Reported-by: NThomas Schmitt <scdbackup@gmx.net>
Tested-by: NThomas Schmitt <scdbackup@gmx.net>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

- several MMC commands were parsed wrong by QEMU because their allocation
length/parameter list length is placed in a non-standard position in
the CDB (i.e. it is different from most commands with the same value in
bits 5-7).

- SEND VOLUME TAG length was multiplied by 40 which is not in SMC.  The
parameter list length is between 32 and 40 bytes.  Same for MEDIUM SCAN
(spec found at http://ldkelley.com/SCSI2/SCSI2-16.html but not in any of
the PDFs I have here).

- READ_POSITION (SSC) conflicts with PRE_FETCH (SBC).  READ_POSITION's
transfer length is not hardcoded to 20 in SSC; for PRE_FETCH cmd->xfer
should be 0.  Both fixed.

- FORMAT MEDIUM (the SSC name for FORMAT UNIT) was missing.  The FORMAT
UNIT command is still somewhat broken for block devices because its
parameter list length is not in the CDB.  However it works for CD/DVD
drives, which mandate the length of the payload.

- fixed wrong sign-extensions for 32-bit fields (for the LBA field,
this affects disks >1 TB).

- several other SBC or SSC commands were missing or parsed wrong.

- some commands were not in the list of "write" commands.
Reported-by: NThomas Schmitt <scdbackup@gmx.net>
Tested-by: Thomas Schmitt <scdbackup@gmx.net> (MMC bits only)
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Add more commands and their names, and remove SEEK(6) which is obsolete.
Instead, use SET_CAPACITY which is still in SSC.
Tested-by: NThomas Schmitt <scdbackup@gmx.net>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Mode page 2A of emulated ATAPI DVD-ROM should have page length 0x14
like SCSI CD-ROM, rather than 0x12.

Mode page length is off by 8, as it should contain the length of the
payload after the first two bytes.

MODE SENSE(6) should be thrown out of ATAPI DVD-ROM emulation.  It is
not specified in the ATAPI list of MMC-2, and MMC-5 prescribes to use
MODE SENSE(10).  Anyway, its implementation is wrong.
Reported-by: NThomas Schmitt <scdbackup@gmx.net>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Old operating systems rely on correct geometry to convert from CHS
addresses to LBA.  Providing correct data is necessary for them to boot.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The pre-1.0 firmware path for SCSI devices already included the LUN
using the suffix argument to add_boot_device_path.  I missed that when
making channel and LUN customizable.  Avoid that it is included twice, and
convert the colons to commas for consistency with other kinds of devices
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

The default is still 3, and I didn't change older machine types.
Signed-off-by: NAlon Levy <alevy@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix a long-standing bug which meant that any attempt to do an
8 or 16 bit read from the OMAP GPIO module would cause qemu to
crash due to an infinite recursion.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

Signed-off-by: NJuha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

also gracefully fail on nand_device_init() for unsupported block
size instead of aborting.
Signed-off-by: NJuha Riihimäki <juha.riihimaki@nokia.com>
Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

Depending on the considered baseboard the bit used to
reset the platform is different.

Here is the list of considered Realview/Versatile platforms:

Realview/Versatile AB for ARM926EJ-S: BOARD_ID = 0x100 = BOARD_ID_PB9
http://infocenter.arm.com/help/topic/com.arm.doc.dui0225d/CACCIFGI.html

RealView Emulation Baseboard: BOARD_ID = 0x140 = BOARD_ID_EB
No reset register

RealView PB for Cortex-A8: BOARD_ID = 0x178 = BOARD_ID_PBA8
http://infocenter.arm.com/help/topic/com.arm.doc.dui0417d/BBACIGAD.html

RealView PB for Cortex-A9: BOARD_ID = 0x182 = BOARD_ID_PBX
http://infocenter.arm.com/help/topic/com.arm.doc.dui0440b/CACCHBFB.html

Motherboard Express =C2=B5ATX: BOARD_ID = 0x190 = BOARD_ID_VEXPRESS
No reset register
Signed-off-by: NJean-Christophe DUBOIS <jcd@tribudubois.net>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

Fix an error in commit afd4a652 which meant that writing a zero
to the RW bits in the PMCR wouldn't actually clear them. (Error
spotted by Andrzej Zaborowski.)
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

"!X == 2" is always false (spotted by Coverity), so the checks
for whether rndis is in the correct state would never fire.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAndrzej Zaborowski <andrew.zaborowski@intel.com>

There are only three counter/timers on the integrator board:
correct the bounds check to avoid an array overrun. (Spotted
by Coverity, see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix a bug in handling the write-one-to-clear bits in the PMCR
which meant that we would always clear the bit even if the
value written was a zero. Spotted by Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Remove a pointless comparison of an array to null. (There is
no need to check whether s->out[i] is non-null as qemu_set_irq
will do that for us.) Spotted by Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Remove a check for g_malloc failing: this never happens.
Also use g_malloc rather than g_malloc0 as we immediately
memset the entire region and so zero-initialising it is pointless.
Spotted by Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Avoid a crash due to null pointer dereference if a guest attempts
to access banked registers for a nonexistent bank. Spotted by
Coverity (see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix a use-while-uninitialized of the fd_type[] array (introduced
in commit 34d4260e, noticed by Coverity). This is more theoretical
than practical, since it's quite hard to get here with floppy==NULL
(the qdev_try_create() of the isa-fdc device has to fail).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Add a missing 'break' statement to fix a buffer overrun when
executing the EEPROM write-all command. Spotted by Coverity
(see bug 887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

Spotted by Coverity.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

hpet_timer timer callback rearms itself based on difference between
current HPET tick counter and comparator value. Difference calculated by
the hpet_calculate_diff function is limited to non-negative values.

cur_tick is calculated via hpet_get_ticks that uses qemu_get_clock_ns(vm_clock).

With -icount enabled vm_clock doesn't advance during qemu_run_timers
loop thus once difference is zero, qemu_run_timers loops forever
handling hpet_timer.

Limit hpet_calculate_diff results to positive only values to avoid that
infinite loop.

This fixes the following qemu-system-x86_64 hang when it reaches
timer_irq_works() in the linux bootup:

[    0.000000] Fast TSC calibration using PIT
[    0.000000] Detected 1000.054 MHz processor.
[    0.000031] Calibrating delay loop (skipped), value calculated using timer frequency.. 2000.10 BogoMIPS (lpj=10000540)
[    0.000404] pid_max: default: 32768 minimum: 301
[    0.001138] Mount-cache hash table entries: 256
[    0.003883] Initializing cgroup subsys ns
[    0.004035] Initializing cgroup subsys cpuacct
[    0.004280] Initializing cgroup subsys freezer
[    0.004790] Performance Events: AMD PMU driver.
[    0.004985] ... version:                0
[    0.005134] ... bit width:              48
[    0.005285] ... generic registers:      4
[    0.005437] ... value mask:             0000ffffffffffff
[    0.005625] ... max period:             00007fffffffffff
[    0.005807] ... fixed-purpose events:   0
[    0.005957] ... event mask:             000000000000000f
[    0.006275] SMP alternatives: switching to UP code
Signed-off-by: NMax Filippov <jcmvbkbc@gmail.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Add missing 'break' statements which would have meant that writing
to an 8 bit NAND device was broken. Spotted by Coverity (see bug
887883).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Fix a bug revealed by a coverity scan (see bug 887883) which meant
that we would never print the warning about unpredictable behaviour
if a nonexistent overlay is enabled.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Modern distributions place xattr.h in /usr/include/sys, and fold
libattr.so into libc.  They also don't have an ENOATTR.

Make configure detect this, and add a qemu-xattr.h file that
directs the #include to the right place.
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

clk_setup is now a function. Fixes a segfault.
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Commit 0a039dc7 broke vga modes for
qxl-vga by loosing vga_ioport_read windup.  qxl needs to hook into
vga port writes only and used to realize that by letting vga_init() do
the work for both reads and writes, then overwrite the write function.
That little detail was missed while doing the conversion ...

This patch fixes it.  It also switch qxl vga ioport registration to
portio lists while being at it.

Cc: Hans de Goede <hdegoede@redhat.com>
Acked-by: NAlon Levy <alevy@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch removes the code lines which set the subsystem id for the
emulated ac97 card to 8086:0000.  Due to the device id being zero the
subsystem id isn't vaild anyway.  With the patch applied the sound card
gets the default qemu subsystem id (1af4:1100) instead.

[ v2: old & broken id is maintained for -M pc-$oldqemuversion ]

Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch adds a pc-1.0 machine type.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

sgabios hasn't gotten a lot of coverage since it was not shipped.  For 1.0,
let's disable the automatic loading of the option ROM in -nographic
mode.  We can put it back for 1.1.
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Somehow, the read/write functions handle an offset that does not exist anymore.
Signed-off-by: NAnthony PERARD <anthony.perard@citrix.com>
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>

The first enable set/clear register (which controls the PPIs and SGIs)
is supposed to be banked for each processor.  Currently it is just
handled globally and this prevents recent SMP Linux kernels from
booting, because CPU0 stops receiving localtimer interrupts when CPU1
disables them locally.

To fix this, allow the enable bits to be enabled per-cpu.  For SPIs,
always enable/disable ALL_CPU_MASK.
Signed-off-by: NRabin Vincent <rabin@rab.in>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>

With the conversion of the block layer to coroutines, bdrv_read/write
have changed to run a nested event loop that calls qemu_bh_poll.
Consequently a scheduled BH can be called while a DMA transfer handler
runs and this means that DMA_run becomes reentrant.

Devices haven't been designed to cope with that, so instead of running a
nested transfer handler just wait for the next invocation of the BH from the
main loop.

This fixes some problems with the floppy device.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

apic id returned to guest kernel in ebx for cpuid(function=1) depends on
CPUX86State->cpuid_apic_id which gets populated after the cpuid information
is cached in the host kernel. This results in broken CPU topology in guest.

Fix this by setting cpuid_apic_id before cpuid information is passed to
the host kernel. This is done by moving the setting of cpuid_apic_id
to cpu_x86_init() where it will work for both KVM as well as TCG modes.
Acked-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NBharata B Rao <bharata.rao@gmail.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

commit ba43d289 introduces a bug:
The stream-not-found case doesn't error out any more, instead the
code silently uses the first stream.  Fix it.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

When SCSI passthrough is being used by the guest with virtio-blk, the
guest is not able to detect disk failures.  This is because the status
field is expected by the guest driver to include also the msg_status,
host_status and driver_status fields, but the device is only passing
down the SCSI status.

The patch fixes this, and also makes sure that the guest always sees a
CHECK_CONDITION status when there is valid sense data.
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Markus Armbruster <armbru@redhat.com> sent fixes for va_list vararg
issues in v9fs_string_alloc_printf().  It turns out the function
duplicates g_vasprintf() and can therefore be eliminated entirely.
Signed-off-by: NStefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>