git.osdn.net Git - qmiga/qemu.git/log

hw/arm/virt-acpi-build: use SMC if booting in EL2

Signed-off-by: Andrew Jones <drjones@redhat.com>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-16-git-send-email-peter.maydell@linaro.org
[PMM: look at vms->psci_conduit rather than vms->virt
to decide whether to use HVC or SMC, and report no
PSCI support at all for the 'PSCI disabled' case]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

hw/arm/virt: Support using SMC for PSCI

If we are giving the guest a CPU with EL2, it is likely to
want to use the HVC instruction itself, for instance for
providing PSCI to inner guest VMs. This makes using HVC
as the PSCI conduit for the outer QEMU a bad idea. We will
want to use SMC instead is this case: this makes sense
because QEMU's PSCI implementation is effectively an
emulation of functionality provided by EL3 firmware.

Add code to support selecting the PSCI conduit to use,
rather than hardcoding use of HVC.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 1483977924-14522-15-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Implement EL2 traps for CPU i/f regs

Implement the architecturally required traps from NS EL1
to EL2 for the CPU interface registers. These fall into
several different groups:
* group-0-only registers all trap if ICH_HRC_EL2.TALL0 is set
   (exactly the registers covered by gicv3_fiq_access())
* group-1-only registers all trap if ICH_HRC_EL2.TALL1 is set
   (exactly the registers covered by gicv3_irq_access())
* DIR traps if ICH_HCR_EL2.TC or ICH_HCR_EL2.TDIR are set
* PMR, RPR, CTLR trap if ICH_HCR_EL2.TC is set
* SGI0R, SGI1R, ASGI1R trap if ICH_HCR_EL2.TC is set or
   if HCR_EL2.IMO or HCR_EL2.FMO are set

We split DIR and the SGI registers out into their own access
functions, leaving the existing gicv3_irqfiq_access() just
handling PMR, RPR and CTLR.

This commit doesn't implement support for trapping on
HSTR_EL2.T12 for the 32-bit registers, as we don't implement
any of those per-coprocessor trap bits currently and
probably will want to do those in some more centralized way.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-14-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Implement gicv3_cpuif_virt_update()

Implement the function which signals virtual interrupts to the
CPU as appropriate following CPU interface state changes.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-13-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Implement ICV_ registers EOIR and IAR

Implement the two remaining ICV_ registers: EOIR and IAR.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-12-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Implement ICV_ HPPIR, DIR and RPR registers

Implement the the ICV_ registers HPPIR, DIR and RPR.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-11-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Implement ICV_ registers which are just accessors

If the HCR_EL2.IMO or FMO bits are set, accesses to ICC_
system registers are redirected to be accesses to ICV_
registers (the guest-visible interface to the virtual
interrupt controller). Implement this behaviour for the
ICV_ registers which are simple accessors to the underlying
register state.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-10-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Add accessors for ICH_ system registers

The GICv3 virtualization interface includes system registers
accessible only to the hypervisor which form the control
interface for interrupt virtualization. Implement these
registers.

The function gicv3_cpuif_virt_update() which determines
whether it needs to signal vIRQ, vFIQ or a maintenance
interrupt is introduced here as a stub function -- its
implementation will be added in a subsequent commit.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-9-git-send-email-peter.maydell@linaro.org

hw/intc/gicv3: Add data fields for virtualization support

As the first step in adding support for the virtualization
extensions to the GICv3 emulation:
* add the necessary data fields to the state structures
* add the fields to the migration state, as a subsection
which is only present if virtualization is enabled

The use of a subsection means we retain migration
compatibility as EL2 is not enabled on any CPUs currently.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1483977924-14522-8-git-send-email-peter.maydell@linaro.org

hw/intc/gicv3: Add defines for ICH system register fields

Add defines to gicv3_internal.h for fields in the ICH_*
system registers which form the GIC virtualization control
interface.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1483977924-14522-7-git-send-email-peter.maydell@linaro.org

target-arm: Add ARMCPU fields for GIC CPU i/f config

Add fields to the ARMCPU structure to allow CPU classes to
specify the configurable aspects of their GIC CPU interface.
In particular, the virtualization support allows different
values for number of list registers, priority bits and
preemption bits.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1483977924-14522-6-git-send-email-peter.maydell@linaro.org

hw/arm/virt: Wire VIRQ, VFIQ, maintenance irq lines from GIC to CPU

Wire the new VIRQ, VFIQ and maintenance interrupt lines from the
GIC to each CPU.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1483977924-14522-5-git-send-email-peter.maydell@linaro.org

target-arm: Expose output GPIO line for VCPU maintenance interrupt

The GICv3 support for virtualization includes an outbound
maintenance interrupt signal which is asserted when the
CPU interface wants to signal to the hypervisor that it
needs attention. Expose this as an outbound GPIO line from
the CPU object which can be wired up as a physical interrupt
line by the board code (as we do already for the CPU timers).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1483977924-14522-4-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gic: Add external IRQ lines for VIRQ and VFIQ

Augment the GIC's QOM device interface by adding two
new sets of sysbus IRQ lines, to signal VIRQ and VFIQ to
each CPU.

We never use these, but it's helpful to keep the v2-and-earlier
GIC's external interface in line with that of the GICv3 to
avoid board code having to add extra code conditional on which
version of the GIC is in use.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 1483977924-14522-3-git-send-email-peter.maydell@linaro.org

hw/intc/arm_gicv3: Add external IRQ lines for VIRQ and VFIQ

Augment the GICv3's QOM device interface by adding two
new sets of sysbus IRQ lines, to signal VIRQ and VFIQ to
each CPU.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
Message-id: 1483977924-14522-2-git-send-email-peter.maydell@linaro.org

hw/arm/virt-acpi - reserve ECAM space as PNP0C02 device

Linux for arm64 v4.10 and later will complain if the ECAM config space is
not reserved in the ACPI namespace:

acpi PNP0A08:00: [Firmware Bug]: ECAM area [mem 0x3f000000-0x3fffffff] not reserved in ACPI namespace

The rationale is that OSes that don't consume the MCFG table should still
be able to infer that the PCI config space MMIO region is occupied.

So update the ACPI table generation routine to add this reservation.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Message-id: 1484328738-21149-1-git-send-email-ard.biesheuvel@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

arm: virt: Fix segmentation fault when specifying an unsupported CPU

Using -cpu cortex-a9 (or any other unsupported CPU) with the virt
board will cause QEMU to segmentation fault. This bug was introduced
in commit 9ac4ef77, which incorrectly added a NULL terminator when
converting the VirtBoardInfo array into a simple array of strings
defining the valid CPUs. The cpuname_valid() loop already has
a termination condition based on ARRAY_SIZE, so the NULL is
spurious and causes the strcmp() to segfault if we reach it.
Delete the NULL.

Signed-off-by: Shannon Zhao <shannon.zhao@linaro.org>
Message-id: 1484619334-10488-1-git-send-email-zhaoshenglong@huawei.com
[PMM: expanded commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed: use first FMC flash as a boot ROM

Create a ROM region, using the default size of the mapping window for
the CE0 FMC flash module, and fill it with the flash content.

This is a little hacky but until we can boot from a MMIO region, it
seems difficult to do anything else.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1483979087-32663-11-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: extend tests for Command mode

The Aspeed SMC controllers have a mode (Command mode) in which
accesses to the flash content are no different than doing MMIOs. The
controller generates all the necessary commands to load (or store)
data in memory.

So add a couple of tests doing direct reads and writes on the AHB bus.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1483979087-32663-10-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: reset flash after each test

Let's make sure when each test is run that the flash object is in an
initial state and did not keep configuration from the previous tests.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1483979087-32663-9-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: handle SPI flash Command mode

The Aspeed SMC controllers have a mode (Command mode) in which
accesses to the flash content are no different than doing MMIOs. The
controller generates all the necessary commands to load (or store)
data in memory.

However, accesses are restricted to the segment window assigned the
the flash module by the controller. This window is defined by the
Segment Address Register.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1483979087-32663-8-git-send-email-clg@kaod.org
[PMM: Deleted now-unused aspeed_smc_is_usermode() function]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: adjust the size of the register region

The SPI controller of the AST2400 SoC has less registers. So we can
adjust the size of the memory region holding the registers depending
on the controller type. We can also remove the guest_error logging
which is useless as the range of the region is strict enough.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-id: 1483979087-32663-7-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: unfold the AspeedSMCController array

This is getting difficult to read. Also add a 'has_dma' field for each
controller type.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1483979087-32663-6-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: autostrap CE0/1 configuration

On the AST2500 SoC, the FMC controller flash type is fixed to SPI for
CE0 and CE1 and 4BYTE mode is autodetected for CE0.

On the AST2400 SoC, the FMC controller flash type and 4BYTE mode are
strapped with register SCU70. We use the default settings from the
palmetto-bmc machine for now.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1483979087-32663-5-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: rework the prototype of the AspeedSMCFlash helper routines

Change the routines prototype to use a 'AspeedSMCFlash *' instead of
'AspeedSMCState *'. The result will help in making future changes
clearer.

Also change aspeed_smc_update_cs() which uselessly loops on all slave
devices to update their status.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Message-id: 1483979087-32663-4-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: remove call to aspeed_smc_update_cs() in reset function

Instead, we can simply set the irq level when unselecting the slave
devices. This change prepares ground for a subsequent cleanup of the
aspeed_smc_update_cs() routine which uselessly loops on all slaves to
update their status.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Message-id: 1483979087-32663-3-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

aspeed/smc: remove call to reset in realize function

This is useless as reset will be called later on.

Signed-off-by: Cédric Le Goater <clg@kaod.org>
Acked-by: Marcin Krzemiński <mar.krzeminski@gmail.com>
Message-id: 1483979087-32663-2-git-send-email-clg@kaod.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target/arm: Implement DBGVCR32_EL2 system register

The DBGVCR_EL2 system register is needed to run a 32-bit
EL1 guest under a Linux EL2 64-bit hypervisor. Its only
purpose is to provide AArch64 with access to the state of
the DBGVCR AArch32 register. Since we only have a dummy
DBGVCR, implement a corresponding dummy DBGVCR32_EL2.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

target/arm: Handle VIRQ and VFIQ in arm_cpu_do_interrupt_aarch32()

To run a VM in 32-bit EL1 our AArch32 interrupt handling code
needs to be able to cope with VIRQ and VFIQ exceptions.
These behave like IRQ and FIQ except that we don't need to try
to route them to Monitor mode.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>

block: m25p80: Improve 1GiB Micron flash definition

n25q00 and mt25q01 devices share the same JEDEC ID. The difference
between those two devices is number of dies and one bit in extended
JEDEC bytes. This commit adds proper entry for both devices by
introduction the number of dies and and new 25q00 entries.

Signed-off-by: Marcin Krzeminski <mar.krzeminski@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20170108083854.5006-4-mar.krzeminski@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

block: m25p80: Introduce die erase command

Modern big flash NOR devices consist of more than one die.
Some of them do not support chip erase and instead have a die
erase command that can erase one die only. This commit adds
support for defining the number of dies in the chip, and adds
support for die erase command.

The NOR flash model is not strict, so no option to
disable chip erase has been added.

Signed-off-by: Marcin Krzeminski <mar.krzeminski@gmail.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20170108083854.5006-3-mar.krzeminski@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

block: m25p80: Add Quad Page Program 4byte

Some flash chips have additional page program opcode that
takes only 4 byte address. This commit adds support
for such command in Qemu.

Signed-off-by: Marcin Krzeminski <mar.krzeminski@gmail.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20170108083854.5006-2-mar.krzeminski@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

arm: Uniquely name imx25 I2C buses.

The imx25 chip provides 3 i2c buses, but they have all been named
"i2c", which makes it difficult to predict which bus a device will
be connected to when specified on the command line.

This patch addresses the issue by naming the buses uniquely:
i2c-bus.0 i2c-bus.1 i2c-bus.2

Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Message-id: 20170105043430.3176-2-alastair@au1.ibm.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/artyom/tags/pull-sun4v-20170118' into staging

add OpenSPARC T1 emulation

# gpg: Signature made Wed 18 Jan 2017 22:25:47 GMT
# gpg:                using RSA key 0x3360C3F7411A125F
# gpg: Good signature from "Artyom Tarasenko <atar4qemu@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 2AD8 6149 17F4 B2D7 05C0  BB12 3360 C3F7 411A 125F

* remotes/artyom/tags/pull-sun4v-20170118: (30 commits)
  target-sparc: fix up niagara machine
  target-sparc: move common cpu initialisation routines to sparc64.c
  target-sparc: implement sun4v RTC
  target-sparc: add ST_BLKINIT_ ASIs for UA2005+ CPUs
  target-sparc: store the UA2005 entries in sun4u format
  target-sparc: implement UA2005 ASI_MMU (0x21)
  target-sparc: add more registers to dump_mmu
  target-sparc: implement auto-demapping for UA2005 CPUs
  target-sparc: allow 256M sized pages
  target-sparc: simplify ultrasparc_tsb_pointer
  target-sparc: implement UA2005 TSB Pointers
  target-sparc: use SparcV9MMU type for sparc64 I/D-MMUs
  target-sparc: replace the last tlb entry when no free entries left
  target-sparc: ignore writes to UA2005 CPU mondo queue register
  target-sparc: allow priveleged ASIs in hyperprivileged mode
  target-sparc: use direct address translation in hyperprivileged mode
  target-sparc: fix immediate UA2005 traps
  target-sparc: implement UA2005 rdhpstate and wrhpstate instructions
  target-sparc: implement UA2005 GL register
  target-sparc: implement UA2005 hypervisor traps
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20170117' into staging

tcg/i386 fixes

# gpg: Signature made Tue 17 Jan 2017 22:58:04 GMT
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"
# Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC  16A4 AD12 70CC 4DD0 279B

* remotes/rth/tags/pull-tcg-20170117:
  tcg/i386: Always use TZCNT when available
  Revert "tcg/i386: Rely on undefined/undocumented behaviour of BSF/BSR"

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

target-sparc: fix up niagara machine

Remove the Niagara stub implementation from sun4u.c and add a machine,
compatible with Legion simulator from the OpenSPARC T1 project.

The machine uses the firmware supplied with the OpenSPARC T1 project,
http://download.oracle.com/technetwork/systems/opensparc/OpenSPARCT1_Arch.1.5.tar.bz2
in the directory S10image/, and is able to boot the supplied Solaris 10 image.

Note that for compatibility with the naming conventions for SPARC machines
the new machine name is lowercase niagara.

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: move common cpu initialisation routines to sparc64.c

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: implement sun4v RTC

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: add ST_BLKINIT_ ASIs for UA2005+ CPUs

In OpenSPARC T1+ TWINX ASIs in store instructions are aliased
with Block Initializing Store ASIs.

"UltraSPARC T1 Supplement Draft D2.1, 14 May 2007" describes them
in the chapter "5.9 Block Initializing Store ASIs"

Integer stores of all sizes are allowed with these ASIs.

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: store the UA2005 entries in sun4u format

According to chapter 13.3 of the
UltraSPARC T1 Supplement to the UltraSPARC Architecture 2005,
only the sun4u format is available for data-access loads.

Store UA2005 entries in the sun4u format to simplify processing.

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: implement UA2005 ASI_MMU (0x21)

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: add more registers to dump_mmu

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: implement auto-demapping for UA2005 CPUs

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: allow 256M sized pages

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: simplify ultrasparc_tsb_pointer

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: implement UA2005 TSB Pointers

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: use SparcV9MMU type for sparc64 I/D-MMUs

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: replace the last tlb entry when no free entries left

Implement the behavior described in the chapter 13.9.11 of
UltraSPARC T1™ Supplement to the UltraSPARC Architecture 2005:

"If a TLB Data-In replacement is attempted with all TLB
entries locked and valid, the last TLB entry (entry 63) is
replaced."

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: ignore writes to UA2005 CPU mondo queue register

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: allow priveleged ASIs in hyperprivileged mode

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: use direct address translation in hyperprivileged mode

Please note that QEMU doesn't impelement Real->Physical address
translation. The "Real Address" is always the "Physical Address".

Suggested-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: fix immediate UA2005 traps

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: implement UA2005 rdhpstate and wrhpstate instructions

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: implement UA2005 GL register

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: implement UA2005 hypervisor traps

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: hypervisor mode takes over nucleus mode

Accordinf to UA2005, 9.3.3 "Address Space Identifiers",

"In hyperprivileged mode, all instruction fetches and loads and stores with implicit
ASIs use a physical address, regardless of the value of TL".

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: implement UltraSPARC-T1 Strand status ASR

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: implement UA2005 scratchpad registers

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: simplify replace_tlb_entry by using TTE_PGSIZE

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: on UA2005 don't deliver Interrupt_level_n IRQs in hypervisor mode

As described in Chapter 5.7.6 of the UltraSPARC Architecture 2005,
outstanding disrupting exceptions that are destined for privileged mode can only
cause a trap when the virtual processor is in nonprivileged or privileged mode and
PSTATE.ie = 1. At all other times, they are held pending.

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: add UltraSPARC T1 TLB #defines

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: add UA2005 TTE bit #defines

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: use explicit mmu register pointers

Use explicit register pointers while accessing D/I-MMU registers.
Call cpu_unassigned_access on access to missing registers.

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>

target-sparc: store cpu super- and hypervisor flags in TB

Suggested-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

target-sparc: ignore MMU-faults if MMU is disabled in hypervisor mode

while IMMU/DMMU is disabled
- ignore MMU-faults in hypervisorv mode or if CPU doesn't have hypervisor
- signal TT_INSN_REAL_TRANSLATION_MISS/TT_DATA_REAL_TRANSLATION_MISS otherwise

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>

tcg/i386: Always use TZCNT when available

I think this is cleaner than sometimes using BSF.

Signed-off-by: Richard Henderson <rth@twiddle.net>

Revert "tcg/i386: Rely on undefined/undocumented behaviour of BSF/BSR"

This reverts commit 4ac76910734209dab83ddd3795f08fc7889ef463.

This fixes
http://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg03062.html

While I think we could get away with relying on the undocumented
behaviour, the tcg constraint system isn't powerful enough to
properly describe the required (non-)overlap conditions.

Reported-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Richard Henderson <rth@twiddle.net>

Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' into staging

# gpg: Signature made Mon 16 Jan 2017 13:44:46 GMT
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/tracing-pull-request:
  trace: Add event "guest_cpu_exit"
  trace: Fix dynamic event state on vCPU hot-unplug
  trace: Lock vCPU list when initializing dynamic tracing state
  trace-events: spelling fix

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2017-01-16' into staging

QAPI patches for 2017-01-16

# gpg: Signature made Mon 16 Jan 2017 09:26:49 GMT
# gpg:                using RSA key 0x3870B400EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-qapi-2017-01-16: (180 commits)
  build-sys: add qapi doc generation targets
  build-sys: add txt documentation rules
  build-sys: use a generic TEXI2MAN rule
  build-sys: remove dvi doc generation
  build-sys: use --no-split for info
  docs: add qemu logo to pdf
  qapi: add qapi2texi script
  qmp-events: move 'MIGRATION_PASS' doc to schema
  qmp-events: move 'DUMP_COMPLETED' doc to schema
  qmp-events: move 'MEM_UNPLUG_ERROR' doc to schema
  qmp-events: move 'VSERPORT_CHANGE' doc to schema
  qmp-events: move 'QUORUM_REPORT_BAD' doc to schema
  qmp-events: move 'QUORUM_FAILURE' doc to schema
  qmp-events: move 'GUEST_PANICKED' doc to schema
  qmp-events: move 'BALLOON_CHANGE' doc to schema
  qmp-events: move 'ACPI_DEVICE_OST' doc to schema
  qmp-events: move 'MIGRATION' doc to schema
  qmp-events: move 'SPICE_MIGRATE_COMPLETED' doc to schema
  qmp-events: move 'SPICE_DISCONNECTED' doc to schema
  qmp-events: move 'SPICE_INITIALIZED' doc to schema
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

# gpg: Signature made Mon 16 Jan 2017 13:38:52 GMT
# gpg:                using RSA key 0x9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* remotes/stefanha/tags/block-pull-request:
  async: optimize aio_bh_poll
  aio: document locking
  aio-win32: remove walking_handlers, protecting AioHandler list with list_lock
  aio-posix: remove walking_handlers, protecting AioHandler list with list_lock
  aio: tweak walking in dispatch phase
  aio-posix: split aio_dispatch_handlers out of aio_dispatch
  qemu-thread: optimize QemuLockCnt with futexes on Linux
  aio: make ctx->list_lock a QemuLockCnt, subsuming ctx->walking_bh
  qemu-thread: introduce QemuLockCnt
  aio: rename bh_lock to list_lock
  block: get rid of bdrv_io_unplugged_begin/end

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/stsquad/tags/pull-tcg-common-tlb-reset-20170113-r1' into staging

This is the same as the v3 posted except a re-base and a few extra signoffs

# gpg: Signature made Fri 13 Jan 2017 14:26:46 GMT
# gpg:                using RSA key 0xFBD0DB095A9E2A44
# gpg: Good signature from "Alex Bennée (Master Work Key) <alex.bennee@linaro.org>"
# Primary key fingerprint: 6685 AE99 E751 67BC AFC8  DF35 FBD0 DB09 5A9E 2A44

* remotes/stsquad/tags/pull-tcg-common-tlb-reset-20170113-r1:
  cputlb: drop flush_global flag from tlb_flush
  cpu_common_reset: wrap TCG specific code in tcg_enabled()
  qom/cpu: move tlb_flush to cpu_common_reset

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

trace: Add event "guest_cpu_exit"

Signals the hot-unplugging of a virtual (guest) CPU.

Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
Message-id: 148278748597.1404.10546320797997984932.stgit@fimbulvetr.bsc.es
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

trace: Fix dynamic event state on vCPU hot-unplug

We need to disable per-vCPU events on a vCPU that is hot-unplugged to
keep the dynamic event state global counters consistent.

Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
Message-id: 148278748055.1404.1570530281528619895.stgit@fimbulvetr.bsc.es
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

trace: Lock vCPU list when initializing dynamic tracing state

Fixes potential corruption when a vCPU is hot-(un)plugged while
initializing the current one.

Signed-off-by: Lluís Vilanova <vilanova@ac.upc.edu>
Message-id: 148278747515.1404.6538173443841279200.stgit@fimbulvetr.bsc.es
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

trace-events: spelling fix

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20161212221759.28949-1-marcandre.lureau@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

async: optimize aio_bh_poll

Avoid entering the slow path of qemu_lockcnt_dec_and_lock if
no bottom half has to be deleted.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170112180800.21085-11-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio: document locking

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170112180800.21085-10-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio-win32: remove walking_handlers, protecting AioHandler list with list_lock

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170112180800.21085-9-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio-posix: remove walking_handlers, protecting AioHandler list with list_lock

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20170112180800.21085-8-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio: tweak walking in dispatch phase

Preparing for the following patch, use QLIST_FOREACH_SAFE and
modify the placement of walking_handlers increment/decrement.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170112180800.21085-7-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio-posix: split aio_dispatch_handlers out of aio_dispatch

This simplifies the handling of dispatch_fds.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20170112180800.21085-6-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

qemu-thread: optimize QemuLockCnt with futexes on Linux

This is complex, but I think it is reasonably documented in the source.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20170112180800.21085-5-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio: make ctx->list_lock a QemuLockCnt, subsuming ctx->walking_bh

This will make it possible to walk the list of bottom halves without
holding the AioContext lock---and in turn to call bottom half
handlers without holding the lock.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170112180800.21085-4-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

qemu-thread: introduce QemuLockCnt

A QemuLockCnt comprises a counter and a mutex, with primitives
to increment and decrement the counter, and to take and release the
mutex. It can be used to do lock-free visits to a data structure
whenever mutexes would be too heavy-weight and the critical section
is too long for RCU.

This could be implemented simply by protecting the counter with the
mutex, but QemuLockCnt is harder to misuse and more efficient.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 20170112180800.21085-3-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

aio: rename bh_lock to list_lock

This will be used for AioHandlers too. There is going to be little
or no contention, so it is better to reuse the same lock.

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Message-id: 20170112180800.21085-2-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

block: get rid of bdrv_io_unplugged_begin/end

bdrv_io_plug and bdrv_io_unplug are only called (via their
BlockBackend equivalents) after starting asynchronous I/O.
bdrv_drain is not going to be called while they are running,
because---even if a coroutine runs for some reason---it will
only drain in the next iteration of the event loop through
bdrv_co_yield_to_drain.

So this mechanism is unnecessary, get rid of it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20161129113334.605-1-pbonzini@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Merge remote-tracking branch 'remotes/vivier/tags/m68k-for-2.9-pull-request' into staging

# gpg: Signature made Sat 14 Jan 2017 09:06:31 GMT
# gpg:                using RSA key 0xF30C38BD3F2FBE3C
# gpg: Good signature from "Laurent Vivier <lvivier@redhat.com>"
# gpg:                 aka "Laurent Vivier <laurent@vivier.eu>"
# gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@redhat.com>"
# Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F BE3C

* remotes/vivier/tags/m68k-for-2.9-pull-request:
  target-m68k: increment/decrement with SP
  target-m68k: CAS doesn't need aligned access
  target-m68k: manage pre-dec et post-inc in CAS
  target-m68k: fix gen_flush_flags()
  target-m68k: fix bit operation with immediate value
  m68k: Remove PCI and USB from config file
  target-m68k: Implement bfffo
  target-m68k: Implement bitfield ops for memory
  target-m68k: Implement bitfield ops for registers

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20170113' into staging

Fixes and more queued patches

# gpg: Signature made Fri 13 Jan 2017 20:00:53 GMT
# gpg:                using RSA key 0xAD1270CC4DD0279B
# gpg: Good signature from "Richard Henderson <rth7680@gmail.com>"
# gpg:                 aka "Richard Henderson <rth@redhat.com>"
# gpg:                 aka "Richard Henderson <rth@twiddle.net>"
# Primary key fingerprint: 9CB1 8DDA F8E8 49AD 2AFC  16A4 AD12 70CC 4DD0 279B

* remotes/rth/tags/pull-tcg-20170113:
  tcg/aarch64: Fix tcg_out_movi
  tcg/aarch64: Fix addsub2 for 0+C
  target/arm: Fix ubfx et al for aarch64
  tcg/s390: Fix merge error with facilities

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

build-sys: add qapi doc generation targets

Generate and install the man, txt and html versions of QAPI
documentation (generate and install qemu-doc.txt too).

Add it also to optional pdf/info targets.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20170113144135.5150-22-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

build-sys: add txt documentation rules

Build plain text documentation, and install it.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20170113144135.5150-21-marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

build-sys: use a generic TEXI2MAN rule

The recipe for making a man page from .texi is duplicated several
times over. Capture it in suitable pattern rules instead.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20170113144135.5150-20-marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

build-sys: remove dvi doc generation

There is no clear reason to have rules to generate dvi format
documentation, pdf is generally better supported nowadays.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20170113144135.5150-19-marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

build-sys: use --no-split for info

Splitting the info files doesn't bring much benefits these days.
This fixes also untracked generated info files from git ignore.

Let's use MAKEINFOFLAGS for common flags, --number-sections is already
the default anyway, so adding it doesn't change the info output.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20170113144135.5150-18-marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

docs: add qemu logo to pdf

Add a logo to texi2pdf output. Other formats (info/html) are left as
future improvements.

The PDF (needed by texi2pdf for vectorized images) was generated from
pc-bios/qemu_logo.svg like this:

inkscape --export-pdf=docs/qemu_logo.pdf pc-bios/qemu_logo.svg

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20170113144135.5150-17-marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

qapi: add qapi2texi script

As the name suggests, the qapi2texi script converts JSON QAPI
description into a texi file suitable for different target
formats (info/man/txt/pdf/html...).

It parses the following kind of blocks:

Free-form:

  ##
  # = Section
  # == Subsection
  #
  # Some text foo with *emphasis*
  # 1. with a list
  # 2. like that
  #
  # And some code:
  # | $ echo foo
  # | -> do this
  # | <- get that
  #
  ##

Symbol description:

  ##
  # @symbol:
  #
  # Symbol body ditto ergo sum. Foo bar
  # baz ding.
  #
  # @param1: the frob to frobnicate
  # @param2: #optional how hard to frobnicate
  #
  # Returns: the frobnicated frob.
  #          If frob isn't frobnicatable, GenericError.
  #
  # Since: version
  # Notes: notes, comments can have
  #        - itemized list
  #        - like this
  #
  # Example:
  #
  # -> { "execute": "quit" }
  # <- { "return": {} }
  #
  ##

That's roughly following the following EBNF grammar:

api_comment = "##\n" comment "##\n"
comment = freeform_comment | symbol_comment
freeform_comment = { "# " text "\n" | "#\n" }
symbol_comment = "# @" name ":\n" { member | tag_section | freeform_comment }
member = "# @" name ':' [ text ] "\n" freeform_comment
tag_section = "# " ( "Returns:", "Since:", "Note:", "Notes:", "Example:", "Examples:" ) [ text ]  "\n" freeform_comment
text = free text with markup

Note that the grammar is ambiguous: a line "# @foo:\n" can be parsed
both as freeform_comment and as symbol_comment.  The actual parser
recognizes symbol_comment.

See docs/qapi-code-gen.txt for more details.

Deficiencies and limitations:
- the generated QMP documentation includes internal types
- union type support is lacking
- type information is lacking in generated documentation
- doc comment error message positions are imprecise, they point
  to the beginning of the comment.
- a few minor issues, all marked TODO/FIXME in the code

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20170113144135.5150-16-marcandre.lureau@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
[test-qapi.py tweaked to avoid trailing empty lines in .out]
Signed-off-by: Markus Armbruster <armbru@redhat.com>

qmp-events: move 'MIGRATION_PASS' doc to schema

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

qmp-events: move 'DUMP_COMPLETED' doc to schema

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

qmp-events: move 'MEM_UNPLUG_ERROR' doc to schema

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

qmp-events: move 'VSERPORT_CHANGE' doc to schema

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>

qmp-events: move 'QUORUM_REPORT_BAD' doc to schema

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>