState *s = bs->opaque;
+    Qcow2UnknownHeaderExtension *uext, *next;
+
+    QLIST_FOREACH_SAFE(uext, &s->unknown_header_ext, next, next) {
+        QLIST_REMOVE(uext, next);
+        g_free(uext);
+    }
+}
 
 static int qcow2_open(BlockDriverState *bs, int flags)
 {
@@ -291,6 +317,7 @@ static int qcow2_open(BlockDriverState *bs, int flags)
     return ret;
 
  fail:
+    cleanup_unknown_header_ext(bs);
     qcow2_free_snapshots(bs);
     qcow2_refcount_close(bs);
     g_free(s->l1_table);
@@ -632,6 +659,7 @@ static void qcow2_close(BlockDriverState *bs)
     qcow2_cache_destroy(bs, s->l2_table_cache);
     qcow2_cache_destroy(bs, s->refcount_block_cache);
 
+    cleanup_unknown_header_ext(bs);
     g_free(s->cluster_cache);
     qemu_vfree(s->cluster_data);
     qcow2_refcount_close(bs);
@@ -705,6 +733,7 @@ int qcow2_update_header(BlockDriverState *bs)
     int ret;
     uint64_t total_size;
     uint32_t refcount_table_clusters;
+    Qcow2UnknownHeaderExtension *uext;
 
     buf = qemu_blockalign(bs, buflen);
     memset(buf, 0, s->cluster_size);
@@ -752,6 +781,17 @@ int qcow2_update_header(BlockDriverState *bs)
         buflen -= ret;
     }
 
+    /* Keep unknown header extensions */
+    QLIST_FOREACH(uext, &s->unknown_header_ext, next) {
+        ret = header_ext_add(buf, uext->magic, uext->data, uext->len, buflen);
+        if (ret < 0) {
+            goto fail;
+        }
+
+        buf += ret;
+        buflen -= ret;
+    }
+
     /* End of header extensions */
     ret = header_ext_add(buf, QCOW2_EXT_MAGIC_END, NULL, 0, buflen);
     if (ret < 0) {
diff --git a/block/qcow2.h b/block/qcow2.h
index aae5f89..fc35838 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -87,6 +87,13 @@ typedef struct QCowSnapshot {
 struct Qcow2Cache;
 typedef struct Qcow2Cache Qcow2Cache;
 
+typedef struct Qcow2UnknownHeaderExtension {
+    uint32_t magic;
+    uint32_t len;
+    QLIST_ENTRY(Qcow2UnknownHeaderExtension) next;
+    uint8_t data[];
+} Qcow2UnknownHeaderExtension;
+
 typedef struct BDRVQcowState {
     int cluster_bits;
     int cluster_size;
@@ -127,6 +134,7 @@ typedef struct BDRVQcowState {
     QCowSnapshot *snapshots;
 
     int flags;
+    QLIST_HEAD(, Qcow2UnknownHeaderExtension) unknown_header_ext;
 } BDRVQcowState;
 
 /* XXX: use std qcow open function ? */
commit e24e49e6194626e4ec9f1aecce6d6a6847320bce
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Thu Feb 2 12:32:31 2012 +0100

    qcow2: Update whole header at once
    
    In order to switch the backing file, qcow2 issues multiple write
    requests that only changed a part of the image header. Any failure after
    the first one would leave the header in an corrupted state. With this
    patch, the whole header is written at once, so we can't fail in the
    middle.
    
    At the same time, this gives us a reusable functions that updates all
    fields of the qcow2 header and not only the backing file.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qcow2.c b/block/qcow2.c
index aa32e8d..9f8c2de 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -669,103 +669,137 @@ static void qcow2_invalidate_cache(BlockDriverState *bs)
     }
 }
 
+static size_t header_ext_add(char *buf, uint32_t magic, const void *s,
+    size_t len, size_t buflen)
+{
+    QCowExtension *ext_backing_fmt = (QCowExtension*) buf;
+    size_t ext_len = sizeof(QCowExtension) + ((len + 7) & ~7);
+
+    if (buflen < ext_len) {
+        return -ENOSPC;
+    }
+
+    *ext_backing_fmt = (QCowExtension) {
+        .magic  = cpu_to_be32(magic),
+        .len    = cpu_to_be32(len),
+    };
+    memcpy(buf + sizeof(QCowExtension), s, len);
+
+    return ext_len;
+}
+
 /*
- * Updates the variable length parts of the qcow2 header, i.e. the backing file
- * name and all extensions. qcow2 was not designed to allow such changes, so if
- * we run out of space (we can only use the first cluster) this function may
- * fail.
+ * Updates the qcow2 header, including the variable length parts of it, i.e.
+ * the backing file name and all extensions. qcow2 was not designed to allow
+ * such changes, so if we run out of space (we can only use the first cluster)
+ * this function may fail.
  *
  * Returns 0 on success, -errno in error cases.
  */
-static int qcow2_update_ext_header(BlockDriverState *bs,
-    const char *backing_file, const char *backing_fmt)
+int qcow2_update_header(BlockDriverState *bs)
 {
-    size_t backing_file_len = 0;
-    size_t backing_fmt_len = 0;
     BDRVQcowState *s = bs->opaque;
-    QCowExtension ext_backing_fmt = {0, 0};
+    QCowHeader *header;
+    char *buf;
+    size_t buflen = s->cluster_size;
     int ret;
+    uint64_t total_size;
+    uint32_t refcount_table_clusters;
 
-    /* Backing file format doesn't make sense without a backing file */
-    if (backing_fmt && !backing_file) {
-        return -EINVAL;
-    }
-
-    /* Prepare the backing file format extension if needed */
-    if (backing_fmt) {
-        ext_backing_fmt.len = cpu_to_be32(strlen(backing_fmt));
-        ext_backing_fmt.magic = cpu_to_be32(QCOW2_EXT_MAGIC_BACKING_FORMAT);
-        backing_fmt_len = ((sizeof(ext_backing_fmt)
-            + strlen(backing_fmt) + 7) & ~7);
-    }
+    buf = qemu_blockalign(bs, buflen);
+    memset(buf, 0, s->cluster_size);
 
-    /* Check if we can fit the new header into the first cluster */
-    if (backing_file) {
-        backing_file_len = strlen(backing_file);
-    }
+    /* Header structure */
+    header = (QCowHeader*) buf;
 
-    size_t header_size = sizeof(QCowHeader) + backing_file_len
-        + backing_fmt_len;
-
-    if (header_size > s->cluster_size) {
-        return -ENOSPC;
+    if (buflen < sizeof(*header)) {
+        ret = -ENOSPC;
+        goto fail;
     }
 
-    /* Rewrite backing file name and qcow2 extensions */
-    size_t ext_size = header_size - sizeof(QCowHeader);
-    uint8_t buf[ext_size];
-    size_t offset = 0;
-    size_t backing_file_offset = 0;
-
-    if (backing_file) {
-        if (backing_fmt) {
-            int padding = backing_fmt_len -
-                (sizeof(ext_backing_fmt) + strlen(backing_fmt));
-
-            memcpy(buf + offset, &ext_backing_fmt, sizeof(ext_backing_fmt));
-            offset += sizeof(ext_backing_fmt);
+    total_size = bs->total_sectors * BDRV_SECTOR_SIZE;
+    refcount_table_clusters = s->refcount_table_size >> (s->cluster_bits - 3);
+
+    *header = (QCowHeader) {
+        .magic                  = cpu_to_be32(QCOW_MAGIC),
+        .version                = cpu_to_be32(QCOW_VERSION),
+        .backing_file_offset    = 0,
+        .backing_file_size      = 0,
+        .cluster_bits           = cpu_to_be32(s->cluster_bits),
+        .size                   = cpu_to_be64(total_size),
+        .crypt_method           = cpu_to_be32(s->crypt_method_header),
+        .l1_size                = cpu_to_be32(s->l1_size),
+        .l1_table_offset        = cpu_to_be64(s->l1_table_offset),
+        .refcount_table_offset  = cpu_to_be64(s->refcount_table_offset),
+        .refcount_table_clusters = cpu_to_be32(refcount_table_clusters),
+        .nb_snapshots           = cpu_to_be32(s->nb_snapshots),
+        .snapshots_offset       = cpu_to_be64(s->snapshots_offset),
+    };
 
-            memcpy(buf + offset, backing_fmt, strlen(backing_fmt));
-            offset += strlen(backing_fmt);
+    buf += sizeof(*header);
+    buflen -= sizeof(*header);
 
-            memset(buf + offset, 0, padding);
-            offset += padding;
+    /* Backing file format header extension */
+    if (*bs->backing_format) {
+        ret = header_ext_add(buf, QCOW2_EXT_MAGIC_BACKING_FORMAT,
+                             bs->backing_format, strlen(bs->backing_format),
+                             buflen);
+        if (ret < 0) {
+            goto fail;
         }
 
-        memcpy(buf + offset, backing_file, backing_file_len);
-        backing_file_offset = sizeof(QCowHeader) + offset;
+        buf += ret;
+        buflen -= ret;
     }
 
-    ret = bdrv_pwrite_sync(bs->file, sizeof(QCowHeader), buf, ext_size);
+    /* End of header extensions */
+    ret = header_ext_add(buf, QCOW2_EXT_MAGIC_END, NULL, 0, buflen);
     if (ret < 0) {
         goto fail;
     }
 
-    /* Update header fields */
-    uint64_t be_backing_file_offset = cpu_to_be64(backing_file_offset);
-    uint32_t be_backing_file_size = cpu_to_be32(backing_file_len);
+    buf += ret;
+    buflen -= ret;
 
-    ret = bdrv_pwrite_sync(bs->file, offsetof(QCowHeader, backing_file_offset),
-        &be_backing_file_offset, sizeof(uint64_t));
-    if (ret < 0) {
-        goto fail;
+    /* Backing file name */
+    if (*bs->backing_file) {
+        size_t backing_file_len = strlen(bs->backing_file);
+
+        if (buflen < backing_file_len) {
+            ret = -ENOSPC;
+            goto fail;
+        }
+
+        strncpy(buf, bs->backing_file, buflen);
+
+        header->backing_file_offset = cpu_to_be64(buf - ((char*) header));
+        header->backing_file_size   = cpu_to_be32(backing_file_len);
     }
 
-    ret = bdrv_pwrite_sync(bs->file, offsetof(QCowHeader, backing_file_size),
-        &be_backing_file_size, sizeof(uint32_t));
+    /* Write the new header */
+    ret = bdrv_pwrite(bs->file, 0, header, s->cluster_size);
     if (ret < 0) {
         goto fail;
     }
 
     ret = 0;
 fail:
+    qemu_vfree(header);
     return ret;
 }
 
 static int qcow2_change_backing_file(BlockDriverState *bs,
     const char *backing_file, const char *backing_fmt)
 {
-    return qcow2_update_ext_header(bs, backing_file, backing_fmt);
+    /* Backing file format doesn't make sense without a backing file */
+    if (backing_fmt && !backing_file) {
+        return -EINVAL;
+    }
+
+    pstrcpy(bs->backing_file, sizeof(bs->backing_file), backing_file ?: "");
+    pstrcpy(bs->backing_format, sizeof(bs->backing_format), backing_fmt ?: "");
+
+    return qcow2_update_header(bs);
 }
 
 static int preallocate(BlockDriverState *bs)
diff --git a/block/qcow2.h b/block/qcow2.h
index 99e4536..aae5f89 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -178,6 +178,7 @@ static inline int64_t align_offset(int64_t offset, int n)
 /* qcow2.c functions */
 int qcow2_backing_read1(BlockDriverState *bs, QEMUIOVector *qiov,
                   int64_t sector_num, int nb_sectors);
+int qcow2_update_header(BlockDriverState *bs);
 
 /* qcow2-refcount.c functions */
 int qcow2_refcount_init(BlockDriverState *bs);
commit ecd880d9eeb59a0148d4761698448245ec4306e0
Author: Kevin Wolf <kwolf at redhat.com>
Date:   Tue Feb 7 10:15:47 2012 +0100

    vpc: Round up image size during fixed image creation
    
    The geometry calculation algorithm from the VHD spec rounds the image
    size down if it doesn't exactly match a geometry. During image
    conversion, this causes the image to be truncated. For dynamic images,
    we already have code in place to round up instead, let's do the same for
    fixed images.
    
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/vpc.c b/block/vpc.c
index db6b14b..6b4816f 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -685,24 +685,21 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
         return -EIO;
     }
 
+    /*
+     * Calculate matching total_size and geometry. Increase the number of
+     * sectors requested until we get enough (or fail). This ensures that
+     * qemu-img convert doesn't truncate images, but rather rounds up.
+     */
     total_sectors = total_size / BDRV_SECTOR_SIZE;
-    if (disk_type == VHD_DYNAMIC) {
-        /* Calculate matching total_size and geometry. Increase the number of
-           sectors requested until we get enough (or fail). */
-        for (i = 0; total_sectors > (int64_t)cyls * heads * secs_per_cyl;
-             i++) {
-            if (calculate_geometry(total_sectors + i,
-                                   &cyls, &heads, &secs_per_cyl)) {
-                ret = -EFBIG;
-                goto fail;
-            }
-        }
-    } else {
-        if (calculate_geometry(total_sectors, &cyls, &heads, &secs_per_cyl)) {
+    for (i = 0; total_sectors > (int64_t)cyls * heads * secs_per_cyl; i++) {
+        if (calculate_geometry(total_sectors + i, &cyls, &heads,
+                               &secs_per_cyl))
+        {
             ret = -EFBIG;
             goto fail;
         }
     }
+
     total_sectors = (int64_t) cyls * heads * secs_per_cyl;
 
     /* Prepare the Hard Disk Footer */
commit 24da78dbb54b61fa299919c89709270fad5e682d
Author: Charles Arnold <carnold at suse.com>
Date:   Mon Feb 6 09:22:30 2012 -0700

    vpc: Add support for Fixed Disk type
    
    The Virtual Hard Disk Image Format Specification allows for three
    types of hard disk formats, Fixed, Dynamic, and Differencing.  Qemu
    currently only supports Dynamic disks.  This patch adds support for
    the Fixed Disk format.
    
    Usage:
        Example 1: qemu-img create -f vpc -o type=fixed <filename> [size]
        Example 2: qemu-img convert -O vpc -o type=fixed <input filename> <output filename>
    
    While it is also allowed to specify '-o type=dynamic', the default disk type
    remains Dynamic and is what is used when the type is left unspecified.
    
    Signed-off-by: Charles Arnold <carnold at suse.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/vpc.c b/block/vpc.c
index 89a5ee2..db6b14b 100644
--- a/block/vpc.c
+++ b/block/vpc.c
@@ -161,13 +161,27 @@ static int vpc_open(BlockDriverState *bs, int flags)
     uint8_t buf[HEADER_SIZE];
     uint32_t checksum;
     int err = -1;
+    int disk_type = VHD_DYNAMIC;
 
     if (bdrv_pread(bs->file, 0, s->footer_buf, HEADER_SIZE) != HEADER_SIZE)
         goto fail;
 
     footer = (struct vhd_footer*) s->footer_buf;
-    if (strncmp(footer->creator, "conectix", 8))
-        goto fail;
+    if (strncmp(footer->creator, "conectix", 8)) {
+        int64_t offset = bdrv_getlength(bs->file);
+        if (offset < HEADER_SIZE) {
+            goto fail;
+        }
+        /* If a fixed disk, the footer is found only at the end of the file */
+        if (bdrv_pread(bs->file, offset-HEADER_SIZE, s->footer_buf, HEADER_SIZE)
+                != HEADER_SIZE) {
+            goto fail;
+        }
+        if (strncmp(footer->creator, "conectix", 8)) {
+            goto fail;
+        }
+        disk_type = VHD_FIXED;
+    }
 
     checksum = be32_to_cpu(footer->checksum);
     footer->checksum = 0;
@@ -186,49 +200,54 @@ static int vpc_open(BlockDriverState *bs, int flags)
         goto fail;
     }
 
-    if (bdrv_pread(bs->file, be64_to_cpu(footer->data_offset), buf, HEADER_SIZE)
-            != HEADER_SIZE)
-        goto fail;
-
-    dyndisk_header = (struct vhd_dyndisk_header*) buf;
+    if (disk_type == VHD_DYNAMIC) {
+        if (bdrv_pread(bs->file, be64_to_cpu(footer->data_offset), buf,
+                HEADER_SIZE) != HEADER_SIZE) {
+            goto fail;
+        }
 
-    if (strncmp(dyndisk_header->magic, "cxsparse", 8))
-        goto fail;
+        dyndisk_header = (struct vhd_dyndisk_header *) buf;
 
+        if (strncmp(dyndisk_header->magic, "cxsparse", 8)) {
+            goto fail;
+        }
 
-    s->block_size = be32_to_cpu(dyndisk_header->block_size);
-    s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
+        s->block_size = be32_to_cpu(dyndisk_header->block_size);
+        s->bitmap_size = ((s->block_size / (8 * 512)) + 511) & ~511;
 
-    s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
-    s->pagetable = g_malloc(s->max_table_entries * 4);
+        s->max_table_entries = be32_to_cpu(dyndisk_header->max_table_entries);
+        s->pagetable = g_malloc(s->max_table_entries * 4);
 
-    s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
-    if (bdrv_pread(bs->file, s->bat_offset, s->pagetable,
-            s->max_table_entries * 4) != s->max_table_entries * 4)
-	    goto fail;
+        s->bat_offset = be64_to_cpu(dyndisk_header->table_offset);
+        if (bdrv_pread(bs->file, s->bat_offset, s->pagetable,
+                s->max_table_entries * 4) != s->max_table_entries * 4) {
+            goto fail;
+        }
 
-    s->free_data_block_offset =
-        (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
+        s->free_data_block_offset =
+            (s->bat_offset + (s->max_table_entries * 4) + 511) & ~511;
 
-    for (i = 0; i < s->max_table_entries; i++) {
-        be32_to_cpus(&s->pagetable[i]);
-        if (s->pagetable[i] != 0xFFFFFFFF) {
-            int64_t next = (512 * (int64_t) s->pagetable[i]) +
-                s->bitmap_size + s->block_size;
+        for (i = 0; i < s->max_table_entries; i++) {
+            be32_to_cpus(&s->pagetable[i]);
+            if (s->pagetable[i] != 0xFFFFFFFF) {
+                int64_t next = (512 * (int64_t) s->pagetable[i]) +
+                    s->bitmap_size + s->block_size;
 
-            if (next> s->free_data_block_offset)
-                s->free_data_block_offset = next;
+                if (next > s->free_data_block_offset) {
+                    s->free_data_block_offset = next;
+                }
+            }
         }
-    }
 
-    s->last_bitmap_offset = (int64_t) -1;
+        s->last_bitmap_offset = (int64_t) -1;
 
 #ifdef CACHE
-    s->pageentry_u8 = g_malloc(512);
-    s->pageentry_u32 = s->pageentry_u8;
-    s->pageentry_u16 = s->pageentry_u8;
-    s->last_pagetable = -1;
+        s->pageentry_u8 = g_malloc(512);
+        s->pageentry_u32 = s->pageentry_u8;
+        s->pageentry_u16 = s->pageentry_u8;
+        s->last_pagetable = -1;
 #endif
+    }
 
     qemu_co_mutex_init(&s->lock);
 
@@ -395,7 +414,11 @@ static int vpc_read(BlockDriverState *bs, int64_t sector_num,
     int ret;
     int64_t offset;
     int64_t sectors, sectors_per_block;
+    struct vhd_footer *footer = (struct vhd_footer *) s->footer_buf;
 
+    if (cpu_to_be32(footer->type) == VHD_FIXED) {
+        return bdrv_read(bs->file, sector_num, buf, nb_sectors);
+    }
     while (nb_sectors > 0) {
         offset = get_sector_offset(bs, sector_num, 0);
 
@@ -440,7 +463,11 @@ static int vpc_write(BlockDriverState *bs, int64_t sector_num,
     int64_t offset;
     int64_t sectors, sectors_per_block;
     int ret;
+    struct vhd_footer *footer =  (struct vhd_footer *) s->footer_buf;
 
+    if (cpu_to_be32(footer->type) == VHD_FIXED) {
+        return bdrv_write(bs->file, sector_num, buf, nb_sectors);
+    }
     while (nb_sectors > 0) {
         offset = get_sector_offset(bs, sector_num, 1);
 
@@ -533,70 +560,14 @@ static int calculate_geometry(int64_t total_sectors, uint16_t* cyls,
     return 0;
 }
 
-static int vpc_create(const char *filename, QEMUOptionParameter *options)
+static int create_dynamic_disk(int fd, uint8_t *buf, int64_t total_sectors)
 {
-    uint8_t buf[1024];
-    struct vhd_footer* footer = (struct vhd_footer*) buf;
     struct vhd_dyndisk_header* dyndisk_header =
         (struct vhd_dyndisk_header*) buf;
-    int fd, i;
-    uint16_t cyls = 0;
-    uint8_t heads = 0;
-    uint8_t secs_per_cyl = 0;
     size_t block_size, num_bat_entries;
-    int64_t total_sectors = 0;
+    int i;
     int ret = -EIO;
 
-    // Read out options
-    total_sectors = get_option_parameter(options, BLOCK_OPT_SIZE)->value.n /
-                    BDRV_SECTOR_SIZE;
-
-    // Create the file
-    fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
-    if (fd < 0)
-        return -EIO;
-
-    /* Calculate matching total_size and geometry. Increase the number of
-       sectors requested until we get enough (or fail). */
-    for (i = 0; total_sectors > (int64_t)cyls * heads * secs_per_cyl; i++) {
-        if (calculate_geometry(total_sectors + i,
-                               &cyls, &heads, &secs_per_cyl)) {
-            ret = -EFBIG;
-            goto fail;
-        }
-    }
-    total_sectors = (int64_t) cyls * heads * secs_per_cyl;
-
-    // Prepare the Hard Disk Footer
-    memset(buf, 0, 1024);
-
-    memcpy(footer->creator, "conectix", 8);
-    // TODO Check if "qemu" creator_app is ok for VPC
-    memcpy(footer->creator_app, "qemu", 4);
-    memcpy(footer->creator_os, "Wi2k", 4);
-
-    footer->features = be32_to_cpu(0x02);
-    footer->version = be32_to_cpu(0x00010000);
-    footer->data_offset = be64_to_cpu(HEADER_SIZE);
-    footer->timestamp = be32_to_cpu(time(NULL) - VHD_TIMESTAMP_BASE);
-
-    // Version of Virtual PC 2007
-    footer->major = be16_to_cpu(0x0005);
-    footer->minor =be16_to_cpu(0x0003);
-
-    footer->orig_size = be64_to_cpu(total_sectors * 512);
-    footer->size = be64_to_cpu(total_sectors * 512);
-
-    footer->cyls = be16_to_cpu(cyls);
-    footer->heads = heads;
-    footer->secs_per_cyl = secs_per_cyl;
-
-    footer->type = be32_to_cpu(VHD_DYNAMIC);
-
-    // TODO uuid is missing
-
-    footer->checksum = be32_to_cpu(vpc_checksum(buf, HEADER_SIZE));
-
     // Write the footer (twice: at the beginning and at the end)
     block_size = 0x200000;
     num_bat_entries = (total_sectors + block_size / 512) / (block_size / 512);
@@ -624,7 +595,6 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
         }
     }
 
-
     // Prepare the Dynamic Disk Header
     memset(buf, 0, 1024);
 
@@ -653,6 +623,132 @@ static int vpc_create(const char *filename, QEMUOptionParameter *options)
     ret = 0;
 
  fail:
+    return ret;
+}
+
+static int create_fixed_disk(int fd, uint8_t *buf, int64_t total_size)
+{
+    int ret = -EIO;
+
+    /* Add footer to total size */
+    total_size += 512;
+    if (ftruncate(fd, total_size) != 0) {
+        ret = -errno;
+        goto fail;
+    }
+    if (lseek(fd, -512, SEEK_END) < 0) {
+        goto fail;
+    }
+    if (write(fd, buf, HEADER_SIZE) != HEADER_SIZE) {
+        goto fail;
+    }
+
+    ret = 0;
+
+ fail:
+    return ret;
+}
+
+static int vpc_create(const char *filename, QEMUOptionParameter *options)
+{
+    uint8_t buf[1024];
+    struct vhd_footer *footer = (struct vhd_footer *) buf;
+    QEMUOptionParameter *disk_type_param;
+    int fd, i;
+    uint16_t cyls = 0;
+    uint8_t heads = 0;
+    uint8_t secs_per_cyl = 0;
+    int64_t total_sectors;
+    int64_t total_size;
+    int disk_type;
+    int ret = -EIO;
+
+    /* Read out options */
+    total_size = get_option_parameter(options, BLOCK_OPT_SIZE)->value.n;
+
+    disk_type_param = get_option_parameter(options, BLOCK_OPT_SUBFMT);
+    if (disk_type_param && disk_type_param->value.s) {
+        if (!strcmp(disk_type_param->value.s, "dynamic")) {
+            disk_type = VHD_DYNAMIC;
+        } else if (!strcmp(disk_type_param->value.s, "fixed")) {
+            disk_type = VHD_FIXED;
+        } else {
+            return -EINVAL;
+        }
+    } else {
+        disk_type = VHD_DYNAMIC;
+    }
+
+    /* Create the file */
+    fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, 0644);
+    if (fd < 0) {
+        return -EIO;
+    }
+
+    total_sectors = total_size / BDRV_SECTOR_SIZE;
+    if (disk_type == VHD_DYNAMIC) {
+        /* Calculate matching total_size and geometry. Increase the number of
+           sectors requested until we get enough (or fail). */
+        for (i = 0; total_sectors > (int64_t)cyls * heads * secs_per_cyl;
+             i++) {
+            if (calculate_geometry(total_sectors + i,
+                                   &cyls, &heads, &secs_per_cyl)) {
+                ret = -EFBIG;
+                goto fail;
+            }
+        }
+    } else {
+        if (calculate_geometry(total_sectors, &cyls, &heads, &secs_per_cyl)) {
+            ret = -EFBIG;
+            goto fail;
+        }
+    }
+    total_sectors = (int64_t) cyls * heads * secs_per_cyl;
+
+    /* Prepare the Hard Disk Footer */
+    memset(buf, 0, 1024);
+
+    memcpy(footer->creator, "conectix", 8);
+    /* TODO Check if "qemu" creator_app is ok for VPC */
+    memcpy(footer->creator_app, "qemu", 4);
+    memcpy(footer->creator_os, "Wi2k", 4);
+
+    footer->features = be32_to_cpu(0x02);
+    footer->version = be32_to_cpu(0x00010000);
+    if (disk_type == VHD_DYNAMIC) {
+        footer->data_offset = be64_to_cpu(HEADER_SIZE);
+    } else {
+        footer->data_offset = be64_to_cpu(0xFFFFFFFFFFFFFFFFULL);
+    }
+    footer->timestamp = be32_to_cpu(time(NULL) - VHD_TIMESTAMP_BASE);
+
+    /* Version of Virtual PC 2007 */
+    footer->major = be16_to_cpu(0x0005);
+    footer->minor = be16_to_cpu(0x0003);
+    if (disk_type == VHD_DYNAMIC) {
+        footer->orig_size = be64_to_cpu(total_sectors * 512);
+        footer->size = be64_to_cpu(total_sectors * 512);
+    } else {
+        footer->orig_size = be64_to_cpu(total_size);
+        footer->size = be64_to_cpu(total_size);
+    }
+    footer->cyls = be16_to_cpu(cyls);
+    footer->heads = heads;
+    footer->secs_per_cyl = secs_per_cyl;
+
+    footer->type = be32_to_cpu(disk_type);
+
+    /* TODO uuid is missing */
+
+    footer->checksum = be32_to_cpu(vpc_checksum(buf, HEADER_SIZE));
+
+    if (disk_type == VHD_DYNAMIC) {
+        ret = create_dynamic_disk(fd, buf, total_sectors);
+    } else {
+        ret = create_fixed_disk(fd, buf, total_size);
+    }
+
+ fail:
     close(fd);
     return ret;
 }
@@ -675,6 +771,13 @@ static QEMUOptionParameter vpc_create_options[] = {
         .type = OPT_SIZE,
         .help = "Virtual disk size"
     },
+    {
+        .name = BLOCK_OPT_SUBFMT,
+        .type = OPT_STRING,
+        .help =
+            "Type of virtual hard disk format. Supported formats are "
+            "{dynamic (default) | fixed} "
+    },
     { NULL }
 };
 
commit f9dadc9855ae1554a98c53a10a3a962859992865
Author: Ronnie Sahlberg <ronniesahlberg at gmail.com>
Date:   Thu Jan 26 09:39:02 2012 +1100

    iSCSI: add configuration variables for iSCSI
    
    This patch adds configuration variables for iSCSI to set
    initiator-name to use when logging in to the target,
    which type of header-digest to negotiate with the target
    and username and password for CHAP authentication.
    
    This allows specifying a initiator-name either from the command line
    -iscsi initiator-name=iqn.2004-01.com.example:test
    or from a configuration file included with -readconfig
        [iscsi]
          initiator-name = iqn.2004-01.com.example:test
          header-digest = CRC32C|CRC32C-NONE|NONE-CRC32C|NONE
          user = CHAP username
          password = CHAP password
    
    If you use several different targets, you can also configure this on a per
    target basis by using a group name:
        [iscsi "iqn.target.name"]
        ...
    
    The configuration file can be read using -readconfig.
    Example :
    qemu-system-i386 -drive file=iscsi://127.0.0.1/iqn.ronnie.test/1
     -readconfig iscsi.conf
    
    Signed-off-by: Ronnie Sahlberg <ronniesahlberg at gmail.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/iscsi.c b/block/iscsi.c
index 938c568..bd3ca11 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -455,6 +455,109 @@ iscsi_connect_cb(struct iscsi_context *iscsi, int status, void *command_data,
     }
 }
 
+static int parse_chap(struct iscsi_context *iscsi, const char *target)
+{
+    QemuOptsList *list;
+    QemuOpts *opts;
+    const char *user = NULL;
+    const char *password = NULL;
+
+    list = qemu_find_opts("iscsi");
+    if (!list) {
+        return 0;
+    }
+
+    opts = qemu_opts_find(list, target);
+    if (opts == NULL) {
+        opts = QTAILQ_FIRST(&list->head);
+        if (!opts) {
+            return 0;
+        }
+    }
+
+    user = qemu_opt_get(opts, "user");
+    if (!user) {
+        return 0;
+    }
+
+    password = qemu_opt_get(opts, "password");
+    if (!password) {
+        error_report("CHAP username specified but no password was given");
+        return -1;
+    }
+
+    if (iscsi_set_initiator_username_pwd(iscsi, user, password)) {
+        error_report("Failed to set initiator username and password");
+        return -1;
+    }
+
+    return 0;
+}
+
+static void parse_header_digest(struct iscsi_context *iscsi, const char *target)
+{
+    QemuOptsList *list;
+    QemuOpts *opts;
+    const char *digest = NULL;
+
+    list = qemu_find_opts("iscsi");
+    if (!list) {
+        return;
+    }
+
+    opts = qemu_opts_find(list, target);
+    if (opts == NULL) {
+        opts = QTAILQ_FIRST(&list->head);
+        if (!opts) {
+            return;
+        }
+    }
+
+    digest = qemu_opt_get(opts, "header-digest");
+    if (!digest) {
+        return;
+    }
+
+    if (!strcmp(digest, "CRC32C")) {
+        iscsi_set_header_digest(iscsi, ISCSI_HEADER_DIGEST_CRC32C);
+    } else if (!strcmp(digest, "NONE")) {
+        iscsi_set_header_digest(iscsi, ISCSI_HEADER_DIGEST_NONE);
+    } else if (!strcmp(digest, "CRC32C-NONE")) {
+        iscsi_set_header_digest(iscsi, ISCSI_HEADER_DIGEST_CRC32C_NONE);
+    } else if (!strcmp(digest, "NONE-CRC32C")) {
+        iscsi_set_header_digest(iscsi, ISCSI_HEADER_DIGEST_NONE_CRC32C);
+    } else {
+        error_report("Invalid header-digest setting : %s", digest);
+    }
+}
+
+static char *parse_initiator_name(const char *target)
+{
+    QemuOptsList *list;
+    QemuOpts *opts;
+    const char *name = NULL;
+
+    list = qemu_find_opts("iscsi");
+    if (!list) {
+        return g_strdup("iqn.2008-11.org.linux-kvm");
+    }
+
+    opts = qemu_opts_find(list, target);
+    if (opts == NULL) {
+        opts = QTAILQ_FIRST(&list->head);
+        if (!opts) {
+            return g_strdup("iqn.2008-11.org.linux-kvm");
+        }
+    }
+
+    name = qemu_opt_get(opts, "initiator-name");
+    if (!name) {
+        return g_strdup("iqn.2008-11.org.linux-kvm");
+    }
+
+    return g_strdup(name);
+}
+
 /*
  * We support iscsi url's on the form
  * iscsi://[<username>%<password>@]<host>[:<port>]/<targetname>/<lun>
@@ -465,6 +568,7 @@ static int iscsi_open(BlockDriverState *bs, const char *filename, int flags)
     struct iscsi_context *iscsi = NULL;
     struct iscsi_url *iscsi_url = NULL;
     struct IscsiTask task;
+    char *initiator_name = NULL;
     int ret;
 
     if ((BDRV_SECTOR_SIZE % 512) != 0) {
@@ -474,16 +578,6 @@ static int iscsi_open(BlockDriverState *bs, const char *filename, int flags)
         return -EINVAL;
     }
 
-    memset(iscsilun, 0, sizeof(IscsiLun));
-
-    /* Should really append the KVM name after the ':' here */
-    iscsi = iscsi_create_context("iqn.2008-11.org.linux-kvm:");
-    if (iscsi == NULL) {
-        error_report("iSCSI: Failed to create iSCSI context.");
-        ret = -ENOMEM;
-        goto failed;
-    }
-
     iscsi_url = iscsi_parse_full_url(iscsi, filename);
     if (iscsi_url == NULL) {
         error_report("Failed to parse URL : %s %s", filename,
@@ -492,6 +586,17 @@ static int iscsi_open(BlockDriverState *bs, const char *filename, int flags)
         goto failed;
     }
 
+    memset(iscsilun, 0, sizeof(IscsiLun));
+
+    initiator_name = parse_initiator_name(iscsi_url->target);
+
+    iscsi = iscsi_create_context(initiator_name);
+    if (iscsi == NULL) {
+        error_report("iSCSI: Failed to create iSCSI context.");
+        ret = -ENOMEM;
+        goto failed;
+    }
+
     if (iscsi_set_targetname(iscsi, iscsi_url->target)) {
         error_report("iSCSI: Failed to set target name.");
         ret = -EINVAL;
@@ -507,6 +612,14 @@ static int iscsi_open(BlockDriverState *bs, const char *filename, int flags)
             goto failed;
         }
     }
+
+    /* check if we got CHAP username/password via the options */
+    if (parse_chap(iscsi, iscsi_url->target) != 0) {
+        error_report("iSCSI: Failed to set CHAP user/password");
+        ret = -EINVAL;
+        goto failed;
+    }
+
     if (iscsi_set_session_type(iscsi, ISCSI_SESSION_NORMAL) != 0) {
         error_report("iSCSI: Failed to set session type to normal.");
         ret = -EINVAL;
@@ -515,6 +628,9 @@ static int iscsi_open(BlockDriverState *bs, const char *filename, int flags)
 
     iscsi_set_header_digest(iscsi, ISCSI_HEADER_DIGEST_NONE_CRC32C);
 
+    /* check if we got HEADER_DIGEST via the options */
+    parse_header_digest(iscsi, iscsi_url->target);
+
     task.iscsilun = iscsilun;
     task.status = 0;
     task.complete = 0;
@@ -548,6 +664,9 @@ static int iscsi_open(BlockDriverState *bs, const char *filename, int flags)
     return 0;
 
 failed:
+    if (initiator_name != NULL) {
+        g_free(initiator_name);
+    }
     if (iscsi_url != NULL) {
         iscsi_destroy_url(iscsi_url);
     }
diff --git a/qemu-config.c b/qemu-config.c
index b030205..e980fd6 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -118,6 +118,32 @@ static QemuOptsList qemu_drive_opts = {
     },
 };
 
+static QemuOptsList qemu_iscsi_opts = {
+    .name = "iscsi",
+    .head = QTAILQ_HEAD_INITIALIZER(qemu_iscsi_opts.head),
+    .desc = {
+        {
+            .name = "user",
+            .type = QEMU_OPT_STRING,
+            .help = "username for CHAP authentication to target",
+        },{
+            .name = "password",
+            .type = QEMU_OPT_STRING,
+            .help = "password for CHAP authentication to target",
+        },{
+            .name = "header-digest",
+            .type = QEMU_OPT_STRING,
+            .help = "HeaderDigest setting. "
+                    "{CRC32C|CRC32C-NONE|NONE-CRC32C|NONE}",
+        },{
+            .name = "initiator-name",
+            .type = QEMU_OPT_STRING,
+            .help = "Initiator iqn name to use when connecting",
+        },
+        { /* end of list */ }
+    },
+};
+
 static QemuOptsList qemu_chardev_opts = {
     .name = "chardev",
     .implied_opt_name = "backend",
@@ -580,6 +606,7 @@ static QemuOptsList *vm_config_groups[32] = {
     &qemu_option_rom_opts,
     &qemu_machine_opts,
     &qemu_boot_opts,
+    &qemu_iscsi_opts,
     NULL,
 };
 
diff --git a/qemu-doc.texi b/qemu-doc.texi
index 11f4166..83b2ad5 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -730,6 +730,57 @@ export LIBISCSI_CHAP_PASSWORD=<password>
 iscsi://<host>/<target-iqn-name>/<lun>
 @end example
 
+Various session related parameters can be set via special options, either
+in a configuration file provided via '-readconfig' or directly on the
+command line.
+
+ at example
+Setting a specific initiator name to use when logging in to the target
+-iscsi initiator-name=iqn.qemu.test:my-initiator
+ at end example
+
+ at example
+Controlling which type of header digest to negotiate with the target
+-iscsi header-digest=CRC32C|CRC32C-NONE|NONE-CRC32C|NONE
+ at end example
+
+These can also be set via a configuration file
+ at example
+[iscsi]
+  user = "CHAP username"
+  password = "CHAP password"
+  initiator-name = "iqn.qemu.test:my-initiator"
+  # header digest is one of CRC32C|CRC32C-NONE|NONE-CRC32C|NONE
+  header-digest = "CRC32C"
+ at end example
+
+
+Setting the target name allows different options for different targets
+ at example
+[iscsi "iqn.target.name"]
+  user = "CHAP username"
+  password = "CHAP password"
+  initiator-name = "iqn.qemu.test:my-initiator"
+  # header digest is one of CRC32C|CRC32C-NONE|NONE-CRC32C|NONE
+  header-digest = "CRC32C"
+ at end example
+
+
+Howto use a configuration file to set iSCSI configuration options:
+ at example
+cat >iscsi.conf <<EOF
+[iscsi]
+  user = "me"
+  password = "my password"
+  initiator-name = "iqn.qemu.test:my-initiator"
+  header-digest = "CRC32C"
+EOF
+
+qemu-system-i386 -drive file=iscsi://127.0.0.1/iqn.qemu.test/1 \
+    -readconfig iscsi.conf
+ at end example
+
+
 Howto set up a simple iSCSI target on loopback and accessing it via QEMU:
 @example
 This example shows how to set up an iSCSI target with one CDROM and one DISK
@@ -744,7 +795,8 @@ tgtadm --lld iscsi --mode logicalunit --op new --tid 1 --lun 2 \
     -b /IMAGES/cd.iso --device-type=cd
 tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL
 
-qemu-system-i386 -boot d -drive file=iscsi://127.0.0.1/iqn.qemu.test/1 \
+qemu-system-i386 -iscsi initiator-name=iqn.qemu.test:my-initiator \
+    -boot d -drive file=iscsi://127.0.0.1/iqn.qemu.test/1 \
     -cdrom iscsi://127.0.0.1/iqn.qemu.test/2
 @end example
 
diff --git a/qemu-options.hx b/qemu-options.hx
index f577cc8..42d22ae 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -1829,24 +1829,32 @@ Syntax for specifying iSCSI LUNs is
 
 Example (without authentication):
 @example
-qemu -cdrom iscsi://192.0.2.1/iqn.2001-04.com.example/2 \
---drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
+qemu -iscsi initiator-name=iqn.2001-04.com.example:my-initiator \
+-cdrom iscsi://192.0.2.1/iqn.2001-04.com.example/2 \
+-drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
 @end example
 
 Example (CHAP username/password via URL):
 @example
-qemu --drive file=iscsi://user%password@@192.0.2.1/iqn.2001-04.com.example/1
+qemu -drive file=iscsi://user%password@@192.0.2.1/iqn.2001-04.com.example/1
 @end example
 
 Example (CHAP username/password via environment variables):
 @example
 LIBISCSI_CHAP_USERNAME="user" \
 LIBISCSI_CHAP_PASSWORD="password" \
-qemu --drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
+qemu -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
 @end example
 
 iSCSI support is an optional feature of QEMU and only available when
 compiled and linked against libiscsi.
+ETEXI
+DEF("iscsi", HAS_ARG, QEMU_OPTION_iscsi,
+    "-iscsi [user=user][,password=password]\n"
+    "       [,header-digest=CRC32C|CR32C-NONE|NONE-CRC32C|NONE\n"
+    "       [,initiator-name=iqn]\n"
+    "                iSCSI session parameters\n", QEMU_ARCH_ALL)
+STEXI
 
 @item NBD
 QEMU supports NBD (Network Block Devices) both using TCP protocol as well
diff --git a/vl.c b/vl.c
index 63dd725..0c66071 100644
--- a/vl.c
+++ b/vl.c
@@ -2529,6 +2529,14 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
                 }
                 break;
+#ifdef CONFIG_LIBISCSI
+            case QEMU_OPTION_iscsi:
+                opts = qemu_opts_parse(qemu_find_opts("iscsi"), optarg, 0);
+                if (!opts) {
+                    exit(1);
+                }
+                break;
+#endif
 #ifdef CONFIG_SLIRP
             case QEMU_OPTION_tftp:
                 legacy_tftp_prefix = optarg;
commit 71b58b82dac1e1dc5e08a005a14bbcafecbd9e2a
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Feb 7 13:27:29 2012 +0000

    qemu-io: add write -z option for bdrv_co_write_zeroes
    
    Extend the qemu-io write command with the -z option to call
    bdrv_co_write_zeroes().  Exposing the zero write interface from qemu-io
    allows us to write tests that exercise this new block layer interface.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/qemu-io.c b/qemu-io.c
index d4a5fcb..0249be4 100644
--- a/qemu-io.c
+++ b/qemu-io.c
@@ -218,6 +218,51 @@ static int do_pwrite(char *buf, int64_t offset, int count, int *total)
     return 1;
 }
 
+typedef struct {
+    int64_t offset;
+    int count;
+    int *total;
+    int ret;
+    bool done;
+} CoWriteZeroes;
+
+static void coroutine_fn co_write_zeroes_entry(void *opaque)
+{
+    CoWriteZeroes *data = opaque;
+
+    data->ret = bdrv_co_write_zeroes(bs, data->offset / BDRV_SECTOR_SIZE,
+                                     data->count / BDRV_SECTOR_SIZE);
+    data->done = true;
+    if (data->ret < 0) {
+        *data->total = data->ret;
+        return;
+    }
+
+    *data->total = data->count;
+}
+
+static int do_co_write_zeroes(int64_t offset, int count, int *total)
+{
+    Coroutine *co;
+    CoWriteZeroes data = {
+        .offset = offset,
+        .count  = count,
+        .total  = total,
+        .done   = false,
+    };
+
+    co = qemu_coroutine_create(co_write_zeroes_entry);
+    qemu_coroutine_enter(co, &data);
+    while (!data.done) {
+        qemu_aio_wait();
+    }
+    if (data.ret < 0) {
+        return data.ret;
+    } else {
+        return 1;
+    }
+}
+
 static int do_load_vmstate(char *buf, int64_t offset, int count, int *total)
 {
     *total = bdrv_load_vmstate(bs, (uint8_t *)buf, offset, count);
@@ -643,6 +688,7 @@ static void write_help(void)
 " -P, -- use different pattern to fill file\n"
 " -C, -- report statistics in a machine parsable format\n"
 " -q, -- quiet mode, do not show I/O statistics\n"
+" -z, -- write zeroes using bdrv_co_write_zeroes\n"
 "\n");
 }
 
@@ -654,7 +700,7 @@ static const cmdinfo_t write_cmd = {
     .cfunc      = write_f,
     .argmin     = 2,
     .argmax     = -1,
-    .args       = "[-abCpq] [-P pattern ] off len",
+    .args       = "[-bCpqz] [-P pattern ] off len",
     .oneline    = "writes a number of bytes at a specified offset",
     .help       = write_help,
 };
@@ -662,16 +708,16 @@ static const cmdinfo_t write_cmd = {
 static int write_f(int argc, char **argv)
 {
     struct timeval t1, t2;
-    int Cflag = 0, pflag = 0, qflag = 0, bflag = 0;
+    int Cflag = 0, pflag = 0, qflag = 0, bflag = 0, Pflag = 0, zflag = 0;
     int c, cnt;
-    char *buf;
+    char *buf = NULL;
     int64_t offset;
     int count;
     /* Some compilers get confused and warn if this is not initialized.  */
     int total = 0;
     int pattern = 0xcd;
 
-    while ((c = getopt(argc, argv, "bCpP:q")) != EOF) {
+    while ((c = getopt(argc, argv, "bCpP:qz")) != EOF) {
         switch (c) {
         case 'b':
             bflag = 1;
@@ -683,6 +729,7 @@ static int write_f(int argc, char **argv)
             pflag = 1;
             break;
         case 'P':
+            Pflag = 1;
             pattern = parse_pattern(optarg);
             if (pattern < 0) {
                 return 0;
@@ -691,6 +738,9 @@ static int write_f(int argc, char **argv)
         case 'q':
             qflag = 1;
             break;
+        case 'z':
+            zflag = 1;
+            break;
         default:
             return command_usage(&write_cmd);
         }
@@ -700,8 +750,13 @@ static int write_f(int argc, char **argv)
         return command_usage(&write_cmd);
     }
 
-    if (bflag && pflag) {
-        printf("-b and -p cannot be specified at the same time\n");
+    if (bflag + pflag + zflag > 1) {
+        printf("-b, -p, or -z cannot be specified at the same time\n");
+        return 0;
+    }
+
+    if (zflag && Pflag) {
+        printf("-z and -P cannot be specified at the same time\n");
         return 0;
     }
 
@@ -732,13 +787,17 @@ static int write_f(int argc, char **argv)
         }
     }
 
-    buf = qemu_io_alloc(count, pattern);
+    if (!zflag) {
+        buf = qemu_io_alloc(count, pattern);
+    }
 
     gettimeofday(&t1, NULL);
     if (pflag) {
         cnt = do_pwrite(buf, offset, count, &total);
     } else if (bflag) {
         cnt = do_save_vmstate(buf, offset, count, &total);
+    } else if (zflag) {
+        cnt = do_co_write_zeroes(offset, count, &total);
     } else {
         cnt = do_write(buf, offset, count, &total);
     }
@@ -758,7 +817,9 @@ static int write_f(int argc, char **argv)
     print_report("wrote", &t2, offset, count, total, cnt, Cflag);
 
 out:
-    qemu_io_free(buf);
+    if (!zflag) {
+        qemu_io_free(buf);
+    }
 
     return 0;
 }
commit 0e71be1932adfad27d564675f89a468fc8b92b1f
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Feb 7 13:27:28 2012 +0000

    qed: add .bdrv_co_write_zeroes() support
    
    Zero writes are a dedicated interface for writing regions of zeroes into
    the image file.  If clusters are not yet allocated it is possible to use
    an efficient metadata representation which keeps the image file compact
    and does not store individual zero bytes.
    
    Implementing this for the QED image format is fairly straightforward.
    The only issue is that when a zero write touches an existing cluster we
    have to allocate a bounce buffer and perform a regular write.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qed.c b/block/qed.c
index b66dd17..a041d31 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -875,6 +875,12 @@ static void qed_aio_complete(QEDAIOCB *acb, int ret)
     qemu_iovec_destroy(&acb->cur_qiov);
     qed_unref_l2_cache_entry(acb->request.l2_table);
 
+    /* Free the buffer we may have allocated for zero writes */
+    if (acb->flags & QED_AIOCB_ZERO) {
+        qemu_vfree(acb->qiov->iov[0].iov_base);
+        acb->qiov->iov[0].iov_base = NULL;
+    }
+
     /* Arrange for a bh to invoke the completion function */
     acb->bh_ret = ret;
     acb->bh = qemu_bh_new(qed_aio_complete_bh, acb);
@@ -941,9 +947,8 @@ static void qed_aio_write_l1_update(void *opaque, int ret)
 /**
  * Update L2 table with new cluster offsets and write them out
  */
-static void qed_aio_write_l2_update(void *opaque, int ret)
+static void qed_aio_write_l2_update(QEDAIOCB *acb, int ret, uint64_t offset)
 {
-    QEDAIOCB *acb = opaque;
     BDRVQEDState *s = acb_to_s(acb);
     bool need_alloc = acb->find_cluster_ret == QED_CLUSTER_L1;
     int index;
@@ -959,7 +964,7 @@ static void qed_aio_write_l2_update(void *opaque, int ret)
 
     index = qed_l2_index(s, acb->cur_pos);
     qed_update_l2_table(s, acb->request.l2_table->table, index, acb->cur_nclusters,
-                         acb->cur_cluster);
+                         offset);
 
     if (need_alloc) {
         /* Write out the whole new L2 table */
@@ -976,6 +981,12 @@ err:
     qed_aio_complete(acb, ret);
 }
 
+static void qed_aio_write_l2_update_cb(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+    qed_aio_write_l2_update(acb, ret, acb->cur_cluster);
+}
+
 /**
  * Flush new data clusters before updating the L2 table
  *
@@ -990,7 +1001,7 @@ static void qed_aio_write_flush_before_l2_update(void *opaque, int ret)
     QEDAIOCB *acb = opaque;
     BDRVQEDState *s = acb_to_s(acb);
 
-    if (!bdrv_aio_flush(s->bs->file, qed_aio_write_l2_update, opaque)) {
+    if (!bdrv_aio_flush(s->bs->file, qed_aio_write_l2_update_cb, opaque)) {
         qed_aio_complete(acb, -EIO);
     }
 }
@@ -1019,7 +1030,7 @@ static void qed_aio_write_main(void *opaque, int ret)
         if (s->bs->backing_hd) {
             next_fn = qed_aio_write_flush_before_l2_update;
         } else {
-            next_fn = qed_aio_write_l2_update;
+            next_fn = qed_aio_write_l2_update_cb;
         }
     }
 
@@ -1081,6 +1092,18 @@ static bool qed_should_set_need_check(BDRVQEDState *s)
     return !(s->header.features & QED_F_NEED_CHECK);
 }
 
+static void qed_aio_write_zero_cluster(void *opaque, int ret)
+{
+    QEDAIOCB *acb = opaque;
+
+    if (ret) {
+        qed_aio_complete(acb, ret);
+        return;
+    }
+
+    qed_aio_write_l2_update(acb, 0, 1);
+}
+
 /**
  * Write new data cluster
  *
@@ -1092,6 +1115,7 @@ static bool qed_should_set_need_check(BDRVQEDState *s)
 static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
 {
     BDRVQEDState *s = acb_to_s(acb);
+    BlockDriverCompletionFunc *cb;
 
     /* Cancel timer when the first allocating request comes in */
     if (QSIMPLEQ_EMPTY(&s->allocating_write_reqs)) {
@@ -1109,14 +1133,26 @@ static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
 
     acb->cur_nclusters = qed_bytes_to_clusters(s,
             qed_offset_into_cluster(s, acb->cur_pos) + len);
-    acb->cur_cluster = qed_alloc_clusters(s, acb->cur_nclusters);
     qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
 
+    if (acb->flags & QED_AIOCB_ZERO) {
+        /* Skip ahead if the clusters are already zero */
+        if (acb->find_cluster_ret == QED_CLUSTER_ZERO) {
+            qed_aio_next_io(acb, 0);
+            return;
+        }
+
+        cb = qed_aio_write_zero_cluster;
+    } else {
+        cb = qed_aio_write_prefill;
+        acb->cur_cluster = qed_alloc_clusters(s, acb->cur_nclusters);
+    }
+
     if (qed_should_set_need_check(s)) {
         s->header.features |= QED_F_NEED_CHECK;
-        qed_write_header(s, qed_aio_write_prefill, acb);
+        qed_write_header(s, cb, acb);
     } else {
-        qed_aio_write_prefill(acb, 0);
+        cb(acb, 0);
     }
 }
 
@@ -1131,6 +1167,16 @@ static void qed_aio_write_alloc(QEDAIOCB *acb, size_t len)
  */
 static void qed_aio_write_inplace(QEDAIOCB *acb, uint64_t offset, size_t len)
 {
+    /* Allocate buffer for zero writes */
+    if (acb->flags & QED_AIOCB_ZERO) {
+        struct iovec *iov = acb->qiov->iov;
+
+        if (!iov->iov_base) {
+            iov->iov_base = qemu_blockalign(acb->common.bs, iov->iov_len);
+            memset(iov->iov_base, 0, iov->iov_len);
+        }
+    }
+
     /* Calculate the I/O vector */
     acb->cur_cluster = offset;
     qemu_iovec_copy(&acb->cur_qiov, acb->qiov, acb->qiov_offset, len);
@@ -1311,6 +1357,53 @@ static BlockDriverAIOCB *bdrv_qed_aio_flush(BlockDriverState *bs,
     return bdrv_aio_flush(bs->file, cb, opaque);
 }
 
+typedef struct {
+    Coroutine *co;
+    int ret;
+    bool done;
+} QEDWriteZeroesCB;
+
+static void coroutine_fn qed_co_write_zeroes_cb(void *opaque, int ret)
+{
+    QEDWriteZeroesCB *cb = opaque;
+
+    cb->done = true;
+    cb->ret = ret;
+    if (cb->co) {
+        qemu_coroutine_enter(cb->co, NULL);
+    }
+}
+
+static int coroutine_fn bdrv_qed_co_write_zeroes(BlockDriverState *bs,
+                                                 int64_t sector_num,
+                                                 int nb_sectors)
+{
+    BlockDriverAIOCB *blockacb;
+    QEDWriteZeroesCB cb = { .done = false };
+    QEMUIOVector qiov;
+    struct iovec iov;
+
+    /* Zero writes start without an I/O buffer.  If a buffer becomes necessary
+     * then it will be allocated during request processing.
+     */
+    iov.iov_base = NULL,
+    iov.iov_len  = nb_sectors * BDRV_SECTOR_SIZE,
+
+    qemu_iovec_init_external(&qiov, &iov, 1);
+    blockacb = qed_aio_setup(bs, sector_num, &qiov, nb_sectors,
+                             qed_co_write_zeroes_cb, &cb,
+                             QED_AIOCB_WRITE | QED_AIOCB_ZERO);
+    if (!blockacb) {
+        return -EIO;
+    }
+    if (!cb.done) {
+        cb.co = qemu_coroutine_self();
+        qemu_coroutine_yield();
+    }
+    assert(cb.done);
+    return cb.ret;
+}
+
 static int bdrv_qed_truncate(BlockDriverState *bs, int64_t offset)
 {
     BDRVQEDState *s = bs->opaque;
@@ -1470,6 +1563,7 @@ static BlockDriver bdrv_qed = {
     .bdrv_aio_readv           = bdrv_qed_aio_readv,
     .bdrv_aio_writev          = bdrv_qed_aio_writev,
     .bdrv_aio_flush           = bdrv_qed_aio_flush,
+    .bdrv_co_write_zeroes     = bdrv_qed_co_write_zeroes,
     .bdrv_truncate            = bdrv_qed_truncate,
     .bdrv_getlength           = bdrv_qed_getlength,
     .bdrv_get_info            = bdrv_qed_get_info,
diff --git a/block/qed.h b/block/qed.h
index abed147..62624a1 100644
--- a/block/qed.h
+++ b/block/qed.h
@@ -125,6 +125,7 @@ typedef struct QEDRequest {
 
 enum {
     QED_AIOCB_WRITE = 0x0001,       /* read or write? */
+    QED_AIOCB_ZERO  = 0x0002,       /* zero write, used with QED_AIOCB_WRITE */
 };
 
 typedef struct QEDAIOCB {
commit 6e4f59bd0d69f0a7aa4010b49a5c49a01987b9d8
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Feb 7 13:27:27 2012 +0000

    qed: replace is_write with flags field
    
    Per-request attributes like read/write are currently implemented as bool
    fields in the QEDAIOCB struct.  This becomes unwiedly as the number of
    attributes grows.  For example, the qed_aio_setup() function would have
    to take multiple bool arguments and at call sites it would be hard to
    distinguish the meaning of each bool.
    
    Instead use a flags field with bitmask constants.  This will be used
    when zero write support is added.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block/qed.c b/block/qed.c
index 8da3ebe..b66dd17 100644
--- a/block/qed.c
+++ b/block/qed.c
@@ -1233,8 +1233,8 @@ static void qed_aio_next_io(void *opaque, int ret)
 {
     QEDAIOCB *acb = opaque;
     BDRVQEDState *s = acb_to_s(acb);
-    QEDFindClusterFunc *io_fn =
-        acb->is_write ? qed_aio_write_data : qed_aio_read_data;
+    QEDFindClusterFunc *io_fn = (acb->flags & QED_AIOCB_WRITE) ?
+                                qed_aio_write_data : qed_aio_read_data;
 
     trace_qed_aio_next_io(s, acb, ret, acb->cur_pos + acb->cur_qiov.size);
 
@@ -1264,14 +1264,14 @@ static BlockDriverAIOCB *qed_aio_setup(BlockDriverState *bs,
                                        int64_t sector_num,
                                        QEMUIOVector *qiov, int nb_sectors,
                                        BlockDriverCompletionFunc *cb,
-                                       void *opaque, bool is_write)
+                                       void *opaque, int flags)
 {
     QEDAIOCB *acb = qemu_aio_get(&qed_aio_pool, bs, cb, opaque);
 
     trace_qed_aio_setup(bs->opaque, acb, sector_num, nb_sectors,
-                         opaque, is_write);
+                        opaque, flags);
 
-    acb->is_write = is_write;
+    acb->flags = flags;
     acb->finished = NULL;
     acb->qiov = qiov;
     acb->qiov_offset = 0;
@@ -1291,7 +1291,7 @@ static BlockDriverAIOCB *bdrv_qed_aio_readv(BlockDriverState *bs,
                                             BlockDriverCompletionFunc *cb,
                                             void *opaque)
 {
-    return qed_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, false);
+    return qed_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, 0);
 }
 
 static BlockDriverAIOCB *bdrv_qed_aio_writev(BlockDriverState *bs,
@@ -1300,7 +1300,8 @@ static BlockDriverAIOCB *bdrv_qed_aio_writev(BlockDriverState *bs,
                                              BlockDriverCompletionFunc *cb,
                                              void *opaque)
 {
-    return qed_aio_setup(bs, sector_num, qiov, nb_sectors, cb, opaque, true);
+    return qed_aio_setup(bs, sector_num, qiov, nb_sectors, cb,
+                         opaque, QED_AIOCB_WRITE);
 }
 
 static BlockDriverAIOCB *bdrv_qed_aio_flush(BlockDriverState *bs,
diff --git a/block/qed.h b/block/qed.h
index 62cbd3b..abed147 100644
--- a/block/qed.h
+++ b/block/qed.h
@@ -123,12 +123,16 @@ typedef struct QEDRequest {
     CachedL2Table *l2_table;
 } QEDRequest;
 
+enum {
+    QED_AIOCB_WRITE = 0x0001,       /* read or write? */
+};
+
 typedef struct QEDAIOCB {
     BlockDriverAIOCB common;
     QEMUBH *bh;
     int bh_ret;                     /* final return status for completion bh */
     QSIMPLEQ_ENTRY(QEDAIOCB) next;  /* next request */
-    bool is_write;                  /* false - read, true - write */
+    int flags;                      /* QED_AIOCB_* bits ORed together */
     bool *finished;                 /* signal for cancel completion */
     uint64_t end_pos;               /* request end on block device, in bytes */
 
diff --git a/trace-events b/trace-events
index 3372087..9b26ce2 100644
--- a/trace-events
+++ b/trace-events
@@ -321,7 +321,7 @@ qed_need_check_timer_cb(void *s) "s %p"
 qed_start_need_check_timer(void *s) "s %p"
 qed_cancel_need_check_timer(void *s) "s %p"
 qed_aio_complete(void *s, void *acb, int ret) "s %p acb %p ret %d"
-qed_aio_setup(void *s, void *acb, int64_t sector_num, int nb_sectors, void *opaque, int is_write) "s %p acb %p sector_num %"PRId64" nb_sectors %d opaque %p is_write %d"
+qed_aio_setup(void *s, void *acb, int64_t sector_num, int nb_sectors, void *opaque, int flags) "s %p acb %p sector_num %"PRId64" nb_sectors %d opaque %p flags %#x"
 qed_aio_next_io(void *s, void *acb, int ret, uint64_t cur_pos) "s %p acb %p ret %d cur_pos %"PRIu64
 qed_aio_read_data(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
 qed_aio_write_data(void *s, void *acb, int ret, uint64_t offset, size_t len) "s %p acb %p ret %d offset %"PRIu64" len %zu"
commit 79c053bde9fa40595670ae274d047da07f1df88c
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Feb 7 13:27:26 2012 +0000

    block: perform zero-detection during copy-on-read
    
    Copy-on-Read populates the image file with data read from a backing
    image.  In order to avoid bloating the image file when all zeroes are
    read we should scan the buffer and perform an optimized zero write
    operation.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index c9fa5c1..ae297bb 100644
--- a/block.c
+++ b/block.c
@@ -1517,6 +1517,7 @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BlockDriverState *bs,
      */
     void *bounce_buffer;
 
+    BlockDriver *drv = bs->drv;
     struct iovec iov;
     QEMUIOVector bounce_qiov;
     int64_t cluster_sector_num;
@@ -1537,14 +1538,21 @@ static int coroutine_fn bdrv_co_do_copy_on_readv(BlockDriverState *bs,
     iov.iov_base = bounce_buffer = qemu_blockalign(bs, iov.iov_len);
     qemu_iovec_init_external(&bounce_qiov, &iov, 1);
 
-    ret = bs->drv->bdrv_co_readv(bs, cluster_sector_num, cluster_nb_sectors,
-                                 &bounce_qiov);
+    ret = drv->bdrv_co_readv(bs, cluster_sector_num, cluster_nb_sectors,
+                             &bounce_qiov);
     if (ret < 0) {
         goto err;
     }
 
-    ret = bs->drv->bdrv_co_writev(bs, cluster_sector_num, cluster_nb_sectors,
+    if (drv->bdrv_co_write_zeroes &&
+        buffer_is_zero(bounce_buffer, iov.iov_len)) {
+        ret = drv->bdrv_co_write_zeroes(bs, cluster_sector_num,
+                                        cluster_nb_sectors);
+    } else {
+        ret = drv->bdrv_co_writev(bs, cluster_sector_num, cluster_nb_sectors,
                                   &bounce_qiov);
+    }
+
     if (ret < 0) {
         /* It might be okay to ignore write errors for guest requests.  If this
          * is a deliberate copy-on-read then we don't want to ignore the error.
commit f08f2ddae078e8a7683f8b16da8e0cc3029c7b89
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Feb 7 13:27:25 2012 +0000

    block: add .bdrv_co_write_zeroes() interface
    
    The ability to zero regions of an image file is a useful primitive for
    higher-level features such as image streaming or zero write detection.
    
    Image formats may support an optimized metadata representation instead
    of writing zeroes into the image file.  This allows zero writes to be
    potentially faster than regular write operations and also preserve
    sparseness of the image file.
    
    The .bdrv_co_write_zeroes() interface should be implemented by block
    drivers that wish to provide efficient zeroing.
    
    Note that this operation is different from the discard operation, which
    may leave the contents of the region indeterminate.  That means
    discarded blocks are not guaranteed to contain zeroes and may contain
    junk data instead.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/block.c b/block.c
index 3621d11..c9fa5c1 100644
--- a/block.c
+++ b/block.c
@@ -50,6 +50,7 @@
 
 typedef enum {
     BDRV_REQ_COPY_ON_READ = 0x1,
+    BDRV_REQ_ZERO_WRITE   = 0x2,
 } BdrvRequestFlags;
 
 static void bdrv_dev_change_media_cb(BlockDriverState *bs, bool load);
@@ -69,7 +70,8 @@ static int coroutine_fn bdrv_co_do_readv(BlockDriverState *bs,
     int64_t sector_num, int nb_sectors, QEMUIOVector *qiov,
     BdrvRequestFlags flags);
 static int coroutine_fn bdrv_co_do_writev(BlockDriverState *bs,
-    int64_t sector_num, int nb_sectors, QEMUIOVector *qiov);
+    int64_t sector_num, int nb_sectors, QEMUIOVector *qiov,
+    BdrvRequestFlags flags);
 static BlockDriverAIOCB *bdrv_co_aio_rw_vector(BlockDriverState *bs,
                                                int64_t sector_num,
                                                QEMUIOVector *qiov,
@@ -1300,7 +1302,7 @@ static void coroutine_fn bdrv_rw_co_entry(void *opaque)
                                      rwco->nb_sectors, rwco->qiov, 0);
     } else {
         rwco->ret = bdrv_co_do_writev(rwco->bs, rwco->sector_num,
-                                      rwco->nb_sectors, rwco->qiov);
+                                      rwco->nb_sectors, rwco->qiov, 0);
     }
 }
 
@@ -1639,11 +1641,37 @@ int coroutine_fn bdrv_co_copy_on_readv(BlockDriverState *bs,
                             BDRV_REQ_COPY_ON_READ);
 }
 
+static int coroutine_fn bdrv_co_do_write_zeroes(BlockDriverState *bs,
+    int64_t sector_num, int nb_sectors)
+{
+    BlockDriver *drv = bs->drv;
+    QEMUIOVector qiov;
+    struct iovec iov;
+    int ret;
+
+    /* First try the efficient write zeroes operation */
+    if (drv->bdrv_co_write_zeroes) {
+        return drv->bdrv_co_write_zeroes(bs, sector_num, nb_sectors);
+    }
+
+    /* Fall back to bounce buffer if write zeroes is unsupported */
+    iov.iov_len  = nb_sectors * BDRV_SECTOR_SIZE;
+    iov.iov_base = qemu_blockalign(bs, iov.iov_len);
+    memset(iov.iov_base, 0, iov.iov_len);
+    qemu_iovec_init_external(&qiov, &iov, 1);
+
+    ret = drv->bdrv_co_writev(bs, sector_num, nb_sectors, &qiov);
+
+    qemu_vfree(iov.iov_base);
+    return ret;
+}
+
 /*
  * Handle a write request in coroutine context
  */
 static int coroutine_fn bdrv_co_do_writev(BlockDriverState *bs,
-    int64_t sector_num, int nb_sectors, QEMUIOVector *qiov)
+    int64_t sector_num, int nb_sectors, QEMUIOVector *qiov,
+    BdrvRequestFlags flags)
 {
     BlockDriver *drv = bs->drv;
     BdrvTrackedRequest req;
@@ -1670,7 +1698,11 @@ static int coroutine_fn bdrv_co_do_writev(BlockDriverState *bs,
 
     tracked_request_begin(&req, bs, sector_num, nb_sectors, true);
 
-    ret = drv->bdrv_co_writev(bs, sector_num, nb_sectors, qiov);
+    if (flags & BDRV_REQ_ZERO_WRITE) {
+        ret = bdrv_co_do_write_zeroes(bs, sector_num, nb_sectors);
+    } else {
+        ret = drv->bdrv_co_writev(bs, sector_num, nb_sectors, qiov);
+    }
 
     if (bs->dirty_bitmap) {
         set_dirty_bitmap(bs, sector_num, nb_sectors, 1);
@@ -1690,7 +1722,16 @@ int coroutine_fn bdrv_co_writev(BlockDriverState *bs, int64_t sector_num,
 {
     trace_bdrv_co_writev(bs, sector_num, nb_sectors);
 
-    return bdrv_co_do_writev(bs, sector_num, nb_sectors, qiov);
+    return bdrv_co_do_writev(bs, sector_num, nb_sectors, qiov, 0);
+}
+
+int coroutine_fn bdrv_co_write_zeroes(BlockDriverState *bs,
+                                      int64_t sector_num, int nb_sectors)
+{
+    trace_bdrv_co_write_zeroes(bs, sector_num, nb_sectors);
+
+    return bdrv_co_do_writev(bs, sector_num, nb_sectors, NULL,
+                             BDRV_REQ_ZERO_WRITE);
 }
 
 /**
@@ -3192,7 +3233,7 @@ static void coroutine_fn bdrv_co_do_rw(void *opaque)
             acb->req.nb_sectors, acb->req.qiov, 0);
     } else {
         acb->req.error = bdrv_co_do_writev(bs, acb->req.sector,
-            acb->req.nb_sectors, acb->req.qiov);
+            acb->req.nb_sectors, acb->req.qiov, 0);
     }
 
     acb->bh = qemu_bh_new(bdrv_co_em_bh, acb);
diff --git a/block.h b/block.h
index cae289b..60ea730 100644
--- a/block.h
+++ b/block.h
@@ -146,6 +146,14 @@ int coroutine_fn bdrv_co_copy_on_readv(BlockDriverState *bs,
     int64_t sector_num, int nb_sectors, QEMUIOVector *qiov);
 int coroutine_fn bdrv_co_writev(BlockDriverState *bs, int64_t sector_num,
     int nb_sectors, QEMUIOVector *qiov);
+/*
+ * Efficiently zero a region of the disk image.  Note that this is a regular
+ * I/O request like read or write and should have a reasonable size.  This
+ * function is not suitable for zeroing the entire image in a single request
+ * because it may allocate memory for the entire region.
+ */
+int coroutine_fn bdrv_co_write_zeroes(BlockDriverState *bs, int64_t sector_num,
+    int nb_sectors);
 int coroutine_fn bdrv_co_is_allocated(BlockDriverState *bs, int64_t sector_num,
     int nb_sectors, int *pnum);
 BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
diff --git a/block_int.h b/block_int.h
index 7be2988..7946cf6 100644
--- a/block_int.h
+++ b/block_int.h
@@ -131,6 +131,14 @@ struct BlockDriver {
         int64_t sector_num, int nb_sectors, QEMUIOVector *qiov);
     int coroutine_fn (*bdrv_co_writev)(BlockDriverState *bs,
         int64_t sector_num, int nb_sectors, QEMUIOVector *qiov);
+    /*
+     * Efficiently zero a region of the disk image.  Typically an image format
+     * would use a compact metadata representation to implement this.  This
+     * function pointer may be NULL and .bdrv_co_writev() will be called
+     * instead.
+     */
+    int coroutine_fn (*bdrv_co_write_zeroes)(BlockDriverState *bs,
+        int64_t sector_num, int nb_sectors);
     int coroutine_fn (*bdrv_co_discard)(BlockDriverState *bs,
         int64_t sector_num, int nb_sectors);
     int coroutine_fn (*bdrv_co_is_allocated)(BlockDriverState *bs,
diff --git a/trace-events b/trace-events
index 5d05749..3372087 100644
--- a/trace-events
+++ b/trace-events
@@ -67,6 +67,7 @@ bdrv_lock_medium(void *bs, bool locked) "bs %p locked %d"
 bdrv_co_readv(void *bs, int64_t sector_num, int nb_sector) "bs %p sector_num %"PRId64" nb_sectors %d"
 bdrv_co_copy_on_readv(void *bs, int64_t sector_num, int nb_sector) "bs %p sector_num %"PRId64" nb_sectors %d"
 bdrv_co_writev(void *bs, int64_t sector_num, int nb_sector) "bs %p sector_num %"PRId64" nb_sectors %d"
+bdrv_co_write_zeroes(void *bs, int64_t sector_num, int nb_sector) "bs %p sector_num %"PRId64" nb_sectors %d"
 bdrv_co_io_em(void *bs, int64_t sector_num, int nb_sectors, int is_write, void *acb) "bs %p sector_num %"PRId64" nb_sectors %d is_write %d acb %p"
 bdrv_co_do_copy_on_readv(void *bs, int64_t sector_num, int nb_sectors, int64_t cluster_sector_num, int cluster_nb_sectors) "bs %p sector_num %"PRId64" nb_sectors %d cluster_sector_num %"PRId64" cluster_nb_sectors %d"
 
commit 1a6d39fd71ddf90c5b76026cac4d5ff51fbaf8d8
Author: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
Date:   Tue Feb 7 13:27:24 2012 +0000

    cutils: extract buffer_is_zero() from qemu-img.c
    
    The qemu-img.c:is_not_zero() function checks if a buffer contains all
    zeroes.  This function will come in handy for zero-detection in the
    block layer, so clean it up and move it to cutils.c.
    
    Note that the function now returns true if the buffer is all zeroes.
    This avoids the double-negatives (i.e. !is_not_zero()) that the old
    function can cause in callers.
    
    Signed-off-by: Stefan Hajnoczi <stefanha at linux.vnet.ibm.com>
    Signed-off-by: Kevin Wolf <kwolf at redhat.com>

diff --git a/cutils.c b/cutils.c
index a6ffd46..af308cd 100644
--- a/cutils.c
+++ b/cutils.c
@@ -303,6 +303,41 @@ void qemu_iovec_memset_skip(QEMUIOVector *qiov, int c, size_t count,
     }
 }
 
+/*
+ * Checks if a buffer is all zeroes
+ *
+ * Attention! The len must be a multiple of 4 * sizeof(long) due to
+ * restriction of optimizations in this function.
+ */
+bool buffer_is_zero(const void *buf, size_t len)
+{
+    /*
+     * Use long as the biggest available internal data type that fits into the
+     * CPU register and unroll the loop to smooth out the effect of memory
+     * latency.
+     */
+
+    size_t i;
+    long d0, d1, d2, d3;
+    const long * const data = buf;
+
+    assert(len % (4 * sizeof(long)) == 0);
+    len /= sizeof(long);
+
+    for (i = 0; i < len; i += 4) {
+        d0 = data[i + 0];
+        d1 = data[i + 1];
+        d2 = data[i + 2];
+        d3 = data[i + 3];
+
+        if (d0 || d1 || d2 || d3) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 #ifndef _WIN32
 /* Sets a specific flag */
 int fcntl_setfl(int fd, int flag)
diff --git a/qemu-common.h b/qemu-common.h
index 9b997f8..c5e9cad 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -335,6 +335,8 @@ void qemu_iovec_memset(QEMUIOVector *qiov, int c, size_t count);
 void qemu_iovec_memset_skip(QEMUIOVector *qiov, int c, size_t count,
                             size_t skip);
 
+bool buffer_is_zero(const void *buf, size_t len);
+
 void qemu_progress_init(int enabled, float min_skip);
 void qemu_progress_end(void);
 void qemu_progress_print(float delta, int max);
diff --git a/qemu-img.c b/qemu-img.c
index 01cc0d3..c4bcf41 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -515,40 +515,6 @@ static int img_commit(int argc, char **argv)
 }
 
 /*
- * Checks whether the sector is not a zero sector.
- *
- * Attention! The len must be a multiple of 4 * sizeof(long) due to
- * restriction of optimizations in this function.
- */
-static int is_not_zero(const uint8_t *sector, int len)
-{
-    /*
-     * Use long as the biggest available internal data type that fits into the
-     * CPU register and unroll the loop to smooth out the effect of memory
-     * latency.
-     */
-
-    int i;
-    long d0, d1, d2, d3;
-    const long * const data = (const long *) sector;
-
-    len /= sizeof(long);
-
-    for(i = 0; i < len; i += 4) {
-        d0 = data[i + 0];
-        d1 = data[i + 1];
-        d2 = data[i + 2];
-        d3 = data[i + 3];
-
-        if (d0 || d1 || d2 || d3) {
-            return 1;
-        }
-    }
-
-    return 0;
-}
-
-/*
  * Returns true iff the first sector pointed to by 'buf' contains at least
  * a non-NUL byte.
  *
@@ -557,20 +523,22 @@ static int is_not_zero(const uint8_t *sector, int len)
  */
 static int is_allocated_sectors(const uint8_t *buf, int n, int *pnum)
 {
-    int v, i;
+    bool is_zero;
+    int i;
 
     if (n <= 0) {
         *pnum = 0;
         return 0;
     }
-    v = is_not_zero(buf, 512);
+    is_zero = buffer_is_zero(buf, 512);
     for(i = 1; i < n; i++) {
         buf += 512;
-        if (v != is_not_zero(buf, 512))
+        if (is_zero != buffer_is_zero(buf, 512)) {
             break;
+        }
     }
     *pnum = i;
-    return v;
+    return !is_zero;
 }
 
 /*
@@ -955,7 +923,7 @@ static int img_convert(int argc, char **argv)
             if (n < cluster_sectors) {
                 memset(buf + n * 512, 0, cluster_size - n * 512);
             }
-            if (is_not_zero(buf, cluster_size)) {
+            if (!buffer_is_zero(buf, cluster_size)) {
                 ret = bdrv_write_compressed(out_bs, sector_num, buf,
                                             cluster_sectors);
                 if (ret != 0) {
commit 7a65c8cc315c76bde6d692845c12e7ba06f44f89
Author: Peter Maydell <peter.maydell at linaro.org>
Date:   Thu Feb 9 06:11:16 2012 +0000

    ARM devboards: Set arm_sysctl properties before init, not after
    
    The ARM devboard models (vexpress-a9, realview, versatilepb, etc)
    were accidentally trying to set one of the arm_sysctl properties
    after device init. This has now become a fatal error; set the property
    before device init where it should be done instead.
    
    Signed-off-by: Peter Maydell <peter.maydell at linaro.org>

diff --git a/hw/realview.c b/hw/realview.c
index 821e627..8b0b03d 100644
--- a/hw/realview.c
+++ b/hw/realview.c
@@ -217,8 +217,8 @@ static void realview_init(ram_addr_t ram_size,
     sys_id = is_pb ? 0x01780500 : 0xc1400400;
     sysctl = qdev_create(NULL, "realview_sysctl");
     qdev_prop_set_uint32(sysctl, "sys_id", sys_id);
-    qdev_init_nofail(sysctl);
     qdev_prop_set_uint32(sysctl, "proc_id", proc_id);
+    qdev_init_nofail(sysctl);
     sysbus_mmio_map(sysbus_from_qdev(sysctl), 0, 0x10000000);
 
     if (is_mpcore) {
diff --git a/hw/versatilepb.c b/hw/versatilepb.c
index 6e28e78..6ea0ce5 100644
--- a/hw/versatilepb.c
+++ b/hw/versatilepb.c
@@ -198,8 +198,8 @@ static void versatile_init(ram_addr_t ram_size,
 
     sysctl = qdev_create(NULL, "realview_sysctl");
     qdev_prop_set_uint32(sysctl, "sys_id", 0x41007004);
-    qdev_init_nofail(sysctl);
     qdev_prop_set_uint32(sysctl, "proc_id", 0x02000000);
+    qdev_init_nofail(sysctl);
     sysbus_mmio_map(sysbus_from_qdev(sysctl), 0, 0x10000000);
 
     cpu_pic = arm_pic_init_cpu(env);
diff --git a/hw/vexpress.c b/hw/vexpress.c
index 64fab45..43f47a6 100644
--- a/hw/vexpress.c
+++ b/hw/vexpress.c
@@ -123,8 +123,8 @@ static void vexpress_a9_init(ram_addr_t ram_size,
     /* 0x10000000 System registers */
     sysctl = qdev_create(NULL, "realview_sysctl");
     qdev_prop_set_uint32(sysctl, "sys_id", sys_id);
-    qdev_init_nofail(sysctl);
     qdev_prop_set_uint32(sysctl, "proc_id", proc_id);
+    qdev_init_nofail(sysctl);
     sysbus_mmio_map(sysbus_from_qdev(sysctl), 0, 0x10000000);
 
     /* 0x10001000 SP810 system control */
commit a4aecd2819fd31641ab62472e3385073043521fb
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Sun Feb 5 12:45:20 2012 +0100

    apic: Fix legacy vmstate loading for KVM
    
    Also in case of loading pre-vmstate machines, we also need to open-code
    the reading of the timer expires value and instead call the post_load
    callback to apply it (or not). This fixes loading of legacy states into
    the KVM APIC.
    
    Reported-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/apic_common.c b/hw/apic_common.c
index 26991b4..8373d79 100644
--- a/hw/apic_common.c
+++ b/hw/apic_common.c
@@ -188,6 +188,7 @@ static void apic_reset_common(DeviceState *d)
 static int apic_load_old(QEMUFile *f, void *opaque, int version_id)
 {
     APICCommonState *s = opaque;
+    APICCommonClass *info = APIC_COMMON_GET_CLASS(s);
     int i;
 
     if (version_id > 2) {
@@ -220,7 +221,11 @@ static int apic_load_old(QEMUFile *f, void *opaque, int version_id)
     s->next_time = qemu_get_be64(f);
 
     if (version_id >= 2) {
-        qemu_get_timer(f, s->timer);
+        s->timer_expiry = qemu_get_be64(f);
+    }
+
+    if (info->post_load) {
+        info->post_load(s);
     }
     return 0;
 }
commit 3d4b26494fdce89354dac49ef909356ccda77914
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Tue Jan 31 19:17:52 2012 +0100

    kvm: Implement kvm_irqchip_in_kernel like kvm_enabled
    
    To both avoid that kvm_irqchip_in_kernel always has to be paired with
    kvm_enabled and that the former ends up in a function call, implement it
    like the latter. This means keeping the state in a global variable and
    defining kvm_irqchip_in_kernel as a preprocessor macro.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/hw/pc.c b/hw/pc.c
index 7f3aa65..3b35735 100644
--- a/hw/pc.c
+++ b/hw/pc.c
@@ -889,7 +889,7 @@ static DeviceState *apic_init(void *env, uint8_t apic_id)
     DeviceState *dev;
     static int apic_mapped;
 
-    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
+    if (kvm_irqchip_in_kernel()) {
         dev = qdev_create(NULL, "kvm-apic");
     } else {
         dev = qdev_create(NULL, "apic");
@@ -908,7 +908,7 @@ static DeviceState *apic_init(void *env, uint8_t apic_id)
     }
 
     /* KVM does not support MSI yet. */
-    if (!kvm_enabled() || !kvm_irqchip_in_kernel()) {
+    if (!kvm_irqchip_in_kernel()) {
         msi_supported = true;
     }
 
diff --git a/hw/pc_piix.c b/hw/pc_piix.c
index c06f1b5..17f8d5d 100644
--- a/hw/pc_piix.c
+++ b/hw/pc_piix.c
@@ -104,7 +104,7 @@ static void ioapic_init(GSIState *gsi_state)
     SysBusDevice *d;
     unsigned int i;
 
-    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
+    if (kvm_irqchip_in_kernel()) {
         dev = qdev_create(NULL, "kvm-ioapic");
     } else {
         dev = qdev_create(NULL, "ioapic");
@@ -183,7 +183,7 @@ static void pc_init1(MemoryRegion *system_memory,
     }
 
     gsi_state = g_malloc0(sizeof(*gsi_state));
-    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
+    if (kvm_irqchip_in_kernel()) {
         kvm_piix3_setup_irq_routing(pci_enabled);
         gsi = qemu_allocate_irqs(kvm_piix3_gsi_handler, gsi_state,
                                  GSI_NUM_PINS);
@@ -209,7 +209,7 @@ static void pc_init1(MemoryRegion *system_memory,
     }
     isa_bus_irqs(isa_bus, gsi);
 
-    if (kvm_enabled() && kvm_irqchip_in_kernel()) {
+    if (kvm_irqchip_in_kernel()) {
         i8259 = kvm_i8259_init(isa_bus);
     } else if (xen_enabled()) {
         i8259 = xen_interrupt_controller_init();
diff --git a/kvm-all.c b/kvm-all.c
index 0b87658..c4babda 100644
--- a/kvm-all.c
+++ b/kvm-all.c
@@ -74,7 +74,6 @@ struct KVMState
 #ifdef KVM_CAP_SET_GUEST_DEBUG
     struct kvm_sw_breakpoint_head kvm_sw_breakpoints;
 #endif
-    int irqchip_in_kernel;
     int pit_in_kernel;
     int xsave, xcrs;
     int many_ioeventfds;
@@ -88,6 +87,7 @@ struct KVMState
 };
 
 KVMState *kvm_state;
+bool kvm_kernel_irqchip;
 
 static const KVMCapabilityInfo kvm_required_capabilites[] = {
     KVM_CAP_INFO(USER_MEMORY),
@@ -193,11 +193,6 @@ static void kvm_reset_vcpu(void *opaque)
     kvm_arch_reset_vcpu(env);
 }
 
-int kvm_irqchip_in_kernel(void)
-{
-    return kvm_state->irqchip_in_kernel;
-}
-
 int kvm_pit_in_kernel(void)
 {
     return kvm_state->pit_in_kernel;
@@ -742,7 +737,7 @@ int kvm_irqchip_set_irq(KVMState *s, int irq, int level)
     struct kvm_irq_level event;
     int ret;
 
-    assert(s->irqchip_in_kernel);
+    assert(kvm_irqchip_in_kernel());
 
     event.level = level;
     event.irq = irq;
@@ -862,7 +857,7 @@ static int kvm_irqchip_create(KVMState *s)
     if (kvm_check_extension(s, KVM_CAP_IRQ_INJECT_STATUS)) {
         s->irqchip_inject_ioctl = KVM_IRQ_LINE_STATUS;
     }
-    s->irqchip_in_kernel = 1;
+    kvm_kernel_irqchip = true;
 
     kvm_init_irq_routing(s);
 
@@ -1315,7 +1310,7 @@ int kvm_has_gsi_routing(void)
 
 int kvm_allows_irq0_override(void)
 {
-    return !kvm_enabled() || !kvm_irqchip_in_kernel() || kvm_has_gsi_routing();
+    return !kvm_irqchip_in_kernel() || kvm_has_gsi_routing();
 }
 
 void kvm_setup_guest_memory(void *start, size_t size)
diff --git a/kvm-stub.c b/kvm-stub.c
index 6c2b06b..f63a0d2 100644
--- a/kvm-stub.c
+++ b/kvm-stub.c
@@ -16,11 +16,6 @@
 #include "gdbstub.h"
 #include "kvm.h"
 
-int kvm_irqchip_in_kernel(void)
-{
-    return 0;
-}
-
 int kvm_pit_in_kernel(void)
 {
     return 0;
diff --git a/kvm.h b/kvm.h
index 40b5ffc..f9f1dc8 100644
--- a/kvm.h
+++ b/kvm.h
@@ -23,11 +23,14 @@
 #endif
 
 extern int kvm_allowed;
+extern bool kvm_kernel_irqchip;
 
 #if defined CONFIG_KVM || !defined NEED_CPU_H
-#define kvm_enabled() (kvm_allowed)
+#define kvm_enabled()           (kvm_allowed)
+#define kvm_irqchip_in_kernel() (kvm_kernel_irqchip)
 #else
-#define kvm_enabled() (0)
+#define kvm_enabled()           (0)
+#define kvm_irqchip_in_kernel() (false)
 #endif
 
 struct kvm_run;
@@ -80,7 +83,6 @@ int kvm_set_signal_mask(CPUState *env, const sigset_t *sigset);
 #endif
 
 int kvm_pit_in_kernel(void);
-int kvm_irqchip_in_kernel(void);
 
 int kvm_on_sigbus_vcpu(CPUState *env, int code, void *addr);
 int kvm_on_sigbus(int code, void *addr);
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 445c060..981192d 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -1356,7 +1356,7 @@ static int kvm_get_apic(CPUState *env)
     struct kvm_lapic_state kapic;
     int ret;
 
-    if (apic && kvm_enabled() && kvm_irqchip_in_kernel()) {
+    if (apic && kvm_irqchip_in_kernel()) {
         ret = kvm_vcpu_ioctl(env, KVM_GET_LAPIC, &kapic);
         if (ret < 0) {
             return ret;
@@ -1372,7 +1372,7 @@ static int kvm_put_apic(CPUState *env)
     DeviceState *apic = env->apic_state;
     struct kvm_lapic_state kapic;
 
-    if (apic && kvm_enabled() && kvm_irqchip_in_kernel()) {
+    if (apic && kvm_irqchip_in_kernel()) {
         kvm_put_apic_state(apic, &kapic);
 
         return kvm_vcpu_ioctl(env, KVM_SET_LAPIC, &kapic);
commit 39d6960aabfd90bf0bf7ba38d69e918962b70b16
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Jan 25 18:14:15 2012 +0100

    kvm: Allow to set shadow MMU size
    
    Introduce the KVM-specific machine option kvm_shadow_mem. It allows to
    set a custom shadow MMU size for the virtual machine. This is useful for
    stress testing e.g.
    
    Only x86 supports this for now, but it is in principle a generic
    concept for all targets with shadow MMUs.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Marcelo Tosatti <mtosatti at redhat.com>

diff --git a/qemu-config.c b/qemu-config.c
index b030205..95bf5e5 100644
--- a/qemu-config.c
+++ b/qemu-config.c
@@ -535,6 +535,10 @@ static QemuOptsList qemu_machine_opts = {
             .name = "kernel_irqchip",
             .type = QEMU_OPT_BOOL,
             .help = "use KVM in-kernel irqchip",
+        }, {
+            .name = "kvm_shadow_mem",
+            .type = QEMU_OPT_SIZE,
+            .help = "KVM shadow MMU size",
         },
         { /* End of list */ }
     },
diff --git a/qemu-options.hx b/qemu-options.hx
index 19906e5..4ad1fc7 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -32,7 +32,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
     "                selects emulated machine (-machine ? for list)\n"
     "                property accel=accel1[:accel2[:...]] selects accelerator\n"
     "                supported accelerators are kvm, xen, tcg (default: tcg)\n"
-    "                kernel_irqchip=on|off controls accelerated irqchip support\n",
+    "                kernel_irqchip=on|off controls accelerated irqchip support\n"
+    "                kvm_shadow_mem=size of KVM shadow MMU\n",
     QEMU_ARCH_ALL)
 STEXI
 @item -machine [type=]@var{name}[,prop=@var{value}[,...]]
@@ -47,6 +48,8 @@ than one accelerator specified, the next one is used if the previous one fails
 to initialize.
 @item kernel_irqchip=on|off
 Enables in-kernel irqchip support for the chosen accelerator when available.
+ at item kvm_shadow_mem=size
+Defines the size of the KVM shadow MMU.
 @end table
 ETEXI
 
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index e41de39..445c060 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -646,7 +646,9 @@ static int kvm_get_supported_msrs(KVMState *s)
 
 int kvm_arch_init(KVMState *s)
 {
+    QemuOptsList *list = qemu_find_opts("machine");
     uint64_t identity_base = 0xfffbc000;
+    uint64_t shadow_mem;
     int ret;
     struct utsname utsname;
 
@@ -693,6 +695,17 @@ int kvm_arch_init(KVMState *s)
     }
     qemu_register_reset(kvm_unpoison_all, NULL);
 
+    if (!QTAILQ_EMPTY(&list->head)) {
+        shadow_mem = qemu_opt_get_size(QTAILQ_FIRST(&list->head),
+                                       "kvm_shadow_mem", -1);
+        if (shadow_mem != -1) {
+            shadow_mem /= 4096;
+            ret = kvm_vm_ioctl(s, KVM_SET_NR_MMU_PAGES, shadow_mem);
+            if (ret < 0) {
+                return ret;
+            }
+        }
+    }
     return 0;
 }
 
commit a642153013b2d0af106c0d4b9a637677d1e2c010
Merge: dc717bf... a3d4a1b...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 8 07:24:37 2012 -0600

    Merge remote-tracking branch 'bonzini/qdev-props-for-anthony' into staging
    
    * bonzini/qdev-props-for-anthony: (25 commits)
      qdev: remove unused fields from PropertyInfo
      qdev: initialize properties via QOM
      qdev: inline qdev_prop_set into qdev_prop_set_ptr
      qdev: access properties via QOM
      qdev: fix off-by-one
      qdev: let QOM free properties
      qdev: remove parse/print methods for pointer properties
      qdev: make the non-legacy pci address property accept an integer
      qdev: remove parse/print methods for mac properties
      qdev: remove print/parse methods from LostTickPolicy properties
      qdev: remove parse method for string properties
      qdev: allow reusing get/set for legacy property
      qdev: remove direct calls to print/parse
      qom: add property get/set wrappers for links
      qom: fix canonical paths vs. interfaces
      qom: use object_resolve_path_type for links
      qom: add object_resolve_path_type
      qom: fix off-by-one
      qom: add property get/set wrappers for C types
      qom: add QObject-based property get/set wrappers
      ...

commit dc717bfd057ac3d6b75c633d57e501d5e6d5ef50
Merge: a283b1b... eed9686...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 8 07:23:55 2012 -0600

    Merge remote-tracking branch 'aneesh/for-upstream' into staging
    
    * aneesh/for-upstream:
      hw/9pfs: Remove O_NOATIME flag from 9pfs open() calls in readonly mode
      hw/9pfs: Update MAINTAINERS file
      fsdev: Fix parameter parsing for proxy helper
      hw/9pfs: Fix crash when mounting with synthfs
      hw/9pfs: Preserve S_ISGID
      hw/9pfs: Add new security model mapped-file.

commit a283b1b8eb121dcc086c4850c91b35fed13d2023
Merge: cf4dc46... edc1de9...
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Wed Feb 8 07:23:23 2012 -0600

    Merge remote-tracking branch 'sweil/w32' into staging
    
    * sweil/w32:
      w32: Initialise critical section before starting thread (fix #922131)
      w32: Build windows and console executables

commit 6612db12d56c68fff3e56ca4ea8c41d9d55c12e4
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Wed Feb 8 10:05:45 2012 +0100

    slirp: Prevent sending ICMP error replies to source-only addresses
    
    This triggered the related assert in arp_table_search.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>

diff --git a/slirp/ip_icmp.c b/slirp/ip_icmp.c
index 4b43994..5dbf21d 100644
--- a/slirp/ip_icmp.c
+++ b/slirp/ip_icmp.c
@@ -262,6 +262,11 @@ icmp_error(struct mbuf *msrc, u_char type, u_char code, int minsize,
 #endif
   if(ip->ip_off & IP_OFFMASK) goto end_error;    /* Only reply to fragment 0 */
 
+  /* Do not reply to source-only IPs */
+  if ((ip->ip_src.s_addr & htonl(~(0xf << 28))) == 0) {
+      goto end_error;
+  }
+
   shlen=ip->ip_hl << 2;
   s_ip_len=ip->ip_len;
   if(ip->ip_p == IPPROTO_ICMP) {
commit 9f1134d4aac64ea427453fc7c7f8cab39f4fe3da
Author: Stefan Weil <sw at weilnetz.de>
Date:   Thu Jan 5 14:18:45 2012 +0100

    slirp: Remove unused variable and unused code
    
    9634d9031c140b24c7ca0d8872632207f6ce7275 disabled unused code.
    This patch removes what was left.
    
    If do_pty is 2, the function returns immediately, so any later checks
    for do_pty == 2 will always fail and can be removed together with
    the code which is never executed. Then variable master is unused and
    can be removed, too.
    
    This issue was detected by coverity.
    
    Cc: Blue Swirl <blauwirbel at gmail.com>
    Signed-off-by: Stefan Weil <sw at weilnetz.de>
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>

diff --git a/slirp/misc.c b/slirp/misc.c
index 6c80e69..3432fbf 100644
--- a/slirp/misc.c
+++ b/slirp/misc.c
@@ -113,7 +113,6 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
 	struct sockaddr_in addr;
 	socklen_t addrlen = sizeof(addr);
 	int opt;
-        int master = -1;
 	const char *argv[256];
 	/* don't want to clobber the original */
 	char *bptr;
@@ -148,32 +147,23 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
 	 case -1:
 		lprint("Error: fork failed: %s\n", strerror(errno));
 		close(s);
-		if (do_pty == 2)
-		   close(master);
 		return 0;
 
 	 case 0:
                 setsid();
 
 		/* Set the DISPLAY */
-		if (do_pty == 2) {
-			(void) close(master);
-#ifdef TIOCSCTTY /* XXXXX */
-			ioctl(s, TIOCSCTTY, (char *)NULL);
-#endif
-		} else {
-			getsockname(s, (struct sockaddr *)&addr, &addrlen);
-			close(s);
-			/*
-			 * Connect to the socket
-			 * XXX If any of these fail, we're in trouble!
-	 		 */
-			s = qemu_socket(AF_INET, SOCK_STREAM, 0);
-			addr.sin_addr = loopback_addr;
-                        do {
-                            ret = connect(s, (struct sockaddr *)&addr, addrlen);
-                        } while (ret < 0 && errno == EINTR);
-		}
+                getsockname(s, (struct sockaddr *)&addr, &addrlen);
+                close(s);
+                /*
+                 * Connect to the socket
+                 * XXX If any of these fail, we're in trouble!
+                 */
+                s = qemu_socket(AF_INET, SOCK_STREAM, 0);
+                addr.sin_addr = loopback_addr;
+                do {
+                    ret = connect(s, (struct sockaddr *)&addr, addrlen);
+                } while (ret < 0 && errno == EINTR);
 
 		dup2(s, 0);
 		dup2(s, 1);
@@ -210,26 +200,21 @@ fork_exec(struct socket *so, const char *ex, int do_pty)
 
 	 default:
 		qemu_add_child_watch(pid);
-		if (do_pty == 2) {
-			close(s);
-			so->s = master;
-		} else {
-			/*
-			 * XXX this could block us...
-			 * XXX Should set a timer here, and if accept() doesn't
-		 	 * return after X seconds, declare it a failure
-		 	 * The only reason this will block forever is if socket()
-		 	 * of connect() fail in the child process
-		 	 */
-                        do {
-                            so->s = accept(s, (struct sockaddr *)&addr, &addrlen);
-                        } while (so->s < 0 && errno == EINTR);
-                        closesocket(s);
-			opt = 1;
-			setsockopt(so->s,SOL_SOCKET,SO_REUSEADDR,(char *)&opt,sizeof(int));
-			opt = 1;
-			setsockopt(so->s,SOL_SOCKET,SO_OOBINLINE,(char *)&opt,sizeof(int));
-		}
+                /*
+                 * XXX this could block us...
+                 * XXX Should set a timer here, and if accept() doesn't
+                 * return after X seconds, declare it a failure
+                 * The only reason this will block forever is if socket()
+                 * of connect() fail in the child process
+                 */
+                do {
+                    so->s = accept(s, (struct sockaddr *)&addr, &addrlen);
+                } while (so->s < 0 && errno == EINTR);
+                closesocket(s);
+                opt = 1;
+                setsockopt(so->s, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
+                opt = 1;
+                setsockopt(so->s, SOL_SOCKET, SO_OOBINLINE, (char *)&opt, sizeof(int));
 		fd_nonblock(so->s);
 
 		/* Append the telnet options now */
commit cf4dc461a4cfc3e056ee24edb26154f4d34a6278
Author: malc <av1474 at comtv.ru>
Date:   Tue Feb 7 22:11:04 2012 +0400

    Restore consistent formatting
    
    Signed-off-by: malc <av1474 at comtv.ru>

diff --git a/hw/ac97.c b/hw/ac97.c
index ed2e4cd..7bf9171 100644
--- a/hw/ac97.c
+++ b/hw/ac97.c
@@ -1175,17 +1175,17 @@ static const VMStateDescription vmstate_ac97_bm_regs = {
     .minimum_version_id = 1,
     .minimum_version_id_old = 1,
     .fields      = (VMStateField []) {
-        VMSTATE_UINT32(bdbar, AC97BusMasterRegs),
-        VMSTATE_UINT8(civ, AC97BusMasterRegs),
-        VMSTATE_UINT8(lvi, AC97BusMasterRegs),
-        VMSTATE_UINT16(sr, AC97BusMasterRegs),
-        VMSTATE_UINT16(picb, AC97BusMasterRegs),
-        VMSTATE_UINT8(piv, AC97BusMasterRegs),
-        VMSTATE_UINT8(cr, AC97BusMasterRegs),
-        VMSTATE_UINT32(bd_valid, AC97BusMasterRegs),
-        VMSTATE_UINT32(bd.addr, AC97BusMasterRegs),
-        VMSTATE_UINT32(bd.ctl_len, AC97BusMasterRegs),
-        VMSTATE_END_OF_LIST()
+        VMSTATE_UINT32 (bdbar, AC97BusMasterRegs),
+        VMSTATE_UINT8 (civ, AC97BusMasterRegs),
+        VMSTATE_UINT8 (lvi, AC97BusMasterRegs),
+        VMSTATE_UINT16 (sr, AC97BusMasterRegs),
+        VMSTATE_UINT16 (picb, AC97BusMasterRegs),
+        VMSTATE_UINT8 (piv, AC97BusMasterRegs),
+        VMSTATE_UINT8 (cr, AC97BusMasterRegs),
+        VMSTATE_UINT32 (bd_valid, AC97BusMasterRegs),
+        VMSTATE_UINT32 (bd.addr, AC97BusMasterRegs),
+        VMSTATE_UINT32 (bd.ctl_len, AC97BusMasterRegs),
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -1224,15 +1224,15 @@ static const VMStateDescription vmstate_ac97 = {
     .minimum_version_id_old = 2,
     .post_load = ac97_post_load,
     .fields      = (VMStateField []) {
-        VMSTATE_PCI_DEVICE(dev, AC97LinkState),
-        VMSTATE_UINT32(glob_cnt, AC97LinkState),
-        VMSTATE_UINT32(glob_sta, AC97LinkState),
-        VMSTATE_UINT32(cas, AC97LinkState),
-        VMSTATE_STRUCT_ARRAY(bm_regs, AC97LinkState, 3, 1,
-                             vmstate_ac97_bm_regs, AC97BusMasterRegs),
-        VMSTATE_BUFFER(mixer_data, AC97LinkState),
-        VMSTATE_UNUSED_TEST(is_version_2, 3),
-        VMSTATE_END_OF_LIST()
+        VMSTATE_PCI_DEVICE (dev, AC97LinkState),
+        VMSTATE_UINT32 (glob_cnt, AC97LinkState),
+        VMSTATE_UINT32 (glob_sta, AC97LinkState),
+        VMSTATE_UINT32 (cas, AC97LinkState),
+        VMSTATE_STRUCT_ARRAY (bm_regs, AC97LinkState, 3, 1,
+                              vmstate_ac97_bm_regs, AC97BusMasterRegs),
+        VMSTATE_BUFFER (mixer_data, AC97LinkState),
+        VMSTATE_UNUSED_TEST (is_version_2, 3),
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -1243,7 +1243,7 @@ static const MemoryRegionPortio nam_portio[] = {
     { 0, 256 * 1, 1, .write = nam_writeb, },
     { 0, 256 * 2, 2, .write = nam_writew, },
     { 0, 256 * 4, 4, .write = nam_writel, },
-    PORTIO_END_OF_LIST(),
+    PORTIO_END_OF_LIST (),
 };
 
 static const MemoryRegionOps ac97_io_nam_ops = {
@@ -1257,7 +1257,7 @@ static const MemoryRegionPortio nabm_portio[] = {
     { 0, 64 * 1, 1, .write = nabm_writeb, },
     { 0, 64 * 2, 2, .write = nabm_writew, },
     { 0, 64 * 4, 4, .write = nabm_writel, },
-    PORTIO_END_OF_LIST()
+    PORTIO_END_OF_LIST ()
 };
 
 static const MemoryRegionOps ac97_io_nabm_ops = {
@@ -1345,14 +1345,14 @@ int ac97_init (PCIBus *bus)
 }
 
 static Property ac97_properties[] = {
-    DEFINE_PROP_UINT32("use_broken_id", AC97LinkState, use_broken_id, 0),
-    DEFINE_PROP_END_OF_LIST(),
+    DEFINE_PROP_UINT32 ("use_broken_id", AC97LinkState, use_broken_id, 0),
+    DEFINE_PROP_END_OF_LIST (),
 };
 
-static void ac97_class_init(ObjectClass *klass, void *data)
+static void ac97_class_init (ObjectClass *klass, void *data)
 {
-    DeviceClass *dc = DEVICE_CLASS(klass);
-    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS (klass);
+    PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
 
     k->init = ac97_initfn;
     k->exit = ac97_exitfn;
@@ -1374,7 +1374,7 @@ static TypeInfo ac97_info = {
 
 static void ac97_register (void)
 {
-    type_register_static(&ac97_info);
+    type_register_static (&ac97_info);
 }
 device_init (ac97_register);
 
diff --git a/hw/adlib.c b/hw/adlib.c
index dd8b188..d39cd97 100644
--- a/hw/adlib.c
+++ b/hw/adlib.c
@@ -164,7 +164,7 @@ static void timer_handler (int c, double interval_Sec)
 
     s->ticking[n] = 1;
 #ifdef DEBUG
-    interval = get_ticks_per_sec() * interval_Sec;
+    interval = get_ticks_per_sec () * interval_Sec;
     exp = qemu_get_clock_ns (vm_clock) + interval;
     s->exp[n] = exp;
 #endif
diff --git a/hw/cs4231a.c b/hw/cs4231a.c
index 811dda6..ad04ad6 100644
--- a/hw/cs4231a.c
+++ b/hw/cs4231a.c
@@ -622,13 +622,13 @@ static const VMStateDescription vmstate_cs4231a = {
     .pre_load = cs4231a_pre_load,
     .post_load = cs4231a_post_load,
     .fields      = (VMStateField []) {
-        VMSTATE_UINT32_ARRAY(regs, CSState, CS_REGS),
-        VMSTATE_BUFFER(dregs, CSState),
-        VMSTATE_INT32(dma_running, CSState),
-        VMSTATE_INT32(audio_free, CSState),
-        VMSTATE_INT32(transferred, CSState),
-        VMSTATE_INT32(aci_counter, CSState),
-        VMSTATE_END_OF_LIST()
+        VMSTATE_UINT32_ARRAY (regs, CSState, CS_REGS),
+        VMSTATE_BUFFER (dregs, CSState),
+        VMSTATE_INT32 (dma_running, CSState),
+        VMSTATE_INT32 (audio_free, CSState),
+        VMSTATE_INT32 (transferred, CSState),
+        VMSTATE_INT32 (aci_counter, CSState),
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -672,10 +672,10 @@ static Property cs4231a_properties[] = {
     DEFINE_PROP_END_OF_LIST (),
 };
 
-static void cs4231a_class_initfn(ObjectClass *klass, void *data)
+static void cs4231a_class_initfn (ObjectClass *klass, void *data)
 {
-    DeviceClass *dc = DEVICE_CLASS(klass);
-    ISADeviceClass *ic = ISA_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS (klass);
+    ISADeviceClass *ic = ISA_DEVICE_CLASS (klass);
     ic->init = cs4231a_initfn;
     dc->desc = "Crystal Semiconductor CS4231A";
     dc->vmsd = &vmstate_cs4231a;
@@ -691,6 +691,6 @@ static TypeInfo cs4231a_info = {
 
 static void cs4231a_register (void)
 {
-    type_register_static(&cs4231a_info);
+    type_register_static (&cs4231a_info);
 }
 device_init (cs4231a_register)
diff --git a/hw/es1370.c b/hw/es1370.c
index 95e88b9..e377c48 100644
--- a/hw/es1370.c
+++ b/hw/es1370.c
@@ -914,7 +914,7 @@ static const MemoryRegionPortio es1370_portio[] = {
     { 0, 0x40 * 4, 1, .read = es1370_readb, },
     { 0, 0x40 * 2, 2, .read = es1370_readw, },
     { 0, 0x40, 4, .read = es1370_readl, },
-    PORTIO_END_OF_LIST()
+    PORTIO_END_OF_LIST ()
 };
 
 static const MemoryRegionOps es1370_io_ops = {
@@ -928,12 +928,12 @@ static const VMStateDescription vmstate_es1370_channel = {
     .minimum_version_id = 2,
     .minimum_version_id_old = 2,
     .fields      = (VMStateField []) {
-        VMSTATE_UINT32(shift, struct chan),
-        VMSTATE_UINT32(leftover, struct chan),
-        VMSTATE_UINT32(scount, struct chan),
-        VMSTATE_UINT32(frame_addr, struct chan),
-        VMSTATE_UINT32(frame_cnt, struct chan),
-        VMSTATE_END_OF_LIST()
+        VMSTATE_UINT32 (shift, struct chan),
+        VMSTATE_UINT32 (leftover, struct chan),
+        VMSTATE_UINT32 (scount, struct chan),
+        VMSTATE_UINT32 (frame_addr, struct chan),
+        VMSTATE_UINT32 (frame_cnt, struct chan),
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -973,15 +973,15 @@ static const VMStateDescription vmstate_es1370 = {
     .minimum_version_id_old = 2,
     .post_load = es1370_post_load,
     .fields      = (VMStateField []) {
-        VMSTATE_PCI_DEVICE(dev, ES1370State),
-        VMSTATE_STRUCT_ARRAY(chan, ES1370State, NB_CHANNELS, 2,
-                             vmstate_es1370_channel, struct chan),
-        VMSTATE_UINT32(ctl, ES1370State),
-        VMSTATE_UINT32(status, ES1370State),
-        VMSTATE_UINT32(mempage, ES1370State),
-        VMSTATE_UINT32(codec, ES1370State),
-        VMSTATE_UINT32(sctl, ES1370State),
-        VMSTATE_END_OF_LIST()
+        VMSTATE_PCI_DEVICE (dev, ES1370State),
+        VMSTATE_STRUCT_ARRAY (chan, ES1370State, NB_CHANNELS, 2,
+                              vmstate_es1370_channel, struct chan),
+        VMSTATE_UINT32 (ctl, ES1370State),
+        VMSTATE_UINT32 (status, ES1370State),
+        VMSTATE_UINT32 (mempage, ES1370State),
+        VMSTATE_UINT32 (codec, ES1370State),
+        VMSTATE_UINT32 (sctl, ES1370State),
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -1017,7 +1017,7 @@ static int es1370_initfn (PCIDevice *dev)
     return 0;
 }
 
-static int es1370_exitfn(PCIDevice *dev)
+static int es1370_exitfn (PCIDevice *dev)
 {
     ES1370State *s = DO_UPCAST (ES1370State, dev, dev);
 
@@ -1031,10 +1031,10 @@ int es1370_init (PCIBus *bus)
     return 0;
 }
 
-static void es1370_class_init(ObjectClass *klass, void *data)
+static void es1370_class_init (ObjectClass *klass, void *data)
 {
-    DeviceClass *dc = DEVICE_CLASS(klass);
-    PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS (klass);
+    PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
 
     k->init = es1370_initfn;
     k->exit = es1370_exitfn;
@@ -1056,7 +1056,7 @@ static TypeInfo es1370_info = {
 
 static void es1370_register (void)
 {
-    type_register_static(&es1370_info);
+    type_register_static (&es1370_info);
 }
 device_init (es1370_register);
 
diff --git a/hw/gus.c b/hw/gus.c
index 49e5dbf..2054707 100644
--- a/hw/gus.c
+++ b/hw/gus.c
@@ -221,14 +221,14 @@ static const VMStateDescription vmstate_gus = {
     .minimum_version_id = 2,
     .minimum_version_id_old = 2,
     .fields      = (VMStateField []) {
-        VMSTATE_INT32(pos, GUSState),
-        VMSTATE_INT32(left, GUSState),
-        VMSTATE_INT32(shift, GUSState),
-        VMSTATE_INT32(irqs, GUSState),
-        VMSTATE_INT32(samples, GUSState),
-        VMSTATE_INT64(last_ticks, GUSState),
-        VMSTATE_BUFFER(himem, GUSState),
-        VMSTATE_END_OF_LIST()
+        VMSTATE_INT32 (pos, GUSState),
+        VMSTATE_INT32 (left, GUSState),
+        VMSTATE_INT32 (shift, GUSState),
+        VMSTATE_INT32 (irqs, GUSState),
+        VMSTATE_INT32 (samples, GUSState),
+        VMSTATE_INT64 (last_ticks, GUSState),
+        VMSTATE_BUFFER (himem, GUSState),
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -239,13 +239,13 @@ static const MemoryRegionPortio gus_portio_list1[] = {
     {0x006, 10, 2, .read = gus_readw, .write = gus_writew },
     {0x100,  8, 1, .read = gus_readb, .write = gus_writeb },
     {0x100,  8, 2, .read = gus_readw, .write = gus_writew },
-    PORTIO_END_OF_LIST(),
+    PORTIO_END_OF_LIST (),
 };
 
 static const MemoryRegionPortio gus_portio_list2[] = {
     {0, 1, 1, .read = gus_readb },
     {0, 1, 2, .read = gus_readw },
-    PORTIO_END_OF_LIST(),
+    PORTIO_END_OF_LIST (),
 };
 
 static int gus_initfn (ISADevice *dev)
@@ -307,10 +307,10 @@ static Property gus_properties[] = {
     DEFINE_PROP_END_OF_LIST (),
 };
 
-static void gus_class_initfn(ObjectClass *klass, void *data)
+static void gus_class_initfn (ObjectClass *klass, void *data)
 {
-    DeviceClass *dc = DEVICE_CLASS(klass);
-    ISADeviceClass *ic = ISA_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS (klass);
+    ISADeviceClass *ic = ISA_DEVICE_CLASS (klass);
     ic->init = gus_initfn;
     dc->desc = "Gravis Ultrasound GF1";
     dc->vmsd = &vmstate_gus;
@@ -326,6 +326,6 @@ static TypeInfo gus_info = {
 
 static void gus_register (void)
 {
-    type_register_static(&gus_info);
+    type_register_static (&gus_info);
 }
 device_init (gus_register)
diff --git a/hw/sb16.c b/hw/sb16.c
index ae25450..db8929b 100644
--- a/hw/sb16.c
+++ b/hw/sb16.c
@@ -1289,55 +1289,55 @@ static const VMStateDescription vmstate_sb16 = {
     .minimum_version_id_old = 1,
     .post_load = sb16_post_load,
     .fields      = (VMStateField []) {
-        VMSTATE_UINT32(irq, SB16State),
-        VMSTATE_UINT32(dma, SB16State),
-        VMSTATE_UINT32(hdma, SB16State),
-        VMSTATE_UINT32(port, SB16State),
-        VMSTATE_UINT32(ver, SB16State),
-        VMSTATE_INT32(in_index, SB16State),
-        VMSTATE_INT32(out_data_len, SB16State),
-        VMSTATE_INT32(fmt_stereo, SB16State),
-        VMSTATE_INT32(fmt_signed, SB16State),
-        VMSTATE_INT32(fmt_bits, SB16State),
-        VMSTATE_UINT32(fmt, SB16State),
-        VMSTATE_INT32(dma_auto, SB16State),
-        VMSTATE_INT32(block_size, SB16State),
-        VMSTATE_INT32(fifo, SB16State),
-        VMSTATE_INT32(freq, SB16State),
-        VMSTATE_INT32(time_const, SB16State),
-        VMSTATE_INT32(speaker, SB16State),
-        VMSTATE_INT32(needed_bytes, SB16State),
-        VMSTATE_INT32(cmd, SB16State),
-        VMSTATE_INT32(use_hdma, SB16State),
-        VMSTATE_INT32(highspeed, SB16State),
-        VMSTATE_INT32(can_write, SB16State),
-        VMSTATE_INT32(v2x6, SB16State),
-
-        VMSTATE_UINT8(csp_param, SB16State),
-        VMSTATE_UINT8(csp_value, SB16State),
-        VMSTATE_UINT8(csp_mode, SB16State),
-        VMSTATE_UINT8(csp_param, SB16State),
-        VMSTATE_BUFFER(csp_regs, SB16State),
-        VMSTATE_UINT8(csp_index, SB16State),
-        VMSTATE_BUFFER(csp_reg83, SB16State),
-        VMSTATE_INT32(csp_reg83r, SB16State),
-        VMSTATE_INT32(csp_reg83w, SB16State),
-
-        VMSTATE_BUFFER(in2_data, SB16State),
-        VMSTATE_BUFFER(out_data, SB16State),
-        VMSTATE_UINT8(test_reg, SB16State),
-        VMSTATE_UINT8(last_read_byte, SB16State),
-
-        VMSTATE_INT32(nzero, SB16State),
-        VMSTATE_INT32(left_till_irq, SB16State),
-        VMSTATE_INT32(dma_running, SB16State),
-        VMSTATE_INT32(bytes_per_second, SB16State),
-        VMSTATE_INT32(align, SB16State),
-
-        VMSTATE_INT32(mixer_nreg, SB16State),
-        VMSTATE_BUFFER(mixer_regs, SB16State),
-
-        VMSTATE_END_OF_LIST()
+        VMSTATE_UINT32 (irq, SB16State),
+        VMSTATE_UINT32 (dma, SB16State),
+        VMSTATE_UINT32 (hdma, SB16State),
+        VMSTATE_UINT32 (port, SB16State),
+        VMSTATE_UINT32 (ver, SB16State),
+        VMSTATE_INT32 (in_index, SB16State),
+        VMSTATE_INT32 (out_data_len, SB16State),
+        VMSTATE_INT32 (fmt_stereo, SB16State),
+        VMSTATE_INT32 (fmt_signed, SB16State),
+        VMSTATE_INT32 (fmt_bits, SB16State),
+        VMSTATE_UINT32 (fmt, SB16State),
+        VMSTATE_INT32 (dma_auto, SB16State),
+        VMSTATE_INT32 (block_size, SB16State),
+        VMSTATE_INT32 (fifo, SB16State),
+        VMSTATE_INT32 (freq, SB16State),
+        VMSTATE_INT32 (time_const, SB16State),
+        VMSTATE_INT32 (speaker, SB16State),
+        VMSTATE_INT32 (needed_bytes, SB16State),
+        VMSTATE_INT32 (cmd, SB16State),
+        VMSTATE_INT32 (use_hdma, SB16State),
+        VMSTATE_INT32 (highspeed, SB16State),
+        VMSTATE_INT32 (can_write, SB16State),
+        VMSTATE_INT32 (v2x6, SB16State),
+
+        VMSTATE_UINT8 (csp_param, SB16State),
+        VMSTATE_UINT8 (csp_value, SB16State),
+        VMSTATE_UINT8 (csp_mode, SB16State),
+        VMSTATE_UINT8 (csp_param, SB16State),
+        VMSTATE_BUFFER (csp_regs, SB16State),
+        VMSTATE_UINT8 (csp_index, SB16State),
+        VMSTATE_BUFFER (csp_reg83, SB16State),
+        VMSTATE_INT32 (csp_reg83r, SB16State),
+        VMSTATE_INT32 (csp_reg83w, SB16State),
+
+        VMSTATE_BUFFER (in2_data, SB16State),
+        VMSTATE_BUFFER (out_data, SB16State),
+        VMSTATE_UINT8 (test_reg, SB16State),
+        VMSTATE_UINT8 (last_read_byte, SB16State),
+
+        VMSTATE_INT32 (nzero, SB16State),
+        VMSTATE_INT32 (left_till_irq, SB16State),
+        VMSTATE_INT32 (dma_running, SB16State),
+        VMSTATE_INT32 (bytes_per_second, SB16State),
+        VMSTATE_INT32 (align, SB16State),
+
+        VMSTATE_INT32 (mixer_nreg, SB16State),
+        VMSTATE_BUFFER (mixer_regs, SB16State),
+
+        VMSTATE_END_OF_LIST ()
     }
 };
 
@@ -1349,7 +1349,7 @@ static const MemoryRegionPortio sb16_ioport_list[] = {
     { 10, 1, 1, .read = dsp_read },
     { 12, 1, 1, .write = dsp_write },
     { 12, 4, 1, .read = dsp_read },
-    PORTIO_END_OF_LIST(),
+    PORTIO_END_OF_LIST (),
 };
 
 
@@ -1400,10 +1400,10 @@ static Property sb16_properties[] = {
     DEFINE_PROP_END_OF_LIST (),
 };
 
-static void sb16_class_initfn(ObjectClass *klass, void *data)
+static void sb16_class_initfn (ObjectClass *klass, void *data)
 {
-    DeviceClass *dc = DEVICE_CLASS(klass);
-    ISADeviceClass *ic = ISA_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS (klass);
+    ISADeviceClass *ic = ISA_DEVICE_CLASS (klass);
     ic->init = sb16_initfn;
     dc->desc = "Creative Sound Blaster 16";
     dc->vmsd = &vmstate_sb16;
@@ -1419,6 +1419,6 @@ static TypeInfo sb16_info = {
 
 static void sb16_register (void)
 {
-    type_register_static(&sb16_info);
+    type_register_static (&sb16_info);
 }
 device_init (sb16_register)
commit edc1de97138af028bba216ef71d1d995834829df
Author: Stefan Weil <sw at weilnetz.de>
Date:   Tue Jan 31 07:14:15 2012 +0100

    w32: Initialise critical section before starting thread (fix #922131)
    
    This patch was contributed by Bogdan Harjoc. I added some assertions.
    
    Reviewed-by: Paolo Bonzini <pbonzini at redhat.com>
    Signed-off-by: Stefan Weil <sw at weilnetz.de>

diff --git a/qemu-thread-win32.c b/qemu-thread-win32.c
index fe9b931..3524c8b 100644
--- a/qemu-thread-win32.c
+++ b/qemu-thread-win32.c
@@ -215,8 +215,6 @@ static unsigned __stdcall win32_start_routine(void *arg)
     if (data->mode == QEMU_THREAD_DETACHED) {
         g_free(data);
         data = NULL;
-    } else {
-        InitializeCriticalSection(&data->cs);
     }
     TlsSetValue(qemu_thread_tls_index, data);
     qemu_thread_exit(start_routine(thread_arg));
@@ -227,6 +225,7 @@ void qemu_thread_exit(void *arg)
 {
     QemuThreadData *data = TlsGetValue(qemu_thread_tls_index);
     if (data) {
+        assert(data->mode != QEMU_THREAD_DETACHED);
         data->ret = arg;
         EnterCriticalSection(&data->cs);
         data->exited = true;
@@ -258,6 +257,7 @@ void *qemu_thread_join(QemuThread *thread)
         CloseHandle(handle);
     }
     ret = data->ret;
+    assert(data->mode != QEMU_THREAD_DETACHED);
     DeleteCriticalSection(&data->cs);
     g_free(data);
     return ret;
@@ -288,6 +288,10 @@ void qemu_thread_create(QemuThread *thread,
     data->mode = mode;
     data->exited = false;
 
+    if (data->mode != QEMU_THREAD_DETACHED) {
+        InitializeCriticalSection(&data->cs);
+    }
+
     hThread = (HANDLE) _beginthreadex(NULL, 0, win32_start_routine,
                                       data, 0, &thread->tid);
     if (!hThread) {
@@ -314,6 +318,7 @@ HANDLE qemu_thread_get_handle(QemuThread *thread)
         return NULL;
     }
 
+    assert(data->mode != QEMU_THREAD_DETACHED);
     EnterCriticalSection(&data->cs);
     if (!data->exited) {
         handle = OpenThread(SYNCHRONIZE | THREAD_SUSPEND_RESUME, FALSE,
commit 0fa5491eed8ff4fe63cb63c93ce37ff76de7c010
Author: Stefan Weil <sw at weilnetz.de>
Date:   Thu Dec 22 11:18:53 2011 +0100

    w32: Build windows and console executables
    
    System emulation executables with SDL are typically windows
    executables. Sometimes console executables are more useful,
    so create both variants if linker option -mwindows was detected.
    
    v2:
    This version uses QEMU_PROGW / QEMU_PROG instead of QEMU_PROG / QEMU_PROGC.
    
    Signed-off-by: Stefan Weil <sw at weilnetz.de>

diff --git a/Makefile.target b/Makefile.target
index 68481a3..7ed4979 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -29,10 +29,17 @@ ifdef CONFIG_USER_ONLY
 QEMU_PROG=qemu-$(TARGET_ARCH2)
 else
 # system emulator name
+ifneq (,$(findstring -mwindows,$(LIBS)))
+# Terminate program name with a 'w' because the linker builds a windows executable.
+QEMU_PROGW=qemu-system-$(TARGET_ARCH2)w$(EXESUF)
+endif # windows executable
 QEMU_PROG=qemu-system-$(TARGET_ARCH2)$(EXESUF)
 endif
 
 PROGS=$(QEMU_PROG)
+ifdef QEMU_PROGW
+PROGS+=$(QEMU_PROGW)
+endif
 STPFILES=
 
 ifndef CONFIG_HAIKU
@@ -407,9 +414,16 @@ endif # CONFIG_LINUX_USER
 
 obj-$(CONFIG_GDBSTUB_XML) += gdbstub-xml.o
 
+ifdef QEMU_PROGW
+# The linker builds a windows executable. Make also a console executable.
+$(QEMU_PROGW): $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y)
+	$(call LINK,$^)
+$(QEMU_PROG): $(QEMU_PROGW)
+	$(call quiet-command,$(OBJCOPY) --subsystem console $(QEMU_PROGW) $(QEMU_PROG),"  GEN   $(TARGET_DIR)$(QEMU_PROG)")
+else
 $(QEMU_PROG): $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y)
 	$(call LINK,$^)
-
+endif
 
 gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/scripts/feature_to_c.sh
 	$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES),"  GEN   $(TARGET_DIR)$@")
commit a3d4a1b0479414fc4d59368a0635640979a9e4d2
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 22:51:09 2012 +0100

    qdev: remove unused fields from PropertyInfo
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-addr.c b/hw/qdev-addr.c
index 8daa733..0bb16c7 100644
--- a/hw/qdev-addr.c
+++ b/hw/qdev-addr.c
@@ -61,8 +61,6 @@ static void set_taddr(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_taddr = {
     .name  = "taddr",
-    .type  = PROP_TYPE_TADDR,
-    .size  = sizeof(target_phys_addr_t),
     .parse = parse_taddr,
     .print = print_taddr,
     .get   = get_taddr,
diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 49bed30..b6d6fcf 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -12,7 +12,7 @@ void *qdev_get_prop_ptr(DeviceState *dev, Property *prop)
 
 static uint32_t qdev_get_prop_mask(Property *prop)
 {
-    assert(prop->info->type == PROP_TYPE_BIT);
+    assert(prop->info == &qdev_prop_bit);
     return 0x1 << prop->bitnr;
 }
 
@@ -79,8 +79,6 @@ static void set_bit(Object *obj, Visitor *v, void *opaque,
 PropertyInfo qdev_prop_bit = {
     .name  = "boolean",
     .legacy_name  = "on/off",
-    .type  = PROP_TYPE_BIT,
-    .size  = sizeof(uint32_t),
     .parse = parse_bit,
     .print = print_bit,
     .get   = get_bit,
@@ -151,8 +149,6 @@ static void set_int8(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_uint8 = {
     .name  = "uint8",
-    .type  = PROP_TYPE_UINT8,
-    .size  = sizeof(uint8_t),
     .parse = parse_uint8,
     .print = print_uint8,
     .get   = get_int8,
@@ -185,8 +181,6 @@ static int print_hex8(DeviceState *dev, Property *prop, char *dest, size_t len)
 PropertyInfo qdev_prop_hex8 = {
     .name  = "uint8",
     .legacy_name  = "hex8",
-    .type  = PROP_TYPE_UINT8,
-    .size  = sizeof(uint8_t),
     .parse = parse_hex8,
     .print = print_hex8,
     .get   = get_int8,
@@ -259,8 +253,6 @@ static void set_int16(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_uint16 = {
     .name  = "uint16",
-    .type  = PROP_TYPE_UINT16,
-    .size  = sizeof(uint16_t),
     .parse = parse_uint16,
     .print = print_uint16,
     .get   = get_int16,
@@ -333,8 +325,6 @@ static void set_int32(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_uint32 = {
     .name  = "uint32",
-    .type  = PROP_TYPE_UINT32,
-    .size  = sizeof(uint32_t),
     .parse = parse_uint32,
     .print = print_uint32,
     .get   = get_int32,
@@ -364,8 +354,6 @@ static int print_int32(DeviceState *dev, Property *prop, char *dest, size_t len)
 
 PropertyInfo qdev_prop_int32 = {
     .name  = "int32",
-    .type  = PROP_TYPE_INT32,
-    .size  = sizeof(int32_t),
     .parse = parse_int32,
     .print = print_int32,
     .get   = get_int32,
@@ -398,8 +386,6 @@ static int print_hex32(DeviceState *dev, Property *prop, char *dest, size_t len)
 PropertyInfo qdev_prop_hex32 = {
     .name  = "uint32",
     .legacy_name  = "hex32",
-    .type  = PROP_TYPE_UINT32,
-    .size  = sizeof(uint32_t),
     .parse = parse_hex32,
     .print = print_hex32,
     .get   = get_int32,
@@ -457,8 +443,6 @@ static void set_int64(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_uint64 = {
     .name  = "uint64",
-    .type  = PROP_TYPE_UINT64,
-    .size  = sizeof(uint64_t),
     .parse = parse_uint64,
     .print = print_uint64,
     .get   = get_int64,
@@ -489,8 +473,6 @@ static int print_hex64(DeviceState *dev, Property *prop, char *dest, size_t len)
 PropertyInfo qdev_prop_hex64 = {
     .name  = "uint64",
     .legacy_name  = "hex64",
-    .type  = PROP_TYPE_UINT64,
-    .size  = sizeof(uint64_t),
     .parse = parse_hex64,
     .print = print_hex64,
     .get   = get_int64,
@@ -559,8 +541,6 @@ static void set_string(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_string = {
     .name  = "string",
-    .type  = PROP_TYPE_STRING,
-    .size  = sizeof(char*),
     .print = print_string,
     .release = release_string,
     .get   = get_string,
@@ -655,8 +635,6 @@ static void set_drive(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_drive = {
     .name  = "drive",
-    .type  = PROP_TYPE_DRIVE,
-    .size  = sizeof(BlockDriverState *),
     .get   = get_drive,
     .set   = set_drive,
     .release = release_drive,
@@ -711,8 +689,6 @@ static void set_chr(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_chr = {
     .name  = "chr",
-    .type  = PROP_TYPE_CHR,
-    .size  = sizeof(CharDriverState*),
     .get   = get_chr,
     .set   = set_chr,
     .release = release_chr,
@@ -755,8 +731,6 @@ static void set_netdev(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_netdev = {
     .name  = "netdev",
-    .type  = PROP_TYPE_NETDEV,
-    .size  = sizeof(VLANClientState*),
     .get   = get_netdev,
     .set   = set_netdev,
 };
@@ -834,8 +808,6 @@ static void set_vlan(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_vlan = {
     .name  = "vlan",
-    .type  = PROP_TYPE_VLAN,
-    .size  = sizeof(VLANClientState*),
     .parse = parse_vlan,
     .print = print_vlan,
     .get   = get_vlan,
@@ -847,8 +819,6 @@ PropertyInfo qdev_prop_vlan = {
 /* Not a proper property, just for dirty hacks.  TODO Remove it!  */
 PropertyInfo qdev_prop_ptr = {
     .name  = "ptr",
-    .type  = PROP_TYPE_PTR,
-    .size  = sizeof(void*),
 };
 
 /* --- mac address --- */
@@ -917,8 +887,6 @@ inval:
 
 PropertyInfo qdev_prop_macaddr = {
     .name  = "macaddr",
-    .type  = PROP_TYPE_MACADDR,
-    .size  = sizeof(MACAddr),
     .get   = get_mac,
     .set   = set_mac,
 };
@@ -965,8 +933,6 @@ static void set_enum(Object *obj, Visitor *v, void *opaque,
 
 PropertyInfo qdev_prop_losttickpolicy = {
     .name  = "LostTickPolicy",
-    .type  = PROP_TYPE_LOSTTICKPOLICY,
-    .size  = sizeof(LostTickPolicy),
     .enum_table  = lost_tick_policy_table,
     .get   = get_enum,
     .set   = set_enum,
@@ -1012,8 +978,6 @@ static int print_pci_devfn(DeviceState *dev, Property *prop, char *dest, size_t
 PropertyInfo qdev_prop_pci_devfn = {
     .name  = "int32",
     .legacy_name  = "pci-devfn",
-    .type  = PROP_TYPE_UINT32,
-    .size  = sizeof(uint32_t),
     .parse = parse_pci_devfn,
     .print = print_pci_devfn,
     .get   = get_int32,
diff --git a/hw/qdev.h b/hw/qdev.h
index a3bcf0b..9cc3f98 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -117,30 +117,9 @@ struct Property {
     int64_t      defval;
 };
 
-enum PropertyType {
-    PROP_TYPE_UNSPEC = 0,
-    PROP_TYPE_UINT8,
-    PROP_TYPE_UINT16,
-    PROP_TYPE_UINT32,
-    PROP_TYPE_INT32,
-    PROP_TYPE_UINT64,
-    PROP_TYPE_TADDR,
-    PROP_TYPE_MACADDR,
-    PROP_TYPE_LOSTTICKPOLICY,
-    PROP_TYPE_DRIVE,
-    PROP_TYPE_CHR,
-    PROP_TYPE_STRING,
-    PROP_TYPE_NETDEV,
-    PROP_TYPE_VLAN,
-    PROP_TYPE_PTR,
-    PROP_TYPE_BIT,
-};
-
 struct PropertyInfo {
     const char *name;
     const char *legacy_name;
-    size_t size;
-    enum PropertyType type;
     const char **enum_table;
     int64_t min;
     int64_t max;
commit 4f2d3d705c1ae7dce29254e2c4645c84e77a74d4
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 09:43:02 2012 +0100

    qdev: initialize properties via QOM
    
    Similarly, use the object properties also to set the default
    values of the qdev properties.  This requires reordering
    registration and initialization.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index b3cd2a8..49bed30 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -26,17 +26,6 @@ static void bit_prop_set(DeviceState *dev, Property *props, bool val)
         *p &= ~mask;
 }
 
-static void qdev_prop_cpy(DeviceState *dev, Property *props, void *src)
-{
-    if (props->info->type == PROP_TYPE_BIT) {
-        bool *defval = src;
-        bit_prop_set(dev, props, *defval);
-    } else {
-        char *dst = qdev_get_prop_ptr(dev, props);
-        memcpy(dst, src, props->info->size);
-    }
-}
-
 /* Bit */
 static int parse_bit(DeviceState *dev, Property *prop, const char *str)
 {
@@ -1241,13 +1230,23 @@ void qdev_prop_set_ptr(DeviceState *dev, const char *name, void *value)
 
 void qdev_prop_set_defaults(DeviceState *dev, Property *props)
 {
+    Object *obj = OBJECT(dev);
     if (!props)
         return;
-    while (props->name) {
-        if (props->defval) {
-            qdev_prop_cpy(dev, props, props->defval);
+    for (; props->name; props++) {
+        Error *errp = NULL;
+        if (props->qtype == QTYPE_NONE) {
+            continue;
         }
-        props++;
+        if (props->qtype == QTYPE_QBOOL) {
+            object_property_set_bool(obj, props->defval, props->name, &errp);
+        } else if (props->info->enum_table) {
+            object_property_set_str(obj, props->info->enum_table[props->defval],
+                                    props->name, &errp);
+        } else if (props->qtype == QTYPE_QINT) {
+            object_property_set_int(obj, props->defval, props->name, &errp);
+        }
+        assert(!errp);
     }
 }
 
diff --git a/hw/qdev.c b/hw/qdev.c
index 487ca5d..8a413ef 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -86,11 +86,11 @@ void qdev_set_parent_bus(DeviceState *dev, BusState *bus)
     dev->parent_bus = bus;
     QTAILQ_INSERT_HEAD(&bus->children, dev, sibling);
 
-    qdev_prop_set_defaults(dev, dev->parent_bus->info->props);
     for (prop = qdev_get_bus_info(dev)->props; prop && prop->name; prop++) {
         qdev_property_add_legacy(dev, prop, NULL);
         qdev_property_add_static(dev, prop, NULL);
     }
+    qdev_prop_set_defaults(dev, dev->parent_bus->info->props);
 }
 
 /* Create a new device.  This only initializes the device state structure
@@ -612,13 +612,13 @@ static void device_initfn(Object *obj)
     dev->instance_id_alias = -1;
     dev->state = DEV_STATE_CREATED;
 
-    qdev_prop_set_defaults(dev, qdev_get_props(dev));
     for (prop = qdev_get_props(dev); prop && prop->name; prop++) {
         qdev_property_add_legacy(dev, prop, NULL);
         qdev_property_add_static(dev, prop, NULL);
     }
 
     object_property_add_str(OBJECT(dev), "type", qdev_get_type, NULL, NULL);
+    qdev_prop_set_defaults(dev, qdev_get_props(dev));
 }
 
 /* Unlink device from bus and free the structure.  */
diff --git a/hw/qdev.h b/hw/qdev.h
index 9ccd5c3..a3bcf0b 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -112,8 +112,9 @@ struct Property {
     const char   *name;
     PropertyInfo *info;
     int          offset;
-    int          bitnr;
-    void         *defval;
+    uint8_t      bitnr;
+    uint8_t      qtype;
+    int64_t      defval;
 };
 
 enum PropertyType {
@@ -255,7 +256,8 @@ extern PropertyInfo qdev_prop_pci_devfn;
         .info      = &(_prop),                                          \
         .offset    = offsetof(_state, _field)                           \
             + type_check(_type,typeof_field(_state, _field)),           \
-        .defval    = (_type[]) { _defval },                             \
+        .qtype     = QTYPE_QINT,                                        \
+        .defval    = (_type)_defval,                                    \
         }
 #define DEFINE_PROP_BIT(_name, _state, _field, _bit, _defval) {  \
         .name      = (_name),                                    \
@@ -263,7 +265,8 @@ extern PropertyInfo qdev_prop_pci_devfn;
         .bitnr    = (_bit),                                      \
         .offset    = offsetof(_state, _field)                    \
             + type_check(uint32_t,typeof_field(_state, _field)), \
-        .defval    = (bool[]) { (_defval) },                     \
+        .qtype     = QTYPE_QBOOL,                                \
+        .defval    = (bool)_defval,                              \
         }
 
 #define DEFINE_PROP_UINT8(_n, _s, _f, _d)                       \
commit 7a7aae21ccab06606cee9aba846d2e30cb616763
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 16:58:31 2012 +0100

    qdev: inline qdev_prop_set into qdev_prop_set_ptr
    
    qdev_prop_set is not needed anymore except for hacks, simplify it and
    inline it.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 5a11676..b3cd2a8 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -1115,24 +1115,6 @@ int qdev_prop_parse(DeviceState *dev, const char *name, const char *value)
     return 0;
 }
 
-static void qdev_prop_set(DeviceState *dev, const char *name, void *src, enum PropertyType type)
-{
-    Property *prop;
-
-    prop = qdev_prop_find(dev, name);
-    if (!prop) {
-        fprintf(stderr, "%s: property \"%s.%s\" not found\n",
-                __FUNCTION__, object_get_typename(OBJECT(dev)), name);
-        abort();
-    }
-    if (prop->info->type != type) {
-        fprintf(stderr, "%s: property \"%s.%s\" type mismatch\n",
-                __FUNCTION__, object_get_typename(OBJECT(dev)), name);
-        abort();
-    }
-    qdev_prop_cpy(dev, prop, src);
-}
-
 void qdev_prop_set_bit(DeviceState *dev, const char *name, bool value)
 {
     Error *errp = NULL;
@@ -1248,7 +1230,13 @@ void qdev_prop_set_enum(DeviceState *dev, const char *name, int value)
 
 void qdev_prop_set_ptr(DeviceState *dev, const char *name, void *value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_PTR);
+    Property *prop;
+    void **ptr;
+
+    prop = qdev_prop_find(dev, name);
+    assert(prop && prop->info == &qdev_prop_ptr);
+    ptr = qdev_get_prop_ptr(dev, prop);
+    *ptr = value;
 }
 
 void qdev_prop_set_defaults(DeviceState *dev, Property *props)
commit 9b170e60adc6dc01564128cf09f96ec923ed6526
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 12:51:44 2012 +0100

    qdev: access properties via QOM
    
    Do not poke anymore in the struct when accessing qdev properties.
    Instead, ask the object to set the right value.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-addr.c b/hw/qdev-addr.c
index 5976dcd..8daa733 100644
--- a/hw/qdev-addr.c
+++ b/hw/qdev-addr.c
@@ -71,5 +71,8 @@ PropertyInfo qdev_prop_taddr = {
 
 void qdev_prop_set_taddr(DeviceState *dev, const char *name, target_phys_addr_t value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_TADDR);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value, name, &errp);
+    assert(!errp);
+
 }
diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index debb37f..5a11676 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -1115,7 +1115,7 @@ int qdev_prop_parse(DeviceState *dev, const char *name, const char *value)
     return 0;
 }
 
-void qdev_prop_set(DeviceState *dev, const char *name, void *src, enum PropertyType type)
+static void qdev_prop_set(DeviceState *dev, const char *name, void *src, enum PropertyType type)
 {
     Property *prop;
 
@@ -1135,52 +1135,63 @@ void qdev_prop_set(DeviceState *dev, const char *name, void *src, enum PropertyT
 
 void qdev_prop_set_bit(DeviceState *dev, const char *name, bool value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_BIT);
+    Error *errp = NULL;
+    object_property_set_bool(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_uint8(DeviceState *dev, const char *name, uint8_t value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_UINT8);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_uint16(DeviceState *dev, const char *name, uint16_t value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_UINT16);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_uint32(DeviceState *dev, const char *name, uint32_t value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_UINT32);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_int32(DeviceState *dev, const char *name, int32_t value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_INT32);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_uint64(DeviceState *dev, const char *name, uint64_t value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_UINT64);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_string(DeviceState *dev, const char *name, char *value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_STRING);
+    Error *errp = NULL;
+    object_property_set_str(OBJECT(dev), value, name, &errp);
+    assert(!errp);
 }
 
 int qdev_prop_set_drive(DeviceState *dev, const char *name, BlockDriverState *value)
 {
-    int res;
-
-    res = bdrv_attach_dev(value, dev);
-    if (res < 0) {
-        error_report("Can't attach drive %s to %s.%s: %s",
-                     bdrv_get_device_name(value),
-                     dev->id ? dev->id : object_get_typename(OBJECT(dev)),
-                     name, strerror(-res));
+    Error *errp = NULL;
+    object_property_set_str(OBJECT(dev), bdrv_get_device_name(value),
+                            name, &errp);
+    if (errp) {
+        qerror_report_err(errp);
+        error_free(errp);
         return -1;
     }
-    qdev_prop_set(dev, name, &value, PROP_TYPE_DRIVE);
     return 0;
 }
 
@@ -1192,28 +1203,47 @@ void qdev_prop_set_drive_nofail(DeviceState *dev, const char *name, BlockDriverS
 }
 void qdev_prop_set_chr(DeviceState *dev, const char *name, CharDriverState *value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_CHR);
+    Error *errp = NULL;
+    assert(value->label);
+    object_property_set_str(OBJECT(dev), value->label, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_netdev(DeviceState *dev, const char *name, VLANClientState *value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_NETDEV);
+    Error *errp = NULL;
+    assert(value->name);
+    object_property_set_str(OBJECT(dev), value->name, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_vlan(DeviceState *dev, const char *name, VLANState *value)
 {
-    qdev_prop_set(dev, name, &value, PROP_TYPE_VLAN);
+    Error *errp = NULL;
+    object_property_set_int(OBJECT(dev), value ? value->id : -1, name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_macaddr(DeviceState *dev, const char *name, uint8_t *value)
 {
-    qdev_prop_set(dev, name, value, PROP_TYPE_MACADDR);
+    Error *errp = NULL;
+    char str[2 * 6 + 5 + 1];
+    snprintf(str, sizeof(str), "%02x:%02x:%02x:%02x:%02x:%02x",
+             value[0], value[1], value[2], value[3], value[4], value[5]);
+
+    object_property_set_str(OBJECT(dev), str, name, &errp);
+    assert(!errp);
 }
 
-void qdev_prop_set_losttickpolicy(DeviceState *dev, const char *name,
-                                  LostTickPolicy *value)
+void qdev_prop_set_enum(DeviceState *dev, const char *name, int value)
 {
-    qdev_prop_set(dev, name, value, PROP_TYPE_LOSTTICKPOLICY);
+    Property *prop;
+    Error *errp = NULL;
+
+    prop = qdev_prop_find(dev, name);
+    object_property_set_str(OBJECT(dev), prop->info->enum_table[value],
+                            name, &errp);
+    assert(!errp);
 }
 
 void qdev_prop_set_ptr(DeviceState *dev, const char *name, void *value)
diff --git a/hw/qdev.h b/hw/qdev.h
index acccf26..9ccd5c3 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -310,7 +310,6 @@ extern PropertyInfo qdev_prop_pci_devfn;
 void *qdev_get_prop_ptr(DeviceState *dev, Property *prop);
 int qdev_prop_exists(DeviceState *dev, const char *name);
 int qdev_prop_parse(DeviceState *dev, const char *name, const char *value);
-void qdev_prop_set(DeviceState *dev, const char *name, void *src, enum PropertyType type);
 void qdev_prop_set_bit(DeviceState *dev, const char *name, bool value);
 void qdev_prop_set_uint8(DeviceState *dev, const char *name, uint8_t value);
 void qdev_prop_set_uint16(DeviceState *dev, const char *name, uint16_t value);
@@ -324,8 +323,7 @@ void qdev_prop_set_vlan(DeviceState *dev, const char *name, VLANState *value);
 int qdev_prop_set_drive(DeviceState *dev, const char *name, BlockDriverState *value) QEMU_WARN_UNUSED_RESULT;
 void qdev_prop_set_drive_nofail(DeviceState *dev, const char *name, BlockDriverState *value);
 void qdev_prop_set_macaddr(DeviceState *dev, const char *name, uint8_t *value);
-void qdev_prop_set_losttickpolicy(DeviceState *dev, const char *name,
-                                  LostTickPolicy *value);
+void qdev_prop_set_enum(DeviceState *dev, const char *name, int value);
 /* FIXME: Remove opaque pointer properties.  */
 void qdev_prop_set_ptr(DeviceState *dev, const char *name, void *value);
 void qdev_prop_set_defaults(DeviceState *dev, Property *props);
commit 6350b0904615cc0531cc3059ea34db5c009c88aa
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 16:19:21 2012 +0100

    qdev: fix off-by-one
    
    Integer properties did not work.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index d69a987..debb37f 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -151,7 +151,7 @@ static void set_int8(Object *obj, Visitor *v, void *opaque,
         error_propagate(errp, local_err);
         return;
     }
-    if (value > prop->info->min && value <= prop->info->max) {
+    if (value >= prop->info->min && value <= prop->info->max) {
         *ptr = value;
     } else {
         error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
@@ -259,7 +259,7 @@ static void set_int16(Object *obj, Visitor *v, void *opaque,
         error_propagate(errp, local_err);
         return;
     }
-    if (value > prop->info->min && value <= prop->info->max) {
+    if (value >= prop->info->min && value <= prop->info->max) {
         *ptr = value;
     } else {
         error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
@@ -333,7 +333,7 @@ static void set_int32(Object *obj, Visitor *v, void *opaque,
         error_propagate(errp, local_err);
         return;
     }
-    if (value > prop->info->min && value <= prop->info->max) {
+    if (value >= prop->info->min && value <= prop->info->max) {
         *ptr = value;
     } else {
         error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
commit dd0ba250ca83ed915ea192ab7539cdbb4e868c14
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 13:08:48 2012 +0100

    qdev: let QOM free properties
    
    Drop the special free callback.  Instead, register a "regular"
    release method in the non-legacy property.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 67995a3..d69a987 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -510,9 +510,10 @@ PropertyInfo qdev_prop_hex64 = {
 
 /* --- string --- */
 
-static void free_string(DeviceState *dev, Property *prop)
+static void release_string(Object *obj, const char *name, void *opaque)
 {
-    g_free(*(char **)qdev_get_prop_ptr(dev, prop));
+    Property *prop = opaque;
+    g_free(*(char **)qdev_get_prop_ptr(DEVICE(obj), prop));
 }
 
 static int print_string(DeviceState *dev, Property *prop, char *dest, size_t len)
@@ -572,7 +573,7 @@ PropertyInfo qdev_prop_string = {
     .type  = PROP_TYPE_STRING,
     .size  = sizeof(char*),
     .print = print_string,
-    .free  = free_string,
+    .release = release_string,
     .get   = get_string,
     .set   = set_string,
 };
@@ -592,8 +593,10 @@ static int parse_drive(DeviceState *dev, const char *str, void **ptr)
     return 0;
 }
 
-static void free_drive(DeviceState *dev, Property *prop)
+static void release_drive(Object *obj, const char *name, void *opaque)
 {
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
     BlockDriverState **ptr = qdev_get_prop_ptr(dev, prop);
 
     if (*ptr) {
@@ -667,7 +670,7 @@ PropertyInfo qdev_prop_drive = {
     .size  = sizeof(BlockDriverState *),
     .get   = get_drive,
     .set   = set_drive,
-    .free  = free_drive,
+    .release = release_drive,
 };
 
 /* --- character device --- */
@@ -686,8 +689,10 @@ static int parse_chr(DeviceState *dev, const char *str, void **ptr)
     return 0;
 }
 
-static void free_chr(DeviceState *dev, Property *prop)
+static void release_chr(Object *obj, const char *name, void *opaque)
 {
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
     CharDriverState **ptr = qdev_get_prop_ptr(dev, prop);
 
     if (*ptr) {
@@ -721,7 +726,7 @@ PropertyInfo qdev_prop_chr = {
     .size  = sizeof(CharDriverState*),
     .get   = get_chr,
     .set   = set_chr,
-    .free  = free_chr,
+    .release = release_chr,
 };
 
 /* --- netdev device --- */
diff --git a/hw/qdev.c b/hw/qdev.c
index 0205fe7..487ca5d 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -595,7 +595,7 @@ void qdev_property_add_static(DeviceState *dev, Property *prop,
 
     object_property_add(OBJECT(dev), prop->name, prop->info->name,
                         prop->info->get, prop->info->set,
-                        NULL,
+                        prop->info->release,
                         prop, errp);
 }
 
@@ -626,7 +626,6 @@ static void device_finalize(Object *obj)
 {
     DeviceState *dev = DEVICE(obj);
     BusState *bus;
-    Property *prop;
     DeviceClass *dc = DEVICE_GET_CLASS(dev);
 
     if (dev->state == DEV_STATE_INITIALIZED) {
@@ -645,11 +644,6 @@ static void device_finalize(Object *obj)
         }
     }
     QTAILQ_REMOVE(&dev->parent_bus->children, dev, sibling);
-    for (prop = qdev_get_props(dev); prop && prop->name; prop++) {
-        if (prop->info->free) {
-            prop->info->free(dev, prop);
-        }
-    }
 }
 
 void device_reset(DeviceState *dev)
diff --git a/hw/qdev.h b/hw/qdev.h
index c31dc4e..acccf26 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -145,9 +145,9 @@ struct PropertyInfo {
     int64_t max;
     int (*parse)(DeviceState *dev, Property *prop, const char *str);
     int (*print)(DeviceState *dev, Property *prop, char *dest, size_t len);
-    void (*free)(DeviceState *dev, Property *prop);
     ObjectPropertyAccessor *get;
     ObjectPropertyAccessor *set;
+    ObjectPropertyRelease *release;
 };
 
 typedef struct GlobalProperty {
commit 7b009e5d09ee7786a4fd848327b6a8d8d7c01f0d
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 13:01:40 2012 +0100

    qdev: remove parse/print methods for pointer properties
    
    Pointer properties (except for PROP_PTR of course) should not need a
    legacy counterpart.  In the future, relative paths will ensure that
    QEMU will support the same syntax as now for drives etc..
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 9a67cc5..67995a3 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -579,9 +579,8 @@ PropertyInfo qdev_prop_string = {
 
 /* --- drive --- */
 
-static int parse_drive(DeviceState *dev, Property *prop, const char *str)
+static int parse_drive(DeviceState *dev, const char *str, void **ptr)
 {
-    BlockDriverState **ptr = qdev_get_prop_ptr(dev, prop);
     BlockDriverState *bs;
 
     bs = bdrv_find(str);
@@ -603,35 +602,30 @@ static void free_drive(DeviceState *dev, Property *prop)
     }
 }
 
-static int print_drive(DeviceState *dev, Property *prop, char *dest, size_t len)
+static const char *print_drive(void *ptr)
 {
-    BlockDriverState **ptr = qdev_get_prop_ptr(dev, prop);
-    return snprintf(dest, len, "%s",
-                    *ptr ? bdrv_get_device_name(*ptr) : "<null>");
+    return bdrv_get_device_name(ptr);
 }
 
-static void get_generic(Object *obj, Visitor *v, void *opaque,
-                       const char *name, Error **errp)
+static void get_pointer(Object *obj, Visitor *v, Property *prop,
+                        const char *(*print)(void *ptr),
+                        const char *name, Error **errp)
 {
     DeviceState *dev = DEVICE(obj);
-    Property *prop = opaque;
     void **ptr = qdev_get_prop_ptr(dev, prop);
-    char buffer[1024];
-    char *p = buffer;
+    char *p;
 
-    buffer[0] = 0;
-    if (*ptr) {
-        prop->info->print(dev, prop, buffer, sizeof(buffer));
-    }
+    p = (char *) (*ptr ? print(*ptr) : "");
     visit_type_str(v, &p, name, errp);
 }
 
-static void set_generic(Object *obj, Visitor *v, void *opaque,
+static void set_pointer(Object *obj, Visitor *v, Property *prop,
+                        int (*parse)(DeviceState *dev, const char *str, void **ptr),
                         const char *name, Error **errp)
 {
     DeviceState *dev = DEVICE(obj);
-    Property *prop = opaque;
     Error *local_err = NULL;
+    void **ptr = qdev_get_prop_ptr(dev, prop);
     char *str;
     int ret;
 
@@ -650,36 +644,45 @@ static void set_generic(Object *obj, Visitor *v, void *opaque,
         error_set_from_qdev_prop_error(errp, EINVAL, dev, prop, str);
         return;
     }
-    ret = prop->info->parse(dev, prop, str);
+    ret = parse(dev, str, ptr);
     error_set_from_qdev_prop_error(errp, ret, dev, prop, str);
     g_free(str);
 }
 
+static void get_drive(Object *obj, Visitor *v, void *opaque,
+                      const char *name, Error **errp)
+{
+    get_pointer(obj, v, opaque, print_drive, name, errp);
+}
+
+static void set_drive(Object *obj, Visitor *v, void *opaque,
+                      const char *name, Error **errp)
+{
+    set_pointer(obj, v, opaque, parse_drive, name, errp);
+}
+
 PropertyInfo qdev_prop_drive = {
     .name  = "drive",
     .type  = PROP_TYPE_DRIVE,
     .size  = sizeof(BlockDriverState *),
-    .parse = parse_drive,
-    .print = print_drive,
-    .get   = get_generic,
-    .set   = set_generic,
+    .get   = get_drive,
+    .set   = set_drive,
     .free  = free_drive,
 };
 
 /* --- character device --- */
 
-static int parse_chr(DeviceState *dev, Property *prop, const char *str)
+static int parse_chr(DeviceState *dev, const char *str, void **ptr)
 {
-    CharDriverState **ptr = qdev_get_prop_ptr(dev, prop);
-
-    *ptr = qemu_chr_find(str);
-    if (*ptr == NULL) {
+    CharDriverState *chr = qemu_chr_find(str);
+    if (chr == NULL) {
         return -ENOENT;
     }
-    if ((*ptr)->avail_connections < 1) {
+    if (chr->avail_connections < 1) {
         return -EEXIST;
     }
-    --(*ptr)->avail_connections;
+    *ptr = chr;
+    --chr->avail_connections;
     return 0;
 }
 
@@ -693,62 +696,75 @@ static void free_chr(DeviceState *dev, Property *prop)
 }
 
 
-static int print_chr(DeviceState *dev, Property *prop, char *dest, size_t len)
+static const char *print_chr(void *ptr)
 {
-    CharDriverState **ptr = qdev_get_prop_ptr(dev, prop);
+    CharDriverState *chr = ptr;
 
-    if (*ptr && (*ptr)->label) {
-        return snprintf(dest, len, "%s", (*ptr)->label);
-    } else {
-        return snprintf(dest, len, "<null>");
-    }
+    return chr->label ? chr->label : "";
+}
+
+static void get_chr(Object *obj, Visitor *v, void *opaque,
+                    const char *name, Error **errp)
+{
+    get_pointer(obj, v, opaque, print_chr, name, errp);
+}
+
+static void set_chr(Object *obj, Visitor *v, void *opaque,
+                    const char *name, Error **errp)
+{
+    set_pointer(obj, v, opaque, parse_chr, name, errp);
 }
 
 PropertyInfo qdev_prop_chr = {
     .name  = "chr",
     .type  = PROP_TYPE_CHR,
     .size  = sizeof(CharDriverState*),
-    .parse = parse_chr,
-    .print = print_chr,
-    .get   = get_generic,
-    .set   = set_generic,
+    .get   = get_chr,
+    .set   = set_chr,
     .free  = free_chr,
 };
 
 /* --- netdev device --- */
 
-static int parse_netdev(DeviceState *dev, Property *prop, const char *str)
+static int parse_netdev(DeviceState *dev, const char *str, void **ptr)
 {
-    VLANClientState **ptr = qdev_get_prop_ptr(dev, prop);
+    VLANClientState *netdev = qemu_find_netdev(str);
 
-    *ptr = qemu_find_netdev(str);
-    if (*ptr == NULL)
+    if (netdev == NULL) {
         return -ENOENT;
-    if ((*ptr)->peer) {
+    }
+    if (netdev->peer) {
         return -EEXIST;
     }
+    *ptr = netdev;
     return 0;
 }
 
-static int print_netdev(DeviceState *dev, Property *prop, char *dest, size_t len)
+static const char *print_netdev(void *ptr)
 {
-    VLANClientState **ptr = qdev_get_prop_ptr(dev, prop);
+    VLANClientState *netdev = ptr;
 
-    if (*ptr && (*ptr)->name) {
-        return snprintf(dest, len, "%s", (*ptr)->name);
-    } else {
-        return snprintf(dest, len, "<null>");
-    }
+    return netdev->name ? netdev->name : "";
+}
+
+static void get_netdev(Object *obj, Visitor *v, void *opaque,
+                       const char *name, Error **errp)
+{
+    get_pointer(obj, v, opaque, print_netdev, name, errp);
+}
+
+static void set_netdev(Object *obj, Visitor *v, void *opaque,
+                       const char *name, Error **errp)
+{
+    set_pointer(obj, v, opaque, parse_netdev, name, errp);
 }
 
 PropertyInfo qdev_prop_netdev = {
     .name  = "netdev",
     .type  = PROP_TYPE_NETDEV,
     .size  = sizeof(VLANClientState*),
-    .parse = parse_netdev,
-    .print = print_netdev,
-    .get   = get_generic,
-    .set   = set_generic,
+    .get   = get_netdev,
+    .set   = set_netdev,
 };
 
 /* --- vlan --- */
commit b403298adb54ca683b895ebddd412dcb092cb780
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 17:12:19 2012 +0100

    qdev: make the non-legacy pci address property accept an integer
    
    PCI addresses are set with qdev_prop_uint32.  Thus we make the QOM
    property accept a device and function encoded in an 8-bit integer,
    instead of the magic dd.f hex string.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 42b9b24..9a67cc5 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -999,30 +999,20 @@ static int print_pci_devfn(DeviceState *dev, Property *prop, char *dest, size_t
     }
 }
 
-static void get_pci_devfn(Object *obj, Visitor *v, void *opaque,
-                          const char *name, Error **errp)
-{
-    DeviceState *dev = DEVICE(obj);
-    Property *prop = opaque;
-    uint32_t *ptr = qdev_get_prop_ptr(dev, prop);
-    char buffer[32];
-    char *p = buffer;
-
-    buffer[0] = 0;
-    if (*ptr != -1) {
-        snprintf(buffer, sizeof(buffer), "%02x.%x", *ptr >> 3, *ptr & 7);
-    }
-    visit_type_str(v, &p, name, errp);
-}
-
 PropertyInfo qdev_prop_pci_devfn = {
-    .name  = "pci-devfn",
+    .name  = "int32",
+    .legacy_name  = "pci-devfn",
     .type  = PROP_TYPE_UINT32,
     .size  = sizeof(uint32_t),
     .parse = parse_pci_devfn,
     .print = print_pci_devfn,
-    .get   = get_pci_devfn,
-    .set   = set_generic,
+    .get   = get_int32,
+    .set   = set_int32,
+    /* FIXME: this should be -1...255, but the address is stored
+     * into an uint32_t rather than int32_t.
+     */
+    .min   = 0,
+    .max   = 0xFFFFFFFFULL,
 };
 
 /* --- public helpers --- */
commit e39e5d60c9a65f36946454ddf8c9be9c582ffef8
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 17:08:47 2012 +0100

    qdev: remove parse/print methods for mac properties
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index dea287a..42b9b24 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -848,46 +848,69 @@ PropertyInfo qdev_prop_ptr = {
  *   01:02:03:04:05:06
  *   01-02-03-04-05-06
  */
-static int parse_mac(DeviceState *dev, Property *prop, const char *str)
+static void get_mac(Object *obj, Visitor *v, void *opaque,
+                    const char *name, Error **errp)
+{
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
+    MACAddr *mac = qdev_get_prop_ptr(dev, prop);
+    char buffer[2 * 6 + 5 + 1];
+    char *p = buffer;
+
+    snprintf(buffer, sizeof(buffer), "%02x:%02x:%02x:%02x:%02x:%02x",
+             mac->a[0], mac->a[1], mac->a[2],
+             mac->a[3], mac->a[4], mac->a[5]);
+
+    visit_type_str(v, &p, name, errp);
+}
+
+static void set_mac(Object *obj, Visitor *v, void *opaque,
+                    const char *name, Error **errp)
 {
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
     MACAddr *mac = qdev_get_prop_ptr(dev, prop);
+    Error *local_err = NULL;
     int i, pos;
-    char *p;
+    char *str, *p;
+
+    if (dev->state != DEV_STATE_CREATED) {
+        error_set(errp, QERR_PERMISSION_DENIED);
+        return;
+    }
+
+    visit_type_str(v, &str, name, &local_err);
+    if (local_err) {
+        error_propagate(errp, local_err);
+        return;
+    }
 
     for (i = 0, pos = 0; i < 6; i++, pos += 3) {
         if (!qemu_isxdigit(str[pos]))
-            return -EINVAL;
+            goto inval;
         if (!qemu_isxdigit(str[pos+1]))
-            return -EINVAL;
+            goto inval;
         if (i == 5) {
             if (str[pos+2] != '\0')
-                return -EINVAL;
+                goto inval;
         } else {
             if (str[pos+2] != ':' && str[pos+2] != '-')
-                return -EINVAL;
+                goto inval;
         }
         mac->a[i] = strtol(str+pos, &p, 16);
     }
-    return 0;
-}
-
-static int print_mac(DeviceState *dev, Property *prop, char *dest, size_t len)
-{
-    MACAddr *mac = qdev_get_prop_ptr(dev, prop);
+    return;
 
-    return snprintf(dest, len, "%02x:%02x:%02x:%02x:%02x:%02x",
-                    mac->a[0], mac->a[1], mac->a[2],
-                    mac->a[3], mac->a[4], mac->a[5]);
+inval:
+    error_set_from_qdev_prop_error(errp, EINVAL, dev, prop, str);
 }
 
 PropertyInfo qdev_prop_macaddr = {
     .name  = "macaddr",
     .type  = PROP_TYPE_MACADDR,
     .size  = sizeof(MACAddr),
-    .parse = parse_mac,
-    .print = print_mac,
-    .get   = get_generic,
-    .set   = set_generic,
+    .get   = get_mac,
+    .set   = set_mac,
 };
 
 
commit 1ce05125571e9dbbd16e1de0f8924fe45bef2bf0
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 22:09:44 2012 +0100

    qdev: remove print/parse methods from LostTickPolicy properties
    
    Also generalize the code so that we can have more enum properties
    in the future.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 1fc77b5..dea287a 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -893,50 +893,50 @@ PropertyInfo qdev_prop_macaddr = {
 
 /* --- lost tick policy --- */
 
-static const struct {
-    const char *name;
-    LostTickPolicy code;
-} lost_tick_policy_table[] = {
-    { .name = "discard", .code = LOST_TICK_DISCARD },
-    { .name = "delay", .code = LOST_TICK_DELAY },
-    { .name = "merge", .code = LOST_TICK_MERGE },
-    { .name = "slew", .code = LOST_TICK_SLEW },
+static const char *lost_tick_policy_table[LOST_TICK_MAX+1] = {
+    [LOST_TICK_DISCARD] = "discard",
+    [LOST_TICK_DELAY] = "delay",
+    [LOST_TICK_MERGE] = "merge",
+    [LOST_TICK_SLEW] = "slew",
+    [LOST_TICK_MAX] = NULL,
 };
 
-static int parse_lost_tick_policy(DeviceState *dev, Property *prop,
-                                  const char *str)
+QEMU_BUILD_BUG_ON(sizeof(LostTickPolicy) != sizeof(int));
+
+static void get_enum(Object *obj, Visitor *v, void *opaque,
+                     const char *name, Error **errp)
 {
-    LostTickPolicy *ptr = qdev_get_prop_ptr(dev, prop);
-    int i;
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
+    int *ptr = qdev_get_prop_ptr(dev, prop);
 
-    for (i = 0; i < ARRAY_SIZE(lost_tick_policy_table); i++) {
-        if (!strcasecmp(str, lost_tick_policy_table[i].name)) {
-            *ptr = lost_tick_policy_table[i].code;
-            break;
-        }
-    }
-    if (i == ARRAY_SIZE(lost_tick_policy_table)) {
-        return -EINVAL;
-    }
-    return 0;
+    visit_type_enum(v, ptr, prop->info->enum_table,
+                    prop->info->name, prop->name, errp);
 }
 
-static int print_lost_tick_policy(DeviceState *dev, Property *prop, char *dest,
-                                  size_t len)
+static void set_enum(Object *obj, Visitor *v, void *opaque,
+                     const char *name, Error **errp)
 {
-    LostTickPolicy *ptr = qdev_get_prop_ptr(dev, prop);
+    DeviceState *dev = DEVICE(obj);
+    Property *prop = opaque;
+    int *ptr = qdev_get_prop_ptr(dev, prop);
+
+    if (dev->state != DEV_STATE_CREATED) {
+        error_set(errp, QERR_PERMISSION_DENIED);
+        return;
+    }
 
-    return snprintf(dest, len, "%s", lost_tick_policy_table[*ptr].name);
+    visit_type_enum(v, ptr, prop->info->enum_table,
+                    prop->info->name, prop->name, errp);
 }
 
 PropertyInfo qdev_prop_losttickpolicy = {
-    .name  = "lost_tick_policy",
+    .name  = "LostTickPolicy",
     .type  = PROP_TYPE_LOSTTICKPOLICY,
     .size  = sizeof(LostTickPolicy),
-    .parse = parse_lost_tick_policy,
-    .print = print_lost_tick_policy,
-    .get   = get_generic,
-    .set   = set_generic,
+    .enum_table  = lost_tick_policy_table,
+    .get   = get_enum,
+    .set   = set_enum,
 };
 
 /* --- pci address --- */
diff --git a/hw/qdev.h b/hw/qdev.h
index ab53273..c31dc4e 100644
--- a/hw/qdev.h
+++ b/hw/qdev.h
@@ -140,6 +140,7 @@ struct PropertyInfo {
     const char *legacy_name;
     size_t size;
     enum PropertyType type;
+    const char **enum_table;
     int64_t min;
     int64_t max;
     int (*parse)(DeviceState *dev, Property *prop, const char *str);
diff --git a/qemu-common.h b/qemu-common.h
index 8b69a9e..9b997f8 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -255,6 +255,7 @@ typedef enum LostTickPolicy {
     LOST_TICK_DELAY,
     LOST_TICK_MERGE,
     LOST_TICK_SLEW,
+    LOST_TICK_MAX
 } LostTickPolicy;
 
 void tcg_exec_init(unsigned long tb_size);
commit acbac4a1dc974a3915760b4551336544c4360241
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 13:04:45 2012 +0100

    qdev: remove parse method for string properties
    
    We need the print method to put double quotes, but parsing is not special.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index 5e19ec8..1fc77b5 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -510,16 +510,6 @@ PropertyInfo qdev_prop_hex64 = {
 
 /* --- string --- */
 
-static int parse_string(DeviceState *dev, Property *prop, const char *str)
-{
-    char **ptr = qdev_get_prop_ptr(dev, prop);
-
-    if (*ptr)
-        g_free(*ptr);
-    *ptr = g_strdup(str);
-    return 0;
-}
-
 static void free_string(DeviceState *dev, Property *prop)
 {
     g_free(*(char **)qdev_get_prop_ptr(dev, prop));
@@ -581,7 +571,6 @@ PropertyInfo qdev_prop_string = {
     .name  = "string",
     .type  = PROP_TYPE_STRING,
     .size  = sizeof(char*),
-    .parse = parse_string,
     .print = print_string,
     .free  = free_string,
     .get   = get_string,
commit 68ee356941801d0a17fdc43b11ac3e6b72fcd597
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 10:17:19 2012 +0100

    qdev: allow reusing get/set for legacy property
    
    In some cases, a legacy property does need a special print method
    but not a special parse method.  In this case, we can reuse the get/set
    from the static (non-legacy) property.
    
    If neither parse nor print is needed, though, do not register the
    legacy property at all.  The previous patch ensures that the right
    fallback will be used.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev.c b/hw/qdev.c
index acb7829..0205fe7 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -550,21 +550,24 @@ static void qdev_set_legacy_property(Object *obj, Visitor *v, void *opaque,
  * Do not use this is new code!  Properties added through this interface will
  * be given names and types in the "legacy" namespace.
  *
- * Legacy properties are always processed as strings.  The format of the string
- * depends on the property type.
+ * Legacy properties are string versions of other OOM properties.  The format
+ * of the string depends on the property type.
  */
 void qdev_property_add_legacy(DeviceState *dev, Property *prop,
                               Error **errp)
 {
     gchar *name, *type;
 
+    if (!prop->info->print && !prop->info->parse) {
+        return;
+    }
     name = g_strdup_printf("legacy-%s", prop->name);
     type = g_strdup_printf("legacy<%s>",
                            prop->info->legacy_name ?: prop->info->name);
 
     object_property_add(OBJECT(dev), name, type,
-                        prop->info->print ? qdev_get_legacy_property : NULL,
-                        prop->info->parse ? qdev_set_legacy_property : NULL,
+                        prop->info->print ? qdev_get_legacy_property : prop->info->get,
+                        prop->info->parse ? qdev_set_legacy_property : prop->info->set,
                         NULL,
                         prop, errp);
 
commit d822979bdf80c3ea9752615af15f231b4c4ce547
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 09:47:13 2012 +0100

    qdev: remove direct calls to print/parse
    
    There's no need to call into ->parse and ->print manually.  The
    QOM legacy properties do that for us.
    
    Furthermore, in some cases legacy and static properties have exactly
    the same behavior, and we could drop the legacy properties right away.
    Add an appropriate fallback to prepare for this.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/hw/qdev-monitor.c b/hw/qdev-monitor.c
index 135c2bf..49f13ca 100644
--- a/hw/qdev-monitor.c
+++ b/hw/qdev-monitor.c
@@ -485,22 +485,26 @@ static void qbus_print(Monitor *mon, BusState *bus, int indent);
 static void qdev_print_props(Monitor *mon, DeviceState *dev, Property *props,
                              const char *prefix, int indent)
 {
-    char buf[64];
-
     if (!props)
         return;
-    while (props->name) {
-        /*
-         * TODO Properties without a print method are just for dirty
-         * hacks.  qdev_prop_ptr is the only such PropertyInfo.  It's
-         * marked for removal.  The test props->info->print should be
-         * removed along with it.
-         */
-        if (props->info->print) {
-            props->info->print(dev, props, buf, sizeof(buf));
-            qdev_printf("%s-prop: %s = %s\n", prefix, props->name, buf);
+    for (; props->name; props++) {
+        Error *err = NULL;
+        char *value;
+        char *legacy_name = g_strdup_printf("legacy-%s", props->name);
+        if (object_property_get_type(OBJECT(dev), legacy_name, NULL)) {
+            value = object_property_get_str(OBJECT(dev), legacy_name, &err);
+        } else {
+            value = object_property_get_str(OBJECT(dev), props->name, &err);
+        }
+        g_free(legacy_name);
+
+        if (err) {
+            error_free(err);
+            continue;
         }
-        props++;
+        qdev_printf("%s-prop: %s = %s\n", prefix, props->name,
+                    value && *value ? value : "<null>");
+        g_free(value);
     }
 }
 
diff --git a/hw/qdev-properties.c b/hw/qdev-properties.c
index c4583a1..5e19ec8 100644
--- a/hw/qdev-properties.c
+++ b/hw/qdev-properties.c
@@ -1073,24 +1073,18 @@ void error_set_from_qdev_prop_error(Error **errp, int ret, DeviceState *dev,
 
 int qdev_prop_parse(DeviceState *dev, const char *name, const char *value)
 {
-    Property *prop;
-    int ret;
+    char *legacy_name;
+    Error *err = NULL;
 
-    prop = qdev_prop_find(dev, name);
-    /*
-     * TODO Properties without a parse method are just for dirty
-     * hacks.  qdev_prop_ptr is the only such PropertyInfo.  It's
-     * marked for removal.  The test !prop->info->parse should be
-     * removed along with it.
-     */
-    if (!prop || !prop->info->parse) {
-        qerror_report(QERR_PROPERTY_NOT_FOUND, object_get_typename(OBJECT(dev)), name);
-        return -1;
+    legacy_name = g_strdup_printf("legacy-%s", name);
+    if (object_property_get_type(OBJECT(dev), legacy_name, NULL)) {
+        object_property_set_str(OBJECT(dev), value, legacy_name, &err);
+    } else {
+        object_property_set_str(OBJECT(dev), value, name, &err);
     }
-    ret = prop->info->parse(dev, prop, value);
-    if (ret < 0) {
-        Error *err;
-        error_set_from_qdev_prop_error(&err, ret, dev, prop, value);
+    g_free(legacy_name);
+
+    if (err) {
         qerror_report_err(err);
         error_free(err);
         return -1;
diff --git a/hw/qdev.c b/hw/qdev.c
index e3b53b7..acb7829 100644
--- a/hw/qdev.c
+++ b/hw/qdev.c
@@ -581,6 +581,15 @@ void qdev_property_add_legacy(DeviceState *dev, Property *prop,
 void qdev_property_add_static(DeviceState *dev, Property *prop,
                               Error **errp)
 {
+    /*
+     * TODO qdev_prop_ptr does not have getters or setters.  It must
+     * go now that it can be replaced with links.  The test should be
+     * removed along with it: all static properties are read/write.
+     */
+    if (!prop->info->get && !prop->info->set) {
+        return;
+    }
+
     object_property_add(OBJECT(dev), prop->name, prop->info->name,
                         prop->info->get, prop->info->set,
                         NULL,
commit 1d9c5a12cefcd914d99c32de9aac72966a4788ae
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 10:51:57 2012 +0100

    qom: add property get/set wrappers for links
    
    These can set a link to any object, as long as it is included in
    the composition tree.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index 6c36345..7d50da9 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -646,6 +646,30 @@ char *object_property_get_str(Object *obj, const char *name,
                               struct Error **errp);
 
 /**
+ * object_property_set_link:
+ * @value: the value to be written to the property
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Writes an object's canonical path to a property.
+ */
+void object_property_set_link(Object *obj, Object *value,
+                              const char *name, struct Error **errp);
+
+/**
+ * object_property_get_link:
+ * @obj: the object
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Returns: the value of the property, resolved from a path to an Object,
+ * or NULL if an error occurs (including when the property value is not a
+ * string or not a valid object path).
+ */
+Object *object_property_get_link(Object *obj, const char *name,
+                                 struct Error **errp);
+
+/**
  * object_property_set_bool:
  * @value: the value to be written to the property
  * @name: the name of the property
diff --git a/qom/object.c b/qom/object.c
index 686cca0..5e5b261 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -696,6 +696,30 @@ char *object_property_get_str(Object *obj, const char *name,
     return retval;
 }
 
+void object_property_set_link(Object *obj, Object *value,
+                              const char *name, Error **errp)
+{
+    object_property_set_str(obj, object_get_canonical_path(value),
+                            name, errp);
+}
+
+Object *object_property_get_link(Object *obj, const char *name,
+                                 Error **errp)
+{
+    char *str = object_property_get_str(obj, name, errp);
+    Object *target = NULL;
+
+    if (str && *str) {
+        target = object_resolve_path(str, NULL);
+        if (!target) {
+            error_set(errp, QERR_DEVICE_NOT_FOUND, str);
+        }
+    }
+
+    g_free(str);
+    return target;
+}
+
 void object_property_set_bool(Object *obj, bool value,
                               const char *name, Error **errp)
 {
commit a1e7efdcef38f7cba4a46e836f433c73d45d926f
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 15:59:53 2012 +0100

    qom: fix canonical paths vs. interfaces
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qom/object.c b/qom/object.c
index 2bd15b8..686cca0 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -805,6 +805,12 @@ void object_property_add_child(Object *obj, const char *name,
 {
     gchar *type;
 
+    /* Registering an interface object in the composition tree will mightily
+     * confuse object_get_canonical_path (which, on the other hand, knows how
+     * to get the canonical path of an interface object).
+     */
+    assert(!object_is_type(obj, type_interface));
+
     type = g_strdup_printf("child<%s>", object_get_typename(OBJECT(child)));
 
     object_property_add(obj, name, type, object_get_child_property,
@@ -898,6 +904,10 @@ gchar *object_get_canonical_path(Object *obj)
     Object *root = object_get_root();
     char *newpath = NULL, *path = NULL;
 
+    if (object_is_type(obj, type_interface)) {
+        obj = INTERFACE(obj)->obj;
+    }
+
     while (obj != root) {
         ObjectProperty *prop = NULL;
 
commit 11e35bfdc7f030f65844b34239bdde16e68b2468
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 12:37:53 2012 +0100

    qom: use object_resolve_path_type for links
    
    This allows to restrict partial matches to objects of the expected
    type.  It will let people use bare names to reference drives
    even though their name might be the same as a device's (e.g.
    -drive id=hd0,if=none,... -device ...,drive=hd0,id=hd0).
    
    As a useful byproduct, this fixes a problem with links of interface
    type.  When a link property's type is an interface, the code expects
    the implementation object (not the parent object) to be stored in the
    variable.  The parent object does not contain the right vtable.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qerror.c b/qerror.c
index 3d179c8..8e6efaf 100644
--- a/qerror.c
+++ b/qerror.c
@@ -48,6 +48,10 @@ static const QErrorStringTable qerror_table[] = {
         .desc      = "Could not add client",
     },
     {
+        .error_fmt = QERR_AMBIGUOUS_PATH,
+        .desc      = "Path '%(path)' does not uniquely identify a %(object)"
+    },
+    {
         .error_fmt = QERR_BAD_BUS_FOR_DEVICE,
         .desc      = "Device '%(device)' can't go on a %(bad_bus_type) bus",
     },
diff --git a/qerror.h b/qerror.h
index 8c36ddb..e8718bf 100644
--- a/qerror.h
+++ b/qerror.h
@@ -54,6 +54,9 @@ QError *qobject_to_qerror(const QObject *obj);
 #define QERR_ADD_CLIENT_FAILED \
     "{ 'class': 'AddClientFailed', 'data': {} }"
 
+#define QERR_AMBIGUOUS_PATH \
+    "{ 'class': 'AmbiguousPath', 'data': { 'path': %s } }"
+
 #define QERR_BAD_BUS_FOR_DEVICE \
     "{ 'class': 'BadBusForDevice', 'data': { 'device': %s, 'bad_bus_type': %s } }"
 
diff --git a/qom/object.c b/qom/object.c
index ea0efc6..2bd15b8 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -840,6 +840,7 @@ static void object_set_link_property(Object *obj, Visitor *v, void *opaque,
     bool ambiguous = false;
     const char *type;
     char *path;
+    gchar *target_type;
 
     type = object_property_get_type(obj, name, NULL);
 
@@ -847,28 +848,30 @@ static void object_set_link_property(Object *obj, Visitor *v, void *opaque,
 
     if (*child) {
         object_unref(*child);
+        *child = NULL;
     }
 
     if (strcmp(path, "") != 0) {
         Object *target;
 
-        target = object_resolve_path(path, &ambiguous);
-        if (target) {
-            /* Go from link<FOO> to FOO.  */
-            gchar *target_type = g_strndup(&type[5], strlen(type) - 6);
-            if (object_dynamic_cast(target, target_type)) {
-                object_ref(target);
-                *child = target;
-            } else {
-                error_set(errp, QERR_INVALID_PARAMETER_TYPE, name, type);
-            }
+        /* Go from link<FOO> to FOO.  */
+        target_type = g_strndup(&type[5], strlen(type) - 6);
+        target = object_resolve_path_type(path, target_type, &ambiguous);
 
-            g_free(target_type);
+        if (ambiguous) {
+            error_set(errp, QERR_AMBIGUOUS_PATH, path);
+        } else if (target) {
+            object_ref(target);
+            *child = target;
         } else {
-            error_set(errp, QERR_DEVICE_NOT_FOUND, path);
+            target = object_resolve_path(path, &ambiguous);
+            if (target || ambiguous) {
+                error_set(errp, QERR_INVALID_PARAMETER_TYPE, name, target_type);
+            } else {
+                error_set(errp, QERR_DEVICE_NOT_FOUND, path);
+            }
         }
-    } else {
-        *child = NULL;
+        g_free(target_type);
     }
 
     g_free(path);
commit 02fe2db6312ff894be9aa0b862b383cc9d94505a
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 11:21:01 2012 +0100

    qom: add object_resolve_path_type
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index b27f80e..6c36345 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -749,14 +749,35 @@ gchar *object_get_canonical_path(Object *obj);
  * specifying objects easy.  At each level of the composition tree, the partial
  * path is matched as an absolute path.  The first match is not returned.  At
  * least two matches are searched for.  A successful result is only returned if
- * only one match is founded.  If more than one match is found, a flag is
- * return to indicate that the match was ambiguous.
+ * only one match is found.  If more than one match is found, a flag is
+ * returned to indicate that the match was ambiguous.
  *
  * Returns: The matched object or NULL on path lookup failure.
  */
 Object *object_resolve_path(const char *path, bool *ambiguous);
 
 /**
+ * object_resolve_path_type:
+ * @path: the path to resolve
+ * @typename: the type to look for.
+ * @ambiguous: returns true if the path resolution failed because of an
+ *   ambiguous match
+ *
+ * This is similar to object_resolve_path.  However, when looking for a
+ * partial path only matches that implement the given type are considered.
+ * This restricts the search and avoids spuriously flagging matches as
+ * ambiguous.
+ *
+ * For both partial and absolute paths, the return value goes through
+ * a dynamic cast to @typename.  This is important if either the link,
+ * or the typename itself are of interface types.
+ *
+ * Returns: The matched object or NULL on path lookup failure.
+ */
+Object *object_resolve_path_type(const char *path, const char *typename,
+                                 bool *ambiguous);
+
+/**
  * object_property_add_child:
  * @obj: the object to add a property to
  * @name: the name of the property
diff --git a/qom/object.c b/qom/object.c
index 7fd37cb..ea0efc6 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -930,17 +930,18 @@ gchar *object_get_canonical_path(Object *obj)
 
 static Object *object_resolve_abs_path(Object *parent,
                                           gchar **parts,
+                                          const char *typename,
                                           int index)
 {
     ObjectProperty *prop;
     Object *child;
 
     if (parts[index] == NULL) {
-        return parent;
+        return object_dynamic_cast(parent, typename);
     }
 
     if (strcmp(parts[index], "") == 0) {
-        return object_resolve_abs_path(parent, parts, index + 1);
+        return object_resolve_abs_path(parent, parts, typename, index + 1);
     }
 
     prop = object_property_find(parent, parts[index]);
@@ -962,17 +963,18 @@ static Object *object_resolve_abs_path(Object *parent,
         return NULL;
     }
 
-    return object_resolve_abs_path(child, parts, index + 1);
+    return object_resolve_abs_path(child, parts, typename, index + 1);
 }
 
 static Object *object_resolve_partial_path(Object *parent,
                                               gchar **parts,
+                                              const char *typename,
                                               bool *ambiguous)
 {
     Object *obj;
     ObjectProperty *prop;
 
-    obj = object_resolve_abs_path(parent, parts, 0);
+    obj = object_resolve_abs_path(parent, parts, typename, 0);
 
     QTAILQ_FOREACH(prop, &parent->properties, node) {
         Object *found;
@@ -981,7 +983,8 @@ static Object *object_resolve_partial_path(Object *parent,
             continue;
         }
 
-        found = object_resolve_partial_path(prop->opaque, parts, ambiguous);
+        found = object_resolve_partial_path(prop->opaque, parts,
+                                            typename, ambiguous);
         if (found) {
             if (obj) {
                 if (ambiguous) {
@@ -1000,7 +1003,8 @@ static Object *object_resolve_partial_path(Object *parent,
     return obj;
 }
 
-Object *object_resolve_path(const char *path, bool *ambiguous)
+Object *object_resolve_path_type(const char *path, const char *typename,
+                                 bool *ambiguous)
 {
     bool partial_path = true;
     Object *obj;
@@ -1020,9 +1024,10 @@ Object *object_resolve_path(const char *path, bool *ambiguous)
         if (ambiguous) {
             *ambiguous = false;
         }
-        obj = object_resolve_partial_path(object_get_root(), parts, ambiguous);
+        obj = object_resolve_partial_path(object_get_root(), parts,
+                                          typename, ambiguous);
     } else {
-        obj = object_resolve_abs_path(object_get_root(), parts, 1);
+        obj = object_resolve_abs_path(object_get_root(), parts, typename, 1);
     }
 
     g_strfreev(parts);
@@ -1030,6 +1035,11 @@ Object *object_resolve_path(const char *path, bool *ambiguous)
     return obj;
 }
 
+Object *object_resolve_path(const char *path, bool *ambiguous)
+{
+    return object_resolve_path_type(path, TYPE_OBJECT, ambiguous);
+}
+
 typedef struct StringProperty
 {
     char *(*get)(Object *, Error **);
commit 8f770d39056c797a0a3de7a9a1a00befddfb088a
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 15:41:13 2012 +0100

    qom: fix off-by-one
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qom/object.c b/qom/object.c
index 212629d..7fd37cb 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -854,11 +854,8 @@ static void object_set_link_property(Object *obj, Visitor *v, void *opaque,
 
         target = object_resolve_path(path, &ambiguous);
         if (target) {
-            gchar *target_type;
-
-            target_type = g_strdup(&type[5]);
-            target_type[strlen(target_type) - 2] = 0;
-
+            /* Go from link<FOO> to FOO.  */
+            gchar *target_type = g_strndup(&type[5], strlen(type) - 6);
             if (object_dynamic_cast(target, target_type)) {
                 object_ref(target);
                 *child = target;
commit 7b7b7d18e40c158134b7588e629be7dd35b468fa
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Wed Feb 1 17:16:22 2012 +0100

    qom: add property get/set wrappers for C types
    
    Add wrappers that let you get/set properties using normal C data types.
    
    Reviewed-by: Anthony Liguori <anthony at aliguori@us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index ad7d32d..b27f80e 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -622,6 +622,76 @@ void object_property_get(Object *obj, struct Visitor *v, const char *name,
                          struct Error **errp);
 
 /**
+ * object_property_set_str:
+ * @value: the value to be written to the property
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Writes a string value to a property.
+ */
+void object_property_set_str(Object *obj, const char *value,
+                             const char *name, struct Error **errp);
+
+/**
+ * object_property_get_str:
+ * @obj: the object
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Returns: the value of the property, converted to a C string, or NULL if
+ * an error occurs (including when the property value is not a string).
+ * The caller should free the string.
+ */
+char *object_property_get_str(Object *obj, const char *name,
+                              struct Error **errp);
+
+/**
+ * object_property_set_bool:
+ * @value: the value to be written to the property
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Writes a bool value to a property.
+ */
+void object_property_set_bool(Object *obj, bool value,
+                              const char *name, struct Error **errp);
+
+/**
+ * object_property_get_bool:
+ * @obj: the object
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Returns: the value of the property, converted to a boolean, or NULL if
+ * an error occurs (including when the property value is not a bool).
+ */
+bool object_property_get_bool(Object *obj, const char *name,
+                              struct Error **errp);
+
+/**
+ * object_property_set_int:
+ * @value: the value to be written to the property
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Writes an integer value to a property.
+ */
+void object_property_set_int(Object *obj, int64_t value,
+                             const char *name, struct Error **errp);
+
+/**
+ * object_property_get_int:
+ * @obj: the object
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Returns: the value of the property, converted to an integer, or NULL if
+ * an error occurs (including when the property value is not an integer).
+ */
+int64_t object_property_get_int(Object *obj, const char *name,
+                                struct Error **errp);
+
+/**
  * object_property_set:
  * @obj: the object
  * @v: the visitor that will be used to write the property value.  This should
diff --git a/qom/object.c b/qom/object.c
index 98b8ad5..212629d 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -14,6 +14,14 @@
 #include "qemu-common.h"
 #include "qapi/qapi-visit-core.h"
 
+/* TODO: replace QObject with a simpler visitor to avoid a dependency
+ * of the QOM core on QObject?  */
+#include "qemu/qom-qobject.h"
+#include "qobject.h"
+#include "qbool.h"
+#include "qint.h"
+#include "qstring.h"
+
 #define MAX_INTERFACES 32
 
 typedef struct InterfaceImpl InterfaceImpl;
@@ -657,6 +665,99 @@ void object_property_set(Object *obj, Visitor *v, const char *name,
     }
 }
 
+void object_property_set_str(Object *obj, const char *value,
+                             const char *name, Error **errp)
+{
+    QString *qstr = qstring_from_str(value);
+    object_property_set_qobject(obj, QOBJECT(qstr), name, errp);
+
+    QDECREF(qstr);
+}
+
+char *object_property_get_str(Object *obj, const char *name,
+                              Error **errp)
+{
+    QObject *ret = object_property_get_qobject(obj, name, errp);
+    QString *qstring;
+    char *retval;
+
+    if (!ret) {
+        return NULL;
+    }
+    qstring = qobject_to_qstring(ret);
+    if (!qstring) {
+        error_set(errp, QERR_INVALID_PARAMETER_TYPE, name, "string");
+        retval = NULL;
+    } else {
+        retval = g_strdup(qstring_get_str(qstring));
+    }
+
+    QDECREF(qstring);
+    return retval;
+}
+
+void object_property_set_bool(Object *obj, bool value,
+                              const char *name, Error **errp)
+{
+    QBool *qbool = qbool_from_int(value);
+    object_property_set_qobject(obj, QOBJECT(qbool), name, errp);
+
+    QDECREF(qbool);
+}
+
+bool object_property_get_bool(Object *obj, const char *name,
+                              Error **errp)
+{
+    QObject *ret = object_property_get_qobject(obj, name, errp);
+    QBool *qbool;
+    bool retval;
+
+    if (!ret) {
+        return false;
+    }
+    qbool = qobject_to_qbool(ret);
+    if (!qbool) {
+        error_set(errp, QERR_INVALID_PARAMETER_TYPE, name, "boolean");
+        retval = false;
+    } else {
+        retval = qbool_get_int(qbool);
+    }
+
+    QDECREF(qbool);
+    return retval;
+}
+
+void object_property_set_int(Object *obj, int64_t value,
+                             const char *name, Error **errp)
+{
+    QInt *qint = qint_from_int(value);
+    object_property_set_qobject(obj, QOBJECT(qint), name, errp);
+
+    QDECREF(qint);
+}
+
+int64_t object_property_get_int(Object *obj, const char *name,
+                                Error **errp)
+{
+    QObject *ret = object_property_get_qobject(obj, name, errp);
+    QInt *qint;
+    int64_t retval;
+
+    if (!ret) {
+        return -1;
+    }
+    qint = qobject_to_qint(ret);
+    if (!qint) {
+        error_set(errp, QERR_INVALID_PARAMETER_TYPE, name, "int");
+        retval = -1;
+    } else {
+        retval = qint_get_int(qint);
+    }
+
+    QDECREF(qint);
+    return retval;
+}
+
 const char *object_property_get_type(Object *obj, const char *name, Error **errp)
 {
     ObjectProperty *prop = object_property_find(obj, name);
@@ -938,8 +1039,8 @@ typedef struct StringProperty
     void (*set)(Object *, const char *, Error **);
 } StringProperty;
 
-static void object_property_get_str(Object *obj, Visitor *v, void *opaque,
-                                    const char *name, Error **errp)
+static void property_get_str(Object *obj, Visitor *v, void *opaque,
+                             const char *name, Error **errp)
 {
     StringProperty *prop = opaque;
     char *value;
@@ -951,8 +1052,8 @@ static void object_property_get_str(Object *obj, Visitor *v, void *opaque,
     }
 }
 
-static void object_property_set_str(Object *obj, Visitor *v, void *opaque,
-                                  const char *name, Error **errp)
+static void property_set_str(Object *obj, Visitor *v, void *opaque,
+                             const char *name, Error **errp)
 {
     StringProperty *prop = opaque;
     char *value;
@@ -968,8 +1069,8 @@ static void object_property_set_str(Object *obj, Visitor *v, void *opaque,
     g_free(value);
 }
 
-static void object_property_release_str(Object *obj, const char *name,
-                                      void *opaque)
+static void property_release_str(Object *obj, const char *name,
+                                 void *opaque)
 {
     StringProperty *prop = opaque;
     g_free(prop);
@@ -986,8 +1087,8 @@ void object_property_add_str(Object *obj, const char *name,
     prop->set = set;
 
     object_property_add(obj, name, "string",
-                        get ? object_property_get_str : NULL,
-                        set ? object_property_set_str : NULL,
-                        object_property_release_str,
+                        get ? property_get_str : NULL,
+                        set ? property_set_str : NULL,
+                        property_release_str,
                         prop, errp);
 }
commit 9f5f135058e22a6f7b3d8ca02e388e502c0d161f
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Wed Feb 1 16:58:47 2012 +0100

    qom: add QObject-based property get/set wrappers
    
    Move the creation of QmpInputVisitor and QmpOutputVisitor from qmp.c
    to qom/object.c, since it's the only practical way to access object
    properties.
    
    Keep this isolated such that it's easy to remove.  At some point, we need
    to remove all usage of QObject in the tree and replace it with GVariant.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/qemu/qom-qobject.h b/include/qemu/qom-qobject.h
new file mode 100644
index 0000000..f9dff12
--- /dev/null
+++ b/include/qemu/qom-qobject.h
@@ -0,0 +1,42 @@
+/*
+ * QEMU Object Model - QObject wrappers
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * Author: Paolo Bonzini <pbonzini at redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef QEMU_QOM_QOBJECT_H
+#define QEMU_QOM_QOBJECT_H
+
+#include "qemu/object.h"
+
+/*
+ * object_property_get_qobject:
+ * @obj: the object
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Returns: the value of the property, converted to QObject, or NULL if
+ * an error occurs.
+ */
+struct QObject *object_property_get_qobject(Object *obj, const char *name,
+                                            struct Error **errp);
+
+/**
+ * object_property_set_qobject:
+ * @obj: the object
+ * @ret: The value that will be written to the property.
+ * @name: the name of the property
+ * @errp: returns an error if this function fails
+ *
+ * Writes a property to a object.
+ */
+void object_property_set_qobject(Object *obj, struct QObject *qobj,
+                                 const char *name, struct Error **errp);
+
+#endif
diff --git a/qmp.c b/qmp.c
index 45052cc..1f64844 100644
--- a/qmp.c
+++ b/qmp.c
@@ -21,9 +21,8 @@
 #include "kvm.h"
 #include "arch_init.h"
 #include "hw/qdev.h"
-#include "qapi/qmp-input-visitor.h"
-#include "qapi/qmp-output-visitor.h"
 #include "blockdev.h"
+#include "qemu/qom-qobject.h"
 
 NameInfo *qmp_query_name(Error **errp)
 {
@@ -198,7 +197,6 @@ int qmp_qom_set(Monitor *mon, const QDict *qdict, QObject **ret)
     const char *property = qdict_get_str(qdict, "property");
     QObject *value = qdict_get(qdict, "value");
     Error *local_err = NULL;
-    QmpInputVisitor *mi;
     Object *obj;
 
     obj = object_resolve_path(path, NULL);
@@ -207,10 +205,7 @@ int qmp_qom_set(Monitor *mon, const QDict *qdict, QObject **ret)
         goto out;
     }
 
-    mi = qmp_input_visitor_new(value);
-    object_property_set(obj, qmp_input_get_visitor(mi), property, &local_err);
-
-    qmp_input_visitor_cleanup(mi);
+    object_property_set_qobject(obj, value, property, &local_err);
 
 out:
     if (local_err) {
@@ -227,7 +222,6 @@ int qmp_qom_get(Monitor *mon, const QDict *qdict, QObject **ret)
     const char *path = qdict_get_str(qdict, "path");
     const char *property = qdict_get_str(qdict, "property");
     Error *local_err = NULL;
-    QmpOutputVisitor *mo;
     Object *obj;
 
     obj = object_resolve_path(path, NULL);
@@ -236,13 +230,7 @@ int qmp_qom_get(Monitor *mon, const QDict *qdict, QObject **ret)
         goto out;
     }
 
-    mo = qmp_output_visitor_new();
-    object_property_get(obj, qmp_output_get_visitor(mo), property, &local_err);
-    if (!local_err) {
-        *ret = qmp_output_get_qobject(mo);
-    }
-
-    qmp_output_visitor_cleanup(mo);
+    *ret = object_property_get_qobject(obj, property, &local_err);
 
 out:
     if (local_err) {
diff --git a/qom/Makefile b/qom/Makefile
index f33f0be..885a263 100644
--- a/qom/Makefile
+++ b/qom/Makefile
@@ -1 +1 @@
-qom-y = object.o container.o
+qom-y = object.o container.o qom-qobject.o
diff --git a/qom/qom-qobject.c b/qom/qom-qobject.c
new file mode 100644
index 0000000..0689914
--- /dev/null
+++ b/qom/qom-qobject.c
@@ -0,0 +1,44 @@
+/*
+ * QEMU Object Model - QObject wrappers
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * Author: Paolo Bonzini <pbonzini at redhat.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu-common.h"
+#include "qemu/object.h"
+#include "qemu/qom-qobject.h"
+#include "qapi/qapi-visit-core.h"
+#include "qapi/qmp-input-visitor.h"
+#include "qapi/qmp-output-visitor.h"
+
+void object_property_set_qobject(Object *obj, QObject *value,
+                                 const char *name, Error **errp)
+{
+    QmpInputVisitor *mi;
+    mi = qmp_input_visitor_new(value);
+    object_property_set(obj, qmp_input_get_visitor(mi), name, errp);
+
+    qmp_input_visitor_cleanup(mi);
+}
+
+QObject *object_property_get_qobject(Object *obj, const char *name,
+                                     Error **errp)
+{
+    QObject *ret = NULL;
+    Error *local_err = NULL;
+    QmpOutputVisitor *mo;
+
+    mo = qmp_output_visitor_new();
+    object_property_get(obj, qmp_output_get_visitor(mo), name, &local_err);
+    if (!local_err) {
+        ret = qmp_output_get_qobject(mo);
+    }
+    error_propagate(errp, local_err);
+    qmp_output_visitor_cleanup(mo);
+    return ret;
+}
commit b46d9b1082054cba5af5ccab584f0e22a5264057
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Thu Feb 2 15:14:32 2012 +0100

    qom: do not include qdev header file
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qom/object.c b/qom/object.c
index ffd50a3..98b8ad5 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -13,8 +13,6 @@
 #include "qemu/object.h"
 #include "qemu-common.h"
 #include "qapi/qapi-visit-core.h"
-#include "hw/qdev.h"
-// FIXME remove above
 
 #define MAX_INTERFACES 32
 
commit 9970bd887d7b6ec17899fa337e58547430a99e7d
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 11:51:39 2012 +0100

    qom: avoid useless conversions from string to type
    
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qom/object.c b/qom/object.c
index 669acc5..ffd50a3 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -63,6 +63,8 @@ typedef struct Interface
 
 #define INTERFACE(obj) OBJECT_CHECK(Interface, obj, TYPE_INTERFACE)
 
+static Type type_interface;
+
 static GHashTable *type_table_get(void)
 {
     static GHashTable *type_table;
@@ -384,25 +386,20 @@ static bool type_is_ancestor(TypeImpl *type, TypeImpl *target_type)
     return false;
 }
 
-static bool object_is_type(Object *obj, const char *typename)
+static bool object_is_type(Object *obj, TypeImpl *target_type)
 {
-    TypeImpl *target_type;
-
-    if (typename == TYPE_OBJECT) {
-        return true;
-    }
-    target_type = type_get_by_name(typename);
-    return type_is_ancestor(obj->class->type, target_type);
+    return !target_type || type_is_ancestor(obj->class->type, target_type);
 }
 
 Object *object_dynamic_cast(Object *obj, const char *typename)
 {
+    TypeImpl *target_type = type_get_by_name(typename);
     GSList *i;
 
     /* Check if typename is a direct ancestor.  Special-case TYPE_OBJECT,
      * we want to go back from interfaces to the parent.
     */
-    if (typename && object_is_type(obj, typename)) {
+    if (target_type && object_is_type(obj, target_type)) {
         return obj;
     }
 
@@ -410,21 +407,21 @@ Object *object_dynamic_cast(Object *obj, const char *typename)
      * ancestor of typename.  In principle we could do this test at the very
      * beginning of object_dynamic_cast, avoiding a second call to
      * object_is_type.  However, casting between interfaces is relatively
-     * rare, and object_is_type(obj, TYPE_INTERFACE) would fail almost always.
+     * rare, and object_is_type(obj, type_interface) would fail almost always.
      *
      * Perhaps we could add a magic value to the object header for increased
      * (run-time) type safety and to speed up tests like this one.  If we ever
      * do that we can revisit the order here.
      */
-    if (object_is_type(obj, TYPE_INTERFACE)) {
+    if (object_is_type(obj, type_interface)) {
         assert(!obj->interfaces);
         obj = INTERFACE(obj)->obj;
-        if (object_is_type(obj, typename)) {
+        if (object_is_type(obj, target_type)) {
             return obj;
         }
     }
 
-    if (typename == TYPE_OBJECT) {
+    if (!target_type) {
         return obj;
     }
 
@@ -432,7 +429,7 @@ Object *object_dynamic_cast(Object *obj, const char *typename)
     for (i = obj->interfaces; i; i = i->next) {
         Interface *iface = i->data;
 
-        if (object_is_type(OBJECT(iface), typename)) {
+        if (object_is_type(OBJECT(iface), target_type)) {
             return OBJECT(iface);
         }
     }
@@ -449,7 +446,7 @@ static void register_interface(void)
         .abstract = true,
     };
 
-    type_register_static(&interface_info);
+    type_interface = type_register_static(&interface_info);
 }
 
 device_init(register_interface);
commit acc4af3fec335bb0778456f72bfb2c3591c11da4
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 11:57:23 2012 +0100

    qom: clean up/optimize object_dynamic_cast
    
    The interface loop can be performed only on the parent object.  It
    does not need to be done on each interface.  Similarly, we can
    simplify the code by switching early from the implementation
    object to the parent object.
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/qom/object.c b/qom/object.c
index 4261944..669acc5 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -368,11 +368,9 @@ void object_delete(Object *obj)
     g_free(obj);
 }
 
-static bool object_is_type(Object *obj, const char *typename)
+static bool type_is_ancestor(TypeImpl *type, TypeImpl *target_type)
 {
-    TypeImpl *target_type = type_get_by_name(typename);
-    TypeImpl *type = obj->class->type;
-    GSList *i;
+    assert(target_type);
 
     /* Check if typename is a direct ancestor of type */
     while (type) {
@@ -383,24 +381,50 @@ static bool object_is_type(Object *obj, const char *typename)
         type = type_get_parent(type);
     }
 
-    /* Check if obj has an interface of typename */
-    for (i = obj->interfaces; i; i = i->next) {
-        Interface *iface = i->data;
+    return false;
+}
 
-        if (object_is_type(OBJECT(iface), typename)) {
-            return true;
-        }
-    }
+static bool object_is_type(Object *obj, const char *typename)
+{
+    TypeImpl *target_type;
 
-    return false;
+    if (typename == TYPE_OBJECT) {
+        return true;
+    }
+    target_type = type_get_by_name(typename);
+    return type_is_ancestor(obj->class->type, target_type);
 }
 
 Object *object_dynamic_cast(Object *obj, const char *typename)
 {
     GSList *i;
 
-    /* Check if typename is a direct ancestor */
-    if (object_is_type(obj, typename)) {
+    /* Check if typename is a direct ancestor.  Special-case TYPE_OBJECT,
+     * we want to go back from interfaces to the parent.
+    */
+    if (typename && object_is_type(obj, typename)) {
+        return obj;
+    }
+
+    /* Check if obj is an interface and its containing object is a direct
+     * ancestor of typename.  In principle we could do this test at the very
+     * beginning of object_dynamic_cast, avoiding a second call to
+     * object_is_type.  However, casting between interfaces is relatively
+     * rare, and object_is_type(obj, TYPE_INTERFACE) would fail almost always.
+     *
+     * Perhaps we could add a magic value to the object header for increased
+     * (run-time) type safety and to speed up tests like this one.  If we ever
+     * do that we can revisit the order here.
+     */
+    if (object_is_type(obj, TYPE_INTERFACE)) {
+        assert(!obj->interfaces);
+        obj = INTERFACE(obj)->obj;
+        if (object_is_type(obj, typename)) {
+            return obj;
+        }
+    }
+
+    if (typename == TYPE_OBJECT) {
         return obj;
     }
 
@@ -413,16 +437,6 @@ Object *object_dynamic_cast(Object *obj, const char *typename)
         }
     }
 
-    /* Check if obj is an interface and its containing object is a direct
-     * ancestor of typename */
-    if (object_is_type(obj, TYPE_INTERFACE)) {
-        Interface *iface = INTERFACE(obj);
-
-        if (object_is_type(iface->obj, typename)) {
-            return iface->obj;
-        }
-    }
-
     return NULL;
 }
 
commit 0815a859492e87e120efa7feaa836ecf6ecffaf7
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 12:51:53 2012 +0100

    qom: more documentation on subclassing
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index ab1c48c..ad7d32d 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -55,6 +55,9 @@ typedef struct InterfaceInfo InterfaceInfo;
  *
  * #define TYPE_MY_DEVICE "my-device"
  *
+ * // No new virtual functions: we can reuse the typedef for the
+ * // superclass.
+ * typedef DeviceClass MyDeviceClass;
  * typedef struct MyDevice
  * {
  *     DeviceState parent;
@@ -88,8 +91,21 @@ typedef struct InterfaceInfo InterfaceInfo;
  *
  * Using object_new(), a new #Object derivative will be instantiated.  You can
  * cast an #Object to a subclass (or base-class) type using
- * object_dynamic_cast().  You typically want to define a macro wrapper around
- * object_dynamic_cast_assert() to make it easier to convert to a specific type.
+ * object_dynamic_cast().  You typically want to define macro wrappers around
+ * OBJECT_CHECK() and OBJECT_CLASS_CHECK() to make it easier to convert to a
+ * specific type:
+ *
+ * <example>
+ *   <title>Typecasting macros</title>
+ *   <programlisting>
+ *    #define MY_DEVICE_GET_CLASS(obj) \
+ *       OBJECT_GET_CLASS(MyDeviceClass, obj, TYPE_MY_DEVICE)
+ *    #define MY_DEVICE_CLASS(klass) \
+ *       OBJECT_CLASS_CHECK(MyDeviceClass, klass, TYPE_MY_DEVICE)
+ *    #define MY_DEVICE(obj) \
+ *       OBJECT_CHECK(MyDevice, obj, TYPE_MY_DEVICE)
+ *   </programlisting>
+ * </example>
  *
  * # Class Initialization #
  *
@@ -108,7 +124,61 @@ typedef struct InterfaceInfo InterfaceInfo;
  *
  * Once all of the parent classes have been initialized, #TypeInfo::class_init
  * is called to let the class being instantiated provide default initialize for
- * it's virtual functions.
+ * it's virtual functions.  Here is how the above example might be modified
+ * to introduce an overridden virtual function:
+ *
+ * <example>
+ *   <title>Overriding a virtual function</title>
+ *   <programlisting>
+ * #include "qdev.h"
+ *
+ * void my_device_class_init(ObjectClass *klass, void *class_data)
+ * {
+ *     DeviceClass *dc = DEVICE_CLASS(klass);
+ *     dc->reset = my_device_reset;
+ * }
+ *
+ * static TypeInfo my_device_info = {
+ *     .name = TYPE_MY_DEVICE,
+ *     .parent = TYPE_DEVICE,
+ *     .instance_size = sizeof(MyDevice),
+ *     .class_init = my_device_class_init,
+ * };
+ *   </programlisting>
+ * </example>
+ *
+ * Introducing new virtual functions requires a class to define its own
+ * struct and to add a .class_size member to the TypeInfo.  Each function
+ * will also have a wrapper to call it easily:
+ *
+ * <example>
+ *   <title>Defining an abstract class</title>
+ *   <programlisting>
+ * #include "qdev.h"
+ *
+ * typedef struct MyDeviceClass
+ * {
+ *     DeviceClass parent;
+ *
+ *     void (*frobnicate) (MyDevice *obj);
+ * } MyDeviceClass;
+ *
+ * static TypeInfo my_device_info = {
+ *     .name = TYPE_MY_DEVICE,
+ *     .parent = TYPE_DEVICE,
+ *     .instance_size = sizeof(MyDevice),
+ *     .abstract = true, // or set a default in my_device_class_init
+ *     .class_size = sizeof(MyDeviceClass),
+ * };
+ *
+ * void my_device_frobnicate(MyDevice *obj)
+ * {
+ *     MyDeviceClass *klass = MY_DEVICE_GET_CLASS(obj);
+ *
+ *     klass->frobnicate(obj);
+ * }
+ *   </programlisting>
+ * </example>
  *
  * # Interfaces #
  *
commit 1ed5b918ceda9a92dd00a2d432aa431bea2da66a
Author: Paolo Bonzini <pbonzini at redhat.com>
Date:   Fri Feb 3 11:48:11 2012 +0100

    qom: clean up cast macros
    
    Reviewed-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>

diff --git a/include/qemu/object.h b/include/qemu/object.h
index 9d0251d..ab1c48c 100644
--- a/include/qemu/object.h
+++ b/include/qemu/object.h
@@ -259,6 +259,16 @@ struct TypeInfo
     ((Object *)(obj))
 
 /**
+ * OBJECT_CLASS:
+ * @class: A derivative of #ObjectClas.
+ *
+ * Converts a class to an #ObjectClass.  Since all objects are #Objects,
+ * this function will always succeed.
+ */
+#define OBJECT_CLASS(class) \
+    ((ObjectClass *)(class))
+
+/**
  * OBJECT_CHECK:
  * @type: The C type to use for the return value.
  * @obj: A derivative of @type to cast.
@@ -272,7 +282,7 @@ struct TypeInfo
  * generated.
  */
 #define OBJECT_CHECK(type, obj, name) \
-    ((type *)object_dynamic_cast_assert((Object *)(obj), (name)))
+    ((type *)object_dynamic_cast_assert(OBJECT(obj), (name)))
 
 /**
  * OBJECT_CLASS_CHECK:
@@ -280,11 +290,12 @@ struct TypeInfo
  * @obj: A derivative of @type to cast.
  * @name: the QOM typename of @class.
  *
- * A type safe version of @object_check_class.  This macro is typically wrapped
- * by each type to perform type safe casts of a class to a specific class type.
+ * A type safe version of @object_class_dynamic_cast_assert.  This macro is
+ * typically wrapped by each type to perform type safe casts of a class to a
+ * specific class type.
  */
 #define OBJECT_CLASS_CHECK(class, obj, name) \
-    ((class *)object_class_dynamic_cast_assert((ObjectClass *)(obj), (name)))
+    ((class *)object_class_dynamic_cast_assert(OBJECT_CLASS(obj), (name)))
 
 /**
  * OBJECT_GET_CLASS:
@@ -299,9 +310,6 @@ struct TypeInfo
 #define OBJECT_GET_CLASS(class, obj, name) \
     OBJECT_CLASS_CHECK(class, object_get_class(OBJECT(obj)), name)
 
-#define OBJECT_CLASS(class) \
-    ((ObjectClass *)(class))
-
 /**
  * InterfaceClass:
  * @parent_class: the base class
commit e87f7fc67948da80a0452c4fd523ec45f0d03f26
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Mon Feb 6 11:07:18 2012 -0600

    s390x: fix qom-ification fall-out
    
    Tested-by: Andreas Faerber <afaerber at suse.de>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/s390-virtio-bus.c b/hw/s390-virtio-bus.c
index b66ef68..49140f8 100644
--- a/hw/s390-virtio-bus.c
+++ b/hw/s390-virtio-bus.c
@@ -429,6 +429,7 @@ static TypeInfo virtio_s390_device_info = {
     .parent = TYPE_DEVICE,
     .instance_size = sizeof(VirtIOS390Device),
     .class_init = virtio_s390_device_class_init,
+    .class_size = sizeof(VirtIOS390DeviceClass),
     .abstract = true,
 };
 
diff --git a/vl.c b/vl.c
index 2d464cf..63dd725 100644
--- a/vl.c
+++ b/vl.c
@@ -1947,7 +1947,11 @@ static int virtcon_parse(const char *devname)
     }
 
     bus_opts = qemu_opts_create(device, NULL, 0);
-    qemu_opt_set(bus_opts, "driver", "virtio-serial");
+    if (arch_type == QEMU_ARCH_S390X) {
+        qemu_opt_set(bus_opts, "driver", "virtio-serial-s390");
+    } else {
+        qemu_opt_set(bus_opts, "driver", "virtio-serial-pci");
+    } 
 
     dev_opts = qemu_opts_create(device, NULL, 0);
     qemu_opt_set(dev_opts, "driver", "virtconsole");
commit 4cafe606040bfb7526a954e131daa61afc5d747a
Author: Jan Kiszka <jan.kiszka at siemens.com>
Date:   Fri Feb 3 22:06:47 2012 +0100

    KVM: Fix breakages of QOM conversion
    
    KVM APIC and PIC require instance sizes.
    
    Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/hw/kvm/apic.c b/hw/kvm/apic.c
index 89e33b0..dfc2ab3 100644
--- a/hw/kvm/apic.c
+++ b/hw/kvm/apic.c
@@ -135,6 +135,7 @@ static void kvm_apic_class_init(ObjectClass *klass, void *data)
 static TypeInfo kvm_apic_info = {
     .name = "kvm-apic",
     .parent = TYPE_APIC_COMMON,
+    .instance_size = sizeof(APICCommonState),
     .class_init = kvm_apic_class_init,
 };
 
diff --git a/hw/kvm/i8259.c b/hw/kvm/i8259.c
index 297d64e..14bd427 100644
--- a/hw/kvm/i8259.c
+++ b/hw/kvm/i8259.c
@@ -126,6 +126,7 @@ static void kvm_i8259_class_init(ObjectClass *klass, void *data)
 static TypeInfo kvm_i8259_info = {
     .name  = "kvm-i8259",
     .parent = TYPE_PIC_COMMON,
+    .instance_size = sizeof(PICCommonState),
     .class_init = kvm_i8259_class_init,
 };
 
commit 3bc36349722a6f0d96ec9d8dc870aa82ae6de4cd
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Feb 3 17:39:57 2012 -0600

    usb-redir: convert to QOM
    
    This was missed due to the fact that it's in the top level and it uses
    'struct DeviceInfo' instead of 'DeviceInfo' for some strange reason.
    
    Tested-by: Benoît Canet <benoit.canet at gmail.com>
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>

diff --git a/usb-redir.c b/usb-redir.c
index 8f4a29a..303292a 100644
--- a/usb-redir.c
+++ b/usb-redir.c
@@ -1315,9 +1315,16 @@ static void usbredir_interrupt_packet(void *priv, uint32_t id,
     }
 }
 
+static Property usbredir_properties[] = {
+    DEFINE_PROP_CHR("chardev", USBRedirDevice, cs),
+    DEFINE_PROP_UINT8("debug", USBRedirDevice, debug, 0),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
 static void usbredir_class_initfn(ObjectClass *klass, void *data)
 {
     USBDeviceClass *uc = USB_DEVICE_CLASS(klass);
+    DeviceClass *dc = DEVICE_CLASS(klass);
 
     uc->init           = usbredir_initfn;
     uc->product_desc   = "USB Redirection Device";
@@ -1327,21 +1334,18 @@ static void usbredir_class_initfn(ObjectClass *klass, void *data)
     uc->handle_reset   = usbredir_handle_reset;
     uc->handle_data    = usbredir_handle_data;
     uc->handle_control = usbredir_handle_control;
+    dc->props          = usbredir_properties;
 }
 
-static struct DeviceInfo usbredir_dev_info = {
-    .name      = "usb-redir",
-    .size      = sizeof(USBRedirDevice),
-    .class_init= usbredir_class_initfn,
-    .props     = (Property[]) {
-        DEFINE_PROP_CHR("chardev", USBRedirDevice, cs),
-        DEFINE_PROP_UINT8("debug", USBRedirDevice, debug, 0),
-        DEFINE_PROP_END_OF_LIST(),
-    },
+static TypeInfo usbredir_dev_info = {
+    .name          = "usb-redir",
+    .parent        = TYPE_USB_DEVICE,
+    .instance_size = sizeof(USBRedirDevice),
+    .class_init    = usbredir_class_initfn,
 };
 
 static void usbredir_register_devices(void)
 {
-    usb_qdev_register(&usbredir_dev_info, NULL, NULL);
+    type_register_static(&usbredir_dev_info);
 }
 device_init(usbredir_register_devices);
commit 53a19a30527863f0257436de28d2b01ae043aaf0
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sat Feb 4 17:29:00 2012 +0000

    Fix previous commit
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/usb-bsd.c b/usb-bsd.c
index 43fd1a1..fc722b3 100644
--- a/usb-bsd.c
+++ b/usb-bsd.c
@@ -414,7 +414,7 @@ static TypeInfo usb_host_dev_info = {
     .name          = "usb-host",
     .parent        = TYPE_USB_DEVICE,
     .instance_size = sizeof(USBHostDevice),
-    .class_init    = usb_host_initfn,
+    .class_init    = usb_host_class_initfn,
 };
 
 static void usb_host_register_devices(void)
commit d217d208b5b518251196fbadd7f2fb1ed246cb13
Author: Anthony Liguori <aliguori at us.ibm.com>
Date:   Fri Feb 3 17:41:59 2012 -0600

    usb-bsd: convert to QOM
    
    Simple enough.
    
    Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/usb-bsd.c b/usb-bsd.c
index 2c6afc8..43fd1a1 100644
--- a/usb-bsd.c
+++ b/usb-bsd.c
@@ -410,15 +410,16 @@ static void usb_host_class_initfn(ObjectClass *klass, void *data)
     uc->handle_destroy = usb_host_handle_destroy;
 }
 
-static struct DeviceInfo usb_host_dev_info = {
-    .name      = "usb-host",
-    .size      = sizeof(USBHostDevice),
-    .class_init= usb_host_initfn,
+static TypeInfo usb_host_dev_info = {
+    .name          = "usb-host",
+    .parent        = TYPE_USB_DEVICE,
+    .instance_size = sizeof(USBHostDevice),
+    .class_init    = usb_host_initfn,
 };
 
 static void usb_host_register_devices(void)
 {
-    usb_qdev_register(&usb_host_dev_info, NULL, NULL);
+    type_register_static(&usb_host_dev_info);
 }
 device_init(usb_host_register_devices)
 
commit 47c012e21cb368d9bf6be80cce8322c1e4481aa6
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 29 17:29:12 2012 +0000

    vga: improve documentation
    
    Add links to chipset docs and FreeVGA site.
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/vga.c b/hw/vga.c
index 758bd92..d87c4f9 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -37,6 +37,18 @@
 
 //#define DEBUG_BOCHS_VBE
 
+/*
+ * Video Graphics Array (VGA)
+ *
+ * Chipset docs for original IBM VGA:
+ * http://www.mcamafia.de/pdf/ibm_vgaxga_trm2.pdf
+ *
+ * FreeVGA site:
+ * http://www.osdever.net/FreeVGA/home.htm
+ *
+ * Standard VGA features and Bochs VBE extensions are implemented.
+ */
+
 /* force some bits to zero */
 const uint8_t sr_mask[8] = {
     0x03,
commit 5e55efc9e751e8044f5b870e069e4ed8165a2a84
Author: Blue Swirl <blauwirbel at gmail.com>
Date:   Sun Jan 29 17:02:07 2012 +0000

    vga: use constants from vga.h
    
    Signed-off-by: Blue Swirl <blauwirbel at gmail.com>

diff --git a/hw/vga.c b/hw/vga.c
index cf9b39f..758bd92 100644
--- a/hw/vga.c
+++ b/hw/vga.c
@@ -22,6 +22,7 @@
  * THE SOFTWARE.
  */
 #include "hw.h"
+#include "vga.h"
 #include "console.h"
 #include "pc.h"
 #include "pci.h"
@@ -160,9 +161,10 @@ static void vga_update_memory_access(VGACommonState *s)
 
     s->chain4_alias = NULL;
 
-    if ((s->sr[0x02] & 0xf) == 0xf && s->sr[0x04] & 0x08) {
+    if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
+        VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
         offset = 0;
-        switch ((s->gr[6] >> 2) & 3) {
+        switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
         case 0:
             base = 0xa0000;
             size = 0x20000;
@@ -223,22 +225,20 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
     int64_t chars_per_sec;
     struct vga_precise_retrace *r = &s->retrace_info.precise;
 
-    htotal_chars = s->cr[0x00] + 5;
-    hretr_start_char = s->cr[0x04];
-    hretr_skew_chars = (s->cr[0x05] >> 5) & 3;
-    hretr_end_char = s->cr[0x05] & 0x1f;
+    htotal_chars = s->cr[VGA_CRTC_H_TOTAL] + 5;
+    hretr_start_char = s->cr[VGA_CRTC_H_SYNC_START];
+    hretr_skew_chars = (s->cr[VGA_CRTC_H_SYNC_END] >> 5) & 3;
+    hretr_end_char = s->cr[VGA_CRTC_H_SYNC_END] & 0x1f;
 
-    vtotal_lines = (s->cr[0x06]
-                    | (((s->cr[0x07] & 1) | ((s->cr[0x07] >> 4) & 2)) << 8)) + 2
-        ;
-    vretr_start_line = s->cr[0x10]
-        | ((((s->cr[0x07] >> 2) & 1) | ((s->cr[0x07] >> 6) & 2)) << 8)
-        ;
-    vretr_end_line = s->cr[0x11] & 0xf;
+    vtotal_lines = (s->cr[VGA_CRTC_V_TOTAL] |
+                    (((s->cr[VGA_CRTC_OVERFLOW] & 1) |
+                      ((s->cr[VGA_CRTC_OVERFLOW] >> 4) & 2)) << 8)) + 2;
+    vretr_start_line = s->cr[VGA_CRTC_V_SYNC_START] |
+        ((((s->cr[VGA_CRTC_OVERFLOW] >> 2) & 1) |
+          ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
+    vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
 
-
-
-    clocking_mode = (s->sr[0x01] >> 3) & 1;
+    clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
     clock_sel = (s->msr >> 2) & 3;
     dots = (s->msr & 1) ? 8 : 9;
 
@@ -261,8 +261,8 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
     r->htotal = htotal_chars;
 
 #if 0
-    div2 = (s->cr[0x17] >> 2) & 1;
-    sldiv2 = (s->cr[0x17] >> 3) & 1;
+    div2 = (s->cr[VGA_CRTC_MODE] >> 2) & 1;
+    sldiv2 = (s->cr[VGA_CRTC_MODE] >> 3) & 1;
     printf (
         "hz=%f\n"
         "htotal = %d\n"
@@ -332,7 +332,7 @@ static uint8_t vga_dumb_retrace(VGACommonState *s)
 
 int vga_ioport_invalid(VGACommonState *s, uint32_t addr)
 {
-    if (s->msr & MSR_COLOR_EMULATION) {
+    if (s->msr & VGA_MIS_COLOR) {
         /* Color */
         return (addr >= 0x3b0 && addr <= 0x3bf);
     } else {
@@ -350,73 +350,74 @@ uint32_t vga_ioport_read(void *opaque, uint32_t addr)
         val = 0xff;
     } else {
         switch(addr) {
-        case 0x3c0:
+        case VGA_ATT_W:
             if (s->ar_flip_flop == 0) {
                 val = s->ar_index;
             } else {
                 val = 0;
             }
             break;
-        case 0x3c1:
+        case VGA_ATT_R:
             index = s->ar_index & 0x1f;
-            if (index < 21)
+            if (index < VGA_ATT_C) {
                 val = s->ar[index];
-            else
+            } else {
                 val = 0;
+            }
             break;
-        case 0x3c2:
+        case VGA_MIS_W:
             val = s->st00;
             break;
-        case 0x3c4:
+        case VGA_SEQ_I:
             val = s->sr_index;
             break;
-        case 0x3c5:
+        case VGA_SEQ_D:
             val = s->sr[s->sr_index];
 #ifdef DEBUG_VGA_REG
             printf("vga: read SR%x = 0x%02x\n", s->sr_index, val);
 #endif
             break;
-        case 0x3c7:
+        case VGA_PEL_IR:
             val = s->dac_state;
             break;
-        case 0x3c8:
+        case VGA_PEL_IW:
             val = s->dac_write_index;
             break;
-        case 0x3c9:
+        case VGA_PEL_D:
             val = s->palette[s->dac_read_index * 3 + s->dac_sub_index];
             if (++s->dac_sub_index == 3) {
                 s->dac_sub_index = 0;
                 s->dac_read_index++;
             }
             break;
-        case 0x3ca:
+        case VGA_FTC_R:
             val = s->fcr;
             break;
-        case 0x3cc:
+        case VGA_MIS_R:
             val = s->msr;
             break;
-        case 0x3ce:
+        case VGA_GFX_I:
             val = s->gr_index;
             break;
-        case 0x3cf:
+        case VGA_GFX_D:
             val = s->gr[s->gr_index];
 #ifdef DEBUG_VGA_REG
             printf("vga: read GR%x = 0x%02x\n", s->gr_index, val);
 #endif
             break;
-        case 0x3b4:
-        case 0x3d4:
+        case VGA_CRT_IM:
+        case VGA_CRT_IC:
             val = s->cr_index;
             break;
-        case 0x3b5:
-        case 0x3d5:
+        case VGA_CRT_DM:
+        case VGA_CRT_DC:
             val = s->cr[s->cr_index];
 #ifdef DEBUG_VGA_REG
             printf("vga: read CR%x = 0x%02x\n", s->cr_index, val);
 #endif
             break;
-        case 0x3ba:
-        case 0x3da:
+        case VGA_IS1_RM:
+        case VGA_IS1_RC:
             /* just toggle to fool polling */
             val = s->st01 = s->retrace(s);
             s->ar_flip_flop = 0;
@@ -446,29 +447,29 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
 #endif
 
     switch(addr) {
-    case 0x3c0:
+    case VGA_ATT_W:
         if (s->ar_flip_flop == 0) {
             val &= 0x3f;
             s->ar_index = val;
         } else {
             index = s->ar_index & 0x1f;
             switch(index) {
-            case 0x00 ... 0x0f:
+            case VGA_ATC_PALETTE0 ... VGA_ATC_PALETTEF:
                 s->ar[index] = val & 0x3f;
                 break;
-            case 0x10:
+            case VGA_ATC_MODE:
                 s->ar[index] = val & ~0x10;
                 break;
-            case 0x11:
+            case VGA_ATC_OVERSCAN:
                 s->ar[index] = val;
                 break;
-            case 0x12:
+            case VGA_ATC_PLANE_ENABLE:
                 s->ar[index] = val & ~0xc0;
                 break;
-            case 0x13:
+            case VGA_ATC_PEL:
                 s->ar[index] = val & ~0xf0;
                 break;
-            case 0x14:
+            case VGA_ATC_COLOR_PAGE:
                 s->ar[index] = val & ~0xf0;
                 break;
             default:
@@ -477,32 +478,34 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
         }
         s->ar_flip_flop ^= 1;
         break;
-    case 0x3c2:
+    case VGA_MIS_W:
         s->msr = val & ~0x10;
         s->update_retrace_info(s);
         break;
-    case 0x3c4:
+    case VGA_SEQ_I:
         s->sr_index = val & 7;
         break;
-    case 0x3c5:
+    case VGA_SEQ_D:
 #ifdef DEBUG_VGA_REG
         printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
 #endif
         s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-        if (s->sr_index == 1) s->update_retrace_info(s);
+        if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+            s->update_retrace_info(s);
+        }
         vga_update_memory_access(s);
         break;
-    case 0x3c7:
+    case VGA_PEL_IR:
         s->dac_read_index = val;
         s->dac_sub_index = 0;
         s->dac_state = 3;
         break;
-    case 0x3c8:
+    case VGA_PEL_IW:
         s->dac_write_index = val;
         s->dac_sub_index = 0;
         s->dac_state = 0;
         break;
-    case 0x3c9:
+    case VGA_PEL_D:
         s->dac_cache[s->dac_sub_index] = val;
         if (++s->dac_sub_index == 3) {
             memcpy(&s->palette[s->dac_write_index * 3], s->dac_cache, 3);
@@ -510,48 +513,51 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
             s->dac_write_index++;
         }
         break;
-    case 0x3ce:
+    case VGA_GFX_I:
         s->gr_index = val & 0x0f;
         break;
-    case 0x3cf:
+    case VGA_GFX_D:
 #ifdef DEBUG_VGA_REG
         printf("vga: write GR%x = 0x%02x\n", s->gr_index, val);
 #endif
         s->gr[s->gr_index] = val & gr_mask[s->gr_index];
         vga_update_memory_access(s);
         break;
-    case 0x3b4:
-    case 0x3d4:
+    case VGA_CRT_IM:
+    case VGA_CRT_IC:
         s->cr_index = val;
         break;
-    case 0x3b5:
-    case 0x3d5:
+    case VGA_CRT_DM:
+    case VGA_CRT_DC:
 #ifdef DEBUG_VGA_REG
         printf("vga: write CR%x = 0x%02x\n", s->cr_index, val);
 #endif
         /* handle CR0-7 protection */
-        if ((s->cr[0x11] & 0x80) && s->cr_index <= 7) {
+        if ((s->cr[VGA_CRTC_V_SYNC_END] & VGA_CR11_LOCK_CR0_CR7) &&
+            s->cr_index <= VGA_CRTC_OVERFLOW) {
             /* can always write bit 4 of CR7 */
-            if (s->cr_index == 7)
-                s->cr[7] = (s->cr[7] & ~0x10) | (val & 0x10);
+            if (s->cr_index == VGA_CRTC_OVERFLOW) {
+                s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x10) |
+                    (val & 0x10);
+            }
             return;
         }
         s->cr[s->cr_index] = val;
 
         switch(s->cr_index) {
-        case 0x00:
-        case 0x04:
-        case 0x05:
-        case 0x06:
-        case 0x07:
-        case 0x11:
-        case 0x17:
+        case VGA_CRTC_H_TOTAL:
+        case VGA_CRTC_H_SYNC_START:
+        case VGA_CRTC_H_SYNC_END:
+        case VGA_CRTC_V_TOTAL:
+        case VGA_CRTC_OVERFLOW:
+        case VGA_CRTC_V_SYNC_END:
+        case VGA_CRTC_MODE:
             s->update_retrace_info(s);
             break;
         }
         break;
-    case 0x3ba:
-    case 0x3da:
+    case VGA_IS1_RM:
+    case VGA_IS1_RC:
         s->fcr = val & 0x10;
         break;
     }
@@ -681,31 +687,37 @@ static void vbe_ioport_write_data(void *opaque, uint32_t addr, uint32_t val)
 
                 /* we initialize the VGA graphic mode (should be done
                    in BIOS) */
-                s->gr[0x06] = (s->gr[0x06] & ~0x0c) | 0x05; /* graphic mode + memory map 1 */
-                s->cr[0x17] |= 3; /* no CGA modes */
-                s->cr[0x13] = s->vbe_line_offset >> 3;
+                /* graphic mode + memory map 1 */
+                s->gr[VGA_GFX_MISC] = (s->gr[VGA_GFX_MISC] & ~0x0c) | 0x04 |
+                    VGA_GR06_GRAPHICS_MODE;
+                s->cr[VGA_CRTC_MODE] |= 3; /* no CGA modes */
+                s->cr[VGA_CRTC_OFFSET] = s->vbe_line_offset >> 3;
                 /* width */
-                s->cr[0x01] = (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
+                s->cr[VGA_CRTC_H_DISP] =
+                    (s->vbe_regs[VBE_DISPI_INDEX_XRES] >> 3) - 1;
                 /* height (only meaningful if < 1024) */
                 h = s->vbe_regs[VBE_DISPI_INDEX_YRES] - 1;
-                s->cr[0x12] = h;
-                s->cr[0x07] = (s->cr[0x07] & ~0x42) |
+                s->cr[VGA_CRTC_V_DISP_END] = h;
+                s->cr[VGA_CRTC_OVERFLOW] = (s->cr[VGA_CRTC_OVERFLOW] & ~0x42) |
                     ((h >> 7) & 0x02) | ((h >> 3) & 0x40);
                 /* line compare to 1023 */
-                s->cr[0x18] = 0xff;
-                s->cr[0x07] |= 0x10;
-                s->cr[0x09] |= 0x40;
+                s->cr[VGA_CRTC_LINE_COMPARE] = 0xff;
+                s->cr[VGA_CRTC_OVERFLOW] |= 0x10;
+                s->cr[VGA_CRTC_MAX_SCAN] |= 0x40;
 
                 if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
                     shift_control = 0;
-                    s->sr[0x01] &= ~8; /* no double line */
+                    s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
                 } else {
                     shift_control = 2;
-                    s->sr[4] |= 0x08; /* set chain 4 mode */
-                    s->sr[2] |= 0x0f; /* activate all planes */
+                    /* set chain 4 mode */
+                    s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+                    /* activate all planes */
+                    s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
                 }
-                s->gr[0x05] = (s->gr[0x05] & ~0x60) | (shift_control << 5);
-                s->cr[0x09] &= ~0x9f; /* no double scan */
+                s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+                    (shift_control << 5);
+                s->cr[VGA_CRTC_MAX_SCAN] &= ~0x9f; /* no double scan */
             } else {
                 /* XXX: the bios should do that */
                 s->bank_offset = 0;
@@ -762,7 +774,7 @@ uint32_t vga_mem_readb(VGACommonState *s, target_phys_addr_t addr)
     uint32_t ret;
 
     /* convert to VGA memory offset */
-    memory_map_mode = (s->gr[6] >> 2) & 3;
+    memory_map_mode = (s->gr[VGA_GFX_MISC] >> 2) & 3;
     addr &= 0x1ffff;
     switch(memory_map_mode) {
     case 0:
@@ -785,24 +797,25 @@ uint32_t vga_mem_readb(VGACommonState *s, target_phys_addr_t addr)
         break;
     }
 
-    if (s->sr[4] & 0x08) {
+    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
         /* chain 4 mode : simplest access */
         ret = s->vram_ptr[addr];
-    } else if (s->gr[5] & 0x10) {
+    } else if (s->gr[VGA_GFX_MODE] & 0x10) {
         /* odd/even mode (aka text mode mapping) */
-        plane = (s->gr[4] & 2) | (addr & 1);
+        plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
         ret = s->vram_ptr[((addr & ~1) << 1) | plane];
     } else {
         /* standard VGA latched access */
         s->latch = ((uint32_t *)s->vram_ptr)[addr];
 
-        if (!(s->gr[5] & 0x08)) {
+        if (!(s->gr[VGA_GFX_MODE] & 0x08)) {
             /* read mode 0 */
-            plane = s->gr[4];
+            plane = s->gr[VGA_GFX_PLANE_READ];
             ret = GET_PLANE(s->latch, plane);
         } else {
             /* read mode 1 */
-            ret = (s->latch ^ mask16[s->gr[2]]) & mask16[s->gr[7]];
+            ret = (s->latch ^ mask16[s->gr[VGA_GFX_COMPARE_VALUE]]) &
+                mask16[s->gr[VGA_GFX_COMPARE_MASK]];
             ret |= ret >> 16;
             ret |= ret >> 8;
             ret = (~ret) & 0xff;
@@ -821,7 +834,7 @@ void vga_mem_writeb(VGACommonState *s, target_phys_addr_t addr, uint32_t val)
     printf("vga: [0x" TARGET_FMT_plx "] = 0x%02x\n", addr, val);
 #endif
     /* convert to VGA memory offset */
-    memory_map_mode = (s->gr[6] >> 2) & 3;
+    memory_map_mode = (s->gr[VGA_GFX_MISC] >> 2) & 3;
     addr &= 0x1ffff;
     switch(memory_map_mode) {
     case 0:
@@ -844,11 +857,11 @@ void vga_mem_writeb(VGACommonState *s, target_phys_addr_t addr, uint32_t val)
         break;
     }
 
-    if (s->sr[4] & 0x08) {
+    if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
         /* chain 4 mode : simplest access */
         plane = addr & 3;
         mask = (1 << plane);
-        if (s->sr[2] & mask) {
+        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
             s->vram_ptr[addr] = val;
 #ifdef DEBUG_VGA_MEM
             printf("vga: chain4: [0x" TARGET_FMT_plx "]\n", addr);
@@ -856,11 +869,11 @@ void vga_mem_writeb(VGACommonState *s, target_phys_addr_t addr, uint32_t val)
             s->plane_updated |= mask; /* only used to detect font change */
             memory_region_set_dirty(&s->vram, addr, 1);
         }
-    } else if (s->gr[5] & 0x10) {
+    } else if (s->gr[VGA_GFX_MODE] & 0x10) {
         /* odd/even mode (aka text mode mapping) */
-        plane = (s->gr[4] & 2) | (addr & 1);
+        plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
         mask = (1 << plane);
-        if (s->sr[2] & mask) {
+        if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
             addr = ((addr & ~1) << 1) | plane;
             s->vram_ptr[addr] = val;
 #ifdef DEBUG_VGA_MEM
@@ -871,40 +884,41 @@ void vga_mem_writeb(VGACommonState *s, target_phys_addr_t addr, uint32_t val)
         }
     } else {
         /* standard VGA latched access */
-        write_mode = s->gr[5] & 3;
+        write_mode = s->gr[VGA_GFX_MODE] & 3;
         switch(write_mode) {
         default:
         case 0:
             /* rotate */
-            b = s->gr[3] & 7;
+            b = s->gr[VGA_GFX_DATA_ROTATE] & 7;
             val = ((val >> b) | (val << (8 - b))) & 0xff;
             val |= val << 8;
             val |= val << 16;
 
             /* apply set/reset mask */
-            set_mask = mask16[s->gr[1]];
-            val = (val & ~set_mask) | (mask16[s->gr[0]] & set_mask);
-            bit_mask = s->gr[8];
+            set_mask = mask16[s->gr[VGA_GFX_SR_ENABLE]];
+            val = (val & ~set_mask) |
+                (mask16[s->gr[VGA_GFX_SR_VALUE]] & set_mask);
+            bit_mask = s->gr[VGA_GFX_BIT_MASK];
             break;
         case 1:
             val = s->latch;
             goto do_write;
         case 2:
             val = mask16[val & 0x0f];
-            bit_mask = s->gr[8];
+            bit_mask = s->gr[VGA_GFX_BIT_MASK];
             break;
         case 3:
             /* rotate */
-            b = s->gr[3] & 7;
+            b = s->gr[VGA_GFX_DATA_ROTATE] & 7;
             val = (val >> b) | (val << (8 - b));
 
-            bit_mask = s->gr[8] & val;
-            val = mask16[s->gr[0]];
+            bit_mask = s->gr[VGA_GFX_BIT_MASK] & val;
+            val = mask16[s->gr[VGA_GFX_SR_VALUE]];
             break;
         }
 
         /* apply logical operation */
-        func_select = s->gr[3] >> 3;
+        func_select = s->gr[VGA_GFX_DATA_ROTATE] >> 3;
         switch(func_select) {
         case 0:
         default:
@@ -931,7 +945,7 @@ void vga_mem_writeb(VGACommonState *s, target_phys_addr_t addr, uint32_t val)
 
     do_write:
         /* mask data according to sr[2] */
-        mask = s->sr[2];
+        mask = s->sr[VGA_SEQ_PLANE_WRITE];
         s->plane_updated |= mask; /* only used to detect font change */
         write_mask = mask16[mask];
         ((uint32_t *)s->vram_ptr)[addr] =
@@ -1045,10 +1059,11 @@ static int update_palette16(VGACommonState *s)
     palette = s->last_palette;
     for(i = 0; i < 16; i++) {
         v = s->ar[i];
-        if (s->ar[0x10] & 0x80)
-            v = ((s->ar[0x14] & 0xf) << 4) | (v & 0xf);
-        else
-            v = ((s->ar[0x14] & 0xc) << 4) | (v & 0x3f);
+        if (s->ar[VGA_ATC_MODE] & 0x80) {
+            v = ((s->ar[VGA_ATC_COLOR_PAGE] & 0xf) << 4) | (v & 0xf);
+        } else {
+            v = ((s->ar[VGA_ATC_COLOR_PAGE] & 0xc) << 4) | (v & 0x3f);
+        }
         v = v * 3;
         col = s->rgb_to_pixel(c6_to_8(s->palette[v]),
                               c6_to_8(s->palette[v + 1]),
@@ -1104,16 +1119,17 @@ static void vga_get_offsets(VGACommonState *s,
 #endif
     {
         /* compute line_offset in bytes */
-        line_offset = s->cr[0x13];
+        line_offset = s->cr[VGA_CRTC_OFFSET];
         line_offset <<= 3;
 
         /* starting address */
-        start_addr = s->cr[0x0d] | (s->cr[0x0c] << 8);
+        start_addr = s->cr[VGA_CRTC_START_LO] |
+            (s->cr[VGA_CRTC_START_HI] << 8);
 
         /* line compare */
-        line_compare = s->cr[0x18] |
-            ((s->cr[0x07] & 0x10) << 4) |
-            ((s->cr[0x09] & 0x40) << 3);
+        line_compare = s->cr[VGA_CRTC_LINE_COMPARE] |
+            ((s->cr[VGA_CRTC_OVERFLOW] & 0x10) << 4) |
+            ((s->cr[VGA_CRTC_MAX_SCAN] & 0x40) << 3);
     }
     *pline_offset = line_offset;
     *pstart_addr = start_addr;
@@ -1216,20 +1232,22 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
     int width, cwidth, height, cheight;
 
     /* total width & height */
-    cheight = (s->cr[9] & 0x1f) + 1;
+    cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
     cwidth = 8;
-    if (!(s->sr[1] & 0x01))
+    if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
         cwidth = 9;
-    if (s->sr[1] & 0x08)
+    }
+    if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
         cwidth = 16; /* NOTE: no 18 pixel wide */
-    width = (s->cr[0x01] + 1);
-    if (s->cr[0x06] == 100) {
+    }
+    width = (s->cr[VGA_CRTC_H_DISP] + 1);
+    if (s->cr[VGA_CRTC_V_TOTAL] == 100) {
         /* ugly hack for CGA 160x100x16 - explain me the logic */
         height = 100;
     } else {
-        height = s->cr[0x12] |
-            ((s->cr[0x07] & 0x02) << 7) |
-            ((s->cr[0x07] & 0x40) << 3);
+        height = s->cr[VGA_CRTC_V_DISP_END] |
+            ((s->cr[VGA_CRTC_OVERFLOW] & 0x02) << 7) |
+            ((s->cr[VGA_CRTC_OVERFLOW] & 0x40) << 3);
         height = (height + 1) / cheight;
     }
 
@@ -1273,7 +1291,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
     vga_draw_glyph9_func *vga_draw_glyph9;
 
     /* compute font data address (in plane 2) */
-    v = s->sr[3];
+    v = s->sr[VGA_SEQ_CHARACTER_MAP];
     offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
     if (offset != s->font_offsets[0]) {
         s->font_offsets[0] = offset;
@@ -1321,10 +1339,11 @@ static void vga_draw_text(VGACommonState *s, int full_update)
     palette = s->last_palette;
     x_incr = cw * ((ds_get_bits_per_pixel(s->ds) + 7) >> 3);