- Jan 28, 2013
-
-
Michael Roth authored
Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
- Jan 21, 2013
-
-
Markus Armbruster authored
The pointer arithmetic there is safe, but ugly. Coverity grouses about it. However, the actual comparison is off by one: <= end instead of < end. Fix by rewriting the check in a cleaner way. Signed-off-by:
Markus Armbruster <armbru@redhat.com> Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit bc5f92e5) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Sander Eikelenboom authored
Signed-off-by:
Sander Eikelenboom <linux@eikelenboom.it> Acked-by:
Stefano Stabellini <stefano.stabellini@eu.citrix.com> (cherry picked from commit f1b8caf1) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Stefano Stabellini authored
We are currently passing entry->data as address parameter. Pass entry->addr instead. Signed-off-by:
Stefano Stabellini <stefano.stabellini@eu.citrix.com> Tested-by:
Sander Eikelenboom <linux@eikelenboom.it> Xen-devel: http://marc.info/?l=xen-devel&m=135515462613715 (cherry picked from commit 044b99c6) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Roger Pau Monné authored
On ioreq_release the full ioreq was memset to 0, losing all the data and memory allocations inside the QEMUIOVector, which leads to a memory leak. Create a new function to specifically reset ioreq. Reported-by:
Maik Wessler <maik.wessler@yahoo.com> Signed-off-by:
Roger Pau Monné <roger.pau@citrix.com> Signed-off-by:
Stefano Stabellini <stefano.stabellini@eu.citrix.com> (cherry picked from commit 282c6a2f) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Peter Maydell authored
Silence a (legitimate) complaint about missing parentheses:
tcg/arm/tcg-target.c: In function ‘tcg_out_qemu_ld’:
tcg/arm/tcg-target.c:1148:5: error: suggest parentheses around comparison in operand of ‘&’ [-Werror=parentheses]
tcg/arm/tcg-target.c: In function ‘tcg_out_qemu_st’:
tcg/arm/tcg-target.c:1357:5: error: suggest parentheses around comparison in operand of ‘&’ [-Werror=parentheses]
which meant that we would mistakenly always assert if running a QEMU built with debug enabled on ARM. Signed-off-by:
Peter Maydell <peter.maydelL@linaro.org> Signed-off-by:
Blue Swirl <blauwirbel@gmail.com> (cherry picked from commit 5256a720) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Kevin Wolf authored
The buffer is allocated for both reads and writes, and obviously it should be freed even if an error occurs. Cc: qemu-stable@nongnu.org Signed-off-by:
Kevin Wolf <kwolf@redhat.com> Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit e8bccad5) Conflicts: block/win32-aio.c *addressed conflict due to buggy g_free() still in use instead of qemu_vfree() as it is upstream (via commit 7479acdb) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Kevin Wolf authored
Copying data in the right direction really helps a lot! Cc: qemu-stable@nongnu.org Signed-off-by:
Kevin Wolf <kwolf@redhat.com> Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit bcbbd234) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Kevin Wolf authored
aio_poll() must return true if any work is still pending, even if it didn't make progress, so that bdrv_drain_all() doesn't stop waiting too early. The possibility of stopping early occasionally led to a failed assertion in bdrv_drain_all(), when some in-flight request was missed and the function didn't really drain all requests. In order to make that change, the return value as specified in the function comment must change for blocking = false; fortunately, the return value of blocking = false callers is only used in test cases, so this change shouldn't cause any trouble. Cc: qemu-stable@nongnu.org Signed-off-by:
Kevin Wolf <kwolf@redhat.com> Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 2ea9b58f) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
- Jan 16, 2013
-
-
Paolo Bonzini authored
When the raw-posix aio=thread code was moved from posix-aio-compat.c to block/raw-posix.c, there was an unintended change to the ioctl code. The code used to return the ioctl command, which posix_aio_read() would later morph into a zero. This hack is not necessary anymore, and in fact breaks scsi-generic (which expects a zero return code). Remove it. Cc: qemu-stable@nongnu.org Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
Kevin Wolf <kwolf@redhat.com> (cherry picked from commit b608c8dc) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Alex Williamson authored
VFIO_PCI_NUM_REGIONS and VFIO_PCI_NUM_IRQS should never have been used in this manner as it locks a specific kernel implementation. Future features may introduce new regions or interrupt entries (VGA may add legacy ranges, AER might add an IRQ for error signalling). Fix this before it gets us into trouble. Signed-off-by:
Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org (cherry picked from commit 8fc94e5a) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Alex Williamson authored
When a guest enables MSIX on a device we evaluate the MSIX vector table, typically find no unmasked vectors and don't switch the device to MSIX mode. This generally works fine and the device will be switched once the guest enables and therefore unmasks a vector. Unfortunately some drivers enable MSIX, then use interfaces to send commands between VF & PF or PF & firmware that act based on the host state of the device. These therefore may break when MSIX is managed lazily. This change re-enables the previous test used to enable MSIX (see qemu-kvm a6b402c9), which basically guesses whether a vector will be used based on the data field of the vector table. Cc: qemu-stable@nongnu.org Signed-off-by:
Alex Williamson <alex.williamson@redhat.com> Acked-by:
Michael S. Tsirkin <mst@redhat.com> Signed-off-by:
Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit feb9a2ab) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Alex Williamson authored
Guests typically enable MSI-X with all of the vectors in the MSI-X vector table masked. Only when the vector is enabled does the vector get unmasked, resulting in a vector_use callback. These two points, enable and unmask, correspond to pci_enable_msix() and request_irq() for Linux guests. Some drivers rely on VF/PF or PF/fw communication channels that expect the physical state of the device to match the guest visible state of the device. They don't appreciate lazily enabling MSI-X on the physical device. To solve this, enable MSI-X with a single vector when the MSI-X capability is enabled and immediately disable the vector. This leaves the physical device in exactly the same state between host and guest. Furthermore, the brief gap where we enable vector 0, it fires into userspace, not KVM, so the guest doesn't get spurious interrupts. Ideally we could call VFIO_DEVICE_SET_IRQS with the right parameters to enable MSI-X with zero vectors, but this will currently return an error as the Linux MSI-X interfaces do not allow it. Signed-off-by:
Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org (cherry picked from commit b0223e29) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Max Filippov authored
Zero out tcg_ctx.gen_opc_instr_start for instructions representing the last guest opcode in the TB. Cc: qemu-stable@nongnu.org Signed-off-by:
Max Filippov <jcmvbkbc@gmail.com> Signed-off-by:
Blue Swirl <blauwirbel@gmail.com> (cherry picked from commit 36f25d25) *modified to use older global version of gen_opc_instr_start Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Paolo Bonzini authored
Sending more was possible if the buffer was large. Cc: qemu-stable@nongnu.org Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
Juan Quintela <quintela@redhat.com> (cherry picked from commit bde54c08) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Paolo Bonzini authored
Cc: qemu-stable@nongnu.org Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
Juan Quintela <quintela@redhat.com> (cherry picked from commit 244eaa75) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Michael Contreras authored
Discard packets longer than 16384 when !SBP to match the hardware behavior. Signed-off-by:
Michael Contreras <michael@inetric.com> Signed-off-by:
Stefan Hajnoczi <stefanha@redhat.com> (cherry picked from commit 2c0331f4) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Uri Lublin authored
When qxl + vnc are used, a dummy spice_server is initialized. The spice_server has to be told when the VM runstate changes, which is what this patch does. Without it, from qxl_send_events(), the following error message is shown: qxl_send_events: spice-server bug: guest stopped, ignoring Cc: qemu-stable@nongnu.org Signed-off-by:
Uri Lublin <uril@redhat.com> Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 938b8a36) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Gerd Hoffmann authored
Spotted by Coverity. https://bugzilla.redhat.com/show_bug.cgi?id=885644 Cc: qemu-stable@nongnu.org Reported-by:
Markus Armbruster <armbru@redhat.com> Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 2f464b5a) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Max Filippov authored
With MMU option xtensa architecture has two TLBs: ITLB and DTLB. ITLB is only used for code access, DTLB is only for data. However TLB entries in both TLBs have attribute field controlling write and exec access. These bits need to be properly masked off depending on TLB type before being used as tlb_set_page prot argument. Otherwise the following happens:
(1) ITLB entry for some PFN gets invalidated
(2) DTLB entry for the same PFN gets updated, attributes allow code execution
(3) code at the page with that PFN is executed (possible due to step 2), entry for the TB is written into the jump cache
(4) QEMU TLB entry for the PFN gets replaced with an entry for some other PFN
(5) code in the TB from step 3 is executed (possible due to jump cache) and it accesses data, for which there's no DTLB entry, causing DTLB miss exception
(6) re-translation of the TB from step 5 is attempted, but there's no QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB miss exception at the TB start address
(7) ITLB miss exception is handled by the guest, but execution is resumed from the beginning of the faulting TB (the point where ITLB miss occurred), not from the point where DTLB miss occurred, which is wrong.
With that fix the above scenario causes ITLB miss exception (that used to be step 7) at step 3, right at the beginning of the TB. Signed-off-by:
Max Filippov <jcmvbkbc@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by:
Blue Swirl <blauwirbel@gmail.com> (cherry picked from commit 659f807c) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Gerd Hoffmann authored
This patch adds an x argument to qemu_pixman_linebuf_fill so it can also be used to convert a partial scanline. Then fix tight + png/jpeg encoding by passing in the x+y offset, so the data is read from the correct screen location instead of the upper left corner. Cc: 1087974@bugs.launchpad.net Cc: qemu-stable@nongnu.org Reported-by:
Tim Hardeneck <thardeck@suse.de> Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> Signed-off-by:
Blue Swirl <blauwirbel@gmail.com> (cherry picked from commit bc210eb1) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
- Jan 15, 2013
-
-
Gerd Hoffmann authored
git shortlog:
Kevin O'Connor (6):
floppy: Minor - reduce handle_0e code size when CONFIG_FLOPPY is disabled.
vga: Minor comment spelling fix.
Don't recursively evaluate CFLAGS variables.
Don't use gcc's -combine option.
Add compile checking phase to build.
acpi: Use prt_slot() macro to describe irq pins of first PCI device.
Laszlo Ersek (1):
maininit(): print machine UUID under seabios version message
Paolo Bonzini (1):
acpi: reintroduce LNKS
Paolo's patch fixes the FreeBSD boot failure. Cc: qemu-stable@nongnu.org Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 15faf946) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Gerd Hoffmann authored
This patch updates seabios to latest git master. Changes: (1) q35 patches merged. (2) some acpi cleanups. (3) fixes irq 8 conflict. (3) makes this a candidate for the stable branch Cc: qemu-stable@nongnu.org Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit ff156290) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
- Jan 14, 2013
-
-
Alex Williamson authored
kvm_irqchip_in_kernel() has an architecture specific meaning, so we shouldn't be using it to determine whether to enable KVM INTx bypass. kvm_irqfds_enabled() seems most appropriate. Also use this to protect our other call to kvm_check_extension() as that explodes when KVM isn't enabled. Signed-off-by:
Alex Williamson <alex.williamson@redhat.com> Cc: qemu-stable@nongnu.org (cherry picked from commit d281084d) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Petar Jovanovic authored
helper_shilo has not been shifting an accumulator value correctly for negative values in 'shift' field. Minor optimization for shift=0 case. This change also adds tests that will trigger issue and check for regressions. Signed-off-by:
Petar Jovanovic <petarj@mips.com> Reviewed-by:
Richard Henderson <rth@twiddle.net> Reviewed-by:
Eric Johnson <ericj@mips.com> Signed-off-by:
Aurelien Jarno <aurelien@aurel32.net> (cherry picked from commit 19e6c50d) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Petar Jovanovic authored
Content of register rs should be shifted for pos before applying a mask. This change contains both fix for the instruction and to the existing test. Signed-off-by:
Petar Jovanovic <petarj@mips.com> Reviewed-by:
Eric Johnson <ericj@mips.com> Signed-off-by:
Aurelien Jarno <aurelien@aurel32.net> (cherry picked from commit 34f5606e) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
David Gibson authored
madvise(DONTNEED) will throw away the contents of the whole page at the given address, even if the given length is less than the page size. One can argue about whether that's the correct behaviour, but that's what it's done for a long time in Linux at least. That means that the madvise() in ram_load(), on a setup where TARGET_PAGE_SIZE is smaller than the host page size, can throw away data in guest pages adjacent to the one it's actually processing right now, leading to guest memory corruption on an incoming migration. This patch therefore disables the madvise() if the host page size is larger than TARGET_PAGE_SIZE. This means we don't get the benefits of that madvise() in this case, but a more complete fix is more difficult to accomplish. This at least fixes the guest memory corruption. Signed-off-by:
David Gibson <david@gibson.dropbear.id.au> Reported-by:
Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com> (cherry picked from commit 45e6cee4) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
David Gibson authored
The code for migrating (or savevm-ing) memory pages starts off by creating a dirty bitmap and filling it with 1s. Except, actually, because bit addresses are 0-based it fills every bit except bit 0 with 1s and puts an extra 1 beyond the end of the bitmap, potentially corrupting unrelated memory. Oops. This patch fixes it. Signed-off-by:
David Gibson <david@gibson.dropbear.id.au> Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com> (cherry picked from commit 7ec81e56) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Brad Smith authored
Disable the semaphores fallback code for OpenBSD as modern OpenBSD releases now have sem_timedwait(). Signed-off-by:
Brad Smith <brad@comstyle.com> Signed-off-by:
Blue Swirl <blauwirbel@gmail.com> (cherry picked from commit 927fa909) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
Brad Smith authored
As reported in bug 1087114 the semaphores fallback code is broken which results in QEMU crashing and making QEMU unusable. This patch is from Paolo. This needs to be back ported to the 1.3 stable tree as well. Signed-off-by:
Paolo Bonzini <pbonzini@redhat.com> Signed-off-by:
Brad Smith <brad@comstyle.com> Signed-off-by:
Blue Swirl <blauwirbel@gmail.com> (cherry picked from commit a795ef8d) Signed-off-by:
Michael Roth <mdroth@linux.vnet.ibm.com>
-
- Dec 03, 2012
-
-
Anthony Liguori authored
Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Michael Contreras authored
The e1000_receive function for the e1000 needs to discard packets longer than 1522 bytes if the SBP and LPE flags are disabled. The linux driver assumes this behavior and allocates memory based on this assumption. Signed-off-by:
Michael Contreras <michael@inetric.com> Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
- Nov 30, 2012
-
-
Anthony Liguori authored
Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Anthony Liguori authored
* kraxel/seabios-b1c35f2:
seabios: update binaries in pc-bios/
roms: also copy the dsdt when updating seabios.
seabios: update to b1c35f2b28cc0c94ebed8176ff61ac0e0b377798
Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Anthony Liguori authored
* kwolf/for-anthony:
coroutine-sigaltstack.c: Use stack_t, not struct sigaltstack
stream: fix ratelimit_set_speed
atapi: make change media detection for guests easier
Documentation: Update image format information
Documentation: Update block cache mode information
Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Anthony Liguori authored
* spice/spice.v65: qxl: reload memslots after migration, when qxl is in UNDEFINED mode Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Anthony Liguori authored
* kraxel/usb.73:
ehci-sysbus: Attach DMA context.
usb: fail usbdevice_create() when there is no USB bus
usb: tag usb host adapters as not hotpluggable.
Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Anthony Liguori authored
* qmp/queue/qmp: qapi: fix qapi_dealloc_type_size parameter type Signed-off-by:
Anthony Liguori <aliguori@us.ibm.com>
-
Gerd Hoffmann authored
Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com>
-
Gerd Hoffmann authored
Signed-off-by:
Gerd Hoffmann <kraxel@redhat.com>
-