Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This introduces a wrapper for phys_page_find (before we complicate
address_space_translate with IOMMU translation).  This function will
also encapsulate locking and reference counting when we introduce
BQL-free dispatching.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The memory API allows a MemoryRegion's size to be 2^64, as a special
case (otherwise the size always fits in a 64 bit integer). This meant
that attempts to access address zero in a 2^64 sized region would
assert in address_space_translate():

  #3  0x00007ffff3e4d192 in __GI___assert_fail#(assertion=0x555555a43f32
    "!a.hi", file=0x555555a43ef0 "include/qemu/int128.h", line=18,
    function=0x555555a4439f "int128_get64") at assert.c:103
  #4  0x0000555555877642 in int128_get64 (a=...)
    at include/qemu/int128.h:18
  #5  0x00005555558782f2 in address_space_translate (as=0x55555668d140,
   /addr=0, xlat=0x7fffafac9918, plen=0x7fffafac9920, is_write=false)
    at exec.c:221

Fix this by doing the 'min' operation in 128 bit arithmetic
rather than 64 bit arithmetic (we know the result of the 'min'
definitely fits in 64 bits because one of the inputs did).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Manual page and qemu-doc on talk about "Bochs BIOS".  We use SeaBIOS,
and it implements the feature.  Replace by just "BIOS", and drop the
TODO line wondering about the Bochs reference.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1371208516-7857-7-git-send-email-armbru@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Option -no-fd-bootchk asks the BIOS to attempt booting from a floppy
even when the boot sector signature isn't there, by setting a bit in
RTC CMOS.  It was added back in 2006 (commit 52ca8d6a).

Two years later, commit 0ecdffbb added monitor command boot_set.
Implemented by new function pc_boot_set().  It unconditionally clears
the floppy signature bit in CMOS.

Commit e0f084bf added -boot option once to automatically change the
boot order on first reset.  Reuses pc_boot_set(), thus also clears the
floppy signature bit.  Commit d9346e81 took care to preserve this
behavior.

Thus, -no-fd-bootchk applies to any number of boots.  Except it
applies just to the first boot with -boot once, and never after
boot_set.  Weird.  Make it stick instead: set the bit according to
-no-fd-bootchk in pc_boot_set().
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1371208516-7857-6-git-send-email-armbru@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1371208516-7857-5-git-send-email-armbru@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Option "once" sets up a different boot order just for the initial
boot.  Boot order reverts back to normal on reset.  Option "order"
changes the normal boot order.

The reversal is implemented by reset handler restore_boot_devices(),
which takes the boot order to revert to as argument.
restore_boot_devices() does nothing on its first call, because that
must be the initial machine reset.  On its second call, it changes the
boot order back, and unregisters itself.

Because we register the handler right when -boot gets parsed, we can
revert to an incorrect normal boot order, and multiple -boot can
interact in funny ways.

Here's how things work without -boot once or order:

* boot_devices is "".

* main() passes machine->boot_order to to machine->init(), because
  boot_devices is "".  machine->init() configures firmware
  accordingly.  For PC machines, machine->boot_order is "cad", and
  pc_cmos_init() writes it to RTC CMOS, where SeaBIOS picks it up.

Now consider -boot order=:

* boot_devices is "".

* -boot order= sets boot_devices to "" (no change).

* main() passes machine->boot_order to to machine->init(), because
  boot_devices is "", as above.

  Bug: -boot order= has no effect.  Broken in commit e4ada29e.

Next, consider -boot once=a:

* boot_devices is "".

* -boot once=a registers restore_boot_devices() with argument "", and
  sets boot_devices to "a".

* main() passes boot_devices "a" to machine->init(), which configures
  firmware accordingly.  For PC machines, pc_cmos_init() writes the
  boot order to RTC CMOS.

* main() calls qemu_system_reset().  This runs reset handlers.

  - restore_boot_devices() gets called with argument "".  Does
    nothing, because it's the first call.

* Machine boots, boot order is "a".

* Machine resets (e.g. monitor command).  Reset handlers run.

  - restore_boot_devices() gets called with argument "".  Calls
    qemu_boot_set("") to reconfigure firmware.  For PC machines,
    pc_boot_set() writes it into RTC CMOS.  Reset handler
    unregistered.

    Bug: boot order reverts to "" instead of machine->boot_order.  The
    actual boot order depends on how firmware interprets "".  Broken
    in commit e4ada29e.

Next, consider -boot once=a -boot order=c:

* boot_devices is "".

* -boot once=a registers restore_boot_devices() with argument "", and
  sets boot_devices to "a".

* -boot order=c sets boot_devices to "c".

* main() passes boot_devices "c" to machine->init(), which configures
  firmware accordingly.  For PC machines, pc_cmos_init() writes the
  boot order to RTC CMOS.

* main() calls qemu_system_reset().  This runs reset handlers.

  - restore_boot_devices() gets called with argument "".  Does
    nothing, because it's the first call.

* Machine boots, boot order is "c".

  Bug: it should be "a".  I figure this has always been broken.

* Machine resets (e.g. monitor command).  Reset handlers run.

  - restore_boot_devices() gets called with argument "".  Calls
    qemu_boot_set("") to reconfigure firmware.  For PC machines,
    pc_boot_set() writes it into RTC CMOS.  Reset handler
    unregistered.

    Bug: boot order reverts to "" instead of "c".  I figure this has
    always been broken, just differently broken before commit
    e4ada29e.

Next, consider -boot once=a -boot once=b -boot once=c:

* boot_devices is "".

* -boot once=a registers restore_boot_devices() with argument "", and
  sets boot_devices to "a".

* -boot once=b registers restore_boot_devices() with argument "a", and
  sets boot_devices to "b".

* -boot once=c registers restore_boot_devices() with argument "b", and
  sets boot_devices to "c".

* main() passes boot_devices "c" to machine->init(), which configures
  firmware accordingly.  For PC machines, pc_cmos_init() writes the
  boot order to RTC CMOS.

* main() calls qemu_system_reset().  This runs reset handlers.

  - restore_boot_devices() gets called with argument "".  Does
    nothing, because it's the first call.

  - restore_boot_devices() gets called with argument "a".  Calls
    qemu_boot_set("a") to reconfigure firmware.  For PC machines,
    pc_boot_set() writes it into RTC CMOS.  Reset handler
    unregistered.

  - restore_boot_devices() gets called with argument "b".  Calls
    qemu_boot_set("b") to reconfigure firmware.  For PC machines,
    pc_boot_set() writes it into RTC CMOS.  Reset handler
    unregistered.

* Machine boots, boot order is "b".

  Bug: should really be "c", because that came last, and for all other
  -boot options, the last one wins.  I figure this was broken some
  time before commit 37905d6a, and fixed there only for a single
  occurence of "once".

* Machine resets (e.g. monitor command).  Reset handlers run.

  - restore_boot_devices() gets called with argument "".  Calls
    qemu_boot_set("") to reconfigure firmware.  For PC machines,
    pc_boot_set() writes it into RTC CMOS.  Reset handler
    unregistered.

    Same bug as above: boot order reverts to "" instead of
    machine->boot_order.

Fix by acting upon -boot options order, once and menu only after
option parsing is complete, and the machine is known.  This is how the
other -boot options work already.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1371208516-7857-4-git-send-email-armbru@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1371208516-7857-3-git-send-email-armbru@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Commit 3d3b8303 threw in some QemuOpts parsing without replacing the
existing ad hoc parser, resulting in a confusing mess.  Clean it up.

Two user-visible changes:

1. Invalid options are reported more nicely.  Before:

        qemu: unknown boot parameter 'x' in 'x=y'

   After:

        qemu-system-x86_64: -boot x=y: Invalid parameter 'x'

2. If -boot is given multiple times, options accumulate, just like for
   -machine.  Before, only options order, once and menu accumulated.
   For the other ones, all but the first -boot in non-legacy syntax
   got simply ignored.
Signed-off-by: NMarkus Armbruster <armbru@redhat.com>
Reviewed-by: NAnthony Liguori <aliguori@us.ibm.com>
Message-id: 1371208516-7857-2-git-send-email-armbru@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

When this VMSD was introduced it's version fields were set to
sizeof(I6300State), making them essentially random from build to build,
version to version.

To fix this, we lock in a high version id and low minimum version id to
support old->new migration from all prior versions of this device's
state. This should work since the device state has not changed since
its introduction.

The potentially breaks migration from 1.5+ to 1.5, but since the
versioning was essentially random prior to this patch, new->old
migration was not consistently functional to begin with.
Reported-by: NNicholas Thomas <nick@bytemark.co.uk>
Suggested-by: NPeter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

# By Paolo Bonzini (3) and others
# Via Paolo Bonzini
* bonzini/scsi-next:
  iscsi: reorganize iscsi_readcapacity_sync
  iscsi: simplify freeing of tasks
  vhost-scsi: fix k->set_guest_notifiers() NULL dereference
  scsi-disk: scsi-block device for scsi pass-through should not be removable
  scsi-generic: check the return value of bdrv_aio_ioctl in execute_command
  scsi-generic: fix sign extension of READ CAPACITY(10) data
  scsi: reset cdrom tray statuses on scsi_disk_reset

Message-id: 1371565016-2643-1-git-send-email-pbonzini@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

# By Ján Tomko
# Via Paolo Bonzini
* bonzini/nbd-next:
  nbd: strip braces from literal IPv6 address in URI
  qemu-socket: allow hostnames starting with a digit

'default_backend' isn't always set, but 'rng' is, so use that.

$ ./x86_64-softmmu/qemu-system-x86_64 -object rng-random,id=rng0,filename=/dev/random -device virtio-rng-pci,rng=rng0
Segmentation fault (core dumped)

Regressed with virtio refactoring in 59ccd20a

CC: qemu-stable@nongnu.org
Signed-off-by: NCole Robinson <crobinso@redhat.com>
Acked-by: NAmit Shah <amit.shah@redhat.com>
Acked-by: NMichael S. Tsirkin <mst@redhat.com>
Tested-by: NMichael Roth <mdroth@linux.vnet.ibm.com>
Message-id: bf4505014a0a941dbd3c62068f3cf2c496b69e6a.1370023944.git.crobinso@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Avoid the goto, and use the same retry logic for the 10- and 16-
byte versions.

Cc: qemu-stable@nongnu.org
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Always free them in the iscsi_aio_*_acb functions and remove the
checks in their callers.  Remove ifs when the task struct was
previously dereferenced (spotted by Coverity).

Cc: qemu-stable@nongnu.org
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Coverity picked up a copy-paste bug.  In vhost_scsi_start() we check for
!k->set_guest_notifiers and error out.  The check probably got copied
but instead of erroring we actually use the function pointer!

Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Cc: Asias He <asias@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This patch adds a new SCSI_DISK_F_NO_REMOVABLE_DEVOPS feature. By this
feature we can set that the scsi-block (scsi pass-through) device will still
be removable from the guest side, but from monitor it cannot be removed.

Cc: qemu-stable@nongnu.org
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This fixes the bug introduced by this commit ad54ae80.
The bdrv_aio_ioctl() still could return null and we should return an error
in that case.

Cc: qemu-stable@nongnu.org
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Issuing the READ CAPACITY(10) command in the guest will cause QEMU
to update its knowledge of the maximum accessible LBA in the disk.
The recorded maximum LBA will be wrong if the disk is bigger than
1TB, because ldl_be_p returns a signed int.

When this is fixed, a latent bug will be unmasked.  If the READ
CAPACITY(10) command reported an overflow (0xFFFFFFFF), we must
not overwrite the previously-known maximum accessible LBA, or the guest
will fail to access the disk above the first 2TB.

Cc: qemu-stable@nongnu.org
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Tray statuses should be also reset. Some guests may lock the tray and
right after resetting the guest it should be unlocked and closed. This
is done on power-on, reset and resume from suspend/hibernate on bare-metal.

This fix is already committed for IDE CD.
Check the commit a7f3d65b.

Test results on bare-metal:
  - on reset/power-on the CD-ROM tray is closed even before the monitor
    is turned on
  - on resume from suspend/hibernate the tray is also closed before
    the monitor is turned on

From test results it seems that this behavior is OS and probably BIOS
independent.

Cc: qemu-stable@nongnu.org
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Otherwise they would get passed to getaddrinfo and fail with:
address resolution failed for [::1]🔢 Name or service not known

(Broken by commit v1.4.0-736-gf17c90be)
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

According to RFC 1123 [1], hostnames can start with a digit too.

[1] http://tools.ietf.org/html/rfc1123#page-13Signed-off-by: NJán Tomko <jtomko@redhat.com>
Cc: qemu-stable@nongnu.org
[Use strspn, not strcspn. - Paolo]
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This is a little strange. It is lowering the parent IRQ pin on input
when HIE is cleared. There is no such behaviour in the real hardware.

ISR changes based on interrupt pin state are already guarded on HIE
being set. So we can just delete this if in its entirety.
Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

When the Hardware Interrupt Enable (HIE) bit is set, software cannot
change ISR. Add write guard accordingly.
Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Acking a level sensitive interrupt should have no effect if the
interrupt pin is still asserted. The current implementation requires
and edge condition to occur for setting a level sensitive IRQ, which
means an ACK can clear a level sensitive interrupt, until the original
source strobes the interrupt again.

Fix by keeping track of the interrupt pin state and setting ISR based
on this every time update_irq() is called.
Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

For level sensitive interrupts, ISR bits are cleared when the input pin
is lowered. This is incorrect. Only software can clear ISR bits (via
IAR or direct write to ISR with !MER(2)).
Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

The UART IRQ is edge sensitive, whereas the machine was registering it
as level sensitive. Fix.
Signed-off-by: NPeter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

# By Luiz Capitulino
# Via Luiz Capitulino
* luiz/queue/qmp:
  qerror: drop QERR_OPEN_FILE_FAILED macro
  block: bdrv_reopen_prepare(): don't use QERR_OPEN_FILE_FAILED
  savevm: qmp_xen_save_devices_state(): use error_setg_file_open()
  dump: qmp_dump_guest_memory(): use error_setg_file_open()
  cpus: use error_setg_file_open()
  blockdev: use error_setg_file_open()
  block: mirror_complete(): use error_setg_file_open()
  rng-random: use error_setg_file_open()
  error: add error_setg_file_open() helper

Message-id: 1371484631-29510-1-git-send-email-lcapitulino@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

# By Liu Yuan (2) and others
# Via Kevin Wolf
* kwolf/for-anthony:
  vmdk: Allow reading variable size descriptor files
  NVMe: Initial commit for new storage interface
  curl: Don't set curl options on the handle just before it's going to be deleted.
  vmdk: byteswap VMDK4Header.desc_offset field
  block/curl.c: Refuse to open the handle for writes.
  sheepdog: support 'qemu-img snapshot -a'
  sheepdog: fix snapshot tag initialization

Message-id: 1371486710-17793-1-git-send-email-kwolf@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

# By Anton Blanchard
# Via Richard Henderson
* rth/fix-ppc64:
  tcg-ppc64: rotr_i32 rotates wrong amount
  tcg-ppc64: Fix add2_i64
  tcg-ppc64: bswap64 rotates output 32 bits
  tcg-ppc64: Fix RLDCL opcode

Message-id: 1371491129-30246-1-git-send-email-rth@twiddle.net
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

rotr_i32 calculates the amount to left shift and puts it into a
temporary, but then doesn't use it when doing the shift.

Cc: qemu-stable@nongnu.org
Signed-off-by: NAnton Blanchard <anton@samba.org>
Signed-off-by: NRichard Henderson <rth@twiddle.net>

add2_i64 was adding the lower double word to the upper double word
of each input. Fix this so we add the lower double words, then the
upper double words with carry propagation.

Cc: qemu-stable@nongnu.org
Signed-off-by: NAnton Blanchard <anton@samba.org>
Signed-off-by: NRichard Henderson <rth@twiddle.net>

If our input and output is in the same register, bswap64 tries to
undo a rotate of the input. This just ends up rotating the output.

Cc: qemu-stable@nongnu.org
Signed-off-by: NAnton Blanchard <anton@samba.org>
Signed-off-by: NRichard Henderson <rth@twiddle.net>

The rldcl instruction doesn't have an sh field, so the minor opcode
is shifted 1 bit. We were using the XO30 macro which shifted the
minor opcode 2 bits.

Remove XO30 and add MD30 and MDS30 macros which match the
Power ISA categories.

Cc: qemu-stable@nongnu.org
Signed-off-by: NAnton Blanchard <anton@samba.org>
Signed-off-by: NRichard Henderson <rth@twiddle.net>

the hard-coded 2k buffer on the stack won't allow reading big descriptor
files which can be generated when storing big images. For example 500G
vmdk splitted to 2G chunks.
Signed-off-by: NEvgeny Budilovsky <evgeny.budilovsky@ravellosystems.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Initial commit for emulated Non-Volatile-Memory Express (NVMe) pci
storage device.

NVMe is an open, industry driven storage specification defining
an optimized register and command set designed to deliver the full
capabilities of non-volatile memory on PCIe SSDs. Further information
may be found on the organizations website at:

http://www.nvmexpress.org/

This commit implements the minimum from the specification to work with
existing drivers.

Cc: Keith Busch <keith.busch@gmail.com>
Signed-off-by: NKeith Busch <keith.busch@intel.com>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

(Found by Kamil Dudka)
Signed-off-by: NRichard W.M. Jones <rjones@redhat.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Remember to byteswap VMDK4Header.desc_offset on big-endian machines.

Cc: qemu-stable@nongnu.org
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Signed-off-by: NRichard W.M. Jones <rjones@redhat.com>
Signed-off-by: NFam Zheng <famz@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Just call sd_create_branch() in the snapshot_goto to rollback the image is good
enough. With this patch, 'loadvm' process for sheepdog is modified:

Suppose we have a snapshot chain A --> B --> C, we do 'loadvm A' so as to get
a new chain,

A --> B
|
V
C1

in the old code:

1 reload inode of A (in snapshot_goto)
2 read vmstate via A's vdi_id (loadvm_state)
3 delete C and create C1, reload inode of C1 (sd_create_branch on write)

with this patch applied:

1 reload inode of A, delete C and create C1  (in snapshot_goto)
2 read vmstate via C1's parent, that is A's vdi_id (loadvm_state)

This will fix the possible bug that QEMU exit between 2 and 3 in the old code

Cc: qemu-devel@nongnu.org
Cc: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Cc: Kevin Wolf <kwolf@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NLiu Yuan <namei.unix@gmail.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>