Commit message | Author | Age | Files | Lines
* migrate: error message for ram_load size [tags: qemu-kvm-1.2.2-gentoo-r1, qemu-kvm-1.2.0-gentoo] | Doug Goldstein | 2013-01-18 | 1 | -0/+5

  Report an error when ramblock's sizes mismatch with a suggestion to the user as to what went wrong.

  If a user has a managedsave state by libvirt, which is the default now, and upgrades their distro, which in turn upgrades QEMU, they will be surprised by the fact that their VMs fail to start. The reason for this is that the default ROM sizes changed recently which makes it not possible to migrate from that saved state. However the error message really does not provide details as to what went wrong. This patch attempts to provide more details.

  See:
  http://lists.nongnu.org/archive/html/qemu-devel/2012-10/msg03746.html
  http://lists.nongnu.org/archive/html/qemu-devel/2012-10/msg04108.html

  Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
  (cherry picked from commit 4a9f00c12caa9e28992d76c18aeec468295bb157)
* Call MADV_HUGEPAGE for guest RAM allocations | Luiz Capitulino | 2013-01-18 | 2 | -0/+6

  This makes it possible for QEMU to use transparent huge pages (THP) when transparent_hugepage/enabled=madvise. Otherwise THP is only used when it's enabled system wide.

  Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit ad0b5321f1f797274603ebbe20108b0750baee94)
* migration: Fix madvise breakage if host and guest have different page sizes | David Gibson | 2013-01-18 | 1 | -1/+2

  madvise(DONTNEED) will throw away the contents of the whole page at the given address, even if the given length is less than the page size. One can argue about whether that's the correct behaviour, but that's what it has done for a long time in Linux at least.

  That means that the madvise() in ram_load(), on a setup where TARGET_PAGE_SIZE is smaller than the host page size, can throw away data in guest pages adjacent to the one it's actually processing right now, leading to guest memory corruption on an incoming migration.

  This patch therefore disables the madvise() if the host page size is larger than TARGET_PAGE_SIZE. This means we don't get the benefits of that madvise() in this case, but a more complete fix is more difficult to accomplish. This at least fixes the guest memory corruption.

  Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
  Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit 45e6cee42b98d10e2e14885ab656541a9ffd5187)
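The whole-page discard described in this commit is easy to reproduce on a host, and the guard the fix adds is a one-line comparison of the two page sizes. The following is an added example written for this page, not QEMU code: it maps one host page, fills it, advises MADV_DONTNEED on only part of it and reports whether bytes outside the advised range survived, and it carries the page-size guard as a separate function. The function names are invented for the demo; the 4096/65536 sizes used in the usage are assumptions standing in for a 4 KiB target page on a 64 KiB host page.

```c
/* Added example (not QEMU code): sub-page madvise(MADV_DONTNEED) discards
 * the whole host page, and the guard ram_load() applies to avoid that when
 * target pages are smaller than host pages. Function names are invented. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The fix in words: only hand the range to madvise() when a target page is
 * at least a host page, so one MADV_DONTNEED cannot reach a neighbour. */
static int ram_load_may_madvise(size_t host_page_size, size_t target_page_size)
{
    return host_page_size <= target_page_size;
}

/* Fill one host page, advise DONTNEED on only the first advise_len bytes and
 * inspect the last byte of the page, which lies outside the advised range.
 * Returns 1 if that byte was thrown away (whole-page discard, the Linux
 * behaviour the commit describes), 0 if it survived, -1 if the experiment
 * could not be run. */
static int dontneed_discards_whole_page(size_t advise_len)
{
#ifndef __linux__
    (void)advise_len;
    return -1;                              /* behaviour described is Linux's */
#else
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || advise_len == 0 || advise_len > (size_t)page) {
        return -1;
    }
    uint8_t *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        return -1;
    }
    memset(p, 0xAB, (size_t)page);          /* stand-in for neighbouring guest data */
    int result;
    if (madvise(p, advise_len, MADV_DONTNEED) != 0) {
        result = -1;
    } else {
        /* Private anonymous memory reads back as zero after DONTNEED. */
        result = (p[page - 1] == 0xAB) ? 0 : 1;
    }
    munmap(p, (size_t)page);
    return result;
#endif
}

int main(void)
{
    printf("4K target on 4K host, madvise allowed: %d\n",
           ram_load_may_madvise(4096, 4096));
    printf("4K target on 64K host, madvise allowed: %d\n",
           ram_load_may_madvise(65536, 4096));
    printf("DONTNEED on 1024 bytes discarded the whole page: %d\n",
           dontneed_discards_whole_page(1024));
    return 0;
}
```

On a Linux host the third line prints 1: advising 1024 bytes zeroed the byte at the far end of the page, which is exactly what happens to the neighbouring guest page in ram_load() when the target page is smaller than the host page. The guard sidesteps the problem by not advising at all in that configuration.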
* target-xtensa: fix ITLB/DTLB page protection flags | Max Filippov | 2013-01-18 | 1 | -1/+2

  With MMU option xtensa architecture has two TLBs: ITLB and DTLB. ITLB is only used for code access, DTLB is only for data. However TLB entries in both TLBs have attribute field controlling write and exec access. These bits need to be properly masked off depending on TLB type before being used as tlb_set_page prot argument. Otherwise the following happens:

  (1) ITLB entry for some PFN gets invalidated
  (2) DTLB entry for the same PFN gets updated, attributes allow code execution
  (3) code at the page with that PFN is executed (possible due to step 2), entry for the TB is written into the jump cache
  (4) QEMU TLB entry for the PFN gets replaced with an entry for some other PFN
  (5) code in the TB from step 3 is executed (possible due to jump cache) and it accesses data, for which there's no DTLB entry, causing DTLB miss exception
  (6) re-translation of the TB from step 5 is attempted, but there's no QEMU TLB entry nor xtensa ITLB entry for that PFN, which causes ITLB miss exception at the TB start address
  (7) ITLB miss exception is handled by the guest, but execution is resumed from the beginning of the faulting TB (the point where ITLB miss occurred), not from the point where DTLB miss occurred, which is wrong.

  With that fix the above scenario causes ITLB miss exception (that used to be step 7) at step 3, right at the beginning of the TB.

  Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
  Cc: qemu-stable@nongnu.org
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit 659f807c0a700317a7a0fae7a6e6ebfe68bfbbc4)
* qxl: save qemu_create_displaysurface_from result | Gerd Hoffmann | 2013-01-18 | 1 | -5/+6

  Spotted by Coverity.

  https://bugzilla.redhat.com/show_bug.cgi?id=885644

  Cc: qemu-stable@nongnu.org
  Reported-by: Markus Armbruster <armbru@redhat.com>
  Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  (cherry picked from commit 2f464b5a32b414adb545acc6d94b5c35c7d258ba)
* e1000: Discard oversized packets based on SBP|LPE | Michael Contreras | 2013-01-18 | 1 | -2/+5

  Discard packets longer than 16384 when !SBP to match the hardware behavior.

  Signed-off-by: Michael Contreras <michael@inetric.com>
  Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  (cherry picked from commit 2c0331f4f7d241995452b99afaf0aab00493334a)
* buffered_file: do not send more than s->bytes_xfer bytes per tick | Paolo Bonzini | 2013-01-18 | 1 | -0/+1

  Sending more was possible if the buffer was large.

  Cc: qemu-stable@nongnu.org
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  Signed-off-by: Juan Quintela <quintela@redhat.com>
  (cherry picked from commit bde54c08b4854aceee3dee25121a2b835cb81166)

  Conflicts:
  	buffered_file.c
* target-xtensa: fix search_pc for the last TB opcode | Max Filippov | 2013-01-18 | 1 | -1/+5

  Zero out tcg_ctx.gen_opc_instr_start for instructions representing the last guest opcode in the TB.

  Cc: qemu-stable@nongnu.org
  Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit 36f25d2537c40c6c47f4abee5d31a24863d1adf7)
* pci-assign: Enable MSIX on device to match guest | Alex Williamson | 2013-01-18 | 1 | -2/+15

  When a guest enables MSIX on a device we evaluate the MSIX vector table, typically find no unmasked vectors and don't switch the device to MSIX mode. This generally works fine and the device will be switched once the guest enables and therefore unmasks a vector. Unfortunately some drivers enable MSIX, then use interfaces to send commands between VF & PF or PF & firmware that act based on the host state of the device. These therefore may break when MSIX is managed lazily.

  This change re-enables the previous test used to enable MSIX (see qemu-kvm a6b402c9), which basically guesses whether a vector will be used based on the data field of the vector table.

  Cc: qemu-stable@nongnu.org
  Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
  Acked-by: Michael S. Tsirkin <mst@redhat.com>
  Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
  (cherry picked from commit feb9a2ab4b0260d8d680a7ffd25063dafc7ec628)

  Conflicts:
  	hw/kvm/pci-assign.c
* seccomp: adding new syscalls (bugzilla 855162) | Eduardo Otubo | 2013-01-12 | 1 | -17/+139

  According to the bug 855162[0] - there's the need of adding new syscalls to the whitelist when using Qemu with Libvirt.

  [0] - https://bugzilla.redhat.com/show_bug.cgi?id=855162

  Reported-by: Paul Moore <pmoore@redhat.com>
  Tested-by: Paul Moore <pmoore@redhat.com>
  Signed-off-by: Eduardo Otubo <otubo@linux.vnet.ibm.com>
  Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit fe512d65e0b752dfa7af6cfb374a0820d35040d0)
* hw/qxl: qxl_send_events: nop if stopped | Alon Levy | 2013-01-12 | 2 | -1/+8

  Added a trace point for easy logging.

  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=870972

  Signed-off-by: Alon Levy <alevy@redhat.com>
  Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  (cherry picked from commit 511aefb0c60e3063ead76d4ba6aabf619eed18ef)
* dtrace backend: add function to reserved words | Alon Levy | 2013-01-12 | 1 | -1/+1

  Signed-off-by: Alon Levy <alevy@redhat.com>
  Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
  (cherry picked from commit d8f8a860f2403533fc73f541122c65a34b21e42f)
* arm_boot: Change initrd load address to "halfway through RAM" | Peter Maydell | 2013-01-12 | 2 | -14/+25

  To avoid continually having to bump the initrd load address to account for larger kernel images, put the initrd halfway through RAM. This allows large kernels on new boards with lots of RAM to work OK, without breaking existing usecases for boards with only 32MB of RAM.

  Note that this change fixes in passing a bug where we were passing an overly large max_size to load_image_targphys() for the initrd, which meant that we wouldn't correctly refuse to load an enormous initrd that didn't actually fit into RAM.

  Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
  Reviewed-by: Igor Mitsyanko <i.mitsyanko@samsung.com>
  Tested-by: Cole Robinson <crobinso@redhat.com>
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  (cherry picked from commit fc53b7d4b7fe409acae7d8d55a868eb5c696d71c)

  Conflicts:
  	hw/arm-misc.h
  	hw/arm_boot.c
* mips: Fix link error with 'piix4_pm_init' | Cole Robinson | 2013-01-11 | 1 | -0/+1

    LINK  mipsel-softmmu/qemu-system-mipsel
  hw/mips/../mips_malta.o: In function `mips_malta_init':
  mips_malta.c:962: undefined reference to `piix4_pm_init'

  Can reproduce with:

  ./configure --target-list=mipsel-softmmu --disable-werror
  make

  However only on qemu-kvm, not qemu.git or qemu 1.2.0. We are carrying this in Fedora since we build everything from qemu-kvm.git

  Signed-off-by: Cole Robinson <crobinso@redhat.com>
* update VERSION for v1.2.2 | Michael Roth | 2012-12-13 | 1 | -1/+1

  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit ff0245dea25937a93878069b15eee245344eb6b9)
* e1000: Discard packets that are too long if !SBP and !LPE | Michael Contreras | 2012-12-13 | 1 | -0/+10

  The e1000_receive function for the e1000 needs to discard packets longer than 1522 bytes if the SBP and LPE flags are disabled. The Linux driver assumes this behavior and allocates memory based on this assumption.

  Signed-off-by: Michael Contreras <michael@inetric.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit b0d9ffcd0251161c7c92f94804dcf599dfa3edeb)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit e1a0ffb95728304f962ce36b27dcd3a16f04a05d)
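Taken together, this commit and the later "Discard oversized packets based on SBP|LPE" one above define a receive-length filter with two thresholds and two register bits: frames over 1522 bytes are dropped unless LPE is set, frames over 16384 bytes are dropped even with LPE, and SBP disables the filtering entirely. The guest driver sizes its receive buffers on the assumption that the device enforces this, so a device model that delivers longer frames hands the guest more bytes than it allocated for. The block below is an added example for this page, not QEMU's e1000 code: it implements that filter as a stand-alone function and runs it over a constructed list of frame lengths. The RCTL bit values are assumptions chosen for the demo.

```c
/* Added example (not QEMU code): the e1000 receive-length filter described
 * by the two oversized-packet commits. RCTL bit values are assumptions for
 * this demo; the thresholds 1522 and 16384 are the ones the commits name. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RCTL_SBP 0x00000004u    /* store bad packets: accept everything */
#define RCTL_LPE 0x00000020u    /* long packet enable: allow up to 16384 */

#define MAX_ETH_VLAN_SIZE 1522  /* largest frame a driver expects when !LPE */
#define MAX_ETH_LPE_SIZE  16384 /* ceiling even when LPE is set */

/* Returns 1 if a received frame of `size` bytes must be dropped before it
 * is copied into guest receive buffers, 0 if it may be delivered. */
static int e1000_rx_should_discard(size_t size, uint32_t rctl)
{
    if (rctl & RCTL_SBP) {
        return 0;                        /* SBP: hardware stores everything */
    }
    if (size > MAX_ETH_LPE_SIZE) {
        return 1;                        /* too long even for LPE */
    }
    if (size > MAX_ETH_VLAN_SIZE && !(rctl & RCTL_LPE)) {
        return 1;                        /* driver buffers assume 1522 */
    }
    return 0;
}

/* Constructed sample of frame lengths, including both boundaries; returns
 * how many of them the filter lets through for the given RCTL value. */
static int sample_delivered(uint32_t rctl)
{
    static const size_t sizes[] = { 64, 1522, 1523, 9000, 16384, 16385 };
    int delivered = 0;
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        if (!e1000_rx_should_discard(sizes[i], rctl)) {
            delivered++;
        }
    }
    return delivered;
}

int main(void)
{
    printf("delivered with RCTL=0:       %d of 6\n", sample_delivered(0));
    printf("delivered with LPE:          %d of 6\n", sample_delivered(RCTL_LPE));
    printf("delivered with SBP:          %d of 6\n", sample_delivered(RCTL_SBP));
    return 0;
}
```

The order of the checks matters: SBP is tested first because it overrides both length limits, and the 16384 ceiling is tested before the LPE-dependent 1522 limit so that LPE cannot lift it.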
* stream: fix ratelimit_set_speed | Dietmar Maurer | 2012-12-13 | 1 | -1/+1

  The formula to compute slice_quota was wrong since commit 6ef228fc.

  Signed-off-by: Dietmar Maurer <dietmar@proxmox.com>
  Reviewed-by: Eric Blake <eblake@redhat.com>
  Signed-off-by: Kevin Wolf <kwolf@redhat.com>
  (cherry picked from commit e3980e28bb888bf643054770452998d1b4319609)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 178ef3a43ad24d074c683e2fe0658e589747c823)
* usb: fail usbdevice_create() when there is no USB bus | Stefan Hajnoczi | 2012-12-13 | 1 | -0/+7

  Report an error instead of segfaulting when attaching a USB device to a machine with no USB busses:

  $ qemu-system-arm -machine vexpress-a9 \
      -sd Fedora-17-armhfp-vexpress-mmcblk0.img \
      -kernel vmlinuz-3.4.2-3.fc17.armv7hl \
      -initrd initramfs-3.4.2-3.fc17.armv7hl.img \
      -usbdevice disk:format=raw:test.img

  Note that the vexpress-a9 machine does not have a USB host controller.

  Reported-by: David Abdurachmanov <David.Abdurachmanov@cern.ch>
  Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  (cherry picked from commit c128d6a6d785eb9235a4f6dbd52f405ab8c60bee)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit cd00334f1ae587aee146517af295adbfd7ab702a)
* qxl: reload memslots after migration, when qxl is in UNDEFINED mode | Yonit Halperin | 2012-12-13 | 1 | -0/+1

  The devram memslot stays active when qxl enters UNDEFINED mode (i.e., no primary surface). If migration has occurred while the device is in UNDEFINED state, the memslots have to be reloaded at the destination.

  Fixes rhbz#874574

  Signed-off-by: Yonit Halperin <yhalperi@redhat.com>
  Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  (cherry picked from commit fa98efe932d93a15ffa867f3b05149c8d1fc7c28)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 8c9283c82a8428018b2e43c5f5381a99d1648d4b)
* virtio-scsi: Fix subtle (guest) endian bug | David Gibson | 2012-12-13 | 1 | -2/+2

  The virtio-scsi config space is, by specification, in guest endian (which is ill-defined, but there you go). In virtio_scsi_get_config() we set up all the fields in there, using stl_raw(). Which is a problem for the max_channel and max_target fields, which are 16-bit, not 32-bit.

  For little-endian targets we get away with it by accident, since the first two bytes will still be correct, and the extra two bytes written (with zeroes) will be overwritten correctly by the next store. But for big-endian guests, this means the max_target field ends up as zero, which means the guest will only recognize a single disk on the virtio-scsi bus.

  This patch fixes the problem.

  Cc: Paolo Bonzini <pbonzini@redhat.com>
  Cc: Paul 'Rusty' Russell <rusty@rustcorp.com.au>
  Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  (cherry picked from commit 863d1050c96cff91dd478767c0da9cc288575919)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit bf47da47dbcbf2c90119ba0bd45560d5b2f1dd13)
* virtio-scsi: Fix some endian bugs with virtio-scsi | David Gibson | 2012-12-13 | 1 | -3/+5

  The virtio-scsi specification does not specify the correct endianness for fields in the request structure. It's therefore best to assume that it is "guest native" endian since that's the (stupid and poorly defined) norm in virtio. However, the qemu device for virtio-scsi has no byteswaps at all, and so will break if the guest has different endianness from the host.

  This patch fixes it by adding tswap() calls for the sense_len and resid fields in the request structure. In theory status_qualifier needs swaps as well, but that field is never actually touched. The tag field is a uint64_t, but since its value is completely arbitrary, it might as well be uint8_t[8] and so it does not need swapping.

  Cc: Paolo Bonzini <pbonzini@redhat.com>
  Cc: Paul 'Rusty' Russell <rusty@rustcorp.com.au>
  Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  (cherry picked from commit 474ee55a18765e7de8f0b2cc00db5d26286bb24d)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit ea08f3a4e25fe76d42a186152949516c2a63a46b)
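The two virtio-scsi commits above are the same class of bug seen from two sides: a device model writing a guest-endian field with the wrong width, and a device model reading a guest-endian field without converting it. The following added example, written for this page and not taken from QEMU, models both with explicit byte-level stores and loads so the effect is visible regardless of the machine it runs on. The config layout is a cut-down, constructed one (two adjacent 16-bit fields followed by a 32-bit field at assumed offsets), the field values are arbitrary, and the function names are invented.

```c
/* Added example (not QEMU code): why a 32-bit store into a 16-bit
 * guest-endian field zeroes the neighbour on big-endian guests, and why a
 * cross-endian host must swap request fields before using them. Layout,
 * offsets and values are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { LE = 0, BE = 1 };

#define OFF_MAX_CHANNEL 0   /* uint16_t */
#define OFF_MAX_TARGET  2   /* uint16_t */
#define OFF_MAX_LUN     4   /* uint32_t */
#define CONFIG_LEN      8

/* Byte-order-explicit accessors; `endian` says whose order the bytes use. */
static void st16(uint8_t *p, uint16_t v, int endian)
{
    if (endian == BE) { p[0] = v >> 8; p[1] = v & 0xff; }
    else              { p[0] = v & 0xff; p[1] = v >> 8; }
}
static void st32(uint8_t *p, uint32_t v, int endian)
{
    for (int i = 0; i < 4; i++) {
        int shift = (endian == BE) ? 8 * (3 - i) : 8 * i;
        p[i] = (v >> shift) & 0xff;
    }
}
static uint16_t ld16(const uint8_t *p, int endian)
{
    return (endian == BE) ? (uint16_t)((p[0] << 8) | p[1])
                          : (uint16_t)((p[1] << 8) | p[0]);
}
static uint32_t ld32(const uint8_t *p, int endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int shift = (endian == BE) ? 8 * (3 - i) : 8 * i;
        v |= (uint32_t)p[i] << shift;
    }
    return v;
}

/* Config-space side: fields written in layout order, either all with a
 * 32-bit store (the bug) or each with its own width (the fix). A too-wide
 * store spills into the next field; the next store then covers the spill
 * only on the side the guest does not read for a big-endian layout. */
static void fill_config(uint8_t *cfg, int guest_endian, int buggy,
                        uint16_t max_channel, uint16_t max_target, uint32_t max_lun)
{
    memset(cfg, 0, CONFIG_LEN);
    if (buggy) {
        st32(cfg + OFF_MAX_CHANNEL, max_channel, guest_endian);
        st32(cfg + OFF_MAX_TARGET, max_target, guest_endian);
    } else {
        st16(cfg + OFF_MAX_CHANNEL, max_channel, guest_endian);
        st16(cfg + OFF_MAX_TARGET, max_target, guest_endian);
    }
    st32(cfg + OFF_MAX_LUN, max_lun, guest_endian);
}

/* What a guest of the given endianness reads back as max_target. */
static uint16_t guest_max_target(int guest_endian, int buggy)
{
    uint8_t cfg[CONFIG_LEN];
    fill_config(cfg, guest_endian, buggy, 0, 255, 16383);
    return ld16(cfg + OFF_MAX_TARGET, guest_endian);
}

/* Request side: the guest writes a 32-bit field (resid here) in its own
 * order; the host either converts it (swap=1) or reads it as host-native. */
static uint32_t resid_seen_by_host(int guest_endian, int host_endian, int swap)
{
    uint8_t field[4];
    st32(field, 0x1234u, guest_endian);
    return swap ? ld32(field, guest_endian) : ld32(field, host_endian);
}

int main(void)
{
    printf("BE guest, buggy config: max_target=%u\n", guest_max_target(BE, 1));
    printf("BE guest, fixed config: max_target=%u\n", guest_max_target(BE, 0));
    printf("LE guest, buggy config: max_target=%u (right by accident)\n",
           guest_max_target(LE, 1));
    printf("BE guest on LE host, no swap: resid=0x%08x\n", resid_seen_by_host(BE, LE, 0));
    printf("BE guest on LE host, swapped: resid=0x%08x\n", resid_seen_by_host(BE, LE, 1));
    return 0;
}
```

With a big-endian guest the buggy 32-bit store puts the value's high half into the 16-bit slot, so max_target reads as 0 and the guest sees one disk; the little-endian guest reads the low half, which is the correct value, and never notices. The request-side function shows the complementary mistake: a host that reads the guest's bytes in its own order gets 0x34120000 instead of 0x1234 until a swap is applied.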
* iscsi: do not assume device is zero initialized | Peter Lieven | 2012-12-13 | 1 | -0/+6

  Without any complex checks we can't assume that an iscsi target is initialized to zero.

  Signed-off-by: Peter Lieven <pl@kamp.de>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  (cherry picked from commit f807ecd5741325fe0d281199ff22cdda0acb6a7a)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit cef2566953b967f8ff79ef6305c92728a795fdac)
* iscsi: fix deadlock during login | Peter Lieven | 2012-12-13 | 1 | -181/+70

  If the connection is interrupted before the first login is successfully completed qemu-kvm is waiting forever in qemu_aio_wait(). This is fixed by performing a sync login to the target. If the connection breaks after the first successful login errors are handled internally by libiscsi.

  Signed-off-by: Peter Lieven <pl@kamp.de>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  (cherry picked from commit e829b0bb054ed3389e5b22dad61875e51674e629)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 707f2b69ff97820f345e509f68155e265c7e45a4)
* iscsi: fix segfault in url parsing | Peter Lieven | 2012-12-13 | 1 | -2/+1

  If an invalid URL is specified iscsi_get_error(iscsi) is called with iscsi == NULL.

  Signed-off-by: Peter Lieven <pl@kamp.de>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  (cherry picked from commit 8da1e18b0cf46b6c95c88bbad1cc50d6dd1bef4b)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 972a2bf07287e4a9a4a7bd03d4e9af5d4259baef)
* qapi: fix qapi_dealloc_type_size parameter type | Bruce Rogers | 2012-12-13 | 1 | -1/+1

  The second parameter to qapi_dealloc_type_size should be a uint64_t *, not a size_t *. This was causing our 32 bit x86 build to fail, since warnings are treated as errors.

  Signed-off-by: Bruce Rogers <brogers@suse.com>
  Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  Reviewed-by: Stefan Weil <sw@weilnetz.de>
  Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
  (cherry picked from commit 1d16252652688a775b244fffa1b9ac9b719ceffc)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit ffffff01466a0180de7632842cf583c8a9cbf959)
* qapi: handle visitor->type_size() in QapiDeallocVisitor | Stefan Hajnoczi | 2012-12-13 | 1 | -0/+6

  visit_type_size() requires either visitor->type_size() or visitor_uint64() to be implemented, otherwise a NULL function pointer is invoked.

  It is possible to trigger this crash as follows:

  $ qemu-system-x86_64 -netdev tap,sndbuf=0,id=netdev0 \
      -device virtio-blk-pci,netdev=netdev0

  The 'sndbuf' option has type "size".

  Reviewed-by: Andreas Färber <afaerber@suse.de>
  Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit 0c26f2eca40d6c65ea9edc62a10e510dc7f65cc8)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 54c6c5a35d8bd57b320bbba8b85604018004bd13)
* qom: fix refcount of non-heap-allocated objects | Paolo Bonzini | 2012-12-13 | 1 | -1/+1

  The reference count for embedded objects is always one too low, because object_initialize_with_type returns with zero references to the object. This causes premature finalization of the object (or an assertion failure) after calling object_ref to add an extra reference and object_unref to remove it.

  The fix is to move the initial object_ref call from object_new_with_type to object_initialize_with_type.

  Acked-by: Andreas Färber <afaerber@suse.de>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit 764b63125a77dab54ed405d493452a4e05679c2e)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit f05a3da4e00d24c4540811e6fff2c4f0484771bd)
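The failure mode this commit describes (an object that is still owned by its parent being finalized because a temporary ref/unref pair drove the count from zero to one and back) is worth seeing in miniature. The block below is an added example written for this page, not QEMU's QOM implementation: a toy object with a counter and a finalized flag, an initializer in the pre-fix shape that leaves the count at zero, one in the post-fix shape that takes the first reference itself, and a caller that holds the object briefly. All names are invented.

```c
/* Added example (not QEMU code): a minimal refcounted object showing why an
 * in-place initializer must take the first reference. Names are invented. */
#include <stdio.h>

typedef struct Obj {
    int ref;         /* outstanding references */
    int finalized;   /* set when the count drops to zero */
} Obj;

static void obj_finalize(Obj *o)
{
    o->finalized = 1;
}

/* Pre-fix shape: only the heap allocator took the initial reference, so an
 * object initialized in place (embedded in a parent) started at zero. */
static void obj_initialize_buggy(Obj *o)
{
    o->ref = 0;
    o->finalized = 0;
}

/* Post-fix shape: initialization itself owns the first reference, whether
 * the object lives on the heap or inside another structure. */
static void obj_initialize_fixed(Obj *o)
{
    o->ref = 1;
    o->finalized = 0;
}

static void obj_ref(Obj *o)
{
    o->ref++;
}

static void obj_unref(Obj *o)
{
    if (o->ref <= 0) {
        return;      /* programming error; a real implementation would assert */
    }
    if (--o->ref == 0) {
        obj_finalize(o);
    }
}

/* A caller takes a temporary reference on an embedded object and releases
 * it while the owner still holds it. Returns 1 if the object was finalized
 * (wrong for an embedded object that the owner has not released). */
static int finalized_after_temp_hold(int use_fixed)
{
    Obj embedded;
    if (use_fixed) {
        obj_initialize_fixed(&embedded);
    } else {
        obj_initialize_buggy(&embedded);
    }
    obj_ref(&embedded);
    obj_unref(&embedded);
    return embedded.finalized;
}

/* With the fix, finalization happens exactly when the owner lets go. */
static int finalized_after_owner_release(void)
{
    Obj embedded;
    obj_initialize_fixed(&embedded);
    obj_ref(&embedded);
    obj_unref(&embedded);    /* temporary holder done */
    obj_unref(&embedded);    /* owner's own reference */
    return embedded.finalized;
}

int main(void)
{
    printf("buggy init, temp hold released: finalized=%d\n", finalized_after_temp_hold(0));
    printf("fixed init, temp hold released: finalized=%d\n", finalized_after_temp_hold(1));
    printf("fixed init, owner released too: finalized=%d\n", finalized_after_owner_release());
    return 0;
}
```

The first line prints 1: with the count starting at zero, the temporary holder's unref is the one that reaches zero and tears the object down underneath its owner. The fix does not change ref/unref at all; it only makes the initializer account for the owner's reference.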
* PPC: Fix missing TRACE exception | Julio Guerra | 2012-12-13 | 1 | -1/+2

  This patch fixes bug 1031698 : https://bugs.launchpad.net/qemu/+bug/1031698

  If we look at the (truncated) translation of the conditional branch instruction in the test submitted in the bug post, the call to the exception helper is missing in the "bne-false" chunk of translated code :

  IN:
  bne- 0x1800278

  OUT:
  0xb544236d: jne 0xb5442396

  0xb5442373: mov %ebp,(%esp)
  0xb5442376: mov $0x44,%ebx
  0xb544237b: mov %ebx,0x4(%esp)
  0xb544237f: mov $0x1800278,%ebx
  0xb5442384: mov %ebx,0x25c(%ebp)
  0xb544238a: call 0x827475a
                   ^^^^^^^^^^^^^^^^^^
  0xb5442396: mov %ebp,(%esp)
  0xb5442399: mov $0x44,%ebx
  0xb544239e: mov %ebx,0x4(%esp)
  0xb54423a2: mov $0x1800270,%ebx
  0xb54423a7: mov %ebx,0x25c(%ebp)

  Indeed, gen_exception(ctx, excp) called by gen_goto_tb (called by gen_bcond) changes ctx->exception's value to excp's :

  gen_bcond()
  {
      gen_goto_tb(ctx, 0, ctx->nip + li - 4);
      /* ctx->exception value is POWERPC_EXCP_BRANCH */
      gen_goto_tb(ctx, 1, ctx->nip);
      /* ctx->exception now value is POWERPC_EXCP_TRACE */
  }

  Making the following gen_goto_tb()'s test false during the second call :

  if ((ctx->singlestep_enabled & (CPU_BRANCH_STEP | CPU_SINGLE_STEP)) &&
      ctx->exception == POWERPC_EXCP_BRANCH /* false...*/) {
      target_ulong tmp = ctx->nip;
      ctx->nip = dest;
      /* ... and this is the missing call */
      gen_exception(ctx, POWERPC_EXCP_TRACE);
      ctx->nip = tmp;
  }

  So the patch simply adds the missing matching case, fixing our problem.

  Signed-off-by: Julio Guerra <guerr@julio.in>
  Signed-off-by: Alexander Graf <agraf@suse.de>
  (cherry picked from commit f0cc4aa8450376ca2aee3ebb09db71f9f2ff333b)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 0aad8f1a49fe49b15858978a03b4adead669ff6d)
* hmp: do not crash on invalid SCSI hotplug | Paolo Bonzini | 2012-12-13 | 1 | -1/+7

  Commit 0d93692 (qdev: Convert busses to QEMU Object Model, 2012-05-02) removed a check on the type of the bus where a SCSI disk is hotplugged. However, hot-plugging to the wrong kind of device now causes a crash due to either a NULL pointer dereference (avoided by the previous patch) or a failed QOM cast. Instead, in this case we need to use object_dynamic_cast and check for the result, similar to what was done before that commit.

  Reported-by: Markus Armbruster <armbru@redhat.com>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit b5007bcc9729acd995518c52eb1038c4d8416b5d)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit a99cb0d20a4868a31f294f5d1fd4fa3225ea70ab)
* qom: dynamic_cast of NULL is always NULL | Paolo Bonzini | 2012-12-13 | 1 | -2/+2

  Trying to cast a NULL value will cause a crash. Returning NULL is also sensible, and it is also what the type-unsafe DO_UPCAST macro does.

  Reported-by: Markus Armbruster <armbru@redhat.com>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit b7f43fe46029d8fd0594cd599fa2599dcce0f553)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 5e19e498b4b2a31c985dc96b1aff078c34e40488)
* block: Fix regression for MinGW (assertion caused by short string) | Stefan Weil | 2012-12-13 | 1 | -1/+2

  The local string tmp_filename is passed to function get_tmp_filename which expects a string with minimum size MAX_PATH for w32 hosts.

  MAX_PATH is 260 and PATH_MAX is 259, so tmp_filename was too short.

  Commit eba25057b9a5e19d10ace2bc7716667a31297169 introduced this regression.

  Signed-off-by: Stefan Weil <sw@weilnetz.de>
  Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit 89c9bc3d147fdaa932db99b0463b4af1d3e7cda1)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 4fb9656b9d62ce348656a7184ac7861d70c490a7)
* tci: Fix type of tci_read_label | Richard Henderson | 2012-12-13 | 1 | -2/+2

  Fixes the pointer truncation that was occurring for branches.

  Cc: Stefan Weil <sw@weilnetz.de>
  Cc: Blue Swirl <blauwirbel@gmail.com>
  Signed-off-by: Richard Henderson <rth@twiddle.net>
  Reviewed-by: Stefan Weil <sw@weilnetz.de>
  Tested-by: Stefan Weil <sw@weilnetz.de>
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit c6c5063c7a5bb1d3fe6b9931a1ec15294e39b8b1)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 38c6d17e75f83363ef92582dd366a4b1d936dc2f)
* qcow2: Fix refcount table size calculation | Kevin Wolf | 2012-12-13 | 1 | -1/+2

  A missing factor for the refcount table entry size in the calculation could mean that too little memory was allocated for the in-memory representation of the table, resulting in a buffer overflow.

  Signed-off-by: Kevin Wolf <kwolf@redhat.com>
  Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
  Tested-by: Michael Tokarev <mjt@tls.msk.ru>
  (cherry picked from commit a3548077062dd9dc2701ebffd931ba6eaef40bec)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 600a9efdb1ddb749332200cab27d9240fbc0bda1)
* configure: avoid compiler warning in pipe2 detection | Bruce Rogers | 2012-12-13 | 1 | -2/+1

  When building qemu-kvm for openSUSE:Factory, I am getting a warning in the pipe2 detection performed by configure, which prevents using --enable-werror. Change detection code to use return value of pipe2.

  Signed-off-by: Bruce Rogers <brogers@suse.com>
  Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit 9bca81624ef9299b9a06013fd29cd6899079aab4)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit ea79e157c61eb20e1065836f9d2719ffef91b8cf)
* target-openrisc: remove conflicting definitions from cpu.h | Aurelien Jarno | 2012-12-13 | 1 | -18/+0

  On an ARM host, the registers definitions from cpu.h clash with /usr/include/sys/ucontext.h. As they are unused, just remove them.

  Cc: Jia Liu <proljc@gmail.com>
  Cc: qemu-stable@nongnu.org
  Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  (cherry picked from commit 44e04d3b945ba6f5cc87e65192081da4783f73fa)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 4a8e490cbc15ad3fd88180ebff016cdd56242987)
* tcg/arm: fix cross-endian qemu_st16 | Aurelien Jarno | 2012-12-13 | 1 | -2/+18

  The bswap16 TCG opcode assumes that the high bytes of the temp equal to 0 before calling it. The ARM backend implementation takes this assumption to slightly optimize the generated code.

  The same implementation is called for implementing the cross-endian qemu_st16 opcode, where this assumption is not true anymore. One way to fix that would be to zero the high bytes before calling it. Given the store instruction just ignores them, it is possible to provide a slightly more optimized version. With ARMv6+ the rev16 instruction does the work correctly. For lower ARM versions the patch provides a version which behaves correctly with non-zero high bytes, but fills them with junk.

  Cc: Andrzej Zaborowski <balrogg@gmail.com>
  Cc: Peter Maydell <peter.maydell@linaro.org>
  Cc: qemu-stable@nongnu.org
  Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  (cherry picked from commit 7aab08aa786e3a8838beac758ee61c5000144937)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit ede76edace43dcc940e1dfaa3f5be5fe485b7254)
* tcg/arm: fix TLB access in qemu-ld/st ops | Aurelien Jarno | 2012-12-13 | 1 | -36/+42

  The TCG arm backend considers likely that the offset to the TLB entries does not exceed 12 bits for mem_index = 0. In practice this is not true for at least the MIPS target.

  The current patch fixes that by loading the bits 23-12 with a separate instruction, and using loads with address writeback, independently of the value of mem_idx. In total this allows a 24-bit offset, which is a lot more than needed.

  Cc: Andrzej Zaborowski <balrogg@gmail.com>
  Cc: Peter Maydell <peter.maydell@linaro.org>
  Cc: qemu-stable@nongnu.org
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  (cherry picked from commit d17bd1d8cc27f8c1a24c65f555a77a661c332b7f)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit ac914c1fc2f6981282e179f408d5e6af589595b8)
* target-mips: fix wrong microMIPS opcode encoding | 陳韋任 (Wei-Ren Chen) | 2012-12-13 | 1 | -1/+1

  While reading microMIPS decoding, I found a possible wrong opcode encoding. According to [1] page 166, the bits 13..12 for MULTU is 0x01 rather than 0x00. Please review, thanks.

  [1] MIPS Architecture for Programmers VolumeIV-e: The MIPS DSP Application-Specific Extension to the microMIPS32 Architecture

  Signed-off-by: Chen Wei-Ren <chenwj@iis.sinica.edu.tw>
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  (cherry picked from commit 6801038bc52d61f81ac8a25fbe392f1bad982887)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 357414daa4915fb2312fff2af2d4ef28147f3eeb)
* mips/malta: fix CBUS UART interrupt pin | Aurelien Jarno | 2012-12-13 | 1 | -1/+2

  According to the MIPS Malta Development Platform User's Manual, the i8259 interrupt controller is supposed to be connected to the hardware IRQ0, and the CBUS UART to the hardware interrupt 2. In QEMU they are both connected to hardware interrupt 0, the CBUS UART interrupt being wrong.

  This patch fixes that. It should be noted that the irq array in QEMU includes the software interrupts, hence env->irq[2] is the first hardware interrupt.

  Cc: Ralf Baechle <ralf@linux-mips.org>
  Reviewed-by: Eric Johnson <ericj@mips.com>
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  (cherry picked from commit 68d001928b151a0c50f367c0bdca645b3d5e9ed3)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit f6b803df744f3b8fafd69fa8e8e0588ffd75f4ac)
* nbd: fixes to read-only handling | Paolo Bonzini | 2012-12-13 | 1 | -13/+12

  We do not need BLKROSET if the kernel supports setting flags. Also, always do BLKROSET even for a read-write export, otherwise the read-only state remains "sticky" after the invocation of "qemu-nbd -r".

  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  (cherry picked from commit c8969eded252058e90e91f12f75f32aceae46ec9)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 879c2648038863c30587411f90b142de05e12a3b)
* m68k: Return semihosting errno values correctly | Meador Inge | 2012-12-13 | 1 | -1/+1

  Fixing a simple typo, s/errno/err/, that caused the error status from GDB semihosted system calls to be returned incorrectly.

  Signed-off-by: Meador Inge <meadori@codesourcery.com>
  Reviewed-by: Andreas Färber <afaerber@suse.de>
  Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit aed91c1bff5e568c7b0fbd0e1e7e2f9e62409e73)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 382a582c1f4c1877968d73751dd2f1206547eda4)
* tools: initialize main loop before block layer | Paolo Bonzini | 2012-12-13 | 2 | -4/+2

  Tools were broken because they initialized the block layer while qemu_aio_context was still NULL.

  Reported-by: malc <av1474@comtv.ru>
  Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  Signed-off-by: malc <av1474@comtv.ru>
  (cherry picked from commit 2592c59a66d456fe98fe96cb5787b356c40ee66f)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 5c0d5aebd5c9cf445fb71e01ee56efad094248f5)
* xhci: fix usb name in caps | Gerd Hoffmann | 2012-12-13 | 1 | -2/+2

  Used to be "UTB" not "USB".

  Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
  (cherry picked from commit 0ebfb144e8ad3f2da436d630fdcc5aa9ab646341)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 3dd59b4dc77847d78d04c4cfe03d9bd574ff5918)
* target-sparc64: disable VGA cirrus | Aurelien Jarno | 2012-12-13 | 1 | -1/+0

  OpenBIOS on sparc64 only supports Standard VGA and not Cirrus VGA. Don't build Cirrus VGA support so that it can't be selected.

  This fixes the breakage introduced by commit f2898771.

  Reported-by: Richard Henderson <rth@twiddle.net>
  Cc: Blue Swirl <blauwirbel@gmail.com>
  Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
  Tested-by: Richard Henderson <rth@twiddle.net>
  Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
  (cherry picked from commit 0356404b0f1da939657cad1efeb556745cd430d5)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 03e044136ae6c595fec63dd21be39dbf12a24eca)
* PPC: Bamboo: Fix memory size DT property | Alexander Graf | 2012-12-13 | 1 | -1/+1

  Device tree properties need to be specified in big endian. Fix the bamboo memory size property accordingly.

  Signed-off-by: Alexander Graf <agraf@suse.de>
  CC: qemu-stable@nongnu.org
  (cherry picked from commit 5232fa59b17b45c04bd24e0d38224964816bf391)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit db6e5ab78efd1d0c07945fcff6f42e9acb8929ed)
* s390x: fix -initrd in virtio machine | Alexander Graf | 2012-12-13 | 1 | -2/+2

  When using -initrd in the virtio machine, we need to indicate the initrd start and size inside the kernel image. These parameters need to be stored in native endianness.

  Signed-off-by: Alexander Graf <agraf@suse.de>
  Acked-by: Richard Henderson <rth@twiddle.net>
  Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
  (cherry picked from commit 235a3f0bed3584fe65079ffa07c7a842971f261e)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 7817b8d858852adb2ae93f2af8c7f2a1198f4f61)
* memory: fix rendering of a region obscured by another | Avi Kivity | 2012-12-13 | 1 | -6/+6

  The memory core drops regions that are hidden by another region (for example, during BAR sizing), but it doesn't do so correctly if the lower address of the existing range is below the lower address of the new range.

  Example (qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta -append "console=ttyS0" -nographic -vga cirrus):

  Existing range: 10000000-107fffff
  New range: 100a0000-100bffff
  Correct behaviour: drop new range
  Incorrect behaviour: add new range

  Fix by taking this case into account (previously we only considered equal lower boundaries).

  Tested-by: Aurelien Jarno <aurelien@aurel32.net>
  Signed-off-by: Avi Kivity <avi@redhat.com>
  Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
  (cherry picked from commit d26a8caea3f160782841efb87b5e8bea606b512b)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 0dfd8215c2d7023436e4bd25b68d6f00d83702e6)
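The commit gives a concrete test case, so the containment check it is fixing can be written down and run against exactly those addresses. The block below is an added example for this page, not the memory core's own code: it carries a "hidden" predicate in the shape the message implies for the pre-fix behaviour (equal lower boundaries only), the corrected full-containment predicate, and the malta ranges quoted above. The type and function names are invented, and the pre-fix predicate is a reconstruction from the commit's one-sentence description, not the original source.

```c
/* Added example (not QEMU code): containment test for a memory range that
 * is obscured by an already-rendered one, run over the ranges the commit
 * quotes. Bounds are inclusive, as printed in the message. The "buggy"
 * predicate is reconstructed from the commit text, not copied from QEMU. */
#include <stdint.h>
#include <stdio.h>

typedef struct Range {
    uint64_t lo, hi;   /* inclusive */
} Range;

/* Pre-fix shape: a new range counted as hidden only when it started at
 * the same address as the existing one. */
static int hidden_buggy(Range existing, Range candidate)
{
    return existing.lo == candidate.lo && candidate.hi <= existing.hi;
}

/* Post-fix: anything lying entirely inside an existing range is hidden,
 * including a range whose start is above the existing start. */
static int hidden_fixed(Range existing, Range candidate)
{
    return existing.lo <= candidate.lo && candidate.hi <= existing.hi;
}

/* Render decision against one existing range: 1 = add the candidate,
 * 0 = drop it because the existing range already covers it. */
static int should_add(Range existing, Range candidate, int use_fixed)
{
    int hidden = use_fixed ? hidden_fixed(existing, candidate)
                           : hidden_buggy(existing, candidate);
    return !hidden;
}

/* The commit's malta example: the candidate sits strictly inside. */
static int malta_example_adds_new_range(int use_fixed)
{
    Range existing  = { 0x10000000, 0x107fffff };
    Range candidate = { 0x100a0000, 0x100bffff };
    return should_add(existing, candidate, use_fixed);
}

/* A candidate that only partly overlaps must still be added by both. */
static int partial_overlap_adds_new_range(int use_fixed)
{
    Range existing  = { 0x10000000, 0x107fffff };
    Range candidate = { 0x10700000, 0x108fffff };
    return should_add(existing, candidate, use_fixed);
}

int main(void)
{
    printf("malta example, pre-fix:  add=%d (should be 0)\n", malta_example_adds_new_range(0));
    printf("malta example, post-fix: add=%d\n", malta_example_adds_new_range(1));
    printf("partial overlap, post-fix: add=%d\n", partial_overlap_adds_new_range(1));
    return 0;
}
```

Only the strictly-contained case changes between the two predicates; a range that pokes out past either end of the existing one is still rendered by both, which is what keeps the fix from hiding regions that genuinely extend the address map.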
* e1000: drop check_rxov, always treat RX ring with RDH == RDT as empty | Dmitry Fleytman | 2012-12-13 | 1 | -5/+2

  Real HW always treats RX ring with RDH == RDT as empty. Emulation is supposed to behave the same.

  Reported-by: Chris Webb <chris.webb@elastichosts.com>
  Reported-by: Richard Davies <richard.davies@elastichosts.com>
  Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
  Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
  (cherry picked from commit e5b8b0d4ba29fe1268ba049519a1b0cf8552a21a)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit e16d81df85ec6e66364770cdb5e2737b0586961c)
* target-i386: Allow tsc-frequency to be larger than 2.147G | Don Slutz | 2012-12-13 | 1 | -1/+1

  The check using INT_MAX (2147483647) is wrong in this case.

  Signed-off-by: Fred Oliveira <foliveira@cloudswitch.com>
  Signed-off-by: Don Slutz <Don@CloudSwitch.com>
  Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
  (cherry picked from commit 2e84849aa2cc7f220d3b3668f5f7e3c57bb1b590)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit 3dfbc51e787bbe150273595ef526167842fd94ec)
* hw: Fix return value check for bdrv_read, bdrv_write | Stefan Weil | 2012-12-13 | 3 | -20/+32

  Those functions return -errno in case of an error. The old code would typically only detect EPERM (1) errors.

  Signed-off-by: Stefan Weil <sw@weilnetz.de>
  Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
  (cherry picked from commit 7a608f562ebd91e811ed0b725e528c894e4f19c4)
  Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
  (cherry picked from commit eb63b0c2da53caf1681ca0123a4e0aa893ffe238)