The various uas data structures are called IU-s, which is short for
Information Unit, rather then UI-s.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

This patch mirrors a patch to the Linux uas kernel driver which I've just
submitted. It looks like the qemu uas struct definitions were taken from
the Linux kernel driver, and have inherited the same mistake.

Besides fixing the response iu struct, the patch also drops the add_info
parameter from the usb_uas_queue_response() function, it is always 0 anyways,
and expressing 3 zero-bytes as a function argument is a bit hard.

Below is the long explanation for this change taken from the kernel commit:

The response iu struct before this patch has a size of 7 bytes, which is weird
since all other iu-s are explictly padded to a multiple of 4 bytes.

Submitting a 7 byte bulk transfer to the status endpoint of a real uasp device
when expecting a response iu results in an USB babble error, as the device
actually sends 8 bytes.

Up on closer reading of the UAS spec:
http://www.t10.org/cgi-bin/ac.pl?t=f&f=uas2r00.pdf

The reason for this becomes clear, the 2 entries in "Table 17 — RESPONSE IU"
are numbered 4 and 6, looking at other iu definitions in the spec, esp.
multi-byte fields, this indicates that the ADDITIONAL RESPONSE INFORMATION
field is not a 2 byte field as one might assume at a first look, but is
a multi-byte field containing 3 bytes.

This also aligns with the SCSI Architecture Model 4 spec, which UAS is based
on which states in paragraph "7.1 Task management function procedure calls"
that the "Additional Response Information" output argument for a Task
management function procedure call is 3 bytes.

Last but not least I've verified this by sending a logical unit reset task
management call with an invalid lun to an actual uasp device, and received
back a response-iu with byte 6 being 0, and byte 7 being 9, which is the
responce code for an invalid iu, which confirms that the response code is
being reported in byte 7 of the response iu rather then in byte 6.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Disallow the guest to cause us to address the data3 and status3 arrays
out of bounds.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

It is easier to simply make the arrays one larger, rather then
substracting one everywhere.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

-The correct error if we cannot find the dev is INCORRECT_LUN rather then
 INVALID_INFO_UNIT
-Move the device not found check to the top so we only need to do it once
-Remove the dev->lun != lun checks, dev is returned by scsi_device_find
 which searches by lun, so this will never trigger
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Regular scsi cmds should always report their status using a sense-iu, using
the sense code to report any errors.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

The OS can ask the xhci controller to save and restore its
internal state, which is used by the OS when the system is
suspended and resumed.

This patch handles writes to the save + restore bits in the
command register.  Only thing it does is updating the
restore error bit in the status register to signal an error
on restore.  The guest OS should do a full reinitialization
after resume then.

This is the minimal patch which gets S3 going with xhci.
Implementing full save/restore support is TBD.

https://bugzilla.redhat.com/show_bug.cgi?id=1012365Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

One of the reworks of qemu's usb core made changes to usb-port's disconnect
handling. Now ports with a device will always have a non 0 dev member, but
if the device is not attached (which is possible with usb redirection),
dev->attached will be 0.

So supplement all checks for dev to also check dev->attached, and add an
extra check in a path where a device check was completely missing.

This fixes various crashes (asserts triggering) I've been seeing when xhci
attached usb devices get disconnected at the wrong time.
Signed-off-by: NHans de Goede <hdegoede@redhat.com>
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>

Don't run code in the signal handler, only set a flag.
Use sigaction(2) to avoid non-portable signal(2) semantics.
Make #ifdefs less messy.
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
Reviewed-by: NLaszlo Ersek <lersek@redhat.com>
Message-id: 1385130903-20531-1-git-send-email-kraxel@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Both code locations cause a compiler warning. Using "%s" instead of "%lu"
would result in a program crash if the wrong code were executed.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Message-id: 1385409257-2522-1-git-send-email-sw@weilnetz.de
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

The default granularity for the FIT timer on 440 is on every 0x1000th
transition of TB from 0 to 1. Translated that means 48828 times a second.

Since interrupts are quite expensive for 440 and we don't really care
about the accuracy of the FIT to that significance, let's force FIT and
WDT to at best millisecond granularity.

This basically restores behavior as it was in QEMU 1.6, where timers
could only deal with millisecond granularities at all.

This patch greatly improves performance with the 440 target and restores
roughly the same performance level that QEMU 1.6 had for me.
Signed-off-by: NAlexander Graf <agraf@suse.de>
Message-id: 1385416015-22775-3-git-send-email-agraf@suse.de
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Today we fire FIT and WDT timer events every time the respective bit
position in TB flips from 0 -> 1.

However, there is no need to do this if the end result would be that
we're changing a TSR bit that is set to 1 to 1 again. No guest visible
change would have occured.

So whenever we see that the TSR bit to our timer is already set, don't
even bother to update the timer that would potentially fire it off.

However, we do need to make sure that we update our timer that notifies
us of the TB flip when the respective TSR bit gets unset. In that case
we do care about the flip and need to notify the guest again. So add
a callback into our timer handlers when TSR bits get unset.

This improves performance for me when the guest is busy processing things.
Signed-off-by: NAlexander Graf <agraf@suse.de>
Message-id: 1385416015-22775-2-git-send-email-agraf@suse.de
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

glib < 2.22 does not have g_array_get_element_size,
limit it's use (to check all elements are 1 byte
in size) to newer glib.

This fixes build on RHEL 5.3.
Reported-by: NRichard Henderson <rth@redhat.com>
Reported-by: NErik Rull <erik.rull@rdsoftware.de>
Tested-by: NRichard Henderson <rth@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
Message-id: 20131125220039.GA16386@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

pc very last minute fixes for 1.7

This has a fix for a crasher bug with pci bridges,
boot failure fix for s390 on 32 bit hosts,
and fixes build for hosts with old glib.

There's also a fix for --iasl configure flag - it can be used
to work around broken iasl on some systems either
by using a non-standard iasl or by disabling it.

I've also reverted a e1000/rtl mac programming change
that seems slightly wrong and too risky for 1.8.
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

# gpg: Signature made Mon 25 Nov 2013 03:40:07 AM PST using RSA key ID D28D5469
# gpg: Can't check signature: public key not found

# By Michael S. Tsirkin (5) and Bandan Das (1)
# Via Michael S. Tsirkin
* mst/tags/for_anthony:
  configure: make --iasl option actually work
  Revert "e1000/rtl8139: update HMP NIC when every bit is written"
  acpi-build: fix build on glib < 2.14
  acpi-build: fix build on glib < 2.22
  pci: unregister vmstate_pcibus on unplug
  s390x: fix flat file load on 32 bit systems

Message-id: 1385379990-32093-1-git-send-email-mst@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Here are a bunch of 1.7-tagged patches that I was afraid
were getting forgotten or that did not have a clear maintainer responsible
for making a pull request.

# gpg: Signature made Thu 21 Nov 2013 08:40:59 AM PST using RSA key ID 9B4D86F2
# gpg: Can't check signature: public key not found

# By Peter Maydell (3) and others
# Via Paolo Bonzini
* bonzini/tags/for-anthony:
  qga: Fix compiler warnings (missing format attribute, wrong format strings)
  mips jazz: do not raise data bus exception when accessing invalid addresses
  target-i386: yield to another VCPU on PAUSE
  rng-egd: offset the point when repeatedly read from the buffer
  rng-egd: remove redundant free
  target-i386: Fix build by providing stub kvm_arch_get_supported_cpuid()
  vfio-pci: Fix multifunction=on
  atomic.h: Fix build with clang
  pc: get rid of builtin pvpanic for "-M pc-1.5"
  configure: Explicitly set ARFLAGS so we can build with GNU Make 4.0
  sun4m: Add FCode ROM for TCX framebuffer

Message-id: 1385052578-32352-1-git-send-email-pbonzini@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

# By Tomoki Sekiyama
# Via Michael Roth
* mdroth/qga-pull-2013-11-22:
  qemu-ga: vss-win32: Install VSS provider COM+ application service

Message-id: 1385154505-15145-1-git-send-email-mdroth@linux.vnet.ibm.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

# By Vlad Yasevich
# Via Stefan Hajnoczi
* stefanha/net:
  qdev-properties-system.c: Allow vlan or netdev for -device, not both

Message-id: 1385118544-28482-1-git-send-email-stefanha@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

--iasl option was added to CC option parsing section by mistake,
it's not effective there and attempts to use cause
an 'unknown option' error.

Fix this up.
Tested-by: NMarcel Apfelbaum <marcel.a@redhat.com>
Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>

Currently, qemu-ga for Windows fails to execute guset-fsfreeze-freeze when
no user is logging in to Windows, with an error message:
  {"error":{"class":"GenericError",
            "desc":"failed to add C:\\ to snapshotset:  (error: 8004230f)"}}

To enable guest-fsfreeze-freeze/thaw without logging in users, this installs
a service to execute qemu-ga VSS provider COM+ application that has full
access privileges to the local system. The service will automatically be
removed when the COM+ application is deregistered.

This patch replaces ICOMAdminCatalog interface with ICOMAdminCatalog2
interface that contains CreateServiceForApplication() method in addition.
Signed-off-by: NTomoki Sekiyama <tomoki.sekiyama@hds.com>
Reviewed-by: NGal Hammer <ghammer@redhat.com>
Reviewed-by: NYan Vugenfirer <yvugenfi@redhat.com>
Tested-by: NYan Vugenfirer <yvugenfi@redhat.com>
Signed-off-by: NMichael Roth <mdroth@linux.vnet.ibm.com>

It is currently possible to specify things like:
	-device e1000,netdev=foo,vlan=1
With this usage, whichever argument was specified last (vlan or netdev)
overwrites what was previousely set and results in a non-working
configuration.  Even worse, when used with multiqueue devices,
it causes a segmentation fault on exit in qemu_free_net_client.

That patch treates the above command line options as invalid and
generates an error at start-up.
Signed-off-by: NVlad Yasevich <vyasevic@redhat.com>
Acked-by: NJason Wang <jasowang@redhat.com>
Signed-off-by: NStefan Hajnoczi <stefanha@redhat.com>

gcc 4.8.2 reports this warning when extra warnings are enabled (-Wextra):

  CC    qga/commands.o
qga/commands.c: In function ‘slog’:
qga/commands.c:28:5: error:
 function might be possible candidate for ‘gnu_printf’ format attribute [-Werror=suggest-attribute=format]
     g_logv("syslog", G_LOG_LEVEL_INFO, fmt, ap);
     ^

gcc 4.8.2 reports this warning when slog is declared with the
gnu_printf format attribute:

qga/commands-posix.c: In function ‘qmp_guest_file_open’:
qga/commands-posix.c:404:5: warning:
 format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘int64_t’ [-Wformat=]
     slog("guest-file-open, handle: %d", handle);
     ^

On 32 bit hosts there are three more warnings which are also fixed here.
Signed-off-by: NStefan Weil <sw@weilnetz.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

MIPS Jazz chipset doesn't seem to raise data bus exceptions on invalid accesses.
However, there is no easy way to prevent them. Creating a big memory region
for the whole address space doesn't prevent memory core to directly call
unassigned_mem_read/write which in turn call cpu->do_unassigned_access,
which (for MIPS CPU) raise an data bus exception.

This fixes a MIPS Jazz regression introduced in c658b94f.
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

After commit b1bbfe72 (aio / timers: On timer modification, qemu_notify
or aio_notify, 2013-08-21) FreeBSD guests report a huge slowdown.

The problem shows up as soon as FreeBSD turns out its periodic (~1 ms)
tick, but the timers are only the trigger for a pre-existing problem.

Before the offending patch, setting a timer did a timer_settime system call.

After, setting the timer exits the event loop (which uses poll) and
reenters it with a new deadline.  This does not cause any slowdown; the
difference is between one system call (timer_settime and a signal
delivery (SIGALRM) before the patch, and two system calls afterwards
(write to a pipe or eventfd + calling poll again when re-entering the
event loop).

Unfortunately, the exit/enter causes the main loop to grab the iothread
lock, which in turns kicks the VCPU thread out of execution.  This
causes TCG to execute the next VCPU in its round-robin scheduling of
VCPUS.  When the second VCPU is mostly unused, FreeBSD runs a "pause"
instruction in its idle loop which only burns cycles without any
progress.  As soon as the timer tick expires, the first VCPU runs
the interrupt handler but very soon it sets it again---and QEMU
then goes back doing nothing in the second VCPU.

The fix is to make the pause instruction do "cpu_loop_exit".
Reported-by: NLuigi Rizzo <rizzo@iet.unipi.it>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

The buffer content might be read out more than once, currently
we just repeatedly read the first data block, buffer offset is
missing.

Cc: qemu-stable@nongnu.org
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

We didn't set default chr_name, the free is redundant.
Signed-off-by: NAmos Kong <akong@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Fix build failures with clang when KVM is not enabled by
providing a stub version of kvm_arch_get_supported_cpuid().
We retain the compile time check that this function isn't
called when CONFIG_KVM is not set by guarding the stub with
ifndef __OPTIMIZE__ (we assume that an optimizing build will
do sufficient constant folding and dead code elimination to
remove the calls before linking).
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

When an assigned device is initialized it copies the device config
space into the emulated config space.  Unfortunately multifunction is
setup prior to the device initfn and gets clobbered.  We need to
restore it just like pci-assign does.

Cc: qemu-stable@nongnu.org
Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

clang defines __ATOMIC_SEQ_CST but its implementation of the
__atomic_exchange() builtin differs from that of gcc. Move the
__clang__ branch of the ifdef ladder to the top and fix its
implementation (there is no such builtin as __sync_exchange),
so we can compile with clang again.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

This causes two slight backwards-incompatibilities between "-M pc-1.5"
and 1.5's "-M pc":

(1) a fw_cfg file is removed with this patch.  This is only a problem
if migration stops the virtual machine exactly during fw_cfg enumeration.

(2) after migration, a VM created without an explicit "-device pvpanic"
will stop reporting panics to management.

The first problem only occurs if migration is done at a very, very
early point (and I'm not sure it can happen in practice for reasonable-size
VMs, since it will likely take more time to send the RAM to destination,
than it will take for BIOS to scan fw_cfg).

The second problem only occurs if the guest panics _and_ has a guest
driver _and_ management knows to look at the crash event, so it is
mostly theoretical at this point in time.

Thus keep the code simple, and pretend it was never broken.
Reviewed-by: NEric Blake <eblake@redhat.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Our rules.mak adds '-rR' to MAKEFLAGS to indicate that we will be
explicitly specifying everything and not relying on any default
variables or rules. However we were accidentally relying on the
default ARFLAGS ("rv"). This went unnoticed because of a bug in
GNU Make 3.82 and earlier which meant that adding -rR to MAKEFLAGS
only affected submakes, not the currently running instance.
Explicitly set ARFLAGS in config-host.mak, in the same way we
handle CFLAGS and LDFLAGS; this will allow us to work with
Make 4.0.

Thanks to Paul Smith for analyzing this bug for us.

Cc: qemu-stable@nongnu.org
Reported-by: NKen Moffat <zarniwhoop@ntlworld.com>
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Upstream OpenBIOS now implements SBus probing in order to determine the
contents of a physical bus slot, which is required to allow OpenBIOS to
identify the framebuffer without help from the fw_cfg interface.

SBus probing works by detecting the presence of an FCode program
(effectively tokenised Forth) at the base address of each slot, and if
present executes it so that it creates its own device node in the
OpenBIOS device tree.

The FCode ROM is generated as part of the OpenBIOS build and should
generally be updated at the same time.
Signed-off-by: NMark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
CC: Blue Swirl <blauwirbel@gmail.com>
CC: Bob Breuer <breuerr@mc.net>
CC: Artyom Tarasenko <atar4qemu@gmail.com>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>

Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

When an assigned device is initialized it copies the device config
space into the emulated config space.  Unfortunately multifunction is
setup prior to the device initfn and gets clobbered.  We need to
restore it just like pci-assign does.
Signed-off-by: NAlex Williamson <alex.williamson@redhat.com>
Reviewed-by: NBandan Das <bsd@redhat.com>
Message-id: 20131112185059.7262.33780.stgit@bling.home
Cc: qemu-stable@nongnu.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Fix the following run-test-x86_64 testsuite failures:

-lea (%%eax) = 0000000000000001
-lea (%%ebx) = 0000000000000002
-lea (%%ecx) = 0000000000000004
-lea (%%edx) = 0000000000000008
-lea (%%esi) = 0000000000000010
-lea (%%edi) = 0000000000000020
+lea (%%eax) = 0000abcc00000001
+lea (%%ebx) = 0000abcf00000002
+lea (%%ecx) = 0000abc900000004
+lea (%%edx) = 0000abc500000008
+lea (%%esi) = 0000abdd00000010
+lea (%%edi) = 0000abed00000020

In addition, reduce ifdeffery and minimize the number of TCG ops
produced during address computation.
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Message-id: 1384219016-5170-1-git-send-email-rth@twiddle.net
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

clang defines __ATOMIC_SEQ_CST but its implementation of the
__atomic_exchange() builtin differs from that of gcc. Move the
__clang__ branch of the ifdef ladder to the top and fix its
implementation (there is no such builtin as __sync_exchange),
so we can compile with clang again.
Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Message-id: 1382435921-18438-1-git-send-email-peter.maydell@linaro.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

Commit 787aaf57 (target-i386: forward CPUID cache leaves when -cpu host is
used, 2013-09-02) brings bits 31..26 of CPUID leaf 04h out of sync with
the APIC IDs that QEMU reserves for each package.  This number must come
from "-smp" options rather than from the host CPUID.

It also turns out that this unsyncing makes Windows Server 2012R2 fail
to boot.
Tested-by: NPeter Lieven <pl@kamp.de>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NBenoit Canet <benoit@irqsave.net>
Reviewed-by: NEduardo Habkost <ehabkost@redhat.com>
Message-id: 1384879786-6721-1-git-send-email-pbonzini@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

MIPS Jazz chipset doesn't seem to raise data bus exceptions on invalid accesses.
However, there is no easy way to prevent them. Creating a big memory region
for the whole address space doesn't prevent memory core to directly call
unassigned_mem_read/write which in turn call cpu->do_unassigned_access,
which (for MIPS CPU) raise an data bus exception.

This fixes a MIPS Jazz regression introduced in c658b94f.
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: NHervé Poussineau <hpoussin@reactos.org>
Message-id: 1383603977-7003-1-git-send-email-hpoussin@reactos.org
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>

After commit b1bbfe72 (aio / timers: On timer modification, qemu_notify
or aio_notify, 2013-08-21) FreeBSD guests report a huge slowdown.

The problem shows up as soon as FreeBSD turns out its periodic (~1 ms)
tick, but the timers are only the trigger for a pre-existing problem.

Before the offending patch, setting a timer did a timer_settime system call.

After, setting the timer exits the event loop (which uses poll) and
reenters it with a new deadline.  This does not cause any slowdown; the
difference is between one system call (timer_settime and a signal
delivery (SIGALRM) before the patch, and two system calls afterwards
(write to a pipe or eventfd + calling poll again when re-entering the
event loop).

Unfortunately, the exit/enter causes the main loop to grab the iothread
lock, which in turns kicks the VCPU thread out of execution.  This
causes TCG to execute the next VCPU in its round-robin scheduling of
VCPUS.  When the second VCPU is mostly unused, FreeBSD runs a "pause"
instruction in its idle loop which only burns cycles without any
progress.  As soon as the timer tick expires, the first VCPU runs
the interrupt handler but very soon it sets it again---and QEMU
then goes back doing nothing in the second VCPU.

The fix is to make the pause instruction do "cpu_loop_exit".

Cc: Richard Henderson <rth@twiddle.net>
Reported-by: NLuigi Rizzo <rizzo@iet.unipi.it>
Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
Reviewed-by: NRichard Henderson <rth@twiddle.net>
Message-id: 1384948442-24217-1-git-send-email-pbonzini@redhat.com
Signed-off-by: NAnthony Liguori <aliguori@amazon.com>