The local string tmp_filename is passed to function get_tmp_filename
which expects a string with minimum size MAX_PATH for w32 hosts.

MAX_PATH is 260 and PATH_MAX is 259, so tmp_filename was too short.

Commit eba25057 introduced this
regression.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Reviewed-by: NStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 89c9bc3d)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Fixes the pointer truncation that was occurring for branches.

Cc: Stefan Weil <sw@weilnetz.de>
Cc: Blue Swirl <blauwirbel@gmail.com>
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Reviewed-by: NStefan Weil <sw@weilnetz.de>
Tested-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit c6c5063c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

A missing factor for the refcount table entry size in the calculation
could mean that too little memory was allocated for the in-memory
representation of the table, resulting in a buffer overflow.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>
Reviewed-by: NMichael Tokarev <mjt@tls.msk.ru>
Tested-by: NMichael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit a3548077)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When building qemu-kvm for openSUSE:Factory, I am getting a
warning in the pipe2 detection performed by configure, which
prevents using --enable-werror.

Change detection code to use return value of pipe2.
Signed-off-by: NBruce Rogers <brogers@suse.com>
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 9bca8162)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

On an ARM host, the registers definitions from cpu.h clash
with /usr/include/sys/ucontext.h. As there are unused, just remove
them.

Cc: Jia Liu <proljc@gmail.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 44e04d3b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The bswap16 TCG opcode assumes that the high bytes of the temp equal
to 0 before calling it. The ARM backend implementation takes this
assumption to slightly optimize the generated code.

The same implementation is called for implementing the cross-endian
qemu_st16 opcode, where this assumption is not true anymore. One way to
fix that would be to zero the high bytes before calling it. Given the
store instruction just ignore them, it is possible to provide a slightly
more optimized version. With ARMv6+ the rev16 instruction does the work
correctly. For lower ARM versions the patch provides a version which
behaves correctly with non-zero high bytes, but fill them with junk.

Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Reviewed-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 7aab08aa)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The TCG arm backend considers likely that the offset to the TLB
entries does not exceed 12 bits for mem_index = 0. In practice this is
not true for at least the MIPS target.

The current patch fixes that by loading the bits 23-12 with a separate
instruction, and using loads with address writeback, independently of
the value of mem_idx. In total this allow a 24-bit offset, which is a
lot more than needed.

Cc: Andrzej Zaborowski <balrogg@gmail.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit d17bd1d8)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

While reading microMIPS decoding, I found a possible wrong opcode
encoding. According to [1] page 166, the bits 13..12 for MULTU is
0x01 rather than 0x00. Please review, thanks.

[1] MIPS Architecture for Programmers VolumeIV-e: The MIPS DSP
    Application-Specific Extension to the microMIPS32 Architecture
Signed-off-by: NChen Wei-Ren <chenwj@iis.sinica.edu.tw>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 6801038b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

According to the MIPS Malta Developement Platform User's Manual, the
i8259 interrupt controller is supposed to be connected to the hardware
IRQ0, and the CBUS UART to the hardware interrupt 2.

In QEMU they are both connected to hardware interrupt 0, the CBUS UART
interrupt being wrong. This patch fixes that. It should be noted that
the irq array in QEMU includes the software interrupts, hence
env->irq[2] is the first hardware interrupt.

Cc: Ralf Baechle <ralf@linux-mips.org>
Reviewed-by: NEric Johnson <ericj@mips.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 68d00192)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We do not need BLKROSET if the kernel supports setting flags.
Also, always do BLKROSET even for a read-write export, otherwise
the read-only state remains "sticky" after the invocation of
"qemu-nbd -r".
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c8969ede)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Fixing a simple typo, s/errno/err/, that caused
the error status from GDB semihosted system calls
to be returned incorrectly.
Signed-off-by: NMeador Inge <meadori@codesourcery.com>
Reviewed-by: NAndreas Färber <afaerber@suse.de>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit aed91c1b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Tools were broken because they initialized the block layer while
qemu_aio_context was still NULL.
Reported-by: Nmalc <av1474@comtv.ru>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Nmalc <av1474@comtv.ru>
(cherry picked from commit 2592c59a)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Used to be "UTB" not "USB".
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0ebfb144)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

OpenBIOS on sparc64 only support Standard VGA and not Cirrus VGA. Don't
build Cirrus VGA support so that it can't be selected.

This fixes the breakage introduced by commit f2898771.
Reported-by: NRichard Henderson <rth@twiddle.net>
Cc: Blue Swirl <blauwirbel@gmail.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
Tested-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit 0356404b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Device tree properties need to be specified in big endian. Fix the
bamboo memory size property accordingly.
Signed-off-by: NAlexander Graf <agraf@suse.de>
CC: qemu-stable@nongnu.org
(cherry picked from commit 5232fa59)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When using -initrd in the virtio machine, we need to indicate the initrd
start and size inside the kernel image. These parameters need to be stored
in native endianness.
Signed-off-by: NAlexander Graf <agraf@suse.de>
Acked-by: NRichard Henderson <rth@twiddle.net>
Acked-by: NChristian Borntraeger <borntraeger@de.ibm.com>
(cherry picked from commit 235a3f0b)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The memory core drops regions that are hidden by another region (for example,
during BAR sizing), but it doesn't do so correctly if the lower address of the
existing range is below the lower address of the new range.

Example (qemu-system-mips -M malta -kernel vmlinux-2.6.32-5-4kc-malta
         -append "console=ttyS0"  -nographic -vga cirrus):

Existing range: 10000000-107fffff
New range:      100a0000-100bffff

Correct behaviour: drop new range
Incorrect behaviour: add new range

Fix by taking this case into account (previously we only considered
equal lower boundaries).
Tested-by: NAurelien Jarno <aurelien@aurel32.net>
Signed-off-by: NAvi Kivity <avi@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit d26a8cae)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Real HW always treats RX ring with RDH == RDT as empty.
Emulation is supposed to behave the same.
Reported-by: NChris Webb <chris.webb@elastichosts.com>
Reported-by: NRichard Davies <richard.davies@elastichosts.com>
Signed-off-by: NDmitry Fleytman <dmitry@daynix.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit e5b8b0d4)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The check using INT_MAX (2147483647) is wrong in this case.
Signed-off-by: NFred Oliveira <foliveira@cloudswitch.com>
Signed-off-by: NDon Slutz <Don@CloudSwitch.com>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 2e84849a)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Those functions return -errno in case of an error.
The old code would typically only detect EPERM (1) errors.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NStefan Hajnoczi <stefanha@gmail.com>
(cherry picked from commit 7a608f56)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When setting a date in 1980, Linux is actually disregarding the century
byte and setting the year to 2080.  This causes a year-2038 overflow
in mktimegm.  Fix this by doing the days-to-seconds computation in
64-bit math.
Reported-by: NLucas Meneghel Rodrigues <lookkas@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit b6db4aca)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Don't try to be clever and skip displaysurface reinitialization in case
the size hasn't changed.  Other parameters might have changed
nevertheless, for example depth or stride, resulting in rendering being
broken then.

Trigger: boot linux guest with vesafb, start X11, make sure both vesafb
and X11 use the display same resolution.  Then watch X11 screen being
upside down.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0ec8df39)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

As suggested by Paolo Bonzini, to avoid possible integer overflow issues.
Signed-off-by: NAlon Levy <alevy@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c5825ac6)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

According to the spec we must raise an interrupt when one is requested
even for non active tds.

Linux depends on this, for bulk transfers it runs an inactivity timer
to work around a bug in early uhci revisions, when we take longer then
200 ms to process a packet, this timer goes of, and as part of the
handling Linux then unlinks the qh, and relinks it after the frindex
has increased by atleast 1, the problem is Linux only checks for the
frindex increases on an interrupt, and we don't send that, causing
the qh to go inactive for more then 32 frames, at which point we
consider the packet cancelled.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 883bca77)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When reverse connection is in use, there is no active VNC server
socket.  Because of this, getsockopt(-1, ...) is attempted and
the following error is emitted:

    $ socat TCP-LISTEN:5900,reuseaddr TCP-LISTEN:5901,reuseaddr &
    $ x86_64-softmmu/qemu-system-x86_64 -vnc localhost:5900,reverse -monitor stdio
    QEMU 1.2.50 monitor - type 'help' for more information
    (qemu) info vnc
    An undefined error has occurred

Because however the host, family, service and auth fields are
optional, we can just exit if there is no active server socket.

    $ x86_64-softmmu/qemu-system-x86_64 -vnc localhost:5900,reverse -monitor stdio
    QEMU 1.2.50 monitor - type 'help' for more information
    (qemu) info vnc
    Server:
    Client:
         address: 127.0.0.1:5900
      x509_dname: none
        username: none
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 417b0b88)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

If TIGHT_PNG is not enabled by the --enable-vnc-png configure flag
then do not report to the client that it is supported.

Also, since TIGHT_PNG is the same as the TIGHT encoding but with the
filter/copy replaced with PNG data, adding it to the supported
encodings list when it is disabled will cause the TIGHT encoding to be
used even though the client requested TIGHT_PNG.
Signed-off-by: NJoel Martin <github@martintribe.org>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit fe3e7f2d)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

commit 38f419f3 fixed a breakage with CONFIG_QEMU_HELPERDIR
which has been introduced by 8bf188aa.  But while techinically
that fix has been correct, all other similar variables are handled
differently.  Make it consistent, and let scripts/create_config
expand and capitalize the variable properly like for all other
qemu_*dir variables.
Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit f354b1a1)

Conflicts:

	configure
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

We need to evaluate $libexecdir in configure, otherwise we literally end
up with "${prefix}/libexec" instead of the absolute path as
CONFIG_QEMU_HELPERDIR.
Signed-off-by: NJan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit 38f419f3)

Conflicts:

	configure
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

PAPR hypercalls should only be invoked from the guest kernel, not guest
user programs, that is, with MSR[PR]=0.  Currently we check this in
spapr_hypercall, returning H_PRIVILEGE if MSR[PR]=1.

However, under KVM the state of MSR[PR] is already checked by the host
kernel before passing the hypercall to qemu, making this check redundant.
Worse, however, we don't generally synchronize KVM and qemu state on the
hypercall path, meaning that qemu could incorrectly reject a hypercall
because it has a stale MSR value.

This patch fixes the problem by moving the privilege test exclusively to
the TCG hypercall path.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
CC: qemu-stable@nongnu.org
Signed-off-by: NAlexander Graf <agraf@suse.de>
(cherry picked from commit efcb9383)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The uint64_to_float32() conversion function was incorrectly always
returning numbers with the sign bit set (ie negative numbers). Correct
this so we return positive numbers instead.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>
(cherry picked from commit e744c06f)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Bit 10 of CPUID[8000_0001].EDX is not defined as an alias of
CPUID[1].EDX[10], so do not duplicate it on
kvm_arch_get_supported_cpuid().
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Reviewed-By: NIgor Mammedov <imammedo@redhat.com>
Reviewed-by: NDon Slutz <Don@CloudSwitch.com>
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>
(cherry picked from commit b1f46793)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

In the A series memory map (implemented in the Cortex A15 CoreTile), the
first NOR flash bank (flash 0) is mapped to address 0x08000000, while
address 0x00000000 can be configured as alias to either the first or the
second flash bank. This patch fixes the definition of flash 0 address,
and for simplicity removes the alias definition.
Signed-off-by: NFrancesco Lavra <francescolavra.fl@gmail.com>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 661bafb3)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

When setting up the NVIC memory regions the memory range
0x100..0xcff is aliased to an IO memory region that belongs
to the ARM GIC.  This aliased region should be added to the
NVIC memory container, but the actual GIC IO memory region
was being added instead.  This mixup was causing the wrong
IO memory access functions to be called when accessing parts
of the NVIC memory.
Signed-off-by: NMeador Inge <meadori@codesourcery.com>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 9892cae3)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Reading VECTADDR was causing us to set the current priority to
the wrong value, the most obvious effect of which was that we
would return the vector for the wrong interrupt as the result
of the read.
Signed-off-by: NBrendan Fennell <bfennell@skynet.ie>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 14c126ba)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 3202beca)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

getaddrinfo can give us a list of addresses, but we only try to
connect to the first one. If that fails we never proceed to
the next one.  This is common on desktop setups that often have ipv6
configured but not actually working.

To fix this make inet_connect_nonblocking retry connection with a different
address.
callers on inet_nonblocking_connect register a callback function that will
be called when connect opertion completes, in case of failure the fd will have
a negative value
Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 233aa5c2)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

No need to add non blocking parameters to the blocking inet_connect
add block parameter for inet_connect_opts instead of using QemuOpt "block".
Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 5db5f44c)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

refactor address resolution code to fix nonblocking connect
remove getnameinfo call
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NOrit Wasserman <owasserm@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 05bc1d8a)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

The old code aborted configure when no emulation target was selected.
Even after removing the 'exit 1', it tried to read from STDIN
when QEMU was configured with

    configure' '--disable-user' '--disable-system'

This is fixed here.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 8bdd3d49)
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>