qemu.git
5 years agomigration: fix parameter validation on ram load
Michael S. Tsirkin [Wed, 12 Nov 2014 09:44:39 +0000 (11:44 +0200)] 
migration: fix parameter validation on ram load

During migration, the values read from migration stream during ram load
are not validated. Especially offset in host_from_stream_offset() and
also the length of the writes in the callers of said function.

To fix this, we need to make sure that the [offset, offset + length]
range fits into one of the allocated memory regions.

Validating addr < len should be sufficient since data seems to always be
managed in TARGET_PAGE_SIZE chunks.

Fixes: CVE-2014-7840

Note: follow-up patches add extra checks on each block->host access.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
5 years agotarget-arm: handle address translations that start at level 3
Peter Maydell [Thu, 13 Nov 2014 14:56:09 +0000 (14:56 +0000)] 
target-arm: handle address translations that start at level 3

The ARMv8 address translation system defines that a page table walk
starts at a level which depends on the translation granule size
and the number of bits of virtual address that need to be resolved.
Where the translation granule is 64KB and the guest sets the
TCR.TxSZ field to between 35 and 39, it's actually possible to
start at level 3 (the final level). QEMU's implementation failed
to handle this case, and so we would set level to 2 and behave
incorrectly (including invoking the C undefined behaviour of
shifting left by a negative number). Correct the code that
determines the starting level to deal with the start-at-3 case,
by replacing the if-else ladder with an expression derived from
the ARM ARM pseudocode version.

This error was detected by the Coverity scan, which spotted
the potential shift by a negative number.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 1415890569-7454-1-git-send-email-peter.maydell@linaro.org

5 years agoMerge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Peter Maydell [Mon, 17 Nov 2014 17:22:03 +0000 (17:22 +0000)] 
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

A smattering of fixes for problems that Coverity reported.

# gpg: Signature made Mon 17 Nov 2014 17:03:25 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  hcd-musb: fix dereference null return value
  target-cris/translate.c: fix out of bounds read
  shpc: fix error propaagation
  qemu-char: fix MISSING_COMMA
  acl: fix memory leak
  nvme: remove superfluous check
  loader: fix NEGATIVE_RETURNS
  qga: fix false negative argument passing
  mips_mipssim: fix use-after-free for filename
  l2tpv3: fix fd leak
  l2tpv3: fix possible double free
  libcacard: fix resource leak

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agohcd-musb: fix dereference null return value
Paolo Bonzini [Mon, 17 Nov 2014 10:57:23 +0000 (11:57 +0100)] 
hcd-musb: fix dereference null return value

usb_ep_get and usb_handle_packet can deal with a NULL device, but we have
to avoid dereferencing NULL pointers when building the id.

Thanks to Gonglei for an initial stab at fixing this.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging
Peter Maydell [Mon, 17 Nov 2014 15:37:10 +0000 (15:37 +0000)] 
Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' into staging

Update OpenBIOS images

# gpg: Signature made Sat 15 Nov 2014 13:12:02 GMT using RSA key ID AE0F321F
# gpg: Good signature from "Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>"

* remotes/mcayland/tags/qemu-openbios-signed:
  Update OpenBIOS images

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-cris/translate.c: fix out of bounds read
zhanghailiang [Mon, 17 Nov 2014 05:57:34 +0000 (13:57 +0800)] 
target-cris/translate.c: fix out of bounds read

In function t_gen_mov_TN_preg and t_gen_mov_preg_TN, The begin check about the
validity of in-parameter 'r' is useless. We still access cpu_PR[r] in the
follow code if it is invalid. Which will be an out-of-bounds read error.

Fix it by using assert() to ensure it is valid before using it.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoshpc: fix error propaagation
Gonglei [Sat, 15 Nov 2014 10:06:47 +0000 (18:06 +0800)] 
shpc: fix error propaagation

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoqemu-char: fix MISSING_COMMA
Gonglei [Sat, 15 Nov 2014 10:06:46 +0000 (18:06 +0800)] 
qemu-char: fix MISSING_COMMA

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoacl: fix memory leak
Gonglei [Sat, 15 Nov 2014 10:06:45 +0000 (18:06 +0800)] 
acl: fix memory leak

If 'i != index' for all acl->entries, variable
entry leaks the storage it points to.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agonvme: remove superfluous check
Gonglei [Sat, 15 Nov 2014 10:06:44 +0000 (18:06 +0800)] 
nvme: remove superfluous check

Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
((n->bar.aqa >> AQA_ASQS_SHIFT) & AQA_ASQS_MASK) > 4095
is always false regardless of the values of its operands.
This occurs as the logical second operand of '||'.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoloader: fix NEGATIVE_RETURNS
Gonglei [Sat, 15 Nov 2014 10:06:43 +0000 (18:06 +0800)] 
loader: fix NEGATIVE_RETURNS

lseek will return -1 on error, g_malloc0(size) and read(,,size)
paramenters cannot be negative. We should add a check for return
value of lseek().

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoqga: fix false negative argument passing
Gonglei [Sat, 15 Nov 2014 10:06:42 +0000 (18:06 +0800)] 
qga: fix false negative argument passing

Function send_response(s, &qdict->base) returns a negative number
when any failures occured. But strerror()'s parameter cannot be
negative. Let's change the testing condition and pass '-ret' to
strerr().

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agomips_mipssim: fix use-after-free for filename
Gonglei [Sat, 15 Nov 2014 10:06:41 +0000 (18:06 +0800)] 
mips_mipssim: fix use-after-free for filename

May pass freed pointer filename as an argument to error_report.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agol2tpv3: fix fd leak
Gonglei [Sat, 15 Nov 2014 10:06:40 +0000 (18:06 +0800)] 
l2tpv3: fix fd leak

In this false branch, fd will leak when it is zero.
Change the testing condition.

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
[Fix net_l2tpv3_cleanup as well. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoUpdate OpenBIOS images
Mark Cave-Ayland [Sat, 15 Nov 2014 13:01:44 +0000 (13:01 +0000)] 
Update OpenBIOS images

Update OpenBIOS images to SVN r1327 built from submodule.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
5 years agoMerge remote-tracking branch 'remotes/sstabellini/xen-2014-11-14' into staging
Peter Maydell [Fri, 14 Nov 2014 12:05:33 +0000 (12:05 +0000)] 
Merge remote-tracking branch 'remotes/sstabellini/xen-2014-11-14' into staging

* remotes/sstabellini/xen-2014-11-14:
  xen_disk: fix unmapping of persistent grants
  pc: piix4_pm: init legacy PCI hotplug when running on Xen

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agol2tpv3: fix possible double free
zhanghailiang [Fri, 14 Nov 2014 01:39:23 +0000 (09:39 +0800)] 
l2tpv3: fix possible double free

freeaddrinfo(result) does not assign result = NULL, after frees it.
There will be a double free when it goes error case.
It is reported by covertiy.

Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agolibcacard: fix resource leak
zhanghailiang [Fri, 14 Nov 2014 02:18:08 +0000 (10:18 +0800)] 
libcacard: fix resource leak

In function connect_to_qemu(), getaddrinfo() will allocate memory
that is stored into server, it should be freed by using freeaddrinfo()
before connect_to_qemu() return.

Cc: qemu-stable@nongnu.org
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Peter Maydell [Fri, 14 Nov 2014 11:12:40 +0000 (11:12 +0000)] 
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging

# gpg: Signature made Fri 14 Nov 2014 11:05:54 GMT using RSA key ID 81AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>"
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>"

* remotes/stefanha/tags/block-pull-request:
  vmdk: Leave bdi intact if -ENOTSUP in vmdk_get_info
  block: Fix max nb_sectors in bdrv_make_zero
  ahci: factor out FIS decomposition from handle_cmd
  ahci: Check cmd_fis[1] more explicitly
  ahci: Reorder error cases in handle_cmd
  ahci: Fix FIS decomposition
  ahci: add is_ncq predicate helper
  ide: Correct handling of malformed/short PRDTs
  ahci: unify sglist preparation
  ide: repair PIO transfers for cases where nsector > 1
  ahci: Fix byte count regression for ATAPI/PIO

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoxen_disk: fix unmapping of persistent grants
Roger Pau Monne [Thu, 13 Nov 2014 17:42:09 +0000 (18:42 +0100)] 
xen_disk: fix unmapping of persistent grants

This patch fixes two issues with persistent grants and the disk PV backend
(Qdisk):

 - Keep track of memory regions where persistent grants have been mapped
   since we need to unmap them as a whole. It is not possible to unmap a
   single grant if it has been batch-mapped. A new check has also been added
   to make sure persistent grants are only used if the whole mapped region
   can be persistently mapped in the batch_maps case.
 - Unmap persistent grants before switching to the closed state, so the
   frontend can also free them.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Reported-by: George Dunlap <george.dunlap@eu.citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: Kevin Wolf <kwolf@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
5 years agopc: piix4_pm: init legacy PCI hotplug when running on Xen
Igor Mammedov [Fri, 14 Nov 2014 11:11:44 +0000 (11:11 +0000)] 
pc: piix4_pm: init legacy PCI hotplug when running on Xen

If user starts QEMU with "-machine pc,accel=xen", then
compat property in xenfv won't work and it would cause error:
"Unsupported bus. Bus doesn't have property 'acpi-pcihp-bsel' set"
when PCI device is added with -device on QEMU CLI.

From: Igor Mammedov <imammedo@redhat.com>

In case of Xen instead of using compat property, just use the fact
that xen doesn't use QEMU's fw_cfg/acpi tables to switch piix4_pm
into legacy PCI hotplug mode when Xen is enabled.

Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Li Liang <liang.z.li@intel.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agovmdk: Leave bdi intact if -ENOTSUP in vmdk_get_info
Fam Zheng [Fri, 14 Nov 2014 04:09:21 +0000 (12:09 +0800)] 
vmdk: Leave bdi intact if -ENOTSUP in vmdk_get_info

When extent types don't match, we return -ENOTSUP. In this case, be
polite to the caller and don't modify bdi.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Message-id: 1415938161-16217-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoblock: Fix max nb_sectors in bdrv_make_zero
Fam Zheng [Mon, 10 Nov 2014 07:07:44 +0000 (15:07 +0800)] 
block: Fix max nb_sectors in bdrv_make_zero

In bdrv_rw_co we report -EINVAL for nb_sectors > INT_MAX /
BDRV_SECTOR_SIZE, so a caller shouldn't exceed it.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 1415603264-21497-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: factor out FIS decomposition from handle_cmd
John Snow [Mon, 3 Nov 2014 23:56:19 +0000 (18:56 -0500)] 
ahci: factor out FIS decomposition from handle_cmd

In order to make handle_cmd more readable at the macro level,
the details of how to decompose particular types of FIS packets
are left to helper functions.

In our case, the only type of FIS packet we currently expect to
see is a Register H2D FIS packet, but the gory details of its
decomposition are of no particular interest in handle_cmd.

This patch keeps the receipt of FIS packets and the decomposition
thereof separated to two different functions.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1415058979-16604-6-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: Check cmd_fis[1] more explicitly
John Snow [Mon, 3 Nov 2014 23:56:18 +0000 (18:56 -0500)] 
ahci: Check cmd_fis[1] more explicitly

Instead of checking for a known byte, inspect the
fields of this byte explicitly to produce more meaningful
error messages and improve the readability of this section.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1415058979-16604-5-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: Reorder error cases in handle_cmd
John Snow [Mon, 3 Nov 2014 23:56:17 +0000 (18:56 -0500)] 
ahci: Reorder error cases in handle_cmd

Error checking in ahci's handle_cmd is re-ordered so that we
initialize as few things as possible before we've done our
sanity checking. This simplifies returning from this call
in case of an error.

A check to make sure the DMA memory map succeeds with the
correct size is also added, and the debug print of the
command fis is cleaned up with its size corrected.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1415058979-16604-4-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: Fix FIS decomposition
John Snow [Mon, 3 Nov 2014 23:56:16 +0000 (18:56 -0500)] 
ahci: Fix FIS decomposition

This patch introduces a few changes to how FIS packets are
deciphered in the AHCI virtual device. The summary of
changes can be grouped into two pieces:

[A] Changes to how we apply a preliminary sieve to FISes,
[B] Changes in how we internalize a decomposed FIS.

== Changes to how we apply a preliminary sieve to FISes ==

(1) Packets may now either update the Control register or
    the Command register, but not both. This is according
    to the SATA 3.2 specification which states:
    "...the device either initiates processing of the command
    indicated in the Command register or initiates processing
    of the control request indicated [...] depending on the
    state of the C bit in the FIS."

    See SATA 3.2 section 10.5.5.4, "Reception" in the 10.5.5
    "Register Host to Device FIS" section.

    This change accounts for the first two regions of change
    within the diff. All other changes belong to the following
    changes.

== Changes in how we internalize a decomposed FIS ==

(2) Instead of trying to extract the sector number out of the
    FIS from bytes 4-10 and setting it with ide_set_sector,
    we set the appropriate IDEState registers and trust that
    ide_get_sector can retrieve the correct sector later.

    By "constructing" the sector for use with ide_set_sector,
    we are duplicating the mechanisms of ide_get_sector.
    This change makes the FIS decomposition more obvious.

    SATA 3.2 as a specification does not make the legacy
    register mapping with respect to the D2H FIS obvious.
    However, SATA 3.2 section 10.5.5.1 "Register Host to
    Device FIS layout" describes all of the "cmd_fis"
    bytes:

    0 - FIS Type (0x27)
    1 - Port Multiplier Port and Command Update flag
    2 - ATA Command
    3 - Features_Low
    4 - LBA 7:0
    5 - LBA 15:8
    6 - LBA 23:16
    7 - Device, AKA "Drive Select."
    8 - LBA 31:24
    9 - LBA 39:32
    10 - LBA 47:40
    11 - Features_High
    12 - Count Low
    13 - Count High
    14 - ICC
    15 - Control
    16-19 - Auxiliary (for NCQ, defined per-command)

    Most of these registers map to existing IDEState registers
    in obvious ways, especially features, select, hob_features,
    and nsector (count). ICC is reserved in older specifications
    but is not supported in our implementation, and remains
    unused here. The Control register is not valid for a command
    that is trying to update the command register and is to be
    considered reserved at this point.

    What is not obvious is the LBA register mappings, but SATA 1.0
    can help inform of us legacy device support, see SATA 1.0 section
    8.5.2 "Register - Host to Device."

    LBA 7:0   - Sector Number    (sector)
    LBA 15:8  - Cyl Low          (lcyl)
    LBA 23:16 - Cyl High         (hcyl)
    LBA 31:24 - Sector Num Exp.  (hob_sector)
    LBA 39:32 - Cyl Low Exp.     (hob_lcyl)
    LBA 47:40 - Cyl High Exp.    (hob_hcyl)

    These mappings help guide which registers the FIS should be decomposed
    into/towards for CHS, LBA28 and LBA48 commands.

    As a note: The prior confusion that can be seen in the documentation
    arises from the fact that CHS and LBA28 commands use the low nybble
    of the drive select register to store LBA 27:24, whereas LNA48 commands
    use the hob_sector, hob_lcyl and hob_hcyl registers as explained above.

    The decomposition as it stands now will correctly decompose CHS, LBA28
    and LBA48 commands into their appropriate registers where the core
    IDE/ATAPI layers can deal with them correctly.

    See the below point for more information.

(3) We save cmd_fis[7] as ide_state->select, which informs
    decisions about if we are using LBA or CHS.
    This corrects a bug in AHCI wherein we attempt to set and/or
    retrieve the sector number by using ide_set_sector and
    ide_get_sector, which depend on the select register to
    determine if we are using LBA or CHS.

    Without this adjustment, LBA48 read/writes are currently
    broken. Thanks to Eniac Zheng @ HP for pointing this out.

(4) Save cmd_fis[11] as ide_state->hob_feature, as defined in SATA 3.2.

(5) For several ATA commands, the sector count register set to 0
    is a magic number that means 256 sectors. For LBA48 commands,
    this means 65,536 sectors. We drop the magic sector correction
    here, and trust the ide core layer to handle the conversion
    appropriately, in ide_cmd_lba48_transform(). As it stands,
    the current AHCI code is only compliant with LBA28 commands.
    By simply removing the magic, it will work with LBA28 and LBA48.

(6) We expand FIS decomposition to include both ATAPI and IDE devices.
    We leave the logic of determining if the fields are valid or not
    to the respective layers.

    This change intends to make it clearer that AHCI is only a
    composition mechanism for the FIS packets: the meanings of
    the registers is best left to the implementation layers for
    those devices.

(7) Forcefully setting the feature, hcyl and lcyl registers for ATAPI
    commands is removed.
    - The hcyl and lcyl magic present here is valid at boot only,
      and should not be overridden for every PACKET command.
    - The feature register is defined as valid for the PACKET command,
      so we should not suppress it. The ATAPI layer does not even
      currently depend on or require 0x01 as mandatory.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1415058979-16604-3-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: add is_ncq predicate helper
John Snow [Mon, 3 Nov 2014 23:56:15 +0000 (18:56 -0500)] 
ahci: add is_ncq predicate helper

A small helper to determine which S/ATA commands
are destined to be routed to the NCQ pathways.

This references SATA 3.2 section 13.6,
Native Command Queueing. See sections 13.6.4,
13.6.5, 13.6.6, 13.6.7 and 13.6.8 for all
SATA commands considered to be part of the
NCQ feature set. This is summarized in a small
list in section 13.6.3.1 and again in 13.6.3.2.

Not all of these NCQ commands are currently supported,
so the error pathways are adjusted slightly to be more
informative in the case they are encountered.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1415058979-16604-2-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoide: Correct handling of malformed/short PRDTs
John Snow [Fri, 31 Oct 2014 20:03:39 +0000 (16:03 -0400)] 
ide: Correct handling of malformed/short PRDTs

This impacts both BMDMA and AHCI HBA interfaces for IDE.
Currently, we confuse the difference between a PRDT having
"0 bytes" and a PRDT having "0 complete sectors."

When we receive an incomplete sector, inconsistent error checking
leads to an infinite loop wherein the call succeeds, but it
didn't give us enough bytes -- leading us to re-call the
DMA chain over and over again. This leads to, in the BMDMA case,
leaked memory for short PRDTs, and infinite loops and resource
usage in the AHCI case.

The .prepare_buf() callback is reworked to return the number of
bytes that it successfully prepared. 0 is a valid, non-error
answer that means the table was empty and described no bytes.
-1 indicates an error.

Our current implementation uses the io_buffer in IDEState to
ultimately describe the size of a prepared scatter-gather list.
Even though the AHCI PRDT/SGList can be as large as 256GiB, the
AHCI command header limits transactions to just 4GiB. ATA8-ACS3,
however, defines the largest transaction to be an LBA48 command
that transfers 65,536 sectors. With a 512 byte sector size, this
is just 32MiB.

Since our current state structures use the int type to describe
the size of the buffer, and this state is migrated as int32, we
are limited to describing 2GiB buffer sizes unless we change the
migration protocol.

For this reason, this patch begins to unify the assertions in the
IDE pathways that the scatter-gather list provided by either the
AHCI PRDT or the PCI BMDMA PRDs can only describe, at a maximum,
2GiB. This should be resilient enough unless we need a sector
size that exceeds 32KiB.

Further, the likelihood of any guest operating system actually
attempting to transfer this much data in a single operation is
very slim.

To this end, the IDEState variables have been updated to more
explicitly clarify our maximum supported size. Callers to the
prepare_buf callback have been reworked to understand the new
return code, and all versions of the prepare_buf callback have
been adjusted accordingly.

Lastly, the ahci_populate_sglist helper, relied upon by the
AHCI implementation of .prepare_buf() as well as the PCI
implementation of the callback have had overflow assertions
added to help make clear the reasonings behind the various
type changes.

[Added %d -> %"PRId64" fix John sent because off_pos changed from int to
int64_t.
--Stefan]

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1414785819-26209-4-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: unify sglist preparation
John Snow [Fri, 31 Oct 2014 20:03:38 +0000 (16:03 -0400)] 
ahci: unify sglist preparation

The intent of this patch is to further unify the creation and
deletion of the sglist used for all AHCI transfers, including
emulated PIO, ATAPI R/W, and native DMA R/W.

By replacing ahci_start_transfer's call to ahci_populate_sglist
with ahci_dma_prepare_buf, we reduce the number of direct calls
where we manipulate the scatter-gather list in the AHCI code.

To make this switch, the constant "0" passed as an offset
in ahci_dma_prepare_buf is adjusted to use io_buffer_offset.

For DMA pathways, this has no effect: io_buffer_offset is always
updated to 0 at the beginning of a DMA transfer loop regardless.
DMA pathways through ide_dma_cb() update the io_buffer_offset
accordingly, and for circumstances where we might make several
trips through this loop, this may actually correct a design flaw.

For PIO pathways, the newly updated ahci_dma_prepare_buf will
now prepare the sglist at the correct offset. It will also set
io_buffer_size, but this is not used in the cmd_read_pio or
cmd_write_pio pathways.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1414785819-26209-3-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoide: repair PIO transfers for cases where nsector > 1
John Snow [Fri, 31 Oct 2014 20:03:37 +0000 (16:03 -0400)] 
ide: repair PIO transfers for cases where nsector > 1

Currently, for emulated PIO transfers through the AHCI device,
any attempt made to request more than a single sector's worth
of data will result in the same sector being transferred over
and over.

For example, if we request 8 sectors via PIO READ SECTORS, the
AHCI device will give us the same sector eight times.

This patch adds offset tracking into the PIO pathways so that
we can fulfill these requests appropriately.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1414785819-26209-2-git-send-email-jsnow@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoahci: Fix byte count regression for ATAPI/PIO
John Snow [Tue, 11 Nov 2014 00:41:40 +0000 (19:41 -0500)] 
ahci: Fix byte count regression for ATAPI/PIO

This patch fixes a regression caused by commit
659142ecf71a0da240ab0ff7cf929ee25c32b9bc.
The problem occurs when we wish to return early
from the ahci_start_transfer function, but are now
updating the transferred byte count in the AHCI
command header via ahci_commit_buf.

This will cause problems in the Windows 8 installer.

Don't update the byte count in the command header
for the transmission of ATAPI packets: These commands
will distort the final byte count of the actual data
payload.

The call to ahci_commit_buf remains in the "out"
portion of the call in order to clean up the sglist.
The byte count is maintained by forcing size to be 0.

Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Peter Maydell [Thu, 13 Nov 2014 15:44:16 +0000 (15:44 +0000)] 
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

x86 and SCSI fixes.  I left out the APIC device model
patches, pending confirmation from the submitter that they really
fix QNX.

# gpg: Signature made Thu 13 Nov 2014 15:13:38 GMT using RSA key ID 78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream:
  acpi: accurate overflow check
  smbios: change 'ram_addr_t' variables to 'uint64_t'
  kvmclock: Add comment explaining why we need cpu_clean_all_dirty()
  target-i386: fix Coverity complaints about overflows
  apic_common: migrate missing fields
  target-i386: eliminate dead code and hoist common code out of "if"
  virtio-scsi: Fix comment for VirtIOSCSIReq
  virtio-scsi: dataplane: suppress guest notification
  esp: Do not overwrite ESP_TCHI after reset
  virtio-scsi: dataplane: fix allocation for 'cmd_vrings'
  esp: fix coding standards
  virtio-scsi: work around bug in old BIOSes
  esp-pci: fixup deadlock with linux

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoacpi: accurate overflow check
Pavel Dovgalyuk [Fri, 7 Nov 2014 10:31:33 +0000 (13:31 +0300)] 
acpi: accurate overflow check

Compare clock in ns, because acpi_pm_tmr_update uses rounded
to ns value instead of ticks.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
[This lets Windows boot in icount mode. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agosmbios: change 'ram_addr_t' variables to 'uint64_t'
SeokYeon Hwang [Wed, 5 Nov 2014 06:19:54 +0000 (15:19 +0900)] 
smbios: change 'ram_addr_t' variables to 'uint64_t'

ram_addr_t should not be used except if referring to a RAMBlobk.
Using 'uint64_t' avoids a -Wconstant-conversion warning, which
clang >= 3.4 produces in "smbios_get_tables()".

Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agokvmclock: Add comment explaining why we need cpu_clean_all_dirty()
Eduardo Habkost [Mon, 3 Nov 2014 17:45:34 +0000 (15:45 -0200)] 
kvmclock: Add comment explaining why we need cpu_clean_all_dirty()

Try to explain why commit 317b0a6d8ba44e9bf8f9c3dbd776c4536843d82c
needed a cpu_clean_all_dirty() call just after calling
cpu_synchronize_all_states().

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Cc: Andrey Korolyov <andrey@xdel.ru>
Cc: Marcin Gibuła <m.gibula@beyond.pl>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agotarget-i386: fix Coverity complaints about overflows
Paolo Bonzini [Wed, 12 Nov 2014 11:16:58 +0000 (12:16 +0100)] 
target-i386: fix Coverity complaints about overflows

sipi_vector is an int; it is shifted by 12 and passed as a 64-bit value,
which makes Coverity think that we wanted (uint64_t)sipi_vector << 12.

But actually it must be between 0 and 255.  Make this explicit.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoapic_common: migrate missing fields
Pavel Dovgalyuk [Thu, 28 Aug 2014 11:18:57 +0000 (15:18 +0400)] 
apic_common: migrate missing fields

This patch adds missed sipi_vector and wait_for_sipi fields to a new
subsection of the vmstate of the apic_common module. Saving and loading
of these fields makes migration of the apic state deterministic.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
[Initialize the field in pre_load and kvm_apic_realize. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-seabios-1.7.5.1-20141113-1...
Peter Maydell [Thu, 13 Nov 2014 13:02:31 +0000 (13:02 +0000)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-seabios-1.7.5.1-20141113-1' into staging

update seabios to 1.7.5.1 stable release

# gpg: Signature made Thu 13 Nov 2014 11:03:05 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-seabios-1.7.5.1-20141113-1:
  update seabios to 1.7.5.1 stable release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-input-20141113-1' into staging
Peter Maydell [Thu, 13 Nov 2014 11:52:11 +0000 (11:52 +0000)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20141113-1' into staging

QMP/input-send-event: make console parameter optional

# gpg: Signature made Thu 13 Nov 2014 10:07:26 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-input-20141113-1:
  QMP/input-send-event: make console parameter optional
  QMP/input-send-event: update document of union InputEvent

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoupdate seabios to 1.7.5.1 stable release
Gerd Hoffmann [Thu, 13 Nov 2014 10:56:02 +0000 (11:56 +0100)] 
update seabios to 1.7.5.1 stable release

git shortlog since 1.7.5:

Hannes Reinecke (1):
      megasas: read addional PCI I/O bar

Kevin O'Connor (5):
      boot: Change ":rom%d" boot order rom instance to ":rom%x"
      vgabios: Return from handle_1011() if handler found.
      Don't enable thread preemption during S3 resume vga option rom execution.
      build: Avoid absolute paths during "whole-program" compiling.
      ehci: Fix bug in hub port assignment

Marcel Apfelbaum (1):
      hw/pci: reserve IO and mem for pci express downstream ports with no devices attached

Markus Armbruster (1):
      boot: Fix boot order for SCSI target, lun > 9

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20141112-1' into staging
Peter Maydell [Thu, 13 Nov 2014 10:54:05 +0000 (10:54 +0000)] 
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20141112-1' into staging

usb bugfixes for 2.2

# gpg: Signature made Wed 12 Nov 2014 14:35:09 GMT using RSA key ID D3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"

* remotes/kraxel/tags/pull-usb-20141112-1:
  usb-host: fix usb_host_speed_compat tyops
  xhci: add sanity checks to xhci_lookup_uport
  Provide the missing LIBUSB_LOG_LEVEL_* for older libusb or FreeBSD. Providing just the needed value as a defined.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoQMP/input-send-event: make console parameter optional
Amos Kong [Fri, 7 Nov 2014 04:41:25 +0000 (12:41 +0800)] 
QMP/input-send-event: make console parameter optional

The 'QemuConsole' is the input source for handler, we share some
input handlers to process the input events from different QemuConsole.

Normally we only have one set of keyboard, mouse, usbtablet, etc.
The devices have different mask, it's fine to just checking mask to
insure that the handler has the ability to process the event.

I saw we try to bind console to handler in usb/dev-hid.c, but display
always isn't available at that time.

If we have multiseat setup (as Gerd said), we only have 'problem' in
this case. Actually event from different devices have the same effect
for system, it's fine to always use the first available handler
without caring about the console.

For send-key command, we just pass a NULL for console parameter in
calling qemu_input_event_send_key(NULL, ..), but 'input-send-event'
needs to care more devices.

Conclusion:
Generally assigning the special console is meanless, and we can't
directly remove the QMP parameter for compatibility.

So we can make the parameter optional. The parameter might be useful
for some special condition: we have multiple devices without binding
console and they all have the ability(mask) to process events, and
we don't want to use the first one.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agoQMP/input-send-event: update document of union InputEvent
Amos Kong [Fri, 7 Nov 2014 04:41:24 +0000 (12:41 +0800)] 
QMP/input-send-event: update document of union InputEvent

Signed-off-by: Amos Kong <akong@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agousb-host: fix usb_host_speed_compat tyops
Gerd Hoffmann [Mon, 10 Nov 2014 11:14:22 +0000 (12:14 +0100)] 
usb-host: fix usb_host_speed_compat tyops

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
5 years agotarget-i386: eliminate dead code and hoist common code out of "if"
Paolo Bonzini [Wed, 12 Nov 2014 11:04:56 +0000 (12:04 +0100)] 
target-i386: eliminate dead code and hoist common code out of "if"

ist != 0 is checked in the first "if", so it cannot be true in
the "else if" part.  While at it, simplify the code and move
the ESP alignment out of the conditionals.

Reported by Coverity.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agovirtio-scsi: Fix comment for VirtIOSCSIReq
Fam Zheng [Wed, 12 Nov 2014 11:29:55 +0000 (19:29 +0800)] 
virtio-scsi: Fix comment for VirtIOSCSIReq

The cdb is not zeroed by virtio_scsi_init_req, so fix the misleading
comment.

Suggested-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agovirtio-scsi: dataplane: suppress guest notification
Ming Lei [Wed, 12 Nov 2014 03:24:35 +0000 (11:24 +0800)] 
virtio-scsi: dataplane: suppress guest notification

This patch uses vring_should_notify() to suppress
guest notification, and looks notification frequency
can be decreased from ~33K/sec to ~2K/sec in my test
environment.

Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoesp: Do not overwrite ESP_TCHI after reset
Hannes Reinecke [Mon, 10 Nov 2014 15:52:55 +0000 (16:52 +0100)] 
esp: Do not overwrite ESP_TCHI after reset

After a reset ESP_TCHI should contain the unique ID
of the chip. This value will be overwritten with the
current tranfer count if the transfer count has
previously been set.
So we should always return the chip id if ESP_TCHI
has never been written to.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoUpdate version for v2.2.0-rc1 release v2.2.0-rc1
Peter Maydell [Tue, 11 Nov 2014 17:25:11 +0000 (17:25 +0000)] 
Update version for v2.2.0-rc1 release

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20141111' into staging
Peter Maydell [Tue, 11 Nov 2014 16:23:02 +0000 (16:23 +0000)] 
Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20141111' into staging

seccomp branch queue

# gpg: Signature made Tue 11 Nov 2014 16:12:48 GMT using RSA key ID 12F8BD2F
# gpg: Can't check signature: public key not found

* remotes/otubo/tags/pull-seccomp-20141111:
  seccomp: change configure to avoid arm 32 to break
  seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoseccomp: change configure to avoid arm 32 to break
Eduardo Otubo [Fri, 7 Nov 2014 09:05:44 +0000 (10:05 +0100)] 
seccomp: change configure to avoid arm 32 to break

Current stable version of libseccomp (2.1.1) only supports i386 and
x86_64 archs correctly. This patch limits the usage of the syscall
filter for those archs and updates to the correct last version of
libseccomp.

This patch also fixes the bug:
https://bugs.launchpad.net/qemu/+bug/1363641

Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Paul Moore <pmoore@redhat.com>
5 years agoseccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add...
Philipp Gesang [Fri, 5 Sep 2014 16:29:31 +0000 (18:29 +0200)] 
seccomp: whitelist syscalls fallocate(), fadvise64(), inotify_init1() and inotify_add_watch()

fallocate() is needed for snapshotting. If it isn’t whitelisted

    $ qemu-img create -f qcow2 x.qcow 1G
    Formatting 'x.qcow', fmt=qcow2 size=1073741824 encryption=off cluster_size=65536 lazy_refcounts=off
    $ qemu-kvm -display none -monitor stdio -sandbox on x.qcow
    QEMU 2.1.50 monitor - type 'help' for more information
    (qemu) savevm foo
    (qemu) loadvm foo

will fail, as will subsequent savevm commands on the same image.

fadvise64(), inotify_init1(), inotify_add_watch() are needed by
the SDL display. Without the whitelist entries,

    qemu-kvm -sandbox on

fails immediately.

In my tests fadvise64() is called 50--51 times per VM run. That
number seems independent of the duration of the run. fallocate(),
inotify_init1(), inotify_add_watch() are called once each.
Accordingly, they are added to the whitelist at a very low
priority.

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Signed-off-by: Eduardo Otubo <eduardo.otubo@profitbricks.com>
5 years agoMerge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2014-11-11' into...
Peter Maydell [Tue, 11 Nov 2014 14:50:10 +0000 (14:50 +0000)] 
Merge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2014-11-11' into staging

trivial patches for 2014-11-11

# gpg: Signature made Tue 11 Nov 2014 14:38:39 GMT using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg:                 aka "Michael Tokarev <mjt@corpit.ru>"
# gpg:                 aka "Michael Tokarev <mjt@debian.org>"

* remotes/mjt/tags/pull-trivial-patches-2014-11-11:
  block: Fix comment for bdrv_co_get_block_status
  sysbus: Correct SYSTEM_BUS(obj) defines
  target-i386: cpu: keeping function parameters alignment on new line
  xen-hvm: Remove redundant variable 'xstate'
  coroutine-sigaltstack: Change jmp_buf to sigjmp_buf
  pc-bios: petalogix-s3adsp1800.dtb: Use 'xlnx, xps-ethernetlite-2.00.a' instead of 'xlnx, xps-ethernetlite-2.00.b'
  gdbstub: Add a missing case of signal number translation in gdbstub
  numa: make 'info numa' take into account hotplugged memory
  slirp/smbd: modify/set several parameters in generated smbd.conf
  qemu-doc.texi: fix typos in x509 examples
  icc_bus: fix typo ICC_BRIGDE -> ICC_BRIDGE

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoblock: Fix comment for bdrv_co_get_block_status
Fam Zheng [Mon, 10 Nov 2014 09:10:38 +0000 (17:10 +0800)] 
block: Fix comment for bdrv_co_get_block_status

It returns more information than binary, fix the comment.

Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agosysbus: Correct SYSTEM_BUS(obj) defines
Gonglei [Tue, 11 Nov 2014 09:37:59 +0000 (17:37 +0800)] 
sysbus: Correct SYSTEM_BUS(obj) defines

Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agotarget-i386: cpu: keeping function parameters alignment on new line
Chen Fan [Wed, 5 Nov 2014 08:40:33 +0000 (16:40 +0800)] 
target-i386: cpu: keeping function parameters alignment on new line

Signed-off-by: Chen Fan <chen.fan.fnst@cn.fujitsu.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agoxen-hvm: Remove redundant variable 'xstate'
Chen Gang [Tue, 11 Nov 2014 09:23:40 +0000 (17:23 +0800)] 
xen-hvm: Remove redundant variable 'xstate'

In xen_hvm_change_state_handler(), we can pass 'opaque' with type cast
to xen_main_loop_prepare() directly, there's no need to use additional
variable for it.

Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agoMerge remote-tracking branch 'remotes/armbru/tags/for-upstream' into staging
Peter Maydell [Tue, 11 Nov 2014 11:05:54 +0000 (11:05 +0000)] 
Merge remote-tracking branch 'remotes/armbru/tags/for-upstream' into staging

Patches to MAINTAINERS that haven't been picked up

# gpg: Signature made Tue 11 Nov 2014 08:46:55 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg:                 aka "Markus Armbruster <armbru@pond.sub.org>"

* remotes/armbru/tags/for-upstream:
  Add Migration maintainer
  MAINTAINERS: add section for QEMU Guest Agent
  MAINTAINERS: add myself as bootdevice.c maintainer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agovirtio-scsi: dataplane: fix allocation for 'cmd_vrings'
Ming Lei [Tue, 11 Nov 2014 01:17:09 +0000 (09:17 +0800)] 
virtio-scsi: dataplane: fix allocation for 'cmd_vrings'

The size of each element should be sizeof(VirtIOSCSIVring *).

Signed-off-by: Ming Lei <ming.lei@canonical.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20141111' into staging
Peter Maydell [Tue, 11 Nov 2014 10:09:31 +0000 (10:09 +0000)] 
Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20141111' into staging

linux-user pull for 2.2

Two last minute fixes uncovered and fixed by Tom Musta
and Alexander Graf, thanks

# gpg: Signature made Tue 11 Nov 2014 06:36:02 GMT using RSA key ID DE3C9BC0
# gpg: Good signature from "Riku Voipio <riku.voipio@iki.fi>"
# gpg:                 aka "Riku Voipio <riku.voipio@linaro.org>"

* remotes/riku/tags/pull-linux-user-20141111:
  linux-user: Fix up timer id handling
  linux-user: Do not subtract offset from end address

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoAdd Migration maintainer
Juan Quintela [Wed, 15 Oct 2014 08:34:50 +0000 (10:34 +0200)] 
Add Migration maintainer

Signed-off-by: Juan Quintela <quintela@trasno.org>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 years agoMAINTAINERS: add section for QEMU Guest Agent
Michael Roth [Wed, 22 Oct 2014 12:05:36 +0000 (07:05 -0500)] 
MAINTAINERS: add section for QEMU Guest Agent

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 years agoMAINTAINERS: add myself as bootdevice.c maintainer
Gonglei [Wed, 22 Oct 2014 03:07:57 +0000 (11:07 +0800)] 
MAINTAINERS: add myself as bootdevice.c maintainer

bootdevice.c was created by me, and I wrote most of
the code in this file. And now I can maintain it,
I'd hope nobody object this.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
5 years agocoroutine-sigaltstack: Change jmp_buf to sigjmp_buf
Willem Pinckaers [Sat, 8 Nov 2014 03:51:59 +0000 (19:51 -0800)] 
coroutine-sigaltstack: Change jmp_buf to sigjmp_buf

This is a simple patch to change the type of old_env from jmp_buf
to sigjmp_buf.  old_env is used by sigsetjmp and as such should be
a sigjmp_buf.

This fixes a stack_chk fail in a OSX 32bit build. Since at least on
OSX sigjmp_buf is four bytes larger then a jmpbuf, resulting in an
overflow in sigsetjmp. Due to variable reordering this overwrites
the stack cookie.

Signed-off-by: Willem Pinckaers <willem_qemu@lekkertech.net>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Peter: I think I must have missed this one when I converted
       all the jmp_buf to sigjmp_buf in commit 6ab7e546.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agoxhci: add sanity checks to xhci_lookup_uport
Gerd Hoffmann [Fri, 7 Nov 2014 09:41:25 +0000 (10:41 +0100)] 
xhci: add sanity checks to xhci_lookup_uport

Also catch xhci_lookup_uport failures in post_load.

https://bugzilla.redhat.com/show_bug.cgi?id=1074219

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agoProvide the missing LIBUSB_LOG_LEVEL_* for older libusb or FreeBSD. Providing just...
Chris Johns [Wed, 5 Nov 2014 08:35:22 +0000 (19:35 +1100)] 
Provide the missing LIBUSB_LOG_LEVEL_* for older libusb or FreeBSD. Providing just the needed value as a defined.

Signed-off-by: Chris Johns <chrisj@rtems.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
5 years agolinux-user: Fix up timer id handling
Alexander Graf [Mon, 10 Nov 2014 20:33:03 +0000 (21:33 +0100)] 
linux-user: Fix up timer id handling

When creating a timer handle, we give the timer id a special magic offset
of 0xcafe0000. However, we never mask that offset out of the timer id before
we start using it to dereference our timer array. So we always end up aborting
timer operations because the timer id is out of bounds.

This was not an issue before my patch e52a99f756e ("linux-user: Simplify
timerid checks on g_posix_timers range") because before we would blindly mask
anything above the first 16 bits.

This patch simplifies the code around timer id creation by introducing a proper
target_timer_id typedef that is s32, just like Linux has it. It also changes the
magic offset to a value that makes all timer ids be positive.

Reported-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Tom Musta <tommusta@gmail.com>
Tested-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
5 years agolinux-user: Do not subtract offset from end address
Tom Musta [Thu, 6 Nov 2014 19:43:13 +0000 (13:43 -0600)] 
linux-user: Do not subtract offset from end address

When computing the upper address of a program segment, do not subtract the
offset from the virtual address; instead compute the sum of the virtual address
and the memory size.

Signed-off-by: Tom Musta <tommusta@gmail.com>
Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
5 years agopc-bios: petalogix-s3adsp1800.dtb: Use 'xlnx, xps-ethernetlite-2.00.a' instead of...
Chen Gang [Mon, 3 Nov 2014 09:26:30 +0000 (17:26 +0800)] 
pc-bios: petalogix-s3adsp1800.dtb: Use 'xlnx, xps-ethernetlite-2.00.a' instead of 'xlnx, xps-ethernetlite-2.00.b'

For Linux upstream kernel (e.g. 3.17-rc7), the related compatible string
'xlnx,xps-ethernetlite-2.00.a' is supported, but 'b' is not supported,
so change qemu dtb file to match kernel driver.

The related operation for qemu (after this patch):

   yum install libvirt
   yum install tunctl
   tunctl -b
   ip link set tap0 up
   brctl addif virbr0 tap0

   ./configure
   make
   ./microblaze-softmmu/qemu-system-microblaze -M petalogix-s3adsp1800 \
     -kernel ../linux-stable.microblaze/arch/microblaze/boot/linux.bin \
     -no-reboot -append "console=ttyUL0,115200 doreboot" -nographic \
     -net nic,vlan=0,model=xlnx.xps-ethernetlite,macaddr=00:16:35:AF:94:00 \
     -net tap,vlan=0,ifname=tap0,script=no,downscript=no

   in microblaze qemu bash (guest machine):

     ifconfig eth0 add 192.168.122.2 netmask 255.255.255.0
     ifconfig eth0 up

   Then can telnet 192.168.122.2 directly without password from the host
   machine.

The related operation for generating new dtb:

   building Linux kernel firstly, then get dts tool "./scripts/dts/dts".
   "./scripts/dtc/dtc -I dtb -O dts  -o ../work.dts ../qemu/petalogix-s3adsp1800.dtb"
   edit work.dts (replace 'xlnx,xps-ethernetlite-2.00.b')
   "./scripts/dtc/dtc -I dts -O dtb  -o ..qemu/petalogix-s3adsp1800.dtb ../work.dts"

(Since I am not quite sure whether can read this patch or not, I put the
related dtb file in attachment, please check, thanks).

Signed-off-by: Chen Gang <gang.chen.5i5j@gmail.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agogdbstub: Add a missing case of signal number translation in gdbstub
Martin Simmons [Wed, 5 Nov 2014 14:47:39 +0000 (14:47 +0000)] 
gdbstub: Add a missing case of signal number translation in gdbstub

While using qemu with gdb "target remote" to debug an application that uses
fork and exec, the qemu process receives SIGSTOP every time the forked process
terminates (sending SIGCHLD).

This is caused by a missing call to gdb_signal_to_target in gdbstub.c, which
is fixed by this patch:

Signed-off-by: Martin Simmons <martin@lispworks.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agonuma: make 'info numa' take into account hotplugged memory
zhanghailiang [Tue, 4 Nov 2014 11:49:30 +0000 (19:49 +0800)] 
numa: make 'info numa' take into account hotplugged memory

When do memory hotplug, if there is numa node, we should add
the memory size to the corresponding node memory size.

It affects the result of hmp command "info numa".

Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agoslirp/smbd: modify/set several parameters in generated smbd.conf
Peter Wu [Mon, 3 Nov 2014 10:52:10 +0000 (11:52 +0100)] 
slirp/smbd: modify/set several parameters in generated smbd.conf

The file sharing module should not handle printers, so disable it.
The options 'load printers' and 'printing' have been available since the
beginning (May 1996, commit 0e8fd3398771da2f016d72830179507f3edda51b).
Option 'disable spoolss' is available since Samba 2.0.4, commit
de5f42c9d9172592779fa2504d44544e3b6b1c0d).

Next, "socket address" was reported as deprecated, use a combination of
"interfaces" and "bind interfaces only" instead (available since October
1997, commit 79f4fb52c1ed56fd843f81b4eb0cdd2991d4d0f4).

Override cache directory to avoid writing to a global directory. Option
available since Samba 3.4.0, Jan 2009, commit
19a05bf2f485023b11b41dfae3f6459847d55ef7.

Set "usershare max shared=0" to prevent a global directory from being
used. Option available since Samba 3.0.23, February 2006, commit
5831715049f2d460ce42299963a5defdc160891b.

The last option was introduced with Samba 3.4.0, but previously
"state directory" was already added which exists in Samba 3.4.0. As
unknown parameters are ignored (while printing a warning), it should be
safe to add another option.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
5 years agoMerge remote-tracking branch 'remotes/xtensa/tags/20141110-xtensa' into staging
Peter Maydell [Mon, 10 Nov 2014 20:50:36 +0000 (20:50 +0000)] 
Merge remote-tracking branch 'remotes/xtensa/tags/20141110-xtensa' into staging

Xtensa fixes for 2.2:
- fix entry opcode register window checking and add unit test.

# gpg: Signature made Mon 10 Nov 2014 15:01:47 GMT using RSA key ID F83FA044
# gpg: Good signature from "Max Filippov <max.filippov@cogentembedded.com>"
# gpg:                 aka "Max Filippov <jcmvbkbc@gmail.com>"

* remotes/xtensa/tags/20141110-xtensa:
  target-xtensa: add entry overflow test
  target-xtensa: add missing window check for entry

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging
Peter Maydell [Mon, 10 Nov 2014 16:28:51 +0000 (16:28 +0000)] 
Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block patches

# gpg: Signature made Mon 10 Nov 2014 09:42:07 GMT using RSA key ID C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"

* remotes/kevin/tags/for-upstream:
  block/vdi: Limit maximum size even futher
  qapi: Complete BlkdebugEvent
  iotests: Add test for non-existing backing file
  block: Propagate error in bdrv_img_create()
  qemu-img: Omit error_report() after img_open()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agotarget-xtensa: add entry overflow test
Max Filippov [Fri, 7 Nov 2014 19:55:53 +0000 (22:55 +0300)] 
target-xtensa: add entry overflow test

Check that entry instruction raises window overflow exception when
PS.CALLINC points to live registers.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
5 years agotarget-xtensa: add missing window check for entry
Max Filippov [Fri, 7 Nov 2014 18:11:07 +0000 (21:11 +0300)] 
target-xtensa: add missing window check for entry

Entry opcode needs to check if moving to new register frame would cause
register window overflow. Entry used in function prologue never
overflows because preceding windowed call* opcode writes return address
to the target register window frame, causing overflow exceptions at the
point of call. But when a sequence of entry opcodes is used for register
window spilling there may not be a call or other opcode that would cause
window check between entries and they would not raise overflow exception
themselves resulting in data corruption.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
5 years agoMerge remote-tracking branch 'remotes/cohuck/tags/s390x-20141105' into staging
Peter Maydell [Mon, 10 Nov 2014 14:58:59 +0000 (14:58 +0000)] 
Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20141105' into staging

Several bugfixes for s390x:
- instruction decoding and sparse warning in kvm
- overlong input and hangs in the sclp consoles

# gpg: Signature made Wed 05 Nov 2014 15:42:14 GMT using RSA key ID C6F02FAF
# gpg: Good signature from "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg:                 aka "Cornelia Huck <cornelia.huck@de.ibm.com>"

* remotes/cohuck/tags/s390x-20141105:
  s390x/sclpconsole: Avoid hanging SCLP ASCII console
  s390x/sclpconsole-lm: Fix hanging SCLP line mode console
  s390x/sclpconsole-lm: truncate input if line is too long
  s390x/kvm: Fix warning from sparse
  s390x/kvm: Fix opcode decoding for eb instruction handler

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'remotes/lalrae/tags/mips-20141107' into staging
Peter Maydell [Mon, 10 Nov 2014 13:56:47 +0000 (13:56 +0000)] 
Merge remote-tracking branch 'remotes/lalrae/tags/mips-20141107' into staging

* remotes/lalrae/tags/mips-20141107:
  target-mips: fix multiple TCG registers covering same data
  mips: Ensure PC update with MTC0 single-stepping
  target-mips: fix for missing delay slot in BC1EQZ and BC1NEZ
  mips: Set the CP0.Config3.DSP and CP0.Config3.DSP2P bits
  mips: Add macros for CP0.Config3 and CP0.Config4 bits
  mips: Respect CP0.Status.CU1 for microMIPS FP branches
  mips: Remove CONFIG_VT82C686 from non-Fulong configs

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoesp: fix coding standards
Paolo Bonzini [Mon, 10 Nov 2014 12:58:14 +0000 (13:58 +0100)] 
esp: fix coding standards

Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agoMerge remote-tracking branch 'remotes/amit/tags/vser-2.2.0-queue-2' into staging
Peter Maydell [Mon, 10 Nov 2014 11:58:39 +0000 (11:58 +0000)] 
Merge remote-tracking branch 'remotes/amit/tags/vser-2.2.0-queue-2' into staging

Fixes a crash when a virtio-serial port is added without a name to it.

# gpg: Signature made Fri 07 Nov 2014 04:58:05 GMT using RSA key ID 854083B6
# gpg: Good signature from "Amit Shah <amit@amitshah.net>"
# gpg:                 aka "Amit Shah <amit@kernel.org>"
# gpg:                 aka "Amit Shah <amitshah@gmx.net>"

* remotes/amit/tags/vser-2.2.0-queue-2:
  virtio-serial: avoid crash when port has no name

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
5 years agoMerge remote-tracking branch 'mreitz/block' into queue-block
Kevin Wolf [Mon, 10 Nov 2014 09:41:34 +0000 (10:41 +0100)] 
Merge remote-tracking branch 'mreitz/block' into queue-block

* mreitz/block:
  block/vdi: Limit maximum size even futher

5 years agoblock/vdi: Limit maximum size even futher
Max Reitz [Tue, 28 Oct 2014 10:12:32 +0000 (11:12 +0100)] 
block/vdi: Limit maximum size even futher

The block layer read and write functions do not like requests which are
bigger than INT_MAX bytes. Since the VDI bmap is read and written in a
single operation, its size is therefore limited accordingly. This
reduces the maximum VDI image size supported by QEMU to half of what it
currently is (down to approximately 512 TB).

The VDI test 084 has to be adapted accordingly. Actually, one could
clearly see that it was broken from the "Could not open
'TEST_DIR/t.IMGFMT': Invalid argument" line for an image which was
supposed to work just fine.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Peter Lieven <pl@kamp.de>
5 years agoqapi: Complete BlkdebugEvent
Max Reitz [Fri, 7 Nov 2014 15:51:35 +0000 (16:51 +0100)] 
qapi: Complete BlkdebugEvent

Several events were missing from the QAPI enum, add them.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agovirtio-scsi: work around bug in old BIOSes
Paolo Bonzini [Fri, 7 Nov 2014 13:00:02 +0000 (14:00 +0100)] 
virtio-scsi: work around bug in old BIOSes

Old BIOSes left some padding by mistake after the req_size/resp_size.
New QEMU does not like it, thinking it is a bidirectional command.

As a workaround, we can check if the ANY_LAYOUT bit is set; if not, we
always consider the first buffer as the virtio-scsi request/response,
because, back when QEMU did not support ANY_LAYOUT, it expected the
payload to start at the second element of the iovec.

This can show up during migration.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agotarget-mips: fix multiple TCG registers covering same data
Yongbok Kim [Fri, 7 Nov 2014 10:43:21 +0000 (10:43 +0000)] 
target-mips: fix multiple TCG registers covering same data

Avoid to allocate different TCG registers for the FPU registers
that are mapped on the MSA vectore registers.

Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
5 years agomips: Ensure PC update with MTC0 single-stepping
Maciej W. Rozycki [Thu, 6 Nov 2014 20:38:10 +0000 (20:38 +0000)] 
mips: Ensure PC update with MTC0 single-stepping

Correct the way PC is updated when single-stepping instructions, by
keeping the old PC only for the BS_EXCP (exception condition) state.

Some MTC0 (and possibly other) instructions switch to the BS_STOP state
to terminate the current translation block, so that the state transition
of the simulated CPU resulting from the CP0 operation takes effect with
the following instruction.  This happens with `mtc0 <reg>,c0_config' for
example, typically used to set KSEG0 cacheability.

While single-stepping this has a side-effect of not advancing the PC
past the instruction just executed; subsequent single-step traps will
stop at the same instruction repeatedly.  Example:

(gdb) stepi
0x80004d24 in _start ()
5: x/i $pc
=> 0x80004d24 <_start+364>:     mfc0    t1,c0_config
(gdb)
0x80004d28 in _start ()
5: x/i $pc
=> 0x80004d28 <_start+368>:     li      at,-8
(gdb)
0x80004d2c in _start ()
5: x/i $pc
=> 0x80004d2c <_start+372>:     and     t1,t1,at
(gdb)
0x80004d30 in _start ()
5: x/i $pc
=> 0x80004d30 <_start+376>:     ori     t1,t1,0x3
(gdb)
0x80004d34 in _start ()
5: x/i $pc
=> 0x80004d34 <_start+380>:     mtc0    t1,c0_config
(gdb)
0x80004d34 in _start ()
5: x/i $pc
=> 0x80004d34 <_start+380>:     mtc0    t1,c0_config
(gdb)
0x80004d34 in _start ()
5: x/i $pc
=> 0x80004d34 <_start+380>:     mtc0    t1,c0_config
(gdb)
0x80004d34 in _start ()
5: x/i $pc
=> 0x80004d34 <_start+380>:     mtc0    t1,c0_config
(gdb)

-- oops!

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
5 years agotarget-mips: fix for missing delay slot in BC1EQZ and BC1NEZ
Leon Alrae [Thu, 6 Nov 2014 10:29:38 +0000 (10:29 +0000)] 
target-mips: fix for missing delay slot in BC1EQZ and BC1NEZ

New R6 COP1 conditional branches currently don't have delay slot. Fixing this
by setting MIPS_HFLAG_BDS32 flag which is required for branches having 4-byte
delay slot.

Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
Reviewed-by: Yongbok Kim <yongbok.kim@imgtec.com>
5 years agomips: Set the CP0.Config3.DSP and CP0.Config3.DSP2P bits
Maciej W. Rozycki [Tue, 4 Nov 2014 15:41:20 +0000 (15:41 +0000)] 
mips: Set the CP0.Config3.DSP and CP0.Config3.DSP2P bits

Set the CP0.Config3.DSP2P bit for the 74kf processor and both that bit
and the CP0.Config3.DSP bit for the artificial mips32r5-generic and
mips64dspr2 processors.  They have the DSPr2 ASE enabled in `insn_flags'
and CPUs that implement that ASE need to have both CP0.Config3.DSP and
CP0.Config3.DSP2P set or software won't detect its presence.

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
[leon.alrae@imgtec.com: remove DSP flags from mips32r5-generic]
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
5 years agomips: Add macros for CP0.Config3 and CP0.Config4 bits
Maciej W. Rozycki [Tue, 4 Nov 2014 15:38:05 +0000 (15:38 +0000)] 
mips: Add macros for CP0.Config3 and CP0.Config4 bits

Define macros for CP0.Config3 and CP0.Config4 bits.  These used to be
exhaustive as at MIPS32r3, but more bits may have been added since.

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
5 years agoesp-pci: fixup deadlock with linux
Hannes Reinecke [Fri, 7 Nov 2014 12:22:32 +0000 (13:22 +0100)] 
esp-pci: fixup deadlock with linux

A linux guest will be issuing messages:

[   32.124042] DC390: Deadlock in DataIn_0: DMA aborted unfinished: 000000 bytes remain!!
[   32.126348] DC390: DataIn_0: DMA State: 0

and the HBA will fail to work properly.
Reason is the emulation is not setting the 'DMA transfer done'
status correctly.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
5 years agomips: Respect CP0.Status.CU1 for microMIPS FP branches
Maciej W. Rozycki [Mon, 3 Nov 2014 19:08:51 +0000 (19:08 +0000)] 
mips: Respect CP0.Status.CU1 for microMIPS FP branches

Make microMIPS FP branches respect CP0.Status.CU1 and trap with a
Coprocessor Unusable exception if COP1 has been disabled; also trap if
no FPU is present at all.

Standard MIPS FP instruction encodings have a more regular structure and
branches are covered with a single umbrella along other instructions.
This is not the case with the microMIPS encoding, this case has to be
taken care of explicitly here.  Code to do so has been copied from the
standard MIPS code handler for OPC_CP1, in `decode_opc'.

Problems arising from this bug will generally only show up on user
context switches in operating systems making use of lazy FP context
switches, such as Linux.  It will also more readily trigger if software
FPU emulation is used, either implicitly on a non-float CPU, or forced
on a hard-float CPU such as with the "nofpu" Linux kernel command line
argument.

The problem may have been easily missed because we have no hard-float
microMIPS CPU configuration present; in fact we have no microMIPS CPU
configuration of any kind present.

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
5 years agomips: Remove CONFIG_VT82C686 from non-Fulong configs
Maciej W. Rozycki [Mon, 3 Nov 2014 18:36:17 +0000 (18:36 +0000)] 
mips: Remove CONFIG_VT82C686 from non-Fulong configs

Fix the regression introduced with commit
47934d0aadc075b05ce2d9e8a44fa6a46edd1afa [hw: move ISA bridges and
devices to hw/isa/, configure with default-configs/], by removing
CONFIG_VT82C686 from configurations that previously did not enable it.
That southbridge is only available on Fulong platforms (CONFIG_FULONG)
that are exclusively little-endian, 64-bit MIPS.  Previously vt82c686.o
was pulled explicitly with obj-$(CONFIG_FULONG).

Signed-off-by: Maciej W. Rozycki <macro@codesourcery.com>
Reviewed-by: Leon Alrae <leon.alrae@imgtec.com>
Signed-off-by: Leon Alrae <leon.alrae@imgtec.com>
5 years agovirtio-serial: avoid crash when port has no name
Marc-André Lureau [Wed, 5 Nov 2014 14:43:14 +0000 (15:43 +0100)] 
virtio-serial: avoid crash when port has no name

It seems "name" is not mandatory, and the following command line (based
on one generated by current libvirt) will crash qemu at start:

qemu-system-x86_64 \
    -device virtio-serial-pci \
    -device virtserialport,name=foo \
    -device virtconsole

Program received signal SIGSEGV, Segmentation fault.
__strcmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:210
210        movlpd    (%rsi), %xmm2
Missing separate debuginfos, use: debuginfo-install
python-libs-2.7.5-13.fc20.x86_64
(gdb) bt
 #0  __strcmp_ssse3 () at ../sysdeps/x86_64/strcmp.S:210
 #1  0x000055555566bdc6 in find_port_by_name (name=0x0) at /home/elmarco/src/qemu/hw/char/virtio-serial-bus.c:67

Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Reviewed-by: Amos Kong <akong@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
5 years agoiotests: Add test for non-existing backing file
Max Reitz [Mon, 27 Oct 2014 12:30:09 +0000 (13:30 +0100)] 
iotests: Add test for non-existing backing file

Test the error message when a COW file is about to be created which is
supposed to inherit the size of its backing file, while the backing file
given does not actually exist.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoblock: Propagate error in bdrv_img_create()
Max Reitz [Mon, 27 Oct 2014 12:30:08 +0000 (13:30 +0100)] 
block: Propagate error in bdrv_img_create()

If the specified backing file could not be opened, do not generate a new
error message which contains the message which has been generated by
bdrv_open(), but just propagate the latter.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agoqemu-img: Omit error_report() after img_open()
Max Reitz [Mon, 3 Nov 2014 12:40:47 +0000 (13:40 +0100)] 
qemu-img: Omit error_report() after img_open()

img_open() already prints an error if the operation failed, so there
should not be another error_report() afterwards.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
5 years agos390x/sclpconsole: Avoid hanging SCLP ASCII console
Heinz Graalfs [Fri, 24 Oct 2014 13:10:49 +0000 (13:10 +0000)] 
s390x/sclpconsole: Avoid hanging SCLP ASCII console

Force recalculation of file descriptor sets for main loop's poll(),
in order to be able to readd a possibly removed input file descriptor
after can_read() returned 0 (zero).

Signed-off-by: Heinz Graalfs <graalfs@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years agos390x/sclpconsole-lm: Fix hanging SCLP line mode console
Heinz Graalfs [Wed, 29 Oct 2014 12:52:02 +0000 (12:52 +0000)] 
s390x/sclpconsole-lm: Fix hanging SCLP line mode console

Trigger recalculating sets of file descriptors for the main loop's poll()
in order to make sure a possibly removed FD 0 from the poll() file
descriptor array is re-added. FD 0 is removed from the decriptor array
when the console's can_read() callback returns 0.

Signed-off-by: Heinz Graalfs <graalfs@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
5 years agos390x/sclpconsole-lm: truncate input if line is too long
Heinz Graalfs [Wed, 29 Oct 2014 08:58:05 +0000 (08:58 +0000)] 
s390x/sclpconsole-lm: truncate input if line is too long

As the SCLP line mode console input length is limited by the available
SCCB buffer space, it might lock up if the input does not fit into the
buffer.

With this patch, characters that don't fit are 'eaten' up to the next
CR/LF and the input line is sent truncated to the guest.

Signed-off-by: Heinz Graalfs <graalfs@linux.vnet.ibm.com>
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>