git.qemu.org Git - qemu-stable-0.15.git/log

VERSION: Update to 0.15.2

Signed-off-by: Andreas Färber <afaerber@suse.de>

kvmclock: Always register type

Currently, the "kvmclock" type is only registered when kvm_enabled().

This breaks when moving type registration to before command line
parsing (so that QOM types can be used for CPU and machine).

Since the QOM classes are lazy-initialized anyway and kvmclock_create()
has another kvm_enabled() check, simply drop the KVM check in
kvmclock_register_types().

kvm-i8259, kvm-apic and kvm-ioapic do not suffer from such a check.

Signed-off-by: Andreas Färber <afaerber@suse.de>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Avi Kivity <avi@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 03f48b0797c9904301ee91e0081e89b3a3250f91)

[AF: Backported; fixes -enable-kvm regression introduced by 2e2a8aa.]
Signed-off-by: Andreas Färber <afaerber@suse.de>

qcow2: Flush requests in AIO cancel

This matches the behavior of v1.0 without introducing coroutines.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

scsi-disk: lazily allocate bounce buffer

It will not be needed for reads and writes if the HBA provides a sglist.
In addition, this lets scsi-disk refuse commands with an excessive
allocation length, as well as limit memory on usual well-behaved guests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 7285477ab11831b1cf56e45878a89170dd06d9b9)

[AF: Backported; BNC#728664 / CVE-2011-3346]
Signed-off-by: Andreas Färber <afaerber@suse.de>

scsi-disk: commonize iovec creation between reads and writes

Also, consistently use qiov.size instead of iov.iov_len.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 103b40f51e4012b3b0ad20f615562a1806d7f49a)

[AF: Backported; BNC#728664]
Signed-off-by: Andreas Färber <afaerber@suse.de>

kvm_init didn't set return value after create vm failed

And kvm_ioctl(s, KVM_CREATE_VM, 0)'s return value can be < -1,
so change the check of vmfd at label 'err'.

Signed-off-by: Xu He Jie <xuhj@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit db9eae1c49fe2766a7709d7b2c4cdfcd91b9c25b)

Signed-off-by: Andreas Färber <afaerber@suse.de>

ahci: properly reset PxCMD on HBA reset

While testing q35, I found that windows 7 (specifically, windows 7 ultimate
with sp1 x64), wouldn't install because it can't find the cdrom or disk drive.
The failure message is: 'A required cd/dvd device driver is missing. If you
have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.'
This can also be reproduced on piix by adding an ahci controller, and
observing that windows 7 does not see any devices behind it.

The problem is that when windows issues a HBA reset, qemu does not reset the
individual ports' PxCMD register. Windows 7 then reads back the PxCMD register
and presumably assumes that the ahci controller has already been initialized.
Windows then never sets up the PxIE register to enable interrupts, and thus it
never gets irqs back when it sends ata device inquiry commands.

This change brings qemu into ahci 1.3 specification compliance.

Section 10.4.3 HBA Reset:

"
When GHC.HR is set to '1', GHC.AE, GHC.IE, the IS register, and all port
register fields (except PxFB/PxFBU/PxCLB/PxCLBU) that are not HwInit in the
HBA's register memory space are reset.
"

I've also re-tested Fedora 16 and 17 to verify that they continue to work with
this change.

Signed-off-by: Jason Baron <jbaron@redhat.com>
Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2a4f4f34e6fe55f4c82507c3e7ec9b58c2e24ad4)

Signed-off-by: Andreas Färber <afaerber@suse.de>

AHCI Port Interrupt Enable register cleaning on soft reset

I've found that FreeBSD AHCI driver doesn't work with AHCI hardware
emulation of QEMU 0.15.0. I believe the problem is on QEMU's side. As I
see, it clears port's Interrupt Enable register each time when reset of
any level happens. Is is reasonable for the global controller reset. It
is probably not good, but acceptable for FreeBSD driver for the port
hard reset. But it is IMO wrong for the device soft reset. None of real
hardware I know behaves that way.

Signed-off-by: Alexander Motin <mav@FreeBSD.org>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a26a13da687f757c07e2a5c26fa411840405e6d7)

Signed-off-by: Andreas Färber <afaerber@suse.de>

ahci: Fix sglist memleak in ahci_dma_rw_buf()

I noticed that in hw/ide/ahci:ahci_dma_rw_buf() we do not free the sglist. Thus,
I've added a call to qemu_sglist_destroy() to fix this memory leak.

In addition, I've adeed a call in qemu_sglist_destroy() to 0 all of the sglist
fields, in case there is some other codepath that tries to free the sglist.

Signed-off-by: Jason Baron <jbaron@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit ea8d82a1ed72634f089ed1bccccd9c84cc1ab855)

[AF: Backported g_free() -> qemu_free()]
Signed-off-by: Andreas Färber <afaerber@suse.de>

ahci: Fix ahci cdrom read corruptions for reads > 128k

While testing q35, which has its cdrom attached to the ahci controller, I found
that the Fedora 17 install would panic on boot. The panic occurs while
squashfs is trying to read from the cdrom. The errors are:

[ 8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt
[ 8.625180] SQUASHFS error: squashfs_read_data failed to read block
0x20be48a

I was also able to produce corrupt data reads using an installed piix based
qemu machine, using 'dd'. I found that the corruptions were only occuring when
then read size was greater than 128k. For example, the following command
results in corrupted reads:

dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct

The > 128k size reads exercise a different code path than 128k and below. In
ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus,
ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k.
However, ahci_dma_rw_buf() restart the read from offset 0, instead of at 128k.
Thus, resulting in a corrupted read.

To fix this, I've introduced 'io_buffer_offset' field in IDEState to keep
track of the offset. I've also modified ahci_populate_sglist() to take a new
3rd offset argument, so that the sglist is property initialized.

I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots
and installs on q35 with the cdrom ahci controller.

Signed-off-by: Jason Baron <jbaron@redhat.com>
Tested-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 61f52e06f0a21bab782f98ef3ea789aa6d0aa046)

[AF: Backported; resolves BNC#725008]
Signed-off-by: Andreas Färber <afaerber@suse.de>

ahci: Fix reset of MSI function

Call msi_reset on device reset as still required by the core.

CC: Alexander Graf <agraf@suse.de>
CC: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 868a1a52267daddf933ee18480ae036da029b561)

[AF: Backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

ahci: SATA FIS is 20 bytes, not 0x20

As in the SATA and AHCI specifications, a FIS is 5 Dwords of 4 bytes
each, which comes to 20 bytes (decimal), not 0x20.

Signed-off-by: Daniel Verkamp <daniel@drv.nu>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 4bb9c939a57103898f5a51aa6a7336eb3320d923)

Signed-off-by: Andreas Färber <afaerber@suse.de>

AHCI: Masking of IRQs actually masks them

When masking IRQ lines, we should actually mask them out and not declare
them active anymore. Once we mask them in again, they are allowed to trigger
again.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b867672884afc39b6537a8aa6aa2f20a5154bf4f)

Signed-off-by: Andreas Färber <afaerber@suse.de>

AHCI: Fix port reset race

bdrv_aio_cancel() can trigger bdrv_aio_flush() which makes all aio
that is currently in flight finish. So what we do is:

  port reset
  detect ncq in flight
  cancel ncq
  delete ncq sg list

at which point we have double freed the sg list. Instead, with this
patch we do:

  port reset
  detect ncq in flight
  cancel ncq
  check if we are really still in flight
  delete ncq sg list

which makes things work and gets rid of the race.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c9b308d20b642c106048f088ccc31f2aa7cf59ba)

Signed-off-by: Andreas Färber <afaerber@suse.de>

eepro100: Fix network hang when rx buffers run out

This is reported by QA. When installing os with pxe, after the initial
kernel and initrd are loaded, the procedure tries to copy files from install
server to local harddisk, the network becomes stall because of running out of
receive descriptor.

[Whitespace fixes and removed qemu_notify_event() because Paolo's
earlier net patches have moved it into qemu_flush_queued_packets().

Additional info:

I can reproduce the network hang with a tap device doing a iPXE HTTP
boot as follows:

  $ qemu -enable-kvm -m 1024 \
    -netdev tap,id=netdev0,script=no,downscript=no \
    -device i82559er,netdev=netdev0,romfile=80861209.rom \
    -drive if=virtio,cache=none,file=test.img
  iPXE> ifopen net0
  iPXE> config # set static network configuration
  iPXE> kernel http://mirror.bytemark.co.uk/fedora/linux/releases/17/Fedora/x86_64/os/images/pxeboot/vmlinuz

I needed a vanilla iPXE ROM to get to the iPXE prompt.  I think the boot
prompt has been disabled in the ROMs that ship with QEMU to reduce boot
time.

During the vmlinuz HTTP download there is a network hang.  hw/eepro100.c
has reached the end of the rx descriptor list.  When the iPXE driver
replenishes the rx descriptor list we don't kick the QEMU net subsystem
and event loop, thereby leaving the tap netdev without its file
descriptor in select(2).

Stefan Hajnoczi <stefanha@gmail.com>]

Signed-off-by: Bo Yang <boyang@suse.com>
Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 1069985fb132cd4324fc02d371f1e61492a1823f)

[AF: Resolves BNC#712137]
Signed-off-by: Andreas Färber <afaerber@suse.de>

qemu-char: BUGFIX, don't call FD_ISSET with negative fd

tcp_chr_connect(), unlike for example udp_chr_update_read_handler() does
not check if the fd it is using is valid (>= 0) before passing it to
qemu_set_fd_handler2(). If using e.g. a TCP serial port, which is not
initially connected, this can result in -1 being passed to FD_ISSET, which
has undefined behaviour. On x86 it seems to harmlessly return 0, but on
PowerPC, it causes a fortify buffer overflow error to be thrown.

This patch fixes this by putting an extra test in tcp_chr_connect(), and
also adds an assert qemu_set_fd_handler2() to catch other such errors on
all platforms, rather than just some.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit bbdd2ad0814ea0911076419ea21b7957505cf1cc)

Signed-off-by: Andreas Färber <afaerber@suse.de>

console: bounds check whenever changing the cursor due to an escape code

This is XSA-17 / CVE-2012-3515

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3eea5498ca501922520b3447ba94815bfc109743)

[AF: Resolves BNC#777084]
Signed-off-by: Andreas Färber <afaerber@suse.de>

handle device help before accelerator set up

A command line device probe using just -device "?" gets processed
after qemu-kvm initializes the accelerator. If /dev/kvm is not
present, the accelerator check will fail (kvm is defaulted to on),
which causes libvirt to not be set up to handle qemu guests.

Moving the device help handling before the accelerator set up allows
the device probe to work in this configuration and libvirt succeeds
in setting up for a qemu hypervisor mode.

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 3d1d9652978ac5a32a0beb4bdf6065ca39440d89)
[AF: Backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

virtio-blk: pass full status to the guest

When SCSI passthrough is being used by the guest with virtio-blk, the
guest is not able to detect disk failures. This is because the status
field is expected by the guest driver to include also the msg_status,
host_status and driver_status fields, but the device is only passing
down the SCSI status.

The patch fixes this, and also makes sure that the guest always sees a
CHECK_CONDITION status when there is valid sense data.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5bb23927761db0d48507c60f56c4e28f72f3c2a7)

Signed-off-by: Andreas Färber <afaerber@suse.de>

block: prevent snapshot mode $TMPDIR symlink attack

In snapshot mode, bdrv_open creates an empty temporary file without
checking for mkstemp or close failure, and ignoring the possibility
of a buffer overrun given a surprisingly long $TMPDIR.
Change the get_tmp_filename function to return int (not void),
so that it can inform its two callers of those failures.
Also avoid the risk of buffer overrun and do not ignore mkstemp
or close failure.
Update both callers (in block.c and vvfat.c) to propagate
temp-file-creation failure to their callers.

get_tmp_filename creates and closes an empty file, while its
callers later open that presumed-existing file with O_CREAT.
The problem was that a malicious user could provoke mkstemp failure
and race to create a symlink with the selected temporary file name,
thus causing the qemu process (usually root owned) to open through
the symlink, overwriting an attacker-chosen file.

This addresses CVE-2012-2652.
http://bugzilla.redhat.com/CVE-2012-2652

Signed-off-by: Jim Meyering <meyering@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c2d76497b6eafcaedc806e07804e7bed55a98a0b)
[AF: Backported, g_free -> qemu_free]
Signed-off-by: Andreas Färber <afaerber@suse.de>

virtio: order index/descriptor reads

virtio has the equivalent of:

if (vq->last_avail_index != vring_avail_idx(vq)) {
read descriptor head at vq->last_avail_index;
}

In theory, processor can reorder descriptor head
read to happen speculatively before the index read.
this would trigger the following race:

host descriptor head read <- reads invalid head from ring
guest writes valid descriptor head
guest writes avail index
host avail index read <- observes valid index

as a result host will use an invalid head value.
This was not observed in the field by me but after
the experience with the previous two races
I think it is prudent to address this theoretical race condition.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit a821ce59338c79bb72dc844dd44ea53701965b2b)

Signed-off-by: Andreas Färber <afaerber@suse.de>

virtio: add missing mb() on enable notification

This fixes an issue dual to the one fixed by
patch 'virtio: add missing mb() on notification'
and applies on top.

In this case, to enable vq kick to exit to host,
qemu writes out used flag then reads the
avail index. if these are reordered we get a race:

    host avail index read: ring is empty
     guest avail index write
     guest flag read: exit disabled
    host used flag write: enable exit

which results in a lost exit: host will never be notified about the
avail index update.  Again, happens in the field but only seems to
trigger on some specific hardware.

Insert an smp_mb barrier operation to ensure the correct ordering.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 92045d80badc43c9f95897aad675dc7ef17a3b3f)

Signed-off-by: Andreas Färber <afaerber@suse.de>

virtio: add missing mb() on notification

During normal operation, virtio first writes a used index
and then checks whether it should interrupt the guest
by reading guest avail index/flag values.

Guest does the reverse: writes the index/flag,
then checks the used ring.

The ordering is important: if host avail flag read bypasses the used
index write, we could in effect get this timing:

host avail flag read
guest enable interrupts: avail flag write
guest check used ring: ring is empty
host used index write

which results in a lost interrupt: guest will never be notified
about the used ring update.

This actually can happen when using kvm with an io thread,
such that the guest vcpu and qemu run on different host cpus,
and this has actually been observed in the field
(but only seems to trigger on very specific processor types)
with userspace virtio: vhost has the necessary smp_mb()
in place to prevent the regordering, so the same workload stalls
forever waiting for an interrupt with vhost=off but works
fine with vhost=on.

Insert an smp_mb barrier operation in userspace virtio to
ensure the correct ordering.
Applying this patch fixed the race condition we have observed.
Tested on x86_64. I checked the code generated by the new macro
for i386 and ppc but didn't run virtio.

Note: mb could in theory be implemented by __sync_synchronize, but this
would make us hit old GCC bugs. Besides old GCC
not implementing __sync_synchronize at all, there were bugs
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=36793
in this functionality as recently as in 4.3.

As we need asm for rmb,wmb anyway, it's just as well to
use it for mb.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit a281ebc11a6917fbc27e1a93bb5772cd14e241fc)

Signed-off-by: Andreas Färber <afaerber@suse.de>

qemu-barrier: Fix build failure on PowerPC Mac OS X

qemu-barrier.h tests if macro __powerpc__ is defined, however, the
preprocessor on PowerPC Mac OS X defines only __POWERPC__, not
__powerpc__. Resolve by testing instead for qemu-provided _ARCH_PPC.

Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 463ce4ae2dc5214f1b3ce5951c7cc3904c903702)

Signed-off-by: Andreas Färber <afaerber@suse.de>

Barriers in qemu-barrier.h should not be x86 specific

qemu-barrier.h contains a few macros implementing memory barrier
primitives used in several places throughout qemu.  However, apart
from the compiler-only barrier, the defined wmb() is correct only for
x86, or platforms which are similarly strongly ordered.

This patch addresses the FIXME about this by making the wmb() macro
arch dependent.  On x86, it remains a compiler barrier only, but with
a comment explaining in more detail the conditions under which this is
correct.  On weakly-ordered powerpc, an "eieio" instruction is used,
again with explanation of the conditions under which it is sufficient.

On other platforms, we use the __sync_synchronize() primitive,
available in sufficiently recent gcc (4.2 and after?).  This should
implement a full barrier which will be sufficient on all platforms,
although it may be overkill in some cases.  Other platforms can add
optimized versions in future if it's worth it for them.

Without proper memory barriers, it is easy to reproduce ordering
problems with virtio on powerpc; specifically, the QEMU puts new
element into the "used" ring and then updates the ring free-running
counter.  Without a barrier between these under the right
circumstances, the guest linux driver can receive an interrupt, read
the counter change but find the ring element to be handled still has
an old value, leading to an "id %u is not a head!\n" error message.
Similar problems are likely to be possible with kvm on other weakly
ordered platforms.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit e22517086bbdf8d09de2b9ba8b3dfa4c42ec0f6c)

Signed-off-by: Andreas Färber <afaerber@suse.de>

virtio: Use global memory barrier macros

The virtio code uses wmb() macros in several places, as required by the
SMP-aware virtio protocol.  However the wmb() macro is locally defined
to be a compiler barrier only.  This is probably sufficient on x86
due to its strong storage ordering model, but it certainly isn't on other
platforms, such as ppc.

In any case, qemu already has some globally defined memory barrier macros
in qemu-barrier.h.  This patch, therefore converts virtio.c to use those
barrier macros.  The macros in qemu-barrier.h are also wrong (or at least,
safe for x86 only) but this way at least there's only one place to fix
them.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit b90d2f35125490b8f62484c5ea7e6bbecbe43b6f)

Signed-off-by: Andreas Färber <afaerber@suse.de>

hw/vmmouse.c: Disable vmmouse after reboot

Bugfix after reboot when vmmouse was enabled and another OS which uses e.g. PS/2
mouse.

Details:
When a guest activated the vmmouse followed by a reboot the vmmouse was still
enabled and the PS/2 mouse was therefore unsusable. When another guest is then
booted without vmmouse support (e.g. PS/2 mouse) the mouse is not working.

Reason is that VMMouse has priority and disables all other mouse entities
and therefore must be disabled on reset.

Testscenario:
1.) Boot e.g. OS with VMMouse support (e.g. Windows with VMMouse tools)
2.) reboot
3.) Boot e.g. OS without VMMouse support (e.g. DOS) => PS/2 mouse doesn't work
any more. Fixes that issue.

Testscenario 2 by Jan Kiszka <jan.kiszka@siemens.com>:
Confirm that this patch fixes a real issue. Setup: qemu.git,
opensuse 11.4 guest, SDL graphic, system_reset while guest is using the
vmmouse. Without the patch, the vmmouse become unusable after the
reboot. Also, the mouse stays in absolute mode even before X starts again.

Fixed by:
Disabling the vmmouse in its reset handler.

Tested-by: Andreas F=E4rber <afaerber@suse.de>
Signed-off-by: Gerhard Wiesinger <lists@wiesinger.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 069ab0eb8a46bc4ff6f4d4d81bf037d3441347da)

Signed-off-by: Andreas Färber <afaerber@suse.de>

exec.c: Fix subpage memory access to RAM MemoryRegion

Commit 95c318f5e1f88d7e5bcc6deac17330fd4806a2d3 (Fix segfault in mmio
subpage handling code.) prevented a segfault by making all subpage
registrations over an existing memory page perform an unassigned access.
Symptoms were writes not taking effect and reads returning zero.

Very small page sizes are not currently supported either,
so subpage memory areas cannot fully be avoided.

Therefore change the previous fix to use a new IO_MEM_SUBPAGE_RAM
instead of IO_MEM_UNASSIGNED. Suggested by Avi.

Reviewed-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Cc: Avi Kivity <avi@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 56384e8b1eebac750e6186f5041af710433ddc9e)

Signed-off-by: Andreas Färber <afaerber@suse.de>

vl.c: prohibit simultaneous use of -icount with kvm or xen

With -icount, The vm_clock is updated with help from TCG (it counts
instructions at 2^ICOUNT ns/instructions). With KVM, the instruction
count is not available so KVM cannot provide this help.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 0abe905d29f556128c5fb2ea8d93e982e94aaa67)

Signed-off-by: Andreas Färber <afaerber@suse.de>

block/vdi: Zero unused parts when allocating a new block (fix #919242)

The new block was filled with zero when it was allocated by g_malloc0,
but when it was reused later and only partially used, data from the
previously allocated block were still present and written to the new
block.

This caused the problems reported by bug #919242
(https://bugs.launchpad.net/qemu/+bug/919242).

Now the unused parts of the new block which are before and after the data
are always filled with zero, so it is no longer necessary to zero the whole
block with g_malloc0.

I also updated the copyright comment.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 641543b76b82a8b361482b727e08de0c8ec093b0)

[AF: g_malloc() -> qemu_malloc()]
Signed-off-by: Andreas Färber <afaerber@suse.de>

ds1338: Add missing break statement

Without the break statement, case 5 sets month and year from the same
data. This does not look correct.

The missing break was reported by splint.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit fbac6a7d35d119a52606c175aface9bcec805f09)

Signed-off-by: Andreas Färber <afaerber@suse.de>

bt-host: add missing break statement

The switch statement in bt_host_read() is missing a break in one case.
Andrzej Zaborowski <andrew.zaborowski@intel.com> confirmed that this is
not an intentional fall-through.

Reviewed-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit f7253270fc66a60e4faf639a3c4ce0b352553b24)

Signed-off-by: Andreas Färber <afaerber@suse.de>

block/vpc: write checksum back to footer after check

After validation check, the 'checksum' is not written back
to footer, which leave it with zero.

This results in errors while loadding it under Microsoft's
Hyper-V environment, and also errors from utilities like
Citrix's vhd-util.

Signed-off-by: Zhang Shengju <sean_zhang@trendmicro.com.cn>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c088b691363070d151f80cc1fde4b7c151bdfe8f)

Signed-off-by: Andreas Färber <afaerber@suse.de>

qemu_vmalloc: align properly for transparent hugepages and KVM

To make good use of transparent hugepages, KVM requires that guest-physical
and host-virtual addresses share the low 21 bits (as opposed to just the low
12 bits normally required).

Adjust qemu_vmalloc() to honor that requirement. Ignore it for small regions
to avoid fragmentation.

Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 36b586284e678da28df3af9fd0907d2b16f9311c)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

Add missing trace call to oslib-posix.c:qemu_vmalloc()

Acked-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit c7f4111a06208b46c6d05934d2a1e5cfbebc0180)

Signed-off-by: Andreas Färber <afaerber@suse.de>

pc: fix event_idx compatibility for virtio devices

event_idx was introduced in 0.15 and must be disabled for all virtio-pci devices
(including virtio-balloon-pci).

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ea830ebb74461c5ad6d199857fb000d2e0284c69)

[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

pc: add pc-0.15

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit ce01a508e8053350544c88ba68a3f90c44b6bb93)

[BR: bnc#741460]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

Error check find_ram_offset

Spotted via code review, we initialize offset to 0 to avoid a
compiler warning, but in the unlikely case that offset is
never set to something else, we should abort instead of return
a value that will almost certainly cause problems.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3e837b2c05bc63fe2226baf3c29923d5a688593f)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

cpu-common: Have a ram_addr_t of uint64 with Xen.

In Xen case, memory can be bigger than the host memory. that mean a
32bits host (and QEMU) should be able to handle a RAM address of 64bits.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit f15fbc4bd1a24bd1477a846e63e62c6d435912f8)

Signed-off-by: Andreas Färber <afaerber@suse.de>

pc: Fix floppy drives with if=none

Commit 63ffb564 broke floppy devices specified on the command line like
-drive file=...,if=none,id=floppy -global isa-fdc.driveA=floppy because it
relies on drive_get() which works only with -fda/-drive if=floppy.

This patch resembles what we're already doing for IDE, i.e. remember the floppy
device that was created and use that to extract the BlockDriverStates where
needed.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 34d4260e1846d69d7241f690534e3dd4b3e6fd5b)

[BR: bnc#733777]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

vmdk: Fix possible segfaults

Data we read from the disk isn't necessarily null terminated and may not
contain the string we're looking for. The code needs to be a bit more careful
here.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 93897b9fd43548e9c15cf8bece2d9e5174b01fc7)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

qxl: stride fixup

spice uses negative stride value to signal the bitmap is upside down.
The qxl renderer (used for scl, vnc and screenshots) wants a positive
value because it is easier to work with. The positive value is then
stored in the very same variable, which has the drawback that the
upside-down test works only once. Fix by using two variables.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0e2487bd6f56445b43307536a465ee2ba810aed9)

Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

block: reinitialize across bdrv_close()/bdrv_open()

Several BlockDriverState fields are not being reinitialized across
bdrv_close()/bdrv_open(). Make sure they are reset to their default
values.

Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 03f541bd6eacdc6c2893f72b975257c89cab2b74)

Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

qcow: Fix bdrv_write_compressed error handling

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 64ebe71aa0e498d24e8c02b133192142fce3a0d0)

Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: backported]
Signed-off-by: Andreas Färber <afaerber@suse.de>

block: Fix vpc initialization of the Dynamic Disk Header

The Data Offset field in the Dynamic Disk Header is an 8 byte field.
Although the specification (2006-10-11) gives an example of initializing
only the first 4 bytes, images generated by Microsoft on Windows initialize
all 8 bytes.

Failure to initialize all 8 bytes results in errors from utilities
like Citrix's vhd-util which checks specifically for the proper Data
Offset field initialization.

Signed-off-by: Charles Arnold <carnold@suse.com>
Reviewed-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 78439f6af1caa3e8bdafc9fc2d62aeefa53ed63a)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

console: Fix rendering of VGA underline

vga_putcharxy()'s underline code sets font_data to 0xffff instead of
0xff.  vga_putcharxy() then reads dmask16[0xffff >> 4] and
dmask4[0xffff >> 6].  In practice, these out-of-bounds subscripts
"only" put a few crap bits into the display surface.

For 32 bit pixels, there's no array access.  font_data's extra bits go
straight into the display surface.

Broken when commit 6d6f7c28 implemented underline.

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 439229c7cb97f6c4cddd3965c3e9d2b8319fe83c)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

block: set bs->read_only before .bdrv_open()

Several block drivers set bs->read_only in .bdrv_open() but
block.c:bdrv_open_common() clobbers its value. Additionally, QED uses
bdrv_is_read_only() in .bdrv_open() to decide whether to perform
consistency checks.

The correct ordering is to initialize bs->read_only from the open flags
before calling .bdrv_open(). This way block drivers can override it if
necessary and can use bdrv_is_read_only() in .bdrv_open().

Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit e7c637967e6aad195b5f30cfd995913c9e0b4666)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

vmdk: Improve error handling

Return the right error values in some more places.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 99f1835d9bc744f98370254600530e66f32e6d81)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

Teach block/vdi about "discarded" (no longer allocated) blocks

An entry in the VDI block map will hold an offset to the actual block if
the block is allocated, or one of two specially-interpreted values if
not allocated. Using VirtualBox terminology, value VDI_IMAGE_BLOCK_FREE
(0xffffffff) represents a never-allocated block (semantically arbitrary
content).  VDI_IMAGE_BLOCK_ZERO (0xfffffffe) represents a "discarded"
block (semantically zero-filled).  block/vdi knows only about
VDI_IMAGE_BLOCK_FREE.  Teach it about VDI_IMAGE_BLOCK_ZERO.

Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c794b4e0fd9ef8d72b068614dcdb2418c105d5cc)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

hda: do not mix output and input stream states, RHBZ #740493

Windows 7 may use the same stream number for input and output.
Current code will confuse streams.

Changes since v1:
- keep running_compat[] for migration version 1
- add running_real[] for migration version 2

Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit ba43d28916c4f51c19bd7366089155ce81bee058)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

hda: do not mix output and input streams, RHBZ #740493

Windows 7 may use the same stream number for input and output.
That will result in lot of garbage on playback.

The hardcoded value of 4 needs to be in sync with GCAP streams
description and IN/OUT registers.

Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
Signed-off-by: malc <av1474@comtv.ru>
(cherry picked from commit 36ac4ad3d054a7b4962a6393630a73591cfa9558)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

block/curl: Implement a flush function on the fd handlers

Signed-off-by: Nick Thomas <nick@bytemark.co.uk>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit c84dcdc1d6583ebe5841907c99d95deb8c40a6e0)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

vns/tls: don't use depricated gnutls functions

Avoid using deprecated gnutls functions with recent gnutls versions.
Fixes build failure on Fedora 16. Keep the old way for compatibility
with old installations such as RHEL-5 (gnutls 1.4.x).

Based on a patch from Raghavendra D Prabhu <raghu.prabhu13@gmail.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f40d55081667a716312b9a8b6e13835c4074f56b)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

vvfat: Fix potential buffer overflow

path2[PATH_MAX] can be used for the null termination, so make the array big
enough to allow this.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 0d460d6f414e02805cbc348404db03b2b7907360)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

ac97: don't override the pci subsystem id

This patch removes the code lines which set the subsystem id for the
emulated ac97 card to 8086:0000. Due to the device id being zero the
subsystem id isn't vaild anyway. With the patch applied the sound card
gets the default qemu subsystem id (1af4:1100) instead.

[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]

Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 25a21c94c0055e078acb7f7455e66c8a15f32385)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

hw/lan9118.c: Add missing 'break' to fix buffer overrun

Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 0e3b800e71cb7759d099eabbd8ad4c4fe848e381)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

Fix X86 CPU topology in KVM mode

apic id returned to guest kernel in ebx for cpuid(function=1) depends on
CPUX86State->cpuid_apic_id which gets populated after the cpuid information
is cached in the host kernel. This results in broken CPU topology in guest.

Fix this by setting cpuid_apic_id before cpuid information is passed to
the host kernel. This is done by moving the setting of cpuid_apic_id
to cpu_x86_init() where it will work for both KVM as well as TCG modes.

Acked-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Bharata B Rao <bharata.rao@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit f2209eb854a016eabc444b45f6d6b1636949141f)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

migration: flush migration data to disk.

This patch increases robustness when migrating to a file with
two little changes:

(1) Before closing the migration file handle checks if it happens to be
     a regular file and if so it issues a fsync.  This way the data is
     flushed to disk before qemu sends the migration completed event.
(2) It adds error checking.  In case either fsync or close syscall
     fails pass up the error (and fail migration).

[ v2: return -errno instead of -1 ]

Cc: Juan Quintela <quintela@redhat.com>
Cc: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit aab2293687ee54a409f3fb53a1ab3595b595e0fb)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

acl: Fix use after free in qemu_acl_reset()

Reproducer:

    $ MALLOC_PERTURB_=234 qemu-system-x86_64 -vnc :0,acl,sasl [...]
    QEMU 0.15.50 monitor - type 'help' for more information
    (qemu) acl_add vnc.username fred allow
    acl: added rule at position 1
    (qemu) acl_reset vnc.username
    Segmentation fault (core dumped)

Spotted by Coverity.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 0ce6a434176e274a7e86bcaa268542c5cc402696)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

ide: Fix off-by-one error in array index check

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit fb60105d4942a26f571b1be92a8b9e7528d0c4d8)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

block: Fix bdrv_open use after free

tmp_filename was used outside the block it was defined in, i.e. after it went
out of scope. Move its declaration to the top level.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2b5728164fcf5211bbae8d3c2fc6df62dd6b2295)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

vmdk: vmdk_read_cid returns garbage if p_name is NULL

Spotted by Clang Analyzer

Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 8379e46d1fd681b8aa4714382e2cdab05e5d0575)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

kvm: avoid reentring kvm_flush_coalesced_mmio_buffer()

mmio callbacks invoked by kvm_flush_coalesced_mmio_buffer() may
themselves indirectly call kvm_flush_coalesced_mmio_buffer().
Prevent reentering the function by checking a flag that indicates
we're processing coalesced mmio requests.

Signed-off-by: Avi Kivity <avi@redhat.com>
(cherry picked from commit 1cae88b9f4121c9af0bf677435c6129e643280fd)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

compatfd.c: Don't pass NULL pointer to SYS_signalfd

Don't pass a NULL pointer in to SYS_signalfd in qemu_signalfd_available():
this isn't valid and Valgrind complains about it.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Andrzej Zaborowski <andrew.zaborowski@intel.com>
(cherry picked from commit 7f84c1272b601be88daeb828ec1890890c7aae25)

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>

e1000: bounds packet size against buffer size

Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 65f82df0d7a71ce1b10cd4c5ab08888d176ac840)

Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: stable-0.15 does not have pci_dma_read(). Fixes BNC#740165.]
Signed-off-by: Andreas Färber <afaerber@suse.de>

e1000: Don't set the Capabilities List bit

[Originally sent to qemu-kvm list, but I was redirected here]

The Capabilities Pointer is NULL, so this bit shouldn't be set. The state of
this bit doesn't appear to change any behavior on Linux/Windows versions we've
tested, but it does cause Windows' PCI/PCI Express Compliance Test to balk.

I happen to have a physical 82540EM controller, and it also sets the
Capabilities Bit, but it actually has items on the capabilities list to go
with it :)

Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit dd8e93799f13ef82d83c185b8e71e049452f7d40)

Signed-off-by: Andreas Färber <afaerber@suse.de>

e1000: use MII status register for link up/down

Some guests will use the standard MII status register
to verify link state.  They will not notice link changes
unless this register is updated.

Verified with Linux 3.0 and Windows XP guests.

Without this patch, ethtool will report speed and duplex as
unknown when the link is down, but still report the link as
up.  This is because the Linux e1000 driver checks the
mac_reg[STATUS] register link state before it checks speed
and duplex, but uses the phy_reg[PHY_STATUS] register for
the actual link state check.  Fix by updating both registers
on link state changes.

Linux guest before:

(qemu) set_link e1000.0 off

kvm-sid:~# ethtool eth0
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: Unknown!
        Duplex: Unknown! (255)
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: Unknown
        Supports Wake-on: umbg
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: yes

(qemu) set_link e1000.0 on

Linux guest after:

(qemu) set_link e1000.0 off
[   63.384221] e1000: eth0 NIC Link is Down

kvm-sid:~# ethtool eth0
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised pause frame use: No
        Advertised auto-negotiation: Yes
        Speed: Unknown!
        Duplex: Unknown! (255)
        Port: Twisted Pair
        PHYAD: 0
        Transceiver: internal
        Auto-negotiation: on
        MDI-X: Unknown
        Supports Wake-on: umbg
        Wake-on: d
        Current message level: 0x00000007 (7)
                               drv probe link
        Link detected: no

(qemu) set_link e1000.0 on
[   84.304582] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit d4044c2a6b9ba4a00dd653f515a4b0ebfcb7e125)

Signed-off-by: Andreas Färber <afaerber@suse.de>

qdev: Reset hot-plugged devices

Device models rely on the core invoking their reset handlers after init.
We do this in the cold-plug case, but so far we miss this step after
hot-plug.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5ab28c8340f683121c081a181adfd9f72ab85cba)

[AF: Fixes BNC#722958 / LTC#75394.]
Signed-off-by: Andreas Färber <afaerber@suse.de>

ccid: Fix buffer overrun in handling of VSC_ATR message

ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity. CVE-2011-4111.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)

Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Fixes BNC#731086.]
Signed-off-by: Andreas Färber <afaerber@suse.de>

Version 0.15.1

Signed-off-by: Justin M. Forbes <jforbes@redhat.com>

qed: fix use-after-free during l2 cache commit

QED's metadata caching strategy allows two parallel requests to race for
metadata lookup. The first one to complete will populate the metadata
cache and the second one will drop the data it just read in favor of the
cached data.

There is a use-after-free in qed_read_l2_table_cb() and
qed_commit_l2_update() where l2_table->offset was used after the
l2_table may have been freed due to a metadata lookup race. Fix this by
keeping the l2_offset in a local variable and not reaching into the
possibly freed l2_table.

Reported-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

sdl: Fix termination in -no-shutdown mode

Just like the monitor does, we need to clear no_shutdown before calling
qemu_system_shutdown_request on quit requests. Otherwise, QEMU just
stops the VM.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Fix termination by signal with -no-shutdown

On signals such as SIGTERM qemu should exit instead of just stopping the VM
even with -no-shutdown.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Add support for finding libpng via pkg-config.

Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Check for presence of compiler -pthread flag.

OpenBSD / FreeBSD and some other OS's require the use of
cc -pthread to link threaded programs so have QEMU's
configure script check for the presence of the flag
and use it if so.

Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

Allow overriding the location of Samba's smbd.

Allow overriding the location of Samba's smbd.

Pretty much every OS I look at has some means of
changing this path (patching) so lets just make
it easier for OS developers creating packages
and/or end users to override the location.

Signed-off-by: Brad Smith <brad@comstyle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

Fix linker scripts

Remove PROVIDE_HIDDEN and ONLY_IF_{RO,RW} from linker scripts to make
them work with older binutils versions. Fixes *-bsd-user build on
OpenBSD 4.9 which ships binutils 2.15.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

Fix install(1) usage to be compatible with OpenBSD's install(1).

Fix install(1) usage to be compatible with OpenBSD's install(1).

When creating a directory via the -d flag the -p flag cannot be
used at the same time. Also in the context of installing QEMU it
doesn't make sense to use the -p flag anyway so use the [default]
-c flag instead.

Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Fix qjson test of solidus encoding

"\/" is supposed to be decoded as "/", but there is no need to encode
"/" via escape. Fix the existing test and add a second one expressing
this.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>

configure: Copy test data to build directory

The QDict unit-tests (check-qdict) will fail when ran on a different
build directory. That's, it only works when ran on the source dir.

This happens because its data file (qdict-test-data.txt) is not
copied to the build dir. Fix it.

Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Conflicts:

configure

monitor: fix build breakage for !CONFIG_VNC

Commit c62f6d1 (monitor: fix build breakage with --disable-vnc)
conditionalised some VNC setup code but left an unused variable. Move
the variable into the conditional code to fix the build breakage.

Cc: Luiz Capitulino <lcapitulino@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Jamie Iles <jamie@jamieiles.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>

monitor: fix build breakage with --disable-vnc

The breakage was introduced by the commit 13661089810d3e59931f3e80d7cb541b99af7071

Signed-off-by: TeLeMan <geleman@gmail.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Fix forcing multicast msgs to loopback on OpenBSD.

Fix forcing multicast msgs to loopback on OpenBSD.
e.g.
$ sudo qemu -m 128 -no-fd-bootchk \
        -hda virtual.img -boot n -nographic \
        -net nic,vlan=0,model=rtl8139,macaddr=52:54:00:12:34:03 \
        -net user -tftp /usr/src/sys/arch/i386/compile/TEST -bootp pxeboot \
        -net nic,vlan=1,model=rtl8139,macaddr=52:54:00:23:03:01 \
        -net tap,vlan=1,script=no \
        -net nic,vlan=3,model=rtl8139,macaddr=52:54:00:23:03:03 \
        -net socket,vlan=3,mcast=230.0.0.1:10003
setsockopt(SOL_IP, IP_MULTICAST_LOOP): Invalid argument
qemu: -net socket,vlan=3,mcast=230.0.0.1:10003: Device 'socket' could not be initialized

Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

Merge branch 'stable-0.15' of git://git.qemu.org/qemu

Update version to 0.15.0

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

qcow2: Fix L1 table size after bdrv_snapshot_goto

When loading an internal snapshot whose L1 table is smaller than the current L1
table, the size of the current L1 would be shrunk to the snapshot's L1 size in
memory, but not on disk. This lead to incorrect refcount updates and eventuelly
to image corruption.

Instead of writing the new L1 size to disk, this simply retains the bigger L1
size that is currently in use and makes sure that the unused part is zeroed.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 35d7ace74bd07e3d6983c1fd7cbfab4e11175689)

Merge branch 'stable-0.15' of git://git.qemu.org/qemu

Revert "floppy: save and restore DIR register"

This reverts commit 7d905f716bea633f2836e1d661387983aacdc6d6.

The use of subsections by this commit are broken because of a fundamental
limitations of subsections in the current protocol.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

alpha-softmmu: Disable for the 0.15 release branch.

The system emulation code was not merged before the branch.
Let's leave that work for the next release.

Signed-off-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

vhost build fix for i386

vhost.c uses __sync_fetch_and_and(), which is only
available for -march=i486 and above (see
https://bugzilla.redhat.com/show_bug.cgi?id=624279).

Signed-off-by: Wolfgang Mauerer <wolfgang.mauerer@siemens.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
(cherry picked from commit 023367e6cd41199521613674b44e9c703c8be1a1)

guest agent: add --enable-guest-agent config option

QAPI will require glib/python, but for now the guest agent is the only
user. For now, make these dependencies an explicit guest agent one, and
give users the option to disable it if need be.

Once QAPI is adopted in core QEMU code, we would basically revert this
patch.

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

user: Restore debug usage message for '-d ?' in user mode emulation

The code which prints the debug usage message on '-d ?' for *-user
has to come before the check for "not enough arguments", so that
"qemu-foo -d ?" prints the list of possible debug log items rather than
the generic usage message. (This was inadvertently broken in commit
c235d73.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

lm32: softusb: claim to support full speed

The QEMU keyboard and mouse reports themselves as full speed devices,
though they are actually low speed devices. Until this is fixed, claim that
we are supporting full speed devices.

Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>

user: Restore debug usage message for '-d ?' in user mode emulation

The code which prints the debug usage message on '-d ?' for *-user
has to come before the check for "not enough arguments", so that
"qemu-foo -d ?" prints the list of possible debug log items rather than
the generic usage message. (This was inadvertently broken in commit
c235d73.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

Makefile: add missing deps on $(GENERATED_HEADERS)

This fixes a build issue with make -j6+ due to qapi-generated files
being built before $(GENERATED_HEADERS) have been created.

Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Update version to 0.15.0-rc2

Bump version to 0.15.0-rc1

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

Merge branch 'for-upstream-0.15' of git://git.linaro.org/people/pmaydell/qemu-arm

virtio-balloon: Unregister savevm section on device unplug

Migrating after unplugging a virtio-balloon device resulted in an error
message on the destination:

Unknown savevm section or instance '0000:00:04.0/virtio-balloon' 0
load of migration failed

Fix this by unregistering the section on device unplug.

Signed-off-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>

virtio-balloon: Add exit handler, fix memleaks

Add an exit handler that will free up RAM after a virtio-balloon device
is unplugged.

Signed-off-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>