summaryrefslogtreecommitdiff
path: root/hw
AgeCommit message (Collapse)AuthorFilesLines
2013-02-06qemu/9p: Don't ignore error in fid clunkAneesh Kumar K.V1-5/+7
We use the clunk request to do the actual xattr operation. So don't ignore the error value for fid clunk. Security model "none" don't support posix acl. Without this patch guest won't get EOPNOTSUPP error on setxattr("system.posix_acl_access") Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-06e1000: fix link down handling with auto negotiationMichael S. Tsirkin1-6/+36
Fixes a couple of regression bugs introduced by b9d03e352cb6b31a66545763f6a1e20c9abf0c2c and related to auto-negotiation: - Auto-negotiation currently sets link up even if it was forced down from the monitor. - If Auto-negotiation was in progress during migration, link will never come up. As a fix, don't touch NC link_down field at all, instead add code on receive path to check guest link status. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-04acpi_piix4: fix segfault migrating from 1.2Michael Roth1-2/+2
b0b873a07872f7ab7f66f259c73fb9dd42aa66a9 bumped the vmstate version and introduced an old-style load function to handle migration from prior (<= 1.2) versions. The load function passes the top-level PIIX4PMState pointer to vmstate_load_state() to handle nested structs for APMState and pci_status, which leads to corruption of the top-level PIIX4PMState, since pointers to the nested structs are expected. A segfault can be fairly reliably triggered by migrating from 1.2 and issuing a reset, which will trigger a number of QOM operations which rely on the now corrupted ObjectClass/Object members. Fix this by passing in the expected pointers for vmstate_load_state(). Cc: qemu-stable@nongnu.org Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: drop extra references at creation timePaolo Bonzini2-4/+6
qdev_free and qbus_free have to do unparent+unref, because nobody else drops the initial reference (the one included by object_initialize) before them. For device_init_func and do_device_add, this is trivially correct, since the DeviceState goes out of scope. For qdev_create, qdev_try_create and qbus_init, it is a bit more tricky. What we are doing here is just assuming that the caller knows what it's doing, and won't call qdev_free/qbus_free while the device is still there. This is a pretty reasonable assumption and (behind the scenes) is also what GObject/GTK does. GTK actually has a "floating reference" that goes away as soon as the caller does gtk_container_add or something like that, but in the end qbus_init and qdev_try_create are already adding the new object to its qdev parent! So in the end the two solutions are the same. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: inline object_delete into qbus_free/qdev_freePaolo Bonzini1-2/+4
We want object_delete to disappear, and we will do this one class at a time. Inline it for the qdev case, which we will tackle first. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: add reference for the bus while it is referred to by the DeviceStatePaolo Bonzini1-0/+3
Now that the unparent callbacks are complete, we can correctly account more missing references. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: move unrealization of devices from finalize to unparentPaolo Bonzini1-18/+17
Similarly, a bus holds a reference back to the device, and this will prevent the device from going away as soon as this reference is counted properly. To avoid this, move the unrealization of devices to the unparent callback. This includes recursively unparenting all the buses and (after the previous patch) the devices on those buses, which ensures that the web of references completely disappears for all devices that reside (in the qdev tree) below the one being unplugged. After this patch, the qdev tree and the bus<->child relationship is defined as "A is above B, iff unplugging A will automatically unplug B". Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: move deletion of children from finalize to unparentPaolo Bonzini1-12/+25
A device will never be finalized as long as it has a reference from other devices that sit on its buses. To ensure that the references go away, deassociate a bus from its children in the unparent callback for the bus. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: add reference count to a device for the BusChildPaolo Bonzini1-0/+5
Each device has a reference through the BusChild. This reference was not accounted for, add it now. Reviewed-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01pci: use qbus_create in pci_bus_newPaolo Bonzini1-6/+15
Remove knowledge of QOM innards. The common part of pci_bus_new and pci_bus_new_inplace is moved to a new function pci_bus_init. Acked-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: change first argument of qbus_create_inplace to void *Paolo Bonzini2-2/+2
Make it clear that no BUS() macro is needed in the callers (in fact it wouldn't work because the object has not been initialized yet with the right class). Suggested-by: Andreas Faerber <afaerber@suse.de> Acked-by: Andreas F=E4rber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01qdev: remove duplication between qbus_create and qbus_create_inplacePaolo Bonzini1-11/+7
Move the common part to qbus_realize. Acked-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01accel: change {xen, kvm, tcg, qtest}_allowed from int to boolliguang1-2/+2
Signed-off-by: liguang <lig.fnst@cn.fujitsu.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01xen: fix build problem introduced from per-queue peersAnthony Liguori1-2/+0
Reported-by Andreas Färber <afaerber@suse.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01virtio-net: compat multiqueue supportJason Wang1-0/+4
Disable multiqueue support for pre 1.4. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01virtio-net: migration support for multiqueueJason Wang1-6/+29
This patch add migration support for multiqueue virtio-net. Instead of bumping the version, we conditionally send the info of multiqueue only when the device support more than one queue to maintain the backward compatibility. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01virtio-net: multiqueue supportJason Wang2-67/+263
This patch implements both userspace and vhost support for multiple queue virtio-net (VIRTIO_NET_F_MQ). This is done by introducing an array of VirtIONetQueue to VirtIONet. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01virtio-net: separate virtqueue from VirtIONetJason Wang1-81/+114
To support multiqueue virtio-net, the first step is to separate the virtqueue related fields from VirtIONet to a new structure VirtIONetQueue. The following patches will add an array of VirtIONetQueue to VirtIONet based on this patch. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01virtio: add a queue_index to VirtQueueJason Wang2-0/+9
Add a queue_index to VirtQueue and a helper to fetch it, this could be used by multiqueue supported device. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01virtio: introduce virtio_del_queue()Jason Wang2-0/+11
Some device (such as virtio-net) needs the ability to destroy or re-order the virtqueues, this patch adds a helper to do this. Signed-off-by: Jason Wang <jasowang> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01vhost: multiqueue supportJason Wang5-58/+120
This patch lets vhost support multiqueue. The idea is simple, just launching multiple threads of vhost and let each of vhost thread processing a subset of the virtqueues of the device. After this change each emulated device can have multiple vhost threads as its backend. To do this, a virtqueue index were introduced to record to first virtqueue that will be handled by this vhost_net device. Based on this and nvqs, vhost could calculate its relative index to setup vhost_net device. Since we may have many vhost/net devices for a virtio-net device. The setting of guest notifiers were moved out of the starting/stopping of a specific vhost thread. The vhost_net_{start|stop}() were renamed to vhost_net_{start|stop}_one(), and a new vhost_net_{start|stop}() were introduced to configure the guest notifiers and start/stop all vhost/vhost_net devices. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01net: multiqueue supportJason Wang4-12/+44
This patch adds basic multiqueue support for qemu. The idea is simple, an array of NetClientStates were introduced in NICState, parse_netdev() were extended to find and match all NetClientStates belongs to the backend and place their pointers in NICConf. Then qemu_new_nic can setup a N:N mapping between NICStates that belongs to a nic and NICStates belongs to the netdev. And a queue_index were introduced in NetClientState to track its index. After this, each peers of a NICState were abstracted as a queue. After this change, all NetClientState that belongs to the same backend/nic has the same id. When use want to change the link status, all NetClientStates that belongs to the same backend/nic will be also changed. When user want to delete a device or netdev, all NetClientStates that belongs to the same backend/nic will be deleted also. Changing or deleting an specific queue is not allowed. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01net: intorduce qemu_del_nic()Jason Wang8-8/+8
To support multiqueue nic, this patch separate the nic destructor from qemu_del_net_client() to a new helper qemu_del_nic() since the mapping bettween NiCState and NetClientState were not 1:1 in multiqueue. The following patches would refactor this function to support multiqueue nic. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01net: introduce qemu_get_nic()Jason Wang26-74/+74
To support multiqueue, this patch introduces a helper qemu_get_nic() to get NICState from a NetClientState. The following patches would refactor this helper to support multiqueue. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01net: introduce qemu_get_queue()Jason Wang25-114/+133
To support multiqueue, the patch introduce a helper qemu_get_queue() which is used to get the NetClientState of a device. The following patches would refactor this helper to support multiqueue. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01net: tap: using bool instead of bitfieldJason Wang1-1/+1
Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01isa: QOM'ify isa_bus_from_device()Andreas Färber1-1/+1
DeviceState::parent_bus is document as private and should be accessed through qdev_get_parent_bus(). Use a DEVICE() cast instead of accessing ISADevice's qdev field directly. Use ISA_BUS() in place of DO_UPCAST(). Signed-off-by: Andreas Färber <afaerber@suse.de> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01i2c: Drop I2C_SLAVE_FROM_QDEV() macroAndreas Färber7-8/+7
It is not being used in hot paths and is obsoleted by I2C_SLAVE() QOM cast macro. Clean it up using a scripted conversion, so that it doesn't get used in new code. Some of its callers were combining it with FROM_I2C_SLAVE() macro, which is equally obsolete but needs to be replaced in a type-specific way. Signed-off-by: Andreas Färber <afaerber@suse.de> Cc: Kuo-Jung Su <dantesu@faraday-tech.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01Revert "e1000: no need auto-negotiation if link was down"Michael Roth1-5/+0
This reverts commit 84dd2120247a7d25ff1bb337de21c0e76816ad2d. I'm not sure what issue the original commit was meant to fix, or if the logic is actually wrong, but it causes e1000 to stop working after a guest issues a reset. >From what I can tell a guest with an e1000 nic has no way of changing the link status, as far as it's NetClient peer is concerned, except in the auto-negotiation path, so with this patch in place there's no recovery after a reset, since the link goes down and stays that way. Revert this patch now to fix the bigger problem, and handle any lingering issues with a follow-up. Reproduced/tested with qemu-jeos and Ubuntu 12.10. Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2013-02-01Merge remote-tracking branch 'agraf/s390-for-upstream' into stagingAnthony Liguori3-7/+11
# By Andreas Färber # Via Alexander Graf * agraf/s390-for-upstream: target-s390x: Pass S390CPU to s390_{add, del}_running_cpu() target-s390x: Clean up cpu_inject_*() signatures target-s390x: Fix debug output target-s390x: Fix debug output (continued)
2013-01-31Merge remote-tracking branch 'afaerber/qom-cpu' into stagingAnthony Liguori4-28/+86
# By Andreas Färber # Via Andreas Färber * afaerber/qom-cpu: linux-user: bsd-user: Don't reset X86CPU twice target-i386: Pass X86CPU to cpu_x86_set_a20() target-unicore32: Rename CPU subtypes target-openrisc: Rename CPU subtypes target-openrisc: TYPE_OPENRISC_CPU should be abstract target-m68k: Rename CPU subtypes target-m68k: Mark as unmigratable target-s390x: Mark as unmigratable target-sh4: Mark as unmigratable target-xtensa: Mark as unmigratable target-microblaze: Mark as unmigratable target-unicore32: Mark as unmigratable ide/mmio: QOM'ify MMIO IDE for R2D
2013-01-31Merge remote-tracking branch 'mst/tags/for_anthony' into stagingAnthony Liguori9-65/+227
virtio,make,pci,e1000,vfio,piix This includes my timestamp generation cleanup, Amos's and my work on virtio net commands, pci,e1000,vfio and piix fixes. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> # gpg: Signature made Thu 31 Jan 2013 06:20:27 AM CST using RSA key ID D28D5469 # gpg: Can't check signature: public key not found # By Michael S. Tsirkin (6) and others # Via Michael S. Tsirkin * mst/tags/for_anthony: vfio-pci: Enable PCIe extended config space PIIX3: reset the VM when the Reset Control Register's RCPU bit gets set ich9: add support for pci assignment virtio-net: rename ctrl rx commands virtio-net: introduce a new macaddr control virtio-net: remove layout assumptions for ctrl vq virtio-net: revert mac on reset rules/mak: make clean should blow away timestamp files Makefile: clean timestamp generation rule rules.mak: cleanup config generation rules e1000: document ICS read behaviour
2013-02-01target-s390x: Pass S390CPU to s390_{add, del}_running_cpu()Andreas Färber2-4/+10
This prepares for moving the halted field to CPUState. Most call sites can already supply S390CPU, for some env becomes unused. Signed-off-by: Andreas Färber <afaerber@suse.de> Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2013-02-01target-s390x: Clean up cpu_inject_*() signaturesAndreas Färber1-3/+1
Despite cautioning that S390CPU is needed for upcoming CPUState refactorings, commit 5d69c547d947798cba92d836d06f6e017ba2b19d (s390: I/O interrupt and machine check injection.) added functions cpu_inject_io() and cpu_inject_crw_mchk() with CPUS390XState argument, claiming consistency with cpu_inject_ext(). This complicates making cpu_interrupt() take a CPUState even more and it required to pass &cpu->env from some S390CPU-aware call sites already, creating inconsistency elsewhere. Address that. This also eliminates the need for CPUS390XState in s390_virtio_irq(). Signed-off-by: Andreas Färber <afaerber@suse.de> Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Alexander Graf <agraf@suse.de>
2013-02-01target-i386: Pass X86CPU to cpu_x86_set_a20()Andreas Färber1-3/+4
Prepares for cpu_interrupt() changing argument to CPUState. While touching it, rename to x86_cpu_...() now that it takes an X86CPU. Signed-off-by: Andreas Färber <afaerber@suse.de> Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
2013-02-01ide/mmio: QOM'ify MMIO IDE for R2DAndreas Färber3-25/+82
It was not qdev'ified before, so turn it into a SysBusDevice. Keep mmio_ide_init_drives() around to attach the hard drive. Signed-off-by: Andreas Färberr <afaerber@suse.de> Cc: Markus Armbruster <armbru@redhat.com> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
2013-01-30Merge remote-tracking branch 'pmaydell/arm-devs.next' into stagingAnthony Liguori2-1/+2
# By Christoffer Dall (1) and Peter Maydell (1) # Via Peter Maydell * pmaydell/arm-devs.next: hw/vexpress: Use correct HBI (board model number) for vexpress-a15 hw/arm_sysctl: Clear sysctl cfgctrl start bit
2013-01-30Merge remote-tracking branch 'stefanha/trivial-patches' into stagingAnthony Liguori8-33/+23
# By Markus Armbruster (12) and others # Via Stefan Hajnoczi * stefanha/trivial-patches: qmp-commands.hx: s/tray-open/tray_open/ to match qapi schema tests: Fix {rtc, m48t59}-test build on illumos qemu-pixman.h: Avoid mutual inclusion loop with console.h qemu-ga: Fix unchecked strdup() by converting to g_strdup() qapi: Fix unchecked strdup() by converting to g_strdup() libcacard: Fix unchecked strdup() by converting to g_strdup() qemu-log: Plug trivial memory leak in cpu_set_log_filename() qemu-log: Fix unchecked strdup() by converting to g_strdup() virtfs-proxy-helper: Fix unchecked strdup() by conv. to g_strdup() spice: Fix unchecked strdup() by converting to g_strdup() readline: Fix unchecked strdup() by converting to g_strdup() hw/9pfs: Fix unchecked strdup() by converting to g_strdup() g_strdup(NULL) returns NULL; simplify g_malloc(0) and g_malloc0(0) return NULL; simplify xilinx_axidma: Fix debug mode compile messages cadence_gem: Debug mode compile fixes cadence_ttc: Debug mode compile fixes vnc: Clean up vncws_send_handshake_response()
2013-01-30Merge remote-tracking branch 'afaerber-or/prep-up' into stagingAnthony Liguori3-31/+56
# By Andreas Färber # Via Andreas Färber * afaerber-or/prep-up: prep: Move PReP machine to hw/ppc/ prep_pci: Convert to QOM realizefn prep_pci: Create PCIBus and PCIDevice in-place
2013-01-30hw/vexpress: Use correct HBI (board model number) for vexpress-a15Peter Maydell1-1/+1
The vexpress-a15 QEMU model is supposed to be a V2P-CA15; the HBI (a kind of board model number) for this coretile is 237, not 217. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-01-30hw/arm_sysctl: Clear sysctl cfgctrl start bitChristoffer Dall1-0/+1
The start bit should only be set to indicate that a function call is underway, right now. When done with function, clear it. Signed-off-by: Christoffer Dall <c.dall@virtualopensystems.com> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2013-01-30hw/9pfs: Fix unchecked strdup() by converting to g_strdup()Markus Armbruster2-5/+5
Note: the allocation in virtio_9p_init() is still leaked. To be fixed in a followup commit. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-30g_strdup(NULL) returns NULL; simplifyMarkus Armbruster2-8/+2
Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-30g_malloc(0) and g_malloc0(0) return NULL; simplifyMarkus Armbruster2-10/+3
Once upon a time, it was decided that qemu_malloc(0) should abort. Switching to glib retired that bright idea. Some code that was added to cope with it (e.g. in commits 702ef63, b76b6e9) is still around. Bury it. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-30prep: Move PReP machine to hw/ppc/Andreas Färber2-15/+16
Signed-off-by: Andreas Färber <andreas.faerber@web.de>
2013-01-30xilinx_axidma: Fix debug mode compile messagesPeter Crosthwaite1-1/+1
Missing cast one one of the conditionally compiled printfs. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-30cadence_gem: Debug mode compile fixesPeter Crosthwaite1-7/+10
Some printfs are throwing warnings when debug mode is enabled. Fixed. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-30cadence_ttc: Debug mode compile fixesPeter Crosthwaite1-2/+2
Some printfs are throwing warnings when debug mode is enabled. Fixed. Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2013-01-30vfio-pci: Enable PCIe extended config spaceAlex Williamson1-0/+4
We don't know pre-init time whether the device we're exposing is PCIe or legacy PCI. We could ask for it to be specified via a device option, but that seems like too much to ask of the user. Instead we can assume everything will be PCIe, which makes PCI-core allocate enough config space. Removing the flag during init leaves the space allocated, but allows legacy PCI devices to report the real device config space size to rest of Qemu. Signed-off-by: Alex Williamson <alex.williamson@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2013-01-30PIIX3: reset the VM when the Reset Control Register's RCPU bit gets setLaszlo Ersek1-1/+69
Traditional PCI config space access is achieved by writing a 32 bit value to io port 0xcf8 to identify the bus, device, function and config register. Port 0xcfc then contains the register in question. But if you write the appropriate pair of magic values to 0xcf9, the machine will reboot. Spectacular! And not standardised in any way (certainly not part of the PCI spec), so different chipsets may have different requirements. Booo. In the PIIX3 spec, IO port 0xcf9 is specified as the Reset Control Register. Bit 1 (System Reset, SRST) would normally differentiate between soft reset and hard reset, but we ignore the difference beyond allowing the guest to read it back. RHBZ reference: 890459 This patch introduces the following overlap between the preexistent "pci-conf-idx" region and the "piix3-reset-control" region just being added. Partial output from "info mtree": I/O 0000000000000000-000000000000ffff (prio 0, RW): io 0000000000000cf8-0000000000000cfb (prio 0, RW): pci-conf-idx 0000000000000cf9-0000000000000cf9 (prio 1, RW): piix3-reset-control I sanity-checked the patch by booting a RHEL-6.3 guest and found no problems. I summoned gdb and set a breakpoint on rcr_write() in order to gather a bit more confidence. Relevant frames of the stack: kvm_handle_io (port=3321, data=0x7f3f5f3de000, direction=1, size=1, count=1) [kvm-all.c:1422] cpu_outb (addr=3321, val=6 '\006') [ioport.c:289] ioport_write (index=0, address=3321, data=6) [ioport.c:83] ioport_writeb_thunk (opaque=0x7f3f622c4680, addr=3321, data=6) [ioport.c:212] memory_region_iorange_write (iorange=0x7f3f622c4680, offset=0, width=1, data=6) [memory.c:439] access_with_adjusted_size (addr=0, value=0x7f3f531fbac0, size=1, access_size_min=1, access_size_max=4, access=0x7f3f5f6e0f90 <memory_region_write_accessor>, opaque=0x7f3f6227b668) [memory.c:364] memory_region_write_accessor (opaque=0x7f3f6227b668, addr=0, value=0x7f3f531fbac0, size=1, shift=0, mask=255) [memory.c:334] rcr_write (opaque=0x7f3f6227afb0, addr=0, val=6, len=1) [hw/piix_pci.c:498] The dispatch happens in ioport_write(); "index=0" means byte-wide access: static void ioport_write(int index, uint32_t address, uint32_t data) { static IOPortWriteFunc * const default_func[3] = { default_ioport_writeb, default_ioport_writew, default_ioport_writel }; IOPortWriteFunc *func = ioport_write_table[index][address]; if (!func) func = default_func[index]; func(ioport_opaque[address], address, data); } The "ioport_write_table" and "ioport_opaque" arrays describe the flattened IO port space. The first array is less interesting (it selects a thunk function). The "ioport_opaque" array is interesting because it decides how writing to the port is implemented ultimately. 4-byte wide access to 0xcf8 (pci-conf-idx): (gdb) print ioport_write_table[2][0xcf8] $1 = (IOPortWriteFunc *) 0x7f3f5f6d99ba <ioport_writel_thunk> (gdb) print \ ((struct MemoryRegionIORange*)ioport_opaque[0xcf8])->mr->ops.write $2 = (void (*)(void *, hwaddr, uint64_t, unsigned int)) 0x7f3f5f5575cb <pci_host_config_write> 1-byte wide access to 0xcf9 (piix3-reset-control): (gdb) print ioport_write_table[0][0xcf9] $3 = (IOPortWriteFunc *) 0x7f3f5f6d98d0 <ioport_writeb_thunk> (gdb) print \ ((struct MemoryRegionIORange*)ioport_opaque[0xcf9])->mr->ops.write $4 = (void (*)(void *, hwaddr, uint64_t, unsigned int)) 0x7f3f5f6b42f1 <rcr_write> The higher priority of "piix3-reset-control" ensures that the 0xcf9 entries in ioport_write_table / ioport_opaque will always belong to it, independently of its relative registration order versus "pci-conf-idx". Signed-off-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>